remove unicode

This commit is contained in:
Patrick Schleizer 2022-06-08 09:27:02 -04:00
parent 55d16e1602
commit d7dd188651
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
2 changed files with 12 additions and 12 deletions

View File

@ -93,7 +93,7 @@ disabled.
Certain kernel modules are blacklisted to reduce attack surface via the
`/etc/modprobe.d/30_security-misc.conf` configuration file.
* Deactivates Netfilter's connection tracking helper this module
* Deactivates Netfilter's connection tracking helper - this module
increases kernel attack surface by enabling superfluous functionality
such as IRC parsing in the kernel. Hence, this feature is disabled.
@ -133,7 +133,7 @@ such as IRC parsing in the kernel. Hence, this feature is disabled.
p8022 - IEEE 802.2
CAN Controller Area Network
CAN - Controller Area Network
ATM
@ -225,14 +225,14 @@ could be used.
## Root access restrictions
* `su` is restricted to only users within the group `sudo` which prevents
users from using `su` to gain root access or to switch user accounts
users from using `su` to gain root access or to switch user accounts -
`/usr/share/pam-configs/wheel-security-misc`
(which results in a change in file `/etc/pam.d/common-auth`).
* Add user `root` to group `sudo`. This is required due to the above restriction so
that logging in from a virtual console is still possible `debian/security-misc.postinst`
that logging in from a virtual console is still possible - `debian/security-misc.postinst`
* Abort login for users with locked passwords
* Abort login for users with locked passwords -
`/usr/libexec/security-misc/pam-abort-on-locked-password`.
* Logging into the root account from a virtual, serial, whatnot console is
@ -353,10 +353,10 @@ See:
## Application-specific hardening
* Enables "`apt-get --error-on=any`" which makes apt exit non-zero for
transient failures. `/etc/apt/apt.conf.d/40error-on-any`.
* Enables APT seccomp-BPF sandboxing `/etc/apt/apt.conf.d/40sandbox`.
transient failures. - `/etc/apt/apt.conf.d/40error-on-any`.
* Enables APT seccomp-BPF sandboxing - `/etc/apt/apt.conf.d/40sandbox`.
* Deactivates previews in Dolphin.
* Deactivates previews in Nautilus
* Deactivates previews in Nautilus -
`/usr/share/glib-2.0/schemas/30_security-misc.gschema.override`.
* Deactivates thumbnails in Thunar.
* Displays domain names in punycode (`network.IDN_show_punycode`) in

View File

@ -437,7 +437,7 @@ set_file_perms() {
if [ "$capability_from_config" = "none" ]; then
## https://forums.whonix.org/t/disable-suid-binaries/7706/45
# sudo setcap -r /bin/ping 2>/dev/null
# Failed to set capabilities on file `/bin/ping' (No data available)
# Failed to set capabilities on file '/bin/ping' (No data available)
# The value of the capability argument is not permitted for a file. Or the file is not a regular (non-symlink) file
## Therefore use echo_wrapper_ignore.
echo_wrapper_ignore setcap -r "$fso"
@ -465,9 +465,9 @@ parse_config_folder() {
# Query contents of password and group databases only once and buffer them
#
# If we don't buffer we sometimes get incorrect results when checking for entries using
# `if getent passwd | grep -q '^root:'; …` since `grep` exits after the first match in
# this case causing `getent` to receive SIGPIPE, which then fails the pipeline since
# `set -o pipefail` is set for this script.
# 'if getent passwd | grep -q '^root:'; ...' since 'grep' exits after the first match in
# this case causing 'getent' to receive SIGPIPE, which then fails the pipeline since
# 'set -o pipefail' is set for this script.
passwd_file_contents="$(getent passwd)"
group_file_contents="$(getent group)"