Raja Grewal
4e93b4d37e
Revert "enforce defualt net.ipv4.ip_forward"
...
This reverts commit 57b5b2145c
.
2022-07-13 21:10:39 +10:00
Raja Grewal
a47922ad28
enforce of IOMMU TLB invalidation
2022-07-13 04:47:07 +10:00
Raja Grewal
33df16af80
disables random.trust_bootloader
2022-07-13 04:37:03 +10:00
Raja Grewal
d0779a96fc
add reference
2022-07-13 04:36:34 +10:00
Raja Grewal
74858d257b
enable randomize_kstack_offset
2022-07-13 04:34:35 +10:00
Raja Grewal
f572332108
disable slub_debug
2022-07-13 04:32:03 +10:00
Raja Grewal
57b5b2145c
enforce defualt net.ipv4.ip_forward
2022-07-13 04:30:43 +10:00
Raja Grewal
79156262c9
enforce default net.ipv4.icmp_ignore_bogus_error_responses
2022-07-13 04:29:42 +10:00
Raja Grewal
dabcaf22e1
enforce default kernel.randomize_va_space
2022-07-13 04:28:03 +10:00
Raja Grewal
48089e5ba4
More verbose kernel module blocking error logs
2022-07-12 17:02:12 +10:00
Raja Grewal
40ec791774
Updated comments
2022-07-12 16:58:16 +10:00
Raja Grewal
ef1ef9917d
Blacklist automatic loading of CD-ROM modules
2022-07-10 04:53:25 +10:00
Raja Grewal
61ef9bd59f
Incorporated Ubuntu’s kernel module blacklists
2022-07-10 04:52:00 +10:00
Patrick Schleizer
26b2c9727f
not blacklist CD-ROM / DVD yet
...
https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31
2022-07-07 15:39:40 -04:00
Patrick Schleizer
ca19d78d48
shuffle
2022-07-07 15:27:15 -04:00
Raja Grewal
780dc8eec9
replace /bin/false -> /bin/disabled-by-security-misc
2022-07-08 04:11:25 +10:00
Raja Grewal
fa2e30f512
Updated descriptions of disabled modules
2022-07-08 03:04:37 +10:00
Raja Grewal
da389d6682
Revert "replace /bin/false -> /bin/true"
...
This reverts commit f0511635a9
.
2022-07-08 02:12:04 +10:00
raja-grewal
f0511635a9
replace /bin/false -> /bin/true
2022-07-07 09:27:53 +00:00
raja-grewal
18d67dbc53
Blacklist more modules
2022-07-07 09:26:55 +00:00
Patrick Schleizer
1c0e071948
comments
2022-07-05 10:45:55 -04:00
Patrick Schleizer
5d47f5f74c
comments
2022-07-05 10:45:09 -04:00
Patrick Schleizer
435c689cf9
comments
2022-07-05 10:44:28 -04:00
Patrick Schleizer
c20d588d78
comments
2022-07-05 10:42:37 -04:00
Patrick Schleizer
b342ce930e
add /etc/default/grub.d/40_cold_boot_attack_defense.cfg
2022-07-05 10:28:22 -04:00
Patrick Schleizer
67eaf8c916
comments
2022-06-29 11:40:38 -04:00
Patrick Schleizer
72908d6b0d
comments
2022-06-29 11:34:55 -04:00
Patrick Schleizer
55d16e1602
remove unicode
2022-06-08 09:04:03 -04:00
Patrick Schleizer
fcaec49675
Merge remote-tracking branch 'github-kicksecure/master'
2022-06-08 08:20:24 -04:00
Patrick Schleizer
5c43197f10
minor
2022-06-08 08:11:28 -04:00
Kuri Schlarb
6e8f584d88
permission-hardening: Keep pam_unix.so
password checking helper SetGID shadow
2022-06-08 05:29:42 +00:00
Kuri Schlarb
3910e4ee15
permission-hardening: Keep passwd
executable but non-SetUID
2022-06-07 08:11:51 +00:00
Patrick Schleizer
2d37e3a1af
copyright
2022-05-20 14:46:38 -04:00
Patrick Schleizer
bb0307290b
update link
2022-04-16 14:18:35 -04:00
Patrick Schleizer
c72567dbd2
fix
2021-09-14 14:18:44 -04:00
Patrick Schleizer
d62bbaab82
fix, unduplicate kernel command line
2021-09-12 11:40:58 -04:00
Patrick Schleizer
bd31b4085c
remove Debian buster support in /etc/default/grub.d
2021-09-09 12:16:18 -04:00
Patrick Schleizer
ac0c492663
do not set kernel parameter quiet loglevel=0
for recovery boot option
...
