diff --git a/.gitignore b/.gitignore deleted file mode 100644 index ef58a2f..0000000 --- a/.gitignore +++ /dev/null @@ -1 +0,0 @@ -pkgs diff --git a/COPYING b/COPYING index 829d909..4cfb76c 100644 --- a/COPYING +++ b/COPYING @@ -1,668 +1,212 @@ Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Files: * -Copyright: 2012 - 2025 ENCRYPTED SUPPORT LLC -License: AGPL-3+ - -License: AGPL-3+ - GNU AFFERO GENERAL PUBLIC LICENSE - Version 3, 19 November 2007 - . - Copyright (C) 2007 Free Software Foundation, Inc. - Everyone is permitted to copy and distribute verbatim copies - of this license document, but changing it is not allowed. - . - Preamble - . - The GNU Affero General Public License is a free, copyleft license for - software and other kinds of works, specifically designed to ensure - cooperation with the community in the case of network server software. - . - The licenses for most software and other practical works are designed - to take away your freedom to share and change the works. By contrast, - our General Public Licenses are intended to guarantee your freedom to - share and change all versions of a program--to make sure it remains free - software for all its users. - . - When we speak of free software, we are referring to freedom, not - price. Our General Public Licenses are designed to make sure that you - have the freedom to distribute copies of free software (and charge for - them if you wish), that you receive source code or can get it if you - want it, that you can change the software or use pieces of it in new - free programs, and that you know you can do these things. - . - Developers that use our General Public Licenses protect your rights - with two steps: (1) assert copyright on the software, and (2) offer - you this License which gives you legal permission to copy, distribute - and/or modify the software. - . - A secondary benefit of defending all users' freedom is that - improvements made in alternate versions of the program, if they - receive widespread use, become available for other developers to - incorporate. Many developers of free software are heartened and - encouraged by the resulting cooperation. However, in the case of - software used on network servers, this result may fail to come about. - The GNU General Public License permits making a modified version and - letting the public access it on a server without ever releasing its - source code to the public. - . - The GNU Affero General Public License is designed specifically to - ensure that, in such cases, the modified source code becomes available - to the community. It requires the operator of a network server to - provide the source code of the modified version running there to the - users of that server. Therefore, public use of a modified version, on - a publicly accessible server, gives the public access to the source - code of the modified version. - . - An older license, called the Affero General Public License and - published by Affero, was designed to accomplish similar goals. This is - a different license, not a version of the Affero GPL, but Affero has - released a new version of the Affero GPL which permits relicensing under - this license. - . - The precise terms and conditions for copying, distribution and - modification follow. - . - TERMS AND CONDITIONS - . - 0. Definitions. - . - "This License" refers to version 3 of the GNU Affero General Public License. - . - "Copyright" also means copyright-like laws that apply to other kinds of - works, such as semiconductor masks. - . - "The Program" refers to any copyrightable work licensed under this - License. Each licensee is addressed as "you". "Licensees" and - "recipients" may be individuals or organizations. - . - To "modify" a work means to copy from or adapt all or part of the work - in a fashion requiring copyright permission, other than the making of an - exact copy. The resulting work is called a "modified version" of the - earlier work or a work "based on" the earlier work. - . - A "covered work" means either the unmodified Program or a work based - on the Program. - . - To "propagate" a work means to do anything with it that, without - permission, would make you directly or secondarily liable for - infringement under applicable copyright law, except executing it on a - computer or modifying a private copy. Propagation includes copying, - distribution (with or without modification), making available to the - public, and in some countries other activities as well. - . - To "convey" a work means any kind of propagation that enables other - parties to make or receive copies. Mere interaction with a user through - a computer network, with no transfer of a copy, is not conveying. - . - An interactive user interface displays "Appropriate Legal Notices" - to the extent that it includes a convenient and prominently visible - feature that (1) displays an appropriate copyright notice, and (2) - tells the user that there is no warranty for the work (except to the - extent that warranties are provided), that licensees may convey the - work under this License, and how to view a copy of this License. If - the interface presents a list of user commands or options, such as a - menu, a prominent item in the list meets this criterion. - . - 1. Source Code. - . - The "source code" for a work means the preferred form of the work - for making modifications to it. "Object code" means any non-source - form of a work. - . - A "Standard Interface" means an interface that either is an official - standard defined by a recognized standards body, or, in the case of - interfaces specified for a particular programming language, one that - is widely used among developers working in that language. - . - The "System Libraries" of an executable work include anything, other - than the work as a whole, that (a) is included in the normal form of - packaging a Major Component, but which is not part of that Major - Component, and (b) serves only to enable use of the work with that - Major Component, or to implement a Standard Interface for which an - implementation is available to the public in source code form. A - "Major Component", in this context, means a major essential component - (kernel, window system, and so on) of the specific operating system - (if any) on which the executable work runs, or a compiler used to - produce the work, or an object code interpreter used to run it. - . - The "Corresponding Source" for a work in object code form means all - the source code needed to generate, install, and (for an executable - work) run the object code and to modify the work, including scripts to - control those activities. However, it does not include the work's - System Libraries, or general-purpose tools or generally available free - programs which are used unmodified in performing those activities but - which are not part of the work. For example, Corresponding Source - includes interface definition files associated with source files for - the work, and the source code for shared libraries and dynamically - linked subprograms that the work is specifically designed to require, - such as by intimate data communication or control flow between those - subprograms and other parts of the work. - . - The Corresponding Source need not include anything that users - can regenerate automatically from other parts of the Corresponding - Source. - . - The Corresponding Source for a work in source code form is that - same work. - . - 2. Basic Permissions. - . - All rights granted under this License are granted for the term of - copyright on the Program, and are irrevocable provided the stated - conditions are met. This License explicitly affirms your unlimited - permission to run the unmodified Program. The output from running a - covered work is covered by this License only if the output, given its - content, constitutes a covered work. This License acknowledges your - rights of fair use or other equivalent, as provided by copyright law. - . - You may make, run and propagate covered works that you do not - convey, without conditions so long as your license otherwise remains - in force. You may convey covered works to others for the sole purpose - of having them make modifications exclusively for you, or provide you - with facilities for running those works, provided that you comply with - the terms of this License in conveying all material for which you do - not control copyright. Those thus making or running the covered works - for you must do so exclusively on your behalf, under your direction - and control, on terms that prohibit them from making any copies of - your copyrighted material outside their relationship with you. - . - Conveying under any other circumstances is permitted solely under - the conditions stated below. Sublicensing is not allowed; section 10 - makes it unnecessary. - . - 3. Protecting Users' Legal Rights From Anti-Circumvention Law. - . - No covered work shall be deemed part of an effective technological - measure under any applicable law fulfilling obligations under article - 11 of the WIPO copyright treaty adopted on 20 December 1996, or - similar laws prohibiting or restricting circumvention of such - measures. - . - When you convey a covered work, you waive any legal power to forbid - circumvention of technological measures to the extent such circumvention - is effected by exercising rights under this License with respect to - the covered work, and you disclaim any intention to limit operation or - modification of the work as a means of enforcing, against the work's - users, your or third parties' legal rights to forbid circumvention of - technological measures. - . - 4. Conveying Verbatim Copies. - . - You may convey verbatim copies of the Program's source code as you - receive it, in any medium, provided that you conspicuously and - appropriately publish on each copy an appropriate copyright notice; - keep intact all notices stating that this License and any - non-permissive terms added in accord with section 7 apply to the code; - keep intact all notices of the absence of any warranty; and give all - recipients a copy of this License along with the Program. - . - You may charge any price or no price for each copy that you convey, - and you may offer support or warranty protection for a fee. - . - 5. Conveying Modified Source Versions. - . - You may convey a work based on the Program, or the modifications to - produce it from the Program, in the form of source code under the - terms of section 4, provided that you also meet all of these conditions: - . - a) The work must carry prominent notices stating that you modified - it, and giving a relevant date. - . - b) The work must carry prominent notices stating that it is - released under this License and any conditions added under section - 7. This requirement modifies the requirement in section 4 to - "keep intact all notices". - . - c) You must license the entire work, as a whole, under this - License to anyone who comes into possession of a copy. This - License will therefore apply, along with any applicable section 7 - additional terms, to the whole of the work, and all its parts, - regardless of how they are packaged. This License gives no - permission to license the work in any other way, but it does not - invalidate such permission if you have separately received it. - . - d) If the work has interactive user interfaces, each must display - Appropriate Legal Notices; however, if the Program has interactive - interfaces that do not display Appropriate Legal Notices, your - work need not make them do so. - . - A compilation of a covered work with other separate and independent - works, which are not by their nature extensions of the covered work, - and which are not combined with it such as to form a larger program, - in or on a volume of a storage or distribution medium, is called an - "aggregate" if the compilation and its resulting copyright are not - used to limit the access or legal rights of the compilation's users - beyond what the individual works permit. Inclusion of a covered work - in an aggregate does not cause this License to apply to the other - parts of the aggregate. - . - 6. Conveying Non-Source Forms. - . - You may convey a covered work in object code form under the terms - of sections 4 and 5, provided that you also convey the - machine-readable Corresponding Source under the terms of this License, - in one of these ways: - . - a) Convey the object code in, or embodied in, a physical product - (including a physical distribution medium), accompanied by the - Corresponding Source fixed on a durable physical medium - customarily used for software interchange. - . - b) Convey the object code in, or embodied in, a physical product - (including a physical distribution medium), accompanied by a - written offer, valid for at least three years and valid for as - long as you offer spare parts or customer support for that product - model, to give anyone who possesses the object code either (1) a - copy of the Corresponding Source for all the software in the - product that is covered by this License, on a durable physical - medium customarily used for software interchange, for a price no - more than your reasonable cost of physically performing this - conveying of source, or (2) access to copy the - Corresponding Source from a network server at no charge. - . - c) Convey individual copies of the object code with a copy of the - written offer to provide the Corresponding Source. This - alternative is allowed only occasionally and noncommercially, and - only if you received the object code with such an offer, in accord - with subsection 6b. - . - d) Convey the object code by offering access from a designated - place (gratis or for a charge), and offer equivalent access to the - Corresponding Source in the same way through the same place at no - further charge. You need not require recipients to copy the - Corresponding Source along with the object code. If the place to - copy the object code is a network server, the Corresponding Source - may be on a different server (operated by you or a third party) - that supports equivalent copying facilities, provided you maintain - clear directions next to the object code saying where to find the - Corresponding Source. Regardless of what server hosts the - Corresponding Source, you remain obligated to ensure that it is - available for as long as needed to satisfy these requirements. - . - e) Convey the object code using peer-to-peer transmission, provided - you inform other peers where the object code and Corresponding - Source of the work are being offered to the general public at no - charge under subsection 6d. - . - A separable portion of the object code, whose source code is excluded - from the Corresponding Source as a System Library, need not be - included in conveying the object code work. - . - A "User Product" is either (1) a "consumer product", which means any - tangible personal property which is normally used for personal, family, - or household purposes, or (2) anything designed or sold for incorporation - into a dwelling. In determining whether a product is a consumer product, - doubtful cases shall be resolved in favor of coverage. For a particular - product received by a particular user, "normally used" refers to a - typical or common use of that class of product, regardless of the status - of the particular user or of the way in which the particular user - actually uses, or expects or is expected to use, the product. A product - is a consumer product regardless of whether the product has substantial - commercial, industrial or non-consumer uses, unless such uses represent - the only significant mode of use of the product. - . - "Installation Information" for a User Product means any methods, - procedures, authorization keys, or other information required to install - and execute modified versions of a covered work in that User Product from - a modified version of its Corresponding Source. The information must - suffice to ensure that the continued functioning of the modified object - code is in no case prevented or interfered with solely because - modification has been made. - . - If you convey an object code work under this section in, or with, or - specifically for use in, a User Product, and the conveying occurs as - part of a transaction in which the right of possession and use of the - User Product is transferred to the recipient in perpetuity or for a - fixed term (regardless of how the transaction is characterized), the - Corresponding Source conveyed under this section must be accompanied - by the Installation Information. But this requirement does not apply - if neither you nor any third party retains the ability to install - modified object code on the User Product (for example, the work has - been installed in ROM). - . - The requirement to provide Installation Information does not include a - requirement to continue to provide support service, warranty, or updates - for a work that has been modified or installed by the recipient, or for - the User Product in which it has been modified or installed. Access to a - network may be denied when the modification itself materially and - adversely affects the operation of the network or violates the rules and - protocols for communication across the network. - . - Corresponding Source conveyed, and Installation Information provided, - in accord with this section must be in a format that is publicly - documented (and with an implementation available to the public in - source code form), and must require no special password or key for - unpacking, reading or copying. - . - 7. Additional Terms. - . - "Additional permissions" are terms that supplement the terms of this - License by making exceptions from one or more of its conditions. - Additional permissions that are applicable to the entire Program shall - be treated as though they were included in this License, to the extent - that they are valid under applicable law. If additional permissions - apply only to part of the Program, that part may be used separately - under those permissions, but the entire Program remains governed by - this License without regard to the additional permissions. - . - When you convey a copy of a covered work, you may at your option - remove any additional permissions from that copy, or from any part of - it. (Additional permissions may be written to require their own - removal in certain cases when you modify the work.) You may place - additional permissions on material, added by you to a covered work, - for which you have or can give appropriate copyright permission. - . - Notwithstanding any other provision of this License, for material you - add to a covered work, you may (if authorized by the copyright holders of - that material) supplement the terms of this License with terms: - . - a) Disclaiming warranty or limiting liability differently from the - terms of sections 15 and 16 of this License; or - . - b) Requiring preservation of specified reasonable legal notices or - author attributions in that material or in the Appropriate Legal - Notices displayed by works containing it; or - . - c) Prohibiting misrepresentation of the origin of that material, or - requiring that modified versions of such material be marked in - reasonable ways as different from the original version; or - . - d) Limiting the use for publicity purposes of names of licensors or - authors of the material; or - . - e) Declining to grant rights under trademark law for use of some - trade names, trademarks, or service marks; or - . - f) Requiring indemnification of licensors and authors of that - material by anyone who conveys the material (or modified versions of - it) with contractual assumptions of liability to the recipient, for - any liability that these contractual assumptions directly impose on - those licensors and authors. - . - All other non-permissive additional terms are considered "further - restrictions" within the meaning of section 10. If the Program as you - received it, or any part of it, contains a notice stating that it is - governed by this License along with a term that is a further - restriction, you may remove that term. If a license document contains - a further restriction but permits relicensing or conveying under this - License, you may add to a covered work material governed by the terms - of that license document, provided that the further restriction does - not survive such relicensing or conveying. - . - If you add terms to a covered work in accord with this section, you - must place, in the relevant source files, a statement of the - additional terms that apply to those files, or a notice indicating - where to find the applicable terms. - . - Additional terms, permissive or non-permissive, may be stated in the - form of a separately written license, or stated as exceptions; - the above requirements apply either way. - . - 8. Termination. - . - You may not propagate or modify a covered work except as expressly - provided under this License. Any attempt otherwise to propagate or - modify it is void, and will automatically terminate your rights under - this License (including any patent licenses granted under the third - paragraph of section 11). - . - However, if you cease all violation of this License, then your - license from a particular copyright holder is reinstated (a) - provisionally, unless and until the copyright holder explicitly and - finally terminates your license, and (b) permanently, if the copyright - holder fails to notify you of the violation by some reasonable means - prior to 60 days after the cessation. - . - Moreover, your license from a particular copyright holder is - reinstated permanently if the copyright holder notifies you of the - violation by some reasonable means, this is the first time you have - received notice of violation of this License (for any work) from that - copyright holder, and you cure the violation prior to 30 days after - your receipt of the notice. - . - Termination of your rights under this section does not terminate the - licenses of parties who have received copies or rights from you under - this License. If your rights have been terminated and not permanently - reinstated, you do not qualify to receive new licenses for the same - material under section 10. - . - 9. Acceptance Not Required for Having Copies. - . - You are not required to accept this License in order to receive or - run a copy of the Program. Ancillary propagation of a covered work - occurring solely as a consequence of using peer-to-peer transmission - to receive a copy likewise does not require acceptance. However, - nothing other than this License grants you permission to propagate or - modify any covered work. These actions infringe copyright if you do - not accept this License. Therefore, by modifying or propagating a - covered work, you indicate your acceptance of this License to do so. - . - 10. Automatic Licensing of Downstream Recipients. - . - Each time you convey a covered work, the recipient automatically - receives a license from the original licensors, to run, modify and - propagate that work, subject to this License. You are not responsible - for enforcing compliance by third parties with this License. - . - An "entity transaction" is a transaction transferring control of an - organization, or substantially all assets of one, or subdividing an - organization, or merging organizations. If propagation of a covered - work results from an entity transaction, each party to that - transaction who receives a copy of the work also receives whatever - licenses to the work the party's predecessor in interest had or could - give under the previous paragraph, plus a right to possession of the - Corresponding Source of the work from the predecessor in interest, if - the predecessor has it or can get it with reasonable efforts. - . - You may not impose any further restrictions on the exercise of the - rights granted or affirmed under this License. For example, you may - not impose a license fee, royalty, or other charge for exercise of - rights granted under this License, and you may not initiate litigation - (including a cross-claim or counterclaim in a lawsuit) alleging that - any patent claim is infringed by making, using, selling, offering for - sale, or importing the Program or any portion of it. - . - 11. Patents. - . - A "contributor" is a copyright holder who authorizes use under this - License of the Program or a work on which the Program is based. The - work thus licensed is called the contributor's "contributor version". - . - A contributor's "essential patent claims" are all patent claims - owned or controlled by the contributor, whether already acquired or - hereafter acquired, that would be infringed by some manner, permitted - by this License, of making, using, or selling its contributor version, - but do not include claims that would be infringed only as a - consequence of further modification of the contributor version. For - purposes of this definition, "control" includes the right to grant - patent sublicenses in a manner consistent with the requirements of - this License. - . - Each contributor grants you a non-exclusive, worldwide, royalty-free - patent license under the contributor's essential patent claims, to - make, use, sell, offer for sale, import and otherwise run, modify and - propagate the contents of its contributor version. - . - In the following three paragraphs, a "patent license" is any express - agreement or commitment, however denominated, not to enforce a patent - (such as an express permission to practice a patent or covenant not to - sue for patent infringement). To "grant" such a patent license to a - party means to make such an agreement or commitment not to enforce a - patent against the party. - . - If you convey a covered work, knowingly relying on a patent license, - and the Corresponding Source of the work is not available for anyone - to copy, free of charge and under the terms of this License, through a - publicly available network server or other readily accessible means, - then you must either (1) cause the Corresponding Source to be so - available, or (2) arrange to deprive yourself of the benefit of the - patent license for this particular work, or (3) arrange, in a manner - consistent with the requirements of this License, to extend the patent - license to downstream recipients. "Knowingly relying" means you have - actual knowledge that, but for the patent license, your conveying the - covered work in a country, or your recipient's use of the covered work - in a country, would infringe one or more identifiable patents in that - country that you have reason to believe are valid. - . - If, pursuant to or in connection with a single transaction or - arrangement, you convey, or propagate by procuring conveyance of, a - covered work, and grant a patent license to some of the parties - receiving the covered work authorizing them to use, propagate, modify - or convey a specific copy of the covered work, then the patent license - you grant is automatically extended to all recipients of the covered - work and works based on it. - . - A patent license is "discriminatory" if it does not include within - the scope of its coverage, prohibits the exercise of, or is - conditioned on the non-exercise of one or more of the rights that are - specifically granted under this License. You may not convey a covered - work if you are a party to an arrangement with a third party that is - in the business of distributing software, under which you make payment - to the third party based on the extent of your activity of conveying - the work, and under which the third party grants, to any of the - parties who would receive the covered work from you, a discriminatory - patent license (a) in connection with copies of the covered work - conveyed by you (or copies made from those copies), or (b) primarily - for and in connection with specific products or compilations that - contain the covered work, unless you entered into that arrangement, - or that patent license was granted, prior to 28 March 2007. - . - Nothing in this License shall be construed as excluding or limiting - any implied license or other defenses to infringement that may - otherwise be available to you under applicable patent law. - . - 12. No Surrender of Others' Freedom. - . - If conditions are imposed on you (whether by court order, agreement or - otherwise) that contradict the conditions of this License, they do not - excuse you from the conditions of this License. If you cannot convey a - covered work so as to satisfy simultaneously your obligations under this - License and any other pertinent obligations, then as a consequence you may - not convey it at all. For example, if you agree to terms that obligate you - to collect a royalty for further conveying from those to whom you convey - the Program, the only way you could satisfy both those terms and this - License would be to refrain entirely from conveying the Program. - . - 13. Remote Network Interaction; Use with the GNU General Public License. - . - Notwithstanding any other provision of this License, if you modify the - Program, your modified version must prominently offer all users - interacting with it remotely through a computer network (if your version - supports such interaction) an opportunity to receive the Corresponding - Source of your version by providing access to the Corresponding Source - from a network server at no charge, through some standard or customary - means of facilitating copying of software. This Corresponding Source - shall include the Corresponding Source for any work covered by version 3 - of the GNU General Public License that is incorporated pursuant to the - following paragraph. - . - Notwithstanding any other provision of this License, you have - permission to link or combine any covered work with a work licensed - under version 3 of the GNU General Public License into a single - combined work, and to convey the resulting work. The terms of this - License will continue to apply to the part which is the covered work, - but the work with which it is combined will remain governed by version - 3 of the GNU General Public License. - . - 14. Revised Versions of this License. - . - The Free Software Foundation may publish revised and/or new versions of - the GNU Affero General Public License from time to time. Such new versions - will be similar in spirit to the present version, but may differ in detail to - address new problems or concerns. - . - Each version is given a distinguishing version number. If the - Program specifies that a certain numbered version of the GNU Affero General - Public License "or any later version" applies to it, you have the - option of following the terms and conditions either of that numbered - version or of any later version published by the Free Software - Foundation. If the Program does not specify a version number of the - GNU Affero General Public License, you may choose any version ever published - by the Free Software Foundation. - . - If the Program specifies that a proxy can decide which future - versions of the GNU Affero General Public License can be used, that proxy's - public statement of acceptance of a version permanently authorizes you - to choose that version for the Program. - . - Later license versions may give you additional or different - permissions. However, no additional obligations are imposed on any - author or copyright holder as a result of your choosing to follow a - later version. - . - 15. Disclaimer of Warranty. - . - THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY - APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT - HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY - OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, - THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM - IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF +Copyright: 2012 - 2019 ENCRYPTED SUPPORT LP +License: GPL-3+-with-additional-terms-1 + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + . + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + . + You should have received a copy of the GNU General Public License + along with this program. If not, see . + . + On Debian systems, the full text of the GNU General Public + License version 3 can be found in the file + `/usr/share/common-licenses/GPL-3'. + . + ADDITIONAL TERMS APPLICABLE per GNU GPL version 3 section 7 + . + 1. Replacement of Section 15. Section 15 of the GPL shall be deleted in its + entirety and replaced with the following: + . + 15. Disclaimer of Warranty. + . + THE PROGRAM IS PROVIDED WITHOUT ANY WARRANTIES, WHETHER EXPRESSED OR IMPLIED, + INCLUDING, WITHOUT LIMITATION, IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR + PURPOSE, NON-INFRINGEMENT, TITLE AND MERCHANTABILITY. THE PROGRAM IS BEING + DELIVERED OR MADE AVAILABLE 'AS IS', 'WITH ALL FAULTS' AND WITHOUT WARRANTY OR + REPRESENTATION. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE + PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. . - 16. Limitation of Liability. + 2. Replacement of Section 16. Section 16 of the GPL shall be deleted in its + entirety and replaced with the following: . - IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING - WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS - THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY - GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE - USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF - DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD - PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), - EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF - SUCH DAMAGES. + 16. LIMITATION OF LIABILITY. . - 17. Interpretation of Sections 15 and 16. + UNDER NO CIRCUMSTANCES SHALL ANY COPYRIGHT HOLDER OR ITS AFFILIATES, OR ANY + OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE + LIABLE TO YOU, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, FOR ANY + DAMAGES OR OTHER LIABILITY, INCLUDING ANY GENERAL, DIRECT, INDIRECT, SPECIAL, + INCIDENTAL, CONSEQUENTIAL OR PUNITIVE DAMAGES ARISING FROM, OUT OF OR IN + CONNECTION WITH THE USE OR INABILITY TO USE THE PROGRAM OR OTHER DEALINGS WITH + THE PROGRAM(INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED + INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE + PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), WHETHER OR NOT ANY COPYRIGHT HOLDER + OR SUCH OTHER PARTY RECEIVES NOTICE OF ANY SUCH DAMAGES AND WHETHER OR NOT SUCH + DAMAGES COULD HAVE BEEN FORESEEN. . - If the disclaimer of warranty and limitation of liability provided - above cannot be given local legal effect according to their terms, - reviewing courts shall apply local law that most closely approximates - an absolute waiver of all civil liability in connection with the - Program, unless a warranty or assumption of liability accompanies a - copy of the Program in return for a fee. + 3. LEGAL NOTICES; NO TRADEMARK LICENSE; ORIGIN. You must reproduce faithfully + all trademark, copyright and other proprietary and legal notices on any copies + of the Program or any other required author attributions. This license does not + grant you rights to use any copyright holder or any other party's name, logo, or + trademarks. Neither the name of the copyright holder or its affiliates, or any + other party who modifies and/or conveys the Program may be used to endorse or + promote products derived from this software without specific prior written + permission. The origin of the Program must not be misrepresented; you must not + claim that you wrote the original Program. Altered source versions must be + plainly marked as such, and must not be misrepresented as being the original + Program. . - END OF TERMS AND CONDITIONS + 4. INDEMNIFICATION. IF YOU CONVEY A COVERED WORK AND AGREE WITH ANY RECIPIENT + OF THAT COVERED WORK THAT YOU WILL ASSUME ANY LIABILITY FOR THAT COVERED WORK, + YOU HEREBY AGREE TO INDEMNIFY, DEFEND AND HOLD HARMLESS THE OTHER LICENSORS AND + AUTHORS OF THAT COVERED WORK FOR ANY DAMAGES, DEMANDS, CLAIMS, LOSSES, CAUSES OF + ACTION, LAWSUITS, JUDGMENTS EXPENSES (INCLUDING WITHOUT LIMITATION REASONABLE + ATTORNEYS' FEES AND EXPENSES) OR ANY OTHER LIABILITY ARISING FROM, RELATED TO OR + IN CONNECTION WITH YOUR ASSUMPTIONS OF LIABILITY. . - How to Apply These Terms to Your New Programs + +Files: etc/login.defs.security-misc +Copyright: + This is Debian GNU/Linux's prepackaged version of the shadow utilities. . - If you develop a new program, and you want it to be of the greatest - possible use to the public, the best way to achieve this is to make it - free software which everyone can redistribute and change under these terms. + It was downloaded from: . + As of May 2007, this site is no longer available. . - To do so, attach the following notices to the program. It is safest - to attach them to the start of each source file to most effectively - state the exclusion of warranty; and each file should have at least - the "copyright" line and a pointer to where the full notice is found. + Copyright: . - - Copyright (C) + Parts of this software are copyright 1988 - 1994, Julianne Frances Haugh. + All rights reserved. . - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU Affero General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. + Parts of this software are copyright 1997 - 2001, Marek Michałkiewicz. + All rights reserved. . - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU Affero General Public License for more details. + Parts of this software are copyright 2001 - 2004, Andrzej Krzysztofowicz + All rights reserved. . - You should have received a copy of the GNU Affero General Public License - along with this program. If not, see . + Parts of this software are copyright 2000 - 2007, Tomasz Kłoczko. + All rights reserved. +License: shadow-license + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + 3. Neither the name of Julianne F. Haugh nor the names of its contributors + may be used to endorse or promote products derived from this software + without specific prior written permission. . - Also add information on how to contact you by electronic and paper mail. + THIS SOFTWARE IS PROVIDED BY JULIE HAUGH AND CONTRIBUTORS ``AS IS'' AND + ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + ARE DISCLAIMED. IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE + FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + SUCH DAMAGE. . - If your software can interact with users remotely through a computer - network, you should also make sure that it provides a way for users to - get its source. For example, if your program is a web application, its - interface could display a "Source" link that leads users to an archive - of the code. There are many ways you could offer source, and different - solutions will be better for different programs; see section 13 for the - specific requirements. + This source code is currently archived on ftp.uu.net in the + comp.sources.misc portion of the USENET archives. You may also contact + the author, Julianne F. Haugh, at jockgrrl@ix.netcom.com if you have + any questions regarding this package. . - You should also get your employer (if you work as a programmer) or school, - if any, to sign a "copyright disclaimer" for the program, if necessary. - For more information on this, and how to apply and follow the GNU AGPL, see - . + THIS SOFTWARE IS BEING DISTRIBUTED AS-IS. THE AUTHORS DISCLAIM ALL + LIABILITY FOR ANY CONSEQUENCES OF USE. THE USER IS SOLELY RESPONSIBLE + FOR THE MAINTENANCE OF THIS SOFTWARE PACKAGE. THE AUTHORS ARE UNDER NO + OBLIGATION TO PROVIDE MODIFICATIONS OR IMPROVEMENTS. THE USER IS + ENCOURAGED TO TAKE ANY AND ALL STEPS NEEDED TO PROTECT AGAINST ACCIDENTAL + LOSS OF INFORMATION OR MACHINE RESOURCES. + . + Special thanks are due to Chip Rosenthal for his fine testing efforts; + to Steve Simmons for his work in porting this code to BSD; and to Bill + Kennedy for his contributions of LaserJet printer time and energies. + Also, thanks for Dennis L. Mumaugh for the initial shadow password + information and to Tony Walton (olapw@olgb1.oliv.co.uk) for the System + V Release 4 changes. Effort in porting to SunOS has been contributed + by Dr. Michael Newberry (miken@cs.adfa.oz.au) and Micheal J. Miller, Jr. + (mke@kaberd.rain.com). Effort in porting to AT&T UNIX System V Release + 4 has been provided by Andrew Herbert (andrew@werple.pub.uu.oz.au). + Special thanks to Marek Michalkiewicz (marekm@i17linuxb.ists.pwr.wroc.pl) + for taking over the Linux port of this software. + +Files: etc/pam.d/* +Copyright: + This package was debianized by J.H.M. Dassen (Ray) jdassen@debian.org on + Wed, 23 Sep 1998 20:29:32 +0200. + . + It was downloaded from ftp://ftp.kernel.org/pub/linux/libs/pam/pre/ + . + Copyright (C) 1994, 1995, 1996 Olaf Kirch, + Copyright (C) 1995 Wietse Venema + Copyright (C) 1995, 2001-2008 Red Hat, Inc. + Copyright (C) 1996-1999, 2000-2003, 2005 Andrew G. Morgan + Copyright (C) 1996, 1997, 1999 Cristian Gafton + Copyright (C) 1996, 1999 Theodore Ts'o + Copyright (C) 1996 Alexander O. Yuriev + Copyright (C) 1996 Elliot Lee + Copyright (C) 1997 Philip W. Dalrymple + Copyright (C) 1999 Jan Rękorajski + Copyright (C) 1999 Ben Collins + Copyright (C) 2000-2001, 2003, 2005, 2007 Steve Langasek + Copyright (C) 2003, 2005 IBM Corporation + Copyright (C) 2003, 2006 SuSE Linux AG. + Copyright (C) 2003 Nalin Dahyabhai + Copyright (C) 2005-2008 Thorsten Kukuk + Copyright (C) 2005 Darren Tucker +License: Linux-PAM-license + Unless otherwise *explicitly* stated the following text describes the + licensed conditions under which the contents of this Linux-PAM release + may be distributed: + . + ------------------------------------------------------------------------- + Redistribution and use in source and binary forms of Linux-PAM, with + or without modification, are permitted provided that the following + conditions are met: + . + 1. Redistributions of source code must retain any existing copyright + notice, and this entire permission notice in its entirety, + including the disclaimer of warranties. + . + 2. Redistributions in binary form must reproduce all prior and current + copyright notices, this list of conditions, and the following + disclaimer in the documentation and/or other materials provided + with the distribution. + . + 3. The name of any author may not be used to endorse or promote + products derived from this software without their specific prior + written permission. + . + ALTERNATIVELY, this product may be distributed under the terms of the + GNU General Public License, in which case the provisions of the GNU + GPL are required INSTEAD OF the above restrictions. (This clause is + necessary due to a potential conflict between the GNU GPL and the + restrictions contained in a BSD-style copyright.) + . + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF + MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT, + INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR + TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE + USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH + DAMAGE. + ------------------------------------------------------------------------- + . + On Debian GNU/Linux systems, the complete text of the GNU General + Public License can be found in `/usr/share/common-licenses/GPL-1'. diff --git a/GPLv3 b/GPLv3 new file mode 100644 index 0000000..94a9ed0 --- /dev/null +++ b/GPLv3 @@ -0,0 +1,674 @@ + GNU GENERAL PUBLIC LICENSE + Version 3, 29 June 2007 + + Copyright (C) 2007 Free Software Foundation, Inc. + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The GNU General Public License is a free, copyleft license for +software and other kinds of works. + + The licenses for most software and other practical works are designed +to take away your freedom to share and change the works. By contrast, +the GNU General Public License is intended to guarantee your freedom to +share and change all versions of a program--to make sure it remains free +software for all its users. We, the Free Software Foundation, use the +GNU General Public License for most of our software; it applies also to +any other work released this way by its authors. You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +them if you wish), that you receive source code or can get it if you +want it, that you can change the software or use pieces of it in new +free programs, and that you know you can do these things. + + To protect your rights, we need to prevent others from denying you +these rights or asking you to surrender the rights. Therefore, you have +certain responsibilities if you distribute copies of the software, or if +you modify it: responsibilities to respect the freedom of others. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must pass on to the recipients the same +freedoms that you received. You must make sure that they, too, receive +or can get the source code. And you must show them these terms so they +know their rights. + + Developers that use the GNU GPL protect your rights with two steps: +(1) assert copyright on the software, and (2) offer you this License +giving you legal permission to copy, distribute and/or modify it. + + For the developers' and authors' protection, the GPL clearly explains +that there is no warranty for this free software. For both users' and +authors' sake, the GPL requires that modified versions be marked as +changed, so that their problems will not be attributed erroneously to +authors of previous versions. + + Some devices are designed to deny users access to install or run +modified versions of the software inside them, although the manufacturer +can do so. This is fundamentally incompatible with the aim of +protecting users' freedom to change the software. The systematic +pattern of such abuse occurs in the area of products for individuals to +use, which is precisely where it is most unacceptable. Therefore, we +have designed this version of the GPL to prohibit the practice for those +products. If such problems arise substantially in other domains, we +stand ready to extend this provision to those domains in future versions +of the GPL, as needed to protect the freedom of users. + + Finally, every program is threatened constantly by software patents. +States should not allow patents to restrict development and use of +software on general-purpose computers, but in those that do, we wish to +avoid the special danger that patents applied to a free program could +make it effectively proprietary. To prevent this, the GPL assures that +patents cannot be used to render the program non-free. + + The precise terms and conditions for copying, distribution and +modification follow. + + TERMS AND CONDITIONS + + 0. Definitions. + + "This License" refers to version 3 of the GNU General Public License. + + "Copyright" also means copyright-like laws that apply to other kinds of +works, such as semiconductor masks. + + "The Program" refers to any copyrightable work licensed under this +License. Each licensee is addressed as "you". "Licensees" and +"recipients" may be individuals or organizations. + + To "modify" a work means to copy from or adapt all or part of the work +in a fashion requiring copyright permission, other than the making of an +exact copy. The resulting work is called a "modified version" of the +earlier work or a work "based on" the earlier work. + + A "covered work" means either the unmodified Program or a work based +on the Program. + + To "propagate" a work means to do anything with it that, without +permission, would make you directly or secondarily liable for +infringement under applicable copyright law, except executing it on a +computer or modifying a private copy. Propagation includes copying, +distribution (with or without modification), making available to the +public, and in some countries other activities as well. + + To "convey" a work means any kind of propagation that enables other +parties to make or receive copies. Mere interaction with a user through +a computer network, with no transfer of a copy, is not conveying. + + An interactive user interface displays "Appropriate Legal Notices" +to the extent that it includes a convenient and prominently visible +feature that (1) displays an appropriate copyright notice, and (2) +tells the user that there is no warranty for the work (except to the +extent that warranties are provided), that licensees may convey the +work under this License, and how to view a copy of this License. If +the interface presents a list of user commands or options, such as a +menu, a prominent item in the list meets this criterion. + + 1. Source Code. + + The "source code" for a work means the preferred form of the work +for making modifications to it. "Object code" means any non-source +form of a work. + + A "Standard Interface" means an interface that either is an official +standard defined by a recognized standards body, or, in the case of +interfaces specified for a particular programming language, one that +is widely used among developers working in that language. + + The "System Libraries" of an executable work include anything, other +than the work as a whole, that (a) is included in the normal form of +packaging a Major Component, but which is not part of that Major +Component, and (b) serves only to enable use of the work with that +Major Component, or to implement a Standard Interface for which an +implementation is available to the public in source code form. A +"Major Component", in this context, means a major essential component +(kernel, window system, and so on) of the specific operating system +(if any) on which the executable work runs, or a compiler used to +produce the work, or an object code interpreter used to run it. + + The "Corresponding Source" for a work in object code form means all +the source code needed to generate, install, and (for an executable +work) run the object code and to modify the work, including scripts to +control those activities. However, it does not include the work's +System Libraries, or general-purpose tools or generally available free +programs which are used unmodified in performing those activities but +which are not part of the work. For example, Corresponding Source +includes interface definition files associated with source files for +the work, and the source code for shared libraries and dynamically +linked subprograms that the work is specifically designed to require, +such as by intimate data communication or control flow between those +subprograms and other parts of the work. + + The Corresponding Source need not include anything that users +can regenerate automatically from other parts of the Corresponding +Source. + + The Corresponding Source for a work in source code form is that +same work. + + 2. Basic Permissions. + + All rights granted under this License are granted for the term of +copyright on the Program, and are irrevocable provided the stated +conditions are met. This License explicitly affirms your unlimited +permission to run the unmodified Program. The output from running a +covered work is covered by this License only if the output, given its +content, constitutes a covered work. This License acknowledges your +rights of fair use or other equivalent, as provided by copyright law. + + You may make, run and propagate covered works that you do not +convey, without conditions so long as your license otherwise remains +in force. You may convey covered works to others for the sole purpose +of having them make modifications exclusively for you, or provide you +with facilities for running those works, provided that you comply with +the terms of this License in conveying all material for which you do +not control copyright. Those thus making or running the covered works +for you must do so exclusively on your behalf, under your direction +and control, on terms that prohibit them from making any copies of +your copyrighted material outside their relationship with you. + + Conveying under any other circumstances is permitted solely under +the conditions stated below. Sublicensing is not allowed; section 10 +makes it unnecessary. + + 3. Protecting Users' Legal Rights From Anti-Circumvention Law. + + No covered work shall be deemed part of an effective technological +measure under any applicable law fulfilling obligations under article +11 of the WIPO copyright treaty adopted on 20 December 1996, or +similar laws prohibiting or restricting circumvention of such +measures. + + When you convey a covered work, you waive any legal power to forbid +circumvention of technological measures to the extent such circumvention +is effected by exercising rights under this License with respect to +the covered work, and you disclaim any intention to limit operation or +modification of the work as a means of enforcing, against the work's +users, your or third parties' legal rights to forbid circumvention of +technological measures. + + 4. Conveying Verbatim Copies. + + You may convey verbatim copies of the Program's source code as you +receive it, in any medium, provided that you conspicuously and +appropriately publish on each copy an appropriate copyright notice; +keep intact all notices stating that this License and any +non-permissive terms added in accord with section 7 apply to the code; +keep intact all notices of the absence of any warranty; and give all +recipients a copy of this License along with the Program. + + You may charge any price or no price for each copy that you convey, +and you may offer support or warranty protection for a fee. + + 5. Conveying Modified Source Versions. + + You may convey a work based on the Program, or the modifications to +produce it from the Program, in the form of source code under the +terms of section 4, provided that you also meet all of these conditions: + + a) The work must carry prominent notices stating that you modified + it, and giving a relevant date. + + b) The work must carry prominent notices stating that it is + released under this License and any conditions added under section + 7. This requirement modifies the requirement in section 4 to + "keep intact all notices". + + c) You must license the entire work, as a whole, under this + License to anyone who comes into possession of a copy. This + License will therefore apply, along with any applicable section 7 + additional terms, to the whole of the work, and all its parts, + regardless of how they are packaged. This License gives no + permission to license the work in any other way, but it does not + invalidate such permission if you have separately received it. + + d) If the work has interactive user interfaces, each must display + Appropriate Legal Notices; however, if the Program has interactive + interfaces that do not display Appropriate Legal Notices, your + work need not make them do so. + + A compilation of a covered work with other separate and independent +works, which are not by their nature extensions of the covered work, +and which are not combined with it such as to form a larger program, +in or on a volume of a storage or distribution medium, is called an +"aggregate" if the compilation and its resulting copyright are not +used to limit the access or legal rights of the compilation's users +beyond what the individual works permit. Inclusion of a covered work +in an aggregate does not cause this License to apply to the other +parts of the aggregate. + + 6. Conveying Non-Source Forms. + + You may convey a covered work in object code form under the terms +of sections 4 and 5, provided that you also convey the +machine-readable Corresponding Source under the terms of this License, +in one of these ways: + + a) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by the + Corresponding Source fixed on a durable physical medium + customarily used for software interchange. + + b) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by a + written offer, valid for at least three years and valid for as + long as you offer spare parts or customer support for that product + model, to give anyone who possesses the object code either (1) a + copy of the Corresponding Source for all the software in the + product that is covered by this License, on a durable physical + medium customarily used for software interchange, for a price no + more than your reasonable cost of physically performing this + conveying of source, or (2) access to copy the + Corresponding Source from a network server at no charge. + + c) Convey individual copies of the object code with a copy of the + written offer to provide the Corresponding Source. This + alternative is allowed only occasionally and noncommercially, and + only if you received the object code with such an offer, in accord + with subsection 6b. + + d) Convey the object code by offering access from a designated + place (gratis or for a charge), and offer equivalent access to the + Corresponding Source in the same way through the same place at no + further charge. You need not require recipients to copy the + Corresponding Source along with the object code. If the place to + copy the object code is a network server, the Corresponding Source + may be on a different server (operated by you or a third party) + that supports equivalent copying facilities, provided you maintain + clear directions next to the object code saying where to find the + Corresponding Source. Regardless of what server hosts the + Corresponding Source, you remain obligated to ensure that it is + available for as long as needed to satisfy these requirements. + + e) Convey the object code using peer-to-peer transmission, provided + you inform other peers where the object code and Corresponding + Source of the work are being offered to the general public at no + charge under subsection 6d. + + A separable portion of the object code, whose source code is excluded +from the Corresponding Source as a System Library, need not be +included in conveying the object code work. + + A "User Product" is either (1) a "consumer product", which means any +tangible personal property which is normally used for personal, family, +or household purposes, or (2) anything designed or sold for incorporation +into a dwelling. In determining whether a product is a consumer product, +doubtful cases shall be resolved in favor of coverage. For a particular +product received by a particular user, "normally used" refers to a +typical or common use of that class of product, regardless of the status +of the particular user or of the way in which the particular user +actually uses, or expects or is expected to use, the product. A product +is a consumer product regardless of whether the product has substantial +commercial, industrial or non-consumer uses, unless such uses represent +the only significant mode of use of the product. + + "Installation Information" for a User Product means any methods, +procedures, authorization keys, or other information required to install +and execute modified versions of a covered work in that User Product from +a modified version of its Corresponding Source. The information must +suffice to ensure that the continued functioning of the modified object +code is in no case prevented or interfered with solely because +modification has been made. + + If you convey an object code work under this section in, or with, or +specifically for use in, a User Product, and the conveying occurs as +part of a transaction in which the right of possession and use of the +User Product is transferred to the recipient in perpetuity or for a +fixed term (regardless of how the transaction is characterized), the +Corresponding Source conveyed under this section must be accompanied +by the Installation Information. But this requirement does not apply +if neither you nor any third party retains the ability to install +modified object code on the User Product (for example, the work has +been installed in ROM). + + The requirement to provide Installation Information does not include a +requirement to continue to provide support service, warranty, or updates +for a work that has been modified or installed by the recipient, or for +the User Product in which it has been modified or installed. Access to a +network may be denied when the modification itself materially and +adversely affects the operation of the network or violates the rules and +protocols for communication across the network. + + Corresponding Source conveyed, and Installation Information provided, +in accord with this section must be in a format that is publicly +documented (and with an implementation available to the public in +source code form), and must require no special password or key for +unpacking, reading or copying. + + 7. Additional Terms. + + "Additional permissions" are terms that supplement the terms of this +License by making exceptions from one or more of its conditions. +Additional permissions that are applicable to the entire Program shall +be treated as though they were included in this License, to the extent +that they are valid under applicable law. If additional permissions +apply only to part of the Program, that part may be used separately +under those permissions, but the entire Program remains governed by +this License without regard to the additional permissions. + + When you convey a copy of a covered work, you may at your option +remove any additional permissions from that copy, or from any part of +it. (Additional permissions may be written to require their own +removal in certain cases when you modify the work.) You may place +additional permissions on material, added by you to a covered work, +for which you have or can give appropriate copyright permission. + + Notwithstanding any other provision of this License, for material you +add to a covered work, you may (if authorized by the copyright holders of +that material) supplement the terms of this License with terms: + + a) Disclaiming warranty or limiting liability differently from the + terms of sections 15 and 16 of this License; or + + b) Requiring preservation of specified reasonable legal notices or + author attributions in that material or in the Appropriate Legal + Notices displayed by works containing it; or + + c) Prohibiting misrepresentation of the origin of that material, or + requiring that modified versions of such material be marked in + reasonable ways as different from the original version; or + + d) Limiting the use for publicity purposes of names of licensors or + authors of the material; or + + e) Declining to grant rights under trademark law for use of some + trade names, trademarks, or service marks; or + + f) Requiring indemnification of licensors and authors of that + material by anyone who conveys the material (or modified versions of + it) with contractual assumptions of liability to the recipient, for + any liability that these contractual assumptions directly impose on + those licensors and authors. + + All other non-permissive additional terms are considered "further +restrictions" within the meaning of section 10. If the Program as you +received it, or any part of it, contains a notice stating that it is +governed by this License along with a term that is a further +restriction, you may remove that term. If a license document contains +a further restriction but permits relicensing or conveying under this +License, you may add to a covered work material governed by the terms +of that license document, provided that the further restriction does +not survive such relicensing or conveying. + + If you add terms to a covered work in accord with this section, you +must place, in the relevant source files, a statement of the +additional terms that apply to those files, or a notice indicating +where to find the applicable terms. + + Additional terms, permissive or non-permissive, may be stated in the +form of a separately written license, or stated as exceptions; +the above requirements apply either way. + + 8. Termination. + + You may not propagate or modify a covered work except as expressly +provided under this License. Any attempt otherwise to propagate or +modify it is void, and will automatically terminate your rights under +this License (including any patent licenses granted under the third +paragraph of section 11). + + However, if you cease all violation of this License, then your +license from a particular copyright holder is reinstated (a) +provisionally, unless and until the copyright holder explicitly and +finally terminates your license, and (b) permanently, if the copyright +holder fails to notify you of the violation by some reasonable means +prior to 60 days after the cessation. + + Moreover, your license from a particular copyright holder is +reinstated permanently if the copyright holder notifies you of the +violation by some reasonable means, this is the first time you have +received notice of violation of this License (for any work) from that +copyright holder, and you cure the violation prior to 30 days after +your receipt of the notice. + + Termination of your rights under this section does not terminate the +licenses of parties who have received copies or rights from you under +this License. If your rights have been terminated and not permanently +reinstated, you do not qualify to receive new licenses for the same +material under section 10. + + 9. Acceptance Not Required for Having Copies. + + You are not required to accept this License in order to receive or +run a copy of the Program. Ancillary propagation of a covered work +occurring solely as a consequence of using peer-to-peer transmission +to receive a copy likewise does not require acceptance. However, +nothing other than this License grants you permission to propagate or +modify any covered work. These actions infringe copyright if you do +not accept this License. Therefore, by modifying or propagating a +covered work, you indicate your acceptance of this License to do so. + + 10. Automatic Licensing of Downstream Recipients. + + Each time you convey a covered work, the recipient automatically +receives a license from the original licensors, to run, modify and +propagate that work, subject to this License. You are not responsible +for enforcing compliance by third parties with this License. + + An "entity transaction" is a transaction transferring control of an +organization, or substantially all assets of one, or subdividing an +organization, or merging organizations. If propagation of a covered +work results from an entity transaction, each party to that +transaction who receives a copy of the work also receives whatever +licenses to the work the party's predecessor in interest had or could +give under the previous paragraph, plus a right to possession of the +Corresponding Source of the work from the predecessor in interest, if +the predecessor has it or can get it with reasonable efforts. + + You may not impose any further restrictions on the exercise of the +rights granted or affirmed under this License. For example, you may +not impose a license fee, royalty, or other charge for exercise of +rights granted under this License, and you may not initiate litigation +(including a cross-claim or counterclaim in a lawsuit) alleging that +any patent claim is infringed by making, using, selling, offering for +sale, or importing the Program or any portion of it. + + 11. Patents. + + A "contributor" is a copyright holder who authorizes use under this +License of the Program or a work on which the Program is based. The +work thus licensed is called the contributor's "contributor version". + + A contributor's "essential patent claims" are all patent claims +owned or controlled by the contributor, whether already acquired or +hereafter acquired, that would be infringed by some manner, permitted +by this License, of making, using, or selling its contributor version, +but do not include claims that would be infringed only as a +consequence of further modification of the contributor version. For +purposes of this definition, "control" includes the right to grant +patent sublicenses in a manner consistent with the requirements of +this License. + + Each contributor grants you a non-exclusive, worldwide, royalty-free +patent license under the contributor's essential patent claims, to +make, use, sell, offer for sale, import and otherwise run, modify and +propagate the contents of its contributor version. + + In the following three paragraphs, a "patent license" is any express +agreement or commitment, however denominated, not to enforce a patent +(such as an express permission to practice a patent or covenant not to +sue for patent infringement). To "grant" such a patent license to a +party means to make such an agreement or commitment not to enforce a +patent against the party. + + If you convey a covered work, knowingly relying on a patent license, +and the Corresponding Source of the work is not available for anyone +to copy, free of charge and under the terms of this License, through a +publicly available network server or other readily accessible means, +then you must either (1) cause the Corresponding Source to be so +available, or (2) arrange to deprive yourself of the benefit of the +patent license for this particular work, or (3) arrange, in a manner +consistent with the requirements of this License, to extend the patent +license to downstream recipients. "Knowingly relying" means you have +actual knowledge that, but for the patent license, your conveying the +covered work in a country, or your recipient's use of the covered work +in a country, would infringe one or more identifiable patents in that +country that you have reason to believe are valid. + + If, pursuant to or in connection with a single transaction or +arrangement, you convey, or propagate by procuring conveyance of, a +covered work, and grant a patent license to some of the parties +receiving the covered work authorizing them to use, propagate, modify +or convey a specific copy of the covered work, then the patent license +you grant is automatically extended to all recipients of the covered +work and works based on it. + + A patent license is "discriminatory" if it does not include within +the scope of its coverage, prohibits the exercise of, or is +conditioned on the non-exercise of one or more of the rights that are +specifically granted under this License. You may not convey a covered +work if you are a party to an arrangement with a third party that is +in the business of distributing software, under which you make payment +to the third party based on the extent of your activity of conveying +the work, and under which the third party grants, to any of the +parties who would receive the covered work from you, a discriminatory +patent license (a) in connection with copies of the covered work +conveyed by you (or copies made from those copies), or (b) primarily +for and in connection with specific products or compilations that +contain the covered work, unless you entered into that arrangement, +or that patent license was granted, prior to 28 March 2007. + + Nothing in this License shall be construed as excluding or limiting +any implied license or other defenses to infringement that may +otherwise be available to you under applicable patent law. + + 12. No Surrender of Others' Freedom. + + If conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot convey a +covered work so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you may +not convey it at all. For example, if you agree to terms that obligate you +to collect a royalty for further conveying from those to whom you convey +the Program, the only way you could satisfy both those terms and this +License would be to refrain entirely from conveying the Program. + + 13. Use with the GNU Affero General Public License. + + Notwithstanding any other provision of this License, you have +permission to link or combine any covered work with a work licensed +under version 3 of the GNU Affero General Public License into a single +combined work, and to convey the resulting work. The terms of this +License will continue to apply to the part which is the covered work, +but the special requirements of the GNU Affero General Public License, +section 13, concerning interaction through a network will apply to the +combination as such. + + 14. Revised Versions of this License. + + The Free Software Foundation may publish revised and/or new versions of +the GNU General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + + Each version is given a distinguishing version number. If the +Program specifies that a certain numbered version of the GNU General +Public License "or any later version" applies to it, you have the +option of following the terms and conditions either of that numbered +version or of any later version published by the Free Software +Foundation. If the Program does not specify a version number of the +GNU General Public License, you may choose any version ever published +by the Free Software Foundation. + + If the Program specifies that a proxy can decide which future +versions of the GNU General Public License can be used, that proxy's +public statement of acceptance of a version permanently authorizes you +to choose that version for the Program. + + Later license versions may give you additional or different +permissions. However, no additional obligations are imposed on any +author or copyright holder as a result of your choosing to follow a +later version. + + 15. Disclaimer of Warranty. + + THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY +APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT +HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY +OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, +THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM +IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF +ALL NECESSARY SERVICING, REPAIR OR CORRECTION. + + 16. Limitation of Liability. + + IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS +THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY +GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE +USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF +DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD +PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), +EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF +SUCH DAMAGES. + + 17. Interpretation of Sections 15 and 16. + + If the disclaimer of warranty and limitation of liability provided +above cannot be given local legal effect according to their terms, +reviewing courts shall apply local law that most closely approximates +an absolute waiver of all civil liability in connection with the +Program, unless a warranty or assumption of liability accompanies a +copy of the Program in return for a fee. