mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-07-13 01:09:16 +07:00
Code Issues Packages Projects Releases Wiki Activity
NaN Commits 4 Branches 456 Tags
8e112c34232b8ef88fb0c0fb19f2983de4e5a0a1
Commit Graph

305 Commits

Author SHA1 Message Date
Patrick Schleizer
8e112c3423 description 2019-12-20 06:53:24 -05:00
Patrick Schleizer
24ea70384b description 2019-12-20 06:53:03 -05:00
Patrick Schleizer
6dd6530fa5 remove hardening-enable 
please invent package security-paranoid instead

https://forums.whonix.org/t/security-hardening-tool-usr-bin-hardening-enable-by-security-misc/8609
 2019-12-20 05:32:26 -05:00
Patrick Schleizer
62eb462920 skip console_users_check for Qubes users 2019-12-16 06:46:48 -05:00
Patrick Schleizer
ab68182e11 bumped changelog version 2019-12-16 06:27:51 -05:00
Patrick Schleizer
2c4170e6f3 description 2019-12-12 09:47:58 -05:00
Patrick Schleizer
2d5ef378f3 description 2019-12-12 09:39:39 -05:00
Patrick Schleizer
a10597de92 bumped changelog version 2019-12-12 09:04:15 -05:00
Patrick Schleizer
729fa26eca use pam_acccess only for /etc/pam.d/login 
remove "Allow members of group 'ssh' to login."
remove "+:ssh:ALL EXCEPT LOCAL"
 2019-12-12 09:00:08 -05:00
Patrick Schleizer
22b6480bc4 bumped changelog version 2019-12-10 11:44:02 -05:00
Patrick Schleizer
88bea2a6ef comment 2019-12-10 03:53:10 -05:00
Patrick Schleizer
7d8001ddc9 refactoring 2019-12-10 03:51:39 -05:00
Patrick Schleizer
d2f6ac0491 fix, do user/group modifications in preinst rather than postinst 2019-12-10 03:50:23 -05:00
Patrick Schleizer
64ae53edb9 bumped changelog version 2019-12-09 08:25:30 -05:00
Patrick Schleizer
6f944234a9 bumped changelog version 2019-12-08 05:26:29 -05:00
Patrick Schleizer
c192644ee3 security-misc /usr/share/pam-configs/permission-lockdown-security-misc is no longer required, removed. 
Thereby fix apparmor issue.

> Dec 08 09:47:50 host audit[3232]: AVC apparmor="DENIED" operation="exec" profile="/usr/bin/whonixcheck" name="/usr/lib/security-misc/permission-lockdown" pid=3232 comm="sudo" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
> Dec 08 09:47:50 host sudo[3232]: pam_exec(sudo:session): execve(/usr/lib/security-misc/permission-lockdown,...) failed: Permission denied

It is no longer required, because...

existing linux user accounts:

* Get permission lock down because security-misc `debian/security-misc.postinst` calls `/usr/lib/security-misc/permission-lockdown`.

new linux user accounts (created at first boot):

* security-misc `/usr/share/pam-configs/mkhomedir-security-misc` pam mkhomedir sets secure permissions using `umask=027`.
 2019-12-08 05:21:35 -05:00
Patrick Schleizer
edcc2de71d bumped changelog version 2019-12-08 04:38:33 -05:00
Patrick Schleizer
17d81d0083 bumped changelog version 2019-12-08 04:27:01 -05:00
Patrick Schleizer
ebae9eef38 skip sudo_users_check in Qubes 
Qubes users can use dom0 to get a root terminal emulator.