for easier debugging
2021-09-06 08:22:55 -04:00
Patrick Schleizer
49902b8c56
move grub quiet to separate config file /etc/default/grub.d/41_quiet.cfg
2021-09-06 08:19:41 -04:00
Patrick Schleizer
f5b0e4b5b8
debugging
2021-09-06 04:55:16 -04:00
Patrick Schleizer
6257bfa926
debugging
2021-09-05 15:54:20 -04:00
Patrick Schleizer
a4e18a2ae8
dracut
reproducible=yes
2021-09-04 18:28:37 -04:00
Patrick Schleizer
db43cedcfd
LANG=C str_replace
2021-08-22 05:23:24 -04:00
Patrick Schleizer
582492d6d8
port from pam_tally2 to pam_faillock
...
since pam_tally2 was deprecated upstream
2021-08-10 17:13:00 -04:00
Patrick Schleizer
50bdd097df
move /usr/lib/security-misc to /usr/libexec/security-misc as per lintian FHS
2021-08-03 12:56:31 -04:00
Patrick Schleizer
0492f28aa1
enable "apt-get --error-on=any
" by default
...
makes apt exit non-zero for transient failures
`/etc/apt/apt.conf.d/40error-on-any`
https://forums.whonix.org/t/debian-bullseye-apt-get-error-on-any/12068
2021-08-03 12:37:39 -04:00
Patrick Schleizer
c94281121e
comment
2021-08-01 16:37:02 -04:00
Patrick Schleizer
eff5af0318
https://forums.whonix.org/t/restrict-root-access/7658/116
2021-06-20 10:16:33 -04:00
madaidan
97d8db3f74
Restrict sudo's file permissions
2021-06-05 19:16:42 +00:00
Patrick Schleizer
d87bee37f7
comment
2021-06-01 07:21:18 -04:00
Patrick Schleizer
809930c021
comment
2021-06-01 05:36:01 -04:00
Patrick Schleizer
e2afd00627
modify DKMS configuration file /etc/dkms/framework.conf
...
Lower parallel compilation jobs to 1 if less than 2 GB RAM to avoid freezing of virtual machines.
`parallel_jobs=1`
This does not necessarily belong into security-misc, however likely
security-misc will need to modify `/etc/dkms/framework.conf` in the future to
enable kernel module signing.
https://forums.whonix.org/t/linux-kernel-runtime-guard-lkrg-linux-kernel-runtime-integrity-checking-and-exploit-detection/8477/26
https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/58
2021-04-29 11:14:30 -04:00
Patrick Schleizer
3ba3b37187
add /etc/dkms/framework.conf.security-misc
...
original, from
- https://github.com/dell/dkms/blob/master/dkms_framework.conf
- https://raw.githubusercontent.com/dell/dkms/master/dkms_framework.conf
https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/58
2021-04-29 11:08:30 -04:00
Patrick Schleizer
a67007f4b7
copyright
2021-03-17 09:45:21 -04:00
Patrick Schleizer
a1819e8cab
comment
2021-03-01 09:15:44 -05:00
Kenton Groombridge
4db7d6be64
hide-hardware-info: allow unrestricting selinuxfs
...
On SELinux systems, the /sys/fs/selinux directory must be visible to
userspace utilities in order to function properly.
