Merge branch 'master' into arraybolt3/emerg-shutdown

2025-08-08 01:52:19 -04:00 · 2025-07-13 15:21:34 -05:00 · 2025-07-13 15:21:34 -05:00 · 2a7071055f
commit 2a7071055f
parent f3d46ee562 e3ce9c38c5
14 changed files with 638 additions and 42 deletions
--- a/README.md
+++ b/README.md
@ -143,7 +143,7 @@ and simultaneous multithreading (SMT) is disabled. See the
 Note, to achieve complete protection for known CPU vulnerabilities, the latest
 security microcode (BIOS/UEFI) updates must be installed on the system. Furthermore,
 if using Secure Boot, the Secure Boot Forbidden Signature Database (DBX) must be kept
-up to date through [UEFI Revocation List](https://uefi.org/revocationlistfile) updates.
+up to date through [UEFI Revocation List](https://github.com/microsoft/secureboot_objects) updates.
 CPU mitigations:
@ -226,8 +226,8 @@ Kernel space:
 - Optional - Disable support for all x86 processes and syscalls (when using Linux kernel >= 6.7)
  to reduce attack surface.
- Disable EFI persistent storage feature, preventing the kernel from writing crash logs and
+- Disable the EFI persistent storage feature which prevents the kernel from writing crash logs
-  other persistent data to the EFI variable store.
+  and other persistent data to either the UEFI variable storage or ACPI ERST backends.
 Direct memory access:
--- a/changelog.upstream
+++ b/changelog.upstream
@ -1,3 +1,456 @@
 commit b06fb5428051518390439ce95c9d6894e6338951
 Merge: 115b6f6 468cf40
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Wed Jul 2 13:47:12 2025 -0400
    Merge remote-tracking branch 'github-kicksecure/master'
 commit 468cf40e2a216625d02066b609b0991e37c50ebc
 Merge: 865a052 bb208fb
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Wed Jul 2 13:45:28 2025 -0400
    Merge pull request #306 from raja-grewal/erst
    Set `erst_disable`
 commit 865a052bf47f28c0084b2bbd51e3c606df9eda96
 Merge: 115b6f6 e3c4519
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Wed Jul 2 13:44:17 2025 -0400
    Merge pull request #309 from RebornRider/patch-1
    remove  TemporaryTimeout=0 in Bluetooth config
 commit bb208fb134fe25fc3539494f331072a851369064
 Merge: 4314b1e 115b6f6
 Author: raja-grewal <rg_public@proton.me>
 Date:   Wed Jul 2 11:35:50 2025 +1000
    Merge branch 'Kicksecure:master' into erst
 commit 4314b1e85bd5495832b4398bdbd358c41703dcc9
 Author: raja-grewal <rg_public@proton.me>
 Date:   Tue Jul 1 13:36:39 2025 +1000
    Add comment
 commit e3c451917931aa4e63056fb03470c203694d399f
 Author: Kevin Agwaze <7119346+RebornRider@users.noreply.github.com>
 Date:   Mon Jun 16 10:35:16 2025 +0100
    remove misleading TemporaryTimeout=0 in Bluetooth config
 commit 115b6f6aa2a4d00ad5690c2c0889e142540c01ca
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Sat Jun 14 11:51:44 2025 +0000
    bumped changelog version
 commit 4639d1aab572bb4ad751bd1da5b936b9d73d3264
 Merge: 5159de6 109c013
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Fri Jun 13 15:09:52 2025 -0400
    Merge remote-tracking branch 'ArrayBolt3/arraybolt3/approx'
 commit 109c0134677d991c449aa009773cb22babeee8db
 Author: Aaron Rainbolt <arraybolt3@ubuntu.com>
 Date:   Thu Jun 12 01:08:34 2025 -0500
    Add comment related to approx package caching proxy
 commit 72613203b9692d1098b13ff98119499a5a30a6da
 Author: raja-grewal <rg_public@proton.me>
 Date:   Fri Jun 6 13:07:52 2025 +0000
    Add reference
 commit dd0b55cc45f9ccd64d0075ba37ab6a4723d94a02
 Author: raja-grewal <rg_public@proton.me>
 Date:   Tue Jun 3 12:32:17 2025 +1000
    Add reference
 commit 5159de63438e8c1274658e7175a80fb693d6554a
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Wed May 28 13:48:11 2025 +0000
    bumped changelog version
 commit 3e102df76583a14b5efc18238aefbf539ab0d8a1
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Wed May 28 08:37:03 2025 -0400
    fix
 commit d5edc243ac2db861f1600d3906a02494eaf9a824
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Wed May 28 12:12:00 2025 +0000
    bumped changelog version
 commit eda1d0aef640af1ea73c72d6caa876733de4e5a0
 Merge: e966774 5a10ad0
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Wed May 28 07:22:16 2025 -0400
    Merge remote-tracking branch 'github-kicksecure/master'
 commit 5a10ad031d67acc8fa4c16f9e2db191bde559caa
 Merge: e966774 3559bc8
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Wed May 28 07:21:31 2025 -0400
    Merge pull request #307 from maybebyte/ssh-agent-to-allowlist
    fix(permission-hardener): ssh-agent gets 2755 perms
 commit 3559bc86b7aed8122ff7996ce0ab4a65bdaf05c0
 Author: Ashlen <dev@anthes.is>
 Date:   Tue May 27 15:32:41 2025 -0600
    fix(permission-hardener): ssh-agent gets 2755 perms
    Change from exactwhitelist to matchwhitelist. Discussion revealed that
    there's a good reason to leave setgid in here, which is essentially
    defense-in-depth (sometimes users may want to revert Kicksecure's
    default of kernel.yama.ptrace_scope=2, e.g. to debug a program, and
    Kicksecure should not be less secure than vanilla Debian in that
    situation).
