Commit Graph

201 Commits

Author SHA1 Message Date
Patrick Schleizer
7dc99d54c0
fix 2023-11-03 12:09:39 -04:00
Patrick Schleizer
2a602e78d6
Merge branch 'master' into PAM-tmp-files-hardening 2023-11-03 12:08:50 -04:00
Patrick Schleizer
cdd66ee376
wrap-and-sort 2023-11-03 10:48:46 -04:00
Patrick Schleizer
07540db90d
Revert "Revert "set default umask to 027""
This reverts commit f8913ceb2e.
2023-11-03 09:45:12 -04:00
Patrick Schleizer
f8913ceb2e
Revert "set default umask to 027"
This reverts commit cd216095eb.
2023-11-03 09:43:44 -04:00
Patrick Schleizer
cd216095eb
set default umask to 027
using package libpam-umask

https://www.debian.org/doc/manuals/securing-debian-manual/ch04s11.en.html#id-1.5.14.19

https://github.com/Kicksecure/security-misc/pull/151
2023-11-03 09:12:24 -04:00
monsieuremre
3ee4be652b
depend on libpam-tmpdir 2023-11-02 09:36:58 +00:00
Patrick Schleizer
81ad786dfc
Kicksecure 2023-07-17 11:19:07 -04:00
Patrick Schleizer
ab56b7ca0c
Kicksecure 2023-07-17 11:10:05 -04:00
Patrick Schleizer
94a326ec7f
bookworm 2023-06-21 09:11:31 +00:00
Patrick Schleizer
07b3ce0bcd
Standards-Version: 4.6.1.0 2023-06-12 16:22:32 +00:00
Raja Grewal
7a4212dd76
Update copyright 2023-03-30 17:08:47 +11:00
Patrick Schleizer
ad5d0d4b12
disable kexec (revert enabling kexec)
remove kexec-utils for ram-wipe since moved to its own package
2023-01-09 06:37:45 -05:00
Patrick Schleizer
1e19c2cbad
Depends: kexec-tools
required for cold boot attack defense second RAM wipe after reboot
2023-01-07 15:32:25 -05:00
Patrick Schleizer
38cdf2722b
- Wipe LUKS Disk Encryption Key for Root Disk from RAM during Shutdown to defeat Cold Boot Attacks
- Confirm in console output if encrypted mounts (root disk) is unmounted. (Because that is a pre-condition for wiping the LUKS full disk encryption key from RAM.)

Thanks to @friedy10!

https://github.com/friedy10/dracut/tree/master/modules.d/40sdmem

https://forums.whonix.org/t/is-ram-wipe-possible-inside-whonix-cold-boot-attack-defense/5596
2022-06-29 09:32:55 -04:00
Patrick Schleizer
2d37e3a1af
copyright 2022-05-20 14:46:38 -04:00
Patrick Schleizer
e2810f348b
Depends: libpam-modules-bin 2021-09-04 11:50:31 -04:00
Patrick Schleizer
5e3338f8d3
bullseye 2021-08-03 05:48:25 -04:00
Patrick Schleizer
a67007f4b7
copyright 2021-03-17 09:45:21 -04:00
Patrick Schleizer
611fbe2c61
description 2021-01-18 05:39:34 -05:00
madaidan
06ffd5d220
Restrict access to debugfs 2020-09-28 19:21:20 +00:00
Patrick Schleizer
72be31e870
disable proc-hidepid by default because incompatible with pkexec
and undo pkexec wrapper
2020-04-12 16:48:13 -04:00
Patrick Schleizer
565ff136e5
vm.swappiness=1
import from swappiness-lowest

https://forums.whonix.org/t/vm-swappiness-1-set-swapiness-to-lowest-setting-still-useful-swappiness-lowest/9278
2020-04-08 21:04:02 +00:00
Patrick Schleizer
a9d0baffe6
python -> python3 2020-04-08 16:57:32 +00:00
Patrick Schleizer
4153d8d088
apparmor-profile-anondist -> apparmor-profile-dist 2020-04-08 16:51:22 +00:00
Patrick Schleizer
663811a819
anon-base-files -> dist-base-files 2020-04-08 12:04:13 +00:00
Patrick Schleizer
5c81e1f23f
import from anon-gpg-conf 2020-04-06 09:25:45 -04:00
Patrick Schleizer
d9f2a0e4a1
remove 'Build-Depends: ronn' since no longer required 2020-04-01 17:34:59 -04:00
Patrick Schleizer
eda9c57a62
remove genmkfile 2020-04-01 16:57:33 -04:00
Patrick Schleizer
2ceea8d1fe
update copyright year 2020-04-01 08:49:59 -04:00
Patrick Schleizer
15dde15a36
typo 2020-03-03 09:42:24 -05:00
Patrick Schleizer
cd19c2da00
fix lintian warning 2020-03-03 09:18:24 -05:00
Patrick Schleizer
453aa8a4eb
Merge pull request #65 from madaidan/userfaultfd
Restrict the userfaultfd() syscall to root
2020-02-29 12:28:32 +00:00
Patrick Schleizer
e3e39f2235
Merge remote-tracking branch 'origin/master' 2020-02-29 05:01:41 -05:00
Patrick Schleizer
b31caefdeb
description 2020-02-29 04:59:02 -05:00
Patrick Schleizer
bd7678c574
Merge pull request #66 from madaidan/mce
Fix docs
2020-02-28 12:04:05 +00:00
madaidan
42d3b986c4
Update control 2020-02-27 17:41:14 +00:00
Patrick Schleizer
4043d2af3f
description 2020-02-25 02:06:48 -05:00
Patrick Schleizer
0e5187ff24
description 2020-02-25 02:00:27 -05:00
madaidan
60fbf8b0de
Update control 2020-02-24 18:24:07 +00:00
madaidan
8ea4e50c8e
Update control 2020-02-16 19:52:40 +00:00
Patrick Schleizer
1e5946c795
Merge branch 'master' into sysrq 2020-02-15 10:41:52 +00:00
madaidan
0f49736957
Update control 2020-02-14 18:18:18 +00:00
madaidan
ace6211176
Update control 2020-02-14 17:51:17 +00:00
Patrick Schleizer
ad6b766886
Merge pull request #57 from madaidan/sysctl
Prevent symlink/hardlink TOCTOU races
2020-02-13 18:40:58 +00:00
madaidan
2796c2dd00
Update control 2020-02-12 18:43:19 +00:00
madaidan
14f8458374
Update control 2020-02-12 18:05:32 +00:00
Patrick Schleizer
c1a0da60be
set kernel boot parameter l1tf=full,force and nosmt=force
https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17
2020-01-30 00:46:48 -05:00
Patrick Schleizer
f4c54881ac
description 2020-01-24 04:49:19 -05:00
Patrick Schleizer
a37da1c968
add digits to drop-in file names 2020-01-24 04:39:06 -05:00