Patrick Schleizer
938e929f39
add pkexec to suid default whitelist
...
/usr/bin/pkexec exactwhitelist
/usr/bin/pkexec.security-misc-orig exactwhitelist
2020-04-12 16:37:51 -04:00
Patrick Schleizer
565ff136e5
vm.swappiness=1
...
import from swappiness-lowest
https://forums.whonix.org/t/vm-swappiness-1-set-swapiness-to-lowest-setting-still-useful-swappiness-lowest/9278
2020-04-08 21:04:02 +00:00
Patrick Schleizer
72228946dc
fix etc/default/grub.d/40_kernel_hardening.cfg
...
in Qubes if no kernel package is installed
2020-04-08 16:46:11 +00:00
Patrick Schleizer
5c81e1f23f
import from anon-gpg-conf
2020-04-06 09:25:45 -04:00
Patrick Schleizer
a7f2a2a3b6
console lockdown: allow members of group sudo
to use console
...
https://forums.whonix.org/t/etc-security-hardening/8592
https://github.com/Whonix/security-misc/pull/74#issuecomment-607748407
https://www.whonix.org/wiki/Dev/Strong_Linux_User_Account_Isolation#Console_Lockdown
2020-04-02 06:04:45 -04:00
Patrick Schleizer
7764ee0d20
comments
2020-04-02 05:58:16 -04:00
Patrick Schleizer
2ceea8d1fe
update copyright year
2020-04-01 08:49:59 -04:00
Patrick Schleizer
814f613a2f
When using systemd-nspawn (chroot) then login
requires console 'console' to be permitted.
2020-03-31 07:08:25 -04:00
Patrick Schleizer
5f0dd8270b
consistent use of quotes
2020-03-21 14:14:35 -04:00
Patrick Schleizer
66ea1a3a12
minor
2020-03-21 14:14:15 -04:00
Patrick Schleizer
23bd7ead59
remove trailing space
2020-03-21 14:12:42 -04:00
madaidan
89ada11cf9
Only remount if already mounted read-only
2020-03-21 17:49:07 +00:00
madaidan
c8826d6702
Fix sysctl-initramfs logs
2020-03-21 17:15:25 +00:00
onions-knight
8dfdec1d3b
Update thunar.xml
...
Adding Delete option for thunar on right mouse click (removed in Debian 10). See https://forums.whonix.org/t/whonix-host-calamares-branding-suggestion/7772/26
2020-03-17 16:38:53 +00:00
madaidan
4d0de87f79
Disable unprivileged userfaultfd use again
2020-03-08 17:49:49 +00:00
madaidan
efb2683cfc
Hide unprivileged_userfaultfd error
2020-03-08 17:49:12 +00:00
Patrick Schleizer
284a491100
disable vm.unprivileged_userfaultfd=0
for now
...
because broken
https://forums.whonix.org/t/kernel-hardening/7296/406
reverts "Restrict the userfaultfd() syscall to root as it can make heap sprays easier."
https://duasynt.com/blog/linux-kernel-heap-spray
2020-03-08 08:07:10 -04:00
madaidan
6b64b36b01
Restrict the userfaultfd() syscall to root
2020-02-24 18:23:15 +00:00
madaidan
f6b6ab374e
Gather more entropy during boot
2020-02-16 19:51:32 +00:00
madaidan
a79ce7fa68
Document ldisc_autoload better
2020-02-15 17:30:21 +00:00
Patrick Schleizer
1e5946c795
Merge branch 'master' into sysrq
2020-02-15 10:41:52 +00:00
Patrick Schleizer
5124f8cebc
Merge pull request #61 from madaidan/disable_early_pci_dma
...
Avoid holes in IOMMU
2020-02-15 10:18:56 +00:00
madaidan
9b767139ef
Avoid holes in IOMMU
2020-02-14 18:52:01 +00:00
madaidan
d251c43344
Restrict the SysRq key
2020-02-14 18:17:20 +00:00
madaidan
0ea7dd161b
Restrict loading line disciplines to CAP_SYS_MODULE
2020-02-14 17:50:19 +00:00
Patrick Schleizer
ad6b766886
Merge pull request #57 from madaidan/sysctl
...
