security-misc

mirror of https://github.com/Kicksecure/security-misc.git synced 2024-12-28 10:19:26 -05:00

Author	SHA1	Message	Date
Patrick Schleizer	10c19d6a8f	Merge remote-tracking branch 'origin/master'	2019-12-21 13:00:41 -05:00
madaidan	f5a52aeddc	Don't remount /sys/kernel/security	2019-12-21 14:55:28 +00:00
Patrick Schleizer	b2260f48f4	add support for /etc/exec / /usr/local/etc/exec to allow enabling exec on a per VM basis	2019-12-21 08:03:33 -05:00
Patrick Schleizer	b74e5ca972	comment	2019-12-21 07:47:00 -05:00
Patrick Schleizer	8fb17624bc	comment	2019-12-21 07:44:51 -05:00
Patrick Schleizer	aef796a524	disable debugging	2019-12-21 07:44:23 -05:00
Patrick Schleizer	1fe83d683f	comment	2019-12-21 07:43:55 -05:00
Patrick Schleizer	7c3da38bd5	comment	2019-12-21 07:42:25 -05:00
Patrick Schleizer	9050058bc2	fix	2019-12-21 07:42:01 -05:00
Patrick Schleizer	6b13a644df	add /usr/lib/security-misc/permission-hardening-undo	2019-12-21 07:37:41 -05:00
Patrick Schleizer	c336bc4fd2	comment	2019-12-21 06:39:13 -05:00
Patrick Schleizer	b5f88efe20	fix	2019-12-21 06:27:01 -05:00
Patrick Schleizer	2088628c8d	debugging	2019-12-21 06:24:08 -05:00
Patrick Schleizer	2dca031527	debugging	2019-12-21 06:22:46 -05:00
Patrick Schleizer	195e00cc87	output	2019-12-21 06:16:38 -05:00
Patrick Schleizer	4b21b6df41	fix	2019-12-21 06:11:44 -05:00
Patrick Schleizer	8436da2b7b	output	2019-12-21 05:58:50 -05:00
Patrick Schleizer	da15265e1c	fix	2019-12-21 05:55:23 -05:00
Patrick Schleizer	2a248fe0de	fix	2019-12-21 05:54:39 -05:00
Patrick Schleizer	4f12664362	output	2019-12-21 05:54:07 -05:00
Patrick Schleizer	e3355843c8	fix	2019-12-21 05:51:22 -05:00
Patrick Schleizer	234ec5fe93	fix	2019-12-21 05:47:35 -05:00
Patrick Schleizer	7ff900c204	fix	2019-12-21 05:37:43 -05:00
Patrick Schleizer	e1a5ee4bcf	output	2019-12-21 05:26:55 -05:00
Patrick Schleizer	66aaf3e22c	output	2019-12-21 05:25:54 -05:00
Patrick Schleizer	7aa7d0b5a0	improve error handling	2019-12-21 05:22:27 -05:00
Patrick Schleizer	8919d38de9	disable debugging	2019-12-21 05:21:46 -05:00
Patrick Schleizer	cf5dee64fd	refactoring	2019-12-21 05:18:34 -05:00
Patrick Schleizer	29cd9a0c38	fix	2019-12-21 05:17:35 -05:00
Patrick Schleizer	486027a4d7	fix	2019-12-21 05:15:38 -05:00
Patrick Schleizer	1fd26be864	fix	2019-12-21 05:14:51 -05:00
Patrick Schleizer	0fc97c37be	fix	2019-12-21 05:14:39 -05:00
Patrick Schleizer	1018d5b3b0	output	2019-12-21 05:11:51 -05:00
Patrick Schleizer	4388fc4d5a	refactoring	2019-12-21 05:11:19 -05:00
Patrick Schleizer	ed20980f4c	refactoring	2019-12-21 05:07:10 -05:00
Patrick Schleizer	315ce86b9a	refactoring	2019-12-21 04:33:03 -05:00
Patrick Schleizer	0c5848494b	do not remount if already has intended mount options	2019-12-21 04:21:26 -05:00
Patrick Schleizer	203f4ad46e	refactoring	2019-12-21 04:17:10 -05:00
Patrick Schleizer	e7fd0dadb0	output	2019-12-21 04:09:35 -05:00
Patrick Schleizer	e6ea21c775	record existing modes in separate dpkg-statoverwrite databases to have a history of what was modified and to allow to undo changes	2019-12-21 04:08:35 -05:00
Patrick Schleizer	17e8605119	add matchwhitelist feature add "/usr/lib/virtualbox/ matchwhitelist"	2019-12-20 12:57:24 -05:00
