Commit Graph

452 Commits

Author SHA1 Message Date
Ben Grande
abf72c2ee4
Rename file permission hardening script
Hardener as the script is the agent that is hardening the file
permissions.
2024-01-02 13:34:29 +01:00
Ben Grande
f138cf0f78
Refactor permission-hardener
- Organize comments from default configuration;
- Apply and undo changes from a single file controlled by parameters;
- Arrays should be evaluated as arrays and not normal variables;
- Quote variables;
- Brackets around variables;
- Standardize test cases to "test" command;
- Test against empty or non-empty variables with "-z" and "-n";
- Show a usage message when necessary;
- Require root to run the script with informative message;
- Permit the user to see the help message without running as root;
- Do not create root directories without passing root check;
- Use long options for "set" command;
2024-01-02 12:17:16 +01:00
Patrick Schleizer
f70a034da2
exclude hardened malloc from SUID disabler
fixes https://github.com/Kicksecure/security-misc/issues/179
2023-12-22 08:31:58 -05:00
Patrick Schleizer
5a73817a95
move to /usr/lib/issue.d/20_security-misc.issue
https://github.com/Kicksecure/security-misc/pull/167
2023-12-04 11:38:49 -05:00
Patrick Schleizer
dfaea492c7
remove etc/issue.net.d/20_security-misc
since not mentioned on debian.org
2023-12-04 11:37:02 -05:00
Patrick Schleizer
36850f89fb
Merge pull request #167 from monsieuremre/patch-4
Non-Identifiable and Generic Issue Banners that include the Recommended Keywords
2023-12-04 11:27:16 -05:00
Patrick Schleizer
c9ea7a4dca
use amd_iommu=force_isolation instead of amd_iommu=force_enable
because we set `iommu=force` already anyhow

fixes https://github.com/Kicksecure/security-misc/issues/175
2023-12-04 11:02:55 -05:00
monsieuremre
f2ad8383cf
fix 2023-12-03 19:51:38 +00:00
monsieuremre
dd15823a97
undo superfluousness 2023-12-03 19:50:07 +00:00
monsieuremre
83e13bb62d
Update 40_enable_iommu.cfg 2023-12-03 19:42:34 +00:00
monsieuremre
0d7af9707f
Update 20_security-misc 2023-12-03 19:31:12 +00:00
monsieuremre
04d27a10b0
Update 20_security-misc 2023-12-03 19:30:55 +00:00
monsieuremre
c8b9f5a917
net 2023-11-18 10:03:19 +00:00
monsieuremre
3b614f3753
20_security-misc 2023-11-18 10:02:16 +00:00
Patrick Schleizer
5bb357cac0
spice-client-glib-usb-acl-helper matchwhitelist 2023-11-06 16:55:00 -05:00
Patrick Schleizer
7309445ee5
comment 2023-11-06 16:52:27 -05:00
Patrick Schleizer
f09d97fc9e
whitelist VirtualBox 2023-11-06 16:50:19 -05:00
Patrick Schleizer
64c8c7a8d5
whitelist SSH 2023-11-06 16:47:31 -05:00
Patrick Schleizer
9682b51d54
whitelist virtualbox 2023-11-06 16:44:36 -05:00
Patrick Schleizer
a40b9bc095
comments 2023-11-06 16:40:22 -05:00
Patrick Schleizer
2c1a3da433
VirtualBoxVM matchwhitelist 2023-11-06 16:38:50 -05:00
Patrick Schleizer
4e96ffaabb
chrome-sandbox matchwhitelist 2023-11-06 16:37:19 -05:00
Patrick Schleizer
51decff2fd
exclude qfile-unpacker from permission hardener 2023-11-05 16:03:36 -05:00
Patrick Schleizer
1900c1ab07
pam exclude from permission-hardener 2023-11-05 15:57:49 -05:00
Patrick Schleizer
5a75bcfb19
Merge pull request #145 from monsieuremre/wifi-and-bluetooth
Wifi and Bluetooth Patch | Security and Privacy
2023-11-05 14:49:00 -05:00
Patrick Schleizer
4946f85d43
Merge pull request #146 from monsieuremre/thunderbird
Thunderbird Hardening
2023-11-05 14:37:47 -05:00
Patrick Schleizer
97054b2b10
revert enabling kernel module signature enforcement
due to issues

