mirror of
https://github.com/Kicksecure/security-misc.git
synced 2024-12-25 21:29:24 -05:00
comments
This commit is contained in:
Patrick Schleizer
parent
d7bd477e73
commit
77b3dd5d6b
@ -13,8 +13,12 @@
|
||||
## To remove all SUID/SGID binaries in a directory, you can use the "nosuid"
|
||||
## argument.
|
||||
|
||||
## SUID exact match whitelist.
|
||||
######################################################################
|
||||
# SUID exact match whitelist
|
||||
######################################################################
|
||||
|
||||
## TODO: white spaces inside file name untested
|
||||
|
||||
/usr/bin/sudo whitelist
|
||||
/bin/sudo whitelist
|
||||
/usr/bin/bwrap whitelist
|
||||
@ -29,7 +33,11 @@
|
||||
## https://www.whonix.org/wiki/Dev/Firejail#Security
|
||||
/usr/bin/firejail whitelist
|
||||
|
||||
## {{ TODO: research
|
||||
######################################################################
|
||||
# SUID exact match whitelist - research required
|
||||
######################################################################
|
||||
|
||||
## TODO: research required
|
||||
|
||||
## https://github.com/QubesOS/qubes-core-agent-linux/blob/master/qubes-rpc/qfile-unpacker.c
|
||||
/usr/lib/qubes/qfile-unpacker whitelist
|
||||
@ -38,13 +46,18 @@
|
||||
## https://lwn.net/Articles/590315/
|
||||
/usr/lib/xorg/Xorg.wrap whitelist
|
||||
|
||||
## }}
|
||||
######################################################################
|
||||
# SUID regex match whitelist - research required
|
||||
######################################################################
|
||||
|
||||
## SUID regex match whitelist.
|
||||
## TODO: white spaces inside file name untested
|
||||
|
||||
/usr/lib/virtualbox/ matchwhitelist
|
||||
|
||||
## Permission hardening.
|
||||
######################################################################
|
||||
# Permission Hardening
|
||||
######################################################################
|
||||
|
||||
/home/ 0755 root root
|
||||
/home/user/ 0700 user user
|
||||
/root/ 0700 root root
|
||||
@ -52,7 +65,12 @@
|
||||
/etc/permission-hardening.d 0600 root root
|
||||
/usr/local/etc/permission-hardening.d 0600 root root
|
||||
|
||||
######################################################################
|
||||
# SUID/SGID Removal
|
||||
######################################################################
|
||||
|
||||
## Remove all SUID/SGID binaries/libraries.
|
||||
|
||||
/bin/ nosuid
|
||||
/usr/bin/ nosuid
|
||||
/usr/local/bin/ nosuid
|
||||
|
||||
Loading…
Reference in New Issue
Block a user