Commit Graph

1040 Commits

Author SHA1 Message Date
Patrick Schleizer
cd8efe5800
output 2019-12-20 11:03:22 -05:00
Patrick Schleizer
c0ddb76d74
bumped changelog version 2019-12-20 10:50:51 -05:00
Patrick Schleizer
b31abea0af
improve error handling 2019-12-20 10:49:31 -05:00
Patrick Schleizer
79cd3b86b6
comment 2019-12-20 10:47:23 -05:00
Patrick Schleizer
b3458cc6ee
fix checking existing entries to avoid needless calls to dpkg-statoverride 2019-12-20 10:45:59 -05:00
Patrick Schleizer
370f3c5e54
comment 2019-12-20 10:35:05 -05:00
Patrick Schleizer
133d09f298
output 2019-12-20 10:33:16 -05:00
Patrick Schleizer
1ffa8e197e
speed up setuid removal by using find with '-perm /u=s,g=s'
https://forums.whonix.org/t/permission-hardening/8655/19
2019-12-20 10:31:26 -05:00
Patrick Schleizer
4cfdf2c65b
fix, re-enforce nosuid even if changed on the disk 2019-12-20 10:21:27 -05:00
Patrick Schleizer
e36868e675
output 2019-12-20 10:02:46 -05:00
Patrick Schleizer
50b8f65490
add sanity test: count if we really processed all files 2019-12-20 09:59:28 -05:00
Patrick Schleizer
e28da89253
/bin/sudo whitelist / /bin/bwrap whitelist 2019-12-20 09:48:06 -05:00
Patrick Schleizer
55faa7b997
fix missing processing files bug
https://forums.whonix.org/t/permission-hardening/8655/16
2019-12-20 09:43:23 -05:00
Patrick Schleizer
fbe2479f48
count processed file system objects
to be able to verify if any were "forgotten"
2019-12-20 08:54:56 -05:00
Patrick Schleizer
195ea522f5
fix 2019-12-20 08:52:14 -05:00
Patrick Schleizer
6f8231be70
debugging 2019-12-20 08:51:55 -05:00
Patrick Schleizer
ed50f98010
output 2019-12-20 08:47:22 -05:00
Patrick Schleizer
089c40135f
bumped changelog version 2019-12-20 08:15:00 -05:00
Patrick Schleizer
6d30e3b4a2
do not remove suid from whitelisted binaries ever
https://forums.whonix.org/t/permission-hardening/8655/13
2019-12-20 08:13:23 -05:00
Patrick Schleizer
d5f1bd8dd2
fix mode sanity check
no longer use seq due to issue

https://forums.whonix.org/t/permission-hardening/8655/13
2019-12-20 08:02:30 -05:00
Patrick Schleizer
ddc0eec63d
bumped changelog version 2019-12-20 07:12:36 -05:00
Patrick Schleizer
65248a94ef
readme 2019-12-20 07:06:50 -05:00
Patrick Schleizer
8e112c3423
description 2019-12-20 06:53:24 -05:00
Patrick Schleizer
24ea70384b
description 2019-12-20 06:53:03 -05:00
Patrick Schleizer
0ae3e689b5
comment 2019-12-20 06:35:02 -05:00
Patrick Schleizer
050f4d8b94
comment 2019-12-20 06:34:37 -05:00
Patrick Schleizer
36043fe5cc
comment 2019-12-20 06:33:41 -05:00
Patrick Schleizer
fb4254547b
comment 2019-12-20 06:32:04 -05:00
Patrick Schleizer
cca0908d9a
fix 2019-12-20 06:11:38 -05:00
Patrick Schleizer
e254b8b52d
fix 2019-12-20 06:09:17 -05:00
Patrick Schleizer
7f8b3c76de
output 2019-12-20 06:02:17 -05:00
Patrick Schleizer
071c64dc41
enable 'set -e' 2019-12-20 06:01:49 -05:00
Patrick Schleizer
b97c66707c
minor 2019-12-20 05:59:05 -05:00
Patrick Schleizer
17b4f12276
output 2019-12-20 05:58:42 -05:00
Patrick Schleizer
48fe7312bf
update config 2019-12-20 05:57:41 -05:00
Patrick Schleizer
87d820d84c
comment 2019-12-20 05:54:16 -05:00
Patrick Schleizer
918cbb4e25
output 2019-12-20 05:51:25 -05:00
Patrick Schleizer
c8cf09a4cb
output 2019-12-20 05:50:16 -05:00
Patrick Schleizer
46466c12ad
parse drop-in config folder rather than only one config file 2019-12-20 05:49:11 -05:00
Patrick Schleizer
66fd31189d
improve output if set-user-id / set-group-id is set 2019-12-20 05:37:33 -05:00
Patrick Schleizer
6dd6530fa5
remove hardening-enable
please invent package security-paranoid instead

https://forums.whonix.org/t/security-hardening-tool-usr-bin-hardening-enable-by-security-misc/8609
2019-12-20 05:32:26 -05:00
Patrick Schleizer
6c8127e3cd
remove "/lib/ nosuid" from permission hardening
Takes 1 minute to parse. No SUID binaries there by default.
remount-secure mounts it with nosuid anyhow.
Therefore no processing it here.
2019-12-20 05:29:37 -05:00
Patrick Schleizer
af0f074987
remount /lib with nosuid,nodev
https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707/22
2019-12-20 05:27:11 -05:00
Patrick Schleizer
7f20160477
comment 2019-12-20 05:24:00 -05:00
Patrick Schleizer
a135ae9400
use must manually enable permission-hardening.service
until development finished
2019-12-20 05:22:59 -05:00
Patrick Schleizer
fa6f1e1568
output 2019-12-20 05:19:39 -05:00
Patrick Schleizer
a26cb94bfd
globstar no longer required 2019-12-20 04:49:21 -05:00
Patrick Schleizer
c66e9abe18
comment 2019-12-20 04:48:57 -05:00
Patrick Schleizer
d1d0afff34
fix
fso: /lib/
usr/lib/security-misc/permission-hardening: line 19: /usr/bin/stat: Argument list too long

https://forums.whonix.org/t/kernel-hardening/7296/326
2019-12-20 04:48:02 -05:00
Patrick Schleizer
e74d2e4f94
output 2019-12-20 04:23:14 -05:00