Patrick Schleizer
|
ae2c1c5a7a
|
fix xession environment variable
|
2023-10-21 14:18:50 -04:00 |
|
Patrick Schleizer
|
d543825d85
|
comments
|
2023-10-21 12:24:59 -04:00 |
|
Patrick Schleizer
|
645ee814e4
|
fix
|
2023-10-13 15:22:48 -04:00 |
|
Patrick Schleizer
|
2d45241084
|
avoid duplicate environment variables
|
2023-10-12 11:37:01 -04:00 |
|
Patrick Schleizer
|
fa820e8978
|
refactoring environment variables loading mechanism
|
2023-10-12 10:40:27 -04:00 |
|
Patrick Schleizer
|
8a6baea990
|
comment
|
2023-06-22 16:16:15 +00:00 |
|
Raja Grewal
|
cf003dfad8
|
Update comments
|
2023-05-16 02:11:44 +10:00 |
|
Jeremy Rand
|
61f63255ac
|
vm.mmap_rnd_bits: Fix ppc64le
Probably fixes a bunch of other non-x86_64 arches too.
|
2023-04-24 23:07:39 +00:00 |
|
Patrick Schleizer
|
5c6db28881
|
Merge pull request #122 from raja-grewal/tcp
Remove outdated comment about SACK, DSACK, and FACK
|
2023-03-31 04:52:55 -04:00 |
|
Raja Grewal
|
ed5f8be9eb
|
Remove outdated comment about SACK, DSACK, and FACK
|
2023-03-30 19:17:43 +11:00 |
|
Raja Grewal
|
7a4212dd76
|
Update copyright
|
2023-03-30 17:08:47 +11:00 |
|
Patrick Schleizer
|
8c3204a5e4
|
comment
|
2023-01-25 15:20:30 -05:00 |
|
Patrick Schleizer
|
65c29f493b
|
move kexec disabling to dedicated file /etc/sysctl.d/30_security-misc_kexec-disable.conf
so ram-wipe can `config-package-dev` `hide` this config file
|
2023-01-25 15:13:19 -05:00 |
|
Patrick Schleizer
|
ad5d0d4b12
|
disable kexec (revert enabling kexec)
remove kexec-utils for ram-wipe since moved to its own package
|
2023-01-09 06:37:45 -05:00 |
|
Patrick Schleizer
|
87c4e77c01
|
migrate to ram-wipe package
|
2023-01-09 06:23:00 -05:00 |
|
Friedrich Doku
|
78a4fad667
|
Change echo to info. Included more reliable way of getting initrd and kernel. Allow user custom kexec
|
2023-01-07 11:14:31 -05:00 |
|
Raja Grewal
|
f81714be50
|
Merge branch 'Kicksecure:master' into framebuffer
|
2022-12-13 05:14:56 +00:00 |
|
Raja Grewal
|
d67845fea8
|
Typo
|
2022-12-13 16:11:24 +11:00 |
|
Patrick Schleizer
|
6d7a782624
|
fix
|
2022-11-24 07:21:46 -05:00 |
|
Raja Grewal
|
6f695902fb
|
Add comment about legacy Apple fiesystems
|
2022-11-23 23:53:40 +11:00 |
|
Patrick Schleizer
|
e5255a630a
|
pam-info: support non-root environments (such as during graphical display manager login and xscreensaver)
|
2022-11-22 05:57:30 -05:00 |
|
Raja Grewal
|
daa30d4e78
|
Include several framebuffer drivers into blacklist
These were previously commented out to test for compatibility issues.