2021-02-06 03:02:08 -05:00
Patrick Schleizer
a258f35f38
comment
2021-01-05 02:11:08 -05:00
Patrick Schleizer
b2b614ed2a
cover more folders in /usr/local
2020-12-06 04:15:52 -05:00
Patrick Schleizer
5bd267d774
refactoring
2020-12-06 04:10:50 -05:00
Patrick Schleizer
11cdce02a0
refactoring
2020-12-06 04:10:10 -05:00
Patrick Schleizer
f73c55f16c
/opt
...
https://forums.whonix.org/t/suid-disabler-and-permission-hardener/7706/68
2020-12-06 04:08:58 -05:00
Patrick Schleizer
c031f22995
SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists
...
`whitelists_disable_all=true`
2020-12-01 05:14:48 -05:00
Patrick Schleizer
b09cc0de6a
Revert "SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists"
...
This reverts commit 36a471ebce
.
2020-12-01 05:10:26 -05:00
Patrick Schleizer
704f0500ba
fix, rename 40_default_whitelist_[...].conf to 25_default_whitelist_[...].conf
...
since whitelist needs to be defined before SUID removal commands
2020-12-01 05:03:16 -05:00
Patrick Schleizer
36a471ebce
SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists
...
`whitelists_disable_all=true`
2020-12-01 05:02:34 -05:00
Patrick Schleizer
318ab570aa
simplify disabling of SUID Disabler and Permission Hardener whitelist
...
split `/etc/permission-hardening.d/30_default.conf` into multiple files
`/etc/permission-hardening.d/40_default_whitelist_[...].conf`
therefore make it easier to delete any whitelisted SUID binaries
2020-12-01 04:28:15 -05:00
Patrick Schleizer
cf07e977bd
add /bin/pkexec exactwhitelist
for consistency
...
since there is already `/usr/bin/pkexec exactwhitelist`
2020-11-29 09:09:42 -05:00
Patrick Schleizer
bb72c1278d
copyright
2020-11-05 06:36:39 -05:00
Patrick Schleizer
c1e0bb8310
shebang
2020-10-31 06:11:49 -04:00
Patrick Schleizer
3f656be574
chmod +x /etc/X11/Xsession.d/50panic_on_oops
...
chmod +x /etc/X11/Xsession.d/50security-misc
2020-10-31 05:48:10 -04:00
madaidan
06ffd5d220
Restrict access to debugfs
2020-09-28 19:21:20 +00:00
Patrick Schleizer
da1ac48cde
unblacklist squashfs as this would likely break Whonix-Host ISO
...
https://github.com/Whonix/security-misc/pull/75#issuecomment-700044182
2020-09-28 10:29:50 -04:00
Patrick Schleizer
4070133ed6
unblacklist vfat
...
https://github.com/Whonix/security-misc/pull/75#issuecomment-695201068
2020-09-28 10:25:57 -04:00
Patrick Schleizer
3684ab585e
Merge pull request #75 from flawedworld/patch-1
...
Blacklist more modules (based on OpenSCAP for RHEL 8)
2020-09-28 14:24:15 +00:00
Patrick Schleizer
ae90107e6d
Merge pull request #76 from flawedworld/patch-2
...
Add IPv6 sysctl options and enforce kernel.perf_event_paranoid=3
2020-09-28 14:23:42 +00:00
flawedworld
a813e7da07
Blacklist more modules
2020-09-19 20:46:19 +01:00
Patrick Schleizer
9239c8b807
Merge pull request #71 from onions-knight/patch-1
...
Update thunar.xml
2020-09-19 10:54:21 +00:00
flawedworld
8f7727e823
Add some IPv6 options
2020-09-18 23:36:30 +01:00
flawedworld
944fed3c45
Disallow kernel profiling by users without CAP_SYS_ADMIN
...
It's the default on a lot of stuff, but still nice to have.
2020-09-18 23:29:04 +01:00
Patrick Schleizer
7e267ab498
fix, allow group sudo
and console
to use consoles
...
fix /etc/security/access-security-misc.conf syntax error
Thanks to @81a989 for the bug report!
https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/31
2020-08-03 08:12:19 -04:00
Patrick Schleizer
3cd7b144bb
move "kernel.printk = 3 3 3 3" to separate file /etc/sysctl.d/30_silent-kernel-printk.conf
...
so package debug-misc can easily disable it
https://phabricator.whonix.org/T950
2020-05-14 13:47:58 -04:00
Patrick Schleizer
6485df8126
Prevent kernel info leaks in console during boot.