 commit c59b2e4bc53cad4c9cc90ddd5abaca0705ccff90
 Merge: 017ee29 e966774
 Author: maybebyte <99762926+maybebyte@users.noreply.github.com>
 Date:   Tue May 27 20:33:07 2025 +0000
    Merge branch 'Kicksecure:master' into ssh-agent-to-allowlist
 commit e96677486201ebddc145af7962ad5e89f6fa253b
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Tue May 27 19:41:25 2025 +0000
    bumped changelog version
 commit 017ee29eb39d84edc89f128a633a619cad852241
 Merge: 7a079c3 abb2207
 Author: maybebyte <99762926+maybebyte@users.noreply.github.com>
 Date:   Tue May 27 18:25:47 2025 +0000
    Merge branch 'Kicksecure:master' into ssh-agent-to-allowlist
 commit 5195977be474e29a29b6392306e909e9f2d05ada
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Tue May 27 11:57:21 2025 -0400
    protect against grep pipefail
 commit abb2207313810966dad381c3a9f637c445a5834d
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Tue May 27 15:51:50 2025 +0000
    bumped changelog version
 commit 45016146f7c77d383f2254d19dc66ba9b883b8f2
 Merge: ace45d7 395169f
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Tue May 27 11:03:23 2025 -0400
    Merge remote-tracking branch 'github-kicksecure/master'
 commit 395169fbce1854bfed727d1784f4e5c0d8e7c6ff
 Merge: ace45d7 e14b81b
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Tue May 27 10:58:50 2025 -0400
    Merge pull request #308 from maybebyte/permission-hardener-speedboost
    perf(permission-hardener): optimize string match
 commit 1c353032046f556bb11c32506019310c9f6d47c0
 Merge: 35fa32e ace45d7
 Author: raja-grewal <rg_public@proton.me>
 Date:   Fri May 23 20:20:19 2025 +1000
    Merge branch 'Kicksecure:master' into erst
 commit ace45d7c95ed6b83c1897f76da5af4a0c97cab10
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Wed May 21 22:06:02 2025 +0000
    bumped changelog version
 commit 142ea2118989faddafa17db48efed379c4ac3f45
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Wed May 21 12:42:16 2025 -0400
    fix
 commit a969fa350e28ca296966509821a7c62b68f09a5a
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Wed May 21 12:40:27 2025 -0400
    fix
 commit f023651c984c52a997bc241f99f118255cf60809
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Wed May 21 12:35:37 2025 -0400
    nounset
 commit f086787464191a07e028dd92649c48b145023858
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Wed May 21 12:35:23 2025 -0400
    fix
 commit d7643954d184846c8b7fb5eda7200779126274eb
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Wed May 21 12:33:50 2025 -0400
    minor
 commit aa905fc8875c5c56351f10f4e40e6d2a7dd6d918
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Wed May 21 12:32:16 2025 -0400
    further validation of output of `faillock`
 commit 92d3a36a0f43615db622c6b0daa7064b8e8ebbbb
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Wed May 21 12:29:01 2025 -0400
    fix
 commit 2c1abb23e03cfe449347ba692d35f5ba1f33cff4
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Wed May 21 12:26:46 2025 -0400
    output
 commit 0801b96ae74256f36dcf8757d0ba8abc66ea0b9b
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Wed May 21 12:25:49 2025 -0400
    output
 commit ef8515ba82996b137c386eeb91e6f853d58a515f
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Wed May 21 12:23:45 2025 -0400
    improve error handling
 commit 784867e24b4d6f2899fa9b215ec9e3c4e2fb9d84
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Wed May 21 12:21:45 2025 -0400
    fix
 commit 0eea681ce893a259563f8e9d5a2ec9722fbc635d
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Wed May 21 15:52:16 2025 +0000