|
2022-11-09 20:43:59 +11:00 |
|
Raja Grewal
|
92669dba18
|
Comment out machine check exception
|
2022-08-21 23:02:44 +10:00 |
|
Patrick Schleizer
|
0c5b1e9f57
|
undo "force kernel to panic on "oopses"
because implemented differently already
https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713
|
2022-07-23 07:49:56 -04:00 |
|
Raja Grewal
|
ca764d8de0
|
force kernel to panic on "oopses"
|
2022-07-20 04:06:35 +10:00 |
|
Raja Grewal
|
1660aaa6dd
|
update details around disabling SMT
|
2022-07-19 03:38:41 +10:00 |
|
Raja Grewal
|
bfd78a2c06
|
update SRBDS mitigation
|
2022-07-19 03:16:08 +10:00 |
|
Raja Grewal
|
c3ebb9160f
|
CPU mitigation - MMIO Stale Data
|
2022-07-19 02:33:16 +10:00 |
|
Raja Grewal
|
59e90ff122
|
CPU mitigation - L1D FLushing
|
2022-07-19 02:32:41 +10:00 |
|
Raja Grewal
|
8531fbf99d
|
CPU mitigation - SRBDS
|
2022-07-19 02:30:49 +10:00 |
|
Raja Grewal
|
73f1e23332
|
shuffle and rewording
|
2022-07-19 02:29:46 +10:00 |
|
Raja Grewal
|
39314b2912
|
Merge branch 'harden' of https://github.com/raja-grewal/security-misc into harden
|
2022-07-19 00:49:08 +10:00 |
|
Raja Grewal
|
bb831d57bc
|
delete repeated commands
|
2022-07-19 00:38:32 +10:00 |
|
Raja Grewal
|
c77a2a78bc
|
enforce default net.ipv6.icmp_ignore_bogus_error_responses
|
2022-07-19 00:37:31 +10:00 |
|
Raja Grewal
|
c4a1094760
|
Merge branch 'Kicksecure:master' into harden
|
2022-07-18 13:36:23 +00:00 |
|
Raja Grewal
|
a72bbb1883
|
Corrected kerenl module disabling
|
2022-07-13 23:42:13 +10:00 |
|
Raja Grewal
|
4e93b4d37e
|
Revert "enforce defualt net.ipv4.ip_forward"
This reverts commit 57b5b2145c.
|
2022-07-13 21:10:39 +10:00 |
|
Raja Grewal
|
a47922ad28
|
enforce of IOMMU TLB invalidation
|
2022-07-13 04:47:07 +10:00 |
|
Raja Grewal
|
33df16af80
|
disables random.trust_bootloader
|
2022-07-13 04:37:03 +10:00 |
|
Raja Grewal
|
d0779a96fc
|
add reference
|
2022-07-13 04:36:34 +10:00 |
|
Raja Grewal
|
74858d257b
|
enable randomize_kstack_offset
|
2022-07-13 04:34:35 +10:00 |
|
Raja Grewal
|
f572332108
|
disable slub_debug
|
2022-07-13 04:32:03 +10:00 |
|
Raja Grewal
|
57b5b2145c
|
enforce defualt net.ipv4.ip_forward
|
2022-07-13 04:30:43 +10:00 |
|
Raja Grewal
|
79156262c9
|
enforce default net.ipv4.icmp_ignore_bogus_error_responses
|
2022-07-13 04:29:42 +10:00 |
|
Raja Grewal
|
dabcaf22e1
|
enforce default kernel.randomize_va_space
|
2022-07-13 04:28:03 +10:00 |
|
Raja Grewal
|
48089e5ba4
|
More verbose kernel module blocking error logs
|
2022-07-12 17:02:12 +10:00 |
|
Raja Grewal
|
40ec791774
|
Updated comments
|
2022-07-12 16:58:16 +10:00 |
|
Raja Grewal
|
ef1ef9917d
|
Blacklist automatic loading of CD-ROM modules
|
2022-07-10 04:53:25 +10:00 |
|
Raja Grewal
|
61ef9bd59f
|
Incorporated Ubuntu’s kernel module blacklists
|
2022-07-10 04:52:00 +10:00 |
|
Patrick Schleizer
|
26b2c9727f
|
not blacklist CD-ROM / DVD yet
https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31
|
2022-07-07 15:39:40 -04:00 |
|
Patrick Schleizer
|
ca19d78d48
|
shuffle
|
2022-07-07 15:27:15 -04:00 |
|
Raja Grewal
|
780dc8eec9
|
replace /bin/false -> /bin/disabled-by-security-misc
|
2022-07-08 04:11:25 +10:00 |
|
Raja Grewal
|
fa2e30f512
|
Updated descriptions of disabled modules
|
2022-07-08 03:04:37 +10:00 |
|
Raja Grewal
|
da389d6682
|
Revert "replace /bin/false -> /bin/true"
This reverts commit f0511635a9.
