Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2024-10-01 08:25:45 -04:00
Code Issues Packages Projects Releases Wiki Activity
2,398 Commits 2 Branches 291 Tags 8.2 MiB
master
Commit Graph

531 Commits

Author SHA1 Message Date
Raja Grewal
92669dba18
Comment out machine check exception 2022-08-21 23:02:44 +10:00
Patrick Schleizer
0c5b1e9f57
undo "force kernel to panic on "oopses" 
because implemented differently already

https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713
 2022-07-23 07:49:56 -04:00
Raja Grewal
ca764d8de0
force kernel to panic on "oopses" 2022-07-20 04:06:35 +10:00
Raja Grewal
1660aaa6dd
update details around disabling SMT 2022-07-19 03:38:41 +10:00
Raja Grewal
bfd78a2c06
update SRBDS mitigation 2022-07-19 03:16:08 +10:00
Raja Grewal
c3ebb9160f
CPU mitigation - MMIO Stale Data 2022-07-19 02:33:16 +10:00
Raja Grewal
59e90ff122
CPU mitigation - L1D FLushing 2022-07-19 02:32:41 +10:00
Raja Grewal
8531fbf99d
CPU mitigation - SRBDS 2022-07-19 02:30:49 +10:00
Raja Grewal
73f1e23332
shuffle and rewording 2022-07-19 02:29:46 +10:00
Raja Grewal
39314b2912
Merge branch 'harden' of https://github.com/raja-grewal/security-misc into harden 2022-07-19 00:49:08 +10:00
Raja Grewal
bb831d57bc
delete repeated commands 2022-07-19 00:38:32 +10:00
Raja Grewal
c77a2a78bc
enforce default net.ipv6.icmp_ignore_bogus_error_responses 2022-07-19 00:37:31 +10:00
Raja Grewal
c4a1094760
Merge branch 'Kicksecure:master' into harden 2022-07-18 13:36:23 +00:00
Raja Grewal
a72bbb1883
Corrected kerenl module disabling 2022-07-13 23:42:13 +10:00
Raja Grewal
4e93b4d37e
Revert "enforce defualt net.ipv4.ip_forward" 
This reverts commit 57b5b2145c.
 2022-07-13 21:10:39 +10:00
Raja Grewal
a47922ad28
enforce of IOMMU TLB invalidation 2022-07-13 04:47:07 +10:00
Raja Grewal
33df16af80
disables random.trust_bootloader 2022-07-13 04:37:03 +10:00
Raja Grewal
d0779a96fc
add reference 2022-07-13 04:36:34 +10:00
Raja Grewal
74858d257b
enable randomize_kstack_offset 2022-07-13 04:34:35 +10:00
Raja Grewal
f572332108
disable slub_debug 2022-07-13 04:32:03 +10:00
Raja Grewal
57b5b2145c
enforce defualt net.ipv4.ip_forward 2022-07-13 04:30:43 +10:00
Raja Grewal
79156262c9
enforce default net.ipv4.icmp_ignore_bogus_error_responses 2022-07-13 04:29:42 +10:00
Raja Grewal
dabcaf22e1
enforce default kernel.randomize_va_space 2022-07-13 04:28:03 +10:00
Raja Grewal
48089e5ba4
More verbose kernel module blocking error logs 2022-07-12 17:02:12 +10:00
Raja Grewal
40ec791774
Updated comments 2022-07-12 16:58:16 +10:00
Raja Grewal
ef1ef9917d
Blacklist automatic loading of CD-ROM modules 2022-07-10 04:53:25 +10:00
Raja Grewal
61ef9bd59f
Incorporated Ubuntu’s kernel module blacklists 2022-07-10 04:52:00 +10:00
Patrick Schleizer
26b2c9727f
not blacklist CD-ROM / DVD yet 
https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31
 2022-07-07 15:39:40 -04:00
Patrick Schleizer
ca19d78d48
shuffle 2022-07-07 15:27:15 -04:00
Raja Grewal
780dc8eec9
replace /bin/false -> /bin/disabled-by-security-misc 2022-07-08 04:11:25 +10:00
Raja Grewal
fa2e30f512
Updated descriptions of disabled modules 2022-07-08 03:04:37 +10:00
Raja Grewal
da389d6682
Revert "replace /bin/false -> /bin/true" 
This reverts commit f0511635a9.
 2022-07-08 02:12:04 +10:00
raja-grewal
f0511635a9
replace /bin/false -> /bin/true 2022-07-07 09:27:53 +00:00
raja-grewal
18d67dbc53
Blacklist more modules 2022-07-07 09:26:55 +00:00
Patrick Schleizer
1c0e071948
comments 2022-07-05 10:45:55 -04:00
Patrick Schleizer
5d47f5f74c
comments 2022-07-05 10:45:09 -04:00
Patrick Schleizer
435c689cf9
comments 2022-07-05 10:44:28 -04:00
Patrick Schleizer
c20d588d78
comments 2022-07-05 10:42:37 -04:00
Patrick Schleizer
b342ce930e
add /etc/default/grub.d/40_cold_boot_attack_defense.cfg 2022-07-05 10:28:22 -04:00
Patrick Schleizer
67eaf8c916
comments 2022-06-29 11:40:38 -04:00
Patrick Schleizer
72908d6b0d
comments 2022-06-29 11:34:55 -04:00
Patrick Schleizer
55d16e1602
remove unicode 2022-06-08 09:04:03 -04:00
Patrick Schleizer
fcaec49675
Merge remote-tracking branch 'github-kicksecure/master' 2022-06-08 08:20:24 -04:00
Patrick Schleizer
5c43197f10
minor 2022-06-08 08:11:28 -04:00
Kuri Schlarb
6e8f584d88
permission-hardening: Keep pam_unix.so password checking helper SetGID shadow 2022-06-08 05:29:42 +00:00
Kuri Schlarb
3910e4ee15
permission-hardening: Keep passwd executable but non-SetUID 2022-06-07 08:11:51 +00:00
Patrick Schleizer
2d37e3a1af
copyright 2022-05-20 14:46:38 -04:00
Patrick Schleizer
bb0307290b
update link 2022-04-16 14:18:35 -04:00
Patrick Schleizer
c72567dbd2
fix 2021-09-14 14:18:44 -04:00
Patrick Schleizer
d62bbaab82
fix, unduplicate kernel command line 2021-09-12 11:40:58 -04:00
Patrick Schleizer
bd31b4085c
remove Debian buster support in /etc/default/grub.d 2021-09-09 12:16:18 -04:00
Patrick Schleizer
ac0c492663
do not set kernel parameter quiet loglevel=0 for recovery boot option 
for easier debugging
 2021-09-06 08:22:55 -04:00
Patrick Schleizer
49902b8c56
move grub quiet to separate config file /etc/default/grub.d/41_quiet.cfg 2021-09-06 08:19:41 -04:00
Patrick Schleizer
f5b0e4b5b8
debugging 2021-09-06 04:55:16 -04:00
Patrick Schleizer
6257bfa926
debugging 2021-09-05 15:54:20 -04:00
Patrick Schleizer
a4e18a2ae8
dracut reproducible=yes 2021-09-04 18:28:37 -04:00
Patrick Schleizer
db43cedcfd
LANG=C str_replace 2021-08-22 05:23:24 -04:00
Patrick Schleizer
582492d6d8
port from pam_tally2 to pam_faillock 
since pam_tally2 was deprecated upstream
 2021-08-10 17:13:00 -04:00
Patrick Schleizer
50bdd097df
move /usr/lib/security-misc to /usr/libexec/security-misc as per lintian FHS 2021-08-03 12:56:31 -04:00
Patrick Schleizer
0492f28aa1
enable "apt-get --error-on=any" by default 
makes apt exit non-zero for transient failures

