security-misc/debian/security-misc.maintscript

## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

rm_conffile /etc/sudoers.d/umask-security-misc

## https://forums.whonix.org/t/sysrq-magic-sysrq-key/8079
rm_conffile /etc/sysctl.d/sysrq.conf

## https://github.com/Whonix/security-misc/pull/45
rm_conffile /etc/apparmor.d/usr.lib.security-misc.pam_tally2-info
rm_conffile /etc/apparmor.d/usr.lib.security-misc.permission-lockdown

## merged into 1 file /etc/sysctl.d/30_security-misc.conf
rm_conffile /etc/sysctl.d/fs_protected.conf
rm_conffile /etc/sysctl.d/kptr_restrict.conf
rm_conffile /etc/sysctl.d/suid_dumpable.conf
rm_conffile /etc/sysctl.d/harden_bpf.conf
rm_conffile /etc/sysctl.d/ptrace_scope.conf
rm_conffile /etc/sysctl.d/tcp_timestamps.conf
rm_conffile /etc/sysctl.d/mmap_aslr.conf
rm_conffile /etc/sysctl.d/dmesg_restrict.conf
rm_conffile /etc/sysctl.d/coredumps.conf
rm_conffile /etc/sysctl.d/kexec.conf
rm_conffile /etc/sysctl.d/tcp_hardening.conf
rm_conffile /etc/sysctl.d/tcp_sack.conf

## merged into 2 files /etc/modprobe.d/30_security-misc_blacklist.conf and /etc/modprobe.d/30_security-misc_disable.conf
rm_conffile /etc/modprobe.d/uncommon-network-protocols.conf
rm_conffile /etc/modprobe.d/blacklist-bluetooth.conf
rm_conffile /etc/modprobe.d/vivid.conf
rm_conffile /etc/modprobe.d/blacklist-dma.conf
rm_conffile /etc/modprobe.d/msr.conf
rm_conffile /etc/modprobe.d/30_nf_conntrack_helper_disable.conf

## renamed to /etc/security/limits.d/30_security-misc.conf
rm_conffile /etc/security/limits.d/disable-coredumps.conf

## moved to separate package ram-wipe
rm_conffile /etc/default/grub.d/40_cold_boot_attack_defense.cfg

rm_conffile /etc/X11/Xsession.d/50panic_on_oops
rm_conffile /etc/X11/Xsession.d/50security-misc

## moved to /usr/lib/sysctl.d
rm_conffile /etc/sysctl.d/30_security-misc.conf
rm_conffile /etc/sysctl.d/30_silent-kernel-printk.conf
rm_conffile /etc/sysctl.d/30_security-misc_kexec-disable.conf

## moved to etc/permission-hardener.d
rm_conffile /etc/permission-hardening.d/25_default_passwd.conf
rm_conffile /etc/permission-hardening.d/25_default_sudo.conf
rm_conffile /etc/permission-hardening.d/25_default_whitelist_bubblewrap.conf
rm_conffile /etc/permission-hardening.d/25_default_whitelist_chromium.conf
rm_conffile /etc/permission-hardening.d/25_default_whitelist_dbus.conf
rm_conffile /etc/permission-hardening.d/25_default_whitelist_firejail.conf
rm_conffile /etc/permission-hardening.d/25_default_whitelist_fuse.conf
rm_conffile /etc/permission-hardening.d/25_default_whitelist_hardened_malloc.conf
rm_conffile /etc/permission-hardening.d/25_default_whitelist_mount.conf
rm_conffile /etc/permission-hardening.d/25_default_whitelist_pam.conf
rm_conffile /etc/permission-hardening.d/25_default_whitelist_policykit.conf
rm_conffile /etc/permission-hardening.d/25_default_whitelist_qubes.conf
rm_conffile /etc/permission-hardening.d/25_default_whitelist_selinux.conf
rm_conffile /etc/permission-hardening.d/25_default_whitelist_spice.conf
rm_conffile /etc/permission-hardening.d/25_default_whitelist_ssh.conf
rm_conffile /etc/permission-hardening.d/25_default_whitelist_sudo.conf
rm_conffile /etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf
rm_conffile /etc/permission-hardening.d/25_default_whitelist_virtualbox.conf
rm_conffile /etc/permission-hardening.d/30_default.conf
Update Copyright (C) to 2024 2024-05-10 23:18:36 -04:00			`## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>`
rm_conffile /etc/sudoers.d/umask-security-misc 2019-09-06 09:00:20 -04:00			`## See the file COPYING for copying conditions.`

