security-misc

mirror of https://github.com/Kicksecure/security-misc.git synced 2024-10-01 08:25:45 -04:00

Author	SHA1	Message	Date
madaidan	535c258b83	More kernel hardening	2019-12-23 03:35:07 -05:00
Patrick Schleizer	11b4192fbd	comments	2019-12-23 03:28:42 -05:00
Patrick Schleizer	2152fa2d61	comment	2019-12-23 02:38:53 -05:00
Patrick Schleizer	f8f2e6c704	fix disablewhitelist feature	2019-12-23 02:35:13 -05:00
Patrick Schleizer	47ddcad0c0	rename keyword whitelist to exactwhitelist add new keyword disablewhitelist refactoring	2019-12-23 02:29:47 -05:00
Patrick Schleizer	1ff56625a1	polkit-agent-helper-1 matchwhitelist to match both - /usr/lib/policykit-1/polkit-agent-helper-1 matchwhitelist - /lib/policykit-1/polkit-agent-helper-1	2019-12-23 01:42:03 -05:00
Patrick Schleizer	d484b299ea	matchwhitelist /qubes/qfile-unpacker to match both - /usr/lib/qubes/qfile-unpacker whitelist - /lib/qubes/qfile-unpacker	2019-12-23 01:38:31 -05:00
Patrick Schleizer	58a4e0bc7d	dbus-daemon-launch-helper matchwhitelist	2019-12-22 19:12:10 -05:00
Patrick Schleizer	15e3a2832d	comment	2019-12-22 18:57:23 -05:00
Patrick Schleizer	6eb8fd257a	suid utempter/utempter matchwhitelist to cover both: /usr/lib/x86_64-linux-gnu/utempter/utempter /lib/x86_64-linux-gnu/utempter/utempter	2019-12-22 18:56:36 -05:00
Patrick Schleizer	bce02ffdc0	Merge pull request #47 from madaidan/msr Blacklist CPU MSRs	2019-12-22 15:26:07 +00:00
madaidan	dd93b11321	Blacklist CPU MSRs	2019-12-22 13:52:43 +00:00
Patrick Schleizer	2ddf7b5db5	/lib/ nosuid	2019-12-21 14:06:51 -05:00
Patrick Schleizer	2350e0f5d0	Merge remote-tracking branch 'origin/master'	2019-12-21 06:57:10 -05:00
Patrick Schleizer	efd65a3f15	Merge pull request #45 from madaidan/apparmor Delete apparmor profiles	2019-12-21 11:56:31 +00:00
Patrick Schleizer	3ea587187e	no need to exclude xorg nosuid on Debian http://forums.whonix.org/t/permission-hardening/8655/25	2019-12-21 06:53:07 -05:00
madaidan	c28ddf5c4d	Delete usr.lib.security-misc.pam_tally2-info	2019-12-20 22:44:31 +00:00
madaidan	cfe69dd669	Delete usr.lib.security-misc.permission-lockdown	2019-12-20 22:44:27 +00:00
Patrick Schleizer	d220bb3bc4	suid /usr/lib/chromium/chrome-sandbox whitelist	2019-12-20 13:07:01 -05:00
Patrick Schleizer	77b3dd5d6b	comments	2019-12-20 13:02:33 -05:00
Patrick Schleizer	d7bd477e73	add "/usr/lib/xorg/Xorg.wrap whitelist" until this is researched https://manpages.debian.org/buster/xserver-xorg-legacy/Xorg.wrap.1.en.html https://lwn.net/Articles/590315/	2019-12-20 12:59:27 -05:00
Patrick Schleizer	17e8605119	add matchwhitelist feature add "/usr/lib/virtualbox/ matchwhitelist"	2019-12-20 12:57:24 -05:00
Patrick Schleizer	3fab387669	suid /usr/bin/firejail whitelist There is a controversy about firejail but those who choose to install it should be able to use it. https://www.whonix.org/wiki/Dev/Firejail#Security	2019-12-20 12:50:35 -05:00
Patrick Schleizer	d3f16a5bf4	sgid /usr/lib/qubes/qfile-unpacker whitelist	2019-12-20 12:47:10 -05:00
Patrick Schleizer	508ec0c6fa	comment	2019-12-20 12:34:07 -05:00
