Ashlen
3559bc86b7
fix(permission-hardener): ssh-agent gets 2755 perms
...
Change from exactwhitelist to matchwhitelist. Discussion revealed that
there's a good reason to leave setgid in here, which is essentially
defense-in-depth (sometimes users may want to revert Kicksecure's
default of kernel.yama.ptrace_scope=2, e.g. to debug a program, and
Kicksecure should not be less secure than vanilla Debian in that
situation).
2025-05-27 15:32:41 -06:00
Ashlen
7a079c3de8
fix(permission-hardener): add exactwhitelist here
...
Without this, the permissions for ssh-agent won't be changed properly.
2025-05-20 18:41:48 -06:00
Ashlen
94dc9da4ab
fix(permission-hardener): ssh-agent gets 755 perms
...
Replace the commented-out matchwhitelist entry for ssh-agent with an
explicit permission entry (755) for /usr/bin/ssh-agent.
When ssh-agent's matchwhitelist entry was commented out in commit
7a5f8b87afhttps://forum.qubes-os.org/t/split-ssh/19060 ).
As noted in the comment, Debian installs with 2755 permissions as a way
to mitigate ptrace attacks, but this rationale doesn't apply due to
kernel.yama.ptrace_scope=2 being set in Kicksecure.
2025-05-20 18:04:46 -06:00
Patrick Schleizer
9f2836d2ba
Merge pull request #304 from raja-grewal/stop_pstore
...
Disable PStore
2025-04-15 15:17:25 -04:00
Patrick Schleizer
39f4f5b607
comments
2025-04-08 06:53:08 -04:00
raja-grewal
f643ebc2f9
Disable pstore processing by systemd-pstore service
2025-03-16 03:28:39 +00:00
raja-grewal
ce4b57d1cb
Update docs on kernel panics
2025-02-03 00:31:45 +00:00
Patrick Schleizer
df9d058ed9
usrmerge
2025-01-20 06:28:16 -05:00
Patrick Schleizer
4e0d5a196c
delete comment only configuration file (moved to user-sysmaint-split)
2025-01-20 04:30:26 -05:00
Patrick Schleizer
1b4d1edfc3
comments
2025-01-20 04:29:42 -05:00
Patrick Schleizer
eec2e2c8ee
comment
2025-01-14 04:13:39 -05:00
Patrick Schleizer
6d282226ef
comment
2025-01-14 04:12:12 -05:00
Patrick Schleizer
466308e4f9
permission hardener: disable SUID for chrome-sandbox
2025-01-14 04:09:57 -05:00
Patrick Schleizer
7a5f8b87af
permission hardener: disable SUID for ssh-agent, ssh-keysign, /lib/openssh/*
...
This might break SSH host-based authentication.
2025-01-14 04:06:44 -05:00
Patrick Schleizer
d89ffcde30
comment
2025-01-14 04:04:09 -05:00
Patrick Schleizer
9f1759ba0e
comment
2025-01-14 03:56:55 -05:00
Patrick Schleizer
0ac85ea9f5
comment
2025-01-14 03:54:35 -05:00
Patrick Schleizer
fce6a5f830
comment
2025-01-14 03:51:43 -05:00
Patrick Schleizer
1e99404813
comment
2025-01-14 03:50:16 -05:00
Patrick Schleizer
b198591537
comment
2025-01-14 03:49:42 -05:00
Patrick Schleizer
7d44db2cb2
usrmerge
2025-01-14 03:49:15 -05:00
Patrick Schleizer
1b33e83529
Merge pull request #291 from raja-grewal/drop_gratuitous_arp
...
Drop gratuitous ARP packets
2025-01-10 10:29:30 -05:00
Patrick Schleizer
486757bfae
Merge pull request #290 from raja-grewal/arp_ignore
...
Respond to ARP requests only if the target IP address is on-link
2025-01-10 10:29:12 -05:00
Patrick Schleizer
17ff249150
Merge pull request #289 from raja-grewal/arp_filter
...
