raja-grewal
ce4b57d1cb
Update docs on kernel panics
2025-02-03 00:31:45 +00:00
Patrick Schleizer
9f5e522b83
LC_ALL=C
2025-01-30 07:53:04 -05:00
Patrick Schleizer
7c150d116d
LANG=C str_replace: no longer requires LANG=C, therefore removed
2025-01-30 07:45:08 -05:00
Patrick Schleizer
d5ad29a732
add /usr/lib/polkit-1/polkit-agent-helper-1 to permission hardener hardcoded statoverride file
2025-01-22 09:04:44 -05:00
Patrick Schleizer
80bd314436
add .whonix files to hardcoded files
2025-01-22 08:25:14 -05:00
Aaron Rainbolt
42f34f5a4c
Don't handle files with multiple hardlinks
2025-01-21 21:49:03 -06:00
Aaron Rainbolt
5e60416c86
Make permission-hardener always apply changes to real files, not symlinks
2025-01-21 21:05:03 -06:00
Aaron Rainbolt
ed767e00b0
Add some local variable declarations
2025-01-21 16:41:30 -06:00
Aaron Rainbolt
a97620a2e4
Add print-diagnostics command to permission-hardener
2025-01-20 22:43:55 -06:00
Patrick Schleizer
df9d058ed9
usrmerge
2025-01-20 06:28:16 -05:00
Patrick Schleizer
4e0d5a196c
delete comment only configuration file (moved to user-sysmaint-split)
2025-01-20 04:30:26 -05:00
Patrick Schleizer
1b4d1edfc3
comments
2025-01-20 04:29:42 -05:00
Aaron Rainbolt
328f747179
Restore permission-hardener's notice about how to compare old and new states
2025-01-14 20:35:28 -06:00
Aaron Rainbolt
c6f09748f3
Handle de-corruption of new_mode a bit better
2025-01-14 20:27:53 -06:00
Aaron Rainbolt
a0f81958df
De-corrupt the new_mode permission-hardener statoverride database too
2025-01-14 19:25:15 -06:00
Patrick Schleizer
eec2e2c8ee
comment
2025-01-14 04:13:39 -05:00
Patrick Schleizer
6d282226ef
comment
2025-01-14 04:12:12 -05:00
Patrick Schleizer
466308e4f9
permission hardener: disable SUID for chrome-sandbox
2025-01-14 04:09:57 -05:00
Patrick Schleizer
7a5f8b87af
permission hardener: disable SUID for ssh-agent, ssh-keysign, /lib/openssh/*
...
This might break SSH host-based authentication.
2025-01-14 04:06:44 -05:00
Patrick Schleizer
d89ffcde30
comment
2025-01-14 04:04:09 -05:00
Patrick Schleizer
9f1759ba0e
comment
2025-01-14 03:56:55 -05:00
Patrick Schleizer
0ac85ea9f5
comment
2025-01-14 03:54:35 -05:00
Patrick Schleizer
fce6a5f830
comment
2025-01-14 03:51:43 -05:00
Patrick Schleizer
1e99404813
comment
2025-01-14 03:50:16 -05:00
Patrick Schleizer
b198591537
comment
2025-01-14 03:49:42 -05:00
Patrick Schleizer
7d44db2cb2
usrmerge
2025-01-14 03:49:15 -05:00
Aaron Rainbolt
de9ebabd46
Fix minor migration bugs, don't run the migration code on new image builds
2025-01-13 22:16:02 -06:00
Patrick Schleizer
1b33e83529
Merge pull request #291 from raja-grewal/drop_gratuitous_arp
...
Drop gratuitous ARP packets
2025-01-10 10:29:30 -05:00
Patrick Schleizer
486757bfae
Merge pull request #290 from raja-grewal/arp_ignore
...
Respond to ARP requests only if the target IP address is on-link
2025-01-10 10:29:12 -05:00
Patrick Schleizer
17ff249150
Merge pull request #289 from raja-grewal/arp_filter
...
Enable ARP filtering
2025-01-10 10:28:48 -05:00
Patrick Schleizer
27d19ba568
Merge pull request #288 from raja-grewal/shared_media
...
Deny sending and receiving shared media redirects
2025-01-10 10:28:05 -05:00
Patrick Schleizer
482960d056
permission-hardener: move to new state folder /var/lib/permission-hardener-v2 without migration
...
https://github.com/Kicksecure/security-misc/pull/294
2025-01-10 10:21:12 -05:00
Patrick Schleizer
3a31cc99b3
Merge remote-tracking branch 'ArrayBolt3/arraybolt3/usrmerge'
2025-01-09 09:30:58 -05:00
raja-grewal
1f8eee4720
Add missing sentence full stop
2025-01-08 18:36:00 +11:00
Aaron Rainbolt
5941195e96
Don't worry about files under /bin anymore, Bookworm uses a merged /usr directory
2025-01-07 14:10:46 -06:00
Patrick Schleizer
c4cfb8597d
Merge remote-tracking branch 'ArrayBolt3/arraybolt3/permission-hardener-refactor'
2025-01-06 08:43:54 -05:00
Patrick Schleizer
6e0787957b
increase priority of pam wheel so it is checked even before faillock
...
in case of attempting to use `su` without being a member of the required group `sudo`, it's useful to abort the PAM stack as early as possible to avoid needlessly prompting for a password to later be rejected due to lack of group membership
2025-01-06 05:29:40 -05:00
Patrick Schleizer
d4767b7520
fix: apply PAM wheel only to su PAM service
2025-01-06 04:24:44 -05:00
Aaron Rainbolt
93ebf176c5
Make the main field count check in permission-hardener a bit more elegant
2025-01-02 20:42:06 -05:00
Aaron Rainbolt
895c0f541f
Merge branch 'master' into arraybolt3/permission-hardener-refactor
2025-01-01 15:04:01 -06:00
Patrick Schleizer
33114f771a
copyright
2024-12-31 13:26:21 -05:00
Aaron Rainbolt
717e6fcfbe
Post-review improvements to permission-hardener
2024-12-30 21:34:23 -06:00
Aaron Rainbolt
dbcb612517
Polish permission-hardener refactor
2024-12-26 00:43:26 -06:00
Aaron Rainbolt
83d3867959
Refactor permission-hardener to be more idempotent
2024-12-25 16:53:55 -06:00
Aaron Rainbolt
6602fb102d
Adjust pam-info messaging for sysmaint mode
2024-12-24 20:52:34 -06:00
Aaron Rainbolt
2f3a2bce77
Add warning about using non-sysmaint accounts in sysmaint mode
2024-12-20 11:04:22 -06:00
Patrick Schleizer
ad6e1f5ad4
move from /etc/permission-hardener.d to /usr/lib/permission-hardener.d
2024-12-20 00:41:06 -05:00
Patrick Schleizer
6de5d2d076
permission hardener: also parse /usr/lib/permission-hardener.d/*.conf folder
2024-12-20 00:37:44 -05:00
Patrick Schleizer
175b442d5b
use long option name
2024-12-19 05:56:50 -05:00
Patrick Schleizer
c99021bb0c
Merge remote-tracking branch 'ArrayBolt3/arraybolt3/sysmaint'
2024-12-19 05:56:01 -05:00