|
2022-07-08 02:12:04 +10:00 |
|
raja-grewal
|
f0511635a9
|
replace /bin/false -> /bin/true
|
2022-07-07 09:27:53 +00:00 |
|
raja-grewal
|
18d67dbc53
|
Blacklist more modules
|
2022-07-07 09:26:55 +00:00 |
|
Patrick Schleizer
|
1c0e071948
|
comments
|
2022-07-05 10:45:55 -04:00 |
|
Patrick Schleizer
|
5d47f5f74c
|
comments
|
2022-07-05 10:45:09 -04:00 |
|
Patrick Schleizer
|
435c689cf9
|
comments
|
2022-07-05 10:44:28 -04:00 |
|
Patrick Schleizer
|
c20d588d78
|
comments
|
2022-07-05 10:42:37 -04:00 |
|
Patrick Schleizer
|
b342ce930e
|
add /etc/default/grub.d/40_cold_boot_attack_defense.cfg
|
2022-07-05 10:28:22 -04:00 |
|
Patrick Schleizer
|
67eaf8c916
|
comments
|
2022-06-29 11:40:38 -04:00 |
|
Patrick Schleizer
|
72908d6b0d
|
comments
|
2022-06-29 11:34:55 -04:00 |
|
Patrick Schleizer
|
55d16e1602
|
remove unicode
|
2022-06-08 09:04:03 -04:00 |
|
Patrick Schleizer
|
fcaec49675
|
Merge remote-tracking branch 'github-kicksecure/master'
|
2022-06-08 08:20:24 -04:00 |
|
Patrick Schleizer
|
5c43197f10
|
minor
|
2022-06-08 08:11:28 -04:00 |
|
Kuri Schlarb
|
6e8f584d88
|
permission-hardening: Keep pam_unix.so password checking helper SetGID shadow
|
2022-06-08 05:29:42 +00:00 |
|
Kuri Schlarb
|
3910e4ee15
|
permission-hardening: Keep passwd executable but non-SetUID
|
2022-06-07 08:11:51 +00:00 |
|
Patrick Schleizer
|
2d37e3a1af
|
copyright
|
2022-05-20 14:46:38 -04:00 |
|
Patrick Schleizer
|
bb0307290b
|
update link
|
2022-04-16 14:18:35 -04:00 |
|
Patrick Schleizer
|
c72567dbd2
|
fix
|
2021-09-14 14:18:44 -04:00 |
|
Patrick Schleizer
|
d62bbaab82
|
fix, unduplicate kernel command line
|
2021-09-12 11:40:58 -04:00 |
|
Patrick Schleizer
|
bd31b4085c
|
remove Debian buster support in /etc/default/grub.d
|
2021-09-09 12:16:18 -04:00 |
|
Patrick Schleizer
|
ac0c492663
|
do not set kernel parameter quiet loglevel=0 for recovery boot option
for easier debugging
|
2021-09-06 08:22:55 -04:00 |
|
Patrick Schleizer
|
49902b8c56
|
move grub quiet to separate config file /etc/default/grub.d/41_quiet.cfg
|
2021-09-06 08:19:41 -04:00 |
|
Patrick Schleizer
|
f5b0e4b5b8
|
debugging
|
2021-09-06 04:55:16 -04:00 |
|
Patrick Schleizer
|
6257bfa926
|
debugging
|
2021-09-05 15:54:20 -04:00 |
|
Patrick Schleizer
|
a4e18a2ae8
|
dracut reproducible=yes
|
2021-09-04 18:28:37 -04:00 |
|
Patrick Schleizer
|
db43cedcfd
|
LANG=C str_replace
|
2021-08-22 05:23:24 -04:00 |
|
Patrick Schleizer
|
582492d6d8
|
port from pam_tally2 to pam_faillock
since pam_tally2 was deprecated upstream
|
2021-08-10 17:13:00 -04:00 |
|
Patrick Schleizer
|
50bdd097df
|
move /usr/lib/security-misc to /usr/libexec/security-misc as per lintian FHS
|
2021-08-03 12:56:31 -04:00 |
|
Patrick Schleizer
|
0492f28aa1
|
enable "apt-get --error-on=any" by default
makes apt exit non-zero for transient failures
`/etc/apt/apt.conf.d/40error-on-any`