...
add kernel parameter `quiet loglevel=0`
https://phabricator.whonix.org/T950
2020-04-23 12:26:31 -04:00
Patrick Schleizer
8d2e4b68dc
Prevent kernel info leaks in console during boot.
...
By setting `kernel.printk = 3 3 3 3`.
https://phabricator.whonix.org/T950
Thanks to @madaidan for the suggestion!
2020-04-16 08:00:31 -04:00
Patrick Schleizer
4898a9e753
fix, sysctl-initramfs: switch log to /run/initramfs/sysctl-initramfs-error.log
...
since ephemeral, in RAM, not written to disk, no conflict with grub-live
https://forums.whonix.org/t/kernel-hardening/7296/435
2020-04-16 07:54:33 -04:00
Patrick Schleizer
701da5f6cc
formatting
2020-04-16 07:24:44 -04:00
Patrick Schleizer
253578afdf
/etc/security/access-security-misc.conf white list ttyS0 etc.
...
ttyS0 ttyS1 ttyS2 ttyS3 ttyS4 ttyS5 ttyS6 ttyS7 ttyS8 ttyS9
Thanks to @subpar_marlin for the bug report and helping to fix this!
https://forums.whonix.org/t/how-do-i-enter-the-whonix-shell-from-cli/7271/43
https://forums.whonix.org/t/etc-security-hardening/8592
2020-04-13 06:50:32 -04:00
Patrick Schleizer
b3ce18f0f9
disable proc-hidepid by default because incompatible with pkexec
...
and undo pkexec wrapper
2020-04-12 16:54:10 -04:00
Patrick Schleizer
4429315291
disable proc-hidepid by default because incompatible with pkexec
...
and undo pkexec wrapper
2020-04-12 16:52:55 -04:00
Patrick Schleizer
938e929f39
add pkexec to suid default whitelist
...
/usr/bin/pkexec exactwhitelist
/usr/bin/pkexec.security-misc-orig exactwhitelist
2020-04-12 16:37:51 -04:00
Patrick Schleizer
565ff136e5
vm.swappiness=1
...
import from swappiness-lowest
https://forums.whonix.org/t/vm-swappiness-1-set-swapiness-to-lowest-setting-still-useful-swappiness-lowest/9278
2020-04-08 21:04:02 +00:00
Patrick Schleizer
72228946dc
fix etc/default/grub.d/40_kernel_hardening.cfg
...
in Qubes if no kernel package is installed
2020-04-08 16:46:11 +00:00
Patrick Schleizer
5c81e1f23f
import from anon-gpg-conf
2020-04-06 09:25:45 -04:00
Patrick Schleizer
a7f2a2a3b6
console lockdown: allow members of group sudo
to use console
...
https://forums.whonix.org/t/etc-security-hardening/8592
https://github.com/Whonix/security-misc/pull/74#issuecomment-607748407
https://www.whonix.org/wiki/Dev/Strong_Linux_User_Account_Isolation#Console_Lockdown
2020-04-02 06:04:45 -04:00
Patrick Schleizer
7764ee0d20
comments
2020-04-02 05:58:16 -04:00
Patrick Schleizer
2ceea8d1fe
update copyright year
2020-04-01 08:49:59 -04:00
Patrick Schleizer
814f613a2f
When using systemd-nspawn (chroot) then login
requires console 'console' to be permitted.
2020-03-31 07:08:25 -04:00
Patrick Schleizer
5f0dd8270b
consistent use of quotes
2020-03-21 14:14:35 -04:00
Patrick Schleizer
66ea1a3a12
minor
2020-03-21 14:14:15 -04:00
Patrick Schleizer
23bd7ead59
remove trailing space
2020-03-21 14:12:42 -04:00
madaidan
89ada11cf9
Only remount if already mounted read-only
2020-03-21 17:49:07 +00:00
madaidan
c8826d6702
Fix sysctl-initramfs logs
2020-03-21 17:15:25 +00:00
onions-knight
8dfdec1d3b
Update thunar.xml
...
