From 89d32402b2dd2182dc6e7788d41708eaaeeb02c1 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Wed, 31 Jul 2019 14:52:29 -0400
Subject: [PATCH 01/51] fix, do not use "," inside /usr/share/pam-configs files
---
 usr/share/pam-configs/security-misc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/usr/share/pam-configs/security-misc b/usr/share/pam-configs/security-misc
index 30b0df4..2cf08ca 100644
--- a/usr/share/pam-configs/security-misc
+++ b/usr/share/pam-configs/security-misc
@@ -1,4 +1,4 @@
-Name: group sudo membership required to use su, lock accounts after 5 failed authentication attempts (by package security-misc)
+Name: group sudo membership required to use su and lock accounts after 5 failed authentication attempts (by package security-misc)
 Default: yes
 Priority: 260
 Auth-Type: Primary
From 5d0aec1321b4f46f1834ba9ad166d2445a995fbb Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Wed, 31 Jul 2019 19:12:27 +0000
Subject: [PATCH 02/51] bumped changelog version
---
 changelog.upstream | 12 ++++++++++++
 debian/changelog | 6 ++++++
 2 files changed, 18 insertions(+)
diff --git a/changelog.upstream b/changelog.upstream
index 1ebedfc..3a80ad4 100644
--- a/changelog.upstream
+++ b/changelog.upstream
@@ -1,3 +1,15 @@
+commit 89d32402b2dd2182dc6e7788d41708eaaeeb02c1
+Author: Patrick Schleizer
+Date: Wed Jul 31 14:52:29 2019 -0400
+
+ fix, do not use "," inside /usr/share/pam-configs files
+
+commit 864de10659d0145ae8883b98b1746a7debc9492a
+Author: Patrick Schleizer
+Date: Wed Jul 31 15:17:51 2019 +0000
+
+ bumped changelog version
+
 commit 47368ae4fccc85ab3197f07316b03c123187f9a2
 Author: Patrick Schleizer
 Date: Wed Jul 31 15:15:30 2019 +0000
diff --git a/debian/changelog b/debian/changelog
index c4fceca..ceb1666 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+security-misc (3:6.3-1) unstable; urgency=medium
+
+ * New upstream version (local package).
+
+ -- Patrick Schleizer Wed, 31 Jul 2019 19:12:27 +0000
+
 security-misc (3:6.2-1) unstable; urgency=medium
 * New upstream version (local package).
From 830111e99aa6f45688c4ba00a7f41ea323f15f2a Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Thu, 1 Aug 2019 11:04:22 +0000
Subject: [PATCH 03/51] split usr/share/pam-configs/security-misc into usr/share/pam-configs/tally2-security-misc usr/share/pam-configs/wheel-security-misc
---
 usr/share/pam-configs/security-misc | 7 -------
 usr/share/pam-configs/tally2-security-misc | 6 ++++++
 usr/share/pam-configs/wheel-security-misc | 6 ++++++
 3 files changed, 12 insertions(+), 7 deletions(-)
 delete mode 100644 usr/share/pam-configs/security-misc
 create mode 100644 usr/share/pam-configs/tally2-security-misc
 create mode 100644 usr/share/pam-configs/wheel-security-misc
diff --git a/usr/share/pam-configs/security-misc b/usr/share/pam-configs/security-misc
deleted file mode 100644
index 2cf08ca..0000000
--- a/usr/share/pam-configs/security-misc
+++ /dev/null
@@ -1,7 +0,0 @@
-Name: group sudo membership required to use su and lock accounts after 5 failed authentication attempts (by package security-misc)
-Default: yes
-Priority: 260
-Auth-Type: Primary
-Auth:
- required pam_wheel.so group=sudo debug
- required pam_tally2.so deny=5 debug
diff --git a/usr/share/pam-configs/tally2-security-misc b/usr/share/pam-configs/tally2-security-misc
new file mode 100644
index 0000000..3639b13
--- /dev/null
+++ b/usr/share/pam-configs/tally2-security-misc
@@ -0,0 +1,6 @@
+Name: lock accounts after 5 failed authentication attempts (by package security-misc)
+Default: yes
+Priority: 260
+Auth-Type: Primary
+Auth:
+ required pam_tally2.so deny=5 debug
diff --git a/usr/share/pam-configs/wheel-security-misc b/usr/share/pam-configs/wheel-security-misc
new file mode 100644
index 0000000..bf7442c
--- /dev/null
+++ b/usr/share/pam-configs/wheel-security-misc
@@ -0,0 +1,6 @@
+Name: group sudo membership required to use su (by package security-misc)
+Default: yes
+Priority: 270
+Auth-Type: Primary
+Auth:
+ required pam_wheel.so group=sudo debug
From e076470f68dc18908c5ab1889232aaaa0fcb9f3d Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Thu, 1 Aug 2019 11:04:58 +0000
Subject: [PATCH 04/51] renamed: usr/share/pam-configs/usergroups -> usr/share/pam-configs/usergroups-security-misc
---
 usr/share/pam-configs/{usergroups => usergroups-security-misc} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename usr/share/pam-configs/{usergroups => usergroups-security-misc} (100%)
diff --git a/usr/share/pam-configs/usergroups b/usr/share/pam-configs/usergroups-security-misc
similarity index 100%
rename from usr/share/pam-configs/usergroups
rename to usr/share/pam-configs/usergroups-security-misc
From 1fe3036a4903588b89edd82e7097a665271fd27f Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Thu, 1 Aug 2019 11:13:43 +0000
Subject: [PATCH 05/51] readme
---
 README.md | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 643e5ad..69890e5 100644
--- a/README.md
+++ b/README.md
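Review bot: `wheel-security-misc` registers pam_wheel.so as `required` in the `Primary` auth block, so it is evaluated by every service that includes common-auth, not only `su` as the `Name:` line suggests; pam_wheel without `root_only` appears to check the applicant's group membership for any target user, so a user outside group `sudo` would seemingly be refused by services where the applicant is the user themself (a screen locker, `passwd`), which is worth confirming against a non-sudo test account before `Default: yes` ships. The `debug` option survives the split on both new profiles and logs every decision on every login; consider dropping it once the configuration is settled. `Priority: 270` above tally2's 260 keeps pam_wheel ahead of pam_tally2 as in the original single file, and a sentence in the commit message stating that ordering intent would save the next maintainer from re-deriving it.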
@@ -186,16 +186,24 @@ Application specific hardening:
 * Deactivates thumbnails in Thunar.
 ## How to install `security-misc` using apt-get ##
-1\. Add [Whonix's Signing Key](https://www.whonix.org/wiki/Whonix_Signing_Key).
+1\. Download [Whonix's Signing Key]().
 ```
-sudo apt-key --keyring /etc/apt/trusted.gpg.d/whonix.gpg adv --keyserver hkp://ipv4.pool.sks-keyservers.net:80 --recv-keys 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA
+wget https://www.whonix.org/patrick.asc
+```
+
+Users can [check Whonix Signing Key](https://www.whonix.org/wiki/Whonix_Signing_Key) for better security.
+
+2\. Add Whonix's signing key.
+
+```
+sudo apt-key --keyring /etc/apt/trusted.gpg.d/whonix.gpg add ~/patrick.asc
 ```
 3\. Add Whonix's APT repository.
 ```
-echo "deb http://deb.whonix.org buster main contrib non-free" | sudo tee /etc/apt/sources.list.d/whonix.list
+echo "deb https://deb.whonix.org buster main contrib non-free" | sudo tee /etc/apt/sources.list.d/whonix.list
 ```
 4\. Update your package lists.
From a703865dcf736996a58e6f684fc02f0e9dfa8cc7 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Thu, 1 Aug 2019 12:02:41 +0000
Subject: [PATCH 06/51] bumped changelog version
---
 changelog.upstream | 27 +++++++++++++++++++++++++++
 debian/changelog | 6 ++++++
 2 files changed, 33 insertions(+)
diff --git a/changelog.upstream b/changelog.upstream
index 3a80ad4..e372107 100644
--- a/changelog.upstream
+++ b/changelog.upstream
@@ -1,3 +1,30 @@ +commit 1fe3036a4903588b89edd82e7097a665271fd27f +Author: Patrick Schleizer +Date: Thu Aug 1 11:13:43 2019 +0000 + + readme + +commit e076470f68dc18908c5ab1889232aaaa0fcb9f3d +Author: Patrick Schleizer +Date: Thu Aug 1 11:04:58 2019 +0000 + + renamed: usr/share/pam-configs/usergroups -> usr/share/pam-configs/usergroups-security-misc + +commit 830111e99aa6f45688c4ba00a7f41ea323f15f2a +Author: Patrick Schleizer +Date: Thu Aug 1 11:04:22 2019 +0000 + + split usr/share/pam-configs/security-misc + into + usr/share/pam-configs/tally2-security-misc + usr/share/pam-configs/wheel-security-misc + +commit 5d0aec1321b4f46f1834ba9ad166d2445a995fbb +Author: Patrick Schleizer +Date: Wed Jul 31 19:12:27 2019 +0000 + + bumped changelog version + commit 89d32402b2dd2182dc6e7788d41708eaaeeb02c1 Author: Patrick Schleizer Date: Wed Jul 31 14:52:29 2019 -0400 diff --git a/debian/changelog b/debian/changelog index ceb1666..032c4ea 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:6.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 01 Aug 2019 12:02:41 +0000 + security-misc (3:6.3-1) unstable; urgency=medium * New upstream version (local package). From 0f896a9d8d6f7c125311a0e226755f8a00214f3c Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 10 Aug 2019 06:05:37 -0400 Subject: [PATCH 07/51] add onerr=fail audit to pam_tally2 --- usr/share/pam-configs/tally2-security-misc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/share/pam-configs/tally2-security-misc b/usr/share/pam-configs/tally2-security-misc index 3639b13..bc5c104 100644 --- a/usr/share/pam-configs/tally2-security-misc +++ b/usr/share/pam-configs/tally2-security-misc @@ -3,4 +3,4 @@ Default: yes Priority: 260 Auth-Type: Primary Auth: - required pam_tally2.so deny=5 debug + required pam_tally2.so deny=5 onerr=fail audit debug 
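Review bot: With `deny=5` and no `unlock_time=`, pam_tally2 keeps the account locked until an administrator runs `pam_tally2 --reset`, and because this profile lives in common-auth the counter is fed by every PAM service on the host; a handful of wrong passwords against any reachable service (a display manager, the screen locker, sshd if installed) locks the local user out permanently, a denial-of-service consequence the commit message does not mention. Consider an `unlock_time=` value, or at least document the manual reset path in README. As far as I recall `onerr=fail` is already the module's default, so that part of the change is a no-op made explicit; saying so in the commit message keeps a later reader from hunting for a behavioral difference. `audit` logs the typed username for unknown users, which helps detection but will capture passwords mistakenly entered in the username field.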
From d17e25272b9b7bbb6abc4dccd500a6b34311a7dd Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Sat, 10 Aug 2019 06:06:39 -0400
Subject: [PATCH 08/51] effectively (not directly) add "required pam_tally2.so debug" to /etc/pam.d/common-account
This is required because otherwise something like "sudo bash" would count as a
failed login for pam_tally2 even though it was successful.
https://bugzilla.redhat.com/show_bug.cgi?id=707660
https://forums.whonix.org/t/restrict-root-access/7658
---
 usr/share/pam-configs/tally2-security-misc | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/usr/share/pam-configs/tally2-security-misc b/usr/share/pam-configs/tally2-security-misc
index bc5c104..7844ea1 100644
--- a/usr/share/pam-configs/tally2-security-misc
+++ b/usr/share/pam-configs/tally2-security-misc
@@ -4,3 +4,6 @@ Priority: 260
 Auth-Type: Primary
 Auth:
  required pam_tally2.so deny=5 onerr=fail audit debug
+Account-Type: Primary
+Account:
+ required pam_tally2.so debug
From a2fa18c38159161418edcdaacb1baad215f5d31d Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Sat, 10 Aug 2019 07:07:28 -0400
Subject: [PATCH 09/51] pam_tally2.so deny=100
during testing, due to issues
https://github.com/Whonix/security-misc/commit/d17e25272b9b7bbb6abc4dccd500a6b34311a7dd
https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698/12
---
 usr/share/pam-configs/tally2-security-misc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/usr/share/pam-configs/tally2-security-misc b/usr/share/pam-configs/tally2-security-misc
index 7844ea1..0d858cd 100644
--- a/usr/share/pam-configs/tally2-security-misc
+++ b/usr/share/pam-configs/tally2-security-misc
@@ -3,7 +3,7 @@ Default: yes
 Priority: 260
 Auth-Type: Primary
 Auth:
- required pam_tally2.so deny=5 onerr=fail audit debug
+ required pam_tally2.so deny=100 onerr=fail audit debug
 Account-Type: Primary
 Account:
  required pam_tally2.so debug
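Review bot: `deny=100` now contradicts the profile's own `Name:` line, `lock accounts after 5 failed authentication attempts (by package security-misc)`, which is what `pam-auth-update` shows to the administrator, and the README/control wording that still advertises 5; either the Name line changes with the value or the value is reverted before the changelog bump in the next commit. The commit message calls this a testing value, so it should not ship silently in a release: at 100 attempts the counter no longer functions as a brute-force control. The preceding hunk's `Account:` entry is the right fix for successful `sudo` runs being counted as failures, and a one-line pointer to it in the commit body would explain why the threshold had to be relaxed while that was debugged.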
From 75769151cd7980042357f18c5567adab2a031049 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 10 Aug 2019 11:37:02 +0000 Subject: [PATCH 10/51] bumped changelog version --- changelog.upstream | 37 +++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 43 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index e372107..ae067fb 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,40 @@ +commit a2fa18c38159161418edcdaacb1baad215f5d31d +Author: Patrick Schleizer +Date: Sat Aug 10 07:07:28 2019 -0400 + + pam_tally2.so deny=100 + + during testing, due to issues + + https://github.com/Whonix/security-misc/commit/d17e25272b9b7bbb6abc4dccd500a6b34311a7dd + + https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698/12 + +commit d17e25272b9b7bbb6abc4dccd500a6b34311a7dd +Author: Patrick Schleizer +Date: Sat Aug 10 06:06:39 2019 -0400 + + effectively (not directly) add "required pam_tally2.so debug" to /etc/pam.d/common-account + + This is required because otherwise something like "sudo bash" would count as a + failed login for pam_tally2 even though it was successful. + + https://bugzilla.redhat.com/show_bug.cgi?id=707660 + + https://forums.whonix.org/t/restrict-root-access/7658 + +commit 0f896a9d8d6f7c125311a0e226755f8a00214f3c +Author: Patrick Schleizer +Date: Sat Aug 10 06:05:37 2019 -0400 + + add onerr=fail audit to pam_tally2 + +commit a703865dcf736996a58e6f684fc02f0e9dfa8cc7 +Author: Patrick Schleizer +Date: Thu Aug 1 12:02:41 2019 +0000 + + bumped changelog version + commit 1fe3036a4903588b89edd82e7097a665271fd27f Author: Patrick Schleizer Date: Thu Aug 1 11:13:43 2019 +0000 diff --git a/debian/changelog b/debian/changelog index 032c4ea..e242274 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@
+security-misc (3:6.5-1) unstable; urgency=medium
+
+ * New upstream version (local package).
+
+ -- Patrick Schleizer Sat, 10 Aug 2019 11:37:02 +0000
+
 security-misc (3:6.4-1) unstable; urgency=medium
 * New upstream version (local package).
From c50eb3c9b07b9e54951eb08206db6d28383f6cdc Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Sun, 11 Aug 2019 10:28:55 +0000
Subject: [PATCH 11/51] add usr/share/pam-configs/mkhomedir-security-misc based on /usr/share/pam-configs/mkhomedir
---
 usr/share/pam-configs/mkhomedir-security-misc | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 usr/share/pam-configs/mkhomedir-security-misc
diff --git a/usr/share/pam-configs/mkhomedir-security-misc b/usr/share/pam-configs/mkhomedir-security-misc
new file mode 100644
index 0000000..9c27980
--- /dev/null
+++ b/usr/share/pam-configs/mkhomedir-security-misc
@@ -0,0 +1,7 @@
+Name: Create home directory on login
+Default: no
+Priority: 0
+Session-Type: Additional
+Session-Interactive-Only: yes
+Session:
+ optional pam_mkhomedir.so
From 1eb806a03ef25bb387fa80f45dd6509925437048 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Sun, 11 Aug 2019 10:29:49 +0000
Subject: [PATCH 12/51] pam_mkhomedir.so umask=006
---
 usr/share/pam-configs/mkhomedir-security-misc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/usr/share/pam-configs/mkhomedir-security-misc b/usr/share/pam-configs/mkhomedir-security-misc
index 9c27980..cd7812b 100644
--- a/usr/share/pam-configs/mkhomedir-security-misc
+++ b/usr/share/pam-configs/mkhomedir-security-misc
@@ -4,4 +4,4 @@ Priority: 0
 Session-Type: Additional
 Session-Interactive-Only: yes
 Session:
- optional pam_mkhomedir.so
+ optional pam_mkhomedir.so umask=006
From e83ec79a25d09b2467e2389959d87267bab7f1f0 Mon Sep 17 00:00:00 2001
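Review bot: `umask=006` gives pam_mkhomedir a home directory mode of 0771 (0777 masked by 006, if I recall the module's create path correctly), which leaves the new directory searchable by others — exactly the bit this package's `chmod o-rwx` lockdown exists to remove. `umask=007` yields 0770 and matches the stated goal `prevent others from reading one's home folder`; `umask=077` would be the conservative choice, and the README/control text that says `umask 006` should follow whatever is picked. `Priority: 0` sorts this profile after every other session profile, so on a first login the home directory does not yet exist when earlier session modules run; a sentence in the commit message noting that ordering would help.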
From: Patrick Schleizer
Date: Sun, 11 Aug 2019 10:30:51 +0000
Subject: [PATCH 13/51] enable usr/share/pam-configs/mkhomedir-security-misc by default
---
 usr/share/pam-configs/mkhomedir-security-misc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/usr/share/pam-configs/mkhomedir-security-misc b/usr/share/pam-configs/mkhomedir-security-misc
index cd7812b..d34f0fe 100644
--- a/usr/share/pam-configs/mkhomedir-security-misc
+++ b/usr/share/pam-configs/mkhomedir-security-misc
@@ -1,5 +1,5 @@
 Name: Create home directory on login
-Default: no
+Default: yes
 Priority: 0
 Session-Type: Additional
 Session-Interactive-Only: yes
From 2f37a66fd009c9cba423c0f95833a71c8669af46 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Sun, 11 Aug 2019 10:31:29 +0000
Subject: [PATCH 14/51] description
---
 usr/share/pam-configs/mkhomedir-security-misc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/usr/share/pam-configs/mkhomedir-security-misc b/usr/share/pam-configs/mkhomedir-security-misc
index d34f0fe..4e9e66a 100644
--- a/usr/share/pam-configs/mkhomedir-security-misc
+++ b/usr/share/pam-configs/mkhomedir-security-misc
@@ -1,4 +1,4 @@
-Name: Create home directory on login
+Name: Create home directory on login (by package security-misc)
 Default: yes
 Priority: 0
 Session-Type: Additional
From c0b5c70de498d891e4edd5b9af2292909be36776 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Sun, 11 Aug 2019 10:33:22 +0000
Subject: [PATCH 15/51] description
---
 debian/control | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/debian/control b/debian/control
index 1693bba..d3b29a5 100644
--- a/debian/control
+++ b/debian/control
@@ -133,6 +133,10 @@ Description: enhances misc security settings permissions. Debian by default uses User Private Groups (UPG). https://wiki.debian.org/UserPrivateGroups /usr/share/pam-configs/usergroups + . + * Create home directory on login with umask 006 using + pam_mkhomedir.so umask=006 + /usr/share/pam-configs/mkhomedir-security-misc . * Removes read, write and execute access for others for all users who have home folders under folder /home by running for example From aacd9c7679b05b7ee59df484f21a24fe7aa5901d Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 11 Aug 2019 10:34:38 +0000 Subject: [PATCH 16/51] description --- debian/control | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/debian/control b/debian/control index d3b29a5..f4b60f0 100644 --- a/debian/control +++ b/debian/control @@ -108,7 +108,7 @@ Description: enhances misc security settings . * `su` is restricted to only users within the group `sudo` which prevents users from using `su` to gain root access or to switch user accounts. - /usr/share/pam-configs/security-misc + /usr/share/pam-configs/wheel-security-misc (Which results in a change in file `/etc/pam.d/common-auth`.) . * Add user `root` to group `sudo`. This is required to make above work so @@ -116,7 +116,7 @@ Description: enhances misc security settings debian/security-misc.postinst . * Lock user accounts after 5 failed login attempts using pam_tally2. - /usr/share/pam-configs/security-misc + /usr/share/pam-configs/tally2-security-misc . * Logging into the root account from a virtual, serial, whatnot console is prevented by shipping an existing and empty /etc/securetty. 
@@ -132,7 +132,7 @@ Description: enhances misc security settings * Enables pam_umask.so usergroups so group permissions are same as user permissions. Debian by default uses User Private Groups (UPG). https://wiki.debian.org/UserPrivateGroups - /usr/share/pam-configs/usergroups + /usr/share/pam-configs/usergroups-security-misc . * Create home directory on login with umask 006 using pam_mkhomedir.so umask=006 From 52cee9128316d649ba7ffa9600d0fdc33c99a9a9 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 11 Aug 2019 11:39:32 +0000 Subject: [PATCH 17/51] readme --- README.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 69890e5..f1dd05e 100644 --- a/README.md +++ b/README.md @@ -91,7 +91,7 @@ restricts access to the root account: * `su` is restricted to only users within the group `sudo` which prevents users from using `su` to gain root access or to switch user accounts. -/usr/share/pam-configs/security-misc +/usr/share/pam-configs/wheel-security-misc (Which results in a change in file `/etc/pam.d/common-auth`.) * Add user `root` to group `sudo`. This is required to make above work so @@ -99,7 +99,7 @@ login as a user in a virtual console is still possible. debian/security-misc.postinst * Lock user accounts after 5 failed login attempts using pam_tally2. -/usr/share/pam-configs/security-misc +/usr/share/pam-configs/tally2-security-misc * Logging into the root account from a virtual, serial, whatnot console is prevented by shipping an existing and empty /etc/securetty. 
@@ -115,7 +115,11 @@ to read and write to newly created files. * Enables pam_umask.so usergroups so group permissions are same as user permissions. Debian by default uses User Private Groups (UPG). https://wiki.debian.org/UserPrivateGroups -/usr/share/pam-configs/usergroups +/usr/share/pam-configs/usergroups-security-misc + +* Create home directory on login with umask 006 using +pam_mkhomedir.so umask=006 +/usr/share/pam-configs/mkhomedir-security-misc * Removes read, write and execute access for others for all users who have home folders under folder /home by running for example From 6f8acf06d79c77e3bee15cc8696a433271e2b7c9 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 11 Aug 2019 12:07:07 +0000 Subject: [PATCH 18/51] bumped changelog version --- changelog.upstream | 49 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 55 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index ae067fb..59edcac 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,52 @@ +commit 52cee9128316d649ba7ffa9600d0fdc33c99a9a9 +Author: Patrick Schleizer +Date: Sun Aug 11 11:39:32 2019 +0000 + + readme + +commit aacd9c7679b05b7ee59df484f21a24fe7aa5901d +Author: Patrick Schleizer +Date: Sun Aug 11 10:34:38 2019 +0000 + + description + +commit c0b5c70de498d891e4edd5b9af2292909be36776 +Author: Patrick Schleizer +Date: Sun Aug 11 10:33:22 2019 +0000 + + description + +commit 2f37a66fd009c9cba423c0f95833a71c8669af46 +Author: Patrick Schleizer +Date: Sun Aug 11 10:31:29 2019 +0000 + + description + +commit e83ec79a25d09b2467e2389959d87267bab7f1f0 +Author: Patrick Schleizer +Date: Sun Aug 11 10:30:51 2019 +0000 + + enable usr/share/pam-configs/mkhomedir-security-misc by default + +commit 1eb806a03ef25bb387fa80f45dd6509925437048 +Author: Patrick Schleizer +Date: Sun Aug 11 10:29:49 2019 +0000 + + pam_mkhomedir.so umask=006 + +commit c50eb3c9b07b9e54951eb08206db6d28383f6cdc +Author: Patrick Schleizer +Date: Sun Aug 11 10:28:55 2019 +0000 + + add usr/share/pam-configs/mkhomedir-security-misc based on + /usr/share/pam-configs/mkhomedir + +commit 75769151cd7980042357f18c5567adab2a031049 +Author: Patrick Schleizer +Date: Sat Aug 10 11:37:02 2019 +0000 + + bumped changelog version + commit a2fa18c38159161418edcdaacb1baad215f5d31d Author: Patrick Schleizer Date: Sat Aug 10 07:07:28 2019 -0400 diff --git a/debian/changelog b/debian/changelog index e242274..f5bbc27 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:6.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 11 Aug 2019 12:07:07 +0000 + security-misc (3:6.5-1) unstable; urgency=medium * New upstream version (local package). From 9a49b8ecbb863a995862a4d380c6a03f6c0991ac Mon Sep 17 00:00:00 2001 
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Tue, 13 Aug 2019 13:33:07 +0000
Subject: [PATCH 19/51] Create 40_only_allow_signed_modules.cfg
Require all loaded kernel modules to be signed with a valid key.
---
 etc/default/grub.d/40_only_allow_signed_modules.cfg | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 etc/default/grub.d/40_only_allow_signed_modules.cfg
diff --git a/etc/default/grub.d/40_only_allow_signed_modules.cfg b/etc/default/grub.d/40_only_allow_signed_modules.cfg
new file mode 100644
index 0000000..a38c6d2
--- /dev/null
+++ b/etc/default/grub.d/40_only_allow_signed_modules.cfg
@@ -0,0 +1,3 @@
+# Requires every module to be signed before being loaded. Any module that is unsigned or signed with an invalid key cannot be loaded.
+# This makes it harder to load a malicious module.
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX module.sig_enforce=1"
From a82448d46af4fb9dce2de84025b8b820a11fae01 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Wed, 14 Aug 2019 07:01:25 +0000
Subject: [PATCH 20/51] description
---
 debian/control | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/debian/control b/debian/control
index f4b60f0..4141302 100644
--- a/debian/control
+++ b/debian/control
@@ -69,6 +69,11 @@ Description: enhances misc security settings
 * The kernel now panics on oopses to prevent it from continuing running a flawed process.
 .
+ Requires every module to be signed before being loaded. Any module that is
+ unsigned or signed with an invalid key cannot be loaded. This makes it harder
+ to load a malicious module.
+ /etc/default/grub.d/40_only_allow_signed_modules.cfg
+ .
 Uncommon network protocols are blacklisted: These are rarely used and may have unknown vulnerabilities.
 /etc/modprobe.d/uncommon-network-protocols.conf
From 41f4441d9dc5777d4ea7424f8422164c548da091 Mon Sep 17 00:00:00 2001
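Review bot: `module.sig_enforce=1` also rejects every out-of-tree module that is not signed with a key in the kernel's trusted keyring, so DKMS-built drivers (VirtualBox guest additions, third-party Wi-Fi or GPU modules) will stop loading after this change; neither the cfg comment nor the debian/control text mentions that, and users hitting it will have no pointer to the cause. The parameter only has effect on kernels built with module signing support, which Debian's stock kernels are, so a custom-kernel user gets no enforcement and no warning. Suggested additional comment line for the cfg: `# Out-of-tree (e.g. DKMS) modules are rejected unless signed with a key the kernel trusts; remove this file if such a module is required.`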
From: Patrick Schleizer Date: Wed, 14 Aug 2019 07:01:47 +0000 Subject: [PATCH 21/51] readme --- README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/README.md b/README.md index f1dd05e..205844c 100644 --- a/README.md +++ b/README.md @@ -52,6 +52,11 @@ for DMA (Direct Memory Access) attacks. * The kernel now panics on oopses to prevent it from continuing running a flawed process. +Requires every module to be signed before being loaded. Any module that is +unsigned or signed with an invalid key cannot be loaded. This makes it harder +to load a malicious module. +/etc/default/grub.d/40_only_allow_signed_modules.cfg + Uncommon network protocols are blacklisted: These are rarely used and may have unknown vulnerabilities. /etc/modprobe.d/uncommon-network-protocols.conf From f1d8cbc9fb2b800205923cce77a8e242dddd133c Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 14 Aug 2019 07:02:09 +0000 Subject: [PATCH 22/51] bumped changelog version --- changelog.upstream | 42 ++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 48 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 59edcac..d5da9e8 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,45 @@ +commit 41f4441d9dc5777d4ea7424f8422164c548da091 +Author: Patrick Schleizer +Date: Wed Aug 14 07:01:47 2019 +0000 + + readme + +commit a82448d46af4fb9dce2de84025b8b820a11fae01 +Author: Patrick Schleizer +Date: Wed Aug 14 07:01:25 2019 +0000 + + description + +commit ff8c0979435b491cf462c5ef6e8e02f6d85f1d81 +Merge: 6f8acf0 a8ea379 +Author: Patrick Schleizer +Date: Wed Aug 14 06:59:50 2019 +0000 + + Merge remote-tracking branch 'origin/master' + +commit a8ea37952669b3f40a452cb580442126ec44233a +Merge: 6f8acf0 9a49b8e +Author: Patrick Schleizer +Date: Wed Aug 14 06:59:34 2019 +0000 + + Merge pull request #28 from madaidan/patch-22 + + Require all loaded kernel modules to be signed with a valid key. + +commit 9a49b8ecbb863a995862a4d380c6a03f6c0991ac +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Tue Aug 13 13:33:07 2019 +0000 + + Create 40_only_allow_signed_modules.cfg + + Require all loaded kernel modules to be signed with a valid key. + +commit 6f8acf06d79c77e3bee15cc8696a433271e2b7c9 +Author: Patrick Schleizer +Date: Sun Aug 11 12:07:07 2019 +0000 + + bumped changelog version + commit 52cee9128316d649ba7ffa9600d0fdc33c99a9a9 Author: Patrick Schleizer Date: Sun Aug 11 11:39:32 2019 +0000 diff --git a/debian/changelog b/debian/changelog index f5bbc27..98491aa 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:6.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 14 Aug 2019 07:02:09 +0000 + security-misc (3:6.6-1) unstable; urgency=medium * New upstream version (local package). From dbea7d1511d8e1b2604960d37146ec931d9dfe15 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer
Date: Wed, 14 Aug 2019 07:22:14 +0000
Subject: [PATCH 23/51] add hook etc/kernel/postinst.d/30_remove-system-map to remove system.map on kernel package upgrade; self-document this package: during upgrade the following will be written to stdout: Setting up linux-image-4.19.0-5-amd64 (4.19.37-5+deb10u2) ... /etc/kernel/postinst.d/30_remove-system-map: removed '/boot/System.map-4.19.0-5-amd64
---
 etc/kernel/postinst.d/30_remove-system-map | 5 +++++
 usr/lib/security-misc/remove-system.map | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)
 create mode 100755 etc/kernel/postinst.d/30_remove-system-map
diff --git a/etc/kernel/postinst.d/30_remove-system-map b/etc/kernel/postinst.d/30_remove-system-map
new file mode 100755
index 0000000..fc4a604
--- /dev/null
+++ b/etc/kernel/postinst.d/30_remove-system-map
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+if test -x /usr/lib/security-misc/remove-system.map ; then
+ /usr/lib/security-misc/remove-system.map
+fi
diff --git a/usr/lib/security-misc/remove-system.map b/usr/lib/security-misc/remove-system.map
index 10071f8..621879b 100755
--- a/usr/lib/security-misc/remove-system.map
+++ b/usr/lib/security-misc/remove-system.map
@@ -9,6 +9,6 @@ shopt -s nullglob
 for filename in /boot/System.map-*
 do
 if [ -f "$(unknown)" ]; then
- rm -f "$(unknown)"
+ rm --verbose --force "$(unknown)"
 fi
 done
From f210294f4091b6a09c902a446b125c26022c5d2a Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Wed, 14 Aug 2019 07:24:24 +0000
Subject: [PATCH 24/51] description
---
 debian/control | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/debian/control b/debian/control
index 4141302..d2ca1e1 100644
--- a/debian/control
+++ b/debian/control
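Review bot: The loop in `remove-system.map` iterates `filename`, yet both the `-f` test and the `rm` operate on `"$(unknown)"` as rendered here; if that is the file's real content rather than a rendering artifact of `"$filename"`, the test never matches and nothing is removed, so please confirm the variable name in the committed file. The new hook `30_remove-system-map` ignores the kernel version passed in `$1` and removes every `/boot/System.map-*`, which is fine but undocumented; a header comment such as `# kernel postinst.d hook: removes System.map for every installed kernel, not only the one in $1` would explain the choice. The hook's exit status is whatever the script returns, so a non-zero exit would abort the kernel package's postinst; `--force` makes that unlikely, but an explicit `exit 0` after the `fi` would document that removal is best-effort.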
@@ -57,6 +57,9 @@ Description: enhances misc security settings * The SysRq key is restricted to only allow shutdowns/reboots. A systemd service clears System.map on boot as these contain kernel symbols that could be useful to an attacker. + /etc/kernel/postinst.d/30_remove-system-map + /lib/systemd/system/remove-system-map.service + /usr/lib/security-misc/remove-system.map . * Coredumps are disabled as they may contain important information such as encryption keys or passwords. From 52df8dc0149d597c3106daa7112a01db444e34f1 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 14 Aug 2019 07:37:21 +0000 Subject: [PATCH 25/51] optional pam_umask.so usergroups umask=006 --- usr/share/pam-configs/usergroups-security-misc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/share/pam-configs/usergroups-security-misc b/usr/share/pam-configs/usergroups-security-misc index a089e63..a613a24 100644 --- a/usr/share/pam-configs/usergroups-security-misc +++ b/usr/share/pam-configs/usergroups-security-misc @@ -3,4 +3,4 @@ Default: yes Priority: 256 Session-Type: Additional Session: - optional pam_umask.so usergroups + optional pam_umask.so usergroups umask=006 From 42f2d5f6664f15baebdaf200a5690cf32cdbe284 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 14 Aug 2019 07:39:28 +0000 Subject: [PATCH 26/51] description --- debian/control | 1 + 1 file changed, 1 insertion(+) diff --git a/debian/control b/debian/control index d2ca1e1..c8cefcd 100644 --- a/debian/control +++ b/debian/control @@ -136,6 +136,7 @@ Description: enhances misc security settings * The default umask is changed to 006. This allows only the owner and group to read and write to newly created files. /etc/login.defs.security-misc + /usr/share/pam-configs/usergroups-security-misc . * Enables pam_umask.so usergroups so group permissions are same as user permissions. Debian by default uses User Private Groups (UPG). From 21489111d107023f150988137180154ba62e1ff2 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer
Date: Wed, 14 Aug 2019 08:34:03 +0000
Subject: [PATCH 27/51] run permission lockdown during pam
https://forums.whonix.org/t/change-default-umask/7416
---
 debian/security-misc.postinst | 28 +--------------
 usr/lib/security-misc/permission-lockdown | 33 +++++++++++++++++++
 .../permission-lockdown-security-misc | 6 ++++
 3 files changed, 40 insertions(+), 27 deletions(-)
 create mode 100755 usr/lib/security-misc/permission-lockdown
 create mode 100644 usr/share/pam-configs/permission-lockdown-security-misc
diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst
index 194929f..ffdd07d 100644
--- a/debian/security-misc.postinst
+++ b/debian/security-misc.postinst
@@ -15,32 +15,6 @@ true " ##################################################################### "
-home_folder_access_rights_lockdown() {
- mkdir -p /var/cache/security-misc/state-files
-
- shopt -s nullglob
-
- ## Not using dotglob.
- ## touch /var/cache/security-misc/state-files//home/.Trash
- ## touch: cannot touch '/var/cache/security-misc/state-files//home/.Trash': No such file or directory
-
- local folder_name base_name
-
- for folder_name in /home/* ; do
- base_name="$(basename "$folder_name")"
- if [ -f "/var/cache/security-misc/state-files/$base_name" ]; then
- continue
- fi
- chmod o-rwx "$folder_name"
- ## Create a state-file so we do this only once.
- ## Therefore a user who will manually undo this, will not get
- ## annoyed by this being done over and over again.
- touch "/var/cache/security-misc/state-files/$base_name"
- done
-
- shopt -u nullglob
-}
-
 case "$1" in
 configure)
 glib-compile-schemas /usr/share/glib-2.0/schemas || true
@@ -59,7 +33,7 @@ addgroup root sudo
 pam-auth-update --package
-home_folder_access_rights_lockdown
+/usr/lib/security-misc/permission-lockdown
 true "INFO: debhelper beginning here."
diff --git a/usr/lib/security-misc/permission-lockdown b/usr/lib/security-misc/permission-lockdown
new file mode 100755
index 0000000..8a79844
--- /dev/null
+++ b/usr/lib/security-misc/permission-lockdown
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+set -x
+
+home_folder_access_rights_lockdown() {
+ mkdir -p /var/cache/security-misc/state-files
+
+ shopt -s nullglob
+
+ ## Not using dotglob.
+ ## touch /var/cache/security-misc/state-files//home/.Trash
+ ## touch: cannot touch '/var/cache/security-misc/state-files//home/.Trash': No such file or directory
+
+ local folder_name base_name
+
+ for folder_name in /home/* ; do
+ base_name="$(basename "$folder_name")"
+ if [ -f "/var/cache/security-misc/state-files/$base_name" ]; then
+ continue
+ fi
+ chmod o-rwx "$folder_name"
+ ## Create a state-file so we do this only once.
+ ## Therefore a user who will manually undo this, will not get
+ ## annoyed by this being done over and over again.
+ touch "/var/cache/security-misc/state-files/$base_name"
+ done
+
+ shopt -u nullglob
+}
+
+home_folder_access_rights_lockdown
+
+exit 0
diff --git a/usr/share/pam-configs/permission-lockdown-security-misc b/usr/share/pam-configs/permission-lockdown-security-misc
new file mode 100644
index 0000000..ac974e8
--- /dev/null
+++ b/usr/share/pam-configs/permission-lockdown-security-misc
@@ -0,0 +1,6 @@
+Name: prevent others from reading one's home folder (by package security-misc)
+Default: yes
+Priority: 500
+Session-Type: Additional
+Session:
+ optional pam_exec.so debug seteuid log=/var/log/permission-lockdown-security-misc /usr/lib/security-misc/permission-lockdown
From ce06fdf91103afbaf84523ce998570af733b5bbe Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Wed, 14 Aug 2019 05:15:53 -0400
Subject: [PATCH 28/51] formatting
---
 usr/share/pam-configs/mkhomedir-security-misc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/usr/share/pam-configs/mkhomedir-security-misc b/usr/share/pam-configs/mkhomedir-security-misc
index 4e9e66a..1dfc0a2 100644
--- a/usr/share/pam-configs/mkhomedir-security-misc
+++ b/usr/share/pam-configs/mkhomedir-security-misc
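Review bot: The `Session:` line runs `/usr/lib/security-misc/permission-lockdown` through pam_exec.so on both open_session and close_session of every PAM session that includes common-session (cron, sudo, su, login), and each run appends its full `set -x` trace to `/var/log/permission-lockdown-security-misc`, for which no rotation is set up; a guard at the top of the script, `[ "$PAM_TYPE" = "open_session" ] || exit 0`, halves the runs and the noise. The profile's `Priority: 500` sorts it ahead of `mkhomedir-security-misc` (`Priority: 0`) if pam-auth-update orders higher priority first as I believe it does, so a home directory created on first login is only locked down at the next session; the state-file scheme makes that self-correcting, but the commit message should say so. The loop also chmods every entry under `/home/*`, including plain files and directories of deleted users, which is harmless but deserves a comment such as `## Every entry under /home is treated as a home directory; no ownership check is done.`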
@@ -4,4 +4,4 @@ Priority: 0 Session-Type: Additional Session-Interactive-Only: yes Session: - optional pam_mkhomedir.so umask=006 + optional pam_mkhomedir.so umask=006 From 1595789d7c310c80196345e06b6bacc8fb7c0baf Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 14 Aug 2019 05:17:16 -0400 Subject: [PATCH 29/51] comment --- usr/lib/security-misc/permission-lockdown | 28 ++++++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) diff --git a/usr/lib/security-misc/permission-lockdown b/usr/lib/security-misc/permission-lockdown index 8a79844..706fa2f 100755 --- a/usr/lib/security-misc/permission-lockdown +++ b/usr/lib/security-misc/permission-lockdown 
@@ -1,6 +1,32 @@ #!/bin/bash -set -x +## Doing this for all users would create many issues. +# /usr/lib/security-misc/permission-lockdown: user: root | chmod o-rwx "/root" +# /usr/lib/security-misc/permission-lockdown: user: daemon | chmod o-rwx "/usr/sbin" +# /usr/lib/security-misc/permission-lockdown: user: bin | chmod o-rwx "/bin" +# /usr/lib/security-misc/permission-lockdown: user: sys | chmod o-rwx "/dev" +# /usr/lib/security-misc/permission-lockdown: user: sync | chmod o-rwx "/bin" +# /usr/lib/security-misc/permission-lockdown: user: games | chmod o-rwx "/usr/games" +# /usr/lib/security-misc/permission-lockdown: user: man | chmod o-rwx "/var/cache/man" +# /usr/lib/security-misc/permission-lockdown: user: mail | chmod o-rwx "/var/mail" +# /usr/lib/security-misc/permission-lockdown: user: proxy | chmod o-rwx "/bin" +# /usr/lib/security-misc/permission-lockdown: user: backup | chmod o-rwx "/var/backups" +# /usr/lib/security-misc/permission-lockdown: user: systemd-timesync | chmod o-rwx "/run/systemd" +# /usr/lib/security-misc/permission-lockdown: user: systemd-network | chmod o-rwx "/run/systemd/netif" +# /usr/lib/security-misc/permission-lockdown: user: messagebus | chmod o-rwx "/var/run/dbus" +# /usr/lib/security-misc/permission-lockdown: user: tinyproxy | chmod o-rwx "/run/tinyproxy" +# /usr/lib/security-misc/permission-lockdown: user: rtkit | chmod o-rwx "/proc" +# /usr/lib/security-misc/permission-lockdown: user: colord | chmod o-rwx "/var/lib/colord" +# /usr/lib/security-misc/permission-lockdown: user: Debian-exim | chmod o-rwx "/var/spool/exim4" +# /usr/lib/security-misc/permission-lockdown: user: debian-tor | chmod o-rwx "/var/lib/tor" +# /usr/lib/security-misc/permission-lockdown: user: stunnel4 | chmod o-rwx "/var/run/stunnel4" +# /usr/lib/security-misc/permission-lockdown: user: iodine | chmod o-rwx "/var/run/iodine" +# /usr/lib/security-misc/permission-lockdown: user: apt-cacher-ng | chmod o-rwx "/var/cache/apt-cacher-ng" +# 
/usr/lib/security-misc/permission-lockdown: user: statd | chmod o-rwx "/var/lib/nfs" +# /usr/lib/security-misc/permission-lockdown: user: timidity | chmod o-rwx "/etc/timidity" +# /usr/lib/security-misc/permission-lockdown: user: uuidd | chmod o-rwx "/run/uuidd" +# /usr/lib/security-misc/permission-lockdown: user: _rpc | chmod o-rwx "/run/rpcbind" +# /usr/lib/security-misc/permission-lockdown: user: geoclue | chmod o-rwx "/var/lib/geoclue" home_folder_access_rights_lockdown() { mkdir -p /var/cache/security-misc/state-files From e5da6d9699de1d3c4aaefee7d301a4c47f33e4bd Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 14 Aug 2019 05:17:54 -0400 Subject: [PATCH 30/51] copyright --- usr/lib/security-misc/permission-lockdown | 3 +++ 1 file changed, 3 insertions(+) diff --git a/usr/lib/security-misc/permission-lockdown b/usr/lib/security-misc/permission-lockdown index 706fa2f..f260a6f 100755 --- a/usr/lib/security-misc/permission-lockdown +++ b/usr/lib/security-misc/permission-lockdown @@ -1,5 +1,8 @@ #!/bin/bash +## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + ## Doing this for all users would create many issues. # /usr/lib/security-misc/permission-lockdown: user: root | chmod o-rwx "/root" # /usr/lib/security-misc/permission-lockdown: user: daemon | chmod o-rwx "/usr/sbin" From f8c828b69a8f52108d19af4076e718930b5dcd07 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 14 Aug 2019 05:19:02 -0400 Subject: [PATCH 31/51] output --- usr/lib/security-misc/permission-lockdown | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/lib/security-misc/permission-lockdown b/usr/lib/security-misc/permission-lockdown index f260a6f..ec0a99c 100755 --- a/usr/lib/security-misc/permission-lockdown +++ b/usr/lib/security-misc/permission-lockdown 
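Review bot: The new comment block lists the output of a rejected approach but never says what that approach was or why the list is kept, so a reader has to reverse-engineer it from the paths; I would open it with a line such as `## Output of an earlier variant that applied the lockdown to the home directory of every passwd account, kept to document why this script only handles /home/*:` — that the list came from iterating passwd entries is my inference from the paths, adjust if it came from elsewhere. Dropping `set -x` is the right call for a script run from pam_exec at every session open. The hunk ends at the start of `home_folder_access_rights_lockdown`; its body lies outside the hunk.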
@@ -47,6 +47,7 @@ home_folder_access_rights_lockdown() { if [ -f "/var/cache/security-misc/state-files/$base_name" ]; then continue fi + echo "$0: chmod o-rwx \"$folder_name\"" chmod o-rwx "$folder_name" ## Create a state-file so we do this only once. ## Therefore a user who will manually undo this, will not get From a085d46c567b0b5dbbaddd8f3e5873d87d904c4a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 14 Aug 2019 09:31:58 +0000 Subject: [PATCH 32/51] change priories so "pam_umask.so usergroups umask=006" runs before pam_exec.so /usr/lib/security-misc/permission-lockdown --- usr/share/pam-configs/mkhomedir-security-misc | 2 +- usr/share/pam-configs/permission-lockdown-security-misc | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/share/pam-configs/mkhomedir-security-misc b/usr/share/pam-configs/mkhomedir-security-misc index 1dfc0a2..7e87e21 100644 --- a/usr/share/pam-configs/mkhomedir-security-misc +++ b/usr/share/pam-configs/mkhomedir-security-misc @@ -1,6 +1,6 @@ Name: Create home directory on login (by package security-misc) Default: yes -Priority: 0 +Priority: 100 Session-Type: Additional Session-Interactive-Only: yes Session: diff --git a/usr/share/pam-configs/permission-lockdown-security-misc b/usr/share/pam-configs/permission-lockdown-security-misc index ac974e8..d5ba42c 100644 --- a/usr/share/pam-configs/permission-lockdown-security-misc +++ b/usr/share/pam-configs/permission-lockdown-security-misc @@ -1,6 +1,6 @@ Name: prevent others from reading one's home folder (by package security-misc) Default: yes -Priority: 500 +Priority: 50 Session-Type: Additional Session: optional pam_exec.so debug seteuid log=/var/log/permission-lockdown-security-misc /usr/lib/security-misc/permission-lockdown From 97d1945e61053efd3b73fb9f761b3ea1c9271cdc Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Wed, 14 Aug 2019 09:32:58 +0000 Subject: [PATCH 33/51] no log needed, informative output to stdout instead --- usr/share/pam-configs/permission-lockdown-security-misc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/share/pam-configs/permission-lockdown-security-misc b/usr/share/pam-configs/permission-lockdown-security-misc index d5ba42c..ce82738 100644 --- a/usr/share/pam-configs/permission-lockdown-security-misc +++ b/usr/share/pam-configs/permission-lockdown-security-misc @@ -3,4 +3,4 @@ Default: yes Priority: 50 Session-Type: Additional Session: - optional pam_exec.so debug seteuid log=/var/log/permission-lockdown-security-misc /usr/lib/security-misc/permission-lockdown + optional pam_exec.so debug seteuid /usr/lib/security-misc/permission-lockdown From 15094cab4fbbb1fd0c20bd8241ea20bd6c0bd331 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 14 Aug 2019 09:36:30 +0000 Subject: [PATCH 34/51] avoid ' character in usr/share/pam-configs; in description --- usr/share/pam-configs/permission-lockdown-security-misc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/share/pam-configs/permission-lockdown-security-misc b/usr/share/pam-configs/permission-lockdown-security-misc index ce82738..fb847f3 100644 --- a/usr/share/pam-configs/permission-lockdown-security-misc +++ b/usr/share/pam-configs/permission-lockdown-security-misc @@ -1,4 +1,4 @@ -Name: prevent others from reading one's home folder (by package security-misc) +Name: prevent users from reading other users /home/user folders (by package security-misc) Default: yes Priority: 50 Session-Type: Additional From 6321ff5ad5938a929d4a997b4f1b03db2ac4b5fd Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 14 Aug 2019 09:38:44 +0000 Subject: [PATCH 35/51] refactoring --- usr/lib/security-misc/permission-lockdown | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
diff --git a/usr/lib/security-misc/permission-lockdown b/usr/lib/security-misc/permission-lockdown index ec0a99c..d138723 100755 --- a/usr/lib/security-misc/permission-lockdown +++ b/usr/lib/security-misc/permission-lockdown @@ -32,8 +32,6 @@ # /usr/lib/security-misc/permission-lockdown: user: geoclue | chmod o-rwx "/var/lib/geoclue" home_folder_access_rights_lockdown() { - mkdir -p /var/cache/security-misc/state-files - shopt -s nullglob ## Not using dotglob. @@ -47,6 +45,7 @@ home_folder_access_rights_lockdown() { if [ -f "/var/cache/security-misc/state-files/$base_name" ]; then continue fi + mkdir -p /var/cache/security-misc/state-files echo "$0: chmod o-rwx \"$folder_name\"" chmod o-rwx "$folder_name" ## Create a state-file so we do this only once. From 799acad724977dea220c2228f9da0db3d6b5170e Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 14 Aug 2019 09:39:43 +0000 Subject: [PATCH 36/51] skip, if not a folder --- usr/lib/security-misc/permission-lockdown | 3 +++ 1 file changed, 3 insertions(+) diff --git a/usr/lib/security-misc/permission-lockdown b/usr/lib/security-misc/permission-lockdown index d138723..6485477 100755 --- a/usr/lib/security-misc/permission-lockdown +++ b/usr/lib/security-misc/permission-lockdown @@ -45,6 +45,9 @@ home_folder_access_rights_lockdown() { if [ -f "/var/cache/security-misc/state-files/$base_name" ]; then continue fi + if [ ! -d "$folder_name" ]; then + continue + fi mkdir -p /var/cache/security-misc/state-files echo "$0: chmod o-rwx \"$folder_name\"" chmod o-rwx "$folder_name" From dee195d89e94ff343cec60308cbbb5464d2a7b18 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 14 Aug 2019 09:40:41 +0000 Subject: [PATCH 37/51] description --- debian/control | 2 ++ 1 file changed, 2 insertions(+) diff --git a/debian/control b/debian/control index c8cefcd..fc2c4a9 100644 --- a/debian/control +++ b/debian/control 
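Review bot: `[ ! -d "$folder_name" ]` follows symlinks, so an entry in /home that is a symlink to a directory passes the check and `chmod o-rwx` is applied to the link target, wherever it points; if that is not intended, skip links too, `if [ -L "$folder_name" ] || [ ! -d "$folder_name" ]; then continue; fi`. On a stock system /home is root-owned, so only an administrator can place such a link, which limits the risk, but the marker file would still be recorded under the link name rather than the target. The enclosing function continues outside the hunk.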
@@ -156,6 +156,8 @@ Description: enhances misc security settings previously created with lax file permissions prior installation of this package. debian/security-misc.postinst + /usr/share/pam-configs/permission-lockdown-security-misc + /usr/lib/security-misc/permission-lockdown . access rights relaxations: . From 547ba91d799780487782cdd8088c556d978494e8 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 14 Aug 2019 09:45:30 +0000 Subject: [PATCH 38/51] sanity test --- usr/lib/security-misc/permission-lockdown | 3 +++ 1 file changed, 3 insertions(+) diff --git a/usr/lib/security-misc/permission-lockdown b/usr/lib/security-misc/permission-lockdown index 6485477..2b4e802 100755 --- a/usr/lib/security-misc/permission-lockdown +++ b/usr/lib/security-misc/permission-lockdown @@ -48,6 +48,9 @@ home_folder_access_rights_lockdown() { if [ ! -d "$folder_name" ]; then continue fi + if [ "$folder_name" = "/home/" ]; then + continue + fi mkdir -p /var/cache/security-misc/state-files echo "$0: chmod o-rwx \"$folder_name\"" chmod o-rwx "$folder_name" From 01b3a0bfaeda0dad87644ad8d54c61e07dd501f7 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 14 Aug 2019 09:52:53 +0000 Subject: [PATCH 39/51] description --- debian/control | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/debian/control b/debian/control index fc2c4a9..f307c24 100644 --- a/debian/control +++ b/debian/control 
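Review bot: The new `[ "$folder_name" = "/home/" ]` test can never be true: the loop runs under `shopt -s nullglob` (set at the top of the function, outside this hunk), so an empty /home makes the loop body not execute at all, and without nullglob the unmatched literal would be `/home/*`, which the preceding `-d` check already skips. As written it is dead code and a reader will wonder what it guards against; either drop it or, if it is meant as a belt-and-braces check against nullglob being removed later, test for the literal that bash would actually produce and say so in a comment, `## defensive: unmatched glob if nullglob is ever unset` above `if [ "$folder_name" = "/home/*" ]; then`. The enclosing function continues outside the hunk.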
@@ -150,10 +150,10 @@ Description: enhances misc security settings * Removes read, write and execute access for others for all users who have home folders under folder /home by running for example "chmod o-rwx /home/user" - during package installation or upgrade. This will be done only once per folder - in folder /home so users who wish to relax file permissions are free to do so. - This is to protect previously created files in user home folder which were - previously created with lax file permissions prior installation of this + during package installation, upgrade or pam. This will be done only once per + folder in folder /home so users who wish to relax file permissions are free to + do so. This is to protect previously created files in user home folder which + were previously created with lax file permissions prior installation of this package. debian/security-misc.postinst /usr/share/pam-configs/permission-lockdown-security-misc From 2875adb7221769dcd23ef701dae8b9ad24708590 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 14 Aug 2019 10:07:55 +0000 Subject: [PATCH 40/51] readme --- README.md | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 205844c..2ca7981 100644 --- a/README.md +++ b/README.md @@ -40,6 +40,9 @@ KASLR effectiveness. * The SysRq key is restricted to only allow shutdowns/reboots. A systemd service clears System.map on boot as these contain kernel symbols that could be useful to an attacker. +/etc/kernel/postinst.d/30_remove-system-map +/lib/systemd/system/remove-system-map.service +/usr/lib/security-misc/remove-system.map * Coredumps are disabled as they may contain important information such as encryption keys or passwords. 
@@ -116,6 +119,7 @@ access rights restrictions: * The default umask is changed to 006. This allows only the owner and group to read and write to newly created files. /etc/login.defs.security-misc +/usr/share/pam-configs/usergroups-security-misc * Enables pam_umask.so usergroups so group permissions are same as user permissions. Debian by default uses User Private Groups (UPG). @@ -129,12 +133,14 @@ pam_mkhomedir.so umask=006 * Removes read, write and execute access for others for all users who have home folders under folder /home by running for example "chmod o-rwx /home/user" -during package installation or upgrade. This will be done only once per folder -in folder /home so users who wish to relax file permissions are free to do so. -This is to protect previously created files in user home folder which were -previously created with lax file permissions prior installation of this +during package installation, upgrade or pam. This will be done only once per +folder in folder /home so users who wish to relax file permissions are free to +do so. This is to protect previously created files in user home folder which +were previously created with lax file permissions prior installation of this package. debian/security-misc.postinst +/usr/share/pam-configs/permission-lockdown-security-misc +/usr/lib/security-misc/permission-lockdown access rights relaxations: From 5213cfbcdcb41a5aa714d1031b36436adeb0359c Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 14 Aug 2019 10:08:18 +0000 Subject: [PATCH 41/51] bumped changelog version --- changelog.upstream | 125 +++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 +++ 2 files changed, 131 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index d5da9e8..1f727bc 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,128 @@ +commit 2875adb7221769dcd23ef701dae8b9ad24708590 +Author: Patrick Schleizer +Date: Wed Aug 14 10:07:55 2019 +0000 + + readme + +commit 01b3a0bfaeda0dad87644ad8d54c61e07dd501f7 +Author: Patrick Schleizer +Date: Wed Aug 14 09:52:53 2019 +0000 + + description + +commit 547ba91d799780487782cdd8088c556d978494e8 +Author: Patrick Schleizer +Date: Wed Aug 14 09:45:30 2019 +0000 + + sanity test + +commit dee195d89e94ff343cec60308cbbb5464d2a7b18 +Author: Patrick Schleizer +Date: Wed Aug 14 09:40:41 2019 +0000 + + description + +commit 799acad724977dea220c2228f9da0db3d6b5170e +Author: Patrick Schleizer +Date: Wed Aug 14 09:39:43 2019 +0000 + + skip, if not a folder + +commit 6321ff5ad5938a929d4a997b4f1b03db2ac4b5fd +Author: Patrick Schleizer +Date: Wed Aug 14 09:38:44 2019 +0000 + + refactoring + +commit 15094cab4fbbb1fd0c20bd8241ea20bd6c0bd331 +Author: Patrick Schleizer +Date: Wed Aug 14 09:36:30 2019 +0000 + + avoid ' character in usr/share/pam-configs; in description + +commit 97d1945e61053efd3b73fb9f761b3ea1c9271cdc +Author: Patrick Schleizer +Date: Wed Aug 14 09:32:58 2019 +0000 + + no log needed, informative output to stdout instead + +commit a085d46c567b0b5dbbaddd8f3e5873d87d904c4a +Author: Patrick Schleizer +Date: Wed Aug 14 09:31:58 2019 +0000 + + change priories so "pam_umask.so usergroups umask=006" runs before pam_exec.so /usr/lib/security-misc/permission-lockdown + +commit f8c828b69a8f52108d19af4076e718930b5dcd07 +Author: Patrick Schleizer +Date: Wed Aug 14 05:19:02 2019 -0400 + + output + +commit e5da6d9699de1d3c4aaefee7d301a4c47f33e4bd +Author: Patrick Schleizer +Date: Wed Aug 14 05:17:54 2019 -0400 + + copyright + +commit 1595789d7c310c80196345e06b6bacc8fb7c0baf +Author: Patrick Schleizer +Date: Wed Aug 14 05:17:16 2019 -0400 + + comment + +commit ce06fdf91103afbaf84523ce998570af733b5bbe +Author: Patrick Schleizer +Date: Wed Aug 14 05:15:53 2019 -0400 + + formatting + +commit 21489111d107023f150988137180154ba62e1ff2 +Author: Patrick Schleizer 
+Date: Wed Aug 14 08:34:03 2019 +0000 + + run permission lockdown during pam + + https://forums.whonix.org/t/change-default-umask/7416 + +commit 42f2d5f6664f15baebdaf200a5690cf32cdbe284 +Author: Patrick Schleizer +Date: Wed Aug 14 07:39:28 2019 +0000 + + description + +commit 52df8dc0149d597c3106daa7112a01db444e34f1 +Author: Patrick Schleizer +Date: Wed Aug 14 07:37:21 2019 +0000 + + optional pam_umask.so usergroups umask=006 + +commit f210294f4091b6a09c902a446b125c26022c5d2a +Author: Patrick Schleizer +Date: Wed Aug 14 07:24:24 2019 +0000 + + description + +commit dbea7d1511d8e1b2604960d37146ec931d9dfe15 +Author: Patrick Schleizer +Date: Wed Aug 14 07:22:14 2019 +0000 + + add hook etc/kernel/postinst.d/30_remove-system-map to remove system.map + + on kernel package upgrade; + + self-document this package: during upgrade the following will be written + to stdout: + + Setting up linux-image-4.19.0-5-amd64 (4.19.37-5+deb10u2) ... + /etc/kernel/postinst.d/30_remove-system-map: + removed '/boot/System.map-4.19.0-5-amd64 + +commit f1d8cbc9fb2b800205923cce77a8e242dddd133c +Author: Patrick Schleizer +Date: Wed Aug 14 07:02:09 2019 +0000 + + bumped changelog version + commit 41f4441d9dc5777d4ea7424f8422164c548da091 Author: Patrick Schleizer Date: Wed Aug 14 07:01:47 2019 +0000 diff --git a/debian/changelog b/debian/changelog index 98491aa..9170ff6 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:6.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 14 Aug 2019 10:08:18 +0000 + security-misc (3:6.7-1) unstable; urgency=medium * New upstream version (local package). From 8fdc77fed553d7ba6123d738b9cb3efe98f3f08f Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 14 Aug 2019 10:33:23 +0000 Subject: [PATCH 42/51] output to stdout --- usr/share/pam-configs/permission-lockdown-security-misc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/usr/share/pam-configs/permission-lockdown-security-misc b/usr/share/pam-configs/permission-lockdown-security-misc index fb847f3..65be498 100644 --- a/usr/share/pam-configs/permission-lockdown-security-misc +++ b/usr/share/pam-configs/permission-lockdown-security-misc @@ -3,4 +3,4 @@ Default: yes Priority: 50 Session-Type: Additional Session: - optional pam_exec.so debug seteuid /usr/lib/security-misc/permission-lockdown + optional pam_exec.so debug stdout seteuid /usr/lib/security-misc/permission-lockdown From 0feb54b28e90b5c4cfcd529914a3892362c34966 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 14 Aug 2019 11:10:18 +0000 Subject: [PATCH 43/51] add Depends: apparmor-profile-anondist to fix apparmor issue sudo[19806]: pam_exec(sudo:session): execve(/usr/lib/security-misc/permission-lockdown,...) failed: Permission denied sudo[18961]: pam_exec(sudo:session): /usr/lib/security-misc/permission-lockdown failed: exit code 13 kernel: audit: type=1400 audit(1565780860.972:224): apparmor="DENIED" operation="exec" profile="/usr/bin/whonixcheck" name="/usr/lib/security-misc/permission-lockdown" pid=19806 comm="sudo" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 --- debian/control | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/control b/debian/control index f307c24..816ad08 100644 --- a/debian/control +++ b/debian/control @@ -14,7 +14,7 @@ Standards-Version: 4.3.0 Package: security-misc Architecture: all Depends: python, libglib2.0-bin, libpam-runtime, libpam-cgfs, sudo, - ${misc:Depends} + apparmor-profile-anondist, ${misc:Depends} Replaces: tcp-timestamps-disable Description: enhances misc security settings kernel hardening: From 633854c6bec439af9718439c8207012322800166 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 14 Aug 2019 11:13:25 +0000 Subject: [PATCH 44/51] bumped changelog version --- changelog.upstream | 22 ++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 28 insertions(+) 
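Review bot: Adding `apparmor-profile-anondist` to `Depends:` couples a generic hardening package to a distribution-specific profile set in order to work around an exec denial that, per the log in the commit message, comes from the `/usr/bin/whonixcheck` profile; any other confined program that calls sudo or su will hit the same `failed: exit code 13` until its profile permits executing `/usr/lib/security-misc/permission-lockdown`, so the fix belongs in those profiles (or a shared abstraction), with at most a `Recommends:` here. Because the pam_exec line is `optional`, the denial does not break the session but leaves the lockdown silently unapplied for it, which is worth a sentence in the README so operators know to check their AppArmor logs after installing.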
diff --git a/changelog.upstream b/changelog.upstream index 1f727bc..d2e87b6 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,25 @@ +commit 0feb54b28e90b5c4cfcd529914a3892362c34966 +Author: Patrick Schleizer +Date: Wed Aug 14 11:10:18 2019 +0000 + + add Depends: apparmor-profile-anondist to fix apparmor issue + + sudo[19806]: pam_exec(sudo:session): execve(/usr/lib/security-misc/permission-lockdown,...) failed: Permission denied + sudo[18961]: pam_exec(sudo:session): /usr/lib/security-misc/permission-lockdown failed: exit code 13 + kernel: audit: type=1400 audit(1565780860.972:224): apparmor="DENIED" operation="exec" profile="/usr/bin/whonixcheck" name="/usr/lib/security-misc/permission-lockdown" pid=19806 comm="sudo" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 + +commit 8fdc77fed553d7ba6123d738b9cb3efe98f3f08f +Author: Patrick Schleizer +Date: Wed Aug 14 10:33:23 2019 +0000 + + output to stdout + +commit 5213cfbcdcb41a5aa714d1031b36436adeb0359c +Author: Patrick Schleizer +Date: Wed Aug 14 10:08:18 2019 +0000 + + bumped changelog version + commit 2875adb7221769dcd23ef701dae8b9ad24708590 Author: Patrick Schleizer Date: Wed Aug 14 10:07:55 2019 +0000 diff --git a/debian/changelog b/debian/changelog index 9170ff6..2759f8a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:6.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 14 Aug 2019 11:13:25 +0000 + security-misc (3:6.8-1) unstable; urgency=medium * New upstream version (local package). From a7c25a451c78f7b9a5720e1b6fc7d168eb0afa4f Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 14 Aug 2019 11:50:53 +0000 Subject: [PATCH 45/51] remove unneeded dependency on libpam-cgfs --- debian/control | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/control b/debian/control index 816ad08..cf95127 100644 --- a/debian/control +++ b/debian/control 
@@ -13,7 +13,7 @@ Standards-Version: 4.3.0 Package: security-misc Architecture: all -Depends: python, libglib2.0-bin, libpam-runtime, libpam-cgfs, sudo, +Depends: python, libglib2.0-bin, libpam-runtime, sudo, apparmor-profile-anondist, ${misc:Depends} Replaces: tcp-timestamps-disable Description: enhances misc security settings From ce4a30d3cecb7e9bddb96c79aab871804cb90bd4 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 14 Aug 2019 11:52:26 +0000 Subject: [PATCH 46/51] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index d2e87b6..e6dfcce 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit a7c25a451c78f7b9a5720e1b6fc7d168eb0afa4f +Author: Patrick Schleizer +Date: Wed Aug 14 11:50:53 2019 +0000 + + remove unneeded dependency on libpam-cgfs + +commit 633854c6bec439af9718439c8207012322800166 +Author: Patrick Schleizer +Date: Wed Aug 14 11:13:25 2019 +0000 + + bumped changelog version + commit 0feb54b28e90b5c4cfcd529914a3892362c34966 Author: Patrick Schleizer Date: Wed Aug 14 11:10:18 2019 +0000 diff --git a/debian/changelog b/debian/changelog index 2759f8a..5e451dc 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:7.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 14 Aug 2019 11:52:26 +0000 + security-misc (3:6.9-1) unstable; urgency=medium * New upstream version (local package). From 63b476221c7b9ece6b99f9e194fab80e300275d9 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 15 Aug 2019 07:30:56 +0000 Subject: [PATCH 47/51] use requisite rather than required to avoid asking for password needlessly if login will fail anyhow --- usr/share/pam-configs/tally2-security-misc | 4 ++-- usr/share/pam-configs/wheel-security-misc | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/usr/share/pam-configs/tally2-security-misc b/usr/share/pam-configs/tally2-security-misc index 0d858cd..11385c8 100644 --- a/usr/share/pam-configs/tally2-security-misc +++ b/usr/share/pam-configs/tally2-security-misc @@ -3,7 +3,7 @@ Default: yes Priority: 260 Auth-Type: Primary Auth: - required pam_tally2.so deny=100 onerr=fail audit debug + requisite pam_tally2.so deny=100 onerr=fail audit debug Account-Type: Primary Account: - required pam_tally2.so debug + requisite pam_tally2.so debug diff --git a/usr/share/pam-configs/wheel-security-misc b/usr/share/pam-configs/wheel-security-misc index bf7442c..661e639 100644 --- a/usr/share/pam-configs/wheel-security-misc +++ b/usr/share/pam-configs/wheel-security-misc @@ -3,4 +3,4 @@ Default: yes Priority: 270 Auth-Type: Primary Auth: - required pam_wheel.so group=sudo debug + requisite pam_wheel.so group=sudo debug From 454e1358220abf75def0d88a22426086a55c0802 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 15 Aug 2019 07:33:41 +0000 Subject: [PATCH 48/51] pam_tally2.so even_deny_root --- usr/share/pam-configs/tally2-security-misc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/share/pam-configs/tally2-security-misc b/usr/share/pam-configs/tally2-security-misc index 11385c8..bfa0e6f 100644 --- a/usr/share/pam-configs/tally2-security-misc +++ b/usr/share/pam-configs/tally2-security-misc @@ -3,7 +3,7 @@ Default: yes Priority: 260 Auth-Type: Primary Auth: - requisite pam_tally2.so deny=100 onerr=fail audit debug + requisite pam_tally2.so even_deny_root deny=100 onerr=fail audit debug Account-Type: Primary Account: requisite pam_tally2.so debug From ff9bc1d7ea81a8507f44d9bb1301b9665614ebdd Mon Sep 17 00:00:00 2001 
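Review bot: `even_deny_root` together with `deny=100` and no `unlock_time`/`root_unlock_time` means that 100 failed attempts against root through any PAM service lock root permanently, until someone runs `pam_tally2 -r` from a surviving root shell or recovery mode — the very procedure the later pam_tally2-info script has to explain. On a host that exposes a PAM-authenticated root login (for example sshd with root permitted) that turns the counter into an availability risk; consider `root_unlock_time=` so the lock expires on its own, or document why a permanent lockout is the chosen trade-off. Note also that `requisite` plus `onerr=fail` from the previous patch now deny everyone, root included, if the tally file is unreadable.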
From: Patrick Schleizer Date: Thu, 15 Aug 2019 13:37:28 +0000 Subject: [PATCH 49/51] informational output during PAM: * Show failed and remaining password attempts. * Document unlock procedure if Linux user account got locked. * Point out, that there is no password feedback for `su`. * Explain locked (root) account if locked. * /usr/share/pam-configs/tally2-security-misc * /usr/lib/security-misc/pam_tally2-info --- debian/control | 9 ++ usr/lib/security-misc/pam_tally2-info | 109 +++++++++++++++++++++ usr/share/pam-configs/tally2-security-misc | 1 + 3 files changed, 119 insertions(+) create mode 100755 usr/lib/security-misc/pam_tally2-info diff --git a/debian/control b/debian/control index cf95127..262b04a 100644 --- a/debian/control +++ b/debian/control @@ -131,6 +131,15 @@ Description: enhances misc security settings (Deletion of /etc/securetty has a different effect.) /etc/securetty.security-misc . + informational output during PAM: + . + * Show failed and remaining password attempts. + * Document unlock procedure if Linux user account got locked. + * Point out, that there is no password feedback for `su`. + * Explain locked (root) account if locked. + * /usr/share/pam-configs/tally2-security-misc + * /usr/lib/security-misc/pam_tally2-info + . access rights restrictions: . * The default umask is changed to 006. This allows only the owner and group diff --git a/usr/lib/security-misc/pam_tally2-info b/usr/lib/security-misc/pam_tally2-info new file mode 100755 index 0000000..ca23a76 --- /dev/null +++ b/usr/lib/security-misc/pam_tally2-info 
@@ -0,0 +1,109 @@ +#!/bin/bash + +if [ ! -r /var/log/auth.log ]; then + exit 0 +fi + +pam_tally2_output="$(pam_tally2 --user "$PAM_USER")" + +if [ "$pam_tally2_output" = "" ]; then + true "$0: no failed login" + exit 0 +fi + +## Example: +#Login Failures Latest failure From +#user 0 + +pam_tally2_output_last_line="$(echo "$pam_tally2_output" | tail -1)" +## Example: +#user 0 + +arr=($pam_tally2_output_last_line) +user_name="${arr[0]}" +failed_login_counter="${arr[1]}" + +if [ ! "$PAM_USER" = "$user_name" ]; then + echo "$0: ERROR: PAM_USER: $PAM_USER does not equal user_name: '$user_name'." >&2 + echo "$0: ERROR: Please report this bug." >&2 + echo "" >&2 + exit 0 +fi + +if [ "$failed_login_counter" = "0" ]; then + true "$0: INFO: Failed login counter is 0, ok." + exit 0 +fi + +temp="$(grep pam_tally2 /var/log/auth.log | grep ", deny" | tail -1)" +last_line_of_user="$(echo "$temp" | grep "pam_tally2")" +last_line_of_user="$(echo "$temp" | grep "): user $PAM_USER")" + +#last_line_of_user="$(grep pam_tally2 /var/log/auth.log | grep "): user $PAM_USER " | tail -1)" +## Example: +#Aug 15 03:47:50 localhost sudo: pam_tally2(sudo:auth): user user (1000) tally 1, deny 10 + +temp="$(echo "$last_line_of_user" | sed 's/.*tally //')" +temp="${temp/", deny"/""}" +## Example: +#1 100 + +arr=($temp) +tally="${arr[0]}" +deny="${arr[1]}" + +if [[ "$tally" == *[!0-9]* ]]; then + echo "$0: ERROR: tally is not numeric." >&2 + echo "$0: ERROR: Please report this bug." >&2 + echo "" >&2 + exit 0 +fi + +if [[ "$deny" == *[!0-9]* ]]; then + echo "$0: ERROR: deny is not numeric." >&2 + echo "$0: ERROR: Please report this bug." >&2 + echo "" >&2 + exit 0 +fi + +remaining_attempts="$(( $deny - $tally ))" + +## Thanks to: +if [ "$(passwd -S "$PAM_USER" | cut -d ' ' -f 2)" = "P" ]; then + true "INFO: Password not locked." +else + echo "$0: ERROR: Password for user \"$PAM_USER\" is locked." >&2 + if [ "$PAM_USER" = "root" ]; then + echo "$0: ERROR: root account is locked by default. 
See:" >&2 + echo "https://www.whonix.org/wiki/root" >&2 + echo "" >&2 + fi + exit 0 +fi + +if [ "$remaining_attempts" -le "0" ]; then + echo "$0: ERROR: Login blocked after $tally attempts." >&2 + echo "$0: To unlock, run the following command as superuser:" >&2 + echo "$0: (If you still have a sudo/root shell somewhere.)" >&2 + echo "" >&2 + echo "pam_tally2 --quiet -r --user $PAM_USER" >&2 + echo "" >&2 + echo "$0: However, most likely unlock procedure is required." >&2 + echo "$0: First boot into recovery mode at grub boot menu and then run above command." >&2 + echo "$0: See also:" >&2 + echo "https://www.whonix.org/wiki/root#unlock" >&2 + echo "" >&2 + exit 0 +fi + +echo "$0: WARNING: $tally failed login attempts." >&2 +echo "$0: Login will be blocked after $deny attempts." >&2 +echo "$0: You have $remaining_attempts more attempts before unlock procedure is required." >&2 +echo "" >&2 + +if [ "$PAM_SERVICE" = "su" ]; then + echo "$0: NOTE: Type the password. When entering the password, no password feedback (no asterisk (\"*\") symbol) will be shown." >&2 + echo "" >&2 +fi + +exit 0 diff --git a/usr/share/pam-configs/tally2-security-misc b/usr/share/pam-configs/tally2-security-misc index bfa0e6f..82cfc0c 100644 --- a/usr/share/pam-configs/tally2-security-misc +++ b/usr/share/pam-configs/tally2-security-misc @@ -3,6 +3,7 @@ Default: yes Priority: 260 Auth-Type: Primary Auth: + optional pam_exec.so debug stdout seteuid /usr/lib/security-misc/pam_tally2-info requisite pam_tally2.so even_deny_root deny=100 onerr=fail audit debug Account-Type: Primary Account: From a11e3cea9eb160ba84dbc273ea4cb48bc687158f Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 15 Aug 2019 15:08:48 +0000 Subject: [PATCH 50/51] readme --- README.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/README.md b/README.md index 2ca7981..19a001a 100644 --- a/README.md +++ b/README.md 
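Review bot: The auth.log parsing is ordered wrong: `temp` holds the last `, deny` line of any user, the two `last_line_of_user=` assignments then only filter that single line (the first is overwritten immediately), so when the most recent tally entry belongs to a different user `last_line_of_user` is empty, `tally` and `deny` become empty strings that pass the `*[!0-9]*` checks, and `$(( $deny - $tally ))` aborts the script with an arithmetic error. Filter by user before taking the last line, as the commented-out line already does, and bail out on no match: `last_line_of_user="$(grep pam_tally2 /var/log/auth.log | grep "): user $PAM_USER " | grep ", deny" | tail -1)"` followed by `[ -n "$last_line_of_user" ] || exit 0`. The unquoted `arr=($...)` expansions also word-split and glob whatever the log contains; `read -r user_name failed_login_counter _ <<< "$pam_tally2_output_last_line"` avoids that. Because this runs as `optional pam_exec ... stdout` ahead of the password prompt, the remaining-attempts and locked-state messages reach every caller of the PAM service, remote ones included if a network service uses the common-auth stack, so consider restricting the output to local interactive sessions via `$PAM_SERVICE`/`$PAM_RHOST` or documenting that the counter state is intentionally visible before authentication.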
@@ -114,6 +114,15 @@ prevented by shipping an existing and empty /etc/securetty.
 (Deletion of /etc/securetty has a different effect.)
 /etc/securetty.security-misc
 
+informational output during PAM:
+
+* Show failed and remaining password attempts.
+* Document unlock procedure if Linux user account got locked.
+* Point out, that there is no password feedback for `su`.
+* Explain locked (root) account if locked.
+* /usr/share/pam-configs/tally2-security-misc
+* /usr/lib/security-misc/pam_tally2-info
+
 access rights restrictions:
 
 * The default umask is changed to 006. This allows only the owner and group
From 34672b88a86285e1d3eaf35f0a2b3c2e974ffd26 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Thu, 15 Aug 2019 15:18:02 +0000
Subject: [PATCH 51/51] bumped changelog version
---
 changelog.upstream | 39 +++++++++++++++++++++++++++++++++++++++
 debian/changelog | 6 ++++++
 2 files changed, 45 insertions(+)
diff --git a/changelog.upstream b/changelog.upstream
index e6dfcce..9fba34d 100644
--- a/changelog.upstream
+++ b/changelog.upstream
@@ -1,3 +1,42 @@
+commit a11e3cea9eb160ba84dbc273ea4cb48bc687158f
+Author: Patrick Schleizer
+Date: Thu Aug 15 15:08:48 2019 +0000
+
+ readme
+
+commit ff9bc1d7ea81a8507f44d9bb1301b9665614ebdd
+Author: Patrick Schleizer
+Date: Thu Aug 15 13:37:28 2019 +0000
+
+ informational output during PAM:
+
+ * Show failed and remaining password attempts.
+ * Document unlock procedure if Linux user account got locked.
+ * Point out, that there is no password feedback for `su`.
+ * Explain locked (root) account if locked.
+ * /usr/share/pam-configs/tally2-security-misc
+ * /usr/lib/security-misc/pam_tally2-info
+
+commit 454e1358220abf75def0d88a22426086a55c0802
+Author: Patrick Schleizer
+Date: Thu Aug 15 07:33:41 2019 +0000
+
+ pam_tally2.so even_deny_root
+
+commit 63b476221c7b9ece6b99f9e194fab80e300275d9
+Author: Patrick Schleizer
+Date: Thu Aug 15 07:30:56 2019 +0000
+
+ use requisite rather than required to avoid asking for password needlessly
+
+ if login will fail anyhow
+
+commit ce4a30d3cecb7e9bddb96c79aab871804cb90bd4
+Author: Patrick Schleizer
+Date: Wed Aug 14 11:52:26 2019 +0000
+
+ bumped changelog version
+
 commit a7c25a451c78f7b9a5720e1b6fc7d168eb0afa4f
 Author: Patrick Schleizer
 Date: Wed Aug 14 11:50:53 2019 +0000
diff --git a/debian/changelog b/debian/changelog
index 5e451dc..4b43e8e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+security-misc (3:7.1-1) unstable; urgency=medium
+
+ * New upstream version (local package).
+
+ -- Patrick Schleizer Thu, 15 Aug 2019 15:18:02 +0000
+
 security-misc (3:7.0-1) unstable; urgency=medium
 
 * New upstream version (local package).
