diff --git a/README.md b/README.md index 5a6a0c5..b991963 100644 --- a/README.md +++ b/README.md @@ -93,7 +93,7 @@ disabled. Certain kernel modules are blacklisted to reduce attack surface via the `/etc/modprobe.d/30_security-misc.conf` configuration file. -* Deactivates Netfilter's connection tracking helper — this module +* Deactivates Netfilter's connection tracking helper - this module increases kernel attack surface by enabling superfluous functionality such as IRC parsing in the kernel. Hence, this feature is disabled. @@ -133,7 +133,7 @@ such as IRC parsing in the kernel. Hence, this feature is disabled. p8022 - IEEE 802.2 - CAN — Controller Area Network + CAN - Controller Area Network ATM @@ -225,14 +225,14 @@ could be used. ## Root access restrictions * `su` is restricted to only users within the group `sudo` which prevents -users from using `su` to gain root access or to switch user accounts — +users from using `su` to gain root access or to switch user accounts - `/usr/share/pam-configs/wheel-security-misc` (which results in a change in file `/etc/pam.d/common-auth`). * Add user `root` to group `sudo`. This is required due to the above restriction so -that logging in from a virtual console is still possible — `debian/security-misc.postinst` +that logging in from a virtual console is still possible - `debian/security-misc.postinst` -* Abort login for users with locked passwords — +* Abort login for users with locked passwords - `/usr/libexec/security-misc/pam-abort-on-locked-password`. * Logging into the root account from a virtual, serial, whatnot console is 
@@ -353,10 +353,10 @@ See: ## Application-specific hardening * Enables "`apt-get --error-on=any`" which makes apt exit non-zero for - transient failures. — `/etc/apt/apt.conf.d/40error-on-any`. -* Enables APT seccomp-BPF sandboxing — `/etc/apt/apt.conf.d/40sandbox`. + transient failures. - `/etc/apt/apt.conf.d/40error-on-any`. +* Enables APT seccomp-BPF sandboxing - `/etc/apt/apt.conf.d/40sandbox`. * Deactivates previews in Dolphin. -* Deactivates previews in Nautilus — +* Deactivates previews in Nautilus - `/usr/share/glib-2.0/schemas/30_security-misc.gschema.override`. * Deactivates thumbnails in Thunar. * Displays domain names in punycode (`network.IDN_show_punycode`) in diff --git a/usr/libexec/security-misc/permission-hardening b/usr/libexec/security-misc/permission-hardening index 5382676..1a1e13a 100755 --- a/usr/libexec/security-misc/permission-hardening +++ b/usr/libexec/security-misc/permission-hardening @@ -437,7 +437,7 @@ set_file_perms() { if [ "$capability_from_config" = "none" ]; then ## https://forums.whonix.org/t/disable-suid-binaries/7706/45 # sudo setcap -r /bin/ping 2>/dev/null - # Failed to set capabilities on file `/bin/ping' (No data available) + # Failed to set capabilities on file '/bin/ping' (No data available) # The value of the capability argument is not permitted for a file. Or the file is not a regular (non-symlink) file ## Therefore use echo_wrapper_ignore. echo_wrapper_ignore setcap -r "$fso" 
@@ -465,9 +465,9 @@ parse_config_folder() { # Query contents of password and group databases only once and buffer them # # If we don't buffer we sometimes get incorrect results when checking for entries using - # `if getent passwd | grep -q '^root:'; …` since `grep` exits after the first match in - # this case causing `getent` to receive SIGPIPE, which then fails the pipeline since - # `set -o pipefail` is set for this script. + # 'if getent passwd | grep -q '^root:'; ...' since 'grep' exits after the first match in + # this case causing 'getent' to receive SIGPIPE, which then fails the pipeline since + # 'set -o pipefail' is set for this script. passwd_file_contents="$(getent passwd)" group_file_contents="$(getent group)"
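Review bot: In the README.md hunk at @@ -353, the rewritten first bullet now reads "transient failures. - `/etc/apt/apt.conf.d/40error-on-any`.", with a full stop immediately followed by the hyphen separator. The other bullets touched by this patch run straight from the description into " - " and the path (for example "Enables APT seccomp-BPF sandboxing - `/etc/apt/apt.conf.d/40sandbox`."). Drop the full stop after "failures" so the separator style is the same across the list.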
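Review bot: In usr/libexec/security-misc/permission-hardening at @@ -437, the changed comment line sits directly under "# sudo setcap -r /bin/ping 2>/dev/null" and reads as that command's pasted error output, so changing its quoting (opening backtick, closing apostrophe, around /bin/ping) to plain apostrophes means the comment may no longer match what the tool prints. Someone searching the source for the exact message they see on their terminal would then miss this explanation of why echo_wrapper_ignore is used. If the goal is only to remove backticks, consider leaving quoted program output verbatim, or say in the comment that the message is paraphrased.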
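Review bot: In usr/libexec/security-misc/permission-hardening at @@ -465 (parse_config_folder), replacing the backticks with apostrophes produces nested single quotes in the comment: 'if getent passwd | grep -q '^root:'; ...'. The outer quotes now collide with the quotes around ^root:, so it is no longer clear where the quoted command starts and ends, and copying it into a shell would give a different word split than the original snippet. Use double quotes for the outer delimiter on that line (and on 'grep', 'getent' and 'set -o pipefail' for consistency), or keep the inner pattern quoted differently, so the SIGPIPE and pipefail explanation stays unambiguous.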