mirror of
https://github.com/Kicksecure/security-misc.git
synced 2024-12-25 16:29:25 -05:00
remove unicode
This commit is contained in:
parent
55d16e1602
commit
d7dd188651
16
README.md
16
README.md
@ -93,7 +93,7 @@ disabled.
|
||||
Certain kernel modules are blacklisted to reduce attack surface via the
|
||||
`/etc/modprobe.d/30_security-misc.conf` configuration file.
|
||||
|
||||
* Deactivates Netfilter's connection tracking helper — this module
|
||||
* Deactivates Netfilter's connection tracking helper - this module
|
||||
increases kernel attack surface by enabling superfluous functionality
|
||||
such as IRC parsing in the kernel. Hence, this feature is disabled.
|
||||
|
||||
@ -133,7 +133,7 @@ such as IRC parsing in the kernel. Hence, this feature is disabled.
|
||||
|
||||
p8022 - IEEE 802.2
|
||||
|
||||
CAN — Controller Area Network
|
||||
CAN - Controller Area Network
|
||||
|
||||
ATM
|
||||
|
||||
@ -225,14 +225,14 @@ could be used.
|
||||
## Root access restrictions
|
||||
|
||||
* `su` is restricted to only users within the group `sudo` which prevents
|
||||
users from using `su` to gain root access or to switch user accounts —
|
||||
users from using `su` to gain root access or to switch user accounts -
|
||||
`/usr/share/pam-configs/wheel-security-misc`
|
||||
(which results in a change in file `/etc/pam.d/common-auth`).
|
||||
|
||||
* Add user `root` to group `sudo`. This is required due to the above restriction so
|
||||
that logging in from a virtual console is still possible — `debian/security-misc.postinst`
|
||||
that logging in from a virtual console is still possible - `debian/security-misc.postinst`
|
||||
|
||||
* Abort login for users with locked passwords —
|
||||
* Abort login for users with locked passwords -
|
||||
`/usr/libexec/security-misc/pam-abort-on-locked-password`.
|
||||
|
||||
* Logging into the root account from a virtual, serial, whatnot console is
|
||||
@ -353,10 +353,10 @@ See:
|
||||
## Application-specific hardening
|
||||
|
||||
* Enables "`apt-get --error-on=any`" which makes apt exit non-zero for
|
||||
transient failures. — `/etc/apt/apt.conf.d/40error-on-any`.
|
||||
* Enables APT seccomp-BPF sandboxing — `/etc/apt/apt.conf.d/40sandbox`.
|
||||
transient failures. - `/etc/apt/apt.conf.d/40error-on-any`.
|
||||
* Enables APT seccomp-BPF sandboxing - `/etc/apt/apt.conf.d/40sandbox`.
|
||||
* Deactivates previews in Dolphin.
|
||||
* Deactivates previews in Nautilus —
|
||||
* Deactivates previews in Nautilus -
|
||||
`/usr/share/glib-2.0/schemas/30_security-misc.gschema.override`.
|
||||
* Deactivates thumbnails in Thunar.
|
||||
* Displays domain names in punycode (`network.IDN_show_punycode`) in
|
||||
|
@ -437,7 +437,7 @@ set_file_perms() {
|
||||
if [ "$capability_from_config" = "none" ]; then
|
||||
## https://forums.whonix.org/t/disable-suid-binaries/7706/45
|
||||
# sudo setcap -r /bin/ping 2>/dev/null
|
||||
# Failed to set capabilities on file `/bin/ping' (No data available)
|
||||
# Failed to set capabilities on file '/bin/ping' (No data available)
|
||||
# The value of the capability argument is not permitted for a file. Or the file is not a regular (non-symlink) file
|
||||
## Therefore use echo_wrapper_ignore.
|
||||
echo_wrapper_ignore setcap -r "$fso"
|
||||
@ -465,9 +465,9 @@ parse_config_folder() {
|
||||
# Query contents of password and group databases only once and buffer them
|
||||
#
|
||||
# If we don't buffer we sometimes get incorrect results when checking for entries using
|
||||
# `if getent passwd | grep -q '^root:'; …` since `grep` exits after the first match in
|
||||
# this case causing `getent` to receive SIGPIPE, which then fails the pipeline since
|
||||
# `set -o pipefail` is set for this script.
|
||||
# 'if getent passwd | grep -q '^root:'; ...' since 'grep' exits after the first match in
|
||||
# this case causing 'getent' to receive SIGPIPE, which then fails the pipeline since
|
||||
# 'set -o pipefail' is set for this script.
|
||||
passwd_file_contents="$(getent passwd)"
|
||||
group_file_contents="$(getent group)"
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user