From 6c3be9ced071e73e78451c82e8def9c5a5b02598 Mon Sep 17 00:00:00 2001 From: DMHalford <161769419+DMHalford@users.noreply.github.com> Date: Thu, 15 May 2025 15:06:10 -0400 Subject: [PATCH 01/47] Prevent erroneous "Login blocked after [negative number] attempts" errors For root, faillock appears to always* return an empty string (i.e. no table headers are present), yielding a zero-initialized pam_faillock_output_count and thus resulting in the calculation of a negative failed_login_counter value. This can cause erroneous errors of the form "ERROR: Login blocked after [negative number] attempts" during sudo-ing and screen unlocking. This commit modifies the initialization of failed_login_counter such that it cannot be negative and prevents the display of these incorrect warnings. * Only rudimentary tests were conducted --- usr/libexec/security-misc/pam-info | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index 5f8198a..a0e86db 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -163,9 +163,9 @@ pam_faillock_output_count="$(echo "$pam_faillock_output" | wc -l)" ## example pam_faillock_output_count: ## 4 -## Do not count the first two informational textual output lines -## (starting with "user:" and "When"). -failed_login_counter=$(( pam_faillock_output_count - 2 )) +## Do not count the first two informational textual output lines (starting with "user:" and "When") if present, +## but ensure failed_login_counter is not set to a negative value. +failed_login_counter=$( [ $(( pam_faillock_output_count - 2 )) -gt 0 ] && echo $(( pam_faillock_output_count - 2 )) || echo "0" ) ## example failed_login_counter: ## 2 From 91a76db66bb496ba4650ada38df31636297738cf Mon Sep 17 00:00:00 2001 From: DMHalford <161769419+DMHalford@users.noreply.github.com> Date: Thu, 15 May 2025 15:42:50 -0400 Subject: [PATCH 02/47] Prevent erroneous "Login blocked after [negative number] attempts" errors For root, faillock appears to always* return an empty string (i.e. no table headers are present), yielding a zero-initialized pam_faillock_output_count and thus resulting in the calculation of a negative failed_login_counter value. This can cause erroneous errors of the form "ERROR: Login blocked after [negative number] attempts" during sudo-ing and screen unlocking. This commit modifies the initialization of failed_login_counter such that it cannot be negative and prevents the display of these incorrect warnings. * Only rudimentary local tests were conducted --- usr/libexec/security-misc/pam-info | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index a0e86db..0559ea3 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -164,7 +164,7 @@ pam_faillock_output_count="$(echo "$pam_faillock_output" | wc -l)" ## 4 ## Do not count the first two informational textual output lines (starting with "user:" and "When") if present, -## but ensure failed_login_counter is not set to a negative value. +## whilst ensuring failed_login_counter is not set to a negative value. failed_login_counter=$( [ $(( pam_faillock_output_count - 2 )) -gt 0 ] && echo $(( pam_faillock_output_count - 2 )) || echo "0" ) ## example failed_login_counter: From a1bde21ccb475fc21a084559dbe766f6315d9287 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sat, 17 May 2025 04:41:06 +0000 Subject: [PATCH 03/47] Set `erst_disable` --- README.md | 4 ++-- etc/default/grub.d/40_kernel_hardening.cfg | 5 ++++- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 38cc8e0..628f732 100644 --- a/README.md +++ b/README.md @@ -226,8 +226,8 @@ Kernel space: - Optional - Disable support for all x86 processes and syscalls (when using Linux kernel >= 6.7) to reduce attack surface. -- Disable EFI persistent storage feature, preventing the kernel from writing crash logs and - other persistent data to the EFI variable store. +- Disable the EFI persistent storage feature which prevents the kernel from writing crash logs + and other persistent data to either the UEFI variable storage or ACPI ERST backends. Direct memory access: diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 99f2d16..ee79f81 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -224,7 +224,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0" #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0" ## Disable EFI persistent storage feature. -## Prevents the kernel from writing crash logs and other persistent data to the EFI variable store. +## Disable Error Record Serialization Table (ERST) support as a form of defense-in-depth. +## Prevents the kernel from writing crash logs and other persistent data to the storage backend. +## Both the UEFI variable storage and ACPI ERST backends are inactivated. ## ## https://blogs.oracle.com/linux/post/pstore-linux-kernel-persistent-storage-file-system ## https://www.ais.com/understanding-pstore-linux-kernel-persistent-storage-file-system/ @@ -234,6 +236,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0" ## https://github.com/Kicksecure/security-misc/issues/299 ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi_pstore.pstore_disable=1" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX erst_disable" ## 2. Direct Memory Access: ## From 35fa32e4ed6333f3ab87d09828f13155aa1e7a72 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sat, 17 May 2025 15:06:49 +1000 Subject: [PATCH 04/47] Reword --- etc/default/grub.d/40_kernel_hardening.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index ee79f81..671c28b 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -226,7 +226,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0" ## Disable EFI persistent storage feature. ## Disable Error Record Serialization Table (ERST) support as a form of defense-in-depth. ## Prevents the kernel from writing crash logs and other persistent data to the storage backend. -## Both the UEFI variable storage and ACPI ERST backends are inactivated. +## Both the UEFI variable storage and ACPI ERST backends are deactivated. ## ## https://blogs.oracle.com/linux/post/pstore-linux-kernel-persistent-storage-file-system ## https://www.ais.com/understanding-pstore-linux-kernel-persistent-storage-file-system/ From 7f2ba0980d17360fc014c6a412fc4ee57e1032fd Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 18 May 2025 06:40:50 -0400 Subject: [PATCH 05/47] refactoring --- usr/libexec/security-misc/pam-info | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index 0559ea3..8998641 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -164,12 +164,18 @@ pam_faillock_output_count="$(echo "$pam_faillock_output" | wc -l)" ## 4 ## Do not count the first two informational textual output lines (starting with "user:" and "When") if present, -## whilst ensuring failed_login_counter is not set to a negative value. -failed_login_counter=$( [ $(( pam_faillock_output_count - 2 )) -gt 0 ] && echo $(( pam_faillock_output_count - 2 )) || echo "0" ) +failed_login_counter=$(( pam_faillock_output_count - 2 )) ## example failed_login_counter: ## 2 +## Ensuring failed_login_counter is not set to a negative value. +## https://github.com/Kicksecure/security-misc/pull/305 +if [ "$failed_login_counter" -le "0" ]; then + true "$0: WARNING: Failed login counter is negative. Resetting to 0." + failed_login_counter=0 +fi + if [ "$failed_login_counter" = "0" ]; then true "$0: INFO: Failed login counter is 0, ok." exit 0 From d8feca12768441b0499ead7cc9f9bce4e89b1edf Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 18 May 2025 06:41:41 -0400 Subject: [PATCH 06/47] printf --- usr/libexec/security-misc/pam-info | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index 8998641..49b376c 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -42,7 +42,7 @@ if [ ! "$grep_result" = "" ]; then ## Yes, grep matched. ## Check if not out commented. - if ! echo "$grep_result" | grep --quiet -- "#" ; then + if ! printf '%s\n' "$grep_result" | grep --quiet -- "#" ; then ## Not out commented indeed. ## https://forums.whonix.org/t/etc-security-hardening-console-lockdown/8592 @@ -55,7 +55,7 @@ if [ ! "$grep_result" = "" ]; then fi if [ ! "$console_allowed" = "true" ]; then - echo "\ + printf '%s\n' "\ $0: ERROR: