raja-grewal
015dcc4212
Add reference for SSB
2024-05-01 13:48:13 +10:00
raja-grewal
de4f4be947
Merge spectre mitigations
2024-05-01 13:47:40 +10:00
raja-grewal
965c8641fd
Update BHI mitigation reference
2024-05-01 13:47:02 +10:00
raja-grewal
493576836c
BHI mitigation on Intel CPUs
2024-04-12 00:17:06 +10:00
Patrick Schleizer
7dba3fb7be
no longer disable MSR by default
...
fixes https://github.com/Kicksecure/security-misc/issues/215
2024-04-01 02:56:27 -04:00
Patrick Schleizer
6b76373395
fix panic-on-oops started every 10s in Qubes-Whonix
...
by changing from a /etc/profile.d etc. related mechanism to start to a systemd unit file based approach
Thanks to @marmarek for the bug report!
https://forums.whonix.org/t/panic-on-oops-started-every-10s/19450
2024-03-04 06:44:26 -05:00
Patrick Schleizer
af6c6971a7
comment
2024-03-04 06:33:51 -05:00
Patrick Schleizer
e013070e0b
newline
2024-03-04 06:33:21 -05:00
Daniel Winzen
ef44ecea44
Add option to disabe /sys hardening
2024-02-22 17:27:46 +01:00
raja-grewal
b16c99ab62
Remove hardcoded spec_rstack_overflow
setting
2024-01-29 13:39:40 +00:00
raja-grewal
139b10a9aa
Control RAS overflow mitigation on AMD Zen CPUs
2024-01-29 12:59:13 +00:00
raja-grewal
6c54e35027
Enable mitigations for RETBleed vulnerability and disable SMT
2024-01-29 12:58:51 +00:00
raja-grewal
4509a5fc95
Enable known mitigations for CPU vulnerabilities and disable SMT
2024-01-29 12:58:14 +00:00
raja-grewal
4231155efa
Add reference for kernel parameters
2024-01-29 12:57:48 +00:00
Patrick Schleizer
071b984a1e
sort -d
...
https://github.com/Kicksecure/security-misc/issues/190
2024-01-17 13:49:05 -05:00
Patrick Schleizer
011e55e3e5
remove duplicates after usrmerge
...
https://github.com/Kicksecure/security-misc/issues/190
2024-01-17 13:45:17 -05:00
Patrick Schleizer
0efee2f50f
usrmerge
...
fixes https://github.com/Kicksecure/security-misc/issues/190
2024-01-17 13:39:56 -05:00
Patrick Schleizer
4f7973bc56
comment
2024-01-16 08:56:26 -05:00
Ben Grande
abf72c2ee4
Rename file permission hardening script
...
Hardener as the script is the agent that is hardening the file
permissions.
2024-01-02 13:34:29 +01:00
Ben Grande
f138cf0f78
Refactor permission-hardener
...
- Organize comments from default configuration;
- Apply and undo changes from a single file controlled by parameters;
- Arrays should be evaluated as arrays and not normal variables;
- Quote variables;
- Brackets around variables;
- Standardize test cases to "test" command;
- Test against empty or non-empty variables with "-z" and "-n";
- Show a usage message when necessary;
- Require root to run the script with informative message;
- Permit the user to see the help message without running as root;
- Do not create root directories without passing root check;
- Use long options for "set" command;
2024-01-02 12:17:16 +01:00
Patrick Schleizer
f70a034da2
exclude hardened malloc from SUID disabler
...
fixes https://github.com/Kicksecure/security-misc/issues/179
2023-12-22 08:31:58 -05:00
Patrick Schleizer
5a73817a95
move to /usr/lib/issue.d/20_security-misc.issue
...
https://github.com/Kicksecure/security-misc/pull/167
2023-12-04 11:38:49 -05:00
Patrick Schleizer
dfaea492c7
remove etc/issue.net.d/20_security-misc
...
since not mentioned on debian.org
2023-12-04 11:37:02 -05:00
Patrick Schleizer
36850f89fb
Merge pull request #167 from monsieuremre/patch-4
...