    bumped changelog version
 commit e1bae1c68aabc424924b6386fe4980d657dc2cdf
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Wed May 21 11:50:59 2025 -0400
    fix
 commit bd01a683054b1f7d5a5f6cc4848da73b1b1ef5ff
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Wed May 21 13:58:18 2025 +0000
    bumped changelog version
 commit 14cf205579ff65fa765d7574e5d0e301a30a1904
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Wed May 21 08:36:16 2025 -0400
    fix
 commit ff6bc5d5b6097bcdddd8e66c2541106c2cbabbaf
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Wed May 21 11:23:39 2025 +0000
    bumped changelog version
 commit 353b6e83c55d52b47a2a35063406324cec7237c4
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Wed May 21 07:20:13 2025 -0400
    test that `wc` is functional
    https://github.com/Kicksecure/security-misc/pull/305#issuecomment-2892378246
 commit 5930e270521e0e5d6a0a3877c813accbf5253051
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Wed May 21 07:05:25 2025 -0400
    pam-info: improve error handling
    https://github.com/Kicksecure/security-misc/pull/305#issuecomment-2892378246
 commit 5c981e0891ef009c5c2355f5f6383aca22c45638
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Wed May 21 06:55:09 2025 -0400
    pam-info: fix, consistently write errors and warnings to stderr
 commit e14b81b15e479afbc4820a2b9bb60f3cf65bfb12
 Author: Ashlen <dev@anthes.is>
 Date:   Tue May 20 21:34:03 2025 -0600
    perf(permission-hardener): optimize string match
    Replace subprocess grep calls with bash substring matching in
    check_nosuid_whitelist function. This eliminates ~10k unneeded
    subprocess spawns that were causing significant performance
    degradation.
    In testing, it improves overall script execution speed by an
    order of magnitude:
    Before patch:
    $ sudo hyperfine -- './permission-hardener enable'
    Benchmark 1: ./permission-hardener enable
      Time (mean ± σ):     11.906 s ±  0.974 s    [User: 3.639 s, System: 8.728 s]
      Range (min … max):   10.430 s … 14.090 s    10 runs
    After patch:
    $ sudo hyperfine -- './permission-hardener enable'
    Benchmark 1: ./permission-hardener enable
      Time (mean ± σ):     802.8 ms ± 178.5 ms    [User: 283.0 ms, System: 471.9 ms]
      Range (min … max):   639.4 ms … 1092.3 ms    10 runs
 commit 7a079c3de8bd8b4e026a1bd1b932a04610a1e386
 Author: Ashlen <dev@anthes.is>
 Date:   Tue May 20 18:41:48 2025 -0600
    fix(permission-hardener): add exactwhitelist here
    Without this, the permissions for ssh-agent won't be changed properly.
 commit 94dc9da4ab8fb93760dbb3b325bdeaa155e492cb
 Author: Ashlen <dev@anthes.is>
 Date:   Tue May 20 17:07:51 2025 -0600
    fix(permission-hardener): ssh-agent gets 755 perms
    Replace the commented-out matchwhitelist entry for ssh-agent with an
    explicit permission entry (755) for /usr/bin/ssh-agent.
    When ssh-agent's matchwhitelist entry was commented out in commit
    7a5f8b87af, permission-hardener began resetting it to restrictive
    defaults (744), preventing non-root users from executing ssh-agent. This
    broke split SSH functionality in Qubes OS for me because I was using
    Kicksecure in the vault qube, and ssh-agent runs under a non-root user in
    that configuration (see https://forum.qubes-os.org/t/split-ssh/19060).
    As noted in the comment, Debian installs with 2755 permissions as a way
    to mitigate ptrace attacks, but this rationale doesn't apply due to
    kernel.yama.ptrace_scope=2 being set in Kicksecure.
