Patrick Schleizer
547757f451
Merge pull request #220 from raja-grewal/block_gps
...
Block Several GPS-related Modules
2024-05-10 06:45:34 -04:00
raja-grewal
f3800a4e2b
Create disabled-gps-by-security-misc
2024-05-09 02:25:46 +00:00
raja-grewal
132b41ae73
Revert logging of martians
2024-05-09 02:16:50 +00:00
Patrick Schleizer
7dba3fb7be
no longer disable MSR by default
...
fixes https://github.com/Kicksecure/security-misc/issues/215
2024-04-01 02:56:27 -04:00
Patrick Schleizer
ecaa024f22
lower debugging
2024-03-18 11:01:56 -04:00
Patrick Schleizer
a5206bde33
proc-hidepid.service
add gid=proc
...
This allows users that are a member of the `proc` group to be excluded from `hidepid` protections.
https://github.com/Kicksecure/security-misc/issues/208
2024-03-10 08:44:53 -04:00
Patrick Schleizer
6b76373395
fix panic-on-oops started every 10s in Qubes-Whonix
...
by changing from a /etc/profile.d etc. related mechanism to start to a systemd unit file based approach
Thanks to @marmarek for the bug report!
https://forums.whonix.org/t/panic-on-oops-started-every-10s/19450
2024-03-04 06:44:26 -05:00
Patrick Schleizer
808e72f24b
use long options
...
https://github.com/Kicksecure/security-misc/issues/172
2024-02-26 08:11:26 -05:00
Patrick Schleizer
2d1d1b246f
improve output
...
https://github.com/Kicksecure/security-misc/issues/172
2024-02-26 08:07:29 -05:00
Patrick Schleizer
d8f5376c4f
improve output
...
https://github.com/Kicksecure/security-misc/issues/172
2024-02-26 07:58:06 -05:00
Patrick Schleizer
cf84762a3a
improve output
...
https://github.com/Kicksecure/security-misc/issues/172
2024-02-26 07:52:41 -05:00
Patrick Schleizer
f2958bbfa5
comment
2024-02-26 07:49:30 -05:00
Patrick Schleizer
b23d167342
Merge pull request #204 from DanWin/sysfs-mount
...
Make /sys hardening optional and allow access to /sys/fs to make polkit work
2024-02-26 07:46:02 -05:00
Patrick Schleizer
d13d1aa7ec
comments
2024-02-22 15:07:53 -05:00
Patrick Schleizer
c3dd178b19
output
2024-02-22 14:57:50 -05:00
Daniel Winzen
ef44ecea44
Add option to disabe /sys hardening
2024-02-22 17:27:46 +01:00
Daniel Winzen
3bc1765dbb
Allow access to /sys/fs for polkit
2024-02-22 17:27:45 +01:00
Patrick Schleizer
37a7abdf0c
ConditionKernelCommandLine=!remountsecure=0
2024-02-22 11:07:01 -05:00
Patrick Schleizer
c0924321b8
fix systemd unit ExecStart
2024-02-22 09:52:36 -05:00
Patrick Schleizer
6d7cf3c12a
output
2024-02-22 09:49:48 -05:00
Patrick Schleizer
f7831db197
do not exit non-zero if folder does not exist
2024-02-22 09:17:41 -05:00
Patrick Schleizer
5bdd7b8475
output
2024-02-22 09:14:52 -05:00
Patrick Schleizer
44a15cd97d
mount --make-private
...
https://github.com/Kicksecure/security-misc/issues/172
2024-02-22 09:13:56 -05:00
Patrick Schleizer
c0f98b05b6
comment
...
https://github.com/Kicksecure/security-misc/pull/202
2024-02-22 06:03:59 -05:00
Patrick Schleizer
1e1613aa93
allow /opt exec as usually optional binaries are placed there such as firefox
...
https://github.com/Kicksecure/security-misc/pull/202
2024-02-22 06:02:28 -05:00
Patrick Schleizer
7c7b4b24b4
fix home_noexec_maybe -> most_noexec_maybe
...
https://github.com/Kicksecure/security-misc/pull/202
2024-02-22 06:02:00 -05:00
Patrick Schleizer
38783faf60
add more bind mounts of mount options hardening
...
as suggested in https://github.com/Kicksecure/security-misc/pull/202
2024-02-22 05:58:53 -05:00
Patrick Schleizer
3048e0ac76
usrmerge
...
https://github.com/Kicksecure/security-misc/issues/190
2024-01-17 13:54:07 -05:00
Patrick Schleizer
0efee2f50f
usrmerge
...
fixes https://github.com/Kicksecure/security-misc/issues/190
2024-01-17 13:39:56 -05:00
Patrick Schleizer
3ba8fe586e
update permission-hardener.service
...
