/etc/security Hardening? - Console Lockdown - pam_access - access.conf

Why is whonixcheck trying to access it? Why not just add it to the whonixcheck profile?

Maybe this would work:

Conflicts: sudo
1 Like

Ah, the issue isn’t /etc/pam.d/sudo but /etc/pam.d/common-account (which sudo has an include rule for).

1 Like

It’s not. But it uses sudo. And then pam calls it.

It’s just a symptom. Would be happening with other applications too.

Exactly.

1 Like

Then it should be added to the base abstraction.

Found a potential solution. Using pam_exec, environment variable PAM_SERVICE, exit codes (depending on whether PAM_SERVICE is set to login) and then using the /etc/pam.d feature “jumping over the next N modules in the stack”.

That probably means just that when users run sudo pam-auth-update that they cannot enable two conflicting pam modules at the same time.

1 Like

use pam_access only for /etc/pam.d/login
remove Allow members of group 'ssh' to login.
remove +:ssh:ALL EXCEPT LOCAL

The SSH restrictions earlier were just a byproduct of not knowing how to implement this better, i.e. like how it is implemented now. Now this is effectively only used for /etc/pam.d/login.

Does pam_access line

+:ssh:ALL EXCEPT LOCAL

make sense for /etc/pam.d/ssh or should pam_access be used for any other services in /etc/pam.d folder too?

1 Like

Why don’t we allow members of group sudo to use the console by editing /etc/security/access-security-misc.conf? Members of group sudo could run sudo addgroup user console anyhow. Therefore there is no security advantage in not doing that.

Did that:

Review for full file welcome:

security-misc/etc/security/access-security-misc.conf at master · Kicksecure/security-misc · GitHub

1 Like

@Patrick, there are syntax errors in the file. Groups should be surrounded with “(group)” instead of as “group”. It works as is unless any users with the same name as the groups are created. See access.conf to verify. I fixed it for you.

line 30: +:(console):console tty1 tty2 tty3 tty4 tty5 tty6 tty7 pts/0 pts/1 pts/2 pts/3 pts/4 pts/5 pts/6 pts/7 pts/8 pts/9 hvc0 hvc1 hvc2 hvc3 hvc4 hvc5 hvc6 hvc7 hvc8 hvc9 ttyS0 ttyS1 ttyS2 ttyS3 ttyS4 ttyS5 ttyS6 ttyS7 ttyS8 ttyS9

line 34: +:(sudo):console tty1 tty2 tty3 tty4 tty5 tty6 tty7 pts/0 pts/1 pts/2 pts/3 pts/4 pts/5 pts/6 pts/7 pts/8 pts/9 hvc0 hvc1 hvc2 hvc3 hvc4 hvc5 hvc6 hvc7 hvc8 hvc9 ttyS0 ttyS1 ttyS2 ttyS3 ttyS4 ttyS5 ttyS6 ttyS7 ttyS8 ttyS9

line 38: -:ALL EXCEPT (console-unrestricted):ALL

2 Likes
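To make the "(group)" versus "group" point concrete, here is an added example (my own code, not from the thread and not from Kicksecure's security-misc): a simplified re-implementation of pam_access matching, run over constructed users and constructed copies of the two rules above with the origin list shortened. It shows that a user account that happens to be named "console" slips through the bare form but is denied by the parenthesised form.

```python
# Simplified pam_access evaluation (not the real module's code): one
# "perm:users:origins" line per rule, first match wins, no match = allowed.

def user_matches(token, user, groups):
    """One token of the users field. A bare name matches the login name
    first, then a group name; "(name)" only ever matches a group."""
    if token == "ALL":
        return True
    if token.startswith("(") and token.endswith(")"):
        return token[1:-1] in groups
    return token == user or token in groups

def origin_matches(token, origin):
    """One token of the origins field (tty name, LOCAL, ALL); simplified."""
    if token == "ALL":
        return True
    if token == "LOCAL":
        return "." not in origin  # pam_access treats a dotless origin as local
    return token == origin

def field_matches(field, matcher):
    """Evaluate a whole field, honouring the 'ALL EXCEPT item ...' form."""
    tokens = field.split()
    if tokens[:2] == ["ALL", "EXCEPT"]:
        return not any(matcher(t) for t in tokens[2:])
    return any(matcher(t) for t in tokens)

def check_access(conf, user, groups, origin):
    """Return True if access is permitted for user/groups from origin."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users_f, origins_f = (f.strip() for f in line.split(":", 2))
        if field_matches(users_f, lambda t: user_matches(t, user, groups)) and \
                field_matches(origins_f, lambda t: origin_matches(t, origin)):
            return perm == "+"
    return True  # pam_access default when nothing matches

# Constructed configs: the thread's rules with the origin list shortened.
BARE_CONF = "+:console:tty1 tty2 pts/0\n-:ALL EXCEPT console-unrestricted:ALL\n"
FIXED_CONF = "+:(console):tty1 tty2 pts/0\n-:ALL EXCEPT (console-unrestricted):ALL\n"

if __name__ == "__main__":
    # A user *named* "console" with no group memberships (constructed):
    print(check_access(BARE_CONF, "console", set(), "tty1"))   # True (wrong)
    print(check_access(FIXED_CONF, "console", set(), "tty1"))  # False (right)
    # A real member of group console on tty1 is allowed either way:
    print(check_access(FIXED_CONF, "alice", {"console"}, "tty1"))  # True
```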

Thanks. Good catch. Fixed.

1 Like