 commit 19d7e1af5d7acf6eb3a20fe3ebf5f14cef041f92
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Tue May 20 11:40:27 2025 +0000
    bumped changelog version
 commit 405880e63b92319626332d083a6c5ad5101dbf77
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Sun May 18 06:44:42 2025 -0400
    handle case of non-existence of /proc/cmdline
 commit 88235cc97b8b54f3fe78d6ad76f64326e8b53f3e
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Sun May 18 06:44:04 2025 -0400
    refactoring
 commit 601ea77b005d18b57a85e0701f3981edd61b7881
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Sun May 18 06:42:39 2025 -0400
    end-of-options
 commit d8feca12768441b0499ead7cc9f9bce4e89b1edf
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Sun May 18 06:41:41 2025 -0400
    printf
 commit 7f2ba0980d17360fc014c6a412fc4ee57e1032fd
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Sun May 18 06:40:50 2025 -0400
    refactoring
 commit 4d1f8c44d28895587abce586ed5b2fe354544f6a
 Merge: 341dce3 e478750
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Sun May 18 06:36:08 2025 -0400
    Merge remote-tracking branch 'github-kicksecure/master'
 commit e478750814798f3d9aa60354b6cecbb84769ed53
 Merge: 341dce3 91a76db
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Sun May 18 06:35:23 2025 -0400
    Merge pull request #305 from DMHalford/pam-info-failed_login_counter-fix
    Prevent erroneous "Login blocked after [negative number] attempts" errors
 commit 35fa32e4ed6333f3ab87d09828f13155aa1e7a72
 Author: raja-grewal <rg_public@proton.me>
 Date:   Sat May 17 15:06:49 2025 +1000
    Reword
 commit a1bde21ccb475fc21a084559dbe766f6315d9287
 Author: raja-grewal <rg_public@proton.me>
 Date:   Sat May 17 04:41:06 2025 +0000
    Set `erst_disable`
 commit 91a76db66bb496ba4650ada38df31636297738cf
 Author: DMHalford <161769419+DMHalford@users.noreply.github.com>
 Date:   Thu May 15 15:42:50 2025 -0400
    Prevent erroneous "Login blocked after [negative number] attempts" errors
    For root, faillock appears to always* return an empty string (i.e. no table headers are present), yielding a zero-initialized pam_faillock_output_count and thus resulting in the calculation of a negative failed_login_counter value.
    This can cause erroneous errors of the form "ERROR: Login blocked after [negative number] attempts" during sudo-ing and screen unlocking.
    This commit modifies the initialization of failed_login_counter such that it cannot be negative and prevents the display of these incorrect warnings.
    * Only rudimentary local tests were conducted
 commit 6c3be9ced071e73e78451c82e8def9c5a5b02598
 Author: DMHalford <161769419+DMHalford@users.noreply.github.com>
 Date:   Thu May 15 15:06:10 2025 -0400
    Prevent erroneous "Login blocked after [negative number] attempts" errors
    For root, faillock appears to always* return an empty string (i.e. no table headers are present), yielding a zero-initialized pam_faillock_output_count and thus resulting in the calculation of a negative failed_login_counter value.
    This can cause erroneous errors of the form "ERROR: Login blocked after [negative number] attempts" during sudo-ing and screen unlocking.
    This commit modifies the initialization of failed_login_counter such that it cannot be negative and prevents the display of these incorrect warnings.
    * Only rudimentary tests were conducted
 commit 341dce33fb806ab03822470e6af91604662c22dd
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Fri Apr 25 09:54:23 2025 +0000
    bumped changelog version
 commit 06e1e44b0039807baa862102b12fc5e199c3ccb3
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Fri Apr 25 05:51:21 2025 -0400
--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,69 @@
 security-misc (3:46.3-1) unstable; urgency=medium
  * New upstream version (local package).
 -- Patrick Schleizer <adrelanos@whonix.org>  Wed, 02 Jul 2025 20:52:17 +0000
 security-misc (3:46.2-1) unstable; urgency=medium
  * New upstream version (local package).
 -- Patrick Schleizer <adrelanos@whonix.org>  Sat, 14 Jun 2025 11:51:44 +0000
 security-misc (3:46.1-1) unstable; urgency=medium
  * New upstream version (local package).
 -- Patrick Schleizer <adrelanos@whonix.org>  Wed, 28 May 2025 13:48:11 +0000
 security-misc (3:46.0-1) unstable; urgency=medium
  * New upstream version (local package).
 -- Patrick Schleizer <adrelanos@whonix.org>  Wed, 28 May 2025 12:12:00 +0000
 security-misc (3:45.9-1) unstable; urgency=medium
  * New upstream version (local package).
 -- Patrick Schleizer <adrelanos@whonix.org>  Tue, 27 May 2025 19:41:25 +0000
 security-misc (3:45.8-1) unstable; urgency=medium
  * New upstream version (local package).
 -- Patrick Schleizer <adrelanos@whonix.org>  Tue, 27 May 2025 15:51:50 +0000
 security-misc (3:45.7-1) unstable; urgency=medium
  * New upstream version (local package).
 -- Patrick Schleizer <adrelanos@whonix.org>  Wed, 21 May 2025 22:06:01 +0000
 security-misc (3:45.6-1) unstable; urgency=medium
  * New upstream version (local package).
 -- Patrick Schleizer <adrelanos@whonix.org>  Wed, 21 May 2025 15:52:16 +0000
 security-misc (3:45.5-1) unstable; urgency=medium
  * New upstream version (local package).
