18a06935e0
run permission hardener when new packages install files to /usr or /opt
(basically anywhere)
fixes https://github.com/Kicksecure/security-misc/issues/189
2024-01-17 13:23:20 -05:00
6aa55698ab
delete legacy folder /etc/permission-hardening.d if empty
https://github.com/Kicksecure/security-misc/pull/181
2024-01-16 09:10:59 -05:00
ed7c09fc46
permission-hardening -> permission-hardener migration
mv --verbose /var/lib/permission-hardening /var/lib/permission-hardener
https://github.com/Kicksecure/security-misc/pull/181
2024-01-16 08:45:13 -05:00
a90cd43631
fix postinst for new permission-hardener
https://github.com/Kicksecure/security-misc/pull/181
2024-01-16 08:32:52 -05:00
abf72c2ee4
Rename file permission hardening script
Hardener as the script is the agent that is hardening the file
permissions.
2024-01-02 13:34:29 +01:00
72f6e6bb9c
output
2023-11-06 16:28:23 -05:00
4a19fbae0b
move permission-hardening to /usr/bin to make it more easily accessible
2023-11-05 15:13:01 -05:00
5f4222c1c3
enable SUID Disabler and Permission Hardener by default
https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener
https://forums.whonix.org/t/suid-disabler-and-permission-hardener/7706
2023-10-26 12:20:48 -04:00
d6d79e96c9
minor mmap-rnd-bits improvements
2023-05-05 14:44:29 +00:00
2cf105700a
postinst: Don't fail if mmap-rnd-bits fails
2023-04-24 23:07:40 +00:00
61f63255ac
vm.mmap_rnd_bits: Fix ppc64le
Probably fixes a bunch of other non-x86_64 arches too.
2023-04-24 23:07:39 +00:00
7a4212dd76
Update copyright
2023-03-30 17:08:47 +11:00
2d37e3a1af
copyright
2022-05-20 14:46:38 -04:00
50bdd097df
move /usr/lib/security-misc to /usr/libexec/security-misc as per lintian FHS
2021-08-03 12:56:31 -04:00
6607c1e4bd
move /usr/lib/helper-scripts and /usr/lib/curl-scripts to /usr/libexec/helper-scripts as per lintian FHS
2021-08-03 12:48:57 -04:00
5a65c35479
port LKRG compatibility settings automation for VirtualBox hosts from systemd to dpkg trigger
2021-08-01 13:11:18 -04:00
a67007f4b7
copyright
2021-03-17 09:45:21 -04:00
5c81e1f23f
import from anon-gpg-conf
2020-04-06 09:25:45 -04:00
2ceea8d1fe
update copyright year
2020-04-01 08:49:59 -04:00
d2f6ac0491
fix, do user/group modifications in preinst rather than postinst
2019-12-10 03:50:23 -05:00
6b01e5be14
comment
2019-12-08 02:01:22 -05:00
52e0f104cc
comment
2019-12-08 01:59:55 -05:00
731d486fa0
refactoring
2019-12-08 01:58:58 -05:00
221a2df2a2
refactoring
2019-12-08 01:58:37 -05:00
b871421a54
usr/share/pam-configs/console-lockdown -> usr/share/pam-configs/console-lockdown-security-misc
2019-12-08 01:57:43 -05:00
d36669596f
comment
2019-12-08 01:56:30 -05:00
1a0f353708
comment
2019-12-08 01:47:40 -05:00
eed1f0a462
comment
2019-12-08 01:46:32 -05:00
2491b62393
refactoring, add all groups first before adding any users to any groups
2019-12-08 01:43:45 -05:00
c1800b13fe
separate group "ssh" for incoming ssh console permission
Thanks to @madaidan
https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/16
2019-12-07 11:26:39 -05:00
6479c883bf
Console Lockdown.
Allow members of group 'console' to use tty1 to tty7. Everyone else except
members of group 'console-unrestricted' are restricted from using console
using ancient, unpopular login methods such as using /bin/login over networks,
which might be exploitable. (CVE-2001-0797)
Not enabled by default in this package since this package does not know which
users shall be added to group 'console'.
In new Whonix builds, user 'user' will be added to group 'console' and
pam console-lockdown enabled by package anon-base-files.
/usr/share/pam-configs/console-lockdown
/etc/security/access-security-misc.conf
https://forums.whonix.org/t/etc-security-hardening/8592
2019-12-07 05:40:20 -05:00
203d5cfa68
copyright
2019-10-31 11:19:44 -04:00
af607d5eb2
Create sysfs and cpuinfo groups
2019-10-15 21:02:03 +00:00
8132052ce0
run update-grub from postinst so /etc/default/grub.d changes take effect
2019-09-07 05:44:23 +00:00
21489111d1
run permission lockdown during pam
https://forums.whonix.org/t/change-default-umask/7416
2019-08-14 08:34:03 +00:00
404f597c0a
description
2019-07-31 07:29:42 +00:00
3f031a297d
Removes read, write and execute access for others for all users who have home
folders under folder /home by running for example "chmod o-rwx /home/user"
during package installation or upgrade. This will be done only once per folder
in folder /home so users who wish to relax file permissions are free to do so.
This is to protect previously created files in user home folder which were
previously created with lax file permissions prior to installation of this
package.
2019-07-13 16:20:14 +00:00
4079632d1a
remove modifying to /etc/pam.d directly (unreleased)
config-package-dev displace /etc/securetty
remove trailing spaces
https://forums.whonix.org/t/restrict-root-access/7658/31
2019-07-13 11:41:37 +00:00
673aab6bc2
shut up pam-auth-update
2019-07-07 22:18:47 +00:00
67ff83262b
move to pam-auth-update --force
--package hangs in Qubes updater since it starts whiptail for interactive dpkg configuration dialog.
2019-07-07 21:31:56 +00:00
91fb21aafb
Due to error:
Jul 07 20:35:39 host sudo[16090]: PAM unable to dlopen(pam_cgfs.so): /lib/security/pam_cgfs.so: cannot open shared object file: No such file or directory
Jul 07 20:35:39 host sudo[16090]: PAM adding faulty module: pam_cgfs.so
run:
pam-auth-update --package
from Debian maintainer scripts
2019-07-07 16:51:40 -04:00
06b86229a4
update path to pre.bsh
2019-05-12 02:58:45 -04:00
5b3fc2f6b9
update copyright
2018-01-29 15:22:05 +00:00
c3b6a44e97
update copyright
2018-01-29 15:15:17 +00:00
ff28f5932c
update copyright
2018-01-29 15:09:42 +00:00
99bb1e877e
"$@"
2017-03-06 15:00:33 +00:00
dfe8a569b6
override glib-compile-schemas with || true in postinst
https://phabricator.whonix.org/T500
2017-02-19 22:32:04 +00:00
5ba2a5b6ff
disable previews in nautilus by default for better security
copied solution by @unman
https://github.com/QubesOS/qubes-issues/issues/1108
https://github.com/QubesOS/qubes-core-agent-linux/pull/39
https://phabricator.whonix.org/T500
2017-02-19 22:25:28 +00:00