Patrick Schleizer	1b569ea790	comment	2019-12-20 12:32:36 -05:00
Patrick Schleizer	f88ca25889	fix terminology, sguid -> sgid Thanks to @madaidan for the bug report! https://forums.whonix.org/t/permission-hardening/8655/21	2019-12-20 11:58:07 -05:00
Patrick Schleizer	ff0a26fb5d	comment	2019-12-20 11:49:19 -05:00
Patrick Schleizer	71496a33ab	skip folders are these are not suid / guid	2019-12-20 11:47:53 -05:00
Patrick Schleizer	9321ecff41	no more need to add/remove /	2019-12-20 11:43:53 -05:00
Patrick Schleizer	b95225b6a6	pipefail	2019-12-20 11:37:05 -05:00
Patrick Schleizer	cad6f328f4	minor	2019-12-20 11:34:44 -05:00
Patrick Schleizer	3265f9894d	output	2019-12-20 11:27:43 -05:00
Patrick Schleizer	1615ebec58	output	2019-12-20 11:07:44 -05:00
Patrick Schleizer	1e11b775cf	output	2019-12-20 11:05:05 -05:00
Patrick Schleizer	731f802895	output	2019-12-20 11:04:12 -05:00
Patrick Schleizer	cd8efe5800	output	2019-12-20 11:03:22 -05:00
Patrick Schleizer	b31abea0af	improve error handling	2019-12-20 10:49:31 -05:00
Patrick Schleizer	79cd3b86b6	comment	2019-12-20 10:47:23 -05:00
Patrick Schleizer	b3458cc6ee	fix checking existing entries to avoid needless calls to dpkg-statoverride	2019-12-20 10:45:59 -05:00
Patrick Schleizer	370f3c5e54	comment	2019-12-20 10:35:05 -05:00
Patrick Schleizer	133d09f298	output	2019-12-20 10:33:16 -05:00
Patrick Schleizer	1ffa8e197e	speed up setuid removal by using find with '-perm /u=s,g=s' https://forums.whonix.org/t/permission-hardening/8655/19	2019-12-20 10:31:26 -05:00
Patrick Schleizer	4cfdf2c65b	fix, re-enforce nosuid even if changed on the disk	2019-12-20 10:21:27 -05:00
Patrick Schleizer	e36868e675	output	2019-12-20 10:02:46 -05:00
Patrick Schleizer	50b8f65490	add sanity test: count if we really processed all files	2019-12-20 09:59:28 -05:00
Patrick Schleizer	55faa7b997	fix missing processing files bug https://forums.whonix.org/t/permission-hardening/8655/16	2019-12-20 09:43:23 -05:00
Patrick Schleizer	fbe2479f48	count processed file system objects to be able to verify if any were "forgotten"	2019-12-20 08:54:56 -05:00
Patrick Schleizer	195ea522f5	fix	2019-12-20 08:52:14 -05:00
Patrick Schleizer	6f8231be70	debugging	2019-12-20 08:51:55 -05:00
Patrick Schleizer	ed50f98010	output	2019-12-20 08:47:22 -05:00
Patrick Schleizer	6d30e3b4a2	do not remove suid from whitelisted binaries ever https://forums.whonix.org/t/permission-hardening/8655/13	2019-12-20 08:13:23 -05:00
Patrick Schleizer	d5f1bd8dd2	fix mode sanity check no longer use seq due to issue https://forums.whonix.org/t/permission-hardening/8655/13	2019-12-20 08:02:30 -05:00
Patrick Schleizer	0ae3e689b5	comment	2019-12-20 06:35:02 -05:00
Patrick Schleizer	050f4d8b94	comment	2019-12-20 06:34:37 -05:00
Patrick Schleizer	36043fe5cc	comment	2019-12-20 06:33:41 -05:00
Patrick Schleizer	fb4254547b	comment	2019-12-20 06:32:04 -05:00
Patrick Schleizer	cca0908d9a	fix	2019-12-20 06:11:38 -05:00
Patrick Schleizer	e254b8b52d	fix	2019-12-20 06:09:17 -05:00
Patrick Schleizer	7f8b3c76de	output	2019-12-20 06:02:17 -05:00