			`rm_conffile /etc/sudoers.d/umask-security-misc`
allow loading unsigned modules due to issues https://forums.whonix.org/t/allow-loading-signed-kernel-modules-by-default-disallow-kernel-module-loading-by-default/7880/23 2019-09-07 01:39:56 -04:00
undo SysRq restrictions https://forums.whonix.org/t/sysrq-magic-sysrq-key/8079 2019-09-10 12:35:42 -04:00			`## https://forums.whonix.org/t/sysrq-magic-sysrq-key/8079`
			`rm_conffile /etc/sysctl.d/sysrq.conf`
rm_conffile /etc/apparmor.d/usr.lib.security-misc.pam_tally2-info rm_conffile /etc/apparmor.d/usr.lib.security-misc.permission-lockdown https://github.com/Whonix/security-misc/pull/45 2019-12-21 06:58:01 -05:00
			`## https://github.com/Whonix/security-misc/pull/45`
			`rm_conffile /etc/apparmor.d/usr.lib.security-misc.pam_tally2-info`
			`rm_conffile /etc/apparmor.d/usr.lib.security-misc.permission-lockdown`
merge the many sysctl config files into 1 and use a name starting with double digits to make it easier to disable settings using a lexically higher config file 2020-01-24 04:26:36 -05:00
comment 2020-01-24 04:40:03 -05:00			`## merged into 1 file /etc/sysctl.d/30_security-misc.conf`
merge the many sysctl config files into 1 and use a name starting with double digits to make it easier to disable settings using a lexically higher config file 2020-01-24 04:26:36 -05:00			`rm_conffile /etc/sysctl.d/fs_protected.conf`
			`rm_conffile /etc/sysctl.d/kptr_restrict.conf`
			`rm_conffile /etc/sysctl.d/suid_dumpable.conf`
			`rm_conffile /etc/sysctl.d/harden_bpf.conf`
			`rm_conffile /etc/sysctl.d/ptrace_scope.conf`
			`rm_conffile /etc/sysctl.d/tcp_timestamps.conf`
			`rm_conffile /etc/sysctl.d/mmap_aslr.conf`
			`rm_conffile /etc/sysctl.d/dmesg_restrict.conf`
			`rm_conffile /etc/sysctl.d/coredumps.conf`
			`rm_conffile /etc/sysctl.d/kexec.conf`
			`rm_conffile /etc/sysctl.d/tcp_hardening.conf`
			`rm_conffile /etc/sysctl.d/tcp_sack.conf`
merge the many modprobe.d config files into 1 and use a name starting with double digits to make it easier to disable settings using a lexically higher config file 2020-01-24 04:30:36 -05:00
Split modprobe into blacklisted and disabled configurations 2024-07-11 12:42:37 -04:00			`## merged into 2 files /etc/modprobe.d/30_security-misc_blacklist.conf and /etc/modprobe.d/30_security-misc_disable.conf`
merge the many modprobe.d config files into 1 and use a name starting with double digits to make it easier to disable settings using a lexically higher config file 2020-01-24 04:30:36 -05:00			`rm_conffile /etc/modprobe.d/uncommon-network-protocols.conf`
			`rm_conffile /etc/modprobe.d/blacklist-bluetooth.conf`
			`rm_conffile /etc/modprobe.d/vivid.conf`
			`rm_conffile /etc/modprobe.d/blacklist-dma.conf`
			`rm_conffile /etc/modprobe.d/msr.conf`
			`rm_conffile /etc/modprobe.d/30_nf_conntrack_helper_disable.conf`
add digits to drop-in file names 2020-01-24 04:39:06 -05:00
			`## renamed to /etc/security/limits.d/30_security-misc.conf`
			`rm_conffile /etc/security/limits.d/disable-coredumps.conf`
migrate to ram-wipe package 2023-01-09 06:23:00 -05:00
			`## moved to separate package ram-wipe`
fix 2023-01-09 07:05:06 -05:00			`rm_conffile /etc/default/grub.d/40_cold_boot_attack_defense.cfg`
refactoring environment variables loading mechanism 2023-10-12 10:40:27 -04:00
			`rm_conffile /etc/X11/Xsession.d/50panic_on_oops`
			`rm_conffile /etc/X11/Xsession.d/50security-misc`
security-misc.maintscript 2023-10-24 16:43:10 -04:00
comment 2023-10-25 17:41:05 -04:00			`## moved to /usr/lib/sysctl.d`
security-misc.maintscript 2023-10-24 16:43:10 -04:00			`rm_conffile /etc/sysctl.d/30_security-misc.conf`
			`rm_conffile /etc/sysctl.d/30_silent-kernel-printk.conf`
			`rm_conffile /etc/sysctl.d/30_security-misc_kexec-disable.conf`
rm_conffile /etc/permission-hardening.d https://github.com/Kicksecure/security-misc/pull/181 2024-01-16 09:05:09 -05:00
			`## moved to etc/permission-hardener.d`
			`rm_conffile /etc/permission-hardening.d/25_default_passwd.conf`
			`rm_conffile /etc/permission-hardening.d/25_default_sudo.conf`
			`rm_conffile /etc/permission-hardening.d/25_default_whitelist_bubblewrap.conf`
			`rm_conffile /etc/permission-hardening.d/25_default_whitelist_chromium.conf`
			`rm_conffile /etc/permission-hardening.d/25_default_whitelist_dbus.conf`
			`rm_conffile /etc/permission-hardening.d/25_default_whitelist_firejail.conf`
			`rm_conffile /etc/permission-hardening.d/25_default_whitelist_fuse.conf`
			`rm_conffile /etc/permission-hardening.d/25_default_whitelist_hardened_malloc.conf`
			`rm_conffile /etc/permission-hardening.d/25_default_whitelist_mount.conf`
			`rm_conffile /etc/permission-hardening.d/25_default_whitelist_pam.conf`
			`rm_conffile /etc/permission-hardening.d/25_default_whitelist_policykit.conf`
			`rm_conffile /etc/permission-hardening.d/25_default_whitelist_qubes.conf`
			`rm_conffile /etc/permission-hardening.d/25_default_whitelist_selinux.conf`
			`rm_conffile /etc/permission-hardening.d/25_default_whitelist_spice.conf`
			`rm_conffile /etc/permission-hardening.d/25_default_whitelist_ssh.conf`
			`rm_conffile /etc/permission-hardening.d/25_default_whitelist_sudo.conf`
			`rm_conffile /etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf`
			`rm_conffile /etc/permission-hardening.d/25_default_whitelist_virtualbox.conf`
			`rm_conffile /etc/permission-hardening.d/30_default.conf`