Merge remote-tracking branch 'github-kicksecure/master'
commit
811d1cd0dd
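--- a/debian/security-misc.maintscript
+++ b/debian/security-misc.maintscript
@@ -46,3 +46,6 @@ rm_conffile /etc/sysctl.d/30_security-misc.conf
 rm_conffile /etc/sysctl.d/30_silent-kernel-printk.conf
 rm_conffile /etc/sysctl.d/30_security-misc_kexec-disable.conf
 
+## replaced with privacy conscious configurations for bluetooth
+## not to hinder day to day usage
+rm_conffile /bin/disabled-bluetooth-by-security-misc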
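Review bot: The added `rm_conffile /bin/disabled-bluetooth-by-security-misc` line targets a path under /bin, while every other entry visible in this hunk removes a file under /etc; `rm_conffile` is the dpkg-maintscript-helper action for obsolete conffiles, so it likely does nothing for a helper script that dpkg tracks as an ordinary file. If the package simply stops shipping the script, dpkg removes it on upgrade and this entry can be dropped; if the script is still shipped, the entry is misleading. Either way the two `##` comment lines should say which case applies, for example `## script no longer shipped; bluetooth modules are no longer blocked via modprobe`.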
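--- a/etc/bluetooth/30_security-misc.conf
+++ b/etc/bluetooth/30_security-misc.conf
@@ -0,0 +1,30 @@
+[General]
+# How long to stay in pairable mode before going back to non-discoverable
+# The value is in seconds. Default is 0.
+# 0 = disable timer, i.e. stay pairable forever
+PairableTimeout = 30
+
+# How long to stay in discoverable mode before going back to non-discoverable
+# The value is in seconds. Default is 180, i.e. 3 minutes.
+# 0 = disable timer, i.e. stay discoverable forever
+DiscoverableTimeout = 30
+
+# Maximum number of controllers allowed to be exposed to the system.
+# Default=0 (unlimited)
+MaxControllers=1
+
+# How long to keep temporary devices around
+# The value is in seconds. Default is 30.
+# 0 = disable timer, i.e. never keep temporary devices
+TemporaryTimeout = 0
+
+[Policy]
+# AutoEnable defines option to enable all controllers when they are found.
+# This includes adapters present on start as well as adapters that are plugged
+# in later on. Defaults to 'true'.
+AutoEnable=false
+
+# network/on: A device will only accept advertising packets from peer
+# devices that contain private addresses. It may not be compatible with some
+# legacy devices since it requires the use of RPA(s) all the time.
+Privacy=network/on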
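Review bot: Nothing in this commit shows how bluetoothd comes to read `/etc/bluetooth/30_security-misc.conf`; as far as I know the daemon loads `/etc/bluetooth/main.conf` (or the file given with `--configfile`) and has no drop-in directory, so these settings may never take effect. That matters because the same commit stops blocking the `bluetooth` and `btusb` modules on the strength of this file, which would leave the stock defaults described in the comments here (`AutoEnable` 'true', `DiscoverableTimeout` 180) on a system that previously had Bluetooth off. Please confirm the load path and state it in a header comment, e.g. `## Read by bluetoothd via <MECHANISM - to be confirmed>`. A smaller style point: the key lines mix `Key = value` and `Key=value`; pick one form for the file.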
@ -11,8 +11,11 @@ options nf_conntrack nf_conntrack_helper=0
|
|||||||
|
|
||||||
## Disable bluetooth to reduce attack surface due to extended history of security vulnerabilities
|
## Disable bluetooth to reduce attack surface due to extended history of security vulnerabilities
|
||||||
## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
|
## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
|
||||||
install bluetooth /bin/disabled-bluetooth-by-security-misc
|
#
|
||||||
install btusb /bin/disabled-bluetooth-by-security-misc
|
## Now replaced by a privacy and security preserving default bluetooth configuration for better usability
|
||||||
|
#
|
||||||
|
# install bluetooth /bin/disabled-bluetooth-by-security-misc
|
||||||
|
# install btusb /bin/disabled-bluetooth-by-security-misc
|
||||||
|
|
||||||
## Disable thunderbolt and firewire modules to prevent some DMA attacks
|
## Disable thunderbolt and firewire modules to prevent some DMA attacks
|
||||||
install thunderbolt /bin/disabled-thunderbolt-by-security-misc
|
install thunderbolt /bin/disabled-thunderbolt-by-security-misc
|
||||||
|
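Review bot: The heading `## Disable bluetooth to reduce attack surface ...` is kept above lines that no longer disable anything, so a reader skimming the file will believe the modules are still blocked. Reword it to describe the current state, e.g. `## Bluetooth modules are no longer blocked here; hardening moved to /etc/bluetooth/30_security-misc.conf`. The commented-out `# install bluetooth ...` and `# install btusb ...` lines also point at `/bin/disabled-bluetooth-by-security-misc`, which the maintscript change in this commit lists for removal, so an admin who uncomments them to restore the block would reference a script that may no longer exist. The file header for this hunk is not shown on the page, so the path of the patched file is not confirmed here.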
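--- a/usr/lib/NetworkManager/conf.d/99_ipv6-privacy.conf
+++ b/usr/lib/NetworkManager/conf.d/99_ipv6-privacy.conf
@@ -0,0 +1,2 @@
+[connection]
+ipv6.ip6-privacy=2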
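Review bot: `ipv6.ip6-privacy=2` is a bare magic number and the file carries no comment, unlike the annotated bluetooth file in the same commit. A line such as `## 2 = use IPv6 Privacy Extensions (RFC 4941) and prefer the temporary address` above the key would tell an admin what is being enforced and how to relax it. The two drop-ins that follow (`99_randomize-mac.conf` and the `[Network]` file setting `IPv6PrivacyExtensions=kernel`) are uncommented as well.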
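--- a/usr/lib/NetworkManager/conf.d/99_randomize-mac.conf
+++ b/usr/lib/NetworkManager/conf.d/99_randomize-mac.conf
@@ -0,0 +1,6 @@
+[device-mac-randomization]
+wifi.scan-rand-mac-address=yes
+
+[connection-mac-randomization]
+ethernet.cloned-mac-address=random
+wifi.cloned-mac-address=random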
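Review bot: `ethernet.cloned-mac-address=random` and `wifi.cloned-mac-address=random` give the interface a new address on every connection activation, which breaks DHCP reservations, MAC-based access lists and captive-portal sessions, and the file says nothing about this trade-off or how to opt out. Add a comment stating the intent and the override path, e.g. `## Randomize MAC per connection to limit tracking; override per profile or in /etc/NetworkManager/conf.d/`. It is also worth considering whether `stable` (a persistent random address per connection profile) meets the privacy goal for wired links with less breakage.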
@ -0,0 +1,2 @@
|
|||||||
|
[Network]
|
||||||
|
IPv6PrivacyExtensions=kernel
|