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +state the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . + +Also add information on how to contact you by electronic and paper mail. + + If the program does terminal interaction, make it output a short +notice like this when it starts in an interactive mode: + + Copyright (C) + This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, your program's commands +might be different; for a GUI interface, you would use an "about box". + + You should also get your employer (if you work as a programmer) or school, +if any, to sign a "copyright disclaimer" for the program, if necessary. +For more information on this, and how to apply and follow the GNU GPL, see +. + + The GNU General Public License does not permit incorporating your program +into proprietary programs. If your program is a subroutine library, you +may consider it more useful to permit linking proprietary applications with +the library. If this is what you want to do, use the GNU Lesser General +Public License instead of this License. But first, please read +. diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..27424fb --- /dev/null +++ b/Makefile @@ -0,0 +1,18 @@ +#!/usr/bin/make -f + +## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## genmkfile - Makefile - version 1.5 + +## This is a copy. +## master location: +## https://github.com/Whonix/genmkfile/blob/master/usr/share/genmkfile/Makefile + +GENMKFILE_PATH ?= /usr/share/genmkfile +GENMKFILE_ROOT_DIR := $(dir $(abspath $(lastword $(MAKEFILE_LIST)))) + +export GENMKFILE_PATH +export GENMKFILE_ROOT_DIR + +include $(GENMKFILE_PATH)/makefile-full diff --git a/README.md b/README.md index 38cc8e0..df72034 100644 --- a/README.md +++ b/README.md @@ -1,860 +1,119 @@ -# Enhances miscellaneous security settings +# enhances misc security settings # -## Kernel hardening +The following settings are changed: -This section is inspired by the Kernel Self Protection Project (KSPP). It -attempts to implement all recommended Linux kernel settings by the KSPP and -many more sources. +deactivates previews in Dolphin; +deactivates previews in Nautilus; +deactivates thumbnails in Thunar; +deactivates TCP timestamps; +deactivates Netfilter's connection tracking helper; -- https://kspp.github.io/Recommended_Settings -- https://github.com/KSPP/kspp.github.io +TCP time stamps (RFC 1323) allow for tracking clock +information with millisecond resolution. This may or may not allow an +attacker to learn information about the system clock at such +a resolution, depending on various issues such as network lag. +This information is available to anyone who monitors the network +somewhere between the attacked system and the destination server. +It may allow an attacker to find out how long a given +system has been running, and to distinguish several +systems running behind NAT and using the same IP address. It might +also allow one to look for clocks that match an expected value to find the +public IP used by a user. -### sysctl +Hence, this package disables this feature by shipping the +/etc/sysctl.d/tcp_timestamps.conf configuration file. -sysctl settings are configured via the `/usr/lib/sysctl.d/990-security-misc.conf` -configuration file and significant hardening is applied to a myriad of components. +Note that TCP time stamps normally have some usefulness. They are +needed for: -#### Kernel space +* the TCP protection against wrapped sequence numbers; however, to +trigger a wrap, one needs to send roughly 2^32 packets in one +minute: as said in RFC 1700, "The current recommended default +time to live (TTL) for the Internet Protocol (IP) [45,105] is 64". +So, this probably won't be a practical problem in the context +of Anonymity Distributions. -- Restrict access to kernel addresses through the use of kernel pointers regardless - of user privileges. +* "Round-Trip Time Measurement", which is only useful when the user +manages to saturate their connection. When using Anonymity Distributions, +probably the limiting factor for transmission speed is rarely the capacity +of the user connection. -- Restrict access to the kernel logs to `CAP_SYSLOG` as they often contain - sensitive information. +Netfilter's connection tracking helper module increases kernel attack +surface by enabling superfluous functionality such as IRC parsing in +the kernel. (!) -- Prevent kernel information leaks in the console during boot. +Hence, this package disables this feature by shipping the +/etc/sysctl.d/nf_conntrack_helper.conf configuration file. -- Restrict usage of `bpf()` to `CAP_BPF` to prevent the loading of BPF programs - by unprivileged users. +Kernel symbols in /proc/kallsyms are hidden to prevent malware from +reading them and using them to learn more about what to attack on your system. -- Restrict loading TTY line disciplines to `CAP_SYS_MODULE`. +Kexec is disabled as it can be used for live patching of the running kernel. -- Restrict the `userfaultfd()` syscall to `CAP_SYS_PTRACE`, which reduces the - likelihood of use-after-free exploits. +The BPF JIT compiler is restricted to the root user and is hardened. -- Disable `kexec` as it can be used to replace the running kernel. +ASLR effectiveness for mmap is increased. -- Entirely disable the SysRq key so that the Secure Attention Key (SAK) - can no longer be utilized. See [documentation](https://www.kicksecure.com/wiki/SysRq). +The ptrace system call is restricted to the root user only. -- Optional - Disable all use of user namespaces. +The TCP/IP stack is hardened. -- Optional - Restrict user namespaces to `CAP_SYS_ADMIN` as they can lead to substantial - privilege escalation. +This package makes some data spoofing attacks harder. -- Restrict kernel profiling and the performance events system to `CAP_PERFMON`. +SACK is disabled as it is commonly exploited and is rarely used. -- Force the kernel to panic on both "oopses", which can potentially indicate and thwart - certain kernel exploitation attempts, and also kernel warnings in the `WARN()` path. +This package disables the merging of slabs of similar sizes to prevent an +attacker from exploiting them. -- Optional - Force immediate reboot on the occurrence of a single kernel panic and also - (when using Linux kernel >= 6.2) limit the number of allowed panics to one. +Sanity checks, redzoning, and memory poisoning are enabled. -- Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. +The kernel now panics on uncorrectable errors in ECC memory which could +be exploited. -- Disable asynchronous I/O (when using Linux kernel >= 6.6) as `io_uring` has been - the source of numerous kernel exploits. +Kernel Page Table Isolation is enabled to mitigate Meltdown and increase +KASLR effectiveness. -#### User space +SMT is disabled as it can be used to exploit the MDS vulnerability. -- Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it - enables programs to inspect and modify other active processes. Optional - Disable - usage of `ptrace()` by all processes. +All mitigations for the MDS vulnerability are enabled. -- Maximize the bits of entropy used for mmap ASLR across all CPU architectures. +DCCP, SCTP, TIPC and RDS are blacklisted as they are rarely used and may have +unknown vulnerabilities. +## How to install `security-misc` using apt-get ## -- Prevent hardlink and symlink TOCTOU races in world-writable directories. - -- Disallow unintentional writes to files in world-writable directories unless - they are owned by the directory owner to mitigate some data spoofing attacks. - -- Randomize the addresses (ASLR) for mmap base, stack, VDSO pages, and heap. - -- Raise the minimum address a process can request for memory mapping to 64KB to - protect against kernel null pointer dereference vulnerabilities. - -- Increase the maximum number of memory map areas a process is able to utilize to 1,048,576. - -- Optional - Disallow registering interpreters for various (miscellaneous) binary formats based - on a magic number or their file extension to prevent unintended code execution. - See issue: https://github.com/Kicksecure/security-misc/issues/267 - -#### Core dumps - -- Disable core dump files and prevent their creation. If core dump files are - enabled, they will be named based on `core.PID` instead of the default `core`. - -#### Swap space - -- Limit the copying of potentially sensitive content in memory to the swap device. - -#### Networking - -- Enable hardening of the BPF JIT compiler protect against JIT spraying. - -- Enable TCP SYN cookie protection to assist against SYN flood attacks. - -- Protect against TCP time-wait assassination hazards. - -- Enable reverse path filtering (source validation) of packets received - from all interfaces to prevent IP spoofing. - -- Disable ICMP redirect acceptance and redirect sending messages to prevent - man-in-the-middle attacks and minimize information disclosure. - -- Deny sending and receiving shared media redirects to reduce the risk of IP - spoofing attacks. - -- Enable ARP filtering to mitigate some ARP spoofing and ARP cache poisoning attacks. - -- Respond to ARP requests only if the target IP address is on-link, - preventing some IP spoofing attacks. - -- Drop gratuitous ARP packets to prevent ARP cache poisoning via - man-in-the-middle and denial-of-service attacks. - -- Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks. - -- Ignore bogus ICMP error responses. - -- Disable source routing which allows users to redirect network traffic that - can result in man-in-the-middle attacks. - -- Do not accept IPv6 router advertisements and solicitations. - -- Optional - Disable SACK and DSACK as they have historically been a known - vector for exploitation. - -- Disable TCP timestamps as they can allow detecting the system time. - -- Optional - Log packets with impossible source or destination addresses to - enable further inspection and analysis. - -- Optional - Enable IPv6 Privacy Extensions. - -- Documentation: https://www.kicksecure.com/wiki/Networking - -### Boot parameters - -Mitigations for known CPU vulnerabilities are enabled in their strictest form -and simultaneous multithreading (SMT) is disabled. See the -`/etc/default/grub.d/40_cpu_mitigations.cfg` configuration file. - -Note, to achieve complete protection for known CPU vulnerabilities, the latest -security microcode (BIOS/UEFI) updates must be installed on the system. Furthermore, -if using Secure Boot, the Secure Boot Forbidden Signature Database (DBX) must be kept -up to date through [UEFI Revocation List](https://uefi.org/revocationlistfile) updates. - -CPU mitigations: - -- Disable Simultaneous Multithreading (SMT) - -- Spectre Side Channels (BTI and BHI) - -- Speculative Store Bypass (SSB) - -- L1 Terminal Fault (L1TF) - -- Microarchitectural Data Sampling (MDS) - -- TSX Asynchronous Abort (TAA) - -- iTLB Multihit - -- Special Register Buffer Data Sampling (SRBDS) - -- L1D Flushing - -- Processor MMIO Stale Data - -- Arbitrary Speculative Code Execution with Return Instructions (Retbleed) - -- Cross-Thread Return Address Predictions - -- Speculative Return Stack Overflow (SRSO) - -- Gather Data Sampling (GDS) - -- Register File Data Sampling (RFDS) - -Boot parameters relating to kernel hardening, DMA mitigations, and entropy -generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg` -configuration file. - -Kernel space: - -- Disable merging of slabs with similar size, which reduces the risk of - triggering heap overflows and limits influencing slab cache layout. - -- Enable sanity checks and red zoning via slab debugging. This will implicitly - disable kernel pointer hashing, leaking very sensitive information to root. - -- Enable memory zeroing at both allocation and free time, which mitigates some - use-after-free vulnerabilities by erasing sensitive information in memory. - -- Enable the kernel page allocator to randomize free lists to limit some data - exfiltration and ROP attacks, especially during the early boot process. - -- Enable kernel page table isolation to increase KASLR effectiveness and also - mitigate the Meltdown CPU vulnerability. - -- Enable randomization of the kernel stack offset on syscall entries to harden - against memory corruption attacks. - -- Disable vsyscalls as they are vulnerable to ROP attacks and have now been - replaced by vDSO. - -- Restrict access to debugfs by not registering the file system since it can - contain sensitive information. - -- Force kernel panics on "oopses" to potentially indicate and thwart certain - kernel exploitation attempts. - -- Optional - Modify the machine check exception handler. - -- Prevent sensitive kernel information leaks in the console during boot. - -- Enable the kernel Electric-Fence sampling-based memory safety error detector - which can identify heap out-of-bounds access, use-after-free, and invalid-free errors. - -- Disable 32-bit vDSO mappings as they are a legacy compatibility feature. - -- Optional - Use kCFI as the default CFI implementation (when using Linux kernel >= 6.2) - since it may be slightly more resilient to attacks that are able to write - arbitrary executables in memory. - -- Optional - Disable support for all x86 processes and syscalls (when using Linux kernel >= 6.7) - to reduce attack surface. - -- Disable EFI persistent storage feature, preventing the kernel from writing crash logs and - other persistent data to the EFI variable store. - -Direct memory access: - -- Enable strict IOMMU translation to protect against some DMA attacks via the use - of both CPU manufacturer-specific drivers and kernel settings. - -- Clear the busmaster bit on all PCI bridges during the EFI hand-off, which disables - DMA before the IOMMU is configured. May cause boot failure on certain hardware. - -Entropy: - -- Do not credit the CPU or bootloader as entropy sources at boot in order to - maximize the absolute quantity of entropy in the combined pool. - -- Obtain more entropy at boot from RAM as the runtime memory allocator is - being initialized. - -Networking: - -- Optional - Disable the entire IPv6 stack to reduce attack surface. - -### mmap ASLR - -- The bits of entropy used for mmap ASLR for all CPU architectures are maxed - out via `/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of - `CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX` - that the kernel was built with), therefore improving its effectiveness. - -### Kernel Self Protection Project (KSPP) compliance status - -**Summary:** - -`security-misc` is in full compliance with KSPP recommendations wherever feasible. However, -there are a few cases of partial or non-compliance due to technical limitations. - -* [KSPP Recommended Settings](https://kspp.github.io/Recommended_Settings) - -**Full compliance:** - -More than 30 kernel boot parameters and over 30 sysctl settings are fully aligned with -the KSPP's recommendations. - -**Partial compliance:** - -1. `sysctl kernel.yama.ptrace_scope=3` - -Completely disables `ptrace()`. Can be enabled easily if needed. - -* [security-misc pull request #242](https://github.com/Kicksecure/security-misc/pull/242) - -2. `sysctl kernel.panic=-1` - -Forces an immediate reboot on kernel panic. This can be enabled, but it may lead to unexpected -system crashes. - -* [security-misc pull request #264](https://github.com/Kicksecure/security-misc/pull/264) -* [security-misc pull request #268](https://github.com/Kicksecure/security-misc/pull/268) - -**Non-compliance:** - -3. `sysctl user.max_user_namespaces=0` - -Disables user namespaces entirely. Not recommended due to the potential for widespread breakages. - -* [security-misc pull request #263](https://github.com/Kicksecure/security-misc/pull/263) - -4. `sysctl fs.binfmt_misc.status=0` - -Disables the registration of interpreters for miscellaneous binary formats. Currently not -feasible due to compatibility issues with Firefox. - -* [security-misc pull request #249](https://github.com/Kicksecure/security-misc/pull/249) -* [security-misc issue #267](https://github.com/Kicksecure/security-misc/issues/267) - -### Kernel Modules - -#### Kernel Module Signature Verification - -Not yet implemented due to issues: - -- https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/64 -- https://github.com/dell/dkms/issues/359 - -See: - -- `/etc/default/grub.d/40_signed_modules.cfg` - -#### Disables the loading of new modules to the kernel after the fact - -Not yet implemented due to issues: - -- https://github.com/Kicksecure/security-misc/pull/152 - -A systemd service dynamically sets the kernel parameter `modules_disabled` to 1, -preventing new modules from being loaded. Since this isn't configured directly -within systemctl, it does not break the loading of legitimate and necessary -modules for the user, like drivers etc., given they are plugged in on startup. - -#### Blacklist and disable kernel modules - -Conntrack: Deactivates Netfilter's connection tracking helper module which -increases kernel attack surface by enabling superfluous functionality such -as IRC parsing in the kernel. See `/etc/modprobe.d/30_security-misc_conntrack.conf`. - -Certain kernel modules are blacklisted by default to reduce attack surface via -`/etc/modprobe.d/30_security-misc_blacklist.conf`. Blacklisting prevents kernel -modules from automatically starting. - -- CD-ROM/DVD: Blacklist modules required for CD-ROM/DVD devices. - -- Miscellaneous: Blacklist an assortment of other modules to prevent them from - automatically loading. - -Specific kernel modules are entirely disabled to reduce attack surface via -`/etc/modprobe.d/30_security-misc_disable.conf`. Disabling prohibits kernel -modules from starting. This approach should not be considered comprehensive; -rather, it is a form of badness enumeration. Any potential candidates for future -disabling should first be blacklisted for a suitable amount of time. - -Hardware modules: - -- Optional - Bluetooth: Disabled to reduce attack surface. - -- FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks. - -- GPS: Disable GPS-related modules such as those required for Global Navigation - Satellite Systems (GNSS). - -- Optional - Intel Management Engine (ME): Provides some disabling of the interface - between the Intel ME and the OS. May lead to breakages in places such as firmware - updates, security, power management, display, and DRM. See discussion: https://github.com/Kicksecure/security-misc/issues/239 - -- Intel Platform Monitoring Technology (PMT) Telemetry: Disable some functionality - of the Intel PMT components. - -- Thunderbolt: Disabled as they are often vulnerable to DMA attacks. - -File system modules: - -- File Systems: Disable uncommon and legacy file systems. - -- Network File Systems: Disable uncommon and legacy network file systems. - -Networking modules: - -- Network Protocols: A wide array of uncommon and legacy network protocols and drivers - are disabled. - -Miscellaneous modules: - -- Amateur Radios: Disabled to reduce attack surface. - -- Optional - CPU MSRs: Disabled as can be abused to write to arbitrary memory. - -- Floppy Disks: Disabled to reduce attack surface. - -- Framebuffer (fbdev): Disabled as these drivers are well-known to be buggy, cause - kernel panics, and are generally only used by legacy devices. - -- Replaced Modules: Disabled legacy drivers that have been entirely replaced and - superseded by newer drivers. - -- Optional - USB Video Device Class: Disables the USB-based video streaming driver for - devices like some webcams and digital camcorders. - -- Vivid: Disabled to reduce attack surface given previous vulnerabilities. - -### Other - -- A systemd service clears the System.map file on boot as these contain kernel - pointers. The file is completely overwritten with zeroes to ensure it cannot - be recovered. See: - -`/etc/kernel/postinst.d/30_remove-system-map` - -`/usr/lib/systemd/system/remove-system-map.service` - -`/usr/libexec/security-misc/remove-system.map` - -- Coredumps are disabled as they may contain important information such as - encryption keys or passwords. See: - -`/etc/security/limits.d/30_security-misc.conf` - -`/usr/lib/sysctl.d/30_security-misc.conf` - -`/usr/lib/systemd/coredump.conf.d/30_security-misc.conf` - -- PStore is disabled as crash logs can contain sensitive system data such as - kernel version, hostname, and users. See: - - `/usr/lib/systemd/pstore.conf.d/30_security-misc.conf` - -- An initramfs hook sets the sysctl values in `/etc/sysctl.conf` and - `/etc/sysctl.d` before init is executed so sysctl hardening is enabled as - early as possible. This is implemented for `initramfs-tools` only because - this is not needed for `dracut` as `dracut` does that by default, at - least on `systemd` enabled systems. Not researched for non-`systemd` systems - by the author of this part of the readme. - -## Network hardening - -Not yet implemented due to issues: - -- https://github.com/Kicksecure/security-misc/pull/145 - -- https://github.com/Kicksecure/security-misc/issues/184 - -- Unlike version 4, IPv6 addresses can provide information not only about the - originating network but also the originating device. We prevent this from - happening by enabling the respective privacy extensions for IPv6. - -- In addition, we deny the capability to track the originating device in the - network at all, by using randomized MAC addresses per connection by - default. - -See: - -- `/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf` -- `/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf` -- `/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf` - -## Bluetooth Hardening - -### Bluetooth Status: Enabled but Defaulted to Off - -- **Default Behavior**: Although Bluetooth capability is 'enabled' in the kernel, - security-misc deviates from the usual behavior by starting with Bluetooth - turned off at system start. This setting remains until the user explicitly opts - to activate Bluetooth. - -- **User Control**: Users have the freedom to easily switch Bluetooth on and off - in the usual way, exercising their own discretion. This can be done via the - Bluetooth toggle through the usual way, that is either through GUI settings - application or command line commands. - -- **Enhanced Privacy Settings**: We enforce more private defaults for Bluetooth - connections. This includes the use of private addresses and strict timeout - settings for discoverability and visibility. - -- **Security Considerations**: Despite these measures, it's important to note that - Bluetooth technology, by its nature, may still be prone to exploits due to its - history of security vulnerabilities. Thus, we recommend users to opt-out of - using Bluetooth when possible. - -### Configuration Details - -- See configuration: `/etc/bluetooth/30_security-misc.conf` -- For more information and discussion: [GitHub Pull Request](https://github.com/Kicksecure/security-misc/pull/145) - -### Understanding Bluetooth Terms - -- **Disabling Bluetooth**: This means the absence of the Bluetooth kernel module. - When disabled, Bluetooth is non-existent in the system - it cannot be seen, set, - configured, or interacted with in any way. - -- **Turning Bluetooth On/Off**: This refers to a software toggle. Normally, on - Debian systems, Bluetooth is 'on' when the system boots up. It actively searches - for known devices to auto-connect and may be discoverable or visible under certain - conditions. Our default ensures that Bluetooth is off on startup. However, it - remains 'enabled' in the kernel, meaning the kernel can use the Bluetooth protocol - and has the necessary modules. - -### Quick Toggle Guide - -- **Turning Bluetooth On**: Simply click the Bluetooth button in the settings - application or on the tray, and switch the toggle. It's a straightforward action - that can be completed in less than a second. - -- **Turning Bluetooth Off**: Follow the same procedure as turning it on but switch - the toggle to the off position. - -## Entropy collection improvements - -- The `jitterentropy_rng` kernel module is loaded as early as possible during - boot to gather more entropy via the - `/usr/lib/modules-load.d/30_security-misc.conf` configuration file. - -- Distrusts the CPU for initial entropy at boot as it is not possible to - audit, may contain weaknesses or a backdoor. Similarly, do not credit the - bootloader seed for initial entropy. For references, see: - `/etc/default/grub.d/40_kernel_hardening.cfg` - -- Gathers more entropy during boot if using the linux-hardened kernel patch. - -## Restrictive mount options - -A systemd service is triggered on boot to remount all sensitive partitions and -directories with significantly more secure hardened mount options. Since this -would require manual tuning for a given specific system, we handle it by -creating a very solid configuration file for that very system on package -installation. - -Not enabled by default yet. In development. Help welcome. - -- https://www.kicksecure.com/wiki/Dev/remount-secure -- https://github.com/Kicksecure/security-misc/issues/157 -- https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/ - -## Root access restrictions - -- `su` is restricted to only users within the group `sudo` which prevents - users from using `su` to gain root access or to switch user accounts - - `/usr/share/pam-configs/wheel-security-misc` (which results in a change in - file `/etc/pam.d/common-auth`). - -- Add user `root` to group `sudo`. This is required due to the above - restriction so that logging in from a virtual console is still possible - - `debian/security-misc.postinst` - -- Abort login for users with locked passwords - - `/usr/libexec/security-misc/pam-abort-on-locked-password`. - -- Logging into the root account from a virtual, serial, or other console is - prevented by shipping an existing and empty `/etc/securetty` file (deletion - of `/etc/securetty` has a different effect). - -This package does not yet automatically lock the root account password. It is -not clear if this would be sane in such a package, although it is recommended to -lock and expire the root account. - -In new Kicksecure builds, the root account will be locked by package -dist-base-files. - -See: - -- https://www.kicksecure.com/wiki/Root -- https://www.kicksecure.com/wiki/Dev/Permissions -- https://forums.whonix.org/t/restrict-root-access/7658 - -However, a locked root password will break rescue and emergency shell. -Therefore, this package enables passwordless rescue and emergency shell. This is -the same solution that Debian will likely adopt for the Debian installer: -https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211 - -See: - -- `/etc/systemd/system/emergency.service.d/override.conf` -- `/etc/systemd/system/rescue.service.d/override.conf` - -Adverse security effects can be prevented by setting up BIOS password -protection, GRUB password protection, and/or full disk encryption. - -## Console lockdown - -This uses pam_access to allow members of group `console` to use the console but -restrict everyone else (except members of group `console-unrestricted`) from -using the console with ancient, unpopular login methods such as `/bin/login` over -networks as this might be exploitable. (CVE-2001-0797) - -This is not enabled by default in this package since this package does not know -which users should be added to group 'console' and thus, would break console access. - -See: - -- `/usr/share/pam-configs/console-lockdown-security-misc` -- `/etc/security/access-security-misc.conf` - -## Brute force attack protection - -User accounts are locked after 50 failed login attempts using `pam_faillock`. - -Informational output during Linux PAM: - -- Show failed and remaining password attempts. -- Document unlock procedure if Linux user account got locked. -- Point out that there is no password feedback for `su`. -- Explain locked root account if locked. - -See: - -- `/usr/share/pam-configs/tally2-security-misc` -- `/usr/libexec/security-misc/pam-info` -- `/usr/libexec/security-misc/pam-abort-on-locked-password` - -## Access rights restrictions - -### Strong user account separation - -#### Permission Lockdown - -Read, write, and execute access for "others" are removed during package -installation, upgrade, or PAM `mkhomedir` for all users who have home folders in -`/home` by running, for example: +1\. Add [Whonix's Signing Key](https://www.whonix.org/wiki/Whonix_Signing_Key). ``` -chmod o-rwx /home/user +sudo apt-key --keyring /etc/apt/trusted.gpg.d/whonix.gpg adv --keyserver hkp://ipv4.pool.sks-keyservers.net:80 --recv-keys 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA ``` -This will be done only once per folder in `/home` so users who wish to relax -file permissions are free to do so. This is to protect files in a home folder -that were previously created with lax file permissions prior to the installation -of this package. +3\. Add Whonix's APT repository. -See: +``` +echo "deb http://deb.whonix.org buster main contrib non-free" | sudo tee /etc/apt/sources.list.d/whonix.list +``` -- `debian/security-misc.postinst` -- `/usr/libexec/security-misc/permission-lockdown` -- `/usr/share/pam-configs/mkhomedir-security-misc` +4\. Update your package lists. -#### umask +``` +sudo apt-get update +``` -The default `umask` is set to `027` for files created by non-root users, such -as the account `user`. +5\. Install `security-misc`. -This is done using the PAM module `pam_mkhomedir.so umask=027`. +``` +sudo apt-get install security-misc +``` -This configuration ensures that files created by non-root users cannot be read -by other non-root users by default. While Permission Lockdown already protects -the `/home` folder, this setting extends protection to other folders such as -`/tmp`. +## How to Build deb Package ## -`group` read permissions are not removed. This is unnecessary due to Debian's -use of User Private Groups (UPGs). See also: -https://wiki.debian.org/UserPrivateGroups +Replace `apparmor-profile-torbrowser` with the actual name of this package with `security-misc` and see [instructions](https://www.whonix.org/wiki/Dev/Build_Documentation/apparmor-profile-torbrowser). -The default `umask` is unchanged for root because configuration files created -in `/etc` by the system administrator would otherwise be unreadable by -"others," potentially breaking applications. Examples include `/etc/firefox-esr` -and `/etc/thunderbird`. Additionally, the `umask` is set to `022` via `sudoers` -configuration, ensuring that files created as root are world-readable, even -when using commands such as `sudo vi /etc/file` or `sudo -i; touch /etc/file`. +## Contact ## -When using `sudo`, the `umask` is set to `022` rather than `027` to ensure -compatibility with commands such as `sudo vi /etc/configfile` and -`sudo -i; touch /etc/file`. +* [Free Forum Support](https://forums.whonix.org) +* [Professional Support](https://www.whonix.org/wiki/Professional_Support) -See: +## Donate ## -- `/usr/share/pam-configs/umask-security-misc` - -### SUID / SGID removal and permission hardening - -#### SUID / SGID removal - -A systemd service removes SUID / SGID bits from non-essential binaries as these -are often used in privilege escalation attacks. - -#### File permission hardening - -Various file permissions are reset with more secure and hardened defaults. These -include but are not limited to: - -- Limiting `/home` and `/root` to the root only. -- Limiting crontab to root as well as all the configuration files for cron. -- Limiting the configuration for cups and ssh. -- Protecting the information of sudoers from others. -- Protecting various system-relevant files and modules. - -##### permission-hardener - -`permission-hardener` removes SUID / SGID bits from non-essential binaries as -these are often used in privilege escalation attacks. It is enabled by default -and applied at security-misc package installation and upgrade time. - -There is also an optional systemd unit which does the same at boot time that -can be enabled by running `systemctl enable permission-hardener.service` as -root. The hardening at boot time is not the default because this slows down -the boot process too much. - -See: - -* `/usr/bin/permission-hardener` -* `debian/security-misc.postinst` -* `/lib/systemd/system/permission-hardener.service` -* `/etc/permission-hardener.d` -* https://forums.whonix.org/t/disable-suid-binaries/7706 -* https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener - -### Access rights relaxations - -This is not enabled yet because hidepid is not enabled by default. - -Calls to `pkexec` are redirected to `lxqt-sudo` because `pkexec` is -incompatible with `hidepid=2`. - -See: - -* `/usr/bin/pkexec.security-misc` -* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040 -* https://forums.whonix.org/t/cannot-use-pkexec/8129 - -## Application-specific hardening - -- Enables "`apt-get --error-on=any`" which makes apt exit non-zero for - transient failures. - `/etc/apt/apt.conf.d/40error-on-any`. -- Enables APT seccomp-BPF sandboxing - `/etc/apt/apt.conf.d/40sandbox`. -- Deactivates previews in Dolphin. -- Deactivates previews in Nautilus - - `/usr/share/glib-2.0/schemas/30_security-misc.gschema.override`. -- Deactivates thumbnails in Thunar. - - Rationale: lower attack surface when using the file manager - - https://forums.whonix.org/t/disable-preview-in-file-manager-by-default/18904 -- Thunderbird is hardened with the following options: - - Displays domain names in punycode to prevent IDN homograph attacks (a - form of phishing). - - Strips email client information from sent email headers. - - Strips user time information from sent email headers by replacing the - originating time zone with UTC and rounding the timestamp to the nearest - minute. - - Disables scripting when viewing PDF files. - - Disables implicit outgoing connections. - - Disables all and any kind of telemetry. -- Security and privacy enhancements for gnupg's config file - `/etc/skel/.gnupg/gpg.conf`. See also: - - https://raw.github.com/ioerror/torbirdy/master/gpg.conf - - https://github.com/ioerror/torbirdy/pull/11 - -### Project scope of application-specific hardening - -Added in December 2023. - -Before sending pull requests to harden arbitrary applications, please note the -scope of security-misc is limited to default installed applications in -Kicksecure and Whonix. This includes: - -- Thunderbird, VLC Media Player, KeePassXC -- Debian Specific System Components (APT, DPKG) -- System Services (NetworkManager IPv6 privacy options, MAC address - randomization) -- Actually used development utilities such as `git`. - -It will not be possible to review and merge "1500" settings profiles for -arbitrary applications outside of this context. - -The main objective of security-misc is to harden Kicksecure and its derivatives, -such as Whonix, by implementing robust security settings. It's designed to be -compatible with Debian, reflecting a commitment to clean implementation and -sound design principles. However, it's important to note that security-misc is a -component of Kicksecure, not a substitute for it. The intention isn't to -recreate Kicksecure within security-misc. Instead, specific security -enhancements, like recommending a curated list of security-focused -default packages (e.g., `libpam-tmpdir`), should be integrated directly into -those appropriate areas of Kicksecure (e.g. `kicksecure-meta-packages`). - -Discussion: https://github.com/Kicksecure/security-misc/issues/154 - -### Development philosophy - -Added in December 2023. - -Maintainability is a key priority \[1\]. Before modifying settings in the -downstream security-misc, it's essential to first engage with upstream -developers to propose these changes as defaults. This step should only be -bypassed if there's a clear, prior indication from upstream that such changes -won't be accepted. Additionally, before implementing any workarounds, consulting -with upstream is necessary to avoid future unmaintainable complexity. - -If debugging features are disabled, pull requests won't be merged until there is -a corresponding pull request for the debug-misc package to re-enable these. This -is to avoid configuring the system into a corner where it can no longer be -debugged. - -\[1\] https://www.kicksecure.com/wiki/Dev/maintainability - -## Opt-in hardening - -Some hardening is opt-in as it causes too much breakage to be enabled by -default. - -- An optional systemd service mounts `/proc` with `hidepid=2` at boot to - prevent users from seeing another user's processes. This is disabled by - default because it is incompatible with `pkexec`. It can be enabled by - executing `systemctl enable proc-hidepid.service` as root. - -- A systemd service restricts `/proc/cpuinfo`, `/proc/bus`, `/proc/scsi`, and - `/sys` to the root user. This hides a lot of hardware identifiers from - unprivileged users and increases security as `/sys` exposes a lot of - information that shouldn't be accessible to unprivileged users. As this will - break many things, it is disabled by default and can optionally be enabled - by executing `systemctl enable hide-hardware-info.service` as root. - -## Miscellaneous - -- Hardened malloc compatibility for haveged workaround - `/lib/systemd/system/haveged.service.d/30_security-misc.conf` - -- Set `dracut` `reproducible=yes` setting - -## Legal - -`/usr/lib/issue.d/20_security-misc.issue` - -https://github.com/Kicksecure/security-misc/pull/167 - -## Related - -- Linux Kernel Runtime Guard (LKRG) -- tirdad - TCP ISN CPU Information Leak Protection. -- Kicksecure (TM) - a security-hardened Linux Distribution -- And more. -- https://www.kicksecure.com/wiki/Linux_Kernel_Runtime_Guard_LKRG -- https://github.com/Kicksecure/tirdad -- https://www.kicksecure.com -- https://github.com/Kicksecure - -## Discussion - -Happening primarily in forums. - -https://forums.whonix.org/t/kernel-hardening/7296 - -## How to install `security-misc` - -See https://www.kicksecure.com/wiki/Security-misc#install - -## How to Build deb Package from Source Code - -Can be build using standard Debian package build tools such as: - - dpkg-buildpackage -b - -See instructions. (Replace `generic-package` with the actual name of this -package `security-misc`.) - -- **A)** - [easy](https://www.kicksecure.com/wiki/Dev/Build_Documentation/generic-package/easy), - *OR* -- **B)** [including verifying software - signatures](https://www.kicksecure.com/wiki/Dev/Build_Documentation/generic-package) - -## Contact - -- [Free Forum Support](https://forums.kicksecure.com) -- [Professional Support](https://www.kicksecure.com/wiki/Professional_Support) - -## Donate - -`security-misc` requires [donations](https://www.kicksecure.com/wiki/Donate) to -stay alive! +`security-misc` requires [donations](https://www.whonix.org/wiki/Donate) to stay alive! diff --git a/README_generic.md b/README_generic.md deleted file mode 100644 index 787af72..0000000 --- a/README_generic.md +++ /dev/null @@ -1,68 +0,0 @@ -# Enhances Miscellaneous Security Settings # - -https://github.com/Kicksecure/security-misc/blob/master/README.md - -https://www.kicksecure.com/wiki/Security-misc - -Discussion: - -Happening primarily in Whonix forums. -https://forums.whonix.org/t/kernel-hardening/7296 - -## How to install `security-misc` using apt-get ## - -1\. Download the APT Signing Key. - -``` -wget https://www.kicksecure.com/keys/derivative.asc -``` - -Users can [check the Signing Key](https://www.kicksecure.com/wiki/Signing_Key) for better security. - -2\. Add the APT Signing Key. - -``` -sudo cp ~/derivative.asc /usr/share/keyrings/derivative.asc -``` - -3\. Add the derivative repository. - -``` -echo "deb [signed-by=/usr/share/keyrings/derivative.asc] https://deb.kicksecure.com bookworm main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list -``` - -4\. Update your package lists. - -``` -sudo apt-get update -``` - -5\. Install `security-misc`. - -``` -sudo apt-get install security-misc -``` - -## How to Build deb Package from Source Code ## - -Can be build using standard Debian package build tools such as: - -``` -dpkg-buildpackage -b -``` - -See instructions. - -NOTE: Replace `generic-package` with the actual name of this package `security-misc`. - -* **A)** [easy](https://www.kicksecure.com/wiki/Dev/Build_Documentation/generic-package/easy), _OR_ -* **B)** [including verifying software signatures](https://www.kicksecure.com/wiki/Dev/Build_Documentation/generic-package) - -## Contact ## - -* [Free Forum Support](https://forums.kicksecure.com) -* [Premium Support](https://www.kicksecure.com/wiki/Premium_Support) - -## Donate ## - -`security-misc` requires [donations](https://www.kicksecure.com/wiki/Donate) to stay alive! diff --git a/changelog.upstream b/changelog.upstream index d2432d7..2a839f8 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,15906 +1,3 @@ -commit 06e1e44b0039807baa862102b12fc5e199c3ccb3 -Author: Patrick Schleizer -Date: Fri Apr 25 05:51:21 2025 -0400 - - comments - -commit ba1012ca8767baf34ed762d80b25b03bb70e6765 -Author: Patrick Schleizer -Date: Fri Apr 25 08:19:35 2025 +0000 - - bumped changelog version - -commit a8f6132bec1a6f4a639d58295b3e50faf5494d98 -Author: Patrick Schleizer -Date: Fri Apr 25 03:11:27 2025 -0400 - - output - -commit 1d14a9f32435b8131c251e03bff2af5c929bbf49 -Merge: e154d0a 612f5f9 -Author: Patrick Schleizer -Date: Fri Apr 25 02:59:09 2025 -0400 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/fix-pkexec-umask' - -commit 612f5f92fde236b86928428fd0247c8e971b0460 -Author: Aaron Rainbolt -Date: Thu Apr 24 20:01:35 2025 -0500 - - Fix umask for pkexec-run commands - -commit e154d0af6dd41e392122fbe3d09219734c5ad588 -Author: Patrick Schleizer -Date: Mon Apr 21 10:21:54 2025 +0000 - - bumped changelog version - -commit 4bf0e3a63667c284d053e5b8517440a884a42441 -Author: Patrick Schleizer -Date: Mon Apr 21 04:57:07 2025 -0400 - - comments - -commit 502f5953c734346edc680a0b898b435e6c6f6e27 -Author: Patrick Schleizer -Date: Mon Apr 21 04:55:19 2025 -0400 - - comments - -commit abb0c83619b820b7b66258efa9e141850eaa8b6c -Author: Patrick Schleizer -Date: Mon Apr 21 04:54:06 2025 -0400 - - comments - -commit efa2967fca36c776d43419dd5bf12696bc61c426 -Author: Patrick Schleizer -Date: Mon Apr 21 04:53:04 2025 -0400 - - comments - -commit dc7e8579040a96630ab1bbf7b4b901e3e3abe8c7 -Author: Patrick Schleizer -Date: Sat Apr 19 17:33:56 2025 +0000 - - bumped changelog version - -commit 9948ae114d4c6bbd650022c9985137c0fdea5675 -Author: Patrick Schleizer -Date: Sat Apr 19 13:24:17 2025 -0400 - - fix - -commit 4aca622706f33e85832e67650259a7751ba87a72 -Author: Patrick Schleizer -Date: Sat Apr 19 13:23:26 2025 -0400 - - fix - -commit 701f4a0e88a32e4c9312fd92b73cef5d4f755f0a -Author: Patrick Schleizer -Date: Sat Apr 19 13:20:04 2025 -0400 - - output - -commit a670c0d873eba8d84bde90ebbeecc7aecc22349e -Author: Patrick Schleizer -Date: Sat Apr 19 13:18:23 2025 -0400 - - comment - -commit 4799f3ce02e5683dad0fff13f5d7fe0aadb0a0db -Author: Patrick Schleizer -Date: Sat Apr 19 13:17:28 2025 -0400 - - make `/usr/libexec/security-misc/apt-get-update` more reliable - -commit c4f0e1d16f6999b055b0fa310456870f12a6dbea -Author: Patrick Schleizer -Date: Sat Apr 19 12:57:14 2025 -0400 - - refactoring - -commit 81634930fa13a240b9fff9a878dd84af1dccc6b3 -Author: Patrick Schleizer -Date: Sat Apr 19 12:55:32 2025 -0400 - - refactoring - -commit 90330a1ec958f82f9322ecc62bcfb7169d641af4 -Author: Patrick Schleizer -Date: Sat Apr 19 12:49:18 2025 -0400 - - refactoring - -commit ce2c9a21a357b3981335336eaf7ac8a6a3bcb052 -Author: Patrick Schleizer -Date: Sat Apr 19 12:47:40 2025 -0400 - - /usr/libexec/security-misc/apt-get-update: use `/run/helper-scripts` folder for pid file instead of `$TMP` - - to avoid permission issues - -commit 96ff7c8dc67809a3199d0b7f22d9e50483634a9c -Author: Patrick Schleizer -Date: Sat Apr 19 12:45:06 2025 -0400 - - refactoring - -commit 5a37790e6bd80ffd4f74d9596523ef72366d35d9 -Author: Patrick Schleizer -Date: Sat Apr 19 12:43:15 2025 -0400 - - cleanup - -commit 7512aa67572c97267fd176e63ae4862b6d37f8ae -Author: Patrick Schleizer -Date: Tue Apr 15 20:59:37 2025 +0000 - - bumped changelog version - -commit e0e2a9b61c61b34a6fe10782e294d58adff15cfe -Merge: 5e88dfe 9f2836d -Author: Patrick Schleizer -Date: Tue Apr 15 15:27:10 2025 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 9f2836d2baae900222cbae74d7a32bcdc69e589f -Merge: 5e88dfe aa0ffff -Author: Patrick Schleizer -Date: Tue Apr 15 15:17:25 2025 -0400 - - Merge pull request #304 from raja-grewal/stop_pstore - - Disable PStore - -commit 5e88dfe809a762aeebf62ea2de131cfbdea9ae32 -Author: Patrick Schleizer -Date: Thu Apr 10 11:38:17 2025 +0000 - - bumped changelog version - -commit c0a18c5a7122fe3c7b52d0e02ca5e8817efb3996 -Merge: da9dd3c 74ca63d -Author: Patrick Schleizer -Date: Thu Apr 10 06:07:55 2025 -0400 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/rename-boot-modes' - -commit 74ca63d12c716017d022f5dfc5348ae7b787e220 -Author: Aaron Rainbolt -Date: Wed Apr 9 21:01:41 2025 -0500 - - Mass-change "PERSISTENCE mode USERNAME" to "PERSISTENCE Mode - USERNAME Session" - -commit aa0ffff42753f68e67bc92680a22986a5b9ef9e0 -Author: raja-grewal -Date: Thu Apr 10 11:49:45 2025 +1000 - - README.md: Revert error - -commit da9dd3c3f14103701ad82af775b4fb547f5b3e2e -Author: Patrick Schleizer -Date: Wed Apr 9 15:16:00 2025 +0000 - - bumped changelog version - -commit 163d51f32a1888a52ea78ba32a4e4a2d72aea87d -Author: Patrick Schleizer -Date: Wed Apr 9 09:47:52 2025 -0400 - - newline at the end - -commit 4d2b2e65468522b1d1beda63b0b16cfa12b1d535 -Author: Patrick Schleizer -Date: Tue Apr 8 14:08:24 2025 +0000 - - bumped changelog version - -commit 39f4f5b60739c387f02970018e14f1ae93677e00 -Author: Patrick Schleizer -Date: Tue Apr 8 06:53:08 2025 -0400 - - comments - -commit 173606891ad0c064a22b4ec0aee772105d8be54a -Author: Patrick Schleizer -Date: Tue Apr 8 06:48:29 2025 -0400 - - output - -commit f0d17c7e4134d8a54ce7331c1e9d3ce932278987 -Author: raja-grewal -Date: Sun Mar 16 03:31:24 2025 +0000 - - README: Fix a few links - -commit df2fc2cf6b0437d23c7641118ebd24d2e3a670ce -Author: raja-grewal -Date: Sun Mar 16 03:30:04 2025 +0000 - - Set `efi_pstore.pstore_disable=1` - -commit f643ebc2f923ba4d7231e5aeaf1d91d1a9d1d0df -Author: raja-grewal -Date: Sun Mar 16 03:28:39 2025 +0000 - - Disable pstore processing by systemd-pstore service - -commit d927fe238cc5369f7fe1632a4173fe4bdf0ffdfb -Author: Patrick Schleizer -Date: Mon Mar 3 11:00:38 2025 +0000 - - bumped changelog version - -commit cd0ba94ac5e7e8360183ac6f440d941b4067025b -Author: Patrick Schleizer -Date: Mon Mar 3 05:57:59 2025 -0500 - - no longer disable `vivid` kernel module by default, - because it breaks Qubes Video Companion - - Thanks to @marmarek for the bug report! - - https://forums.whonix.org/t/testing-qubes-video-companion-on-whonix/21393 - - fixes https://github.com/Kicksecure/security-misc/issues/298 - -commit 3e7d1b4e23e1e8ef4ad138dbe4119eee7e72511c -Author: Patrick Schleizer -Date: Sun Feb 9 23:04:36 2025 +0000 - - bumped changelog version - -commit 0615e6e995eb25d8e1bff181ecc49ff51e4029cc -Merge: 2a4a228 4d62ee3 -Author: Patrick Schleizer -Date: Sun Feb 9 18:01:43 2025 -0500 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 4d62ee3ab31bde80eebde265c2513233f10f751a -Merge: 2a4a228 ce4b57d -Author: Patrick Schleizer -Date: Sun Feb 9 18:00:59 2025 -0500 - - Merge pull request #297 from raja-grewal/warn_path - - Update docs on kernel panics - -commit ce4b57d1cb179f18c1ac41681626d01054355fe6 -Author: raja-grewal -Date: Mon Feb 3 00:31:45 2025 +0000 - - Update docs on kernel panics - -commit 2a4a228b150e06c7ff796315719d41e825dd8ad3 -Author: Patrick Schleizer -Date: Fri Jan 31 19:38:42 2025 +0000 - - bumped changelog version - -commit 041caf286b343268e6db69f2957f23c1dd20812a -Author: Patrick Schleizer -Date: Fri Jan 31 14:33:54 2025 -0500 - - update pkg_installed function - -commit ac1493fcfc194b8d1a680d7e8bf53a90caa984ac -Author: Patrick Schleizer -Date: Fri Jan 31 14:33:17 2025 -0500 - - comment - -commit c0f2f110146410428fc12815b30aaba67ff16126 -Author: Patrick Schleizer -Date: Thu Jan 30 12:58:48 2025 +0000 - - bumped changelog version - -commit 9f5e522b83ba969112abf6a9fba77c1eff31b14d -Author: Patrick Schleizer -Date: Thu Jan 30 07:53:04 2025 -0500 - - LC_ALL=C - -commit 7c150d116d1d1f95e2fb729934906eb4391a389a -Author: Patrick Schleizer -Date: Thu Jan 30 07:45:08 2025 -0500 - - LANG=C str_replace: no longer requires LANG=C, therefore removed - -commit 6aaf7082177fe4d02415aac4317cde74665f495c -Author: Patrick Schleizer -Date: Wed Jan 29 14:36:41 2025 +0000 - - bumped changelog version - -commit 10508cb5801c28f8fff306957e867a1626aa6489 -Merge: 6b4fa1e b9dee26 -Author: Patrick Schleizer -Date: Wed Jan 29 09:36:28 2025 -0500 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit b9dee2633128577245763bad41cf3cb6b49751f3 -Merge: 6b4fa1e 4b1e530 -Author: Patrick Schleizer -Date: Wed Jan 29 09:35:50 2025 -0500 - - Merge pull request #296 from raja-grewal/cpu_details - - Hardware-related Documentation - -commit 6b4fa1ef0055d36a45d65481129dabfee77027e4 -Author: Patrick Schleizer -Date: Thu Jan 23 16:28:58 2025 +0000 - - bumped changelog version - -commit b10f5489a3e3317f01339ea34a0e5c7bfb850a01 -Author: Patrick Schleizer -Date: Thu Jan 23 11:12:26 2025 -0500 - - copyright - -commit 3c18734db32b2d19c3a30e282435f083d307d86e -Author: Patrick Schleizer -Date: Wed Jan 22 14:11:21 2025 +0000 - - bumped changelog version - -commit f90ffacac3d3c12f62f62106a69cb6caeca69041 -Author: Patrick Schleizer -Date: Wed Jan 22 09:09:56 2025 -0500 - - bump permission hardner migration code version - -commit 3a056c9d9c17ed3968f48ac332cee94f714320c7 -Author: Patrick Schleizer -Date: Wed Jan 22 09:05:50 2025 -0500 - - bump permission hardner migration code version - -commit d5ad29a7324dfbece3185026a3f4c58121c453b6 -Author: Patrick Schleizer -Date: Wed Jan 22 09:04:44 2025 -0500 - - add /usr/lib/polkit-1/polkit-agent-helper-1 to permission hardener hardcoded statoverride file - -commit c8a2483cf6735b29ef9b265cc09b58b00b14b6f0 -Author: Patrick Schleizer -Date: Wed Jan 22 13:52:29 2025 +0000 - - bumped changelog version - -commit 80bd314436b99b723359f25e52bbd14683929b56 -Author: Patrick Schleizer -Date: Wed Jan 22 08:25:14 2025 -0500 - - add `.whonix` files to hardcoded files - -commit 9b012bdeee03e73de537e7fe65c0bb8d16b38e79 -Merge: 507130a 42f34f5 -Author: Patrick Schleizer -Date: Wed Jan 22 08:23:49 2025 -0500 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/permission-hardener-symlink-fix' - -commit 507130a1cc0592bd4a4b280da7496dade470e637 -Merge: f1b6bff ed767e0 -Author: Patrick Schleizer -Date: Wed Jan 22 08:21:39 2025 -0500 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/permission-hardener-diag' - -commit 42f34f5a4ccf95d504e28a26aeb0747fef4685ba -Author: Aaron Rainbolt -Date: Tue Jan 21 21:49:03 2025 -0600 - - Don't handle files with multiple hardlinks - -commit 5e60416c864a7d06f635161a185864fc36d5685c -Author: Aaron Rainbolt -Date: Tue Jan 21 21:05:03 2025 -0600 - - Make permission-hardener always apply changes to real files, not symlinks - -commit ed767e00b0260d29c18c710efe07d68a9beffb34 -Author: Aaron Rainbolt -Date: Tue Jan 21 16:41:30 2025 -0600 - - Add some local variable declarations - -commit 4b1e530674146d4d2b62ff4a87fe3add5667403c -Author: raja-grewal -Date: Tue Jan 21 12:39:06 2025 +0000 - - README.md: List CPU mitigations - -commit 15d13a8571d1f38b2bc36387f61bce24c86be97b -Author: raja-grewal -Date: Tue Jan 21 12:36:04 2025 +0000 - - Add info on DBX updates via the UEFI Revocation List - -commit a97620a2e491cc039adb15af94958f26b39319a2 -Author: Aaron Rainbolt -Date: Mon Jan 20 22:43:55 2025 -0600 - - Add print-diagnostics command to permission-hardener - -commit f1b6bff30b1891bfbe870de9edd78fa7dbd66e7c -Author: Patrick Schleizer -Date: Mon Jan 20 11:35:08 2025 +0000 - - bumped changelog version - -commit df9d058ed9635b168508ded20277c174a24cf3f5 -Author: Patrick Schleizer -Date: Mon Jan 20 06:28:16 2025 -0500 - - usrmerge - -commit 8ff5f3b22125488f64cd384ffbfcbd8f2ecd61a6 -Author: Patrick Schleizer -Date: Mon Jan 20 10:11:43 2025 +0000 - - bumped changelog version - -commit 4e0d5a196ccb8ef3fdf2b67d974f28d02a532f91 -Author: Patrick Schleizer -Date: Mon Jan 20 04:30:26 2025 -0500 - - delete comment only configuration file (moved to user-sysmaint-split) - -commit 1b4d1edfc316f125ff5039bf17897802205750e2 -Author: Patrick Schleizer -Date: Mon Jan 20 04:29:42 2025 -0500 - - comments - -commit 51c7010e8f47ce6e6a28e6267c735e897dcfb053 -Author: Patrick Schleizer -Date: Fri Jan 17 13:35:28 2025 +0000 - - bumped changelog version - -commit 876d596a071ac916f7d220ee2449358aedba7efe -Author: Patrick Schleizer -Date: Fri Jan 17 07:55:54 2025 -0500 - - comment - -commit c9e2f82bd01813682998c775f75bac0841239e5e -Merge: 5971869 bf73f1f -Author: Patrick Schleizer -Date: Fri Jan 17 07:53:59 2025 -0500 - - Merge remote-tracking branch 'ArrayBolt3/master' - -commit bf73f1f2b5e429caaf01bfbcdc7d5d032e3c0efb -Author: Aaron Rainbolt -Date: Wed Jan 15 19:10:41 2025 -0600 - - Avoid impossible-to-satisfy dependency on helper-scripts, improve string handling robustness in postinst - -commit 597186972e463ce7a0b44662f7656f351ddf1030 -Author: Patrick Schleizer -Date: Wed Jan 15 15:02:44 2025 +0000 - - bumped changelog version - -commit ca257164105c4f66576024b64c52a42921455d16 -Author: Patrick Schleizer -Date: Wed Jan 15 09:44:48 2025 -0500 - - improve permission hardener migration code - -commit 2dfd30a44ae332faa50bc4920486cdd9480c7e5d -Merge: a84d3ba 328f747 -Author: Patrick Schleizer -Date: Wed Jan 15 09:33:57 2025 -0500 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/more-permission-hardener' - -commit 328f747179ffb2e7705a73bc9a0c5133a17da829 -Author: Aaron Rainbolt -Date: Tue Jan 14 20:35:28 2025 -0600 - - Restore permission-hardener's notice about how to compare old and new states - -commit c6f09748f383fdf7c1b07441c73477b3f18d2768 -Author: Aaron Rainbolt -Date: Tue Jan 14 20:27:53 2025 -0600 - - Handle de-corruption of new_mode a bit better - -commit a0f81958dfb020d311d86cbd00d4f86f678d8be9 -Author: Aaron Rainbolt -Date: Tue Jan 14 19:25:15 2025 -0600 - - De-corrupt the new_mode permission-hardener statoverride database too - -commit 396372c1295e2a09d596f3e23fccc26794a26f05 -Author: Aaron Rainbolt -Date: Tue Jan 14 18:50:24 2025 -0600 - - Avoid scanning unnecessary packages for modified permission-hardener config - -commit a84d3ba732bcbd2fb93ea2bc145a0db0f33f1b77 -Author: Patrick Schleizer -Date: Tue Jan 14 14:32:13 2025 +0000 - - bumped changelog version - -commit 709036c79f8efc9fefa9e7709780a75f9f5004d2 -Author: Patrick Schleizer -Date: Tue Jan 14 09:31:58 2025 -0500 - - debconf-updatepo - -commit 659c7037c6956f6d905e55a1ebb13ebe6a273dee -Author: Patrick Schleizer -Date: Tue Jan 14 14:30:58 2025 +0000 - - bumped changelog version - -commit 86d3db15bf94dc0f4547105e18ef5f26ca124fa8 -Author: Patrick Schleizer -Date: Tue Jan 14 09:30:46 2025 -0500 - - output - -commit 876c0b618785fc71d1d399ff7ab649382104a714 -Author: Patrick Schleizer -Date: Tue Jan 14 09:29:35 2025 -0500 - - output - -commit c46178dee46f88e8d0007a12a48addc2493faab7 -Author: Patrick Schleizer -Date: Tue Jan 14 09:27:37 2025 -0500 - - output - -commit f3c07a2451fd2818daca6bc248cbbcba213516e7 -Author: Patrick Schleizer -Date: Tue Jan 14 09:24:06 2025 -0500 - - update link - -commit bbc4ad7c2a0827d079ccbb18dce4aaae042a2253 -Author: Patrick Schleizer -Date: Tue Jan 14 14:16:45 2025 +0000 - - bumped changelog version - -commit 9bb92e91a8f364a9d9e5d69e907fe8ed8a3c58a2 -Author: Patrick Schleizer -Date: Tue Jan 14 09:16:25 2025 -0500 - - debhelper - -commit 95dd8f419fc7e9832d8ce6f74d35af9b36752f3f -Author: Patrick Schleizer -Date: Tue Jan 14 14:07:50 2025 +0000 - - bumped changelog version - -commit 0a2f06b456854f1cec3ff93952edef928ac7a184 -Author: Patrick Schleizer -Date: Tue Jan 14 09:07:32 2025 -0500 - - use pre.bsh - -commit 6a4f9c1bd8c48bb1a711eee077ea7a05646b0598 -Author: Patrick Schleizer -Date: Tue Jan 14 14:06:50 2025 +0000 - - bumped changelog version - -commit e60183ec073d278f8d69a5475aa52d75870cd9b0 -Author: Patrick Schleizer -Date: Tue Jan 14 09:06:41 2025 -0500 - - output - -commit a812961beabacca052b4b25b78ecd2c35184d5d5 -Author: Patrick Schleizer -Date: Tue Jan 14 09:06:12 2025 -0500 - - verbose - -commit 0e4dfc59dd9c06dd732affd8ca7f72a1a70a95b0 -Author: Patrick Schleizer -Date: Tue Jan 14 13:53:49 2025 +0000 - - bumped changelog version - -commit cdf179f1277bcae3ef681d35aeca6289d55b3a6a -Author: Patrick Schleizer -Date: Tue Jan 14 08:53:38 2025 -0500 - - fix - -commit 41cd09933a506d55bab1f8bf101840cf4bbbf028 -Author: Patrick Schleizer -Date: Tue Jan 14 09:26:05 2025 +0000 - - bumped changelog version - -commit eec2e2c8ee621c6ebb152abbfe3951fa0322a0d0 -Author: Patrick Schleizer -Date: Tue Jan 14 04:13:39 2025 -0500 - - comment - -commit 6d282226ef653accf1de32582b999ff31775f60f -Author: Patrick Schleizer -Date: Tue Jan 14 04:12:12 2025 -0500 - - comment - -commit 466308e4f9ebd496ff54dd9f77881ce10a558802 -Author: Patrick Schleizer -Date: Tue Jan 14 04:09:57 2025 -0500 - - permission hardener: disable SUID for `chrome-sandbox` - -commit 7a5f8b87af7142ce973bd88abf98279ce15559a9 -Author: Patrick Schleizer -Date: Tue Jan 14 04:06:44 2025 -0500 - - permission hardener: disable SUID for `ssh-agent`, `ssh-keysign`, `/lib/openssh/*` - - This might break SSH host-based authentication. - -commit d89ffcde30f6115c25c1bc807eb30b18c21e2b6e -Author: Patrick Schleizer -Date: Tue Jan 14 04:04:09 2025 -0500 - - comment - -commit 9f1759ba0ea7ecee87c8777226eb8a56482deeb5 -Author: Patrick Schleizer -Date: Tue Jan 14 03:56:55 2025 -0500 - - comment - -commit 0ac85ea9f56abdf621ec1b4f2acf08a2450067ba -Author: Patrick Schleizer -Date: Tue Jan 14 03:54:35 2025 -0500 - - comment - -commit fce6a5f8303cd891efd8bbfef861e357dc90e88e -Author: Patrick Schleizer -Date: Tue Jan 14 03:51:43 2025 -0500 - - comment - -commit 1e9940481318d8d7a443b98f0906089759f27a5d -Author: Patrick Schleizer -Date: Tue Jan 14 03:50:16 2025 -0500 - - comment - -commit b198591537a01f5b35c9301ca28a24c70864bcbd -Author: Patrick Schleizer -Date: Tue Jan 14 03:49:42 2025 -0500 - - comment - -commit 7d44db2cb268c4eb31b50bbd44b87b8001dc068c -Author: Patrick Schleizer -Date: Tue Jan 14 03:49:15 2025 -0500 - - usrmerge - -commit 7e7632a55396e10e20a6e9d8d563011694cccc85 -Author: Patrick Schleizer -Date: Tue Jan 14 08:24:05 2025 +0000 - - bumped changelog version - -commit 420cb3f86f69c4505702a8f38271fb095316cb6f -Author: Patrick Schleizer -Date: Tue Jan 14 03:19:21 2025 -0500 - - refactoring - -commit b7e7b2767eb957dd1401f5abcff07bfcb47a4c00 -Author: Patrick Schleizer -Date: Tue Jan 14 03:18:17 2025 -0500 - - refactoring - -commit b2a1a0ec9f8db1d84c222e734737b7ed149f6d92 -Author: Patrick Schleizer -Date: Tue Jan 14 03:17:00 2025 -0500 - - refactoring - -commit 69ae2d9ea0826aa81c70e957bb5a9241a84346ad -Merge: de1f31e de9ebab -Author: Patrick Schleizer -Date: Tue Jan 14 03:15:45 2025 -0500 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/permission-hardener-migrate' - -commit de9ebabd46798ff2afa259907b6a7b976070e7f0 -Author: Aaron Rainbolt -Date: Mon Jan 13 21:57:10 2025 -0600 - - Fix minor migration bugs, don't run the migration code on new image builds - -commit a9e87e9d308f5e61a2d2054fa038dae6faadad3a -Author: Aaron Rainbolt -Date: Sun Jan 12 21:13:43 2025 -0600 - - Prevent installation failures when installing non-interactively - -commit 5570d3e5b9f97f14c772facff16dc45df66d42e9 -Author: Aaron Rainbolt -Date: Sun Jan 12 20:40:41 2025 -0600 - - Add a forgotten set -e - -commit 07786de03953b91310588e0b37b9e150bf1b4736 -Author: Aaron Rainbolt -Date: Sun Jan 12 19:34:41 2025 -0600 - - Enable smooth migration from permission-hardener-v1 to permission-hardener-v2 - -commit de1f31e3df1a0fba0a4c6e41b9b46e076266cfd4 -Author: Patrick Schleizer -Date: Sun Jan 12 11:47:18 2025 +0000 - - bumped changelog version - -commit b0baa8baa57937358dc988b88adab4858a1d8cae -Author: Patrick Schleizer -Date: Sun Jan 12 05:38:35 2025 -0500 - - add link - -commit d6a7cd3e0d1e677c1fa8c1fb3b307cdbe0f45031 -Author: Patrick Schleizer -Date: Sun Jan 12 05:36:16 2025 -0500 - - formatting. - - use chapter to make allow for deep linking - -commit 485d9abd1d14e445b48f0fd63290a985b05a5ac7 -Author: Patrick Schleizer -Date: Fri Jan 10 15:34:21 2025 +0000 - - bumped changelog version - -commit c17485baa118e76cc8074ce3e72ac3ac38c577cd -Merge: 482960d e9ef360 -Author: Patrick Schleizer -Date: Fri Jan 10 10:32:26 2025 -0500 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit e9ef3602dd1661de0c0c3781d7e0246720643354 -Merge: 1b33e83 cf435a8 -Author: Patrick Schleizer -Date: Fri Jan 10 10:30:34 2025 -0500 - - Merge pull request #292 from raja-grewal/cpu_table - - Add link to tabular comparison of CPU mitigations - -commit 1b33e83529d652dab4468e0b386e333b3ca4745b -Merge: 486757b 2e6e170 -Author: Patrick Schleizer -Date: Fri Jan 10 10:29:30 2025 -0500 - - Merge pull request #291 from raja-grewal/drop_gratuitous_arp - - Drop gratuitous ARP packets - -commit 486757bfae5e7ecc389b16c49704e742fd267565 -Merge: 17ff249 c37f4ef -Author: Patrick Schleizer -Date: Fri Jan 10 10:29:12 2025 -0500 - - Merge pull request #290 from raja-grewal/arp_ignore - - Respond to ARP requests only if the target IP address is on-link - -commit 17ff24915062736a32d4d54da7163fe34aa70fd3 -Merge: 27d19ba 1f8eee4 -Author: Patrick Schleizer -Date: Fri Jan 10 10:28:48 2025 -0500 - - Merge pull request #289 from raja-grewal/arp_filter - - Enable ARP filtering - -commit 27d19ba568e601c37035a310ae6cdd7d953be286 -Merge: 482960d 5e3785d -Author: Patrick Schleizer -Date: Fri Jan 10 10:28:05 2025 -0500 - - Merge pull request #288 from raja-grewal/shared_media - - Deny sending and receiving shared media redirects - -commit 482960d056ec8d624f127bfe9b1c69a4c30c7e34 -Author: Patrick Schleizer -Date: Fri Jan 10 10:21:12 2025 -0500 - - permission-hardener: move to new state folder `/var/lib/permission-hardener-v2` without migration - - https://github.com/Kicksecure/security-misc/pull/294 - -commit cf435a8fa8e6f795a25ef004cf44a65d461dd32c -Author: raja-grewal -Date: Fri Jan 10 13:22:21 2025 +1100 - - README.md: Note importance of microcode updates - -commit 3a31cc99b34617cdd3c5f8e8950a37158849cb56 -Merge: c4cfb85 5941195 -Author: Patrick Schleizer -Date: Thu Jan 9 09:30:58 2025 -0500 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/usrmerge' - -commit 538b312349a97bcecb12e62519d77840afcd6ca3 -Author: raja-grewal -Date: Thu Jan 9 15:28:56 2025 +1100 - - Add comment about microcode updates - -commit 1f8eee47200221e2e38291a31e852e9c222d8c64 -Author: raja-grewal -Date: Wed Jan 8 18:36:00 2025 +1100 - - Add missing sentence full stop - -commit 5e3785d76e616f49407e720b37138f35a50fe4fb -Author: raja-grewal -Date: Wed Jan 8 18:35:52 2025 +1100 - - README.md: Remove double space - -commit 5941195e96880b8beb2a791d3c21f3a4c6d429eb -Author: Aaron Rainbolt -Date: Tue Jan 7 14:10:46 2025 -0600 - - Don't worry about files under /bin anymore, Bookworm uses a merged /usr directory - -commit c4cfb8597d1a8631a4cbfa7e88212b798e2bc514 -Merge: c6be621 93ebf17 -Author: Patrick Schleizer -Date: Mon Jan 6 08:43:54 2025 -0500 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/permission-hardener-refactor' - -commit c6be621968c898f792ef1a450d2e1be5cd6056da -Author: Patrick Schleizer -Date: Mon Jan 6 10:31:40 2025 +0000 - - bumped changelog version - -commit 6e0787957b53a64132b64e2a29bafe3e4b66d178 -Author: Patrick Schleizer -Date: Mon Jan 6 05:29:40 2025 -0500 - - increase priority of pam wheel so it is checked even before faillock - - in case of attemtping to use `su` without being a member of the required group `sudo`, it's useful to abort the PAM stack as early as possible to avoid needlessly propmting for a password to later - be rejected tu to lack of group membership - -commit d4767b75206b46f1a006cd91b00239a7b828fc89 -Author: Patrick Schleizer -Date: Mon Jan 6 04:24:44 2025 -0500 - - fix: apply PAM wheal only to `su` PAM service - -commit 93ebf176c5f38bd268e5394e01421e46b9ae7dff -Author: Aaron Rainbolt -Date: Thu Jan 2 20:41:40 2025 -0500 - - Make the main field count check in permission-hardener a bit more elegant - -commit 895c0f541fb34f9ebfee9c7ef79c053d5af4a7cc -Merge: 717e6fc 40b23cf -Author: Aaron Rainbolt -Date: Wed Jan 1 15:04:01 2025 -0600 - - Merge branch 'master' into arraybolt3/permission-hardener-refactor - -commit 40b23cfad40825eefc3686e562d78250b58bbc82 -Author: Patrick Schleizer -Date: Tue Dec 31 18:42:01 2024 +0000 - - bumped changelog version - -commit 33114f771aaeb4dccb0b465861d1239129deb8b2 -Author: Patrick Schleizer -Date: Tue Dec 31 13:26:21 2024 -0500 - - copyright - -commit bb24bff2965ca31de6337820eafd787a11a44a2b -Author: Patrick Schleizer -Date: Tue Dec 31 14:09:34 2024 +0000 - - bumped changelog version - -commit 0640964c35b0d977ba718629d4a8791e67700202 -Author: Patrick Schleizer -Date: Tue Dec 31 06:14:29 2024 -0500 - - readme - -commit 717e6fcfbea38cef9d3e201cf2e2b725e3da2267 -Author: Aaron Rainbolt -Date: Mon Dec 30 19:23:20 2024 -0600 - - Post-review improvements to permission-hardener - -commit dbcb612517abbf8d162cfb31ba0585c518df8817 -Author: Aaron Rainbolt -Date: Wed Dec 25 19:48:28 2024 -0600 - - Polish permission-hardener refactor - -commit 397b476a822c9f7e41ec911f5d689b67026660ad -Author: Patrick Schleizer -Date: Thu Dec 26 04:12:02 2024 +0000 - - bumped changelog version - -commit 66f8c18c65f33676d242b57ebb1d4410876461b3 -Merge: aa82202 6602fb1 -Author: Patrick Schleizer -Date: Wed Dec 25 22:43:04 2024 -0500 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/sysmaint' - -commit 83d386795940099e0835c51f3522aae3d9217dc8 -Author: Aaron Rainbolt -Date: Tue Dec 24 20:14:57 2024 -0600 - - Refactor permission-hardener to be more idempotent - -commit 6602fb102dedc21300ae4c4519f3d9ef4e668045 -Author: Aaron Rainbolt -Date: Tue Dec 24 20:52:34 2024 -0600 - - Adjust pam-info messaging for sysmaint mode - -commit aa82202e701167eacb63eac208469844e983ca43 -Author: Patrick Schleizer -Date: Tue Dec 24 05:16:22 2024 +0000 - - bumped changelog version - -commit 27d015d58ebc5e750d9d06f042b761720473941d -Merge: 3c73c0c 2f3a2bc -Author: Patrick Schleizer -Date: Tue Dec 24 00:08:58 2024 -0500 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/sysmaint' - -commit 2f3a2bce7756efe75cd8aaf5066b599b4c49bbdc -Author: Aaron Rainbolt -Date: Fri Dec 20 11:04:22 2024 -0600 - - Add warning about using non-sysmaint accounts in sysmaint mode - -commit 3c73c0cd3a845d1a484551ff50f59e5f2ef56a68 -Author: Patrick Schleizer -Date: Fri Dec 20 06:01:27 2024 +0000 - - bumped changelog version - -commit a4c76c617a18a49168e0ffdba2d8b0ae834f2877 -Author: Patrick Schleizer -Date: Fri Dec 20 01:01:13 2024 -0500 - - syntax fix - -commit b40bc0a2c9b17b3569918a6839bce1c67af5c9df -Author: Patrick Schleizer -Date: Fri Dec 20 05:58:24 2024 +0000 - - bumped changelog version - -commit b21c394ea52401c0d77b6ec396af6a49335f5e0b -Author: Patrick Schleizer -Date: Fri Dec 20 00:56:20 2024 -0500 - - Trigger permission hardener when new configuration files are being installed. - -commit cd027b86e710b6f6b8fac6dd0ebcdcd691e86dd3 -Author: Patrick Schleizer -Date: Fri Dec 20 05:48:48 2024 +0000 - - bumped changelog version - -commit ad6e1f5ad490e12fc5e69b82da5dc1830cc41c96 -Author: Patrick Schleizer -Date: Fri Dec 20 00:41:06 2024 -0500 - - move from `/etc/permission-hardener.d` to `/usr/lib/permission-hardener.d` - -commit a2c1e8c218117a47ef70dd767d753be5d084adfa -Author: Patrick Schleizer -Date: Fri Dec 20 00:39:51 2024 -0500 - - clean up old files in `/etc/permission-hardener.d` - because will be moved to `/usr/lib/permission-hardener.d` - -commit 6de5d2d0763539d6d0d4b19b501bb316ed3b2c94 -Author: Patrick Schleizer -Date: Fri Dec 20 00:37:44 2024 -0500 - - permission hardener: also parse `/usr/lib/permission-hardener.d/*.conf` folder - -commit 721b100fb64136b7c36c8d43c90c716a1fed42d0 -Author: Patrick Schleizer -Date: Thu Dec 19 10:58:50 2024 +0000 - - bumped changelog version - -commit 642b4eeedc43e69bb82ea259b52c0946ce638983 -Author: raja-grewal -Date: Thu Dec 19 21:57:25 2024 +1100 - - Add link to tabular comparison of CPU mitigations - -commit 175b442d5bb9dfcb4e9b524ec2077e72c74598cc -Author: Patrick Schleizer -Date: Thu Dec 19 05:56:50 2024 -0500 - - use long option name - -commit c99021bb0c1d5b6bf361cc483449330cdd218ee6 -Merge: 95b5357 9d69cd1 -Author: Patrick Schleizer -Date: Thu Dec 19 05:56:01 2024 -0500 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/sysmaint' - -commit 2e6e1701a052ef32711f6c3abaad693a773323f6 -Author: raja-grewal -Date: Thu Dec 19 10:35:08 2024 +0000 - - Set `net.ipv4.conf.