Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-01-09 17:19:26 -05:00
Code Issues Packages Projects Releases Wiki Activity
2,202 Commits 2 Branches 291 Tags 8.2 MiB
d6fc71dba7
Commit Graph

492 Commits

Author SHA1 Message Date
Raja Grewal
a33d4cd099
Refactor existing kernel parameters for clarity 2024-07-15 01:56:25 +10:00
Raja Grewal
9f58266546
Move nf_conntrack_helper disabling into separate file 2024-07-13 23:32:01 +10:00
Raja Grewal
98580bb39a
Update modprobe presentation 2024-07-13 23:29:52 +10:00
Raja Grewal
41a3bf92fb
Sort 30_security-misc_disable.conf 2024-07-12 16:21:41 +10:00
Raja Grewal
b02230a783
Split modprobe into blacklisted and disabled configurations 2024-07-12 02:42:37 +10:00
Raja Grewal
fc792ff232
Alphabetically sort existing modprobe 2024-07-12 02:29:36 +10:00
Raja Grewal
fe20f3240e
Refactor existing modprobe for clarity 2024-07-12 02:28:48 +10:00
Raja Grewal
275a4ffc11
Remove redundant disabled modules 2024-07-12 02:27:56 +10:00
Ashlen
e198447866 fix(etc): delete typo in /etc/apparmor.d tunables 
/etc/pam.d was present twice in a row ("/etc/pam.d//etc/pam.d") in this
file: /etc/apparmor.d/tunables/home.d/security-misc.
 2024-06-08 22:17:05 -06:00
Patrick Schleizer
e0cd9579d6
remove duplicate fsckobjects = true from /etc/gitconfig 2024-06-01 13:32:13 -04:00
Patrick Schleizer
4efa293f3b
add /etc/gitconfig by default for better git security 
```
[core]
	symlinks = false

[transfer]
	fsckobjects = true
	fsckobjects = true
[fetch]
	fsckobjects = true
	fsckobjects = true
[receive]
	fsckobjects = true
	fsckobjects = true
```

+ additional suggestions as comments

fixes https://github.com/Kicksecure/security-misc/issues/225
 2024-05-28 07:51:06 -04:00
Raja Grewal
1bb843ec38
Update Copyright (C) to 2024 2024-05-11 13:18:36 +10:00
Patrick Schleizer
0f1119f326
Merge pull request #221 from raja-grewal/firewire 
Disable Firewire Module
 2024-05-10 06:45:57 -04:00
Patrick Schleizer
547757f451
Merge pull request #220 from raja-grewal/block_gps 
Block Several GPS-related Modules
 2024-05-10 06:45:34 -04:00
raja-grewal
677f75ae8e
Disable firewire-net module 2024-05-09 02:34:02 +00:00
raja-grewal
06f13bb766
Disable GPS modules like GNSS 2024-05-09 02:28:53 +00:00
raja-grewal
4694268b8f
Remove a word 2024-05-05 12:52:51 +00:00
raja-grewal
8f7768ce96
Add vendor links 2024-05-05 12:50:39 +00:00
raja-grewal
0c031a29d3
RFDS mitigation on Intel Atom CPUs (including E-cores) 2024-05-01 13:55:09 +10:00
raja-grewal
1122b3402c
GDS mitigation for CPUs 2024-05-01 13:50:42 +10:00
raja-grewal
c002bd62e8
Clarify use of mitigations=auto 2024-05-01 13:49:34 +10:00
raja-grewal
d89d7e8ef8
Add reference for RETBleed 2024-05-01 13:49:00 +10:00
raja-grewal
015dcc4212
Add reference for SSB 2024-05-01 13:48:13 +10:00
raja-grewal
de4f4be947
Merge spectre mitigations 2024-05-01 13:47:40 +10:00
raja-grewal
965c8641fd
Update BHI mitigation reference 2024-05-01 13:47:02 +10:00
raja-grewal
493576836c
BHI mitigation on Intel CPUs 2024-04-12 00:17:06 +10:00
Patrick Schleizer
7dba3fb7be
no longer disable MSR by default 
fixes https://github.com/Kicksecure/security-misc/issues/215
 2024-04-01 02:56:27 -04:00
Patrick Schleizer
6b76373395
fix panic-on-oops started every 10s in Qubes-Whonix 
by changing from a /etc/profile.d etc. related mechanism to start to a systemd unit file based approach

Thanks to @marmarek for the bug report!

