Commit Graph

2003 Commits

Author SHA1 Message Date
Patrick Schleizer
38783faf60
add more bind mounts of mount options hardening
as suggested in https://github.com/Kicksecure/security-misc/pull/202
2024-02-22 05:58:53 -05:00
Patrick Schleizer
ad9d913902
bumped changelog version 2024-02-03 18:28:27 +00:00
Patrick Schleizer
02090da08c
Merge remote-tracking branch 'github-kicksecure/master' 2024-02-03 12:51:07 -05:00
Patrick Schleizer
ba13657d89
Merge pull request #197 from raja-grewal/mitigations
Additional Explicit CPU Mitigations
2024-02-03 12:50:28 -05:00
raja-grewal
b16c99ab62
Remove hardcoded spec_rstack_overflow setting 2024-01-29 13:39:40 +00:00
raja-grewal
139b10a9aa
Control RAS overflow mitigation on AMD Zen CPUs 2024-01-29 12:59:13 +00:00
raja-grewal
6c54e35027
Enable mitigations for RETBleed vulnerability and disable SMT 2024-01-29 12:58:51 +00:00
raja-grewal
4509a5fc95
Enable known mitigations for CPU vulnerabilities and disable SMT 2024-01-29 12:58:14 +00:00
raja-grewal
4231155efa
Add reference for kernel parameters 2024-01-29 12:57:48 +00:00
Patrick Schleizer
8037ce52f9
bumped changelog version 2024-01-25 13:59:29 +00:00
Patrick Schleizer
185bfe7497
use interest-noawait instead of interest-await
fixes https://github.com/Kicksecure/security-misc/issues/196
2024-01-25 06:54:36 -05:00
Patrick Schleizer
64e41b113c
bumped changelog version 2024-01-18 14:10:51 +00:00
Patrick Schleizer
1855fa08b1
readme 2024-01-18 08:54:39 -05:00
Patrick Schleizer
f0e2a82b55
bumped changelog version 2024-01-17 19:18:25 +00:00
Patrick Schleizer
314e5b490c
use wildcards
instead of outdated, incomplete list

https://github.com/Kicksecure/security-misc/issues/160
2024-01-17 14:03:09 -05:00
Patrick Schleizer
08619d6a73
minor RPM updates
https://github.com/Kicksecure/security-misc/issues/160
2024-01-17 13:59:36 -05:00
Patrick Schleizer
3048e0ac76
usrmerge
https://github.com/Kicksecure/security-misc/issues/190
2024-01-17 13:54:07 -05:00
Patrick Schleizer
5a6cd4c2ab
remove now empty /bin from copying since it is empty after usrmerge
https://github.com/Kicksecure/security-misc/issues/190
2024-01-17 13:51:30 -05:00
Patrick Schleizer
071b984a1e
sort -d
https://github.com/Kicksecure/security-misc/issues/190
2024-01-17 13:49:05 -05:00
Patrick Schleizer
011e55e3e5
remove duplicates after usrmerge
https://github.com/Kicksecure/security-misc/issues/190
2024-01-17 13:45:17 -05:00
Patrick Schleizer
0efee2f50f
usrmerge
fixes https://github.com/Kicksecure/security-misc/issues/190
2024-01-17 13:39:56 -05:00
Patrick Schleizer
18a06935e0
run permission hardener when new packages are install files to /usr or /opt
(basically anywhere)

fixes https://github.com/Kicksecure/security-misc/issues/189
2024-01-17 13:23:20 -05:00
Patrick Schleizer
66e6371221
bumped changelog version 2024-01-16 14:26:34 +00:00
Patrick Schleizer
0d78ecaee3
README 2024-01-16 09:26:21 -05:00
Patrick Schleizer
3ba8fe586e
update permission-hardener.service
Which is now only an additional opt-in systemd unit,
because permission-hardener is run by default at security-misc
package installation time.

