Raja Grewal
d67845fea8
Typo
2022-12-13 16:11:24 +11:00
Patrick Schleizer
6d7a782624
fix
2022-11-24 07:21:46 -05:00
Raja Grewal
6f695902fb
Add comment about legacy Apple fiesystems
2022-11-23 23:53:40 +11:00
Patrick Schleizer
e5255a630a
pam-info: support non-root environments (such as during graphical display manager login and xscreensaver)
2022-11-22 05:57:30 -05:00
Raja Grewal
daa30d4e78
Include several framebuffer drivers into blacklist
...
These were previously commented out to test for compatibility issues.
2022-11-09 20:43:59 +11:00
Raja Grewal
92669dba18
Comment out machine check exception
2022-08-21 23:02:44 +10:00
Patrick Schleizer
0c5b1e9f57
undo "force kernel to panic on "oopses"
...
because implemented differently already
https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713
2022-07-23 07:49:56 -04:00
Raja Grewal
ca764d8de0
force kernel to panic on "oopses"
2022-07-20 04:06:35 +10:00
Raja Grewal
1660aaa6dd
update details around disabling SMT
2022-07-19 03:38:41 +10:00
Raja Grewal
bfd78a2c06
update SRBDS mitigation
2022-07-19 03:16:08 +10:00
Raja Grewal
c3ebb9160f
CPU mitigation - MMIO Stale Data
2022-07-19 02:33:16 +10:00
Raja Grewal
59e90ff122
CPU mitigation - L1D FLushing
2022-07-19 02:32:41 +10:00
Raja Grewal
8531fbf99d
CPU mitigation - SRBDS
2022-07-19 02:30:49 +10:00
Raja Grewal
73f1e23332
shuffle and rewording
2022-07-19 02:29:46 +10:00
Raja Grewal
39314b2912
Merge branch 'harden' of https://github.com/raja-grewal/security-misc into harden
2022-07-19 00:49:08 +10:00
Raja Grewal
bb831d57bc
delete repeated commands
2022-07-19 00:38:32 +10:00
Raja Grewal
c77a2a78bc
enforce default net.ipv6.icmp_ignore_bogus_error_responses
2022-07-19 00:37:31 +10:00
Raja Grewal
c4a1094760
Merge branch 'Kicksecure:master' into harden
2022-07-18 13:36:23 +00:00
Raja Grewal
a72bbb1883
Corrected kerenl module disabling
2022-07-13 23:42:13 +10:00
Raja Grewal
4e93b4d37e
Revert "enforce defualt net.ipv4.ip_forward"
...
This reverts commit 57b5b2145c
.
2022-07-13 21:10:39 +10:00
Raja Grewal
a47922ad28
enforce of IOMMU TLB invalidation
2022-07-13 04:47:07 +10:00
Raja Grewal
33df16af80
disables random.trust_bootloader
2022-07-13 04:37:03 +10:00
Raja Grewal
d0779a96fc
add reference
2022-07-13 04:36:34 +10:00
Raja Grewal
74858d257b
enable randomize_kstack_offset
2022-07-13 04:34:35 +10:00
Raja Grewal
f572332108
disable slub_debug
2022-07-13 04:32:03 +10:00
Raja Grewal
57b5b2145c
enforce defualt net.ipv4.ip_forward
2022-07-13 04:30:43 +10:00
Raja Grewal
79156262c9
enforce default net.ipv4.icmp_ignore_bogus_error_responses
2022-07-13 04:29:42 +10:00
Raja Grewal
dabcaf22e1
enforce default kernel.randomize_va_space
2022-07-13 04:28:03 +10:00
Raja Grewal
48089e5ba4
More verbose kernel module blocking error logs
2022-07-12 17:02:12 +10:00
Raja Grewal
40ec791774
Updated comments
2022-07-12 16:58:16 +10:00
Raja Grewal
ef1ef9917d
Blacklist automatic loading of CD-ROM modules
2022-07-10 04:53:25 +10:00
Raja Grewal
61ef9bd59f
Incorporated Ubuntu’s kernel module blacklists
2022-07-10 04:52:00 +10:00
Patrick Schleizer
26b2c9727f
not blacklist CD-ROM / DVD yet
...
https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31
2022-07-07 15:39:40 -04:00
Patrick Schleizer
ca19d78d48
shuffle
2022-07-07 15:27:15 -04:00
Raja Grewal
780dc8eec9
replace /bin/false -> /bin/disabled-by-security-misc
2022-07-08 04:11:25 +10:00
Raja Grewal
fa2e30f512
Updated descriptions of disabled modules
2022-07-08 03:04:37 +10:00
Raja Grewal
da389d6682
Revert "replace /bin/false -> /bin/true"
...
This reverts commit f0511635a9
.