For example:
qvm-run -u root debian-10 xterm
 2019-12-08 04:25:19 -05:00
Patrick Schleizer
53e4717c62 bumped changelog version 2019-12-08 04:05:29 -05:00
Patrick Schleizer
a345a0fb64 abort installation if ssh.service is enabled but no user is member of group ssh 2019-12-08 03:27:12 -05:00
Patrick Schleizer
cea598dc1a refactoring 2019-12-08 02:43:05 -05:00
Patrick Schleizer
54f5e02c21 comment 2019-12-08 02:42:30 -05:00
Patrick Schleizer
b4265195f4 refactoring 2019-12-08 02:41:36 -05:00
Patrick Schleizer
0f65b2e85c abort installation if no user is a member of group "console"; output 
https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/7
 2019-12-08 02:38:19 -05:00
Patrick Schleizer
1dbca1ea2d add usr/bin/hardening-enable 2019-12-08 02:27:09 -05:00
Patrick Schleizer
24423b42f0 description 2019-12-08 02:03:05 -05:00
Patrick Schleizer
6b01e5be14 comment 2019-12-08 02:01:22 -05:00
Patrick Schleizer
66bebefc9f description 2019-12-08 02:00:23 -05:00
Patrick Schleizer
52e0f104cc comment 2019-12-08 01:59:55 -05:00
Patrick Schleizer
731d486fa0 refactoring 2019-12-08 01:58:58 -05:00
Patrick Schleizer
221a2df2a2 refactoring 2019-12-08 01:58:37 -05:00
Patrick Schleizer
b871421a54 usr/share/pam-configs/console-lockdown -> usr/share/pam-configs/console-lockdown-security-misc 2019-12-08 01:57:43 -05:00
Patrick Schleizer
d36669596f comment 2019-12-08 01:56:30 -05:00
Patrick Schleizer
1a0f353708 comment 2019-12-08 01:47:40 -05:00
Patrick Schleizer
eed1f0a462 comment 2019-12-08 01:46:32 -05:00
Patrick Schleizer
2491b62393 refactoring, add all groups first before adding any users to any groups 2019-12-08 01:43:45 -05:00
Patrick Schleizer
1464f01d19 description 2019-12-08 01:30:42 -05:00
Patrick Schleizer
c1800b13fe separate group "ssh" for incoming ssh console permission 
Thanks to @madaidan

https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/16
 2019-12-07 11:26:39 -05:00
Patrick Schleizer
55225aa30e description 2019-12-07 07:16:07 -05:00
Patrick Schleizer
34a2bc16c8 description 2019-12-07 07:15:58 -05:00
Patrick Schleizer
d823f06c78 description 2019-12-07 07:13:42 -05:00
Patrick Schleizer
090ddbe96a description 2019-12-07 06:00:41 -05:00
Patrick Schleizer
6479c883bf Console Lockdown. 
Allow members of group 'console' to use tty1 to tty7. Everyone else except
members of group 'console-unrestricted' are restricted from using console
using ancient, unpopular login methods such as using /bin/login over networks,
which might be exploitable. (CVE-2001-0797)

Not enabled by default in this package since this package does not know which
users shall be added to group 'console'.

In new Whonix builds, user 'user" will be added to group 'console' and
pam console-lockdown enabled by package anon-base-files.

/usr/share/pam-configs/console-lockdown

/etc/security/access-security-misc.conf

https://forums.whonix.org/t/etc-security-hardening/8592
 2019-12-07 05:40:20 -05:00
Patrick Schleizer
52934c9288 bumped changelog version 2019-12-07 02:02:32 -05:00
Patrick Schleizer
6d92d03b31 description 2019-12-07 01:54:50 -05:00
Patrick Schleizer
0afcc5e798 bumped changelog version 2019-12-06 12:43:21 -05:00
Patrick Schleizer
af0cf058e7 bumped changelog version 2019-12-06 11:18:20 -05:00
Patrick Schleizer
bff425fec2 bumped changelog version 2019-12-06 09:32:18 -05:00
Patrick Schleizer
470cad6e91 remount /home /tmp /dev/shm /run with nosuid,nodev (default) and noexec (opt-in) 
https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707
 2019-12-06 05:14:02 -05:00