security-misc

mirror of https://github.com/Kicksecure/security-misc.git synced 2024-10-01 08:25:45 -04:00

Author	SHA1	Message	Date
Patrick Schleizer	453aa8a4eb	Merge pull request #65 from madaidan/userfaultfd Restrict the userfaultfd() syscall to root	2020-02-29 12:28:32 +00:00
Patrick Schleizer	e3e39f2235	Merge remote-tracking branch 'origin/master'	2020-02-29 05:01:41 -05:00
Patrick Schleizer	b31caefdeb	description	2020-02-29 04:59:02 -05:00
Patrick Schleizer	bd7678c574	Merge pull request #66 from madaidan/mce Fix docs	2020-02-28 12:04:05 +00:00
madaidan	42d3b986c4	Update control	2020-02-27 17:41:14 +00:00
Patrick Schleizer	4043d2af3f	description	2020-02-25 02:06:48 -05:00
Patrick Schleizer	0e5187ff24	description	2020-02-25 02:00:27 -05:00
madaidan	60fbf8b0de	Update control	2020-02-24 18:24:07 +00:00
madaidan	8ea4e50c8e	Update control	2020-02-16 19:52:40 +00:00
Patrick Schleizer	1e5946c795	Merge branch 'master' into sysrq	2020-02-15 10:41:52 +00:00
madaidan	0f49736957	Update control	2020-02-14 18:18:18 +00:00
madaidan	ace6211176	Update control	2020-02-14 17:51:17 +00:00
Patrick Schleizer	ad6b766886	Merge pull request #57 from madaidan/sysctl Prevent symlink/hardlink TOCTOU races	2020-02-13 18:40:58 +00:00
madaidan	2796c2dd00	Update control	2020-02-12 18:43:19 +00:00
madaidan	14f8458374	Update control	2020-02-12 18:05:32 +00:00
Patrick Schleizer	c1a0da60be	set kernel boot parameter `l1tf=full,force` and `nosmt=force` https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17	2020-01-30 00:46:48 -05:00
Patrick Schleizer	f4c54881ac	description	2020-01-24 04:49:19 -05:00
Patrick Schleizer	a37da1c968	add digits to drop-in file names	2020-01-24 04:39:06 -05:00
Patrick Schleizer	3a4d283169	description	2020-01-24 04:33:30 -05:00
Patrick Schleizer	8616728ce0	remove duplicate	2020-01-24 03:35:15 -05:00
madaidan	1df48a226d	Update control	2020-01-15 20:30:17 +00:00
Patrick Schleizer	0618b53464	fix lintian warning	2020-01-15 11:35:07 -05:00
Patrick Schleizer	528c5fc4c4	Merge branch 'master' into sysctl-initramfs	2020-01-15 11:02:03 +00:00
madaidan	0953bbe1d7	Update control	2020-01-13 21:05:35 +00:00
madaidan	9dc43eae38	Description	2020-01-12 21:42:07 +00:00
Patrick Schleizer	61a2d390a7	lintian	2020-01-11 15:15:12 -05:00
madaidan	6088444c37	Update control	2020-01-11 18:38:17 +00:00
Patrick Schleizer	9ec5b0ee82	description: lockdown not enabled yet	2019-12-23 03:38:49 -05:00
Patrick Schleizer	1ff51ee061	merge	2019-12-23 03:37:28 -05:00
Patrick Schleizer	3670fcf48b	depend on libcap2-bin for setcap / getcap / capsh	2019-12-23 00:49:33 -05:00
madaidan	8f11a520f4	Update control	2019-12-22 13:54:16 +00:00
Patrick Schleizer	b74e5ca972	comment	2019-12-21 07:47:00 -05:00
Patrick Schleizer	ed20980f4c	refactoring	2019-12-21 05:07:10 -05:00
Patrick Schleizer	8e112c3423	description	2019-12-20 06:53:24 -05:00
Patrick Schleizer	24ea70384b	description	2019-12-20 06:53:03 -05:00
Patrick Schleizer	2c4170e6f3	description	2019-12-12 09:47:58 -05:00
Patrick Schleizer	2d5ef378f3	description	2019-12-12 09:39:39 -05:00
Patrick Schleizer	c192644ee3	security-misc `/usr/share/pam-configs/permission-lockdown-security-misc` is no longer required, removed. Thereby fix apparmor issue. > Dec 08 09:47:50 host audit[3232]: AVC apparmor="DENIED" operation="exec" profile="/usr/bin/whonixcheck" name="/usr/lib/security-misc/permission-lockdown" pid=3232 comm="sudo" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 > Dec 08 09:47:50 host sudo[3232]: pam_exec(sudo:session): execve(/usr/lib/security-misc/permission-lockdown,...) failed: Permission denied It is no longer required, because... existing linux user accounts: * Get permission lock down because security-misc `debian/security-misc.postinst` calls `/usr/lib/security-misc/permission-lockdown`. new linux user accounts (created at first boot): * security-misc `/usr/share/pam-configs/mkhomedir-security-misc` pam mkhomedir sets secure permissions using `umask=027`.	2019-12-08 05:21:35 -05:00
Patrick Schleizer	1dbca1ea2d	add usr/bin/hardening-enable	2019-12-08 02:27:09 -05:00
Patrick Schleizer	24423b42f0	description	2019-12-08 02:03:05 -05:00
Patrick Schleizer	66bebefc9f	description	2019-12-08 02:00:23 -05:00
Patrick Schleizer	b871421a54	usr/share/pam-configs/console-lockdown -> usr/share/pam-configs/console-lockdown-security-misc	2019-12-08 01:57:43 -05:00
Patrick Schleizer	1464f01d19	description	2019-12-08 01:30:42 -05:00
Patrick Schleizer	55225aa30e	description	2019-12-07 07:16:07 -05:00
Patrick Schleizer	34a2bc16c8	description	2019-12-07 07:15:58 -05:00
Patrick Schleizer	d823f06c78	description	2019-12-07 07:13:42 -05:00
Patrick Schleizer	090ddbe96a	description	2019-12-07 06:00:41 -05:00
Patrick Schleizer	6479c883bf	Console Lockdown. Allow members of group 'console' to use tty1 to tty7. Everyone else except members of group 'console-unrestricted' are restricted from using console using ancient, unpopular login methods such as using /bin/login over networks, which might be exploitable. (CVE-2001-0797) Not enabled by default in this package since this package does not know which users shall be added to group 'console'. In new Whonix builds, user 'user" will be added to group 'console' and pam console-lockdown enabled by package anon-base-files. /usr/share/pam-configs/console-lockdown /etc/security/access-security-misc.conf https://forums.whonix.org/t/etc-security-hardening/8592	2019-12-07 05:40:20 -05:00
Patrick Schleizer	6d92d03b31	description	2019-12-07 01:54:50 -05:00
Patrick Schleizer	470cad6e91	remount /home /tmp /dev/shm /run with nosuid,nodev (default) and noexec (opt-in) https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707	2019-12-06 05:14:02 -05:00

1 2 3 4

169 Commits