Patrick Schleizer
|
cf07e977bd
|
add /bin/pkexec exactwhitelist for consistency
since there is already `/usr/bin/pkexec exactwhitelist`
|
2020-11-29 09:09:42 -05:00 |
|
Patrick Schleizer
|
fe27483886
|
bumped changelog version
|
2020-11-28 06:08:10 -05:00 |
|
Patrick Schleizer
|
28a326a8a1
|
add feature /usr/lib/security-misc/permission-hardening-undo /path/to/filename
to allow removing 1 SUID
fix, show INFO message if file does not exist during removal rather than ERROR
|
2020-11-28 05:31:12 -05:00 |
|
Patrick Schleizer
|
0ef35f8770
|
bumped changelog version
|
2020-11-06 10:18:09 -05:00 |
|
Patrick Schleizer
|
abae787186
|
usability: pam abort when attempting to login to root when root password is locked
|
2020-11-05 06:47:16 -05:00 |
|
Patrick Schleizer
|
581e31af81
|
comment
|
2020-11-05 06:46:57 -05:00 |
|
Patrick Schleizer
|
dfe9b0f6c7
|
fix, no longer unconditionally abort pam for user accounts with locked passwords
as locked user accounts might have valid sudoers exceptions
Thanks to @mimp for the bug report!
https://forums.whonix.org/t/pam-abort-on-locked-password-and-running-privileged-command-from-web-browser/10521
|
2020-11-05 06:42:47 -05:00 |
|
Patrick Schleizer
|
211769dc65
|
comment
|
2020-11-05 06:41:51 -05:00 |
|
Patrick Schleizer
|
7952139731
|
comment
|
2020-11-05 06:39:32 -05:00 |
|
Patrick Schleizer
|
bb72c1278d
|
copyright
|
2020-11-05 06:36:39 -05:00 |
|
Patrick Schleizer
|
f4843b1deb
|
bumped changelog version
|
2020-10-31 06:29:25 -04:00 |
|
Patrick Schleizer
|
c1e0bb8310
|
shebang
|
2020-10-31 06:11:49 -04:00 |
|
Patrick Schleizer
|
b06d4ca299
|
bumped changelog version
|
2020-10-31 06:09:22 -04:00 |
|
Patrick Schleizer
|
3f656be574
|
chmod +x /etc/X11/Xsession.d/50panic_on_oops
chmod +x /etc/X11/Xsession.d/50security-misc
|
2020-10-31 05:48:10 -04:00 |
|
Patrick Schleizer
|
881d695bff
|
bumped changelog version
|
2020-10-05 07:03:37 -04:00 |
|
Patrick Schleizer
|
3adb2c92d9
|
Merge remote-tracking branch 'github/master'
|
2020-10-03 14:10:32 -04:00 |
|
Patrick Schleizer
|
58560138cd
|
Merge pull request #77 from madaidan/debugfs
Restrict access to debugfs
|
2020-10-03 18:09:07 +00:00 |
|
madaidan
|
06ffd5d220
|
Restrict access to debugfs
|
2020-09-28 19:21:20 +00:00 |
|
Patrick Schleizer
|
feb7cea4c5
|
bumped changelog version
|
2020-09-28 10:30:42 -04:00 |
|
Patrick Schleizer
|
da1ac48cde
|
unblacklist squashfs as this would likely break Whonix-Host ISO
https://github.com/Whonix/security-misc/pull/75#issuecomment-700044182
|
2020-09-28 10:29:50 -04:00 |
|
Patrick Schleizer
|
4070133ed6
|
unblacklist vfat
https://github.com/Whonix/security-misc/pull/75#issuecomment-695201068
|
2020-09-28 10:25:57 -04:00 |
|
Patrick Schleizer
|
77d461ec08
|
Merge remote-tracking branch 'github/master'
|
2020-09-28 10:24:59 -04:00 |
|
Patrick Schleizer
|
3684ab585e
|
Merge pull request #75 from flawedworld/patch-1
Blacklist more modules (based on OpenSCAP for RHEL 8)
|
2020-09-28 14:24:15 +00:00 |
|
Patrick Schleizer
|
ae90107e6d
|
Merge pull request #76 from flawedworld/patch-2
Add IPv6 sysctl options and enforce kernel.perf_event_paranoid=3
|
2020-09-28 14:23:42 +00:00 |
|
flawedworld
|
a813e7da07
|
Blacklist more modules
|
2020-09-19 20:46:19 +01:00 |
|
Patrick Schleizer
|
5fc7b791db
|
bumped changelog version
|
2020-09-19 09:28:27 -04:00 |
|
Patrick Schleizer
|
bff6ce7abb
|
Merge remote-tracking branch 'github/master'
|
2020-09-19 06:54:50 -04:00 |
|
Patrick Schleizer
|
9239c8b807
|
Merge pull request #71 from onions-knight/patch-1
Update thunar.xml
|
2020-09-19 10:54:21 +00:00 |
|
flawedworld
|
8f7727e823
|
Add some IPv6 options
|
2020-09-18 23:36:30 +01:00 |
|
flawedworld
|
944fed3c45
|
Disallow kernel profiling by users without CAP_SYS_ADMIN
It's the default on a lot of stuff, but still nice to have.