https://forums.whonix.org/t/debian-bullseye-apt-get-error-on-any/12068
|
2021-08-03 12:37:39 -04:00 |
|
Patrick Schleizer
|
c94281121e
|
comment
|
2021-08-01 16:37:02 -04:00 |
|
Patrick Schleizer
|
eff5af0318
|
https://forums.whonix.org/t/restrict-root-access/7658/116
|
2021-06-20 10:16:33 -04:00 |
|
madaidan
|
97d8db3f74
|
Restrict sudo's file permissions
|
2021-06-05 19:16:42 +00:00 |
|
Patrick Schleizer
|
d87bee37f7
|
comment
|
2021-06-01 07:21:18 -04:00 |
|
Patrick Schleizer
|
809930c021
|
comment
|
2021-06-01 05:36:01 -04:00 |
|
Patrick Schleizer
|
e2afd00627
|
modify DKMS configuration file /etc/dkms/framework.conf
Lower parallel compilation jobs to 1 if less than 2 GB RAM to avoid freezing of virtual machines.
`parallel_jobs=1`
This does not necessarily belong into security-misc, however likely
security-misc will need to modify `/etc/dkms/framework.conf` in the future to
enable kernel module signing.
https://forums.whonix.org/t/linux-kernel-runtime-guard-lkrg-linux-kernel-runtime-integrity-checking-and-exploit-detection/8477/26
https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/58
|
2021-04-29 11:14:30 -04:00 |
|
Patrick Schleizer
|
3ba3b37187
|
add /etc/dkms/framework.conf.security-misc
original, from
- https://github.com/dell/dkms/blob/master/dkms_framework.conf
- https://raw.githubusercontent.com/dell/dkms/master/dkms_framework.conf
https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/58
|
2021-04-29 11:08:30 -04:00 |
|
Patrick Schleizer
|
a67007f4b7
|
copyright
|
2021-03-17 09:45:21 -04:00 |
|
Patrick Schleizer
|
a1819e8cab
|
comment
|
2021-03-01 09:15:44 -05:00 |
|
Kenton Groombridge
|
4db7d6be64
|
hide-hardware-info: allow unrestricting selinuxfs
On SELinux systems, the /sys/fs/selinux directory must be visible to
userspace utilities in order to function properly.
|
2021-02-06 03:02:08 -05:00 |
|
Patrick Schleizer
|
a258f35f38
|
comment
|
2021-01-05 02:11:08 -05:00 |
|
Patrick Schleizer
|
b2b614ed2a
|
cover more folders in /usr/local
|
2020-12-06 04:15:52 -05:00 |
|
Patrick Schleizer
|
5bd267d774
|
refactoring
|
2020-12-06 04:10:50 -05:00 |
|
Patrick Schleizer
|
11cdce02a0
|
refactoring
|
2020-12-06 04:10:10 -05:00 |
|
Patrick Schleizer
|
f73c55f16c
|
/opt
https://forums.whonix.org/t/suid-disabler-and-permission-hardener/7706/68
|
2020-12-06 04:08:58 -05:00 |
|
Patrick Schleizer
|
c031f22995
|
SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists
`whitelists_disable_all=true`
|
2020-12-01 05:14:48 -05:00 |
|
Patrick Schleizer
|
b09cc0de6a
|
Revert "SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists"
This reverts commit 36a471ebce.
|
2020-12-01 05:10:26 -05:00 |
|
Patrick Schleizer
|
704f0500ba
|
fix, rename 40_default_whitelist_[...].conf to 25_default_whitelist_[...].conf
since whitelist needs to be defined before SUID removal commands
|
2020-12-01 05:03:16 -05:00 |
|