Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-01-07 15:07:53 -05:00
Code Issues Packages Projects Releases Wiki Activity
2,170 Commits 2 Branches 291 Tags 8.2 MiB
fd41acdc72
Commit Graph

475 Commits

Author SHA1 Message Date
raja-grewal
8f7768ce96
Add vendor links 2024-05-05 12:50:39 +00:00
raja-grewal
0c031a29d3
RFDS mitigation on Intel Atom CPUs (including E-cores) 2024-05-01 13:55:09 +10:00
raja-grewal
1122b3402c
GDS mitigation for CPUs 2024-05-01 13:50:42 +10:00
raja-grewal
c002bd62e8
Clarify use of mitigations=auto 2024-05-01 13:49:34 +10:00
raja-grewal
d89d7e8ef8
Add reference for RETBleed 2024-05-01 13:49:00 +10:00
raja-grewal
015dcc4212
Add reference for SSB 2024-05-01 13:48:13 +10:00
raja-grewal
de4f4be947
Merge spectre mitigations 2024-05-01 13:47:40 +10:00
raja-grewal
965c8641fd
Update BHI mitigation reference 2024-05-01 13:47:02 +10:00
raja-grewal
493576836c
BHI mitigation on Intel CPUs 2024-04-12 00:17:06 +10:00
Patrick Schleizer
7dba3fb7be
no longer disable MSR by default 
fixes https://github.com/Kicksecure/security-misc/issues/215
 2024-04-01 02:56:27 -04:00
Patrick Schleizer
6b76373395
fix panic-on-oops started every 10s in Qubes-Whonix 
by changing from a /etc/profile.d etc. related mechanism to start to a systemd unit file based approach

Thanks to @marmarek for the bug report!

https://forums.whonix.org/t/panic-on-oops-started-every-10s/19450
 2024-03-04 06:44:26 -05:00
Patrick Schleizer
af6c6971a7
comment 2024-03-04 06:33:51 -05:00
Patrick Schleizer
e013070e0b
newline 2024-03-04 06:33:21 -05:00
Daniel Winzen
ef44ecea44
Add option to disabe /sys hardening 2024-02-22 17:27:46 +01:00
raja-grewal
b16c99ab62
Remove hardcoded spec_rstack_overflow setting 2024-01-29 13:39:40 +00:00
raja-grewal
139b10a9aa
Control RAS overflow mitigation on AMD Zen CPUs 2024-01-29 12:59:13 +00:00
raja-grewal
6c54e35027
Enable mitigations for RETBleed vulnerability and disable SMT 2024-01-29 12:58:51 +00:00
raja-grewal
4509a5fc95
Enable known mitigations for CPU vulnerabilities and disable SMT 2024-01-29 12:58:14 +00:00
raja-grewal
4231155efa
Add reference for kernel parameters 2024-01-29 12:57:48 +00:00
Patrick Schleizer
071b984a1e
sort -d 
https://github.com/Kicksecure/security-misc/issues/190
 2024-01-17 13:49:05 -05:00
Patrick Schleizer
011e55e3e5
remove duplicates after usrmerge 
https://github.com/Kicksecure/security-misc/issues/190
 2024-01-17 13:45:17 -05:00
Patrick Schleizer
0efee2f50f
usrmerge 
fixes https://github.com/Kicksecure/security-misc/issues/190
 2024-01-17 13:39:56 -05:00
Patrick Schleizer
4f7973bc56
comment 2024-01-16 08:56:26 -05:00
Ben Grande
abf72c2ee4
Rename file permission hardening script 
Hardener as the script is the agent that is hardening the file
permissions.
 2024-01-02 13:34:29 +01:00
Ben Grande
f138cf0f78
Refactor permission-hardener 
- Organize comments from default configuration;
- Apply and undo changes from a single file controlled by parameters;
- Arrays should be evaluated as arrays and not normal variables;
- Quote variables;
- Brackets around variables;
- Standardize test cases to "test" command;
- Test against empty or non-empty variables with "-z" and "-n";
- Show a usage message when necessary;
- Require root to run the script with informative message;
- Permit the user to see the help message without running as root;
- Do not create root directories without passing root check;
- Use long options for "set" command;
 2024-01-02 12:17:16 +01:00
Patrick Schleizer
f70a034da2
exclude hardened malloc from SUID disabler 
fixes https://github.com/Kicksecure/security-misc/issues/179
 2023-12-22 08:31:58 -05:00
Patrick Schleizer
5a73817a95
move to /usr/lib/issue.d/20_security-misc.issue 
https://github.com/Kicksecure/security-misc/pull/167
 2023-12-04 11:38:49 -05:00
Patrick Schleizer
dfaea492c7
remove etc/issue.net.d/20_security-misc 
since not mentioned on debian.org
 2023-12-04 11:37:02 -05:00
Patrick Schleizer
36850f89fb
Merge pull request #167 from monsieuremre/patch-4 
Non-Identifiable and Generic Issue Banners that include the Recommended Keywords
 2023-12-04 11:27:16 -05:00
Patrick Schleizer
c9ea7a4dca
use amd_iommu=force_isolation instead of amd_iommu=force_enable 
because we set `iommu=force` already anyhow

