security-misc

mirror of https://github.com/Kicksecure/security-misc.git synced 2025-07-13 17:29:47 +07:00

Author	SHA1	Message	Date
Patrick Schleizer	55709b3aa0	/tmp tmpfs https://github.com/Kicksecure/security-misc/issues/157	2023-12-25 09:30:57 -05:00
Patrick Schleizer	b0dd967611	usrmerge https://github.com/Kicksecure/security-misc/issues/157	2023-12-25 09:28:08 -05:00
Patrick Schleizer	269fada14a	combine bind lines https://github.com/Kicksecure/security-misc/issues/157	2023-12-25 09:25:14 -05:00
Patrick Schleizer	039de1dc9b	add hardened fstab `/usr/share/doc/security-misc/fstab-vm` to the documentation folder as an example not directly used by security-misc will later be used by Kicksecure VM build process https://github.com/Kicksecure/security-misc/issues/157	2023-12-12 11:50:11 -05:00
Patrick Schleizer	3bc831a1f7	lintian	2023-11-06 16:27:29 -05:00
Patrick Schleizer	b85d48eb83	do not change default umask for root since this causes permission issues in `/etc/` https://github.com/Kicksecure/security-misc/pull/151	2023-11-03 10:31:59 -04:00
Patrick Schleizer	07540db90d	Revert "Revert "set default umask to 027"" This reverts commit `f8913ceb2e`.	2023-11-03 09:45:12 -04:00
Patrick Schleizer	f8913ceb2e	Revert "set default umask to 027" This reverts commit `cd216095eb`.	2023-11-03 09:43:44 -04:00
Patrick Schleizer	cd216095eb	set default umask to 027 using package libpam-umask https://www.debian.org/doc/manuals/securing-debian-manual/ch04s11.en.html#id-1.5.14.19 https://github.com/Kicksecure/security-misc/pull/151	2023-11-03 09:12:24 -04:00
Patrick Schleizer	a7629b98cf	fix	2023-10-22 15:40:49 -04:00
Patrick Schleizer	25760f7024	bookworm	2023-06-13 08:34:41 +00:00
Raja Grewal	7a4212dd76	Update copyright	2023-03-30 17:08:47 +11:00
Patrick Schleizer	b87d9eb865	lintian	2023-01-24 07:08:13 -05:00
Patrick Schleizer	d31c17ea04	fix	2023-01-07 14:31:14 -05:00
Patrick Schleizer	41d116aa2f	lintian	2023-01-07 14:30:12 -05:00
Patrick Schleizer	8b584c570a	lintian	2022-06-29 16:06:22 -04:00
Patrick Schleizer	1c51d15649	lintian	2022-06-29 15:23:53 -04:00
Patrick Schleizer	6eba53767f	lintian	2022-06-29 14:17:52 -04:00
Patrick Schleizer	cfae7de6a8	lintian	2022-06-29 09:58:37 -04:00
Patrick Schleizer	2d37e3a1af	copyright	2022-05-20 14:46:38 -04:00
Patrick Schleizer	be8c10496f	fix faillock implementation dovecot / ssh are exempted	2021-09-01 15:55:53 -04:00
Patrick Schleizer	582492d6d8	port from pam_tally2 to pam_faillock since pam_tally2 was deprecated upstream	2021-08-10 17:13:00 -04:00
Patrick Schleizer	2bf0e7471c	port from pam_tally2 to pam_faillock since pam_tally2 was deprecated upstream	2021-08-10 15:11:01 -04:00
Patrick Schleizer	2aea74bd71	renamed: usr/libexec/security-misc/pam_tally2-info -> usr/libexec/security-misc/pam-info renamed: usr/libexec/security-misc/pam_tally2_not_if_x -> usr/libexec/security-misc/pam_faillock_not_if_x renamed: usr/share/pam-configs/tally2-security-misc -> usr/share/pam-configs/faillock-security-misc	2021-08-10 15:06:04 -04:00
Patrick Schleizer	50bdd097df	move /usr/lib/security-misc to /usr/libexec/security-misc as per lintian FHS	2021-08-03 12:56:31 -04:00
Patrick Schleizer	8eae635668	update lintian tag name	2021-08-03 11:51:31 -04:00
Patrick Schleizer	b3e34f7f43	comment	2021-07-25 11:27:07 -04:00
Patrick Schleizer	7e128636b3	improve LKRG VirtualBox host configuration as per https://github.com/openwall/lkrg/issues/82#issuecomment-886188999	2021-07-25 11:26:20 -04:00
Patrick Schleizer	257cef24ba	add LKRG compatibility settings automation for VirtualBox hosts https://github.com/openwall/lkrg/issues/82	2021-07-24 18:03:40 -04:00
Patrick Schleizer	a67007f4b7	copyright	2021-03-17 09:45:21 -04:00
Patrick Schleizer	9622f28e25	skip counting failed login attempts from dovecot Failed dovecot logins should not result in account getting locked. revert "use pam_tally2 only for login"	2021-01-27 05:49:34 -05:00
Patrick Schleizer	6757104aa4	use pam_tally2 only for login to skip counting failed login attempts over ssh and mail login	2021-01-24 05:04:48 -05:00