`/etc/apt/apt.conf.d/40error-on-any`

https://forums.whonix.org/t/debian-bullseye-apt-get-error-on-any/12068
 2021-08-03 12:37:39 -04:00
Patrick Schleizer
c94281121e
comment 2021-08-01 16:37:02 -04:00
Patrick Schleizer
eff5af0318
https://forums.whonix.org/t/restrict-root-access/7658/116 2021-06-20 10:16:33 -04:00
madaidan
97d8db3f74
Restrict sudo's file permissions 2021-06-05 19:16:42 +00:00
Patrick Schleizer
d87bee37f7
comment 2021-06-01 07:21:18 -04:00
Patrick Schleizer
809930c021
comment 2021-06-01 05:36:01 -04:00
Patrick Schleizer
e2afd00627
modify DKMS configuration file /etc/dkms/framework.conf 
Lower parallel compilation jobs to 1 if less than 2 GB RAM to avoid freezing of virtual machines.

`parallel_jobs=1`

This does not necessarily belong into security-misc, however likely
security-misc will need to modify `/etc/dkms/framework.conf` in the future to
enable kernel module signing.

https://forums.whonix.org/t/linux-kernel-runtime-guard-lkrg-linux-kernel-runtime-integrity-checking-and-exploit-detection/8477/26

https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/58
 2021-04-29 11:14:30 -04:00
Patrick Schleizer
3ba3b37187
add /etc/dkms/framework.conf.security-misc 
original, from
- https://github.com/dell/dkms/blob/master/dkms_framework.conf
- https://raw.githubusercontent.com/dell/dkms/master/dkms_framework.conf

