Commit Graph

198 Commits

Author SHA1 Message Date
Patrick Schleizer
e28da89253
/bin/sudo whitelist / /bin/bwrap whitelist 2019-12-20 09:48:06 -05:00
Patrick Schleizer
6d30e3b4a2
do not remove suid from whitelisted binaries ever
https://forums.whonix.org/t/permission-hardening/8655/13
2019-12-20 08:13:23 -05:00
Patrick Schleizer
48fe7312bf
update config 2019-12-20 05:57:41 -05:00
Patrick Schleizer
87d820d84c
comment 2019-12-20 05:54:16 -05:00
Patrick Schleizer
46466c12ad
parse drop-in config folder rather than only one config file 2019-12-20 05:49:11 -05:00
Patrick Schleizer
6c8127e3cd
remove "/lib/ nosuid" from permission hardening
Takes 1 minute to parse. No SUID binaries there by default.
remount-secure mounts it with nosuid anyhow.
Therefore not processing it here.
2019-12-20 05:29:37 -05:00
Patrick Schleizer
788a2c1ba3
comment 2019-12-20 03:45:01 -05:00
madaidan
9df7407286
Remove SUID bits 2019-12-19 17:01:33 +00:00
Patrick Schleizer
729fa26eca
use pam_access only for /etc/pam.d/login
remove "Allow members of group 'ssh' to login."
remove "+:ssh:ALL EXCEPT LOCAL"
2019-12-12 09:00:08 -05:00
madaidan
6c564f6e95
Create permission-hardening.conf 2019-12-08 16:50:11 +00:00
Patrick Schleizer
9432d16378
/usr/bin/cat mrix, 2019-12-07 12:13:42 -05:00
Patrick Schleizer
c1800b13fe
separate group "ssh" for incoming ssh console permission
Thanks to @madaidan

https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/16
2019-12-07 11:26:39 -05:00
Patrick Schleizer
8636d2f629
add securetty 2019-12-07 06:51:10 -05:00
Patrick Schleizer
8b3f5a555b
add console lockdown to pam info output 2019-12-07 06:25:45 -05:00
Patrick Schleizer
021b06dac9
add hvc0 to hvc9 2019-12-07 06:04:45 -05:00
Patrick Schleizer
8a59662a44
comment 2019-12-07 06:02:45 -05:00
Patrick Schleizer
cda6724755
add pts/0 to pts/9 2019-12-07 05:56:57 -05:00
Patrick Schleizer
218cbddba9
comment 2019-12-07 05:52:06 -05:00
Patrick Schleizer
6479c883bf
Console Lockdown.
Allow members of group 'console' to use tty1 to tty7. Everyone else except
members of group 'console-unrestricted' is restricted from using the console
through ancient, unpopular login methods such as using /bin/login over networks,
which might be exploitable. (CVE-2001-0797)

Not enabled by default in this package since this package does not know which
users shall be added to group 'console'.

In new Whonix builds, user 'user' will be added to group 'console' and
pam console-lockdown enabled by package anon-base-files.