https://forums.whonix.org/t/panic-on-oops-started-every-10s/19450
 2024-03-04 06:44:26 -05:00
Patrick Schleizer
af6c6971a7
comment 2024-03-04 06:33:51 -05:00
Patrick Schleizer
e013070e0b
newline 2024-03-04 06:33:21 -05:00
Daniel Winzen
ef44ecea44
Add option to disabe /sys hardening 2024-02-22 17:27:46 +01:00
raja-grewal
b16c99ab62
Remove hardcoded spec_rstack_overflow setting 2024-01-29 13:39:40 +00:00
raja-grewal
139b10a9aa
Control RAS overflow mitigation on AMD Zen CPUs 2024-01-29 12:59:13 +00:00
raja-grewal
6c54e35027
Enable mitigations for RETBleed vulnerability and disable SMT 2024-01-29 12:58:51 +00:00
raja-grewal
4509a5fc95
Enable known mitigations for CPU vulnerabilities and disable SMT 2024-01-29 12:58:14 +00:00
raja-grewal
4231155efa
Add reference for kernel parameters 2024-01-29 12:57:48 +00:00
Patrick Schleizer
071b984a1e
sort -d 
https://github.com/Kicksecure/security-misc/issues/190
 2024-01-17 13:49:05 -05:00
Patrick Schleizer
011e55e3e5
remove duplicates after usrmerge 
https://github.com/Kicksecure/security-misc/issues/190
 2024-01-17 13:45:17 -05:00
Patrick Schleizer
0efee2f50f
usrmerge 
fixes https://github.com/Kicksecure/security-misc/issues/190
 2024-01-17 13:39:56 -05:00
Patrick Schleizer
4f7973bc56
comment 2024-01-16 08:56:26 -05:00
Ben Grande
abf72c2ee4
Rename file permission hardening script 
Hardener as the script is the agent that is hardening the file
permissions.
 2024-01-02 13:34:29 +01:00
Ben Grande
f138cf0f78
Refactor permission-hardener 
- Organize comments from default configuration;
- Apply and undo changes from a single file controlled by parameters;
- Arrays should be evaluated as arrays and not normal variables;
- Quote variables;
- Brackets around variables;
- Standardize test cases to "test" command;
- Test against empty or non-empty variables with "-z" and "-n";
- Show a usage message when necessary;
- Require root to run the script with informative message;
- Permit the user to see the help message without running as root;
- Do not create root directories without passing root check;
- Use long options for "set" command;
 2024-01-02 12:17:16 +01:00
Patrick Schleizer
f70a034da2
exclude hardened malloc from SUID disabler 
fixes https://github.com/Kicksecure/security-misc/issues/179
 2023-12-22 08:31:58 -05:00
Patrick Schleizer
5a73817a95
move to /usr/lib/issue.d/20_security-misc.issue 
https://github.com/Kicksecure/security-misc/pull/167
 2023-12-04 11:38:49 -05:00
Patrick Schleizer
dfaea492c7
remove etc/issue.net.d/20_security-misc 
since not mentioned on debian.org
 2023-12-04 11:37:02 -05:00
Patrick Schleizer
36850f89fb
Merge pull request #167 from monsieuremre/patch-4 
Non-Identifiable and Generic Issue Banners that include the Recommended Keywords
 2023-12-04 11:27:16 -05:00
Patrick Schleizer
c9ea7a4dca
use amd_iommu=force_isolation instead of amd_iommu=force_enable 
because we set `iommu=force` already anyhow

fixes https://github.com/Kicksecure/security-misc/issues/175
 2023-12-04 11:02:55 -05:00
monsieuremre
f2ad8383cf
fix 2023-12-03 19:51:38 +00:00
monsieuremre
dd15823a97
undo superfluousness 2023-12-03 19:50:07 +00:00
monsieuremre
83e13bb62d
Update 40_enable_iommu.cfg 2023-12-03 19:42:34 +00:00
monsieuremre
0d7af9707f
Update 20_security-misc 2023-12-03 19:31:12 +00:00
monsieuremre
04d27a10b0
Update 20_security-misc 2023-12-03 19:30:55 +00:00
monsieuremre
c8b9f5a917
net 2023-11-18 10:03:19 +00:00
monsieuremre
3b614f3753
20_security-misc 2023-11-18 10:02:16 +00:00
Patrick Schleizer
5bb357cac0
spice-client-glib-usb-acl-helper matchwhitelist 2023-11-06 16:55:00 -05:00
Patrick Schleizer
7309445ee5
comment 2023-11-06 16:52:27 -05:00
Patrick Schleizer
f09d97fc9e
whitelist VirtualBox 2023-11-06 16:50:19 -05:00
Patrick Schleizer
64c8c7a8d5
whitelist SSH 2023-11-06 16:47:31 -05:00
Patrick Schleizer
9682b51d54
whitelist virtualbox 2023-11-06 16:44:36 -05:00
Patrick Schleizer
a40b9bc095
comments 2023-11-06 16:40:22 -05:00
Patrick Schleizer
2c1a3da433
VirtualBoxVM matchwhitelist 2023-11-06 16:38:50 -05:00
Patrick Schleizer
4e96ffaabb
chrome-sandbox matchwhitelist 2023-11-06 16:37:19 -05:00
Patrick Schleizer
51decff2fd
exclude qfile-unpacker from permission hardener 2023-11-05 16:03:36 -05:00
Patrick Schleizer
1900c1ab07
pam exclude from permission-hardener 2023-11-05 15:57:49 -05:00
Patrick Schleizer
5a75bcfb19
Merge pull request #145 from monsieuremre/wifi-and-bluetooth 
Wifi and Bluetooth Patch | Security and Privacy
 2023-11-05 14:49:00 -05:00
Patrick Schleizer
4946f85d43
Merge pull request #146 from monsieuremre/thunderbird 
Thunderbird Hardening
 2023-11-05 14:37:47 -05:00
Patrick Schleizer
97054b2b10
revert enabling kernel module signature enforcement 
due to issues