https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/58
 2021-04-29 11:08:30 -04:00
Patrick Schleizer
a67007f4b7
copyright 2021-03-17 09:45:21 -04:00
Patrick Schleizer
a1819e8cab
comment 2021-03-01 09:15:44 -05:00
Kenton Groombridge
4db7d6be64
hide-hardware-info: allow unrestricting selinuxfs 
On SELinux systems, the /sys/fs/selinux directory must be visible to
userspace utilities in order to function properly.
 2021-02-06 03:02:08 -05:00
Patrick Schleizer
a258f35f38
comment 2021-01-05 02:11:08 -05:00
Patrick Schleizer
b2b614ed2a
cover more folders in /usr/local 2020-12-06 04:15:52 -05:00
Patrick Schleizer
5bd267d774
refactoring 2020-12-06 04:10:50 -05:00
Patrick Schleizer
11cdce02a0
refactoring 2020-12-06 04:10:10 -05:00
Patrick Schleizer
f73c55f16c
/opt 
https://forums.whonix.org/t/suid-disabler-and-permission-hardener/7706/68
 2020-12-06 04:08:58 -05:00
Patrick Schleizer
c031f22995
SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists 
`whitelists_disable_all=true`
 2020-12-01 05:14:48 -05:00
Patrick Schleizer
b09cc0de6a
Revert "SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists" 
This reverts commit 36a471ebce.
 2020-12-01 05:10:26 -05:00
Patrick Schleizer
704f0500ba
fix, rename 40_default_whitelist_[...].conf to 25_default_whitelist_[...].conf 
since whitelist needs to be defined before SUID removal commands
 2020-12-01 05:03:16 -05:00
Patrick Schleizer
36a471ebce
SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists 
`whitelists_disable_all=true`
 2020-12-01 05:02:34 -05:00
Patrick Schleizer
318ab570aa
simplify disabling of SUID Disabler and Permission Hardener whitelist 
split `/etc/permission-hardening.d/30_default.conf` into multiple files

`/etc/permission-hardening.d/40_default_whitelist_[...].conf`

therefore make it easier to delete any whitelisted SUID binaries
 2020-12-01 04:28:15 -05:00
Patrick Schleizer
cf07e977bd
add /bin/pkexec exactwhitelist for consistency 
since there is already `/usr/bin/pkexec exactwhitelist`
 2020-11-29 09:09:42 -05:00
Patrick Schleizer
bb72c1278d
copyright 2020-11-05 06:36:39 -05:00
Patrick Schleizer
c1e0bb8310
shebang 2020-10-31 06:11:49 -04:00
Patrick Schleizer
3f656be574
chmod +x /etc/X11/Xsession.d/50panic_on_oops 
chmod +x /etc/X11/Xsession.d/50security-misc
 2020-10-31 05:48:10 -04:00
madaidan
06ffd5d220
Restrict access to debugfs 2020-09-28 19:21:20 +00:00
Patrick Schleizer
da1ac48cde
unblacklist squashfs as this would likely break Whonix-Host ISO 
https://github.com/Whonix/security-misc/pull/75#issuecomment-700044182
 2020-09-28 10:29:50 -04:00
Patrick Schleizer
4070133ed6
unblacklist vfat 
https://github.com/Whonix/security-misc/pull/75#issuecomment-695201068
 2020-09-28 10:25:57 -04:00
Patrick Schleizer
3684ab585e
Merge pull request #75 from flawedworld/patch-1 
Blacklist more modules (based on OpenSCAP for RHEL 8)
 2020-09-28 14:24:15 +00:00
Patrick Schleizer
ae90107e6d
Merge pull request #76 from flawedworld/patch-2 
Add IPv6 sysctl options and enforce kernel.perf_event_paranoid=3
 2020-09-28 14:23:42 +00:00
flawedworld
a813e7da07 Blacklist more modules 2020-09-19 20:46:19 +01:00
Patrick Schleizer
9239c8b807
Merge pull request #71 from onions-knight/patch-1 
Update thunar.xml
 2020-09-19 10:54:21 +00:00
flawedworld
8f7727e823
Add some IPv6 options 2020-09-18 23:36:30 +01:00
flawedworld
944fed3c45
Disallow kernel profiling by users without CAP_SYS_ADMIN 
It's the default on a lot of stuff, but still nice to have.
 2020-09-18 23:29:04 +01:00
Patrick Schleizer
7e267ab498
fix, allow group sudo and console to use consoles 
fix /etc/security/access-security-misc.conf syntax error

Thanks to @81a989 for the bug report!

https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/31
 2020-08-03 08:12:19 -04:00
Patrick Schleizer
3cd7b144bb
move "kernel.printk = 3 3 3 3" to separate file /etc/sysctl.d/30_silent-kernel-printk.conf 
so package debug-misc can easily disable it

https://phabricator.whonix.org/T950
 2020-05-14 13:47:58 -04:00
Patrick Schleizer
6485df8126
Prevent kernel info leaks in console during boot. 
add kernel parameter `quiet loglevel=0`

https://phabricator.whonix.org/T950
 2020-04-23 12:26:31 -04:00
Patrick Schleizer
8d2e4b68dc
Prevent kernel info leaks in console during boot. 
By setting `kernel.printk = 3 3 3 3`.

https://phabricator.whonix.org/T950

Thanks to @madaidan for the suggestion!
 2020-04-16 08:00:31 -04:00
Patrick Schleizer
4898a9e753
fix, sysctl-initramfs: switch log to /run/initramfs/sysctl-initramfs-error.log 
since ephemeral, in RAM, not written to disk, no conflict with grub-live

https://forums.whonix.org/t/kernel-hardening/7296/435
 2020-04-16 07:54:33 -04:00
Patrick Schleizer
701da5f6cc
formatting 2020-04-16 07:24:44 -04:00
Patrick Schleizer
253578afdf
/etc/security/access-security-misc.conf white list ttyS0 etc. 
ttyS0 ttyS1 ttyS2 ttyS3 ttyS4 ttyS5 ttyS6 ttyS7 ttyS8 ttyS9

