Commit Graph

136 Commits

Author SHA1 Message Date
8e112c3423 description 2019-12-20 06:53:24 -05:00
24ea70384b description 2019-12-20 06:53:03 -05:00
2c4170e6f3 description 2019-12-12 09:47:58 -05:00
2d5ef378f3 description 2019-12-12 09:39:39 -05:00
c192644ee3 security-misc /usr/share/pam-configs/permission-lockdown-security-misc is no longer required, removed.
Thereby fix apparmor issue.

> Dec 08 09:47:50 host audit[3232]: AVC apparmor="DENIED" operation="exec" profile="/usr/bin/whonixcheck" name="/usr/lib/security-misc/permission-lockdown" pid=3232 comm="sudo" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
> Dec 08 09:47:50 host sudo[3232]: pam_exec(sudo:session): execve(/usr/lib/security-misc/permission-lockdown,...) failed: Permission denied

It is no longer required, because...

existing linux user accounts:

* Get permission lock down because security-misc `debian/security-misc.postinst` calls `/usr/lib/security-misc/permission-lockdown`.

new linux user accounts (created at first boot):

* security-misc `/usr/share/pam-configs/mkhomedir-security-misc` pam mkhomedir sets secure permissions using `umask=027`.
2019-12-08 05:21:35 -05:00
1dbca1ea2d add usr/bin/hardening-enable 2019-12-08 02:27:09 -05:00
24423b42f0 description 2019-12-08 02:03:05 -05:00
66bebefc9f description 2019-12-08 02:00:23 -05:00
b871421a54 usr/share/pam-configs/console-lockdown -> usr/share/pam-configs/console-lockdown-security-misc 2019-12-08 01:57:43 -05:00
1464f01d19 description 2019-12-08 01:30:42 -05:00
55225aa30e description 2019-12-07 07:16:07 -05:00
34a2bc16c8 description 2019-12-07 07:15:58 -05:00
d823f06c78 description 2019-12-07 07:13:42 -05:00
090ddbe96a description 2019-12-07 06:00:41 -05:00
6479c883bf Console Lockdown.
Allow members of group 'console' to use tty1 to tty7. Everyone else except
members of group 'console-unrestricted' are restricted from using console
using ancient, unpopular login methods such as using /bin/login over networks,
which might be exploitable. (CVE-2001-0797)

Not enabled by default in this package since this package does not know which
users shall be added to group 'console'.

In new Whonix builds, user 'user" will be added to group 'console' and
pam console-lockdown enabled by package anon-base-files.

/usr/share/pam-configs/console-lockdown

/etc/security/access-security-misc.conf

https://forums.whonix.org/t/etc-security-hardening/8592
2019-12-07 05:40:20 -05:00
6d92d03b31 description 2019-12-07 01:54:50 -05:00
470cad6e91 remount /home /tmp /dev/shm /run with nosuid,nodev (default) and noexec (opt-in)
https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707
2019-12-06 05:14:02 -05:00
af9e19c51f Update control 2019-12-05 20:14:55 +00:00
0c25a96b59 description / comments 2019-12-03 02:18:32 -05:00
8d63da3cef Update control 2019-12-02 16:46:12 +00:00
25aed91eb1 description 2019-11-28 09:20:46 -05:00
0c4e5df3e0 description 2019-11-28 09:18:05 -05:00
5ac2a6f9ac description 2019-11-28 09:17:32 -05:00
aa5451c8cd Lock user accounts after 50 rather than 100 failed login attempts.
https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698/19
2019-11-25 01:39:53 -05:00
fe1f1b73a7 load jitterentropy_rng kernel module for better entropy collection
https://www.whonix.org/wiki/Dev/Entropy

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927972

https://forums.whonix.org/t/jitterentropy-rngd/7204
2019-11-23 11:20:32 +00:00
b55c2fd62e Enables punycode (network.IDN_show_punycode) by default in Thunderbird
to make phising attacks more difficult. Fixing URL not showing real Domain
Name (Homograph attack).

https://forums.whonix.org/t/enable-network-idn-show-punycode-by-default-in-thunderbird-to-fix-url-not-showing-real-domain-name-homograph-attack-punycode/8415
2019-11-03 02:50:51 -05:00
203d5cfa68 copyright 2019-10-31 11:19:44 -04:00
fe4e29d392 Depend on dh-apparmor 2019-10-28 14:22:47 +00:00
40707e70db Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with hidepid.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040

https://forums.whonix.org/t/cannot-use-pkexec/8129

Thanks to AnonymousUser for the bug report!
2019-10-21 05:46:49 -04:00
d301e7f365 description, fix lintian warning 2019-10-18 10:36:44 +00:00
259b1f2c71 Update control 2019-10-16 19:21:24 +00:00
8b4f2befd4 comment out sack by default
https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109/8?u=patrick
2019-10-05 13:15:34 +00:00
02096f8d7c Revert "undo Disabling TCP SACK, DSACK, FACK"
This reverts commit 5fb4eb8e56.
2019-10-05 13:13:46 +00:00
5fb4eb8e56 undo Disabling TCP SACK, DSACK, FACK
https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109/5
2019-10-05 07:00:47 -04:00
ec5fcf813b Update control 2019-10-03 20:50:48 +00:00
619550da23 description 2019-09-15 14:00:24 +00:00
b95b66e429 description 2019-09-15 13:56:37 +00:00
ae804a15e7 description 2019-09-15 13:21:02 +00:00
f13a73e569 undo SysRq restrictions
https://forums.whonix.org/t/sysrq-magic-sysrq-key/8079
2019-09-10 12:35:42 -04:00
661bcd8603 allow loading unsigned modules due to issues
https://forums.whonix.org/t/allow-loading-signed-kernel-modules-by-default-disallow-kernel-module-loading-by-default/7880/23
2019-09-07 05:39:56 +00:00
5960c1682a description 2019-09-06 11:46:22 +00:00
fccfacfdaf description 2019-09-06 11:45:54 +00:00
0e20e33d16 description 2019-09-05 02:31:57 -04:00
0b3dcef13d description 2019-09-05 02:30:40 -04:00
f2e5883b4c description 2019-09-05 02:29:48 -04:00
a4913ae092 description 2019-09-05 02:28:43 -04:00
3a5bdddf5c depend on adduser 2019-08-31 08:43:46 -04:00
0ae5c5ff14 remove umask changes since these are causing issues are are not needed anymore
thanks to home folder permission lockdown

https://forums.whonix.org/t/change-default-umask/7416/45
2019-08-24 12:14:22 -04:00
a74b983283 remove LLC - IEEE 802.2 from blacklist
since required by KVM

https://forums.whonix.org/t/whonix-desktop-installer-with-calamares-field-report/7350/107

https://forums.whonix.org/t/blacklist-uncommon-network-protocols/7391/22

https://github.com/Whonix/security-misc/pull/29
2019-08-19 12:46:59 +00:00
e535232728 description 2019-08-17 10:37:49 +00:00