Patrick Schleizer 2021-01-12 03:24:11 -05:00
parent 468d8b600d
commit ddd62c1eef
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48


@ -205,6 +205,10 @@ audit, may contain weaknesses or a backdoor. For references, see:
## Restrictive mount options ## Restrictive mount options
Not enabled by default yet. In development. Help welcome.
https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/
`/home`, `/tmp`, `/dev/shm` and `/run` are remounted with the `nosuid` and `nodev` `/home`, `/tmp`, `/dev/shm` and `/run` are remounted with the `nosuid` and `nodev`
mount options to prevent execution of setuid or setgid binaries and creation of mount options to prevent execution of setuid or setgid binaries and creation of
devices on those filesystems. devices on those filesystems.
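Review bot: The new status line at the top of "Restrictive mount options" contradicts the unchanged paragraph right below it, which still says in the present tense that `/home`, `/tmp`, `/dev/shm` and `/run` "are remounted" with `nosuid` and `nodev`. A reader who skims past the first line will assume the protection is active. Suggest rewording the paragraph to something like "When enabled, `/home`, `/tmp`, `/dev/shm` and `/run` are remounted with ..." and stating how to opt in, if that is possible today. The forum URL is also added as a bare line; introducing it with "See:", as other sections of this file do, would make clear that it is the development discussion and not an instruction.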
@ -318,6 +322,8 @@ See:
### SUID / SGID removal and permission hardening ### SUID / SGID removal and permission hardening
Not enabled by default yet.
A systemd service removes SUID / SGID bits from non-essential binaries as A systemd service removes SUID / SGID bits from non-essential binaries as
these are often used in privilege escalation attacks. It is disabled by these are often used in privilege escalation attacks. It is disabled by
default for now during testing and can optionally be enabled by running default for now during testing and can optionally be enabled by running
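Review bot: The added "Not enabled by default yet." in "SUID / SGID removal and permission hardening" duplicates the sentence two lines further down, which already says the service "is disabled by default for now during testing and can optionally be enabled by running". Keeping both means two places to update when the default changes. Suggest either dropping the new line or folding the two into one statement at the top of the section, so the status and the enable instruction stay together.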
@ -329,9 +335,12 @@ See:
* `/lib/systemd/system/permission-hardening.service` * `/lib/systemd/system/permission-hardening.service`
* `/etc/permission-hardening.d` * `/etc/permission-hardening.d`
* https://forums.whonix.org/t/disable-suid-binaries/7706 * https://forums.whonix.org/t/disable-suid-binaries/7706
* https://www.whonix.org/wiki/SUID_Disabler_and_Permission_Hardener
### Access rights relaxations ### Access rights relaxations
This is not enabled yet because hidepid is not enabled by default.
Calls to `pkexec` are redirected to `lxqt-sudo` because `pkexec` is Calls to `pkexec` are redirected to `lxqt-sudo` because `pkexec` is
incompatible with `hidepid=2`. incompatible with `hidepid=2`.
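Review bot: In "Access rights relaxations" the added sentence "This is not enabled yet because hidepid is not enabled by default." leaves "This" without a clear referent, and the unchanged text that follows still says calls to `pkexec` "are redirected" to `lxqt-sudo`. It is unclear whether the redirect is inactive, or active but currently unnecessary. Suggest naming the subject explicitly (for example "The `pkexec` redirect is not enabled yet because ...") and saying whether it is switched on together with `hidepid=2` or separately. The wording also differs from the "Not enabled by default yet." used in the other two hunks ("not enabled yet" versus "not enabled by default"); if the meaning is the same, use one phrase throughout so users can tell what they can opt into.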