Thanks to @subpar_marlin for the bug report and helping to fix this!

https://forums.whonix.org/t/how-do-i-enter-the-whonix-shell-from-cli/7271/43

https://forums.whonix.org/t/etc-security-hardening/8592
 2020-04-13 06:50:32 -04:00
Patrick Schleizer
b3ce18f0f9
disable proc-hidepid by default because incompatible with pkexec 
and undo pkexec wrapper
 2020-04-12 16:54:10 -04:00
Patrick Schleizer
4429315291
disable proc-hidepid by default because incompatible with pkexec 
and undo pkexec wrapper
 2020-04-12 16:52:55 -04:00
Patrick Schleizer
938e929f39
add pkexec to suid default whitelist 
/usr/bin/pkexec exactwhitelist
/usr/bin/pkexec.security-misc-orig exactwhitelist
 2020-04-12 16:37:51 -04:00
Patrick Schleizer
565ff136e5
vm.swappiness=1 
import from swappiness-lowest

https://forums.whonix.org/t/vm-swappiness-1-set-swapiness-to-lowest-setting-still-useful-swappiness-lowest/9278
 2020-04-08 21:04:02 +00:00
Patrick Schleizer
72228946dc
fix etc/default/grub.d/40_kernel_hardening.cfg 
in Qubes if no kernel package is installed
 2020-04-08 16:46:11 +00:00
Patrick Schleizer
5c81e1f23f
import from anon-gpg-conf 2020-04-06 09:25:45 -04:00
Patrick Schleizer
a7f2a2a3b6
console lockdown: allow members of group sudo to use console 
https://forums.whonix.org/t/etc-security-hardening/8592

https://github.com/Whonix/security-misc/pull/74#issuecomment-607748407

https://www.whonix.org/wiki/Dev/Strong_Linux_User_Account_Isolation#Console_Lockdown
 2020-04-02 06:04:45 -04:00
Patrick Schleizer
7764ee0d20
comments 2020-04-02 05:58:16 -04:00
Patrick Schleizer
2ceea8d1fe
update copyright year 2020-04-01 08:49:59 -04:00
Patrick Schleizer
814f613a2f
When using systemd-nspawn (chroot) then login requires console 'console' to be permitted. 2020-03-31 07:08:25 -04:00
Patrick Schleizer
5f0dd8270b
consistent use of quotes 2020-03-21 14:14:35 -04:00
Patrick Schleizer
66ea1a3a12
minor 2020-03-21 14:14:15 -04:00
Patrick Schleizer
23bd7ead59
remove trailing space 2020-03-21 14:12:42 -04:00
madaidan
89ada11cf9
Only remount if already mounted read-only 2020-03-21 17:49:07 +00:00
madaidan
c8826d6702
Fix sysctl-initramfs logs 2020-03-21 17:15:25 +00:00
onions-knight
8dfdec1d3b
Update thunar.xml 
Adding Delete option for thunar on right mouse click (removed in Debian 10). See https://forums.whonix.org/t/whonix-host-calamares-branding-suggestion/7772/26
 2020-03-17 16:38:53 +00:00
madaidan
4d0de87f79
Disable unprivileged userfaultfd use again 2020-03-08 17:49:49 +00:00
madaidan
efb2683cfc
Hide unprivileged_userfaultfd error 2020-03-08 17:49:12 +00:00
Patrick Schleizer
284a491100
disable vm.unprivileged_userfaultfd=0 for now 
because broken

https://forums.whonix.org/t/kernel-hardening/7296/406

reverts "Restrict the userfaultfd() syscall to root as it can make heap sprays easier."

https://duasynt.com/blog/linux-kernel-heap-spray
 2020-03-08 08:07:10 -04:00
madaidan
6b64b36b01
Restrict the userfaultfd() syscall to root 2020-02-24 18:23:15 +00:00
madaidan
f6b6ab374e
Gather more entropy during boot 2020-02-16 19:51:32 +00:00
madaidan
a79ce7fa68
Document ldisc_autoload better 2020-02-15 17:30:21 +00:00
Patrick Schleizer
1e5946c795
Merge branch 'master' into sysrq 2020-02-15 10:41:52 +00:00
Patrick Schleizer
5124f8cebc
Merge pull request #61 from madaidan/disable_early_pci_dma 
Avoid holes in IOMMU
 2020-02-15 10:18:56 +00:00
madaidan
9b767139ef
Avoid holes in IOMMU 2020-02-14 18:52:01 +00:00
madaidan
d251c43344
Restrict the SysRq key 2020-02-14 18:17:20 +00:00
madaidan
0ea7dd161b
Restrict loading line disciplines to CAP_SYS_MODULE 2020-02-14 17:50:19 +00:00
Patrick Schleizer
ad6b766886
Merge pull request #57 from madaidan/sysctl 
Prevent symlink/hardlink TOCTOU races
 2020-02-13 18:40:58 +00:00
madaidan
700c7ed908
Create 40_cpu_mitigations.cfg 2020-02-12 18:42:13 +00:00
madaidan
ba0043b8a7
Update 40_kernel_hardening.cfg 2020-02-12 18:36:05 +00:00
madaidan
5cb21d0d4d
Prevent symlink/hardlink TOCTOU races 2020-02-12 18:03:23 +00:00
HulaHoop0
e4c6e897cf
kvm.nx_huge_pages=force 2020-02-03 16:06:46 +00:00
Patrick Schleizer
85d2aa1365
hide stdout (but not stderr) by sysctl during initramfs 2020-01-30 06:13:42 -05:00
Patrick Schleizer
b9d65338bc
unconditionally enable all CPU bugs (spectre, meltdown, L1TF, ...) 
this might reduce performance