/usr/share/pam-configs/console-lockdown

/etc/security/access-security-misc.conf

https://forums.whonix.org/t/etc-security-hardening/8592
2019-12-07 05:40:20 -05:00
Patrick Schleizer
8cf5ed990a
comment 2019-12-05 15:52:24 -05:00
madaidan
30289c68c2
Enable reverse path filtering 2019-12-05 20:13:10 +00:00
Patrick Schleizer
0c25a96b59
description / comments 2019-12-03 02:18:32 -05:00
madaidan
5da2a27bf0
Distrust the CPU for initial entropy 2019-12-02 16:43:00 +00:00
madaidan
d9d6d07714
/dev/pts/[0-9]* rw, 2019-11-26 17:12:12 +00:00
Patrick Schleizer
d32024a3da
/usr/sbin/pam_tally2 mrix,
https://forums.whonix.org/t/apparmor-for-complete-system-including-init-pid1-systemd-everything-full-system-mac-policy/8339/152
2019-11-23 05:53:19 -05:00
Patrick Schleizer
81e4f580af
etc/apparmor.d/usr.lib.security-misc.permission-lockdown: /usr/bin/chmod mrix, 2019-11-19 15:29:02 +00:00
Patrick Schleizer
477d476bb1
etc/apparmor.d/usr.lib.security-misc.pam_tally2-info: add '#include <abstractions/base>' 2019-11-10 08:29:44 -05:00
Patrick Schleizer
11dc23bf08
etc/apparmor.d/usr.lib.security-misc.permission-lockdown: add '#include <abstractions/base>' 2019-11-10 08:28:32 -05:00
Patrick Schleizer
9f2932faab
/usr/bin/id rix, 2019-11-09 13:32:21 -05:00
Patrick Schleizer
94d40c68d4
do not set kernel boot parameter page_poison=1 in Qubes since it does not work
https://github.com/QubesOS/qubes-issues/issues/5212#issuecomment-533873012
2019-11-05 10:02:55 -05:00
Patrick Schleizer
f57702c158
comments; copyright 2019-11-05 09:55:43 -05:00
Patrick Schleizer
b55c2fd62e
Enables punycode (network.IDN_show_punycode) by default in Thunderbird
to make phishing attacks more difficult. Fixing URL not showing real Domain
Name (Homograph attack).

https://forums.whonix.org/t/enable-network-idn-show-punycode-by-default-in-thunderbird-to-fix-url-not-showing-real-domain-name-homograph-attack-punycode/8415
2019-11-03 02:50:51 -05:00
Patrick Schleizer
e1375802eb
apparmor fix
https://forums.whonix.org/t/apparmor-for-complete-system-including-init-pid1-systemd-everything-full-system-mac-policy/8339/67
2019-10-31 16:32:28 +00:00
Patrick Schleizer
203d5cfa68
copyright 2019-10-31 11:19:44 -04:00
madaidan
0e49bdc45f
Licensing 2019-10-28 14:26:14 +00:00
madaidan
5d5ad92638
Licensing 2019-10-28 14:26:05 +00:00
madaidan
1b8b3610b1
Create usr.lib.security-misc.pam_tally2-info 2019-10-28 14:20:59 +00:00
madaidan
29b05546e4
Create usr.lib.security-misc.permission-lockdown 2019-10-28 14:20:08 +00:00
Patrick Schleizer
40707e70db
Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with hidepid.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040

