729fa26eca
use pam_acccess only for /etc/pam.d/login
...
remove "Allow members of group 'ssh' to login."
remove "+:ssh:ALL EXCEPT LOCAL"
2019-12-12 09:00:08 -05:00
6c564f6e95
Create permission-hardening.conf
2019-12-08 16:50:11 +00:00
9432d16378
/usr/bin/cat mrix,
2019-12-07 12:13:42 -05:00
c1800b13fe
separate group "ssh" for incoming ssh console permission
...
Thanks to @madaidan
https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/16
2019-12-07 11:26:39 -05:00
8636d2f629
add securetty
2019-12-07 06:51:10 -05:00
8b3f5a555b
add console lockdown to pam info output
2019-12-07 06:25:45 -05:00
021b06dac9
add hvc0 to hvc9
2019-12-07 06:04:45 -05:00
8a59662a44
comment
2019-12-07 06:02:45 -05:00
cda6724755
add pts/0 to pts/9
2019-12-07 05:56:57 -05:00
218cbddba9
comment
2019-12-07 05:52:06 -05:00
6479c883bf
Console Lockdown.
...
Allow members of group 'console' to use tty1 to tty7. Everyone else except
members of group 'console-unrestricted' are restricted from using console
using ancient, unpopular login methods such as using /bin/login over networks,
which might be exploitable. (CVE-2001-0797)
Not enabled by default in this package since this package does not know which
users shall be added to group 'console'.
In new Whonix builds, user 'user" will be added to group 'console' and
pam console-lockdown enabled by package anon-base-files.
/usr/share/pam-configs/console-lockdown
/etc/security/access-security-misc.conf
https://forums.whonix.org/t/etc-security-hardening/8592
2019-12-07 05:40:20 -05:00
8cf5ed990a
comment
2019-12-05 15:52:24 -05:00
30289c68c2
Enable reverse path filtering
2019-12-05 20:13:10 +00:00
0c25a96b59
description / comments
2019-12-03 02:18:32 -05:00
5da2a27bf0
Distrust the CPU for initial entropy
2019-12-02 16:43:00 +00:00
d9d6d07714
/dev/pts/[0-9]* rw,
2019-11-26 17:12:12 +00:00
d32024a3da
/usr/sbin/pam_tally2 mrix,
...
https://forums.whonix.org/t/apparmor-for-complete-system-including-init-pid1-systemd-everything-full-system-mac-policy/8339/152
2019-11-23 05:53:19 -05:00
81e4f580af
etc/apparmor.d/usr.lib.security-misc.permission-lockdown: /usr/bin/chmod mrix,
2019-11-19 15:29:02 +00:00
477d476bb1
etc/apparmor.d/usr.lib.security-misc.pam_tally2-info: add '#include <abstractions/base>'
2019-11-10 08:29:44 -05:00
11dc23bf08
etc/apparmor.d/usr.lib.security-misc.permission-lockdown: add '#include <abstractions/base>'
2019-11-10 08:28:32 -05:00
9f2932faab
/usr/bin/id rix,
2019-11-09 13:32:21 -05:00
94d40c68d4
do not set kernel boot parameter page_poison=1 in Qubes since does not work
...
https://github.com/QubesOS/qubes-issues/issues/5212#issuecomment-533873012
2019-11-05 10:02:55 -05:00
f57702c158
comments; copyright
2019-11-05 09:55:43 -05:00
b55c2fd62e
Enables punycode (network.IDN_show_punycode) by default in Thunderbird
...
to make phising attacks more difficult. Fixing URL not showing real Domain
Name (Homograph attack).
https://forums.whonix.org/t/enable-network-idn-show-punycode-by-default-in-thunderbird-to-fix-url-not-showing-real-domain-name-homograph-attack-punycode/8415
2019-11-03 02:50:51 -05:00
e1375802eb
apparmor fix
...
https://forums.whonix.org/t/apparmor-for-complete-system-including-init-pid1-systemd-everything-full-system-mac-policy/8339/67
2019-10-31 16:32:28 +00:00
203d5cfa68
copyright
2019-10-31 11:19:44 -04:00
0e49bdc45f
Licensing
2019-10-28 14:26:14 +00:00
5d5ad92638
Licensing
2019-10-28 14:26:05 +00:00
1b8b3610b1
Create usr.lib.security-misc.pam_tally2-info
2019-10-28 14:20:59 +00:00
29b05546e4
Create usr.lib.security-misc.permission-lockdown
2019-10-28 14:20:08 +00:00
40707e70db
Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with hidepid.
...
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040
https://forums.whonix.org/t/cannot-use-pkexec/8129
Thanks to AnonymousUser for the bug report!
2019-10-21 05:46:49 -04:00
0b8725306f
renamed: etc/hide-hardware-info.d/30_whitelist.conf -> etc/hide-hardware-info.d/30_default.conf
2019-10-17 06:13:44 -04:00
8a42c5b023
Merge pull request #34 from madaidan/whitelist
...
Add a whitelist for /sys and /proc/cpuinfo
2019-10-17 09:59:12 +00:00
4f5b7816ec
Elaborate
2019-10-16 19:01:49 +00:00
99a762d3dc
KASLR is different from ASLR
2019-10-16 18:53:04 +00:00
a14a2854c6
Elaborate
2019-10-16 18:52:14 +00:00
a47a2fca8b
Create 30_whitelist.conf
2019-10-15 20:58:58 +00:00
c22738be02
comments
2019-10-07 08:25:45 +00:00
75f36bc2c9
comments
2019-10-07 08:25:07 +00:00
e92a8a6966
comments
2019-10-07 08:24:02 +00:00
60c044a9d6
copyright / comments
2019-10-07 05:30:56 +00:00
cd2135ff82
comments
2019-10-06 10:18:24 +00:00
8b4f2befd4
comment out sack by default
...
https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109/8?u=patrick
2019-10-05 13:15:34 +00:00
02096f8d7c
Revert "undo Disabling TCP SACK, DSACK, FACK"
...
This reverts commit 5fb4eb8e56
2019-10-05 13:13:46 +00:00
5fb4eb8e56
undo Disabling TCP SACK, DSACK, FACK
...
https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109/5
2019-10-05 07:00:47 -04:00
d0c6bb1e90
Disable TCP DSACK and FACK
2019-10-04 17:35:54 +00:00
f13a73e569
undo SysRq restrictions
...
https://forums.whonix.org/t/sysrq-magic-sysrq-key/8079
2019-09-10 12:35:42 -04:00
60db7e6294
fix typo
2019-09-07 20:08:56 +00:00
7affddb3bb
blacklist modules with /bin/false rather than /bin/true to fail with error
...
message rather than failing without notification
2019-09-07 05:47:34 +00:00
661bcd8603
allow loading unsigned modules due to issues
...
https://forums.whonix.org/t/allow-loading-signed-kernel-modules-by-default-disallow-kernel-module-loading-by-default/7880/23
2019-09-07 05:39:56 +00:00
