Patrick Schleizer
|
5a73817a95
|
move to /usr/lib/issue.d/20_security-misc.issue
https://github.com/Kicksecure/security-misc/pull/167
|
2023-12-04 11:38:49 -05:00 |
|
Patrick Schleizer
|
dfaea492c7
|
remove etc/issue.net.d/20_security-misc
since not mentioned on debian.org
|
2023-12-04 11:37:02 -05:00 |
|
Patrick Schleizer
|
36850f89fb
|
Merge pull request #167 from monsieuremre/patch-4
Non-Identifiable and Generic Issue Banners that include the Recommended Keywords
|
2023-12-04 11:27:16 -05:00 |
|
Patrick Schleizer
|
c9ea7a4dca
|
use amd_iommu=force_isolation instead of amd_iommu=force_enable
because we set `iommu=force` already anyhow
fixes https://github.com/Kicksecure/security-misc/issues/175
|
2023-12-04 11:02:55 -05:00 |
|
monsieuremre
|
f2ad8383cf
|
fix
|
2023-12-03 19:51:38 +00:00 |
|
monsieuremre
|
dd15823a97
|
undo superfluousness
|
2023-12-03 19:50:07 +00:00 |
|
monsieuremre
|
83e13bb62d
|
Update 40_enable_iommu.cfg
|
2023-12-03 19:42:34 +00:00 |
|
monsieuremre
|
0d7af9707f
|
Update 20_security-misc
|
2023-12-03 19:31:12 +00:00 |
|
monsieuremre
|
04d27a10b0
|
Update 20_security-misc
|
2023-12-03 19:30:55 +00:00 |
|
monsieuremre
|
c8b9f5a917
|
net
|
2023-11-18 10:03:19 +00:00 |
|
monsieuremre
|
3b614f3753
|
20_security-misc
|
2023-11-18 10:02:16 +00:00 |
|
Patrick Schleizer
|
5bb357cac0
|
spice-client-glib-usb-acl-helper matchwhitelist
|
2023-11-06 16:55:00 -05:00 |
|
Patrick Schleizer
|
7309445ee5
|
comment
|
2023-11-06 16:52:27 -05:00 |
|
Patrick Schleizer
|
f09d97fc9e
|
whitelist VirtualBox
|
2023-11-06 16:50:19 -05:00 |
|
Patrick Schleizer
|
64c8c7a8d5
|
whitelist SSH
|
2023-11-06 16:47:31 -05:00 |
|
Patrick Schleizer
|
9682b51d54
|
whitelist virtualbox
|
2023-11-06 16:44:36 -05:00 |
|
Patrick Schleizer
|
a40b9bc095
|
comments
|
2023-11-06 16:40:22 -05:00 |
|
Patrick Schleizer
|
2c1a3da433
|
VirtualBoxVM matchwhitelist
|
2023-11-06 16:38:50 -05:00 |
|
Patrick Schleizer
|
4e96ffaabb
|
chrome-sandbox matchwhitelist
|
2023-11-06 16:37:19 -05:00 |
|
Patrick Schleizer
|
51decff2fd
|
exclude qfile-unpacker from permission hardener
|
2023-11-05 16:03:36 -05:00 |
|
Patrick Schleizer
|
1900c1ab07
|
pam exclude from permission-hardener
|
2023-11-05 15:57:49 -05:00 |
|
Patrick Schleizer
|
5a75bcfb19
|
Merge pull request #145 from monsieuremre/wifi-and-bluetooth
Wifi and Bluetooth Patch | Security and Privacy
|
2023-11-05 14:49:00 -05:00 |
|
Patrick Schleizer
|
4946f85d43
|
Merge pull request #146 from monsieuremre/thunderbird
Thunderbird Hardening
|
2023-11-05 14:37:47 -05:00 |
|
Patrick Schleizer
|
97054b2b10
|
revert enabling kernel module signature enforcement
due to issues
https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/63
https://github.com/dell/dkms/issues/359
|
2023-11-03 15:55:17 -04:00 |
|
Patrick Schleizer
|
0242c04dc2
|
port to DKMS drop-in folder
undisplace /etc/dkms/framework.conf.security-misc
moved to /etc/dkms/framework.conf.d/30_security-misc.conf
|
2023-11-03 14:51:14 -04:00 |
|
Patrick Schleizer
|
d1b5a3ffd5
|
/usr/sbin/pam-tmpdir-helper exactwhitelist
https://github.com/Kicksecure/security-misc/pull/147
|
2023-11-03 12:55:34 -04:00 |
|
Patrick Schleizer
|
b6d53f698d
|
Revert "allow loading unsigned modules due to issues"
This reverts commit 661bcd8603 .