* `spectre_v2=on`
* `spec_store_bypass_disable=on`
* `tsx=off`
* `tsx_async_abort=full,nosmt`

Thanks to @madaidan for the suggestion!

https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647
 2020-01-30 05:55:13 -05:00
Patrick Schleizer
c1a0da60be
set kernel boot parameter l1tf=full,force and nosmt=force 
https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17
 2020-01-30 00:46:48 -05:00
Patrick Schleizer
a37da1c968
add digits to drop-in file names 2020-01-24 04:39:06 -05:00
Patrick Schleizer
e0aa67677d
merge the many modprobe.d config files into 1 
and use a name starting with double digits

to make it easier to disable settings using a lexically higher config file
 2020-01-24 04:30:36 -05:00
Patrick Schleizer
6a4c493213
merge the many sysctl config files into 1 
and use a name starting with double digits

to make it easier to disable settings using a lexically higher config file
 2020-01-24 04:26:36 -05:00
Patrick Schleizer
6f8d89c6c5
error handling 2020-01-15 15:54:06 -05:00
madaidan
f7fde60b67
Process sysctl.conf too 2020-01-15 20:28:32 +00:00
Patrick Schleizer
528c5fc4c4
Merge branch 'master' into sysctl-initramfs 2020-01-15 11:02:03 +00:00
Patrick Schleizer
80159545a5
fix xfce4-power-manager xfpm-power-backlight-helper pkexec lxsudo popup 
https://forums.whonix.org/t/xfce4-power-manager-xfpm-power-backlight-helper-pkexec-lxsudo-popup/8764

do show lxqt-sudo password prompt if there is a sudoers exceptoin

improved pkexec wrapper logging
 2020-01-15 02:42:10 -05:00
madaidan
8c4e0ff1c4
Set sysctl values in initramfs 2020-01-12 21:37:37 +00:00
madaidan
a662a76a52
Blacklist vivid 2020-01-11 18:37:00 +00:00
Patrick Schleizer
f3ff32ddbb
Protect /bin/mount from 'chmod -x'. 
/bin/mount exactwhitelist
/usr/bin/mount exactwhitelist

Remove SUID from 'mount' but keep executable.

/bin/mount 745 root root
/usr/bin/mount 745 root root

https://forums.whonix.org/t/disable-suid-binaries/7706/61
 2019-12-30 06:39:24 -05:00
Patrick Schleizer
e5623fcd2b
comment 2019-12-29 04:21:52 -05:00
Patrick Schleizer
674840e6f9
/fusermount matchwhitelist 
unbreak AppImages such as electrum Bitcoin wallet

https://forums.whonix.org/t/disable-suid-binaries/7706/57
 2019-12-26 05:44:35 -05:00
Patrick Schleizer
ede536913d
no longer hardcode amd64 2019-12-24 06:00:41 -05:00
Patrick Schleizer
27a42a9da8
Merge pull request #50 from madaidan/modules 
Make /lib/modules unreadable
 2019-12-24 10:55:11 +00:00
Patrick Schleizer
ac49c55d1f
Merge pull request #49 from madaidan/kver 
Detect kernel upgrades
 2019-12-24 10:55:03 +00:00
madaidan
79241c5d09
Make /lib/modules unreadable 2019-12-23 20:28:29 +00:00
madaidan
98e88d1456
Detect kernel upgrades 2019-12-23 19:57:43 +00:00
madaidan
d1a0650fd9
Use only one slub_debug parameter 2019-12-23 19:44:52 +00:00
Patrick Schleizer
9d77d88a4d
comments 2019-12-23 09:39:50 -05:00
Patrick Schleizer
3e131174d5
comments 2019-12-23 05:00:35 -05:00
Patrick Schleizer
9f072ce4f9
comment 2019-12-23 03:46:02 -05:00
Patrick Schleizer
26fe9394ff
disable lockdown for now due to module loading 2019-12-23 03:41:54 -05:00
madaidan
535c258b83
More kernel hardening 2019-12-23 03:35:07 -05:00
Patrick Schleizer
11b4192fbd
comments 2019-12-23 03:28:42 -05:00
Patrick Schleizer
2152fa2d61
comment 2019-12-23 02:38:53 -05:00
Patrick Schleizer
f8f2e6c704
fix disablewhitelist feature 2019-12-23 02:35:13 -05:00
Patrick Schleizer
47ddcad0c0
rename keyword whitelist to exactwhitelist 
add new keyword disablewhitelist