https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/63

https://github.com/dell/dkms/issues/359
2023-11-03 15:55:17 -04:00
Patrick Schleizer
0242c04dc2
port to DKMS drop-in folder
undisplace /etc/dkms/framework.conf.security-misc
moved to /etc/dkms/framework.conf.d/30_security-misc.conf
2023-11-03 14:51:14 -04:00
Patrick Schleizer
d1b5a3ffd5
/usr/sbin/pam-tmpdir-helper exactwhitelist
https://github.com/Kicksecure/security-misc/pull/147
2023-11-03 12:55:34 -04:00
Patrick Schleizer
b6d53f698d
Revert "allow loading unsigned modules due to issues"
This reverts commit 661bcd8603.
2023-11-03 12:17:00 -04:00
monsieuremre
1abac794b5
very secure and private defaults 2023-11-02 09:15:20 +00:00
monsieuremre
5a583ca48c
typo in file name 2023-11-02 08:30:26 +00:00
monsieuremre
229032d691
Rename etc/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf to usr/lib/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf 2023-11-01 17:54:05 +00:00
monsieuremre
1049298e7b
Update and rename etc/NetworkManager/conf.d/99_randomize-mac.conf to usr/lib/NetworkManager/conf.d/99_randomize-mac.conf 2023-11-01 17:52:40 +00:00
monsieuremre
76e684cc0a
Update and rename etc/NetworkManager/conf.d/99_ipv6-privacy.conf to usr/lib/NetworkManager/conf.d/99_ipv6-privacy.conf 2023-11-01 17:51:27 +00:00
monsieuremre
fc8e201e84
rename 2023-10-27 14:49:24 +00:00
monsieuremre
13b4ddbb62
30_security-misc.conf 2023-10-27 14:34:21 +00:00
monsieuremre
b298d152fc
30_security-misc.conf 2023-10-27 14:32:08 +00:00
monsieuremre
3d4b04fddc
99_ipv6-privacy.conf 2023-10-27 12:35:39 +00:00
monsieuremre
e90f62eaab
99_randomize_mac.conf 2023-10-27 12:34:15 +00:00
monsieuremre
604d839537
99_ipv6-privacy-extensions.conf 2023-10-27 12:30:26 +00:00
monsieuremre
f2c23a2831
ssh config 2023-10-27 10:53:45 +00:00
Patrick Schleizer
7cff267002
remove duplicates 2023-10-26 19:31:14 -04:00
monsieuremre
99355c6169
new lines 30_default.conf 2023-10-26 17:45:28 +00:00
Patrick Schleizer
b7c52800f4
renamed: etc/sysctl.d/30_security-misc.conf -> usr/lib/sysctl.d/30_security-misc.conf
renamed:    etc/sysctl.d/30_security-misc_kexec-disable.conf -> usr/lib/sysctl.d/30_security-misc_kexec-disable.conf
renamed:    etc/sysctl.d/30_silent-kernel-printk.conf -> usr/lib/sysctl.d/30_silent-kernel-printk.conf
2023-10-25 17:28:43 -04:00
Patrick Schleizer
f6d1346e2b
fix 2023-10-22 16:22:08 -04:00
Patrick Schleizer
11382881b5
comments 2023-10-22 16:12:26 -04:00
Patrick Schleizer
4288e10554
fix, rework remount-secure kernel parameters parsing 2023-10-22 13:25:31 -04:00
Patrick Schleizer
c409e3221e
implement remount-secure 2023-10-22 09:36:03 -04:00
Patrick Schleizer
ae2c1c5a7a
fix xession environment variable 2023-10-21 14:18:50 -04:00
Patrick Schleizer
d543825d85
comments 2023-10-21 12:24:59 -04:00
Patrick Schleizer
645ee814e4
fix 2023-10-13 15:22:48 -04:00
Patrick Schleizer
2d45241084
avoid duplicate environment variables 2023-10-12 11:37:01 -04:00
Patrick Schleizer
fa820e8978
refactoring environment variables loading mechanism 2023-10-12 10:40:27 -04:00
Patrick Schleizer
8a6baea990
comment 2023-06-22 16:16:15 +00:00
Raja Grewal
cf003dfad8
Update comments 2023-05-16 02:11:44 +10:00
Jeremy Rand
61f63255ac
vm.mmap_rnd_bits: Fix ppc64le
Probably fixes a bunch of other non-x86_64 arches too.
2023-04-24 23:07:39 +00:00
Patrick Schleizer
5c6db28881
Merge pull request #122 from raja-grewal/tcp
Remove outdated comment about SACK, DSACK, and FACK
2023-03-31 04:52:55 -04:00
Raja Grewal
ed5f8be9eb
Remove outdated comment about SACK, DSACK, and FACK 2023-03-30 19:17:43 +11:00
Raja Grewal
7a4212dd76
Update copyright 2023-03-30 17:08:47 +11:00
Patrick Schleizer
8c3204a5e4
comment 2023-01-25 15:20:30 -05:00
Patrick Schleizer
65c29f493b
move kexec disabling to dedicated file /etc/sysctl.d/30_security-misc_kexec-disable.conf
so ram-wipe can `config-package-dev` `hide` this config file
2023-01-25 15:13:19 -05:00
Patrick Schleizer
ad5d0d4b12
disable kexec (revert enabling kexec)
remove kexec-utils for ram-wipe since moved to its own package
2023-01-09 06:37:45 -05:00
Patrick Schleizer
87c4e77c01
migrate to ram-wipe package 2023-01-09 06:23:00 -05:00
Friedrich Doku
78a4fad667 Change echo to info. Included more reliable way of getting initrd and kernel. Allow user custom kexec 2023-01-07 11:14:31 -05:00
Raja Grewal
f81714be50
Merge branch 'Kicksecure:master' into framebuffer 2022-12-13 05:14:56 +00:00
Raja Grewal
d67845fea8
Typo 2022-12-13 16:11:24 +11:00
Patrick Schleizer
6d7a782624
fix 2022-11-24 07:21:46 -05:00
Raja Grewal
6f695902fb
Add comment about legacy Apple fiesystems 2022-11-23 23:53:40 +11:00
Patrick Schleizer
e5255a630a
pam-info: support non-root environments (such as during graphical display manager login and xscreensaver) 2022-11-22 05:57:30 -05:00
Raja Grewal
daa30d4e78
Include several framebuffer drivers into blacklist
These were previously commented out to test for compatibility issues.
2022-11-09 20:43:59 +11:00
Raja Grewal
92669dba18
Comment out machine check exception 2022-08-21 23:02:44 +10:00
Patrick Schleizer
0c5b1e9f57
undo "force kernel to panic on "oopses"
because implemented differently already

