c7c65fe4e7
higher priority usr/share/pam-configs/tally2-security-misc
...
so it can give info before pam stack gets aborted by other pam modules
2019-12-08 03:15:53 -05:00
19cc6d7555
pam description
2019-12-08 02:10:43 -05:00
b871421a54
usr/share/pam-configs/console-lockdown -> usr/share/pam-configs/console-lockdown-security-misc
2019-12-08 01:57:43 -05:00
6479c883bf
Console Lockdown.
...
Allow members of group 'console' to use tty1 to tty7. Everyone else except
members of group 'console-unrestricted' are restricted from using console
using ancient, unpopular login methods such as using /bin/login over networks,
which might be exploitable. (CVE-2001-0797)
Not enabled by default in this package since this package does not know which
users shall be added to group 'console'.
In new Whonix builds, user 'user' will be added to group 'console' and
pam console-lockdown enabled by package anon-base-files.
/usr/share/pam-configs/console-lockdown
/etc/security/access-security-misc.conf
https://forums.whonix.org/t/etc-security-hardening/8592
2019-12-07 05:40:20 -05:00
aa5451c8cd
Lock user accounts after 50 rather than 100 failed login attempts.
...
https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698/19
2019-11-25 01:39:53 -05:00
03e8023847
output
2019-11-22 14:11:30 -05:00
2e73c053b5
fix lintian warning
2019-11-09 12:55:00 +00:00
203d5cfa68
copyright
2019-10-31 11:19:44 -04:00
1e4d0ea1d0
fix lintian warning
2019-10-21 09:55:05 +00:00
0ae5c5ff14
remove umask changes since these are causing issues and are not needed anymore
...
thanks to home folder permission lockdown
https://forums.whonix.org/t/change-default-umask/7416/45
2019-08-24 12:14:22 -04:00
41b2819ec8
PAM: abort on locked password
...
to avoid needlessly bumping pam_tally2 counter
https://forums.whonix.org/t/restrict-root-access/7658/1
2019-08-17 10:33:47 +00:00
ed90d8b025
change default umask to 027
...
as per:
https://forums.whonix.org/t/change-default-umask/7416/47
2019-08-17 09:55:20 +00:00
ff9bc1d7ea
informational output during PAM:
...
* Show failed and remaining password attempts.
* Document unlock procedure if Linux user account got locked.
* Point out that there is no password feedback for `su`.
* Explain locked (root) account if locked.
* /usr/share/pam-configs/tally2-security-misc
* /usr/lib/security-misc/pam_tally2-info
2019-08-15 13:37:28 +00:00
454e135822
pam_tally2.so even_deny_root
2019-08-15 07:33:41 +00:00
63b476221c
use requisite rather than required to avoid asking for password needlessly
...
if login will fail anyhow
2019-08-15 07:30:56 +00:00
8fdc77fed5
output to stdout
2019-08-14 10:33:23 +00:00
15094cab4f
avoid ' character in usr/share/pam-configs; in description
2019-08-14 09:36:30 +00:00
97d1945e61
no log needed, informative output to stdout instead
2019-08-14 09:32:58 +00:00
a085d46c56
change priorities so "pam_umask.so usergroups umask=006" runs before pam_exec.so /usr/lib/security-misc/permission-lockdown
2019-08-14 09:31:58 +00:00
ce06fdf911
formatting
2019-08-14 05:15:53 -04:00
21489111d1
run permission lockdown during pam
...
https://forums.whonix.org/t/change-default-umask/7416
2019-08-14 08:34:03 +00:00
52df8dc014
optional pam_umask.so usergroups umask=006
2019-08-14 07:37:21 +00:00
2f37a66fd0
description
2019-08-11 10:31:29 +00:00
e83ec79a25
enable usr/share/pam-configs/mkhomedir-security-misc by default
2019-08-11 10:30:51 +00:00
1eb806a03e
pam_mkhomedir.so umask=006
2019-08-11 10:29:49 +00:00
c50eb3c9b0
add usr/share/pam-configs/mkhomedir-security-misc based on
...
