Commit Graph

81 Commits

Author SHA1 Message Date
Patrick Schleizer
dbea7d1511
add hook etc/kernel/postinst.d/30_remove-system-map to remove system.map
on kernel package upgrade;

self-document this package: during upgrade the following will be written
to stdout:

Setting up linux-image-4.19.0-5-amd64 (4.19.37-5+deb10u2) ...
/etc/kernel/postinst.d/30_remove-system-map:
removed '/boot/System.map-4.19.0-5-amd64
2019-08-14 07:22:14 +00:00
madaidan
9a49b8ecbb
Create 40_only_allow_signed_modules.cfg
Require all loaded kernel modules to be signed with a valid key.
2019-08-13 13:33:07 +00:00
Patrick Schleizer
1c7441ddf1
alias /etc/securetty -> /etc/securetty.security-misc, 2019-07-17 21:16:14 +00:00
Patrick Schleizer
b153e8f7df
fix path 2019-07-17 21:02:48 +00:00
Patrick Schleizer
2299ed041f
passwordless recovery / emergency console
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211
bc5ca2de85

https://forums.whonix.org/t/restrict-root-access/7658/46
2019-07-17 20:36:51 +00:00
Patrick Schleizer
cb668459e8
port umask from /etc/pam.d to /usr/share/pam-configs implementation
https://forums.whonix.org/t/change-default-umask/7416
2019-07-13 10:35:10 -04:00
Patrick Schleizer
ac25733de8
remove etc/pam.d/common-password.security-misc rounds=65536
due to unclean implementation, see:

https://forums.whonix.org/t/restrict-root-access/7658/37
2019-07-13 14:01:53 +00:00
Patrick Schleizer
69b97981f3
convert etc/pam.d/su.security-misc to usr/share/pam-configs/wheel
https://forums.whonix.org/t/restrict-root-access/7658/32
2019-07-13 12:33:51 +00:00
Patrick Schleizer
4079632d1a
remove modifying to /etc/pam.d directly (unrelased)
config-package-dev displace /etc/securetty
remove trailing spaces

https://forums.whonix.org/t/restrict-root-access/7658/31
2019-07-13 11:41:37 +00:00
madaidan
b63d4ccb41
Update uncommon-network-protocols.conf 2019-07-11 15:28:56 +00:00
madaidan
4058e283a5
Blacklist more uncommon network protocols 2019-07-10 14:27:19 +00:00
madaidan
d70440aaed
Remove duplicate 2019-07-09 21:57:37 +00:00
madaidan
2d27bdd808
Blacklist more uncommon network protocols 2019-07-09 21:55:37 +00:00
Patrick Schleizer
3df6a44e98
also allow members of group sudo to run /usr/lib/security-misc/panic-on-oops 2019-07-09 06:56:23 -04:00
Patrick Schleizer
0f15303eb4
Merge branch 'master' into patch-16 2019-07-09 10:54:24 +00:00
madaidan
24d9eadcb2
Use 65536 hashing rounds 2019-07-08 23:19:59 +00:00
madaidan
86117d9577
Create common-password.security-misc 2019-07-08 23:19:19 +00:00
madaidan
8ad9a54b09
Don't allow root login from a terminal 2019-07-08 23:17:17 +00:00
madaidan
890298a3c8
Restrict su to users in the root group 2019-07-08 23:15:56 +00:00
madaidan
38099a2a5d
Create su.security-misc 2019-07-08 23:11:17 +00:00
madaidan
2a17427055
Create security-misc 2019-07-08 23:01:30 +00:00
madaidan
4ac700ded0
Create 50panic_on_oops 2019-07-08 22:59:39 +00:00
Patrick Schleizer
e543c4bf82
apparmor fixes (this broke whonixcheck apparmor profile) 2019-07-07 16:37:46 -04:00
Patrick Schleizer
3558a9949f
Enable APT seccomp sandboxing.
Thanks to @torjunkie for the suggestion!

https://forums.whonix.org/t/apt-seccomp-bpf-sandboxing/7702
2019-07-07 09:37:25 +00:00
madaidan
46409be8b6
Use install instead of blacklist 2019-07-04 14:25:28 +00:00
madaidan
eb7eaffba1
Blacklist n-hdlc 2019-07-04 14:24:44 +00:00
Patrick Schleizer
93c0821054
config-package-dev displace files for change umask
https://forums.whonix.org/t/change-default-umask/7416
2019-07-01 13:35:45 +00:00
Patrick Schleizer
a73f0566e9
change default umask to 006
session optional  pam_umask.so usergroups

https://forums.whonix.org/t/change-default-umask/7416/17
2019-07-01 13:25:23 +00:00
Patrick Schleizer
41b61e3277
revert to Debian buster original 2019-07-01 13:24:29 +00:00
madaidan
eedeaa0e7f
Update common-session-noninteractive 2019-06-30 13:12:59 +00:00
madaidan
a9af85f585
Update common-session 2019-06-30 13:12:16 +00:00
madaidan
1e1d29cfde
Create common-session-noninteractive 2019-06-30 13:11:31 +00:00
madaidan
501901f7c0
Change default umask to 006 2019-06-30 13:10:54 +00:00
madaidan
09a5c27f47
Create common-session 2019-06-30 13:10:29 +00:00
madaidan
a319333493
Create login.defs 2019-06-30 13:09:51 +00:00
madaidan
230ef34db4
Create disable-coredumps.conf 2019-06-30 00:19:04 +00:00
madaidan
1bf802f846
Create coredumps.conf 2019-06-30 00:16:50 +00:00
madaidan
f040081a59
Prevent setuid processes from creating coredumps. 2019-06-30 00:13:52 +00:00
Patrick Schleizer
ab312235ba
Merge pull request #14 from madaidan/patch-10
Add some hardening for other distributions
2019-06-28 06:59:16 +00:00
Patrick Schleizer
5e02100e34
Merge pull request #13 from madaidan/patch-9
Remove System.map and restrict the SysRq key.
2019-06-28 06:58:32 +00:00
Patrick Schleizer
7e12e16dc0
Merge pull request #11 from madaidan/patch-7
Protect against DMA attacks
2019-06-28 06:57:42 +00:00
madaidan
3801a53a9e
Update tcp_hardening.conf 2019-06-27 18:17:58 +00:00
madaidan
c54125270b
Create dmesg_restrict.conf 2019-06-27 18:15:57 +00:00
madaidan
01c839c815
Restrict what the SysRq key can do 2019-06-25 19:16:43 +00:00
Patrick Schleizer
2a6289980e
syntax fix
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt"

https://forums.whonix.org/t/kernel-hardening/7296/70
2019-06-23 18:46:52 +00:00
Patrick Schleizer
aec6da28e9
Merge pull request #10 from madaidan/patch-6
Enable more kernel hardening parameters
2019-06-23 18:45:24 +00:00
madaidan
641407c8e9
Enable IOMMU 2019-06-23 18:38:50 +00:00
madaidan
07c6362f1a
Blacklist thunderbolt and firewire 2019-06-23 18:34:45 +00:00
madaidan
2178fb37a8
Add more kernel hardening parameters 2019-06-23 17:54:34 +00:00
madaidan
807ac7d659
Create tcp_sack.conf 2019-06-22 16:08:30 +00:00