Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2024-10-01 08:25:45 -04:00
Code Issues Packages Projects Releases Wiki Activity
729fa26eca
security-misc/etc/security/access-security-misc.conf
Patrick Schleizer 729fa26eca
use pam_acccess only for /etc/pam.d/login 
remove "Allow members of group 'ssh' to login."
remove "+:ssh:ALL EXCEPT LOCAL"
2019-12-12 09:00:08 -05:00

26 lines
960 B
Plaintext
Raw Blame History

## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
## Console Lockdown
## https://forums.whonix.org/t/etc-security-hardening/8592
## This is the error message should this fail:
## sudo su
## sudo: PAM account management error: Permission denied
## see also:
## man access.conf
## man pam_access
## Usually tty7 is for X.
## Qubes uses tty1 for X.
## Allow members of group 'console' to use tty1 to tty7 and pts/0 to pts/9 and hvc0 to hvc9.
## Qubes has 'pts/0' when for example running "sudo" from a terminal emulator.
## Qubes uses 'hvc0' when using in dom0 "sudo xl console vm-name".
+:console:tty1 tty2 tty3 tty4 tty5 tty6 tty7 pts/0 pts/1 pts/2 pts/3 pts/4 pts/5 pts/6 pts/7 pts/8 pts/9 hvc0 hvc1 hvc2 hvc3 hvc4 hvc5 hvc6 hvc7 hvc8 hvc9
## Everyone else except members of group 'console-unrestricted'
## are restricted from everything else.
-:ALL EXCEPT console-unrestricted :ALL
Reference in New Issue View Git Blame Copy Permalink