2015-12-14 21:00:24 -05:00
|
|
|
## Copyright (C) 2012 - 2014 Patrick Schleizer <adrelanos@riseup.net>
|
|
|
|
|
## See the file COPYING for copying conditions.
|
|
|
|
|
|
|
|
|
|
Source: security-misc
|
|
|
|
|
Section: misc
|
|
|
|
|
Priority: optional
|
|
|
|
|
Maintainer: Patrick Schleizer <adrelanos@riseup.net>
|
|
|
|
|
Build-Depends: debhelper (>= 9), faketime, genmkfile
|
|
|
|
|
Homepage: https://github.com/Whonix/security-misc
|
|
|
|
|
Vcs-Browser: https://github.com/Whonix/security-misc
|
|
|
|
|
Vcs-Git: https://github.com/Whonix/security-misc.git
|
|
|
|
|
Standards-Version: 3.9.6
|
|
|
|
|
|
|
|
|
|
Package: security-misc
|
|
|
|
|
Architecture: all
|
|
|
|
|
Depends: ${misc:Depends}
|
2016-03-31 11:36:59 -04:00
|
|
|
Replaces: tcp-timestamps-disable
|
2015-12-14 21:00:24 -05:00
|
|
|
Description: enhances misc security settings
|
2016-03-30 23:18:05 -04:00
|
|
|
- deactivates previews in Dolphin
|
2016-03-30 23:16:10 -04:00
|
|
|
- deactivates previews in Nautilus
|
|
|
|
|
- deactivates TCP timestamps
|
|
|
|
|
- deactivates Netfilter's connection tracking helper
|
|
|
|
|
.
|
|
|
|
|
Changes to the file browser only take effect for newly created user accounts. Not for
|
|
|
|
|
existing user accounts. This package is most useful to help Linux distribution
|
|
|
|
|
maintainers setting divergent defaults.
|
|
|
|
|
.
|
|
|
|
|
TCP time stamps (rfc 1323) allow for tracking clock
|
|
|
|
|
information with millisecond resolution. This may or may not allow an
|
|
|
|
|
attacker to learn information about the system clock at such
|
|
|
|
|
a resolution, depending on various issues such as network lag.
|
|
|
|
|
This information is available to anyone who monitors the network
|
|
|
|
|
somewhere between the attacked system and the destination server.
|
|
|
|
|
It may allow an attacker to find out how long a given
|
|
|
|
|
system has been running, and to distinguish several
|
|
|
|
|
systems running behind NAT and using the same IP address. It might
|
|
|
|
|
also allow to look for clocks that match an expected value to find the
|
|
|
|
|
public IP used by a user.
|
|
|
|
|
.
|
|
|
|
|
Hence, this package disables this feature by shipping the
|
|
|
|
|
/etc/sysctl.d/tcp_timestamps.conf configuration file.
|
|
|
|
|
.
|
|
|
|
|
Note that TCP time stamps normally have some usefulness. They are
|
|
|
|
|
needed for:
|
|
|
|
|
.
|
|
|
|
|
* the TCP protection against wrapped sequence numbers; however, to
|
|
|
|
|
trigger a wrap, one needs to send roughly 2^32 packets in one
|
|
|
|
|
minute: as said in rfc 1700, "The current recommended default
|
|
|
|
|
time to live (TTL) for the Internet Protocol (IP) [45,105] is 64".
|
|
|
|
|
So, this probably won't be a practical problem in the context
|
|
|
|
|
of Anonymity Distributions.
|
|
|
|
|
.
|
|
|
|
|
* "Round-Trip Time Measurement", which is only useful when the user
|
|
|
|
|
manages to saturate their connection. When using Anonymity Distributions,
|
|
|
|
|
probably the limiting factor for transmission speed is rarely the capacity
|
|
|
|
|
of the user connection.
|
|
|
|
|
.
|
2016-03-31 11:36:59 -04:00
|
|
|
Netfilter's connection tracking helper module increases kernel attack
|
|
|
|
|
surface by enabling superfluous functionality such as IRC parsing in
|
2016-03-30 23:18:05 -04:00
|
|
|
the kernel (!)
|
2016-03-30 23:16:10 -04:00
|
|
|
.
|
|
|
|
|
Hence, this package disables this feature by shipping the
|
|
|
|
|
/etc/sysctl.d/nf_conntrack_helper.conf configuration file.
|
