Patrick Schleizer | f3ff32ddbb | 2019-12-30 06:39:24 -05:00
Protect /bin/mount from 'chmod -x'.
/bin/mount exactwhitelist
/usr/bin/mount exactwhitelist
Remove SUID from 'mount' but keep executable.
/bin/mount 745 root root
/usr/bin/mount 745 root root
https://forums.whonix.org/t/disable-suid-binaries/7706/61

Patrick Schleizer | e5623fcd2b | 2019-12-29 04:21:52 -05:00
comment

Patrick Schleizer | 674840e6f9 | 2019-12-26 05:44:35 -05:00
/fusermount matchwhitelist
unbreak AppImages such as electrum Bitcoin wallet
https://forums.whonix.org/t/disable-suid-binaries/7706/57

Patrick Schleizer | ede536913d | 2019-12-24 06:00:41 -05:00
no longer hardcode amd64

Patrick Schleizer | 27a42a9da8 | 2019-12-24 10:55:11 +00:00
Merge pull request #50 from madaidan/modules
Make /lib/modules unreadable

Patrick Schleizer | ac49c55d1f | 2019-12-24 10:55:03 +00:00
Merge pull request #49 from madaidan/kver
Detect kernel upgrades

madaidan | 79241c5d09 | 2019-12-23 20:28:29 +00:00
Make /lib/modules unreadable

madaidan | 98e88d1456 | 2019-12-23 19:57:43 +00:00
Detect kernel upgrades

madaidan | d1a0650fd9 | 2019-12-23 19:44:52 +00:00
Use only one slub_debug parameter

Patrick Schleizer | 9d77d88a4d | 2019-12-23 09:39:50 -05:00
comments

Patrick Schleizer | 3e131174d5 | 2019-12-23 05:00:35 -05:00
comments

Patrick Schleizer | 9f072ce4f9 | 2019-12-23 03:46:02 -05:00
comment

Patrick Schleizer | 26fe9394ff | 2019-12-23 03:41:54 -05:00
disable lockdown for now due to module loading

madaidan | 535c258b83 | 2019-12-23 03:35:07 -05:00
More kernel hardening

Patrick Schleizer | 11b4192fbd | 2019-12-23 03:28:42 -05:00
comments

Patrick Schleizer | 2152fa2d61 | 2019-12-23 02:38:53 -05:00
comment

Patrick Schleizer | f8f2e6c704 | 2019-12-23 02:35:13 -05:00
fix disablewhitelist feature

Patrick Schleizer | 47ddcad0c0 | 2019-12-23 02:29:47 -05:00
rename keyword whitelist to exactwhitelist
add new keyword disablewhitelist
refactoring

Patrick Schleizer | 1ff56625a1 | 2019-12-23 01:42:03 -05:00
polkit-agent-helper-1 matchwhitelist to match both
- /usr/lib/policykit-1/polkit-agent-helper-1 matchwhitelist
- /lib/policykit-1/polkit-agent-helper-1

Patrick Schleizer | d484b299ea | 2019-12-23 01:38:31 -05:00
matchwhitelist /qubes/qfile-unpacker to match both
- /usr/lib/qubes/qfile-unpacker whitelist
- /lib/qubes/qfile-unpacker

Patrick Schleizer | 58a4e0bc7d | 2019-12-22 19:12:10 -05:00
dbus-daemon-launch-helper matchwhitelist

Patrick Schleizer | 15e3a2832d | 2019-12-22 18:57:23 -05:00
comment

Patrick Schleizer | 6eb8fd257a | 2019-12-22 18:56:36 -05:00
suid utempter/utempter matchwhitelist
to cover both:
/usr/lib/x86_64-linux-gnu/utempter/utempter
/lib/x86_64-linux-gnu/utempter/utempter

Patrick Schleizer | bce02ffdc0 | 2019-12-22 15:26:07 +00:00
Merge pull request #47 from madaidan/msr
Blacklist CPU MSRs

madaidan | dd93b11321 | 2019-12-22 13:52:43 +00:00
Blacklist CPU MSRs

Patrick Schleizer | 2ddf7b5db5 | 2019-12-21 14:06:51 -05:00
/lib/ nosuid

Patrick Schleizer | 2350e0f5d0 | 2019-12-21 06:57:10 -05:00
Merge remote-tracking branch 'origin/master'