/usr/share/pam-configs/mkhomedir
2019-08-11 10:28:55 +00:00
a2fa18c381
pam_tally2.so deny=100
...
during testing, due to issues
d17e25272b
https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698/12
2019-08-10 07:07:28 -04:00
d17e25272b
effectively (not directly) add "required pam_tally2.so debug" to /etc/pam.d/common-account
...
This is required because otherwise something like "sudo bash" would count as a
failed login for pam_tally2 even though it was successful.
https://bugzilla.redhat.com/show_bug.cgi?id=707660
https://forums.whonix.org/t/restrict-root-access/7658
2019-08-10 06:06:39 -04:00
0f896a9d8d
add onerr=fail audit to pam_tally2
2019-08-10 06:05:37 -04:00
e076470f68
renamed: usr/share/pam-configs/usergroups -> usr/share/pam-configs/usergroups-security-misc
2019-08-01 11:04:58 +00:00
830111e99a
split usr/share/pam-configs/security-misc
...
into
usr/share/pam-configs/tally2-security-misc
usr/share/pam-configs/wheel-security-misc
2019-08-01 11:04:22 +00:00
89d32402b2
fix, do not use "," inside /usr/share/pam-configs files
2019-07-31 14:52:29 -04:00
cf90668756
lock user accounts after 5 failed authentication attempts using pam_tally2
2019-07-31 03:25:02 -04:00
3e29761560
debug at the end
2019-07-31 03:17:06 -04:00
5cdb3edb32
usr/share/pam-configs/wheel -> usr/share/pam-configs/security-misc
2019-07-31 03:16:41 -04:00
3f9437f1ec
Revert "set back to default group "root" rather than group "sudo" membership required to use su"
...
This reverts commit 2f276cdb10.
2019-07-17 14:25:19 -04:00
2f276cdb10
set back to default group "root" rather than group "sudo" membership required to use su
...
since root login will be locked by default anyhow
Thanks to @madaidan for providing the rationale!
https://forums.whonix.org/t/restrict-root-access/7658/42
2019-07-15 08:44:28 -04:00
6d1e8ac9a4
description
2019-07-14 11:16:49 +00:00
ffb61f43ea
fix, add 'group=sudo' and 'debug' for debugging
...
https://forums.whonix.org/t/restrict-root-access/7658
2019-07-14 11:11:59 +00:00
e9eb38b5db
formatting
2019-07-13 15:04:09 +00:00
cb668459e8
port umask from /etc/pam.d to /usr/share/pam-configs implementation
...
https://forums.whonix.org/t/change-default-umask/7416
2019-07-13 10:35:10 -04:00
69b97981f3
convert etc/pam.d/su.security-misc to usr/share/pam-configs/wheel
...
https://forums.whonix.org/t/restrict-root-access/7658/32
2019-07-13 12:33:51 +00:00
f9acd890a7
lintian
2019-06-09 10:24:24 +00:00
c040117fe4
lintian
2019-05-12 10:50:34 +00:00
811dcee2cb
fix lintian warning
2019-04-05 09:26:18 -04:00
5b3fc2f6b9
update copyright
2018-01-29 15:22:05 +00:00
ff28f5932c
update copyright
2018-01-29 15:09:42 +00:00
49cde21078
Whonix 14 KDE plasma 5 fixes
...
https://phabricator.whonix.org/T633
2017-02-21 19:54:41 +00:00
5ba2a5b6ff
disable previews in nautilus by default for better security
...
copied solution by @unman
https://github.com/QubesOS/qubes-issues/issues/1108
https://github.com/QubesOS/qubes-core-agent-linux/pull/39
https://phabricator.whonix.org/T500
2017-02-19 22:25:28 +00:00
d3ccf0eeaf
initial commit
2015-12-15 02:00:24 +00:00