fixes https://github.com/Kicksecure/security-misc/issues/175
 2023-12-04 11:02:55 -05:00
monsieuremre
f2ad8383cf
fix 2023-12-03 19:51:38 +00:00
monsieuremre
dd15823a97
undo superfluousness 2023-12-03 19:50:07 +00:00
monsieuremre
83e13bb62d
Update 40_enable_iommu.cfg 2023-12-03 19:42:34 +00:00
monsieuremre
0d7af9707f
Update 20_security-misc 2023-12-03 19:31:12 +00:00
monsieuremre
04d27a10b0
Update 20_security-misc 2023-12-03 19:30:55 +00:00
monsieuremre
c8b9f5a917
net 2023-11-18 10:03:19 +00:00
monsieuremre
3b614f3753
20_security-misc 2023-11-18 10:02:16 +00:00
Patrick Schleizer
5bb357cac0
spice-client-glib-usb-acl-helper matchwhitelist 2023-11-06 16:55:00 -05:00
Patrick Schleizer
7309445ee5
comment 2023-11-06 16:52:27 -05:00
Patrick Schleizer
f09d97fc9e
whitelist VirtualBox 2023-11-06 16:50:19 -05:00
Patrick Schleizer
64c8c7a8d5
whitelist SSH 2023-11-06 16:47:31 -05:00
Patrick Schleizer
9682b51d54
whitelist virtualbox 2023-11-06 16:44:36 -05:00
Patrick Schleizer
a40b9bc095
comments 2023-11-06 16:40:22 -05:00
Patrick Schleizer
2c1a3da433
VirtualBoxVM matchwhitelist 2023-11-06 16:38:50 -05:00
Patrick Schleizer
4e96ffaabb
chrome-sandbox matchwhitelist 2023-11-06 16:37:19 -05:00
Patrick Schleizer
51decff2fd
exclude qfile-unpacker from permission hardener 2023-11-05 16:03:36 -05:00
Patrick Schleizer
1900c1ab07
pam exclude from permission-hardener 2023-11-05 15:57:49 -05:00
Patrick Schleizer
5a75bcfb19
Merge pull request #145 from monsieuremre/wifi-and-bluetooth 
Wifi and Bluetooth Patch | Security and Privacy
 2023-11-05 14:49:00 -05:00
Patrick Schleizer
4946f85d43
Merge pull request #146 from monsieuremre/thunderbird 
Thunderbird Hardening
 2023-11-05 14:37:47 -05:00
Patrick Schleizer
97054b2b10
revert enabling kernel module signature enforcement 
due to issues