|
2023-11-03 12:17:00 -04:00 |
|
monsieuremre
|
1abac794b5
|
very secure and private defaults
|
2023-11-02 09:15:20 +00:00 |
|
monsieuremre
|
5a583ca48c
|
typo in file name
|
2023-11-02 08:30:26 +00:00 |
|
monsieuremre
|
229032d691
|
Rename etc/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf to usr/lib/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf
|
2023-11-01 17:54:05 +00:00 |
|
monsieuremre
|
1049298e7b
|
Update and rename etc/NetworkManager/conf.d/99_randomize-mac.conf to usr/lib/NetworkManager/conf.d/99_randomize-mac.conf
|
2023-11-01 17:52:40 +00:00 |
|
monsieuremre
|
76e684cc0a
|
Update and rename etc/NetworkManager/conf.d/99_ipv6-privacy.conf to usr/lib/NetworkManager/conf.d/99_ipv6-privacy.conf
|
2023-11-01 17:51:27 +00:00 |
|
monsieuremre
|
fc8e201e84
|
rename
|
2023-10-27 14:49:24 +00:00 |
|
monsieuremre
|
13b4ddbb62
|
30_security-misc.conf
|
2023-10-27 14:34:21 +00:00 |
|
monsieuremre
|
b298d152fc
|
30_security-misc.conf
|
2023-10-27 14:32:08 +00:00 |
|
monsieuremre
|
3d4b04fddc
|
99_ipv6-privacy.conf
|
2023-10-27 12:35:39 +00:00 |
|
monsieuremre
|
e90f62eaab
|
99_randomize_mac.conf
|
2023-10-27 12:34:15 +00:00 |
|
monsieuremre
|
604d839537
|
99_ipv6-privacy-extensions.conf
|
2023-10-27 12:30:26 +00:00 |
|
monsieuremre
|
f2c23a2831
|
ssh config
|
2023-10-27 10:53:45 +00:00 |
|
Patrick Schleizer
|
7cff267002
|
remove duplicates
|
2023-10-26 19:31:14 -04:00 |
|
monsieuremre
|
99355c6169
|
new lines 30_default.conf
|
2023-10-26 17:45:28 +00:00 |
|
Patrick Schleizer
|
b7c52800f4
|
renamed: etc/sysctl.d/30_security-misc.conf -> usr/lib/sysctl.d/30_security-misc.conf
renamed: etc/sysctl.d/30_security-misc_kexec-disable.conf -> usr/lib/sysctl.d/30_security-misc_kexec-disable.conf
renamed: etc/sysctl.d/30_silent-kernel-printk.conf -> usr/lib/sysctl.d/30_silent-kernel-printk.conf
|
2023-10-25 17:28:43 -04:00 |
|
Patrick Schleizer
|
f6d1346e2b
|
fix
|
2023-10-22 16:22:08 -04:00 |
|
Patrick Schleizer
|
11382881b5
|
comments
|
2023-10-22 16:12:26 -04:00 |
|
Patrick Schleizer
|
4288e10554
|
fix, rework remount-secure kernel parameters parsing
|
2023-10-22 13:25:31 -04:00 |
|
Patrick Schleizer
|
c409e3221e
|
implement remount-secure
|
2023-10-22 09:36:03 -04:00 |
|
Patrick Schleizer
|
ae2c1c5a7a
|
fix xession environment variable
|
2023-10-21 14:18:50 -04:00 |
|
Patrick Schleizer
|
d543825d85
|
comments
|
2023-10-21 12:24:59 -04:00 |
|
Patrick Schleizer
|
645ee814e4
|
fix
|
2023-10-13 15:22:48 -04:00 |
|
Patrick Schleizer
|
2d45241084
|
avoid duplicate environment variables
|
2023-10-12 11:37:01 -04:00 |
|
Patrick Schleizer
|
fa820e8978
|
refactoring environment variables loading mechanism
|
2023-10-12 10:40:27 -04:00 |
|
Patrick Schleizer
|
8a6baea990
|
comment
|
2023-06-22 16:16:15 +00:00 |
|
Raja Grewal
|
cf003dfad8
|
Update comments
|
2023-05-16 02:11:44 +10:00 |
|
Jeremy Rand
|
61f63255ac
|
vm.mmap_rnd_bits: Fix ppc64le
Probably fixes a bunch of other non-x86_64 arches too.