https://github.com/Kicksecure/security-misc/pull/181
2024-01-16 09:23:54 -05:00
Patrick Schleizer
186f6015da
bumped changelog version 2024-01-16 14:14:18 +00:00
Patrick Schleizer
6aa55698ab
delete legacy folder /etc/permission-hardening.d if empty
https://github.com/Kicksecure/security-misc/pull/181
2024-01-16 09:10:59 -05:00
Patrick Schleizer
9cafd78fe2
rm_conffile /etc/permission-hardening.d
https://github.com/Kicksecure/security-misc/pull/181
2024-01-16 09:05:09 -05:00
Patrick Schleizer
fa53848b5c
bumped changelog version 2024-01-16 13:58:55 +00:00
Patrick Schleizer
4f7973bc56
comment 2024-01-16 08:56:26 -05:00
Patrick Schleizer
ed7c09fc46
permission-hardening -> permission-hardener migration
mv --verbose /var/lib/permission-hardening /var/lib/permission-hardener

https://github.com/Kicksecure/security-misc/pull/181
2024-01-16 08:45:13 -05:00
Patrick Schleizer
a90cd43631
fix postinst for new permission-hardener
https://github.com/Kicksecure/security-misc/pull/181
2024-01-16 08:32:52 -05:00
Patrick Schleizer
862bf6b5ab
Merge remote-tracking branch 'ben-grande/clean' 2024-01-16 08:19:28 -05:00
Patrick Schleizer
dc8d9eece3
bumped changelog version 2024-01-09 05:52:49 +00:00
Patrick Schleizer
1199871d7b
undo IPv6 privacy due to potential server issues
https://github.com/Kicksecure/security-misc/issues/184
2024-01-07 06:37:34 -05:00
Patrick Schleizer
128bb01b35
undo IPv6 privacy due to potential server issues
https://github.com/Kicksecure/security-misc/issues/184
2024-01-07 06:36:25 -05:00
Patrick Schleizer
df0f9d3267
README 2024-01-06 09:19:57 -05:00
Patrick Schleizer
86f91e3030
revert umask 027 by default
because broken because this also happens for root while it should not

https://github.com/Kicksecure/security-misc/issues/185
2024-01-06 09:11:54 -05:00
Patrick Schleizer
3f1304403f
disable MAC randomization in Network Manager (NM) because it breaks VirtualBox DHCP
https://github.com/Kicksecure/security-misc/issues/184
2024-01-06 08:15:31 -05:00
Patrick Schleizer
e8f8dcd0fb
bumped changelog version 2024-01-04 02:03:26 +00:00
Patrick Schleizer
70a86fa994
Merge remote-tracking branch 'github-kicksecure/master' 2024-01-03 05:12:48 -05:00
Patrick Schleizer
71060f1f53
Merge pull request #182 from raja-grewal/io_uring
Clarify validity of disabling io_uring
2024-01-03 05:00:41 -05:00
Raja Grewal
74afcc9c63
Clarify validity of disabling io_uring 2024-01-03 17:52:23 +11:00
Ben Grande
bc02c72018
Fix unbound variable
- Run messages preceded by INFO;
- Comment unknown unused variables;
- Remove unnecessary variables; and
- Deal with unbound variable due to subshell by writing to a file;
2024-01-02 17:08:45 +01:00
Patrick Schleizer
db0503e71d
bumped changelog version 2024-01-02 14:55:13 +00:00
Ben Grande
abf72c2ee4
Rename file permission hardening script
Hardener as the script is the agent that is hardening the file
permissions.
2024-01-02 13:34:29 +01:00
Ben Grande
f138cf0f78
Refactor permission-hardener
- Organize comments from default configuration;
- Apply and undo changes from a single file controlled by parameters;
- Arrays should be evaluated as arrays and not normal variables;
- Quote variables;
- Brackets around variables;
- Standardize test cases to "test" command;
- Test against empty or non-empty variables with "-z" and "-n";
- Show a usage message when necessary;
- Require root to run the script with informative message;
- Permit the user to see the help message without running as root;
- Do not create root directories without passing root check;
- Use long options for "set" command;
2024-01-02 12:17:16 +01:00
Patrick Schleizer
a94f2a3f46
Merge remote-tracking branch 'github-kicksecure/master' 2024-01-02 05:30:49 -05:00
Patrick Schleizer
8daf97ab01
Merge pull request #178 from raja-grewal/io_uring
Disable asynchronous I/O
2024-01-02 05:29:35 -05:00
Patrick Schleizer
94c0e26a08
bumped changelog version 2023-12-29 20:15:50 +00:00