4ca9fc5920
fix
2019-12-16 03:53:10 -05:00
f68efd53cf
remount /sys/kernel/security with nodev,nosuid[,noexec]
as suggested by @madaidan
http://forums.whonix.org/t/apparmor-for-complete-system-including-init-pid1-systemd-everything-full-system-mac-policy/8339/238
2019-12-16 03:52:09 -05:00
300f010fc2
increase priority of pam-abort-on-locked-password-security-misc
since it has its own user help output
so it shows before pam tally2 info
to avoid duplicate non-applicable help text
2019-12-12 09:29:00 -05:00
729fa26eca
use pam_access only for /etc/pam.d/login
remove "Allow members of group 'ssh' to login."
remove "+:ssh:ALL EXCEPT LOCAL"
2019-12-12 09:00:08 -05:00
b72eb30056
quotes
2019-12-09 02:32:05 -05:00
c258376b7e
use read (built-in) rather than awk (external)
2019-12-09 02:31:10 -05:00
02165201ab
read -r; refactoring
as per https://mywiki.wooledge.org/BashFAQ/001
2019-12-09 02:23:43 -05:00
7467252122
quotes
2019-12-09 02:22:16 -05:00
61e19fa5f1
Create permission-hardening
2019-12-08 16:49:28 +00:00
c192644ee3
security-misc /usr/share/pam-configs/permission-lockdown-security-misc
is no longer required, removed.
Thereby fix apparmor issue.
> Dec 08 09:47:50 host audit[3232]: AVC apparmor="DENIED" operation="exec" profile="/usr/bin/whonixcheck" name="/usr/lib/security-misc/permission-lockdown" pid=3232 comm="sudo" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
> Dec 08 09:47:50 host sudo[3232]: pam_exec(sudo:session): execve(/usr/lib/security-misc/permission-lockdown,...) failed: Permission denied
It is no longer required, because...
existing linux user accounts:
* Get permission lock down because security-misc `debian/security-misc.postinst` calls `/usr/lib/security-misc/permission-lockdown`.
new linux user accounts (created at first boot):
* security-misc `/usr/share/pam-configs/mkhomedir-security-misc` pam mkhomedir sets secure permissions using `umask=027`.
2019-12-08 05:21:35 -05:00
ac96708b24
improve usr/bin/hardening-enable
2019-12-08 04:01:11 -05:00
50ac03363f
output
2019-12-08 03:18:32 -05:00
c7c65fe4e7
higher priority usr/share/pam-configs/tally2-security-misc
so it can give info before pam stack gets aborted by other pam modules
2019-12-08 03:15:53 -05:00
3bd0b3f837
notify when attempting to use ssh but user is member of group ssh
2019-12-08 03:10:41 -05:00
1dbca1ea2d
add usr/bin/hardening-enable
2019-12-08 02:27:09 -05:00
19cc6d7555
pam description
2019-12-08 02:10:43 -05:00
b871421a54
usr/share/pam-configs/console-lockdown -> usr/share/pam-configs/console-lockdown-security-misc
2019-12-08 01:57:43 -05:00
6846a94327
Check for more locations of System.map
2019-12-07 19:38:12 +00:00
668b6420de
Remove hyphen
2019-12-07 14:15:02 +00:00
9ba84f34c6
comment
2019-12-07 06:51:59 -05:00
dc1dfc8c20
output
2019-12-07 06:51:16 -05:00
532a1525c2
comment
2019-12-07 06:26:55 -05:00
14aa6c5077
comment
2019-12-07 06:26:23 -05:00
8b3f5a555b
add console lockdown to pam info output
2019-12-07 06:25:45 -05:00
6479c883bf
Console Lockdown.
Allow members of group 'console' to use tty1 to tty7. Everyone else except
members of group 'console-unrestricted' is restricted from using console
using ancient, unpopular login methods such as using /bin/login over networks,
which might be exploitable. (CVE-2001-0797)
Not enabled by default in this package since this package does not know which
users shall be added to group 'console'.
In new Whonix builds, user 'user' will be added to group 'console' and
pam console-lockdown enabled by package anon-base-files.
/usr/share/pam-configs/console-lockdown
/etc/security/access-security-misc.conf
https://forums.whonix.org/t/etc-security-hardening/8592
2019-12-07 05:40:20 -05:00
5a4eda0d05
also support /usr/local/etc/remount-disable and /usr/local/etc/noexec
2019-12-07 01:53:33 -05:00
9b14f24d5e
refactoring
2019-12-06 11:17:32 -05:00
a6133f5912
output
2019-12-06 11:16:43 -05:00
c1ea35e2ef
output
2019-12-06 11:15:54 -05:00
4bec41379d
fix remount with noexec if /etc/noexec exists
2019-12-06 11:15:13 -05:00
470cad6e91
remount /home /tmp /dev/shm /run with nosuid,nodev (default) and noexec (opt-in)
https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707
2019-12-06 05:14:02 -05:00
aa5451c8cd
Lock user accounts after 50 rather than 100 failed login attempts.
https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698/19
2019-11-25 01:39:53 -05:00
fe1f1b73a7
load jitterentropy_rng kernel module for better entropy collection
https://www.whonix.org/wiki/Dev/Entropy
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927972
https://forums.whonix.org/t/jitterentropy-rngd/7204
2019-11-23 11:20:32 +00:00
03e8023847
output
2019-11-22 14:11:30 -05:00
2e73c053b5
fix lintian warning
2019-11-09 12:55:00 +00:00
74293bcd2f
output
2019-11-05 01:59:25 -05:00
2b5b06b602
output
2019-11-05 01:59:19 -05:00
d6977becba
refactoring
2019-11-05 01:51:14 -05:00
daf0006795
comment
2019-11-05 01:50:27 -05:00
203d5cfa68
copyright
2019-10-31 11:19:44 -04:00
bce5274a15
quotes fix
2019-10-22 09:22:29 -04:00
e20b9e2133
better solution when using pkexec with --user: wrap sudo --user with lxqt-sudo
2019-10-22 09:08:18 -04:00
d4e02de43a
set SUDO_ASKPASS for pkexec wrapper when using sudo --askpass
2019-10-22 09:04:44 -04:00
1a65a91039
long rather than short option
2019-10-22 08:56:05 -04:00
b55913637b
silence output by mount/grep
2019-10-22 08:54:48 -04:00
a1154170c9
Call original pkexec in case there are no arguments.
2019-10-22 08:54:17 -04:00
1e4d0ea1d0
fix lintian warning
2019-10-21 09:55:05 +00:00
343d9cc916
fix
2019-10-21 09:53:55 +00:00
40707e70db
Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with hidepid.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040
https://forums.whonix.org/t/cannot-use-pkexec/8129
Thanks to AnonymousUser for the bug report!
2019-10-21 05:46:49 -04:00
a5045dc26e
set -e
2019-10-17 06:18:32 -04:00