*.drop_gratuitous_arp=1` - -commit c37f4efadf8f046168732871172cb66f58eb7c78 -Author: raja-grewal -Date: Thu Dec 19 10:33:49 2024 +0000 - - Set `net.ipv4.conf.*.arp_ignore=2` - -commit af1d06973bdd46af3e39b0bdfda81b950ccac996 -Author: raja-grewal -Date: Thu Dec 19 10:31:43 2024 +0000 - - Set `net.ipv4.conf.*.arp_filter=1` - -commit 750367a9066ca2a0ff819b438a92cb1f6c325edb -Author: raja-grewal -Date: Thu Dec 19 10:29:56 2024 +0000 - - Set `net.ipv4.conf.*.shared_media=0` - -commit 95b535764c8a98b67a71ee1fd57b7f01da464106 -Author: Patrick Schleizer -Date: Thu Dec 19 09:43:26 2024 +0000 - - bumped changelog version - -commit daf0a0900b780a9d44d0d9b49b3fca6ddbd20d18 -Author: Patrick Schleizer -Date: Thu Dec 19 04:39:34 2024 -0500 - - fix apt-get-update for non-English locale - - https://forums.kicksecure.com/t/systemcheck-reports-warning-debian-package-update-check-result-apt-get-reports-that-packages-can-be-updated-but-system-is-already-fully-upgraded/785 - -commit e9a5b14a0db6f071424c19e6f4b006386afb6ab4 -Author: Patrick Schleizer -Date: Thu Dec 19 06:57:42 2024 +0000 - - bumped changelog version - -commit 3135a03e21f9e5816097e25aaa7f4a1671f8f87d -Merge: f0c611d c7f7196 -Author: Patrick Schleizer -Date: Thu Dec 19 00:34:56 2024 -0500 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit c7f7196471b07a580c6d4a5d86739215508142cd -Merge: e5b67e0 3749f8f -Author: Patrick Schleizer -Date: Thu Dec 19 00:31:25 2024 -0500 - - Merge pull request #287 from raja-grewal/patch - - Refactor and add two CPU mitigations - -commit f0c611d9edb5fd7a3e00d13b248c65abda2c9d8a -Author: Patrick Schleizer -Date: Thu Dec 19 00:18:25 2024 -0500 - - comment - -commit 4f681be77429984695a1b0f689065051884e7bf7 -Merge: 4c3ca68 4cf5757 -Author: Patrick Schleizer -Date: Thu Dec 19 00:17:44 2024 -0500 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit e5b67e044bb5011dd667879a73a670f2c5f74057 -Merge: 4cf5757 c116796 -Author: Patrick Schleizer -Date: Thu Dec 19 00:15:02 2024 -0500 - - Merge pull request #279 from raja-grewal/arp - - Provide network-related hardening options via `sysctl`'s - -commit 4cf5757575c1257a14331f0169a9d8d163e1326d -Merge: 9d06341 1708a03 -Author: Patrick Schleizer -Date: Thu Dec 19 00:08:56 2024 -0500 - - Merge pull request #282 from ArrayBolt3/arraybolt3/umask - - Enable umask hardening - -commit 9d69cd1912ab657e7916b38f56b477c2b7abd0a3 -Author: Aaron Rainbolt -Date: Wed Dec 18 21:34:16 2024 -0600 - - Add sysmaint account lock detection - -commit 3749f8ff097551a843e5ed80de52c6770a32e0c6 -Author: raja-grewal -Date: Wed Dec 18 03:36:09 2024 +0000 - - Update presentation on user namespaces - -commit 0dff2cd28fd769955757cdef1b7f9d637a1180c5 -Author: raja-grewal -Date: Wed Dec 18 03:32:35 2024 +0000 - - Minor additions - -commit 3e96fdd9ccb6268403d6c4f9a061c4a33e6f6dd2 -Author: raja-grewal -Date: Tue Dec 17 11:44:11 2024 +0000 - - Enable `kvm.mitigate_smt_rsb=1` - -commit 45355aabdc180a6a2fdd4a374c6f7d72f4d36240 -Author: raja-grewal -Date: Tue Dec 17 11:42:52 2024 +0000 - - Enable `kvm-intel.vmentry_l1d_flush=always` - -commit defba1f2450b2c8bbc668bf5f6f6f0d101338cc7 -Author: raja-grewal -Date: Tue Dec 17 11:42:03 2024 +0000 - - Refactor CPU mitigations - -commit 943c421889ce5dfe3869380e4587ca22724f2ce7 -Author: raja-grewal -Date: Tue Dec 17 11:40:38 2024 +0000 - - Minor refactoring - -commit ca3a73ac13d805515f71f1be7ecedc33d3a1b519 -Author: raja-grewal -Date: Tue Dec 17 11:37:10 2024 +0000 - - Typo - -commit 4c3ca68453b44074025a1ec9f31451c57344f3cf -Author: Aaron Rainbolt -Date: Mon Dec 9 12:37:11 2024 -0600 - - Disable unnecessary sudoers exceptions - -commit 9d06341c91b51f9c737fe67457045924323635f0 -Merge: a9dd592 5b88e92 -Author: Patrick Schleizer -Date: Sat Dec 14 15:18:56 2024 -0500 - - Merge pull request #285 from Kicksecure/permission-hardener-mount - - Permission Hardener: treat mount same as umount - -commit c1167968542a62d0677517e11505f6e9222ec378 -Author: raja-grewal -Date: Thu Dec 12 06:36:47 2024 +0000 - - `arp_ignore`: Add reference to 2024-12-10 Mullvad VPN audit details - -commit a9dd592a8b49226f326e90111178aebba3cc144f -Author: Patrick Schleizer -Date: Tue Dec 10 19:19:10 2024 +0000 - - bumped changelog version - -commit 58722324ec0be98c3e44938df8cb60ca9b261210 -Merge: 518224b 439fa7f -Author: Patrick Schleizer -Date: Tue Dec 10 14:18:50 2024 -0500 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/no-recovery-mode' - -commit 518224b8cf9e99a830b584d8d54b5dea2925c8f5 -Author: Patrick Schleizer -Date: Tue Dec 10 19:17:10 2024 +0000 - - bumped changelog version - -commit 439fa7f3be74f5eba4b98f73c0bb50fd37e8b0e1 -Author: Aaron Rainbolt -Date: Sun Dec 8 03:21:27 2024 -0600 - - Harden/disable recovery mode options - -commit 7902311c570edd4286ba36f0cb85223d1e909a03 -Author: Patrick Schleizer -Date: Sat Dec 7 04:54:47 2024 -0500 - - do not create /etc/sysctl.d/30-lkrg-virtualbox.conf if LKRG is not installed - -commit 1ce37d42cd2c132eca8c45ddb04fdb594349d08f -Author: Patrick Schleizer -Date: Sat Dec 7 04:50:40 2024 -0500 - - . - -commit 5b88e92e5c4b951e659e1574fc248bd11158dfb2 -Author: Patrick Schleizer -Date: Fri Dec 6 09:48:58 2024 -0500 - - permission hardner: treat `mount` the same way we treat `umount` - - Thanks to @the-moog for the bug report! - - fixes https://github.com/Kicksecure/security-misc/issues/284 - -commit 93b51819d4693955936456916188b4118fe68a66 -Author: Patrick Schleizer -Date: Fri Dec 6 09:47:08 2024 -0500 - - permission hardener mount chmod change from `745` to `755` - - https://github.com/Kicksecure/security-misc/issues/284 - -commit 1708a03e1edda821ef091f10c46d32f740511d38 -Author: Aaron Rainbolt -Date: Thu Nov 28 15:20:57 2024 -0600 - - Enable umask hardening - -commit 59299a6639fef31565b8f3cef857c9faa331e0f7 -Author: Patrick Schleizer -Date: Mon Nov 25 21:07:42 2024 +0000 - - bumped changelog version - -commit 98d7c245ee11f16e566422a17543aaed2c155d88 -Author: Patrick Schleizer -Date: Mon Nov 25 15:57:30 2024 -0500 - - "|| exit 1" no longer required thanks to errexit - -commit f9b5d7d3f4f2ed8d1baae67d8427f13cf26aee8d -Author: Patrick Schleizer -Date: Mon Nov 25 15:48:01 2024 -0500 - - use strict shell options - -commit d32cb8c95b09721e52c4d682a0ddd39d590a4368 -Author: Patrick Schleizer -Date: Mon Nov 25 15:44:00 2024 -0500 - - use TMP, sponge, refactoring - -commit 62a551cfe39a6a640f32e6e97f3e915aa8673514 -Merge: af43472 d7475e2 -Author: Patrick Schleizer -Date: Mon Nov 25 15:38:01 2024 -0500 - - Merge remote-tracking branch 'ArrayBolt3/arraybolt3/sudoers' - -commit d7475e252a64e296913ed8893261e52e72163d55 -Author: Aaron Rainbolt -Date: Thu Nov 21 20:03:42 2024 -0600 - - Make apt-get-update able to be terminated securely - -commit af43472d0ccdecb1725a200d10aeeb1b8d51f31a -Author: Patrick Schleizer -Date: Thu Nov 14 22:24:50 2024 +0000 - - bumped changelog version - -commit c7e9460b2ae8dcb96196fef69a7e0ed992c1b43b -Author: Patrick Schleizer -Date: Thu Nov 14 16:31:12 2024 -0500 - - output - -commit 31804e30ecc9c5a1c5a8e1e014d3dcb85cee4f36 -Author: Patrick Schleizer -Date: Thu Nov 14 20:46:26 2024 +0000 - - bumped changelog version - -commit ef95b3f9a5aed9652c541cf4bf05b20011718466 -Author: Patrick Schleizer -Date: Thu Nov 14 14:41:14 2024 -0500 - - Revert "fix `panic-on-oops.service`" - - This reverts commit 862d23cb10b7687084f8e7e207d1e2c9c1ef6751. - -commit 412b371e85044962f6620386b767369b9e25d71e -Merge: 141b84c 57e1edd -Author: raja-grewal -Date: Wed Nov 13 16:47:57 2024 +1100 - - Merge branch 'Kicksecure:master' into arp - -commit 141b84c40de76988ec78bdccf1c1d67fc4367b3f -Author: raja-grewal -Date: Wed Nov 13 05:42:56 2024 +0000 - - Provide option to deny sending and receiving shared media redirects - -commit 18aec201bfb0477fee8800ad1388099e11920016 -Author: raja-grewal -Date: Wed Nov 13 05:41:25 2024 +0000 - - Provide option to harden response to ARP requests - -commit a25d4f8df88908e83e56049204aa625f1196a948 -Author: raja-grewal -Date: Wed Nov 13 05:40:21 2024 +0000 - - Provide option to enable ARP filtering - -commit c2aae73ce161811571e4c85609a0b043399c1b65 -Author: raja-grewal -Date: Wed Nov 13 05:38:03 2024 +0000 - - Add reference and move text - -commit 57e1edde23aa3f313ce087e00ebc14d158356d6c -Author: Patrick Schleizer -Date: Tue Nov 12 09:11:57 2024 +0000 - - bumped changelog version - -commit 7987a3914d364e674eb7479b15708c450041af02 -Author: Patrick Schleizer -Date: Tue Nov 12 02:29:42 2024 -0500 - - deleted no longer used and out-commented `/etc/sudoers.d/xfce-security-misc` leftover - -commit 8c2e8e69798e5255529ab3dbee6ca07b8b293100 -Author: Patrick Schleizer -Date: Tue Nov 12 01:41:12 2024 -0500 - - deleted no longer used and out-commented `etc/sudoers.d/pkexec-security-misc` leftover - -commit 65fc0419a84d62e07c61d7e37ef27d144b6b6794 -Author: Patrick Schleizer -Date: Mon Nov 11 11:07:57 2024 +0000 - - bumped changelog version - -commit 50161f5d79eea2ab796863e4eb30eccc17e0b41d -Author: Patrick Schleizer -Date: Mon Nov 11 05:48:11 2024 -0500 - - moved /etc/dkms/framework.conf.d/30_security-misc.conf (renamed) to usability-misc - -commit 7c06e22c7d11c345428f3ad42ba43805ebc8d810 -Author: Patrick Schleizer -Date: Mon Nov 11 05:43:25 2024 -0500 - - deleted `/usr/bin/pkexec.security-misc` - - This was not used anymore for anything. In the past, we used to `config-package-dev` `replace` `/usr/bin/pkexec` with `/usr/bin/pkexec.security-misc` for the purpose of: - - > Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with hidepid. - - * https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040 - * https://forums.whonix.org/t/cannot-use-pkexec/8129 - - This was a worthwhile effort, interesting approach but ultimately a dead-end. - -commit ef05b1a160b24d5aa42da9cc15009d94a37cf120 -Author: Patrick Schleizer -Date: Mon Nov 11 05:40:41 2024 -0500 - - disable legacy matroxfb_base framebuffer driver - - fix typo matroxfb_bases -> matroxfb_base - - Thanks to @ArrayBolt3 for the bug report! - -commit 862d23cb10b7687084f8e7e207d1e2c9c1ef6751 -Author: Patrick Schleizer -Date: Mon Nov 11 05:36:41 2024 -0500 - - fix `panic-on-oops.service` - - remove `After=multi-user.target` because already using `WantedBy=multi-user.target` - - Thanks to @ArrayBolt3 for the bug report! - -commit 29ae5f5980d521f6a4b468f5bf41210f78fdf10a -Author: Patrick Schleizer -Date: Mon Nov 11 05:28:31 2024 -0500 - - fix optional opt-in `harden-module-loading.service` - - by making `/usr/libexec/security-misc/disable-kernel-module-loading` executable - - Thanks to @ArrayBolt3 for the bug report! - -commit 4c649577f053af12bcd02c20576bf2d8aec1476d -Author: Patrick Schleizer -Date: Sun Nov 10 11:52:42 2024 +0000 - - bumped changelog version - -commit 29b1f1ec5f3a4bf3991fc1b862751c8eb9769ecd -Merge: 5bd0a27 238f32e -Author: Patrick Schleizer -Date: Sun Nov 10 06:32:30 2024 -0500 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 5bd0a277bf39812c6adf40a7a3ef6390935fa08e -Author: Patrick Schleizer -Date: Sun Nov 10 06:29:17 2024 -0500 - - fix permission-hardener issue "Removing capabilities failed. File: '/bin/ping'" - - no longer user end-of-options marker (`--`) for `setcap` - since setcap does not support it - - Fixes https://github.com/QubesOS/qubes-issues/issues/9569 - - https://forums.whonix.org/t/permission-hardener-error/20719 - -commit 238f32e81d835e5b9d3bc43a0654d05efa4c4313 -Merge: 3af2684 8107782 -Author: Patrick Schleizer -Date: Fri Nov 8 07:39:40 2024 -0500 - - Merge pull request #280 from raja-grewal/ssbd - - Enable `ssbd=force-on` - -commit 8107782fa54ec0e21893e6bd4a6baabb71eb864b -Author: raja-grewal -Date: Fri Nov 8 15:36:04 2024 +1100 - - Enable `ssbd=force-on` - -commit a1d1f97955fd9fd3cee77dc04e2eb5e5fa29d243 -Author: raja-grewal -Date: Fri Nov 8 03:58:23 2024 +0000 - - Provide option to drop gratuitous ARP packets - -commit 3af2684134279ba6f5b18b40986f02a50baa5604 -Author: Patrick Schleizer -Date: Wed Oct 30 09:43:05 2024 +0000 - - bumped changelog version - -commit 71c58442ca6d57cd95b72a76ed87f8c248cdbd98 -Author: Patrick Schleizer -Date: Mon Oct 28 05:10:19 2024 -0400 - - minor - -commit cfe19e31d858d7899f4d95e21117c992d236d328 -Author: Patrick Schleizer -Date: Mon Oct 28 05:09:53 2024 -0400 - - shell options - -commit 0d506156587f87a303184f22259ffb57dd92cbc8 -Author: Patrick Schleizer -Date: Mon Oct 28 05:07:00 2024 -0400 - - local - -commit ef0eb5f7a0c5a62c5d26bf6dc534f6aa3decc4b0 -Author: Patrick Schleizer -Date: Mon Oct 28 05:06:26 2024 -0400 - - refactoring - -commit fdd1f4b7f88efc22bb57c2ad3e83c0c2e8cbb064 -Author: Patrick Schleizer -Date: Mon Oct 28 05:06:05 2024 -0400 - - refactoring - -commit d00235897d686895a7e2e7da7435832fee008164 -Author: Patrick Schleizer -Date: Mon Oct 28 05:03:59 2024 -0400 - - hide-hardware-info: also parse `/usr/local/etc/hide-hardware-info.d/*.conf` - -commit 6c2e808b9f34900840bd2857fed10d1ffd4cc4c2 -Author: Patrick Schleizer -Date: Mon Oct 28 05:03:20 2024 -0400 - - refactoring - -commit b44e507900defe3db68f31f3e110b1c3e5aa684c -Author: Patrick Schleizer -Date: Wed Oct 23 09:56:05 2024 +0000 - - bumped changelog version - -commit 566cda5e4bc69f54d63d72f1e30703074fdf0ce8 -Author: Patrick Schleizer -Date: Mon Oct 21 05:47:38 2024 -0400 - - output - -commit 5991a23049491dd04c19d9ea80f7d7381dd494a0 -Author: Patrick Schleizer -Date: Mon Oct 21 05:47:25 2024 -0400 - - comment - -commit fd34baff8ff17ed572469d9d6d884e6c0d881d20 -Merge: b643330 690e8dd -Author: Patrick Schleizer -Date: Mon Oct 21 05:43:53 2024 -0400 - - Merge remote-tracking branch 'ArrayBolt3/master' - -commit 690e8dd826d1cb39c0c12c03792781862cc2dd23 -Author: Aaron Rainbolt -Date: Sat Oct 19 23:49:07 2024 -0500 - - Avoid faillock lock/tally reset on reboot or timeout - -commit b6433309fd7d6839cfba89e1197590e1ff62ef58 -Author: Patrick Schleizer -Date: Fri Oct 18 12:45:02 2024 -0400 - - use end-of-options - -commit 0cfcdf4f89dc75f2a8e3f8a9e8c69dc3ba3da78a -Author: Patrick Schleizer -Date: Wed Oct 16 10:57:20 2024 +0000 - - bumped changelog version - -commit 0adb9b7c0609a51d503b61ab40ae7d8e55635043 -Merge: 263335f e50ad80 -Author: Patrick Schleizer -Date: Wed Oct 16 06:31:09 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit e50ad807c01b5753c67d579126d7b79d38070c0a -Merge: 263335f eb72163 -Author: Patrick Schleizer -Date: Wed Oct 16 06:29:25 2024 -0400 - - Merge pull request #276 from raja-grewal/KSPP_header - - Clarify KSPP compliance header - -commit eb72163d5707c7673db1f12405d2e04261bd43c8 -Author: raja-grewal -Date: Mon Oct 14 03:01:15 2024 +0000 - - README.md: Make line lengths consistent - -commit a9f238fe048acfeff49f96c00570acc6ca4c37e8 -Author: raja-grewal -Date: Mon Oct 14 02:57:31 2024 +0000 - - README.md: Split optional setting to new line - -commit 09fe46adc956e8c6de232f1093c37cdd30933acd -Author: raja-grewal -Date: Mon Oct 14 02:54:30 2024 +0000 - - Clarify KSPP compliance header for the undocumented case - -commit 263335f74ea0f050f9c259e20141c3345e7fa789 -Author: Patrick Schleizer -Date: Tue Oct 8 11:24:56 2024 +0000 - - bumped changelog version - -commit 9169611645d0cd5a308ff48862f351ef5ea5f7e8 -Merge: 8a2d432 8227a3d -Author: Patrick Schleizer -Date: Tue Oct 8 05:54:50 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 8227a3dde2995ceb113164baf49591d52c2b53e1 -Merge: 8a2d432 0c0774f -Author: Patrick Schleizer -Date: Tue Oct 8 05:53:48 2024 -0400 - - Merge pull request #273 from raja-grewal/text_2 - - Documentation update 2 - -commit 0c0774f6c0927ed1cc599f931175985b8f01ec30 -Merge: dc470ca 8a2d432 -Author: raja-grewal -Date: Sun Oct 6 10:48:52 2024 +0000 - - Merge branch 'master' into text_2 - -commit dc470cac1d93656354aeaaac0a6f8cbbd39f9f0f -Author: raja-grewal -Date: Sun Oct 6 10:46:05 2024 +0000 - - Remmove deprecated link - -commit 8a2d432ffe6d4eb661026b6e7dbf534bb1db971b -Author: Patrick Schleizer -Date: Thu Oct 3 07:22:23 2024 +0000 - - bumped changelog version - -commit 0e3ffa3f11a0049e57803c8f2e75dbb7d8ceb22c -Author: Patrick Schleizer -Date: Thu Oct 3 02:58:58 2024 -0400 - - no longer set `kernel.unprivileged_userns_clone=0` - - because it breaks too much - - fixes https://github.com/Kicksecure/security-misc/issues/274 - -commit f401d94d5e0d0f26e93be55deda440fe565a6b22 -Author: Patrick Schleizer -Date: Thu Oct 3 02:44:06 2024 -0400 - - expand documentation on `kernel.unprivileged_userns_clone=0` sysctl - - https://github.com/Kicksecure/security-misc/issues/274 - -commit ac1378743c7448c9a7e7e02bebcf3270592d42a5 -Author: raja-grewal -Date: Mon Sep 30 16:56:18 2024 +1000 - - Consistent formatting - -commit eae38e72f30ff9b9f8d0b8b0b33182a918333e48 -Author: raja-grewal -Date: Thu Sep 26 13:10:36 2024 +0000 - - README.md: Show the current max_map_count - -commit f3b50a23c976ba4feff34eee721c50f698ecc5bf -Author: raja-grewal -Date: Thu Sep 26 13:10:01 2024 +0000 - - Add reference on unprivileged_userns_restriction - -commit 39d063d494cb540f45747f6253ab896200ba03c3 -Author: raja-grewal -Date: Thu Sep 26 13:09:21 2024 +0000 - - Add KSPP=no definition - -commit 5572eb897a10455041df8abec6b6be6de29431a0 -Author: Patrick Schleizer -Date: Wed Sep 25 01:03:42 2024 +0000 - - bumped changelog version - -commit e04f9cd4c17305d5201aa973c34778e81508734b -Merge: 18d426f 65aa910 -Author: Patrick Schleizer -Date: Tue Sep 24 20:16:06 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 65aa910503c07f708abf20f78be2f519ef58764a -Merge: 18d426f 870ff88 -Author: Patrick Schleizer -Date: Tue Sep 24 20:15:03 2024 -0400 - - Merge pull request #272 from raja-grewal/text - - Documentation update - -commit 870ff88605b8167c8882162cc3da005d71ca0cd3 -Author: raja-grewal -Date: Wed Sep 25 10:01:45 2024 +1000 - - Comment on Flatpak requiring unprivileged user namespaces - -commit 769767a96a5de2a8bc05e70ca490d8340b553061 -Author: raja-grewal -Date: Wed Sep 25 09:54:49 2024 +1000 - - Update mmap ASLR docs - -commit 18d426f521b2b1369fe68e143dc8a0be064d0dcc -Author: Patrick Schleizer -Date: Sat Sep 14 02:56:09 2024 +0000 - - bumped changelog version - -commit 3280dbd5d562d7f6b50118ac0da36c3285493be6 -Author: Patrick Schleizer -Date: Fri Sep 13 22:52:47 2024 -0400 - - Fix VirtualBox audio device ICH AC97. - - no longer `blacklist snd_intel8x0` - - Breaks VirtualBox audio device ICH AC97, which is unfortunately still required by some users. - https://www.kicksecure.com/wiki/Dev/audio - - Fixes https://github.com/Kicksecure/security-misc/issues/271 - -commit 1bc694fa124eaeb6e1517d2191a8fd97446872c4 -Author: Patrick Schleizer -Date: Sun Sep 8 17:41:30 2024 +0000 - - bumped changelog version - -commit 01908d505a59e7ec37cc3de3e1d49ff35ba127aa -Author: Patrick Schleizer -Date: Thu Sep 5 07:00:11 2024 -0400 - - readme - -commit e914028be7a48a3bfdf86e09c029011807f080d7 -Author: Patrick Schleizer -Date: Thu Sep 5 06:03:05 2024 -0400 - - add KSPP compliance status to readme based on comment by @raja-grewal - - https://github.com/Kicksecure/security-misc/issues/256#issuecomment-2330376651 - -commit 40fb14c654df94e9bdfb30ae55fc3bc4f0a0aef4 -Author: Patrick Schleizer -Date: Wed Sep 4 14:13:15 2024 +0000 - - bumped changelog version - -commit 5a255d4831470449a26b324a8f16594432bf834b -Merge: d618f9f 563a898 -Author: Patrick Schleizer -Date: Wed Sep 4 10:12:34 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 563a8980133e15e33ac95a631e37ecfff88f6f8f -Merge: 175945e e61027a -Author: Patrick Schleizer -Date: Wed Sep 4 10:11:48 2024 -0400 - - Merge pull request #265 from raja-grewal/mmap_min_addr - - Set `sysctl vm.mmap_min_addr=65536` - -commit d618f9f35b8e8c6eee1e164a6ec300d63b1ee797 -Merge: 59374ce 175945e -Author: Patrick Schleizer -Date: Wed Sep 4 10:07:50 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 175945ec9a28bf1e5b0fa0d2ae2bd6546d6c6172 -Merge: b0a8544 3101035 -Author: Patrick Schleizer -Date: Wed Sep 4 10:05:47 2024 -0400 - - Merge pull request #268 from raja-grewal/panic_on_warn - - Enable `panic_on_warn=1` - -commit b0a8544182f6ff3c8c3f1068176ff5e9e4f557ef -Merge: 59374ce 7393ba1 -Author: Patrick Schleizer -Date: Wed Sep 4 10:04:45 2024 -0400 - - Merge pull request #270 from raja-grewal/typo - - Small typo - -commit 7393ba159192fdfc45ef31a3fa60786f899dbf25 -Author: raja-grewal -Date: Wed Sep 4 23:23:24 2024 +1000 - - Typo - -commit 59374ce902127e2125addc2ebb57d0d856a63671 -Author: Patrick Schleizer -Date: Thu Aug 29 09:49:51 2024 +0000 - - bumped changelog version - -commit 7e2838ec077b53e41d468d5655290152761c8745 -Merge: 9c918eb 0762794 -Author: Patrick Schleizer -Date: Thu Aug 29 05:06:07 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 0762794ff684049a62b5b92b61177615a5376ad7 -Merge: 9c918eb 6294729 -Author: Patrick Schleizer -Date: Thu Aug 29 04:46:26 2024 -0400 - - Merge pull request #269 from raja-grewal/tidy - - Minor correction - -commit 6294729c8ef24077cd342b4557653806c3aacd34 -Author: Raja Grewal -Date: Thu Aug 29 15:34:24 2024 +1000 - - Follow-up on https://github.com/Kicksecure/security-misc/commit/f70fe308a9f65873d34de2d1906d825f3a56e272 - -commit 3101035a3fd5fbe87c79e95e51dc2da39fee93d5 -Author: Raja Grewal -Date: Thu Aug 29 01:57:32 2024 +1000 - - Enable `panic_on_warn=1` - -commit 9c918eb4313b60dc15aa9fa4474a7977602030c1 -Author: Patrick Schleizer -Date: Wed Aug 28 11:01:37 2024 +0000 - - bumped changelog version - -commit f70fe308a9f65873d34de2d1906d825f3a56e272 -Author: Patrick Schleizer -Date: Wed Aug 28 06:49:50 2024 -0400 - - no longer set sysctl `fs.binfmt_misc.status=0` / - no longer disallow registering interpreters for miscellaneous binary formats - - causing file/folder permissions issue `d????????? ? ? ? ? ? .` - - Firefox no longer starting (probably not not a Firefox issue) - - https://github.com/Kicksecure/security-misc/issues/267 - -commit 463aa58f28b6389d0925fed87096b348b652cc16 -Merge: cf824dd 328840c -Author: Patrick Schleizer -Date: Wed Aug 28 06:42:49 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 328840c933a583adc5458aa08c63fb627b31b298 -Merge: cf824dd 9e91c98 -Author: Patrick Schleizer -Date: Wed Aug 28 06:38:57 2024 -0400 - - Merge pull request #264 from raja-grewal/kspp_compliance - - Add KSPP compliance notices to corresponding parameters and `sysctls` - -commit 9e91c98cc926e7a166458cd78e3c1d1ced23c753 -Author: Raja Grewal -Date: Mon Aug 26 12:40:04 2024 +1000 - - Add details on BPF hardening and split the `sysctl`s - -commit 2c356e8b0ef7db56e7b453535c8cb6c83fc2e3c6 -Author: Raja Grewal -Date: Mon Aug 26 11:34:12 2024 +1000 - - Add KSPP notice definitions - -commit 2841d789bebbd43f855b6ffb92a3a6f017007a72 -Author: Raja Grewal -Date: Mon Aug 26 11:21:26 2024 +1000 - - README: Update - -commit ac6602ac3531ae57603e8a9e5ac2ee1652164b23 -Author: Raja Grewal -Date: Mon Aug 26 11:19:20 2024 +1000 - - Add detail on disabling user namespaces breaking UPower - -commit 9dbd200be415c86e7039463c6269fad8395a4373 -Merge: 32de5e7 cf824dd -Author: raja-grewal -Date: Mon Aug 26 11:08:21 2024 +1000 - - Merge branch 'Kicksecure:master' into kspp_compliance - -commit cf824ddb248957fd9e542c1a5adc5e90381f684c -Author: Patrick Schleizer -Date: Sun Aug 25 15:34:55 2024 +0000 - - bumped changelog version - -commit 500568e322b2e3623fc649209d671c7b9d9fa097 -Merge: 43d13b7 73900b5 -Author: Patrick Schleizer -Date: Sun Aug 25 11:01:58 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 73900b59db37d77bc24bd5088aae3cc760aacc69 -Merge: 43d13b7 1f51d4e -Author: Patrick Schleizer -Date: Sun Aug 25 11:00:51 2024 -0400 - - Merge pull request #263 from raja-grewal/max_user_namespaces - - Provide option to disable user namespaces - -commit 43d13b70f12d2198a800054ce4d1ff901cc474f9 -Merge: 8353764 fae586c -Author: Patrick Schleizer -Date: Sun Aug 25 10:55:52 2024 -0400 - - Merge remote-tracking branch 'raja/syntax' - -commit 835376418d616699023f8e638666f43d34241863 -Merge: ae85fd5 342caf8 -Author: Patrick Schleizer -Date: Sun Aug 25 10:48:25 2024 -0400 - - Merge remote-tracking branch 'raja/mod' - -commit ae85fd5b4ce6f4716f95332c19b79d3daa8f7220 -Author: Patrick Schleizer -Date: Sun Aug 25 14:33:40 2024 +0000 - - bumped changelog version - -commit 433b15f985545f531b87d09659bbbb89993b5a67 -Author: Raja Grewal -Date: Wed Aug 21 12:51:51 2024 +1000 - - README.md: Organise `sysctl`s - -commit af87a84b4f40b2ad9ac05dd9bce837665f239454 -Author: Raja Grewal -Date: Wed Aug 21 12:52:48 2024 +1000 - - README.md: Organise kernel boot parameters - -commit 32de5e7c49d301b62b838ba88550f58b02b6562b -Author: Raja Grewal -Date: Sun Aug 25 12:57:22 2024 +1000 - - Add details on oopses and warnings - -commit e4909b5e28e16f09de0e548c9221578ebe1190a3 -Author: Raja Grewal -Date: Sun Aug 25 12:47:04 2024 +1000 - - Add details on kernel panics - -commit 342caf82b20acc2931563449fafe9a98cbedaba2 -Author: Raja Grewal -Date: Wed Aug 21 12:52:48 2024 +1000 - - README.md: Organise kernel boot parameters - -commit b87a18d4050bbf2add5cc4920684876a440e65bb -Author: Raja Grewal -Date: Wed Aug 21 12:51:51 2024 +1000 - - README.md: Organise `sysctl`s - -commit 18ed77ecc93e9ee759a4990a32edb3dd671b8c26 -Author: Raja Grewal -Date: Wed Aug 21 12:50:14 2024 +1000 - - Refactor modprobe.d to minimise potential future merge conflicts - -commit 56b28e38264fe742b8d694176f1057c15574fc08 -Author: Raja Grewal -Date: Mon Aug 19 11:50:08 2024 +1000 - - Typo - -commit e61027a40e2ab82fac3ae4cfd5f91fd0a47f31e5 -Author: Raja Grewal -Date: Mon Aug 19 11:32:20 2024 +1000 - - Set `sysctl vm.mmap_min_addr=65536` - -commit 94dab1b7c503429e2fa91019a0183b2f36c6693f -Author: Raja Grewal -Date: Mon Aug 19 10:53:05 2024 +1000 - - Partial compliance with the KSPP on kernel panics - -commit 683110e7f02fa5fc6415354386552640cdb8758b -Author: Raja Grewal -Date: Mon Aug 19 01:34:14 2024 +1000 - - Correction - -commit 1f51d4eeb2b0c6e23ce64fb272eecb97e089324d -Author: Raja Grewal -Date: Sun Aug 18 13:53:11 2024 +1000 - - Add details on user namespaces - -commit 248e094b8e0bbf7892f79ad1c3ec77c7ed00d008 -Author: Raja Grewal -Date: Sat Aug 17 01:06:21 2024 +1000 - - Include KSPP compliance notices - -commit 759aee8150a2d1258d73217c071b25432d47496f -Author: Raja Grewal -Date: Fri Aug 16 22:54:57 2024 +1000 - - Provide option to disable user namespaces - -commit fae586c3c5e8382ca01c60f810b26d88189a5514 -Author: Raja Grewal -Date: Fri Aug 16 19:23:48 2024 +1000 - - Patch bug in existing `rp_filter` `sysctl` - -commit e962153f84c4cb8e13fb0cc25d611ae481c7a0c7 -Author: Patrick Schleizer -Date: Fri Aug 16 08:38:12 2024 +0000 - - bumped changelog version - -commit 40b12f5a2a4a40d7033569b11ad4e1c228e7389b -Merge: 12296c6 305467c -Author: Patrick Schleizer -Date: Fri Aug 16 04:30:29 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 305467c652af933bb5aa5a677b10a992a5f19cab -Merge: 12296c6 a5373af -Author: Patrick Schleizer -Date: Fri Aug 16 04:25:43 2024 -0400 - - Merge pull request #245 from raja-grewal/blacklist_to_disable - - Update `/etc/modprobe.d/*` - -commit 12296c68dc0aaa3703e1c36f854a02de8db412fe -Merge: 4bc12b0 036bcea -Author: Patrick Schleizer -Date: Fri Aug 16 04:22:43 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 036bcea4e6757de094fcafdadcf56aaa90729d79 -Merge: ef60c5b 81bf7a8 -Author: Patrick Schleizer -Date: Fri Aug 16 04:20:32 2024 -0400 - - Merge pull request #262 from raja-grewal/docs - - Miscellaneous updates to presentation - -commit 81bf7a8f90098a7107dcb3c783b87a168f5c090f -Merge: cea8e75 ef60c5b -Author: raja-grewal -Date: Fri Aug 16 16:57:01 2024 +1000 - - Merge branch 'Kicksecure:master' into docs - -commit ef60c5b153a521e1cfd522ac471a8ca6dc076d90 -Merge: 4bc12b0 b552b92 -Author: Patrick Schleizer -Date: Fri Aug 16 02:43:57 2024 -0400 - - Merge pull request #249 from raja-grewal/binfmt_misc - - Disallow registering interpreters for miscellaneous binary formats - -commit cea8e753786d100ebe961ad74a99925e54d47771 -Author: Raja Grewal -Date: Fri Aug 16 14:55:22 2024 +1000 - - Consistent formating - -commit 84376d23fc17d2ced890ffca0b05d15907d42a6f -Author: Raja Grewal -Date: Fri Aug 16 13:39:11 2024 +1000 - - Add details on ASLR and move to user space section - -commit a13298002350a39491a509d15633edb95a2e3edd -Author: Raja Grewal -Date: Fri Aug 16 13:24:25 2024 +1000 - - Update README.md - -commit 9212a4e93754a4505be3fcf0ff4b029c073d2f07 -Author: Raja Grewal -Date: Fri Aug 16 13:12:07 2024 +1000 - - Typos - -commit 23a77d4973ec20b2aaab6a9c3a9fd8a98034923e -Author: Raja Grewal -Date: Fri Aug 16 12:46:51 2024 +1000 - - Simplify syntax of some network-related `sysctl`'s - -commit e3a3207a4447568a17129afe9dde34debc465e21 -Author: Raja Grewal -Date: Fri Aug 16 12:41:36 2024 +1000 - - Clarify DMA hardening - -commit be9308e490f79a7b7788a744524d1d91cc870726 -Merge: 73db68d 4bc12b0 -Author: raja-grewal -Date: Fri Aug 16 11:45:43 2024 +1000 - - Merge branch 'Kicksecure:master' into docs - -commit 4bc12b07b42def786862b938e3f63c18cf874158 -Author: Patrick Schleizer -Date: Thu Aug 15 17:51:18 2024 +0000 - - bumped changelog version - -commit 9e61e37c17524b57f185b796f2ac19ba193205a8 -Merge: 89e816d dfd1c97 -Author: Patrick Schleizer -Date: Thu Aug 15 13:47:33 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit dfd1c97168249b229495cbd873d4d8493e244663 -Merge: 89e816d ec3038c -Author: Patrick Schleizer -Date: Thu Aug 15 13:46:30 2024 -0400 - - Merge pull request #248 from raja-grewal/secure_redirects - - Re-enable (default) `secure_redirects` for ICMP redirect messages - -commit b552b92401f67d59e12ac6fda2f7fe1c54b0c8a7 -Author: Raja Grewal -Date: Thu Aug 15 11:54:21 2024 +1000 - - Add references on `fs.binfmt_misc.status` - -commit 326d82a9beee130956dd817812016a6ee16fccbc -Author: Raja Grewal -Date: Thu Aug 15 11:46:56 2024 +1000 - - Revert "Provide optional `sysctl fs.binfmt_misc.status=0`" - - This reverts commit debd7a7b7ae8b03e04d2c8597bcccf2c79000570. - -commit 73db68dbf9a1f9ded95a593db36a4960ce06a173 -Author: Raja Grewal -Date: Fri Aug 9 14:27:30 2024 +1000 - - Add details on KFENCE - -commit f8fa89b245d929aee9884937fdcf44a6551df4cf -Author: Raja Grewal -Date: Fri Aug 9 14:21:59 2024 +1000 - - Add details on `tcp_timestamps` - -commit 3456f1c1d7725846ec201c28dd693bf9b07bab89 -Author: Raja Grewal -Date: Fri Aug 9 13:39:25 2024 +1000 - - Minor consistency update in README.md - -commit 15c638acad64cc3dcc7b5c43d9a6be2fa2350654 -Author: Raja Grewal -Date: Fri Aug 9 13:36:47 2024 +1000 - - Add reference on RDRAND - -commit 077bc48a26d1d3f5d1f758d7e251edccba64742b -Author: Raja Grewal -Date: Fri Aug 9 13:35:33 2024 +1000 - - Add reference on `rp_filter` - -commit d8bcec881f66604e29d6e0c1426635e2ad4979f1 -Author: Raja Grewal -Date: Fri Aug 9 13:33:32 2024 +1000 - - Add some notices for future Debian 13 rebase - -commit 0b0683499a6a21e3995a115c377eb19008bc4cd1 -Author: Raja Grewal -Date: Fri Aug 9 13:30:39 2024 +1000 - - Consistent line length formatting - -commit e5a38fc856c66d2bd6abc35fc08d4f2083ea8e54 -Author: Raja Grewal -Date: Fri Aug 9 13:30:15 2024 +1000 - - Typo - -commit a5373afc55e789f4657f3d843243e878e4afffa2 -Author: Raja Grewal -Date: Wed Aug 7 14:44:14 2024 +1000 - - Details on disabled `fbdev` kernel modules - -commit e98dc8c4f8af32dd3b10c034477fd2154df189ac -Author: Raja Grewal -Date: Wed Aug 7 14:14:47 2024 +1000 - - Update notifications for disabled kernel modules - -commit 50fa721fd54cd696ae90a35bc7df7c8f1eb17a13 -Author: Raja Grewal -Date: Wed Aug 7 14:01:49 2024 +1000 - - Update docs regarding Intel module disabling - -commit ec3038c7bc625f6c8eddb753ffe295ff2697a717 -Author: Raja Grewal -Date: Wed Aug 7 13:48:53 2024 +1000 - - Clarify `secure_redirects` - -commit debd7a7b7ae8b03e04d2c8597bcccf2c79000570 -Author: Raja Grewal -Date: Wed Aug 7 13:33:44 2024 +1000 - - Provide optional `sysctl fs.binfmt_misc.status=0` - -commit 89e816dda6c5a00512b276071c4d9fe108ee63b5 -Author: Patrick Schleizer -Date: Tue Aug 6 14:01:39 2024 +0000 - - bumped changelog version - -commit 967f9e257b09bc73ddb579292d507f7cb9832643 -Merge: fa90918 a25aaf9 -Author: Patrick Schleizer -Date: Tue Aug 6 09:57:56 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit a25aaf900a12666046278a9fab6933b3d5670679 -Merge: 6bc039a 8559079 -Author: Patrick Schleizer -Date: Tue Aug 6 09:55:20 2024 -0400 - - Merge pull request #260 from raja-grewal/vdso32 - - Enable `vdso32=0` - -commit 6bc039a430289342f06857a52a5f13829d6e50f5 -Merge: ce60d56 d102ec1 -Author: Patrick Schleizer -Date: Tue Aug 6 09:52:56 2024 -0400 - - Merge pull request #259 from raja-grewal/kfence - - Enable `kfence.sample_interval=100` - -commit ce60d5615fe99e41c48d459f562d581a688c295a -Merge: b027842 c0d140f -Author: Patrick Schleizer -Date: Tue Aug 6 09:48:08 2024 -0400 - - Merge pull request #258 from raja-grewal/legacy_tiocsti - - Enable `dev.tty.legacy_tiocsti=0` - -commit b0278428a73cd3d329aaa36626005e0c593331f0 -Merge: fa90918 aa34d86 -Author: Patrick Schleizer -Date: Tue Aug 6 09:39:04 2024 -0400 - - Merge pull request #257 from raja-grewal/slab_debug - - Enable `slab_debug=FZ` - -commit 8559079312adb4ed92e5f478120b408dfe7a1124 -Author: Raja Grewal -Date: Mon Aug 5 15:10:02 2024 +1000 - - Enable `vdso32=0` - -commit d102ec19972865032f12f90bffe3e592546f0267 -Author: Raja Grewal -Date: Mon Aug 5 15:07:56 2024 +1000 - - Enable `kfence.sample_interval=100` - -commit c0d140f2211e6490d13e3cd327005027c668905f -Author: Raja Grewal -Date: Mon Aug 5 15:06:34 2024 +1000 - - Enable `dev.tty.legacy_tiocsti=0` - -commit aa34d86598f5b846b007730104e4c99c59f9984d -Author: Raja Grewal -Date: Mon Aug 5 14:27:17 2024 +1000 - - Enable `slab_debug=FZ` - -commit 4f7f82016015f61002ac8f778b61968c572dc7dc -Author: Raja Grewal -Date: Mon Aug 5 14:16:33 2024 +1000 - - Add reference - -commit fa9091869d417c6494840d0cb32623037d70c8be -Merge: 06f0c27 725118c -Author: Patrick Schleizer -Date: Sun Aug 4 16:20:36 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 725118c5759b45118bbd2804492526ea2a7c1a81 -Merge: 6d97408 6d211fa -Author: Patrick Schleizer -Date: Sun Aug 4 16:19:52 2024 -0400 - - Merge pull request #243 from raja-grewal/namespaces - - Restrict unprivileged user namespaces - -commit 06f0c27128a66c1074f405de3139651519e48204 -Merge: 8abc5ae 6d97408 -Author: Patrick Schleizer -Date: Sun Aug 4 16:15:01 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 6d97408a6d2f002461ae6ca1d647fbf24bf1b99e -Merge: 8abc5ae 6f14d68 -Author: Patrick Schleizer -Date: Sun Aug 4 16:11:46 2024 -0400 - - Merge pull request #255 from raja-grewal/SLUB - - Restore option to enable `slub_debug=FZ` - -commit 8abc5ae8f0f152c68f855f0e8d993880589c5d5c -Merge: de6f3ea eab66da -Author: Patrick Schleizer -Date: Sun Aug 4 16:09:52 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit eab66dad0994e408c1beaade3fdcf2cd1d605b31 -Merge: de6f3ea ca2179b -Author: Patrick Schleizer -Date: Sun Aug 4 16:08:32 2024 -0400 - - Merge pull request #254 from raja-grewal/patch - - Updates to kernel and `sysctl` hardening - -commit 6f14d68cdcad3784311e33029eba6906ea0784c2 -Author: Raja Grewal -Date: Sat Aug 3 15:12:15 2024 +1000 - - Update legacy name `slub_debug` -> `slab_debug` - -commit 22b6cee80c74aff3d0f9cd36822ae88f8fa8e601 -Author: Raja Grewal -Date: Sat Aug 3 15:11:14 2024 +1000 - - Add details about `slub_debug` - -commit b77d1a2b980ae20158aa628eec67b016282d0a40 -Author: Raja Grewal -Date: Sat Aug 3 14:49:48 2024 +1000 - - Revert "Remove the optional `slub_debug` parameter since it is no longer recommended" - - This reverts commit 48e1ac416314d2c66f3a0d5044a3c51cb6fb4093. - -commit ca2179bb6a01e3ebbb1e04e3507cc305f25bca4e -Author: Raja Grewal -Date: Sat Aug 3 00:25:49 2024 +1000 - - Provide the option to disable legacy TIOCSTI operation - -commit 52aeacb4da4a8458b0ffdc1ade4094a178def6f4 -Author: Raja Grewal -Date: Sat Aug 3 00:13:38 2024 +1000 - - Provide option to disable 32 bit vDSO mappings - -commit 9099ecce8ae12352f2b739d3d7adf6069488ff49 -Author: Raja Grewal -Date: Sat Aug 3 00:12:50 2024 +1000 - - Provide option to enable the kernel Electric-Fence - -commit f6a16258a116ce5c5f4f6bad9d8ab9b6e1ec6bb7 -Author: Raja Grewal -Date: Sat Aug 3 00:11:06 2024 +1000 - - Add references to KSPP - -commit e53d24fc48b51a21fc182cc59890e97a1d7ac647 -Author: Raja Grewal -Date: Sat Aug 3 00:09:42 2024 +1000 - - Add missing GRUB command lines for disabled boot parameters - -commit de6f3ea74a5a1408e4351c955ecb7010825364c5 -Author: Patrick Schleizer -Date: Sun Jul 28 20:50:22 2024 +0000 - - bumped changelog version - -commit d036094089e3e3a74df981c50882481273fcb6c0 -Merge: e60ce50 0f86fbd -Author: Patrick Schleizer -Date: Sun Jul 28 15:44:40 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 0f86fbd8ceea3157ee035eb9f4a0ff13024f1bc9 -Merge: e60ce50 73979d4 -Author: Patrick Schleizer -Date: Sun Jul 28 15:43:54 2024 -0400 - - Merge pull request #242 from raja-grewal/ptrace - - Disable the usage of `ptrace()` by all processes - -commit 9cabaa1bd15a0639c87bf2e965755d06ff0a7bb4 -Author: Raja Grewal -Date: Sun Jul 28 22:04:30 2024 +1000 - - Typo - -commit d2d024ebe9a371eaf90b7b72f8a227e5d2e9babe -Author: Raja Grewal -Date: Sun Jul 28 22:03:33 2024 +1000 - - Typo - -commit 9fbee9fc82768c3b436307459d174378ee471335 -Author: Raja Grewal -Date: Sun Jul 28 21:57:25 2024 +1000 - - Clarify - -commit e60ce50d30c8981f13d8bab1d6ca8b8efb9d8928 -Author: Patrick Schleizer -Date: Sat Jul 27 16:13:35 2024 +0000 - - bumped changelog version - -commit e86b2e7f8fcda5727b158579610cb6a0354e89cf -Author: Patrick Schleizer -Date: Sat Jul 27 12:13:18 2024 -0400 - - output - -commit 144545762674e914046bb94100237329320e8ece -Author: Raja Grewal -Date: Sat Jul 27 14:00:30 2024 +1000 - - Show details regarding `secure_redirects` (again) - -commit 73979d4342dae2017be52d5182bb66fa28be398d -Author: Raja Grewal -Date: Sat Jul 27 13:28:59 2024 +1000 - - Link to `ptrace()` discussion - -commit 1c9f33f90606fb930744f1b9afc11caf87626194 -Author: Raja Grewal -Date: Sat Jul 27 13:24:08 2024 +1000 - - Revert "Disable the usage of `ptrace()` by all processes" - - This reverts commit b04828f858fa6d101099773d3156841fd6d33b6f. - -commit 330cf14eab248d035fa467dba4f7bc3eb92a33bb -Author: Patrick Schleizer -Date: Fri Jul 26 15:40:24 2024 +0000 - - bumped changelog version - -commit 62bb4bc6269a0603c15f1efaad7ca365ea15c9d7 -Merge: 7969e86 886f609 -Author: Patrick Schleizer -Date: Fri Jul 26 11:10:25 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 886f6095dba71d76d5fd98277374417657e0cd31 -Merge: 7969e86 ed33366 -Author: Patrick Schleizer -Date: Fri Jul 26 11:08:30 2024 -0400 - - Merge pull request #250 from raja-grewal/Panik-Kalm - - Add details on "oopes" and kernel panics - -commit 7969e8607160eae0cb5a3adddeec8d07c1d6e097 -Merge: e2ae93a 0318f57 -Author: Patrick Schleizer -Date: Fri Jul 26 11:06:13 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 0318f577ab554ae2ac0f9417b18134723ea2b580 -Merge: e2ae93a 4397de0 -Author: Patrick Schleizer -Date: Fri Jul 26 11:04:29 2024 -0400 - - Merge pull request #246 from raja-grewal/cfi - - Provide the option to change the default CFI implementation in the future - -commit e2ae93a9571f2f0c9077ea61436a540a3be5a894 -Author: Patrick Schleizer -Date: Fri Jul 26 10:30:45 2024 -0400 - - port to safe_echo - -commit 8ec23ed7128580ed0092df43945ba55e94163a6d -Author: Patrick Schleizer -Date: Fri Jul 26 10:28:57 2024 -0400 - - echo does not support end-of-options - -commit 6096ed1109a0d5a62a844552fee500ebe66071c8 -Author: Patrick Schleizer -Date: Fri Jul 26 10:26:43 2024 -0400 - - comment - -commit ac41d1cfff8b722248a5ef1dfe38a8c704f04134 -Author: Patrick Schleizer -Date: Fri Jul 26 10:25:59 2024 -0400 - - comment - -commit 3b033ceba24e5e14056d54710d782397e5c669df -Author: Patrick Schleizer -Date: Fri Jul 26 10:17:24 2024 -0400 - - shellcheck - -commit 04d9ca1ebe79cae5cce04b6533285b8d1299d692 -Author: Patrick Schleizer -Date: Fri Jul 26 10:16:20 2024 -0400 - - use `find` with `safe_echo_nonewline` - -commit 20454fb81157f1f962f36d9c37d34f4ac650a1e6 -Merge: 28b25bd 6bbf176 -Author: raja-grewal -Date: Sat Jul 27 00:09:30 2024 +1000 - - Merge branch 'Kicksecure:master' into blacklist_to_disable - -commit 6bbf176e3b91f842cf4cdeaf8cb1f4c60e159a0c -Author: Patrick Schleizer -Date: Fri Jul 26 09:33:45 2024 -0400 - - consider end-of-options for `find` - -commit 794f6a25fa87a9d6d796b07ee06b690ea0badc92 -Author: Patrick Schleizer -Date: Fri Jul 26 09:08:29 2024 -0400 - - comment - -commit 7e0f1a87010674c63963b70c87e903cf27b288ef -Author: Patrick Schleizer -Date: Fri Jul 26 09:08:04 2024 -0400 - - dpkg-statoverride can actually handle '--file-name'. - -commit ee037c01a1208b9247c3ae144fa3faa68657ffdb -Author: Patrick Schleizer -Date: Fri Jul 26 08:58:44 2024 -0400 - - Skip file names starting with '--', - - because this would be interpreted by dpkg-statoverride as an option. - -commit 82d401a7de58b74448113bed36c8f0cc073c7f82 -Author: Patrick Schleizer -Date: Fri Jul 26 08:52:42 2024 -0400 - - sanity test - -commit 0e661bc688c7222840c9d83fb3ccab6549b3ac11 -Author: Patrick Schleizer -Date: Fri Jul 26 08:49:14 2024 -0400 - - output - -commit d144f68d1a06a1153c4178b2f6ba9643dededbb8 -Author: Patrick Schleizer -Date: Fri Jul 26 08:46:08 2024 -0400 - - output - -commit 05504b9ab251ae6e48b5d28eb5fdcd12d730ea8a -Author: Patrick Schleizer -Date: Fri Jul 26 08:40:10 2024 -0400 - - minor - -commit d96c0633d431dafd034ae8d1ae0ffbb59c49be4a -Author: Patrick Schleizer -Date: Fri Jul 26 08:39:11 2024 -0400 - - more use of end of options - -commit 8e40c10c319a76e0256c8f135182b0ca7f532f85 -Author: Patrick Schleizer -Date: Fri Jul 26 08:31:17 2024 -0400 - - comment - -commit f2c9c2f5d1b59127b22fae4dd4b8bb7a6f98a485 -Author: Patrick Schleizer -Date: Fri Jul 26 08:26:16 2024 -0400 - - output - -commit 2b40ea75e9c3f679fd09ae331a56f294c3ac7607 -Author: Patrick Schleizer -Date: Fri Jul 26 08:24:23 2024 -0400 - - cleanup - -commit 6f0551b944cbf83d82f7a1a554c4461bc971520b -Author: Patrick Schleizer -Date: Fri Jul 26 08:23:54 2024 -0400 - - refactoring - -commit aac450f80836b03478b9e2632afc5a4519f9b37a -Author: Patrick Schleizer -Date: Fri Jul 26 08:22:04 2024 -0400 - - refactoring - -commit 30f46790a4df7662926fa43d44ac34c3286dd590 -Author: Patrick Schleizer -Date: Fri Jul 26 08:21:21 2024 -0400 - - use end of options whenever possible - -commit 95722d6d7902367afb44175263a8628df9ad01b2 -Author: Patrick Schleizer -Date: Fri Jul 26 08:13:33 2024 -0400 - - use long option name - -commit 19f131c7426aaa5199504e75aba180a7771a2520 -Author: Patrick Schleizer -Date: Fri Jul 26 08:07:08 2024 -0400 - - code simplification - - https://github.com/Kicksecure/security-misc/pull/251 - -commit 9694cf0cd1a225c68d45814e0f4d6995659a0066 -Author: Patrick Schleizer -Date: Fri Jul 26 07:43:59 2024 -0400 - - output - -commit bdfe764f9d805b14dca4196e623e81ce95145d9b -Merge: 9f13523 652a06c -Author: Patrick Schleizer -Date: Fri Jul 26 07:19:05 2024 -0400 - - Merge remote-tracking branch 'ben-grande/stat-dedup' - -commit 9f135231ccdc3f6eba27db2e1794eff23f03fc0f -Author: Patrick Schleizer -Date: Fri Jul 26 06:43:01 2024 -0400 - - no longer disable Intel ME related kernel modules - - because that might break firmware updates - - This reverts commit 64f8b2eb5870664fca06aa060f2f50af358ced55. - - https://github.com/Kicksecure/security-misc/issues/239 - -commit f616da7c0690fc0dffc21be59174ed8754ec55fb -Author: Patrick Schleizer -Date: Fri Jul 26 09:40:59 2024 +0000 - - bumped changelog version - -commit 4397de0138dac47aee66570fcfe4ef38c8179321 -Author: Raja Grewal -Date: Fri Jul 26 11:30:46 2024 +1000 - - Update description of `cfi=kcfi` kerenel parameter - -commit 652a06c8e9f841e043cc5b5fb030b149cb70dc85 -Author: Ben Grande -Date: Thu Jul 25 12:37:21 2024 +0200 - - Only print SUID or SGID values when set - -commit 3b8a3f9b832ee1eee959fbcce8b5eed417d4712e -Author: Ben Grande -Date: Thu Jul 25 12:20:16 2024 +0200 - - Unduplicate stat call - -commit 28b25bda3f51c7d5a6ee6d28446cb5f731f452d0 -Author: Raja Grewal -Date: Thu Jul 25 15:51:32 2024 +1000 - - Partial inclusion of GrapheneOS infrastructure blacklist - -commit ed3336694ce35614ab47db42bce29d3c69d46752 -Author: Raja Grewal -Date: Thu Jul 25 10:28:27 2024 +1000 - - Provide the option to immediately reboot on a kernel panics - -commit 3926b91dcf371377d38c747e5c7718ac2fed3c83 -Author: Raja Grewal -Date: Thu Jul 25 10:26:23 2024 +1000 - - Add documentation on `sysctl kernel.panic_on_oops=1` - -commit f699eb02a27ef54b9ced5866447b63152984af66 -Author: Raja Grewal -Date: Thu Jul 25 10:11:33 2024 +1000 - - Set `sysctl fs.binfmt_misc.status=0` - -commit 9231f058911ab9059e91c4c0c1677ef66b5bb666 -Author: Patrick Schleizer -Date: Wed Jul 24 13:31:49 2024 -0400 - - todo - -commit 4cc1289e89b341e15725d65e405e607ea4784f9f -Author: Patrick Schleizer -Date: Wed Jul 24 13:30:30 2024 -0400 - - output - -commit 10c73b326f824f783169383888b9464965a53cbb -Author: Patrick Schleizer -Date: Wed Jul 24 12:07:26 2024 -0400 - - fix delimiter parsing - -commit a16dd8474bf72c2b8c63adc7500140e89d19fedb -Author: Patrick Schleizer -Date: Wed Jul 24 11:50:30 2024 -0400 - - sanity test - -commit cc2b335ee692cc04a2c4e298902f3503927b2c50 -Author: Patrick Schleizer -Date: Wed Jul 24 11:48:32 2024 -0400 - - cleanup - -commit 6cadc70a96cd709fb7a94abcb14e7dd97c57fdb8 -Author: Patrick Schleizer -Date: Wed Jul 24 11:47:52 2024 -0400 - - output - -commit cda0d26af7c057dab8edf4897f98c2e8f83e3d56 -Author: Patrick Schleizer -Date: Wed Jul 24 11:45:13 2024 -0400 - - cannot use NULL inside a bash variable - - use custom delimiter instead - -commit 4a5312b3a9419c8b3e07dda2b650d5fbf9a38d34 -Author: Patrick Schleizer -Date: Wed Jul 24 11:27:51 2024 -0400 - - output - -commit 3bf1f26c0bb271d63c16b314e4da040abf5b3713 -Author: Patrick Schleizer -Date: Wed Jul 24 11:20:26 2024 -0400 - - downgrade warning of non-existing folders to info - - to avoid all users by default getting a warning for expected non-existing folders - -commit 151ca659a9f5565744ff57f3b581c8c051def148 -Author: Patrick Schleizer -Date: Wed Jul 24 11:19:15 2024 -0400 - - output - -commit c9fd2ceb61ea176c731432f02a9fa40652fbddc8 -Author: Patrick Schleizer -Date: Wed Jul 24 11:13:35 2024 -0400 - - downgrade warning of non-existing files to info - - to avoid all users by default getting a warning for expected non-existing files - -commit 721392901be384014298f59deb57747b825c8b37 -Author: Patrick Schleizer -Date: Wed Jul 24 11:12:39 2024 -0400 - - remove duplicate test - -commit 9712b5b4e3cff3eac8ef03b5e562ff89d74ef4b8 -Author: Patrick Schleizer -Date: Wed Jul 24 11:12:18 2024 -0400 - - output - -commit 00911df5c1de24960ad6d21b4cd99450f2d08a88 -Author: Patrick Schleizer -Date: Wed Jul 24 11:10:56 2024 -0400 - - modify call of stat to use NUL delimiter - - for more robust string parsing - -commit d5366835112cc5fabef7ec46a9c582c08121cb14 -Author: Patrick Schleizer -Date: Wed Jul 24 11:03:28 2024 -0400 - - local clean_output_prefix clean_output - -commit a6e517736b83c124cf8cec52bac184612a29ad0d -Author: Patrick Schleizer -Date: Wed Jul 24 11:02:25 2024 -0400 - - local stat_output - -commit ced02fb9e03e12c7d51923511e7d6a54b09a6274 -Author: Patrick Schleizer -Date: Wed Jul 24 11:01:24 2024 -0400 - - add sanity test for file_name output from stat - -commit b9dfe70a016e46e1f275918be19890526182cfa2 -Author: Patrick Schleizer -Date: Wed Jul 24 10:58:05 2024 -0400 - - check first if file_name is empty - -commit 1cbda7998196dc04e83c48526d15f9ad5f11e6c9 -Author: Patrick Schleizer -Date: Wed Jul 24 10:57:13 2024 -0400 - - check first if array is empty before parsing further - -commit a077ae54ea050af8828813b781738cba24e27624 -Author: Patrick Schleizer -Date: Wed Jul 24 10:56:08 2024 -0400 - - modify call of stat to use NUL delimiter - - for more robust string parsing - -commit 1135d34ab334c9b39e51a147dc94df568f982512 -Author: Raja Grewal -Date: Wed Jul 24 23:33:36 2024 +1000 - - Reword description of `cfi=kcfi` kerenel parameter - -commit 7200e9bd8c793f5ea30c3448fd03fbd38c6292b5 -Author: Patrick Schleizer -Date: Wed Jul 24 09:15:02 2024 -0400 - - output - -commit 1b6161c2dcd9a0686503c84cda4c9f6a29fe4e02 -Merge: d2563ed 8be21b6 -Author: Patrick Schleizer -Date: Wed Jul 24 09:13:48 2024 -0400 - - Merge remote-tracking branch 'ben-grande/fuzz' - -commit 88c88187f2909322211cc08598717068ea7cf1d1 -Author: Raja Grewal -Date: Wed Jul 24 17:26:50 2024 +1000 - - Re-enable (default) `secure_redirects` for ICMP redirect messages - -commit 8be21b6eff40fdd3909ef63468463fc52e8bf45f -Author: Ben Grande -Date: Tue Jul 23 19:36:12 2024 +0200 - - Handle newlines in file names - -commit aa99de68d307cd88462665424996d9b730ab5087 -Author: Ben Grande -Date: Tue Jul 23 18:46:47 2024 +0200 - - Log output with defined levels - -commit 06fbcdac1de6f1830d911f05a4f7c14fd522fad4 -Author: Ben Grande -Date: Tue Jul 23 09:55:02 2024 +0200 - - Prettify log messages - -commit fb494c2ba5b7fd0f864a59896710d9cddf92b458 -Author: Raja Grewal -Date: Tue Jul 23 13:12:13 2024 +1000 - - Update docs relating to the `cfi=kcfi` kernel parameter - -commit 7ee1ea2cc7dd62feee3243d64b414130e68d35e9 -Author: Ben Grande -Date: Mon Jul 22 17:06:07 2024 +0200 - - Unify functions that evaluate commands - -commit 9c3566f524f748b9f7c98a36b3f2b1064cdba3ed -Author: Ben Grande -Date: Mon Jul 22 16:01:14 2024 +0200 - - Delimit file names with null terminator - -commit d6fc71dba78a9c871015ebdde3bef61943369b47 -Author: Raja Grewal -Date: Mon Jul 22 17:26:00 2024 +1000 - - Add option to switch (back) to using kCFI in the future - -commit f582e543434ba20a2fb7f7300058f7c8a7d62878 -Merge: a189956 d2563ed -Author: raja-grewal -Date: Mon Jul 22 15:12:00 2024 +1000 - - Merge branch 'Kicksecure:master' into blacklist_to_disable - -commit d2563ed92317a029340dbb83f30da008b01325f2 -Author: Patrick Schleizer -Date: Sun Jul 21 10:40:14 2024 +0000 - - bumped changelog version - -commit 64f8b2eb5870664fca06aa060f2f50af358ced55 -Author: Patrick Schleizer -Date: Sun Jul 21 06:36:22 2024 -0400 - - Revert "no longer disable Intel ME related kernel modules" - - This reverts commit 6157e328f40a7f3780208489b1ffecef8e6d738a. - - https://www.kicksecure.com/wiki/Out-of-band_Management_Technology#Intel_ME_Kernel_Modules - - https://github.com/Kicksecure/security-misc/issues/239 - -commit 04fb00572f2e4c9bdfaaa0f6da8007999daab641 -Author: Patrick Schleizer -Date: Sat Jul 20 17:02:05 2024 +0000 - - bumped changelog version - -commit f0a478c7c91697988926a73d3a1880dd8caaca68 -Author: Patrick Schleizer -Date: Sat Jul 20 12:57:56 2024 -0400 - - permission hardener: allow postfix - - postqueue matchwhitelist - postdrop matchwhitelist - -commit a189956adc2cf5a1c8311d0e0e9c7cfbc6e4afe3 -Author: Raja Grewal -Date: Sat Jul 20 20:11:09 2024 +1000 - - Typo - -commit 3c720a0715191c858e8d1df9795dddfea5dbdcf1 -Author: Raja Grewal -Date: Sat Jul 20 15:03:21 2024 +1000 - - Disable some legacy drivers - These were all previously blacklisted for over 2 years. - -commit c4965ed838b1df93ddb9e947fb2f0d23fa8ffc17 -Author: Raja Grewal -Date: Sat Jul 20 14:55:10 2024 +1000 - - Disable legacy framebuffer drivers - These were all previously blacklisted for over 2 years. - -commit 9f53a0182b5f6a7cf8228bf19b04661d39c7a2fe -Author: Patrick Schleizer -Date: Fri Jul 19 07:20:59 2024 -0400 - - undo io_uring related changes - - as these should be done in a separate pull request (if apprpriate) - - https://github.com/Kicksecure/security-misc/pull/244#issuecomment-2238889062 - -commit 8791aecb38a41aa0b0c108505726bc6a1ace903e -Merge: 2d11436 06894d1 -Author: Patrick Schleizer -Date: Fri Jul 19 07:19:09 2024 -0400 - - Merge remote-tracking branch 'raja/fixes' - -commit 06894d1c98e91f43af58cc438559ea76b6a361e3 -Author: Raja Grewal -Date: Fri Jul 19 18:30:42 2024 +1000 - - Typo - -commit 2d11436432d3b2b75f84b05550de06cd77ec6e79 -Author: Patrick Schleizer -Date: Thu Jul 18 18:05:07 2024 +0000 - - bumped changelog version - -commit cac5bbad99a9c083c5b5f85f07c7368287c64f72 -Author: Patrick Schleizer -Date: Thu Jul 18 14:04:00 2024 -0400 - - comment - -commit a5eed00eba76f83c310f62d000830f38b0e87d21 -Author: Patrick Schleizer -Date: Thu Jul 18 14:02:38 2024 -0400 - - cleanup comments - -commit 21efacf1b111d9599e72cef23b791cf4961c04c3 -Author: Patrick Schleizer -Date: Thu Jul 18 14:00:28 2024 -0400 - - cleanup duplicate comments which are already in `/etc/dkms/framework.conf` - -commit 61628c2baf58ca2859bc5fc99782985ef0822750 -Author: Patrick Schleizer -Date: Thu Jul 18 14:11:35 2024 +0000 - - bumped changelog version - -commit 05cf438199ca75f96cf8e67131f4a409b465e7e7 -Author: Patrick Schleizer -Date: Thu Jul 18 10:11:03 2024 -0400 - - no comments / copyright allowed in .displace-extension - -commit 2ccc95f6d44bacd3da97d586542695f33d5faf38 -Author: Patrick Schleizer -Date: Thu Jul 18 14:05:23 2024 +0000 - - bumped changelog version - -commit 95286df50274953326accb615487e21d409b652a -Author: Raja Grewal -Date: Thu Jul 18 15:28:31 2024 +1000 - - Update README.md regarding secure ICMP redirects - -commit 13cc1f0986033855a399b50442a86a8d8552eb96 -Author: Raja Grewal -Date: Thu Jul 18 12:25:00 2024 +1000 - - Clarify (future) disabling of `io_uring` - -commit 9e6facda7017498e8310a9c39403e95e81c5a903 -Author: Raja Grewal -Date: Thu Jul 18 12:21:37 2024 +1000 - - Update module disabling presentation - -commit faa9181a6c0c78b9471c9a4e6bdd3291aec704f6 -Author: Raja Grewal -Date: Thu Jul 18 12:19:27 2024 +1000 - - Typos - -commit 6d211faf591608ea6e7f484e8bc69dd567877abf -Author: Raja Grewal -Date: Thu Jul 18 11:04:54 2024 +1000 - - Restrict unprivileged user namespaces - -commit b04828f858fa6d101099773d3156841fd6d33b6f -Author: Raja Grewal -Date: Thu Jul 18 11:01:41 2024 +1000 - - Disable the usage of `ptrace()` by all processes - -commit d454f36c63bd653e47353fb1c93107b2d5584fe2 -Author: Patrick Schleizer -Date: Wed Jul 17 11:52:29 2024 -0400 - - spelling - -commit f4da582aa31b869413aef6f4e252b7985e961339 -Author: Patrick Schleizer -Date: Wed Jul 17 11:44:17 2024 -0400 - - spelling - -commit 9e976474d5d620be9e4f8d8a97f73c6cc3e64573 -Author: Patrick Schleizer -Date: Wed Jul 17 11:40:51 2024 -0400 - - spelling - -commit b569fc02a4650187e69b62b95439c05ee2611e91 -Author: Patrick Schleizer -Date: Wed Jul 17 11:38:53 2024 -0400 - - spelling - -commit a2e26f441b6f44831c7b1bf3bf9dc2cf6f06e176 -Author: Patrick Schleizer -Date: Wed Jul 17 11:04:03 2024 -0400 - - spelling - -commit c8be4ac83c2563798ee35d56200eb8d11a2c32e3 -Author: Patrick Schleizer -Date: Wed Jul 17 10:56:14 2024 -0400 - - comment - -commit 24cd70a014b221b25669755b955bc114fe083643 -Author: Patrick Schleizer -Date: Wed Jul 17 10:55:12 2024 -0400 - - spelling - -commit 5cec685cf9b0845838f17fba78ac65d6c2e63386 -Author: Patrick Schleizer -Date: Wed Jul 17 10:49:21 2024 -0400 - - spelling - -commit 821a416fe39e11ca030c63f25a5220772d80eae5 -Author: Patrick Schleizer -Date: Wed Jul 17 10:43:16 2024 -0400 - - spelling - -commit 9a387f95e9346030e2adc3252a45942949561b52 -Merge: fd41acd 4afe257 -Author: Patrick Schleizer -Date: Wed Jul 17 10:32:26 2024 -0400 - - Merge remote-tracking branch 'raja/miscellaneous' - -commit fd41acdc721a6463813bc347cb965b6211fb9447 -Merge: 0da22c2 1087387 -Author: Patrick Schleizer -Date: Wed Jul 17 10:27:31 2024 -0400 - - Merge remote-tracking branch 'raja/fack_off' - -commit 4afe257a42576158a54a68948440a2b4c043b67c -Author: Raja Grewal -Date: Thu Jul 18 00:14:13 2024 +1000 - - minor - -commit d0a59617f6b8a90fd5c758699e910af9d7496c98 -Author: Raja Grewal -Date: Thu Jul 18 00:13:30 2024 +1000 - - Add missing Copyright (C) statements - -commit 8f3896c3dac13b604e36d4249f976598f271a215 -Author: Raja Grewal -Date: Wed Jul 17 23:44:37 2024 +1000 - - Upgrade hyperlinks to HTTPS - -commit 1087387b362d5598e44262db07ab0fff9118b064 -Author: Raja Grewal -Date: Wed Jul 17 23:35:25 2024 +1000 - - Remove obsolete `#net.ipv4.tcp_fack=0` - -commit 0da22c20316c8f0f574e0127926506e52ccbc269 -Author: Patrick Schleizer -Date: Wed Jul 17 09:07:31 2024 -0400 - - minor - -commit c336b266f61528cce27e1cafac6377370927a787 -Merge: afe3c25 df80385 -Author: Patrick Schleizer -Date: Wed Jul 17 09:06:44 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit df80385289717fee0266436d056c9aedd0fb06af -Merge: afe3c25 724435e -Author: Patrick Schleizer -Date: Wed Jul 17 09:04:18 2024 -0400 - - Merge pull request #237 from raja-grewal/intel_pmt - - Disable some Intel PMT kernel modules - -commit afe3c25a49940f7f322414c08e8dbd631e696215 -Author: Patrick Schleizer -Date: Wed Jul 17 08:58:00 2024 -0400 - - update readme - - https://github.com/Kicksecure/security-misc/issues/239 - -commit f7772fb85a1fe6d3c0749e5f34fc29111b6a8125 -Author: Patrick Schleizer -Date: Wed Jul 17 08:57:35 2024 -0400 - - minor - -commit 6157e328f40a7f3780208489b1ffecef8e6d738a -Author: Patrick Schleizer -Date: Wed Jul 17 08:52:11 2024 -0400 - - no longer disable Intel ME related kernel modules - - https://github.com/Kicksecure/security-misc/issues/239 - -commit daee8b900b3057235aedc17b1231c3c05599140c -Merge: 954ff1b a4ba6e4 -Author: Patrick Schleizer -Date: Wed Jul 17 08:47:55 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit a4ba6e485d94512fdf737b9f66137c3f692c9904 -Merge: 9a75135 abafb19 -Author: Patrick Schleizer -Date: Wed Jul 17 08:46:27 2024 -0400 - - Merge pull request #236 from raja-grewal/intel_me - - Disable more Intel ME kernel modules - -commit 954ff1be41288b5fa2e50d492d92544915f93bb5 -Merge: d29a616 9a75135 -Author: Patrick Schleizer -Date: Wed Jul 17 08:42:52 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 9a75135633ad172f7cbf318e1206865493c28bb4 -Merge: d29a616 a340899 -Author: Patrick Schleizer -Date: Wed Jul 17 08:41:43 2024 -0400 - - Merge pull request #238 from raja-grewal/uvcvideo_2 - - Minor additions to `30_security-misc_disable.conf` - -commit d29a616142562492db6c45c299f002100e905828 -Author: Patrick Schleizer -Date: Wed Jul 17 08:39:20 2024 -0400 - - minor - -commit a2802f352fc7021ead0d431c665cc16b2821ae0b -Merge: 0b873b7 81a3715 -Author: Patrick Schleizer -Date: Wed Jul 17 08:38:23 2024 -0400 - - Merge remote-tracking branch 'raja/kargs' - -commit 0b873b765e20b06113d808075fa95c8acbb1e0fc -Author: Patrick Schleizer -Date: Wed Jul 17 08:05:27 2024 -0400 - - minor - -commit 070bb46a08afcd84fb638472c39bd543bad4fb17 -Merge: 6d6e547 25fd532 -Author: Patrick Schleizer -Date: Wed Jul 17 08:02:45 2024 -0400 - - Merge remote-tracking branch 'raja/sysctl' - -commit 6d6e5473f2778a2a5b1ca7826d0a3a5a63cff08a -Author: Patrick Schleizer -Date: Wed Jul 17 08:00:24 2024 -0400 - - minor - -commit cf5f0edbb85589a72ec891e9c3e090f9e81c4fda -Merge: fe5c840 693b47e -Author: Patrick Schleizer -Date: Wed Jul 17 07:59:35 2024 -0400 - - Merge remote-tracking branch 'raja/sysctl' - -commit 25fd532ce62399d5bb42d844ad32b5128eaf748d -Author: Raja Grewal -Date: Wed Jul 17 21:56:40 2024 +1000 - - Update README.md relating to `sysctl`'s - -commit 39fd125eb0f0c16c8a64933bbd04709287a2686a -Author: Raja Grewal -Date: Wed Jul 17 21:44:44 2024 +1000 - - Provide explanation on the disabling of IPv6 Privacy Extensions - -commit a3408990ab439e6edbf8691cf7d65fb16c0d24df -Author: Raja Grewal -Date: Wed Jul 17 15:03:39 2024 +1000 - - Uncomment disabling of already disabled ATM modules - -commit 693b47e6235528ab7a9032818cce22fd63a4f5ea -Author: Raja Grewal -Date: Wed Jul 17 14:58:30 2024 +1000 - - Clarify ICMP redirect acceptance and sending - -commit 81a3715c7c0b73796a62297ebe55e861a46f7686 -Author: Raja Grewal -Date: Wed Jul 17 13:32:08 2024 +1000 - - Add info regarding the downsides of disabling SMT - -commit abafb1945cace774429fefd0c1a037fb2ec3f774 -Author: Raja Grewal -Date: Wed Jul 17 13:26:03 2024 +1000 - - Add Intel ME references - -commit f317aaebab126bafe3cfaef8159bf0820c392c87 -Author: Raja Grewal -Date: Wed Jul 17 01:09:02 2024 +1000 - - Disable two network modules - These were previously blacklisted for two years in https://github.com/Kicksecure/security-misc/commit/61ef9bd59f9ff39c140f782ff5b41d0a3c6d97bc. - -commit d69fe88091c7212a9af86306c797aed40398584b -Author: Raja Grewal -Date: Wed Jul 17 01:08:01 2024 +1000 - - Provide option to disable `uvcvideo` driver - -commit 49594ccb223c09d70f00434e5875c9dae1a2360d -Author: Raja Grewal -Date: Wed Jul 17 00:49:25 2024 +1000 - - Partially revert https://github.com/raja-grewal/security-misc/commit/f4d652fa7b5dd350b577521c6bba22c9eb3c13f1 - -commit 824d9b82e53485eed8eaf24e9815ac07ad0f2406 -Author: Raja Grewal -Date: Wed Jul 17 00:36:18 2024 +1000 - - Uncomment redundant disabling of TCP FACK` - -commit d1119c38b6ad4193919d4b800de0a3cb014f92c1 -Author: Raja Grewal -Date: Wed Jul 17 00:31:23 2024 +1000 - - Apply changes from code review - -commit fe5c840b79c4aabd5c21a286d3ce1a3ee460812c -Author: Patrick Schleizer -Date: Mon Jul 15 21:18:55 2024 +0000 - - bumped changelog version - -commit 6e63fc8985b97902dbae2553ded51950168dc222 -Merge: fe0846c b7796a5 -Author: Patrick Schleizer -Date: Mon Jul 15 17:14:25 2024 -0400 - - Merge remote-tracking branch 'ben-grande/fuzz' - -commit fe0846c8c2bdfc0534850b1e9bf9c4130381def9 -Author: Patrick Schleizer -Date: Mon Jul 15 12:30:38 2024 -0400 - - fix - - https://github.com/Kicksecure/security-misc/pull/234#discussion_r1678065395 - -commit 94df2e3d244f5e6e8e4320c1f28cc11dba00dd36 -Author: Patrick Schleizer -Date: Mon Jul 15 12:29:52 2024 -0400 - - further discussion required - - https://github.com/Kicksecure/security-misc/pull/234#issuecomment-2228909249 - -commit 41f0b53dd62d2968a6ff88a6fd907ca42f581847 -Merge: 5ba5a85 9300c20 -Author: Patrick Schleizer -Date: Mon Jul 15 12:28:03 2024 -0400 - - Merge remote-tracking branch 'raja/kernel_modules' - -commit 73f6d4b26f51f0c920fe020677f464c536d75410 -Author: Raja Grewal -Date: Tue Jul 16 01:03:41 2024 +1000 - - Fix transcription error - -commit 724435e56ea059183241044a4fc09423187533eb -Author: Raja Grewal -Date: Mon Jul 15 22:38:43 2024 +1000 - - Disable some Intel Platform Monitoring Technology Telemetry (PMT) modules - -commit 61941da37509a4bb809212536b79f461a209f584 -Author: Raja Grewal -Date: Mon Jul 15 22:38:09 2024 +1000 - - Create `disabled-intelpmt-by-security-misc` - -commit 22ba7a7c393a8c9005dfe26aea396815a4d54803 -Author: Raja Grewal -Date: Mon Jul 15 22:21:20 2024 +1000 - - Disable more Intel Management Engine (ME) modules - -commit 9300c208e25d936f2c633a0904126566afc1c275 -Author: Raja Grewal -Date: Mon Jul 15 21:36:25 2024 +1000 - - Fix script - -commit f2db11269e89d4c945642b661aa9cbe356f89037 -Author: Raja Grewal -Date: Mon Jul 15 21:18:32 2024 +1000 - - Fix script - -commit 382f1e9ec00ab5f012f028fa324d6cf73040c37d -Author: Raja Grewal -Date: Mon Jul 15 21:13:25 2024 +1000 - - Fix error - -commit a8bc1144c32b4b4f20904af5f813da1051fe4c9c -Author: Raja Grewal -Date: Mon Jul 15 21:10:13 2024 +1000 - - Updated wording of error files for disabled modules - -commit fda3832eaf293915ab77ce73a0be2caec15e21fa -Author: Raja Grewal -Date: Mon Jul 15 21:08:45 2024 +1000 - - Replace bash file presented for disabling of miscellaneous modules - -commit 8219a1e257525d487a49e7b3a6b14c1e180a7b52 -Author: Raja Grewal -Date: Mon Jul 15 21:02:10 2024 +1000 - - Update README.md relating to disabled miscellaneous modules - -commit cb2fb95b81efa2ebb2bd80aeaacad9122f0f073c -Author: Raja Grewal -Date: Mon Jul 15 21:01:36 2024 +1000 - - Disable more miscellaneous drivers - -commit c52b1a3fd269ef4f98028dd5eead476abe5d138d -Author: Raja Grewal -Date: Mon Jul 15 20:58:45 2024 +1000 - - Create `disabled-miscellaneous-by-security-misc` - -commit 96aa63267a6fcee03f252f0791f37b7b6222a7c1 -Author: Raja Grewal -Date: Mon Jul 15 20:57:14 2024 +1000 - - Disable more Thunderbolt modules - -commit 51f7776bc8722752d53fc503b0c79564d8715d4c -Author: Raja Grewal -Date: Mon Jul 15 20:56:12 2024 +1000 - - Disable more network protocols/drivers - -commit 9e40ff055195b1e8637d1e957c3f8db01f99bbc1 -Author: Raja Grewal -Date: Mon Jul 15 20:54:18 2024 +1000 - - Disable more network file systems - -commit 82c5a93f7cf2846490120c5262a146a313a5ce47 -Author: Raja Grewal -Date: Mon Jul 15 20:53:07 2024 +1000 - - Disable another GPS module - -commit 99b0ce7948213e7f7adf42ddd7c7beb229374bd4 -Author: Raja Grewal -Date: Mon Jul 15 20:47:56 2024 +1000 - - Disable more file systems - -commit 4476a477a77c98cf4334fbcb866bc8f113f568ac -Author: Raja Grewal -Date: Mon Jul 15 20:47:07 2024 +1000 - - Provide option to disable more Bluetooth modules - -commit e0696d02a234e6f7ab9fb601ffe58e7d953846a2 -Author: Raja Grewal -Date: Mon Jul 15 20:46:04 2024 +1000 - - Update `security-misc.maintscript` - Due to previous splitting IN https://github.com/Kicksecure/security-misc/commit/b02230a783941da412be72fb52053db0c6b8010f. - -commit b2657bc61fb15bb89d62f0743a36835c1f0dda8a -Author: Raja Grewal -Date: Mon Jul 15 15:05:00 2024 +1000 - - Improve docs - -commit 1c2afc1f253e15d2605d1bef0e323e6e972a2484 -Author: Raja Grewal -Date: Mon Jul 15 15:01:48 2024 +1000 - - Update presentation of the `kernel.printk` sysctl - -commit c8385d82fbd6ba16ba1f0b4969661474966b74f1 -Author: Raja Grewal -Date: Mon Jul 15 14:57:40 2024 +1000 - - Clarify instructions for increasing log verbosity - -commit d229e8b04d914803fa66c3a695022cfb2d9b2a25 -Author: Raja Grewal -Date: Mon Jul 15 14:50:29 2024 +1000 - - Fix link - -commit fbfdb0fa99087e4160979b612db04e63a1d3e3b1 -Author: Raja Grewal -Date: Mon Jul 15 14:40:03 2024 +1000 - - Update `security-misc.maintscript` relating to grub - -commit f4d652fa7b5dd350b577521c6bba22c9eb3c13f1 -Author: Raja Grewal -Date: Mon Jul 15 14:39:12 2024 +1000 - - Update presentation of `quiet loglevel=0` - -commit 69c8e849270393537d3e024137bc20a42c848333 -Author: Raja Grewal -Date: Mon Jul 15 14:38:21 2024 +1000 - - Fix typos - -commit 48e1ac416314d2c66f3a0d5044a3c51cb6fb4093 -Author: Raja Grewal -Date: Mon Jul 15 02:04:25 2024 +1000 - - Remove the optional `slub_debug` parameter since it is no longer recommended - -commit 99038c7a0621f5c9852638c1706c5306b42e6480 -Author: Raja Grewal -Date: Mon Jul 15 02:02:01 2024 +1000 - - Add option to disable support for x86 processes and syscalls in the future - -commit f550fbe07cafb75112e98268730d1bcc511489e2 -Author: Raja Grewal -Date: Mon Jul 15 01:59:04 2024 +1000 - - Add option to disable the entire IPv6 stack functionality - -commit a33d4cd099b8cbf569ff35627eeacf3562a4371e -Author: Raja Grewal -Date: Mon Jul 15 01:56:25 2024 +1000 - - Refactor existing kernel parameters for clarity - -commit acd60e45d8cbc98ea935c9bf035f2840622ab58d -Author: Raja Grewal -Date: Sun Jul 14 20:07:31 2024 +1000 - - Add comment about enabling core dump files - -commit 5cf9afc21563712b851850e2041141807503807c -Author: Raja Grewal -Date: Sun Jul 14 17:05:49 2024 +1000 - - Include optional `sysctl`'s in README.md - -commit 2b9e174c9db69f2c30828aae236c631d46255e07 -Author: Raja Grewal -Date: Sun Jul 14 16:22:52 2024 +1000 - - Remove empty lines - -commit dd1741c4a1cd18f34f69437c00f3a78a9ebd402a -Author: Raja Grewal -Date: Sun Jul 14 13:40:53 2024 +1000 - - Some documentation additions and fixes - -commit 565597c9a282b08697d04204f5eb9c22153e77bd -Author: Raja Grewal -Date: Sun Jul 14 01:21:24 2024 +1000 - - Minor documentation changes and fixes - -commit 5ba5a85ad09b74a29c5ed0e5c265d54d93da9d32 -Author: Patrick Schleizer -Date: Sat Jul 13 15:01:16 2024 +0000 - - bumped changelog version - -commit ad860063aba0443a8ac8b9cf191d008617d6d904 -Merge: f34b9d7 9f58266 -Author: Patrick Schleizer -Date: Sat Jul 13 10:55:45 2024 -0400 - - Merge remote-tracking branch 'raja/modprobe' - -commit 9f582665467fd4fdf20c83841305785024bceedf -Author: Raja Grewal -Date: Sat Jul 13 23:32:01 2024 +1000 - - Move nf_conntrack_helper disabling into separate file - -commit 8f2ec75f8173b6ab970a5ef213dcf5a3f67aa84a -Author: Raja Grewal -Date: Sat Jul 13 23:30:55 2024 +1000 - - Clarify README.mmd relating to module disabling - -commit 98580bb39a495a141e7b40792fd9d232fcf29d23 -Author: Raja Grewal -Date: Sat Jul 13 23:29:52 2024 +1000 - - Update modprobe presentation - -commit 2de3a795990234134be15be90aa55f547c064d92 -Author: Raja Grewal -Date: Sat Jul 13 22:41:40 2024 +1000 - - Refactor existing sysctl for clarity - -commit f34b9d7c45cd723535eedd3df99896ee7f852388 -Merge: 05c1711 5f10cc8 -Author: Patrick Schleizer -Date: Sat Jul 13 06:14:43 2024 -0400 - - Merge remote-tracking branch 'raja/modules' - -commit 5f10cc8bcf11654f5e0f97c07e0a7ff198013c1e -Author: Raja Grewal -Date: Fri Jul 12 16:22:10 2024 +1000 - - Update README.md relating to modprobe - -commit 41a3bf92fbdac88a1884dee735600cafa35134bf -Author: Raja Grewal -Date: Fri Jul 12 16:21:41 2024 +1000 - - Sort `30_security-misc_disable.conf` - -commit f31dc8aebc652b2037c375351fc478d9b5ba4c27 -Author: Raja Grewal -Date: Fri Jul 12 16:21:03 2024 +1000 - - Fix error in error script - -commit b02230a783941da412be72fb52053db0c6b8010f -Author: Raja Grewal -Date: Fri Jul 12 02:42:37 2024 +1000 - - Split modprobe into blacklisted and disabled configurations - -commit fc792ff23234399ed299c3fdc086d47c87d9b4a3 -Author: Raja Grewal -Date: Fri Jul 12 02:29:36 2024 +1000 - - Alphabetically sort existing modprobe - -commit fe20f3240e2f31099bcaa9f9e2045320df810edf -Author: Raja Grewal -Date: Fri Jul 12 02:28:48 2024 +1000 - - Refactor existing modprobe for clarity - -commit 275a4ffc1114856cbd9a1cd49701dcb25d87bfb5 -Author: Raja Grewal -Date: Fri Jul 12 02:27:56 2024 +1000 - - Remove redundant disabled modules - -commit b7796a5334075d5fa538d7579003fde6287d7e6d -Author: Ben Grande -Date: Thu Jul 11 11:04:22 2024 +0200 - - Unify method to find SUID files - -commit 05c1711b16c96a221c13a011a6666fe6b385ec1e -Author: Patrick Schleizer -Date: Tue Jun 11 12:56:56 2024 +0000 - - bumped changelog version - -commit e48115588caae8e51bb980ac84b1f0f415ca0d17 -Merge: b316352 cad8d85 -Author: Patrick Schleizer -Date: Tue Jun 11 07:25:47 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit cad8d857556e29544f742fdac8fe82758a4f885c -Merge: