Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-11-25 15:07:11 -05:00
Code Issues Projects Releases Packages Wiki Activity
2967 commits 2 branches 291 tags 8.2 MiB
Commit graph

603 commits

Author SHA1 Message Date
Aaron Rainbolt
5fbd42bbec
Add kill-vboxdrmclient-on-shutdown.service 2025-11-09 18:38:54 -06:00
Patrick Schleizer
0391411885
revert Force immediate kernel panic on OOM. 
https://github.com/Kicksecure/security-misc/issues/324#issuecomment-3507949741
 2025-11-09 05:47:00 -05:00
Aaron Rainbolt
fa32ba6c4f
Suppress usbguard startup unless a USB controller is visible to lspci 2025-11-07 17:09:34 -06:00
Patrick Schleizer
1f093f8175
do not start usbguard-notifier if /sys/bus/usb does not exist 2025-10-22 00:37:36 -04:00
Aaron Rainbolt
29639fe69e
Merge remote-tracking branch 'raja/bad_ipv6_ra' into arraybolt3/trixie 2025-10-15 19:01:08 -05:00
Aaron Rainbolt
026d55ac41
Typo fixes 2025-10-15 18:30:52 -05:00
Aaron Rainbolt
35fce26476
Merge remote-tracking branch 'raja/stop_ptrace' into arraybolt3/trixie 2025-10-15 18:18:33 -05:00
raja-grewal
2304174171
Insert empty new line 2025-10-12 02:32:45 +00:00
raja-grewal
7161430a60
Seperate ptrace() disabling into own file 2025-10-12 02:27:48 +00:00
Patrick Schleizer
968de33c65
Force immediate kernel panic on OOM. 
This is to avoid security features such as the screen locker, kloak, emerg-shutdown
from being arbitrarily terminated when the system starts running out of memory.

https://forums.whonix.org/t/screen-locker-in-security-can-we-disable-these-at-least-4-backdoors/8128/14

