From 6479c883bf04464b299ce42185df2429f7b5cab5 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Sat, 7 Dec 2019 05:40:20 -0500
Subject: [PATCH] Console Lockdown.

Allow members of group 'console' to use tty1 to tty7. Everyone else except
members of group 'console-unrestricted' is restricted from using console
using ancient, unpopular login methods such as using /bin/login over networks,
which might be exploitable. (CVE-2001-0797)

Not enabled by default in this package since this package does not know which
users shall be added to group 'console'.

In new Whonix builds, user 'user' will be added to group 'console' and
pam console-lockdown enabled by package anon-base-files.

/usr/share/pam-configs/console-lockdown
/etc/security/access-security-misc.conf

https://forums.whonix.org/t/etc-security-hardening/8592
---
 debian/control                         | 12 ++++++++++++
 debian/security-misc.postinst          |  4 ++++
 etc/security/access-security-misc.conf | 19 +++++++++++++++++++
 usr/share/pam-configs/console-lockdown |  6 ++++++
 4 files changed, 41 insertions(+)
 create mode 100644 etc/security/access-security-misc.conf
 create mode 100644 usr/share/pam-configs/console-lockdown

diff --git a/debian/control b/debian/control
index 354280a..6a2c889 100644
--- a/debian/control
+++ b/debian/control
@@ -171,6 +171,18 @@ Description: enhances misc security settings prevented by shipping an existing and empty /etc/securetty. (Deletion of /etc/securetty has a different effect.) /etc/securetty.security-misc + . + * Console Lockdown. + Allow members of group 'console' to use tty1 to tty7. Everyone else except + members of group 'console-unrestricted' are restricted from using console + using ancient, unpopular login methods such as using /bin/login over networks, + which might be exploitable. (CVE-2001-0797) + Not enabled by default in this package since this package does not know which + users shall be added to group 'console'. + In new Whonix builds, user 'user" will be added to group 'console' and + pam console-lockdown enabled by package anon-base-files. + /usr/share/pam-configs/console-lockdown + /etc/security/access-security-misc.conf . Protect Linux user accounts against brute force attacks. Lock user accounts after 50 failed login attempts using pam_tally2. diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst index bb3dd49..864d4d8 100644 --- a/debian/security-misc.postinst +++ b/debian/security-misc.postinst @@ -32,6 +32,10 @@ esac addgroup root sudo addgroup --system sysfs addgroup --system cpuinfo +addgroup --system console +addgroup --system console-unrestricted + +addgroup root console pam-auth-update --package diff --git a/etc/security/access-security-misc.conf b/etc/security/access-security-misc.conf new file mode 100644 index 0000000..1dfc0eb --- /dev/null +++ b/etc/security/access-security-misc.conf 
@@ -0,0 +1,19 @@ +## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Console Lockdown +## https://forums.whonix.org/t/etc-security-hardening/8592 + +## see also: +## man access.conf +## man pam_access + +## Usually tty7 is for X. +## Qubes uses tty1 for X. + +## Allow members of group 'console' to use tty1 to tty7. ++:console:tty1 tty2 tty3 tty4 tty5 tty6 tty7 + +## Everyone else except members of group 'console-unrestricted' +## are restricted from everything else. +-:ALL EXCEPT console-unrestricted :ALL diff --git a/usr/share/pam-configs/console-lockdown b/usr/share/pam-configs/console-lockdown new file mode 100644 index 0000000..160f7eb --- /dev/null +++ b/usr/share/pam-configs/console-lockdown @@ -0,0 +1,6 @@ +Name: allow only members of group console to login (by package security-misc) +Default: no +Priority: 280 +Account-Type: Primary +Account: + required pam_access.so accessfile=/etc/security/access-security-misc.conf debug
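Review bot: in the debian/control hunk, the new description line `In new Whonix builds, user 'user" will be added to group 'console' and` has mismatched quotes (opens with `'`, closes with `"`); it should read `user 'user'`. The same typo is in the commit message. While editing that paragraph, it would also help users to state that the lockdown is not limited to tty logins: once the profile is enabled, the deny rule is evaluated by every PAM service that includes the shared account stack, so a user who is not in 'console-unrestricted' is affected on every other login path as well.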
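Review bot: in the etc/security/access-security-misc.conf hunk, the closing rule `-:ALL EXCEPT console-unrestricted :ALL` matches every origin, not only console or network logins, so with the profile enabled it also denies services that run through the account stack with a non-tty origin (for example cron jobs, whose origin pam_access reports as `cron`, and sudo/su sessions on a pseudo-terminal) for any user outside 'console-unrestricted', including members of 'console'. If that is intended, say so in the file comments; if not, add explicit `+:console:` entries for the origins that should keep working. Two smaller points on the same lines: there is a stray space before the second colon in `console-unrestricted :ALL` (pam_access tokenizes the user/group list on whitespace, so it is harmless, but it is inconsistent with the `+:console:tty1 ...` line above and should be removed), and the comments `Usually tty7 is for X.` / `Qubes uses tty1 for X.` assume a graphical login arrives with origin tty7 or tty1, whereas pam_access compares PAM_RHOST or PAM_TTY as set by the authenticating program, and display managers commonly set PAM_TTY to the X display name rather than the VT. Test a display-manager login with the profile enabled and add that origin if needed, or note in the comment that the tty list covers text-mode logins. Also `Copyright (C) 2019 - 2019` can simply be `2019`.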
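Review bot: in the usr/share/pam-configs/console-lockdown hunk, the `debug` option on `required pam_access.so accessfile=/etc/security/access-security-misc.conf debug` makes pam_access log every access decision to syslog on every account check once the profile is enabled; drop it from the shipped profile, or document in the description that it is deliberate and how to turn it off. Note also that `Default: no` together with `pam-auth-update --package` in the postinst means the profile is registered but inactive until selected, which matches the commit message; a short comment in this file pointing to the postinst or to `pam-auth-update` would make that discoverable for someone reading only this profile.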