Patrick Schleizer
8cf5ed990a
comment
2019-12-05 15:52:24 -05:00
madaidan
30289c68c2
Enable reverse path filtering
2019-12-05 20:13:10 +00:00
Patrick Schleizer
0c25a96b59
description / comments
2019-12-03 02:18:32 -05:00
madaidan
5da2a27bf0
Distrust the CPU for initial entropy
2019-12-02 16:43:00 +00:00
madaidan
d9d6d07714
/dev/pts/[0-9]* rw,
2019-11-26 17:12:12 +00:00
Patrick Schleizer
d32024a3da
/usr/sbin/pam_tally2 mrix,
...
https://forums.whonix.org/t/apparmor-for-complete-system-including-init-pid1-systemd-everything-full-system-mac-policy/8339/152
2019-11-23 05:53:19 -05:00
Patrick Schleizer
81e4f580af
etc/apparmor.d/usr.lib.security-misc.permission-lockdown: /usr/bin/chmod mrix,
2019-11-19 15:29:02 +00:00
Patrick Schleizer
477d476bb1
etc/apparmor.d/usr.lib.security-misc.pam_tally2-info: add '#include <abstractions/base>'
2019-11-10 08:29:44 -05:00
Patrick Schleizer
11dc23bf08
etc/apparmor.d/usr.lib.security-misc.permission-lockdown: add '#include <abstractions/base>'
2019-11-10 08:28:32 -05:00
Patrick Schleizer
9f2932faab
/usr/bin/id rix,
2019-11-09 13:32:21 -05:00
Patrick Schleizer
94d40c68d4
do not set kernel boot parameter page_poison=1 in Qubes since it does not work
...
https://github.com/QubesOS/qubes-issues/issues/5212#issuecomment-533873012
2019-11-05 10:02:55 -05:00
Patrick Schleizer
f57702c158
comments; copyright
2019-11-05 09:55:43 -05:00
Patrick Schleizer
b55c2fd62e
Enables punycode (network.IDN_show_punycode) by default in Thunderbird
...
to make phishing attacks more difficult. Fixing URL not showing real Domain
Name (Homograph attack).
https://forums.whonix.org/t/enable-network-idn-show-punycode-by-default-in-thunderbird-to-fix-url-not-showing-real-domain-name-homograph-attack-punycode/8415
2019-11-03 02:50:51 -05:00
Patrick Schleizer
e1375802eb
apparmor fix
...
https://forums.whonix.org/t/apparmor-for-complete-system-including-init-pid1-systemd-everything-full-system-mac-policy/8339/67
2019-10-31 16:32:28 +00:00
Patrick Schleizer
203d5cfa68
copyright
2019-10-31 11:19:44 -04:00
madaidan
0e49bdc45f
Licensing
2019-10-28 14:26:14 +00:00
madaidan
5d5ad92638
Licensing
2019-10-28 14:26:05 +00:00
madaidan
1b8b3610b1
Create usr.lib.security-misc.pam_tally2-info
2019-10-28 14:20:59 +00:00
madaidan
29b05546e4
Create usr.lib.security-misc.permission-lockdown
2019-10-28 14:20:08 +00:00
Patrick Schleizer
40707e70db
Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with hidepid.
...
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040
https://forums.whonix.org/t/cannot-use-pkexec/8129
Thanks to AnonymousUser for the bug report!
2019-10-21 05:46:49 -04:00
Patrick Schleizer
0b8725306f
renamed: etc/hide-hardware-info.d/30_whitelist.conf -> etc/hide-hardware-info.d/30_default.conf
2019-10-17 06:13:44 -04:00
Patrick Schleizer
8a42c5b023
Merge pull request #34 from madaidan/whitelist
...
Add a whitelist for /sys and /proc/cpuinfo
2019-10-17 09:59:12 +00:00
madaidan
4f5b7816ec
Elaborate
2019-10-16 19:01:49 +00:00
madaidan
99a762d3dc
KASLR is different from ASLR
2019-10-16 18:53:04 +00:00
madaidan
a14a2854c6
Elaborate
2019-10-16 18:52:14 +00:00
madaidan
a47a2fca8b
Create 30_whitelist.conf
2019-10-15 20:58:58 +00:00
Patrick Schleizer
c22738be02
comments
2019-10-07 08:25:45 +00:00
Patrick Schleizer
75f36bc2c9
comments
2019-10-07 08:25:07 +00:00
Patrick Schleizer
e92a8a6966
comments
2019-10-07 08:24:02 +00:00
Patrick Schleizer
60c044a9d6
copyright / comments
2019-10-07 05:30:56 +00:00
Patrick Schleizer
cd2135ff82
comments
2019-10-06 10:18:24 +00:00
Patrick Schleizer
8b4f2befd4
comment out sack by default
...
https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109/8?u=patrick
2019-10-05 13:15:34 +00:00
Patrick Schleizer
02096f8d7c
Revert "undo Disabling TCP SACK, DSACK, FACK"
...
This reverts commit 5fb4eb8e56.
2019-10-05 13:13:46 +00:00
Patrick Schleizer
5fb4eb8e56
undo Disabling TCP SACK, DSACK, FACK
...
https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109/5
2019-10-05 07:00:47 -04:00
madaidan
d0c6bb1e90
Disable TCP DSACK and FACK
2019-10-04 17:35:54 +00:00
Patrick Schleizer
f13a73e569
undo SysRq restrictions
...
https://forums.whonix.org/t/sysrq-magic-sysrq-key/8079
2019-09-10 12:35:42 -04:00
madaidan
60db7e6294
fix typo
2019-09-07 20:08:56 +00:00
Patrick Schleizer
7affddb3bb
blacklist modules with /bin/false rather than /bin/true to fail with error
...
message rather than failing without notification
2019-09-07 05:47:34 +00:00
Patrick Schleizer
661bcd8603
allow loading unsigned modules due to issues
...
https://forums.whonix.org/t/allow-loading-signed-kernel-modules-by-default-disallow-kernel-module-loading-by-default/7880/23
2019-09-07 05:39:56 +00:00
Patrick Schleizer
cb8170fd80
comment
2019-09-06 11:44:56 +00:00
Patrick Schleizer
ccdbc52b82
comment
2019-09-06 11:43:55 +00:00
Patrick Schleizer
051856bc8e
remove trailing space
2019-09-06 11:42:38 +00:00
Patrick Schleizer
0ae5c5ff14
remove umask changes since these are causing issues and are not needed anymore
...
thanks to home folder permission lockdown
https://forums.whonix.org/t/change-default-umask/7416/45
2019-08-24 12:14:22 -04:00
onions-knight
a8b6281119
Update uncommon-network-protocols.conf
...
Removing llc from blacklisted network protocols as it is needed by KVM for networking.
See https://hub.packtpub.com/kvm-networking-libvirt/ and https://forums.whonix.org/t/whonix-desktop-installer-with-calamares-field-report/7350/107
2019-08-19 11:30:57 +00:00
Patrick Schleizer
ed90d8b025
change default umask to 027
...
as per:
https://forums.whonix.org/t/change-default-umask/7416/47
2019-08-17 09:55:20 +00:00
Patrick Schleizer
224f95799c
sudo default umask 006
...
https://forums.whonix.org/t/change-default-umask/7416/43
2019-08-16 11:15:25 -04:00
Patrick Schleizer
85502ad430
Merge branch 'master' into patch-21
2019-08-16 14:35:51 +00:00
Patrick Schleizer
dbea7d1511
add hook etc/kernel/postinst.d/30_remove-system-map to remove system.map
...
on kernel package upgrade;
self-document this package: during upgrade the following will be written
to stdout:
Setting up linux-image-4.19.0-5-amd64 (4.19.37-5+deb10u2) ...
/etc/kernel/postinst.d/30_remove-system-map:
removed '/boot/System.map-4.19.0-5-amd64
2019-08-14 07:22:14 +00:00
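The hook named in the commit above runs from /etc/kernel/postinst.d, where Debian's kernel packages invoke every script with the kernel version string as the first argument and the image path as the second. The script below is an added example of how such a hook can be written; it is not the package's own 30_remove-system-map. The BOOT_DIR variable, the sweep function and the names used are assumptions of this example so it can be exercised against a scratch directory instead of the real /boot.

```shell
#!/bin/sh
# Added example of a /etc/kernel/postinst.d hook; not the package's own script.
# Debian's kernel postinst runs every hook in that directory as:
#     HOOK <version> <image-path>
# BOOT_DIR is an assumption of this example (defaults to /boot) so the
# functions can be pointed at a scratch directory for testing.
set -eu

# remove_system_map VERSION: delete BOOT_DIR/System.map-VERSION if present.
# A hook that exits non-zero aborts the kernel package's postinst, so a
# missing map file (hook already ran, or a kernel without one) is not an error.
remove_system_map() {
    version=$1
    boot_dir=${BOOT_DIR:-/boot}
    map="$boot_dir/System.map-$version"

    if [ ! -e "$map" ]; then
        return 0
    fi
    rm -- "$map"
    echo "removed '$map'"
}

# remove_all_system_maps: sweep the maps of already-installed kernels too
# (a postinst.d hook only sees the kernel being installed or upgraded).
# Prints one "removed" line per file and, last, the number of files removed.
remove_all_system_maps() {
    boot_dir=${BOOT_DIR:-/boot}
    count=0
    for map in "$boot_dir"/System.map-*; do
        [ -e "$map" ] || continue   # glob matched nothing
        rm -- "$map"
        echo "removed '$map'"
        count=$((count + 1))
    done
    echo "$count"
}

# Entry point when invoked by the kernel postinst: $1 is the kernel version.
# Echoing the script name first gives the self-documenting output the
# commit message quotes.
if [ -n "${1:-}" ]; then
    echo "$0:"
    remove_system_map "$1"
fi
```

Run it by hand as `BOOT_DIR=/tmp/fakeboot sh hook.sh 4.19.0-5-amd64` to see the same two output lines the commit quotes, without touching /boot.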
madaidan
9a49b8ecbb
Create 40_only_allow_signed_modules.cfg
...
Require all loaded kernel modules to be signed with a valid key.
2019-08-13 13:33:07 +00:00
madaidan
5a4ea39566
Create blacklist-bluetooth.conf
2019-07-31 18:30:57 +00:00
Patrick Schleizer
1c7441ddf1
alias /etc/securetty -> /etc/securetty.security-misc,
2019-07-17 21:16:14 +00:00
Patrick Schleizer
b153e8f7df
fix path
2019-07-17 21:02:48 +00:00
Patrick Schleizer
2299ed041f
passwordless recovery / emergency console
...
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211
bc5ca2de85
https://forums.whonix.org/t/restrict-root-access/7658/46
2019-07-17 20:36:51 +00:00
Patrick Schleizer
cb668459e8
port umask from /etc/pam.d to /usr/share/pam-configs implementation
...
https://forums.whonix.org/t/change-default-umask/7416
2019-07-13 10:35:10 -04:00
Patrick Schleizer
ac25733de8
remove etc/pam.d/common-password.security-misc rounds=65536
...
due to unclean implementation, see:
https://forums.whonix.org/t/restrict-root-access/7658/37
2019-07-13 14:01:53 +00:00
Patrick Schleizer
69b97981f3
convert etc/pam.d/su.security-misc to usr/share/pam-configs/wheel
...
https://forums.whonix.org/t/restrict-root-access/7658/32
2019-07-13 12:33:51 +00:00
Patrick Schleizer
4079632d1a
remove modifying /etc/pam.d directly (unreleased)
...
config-package-dev displace /etc/securetty
remove trailing spaces
https://forums.whonix.org/t/restrict-root-access/7658/31
2019-07-13 11:41:37 +00:00
madaidan
b63d4ccb41
Update uncommon-network-protocols.conf
2019-07-11 15:28:56 +00:00
madaidan
4058e283a5
Blacklist more uncommon network protocols
2019-07-10 14:27:19 +00:00
madaidan
d70440aaed
Remove duplicate
2019-07-09 21:57:37 +00:00
madaidan
2d27bdd808
Blacklist more uncommon network protocols
2019-07-09 21:55:37 +00:00
Patrick Schleizer
3df6a44e98
also allow members of group sudo to run /usr/lib/security-misc/panic-on-oops
2019-07-09 06:56:23 -04:00
Patrick Schleizer
0f15303eb4
Merge branch 'master' into patch-16
2019-07-09 10:54:24 +00:00
madaidan
24d9eadcb2
Use 65536 hashing rounds
2019-07-08 23:19:59 +00:00
madaidan
86117d9577
Create common-password.security-misc
2019-07-08 23:19:19 +00:00
madaidan
8ad9a54b09
Don't allow root login from a terminal
2019-07-08 23:17:17 +00:00
madaidan
890298a3c8
Restrict su to users in the root group
2019-07-08 23:15:56 +00:00
madaidan
38099a2a5d
Create su.security-misc
2019-07-08 23:11:17 +00:00
madaidan
2a17427055
Create security-misc
2019-07-08 23:01:30 +00:00
madaidan
4ac700ded0
Create 50panic_on_oops
2019-07-08 22:59:39 +00:00
Patrick Schleizer
e543c4bf82
apparmor fixes (this broke whonixcheck apparmor profile)
2019-07-07 16:37:46 -04:00
Patrick Schleizer
3558a9949f
Enable APT seccomp sandboxing.
...
Thanks to @torjunkie for the suggestion!
https://forums.whonix.org/t/apt-seccomp-bpf-sandboxing/7702
2019-07-07 09:37:25 +00:00
madaidan
46409be8b6
Use install instead of blacklist
2019-07-04 14:25:28 +00:00
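The two commits above, together with the later "blacklist modules with /bin/false rather than /bin/true" change, turn on the difference between three modprobe.d forms: plain `blacklist` only ignores the module's internal aliases, so hotplug autoloading stops but `modprobe name` and dependency pulls still load it; `install name /bin/true` replaces the load with a command that returns success, so nothing loads and nobody is told; `install name /bin/false` makes the load request fail, so the caller sees an error. The audit script below is an added example, not code from security-misc: its sample config is constructed inline, and `classify_module` and `audit_conf` are names chosen here.

```shell
#!/bin/sh
# Added example: audits a modprobe.d-style file for how each module is restricted.
# Not code from security-misc. The sample config below is constructed here.
set -eu

SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# blacklist: only stops autoloading via the module's aliases (udev/hotplug);
# "modprobe firewire-core" or a dependency pull still loads it.
blacklist firewire-core
# install .../bin/true: the load is replaced by a command that returns 0,
# so callers see success while the module never loads.
install thunderbolt /bin/true
# install .../bin/false: the load request fails, so the caller gets an error.
install n-hdlc /bin/false
EOF

# modprobe treats '-' and '_' in module names as equivalent; build a regex
# that matches either spelling of NAME.
name_pattern() {
    printf '%s' "$1" | sed 's/[-_]/[-_]/g'
}

# classify_module CONF NAME -> one of:
#   install-error | install-silent | install-custom | blacklist-only | unrestricted
classify_module() {
    conf=$1
    pat=$(name_pattern "$2")
    install_re="^[[:space:]]*install[[:space:]]+$pat[[:space:]]+"
    if grep -Eq "${install_re}/bin/false([[:space:]]|\$)" "$conf"; then
        echo install-error
    elif grep -Eq "${install_re}/bin/true([[:space:]]|\$)" "$conf"; then
        echo install-silent
    elif grep -Eq "$install_re" "$conf"; then
        echo install-custom
    elif grep -Eq "^[[:space:]]*blacklist[[:space:]]+$pat([[:space:]]|\$)" "$conf"; then
        echo blacklist-only
    else
        echo unrestricted
    fi
}

# audit_conf CONF: one line per module named in CONF with its classification,
# so "blacklist-only" entries that still load on demand stand out.
audit_conf() {
    conf=$1
    grep -Eo '^[[:space:]]*(blacklist|install)[[:space:]]+[^[:space:]]+' "$conf" \
        | awk '{print $2}' | sort -u | while read -r mod; do
            printf '%-16s %s\n' "$mod" "$(classify_module "$conf" "$mod")"
        done
}

audit_conf "$SAMPLE_CONF"
```

Point `audit_conf` at a real file under /etc/modprobe.d to check that every module you meant to block is in the `install-error` class; a `blacklist-only` result means a privileged process can still load it by name.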
madaidan
eb7eaffba1
Blacklist n-hdlc
2019-07-04 14:24:44 +00:00
Patrick Schleizer
93c0821054
config-package-dev displace files for change umask
...
https://forums.whonix.org/t/change-default-umask/7416
2019-07-01 13:35:45 +00:00
Patrick Schleizer
a73f0566e9
change default umask to 006
...
session optional pam_umask.so usergroups
https://forums.whonix.org/t/change-default-umask/7416/17
2019-07-01 13:25:23 +00:00
Patrick Schleizer
41b61e3277
revert to Debian buster original
2019-07-01 13:24:29 +00:00
madaidan
eedeaa0e7f
Update common-session-noninteractive
2019-06-30 13:12:59 +00:00
madaidan
a9af85f585
Update common-session
2019-06-30 13:12:16 +00:00
madaidan
1e1d29cfde
Create common-session-noninteractive
2019-06-30 13:11:31 +00:00
madaidan
501901f7c0
Change default umask to 006
2019-06-30 13:10:54 +00:00
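The umask values the commits above move between (006 here, later 027, with `pam_umask.so usergroups` in between) are easiest to judge by the modes new files and directories actually receive, since a file is created as 0666 minus the mask and a directory as 0777 minus the mask. The probe below is an added example and not part of security-misc; `mode_under_umask` and `umask_table` are names chosen here, and the probe only writes into a temporary directory.

```shell
#!/bin/sh
# Added example: shows the mode new files and directories receive under a
# given umask. Not code from security-misc; function names are chosen here.
set -eu

# mode_under_umask MASK KIND -> octal mode of a new file (KIND=file, created
# as 0666 & ~MASK) or directory (KIND=dir, created as 0777 & ~MASK).
mode_under_umask() {
    mask=$1
    kind=$2
    tmp=$(mktemp -d)
    (
        umask "$mask"   # subshell, so the caller's umask is untouched
        if [ "$kind" = dir ]; then
            mkdir "$tmp/probe"
        else
            : > "$tmp/probe"
        fi
    )
    stat -c %a "$tmp/probe"
    rm -rf "$tmp"
}

# umask_table: one row per candidate umask.
#   022  the usual default: everything world-readable.
#   027  the value the commits settle on: group may read, others get nothing.
#   006  owner and group equal (660/770-ish); only private when every user's
#        primary group is private to that user (Debian's user private groups,
#        the setting pam_umask's usergroups option is built around). Note it
#        leaves the others' execute bit on directories (771), so other users
#        can still traverse a directory whose entry names they know.
#   077  strictest: nothing is shared by default.
umask_table() {
    printf '%-6s %-5s %-4s\n' umask file dir
    for m in 022 027 006 077; do
        printf '%-6s %-5s %-4s\n' "$m" \
            "$(mode_under_umask "$m" file)" "$(mode_under_umask "$m" dir)"
    done
}

umask_table
```

The 771 result for directories under 006 is the kind of detail a mask value alone hides: a mask that only clears read and write bits for others still lets them pass through directories.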
madaidan
09a5c27f47
Create common-session
2019-06-30 13:10:29 +00:00
madaidan
a319333493
Create login.defs
2019-06-30 13:09:51 +00:00
madaidan
230ef34db4
Create disable-coredumps.conf
2019-06-30 00:19:04 +00:00
madaidan
1bf802f846
Create coredumps.conf
2019-06-30 00:16:50 +00:00
madaidan
f040081a59
Prevent setuid processes from creating coredumps.
2019-06-30 00:13:52 +00:00
Patrick Schleizer
ab312235ba
Merge pull request #14 from madaidan/patch-10
...
Add some hardening for other distributions
2019-06-28 06:59:16 +00:00
Patrick Schleizer
5e02100e34
Merge pull request #13 from madaidan/patch-9
...
Remove System.map and restrict the SysRq key.
2019-06-28 06:58:32 +00:00
Patrick Schleizer
7e12e16dc0
Merge pull request #11 from madaidan/patch-7
...
Protect against DMA attacks
2019-06-28 06:57:42 +00:00
madaidan
3801a53a9e
Update tcp_hardening.conf
2019-06-27 18:17:58 +00:00
madaidan
c54125270b
Create dmesg_restrict.conf
2019-06-27 18:15:57 +00:00
madaidan
01c839c815
Restrict what the SysRq key can do
2019-06-25 19:16:43 +00:00
Patrick Schleizer
2a6289980e
syntax fix
...
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt"
https://forums.whonix.org/t/kernel-hardening/7296/70
2019-06-23 18:46:52 +00:00
Patrick Schleizer
aec6da28e9
Merge pull request #10 from madaidan/patch-6
...
Enable more kernel hardening parameters
2019-06-23 18:45:24 +00:00
madaidan
641407c8e9
Enable IOMMU
2019-06-23 18:38:50 +00:00
madaidan
07c6362f1a
Blacklist thunderbolt and firewire
2019-06-23 18:34:45 +00:00
madaidan
2178fb37a8
Add more kernel hardening parameters
2019-06-23 17:54:34 +00:00
madaidan
807ac7d659
Create tcp_sack.conf
2019-06-22 16:08:30 +00:00
Patrick Schleizer
49873e8e02
solve package file conflict
...
https://github.com/QubesOS/qubes-issues/issues/1885#issuecomment-500200375
2019-06-09 10:06:58 +00:00
madaidan
7177c6041a
Create uncommon-network-protocols.conf
2019-05-16 20:30:49 +00:00
Patrick Schleizer
7d7b899dd1
Merge pull request #6 from madaidan/patch-2
...
Even more kernel hardening
2019-05-16 19:52:52 +00:00
madaidan
b814f338b8
Update tcp_hardening.conf
2019-05-16 16:33:03 +00:00
madaidan
e6794721bd
Update ptrace_scope.conf
2019-05-16 16:29:20 +00:00
Patrick Schleizer
137bc073c5
port to /etc/xdg/xfce4/xfconf/xfce-perchannel-xml
...
https://forums.whonix.org/t/whonix-xfce-development/6213/84?u=patrick
2019-05-08 21:38:25 -04:00
Patrick Schleizer
b00a264ce2
Disable thunar-volman by default.
2019-05-08 21:29:36 -04:00
madaidan
a4852ad6c8
Create fs_protected.conf
2019-05-06 20:37:53 +00:00
madaidan
0296e51e06
Create ptrace_scope.conf
2019-05-06 15:46:37 +00:00
madaidan
2923fc96ef
Create tcp_hardening.conf
2019-05-06 15:45:53 +00:00
madaidan
4216299ee8
Create kexec.conf
2019-05-06 15:42:55 +00:00
Patrick Schleizer
f917c27a19
remove trailing spaces
2019-05-06 05:51:14 -04:00
madaidan
02e8888b0b
Update 40_kernel_hardening.cfg
2019-05-05 20:17:33 +00:00
madaidan
3695d7491e
Create 40_kernel_hardening.cfg
2019-05-05 14:42:03 +00:00
madaidan
d2ca85c686
Create mmap_aslr.conf
2019-05-05 14:36:30 +00:00
madaidan
197c1120a9
Create harden_bpf.conf
2019-05-05 14:35:42 +00:00
madaidan
351db0ef7f
Create kptr_restrict.conf
2019-05-05 14:34:41 +00:00
Patrick Schleizer
63b080f40b
fix hiding network bookmark in thunar by default
...
Thanks to @Algernon for suggesting the fix!
2018-11-19 06:27:52 -05:00
Patrick Schleizer
daf7fc002b
Disables network bookmark by default.
2018-11-19 03:08:20 -05:00
Algernon-01
f84f988118
Enabled hidden files and volume management.
2018-11-08 07:22:35 +00:00
Algernon-01
5aebf29214
Security and general settings for Thunar.
2018-11-02 10:16:09 +00:00
Patrick Schleizer
008a97d9e7
disable previews in thunar
2018-10-31 02:22:43 -04:00
Patrick Schleizer
5b3fc2f6b9
update copyright
2018-01-29 15:22:05 +00:00
Patrick Schleizer
ff28f5932c
update copyright
2018-01-29 15:09:42 +00:00
Patrick Schleizer
49cde21078
Whonix 14 KDE plasma 5 fixes
...
https://phabricator.whonix.org/T633
2017-02-21 19:54:41 +00:00
Patrick Schleizer
c59d15d48f
Debian stretch / kde plasma5 fix: KDEDIRS -> XDG_CONFIG_DIRS
...
https://phabricator.whonix.org/T633
2017-02-15 20:46:22 +00:00
Patrick Schleizer
6cda8b1496
disable conntrack helper for better security
...
https://phabricator.whonix.org/T486
2016-10-10 16:10:30 +00:00
Patrick Schleizer
192d1e0cee
/etc/sysctl.d/nf_conntrack_helper.conf disabled for now as it needs more work
...
https://phabricator.whonix.org/T486
2016-04-25 23:19:54 +00:00
HulaHoopWhonix
92d738db56
Create nf_conntrack_helper.conf
2016-03-31 02:53:12 +00:00
HulaHoopWhonix
5992a7f026
Create tcp_timestamps.conf
2016-03-31 02:48:06 +00:00
Patrick Schleizer
d3ccf0eeaf
initial commit
2015-12-15 02:00:24 +00:00