security-misc

mirror of https://github.com/Kicksecure/security-misc.git synced 2025-07-11 00:10:00 +07:00

Author	SHA1	Message	Date
Patrick Schleizer	c7c65fe4e7	higher priority usr/share/pam-configs/tally2-security-misc so it can give info before pam stack gets aborted by other pam modules	2019-12-08 03:15:53 -05:00
Patrick Schleizer	19cc6d7555	pam description	2019-12-08 02:10:43 -05:00
Patrick Schleizer	b871421a54	usr/share/pam-configs/console-lockdown -> usr/share/pam-configs/console-lockdown-security-misc	2019-12-08 01:57:43 -05:00
Patrick Schleizer	6479c883bf	Console Lockdown. Allow members of group 'console' to use tty1 to tty7. Everyone else except members of group 'console-unrestricted' are restricted from using console using ancient, unpopular login methods such as using /bin/login over networks, which might be exploitable. (CVE-2001-0797) Not enabled by default in this package since this package does not know which users shall be added to group 'console'. In new Whonix builds, user 'user" will be added to group 'console' and pam console-lockdown enabled by package anon-base-files. /usr/share/pam-configs/console-lockdown /etc/security/access-security-misc.conf https://forums.whonix.org/t/etc-security-hardening/8592	2019-12-07 05:40:20 -05:00
Patrick Schleizer	aa5451c8cd	Lock user accounts after 50 rather than 100 failed login attempts. https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698/19	2019-11-25 01:39:53 -05:00
Patrick Schleizer	03e8023847	output	2019-11-22 14:11:30 -05:00
Patrick Schleizer	2e73c053b5	fix lintian warning	2019-11-09 12:55:00 +00:00
Patrick Schleizer	203d5cfa68	copyright	2019-10-31 11:19:44 -04:00
Patrick Schleizer	1e4d0ea1d0	fix lintian warning	2019-10-21 09:55:05 +00:00
Patrick Schleizer	0ae5c5ff14	remove umask changes since these are causing issues are are not needed anymore thanks to home folder permission lockdown https://forums.whonix.org/t/change-default-umask/7416/45	2019-08-24 12:14:22 -04:00
Patrick Schleizer	41b2819ec8	PAM: abort on locked password to avoid needlessly bumping pam_tally2 counter https://forums.whonix.org/t/restrict-root-access/7658/1	2019-08-17 10:33:47 +00:00
Patrick Schleizer	ed90d8b025	change default umask to 027 as per: https://forums.whonix.org/t/change-default-umask/7416/47	2019-08-17 09:55:20 +00:00
Patrick Schleizer	ff9bc1d7ea	informational output during PAM: * Show failed and remaining password attempts. * Document unlock procedure if Linux user account got locked. * Point out, that there is no password feedback for `su`. * Explain locked (root) account if locked. * /usr/share/pam-configs/tally2-security-misc * /usr/lib/security-misc/pam_tally2-info	2019-08-15 13:37:28 +00:00
Patrick Schleizer	454e135822	pam_tally2.so even_deny_root	2019-08-15 07:33:41 +00:00
Patrick Schleizer	63b476221c	use requisite rather than required to avoid asking for password needlessly if login will fail anyhow	2019-08-15 07:30:56 +00:00
Patrick Schleizer	8fdc77fed5	output to stdout	2019-08-14 10:33:23 +00:00
Patrick Schleizer	15094cab4f	avoid ' character in usr/share/pam-configs; in description	2019-08-14 09:36:30 +00:00
Patrick Schleizer	97d1945e61	no log needed, informative output to stdout instead	2019-08-14 09:32:58 +00:00
Patrick Schleizer	a085d46c56	change priories so "pam_umask.so usergroups umask=006" runs before pam_exec.so /usr/lib/security-misc/permission-lockdown	2019-08-14 09:31:58 +00:00
Patrick Schleizer	ce06fdf911	formatting	2019-08-14 05:15:53 -04:00
Patrick Schleizer	21489111d1	run permission lockdown during pam https://forums.whonix.org/t/change-default-umask/7416	2019-08-14 08:34:03 +00:00
Patrick Schleizer	52df8dc014	optional pam_umask.so usergroups umask=006	2019-08-14 07:37:21 +00:00
Patrick Schleizer	2f37a66fd0	description	2019-08-11 10:31:29 +00:00