https://github.com/Kicksecure/security-misc/issues/324

`vm.panic_on_oom=2`

implements https://github.com/Kicksecure/security-misc/issues/324
 2025-10-10 08:03:03 -04:00
raja-grewal
0c8f2f1b44
Add docs about the risks associated with IPv6 RAs 2025-10-02 07:05:00 +00:00
raja-grewal
194b8fce4e
Disable the usage of ptrace() by all processes 2025-09-28 03:20:24 +00:00
Aaron Rainbolt
2a39d5997c
security-misc split string changes 2025-09-21 16:06:11 -05:00
Patrick Schleizer
f70550d015
Split the security-misc into security-misc-shared, security-misc-desktop and security-misc-server: rename files 
https://github.com/Kicksecure/security-misc/issues/187
 2025-09-17 14:49:28 -04:00
Aaron Rainbolt
cd44a7e136
Disable memlockd service by default, fix systemd path 2025-08-22 16:00:25 -05:00
Aaron Rainbolt
28f44d2e1d
Disable emerg-shutdown and ensure-shutdown on Qubes OS 2025-08-22 15:50:28 -05:00
Aaron Rainbolt
53e930b4cc
Merge branch 'master' into arraybolt3/trixie 2025-08-21 20:09:48 -05:00
Aaron Rainbolt
df8a323d03
Fix XDG handling, replace Xfce with LXQt where appropriate, make USBGuard configuration work 2025-08-21 18:39:28 -05:00
raja-grewal
e48897cc44
Merge branch 'master' into panic_limits 2025-08-21 10:27:44 +10:00
raja-grewal
add054933b
Update docs on instant reboot when kernel panic 2025-08-21 00:24:28 +00:00
Patrick Schleizer
5d67277c9f
comments 2025-08-20 09:46:43 -04:00
raja-grewal
a471069378
Remove link 2025-08-19 11:03:05 +10:00
Aaron Rainbolt
b5a36e02f1
Merge remote-tracking branch 'raja/panic_limits' into arraybolt3/trixie 2025-08-17 13:52:01 -05:00
raja-grewal
6df3e3cde8
Update kernel panic service description 2025-08-17 06:32:11 +00:00
raja-grewal
247015bcc6
Set sysctl kernel.panic=-1 2025-08-17 06:27:44 +00:00
raja-grewal
c33f7d04e2
Remove duplicate comment 2025-08-16 03:32:48 +00:00
Aaron Rainbolt
a2a9e8440b
Merge branch 'trixie_docs' into arraybolt3/trixie 2025-08-15 16:06:35 -05:00
Aaron Rainbolt
4930703b8c
Merge branch 'master' into arraybolt3/trixie 2025-08-09 21:30:45 -05:00
Patrick Schleizer
046c932898
disable emerg-shutdown.service: 
Disabled due to bug: breaks ISO Live Mode Calamares installer
 2025-08-09 05:40:11 -04:00
Aaron Rainbolt
5f2425ba6f
Merge branch 'arraybolt3/emerg-shutdown' into arraybolt3/trixie 2025-08-06 20:21:01 -05:00
Aaron Rainbolt
44e7d3059a
Integrate emerg-shutdown into the initramfs 2025-08-06 19:10:14 -05:00
Aaron Rainbolt
86f44063eb
Port to Trixie. 2025-08-05 22:58:06 -05:00
raja-grewal
498551536c
Update docs 2025-08-06 03:12:06 +00:00
raja-grewal
45d20dd972
Upgrade sysctls and docs on kernel panics 2025-08-06 02:35:15 +00:00
Aaron Rainbolt
5a17e67c0a
Fix local-fs.target dependency in emerg-shutdown.service 2025-08-05 20:14:07 -05:00
Aaron Rainbolt
63f2909341
Fix emerg-shutdown and ensure-shutdown libexec scripts, start emerg-shutdown and ensure-shutdown earlier 2025-08-03 15:00:14 -05:00
Aaron Rainbolt
1a60da71ed
emerg-shutdown: Add shutdown timeout for preventing stuck shutdowns, briefly document feature set and usage 2025-07-29 21:16:51 -05:00
Aaron Rainbolt
e42078e90d
emerg-shutdown: fix the hang-on-shutdown bug, add autodetection of new keyboards, shutdown key configuration, and instant shutdown option 2025-07-28 20:43:54 -05:00
Aaron Rainbolt
e387086de4
Allow specifying alternative keys in panic key combo, fix optical disk eject handling 2025-07-15 00:01:50 -05:00
Aaron Rainbolt
2a7071055f
Merge branch 'master' into arraybolt3/emerg-shutdown 2025-07-13 15:21:34 -05:00
raja-grewal
bb208fb134
Merge branch 'Kicksecure:master' into erst 2025-07-02 11:35:50 +10:00
raja-grewal
4314b1e85b
Add comment 2025-07-01 13:36:39 +10:00
raja-grewal
dd0b55cc45
Add reference 2025-06-03 12:32:17 +10:00
Ashlen
3559bc86b7
fix(permission-hardener): ssh-agent gets 2755 perms 
Change from exactwhitelist to matchwhitelist. Discussion revealed that
there's a good reason to leave setgid in here, which is essentially
defense-in-depth (sometimes users may want to revert Kicksecure's
default of kernel.yama.ptrace_scope=2, e.g. to debug a program, and
Kicksecure should not be less secure than vanilla Debian in that
situation).
 2025-05-27 15:32:41 -06:00
Ashlen
7a079c3de8
fix(permission-hardener): add exactwhitelist here 
Without this, the permissions for ssh-agent won't be changed properly.
 2025-05-20 18:41:48 -06:00
Ashlen
94dc9da4ab
fix(permission-hardener): ssh-agent gets 755 perms 
Replace the commented-out matchwhitelist entry for ssh-agent with an
explicit permission entry (755) for /usr/bin/ssh-agent.

When ssh-agent's matchwhitelist entry was commented out in commit
7a5f8b87af, permission-hardener began resetting it to restrictive
defaults (744), preventing non-root users from executing ssh-agent. This
broke split SSH functionality in Qubes OS for me because I was using
Kicksecure in the vault qube, and ssh-agent runs under a non-root user in
that configuration (see https://forum.qubes-os.org/t/split-ssh/19060).

As noted in the comment, Debian installs with 2755 permissions as a way
to mitigate ptrace attacks, but this rationale doesn't apply due to
kernel.yama.ptrace_scope=2 being set in Kicksecure.
 2025-05-20 18:04:46 -06:00
Aaron Rainbolt
f3d46ee562
Add emergency shutdown feature, triggered by root device removal 2025-05-09 18:46:41 -05:00
Patrick Schleizer
9f2836d2ba
Merge pull request #304 from raja-grewal/stop_pstore 
Disable PStore
 2025-04-15 15:17:25 -04:00
Patrick Schleizer
39f4f5b607
comments 2025-04-08 06:53:08 -04:00
raja-grewal
f643ebc2f9
Disable pstore processing by systemd-pstore service 2025-03-16 03:28:39 +00:00