Commit Graph

2108 Commits

Author SHA1 Message Date
Patrick Schleizer
468d8b600d
readme 2021-01-12 03:20:58 -05:00
Patrick Schleizer
b5cee63999
new file: README_generic.md 2021-01-12 03:19:31 -05:00
Patrick Schleizer
94627f0875
Merge remote-tracking branch 'github/master' 2021-01-12 03:18:41 -05:00
Patrick Schleizer
79876f7b12
Merge pull request #99 from madaidan/docs
Overhaul documentation
2021-01-12 08:17:04 +00:00
madaidan
3066b5ad97
Overhaul documentation 2021-01-12 02:17:13 +00:00
Patrick Schleizer
353e74fb5f
bumped changelog version 2021-01-05 08:30:37 -05:00
Patrick Schleizer
a258f35f38
comment 2021-01-05 02:11:08 -05:00
Patrick Schleizer
a4d7e46141
bumped changelog version 2020-12-10 05:20:57 -05:00
Patrick Schleizer
c5097ed599
comment 2020-12-06 04:23:09 -05:00
Patrick Schleizer
b2b614ed2a
cover more folders in /usr/local 2020-12-06 04:15:52 -05:00
Patrick Schleizer
5bd267d774
refactoring 2020-12-06 04:10:50 -05:00
Patrick Schleizer
11cdce02a0
refactoring 2020-12-06 04:10:10 -05:00
Patrick Schleizer
f73c55f16c
/opt
https://forums.whonix.org/t/suid-disabler-and-permission-hardener/7706/68
2020-12-06 04:08:58 -05:00
Patrick Schleizer
261ef85c14
bumped changelog version 2020-12-01 05:53:06 -05:00
Patrick Schleizer
c031f22995
SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists
`whitelists_disable_all=true`
2020-12-01 05:14:48 -05:00
Patrick Schleizer
b09cc0de6a
Revert "SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists"
This reverts commit 36a471ebce.
2020-12-01 05:10:26 -05:00
Patrick Schleizer
704f0500ba
fix, rename 40_default_whitelist_[...].conf to 25_default_whitelist_[...].conf
since whitelist needs to be defined before SUID removal commands
2020-12-01 05:03:16 -05:00
Patrick Schleizer
36a471ebce
SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists
`whitelists_disable_all=true`
2020-12-01 05:02:34 -05:00
Patrick Schleizer
318ab570aa
simplify disabling of SUID Disabler and Permission Hardener whitelist
split `/etc/permission-hardening.d/30_default.conf` into multiple files

`/etc/permission-hardening.d/40_default_whitelist_[...].conf`

therefore make it easier to delete any whitelisted SUID binaries
2020-12-01 04:28:15 -05:00
Patrick Schleizer
cf07e977bd
add /bin/pkexec exactwhitelist for consistency
since there is already `/usr/bin/pkexec exactwhitelist`
2020-11-29 09:09:42 -05:00
Patrick Schleizer
fe27483886
bumped changelog version 2020-11-28 06:08:10 -05:00
Patrick Schleizer
28a326a8a1
add feature /usr/lib/security-misc/permission-hardening-undo /path/to/filename
to allow removing 1 SUID

fix, show INFO message if file does not exist during removal rather than ERROR
2020-11-28 05:31:12 -05:00
Patrick Schleizer
0ef35f8770
bumped changelog version 2020-11-06 10:18:09 -05:00
Patrick Schleizer
abae787186
usability: pam abort when attempting to login to root when root password is locked 2020-11-05 06:47:16 -05:00
Patrick Schleizer
581e31af81
comment 2020-11-05 06:46:57 -05:00
Patrick Schleizer
dfe9b0f6c7
fix, no longer unconditionally abort pam for user accounts with locked passwords
as locked user accounts might have valid sudoers exceptions

Thanks to @mimp for the bug report!

https://forums.whonix.org/t/pam-abort-on-locked-password-and-running-privileged-command-from-web-browser/10521
2020-11-05 06:42:47 -05:00
Patrick Schleizer
211769dc65
comment 2020-11-05 06:41:51 -05:00
Patrick Schleizer
7952139731
comment 2020-11-05 06:39:32 -05:00
Patrick Schleizer
bb72c1278d
copyright 2020-11-05 06:36:39 -05:00
Patrick Schleizer
f4843b1deb
bumped changelog version 2020-10-31 06:29:25 -04:00
Patrick Schleizer
c1e0bb8310
shebang 2020-10-31 06:11:49 -04:00
Patrick Schleizer
b06d4ca299
bumped changelog version 2020-10-31 06:09:22 -04:00
Patrick Schleizer
3f656be574
chmod +x /etc/X11/Xsession.d/50panic_on_oops
chmod +x /etc/X11/Xsession.d/50security-misc
2020-10-31 05:48:10 -04:00
Patrick Schleizer
881d695bff
bumped changelog version 2020-10-05 07:03:37 -04:00
Patrick Schleizer
3adb2c92d9
Merge remote-tracking branch 'github/master' 2020-10-03 14:10:32 -04:00
Patrick Schleizer
58560138cd
Merge pull request #77 from madaidan/debugfs
Restrict access to debugfs
2020-10-03 18:09:07 +00:00
madaidan
06ffd5d220
Restrict access to debugfs 2020-09-28 19:21:20 +00:00
Patrick Schleizer
feb7cea4c5
bumped changelog version 2020-09-28 10:30:42 -04:00
Patrick Schleizer
da1ac48cde
unblacklist squashfs as this would likely break Whonix-Host ISO
https://github.com/Whonix/security-misc/pull/75#issuecomment-700044182
2020-09-28 10:29:50 -04:00
Patrick Schleizer
4070133ed6
unblacklist vfat
https://github.com/Whonix/security-misc/pull/75#issuecomment-695201068
2020-09-28 10:25:57 -04:00
Patrick Schleizer
77d461ec08
Merge remote-tracking branch 'github/master' 2020-09-28 10:24:59 -04:00
Patrick Schleizer
3684ab585e
Merge pull request #75 from flawedworld/patch-1
Blacklist more modules (based on OpenSCAP for RHEL 8)
2020-09-28 14:24:15 +00:00
Patrick Schleizer
ae90107e6d
Merge pull request #76 from flawedworld/patch-2
Add IPv6 sysctl options and enforce kernel.perf_event_paranoid=3
2020-09-28 14:23:42 +00:00
flawedworld
a813e7da07 Blacklist more modules 2020-09-19 20:46:19 +01:00
Patrick Schleizer
5fc7b791db
bumped changelog version 2020-09-19 09:28:27 -04:00
Patrick Schleizer
bff6ce7abb
Merge remote-tracking branch 'github/master' 2020-09-19 06:54:50 -04:00
Patrick Schleizer
9239c8b807
Merge pull request #71 from onions-knight/patch-1
Update thunar.xml
2020-09-19 10:54:21 +00:00
flawedworld
8f7727e823
Add some IPv6 options 2020-09-18 23:36:30 +01:00
flawedworld
944fed3c45
Disallow kernel profiling by users without CAP_SYS_ADMIN
It's the default on a lot of stuff, but still nice to have.
2020-09-18 23:29:04 +01:00
Patrick Schleizer
98c0decaa4
bumped changelog version 2020-08-03 09:43:43 -04:00