Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2024-10-01 08:25:45 -04:00
Code Issues Packages Projects Releases Wiki Activity
1,197 Commits 2 Branches 291 Tags 8.2 MiB
11cdce02a0
Commit Graph

1197 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Patrick Schleizer
11cdce02a0
refactoring 2020-12-06 04:10:10 -05:00
Patrick Schleizer
f73c55f16c
/opt 
https://forums.whonix.org/t/suid-disabler-and-permission-hardener/7706/68
 2020-12-06 04:08:58 -05:00
Patrick Schleizer
261ef85c14
bumped changelog version 2020-12-01 05:53:06 -05:00
Patrick Schleizer
c031f22995
SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists 
`whitelists_disable_all=true`
 2020-12-01 05:14:48 -05:00
Patrick Schleizer
b09cc0de6a
Revert "SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists" 
This reverts commit 36a471ebce.
 2020-12-01 05:10:26 -05:00
Patrick Schleizer
704f0500ba
fix, rename 40_default_whitelist_[...].conf to 25_default_whitelist_[...].conf 
since whitelist needs to be defined before SUID removal commands
 2020-12-01 05:03:16 -05:00
Patrick Schleizer
36a471ebce
SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists 
`whitelists_disable_all=true`
 2020-12-01 05:02:34 -05:00
Patrick Schleizer
318ab570aa
simplify disabling of SUID Disabler and Permission Hardener whitelist 
split `/etc/permission-hardening.d/30_default.conf` into multiple files

`/etc/permission-hardening.d/40_default_whitelist_[...].conf`

therefore make it easier to delete any whitelisted SUID binaries
 2020-12-01 04:28:15 -05:00
Patrick Schleizer
cf07e977bd
add /bin/pkexec exactwhitelist for consistency 
since there is already `/usr/bin/pkexec exactwhitelist`
 2020-11-29 09:09:42 -05:00
Patrick Schleizer
fe27483886
bumped changelog version 2020-11-28 06:08:10 -05:00
Patrick Schleizer
28a326a8a1
add feature /usr/lib/security-misc/permission-hardening-undo /path/to/filename 
to allow removing 1 SUID

fix, show INFO message if file does not exist during removal rather than ERROR
 2020-11-28 05:31:12 -05:00
Patrick Schleizer
0ef35f8770
bumped changelog version 2020-11-06 10:18:09 -05:00
Patrick Schleizer
abae787186
usability: pam abort when attempting to login to root when root password is locked 2020-11-05 06:47:16 -05:00
Patrick Schleizer
581e31af81
comment 2020-11-05 06:46:57 -05:00
Patrick Schleizer
dfe9b0f6c7
fix, no longer unconditionally abort pam for user accounts with locked passwords 
as locked user accounts might have valid sudoers exceptions

Thanks to @mimp for the bug report!