2022-07-08 02:12:04 +10:00
raja-grewal
f0511635a9
replace /bin/false -> /bin/true
2022-07-07 09:27:53 +00:00
raja-grewal
18d67dbc53
Blacklist more modules
2022-07-07 09:26:55 +00:00
Patrick Schleizer
1c0e071948
comments
2022-07-05 10:45:55 -04:00
Patrick Schleizer
5d47f5f74c
comments
2022-07-05 10:45:09 -04:00
Patrick Schleizer
435c689cf9
comments
2022-07-05 10:44:28 -04:00
Patrick Schleizer
c20d588d78
comments
2022-07-05 10:42:37 -04:00
Patrick Schleizer
b342ce930e
add /etc/default/grub.d/40_cold_boot_attack_defense.cfg
2022-07-05 10:28:22 -04:00
Patrick Schleizer
67eaf8c916
comments
2022-06-29 11:40:38 -04:00
Patrick Schleizer
72908d6b0d
comments
2022-06-29 11:34:55 -04:00
Patrick Schleizer
55d16e1602
remove unicode
2022-06-08 09:04:03 -04:00
Patrick Schleizer
fcaec49675
Merge remote-tracking branch 'github-kicksecure/master'
2022-06-08 08:20:24 -04:00
Patrick Schleizer
5c43197f10
minor
2022-06-08 08:11:28 -04:00
Kuri Schlarb
6e8f584d88
permission-hardening: Keep pam_unix.so
password checking helper SetGID shadow
2022-06-08 05:29:42 +00:00
Kuri Schlarb
3910e4ee15
permission-hardening: Keep passwd
executable but non-SetUID
2022-06-07 08:11:51 +00:00
Patrick Schleizer
2d37e3a1af
copyright
2022-05-20 14:46:38 -04:00
Patrick Schleizer
bb0307290b
update link
2022-04-16 14:18:35 -04:00
Patrick Schleizer
c72567dbd2
fix
2021-09-14 14:18:44 -04:00
Patrick Schleizer
d62bbaab82
fix, unduplicate kernel command line
2021-09-12 11:40:58 -04:00
Patrick Schleizer
bd31b4085c
remove Debian buster support in /etc/default/grub.d
2021-09-09 12:16:18 -04:00
Patrick Schleizer
ac0c492663
do not set kernel parameter quiet loglevel=0
for recovery boot option
...
for easier debugging
2021-09-06 08:22:55 -04:00
Patrick Schleizer
49902b8c56
move grub quiet to separate config file /etc/default/grub.d/41_quiet.cfg
2021-09-06 08:19:41 -04:00
Patrick Schleizer
f5b0e4b5b8
debugging
2021-09-06 04:55:16 -04:00
Patrick Schleizer
6257bfa926
debugging
2021-09-05 15:54:20 -04:00
Patrick Schleizer
a4e18a2ae8
dracut
reproducible=yes
2021-09-04 18:28:37 -04:00
Patrick Schleizer
db43cedcfd
LANG=C str_replace
2021-08-22 05:23:24 -04:00
Patrick Schleizer
582492d6d8
port from pam_tally2 to pam_faillock
...
since pam_tally2 was deprecated upstream
2021-08-10 17:13:00 -04:00
Patrick Schleizer
50bdd097df
move /usr/lib/security-misc to /usr/libexec/security-misc as per lintian FHS
2021-08-03 12:56:31 -04:00
Patrick Schleizer
0492f28aa1
enable "apt-get --error-on=any
" by default
...
makes apt exit non-zero for transient failures
`/etc/apt/apt.conf.d/40error-on-any`
https://forums.whonix.org/t/debian-bullseye-apt-get-error-on-any/12068
2021-08-03 12:37:39 -04:00
Patrick Schleizer
c94281121e
comment
2021-08-01 16:37:02 -04:00
Patrick Schleizer
eff5af0318
https://forums.whonix.org/t/restrict-root-access/7658/116
2021-06-20 10:16:33 -04:00
madaidan
97d8db3f74
Restrict sudo's file permissions
2021-06-05 19:16:42 +00:00
Patrick Schleizer
d87bee37f7
comment
2021-06-01 07:21:18 -04:00
Patrick Schleizer
809930c021
comment
2021-06-01 05:36:01 -04:00
Patrick Schleizer
e2afd00627
modify DKMS configuration file /etc/dkms/framework.conf
...
Lower parallel compilation jobs to 1 if less than 2 GB RAM to avoid freezing of virtual machines.
`parallel_jobs=1`
This does not necessarily belong into security-misc, however likely
security-misc will need to modify `/etc/dkms/framework.conf` in the future to
enable kernel module signing.
https://forums.whonix.org/t/linux-kernel-runtime-guard-lkrg-linux-kernel-runtime-integrity-checking-and-exploit-detection/8477/26
https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/58
2021-04-29 11:14:30 -04:00
Patrick Schleizer
3ba3b37187
add /etc/dkms/framework.conf.security-misc
...
original, from
- https://github.com/dell/dkms/blob/master/dkms_framework.conf
- https://raw.githubusercontent.com/dell/dkms/master/dkms_framework.conf
https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/58
2021-04-29 11:08:30 -04:00
Patrick Schleizer
a67007f4b7
copyright
2021-03-17 09:45:21 -04:00
Patrick Schleizer
a1819e8cab
comment
2021-03-01 09:15:44 -05:00
Kenton Groombridge
4db7d6be64
hide-hardware-info: allow unrestricting selinuxfs
...
