From fa32ba6c4fccf35111f85ec3819e718963359d7c Mon Sep 17 00:00:00 2001
From: Aaron Rainbolt
Date: Fri, 7 Nov 2025 17:09:22 -0600
Subject: [PATCH 01/10] Suppress usbguard startup unless a USB controller is visible to lspci
---
 debian/security-misc-shared.install | 1 +
 .../30_security-misc.conf#security-misc-shared | 1 +
 .../check-for-usb-controller#security-misc-shared | 11 +++++++++++
 3 files changed, 13 insertions(+)
 create mode 100755 usr/libexec/security-misc/check-for-usb-controller#security-misc-shared

diff --git a/debian/security-misc-shared.install b/debian/security-misc-shared.install
index a228845..0b4dba2 100755
--- a/debian/security-misc-shared.install
+++ b/debian/security-misc-shared.install
@@ -55,6 +55,7 @@ usr/libexec/security-misc/disable-kernel-module-loading#security-misc-shared => 
 usr/libexec/security-misc/hide-hardware-info#security-misc-shared => /usr/libexec/security-misc/hide-hardware-info
 usr/libexec/security-misc/virusforget#security-misc-shared => /usr/libexec/security-misc/virusforget
 usr/libexec/security-misc/pam_faillock_not_if_x#security-misc-shared => /usr/libexec/security-misc/pam_faillock_not_if_x
+usr/libexec/security-misc/check-for-usb-controller#security-misc-shared => /usr/libexec/security-misc/check-for-usb-controller
 usr/src/security-misc/emerg-shutdown.c#security-misc-shared => /usr/src/security-misc/emerg-shutdown.c
 usr/bin/disabled-gps-by-security-misc#security-misc-shared => /usr/bin/disabled-gps-by-security-misc
 usr/bin/disabled-netfilesys-by-security-misc#security-misc-shared => /usr/bin/disabled-netfilesys-by-security-misc
diff --git a/usr/lib/systemd/system/usbguard.service.d/30_security-misc.conf#security-misc-shared b/usr/lib/systemd/system/usbguard.service.d/30_security-misc.conf#security-misc-shared
index 70accaf..fa87f09 100644
--- a/usr/lib/systemd/system/usbguard.service.d/30_security-misc.conf#security-misc-shared
+++ b/usr/lib/systemd/system/usbguard.service.d/30_security-misc.conf#security-misc-shared
@@ -3,3 +3,4 @@ [Unit] ConditionPathExists=/sys/bus/usb +ExecCondition=/usr/libexec/security-misc/check-for-usb-controller
diff --git a/usr/libexec/security-misc/check-for-usb-controller#security-misc-shared b/usr/libexec/security-misc/check-for-usb-controller#security-misc-shared
new file mode 100755
index 0000000..7688ee2
--- /dev/null
+++ b/usr/libexec/security-misc/check-for-usb-controller#security-misc-shared
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC
+## See the file COPYING for copying conditions.
+
+export LC_ALL='C'
+
+if lspci | grep -q '^[^ ]* USB controller: '; then
+ exit 0
+fi
+exit 1

From 1e48886c7e77fa7bccfdee3cca6f0fbdba74e4a1 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Sat, 8 Nov 2025 01:31:02 -0500
Subject: [PATCH 02/10] long option name
---
 .../security-misc/check-for-usb-controller#security-misc-shared | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/usr/libexec/security-misc/check-for-usb-controller#security-misc-shared b/usr/libexec/security-misc/check-for-usb-controller#security-misc-shared
index 7688ee2..a23031b 100755
--- a/usr/libexec/security-misc/check-for-usb-controller#security-misc-shared
+++ b/usr/libexec/security-misc/check-for-usb-controller#security-misc-shared
@@ -5,7 +5,7 @@
 
 export LC_ALL='C'
 
-if lspci | grep -q '^[^ ]* USB controller: '; then
+if lspci | grep --quiet '^[^ ]* USB controller: '; then
  exit 0
 fi
 exit 1

From 12679608428e6927da480ca721b34bab75108687 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Sat, 8 Nov 2025 01:32:45 -0500
Subject: [PATCH 03/10] comments
---
 .../security-misc/check-for-usb-controller#security-misc-shared | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/usr/libexec/security-misc/check-for-usb-controller#security-misc-shared b/usr/libexec/security-misc/check-for-usb-controller#security-misc-shared
index a23031b..515155e 100755
--- a/usr/libexec/security-misc/check-for-usb-controller#security-misc-shared
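Review bot: The `if lspci | grep -q '^[^ ]* USB controller: '` test in the new check-for-usb-controller script only recognises USB host controllers that are enumerated on PCI, so on a machine whose controller is a platform/SoC device that lspci never lists the script exits 1 and, through the `ExecCondition=` line added in the usbguard drop-in hunk on this same line, usbguard is quietly not started although USB ports exist. As far as I can tell, the presence of a root hub under sysfs is a bus-independent signal that a host controller driver is bound, so a check such as `if compgen -G '/sys/bus/usb/devices/usb*' > /dev/null; then exit 0; fi` placed before the lspci test would cover those systems; if pciutils stays the primary source, matching the PCI class code via `lspci -n` (class `0c03`) rather than the English class name would also stop depending on pci.ids being present. A short comment at the top of the script saying that any non-zero exit makes systemd skip usbguard would make the fail-open consequence of a false negative explicit to the next maintainer.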
+++ b/usr/libexec/security-misc/check-for-usb-controller#security-misc-shared
@@ -5,7 +5,9 @@
 
 export LC_ALL='C'
 
+## Package 'pciutils' provides tool 'lspci'.
 if lspci | grep --quiet '^[^ ]* USB controller: '; then
  exit 0
 fi
+
 exit 1

From d50e6afc8fb0a925e07fc54b7ecc1f450d9aa176 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Sat, 8 Nov 2025 01:34:32 -0500
Subject: [PATCH 04/10] sanity test
---
 .../check-for-usb-controller#security-misc-shared | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/usr/libexec/security-misc/check-for-usb-controller#security-misc-shared b/usr/libexec/security-misc/check-for-usb-controller#security-misc-shared
index 515155e..3c00602 100755
--- a/usr/libexec/security-misc/check-for-usb-controller#security-misc-shared
+++ b/usr/libexec/security-misc/check-for-usb-controller#security-misc-shared
@@ -3,9 +3,13 @@
 ## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC
 ## See the file COPYING for copying conditions.
 
+set -e
+
 export LC_ALL='C'
 
 ## Package 'pciutils' provides tool 'lspci'.
+command -v lspci &>/dev/null
+
 if lspci | grep --quiet '^[^ ]* USB controller: '; then
  exit 0
 fi

From 69419357e1bb2d0842ecd5db3e42bcaa011f5c11 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Sat, 8 Nov 2025 02:42:25 -0500
Subject: [PATCH 05/10] genmkfile debinstfile
---
 debian/security-misc-shared.install | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/debian/security-misc-shared.install b/debian/security-misc-shared.install
index 0b4dba2..9ae61fb 100755
--- a/debian/security-misc-shared.install
+++ b/debian/security-misc-shared.install
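Review bot: The added `command -v lspci &>/dev/null` line runs under the `set -e` added in the same hunk, so when pciutils is not installed the script exits 1, which systemd's ExecCondition handling treats as "skip the unit": usbguard is silently disabled with nothing in the journal explaining why, and the same holds when lspci itself fails inside the pipeline, whose status is grep's and is not caught by `set -e`. Since the check exists to suppress usbguard only when the hardware is positively absent, an unavailable or failing lspci should keep the previous behaviour (exit 0, usbguard starts) and say so on stderr; the rewrite below does that and keeps the final `exit 1`, which lies just past the end of this hunk, as the only "no controller" outcome.
```shell
## … unchanged: copyright header, set -e, export LC_ALL='C' …

## Package 'pciutils' provides tool 'lspci'.
## An unavailable or failing lspci must not suppress usbguard:
## only a successful listing with no USB controller reaches 'exit 1'.
if ! command -v lspci &>/dev/null; then
  printf '%s\n' "$0: lspci not found, not suppressing usbguard" >&2
  exit 0
fi

if ! lspci_output="$(lspci)"; then
  printf '%s\n' "$0: lspci failed, not suppressing usbguard" >&2
  exit 0
fi

if grep --quiet '^[^ ]* USB controller: ' <<< "$lspci_output"; then
  exit 0
fi

## … unchanged: trailing exit 1 …
```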
@@ -50,12 +50,12 @@ usr/libexec/security-misc/pam-info#security-misc-shared => /usr/libexec/security
 usr/libexec/security-misc/permission-lockdown#security-misc-shared => /usr/libexec/security-misc/permission-lockdown
 usr/libexec/security-misc/pam_only_if_su#security-misc-shared => /usr/libexec/security-misc/pam_only_if_su
 usr/libexec/security-misc/remove-system.map#security-misc-shared => /usr/libexec/security-misc/remove-system.map
+usr/libexec/security-misc/check-for-usb-controller#security-misc-shared => /usr/libexec/security-misc/check-for-usb-controller
 usr/libexec/security-misc/pam_only_if_login#security-misc-shared => /usr/libexec/security-misc/pam_only_if_login
 usr/libexec/security-misc/disable-kernel-module-loading#security-misc-shared => /usr/libexec/security-misc/disable-kernel-module-loading
 usr/libexec/security-misc/hide-hardware-info#security-misc-shared => /usr/libexec/security-misc/hide-hardware-info
 usr/libexec/security-misc/virusforget#security-misc-shared => /usr/libexec/security-misc/virusforget
 usr/libexec/security-misc/pam_faillock_not_if_x#security-misc-shared => /usr/libexec/security-misc/pam_faillock_not_if_x
-usr/libexec/security-misc/check-for-usb-controller#security-misc-shared => /usr/libexec/security-misc/check-for-usb-controller
 usr/src/security-misc/emerg-shutdown.c#security-misc-shared => /usr/src/security-misc/emerg-shutdown.c
 usr/bin/disabled-gps-by-security-misc#security-misc-shared => /usr/bin/disabled-gps-by-security-misc
 usr/bin/disabled-netfilesys-by-security-misc#security-misc-shared => /usr/bin/disabled-netfilesys-by-security-misc

From 48ce12eba38aec099b4afe42e4d42b1d41dcb97f Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Sat, 8 Nov 2025 07:44:43 +0000
Subject: [PATCH 06/10] bumped changelog version
---
 changelog.upstream | 43 +++++++++++++++++++++++++++++++++++++++++++
 debian/changelog | 6 ++++++
 2 files changed, 49 insertions(+)

diff --git a/changelog.upstream b/changelog.upstream
index 5d0b2e2..411fc54 100644
--- a/changelog.upstream
+++ b/changelog.upstream
@@ -1,3 +1,46 @@
+commit 69419357e1bb2d0842ecd5db3e42bcaa011f5c11
+Author: Patrick Schleizer
+Date: Sat Nov 8 02:42:25 2025 -0500
+
+ genmkfile debinstfile
+
+commit d50e6afc8fb0a925e07fc54b7ecc1f450d9aa176
+Author: Patrick Schleizer
+Date: Sat Nov 8 01:34:32 2025 -0500
+
+ sanity test
+
+commit 12679608428e6927da480ca721b34bab75108687
+Author: Patrick Schleizer
+Date: Sat Nov 8 01:32:45 2025 -0500
+
+ comments
+
+commit 1e48886c7e77fa7bccfdee3cca6f0fbdba74e4a1
+Author: Patrick Schleizer
+Date: Sat Nov 8 01:31:02 2025 -0500
+
+ long option name
+
+commit d6c949c791bcc2c76b4f2e81eb0ffd370f8f1a37
+Merge: 5b97e7bd fa32ba6c
+Author: Patrick Schleizer
+Date: Sat Nov 8 01:29:48 2025 -0500
+
+ Merge remote-tracking branch 'ArrayBolt3/arraybolt3/trixie'
+
+commit fa32ba6c4fccf35111f85ec3819e718963359d7c
+Author: Aaron Rainbolt
+Date: Fri Nov 7 17:09:22 2025 -0600
+
+ Suppress usbguard startup unless a USB controller is visible to lspci
+
+commit 5b97e7bd277038b3b04c80a78ce05bb52277d4f6
+Author: Patrick Schleizer
+Date: Sun Nov 2 11:41:51 2025 +0000
+
+ bumped changelog version
+
 commit 58d5f738e63d4c18048fab4e2fd134d68722d0fd
 Merge: 5121f80f 7beb19b6
 Author: Patrick Schleizer
diff --git a/debian/changelog b/debian/changelog
index aefccf2..0ca8055 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+security-misc (3:49.5-1) unstable; urgency=medium
+
+ * New upstream version (local package).
+
+ -- Patrick Schleizer Sat, 08 Nov 2025 07:44:43 +0000
+
 security-misc (3:49.4-1) unstable; urgency=medium
 
  * New upstream version (local package).

From 1ef974300a157235da6a6c4d1379b62acf0c4c61 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Sat, 8 Nov 2025 04:00:47 -0500
Subject: [PATCH 07/10] readme
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 302c8ab..acded8d 100644
--- a/README.md
+++ b/README.md
@@ -562,8 +562,8 @@ See:
 - `/etc/systemd/system/emergency.service.d/override.conf`
 - `/etc/systemd/system/rescue.service.d/override.conf`
 
-Adverse security effects can be prevented by setting up BIOS password
-protection, GRUB password protection, and/or full disk encryption.
+Adverse security effects can be prevented by setting up [BIOS Password](https://www.kicksecure.com/wiki/Protection_Against_Physical_Attacks#BIOS_Password)
+protection, [Bootloader Password](https://www.kicksecure.com/wiki/Protection_Against_Physical_Attacks#Bootloader_Password) protection, and/or [Full Disk Encryption (FDE)](https://www.kicksecure.com/wiki/Full_Disk_Encryption).
 
 ## Console lockdown
 

From 26b96ce2800e794104e6d3c113c3c2c121795b39 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Sun, 9 Nov 2025 08:12:42 +0000
Subject: [PATCH 08/10] bumped changelog version
---
 changelog.upstream | 12 ++++++++++++
 debian/changelog | 6 ++++++
 2 files changed, 18 insertions(+)

diff --git a/changelog.upstream b/changelog.upstream
index 411fc54..9f99460 100644
--- a/changelog.upstream
+++ b/changelog.upstream
@@ -1,3 +1,15 @@
+commit 1ef974300a157235da6a6c4d1379b62acf0c4c61
+Author: Patrick Schleizer
+Date: Sat Nov 8 04:00:47 2025 -0500
+
+ readme
+
+commit 48ce12eba38aec099b4afe42e4d42b1d41dcb97f
+Author: Patrick Schleizer
+Date: Sat Nov 8 07:44:43 2025 +0000
+
+ bumped changelog version
+
 commit 69419357e1bb2d0842ecd5db3e42bcaa011f5c11
 Author: Patrick Schleizer
 Date: Sat Nov 8 02:42:25 2025 -0500
diff --git a/debian/changelog b/debian/changelog
index 0ca8055..31425a9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+security-misc (3:49.6-1) unstable; urgency=medium
+
+ * New upstream version (local package).
+
+ -- Patrick Schleizer Sun, 09 Nov 2025 08:12:41 +0000
+
 security-misc (3:49.5-1) unstable; urgency=medium
 
  * New upstream version (local package).

From 039141188558931b73a9b5897ea3422bbb201dad Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Sun, 9 Nov 2025 05:47:00 -0500
Subject: [PATCH 09/10] revert Force immediate kernel panic on OOM.

https://github.com/Kicksecure/security-misc/issues/324#issuecomment-3507949741
---
 README.md | 2 +-
 usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index acded8d..8c232ae 100644
--- a/README.md
+++ b/README.md
@@ -52,7 +52,7 @@ configuration file and significant hardening is applied to a myriad of component - Force immediate system reboot on the occurrence of a single kernel panic, reducing the risk and impact of denial of service attacks and both cold and warm boot attacks. -- Force immediate kernel panic on OOM. This is to avoid security features such as the screen +- Optional - Force immediate kernel panic on OOM. This is to avoid security features such as the screen locker, kloak, emerg-shutdown from being arbitrarily terminated when the system starts running out of memory.
diff --git a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared
index 78e5e5f..a4914da 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared
+++ b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared
@@ -204,7 +204,9 @@ kernel.perf_event_paranoid=3
 ## from being arbitrarily terminated when the system starts running out of memory.
 ## https://forums.whonix.org/t/screen-locker-in-security-can-we-disable-these-at-least-4-backdoors/8128/14
 ## https://github.com/Kicksecure/security-misc/issues/324
-vm.panic_on_oom=2
+## Needs more work.
+##
+#vm.panic_on_oom=2
 
 ## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
 ## Can lead to privilege escalation by pushing characters into a controlling TTY.

From 0939883f0b5e1232e9aa85e61c0cbef551a59357 Mon Sep 17 00:00:00 2001
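Review bot: The two added comment lines `## Needs more work.` / `##` above the now commented-out `#vm.panic_on_oom=2` leave the rationale block directly above them reading as if the setting were still in force, and neither this hunk nor the README hunk in the same patch (which now labels the feature "Optional") tells an administrator how to opt back in. I would replace those two lines with a comment along the lines of `## Disabled by default pending https://github.com/Kicksecure/security-misc/issues/324. To opt in, set vm.panic_on_oom=2 in a drop-in under /etc/sysctl.d/ whose name sorts after this file.` so that the trade-off the existing comment describes (with the setting off, the OOM killer may terminate the screen locker or emerg-shutdown) and the way to restore it are both visible at the point of configuration.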
From: Patrick Schleizer
Date: Sun, 9 Nov 2025 10:47:45 +0000
Subject: [PATCH 10/10] bumped changelog version
---
 changelog.upstream | 14 ++++++++++++++
 debian/changelog | 6 ++++++
 2 files changed, 20 insertions(+)

diff --git a/changelog.upstream b/changelog.upstream
index 9f99460..e0f3c96 100644
--- a/changelog.upstream
+++ b/changelog.upstream
@@ -1,3 +1,17 @@
+commit 039141188558931b73a9b5897ea3422bbb201dad
+Author: Patrick Schleizer
+Date: Sun Nov 9 05:47:00 2025 -0500
+
+ revert Force immediate kernel panic on OOM.
+
+ https://github.com/Kicksecure/security-misc/issues/324#issuecomment-3507949741
+
+commit 26b96ce2800e794104e6d3c113c3c2c121795b39
+Author: Patrick Schleizer
+Date: Sun Nov 9 08:12:42 2025 +0000
+
+ bumped changelog version
+
 commit 1ef974300a157235da6a6c4d1379b62acf0c4c61
 Author: Patrick Schleizer
 Date: Sat Nov 8 04:00:47 2025 -0500
diff --git a/debian/changelog b/debian/changelog
index 31425a9..64715f1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+security-misc (3:49.7-1) unstable; urgency=medium
+
+ * New upstream version (local package).
+
+ -- Patrick Schleizer Sun, 09 Nov 2025 10:47:45 +0000
+
 security-misc (3:49.6-1) unstable; urgency=medium
 
  * New upstream version (local package).