Patrick Schleizer	1b569ea790	comment	2019-12-20 12:32:36 -05:00
Patrick Schleizer	e28da89253	/bin/sudo whitelist / /bin/bwrap whitelist	2019-12-20 09:48:06 -05:00
Patrick Schleizer	6d30e3b4a2	do not remove suid from whitelisted binaries ever https://forums.whonix.org/t/permission-hardening/8655/13	2019-12-20 08:13:23 -05:00
Patrick Schleizer	48fe7312bf	update config	2019-12-20 05:57:41 -05:00
Patrick Schleizer	87d820d84c	comment	2019-12-20 05:54:16 -05:00
Patrick Schleizer	46466c12ad	parse drop-in config folder rather than only one config file	2019-12-20 05:49:11 -05:00
Patrick Schleizer	6c8127e3cd	remove "/lib/ nosuid" from permission hardening Takes 1 minute to parse. No SUID binaries there by default. remount-secure mounts it with nosuid anyhow. Therefore no processing it here.	2019-12-20 05:29:37 -05:00
Patrick Schleizer	788a2c1ba3	comment	2019-12-20 03:45:01 -05:00
madaidan	9df7407286	Remove SUID bits	2019-12-19 17:01:33 +00:00
Patrick Schleizer	729fa26eca	use pam_acccess only for /etc/pam.d/login remove "Allow members of group 'ssh' to login." remove "+:ssh:ALL EXCEPT LOCAL"	2019-12-12 09:00:08 -05:00
madaidan	6c564f6e95	Create permission-hardening.conf	2019-12-08 16:50:11 +00:00
Patrick Schleizer	9432d16378	/usr/bin/cat mrix,	2019-12-07 12:13:42 -05:00
Patrick Schleizer	c1800b13fe	separate group "ssh" for incoming ssh console permission Thanks to @madaidan https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/16	2019-12-07 11:26:39 -05:00
Patrick Schleizer	8636d2f629	add securetty	2019-12-07 06:51:10 -05:00
Patrick Schleizer	8b3f5a555b	add console lockdown to pam info output	2019-12-07 06:25:45 -05:00
Patrick Schleizer	021b06dac9	add hvc0 to hvc9	2019-12-07 06:04:45 -05:00
Patrick Schleizer	8a59662a44	comment	2019-12-07 06:02:45 -05:00
Patrick Schleizer	cda6724755	add pts/0 to pts/9	2019-12-07 05:56:57 -05:00
Patrick Schleizer	218cbddba9	comment	2019-12-07 05:52:06 -05:00
Patrick Schleizer	6479c883bf	Console Lockdown. Allow members of group 'console' to use tty1 to tty7. Everyone else except members of group 'console-unrestricted' are restricted from using console using ancient, unpopular login methods such as using /bin/login over networks, which might be exploitable. (CVE-2001-0797) Not enabled by default in this package since this package does not know which users shall be added to group 'console'. In new Whonix builds, user 'user" will be added to group 'console' and pam console-lockdown enabled by package anon-base-files. /usr/share/pam-configs/console-lockdown /etc/security/access-security-misc.conf https://forums.whonix.org/t/etc-security-hardening/8592	2019-12-07 05:40:20 -05:00
Patrick Schleizer	8cf5ed990a	comment	2019-12-05 15:52:24 -05:00
madaidan	30289c68c2	Enable reverse path filtering	2019-12-05 20:13:10 +00:00
Patrick Schleizer	0c25a96b59	description / comments	2019-12-03 02:18:32 -05:00
madaidan	5da2a27bf0	Distrust the CPU for initial entropy	2019-12-02 16:43:00 +00:00
madaidan	d9d6d07714	/dev/pts/[0-9]* rw,	2019-11-26 17:12:12 +00:00

1 2 3 4

174 Commits