PAM_USER: '$PAM_USER' is not a member of group 'console' To unlock, run the following command as superuser: (If you still have a sudo/root shell somewhere.) @@ -76,7 +76,7 @@ if [ "$PAM_USER" = 'sysmaint' ]; then sysmaint_passwd_info="$(passwd --status sysmaint 2>/dev/null)" || true sysmaint_lock_info="$(cut -d' ' -f2 <<< "${sysmaint_passwd_info}")" if [ "${sysmaint_lock_info}" = 'L' ]; then - echo "$0: ERROR: Reboot and choose 'PERSISTENT Mode - SYSMAINT Session' for system maintenance. See https://www.kicksecure.com/wiki/Sysmaint" + printf '%s\n' "$0: ERROR: Reboot and choose 'PERSISTENT Mode - SYSMAINT Session' for system maintenance. See https://www.kicksecure.com/wiki/Sysmaint" fi fi @@ -84,7 +84,7 @@ kernel_cmdline="$(cat /proc/cmdline)" if [ "$PAM_USER" != 'sysmaint' ] \ && [[ "${kernel_cmdline}" =~ 'boot-role=sysmaint' ]]; then - echo "$0: WARNING: Use account 'sysmaint' for system maintenance. See https://www.kicksecure.com/wiki/Sysmaint" + printf '%s\n' "$0: WARNING: Use account 'sysmaint' for system maintenance. See https://www.kicksecure.com/wiki/Sysmaint" fi ## https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698 @@ -95,7 +95,7 @@ fi # if [ -f /etc/securetty ]; then # grep_result="$(grep "^[^#]" /etc/securetty)" # if [ "$grep_result" = "" ]; then -# echo "\ +# printf '%s\n' "\ # $0: ERROR: Root login is disabled. # ERROR: This is because /etc/securetty is empty. # See also: @@ -143,7 +143,7 @@ fi ## Usage: faillock [--dir /path/to/tally-directory] [--user username] [--reset] ## Get first line. -#pam_faillock_output_first_line="$(echo "$pam_faillock_output" | head --lines=1)" +#pam_faillock_output_first_line="$(printf '%s\n' "$pam_faillock_output" | head --lines=1)" while read -t 10 -r pam_faillock_output_first_line ; do break done <<< "$pam_faillock_output" @@ -152,12 +152,12 @@ true "pam_faillock_output_first_line: '$pam_faillock_output_first_line'" ## example pam_faillock_output_first_line: ## user: -user_name="$(echo "$pam_faillock_output_first_line" | str_replace ":" "")" +user_name="$(printf '%s\n' "$pam_faillock_output_first_line" | str_replace ":" "")" ## example user_name: ## user ## root -pam_faillock_output_count="$(echo "$pam_faillock_output" | wc -l)" +pam_faillock_output_count="$(printf '%s\n' "$pam_faillock_output" | wc -l)" ## example pam_faillock_output_count: ## 2 ## example pam_faillock_output_count: @@ -186,13 +186,13 @@ deny=3 if test -f /etc/security/faillock.conf ; then deny_line=$(grep --invert-match "#" -- /etc/security/faillock.conf | grep -- "deny =") - deny="$(echo "$deny_line" | str_replace "=" "" | str_replace "deny" "" | str_replace " " "")" + deny="$(printf '%s\n' "$deny_line" | str_replace "=" "" | str_replace "deny" "" | str_replace " " "")" ## Example: #deny=50 fi if [[ "$deny" == *[!0-9]* ]]; then - echo "\ + printf '%s\n' "\ $0: ERROR: deny is not numeric. deny: '$deny' ERROR: Please report this bug. " >&2 @@ -202,7 +202,7 @@ fi remaining_attempts="$(( $deny - $failed_login_counter ))" if [ "$remaining_attempts" -le "0" ]; then - echo "\ + printf '%s\n' "\ $0: ERROR: Login blocked after $failed_login_counter attempts. To unlock, run the following command as superuser: (If you still have a sudo/root shell somewhere.) @@ -217,14 +217,14 @@ https://www.kicksecure.com/wiki/root#unlock exit 0 fi -echo "\ +printf '%s\n' "\ $0: WARNING: $failed_login_counter failed login attempts for user_name '$user_name'. Login will be blocked after $deny attempts. You have $remaining_attempts more attempts before unlock procedure is required. " >&2 if [ "$PAM_SERVICE" = "su" ]; then - echo "\ + printf '%s\n' "\ $0: NOTE: Type the password. When entering the password, no password feedback (no asterisk (\"*\") symbol) will be shown. " >&2 fi From 601ea77b005d18b57a85e0701f3981edd61b7881 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 18 May 2025 06:42:39 -0400 Subject: [PATCH 07/47] end-of-options --- usr/libexec/security-misc/pam-info | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index 49b376c..ce420b2 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -80,7 +80,7 @@ if [ "$PAM_USER" = 'sysmaint' ]; then fi fi -kernel_cmdline="$(cat /proc/cmdline)" +kernel_cmdline="$(cat -- /proc/cmdline)" if [ "$PAM_USER" != 'sysmaint' ] \ && [[ "${kernel_cmdline}" =~ 'boot-role=sysmaint' ]]; then @@ -93,7 +93,7 @@ fi ## Also this should only run for login since securetty covers only login. # if [ "$PAM_USER" = "root" ]; then # if [ -f /etc/securetty ]; then -# grep_result="$(grep "^[^#]" /etc/securetty)" +# grep_result="$(grep -- "^[^#]" /etc/securetty)" # if [ "$grep_result" = "" ]; then # printf '%s\n' "\ # $0: ERROR: Root login is disabled. From 88235cc97b8b54f3fe78d6ad76f64326e8b53f3e Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 18 May 2025 06:44:04 -0400 Subject: [PATCH 08/47] refactoring --- usr/libexec/security-misc/pam-info | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index ce420b2..b24c668 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -82,9 +82,10 @@ fi kernel_cmdline="$(cat -- /proc/cmdline)" -if [ "$PAM_USER" != 'sysmaint' ] \ - && [[ "${kernel_cmdline}" =~ 'boot-role=sysmaint' ]]; then - printf '%s\n' "$0: WARNING: Use account 'sysmaint' for system maintenance. See https://www.kicksecure.com/wiki/Sysmaint" +if [ "$PAM_USER" != 'sysmaint' ]; then + if [[ "${kernel_cmdline}" =~ 'boot-role=sysmaint' ]]; then + printf '%s\n' "$0: WARNING: Use account 'sysmaint' for system maintenance. See https://www.kicksecure.com/wiki/Sysmaint" + fi fi ## https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698 From 405880e63b92319626332d083a6c5ad5101dbf77 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 18 May 2025 06:44:42 -0400 Subject: [PATCH 09/47] handle case of non-existence of /proc/cmdline --- usr/libexec/security-misc/pam-info | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index b24c668..736e44f 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -80,7 +80,9 @@ if [ "$PAM_USER" = 'sysmaint' ]; then fi fi -kernel_cmdline="$(cat -- /proc/cmdline)" +if test -f /proc/cmdline; then + kernel_cmdline="$(cat -- /proc/cmdline)" +fi if [ "$PAM_USER" != 'sysmaint' ]; then if [[ "${kernel_cmdline}" =~ 'boot-role=sysmaint' ]]; then From 19d7e1af5d7acf6eb3a20fe3ebf5f14cef041f92 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 20 May 2025 11:40:27 +0000 Subject: [PATCH 10/47] bumped changelog version --- changelog.upstream | 80 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++ 2 files changed, 86 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index d2432d7..e64e373 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,83 @@ +commit 405880e63b92319626332d083a6c5ad5101dbf77 +Author: Patrick Schleizer +Date: Sun May 18 06:44:42 2025 -0400 + + handle case of non-existence of /proc/cmdline + +commit 88235cc97b8b54f3fe78d6ad76f64326e8b53f3e +Author: Patrick Schleizer +Date: Sun May 18 06:44:04 2025 -0400 + + refactoring + +commit 601ea77b005d18b57a85e0701f3981edd61b7881 +Author: Patrick Schleizer +Date: Sun May 18 06:42:39 2025 -0400 + + end-of-options + +commit d8feca12768441b0499ead7cc9f9bce4e89b1edf +Author: Patrick Schleizer +Date: Sun May 18 06:41:41 2025 -0400 + + printf + +commit 7f2ba0980d17360fc014c6a412fc4ee57e1032fd +Author: Patrick Schleizer +Date: Sun May 18 06:40:50 2025 -0400 + + refactoring + +commit 4d1f8c44d28895587abce586ed5b2fe354544f6a +Merge: 341dce3 e478750 +Author: Patrick Schleizer +Date: Sun May 18 06:36:08 2025 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit e478750814798f3d9aa60354b6cecbb84769ed53 +Merge: 341dce3 91a76db +Author: Patrick Schleizer +Date: Sun May 18 06:35:23 2025 -0400 + + Merge pull request #305 from DMHalford/pam-info-failed_login_counter-fix + + Prevent erroneous "Login blocked after [negative number] attempts" errors + +commit 91a76db66bb496ba4650ada38df31636297738cf +Author: DMHalford <161769419+DMHalford@users.noreply.github.com> +Date: Thu May 15 15:42:50 2025 -0400 + + Prevent erroneous "Login blocked after [negative number] attempts" errors + + For root, faillock appears to always* return an empty string (i.e. no table headers