https://forums.whonix.org/t/cannot-use-pkexec/8129

Thanks to AnonymousUser for the bug report!
2019-10-21 05:46:49 -04:00
Patrick Schleizer
0b8725306f
renamed: etc/hide-hardware-info.d/30_whitelist.conf -> etc/hide-hardware-info.d/30_default.conf 2019-10-17 06:13:44 -04:00
Patrick Schleizer
8a42c5b023
Merge pull request #34 from madaidan/whitelist
Add a whitelist for /sys and /proc/cpuinfo
2019-10-17 09:59:12 +00:00
madaidan
4f5b7816ec
Elaborate 2019-10-16 19:01:49 +00:00
madaidan
99a762d3dc
KASLR is different from ASLR 2019-10-16 18:53:04 +00:00
madaidan
a14a2854c6
Elaborate 2019-10-16 18:52:14 +00:00
madaidan
a47a2fca8b
Create 30_whitelist.conf 2019-10-15 20:58:58 +00:00
Patrick Schleizer
c22738be02
comments 2019-10-07 08:25:45 +00:00
Patrick Schleizer
75f36bc2c9
comments 2019-10-07 08:25:07 +00:00
Patrick Schleizer
e92a8a6966
comments 2019-10-07 08:24:02 +00:00
Patrick Schleizer
60c044a9d6
copyright / comments 2019-10-07 05:30:56 +00:00
Patrick Schleizer
cd2135ff82
comments 2019-10-06 10:18:24 +00:00
Patrick Schleizer
8b4f2befd4
comment out sack by default
https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109/8?u=patrick
2019-10-05 13:15:34 +00:00
Patrick Schleizer
02096f8d7c
Revert "undo Disabling TCP SACK, DSACK, FACK"
This reverts commit 5fb4eb8e56.
2019-10-05 13:13:46 +00:00
Patrick Schleizer
5fb4eb8e56
undo Disabling TCP SACK, DSACK, FACK
https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109/5
2019-10-05 07:00:47 -04:00
madaidan
d0c6bb1e90
Disable TCP DSACK and FACK 2019-10-04 17:35:54 +00:00
Patrick Schleizer
f13a73e569
undo SysRq restrictions
https://forums.whonix.org/t/sysrq-magic-sysrq-key/8079
2019-09-10 12:35:42 -04:00
madaidan
60db7e6294
fix typo 2019-09-07 20:08:56 +00:00
Patrick Schleizer
7affddb3bb
blacklist modules with /bin/false rather than /bin/true to fail with error
message rather than failing without notification
2019-09-07 05:47:34 +00:00
Patrick Schleizer
661bcd8603
allow loading unsigned modules due to issues
https://forums.whonix.org/t/allow-loading-signed-kernel-modules-by-default-disallow-kernel-module-loading-by-default/7880/23
2019-09-07 05:39:56 +00:00
Patrick Schleizer
cb8170fd80
comment 2019-09-06 11:44:56 +00:00
Patrick Schleizer
ccdbc52b82
comment 2019-09-06 11:43:55 +00:00
Patrick Schleizer
051856bc8e
remove trailing space 2019-09-06 11:42:38 +00:00
Patrick Schleizer
0ae5c5ff14
remove umask changes since these are causing issues and are not needed anymore
thanks to home folder permission lockdown

https://forums.whonix.org/t/change-default-umask/7416/45
2019-08-24 12:14:22 -04:00
onions-knight
a8b6281119
Update uncommon-network-protocols.conf
Removing llc from blacklisted network protocols as it is needed by KVM for networking.
See https://hub.packtpub.com/kvm-networking-libvirt/ and https://forums.whonix.org/t/whonix-desktop-installer-with-calamares-field-report/7350/107
2019-08-19 11:30:57 +00:00
Patrick Schleizer
ed90d8b025
change default umask to 027
as per:

https://forums.whonix.org/t/change-default-umask/7416/47
2019-08-17 09:55:20 +00:00
Patrick Schleizer
224f95799c
sudo default umask 006
https://forums.whonix.org/t/change-default-umask/7416/43
2019-08-16 11:15:25 -04:00
Patrick Schleizer
85502ad430
Merge branch 'master' into patch-21 2019-08-16 14:35:51 +00:00
Patrick Schleizer
dbea7d1511
add hook etc/kernel/postinst.d/30_remove-system-map to remove system.map
on kernel package upgrade;

self-document this package: during upgrade the following will be written
to stdout:

Setting up linux-image-4.19.0-5-amd64 (4.19.37-5+deb10u2) ...
/etc/kernel/postinst.d/30_remove-system-map:
removed '/boot/System.map-4.19.0-5-amd64
2019-08-14 07:22:14 +00:00
madaidan
9a49b8ecbb
Create 40_only_allow_signed_modules.cfg
Require all loaded kernel modules to be signed with a valid key.
2019-08-13 13:33:07 +00:00
madaidan
5a4ea39566
Create blacklist-bluetooth.conf 2019-07-31 18:30:57 +00:00
Patrick Schleizer
1c7441ddf1
alias /etc/securetty -> /etc/securetty.security-misc, 2019-07-17 21:16:14 +00:00
Patrick Schleizer
b153e8f7df
fix path 2019-07-17 21:02:48 +00:00
Patrick Schleizer
2299ed041f
passwordless recovery / emergency console
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211
bc5ca2de85

