Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2024-10-01 08:25:45 -04:00
Code Issues Packages Projects Releases Wiki Activity
2,398 Commits 2 Branches 291 Tags 8.2 MiB
master
Commit Graph

531 Commits

Author SHA1 Message Date
Patrick Schleizer
f4da582aa3
spelling 2024-07-17 11:44:17 -04:00
Patrick Schleizer
9e976474d5
spelling 2024-07-17 11:40:51 -04:00
Patrick Schleizer
b569fc02a4
spelling 2024-07-17 11:38:53 -04:00
Raja Grewal
4afe257a42
minor 2024-07-18 00:14:13 +10:00
Raja Grewal
d0a59617f6
Add missing Copyright (C) statements 2024-07-18 00:13:30 +10:00
Raja Grewal
8f3896c3da
Upgrade hyperlinks to HTTPS 2024-07-17 23:44:37 +10:00
Patrick Schleizer
df80385289
Merge pull request #237 from raja-grewal/intel_pmt 
Disable some Intel PMT kernel modules
 2024-07-17 09:04:18 -04:00
Patrick Schleizer
6157e328f4
no longer disable Intel ME related kernel modules 
https://github.com/Kicksecure/security-misc/issues/239
 2024-07-17 08:52:11 -04:00
Patrick Schleizer
a4ba6e485d
Merge pull request #236 from raja-grewal/intel_me 
Disable more Intel ME kernel modules
 2024-07-17 08:46:27 -04:00
Patrick Schleizer
9a75135633
Merge pull request #238 from raja-grewal/uvcvideo_2 
Minor additions to `30_security-misc_disable.conf`
 2024-07-17 08:41:43 -04:00
Patrick Schleizer
d29a616142
minor 2024-07-17 08:39:20 -04:00
Patrick Schleizer
a2802f352f
Merge remote-tracking branch 'raja/kargs' 2024-07-17 08:38:23 -04:00
Raja Grewal
a3408990ab
Uncomment disabling of already disabled ATM modules 2024-07-17 15:03:39 +10:00
Raja Grewal
81a3715c7c
Add info regarding the downsides of disabling SMT 2024-07-17 13:32:08 +10:00
Raja Grewal
abafb1945c
Add Intel ME references 2024-07-17 13:26:03 +10:00
Raja Grewal
f317aaebab
Disable two network modules 
These were previously blacklisted for two years in 61ef9bd59f.
 2024-07-17 01:09:02 +10:00
Raja Grewal
d69fe88091
Provide option to disable uvcvideo driver 2024-07-17 01:08:01 +10:00
Raja Grewal
49594ccb22
Partially revert f4d652fa7b 2024-07-17 00:49:25 +10:00
Patrick Schleizer
94df2e3d24
further discussion required 
https://github.com/Kicksecure/security-misc/pull/234#issuecomment-2228909249
 2024-07-15 12:29:52 -04:00
Raja Grewal
73f6d4b26f
Fix transcription error 2024-07-16 01:03:41 +10:00
Raja Grewal
724435e56e
Disable some Intel Platform Monitoring Technology Telemetry (PMT) modules 2024-07-15 22:38:43 +10:00
Raja Grewal
22ba7a7c39
Disable more Intel Management Engine (ME) modules 2024-07-15 22:21:20 +10:00
Raja Grewal
9300c208e2
Fix script 2024-07-15 21:36:25 +10:00
Raja Grewal
f2db11269e
Fix script 2024-07-15 21:18:32 +10:00
Raja Grewal
fda3832eaf
Replace bash file presented for disabling of miscellaneous modules 2024-07-15 21:08:45 +10:00
Raja Grewal
cb2fb95b81
Disable more miscellaneous drivers 2024-07-15 21:01:36 +10:00
Raja Grewal
96aa63267a
Disable more Thunderbolt modules 2024-07-15 20:57:14 +10:00
Raja Grewal
51f7776bc8
Disable more network protocols/drivers 2024-07-15 20:56:12 +10:00
Raja Grewal
9e40ff0551
Disable more network file systems 2024-07-15 20:54:18 +10:00
Raja Grewal
82c5a93f7c
Disable another GPS module 2024-07-15 20:53:07 +10:00
Raja Grewal
99b0ce7948
Disable more file systems 2024-07-15 20:47:56 +10:00
Raja Grewal
4476a477a7
Provide option to disable more Bluetooth modules 2024-07-15 20:47:07 +10:00
Raja Grewal
b2657bc61f
Improve docs 2024-07-15 15:05:00 +10:00
Raja Grewal
c8385d82fb
Clarify instructions for increasing log verbosity 2024-07-15 14:57:40 +10:00
Raja Grewal
d229e8b04d
Fix link 2024-07-15 14:50:29 +10:00
Raja Grewal
f4d652fa7b
Update presentation of quiet loglevel=0 2024-07-15 14:39:12 +10:00
Raja Grewal
48e1ac4163
Remove the optional slub_debug parameter since it is no longer recommended 2024-07-15 02:04:25 +10:00
Raja Grewal
99038c7a06
Add option to disable support for x86 processes and syscalls in the future 2024-07-15 02:02:01 +10:00
Raja Grewal
f550fbe07c
Add option to disable the entire IPv6 stack functionality 2024-07-15 01:59:04 +10:00
Raja Grewal
a33d4cd099
Refactor existing kernel parameters for clarity 2024-07-15 01:56:25 +10:00
Raja Grewal
9f58266546
Move nf_conntrack_helper disabling into separate file 2024-07-13 23:32:01 +10:00
Raja Grewal
98580bb39a
Update modprobe presentation 2024-07-13 23:29:52 +10:00
Raja Grewal
41a3bf92fb
Sort 30_security-misc_disable.conf 2024-07-12 16:21:41 +10:00
Raja Grewal
b02230a783
Split modprobe into blacklisted and disabled configurations 2024-07-12 02:42:37 +10:00
Raja Grewal
fc792ff232
Alphabetically sort existing modprobe 2024-07-12 02:29:36 +10:00
Raja Grewal
fe20f3240e
Refactor existing modprobe for clarity 2024-07-12 02:28:48 +10:00
Raja Grewal
275a4ffc11
Remove redundant disabled modules 2024-07-12 02:27:56 +10:00
Ashlen
e198447866 fix(etc): delete typo in /etc/apparmor.d tunables 
/etc/pam.d was present twice in a row ("/etc/pam.d//etc/pam.d") in this
file: /etc/apparmor.d/tunables/home.d/security-misc.
 2024-06-08 22:17:05 -06:00
Patrick Schleizer
e0cd9579d6
remove duplicate fsckobjects = true from /etc/gitconfig 2024-06-01 13:32:13 -04:00
Patrick Schleizer
4efa293f3b
add /etc/gitconfig by default for better git security 
```
[core]
	symlinks = false

[transfer]
	fsckobjects = true
	fsckobjects = true
[fetch]
	fsckobjects = true
	fsckobjects = true
[receive]
	fsckobjects = true
	fsckobjects = true
```