are present), yielding a zero-initialized pam_faillock_output_count and thus resulting in the calculation of a negative failed_login_counter value. + + This can cause erroneous errors of the form "ERROR: Login blocked after [negative number] attempts" during sudo-ing and screen unlocking. + + This commit modifies the initialization of failed_login_counter such that it cannot be negative and prevents the display of these incorrect warnings. + + * Only rudimentary local tests were conducted + +commit 6c3be9ced071e73e78451c82e8def9c5a5b02598 +Author: DMHalford <161769419+DMHalford@users.noreply.github.com> +Date: Thu May 15 15:06:10 2025 -0400 + + Prevent erroneous "Login blocked after [negative number] attempts" errors + + For root, faillock appears to always* return an empty string (i.e. no table headers are present), yielding a zero-initialized pam_faillock_output_count and thus resulting in the calculation of a negative failed_login_counter value. + + This can cause erroneous errors of the form "ERROR: Login blocked after [negative number] attempts" during sudo-ing and screen unlocking. + + This commit modifies the initialization of failed_login_counter such that it cannot be negative and prevents the display of these incorrect warnings. + + * Only rudimentary tests were conducted + +commit 341dce33fb806ab03822470e6af91604662c22dd +Author: Patrick Schleizer +Date: Fri Apr 25 09:54:23 2025 +0000 + + bumped changelog version + commit 06e1e44b0039807baa862102b12fc5e199c3ccb3 Author: Patrick Schleizer Date: Fri Apr 25 05:51:21 2025 -0400 diff --git a/debian/changelog b/debian/changelog index a0ef4b0..6c74fa5 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:45.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 20 May 2025 11:40:27 +0000 + security-misc (3:45.2-1) unstable; urgency=medium * New upstream version (local package). From 94dc9da4ab8fb93760dbb3b325bdeaa155e492cb Mon Sep 17 00:00:00 2001 From: Ashlen Date: Tue, 20 May 2025 17:07:51 -0600 Subject: [PATCH 11/47] fix(permission-hardener): ssh-agent gets 755 perms Replace the commented-out matchwhitelist entry for ssh-agent with an explicit permission entry (755) for /usr/bin/ssh-agent. When ssh-agent's matchwhitelist entry was commented out in commit 7a5f8b87af, permission-hardener began resetting it to restrictive defaults (744), preventing non-root users from executing ssh-agent. This broke split SSH functionality in Qubes OS for me because I was using Kicksecure in the vault qube, and ssh-agent runs under a non-root user in that configuration (see https://forum.qubes-os.org/t/split-ssh/19060). As noted in the comment, Debian installs with 2755 permissions as a way to mitigate ptrace attacks, but this rationale doesn't apply due to kernel.yama.ptrace_scope=2 being set in Kicksecure. --- .../25_default_whitelist_ssh.conf | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf b/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf index 8688dfe..5415197 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf @@ -5,11 +5,21 @@ ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom ## configuration. When security-misc is updated, this file may be overwritten. +## Used for SSH client key management +## https://manpages.debian.org/bookworm/openssh-client/ssh-agent.1.en.html +## Debian installs ssh-agent with setgid permissions (2755) and with +## _ssh as the group to prevent ptrace attacks that could extract +## private keys from the agent's memory. However, as Kicksecure makes use +## of kernel.yama.ptrace_scope=2 by default, this is not a concern. +## +## ssh-agent is often run under non-root users, so 755 permissions make +## sense here to avoid breakage. +/usr/bin/ssh-agent 755 root root + ## Used only for SSH host-based authentication ## https://linux.die.net/man/8/ssh-keysign ## Needed to allow access to the machine's host key for use in the ## authentication process. This is a non-default method of authenticating to ## SSH, and is likely rarely used, thus this should be safe to disable. -#ssh-agent matchwhitelist #ssh-keysign matchwhitelist #/usr/lib/openssh matchwhitelist From 7a079c3de8bd8b4e026a1bd1b932a04610a1e386 Mon Sep 17 00:00:00 2001 From: Ashlen Date: Tue, 20 May 2025 18:41:48 -0600 Subject: [PATCH 12/47] fix(permission-hardener): add exactwhitelist here Without this, the permissions for ssh-agent won't be changed properly. --- usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf b/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf index 5415197..767cd08 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf @@ -14,6 +14,7 @@ ## ## ssh-agent is often run under non-root users, so 755 permissions make ## sense here to avoid breakage. +/usr/bin/ssh-agent exactwhitelist /usr/bin/ssh-agent 755 root root ## Used only for SSH host-based authentication From e14b81b15e479afbc4820a2b9bb60f3cf65bfb12 Mon Sep 17 00:00:00 2001 From: Ashlen Date: Tue, 20 May 2025 21:34:03 -0600 Subject: [PATCH 13/47] perf(permission-hardener): optimize string match MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Replace subprocess grep calls with bash substring matching in check_nosuid_whitelist function. This eliminates ~10k unneeded subprocess spawns that were causing significant performance degradation. In testing, it improves overall script execution speed by an order of magnitude: Before patch: $ sudo hyperfine -- './permission-hardener enable' Benchmark 1: ./permission-hardener enable Time (mean ± σ): 11.906 s ± 0.974 s [User: 3.639 s, System: 8.728 s] Range (min … max): 10.430 s … 14.090 s 10 runs After patch: $ sudo hyperfine -- './permission-hardener enable' Benchmark 1: ./permission-hardener enable Time (mean ± σ): 802.8 ms ± 178.5 ms [User: 283.0 ms, System: 471.9 ms] Range (min … max): 639.4 ms … 1092.3 ms 10 runs --- usr/bin/permission-hardener | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 9f70834..b871fdc 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -256,8 +256,7 @@ check_nosuid_whitelist() { [[ " ${policy_exact_white_list[*]} " =~ " ${target_file} " ]] && return 1 for match_white_list_entry in "${policy_match_white_list[@]:-}"; do - if safe_echo "${target_file}" \ - | grep --quiet --fixed-strings -- "${match_white_list_entry}"; then + if [[ "${target_file}" == *"${match_white_list_entry}"* ]]; then return 1 fi done From 5c981e0891ef009c5c2355f5f6383aca22c45638 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 21 May 2025 06:55:09 -0400 Subject: [PATCH 14/47] pam-info: fix, consistently write errors and warnings to stderr --- usr/libexec/security-misc/pam-info | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index 736e44f..00cab0b 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -76,7 +76,7 @@ if [ "$PAM_USER" = 'sysmaint' ]; then sysmaint_passwd_info="$(passwd --status sysmaint 2>/dev/null)" || true sysmaint_lock_info="$(cut -d' ' -f2 <<< "${sysmaint_passwd_info}")" if [ "${sysmaint_lock_info}" = 'L' ]; then - printf '%s\n' "$0: ERROR: Reboot and choose 'PERSISTENT Mode - SYSMAINT Session' for system maintenance. See https://www.kicksecure.com/wiki/Sysmaint" + printf '%s\n' "$0: ERROR: Reboot and choose 'PERSISTENT Mode - SYSMAINT Session' for system maintenance. See https://www.kicksecure.com/wiki/Sysmaint" >&2 fi fi @@ -86,7 +86,7 @@ fi if [ "$PAM_USER" != 'sysmaint' ]; then if [[ "${kernel_cmdline}" =~ 'boot-role=sysmaint' ]]; then - printf '%s\n' "$0: WARNING: Use account 'sysmaint' for system maintenance. See https://www.kicksecure.com/wiki/Sysmaint" + printf '%s\n' "$0: WARNING: Use account 'sysmaint' for system maintenance. See https://www.kicksecure.com/wiki/Sysmaint" >&2 fi fi From 5930e270521e0e5d6a0a3877c813accbf5253051 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 21 May 2025 07:05:25 -0400 Subject: [PATCH 15/47] pam-info: improve error handling https://github.com/Kicksecure/security-misc/pull/305#issuecomment-2892378246 --- usr/libexec/security-misc/pam-info | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index 00cab0b..0f30faf 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -19,8 +19,22 @@ fi true "$0: START PHASE 2" +set -o errexit +set -o errtrace set -o pipefail +error_handler() { + exit_code="$?" + printf '%s\n' "\ +$0: ERROR: Unexpected error. +BASH_COMMAND: '$BASH_COMMAND' +exit_code: '$exit_code' +ERROR: Please report this bug." >&2 + exit 1 +} + +trap error_handler ERR + ## Named constants. pam_faillock_state_dir="/var/lib/security-misc/faillock" @@ -35,7 +49,7 @@ if [ "$PAM_USER" = "" ]; then exit 0 fi -grep_result="$(grep -- "accessfile=/etc/security/access-security-misc.conf" /etc/pam.d/common-account 2>/dev/null)" +grep_result="$(grep -- "accessfile=/etc/security/access-security-misc.conf" /etc/pam.d/common-account 2>/dev/null)" || true ## Check if grep matched something. if [ ! "$grep_result" = "" ]; then From 353b6e83c55d52b47a2a35063406324cec7237c4 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 21 May 2025 07:20:13 -0400 Subject: [PATCH 16/47] test that `wc` is functional https://github.com/Kicksecure/security-misc/pull/305#issuecomment-2892378246 --- usr/libexec/security-misc/apt-get-update-sanity-test | 10 ++++++++++ usr/libexec/security-misc/pam-info | 10 ++++++++++ 2 files changed, 20 insertions(+) diff --git a/usr/libexec/security-misc/apt-get-update-sanity-test b/usr/libexec/security-misc/apt-get-update-sanity-test index a5b7709..f96a4f8 100755 --- a/usr/libexec/security-misc/apt-get-update-sanity-test +++ b/usr/libexec/security-misc/apt-get-update-sanity-test @@ -7,5 +7,15 @@ set -x set -e set -o pipefail +if ! printf '%s\n' | wc -l >/dev/null ; then + printf "\ +$0: ERROR: command 'wc' test failed! Do not ignore this! + +'wc' can core dump. Example: +zsh: illegal hardware instruction (core dumped) wc -l +https://github.com/rspamd/rspamd/issues/5137" >&2 + exit 1 +fi + wc -L "/var/lib/apt/lists/"*InRelease wc -L "/var/lib/apt/lists/"*InRelease | awk '$1 > 1024 {print; exit 1}' diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index 0f30faf..3ac9a5d 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -35,6 +35,16 @@ ERROR: Please report this bug." >&2 trap error_handler ERR +if ! printf '%s\n' | wc -l >/dev/null ; then + printf "\ +$0: ERROR: command 'wc' test failed! Do not ignore this! + +'wc' can core dump. Example: +zsh: illegal hardware instruction (core dumped) wc -l +https://github.com/rspamd/rspamd/issues/5137" >&2 + exit 1 +fi + ## Named constants. pam_faillock_state_dir="/var/lib/security-misc/faillock" From ff6bc5d5b6097bcdddd8e66c2541106c2cbabbaf Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 21 May 2025 11:23:39 +0000 Subject: [PATCH 17/47] bumped changelog version --- changelog.upstream | 28 ++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 34 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index e64e373..3ad374b 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,31 @@ +commit 353b6e83c55d52b47a2a35063406324cec7237c4 +Author: Patrick Schleizer +Date: Wed May 21 07:20:13 2025 -0400 + + test that `wc` is functional + + https://github.com/Kicksecure/security-misc/pull/305#issuecomment-2892378246 + +commit 5930e270521e0e5d6a0a3877c813accbf5253051 +Author: Patrick Schleizer +Date: Wed May 21 07:05:25 2025 -0400 + + pam-info: improve error handling + + https://github.com/Kicksecure/security-misc/pull/305#issuecomment-2892378246 + +commit 5c981e0891ef009c5c2355f5f6383aca22c45638 +Author: Patrick Schleizer +Date: Wed May 21 06:55:09 2025 -0400 + + pam-info: fix, consistently write errors and warnings to stderr + +commit 19d7e1af5d7acf6eb3a20fe3ebf5f14cef041f92 +Author: Patrick Schleizer +Date: Tue May 20 11:40:27 2025 +0000 + + bumped changelog version + commit 405880e63b92319626332d083a6c5ad5101dbf77 Author: Patrick Schleizer Date: Sun May 18 06:44:42 2025 -0400 diff --git a/debian/changelog b/debian/changelog index 6c74fa5..d865aba 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:45.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 21 May 2025 11:23:39 +0000 + security-misc (3:45.3-1) unstable; urgency=medium * New upstream version (local package). From 14cf205579ff65fa765d7574e5d0e301a30a1904 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 21 May 2025 08:36:16 -0400 Subject: [PATCH 18/47] fix --- etc/profile.d/30_security-misc.sh | 6 +++--- usr/bin/remount-secure | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/etc/profile.d/30_security-misc.sh b/etc/profile.d/30_security-misc.sh index c1adb22..8cb5673 100755 --- a/etc/profile.d/30_security-misc.sh +++ b/etc/profile.d/30_security-misc.sh @@ -4,8 +4,8 @@ ## See the file COPYING for copying conditions. if [ -z "$XDG_CONFIG_DIRS" ]; then - XDG_CONFIG_DIRS=/etc/xdg + XDG_CONFIG_DIRS="/etc/xdg" fi -if ! echo "$XDG_CONFIG_DIRS" | grep --quiet /usr/share/security-misc/ ; then - export XDG_CONFIG_DIRS=/usr/share/security-misc/:$XDG_CONFIG_DIRS +if ! printf '%s\n' "$XDG_CONFIG_DIRS" | grep -- "/usr/share/security-misc/" >/dev/null 2>/dev/null ; then + export XDG_CONFIG_DIRS="/usr/share/security-misc/:$XDG_CONFIG_DIRS" fi diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 865867d..957ad46 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -180,7 +180,7 @@ remount_secure() { $output_command "INFO: '$mount_folder' old_mount_options: '$old_mount_options'" - if echo "$old_mount_options" | grep --quiet "$intended_mount_options" ; then + if printf '%s\n' "$old_mount_options" | grep "$intended_mount_options" >/dev/null 2>/dev/null ; then $output_command "INFO: '$mount_folder' has already intended mount options. ('$intended_mount_options')" return 0 fi From bd01a683054b1f7d5a5f6cc4848da73b1b1ef5ff Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 21 May 2025 13:58:18 +0000 Subject: [PATCH 19/47] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 3ad374b..748b236 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit 14cf205579ff65fa765d7574e5d0e301a30a1904 +Author: Patrick Schleizer +Date: Wed May 21 08:36:16 2025 -0400 + + fix + +commit ff6bc5d5b6097bcdddd8e66c2541106c2cbabbaf +Author: Patrick Schleizer +Date: Wed May 21 11:23:39 2025 +0000 + + bumped changelog version + commit 353b6e83c55d52b47a2a35063406324cec7237c4 Author: Patrick Schleizer Date: Wed May 21 07:20:13 2025 -0400 diff --git a/debian/changelog b/debian/changelog index d865aba..589c983 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:45.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 21 May 2025 13:58:18 +0000 + security-misc (3:45.4-1) unstable; urgency=medium * New upstream version (local package). From e1bae1c68aabc424924b6386fe4980d657dc2cdf Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 21 May 2025 11:50:59 -0400 Subject: [PATCH 20/47] fix --- usr/libexec/security-misc/apt-get-update-sanity-test | 4 ++-- usr/libexec/security-misc/pam-info | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/usr/libexec/security-misc/apt-get-update-sanity-test b/usr/libexec/security-misc/apt-get-update-sanity-test index f96a4f8..7efac72 100755 --- a/usr/libexec/security-misc/apt-get-update-sanity-test +++ b/usr/libexec/security-misc/apt-get-update-sanity-test @@ -7,8 +7,8 @@ set -x set -e set -o pipefail -if ! printf '%s\n' | wc -l >/dev/null ; then - printf "\ +if ! printf '%s\n' "" | wc -l >/dev/null ; then + printf '%s\n' "\ $0: ERROR: command 'wc' test failed! Do not ignore this! 'wc' can core dump. Example: diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index 3ac9a5d..c13bea4 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -35,8 +35,8 @@ ERROR: Please report this bug." >&2 trap error_handler ERR -if ! printf '%s\n' | wc -l >/dev/null ; then - printf "\ +if ! printf '%s\n' "" | wc -l >/dev/null ; then + printf '%s\n' "\ $0: ERROR: command 'wc' test failed! Do not ignore this! 'wc' can core dump. Example: From 0eea681ce893a259563f8e9d5a2ec9722fbc635d Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 21 May 2025 15:52:16 +0000 Subject: [PATCH 21/47] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 748b236..8b19816 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit e1bae1c68aabc424924b6386fe4980d657dc2cdf +Author: Patrick Schleizer +Date: Wed May 21 11:50:59 2025 -0400 + + fix + +commit bd01a683054b1f7d5a5f6cc4848da73b1b1ef5ff +Author: Patrick Schleizer +Date: Wed May 21 13:58:18 2025 +0000 + + bumped changelog version + commit 14cf205579ff65fa765d7574e5d0e301a30a1904 Author: Patrick Schleizer Date: Wed May 21 08:36:16 2025 -0400 diff --git a/debian/changelog b/debian/changelog index 589c983..886323c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:45.