 -- Patrick Schleizer <adrelanos@whonix.org>  Wed, 21 May 2025 13:58:18 +0000
 security-misc (3:45.4-1) unstable; urgency=medium
  * New upstream version (local package).
 -- Patrick Schleizer <adrelanos@whonix.org>  Wed, 21 May 2025 11:23:39 +0000
 security-misc (3:45.3-1) unstable; urgency=medium
  * New upstream version (local package).
 -- Patrick Schleizer <adrelanos@whonix.org>  Tue, 20 May 2025 11:40:27 +0000
 security-misc (3:45.2-1) unstable; urgency=medium
  * New upstream version (local package).
--- a/etc/bluetooth/30_security-misc.conf
+++ b/etc/bluetooth/30_security-misc.conf
@ -16,11 +16,6 @@ DiscoverableTimeout = 30
 # Default=0 (unlimited)
 MaxControllers=1
 # How long to keep temporary devices around
 # The value is in seconds. Default is 30.
 # 0 = disable timer, i.e. never keep temporary devices
 TemporaryTimeout = 0
 [Policy]
 # AutoEnable defines option to enable all controllers when they are found.
 # This includes adapters present on start as well as adapters that are plugged
--- a/etc/default/grub.d/40_cpu_mitigations.cfg
+++ b/etc/default/grub.d/40_cpu_mitigations.cfg
@ -30,6 +30,7 @@
 ## The UEFI Revocation List contains signatures of now revoked firmware and software used in booting systems.
 ## If using compatible hardware, the database can be updated directly in user space using fwupd.
 ## Note that incorrectly performing DBX updates can potentially lead to serious functionality issues.
 ## https://github.com/microsoft/secureboot_objects
 ## https://uefi.org/revocationlistfile
 ## https://github.com/fwupd/fwupd
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@ -224,7 +224,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0"
 ## Disable EFI persistent storage feature.
-## Prevents the kernel from writing crash logs and other persistent data to the EFI variable store.
+## Disable Error Record Serialization Table (ERST) support as a form of defense-in-depth.
 ## Prevents the kernel from writing crash logs and other persistent data to the storage backend.
 ## Both the UEFI variable storage and ACPI ERST backends are deactivated.
 ##
 ## https://blogs.oracle.com/linux/post/pstore-linux-kernel-persistent-storage-file-system
 ## https://www.ais.com/understanding-pstore-linux-kernel-persistent-storage-file-system/
@ -234,6 +236,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
 ## https://github.com/Kicksecure/security-misc/issues/299
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi_pstore.pstore_disable=1"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX erst_disable"
 ## 2. Direct Memory Access:
 ##
--- a/etc/profile.d/30_security-misc.sh
+++ b/etc/profile.d/30_security-misc.sh
@ -4,8 +4,8 @@
 ## See the file COPYING for copying conditions.
 if [ -z "$XDG_CONFIG_DIRS" ]; then
-   XDG_CONFIG_DIRS=/etc/xdg
+   XDG_CONFIG_DIRS="/etc/xdg"
 fi
-if ! echo "$XDG_CONFIG_DIRS" | grep --quiet /usr/share/security-misc/ ; then
+if ! printf '%s\n' "$XDG_CONFIG_DIRS" | grep -- "/usr/share/security-misc/" >/dev/null 2>/dev/null ; then
-   export XDG_CONFIG_DIRS=/usr/share/security-misc/:$XDG_CONFIG_DIRS
+   export XDG_CONFIG_DIRS="/usr/share/security-misc/:$XDG_CONFIG_DIRS"
 fi
--- a/usr/bin/permission-hardener
+++ b/usr/bin/permission-hardener
@ -256,8 +256,7 @@ check_nosuid_whitelist() {
  [[ " ${policy_exact_white_list[*]} " =~ " ${target_file} " ]] && return 1
  for match_white_list_entry in "${policy_match_white_list[@]:-}"; do
-    if safe_echo "${target_file}" \
+    if [[ "${target_file}" == *"${match_white_list_entry}"* ]]; then
      | grep --quiet --fixed-strings -- "${match_white_list_entry}"; then
      return 1
    fi
  done
@ -627,7 +626,7 @@ commit_policy() {
    else
      if ! capsh --print \
        | grep --fixed-strings -- "Bounding set" \
-        | grep --quiet -- "${policy_capability_item}"; then
+        | grep -- "${policy_capability_item}" >/dev/null; then
        log error \
          "Capability from config does not exist: '${policy_capability_item}'" \
          >&2
--- a/usr/bin/remount-secure
+++ b/usr/bin/remount-secure
@ -180,7 +180,7 @@ remount_secure() {
   $output_command "INFO: '$mount_folder' old_mount_options: '$old_mount_options'"
-   if echo "$old_mount_options" | grep --quiet "$intended_mount_options" ; then
+   if printf '%s\n' "$old_mount_options" | grep "$intended_mount_options" >/dev/null 2>/dev/null ; then
      $output_command "INFO: '$mount_folder' has already intended mount options. ('$intended_mount_options')"
      return 0
   fi
--- a/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf
+++ b/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf
@ -5,11 +5,17 @@
 ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 ## Used for SSH client key management
