The PAM-related changes most likely broke whonixcheck systemd hardening.
Jul 13 19:46:53 host whonixcheckdaemon[25502]: sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the ‘nosuid’ option set or an NFS file system without root privileges?
To test:
sudo systemctl daemon-reload && sudo systemctl restart whonixcheck && sleep 1 && sudo systemctl status whonixcheck.service | cat
Again “most” of them don’t work. List below.
## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
[Unit]
Description=whonixcheck
Documentation=https://www.whonix.org/wiki/whonixcheck
After=network.target
Wants=network.target
After=rinetd.service
After=tor.service
After=tor@default.service
After=onion-grater.service
After=whonix-firewall.service
After=whonix-firewall-sdwdate-watcher.service
Requires=msgcollector.service
[Service]
Type=simple
User=user
Group=user
ExecStart=/usr/lib/whonixcheckdaemon
SuccessExitStatus=143
#KillMode=process
TimeoutSec=30
Restart=always
# Hardening.
#ProtectSystem=strict
## ok
ProtectHome=true
## fail
#ProtectKernelTunables=true
## fail
#ProtectKernelModules=true
## ok
ProtectControlGroups=true
## ok
PrivateTmp=true
## ok
PrivateMounts=true
## fail
#PrivateDevices=true
## fail
#MemoryDenyWriteExecute=true
## fail
#NoNewPrivileges=true
## fail
#RestrictRealtime=true
## fail
#SystemCallArchitectures=native
## fail
#RestrictNamespaces=true
## fail
#RestrictAddressFamilies=AF_UNIX AF_INET
## fail
#SystemCallFilter=wait4 read close execve open write rt_sigprocmask stat munmap mprotect clone mmap fstat access brk poll rt_sigaction select ioctl recvfrom getuid getgid getegid pipe getpid futex arch_prctl lseek rt_sigreturn geteuid fcntl getdents dup2 readlink sync getsid unlink sysinfo uname connect setresuid lstat newfstatat sendto getrlimit statfs faccessat sendmsg getppid setgroups bind umask fchmod writev mremap msync madvise dup alarm socket recvmsg shutdown getsockname getpeername socketpair getsockopt setsockopt kill getcwd chdir fchdir rename mkdir chmod chown lchown getrusage setuid setgid setpgid getpgrp setsid getgroups getresuid setresgid getresgid getpgid capget sigaltstack fstatfs prctl setrlimit gettid getxattr sched_getaffinity set_tid_address fadvise64 timer_create timer_settime openat unlinkat fchmodat ppoll set_robust_list utimensat getrandom
[Install]
WantedBy=multi-user.target
But even with the few enabled ones there is still an error message.
Jul 13 20:05:54 host PAM-CGFS[634]: cgroupfs v1: Failed to escape to init’s cgroup
Jul 13 20:05:54 host PAM-CGFS[634]: cgroupfs v1: Failed to enter cgroups
Jul 13 20:05:54 host PAM-CGFS[634]: Failed to enter user cgroup /user/root/0 for user root
I don’t think systemd hardening for whonixcheck is very important. It runs under user whonixcheck automatically anyhow. (/user/bin/whonixcheck does that.) And once users run whonixcheck manually it would not have systemd seccomp protections anyhow.
Therefore disabled in git master. Please retest and fix if you like.
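As an added example (my code, not the post's or the whonixcheck project's), a Python check of why the options marked fail above end with sudo complaining about its effective uid: it assumes what systemd.exec(5) documents, that the seccomp-backed sandboxing directives imply NoNewPrivileges=yes for a unit with a non-root User=, and that no_new_privs makes the kernel ignore sudo's setuid bit; the unit fragment and /proc status text are constructed samples.

```python
import re

# Seccomp-backed directives (systemd.exec(5)): in a unit with a non-root User=,
# any of them implies NoNewPrivileges=yes, so the daemon runs with no_new_privs
# and the kernel ignores sudo's setuid bit ("effective uid is not 0 ... nosuid").
SECCOMP_DIRECTIVES = {
    "ProtectKernelTunables", "ProtectKernelModules", "PrivateDevices",
    "MemoryDenyWriteExecute", "RestrictRealtime", "SystemCallArchitectures",
    "RestrictNamespaces", "RestrictAddressFamilies", "SystemCallFilter",
}
TRUE_VALUES = {"1", "yes", "true", "on"}

def parse_service_section(unit_text):
    """Active (uncommented) key=value pairs of the [Service] section."""
    settings, in_service = {}, False
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_service = line == "[Service]"
            continue
        if in_service and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def no_new_privs_causes(settings):
    """Directives that leave sudo unusable inside the unit; [] means sudo works."""
    causes = []
    if settings.get("NoNewPrivileges", "no").lower() in TRUE_VALUES:
        causes.append("NoNewPrivileges")
    if settings.get("User", "root") != "root":  # root keeps CAP_SYS_ADMIN: no implied NNP
        causes += [k for k in settings if k in SECCOMP_DIRECTIVES]
    return sorted(causes)

def proc_status_sandbox(status_text):
    """(no_new_privs, seccomp_mode) parsed from /proc/<pid>/status text."""
    fields = dict(re.findall(r"^(\w+):\s*(\S+)", status_text, re.M))
    return fields.get("NoNewPrivs") == "1", int(fields.get("Seccomp", "0"))

# Constructed sample: the post's unit with only its "ok" directives active.
OK_UNIT = """[Service]
User=user
ProtectHome=true
#ProtectKernelTunables=true
ProtectControlGroups=true
PrivateTmp=true
PrivateMounts=true
"""
```

Feed parse_service_section the text of the installed unit, and proc_status_sandbox the contents of /proc/$(systemctl show -p MainPID --value whonixcheck)/status to confirm the running daemon's NoNewPrivs flag after a retest.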