Commit Graph

50 Commits

Author SHA1 Message Date
c7c65fe4e7 higher priority usr/share/pam-configs/tally2-security-misc
so it can give info before pam stack gets aborted by other pam modules
2019-12-08 03:15:53 -05:00
19cc6d7555 pam description 2019-12-08 02:10:43 -05:00
b871421a54 usr/share/pam-configs/console-lockdown -> usr/share/pam-configs/console-lockdown-security-misc 2019-12-08 01:57:43 -05:00
6479c883bf Console Lockdown.
Allow members of group 'console' to use tty1 to tty7. Everyone else except
members of group 'console-unrestricted' is restricted from using the console
using ancient, unpopular login methods such as using /bin/login over networks,
which might be exploitable. (CVE-2001-0797)

Not enabled by default in this package since this package does not know which
users shall be added to group 'console'.

In new Whonix builds, user 'user' will be added to group 'console' and
pam console-lockdown enabled by package anon-base-files.

/usr/share/pam-configs/console-lockdown

/etc/security/access-security-misc.conf

https://forums.whonix.org/t/etc-security-hardening/8592
2019-12-07 05:40:20 -05:00
aa5451c8cd Lock user accounts after 50 rather than 100 failed login attempts.
https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698/19
2019-11-25 01:39:53 -05:00
03e8023847 output 2019-11-22 14:11:30 -05:00
2e73c053b5 fix lintian warning 2019-11-09 12:55:00 +00:00
203d5cfa68 copyright 2019-10-31 11:19:44 -04:00
1e4d0ea1d0 fix lintian warning 2019-10-21 09:55:05 +00:00
0ae5c5ff14 remove umask changes since these are causing issues and are not needed anymore
thanks to home folder permission lockdown

https://forums.whonix.org/t/change-default-umask/7416/45
2019-08-24 12:14:22 -04:00
41b2819ec8 PAM: abort on locked password
to avoid needlessly bumping pam_tally2 counter

https://forums.whonix.org/t/restrict-root-access/7658/1
2019-08-17 10:33:47 +00:00
ed90d8b025 change default umask to 027
as per:

https://forums.whonix.org/t/change-default-umask/7416/47
2019-08-17 09:55:20 +00:00
ff9bc1d7ea informational output during PAM:
* Show failed and remaining password attempts.
* Document unlock procedure if Linux user account got locked.
* Point out that there is no password feedback for `su`.
* Explain locked (root) account if locked.
* /usr/share/pam-configs/tally2-security-misc
* /usr/lib/security-misc/pam_tally2-info
2019-08-15 13:37:28 +00:00
454e135822 pam_tally2.so even_deny_root 2019-08-15 07:33:41 +00:00
63b476221c use requisite rather than required to avoid asking for password needlessly
if login will fail anyhow
2019-08-15 07:30:56 +00:00
8fdc77fed5 output to stdout 2019-08-14 10:33:23 +00:00
15094cab4f avoid ' character in usr/share/pam-configs; in description 2019-08-14 09:36:30 +00:00
97d1945e61 no log needed, informative output to stdout instead 2019-08-14 09:32:58 +00:00
a085d46c56 change priorities so "pam_umask.so usergroups umask=006" runs before pam_exec.so /usr/lib/security-misc/permission-lockdown 2019-08-14 09:31:58 +00:00
ce06fdf911 formatting 2019-08-14 05:15:53 -04:00
21489111d1 run permission lockdown during pam
https://forums.whonix.org/t/change-default-umask/7416
2019-08-14 08:34:03 +00:00
52df8dc014 optional pam_umask.so usergroups umask=006 2019-08-14 07:37:21 +00:00
2f37a66fd0 description 2019-08-11 10:31:29 +00:00
e83ec79a25 enable usr/share/pam-configs/mkhomedir-security-misc by default 2019-08-11 10:30:51 +00:00
1eb806a03e pam_mkhomedir.so umask=006 2019-08-11 10:29:49 +00:00
c50eb3c9b0 add usr/share/pam-configs/mkhomedir-security-misc based on
/usr/share/pam-configs/mkhomedir
2019-08-11 10:28:55 +00:00
a2fa18c381 pam_tally2.so deny=100
during testing, due to issues

