From 2e81885f691201e2229dadfd5ec7b554980ac689 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
Date: Fri, 21 Jun 2019 04:52:01 +0200
Subject: [PATCH] Add rpm packaging

QubesOS/qubes-issues#1885
---
 Makefile.builder | 1 +
 rpm_spec/security-misc.spec.in | 96 ++++++++++++++++++++++++++++++++++ +
 version | 1 +
 3 files changed, 98 insertions(+)
 create mode 100644 rpm_spec/security-misc.spec.in
 create mode 100644 version

diff --git a/Makefile.builder b/Makefile.builder
index 5e8887e..bbe1ea5 100644
--- a/Makefile.builder
+++ b/Makefile.builder
@@ -1 +1,2 @@
 DEBIAN_BUILD_DIRS := debian
+RPM_SPEC_FILES := rpm_spec/security-misc.spec
diff --git a/rpm_spec/security-misc.spec.in b/rpm_spec/security-misc.spec.in
new file mode 100644
index 0000000..e345219
--- /dev/null
+++ b/rpm_spec/security-misc.spec.in
@@ -0,0 +1,96 @@
+Name: security-misc
+Version: @VERSION@
+Release: 1%{?dist}
+Summary: enhances misc security settings
+
+License: GPL-3+-with-additional-terms-1
+URL: https://github.com/Whonix/security-misc
+Source0: %{name}-%{version}.tar.xz
+
+BuildRequires: dpkg-dev
+BuildRequires: genmkfile
+Requires: make
+BuildArch: noarch
+
+%description
+The following settings are changed:
+
+deactivates previews in Dolphin;
+deactivates previews in Nautilus;
+deactivates thumbnails in Thunar;
+deactivates TCP timestamps;
+deactivates Netfilter's connection tracking helper;
+
+TCP time stamps (RFC 1323) allow for tracking clock
+information with millisecond resolution. This may or may not allow an
+attacker to learn information about the system clock at such
+a resolution, depending on various issues such as network lag.
+This information is available to anyone who monitors the network
+somewhere between the attacked system and the destination server.
+It may allow an attacker to find out how long a given
+system has been running, and to distinguish several
+systems running behind NAT and using the same IP address. It might
+also allow one to look for clocks that match an expected value to find the
+public IP used by a user.
+
+Hence, this package disables this feature by shipping the
+/etc/sysctl.d/tcp_timestamps.conf configuration file.
+
+Note that TCP time stamps normally have some usefulness. They are
+needed for:
+
+* the TCP protection against wrapped sequence numbers; however, to
+ trigger a wrap, one needs to send roughly 2^32 packets in one
+ minute: as said in RFC 1700, "The current recommended default
+ time to live (TTL) for the Internet Protocol (IP) [45,105] is 64".
+ So, this probably won't be a practical problem in the context
+ of Anonymity Distributions.
+
+* "Round-Trip Time Measurement", which is only useful when the user
+ manages to saturate their connection. When using Anonymity Distributions,
+ probably the limiting factor for transmission speed is rarely the capacity
+ of the user connection.
+
+Netfilter's connection tracking helper module increases kernel attack
+surface by enabling superfluous functionality such as IRC parsing in
+the kernel. (!)
+
+Hence, this package disables this feature by shipping the
+/etc/sysctl.d/nf_conntrack_helper.conf configuration file.
+
+%prep
+%setup -q
+
+
+%build
+make %{?_smp_mflags}
+
+
+%install
+%make_install
+
+
+%files
+%license debian/copyright
+/etc/X11/Xsession.d/50security-misc
+/etc/default/grub.d/40_kernel_hardening.cfg
+/etc/modprobe.d/30_nf_conntrack_helper_disable.conf
+/etc/modprobe.d/uncommon-network-protocols.conf
+/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml
+/etc/sysctl.d/fs_protected.conf
+/etc/sysctl.d/harden_bpf.conf
+/etc/sysctl.d/kexec.conf
+/etc/sysctl.d/kptr_restrict.conf
+/etc/sysctl.d/mmap_aslr.conf
+/etc/sysctl.d/ptrace_scope.conf
+/etc/sysctl.d/tcp_hardening.conf
+/etc/sysctl.d/tcp_timestamps.conf
+/usr/lib/security-misc/apt-get-update
+/usr/lib/security-misc/apt-get-update-sanity-test
+/usr/lib/security-misc/apt-get-wrapper
+/usr/share/glib-2.0/schemas/30_security-misc.gschema.override
+/usr/share/lintian/overrides/security-misc
+/usr/share/security-misc/dolphinrc
+
+%changelog
+@CHANGELOG@
diff --git a/version b/version
new file mode 100644
index 0000000..8c50098
--- /dev/null
+++ b/version
@@ -0,0 +1 @@
+3.1
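Review bot: The `%files` section of rpm_spec/security-misc.spec.in lists every `/etc/sysctl.d/`, `/etc/modprobe.d/`, `/etc/default/grub.d/`, `/etc/X11/Xsession.d/` and `/etc/skel/` entry as a plain file, so an upgrade overwrites any local edit of the hardening policy without leaving an `.rpmsave`; each `/etc/...` entry should be marked as configuration, e.g. `%config(noreplace) /etc/sysctl.d/tcp_timestamps.conf` (or plain `%config` if upstream changes are meant to win and the local copy should be saved aside). The `%description` also says the conntrack helper is disabled by shipping `/etc/sysctl.d/nf_conntrack_helper.conf`, but the file list ships `/etc/modprobe.d/30_nf_conntrack_helper_disable.conf` and no such sysctl file, so the description should name the modprobe.d file instead. `/etc/default/grub.d/*.cfg` and `/etc/X11/Xsession.d/` are Debian conventions; before relying on `40_kernel_hardening.cfg` on an RPM-based target I would confirm that its grub2-mkconfig and session startup actually read those directories, otherwise the kernel command-line hardening silently does nothing there. `Requires: make` looks like a build-time dependency listed as a runtime one; if nothing installed under `/usr/lib/security-misc/` invokes make, it can be dropped.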