|
2023-04-24 23:07:39 +00:00 |
|
Patrick Schleizer
|
5c6db28881
|
Merge pull request #122 from raja-grewal/tcp
Remove outdated comment about SACK, DSACK, and FACK
|
2023-03-31 04:52:55 -04:00 |
|
Raja Grewal
|
ed5f8be9eb
|
Remove outdated comment about SACK, DSACK, and FACK
|
2023-03-30 19:17:43 +11:00 |
|
Raja Grewal
|
7a4212dd76
|
Update copyright
|
2023-03-30 17:08:47 +11:00 |
|
Patrick Schleizer
|
8c3204a5e4
|
comment
|
2023-01-25 15:20:30 -05:00 |
|
Patrick Schleizer
|
65c29f493b
|
move kexec disabling to dedicated file /etc/sysctl.d/30_security-misc_kexec-disable.conf
so ram-wipe can `config-package-dev` `hide` this config file
|
2023-01-25 15:13:19 -05:00 |
|
Patrick Schleizer
|
ad5d0d4b12
|
disable kexec (revert enabling kexec)
remove kexec-utils for ram-wipe since moved to its own package
|
2023-01-09 06:37:45 -05:00 |
|
Patrick Schleizer
|
87c4e77c01
|
migrate to ram-wipe package
|
2023-01-09 06:23:00 -05:00 |
|
Friedrich Doku
|
78a4fad667
|
Change echo to info. Included more reliable way of getting initrd and kernel. Allow user custom kexec
|
2023-01-07 11:14:31 -05:00 |
|
Raja Grewal
|
f81714be50
|
Merge branch 'Kicksecure:master' into framebuffer
|
2022-12-13 05:14:56 +00:00 |
|
Raja Grewal
|
d67845fea8
|
Typo
|
2022-12-13 16:11:24 +11:00 |
|
Patrick Schleizer
|
6d7a782624
|
fix
|
2022-11-24 07:21:46 -05:00 |
|
Raja Grewal
|
6f695902fb
|
Add comment about legacy Apple fiesystems
|
2022-11-23 23:53:40 +11:00 |
|
Patrick Schleizer
|
e5255a630a
|
pam-info: support non-root environments (such as during graphical display manager login and xscreensaver)
|
2022-11-22 05:57:30 -05:00 |
|
Raja Grewal
|
daa30d4e78
|
Include several framebuffer drivers into blacklist
These were previously commented out to test for compatibility issues.