Prevent symlink/hardlink TOCTOU races
2020-02-13 18:40:58 +00:00
madaidan
700c7ed908
Create 40_cpu_mitigations.cfg
2020-02-12 18:42:13 +00:00
madaidan
ba0043b8a7
Update 40_kernel_hardening.cfg
2020-02-12 18:36:05 +00:00
madaidan
5cb21d0d4d
Prevent symlink/hardlink TOCTOU races
2020-02-12 18:03:23 +00:00
HulaHoop0
e4c6e897cf
kvm.nx_huge_pages=force
2020-02-03 16:06:46 +00:00
Patrick Schleizer
85d2aa1365
hide stdout (but not stderr) by sysctl during initramfs
2020-01-30 06:13:42 -05:00
Patrick Schleizer
b9d65338bc
unconditionally enable all CPU bugs (spectre, meltdown, L1TF, ...)
...
this might reduce performance
* `spectre_v2=on`
* `spec_store_bypass_disable=on`
* `tsx=off`
* `tsx_async_abort=full,nosmt`
Thanks to @madaidan for the suggestion!
https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647
2020-01-30 05:55:13 -05:00
Patrick Schleizer
c1a0da60be
set kernel boot parameter l1tf=full,force
and nosmt=force
...
https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17
2020-01-30 00:46:48 -05:00
Patrick Schleizer
a37da1c968
add digits to drop-in file names
2020-01-24 04:39:06 -05:00
Patrick Schleizer
e0aa67677d
merge the many modprobe.d config files into 1
...
and use a name starting with double digits
to make it easier to disable settings using a lexically higher config file
2020-01-24 04:30:36 -05:00
Patrick Schleizer
6a4c493213
merge the many sysctl config files into 1
...
and use a name starting with double digits
to make it easier to disable settings using a lexically higher config file
2020-01-24 04:26:36 -05:00
Patrick Schleizer
6f8d89c6c5
error handling
2020-01-15 15:54:06 -05:00
madaidan
f7fde60b67
Process sysctl.conf too
2020-01-15 20:28:32 +00:00
Patrick Schleizer
528c5fc4c4
Merge branch 'master' into sysctl-initramfs
2020-01-15 11:02:03 +00:00
Patrick Schleizer
80159545a5
fix xfce4-power-manager xfpm-power-backlight-helper pkexec lxsudo popup
...
https://forums.whonix.org/t/xfce4-power-manager-xfpm-power-backlight-helper-pkexec-lxsudo-popup/8764
do show lxqt-sudo password prompt if there is a sudoers exception
improved pkexec wrapper logging
2020-01-15 02:42:10 -05:00
madaidan
8c4e0ff1c4
Set sysctl values in initramfs
2020-01-12 21:37:37 +00:00
madaidan
a662a76a52
Blacklist vivid
2020-01-11 18:37:00 +00:00
Patrick Schleizer
f3ff32ddbb
Protect /bin/mount from 'chmod -x'.
...
/bin/mount exactwhitelist
/usr/bin/mount exactwhitelist
Remove SUID from 'mount' but keep executable.
/bin/mount 745 root root
/usr/bin/mount 745 root root
https://forums.whonix.org/t/disable-suid-binaries/7706/61
2019-12-30 06:39:24 -05:00
Patrick Schleizer
e5623fcd2b
comment
2019-12-29 04:21:52 -05:00
Patrick Schleizer
674840e6f9
/fusermount matchwhitelist
...
unbreak AppImages such as electrum Bitcoin wallet
https://forums.whonix.org/t/disable-suid-binaries/7706/57
2019-12-26 05:44:35 -05:00
Patrick Schleizer
ede536913d
no longer hardcode amd64
2019-12-24 06:00:41 -05:00
Patrick Schleizer
27a42a9da8
Merge pull request #50 from madaidan/modules
...
Make /lib/modules unreadable
2019-12-24 10:55:11 +00:00
Patrick Schleizer
ac49c55d1f
Merge pull request #49 from madaidan/kver
...
