Merge branch 'master' into arraybolt3/emerg-shutdown

This commit is contained in:
Aaron Rainbolt 2025-07-13 15:21:34 -05:00
commit 2a7071055f
No known key found for this signature in database
GPG key ID: A709160D73C79109
14 changed files with 638 additions and 42 deletions


@ -143,7 +143,7 @@ and simultaneous multithreading (SMT) is disabled. See the
Note, to achieve complete protection for known CPU vulnerabilities, the latest
security microcode (BIOS/UEFI) updates must be installed on the system. Furthermore,
if using Secure Boot, the Secure Boot Forbidden Signature Database (DBX) must be kept
up to date through [UEFI Revocation List](https://uefi.org/revocationlistfile) updates.
up to date through [UEFI Revocation List](https://github.com/microsoft/secureboot_objects) updates.
CPU mitigations:
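Review bot: the README now cites only the Microsoft secureboot_objects repository for DBX updates, while the matching comment block in the GRUB configuration changed by this same commit keeps both `https://github.com/microsoft/secureboot_objects` and `https://uefi.org/revocationlistfile`. Keep the uefi.org link here as well (it is where the revocation list is published) so the two references stay consistent, e.g. "through UEFI Revocation List updates (https://uefi.org/revocationlistfile, mirrored at https://github.com/microsoft/secureboot_objects)".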
@ -226,8 +226,8 @@ Kernel space:
- Optional - Disable support for all x86 processes and syscalls (when using Linux kernel >= 6.7)
to reduce attack surface.
- Disable EFI persistent storage feature, preventing the kernel from writing crash logs and
other persistent data to the EFI variable store.
- Disable the EFI persistent storage feature which prevents the kernel from writing crash logs
and other persistent data to either the UEFI variable storage or ACPI ERST backends.
Direct memory access:
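Review bot: the new README sentence reads as if the feature itself does the preventing ("feature which prevents the kernel from writing"); suggest "Disable the EFI persistent storage feature, which prevents the kernel from writing crash logs and other persistent data to either the UEFI variable storage or ACPI ERST backend." It would also help to name the two kernel parameters this item now covers (`efi_pstore.pstore_disable=1` and `erst_disable`), since the list item describes both changes.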


@ -1,3 +1,456 @@
commit b06fb5428051518390439ce95c9d6894e6338951
Merge: 115b6f6 468cf40
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed Jul 2 13:47:12 2025 -0400
Merge remote-tracking branch 'github-kicksecure/master'
commit 468cf40e2a216625d02066b609b0991e37c50ebc
Merge: 865a052 bb208fb
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed Jul 2 13:45:28 2025 -0400
Merge pull request #306 from raja-grewal/erst
Set `erst_disable`
commit 865a052bf47f28c0084b2bbd51e3c606df9eda96
Merge: 115b6f6 e3c4519
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed Jul 2 13:44:17 2025 -0400
Merge pull request #309 from RebornRider/patch-1
remove TemporaryTimeout=0 in Bluetooth config
commit bb208fb134fe25fc3539494f331072a851369064
Merge: 4314b1e 115b6f6
Author: raja-grewal <rg_public@proton.me>
Date: Wed Jul 2 11:35:50 2025 +1000
Merge branch 'Kicksecure:master' into erst
commit 4314b1e85bd5495832b4398bdbd358c41703dcc9
Author: raja-grewal <rg_public@proton.me>
Date: Tue Jul 1 13:36:39 2025 +1000
Add comment
commit e3c451917931aa4e63056fb03470c203694d399f
Author: Kevin Agwaze <7119346+RebornRider@users.noreply.github.com>
Date: Mon Jun 16 10:35:16 2025 +0100
remove misleading TemporaryTimeout=0 in Bluetooth config
commit 115b6f6aa2a4d00ad5690c2c0889e142540c01ca
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Sat Jun 14 11:51:44 2025 +0000
bumped changelog version
commit 4639d1aab572bb4ad751bd1da5b936b9d73d3264
Merge: 5159de6 109c013
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Fri Jun 13 15:09:52 2025 -0400
Merge remote-tracking branch 'ArrayBolt3/arraybolt3/approx'
commit 109c0134677d991c449aa009773cb22babeee8db
Author: Aaron Rainbolt <arraybolt3@ubuntu.com>
Date: Thu Jun 12 01:08:34 2025 -0500
Add comment related to approx package caching proxy
commit 72613203b9692d1098b13ff98119499a5a30a6da
Author: raja-grewal <rg_public@proton.me>
Date: Fri Jun 6 13:07:52 2025 +0000
Add reference
commit dd0b55cc45f9ccd64d0075ba37ab6a4723d94a02
Author: raja-grewal <rg_public@proton.me>
Date: Tue Jun 3 12:32:17 2025 +1000
Add reference
commit 5159de63438e8c1274658e7175a80fb693d6554a
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed May 28 13:48:11 2025 +0000
bumped changelog version
commit 3e102df76583a14b5efc18238aefbf539ab0d8a1
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed May 28 08:37:03 2025 -0400
fix
commit d5edc243ac2db861f1600d3906a02494eaf9a824
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed May 28 12:12:00 2025 +0000
bumped changelog version
commit eda1d0aef640af1ea73c72d6caa876733de4e5a0
Merge: e966774 5a10ad0
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed May 28 07:22:16 2025 -0400
Merge remote-tracking branch 'github-kicksecure/master'
commit 5a10ad031d67acc8fa4c16f9e2db191bde559caa
Merge: e966774 3559bc8
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed May 28 07:21:31 2025 -0400
Merge pull request #307 from maybebyte/ssh-agent-to-allowlist
fix(permission-hardener): ssh-agent gets 2755 perms
commit 3559bc86b7aed8122ff7996ce0ab4a65bdaf05c0
Author: Ashlen <dev@anthes.is>
Date: Tue May 27 15:32:41 2025 -0600
fix(permission-hardener): ssh-agent gets 2755 perms
Change from exactwhitelist to matchwhitelist. Discussion revealed that
there's a good reason to leave setgid in here, which is essentially
defense-in-depth (sometimes users may want to revert Kicksecure's
default of kernel.yama.ptrace_scope=2, e.g. to debug a program, and
Kicksecure should not be less secure than vanilla Debian in that
situation).
commit c59b2e4bc53cad4c9cc90ddd5abaca0705ccff90
Merge: 017ee29 e966774
Author: maybebyte <99762926+maybebyte@users.noreply.github.com>
Date: Tue May 27 20:33:07 2025 +0000
Merge branch 'Kicksecure:master' into ssh-agent-to-allowlist
commit e96677486201ebddc145af7962ad5e89f6fa253b
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Tue May 27 19:41:25 2025 +0000
bumped changelog version
commit 017ee29eb39d84edc89f128a633a619cad852241
Merge: 7a079c3 abb2207
Author: maybebyte <99762926+maybebyte@users.noreply.github.com>
Date: Tue May 27 18:25:47 2025 +0000
Merge branch 'Kicksecure:master' into ssh-agent-to-allowlist
commit 5195977be474e29a29b6392306e909e9f2d05ada
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Tue May 27 11:57:21 2025 -0400
protect against grep pipefail
commit abb2207313810966dad381c3a9f637c445a5834d
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Tue May 27 15:51:50 2025 +0000
bumped changelog version
commit 45016146f7c77d383f2254d19dc66ba9b883b8f2
Merge: ace45d7 395169f
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Tue May 27 11:03:23 2025 -0400
Merge remote-tracking branch 'github-kicksecure/master'
commit 395169fbce1854bfed727d1784f4e5c0d8e7c6ff
Merge: ace45d7 e14b81b
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Tue May 27 10:58:50 2025 -0400
Merge pull request #308 from maybebyte/permission-hardener-speedboost
perf(permission-hardener): optimize string match
commit 1c353032046f556bb11c32506019310c9f6d47c0
Merge: 35fa32e ace45d7
Author: raja-grewal <rg_public@proton.me>
Date: Fri May 23 20:20:19 2025 +1000
Merge branch 'Kicksecure:master' into erst
commit ace45d7c95ed6b83c1897f76da5af4a0c97cab10
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed May 21 22:06:02 2025 +0000
bumped changelog version
commit 142ea2118989faddafa17db48efed379c4ac3f45
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed May 21 12:42:16 2025 -0400
fix
commit a969fa350e28ca296966509821a7c62b68f09a5a
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed May 21 12:40:27 2025 -0400
fix
commit f023651c984c52a997bc241f99f118255cf60809
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed May 21 12:35:37 2025 -0400
nounset
commit f086787464191a07e028dd92649c48b145023858
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed May 21 12:35:23 2025 -0400
fix
commit d7643954d184846c8b7fb5eda7200779126274eb
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed May 21 12:33:50 2025 -0400
minor
commit aa905fc8875c5c56351f10f4e40e6d2a7dd6d918
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed May 21 12:32:16 2025 -0400
further validation of output of `faillock`
commit 92d3a36a0f43615db622c6b0daa7064b8e8ebbbb
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed May 21 12:29:01 2025 -0400
fix
commit 2c1abb23e03cfe449347ba692d35f5ba1f33cff4
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed May 21 12:26:46 2025 -0400
output
commit 0801b96ae74256f36dcf8757d0ba8abc66ea0b9b
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed May 21 12:25:49 2025 -0400
output
commit ef8515ba82996b137c386eeb91e6f853d58a515f
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed May 21 12:23:45 2025 -0400
improve error handling
commit 784867e24b4d6f2899fa9b215ec9e3c4e2fb9d84
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed May 21 12:21:45 2025 -0400
fix
commit 0eea681ce893a259563f8e9d5a2ec9722fbc635d
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed May 21 15:52:16 2025 +0000
bumped changelog version
commit e1bae1c68aabc424924b6386fe4980d657dc2cdf
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed May 21 11:50:59 2025 -0400
fix
commit bd01a683054b1f7d5a5f6cc4848da73b1b1ef5ff
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed May 21 13:58:18 2025 +0000
bumped changelog version
commit 14cf205579ff65fa765d7574e5d0e301a30a1904
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed May 21 08:36:16 2025 -0400
fix
commit ff6bc5d5b6097bcdddd8e66c2541106c2cbabbaf
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed May 21 11:23:39 2025 +0000
bumped changelog version
commit 353b6e83c55d52b47a2a35063406324cec7237c4
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed May 21 07:20:13 2025 -0400
test that `wc` is functional
https://github.com/Kicksecure/security-misc/pull/305#issuecomment-2892378246
commit 5930e270521e0e5d6a0a3877c813accbf5253051
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed May 21 07:05:25 2025 -0400
pam-info: improve error handling
https://github.com/Kicksecure/security-misc/pull/305#issuecomment-2892378246
commit 5c981e0891ef009c5c2355f5f6383aca22c45638
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Wed May 21 06:55:09 2025 -0400
pam-info: fix, consistently write errors and warnings to stderr
commit e14b81b15e479afbc4820a2b9bb60f3cf65bfb12
Author: Ashlen <dev@anthes.is>
Date: Tue May 20 21:34:03 2025 -0600
perf(permission-hardener): optimize string match
Replace subprocess grep calls with bash substring matching in
check_nosuid_whitelist function. This eliminates ~10k unneeded
subprocess spawns that were causing significant performance
degradation.
In testing, it improves overall script execution speed by an
order of magnitude:
Before patch:
$ sudo hyperfine -- './permission-hardener enable'
Benchmark 1: ./permission-hardener enable
Time (mean ± σ): 11.906 s ± 0.974 s [User: 3.639 s, System: 8.728 s]
Range (min … max): 10.430 s … 14.090 s 10 runs
After patch:
$ sudo hyperfine -- './permission-hardener enable'
Benchmark 1: ./permission-hardener enable
Time (mean ± σ): 802.8 ms ± 178.5 ms [User: 283.0 ms, System: 471.9 ms]
Range (min … max): 639.4 ms … 1092.3 ms 10 runs
commit 7a079c3de8bd8b4e026a1bd1b932a04610a1e386
Author: Ashlen <dev@anthes.is>
Date: Tue May 20 18:41:48 2025 -0600
fix(permission-hardener): add exactwhitelist here
Without this, the permissions for ssh-agent won't be changed properly.
commit 94dc9da4ab8fb93760dbb3b325bdeaa155e492cb
Author: Ashlen <dev@anthes.is>
Date: Tue May 20 17:07:51 2025 -0600
fix(permission-hardener): ssh-agent gets 755 perms
Replace the commented-out matchwhitelist entry for ssh-agent with an
explicit permission entry (755) for /usr/bin/ssh-agent.
When ssh-agent's matchwhitelist entry was commented out in commit
7a5f8b87af, permission-hardener began resetting it to restrictive
defaults (744), preventing non-root users from executing ssh-agent. This
broke split SSH functionality in Qubes OS for me because I was using
Kicksecure in the vault qube, and ssh-agent runs under a non-root user in
that configuration (see https://forum.qubes-os.org/t/split-ssh/19060).
As noted in the comment, Debian installs with 2755 permissions as a way
to mitigate ptrace attacks, but this rationale doesn't apply due to
kernel.yama.ptrace_scope=2 being set in Kicksecure.
commit 19d7e1af5d7acf6eb3a20fe3ebf5f14cef041f92
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Tue May 20 11:40:27 2025 +0000
bumped changelog version
commit 405880e63b92319626332d083a6c5ad5101dbf77
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Sun May 18 06:44:42 2025 -0400
handle case of non-existence of /proc/cmdline
commit 88235cc97b8b54f3fe78d6ad76f64326e8b53f3e
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Sun May 18 06:44:04 2025 -0400
refactoring
commit 601ea77b005d18b57a85e0701f3981edd61b7881
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Sun May 18 06:42:39 2025 -0400
end-of-options
commit d8feca12768441b0499ead7cc9f9bce4e89b1edf
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Sun May 18 06:41:41 2025 -0400
printf
commit 7f2ba0980d17360fc014c6a412fc4ee57e1032fd
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Sun May 18 06:40:50 2025 -0400
refactoring
commit 4d1f8c44d28895587abce586ed5b2fe354544f6a
Merge: 341dce3 e478750
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Sun May 18 06:36:08 2025 -0400
Merge remote-tracking branch 'github-kicksecure/master'
commit e478750814798f3d9aa60354b6cecbb84769ed53
Merge: 341dce3 91a76db
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Sun May 18 06:35:23 2025 -0400
Merge pull request #305 from DMHalford/pam-info-failed_login_counter-fix
Prevent erroneous "Login blocked after [negative number] attempts" errors
commit 35fa32e4ed6333f3ab87d09828f13155aa1e7a72
Author: raja-grewal <rg_public@proton.me>
Date: Sat May 17 15:06:49 2025 +1000
Reword
commit a1bde21ccb475fc21a084559dbe766f6315d9287
Author: raja-grewal <rg_public@proton.me>
Date: Sat May 17 04:41:06 2025 +0000
Set `erst_disable`
commit 91a76db66bb496ba4650ada38df31636297738cf
Author: DMHalford <161769419+DMHalford@users.noreply.github.com>
Date: Thu May 15 15:42:50 2025 -0400
Prevent erroneous "Login blocked after [negative number] attempts" errors
For root, faillock appears to always* return an empty string (i.e. no table headers are present), yielding a zero-initialized pam_faillock_output_count and thus resulting in the calculation of a negative failed_login_counter value.
This can cause erroneous errors of the form "ERROR: Login blocked after [negative number] attempts" during sudo-ing and screen unlocking.
This commit modifies the initialization of failed_login_counter such that it cannot be negative and prevents the display of these incorrect warnings.
* Only rudimentary local tests were conducted
commit 6c3be9ced071e73e78451c82e8def9c5a5b02598
Author: DMHalford <161769419+DMHalford@users.noreply.github.com>
Date: Thu May 15 15:06:10 2025 -0400
Prevent erroneous "Login blocked after [negative number] attempts" errors
For root, faillock appears to always* return an empty string (i.e. no table headers are present), yielding a zero-initialized pam_faillock_output_count and thus resulting in the calculation of a negative failed_login_counter value.
This can cause erroneous errors of the form "ERROR: Login blocked after [negative number] attempts" during sudo-ing and screen unlocking.
This commit modifies the initialization of failed_login_counter such that it cannot be negative and prevents the display of these incorrect warnings.
* Only rudimentary tests were conducted
commit 341dce33fb806ab03822470e6af91604662c22dd
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Fri Apr 25 09:54:23 2025 +0000
bumped changelog version
commit 06e1e44b0039807baa862102b12fc5e199c3ccb3
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Fri Apr 25 05:51:21 2025 -0400

debian/changelog (vendored, 66 changes)

@ -1,3 +1,69 @@
security-misc (3:46.3-1) unstable; urgency=medium
* New upstream version (local package).
-- Patrick Schleizer <adrelanos@whonix.org> Wed, 02 Jul 2025 20:52:17 +0000
security-misc (3:46.2-1) unstable; urgency=medium
* New upstream version (local package).
-- Patrick Schleizer <adrelanos@whonix.org> Sat, 14 Jun 2025 11:51:44 +0000
security-misc (3:46.1-1) unstable; urgency=medium
* New upstream version (local package).
-- Patrick Schleizer <adrelanos@whonix.org> Wed, 28 May 2025 13:48:11 +0000
security-misc (3:46.0-1) unstable; urgency=medium
* New upstream version (local package).
-- Patrick Schleizer <adrelanos@whonix.org> Wed, 28 May 2025 12:12:00 +0000
security-misc (3:45.9-1) unstable; urgency=medium
* New upstream version (local package).
-- Patrick Schleizer <adrelanos@whonix.org> Tue, 27 May 2025 19:41:25 +0000
security-misc (3:45.8-1) unstable; urgency=medium
* New upstream version (local package).
-- Patrick Schleizer <adrelanos@whonix.org> Tue, 27 May 2025 15:51:50 +0000
security-misc (3:45.7-1) unstable; urgency=medium
* New upstream version (local package).
-- Patrick Schleizer <adrelanos@whonix.org> Wed, 21 May 2025 22:06:01 +0000
security-misc (3:45.6-1) unstable; urgency=medium
* New upstream version (local package).
-- Patrick Schleizer <adrelanos@whonix.org> Wed, 21 May 2025 15:52:16 +0000
security-misc (3:45.5-1) unstable; urgency=medium
* New upstream version (local package).
-- Patrick Schleizer <adrelanos@whonix.org> Wed, 21 May 2025 13:58:18 +0000
security-misc (3:45.4-1) unstable; urgency=medium
* New upstream version (local package).
-- Patrick Schleizer <adrelanos@whonix.org> Wed, 21 May 2025 11:23:39 +0000
security-misc (3:45.3-1) unstable; urgency=medium
* New upstream version (local package).
-- Patrick Schleizer <adrelanos@whonix.org> Tue, 20 May 2025 11:40:27 +0000
security-misc (3:45.2-1) unstable; urgency=medium
* New upstream version (local package).


@ -16,11 +16,6 @@ DiscoverableTimeout = 30
# Default=0 (unlimited)
MaxControllers=1
# How long to keep temporary devices around
# The value is in seconds. Default is 30.
# 0 = disable timer, i.e. never keep temporary devices
TemporaryTimeout = 0
[Policy]
# AutoEnable defines option to enable all controllers when they are found.
# This includes adapters present on start as well as adapters that are plugged
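Review bot: dropping `TemporaryTimeout = 0` together with its comment silently falls back to the BlueZ default of 30 seconds that the removed comment documented, and nothing in the file now records that the setting was considered and deliberately left at upstream default. Keep a one-line marker so the next person does not re-add it, e.g. `# TemporaryTimeout intentionally left at the BlueZ default, see commit e3c4519`.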


@ -30,6 +30,7 @@
## The UEFI Revocation List contains signatures of now revoked firmware and software used in booting systems.
## If using compatible hardware, the database can be updated directly in user space using fwupd.
## Note that incorrectly performing DBX updates can potentially lead to serious functionality issues.
## https://github.com/microsoft/secureboot_objects
## https://uefi.org/revocationlistfile
## https://github.com/fwupd/fwupd


@ -224,7 +224,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0"
## Disable EFI persistent storage feature.
## Prevents the kernel from writing crash logs and other persistent data to the EFI variable store.
## Disable Error Record Serialization Table (ERST) support as a form of defense-in-depth.
## Prevents the kernel from writing crash logs and other persistent data to the storage backend.
## Both the UEFI variable storage and ACPI ERST backends are deactivated.
##
## https://blogs.oracle.com/linux/post/pstore-linux-kernel-persistent-storage-file-system
## https://www.ais.com/understanding-pstore-linux-kernel-persistent-storage-file-system/
@ -234,6 +236,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
## https://github.com/Kicksecure/security-misc/issues/299
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi_pstore.pstore_disable=1"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX erst_disable"
## 2. Direct Memory Access:
##
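Review bot: `erst_disable` is a bare kernel flag with no `=1`, unlike the `efi_pstore.pstore_disable=1` line directly above it; that is correct for this parameter, but it looks like an omission and is easy for a later editor to "fix". A short comment next to it stating that the parameter takes no value would prevent that. The comment block should also say that the flag only has an effect when the firmware exposes an ACPI ERST table, and is a no-op otherwise, so readers understand why the `efi_pstore` line remains the primary control.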


@ -4,8 +4,8 @@
## See the file COPYING for copying conditions.
if [ -z "$XDG_CONFIG_DIRS" ]; then
XDG_CONFIG_DIRS=/etc/xdg
XDG_CONFIG_DIRS="/etc/xdg"
fi
if ! echo "$XDG_CONFIG_DIRS" | grep --quiet /usr/share/security-misc/ ; then
export XDG_CONFIG_DIRS=/usr/share/security-misc/:$XDG_CONFIG_DIRS
if ! printf '%s\n' "$XDG_CONFIG_DIRS" | grep -- "/usr/share/security-misc/" >/dev/null 2>/dev/null ; then
export XDG_CONFIG_DIRS="/usr/share/security-misc/:$XDG_CONFIG_DIRS"
fi
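Review bot: the new test also redirects grep's stderr to /dev/null, so a missing or broken `grep` is indistinguishable from "not found" and the directory is prepended again on every shell start; the previous `--quiet` form only suppressed stdout. If the rewrite is meant to avoid `--quiet` closing the pipe early under `pipefail` (commit 5195977 "protect against grep pipefail"), record that in a comment, since the two forms otherwise look interchangeable, and add `--fixed-strings` because the pattern is a literal path.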


@ -256,8 +256,7 @@ check_nosuid_whitelist() {
[[ " ${policy_exact_white_list[*]} " =~ " ${target_file} " ]] && return 1
for match_white_list_entry in "${policy_match_white_list[@]:-}"; do
if safe_echo "${target_file}" \
| grep --quiet --fixed-strings -- "${match_white_list_entry}"; then
if [[ "${target_file}" == *"${match_white_list_entry}"* ]]; then
return 1
fi
done
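Review bot: with `"${policy_match_white_list[@]:-}"` an unset or empty array expands to a single empty string, and `[[ "${target_file}" == *""* ]]` is true for every path, so the function returns 1 (whitelisted) for every file before any hardening happens. The old `grep --fixed-strings -- ""` matched everything too, so this is not a regression, but it is cheap to close now: make `[ -n "${match_white_list_entry}" ] || continue` the first statement of the loop body.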
@ -627,7 +626,7 @@ commit_policy() {
else
if ! capsh --print \
| grep --fixed-strings -- "Bounding set" \
| grep --quiet -- "${policy_capability_item}"; then
| grep -- "${policy_capability_item}" >/dev/null; then
log error \
"Capability from config does not exist: '${policy_capability_item}'" \
>&2
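Review bot: the capability check is still an unanchored regex substring match against capsh's comma-separated `Bounding set` line, so a config item that is a prefix of a real capability name, or one containing regex metacharacters, passes validation. Use `grep --fixed-strings --word-regexp -- "${policy_capability_item}" >/dev/null` here. Replacing `--quiet` with `>/dev/null` is fine, but a comment noting the pipefail rationale would stop someone reverting it.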


@ -180,7 +180,7 @@ remount_secure() {
$output_command "INFO: '$mount_folder' old_mount_options: '$old_mount_options'"
if echo "$old_mount_options" | grep --quiet "$intended_mount_options" ; then
if printf '%s\n' "$old_mount_options" | grep "$intended_mount_options" >/dev/null 2>/dev/null ; then
$output_command "INFO: '$mount_folder' has already intended mount options. ('$intended_mount_options')"
return 0
fi
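Review bot: `grep "$intended_mount_options"` treats the option list as a regex and requires it to appear as one contiguous substring of `old_mount_options`, so the same options in a different order (or an option containing `.` or `+`) miss the early return and the folder is remounted again. `--fixed-strings` is the minimum fix; also note that the new `2>/dev/null` hides grep errors that the previous `--quiet` form did not, so a failing grep now silently falls through to the remount.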


@ -5,11 +5,17 @@
## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
## configuration. When security-misc is updated, this file may be overwritten.
## Used for SSH client key management
## https://manpages.debian.org/bookworm/openssh-client/ssh-agent.1.en.html
## Debian installs ssh-agent with setgid permissions (2755) and with
## _ssh as the group to help mitigate ptrace attacks that could extract
## private keys from the agent's memory.
ssh-agent matchwhitelist
## Used only for SSH host-based authentication
## https://linux.die.net/man/8/ssh-keysign
## Needed to allow access to the machine's host key for use in the
## authentication process. This is a non-default method of authenticating to
## SSH, and is likely rarely used, thus this should be safe to disable.
#ssh-agent matchwhitelist
#ssh-keysign matchwhitelist
#/usr/lib/openssh matchwhitelist
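Review bot: the new comment explains Debian's setgid/`_ssh` rationale but not why the entry is `matchwhitelist` rather than `exactwhitelist`, which the commit message (3559bc8) does cover: users may revert `kernel.yama.ptrace_scope=2` to debug a program, and Kicksecure should not then be weaker than vanilla Debian. Put that sentence in the config comment. Also worth stating that `matchwhitelist` is a substring match on the path (see `check_nosuid_whitelist` in this commit), so any path containing `ssh-agent` is skipped, not only `/usr/bin/ssh-agent`.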


@ -360,6 +360,8 @@ kernel.core_pattern=|/bin/false
## Prevent setuid processes or otherwise protected/tainted binaries from creating core dumps.
## Any process which has changed privilege levels or is execute-only will not be dumped.
##
## https://blog.qualys.com/vulnerabilities-threat-research/2025/05/29/qualys-tru-discovers-two-local-information-disclosure-vulnerabilities-in-apport-and-systemd-coredump-cve-2025-5054-and-cve-2025-4598
##
## KSPP=yes
## KSPP sets the sysctl.
##
@ -475,6 +477,9 @@ net.ipv4.conf.*.arp_filter=1
## https://github.com/mullvad/mullvadvpn-app/pull/7141
## https://www.x41-dsec.de/static/reports/X41-Mullvad-Audit-Public-Report-2024-12-10.pdf
##
## Can lead to breakages with certain VM configurations that may be resolved by lowering protection to `arp_ignore=1`.
## https://github.com/Kicksecure/security-misc/pull/290
##
net.ipv4.conf.*.arp_ignore=2
## Drop gratuitous ARP (Address Resolution Protocol) packets.


@ -7,5 +7,15 @@ set -x
set -e
set -o pipefail
if ! printf '%s\n' "" | wc -l >/dev/null ; then
printf '%s\n' "\
$0: ERROR: command 'wc' test failed! Do not ignore this!
'wc' can core dump. Example:
zsh: illegal hardware instruction (core dumped) wc -l
https://github.com/rspamd/rspamd/issues/5137" >&2
exit 1
fi
wc -L "/var/lib/apt/lists/"*InRelease
wc -L "/var/lib/apt/lists/"*InRelease | awk '$1 > 1024 {print; exit 1}'
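Review bot: the self-test exercises `wc -l`, but the script depends on `wc -L`, so a crash confined to the `-L` code path would not be caught; test the option actually used, e.g. `printf '%s\n' "" | wc -L >/dev/null`. Separately, under `set -e` and `pipefail` an unmatched `*InRelease` glob makes `wc` fail on the literal pattern and abort the script before the awk check runs; if an empty lists directory is a legitimate state, guard it with an existence check or `shopt -s nullglob` first.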


@ -19,11 +19,41 @@ fi
true "$0: START PHASE 2"
set -o errexit
set -o errtrace
set -o pipefail
set -o nounset
error_handler() {
exit_code="$?"
printf '%s\n' "\
$0: ERROR: Unexpected error.
BASH_COMMAND: '$BASH_COMMAND'
exit_code: '$exit_code'
ERROR: Please report this bug." >&2
exit 1
}
trap error_handler ERR
if ! printf '%s\n' "" | wc -l >/dev/null ; then
printf '%s\n' "\
$0: ERROR: command 'wc' test failed! Do not ignore this!
'wc' can core dump. Example:
zsh: illegal hardware instruction (core dumped) wc -l
https://github.com/rspamd/rspamd/issues/5137" >&2
exit 1
fi
command -v str_replace &>/dev/null
## Named constants.
pam_faillock_state_dir="/var/lib/security-misc/faillock"
[[ -v PAM_USER ]] || PAM_USER=""
[[ -v SUDO_USER ]] || SUDO_USER=""
## Debugging.
who_ami="$(whoami)"
true "$0: who_ami: $who_ami"
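Review bot: `command -v str_replace &>/dev/null` relies on the ERR trap to abort when the helper is missing, so the user sees "Unexpected error ... Please report this bug" rather than a message naming `str_replace`; an explicit `if ! command -v str_replace >/dev/null 2>&1; then printf '%s\n' "$0: ERROR: command 'str_replace' not found." >&2; exit 1; fi` is clearer. The `wc` self-test block is also a verbatim copy of the one added to the apt-lists script in this commit; factor it into a shared helper rather than maintaining two copies.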
@ -35,18 +65,19 @@ if [ "$PAM_USER" = "" ]; then
exit 0
fi
grep_result="$(grep -- "accessfile=/etc/security/access-security-misc.conf" /etc/pam.d/common-account 2>/dev/null)"
grep_result="$(grep -- "accessfile=/etc/security/access-security-misc.conf" /etc/pam.d/common-account 2>/dev/null)" || true
## Check if grep matched something.
if [ ! "$grep_result" = "" ]; then
## Yes, grep matched.
## Check if not out commented.
if ! echo "$grep_result" | grep --quiet -- "#" ; then
if ! printf '%s\n' "$grep_result" | grep --quiet -- "#" ; then
## Not out commented indeed.
## https://forums.whonix.org/t/etc-security-hardening-console-lockdown/8592
console_allowed=""
if id --name --groups --zero -- "$PAM_USER" | grep --quiet --null-data --line-regexp --fixed-strings -- "console"; then
console_allowed=true
fi
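Review bot: the "not out commented" test `grep --quiet -- "#"` matches a `#` anywhere on the line, so an active `accessfile=...` entry followed by a trailing comment is treated as disabled and the console-group check is skipped; match a leading comment marker instead, e.g. `grep --quiet -- '^[[:space:]]*#'`. This hunk also keeps `grep --quiet` under `set -o pipefail` while the rest of the commit replaces it with `>/dev/null`; pick one form and use it throughout.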
@ -55,7 +86,7 @@ if [ ! "$grep_result" = "" ]; then
fi
if [ ! "$console_allowed" = "true" ]; then
echo "\
printf '%s\n' "\
$0: ERROR: PAM_USER: '$PAM_USER' is not a member of group 'console'
To unlock, run the following command as superuser:
(If you still have a sudo/root shell somewhere.)
@ -76,15 +107,19 @@ if [ "$PAM_USER" = 'sysmaint' ]; then
sysmaint_passwd_info="$(passwd --status sysmaint 2>/dev/null)" || true
sysmaint_lock_info="$(cut -d' ' -f2 <<< "${sysmaint_passwd_info}")"
if [ "${sysmaint_lock_info}" = 'L' ]; then
echo "$0: ERROR: Reboot and choose 'PERSISTENT Mode - SYSMAINT Session' for system maintenance. See https://www.kicksecure.com/wiki/Sysmaint"
printf '%s\n' "$0: ERROR: Reboot and choose 'PERSISTENT Mode - SYSMAINT Session' for system maintenance. See https://www.kicksecure.com/wiki/Sysmaint" >&2
fi
fi
kernel_cmdline="$(cat /proc/cmdline)"
kernel_cmdline=""
if test -f /proc/cmdline; then
kernel_cmdline="$(cat -- /proc/cmdline)"
fi
if [ "$PAM_USER" != 'sysmaint' ] \
&& [[ "${kernel_cmdline}" =~ 'boot-role=sysmaint' ]]; then
echo "$0: WARNING: Use account 'sysmaint' for system maintenance. See https://www.kicksecure.com/wiki/Sysmaint"
if [ "$PAM_USER" != 'sysmaint' ]; then
if [[ "${kernel_cmdline}" =~ 'boot-role=sysmaint' ]]; then
printf '%s\n' "$0: WARNING: Use account 'sysmaint' for system maintenance. See https://www.kicksecure.com/wiki/Sysmaint" >&2
fi
fi
## https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698
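Review bot: `[[ "${kernel_cmdline}" =~ 'boot-role=sysmaint' ]]` with a quoted pattern is a literal substring test, so it also matches a longer token such as `boot-role=sysmaintXYZ` or a parameter whose name merely ends in `boot-role`; anchor on whitespace instead, e.g. `[[ " ${kernel_cmdline} " == *' boot-role=sysmaint '* ]]`. Falling back to an empty `kernel_cmdline` when /proc/cmdline is absent is fine, but a `true "$0: INFO: /proc/cmdline not available"` in an else branch would make that path visible under `set -x`.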
@ -93,11 +128,11 @@ fi
## Also this should only run for login since securetty covers only login.
# if [ "$PAM_USER" = "root" ]; then
# if [ -f /etc/securetty ]; then
# grep_result="$(grep "^[^#]" /etc/securetty)"
# grep_result="$(grep -- "^[^#]" /etc/securetty)"
# if [ "$grep_result" = "" ]; then
# echo "\
# printf '%s\n' "\
# $0: ERROR: Root login is disabled.
# ERROR: This is because /etc/securetty is empty.
# ERROR: This is because file '/etc/securetty' is empty.
# See also:
# https://www.kicksecure.com/wiki/root#login
# " >&2
@ -143,7 +178,7 @@ fi
## Usage: faillock [--dir /path/to/tally-directory] [--user username] [--reset]
## Get first line.
#pam_faillock_output_first_line="$(echo "$pam_faillock_output" | head --lines=1)"
#pam_faillock_output_first_line="$(printf '%s\n' "$pam_faillock_output" | head --lines=1)"
while read -t 10 -r pam_faillock_output_first_line ; do
break
done <<< "$pam_faillock_output"
@ -152,24 +187,46 @@ true "pam_faillock_output_first_line: '$pam_faillock_output_first_line'"
## example pam_faillock_output_first_line:
## user:
user_name="$(echo "$pam_faillock_output_first_line" | str_replace ":" "")"
user_name="$(printf '%s\n' "$pam_faillock_output_first_line" | str_replace ":" "")"
## example user_name:
## user
## root
pam_faillock_output_count="$(echo "$pam_faillock_output" | wc -l)"
if [ "$PAM_USER" != "$user_name" ]; then
printf '%s\n' "\
$0: ERROR: Variable 'PAM_USER' '$PAM_USER' does not match variable 'user_name' '$user_name'.
ERROR: Please report this bug.
" >&2
exit 1
fi
pam_faillock_output_count="$(printf '%s\n' "$pam_faillock_output" | wc -l)"
## example pam_faillock_output_count:
## 2
## example pam_faillock_output_count:
## 4
## Do not count the first two informational textual output lines
## (starting with "user:" and "When").
if [[ "$pam_faillock_output_count" == *[!0-9]* ]]; then
printf '%s\n' "\
$0: ERROR: Variable 'pam_faillock_output_count' is not numeric. pam_faillock_output_count: '$pam_faillock_output_count'
ERROR: Please report this bug.
" >&2
exit 0
fi
## Do not count the first two informational textual output lines (starting with "user:" and "When") if present,
failed_login_counter=$(( pam_faillock_output_count - 2 ))
## example failed_login_counter:
## 2
## Ensuring failed_login_counter is not set to a negative value.
## https://github.com/Kicksecure/security-misc/pull/305
if [ "$failed_login_counter" -lt "0" ]; then
true "$0: WARNING: Failed login counter is negative. Resetting to 0."
failed_login_counter=0
fi
if [ "$failed_login_counter" = "0" ]; then
true "$0: INFO: Failed login counter is 0, ok."
exit 0
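Review bot: the new `PAM_USER` vs `user_name` consistency check runs before the negative-counter guard, and in the root case that PR #305 describes (`faillock` prints nothing) `user_name` is empty while `PAM_USER` is `root`, so unless an earlier check not shown in this hunk already exits on empty `pam_faillock_output`, root now hits "does not match variable 'user_name'" and `exit 1` instead of the intended silent `exit 0`. Either skip the comparison when `user_name` is empty or move it after the empty-output handling. Also, this path exits 1 while the "not numeric" checks exit 0; choose one exit code for internal errors in a PAM helper.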
@ -179,24 +236,24 @@ fi
deny=3
if test -f /etc/security/faillock.conf ; then
deny_line=$(grep --invert-match "#" -- /etc/security/faillock.conf | grep -- "deny =")
deny="$(echo "$deny_line" | str_replace "=" "" | str_replace "deny" "" | str_replace " " "")"
deny_line=$(grep --invert-match "#" -- /etc/security/faillock.conf | grep -- "deny =") || true
deny="$(printf '%s\n' "$deny_line" | str_replace "=" "" | str_replace "deny" "" | str_replace " " "")"
## Example:
#deny=50
fi
if [[ "$deny" == *[!0-9]* ]]; then
echo "\
$0: ERROR: deny is not numeric. deny: '$deny'
printf '%s\n' "\
$0: ERROR: Variable 'deny' is not numeric. deny: '$deny'
ERROR: Please report this bug.
" >&2
exit 0
fi
remaining_attempts="$(( $deny - $failed_login_counter ))"
remaining_attempts="$(( deny - failed_login_counter ))"
if [ "$remaining_attempts" -le "0" ]; then
echo "\
printf '%s\n' "\
$0: ERROR: Login blocked after $failed_login_counter attempts.
To unlock, run the following command as superuser:
(If you still have a sudo/root shell somewhere.)
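Review bot: when `/etc/security/faillock.conf` exists but has no line matching `deny =` (for example `deny=5` without spaces, or only a commented-out line), `deny_line` is empty and the assignment overwrites the default `deny=3` with an empty string; the numeric check does not reject an empty value, `$(( deny - failed_login_counter ))` then evaluates `deny` as 0, and every account with at least one recorded failure is told "Login blocked". Only override the default when `deny_line` is non-empty, accept optional whitespace (`grep -- '^[[:space:]]*deny[[:space:]]*='`), and extend the check to `[[ -z "$deny" || "$deny" == *[!0-9]* ]]`.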
@ -211,14 +268,14 @@ https://www.kicksecure.com/wiki/root#unlock
exit 0
fi
echo "\
$0: WARNING: $failed_login_counter failed login attempts for user_name '$user_name'.
printf '%s\n' "\
$0: WARNING: $failed_login_counter failed login attempts for account '$user_name'.
Login will be blocked after $deny attempts.
You have $remaining_attempts more attempts before unlock procedure is required.
" >&2
if [ "$PAM_SERVICE" = "su" ]; then
echo "\
printf '%s\n' "\
$0: NOTE: Type the password. When entering the password, no password feedback (no asterisk (\"*\") symbol) will be shown.
" >&2
fi


@ -25,6 +25,7 @@
# /usr/libexec/security-misc/permission-lockdown: user: stunnel4 | chmod o-rwx "/var/run/stunnel4"
# /usr/libexec/security-misc/permission-lockdown: user: iodine | chmod o-rwx "/var/run/iodine"
# /usr/libexec/security-misc/permission-lockdown: user: apt-cacher-ng | chmod o-rwx "/var/cache/apt-cacher-ng"
# /usr/libexec/security-misc/permission-lockdown: user: approx | chmod o-rwx "/var/cache/approx"
# /usr/libexec/security-misc/permission-lockdown: user: statd | chmod o-rwx "/var/lib/nfs"
# /usr/libexec/security-misc/permission-lockdown: user: timidity | chmod o-rwx "/etc/timidity"
# /usr/libexec/security-misc/permission-lockdown: user: uuidd | chmod o-rwx "/run/uuidd"