security-misc

mirror of https://github.com/Kicksecure/security-misc.git synced 2025-02-13 06:31:22 -05:00

Author	SHA1	Message	Date
Patrick Schleizer	df9d058ed9	usrmerge	2025-01-20 06:28:16 -05:00
Patrick Schleizer	4e0d5a196c	delete comment only configuration file (moved to user-sysmaint-split)	2025-01-20 04:30:26 -05:00
Patrick Schleizer	1b4d1edfc3	comments	2025-01-20 04:29:42 -05:00
Patrick Schleizer	eec2e2c8ee	comment	2025-01-14 04:13:39 -05:00
Patrick Schleizer	6d282226ef	comment	2025-01-14 04:12:12 -05:00
Patrick Schleizer	466308e4f9	permission hardener: disable SUID for `chrome-sandbox`	2025-01-14 04:09:57 -05:00
Patrick Schleizer	7a5f8b87af	permission hardener: disable SUID for `ssh-agent`, `ssh-keysign`, `/lib/openssh/*` This might break SSH host-based authentication.	2025-01-14 04:06:44 -05:00
Patrick Schleizer	d89ffcde30	comment	2025-01-14 04:04:09 -05:00
Patrick Schleizer	9f1759ba0e	comment	2025-01-14 03:56:55 -05:00
Patrick Schleizer	0ac85ea9f5	comment	2025-01-14 03:54:35 -05:00
Patrick Schleizer	fce6a5f830	comment	2025-01-14 03:51:43 -05:00
Patrick Schleizer	1e99404813	comment	2025-01-14 03:50:16 -05:00
Patrick Schleizer	b198591537	comment	2025-01-14 03:49:42 -05:00
Patrick Schleizer	7d44db2cb2	usrmerge	2025-01-14 03:49:15 -05:00
Patrick Schleizer	1b33e83529	Merge pull request #291 from raja-grewal/drop_gratuitous_arp Drop gratuitous ARP packets	2025-01-10 10:29:30 -05:00
Patrick Schleizer	486757bfae	Merge pull request #290 from raja-grewal/arp_ignore Respond to ARP requests only if the target IP address is on-link	2025-01-10 10:29:12 -05:00
Patrick Schleizer	17ff249150	Merge pull request #289 from raja-grewal/arp_filter Enable ARP filtering	2025-01-10 10:28:48 -05:00
Patrick Schleizer	27d19ba568	Merge pull request #288 from raja-grewal/shared_media Deny sending and receiving shared media redirects	2025-01-10 10:28:05 -05:00
Patrick Schleizer	3a31cc99b3	Merge remote-tracking branch 'ArrayBolt3/arraybolt3/usrmerge'	2025-01-09 09:30:58 -05:00
raja-grewal	1f8eee4720	Add missing sentence full stop	2025-01-08 18:36:00 +11:00
Aaron Rainbolt	5941195e96	Don't worry about files under /bin anymore, Bookworm uses a merged /usr directory	2025-01-07 14:10:46 -06:00
Aaron Rainbolt	895c0f541f	Merge branch 'master' into arraybolt3/permission-hardener-refactor	2025-01-01 15:04:01 -06:00
Patrick Schleizer	33114f771a	copyright	2024-12-31 13:26:21 -05:00
Aaron Rainbolt	dbcb612517	Polish permission-hardener refactor	2024-12-26 00:43:26 -06:00
Aaron Rainbolt	83d3867959	Refactor permission-hardener to be more idempotent	2024-12-25 16:53:55 -06:00
Patrick Schleizer	ad6e1f5ad4	move from `/etc/permission-hardener.d` to `/usr/lib/permission-hardener.d`	2024-12-20 00:41:06 -05:00
raja-grewal	2e6e1701a0	Set `net.ipv4.conf.*.drop_gratuitous_arp=1`	2024-12-19 10:35:08 +00:00
raja-grewal	c37f4efadf	Set `net.ipv4.conf.*.arp_ignore=2`	2024-12-19 10:33:49 +00:00
raja-grewal	af1d06973b	Set `net.ipv4.conf.*.arp_filter=1`	2024-12-19 10:31:43 +00:00
raja-grewal	750367a906	Set `net.ipv4.conf.*.shared_media=0`	2024-12-19 10:29:56 +00:00
Patrick Schleizer	c7f7196471	Merge pull request #287 from raja-grewal/patch Refactor and add two CPU mitigations	2024-12-19 00:31:25 -05:00
Patrick Schleizer	e5b67e044b	Merge pull request #279 from raja-grewal/arp Provide network-related hardening options via `sysctl`'s	2024-12-19 00:15:02 -05:00
raja-grewal	3749f8ff09	Update presentation on user namespaces	2024-12-18 03:36:09 +00:00
raja-grewal	ca3a73ac13	Typo	2024-12-17 11:37:10 +00:00
raja-grewal	c116796854	`arp_ignore`: Add reference to 2024-12-10 Mullvad VPN audit details	2024-12-12 06:36:47 +00:00
Patrick Schleizer	ef95b3f9a5	Revert "fix `panic-on-oops.service`" This reverts commit 862d23cb10b7687084f8e7e207d1e2c9c1ef6751.	2024-11-14 14:41:14 -05:00
raja-grewal	412b371e85	Merge branch 'Kicksecure:master' into arp	2024-11-13 16:47:57 +11:00
raja-grewal	141b84c40d	Provide option to deny sending and receiving shared media redirects	2024-11-13 05:42:56 +00:00
raja-grewal	18aec201bf	Provide option to harden response to ARP requests	2024-11-13 05:41:25 +00:00
raja-grewal	a25d4f8df8	Provide option to enable ARP filtering	2024-11-13 05:40:21 +00:00
raja-grewal	c2aae73ce1	Add reference and move text	2024-11-13 05:38:03 +00:00
Patrick Schleizer	862d23cb10	fix `panic-on-oops.service` remove `After=multi-user.target` because already using `WantedBy=multi-user.target` Thanks to @ArrayBolt3 for the bug report!	2024-11-11 05:36:41 -05:00
raja-grewal	a1d1f97955	Provide option to drop gratuitous ARP packets	2024-11-08 03:58:23 +00:00
raja-grewal	09fe46adc9	Clarify KSPP compliance header for the undocumented case	2024-10-14 02:54:30 +00:00
raja-grewal	0c0774f6c0	Merge branch 'master' into text_2	2024-10-06 10:48:52 +00:00
Patrick Schleizer	0e3ffa3f11	no longer set `kernel.unprivileged_userns_clone=0` because it breaks too much fixes https://github.com/Kicksecure/security-misc/issues/274	2024-10-03 02:58:58 -04:00
Patrick Schleizer	f401d94d5e	expand documentation on `kernel.unprivileged_userns_clone=0` sysctl https://github.com/Kicksecure/security-misc/issues/274	2024-10-03 02:44:06 -04:00
raja-grewal	f3b50a23c9	Add reference on unprivileged_userns_restriction	2024-09-26 13:10:01 +00:00
raja-grewal	39d063d494	Add KSPP=no definition	2024-09-26 13:09:21 +00:00
raja-grewal	870ff88605	Comment on Flatpak requiring unprivileged user namespaces	2024-09-25 10:01:45 +10:00

1 2 3 4 5 ...

552 Commits