Patrick Schleizer | efd65a3f15 | 2019-12-21 11:56:31 +00:00
Merge pull request #45 from madaidan/apparmor
Delete apparmor profiles

Patrick Schleizer | 3ea587187e | 2019-12-21 06:53:07 -05:00
no need to exclude xorg nosuid on Debian
http://forums.whonix.org/t/permission-hardening/8655/25

madaidan | c28ddf5c4d | 2019-12-20 22:44:31 +00:00
Delete usr.lib.security-misc.pam_tally2-info

madaidan | cfe69dd669 | 2019-12-20 22:44:27 +00:00
Delete usr.lib.security-misc.permission-lockdown

Patrick Schleizer | d220bb3bc4 | 2019-12-20 13:07:01 -05:00
suid /usr/lib/chromium/chrome-sandbox whitelist

Patrick Schleizer | 77b3dd5d6b | 2019-12-20 13:02:33 -05:00
comments

Patrick Schleizer | d7bd477e73 | 2019-12-20 12:59:27 -05:00
add "/usr/lib/xorg/Xorg.wrap whitelist"
until this is researched
https://manpages.debian.org/buster/xserver-xorg-legacy/Xorg.wrap.1.en.html
https://lwn.net/Articles/590315/

Patrick Schleizer | 17e8605119 | 2019-12-20 12:57:24 -05:00
add matchwhitelist feature
add "/usr/lib/virtualbox/ matchwhitelist"

Patrick Schleizer | 3fab387669 | 2019-12-20 12:50:35 -05:00
suid /usr/bin/firejail whitelist
There is a controversy about firejail, but those who choose to install it
should be able to use it.
https://www.whonix.org/wiki/Dev/Firejail#Security

Patrick Schleizer | d3f16a5bf4 | 2019-12-20 12:47:10 -05:00
sgid /usr/lib/qubes/qfile-unpacker whitelist

Patrick Schleizer | 508ec0c6fa | 2019-12-20 12:34:07 -05:00
comment

Patrick Schleizer | 1b569ea790 | 2019-12-20 12:32:36 -05:00
comment

Patrick Schleizer | e28da89253 | 2019-12-20 09:48:06 -05:00
/bin/sudo whitelist / /bin/bwrap whitelist

Patrick Schleizer | 6d30e3b4a2 | 2019-12-20 08:13:23 -05:00
do not remove suid from whitelisted binaries ever
https://forums.whonix.org/t/permission-hardening/8655/13

Patrick Schleizer | 48fe7312bf | 2019-12-20 05:57:41 -05:00
update config

Patrick Schleizer | 87d820d84c | 2019-12-20 05:54:16 -05:00
comment

Patrick Schleizer | 46466c12ad | 2019-12-20 05:49:11 -05:00
parse drop-in config folder rather than only one config file

Patrick Schleizer | 6c8127e3cd | 2019-12-20 05:29:37 -05:00
remove "/lib/ nosuid" from permission hardening
Takes 1 minute to parse. No SUID binaries there by default.
remount-secure mounts it with nosuid anyhow.
Therefore not processing it here.

Patrick Schleizer | 788a2c1ba3 | 2019-12-20 03:45:01 -05:00
comment

madaidan | 9df7407286 | 2019-12-19 17:01:33 +00:00
Remove SUID bits

Patrick Schleizer | 729fa26eca | 2019-12-12 09:00:08 -05:00
use pam_access only for /etc/pam.d/login
remove "Allow members of group 'ssh' to login."
remove "+:ssh:ALL EXCEPT LOCAL"

madaidan | 6c564f6e95 | 2019-12-08 16:50:11 +00:00
Create permission-hardening.conf

Patrick Schleizer | 9432d16378 | 2019-12-07 12:13:42 -05:00
/usr/bin/cat mrix,