Detect kernel upgrades
2019-12-24 10:55:03 +00:00
madaidan
79241c5d09
Make /lib/modules unreadable
2019-12-23 20:28:29 +00:00
madaidan
98e88d1456
Detect kernel upgrades
2019-12-23 19:57:43 +00:00
madaidan
d1a0650fd9
Use only one slub_debug parameter
2019-12-23 19:44:52 +00:00
Patrick Schleizer
9d77d88a4d
comments
2019-12-23 09:39:50 -05:00
Patrick Schleizer
3e131174d5
comments
2019-12-23 05:00:35 -05:00
Patrick Schleizer
9f072ce4f9
comment
2019-12-23 03:46:02 -05:00
Patrick Schleizer
26fe9394ff
disable lockdown for now due to module loading
2019-12-23 03:41:54 -05:00
madaidan
535c258b83
More kernel hardening
2019-12-23 03:35:07 -05:00
Patrick Schleizer
11b4192fbd
comments
2019-12-23 03:28:42 -05:00
Patrick Schleizer
2152fa2d61
comment
2019-12-23 02:38:53 -05:00
Patrick Schleizer
f8f2e6c704
fix disablewhitelist feature
2019-12-23 02:35:13 -05:00
Patrick Schleizer
47ddcad0c0
rename keyword whitelist to exactwhitelist
...
add new keyword disablewhitelist
refactoring
2019-12-23 02:29:47 -05:00
Patrick Schleizer
1ff56625a1
polkit-agent-helper-1 matchwhitelist to match both
...
- /usr/lib/policykit-1/polkit-agent-helper-1 matchwhitelist
- /lib/policykit-1/polkit-agent-helper-1
2019-12-23 01:42:03 -05:00
Patrick Schleizer
d484b299ea
matchwhitelist /qubes/qfile-unpacker to match both
...
- /usr/lib/qubes/qfile-unpacker whitelist
- /lib/qubes/qfile-unpacker
2019-12-23 01:38:31 -05:00
Patrick Schleizer
58a4e0bc7d
dbus-daemon-launch-helper matchwhitelist
2019-12-22 19:12:10 -05:00
Patrick Schleizer
15e3a2832d
comment
2019-12-22 18:57:23 -05:00
Patrick Schleizer
6eb8fd257a
suid utempter/utempter matchwhitelist
...
to cover both:
/usr/lib/x86_64-linux-gnu/utempter/utempter
/lib/x86_64-linux-gnu/utempter/utempter
2019-12-22 18:56:36 -05:00
Patrick Schleizer
bce02ffdc0
Merge pull request #47 from madaidan/msr
...
Blacklist CPU MSRs
2019-12-22 15:26:07 +00:00
madaidan
dd93b11321
Blacklist CPU MSRs
2019-12-22 13:52:43 +00:00
Patrick Schleizer
2ddf7b5db5
/lib/ nosuid
2019-12-21 14:06:51 -05:00
Patrick Schleizer
2350e0f5d0
Merge remote-tracking branch 'origin/master'
2019-12-21 06:57:10 -05:00
Patrick Schleizer
efd65a3f15
Merge pull request #45 from madaidan/apparmor
...
Delete apparmor profiles
2019-12-21 11:56:31 +00:00
Patrick Schleizer
3ea587187e
no need to exclude xorg nosuid on Debian
...
http://forums.whonix.org/t/permission-hardening/8655/25
2019-12-21 06:53:07 -05:00
madaidan
c28ddf5c4d
Delete usr.lib.security-misc.pam_tally2-info
2019-12-20 22:44:31 +00:00
madaidan
cfe69dd669
Delete usr.lib.security-misc.permission-lockdown
2019-12-20 22:44:27 +00:00
Patrick Schleizer
d220bb3bc4
suid /usr/lib/chromium/chrome-sandbox whitelist
2019-12-20 13:07:01 -05:00
Patrick Schleizer
77b3dd5d6b
comments
2019-12-20 13:02:33 -05:00
Patrick Schleizer
d7bd477e73
add "/usr/lib/xorg/Xorg.wrap whitelist"
...
until this is researched
https://manpages.debian.org/buster/xserver-xorg-legacy/Xorg.wrap.1.en.html
https://lwn.net/Articles/590315/
2019-12-20 12:59:27 -05:00
Patrick Schleizer
17e8605119
add matchwhitelist feature
...
add "/usr/lib/virtualbox/ matchwhitelist"
2019-12-20 12:57:24 -05:00
Patrick Schleizer
3fab387669
suid /usr/bin/firejail whitelist
...