|
2022-11-09 20:43:59 +11:00 |
|
Raja Grewal
|
92669dba18
|
Comment out machine check exception
|
2022-08-21 23:02:44 +10:00 |
|
Patrick Schleizer
|
0c5b1e9f57
|
undo "force kernel to panic on "oopses"
because implemented differently already
https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713
|
2022-07-23 07:49:56 -04:00 |
|
Raja Grewal
|
ca764d8de0
|
force kernel to panic on "oopses"
|
2022-07-20 04:06:35 +10:00 |
|
Raja Grewal
|
1660aaa6dd
|
update details around disabling SMT
|
2022-07-19 03:38:41 +10:00 |
|
Raja Grewal
|
bfd78a2c06
|
update SRBDS mitigation
|
2022-07-19 03:16:08 +10:00 |
|
Raja Grewal
|
c3ebb9160f
|
CPU mitigation - MMIO Stale Data
|
2022-07-19 02:33:16 +10:00 |
|
Raja Grewal
|
59e90ff122
|
CPU mitigation - L1D FLushing
|
2022-07-19 02:32:41 +10:00 |
|
Raja Grewal
|
8531fbf99d
|
CPU mitigation - SRBDS
|
2022-07-19 02:30:49 +10:00 |
|
Raja Grewal
|
73f1e23332
|
shuffle and rewording
|
2022-07-19 02:29:46 +10:00 |
|
Raja Grewal
|
39314b2912
|
Merge branch 'harden' of https://github.com/raja-grewal/security-misc into harden
|
2022-07-19 00:49:08 +10:00 |
|
Raja Grewal
|
bb831d57bc
|
delete repeated commands
|
2022-07-19 00:38:32 +10:00 |
|
Raja Grewal
|
c77a2a78bc
|
enforce default net.ipv6.icmp_ignore_bogus_error_responses
|
2022-07-19 00:37:31 +10:00 |
|
Raja Grewal
|
c4a1094760
|
Merge branch 'Kicksecure:master' into harden
|
2022-07-18 13:36:23 +00:00 |
|
Raja Grewal
|
a72bbb1883
|
Corrected kerenl module disabling
|
2022-07-13 23:42:13 +10:00 |
|
Raja Grewal
|
4e93b4d37e
|
Revert "enforce defualt net.ipv4.ip_forward"
This reverts commit 57b5b2145c .
|
2022-07-13 21:10:39 +10:00 |
|
Raja Grewal
|
a47922ad28
|
enforce of IOMMU TLB invalidation
|
2022-07-13 04:47:07 +10:00 |
|
Raja Grewal
|
33df16af80
|
disables random.trust_bootloader
|
2022-07-13 04:37:03 +10:00 |
|
Raja Grewal
|
d0779a96fc
|
add reference
|
2022-07-13 04:36:34 +10:00 |
|
Raja Grewal
|
74858d257b
|
enable randomize_kstack_offset
|
2022-07-13 04:34:35 +10:00 |
|
Raja Grewal
|
f572332108
|
disable slub_debug
|
2022-07-13 04:32:03 +10:00 |
|
Raja Grewal
|
57b5b2145c
|
enforce defualt net.ipv4.ip_forward
|
2022-07-13 04:30:43 +10:00 |
|
Raja Grewal
|
79156262c9
|
enforce default net.ipv4.icmp_ignore_bogus_error_responses
|
2022-07-13 04:29:42 +10:00 |
|
Raja Grewal
|
dabcaf22e1
|
enforce default kernel.randomize_va_space
|
2022-07-13 04:28:03 +10:00 |
|
Raja Grewal
|
48089e5ba4
|
More verbose kernel module blocking error logs
|
2022-07-12 17:02:12 +10:00 |
|
Raja Grewal
|
40ec791774
|
Updated comments
|
2022-07-12 16:58:16 +10:00 |
|
Raja Grewal
|
ef1ef9917d
|
Blacklist automatic loading of CD-ROM modules
|
2022-07-10 04:53:25 +10:00 |
|
Raja Grewal
|
61ef9bd59f
|
Incorporated Ubuntu’s kernel module blacklists
|
2022-07-10 04:52:00 +10:00 |
|
Patrick Schleizer
|
26b2c9727f
|
not blacklist CD-ROM / DVD yet
https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31
|
2022-07-07 15:39:40 -04:00 |
|
Patrick Schleizer
|
ca19d78d48
|
shuffle
|
2022-07-07 15:27:15 -04:00 |
|
Raja Grewal
|
780dc8eec9
|
replace /bin/false -> /bin/disabled-by-security-misc
|
2022-07-08 04:11:25 +10:00 |
|
Raja Grewal
|
fa2e30f512
|
Updated descriptions of disabled modules
|
2022-07-08 03:04:37 +10:00 |
|
Raja Grewal
|
da389d6682
|
Revert "replace /bin/false -> /bin/true"
This reverts commit f0511635a9 .
|
2022-07-08 02:12:04 +10:00 |
|