8616728ce0
remove duplicate
2020-01-24 03:35:15 -05:00
1df48a226d
Update control
2020-01-15 20:30:17 +00:00
0618b53464
fix lintian warning
2020-01-15 11:35:07 -05:00
528c5fc4c4
Merge branch 'master' into sysctl-initramfs
2020-01-15 11:02:03 +00:00
0953bbe1d7
Update control
2020-01-13 21:05:35 +00:00
9dc43eae38
Description
2020-01-12 21:42:07 +00:00
61a2d390a7
lintian
2020-01-11 15:15:12 -05:00
6088444c37
Update control
2020-01-11 18:38:17 +00:00
9ec5b0ee82
description: lockdown not enabled yet
2019-12-23 03:38:49 -05:00
1ff51ee061
merge
2019-12-23 03:37:28 -05:00
3670fcf48b
depend on libcap2-bin for setcap / getcap / capsh
2019-12-23 00:49:33 -05:00
8f11a520f4
Update control
2019-12-22 13:54:16 +00:00
b74e5ca972
comment
2019-12-21 07:47:00 -05:00
ed20980f4c
refactoring
2019-12-21 05:07:10 -05:00
8e112c3423
description
2019-12-20 06:53:24 -05:00
24ea70384b
description
2019-12-20 06:53:03 -05:00
2c4170e6f3
description
2019-12-12 09:47:58 -05:00
2d5ef378f3
description
2019-12-12 09:39:39 -05:00
c192644ee3
security-misc /usr/share/pam-configs/permission-lockdown-security-misc is no longer required, removed.
...
Thereby fix apparmor issue.
> Dec 08 09:47:50 host audit[3232]: AVC apparmor="DENIED" operation="exec" profile="/usr/bin/whonixcheck" name="/usr/lib/security-misc/permission-lockdown" pid=3232 comm="sudo" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
> Dec 08 09:47:50 host sudo[3232]: pam_exec(sudo:session): execve(/usr/lib/security-misc/permission-lockdown,...) failed: Permission denied
It is no longer required, because...
existing linux user accounts:
* Get permission lock down because security-misc `debian/security-misc.postinst` calls `/usr/lib/security-misc/permission-lockdown`.
new linux user accounts (created at first boot):
* security-misc `/usr/share/pam-configs/mkhomedir-security-misc` pam mkhomedir sets secure permissions using `umask=027`.
2019-12-08 05:21:35 -05:00
1dbca1ea2d
add usr/bin/hardening-enable
2019-12-08 02:27:09 -05:00
24423b42f0
description
2019-12-08 02:03:05 -05:00
66bebefc9f
description
2019-12-08 02:00:23 -05:00
b871421a54
usr/share/pam-configs/console-lockdown -> usr/share/pam-configs/console-lockdown-security-misc
2019-12-08 01:57:43 -05:00
1464f01d19
description
2019-12-08 01:30:42 -05:00
55225aa30e
description
2019-12-07 07:16:07 -05:00
34a2bc16c8
description
2019-12-07 07:15:58 -05:00
d823f06c78
description
2019-12-07 07:13:42 -05:00
090ddbe96a
description
2019-12-07 06:00:41 -05:00
6479c883bf
Console Lockdown.
...
Allow members of group 'console' to use tty1 to tty7. Everyone else except
members of group 'console-unrestricted' are restricted from using console
using ancient, unpopular login methods such as using /bin/login over networks,
which might be exploitable. (CVE-2001-0797)
Not enabled by default in this package since this package does not know which
users shall be added to group 'console'.
In new Whonix builds, user 'user" will be added to group 'console' and
pam console-lockdown enabled by package anon-base-files.
/usr/share/pam-configs/console-lockdown
/etc/security/access-security-misc.conf
https://forums.whonix.org/t/etc-security-hardening/8592
2019-12-07 05:40:20 -05:00
6d92d03b31
description
2019-12-07 01:54:50 -05:00
470cad6e91
remount /home /tmp /dev/shm /run with nosuid,nodev (default) and noexec (opt-in)
...
https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707
2019-12-06 05:14:02 -05:00
af9e19c51f
Update control
2019-12-05 20:14:55 +00:00
0c25a96b59
description / comments
2019-12-03 02:18:32 -05:00
8d63da3cef
Update control
2019-12-02 16:46:12 +00:00
25aed91eb1
description
2019-11-28 09:20:46 -05:00
0c4e5df3e0
description
2019-11-28 09:18:05 -05:00
5ac2a6f9ac
description
2019-11-28 09:17:32 -05:00
aa5451c8cd
Lock user accounts after 50 rather than 100 failed login attempts.
...
https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698/19
2019-11-25 01:39:53 -05:00
fe1f1b73a7
load jitterentropy_rng kernel module for better entropy collection
...
https://www.whonix.org/wiki/Dev/Entropy
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927972
https://forums.whonix.org/t/jitterentropy-rngd/7204
2019-11-23 11:20:32 +00:00
b55c2fd62e
Enables punycode (network.IDN_show_punycode) by default in Thunderbird
...
to make phising attacks more difficult. Fixing URL not showing real Domain
Name (Homograph attack).
https://forums.whonix.org/t/enable-network-idn-show-punycode-by-default-in-thunderbird-to-fix-url-not-showing-real-domain-name-homograph-attack-punycode/8415
2019-11-03 02:50:51 -05:00
203d5cfa68
copyright
2019-10-31 11:19:44 -04:00
fe4e29d392
Depend on dh-apparmor
2019-10-28 14:22:47 +00:00
40707e70db
Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with hidepid.
...
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040
https://forums.whonix.org/t/cannot-use-pkexec/8129
Thanks to AnonymousUser for the bug report!
2019-10-21 05:46:49 -04:00
d301e7f365
description, fix lintian warning
2019-10-18 10:36:44 +00:00
259b1f2c71
Update control
2019-10-16 19:21:24 +00:00
8b4f2befd4
comment out sack by default
...
https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109/8?u=patrick
2019-10-05 13:15:34 +00:00
02096f8d7c
Revert "undo Disabling TCP SACK, DSACK, FACK"
...
This reverts commit 5fb4eb8e56
2019-10-05 13:13:46 +00:00
5fb4eb8e56
undo Disabling TCP SACK, DSACK, FACK
...
https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109/5
2019-10-05 07:00:47 -04:00
ec5fcf813b
Update control
2019-10-03 20:50:48 +00:00
619550da23
description
2019-09-15 14:00:24 +00:00