refactoring
 2019-12-23 02:29:47 -05:00
Patrick Schleizer
1ff56625a1
polkit-agent-helper-1 matchwhitelist to match both 
- /usr/lib/policykit-1/polkit-agent-helper-1 matchwhitelist
- /lib/policykit-1/polkit-agent-helper-1
 2019-12-23 01:42:03 -05:00
Patrick Schleizer
d484b299ea
matchwhitelist /qubes/qfile-unpacker to match both 
- /usr/lib/qubes/qfile-unpacker whitelist
- /lib/qubes/qfile-unpacker
 2019-12-23 01:38:31 -05:00
Patrick Schleizer
58a4e0bc7d
dbus-daemon-launch-helper matchwhitelist 2019-12-22 19:12:10 -05:00
Patrick Schleizer
15e3a2832d
comment 2019-12-22 18:57:23 -05:00
Patrick Schleizer
6eb8fd257a
suid utempter/utempter matchwhitelist 
to cover both:

/usr/lib/x86_64-linux-gnu/utempter/utempter
/lib/x86_64-linux-gnu/utempter/utempter
 2019-12-22 18:56:36 -05:00
Patrick Schleizer
bce02ffdc0
Merge pull request #47 from madaidan/msr 
Blacklist CPU MSRs
 2019-12-22 15:26:07 +00:00
madaidan
dd93b11321
Blacklist CPU MSRs 2019-12-22 13:52:43 +00:00
Patrick Schleizer
2ddf7b5db5
/lib/ nosuid 2019-12-21 14:06:51 -05:00
Patrick Schleizer
2350e0f5d0
Merge remote-tracking branch 'origin/master' 2019-12-21 06:57:10 -05:00
Patrick Schleizer
efd65a3f15
Merge pull request #45 from madaidan/apparmor 
Delete apparmor profiles
 2019-12-21 11:56:31 +00:00
Patrick Schleizer
3ea587187e
no need to exclude xorg nosuid on Debian 
http://forums.whonix.org/t/permission-hardening/8655/25
 2019-12-21 06:53:07 -05:00
madaidan
c28ddf5c4d
Delete usr.lib.security-misc.pam_tally2-info 2019-12-20 22:44:31 +00:00
madaidan
cfe69dd669
Delete usr.lib.security-misc.permission-lockdown 2019-12-20 22:44:27 +00:00
Patrick Schleizer
d220bb3bc4
suid /usr/lib/chromium/chrome-sandbox whitelist 2019-12-20 13:07:01 -05:00
Patrick Schleizer
77b3dd5d6b
comments 2019-12-20 13:02:33 -05:00
Patrick Schleizer
d7bd477e73
add "/usr/lib/xorg/Xorg.wrap whitelist" 
until this is researched

https://manpages.debian.org/buster/xserver-xorg-legacy/Xorg.wrap.1.en.html
https://lwn.net/Articles/590315/
 2019-12-20 12:59:27 -05:00
Patrick Schleizer
17e8605119
add matchwhitelist feature 
add "/usr/lib/virtualbox/ matchwhitelist"
 2019-12-20 12:57:24 -05:00
Patrick Schleizer
3fab387669
suid /usr/bin/firejail whitelist 
There is a controversy about firejail but those who choose to install it
should be able to use it.
https://www.whonix.org/wiki/Dev/Firejail#Security
 2019-12-20 12:50:35 -05:00
Patrick Schleizer
d3f16a5bf4
sgid /usr/lib/qubes/qfile-unpacker whitelist 2019-12-20 12:47:10 -05:00
Patrick Schleizer
508ec0c6fa
comment 2019-12-20 12:34:07 -05:00
Patrick Schleizer
1b569ea790
comment 2019-12-20 12:32:36 -05:00
Patrick Schleizer
e28da89253
/bin/sudo whitelist / /bin/bwrap whitelist 2019-12-20 09:48:06 -05:00
Patrick Schleizer
6d30e3b4a2
do not remove suid from whitelisted binaries ever 
https://forums.whonix.org/t/permission-hardening/8655/13
 2019-12-20 08:13:23 -05:00
Patrick Schleizer
48fe7312bf
update config 2019-12-20 05:57:41 -05:00
Patrick Schleizer
87d820d84c
comment 2019-12-20 05:54:16 -05:00
Patrick Schleizer
46466c12ad
parse drop-in config folder rather than only one config file 2019-12-20 05:49:11 -05:00
Patrick Schleizer
6c8127e3cd
remove "/lib/ nosuid" from permission hardening 
Takes 1 minute to parse. No SUID binaries there by default.
remount-secure mounts it with nosuid anyhow.
Therefore no processing it here.
 2019-12-20 05:29:37 -05:00
Patrick Schleizer
788a2c1ba3
comment 2019-12-20 03:45:01 -05:00
madaidan
9df7407286
Remove SUID bits 2019-12-19 17:01:33 +00:00
Patrick Schleizer
729fa26eca
use pam_acccess only for /etc/pam.d/login 
remove "Allow members of group 'ssh' to login."
remove "+:ssh:ALL EXCEPT LOCAL"
 2019-12-12 09:00:08 -05:00
madaidan
6c564f6e95
Create permission-hardening.conf 2019-12-08 16:50:11 +00:00
Patrick Schleizer
9432d16378
/usr/bin/cat mrix, 2019-12-07 12:13:42 -05:00
Patrick Schleizer
c1800b13fe
separate group "ssh" for incoming ssh console permission 
Thanks to @madaidan