https://forums.whonix.org/t/pam-abort-on-locked-password-and-running-privileged-command-from-web-browser/10521
 2020-11-05 06:42:47 -05:00
Patrick Schleizer
211769dc65
comment 2020-11-05 06:41:51 -05:00
Patrick Schleizer
7952139731
comment 2020-11-05 06:39:32 -05:00
Patrick Schleizer
bb72c1278d
copyright 2020-11-05 06:36:39 -05:00
Patrick Schleizer
f4843b1deb
bumped changelog version 2020-10-31 06:29:25 -04:00
Patrick Schleizer
c1e0bb8310
shebang 2020-10-31 06:11:49 -04:00
Patrick Schleizer
b06d4ca299
bumped changelog version 2020-10-31 06:09:22 -04:00
Patrick Schleizer
3f656be574
chmod +x /etc/X11/Xsession.d/50panic_on_oops 
chmod +x /etc/X11/Xsession.d/50security-misc
 2020-10-31 05:48:10 -04:00
Patrick Schleizer
881d695bff
bumped changelog version 2020-10-05 07:03:37 -04:00
Patrick Schleizer
3adb2c92d9
Merge remote-tracking branch 'github/master' 2020-10-03 14:10:32 -04:00
Patrick Schleizer
58560138cd
Merge pull request #77 from madaidan/debugfs 
Restrict access to debugfs
 2020-10-03 18:09:07 +00:00
madaidan
06ffd5d220
Restrict access to debugfs 2020-09-28 19:21:20 +00:00
Patrick Schleizer
feb7cea4c5
bumped changelog version 2020-09-28 10:30:42 -04:00
Patrick Schleizer
da1ac48cde
unblacklist squashfs as this would likely break Whonix-Host ISO 
https://github.com/Whonix/security-misc/pull/75#issuecomment-700044182
 2020-09-28 10:29:50 -04:00
Patrick Schleizer
4070133ed6
unblacklist vfat 
https://github.com/Whonix/security-misc/pull/75#issuecomment-695201068
 2020-09-28 10:25:57 -04:00
Patrick Schleizer
77d461ec08
Merge remote-tracking branch 'github/master' 2020-09-28 10:24:59 -04:00
Patrick Schleizer
3684ab585e
Merge pull request #75 from flawedworld/patch-1 
Blacklist more modules (based on OpenSCAP for RHEL 8)
 2020-09-28 14:24:15 +00:00
Patrick Schleizer
ae90107e6d
Merge pull request #76 from flawedworld/patch-2 
Add IPv6 sysctl options and enforce kernel.perf_event_paranoid=3
 2020-09-28 14:23:42 +00:00
flawedworld
a813e7da07 Blacklist more modules 2020-09-19 20:46:19 +01:00
Patrick Schleizer
5fc7b791db
bumped changelog version 2020-09-19 09:28:27 -04:00
Patrick Schleizer
bff6ce7abb
Merge remote-tracking branch 'github/master' 2020-09-19 06:54:50 -04:00
Patrick Schleizer
9239c8b807
Merge pull request #71 from onions-knight/patch-1 
Update thunar.xml
 2020-09-19 10:54:21 +00:00
flawedworld
8f7727e823
Add some IPv6 options 2020-09-18 23:36:30 +01:00
flawedworld
944fed3c45
Disallow kernel profiling by users without CAP_SYS_ADMIN 
It's the default on a lot of stuff, but still nice to have.
 2020-09-18 23:29:04 +01:00
Patrick Schleizer
98c0decaa4
bumped changelog version 2020-08-03 09:43:43 -04:00
Patrick Schleizer
7e267ab498
fix, allow group sudo and console to use consoles 
fix /etc/security/access-security-misc.conf syntax error

Thanks to @81a989 for the bug report!

https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/31
 2020-08-03 08:12:19 -04:00
Patrick Schleizer
b09f5ddc15
bumped changelog version 2020-07-29 08:33:07 -04:00
Patrick Schleizer
ac8bc4f006
readme 2020-07-29 06:30:07 -04:00
Patrick Schleizer
861f9d1022
bumped changelog version 2020-05-14 13:57:32 -04:00
Patrick Schleizer
3cd7b144bb
move "kernel.printk = 3 3 3 3" to separate file /etc/sysctl.d/30_silent-kernel-printk.conf 
so package debug-misc can easily disable it

https://phabricator.whonix.org/T950
 2020-05-14 13:47:58 -04:00
Patrick Schleizer
81cb6ad246
bumped changelog version 2020-04-23 12:27:25 -04:00
Patrick Schleizer
6485df8126
Prevent kernel info leaks in console during boot. 
add kernel parameter `quiet loglevel=0`

https://phabricator.whonix.org/T950
 2020-04-23 12:26:31 -04:00
Patrick Schleizer
aa5631b02b
bumped changelog version 2020-04-16 08:43:40 -04:00
Patrick Schleizer
8d2e4b68dc
Prevent kernel info leaks in console during boot. 
By setting `kernel.printk = 3 3 3 3`.

https://phabricator.whonix.org/T950

Thanks to @madaidan for the suggestion!
 2020-04-16 08:00:31 -04:00
Patrick Schleizer
4898a9e753
fix, sysctl-initramfs: switch log to /run/initramfs/sysctl-initramfs-error.log 
since ephemeral, in RAM, not written to disk, no conflict with grub-live

https://forums.whonix.org/t/kernel-hardening/7296/435
 2020-04-16 07:54:33 -04:00
Patrick Schleizer
701da5f6cc
formatting 2020-04-16 07:24:44 -04:00