 ## https://manpages.debian.org/bookworm/openssh-client/ssh-agent.1.en.html
 ## Debian installs ssh-agent with setgid permissions (2755) and with
 ## _ssh as the group to help mitigate ptrace attacks that could extract
 ## private keys from the agent's memory.
 ssh-agent matchwhitelist
 ## Used only for SSH host-based authentication
 ## https://linux.die.net/man/8/ssh-keysign
 ## Needed to allow access to the machine's host key for use in the
 ## authentication process. This is a non-default method of authenticating to
 ## SSH, and is likely rarely used, thus this should be safe to disable.
 #ssh-agent matchwhitelist
 #ssh-keysign matchwhitelist
 #/usr/lib/openssh matchwhitelist
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@ -360,6 +360,8 @@ kernel.core_pattern=|/bin/false
 ## Prevent setuid processes or otherwise protected/tainted binaries from creating core dumps.
 ## Any process which has changed privilege levels or is execute-only will not be dumped.
 ##
 ## https://blog.qualys.com/vulnerabilities-threat-research/2025/05/29/qualys-tru-discovers-two-local-information-disclosure-vulnerabilities-in-apport-and-systemd-coredump-cve-2025-5054-and-cve-2025-4598
 ##
 ## KSPP=yes
 ## KSPP sets the sysctl.
 ##
@ -475,6 +477,9 @@ net.ipv4.conf.*.arp_filter=1
 ## https://github.com/mullvad/mullvadvpn-app/pull/7141
 ## https://www.x41-dsec.de/static/reports/X41-Mullvad-Audit-Public-Report-2024-12-10.pdf
 ##
 ## Can lead to breakages with certain VM configurations that may be resolved by lowering protection to `arp_ignore=1`.
 ## https://github.com/Kicksecure/security-misc/pull/290
 ##
 net.ipv4.conf.*.arp_ignore=2
 ## Drop gratuitous ARP (Address Resolution Protocol) packets.
--- a/usr/libexec/security-misc/apt-get-update-sanity-test
+++ b/usr/libexec/security-misc/apt-get-update-sanity-test
@ -7,5 +7,15 @@ set -x
 set -e
 set -o pipefail
 if ! printf '%s\n' "" | wc -l >/dev/null ; then
  printf '%s\n' "\
 $0: ERROR: command 'wc' test failed! Do not ignore this!
 'wc' can core dump. Example:
 zsh: illegal hardware instruction (core dumped) wc -l
 https://github.com/rspamd/rspamd/issues/5137" >&2
  exit 1
 fi
 wc -L "/var/lib/apt/lists/"*InRelease
 wc -L "/var/lib/apt/lists/"*InRelease | awk '$1 > 1024 {print; exit 1}'
--- a/usr/libexec/security-misc/pam-info
+++ b/usr/libexec/security-misc/pam-info
@ -19,11 +19,41 @@ fi
 true "$0: START PHASE 2"
 set -o errexit
 set -o errtrace
 set -o pipefail
 set -o nounset
 error_handler() {
   exit_code="$?"
   printf '%s\n' "\
 $0: ERROR: Unexpected error.
 BASH_COMMAND: '$BASH_COMMAND'
 exit_code: '$exit_code'
 ERROR: Please report this bug." >&2
   exit 1
 }
 trap error_handler ERR
 if ! printf '%s\n' "" | wc -l >/dev/null ; then
  printf '%s\n' "\
 $0: ERROR: command 'wc' test failed! Do not ignore this!