On SELinux systems, the /sys/fs/selinux directory must be visible to
userspace utilities in order to function properly.
2021-02-06 03:02:08 -05:00
Patrick Schleizer
a258f35f38
comment
2021-01-05 02:11:08 -05:00
Patrick Schleizer
b2b614ed2a
cover more folders in /usr/local
2020-12-06 04:15:52 -05:00
Patrick Schleizer
5bd267d774
refactoring
2020-12-06 04:10:50 -05:00
Patrick Schleizer
11cdce02a0
refactoring
2020-12-06 04:10:10 -05:00
Patrick Schleizer
f73c55f16c
/opt
...
https://forums.whonix.org/t/suid-disabler-and-permission-hardener/7706/68
2020-12-06 04:08:58 -05:00
Patrick Schleizer
c031f22995
SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists
...
`whitelists_disable_all=true`
2020-12-01 05:14:48 -05:00
Patrick Schleizer
b09cc0de6a
Revert "SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists"
...
This reverts commit 36a471ebce
.
2020-12-01 05:10:26 -05:00
Patrick Schleizer
704f0500ba
fix, rename 40_default_whitelist_[...].conf to 25_default_whitelist_[...].conf
...
since whitelist needs to be defined before SUID removal commands
2020-12-01 05:03:16 -05:00
Patrick Schleizer
36a471ebce
SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists
...
`whitelists_disable_all=true`
2020-12-01 05:02:34 -05:00
Patrick Schleizer
318ab570aa
simplify disabling of SUID Disabler and Permission Hardener whitelist
...
split `/etc/permission-hardening.d/30_default.conf` into multiple files
`/etc/permission-hardening.d/40_default_whitelist_[...].conf`
therefore make it easier to delete any whitelisted SUID binaries
2020-12-01 04:28:15 -05:00
Patrick Schleizer
cf07e977bd
add /bin/pkexec exactwhitelist
for consistency
...
since there is already `/usr/bin/pkexec exactwhitelist`
2020-11-29 09:09:42 -05:00
Patrick Schleizer
bb72c1278d
copyright
2020-11-05 06:36:39 -05:00
Patrick Schleizer
c1e0bb8310
shebang
2020-10-31 06:11:49 -04:00
Patrick Schleizer
3f656be574
chmod +x /etc/X11/Xsession.d/50panic_on_oops
...
chmod +x /etc/X11/Xsession.d/50security-misc
2020-10-31 05:48:10 -04:00
madaidan
06ffd5d220
Restrict access to debugfs
2020-09-28 19:21:20 +00:00
Patrick Schleizer
da1ac48cde
unblacklist squashfs as this would likely break Whonix-Host ISO
...
https://github.com/Whonix/security-misc/pull/75#issuecomment-700044182
2020-09-28 10:29:50 -04:00
Patrick Schleizer
4070133ed6
unblacklist vfat
...
https://github.com/Whonix/security-misc/pull/75#issuecomment-695201068
2020-09-28 10:25:57 -04:00
Patrick Schleizer
3684ab585e
Merge pull request #75 from flawedworld/patch-1
...
Blacklist more modules (based on OpenSCAP for RHEL 8)
2020-09-28 14:24:15 +00:00
Patrick Schleizer
ae90107e6d
Merge pull request #76 from flawedworld/patch-2
...
Add IPv6 sysctl options and enforce kernel.perf_event_paranoid=3
2020-09-28 14:23:42 +00:00
flawedworld
a813e7da07
Blacklist more modules
2020-09-19 20:46:19 +01:00
Patrick Schleizer
9239c8b807
Merge pull request #71 from onions-knight/patch-1
...
Update thunar.xml
2020-09-19 10:54:21 +00:00
flawedworld
8f7727e823
Add some IPv6 options
2020-09-18 23:36:30 +01:00
flawedworld
944fed3c45
Disallow kernel profiling by users without CAP_SYS_ADMIN
...
It's the default on a lot of stuff, but still nice to have.
2020-09-18 23:29:04 +01:00
Patrick Schleizer
7e267ab498
fix, allow group sudo
and console
to use consoles
...
fix /etc/security/access-security-misc.conf syntax error
Thanks to @81a989 for the bug report!
https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/31
2020-08-03 08:12:19 -04:00
Patrick Schleizer
3cd7b144bb
move "kernel.printk = 3 3 3 3" to separate file /etc/sysctl.d/30_silent-kernel-printk.conf
...
so package debug-misc can easily disable it
https://phabricator.whonix.org/T950
2020-05-14 13:47:58 -04:00