d17e25272b

https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698/12
2019-08-10 07:07:28 -04:00
d17e25272b effectively (not directly) add "required pam_tally2.so debug" to /etc/pam.d/common-account
This is required because otherwise something like "sudo bash" would count as a
failed login for pam_tally2 even though it was successful.

https://bugzilla.redhat.com/show_bug.cgi?id=707660

https://forums.whonix.org/t/restrict-root-access/7658
2019-08-10 06:06:39 -04:00
0f896a9d8d add onerr=fail audit to pam_tally2 2019-08-10 06:05:37 -04:00
e076470f68 renamed: usr/share/pam-configs/usergroups -> usr/share/pam-configs/usergroups-security-misc 2019-08-01 11:04:58 +00:00
830111e99a split usr/share/pam-configs/security-misc
into
usr/share/pam-configs/tally2-security-misc
usr/share/pam-configs/wheel-security-misc
2019-08-01 11:04:22 +00:00
89d32402b2 fix, do not use "," inside /usr/share/pam-configs files 2019-07-31 14:52:29 -04:00
cf90668756 lock user accounts after 5 failed authentication attempts using pam_tally2 2019-07-31 03:25:02 -04:00
3e29761560 debug at the end 2019-07-31 03:17:06 -04:00
5cdb3edb32 usr/share/pam-configs/wheel -> usr/share/pam-configs/security-misc 2019-07-31 03:16:41 -04:00
3f9437f1ec Revert "set back to default group "root" rather than group "sudo" membership required to use su"
This reverts commit 2f276cdb10.
2019-07-17 14:25:19 -04:00
2f276cdb10 set back to default group "root" rather than group "sudo" membership required to use su
since root login will be locked by default anyhow

Thanks to @madaidan for providing the rationale!

https://forums.whonix.org/t/restrict-root-access/7658/42
2019-07-15 08:44:28 -04:00
6d1e8ac9a4 description 2019-07-14 11:16:49 +00:00
ffb61f43ea fix, add 'group=sudo' and 'debug' for debugging
https://forums.whonix.org/t/restrict-root-access/7658
2019-07-14 11:11:59 +00:00
e9eb38b5db formatting 2019-07-13 15:04:09 +00:00
cb668459e8 port umask from /etc/pam.d to /usr/share/pam-configs implementation
https://forums.whonix.org/t/change-default-umask/7416
2019-07-13 10:35:10 -04:00
69b97981f3 convert etc/pam.d/su.security-misc to usr/share/pam-configs/wheel
https://forums.whonix.org/t/restrict-root-access/7658/32
2019-07-13 12:33:51 +00:00
f9acd890a7 lintian 2019-06-09 10:24:24 +00:00
c040117fe4 lintian 2019-05-12 10:50:34 +00:00
811dcee2cb fix lintian warning 2019-04-05 09:26:18 -04:00
5b3fc2f6b9 update copyright 2018-01-29 15:22:05 +00:00
ff28f5932c update copyright 2018-01-29 15:09:42 +00:00
49cde21078 Whonix 14 KDE plasma 5 fixes
https://phabricator.whonix.org/T633
2017-02-21 19:54:41 +00:00
5ba2a5b6ff disable previews in nautilus by default for better security
copied solution by @unman

https://github.com/QubesOS/qubes-issues/issues/1108

https://github.com/QubesOS/qubes-core-agent-linux/pull/39

https://phabricator.whonix.org/T500
2017-02-19 22:25:28 +00:00
d3ccf0eeaf initial commit 2015-12-15 02:00:24 +00:00