Patrick Schleizer	071c64dc41	enable 'set -e'	2019-12-20 06:01:49 -05:00
Patrick Schleizer	b97c66707c	minor	2019-12-20 05:59:05 -05:00
Patrick Schleizer	17b4f12276	output	2019-12-20 05:58:42 -05:00
Patrick Schleizer	918cbb4e25	output	2019-12-20 05:51:25 -05:00
Patrick Schleizer	c8cf09a4cb	output	2019-12-20 05:50:16 -05:00
Patrick Schleizer	46466c12ad	parse drop-in config folder rather than only one config file	2019-12-20 05:49:11 -05:00
Patrick Schleizer	66fd31189d	improve output if set-user-id / set-group-id is set	2019-12-20 05:37:33 -05:00
Patrick Schleizer	af0f074987	remount /lib with nosuid,nodev https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707/22	2019-12-20 05:27:11 -05:00
Patrick Schleizer	a135ae9400	use must manually enable permission-hardening.service until development finished	2019-12-20 05:22:59 -05:00
Patrick Schleizer	fa6f1e1568	output	2019-12-20 05:19:39 -05:00
Patrick Schleizer	a26cb94bfd	globstar no longer required	2019-12-20 04:49:21 -05:00
Patrick Schleizer	c66e9abe18	comment	2019-12-20 04:48:57 -05:00
Patrick Schleizer	d1d0afff34	fix fso: /lib/ usr/lib/security-misc/permission-hardening: line 19: /usr/bin/stat: Argument list too long https://forums.whonix.org/t/kernel-hardening/7296/326	2019-12-20 04:48:02 -05:00
Patrick Schleizer	e74d2e4f94	output	2019-12-20 04:23:14 -05:00
Patrick Schleizer	eb86359033	refactoring	2019-12-20 04:20:05 -05:00
Patrick Schleizer	bb84fca184	refactoring	2019-12-20 04:08:46 -05:00
Patrick Schleizer	f92b414195	refactoring	2019-12-20 04:06:28 -05:00
Patrick Schleizer	4c44871e9d	comment	2019-12-20 04:02:05 -05:00
Patrick Schleizer	6876a2eaa8	comment	2019-12-20 04:01:40 -05:00
Patrick Schleizer	35c4fce61b	fix "dpkg-statoverride: warning: stripping trailing /"	2019-12-20 03:54:46 -05:00
Patrick Schleizer	9bd9012ab1	refactoring	2019-12-20 03:46:50 -05:00
Patrick Schleizer	55933f8876	refactoring	2019-12-20 03:43:36 -05:00
Patrick Schleizer	9e493a9f48	refactoring	2019-12-20 03:42:09 -05:00
Patrick Schleizer	b92a690c16	refactoring	2019-12-20 03:40:47 -05:00
Patrick Schleizer	98535e3a2b	refactoring	2019-12-20 03:39:25 -05:00
Patrick Schleizer	ecbba2fd61	refactoring	2019-12-20 03:38:39 -05:00
Patrick Schleizer	20b8a407ac	refactoring	2019-12-20 03:25:17 -05:00
Patrick Schleizer	6cd9eb44fb	refactoring	2019-12-20 03:24:07 -05:00
Patrick Schleizer	706dba104d	code simplification	2019-12-20 03:19:12 -05:00
Patrick Schleizer	01dd567f8b	fix, if fso has exactly the mode we want (not 3 instead of 4 string length), not need to reset it	2019-12-20 03:16:43 -05:00
Patrick Schleizer	4f65b0fc1e	refactoring	2019-12-20 03:13:27 -05:00
Patrick Schleizer	bfee6b60cb	comment	2019-12-20 03:11:11 -05:00
Patrick Schleizer	d64cdc1247	refactoring	2019-12-20 03:04:41 -05:00
Patrick Schleizer	7c5c65a6c1	comment	2019-12-20 03:04:13 -05:00
Patrick Schleizer	b31d8cd3fc	fix	2019-12-20 03:03:40 -05:00
Patrick Schleizer	c626290673	refactoring	2019-12-20 03:02:26 -05:00
Patrick Schleizer	d5ff1d6f28	refactoring	2019-12-20 03:00:39 -05:00
Patrick Schleizer	640ca1d24d	skip symlinks https://forums.whonix.org/t/kernel-hardening/7296/323?	2019-12-20 02:57:57 -05:00
