This commit is contained in:
Patrick Schleizer 2023-12-25 09:04:10 -05:00
parent 79f398d219
commit 37b4ab15a8
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48

@ -41,12 +41,11 @@ configuration file.
- Prevents unintentional writes to attacker-controlled files. - Prevents unintentional writes to attacker-controlled files.
- Prevents common symlink and hardlink TOCTOU races. `<!-- - Prevents common symlink and hardlink TOCTOU races.
* Restricts the SysRq key so it can only be used for shutdowns and the
Secure Attention Key.
-->`{=html}
- Disables SysRq completely. - Disables SysRq key completely.
* Therefore Secure Attention Key (SAK) cannot be used.
* https://www.kicksecure.com/wiki/SysRq
- The kernel is only allowed to swap if it is absolutely necessary. This - The kernel is only allowed to swap if it is absolutely necessary. This
prevents writing potentially sensitive contents of memory to disk. prevents writing potentially sensitive contents of memory to disk.
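Review bot: the old SysRq bullet is retained as an HTML comment (`<!-- ... -->{=html}`) instead of being deleted; commented-out documentation goes stale and the `{=html}` raw attribute looks like a pandoc round-trip artifact, so drop the comment and rely on git history. The new bullet `- Disables SysRq key completely.` makes a stronger claim than the old `Restricts the SysRq key ...` but gives no pointer to the setting that enforces it; name the configuration file or the `kernel.sysrq` value so a reader can verify it on a running system (`sysctl kernel.sysrq`). Also spell out the trade-off behind `* Therefore Secure Attention Key (SAK) cannot be used.`: SAK is the key combination that kills every process on the current console so that a login prompt can be trusted not to be spoofed, so losing it is a deliberate security trade-off rather than an incidental side effect, and the wiki link alone does not say so.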
@ -278,7 +277,7 @@ install.
Not enabled by default yet. In development. Help welcome. Not enabled by default yet. In development. Help welcome.
- https://github.com/Kicksecure/security-misc/pull/152 - https://github.com/Kicksecure/security-misc/issues/157
- https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/ - https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/
## Root access restrictions ## Root access restrictions
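Review bot: the only change in this hunk swaps the tracking link under `Not enabled by default yet. In development. Help welcome.` from `pull/152` to `issues/157`; if the pull request still carries the implementation and its review discussion, keep both links rather than replacing one with the other, since an issue alone does not tell a reader where the code lives or why it is not yet enabled by default.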
@ -421,18 +420,21 @@ include but are not limited to:
- Protecting the information of sudoers from others. - Protecting the information of sudoers from others.
- Protecting various system relevant files and modules. - Protecting various system relevant files and modules.
```{=html} ##### permission-hardening #####
<!--
Not enabled by default yet.
A systemd service removes SUID / SGID bits from non-essential binaries as `permission-hardener` removes SUID / SGID bits from non-essential binaries as
these are often used in privilege escalation attacks. It is disabled by these are often used in privilege escalation attacks. It runs at package
default for now during testing and can optionally be enabled by running installation and upgrade time.
`systemctl enable permission-hardening.service` as root.
There is also an optional systemd unit which does the same at boot time that
can be enabled by running `systemctl enable permission-hardening.service` as
root. The hardening at boot time is not the default because this slows down
the boot too much.
See: See:
* `/usr/libexec/security-misc/permission-hardening` * `/usr/bin/permission-hardening`
* `debian/security-misc.postinst`
* `/lib/systemd/system/permission-hardening.service` * `/lib/systemd/system/permission-hardening.service`
* `/etc/permission-hardening.d` * `/etc/permission-hardening.d`
* https://forums.whonix.org/t/disable-suid-binaries/7706 * https://forums.whonix.org/t/disable-suid-binaries/7706
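Review bot: the naming is inconsistent in the new text: the prose calls the tool `permission-hardener`, while the new `See:` entry is `/usr/bin/permission-hardening` and the unit is `/lib/systemd/system/permission-hardening.service`; use the one real name in all three places. The trigger is also stated too loosely: `It runs at package installation and upgrade time.` does not say whose installation, and if it only runs from `debian/security-misc.postinst` (the file newly added to the list) then a setuid binary shipped by any other package installed later keeps its bit until the next security-misc upgrade or until the optional boot-time `permission-hardening.service` is enabled; state explicitly which event triggers it and that the boot-time unit is what closes that window, since the text currently presents the unit only as a slower alternative. Finally, the new heading `##### permission-hardening #####` uses a closed five-hash style while the rest of the file uses open `##` headings such as `## Root access restrictions`; match the existing style.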
@ -450,8 +452,7 @@ See:
* `/usr/bin/pkexec.security-misc` * `/usr/bin/pkexec.security-misc`
* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040 * https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040
* https://forums.whonix.org/t/cannot-use-pkexec/8129 * https://forums.whonix.org/t/cannot-use-pkexec/8129
-->
```
## Application-specific hardening ## Application-specific hardening
- Enables "`apt-get --error-on=any`" which makes apt exit non-zero for - Enables "`apt-get --error-on=any`" which makes apt exit non-zero for
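Review bot: removing the closing `-->` and the trailing code fence here completes the un-commenting started in the previous hunk, so the whole permission-hardening section up to and including `* /usr/bin/pkexec.security-misc` and its two links now renders for the first time; those pkexec lines are unchanged context, so check that the text they belong to is still accurate before it becomes visible. Note that this hunk cannot be applied or reverted independently of the previous one: with only one of the two applied, an unterminated HTML comment would swallow everything up to and including `## Application-specific hardening`.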