 'wc' can core dump. Example:
 zsh: illegal hardware instruction (core dumped) wc -l
 https://github.com/rspamd/rspamd/issues/5137" >&2
  exit 1
 fi
 command -v str_replace &>/dev/null
 ## Named constants.
 pam_faillock_state_dir="/var/lib/security-misc/faillock"
 [[ -v PAM_USER ]] || PAM_USER=""
 [[ -v SUDO_USER ]] || SUDO_USER=""
 ## Debugging.
 who_ami="$(whoami)"
 true "$0: who_ami: $who_ami"
@ -35,18 +65,19 @@ if [ "$PAM_USER" = "" ]; then
   exit 0
 fi
-grep_result="$(grep -- "accessfile=/etc/security/access-security-misc.conf" /etc/pam.d/common-account 2>/dev/null)"
+grep_result="$(grep -- "accessfile=/etc/security/access-security-misc.conf" /etc/pam.d/common-account 2>/dev/null)" || true
 ## Check if grep matched something.
 if [ ! "$grep_result" = "" ]; then
   ## Yes, grep matched.
   ## Check if not out commented.
-   if ! echo "$grep_result" | grep --quiet -- "#" ; then
+   if ! printf '%s\n' "$grep_result" | grep --quiet -- "#" ; then
      ## Not out commented indeed.
      ## https://forums.whonix.org/t/etc-security-hardening-console-lockdown/8592
      console_allowed=""
      if id --name --groups --zero -- "$PAM_USER" | grep --quiet --null-data --line-regexp --fixed-strings -- "console"; then
         console_allowed=true
      fi
@ -55,7 +86,7 @@ if [ ! "$grep_result" = "" ]; then
      fi
      if [ ! "$console_allowed" = "true" ]; then
-         echo "\
+         printf '%s\n' "\
 $0: ERROR: PAM_USER: '$PAM_USER' is not a member of group 'console'
 To unlock, run the following command as superuser:
 (If you still have a sudo/root shell somewhere.)
@ -76,15 +107,19 @@ if [ "$PAM_USER" = 'sysmaint' ]; then
   sysmaint_passwd_info="$(passwd --status sysmaint 2>/dev/null)" || true
   sysmaint_lock_info="$(cut -d' ' -f2 <<< "${sysmaint_passwd_info}")"
   if [ "${sysmaint_lock_info}" = 'L' ]; then
-      echo "$0: ERROR: Reboot and choose 'PERSISTENT Mode - SYSMAINT Session' for system maintenance. See https://www.kicksecure.com/wiki/Sysmaint"
+      printf '%s\n' "$0: ERROR: Reboot and choose 'PERSISTENT Mode - SYSMAINT Session' for system maintenance. See https://www.kicksecure.com/wiki/Sysmaint" >&2
   fi
 fi
-kernel_cmdline="$(cat /proc/cmdline)"
+kernel_cmdline=""
 if test -f /proc/cmdline; then
   kernel_cmdline="$(cat -- /proc/cmdline)"
 fi
-if [ "$PAM_USER" != 'sysmaint' ] \
+if [ "$PAM_USER" != 'sysmaint' ]; then
-   && [[ "${kernel_cmdline}" =~ 'boot-role=sysmaint' ]]; then
+   if [[ "${kernel_cmdline}" =~ 'boot-role=sysmaint' ]]; then
-   echo "$0: WARNING: Use account 'sysmaint' for system maintenance. See https://www.kicksecure.com/wiki/Sysmaint"
+      printf '%s\n' "$0: WARNING: Use account 'sysmaint' for system maintenance. See https://www.kicksecure.com/wiki/Sysmaint" >&2
   fi
 fi
 ## https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698
@ -93,11 +128,11 @@ fi
 ## Also this should only run for login since securetty covers only login.
 # if [ "$PAM_USER" = "root" ]; then
 #    if [ -f /etc/securetty ]; then
-#       grep_result="$(grep "^[^#]" /etc/securetty)"
+#       grep_result="$(grep -- "^[^#]" /etc/securetty)"
 #       if [ "$grep_result" = "" ]; then
-#          echo "\
+#          printf '%s\n' "\
 # $0: ERROR: Root login is disabled.
-# ERROR: This is because /etc/securetty is empty.
+# ERROR: This is because file '/etc/securetty' is empty.
 # See also:
 # https://www.kicksecure.com/wiki/root#login
 # " >&2
@ -143,7 +178,7 @@ fi
 ## Usage: faillock [--dir /path/to/tally-directory] [--user username] [--reset]
 ## Get first line.
-#pam_faillock_output_first_line="$(echo "$pam_faillock_output" | head --lines=1)"
+#pam_faillock_output_first_line="$(printf '%s\n' "$pam_faillock_output" | head --lines=1)"
 while read -t 10 -r pam_faillock_output_first_line ; do
   break
 done <<< "$pam_faillock_output"
@ -152,24 +187,46 @@ true "pam_faillock_output_first_line: '$pam_faillock_output_first_line'"
 ## example pam_faillock_output_first_line:
 ## user:
-user_name="$(echo "$pam_faillock_output_first_line" | str_replace ":" "")"
+user_name="$(printf '%s\n' "$pam_faillock_output_first_line" | str_replace ":" "")"
 ## example user_name:
 ## user
 ## root
-pam_faillock_output_count="$(echo "$pam_faillock_output" | wc -l)"
+if [ "$PAM_USER" != "$user_name" ]; then
   printf '%s\n' "\
 $0: ERROR: Variable 'PAM_USER' '$PAM_USER' does not match variable 'user_name' '$user_name'.
