538 Commits

Author	SHA1	Message	Date
Patrick Schleizer	1b33e83529	Merge pull request #291 from raja-grewal/drop_gratuitous_arp ... Drop gratuitous ARP packets	2025-01-10 10:29:30 -05:00
Patrick Schleizer	486757bfae	Merge pull request #290 from raja-grewal/arp_ignore ... Respond to ARP requests only if the target IP address is on-link	2025-01-10 10:29:12 -05:00
Patrick Schleizer	17ff249150	Merge pull request #289 from raja-grewal/arp_filter ... Enable ARP filtering	2025-01-10 10:28:48 -05:00
Patrick Schleizer	27d19ba568	Merge pull request #288 from raja-grewal/shared_media ... Deny sending and receiving shared media redirects	2025-01-10 10:28:05 -05:00
Patrick Schleizer	3a31cc99b3	Merge remote-tracking branch 'ArrayBolt3/arraybolt3/usrmerge'	2025-01-09 09:30:58 -05:00
raja-grewal	1f8eee4720	Add missing sentence full stop	2025-01-08 18:36:00 +11:00
Aaron Rainbolt	5941195e96	Don't worry about files under /bin anymore, Bookworm uses a merged /usr directory	2025-01-07 14:10:46 -06:00
Aaron Rainbolt	895c0f541f	Merge branch 'master' into arraybolt3/permission-hardener-refactor	2025-01-01 15:04:01 -06:00
Patrick Schleizer	33114f771a	copyright	2024-12-31 13:26:21 -05:00
Aaron Rainbolt	dbcb612517	Polish permission-hardener refactor	2024-12-26 00:43:26 -06:00
Aaron Rainbolt	83d3867959	Refactor permission-hardener to be more idempotent	2024-12-25 16:53:55 -06:00
Patrick Schleizer	ad6e1f5ad4	move from /etc/permission-hardener.d to /usr/lib/permission-hardener.d	2024-12-20 00:41:06 -05:00
raja-grewal	2e6e1701a0	Set net.ipv4.conf.*.drop_gratuitous_arp=1	2024-12-19 10:35:08 +00:00
raja-grewal	c37f4efadf	Set net.ipv4.conf.*.arp_ignore=2	2024-12-19 10:33:49 +00:00
raja-grewal	af1d06973b	Set net.ipv4.conf.*.arp_filter=1	2024-12-19 10:31:43 +00:00
raja-grewal	750367a906	Set net.ipv4.conf.*.shared_media=0	2024-12-19 10:29:56 +00:00
Patrick Schleizer	c7f7196471	Merge pull request #287 from raja-grewal/patch ... Refactor and add two CPU mitigations	2024-12-19 00:31:25 -05:00
Patrick Schleizer	e5b67e044b	Merge pull request #279 from raja-grewal/arp ... Provide network-related hardening options via `sysctl`'s	2024-12-19 00:15:02 -05:00
raja-grewal	3749f8ff09	Update presentation on user namespaces	2024-12-18 03:36:09 +00:00
raja-grewal	ca3a73ac13	Typo	2024-12-17 11:37:10 +00:00
raja-grewal	c116796854	arp_ignore: Add reference to 2024-12-10 Mullvad VPN audit details	2024-12-12 06:36:47 +00:00
Patrick Schleizer	ef95b3f9a5	Revert "fix panic-on-oops.service" ... This reverts commit 862d23cb10b7687084f8e7e207d1e2c9c1ef6751.	2024-11-14 14:41:14 -05:00
raja-grewal	412b371e85	Merge branch 'Kicksecure:master' into arp	2024-11-13 16:47:57 +11:00
raja-grewal	141b84c40d	Provide option to deny sending and receiving shared media redirects	2024-11-13 05:42:56 +00:00
raja-grewal	18aec201bf	Provide option to harden response to ARP requests	2024-11-13 05:41:25 +00:00
raja-grewal	a25d4f8df8	Provide option to enable ARP filtering	2024-11-13 05:40:21 +00:00
raja-grewal	c2aae73ce1	Add reference and move text	2024-11-13 05:38:03 +00:00
Patrick Schleizer	862d23cb10	fix panic-on-oops.service ... remove `After=multi-user.target` because already using `WantedBy=multi-user.target` Thanks to @ArrayBolt3 for the bug report!	2024-11-11 05:36:41 -05:00
raja-grewal	a1d1f97955	Provide option to drop gratuitous ARP packets	2024-11-08 03:58:23 +00:00
raja-grewal	09fe46adc9	Clarify KSPP compliance header for the undocumented case	2024-10-14 02:54:30 +00:00
raja-grewal	0c0774f6c0	Merge branch 'master' into text_2	2024-10-06 10:48:52 +00:00
Patrick Schleizer	0e3ffa3f11	no longer set kernel.unprivileged_userns_clone=0 ... because it breaks too much fixes https://github.com/Kicksecure/security-misc/issues/274	2024-10-03 02:58:58 -04:00
Patrick Schleizer	f401d94d5e	expand documentation on kernel.unprivileged_userns_clone=0 sysctl ... https://github.com/Kicksecure/security-misc/issues/274	2024-10-03 02:44:06 -04:00
raja-grewal	f3b50a23c9	Add reference on unprivileged_userns_restriction	2024-09-26 13:10:01 +00:00
raja-grewal	39d063d494	Add KSPP=no definition	2024-09-26 13:09:21 +00:00
raja-grewal	870ff88605	Comment on Flatpak requiring unprivileged user namespaces	2024-09-25 10:01:45 +10:00
Patrick Schleizer	563a898013	Merge pull request #265 from raja-grewal/mmap_min_addr ... Set `sysctl vm.mmap_min_addr=65536`	2024-09-04 10:11:48 -04:00
raja-grewal	7393ba1591	Typo	2024-09-04 23:23:24 +10:00
Raja Grewal	6294729c8e	Follow-up on f70fe308a9	2024-08-29 15:34:24 +10:00
Patrick Schleizer	f70fe308a9	no longer set sysctl fs.binfmt_misc.status=0 / ... no longer disallow registering interpreters for miscellaneous binary formats causing file/folder permissions issue `d????????? ? ? ? ? ? .` Firefox no longer starting (probably not not a Firefox issue) https://github.com/Kicksecure/security-misc/issues/267	2024-08-28 06:49:50 -04:00
Raja Grewal	9e91c98cc9	Add details on BPF hardening and split the sysctls	2024-08-26 12:40:04 +10:00
Raja Grewal	2c356e8b0e	Add KSPP notice definitions	2024-08-26 11:34:12 +10:00
Raja Grewal	ac6602ac35	Add detail on disabling user namespaces breaking UPower	2024-08-26 11:19:20 +10:00
raja-grewal	9dbd200be4	Merge branch 'Kicksecure:master' into kspp_compliance	2024-08-26 11:08:21 +10:00
Patrick Schleizer	73900b59db	Merge pull request #263 from raja-grewal/max_user_namespaces ... Provide option to disable user namespaces	2024-08-25 11:00:51 -04:00
Patrick Schleizer	43d13b70f1	Merge remote-tracking branch 'raja/syntax'	2024-08-25 10:55:52 -04:00
Raja Grewal	32de5e7c49	Add details on oopses and warnings	2024-08-25 12:57:22 +10:00
Raja Grewal	e4909b5e28	Add details on kernel panics	2024-08-25 12:47:04 +10:00
Raja Grewal	56b28e3826	Typo	2024-08-19 11:50:08 +10:00
Raja Grewal	e61027a40e	Set sysctl vm.mmap_min_addr=65536	2024-08-19 11:32:20 +10:00