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 21 May 2025 15:52:16 +0000 + security-misc (3:45.5-1) unstable; urgency=medium * New upstream version (local package). From 784867e24b4d6f2899fa9b215ec9e3c4e2fb9d84 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 21 May 2025 12:21:45 -0400 Subject: [PATCH 22/47] fix --- usr/libexec/security-misc/pam-info | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index c13bea4..907c684 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -212,7 +212,7 @@ fi deny=3 if test -f /etc/security/faillock.conf ; then - deny_line=$(grep --invert-match "#" -- /etc/security/faillock.conf | grep -- "deny =") + deny_line=$(grep --invert-match "#" -- /etc/security/faillock.conf | grep -- "deny =") || true deny="$(printf '%s\n' "$deny_line" | str_replace "=" "" | str_replace "deny" "" | str_replace " " "")" ## Example: #deny=50 From ef8515ba82996b137c386eeb91e6f853d58a515f Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 21 May 2025 12:23:45 -0400 Subject: [PATCH 23/47] improve error handling --- usr/libexec/security-misc/pam-info | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index 907c684..cf50d2a 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -190,6 +190,14 @@ pam_faillock_output_count="$(printf '%s\n' "$pam_faillock_output" | wc -l)" ## example pam_faillock_output_count: ## 4 +if [[ "$deny" == *[!0-9]* ]]; then + printf '%s\n' "\ +$0: ERROR: Variable pam_faillock_output_count is not numeric. pam_faillock_output_count: '$deny' +ERROR: Please report this bug. +" >&2 + exit 0 +fi + ## Do not count the first two informational textual output lines (starting with "user:" and "When") if present, failed_login_counter=$(( pam_faillock_output_count - 2 )) From 0801b96ae74256f36dcf8757d0ba8abc66ea0b9b Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 21 May 2025 12:25:49 -0400 Subject: [PATCH 24/47] output --- usr/libexec/security-misc/pam-info | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index cf50d2a..d0210d9 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -124,7 +124,7 @@ fi # if [ "$grep_result" = "" ]; then # printf '%s\n' "\ # $0: ERROR: Root login is disabled. -# ERROR: This is because /etc/securetty is empty. +# ERROR: This is because file '/etc/securetty' is empty. # See also: # https://www.kicksecure.com/wiki/root#login # " >&2 @@ -192,7 +192,7 @@ pam_faillock_output_count="$(printf '%s\n' "$pam_faillock_output" | wc -l)" if [[ "$deny" == *[!0-9]* ]]; then printf '%s\n' "\ -$0: ERROR: Variable pam_faillock_output_count is not numeric. pam_faillock_output_count: '$deny' +$0: ERROR: Variable 'pam_faillock_output_count' is not numeric. pam_faillock_output_count: '$deny' ERROR: Please report this bug. " >&2 exit 0 @@ -228,7 +228,7 @@ fi if [[ "$deny" == *[!0-9]* ]]; then printf '%s\n' "\ -$0: ERROR: deny is not numeric. deny: '$deny' +$0: ERROR: Variable 'deny' is not numeric. deny: '$deny' ERROR: Please report this bug. " >&2 exit 0 From 2c1abb23e03cfe449347ba692d35f5ba1f33cff4 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 21 May 2025 12:26:46 -0400 Subject: [PATCH 25/47] output --- usr/libexec/security-misc/pam-info | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index d0210d9..d39738d 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -253,7 +253,7 @@ https://www.kicksecure.com/wiki/root#unlock fi printf '%s\n' "\ -$0: WARNING: $failed_login_counter failed login attempts for user_name '$user_name'. +$0: WARNING: $failed_login_counter failed login attempts for account '$user_name'. Login will be blocked after $deny attempts. You have $remaining_attempts more attempts before unlock procedure is required. " >&2 From 92d3a36a0f43615db622c6b0daa7064b8e8ebbbb Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 21 May 2025 12:29:01 -0400 Subject: [PATCH 26/47] fix --- usr/libexec/security-misc/pam-info | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index d39738d..49b959d 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -206,7 +206,7 @@ failed_login_counter=$(( pam_faillock_output_count - 2 )) ## Ensuring failed_login_counter is not set to a negative value. ## https://github.com/Kicksecure/security-misc/pull/305 -if [ "$failed_login_counter" -le "0" ]; then +if [ "$failed_login_counter" -lt "0" ]; then true "$0: WARNING: Failed login counter is negative. Resetting to 0." failed_login_counter=0 fi From aa905fc8875c5c56351f10f4e40e6d2a7dd6d918 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 21 May 2025 12:32:16 -0400 Subject: [PATCH 27/47] further validation of output of `faillock` --- usr/libexec/security-misc/pam-info | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index 49b959d..d0fec69 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -184,6 +184,14 @@ user_name="$(printf '%s\n' "$pam_faillock_output_first_line" | str_replace ":" " ## user ## root +if [ "$PAM_USER" != "$user_name" ]; then + printf '%s\n' "\ +$0: ERROR: Variable 'PAM_USER' '$PAM_USER' does not match variable 'user_name' '$user_name'. +ERROR: Please report this bug. +" >&2 + exit 1 +fi + pam_faillock_output_count="$(printf '%s\n' "$pam_faillock_output" | wc -l)" ## example pam_faillock_output_count: ## 2 From d7643954d184846c8b7fb5eda7200779126274eb Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 21 May 2025 12:33:50 -0400 Subject: [PATCH 28/47] minor --- usr/libexec/security-misc/pam-info | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index d0fec69..f59c3f6 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -242,7 +242,7 @@ ERROR: Please report this bug. exit 0 fi -remaining_attempts="$(( $deny - $failed_login_counter ))" +remaining_attempts="$(( deny - failed_login_counter ))" if [ "$remaining_attempts" -le "0" ]; then printf '%s\n' "\ From f086787464191a07e028dd92649c48b145023858 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 21 May 2025 12:35:23 -0400 Subject: [PATCH 29/47] fix --- usr/libexec/security-misc/pam-info | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index f59c3f6..cb42e48 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -22,6 +22,7 @@ true "$0: START PHASE 2" set -o errexit set -o errtrace set -o pipefail +#set -o nounset error_handler() { exit_code="$?" @@ -198,9 +199,9 @@ pam_faillock_output_count="$(printf '%s\n' "$pam_faillock_output" | wc -l)" ## example pam_faillock_output_count: ## 4 -if [[ "$deny" == *[!0-9]* ]]; then +if [[ "$pam_faillock_output_count" == *[!0-9]* ]]; then printf '%s\n' "\ -$0: ERROR: Variable 'pam_faillock_output_count' is not numeric. pam_faillock_output_count: '$deny' +$0: ERROR: Variable 'pam_faillock_output_count' is not numeric. pam_faillock_output_count: '$pam_faillock_output_count' ERROR: Please report this bug. " >&2 exit 0 From f023651c984c52a997bc241f99f118255cf60809 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 21 May 2025 12:35:37 -0400 Subject: [PATCH 30/47] nounset --- usr/libexec/security-misc/pam-info | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index cb42e48..877b602 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -22,7 +22,7 @@ true "$0: START PHASE 2" set -o errexit set -o errtrace set -o pipefail -#set -o nounset +set -o nounset error_handler() { exit_code="$?" From a969fa350e28ca296966509821a7c62b68f09a5a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 21 May 2025 12:40:27 -0400 Subject: [PATCH 31/47] fix --- usr/libexec/security-misc/pam-info | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index 877b602..3ef81d0 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -46,9 +46,14 @@ https://github.com/rspamd/rspamd/issues/5137" >&2 exit 1 fi +command -v pam_faillock_output &>/dev/null + ## Named constants. pam_faillock_state_dir="/var/lib/security-misc/faillock" +[[ -v PAM_USER ]] || PAM_USER="" +[[ -v SUDO_USER ]] || SUDO_USER="" + ## Debugging. who_ami="$(whoami)" true "$0: who_ami: $who_ami" @@ -72,6 +77,7 @@ if [ ! "$grep_result" = "" ]; then ## https://forums.whonix.org/t/etc-security-hardening-console-lockdown/8592 + console_allowed="" if id --name --groups --zero -- "$PAM_USER" | grep --quiet --null-data --line-regexp --fixed-strings -- "console"; then console_allowed=true fi From 142ea2118989faddafa17db48efed379c4ac3f45 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 21 May 2025 12:42:16 -0400 Subject: [PATCH 32/47] fix --- usr/libexec/security-misc/pam-info | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index 3ef81d0..a42effa 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -46,7 +46,7 @@ https://github.com/rspamd/rspamd/issues/5137" >&2 exit 1 fi -command -v pam_faillock_output &>/dev/null +command -v str_replace &>/dev/null ## Named constants. pam_faillock_state_dir="/var/lib/security-misc/faillock" From ace45d7c95ed6b83c1897f76da5af4a0c97cab10 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 21 May 2025 22:06:02 +0000 Subject: [PATCH 33/47] bumped changelog version --- changelog.upstream | 72 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++ 2 files changed, 78 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 8b19816..fa55e48 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,75 @@ +commit 142ea2118989faddafa17db48efed379c4ac3f45 +Author: Patrick Schleizer +Date: Wed May 21 12:42:16 2025 -0400 + + fix + +commit a969fa350e28ca296966509821a7c62b68f09a5a +Author: Patrick Schleizer +Date: Wed May 21 12:40:27 2025 -0400 + + fix + +commit f023651c984c52a997bc241f99f118255cf60809 +Author: Patrick Schleizer +Date: Wed May 21 12:35:37 2025 -0400 + + nounset + +commit f086787464191a07e028dd92649c48b145023858 +Author: Patrick Schleizer +Date: Wed May 21 12:35:23 2025 -0400 + + fix + +commit d7643954d184846c8b7fb5eda7200779126274eb +Author: Patrick Schleizer +Date: Wed May 21 12:33:50 2025 -0400 + + minor + +commit aa905fc8875c5c56351f10f4e40e6d2a7dd6d918 +Author: Patrick Schleizer +Date: Wed May 21 12:32:16 2025 -0400 + + further validation of output of `faillock` + +commit 92d3a36a0f43615db622c6b0daa7064b8e8ebbbb +Author: Patrick Schleizer +Date: Wed May 21 12:29:01 2025 -0400 + + fix + +commit 2c1abb23e03cfe449347ba692d35f5ba1f33cff4 +Author: Patrick Schleizer +Date: Wed May 21 12:26:46 2025 -0400 + + output + +commit 0801b96ae74256f36dcf8757d0ba8abc66ea0b9b +Author: Patrick Schleizer +Date: Wed May 21 12:25:49 2025 -0400 + + output + +commit ef8515ba82996b137c386eeb91e6f853d58a515f +Author: Patrick Schleizer +Date: Wed May 21 12:23:45 2025 -0400 + + improve error handling + +commit 784867e24b4d6f2899fa9b215ec9e3c4e2fb9d84 +Author: Patrick Schleizer +Date: Wed May 21 12:21:45 2025 -0400 + + fix + +commit 0eea681ce893a259563f8e9d5a2ec9722fbc635d +Author: Patrick Schleizer +Date: Wed May 21 15:52:16 2025 +0000 + + bumped changelog version + commit e1bae1c68aabc424924b6386fe4980d657dc2cdf Author: Patrick Schleizer Date: Wed May 21 11:50:59 2025 -0400 diff --git a/debian/changelog b/debian/changelog index 886323c..4507e57 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:45.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 21 May 2025 22:06:01 +0000 + security-misc (3:45.6-1) unstable; urgency=medium * New upstream version (local package). From abb2207313810966dad381c3a9f637c445a5834d Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 27 May 2025 15:51:50 +0000 Subject: [PATCH 34/47] bumped changelog version --- changelog.upstream | 48 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 54 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index fa55e48..bc31fbb 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,25 @@ +commit 45016146f7c77d383f2254d19dc66ba9b883b8f2 +Merge: ace45d7 395169f +Author: Patrick Schleizer +Date: Tue May 27 11:03:23 2025 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 395169fbce1854bfed727d1784f4e5c0d8e7c6ff +Merge: ace45d7 e14b81b +Author: Patrick Schleizer +Date: Tue May 27 10:58:50 2025 -0400 + + Merge pull request #308 from maybebyte/permission-hardener-speedboost + + perf(permission-hardener): optimize string match + +commit ace45d7c95ed6b83c1897f76da5af4a0c97cab10 +Author: Patrick Schleizer +Date: Wed May 21 22:06:02 2025 +0000 + + bumped changelog version + commit 142ea2118989faddafa17db48efed379c4ac3f45 Author: Patrick Schleizer Date: Wed May 21 12:42:16 2025 -0400 @@ -116,6 +138,32 @@ Date: Wed May 21 06:55:09 2025 -0400 pam-info: fix, consistently write errors and warnings to stderr +commit e14b81b15e479afbc4820a2b9bb60f3cf65bfb12 +Author: Ashlen +Date: Tue May 20 21:34:03 2025 -0600 + + perf(permission-hardener): optimize string match + + Replace subprocess grep calls with bash substring matching in + check_nosuid_whitelist function. This eliminates ~10k unneeded + subprocess spawns that were causing significant performance + degradation. + + In testing, it improves overall script execution speed by an + order of magnitude: + + Before patch: + $ sudo hyperfine -- './permission-hardener enable' + Benchmark 1: ./permission-hardener enable + Time (mean ± σ): 11.906 s ± 0.974 s [User: 3.639 s, System: 8.728 s] + Range (min … max): 10.430 s … 14.090 s 10 runs + + After patch: + $ sudo hyperfine -- './permission-hardener enable' + Benchmark 1: ./permission-hardener enable + Time (mean ± σ): 802.8 ms ± 178.5 ms [User: 283.0 ms, System: 471.9 ms] + Range (min … max): 639.4 ms … 1092.3 ms 10 runs + commit 19d7e1af5d7acf6eb3a20fe3ebf5f14cef041f92 Author: Patrick Schleizer Date: Tue May 20 11:40:27 2025 +0000 diff --git a/debian/changelog b/debian/changelog index 4507e57..d86926c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:45.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 27 May 2025 15:51:50 +0000 + security-misc (3:45.7-1) unstable; urgency=medium * New upstream version (local package). From 5195977be474e29a29b6392306e909e9f2d05ada Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 27 May 2025 11:57:21 -0400 Subject: [PATCH 35/47] protect against grep pipefail --- usr/bin/permission-hardener | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index b871fdc..2d9a729 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -626,7 +626,7 @@ commit_policy() { else if ! capsh --print \ | grep --fixed-strings -- "Bounding set" \ - | grep --quiet -- "${policy_capability_item}"; then + | grep -- "${policy_capability_item}" >/dev/null; then log error \ "Capability from config does not exist: '${policy_capability_item}'" \ >&2 From e96677486201ebddc145af7962ad5e89f6fa253b Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 27 May 2025 19:41:25 +0000 Subject: [PATCH 36/47] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index bc31fbb..51fb35c 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit 5195977be474e29a29b6392306e909e9f2d05ada +Author: Patrick Schleizer +Date: Tue May 27 11:57:21 2025 -0400 + + protect against grep pipefail + +commit abb2207313810966dad381c3a9f637c445a5834d +Author: Patrick Schleizer +Date: Tue May 27 15:51:50 2025 +0000 + + bumped changelog version + commit 45016146f7c77d383f2254d19dc66ba9b883b8f2 Merge: ace45d7 395169f Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index d86926c..5a1e957 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:45.