mirror of
https://github.com/Kicksecure/security-misc.git
synced 2024-12-18 00:24:24 -05:00
readme
This commit is contained in:
parent
468d8b600d
commit
ddd62c1eef
@ -205,6 +205,10 @@ audit, may contain weaknesses or a backdoor. For references, see:
|
||||
|
||||
## Restrictive mount options
|
||||
|
||||
Not enabled by default yet. In development. Help welcome.
|
||||
|
||||
https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/
|
||||
|
||||
`/home`, `/tmp`, `/dev/shm` and `/run` are remounted with the `nosuid` and `nodev`
|
||||
mount options to prevent execution of setuid or setgid binaries and creation of
|
||||
devices on those filesystems.
|
||||
@ -318,6 +322,8 @@ See:
|
||||
|
||||
### SUID / SGID removal and permission hardening
|
||||
|
||||
Not enabled by default yet.
|
||||
|
||||
A systemd service removes SUID / SGID bits from non-essential binaries as
|
||||
these are often used in privilege escalation attacks. It is disabled by
|
||||
default for now during testing and can optionally be enabled by running
|
||||
@ -329,9 +335,12 @@ See:
|
||||
* `/lib/systemd/system/permission-hardening.service`
|
||||
* `/etc/permission-hardening.d`
|
||||
* https://forums.whonix.org/t/disable-suid-binaries/7706
|
||||
* https://www.whonix.org/wiki/SUID_Disabler_and_Permission_Hardener
|
||||
|
||||
### Access rights relaxations
|
||||
|
||||
This is not enabled yet because hidepid is not enabled by default.
|
||||
|
||||
Calls to `pkexec` are redirected to `lxqt-sudo` because `pkexec` is
|
||||
incompatible with `hidepid=2`.
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user