https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/63

https://github.com/dell/dkms/issues/359
 2023-11-03 15:55:17 -04:00
Patrick Schleizer
0242c04dc2
port to DKMS drop-in folder 
undisplace /etc/dkms/framework.conf.security-misc
moved to /etc/dkms/framework.conf.d/30_security-misc.conf
 2023-11-03 14:51:14 -04:00
Patrick Schleizer
d1b5a3ffd5
/usr/sbin/pam-tmpdir-helper exactwhitelist 
https://github.com/Kicksecure/security-misc/pull/147
 2023-11-03 12:55:34 -04:00
Patrick Schleizer
b6d53f698d
Revert "allow loading unsigned modules due to issues" 
This reverts commit 661bcd8603.
 2023-11-03 12:17:00 -04:00
monsieuremre
1abac794b5
very secure and private defaults 2023-11-02 09:15:20 +00:00
monsieuremre
5a583ca48c
typo in file name 2023-11-02 08:30:26 +00:00
monsieuremre
229032d691
Rename etc/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf to usr/lib/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf 2023-11-01 17:54:05 +00:00
monsieuremre
1049298e7b
Update and rename etc/NetworkManager/conf.d/99_randomize-mac.conf to usr/lib/NetworkManager/conf.d/99_randomize-mac.conf 2023-11-01 17:52:40 +00:00
monsieuremre
76e684cc0a
Update and rename etc/NetworkManager/conf.d/99_ipv6-privacy.conf to usr/lib/NetworkManager/conf.d/99_ipv6-privacy.conf 2023-11-01 17:51:27 +00:00
monsieuremre
fc8e201e84
rename 2023-10-27 14:49:24 +00:00
monsieuremre
13b4ddbb62
30_security-misc.conf 2023-10-27 14:34:21 +00:00
monsieuremre
b298d152fc
30_security-misc.conf 2023-10-27 14:32:08 +00:00
monsieuremre
3d4b04fddc
99_ipv6-privacy.conf 2023-10-27 12:35:39 +00:00
monsieuremre
e90f62eaab
99_randomize_mac.conf 2023-10-27 12:34:15 +00:00
monsieuremre
604d839537
99_ipv6-privacy-extensions.conf 2023-10-27 12:30:26 +00:00
monsieuremre
f2c23a2831
ssh config 2023-10-27 10:53:45 +00:00
Patrick Schleizer
7cff267002
remove duplicates 2023-10-26 19:31:14 -04:00
monsieuremre
99355c6169
new lines 30_default.conf 2023-10-26 17:45:28 +00:00
Patrick Schleizer
b7c52800f4
renamed: etc/sysctl.d/30_security-misc.conf -> usr/lib/sysctl.d/30_security-misc.conf 
renamed:    etc/sysctl.d/30_security-misc_kexec-disable.conf -> usr/lib/sysctl.d/30_security-misc_kexec-disable.conf
renamed:    etc/sysctl.d/30_silent-kernel-printk.conf -> usr/lib/sysctl.d/30_silent-kernel-printk.conf
 2023-10-25 17:28:43 -04:00
Patrick Schleizer
f6d1346e2b
fix 2023-10-22 16:22:08 -04:00
Patrick Schleizer
11382881b5
comments 2023-10-22 16:12:26 -04:00
Patrick Schleizer
4288e10554
fix, rework remount-secure kernel parameters parsing 2023-10-22 13:25:31 -04:00
Patrick Schleizer
c409e3221e
implement remount-secure 2023-10-22 09:36:03 -04:00
Patrick Schleizer
ae2c1c5a7a
fix xession environment variable 2023-10-21 14:18:50 -04:00
Patrick Schleizer
d543825d85
comments 2023-10-21 12:24:59 -04:00
Patrick Schleizer
645ee814e4
fix 2023-10-13 15:22:48 -04:00
Patrick Schleizer
2d45241084
avoid duplicate environment variables 2023-10-12 11:37:01 -04:00
Patrick Schleizer
fa820e8978
refactoring environment variables loading mechanism 2023-10-12 10:40:27 -04:00
Patrick Schleizer
8a6baea990
comment 2023-06-22 16:16:15 +00:00
Raja Grewal
cf003dfad8
Update comments 2023-05-16 02:11:44 +10:00
Jeremy Rand
61f63255ac
vm.mmap_rnd_bits: Fix ppc64le 
Probably fixes a bunch of other non-x86_64 arches too.
 2023-04-24 23:07:39 +00:00
Patrick Schleizer
5c6db28881
Merge pull request #122 from raja-grewal/tcp 
Remove outdated comment about SACK, DSACK, and FACK
 2023-03-31 04:52:55 -04:00
Raja Grewal
ed5f8be9eb
Remove outdated comment about SACK, DSACK, and FACK 2023-03-30 19:17:43 +11:00
Raja Grewal
7a4212dd76
Update copyright 2023-03-30 17:08:47 +11:00
Patrick Schleizer
8c3204a5e4
comment 2023-01-25 15:20:30 -05:00
Patrick Schleizer
65c29f493b
move kexec disabling to dedicated file /etc/sysctl.d/30_security-misc_kexec-disable.conf 
so ram-wipe can `config-package-dev` `hide` this config file
 2023-01-25 15:13:19 -05:00
Patrick Schleizer
ad5d0d4b12
disable kexec (revert enabling kexec) 
remove kexec-utils for ram-wipe since moved to its own package
 2023-01-09 06:37:45 -05:00
Patrick Schleizer
87c4e77c01
migrate to ram-wipe package 2023-01-09 06:23:00 -05:00
Friedrich Doku
78a4fad667 Change echo to info. Included more reliable way of getting initrd and kernel. Allow user custom kexec 2023-01-07 11:14:31 -05:00
Raja Grewal
f81714be50
Merge branch 'Kicksecure:master' into framebuffer 2022-12-13 05:14:56 +00:00
Raja Grewal
d67845fea8
Typo 2022-12-13 16:11:24 +11:00
Patrick Schleizer
6d7a782624
fix 2022-11-24 07:21:46 -05:00
Raja Grewal
6f695902fb
Add comment about legacy Apple fiesystems 2022-11-23 23:53:40 +11:00
Patrick Schleizer
e5255a630a
pam-info: support non-root environments (such as during graphical display manager login and xscreensaver) 2022-11-22 05:57:30 -05:00
Raja Grewal
daa30d4e78
Include several framebuffer drivers into blacklist 
These were previously commented out to test for compatibility issues.
 2022-11-09 20:43:59 +11:00
Raja Grewal
92669dba18
Comment out machine check exception 2022-08-21 23:02:44 +10:00
Patrick Schleizer
0c5b1e9f57
undo "force kernel to panic on "oopses" 
because implemented differently already

https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713
 2022-07-23 07:49:56 -04:00
Raja Grewal
ca764d8de0
force kernel to panic on "oopses" 2022-07-20 04:06:35 +10:00
Raja Grewal
1660aaa6dd
update details around disabling SMT 2022-07-19 03:38:41 +10:00
Raja Grewal
bfd78a2c06
update SRBDS mitigation 2022-07-19 03:16:08 +10:00
Raja Grewal
c3ebb9160f
CPU mitigation - MMIO Stale Data 2022-07-19 02:33:16 +10:00