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 27 May 2025 19:41:25 +0000 + security-misc (3:45.8-1) unstable; urgency=medium * New upstream version (local package). From 3559bc86b7aed8122ff7996ce0ab4a65bdaf05c0 Mon Sep 17 00:00:00 2001 From: Ashlen Date: Tue, 27 May 2025 15:32:41 -0600 Subject: [PATCH 37/47] fix(permission-hardener): ssh-agent gets 2755 perms Change from exactwhitelist to matchwhitelist. Discussion revealed that there's a good reason to leave setgid in here, which is essentially defense-in-depth (sometimes users may want to revert Kicksecure's default of kernel.yama.ptrace_scope=2, e.g. to debug a program, and Kicksecure should not be less secure than vanilla Debian in that situation). --- .../25_default_whitelist_ssh.conf | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf b/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf index 767cd08..2b55bd2 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf @@ -8,14 +8,9 @@ ## Used for SSH client key management ## https://manpages.debian.org/bookworm/openssh-client/ssh-agent.1.en.html ## Debian installs ssh-agent with setgid permissions (2755) and with -## _ssh as the group to prevent ptrace attacks that could extract -## private keys from the agent's memory. However, as Kicksecure makes use -## of kernel.yama.ptrace_scope=2 by default, this is not a concern. -## -## ssh-agent is often run under non-root users, so 755 permissions make -## sense here to avoid breakage. -/usr/bin/ssh-agent exactwhitelist -/usr/bin/ssh-agent 755 root root +## _ssh as the group to help mitigate ptrace attacks that could extract +## private keys from the agent's memory. +ssh-agent matchwhitelist ## Used only for SSH host-based authentication ## https://linux.die.net/man/8/ssh-keysign From d5edc243ac2db861f1600d3906a02494eaf9a824 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 28 May 2025 12:12:00 +0000 Subject: [PATCH 38/47] bumped changelog version --- changelog.upstream | 77 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++ 2 files changed, 83 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 51fb35c..253259a 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,52 @@ +commit eda1d0aef640af1ea73c72d6caa876733de4e5a0 +Merge: e966774 5a10ad0 +Author: Patrick Schleizer +Date: Wed May 28 07:22:16 2025 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 5a10ad031d67acc8fa4c16f9e2db191bde559caa +Merge: e966774 3559bc8 +Author: Patrick Schleizer +Date: Wed May 28 07:21:31 2025 -0400 + + Merge pull request #307 from maybebyte/ssh-agent-to-allowlist + + fix(permission-hardener): ssh-agent gets 2755 perms + +commit 3559bc86b7aed8122ff7996ce0ab4a65bdaf05c0 +Author: Ashlen +Date: Tue May 27 15:32:41 2025 -0600 + + fix(permission-hardener): ssh-agent gets 2755 perms + + Change from exactwhitelist to matchwhitelist. Discussion revealed that + there's a good reason to leave setgid in here, which is essentially + defense-in-depth (sometimes users may want to revert Kicksecure's + default of kernel.yama.ptrace_scope=2, e.g. to debug a program, and + Kicksecure should not be less secure than vanilla Debian in that + situation). + +commit c59b2e4bc53cad4c9cc90ddd5abaca0705ccff90 +Merge: 017ee29 e966774 +Author: maybebyte <99762926+maybebyte@users.noreply.github.com> +Date: Tue May 27 20:33:07 2025 +0000 + + Merge branch 'Kicksecure:master' into ssh-agent-to-allowlist + +commit e96677486201ebddc145af7962ad5e89f6fa253b +Author: Patrick Schleizer +Date: Tue May 27 19:41:25 2025 +0000 + + bumped changelog version + +commit 017ee29eb39d84edc89f128a633a619cad852241 +Merge: 7a079c3 abb2207 +Author: maybebyte <99762926+maybebyte@users.noreply.github.com> +Date: Tue May 27 18:25:47 2025 +0000 + + Merge branch 'Kicksecure:master' into ssh-agent-to-allowlist + commit 5195977be474e29a29b6392306e909e9f2d05ada Author: Patrick Schleizer Date: Tue May 27 11:57:21 2025 -0400 @@ -176,6 +225,34 @@ Date: Tue May 20 21:34:03 2025 -0600 Time (mean ± σ): 802.8 ms ± 178.5 ms [User: 283.0 ms, System: 471.9 ms] Range (min … max): 639.4 ms … 1092.3 ms 10 runs +commit 7a079c3de8bd8b4e026a1bd1b932a04610a1e386 +Author: Ashlen +Date: Tue May 20 18:41:48 2025 -0600 + + fix(permission-hardener): add exactwhitelist here + + Without this, the permissions for ssh-agent won't be changed properly. + +commit 94dc9da4ab8fb93760dbb3b325bdeaa155e492cb +Author: Ashlen +Date: Tue May 20 17:07:51 2025 -0600 + + fix(permission-hardener): ssh-agent gets 755 perms + + Replace the commented-out matchwhitelist entry for ssh-agent with an + explicit permission entry (755) for /usr/bin/ssh-agent. + + When ssh-agent's matchwhitelist entry was commented out in commit + 7a5f8b87af, permission-hardener began resetting it to restrictive + defaults (744), preventing non-root users from executing ssh-agent. This + broke split SSH functionality in Qubes OS for me because I was using + Kicksecure in the vault qube, and ssh-agent runs under a non-root user in + that configuration (see https://forum.qubes-os.org/t/split-ssh/19060). + + As noted in the comment, Debian installs with 2755 permissions as a way + to mitigate ptrace attacks, but this rationale doesn't apply due to + kernel.yama.ptrace_scope=2 being set in Kicksecure. + commit 19d7e1af5d7acf6eb3a20fe3ebf5f14cef041f92 Author: Patrick Schleizer Date: Tue May 20 11:40:27 2025 +0000 diff --git a/debian/changelog b/debian/changelog index 5a1e957..2f1be9f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:46.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 28 May 2025 12:12:00 +0000 + security-misc (3:45.9-1) unstable; urgency=medium * New upstream version (local package). From 3e102df76583a14b5efc18238aefbf539ab0d8a1 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 28 May 2025 08:37:03 -0400 Subject: [PATCH 39/47] fix --- usr/libexec/security-misc/pam-info | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index a42effa..6d772ca 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -111,6 +111,7 @@ if [ "$PAM_USER" = 'sysmaint' ]; then fi fi +kernel_cmdline="" if test -f /proc/cmdline; then kernel_cmdline="$(cat -- /proc/cmdline)" fi From 5159de63438e8c1274658e7175a80fb693d6554a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 28 May 2025 13:48:11 +0000 Subject: [PATCH 40/47] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 253259a..01216c3 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit 3e102df76583a14b5efc18238aefbf539ab0d8a1 +Author: Patrick Schleizer +Date: Wed May 28 08:37:03 2025 -0400 + + fix + +commit d5edc243ac2db861f1600d3906a02494eaf9a824 +Author: Patrick Schleizer +Date: Wed May 28 12:12:00 2025 +0000 + + bumped changelog version + commit eda1d0aef640af1ea73c72d6caa876733de4e5a0 Merge: e966774 5a10ad0 Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index 2f1be9f..152c289 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:46.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 28 May 2025 13:48:11 +0000 + security-misc (3:46.0-1) unstable; urgency=medium * New upstream version (local package). From dd0b55cc45f9ccd64d0075ba37ab6a4723d94a02 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Tue, 3 Jun 2025 12:32:17 +1000 Subject: [PATCH 41/47] Add reference --- usr/lib/sysctl.d/990-security-misc.conf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 3b2e38c..9d4f3eb 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -360,6 +360,8 @@ kernel.core_pattern=|/bin/false ## Prevent setuid processes or otherwise protected/tainted binaries from creating core dumps. ## Any process which has changed privilege levels or is execute-only will not be dumped. ## +## https://blog.qualys.com/vulnerabilities-threat-research/2025/05/29/qualys-tru-discovers-two-local-information-disclosure-vulnerabilities-in-apport-and-systemd-coredump-cve-2025-5054-and-cve-2025-4598 +## ## KSPP=yes ## KSPP sets the sysctl. ## From 72613203b9692d1098b13ff98119499a5a30a6da Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Fri, 6 Jun 2025 13:07:52 +0000 Subject: [PATCH 42/47] Add reference --- README.md | 2 +- etc/default/grub.d/40_cpu_mitigations.cfg | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 628f732..ab0c69a 100644 --- a/README.md +++ b/README.md @@ -143,7 +143,7 @@ and simultaneous multithreading (SMT) is disabled. See the Note, to achieve complete protection for known CPU vulnerabilities, the latest security microcode (BIOS/UEFI) updates must be installed on the system. Furthermore, if using Secure Boot, the Secure Boot Forbidden Signature Database (DBX) must be kept -up to date through [UEFI Revocation List](https://uefi.org/revocationlistfile) updates. +up to date through [UEFI Revocation List](https://github.com/microsoft/secureboot_objects) updates. CPU mitigations: diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index 9b29760..efc9e5e 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg @@ -30,6 +30,7 @@ ## The UEFI Revocation List contains signatures of now revoked firmware and software used in booting systems. ## If using compatible