Non-Identifiable and Generic Issue Banners that include the Recommended Keywords
2023-12-04 11:27:16 -05:00
Patrick Schleizer
c9ea7a4dca
use amd_iommu=force_isolation
instead of amd_iommu=force_enable
...
because we set `iommu=force` already anyhow
fixes https://github.com/Kicksecure/security-misc/issues/175
2023-12-04 11:02:55 -05:00
monsieuremre
f2ad8383cf
fix
2023-12-03 19:51:38 +00:00
monsieuremre
dd15823a97
undo superfluousness
2023-12-03 19:50:07 +00:00
monsieuremre
83e13bb62d
Update 40_enable_iommu.cfg
2023-12-03 19:42:34 +00:00
monsieuremre
0d7af9707f
Update 20_security-misc
2023-12-03 19:31:12 +00:00
monsieuremre
04d27a10b0
Update 20_security-misc
2023-12-03 19:30:55 +00:00
monsieuremre
c8b9f5a917
net
2023-11-18 10:03:19 +00:00
monsieuremre
3b614f3753
20_security-misc
2023-11-18 10:02:16 +00:00
Patrick Schleizer
5bb357cac0
spice-client-glib-usb-acl-helper matchwhitelist
2023-11-06 16:55:00 -05:00
Patrick Schleizer
7309445ee5
comment
2023-11-06 16:52:27 -05:00
Patrick Schleizer
f09d97fc9e
whitelist VirtualBox
2023-11-06 16:50:19 -05:00
Patrick Schleizer
64c8c7a8d5
whitelist SSH
2023-11-06 16:47:31 -05:00
Patrick Schleizer
9682b51d54
whitelist virtualbox
2023-11-06 16:44:36 -05:00
Patrick Schleizer
a40b9bc095
comments
2023-11-06 16:40:22 -05:00
Patrick Schleizer
2c1a3da433
VirtualBoxVM matchwhitelist
2023-11-06 16:38:50 -05:00
Patrick Schleizer
4e96ffaabb
chrome-sandbox matchwhitelist
2023-11-06 16:37:19 -05:00
Patrick Schleizer
51decff2fd
exclude qfile-unpacker from permission hardener
2023-11-05 16:03:36 -05:00
Patrick Schleizer
1900c1ab07
pam exclude from permission-hardener
2023-11-05 15:57:49 -05:00
Patrick Schleizer
5a75bcfb19
Merge pull request #145 from monsieuremre/wifi-and-bluetooth
...
Wifi and Bluetooth Patch | Security and Privacy
2023-11-05 14:49:00 -05:00
Patrick Schleizer
4946f85d43
Merge pull request #146 from monsieuremre/thunderbird
...
Thunderbird Hardening
2023-11-05 14:37:47 -05:00
Patrick Schleizer
97054b2b10
revert enabling kernel module signature enforcement
...
due to issues
https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/63
https://github.com/dell/dkms/issues/359
2023-11-03 15:55:17 -04:00
Patrick Schleizer
0242c04dc2
port to DKMS drop-in folder
...
undisplace /etc/dkms/framework.conf.security-misc
moved to /etc/dkms/framework.conf.d/30_security-misc.conf
2023-11-03 14:51:14 -04:00
Patrick Schleizer
d1b5a3ffd5
/usr/sbin/pam-tmpdir-helper exactwhitelist
...
https://github.com/Kicksecure/security-misc/pull/147
2023-11-03 12:55:34 -04:00
Patrick Schleizer
b6d53f698d
Revert "allow loading unsigned modules due to issues"
...
This reverts commit 661bcd8603
.
2023-11-03 12:17:00 -04:00
monsieuremre
1abac794b5
very secure and private defaults
2023-11-02 09:15:20 +00:00
monsieuremre
5a583ca48c
typo in file name
2023-11-02 08:30:26 +00:00