https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/63

https://github.com/dell/dkms/issues/359
 2023-11-03 15:55:17 -04:00
Patrick Schleizer
0242c04dc2
port to DKMS drop-in folder 
undisplace /etc/dkms/framework.conf.security-misc
moved to /etc/dkms/framework.conf.d/30_security-misc.conf
 2023-11-03 14:51:14 -04:00
Patrick Schleizer
d1b5a3ffd5
/usr/sbin/pam-tmpdir-helper exactwhitelist 
https://github.com/Kicksecure/security-misc/pull/147
 2023-11-03 12:55:34 -04:00
Patrick Schleizer
b6d53f698d
Revert "allow loading unsigned modules due to issues" 
This reverts commit 661bcd8603.
 2023-11-03 12:17:00 -04:00
monsieuremre
1abac794b5
very secure and private defaults 2023-11-02 09:15:20 +00:00
monsieuremre
5a583ca48c
typo in file name 2023-11-02 08:30:26 +00:00
monsieuremre
229032d691
Rename etc/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf to usr/lib/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf 2023-11-01 17:54:05 +00:00
monsieuremre
1049298e7b
Update and rename etc/NetworkManager/conf.d/99_randomize-mac.conf to usr/lib/NetworkManager/conf.d/99_randomize-mac.conf 2023-11-01 17:52:40 +00:00
monsieuremre
76e684cc0a
Update and rename etc/NetworkManager/conf.d/99_ipv6-privacy.conf to usr/lib/NetworkManager/conf.d/99_ipv6-privacy.conf 2023-11-01 17:51:27 +00:00
monsieuremre
fc8e201e84
rename 2023-10-27 14:49:24 +00:00
monsieuremre
13b4ddbb62
30_security-misc.conf 2023-10-27 14:34:21 +00:00
monsieuremre
b298d152fc
30_security-misc.conf 2023-10-27 14:32:08 +00:00
monsieuremre
3d4b04fddc
99_ipv6-privacy.conf 2023-10-27 12:35:39 +00:00
monsieuremre
e90f62eaab
99_randomize_mac.conf 2023-10-27 12:34:15 +00:00
monsieuremre
604d839537
99_ipv6-privacy-extensions.conf 2023-10-27 12:30:26 +00:00
monsieuremre
f2c23a2831
ssh config 2023-10-27 10:53:45 +00:00
Patrick Schleizer
7cff267002
remove duplicates 2023-10-26 19:31:14 -04:00
monsieuremre
99355c6169
new lines 30_default.conf 2023-10-26 17:45:28 +00:00
Patrick Schleizer
b7c52800f4
renamed: etc/sysctl.d/30_security-misc.conf -> usr/lib/sysctl.d/30_security-misc.conf 
renamed:    etc/sysctl.d/30_security-misc_kexec-disable.conf -> usr/lib/sysctl.d/30_security-misc_kexec-disable.conf
renamed:    etc/sysctl.d/30_silent-kernel-printk.conf -> usr/lib/sysctl.d/30_silent-kernel-printk.conf
 2023-10-25 17:28:43 -04:00
Patrick Schleizer
f6d1346e2b
fix 2023-10-22 16:22:08 -04:00
Patrick Schleizer
11382881b5
comments 2023-10-22 16:12:26 -04:00
Patrick Schleizer
4288e10554
fix, rework remount-secure kernel parameters parsing 2023-10-22 13:25:31 -04:00
Patrick Schleizer
c409e3221e
implement remount-secure 2023-10-22 09:36:03 -04:00
Patrick Schleizer
ae2c1c5a7a
fix xession environment variable 2023-10-21 14:18:50 -04:00
Patrick Schleizer
d543825d85
comments 2023-10-21 12:24:59 -04:00
Patrick Schleizer
645ee814e4
fix 2023-10-13 15:22:48 -04:00
Patrick Schleizer
2d45241084
avoid duplicate environment variables 2023-10-12 11:37:01 -04:00
Patrick Schleizer
fa820e8978
refactoring environment variables loading mechanism 2023-10-12 10:40:27 -04:00
Patrick Schleizer
8a6baea990
comment 2023-06-22 16:16:15 +00:00
Raja Grewal
cf003dfad8
Update comments 2023-05-16 02:11:44 +10:00
Jeremy Rand
61f63255ac
vm.mmap_rnd_bits: Fix ppc64le 
Probably fixes a bunch of other non-x86_64 arches too.
 2023-04-24 23:07:39 +00:00
Patrick Schleizer
5c6db28881
Merge pull request #122 from raja-grewal/tcp 
Remove outdated comment about SACK, DSACK, and FACK
 2023-03-31 04:52:55 -04:00
Raja Grewal
ed5f8be9eb
Remove outdated comment about SACK, DSACK, and FACK 2023-03-30 19:17:43 +11:00
Raja Grewal
7a4212dd76
Update copyright 2023-03-30 17:08:47 +11:00