b316352 e198447 -Author: Patrick Schleizer -Date: Tue Jun 11 07:25:07 2024 -0400 - - Merge pull request #227 from 3uryd1ce/fix-pam.d-path - - fix(etc): delete typo in /etc/apparmor.d tunables - -commit e1984478662fc51e6eacc989bc6bba0ca1fc07cd -Author: Ashlen -Date: Sat Jun 8 22:17:05 2024 -0600 - - fix(etc): delete typo in /etc/apparmor.d tunables - - /etc/pam.d was present twice in a row ("/etc/pam.d//etc/pam.d") in this - file: /etc/apparmor.d/tunables/home.d/security-misc. - -commit b316352ede379d96cff4813735b93eb59506fe42 -Author: Patrick Schleizer -Date: Sat Jun 1 18:13:08 2024 +0000 - - bumped changelog version - -commit c815304026d30f7774f804498d20431ccdf8dc7f -Author: Patrick Schleizer -Date: Sat Jun 1 14:12:57 2024 -0400 - - readme - -commit 641e98e57714f7d38962bfd12d673500b8114356 -Author: Patrick Schleizer -Date: Sat Jun 1 17:35:04 2024 +0000 - - bumped changelog version - -commit e0cd9579d64e6d16667832de51f77a3091ef213e -Author: Patrick Schleizer -Date: Sat Jun 1 13:32:13 2024 -0400 - - remove duplicate `fsckobjects = true` from `/etc/gitconfig` - -commit bbe64a0b7992610dfef6002271718a2aee115cae -Author: Patrick Schleizer -Date: Tue May 28 12:04:53 2024 +0000 - - bumped changelog version - -commit ae24a97d4d0ffcfb3d1cc92edb61e7ecf4535ee7 -Merge: bfca98e a735857 -Author: Patrick Schleizer -Date: Tue May 28 08:02:21 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit a7358578520294b51e1001199670a0bbeeb43eb1 -Merge: bfca98e 4efa293 -Author: Patrick Schleizer -Date: Tue May 28 07:55:31 2024 -0400 - - Merge pull request #226 from Kicksecure/gitconfig - - add `/etc/gitconfig` by default for better `git` security - -commit 4efa293f3b76814bc5399a959482d7db6e7431ec -Author: Patrick Schleizer -Date: Tue May 28 07:51:06 2024 -0400 - - add `/etc/gitconfig` by default for better `git` security - - ``` - [core] - symlinks = false - - [transfer] - fsckobjects = true - fsckobjects = true - [fetch] - fsckobjects = true - fsckobjects = true - [receive] - fsckobjects = true - fsckobjects = true - ``` - - + additional suggestions as comments - - fixes https://github.com/Kicksecure/security-misc/issues/225 - -commit bfca98ea89cea0f8604ecca0c8640860320e8e33 -Author: Patrick Schleizer -Date: Sat May 18 20:45:12 2024 +0000 - - bumped changelog version - -commit eb82884fb2e3d3bb4fa5555d8212146042ba8aa4 -Merge: 5867b1b 12e006e -Author: Patrick Schleizer -Date: Sat May 18 16:42:41 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 12e006ef9cabbbcbe9cb45d9a6631e9a7a47cf3a -Merge: 5867b1b 2f71605 -Author: Patrick Schleizer -Date: Sat May 18 16:30:07 2024 -0400 - - Merge pull request #222 from raja-grewal/text - - Update Readme and Copyright - -commit 2f716050d17016be6f550a7de8e0c1030e869e8f -Author: raja-grewal -Date: Sun May 12 01:06:34 2024 +0000 - - Update README.md - -commit 1bb843ec3863696170242c57668d0b3f44f41d7b -Author: Raja Grewal -Date: Sat May 11 13:18:36 2024 +1000 - - Update Copyright (C) to 2024 - -commit dddac1dc4015a28fc6b12244809685295272edd1 -Author: Raja Grewal -Date: Sat May 11 13:15:42 2024 +1000 - - Update README.md - -commit 5867b1b014f450acdf70c203ffe2f27831f1d9b0 -Author: Patrick Schleizer -Date: Fri May 10 11:20:36 2024 +0000 - - bumped changelog version - -commit 9b589bc3116c8f9d6d574021bcec7b5dec3888b8 -Author: Patrick Schleizer -Date: Fri May 10 06:49:34 2024 -0400 - - comment - -commit 8d01fc2d351285c9c2f810bf5cf10797c9b9eb41 -Author: Patrick Schleizer -Date: Fri May 10 06:48:26 2024 -0400 - - chmod +x - -commit 8a28c1bc38b87bf55f25764c96a0e81e22137232 -Merge: a9886a3 0f1119f -Author: Patrick Schleizer -Date: Fri May 10 06:48:04 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 0f1119f326cd769db8995e8eb54ff35503c70562 -Merge: 547757f 677f75a -Author: Patrick Schleizer -Date: Fri May 10 06:45:57 2024 -0400 - - Merge pull request #221 from raja-grewal/firewire - - Disable Firewire Module - -commit 547757f4514a54437d044656c5e2b6d413a4cc30 -Merge: 7b9fe44 06f13bb -Author: Patrick Schleizer -Date: Fri May 10 06:45:34 2024 -0400 - - Merge pull request #220 from raja-grewal/block_gps - - Block Several GPS-related Modules - -commit 7b9fe44a20f3caf67f386969a5fc7c980e5f0282 -Merge: 62ea4dc 132b41a -Author: Patrick Schleizer -Date: Fri May 10 06:43:43 2024 -0400 - - Merge pull request #219 from raja-grewal/logging_martians - - Revert Logging of Martians - -commit 62ea4dc1768f69bb28a69c20e55c87ae692cc0c8 -Merge: a9886a3 4694268 -Author: Patrick Schleizer -Date: Fri May 10 06:43:15 2024 -0400 - - Merge pull request #218 from raja-grewal/secure_cpu - - More CPU Mitigations and Additional References - -commit 677f75ae8ed64af599f837ced15f34990df498e5 -Author: raja-grewal -Date: Thu May 9 02:34:02 2024 +0000 - - Disable `firewire-net` module - -commit 06f13bb766bd84182331aeb1632b917de4b36020 -Author: raja-grewal -Date: Thu May 9 02:28:53 2024 +0000 - - Disable GPS modules like GNSS - -commit f3800a4e2b7bef87cc3bd8791f9e7f654f8d782a -Author: raja-grewal -Date: Thu May 9 02:25:46 2024 +0000 - - Create disabled-gps-by-security-misc - -commit 132b41ae73e9ea72bc3d8aff22ae75fc622758a3 -Author: raja-grewal -Date: Thu May 9 02:16:50 2024 +0000 - - Revert logging of martians - -commit 4694268b8f779c1a0a56546dc6d12bf9f23a7cdd -Author: raja-grewal -Date: Sun May 5 12:52:51 2024 +0000 - - Remove a word - -commit 8f7768ce96e32e3f1ec52118afffc2a44a160976 -Author: raja-grewal -Date: Sun May 5 12:50:39 2024 +0000 - - Add vendor links - -commit 0c031a29d33d13d9106746d61b87f9d98a80b5cd -Author: raja-grewal -Date: Wed May 1 13:55:09 2024 +1000 - - RFDS mitigation on Intel Atom CPUs (including E-cores) - -commit 1122b3402c0856a087415d7ba1a313048b7e3eea -Author: raja-grewal -Date: Wed May 1 13:50:42 2024 +1000 - - GDS mitigation for CPUs - -commit c002bd62e8584a19e73b3f42673a3f9bafba6a2c -Author: raja-grewal -Date: Wed May 1 13:49:34 2024 +1000 - - Clarify use of `mitigations=auto` - -commit d89d7e8ef8ee3fd45456e82e8f649f7f28c93e80 -Author: raja-grewal -Date: Wed May 1 13:49:00 2024 +1000 - - Add reference for RETBleed - -commit 015dcc4212736417a2202ea0e0a92e5c2e58d6a5 -Author: raja-grewal -Date: Wed May 1 13:48:13 2024 +1000 - - Add reference for SSB - -commit de4f4be94762c9751ea62f744d7d6ede3ef30e88 -Author: raja-grewal -Date: Wed May 1 13:47:40 2024 +1000 - - Merge spectre mitigations - -commit 965c8641fd28e0ee592b50605edb7494fe9c3a28 -Author: raja-grewal -Date: Wed May 1 13:47:02 2024 +1000 - - Update BHI mitigation reference - -commit a9886a3119f9b662b15fc26d28a7fedf316b72c4 -Author: Patrick Schleizer -Date: Fri Apr 12 06:56:39 2024 +0000 - - bumped changelog version - -commit 5cbdf3c1262d26ae03b28baee87b1d268329da40 -Merge: 7fba04d ab8b6da -Author: Patrick Schleizer -Date: Fri Apr 12 02:54:17 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit ab8b6da484a90e9a62f8ba515c757aa3758baf48 -Merge: 7fba04d 4935768 -Author: Patrick Schleizer -Date: Fri Apr 12 02:53:08 2024 -0400 - - Merge pull request #216 from raja-grewal/spectre_bhi - - BHI mitigation on Intel CPUs - -commit 493576836c90653f9c3514fcd5b3bf816e56d689 -Author: raja-grewal -Date: Fri Apr 12 00:17:06 2024 +1000 - - BHI mitigation on Intel CPUs - -commit 7fba04d1485187fe648f3d3ab44cd834b0eb9791 -Author: Patrick Schleizer -Date: Mon Apr 1 06:56:45 2024 +0000 - - bumped changelog version - -commit 7dba3fb7bebd4fdc7f168df378c2d505971f2c04 -Author: Patrick Schleizer -Date: Mon Apr 1 02:55:59 2024 -0400 - - no longer disable MSR by default - - fixes https://github.com/Kicksecure/security-misc/issues/215 - -commit d9ac01ba5c26f9730feb17fe573d447e625e59f8 -Author: Patrick Schleizer -Date: Mon Mar 18 15:10:10 2024 +0000 - - bumped changelog version - -commit ecaa024f226f4f45ac9d2a4f38bcdb82a6e35a2f -Author: Patrick Schleizer -Date: Mon Mar 18 11:01:56 2024 -0400 - - lower debugging - -commit 357ea5deab85debb9dff5d9e4e80a972954249c8 -Author: Patrick Schleizer -Date: Mon Mar 11 15:07:50 2024 +0000 - - bumped changelog version - -commit 0a018bdebca167d671d8bda81a2b0d929d396945 -Merge: 57fc487 0b81316 -Author: Patrick Schleizer -Date: Mon Mar 11 10:13:57 2024 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 0b8131630041dbd80f1aa61dcedde446208c06f7 -Merge: 57fc487 03ed546 -Author: Patrick Schleizer -Date: Mon Mar 11 10:12:46 2024 -0400 - - Merge pull request #211 from wryMitts/patch-1 - - Create proc group on install - -commit 03ed546cd8992b29855ca1c2748ed988dd3c765d -Author: wryMitts <158655396+wryMitts@users.noreply.github.com> -Date: Sun Mar 10 16:55:10 2024 -0400 - - Create proc group on install - - Fixes https://github.com/Kicksecure/security-misc/issues/210 - -commit 57fc487e5e5ffad765f1418236744319cc666871 -Author: Patrick Schleizer -Date: Sun Mar 10 13:19:26 2024 +0000 - - bumped changelog version - -commit a5206bde336c159be065345e7dd5cb86b2b6a27f -Author: Patrick Schleizer -Date: Sun Mar 10 08:44:53 2024 -0400 - - `proc-hidepid.service` add `gid=proc` - - This allows users that are a member of the `proc` group to be excluded from `hidepid` protections. - - https://github.com/Kicksecure/security-misc/issues/208 - -commit 0f0d9ca2a42cf9fc04e405ae90f3d67bc0794e12 -Author: Patrick Schleizer -Date: Mon Mar 4 11:48:30 2024 +0000 - - bumped changelog version - -commit 6b76373395622bac0e701c6d15c6656658febced -Author: Patrick Schleizer -Date: Mon Mar 4 06:44:26 2024 -0500 - - fix panic-on-oops started every 10s in Qubes-Whonix - - by changing from a /etc/profile.d etc. related mechanism to start to a systemd unit file based approach - - Thanks to @marmarek for the bug report! - - https://forums.whonix.org/t/panic-on-oops-started-every-10s/19450 - -commit af6c6971a741c69a584ba3f92dbfed12e40784dc -Author: Patrick Schleizer -Date: Mon Mar 4 06:33:51 2024 -0500 - - comment - -commit e013070e0bfc43d006e09ae1c5ae3533f7bebc5f -Author: Patrick Schleizer -Date: Mon Mar 4 06:33:21 2024 -0500 - - newline - -commit a5cc1774f2fbf6475e7b56601fbcd84a2a63fed0 -Author: Patrick Schleizer -Date: Mon Feb 26 13:32:44 2024 +0000 - - bumped changelog version - -commit 808e72f24bf30b3476ab6b87f96eb636632c195c -Author: Patrick Schleizer -Date: Mon Feb 26 08:11:26 2024 -0500 - - use long options - - https://github.com/Kicksecure/security-misc/issues/172 - -commit 2d1d1b246f3fe061d4f817da5cecf46010839e1d -Author: Patrick Schleizer -Date: Mon Feb 26 08:07:29 2024 -0500 - - improve output - - https://github.com/Kicksecure/security-misc/issues/172 - -commit d8f5376c4f36f5deb734e6dead42a62566d13480 -Author: Patrick Schleizer -Date: Mon Feb 26 07:58:06 2024 -0500 - - improve output - - https://github.com/Kicksecure/security-misc/issues/172 - -commit cf84762a3a84d2be3b9510dddb32bdc433170dfa -Author: Patrick Schleizer -Date: Mon Feb 26 07:52:41 2024 -0500 - - improve output - - https://github.com/Kicksecure/security-misc/issues/172 - -commit f2958bbfa5e67ee10380a25d996826233469080a -Author: Patrick Schleizer -Date: Mon Feb 26 07:49:30 2024 -0500 - - comment - -commit bc8f9edc3197e33e75ea1d691834d9abbdcdefd0 -Merge: 02d6f67 b23d167 -Author: Patrick Schleizer -Date: Mon Feb 26 07:48:19 2024 -0500 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit b23d167342ef242a1e9d4e91b6a4b945e80c3e7e -Merge: 02d6f67 ef44ece -Author: Patrick Schleizer -Date: Mon Feb 26 07:46:02 2024 -0500 - - Merge pull request #204 from DanWin/sysfs-mount - - Make /sys hardening optional and allow access to /sys/fs to make polkit work - -commit 02d6f67741ef93d9ab39e02ac56b27c551a19dca -Author: Patrick Schleizer -Date: Thu Feb 22 20:08:17 2024 +0000 - - bumped changelog version - -commit d13d1aa7ec7e9ac9f1aa87e4b36228bfd3af6eb2 -Author: Patrick Schleizer -Date: Thu Feb 22 15:07:53 2024 -0500 - - comments - -commit a1f898e3b317f49a5bb9507c8b9d3bd3c4e23abf -Author: Patrick Schleizer -Date: Thu Feb 22 19:58:01 2024 +0000 - - bumped changelog version - -commit c3dd178b19be8c078ed6a2f46a072bef3d144c06 -Author: Patrick Schleizer -Date: Thu Feb 22 14:57:50 2024 -0500 - - output - -commit ef44ecea44ee516b1ba92175eb78b2e8143c4502 -Author: Daniel Winzen -Date: Thu Feb 22 16:51:23 2024 +0100 - - Add option to disabe /sys hardening - -commit 3bc1765dbbd333a1d607ab6962281b4d0a5c4b60 -Author: Daniel Winzen -Date: Wed Feb 21 20:37:34 2024 +0100 - - Allow access to /sys/fs for polkit - -commit 6b73e6c2a9ff1efe211e41e005e4ecaa63731d82 -Author: Patrick Schleizer -Date: Thu Feb 22 16:07:16 2024 +0000 - - bumped changelog version - -commit 37a7abdf0c1e6d8179bd09d3c1bd0363e8bc0a96 -Author: Patrick Schleizer -Date: Thu Feb 22 11:07:01 2024 -0500 - - ConditionKernelCommandLine=!remountsecure=0 - -commit eb3e0b9292f71a5dba312500508f893779fb1b9c -Author: Patrick Schleizer -Date: Thu Feb 22 14:52:55 2024 +0000 - - bumped changelog version - -commit c0924321b84874ae7fc72c59fd58e4c4ae8bc6d9 -Author: Patrick Schleizer -Date: Thu Feb 22 09:52:36 2024 -0500 - - fix systemd unit ExecStart - -commit d148a769b7106831c0b27a7ad63d91ab42257678 -Author: Patrick Schleizer -Date: Thu Feb 22 14:50:05 2024 +0000 - - bumped changelog version - -commit 6d7cf3c12a8a772fee1cd893d5504767690b3b77 -Author: Patrick Schleizer -Date: Thu Feb 22 09:49:48 2024 -0500 - - output - -commit f7831db197b2fff33b66eeb44efd749e482315e0 -Author: Patrick Schleizer -Date: Thu Feb 22 09:17:41 2024 -0500 - - do not exit non-zero if folder does not exist - -commit 5bdd7b8475bdfde8dbee5318fb43d0c2a236e3b0 -Author: Patrick Schleizer -Date: Thu Feb 22 09:14:52 2024 -0500 - - output - -commit 44a15cd97da3066e39d2d7df1f456e703036a6e9 -Author: Patrick Schleizer -Date: Thu Feb 22 09:13:56 2024 -0500 - - mount --make-private - - https://github.com/Kicksecure/security-misc/issues/172 - -commit c0f98b05b609c7c8ac6f86e123af9e0642d82697 -Author: Patrick Schleizer -Date: Thu Feb 22 06:03:59 2024 -0500 - - comment - - https://github.com/Kicksecure/security-misc/pull/202 - -commit 1e1613aa93dca1e7fe7f24dbd32028a0cadd21fd -Author: Patrick Schleizer -Date: Thu Feb 22 06:02:28 2024 -0500 - - allow /opt exec as usually optional binaries are placed there such as firefox - - https://github.com/Kicksecure/security-misc/pull/202 - -commit 7c7b4b24b4959f3ef96ff7ef0b11fa4c0bd48c8e -Author: Patrick Schleizer -Date: Thu Feb 22 06:01:00 2024 -0500 - - fix home_noexec_maybe -> most_noexec_maybe - - https://github.com/Kicksecure/security-misc/pull/202 - -commit 38783faf60b85c4e855bf78c87e1c07765776b50 -Author: Patrick Schleizer -Date: Thu Feb 22 05:58:53 2024 -0500 - - add more bind mounts of mount options hardening - - as suggested in https://github.com/Kicksecure/security-misc/pull/202 - -commit ad9d913902d7e696f1114da74d84f9cdcb22bc25 -Author: Patrick Schleizer -Date: Sat Feb 3 18:28:27 2024 +0000 - - bumped changelog version - -commit 02090da08cfd411314ffeeb6df95f73c701f06c6 -Merge: 8037ce5 ba13657 -Author: Patrick Schleizer -Date: Sat Feb 3 12:51:07 2024 -0500 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit ba13657d894f2f30d8deb7c08b85e5fbc1dcea21 -Merge: 8037ce5 b16c99a -Author: Patrick Schleizer -Date: Sat Feb 3 12:50:28 2024 -0500 - - Merge pull request #197 from raja-grewal/mitigations - - Additional Explicit CPU Mitigations - -commit b16c99ab62a902b1f61b9d4fe63273cd614e757c -Author: raja-grewal -Date: Mon Jan 29 13:39:40 2024 +0000 - - Remove hardcoded `spec_rstack_overflow` setting - -commit 139b10a9aad85018f87bdc4bb227e938f7955235 -Author: raja-grewal -Date: Mon Jan 29 12:59:13 2024 +0000 - - Control RAS overflow mitigation on AMD Zen CPUs - -commit 6c54e35027e86ec045102cd1d95f84aa30bc55c9 -Author: raja-grewal -Date: Mon Jan 29 12:58:51 2024 +0000 - - Enable mitigations for RETBleed vulnerability and disable SMT - -commit 4509a5fc95204080f2855849d22c7e05393455d9 -Author: raja-grewal -Date: Mon Jan 29 12:58:14 2024 +0000 - - Enable known mitigations for CPU vulnerabilities and disable SMT - -commit 4231155efa0970d2456b67cc89c8828b0766cf7f -Author: raja-grewal -Date: Mon Jan 29 12:57:48 2024 +0000 - - Add reference for kernel parameters - -commit 8037ce52f96dcc6f8007c1567daf38ff013352d6 -Author: Patrick Schleizer -Date: Thu Jan 25 13:59:29 2024 +0000 - - bumped changelog version - -commit 185bfe749787a8c6e93103ae8c6b0751a169e276 -Author: Patrick Schleizer -Date: Thu Jan 25 06:54:36 2024 -0500 - - use `interest-noawait` instead of `interest-await` - - fixes https://github.com/Kicksecure/security-misc/issues/196 - -commit 64e41b113cae893d1f27f441f99340389ba8b9b3 -Author: Patrick Schleizer -Date: Thu Jan 18 14:10:51 2024 +0000 - - bumped changelog version - -commit 1855fa08b1386b1ea8697767104e7ad0f1521c9c -Author: Patrick Schleizer -Date: Thu Jan 18 08:54:39 2024 -0500 - - readme - -commit f0e2a82b558f64611f037424c6f8f12de32737f6 -Author: Patrick Schleizer -Date: Wed Jan 17 19:18:25 2024 +0000 - - bumped changelog version - -commit 314e5b490c6864b745fbf5fd6d9bb2c724d478b8 -Author: Patrick Schleizer -Date: Wed Jan 17 14:03:09 2024 -0500 - - use wildcards - - instead of outdated, incomplete list - - https://github.com/Kicksecure/security-misc/issues/160 - -commit 08619d6a7307b6ab05a3ba7e71ea33b00db20b27 -Author: Patrick Schleizer -Date: Wed Jan 17 13:59:36 2024 -0500 - - minor RPM updates - - https://github.com/Kicksecure/security-misc/issues/160 - -commit 3048e0ac76e4eba1c53b43ba2424157505578cdd -Author: Patrick Schleizer -Date: Wed Jan 17 13:54:07 2024 -0500 - - usrmerge - - https://github.com/Kicksecure/security-misc/issues/190 - -commit 5a6cd4c2abd243c91575e9477a921aa290c68ba5 -Author: Patrick Schleizer -Date: Wed Jan 17 13:51:30 2024 -0500 - - remove now empty /bin from copying since it is empty after usrmerge - - https://github.com/Kicksecure/security-misc/issues/190 - -commit 071b984a1eaaa8a8ea6a40e4ee36eabcde2d630d -Author: Patrick Schleizer -Date: Wed Jan 17 13:49:05 2024 -0500 - - `sort -d` - - https://github.com/Kicksecure/security-misc/issues/190 - -commit 011e55e3e52485ccd728b4bb249efbc816f38806 -Author: Patrick Schleizer -Date: Wed Jan 17 13:45:17 2024 -0500 - - remove duplicates after usrmerge - - https://github.com/Kicksecure/security-misc/issues/190 - -commit 0efee2f50fd38feade7700c2f033cc3d4c200d34 -Author: Patrick Schleizer -Date: Wed Jan 17 13:39:56 2024 -0500 - - usrmerge - - fixes https://github.com/Kicksecure/security-misc/issues/190 - -commit 18a06935e0cca3dc090643aad406d861e4583085 -Author: Patrick Schleizer -Date: Wed Jan 17 13:23:20 2024 -0500 - - run permission hardener when new packages are install files to /usr or /opt - - (basically anywhere) - - fixes https://github.com/Kicksecure/security-misc/issues/189 - -commit 66e6371221c3395a0523e30e8ef1a051d3e6cdd0 -Author: Patrick Schleizer -Date: Tue Jan 16 14:26:34 2024 +0000 - - bumped changelog version - -commit 0d78ecaee37536379ad2f230f45904f57425cb19 -Author: Patrick Schleizer -Date: Tue Jan 16 09:26:21 2024 -0500 - - README - -commit 3ba8fe586e1abe133bd41076278f8663aba7e641 -Author: Patrick Schleizer -Date: Tue Jan 16 09:23:54 2024 -0500 - - update permission-hardener.service - - Which is now only an additional opt-in systemd unit, - because permission-hardener is run by default at security-misc - package installation time. - - https://github.com/Kicksecure/security-misc/pull/181 - -commit 186f6015da7b3314c95c2833032c6fe953a71afd -Author: Patrick Schleizer -Date: Tue Jan 16 14:14:18 2024 +0000 - - bumped changelog version - -commit 6aa55698ab2a0f3771d28293d7ad14da2763a16f -Author: Patrick Schleizer -Date: Tue Jan 16 09:10:59 2024 -0500 - - delete legacy folder /etc/permission-hardening.d if empty - - https://github.com/Kicksecure/security-misc/pull/181 - -commit 9cafd78fe21baa3c2a36853f57e0638b2facfe5c -Author: Patrick Schleizer -Date: Tue Jan 16 09:05:09 2024 -0500 - - rm_conffile /etc/permission-hardening.d - - https://github.com/Kicksecure/security-misc/pull/181 - -commit fa53848b5cda135fbb8a3855e8508692084fc7e9 -Author: Patrick Schleizer -Date: Tue Jan 16 13:58:55 2024 +0000 - - bumped changelog version - -commit 4f7973bc5628cdc24f5224bd98858249307635d3 -Author: Patrick Schleizer -Date: Tue Jan 16 08:56:26 2024 -0500 - - comment - -commit ed7c09fc46b26440439adf748f597da277a3f1e4 -Author: Patrick Schleizer -Date: Tue Jan 16 08:45:13 2024 -0500 - - permission-hardening -> permission-hardener migration - - mv --verbose /var/lib/permission-hardening /var/lib/permission-hardener - - https://github.com/Kicksecure/security-misc/pull/181 - -commit a90cd43631216f28a18a1b3f066b9f6ef3301ac4 -Author: Patrick Schleizer -Date: Tue Jan 16 08:32:52 2024 -0500 - - fix postinst for new permission-hardener - - https://github.com/Kicksecure/security-misc/pull/181 - -commit 862bf6b5ab29917138325023eb3507f5fbd5653c -Merge: dc8d9ee bc02c72 -Author: Patrick Schleizer -Date: Tue Jan 16 08:19:28 2024 -0500 - - Merge remote-tracking branch 'ben-grande/clean' - -commit dc8d9eece32dec06e63c580c886a240019b3f33e -Author: Patrick Schleizer -Date: Tue Jan 9 05:52:49 2024 +0000 - - bumped changelog version - -commit 1199871d7bbc7316a7e5822d77eee0666b55b203 -Author: Patrick Schleizer -Date: Sun Jan 7 06:37:34 2024 -0500 - - undo IPv6 privacy due to potential server issues - - https://github.com/Kicksecure/security-misc/issues/184 - -commit 128bb01b35d20e97351dfb53768f35482f9756a2 -Author: Patrick Schleizer -Date: Sun Jan 7 06:36:25 2024 -0500 - - undo IPv6 privacy due to potential server issues - - https://github.com/Kicksecure/security-misc/issues/184 - -commit df0f9d3267644c4aea87add2dcade86044c496f0 -Author: Patrick Schleizer -Date: Sat Jan 6 09:19:57 2024 -0500 - - README - -commit 86f91e3030ef0b08000fc28a3a172e6a47918e4e -Author: Patrick Schleizer -Date: Sat Jan 6 09:10:45 2024 -0500 - - revert umask 027 by default - - because broken because this also happens for root while it should not - - https://github.com/Kicksecure/security-misc/issues/185 - -commit 3f1304403fbf04f15dac01963c66f82cd84452d4 -Author: Patrick Schleizer -Date: Sat Jan 6 08:15:31 2024 -0500 - - disable MAC randomization in Network Manager (NM) because it breaks VirtualBox DHCP - - https://github.com/Kicksecure/security-misc/issues/184 - -commit e8f8dcd0fb1c23a62974849f55516da9dce5948e -Author: Patrick Schleizer -Date: Thu Jan 4 02:03:26 2024 +0000 - - bumped changelog version - -commit 70a86fa994c0a894643e876fc86226ad0443a741 -Merge: db0503e 71060f1 -Author: Patrick Schleizer -Date: Wed Jan 3 05:12:48 2024 -0500 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 71060f1f53ca7a275f10c4b6ab3e6c25585d5440 -Merge: db0503e 74afcc9 -Author: Patrick Schleizer -Date: Wed Jan 3 05:00:41 2024 -0500 - - Merge pull request #182 from raja-grewal/io_uring - - Clarify validity of disabling io_uring - -commit 74afcc9c63ad064f20778ad2870690925c3cee81 -Author: Raja Grewal -Date: Wed Jan 3 17:52:23 2024 +1100 - - Clarify validity of disabling io_uring - -commit bc02c72018d6458d4c1852dd441287b277421514 -Author: Ben Grande -Date: Tue Jan 2 17:08:45 2024 +0100 - - Fix unbound variable - - - Run messages preceded by INFO; - - Comment unknown unused variables; - - Remove unnecessary variables; and - - Deal with unbound variable due to subshell by writing to a file; - -commit db0503e71d5c37865cbb0a01cb8fa00af2a4e574 -Author: Patrick Schleizer -Date: Tue Jan 2 14:55:13 2024 +0000 - - bumped changelog version - -commit abf72c2ee4286ec069f75e66acf05a42f3645c89 -Author: Ben Grande -Date: Tue Jan 2 13:34:29 2024 +0100 - - Rename file permission hardening script - - Hardener as the script is the agent that is hardening the file - permissions. - -commit f138cf0f78c03e3952801d01d25d5f8065ff1457 -Author: Ben Grande -Date: Tue Jan 2 12:17:16 2024 +0100 - - Refactor permission-hardener - - - Organize comments from default configuration; - - Apply and undo changes from a single file controlled by parameters; - - Arrays should be evaluated as arrays and not normal variables; - - Quote variables; - - Brackets around variables; - - Standardize test cases to "test" command; - - Test against empty or non-empty variables with "-z" and "-n"; - - Show a usage message when necessary; - - Require root to run the script with informative message; - - Permit the user to see the help message without running as root; - - Do not create root directories without passing root check; - - Use long options for "set" command; - -commit a94f2a3f4626a9292660bc7f98a6513f34d0f5b2 -Merge: 94c0e26 8daf97a -Author: Patrick Schleizer -Date: Tue Jan 2 05:30:49 2024 -0500 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 8daf97ab0181a9cbb9e9dec57f1f00270dbb3a50 -Merge: 94c0e26 f055fe5 -Author: Patrick Schleizer -Date: Tue Jan 2 05:29:35 2024 -0500 - - Merge pull request #178 from raja-grewal/io_uring - - Disable asynchronous I/O - -commit 94c0e26a082f61f71e89b1fb7386a58166ffa411 -Author: Patrick Schleizer -Date: Fri Dec 29 20:15:50 2023 +0000 - - bumped changelog version - -commit 5b36599c0ce35857239c82459828db1ec4215411 -Author: Patrick Schleizer -Date: Fri Dec 29 14:57:38 2023 -0500 - - /dev/, /dev/shm, /tmp - - https://github.com/Kicksecure/security-misc/issues/157#issuecomment-1869073716 - -commit e15596e7af6fc645dd652c043397baaa91954915 -Author: Patrick Schleizer -Date: Mon Dec 25 16:28:10 2023 +0000 - - bumped changelog version - -commit f64a869bfdd4c746afd206367885851946deb692 -Author: Patrick Schleizer -Date: Mon Dec 25 11:03:22 2023 -0500 - - readme - -commit c86c83cef760906a0d1c56ee8a8c744b2e07f212 -Author: Patrick Schleizer -Date: Mon Dec 25 10:31:58 2023 -0500 - - formatting - - https://github.com/Kicksecure/security-misc/issues/157 - -commit 971ff687b1423499c54495a03e5e6fafcbfefb2a -Author: Patrick Schleizer -Date: Mon Dec 25 10:30:35 2023 -0500 - - do not mount /dev/cdrom by default - - https://github.com/Kicksecure/security-misc/issues/157 - -commit 9fce67fcd942a7e3e0dd2e874226fcdab5e33ba3 -Author: Patrick Schleizer -Date: Mon Dec 25 10:28:47 2023 -0500 - - remove superfluous, broken `remount` mount option - - https://github.com/Kicksecure/security-misc/issues/157 - -commit 40fd8cb6081512e2bc0ef1a7a1ee17cd317024c2 -Author: Patrick Schleizer -Date: Mon Dec 25 09:51:09 2023 -0500 - - no `nofail` mount option to avoid breaking the boot of a system - - unit testing belongs elsewhere - - https://github.com/Kicksecure/security-misc/issues/157 - -commit 4aa645f29ff741b6e5cdf629deade1923fdcc234 -Author: Patrick Schleizer -Date: Mon Dec 25 09:46:33 2023 -0500 - - comment - - https://github.com/Kicksecure/security-misc/issues/157 - -commit 2b7aeedb4a543d0a43a35918999338097d13bb16 -Author: Patrick Schleizer -Date: Mon Dec 25 09:44:51 2023 -0500 - - mount /dev/cdrom to /mnt/cdrom (instead of /mnt/cdrom0) and - nodev,nosuid,noexec - - as per: - https://www.debian.org/doc/manuals/securing-debian-manual/ch04s10.en.html - - https://github.com/Kicksecure/security-misc/issues/157 - -commit 0d9e9780daca563a726470a3a5d6fa8c20487240 -Author: Patrick Schleizer -Date: Mon Dec 25 09:37:14 2023 -0500 - - formatting - - https://github.com/Kicksecure/security-misc/issues/157 - -commit 00f9ab43947795c1144d797547968c7c149d6f21 -Author: Patrick Schleizer -Date: Mon Dec 25 09:36:05 2023 -0500 - - /dev devtmpfs - - https://github.com/Kicksecure/security-misc/issues/157 - -commit 55709b3aa0acd6cad0c9fedb8782c49fbea79689 -Author: Patrick Schleizer -Date: Mon Dec 25 09:30:57 2023 -0500 - - /tmp tmpfs - - https://github.com/Kicksecure/security-misc/issues/157 - -commit b0dd967611c27f5b8e2472bb74a664aead7a229e -Author: Patrick Schleizer -Date: Mon Dec 25 09:27:45 2023 -0500 - - usrmerge - - https://github.com/Kicksecure/security-misc/issues/157 - -commit 269fada14a616c53d7421e88e662f6893eb1fd88 -Author: Patrick Schleizer -Date: Mon Dec 25 09:25:14 2023 -0500 - - combine bind lines - - https://github.com/Kicksecure/security-misc/issues/157 - -commit 0810c1ce3c9e19c745b8f0d2cd9410353b172779 -Author: Patrick Schleizer -Date: Mon Dec 25 09:10:31 2023 -0500 - - fix bluetooth in readme - - fixes https://github.com/Kicksecure/security-misc/issues/180 - -commit 37b4ab15a823134e616a2a0fe1dda18d5ebfa3c0 -Author: Patrick Schleizer -Date: Mon Dec 25 09:04:10 2023 -0500 - - readme - -commit 79f398d219b9c4cdf8ea0f9e3135a08fa32659a8 -Author: Patrick Schleizer -Date: Mon Dec 25 08:45:20 2023 -0500 - - formatting - -commit c90ada3c398205227d906e2b2108d36d92edcf3c -Author: Patrick Schleizer -Date: Mon Dec 25 08:37:23 2023 -0500 - - pandoc -f markdown -t markdown --wrap=auto --columns=80 README.md -o README.md - -commit 34bf297bd17af2adf59804bd133a00b7dc1942b7 -Author: Patrick Schleizer -Date: Mon Dec 25 08:32:34 2023 -0500 - - formatting - -commit d5fc9f620169b6975c8d3ef685f47e62cb6b9262 -Author: Patrick Schleizer -Date: Mon Dec 25 08:26:03 2023 -0500 - - improve bluetooth in readme - - as suggested by @monsieuremre - - https://github.com/Kicksecure/security-misc/issues/180 - -commit 7fa597deca7ff2b2932a5f5fad56be57bd78b6cf -Author: Patrick Schleizer -Date: Fri Dec 22 16:31:58 2023 +0000 - - bumped changelog version - -commit f70a034da2b4b615855504e7080baf1a7e7b461c -Author: Patrick Schleizer -Date: Fri Dec 22 08:31:58 2023 -0500 - - exclude hardened malloc from SUID disabler - - fixes https://github.com/Kicksecure/security-misc/issues/179 - -commit f055fe5da2219b68f46c3c577d79fcfd7e79cfc6 -Author: Raja Grewal -Date: Fri Dec 15 08:33:36 2023 +0000 - - Disable asynchronous I/O - - io_uring creation is disabled for all processes. io_uring_setup always fails with -EPERM. Existing io_uring instances can still be used. - -commit 99f2edd4f685cdc9a47b32107125408e12a294c2 -Author: Patrick Schleizer -Date: Tue Dec 12 16:51:21 2023 +0000 - - bumped changelog version - -commit 039de1dc9bd6f3cc6595d66f54d0d88d9b537b17 -Author: Patrick Schleizer -Date: Tue Dec 12 11:50:11 2023 -0500 - - add hardened fstab `/usr/share/doc/security-misc/fstab-vm` - - to the documentation folder as an example - - not directly used by security-misc - - will later be used by Kicksecure VM build process - - https://github.com/Kicksecure/security-misc/issues/157 - -commit dcaafa6c8bf380dd990942e9c10e280943b442a6 -Author: Patrick Schleizer -Date: Mon Dec 4 17:06:45 2023 +0000 - - bumped changelog version - -commit 5a73817a9575fe5bcaf3fd354e5f175db7d45ba4 -Author: Patrick Schleizer -Date: Mon Dec 4 11:38:49 2023 -0500 - - move to `/usr/lib/issue.d/20_security-misc.issue` - - https://github.com/Kicksecure/security-misc/pull/167 - -commit dfaea492c76a277b9cbe84982a135cb4f03a557c -Author: Patrick Schleizer -Date: Mon Dec 4 11:37:02 2023 -0500 - - remove `etc/issue.net.d/20_security-misc` - - since not mentioned on debian.org - -commit 69c895af09f05000ace5f273f3e5032aabf8c64e -Merge: c9ea7a4 36850f8 -Author: Patrick Schleizer -Date: Mon Dec 4 11:27:53 2023 -0500 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 36850f89fb07678ca24eb580a18247e593eac608 -Merge: c9ea7a4 0d7af97 -Author: Patrick Schleizer -Date: Mon Dec 4 11:27:16 2023 -0500 - - Merge pull request #167 from monsieuremre/patch-4 - - Non-Identifiable and Generic Issue Banners that include the Recommended Keywords - -commit c9ea7a4dca6e985c3a1044a3b4ddda83909fbc51 -Author: Patrick Schleizer -Date: Mon Dec 4 11:02:55 2023 -0500 - - use `amd_iommu=force_isolation` instead of `amd_iommu=force_enable` - - because we set `iommu=force` already anyhow - - fixes https://github.com/Kicksecure/security-misc/issues/175 - -commit e83c1d7ed662bb0533c670dd5b7a6745a75e9ca4 -Merge: c4e21ca befd21e -Author: Patrick Schleizer -Date: Mon Dec 4 11:01:02 2023 -0500 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit befd21e0c0c38eaf91c7096e9f60120f533a5842 -Merge: c4e21ca f2ad838 -Author: Patrick Schleizer -Date: Mon Dec 4 11:00:29 2023 -0500 - - Merge pull request #176 from monsieuremre/patch-1 - - Iommu Kernel Parameters - -commit c4e21ca5f49fbc2d67853eebca647539acbca815 -Author: Patrick Schleizer -Date: Mon Dec 4 10:58:16 2023 -0500 - - added development philosophy - - https://github.com/Kicksecure/security-misc/issues/154 - -commit feab1432f9d0966118ca233c9f88270b98c3f120 -Author: Patrick Schleizer -Date: Mon Dec 4 10:48:27 2023 -0500 - - clarify scope - - https://github.com/Kicksecure/security-misc/issues/154 - -commit dc04040cb3644c9e3be9b44a34da4a5f7b61f2cc -Author: Patrick Schleizer -Date: Mon Dec 4 10:36:48 2023 -0500 - - typo - -commit 2634dbff2bd9d7482e7b02be2b5b6fa1c58ef6c7 -Author: Patrick Schleizer -Date: Mon Dec 4 10:36:21 2023 -0500 - - shuffle - -commit f2ad8383cfea4bba42e8b246b05b85101d707641 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Sun Dec 3 19:51:38 2023 +0000 - - fix - -commit dd15823a97e953750d7a8288c7d3b8d5f554d6f9 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Sun Dec 3 19:50:07 2023 +0000 - - undo superfluousness - -commit 83e13bb62d028cfeea7a4d3f3def3bff8d2b5eaa -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Sun Dec 3 19:42:34 2023 +0000 - - Update 40_enable_iommu.cfg - -commit 0d7af9707f802fb600d9eb39bbe0b3bd4a65e3b0 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Sun Dec 3 19:31:12 2023 +0000 - - Update 20_security-misc - -commit 04d27a10b0cd1c22cb166c9fccb93a09d5f388f0 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Sun Dec 3 19:30:55 2023 +0000 - - Update 20_security-misc - -commit 7963f811e1bb6f5e0e2ba41e96b14e4a3a70f847 -Merge: c8b9f5a 82bd913 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Sun Dec 3 19:30:22 2023 +0000 - - Merge branch 'Kicksecure:master' into patch-4 - -commit 82bd9138de750a3590be9c91c898cbd04c550e7e -Author: Patrick Schleizer -Date: Mon Nov 20 13:13:10 2023 +0000 - - bumped changelog version - -commit c2b3ff5243c69c4e1ba28e9966bf0ffd3ce550ce -Author: Patrick Schleizer -Date: Mon Nov 20 04:40:28 2023 -0500 - - moved libpam-tmpdir dependency to kicksecure-meta-packages - - https://github.com/Kicksecure/security-misc/pull/147 - -commit c8b9f5a917e6c415575d6763a65930f1a91a7c78 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Sat Nov 18 10:03:19 2023 +0000 - - net - -commit 3b614f3753608bd62ff6bc6e56e15f280994c646 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Sat Nov 18 10:02:16 2023 +0000 - - 20_security-misc - -commit 4e4df5dd7c6b5cf1deb179a2c3f8fe7a8844884d -Author: Patrick Schleizer -Date: Sat Nov 11 22:29:57 2023 +0000 - - bumped changelog version - -commit a51674410cb8a7ac2119ea7c85f986223ce8fc25 -Author: Patrick Schleizer -Date: Sat Nov 11 17:29:37 2023 -0500 - - fix - -commit 8d58077d68e6363313cdc62f7fac14840f5d9a8e -Author: Patrick Schleizer -Date: Sat Nov 11 20:22:34 2023 +0000 - - bumped changelog version - -commit 5b85a0b34d30d191654158506e0209b34a8f9fe8 -Author: Patrick Schleizer -Date: Sat Nov 11 14:46:35 2023 -0500 - - license - -commit 7757080519858492a7fcbf735ec854029b29d67a -Author: Patrick Schleizer -Date: Sat Nov 11 13:41:28 2023 -0500 - - change license to AGPL-3+ - - https://forums.whonix.org/t/license-change-to-agplv3/17455 - -commit 20f804f19c046e3ef2b38c367de9d5c80cccccd9 -Author: Patrick Schleizer -Date: Mon Nov 6 17:28:21 2023 -0500 - - bumped changelog version - -commit a1e00be0e09a7271a3fae9e9abdbe9a2279b7197 -Author: Patrick Schleizer -Date: Mon Nov 6 16:58:23 2023 -0500 - - update link - -commit 5bb357cac02c7217f4e897a0625f531602ac69cf -Author: Patrick Schleizer -Date: Mon Nov 6 16:55:00 2023 -0500 - - spice-client-glib-usb-acl-helper matchwhitelist - -commit 7309445ee518c093ba3f9aec56197e391e0a194a -Author: Patrick Schleizer -Date: Mon Nov 6 16:52:27 2023 -0500 - - comment - -commit f09d97fc9efc98d8b197a497e2ce4c5965be531a -Author: Patrick Schleizer -Date: Mon Nov 6 16:50:19 2023 -0500 - - whitelist VirtualBox - -commit 64c8c7a8d5a42d2e3da9ce243bc708d1bcbe6039 -Author: Patrick Schleizer -Date: Mon Nov 6 16:47:31 2023 -0500 - - whitelist SSH - -commit 9682b51d548396717867a0c336f1fb1677ccfe2b -Author: Patrick Schleizer -Date: Mon Nov 6 16:44:36 2023 -0500 - - whitelist virtualbox - -commit a40b9bc095bb0f363911dacee050234b3a555744 -Author: Patrick Schleizer -Date: Mon Nov 6 16:40:22 2023 -0500 - - comments - -commit 2c1a3da433b8dc96039caab17e81666896ade58c -Author: Patrick Schleizer -Date: Mon Nov 6 16:38:50 2023 -0500 - - VirtualBoxVM matchwhitelist - -commit 4e96ffaabb7c2e73bf686e56bcaa220f4d2e9e93 -Author: Patrick Schleizer -Date: Mon Nov 6 16:37:19 2023 -0500 - - chrome-sandbox matchwhitelist - -commit df5f3e80566da210ee5d807cc1b5dd53678fdae0 -Author: Patrick Schleizer -Date: Mon Nov 6 16:36:22 2023 -0500 - - output - -commit 72f6e6bb9c2426535bfc48175d88707331ec5346 -Author: Patrick Schleizer -Date: Mon Nov 6 16:28:23 2023 -0500 - - output - -commit 3bc831a1f71a80a178601bdd5c7f06b22ada75ab -Author: Patrick Schleizer -Date: Mon Nov 6 16:27:29 2023 -0500 - - lintian - -commit fd1f38b2ebe31aec04b22d968b38305504f7f935 -Author: Patrick Schleizer -Date: Mon Nov 6 16:22:42 2023 -0500 - - remount-secure systemd unit - - https://github.com/Kicksecure/security-misc/pull/152 - -commit 79f9c1fb3adac319342a22c099401cb21af4429f -Author: Patrick Schleizer -Date: Mon Nov 6 15:48:09 2023 -0500 - - add sysinit-post.target - - https://github.com/Kicksecure/security-misc/pull/152 - -commit 2de5ab41201c561a2684f15196ce37b0f34038a9 -Author: Patrick Schleizer -Date: Mon Nov 6 13:47:30 2023 -0500 - - clarify scope of application specific hardening - - fixes https://github.com/Kicksecure/security-misc/issues/154 - -commit 5a96616b39e7188903bd0d35c9812a02fddc02f9 -Author: Patrick Schleizer -Date: Sun Nov 5 21:13:14 2023 -0500 - - bumped changelog version - -commit ad079ac5cc4d7ce2270e9abf21fa520fc9b2761f -Author: Patrick Schleizer -Date: Sun Nov 5 20:55:55 2023 -0500 - - readme - - https://github.com/Kicksecure/security-misc/pull/152 - -commit be023c77223c4ec0e26ffe2a88acd94653efee9a -Author: Patrick Schleizer -Date: Sun Nov 5 20:54:43 2023 -0500 - - readme - - https://github.com/Kicksecure/security-misc/issues/159 - -commit e1f413c1ee5107468cb2a9c4aa8bd061d0dc911b -Author: Patrick Schleizer -Date: Sun Nov 5 20:53:26 2023 -0500 - - disable harden-module-loading.service for now - - due to issues - - https://github.com/Kicksecure/security-misc/issues/159 - -commit f2ea1abc9b3efc035f4d1381bece458de9b89ff3 -Author: Patrick Schleizer -Date: Sun Nov 5 20:53:03 2023 -0500 - - comment - -commit 95d1cfb4a03afc987cf89bb0f4cd6d2f1ad431b1 -Author: Patrick Schleizer -Date: Sun Nov 5 20:49:36 2023 -0500 - - Revert "remove no longer required remount-service systemd unit" - - This reverts commit 479ab61a1d0c91d26c2cd200d97b39b2b786e073. - - https://github.com/Kicksecure/security-misc/pull/152 - -commit 24b4d59ce41bc95e0b0aadf401223dc40b0f9c8f -Author: Patrick Schleizer -Date: Sun Nov 5 20:14:33 2023 -0500 - - bumped changelog version - -commit 4482f1841cfc6caa063e2274db890cfa01944811 -Author: Patrick Schleizer -Date: Sun Nov 5 20:13:14 2023 -0500 - - newline - -commit c5167c8f0d398946fdfae56fa78b32fade4cb451 -Author: Patrick Schleizer -Date: Sun Nov 5 20:12:03 2023 -0500 - - fix systemd unit - - https://github.com/Kicksecure/security-misc/issues/159 - -commit 2571bbf315693f65f564ef4ad1b2ff4941f2ebc3 -Author: Patrick Schleizer -Date: Sun Nov 5 18:42:25 2023 -0500 - - duplicate - -commit aa170878838b2218da8295be8b6898bc86056cec -Author: Patrick Schleizer -Date: Sun Nov 5 18:42:08 2023 -0500 - - update path - -commit d203e539aa975b042cd6ec9608a0cc16b3314372 -Author: Patrick Schleizer -Date: Sun Nov 5 18:17:59 2023 -0500 - - bumped changelog version - -commit 4ebab940c750154a396c4ffdbde61367e12c72f8 -Author: Patrick Schleizer -Date: Sun Nov 5 17:56:35 2023 -0500 - - description too long, fixed - -commit ad010ef5b4c90e4abbd1c88724f99450740fb2eb -Author: Patrick Schleizer -Date: Sun Nov 5 17:52:44 2023 -0500 - - debugging - -commit 826e76d037f88636fdde7d4ef1eb72f29ac5f4a5 -Author: Patrick Schleizer -Date: Sun Nov 5 17:43:33 2023 -0500 - - bumped changelog version - -commit 3130a39d8c280d913fb632a40562438b82a499bb -Author: Patrick Schleizer -Date: Sun Nov 5 17:43:07 2023 -0500 - - set -e - -commit 18a2d814cc0c477599b276bb319ed8bdd34499ea -Merge: 4fda9d2 36f3c30 -Author: Patrick Schleizer -Date: Sun Nov 5 17:42:28 2023 -0500 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 36f3c30440e73c8bf4946742095f0495994fed99 -Merge: 4fda9d2 2e64d89 -Author: Patrick Schleizer -Date: Sun Nov 5 17:41:56 2023 -0500 - - Merge pull request #148 from monsieuremre/module-loading-hardening - - Harden the loading of new modules to the kernel after install - -commit 4fda9d2e8459c043ec27178ceb87483229b45d5f -Author: Patrick Schleizer -Date: Sun Nov 5 16:46:18 2023 -0500 - - bumped changelog version - -commit 4219347f0a739ed1ea93a596968295ddcd3a940f -Author: Patrick Schleizer -Date: Sun Nov 5 16:43:44 2023 -0500 - - fix permission-hardener config parsing issue - -commit e72f79236b7b704c60c6920b51c86832f4fda9e3 -Author: Patrick Schleizer -Date: Sun Nov 5 16:41:41 2023 -0500 - - refactoring - -commit dea0d9a78a99c441a1738f88cef2cd3c5f433454 -Author: Patrick Schleizer -Date: Sun Nov 5 16:40:49 2023 -0500 - - fix permission-hardener config parsing issue - -commit 017ae18ad7a757a18c5a7a92677f24053280e8b5 -Author: Patrick Schleizer -Date: Sun Nov 5 16:39:10 2023 -0500 - - fix permission-hardener config parsing issue - -commit 65e3c14643ca2b5167e0f5bc30a6bbc45cb4f645 -Author: Patrick Schleizer -Date: Sun Nov 5 16:35:11 2023 -0500 - - fix permission-hardener config parsing issue - -commit 40e536a9beb48f1938e67ae2010fc34f80e3bd1f -Author: Patrick Schleizer -Date: Sun Nov 5 16:04:03 2023 -0500 - - bumped changelog version - -commit 51decff2fd48c2437b08136e97d4211e5eaccd89 -Author: Patrick Schleizer -Date: Sun Nov 5 16:03:36 2023 -0500 - - exclude qfile-unpacker from permission hardener - -commit 52b6e92e002987952c908eeb05a293dd401ee9be -Author: Patrick Schleizer -Date: Sun Nov 5 15:58:21 2023 -0500 - - bumped changelog version - -commit 1900c1ab07e4d55577815b942b34457596a1d703 -Author: Patrick Schleizer -Date: Sun Nov 5 15:57:49 2023 -0500 - - pam exclude from permission-hardener - -commit 76e3a3c5f9fa5e95b90e4ea3f3ba7019615a3d1a -Author: Patrick Schleizer -Date: Sun Nov 5 15:29:38 2023 -0500 - - bumped changelog version - -commit d4494fd3c341796081dd8c114c8cc97e627c236c -Author: Patrick Schleizer -Date: Sun Nov 5 15:27:09 2023 -0500 - - disable remount-secure dracut modules - - pending new systemd based implementation - - https://github.com/Kicksecure/security-misc/pull/152 - -commit 949c1633701ac168e908794d4dd74c5a9b09a437 -Author: Patrick Schleizer -Date: Sun Nov 5 15:14:43 2023 -0500 - - bumped changelog version - -commit 4a19fbae0be2ab99c1f21826eca2ec3cef605a0e -Author: Patrick Schleizer -Date: Sun Nov 5 15:13:01 2023 -0500 - - move permission-hardening to /usr/bin to make it more easily accessible - -commit c75f80b29f2fee3f2ead579390b8d3a8ff86b9d2 -Author: Patrick Schleizer -Date: Sun Nov 5 15:09:29 2023 -0500 - - lower verbosity of permission hardener - - fixes https://github.com/Kicksecure/security-misc/issues/158 - -commit 0544657123100b333211a91ef32054dc7e14c7db -Author: Patrick Schleizer -Date: Sun Nov 5 14:56:06 2023 -0500 - - bumped changelog version - -commit 42be6310237bdb663f38982b221327a337251e0a -Author: Patrick Schleizer -Date: Sun Nov 5 14:54:05 2023 -0500 - - readme - -commit 55ba5d48321ec4224bcbf03cf2bf51226cf34e50 -Author: Patrick Schleizer -Date: Sun Nov 5 14:51:31 2023 -0500 - - renamed: usr/lib/NetworkManager/conf.d/99_ipv6-privacy.conf -> usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf - renamed: usr/lib/NetworkManager/conf.d/99_randomize-mac.conf -> usr/lib/NetworkManager/conf.d/80_randomize-mac.conf - renamed: usr/lib/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf -> usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf - -commit eab5d7d4ec58baaf7eedc777e250ad9f00e4b71b -Author: Patrick Schleizer -Date: Sun Nov 5 14:50:13 2023 -0500 - - cleanup - -commit 811d1cd0dd0dcb9021d2f72638dd6c12b734964c -Merge: 9343795 5a75bcf -Author: Patrick Schleizer -Date: Sun Nov 5 14:49:43 2023 -0500 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 5a75bcfb19ac6c555a52cb1600e4efd13a8cfc06 -Merge: 9343795 229032d -Author: Patrick Schleizer -Date: Sun Nov 5 14:49:00 2023 -0500 - - Merge pull request #145 from monsieuremre/wifi-and-bluetooth - - Wifi and Bluetooth Patch | Security and Privacy - -commit 93437952b4f64866dfe6067d8caf19415112418d -Author: Patrick Schleizer -Date: Sun Nov 5 14:41:01 2023 -0500 - - readme - -commit f32b5438872ad0b9e10cb7b0519f1f18fce1913e -Merge: 56b90ee 4946f85 -Author: Patrick Schleizer -Date: Sun Nov 5 14:38:20 2023 -0500 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 4946f85d43083c64bc3f8f02e26b08f79b622bfe -Merge: 817ca11 1abac79 -Author: Patrick Schleizer -Date: Sun Nov 5 14:37:47 2023 -0500 - - Merge pull request #146 from monsieuremre/thunderbird - - Thunderbird Hardening - -commit 56b90eecbfb21e546d52d1f41ce9361f2843cd71 -Merge: 3178677 817ca11 -Author: Patrick Schleizer -Date: Sun Nov 5 14:35:23 2023 -0500 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 817ca116f693893e6dcb69254ee91815d200b8a1 -Merge: d9b5d77 fbd9e5d -Author: Patrick Schleizer -Date: Sun Nov 5 14:34:13 2023 -0500 - - Merge pull request #153 from monsieuremre/readme - - Updated Readme - -commit 317867758478619fe1df4ebdb5e22240c40104c0 -Merge: dcead44 d9b5d77 -Author: Patrick Schleizer -Date: Sun Nov 5 14:32:21 2023 -0500 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit d9b5d770cfd5f7747f1d606f3136a93034928f30 -Merge: dcead44 ac224b2 -Author: Patrick Schleizer -Date: Sun Nov 5 14:31:26 2023 -0500 - - Merge pull request #150 from monsieuremre/sysreq - - Disable SysRq by default - -commit dcead44cc6d4272b0966562046f9dab1792845b6 -Author: Patrick Schleizer -Date: Sun Nov 5 11:32:46 2023 -0500 - - output - -commit f6bf69b41fa3e1168c2c49884197770e1a78b888 -Author: Patrick Schleizer -Date: Sun Nov 5 11:31:09 2023 -0500 - - update link - -commit 2e64d89b042227fe5f38bb6d6a859deb4c5183b7 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Sat Nov 4 21:18:45 2023 +0000 - - undo unnecessary manual activation - -commit 19eceaa8108879ee5477b157fb2175993c487959 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Sat Nov 4 20:56:46 2023 +0000 - - more fix - -commit a187d23c4187fd08611e5cba85d09666dfd9f735 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Sat Nov 4 20:56:08 2023 +0000 - - big fix - -commit fbd9e5d017c4b00d838e9f225c7748c4b362f023 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Sat Nov 4 14:33:35 2023 +0000 - - README.md - -commit 97054b2b1076d6d428996967304b29620923eff4 -Author: Patrick Schleizer -Date: Fri Nov 3 15:55:17 2023 -0400 - - revert enabling kernel module signature enforcement - - due to issues - - https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/63 - - https://github.com/dell/dkms/issues/359 - -commit 978e3e4abd8f55a877dfe0d6e39b45ee9f58ba6d -Author: Patrick Schleizer -Date: Fri Nov 3 14:53:40 2023 -0400 - - readme - -commit 0242c04dc26638dc1250e3f681b46d15459cf8aa -Author: Patrick Schleizer -Date: Fri Nov 3 14:51:14 2023 -0400 - - port to DKMS drop-in folder - - undisplace /etc/dkms/framework.conf.security-misc - moved to /etc/dkms/framework.conf.d/30_security-misc.conf - -commit d1b5a3ffd525ec92554ffc9c666f8007c8522aac -Author: Patrick Schleizer -Date: Fri Nov 3 12:55:34 2023 -0400 - - /usr/sbin/pam-tmpdir-helper exactwhitelist - - https://github.com/Kicksecure/security-misc/pull/147 - -commit 48adb44c6fd157673cdf7fab3b86ecf7c6b31966 -Author: Patrick Schleizer -Date: Fri Nov 3 12:17:24 2023 -0400 - - bumped changelog version - -commit b6d53f698d0ad21a31da6bf74a44577a0c8869fc -Author: Patrick Schleizer -Date: Fri Nov 3 12:17:00 2023 -0400 - - Revert "allow loading unsigned modules due to issues" - - This reverts commit 661bcd8603425934188cf139f33e20675ff4b765. - -commit 04b210ee88589ef9e6e214d3a5a614780244abc9 -Author: Patrick Schleizer -Date: Fri Nov 3 12:10:48 2023 -0400 - - bumped changelog version - -commit 5e73f78ed9282bf0895b01d44d9c261ea0050cce -Merge: ceffd2b 8e66a41 -Author: Patrick Schleizer -Date: Fri Nov 3 12:10:33 2023 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 8e66a4177868ee7b51dafdb06062b0cb7cbc7415 -Merge: ceffd2b 7dc99d5 -Author: Patrick Schleizer -Date: Fri Nov 3 12:10:00 2023 -0400 - - Merge pull request #147 from monsieuremre/PAM-tmp-files-hardening - - Depend on libpam-tmpdir for very solid extra security - -commit 7dc99d54c0358842745ee48c7cc24f589fd63d14 -Author: Patrick Schleizer -Date: Fri Nov 3 12:09:39 2023 -0400 - - fix - -commit 2a602e78d6ca0f87f11de9a30ae2114468243075 -Merge: 3ee4be6 ceffd2b -Author: Patrick Schleizer -Date: Fri Nov 3 12:08:50 2023 -0400 - - Merge branch 'master' into PAM-tmp-files-hardening - -commit ceffd2b3ee453122e66f594ec31dde6ec3bb7187 -Author: Patrick Schleizer -Date: Fri Nov 3 12:06:43 2023 -0400 - - bumped changelog version - -commit cdd66ee3762c441843d421a9e6b11a20580ed7ac -Author: Patrick Schleizer -Date: Fri Nov 3 10:48:46 2023 -0400 - - wrap-and-sort - -commit c33a3d9aadcc4c0ff90f330239eff4b7c905a022 -Author: Patrick Schleizer -Date: Fri Nov 3 10:44:48 2023 -0400 - - readme - -commit d71ac03d96c9861513ff56c68aec9090ef5c50bb -Author: Patrick Schleizer -Date: Fri Nov 3 10:36:15 2023 -0400 - - comment - -commit 8326aecdb460fffa450bbf3ec0b051010f87ee2a -Author: Patrick Schleizer -Date: Fri Nov 3 10:33:02 2023 -0400 - - bumped changelog version - -commit b85d48eb83005da8fd9edc658c71493f407e3670 -Author: Patrick Schleizer -Date: Fri Nov 3 10:31:59 2023 -0400 - - do not change default umask for root - - since this causes permission issues in `/etc/` - - https://github.com/Kicksecure/security-misc/pull/151 - -commit 07540db90d60b10cbd10881b0024d8e8871330de -Author: Patrick Schleizer -Date: Fri Nov 3 09:45:12 2023 -0400 - - Revert "Revert "set default umask to 027"" - - This reverts commit f8913ceb2e2fdd274011377c41b5d08e7459e4af. - -commit f8913ceb2e2fdd274011377c41b5d08e7459e4af -Author: Patrick Schleizer -Date: Fri Nov 3 09:43:44 2023 -0400 - - Revert "set default umask to 027" - - This reverts commit cd216095eb8d9387437e653d7764ec765ce42a10. - -commit 43bd789c30a562aa60349d019107277a428aece8 -Author: Patrick Schleizer -Date: Fri Nov 3 09:28:08 2023 -0400 - - bumped changelog version - -commit cd216095eb8d9387437e653d7764ec765ce42a10 -Author: Patrick Schleizer -Date: Fri Nov 3 09:12:24 2023 -0400 - - set default umask to 027 - - using package libpam-umask - - https://www.debian.org/doc/manuals/securing-debian-manual/ch04s11.en.html#id-1.5.14.19 - - https://github.com/Kicksecure/security-misc/pull/151 - -commit ac224b270a3a0945d187202f8cca89af0e71a166 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Thu Nov 2 13:01:55 2023 +0000 - - disable sysrq - -commit 07882f61a8003026a9e4c135a6e18a8fd204060f -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Thu Nov 2 10:44:19 2023 +0000 - - enable service on install - - not sure if this would be the right way to do it - -commit 9f063584c1f96267b04f8f7fe0eee773f9345370 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Thu Nov 2 10:28:41 2023 +0000 - - disable-kernel-module-loading - -commit 3e604618a8ba2531553af4f9af00470bd9629615 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Thu Nov 2 10:24:35 2023 +0000 - - harden-module-loading.service - -commit 3ee4be652b28201ba208757ce5144e51c453ad70 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Thu Nov 2 09:36:58 2023 +0000 - - depend on libpam-tmpdir - -commit 1abac794b564d178df37a385cf0d25bac5842c3c -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Thu Nov 2 09:15:20 2023 +0000 - - very secure and private defaults - -commit 5a583ca48ce608fee4fe55c1d6948505e83a98d8 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Thu Nov 2 08:30:26 2023 +0000 - - typo in file name - -commit 229032d691c614a926cf3cf96b44752364e4e087 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Wed Nov 1 17:54:05 2023 +0000 - - Rename etc/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf to usr/lib/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf - -commit 1049298e7bfa4ca0e8f02b4086f8aa086d51c725 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Wed Nov 1 17:52:40 2023 +0000 - - Update and rename etc/NetworkManager/conf.d/99_randomize-mac.conf to usr/lib/NetworkManager/conf.d/99_randomize-mac.conf - -commit 76e684cc0ac0544219d200eeefae1356864fe702 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Wed Nov 1 17:51:27 2023 +0000 - - Update and rename etc/NetworkManager/conf.d/99_ipv6-privacy.conf to usr/lib/NetworkManager/conf.d/99_ipv6-privacy.conf - -commit a768f1f1ebfc29b0c0105f2965a4290f8dfd8e63 -Author: Patrick Schleizer -Date: Wed Nov 1 12:26:21 2023 -0400 - - bumped changelog version - -commit bb14a058520b13e242fea9f3022c439c4677bd1d -Merge: 5ed2a5c 44906e8 -Author: Patrick Schleizer -Date: Wed Nov 1 11:11:54 2023 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 44906e8f398aae6e9565b131b82124e738e2d0d1 -Merge: 5ed2a5c f2c23a2 -Author: Patrick Schleizer -Date: Wed Nov 1 11:11:27 2023 -0400 - - Merge pull request #142 from monsieuremre/patch-5 - - ssh config - -commit 5ed2a5ce4a24a1a9c3e722a30aa9c6af1dc5d78a -Author: Patrick Schleizer -Date: Wed Nov 1 11:10:36 2023 -0400 - - bumped changelog version - -commit bb1161986b6d108c4fc5a16a48cdac55f98ab35d -Merge: 7d57684 b7cddd6 -Author: Patrick Schleizer -Date: Wed Nov 1 10:31:04 2023 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit b7cddd6e552cb5f5139de91ef2aeae6fde691136 -Merge: 7d57684 c975c3c -Author: Patrick Schleizer -Date: Wed Nov 1 10:30:26 2023 -0400 - - Merge pull request #143 from monsieuremre/patch-6 - - new lines 990-security-misc.conf - -commit fc8e201e84e4c777c087fd113c539ca368fd3a31 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Fri Oct 27 14:49:24 2023 +0000 - - rename - -commit 90a88225a4fde2f09cc14b24f8467bb1ded90c9d -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Fri Oct 27 14:38:31 2023 +0000 - - security-misc.maintscript - -commit 13b4ddbb627d2279b41d1dcbe5c8ce1ac384b088 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Fri Oct 27 14:34:21 2023 +0000 - - 30_security-misc.conf - -commit b298d152fc10c66892698d9dcae769a44a32037b -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Fri Oct 27 14:32:08 2023 +0000 - - 30_security-misc.conf - -commit 3d4b04fddc16067ed345074683281e74f41eeadf -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Fri Oct 27 12:35:39 2023 +0000 - - 99_ipv6-privacy.conf - -commit e90f62eaabfeee7483af573ef8e9d015ba1977dc -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Fri Oct 27 12:34:15 2023 +0000 - - 99_randomize_mac.conf - -commit 604d839537c409604ed2c4c88992ea1a31368f6f -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Fri Oct 27 12:30:26 2023 +0000 - - 99_ipv6-privacy-extensions.conf - -commit c975c3c0ff7cc5a1e29b651c2db6c27e3f952870 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Fri Oct 27 11:07:53 2023 +0000 - - new lines 990-security-misc.conf - - added new recommended hardening settings with comments - -commit f2c23a28319e359c642da2dde424456a1064763f -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Fri Oct 27 10:53:45 2023 +0000 - - ssh config - -commit 7d576842fb6f3c124db2b6deb5abfc095974a67f -Author: Patrick Schleizer -Date: Thu Oct 26 20:08:41 2023 -0400 - - bumped changelog version - -commit 7cff267002485fd0abca98d12b0024e061f4ba51 -Author: Patrick Schleizer -Date: Thu Oct 26 19:31:14 2023 -0400 - - remove duplicates - -commit 928cdb81d43dfd337c82917182d2914d9c9d0915 -Merge: a330a9f 39fed05 -Author: Patrick Schleizer -Date: Thu Oct 26 19:29:55 2023 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 39fed058f4734029b303fac4ea9a1b11f652fab4 -Merge: 92a6ecc 99355c6 -Author: Patrick Schleizer -Date: Thu Oct 26 19:27:41 2023 -0400 - - Merge pull request #140 from monsieuremre/patch-3 - - New lines in default permission config - -commit a330a9fd75314931639e7e873adc31c5cc65d555 -Author: Patrick Schleizer -Date: Thu Oct 26 19:20:21 2023 -0400 - - refactor permission-lockdown - -commit 8bf5ff82be706599f33228ecd6df42be0dc29f39 -Merge: 1123d23 92a6ecc -Author: Patrick Schleizer -Date: Thu Oct 26 19:15:04 2023 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 92a6ecc40a4d3bd4d8f3cec7dd9b1334c72399dc -Merge: ca9603a 91c4452 -Author: Patrick Schleizer -Date: Thu Oct 26 19:13:34 2023 -0400 - - Merge pull request #141 from monsieuremre/patch-4 - - New permission-lockdown - -commit 1123d23114201988ac3f5f50ab6e74a5307d3d52 -Author: Patrick Schleizer -Date: Thu Oct 26 18:45:07 2023 -0400 - - remount-secure: disable debugging to save space in initrd - -commit 91c445244c47c163e2466f8c4dff710eda20c337 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Thu Oct 26 19:41:07 2023 +0000 - - actually we do it once indeed - -commit 88f396264ca9d072e4e5de4e1acaee54f3b39749 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Thu Oct 26 19:35:59 2023 +0000 - - avoiding /etc/passwd - -commit b5ba03247a5b5bb1f4e010130e4a575ad1397117 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Thu Oct 26 19:31:25 2023 +0000 - - readability - -commit f487752ba1b469eb0b2f85657e2ee0860f58496b -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Thu Oct 26 19:30:58 2023 +0000 - - not limiting ourselves. we do not do this not just once. - -commit 88cd5a905d8aa0f6033ac4ba72903fbad4a90b4b -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Thu Oct 26 19:25:24 2023 +0000 - - strip unnecessary - -commit d9f10c221a2b6794f0a3c5bcd1c15e2a4f352751 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Thu Oct 26 18:17:50 2023 +0000 - - new permission-lockdown - -commit 99355c616974d167e3a5424d63cd56b1f64f0eaf -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Thu Oct 26 17:45:28 2023 +0000 - - new lines 30_default.conf - -commit ca9603af1713ff37392662c9d1b4251052e7b983 -Author: Patrick Schleizer -Date: Thu Oct 26 12:23:48 2023 -0400 - - bumped changelog version - -commit 5f4222c1c3d7fa057b31bba7b0b5c2e83c92a7be -Author: Patrick Schleizer -Date: Thu Oct 26 12:20:48 2023 -0400 - - enable SUID Disabler and Permission Hardener by default - - https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener - - https://forums.whonix.org/t/suid-disabler-and-permission-hardener/7706 - -commit e5d989af5ac2899985c48d60311856fb86e0ddeb -Author: Patrick Schleizer -Date: Thu Oct 26 12:04:13 2023 -0400 - - comment - -commit 8557e0963ed6159f7f6c816ad4e009cc7323a760 -Author: Patrick Schleizer -Date: Wed Oct 25 17:55:37 2023 -0400 - - bumped changelog version - -commit b7e2d49f5f3f49fab2e1c0647f10bda1921e0a80 -Author: Patrick Schleizer -Date: Wed Oct 25 17:41:05 2023 -0400 - - comment - -commit 5d71217e597aa3366658524ec5395c9f76dd527b -Merge: 6a22351 a2f811a -Author: Patrick Schleizer -Date: Wed Oct 25 17:40:13 2023 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 6a22351d298e475ecae22bb99249a308b294ff9a -Author: Patrick Schleizer -Date: Wed Oct 25 17:30:07 2023 -0400 - - renamed: usr/lib/sysctl.d/30_security-misc.conf -> usr/lib/sysctl.d/990-security-misc.conf - -commit b7c52800f4c16b1573e372089704a68fd47c5906 -Author: Patrick Schleizer -Date: Wed Oct 25 17:28:43 2023 -0400 - - renamed: etc/sysctl.d/30_security-misc.conf -> usr/lib/sysctl.d/30_security-misc.conf - renamed: etc/sysctl.d/30_security-misc_kexec-disable.conf -> usr/lib/sysctl.d/30_security-misc_kexec-disable.conf - renamed: etc/sysctl.d/30_silent-kernel-printk.conf -> usr/lib/sysctl.d/30_silent-kernel-printk.conf - -commit a2f811aff0cb4e73c3975093012c223127495707 -Merge: 3317332 ee6716e -Author: Patrick Schleizer -Date: Wed Oct 25 17:26:46 2023 -0400 - - Merge pull request #135 from monsieuremre/kernel-fix - - Kernel hardening fix - -commit ee6716e178806912da08b671ae31504ed2f3ac56 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Tue Oct 24 20:43:10 2023 +0000 - - security-misc.maintscript - -commit 3317332cb431115f81d832ba974181c74427c884 -Author: Patrick Schleizer -Date: Tue Oct 24 05:51:11 2023 -0400 - - bumped changelog version - -commit 42c802cd1eca3d2586abde871e4842cdf83490c4 -Merge: f3b40f1 5320c11 -Author: Patrick Schleizer -Date: Tue Oct 24 05:30:15 2023 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 5320c11f3f92b66b7dcab7ca1f67fcba2de5deba -Merge: f3b40f1 f0857fd -Author: Patrick Schleizer -Date: Tue Oct 24 05:22:33 2023 -0400 - - Merge pull request #134 from monsieuremre/patch-1 - - Fix double mount issue for /var/log and /var/tmp - -commit 1f489719efb37492b9c040ba4e332e8dd70fde1f -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Mon Oct 23 16:38:58 2023 +0000 - - rename - -commit 9dda6f69a7df792966005f9c6feb057483cd9ea4 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Mon Oct 23 16:38:40 2023 +0000 - - more rename - -commit 89381fe7abcc2f4418b95c3eb290c975bf6d612c -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Mon Oct 23 16:38:23 2023 +0000 - - rename - -commit f0857fd5608525115bd8a96c2f75368263f6f830 -Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> -Date: Mon Oct 23 15:33:05 2023 +0000 - - Fix double mount issue for /var/log and /var/tmp - - Mounting var with bind and mounting a subdirectory causes /var/tmp and /var/log bind mounted twice each. can be checked with lsblk. When we bind mount var only after having mounted the subdirectories, everything is mounted only one. - -commit f3b40f12cb4bad0f2f00d4ba2dec59fb315c0798 -Author: Patrick Schleizer -Date: Sun Oct 22 19:23:22 2023 -0400 - - bumped changelog version - -commit d2e8a6dad3b94d574cb9c043303160b06893ab97 -Author: Patrick Schleizer -Date: Sun Oct 22 19:21:51 2023 -0400 - - debugging - -commit e7aafd64d4418d43426b310653861f9024a54255 -Author: Patrick Schleizer -Date: Sun Oct 22 19:16:12 2023 -0400 - - refactoring - -commit ee15f749bb4e68350498e52e8505bed43c98cbaf -Author: Patrick Schleizer -Date: Sun Oct 22 16:54:58 2023 -0400 - - bumped changelog version - -commit d521662d04892fb6d5477fa4450fb5488892a87a -Author: Patrick Schleizer -Date: Sun Oct 22 16:49:36 2023 -0400 - - comment - -commit 0e80acf38d430784fbb779f4f10c81bfe8a3813f -Author: Patrick Schleizer -Date: Sun Oct 22 16:45:10 2023 -0400 - - fix - -commit a1c3b87fcee07496af4b42e387b46488b58b73a0 -Author: Patrick Schleizer -Date: Sun Oct 22 16:29:08 2023 -0400 - - bumped changelog version - -commit f6d1346e2bde51cd70bc60246c0bfba923c00c3d -Author: Patrick Schleizer -Date: Sun Oct 22 16:22:08 2023 -0400 - - fix - -commit 9a649ddd091b116c9091f3fa582d411b5186375a -Author: Patrick Schleizer -Date: Sun Oct 22 16:16:40 2023 -0400 - - bumped changelog version - -commit 11382881b56556741fad5f0291ccb57a24e9c617 -Author: Patrick Schleizer -Date: Sun Oct 22 16:12:26 2023 -0400 - - comments - -commit 5182d7502b34a95fd751c69c4bc3f01d5f5e02b9 -Author: Patrick Schleizer -Date: Sun Oct 22 16:08:21 2023 -0400 - - improve remount-secure - -commit 555d83792df9aa599ae9e0e7c41af49b0601c1c1 -Author: Patrick Schleizer -Date: Sun Oct 22 15:44:47 2023 -0400 - - bumped changelog version - -commit a88c0a3ad2d83fe72612faf97866e255c5527384 -Author: Patrick Schleizer -Date: Sun Oct 22 15:44:30 2023 -0400 - - fix - -commit 316282952f7d2470c89f268beea01b8bac9bb4bb -Author: Patrick Schleizer -Date: Sun Oct 22 15:40:59 2023 -0400 - - bumped changelog version - -commit a7629b98cf4e7f86bab07c2b75fa712adcd63ee5 -Author: Patrick Schleizer -Date: Sun Oct 22 15:40:49 2023 -0400 - - fix - -commit 7112eac3be014938f757e0c0def74bb04dc72d2f -Author: Patrick Schleizer -Date: Sun Oct 22 15:37:21 2023 -0400 - - output - -commit f80b5fe3767502f6890bdfb7bc32a602c94828d6 -Author: Patrick Schleizer -Date: Sun Oct 22 15:36:16 2023 -0400 - - fix - -commit ce0babce215dc4ec08101cff5e0d25ad6ec87e70 -Author: Patrick Schleizer -Date: Sun Oct 22 15:35:03 2023 -0400 - - comment - -commit fa0804b7ae46ecfc1e9e82ca83342c9d456aa9c3 -Author: Patrick Schleizer -Date: Sun Oct 22 15:33:21 2023 -0400 - - bumped changelog version - -commit 70cbe4daaa5cd857c49f2f9b9241f24e2867ab5a -Author: Patrick Schleizer -Date: Sun Oct 22 15:33:11 2023 -0400 - - fix - -commit 36f2acb93f65958b27bae030f1d2bd66a278e073 -Author: Patrick Schleizer -Date: Sun Oct 22 15:28:04 2023 -0400 - - bumped changelog version - -commit 9b9e9ce1c0feb4ca854189754c47ca826eef1c32 -Author: Patrick Schleizer -Date: Sun Oct 22 15:27:01 2023 -0400 - - fix - -commit 3731716a497c233127bff3febbe22d5cf088aad8 -Author: Patrick Schleizer -Date: Sun Oct 22 15:14:22 2023 -0400 - - fix - -commit eec87a0508a6242430a1f0b8ad341f4c3ea43059 -Author: Patrick Schleizer -Date: Sun Oct 22 15:11:26 2023 -0400 - - fix - -commit f3286cf440992661ba85b5c7e41b92ffaca62cf3 -Author: Patrick Schleizer -Date: Sun Oct 22 15:10:21 2023 -0400 - - fix - -commit eb90d38d8ca6d6292dbb8013bb9bca8ec26f4792 -Author: Patrick Schleizer -Date: Sun Oct 22 15:05:33 2023 -0400 - - fix - -commit f44020973897d98fdc21ced748ad64106979829e -Author: Patrick Schleizer -Date: Sun Oct 22 14:46:42 2023 -0400 - - bumped changelog version - -commit 7f03c2b13742e583e426c91ff4e111b6c0e7da43 -Author: Patrick Schleizer -Date: Sun Oct 22 14:45:45 2023 -0400 - - fix - -commit c85db586cadbe781704e62405a76e43650046d2c -Author: Patrick Schleizer -Date: Sun Oct 22 14:44:58 2023 -0400 - - improve - -commit 7c0ea4324aa1713f365f7352a3e4db1b703d9750 -Author: Patrick Schleizer -Date: Sun Oct 22 14:39:52 2023 -0400 - - fix - -commit b29b626b41545fd49b67631820ae40d0fe000f22 -Author: Patrick Schleizer -Date: Sun Oct 22 14:30:28 2023 -0400 - - bumped changelog version - -commit 6198ae317c4d8cbd06d95d5e2a585892f455cab6 -Author: Patrick Schleizer -Date: Sun Oct 22 14:29:02 2023 -0400 - - fix - -commit 245fad09868c2d84bee66d65ecca32704786919b -Author: Patrick Schleizer -Date: Sun Oct 22 14:00:06 2023 -0400 - - fix - -commit 619f1705e13232680f38bc630f19f2ace32f48ad -Author: Patrick Schleizer -Date: Sun Oct 22 13:58:55 2023 -0400 - - output - -commit 52fa7db0874be85a3db296499ab76f84a5f518db -Author: Patrick Schleizer -Date: Sun Oct 22 13:57:38 2023 -0400 - - output - -commit 8a592c2e371de1136d566e707ba56ce89309230a -Author: Patrick Schleizer -Date: Sun Oct 22 13:56:17 2023 -0400 - - fix remountsecure kernel parameter logic - -commit 3c183294cd8a402418eafc1e657c6524be49c487 -Author: Patrick Schleizer -Date: Sun Oct 22 13:31:55 2023 -0400 - - bumped changelog version - -commit e689f38ad0ba9727d482dbab25ea5d88e67a8edf -Author: Patrick Schleizer -Date: Sun Oct 22 13:31:44 2023 -0400 - - todo - -commit 6675a2e93194ea15daeb22bee707cf49563f69fe -Author: Patrick Schleizer -Date: Sun Oct 22 13:30:50 2023 -0400 - - fix - -commit 4288e10554f854d6dd9be092ddbf6a62686b1549 -Author: Patrick Schleizer -Date: Sun Oct 22 13:25:31 2023 -0400 - - fix, rework remount-secure kernel parameters parsing - -commit b0181af099a2bc20a6d8cc20e6e27371ecc50bf1 -Author: Patrick Schleizer -Date: Sun Oct 22 13:12:25 2023 -0400 - - fix - -commit 28cb53341d48ece9e042caea03e7159b0f93c2ee -Author: Patrick Schleizer -Date: Sun Oct 22 13:11:44 2023 -0400 - - remount-secure dracut module: improve output - -commit f70f36e6cfead0038075d715e430e15aedae459f -Author: Patrick Schleizer -Date: Sun Oct 22 12:55:41 2023 -0400 - - bumped changelog version - -commit 479ab61a1d0c91d26c2cd200d97b39b2b786e073 -Author: Patrick Schleizer -Date: Sun Oct 22 12:55:20 2023 -0400 - - remove no longer required remount-service systemd unit - -commit 84ca0ac8a0b6a72a28e030081299b402749b9348 -Author: Patrick Schleizer -Date: Sun Oct 22 12:54:25 2023 -0400 - - improve remount-secure - -commit 1696c37251fe6158118ac3a694c2e11439de5c46 -Author: Patrick Schleizer -Date: Sun Oct 22 11:28:18 2023 -0400 - - bumped changelog version - -commit e7d30955e88b0a052e9159c11f4c1e1a47dadb49 -Author: Patrick Schleizer -Date: Sun Oct 22 11:28:08 2023 -0400 - - debugging - -commit 975a017dec26f671b7869ba4ad94b3a4d2faf999 -Author: Patrick Schleizer -Date: Sun Oct 22 11:13:05 2023 -0400 - - bumped changelog version - -commit 8eb4607a0e8c3db10f64e4ed5a02e87fd3ee8903 -Author: Patrick Schleizer -Date: Sun Oct 22 11:12:54 2023 -0400 - - improve - -commit f1da0ce7461fab2eeb421daa886ddd9856c9fd52 -Author: Patrick Schleizer -Date: Sun Oct 22 11:11:10 2023 -0400 - - fix - -commit 26826e8398c4d3feed07e8e3e095a87bbde9907a -Author: Patrick Schleizer -Date: Sun Oct 22 11:06:34 2023 -0400 - - fix - -commit a423b85f81e0c066271ad7db78902ccddbeabb5a -Author: Patrick Schleizer -Date: Sun Oct 22 10:50:30 2023 -0400 - - bumped changelog version - -commit 233fa4625bb60ef65c707d28e7c8a51ef5a1d66e -Author: Patrick Schleizer -Date: Sun Oct 22 10:49:53 2023 -0400 - - output - -commit 3ebe8cf4de5c77f26f93ac40bdc596c0c38451f5 -Author: Patrick Schleizer -Date: Sun Oct 22 10:41:42 2023 -0400 - - refactoring - -commit 24d2e26397e8f1e8e350fb60206ab1c5b597cbe6 -Author: Patrick Schleizer -Date: Sun Oct 22 10:40:19 2023 -0400 - - no longer reproducible - -commit fcba70df2e4e6c71fd29852d6f0b20f80e2e2d5e -Author: Patrick Schleizer -Date: Sun Oct 22 10:38:48 2023 -0400 - - refactoring - -commit a05bd3dd0e7319807fa7ea523407ec82ce8aa39c -Author: Patrick Schleizer -Date: Sun Oct 22 10:37:02 2023 -0400 - - /home last because most likely to fail - -commit 41077c94fbc1a0c90ee870292fe82e16a70b52f1 -Author: Patrick Schleizer -Date: Sun Oct 22 10:32:24 2023 -0400 - - improve remount-secure - -commit ef69e512bd2e2eba0e292470bfef6336216e2605 -Author: Patrick Schleizer -Date: Sun Oct 22 10:25:57 2023 -0400 - - refactoring - -commit d5cb7ecec9d10069e2e37a2f88680dff6d3f6eb6 -Author: Patrick Schleizer -Date: Sun Oct 22 10:22:21 2023 -0400 - - use findmnt - -commit 1120d0652ddead556801958973d61502b75f9fc7 -Author: Patrick Schleizer -Date: Sun Oct 22 10:16:53 2023 -0400 - - bumped changelog version - -commit 45ce0ff74d8f42d6a424e0742989008403891f8a -Author: Patrick Schleizer -Date: Sun Oct 22 10:16:43 2023 -0400 - - debugging - -commit b81a991731e912fa0f7d4ca59b0531bafb02a25a -Author: Patrick Schleizer -Date: Sun Oct 22 10:15:11 2023 -0400 - - fix - -commit 292a5c3a8a37bc9dd807913bd76826e57e978b67 -Author: Patrick Schleizer -Date: Sun Oct 22 10:11:31 2023 -0400 - - fix - -commit bb57b1a289cc64cc5b2ab5518c151df5355a9f29 -Author: Patrick Schleizer -Date: Sun Oct 22 10:10:51 2023 -0400 - - fix - -commit 4f6f45fb3902f6c49d01b5ccb33a4e24804cd02a -Author: Patrick Schleizer -Date: Sun Oct 22 10:01:54 2023 -0400 - - bumped changelog version - -commit 181a6424796b1cafc87a8d74aad197135381a389 -Author: Patrick Schleizer -Date: Sun Oct 22 10:01:38 2023 -0400 - - root check - -commit 84fd41931ce3ba4d6e3785dc8052ee14ce62b80e -Author: Patrick Schleizer -Date: Sun Oct 22 09:44:17 2023 -0400 - - /var/run -> /run - -commit 33d97a2560fe4aaab24f90057e825802541a408b -Author: Patrick Schleizer -Date: Sun Oct 22 09:39:54 2023 -0400 - - improve output of remount-secure dracut module - -commit c409e3221e179437ed0b162dde1e72cd116ba795 -Author: Patrick Schleizer -Date: Sun Oct 22 09:36:03 2023 -0400 - - implement remount-secure - -commit f472ce690ae350085d40cfd5ec46084dc559a51d -Author: Patrick Schleizer -Date: Sun Oct 22 08:57:35 2023 -0400 - - comments - -commit 90f2b5e11c341c38bb0b11db603ceeba28e14b1c -Author: Patrick Schleizer -Date: Sun Oct 22 08:51:37 2023 -0400 - - code simplification - -commit 167683ce763e97838e62950f00313b63d7c968b0 -Author: Patrick Schleizer -Date: Sun Oct 22 08:50:57 2023 -0400 - - code simplification - -commit 05e9accf64a3a6bfa24aac7aaa62620f814b05d1 -Author: Patrick Schleizer -Date: Sun Oct 22 08:12:30 2023 -0400 - - bumped changelog version - -commit e065f85c8809d04a9a4c041dd8b9b81bacd04e24 -Author: Patrick Schleizer -Date: Sun Oct 22 08:10:48 2023 -0400 - - add remount-secure dracut module - -commit f0ee470ecd0fc37125165dd6a5cefb47339b14b4 -Author: Patrick Schleizer -Date: Sun Oct 22 07:51:05 2023 -0400 - - comment - -commit e257f2a3806ba7013e8e47005fde1385044bc8d9 -Author: Patrick Schleizer -Date: Sun Oct 22 07:50:14 2023 -0400 - - remount-secure: - no longer use /usr/libexec/helper-scripts/pre.bsh as not simple with dracut - -commit 27b3ba8bdf2556066a4be02cd1be9a4451a591b2 -Author: Patrick Schleizer -Date: Sun Oct 22 07:06:00 2023 -0400 - - bumped changelog version - -commit ed11c68ac64c1ec4eaa590dbb56734d450c89b04 -Author: Patrick Schleizer -Date: Sun Oct 22 06:51:52 2023 -0400 - - move remount-secure to /usr/bin/remount-secure to make it easier to manually run - -commit 6f4bf57ff2bc878f03a50d91a5db0afaf897d70e -Author: Patrick Schleizer -Date: Sun Oct 22 06:48:56 2023 -0400 - - `remount-secure`: add support for `--force`; output - -commit 6dec5cb1d6b841bc6ea92986d6567902109f5ed0 -Author: Patrick Schleizer -Date: Sun Oct 22 06:32:19 2023 -0400 - - debugging - -commit bc768aa196a08218aac0b6ef1c4ca013f2034122 -Author: Patrick Schleizer -Date: Sun Oct 22 06:31:57 2023 -0400 - - output - -commit c069c73109b45fbb8fa230ad4f90f4252db730f2 -Author: Patrick Schleizer -Date: Sun Oct 22 06:29:38 2023 -0400 - - refactoring - -commit abc35927345e14bbe4b9f13d205a648ce7a8bd8d -Author: Patrick Schleizer -Date: Sun Oct 22 06:23:48 2023 -0400 - - remount-secure: stricter error handling - -commit 59a5fea25d0b0c39a6e7b3b11f9242ebe5eaa462 -Author: Patrick Schleizer -Date: Sun Oct 22 05:41:56 2023 -0400 - - documentation - -commit ac63b0eb3db3d168908459fecd6b3275cce015bc -Author: Patrick Schleizer -Date: Sun Oct 22 05:41:11 2023 -0400 - - remove duplicate - -commit ef3f1575733c668f652326cdb4f4fba8c71bf0ed -Author: Patrick Schleizer -Date: Sat Oct 21 14:19:24 2023 -0400 - - bumped changelog version - -commit ae2c1c5a7a02a5f3f6a8bcd4a90fdc9e3b512e62 -Author: Patrick Schleizer -Date: Sat Oct 21 14:18:50 2023 -0400 - - fix xession environment variable - -commit 43375fa1f4d32f04907edf1297fef737342b49ea -Author: Patrick Schleizer -Date: Sat Oct 21 12:34:59 2023 -0400 - - bumped changelog version - -commit d543825d85a5d84274c21cd85db6df777948606e -Author: Patrick Schleizer -Date: Sat Oct 21 12:24:59 2023 -0400 - - comments - -commit dd43ab634d9ab0a59234798e1b14ba99099c65c9 -Author: Patrick Schleizer -Date: Fri Oct 13 15:22:58 2023 -0400 - - bumped changelog version - -commit 645ee814e4f3dc330dd6fb24ec4fac0e278c4f42 -Author: Patrick Schleizer -Date: Fri Oct 13 15:22:48 2023 -0400 - - fix - -commit 13a4f37e50805a0e51b8f63808e166318e39a074 -Author: Patrick Schleizer -Date: Thu Oct 12 12:51:37 2023 -0400 - - bumped changelog version - -commit 2d4524108445829d7ac80e828e9a1442cf038a6b -Author: Patrick Schleizer -Date: Thu Oct 12 11:37:01 2023 -0400 - - avoid duplicate environment variables - -commit e96e6aa38e29888a64fa35f85becc1596118a812 -Author: Patrick Schleizer -Date: Thu Oct 12 10:43:40 2023 -0400 - - bumped changelog version - -commit fa820e897895eda93011a0f2bbd915ffffcb1459 -Author: Patrick Schleizer -Date: Thu Oct 12 10:40:27 2023 -0400 - - refactoring environment variables loading mechanism - -commit 358e4226f1b3db32e560e4bbe1c663828eac7059 -Author: Patrick Schleizer -Date: Mon Jul 17 11:48:35 2023 -0400 - - bumped changelog version - -commit 81ad786dfcdd416056c6ae8a9d02231bda6fcbde -Author: Patrick Schleizer -Date: Mon Jul 17 11:19:07 2023 -0400 - - Kicksecure - -commit ab56b7ca0cf1a2cb6bc19514750ca618f4ebb7fe -Author: Patrick Schleizer -Date: Mon Jul 17 11:10:05 2023 -0400 - - Kicksecure - -commit 29aaf13c13ec1023d33e84442db0f5afeaa4436d -Author: Patrick Schleizer -Date: Fri Jun 23 08:18:12 2023 +0000 - - bumped changelog version - -commit 8a6baea99017fd971ae4a5e89599b87bc945b276 -Author: Patrick Schleizer -Date: Thu Jun 22 16:16:15 2023 +0000 - - comment - -commit 609c8c0697ecf3414e38de9d32dc367a25172802 -Author: Patrick Schleizer -Date: Wed Jun 21 09:36:44 2023 +0000 - - bumped changelog version - -commit 94a326ec7ff8704be224e76b2f3f9c2a12cbd4a7 -Author: Patrick Schleizer -Date: Wed Jun 21 09:11:31 2023 +0000 - - bookworm - -commit b610cdcbcd85ee4c433a3df0662e225b52b592cd -Author: Patrick Schleizer -Date: Fri Jun 16 11:09:02 2023 +0000 - - bumped changelog version - -commit 0c56d3d9d2dd1b40b07226b70d3d1b9343757d1a -Author: Patrick Schleizer -Date: Fri Jun 16 10:49:05 2023 +0000 - - readme - -commit 63599a09d795d82b0f069f88d73fd607129af0ef -Author: Patrick Schleizer -Date: Wed Jun 14 09:59:20 2023 +0000 - - bumped changelog version - -commit 25760f70246dd07376465d9a4222098fd24b8516 -Author: Patrick Schleizer -Date: Tue Jun 13 08:34:41 2023 +0000 - - bookworm - -commit be990188f56f059585cf70589de03afb992b9ea2 -Author: Patrick Schleizer -Date: Mon Jun 12 18:01:55 2023 +0000 - - bumped changelog version - -commit 07b3ce0bcdb6ddb72c7064f527ff4d6250b54ad2 -Author: Patrick Schleizer -Date: Mon Jun 12 16:22:32 2023 +0000 - - Standards-Version: 4.6.1.0 - -commit 4e28ace103e11373d1b5cf5de8be6b1f94c567ce -Author: Patrick Schleizer -Date: Mon May 15 17:31:59 2023 +0000 - - bumped changelog version - -commit b11a336b4ff6c748d20aade6e98b25c251bd8c8e -Merge: c921d4e b0b73db -Author: Patrick Schleizer -Date: Mon May 15 16:58:11 2023 +0000 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit b0b73db3c84f8cc7594b6b181e0e495cd7e92571 -Merge: c921d4e cf003df -Author: Patrick Schleizer -Date: Mon May 15 12:57:46 2023 -0400 - - Merge pull request #126 from raja-grewal/Comment - - Update comments - -commit cf003dfad85434f5a52524fdd97a7f619ba82429 -Author: Raja Grewal -Date: Tue May 16 02:11:44 2023 +1000 - - Update comments - -commit c921d4e915af50dd1773016b0015be584e1e3f5f -Author: Patrick Schleizer -Date: Mon May 15 11:56:30 2023 +0000 - - bumped changelog version - -commit 39676395f814007f74ce1edb0aee0ada4d4fa478 -Merge: 6511dac 1f38fcf -Author: Patrick Schleizer -Date: Mon May 15 11:34:57 2023 +0000 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 1f38fcfefa1ccd732e4500522cc0978bda69ab0b -Merge: d66a9ba 6ab400c -Author: Patrick Schleizer -Date: Mon May 15 07:34:16 2023 -0400 - - Merge pull request #125 from JeremyRand/typo - - mmap-rnd-bits: Fix typo in error message - -commit d66a9bac551e7544eed592a69f576d27880e2bf3 -Merge: 6511dac 9d23717 -Author: Patrick Schleizer -Date: Mon May 15 07:34:00 2023 -0400 - - Merge pull request #124 from JeremyRand/doc-aslr - - README: Document mmap-rnd-bits - -commit 6ab400c9d982bde16271052f181c87255046037e -Author: Jeremy Rand -Date: Tue May 9 10:55:31 2023 +0000 - - mmap-rnd-bits: Fix typo in error message - -commit 9d23717b6d3f94d8fad5ab00628dcbf41fa2cab5 -Author: Jeremy Rand -Date: Mon May 8 13:45:18 2023 +0000 - - README: Document mmap-rnd-bits - -commit 6511dac1d4aea1800ce8e51d1f6cdbae4d31e10c -Author: Patrick Schleizer -Date: Sat May 6 12:00:12 2023 +0000 - - bumped changelog version - -commit 0c10b3f0383d69c2d504b3e346da68b056d1dca8 -Author: Patrick Schleizer -Date: Sat May 6 11:59:59 2023 +0000 - - output - -commit a815c9b9867b0ec56737e60eb1dfeec6a57af6f1 -Author: Patrick Schleizer -Date: Sat May 6 11:54:31 2023 +0000 - - bumped changelog version - -commit 5d4d04a2ebeeea7e096c1680779f2897a03838c6 -Author: Patrick Schleizer -Date: Sat May 6 11:54:00 2023 +0000 - - output - -commit 2d465c624975cc2ca308878e0ef1508316d3316e -Author: Patrick Schleizer -Date: Sat May 6 11:51:25 2023 +0000 - - refactoring - -commit b756314eb894dde4d017e0aec5876b56f0178de4 -Author: Patrick Schleizer -Date: Fri May 5 15:09:32 2023 +0000 - - bumped changelog version - -commit 014a28ba07406e5d69f86e90ddb8a27b3778c3a8 -Author: Patrick Schleizer -Date: Fri May 5 15:04:21 2023 +0000 - - comment - -commit ec01c1a99630f44a73763b019a1bad6dc52bbf4e -Author: Patrick Schleizer -Date: Fri May 5 15:02:31 2023 +0000 - - minor mmap-rnd-bits improvements - -commit 3dc406f138ee3dc81b54db2c8c4b795fc6b7c9d5 -Author: Patrick Schleizer -Date: Fri May 5 15:01:22 2023 +0000 - - minor - -commit 40e940ec58928049bb38b85d15beaead80740192 -Author: Patrick Schleizer -Date: Fri May 5 14:54:24 2023 +0000 - - minor mmap-rnd-bits improvements - -commit f4fd0f90120e8983b37bc5822cf98a215d25990e -Author: Patrick Schleizer -Date: Fri May 5 14:53:07 2023 +0000 - - minor mmap-rnd-bits improvements - -commit a8e4121befe19bb7d2f74582655a14bded23a37d -Author: Patrick Schleizer -Date: Fri May 5 14:52:07 2023 +0000 - - minor mmap-rnd-bits improvements - -commit 9184e6bb921a9c7356e8d2c7216a1da91f963304 -Author: Patrick Schleizer -Date: Fri May 5 14:51:19 2023 +0000 - - fix - -commit 89168ef40ce713b27974e4e38f6e3e63646d78bc -Author: Patrick Schleizer -Date: Fri May 5 14:49:56 2023 +0000 - - minor mmap-rnd-bits improvements - -commit d6d79e96c9a3f25b75d92a46dc97d6191d6ac691 -Author: Patrick Schleizer -Date: Fri May 5 14:44:29 2023 +0000 - - minor mmap-rnd-bits improvements - -commit 15d0ee100834e01e3f17ee179c3120f37eb3cae5 -Merge: 1137e6c 2d40bbc -Author: Patrick Schleizer -Date: Fri May 5 14:37:34 2023 +0000 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 2d40bbc8fec7ceea47b64fdebc9e751b26e0cf27 -Merge: 5c6db28 48a68ba -Author: Patrick Schleizer -Date: Fri May 5 10:14:43 2023 -0400 - - Merge pull request #120 from JeremyRand/aslr-ppc64le - - vm.mmap_rnd_bits: Fix ppc64le - -commit 48a68ba237895c0c6c24ebd256ae6a9adec2628f -Author: Jeremy Rand -Date: Sat Apr 22 04:43:41 2023 +0000 - - mmap-rnd-bits: Handle unwritable /etc/sysctl.d/ - -commit 434cfb427f739258bd3280ce148cdbe85c800f8a -Author: Jeremy Rand -Date: Sat Apr 22 04:36:05 2023 +0000 - - mmap-rnd-bits: Check that configs are valid integers - -commit 76ca8a27f94d89ed783b900257934c0749e631ce -Author: Jeremy Rand -Date: Sat Apr 22 04:29:14 2023 +0000 - - mmap-rnd-bits: Handle missing kernel config file - -commit 2cf105700a98297f65026e43b435fe017a04ba07 -Author: Jeremy Rand -Date: Sat Apr 22 04:08:20 2023 +0000 - - postinst: Don't fail if mmap-rnd-bits fails - -commit 61f63255acdf942e52af35d7f6d1c271a671e6f7 -Author: Jeremy Rand -Date: Fri Mar 24 12:32:58 2023 +0000 - - vm.mmap_rnd_bits: Fix ppc64le - - Probably fixes a bunch of other non-x86_64 arches too. - -commit 5c6db28881463e8c764872a8cd268c23ac64b8f1 -Merge: 8a34d6c ed5f8be -Author: Patrick Schleizer -Date: Fri Mar 31 04:52:55 2023 -0400 - - Merge pull request #122 from raja-grewal/tcp - - Remove outdated comment about SACK, DSACK, and FACK - -commit 8a34d6c067bdebc513f34cd3c434b0675f118e10 -Merge: 1137e6c 7a4212d -Author: Patrick Schleizer -Date: Fri Mar 31 04:52:18 2023 -0400 - - Merge pull request #121 from raja-grewal/copyright - - Update Copyright - -commit ed5f8be9ebd4f34c8b8de78abe0a8df0775b80aa -Author: Raja Grewal -Date: Thu Mar 30 19:17:43 2023 +1100 - - Remove outdated comment about SACK, DSACK, and FACK - -commit 7a4212dd76c866e1db4dd4875e51c0d49bb3574d -Author: Raja Grewal -Date: Thu Mar 30 17:08:47 2023 +1100 - - Update copyright - -commit 1137e6c9104565b8f7546a9a5450ec2c2330efb7 -Author: Patrick Schleizer -Date: Mon Jan 30 05:58:47 2023 -0500 - - bumped changelog version - -commit 8c3204a5e42b0c4dc6ff9c66568ac78abc4dbd47 -Author: Patrick Schleizer -Date: Wed Jan 25 15:20:30 2023 -0500 - - comment - -commit 65c29f493b56798bc67de7ea451f8f65d99d3093 -Author: Patrick Schleizer -Date: Wed Jan 25 15:13:19 2023 -0500 - - move kexec disabling to dedicated file `/etc/sysctl.d/30_security-misc_kexec-disable.conf` - - so ram-wipe can `config-package-dev` `hide` this config file - -commit 56c7c57b3a3929f57c9173f9156b2b9f7f7f854e -Author: Patrick Schleizer -Date: Tue Jan 24 07:09:40 2023 -0500 - - bumped changelog version - -commit b87d9eb86544a7f06772a0db803711b49ec3f554 -Author: Patrick Schleizer -Date: Tue Jan 24 07:08:13 2023 -0500 - - lintian - -commit a4820086508a64156aa222d61d5f0f88bf56fb3e -Author: Patrick Schleizer -Date: Tue Jan 24 07:05:53 2023 -0500 - - bumped changelog version - -commit 7bda2ad3e8f30668428e054f57613d7c2ed2a4d6 -Author: Patrick Schleizer -Date: Tue Jan 24 06:34:17 2023 -0500 - - move ram-wipe scripts to dedicated ram-wipe package - -commit 11d0bb2c006eb7add5f9b0e70a199098972af25e -Author: Patrick Schleizer -Date: Mon Jan 9 07:05:18 2023 -0500 - - bumped changelog version - -commit c50665218776733919845044b39466c57117542d -Author: Patrick Schleizer -Date: Mon Jan 9 07:05:06 2023 -0500 - - fix - -commit b3d85f115cf486f4a2805d954ba6dd741817dd71 -Author: Patrick Schleizer -Date: Mon Jan 9 07:02:01 2023 -0500 - - bumped changelog version - -commit 6faa050dd8d26bd6436688b32bbc7a6515f9cb14 -Author: Patrick Schleizer -Date: Mon Jan 9 06:54:04 2023 -0500 - - migrate ram-wipe to dedicated package - -commit ad5d0d4b12e73b74166aafb5c34252f1e1af1854 -Author: Patrick Schleizer -Date: Mon Jan 9 06:37:45 2023 -0500 - - disable kexec (revert enabling kexec) - - remove kexec-utils for ram-wipe since moved to its own package - -commit 87c4e77c017aba7d57ae1fc7cf41a1f3143f1a04 -Author: Patrick Schleizer -Date: Mon Jan 9 06:23:00 2023 -0500 - - migrate to ram-wipe package - -commit 3867acf723f26416a047260010518829adcefc03 -Author: Patrick Schleizer -Date: Mon Jan 9 05:34:48 2023 -0500 - - bumped changelog version - -commit d769099db1dbf90350838430cda2de7196076c5d -Author: Patrick Schleizer -Date: Mon Jan 9 05:34:07 2023 -0500 - - use warn instead of info for now - - because dracut does not show info messages when kernel parameter quiet is set - -commit 7fa6946694a997e04b17ecb3a167d767543093a2 -Author: Patrick Schleizer -Date: Sun Jan 8 07:17:02 2023 -0500 - - bumped changelog version - -commit f3b84e15be40ef64969b70bc62ab4bf8d40352b6 -Author: Patrick Schleizer -Date: Sun Jan 8 07:16:18 2023 -0500 - - refactoring - -commit 96d6ca7ae01d537ab972798417b9453d57c03cd7 -Author: Patrick Schleizer -Date: Sun Jan 8 07:09:09 2023 -0500 - - improve kernel and initrd file detection - -commit 8367b27a0df2e6ea5bc2d57d1520cfdd2f4d35e2 -Author: Patrick Schleizer -Date: Sun Jan 8 07:08:18 2023 -0500 - - output - -commit da0fc9f5bd5d1551f46fb5625010b317d30274b3 -Author: Patrick Schleizer -Date: Sun Jan 8 07:07:43 2023 -0500 - - improve kernel and initrd file detection - -commit 5b11eecaecdec7487224b90708da82c10ccc4d63 -Author: Patrick Schleizer -Date: Sun Jan 8 06:45:10 2023 -0500 - - refactoring - -commit e81dd6cd25f58871c1f6b4a082f81eec34a518b5 -Author: Patrick Schleizer -Date: Sat Jan 7 18:13:57 2023 -0500 - - bumped changelog version - -commit 938b87d26c195b6804796d4fa6050a453278700c -Author: Patrick Schleizer -Date: Sat Jan 7 18:06:10 2023 -0500 - - comment - -commit 0b1310a21944939d94de18d8ac6d494446d23d0c -Author: Patrick Schleizer -Date: Sat Jan 7 18:05:47 2023 -0500 - - output - -commit 2fd302f580509842d290b2b0a27079dca445d5cd -Author: Patrick Schleizer -Date: Sat Jan 7 18:02:21 2023 -0500 - - output - -commit 921bc3e867411e5a96ca3e4641a7501038cf5139 -Author: Patrick Schleizer -Date: Sat Jan 7 17:49:24 2023 -0500 - - bumped changelog version - -commit 080abe574ba10b8365587a1c89085efe88f210ee -Author: Patrick Schleizer -Date: Sat Jan 7 17:48:21 2023 -0500 - - output - -commit 5689c07f97d2775b9445f75a10554e70875a5636 -Author: Patrick Schleizer -Date: Sat Jan 7 17:37:46 2023 -0500 - - comment - -commit 8e2db269b01e5d3c28346dd7713074a346fa3e72 -Author: Patrick Schleizer -Date: Sat Jan 7 17:36:51 2023 -0500 - - cleanup - -commit a07af631559e9c9312c263826969b5b028509a2e -Author: Patrick Schleizer -Date: Sat Jan 7 17:35:56 2023 -0500 - - output - -commit 1d22ebde08984968deb143dab244a2b6e30d45e9 -Author: Patrick Schleizer -Date: Sat Jan 7 17:23:35 2023 -0500 - - bumped changelog version - -commit 539156c0dad74c584adb02beacdcf7a3a9b8b982 -Author: Patrick Schleizer -Date: Sat Jan 7 17:23:25 2023 -0500 - - drop_caches - -commit 02f44459ad194444122e98a9f743c2725edb4e43 -Author: Patrick Schleizer -Date: Sat Jan 7 17:22:45 2023 -0500 - - DRACUT_QUIET=no - -commit abbaea582de898e48a852a0a153fe336341afe17 -Author: Patrick Schleizer -Date: Sat Jan 7 17:16:23 2023 -0500 - - bumped changelog version - -commit ab89d0e06e68fa47fa4058416a6c8700551f1b9a -Author: Patrick Schleizer -Date: Sat Jan 7 16:59:00 2023 -0500 - - cleanup - -commit 2e833b40a1af1f194ec392ff0c05b0060bb27fe8 -Author: Patrick Schleizer -Date: Sat Jan 7 16:43:09 2023 -0500 - - prevent "wait: pid 55 is not a child of this shell" - -commit 3777ecba8568cf5458b05b3eeedf98f0ba51cd69 -Author: Patrick Schleizer -Date: Sat Jan 7 16:34:19 2023 -0500 - - comment - -commit e0ded5e69d38a02f9896277a67c0d209e4ee4ad4 -Author: Patrick Schleizer -Date: Sat Jan 7 16:34:04 2023 -0500 - - comment - -commit 996c6af2d84cf23f323ca80c04fab26beea2aa1b -Author: Patrick Schleizer -Date: Sat Jan 7 16:31:23 2023 -0500 - - lower debugging - -commit 4fca8f4225f134316e734d5f85d12b9e39b99b0f -Author: Patrick Schleizer -Date: Sat Jan 7 16:28:11 2023 -0500 - - comment - -commit fa579cad8980c8d9231a9e2682267910544be175 -Author: Patrick Schleizer -Date: Sat Jan 7 16:20:48 2023 -0500 - - bumped changelog version - -commit c9107bb044e3038d837e371aa7467edcedbbdb16 -Author: Patrick Schleizer -Date: Sat Jan 7 16:11:48 2023 -0500 - - debugging - -commit b7bb24f984cb5669d9cc9b3522ee57a05070cef9 -Author: Patrick Schleizer -Date: Sat Jan 7 16:09:11 2023 -0500 - - description - -commit 2bd9cc5bc1ac94d039a7e515d3a839af820fb4be -Author: Patrick Schleizer -Date: Sat Jan 7 16:08:12 2023 -0500 - - output - -commit 2456fed3614268abfb238f3a0783719adb45b711 -Author: Patrick Schleizer -Date: Sat Jan 7 16:00:42 2023 -0500 - - output - -commit c0b5fea6806ea07b667a341b2400aacb7191b27f -Author: Patrick Schleizer -Date: Sat Jan 7 15:59:52 2023 -0500 - - protect against wipe RAM reboot loop - -commit c1b87d250c4e5decd726e7fd67b482ff1eaecbf1 -Author: Patrick Schleizer -Date: Sat Jan 7 15:37:47 2023 -0500 - - bumped changelog version - -commit 91aedb234aa7c516dca8016f6b82536cfe25f410 -Author: Patrick Schleizer -Date: Sat Jan 7 15:36:36 2023 -0500 - - output - -commit 368ad8e636ae30eb60c8f2c6ce7117970a77c021 -Author: Patrick Schleizer -Date: Sat Jan 7 15:36:05 2023 -0500 - - cleanup - -commit d8bf40f7a28f53f2f51c41b77663e5a40a5d8fb4 -Author: Patrick Schleizer -Date: Sat Jan 7 15:35:45 2023 -0500 - - refactoring - -commit 166a6863a1c249e68e3f38109b115503bc5663ec -Author: Patrick Schleizer -Date: Sat Jan 7 15:35:15 2023 -0500 - - output - -commit 20596488be39f92f069523a3d86c0e6b6ec15399 -Author: Patrick Schleizer -Date: Sat Jan 7 15:34:20 2023 -0500 - - long options - -commit 1e19c2cbad8cdf97f6bb460c90cfa330492b8019 -Author: Patrick Schleizer -Date: Sat Jan 7 15:32:25 2023 -0500 - - Depends: kexec-tools - - required for cold boot attack defense second RAM wipe after reboot - -commit b0630f58c136d6c7a964447806ec8ee603a73aa8 -Author: Patrick Schleizer -Date: Sat Jan 7 15:24:05 2023 -0500 - - debugging - -commit dde01f36634337a24d0cd37cfe5a456ff77e8b0e -Author: Patrick Schleizer -Date: Sat Jan 7 15:23:23 2023 -0500 - - long options - -commit 6e0926eece54a55502fa67c2abedf5b718e306e6 -Author: Patrick Schleizer -Date: Sat Jan 7 15:22:58 2023 -0500 - - long options - -commit 51a5f68c7654774d37986916029607da588189ab -Author: Patrick Schleizer -Date: Sat Jan 7 15:22:25 2023 -0500 - - refactoring - -commit 83800fcb4fd365aab58a5f70f78f39af7d9371dc -Author: Patrick Schleizer -Date: Sat Jan 7 15:18:58 2023 -0500 - - --no-legend - -commit 822cf646182f8ff649ea08da2fd4365022871a61 -Author: Patrick Schleizer -Date: Sat Jan 7 15:13:36 2023 -0500 - - output - -commit bb2f0a3c4421e3686477a6dff81bb87d5dcd836f -Author: Patrick Schleizer -Date: Sat Jan 7 15:12:15 2023 -0500 - - minor - -commit c3a822af0e9c8bb6c9b34b732ba48710e3ee1974 -Author: Patrick Schleizer -Date: Sat Jan 7 15:09:25 2023 -0500 - - test if readable - -commit 227871c12c57ecc5ff6d4075ea59a7dc9eca3dd3 -Author: Patrick Schleizer -Date: Sat Jan 7 15:07:34 2023 -0500 - - output - -commit c09f4da1922f40f666dae0570295b5ab5c02e8a9 -Author: Patrick Schleizer -Date: Sat Jan 7 15:06:56 2023 -0500 - - code simplification - -commit 01fee8a7b4a12c8c2be4173337decc37ec3e6019 -Author: Patrick Schleizer -Date: Sat Jan 7 15:06:31 2023 -0500 - - refactoring - -commit f675f8da0d33ab18efa782ee155a8632e9a3dc0f -Author: Patrick Schleizer -Date: Sat Jan 7 15:05:58 2023 -0500 - - quotes - -commit d0daf75db3529e206565604a63e11ee1268ed39b -Author: Patrick Schleizer -Date: Sat Jan 7 15:05:24 2023 -0500 - - quotes - -commit 8bcf7e3c235c1193f3a6d43a7c8b23b50e972de7 -Author: Patrick Schleizer -Date: Sat Jan 7 15:04:57 2023 -0500 - - minor - -commit 2cc3c6c59ca88cf44751bc2e9bb7055b46102284 -Author: Patrick Schleizer -Date: Sat Jan 7 15:04:42 2023 -0500 - - lower debugging - -commit 10932bb5d83c469f556b46f42ee517e882d87a4f -Author: Patrick Schleizer -Date: Sat Jan 7 15:04:23 2023 -0500 - - minor - -commit c88e95ce33f30f67726ac086c1b8d020b1024ebc -Author: Patrick Schleizer -Date: Sat Jan 7 15:04:07 2023 -0500 - - output - -commit 06034d2e4f97712fc84ad75e3fa8ba6bf4fccfee -Author: Patrick Schleizer -Date: Sat Jan 7 15:03:06 2023 -0500 - - fix - -commit 059ebb212d03f5d01d46362530702dbeaefdce5e -Author: Patrick Schleizer -Date: Sat Jan 7 14:35:30 2023 -0500 - - comment - -commit c0304ec029198665aaf63c843f5b7d5567f95208 -Author: Patrick Schleizer -Date: Sat Jan 7 14:35:09 2023 -0500 - - minor - -commit d5271d6250f0f6ea5adf7bc71fc48fddab1a9af4 -Author: Patrick Schleizer -Date: Sat Jan 7 14:31:40 2023 -0500 - - bumped changelog version - -commit d31c17ea047fbbd698ad9f074a00d6fba2aaf283 -Author: Patrick Schleizer -Date: Sat Jan 7 14:31:14 2023 -0500 - - fix - -commit 41d116aa2f6d5ab33a1d5889f6ae251e5b8b5538 -Author: Patrick Schleizer -Date: Sat Jan 7 14:30:12 2023 -0500 - - lintian - -commit e83ba18553832134b2f6da6ce98b0ee0c852961e -Author: Patrick Schleizer -Date: Sat Jan 7 14:29:12 2023 -0500 - - minor - -commit 53ab93d8f6553eab1682290d42faf0d466f06219 -Author: Patrick Schleizer -Date: Sat Jan 7 14:27:42 2023 -0500 - - bumped changelog version - -commit bb121e52bbab151b2104f1a333cabc3889ef47b0 -Author: Patrick Schleizer -Date: Sat Jan 7 14:27:22 2023 -0500 - - chmod +x - -commit 42ab341a58de4c54b20b8f6dc4e048ce61068cf4 -Author: Patrick Schleizer -Date: Sat Jan 7 12:57:36 2023 -0500 - - bumped changelog version - -commit d37b19fb6bb3cadbb74d011be026fd8d2653ac17 -Author: Patrick Schleizer -Date: Sat Jan 7 12:55:05 2023 -0500 - - comment - -commit 0367250dc74f9e6ec38f9da5809ff661493134a8 -Author: Patrick Schleizer -Date: Sat Jan 7 12:54:35 2023 -0500 - - comment - -commit c1df2fd601f3445a0a811a679efa7d2176026558 -Author: Patrick Schleizer -Date: Sat Jan 7 12:52:14 2023 -0500 - - comment - -commit c2b20603fdd62a3f82c842c7ebeaad0f70e005d0 -Author: Patrick Schleizer -Date: Sat Jan 7 12:49:18 2023 -0500 - - output - -commit 999a82ed946c8fd57654a0a90e2a2e53ef98a788 -Author: Patrick Schleizer -Date: Sat Jan 7 12:46:21 2023 -0500 - - output - -commit 2860560edb7951a8ac9de1c23c9655c655b40f23 -Author: Patrick Schleizer -Date: Sat Jan 7 12:43:07 2023 -0500 - - minor - -commit 450ff378b067070618e4a972f8131acac5b292e0 -Merge: 929f49f b8e82ff -Author: Patrick Schleizer -Date: Sat Jan 7 12:38:14 2023 -0500 - - Merge remote-tracking branch 'friedy10/master' - -commit b8e82fffca0138afaf20e1b2faf755ce1533af45 -Author: Friedrich Doku -Date: Sat Jan 7 11:31:02 2023 -0500 - - Get rid of /dev/kmsg - -commit 78a4fad6674bb11fa682b908e0d3bc63705e7d20 -Author: Friedrich Doku -Date: Sat Jan 7 11:14:31 2023 -0500 - - Change echo to info. Included more reliable way of getting initrd and kernel. Allow user custom kexec - -commit 8da3b9c40c6ee073addcc06d5227b3043438b768 -Author: Friedrich Doku -Date: Fri Jan 6 21:40:17 2023 -0500 - - fix last line - -commit 7cf51a1b433bfb2ccf4fa14b7807184e9e3681c5 -Author: Friedrich Doku -Date: Fri Jan 6 21:32:57 2023 -0500 - - Checking job queue instead of dbus - -commit 4b7053a6353cf0e092a6ef712e955b4318671bfc -Author: Friedrich Doku -Date: Fri Jan 6 13:53:28 2023 -0500 - - Update wipe-ram.sh - -commit 779ad24b573b83c08e89569e5213e018377d1535 -Author: Friedrich Doku -Date: Fri Jan 6 13:53:18 2023 -0500 - - Update wipe-ram-needshutdown.sh - -commit d45ba826bca6f5efef846de01a34a0a8c7936442 -Author: Friedrich Doku -Date: Fri Jan 6 13:53:10 2023 -0500 - - Update module-setup.sh - -commit b3d4314a069a608380ca9dd01d76c653bdb87078 -Author: Friedrich Doku -Date: Fri Jan 6 13:52:51 2023 -0500 - - Update wipe-ram.sh - -commit 33877250172349cccb2c776c1fa7aed2e8ad716f -Author: Friedrich Doku -Date: Fri Jan 6 13:52:42 2023 -0500 - - Update wipe-ram-needshutdown.sh - -commit ec68ee6ded7294c161b3d0793bf8874b12262190 -Author: Friedrich Doku -Date: Fri Jan 6 13:52:32 2023 -0500 - - Update module-setup.sh - -commit 014d10b9778907a9282ec337023f8c2b01b0ca6b -Author: Friedrich Doku -Date: Fri Jan 6 13:52:09 2023 -0500 - - Update cold-boot-attack-defense-kexec-prepare.service - -commit 62dcdcf7649175e0587a84708e8f0aa318a45d30 -Author: Friedrich Doku -Date: Fri Jan 6 13:51:45 2023 -0500 - - Update cold-boot-attack-defense-kexec-prepare - -commit f4637509205c11eddaa13151b93c961e9d345be6 -Author: Friedrich Doku -Date: Fri Jan 6 13:48:22 2023 -0500 - - Update cold-boot-attack-defense-kexec-prepare.service - -commit 14abfbfccdd3403d90a16dd5b2a1057ccf4da3d5 -Author: Friedrich Doku -Date: Fri Jan 6 13:48:03 2023 -0500 - - Update cold-boot-attack-defense-kexec-prepare - -commit 37a5264696797c0807570606361e04cb8dcb2395 -Author: Friedrich Doku -Date: Fri Jan 6 13:47:34 2023 -0500 - - Update wipe-ram.sh - -commit 7ac45acd0f3e3e0a68e3fc4036787e8e7d4ebe9f -Author: Friedrich Doku -Date: Fri Jan 6 13:47:23 2023 -0500 - - Update wipe-ram-needshutdown.sh - -commit 114a37fcd39ff20ddd9e8cca829763a9b96a8115 -Author: Friedrich Doku -Date: Fri Jan 6 13:47:14 2023 -0500 - - Update module-setup.sh - -commit 1eeb32b7b96ab1df63d808b6715fef7a6e1a9482 -Author: Friedrich Doku -Date: Fri Jan 6 13:47:01 2023 -0500 - - Update wipe-ram.sh - -commit c5accc5ad191fe54a96e12cd1f1286508da8243c -Author: Friedrich Doku -Date: Fri Jan 6 13:46:51 2023 -0500 - - Update wipe-ram-needshutdown.sh - -commit f9ebc3cfa86674025ccd65c22cde2427ea2f4ae3 -Author: Friedrich Doku -Date: Fri Jan 6 13:46:40 2023 -0500 - - Update module-setup.sh - -commit 28687092ef4f57afab5e8d32f68492799694a379 -Author: Friedrich Doku -Date: Fri Jan 6 12:52:36 2023 -0500 - - Update cold-boot-attack-defense-kexec-prepare - -commit d67d3c1d7d788fff589806457ff140e8f82089a0 -Author: Friedrich Doku -Date: Fri Jan 6 12:51:18 2023 -0500 - - Update wipe-ram.sh - -commit 7fa64d68423d24668e44eb0d7e19ccf4845ee711 -Author: Friedrich Doku -Date: Fri Jan 6 12:50:58 2023 -0500 - - Update wipe-ram-needshutdown.sh - -commit 14c7239681300edc4f715bc96c5235cddf677c60 -Author: Friedrich Doku -Date: Fri Jan 6 12:50:42 2023 -0500 - - Update module-setup.sh - -commit 73913ea5afef8354f433f7cf87c7cd64c16be0a0 -Author: Friedrich Doku -Date: Fri Jan 6 12:49:34 2023 -0500 - - Added checks - -commit a7015f4ddff892cab17f96713ddb0a720ebb7901 -Author: Friedrich Doku -Date: Fri Jan 6 10:50:34 2023 -0500 - - added files - -commit 929f49f333fc88d91ed4cef849921b0b4a69bfea -Author: Patrick Schleizer -Date: Sun Dec 18 14:37:51 2022 -0500 - - bumped changelog version - -commit 75beb52bd5b7cee4a48eead53dbbe7fac9f6cc9e -Merge: 98f753d 58b622f -Author: Patrick Schleizer -Date: Sun Dec 18 06:24:41 2022 -0500 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 58b622f0fe373b6e2fb30b9564b22f1064f690b0 -Merge: 98f753d f81714b -Author: Patrick Schleizer -Date: Sun Dec 18 06:23:26 2022 -0500 - - Merge pull request #114 from raja-grewal/framebuffer - - Add some framebuffer drivers into blacklist - -commit f81714be506d1b15c0e79cbe8378bf8a18a2256f -Merge: d67845f 98f753d -Author: Raja Grewal -Date: Tue Dec 13 05:14:56 2022 +0000 - - Merge branch 'Kicksecure:master' into framebuffer - -commit d67845fea89f4a74ed4b0a6eefbf2bf228b13a1b -Author: Raja Grewal -Date: Tue Dec 13 16:11:24 2022 +1100 - - Typo - -commit 98f753d8ffcf6673a3130d45c23b84a4c35917b1 -Author: Patrick Schleizer -Date: Thu Nov 24 07:21:58 2022 -0500 - - bumped changelog version - -commit 6d7a78262464c054c46df155605a480f1b32f22c -Author: Patrick Schleizer -Date: Thu Nov 24 07:21:46 2022 -0500 - - fix - -commit 421f03ae9e648d366146415532d4dd9dda106980 -Author: Patrick Schleizer -Date: Thu Nov 24 07:20:56 2022 -0500 - - fix - -commit ad1e722879ef049ef421f0062ee383770d66bfee -Author: Patrick Schleizer -Date: Thu Nov 24 07:00:33 2022 -0500 - - bumped changelog version - -commit a806c782d78d691617dd650808a0403ce72d4a1a -Author: Patrick Schleizer -Date: Thu Nov 24 07:00:23 2022 -0500 - - fix - -commit 4601e106c4823f2cb0dc7a8ba601670395c96326 -Author: Patrick Schleizer -Date: Thu Nov 24 06:49:26 2022 -0500 - - bumped changelog version - -commit 39b35ef9ac7489685df5486334a0acf5936e9b47 -Author: Patrick Schleizer -Date: Thu Nov 24 06:49:15 2022 -0500 - - fix - -commit 73963a9e6847fd8099093da1253267d79db7d261 -Author: Patrick Schleizer -Date: Thu Nov 24 06:31:37 2022 -0500 - - bumped changelog version - -commit d05c10172178d04781976026243297fa153125a0 -Author: Patrick Schleizer -Date: Thu Nov 24 06:31:24 2022 -0500 - - debugging - -commit 36454c2dbf43de4805f2f156b05d263c37b9615a -Author: Patrick Schleizer -Date: Thu Nov 24 06:25:47 2022 -0500 - - debugging - -commit e06b173a1be8c0e3e47a9c4bab2d94fe88d422e0 -Author: Patrick Schleizer -Date: Thu Nov 24 06:24:14 2022 -0500 - - debugging - -commit 97722d1926bc106a0645783fcb55b7d5691c873b -Author: Patrick Schleizer -Date: Thu Nov 24 06:14:15 2022 -0500 - - bumped changelog version - -commit 497b5b45442b1293b130fef63de1b84d091d27eb -Author: Patrick Schleizer -Date: Thu Nov 24 06:14:04 2022 -0500 - - fix - -commit 6f695902fb70cbbc95b71f827216ab84edcfeb83 -Author: Raja Grewal -Date: Wed Nov 23 23:53:40 2022 +1100 - - Add comment about legacy Apple fiesystems - -commit d7222b5678aa182866c389d8a88f55b6488e74e0 -Author: Patrick Schleizer -Date: Tue Nov 22 06:03:13 2022 -0500 - - bumped changelog version - -commit e5255a630ad3c9c99b6b7ffa4c7be43a44dffba9 -Author: Patrick Schleizer -Date: Tue Nov 22 05:57:30 2022 -0500 - - pam-info: support non-root environments (such as during graphical display manager login and xscreensaver) - -commit d419898ee494fb159ed6811a719dbb4a5ffb469a -Author: Patrick Schleizer -Date: Thu Nov 17 10:15:36 2022 -0500 - - bumped changelog version - -commit 09e6af5c080f776d56d7e2390f88c4ae7e01bdb7 -Author: Patrick Schleizer -Date: Wed Nov 16 02:01:23 2022 -0500 - - pam-info refactoring - -commit caf0099064747a2048363e3600a53af51df549ad -Author: Patrick Schleizer -Date: Wed Nov 16 02:00:32 2022 -0500 - - pam-info refactoring - -commit 487f63bb01c6dfc71d0e4efef2c70dae94093dce -Author: Patrick Schleizer -Date: Wed Nov 16 01:56:01 2022 -0500 - - comment - -commit f59f959a8d43ebd80a4037e65ec26df7143bcaf5 -Author: Patrick Schleizer -Date: Wed Nov 16 01:55:14 2022 -0500 - - pam-info fix - -commit ae113442a162969561a24fcf17718ceb6a11d928 -Author: Patrick Schleizer -Date: Wed Nov 16 01:49:45 2022 -0500 - - pam-info refactoring - -commit bb6b509d06a1ae34ee407cb309c530e5dddfedfd -Author: Patrick Schleizer -Date: Wed Nov 16 01:44:21 2022 -0500 - - pam-info refactoring - -commit e5d7ab7082908e64596ccd1da835a781cae22456 -Author: Patrick Schleizer -Date: Tue Nov 15 12:44:12 2022 -0500 - - comment - -commit 23b936b573c8989222a50d1ef8c35dc95589bb0e -Author: Patrick Schleizer -Date: Tue Nov 15 12:31:14 2022 -0500 - - also support /usr/local/etc/pam-info-debug - -commit 95487346dbb18c4ac9133fc21b4abed12dc346b3 -Author: Patrick Schleizer -Date: Tue Nov 15 12:29:41 2022 -0500 - - pam-info: create debug log file ~/pam-info-debug.txt - - when file /etc/pam-info-debug exists - -commit 2872c2ab52ae9a1eaa25ea8b9852401e82d5616a -Author: Patrick Schleizer -Date: Tue Nov 15 12:00:59 2022 -0500 - - comments - -commit 6033de78152cb5d7a9659f58aa8035ae2a7d6532 -Author: Patrick Schleizer -Date: Tue Nov 15 11:58:50 2022 -0500 - - debugging - -commit daa30d4e7830ba38ed52f83e6ac93c3a4e03ee33 -Author: Raja Grewal -Date: Wed Nov 9 20:43:59 2022 +1100 - - Include several framebuffer drivers into blacklist - - These were previously commented out to test for compatibility issues. - -commit 2319458e9f1a0ae2b60cf5786122c19459bbaea1 -Author: Patrick Schleizer -Date: Wed Aug 24 18:28:39 2022 -0400 - - bumped changelog version - -commit cdfc175953a8ab358bb8e6db2610df11733ba258 -Merge: ff84514 ae4d498 -Author: Patrick Schleizer -Date: Mon Aug 22 06:09:30 2022 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit ae4d4989b0e8ea79b5661f098e9814379ff9401e -Merge: ff84514 d500205 -Author: Patrick Schleizer -Date: Mon Aug 22 06:09:40 2022 -0400 - - Merge pull request #113 from raja-grewal/master - - Comment out machine check exception - -commit d500205f556ba896417eb0bae1df0144b00ef7b9 -Author: Raja Grewal -Date: Sun Aug 21 23:03:13 2022 +1000 - - Update README.md - -commit 92669dba186c6ac40ff601fd39639945cd7633c6 -Author: Raja Grewal -Date: Sun Aug 21 23:02:44 2022 +1000 - - Comment out machine check exception - -commit ff8451469ad3b9cbd101ca4b93d72a2ac6cebe37 -Author: Patrick Schleizer -Date: Sat Aug 13 11:40:04 2022 -0400 - - bumped changelog version - -commit 272a33fe2c3c7666de96f9037094db8e9ab8e09e -Author: Patrick Schleizer -Date: Sat Aug 13 11:35:25 2022 -0400 - - addgroup -> adduser fix - -commit 7d5246693c5c07f76e3f2e29c3ed39d4910673ff -Author: Patrick Schleizer -Date: Fri Aug 12 07:52:26 2022 -0400 - - bumped changelog version - -commit 82da4ed18f5682c0cc76cd435b6de2459c7b5f83 -Author: Patrick Schleizer -Date: Thu Jul 28 09:56:24 2022 -0400 - - comments - -commit a6bee1493d4113ab63f8d0671f97989b00d23544 -Author: Patrick Schleizer -Date: Thu Jul 28 09:55:12 2022 -0400 - - cold-boot-attack-defense wait longer to make messages readable by user - -commit 109594952335f94c2a21f22d6a517ecc8b864d81 -Author: Patrick Schleizer -Date: Tue Jul 26 10:00:53 2022 -0400 - - bumped changelog version - -commit 053142cdb57f23172fd0155dde4ff4c0183c4f65 -Author: Patrick Schleizer -Date: Tue Jul 26 10:00:21 2022 -0400 - - fix - -commit 73f6523e09f12fc56da0ed3555d050686ff441f3 -Author: Patrick Schleizer -Date: Sat Jul 23 08:07:37 2022 -0400 - - bumped changelog version - -commit 0c5b1e9f577d52e2c056e786e32c14ff37db344b -Author: Patrick Schleizer -Date: Sat Jul 23 07:49:56 2022 -0400 - - undo `"force kernel to panic on "oopses"` - - because implemented differently already - - https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713 - -commit c1c04b4619eea4c79a0dbb5cced3ebb77482877c -Merge: 465775c bfe6b88 -Author: Patrick Schleizer -Date: Sat Jul 23 07:43:19 2022 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit bfe6b888395abf554623a9e530fe7e6605047e12 -Merge: 465775c ca764d8 -Author: Patrick Schleizer -Date: Sat Jul 23 07:27:24 2022 -0400 - - Merge pull request #111 from raja-grewal/harden - - Increased kernel hardening at boot - -commit ca764d8de0f17bb7e6d44e3d79ea1805276fc521 -Author: Raja Grewal -Date: Wed Jul 20 04:06:35 2022 +1000 - - force kernel to panic on "oopses" - -commit 1660aaa6dd1013ede105baebbb8ff3e1afc7b268 -Author: Raja Grewal -Date: Tue Jul 19 03:38:41 2022 +1000 - - update details around disabling SMT - -commit bfd78a2c06153ebadfee39190055edf0a13958f4 -Author: Raja Grewal -Date: Tue Jul 19 03:16:08 2022 +1000 - - update SRBDS mitigation - -commit c3ebb9160ffbbd2972cc898e3c1c0055d89beb5c -Author: Raja Grewal -Date: Tue Jul 19 02:33:16 2022 +1000 - - CPU mitigation - MMIO Stale Data - -commit 59e90ff1226bd6330d85244cf7c73ecf7fd5fdf1 -Author: Raja Grewal -Date: Tue Jul 19 02:32:41 2022 +1000 - - CPU mitigation - L1D FLushing - -commit 8531fbf99dea1b4cd806babd6072a8a1f0506eb3 -Author: Raja Grewal -Date: Tue Jul 19 02:30:49 2022 +1000 - - CPU mitigation - SRBDS - -commit 73f1e233327cc0edec83eac322b7f03bcb7fba22 -Author: Raja Grewal -Date: Tue Jul 19 02:29:46 2022 +1000 - - shuffle and rewording - -commit 39314b291263a93fcb11756ce12bd8691a1fa0f6 -Merge: bb831d5 c4a1094 -Author: Raja Grewal -Date: Tue Jul 19 00:49:08 2022 +1000 - - Merge branch 'harden' of https://github.com/raja-grewal/security-misc into harden - -commit bb831d57bcdcc8195a4b8169a4ddc25fb0c61173 -Author: Raja Grewal -Date: Tue Jul 19 00:38:32 2022 +1000 - - delete repeated commands - -commit c77a2a78bc48df2af7653a306bd1b046a8f99a6b -Author: Raja Grewal -Date: Tue Jul 19 00:37:31 2022 +1000 - - enforce default net.ipv6.icmp_ignore_bogus_error_responses - -commit c4a10947608b0d5508ef5b18e0ab34a2ee4f35de -Merge: 2b23703 465775c -Author: Raja Grewal -Date: Mon Jul 18 13:36:23 2022 +0000 - - Merge branch 'Kicksecure:master' into harden - -commit 465775c9dc1b97c98a5470acaffabb103ea7239f -Author: Patrick Schleizer -Date: Sat Jul 16 08:00:16 2022 -0400 - - bumped changelog version - -commit 1fafb5f53bbec57812f535e79bfb475628cc58e3 -Merge: 24d6a93 27aa523 -Author: Patrick Schleizer -Date: Fri Jul 15 08:09:16 2022 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 27aa5231e2d1dafd89ba19c8d6becf461e781605 -Merge: 24d6a93 a72bbb1 -Author: Patrick Schleizer -Date: Fri Jul 15 08:06:08 2022 -0400 - - Merge pull request #112 from raja-grewal/blacklist - - Corrected kernel module disabling - -commit a72bbb1883613ee56be29949c153e0edb2d72a29 -Author: Raja Grewal -Date: Wed Jul 13 23:42:13 2022 +1000 - - Corrected kerenl module disabling - -commit 24d6a93eacf5b41cfb9133471049776a16a07b03 -Author: Patrick Schleizer -Date: Wed Jul 13 08:28:34 2022 -0400 - - bumped changelog version - -commit 2b237039cf1db66100f7f0bb4880981ee0489abf -Author: Raja Grewal -Date: Wed Jul 13 22:25:53 2022 +1000 - - Update README.md - -commit 8f31e5d1d172eb117bde63702f63081da182d5c5 -Merge: 6aa9a94 c410890 -Author: Patrick Schleizer -Date: Wed Jul 13 07:26:58 2022 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit c410890a8ade6d4be13dc99a7003f03ebded8153 -Merge: 6aa9a94 fe0cc10 -Author: Patrick Schleizer -Date: Wed Jul 13 07:24:12 2022 -0400 - - Merge pull request #110 from raja-grewal/master - - Incorporated Ubuntu’s kernel module blacklists and more verbose errors - -commit 4e93b4d37e4c6d23a0ac76ddb2144c6504a66ad1 -Author: Raja Grewal -Date: Wed Jul 13 21:10:39 2022 +1000 - - Revert "enforce defualt net.ipv4.ip_forward" - - This reverts commit 57b5b2145c4e6779f0b879ee4199d46938f20965. - -commit a47922ad28fc9ebba93615a6ffdaaeb4887cc140 -Author: Raja Grewal -Date: Wed Jul 13 04:47:07 2022 +1000 - - enforce of IOMMU TLB invalidation - -commit 33df16af805597057c7aad0d5a4fb135ed9e286b -Author: Raja Grewal -Date: Wed Jul 13 04:37:03 2022 +1000 - - disables random.trust_bootloader - -commit d0779a96fc054df925523a76510c1aae5d672f96 -Author: Raja Grewal -Date: Wed Jul 13 04:36:34 2022 +1000 - - add reference - -commit 74858d257b8de40f082ce21241e680a5eeaf4053 -Author: Raja Grewal -Date: Wed Jul 13 04:34:35 2022 +1000 - - enable randomize_kstack_offset - -commit f572332108c06eb77d24e776910463e69d49acd3 -Author: Raja Grewal -Date: Wed Jul 13 04:32:03 2022 +1000 - - disable slub_debug - -commit 57b5b2145c4e6779f0b879ee4199d46938f20965 -Author: Raja Grewal -Date: Wed Jul 13 04:30:43 2022 +1000 - - enforce defualt net.ipv4.ip_forward - -commit 79156262c9e3fe92344847b627afc64b2c7f7717 -Author: Raja Grewal -Date: Wed Jul 13 04:29:42 2022 +1000 - - enforce default net.ipv4.icmp_ignore_bogus_error_responses - -commit dabcaf22e1006cc60297c55e3e254f080562d552 -Author: Raja Grewal -Date: Wed Jul 13 04:28:03 2022 +1000 - - enforce default kernel.randomize_va_space - -commit fe0cc1089086273794bd6b54df3528ff78c10f6a -Author: Raja Grewal -Date: Tue Jul 12 17:18:47 2022 +1000 - - Updated README.md - -commit 48089e5ba43b0b72449f888b98b63119ed57e2fd -Author: Raja Grewal -Date: Tue Jul 12 17:02:12 2022 +1000 - - More verbose kernel module blocking error logs - -commit 40ec791774f2a6ae7d42ccf2bfbe4a98a9963f08 -Author: Raja Grewal -Date: Tue Jul 12 16:58:16 2022 +1000 - - Updated comments - -commit ef1ef9917d896f1cd837f399def6a75704e9bfd2 -Author: Raja Grewal -Date: Sun Jul 10 04:53:25 2022 +1000 - - Blacklist automatic loading of CD-ROM modules - -commit 61ef9bd59f9ff39c140f782ff5b41d0a3c6d97bc -Author: Raja Grewal -Date: Sun Jul 10 04:52:00 2022 +1000 - - Incorporated Ubuntu’s kernel module blacklists - -commit 6aa9a9472f10d4d6270dd59fbcd94d9001aca9e6 -Author: Patrick Schleizer -Date: Sat Jul 9 11:42:24 2022 -0400 - - bumped changelog version - -commit 3b844eaab25fecf90292c88291be77abf0be694c -Author: Patrick Schleizer -Date: Sat Jul 9 11:42:11 2022 -0400 - - output - -commit 73d2c9d921c5c75ef3cca5461acc350c648f26d2 -Author: Patrick Schleizer -Date: Sat Jul 9 11:40:15 2022 -0400 - - output - -commit adfdac6dea0e8f971c59557b383d116cd51619fd -Author: Patrick Schleizer -Date: Sat Jul 9 11:40:01 2022 -0400 - - output - -commit 1df2cfd1add8b2277cb37499ced4fbb713c17668 -Author: Patrick Schleizer -Date: Sat Jul 9 11:38:37 2022 -0400 - - comment - -commit fede41e6e03c33f2f6569f03593f76edb9969e6a -Author: Patrick Schleizer -Date: Sat Jul 9 11:38:04 2022 -0400 - - fix - -commit 52c46e4706d5799d452f260616a3909c9a3bc78f -Merge: 1b8500c dc41a58 -Author: Patrick Schleizer -Date: Sat Jul 9 11:37:41 2022 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit dc41a58102a114e21209aabeef9ad6b851365898 -Merge: 1b8500c e5f8004 -Author: Patrick Schleizer -Date: Sat Jul 9 11:37:57 2022 -0400 - - Merge pull request #108 from Krish-sysadmin/master - - Continue for loop if unable to change one directory's permission - -commit 1b8500cc22fdd6a51ec66ae1b04abccb9a529150 -Author: Patrick Schleizer -Date: Thu Jul 7 17:41:13 2022 -0400 - - bumped changelog version - -commit 277749f27b2da8d33b70fb6f88c6757fab77e636 -Author: Patrick Schleizer -Date: Thu Jul 7 15:49:08 2022 -0400 - - genmkfile debinstfile - -commit eb8535fe870e79a5c818a38c414147819d32346d -Author: Patrick Schleizer -Date: Thu Jul 7 15:48:39 2022 -0400 - - renamed: usr/bin/disabled-by-security-misc -> bin/disabled-by-security-misc - -commit 26b2c9727f5ba6f78f5cd10c28c3561a97c81be9 -Author: Patrick Schleizer -Date: Thu Jul 7 15:39:40 2022 -0400 - - not blacklist CD-ROM / DVD yet - - https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31 - -commit d5c16503411bee4199c35a51226fc59924d6e142 -Author: Patrick Schleizer -Date: Thu Jul 7 15:28:09 2022 -0400 - - shuffle - -commit ca19d78d48ca88f5b00dcceb18ac4803c7893ca4 -Author: Patrick Schleizer -Date: Thu Jul 7 15:27:15 2022 -0400 - - shuffle - -commit d018bdaf73e109a61c0687a171af843c890729e0 -Merge: 1b287a6 780dc8e -Author: Patrick Schleizer -Date: Thu Jul 7 15:26:08 2022 -0400 - - Merge remote-tracking branch 'raja-gerwal/master' - -commit 780dc8eec99915a7466249e219ad59c5db5f0364 -Author: Raja Grewal -Date: Fri Jul 8 04:11:25 2022 +1000 - - replace /bin/false -> /bin/disabled-by-security-misc - -commit fa2e30f5125e438250acfdc52107a936ecb7b1b4 -Author: Raja Grewal -Date: Fri Jul 8 03:04:37 2022 +1000 - - Updated descriptions of disabled modules - -commit da389d6682f6eb1d0c0172c50a4b529152384415 -Author: Raja Grewal -Date: Fri Jul 8 02:12:04 2022 +1000 - - Revert "replace /bin/false -> /bin/true" - - This reverts commit f0511635a9725f79863c41a7b8d9f8a077ba8788. - -commit 28381e81d4a57c59929a37745fa8ba5f3e0b25cb -Author: raja-grewal -Date: Thu Jul 7 09:28:30 2022 +0000 - - Update README.md - -commit f0511635a9725f79863c41a7b8d9f8a077ba8788 -Author: raja-grewal -Date: Thu Jul 7 09:27:53 2022 +0000 - - replace /bin/false -> /bin/true - -commit 18d67dbc5309a2403bece92881e671f46dc27f86 -Author: raja-grewal -Date: Thu Jul 7 09:26:55 2022 +0000 - - Blacklist more modules - -commit 1b287a6430527c762f9bf909bcda58ab52041668 -Author: Patrick Schleizer -Date: Tue Jul 5 11:16:33 2022 -0400 - - bumped changelog version - -commit 92ff868ecefed4377c5f1e99eb5e5eecbb021564 -Author: Patrick Schleizer -Date: Tue Jul 5 11:05:36 2022 -0400 - - readme - -commit b8ba6085357631fb1f346a613d7e354aaf780560 -Author: Patrick Schleizer -Date: Tue Jul 5 10:57:28 2022 -0400 - - readme - -commit 949edf3e1753fcd403015c2d0dc8f3503a7f62d2 -Author: Patrick Schleizer -Date: Tue Jul 5 10:48:58 2022 -0400 - - readme - -commit 1c0e0719483c68ce04b5c14159ad09a87c386deb -Author: Patrick Schleizer -Date: Tue Jul 5 10:45:55 2022 -0400 - - comments - -commit 5d47f5f74cc9f5e186de8db5305a44029ebbb362 -Author: Patrick Schleizer -Date: Tue Jul 5 10:45:09 2022 -0400 - - comments - -commit 435c689cf9ee9e94dec42ab3c45bc02beb8f9c40 -Author: Patrick Schleizer -Date: Tue Jul 5 10:44:28 2022 -0400 - - comments - -commit c20d588d7871bce1b8a02d46e6f658844a014572 -Author: Patrick Schleizer -Date: Tue Jul 5 10:42:37 2022 -0400 - - comments - -commit 8f03ce049a1f48bb088cf92f4f39cceb2e3a5ae6 -Author: Patrick Schleizer -Date: Tue Jul 5 10:41:55 2022 -0400 - - readme - -commit b342ce930ea14a365ba23f37642cc9c098470362 -Author: Patrick Schleizer -Date: Tue Jul 5 10:28:22 2022 -0400 - - add `/etc/default/grub.d/40_cold_boot_attack_defense.cfg` - -commit e5f8004a9401727f1be2db492ea756bc19090866 -Author: Krish-sysadmin -Date: Tue Jul 5 03:37:40 2022 +0200 - - Update hide-hardware-info - -commit 69af8be7b80dcc30e3a5d1b0a1d1aa198528b876 -Author: Patrick Schleizer -Date: Sat Jul 2 19:10:55 2022 -0400 - - drop_caches before and after sdmem - -commit 67bdd58bf2a8090a29e35b85fb4a25d42a8f8a1a -Author: Patrick Schleizer -Date: Sat Jul 2 19:07:06 2022 -0400 - - sync - -commit 01b82bf0f0b96b3e08e272b8b2e69c1b3f0dcc16 -Author: Patrick Schleizer -Date: Sat Jul 2 18:30:06 2022 -0400 - - bumped changelog version - -commit 973f117aa6a7418ea29125753f6c6b6f7e7986a4 -Author: Patrick Schleizer -Date: Sat Jul 2 18:12:36 2022 -0400 - - wipe RAM at shutdown: Ensure any remaining disk cache is erased by Linux' memory poisoning - - by running: - `echo 3 > /proc/sys/vm/drop_caches` - - Inspired by Tails: - https://gitlab.tails.boum.org/tails/tails/-/blob/master/config/chroot_local-includes/usr/local/lib/initramfs-pre-shutdown-hook - -commit e783ddc71e5e528051e1bd0fda3f60decc0af9bf -Author: Patrick Schleizer -Date: Sat Jul 2 17:37:16 2022 -0400 - - bumped changelog version - -commit 95187bd357e6f2f855afbf546da42c6229a8394e -Author: Patrick Schleizer -Date: Sat Jul 2 17:21:33 2022 -0400 - - fix - -commit 3bd87d019fb08644578d2ee73d2ac7185687f115 -Author: Patrick Schleizer -Date: Sat Jul 2 16:03:52 2022 -0400 - - bumped changelog version - -commit 148a050468658c254b67de2de61cad3e147e2178 -Author: Patrick Schleizer -Date: Sat Jul 2 16:03:45 2022 -0400 - - fix - -commit 82e7863d5b1efff2c558204bfdf04812af10660b -Author: Patrick Schleizer -Date: Sat Jul 2 16:02:28 2022 -0400 - - improvement - -commit aebca1b3dce026bbccefa38381e62f30904e5a6d -Author: Patrick Schleizer -Date: Sat Jul 2 15:52:08 2022 -0400 - - bumped changelog version - -commit 1144b39e5efcb318ad92413f623b6f039fd7a5fa -Author: Patrick Schleizer -Date: Sat Jul 2 15:50:59 2022 -0400 - - debugging - -commit c29b21c08a839d8dafe2c9654a58f2b178055935 -Author: Patrick Schleizer -Date: Sat Jul 2 15:45:19 2022 -0400 - - output - -commit ed8ce9a7d0869d62eecea7ffc59c176bec061d08 -Author: Patrick Schleizer -Date: Sat Jul 2 15:32:51 2022 -0400 - - bumped changelog version - -commit d34fe21963442c6025b56209d0ba10479cde09a6 -Author: Patrick Schleizer -Date: Sat Jul 2 15:32:42 2022 -0400 - - fix - -commit 7a448e01a1f2be432c763678742301b64739b920 -Author: Patrick Schleizer -Date: Sat Jul 2 14:27:04 2022 -0400 - - bumped changelog version - -commit 32fdcf522be994e693f39c347ab1063ccd94255b -Author: Patrick Schleizer -Date: Thu Jun 30 14:47:45 2022 -0400 - - - introduce `wiperam=skip` kernel parameter to skip wipe ram - - introduce `wiperam=force` kernel parameter to force wipe ram inside VMs - -commit 036f518ddc067461979f5b61a576b7f74b7c6e65 -Author: Patrick Schleizer -Date: Thu Jun 30 13:56:29 2022 -0400 - - improvement - -commit 0e2fae2b693d6c45344cfdf592bac0adf3338d58 -Author: Patrick Schleizer -Date: Thu Jun 30 13:50:18 2022 -0400 - - skip ram wipe inside VMs - - https://forums.whonix.org/t/is-ram-wipe-possible-inside-whonix-cold-boot-attack-defense/5596/40 - -commit e06405c7be683450e6c6f737171b4f10513254e7 -Author: Patrick Schleizer -Date: Wed Jun 29 16:56:16 2022 -0400 - - undo - -commit 1b97d9cb766b00914769e5add699a8bdbcf1e7aa -Author: Patrick Schleizer -Date: Wed Jun 29 16:30:31 2022 -0400 - - fix - -commit 26be74bfe5c51a8ae41bb736847d3e93e7ae27d7 -Author: Patrick Schleizer -Date: Wed Jun 29 16:25:07 2022 -0400 - - bumped changelog version - -commit 92c543e71ff5386f4458102e1795132399292328 -Author: Patrick Schleizer -Date: Wed Jun 29 16:24:52 2022 -0400 - - output - -commit d4161b2748665ca3b67e5ced5ae576acb93cda46 -Author: Patrick Schleizer -Date: Wed Jun 29 16:23:42 2022 -0400 - - output - -commit 1ce7b27297bce446fb5726eba1cbb0cd3746fa85 -Author: Patrick Schleizer -Date: Wed Jun 29 16:23:12 2022 -0400 - - improvement - -commit aae4fdcffd0e3ed168975bc84db149843ffdfe47 -Author: Patrick Schleizer -Date: Wed Jun 29 16:06:33 2022 -0400 - - bumped changelog version - -commit 8b584c570af5d9ada8083af9bd80f3f992e3dceb -Author: Patrick Schleizer -Date: Wed Jun 29 16:06:22 2022 -0400 - - lintian - -commit a1f752ad00563b61a62a2dd33058365f1b6027de -Author: Patrick Schleizer -Date: Wed Jun 29 16:03:58 2022 -0400 - - bumped changelog version - -commit f5e0c1742abc009b1af95f0d106a5e1cd90d1ef4 -Author: Patrick Schleizer -Date: Wed Jun 29 16:02:05 2022 -0400 - - credits - -commit 42e24f3c241471d91af6f16b74b5bf85dfad85d7 -Author: Patrick Schleizer -Date: Wed Jun 29 15:54:49 2022 -0400 - - update file names - -commit 52aaac9b6d3a9611317e919d78840554bfce9778 -Author: Patrick Schleizer -Date: Wed Jun 29 15:53:52 2022 -0400 - - rename - -commit 619bb3cf4d347c1575c58c74adbbede94d60f79b -Author: Patrick Schleizer -Date: Wed Jun 29 15:53:24 2022 -0400 - - rename - -commit 2a8504cf1bd2a4d7e373bde3f34f6f22e3d5ebc4 -Author: Patrick Schleizer -Date: Wed Jun 29 15:51:14 2022 -0400 - - move - -commit af8b211c238f6fe83db5990dc0984d1c532456ae -Author: Patrick Schleizer -Date: Wed Jun 29 15:50:20 2022 -0400 - - improvements - -commit 0b0cda8f8f2ff1da256473115df37456273cdcdd -Author: Patrick Schleizer -Date: Wed Jun 29 15:24:40 2022 -0400 - - bumped changelog version - -commit e9cd5d934b04f7d06a14616ef52a914198f03b97 -Author: Patrick Schleizer -Date: Wed Jun 29 15:24:27 2022 -0400 - - copyright - -commit 1c51d156494e743c7ad89f76510209a97eef5e45 -Author: Patrick Schleizer -Date: Wed Jun 29 15:23:53 2022 -0400 - - lintian - -commit 4b0cd53fee691f68dd6292869b6f6870bc0b6cbe -Author: Patrick Schleizer -Date: Wed Jun 29 15:22:41 2022 -0400 - - bumped changelog version - -commit 9ab81d45810b71374520603c32812e22685f59cb -Author: Patrick Schleizer -Date: Wed Jun 29 15:22:00 2022 -0400 - - do not power off too fast so wipe ram messages can be read - -commit 19439033de840ed39039f04db7b13f6e168a627e -Author: Patrick Schleizer -Date: Wed Jun 29 15:19:56 2022 -0400 - - copyright - -commit fc202ede16ee41aceeec356ba35ba71cc7fc821d -Author: Patrick Schleizer -Date: Wed Jun 29 15:18:28 2022 -0400 - - delete no longer required `usr/lib/dracut/modules.d/40sdmem-security-misc/README.md` - -commit 6d3a08a9365207923edd2f0b6f8aebdc635d3b33 -Author: Patrick Schleizer -Date: Wed Jun 29 15:17:40 2022 -0400 - - improvements - -commit 87e5f49f8dc72f14e96cc06b924566668991037f -Author: Patrick Schleizer -Date: Wed Jun 29 14:18:02 2022 -0400 - - bumped changelog version - -commit 6eba53767f3af2436fd00b807e71a94dff813dfc -Author: Patrick Schleizer -Date: Wed Jun 29 14:17:52 2022 -0400 - - lintian - -commit 81c15e88afd11d3359ae748d5c43e7bcc8b9a855 -Author: Patrick Schleizer -Date: Wed Jun 29 14:15:48 2022 -0400 - - bumped changelog version - -commit 8a072437cc6478757a8f21f3a6a0ea51a97b978b -Author: Patrick Schleizer -Date: Wed Jun 29 14:13:30 2022 -0400 - - ram wipe on shutdown: fix, added `need_shutdown` hook - - Otherwise dracut does not run on shutdown. - - Without `need_shutdown` file `/run/initramfs/.need_shutdown` does not get created. - And without that file `/usr/lib/dracut/dracut-initramfs-restore`, - which itself is started by `/lib/systemd/system/dracut-shutdown.service` does nothing. - -commit 4d937f551f6cccf40f933576a7fa210066f1fc8a -Author: Patrick Schleizer -Date: Wed Jun 29 13:03:35 2022 -0400 - - bumped changelog version - -commit 924077e04cd0d5b06a410b2a9289047286500e8a -Author: Patrick Schleizer -Date: Wed Jun 29 13:02:53 2022 -0400 - - verbose - -commit db301dfd7feb07799a00871f0e1f8fdccef0b777 -Author: Patrick Schleizer -Date: Wed Jun 29 13:02:39 2022 -0400 - - comment - -commit 73d2ada0deb98064979ea1feedb01c6312c4b4d5 -Author: Patrick Schleizer -Date: Wed Jun 29 13:02:01 2022 -0400 - - comment - -commit 67eaf8c9167da545189390b6f0f58b0b5b20976c -Author: Patrick Schleizer -Date: Wed Jun 29 11:40:38 2022 -0400 - - comments - -commit 72908d6b0dd65d6c9691977047b2bfdaa16ba147 -Author: Patrick Schleizer -Date: Wed Jun 29 11:34:55 2022 -0400 - - comments - -commit 43ea4dbb8363c511270fd704b138633da9ad088a -Author: Patrick Schleizer -Date: Wed Jun 29 11:18:59 2022 -0400 - - bumped changelog version - -commit 295811a88f9505687447ebf605fa108bc795da46 -Author: Patrick Schleizer -Date: Wed Jun 29 11:14:52 2022 -0400 - - improvements - -commit e5d85d69efefdfcee63c8c7d4ced1ed1bf1aeee7 -Author: Patrick Schleizer -Date: Wed Jun 29 10:02:18 2022 -0400 - - bumped changelog version - -commit af8ff65f8404ac1d423ad3c28342d8fe7bc3a018 -Author: Patrick Schleizer -Date: Wed Jun 29 10:01:51 2022 -0400 - - comment - -commit cfae7de6a842b77e50f9e6f5cb1eed0eac63ff2f -Author: Patrick Schleizer -Date: Wed Jun 29 09:58:37 2022 -0400 - - lintian - -commit 83519a58c7c1eccee7544fbc3ec0cf67bda976a7 -Author: Patrick Schleizer -Date: Wed Jun 29 09:54:27 2022 -0400 - - bumped changelog version - -commit 024d52a67ebb6028d5df890e469fec5dc42be00a -Author: Patrick Schleizer -Date: Wed Jun 29 09:52:53 2022 -0400 - - improve usr/lib/dracut/modules.d/40sdmem-security-misc/module-setup.sh - -commit 29253004b6be7c7d2b3fce6cceff2df3e845f15a -Author: Patrick Schleizer -Date: Wed Jun 29 09:38:18 2022 -0400 - - minor - -commit 6f19af1542d3b6d2d6af89136ce909f7f7335ff1 -Author: Patrick Schleizer -Date: Wed Jun 29 09:35:08 2022 -0400 - - add shebang /bin/sh - - to fix lintian warning - security-misc: executable-not-elf-or-script usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh - -commit 38cdf2722bc0aa224e1ec253e77728d4e00b9be0 -Author: Patrick Schleizer -Date: Wed Jun 29 09:32:55 2022 -0400 - - - Wipe LUKS Disk Encryption Key for Root Disk from RAM during Shutdown to defeat Cold Boot Attacks - - Confirm in console output if encrypted mounts (root disk) is unmounted. (Because that is a pre-condition for wiping the LUKS full disk encryption key from RAM.) - - Thanks to @friedy10! - - https://github.com/friedy10/dracut/tree/master/modules.d/40sdmem - - https://forums.whonix.org/t/is-ram-wipe-possible-inside-whonix-cold-boot-attack-defense/5596 - -commit adca1ebdf6c83c5c1c846cdb29f3e16ea9cdf32f -Author: Patrick Schleizer -Date: Wed Jun 8 11:05:07 2022 -0400 - - bumped changelog version - -commit d7dd188651a5227be6b1d95e7ae9a97e0cbb34f0 -Author: Patrick Schleizer -Date: Wed Jun 8 09:27:02 2022 -0400 - - remove unicode - -commit 55d16e1602c0221dbe00996a206d0691ef93ae71 -Author: Patrick Schleizer -Date: Wed Jun 8 09:04:03 2022 -0400 - - remove unicode - -commit fcaec49675ce7e240bdd049aab184fbee0945c7d -Merge: 5c43197 995e4ba -Author: Patrick Schleizer -Date: Wed Jun 8 08:20:24 2022 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 995e4ba7fafc1bf4f691b83dde415c57cebed63d -Merge: 616fe85 6e8f584 -Author: Patrick Schleizer -Date: Wed Jun 8 08:19:03 2022 -0400 - - Merge pull request #104 from ntninja/patch-1 - - Fix issues found with permission-hardening on my system - -commit 5c43197f10df3a49704a66ef3e3d56f122be4775 -Author: Patrick Schleizer -Date: Wed Jun 8 08:11:28 2022 -0400 - - minor - -commit 6e8f584d88333d3a6fec1318ba92f76e328bf7ce -Author: Kuri Schlarb <246386+ntninja@users.noreply.github.com> -Date: Wed Jun 8 05:29:42 2022 +0000 - - permission-hardening: Keep `pam_unix.so` password checking helper SetGID shadow - -commit 2bdda9d0a0a289dafb260c926d29df274c9a67da -Author: Kuri Schlarb <246386+ntninja@users.noreply.github.com> -Date: Tue Jun 7 08:18:05 2022 +0000 - - permssion-hardening: Do not skip config file lines without trailing newline (ancient bash bug) - -commit 3910e4ee159d8b5f80c5086915583e4e20ecd6fe -Author: Kuri Schlarb <246386+ntninja@users.noreply.github.com> -Date: Tue Jun 7 08:11:51 2022 +0000 - - permission-hardening: Keep `passwd` executable but non-SetUID - -commit 9fd8e1c9b0250c9e00b555838bd381f162dfd8c4 -Author: Kuri Schlarb <246386+ntninja@users.noreply.github.com> -Date: Tue Jun 7 08:03:56 2022 +0000 - - permission-hardening: Fix issue with pipelining failures causing incorrect user/group lookup results - -commit 616fe857f7a5cde1f4ad0d31e03876dcd2ab7f0f -Author: Patrick Schleizer -Date: Wed May 25 06:07:17 2022 -0400 - - bumped changelog version - -commit 7e2efe0155b97955428e64181c9a6b32402ee9db -Author: Patrick Schleizer -Date: Fri May 20 15:27:10 2022 -0400 - - readme - -commit 2d37e3a1af3739eedd9191a0f0c78a2762c5fa38 -Author: Patrick Schleizer -Date: Fri May 20 14:46:38 2022 -0400 - - copyright - -commit 78a9956b73498bad471ee1cb0fa0993f2e5ce3c0 -Merge: 4a3ed17 7651308 -Author: Patrick Schleizer -Date: Thu May 19 19:41:33 2022 -0400 - - Merge remote-tracking branch 'github-kicksecure/master' - -commit 76513087872943442df32451de5af158c2bbe944 -Merge: 4a3ed17 93efa50 -Author: Patrick Schleizer -Date: Thu May 19 19:39:42 2022 -0400 - - Merge pull request #103 from 0xC0ncord/bugfix/selinuxfs_restrictions - - hide-hardware-info: re-enable restrictions on sysfs when using SELinux - -commit 4a3ed17160c14ba7122d770665b53bde96038307 -Author: Patrick Schleizer -Date: Thu May 19 17:25:58 2022 -0400 - - readme - -commit bb0307290b59d0273f9ad585e881c91071e3edea -Author: Patrick Schleizer -Date: Sat Apr 16 14:18:35 2022 -0400 - - update link - -commit 2677db34baeb120a402b684d4a62ccf616b5528c -Author: Patrick Schleizer -Date: Sun Apr 10 12:40:16 2022 -0400 - - readme - -commit 93efa506dac6135f1a5c260ec95d985e7fedc53d -Author: 0xC0ncord -Date: Thu Mar 17 11:41:57 2022 -0400 - - hide-hardware-info: disable selinux whitelist by default - -commit 0051a6935acd2f452a9189d1581ccac7377dd23d -Author: Patrick Schleizer -Date: Thu Feb 10 14:06:54 2022 -0500 - - bumped changelog version - -commit b0a0004a85387a4f7520a688f6d2a9826d8e68fb -Author: Patrick Schleizer -Date: Thu Feb 10 13:47:10 2022 -0500 - - output - -commit 4f6f588fb53d2756d867ac7e29fb42f4f8fdb335 -Author: Patrick Schleizer -Date: Thu Feb 10 13:44:55 2022 -0500 - - fix, skip deletion of system.map files on read-only filesystems - - This is required for Qubes /lib/modules read-only implementation at time of writing. - - Thanks to @marmarek for the bug report! - - https://forums.whonix.org/t/remove-system-map-cannot-work-lib-modules-is-mounted-read-only/13324 - -commit 356232677a036cd1a673d805caa4d74a327ea096 -Author: Patrick Schleizer -Date: Tue Nov 9 14:32:33 2021 -0500 - - readme - -commit 4172232eb75aaca301e51529e49df76ca86b93b3 -Author: 0xC0ncord -Date: Fri Oct 8 22:17:12 2021 -0400 - - hide-hardware-info: make indentation consistent - -commit 060d7d890a0292addaa1e85bb1b2ff7eece23378 -Author: 0xC0ncord -Date: Fri Oct 8 22:11:58 2021 -0400 - - hide-hardware-info: re-enable restrictions on sysfs when using SELinux - - When using SELinux, restrict the parts of sysfs explicitly to ensure - restrictions are working as expected. - -commit 96026a5e90a56cade2dff5f3dfc3687687e92c56 -Author: Patrick Schleizer -Date: Tue Sep 14 14:18:52 2021 -0400 - - bumped changelog version - -commit c72567dbd215fcd60c4719fe1ebc9a0f350a2b97 -Author: Patrick Schleizer -Date: Tue Sep 14 14:18:44 2021 -0400 - - fix - -commit 03276fbec502df9e9fc228a0c05f3c85fd1483af -Author: Patrick Schleizer -Date: Sun Sep 12 11:57:20 2021 -0400 - - bumped changelog version - -commit d62bbaab82a33a485a82d42d8db5674d200a1c3d -Author: Patrick Schleizer -Date: Sun Sep 12 11:40:58 2021 -0400 - - fix, unduplicate kernel command line - -commit fb0540650c26689165b2fd0558b87ef7c3154a6e -Author: Patrick Schleizer -Date: Sat Sep 11 16:33:14 2021 -0400 - - readme - -commit 64e9f0016aa5804740a099890a5ef648dde07883 -Author: Patrick Schleizer -Date: Thu Sep 9 12:35:37 2021 -0400 - - bumped changelog version - -commit bd31b4085c853d8b182e3a13534827a695f5493a -Author: Patrick Schleizer -Date: Thu Sep 9 12:16:18 2021 -0400 - - remove Debian buster support in /etc/default/grub.d - -commit d16d9a545502af1ec25a165a27bdbc1033b97d59 -Author: Patrick Schleizer -Date: Mon Sep 6 09:46:20 2021 -0400 - - bumped changelog version - -commit ac0c492663b9d90f99e5969193b35b53d4175d1d -Author: Patrick Schleizer -Date: Mon Sep 6 08:22:55 2021 -0400 - - do not set kernel parameter `quiet loglevel=0` for recovery boot option - - for easier debugging - -commit 49902b8c56512c3ee8b3d16b0ca513e44349c66d -Author: Patrick Schleizer -Date: Mon Sep 6 08:19:41 2021 -0400 - - move grub quiet to separate config file /etc/default/grub.d/41_quiet.cfg - -commit bb3a3178f17d1b882f38ba18db7835833f758805 -Author: Patrick Schleizer -Date: Mon Sep 6 04:55:23 2021 -0400 - - bumped changelog version - -commit f5b0e4b5b856ba6fa0dea7fa18c38221d972e8a3 -Author: Patrick Schleizer -Date: Mon Sep 6 04:55:16 2021 -0400 - - debugging - -commit a67d1754d459a221930cb92754b51bec348f8035 -Author: Patrick Schleizer -Date: Sun Sep 5 16:04:28 2021 -0400 - - bumped changelog version - -commit 6257bfa926f960b3b772dd528fe6004f81d990ea -Author: Patrick Schleizer -Date: Sun Sep 5 15:54:20 2021 -0400 - - debugging - -commit 1b09d5671829c51bd17f44410d4122b6de7aa6e9 -Author: Patrick Schleizer -Date: Sat Sep 4 18:29:00 2021 -0400 - - bumped changelog version - -commit a4e18a2ae8c19a664bb1be5bc4ec43f10a876969 -Author: Patrick Schleizer -Date: Sat Sep 4 18:28:37 2021 -0400 - - `dracut` `reproducible=yes` - -commit 1a10293b0408a4197620ce78cffb62cb8c00908c -Author: Patrick Schleizer -Date: Sat Sep 4 12:00:55 2021 -0400 - - bumped changelog version - -commit e2810f348b413bb307449a911c12a46924686a9f -Author: Patrick Schleizer -Date: Sat Sep 4 11:50:31 2021 -0400 - - Depends: libpam-modules-bin - -commit 3c64ec8f917ed1237454d1526647a84bf00c9e83 -Author: Patrick Schleizer -Date: Thu Sep 2 14:36:53 2021 -0400 - - bumped changelog version - -commit be8c10496f26d33378deb2427e56892771456ee5 -Author: Patrick Schleizer -Date: Wed Sep 1 15:55:53 2021 -0400 - - fix faillock implementation - - dovecot / ssh are exempted - -commit 8b104f544a9e4e8da1691659fefa4999a4f6f085 -Author: Patrick Schleizer -Date: Wed Sep 1 15:45:36 2021 -0400 - - fix, add sshd to pam_service_exclusion_list - - to avoid faillock - -commit 224ae730c13f4add672fffaf58206eeb7ae24090 -Author: Patrick Schleizer -Date: Sun Aug 22 05:32:18 2021 -0400 - - bumped changelog version - -commit db43cedcfdf918556ae3989209a4d984527a6416 -Author: Patrick Schleizer -Date: Sun Aug 22 05:23:24 2021 -0400 - - LANG=C str_replace - -commit ef2b067c0385dbae7b16bc79a10582995d8ba5fe -Author: Patrick Schleizer -Date: Tue Aug 17 15:24:12 2021 -0400 - - bumped changelog version - -commit 08adf4a07d97940ef924f53863ec4aa62f88fb04 -Author: Patrick Schleizer -Date: Tue Aug 17 15:23:49 2021 -0400 - - readme - -commit 7d73b3ffa0bf13ba78debfb7f099758b0d0fbef3 -Author: Patrick Schleizer -Date: Tue Aug 17 15:21:26 2021 -0400 - - add hardened malloc compatibility for haveged workaround - - `/lib/systemd/system/haveged.service.d/30_security-misc.conf` - - `SystemCallFilter=getrandom` - - Otherwise haveged will exit with a core dump. - -commit 8676beef90040bdf0782e0a9c683c6463ddb48b5 -Author: Patrick Schleizer -Date: Tue Aug 10 18:26:32 2021 -0400 - - bumped changelog version - -commit 582492d6d8c5f756be4d809898707cb196c5c765 -Author: Patrick Schleizer -Date: Tue Aug 10 17:13:00 2021 -0400 - - port from pam_tally2 to pam_faillock - - since pam_tally2 was deprecated upstream - -commit 2bf0e7471cbd3b813ce385d994e43e48636f7a0b -Author: Patrick Schleizer -Date: Tue Aug 10 15:11:01 2021 -0400 - - port from pam_tally2 to pam_faillock - - since pam_tally2 was deprecated upstream - -commit 2aea74bd715d865f44f91aaab6ca1bf0a00a2b0b -Author: Patrick Schleizer -Date: Tue Aug 10 15:06:04 2021 -0400 - - renamed: usr/libexec/security-misc/pam_tally2-info -> usr/libexec/security-misc/pam-info - renamed: usr/libexec/security-misc/pam_tally2_not_if_x -> usr/libexec/security-misc/pam_faillock_not_if_x - renamed: usr/share/pam-configs/tally2-security-misc -> usr/share/pam-configs/faillock-security-misc - -commit 6376bbff801f79dbb154611c3ad330b4cd863f69 -Author: Patrick Schleizer -Date: Thu Aug 5 17:03:43 2021 -0400 - - bumped changelog version - -commit 3756016f42d97c6bf32c9bf5fed02904a63f4a5c -Author: Patrick Schleizer -Date: Tue Aug 3 13:04:34 2021 -0400 - - `lintian --suppress-tags obsolete-command-in-modprobe.d-file` - - https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/24 - -commit 50bdd097df4c87cd4507311df9c0b14d237c534b -Author: Patrick Schleizer -Date: Tue Aug 3 12:56:31 2021 -0400 - - move /usr/lib/security-misc to /usr/libexec/security-misc as per lintian FHS - -commit 4fadaad8c0a79df5996372c05db635d500e41fee -Author: Patrick Schleizer -Date: Tue Aug 3 12:52:10 2021 -0400 - - lintian FHS - -commit 6607c1e4bd085ee952952e6db17714326df4b7f6 -Author: Patrick Schleizer -Date: Tue Aug 3 12:48:57 2021 -0400 - - move /usr/lib/helper-scripts and /usr/lib/curl-scripts to /usr/libexec/helper-scripts as per lintian FHS - -commit 0492f28aa10dc93063ff3b46107fa705c5ee0d7e -Author: Patrick Schleizer -Date: Tue Aug 3 12:37:39 2021 -0400 - - enable "`apt-get --error-on=any`" by default - - makes apt exit non-zero for transient failures - - `/etc/apt/apt.conf.d/40error-on-any` - - https://forums.whonix.org/t/debian-bullseye-apt-get-error-on-any/12068 - -commit 240ec7672a4d513e7e6cca280aca3d67c265d1cc -Author: Patrick Schleizer -Date: Tue Aug 3 12:19:26 2021 -0400 - - replace no longer required `/usr/lib/security-misc/apt-get-wrapper` with `apt-get --error-on=any` - -commit 8eae6356684052415f8bc494db077e033653d971 -Author: Patrick Schleizer -Date: Tue Aug 3 11:51:31 2021 -0400 - - update lintian tag name - -commit 5e3338f8d3ff799a2da4257e24b57bd55541187f -Author: Patrick Schleizer -Date: Tue Aug 3 05:48:25 2021 -0400 - - bullseye - -commit bb3e65f7a80770238bda3733bed89c15a9c76852 -Author: Patrick Schleizer -Date: Tue Aug 3 03:25:35 2021 -0400 - - bullseye - -commit c94281121e20289b718f24c13e399e5e8cac0ebd -Author: Patrick Schleizer -Date: Sun Aug 1 16:37:02 2021 -0400 - - comment - -commit 3599e8e2dabf13ad76901a9c282469f23d4d1308 -Author: Patrick Schleizer -Date: Sun Aug 1 16:24:41 2021 -0400 - - readme - -commit 82f3961a7165cc1e778be785950f1a255af43b4f -Author: Patrick Schleizer -Date: Sun Aug 1 13:12:08 2021 -0400 - - bumped changelog version - -commit 5a65c35479f267b026c03e195658ef9d98ee519c -Author: Patrick Schleizer -Date: Sun Aug 1 13:11:18 2021 -0400 - - port LKRG compatibility settings automation for VirtualBox hosts from systemd to dpkg trigger - -commit f03c7978c7c12eb0efed1d9298f52149a8149cb3 -Author: Patrick Schleizer -Date: Sun Jul 25 11:31:45 2021 -0400 - - bumped changelog version - -commit b3e34f7f43346c123d20e9a1606b1023b535f669 -Author: Patrick Schleizer -Date: Sun Jul 25 11:27:07 2021 -0400 - - comment - -commit 7e128636b3a4ea7fe5dfa12018685ab7b5dda706 -Author: Patrick Schleizer -Date: Sun Jul 25 11:26:20 2021 -0400 - - improve LKRG VirtualBox host configuration - - as per https://github.com/openwall/lkrg/issues/82#issuecomment-886188999 - -commit 3ebe9e7c530b39f1b0429a97eab2627f2bbd1635 -Author: Patrick Schleizer -Date: Sat Jul 24 18:10:06 2021 -0400 - - bumped changelog version - -commit 257cef24baa038b21ef511e9d95c4229a5e16f68 -Author: Patrick Schleizer -Date: Sat Jul 24 18:03:40 2021 -0400 - - add LKRG compatibility settings automation for VirtualBox hosts - - https://github.com/openwall/lkrg/issues/82 - -commit 0f86ffef04e533be1c88584b6419c276d176fc05 -Author: Patrick Schleizer -Date: Wed Jun 23 11:20:39 2021 -0400 - - bumped changelog version - -commit 74e39cbf690dae2bf72bd9f152ea91c364f5feff -Author: Patrick Schleizer -Date: Sun Jun 20 11:18:56 2021 -0400 - - pam-abort-on-locked-password: more descriptive error handling - - https://forums.whonix.org/t/restrict-root-access/7658/1 - -commit 0f3dbfc4a1fb08b5542e265dfbeab4e7f401549d -Author: Patrick Schleizer -Date: Sun Jun 20 10:16:57 2021 -0400 - - bumped changelog version - -commit eff5af03184f52181894884b90a8d867a1f10956 -Author: Patrick Schleizer -Date: Sun Jun 20 10:16:33 2021 -0400 - - https://forums.whonix.org/t/restrict-root-access/7658/116 - -commit 419f1d89c25ca833ac63f2e174beeb9afb0cce00 -Author: Patrick Schleizer -Date: Mon Jun 7 12:13:37 2021 -0400 - - bumped changelog version - -commit 30d1ce36af7835d47e0b53af475f3a7e99617b77 -Merge: 0305baf 70a1eb2 -Author: Patrick Schleizer -Date: Mon Jun 7 12:11:58 2021 -0400 - - Merge remote-tracking branch 'github-whonix/master' - -commit 70a1eb25a5976e0461056ff2c56bd82ab5df6c2c -Merge: 0305baf 97d8db3 -Author: Patrick Schleizer -Date: Sat Jun 5 15:55:41 2021 -0400 - - Merge pull request #101 from madaidan/sudo - - Restrict sudo's file permissions - -commit 97d8db3f74b9fc00c8f4416cb72966e62c7de88e -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Sat Jun 5 19:16:42 2021 +0000 - - Restrict sudo's file permissions - -commit 0305baf21173f0ee292986200f1242ca0395c74d -Author: Patrick Schleizer -Date: Tue Jun 1 07:36:59 2021 -0400 - - bumped changelog version - -commit d87bee37f788fb7605626cd4a8d61ed9e6fee252 -Author: Patrick Schleizer -Date: Tue Jun 1 07:21:18 2021 -0400 - - comment - -commit 809930c0212aa41d60b1a498bd4ce85f06668bae -Author: Patrick Schleizer -Date: Tue Jun 1 05:36:01 2021 -0400 - - comment - -commit 5bd59991cbf72ba9ebd8feadd4da397bbcd9d469 -Author: Patrick Schleizer -Date: Wed May 5 08:37:56 2021 -0400 - - bumped changelog version - -commit 6e759f9196412b1742db1e4c68a70867e1ad8629 -Author: Patrick Schleizer -Date: Thu Apr 29 11:17:30 2021 -0400 - - config-package-dev displace /etc/dkms/framework.conf - - https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/58 - -commit e2afd00627b097f75467cd0e2fe7e15977141026 -Author: Patrick Schleizer -Date: Thu Apr 29 11:14:30 2021 -0400 - - modify DKMS configuration file `/etc/dkms/framework.conf` - - Lower parallel compilation jobs to 1 if less than 2 GB RAM to avoid freezing of virtual machines. - - `parallel_jobs=1` - - This does not necessarily belong into security-misc, however likely - security-misc will need to modify `/etc/dkms/framework.conf` in the future to - enable kernel module signing. - - https://forums.whonix.org/t/linux-kernel-runtime-guard-lkrg-linux-kernel-runtime-integrity-checking-and-exploit-detection/8477/26 - - https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/58 - -commit 3ba3b371873d221db6845fb0fe52191b8b349b0a -Author: Patrick Schleizer -Date: Thu Apr 29 11:08:30 2021 -0400 - - add `/etc/dkms/framework.conf.security-misc` - - original, from - - https://github.com/dell/dkms/blob/master/dkms_framework.conf - - https://raw.githubusercontent.com/dell/dkms/master/dkms_framework.conf - - https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/58 - -commit 1d35bdf2912d1dfd0b49ce727338f86d17decd72 -Author: Patrick Schleizer -Date: Mon Apr 5 11:58:47 2021 -0400 - - bumped changelog version - -commit 41734ec523eb3cd233fe4651b9807222c8ccb1d5 -Author: Patrick Schleizer -Date: Sat Apr 3 11:44:13 2021 -0400 - - systemd RemainAfterExit=yes - - for better usability - - https://forums.whonix.org/t/restrict-hardware-information-to-root-testers-wanted/8618/33 - -commit e8ea94325b1df7bc0c47eabdfbd7c24b2fe51539 -Author: Patrick Schleizer -Date: Wed Mar 17 12:31:34 2021 -0400 - - bumped changelog version - -commit a67007f4b7b7763a0b131acb246cfe84ac65540f -Author: Patrick Schleizer -Date: Wed Mar 17 09:45:21 2021 -0400 - - copyright - -commit 0c4a7207e46933a504badfb9c1ce26a9ef82d370 -Author: Patrick Schleizer -Date: Thu Mar 4 07:09:01 2021 -0500 - - bumped changelog version - -commit a1819e8cabc45ea197da7e3a4a94ffbab1376423 -Author: Patrick Schleizer -Date: Mon Mar 1 09:15:44 2021 -0500 - - comment - -commit 3382192b89de3891d45261f138652bdb48c5674b -Merge: 7f30d70 2e8e3c0 -Author: Patrick Schleizer -Date: Mon Mar 1 09:12:18 2021 -0500 - - Merge remote-tracking branch 'github/master' - -commit 2e8e3c07c4dda7f8500237dfa7a1d2bc7aecef5d -Merge: 7f30d70 4db7d6b -Author: Patrick Schleizer -Date: Mon Mar 1 14:11:28 2021 +0000 - - Merge pull request #100 from 0xC0ncord/bugfix/selinuxfs_restrictions - - hide-hardware-info: allow unrestricting selinuxfs - -commit 7f30d702953b2e46255e3e8e71ee47af3f5a5725 -Author: Patrick Schleizer -Date: Sat Feb 6 06:31:45 2021 -0500 - - bumped changelog version - -commit 83c0be5177929b67e3c9eba18c02904498d378cb -Author: Patrick Schleizer -Date: Sat Feb 6 06:27:54 2021 -0500 - - readme - -commit 4db7d6be643f9e7c9c3b81d3945b8d2c3e4c5269 -Author: Kenton Groombridge -Date: Sat Feb 6 03:02:08 2021 -0500 - - hide-hardware-info: allow unrestricting selinuxfs - - On SELinux systems, the /sys/fs/selinux directory must be visible to - userspace utilities in order to function properly. - -commit 3120ff3ec98edecdc2855261d3ba26cad8803c74 -Author: Patrick Schleizer -Date: Fri Jan 29 23:37:03 2021 -0500 - - bumped changelog version - -commit af3244741dba7425148378aacf853e82deddee1f -Author: Patrick Schleizer -Date: Fri Jan 29 23:15:52 2021 -0500 - - comment - -commit d9aaf5910553b04b965ea729476b586d72043aea -Author: Patrick Schleizer -Date: Thu Jan 28 02:15:46 2021 -0500 - - bumped changelog version - -commit b0b7f569ee7da1101c9100c1b053b910f8660436 -Author: Patrick Schleizer -Date: Thu Jan 28 02:11:54 2021 -0500 - - comment - -commit f2595cc2542b326a74d4c651897160c04bd1e162 -Author: Patrick Schleizer -Date: Wed Jan 27 05:50:16 2021 -0500 - - bumped changelog version - -commit 9622f28e255a101ee7239e3ffd42d8d80637654a -Author: Patrick Schleizer -Date: Wed Jan 27 05:49:34 2021 -0500 - - skip counting failed login attempts from dovecot - - Failed dovecot logins should not result in account getting locked. - - revert "use pam_tally2 only for login" - -commit 480f74cab6d79886fe29eeecc5b7ebc1f138f8dd -Author: Patrick Schleizer -Date: Sun Jan 24 05:10:36 2021 -0500 - - bumped changelog version - -commit 6757104aa4d1e661b046e71f7bda511d73e83d61 -Author: Patrick Schleizer -Date: Sun Jan 24 05:04:48 2021 -0500 - - use pam_tally2 only for login - - to skip counting failed login attempts over ssh and mail login - -commit 126c31c37d17a55b0980dcae8c546aeed4282a99 -Author: Patrick Schleizer -Date: Tue Jan 19 19:41:43 2021 -0500 - - bumped changelog version - -commit 14d13fb03ed627cfb378873ad46f4d3ac795a9f6 -Author: Patrick Schleizer -Date: Tue Jan 19 19:41:42 2021 -0500 - - readme - -commit 611fbe2c619d9b5fab748faf2b0f59274a914187 -Author: Patrick Schleizer -Date: Mon Jan 18 05:39:34 2021 -0500 - - description - -commit 0e8ea5eb727d609d70e8f639dde62583a3ff47f3 -Author: Patrick Schleizer -Date: Thu Jan 14 02:36:49 2021 -0500 - - bumped changelog version - -commit ddd62c1eef031c2befc626acbe4d48d8cdbea1d0 -Author: Patrick Schleizer -Date: Tue Jan 12 03:24:11 2021 -0500 - - readme - -commit 468d8b600dda7cce87bbdf972244ef2f610935d5 -Author: Patrick Schleizer -Date: Tue Jan 12 03:20:58 2021 -0500 - - readme - -commit b5cee63999a7277b32f3850a5d8821c73ed05933 -Author: Patrick Schleizer -Date: Tue Jan 12 03:19:31 2021 -0500 - - new file: README_generic.md - -commit 94627f0875e69c9314faab8b0dc2dbe22af5c88f -Merge: 353e74f 79876f7 -Author: Patrick Schleizer -Date: Tue Jan 12 03:18:41 2021 -0500 - - Merge remote-tracking branch 'github/master' - -commit 79876f7b1261006885a713dbfda97609c8e81f3f -Merge: 353e74f 3066b5a -Author: Patrick Schleizer -Date: Tue Jan 12 08:17:04 2021 +0000 - - Merge pull request #99 from madaidan/docs - - Overhaul documentation - -commit 3066b5ad972f16069361999afbca0978986db862 -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Tue Jan 12 02:17:13 2021 +0000 - - Overhaul documentation - -commit 353e74fb5f0c150b9de3554b88619480c338ef59 -Author: Patrick Schleizer -Date: Tue Jan 5 08:30:37 2021 -0500 - - bumped changelog version - -commit a258f35f385aff7b6fef71e23b94c4681e52bed2 -Author: Patrick Schleizer -Date: Tue Jan 5 02:11:08 2021 -0500 - - comment - -commit a4d7e4614174e6f0357a068af0b7fd46e963a89f -Author: Patrick Schleizer -Date: Thu Dec 10 05:20:57 2020 -0500 - - bumped changelog version - -commit c5097ed599078091aef1fcb63b237d9835040c34 -Author: Patrick Schleizer -Date: Sun Dec 6 04:23:09 2020 -0500 - - comment - -commit b2b614ed2a1a62ff4c917aba80eeef505810dbf8 -Author: Patrick Schleizer -Date: Sun Dec 6 04:15:52 2020 -0500 - - cover more folders in /usr/local - -commit 5bd267d7747521fa5bb053da19dc79991e2c4bb5 -Author: Patrick Schleizer -Date: Sun Dec 6 04:10:50 2020 -0500 - - refactoring - -commit 11cdce02a048b323c6f56cb15f98e6060aab8346 -Author: Patrick Schleizer -Date: Sun Dec 6 04:10:10 2020 -0500 - - refactoring - -commit f73c55f16c10ee2cd0532f4032cec56c484bd4d5 -Author: Patrick Schleizer -Date: Sun Dec 6 04:08:58 2020 -0500 - - /opt - - https://forums.whonix.org/t/suid-disabler-and-permission-hardener/7706/68 - -commit 261ef85c14ff9c13d3d7734d8c9eba5a54497187 -Author: Patrick Schleizer -Date: Tue Dec 1 05:53:06 2020 -0500 - - bumped changelog version - -commit c031f22995a1e073bd81189ee97a3de32a2b278f -Author: Patrick Schleizer -Date: Tue Dec 1 05:14:48 2020 -0500 - - SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists - - `whitelists_disable_all=true` - -commit b09cc0de6af2d7e12110a0f3030234539288abad -Author: Patrick Schleizer -Date: Tue Dec 1 05:10:26 2020 -0500 - - Revert "SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists" - - This reverts commit 36a471ebce883f7a1660977f486b21ece320d0c2. - -commit 704f0500ba4e23a1e5b33688db02e03b1169046d -Author: Patrick Schleizer -Date: Tue Dec 1 05:03:16 2020 -0500 - - fix, rename 40_default_whitelist_[...].conf to 25_default_whitelist_[...].conf - - since whitelist needs to be defined before SUID removal commands - -commit 36a471ebce883f7a1660977f486b21ece320d0c2 -Author: Patrick Schleizer -Date: Tue Dec 1 05:02:34 2020 -0500 - - SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists - - `whitelists_disable_all=true` - -commit 318ab570aacd48b7f163331dc2ba8b012e0d2336 -Author: Patrick Schleizer -Date: Tue Dec 1 04:28:15 2020 -0500 - - simplify disabling of SUID Disabler and Permission Hardener whitelist - - split `/etc/permission-hardening.d/30_default.conf` into multiple files - - `/etc/permission-hardening.d/40_default_whitelist_[...].conf` - - therefore make it easier to delete any whitelisted SUID binaries - -commit cf07e977bd6697af7a4326d7705447d500d35593 -Author: Patrick Schleizer -Date: Sun Nov 29 09:09:42 2020 -0500 - - add `/bin/pkexec exactwhitelist` for consistency - - since there is already `/usr/bin/pkexec exactwhitelist` - -commit fe274838861ada125eccdca11ba044123fdae663 -Author: Patrick Schleizer -Date: Sat Nov 28 06:08:10 2020 -0500 - - bumped changelog version - -commit 28a326a8a14f56d588ed6f2b4d7d748d53120109 -Author: Patrick Schleizer -Date: Sat Nov 28 05:31:12 2020 -0500 - - add feature `/usr/lib/security-misc/permission-hardening-undo /path/to/filename` - - to allow removing 1 SUID - - fix, show INFO message if file does not exist during removal rather than ERROR - -commit 0ef35f877066ddac21737e707829c4571bb76abd -Author: Patrick Schleizer -Date: Fri Nov 6 10:18:09 2020 -0500 - - bumped changelog version - -commit abae787186d48b2cccf220cbf7b553f8478e60be -Author: Patrick Schleizer -Date: Thu Nov 5 06:47:16 2020 -0500 - - usability: pam abort when attempting to login to root when root password is locked - -commit 581e31af81015fb85ee1bdd81586dbea13804955 -Author: Patrick Schleizer -Date: Thu Nov 5 06:46:57 2020 -0500 - - comment - -commit dfe9b0f6c7364e4d3cc3bf13ad7c0fccc2cb7e10 -Author: Patrick Schleizer -Date: Thu Nov 5 06:42:47 2020 -0500 - - fix, no longer unconditionally abort pam for user accounts with locked passwords - - as locked user accounts might have valid sudoers exceptions - - Thanks to @mimp for the bug report! - - https://forums.whonix.org/t/pam-abort-on-locked-password-and-running-privileged-command-from-web-browser/10521 - -commit 211769dc65a5c98cbdb55ce62e83c9e2a9fa1540 -Author: Patrick Schleizer -Date: Thu Nov 5 06:41:51 2020 -0500 - - comment - -commit 79521397310f5e4e200291b2e2380e8e58953f18 -Author: Patrick Schleizer -Date: Thu Nov 5 06:39:32 2020 -0500 - - comment - -commit bb72c1278dd02a48a631d8e798cd78100576a1a8 -Author: Patrick Schleizer -Date: Thu Nov 5 06:36:39 2020 -0500 - - copyright - -commit f4843b1deb95948f9fe2a2870ecbe61c1cab798a -Author: Patrick Schleizer -Date: Sat Oct 31 06:29:25 2020 -0400 - - bumped changelog version - -commit c1e0bb831025854afbd88e5c353a000c4dadaede -Author: Patrick Schleizer -Date: Sat Oct 31 06:11:49 2020 -0400 - - shebang - -commit b06d4ca29983938fa81acfc379366e6c1516c69a -Author: Patrick Schleizer -Date: Sat Oct 31 06:09:22 2020 -0400 - - bumped changelog version - -commit 3f656be5746ec4d219371fb0d67c222df7fe52d1 -Author: Patrick Schleizer -Date: Sat Oct 31 05:48:10 2020 -0400 - - chmod +x /etc/X11/Xsession.d/50panic_on_oops - chmod +x /etc/X11/Xsession.d/50security-misc - -commit 881d695bff7d65c66bbf8e0973f883c75a3d1ebb -Author: Patrick Schleizer -Date: Mon Oct 5 07:03:37 2020 -0400 - - bumped changelog version - -commit 3adb2c92d9551f649b177753fede18da3cc4b0eb -Merge: feb7cea 5856013 -Author: Patrick Schleizer -Date: Sat Oct 3 14:10:32 2020 -0400 - - Merge remote-tracking branch 'github/master' - -commit 58560138cdc36fa5f6142f75f0fed53bcad96363 -Merge: feb7cea 06ffd5d -Author: Patrick Schleizer -Date: Sat Oct 3 18:09:07 2020 +0000 - - Merge pull request #77 from madaidan/debugfs - - Restrict access to debugfs - -commit 06ffd5d2201152c60eb4309860b8c42be386dccb -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Mon Sep 28 19:21:20 2020 +0000 - - Restrict access to debugfs - -commit feb7cea4c508a94d1140bc08856d0fe586da694e -Author: Patrick Schleizer -Date: Mon Sep 28 10:30:42 2020 -0400 - - bumped changelog version - -commit da1ac48cde8ea5057d1606a2fba42ea179677378 -Author: Patrick Schleizer -Date: Mon Sep 28 10:29:50 2020 -0400 - - unblacklist squashfs as this would likely break Whonix-Host ISO - - https://github.com/Whonix/security-misc/pull/75#issuecomment-700044182 - -commit 4070133ed65af409adeb6f8c7970d3bc7074b02b -Author: Patrick Schleizer -Date: Mon Sep 28 10:25:57 2020 -0400 - - unblacklist vfat - - https://github.com/Whonix/security-misc/pull/75#issuecomment-695201068 - -commit 77d461ec08ffdf0eb6a5d124927d9f9748c0dd3c -Merge: 5fc7b79 3684ab5 -Author: Patrick Schleizer -Date: Mon Sep 28 10:24:59 2020 -0400 - - Merge remote-tracking branch 'github/master' - -commit 3684ab585eeab46ff17a1d410ce1bcff1a63968c -Merge: ae90107 a813e7d -Author: Patrick Schleizer -Date: Mon Sep 28 14:24:15 2020 +0000 - - Merge pull request #75 from flawedworld/patch-1 - - Blacklist more modules (based on OpenSCAP for RHEL 8) - -commit ae90107e6df4d312a6734985df38b8533d1283c8 -Merge: 5fc7b79 8f7727e -Author: Patrick Schleizer -Date: Mon Sep 28 14:23:42 2020 +0000 - - Merge pull request #76 from flawedworld/patch-2 - - Add IPv6 sysctl options and enforce kernel.perf_event_paranoid=3 - -commit a813e7da07a39e96e0cd7937aee7568307a00287 -Author: flawedworld <38294951+flawedworld@users.noreply.github.com> -Date: Sat Sep 19 20:46:19 2020 +0100 - - Blacklist more modules - -commit 5fc7b791db473c22ea43ff899e2dbe232c42a2b7 -Author: Patrick Schleizer -Date: Sat Sep 19 09:28:27 2020 -0400 - - bumped changelog version - -commit bff6ce7abb920d55edc49b19340a1e9251a4cd8c -Merge: 98c0dec 9239c8b -Author: Patrick Schleizer -Date: Sat Sep 19 06:54:50 2020 -0400 - - Merge remote-tracking branch 'github/master' - -commit 9239c8b8074018090d4fa1381aa06e66a99359cc -Merge: 98c0dec 8dfdec1 -Author: Patrick Schleizer -Date: Sat Sep 19 10:54:21 2020 +0000 - - Merge pull request #71 from onions-knight/patch-1 - - Update thunar.xml - -commit 8f7727e823a86a1826686d5c95d0070721c7acba -Author: flawedworld <38294951+flawedworld@users.noreply.github.com> -Date: Fri Sep 18 23:36:30 2020 +0100 - - Add some IPv6 options - -commit 944fed3c459dd55820cb1eca68f86816bdf8469f -Author: flawedworld <38294951+flawedworld@users.noreply.github.com> -Date: Fri Sep 18 23:29:04 2020 +0100 - - Disallow kernel profiling by users without CAP_SYS_ADMIN - - It's the default on a lot of stuff, but still nice to have. - -commit 98c0decaa46c6fb839062ff9af0556d821c254e6 -Author: Patrick Schleizer -Date: Mon Aug 3 09:43:43 2020 -0400 - - bumped changelog version - -commit 7e267ab49850362c02374a15fdba2409a5487a0f -Author: Patrick Schleizer -Date: Mon Aug 3 08:12:19 2020 -0400 - - fix, allow group `sudo` and `console` to use consoles - - fix /etc/security/access-security-misc.conf syntax error - - Thanks to @81a989 for the bug report! - - https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/31 - -commit b09f5ddc154d6561fd97b436feeb6a6225f89206 -Author: Patrick Schleizer -Date: Wed Jul 29 08:33:07 2020 -0400 - - bumped changelog version - -commit ac8bc4f006dbc1583e35ba033e38dac8392127e9 -Author: Patrick Schleizer -Date: Wed Jul 29 06:30:07 2020 -0400 - - readme - -commit 861f9d1022e61766c7474d9eb79489ba64ac2055 -Author: Patrick Schleizer -Date: Thu May 14 13:57:32 2020 -0400 - - bumped changelog version - -commit 3cd7b144bba1a92ca771b16fc5215073c7561a1a -Author: Patrick Schleizer -Date: Thu May 14 13:47:58 2020 -0400 - - move "kernel.printk = 3 3 3 3" to separate file /etc/sysctl.d/30_silent-kernel-printk.conf - - so package debug-misc can easily disable it - - https://phabricator.whonix.org/T950 - -commit 81cb6ad2462a900f9c5193278de70ada62a5585b -Author: Patrick Schleizer -Date: Thu Apr 23 12:27:25 2020 -0400 - - bumped changelog version - -commit 6485df8126b52a2072824fa442e8d1dd5cb18981 -Author: Patrick Schleizer -Date: Thu Apr 23 12:26:31 2020 -0400 - - Prevent kernel info leaks in console during boot. - - add kernel parameter `quiet loglevel=0` - - https://phabricator.whonix.org/T950 - -commit aa5631b02b0127b4681ae08c973b08b23befd701 -Author: Patrick Schleizer -Date: Thu Apr 16 08:43:40 2020 -0400 - - bumped changelog version - -commit 8d2e4b68dcae87b27f519196488e0ed7e8b95ef2 -Author: Patrick Schleizer -Date: Thu Apr 16 08:00:31 2020 -0400 - - Prevent kernel info leaks in console during boot. - - By setting `kernel.printk = 3 3 3 3`. - - https://phabricator.whonix.org/T950 - - Thanks to @madaidan for the suggestion! - -commit 4898a9e753e9399e83e4a39d8fa340e1ad9d4f6d -Author: Patrick Schleizer -Date: Thu Apr 16 07:54:33 2020 -0400 - - fix, sysctl-initramfs: switch log to /run/initramfs/sysctl-initramfs-error.log - - since ephemeral, in RAM, not written to disk, no conflict with grub-live - - https://forums.whonix.org/t/kernel-hardening/7296/435 - -commit 701da5f6cc911e3946904c152078dc6c637e5070 -Author: Patrick Schleizer -Date: Thu Apr 16 07:24:44 2020 -0400 - - formatting - -commit cb51847085c1b62c99ab160373c52a388bdfe300 -Author: Patrick Schleizer -Date: Wed Apr 15 14:05:37 2020 -0400 - - readme - -commit df218ad6582ab88be16e66cf13951d0a5271411b -Author: Patrick Schleizer -Date: Tue Apr 14 12:40:31 2020 -0400 - - bumped changelog version - -commit 8851c9ed29e79d2ef5df9c7b7086878e69b90bd4 -Author: Patrick Schleizer -Date: Tue Apr 14 12:39:34 2020 -0400 - - fix: disable proc-hidepid.service - -commit b6dde34bfb696218cc14ac89d169ec0e37814bff -Author: Patrick Schleizer -Date: Mon Apr 13 06:56:34 2020 -0400 - - bumped changelog version - -commit e0b8640fb9d03feb6b01fed4469d901e3f9a5dc0 -Author: Patrick Schleizer -Date: Mon Apr 13 06:56:34 2020 -0400 - - readme - -commit 253578afdf9a4aeb8c5495ca815d0326086dc986 -Author: Patrick Schleizer -Date: Mon Apr 13 06:50:32 2020 -0400 - - /etc/security/access-security-misc.conf white list ttyS0 etc. - - ttyS0 ttyS1 ttyS2 ttyS3 ttyS4 ttyS5 ttyS6 ttyS7 ttyS8 ttyS9 - - Thanks to @subpar_marlin for the bug report and helping to fix this! - - https://forums.whonix.org/t/how-do-i-enter-the-whonix-shell-from-cli/7271/43 - - https://forums.whonix.org/t/etc-security-hardening/8592 - -commit b3ce18f0f9f1da0552a4a1bd882a5b5dda13626e -Author: Patrick Schleizer -Date: Sun Apr 12 16:54:10 2020 -0400 - - disable proc-hidepid by default because incompatible with pkexec - - and undo pkexec wrapper - -commit 442931529121e9e402e7ac56e27df3dcec43167b -Author: Patrick Schleizer -Date: Sun Apr 12 16:52:55 2020 -0400 - - disable proc-hidepid by default because incompatible with pkexec - - and undo pkexec wrapper - -commit 72be31e870057b035651c1b5a7e9a9db149e9d25 -Author: Patrick Schleizer -Date: Sun Apr 12 16:48:13 2020 -0400 - - disable proc-hidepid by default because incompatible with pkexec - - and undo pkexec wrapper - -commit 938e929f39ff68296ab01a4b619f963ad3bdf535 -Author: Patrick Schleizer -Date: Sun Apr 12 16:37:51 2020 -0400 - - add pkexec to suid default whitelist - - /usr/bin/pkexec exactwhitelist - /usr/bin/pkexec.security-misc-orig exactwhitelist - -commit 695ad5b83d0e89b1c3b8a5f09f2d7d0a17d8e72f -Author: Patrick Schleizer -Date: Thu Apr 9 09:45:30 2020 +0000 - - bumped changelog version - -commit 67b9d06b25a651b89e35abdd227a1740871395cd -Author: Patrick Schleizer -Date: Thu Apr 9 09:45:29 2020 +0000 - - readme - -commit 565ff136e5f1e714b4094fcd9cfdf99a0fb99850 -Author: Patrick Schleizer -Date: Wed Apr 8 21:04:02 2020 +0000 - - vm.swappiness=1 - - import from swappiness-lowest - - https://forums.whonix.org/t/vm-swappiness-1-set-swapiness-to-lowest-setting-still-useful-swappiness-lowest/9278 - -commit 642d4d8d939f33c19564dcc5a0ed46d85feb80aa -Author: Patrick Schleizer -Date: Wed Apr 8 17:13:21 2020 +0000 - - bumped changelog version - -commit a9d0baffe600b9ac5bb7d6ee4e7c5c5830bc60ba -Author: Patrick Schleizer -Date: Wed Apr 8 16:57:32 2020 +0000 - - python -> python3 - -commit 4153d8d08874256647d3200333d6754baac2ea63 -Author: Patrick Schleizer -Date: Wed Apr 8 16:51:22 2020 +0000 - - apparmor-profile-anondist -> apparmor-profile-dist - -commit 72228946dca93b5c8257ac5a6ad59e54b7b14d11 -Author: Patrick Schleizer -Date: Wed Apr 8 16:46:11 2020 +0000 - - fix etc/default/grub.d/40_kernel_hardening.cfg - - in Qubes if no kernel package is installed - -commit bfd6018d8d108ee8691556529121fe2a679de1d2 -Author: Patrick Schleizer -Date: Wed Apr 8 12:51:11 2020 +0000 - - bumped changelog version - -commit 0441f2ed7ad01585c11c9fb6a05cd3884408c9d6 -Author: Patrick Schleizer -Date: Wed Apr 8 12:30:05 2020 +0000 - - readme - -commit 663811a8192d7d08769eaf5e9c057b9dcca34562 -Author: Patrick Schleizer -Date: Wed Apr 8 12:04:13 2020 +0000 - - anon-base-files -> dist-base-files - -commit cc8489df2ff655276be31073ec2fff57a9e8b448 -Author: Patrick Schleizer -Date: Mon Apr 6 13:29:23 2020 -0400 - - bumped changelog version - -commit 350a15dfbf9186c4bd81159b7656b5707a95c5db -Author: Patrick Schleizer -Date: Mon Apr 6 13:22:32 2020 -0400 - - readme - -commit 5c81e1f23fa07a0e3c96d15dc3cc24d41332fe3c -Author: Patrick Schleizer -Date: Mon Apr 6 09:25:45 2020 -0400 - - import from anon-gpg-conf - -commit 1b2a34ea80fa9efeb02acaa8595e3c38fd9d06ca -Author: Patrick Schleizer -Date: Sat Apr 4 16:51:42 2020 -0400 - - bumped changelog version - -commit 1188a44f47602248911d81f4dc3af08b830b65b9 -Author: Patrick Schleizer -Date: Sat Apr 4 16:49:30 2020 -0400 - - port to python 3.7 - -commit a2c932aa5a354798ce1383e988519f9a2cb69374 -Author: Patrick Schleizer -Date: Thu Apr 2 07:58:51 2020 -0400 - - bumped changelog version - -commit ae8c5fff3c70c00931b95cd04b8729d2c1bd2a60 -Author: Patrick Schleizer -Date: Thu Apr 2 07:22:47 2020 -0400 - - readme - -commit a7f2a2a3b6b408a0545f55b8fed9cc17fbd8f843 -Author: Patrick Schleizer -Date: Thu Apr 2 06:04:45 2020 -0400 - - console lockdown: allow members of group `sudo` to use console - - https://forums.whonix.org/t/etc-security-hardening/8592 - - https://github.com/Whonix/security-misc/pull/74#issuecomment-607748407 - - https://www.whonix.org/wiki/Dev/Strong_Linux_User_Account_Isolation#Console_Lockdown - -commit 7764ee0d202193dc67f5805fc23be2b804962186 -Author: Patrick Schleizer -Date: Thu Apr 2 05:58:16 2020 -0400 - - comments - -commit d9f2a0e4a1837ef1604e4cd17ce8ae60996c9782 -Author: Patrick Schleizer -Date: Wed Apr 1 17:34:59 2020 -0400 - - remove 'Build-Depends: ronn' since no longer required - -commit eda9c57a628ebf1083f87789842d5403c6e05122 -Author: Patrick Schleizer -Date: Wed Apr 1 16:57:33 2020 -0400 - - remove genmkfile - -commit 2609fe9c3efff611dc5bce20d62580dace02757b -Author: Patrick Schleizer -Date: Wed Apr 1 16:33:29 2020 -0400 - - add debian install file - -commit d4b2baa9b66d480d5e45c628f8bc4ff11fab765f -Author: Patrick Schleizer -Date: Wed Apr 1 10:58:16 2020 -0400 - - bumped changelog version - -commit 2ceea8d1fe9f2425488c6696f75f2ecfd9ff2235 -Author: Patrick Schleizer -Date: Wed Apr 1 08:49:59 2020 -0400 - - update copyright year - -commit b6de867dec85efb03cf38aa85494607edb4500f4 -Author: Patrick Schleizer -Date: Wed Apr 1 08:26:44 2020 -0400 - - bumped changelog version - -commit ad022fc0b703f28f24665d28b072f1a993978370 -Author: Patrick Schleizer -Date: Wed Apr 1 08:21:06 2020 -0400 - - fix - -commit 354af7085be7e266913c3ae79701cd1abc729d06 -Author: Patrick Schleizer -Date: Tue Mar 31 07:41:45 2020 -0400 - - bumped changelog version - -commit 814f613a2fac12b892dfb6dcf53ee628e340c7b2 -Author: Patrick Schleizer -Date: Tue Mar 31 07:08:25 2020 -0400 - - When using systemd-nspawn (chroot) then `login` requires console 'console' to be permitted. - -commit a369a0a94dca7fff68234e4f75d74a4e9d63df5b -Author: Patrick Schleizer -Date: Mon Mar 30 18:42:02 2020 -0400 - - bumped changelog version - -commit c22adbd92fcab45fb3b1d3e98528c4790bb20a6a -Author: Patrick Schleizer -Date: Mon Mar 30 18:39:23 2020 -0400 - - notify if security-misc installation is forced - -commit 7ee5fc1b760dff0f86d8cf07a77cbd42d40f7a53 -Author: Patrick Schleizer -Date: Mon Mar 30 17:16:46 2020 -0400 - - bumped changelog version - -commit f663b5eff8a6f2fa406039ced4441c5a4a9c1477 -Author: Patrick Schleizer -Date: Mon Mar 30 17:15:02 2020 -0400 - - skip check if any non-root user is a member of group sudo and console if - environment variable `SECURITY_MISC_INSTALL` is set to `force` - -commit bc22fc9fdba834d0a2d8fdc75b86934e56b317c9 -Author: Patrick Schleizer -Date: Mon Mar 30 17:12:43 2020 -0400 - - skip check if any non-root user is a member of group sudo and console if file - /var/lib/security-misc/skip_install_check exists - -commit d7a69628b1def631b04219da7aee764eebea37df -Author: Patrick Schleizer -Date: Sat Mar 21 14:56:48 2020 -0400 - - bumped changelog version - -commit 5f0dd8270ba6311018e654cca3b8b86818af5a82 -Author: Patrick Schleizer -Date: Sat Mar 21 14:14:35 2020 -0400 - - consistent use of quotes - -commit 66ea1a3a127642c5515ac6fd80952a56568620bc -Author: Patrick Schleizer -Date: Sat Mar 21 14:14:15 2020 -0400 - - minor - -commit 23bd7ead59c0bdd793a955aaa613552b37a38dab -Author: Patrick Schleizer -Date: Sat Mar 21 14:12:42 2020 -0400 - - remove trailing space - -commit 7c25fc517e6f42d4364a55407f6bf0c84d130c8e -Merge: 20f0c57 1cbc7f6 -Author: Patrick Schleizer -Date: Sat Mar 21 14:12:25 2020 -0400 - - Merge remote-tracking branch 'origin/master' - -commit 1cbc7f6bed8acc112b610e05f527cffc6e9e1e87 -Merge: 20f0c57 89ada11 -Author: Patrick Schleizer -Date: Sat Mar 21 18:11:57 2020 +0000 - - Merge pull request #73 from madaidan/sysctl-initramfs - - Only remount in sysctl-initramfs if already mounted read-only - -commit 89ada11cf9a76cf02b3d5f92fd5c66194fe40ff0 -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Sat Mar 21 17:49:07 2020 +0000 - - Only remount if already mounted read-only - -commit 20f0c574d5424c78ab6b4d3829a6662615967ba5 -Merge: e4118cb 2938182 -Author: Patrick Schleizer -Date: Sat Mar 21 13:28:43 2020 -0400 - - Merge remote-tracking branch 'origin/master' - -commit 2938182ce6303e6e55086e2e9e82f8263a3c8e76 -Merge: e4118cb c8826d6 -Author: Patrick Schleizer -Date: Sat Mar 21 17:26:37 2020 +0000 - - Merge pull request #72 from madaidan/master - - Fix sysctl-initramfs logs - -commit c8826d6702ebaf280994effb22aea39b4cfd2dac -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Sat Mar 21 17:15:25 2020 +0000 - - Fix sysctl-initramfs logs - -commit 8dfdec1d3b0fde7b2836b38e5aefab1b6b6df9f2 -Author: onions-knight <38859709+onions-knight@users.noreply.github.com> -Date: Tue Mar 17 16:38:53 2020 +0000 - - Update thunar.xml - - Adding Delete option for thunar on right mouse click (removed in Debian 10). See https://forums.whonix.org/t/whonix-host-calamares-branding-suggestion/7772/26 - -commit e4118cb21eb8765bc8f4e7b5e05d464d72575824 -Author: Patrick Schleizer -Date: Thu Mar 12 04:43:08 2020 -0400 - - bumped changelog version - -commit e6e7886a6e3dca1a75943c5a04c4d29ab8682cec -Merge: 04a87f7 711e786 -Author: Patrick Schleizer -Date: Wed Mar 11 09:08:41 2020 -0400 - - Merge remote-tracking branch 'origin/master' - -commit 711e786be504179c832172acb39d567b323520e6 -Merge: 04a87f7 4d0de87 -Author: Patrick Schleizer -Date: Wed Mar 11 13:06:23 2020 +0000 - - Merge pull request #70 from madaidan/userfaultfd - - Fix unprivileged_userfaultfd - -commit 4d0de87f799d8032731140e9a5815d4773d91baa -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Sun Mar 8 17:49:49 2020 +0000 - - Disable unprivileged userfaultfd use again - -commit efb2683cfc168c3b110c6664ee61eabcf85f3f30 -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Sun Mar 8 17:49:12 2020 +0000 - - Hide unprivileged_userfaultfd error - -commit 04a87f7029736e5ce66f18bb6c42cadf3500b26b -Author: Patrick Schleizer -Date: Sun Mar 8 09:43:24 2020 -0400 - - bumped changelog version - -commit 284a49110030b21aa3136447217273337a12acaf -Author: Patrick Schleizer -Date: Sun Mar 8 08:07:10 2020 -0400 - - disable `vm.unprivileged_userfaultfd=0` for now - - because broken - - https://forums.whonix.org/t/kernel-hardening/7296/406 - - reverts "Restrict the userfaultfd() syscall to root as it can make heap sprays easier." - - https://duasynt.com/blog/linux-kernel-heap-spray - -commit 44351ec9b78d59aeeef44675e8e203c7ace243f0 -Author: Patrick Schleizer -Date: Sat Mar 7 21:44:19 2020 -0500 - - remove no longer needed code for installation of apparmor profiles - -commit 71ae6239168d829e25670ffa856ee0f011a168a9 -Author: Patrick Schleizer -Date: Thu Mar 5 08:36:27 2020 -0500 - - bumped changelog version - -commit 76eb9579a3038982301fc622c84cd48fa3d88ffd -Author: Patrick Schleizer -Date: Thu Mar 5 08:33:00 2020 -0500 - - readme - -commit 15dde15a36c3cac0088773670b84f7e1e2b1423f -Author: Patrick Schleizer -Date: Tue Mar 3 09:42:24 2020 -0500 - - typo - -commit 8887af26d6a82613ee1f9c3a10ba42fdd2444d1c -Author: Patrick Schleizer -Date: Tue Mar 3 09:19:49 2020 -0500 - - bumped changelog version - -commit 1dea4dbcf6fa3299e513d01005b514e42bf51538 -Author: Patrick Schleizer -Date: Tue Mar 3 09:18:38 2020 -0500 - - readme - -commit cd19c2da006d38cd0cd3653b31e398d16396d825 -Author: Patrick Schleizer -Date: Tue Mar 3 09:18:24 2020 -0500 - - fix lintian warning - -commit 7e3fedefb234e584d900c036c424ac083a9efa3d -Author: Patrick Schleizer -Date: Tue Mar 3 09:12:50 2020 -0500 - - bumped changelog version - -commit 201d6b5efc355b08b5f94f9284d2242dec9c56b8 -Author: Patrick Schleizer -Date: Tue Mar 3 09:07:42 2020 -0500 - - readme - -commit 63c6405ab74f0dd5f3ec3838135b29304a3d1fc8 -Merge: e3e39f2 453aa8a -Author: Patrick Schleizer -Date: Sat Feb 29 07:34:46 2020 -0500 - - Merge remote-tracking branch 'origin/master' - -commit 453aa8a4eb76fe56ad67f1aea8abfeb122e68a9c -Merge: e3e39f2 60fbf8b -Author: Patrick Schleizer -Date: Sat Feb 29 12:28:32 2020 +0000 - - Merge pull request #65 from madaidan/userfaultfd - - Restrict the userfaultfd() syscall to root - -commit e3e39f22354595c9f21c243d7bdadc1487374db8 -Merge: 649ec5d bd7678c -Author: Patrick Schleizer -Date: Sat Feb 29 05:01:41 2020 -0500 - - Merge remote-tracking branch 'origin/master' - -commit 649ec5dfa1d2c0e324d8054b4c7402ab2b462d93 -Author: Patrick Schleizer -Date: Sat Feb 29 04:59:56 2020 -0500 - - pkexec wrapper: fix gdebi / synaptic - - but at cost of checking for passwordless sudo /etc/suders /etc/sudoers.d - exceptions. - - http://forums.whonix.org/t/cannot-use-pkexec/8129/53 - -commit 32269d32b63e549f76b4090b675dd53256fbc42d -Author: Patrick Schleizer -Date: Sat Feb 29 04:59:15 2020 -0500 - - description - -commit b31caefdeb8b76537982e359e708b57081d7b381 -Author: Patrick Schleizer -Date: Sat Feb 29 04:59:02 2020 -0500 - - description - -commit bd7678c574819298b364185fe7e3362c7e8d4930 -Merge: d04d4bf 42d3b98 -Author: Patrick Schleizer -Date: Fri Feb 28 12:04:05 2020 +0000 - - Merge pull request #66 from madaidan/mce - - Fix docs - -commit 42d3b986c41854fc2990557d2333874e9379793b -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Thu Feb 27 17:41:14 2020 +0000 - - Update control - -commit d04d4bf0950b60b8e5bf51b2303bbecdbc5fe326 -Author: Patrick Schleizer -Date: Tue Feb 25 02:08:10 2020 -0500 - - description - -commit 4043d2af3f8239a2056610363fc9d53770ebc336 -Author: Patrick Schleizer -Date: Tue Feb 25 02:06:48 2020 -0500 - - description - -commit 0e5187ff249c686908506896e01125e37d194543 -Author: Patrick Schleizer -Date: Tue Feb 25 02:00:27 2020 -0500 - - description - -commit 60fbf8b0de8a631d8a63c64f7e8181fee501c237 -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Mon Feb 24 18:24:07 2020 +0000 - - Update control - -commit 6b64b36b0190198f5edfda6c704a9efe3ea5b9a6 -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Mon Feb 24 18:23:15 2020 +0000 - - Restrict the userfaultfd() syscall to root - -commit 221000db5b184664c09dfe9cb7055de45331a7e1 -Merge: 01eaee9 c7f2537 -Author: Patrick Schleizer -Date: Mon Feb 17 03:17:11 2020 -0500 - - Merge remote-tracking branch 'origin/master' - -commit c7f2537930925e3ec250db81791a107af003079b -Merge: 01eaee9 8ea4e50 -Author: Patrick Schleizer -Date: Mon Feb 17 08:16:34 2020 +0000 - - Merge pull request #64 from madaidan/extra_latent_entropy - - Gather more entropy during boot - -commit 8ea4e50c8e9c3c9ee650b665a32b78f67aedc1aa -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Sun Feb 16 19:52:40 2020 +0000 - - Update control - -commit f6b6ab374ea2b24dfd4ac49bc1a595b50ab3d952 -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Sun Feb 16 19:51:32 2020 +0000 - - Gather more entropy during boot - -commit 01eaee997e34aa73a11dffe032ace5ef23c37e28 -Author: Patrick Schleizer -Date: Sat Feb 15 15:35:44 2020 -0500 - - bumped changelog version - -commit 412a83923dd09f36a25ebf9ce1991369d09c5e34 -Merge: dce54d5 4399a51 -Author: Patrick Schleizer -Date: Sat Feb 15 15:30:32 2020 -0500 - - Merge remote-tracking branch 'origin/master' - -commit dce54d5d0f7c6017037b5fb6a5851dd90ce5d762 -Author: Patrick Schleizer -Date: Sat Feb 15 15:29:38 2020 -0500 - - bumped changelog version - -commit 3df008f0b9aa08c8b92c89439abeb029f5d1f316 -Author: Patrick Schleizer -Date: Sat Feb 15 15:28:30 2020 -0500 - - readme - -commit 4399a512bef77ddec428bd4150cacebb77fc22da -Merge: 757df8f a79ce7f -Author: Patrick Schleizer -Date: Sat Feb 15 19:43:05 2020 +0000 - - Merge pull request #63 from madaidan/ldisc_autoload - - Document ldisc_autoload better - -commit a79ce7fa68c22048d3e10789fe209b14b818d0fb -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Sat Feb 15 17:30:21 2020 +0000 - - Document ldisc_autoload better - -commit 757df8fceb29d9b6143cf26e73cb31dde69d0a71 -Merge: 9bbae90 a9a1581 -Author: Patrick Schleizer -Date: Sat Feb 15 05:43:43 2020 -0500 - - Merge remote-tracking branch 'origin/master' - -commit a9a1581720739966e94f18be556552e9d75d63b1 -Merge: 9bbae90 1e5946c -Author: Patrick Schleizer -Date: Sat Feb 15 10:42:20 2020 +0000 - - Merge pull request #60 from madaidan/sysrq - - Restrict the SysRq key - -commit 1e5946c795e3962fdc2229146b9331d36a1d6c41 -Merge: 0f49736 9bbae90 -Author: Patrick Schleizer -Date: Sat Feb 15 10:41:52 2020 +0000 - - Merge branch 'master' into sysrq - -commit 9bbae903fe5ee58d4a22dfeab51cbb179b8cfb14 -Author: Patrick Schleizer -Date: Sat Feb 15 05:29:48 2020 -0500 - - remove-system.map: lower verbosity output - -commit cce35e5109489df44916a08722d9016bb1e578ec -Merge: 14140ad e403517 -Author: Patrick Schleizer -Date: Sat Feb 15 05:27:52 2020 -0500 - - Merge remote-tracking branch 'origin/master' - -commit e40351796e297673e1ec45dee7483079e96d9639 -Merge: 5124f8c 31009f0 -Author: Patrick Schleizer -Date: Sat Feb 15 10:25:15 2020 +0000 - - Merge pull request #62 from madaidan/shred - - Shred System.map files - -commit 5124f8cebcf6113547d11fc5193f83af1a2b6f84 -Merge: ac8757a 9b76713 -Author: Patrick Schleizer -Date: Sat Feb 15 10:18:56 2020 +0000 - - Merge pull request #61 from madaidan/disable_early_pci_dma - - Avoid holes in IOMMU - -commit ac8757a031a02c6cbad564e6a857954c0cf01a54 -Merge: ad6b766 ace6211 -Author: Patrick Schleizer -Date: Sat Feb 15 10:09:46 2020 +0000 - - Merge pull request #59 from madaidan/ldisc - - Restrict loading line disciplines to CAP_SYS_MODULE - -commit 31009f0bfa10e7b67f5823a5be92273e5414fff3 -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Fri Feb 14 23:46:19 2020 +0000 - - Shred System.map files - -commit 9b767139ef82279e00d86f7f1e1e8bf73d795651 -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Fri Feb 14 18:52:01 2020 +0000 - - Avoid holes in IOMMU - -commit 0f497369574811b0e7fb832636a5618e62618619 -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Fri Feb 14 18:18:18 2020 +0000 - - Update control - -commit d251c43344a04e1dd8afbf12352432810874e021 -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Fri Feb 14 18:17:20 2020 +0000 - - Restrict the SysRq key - -commit ace62111761451a13c446767dfd3c32b9b70a7f8 -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Fri Feb 14 17:51:17 2020 +0000 - - Update control - -commit 0ea7dd161b3e643c23624e6dcb450116824b6301 -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Fri Feb 14 17:50:19 2020 +0000 - - Restrict loading line disciplines to CAP_SYS_MODULE - -commit ad6b76688677cd4f9f0b2f2524c0f6b0a381bf29 -Merge: 14140ad 14f8458 -Author: Patrick Schleizer -Date: Thu Feb 13 18:40:58 2020 +0000 - - Merge pull request #57 from madaidan/sysctl - - Prevent symlink/hardlink TOCTOU races - -commit 14140ad41ba45b2457570a7df28b42cfd3bf3155 -Author: Patrick Schleizer -Date: Thu Feb 13 13:39:45 2020 -0500 - - bumped changelog version - -commit d1fa191bc0ad58ea4fbb5b4db383311f87319dfe -Author: Patrick Schleizer -Date: Thu Feb 13 13:38:21 2020 -0500 - - readme - -commit 76a51a3b45113b4f771397bf32daae3fb38af6a6 -Merge: 163e20b 5ebab39 -Author: Patrick Schleizer -Date: Thu Feb 13 13:37:34 2020 -0500 - - Merge remote-tracking branch 'origin/master' - -commit 5ebab397b201f431e3d0ca3bebfb71fa61a7ed2b -Merge: 163e20b 2796c2d -Author: Patrick Schleizer -Date: Thu Feb 13 18:36:41 2020 +0000 - - Merge pull request #58 from madaidan/mitigations - - Improve CPU mitigations documentation - -commit 2796c2dd00fca0bb458bdb4ea5c2cdbd35854bef -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Wed Feb 12 18:43:19 2020 +0000 - - Update control - -commit 700c7ed9085f2c9f0f271ddf8781f119e8ac5714 -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Wed Feb 12 18:42:13 2020 +0000 - - Create 40_cpu_mitigations.cfg - -commit ba0043b8a7249e55e0a0d3b87f6c54de5283f057 -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Wed Feb 12 18:36:05 2020 +0000 - - Update 40_kernel_hardening.cfg - -commit 14f845837476810f1eb3038d9d41f9ad8088b916 -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Wed Feb 12 18:05:32 2020 +0000 - - Update control - -commit 5cb21d0d4d36fd516f17a9b5378443859f497027 -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Wed Feb 12 18:03:23 2020 +0000 - - Prevent symlink/hardlink TOCTOU races - -commit 163e20b886f298cb9d3aca54c14f66991001b396 -Author: Patrick Schleizer -Date: Wed Feb 5 06:31:48 2020 -0500 - - bumped changelog version - -commit 3024006f63be34f0c9d2968b1839a855419792dd -Merge: 8c5cd86 024576e -Author: Patrick Schleizer -Date: Tue Feb 4 00:24:50 2020 -0500 - - Merge remote-tracking branch 'origin/master' - -commit 024576e3307e45c90b97ed8658ee82ceb1ed00aa -Merge: 8c5cd86 e4c6e89 -Author: Patrick Schleizer -Date: Tue Feb 4 05:24:05 2020 +0000 - - Merge pull request #56 from HulaHoop0/patch-1 - - kvm.nx_huge_pages=force - -commit e4c6e897cf37cbf5de6d90888a0ddbe56db11c2f -Author: HulaHoop0 <55955185+HulaHoop0@users.noreply.github.com> -Date: Mon Feb 3 16:06:46 2020 +0000 - - kvm.nx_huge_pages=force - -commit 8c5cd865f49cea986cdfc00a4cb4f0f913d4d3e6 -Author: Patrick Schleizer -Date: Mon Feb 3 09:23:13 2020 -0500 - - bumped changelog version - -commit 1f6ed2cc7047e1144e811d94dddc7306ee93b61e -Author: Patrick Schleizer -Date: Mon Feb 3 08:55:20 2020 -0500 - - add support for passing parameters to usr/lib/security-misc/apt-get-update - -commit 2291b7f787bcec5f64f632c6f3e8dfb12c67b4ee -Author: Patrick Schleizer -Date: Mon Feb 3 08:43:31 2020 -0500 - - bumped changelog version - -commit 8627c9f76d1bdf26a423a92506d3d8c0eb1afc2e -Author: Patrick Schleizer -Date: Fri Jan 31 12:18:02 2020 -0500 - - /usr/lib/security-misc/apt-get-update increase default timeout_after="600" - -commit 829e28aa90ff5cb38edcc3cfab8ec91939ae5844 -Author: Patrick Schleizer -Date: Fri Jan 31 12:17:07 2020 -0500 - - /usr/lib/security-misc/apt-get-update environment variable timeout_after kill_after support - -commit 0bd0a4a647aef9899e1cbb5671ccfa3ca36efe18 -Author: Patrick Schleizer -Date: Thu Jan 30 06:14:34 2020 -0500 - - bumped changelog version - -commit 85d2aa1365ae5dfc43944a938794954452c26fe0 -Author: Patrick Schleizer -Date: Thu Jan 30 06:13:42 2020 -0500 - - hide stdout (but not stderr) by sysctl during initramfs - -commit d69c1839cd30145c30247e0962a97cfd38f79d60 -Author: Patrick Schleizer -Date: Thu Jan 30 06:02:26 2020 -0500 - - bumped changelog version - -commit b9d65338bcc76552e4d2169106cd04e6276eb320 -Author: Patrick Schleizer -Date: Thu Jan 30 05:55:13 2020 -0500 - - unconditionally enable all CPU bugs (spectre, meltdown, L1TF, ...) - - this might reduce performance - - * `spectre_v2=on` - * `spec_store_bypass_disable=on` - * `tsx=off` - * `tsx_async_abort=full,nosmt` - - Thanks to @madaidan for the suggestion! - - https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647 - -commit 2711d0f7f08362f97383fbae81ce9d520b19dcbc -Author: Patrick Schleizer -Date: Thu Jan 30 01:22:32 2020 -0500 - - bumped changelog version - -commit 4df0d6c01cc91139dc9eef1dc4265e8cacde8cdf -Author: Patrick Schleizer -Date: Thu Jan 30 01:22:06 2020 -0500 - - readme - -commit c1a0da60beacd027c1c7c94ae44a9d7b1ab708b9 -Author: Patrick Schleizer -Date: Thu Jan 30 00:46:48 2020 -0500 - - set kernel boot parameter `l1tf=full,force` and `nosmt=force` - - https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17 - -commit efc40da4fb1fffcc760685cda0e49dc04da4c5fe -Author: Patrick Schleizer -Date: Fri Jan 24 12:02:27 2020 -0500 - - bumped changelog version - -commit 07dcb32fc28abf33eaf0425c67cc5cf9ee1f5a5b -Author: Patrick Schleizer -Date: Fri Jan 24 11:55:38 2020 -0500 - - readme - -commit f4c54881ac21ed095f54a59f9c0baf582ef76d9b -Author: Patrick Schleizer -Date: Fri Jan 24 04:49:19 2020 -0500 - - description - -commit 25317f23e3a80fdd9f6965990cd397ddcab11a4b -Author: Patrick Schleizer -Date: Fri Jan 24 04:41:16 2020 -0500 - - bumped changelog version - -commit be79f0688a47dca129ac61dd78b18a2638e8650c -Author: Patrick Schleizer -Date: Fri Jan 24 04:40:20 2020 -0500 - - readme - -commit c0d3726b002d136e602c6bdaf07c5d94c5591ee4 -Author: Patrick Schleizer -Date: Fri Jan 24 04:40:03 2020 -0500 - - comment - -commit a37da1c96880b14a8271712801e6da3d3ea766eb -Author: Patrick Schleizer -Date: Fri Jan 24 04:39:06 2020 -0500 - - add digits to drop-in file names - -commit 2ab940c60311ae38079d2ceb09e04eedac2aad90 -Author: Patrick Schleizer -Date: Fri Jan 24 04:34:18 2020 -0500 - - bumped changelog version - -commit bac6cd601baaca7453c55719e9dfa84d5109135d -Author: Patrick Schleizer -Date: Fri Jan 24 04:33:54 2020 -0500 - - readme - -commit 3a4d283169b381bdc93c4ff5ce7b08c11a0830b3 -Author: Patrick Schleizer -Date: Fri Jan 24 04:33:30 2020 -0500 - - description - -commit e0aa67677d3561cae6544c24e12021dd04f26133 -Author: Patrick Schleizer -Date: Fri Jan 24 04:30:36 2020 -0500 - - merge the many modprobe.d config files into 1 - - and use a name starting with double digits - - to make it easier to disable settings using a lexically higher config file - -commit 6a4c493213929b354a3c8d2acf2325473ae63cfd -Author: Patrick Schleizer -Date: Fri Jan 24 04:26:36 2020 -0500 - - merge the many sysctl config files into 1 - - and use a name starting with double digits - - to make it easier to disable settings using a lexically higher config file - -commit f653b94e7747436323e2083d416ab86560e3cd71 -Author: Patrick Schleizer -Date: Fri Jan 24 03:49:02 2020 -0500 - - bumped changelog version - -commit ca057713e2e1f3c4a47216aadb51ba0ca012e39e -Author: Patrick Schleizer -Date: Fri Jan 24 03:39:04 2020 -0500 - - readme - -commit 8616728ce0a6e5eaa799949abb5bfccd0a7effa7 -Author: Patrick Schleizer -Date: Fri Jan 24 03:35:15 2020 -0500 - - remove duplicate - -commit d4a37b6df2a2de4822e3e4bac93ca3e10712af7c -Author: Patrick Schleizer -Date: Fri Jan 24 03:18:17 2020 -0500 - - remove-system.map: source /usr/lib/helper-scripts/pre.bsh - -commit 3b283ec00f03b580d2f8b76f95449240a163dd48 -Author: Patrick Schleizer -Date: Wed Jan 22 07:10:47 2020 -0500 - - bumped changelog version - -commit 531f17cb68b331beb19a6e6c8b76575ebe38f95e -Author: Patrick Schleizer -Date: Wed Jan 22 07:08:08 2020 -0500 - - add update initramfs trigger - - https://github.com/Whonix/security-misc/pull/53 - -commit df0b2afda1e1d5a3fddfd8c48b62a5de8295d687 -Author: Patrick Schleizer -Date: Tue Jan 21 10:12:32 2020 -0500 - - bumped changelog version - -commit 18041efa2f704d2a177b033ff8008aacdb7dde3f -Author: Patrick Schleizer -Date: Tue Jan 21 10:01:17 2020 -0500 - - fix pam tally2 check when read-only disk boot without ro-mode-init or grub-live - -commit 627b95e0b363e2e46a5de8a7aa5065bc66242293 -Author: Patrick Schleizer -Date: Mon Jan 20 08:51:25 2020 -0500 - - bumped changelog version - -commit fbe9b60d95d43452bf661461197efced431806a5 -Author: Patrick Schleizer -Date: Mon Jan 20 08:49:02 2020 -0500 - - fix Whonix / Kicksecure - - /var/lib/dpkg/tmp.ci/preinst: ERROR: No user is a member of group 'console'. Installation aborted. - /var/lib/dpkg/tmp.ci/preinst: ERROR: You probably want to run: - - sudo adduser user console - -commit 960e1ff6e82f8593c2d242a6a0f1e1cf5805c85b -Author: Patrick Schleizer -Date: Fri Jan 17 03:32:57 2020 -0500 - - bumped changelog version - -commit 130434186811930d40407115af99116d4982da49 -Author: Patrick Schleizer -Date: Fri Jan 17 03:10:56 2020 -0500 - - readme - -commit 6f8d89c6c5609ed83d9dcd174375cb1ccfca91d8 -Author: Patrick Schleizer -Date: Wed Jan 15 15:54:06 2020 -0500 - - error handling - -commit 7211f6e0199d2ccb50437c7a5b0842050590b5dc -Merge: e110ea0 f6cc76a -Author: Patrick Schleizer -Date: Wed Jan 15 15:53:36 2020 -0500 - - Merge remote-tracking branch 'origin/master' - -commit f6cc76acd729428f83d3497a2e83bfc4b14f1ff8 -Merge: e110ea0 1df48a2 -Author: Patrick Schleizer -Date: Wed Jan 15 20:52:33 2020 +0000 - - Merge pull request #55 from madaidan/sysctl.conf - - Process sysctl.conf in initramfs - -commit 1df48a226d83b98dadc8bfb8dbc479dd656e2313 -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Wed Jan 15 20:30:17 2020 +0000 - - Update control - -commit f7fde60b67a7ef44658cde3b835565407aafd133 -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Wed Jan 15 20:28:32 2020 +0000 - - Process sysctl.conf too - -commit e110ea0b84329dfbe0175298b21e7732f7105436 -Author: Patrick Schleizer -Date: Wed Jan 15 11:37:52 2020 -0500 - - bumped changelog version - -commit 0f17596aacb86afb7abcdd4781a9995dde23d3bb -Author: Patrick Schleizer -Date: Wed Jan 15 11:35:41 2020 -0500 - - readme - -commit 0618b5346493723865cc6f2a632822c8b6fa690a -Author: Patrick Schleizer -Date: Wed Jan 15 11:35:07 2020 -0500 - - fix lintian warning - -commit 47ce3bec75f9aeb808993a70579ba93d2527a371 -Author: Patrick Schleizer -Date: Wed Jan 15 11:05:54 2020 -0500 - - bumped changelog version - -commit 73e830d0ac1ece338b0e80ca1a020d84a15d1774 -Author: Patrick Schleizer -Date: Wed Jan 15 10:08:57 2020 -0500 - - readme - -commit 8ab4623f8e81ad1b67858b458f2ae4085e7c8e65 -Merge: 8015954 087465a -Author: Patrick Schleizer -Date: Wed Jan 15 06:06:39 2020 -0500 - - Merge remote-tracking branch 'origin/master' - -commit 087465a0cdecc4765f7b659256cdd5e8cdef73ab -Merge: 8015954 528c5fc -Author: Patrick Schleizer -Date: Wed Jan 15 11:02:30 2020 +0000 - - Merge pull request #53 from madaidan/sysctl-initramfs - - Set sysctl values in initramfs - -commit 528c5fc4c41026396a63ac91af7c156dd0d4f191 -Merge: 9dc43ea 8015954 -Author: Patrick Schleizer -Date: Wed Jan 15 11:02:03 2020 +0000 - - Merge branch 'master' into sysctl-initramfs - -commit 80159545a580830565ec01a507915add9c44838a -Author: Patrick Schleizer -Date: Wed Jan 15 02:42:10 2020 -0500 - - fix xfce4-power-manager xfpm-power-backlight-helper pkexec lxsudo popup - - https://forums.whonix.org/t/xfce4-power-manager-xfpm-power-backlight-helper-pkexec-lxsudo-popup/8764 - - do show lxqt-sudo password prompt if there is a sudoers exceptoin - - improved pkexec wrapper logging - -commit d90ca4b1ad18289d6bcfcef51cfb032a0b4423eb -Author: Patrick Schleizer -Date: Tue Jan 14 15:12:13 2020 -0500 - - refactoring - -commit 082f04f2d4101828455a4a9b2852376a72ced6ce -Author: Patrick Schleizer -Date: Tue Jan 14 15:04:58 2020 -0500 - - add logging to pkexec wrapper - -commit 1059ccf2254d0aac40d2c14680fea2a4012a2d66 -Author: Patrick Schleizer -Date: Tue Jan 14 09:28:28 2020 -0500 - - bumped changelog version - -commit 660837dc380440f6b00d3baf9395222376163b3b -Author: Patrick Schleizer -Date: Tue Jan 14 09:25:32 2020 -0500 - - fix case when user "user" does not exists - -commit 18c726c3eebc93f69062f1e4c1d3c7ab394985c3 -Author: Patrick Schleizer -Date: Tue Jan 14 09:23:02 2020 -0500 - - comment - -commit b8652681e741236af2e20876d7103b2dfb0ae9bf -Author: Patrick Schleizer -Date: Tue Jan 14 09:21:47 2020 -0500 - - fix legacy - -commit cc21f912a372faef8322801e9a48882f29159c2d -Author: Patrick Schleizer -Date: Tue Jan 14 09:20:36 2020 -0500 - - bumped changelog version - -commit 2078cd237f2aaad8d68c1c5eab3f9942460ecd3c -Author: Patrick Schleizer -Date: Tue Jan 14 09:18:30 2020 -0500 - - readme - -commit c377c5ff83437a5447ecc9c873150421f4f1e691 -Merge: 8341242 539f24b -Author: Patrick Schleizer -Date: Tue Jan 14 09:01:38 2020 -0500 - - Merge remote-tracking branch 'origin/master' - -commit 539f24b65ee7739487d8038fcb1fdfb1ed62ab22 -Merge: 8341242 0953bbe -Author: Patrick Schleizer -Date: Tue Jan 14 14:01:17 2020 +0000 - - Merge pull request #54 from madaidan/panic_on_oops - - Document panic_on_oops - -commit 0953bbe1d7f3e789aef2218a65c14c586dab4bcb -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Mon Jan 13 21:05:35 2020 +0000 - - Update control - -commit 9dc43eae38b55951cae2a9bf93114bcf742f8c8b -Author: madaidan <> -Date: Sun Jan 12 21:42:07 2020 +0000 - - Description - -commit 8c4e0ff1c4d6191dbb40b28cfc23a8185cc0cbdb -Author: madaidan -Date: Sun Jan 12 21:37:37 2020 +0000 - - Set sysctl values in initramfs - -commit 8341242abc342d9cbd82afe12f512daf73a9e59a -Author: Patrick Schleizer -Date: Sat Jan 11 15:19:29 2020 -0500 - - bumped changelog version - -commit 130a4cf6d433f4d862e10e31abbc2b1f3b1614d2 -Author: Patrick Schleizer -Date: Sat Jan 11 15:17:06 2020 -0500 - - readme - -commit 61a2d390a7d6195d556898db8afa57822a9bc76a -Author: Patrick Schleizer -Date: Sat Jan 11 15:15:12 2020 -0500 - - lintian - -commit 3fae8e771ffbdd3023921b296e46cf982034d2ac -Merge: 13a1e13 e9f4dbd -Author: Patrick Schleizer -Date: Sat Jan 11 15:14:43 2020 -0500 - - Merge remote-tracking branch 'origin/master' - -commit e9f4dbdda579db83f330054253100bc7c5d1e2be -Merge: 13a1e13 6088444 -Author: Patrick Schleizer -Date: Sat Jan 11 20:14:10 2020 +0000 - - Merge pull request #52 from madaidan/vivid - - Blacklist the vivid kernel module - -commit 6088444c371f021ca23daa3a0ab1ee431d429a61 -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Sat Jan 11 18:38:17 2020 +0000 - - Update control - -commit a662a76a52970530a4a3c3d6a284ce9400dc74c6 -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Sat Jan 11 18:37:00 2020 +0000 - - Blacklist vivid - -commit 13a1e1321e05965ad9449fafa4406c4d3b781dcf -Author: Patrick Schleizer -Date: Wed Jan 1 05:59:59 2020 -0500 - - bumped changelog version - -commit 5031e7cc4b8bfc4037ba6ea029e20637090ccacb -Author: Patrick Schleizer -Date: Tue Dec 31 08:18:38 2019 -0500 - - better output if trying to login with non-existing user - -commit b2bdeb90957da4ebe38e7f12fba0330b89e0983d -Author: Patrick Schleizer -Date: Tue Dec 31 06:08:32 2019 -0500 - - bumped changelog version - -commit 2a3aae62b1cf97313b925fac94261e28af7ea3d1 -Author: Patrick Schleizer -Date: Tue Dec 31 06:06:52 2019 -0500 - - fix - -commit 427deec3f50664f2fbb244b6cf060bb5b9e821b6 -Author: Patrick Schleizer -Date: Tue Dec 31 06:03:48 2019 -0500 - - bumped changelog version - -commit e89552c9846f85b4bbf73595080d71dcd873fe29 -Author: Patrick Schleizer -Date: Tue Dec 31 05:55:44 2019 -0500 - - add user "user" to group "console" in Whonix and Kicksecure - - enable Console Lockdown in Whonix and Kicksecure - -commit b5a2d1dc581b53974aaa148f6d8f3054c9d1c5fe -Author: Patrick Schleizer -Date: Tue Dec 31 02:54:58 2019 -0500 - - bumped changelog version - -commit 20697db3ee5d227176c4d31e6c96454a64f47797 -Author: Patrick Schleizer -Date: Tue Dec 31 02:53:02 2019 -0500 - - improve console lockdown info output - -commit 788914de95ee9299d685e8b65466feee1085cf18 -Author: Patrick Schleizer -Date: Tue Dec 31 02:46:32 2019 -0500 - - group ssh check was removed - - https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/27 - -commit 06ed728d791abe0ad3c93091fd8ebc088f73c4ef -Author: Patrick Schleizer -Date: Mon Dec 30 06:42:14 2019 -0500 - - bumped changelog version - -commit f3ff32ddbb8a7cf7555b9f1b2154e83154532a3d -Author: Patrick Schleizer -Date: Mon Dec 30 06:39:24 2019 -0500 - - Protect /bin/mount from 'chmod -x'. - - /bin/mount exactwhitelist - /usr/bin/mount exactwhitelist - - Remove SUID from 'mount' but keep executable. - - /bin/mount 745 root root - /usr/bin/mount 745 root root - - https://forums.whonix.org/t/disable-suid-binaries/7706/61 - -commit e4e9c4e3b09138af25e94a6db81b0f759ddb4d1b -Author: Patrick Schleizer -Date: Mon Dec 30 05:59:43 2019 -0500 - - bumped changelog version - -commit 9c0d6b605707dbcb7db9cd227257a5dcd612f784 -Author: Patrick Schleizer -Date: Sun Dec 29 05:09:07 2019 -0500 - - copyright - -commit edc08988f26532daf90bc4a4f007aef53e62eeaf -Author: Patrick Schleizer -Date: Sun Dec 29 05:08:53 2019 -0500 - - copyright - -commit 9156d3584cd7ba9064d5af54afd95b6d8e73907b -Author: Patrick Schleizer -Date: Sun Dec 29 04:59:05 2019 -0500 - - Description - -commit 3ea946b365d8b05cabce63f4d26b3153559aa465 -Author: Patrick Schleizer -Date: Sun Dec 29 04:56:51 2019 -0500 - - RemainAfterExit=yes - -commit 2787ae976580d20ea4da5213c7f624f984510934 -Author: Patrick Schleizer -Date: Sun Dec 29 04:56:35 2019 -0500 - - copyright - -commit 6d56eb9ef0e2cfbba46df2294deb9c8e6b9aa2b7 -Author: Patrick Schleizer -Date: Sun Dec 29 04:56:18 2019 -0500 - - minor - -commit 0e14706f32728123f1d345b73266934fe454a989 -Author: Patrick Schleizer -Date: Sun Dec 29 04:45:26 2019 -0500 - - copyright - -commit 1a0f7a77335940a11e33ca519d8f64429b8ee966 -Author: Patrick Schleizer -Date: Sun Dec 29 04:43:32 2019 -0500 - - debugging - -commit 5271892cb1e4646b79388d064227d4662b682583 -Author: Patrick Schleizer -Date: Sun Dec 29 04:42:54 2019 -0500 - - debugging - -commit 683028049c46516ba105b1b73364960b3b87efd6 -Author: Patrick Schleizer -Date: Sun Dec 29 04:41:23 2019 -0500 - - debugging - -commit e3e1ff2a310c46fab67309edd88e73096843edcb -Author: Patrick Schleizer -Date: Sun Dec 29 04:35:46 2019 -0500 - - exit with error if a config line cannot be processed rather than skipping - - https://forums.whonix.org/t/disable-suid-binaries/7706/59 - -commit d5c99f3a60372a00ded4b1b4340775aab1421d31 -Author: Patrick Schleizer -Date: Sun Dec 29 04:27:21 2019 -0500 - - output - -commit e5623fcd2b32b58e72c2ef80955072f013672e0d -Author: Patrick Schleizer -Date: Sun Dec 29 04:21:52 2019 -0500 - - comment - -commit d7f58db52c926c11157671c4555ca97f02929a76 -Author: Patrick Schleizer -Date: Fri Dec 27 05:30:12 2019 -0500 - - bumped changelog version - -commit 674840e6f9fb362dc713da3edde07132b5ae17d4 -Author: Patrick Schleizer -Date: Thu Dec 26 05:44:35 2019 -0500 - - /fusermount matchwhitelist - - unbreak AppImages such as electrum Bitcoin wallet - - https://forums.whonix.org/t/disable-suid-binaries/7706/57 - -commit 507a30d6e39f17fcb09b92033fe1d831e7d4baf4 -Author: Patrick Schleizer -Date: Tue Dec 24 18:35:49 2019 -0500 - - bumped changelog version - -commit 04f438f75d4566822026373e78988e9d4e42b8b5 -Author: Patrick Schleizer -Date: Tue Dec 24 18:09:37 2019 -0500 - - comment - -commit 9da0e428ed4635fb5ca98b2d72b56b553404a742 -Author: Patrick Schleizer -Date: Tue Dec 24 17:54:31 2019 -0500 - - debugging - -commit e18ec533c3ebb382f974d30db3cd1f5eace648c2 -Author: Patrick Schleizer -Date: Tue Dec 24 17:54:02 2019 -0500 - - comment - -commit 0326cd5ee9371213420d2afdcbfb0a05d9a808e6 -Author: Patrick Schleizer -Date: Tue Dec 24 08:07:55 2019 -0500 - - bumped changelog version - -commit ede536913daa0c7ddfe55e20c93d7b752daa5de3 -Author: Patrick Schleizer -Date: Tue Dec 24 06:00:41 2019 -0500 - - no longer hardcode amd64 - -commit d03a3d9ac03bc29ba349107855936dd194e12271 -Merge: 9d77d88 27a42a9 -Author: Patrick Schleizer -Date: Tue Dec 24 05:57:24 2019 -0500 - - Merge remote-tracking branch 'origin/master' - -commit 27a42a9da82bc1f22135ffa509925f63177f25d9 -Merge: ac49c55 79241c5 -Author: Patrick Schleizer -Date: Tue Dec 24 10:55:11 2019 +0000 - - Merge pull request #50 from madaidan/modules - - Make /lib/modules unreadable - -commit ac49c55d1fafff5f36bd7c595f50db295ff616a2 -Merge: 0c3d4ad 98e88d1 -Author: Patrick Schleizer -Date: Tue Dec 24 10:55:03 2019 +0000 - - Merge pull request #49 from madaidan/kver - - Detect kernel upgrades - -commit 0c3d4ad255de75b57a2e316bf8a7fd77a2fc0d4d -Merge: 9d77d88 d1a0650 -Author: Patrick Schleizer -Date: Tue Dec 24 10:54:23 2019 +0000 - - Merge pull request #48 from madaidan/kernel-hardening - - Use only one slub_debug parameter - -commit 79241c5d09c4a7123cf90b45289b53d893135efb -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Mon Dec 23 20:28:29 2019 +0000 - - Make /lib/modules unreadable - -commit 98e88d1456ca0e8fa23809115c51c380a4bb2d3b -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Mon Dec 23 19:57:43 2019 +0000 - - Detect kernel upgrades - -commit d1a0650fd944973ab614c1da06f8e555b31b73ae -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Mon Dec 23 19:44:52 2019 +0000 - - Use only one slub_debug parameter - -commit 9d77d88a4dfd0f42a2a671bbec49f4ebd90af882 -Author: Patrick Schleizer -Date: Mon Dec 23 09:39:50 2019 -0500 - - comments - -commit 7a80837b4f0a7201f3e092ad9b99b4cddb6043b3 -Author: Patrick Schleizer -Date: Mon Dec 23 08:48:04 2019 -0500 - - bumped changelog version - -commit 617c0a0e15f1c113b6e7fd748bb75978e4f23fcd -Author: Patrick Schleizer -Date: Mon Dec 23 07:21:26 2019 -0500 - - disable remount-secure.service - Disable for now until development finished / tested. - -commit 3e131174d5919303462295cb0852a9254885ae7c -Author: Patrick Schleizer -Date: Mon Dec 23 05:00:35 2019 -0500 - - comments - -commit bef41a38c26548d50101f7ea636316e1e2107a55 -Author: Patrick Schleizer -Date: Mon Dec 23 03:58:00 2019 -0500 - - bumped changelog version - -commit 046ceeae4df3b45916f35b0789af341c4f3d911a -Author: Patrick Schleizer -Date: Mon Dec 23 03:57:36 2019 -0500 - - readme - -commit 9f072ce4f99467f82986be348c9cedc2eb7f017d -Author: Patrick Schleizer -Date: Mon Dec 23 03:46:02 2019 -0500 - - comment - -commit 26fe9394fff2eb5be2f19272ea76ed187a8237e5 -Author: Patrick Schleizer -Date: Mon Dec 23 03:41:54 2019 -0500 - - disable lockdown for now due to module loading - -commit 9ec5b0ee82263e1afb38c44348e69437ddc5c9c2 -Author: Patrick Schleizer -Date: Mon Dec 23 03:38:49 2019 -0500 - - description: lockdown not enabled yet - -commit b05669accfe6fac8070003bbd57939ca2c621445 -Merge: 11b4192 1ff51ee -Author: Patrick Schleizer -Date: Mon Dec 23 03:38:04 2019 -0500 - - Merge branch 'madaidan-kernel-hardening' - -commit 1ff51ee061dcdb1a898ebb68c0267ce926e0fca0 -Author: Patrick Schleizer -Date: Mon Dec 23 03:37:28 2019 -0500 - - merge - -commit 535c258b834028e5638fd2b37b1a6f352e2b4558 -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Wed Dec 18 20:43:01 2019 +0000 - - More kernel hardening - -commit 11b4192fbdbc02af97e7dc32677bdb3a549b0000 -Author: Patrick Schleizer -Date: Mon Dec 23 03:28:42 2019 -0500 - - comments - -commit 42ff53e9ad26190dcbff154f6cfd039e3f6bdf83 -Author: Patrick Schleizer -Date: Mon Dec 23 02:42:07 2019 -0500 - - bumped changelog version - -commit 2152fa2d61fa72935b70e60b98ccbe2e1b31db43 -Author: Patrick Schleizer -Date: Mon Dec 23 02:38:53 2019 -0500 - - comment - -commit f8f2e6c7041d98572452be2e53094d0c539b1616 -Author: Patrick Schleizer -Date: Mon Dec 23 02:35:13 2019 -0500 - - fix disablewhitelist feature - -commit 47ddcad0c0af27093f61cf77008224bf66572532 -Author: Patrick Schleizer -Date: Mon Dec 23 02:29:47 2019 -0500 - - rename keyword whitelist to exactwhitelist - - add new keyword disablewhitelist - - refactoring - -commit 175d1c284552a08881286e8c3ca5d8eb9b97a144 -Author: Patrick Schleizer -Date: Mon Dec 23 02:13:13 2019 -0500 - - bumped changelog version - -commit 0409aac3aeb7acc273e19b16e78409994c731f2a -Author: Patrick Schleizer -Date: Mon Dec 23 02:09:04 2019 -0500 - - readme - -commit 1ff56625a170c392f6099b41f371c56032362ea0 -Author: Patrick Schleizer -Date: Mon Dec 23 01:42:03 2019 -0500 - - polkit-agent-helper-1 matchwhitelist to match both - - - /usr/lib/policykit-1/polkit-agent-helper-1 matchwhitelist - - /lib/policykit-1/polkit-agent-helper-1 - -commit d484b299ea1a93a401d00a212d675b5837b8aaa9 -Author: Patrick Schleizer -Date: Mon Dec 23 01:38:31 2019 -0500 - - matchwhitelist /qubes/qfile-unpacker to match both - - - /usr/lib/qubes/qfile-unpacker whitelist - - /lib/qubes/qfile-unpacker - -commit 34bf2457136db227cc27a5d0fe9282f09780a310 -Author: Patrick Schleizer -Date: Mon Dec 23 01:35:45 2019 -0500 - - output - -commit ba30e45d15ec53b2d0a67ce96f5132d3f59bf870 -Author: Patrick Schleizer -Date: Mon Dec 23 01:32:42 2019 -0500 - - output - -commit ee9c5742da99673785068b0393e3587a77c99a31 -Author: Patrick Schleizer -Date: Mon Dec 23 01:29:48 2019 -0500 - - output - -commit 6d05359abcf460cbec266401530a9ab1aaaaf47f -Author: Patrick Schleizer -Date: Mon Dec 23 01:21:52 2019 -0500 - - output - -commit a1e78e8515a87ebc8fc2211b3e1e91824fd3865a -Author: Patrick Schleizer -Date: Mon Dec 23 01:20:56 2019 -0500 - - fix needlessly re-adding entries - -commit 906b3d32e769bbd30ed5698268899a7d2ec71d95 -Author: Patrick Schleizer -Date: Mon Dec 23 01:09:57 2019 -0500 - - output - -commit 4f76867da6ce5710cf486175cd84adcd72640049 -Author: Patrick Schleizer -Date: Mon Dec 23 01:08:02 2019 -0500 - - lower debugging - -commit dc6e5d8508a09bd7f2b9bfed02bc502797c11361 -Author: Patrick Schleizer -Date: Mon Dec 23 01:06:38 2019 -0500 - - fix - -commit 87b999f92aab4f4176f366308c27c4fe5471580c -Author: Patrick Schleizer -Date: Mon Dec 23 00:59:43 2019 -0500 - - refactoring - -commit 065ff4bd058ab26df3d3af1022da9d6a7405ab61 -Author: Patrick Schleizer -Date: Mon Dec 23 00:59:24 2019 -0500 - - sanity_tests - -commit fef1469fe62bf923ba89077934c8b0e5d8cd0258 -Author: Patrick Schleizer -Date: Mon Dec 23 00:51:14 2019 -0500 - - exit non-zero if capability removal failed - -commit 3670fcf48baecffe098c96eb67cbd601bc3e0069 -Author: Patrick Schleizer -Date: Mon Dec 23 00:49:33 2019 -0500 - - depend on libcap2-bin for setcap / getcap / capsh - -commit 17a8c294702acb30c397abc984d69c356cec2cd7 -Author: Patrick Schleizer -Date: Mon Dec 23 00:47:49 2019 -0500 - - fix capability removal error handling - - https://forums.whonix.org/t/disable-suid-binaries/7706/45 - -commit b631e2ecd8ae0e08850edd81bf64b02666fb6234 -Author: Patrick Schleizer -Date: Mon Dec 23 00:36:41 2019 -0500 - - refactoring - -commit 7aea304549cea2c885c2d813c7a15f617f4ebf2a -Author: Patrick Schleizer -Date: Mon Dec 23 00:26:15 2019 -0500 - - comment - -commit f4b1df02ee66309d12724cf7124b14180c855f14 -Author: Patrick Schleizer -Date: Sun Dec 22 19:42:40 2019 -0500 - - Remove suid / gid and execute permission for 'group' and 'others'. - - Similar to: chmod og-ugx /path/to/filename - - Removing execution permission is useful to make binaries such as 'su' fail closed rather - than fail open if suid was removed from these. - - Do not remove read access since no security benefit and easier to manually undo for users. - - chmod 744 - -commit 58a4e0bc7d1b87d4d169f31dc5935c75e929c0b4 -Author: Patrick Schleizer -Date: Sun Dec 22 19:12:10 2019 -0500 - - dbus-daemon-launch-helper matchwhitelist - -commit 15e3a2832da603f5caa9aadc6d68aaf503f013c9 -Author: Patrick Schleizer -Date: Sun Dec 22 18:57:23 2019 -0500 - - comment - -commit 6eb8fd257aecd84686b4d7a9824a98bace9a705e -Author: Patrick Schleizer -Date: Sun Dec 22 18:56:36 2019 -0500 - - suid utempter/utempter matchwhitelist - - to cover both: - - /usr/lib/x86_64-linux-gnu/utempter/utempter - /lib/x86_64-linux-gnu/utempter/utempter - -commit 9409209b48fb8f803b88d72c0e7febaa74f5bd2c -Merge: 008ce48 bce02ff -Author: Patrick Schleizer -Date: Sun Dec 22 10:29:08 2019 -0500 - - Merge remote-tracking branch 'origin/master' - -commit bce02ffdc01c22c8d5528eb5eaa7729a6b3137dd -Merge: 008ce48 8f11a52 -Author: Patrick Schleizer -Date: Sun Dec 22 15:26:07 2019 +0000 - - Merge pull request #47 from madaidan/msr - - Blacklist CPU MSRs - -commit 8f11a520f4c406fa3187ad530f945a564b78a28c -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Sun Dec 22 13:54:16 2019 +0000 - - Update control - -commit dd93b11321e171c56affcd660c0830d6a91ad87e -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Sun Dec 22 13:52:43 2019 +0000 - - Blacklist CPU MSRs - -commit 008ce4817c6ad2218af05d14626b0f2c70a6e90d -Author: Patrick Schleizer -Date: Sat Dec 21 14:55:03 2019 -0500 - - bumped changelog version - -commit d300db3cde0f7ee8e3884a1225ec1d196a318728 -Author: Patrick Schleizer -Date: Sat Dec 21 14:45:11 2019 -0500 - - output - -commit 3921846df6e21a80d87f451e89f96f5b3092dd53 -Author: Patrick Schleizer -Date: Sat Dec 21 14:36:42 2019 -0500 - - comment - -commit 1213415ce649e7305af0b6c6ef2f8435caab5cd8 -Author: Patrick Schleizer -Date: Sat Dec 21 14:23:35 2019 -0500 - - bumped changelog version - -commit 2ddf7b5db5d335d4f64d0df2c0caab0c80a2a046 -Author: Patrick Schleizer -Date: Sat Dec 21 14:06:51 2019 -0500 - - /lib/ nosuid - -commit 1e8457ea476a693dd1e455e4c455bf2e763cec23 -Author: Patrick Schleizer -Date: Sat Dec 21 14:06:10 2019 -0500 - - no longer remount /lib - - https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707/25 - -commit 10c19d6a8fc6b6bc03067dc3be88f486aa78d438 -Merge: b2260f4 fffdf50 -Author: Patrick Schleizer -Date: Sat Dec 21 13:00:41 2019 -0500 - - Merge remote-tracking branch 'origin/master' - -commit fffdf5090c707c698de4adacfd5837809b33aa99 -Merge: 1c99b56 f5a52ae -Author: Patrick Schleizer -Date: Sat Dec 21 17:59:56 2019 +0000 - - Merge pull request #46 from madaidan/remount-secure - - Don't remount /sys/kernel/security - -commit f5a52aeddc4742b4dbd8a0075d759b2ceaaae691 -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Sat Dec 21 14:55:28 2019 +0000 - - Don't remount /sys/kernel/security - -commit b2260f48f4ab978b531d8ca9df2dc1a787b6666f -Author: Patrick Schleizer -Date: Sat Dec 21 08:03:33 2019 -0500 - - add support for /etc/exec / /usr/local/etc/exec - - to allow enabling exec on a per VM basis - -commit 1c99b56c9b99cceab6fe38580d06197dd4bcfb77 -Author: Patrick Schleizer -Date: Sat Dec 21 07:49:55 2019 -0500 - - bumped changelog version - -commit 161b6f6b885586cd65b8ac13b0bd113691465522 -Author: Patrick Schleizer -Date: Sat Dec 21 07:49:29 2019 -0500 - - readme - -commit b74e5ca97244209e041f55483027365eacdf44c9 -Author: Patrick Schleizer -Date: Sat Dec 21 07:47:00 2019 -0500 - - comment - -commit 8fb17624bc3471a3676e76b3695179cde1ec21da -Author: Patrick Schleizer -Date: Sat Dec 21 07:44:51 2019 -0500 - - comment - -commit aef796a524f9156b584a7d8d203decc446c5d3b9 -Author: Patrick Schleizer -Date: Sat Dec 21 07:44:23 2019 -0500 - - disable debugging - -commit 1fe83d683f97af6730948aecce3216a51979c695 -Author: Patrick Schleizer -Date: Sat Dec 21 07:43:55 2019 -0500 - - comment - -commit 7c3da38bd53427501bcb0ac0d56bd626ce9e6adb -Author: Patrick Schleizer -Date: Sat Dec 21 07:42:25 2019 -0500 - - comment - -commit 9050058bc2427a701095901a5bd275767437391b -Author: Patrick Schleizer -Date: Sat Dec 21 07:42:01 2019 -0500 - - fix - -commit 0c4db8c2b054a10554f163c31e3e626a80981c52 -Author: Patrick Schleizer -Date: Sat Dec 21 07:38:25 2019 -0500 - - bumped changelog version - -commit 6b13a644df279ec3ccf3814e86233baafc0cf437 -Author: Patrick Schleizer -Date: Sat Dec 21 07:37:41 2019 -0500 - - add /usr/lib/security-misc/permission-hardening-undo - -commit af8b04b73d6d64792fc1ffb7f6b04b273c0ca7ec -Author: Patrick Schleizer -Date: Sat Dec 21 06:58:01 2019 -0500 - - rm_conffile /etc/apparmor.d/usr.lib.security-misc.pam_tally2-info - rm_conffile /etc/apparmor.d/usr.lib.security-misc.permission-lockdown - - https://github.com/Whonix/security-misc/pull/45 - -commit 2350e0f5d06d9625835ba1547aab0054b795c0c5 -Merge: 3ea5871 efd65a3 -Author: Patrick Schleizer -Date: Sat Dec 21 06:57:10 2019 -0500 - - Merge remote-tracking branch 'origin/master' - -commit efd65a3f15fc9380e2019c9d7ad0bf82adcc230d -Merge: c336bc4 c28ddf5 -Author: Patrick Schleizer -Date: Sat Dec 21 11:56:31 2019 +0000 - - Merge pull request #45 from madaidan/apparmor - - Delete apparmor profiles - -commit 3ea587187e9d0a927799a66d15d163ee56a41978 -Author: Patrick Schleizer -Date: Sat Dec 21 06:53:07 2019 -0500 - - no need to exclude xorg nosuid on Debian - - http://forums.whonix.org/t/permission-hardening/8655/25 - -commit c336bc4fd229d9a6370df5520aaa4e872465de5a -Author: Patrick Schleizer -Date: Sat Dec 21 06:39:13 2019 -0500 - - comment - -commit fac17a963d3dec1b399fd9b41ebebcedb7e90f43 -Author: Patrick Schleizer -Date: Sat Dec 21 06:28:19 2019 -0500 - - bumped changelog version - -commit b5f88efe2072eca99c245fc60442c82a270fab8e -Author: Patrick Schleizer -Date: Sat Dec 21 06:27:01 2019 -0500 - - fix - -commit 2088628c8d44306e51c8a1407caee99e5eb4ce5b -Author: Patrick Schleizer -Date: Sat Dec 21 06:24:08 2019 -0500 - - debugging - -commit 2dca031527fa38a932619ed2336a5aa472a85205 -Author: Patrick Schleizer -Date: Sat Dec 21 06:22:46 2019 -0500 - - debugging - -commit 195e00cc8796d532a68f90b7c1f8f30d17f24246 -Author: Patrick Schleizer -Date: Sat Dec 21 06:16:38 2019 -0500 - - output - -commit 78d33d8b57fdef3b16e8ab5b4f6b0487d51b9657 -Author: Patrick Schleizer -Date: Sat Dec 21 06:12:20 2019 -0500 - - bumped changelog version - -commit 4b21b6df4167a2a95392a39182c636bdc097bc7e -Author: Patrick Schleizer -Date: Sat Dec 21 06:11:44 2019 -0500 - - fix - -commit ff48b672a8537e65c3d0b3ccfb65fb29c2d3766c -Author: Patrick Schleizer -Date: Sat Dec 21 06:00:17 2019 -0500 - - bumped changelog version - -commit 8436da2b7b0b9d309b57ed6ab36f2042fd82f4ae -Author: Patrick Schleizer -Date: Sat Dec 21 05:58:50 2019 -0500 - - output - -commit da15265e1c311be16c1dd0a8681e630548fac0e9 -Author: Patrick Schleizer -Date: Sat Dec 21 05:55:23 2019 -0500 - - fix - -commit 2a248fe0de1b86b416c705ecce81dcb549581d9b -Author: Patrick Schleizer -Date: Sat Dec 21 05:54:39 2019 -0500 - - fix - -commit 4f12664362fb4304ed43185ed5805f686bdeb0af -Author: Patrick Schleizer -Date: Sat Dec 21 05:54:07 2019 -0500 - - output - -commit e3355843c835c650d4701a2b94b93cc0040ca419 -Author: Patrick Schleizer -Date: Sat Dec 21 05:51:22 2019 -0500 - - fix - -commit 234ec5fe93c9b03c02e076621ac919f12062c4e5 -Author: Patrick Schleizer -Date: Sat Dec 21 05:47:35 2019 -0500 - - fix - -commit 65b5adb2d731f52533bda24eb6868d9e2968e2ed -Author: Patrick Schleizer -Date: Sat Dec 21 05:38:39 2019 -0500 - - bumped changelog version - -commit 7ff900c20457ee42d415c4eddf3b08f1ac5e4461 -Author: Patrick Schleizer -Date: Sat Dec 21 05:37:43 2019 -0500 - - fix - -commit 2b5a49a61b221161f3b42d3a692d2e22df2afec2 -Author: Patrick Schleizer -Date: Sat Dec 21 05:31:55 2019 -0500 - - bumped changelog version - -commit e1a5ee4bcf5ecb447ae7da0b137f81d520673cde -Author: Patrick Schleizer -Date: Sat Dec 21 05:26:55 2019 -0500 - - output - -commit 66aaf3e22cda9bb58ab72e750a5711556cf1de25 -Author: Patrick Schleizer -Date: Sat Dec 21 05:25:54 2019 -0500 - - output - -commit 7aa7d0b5a0e3b602b527131581f350b9b32fb0d6 -Author: Patrick Schleizer -Date: Sat Dec 21 05:22:27 2019 -0500 - - improve error handling - -commit 8919d38de9206b4802b471c2f40787a2f9d70269 -Author: Patrick Schleizer -Date: Sat Dec 21 05:21:46 2019 -0500 - - disable debugging - -commit cf5dee64fd4e1c44a8726db49b8328841ee6327f -Author: Patrick Schleizer -Date: Sat Dec 21 05:18:34 2019 -0500 - - refactoring - -commit 29cd9a0c38924fc2eb7520db886efc19541476cb -Author: Patrick Schleizer -Date: Sat Dec 21 05:17:35 2019 -0500 - - fix - -commit 486027a4d75917fe2741370aa1e707b8ca14f693 -Author: Patrick Schleizer -Date: Sat Dec 21 05:15:38 2019 -0500 - - fix - -commit 1fd26be864ebd0dab8419e0b2b321522166d6271 -Author: Patrick Schleizer -Date: Sat Dec 21 05:14:51 2019 -0500 - - fix - -commit 0fc97c37beae5d48fed9ec714f19007f402952c9 -Author: Patrick Schleizer -Date: Sat Dec 21 05:14:39 2019 -0500 - - fix - -commit 1018d5b3b0b58a641aaca0419a06c246091932d5 -Author: Patrick Schleizer -Date: Sat Dec 21 05:11:51 2019 -0500 - - output - -commit 4388fc4d5ace9046c9eacb8354d9960599735ee4 -Author: Patrick Schleizer -Date: Sat Dec 21 05:11:19 2019 -0500 - - refactoring - -commit ed20980f4c6c3fb304d8436399f5e14ead7b3ae3 -Author: Patrick Schleizer -Date: Sat Dec 21 05:07:10 2019 -0500 - - refactoring - -commit 315ce86b9a66d15aea2d50f5271c228ee8bd3909 -Author: Patrick Schleizer -Date: Sat Dec 21 04:33:03 2019 -0500 - - refactoring - -commit 0c5848494b147b067afa2b70451fc7e5087823f2 -Author: Patrick Schleizer -Date: Sat Dec 21 04:21:26 2019 -0500 - - do not remount if already has intended mount options - -commit 203f4ad46e6a6950edd4b2a83f47ac71428928e5 -Author: Patrick Schleizer -Date: Sat Dec 21 04:17:10 2019 -0500 - - refactoring - -commit e7fd0dadb03e7f90adfa9ebdaf07530f02a846e7 -Author: Patrick Schleizer -Date: Sat Dec 21 04:09:35 2019 -0500 - - output - -commit e6ea21c7757ad732bd9bcce2c6a7a364780e1b14 -Author: Patrick Schleizer -Date: Sat Dec 21 04:08:35 2019 -0500 - - record existing modes in separate dpkg-statoverwrite databases - - to have a history of what was modified and to allow to undo changes - -commit 89be5f2ecb998c46ff4864996cd86b97fa56d176 -Author: Patrick Schleizer -Date: Sat Dec 21 02:05:39 2019 -0500 - - bumped changelog version - -commit c28ddf5c4dbfd92aba9a59874f529a4afe69c497 -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Fri Dec 20 22:44:31 2019 +0000 - - Delete usr.lib.security-misc.pam_tally2-info - -commit cfe69dd66900f7aad5311c02d2b4ee7b400fb90b -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Fri Dec 20 22:44:27 2019 +0000 - - Delete usr.lib.security-misc.permission-lockdown - -commit d220bb3bc4aaf923dcb2e2a48ac05dd5f1326442 -Author: Patrick Schleizer -Date: Fri Dec 20 13:07:01 2019 -0500 - - suid /usr/lib/chromium/chrome-sandbox whitelist - -commit 77b3dd5d6b5de0070da7e71154ecbe2e099e3b7f -Author: Patrick Schleizer -Date: Fri Dec 20 13:02:33 2019 -0500 - - comments - -commit d7bd477e7379cd5d74d81e81080d375041cc3b29 -Author: Patrick Schleizer -Date: Fri Dec 20 12:59:27 2019 -0500 - - add "/usr/lib/xorg/Xorg.wrap whitelist" - - until this is researched - - https://manpages.debian.org/buster/xserver-xorg-legacy/Xorg.wrap.1.en.html - https://lwn.net/Articles/590315/ - -commit 17e8605119fc671c4cbe4343851cf3c46b830508 -Author: Patrick Schleizer -Date: Fri Dec 20 12:57:24 2019 -0500 - - add matchwhitelist feature - - add "/usr/lib/virtualbox/ matchwhitelist" - -commit 3fab3876693f20303c95f03c45af9adb9ae680e2 -Author: Patrick Schleizer -Date: Fri Dec 20 12:50:35 2019 -0500 - - suid /usr/bin/firejail whitelist - - There is a controversy about firejail but those who choose to install it - should be able to use it. - https://www.whonix.org/wiki/Dev/Firejail#Security - -commit d3f16a5bf46a7d10316259788f3d97364fe2e545 -Author: Patrick Schleizer -Date: Fri Dec 20 12:47:10 2019 -0500 - - sgid /usr/lib/qubes/qfile-unpacker whitelist - -commit 508ec0c6fa44d9185aa22f5fa81ae9dbbefdb19c -Author: Patrick Schleizer -Date: Fri Dec 20 12:34:07 2019 -0500 - - comment - -commit 1b569ea7908dcba409c94dacd477d2fbfeafe522 -Author: Patrick Schleizer -Date: Fri Dec 20 12:32:36 2019 -0500 - - comment - -commit f88ca2588920ac16a6b41e8c48021bf85801c2a9 -Author: Patrick Schleizer -Date: Fri Dec 20 11:58:07 2019 -0500 - - fix terminology, sguid -> sgid - - Thanks to @madaidan for the bug report! - - https://forums.whonix.org/t/permission-hardening/8655/21 - -commit 1cd5fb6a0020504c7897acf169772d39b67f4bd4 -Author: Patrick Schleizer -Date: Fri Dec 20 11:50:25 2019 -0500 - - bumped changelog version - -commit ff0a26fb5d65450c0a2b5fb86758d3d823a717e9 -Author: Patrick Schleizer -Date: Fri Dec 20 11:49:19 2019 -0500 - - comment - -commit 71496a33ab27455d2856284d21f261dd20780dc2 -Author: Patrick Schleizer -Date: Fri Dec 20 11:47:53 2019 -0500 - - skip folders are these are not suid / guid - -commit 9321ecff4139f0776f93a9bd8c9606bcaf94f568 -Author: Patrick Schleizer -Date: Fri Dec 20 11:43:53 2019 -0500 - - no more need to add/remove / - -commit b95225b6a6b45b84778ba2427ae4628f102e6d05 -Author: Patrick Schleizer -Date: Fri Dec 20 11:37:05 2019 -0500 - - pipefail - -commit cad6f328f40bb8b3c414e2bd6c7cb86e625f6d64 -Author: Patrick Schleizer -Date: Fri Dec 20 11:34:44 2019 -0500 - - minor - -commit 3265f9894d1c677419718de52570d304a4e69279 -Author: Patrick Schleizer -Date: Fri Dec 20 11:27:43 2019 -0500 - - output - -commit 28d12c3966e3ddfadbf7d44e7c7bcdc37e1a7d25 -Author: Patrick Schleizer -Date: Fri Dec 20 11:09:22 2019 -0500 - - bumped changelog version - -commit 1615ebec58b563224c7c02cd2b1f83b0954c48ca -Author: Patrick Schleizer -Date: Fri Dec 20 11:07:44 2019 -0500 - - output - -commit 1e11b775cf1d2994f2e0da8d0191ef38eebe21a8 -Author: Patrick Schleizer -Date: Fri Dec 20 11:05:05 2019 -0500 - - output - -commit 731f80289566e118ba6c121c406775abc4c03bd4 -Author: Patrick Schleizer -Date: Fri Dec 20 11:04:12 2019 -0500 - - output - -commit cd8efe58008c7b0e90ac88ac098b3fd08e75d716 -Author: Patrick Schleizer -Date: Fri Dec 20 11:03:22 2019 -0500 - - output - -commit c0ddb76d7463753e3250fc7da466fa763ef08dd5 -Author: Patrick Schleizer -Date: Fri Dec 20 10:50:51 2019 -0500 - - bumped changelog version - -commit b31abea0af60874d4a48fd0da56978b0081eaef8 -Author: Patrick Schleizer -Date: Fri Dec 20 10:49:31 2019 -0500 - - improve error handling - -commit 79cd3b86b6e5e186da66fd329b04fb3b42c0276e -Author: Patrick Schleizer -Date: Fri Dec 20 10:47:23 2019 -0500 - - comment - -commit b3458cc6ee368968de1510e9d05ddd3791fe5f6d -Author: Patrick Schleizer -Date: Fri Dec 20 10:45:59 2019 -0500 - - fix checking existing entries to avoid needless calls to dpkg-statoverride - -commit 370f3c5e541612021fa181e39507aa4ba8131731 -Author: Patrick Schleizer -Date: Fri Dec 20 10:35:05 2019 -0500 - - comment - -commit 133d09f2984506e0b0fd2e17a893b8d3e37b8431 -Author: Patrick Schleizer -Date: Fri Dec 20 10:33:16 2019 -0500 - - output - -commit 1ffa8e197e9ba9722d5fb2695de343df9d9db597 -Author: Patrick Schleizer -Date: Fri Dec 20 10:31:26 2019 -0500 - - speed up setuid removal by using find with '-perm /u=s,g=s' - - https://forums.whonix.org/t/permission-hardening/8655/19 - -commit 4cfdf2c65b57f410163653304871ee3eb1d3f6ea -Author: Patrick Schleizer -Date: Fri Dec 20 10:21:27 2019 -0500 - - fix, re-enforce nosuid even if changed on the disk - -commit e36868e675cbd80a36053956dbef71992cceca24 -Author: Patrick Schleizer -Date: Fri Dec 20 10:02:46 2019 -0500 - - output - -commit 50b8f65490555d9d12fd28991040c00a358b3b84 -Author: Patrick Schleizer -Date: Fri Dec 20 09:59:28 2019 -0500 - - add sanity test: count if we really processed all files - -commit e28da89253f646969cdc2b0b46617bd603f917a5 -Author: Patrick Schleizer -Date: Fri Dec 20 09:48:06 2019 -0500 - - /bin/sudo whitelist / /bin/bwrap whitelist - -commit 55faa7b9978df52bcb98a562554473f80db1f171 -Author: Patrick Schleizer -Date: Fri Dec 20 09:43:23 2019 -0500 - - fix missing processing files bug - - https://forums.whonix.org/t/permission-hardening/8655/16 - -commit fbe2479f486add30cd29f5c4063a140c42c502fe -Author: Patrick Schleizer -Date: Fri Dec 20 08:54:56 2019 -0500 - - count processed file system objects - - to be able to verify if any were "forgotten" - -commit 195ea522f5a8582851792b53047185717a6f679e -Author: Patrick Schleizer -Date: Fri Dec 20 08:52:14 2019 -0500 - - fix - -commit 6f8231be70940e2afb0ec8e4a0d60bb4f166f5b9 -Author: Patrick Schleizer -Date: Fri Dec 20 08:51:55 2019 -0500 - - debugging - -commit ed50f98010c8b7878d518273703e00fa561e980b -Author: Patrick Schleizer -Date: Fri Dec 20 08:47:22 2019 -0500 - - output - -commit 089c40135f2a7f0da128808a27b696e36aff6821 -Author: Patrick Schleizer -Date: Fri Dec 20 08:15:00 2019 -0500 - - bumped changelog version - -commit 6d30e3b4a2c0e5cf53d88b4a033511aa49b8f227 -Author: Patrick Schleizer -Date: Fri Dec 20 08:13:23 2019 -0500 - - do not remove suid from whitelisted binaries ever - - https://forums.whonix.org/t/permission-hardening/8655/13 - -commit d5f1bd8dd29a4f9e1ccb6fed82a255f7b7abfe6f -Author: Patrick Schleizer -Date: Fri Dec 20 08:02:30 2019 -0500 - - fix mode sanity check - - no longer use seq due to issue - - https://forums.whonix.org/t/permission-hardening/8655/13 - -commit ddc0eec63d744e4600f3b1b8cdf60fef6d647cbe -Author: Patrick Schleizer -Date: Fri Dec 20 07:12:36 2019 -0500 - - bumped changelog version - -commit 65248a94efa4646127d8e11447e49a37f3ff986e -Author: Patrick Schleizer -Date: Fri Dec 20 07:06:50 2019 -0500 - - readme - -commit 8e112c34232b8ef88fb0c0fb19f2983de4e5a0a1 -Author: Patrick Schleizer -Date: Fri Dec 20 06:53:24 2019 -0500 - - description - -commit 24ea70384bb6c34f283ff1e71e4f7ed34133db5f -Author: Patrick Schleizer -Date: Fri Dec 20 06:53:03 2019 -0500 - - description - -commit 0ae3e689b5f12101156b4be84631679c622f2e98 -Author: Patrick Schleizer -Date: Fri Dec 20 06:35:02 2019 -0500 - - comment - -commit 050f4d8b9482e1513ceccfb39394606b173fd8a5 -Author: Patrick Schleizer -Date: Fri Dec 20 06:34:37 2019 -0500 - - comment - -commit 36043fe5ccdbd798483096a104a40b9cc013a487 -Author: Patrick Schleizer -Date: Fri Dec 20 06:33:41 2019 -0500 - - comment - -commit fb4254547b39160c410b1f83ed56aa7653291df1 -Author: Patrick Schleizer -Date: Fri Dec 20 06:32:04 2019 -0500 - - comment - -commit cca0908d9a73430fb97577fb6ae42b7416e72e6a -Author: Patrick Schleizer -Date: Fri Dec 20 06:11:38 2019 -0500 - - fix - -commit e254b8b52d61432084273a3ec91bb5f4b377163f -Author: Patrick Schleizer -Date: Fri Dec 20 06:09:17 2019 -0500 - - fix - -commit 7f8b3c76de6e140b676d960004e779f9846c8cb8 -Author: Patrick Schleizer -Date: Fri Dec 20 06:02:17 2019 -0500 - - output - -commit 071c64dc413c8a868866ddf699f653b371ac3b19 -Author: Patrick Schleizer -Date: Fri Dec 20 06:01:49 2019 -0500 - - enable 'set -e' - -commit b97c66707c3d3e8bb9164a35fe83974642f9652c -Author: Patrick Schleizer -Date: Fri Dec 20 05:59:05 2019 -0500 - - minor - -commit 17b4f12276349f28d9fc37944ece87fb6f7827a9 -Author: Patrick Schleizer -Date: Fri Dec 20 05:58:42 2019 -0500 - - output - -commit 48fe7312bf6b87a94678ed8a2eb0a01f2a88e371 -Author: Patrick Schleizer -Date: Fri Dec 20 05:57:41 2019 -0500 - - update config - -commit 87d820d84cd44e427c8990cf295da7ab6890040e -Author: Patrick Schleizer -Date: Fri Dec 20 05:54:16 2019 -0500 - - comment - -commit 918cbb4e257bab0ee4bb6eb303df5e65e34b9963 -Author: Patrick Schleizer -Date: Fri Dec 20 05:51:25 2019 -0500 - - output - -commit c8cf09a4cbe7721e3d97c62785a5d25fe3f61115 -Author: Patrick Schleizer -Date: Fri Dec 20 05:50:16 2019 -0500 - - output - -commit 46466c12ad9dcc62d52dd3e887665ced6bdedf3a -Author: Patrick Schleizer -Date: Fri Dec 20 05:49:11 2019 -0500 - - parse drop-in config folder rather than only one config file - -commit 66fd31189dd1c2ccc5e6fb51278b0646c5188320 -Author: Patrick Schleizer -Date: Fri Dec 20 05:37:33 2019 -0500 - - improve output if set-user-id / set-group-id is set - -commit 6dd6530fa539a55feecc28cecdc812b787b555a6 -Author: Patrick Schleizer -Date: Fri Dec 20 05:32:26 2019 -0500 - - remove hardening-enable - - please invent package security-paranoid instead - - https://forums.whonix.org/t/security-hardening-tool-usr-bin-hardening-enable-by-security-misc/8609 - -commit 6c8127e3cd32c04a6eb4641ad856c7bf2c777fee -Author: Patrick Schleizer -Date: Fri Dec 20 05:29:37 2019 -0500 - - remove "/lib/ nosuid" from permission hardening - - Takes 1 minute to parse. No SUID binaries there by default. - remount-secure mounts it with nosuid anyhow. - Therefore no processing it here. - -commit af0f074987b21ba4ad3f331ddaa622082d76fceb -Author: Patrick Schleizer -Date: Fri Dec 20 05:27:11 2019 -0500 - - remount /lib with nosuid,nodev - - https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707/22 - -commit 7f201604779e442660c4c13798b2b48d706576ac -Author: Patrick Schleizer -Date: Fri Dec 20 05:24:00 2019 -0500 - - comment - -commit a135ae94009c4f6492ed8c779ceaefcfaf19e123 -Author: Patrick Schleizer -Date: Fri Dec 20 05:22:59 2019 -0500 - - use must manually enable permission-hardening.service - - until development finished - -commit fa6f1e156898572513cacb1d65b042482896011a -Author: Patrick Schleizer -Date: Fri Dec 20 05:19:39 2019 -0500 - - output - -commit a26cb94bfd252f939f02ee50c76efb67dcb0235c -Author: Patrick Schleizer -Date: Fri Dec 20 04:49:21 2019 -0500 - - globstar no longer required - -commit c66e9abe18f0809df4f6b84772774431afcadd6f -Author: Patrick Schleizer -Date: Fri Dec 20 04:48:57 2019 -0500 - - comment - -commit d1d0afff34a562d29726fbb3382ebe932e04a267 -Author: Patrick Schleizer -Date: Fri Dec 20 04:48:02 2019 -0500 - - fix - - fso: /lib/ - usr/lib/security-misc/permission-hardening: line 19: /usr/bin/stat: Argument list too long - - https://forums.whonix.org/t/kernel-hardening/7296/326 - -commit e74d2e4f94f4cdb2f3a83f27e17e19e9e4078961 -Author: Patrick Schleizer -Date: Fri Dec 20 04:23:14 2019 -0500 - - output - -commit eb8635903379d1245c2c1c35eaf33c1a45ef514a -Author: Patrick Schleizer -Date: Fri Dec 20 04:20:05 2019 -0500 - - refactoring - -commit bb84fca184ee32f227fb5b210f9eea7afbdf75c0 -Author: Patrick Schleizer -Date: Fri Dec 20 04:08:46 2019 -0500 - - refactoring - -commit f92b41419558f01e7ec0ec3edba3af6a550c5911 -Author: Patrick Schleizer -Date: Fri Dec 20 04:06:28 2019 -0500 - - refactoring - -commit 4c44871e9d3070d73f298eca051ee303b01ea56c -Author: Patrick Schleizer -Date: Fri Dec 20 04:02:05 2019 -0500 - - comment - -commit 6876a2eaa87e3eead822e5f4f7d1fc53d0853ebd -Author: Patrick Schleizer -Date: Fri Dec 20 04:01:40 2019 -0500 - - comment - -commit 35c4fce61b784a4093339b64e5564d93c1f91870 -Author: Patrick Schleizer -Date: Fri Dec 20 03:54:46 2019 -0500 - - fix "dpkg-statoverride: warning: stripping trailing /" - -commit 9bd9012ab17f2c3422cdab20f57e3852ae1f14de -Author: Patrick Schleizer -Date: Fri Dec 20 03:46:50 2019 -0500 - - refactoring - -commit 788a2c1ba3d35eb26440386e2c3269fb8cf4992d -Author: Patrick Schleizer -Date: Fri Dec 20 03:45:01 2019 -0500 - - comment - -commit 55933f88766f9b2fa2f284c5d0ff098e1e11b657 -Author: Patrick Schleizer -Date: Fri Dec 20 03:43:36 2019 -0500 - - refactoring - -commit 9e493a9f481e03d8bd41794eee4e4efd0e39a593 -Author: Patrick Schleizer -Date: Fri Dec 20 03:42:09 2019 -0500 - - refactoring - -commit b92a690c166cf3bc97d34ae977cc0c6d2342cb86 -Author: Patrick Schleizer -Date: Fri Dec 20 03:40:47 2019 -0500 - - refactoring - -commit 98535e3a2bc5d0d54694a1ea71f3afef3f468943 -Author: Patrick Schleizer -Date: Fri Dec 20 03:39:25 2019 -0500 - - refactoring - -commit ecbba2fd61f6d182dcd51f42b579ecb50ffdbedd -Author: Patrick Schleizer -Date: Fri Dec 20 03:38:39 2019 -0500 - - refactoring - -commit 20b8a407ac5984ba621ebb0150b47067c32ddc76 -Author: Patrick Schleizer -Date: Fri Dec 20 03:25:17 2019 -0500 - - refactoring - -commit 6cd9eb44fbc451a08908a9899ca114843c32edf3 -Author: Patrick Schleizer -Date: Fri Dec 20 03:24:07 2019 -0500 - - refactoring - -commit 706dba104d201de4eed6886bf9570bf6851c2c3f -Author: Patrick Schleizer -Date: Fri Dec 20 03:19:12 2019 -0500 - - code simplification - -commit 01dd567f8b3764ae241a4df39d54617089532b9d -Author: Patrick Schleizer -Date: Fri Dec 20 03:16:43 2019 -0500 - - fix, if fso has exactly the mode we want (not 3 instead of 4 string length), not need to reset it - -commit 4f65b0fc1e33037e86289627e1c9bcf040af86c8 -Author: Patrick Schleizer -Date: Fri Dec 20 03:13:27 2019 -0500 - - refactoring - -commit bfee6b60cbd799e31b75e20bc5820f65f9993899 -Author: Patrick Schleizer -Date: Fri Dec 20 03:11:11 2019 -0500 - - comment - -commit d64cdc124793bda57916b2c4d73465b17ae44af6 -Author: Patrick Schleizer -Date: Fri Dec 20 03:04:41 2019 -0500 - - refactoring - -commit 7c5c65a6c13ddf23d7324283815d653974802fd9 -Author: Patrick Schleizer -Date: Fri Dec 20 03:04:13 2019 -0500 - - comment - -commit b31d8cd3fc905b61707f77e08cff72e74f18c46b -Author: Patrick Schleizer -Date: Fri Dec 20 03:03:40 2019 -0500 - - fix - -commit c626290673d44b2a6485aeb24888f35c3782c151 -Author: Patrick Schleizer -Date: Fri Dec 20 03:02:26 2019 -0500 - - refactoring - -commit d5ff1d6f28a62f858fd0a9edf905d6727413a3c2 -Author: Patrick Schleizer -Date: Fri Dec 20 03:00:39 2019 -0500 - - refactoring - -commit 640ca1d24dad657f0590c98a353dc21ed18b4395 -Author: Patrick Schleizer -Date: Fri Dec 20 02:57:57 2019 -0500 - - skip symlinks - - https://forums.whonix.org/t/kernel-hardening/7296/323? - -commit cc8f795799e76d61b60f31e718effb88478b0fea -Author: Patrick Schleizer -Date: Fri Dec 20 02:47:04 2019 -0500 - - comment - -commit 4e5b222a081a5e8463ebe6832e7fbe68a1fb7978 -Author: Patrick Schleizer -Date: Fri Dec 20 02:43:33 2019 -0500 - - comment - -commit fa895ee11ec5897eb73ce066dfe5bde337cb297c -Author: Patrick Schleizer -Date: Fri Dec 20 02:40:42 2019 -0500 - - refactoring - -commit 2c163bf4398d67730efb23d70e2f9fc41ebb0459 -Author: Patrick Schleizer -Date: Fri Dec 20 02:39:53 2019 -0500 - - check string length of permission variable - - https://forums.whonix.org/t/kernel-hardening/7296/322 - -commit a89befd902f6976ebef303b22ee9f9cbc3a1cc23 -Author: Patrick Schleizer -Date: Fri Dec 20 02:20:54 2019 -0500 - - code simplification - -commit 72812da63f60bd1955e52ac52ce583c9d9a18c95 -Author: Patrick Schleizer -Date: Fri Dec 20 02:16:32 2019 -0500 - - comment - -commit 39a41cc27ba93ede21e69270b3b113a037f77064 -Author: Patrick Schleizer -Date: Fri Dec 20 02:14:45 2019 -0500 - - refactoring - -commit 2ed6452590c443d88862f12ef25dcd5acbe98de9 -Author: Patrick Schleizer -Date: Fri Dec 20 02:12:43 2019 -0500 - - downgrade to info - -commit a5e55dfcfca5b15bbbdc22788e6615d080c44819 -Author: Patrick Schleizer -Date: Fri Dec 20 02:11:39 2019 -0500 - - quotes - -commit 3187cee4fba89d72f8d0c26a9987b33adc0d8faa -Author: Patrick Schleizer -Date: Fri Dec 20 02:10:13 2019 -0500 - - output - -commit 5160b4c7816ce449e0dd9cbfaae28050ef2af676 -Author: Patrick Schleizer -Date: Fri Dec 20 02:08:05 2019 -0500 - - disable xtrace - -commit 27bfe95d253178790ee10f591af0d586907463d7 -Author: Patrick Schleizer -Date: Fri Dec 20 02:07:49 2019 -0500 - - add echo wrapper - -commit a6988f3fb8034c2f5be6d3ee6300f9e756e0dfce -Author: Patrick Schleizer -Date: Fri Dec 20 02:06:31 2019 -0500 - - output - -commit 1819577b88ae795c1a6107cf76e084859c9f6d2e -Author: Patrick Schleizer -Date: Fri Dec 20 02:04:34 2019 -0500 - - fix - -commit 278c60c5a01c8dcb8a035950bd9e56ed7d1d431d -Author: Patrick Schleizer -Date: Fri Dec 20 02:01:36 2019 -0500 - - exit non-zero if some line cannot be parsed - - therefore make systemd notice this - - therefore allow the sysadmin to notice this - -commit 66bcba831317cf4810e9123b305597ee85fc94bf -Author: Patrick Schleizer -Date: Fri Dec 20 01:58:35 2019 -0500 - - improve character whitelisting - -commit 8f14e808a9b27f980299ed493f1ecb85acbe1c70 -Author: Patrick Schleizer -Date: Fri Dec 20 01:32:49 2019 -0500 - - send error messages to stderr - -commit d8c9fac2e5c8bc511f593d9a477307f8a15cf2e7 -Author: Patrick Schleizer -Date: Fri Dec 20 01:32:08 2019 -0500 - - output - -commit f19abaf6271fcd87226b9ef5ae3f1b567d96cd90 -Author: Patrick Schleizer -Date: Fri Dec 20 01:31:37 2019 -0500 - - refactoring - -commit c5d1e9dda7059d18fad303128f6f09c98fe955b7 -Merge: 62eb462 a20b300 -Author: Patrick Schleizer -Date: Fri Dec 20 01:30:31 2019 -0500 - - Merge remote-tracking branch 'origin/master' - -commit a20b30013f9ae229d1fe86cc5992aac474a9d8e6 -Merge: 62eb462 9df7407 -Author: Patrick Schleizer -Date: Fri Dec 20 06:29:58 2019 +0000 - - Merge pull request #44 from madaidan/permission-hardening - - Remove SUID bits - -commit 9df74072862b31871d0aad7bed8333fc8344ffec -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Thu Dec 19 17:01:33 2019 +0000 - - Remove SUID bits - -commit 3c2ca0257f08f2c7fa0d0adb74345110801f9fc0 -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Thu Dec 19 17:01:08 2019 +0000 - - Support for removing SUID bits - -commit 62eb462920e8614ea904a8d3517f7592e67ecab8 -Author: Patrick Schleizer -Date: Mon Dec 16 06:46:48 2019 -0500 - - skip console_users_check for Qubes users - -commit ab68182e118b8e76e2ce2a749b956cf96e3d02b6 -Author: Patrick Schleizer -Date: Mon Dec 16 06:27:51 2019 -0500 - - bumped changelog version - -commit 2cab38a8b3f7423f8956c72f1bf6c399ea70c495 -Author: Patrick Schleizer -Date: Mon Dec 16 06:24:14 2019 -0500 - - readme - -commit 4ca9fc592029cbd28969f1e7fe56907bc7c261cb -Author: Patrick Schleizer -Date: Mon Dec 16 03:53:10 2019 -0500 - - fix - -commit f68efd53cf000b92818e6c97b4c590a2c4b73a5b -Author: Patrick Schleizer -Date: Mon Dec 16 03:52:09 2019 -0500 - - remount /sys/kernel/security with nodev,nosuid[,noexec] - - as suggested by @madaidan - - http://forums.whonix.org/t/apparmor-for-complete-system-including-init-pid1-systemd-everything-full-system-mac-policy/8339/238 - -commit 2c4170e6f3366709c391db396a74547d4fed9589 -Author: Patrick Schleizer -Date: Thu Dec 12 09:47:58 2019 -0500 - - description - -commit 2d5ef378f36af5d2d94c342c284be4395352bc34 -Author: Patrick Schleizer -Date: Thu Dec 12 09:39:39 2019 -0500 - - description - -commit 300f010fc24846b6416501929ca24c4d80eca8d5 -Author: Patrick Schleizer -Date: Thu Dec 12 09:29:00 2019 -0500 - - increase priority of pam-abort-on-locked-password-security-misc - - since it has its own user help output - - so it shows before pam tally2 info - - to avoid duplicate non-applicable help text - -commit a10597de92c316cc32ab552865a6658b38b19f5e -Author: Patrick Schleizer -Date: Thu Dec 12 09:04:15 2019 -0500 - - bumped changelog version - -commit 729fa26eca292d60bcbeaba05d8878ff6112876e -Author: Patrick Schleizer -Date: Thu Dec 12 09:00:08 2019 -0500 - - use pam_acccess only for /etc/pam.d/login - remove "Allow members of group 'ssh' to login." - remove "+:ssh:ALL EXCEPT LOCAL" - -commit 22b6480bc4691e76ef155452d2b9df05c5265f68 -Author: Patrick Schleizer -Date: Tue Dec 10 11:44:02 2019 -0500 - - bumped changelog version - -commit 88bea2a6efa8823739ba65b2f5b67cb90071ca3f -Author: Patrick Schleizer -Date: Tue Dec 10 03:53:10 2019 -0500 - - comment - -commit 7d8001ddc9801046289b2f4e31d25dfc3bca6cc5 -Author: Patrick Schleizer -Date: Tue Dec 10 03:51:39 2019 -0500 - - refactoring - -commit d2f6ac0491f179382f4b68455d19956049e6cd23 -Author: Patrick Schleizer -Date: Tue Dec 10 03:50:23 2019 -0500 - - fix, do user/group modifications in preinst rather than postinst - -commit 64ae53edb90929492e11ac81e3e18bcc8164b428 -Author: Patrick Schleizer -Date: Mon Dec 9 08:25:30 2019 -0500 - - bumped changelog version - -commit d80bf036f3b6b70df9208d1ca603c5602298bbf8 -Author: Patrick Schleizer -Date: Mon Dec 9 03:50:43 2019 -0500 - - Disable permission hardening now until development finished / tested. - -commit b72eb30056e186ce13b03907fc37e8d5ebb5df44 -Author: Patrick Schleizer -Date: Mon Dec 9 02:32:05 2019 -0500 - - quotes - -commit c258376b7ed565d0e23963ddab56ce35892ff23f -Author: Patrick Schleizer -Date: Mon Dec 9 02:31:10 2019 -0500 - - use read (built-in) rather than awk (external) - -commit 02165201ab850e32c9f9ad5c4f46cb26dd71dddb -Author: Patrick Schleizer -Date: Mon Dec 9 02:23:43 2019 -0500 - - read -r; refactoring - - as per https://mywiki.wooledge.org/BashFAQ/001 - -commit 7467252122cb2e7600ce5ab3dce9dac2aa7a0676 -Author: Patrick Schleizer -Date: Mon Dec 9 02:22:16 2019 -0500 - - quotes - -commit 9bea9960173cf06dcbc0aefa2fb3b10df1f84c69 -Merge: 6f94423 af62da3 -Author: Patrick Schleizer -Date: Mon Dec 9 02:21:47 2019 -0500 - - Merge remote-tracking branch 'origin/master' - -commit af62da34457a56fee43a6003036a3bb387b23b32 -Merge: 6f94423 d7e2dea -Author: Patrick Schleizer -Date: Sun Dec 8 20:45:16 2019 +0000 - - Merge pull request #42 from madaidan/permission-hardening - - File permission hardening - -commit d7e2deae9250abd79ab83c2025b98476dde710d3 -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Sun Dec 8 16:50:54 2019 +0000 - - Create permission-hardening.service - -commit 6c564f6e9549462412299fd5b2f7e303409c5dad -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Sun Dec 8 16:50:11 2019 +0000 - - Create permission-hardening.conf - -commit 61e19fa5f1343554e9a213a1a9762cef4707ab3d -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Sun Dec 8 16:49:28 2019 +0000 - - Create permission-hardening - -commit 6f944234a988b226942832473a5a6825006dcac9 -Author: Patrick Schleizer -Date: Sun Dec 8 05:26:29 2019 -0500 - - bumped changelog version - -commit e64741c01e94849f7ad57231a106e45c4fe3dc65 -Author: Patrick Schleizer -Date: Sun Dec 8 05:25:19 2019 -0500 - - readme - -commit c192644ee328ff8d5d244d10c082b3a871b151b1 -Author: Patrick Schleizer -Date: Sun Dec 8 05:21:35 2019 -0500 - - security-misc `/usr/share/pam-configs/permission-lockdown-security-misc` is no longer required, removed. - - Thereby fix apparmor issue. - - > Dec 08 09:47:50 host audit[3232]: AVC apparmor="DENIED" operation="exec" profile="/usr/bin/whonixcheck" name="/usr/lib/security-misc/permission-lockdown" pid=3232 comm="sudo" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 - > Dec 08 09:47:50 host sudo[3232]: pam_exec(sudo:session): execve(/usr/lib/security-misc/permission-lockdown,...) failed: Permission denied - - It is no longer required, because... - - existing linux user accounts: - - * Get permission lock down because security-misc `debian/security-misc.postinst` calls `/usr/lib/security-misc/permission-lockdown`. - - new linux user accounts (created at first boot): - - * security-misc `/usr/share/pam-configs/mkhomedir-security-misc` pam mkhomedir sets secure permissions using `umask=027`. - -commit edcc2de71dea9cf2f94ec008d2817a0cdfdf5b7c -Author: Patrick Schleizer -Date: Sun Dec 8 04:38:33 2019 -0500 - - bumped changelog version - -commit 1227ccd1f7aa8d96f70d6c5fa20aa985435ca89c -Author: Patrick Schleizer -Date: Sun Dec 8 04:37:53 2019 -0500 - - After=qubes-sysinit.service - -commit 17d81d0083b05316515461154473c8a5d769b776 -Author: Patrick Schleizer -Date: Sun Dec 8 04:27:01 2019 -0500 - - bumped changelog version - -commit ebae9eef38035a75c8aa3281735eab79ed6f4c46 -Author: Patrick Schleizer -Date: Sun Dec 8 04:25:19 2019 -0500 - - skip sudo_users_check in Qubes - - Qubes users can use dom0 to get a root terminal emulator. - - For example: - qvm-run -u root debian-10 xterm - -commit 53e4717c629039104f45a1da8251e3dd1b5e3baa -Author: Patrick Schleizer -Date: Sun Dec 8 04:05:29 2019 -0500 - - bumped changelog version - -commit bc45ed385e5a2b1b53f81915698e1176359dedf7 -Author: Patrick Schleizer -Date: Sun Dec 8 04:03:02 2019 -0500 - - readme - -commit ac96708b243a766d65e39a037bcf142e526a2382 -Author: Patrick Schleizer -Date: Sun Dec 8 04:01:11 2019 -0500 - - improve usr/bin/hardening-enable - -commit a345a0fb64f7b8421356b913730284b0e6e3e953 -Author: Patrick Schleizer -Date: Sun Dec 8 03:27:12 2019 -0500 - - abort installation if ssh.service is enabled but no user is member of group ssh - -commit 50ac03363f6074cc88b6a7c965a822335624924c -Author: Patrick Schleizer -Date: Sun Dec 8 03:18:32 2019 -0500 - - output - -commit c7c65fe4e7a1fb73921a1b8de25662ff2a21e2a8 -Author: Patrick Schleizer -Date: Sun Dec 8 03:15:53 2019 -0500 - - higher priority usr/share/pam-configs/tally2-security-misc - - so it can give info before pam stack gets aborted by other pam modules - -commit 3bd0b3f837d5ad8c87e59b99c6baef1e2c74507b -Author: Patrick Schleizer -Date: Sun Dec 8 03:10:41 2019 -0500 - - notify when attempting to use ssh but user is member of group ssh - -commit cea598dc1a96245c4ccd00646e9790f3c9635ffe -Author: Patrick Schleizer -Date: Sun Dec 8 02:43:05 2019 -0500 - - refactoring - -commit 54f5e02c2192a1cd6a30bc04abd77b177b1953c3 -Author: Patrick Schleizer -Date: Sun Dec 8 02:42:30 2019 -0500 - - comment - -commit b4265195f4823618c60274458f885ef61c2452e1 -Author: Patrick Schleizer -Date: Sun Dec 8 02:41:36 2019 -0500 - - refactoring - -commit 0f65b2e85c74a379d8ec5321b13e7e332d8eaaa3 -Author: Patrick Schleizer -Date: Sun Dec 8 02:38:19 2019 -0500 - - abort installation if no user is a member of group "console"; output - - https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/7 - -commit 1dbca1ea2d80ff7f60a0f426b444994d6bd97d30 -Author: Patrick Schleizer -Date: Sun Dec 8 02:27:09 2019 -0500 - - add usr/bin/hardening-enable - -commit 19cc6d7555364c5d2ee548899679c153e1555a20 -Author: Patrick Schleizer -Date: Sun Dec 8 02:10:43 2019 -0500 - - pam description - -commit 24423b42f0dc23704bddbb0f205ad3115e77d90f -Author: Patrick Schleizer -Date: Sun Dec 8 02:03:05 2019 -0500 - - description - -commit 6b01e5be149f9126308404e6a32931efb3bac277 -Author: Patrick Schleizer -Date: Sun Dec 8 02:01:22 2019 -0500 - - comment - -commit 66bebefc9fa26341c41847f35f26e16df3ce0a37 -Author: Patrick Schleizer -Date: Sun Dec 8 02:00:23 2019 -0500 - - description - -commit 52e0f104cc6edf1fe0953ca815445c351f813812 -Author: Patrick Schleizer -Date: Sun Dec 8 01:59:55 2019 -0500 - - comment - -commit 731d486fa061756b129188959230cb8bf1d78fae -Author: Patrick Schleizer -Date: Sun Dec 8 01:58:58 2019 -0500 - - refactoring - -commit 221a2df2a2621b1d3f391ee3265af7d4f35e1b2b -Author: Patrick Schleizer -Date: Sun Dec 8 01:58:37 2019 -0500 - - refactoring - -commit b871421a542af37771dbe56f09cc16472aa691c7 -Author: Patrick Schleizer -Date: Sun Dec 8 01:57:43 2019 -0500 - - usr/share/pam-configs/console-lockdown -> usr/share/pam-configs/console-lockdown-security-misc - -commit d36669596f4c71ce885e46fce66fffc7a7443d27 -Author: Patrick Schleizer -Date: Sun Dec 8 01:56:30 2019 -0500 - - comment - -commit 1a0f353708832217b9bc5e3ecd044605de6adca0 -Author: Patrick Schleizer -Date: Sun Dec 8 01:47:40 2019 -0500 - - comment - -commit eed1f0a4620d7db5933fb29189328c934db50d9e -Author: Patrick Schleizer -Date: Sun Dec 8 01:46:32 2019 -0500 - - comment - -commit 2491b6239319c52221f6c58fcfa1c3a247a9ee30 -Author: Patrick Schleizer -Date: Sun Dec 8 01:43:45 2019 -0500 - - refactoring, add all groups first before adding any users to any groups - -commit 1464f01d191ee4e01ed2ec94f4faf8d17ec62b03 -Author: Patrick Schleizer -Date: Sun Dec 8 01:30:42 2019 -0500 - - description - -commit 491dd4d93d133ca23eaf5c501b7ab3d3bbf52a27 -Merge: 9432d16 a78a7e5 -Author: Patrick Schleizer -Date: Sun Dec 8 01:22:16 2019 -0500 - - Merge remote-tracking branch 'origin/master' - -commit a78a7e5571b178cbf4cddd065306d130431bc185 -Merge: 373e873 6846a94 -Author: Patrick Schleizer -Date: Sun Dec 8 06:21:44 2019 +0000 - - Merge pull request #41 from madaidan/system.map - - Check for more locations of System.map - -commit 6846a943277c5ad9049cbf3e21fcd739c316cf44 -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Sat Dec 7 19:38:12 2019 +0000 - - Check for more locations of System.map - -commit 9432d1637866087bcc2f1bf0837535a10f96faeb -Author: Patrick Schleizer -Date: Sat Dec 7 12:13:42 2019 -0500 - - /usr/bin/cat mrix, - -commit 373e8733d37cb795c7c48642346b0b6dc6dce30c -Merge: c1800b1 447eb14 -Author: Patrick Schleizer -Date: Sat Dec 7 11:34:42 2019 -0500 - - Merge remote-tracking branch 'origin/master' - -commit 447eb144325a532b0aaf7ce772d5a04005b2af1f -Merge: c1800b1 668b642 -Author: Patrick Schleizer -Date: Sat Dec 7 16:34:21 2019 +0000 - - Merge pull request #40 from madaidan/system.map - - Remove hyphen from remove-system.map - -commit c1800b13fe33a1c129dcb30c51dbead7f894b818 -Author: Patrick Schleizer -Date: Sat Dec 7 11:26:39 2019 -0500 - - separate group "ssh" for incoming ssh console permission - - Thanks to @madaidan - - https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/16 - -commit 668b6420de8024fdeaf948f1750beb8b62d9ffb7 -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Sat Dec 7 14:15:02 2019 +0000 - - Remove hyphen - -commit 55225aa30e78e9a988527ed2da2019dc0a0b2631 -Author: Patrick Schleizer -Date: Sat Dec 7 07:16:07 2019 -0500 - - description - -commit 34a2bc16c85b06e1eccb2f72da89e198184ba72c -Author: Patrick Schleizer -Date: Sat Dec 7 07:15:58 2019 -0500 - - description - -commit d823f06c7858c1380325e3dbbbcfb1854fa64309 -Author: Patrick Schleizer -Date: Sat Dec 7 07:13:42 2019 -0500 - - description - -commit 9ba84f34c68263e5151d5b54264c1edb90603424 -Author: Patrick Schleizer -Date: Sat Dec 7 06:51:59 2019 -0500 - - comment - -commit dc1dfc8c20218a5ca986f49dc96cbfc71d50533e -Author: Patrick Schleizer -Date: Sat Dec 7 06:51:16 2019 -0500 - - output - -commit 8636d2f62995947620fbbd76fc653aab89dda7eb -Author: Patrick Schleizer -Date: Sat Dec 7 06:51:10 2019 -0500 - - add securetty - -commit 532a1525c2350a634b14a84d94997b8db81243a0 -Author: Patrick Schleizer -Date: Sat Dec 7 06:26:55 2019 -0500 - - comment - -commit 14aa6c50774786890686fee2a6d6eed49dadcac1 -Author: Patrick Schleizer -Date: Sat Dec 7 06:26:23 2019 -0500 - - comment - -commit 8b3f5a555ba04bb1d2e6bafb8345782aae875a51 -Author: Patrick Schleizer -Date: Sat Dec 7 06:25:45 2019 -0500 - - add console lockdown to pam info output - -commit 021b06dac95dd742952446e9ff455305c7d2b09b -Author: Patrick Schleizer -Date: Sat Dec 7 06:04:45 2019 -0500 - - add hvc0 to hvc9 - -commit 8a59662a44ea46c5ba86be82ec2bc43e912c79be -Author: Patrick Schleizer -Date: Sat Dec 7 06:02:45 2019 -0500 - - comment - -commit 090ddbe96a48424e0e3f187b917e023f9b710798 -Author: Patrick Schleizer -Date: Sat Dec 7 06:00:41 2019 -0500 - - description - -commit cda67247557ce2028017ba4e6e8824c2ae2f5118 -Author: Patrick Schleizer -Date: Sat Dec 7 05:56:57 2019 -0500 - - add pts/0 to pts/9 - -commit 218cbddba9b053eac4ecb486ea7fbc9e160f18c6 -Author: Patrick Schleizer -Date: Sat Dec 7 05:52:06 2019 -0500 - - comment - -commit 6479c883bf04464b299ce42185df2429f7b5cab5 -Author: Patrick Schleizer -Date: Sat Dec 7 05:40:20 2019 -0500 - - Console Lockdown. - - Allow members of group 'console' to use tty1 to tty7. Everyone else except - members of group 'console-unrestricted' are restricted from using console - using ancient, unpopular login methods such as using /bin/login over networks, - which might be exploitable. (CVE-2001-0797) - - Not enabled by default in this package since this package does not know which - users shall be added to group 'console'. - - In new Whonix builds, user 'user" will be added to group 'console' and - pam console-lockdown enabled by package anon-base-files. - - /usr/share/pam-configs/console-lockdown - - /etc/security/access-security-misc.conf - - https://forums.whonix.org/t/etc-security-hardening/8592 - -commit 52934c9288a596b233c1ce3b5f68a29248602c96 -Author: Patrick Schleizer -Date: Sat Dec 7 02:02:32 2019 -0500 - - bumped changelog version - -commit 6faa977cd73efd90809c7034d15102095adcfe63 -Author: Patrick Schleizer -Date: Sat Dec 7 02:02:06 2019 -0500 - - readme - -commit 6d92d03b31c8251d3df72aab5e9dfa3327feed1c -Author: Patrick Schleizer -Date: Sat Dec 7 01:54:50 2019 -0500 - - description - -commit 5a4eda0d05bc57680e3f3df2b84471f5f16b8356 -Author: Patrick Schleizer -Date: Sat Dec 7 01:53:33 2019 -0500 - - also support /usr/local/etc/remount-disable and /usr/local/etc/noexec - -commit 0afcc5e798823f4ed3eff2d5f94b3d3fe8ad5069 -Author: Patrick Schleizer -Date: Fri Dec 6 12:43:21 2019 -0500 - - bumped changelog version - -commit 2954dcbccfb2990e95056d20fc9b279569dcacee -Author: Patrick Schleizer -Date: Fri Dec 6 12:24:55 2019 -0500 - - minor - -commit f3647e74787483f0d8076de742cc6f36645f1396 -Author: Patrick Schleizer -Date: Fri Dec 6 12:18:18 2019 -0500 - - RemainAfterExit=yes - -commit af0cf058e7ad5b26c708b1013d8ca8dc172a15e8 -Author: Patrick Schleizer -Date: Fri Dec 6 11:18:20 2019 -0500 - - bumped changelog version - -commit 9b14f24d5e24ac4a6facb20d4fd436f35bed305f -Author: Patrick Schleizer -Date: Fri Dec 6 11:17:32 2019 -0500 - - refactoring - -commit a6133f59125db7482c3f56110ce6ba1a17d15e09 -Author: Patrick Schleizer -Date: Fri Dec 6 11:16:43 2019 -0500 - - output - -commit c1ea35e2ef54119d940b225da41c87e6db32981e -Author: Patrick Schleizer -Date: Fri Dec 6 11:15:54 2019 -0500 - - output - -commit 4bec41379d2baaa81930395ff2329ff42f10ff13 -Author: Patrick Schleizer -Date: Fri Dec 6 11:15:13 2019 -0500 - - fix remount with noexec if /etc/noexec exists - -commit bff425fec2adc3c80fee50466ef81bec19c237cf -Author: Patrick Schleizer -Date: Fri Dec 6 09:32:18 2019 -0500 - - bumped changelog version - -commit b22289f2a8e77ccd9a693871612b61842b1f48c8 -Author: Patrick Schleizer -Date: Fri Dec 6 09:30:05 2019 -0500 - - readme - -commit 470cad6e9176f57d33b038640b20443c3fa971fc -Author: Patrick Schleizer -Date: Fri Dec 6 05:14:02 2019 -0500 - - remount /home /tmp /dev/shm /run with nosuid,nodev (default) and noexec (opt-in) - - https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707 - -commit 8cf5ed990a3940c108d661c6c169b5720b1459d1 -Author: Patrick Schleizer -Date: Thu Dec 5 15:52:24 2019 -0500 - - comment - -commit 19add3299c9215d05208e3c2e748527bf87e66b5 -Merge: 0c25a96 9679292 -Author: Patrick Schleizer -Date: Thu Dec 5 15:46:19 2019 -0500 - - Merge remote-tracking branch 'origin/master' - -commit 96792928787c1c129a964bd81e97450d2edb29a6 -Merge: 0c25a96 af9e19c -Author: Patrick Schleizer -Date: Thu Dec 5 20:33:47 2019 +0000 - - Merge pull request #39 from madaidan/rp_filter - - Enable reverse path filtering - -commit af9e19c51f256504c5c2206e31da1911872b6ef8 -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Thu Dec 5 20:14:55 2019 +0000 - - Update control - -commit 30289c68c24a8aa2ce5f336b79f92cffb7aa98c7 -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Thu Dec 5 20:13:10 2019 +0000 - - Enable reverse path filtering - -commit 0c25a96b59b5bb55c04c88015eb8b50d79815a23 -Author: Patrick Schleizer -Date: Tue Dec 3 02:18:32 2019 -0500 - - description / comments - -commit d26ba05c4776cdff0750b872f3da70fd25fca1f4 -Merge: 6ca48ff 73c6410 -Author: Patrick Schleizer -Date: Tue Dec 3 01:52:04 2019 -0500 - - Merge remote-tracking branch 'origin/master' - -commit 73c6410a0e1e6e56529ba8ea98681867bd8acb37 -Merge: 6ca48ff 8d63da3 -Author: Patrick Schleizer -Date: Tue Dec 3 06:51:31 2019 +0000 - - Merge pull request #38 from madaidan/distrust-cpu - - Distrust the CPU for initial entropy - -commit 8d63da3cef6e114deaa6943ea9a633d6620a974b -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Mon Dec 2 16:46:12 2019 +0000 - - Update control - -commit 5da2a27bf064d6efefd0d0ba8041e85c4941d3a2 -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Mon Dec 2 16:43:00 2019 +0000 - - Distrust the CPU for initial entropy - -commit 6ca48fffdcab8665d75584435dd6a24d6b881347 -Author: Patrick Schleizer -Date: Thu Nov 28 10:22:41 2019 -0500 - - bumped changelog version - -commit ab696f557140fca19c09ac08ba61e9ce55947ed8 -Author: Patrick Schleizer -Date: Thu Nov 28 10:05:39 2019 -0500 - - readme - -commit 25aed91eb167a092ece06a9aa4ab56fea165073e -Author: Patrick Schleizer -Date: Thu Nov 28 09:20:46 2019 -0500 - - description - -commit 0c4e5df3e0214c10390b672645d9f80ef4457392 -Author: Patrick Schleizer -Date: Thu Nov 28 09:18:05 2019 -0500 - - description - -commit 5ac2a6f9ac53f75256c655d329149bccd2d9aa37 -Author: Patrick Schleizer -Date: Thu Nov 28 09:17:32 2019 -0500 - - description - -commit ff3412fbe06476cb295dfd9d61b26694f289d389 -Author: Patrick Schleizer -Date: Wed Nov 27 10:22:31 2019 -0500 - - fix, make sure to undo pam changes on package removal - - Thanks to minimal for the bug report! - - https://forums.whonix.org/t/is-security-misc-suitable-for-hardening-bridges-and-relays/8299/11 - -commit 62b924eea7d50f58649e089ff9cf8d73075cac63 -Merge: 9091f69 ba02dcb -Author: Patrick Schleizer -Date: Tue Nov 26 13:00:36 2019 -0500 - - Merge remote-tracking branch 'origin/master' - -commit ba02dcb267a95d332bd01bb3fc725e051ccb3246 -Merge: 9091f69 d9d6d07 -Author: Patrick Schleizer -Date: Tue Nov 26 18:00:11 2019 +0000 - - Merge pull request #37 from madaidan/apparmor-fixes - - Fix permission-lockdown - -commit d9d6d0771433700f49c4ddf156a0b5bc7098d94b -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Tue Nov 26 17:12:12 2019 +0000 - - /dev/pts/[0-9]* rw, - -commit 9091f69eddb76059995e2f44734437746a3fd108 -Author: Patrick Schleizer -Date: Mon Nov 25 08:51:36 2019 +0000 - - bumped changelog version - -commit 57ce06c0ebaa1e451c39b85c8db27babed4b149e -Author: Patrick Schleizer -Date: Mon Nov 25 08:41:45 2019 +0000 - - readme - -commit aa5451c8cda02e6df3dc089bf813e6acd9878a59 -Author: Patrick Schleizer -Date: Mon Nov 25 01:39:53 2019 -0500 - - Lock user accounts after 50 rather than 100 failed login attempts. - - https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698/19 - -commit 6277db1383451822769948bbebac31f719e98e74 -Author: Patrick Schleizer -Date: Sat Nov 23 14:07:45 2019 +0000 - - bumped changelog version - -commit 6a6a638ef01d337da137dc04bcff984f7a36f425 -Author: Patrick Schleizer -Date: Sat Nov 23 14:06:28 2019 +0000 - - readme - -commit fe1f1b73a77d11c136cedcdb3efcb57f4c68c6af -Author: Patrick Schleizer -Date: Sat Nov 23 11:20:32 2019 +0000 - - load jitterentropy_rng kernel module for better entropy collection - - https://www.whonix.org/wiki/Dev/Entropy - - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927972 - - https://forums.whonix.org/t/jitterentropy-rngd/7204 - -commit d32024a3da3cdfbb07f61dd3e9a52535e747de6b -Author: Patrick Schleizer -Date: Sat Nov 23 05:53:19 2019 -0500 - - /usr/sbin/pam_tally2 mrix, - - https://forums.whonix.org/t/apparmor-for-complete-system-including-init-pid1-systemd-everything-full-system-mac-policy/8339/152 - -commit 03e80238477bef26cf14a86a136d2ab688c87d08 -Author: Patrick Schleizer -Date: Fri Nov 22 14:11:30 2019 -0500 - - output - -commit e76e1475b0009451b930061bff553684b6490d33 -Author: Patrick Schleizer -Date: Fri Nov 22 12:24:35 2019 -0500 - - comment - -commit a99dfd067ac8a43bdcd779cf57b3533bdaa404fb -Author: Patrick Schleizer -Date: Tue Nov 19 15:31:55 2019 +0000 - - bumped changelog version - -commit 81e4f580af1ea12e79e387d4977771f37c50e7c1 -Author: Patrick Schleizer -Date: Tue Nov 19 15:29:02 2019 +0000 - - etc/apparmor.d/usr.lib.security-misc.permission-lockdown: /usr/bin/chmod mrix, - -commit 8ad8dbea5a5c0bacd03cefb66ad8a1989e1cb0fb -Author: Patrick Schleizer -Date: Mon Nov 18 19:16:16 2019 +0000 - - bumped changelog version - -commit 9a20b85fe16584dda909fd5f1aa6bbb62d06bcf0 -Merge: 477d476 2b17c0f -Author: Patrick Schleizer -Date: Sun Nov 17 11:20:17 2019 -0500 - - Merge remote-tracking branch 'origin/master' - -commit 2b17c0f3e4dcd7cb9f2239da649b4a885c27e7cf -Merge: 477d476 e92022a -Author: Patrick Schleizer -Date: Sun Nov 17 16:19:55 2019 +0000 - - Merge pull request #36 from madaidan/hidepid-fix - - Remove proc-hidepid systemd sandboxing - -commit e92022a21cbe2df76026b36482f5c71e3471b344 -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Sat Nov 16 14:56:28 2019 +0000 - - Remove systemd sandboxing - -commit 477d476bb1a7507951c2c04622056de5a8d41a56 -Author: Patrick Schleizer -Date: Sun Nov 10 08:29:44 2019 -0500 - - etc/apparmor.d/usr.lib.security-misc.pam_tally2-info: add '#include ' - -commit 11dc23bf082cb0579b5a4a1bc5788ec0b5140973 -Author: Patrick Schleizer -Date: Sun Nov 10 08:28:32 2019 -0500 - - etc/apparmor.d/usr.lib.security-misc.permission-lockdown: add '#include ' - -commit d1d61b106b54a360ca71bb506e2410ac70ea07ed -Author: Patrick Schleizer -Date: Sat Nov 9 18:44:50 2019 +0000 - - bumped changelog version - -commit 9f2932faab4be91528f3404fcbace7012040dac5 -Author: Patrick Schleizer -Date: Sat Nov 9 13:32:21 2019 -0500 - - /usr/bin/id rix, - -commit 6b7df973f621dc9cbe107ee5d709600005f49e65 -Author: Patrick Schleizer -Date: Sat Nov 9 12:57:45 2019 +0000 - - bumped changelog version - -commit 2e73c053b561eb2ffcd815cba8006da810b02184 -Author: Patrick Schleizer -Date: Sat Nov 9 12:55:00 2019 +0000 - - fix lintian warning - -commit 6e28774f95414c5660b76fca3696710beb2affa2 -Author: Patrick Schleizer -Date: Sat Nov 9 12:23:15 2019 +0000 - - bumped changelog version - -commit 94d40c68d4292c0c399c3b12e1af76cb89e7f436 -Author: Patrick Schleizer -Date: Tue Nov 5 10:02:55 2019 -0500 - - do not set kernel boot parameter page_poison=1 in Qubes since does not work - - https://github.com/QubesOS/qubes-issues/issues/5212#issuecomment-533873012 - -commit f57702c1589047f5d0eff7a7bdffb928117532f6 -Author: Patrick Schleizer -Date: Tue Nov 5 09:55:43 2019 -0500 - - comments; copyright - -commit 74293bcd2f2670abf3e62ac8dad54d9f4e545bb1 -Author: Patrick Schleizer -Date: Tue Nov 5 01:59:25 2019 -0500 - - output - -commit 2b5b06b602f9537c9a5473651cd1a16a4e16e5ba -Author: Patrick Schleizer -Date: Tue Nov 5 01:59:19 2019 -0500 - - output - -commit d6977becbaf644cdc98c081b3c3e3fd366c4072d -Author: Patrick Schleizer -Date: Tue Nov 5 01:51:14 2019 -0500 - - refactoring - -commit daf00067953a61d749a07a0e0b4ec7cd397e4c39 -Author: Patrick Schleizer -Date: Tue Nov 5 01:50:27 2019 -0500 - - comment - -commit 78defc4d0bedf4a727d617f3de0294d9f59e3aa9 -Author: Patrick Schleizer -Date: Sun Nov 3 04:34:31 2019 -0500 - - add /var/cache/security-misc/state-files/placeholder file - - to make sure folder already exists to avoid AppArmor issue - - https://forums.whonix.org/t/apparmor-for-complete-system-including-init-pid1-systemd-everything-full-system-mac-policy/8339/76 - -commit 7c0ec7e50797c0da719f389e61445ff7d8e252b3 -Author: Patrick Schleizer -Date: Sun Nov 3 04:23:40 2019 -0500 - - readme - -commit b55c2fd62e200f96bd552445ad4c517d6a0aee92 -Author: Patrick Schleizer -Date: Sun Nov 3 02:50:51 2019 -0500 - - Enables punycode (`network.IDN_show_punycode`) by default in Thunderbird - to make phising attacks more difficult. Fixing URL not showing real Domain - Name (Homograph attack). - - https://forums.whonix.org/t/enable-network-idn-show-punycode-by-default-in-thunderbird-to-fix-url-not-showing-real-domain-name-homograph-attack-punycode/8415 - -commit bf62306d4fc3b3168204254ca354028a1fe857a7 -Author: Patrick Schleizer -Date: Thu Oct 31 16:34:35 2019 +0000 - - bumped changelog version - -commit e1375802eb1521eb0bc9089f2ab12056fa326f17 -Author: Patrick Schleizer -Date: Thu Oct 31 16:32:28 2019 +0000 - - apparmor fix - - https://forums.whonix.org/t/apparmor-for-complete-system-including-init-pid1-systemd-everything-full-system-mac-policy/8339/67 - -commit 6e5d8b357d977991953e153d618dbdda2b05c0e6 -Author: Patrick Schleizer -Date: Thu Oct 31 16:06:51 2019 +0000 - - bumped changelog version - -commit 203d5cfa6845e23d73ff3790019bac9579f3524b -Author: Patrick Schleizer -Date: Thu Oct 31 11:19:44 2019 -0400 - - copyright - -commit f001250ae61789bef7b2b19d5c40831273b0acca -Merge: d832ab9 5a3cbe8 -Author: Patrick Schleizer -Date: Mon Oct 28 10:31:30 2019 -0400 - - Merge remote-tracking branch 'origin/master' - -commit 5a3cbe81000c3a9bbc69ba03c944c6c5ae9115bf -Merge: d832ab9 0e49bdc -Author: Patrick Schleizer -Date: Mon Oct 28 14:30:45 2019 +0000 - - Merge pull request #35 from madaidan/apparmor - - Apparmor profiles - -commit 0e49bdc45f6c94b3f6c2874fd48a6b1c75519790 -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Mon Oct 28 14:26:14 2019 +0000 - - Licensing - -commit 5d5ad92638ea0ca079bbf8bb03201e8d5c030b1c -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Mon Oct 28 14:26:05 2019 +0000 - - Licensing - -commit 0699747fcb6d79ba6abeccdba99c3bc032c615c6 -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Mon Oct 28 14:24:37 2019 +0000 - - Debian packaging - -commit fe4e29d392ed8db5571d69b10ef0f8a24eec1829 -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Mon Oct 28 14:22:47 2019 +0000 - - Depend on dh-apparmor - -commit 1b8b3610b17ae31bc81c3827cea24bd09822a0e3 -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Mon Oct 28 14:20:59 2019 +0000 - - Create usr.lib.security-misc.pam_tally2-info - -commit 29b05546e4248bdf95b62ea356bd98767e3a59b0 -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Mon Oct 28 14:20:08 2019 +0000 - - Create usr.lib.security-misc.permission-lockdown - -commit d832ab91bdd9cdbf2a9c3bbee39351082a59f759 -Author: Patrick Schleizer -Date: Wed Oct 23 10:22:03 2019 +0000 - - bumped changelog version - -commit bce5274a15e4d34907c2f65b9811dd44705c120e -Author: Patrick Schleizer -Date: Tue Oct 22 09:22:29 2019 -0400 - - quotes fix - -commit e20b9e21334ef9e16e1fd147fec4ff33f0721d4a -Author: Patrick Schleizer -Date: Tue Oct 22 09:08:18 2019 -0400 - - better solution when using pkexec with --user: wrap sudo --user with lxqt-sudo - -commit d4e02de43a068a22a9fd1b15c4d2b314baf97283 -Author: Patrick Schleizer -Date: Tue Oct 22 09:04:44 2019 -0400 - - set SUDO_ASKPASS for pkexec wrapper when using sudo --askpass - -commit 1a65a91039276f73c68feb5c19b1a3dd86b07cbb -Author: Patrick Schleizer -Date: Tue Oct 22 08:56:05 2019 -0400 - - long rather than short option - -commit b55913637bb66b3c1e9fcab3d1576cb1325419ea -Author: Patrick Schleizer -Date: Tue Oct 22 08:54:48 2019 -0400 - - silence output by mount/grep - -commit a1154170c9f65011ae1a9da51ea1d797381853a7 -Author: Patrick Schleizer -Date: Tue Oct 22 08:54:17 2019 -0400 - - Call original pkexec in case there are no arguments. - -commit 9c8f678cb935d5d63b238d4641bde84c5495127b -Author: Patrick Schleizer -Date: Mon Oct 21 09:55:41 2019 +0000 - - bumped changelog version - -commit 1e4d0ea1d072c193281ac176592108c88e80bad0 -Author: Patrick Schleizer -Date: Mon Oct 21 09:55:05 2019 +0000 - - fix lintian warning - -commit 343d9cc9169dd3e0b4afebaeaa43d0051cbb5e37 -Author: Patrick Schleizer -Date: Mon Oct 21 09:53:55 2019 +0000 - - fix - -commit 2d436f36021d1148862ff5e2db62577580761bf6 -Author: Patrick Schleizer -Date: Mon Oct 21 09:51:36 2019 +0000 - - bumped changelog version - -commit af3f42dabf708b6f6e2c4e2595d6af496b520372 -Author: Patrick Schleizer -Date: Mon Oct 21 09:51:12 2019 +0000 - - readme - -commit 40707e70dbbf74e5ee3cd25bd2737f880d4bca5c -Author: Patrick Schleizer -Date: Mon Oct 21 05:46:49 2019 -0400 - - Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with hidepid. - - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040 - - https://forums.whonix.org/t/cannot-use-pkexec/8129 - - Thanks to AnonymousUser for the bug report! - -commit 31b771ac2e1cd692851f0d58191c3147d4a09335 -Author: Patrick Schleizer -Date: Fri Oct 18 10:39:43 2019 +0000 - - bumped changelog version - -commit 2613525b945c98c676a919cb4a9d54b90e51cbbf -Author: Patrick Schleizer -Date: Fri Oct 18 10:39:19 2019 +0000 - - readme - -commit 957deac5cb1e3fdf54990bad21c502388af2407e -Author: Patrick Schleizer -Date: Fri Oct 18 10:38:25 2019 +0000 - - fix lintian warning - - W: security-misc: maintainer-script-should-not-parse-etc-passwd-or-group preinst:19 - -commit d301e7f3653bdb4b56c42deab9d0566ff1b27380 -Author: Patrick Schleizer -Date: Fri Oct 18 10:36:44 2019 +0000 - - description, fix lintian warning - -commit ce6b64a9baba3763f2137c81c1e022c4e6344d3c -Author: Patrick Schleizer -Date: Fri Oct 18 08:55:07 2019 +0000 - - bumped changelog version - -commit 20b7faa61fb7c425f15492fd8aaa67e4fe06a6d9 -Author: Patrick Schleizer -Date: Fri Oct 18 08:54:43 2019 +0000 - - readme - -commit c9d75ef9ea76fee0cff882143f289d9662826330 -Author: Patrick Schleizer -Date: Thu Oct 17 06:46:47 2019 -0400 - - abort installation if no user is part of group sudo - - https://forums.whonix.org/t/is-security-misc-suitable-for-hardening-bridges-and-relays/8299/4 - - Thanks to minimal for the bug report! - -commit a5045dc26e3b7d6acd6ae2c5727920824f992cc7 -Author: Patrick Schleizer -Date: Thu Oct 17 06:18:32 2019 -0400 - - set -e - -commit 0b8725306f2c603c28ab78be7000df25ca2ea430 -Author: Patrick Schleizer -Date: Thu Oct 17 06:13:44 2019 -0400 - - renamed: etc/hide-hardware-info.d/30_whitelist.conf -> etc/hide-hardware-info.d/30_default.conf - -commit 4aba02756680eb5e0dac9d84ba434edd735c68c1 -Author: Patrick Schleizer -Date: Thu Oct 17 06:12:36 2019 -0400 - - syntax check - -commit 8b9aa8841a67adb9b3b64a1d43022e950768bc42 -Author: Patrick Schleizer -Date: Thu Oct 17 06:11:01 2019 -0400 - - fix - -commit cfbd77040a51b68dc6e3c1f8f82861cfc4b6e761 -Author: Patrick Schleizer -Date: Thu Oct 17 06:10:29 2019 -0400 - - set "shopt -s nullglob" to avoid failing when folder /etc/hide-hardware-info.d - does not exist or is empty - -commit b05663c5f65f59ce652995c403feb9b4e088b4ec -Author: Patrick Schleizer -Date: Thu Oct 17 06:08:55 2019 -0400 - - shuffle - - https://forums.whonix.org/t/restrict-hardware-information-to-root/7329/80 - -commit 28a440091dd98fd4f3284cce01d692c08aa96bf1 -Author: Patrick Schleizer -Date: Thu Oct 17 06:08:16 2019 -0400 - - code simplification - -commit 3c4e261c20ce7cab51ad9b6596db09e009efbdeb -Author: Patrick Schleizer -Date: Thu Oct 17 06:05:23 2019 -0400 - - remove trailing spaces - -commit c8e0303d6d59e3303c0582ff8ab2664762199c81 -Merge: 4b1b3b7 8a42c5b -Author: Patrick Schleizer -Date: Thu Oct 17 06:04:34 2019 -0400 - - Merge remote-tracking branch 'origin/master' - -commit 8a42c5b02387da454ff5661057be88a7c6fe9d9c -Merge: 994ca02 61f7423 -Author: Patrick Schleizer -Date: Thu Oct 17 09:59:12 2019 +0000 - - Merge pull request #34 from madaidan/whitelist - - Add a whitelist for /sys and /proc/cpuinfo - -commit 994ca024c24cf80075b2f03bc65475a5d9980d94 -Merge: 4b1b3b7 259b1f2 -Author: Patrick Schleizer -Date: Thu Oct 17 06:19:46 2019 +0000 - - Merge pull request #33 from madaidan/documentation - - Improve documentation - -commit 61f742304d26e73df8433bd6fa03d33d39e39625 -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Wed Oct 16 19:46:59 2019 +0000 - - return 0 - -commit 259b1f2c71ec4566011a148e5bc703a41f0ebd90 -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Wed Oct 16 19:21:24 2019 +0000 - - Update control - -commit ffba0e017940d2be08c1e37514d396ac39f55e35 -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Wed Oct 16 19:04:15 2019 +0000 - - Elaborate - -commit 4f5b7816ecda6375b051c75a3b0aff93519b4a66 -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Wed Oct 16 19:01:49 2019 +0000 - - Elaborate - -commit 99a762d3dc6ecbdb160b7840081848444b56c3fa -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Wed Oct 16 18:53:04 2019 +0000 - - KASLR is different from ASLR - -commit a14a2854c6e72f2b4b3e5c8d02b63a46c3179a00 -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Wed Oct 16 18:52:14 2019 +0000 - - Elaborate - -commit f08c03ab21126b2d3ef5d4c2e4e3f0eae14fa5c0 -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Wed Oct 16 15:39:23 2019 +0000 - - Restrict sysfs/cpuinfo if the whitelist is disabled - -commit af607d5eb233d85d493d796afde76728f0e0e3cd -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Tue Oct 15 21:02:03 2019 +0000 - - Create sysfs and cpuinfo groups - -commit 42c1701d5ca446da37a493b27c125b78bd8d183d -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Tue Oct 15 21:00:03 2019 +0000 - - Whitelist user@.service - -commit a47a2fca8bcdf8ff480cea879720b9599c491358 -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Tue Oct 15 20:58:58 2019 +0000 - - Create 30_whitelist.conf - -commit 6b78dbcd07a9d2361c5ab41f5151e24a80309e13 -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Tue Oct 15 20:57:02 2019 +0000 - - Add way to whitelist things - -commit 4b1b3b7d6675adbde57d9cf5cbcc880f95199ef1 -Author: Patrick Schleizer -Date: Mon Oct 14 10:23:01 2019 +0000 - - bumped changelog version - -commit c19964360a6d42e73e5d2f3b90afd5f676933d30 -Author: Patrick Schleizer -Date: Mon Oct 14 10:10:08 2019 +0000 - - readme - -commit c22738be027f69391a4ac40ce85bfacf35ff1742 -Author: Patrick Schleizer -Date: Mon Oct 7 08:25:45 2019 +0000 - - comments - -commit 75f36bc2c9bf5c50061f05198c504d84b128e5da -Author: Patrick Schleizer -Date: Mon Oct 7 08:25:07 2019 +0000 - - comments - -commit e92a8a69665f982e8b5a37f7081fa75197cde828 -Author: Patrick Schleizer -Date: Mon Oct 7 08:24:02 2019 +0000 - - comments - -commit 60c044a9d669dd816ff473f19e19b87f87cc9008 -Author: Patrick Schleizer -Date: Mon Oct 7 05:30:56 2019 +0000 - - copyright / comments - -commit cd2135ff82de82278eaa680d30bea2fe68f94f52 -Author: Patrick Schleizer -Date: Sun Oct 6 10:18:24 2019 +0000 - - comments - -commit 8b4f2befd46d4db4d2a83d9e79ebcf9abf98fd02 -Author: Patrick Schleizer -Date: Sat Oct 5 13:15:34 2019 +0000 - - comment out sack by default - - https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109/8?u=patrick - -commit 02096f8d7c7ee1f61285cf96564616f2828aa6c2 -Author: Patrick Schleizer -Date: Sat Oct 5 13:13:46 2019 +0000 - - Revert "undo Disabling TCP SACK, DSACK, FACK" - - This reverts commit 5fb4eb8e561e7c37cea977072944501fc32ee883. - -commit 62a0239207ee355e3d07e0097c963a0ded496e76 -Author: Patrick Schleizer -Date: Sat Oct 5 11:33:15 2019 +0000 - - bumped changelog version - -commit 54b83ae44dbda76b9b2696488194b53612bfc377 -Author: Patrick Schleizer -Date: Sat Oct 5 07:20:18 2019 -0400 - - readme - -commit 5fb4eb8e561e7c37cea977072944501fc32ee883 -Author: Patrick Schleizer -Date: Sat Oct 5 07:00:47 2019 -0400 - - undo Disabling TCP SACK, DSACK, FACK - - https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109/5 - -commit c19942f72b8d74056dd8da8c3cd9ac7e0fbe8991 -Merge: 213aef6 a33851a -Author: Patrick Schleizer -Date: Sat Oct 5 06:58:27 2019 -0400 - - Merge remote-tracking branch 'origin/master' - -commit a33851a3c99a5eb9021d2d28b3164ed10025fbd9 -Merge: 213aef6 d0c6bb1 -Author: Patrick Schleizer -Date: Sat Oct 5 10:58:08 2019 +0000 - - Merge pull request #32 from madaidan/disable-dsack-fack - - Disable TCP DSACK and FACK - -commit 213aef6eb9288efffe9fb0458f0aa8a44a6dafa6 -Author: Patrick Schleizer -Date: Sat Oct 5 09:40:26 2019 +0000 - - bumped changelog version - -commit aaebb32b668f4447c011f4e150f959c8d0e1ce09 -Author: Patrick Schleizer -Date: Sat Oct 5 09:39:05 2019 +0000 - - readme - -commit c87fc75f2a7d6ed38362729d27030f83b08292d3 -Author: Patrick Schleizer -Date: Sat Oct 5 09:36:21 2019 +0000 - - fix, run remove-system-map.service during sysinit.target - -commit 25b674678472623c06d948f4cbb967f360ba15f0 -Author: Patrick Schleizer -Date: Sat Oct 5 09:14:54 2019 +0000 - - fix systemd unit file proc-hidepid.service: WantedBy=sysinit.target - -commit d2bc3a2a08a00c68f05ed99caf16aad0b1e11ea4 -Author: Patrick Schleizer -Date: Sat Oct 5 09:14:41 2019 +0000 - - chmod +x usr/lib/security-misc/hide-hardware-info - -commit ffe0d62c8148ec60f7528002e988b969ebb868ca -Merge: ddc778b 7bcf73d -Author: Patrick Schleizer -Date: Sat Oct 5 04:49:05 2019 -0400 - - Merge remote-tracking branch 'origin/master' - -commit 7bcf73deaa1c77f9c650d8844ad94d24e38746fd -Merge: ddc778b 7345287 -Author: Patrick Schleizer -Date: Sat Oct 5 08:46:21 2019 +0000 - - Merge pull request #31 from madaidan/hide-hardware-info - - Restrict /proc/cpuinfo, /proc/bus, /proc/scsi and /sys to root - -commit d0c6bb1e9064ffdf45f7ac606f708c3f5e7dc247 -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Fri Oct 4 17:35:54 2019 +0000 - - Disable TCP DSACK and FACK - -commit 7345287560bc701f8b4aead985238d66104b228c -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Fri Oct 4 17:32:52 2019 +0000 - - Use sysinit.target instead - -commit e06eeec6788a46a28682b2c83f1de9f83eacf3bd -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Thu Oct 3 21:42:06 2019 +0000 - - Disable hide-hardware-info.service by default - -commit 87917d2f03d5e510f4e2cbdbea2a7692146e820b -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Thu Oct 3 21:38:07 2019 +0000 - - Add licensing - -commit b06ab912c04d3d8746afa7492d0c3bb17bf71932 -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Thu Oct 3 21:37:29 2019 +0000 - - Add licensing - -commit ec5fcf813b80347e5d8aa55dbd5d77860e62ccc6 -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Thu Oct 3 20:50:48 2019 +0000 - - Update control - -commit ce97e5ed8203809619d8fdf630242712c188cede -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Thu Oct 3 20:45:29 2019 +0000 - - Create hide-hardware-info.service - -commit 9449f5017a6feff7e70d625d54d75d514ed2e596 -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Thu Oct 3 20:45:14 2019 +0000 - - Create hide-hardware-info - -commit ddc778b45281b9f7f42496ffbd4f2137d6fa9d5a -Author: Patrick Schleizer -Date: Mon Sep 16 13:34:11 2019 +0000 - - bumped changelog version - -commit 75258843e9d4da9b0be7aec42528e093e0861992 -Author: Patrick Schleizer -Date: Mon Sep 16 13:03:43 2019 +0000 - - copyright - -commit 8e39cea876a8ff9ca496b9230dd13e4201f1e2f6 -Author: Patrick Schleizer -Date: Mon Sep 16 13:03:25 2019 +0000 - - comment - -commit bac462f2112d0290cad82717e1efed19c8fafac5 -Author: Patrick Schleizer -Date: Mon Sep 16 13:03:02 2019 +0000 - - comment - -commit bec680d4f3ccc406c5d8c5a67d7957be04f6a0de -Author: Patrick Schleizer -Date: Mon Sep 16 12:30:23 2019 +0000 - - pam_tally2-info: fix, do nothing when started as user "user" - - xscreensaver runs as user "user", therefore pam_tally2 cannot function. - xscreensaver has its own failed login counter. - - as user "user" - /sbin/pam_tally2 -u user - pam_tally2: Error opening /var/log/tallylog for update: Permission denied - /sbin/pam_tally2: Authentication error - - https://askubuntu.com/questions/983183/how-lock-the-unlock-screen-after-wrong-password-attempts - - https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698 - -commit c2e444479cf723a7ddb3c51cd6394795daba108e -Author: Patrick Schleizer -Date: Sun Sep 15 14:08:13 2019 +0000 - - bumped changelog version - -commit c9425a1404af73bf5d92fd7d1665130335d9e789 -Author: Patrick Schleizer -Date: Sun Sep 15 14:07:50 2019 +0000 - - readme - -commit 619550da2393dfe683be827a51d4390b6280ace1 -Author: Patrick Schleizer -Date: Sun Sep 15 14:00:24 2019 +0000 - - description - -commit b95b66e42986a359835127d6c56aabb1e9d9008f -Author: Patrick Schleizer -Date: Sun Sep 15 13:56:37 2019 +0000 - - description - -commit ae804a15e73a4a8b9ef3b605e3fca7ba24e135a6 -Author: Patrick Schleizer -Date: Sun Sep 15 13:21:02 2019 +0000 - - description - -commit 3d187dab99cd6d0a2906e73c86e0dd8c94cbc648 -Author: Patrick Schleizer -Date: Thu Sep 12 12:50:42 2019 +0000 - - bumped changelog version - -commit f13a73e569e6adacd38aaa59f4484919a3896359 -Author: Patrick Schleizer -Date: Tue Sep 10 12:35:42 2019 -0400 - - undo SysRq restrictions - - https://forums.whonix.org/t/sysrq-magic-sysrq-key/8079 - -commit fbd1a5bde922be9c571d54567c977618e2c4bfc5 -Author: Patrick Schleizer -Date: Tue Sep 10 12:23:00 2019 -0400 - - hidepid before sysinit.target - -commit 1f75a1065049a1c75e0cb597f2bcc1a8e0eca93b -Author: Patrick Schleizer -Date: Mon Sep 9 12:10:24 2019 +0000 - - bumped changelog version - -commit 1b4391417619a51cfe22d9eee21d9fa644d145b6 -Merge: 9d875d7 d0b3bc7 -Author: Patrick Schleizer -Date: Mon Sep 9 11:45:36 2019 +0000 - - Merge remote-tracking branch 'origin/master' - -commit d0b3bc7d3da6a4e3a04adb85cc5c7aa6c22bb466 -Merge: 9d875d7 60db7e6 -Author: Patrick Schleizer -Date: Mon Sep 9 11:45:19 2019 +0000 - - Merge pull request #30 from madaidan/patch-23 - - fix typo - -commit 60db7e6294ab405a862c1cbc62140c9e89208b25 -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Sat Sep 7 20:08:56 2019 +0000 - - fix typo - -commit 9d875d7c31b4cd15873709c57ebb338d89477ab5 -Author: Patrick Schleizer -Date: Sat Sep 7 06:11:32 2019 +0000 - - bumped changelog version - -commit b3103b1ba8a1b8d7718ee167230dc938bc8b64b4 -Author: Patrick Schleizer -Date: Sat Sep 7 06:10:35 2019 +0000 - - readme - -commit 7affddb3bbfaa8183bad5986dbbb6ea728df1fe4 -Author: Patrick Schleizer -Date: Sat Sep 7 05:47:34 2019 +0000 - - blacklist modules with /bin/false rather than /bin/true to fail with error - - message rather than failing without notification - -commit 8132052ce01215a98cb4464e5f78d75349e77b10 -Author: Patrick Schleizer -Date: Sat Sep 7 05:44:23 2019 +0000 - - run update-grub from postinst so /etc/default/grub.d changes take effect - -commit 661bcd8603425934188cf139f33e20675ff4b765 -Author: Patrick Schleizer -Date: Sat Sep 7 05:39:56 2019 +0000 - - allow loading unsigned modules due to issues - - https://forums.whonix.org/t/allow-loading-signed-kernel-modules-by-default-disallow-kernel-module-loading-by-default/7880/23 - -commit 9ee9309f542472a8c8045df44573a5ec38e32a90 -Author: Patrick Schleizer -Date: Fri Sep 6 13:04:57 2019 +0000 - - bumped changelog version - -commit ea0779e42aa8416c142eb3d37f8cede42794e0f7 -Author: Patrick Schleizer -Date: Fri Sep 6 13:00:20 2019 +0000 - - rm_conffile /etc/sudoers.d/umask-security-misc - -commit 3a9939dccbea16408e8ba1c739748234bde68d89 -Author: Patrick Schleizer -Date: Fri Sep 6 11:47:40 2019 +0000 - - bumped changelog version - -commit 51705c201bd9959a77a53201e492100b751d0508 -Author: Patrick Schleizer -Date: Fri Sep 6 11:47:17 2019 +0000 - - readme - -commit 5960c1682a5177355147fce67c383ce6f861d60c -Author: Patrick Schleizer -Date: Fri Sep 6 11:46:22 2019 +0000 - - description - -commit fccfacfdafd197951e5a9598b9fb47309021ec84 -Author: Patrick Schleizer -Date: Fri Sep 6 11:45:54 2019 +0000 - - description - -commit cb8170fd800816c2f6123cd67819340da8f51551 -Author: Patrick Schleizer -Date: Fri Sep 6 11:44:56 2019 +0000 - - comment - -commit ccdbc52b82993f0078c16ba99248eb4569539344 -Author: Patrick Schleizer -Date: Fri Sep 6 11:43:55 2019 +0000 - - comment - -commit 051856bc8e587250d9b6936661d8f05d965c3e59 -Author: Patrick Schleizer -Date: Fri Sep 6 11:42:38 2019 +0000 - - remove trailing space - -commit 610d3488e9d4372c442eeb33c57a4a791c48267b -Author: Patrick Schleizer -Date: Fri Sep 6 09:33:06 2019 +0000 - - bumped changelog version - -commit b15becd48d3437b8a3965b84d5cdb80012fe32e8 -Author: Patrick Schleizer -Date: Fri Sep 6 09:32:42 2019 +0000 - - readme - -commit 0e20e33d1629e532e77e1f3e21b546ea125f28b0 -Author: Patrick Schleizer -Date: Thu Sep 5 02:31:57 2019 -0400 - - description - -commit 0b3dcef13d6462d9586908a91ff4d976070b26a3 -Author: Patrick Schleizer -Date: Thu Sep 5 02:30:40 2019 -0400 - - description - -commit f2e5883b4c72118d00f77e4dfc3187e5d9bf6391 -Author: Patrick Schleizer -Date: Thu Sep 5 02:29:48 2019 -0400 - - description - -commit a4913ae092e26af4368e0f493b8b79d11329eb18 -Author: Patrick Schleizer -Date: Thu Sep 5 02:28:43 2019 -0400 - - description - -commit a2aeb401a25f3576b8ed95b62fd47edad8e61e2c -Author: Patrick Schleizer -Date: Sat Aug 31 13:44:37 2019 +0000 - - bumped changelog version - -commit 3a5bdddf5c790829252ff7d5443a3d4d3b9218d8 -Author: Patrick Schleizer -Date: Sat Aug 31 08:43:46 2019 -0400 - - depend on adduser - -commit 8bbebf64cff87ce37a100a1da74cfd0e811ed571 -Author: Patrick Schleizer -Date: Sat Aug 24 16:41:27 2019 +0000 - - bumped changelog version - -commit 07cba361ed663672de3d0263e8262c61b4d43b4e -Author: Patrick Schleizer -Date: Sat Aug 24 16:39:56 2019 +0000 - - readme - -commit 0ae5c5ff14c308ff5307926fbe6d93f44e1c7615 -Author: Patrick Schleizer -Date: Sat Aug 24 12:14:22 2019 -0400 - - remove umask changes since these are causing issues are are not needed anymore - - thanks to home folder permission lockdown - - https://forums.whonix.org/t/change-default-umask/7416/45 - -commit 41c4682280b7bc8e700d9ed41b55e464c0511b69 -Author: Patrick Schleizer -Date: Fri Aug 23 16:57:12 2019 +0000 - - bumped changelog version - -commit e77260fd9cab49f85d5790188485dce7f9eeee23 -Author: Patrick Schleizer -Date: Fri Aug 23 16:53:55 2019 +0000 - - readme - -commit 793c9b6801ffda5d75d389b8e7a2a6d140d8d382 -Merge: a74b983 44d62e0 -Author: Patrick Schleizer -Date: Mon Aug 19 12:48:23 2019 +0000 - - Merge remote-tracking branch 'origin/master' - -commit a74b983283e9aa1662cd6be87148184f380fa297 -Author: Patrick Schleizer -Date: Mon Aug 19 12:46:59 2019 +0000 - - remove LLC - IEEE 802.2 from blacklist - - since required by KVM - - https://forums.whonix.org/t/whonix-desktop-installer-with-calamares-field-report/7350/107 - - https://forums.whonix.org/t/blacklist-uncommon-network-protocols/7391/22 - - https://github.com/Whonix/security-misc/pull/29 - -commit 44d62e05b5a60a3d45afd829fb67970afa7678b7 -Merge: 0140df8 a8b6281 -Author: Patrick Schleizer -Date: Mon Aug 19 12:45:52 2019 +0000 - - Merge pull request #29 from onions-knight/patch-1 - - Update uncommon-network-protocols.conf - -commit a8b62811199b6c4e5d86439cd0fc9e9c18dc027b -Author: onions-knight <38859709+onions-knight@users.noreply.github.com> -Date: Mon Aug 19 11:30:57 2019 +0000 - - Update uncommon-network-protocols.conf - - Removing llc from blacklisted network protocols as it is needed by KVM for networking. - See https://hub.packtpub.com/kvm-networking-libvirt/ and https://forums.whonix.org/t/whonix-desktop-installer-with-calamares-field-report/7350/107 - -commit 0140df866839d4f02ba5988eec8c72a71136482a -Author: Patrick Schleizer -Date: Mon Aug 19 08:43:28 2019 +0000 - - virusforget - -commit 113ab4256861edc068ea09b2d8fb96355cb71867 -Author: Patrick Schleizer -Date: Mon Aug 19 08:31:23 2019 +0000 - - virusforget - -commit 416906d4f9ad522a65d8847c9d03f4497bbd898f -Author: Patrick Schleizer -Date: Mon Aug 19 08:19:35 2019 +0000 - - virusforget - -commit 2d867d9fee691ba088cf42badc4def562d82bd0d -Author: Patrick Schleizer -Date: Mon Aug 19 08:10:18 2019 +0000 - - virusforget - -commit 8e76e6b8b3129bcda1c82322cc56e31edac43e3f -Author: Patrick Schleizer -Date: Mon Aug 19 07:48:12 2019 +0000 - - fix - -commit 3f068f77febebbe425f9d6cd1ef2d620fb6ec379 -Author: Patrick Schleizer -Date: Mon Aug 19 07:47:20 2019 +0000 - - keep cache folder outside of reach of user since even user can remove files - - owned by root in its home folder - -commit 1fa1efa58e6f719766394bc8b94d4aa4076bdc0d -Author: Patrick Schleizer -Date: Mon Aug 19 07:22:09 2019 +0000 - - credits - -commit 1e026a3ebbacb1011edbbf5b0fbcfe7b5e6338c0 -Author: Patrick Schleizer -Date: Sun Aug 18 22:50:44 2019 +0000 - - initial development version of VirusForget - -commit e15b5603057fd9c67ac1ab34493e8b9f05fbac9b -Author: Patrick Schleizer -Date: Sat Aug 17 10:54:08 2019 +0000 - - bumped changelog version - -commit c897682794639fa7848acf5ba4b33aabbbcd0644 -Author: Patrick Schleizer -Date: Sat Aug 17 10:53:45 2019 +0000 - - readme - -commit e535232728ec7ff6846a3102b73707c549ea64c0 -Author: Patrick Schleizer -Date: Sat Aug 17 10:37:49 2019 +0000 - - description - -commit 7ffdd7c240b55c1d5fae9279b42319a5e8be74ba -Author: Patrick Schleizer -Date: Sat Aug 17 10:37:42 2019 +0000 - - description - -commit 207399439f29b4b421a8e91fc1b965d9e82ba35c -Author: Patrick Schleizer -Date: Sat Aug 17 10:37:36 2019 +0000 - - description - -commit d4fb485e7090a7424f3f80b18b010fbc9859283c -Author: Patrick Schleizer -Date: Sat Aug 17 10:35:31 2019 +0000 - - description - -commit 41b2819ec88364290c5d91daa2236919ea589c1c -Author: Patrick Schleizer -Date: Sat Aug 17 10:33:47 2019 +0000 - - PAM: abort on locked password - - to avoid needlessly bumping pam_tally2 counter - - https://forums.whonix.org/t/restrict-root-access/7658/1 - -commit e0e25364e2d14459b918eea2cb63cbe10b8371f3 -Author: Patrick Schleizer -Date: Sat Aug 17 09:57:48 2019 +0000 - - bumped changelog version - -commit cfd18d4486c763a79bc174bded7d8cf0b3dd567f -Author: Patrick Schleizer -Date: Sat Aug 17 09:56:29 2019 +0000 - - readme - -commit ed90d8b025c1f852856fea0e620c240f35e78a53 -Author: Patrick Schleizer -Date: Sat Aug 17 09:55:20 2019 +0000 - - change default umask to 027 - - as per: - - https://forums.whonix.org/t/change-default-umask/7416/47 - -commit b9127faac300024f7d8851d41037bebd5d3fe05c -Author: Patrick Schleizer -Date: Fri Aug 16 16:05:51 2019 +0000 - - bumped changelog version - -commit e004a5e0cf22c5add683ed8c1ff6f88bdc4053ba -Author: Patrick Schleizer -Date: Fri Aug 16 16:05:25 2019 +0000 - - readme - -commit f9e3825e9166b9814beb5e0a8e30caa540e66a27 -Author: Patrick Schleizer -Date: Fri Aug 16 16:05:09 2019 +0000 - - fix lintian warning - -commit ec99720811c53bf0ad3a1f36e0d34371ebc6d283 -Author: Patrick Schleizer -Date: Fri Aug 16 15:59:14 2019 +0000 - - bumped changelog version - -commit 6a68c3bd9cd47a8542460a95d90bcf7e34d9f768 -Author: Patrick Schleizer -Date: Fri Aug 16 15:57:30 2019 +0000 - - readme - -commit 224f95799c36f56c2165fe9284abaceaa84f1d3b -Author: Patrick Schleizer -Date: Fri Aug 16 11:15:25 2019 -0400 - - sudo default umask 006 - - https://forums.whonix.org/t/change-default-umask/7416/43 - -commit 17cfcb63b6358f51a65df9623bc23ddf869b06cc -Author: Patrick Schleizer -Date: Fri Aug 16 10:50:56 2019 -0400 - - code simplification; report locked account earlier - -commit 5754671c460c67bd7d8e064841383ea7b7f90824 -Merge: 34672b8 9781598 -Author: Patrick Schleizer -Date: Fri Aug 16 10:36:43 2019 -0400 - - Merge remote-tracking branch 'origin/master' - -commit 97815986321b6daf9c1f0c6f33a4b282ca05438c -Merge: 34672b8 