Patrick Schleizer	e83ec79a25	enable usr/share/pam-configs/mkhomedir-security-misc by default	2019-08-11 10:30:51 +00:00
Patrick Schleizer	1eb806a03e	pam_mkhomedir.so umask=006	2019-08-11 10:29:49 +00:00
Patrick Schleizer	c50eb3c9b0	add usr/share/pam-configs/mkhomedir-security-misc based on /usr/share/pam-configs/mkhomedir	2019-08-11 10:28:55 +00:00
Patrick Schleizer	a2fa18c381	pam_tally2.so deny=100 during testing, due to issues `d17e25272b` https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698/12	2019-08-10 07:07:28 -04:00
Patrick Schleizer	d17e25272b	effectively (not directly) add "required pam_tally2.so debug" to /etc/pam.d/common-account This is required because otherwise something like "sudo bash" would count as a failed login for pam_tally2 even though it was successful. https://bugzilla.redhat.com/show_bug.cgi?id=707660 https://forums.whonix.org/t/restrict-root-access/7658	2019-08-10 06:06:39 -04:00
Patrick Schleizer	0f896a9d8d	add onerr=fail audit to pam_tally2	2019-08-10 06:05:37 -04:00
Patrick Schleizer	e076470f68	renamed: usr/share/pam-configs/usergroups -> usr/share/pam-configs/usergroups-security-misc	2019-08-01 11:04:58 +00:00
Patrick Schleizer	830111e99a	split usr/share/pam-configs/security-misc into usr/share/pam-configs/tally2-security-misc usr/share/pam-configs/wheel-security-misc	2019-08-01 11:04:22 +00:00
Patrick Schleizer	89d32402b2	fix, do not use "," inside /usr/share/pam-configs files	2019-07-31 14:52:29 -04:00
Patrick Schleizer	cf90668756	lock user accounts after 5 failed authentication attempts using pam_tally2	2019-07-31 03:25:02 -04:00
Patrick Schleizer	3e29761560	debug at the end	2019-07-31 03:17:06 -04:00
Patrick Schleizer	5cdb3edb32	usr/share/pam-configs/wheel -> usr/share/pam-configs/security-misc	2019-07-31 03:16:41 -04:00
Patrick Schleizer	3f9437f1ec	Revert "set back to default group "root" rather than group "sudo" membership required to use su" This reverts commit `2f276cdb10`.	2019-07-17 14:25:19 -04:00
Patrick Schleizer	2f276cdb10	set back to default group "root" rather than group "sudo" membership required to use su since root login will be locked by default anyhow Thanks to @madaidan for providing the rationale! https://forums.whonix.org/t/restrict-root-access/7658/42	2019-07-15 08:44:28 -04:00
Patrick Schleizer	6d1e8ac9a4	description	2019-07-14 11:16:49 +00:00
Patrick Schleizer	ffb61f43ea	fix, add 'group=sudo' and 'debug' for debugging https://forums.whonix.org/t/restrict-root-access/7658	2019-07-14 11:11:59 +00:00
Patrick Schleizer	e9eb38b5db	formatting	2019-07-13 15:04:09 +00:00
Patrick Schleizer	cb668459e8	port umask from /etc/pam.d to /usr/share/pam-configs implementation https://forums.whonix.org/t/change-default-umask/7416	2019-07-13 10:35:10 -04:00
Patrick Schleizer	69b97981f3	convert etc/pam.d/su.security-misc to usr/share/pam-configs/wheel https://forums.whonix.org/t/restrict-root-access/7658/32	2019-07-13 12:33:51 +00:00
Patrick Schleizer	f9acd890a7	lintian	2019-06-09 10:24:24 +00:00
Patrick Schleizer	c040117fe4	lintian	2019-05-12 10:50:34 +00:00
Patrick Schleizer	811dcee2cb	fix lintian warning	2019-04-05 09:26:18 -04:00
Patrick Schleizer	5b3fc2f6b9	update copyright	2018-01-29 15:22:05 +00:00
Patrick Schleizer	ff28f5932c	update copyright	2018-01-29 15:09:42 +00:00
Patrick Schleizer	49cde21078	Whonix 14 KDE plasma 5 fixes https://phabricator.whonix.org/T633	2017-02-21 19:54:41 +00:00
Patrick Schleizer	5ba2a5b6ff	disable previews in nautilus by default for better security copied solution by @unman https://github.com/QubesOS/qubes-issues/issues/1108 https://github.com/QubesOS/qubes-core-agent-linux/pull/39 https://phabricator.whonix.org/T500	2017-02-19 22:25:28 +00:00
Patrick Schleizer	d3ccf0eeaf	initial commit	2015-12-15 02:00:24 +00:00

50 Commits