Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2024-10-01 08:25:45 -04:00
Code Issues Packages Projects Releases Wiki Activity
1,209 Commits 2 Branches 291 Tags 8.2 MiB
ddd62c1eef
Commit Graph

53 Commits

Author SHA1 Message Date
flawedworld
8f7727e823
Add some IPv6 options 2020-09-18 23:36:30 +01:00
flawedworld
944fed3c45
Disallow kernel profiling by users without CAP_SYS_ADMIN 
It's the default on a lot of stuff, but still nice to have.
 2020-09-18 23:29:04 +01:00
Patrick Schleizer
3cd7b144bb
move "kernel.printk = 3 3 3 3" to separate file /etc/sysctl.d/30_silent-kernel-printk.conf 
so package debug-misc can easily disable it

https://phabricator.whonix.org/T950
 2020-05-14 13:47:58 -04:00
Patrick Schleizer
8d2e4b68dc
Prevent kernel info leaks in console during boot. 
By setting `kernel.printk = 3 3 3 3`.

https://phabricator.whonix.org/T950

Thanks to @madaidan for the suggestion!
 2020-04-16 08:00:31 -04:00
Patrick Schleizer
565ff136e5
vm.swappiness=1 
import from swappiness-lowest

https://forums.whonix.org/t/vm-swappiness-1-set-swapiness-to-lowest-setting-still-useful-swappiness-lowest/9278
 2020-04-08 21:04:02 +00:00
Patrick Schleizer
2ceea8d1fe
update copyright year 2020-04-01 08:49:59 -04:00
madaidan
4d0de87f79
Disable unprivileged userfaultfd use again 2020-03-08 17:49:49 +00:00
Patrick Schleizer
284a491100
disable vm.unprivileged_userfaultfd=0 for now 
because broken

https://forums.whonix.org/t/kernel-hardening/7296/406

reverts "Restrict the userfaultfd() syscall to root as it can make heap sprays easier."

https://duasynt.com/blog/linux-kernel-heap-spray
 2020-03-08 08:07:10 -04:00
madaidan
6b64b36b01
Restrict the userfaultfd() syscall to root 2020-02-24 18:23:15 +00:00
madaidan
a79ce7fa68
Document ldisc_autoload better 2020-02-15 17:30:21 +00:00
Patrick Schleizer
1e5946c795
Merge branch 'master' into sysrq 2020-02-15 10:41:52 +00:00
madaidan
d251c43344
Restrict the SysRq key 2020-02-14 18:17:20 +00:00
madaidan
0ea7dd161b
Restrict loading line disciplines to CAP_SYS_MODULE 2020-02-14 17:50:19 +00:00
madaidan
5cb21d0d4d
Prevent symlink/hardlink TOCTOU races 2020-02-12 18:03:23 +00:00
Patrick Schleizer
6a4c493213
merge the many sysctl config files into 1 
and use a name starting with double digits

to make it easier to disable settings using a lexically higher config file
 2020-01-24 04:26:36 -05:00
Patrick Schleizer
8cf5ed990a
comment 2019-12-05 15:52:24 -05:00
madaidan
30289c68c2
Enable reverse path filtering 2019-12-05 20:13:10 +00:00
madaidan
4f5b7816ec
Elaborate 2019-10-16 19:01:49 +00:00
madaidan
99a762d3dc
KASLR is different from ASLR 2019-10-16 18:53:04 +00:00
Patrick Schleizer
c22738be02
comments 2019-10-07 08:25:45 +00:00
Patrick Schleizer
75f36bc2c9
comments 2019-10-07 08:25:07 +00:00
Patrick Schleizer
e92a8a6966
comments 2019-10-07 08:24:02 +00:00
Patrick Schleizer
60c044a9d6
copyright / comments 2019-10-07 05:30:56 +00:00
Patrick Schleizer
cd2135ff82
comments 2019-10-06 10:18:24 +00:00
Patrick Schleizer
8b4f2befd4
comment out sack by default 
https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109/8?u=patrick
 2019-10-05 13:15:34 +00:00
Patrick Schleizer
02096f8d7c
Revert "undo Disabling TCP SACK, DSACK, FACK" 
This reverts commit 5fb4eb8e56.
 2019-10-05 13:13:46 +00:00
Patrick Schleizer
5fb4eb8e56
undo Disabling TCP SACK, DSACK, FACK 
https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109/5
 2019-10-05 07:00:47 -04:00
madaidan
d0c6bb1e90
Disable TCP DSACK and FACK 2019-10-04 17:35:54 +00:00
Patrick Schleizer
f13a73e569
undo SysRq restrictions 
https://forums.whonix.org/t/sysrq-magic-sysrq-key/8079
 2019-09-10 12:35:42 -04:00
Patrick Schleizer
ccdbc52b82
comment 2019-09-06 11:43:55 +00:00
Patrick Schleizer
051856bc8e
remove trailing space 2019-09-06 11:42:38 +00:00
madaidan
1bf802f846
Create coredumps.conf 2019-06-30 00:16:50 +00:00
madaidan
f040081a59
Prevent setuid processes from creating coredumps. 2019-06-30 00:13:52 +00:00
Patrick Schleizer
ab312235ba
Merge pull request #14 from madaidan/patch-10 
Add some hardening for other distributions
 2019-06-28 06:59:16 +00:00
Patrick Schleizer
5e02100e34
Merge pull request #13 from madaidan/patch-9 
Remove System.map and restrict the SysRq key.
 2019-06-28 06:58:32 +00:00
madaidan
3801a53a9e
Update tcp_hardening.conf 2019-06-27 18:17:58 +00:00
madaidan
c54125270b
Create dmesg_restrict.conf 2019-06-27 18:15:57 +00:00
madaidan
01c839c815
Restrict what the SysRq key can do 2019-06-25 19:16:43 +00:00
madaidan
807ac7d659
Create tcp_sack.conf 2019-06-22 16:08:30 +00:00
madaidan
b814f338b8
Update tcp_hardening.conf 2019-05-16 16:33:03 +00:00
madaidan
e6794721bd
Update ptrace_scope.conf 2019-05-16 16:29:20 +00:00
madaidan
a4852ad6c8
Create fs_protected.conf 2019-05-06 20:37:53 +00:00
madaidan
0296e51e06
Create ptrace_scope.conf 2019-05-06 15:46:37 +00:00
madaidan
2923fc96ef
Create tcp_hardening.conf 2019-05-06 15:45:53 +00:00
madaidan
4216299ee8
Create kexec.conf 2019-05-06 15:42:55 +00:00
Patrick Schleizer
f917c27a19
remove trailing spaces 2019-05-06 05:51:14 -04:00
madaidan
d2ca85c686
Create mmap_aslr.conf 2019-05-05 14:36:30 +00:00
madaidan
197c1120a9
Create harden_bpf.conf 2019-05-05 14:35:42 +00:00
madaidan
351db0ef7f
Create kptr_restrict.conf 2019-05-05 14:34:41 +00:00
Patrick Schleizer
6cda8b1496
disable conntrack helper for better security 
https://phabricator.whonix.org/T486
 2016-10-10 16:10:30 +00:00