https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713
2022-07-23 07:49:56 -04:00
Raja Grewal
ca764d8de0
force kernel to panic on "oopses" 2022-07-20 04:06:35 +10:00
Raja Grewal
1660aaa6dd
update details around disabling SMT 2022-07-19 03:38:41 +10:00
Raja Grewal
bfd78a2c06
update SRBDS mitigation 2022-07-19 03:16:08 +10:00
Raja Grewal
c3ebb9160f
CPU mitigation - MMIO Stale Data 2022-07-19 02:33:16 +10:00
Raja Grewal
59e90ff122
CPU mitigation - L1D FLushing 2022-07-19 02:32:41 +10:00
Raja Grewal
8531fbf99d
CPU mitigation - SRBDS 2022-07-19 02:30:49 +10:00
Raja Grewal
73f1e23332
shuffle and rewording 2022-07-19 02:29:46 +10:00
Raja Grewal
39314b2912
Merge branch 'harden' of https://github.com/raja-grewal/security-misc into harden 2022-07-19 00:49:08 +10:00
Raja Grewal
bb831d57bc
delete repeated commands 2022-07-19 00:38:32 +10:00
Raja Grewal
c77a2a78bc
enforce default net.ipv6.icmp_ignore_bogus_error_responses 2022-07-19 00:37:31 +10:00
Raja Grewal
c4a1094760
Merge branch 'Kicksecure:master' into harden 2022-07-18 13:36:23 +00:00
Raja Grewal
a72bbb1883
Corrected kerenl module disabling 2022-07-13 23:42:13 +10:00
Raja Grewal
4e93b4d37e
Revert "enforce defualt net.ipv4.ip_forward"
This reverts commit 57b5b2145c.
2022-07-13 21:10:39 +10:00
Raja Grewal
a47922ad28
enforce of IOMMU TLB invalidation 2022-07-13 04:47:07 +10:00
Raja Grewal
33df16af80
disables random.trust_bootloader 2022-07-13 04:37:03 +10:00
Raja Grewal
d0779a96fc
add reference 2022-07-13 04:36:34 +10:00
Raja Grewal
74858d257b
enable randomize_kstack_offset 2022-07-13 04:34:35 +10:00
Raja Grewal
f572332108
disable slub_debug 2022-07-13 04:32:03 +10:00
Raja Grewal
57b5b2145c
enforce defualt net.ipv4.ip_forward 2022-07-13 04:30:43 +10:00
Raja Grewal
79156262c9
enforce default net.ipv4.icmp_ignore_bogus_error_responses 2022-07-13 04:29:42 +10:00
Raja Grewal
dabcaf22e1
enforce default kernel.randomize_va_space 2022-07-13 04:28:03 +10:00
Raja Grewal
48089e5ba4
More verbose kernel module blocking error logs 2022-07-12 17:02:12 +10:00
Raja Grewal
40ec791774
Updated comments 2022-07-12 16:58:16 +10:00
Raja Grewal
ef1ef9917d
Blacklist automatic loading of CD-ROM modules 2022-07-10 04:53:25 +10:00
Raja Grewal
61ef9bd59f
Incorporated Ubuntu’s kernel module blacklists 2022-07-10 04:52:00 +10:00
Patrick Schleizer
26b2c9727f
not blacklist CD-ROM / DVD yet
https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31
2022-07-07 15:39:40 -04:00
Patrick Schleizer
ca19d78d48
shuffle 2022-07-07 15:27:15 -04:00