hardware, the database can be updated directly in user space using fwupd. ## Note that incorrectly performing DBX updates can potentially lead to serious functionality issues. +## https://github.com/microsoft/secureboot_objects ## https://uefi.org/revocationlistfile ## https://github.com/fwupd/fwupd From 109c0134677d991c449aa009773cb22babeee8db Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Thu, 12 Jun 2025 01:08:34 -0500 Subject: [PATCH 43/47] Add comment related to approx package caching proxy --- usr/libexec/security-misc/permission-lockdown | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/libexec/security-misc/permission-lockdown b/usr/libexec/security-misc/permission-lockdown index 31aaee4..19fbe89 100755 --- a/usr/libexec/security-misc/permission-lockdown +++ b/usr/libexec/security-misc/permission-lockdown @@ -25,6 +25,7 @@ # /usr/libexec/security-misc/permission-lockdown: user: stunnel4 | chmod o-rwx "/var/run/stunnel4" # /usr/libexec/security-misc/permission-lockdown: user: iodine | chmod o-rwx "/var/run/iodine" # /usr/libexec/security-misc/permission-lockdown: user: apt-cacher-ng | chmod o-rwx "/var/cache/apt-cacher-ng" +# /usr/libexec/security-misc/permission-lockdown: user: approx | chmod o-rwx "/var/cache/approx" # /usr/libexec/security-misc/permission-lockdown: user: statd | chmod o-rwx "/var/lib/nfs" # /usr/libexec/security-misc/permission-lockdown: user: timidity | chmod o-rwx "/etc/timidity" # /usr/libexec/security-misc/permission-lockdown: user: uuidd | chmod o-rwx "/run/uuidd" From 115b6f6aa2a4d00ad5690c2c0889e142540c01ca Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 14 Jun 2025 11:51:44 +0000 Subject: [PATCH 44/47] bumped changelog version --- changelog.upstream | 19 +++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 25 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 01216c3..b1f95a9 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,22 @@ +commit 4639d1aab572bb4ad751bd1da5b936b9d73d3264 +Merge: 5159de6 109c013 +Author: Patrick Schleizer +Date: Fri Jun 13 15:09:52 2025 -0400 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/approx' + +commit 109c0134677d991c449aa009773cb22babeee8db +Author: Aaron Rainbolt +Date: Thu Jun 12 01:08:34 2025 -0500 + + Add comment related to approx package caching proxy + +commit 5159de63438e8c1274658e7175a80fb693d6554a +Author: Patrick Schleizer +Date: Wed May 28 13:48:11 2025 +0000 + + bumped changelog version + commit 3e102df76583a14b5efc18238aefbf539ab0d8a1 Author: Patrick Schleizer Date: Wed May 28 08:37:03 2025 -0400 diff --git a/debian/changelog b/debian/changelog index 152c289..6f6d1ad 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:46.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 14 Jun 2025 11:51:44 +0000 + security-misc (3:46.1-1) unstable; urgency=medium * New upstream version (local package). From e3c451917931aa4e63056fb03470c203694d399f Mon Sep 17 00:00:00 2001 From: Kevin Agwaze <7119346+RebornRider@users.noreply.github.com> Date: Mon, 16 Jun 2025 10:35:16 +0100 Subject: [PATCH 45/47] remove misleading TemporaryTimeout=0 in Bluetooth config --- etc/bluetooth/30_security-misc.conf | 5 ----- 1 file changed, 5 deletions(-) diff --git a/etc/bluetooth/30_security-misc.conf b/etc/bluetooth/30_security-misc.conf index 91ce2d3..8de8384 100644 --- a/etc/bluetooth/30_security-misc.conf +++ b/etc/bluetooth/30_security-misc.conf @@ -16,11 +16,6 @@ DiscoverableTimeout = 30 # Default=0 (unlimited) MaxControllers=1 -# How long to keep temporary devices around -# The value is in seconds. Default is 30. -# 0 = disable timer, i.e. never keep temporary devices -TemporaryTimeout = 0 - [Policy] # AutoEnable defines option to enable all controllers when they are found. # This includes adapters present on start as well as adapters that are plugged From 4314b1e85bd5495832b4398bdbd358c41703dcc9 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Tue, 1 Jul 2025 13:36:39 +1000 Subject: [PATCH 46/47] Add comment --- usr/lib/sysctl.d/990-security-misc.conf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 9d4f3eb..eaa671e 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -477,6 +477,9 @@ net.ipv4.conf.*.arp_filter=1 ## https://github.com/mullvad/mullvadvpn-app/pull/7141 ## https://www.x41-dsec.de/static/reports/X41-Mullvad-Audit-Public-Report-2024-12-10.pdf ## +## Can lead to breakages with certain VM configurations that may be resolved by lowering protection to `arp_ignore=1`. +## https://github.com/Kicksecure/security-misc/pull/290 +## net.ipv4.conf.*.arp_ignore=2 ## Drop gratuitous ARP (Address Resolution Protocol) packets. From e3ce9c38c5b241f789945de7229c0ee15fa0a266 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 2 Jul 2025 20:52:17 +0000 Subject: [PATCH 47/47] bumped changelog version --- changelog.upstream | 81 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++ 2 files changed, 87 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index b1f95a9..fb9687f 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,53 @@ +commit b06fb5428051518390439ce95c9d6894e6338951 +Merge: 115b6f6 468cf40 +Author: Patrick Schleizer +Date: Wed Jul 2 13:47:12 2025 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 468cf40e2a216625d02066b609b0991e37c50ebc +Merge: 865a052 bb208fb +Author: Patrick Schleizer +Date: Wed Jul 2 13:45:28 2025 -0400 + + Merge pull request #306 from raja-grewal/erst + + Set `erst_disable` + +commit 865a052bf47f28c0084b2bbd51e3c606df9eda96 +Merge: 115b6f6 e3c4519 +Author: Patrick Schleizer +Date: Wed Jul 2 13:44:17 2025 -0400 + + Merge pull request #309 from RebornRider/patch-1 + + remove TemporaryTimeout=0 in Bluetooth config + +commit bb208fb134fe25fc3539494f331072a851369064 +Merge: 4314b1e 115b6f6 +Author: raja-grewal +Date: Wed Jul 2 11:35:50 2025 +1000 + + Merge branch 'Kicksecure:master' into erst + +commit 4314b1e85bd5495832b4398bdbd358c41703dcc9 +Author: raja-grewal +Date: Tue Jul 1 13:36:39 2025 +1000 + + Add comment + +commit e3c451917931aa4e63056fb03470c203694d399f +Author: Kevin Agwaze <7119346+RebornRider@users.noreply.github.com> +Date: Mon Jun 16 10:35:16 2025 +0100 + + remove misleading TemporaryTimeout=0 in Bluetooth config + +commit 115b6f6aa2a4d00ad5690c2c0889e142540c01ca +Author: Patrick Schleizer +Date: Sat Jun 14 11:51:44 2025 +0000 + + bumped changelog version + commit 4639d1aab572bb4ad751bd1da5b936b9d73d3264 Merge: 5159de6 109c013 Author: Patrick Schleizer @@ -11,6 +61,18 @@ Date: Thu Jun 12 01:08:34 2025 -0500 Add comment related to approx package caching proxy +commit 72613203b9692d1098b13ff98119499a5a30a6da +Author: raja-grewal +Date: Fri Jun 6 13:07:52 2025 +0000 + + Add reference + +commit dd0b55cc45f9ccd64d0075ba37ab6a4723d94a02 +Author: raja-grewal +Date: Tue Jun 3 12:32:17 2025 +1000 + + Add reference + commit 5159de63438e8c1274658e7175a80fb693d6554a Author: Patrick Schleizer Date: Wed May 28 13:48:11 2025 +0000 @@ -106,6 +168,13 @@ Date: Tue May 27 10:58:50 2025 -0400 perf(permission-hardener): optimize string match +commit 1c353032046f556bb11c32506019310c9f6d47c0 +Merge: 35fa32e ace45d7 +Author: raja-grewal +Date: Fri May 23 20:20:19 2025 +1000 + + Merge branch 'Kicksecure:master' into erst + commit ace45d7c95ed6b83c1897f76da5af4a0c97cab10 Author: Patrick Schleizer Date: Wed May 21 22:06:02 2025 +0000 @@ -336,6 +405,18 @@ Date: Sun May 18 06:35:23 2025 -0400 Prevent erroneous "Login blocked after [negative number] attempts" errors +commit 35fa32e4ed6333f3ab87d09828f13155aa1e7a72 +Author: raja-grewal +Date: Sat May 17 15:06:49 2025 +1000 + + Reword + +commit a1bde21ccb475fc21a084559dbe766f6315d9287 +Author: raja-grewal +Date: Sat May 17 04:41:06 2025 +0000 + + Set `erst_disable` + commit 91a76db66bb496ba4650ada38df31636297738cf Author: DMHalford <161769419+DMHalford@users.noreply.github.com> Date: Thu May 15 15:42:50 2025 -0400 diff --git a/debian/changelog b/debian/changelog index 6f6d1ad..63a49d9 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:46.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 02 Jul 2025 20:52:17 +0000 + security-misc (3:46.2-1) unstable; urgency=medium * New upstream version (local package).