https://forums.whonix.org/t/restrict-root-access/7658/46
2019-07-17 20:36:51 +00:00
Patrick Schleizer
cb668459e8
port umask from /etc/pam.d to /usr/share/pam-configs implementation
https://forums.whonix.org/t/change-default-umask/7416
2019-07-13 10:35:10 -04:00
Patrick Schleizer
ac25733de8
remove etc/pam.d/common-password.security-misc rounds=65536
due to unclean implementation, see:

https://forums.whonix.org/t/restrict-root-access/7658/37
2019-07-13 14:01:53 +00:00
Patrick Schleizer
69b97981f3
convert etc/pam.d/su.security-misc to usr/share/pam-configs/wheel
https://forums.whonix.org/t/restrict-root-access/7658/32
2019-07-13 12:33:51 +00:00
Patrick Schleizer
4079632d1a
remove modifying /etc/pam.d directly (unreleased)
config-package-dev displace /etc/securetty
remove trailing spaces

https://forums.whonix.org/t/restrict-root-access/7658/31
2019-07-13 11:41:37 +00:00
madaidan
b63d4ccb41
Update uncommon-network-protocols.conf 2019-07-11 15:28:56 +00:00
madaidan
4058e283a5
Blacklist more uncommon network protocols 2019-07-10 14:27:19 +00:00
madaidan
d70440aaed
Remove duplicate 2019-07-09 21:57:37 +00:00
madaidan
2d27bdd808
Blacklist more uncommon network protocols 2019-07-09 21:55:37 +00:00
Patrick Schleizer
3df6a44e98
also allow members of group sudo to run /usr/lib/security-misc/panic-on-oops 2019-07-09 06:56:23 -04:00
Patrick Schleizer
0f15303eb4
Merge branch 'master' into patch-16 2019-07-09 10:54:24 +00:00
madaidan
24d9eadcb2
Use 65536 hashing rounds 2019-07-08 23:19:59 +00:00
madaidan
86117d9577
Create common-password.security-misc 2019-07-08 23:19:19 +00:00
madaidan
8ad9a54b09
Don't allow root login from a terminal 2019-07-08 23:17:17 +00:00
madaidan
890298a3c8
Restrict su to users in the root group 2019-07-08 23:15:56 +00:00
madaidan
38099a2a5d
Create su.security-misc 2019-07-08 23:11:17 +00:00
madaidan
2a17427055
Create security-misc 2019-07-08 23:01:30 +00:00
madaidan
4ac700ded0
Create 50panic_on_oops 2019-07-08 22:59:39 +00:00
Patrick Schleizer
e543c4bf82
apparmor fixes (this broke whonixcheck apparmor profile) 2019-07-07 16:37:46 -04:00
Patrick Schleizer
3558a9949f
Enable APT seccomp sandboxing.
Thanks to @torjunkie for the suggestion!

https://forums.whonix.org/t/apt-seccomp-bpf-sandboxing/7702
2019-07-07 09:37:25 +00:00
madaidan
46409be8b6
Use install instead of blacklist 2019-07-04 14:25:28 +00:00
madaidan
eb7eaffba1
Blacklist n-hdlc 2019-07-04 14:24:44 +00:00
Patrick Schleizer
93c0821054
config-package-dev displace files for change umask
https://forums.whonix.org/t/change-default-umask/7416
2019-07-01 13:35:45 +00:00
Patrick Schleizer
a73f0566e9
change default umask to 006
session optional  pam_umask.so usergroups

https://forums.whonix.org/t/change-default-umask/7416/17
2019-07-01 13:25:23 +00:00
Patrick Schleizer
41b61e3277
revert to Debian buster original 2019-07-01 13:24:29 +00:00
madaidan
eedeaa0e7f
Update common-session-noninteractive 2019-06-30 13:12:59 +00:00
madaidan
a9af85f585
Update common-session 2019-06-30 13:12:16 +00:00
madaidan
1e1d29cfde
Create common-session-noninteractive 2019-06-30 13:11:31 +00:00
madaidan
501901f7c0
Change default umask to 006 2019-06-30 13:10:54 +00:00