Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-11-25 18:36:21 -05:00
Code Issues Projects Releases Packages Wiki Activity

Merge branch 'master' into arraybolt3/trixie

Browse source
This commit is contained in:
Aaron Rainbolt 2025-08-21 20:09:48 -05:00
commit 53e930b4cc
No known key found for this signature in database
GPG key ID: A709160D73C79109
8 changed files with 27 additions and 25 deletions
Download patch file Download diff file Expand all files Collapse all files

4
usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf
View file

@ -6,14 +6,14 @@
## configuration. When security-misc is updated, this file may be overwritten.
## Used for SSH client key management
## https://manpages.debian.org/trixie/openssh-client/ssh-agent.1.en.html
## https://manpages.debian.org/ssh-agent
## Debian installs ssh-agent with setgid permissions (2755) and with
## _ssh as the group to help mitigate ptrace attacks that could extract
## private keys from the agent's memory.
ssh-agent matchwhitelist
## Used only for SSH host-based authentication
## https://linux.die.net/man/8/ssh-keysign
## https://manpages.debian.org/ssh-keysign
## Needed to allow access to the machine's host key for use in the
## authentication process. This is a non-default method of authenticating to
## SSH, and is likely rarely used, thus this should be safe to disable.

3
usr/lib/sysctl.d/990-security-misc.conf
View file

@ -175,7 +175,6 @@ kernel.perf_event_paranoid=3
##
## https://en.wikipedia.org/wiki/Kernel_panic#Linux
## https://en.wikipedia.org/wiki/Linux_kernel_oops
## https://en.wikipedia.org/wiki/Kdump_(Linux)
## https://lwn.net/Articles/876209/
## https://git.sr.ht/~gregkh/presentation-security/tree/3fdaf81a2f8b2c8d64cdb2f529cc714624868aa8/item/security-stuff.pdf
## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panisc-on-oops-1-sysctl-for-better-security/7713
@ -189,8 +188,8 @@ kernel.perf_event_paranoid=3
#kernel.warn_limit=1
## Force immediate system reboots on the occurrence of a single kernel panic.
## Ensures the system does not hang forever if a panic occurs, reducing susceptibility to cold boot attacks.
## Increases resilience and limits impact of denial of service attacks as system automatically restarts.
## Ensures the system does not hang forever if a panic occurs, reducing susceptibility to both cold and warm boot attacks.
## Immediate rebooting also prevents persistent information disclosure on panic details that were dumped to screen.
##
## KSPP=yes

8
usr/libexec/security-misc/panic-on-oops
View file

@ -17,10 +17,14 @@ fi
## to run after an inconsistent state is triggered by a potentially
## flawed processes. The reasons for the errors could be kernel
## exploit attempts but may also simply be general software bugs.
##
## https://docs.kernel.org/admin-guide/sysctl/kernel.html#oops-limit
sysctl kernel.oops_limit=1
## https://docs.kernel.org/admin-guide/sysctl/kernel.html#warn-limit
sysctl kernel.warn_limit=1
## Makes the system immediately reboot on the occurrence of a single
## kernel panic. This reduces the risk and impact of both denial of
## service and cold boot attacks.
## kernel panic. This reduces the risk and impact of denial of
## service attacks and both cold and warm boot attacks.
## https://docs.kernel.org/admin-guide/sysctl/kernel.html#panic
sysctl kernel.panic=-1