There is a controversy about firejail but those who choose to install it
should be able to use it.
https://www.whonix.org/wiki/Dev/Firejail#Security
2019-12-20 12:50:35 -05:00
Patrick Schleizer
d3f16a5bf4
sgid /usr/lib/qubes/qfile-unpacker whitelist
2019-12-20 12:47:10 -05:00
Patrick Schleizer
508ec0c6fa
comment
2019-12-20 12:34:07 -05:00
Patrick Schleizer
1b569ea790
comment
2019-12-20 12:32:36 -05:00
Patrick Schleizer
e28da89253
/bin/sudo whitelist / /bin/bwrap whitelist
2019-12-20 09:48:06 -05:00
Patrick Schleizer
6d30e3b4a2
do not remove suid from whitelisted binaries ever
...
https://forums.whonix.org/t/permission-hardening/8655/13
2019-12-20 08:13:23 -05:00
Patrick Schleizer
48fe7312bf
update config
2019-12-20 05:57:41 -05:00
Patrick Schleizer
87d820d84c
comment
2019-12-20 05:54:16 -05:00
Patrick Schleizer
46466c12ad
parse drop-in config folder rather than only one config file
2019-12-20 05:49:11 -05:00
Patrick Schleizer
6c8127e3cd
remove "/lib/ nosuid" from permission hardening
...
Takes 1 minute to parse. No SUID binaries there by default.
remount-secure mounts it with nosuid anyhow.
Therefore not processing it here.
2019-12-20 05:29:37 -05:00
Patrick Schleizer
788a2c1ba3
comment
2019-12-20 03:45:01 -05:00
madaidan
9df7407286
Remove SUID bits
2019-12-19 17:01:33 +00:00
Patrick Schleizer
729fa26eca
use pam_access only for /etc/pam.d/login
...
remove "Allow members of group 'ssh' to login."
remove "+:ssh:ALL EXCEPT LOCAL"
2019-12-12 09:00:08 -05:00
madaidan
6c564f6e95
Create permission-hardening.conf
2019-12-08 16:50:11 +00:00
Patrick Schleizer
9432d16378
/usr/bin/cat mrix,
2019-12-07 12:13:42 -05:00
Patrick Schleizer
c1800b13fe
separate group "ssh" for incoming ssh console permission
...
Thanks to @madaidan
https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/16
2019-12-07 11:26:39 -05:00
Patrick Schleizer
8636d2f629
add securetty
2019-12-07 06:51:10 -05:00
Patrick Schleizer
8b3f5a555b
add console lockdown to pam info output
2019-12-07 06:25:45 -05:00
Patrick Schleizer
021b06dac9
add hvc0 to hvc9
2019-12-07 06:04:45 -05:00
Patrick Schleizer
8a59662a44
comment
2019-12-07 06:02:45 -05:00
Patrick Schleizer
cda6724755
add pts/0 to pts/9
2019-12-07 05:56:57 -05:00
Patrick Schleizer
218cbddba9
comment
2019-12-07 05:52:06 -05:00
Patrick Schleizer
6479c883bf
Console Lockdown.
...
Allow members of group 'console' to use tty1 to tty7. Everyone else except
members of group 'console-unrestricted' is restricted from using console
using ancient, unpopular login methods such as using /bin/login over networks,
which might be exploitable. (CVE-2001-0797)
Not enabled by default in this package since this package does not know which
users shall be added to group 'console'.
In new Whonix builds, user 'user' will be added to group 'console' and
pam console-lockdown enabled by package anon-base-files.