 ERROR: Please report this bug.
 " >&2
   exit 1
 fi
 pam_faillock_output_count="$(printf '%s\n' "$pam_faillock_output" | wc -l)"
 ## example pam_faillock_output_count:
 ## 2
 ## example pam_faillock_output_count:
 ## 4
-## Do not count the first two informational textual output lines
+if [[ "$pam_faillock_output_count" == *[!0-9]* ]]; then
-## (starting with "user:" and "When").
+   printf '%s\n' "\
 $0: ERROR: Variable 'pam_faillock_output_count' is not numeric. pam_faillock_output_count: '$pam_faillock_output_count'
 ERROR: Please report this bug.
 " >&2
   exit 0
 fi
 ## Do not count the first two informational textual output lines (starting with "user:" and "When") if present,
 failed_login_counter=$(( pam_faillock_output_count - 2 ))
 ## example failed_login_counter:
 ## 2
 ## Ensuring failed_login_counter is not set to a negative value.
 ## https://github.com/Kicksecure/security-misc/pull/305
 if [ "$failed_login_counter" -lt "0" ]; then
   true "$0: WARNING: Failed login counter is negative. Resetting to 0."
   failed_login_counter=0
 fi
 if [ "$failed_login_counter" = "0" ]; then
   true "$0: INFO: Failed login counter is 0, ok."
   exit 0
@ -179,24 +236,24 @@ fi
 deny=3
 if test -f /etc/security/faillock.conf ; then
-   deny_line=$(grep --invert-match "#" -- /etc/security/faillock.conf | grep -- "deny =")
+   deny_line=$(grep --invert-match "#" -- /etc/security/faillock.conf | grep -- "deny =") || true
-   deny="$(echo "$deny_line" | str_replace "=" "" | str_replace "deny" "" | str_replace " " "")"
+   deny="$(printf '%s\n' "$deny_line" | str_replace "=" "" | str_replace "deny" "" | str_replace " " "")"
   ## Example:
   #deny=50
 fi
 if [[ "$deny" == *[!0-9]* ]]; then
-   echo "\
+   printf '%s\n' "\
-$0: ERROR: deny is not numeric. deny: '$deny'
+$0: ERROR: Variable 'deny' is not numeric. deny: '$deny'
 ERROR: Please report this bug.
 " >&2
   exit 0
 fi
-remaining_attempts="$(( $deny - $failed_login_counter ))"
+remaining_attempts="$(( deny - failed_login_counter ))"
 if [ "$remaining_attempts" -le "0" ]; then
-   echo "\
+   printf '%s\n' "\
 $0: ERROR: Login blocked after $failed_login_counter attempts.
 To unlock, run the following command as superuser:
 (If you still have a sudo/root shell somewhere.)
@ -211,14 +268,14 @@ https://www.kicksecure.com/wiki/root#unlock
   exit 0
 fi
-echo "\
+printf '%s\n' "\
-$0: WARNING: $failed_login_counter failed login attempts for user_name '$user_name'.
+$0: WARNING: $failed_login_counter failed login attempts for account '$user_name'.
 Login will be blocked after $deny attempts.
 You have $remaining_attempts more attempts before unlock procedure is required.
 " >&2
 if [ "$PAM_SERVICE" = "su" ]; then
-   echo "\
+   printf '%s\n' "\
 $0: NOTE: Type the password. When entering the password, no password feedback (no asterisk (\"*\") symbol) will be shown.
 " >&2
 fi
--- a/usr/libexec/security-misc/permission-lockdown
+++ b/usr/libexec/security-misc/permission-lockdown
@ -25,6 +25,7 @@
 # /usr/libexec/security-misc/permission-lockdown: user: stunnel4 | chmod o-rwx "/var/run/stunnel4"
 # /usr/libexec/security-misc/permission-lockdown: user: iodine | chmod o-rwx "/var/run/iodine"
 # /usr/libexec/security-misc/permission-lockdown: user: apt-cacher-ng | chmod o-rwx "/var/cache/apt-cacher-ng"
 # /usr/libexec/security-misc/permission-lockdown: user: approx | chmod o-rwx "/var/cache/approx"
 # /usr/libexec/security-misc/permission-lockdown: user: statd | chmod o-rwx "/var/lib/nfs"
 # /usr/libexec/security-misc/permission-lockdown: user: timidity | chmod o-rwx "/etc/timidity"
 # /usr/libexec/security-misc/permission-lockdown: user: uuidd | chmod o-rwx "/run/uuidd"