|
2020-09-18 23:29:04 +01:00 |
|
Patrick Schleizer
|
98c0decaa4
|
bumped changelog version
|
2020-08-03 09:43:43 -04:00 |
|
Patrick Schleizer
|
7e267ab498
|
fix, allow group sudo and console to use consoles
fix /etc/security/access-security-misc.conf syntax error
Thanks to @81a989 for the bug report!
https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/31
|
2020-08-03 08:12:19 -04:00 |
|
Patrick Schleizer
|
b09f5ddc15
|
bumped changelog version
|
2020-07-29 08:33:07 -04:00 |
|
Patrick Schleizer
|
ac8bc4f006
|
readme
|
2020-07-29 06:30:07 -04:00 |
|
Patrick Schleizer
|
861f9d1022
|
bumped changelog version
|
2020-05-14 13:57:32 -04:00 |
|
Patrick Schleizer
|
3cd7b144bb
|
move "kernel.printk = 3 3 3 3" to separate file /etc/sysctl.d/30_silent-kernel-printk.conf
so package debug-misc can easily disable it
https://phabricator.whonix.org/T950
|
2020-05-14 13:47:58 -04:00 |
|
Patrick Schleizer
|
81cb6ad246
|
bumped changelog version
|
2020-04-23 12:27:25 -04:00 |
|
Patrick Schleizer
|
6485df8126
|
Prevent kernel info leaks in console during boot.
add kernel parameter `quiet loglevel=0`
https://phabricator.whonix.org/T950
|
2020-04-23 12:26:31 -04:00 |
|
Patrick Schleizer
|
aa5631b02b
|
bumped changelog version
|
2020-04-16 08:43:40 -04:00 |
|
Patrick Schleizer
|
8d2e4b68dc
|
Prevent kernel info leaks in console during boot.
By setting `kernel.printk = 3 3 3 3`.
https://phabricator.whonix.org/T950
Thanks to @madaidan for the suggestion!
|
2020-04-16 08:00:31 -04:00 |
|
Patrick Schleizer
|
4898a9e753
|
fix, sysctl-initramfs: switch log to /run/initramfs/sysctl-initramfs-error.log
since ephemeral, in RAM, not written to disk, no conflict with grub-live
https://forums.whonix.org/t/kernel-hardening/7296/435
|
2020-04-16 07:54:33 -04:00 |
|
Patrick Schleizer
|
701da5f6cc
|
formatting
|
2020-04-16 07:24:44 -04:00 |
|
Patrick Schleizer
|
cb51847085
|
readme
|
2020-04-15 14:05:37 -04:00 |
|
Patrick Schleizer
|
df218ad658
|
bumped changelog version
|
2020-04-14 12:40:31 -04:00 |
|
Patrick Schleizer
|
8851c9ed29
|
fix: disable proc-hidepid.service
|
2020-04-14 12:39:34 -04:00 |
|
Patrick Schleizer
|
b6dde34bfb
|
bumped changelog version
|
2020-04-13 06:56:34 -04:00 |
|
Patrick Schleizer
|
e0b8640fb9
|
readme
|
2020-04-13 06:56:34 -04:00 |
|
Patrick Schleizer
|
253578afdf
|
/etc/security/access-security-misc.conf white list ttyS0 etc.
ttyS0 ttyS1 ttyS2 ttyS3 ttyS4 ttyS5 ttyS6 ttyS7 ttyS8 ttyS9
Thanks to @subpar_marlin for the bug report and helping to fix this!
https://forums.whonix.org/t/how-do-i-enter-the-whonix-shell-from-cli/7271/43
https://forums.whonix.org/t/etc-security-hardening/8592
|
2020-04-13 06:50:32 -04:00 |
|
Patrick Schleizer
|
b3ce18f0f9
|
disable proc-hidepid by default because incompatible with pkexec
and undo pkexec wrapper
|
2020-04-12 16:54:10 -04:00 |
|
Patrick Schleizer
|
4429315291
|
disable proc-hidepid by default because incompatible with pkexec
and undo pkexec wrapper
|
2020-04-12 16:52:55 -04:00 |
|