Which is now only an additional opt-in systemd unit,
because permission-hardener is run by default at security-misc
package installation time.
https://github.com/Kicksecure/security-misc/pull/181
2024-01-16 09:23:54 -05:00
Patrick Schleizer
862bf6b5ab
Merge remote-tracking branch 'ben-grande/clean'
2024-01-16 08:19:28 -05:00
Patrick Schleizer
1199871d7b
undo IPv6 privacy due to potential server issues
...
https://github.com/Kicksecure/security-misc/issues/184
2024-01-07 06:37:34 -05:00
Patrick Schleizer
128bb01b35
undo IPv6 privacy due to potential server issues
...
https://github.com/Kicksecure/security-misc/issues/184
2024-01-07 06:36:25 -05:00
Patrick Schleizer
86f91e3030
revert umask 027 by default
...
because broken because this also happens for root while it should not
https://github.com/Kicksecure/security-misc/issues/185
2024-01-06 09:11:54 -05:00
Patrick Schleizer
3f1304403f
disable MAC randomization in Network Manager (NM) because it breaks VirtualBox DHCP
...
https://github.com/Kicksecure/security-misc/issues/184
2024-01-06 08:15:31 -05:00
Raja Grewal
74afcc9c63
Clarify validity of disabling io_uring
2024-01-03 17:52:23 +11:00
Ben Grande
bc02c72018
Fix unbound variable
...
- Run messages preceded by INFO;
- Comment unknown unused variables;
- Remove unnecessary variables; and
- Deal with unbound variable due to subshell by writing to a file;
2024-01-02 17:08:45 +01:00
Ben Grande
abf72c2ee4
Rename file permission hardening script
...
Hardener as the script is the agent that is hardening the file
permissions.
2024-01-02 13:34:29 +01:00
Ben Grande
f138cf0f78
Refactor permission-hardener
...
- Organize comments from default configuration;
- Apply and undo changes from a single file controlled by parameters;
- Arrays should be evaluated as arrays and not normal variables;
- Quote variables;
- Brackets around variables;
- Standardize test cases to "test" command;
- Test against empty or non-empty variables with "-z" and "-n";
- Show a usage message when necessary;
- Require root to run the script with informative message;
- Permit the user to see the help message without running as root;
- Do not create root directories without passing root check;
- Use long options for "set" command;
2024-01-02 12:17:16 +01:00
Patrick Schleizer
8daf97ab01
Merge pull request #178 from raja-grewal/io_uring
...
Disable asynchronous I/O
2024-01-02 05:29:35 -05:00
Patrick Schleizer
5b36599c0c
/dev/, /dev/shm, /tmp
...
https://github.com/Kicksecure/security-misc/issues/157#issuecomment-1869073716
2023-12-29 14:57:38 -05:00
Patrick Schleizer
c86c83cef7
formatting
...
https://github.com/Kicksecure/security-misc/issues/157
2023-12-25 10:31:58 -05:00
Patrick Schleizer
971ff687b1
do not mount /dev/cdrom by default
...
https://github.com/Kicksecure/security-misc/issues/157
2023-12-25 10:30:35 -05:00
Patrick Schleizer
9fce67fcd9
remove superfluous, broken remount
mount option
...
https://github.com/Kicksecure/security-misc/issues/157
2023-12-25 10:28:47 -05:00
Patrick Schleizer
40fd8cb608
no nofail
mount option to avoid breaking the boot of a system
...
unit testing belongs elsewhere
https://github.com/Kicksecure/security-misc/issues/157
2023-12-25 09:51:09 -05:00
Patrick Schleizer
4aa645f29f
comment
...
https://github.com/Kicksecure/security-misc/issues/157
2023-12-25 09:46:33 -05:00
Patrick Schleizer
2b7aeedb4a
mount /dev/cdrom to /mnt/cdrom (instead of /mnt/cdrom0) and
...
nodev,nosuid,noexec
as per:
https://www.debian.org/doc/manuals/securing-debian-manual/ch04s10.en.html
https://github.com/Kicksecure/security-misc/issues/157
2023-12-25 09:44:51 -05:00
Patrick Schleizer
0d9e9780da
formatting
...
https://github.com/Kicksecure/security-misc/issues/157
2023-12-25 09:37:14 -05:00
Patrick Schleizer
00f9ab4394
/dev devtmpfs
...
https://github.com/Kicksecure/security-misc/issues/157
2023-12-25 09:36:05 -05:00
Patrick Schleizer
55709b3aa0
/tmp tmpfs
...
https://github.com/Kicksecure/security-misc/issues/157
2023-12-25 09:30:57 -05:00