ffba0e0179
Elaborate
2019-10-16 19:04:15 +00:00
f08c03ab21
Restrict sysfs/cpuinfo if the whitelist is disabled
2019-10-16 15:39:23 +00:00
6b78dbcd07
Add way to whitelist things
2019-10-15 20:57:02 +00:00
d2bc3a2a08
chmod +x usr/lib/security-misc/hide-hardware-info
2019-10-05 09:14:41 +00:00
87917d2f03
Add licensing
2019-10-03 21:38:07 +00:00
9449f5017a
Create hide-hardware-info
2019-10-03 20:45:14 +00:00
75258843e9
copyright
2019-09-16 13:03:43 +00:00
8e39cea876
comment
2019-09-16 13:03:25 +00:00
bac462f211
comment
2019-09-16 13:03:02 +00:00
bec680d4f3
pam_tally2-info: fix, do nothing when started as user "user"
...
xscreensaver runs as user "user", therefore pam_tally2 cannot function.
xscreensaver has its own failed login counter.
as user "user"
/sbin/pam_tally2 -u user
pam_tally2: Error opening /var/log/tallylog for update: Permission denied
/sbin/pam_tally2: Authentication error
https://askubuntu.com/questions/983183/how-lock-the-unlock-screen-after-wrong-password-attempts
https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698
2019-09-16 12:30:23 +00:00
0ae5c5ff14
remove umask changes since these are causing issues are are not needed anymore
...
thanks to home folder permission lockdown
https://forums.whonix.org/t/change-default-umask/7416/45
2019-08-24 12:14:22 -04:00
0140df8668
virusforget
2019-08-19 08:43:28 +00:00
113ab42568
virusforget
2019-08-19 08:31:23 +00:00
416906d4f9
virusforget
2019-08-19 08:19:35 +00:00
2d867d9fee
virusforget
2019-08-19 08:10:18 +00:00
8e76e6b8b3
fix
2019-08-19 07:48:12 +00:00
3f068f77fe
keep cache folder outside of reach of user since even user can remove files
...
owned by root in its home folder
2019-08-19 07:47:20 +00:00
1fa1efa58e
credits
2019-08-19 07:22:09 +00:00
1e026a3ebb
initial development version of VirusForget
2019-08-18 22:50:44 +00:00
41b2819ec8
PAM: abort on locked password
...
to avoid needlessly bumping pam_tally2 counter
https://forums.whonix.org/t/restrict-root-access/7658/1
2019-08-17 10:33:47 +00:00
ed90d8b025
change default umask to 027
...
as per:
https://forums.whonix.org/t/change-default-umask/7416/47
2019-08-17 09:55:20 +00:00
17cfcb63b6
code simplification; report locked account earlier
2019-08-16 10:50:56 -04:00
ff9bc1d7ea
informational output during PAM:
...
* Show failed and remaining password attempts.
* Document unlock procedure if Linux user account got locked.
* Point out, that there is no password feedback for `su`.
* Explain locked (root) account if locked.
* /usr/share/pam-configs/tally2-security-misc
* /usr/lib/security-misc/pam_tally2-info
2019-08-15 13:37:28 +00:00
454e135822
pam_tally2.so even_deny_root
2019-08-15 07:33:41 +00:00
63b476221c
use requisite rather than required to avoid asking for password needlessly
...
if login will fail anyhow
2019-08-15 07:30:56 +00:00
8fdc77fed5
output to stdout
2019-08-14 10:33:23 +00:00
547ba91d79
sanity test
2019-08-14 09:45:30 +00:00
799acad724
skip, if not a folder
2019-08-14 09:39:43 +00:00
6321ff5ad5
refactoring
2019-08-14 09:38:44 +00:00
15094cab4f
avoid ' character in usr/share/pam-configs; in description
2019-08-14 09:36:30 +00:00
97d1945e61
no log needed, informative output to stdout instead
2019-08-14 09:32:58 +00:00
a085d46c56
change priories so "pam_umask.so usergroups umask=006" runs before pam_exec.so /usr/lib/security-misc/permission-lockdown
2019-08-14 09:31:58 +00:00
f8c828b69a
output
2019-08-14 05:19:02 -04:00
e5da6d9699
copyright
2019-08-14 05:17:54 -04:00
1595789d7c
comment
2019-08-14 05:17:16 -04:00
ce06fdf911
formatting
2019-08-14 05:15:53 -04:00
21489111d1
run permission lockdown during pam
...
https://forums.whonix.org/t/change-default-umask/7416
2019-08-14 08:34:03 +00:00
52df8dc014
optional pam_umask.so usergroups umask=006
2019-08-14 07:37:21 +00:00
dbea7d1511
add hook etc/kernel/postinst.d/30_remove-system-map to remove system.map
...
on kernel package upgrade;
self-document this package: during upgrade the following will be written
to stdout:
Setting up linux-image-4.19.0-5-amd64 (4.19.37-5+deb10u2) ...
/etc/kernel/postinst.d/30_remove-system-map:
removed '/boot/System.map-4.19.0-5-amd64
2019-08-14 07:22:14 +00:00
2f37a66fd0
description
2019-08-11 10:31:29 +00:00
e83ec79a25
enable usr/share/pam-configs/mkhomedir-security-misc by default
2019-08-11 10:30:51 +00:00
1eb806a03e
pam_mkhomedir.so umask=006
2019-08-11 10:29:49 +00:00
c50eb3c9b0
add usr/share/pam-configs/mkhomedir-security-misc based on
...
/usr/share/pam-configs/mkhomedir
2019-08-11 10:28:55 +00:00
a2fa18c381
pam_tally2.so deny=100
...
during testing, due to issues
d17e25272bhttps://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698/12
2019-08-10 07:07:28 -04:00
d17e25272b
effectively (not directly) add "required pam_tally2.so debug" to /etc/pam.d/common-account
...
This is required because otherwise something like "sudo bash" would count as a
failed login for pam_tally2 even though it was successful.
https://bugzilla.redhat.com/show_bug.cgi?id=707660
https://forums.whonix.org/t/restrict-root-access/7658
2019-08-10 06:06:39 -04:00
0f896a9d8d
add onerr=fail audit to pam_tally2
2019-08-10 06:05:37 -04:00
e076470f68
renamed: usr/share/pam-configs/usergroups -> usr/share/pam-configs/usergroups-security-misc
2019-08-01 11:04:58 +00:00
830111e99a
split usr/share/pam-configs/security-misc
...
into
usr/share/pam-configs/tally2-security-misc
usr/share/pam-configs/wheel-security-misc
2019-08-01 11:04:22 +00:00
89d32402b2
fix, do not use "," inside /usr/share/pam-configs files
2019-07-31 14:52:29 -04:00
cf90668756
lock user accounts after 5 failed authentication attempts using pam_tally2
2019-07-31 03:25:02 -04:00