Patrick Schleizer	cc8f795799	comment	2019-12-20 02:47:04 -05:00
Patrick Schleizer	4e5b222a08	comment	2019-12-20 02:43:33 -05:00
Patrick Schleizer	fa895ee11e	refactoring	2019-12-20 02:40:42 -05:00
Patrick Schleizer	2c163bf439	check string length of permission variable https://forums.whonix.org/t/kernel-hardening/7296/322	2019-12-20 02:39:53 -05:00
Patrick Schleizer	a89befd902	code simplification	2019-12-20 02:20:54 -05:00
Patrick Schleizer	72812da63f	comment	2019-12-20 02:16:32 -05:00
Patrick Schleizer	39a41cc27b	refactoring	2019-12-20 02:14:45 -05:00
Patrick Schleizer	2ed6452590	downgrade to info	2019-12-20 02:12:43 -05:00
Patrick Schleizer	a5e55dfcfc	quotes	2019-12-20 02:11:39 -05:00
Patrick Schleizer	3187cee4fb	output	2019-12-20 02:10:13 -05:00
Patrick Schleizer	5160b4c781	disable xtrace	2019-12-20 02:08:05 -05:00
Patrick Schleizer	27bfe95d25	add echo wrapper	2019-12-20 02:07:49 -05:00
Patrick Schleizer	a6988f3fb8	output	2019-12-20 02:06:31 -05:00
Patrick Schleizer	1819577b88	fix	2019-12-20 02:04:34 -05:00
Patrick Schleizer	278c60c5a0	exit non-zero if some line cannot be parsed therefore make systemd notice this therefore allow the sysadmin to notice this	2019-12-20 02:01:36 -05:00
Patrick Schleizer	66bcba8313	improve character whitelisting	2019-12-20 01:58:35 -05:00
Patrick Schleizer	8f14e808a9	send error messages to stderr	2019-12-20 01:32:49 -05:00
Patrick Schleizer	d8c9fac2e5	output	2019-12-20 01:32:08 -05:00
Patrick Schleizer	f19abaf627	refactoring	2019-12-20 01:31:37 -05:00
madaidan	3c2ca0257f	Support for removing SUID bits	2019-12-19 17:01:08 +00:00
Patrick Schleizer	4ca9fc5920	fix	2019-12-16 03:53:10 -05:00
Patrick Schleizer	f68efd53cf	remount /sys/kernel/security with nodev,nosuid[,noexec] as suggested by @madaidan http://forums.whonix.org/t/apparmor-for-complete-system-including-init-pid1-systemd-everything-full-system-mac-policy/8339/238	2019-12-16 03:52:09 -05:00
Patrick Schleizer	729fa26eca	use pam_acccess only for /etc/pam.d/login remove "Allow members of group 'ssh' to login." remove "+:ssh:ALL EXCEPT LOCAL"	2019-12-12 09:00:08 -05:00
Patrick Schleizer	b72eb30056	quotes	2019-12-09 02:32:05 -05:00
Patrick Schleizer	c258376b7e	use read (built-in) rather than awk (external)	2019-12-09 02:31:10 -05:00
Patrick Schleizer	02165201ab	read -r; refactoring as per https://mywiki.wooledge.org/BashFAQ/001	2019-12-09 02:23:43 -05:00
Patrick Schleizer	7467252122	quotes	2019-12-09 02:22:16 -05:00
madaidan	61e19fa5f1	Create permission-hardening	2019-12-08 16:49:28 +00:00
Patrick Schleizer	50ac03363f	output	2019-12-08 03:18:32 -05:00
Patrick Schleizer	3bd0b3f837	notify when attempting to use ssh but user is member of group ssh	2019-12-08 03:10:41 -05:00
madaidan	6846a94327	Check for more locations of System.map	2019-12-07 19:38:12 +00:00
madaidan	668b6420de	Remove hyphen	2019-12-07 14:15:02 +00:00
Patrick Schleizer	9ba84f34c6	comment	2019-12-07 06:51:59 -05:00
Patrick Schleizer	dc1dfc8c20	output	2019-12-07 06:51:16 -05:00
Patrick Schleizer	532a1525c2	comment	2019-12-07 06:26:55 -05:00
Patrick Schleizer	14aa6c5077	comment	2019-12-07 06:26:23 -05:00

1 2 3 4 5 ...

332 Commits