Patrick Schleizer 2019-12-08 04:03:02 -05:00
parent ac96708b24
commit bc45ed385e
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48


@ -81,6 +81,10 @@ unprivileged users and increases security as /sys exposes a lot of information
that shouldn't be accessible to unprivileged users. As this will break many
things, it is disabled by default and can optionally be enabled by running
`systemctl enable hide-hardware-info.service` as root.
/usr/lib/security-misc/hide-hardware-info
/lib/systemd/system/hide-hardware-info.service
/lib/systemd/system/user@.service.d/sysfs.conf
/etc/hide-hardware-info.d/30_default.conf
Improve Entropy Collection
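Review bot: The paragraph above the new file list still explains only how to enable hide-hardware-info.service; the added `/etc/hide-hardware-info.d/30_default.conf` and `/lib/systemd/system/user@.service.d/sysfs.conf` entries are left unexplained. Because the text warns that the feature "will break many things", document what 30_default.conf configures and whether local adjustments belong in a separate, higher-numbered file in that directory rather than in the shipped default, and add a sentence noting that the user@.service drop-in affects user sessions as well, since that is where most of the breakage would surface. One or two lines next to the enable command would spare readers from opening the files to find out what the service actually does.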
@ -155,6 +159,21 @@ prevented by shipping an existing and empty /etc/securetty.
(Deletion of /etc/securetty has a different effect.)
/etc/securetty.security-misc
* Console Lockdown.
Allow members of group 'console' to use console and members of group 'ssh'
to receive incoming SSH connections. Everyone else except members of group
'console-unrestricted' are restricted from using console using ancient,
unpopular login methods such as using /bin/login over networks, which might
be exploitable. (CVE-2001-0797) Using pam_access.
Not enabled by default in this package since this package does not know which
users shall be added to group 'console' and/or 'ssh' and would break console,
X Window System and ssh login since files in
/usr/share/pam-configs/console-lockdown-security-misc result in modifications
of /etc/pam.d/common-account file which not only applies to /etc/pam.d/login
but also all other services such as /etc/pam.d/ssh.
/usr/share/pam-configs/console-lockdown-security-misc
/etc/security/access-security-misc.conf
Protect Linux user accounts against brute force attacks.
Lock user accounts after 50 failed login attempts using pam_tally2.
/usr/share/pam-configs/tally2-security-misc
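Review bot: The console lockdown section warns that enabling it breaks console, X Window System and ssh login when the groups are not populated, but it never states the enablement step or the required order of operations (add the administrative user to 'console' and/or 'ssh' first, then enable the pam-config). Since the change touches /etc/pam.d/common-account and therefore every service, an operator who enables it in the wrong order locks themselves out, so spell out the sequence right next to the warning. Two smaller points: "Everyone else except members of group 'console-unrestricted' are restricted" should read "is restricted", and the distinction between 'console' and 'console-unrestricted' is unclear as written; say which group is the recommended one and what exactly the unrestricted group is exempt from. "Using pam_access." is a sentence fragment; fold it into the preceding sentence, e.g. "be exploitable (CVE-2001-0797). Implemented using pam_access."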
@ -246,6 +265,7 @@ Application specific hardening:
* Enables APT seccomp-BPF sandboxing. /etc/apt/apt.conf.d/40sandbox
* Deactivates previews in Dolphin.
* Deactivates previews in Nautilus.
/usr/share/glib-2.0/schemas/30_security-misc.gschema.override
* Deactivates thumbnails in Thunar.
* Enables punycode (`network.IDN_show_punycode`) by default in Thunderbird
to make phising attacks more difficult. Fixing URL not showing real Domain
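Review bot: The new line puts `/usr/share/glib-2.0/schemas/30_security-misc.gschema.override` directly under "Deactivates previews in Nautilus", while the neighbouring Dolphin and Thunar items list no file at all, so it is unclear whether the override covers only Nautilus or all three; either give each bullet its own file or state that the gschema override applies only to GSettings-based applications. A gschema override also only takes effect once the schemas are recompiled (glib-compile-schemas), so mention how the package arranges for that, if it does. Unrelated to this change but in the surrounding context: "phising" should be "phishing".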