https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/16
 2019-12-07 11:26:39 -05:00
Patrick Schleizer
8636d2f629
add securetty 2019-12-07 06:51:10 -05:00
Patrick Schleizer
8b3f5a555b
add console lockdown to pam info output 2019-12-07 06:25:45 -05:00
Patrick Schleizer
021b06dac9
add hvc0 to hvc9 2019-12-07 06:04:45 -05:00
Patrick Schleizer
8a59662a44
comment 2019-12-07 06:02:45 -05:00
Patrick Schleizer
cda6724755
add pts/0 to pts/9 2019-12-07 05:56:57 -05:00
Patrick Schleizer
218cbddba9
comment 2019-12-07 05:52:06 -05:00
Patrick Schleizer
6479c883bf
Console Lockdown. 
Allow members of group 'console' to use tty1 to tty7. Everyone else except
members of group 'console-unrestricted' are restricted from using console
using ancient, unpopular login methods such as using /bin/login over networks,
which might be exploitable. (CVE-2001-0797)

Not enabled by default in this package since this package does not know which
users shall be added to group 'console'.

In new Whonix builds, user 'user" will be added to group 'console' and
pam console-lockdown enabled by package anon-base-files.

/usr/share/pam-configs/console-lockdown

/etc/security/access-security-misc.conf

https://forums.whonix.org/t/etc-security-hardening/8592
 2019-12-07 05:40:20 -05:00
Patrick Schleizer
8cf5ed990a
comment 2019-12-05 15:52:24 -05:00
madaidan
30289c68c2
Enable reverse path filtering 2019-12-05 20:13:10 +00:00
Patrick Schleizer
0c25a96b59
description / comments 2019-12-03 02:18:32 -05:00
madaidan
5da2a27bf0
Distrust the CPU for initial entropy 2019-12-02 16:43:00 +00:00
madaidan
d9d6d07714
/dev/pts/[0-9]* rw, 2019-11-26 17:12:12 +00:00
Patrick Schleizer
d32024a3da
/usr/sbin/pam_tally2 mrix, 
https://forums.whonix.org/t/apparmor-for-complete-system-including-init-pid1-systemd-everything-full-system-mac-policy/8339/152
 2019-11-23 05:53:19 -05:00
Patrick Schleizer
81e4f580af
etc/apparmor.d/usr.lib.security-misc.permission-lockdown: /usr/bin/chmod mrix, 2019-11-19 15:29:02 +00:00
Patrick Schleizer
477d476bb1
etc/apparmor.d/usr.lib.security-misc.pam_tally2-info: add '#include <abstractions/base>' 2019-11-10 08:29:44 -05:00
Patrick Schleizer
11dc23bf08
etc/apparmor.d/usr.lib.security-misc.permission-lockdown: add '#include <abstractions/base>' 2019-11-10 08:28:32 -05:00
Patrick Schleizer
9f2932faab
/usr/bin/id rix, 2019-11-09 13:32:21 -05:00
Patrick Schleizer
94d40c68d4
do not set kernel boot parameter page_poison=1 in Qubes since does not work 
https://github.com/QubesOS/qubes-issues/issues/5212#issuecomment-533873012
 2019-11-05 10:02:55 -05:00
Patrick Schleizer
f57702c158
comments; copyright 2019-11-05 09:55:43 -05:00
Patrick Schleizer
b55c2fd62e
Enables punycode (network.IDN_show_punycode) by default in Thunderbird 
to make phising attacks more difficult. Fixing URL not showing real Domain
Name (Homograph attack).

https://forums.whonix.org/t/enable-network-idn-show-punycode-by-default-in-thunderbird-to-fix-url-not-showing-real-domain-name-homograph-attack-punycode/8415
 2019-11-03 02:50:51 -05:00
Patrick Schleizer
e1375802eb
apparmor fix 
https://forums.whonix.org/t/apparmor-for-complete-system-including-init-pid1-systemd-everything-full-system-mac-policy/8339/67
 2019-10-31 16:32:28 +00:00
Patrick Schleizer
203d5cfa68
copyright 2019-10-31 11:19:44 -04:00
madaidan
0e49bdc45f
Licensing 2019-10-28 14:26:14 +00:00
madaidan
5d5ad92638
Licensing 2019-10-28 14:26:05 +00:00
madaidan
1b8b3610b1
Create usr.lib.security-misc.pam_tally2-info 2019-10-28 14:20:59 +00:00
madaidan
29b05546e4
Create usr.lib.security-misc.permission-lockdown 2019-10-28 14:20:08 +00:00
Patrick Schleizer
40707e70db
Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with hidepid. 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040