Enable ARP filtering
2025-01-10 10:28:48 -05:00
Patrick Schleizer
27d19ba568
Merge pull request #288 from raja-grewal/shared_media
...
Deny sending and receiving shared media redirects
2025-01-10 10:28:05 -05:00
Patrick Schleizer
3a31cc99b3
Merge remote-tracking branch 'ArrayBolt3/arraybolt3/usrmerge'
2025-01-09 09:30:58 -05:00
raja-grewal
1f8eee4720
Add missing sentence full stop
2025-01-08 18:36:00 +11:00
Aaron Rainbolt
5941195e96
Don't worry about files under /bin anymore, Bookworm uses a merged /usr directory
2025-01-07 14:10:46 -06:00
Aaron Rainbolt
895c0f541f
Merge branch 'master' into arraybolt3/permission-hardener-refactor
2025-01-01 15:04:01 -06:00
Patrick Schleizer
33114f771a
copyright
2024-12-31 13:26:21 -05:00
Aaron Rainbolt
dbcb612517
Polish permission-hardener refactor
2024-12-26 00:43:26 -06:00
Aaron Rainbolt
83d3867959
Refactor permission-hardener to be more idempotent
2024-12-25 16:53:55 -06:00
Patrick Schleizer
ad6e1f5ad4
move from /etc/permission-hardener.d to /usr/lib/permission-hardener.d
2024-12-20 00:41:06 -05:00
raja-grewal
2e6e1701a0
Set net.ipv4.conf.*.drop_gratuitous_arp=1
2024-12-19 10:35:08 +00:00
raja-grewal
c37f4efadf
Set net.ipv4.conf.*.arp_ignore=2
2024-12-19 10:33:49 +00:00
raja-grewal
af1d06973b
Set net.ipv4.conf.*.arp_filter=1
2024-12-19 10:31:43 +00:00
raja-grewal
750367a906
Set net.ipv4.conf.*.shared_media=0
2024-12-19 10:29:56 +00:00
Patrick Schleizer
c7f7196471
Merge pull request #287 from raja-grewal/patch
...
Refactor and add two CPU mitigations
2024-12-19 00:31:25 -05:00
Patrick Schleizer
e5b67e044b
Merge pull request #279 from raja-grewal/arp
...
Provide network-related hardening options via `sysctl`'s
2024-12-19 00:15:02 -05:00
raja-grewal
3749f8ff09
Update presentation on user namespaces
2024-12-18 03:36:09 +00:00
raja-grewal
ca3a73ac13
Typo
2024-12-17 11:37:10 +00:00
raja-grewal
c116796854
arp_ignore: Add reference to 2024-12-10 Mullvad VPN audit details
2024-12-12 06:36:47 +00:00
Patrick Schleizer
ef95b3f9a5
Revert "fix panic-on-oops.service"
...
This reverts commit 862d23cb10
2024-11-14 14:41:14 -05:00
raja-grewal
412b371e85
Merge branch 'Kicksecure:master' into arp
2024-11-13 16:47:57 +11:00
raja-grewal
141b84c40d
Provide option to deny sending and receiving shared media redirects
2024-11-13 05:42:56 +00:00
raja-grewal
18aec201bf
Provide option to harden response to ARP requests
2024-11-13 05:41:25 +00:00
raja-grewal
a25d4f8df8
Provide option to enable ARP filtering
2024-11-13 05:40:21 +00:00
raja-grewal
c2aae73ce1
Add reference and move text
2024-11-13 05:38:03 +00:00
Patrick Schleizer
862d23cb10
fix panic-on-oops.service
...
remove `After=multi-user.target` because already using `WantedBy=multi-user.target`
Thanks to @ArrayBolt3 for the bug report!
2024-11-11 05:36:41 -05:00
raja-grewal
a1d1f97955
Provide option to drop gratuitous ARP packets
2024-11-08 03:58:23 +00:00