/usr/share/pam-configs/console-lockdown
/etc/security/access-security-misc.conf
https://forums.whonix.org/t/etc-security-hardening/8592
2019-12-07 05:40:20 -05:00
Patrick Schleizer
8cf5ed990a
comment
2019-12-05 15:52:24 -05:00
madaidan
30289c68c2
Enable reverse path filtering
2019-12-05 20:13:10 +00:00
Patrick Schleizer
0c25a96b59
description / comments
2019-12-03 02:18:32 -05:00
madaidan
5da2a27bf0
Distrust the CPU for initial entropy
2019-12-02 16:43:00 +00:00
madaidan
d9d6d07714
/dev/pts/[0-9]* rw,
2019-11-26 17:12:12 +00:00
Patrick Schleizer
d32024a3da
/usr/sbin/pam_tally2 mrix,
...
https://forums.whonix.org/t/apparmor-for-complete-system-including-init-pid1-systemd-everything-full-system-mac-policy/8339/152
2019-11-23 05:53:19 -05:00
Patrick Schleizer
81e4f580af
etc/apparmor.d/usr.lib.security-misc.permission-lockdown: /usr/bin/chmod mrix,
2019-11-19 15:29:02 +00:00
Patrick Schleizer
477d476bb1
etc/apparmor.d/usr.lib.security-misc.pam_tally2-info: add '#include <abstractions/base>'
2019-11-10 08:29:44 -05:00
Patrick Schleizer
11dc23bf08
etc/apparmor.d/usr.lib.security-misc.permission-lockdown: add '#include <abstractions/base>'
2019-11-10 08:28:32 -05:00
Patrick Schleizer
9f2932faab
/usr/bin/id rix,
2019-11-09 13:32:21 -05:00
Patrick Schleizer
94d40c68d4
do not set kernel boot parameter page_poison=1 in Qubes since does not work
...
https://github.com/QubesOS/qubes-issues/issues/5212#issuecomment-533873012
2019-11-05 10:02:55 -05:00
Patrick Schleizer
f57702c158
comments; copyright
2019-11-05 09:55:43 -05:00
Patrick Schleizer
b55c2fd62e
Enables punycode (network.IDN_show_punycode) by default in Thunderbird
...
to make phishing attacks more difficult. Fixing URL not showing real Domain
Name (Homograph attack).
https://forums.whonix.org/t/enable-network-idn-show-punycode-by-default-in-thunderbird-to-fix-url-not-showing-real-domain-name-homograph-attack-punycode/8415
2019-11-03 02:50:51 -05:00
Patrick Schleizer
e1375802eb
apparmor fix
...
https://forums.whonix.org/t/apparmor-for-complete-system-including-init-pid1-systemd-everything-full-system-mac-policy/8339/67
2019-10-31 16:32:28 +00:00
Patrick Schleizer
203d5cfa68
copyright
2019-10-31 11:19:44 -04:00
madaidan
0e49bdc45f
Licensing
2019-10-28 14:26:14 +00:00
madaidan
5d5ad92638
Licensing
2019-10-28 14:26:05 +00:00
madaidan
1b8b3610b1
Create usr.lib.security-misc.pam_tally2-info
2019-10-28 14:20:59 +00:00
madaidan
29b05546e4
Create usr.lib.security-misc.permission-lockdown
2019-10-28 14:20:08 +00:00
Patrick Schleizer
40707e70db
Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with hidepid.
...
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040
https://forums.whonix.org/t/cannot-use-pkexec/8129
Thanks to AnonymousUser for the bug report!
2019-10-21 05:46:49 -04:00
Patrick Schleizer
0b8725306f
renamed: etc/hide-hardware-info.d/30_whitelist.conf -> etc/hide-hardware-info.d/30_default.conf
2019-10-17 06:13:44 -04:00
Patrick Schleizer
8a42c5b023
Merge pull request #34 from madaidan/whitelist
...