Adding Delete option for thunar on right mouse click (removed in Debian 10). See https://forums.whonix.org/t/whonix-host-calamares-branding-suggestion/7772/26
2020-03-17 16:38:53 +00:00
madaidan
4d0de87f79
Disable unprivileged userfaultfd use again
2020-03-08 17:49:49 +00:00
madaidan
efb2683cfc
Hide unprivileged_userfaultfd error
2020-03-08 17:49:12 +00:00
Patrick Schleizer
284a491100
disable vm.unprivileged_userfaultfd=0
for now
...
because broken
https://forums.whonix.org/t/kernel-hardening/7296/406
reverts "Restrict the userfaultfd() syscall to root as it can make heap sprays easier."
https://duasynt.com/blog/linux-kernel-heap-spray
2020-03-08 08:07:10 -04:00
madaidan
6b64b36b01
Restrict the userfaultfd() syscall to root
2020-02-24 18:23:15 +00:00
madaidan
f6b6ab374e
Gather more entropy during boot
2020-02-16 19:51:32 +00:00
madaidan
a79ce7fa68
Document ldisc_autoload better
2020-02-15 17:30:21 +00:00
Patrick Schleizer
1e5946c795
Merge branch 'master' into sysrq
2020-02-15 10:41:52 +00:00
Patrick Schleizer
5124f8cebc
Merge pull request #61 from madaidan/disable_early_pci_dma
...
Avoid holes in IOMMU
2020-02-15 10:18:56 +00:00
madaidan
9b767139ef
Avoid holes in IOMMU
2020-02-14 18:52:01 +00:00
madaidan
d251c43344
Restrict the SysRq key
2020-02-14 18:17:20 +00:00
madaidan
0ea7dd161b
Restrict loading line disciplines to CAP_SYS_MODULE
2020-02-14 17:50:19 +00:00
Patrick Schleizer
ad6b766886
Merge pull request #57 from madaidan/sysctl
...
Prevent symlink/hardlink TOCTOU races
2020-02-13 18:40:58 +00:00
madaidan
700c7ed908
Create 40_cpu_mitigations.cfg
2020-02-12 18:42:13 +00:00
madaidan
ba0043b8a7
Update 40_kernel_hardening.cfg
2020-02-12 18:36:05 +00:00
madaidan
5cb21d0d4d
Prevent symlink/hardlink TOCTOU races
2020-02-12 18:03:23 +00:00
HulaHoop0
e4c6e897cf
kvm.nx_huge_pages=force
2020-02-03 16:06:46 +00:00
Patrick Schleizer
85d2aa1365
hide stdout (but not stderr) by sysctl during initramfs
2020-01-30 06:13:42 -05:00
Patrick Schleizer
b9d65338bc
unconditionally enable all CPU bugs (spectre, meltdown, L1TF, ...)
...
this might reduce performance
* `spectre_v2=on`
* `spec_store_bypass_disable=on`
* `tsx=off`
* `tsx_async_abort=full,nosmt`
Thanks to @madaidan for the suggestion!
https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647
2020-01-30 05:55:13 -05:00
Patrick Schleizer
c1a0da60be
set kernel boot parameter l1tf=full,force
and nosmt=force
...
https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17
2020-01-30 00:46:48 -05:00
Patrick Schleizer
a37da1c968
add digits to drop-in file names
2020-01-24 04:39:06 -05:00
Patrick Schleizer
e0aa67677d
merge the many modprobe.d config files into 1
...
and use a name starting with double digits
to make it easier to disable settings using a lexically higher config file
2020-01-24 04:30:36 -05:00
Patrick Schleizer
6a4c493213
merge the many sysctl config files into 1
...
