mirror of
https://github.com/Kicksecure/security-misc.git
synced 2024-12-28 02:39:25 -05:00
minor RPM updates
https://github.com/Kicksecure/security-misc/issues/160
This commit is contained in:
parent
3048e0ac76
commit
08619d6a73
@ -4,7 +4,7 @@ Release: 1%{?dist}
|
||||
Summary: enhances misc security settings
|
||||
|
||||
License: AGPL-3+
|
||||
URL: https://github.com/Whonix/security-misc
|
||||
URL: https://github.com/Kicksecure/security-misc
|
||||
Source0: %{name}-%{version}.tar.xz
|
||||
|
||||
BuildRequires: dpkg-dev
|
||||
@ -13,50 +13,7 @@ Requires: make
|
||||
BuildArch: noarch
|
||||
|
||||
%description
|
||||
The following settings are changed:
|
||||
|
||||
deactivates previews in Dolphin;
|
||||
deactivates previews in Nautilus;
|
||||
deactivates thumbnails in Thunar;
|
||||
deactivates TCP timestamps;
|
||||
deactivates Netfilter's connection tracking helper;
|
||||
|
||||
TCP time stamps (RFC 1323) allow for tracking clock
|
||||
information with millisecond resolution. This may or may not allow an
|
||||
attacker to learn information about the system clock at such
|
||||
a resolution, depending on various issues such as network lag.
|
||||
This information is available to anyone who monitors the network
|
||||
somewhere between the attacked system and the destination server.
|
||||
It may allow an attacker to find out how long a given
|
||||
system has been running, and to distinguish several
|
||||
systems running behind NAT and using the same IP address. It might
|
||||
also allow one to look for clocks that match an expected value to find the
|
||||
public IP used by a user.
|
||||
|
||||
Hence, this package disables this feature by shipping the
|
||||
/etc/sysctl.d/tcp_timestamps.conf configuration file.
|
||||
|
||||
Note that TCP time stamps normally have some usefulness. They are
|
||||
needed for:
|
||||
|
||||
* the TCP protection against wrapped sequence numbers; however, to
|
||||
trigger a wrap, one needs to send roughly 2^32 packets in one
|
||||
minute: as said in RFC 1700, "The current recommended default
|
||||
time to live (TTL) for the Internet Protocol (IP) [45,105] is 64".
|
||||
So, this probably won't be a practical problem in the context
|
||||
of Anonymity Distributions.
|
||||
|
||||
* "Round-Trip Time Measurement", which is only useful when the user
|
||||
manages to saturate their connection. When using Anonymity Distributions,
|
||||
probably the limiting factor for transmission speed is rarely the capacity
|
||||
of the user connection.
|
||||
|
||||
Netfilter's connection tracking helper module increases kernel attack
|
||||
surface by enabling superfluous functionality such as IRC parsing in
|
||||
the kernel. (!)
|
||||
|
||||
Hence, this package disables this feature by shipping the
|
||||
/etc/sysctl.d/nf_conntrack_helper.conf configuration file.
|
||||
See README.
|
||||
|
||||
%prep
|
||||
%setup -q
|
||||
|
Loading…
Reference in New Issue
Block a user