+ additional suggestions as comments

fixes https://github.com/Kicksecure/security-misc/issues/225
 2024-05-28 07:51:06 -04:00
Raja Grewal
1bb843ec38
Update Copyright (C) to 2024 2024-05-11 13:18:36 +10:00
Patrick Schleizer
0f1119f326
Merge pull request #221 from raja-grewal/firewire 
Disable Firewire Module
 2024-05-10 06:45:57 -04:00
Patrick Schleizer
547757f451
Merge pull request #220 from raja-grewal/block_gps 
Block Several GPS-related Modules
 2024-05-10 06:45:34 -04:00
raja-grewal
677f75ae8e
Disable firewire-net module 2024-05-09 02:34:02 +00:00
raja-grewal
06f13bb766
Disable GPS modules like GNSS 2024-05-09 02:28:53 +00:00
raja-grewal
4694268b8f
Remove a word 2024-05-05 12:52:51 +00:00
raja-grewal
8f7768ce96
Add vendor links 2024-05-05 12:50:39 +00:00
raja-grewal
0c031a29d3
RFDS mitigation on Intel Atom CPUs (including E-cores) 2024-05-01 13:55:09 +10:00
raja-grewal
1122b3402c
GDS mitigation for CPUs 2024-05-01 13:50:42 +10:00
raja-grewal
c002bd62e8
Clarify use of mitigations=auto 2024-05-01 13:49:34 +10:00
raja-grewal
d89d7e8ef8
Add reference for RETBleed 2024-05-01 13:49:00 +10:00
raja-grewal
015dcc4212
Add reference for SSB 2024-05-01 13:48:13 +10:00
raja-grewal
de4f4be947
Merge spectre mitigations 2024-05-01 13:47:40 +10:00
raja-grewal
965c8641fd
Update BHI mitigation reference 2024-05-01 13:47:02 +10:00
raja-grewal
493576836c
BHI mitigation on Intel CPUs 2024-04-12 00:17:06 +10:00
Patrick Schleizer
7dba3fb7be
no longer disable MSR by default 
fixes https://github.com/Kicksecure/security-misc/issues/215
 2024-04-01 02:56:27 -04:00
Patrick Schleizer
6b76373395
fix panic-on-oops started every 10s in Qubes-Whonix 
by changing from a /etc/profile.d etc. related mechanism to start to a systemd unit file based approach

Thanks to @marmarek for the bug report!