Patrick Schleizer	5c81e1f23f	import from anon-gpg-conf	2020-04-06 09:25:45 -04:00
Patrick Schleizer	2ceea8d1fe	update copyright year	2020-04-01 08:49:59 -04:00
Patrick Schleizer	300f010fc2	increase priority of pam-abort-on-locked-password-security-misc since it has its own user help output so it shows before pam tally2 info to avoid duplicate non-applicable help text	2019-12-12 09:29:00 -05:00
Patrick Schleizer	729fa26eca	use pam_acccess only for /etc/pam.d/login remove "Allow members of group 'ssh' to login." remove "+:ssh:ALL EXCEPT LOCAL"	2019-12-12 09:00:08 -05:00
Patrick Schleizer	c192644ee3	security-misc `/usr/share/pam-configs/permission-lockdown-security-misc` is no longer required, removed. Thereby fix apparmor issue. > Dec 08 09:47:50 host audit[3232]: AVC apparmor="DENIED" operation="exec" profile="/usr/bin/whonixcheck" name="/usr/lib/security-misc/permission-lockdown" pid=3232 comm="sudo" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 > Dec 08 09:47:50 host sudo[3232]: pam_exec(sudo:session): execve(/usr/lib/security-misc/permission-lockdown,...) failed: Permission denied It is no longer required, because... existing linux user accounts: * Get permission lock down because security-misc `debian/security-misc.postinst` calls `/usr/lib/security-misc/permission-lockdown`. new linux user accounts (created at first boot): * security-misc `/usr/share/pam-configs/mkhomedir-security-misc` pam mkhomedir sets secure permissions using `umask=027`.	2019-12-08 05:21:35 -05:00
Patrick Schleizer	c7c65fe4e7	higher priority usr/share/pam-configs/tally2-security-misc so it can give info before pam stack gets aborted by other pam modules	2019-12-08 03:15:53 -05:00
Patrick Schleizer	19cc6d7555	pam description	2019-12-08 02:10:43 -05:00
Patrick Schleizer	b871421a54	usr/share/pam-configs/console-lockdown -> usr/share/pam-configs/console-lockdown-security-misc	2019-12-08 01:57:43 -05:00
Patrick Schleizer	6479c883bf	Console Lockdown. Allow members of group 'console' to use tty1 to tty7. Everyone else except members of group 'console-unrestricted' are restricted from using console using ancient, unpopular login methods such as using /bin/login over networks, which might be exploitable. (CVE-2001-0797) Not enabled by default in this package since this package does not know which users shall be added to group 'console'. In new Whonix builds, user 'user" will be added to group 'console' and pam console-lockdown enabled by package anon-base-files. /usr/share/pam-configs/console-lockdown /etc/security/access-security-misc.conf https://forums.whonix.org/t/etc-security-hardening/8592	2019-12-07 05:40:20 -05:00
Patrick Schleizer	aa5451c8cd	Lock user accounts after 50 rather than 100 failed login attempts. https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698/19	2019-11-25 01:39:53 -05:00
Patrick Schleizer	03e8023847	output	2019-11-22 14:11:30 -05:00
Patrick Schleizer	2e73c053b5	fix lintian warning	2019-11-09 12:55:00 +00:00
Patrick Schleizer	203d5cfa68	copyright	2019-10-31 11:19:44 -04:00
Patrick Schleizer	1e4d0ea1d0	fix lintian warning	2019-10-21 09:55:05 +00:00
Patrick Schleizer	0ae5c5ff14	remove umask changes since these are causing issues are are not needed anymore thanks to home folder permission lockdown https://forums.whonix.org/t/change-default-umask/7416/45	2019-08-24 12:14:22 -04:00
Patrick Schleizer	41b2819ec8	PAM: abort on locked password to avoid needlessly bumping pam_tally2 counter https://forums.whonix.org/t/restrict-root-access/7658/1	2019-08-17 10:33:47 +00:00
Patrick Schleizer	ed90d8b025	change default umask to 027 as per: https://forums.whonix.org/t/change-default-umask/7416/47	2019-08-17 09:55:20 +00:00
Patrick Schleizer	ff9bc1d7ea	informational output during PAM: * Show failed and remaining password attempts. * Document unlock procedure if Linux user account got locked. * Point out, that there is no password feedback for `su`. * Explain locked (root) account if locked. * /usr/share/pam-configs/tally2-security-misc * /usr/lib/security-misc/pam_tally2-info	2019-08-15 13:37:28 +00:00

1 2

87 Commits