and use a name starting with double digits
to make it easier to disable settings using a lexically higher config file
2020-01-24 04:26:36 -05:00
Patrick Schleizer
6f8d89c6c5
error handling
2020-01-15 15:54:06 -05:00
madaidan
f7fde60b67
Process sysctl.conf too
2020-01-15 20:28:32 +00:00
Patrick Schleizer
528c5fc4c4
Merge branch 'master' into sysctl-initramfs
2020-01-15 11:02:03 +00:00
Patrick Schleizer
80159545a5
fix xfce4-power-manager xfpm-power-backlight-helper pkexec lxsudo popup
...
https://forums.whonix.org/t/xfce4-power-manager-xfpm-power-backlight-helper-pkexec-lxsudo-popup/8764
do show lxqt-sudo password prompt if there is a sudoers exceptoin
improved pkexec wrapper logging
2020-01-15 02:42:10 -05:00
madaidan
8c4e0ff1c4
Set sysctl values in initramfs
2020-01-12 21:37:37 +00:00
madaidan
a662a76a52
Blacklist vivid
2020-01-11 18:37:00 +00:00
Patrick Schleizer
f3ff32ddbb
Protect /bin/mount from 'chmod -x'.
...
/bin/mount exactwhitelist
/usr/bin/mount exactwhitelist
Remove SUID from 'mount' but keep executable.
/bin/mount 745 root root
/usr/bin/mount 745 root root
https://forums.whonix.org/t/disable-suid-binaries/7706/61
2019-12-30 06:39:24 -05:00
Patrick Schleizer
e5623fcd2b
comment
2019-12-29 04:21:52 -05:00
Patrick Schleizer
674840e6f9
/fusermount matchwhitelist
...
unbreak AppImages such as electrum Bitcoin wallet
https://forums.whonix.org/t/disable-suid-binaries/7706/57
2019-12-26 05:44:35 -05:00
Patrick Schleizer
ede536913d
no longer hardcode amd64
2019-12-24 06:00:41 -05:00
Patrick Schleizer
27a42a9da8
Merge pull request #50 from madaidan/modules
...
Make /lib/modules unreadable
2019-12-24 10:55:11 +00:00
Patrick Schleizer
ac49c55d1f
Merge pull request #49 from madaidan/kver
...
Detect kernel upgrades
2019-12-24 10:55:03 +00:00
madaidan
79241c5d09
Make /lib/modules unreadable
2019-12-23 20:28:29 +00:00
madaidan
98e88d1456
Detect kernel upgrades
2019-12-23 19:57:43 +00:00
madaidan
d1a0650fd9
Use only one slub_debug parameter
2019-12-23 19:44:52 +00:00
Patrick Schleizer
9d77d88a4d
comments
2019-12-23 09:39:50 -05:00
Patrick Schleizer
3e131174d5
comments
2019-12-23 05:00:35 -05:00
Patrick Schleizer
9f072ce4f9
comment
2019-12-23 03:46:02 -05:00
Patrick Schleizer
26fe9394ff
disable lockdown for now due to module loading
2019-12-23 03:41:54 -05:00
madaidan
535c258b83
More kernel hardening
2019-12-23 03:35:07 -05:00
Patrick Schleizer
11b4192fbd
comments
2019-12-23 03:28:42 -05:00
Patrick Schleizer
2152fa2d61
comment
2019-12-23 02:38:53 -05:00
Patrick Schleizer
f8f2e6c704
fix disablewhitelist feature
2019-12-23 02:35:13 -05:00
Patrick Schleizer
47ddcad0c0
rename keyword whitelist to exactwhitelist
...
add new keyword disablewhitelist
refactoring
2019-12-23 02:29:47 -05:00
Patrick Schleizer
1ff56625a1
polkit-agent-helper-1 matchwhitelist to match both
...
- /usr/lib/policykit-1/polkit-agent-helper-1 matchwhitelist
- /lib/policykit-1/polkit-agent-helper-1
2019-12-23 01:42:03 -05:00
Patrick Schleizer
d484b299ea
matchwhitelist /qubes/qfile-unpacker to match both
...
- /usr/lib/qubes/qfile-unpacker whitelist
- /lib/qubes/qfile-unpacker
2019-12-23 01:38:31 -05:00