Michael Raitza
d09c7986de
config.security.oath: new module
Add a module to make options to the pam_oath module configurable.
These are:
- enable - enable the OATH pam module
- window - number of OTPs to check
- digits - length of the OTP (adds support for two-factor auth)
- usersFile - filename to store OATH credentials in
2016-02-25 13:52:45 +00:00
Vladimír Čunát
e9520e81b3
Merge branch 'master' into staging
2016-02-17 10:06:31 +01:00
Nikolay Amiantov
c420a6f1ef
acme service: update plugins enum
2016-02-10 02:06:01 +03:00
Guillaume Maudoux
9f358f809d
Configure a default trust store for openssl
2016-02-03 12:42:01 +01:00
Eelco Dolstra
bfebc7342e
Fix some references to deprecated /etc/ssl/certs/ca-bundle.crt
2016-01-29 02:32:05 +01:00
Eelco Dolstra
2352e2589e
audit: Disable in containers
This barfs:
Jan 18 12:46:32 machine 522i0x9l80z7gw56iahxjjsdjp0xi10q-audit-start[506]: The audit system is disabled
2016-01-26 16:25:40 +01:00
Domen Kožar
7fe7138968
nixos: fix acme service @abbradar
2016-01-12 11:50:34 +01:00
Nikolay Amiantov
f92cec4c1b
nixos/acme: add allowKeysForGroup
2016-01-10 07:28:19 +03:00
Dan Peebles
63bfe20b72
security.audit: add NixOS module
Part of the way towards #11864. We still don't have the auditd
userland logging daemon, but journald also tracks audit logs so we
can already use this.
2016-01-07 03:06:10 +00:00
Nikolay Amiantov
5250582396
nixos/acme: fix timer unit
2015-12-13 17:01:59 +03:00
Franz Pletz
1685b9d06e
nixos/acme: Add module documentation
2015-12-12 16:06:53 +01:00
Franz Pletz
9374ddb895
nixos/acme: validMin & renewInterval aren't cert-specific
2015-12-12 16:06:53 +01:00
Franz Pletz
0517d59a66
nixos/acme: Improve documentation
2015-12-12 16:06:52 +01:00
Franz Pletz
de24b00d41
nixos/simp_le: Rename to security.acme
2015-12-12 16:06:52 +01:00
obadz
a05a340e26
PAM: reorganize the way pam_ecryptfs and pam_mount get their password
Run pam_unix an additional time rather than switching it from sufficient
to required. This fixes a potential security issue for
ecryptfs/pam_mount users, as with pam_deny gone, if cfg.unixAuth = False
then it is possible to log in without a password.
2015-11-21 21:10:40 +00:00
Jan Malakhovski
6eadb16022
nixos: fix some types
2015-09-18 18:48:50 +00:00
Tobias Geerinckx-Rice
c90eb862fc
nixos: prey module: fix option descriptions
2015-09-06 23:50:03 +02:00
Jaka Hudoklin
c7bb64cb97
Merge pull request #7344 from joachifm/apparmor-pam
nixos: add AppArmor PAM support
2015-08-29 18:59:53 +02:00
obadz
172522e153
ecryptfs:
- upgrade 106 -> 108
- fix passphrase rewrapper (password changing should now work fine) as
discussed on https://bugs.launchpad.net/ecryptfs/+bug/1486470
- add lsof dependency so ecryptfs-migrate-home should work out of the
box
2015-08-19 12:16:57 +01:00
Joachim Fasting
2e0933787b
nixos: add AppArmor PAM support
Enables attaching AppArmor profiles at the user/group level.
This is not intended to be used directly, but as part of a
role-based access control scheme. For now, profile attachment
is 'session optional', but should be changed to 'required' once
a more comprehensive solution is in place.
2015-07-15 12:40:06 +02:00
William A. Kennington III
d605663ae2
Merge branch 'master.upstream' into staging.upstream
2015-07-05 13:06:02 -07:00
Thomas Strobel
7b6f279142
pam_mount module: integrate pam_mount into PAM of NixOS
2015-07-04 23:42:31 +02:00
William A. Kennington III
8e19ac8d7c
Merge branch 'master.upstream' into staging.upstream
2015-06-17 11:57:40 -07:00
Eelco Dolstra
6e6a96d42c
Some more type cleanup
2015-06-15 18:18:46 +02:00
William A. Kennington III
9d6555dc0a
Merge branch 'master.upstream' into staging.upstream
2015-06-06 12:04:42 -07:00
William A. Kennington III
ffd0539eba
cacert: store ca-bundle.crt in $out/etc/ssl/certs instead of $out
2015-06-05 13:00:52 -07:00
William A. Kennington III
867d2c5c46
openssl: Remove References to OPENSSL_X509_CERT_FILE
2015-05-31 15:50:51 -07:00
William A. Kennington III
d6cbb061e3
cacert: Build directly from nss instead of our own tarball
2015-05-29 13:52:07 -07:00
Ricardo M. Correia
aa75bb25d8
grsecurity: Update stable and test patches
stable: 3.1-3.14.41-201505072056 -> 3.1-3.14.41-201505101121
test: 3.1-4.0.2-201505072057 -> 3.1-4.0.2-201505101122
2015-05-11 02:45:38 +02:00
Philip Potter
2216728979
add support for pam_u2f to nixos pam module
This adds support for authenticating using a U2F device such as a
YubiKey NEO.
