DISA STIG (Security Technical Implementation Guides) Audit Tool for Debian

Me too as per Dev/STIG - Whonix

Dev/STIG - Whonix

bash scripts/check-package-verify.sh >/dev/null 2>&1 & spinner $! output "SV-86479r2_rule" $?

Probably porting issue. check-package-verify.sh [archive] does not test anything security relevant.
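For reference, here is an added example (not code from the Whonix STIG tool) of the background-check-plus-spinner pattern written so that the reported status is the check's own exit code. The shell's `$?` after `spinner $!` is the spinner's status; `wait "$pid"` returns the status of the backgrounded check. `run_check`, `spinner` and the `SV-PLACEHOLDER-*` rule ids are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the audit tool: run a check in the background,
# show a spinner while it runs, then report the CHECK's exit status.
# In "cmd & spinner $! output RULE $?" the "$?" is the spinner's status;
# "wait $pid" yields the status of cmd itself.

spinner() {
    pid=$1
    while kill -0 "$pid" 2>/dev/null; do
        printf '.' >&2
        sleep 0.1
    done
}

# run_check RULE_ID COMMAND [ARGS...]
# Runs COMMAND in the background, waits for it, prints "RULE_ID PASS" or
# "RULE_ID FAIL (exit N)" and returns COMMAND's exit status.
run_check() {
    rule=$1
    shift
    "$@" >/dev/null 2>&1 &
    pid=$!
    spinner "$pid"
    wait "$pid"
    status=$?
    if [ "$status" -eq 0 ]; then
        printf '%s PASS\n' "$rule"
    else
        printf '%s FAIL (exit %d)\n' "$rule" "$status"
    fi
    return "$status"
}

# Constructed demo checks standing in for scripts/check-*.sh
run_check "SV-PLACEHOLDER-1" true
run_check "SV-PLACEHOLDER-2" sh -c 'exit 3'
```

Any real check script can be substituted for the `true` / `sh -c 'exit 3'` stand-ins; the PASS/FAIL line then reflects that script's result rather than the spinner's.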

Yes, comments added there and linked to open discussions.

[1] Defended in other ways. See [[Dev/Permissions]]. Unclear rationale. Discussed here: enforce minimum password strength / pam-cracklib - #4 by Patrick

Agreed. Added comment:

Same as [1].

Expiry limits would likely just annoy users. This might be more useful in an enterprise context where shoulder surfing might be an issue.

TODO: document shoulder surfing

Right. Added comment:

Same as [1].

Set to 50 before unlock procedure is required. 50 attempts is far too few for brute force.

Setting it to 3 might fall victim to some bugs. There are cases involving sudo where 1 login attempt is recognized as 3 due to pasting text by mistake into the terminal emulator. We might incrementally lower 50 over the releases if that seems worthwhile but not to 3. Can be discussed in protect Linux user accounts against brute force attacks

Same as [1].

Likely a false positive but should check the code of the test just to make sure.

Likely also a false positive but need to check the test code. Similar for other false positives.

needs development, tracked in (re-)mount home [and other?] with noexec (and nosuid [among other useful mount options]) for better security?

Mostly agreed with your other comments

Dev/STIG - Whonix

Initial impression:

  • Mostly applicable to governmental or enterprise environments.
  • Whonix / Kicksecure is not an enterprise operating system yet. Such a flavor might be possible in future if an enterprise pays for implementation of these features / such a flavor.
  • Lots of false positives.
  • Doesn’t test for and/or find anything catastrophic such as remote exploitable vulnerabilities.
  • Would still be useful to work through the list and add comments for any reported failure.