Raja Grewal
f572332108
disable slub_debug
2022-07-13 04:32:03 +10:00
Raja Grewal
57b5b2145c
enforce default net.ipv4.ip_forward
2022-07-13 04:30:43 +10:00
Raja Grewal
79156262c9
enforce default net.ipv4.icmp_ignore_bogus_error_responses
2022-07-13 04:29:42 +10:00
Raja Grewal
dabcaf22e1
enforce default kernel.randomize_va_space
2022-07-13 04:28:03 +10:00
Patrick Schleizer
1c0e071948
comments
2022-07-05 10:45:55 -04:00
Patrick Schleizer
5d47f5f74c
comments
2022-07-05 10:45:09 -04:00
Patrick Schleizer
435c689cf9
comments
2022-07-05 10:44:28 -04:00
Patrick Schleizer
c20d588d78
comments
2022-07-05 10:42:37 -04:00
Patrick Schleizer
b342ce930e
add /etc/default/grub.d/40_cold_boot_attack_defense.cfg
2022-07-05 10:28:22 -04:00
Patrick Schleizer
67eaf8c916
comments
2022-06-29 11:40:38 -04:00
Patrick Schleizer
72908d6b0d
comments
2022-06-29 11:34:55 -04:00
Patrick Schleizer
55d16e1602
remove unicode
2022-06-08 09:04:03 -04:00
Patrick Schleizer
fcaec49675
Merge remote-tracking branch 'github-kicksecure/master'
2022-06-08 08:20:24 -04:00
Patrick Schleizer
5c43197f10
minor
2022-06-08 08:11:28 -04:00
Kuri Schlarb
6e8f584d88
permission-hardening: Keep pam_unix.so password checking helper SetGID shadow
2022-06-08 05:29:42 +00:00
Kuri Schlarb
3910e4ee15
permission-hardening: Keep passwd executable but non-SetUID
2022-06-07 08:11:51 +00:00
Patrick Schleizer
2d37e3a1af
copyright
2022-05-20 14:46:38 -04:00
Patrick Schleizer
bb0307290b
update link
2022-04-16 14:18:35 -04:00
Patrick Schleizer
c72567dbd2
fix
2021-09-14 14:18:44 -04:00
Patrick Schleizer
d62bbaab82
fix, unduplicate kernel command line
2021-09-12 11:40:58 -04:00
Patrick Schleizer
bd31b4085c
remove Debian buster support in /etc/default/grub.d
2021-09-09 12:16:18 -04:00
Patrick Schleizer
ac0c492663
do not set kernel parameter quiet loglevel=0 for recovery boot option
...
for easier debugging
2021-09-06 08:22:55 -04:00
Patrick Schleizer
49902b8c56
move grub quiet to separate config file /etc/default/grub.d/41_quiet.cfg
2021-09-06 08:19:41 -04:00
Patrick Schleizer
f5b0e4b5b8
debugging
2021-09-06 04:55:16 -04:00
Patrick Schleizer
6257bfa926
debugging
2021-09-05 15:54:20 -04:00
Patrick Schleizer
a4e18a2ae8
dracut reproducible=yes
2021-09-04 18:28:37 -04:00
Patrick Schleizer
db43cedcfd
LANG=C str_replace
2021-08-22 05:23:24 -04:00
Patrick Schleizer
582492d6d8
port from pam_tally2 to pam_faillock
...
since pam_tally2 was deprecated upstream
2021-08-10 17:13:00 -04:00
Patrick Schleizer
50bdd097df
move /usr/lib/security-misc to /usr/libexec/security-misc as per lintian FHS
2021-08-03 12:56:31 -04:00
Patrick Schleizer
0492f28aa1
enable "apt-get --error-on=any" by default
...
makes apt exit non-zero for transient failures
`/etc/apt/apt.conf.d/40error-on-any`
https://forums.whonix.org/t/debian-bullseye-apt-get-error-on-any/12068
2021-08-03 12:37:39 -04:00
Patrick Schleizer
c94281121e
comment
2021-08-01 16:37:02 -04:00
Patrick Schleizer
eff5af0318
https://forums.whonix.org/t/restrict-root-access/7658/116
2021-06-20 10:16:33 -04:00
madaidan
97d8db3f74
Restrict sudo's file permissions
2021-06-05 19:16:42 +00:00
Patrick Schleizer
d87bee37f7
comment
2021-06-01 07:21:18 -04:00
Patrick Schleizer
809930c021
comment
2021-06-01 05:36:01 -04:00
Patrick Schleizer
e2afd00627
modify DKMS configuration file /etc/dkms/framework.conf
...
Lower parallel compilation jobs to 1 if less than 2 GB RAM to avoid freezing of virtual machines.
`parallel_jobs=1`
This does not necessarily belong in security-misc, however likely
security-misc will need to modify `/etc/dkms/framework.conf` in the future to
enable kernel module signing.
https://forums.whonix.org/t/linux-kernel-runtime-guard-lkrg-linux-kernel-runtime-integrity-checking-and-exploit-detection/8477/26
https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/58
2021-04-29 11:14:30 -04:00
Patrick Schleizer
3ba3b37187
add /etc/dkms/framework.conf.security-misc
...
original, from
- https://github.com/dell/dkms/blob/master/dkms_framework.conf
- https://raw.githubusercontent.com/dell/dkms/master/dkms_framework.conf
https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/58
2021-04-29 11:08:30 -04:00
Patrick Schleizer
a67007f4b7
copyright
2021-03-17 09:45:21 -04:00
Patrick Schleizer
a1819e8cab
comment
2021-03-01 09:15:44 -05:00
Kenton Groombridge
4db7d6be64
hide-hardware-info: allow unrestricting selinuxfs
...
On SELinux systems, the /sys/fs/selinux directory must be visible to
userspace utilities in order to function properly.
2021-02-06 03:02:08 -05:00
Patrick Schleizer
a258f35f38
comment
2021-01-05 02:11:08 -05:00
Patrick Schleizer
b2b614ed2a
cover more folders in /usr/local
2020-12-06 04:15:52 -05:00
Patrick Schleizer
5bd267d774
refactoring
2020-12-06 04:10:50 -05:00
Patrick Schleizer
11cdce02a0
refactoring
2020-12-06 04:10:10 -05:00
Patrick Schleizer
f73c55f16c
/opt
...
https://forums.whonix.org/t/suid-disabler-and-permission-hardener/7706/68
2020-12-06 04:08:58 -05:00
Patrick Schleizer
c031f22995
SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists
...
`whitelists_disable_all=true`
2020-12-01 05:14:48 -05:00
Patrick Schleizer
b09cc0de6a
Revert "SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists"
...
This reverts commit 36a471ebce.
2020-12-01 05:10:26 -05:00
Patrick Schleizer
704f0500ba
fix, rename 40_default_whitelist_[...].conf to 25_default_whitelist_[...].conf
...
since whitelist needs to be defined before SUID removal commands
2020-12-01 05:03:16 -05:00
Patrick Schleizer
36a471ebce
SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists
...
`whitelists_disable_all=true`
2020-12-01 05:02:34 -05:00
Patrick Schleizer
318ab570aa
simplify disabling of SUID Disabler and Permission Hardener whitelist
...
split `/etc/permission-hardening.d/30_default.conf` into multiple files
`/etc/permission-hardening.d/40_default_whitelist_[...].conf`
therefore make it easier to delete any whitelisted SUID binaries
2020-12-01 04:28:15 -05:00