2015-05-03 19:22:00 +01:00
Austin Seipp
8d3b8d0dc8
Merge pull request #7149 from joachifm/grsec-gradm-optional
grsecurity module: configure gradm iff RBAC is enabled
2015-04-13 17:11:29 -05:00
Austin Seipp
b86f6a3ed6
Merge pull request #7148 from joachifm/grsec-trivial
grsecurity module: trivial improvements
2015-04-13 17:10:47 -05:00
Nicolas B. Pierron
6de931a0f8
Merge rename.nix changes.
2015-04-03 23:12:12 +02:00
Arseniy Seroka
8592c6c004
Merge pull request #7150 from joachifm/grsec-types
grsecurity module: use types.enum
2015-04-03 16:03:49 +03:00
Joachim Fasting
3e847d512d
grsecurity module: configure gradm iff RBAC is enabled
2015-04-03 13:45:57 +02:00
Joachim Fasting
ba93a75724
grsecurity module: use types.enum
Also
- set desktop as default system
- make virtualisationSoftware nullOr
- make virtualisationConfig nullOr
2015-04-03 13:45:45 +02:00
Joachim Fasting
66c4f51046
grsecurity module: simplify assertion
2015-04-03 13:38:32 +02:00
Joachim Fasting
2e88605a91
grsecurity module: remove reference to systemd-sysctl
First, that's not what the service is called, and secondly it's
most likely irrelevant to the user.
2015-04-03 13:38:32 +02:00
Arseniy Seroka
4fa554e32b
Merge pull request #7017 from obadz/sg+sudo-g
Ability to switch groups with sg and sudo -g
2015-04-02 02:11:10 +03:00
obadz
be7f104502
sg: add setuid wrapper. (newgrp is a symlink to sg and was already setuid).
sudo: add ability for wheel users to change group (as well as user)
2015-03-30 23:50:45 +01:00
Austin Seipp
3ff22a924f
Merge pull request #6871 from joachifm/apparmor-fixups
Apparmor fixups
2015-03-20 15:36:42 -05:00
Joachim Fasting
532337d673
Cleanup AppArmor module
Remove excessive whitespace & comment sections
2015-03-18 12:07:43 +01:00
Austin Seipp
ef95600372
Merge pull request #6771 from joachifm/apparmor-2.9
Apparmor 2.9
2015-03-15 14:16:24 -05:00
Ricardo M. Correia
7c8247a8c5
grsecurity: Update stable and test patches
stable: 3.1-3.14.35-201503071140 -> 3.1-3.14.35-201503092203
test: 3.1-3.18.9-201503071142 -> 3.1-3.19.1-201503122205
2015-03-15 03:49:58 +01:00
Shea Levy
1d62ad4746
modules.nix: Generate the extra argument set from the configuration
This allows for module arguments to be handled modularly, in particular
allowing the nixpkgs module to handle the nixpkgs import internally.
This creates the __internal option namespace, which should only be added
to by the module system itself.
2015-03-12 23:42:57 +01:00
Joachim Fasting
7a9a24a95e
Update AppArmor service module
- Use AppArmor 2.9
- Enable PAM support
2015-03-12 11:49:05 +01:00
obadz
e5d4624420
PAM/eCryptfs now able to mount ecryptfs'd home directories on login
2015-03-08 16:03:51 -07:00
lethalman
c97d7819ab
Merge pull request #6624 from joachifm/grsec-lock
nixos: grsec-lock service fixes
2015-03-02 18:49:39 +01:00
Joachim Fasting
18320d3b21
nixos: fix grsec-lock requires
2015-03-02 18:39:04 +01:00
Joachim Fasting
ccd6f5a313
nixos: make the grsec-lock unit depend on the path it writes to
The grsec-lock unit fails unless /proc/sys/kernel/grsecurity/grsec_lock
exists and so prevents switching into a new configuration after enabling
grsecurity.sysctl.
2015-03-02 18:39:01 +01:00