https://forums.whonix.org/t/panic-on-oops-started-every-10s/19450
 2024-03-04 06:44:26 -05:00
Patrick Schleizer
af6c6971a7
comment 2024-03-04 06:33:51 -05:00
Patrick Schleizer
e013070e0b
newline 2024-03-04 06:33:21 -05:00
Daniel Winzen
ef44ecea44
Add option to disabe /sys hardening 2024-02-22 17:27:46 +01:00
raja-grewal
b16c99ab62
Remove hardcoded spec_rstack_overflow setting 2024-01-29 13:39:40 +00:00
raja-grewal
139b10a9aa
Control RAS overflow mitigation on AMD Zen CPUs 2024-01-29 12:59:13 +00:00
raja-grewal
6c54e35027
Enable mitigations for RETBleed vulnerability and disable SMT 2024-01-29 12:58:51 +00:00
raja-grewal
4509a5fc95
Enable known mitigations for CPU vulnerabilities and disable SMT 2024-01-29 12:58:14 +00:00
raja-grewal
4231155efa
Add reference for kernel parameters 2024-01-29 12:57:48 +00:00
Patrick Schleizer
071b984a1e
sort -d 
https://github.com/Kicksecure/security-misc/issues/190
 2024-01-17 13:49:05 -05:00
Patrick Schleizer
011e55e3e5
remove duplicates after usrmerge 
https://github.com/Kicksecure/security-misc/issues/190
 2024-01-17 13:45:17 -05:00
Patrick Schleizer
0efee2f50f
usrmerge 
fixes https://github.com/Kicksecure/security-misc/issues/190
 2024-01-17 13:39:56 -05:00
Patrick Schleizer
4f7973bc56
comment 2024-01-16 08:56:26 -05:00
Ben Grande
abf72c2ee4
Rename file permission hardening script 
Hardener as the script is the agent that is hardening the file
permissions.
 2024-01-02 13:34:29 +01:00
Ben Grande
f138cf0f78
Refactor permission-hardener 
- Organize comments from default configuration;
- Apply and undo changes from a single file controlled by parameters;
- Arrays should be evaluated as arrays and not normal variables;
- Quote variables;
- Brackets around variables;
- Standardize test cases to "test" command;
- Test against empty or non-empty variables with "-z" and "-n";
- Show a usage message when necessary;
- Require root to run the script with informative message;
- Permit the user to see the help message without running as root;
- Do not create root directories without passing root check;
- Use long options for "set" command;
 2024-01-02 12:17:16 +01:00
Patrick Schleizer
f70a034da2
exclude hardened malloc from SUID disabler 
fixes https://github.com/Kicksecure/security-misc/issues/179
 2023-12-22 08:31:58 -05:00
Patrick Schleizer
5a73817a95
move to /usr/lib/issue.d/20_security-misc.issue 
https://github.com/Kicksecure/security-misc/pull/167
 2023-12-04 11:38:49 -05:00
Patrick Schleizer
dfaea492c7
remove etc/issue.net.d/20_security-misc 
since not mentioned on debian.org
 2023-12-04 11:37:02 -05:00
Patrick Schleizer
36850f89fb
Merge pull request #167 from monsieuremre/patch-4 
Non-Identifiable and Generic Issue Banners that include the Recommended Keywords
 2023-12-04 11:27:16 -05:00
Patrick Schleizer
c9ea7a4dca
use amd_iommu=force_isolation instead of amd_iommu=force_enable 
because we set `iommu=force` already anyhow

fixes https://github.com/Kicksecure/security-misc/issues/175
 2023-12-04 11:02:55 -05:00
monsieuremre
f2ad8383cf
fix 2023-12-03 19:51:38 +00:00
monsieuremre
dd15823a97
undo superfluousness 2023-12-03 19:50:07 +00:00
monsieuremre
83e13bb62d
Update 40_enable_iommu.cfg 2023-12-03 19:42:34 +00:00
monsieuremre
0d7af9707f
Update 20_security-misc 2023-12-03 19:31:12 +00:00
monsieuremre
04d27a10b0
Update 20_security-misc 2023-12-03 19:30:55 +00:00
monsieuremre
c8b9f5a917
net 2023-11-18 10:03:19 +00:00
monsieuremre
3b614f3753
20_security-misc 2023-11-18 10:02:16 +00:00
Patrick Schleizer
5bb357cac0
spice-client-glib-usb-acl-helper matchwhitelist 2023-11-06 16:55:00 -05:00
Patrick Schleizer
7309445ee5
comment 2023-11-06 16:52:27 -05:00
Patrick Schleizer
f09d97fc9e
whitelist VirtualBox 2023-11-06 16:50:19 -05:00
Patrick Schleizer
64c8c7a8d5
whitelist SSH 2023-11-06 16:47:31 -05:00
Patrick Schleizer
9682b51d54
whitelist virtualbox 2023-11-06 16:44:36 -05:00
Patrick Schleizer
a40b9bc095
comments 2023-11-06 16:40:22 -05:00
Patrick Schleizer
2c1a3da433
VirtualBoxVM matchwhitelist 2023-11-06 16:38:50 -05:00