https://forums.whonix.org/t/cannot-use-pkexec/8129

Thanks to AnonymousUser for the bug report!
 2019-10-21 05:46:49 -04:00
Patrick Schleizer
0b8725306f
renamed: etc/hide-hardware-info.d/30_whitelist.conf -> etc/hide-hardware-info.d/30_default.conf 2019-10-17 06:13:44 -04:00
Patrick Schleizer
8a42c5b023
Merge pull request #34 from madaidan/whitelist 
Add a whitelist for /sys and /proc/cpuinfo
 2019-10-17 09:59:12 +00:00
madaidan
4f5b7816ec
Elaborate 2019-10-16 19:01:49 +00:00
madaidan
99a762d3dc
KASLR is different from ASLR 2019-10-16 18:53:04 +00:00
madaidan
a14a2854c6
Elaborate 2019-10-16 18:52:14 +00:00
madaidan
a47a2fca8b
Create 30_whitelist.conf 2019-10-15 20:58:58 +00:00
Patrick Schleizer
c22738be02
comments 2019-10-07 08:25:45 +00:00
Patrick Schleizer
75f36bc2c9
comments 2019-10-07 08:25:07 +00:00
Patrick Schleizer
e92a8a6966
comments 2019-10-07 08:24:02 +00:00
Patrick Schleizer
60c044a9d6
copyright / comments 2019-10-07 05:30:56 +00:00
Patrick Schleizer
cd2135ff82
comments 2019-10-06 10:18:24 +00:00
Patrick Schleizer
8b4f2befd4
comment out sack by default 
https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109/8?u=patrick
 2019-10-05 13:15:34 +00:00
Patrick Schleizer
02096f8d7c
Revert "undo Disabling TCP SACK, DSACK, FACK" 
This reverts commit 5fb4eb8e56.
 2019-10-05 13:13:46 +00:00
Patrick Schleizer
5fb4eb8e56
undo Disabling TCP SACK, DSACK, FACK 
https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109/5
 2019-10-05 07:00:47 -04:00
madaidan
d0c6bb1e90
Disable TCP DSACK and FACK 2019-10-04 17:35:54 +00:00
Patrick Schleizer
f13a73e569
undo SysRq restrictions 
https://forums.whonix.org/t/sysrq-magic-sysrq-key/8079
 2019-09-10 12:35:42 -04:00
madaidan
60db7e6294
fix typo 2019-09-07 20:08:56 +00:00
Patrick Schleizer
7affddb3bb
blacklist modules with /bin/false rather than /bin/true to fail with error 
message rather than failing without notification
 2019-09-07 05:47:34 +00:00
Patrick Schleizer
661bcd8603
allow loading unsigned modules due to issues 
https://forums.whonix.org/t/allow-loading-signed-kernel-modules-by-default-disallow-kernel-module-loading-by-default/7880/23
 2019-09-07 05:39:56 +00:00
Patrick Schleizer
cb8170fd80
comment 2019-09-06 11:44:56 +00:00
Patrick Schleizer
ccdbc52b82
comment 2019-09-06 11:43:55 +00:00
Patrick Schleizer
051856bc8e
remove trailing space 2019-09-06 11:42:38 +00:00
Patrick Schleizer
0ae5c5ff14
remove umask changes since these are causing issues are are not needed anymore 
thanks to home folder permission lockdown

https://forums.whonix.org/t/change-default-umask/7416/45
 2019-08-24 12:14:22 -04:00
onions-knight
a8b6281119
Update uncommon-network-protocols.conf 
Removing llc from blacklisted network protocols as it is needed by KVM for networking.
See https://hub.packtpub.com/kvm-networking-libvirt/ and https://forums.whonix.org/t/whonix-desktop-installer-with-calamares-field-report/7350/107
 2019-08-19 11:30:57 +00:00
Patrick Schleizer
ed90d8b025
change default umask to 027 
as per:

https://forums.whonix.org/t/change-default-umask/7416/47
 2019-08-17 09:55:20 +00:00
Patrick Schleizer
224f95799c
sudo default umask 006 
https://forums.whonix.org/t/change-default-umask/7416/43
 2019-08-16 11:15:25 -04:00
Patrick Schleizer
85502ad430
Merge branch 'master' into patch-21 2019-08-16 14:35:51 +00:00
Patrick Schleizer
dbea7d1511
add hook etc/kernel/postinst.d/30_remove-system-map to remove system.map 
on kernel package upgrade;

self-document this package: during upgrade the following will be written
to stdout:

Setting up linux-image-4.19.0-5-amd64 (4.19.37-5+deb10u2) ...
/etc/kernel/postinst.d/30_remove-system-map:
removed '/boot/System.map-4.19.0-5-amd64
 2019-08-14 07:22:14 +00:00