Add a whitelist for /sys and /proc/cpuinfo
2019-10-17 09:59:12 +00:00
madaidan
4f5b7816ec
Elaborate
2019-10-16 19:01:49 +00:00
madaidan
99a762d3dc
KASLR is different from ASLR
2019-10-16 18:53:04 +00:00
madaidan
a14a2854c6
Elaborate
2019-10-16 18:52:14 +00:00
madaidan
a47a2fca8b
Create 30_whitelist.conf
2019-10-15 20:58:58 +00:00
Patrick Schleizer
c22738be02
comments
2019-10-07 08:25:45 +00:00
Patrick Schleizer
75f36bc2c9
comments
2019-10-07 08:25:07 +00:00
Patrick Schleizer
e92a8a6966
comments
2019-10-07 08:24:02 +00:00
Patrick Schleizer
60c044a9d6
copyright / comments
2019-10-07 05:30:56 +00:00
Patrick Schleizer
cd2135ff82
comments
2019-10-06 10:18:24 +00:00
Patrick Schleizer
8b4f2befd4
comment out sack by default
...
https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109/8?u=patrick
2019-10-05 13:15:34 +00:00
Patrick Schleizer
02096f8d7c
Revert "undo Disabling TCP SACK, DSACK, FACK"
...
This reverts commit 5fb4eb8e56.
2019-10-05 13:13:46 +00:00
Patrick Schleizer
5fb4eb8e56
undo Disabling TCP SACK, DSACK, FACK
...
https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109/5
2019-10-05 07:00:47 -04:00
madaidan
d0c6bb1e90
Disable TCP DSACK and FACK
2019-10-04 17:35:54 +00:00
Patrick Schleizer
f13a73e569
undo SysRq restrictions
...
https://forums.whonix.org/t/sysrq-magic-sysrq-key/8079
2019-09-10 12:35:42 -04:00
madaidan
60db7e6294
fix typo
2019-09-07 20:08:56 +00:00
Patrick Schleizer
7affddb3bb
blacklist modules with /bin/false rather than /bin/true to fail with error
...
message rather than failing without notification
2019-09-07 05:47:34 +00:00
Patrick Schleizer
661bcd8603
allow loading unsigned modules due to issues
...
https://forums.whonix.org/t/allow-loading-signed-kernel-modules-by-default-disallow-kernel-module-loading-by-default/7880/23
2019-09-07 05:39:56 +00:00
Patrick Schleizer
cb8170fd80
comment
2019-09-06 11:44:56 +00:00
Patrick Schleizer
ccdbc52b82
comment
2019-09-06 11:43:55 +00:00
Patrick Schleizer
051856bc8e
remove trailing space
2019-09-06 11:42:38 +00:00
Patrick Schleizer
0ae5c5ff14
remove umask changes since these are causing issues and are not needed anymore
...
thanks to home folder permission lockdown
https://forums.whonix.org/t/change-default-umask/7416/45
2019-08-24 12:14:22 -04:00
onions-knight
a8b6281119
Update uncommon-network-protocols.conf
...
Removing llc from blacklisted network protocols as it is needed by KVM for networking.
See https://hub.packtpub.com/kvm-networking-libvirt/ and https://forums.whonix.org/t/whonix-desktop-installer-with-calamares-field-report/7350/107
2019-08-19 11:30:57 +00:00
Patrick Schleizer
ed90d8b025
change default umask to 027
...
as per:
https://forums.whonix.org/t/change-default-umask/7416/47
2019-08-17 09:55:20 +00:00
Patrick Schleizer
224f95799c
sudo default umask 006
...
https://forums.whonix.org/t/change-default-umask/7416/43
2019-08-16 11:15:25 -04:00
Patrick Schleizer
85502ad430
Merge branch 'master' into patch-21
2019-08-16 14:35:51 +00:00
Patrick Schleizer
dbea7d1511
add hook etc/kernel/postinst.d/30_remove-system-map to remove system.map
...
on kernel package upgrade;
self-document this package: during upgrade the following will be written
to stdout:
Setting up linux-image-4.19.0-5-amd64 (4.19.37-5+deb10u2) ...
/etc/kernel/postinst.d/30_remove-system-map:
removed '/boot/System.map-4.19.0-5-amd64
2019-08-14 07:22:14 +00:00
madaidan
9a49b8ecbb
Create 40_only_allow_signed_modules.cfg
...
Require all loaded kernel modules to be signed with a valid key.
2019-08-13 13:33:07 +00:00
madaidan
5a4ea39566
Create blacklist-bluetooth.conf
2019-07-31 18:30:57 +00:00