Merge remote-tracking branch 'github-kicksecure/master'

This commit is contained in:
Patrick Schleizer 2023-11-05 14:49:43 -05:00
commit 811d1cd0dd
GPG Key ID: CB8D50BB77BB3C48
6 changed files with 48 additions and 2 deletions


@ -46,3 +46,6 @@ rm_conffile /etc/sysctl.d/30_security-misc.conf
rm_conffile /etc/sysctl.d/30_silent-kernel-printk.conf rm_conffile /etc/sysctl.d/30_silent-kernel-printk.conf
rm_conffile /etc/sysctl.d/30_security-misc_kexec-disable.conf rm_conffile /etc/sysctl.d/30_security-misc_kexec-disable.conf
## replaced with privacy conscious configurations for bluetooth
## not to hinder day to day usage
rm_conffile /bin/disabled-bluetooth-by-security-misc
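Review bot: The added `rm_conffile /bin/disabled-bluetooth-by-security-misc` will, as far as I recall, be a no-op unless that script is registered in the package's conffiles list, because dpkg-maintscript-helper's rm_conffile only acts on files dpkg tracks as conffiles, and a helper under /bin normally is not one (every other entry in this file lives under /etc/sysctl.d). If the script simply stops being shipped, dpkg removes it on upgrade on its own; if it was deliberately made a conffile, a comment saying so would spare the next reader the same question. Worth confirming which case applies before release rather than finding a stale script left behind on upgraded systems. The comment above it could also state what replaces the script, e.g. `## /bin/disabled-bluetooth-by-security-misc is obsolete: bluetooth modules are no longer blocklisted via modprobe`.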


@ -0,0 +1,30 @@
[General]
# How long to stay in pairable mode before going back to non-discoverable
# The value is in seconds. Default is 0.
# 0 = disable timer, i.e. stay pairable forever
PairableTimeout = 30
# How long to stay in discoverable mode before going back to non-discoverable
# The value is in seconds. Default is 180, i.e. 3 minutes.
# 0 = disable timer, i.e. stay discoverable forever
DiscoverableTimeout = 30
# Maximum number of controllers allowed to be exposed to the system.
# Default=0 (unlimited)
MaxControllers=1
# How long to keep temporary devices around
# The value is in seconds. Default is 30.
# 0 = disable timer, i.e. never keep temporary devices
TemporaryTimeout = 0
[Policy]
# AutoEnable defines option to enable all controllers when they are found.
# This includes adapters present on start as well as adapters that are plugged
# in later on. Defaults to 'true'.
AutoEnable=false
# network/on: A device will only accept advertising packets from peer
# devices that contain private addresses. It may not be compatible with some
# legacy devices since it requires the use of RPA(s) all the time.
Privacy=network/on
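Review bot: The delimiter spacing is inconsistent within this new file — `PairableTimeout = 30`, `DiscoverableTimeout = 30` and `TemporaryTimeout = 0` use spaces while `MaxControllers=1`, `AutoEnable=false` and `Privacy=network/on` do not; bluetoothd's key-file parser presumably accepts both, but one style throughout makes the file easier to audit. More importantly, every comment here is upstream's description of the key and none records why this package chooses these values: `AutoEnable=false` is what keeps adapters powered off until Bluetooth is turned on, which is the behaviour that replaces the former module blocklisting, so that deserves an explicit line such as `# Keep adapters powered off until the user enables Bluetooth; this replaces the old modprobe blocklist.` A one-line file header naming the consumer (bluetoothd main.conf) and the fact that it overrides the distribution default would also help, since the file path is not visible in this view.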


@ -11,8 +11,11 @@ options nf_conntrack nf_conntrack_helper=0
## Disable bluetooth to reduce attack surface due to extended history of security vulnerabilities ## Disable bluetooth to reduce attack surface due to extended history of security vulnerabilities
## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns ## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
install bluetooth /bin/disabled-bluetooth-by-security-misc #
install btusb /bin/disabled-bluetooth-by-security-misc ## Now replaced by a privacy and security preserving default bluetooth configuration for better usability
#
# install bluetooth /bin/disabled-bluetooth-by-security-misc
# install btusb /bin/disabled-bluetooth-by-security-misc
## Disable thunderbolt and firewire modules to prevent some DMA attacks ## Disable thunderbolt and firewire modules to prevent some DMA attacks
install thunderbolt /bin/disabled-thunderbolt-by-security-misc install thunderbolt /bin/disabled-thunderbolt-by-security-misc
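Review bot: The heading retained on the new side, `## Disable bluetooth to reduce attack surface due to extended history of security vulnerabilities`, no longer describes the block beneath it, since both `install` lines are now commented out and only the sub-comment explains the reversal; someone skimming the file will believe Bluetooth is still blocklisted. Suggest rewording it to `## Bluetooth modules are no longer blocklisted here; Bluetooth is instead kept disabled by default through the bluetoothd configuration shipped by this package` and keeping the Wikipedia link as background. The retained `# install ... /bin/disabled-bluetooth-by-security-misc` lines also point at a script this same commit schedules for removal in the maintscript hunk, so uncommenting them later would reference a path that no longer exists; if they stay as archaeology, a comment saying the target is gone would prevent that. After this change the file mixes `#` and `##` prefixes while the rest of the visible file uses `##`.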


@ -0,0 +1,2 @@
[connection]
ipv6.ip6-privacy=2
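Review bot: `ipv6.ip6-privacy=2` carries no comment, and the meaning of the numeric value (prefer temporary RFC 4941 addresses over the public one) is only obvious to someone who knows nm-settings; suggest `# IPv6 privacy extensions: 2 = enabled, prefer temporary addresses`. It is also worth recording that a `[connection]` section in NetworkManager configuration supplies defaults only for profiles that leave the property unset, so existing profiles with an explicit ip6-privacy value are not changed by this file; a header comment stating that avoids a false sense of coverage.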


@ -0,0 +1,6 @@
[device-mac-randomization]
wifi.scan-rand-mac-address=yes
[connection-mac-randomization]
ethernet.cloned-mac-address=random
wifi.cloned-mac-address=random
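Review bot: `ethernet.cloned-mac-address=random` and `wifi.cloned-mac-address=random` select the per-activation mode, which generates a fresh address every time a connection comes up, so DHCP leases, captive-portal sessions and MAC-based allow lists do not survive a reconnect; that is a defensible privacy-over-convenience choice, but the file does not say so, and the alternative `stable` mode (one random address per profile, persistent across reconnects) is not mentioned. Suggest a header comment stating the trade-off, e.g. `# random = new MAC on every activation (breaks lease/portal continuity); stable = per-profile persistent random MAC`. As with the other NetworkManager drop-in in this commit, these are defaults that apply only to profiles leaving the property unset, which the comment should also note. `wifi.scan-rand-mac-address=yes` is, as far as I recall, already NetworkManager's default, so it is harmless but could be labelled as an explicit restatement.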


@ -0,0 +1,2 @@
[Network]
IPv6PrivacyExtensions=kernel
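Review bot: `IPv6PrivacyExtensions=kernel` does not by itself turn on temporary addresses: in systemd-networkd the `kernel` value leaves the kernel's own per-interface setting (use_tempaddr) untouched, so the effect depends entirely on whether a sysctl file elsewhere in the package enables privacy extensions, which this hunk cannot show. If the intent is to enforce them regardless of sysctl, `yes` or `prefer-public` would do that; if the intent is to defer to the sysctl-based configuration, say so, e.g. `# kernel = defer to net.ipv6.conf.*.use_tempaddr as set by the sysctl.d files`. The file path is not visible here; if this is a networkd.conf drop-in rather than a .network file, the `[Network]` default for this key exists only in newer systemd releases and older ones will ignore it, which is worth a comment as well.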