85502ad -Author: Patrick Schleizer -Date: Fri Aug 16 14:36:00 2019 +0000 - - Merge pull request #27 from madaidan/patch-21 - - Blacklist bluetooth - -commit 85502ad430f560070806c8b95b7fed3fe7028587 -Merge: 4a6f87f 34672b8 -Author: Patrick Schleizer -Date: Fri Aug 16 14:35:51 2019 +0000 - - Merge branch 'master' into patch-21 - -commit 34672b88a86285e1d3eaf35f0a2b3c2e974ffd26 -Author: Patrick Schleizer -Date: Thu Aug 15 15:18:02 2019 +0000 - - bumped changelog version - -commit a11e3cea9eb160ba84dbc273ea4cb48bc687158f -Author: Patrick Schleizer -Date: Thu Aug 15 15:08:48 2019 +0000 - - readme - -commit ff9bc1d7ea81a8507f44d9bb1301b9665614ebdd -Author: Patrick Schleizer -Date: Thu Aug 15 13:37:28 2019 +0000 - - informational output during PAM: - - * Show failed and remaining password attempts. - * Document unlock procedure if Linux user account got locked. - * Point out, that there is no password feedback for `su`. - * Explain locked (root) account if locked. - * /usr/share/pam-configs/tally2-security-misc - * /usr/lib/security-misc/pam_tally2-info - -commit 454e1358220abf75def0d88a22426086a55c0802 -Author: Patrick Schleizer -Date: Thu Aug 15 07:33:41 2019 +0000 - - pam_tally2.so even_deny_root - -commit 63b476221c7b9ece6b99f9e194fab80e300275d9 -Author: Patrick Schleizer -Date: Thu Aug 15 07:30:56 2019 +0000 - - use requisite rather than required to avoid asking for password needlessly - - if login will fail anyhow - -commit ce4a30d3cecb7e9bddb96c79aab871804cb90bd4 -Author: Patrick Schleizer -Date: Wed Aug 14 11:52:26 2019 +0000 - - bumped changelog version - -commit a7c25a451c78f7b9a5720e1b6fc7d168eb0afa4f -Author: Patrick Schleizer -Date: Wed Aug 14 11:50:53 2019 +0000 - - remove unneeded dependency on libpam-cgfs - -commit 633854c6bec439af9718439c8207012322800166 -Author: Patrick Schleizer -Date: Wed Aug 14 11:13:25 2019 +0000 - - bumped changelog version - -commit 0feb54b28e90b5c4cfcd529914a3892362c34966 -Author: Patrick Schleizer -Date: Wed Aug 14 11:10:18 2019 +0000 - - add Depends: apparmor-profile-anondist to fix apparmor issue - - sudo[19806]: pam_exec(sudo:session): execve(/usr/lib/security-misc/permission-lockdown,...) failed: Permission denied - sudo[18961]: pam_exec(sudo:session): /usr/lib/security-misc/permission-lockdown failed: exit code 13 - kernel: audit: type=1400 audit(1565780860.972:224): apparmor="DENIED" operation="exec" profile="/usr/bin/whonixcheck" name="/usr/lib/security-misc/permission-lockdown" pid=19806 comm="sudo" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 - -commit 8fdc77fed553d7ba6123d738b9cb3efe98f3f08f -Author: Patrick Schleizer -Date: Wed Aug 14 10:33:23 2019 +0000 - - output to stdout - -commit 5213cfbcdcb41a5aa714d1031b36436adeb0359c -Author: Patrick Schleizer -Date: Wed Aug 14 10:08:18 2019 +0000 - - bumped changelog version - -commit 2875adb7221769dcd23ef701dae8b9ad24708590 -Author: Patrick Schleizer -Date: Wed Aug 14 10:07:55 2019 +0000 - - readme - -commit 01b3a0bfaeda0dad87644ad8d54c61e07dd501f7 -Author: Patrick Schleizer -Date: Wed Aug 14 09:52:53 2019 +0000 - - description - -commit 547ba91d799780487782cdd8088c556d978494e8 -Author: Patrick Schleizer -Date: Wed Aug 14 09:45:30 2019 +0000 - - sanity test - -commit dee195d89e94ff343cec60308cbbb5464d2a7b18 -Author: Patrick Schleizer -Date: Wed Aug 14 09:40:41 2019 +0000 - - description - -commit 799acad724977dea220c2228f9da0db3d6b5170e -Author: Patrick Schleizer -Date: Wed Aug 14 09:39:43 2019 +0000 - - skip, if not a folder - -commit 6321ff5ad5938a929d4a997b4f1b03db2ac4b5fd -Author: Patrick Schleizer -Date: Wed Aug 14 09:38:44 2019 +0000 - - refactoring - -commit 15094cab4fbbb1fd0c20bd8241ea20bd6c0bd331 -Author: Patrick Schleizer -Date: Wed Aug 14 09:36:30 2019 +0000 - - avoid ' character in usr/share/pam-configs; in description - -commit 97d1945e61053efd3b73fb9f761b3ea1c9271cdc -Author: Patrick Schleizer -Date: Wed Aug 14 09:32:58 2019 +0000 - - no log needed, informative output to stdout instead - -commit a085d46c567b0b5dbbaddd8f3e5873d87d904c4a -Author: Patrick Schleizer -Date: Wed Aug 14 09:31:58 2019 +0000 - - change priories so "pam_umask.so usergroups umask=006" runs before pam_exec.so /usr/lib/security-misc/permission-lockdown - -commit f8c828b69a8f52108d19af4076e718930b5dcd07 -Author: Patrick Schleizer -Date: Wed Aug 14 05:19:02 2019 -0400 - - output - -commit e5da6d9699de1d3c4aaefee7d301a4c47f33e4bd -Author: Patrick Schleizer -Date: Wed Aug 14 05:17:54 2019 -0400 - - copyright - -commit 1595789d7c310c80196345e06b6bacc8fb7c0baf -Author: Patrick Schleizer -Date: Wed Aug 14 05:17:16 2019 -0400 - - comment - -commit ce06fdf91103afbaf84523ce998570af733b5bbe -Author: Patrick Schleizer -Date: Wed Aug 14 05:15:53 2019 -0400 - - formatting - -commit 21489111d107023f150988137180154ba62e1ff2 -Author: Patrick Schleizer -Date: Wed Aug 14 08:34:03 2019 +0000 - - run permission lockdown during pam - - https://forums.whonix.org/t/change-default-umask/7416 - -commit 42f2d5f6664f15baebdaf200a5690cf32cdbe284 -Author: Patrick Schleizer -Date: Wed Aug 14 07:39:28 2019 +0000 - - description - -commit 52df8dc0149d597c3106daa7112a01db444e34f1 -Author: Patrick Schleizer -Date: Wed Aug 14 07:37:21 2019 +0000 - - optional pam_umask.so usergroups umask=006 - -commit f210294f4091b6a09c902a446b125c26022c5d2a -Author: Patrick Schleizer -Date: Wed Aug 14 07:24:24 2019 +0000 - - description - -commit dbea7d1511d8e1b2604960d37146ec931d9dfe15 -Author: Patrick Schleizer -Date: Wed Aug 14 07:22:14 2019 +0000 - - add hook etc/kernel/postinst.d/30_remove-system-map to remove system.map - - on kernel package upgrade; - - self-document this package: during upgrade the following will be written - to stdout: - - Setting up linux-image-4.19.0-5-amd64 (4.19.37-5+deb10u2) ... - /etc/kernel/postinst.d/30_remove-system-map: - removed '/boot/System.map-4.19.0-5-amd64 - -commit f1d8cbc9fb2b800205923cce77a8e242dddd133c -Author: Patrick Schleizer -Date: Wed Aug 14 07:02:09 2019 +0000 - - bumped changelog version - -commit 41f4441d9dc5777d4ea7424f8422164c548da091 -Author: Patrick Schleizer -Date: Wed Aug 14 07:01:47 2019 +0000 - - readme - -commit a82448d46af4fb9dce2de84025b8b820a11fae01 -Author: Patrick Schleizer -Date: Wed Aug 14 07:01:25 2019 +0000 - - description - -commit ff8c0979435b491cf462c5ef6e8e02f6d85f1d81 -Merge: 6f8acf0 a8ea379 -Author: Patrick Schleizer -Date: Wed Aug 14 06:59:50 2019 +0000 - - Merge remote-tracking branch 'origin/master' - -commit a8ea37952669b3f40a452cb580442126ec44233a -Merge: 6f8acf0 9a49b8e -Author: Patrick Schleizer -Date: Wed Aug 14 06:59:34 2019 +0000 - - Merge pull request #28 from madaidan/patch-22 - - Require all loaded kernel modules to be signed with a valid key. - -commit 9a49b8ecbb863a995862a4d380c6a03f6c0991ac -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Tue Aug 13 13:33:07 2019 +0000 - - Create 40_only_allow_signed_modules.cfg - - Require all loaded kernel modules to be signed with a valid key. - -commit 6f8acf06d79c77e3bee15cc8696a433271e2b7c9 -Author: Patrick Schleizer -Date: Sun Aug 11 12:07:07 2019 +0000 - - bumped changelog version - -commit 52cee9128316d649ba7ffa9600d0fdc33c99a9a9 -Author: Patrick Schleizer -Date: Sun Aug 11 11:39:32 2019 +0000 - - readme - -commit aacd9c7679b05b7ee59df484f21a24fe7aa5901d -Author: Patrick Schleizer -Date: Sun Aug 11 10:34:38 2019 +0000 - - description - -commit c0b5c70de498d891e4edd5b9af2292909be36776 -Author: Patrick Schleizer -Date: Sun Aug 11 10:33:22 2019 +0000 - - description - -commit 2f37a66fd009c9cba423c0f95833a71c8669af46 -Author: Patrick Schleizer -Date: Sun Aug 11 10:31:29 2019 +0000 - - description - -commit e83ec79a25d09b2467e2389959d87267bab7f1f0 -Author: Patrick Schleizer -Date: Sun Aug 11 10:30:51 2019 +0000 - - enable usr/share/pam-configs/mkhomedir-security-misc by default - -commit 1eb806a03ef25bb387fa80f45dd6509925437048 -Author: Patrick Schleizer -Date: Sun Aug 11 10:29:49 2019 +0000 - - pam_mkhomedir.so umask=006 - -commit c50eb3c9b07b9e54951eb08206db6d28383f6cdc -Author: Patrick Schleizer -Date: Sun Aug 11 10:28:55 2019 +0000 - - add usr/share/pam-configs/mkhomedir-security-misc based on - /usr/share/pam-configs/mkhomedir - -commit 75769151cd7980042357f18c5567adab2a031049 -Author: Patrick Schleizer -Date: Sat Aug 10 11:37:02 2019 +0000 - - bumped changelog version - -commit a2fa18c38159161418edcdaacb1baad215f5d31d -Author: Patrick Schleizer -Date: Sat Aug 10 07:07:28 2019 -0400 - - pam_tally2.so deny=100 - - during testing, due to issues - - https://github.com/Whonix/security-misc/commit/d17e25272b9b7bbb6abc4dccd500a6b34311a7dd - - https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698/12 - -commit d17e25272b9b7bbb6abc4dccd500a6b34311a7dd -Author: Patrick Schleizer -Date: Sat Aug 10 06:06:39 2019 -0400 - - effectively (not directly) add "required pam_tally2.so debug" to /etc/pam.d/common-account - - This is required because otherwise something like "sudo bash" would count as a - failed login for pam_tally2 even though it was successful. - - https://bugzilla.redhat.com/show_bug.cgi?id=707660 - - https://forums.whonix.org/t/restrict-root-access/7658 - -commit 0f896a9d8d6f7c125311a0e226755f8a00214f3c -Author: Patrick Schleizer -Date: Sat Aug 10 06:05:37 2019 -0400 - - add onerr=fail audit to pam_tally2 - -commit a703865dcf736996a58e6f684fc02f0e9dfa8cc7 -Author: Patrick Schleizer -Date: Thu Aug 1 12:02:41 2019 +0000 - - bumped changelog version - -commit 1fe3036a4903588b89edd82e7097a665271fd27f -Author: Patrick Schleizer -Date: Thu Aug 1 11:13:43 2019 +0000 - - readme - -commit e076470f68dc18908c5ab1889232aaaa0fcb9f3d -Author: Patrick Schleizer -Date: Thu Aug 1 11:04:58 2019 +0000 - - renamed: usr/share/pam-configs/usergroups -> usr/share/pam-configs/usergroups-security-misc - -commit 830111e99aa6f45688c4ba00a7f41ea323f15f2a -Author: Patrick Schleizer -Date: Thu Aug 1 11:04:22 2019 +0000 - - split usr/share/pam-configs/security-misc - into - usr/share/pam-configs/tally2-security-misc - usr/share/pam-configs/wheel-security-misc - -commit 5d0aec1321b4f46f1834ba9ad166d2445a995fbb -Author: Patrick Schleizer -Date: Wed Jul 31 19:12:27 2019 +0000 - - bumped changelog version - -commit 89d32402b2dd2182dc6e7788d41708eaaeeb02c1 -Author: Patrick Schleizer -Date: Wed Jul 31 14:52:29 2019 -0400 - - fix, do not use "," inside /usr/share/pam-configs files - -commit 4a6f87f3fa104f0e0a62809fe08f7d07d15dd9f7 -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Wed Jul 31 18:33:28 2019 +0000 - - Update control - -commit 5a4ea39566621431e931d5bc09957e04f18bbeee -Author: madaidan <50278627+madaidan@users.noreply.github.com> -Date: Wed Jul 31 18:30:57 2019 +0000 - - Create blacklist-bluetooth.conf - -commit 864de10659d0145ae8883b98b1746a7debc9492a -Author: Patrick Schleizer -Date: Wed Jul 31 15:17:51 2019 +0000 - - bumped changelog version - -commit 47368ae4fccc85ab3197f07316b03c123187f9a2 -Author: Patrick Schleizer -Date: Wed Jul 31 15:15:30 2019 +0000 - - readme - -commit c09fb208d163be4ff7ace9f41cfee03147018cd8 -Author: Patrick Schleizer -Date: Wed Jul 31 07:44:50 2019 +0000 - - bumped changelog version - -commit ac1220e14bd9428420cf01ef68e5acb690b6afa4 -Author: Patrick Schleizer -Date: Wed Jul 31 07:32:59 2019 +0000 - - depend on sudo so group sudo exists during postinst - -commit 09f75fb1ff03d7a95951a0f6bcb9d84f1744b583 -Author: Patrick Schleizer -Date: Wed Jul 31 07:32:36 2019 +0000 - - description - -commit 2ad087dcd9e4fd3e747a47577b9d4ba1088d6a33 -Author: Patrick Schleizer -Date: Wed Jul 31 07:30:40 2019 +0000 - - description - -commit 404f597c0aaddeef3c8c555d2d7f5a9993f9e512 -Author: Patrick Schleizer -Date: Wed Jul 31 07:29:42 2019 +0000 - - description - -commit c921872016672073927fce34ed764263c8d6db5b -Author: Patrick Schleizer -Date: Wed Jul 31 07:27:13 2019 +0000 - - description - -commit 39e1b1c5f0622c062f12c532400ca170d3eb789f -Author: Patrick Schleizer -Date: Wed Jul 31 07:26:25 2019 +0000 - - update file path - -commit cf906687561acee7f61fdf100b801d670a74a94f -Author: Patrick Schleizer -Date: Wed Jul 31 03:25:02 2019 -0400 - - lock user accounts after 5 failed authentication attempts using pam_tally2 - -commit 3e29761560085f9e3d84250e29a2ea5e34766432 -Author: Patrick Schleizer -Date: Wed Jul 31 03:17:06 2019 -0400 - - debug at the end - -commit 5cdb3edb321046bf9dc09e91665e63faf16e9786 -Author: Patrick Schleizer -Date: Wed Jul 31 03:16:41 2019 -0400 - - usr/share/pam-configs/wheel -> usr/share/pam-configs/security-misc - -commit 031a1c8751504b00f131fd8d518f59b975353369 -Author: Patrick Schleizer -Date: Mon Jul 22 01:16:18 2019 +0000 - - bumped changelog version - -commit f38f307b37d2efb036c5b4e85f48921b0acfadeb -Merge: 8c538ba b2582fb -Author: Patrick Schleizer -Date: Sun Jul 21 09:12:33 2019 -0400 - - Merge remote-tracking branch 'origin/master' - -commit b2582fbd4c2364c7bca95b4038eec2ef2a2fae41 -Merge: 8c538ba 077899c -Author: Patrick Schleizer -Date: Sun Jul 21 12:40:37 2019 +0000 - - Merge pull request #26 from fepitre/fix-files - - Fix files - -commit 077899c23d518416cd9ee801a3607585d3a51aab -Author: Frédéric Pierret (fepitre) -Date: Sun Jul 21 11:23:06 2019 +0200 - - Add .gitignore - -commit 5fbe7537613a2034d80983e095cdd8d2971b1bcc -Author: Frédéric Pierret (fepitre) -Date: Sun Jul 21 11:19:35 2019 +0200 - - spec: update %files section - - QubesOS/qubes-issues#1885 - -commit 8c538ba318e5524d07034f2f718e4b5ae483176d -Author: Patrick Schleizer -Date: Wed Jul 17 21:38:26 2019 +0000 - - bumped changelog version - -commit 1c7441ddf194fd54f40f1b0d16c408fd29d49b9e -Author: Patrick Schleizer -Date: Wed Jul 17 21:16:14 2019 +0000 - - alias /etc/securetty -> /etc/securetty.security-misc, - -commit 940054d53ff9b7027f414268370245627675a60a -Author: Patrick Schleizer -Date: Wed Jul 17 21:08:23 2019 +0000 - - bumped changelog version - -commit 08d37471d486f13aebeb2c355280f3b207eb044b -Author: Patrick Schleizer -Date: Wed Jul 17 21:06:17 2019 +0000 - - readme - -commit c0a4a10d6b89000735227f51464cc1ce76f8419b -Author: Patrick Schleizer -Date: Wed Jul 17 21:05:11 2019 +0000 - - description - -commit 7352b2ac31d7fde7e15da044c7f7279d7eddc8ae -Author: Patrick Schleizer -Date: Wed Jul 17 21:03:54 2019 +0000 - - description - -commit b153e8f7df1f2a8e815b910aa6962ae3abe80755 -Author: Patrick Schleizer -Date: Wed Jul 17 21:02:48 2019 +0000 - - fix path - -commit 4bf2360b9579b12775487e4215af5afa1c180f04 -Author: Patrick Schleizer -Date: Wed Jul 17 21:02:27 2019 +0000 - - description - -commit 9f2e300e72263380a0a99e59efe636652f4a8ce1 -Author: Patrick Schleizer -Date: Wed Jul 17 20:48:33 2019 +0000 - - description - -commit d044780c04e0bcfc9d91a0cf6fc26d9f778bb50d -Author: Patrick Schleizer -Date: Wed Jul 17 20:42:14 2019 +0000 - - description - -commit 75e5714d183b8ad08bc7a96643b2a38727620530 -Author: Patrick Schleizer -Date: Wed Jul 17 20:40:01 2019 +0000 - - description - -commit 8c2f983578a0af63258bfe7e2b95f230e43df860 -Author: Patrick Schleizer -Date: Wed Jul 17 20:39:42 2019 +0000 - - description - -commit 2299ed041f101f1fa9711d83a31ad6e8d07d3023 -Author: Patrick Schleizer -Date: Wed Jul 17 20:36:51 2019 +0000 - - passwordless recovery / emergency console - - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211 - https://salsa.debian.org/ah/user-setup/commit/bc5ca2de85ec27845d0b46059cb7cc02bae7b44d - - https://forums.whonix.org/t/restrict-root-access/7658/46 - -commit 50036b2934410b57936a4909d022d436cd27cdfc -Author: Patrick Schleizer -Date: Wed Jul 17 19:13:57 2019 +0000 - - bumped changelog version - -commit 3f9437f1ecfd292f06ce021f12cb5430da280f84 -Author: Patrick Schleizer -Date: Wed Jul 17 14:25:19 2019 -0400 - - Revert "set back to default group "root" rather than group "sudo" membership required to use su" - - This reverts commit 2f276cdb10aedf0d30c01d25e50b17cac7d1c62c. - -commit 1b772c6a9aac9e6c203c0c89b49e589a2b6e83d3 -Author: Patrick Schleizer -Date: Tue Jul 16 19:45:52 2019 +0000 - - bumped changelog version - -commit 2499ae0890bb524d3756e6135d5d6986e74210ed -Author: Patrick Schleizer -Date: Tue Jul 16 07:28:50 2019 -0400 - - description - -commit d0124b24d19e0c34c23931bd252ccffe2f786b3d -Author: Patrick Schleizer -Date: Tue Jul 16 07:27:56 2019 -0400 - - description - -commit 4b604bbb240d5fb32428ef0aafde3d6646752d31 -Author: Patrick Schleizer -Date: Mon Jul 15 13:26:47 2019 +0000 - - bumped changelog version - -commit f21fa8d95d19665e1cb1320062007472284bd9b8 -Author: Patrick Schleizer -Date: Mon Jul 15 13:03:30 2019 +0000 - - readme - -commit 5c741d2149f12554e63d0fcb0d129cbbdad66569 -Author: Patrick Schleizer -Date: Mon Jul 15 13:02:30 2019 +0000 - - shuffle - -commit d247b7534b9e3a161fdba296c32dd85b7e91a665 -Author: Patrick Schleizer -Date: Mon Jul 15 13:01:46 2019 +0000 - - sort description by categories - -commit 168ea5a660561fdaa438fdf88f6cecf1f2677324 -Author: Patrick Schleizer -Date: Mon Jul 15 08:48:17 2019 -0400 - - shuffle - -commit 2f276cdb10aedf0d30c01d25e50b17cac7d1c62c -Author: Patrick Schleizer -Date: Mon Jul 15 08:44:28 2019 -0400 - - set back to default group "root" rather than group "sudo" membership required to use su - - since root login will be locked by default anyhow - - Thanks to @madaidan for providing the rationale! - - https://forums.whonix.org/t/restrict-root-access/7658/42 - -commit 6d1e8ac9a4657bb3d49a9674ce3a1500350d4bba -Author: Patrick Schleizer -Date: Sun Jul 14 11:16:49 2019 +0000 - - description - -commit ffb61f43ea8011d71cf9c5bba1e277a2f825eea7 -Author: Patrick Schleizer -Date: Sun Jul 14 11:11:59 2019 +0000 - - fix, add 'group=sudo' and 'debug' for debugging - - https://forums.whonix.org/t/restrict-root-access/7658 - -commit 1731196c9fda93233917bcf6dba48834be03a448 -Author: Patrick Schleizer -Date: Sat Jul 13 18:51:32 2019 +0000 - - bumped changelog version - -commit 6af2d7facb391724d48dece28c1a34f4aaaf3929 -Author: Patrick Schleizer -Date: Sat Jul 13 18:12:25 2019 +0000 - - copyright - -commit 75f0ca565d10fd1c02800387d52b1db8a039ecc8 -Author: Patrick Schleizer -Date: Sat Jul 13 18:12:04 2019 +0000 - - set -e - -commit c389e13e1a6143fb69dbd57e4c2e5a80aa8cbf84 -Author: Patrick Schleizer -Date: Sat Jul 13 17:59:49 2019 +0000 - - use pre.bsh - -commit 7afddb028f423254adcd6026aaf12627cebbee17 -Author: Patrick Schleizer -Date: Sat Jul 13 16:30:39 2019 +0000 - - bumped changelog version - -commit c13485f532203dbb3675d367be3bc16811719442 -Author: Patrick Schleizer -Date: Sat Jul 13 16:29:10 2019 +0000 - - readme - -commit ea90f95f1c7b8200db222e42a5f72221212a71e1 -Author: Patrick Schleizer -Date: Sat Jul 13 16:26:40 2019 +0000 - - cleanup - -commit ea8b22ee78439a3cd5f7305f9588940320740ab9 -Author: Patrick Schleizer -Date: Sat Jul 13 16:26:14 2019 +0000 - - shuffle - -commit ca7e0e0161d6eaa2a166d7a7a26e5577f5a4dd6a -Author: Patrick Schleizer -Date: Sat Jul 13 16:25:08 2019 +0000 - - description - -commit ffb5a9c48201dc38a886cbd26753ff56b1ed832a -Author: Patrick Schleizer -Date: Sat Jul 13 16:23:39 2019 +0000 - - formatting - -commit 41675ddcff4d561282db9b43d2d9f993a39600c8 -Author: Patrick Schleizer -Date: Sat Jul 13 16:21:34 2019 +0000 - - removed: The amount of hashing rounds used by shadow is bumped to 65536. - This increases the security of hashed passwords. - - Since we do not do that currently. - - https://forums.whonix.org/t/restrict-root-access/7658/37 - -commit 3f031a297dc2d54346e9c9b3d566c3fa3a469240 -Author: Patrick Schleizer -Date: Sat Jul 13 16:20:14 2019 +0000 - - Removes read, write and execute access for others for all users who have home - folders under folder /home by running for example "chmod o-rwx /home/user" - during package installation or upgrade. This will be done only once per folder - in folder /home so users who wish to relax file permissions are free to do so. - This is to protect previously created files in user home folder which were - previously created with lax file permissions prior installation of this - package. - -commit 4740e8b3357914aee16079b980b8861376cd222c -Author: Patrick Schleizer -Date: Sat Jul 13 16:13:55 2019 +0000 - - cleanup - -commit 834fcc4671a50f10426a62cb5986d79f991903b8 -Author: Patrick Schleizer -Date: Sat Jul 13 15:17:16 2019 +0000 - - bumped changelog version - -commit e9eb38b5dbbddffb12103c14edc3745e239365a5 -Author: Patrick Schleizer -Date: Sat Jul 13 15:04:09 2019 +0000 - - formatting - -commit e2b626870221971b1f6202dbb8eb0f9b0b0654ec -Author: Patrick Schleizer -Date: Sat Jul 13 14:58:47 2019 +0000 - - bumped changelog version - -commit 1d8a0dbec7ca5418b1c4fa70ae14a063c94bd119 -Author: Patrick Schleizer -Date: Sat Jul 13 14:57:51 2019 +0000 - - remove no longer shipped files in etc/pam.d/* - -commit 8e5d45352eaacd9ee4ae1357efb7d4f393dedf9b -Author: Patrick Schleizer -Date: Sat Jul 13 14:55:31 2019 +0000 - - bumped changelog version - -commit cb668459e81d74baf28ac43173bb50c7210e37a4 -Author: Patrick Schleizer -Date: Sat Jul 13 10:35:10 2019 -0400 - - port umask from /etc/pam.d to /usr/share/pam-configs implementation - - https://forums.whonix.org/t/change-default-umask/7416 - -commit ac25733de871b0da5ef42e2e0283a44d94ac3112 -Author: Patrick Schleizer -Date: Sat Jul 13 14:01:53 2019 +0000 - - remove etc/pam.d/common-password.security-misc rounds=65536 - - due to unclean implementation, see: - - https://forums.whonix.org/t/restrict-root-access/7658/37 - -commit 69b97981f3b5e4efc75954d6957659f1bb8e7d18 -Author: Patrick Schleizer -Date: Sat Jul 13 12:33:51 2019 +0000 - - convert etc/pam.d/su.security-misc to usr/share/pam-configs/wheel - - https://forums.whonix.org/t/restrict-root-access/7658/32 - -commit 4079632d1aed4f3e50ea21de674a9b6d537d3e05 -Author: Patrick Schleizer -Date: Sat Jul 13 11:41:37 2019 +0000 - - remove modifying to /etc/pam.d directly (unrelased) - config-package-dev displace /etc/securetty - remove trailing spaces - - https://forums.whonix.org/t/restrict-root-access/7658/31 - -commit cdb7c6f7eb8e61bd203c9a4cb755da0b97cc9a3d -Author: Patrick Schleizer -Date: Thu Jul 11 18:28:04 2019 +0000 - - bumped changelog version - commit aee6b346359db4973fdc80d565f7a6972bb884a0 Author: Patrick Schleizer Date: Thu Jul 11 18:26:17 2019 +0000 diff --git a/debian/changelog b/debian/changelog index a0ef4b0..8aa94cc 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,2729 +1,293 @@ -security-misc (3:45.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 25 Apr 2025 09:54:23 +0000 - -security-misc (3:45.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 25 Apr 2025 08:19:34 +0000 - -security-misc (3:45.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 21 Apr 2025 10:21:54 +0000 - -security-misc (3:44.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 19 Apr 2025 17:33:56 +0000 - -security-misc (3:44.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 15 Apr 2025 20:59:37 +0000 - -security-misc (3:44.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 10 Apr 2025 11:38:17 +0000 - -security-misc (3:44.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 09 Apr 2025 15:15:59 +0000 - -security-misc (3:44.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 08 Apr 2025 14:08:24 +0000 - -security-misc (3:44.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 03 Mar 2025 11:00:37 +0000 - -security-misc (3:44.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 09 Feb 2025 23:04:36 +0000 - -security-misc (3:44.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 31 Jan 2025 19:38:41 +0000 - -security-misc (3:44.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 30 Jan 2025 12:58:48 +0000 - -security-misc (3:44.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 29 Jan 2025 14:36:41 +0000 - -security-misc (3:43.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 23 Jan 2025 16:28:58 +0000 - -security-misc (3:43.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 22 Jan 2025 14:11:21 +0000 - -security-misc (3:43.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 22 Jan 2025 13:52:29 +0000 - -security-misc (3:43.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 20 Jan 2025 11:35:08 +0000 - -security-misc (3:43.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 20 Jan 2025 10:11:42 +0000 - -security-misc (3:43.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 17 Jan 2025 13:35:27 +0000 - -security-misc (3:43.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 15 Jan 2025 15:02:43 +0000 - -security-misc (3:43.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 14 Jan 2025 14:32:12 +0000 - -security-misc (3:43.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 14 Jan 2025 14:30:58 +0000 - -security-misc (3:43.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 14 Jan 2025 14:16:45 +0000 - -security-misc (3:42.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 14 Jan 2025 14:07:50 +0000 - -security-misc (3:42.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 14 Jan 2025 14:06:50 +0000 - -security-misc (3:42.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 14 Jan 2025 13:53:49 +0000 - -security-misc (3:42.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 14 Jan 2025 09:26:05 +0000 - -security-misc (3:42.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 14 Jan 2025 08:24:05 +0000 - -security-misc (3:42.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 12 Jan 2025 11:47:17 +0000 - -security-misc (3:42.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 10 Jan 2025 15:34:20 +0000 - -security-misc (3:42.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 06 Jan 2025 10:31:40 +0000 - -security-misc (3:42.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 31 Dec 2024 18:42:01 +0000 - -security-misc (3:42.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 31 Dec 2024 14:09:34 +0000 - -security-misc (3:41.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 26 Dec 2024 04:12:02 +0000 - -security-misc (3:41.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 24 Dec 2024 05:16:21 +0000 - -security-misc (3:41.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 20 Dec 2024 06:01:27 +0000 - -security-misc (3:41.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 20 Dec 2024 05:58:24 +0000 - -security-misc (3:41.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 20 Dec 2024 05:48:48 +0000 - -security-misc (3:41.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 19 Dec 2024 10:58:50 +0000 - -security-misc (3:41.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 19 Dec 2024 09:43:26 +0000 - -security-misc (3:41.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 19 Dec 2024 06:57:42 +0000 - -security-misc (3:41.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 10 Dec 2024 19:19:10 +0000 - -security-misc (3:41.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 10 Dec 2024 19:17:10 +0000 - -security-misc (3:40.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 25 Nov 2024 21:07:41 +0000 - -security-misc (3:40.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 14 Nov 2024 22:24:50 +0000 - -security-misc (3:40.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 14 Nov 2024 20:46:26 +0000 - -security-misc (3:40.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 12 Nov 2024 09:11:57 +0000 - -security-misc (3:40.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 11 Nov 2024 11:07:57 +0000 - -security-misc (3:40.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 10 Nov 2024 11:52:42 +0000 - -security-misc (3:40.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 30 Oct 2024 09:43:05 +0000 - -security-misc (3:40.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 23 Oct 2024 09:56:05 +0000 - -security-misc (3:40.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 16 Oct 2024 10:57:20 +0000 - -security-misc (3:40.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 08 Oct 2024 11:24:55 +0000 - -security-misc (3:39.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 03 Oct 2024 07:22:23 +0000 - -security-misc (3:39.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 25 Sep 2024 01:03:42 +0000 - -security-misc (3:39.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 14 Sep 2024 02:56:08 +0000 - -security-misc (3:39.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 08 Sep 2024 17:41:30 +0000 - -security-misc (3:39.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 04 Sep 2024 14:13:15 +0000 - -security-misc (3:39.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 29 Aug 2024 09:49:51 +0000 - -security-misc (3:39.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 28 Aug 2024 11:01:36 +0000 - -security-misc (3:39.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 25 Aug 2024 15:34:54 +0000 - -security-misc (3:39.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 25 Aug 2024 14:33:39 +0000 - -security-misc (3:39.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 16 Aug 2024 08:38:11 +0000 - -security-misc (3:38.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 15 Aug 2024 17:51:18 +0000 - -security-misc (3:38.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 06 Aug 2024 14:01:38 +0000 - -security-misc (3:38.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 28 Jul 2024 20:50:21 +0000 - -security-misc (3:38.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 27 Jul 2024 16:13:34 +0000 - -security-misc (3:38.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 26 Jul 2024 15:40:23 +0000 - -security-misc (3:38.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 26 Jul 2024 09:40:58 +0000 - -security-misc (3:38.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 21 Jul 2024 10:40:13 +0000 - -security-misc (3:38.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 20 Jul 2024 17:02:04 +0000 - -security-misc (3:38.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 18 Jul 2024 18:05:06 +0000 - -security-misc (3:38.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 18 Jul 2024 14:11:35 +0000 - -security-misc (3:37.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 18 Jul 2024 14:05:22 +0000 - -security-misc (3:37.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 15 Jul 2024 21:18:54 +0000 - -security-misc (3:37.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 13 Jul 2024 15:01:15 +0000 - -security-misc (3:37.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 11 Jun 2024 12:56:56 +0000 - -security-misc (3:37.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 01 Jun 2024 18:13:08 +0000 - -security-misc (3:37.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 01 Jun 2024 17:35:04 +0000 - -security-misc (3:37.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 28 May 2024 12:04:52 +0000 - -security-misc (3:37.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 18 May 2024 20:45:11 +0000 - -security-misc (3:37.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 10 May 2024 11:20:36 +0000 - -security-misc (3:37.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 12 Apr 2024 06:56:38 +0000 - -security-misc (3:36.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 01 Apr 2024 06:56:44 +0000 - -security-misc (3:36.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 18 Mar 2024 15:10:10 +0000 - -security-misc (3:36.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 11 Mar 2024 15:07:50 +0000 - -security-misc (3:36.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 10 Mar 2024 13:19:26 +0000 - -security-misc (3:36.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 04 Mar 2024 11:48:30 +0000 - -security-misc (3:36.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 26 Feb 2024 13:32:44 +0000 - -security-misc (3:36.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 22 Feb 2024 20:08:17 +0000 - -security-misc (3:36.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 22 Feb 2024 19:58:00 +0000 - -security-misc (3:36.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 22 Feb 2024 16:07:16 +0000 - -security-misc (3:36.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 22 Feb 2024 14:52:54 +0000 - -security-misc (3:35.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 22 Feb 2024 14:50:05 +0000 - -security-misc (3:35.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 03 Feb 2024 18:28:26 +0000 - -security-misc (3:35.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 25 Jan 2024 13:59:29 +0000 - -security-misc (3:35.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 18 Jan 2024 14:10:50 +0000 - -security-misc (3:35.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 17 Jan 2024 19:18:24 +0000 - -security-misc (3:35.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 16 Jan 2024 14:26:34 +0000 - -security-misc (3:35.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 16 Jan 2024 14:14:18 +0000 - -security-misc (3:35.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 16 Jan 2024 13:58:54 +0000 - -security-misc (3:35.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 09 Jan 2024 05:52:48 +0000 - -security-misc (3:35.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 04 Jan 2024 02:03:26 +0000 - -security-misc (3:34.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 02 Jan 2024 14:55:13 +0000 - -security-misc (3:34.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 29 Dec 2023 20:15:50 +0000 - -security-misc (3:34.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 25 Dec 2023 16:28:09 +0000 - -security-misc (3:34.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 22 Dec 2023 16:31:57 +0000 - -security-misc (3:34.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 12 Dec 2023 16:51:21 +0000 - -security-misc (3:34.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 04 Dec 2023 17:06:45 +0000 - -security-misc (3:34.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 20 Nov 2023 13:13:10 +0000 - -security-misc (3:34.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 11 Nov 2023 22:29:57 +0000 - -security-misc (3:34.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 11 Nov 2023 20:22:34 +0000 - -security-misc (3:34.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 06 Nov 2023 22:28:21 +0000 - -security-misc (3:33.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 06 Nov 2023 02:13:14 +0000 - -security-misc (3:33.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 06 Nov 2023 01:14:33 +0000 - -security-misc (3:33.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 05 Nov 2023 23:17:59 +0000 - -security-misc (3:33.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 05 Nov 2023 22:43:33 +0000 - -security-misc (3:33.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 05 Nov 2023 21:46:18 +0000 - -security-misc (3:33.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 05 Nov 2023 21:04:02 +0000 - -security-misc (3:33.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 05 Nov 2023 20:58:21 +0000 - -security-misc (3:33.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 05 Nov 2023 20:29:38 +0000 - -security-misc (3:33.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 05 Nov 2023 20:14:43 +0000 - -security-misc (3:33.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 05 Nov 2023 19:56:06 +0000 - -security-misc (3:32.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 03 Nov 2023 16:17:24 +0000 - -security-misc (3:32.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 03 Nov 2023 16:10:48 +0000 - -security-misc (3:32.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 03 Nov 2023 16:06:43 +0000 - -security-misc (3:32.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 03 Nov 2023 14:33:02 +0000 - -security-misc (3:32.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 03 Nov 2023 13:28:08 +0000 - -security-misc (3:32.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 01 Nov 2023 16:26:21 +0000 - -security-misc (3:32.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 01 Nov 2023 15:10:36 +0000 - -security-misc (3:32.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 27 Oct 2023 00:08:41 +0000 - -security-misc (3:32.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 26 Oct 2023 16:23:48 +0000 - -security-misc (3:32.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 25 Oct 2023 21:55:37 +0000 - -security-misc (3:31.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 24 Oct 2023 09:51:11 +0000 - -security-misc (3:31.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 22 Oct 2023 23:23:22 +0000 - -security-misc (3:31.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 22 Oct 2023 20:54:58 +0000 - -security-misc (3:31.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 22 Oct 2023 20:29:08 +0000 - -security-misc (3:31.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 22 Oct 2023 20:16:40 +0000 - -security-misc (3:31.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 22 Oct 2023 19:44:47 +0000 - -security-misc (3:31.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 22 Oct 2023 19:40:59 +0000 - -security-misc (3:31.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 22 Oct 2023 19:33:21 +0000 - -security-misc (3:31.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 22 Oct 2023 19:28:04 +0000 - -security-misc (3:31.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 22 Oct 2023 18:46:42 +0000 - -security-misc (3:30.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 22 Oct 2023 18:30:28 +0000 - -security-misc (3:30.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 22 Oct 2023 17:31:55 +0000 - -security-misc (3:30.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 22 Oct 2023 16:55:41 +0000 - -security-misc (3:30.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 22 Oct 2023 15:28:18 +0000 - -security-misc (3:30.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 22 Oct 2023 15:13:05 +0000 - -security-misc (3:30.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 22 Oct 2023 14:50:30 +0000 - -security-misc (3:30.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 22 Oct 2023 14:16:53 +0000 - -security-misc (3:30.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 22 Oct 2023 14:01:54 +0000 - -security-misc (3:30.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 22 Oct 2023 12:12:30 +0000 - -security-misc (3:30.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 22 Oct 2023 11:06:00 +0000 - -security-misc (3:29.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 21 Oct 2023 18:19:24 +0000 - -security-misc (3:29.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 21 Oct 2023 16:34:59 +0000 - -security-misc (3:29.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 13 Oct 2023 19:22:58 +0000 - -security-misc (3:29.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 12 Oct 2023 16:51:37 +0000 - -security-misc (3:29.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 12 Oct 2023 14:43:40 +0000 - -security-misc (3:29.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 17 Jul 2023 15:48:35 +0000 - -security-misc (3:29.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 23 Jun 2023 08:18:12 +0000 - -security-misc (3:29.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 21 Jun 2023 09:36:44 +0000 - -security-misc (3:29.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 16 Jun 2023 11:09:01 +0000 - -security-misc (3:29.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 14 Jun 2023 09:59:20 +0000 - -security-misc (3:28.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 12 Jun 2023 18:01:55 +0000 - -security-misc (3:28.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 15 May 2023 17:31:59 +0000 - -security-misc (3:28.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 15 May 2023 11:56:30 +0000 - -security-misc (3:28.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 06 May 2023 12:00:12 +0000 - -security-misc (3:28.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 06 May 2023 11:54:31 +0000 - -security-misc (3:28.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 05 May 2023 15:09:32 +0000 - -security-misc (3:28.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 30 Jan 2023 10:58:47 +0000 - -security-misc (3:28.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 24 Jan 2023 12:09:40 +0000 - -security-misc (3:28.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 24 Jan 2023 12:05:53 +0000 - -security-misc (3:28.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 09 Jan 2023 12:05:18 +0000 - -security-misc (3:27.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 09 Jan 2023 12:02:01 +0000 - -security-misc (3:27.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 09 Jan 2023 10:34:48 +0000 - -security-misc (3:27.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 08 Jan 2023 12:17:02 +0000 - -security-misc (3:27.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 07 Jan 2023 23:13:57 +0000 - -security-misc (3:27.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 07 Jan 2023 22:49:24 +0000 - -security-misc (3:27.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 07 Jan 2023 22:23:35 +0000 - -security-misc (3:27.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 07 Jan 2023 22:16:23 +0000 - -security-misc (3:27.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 07 Jan 2023 21:20:48 +0000 - -security-misc (3:27.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 07 Jan 2023 20:37:47 +0000 - -security-misc (3:27.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 07 Jan 2023 19:31:40 +0000 - -security-misc (3:26.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 07 Jan 2023 19:27:42 +0000 - -security-misc (3:26.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 07 Jan 2023 17:57:36 +0000 - -security-misc (3:26.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 18 Dec 2022 19:37:51 +0000 - -security-misc (3:26.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 24 Nov 2022 12:21:58 +0000 - -security-misc (3:26.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 24 Nov 2022 12:00:33 +0000 - -security-misc (3:26.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 24 Nov 2022 11:49:25 +0000 - -security-misc (3:26.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 24 Nov 2022 11:31:37 +0000 - -security-misc (3:26.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 24 Nov 2022 11:14:15 +0000 - -security-misc (3:26.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 22 Nov 2022 11:03:13 +0000 - -security-misc (3:26.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 17 Nov 2022 15:15:36 +0000 - -security-misc (3:25.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 24 Aug 2022 22:28:39 +0000 - -security-misc (3:25.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 13 Aug 2022 15:40:04 +0000 - -security-misc (3:25.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 12 Aug 2022 11:52:26 +0000 - -security-misc (3:25.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 26 Jul 2022 14:00:53 +0000 - -security-misc (3:25.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 23 Jul 2022 12:07:37 +0000 - -security-misc (3:25.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 16 Jul 2022 12:00:16 +0000 - -security-misc (3:25.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 13 Jul 2022 12:28:34 +0000 - -security-misc (3:25.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 09 Jul 2022 15:42:24 +0000 - -security-misc (3:25.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 07 Jul 2022 21:41:13 +0000 - -security-misc (3:25.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 05 Jul 2022 15:16:33 +0000 - -security-misc (3:24.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 02 Jul 2022 22:30:06 +0000 - -security-misc (3:24.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 02 Jul 2022 21:37:16 +0000 - -security-misc (3:24.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 02 Jul 2022 20:03:52 +0000 - -security-misc (3:24.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 02 Jul 2022 19:52:08 +0000 - -security-misc (3:24.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 02 Jul 2022 19:32:50 +0000 - -security-misc (3:24.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 02 Jul 2022 18:27:04 +0000 - -security-misc (3:24.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 29 Jun 2022 20:25:07 +0000 - -security-misc (3:24.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 29 Jun 2022 20:06:33 +0000 - -security-misc (3:24.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 29 Jun 2022 20:03:58 +0000 - -security-misc (3:24.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 29 Jun 2022 19:24:40 +0000 - -security-misc (3:23.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 29 Jun 2022 19:22:41 +0000 - -security-misc (3:23.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 29 Jun 2022 18:18:02 +0000 - -security-misc (3:23.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 29 Jun 2022 18:15:48 +0000 - -security-misc (3:23.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 29 Jun 2022 17:03:35 +0000 - -security-misc (3:23.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 29 Jun 2022 15:18:59 +0000 - -security-misc (3:23.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 29 Jun 2022 14:02:18 +0000 - -security-misc (3:23.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 29 Jun 2022 13:54:27 +0000 - -security-misc (3:23.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 08 Jun 2022 15:05:07 +0000 - -security-misc (3:23.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 25 May 2022 10:07:17 +0000 - -security-misc (3:23.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 10 Feb 2022 19:06:54 +0000 - -security-misc (3:22.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 14 Sep 2021 18:18:52 +0000 - -security-misc (3:22.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 12 Sep 2021 15:57:20 +0000 - -security-misc (3:22.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 09 Sep 2021 16:35:37 +0000 - -security-misc (3:22.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 06 Sep 2021 13:46:20 +0000 - -security-misc (3:22.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 06 Sep 2021 08:55:23 +0000 - -security-misc (3:22.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 05 Sep 2021 20:04:28 +0000 - -security-misc (3:22.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 04 Sep 2021 22:29:00 +0000 - -security-misc (3:22.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 04 Sep 2021 16:00:55 +0000 - -security-misc (3:22.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 02 Sep 2021 18:36:53 +0000 - -security-misc (3:22.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 22 Aug 2021 09:32:18 +0000 - -security-misc (3:21.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 17 Aug 2021 19:24:12 +0000 - -security-misc (3:21.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 10 Aug 2021 22:26:32 +0000 - -security-misc (3:21.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 05 Aug 2021 21:03:43 +0000 - -security-misc (3:21.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 01 Aug 2021 17:12:08 +0000 - -security-misc (3:21.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 25 Jul 2021 15:31:45 +0000 - -security-misc (3:21.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 24 Jul 2021 22:10:05 +0000 - -security-misc (3:21.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 23 Jun 2021 15:20:39 +0000 - -security-misc (3:21.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 20 Jun 2021 14:16:57 +0000 - -security-misc (3:21.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 07 Jun 2021 16:13:37 +0000 - -security-misc (3:21.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 01 Jun 2021 11:36:59 +0000 - -security-misc (3:20.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 05 May 2021 12:37:56 +0000 - -security-misc (3:20.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 05 Apr 2021 15:58:47 +0000 - -security-misc (3:20.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 17 Mar 2021 16:31:34 +0000 - -security-misc (3:20.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 04 Mar 2021 12:09:01 +0000 - -security-misc (3:20.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 06 Feb 2021 11:31:45 +0000 - -security-misc (3:20.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 30 Jan 2021 04:37:03 +0000 - -security-misc (3:20.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 28 Jan 2021 07:15:46 +0000 - -security-misc (3:20.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 27 Jan 2021 10:50:16 +0000 - -security-misc (3:20.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 24 Jan 2021 10:10:36 +0000 - -security-misc (3:20.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 20 Jan 2021 00:41:43 +0000 - -security-misc (3:19.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 14 Jan 2021 07:36:49 +0000 - -security-misc (3:19.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 05 Jan 2021 13:30:37 +0000 - -security-misc (3:19.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 10 Dec 2020 10:20:57 +0000 - -security-misc (3:19.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 01 Dec 2020 10:53:06 +0000 - -security-misc (3:19.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 28 Nov 2020 11:08:10 +0000 - -security-misc (3:19.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 06 Nov 2020 15:18:09 +0000 - -security-misc (3:19.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 31 Oct 2020 10:29:25 +0000 - -security-misc (3:19.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 31 Oct 2020 10:09:22 +0000 - -security-misc (3:19.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 05 Oct 2020 11:03:37 +0000 - -security-misc (3:19.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 28 Sep 2020 14:30:42 +0000 - -security-misc (3:18.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 19 Sep 2020 13:28:27 +0000 - -security-misc (3:18.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 03 Aug 2020 13:43:43 +0000 - -security-misc (3:18.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 29 Jul 2020 12:33:07 +0000 - -security-misc (3:18.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 14 May 2020 17:57:32 +0000 - -security-misc (3:18.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 23 Apr 2020 16:27:25 +0000 - -security-misc (3:18.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 16 Apr 2020 12:43:40 +0000 - -security-misc (3:18.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 14 Apr 2020 16:40:31 +0000 - -security-misc (3:18.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 13 Apr 2020 10:56:34 +0000 - -security-misc (3:18.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 09 Apr 2020 09:45:30 +0000 - -security-misc (3:18.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 08 Apr 2020 17:13:21 +0000 - -security-misc (3:17.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 08 Apr 2020 12:51:11 +0000 - -security-misc (3:17.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 06 Apr 2020 17:29:23 +0000 - -security-misc (3:17.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 04 Apr 2020 20:51:42 +0000 - -security-misc (3:17.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 02 Apr 2020 11:58:51 +0000 - -security-misc (3:17.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 01 Apr 2020 14:58:16 +0000 - -security-misc (3:17.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 01 Apr 2020 12:26:44 +0000 - -security-misc (3:17.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 31 Mar 2020 11:41:45 +0000 - -security-misc (3:17.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 30 Mar 2020 22:42:02 +0000 - -security-misc (3:17.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 30 Mar 2020 21:16:46 +0000 - -security-misc (3:17.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 21 Mar 2020 18:56:48 +0000 - -security-misc (3:16.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 12 Mar 2020 08:43:08 +0000 - -security-misc (3:16.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 08 Mar 2020 13:43:24 +0000 - -security-misc (3:16.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 05 Mar 2020 13:36:27 +0000 - -security-misc (3:16.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 03 Mar 2020 14:19:49 +0000 - -security-misc (3:16.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 03 Mar 2020 14:12:50 +0000 - -security-misc (3:16.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 15 Feb 2020 20:35:44 +0000 - -security-misc (3:16.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 15 Feb 2020 20:29:38 +0000 - -security-misc (3:16.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 13 Feb 2020 18:39:45 +0000 - -security-misc (3:16.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 05 Feb 2020 11:31:48 +0000 - -security-misc (3:16.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 03 Feb 2020 14:23:13 +0000 - -security-misc (3:15.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 03 Feb 2020 13:43:31 +0000 - -security-misc (3:15.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 30 Jan 2020 11:14:34 +0000 - -security-misc (3:15.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 30 Jan 2020 11:02:26 +0000 - -security-misc (3:15.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 30 Jan 2020 06:22:32 +0000 - -security-misc (3:15.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 24 Jan 2020 17:02:27 +0000 - -security-misc (3:15.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 24 Jan 2020 09:41:16 +0000 - -security-misc (3:15.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 24 Jan 2020 09:34:18 +0000 - -security-misc (3:15.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 24 Jan 2020 08:49:02 +0000 - -security-misc (3:15.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 22 Jan 2020 12:10:47 +0000 - -security-misc (3:15.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 21 Jan 2020 15:12:32 +0000 - -security-misc (3:14.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 20 Jan 2020 13:51:25 +0000 - -security-misc (3:14.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 17 Jan 2020 08:32:57 +0000 - -security-misc (3:14.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 15 Jan 2020 16:37:52 +0000 - -security-misc (3:14.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 15 Jan 2020 16:05:54 +0000 - -security-misc (3:14.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 14 Jan 2020 14:28:28 +0000 - -security-misc (3:14.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 14 Jan 2020 14:20:36 +0000 - -security-misc (3:14.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 11 Jan 2020 20:19:28 +0000 - -security-misc (3:14.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 01 Jan 2020 10:59:58 +0000 - -security-misc (3:14.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 31 Dec 2019 11:08:32 +0000 - -security-misc (3:14.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 31 Dec 2019 11:03:48 +0000 - -security-misc (3:13.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 31 Dec 2019 07:54:58 +0000 - -security-misc (3:13.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 30 Dec 2019 11:42:14 +0000 - -security-misc (3:13.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 30 Dec 2019 10:59:43 +0000 - -security-misc (3:13.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 27 Dec 2019 10:30:12 +0000 - -security-misc (3:13.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 24 Dec 2019 23:35:49 +0000 - -security-misc (3:13.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 24 Dec 2019 13:07:55 +0000 - -security-misc (3:13.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 23 Dec 2019 13:48:04 +0000 - -security-misc (3:13.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 23 Dec 2019 08:58:00 +0000 - -security-misc (3:13.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 23 Dec 2019 07:42:07 +0000 - -security-misc (3:13.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 23 Dec 2019 07:13:13 +0000 - -security-misc (3:12.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 21 Dec 2019 19:55:03 +0000 - -security-misc (3:12.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 21 Dec 2019 19:23:35 +0000 - -security-misc (3:12.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 21 Dec 2019 12:49:55 +0000 - -security-misc (3:12.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 21 Dec 2019 12:38:25 +0000 - -security-misc (3:12.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 21 Dec 2019 11:28:19 +0000 - -security-misc (3:12.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 21 Dec 2019 11:12:20 +0000 - -security-misc (3:12.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 21 Dec 2019 11:00:17 +0000 - -security-misc (3:12.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 21 Dec 2019 10:38:39 +0000 - -security-misc (3:12.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 21 Dec 2019 10:31:55 +0000 - -security-misc (3:12.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 21 Dec 2019 07:05:39 +0000 - -security-misc (3:11.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 20 Dec 2019 16:50:25 +0000 - -security-misc (3:11.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 20 Dec 2019 16:09:22 +0000 - -security-misc (3:11.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 20 Dec 2019 15:50:51 +0000 - -security-misc (3:11.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 20 Dec 2019 13:15:00 +0000 - -security-misc (3:11.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 20 Dec 2019 12:12:36 +0000 - -security-misc (3:11.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 16 Dec 2019 11:27:51 +0000 - -security-misc (3:11.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 12 Dec 2019 14:04:15 +0000 - -security-misc (3:11.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 10 Dec 2019 16:44:02 +0000 - -security-misc (3:11.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 09 Dec 2019 13:25:30 +0000 - -security-misc (3:11.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 08 Dec 2019 10:26:29 +0000 - -security-misc (3:10.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 08 Dec 2019 09:38:33 +0000 - -security-misc (3:10.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 08 Dec 2019 09:27:01 +0000 - -security-misc (3:10.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 08 Dec 2019 09:05:29 +0000 - -security-misc (3:10.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 07 Dec 2019 07:02:32 +0000 - -security-misc (3:10.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 06 Dec 2019 17:43:21 +0000 - -security-misc (3:10.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 06 Dec 2019 16:18:20 +0000 - -security-misc (3:10.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 06 Dec 2019 14:32:18 +0000 - -security-misc (3:10.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 28 Nov 2019 15:22:41 +0000 - -security-misc (3:10.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 25 Nov 2019 08:51:36 +0000 - -security-misc (3:10.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 25 Nov 2019 08:49:15 +0000 - -security-misc (3:9.12-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 23 Nov 2019 14:07:45 +0000 - -security-misc (3:9.11-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 19 Nov 2019 15:31:55 +0000 - -security-misc (3:9.10-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 18 Nov 2019 19:16:16 +0000 - -security-misc (3:9.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 09 Nov 2019 18:44:50 +0000 - -security-misc (3:9.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 09 Nov 2019 12:57:45 +0000 - -security-misc (3:9.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 09 Nov 2019 12:23:15 +0000 - -security-misc (3:9.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 31 Oct 2019 16:34:35 +0000 - -security-misc (3:9.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 31 Oct 2019 16:06:51 +0000 - -security-misc (3:9.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 23 Oct 2019 10:22:03 +0000 - -security-misc (3:9.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 21 Oct 2019 09:55:41 +0000 - -security-misc (3:9.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 21 Oct 2019 09:51:36 +0000 - -security-misc (3:9.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 18 Oct 2019 10:39:43 +0000 - -security-misc (3:9.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 18 Oct 2019 08:55:07 +0000 - -security-misc (3:8.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 14 Oct 2019 10:23:01 +0000 - -security-misc (3:8.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 05 Oct 2019 11:33:15 +0000 - -security-misc (3:8.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 05 Oct 2019 09:40:26 +0000 - -security-misc (3:8.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 16 Sep 2019 13:34:11 +0000 - -security-misc (3:8.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 15 Sep 2019 14:08:13 +0000 - -security-misc (3:8.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 12 Sep 2019 12:50:42 +0000 - -security-misc (3:8.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 09 Sep 2019 12:10:24 +0000 - -security-misc (3:8.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 07 Sep 2019 06:11:32 +0000 - -security-misc (3:8.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 06 Sep 2019 13:04:57 +0000 - -security-misc (3:8.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 06 Sep 2019 11:47:40 +0000 - -security-misc (3:7.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 06 Sep 2019 09:33:06 +0000 - -security-misc (3:7.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 31 Aug 2019 13:44:37 +0000 - -security-misc (3:7.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 24 Aug 2019 16:41:27 +0000 - -security-misc (3:7.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 23 Aug 2019 16:57:12 +0000 - -security-misc (3:7.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 17 Aug 2019 10:54:08 +0000 - -security-misc (3:7.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 17 Aug 2019 09:57:48 +0000 - -security-misc (3:7.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 16 Aug 2019 16:05:51 +0000 - -security-misc (3:7.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Fri, 16 Aug 2019 15:59:14 +0000 - -security-misc (3:7.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 15 Aug 2019 15:18:02 +0000 - -security-misc (3:7.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 14 Aug 2019 11:52:26 +0000 - -security-misc (3:6.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 14 Aug 2019 11:13:25 +0000 - -security-misc (3:6.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 14 Aug 2019 10:08:18 +0000 - -security-misc (3:6.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 14 Aug 2019 07:02:09 +0000 - -security-misc (3:6.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sun, 11 Aug 2019 12:07:07 +0000 - -security-misc (3:6.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 10 Aug 2019 11:37:02 +0000 - -security-misc (3:6.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Thu, 01 Aug 2019 12:02:41 +0000 - -security-misc (3:6.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 31 Jul 2019 19:12:27 +0000 - -security-misc (3:6.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 31 Jul 2019 15:17:50 +0000 - -security-misc (3:6.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 31 Jul 2019 07:44:50 +0000 - -security-misc (3:6.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 22 Jul 2019 01:16:18 +0000 - -security-misc (3:5.9-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 17 Jul 2019 21:38:26 +0000 - -security-misc (3:5.8-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 17 Jul 2019 21:08:23 +0000 - -security-misc (3:5.7-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Wed, 17 Jul 2019 19:13:57 +0000 - -security-misc (3:5.6-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Tue, 16 Jul 2019 19:45:52 +0000 - -security-misc (3:5.5-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Mon, 15 Jul 2019 13:26:47 +0000 - -security-misc (3:5.4-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 13 Jul 2019 18:51:32 +0000 - -security-misc (3:5.3-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 13 Jul 2019 16:30:39 +0000 - -security-misc (3:5.2-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 13 Jul 2019 15:17:16 +0000 - -security-misc (3:5.1-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 13 Jul 2019 14:58:47 +0000 - -security-misc (3:5.0-1) unstable; urgency=medium - - * New upstream version (local package). - - -- Patrick Schleizer Sat, 13 Jul 2019 14:55:31 +0000 - security-misc (3:4.9-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Thu, 11 Jul 2019 18:28:04 +0000 + -- Patrick Schleizer Thu, 11 Jul 2019 18:28:04 +0000 security-misc (3:4.8-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Thu, 11 Jul 2019 07:16:38 +0000 + -- Patrick Schleizer Thu, 11 Jul 2019 07:16:38 +0000 security-misc (3:4.7-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Mon, 08 Jul 2019 00:23:52 +0000 + -- Patrick Schleizer Mon, 08 Jul 2019 00:23:52 +0000 security-misc (3:4.6-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sun, 07 Jul 2019 23:00:27 +0000 + -- Patrick Schleizer Sun, 07 Jul 2019 23:00:27 +0000 security-misc (3:4.5-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sun, 07 Jul 2019 21:11:08 +0000 + -- Patrick Schleizer Sun, 07 Jul 2019 21:11:08 +0000 security-misc (3:4.4-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sun, 07 Jul 2019 09:39:12 +0000 + -- Patrick Schleizer Sun, 07 Jul 2019 09:39:12 +0000 security-misc (3:4.3-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sat, 06 Jul 2019 13:56:28 +0000 + -- Patrick Schleizer Sat, 06 Jul 2019 13:56:28 +0000 security-misc (3:4.2-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sat, 06 Jul 2019 13:53:10 +0000 + -- Patrick Schleizer Sat, 06 Jul 2019 13:53:10 +0000 security-misc (3:4.1-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Mon, 01 Jul 2019 15:23:49 +0000 + -- Patrick Schleizer Mon, 01 Jul 2019 15:23:49 +0000 security-misc (3:4.0-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sun, 30 Jun 2019 11:21:58 +0000 + -- Patrick Schleizer Sun, 30 Jun 2019 11:21:58 +0000 security-misc (3:3.9-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sun, 30 Jun 2019 08:23:51 +0000 + -- Patrick Schleizer Sun, 30 Jun 2019 08:23:51 +0000 security-misc (3:3.8-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sat, 29 Jun 2019 10:35:13 +0000 + -- Patrick Schleizer Sat, 29 Jun 2019 10:35:13 +0000 security-misc (3:3.7-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Fri, 28 Jun 2019 07:20:53 +0000 + -- Patrick Schleizer Fri, 28 Jun 2019 07:20:53 +0000 security-misc (3:3.6-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Fri, 28 Jun 2019 07:09:35 +0000 + -- Patrick Schleizer Fri, 28 Jun 2019 07:09:35 +0000 security-misc (3:3.5-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sun, 23 Jun 2019 19:57:42 +0000 + -- Patrick Schleizer Sun, 23 Jun 2019 19:57:42 +0000 security-misc (3:3.4-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sun, 23 Jun 2019 12:22:13 +0000 + -- Patrick Schleizer Sun, 23 Jun 2019 12:22:13 +0000 security-misc (3:3.3-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sun, 23 Jun 2019 08:38:01 +0000 + -- Patrick Schleizer Sun, 23 Jun 2019 08:38:01 +0000 security-misc (3:3.2-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Fri, 21 Jun 2019 05:40:04 +0000 + -- Patrick Schleizer Fri, 21 Jun 2019 05:40:04 +0000 security-misc (3:3.1-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Mon, 10 Jun 2019 15:42:58 +0000 + -- Patrick Schleizer Mon, 10 Jun 2019 15:42:58 +0000 security-misc (3:3.0-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sat, 08 Jun 2019 11:32:12 +0000 + -- Patrick Schleizer Sat, 08 Jun 2019 11:32:12 +0000 security-misc (3:2.9-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Fri, 24 May 2019 20:48:59 +0000 + -- Patrick Schleizer Fri, 24 May 2019 20:48:59 +0000 security-misc (3:2.8-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Thu, 23 May 2019 22:38:13 +0000 + -- Patrick Schleizer Thu, 23 May 2019 22:38:13 +0000 security-misc (3:2.7-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Thu, 16 May 2019 20:25:46 +0000 + -- Patrick Schleizer Thu, 16 May 2019 20:25:46 +0000 security-misc (3:2.6-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sun, 12 May 2019 11:08:32 +0000 + -- Patrick Schleizer Sun, 12 May 2019 11:08:32 +0000 security-misc (3:2.5-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sun, 12 May 2019 10:48:27 +0000 + -- Patrick Schleizer Sun, 12 May 2019 10:48:27 +0000 security-misc (3:2.4-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Mon, 06 May 2019 09:58:44 +0000 + -- Patrick Schleizer Mon, 06 May 2019 09:58:44 +0000 security-misc (3:2.3-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Fri, 03 May 2019 11:34:25 +0000 + -- Patrick Schleizer Fri, 03 May 2019 11:34:25 +0000 security-misc (3:2.2-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sat, 06 Apr 2019 12:13:43 +0000 + -- Patrick Schleizer Sat, 06 Apr 2019 12:13:43 +0000 security-misc (3:2.1-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Fri, 29 Mar 2019 10:02:51 +0000 + -- Patrick Schleizer Fri, 29 Mar 2019 10:02:51 +0000 security-misc (3:2.0-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Tue, 12 Mar 2019 11:36:25 +0000 + -- Patrick Schleizer Tue, 12 Mar 2019 11:36:25 +0000 security-misc (3:1.9-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Wed, 28 Nov 2018 06:33:14 +0000 + -- Patrick Schleizer Wed, 28 Nov 2018 06:33:14 +0000 security-misc (3:1.8-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Thu, 08 Nov 2018 09:55:41 +0000 + -- Patrick Schleizer Thu, 08 Nov 2018 09:55:41 +0000 security-misc (3:1.7-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Thu, 01 Nov 2018 07:42:29 +0000 + -- Patrick Schleizer Thu, 01 Nov 2018 07:42:29 +0000 security-misc (3:1.6-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Fri, 14 Sep 2018 13:20:11 +0000 + -- Patrick Schleizer Fri, 14 Sep 2018 13:20:11 +0000 security-misc (3:1.5-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Mon, 27 Aug 2018 16:49:44 +0000 + -- Patrick Schleizer Mon, 27 Aug 2018 16:49:44 +0000 security-misc (3:1.4-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Thu, 01 Feb 2018 15:18:55 +0000 + -- Patrick Schleizer Thu, 01 Feb 2018 15:18:55 +0000 security-misc (3:1.3-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Thu, 21 Dec 2017 20:35:29 +0000 + -- Patrick Schleizer Thu, 21 Dec 2017 20:35:29 +0000 security-misc (3:1.2-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Wed, 26 Jul 2017 14:37:34 +0000 + -- Patrick Schleizer Wed, 26 Jul 2017 14:37:34 +0000 security-misc (3:1.1-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Mon, 06 Mar 2017 16:16:31 +0000 + -- Patrick Schleizer Mon, 06 Mar 2017 16:16:31 +0000 security-misc (3:1.0-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Mon, 27 Feb 2017 02:04:00 +0000 + -- Patrick Schleizer Mon, 27 Feb 2017 02:04:00 +0000 security-misc (3:0.9-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Fri, 17 Feb 2017 14:08:56 +0000 + -- Patrick Schleizer Fri, 17 Feb 2017 14:08:56 +0000 security-misc (3:0.8-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sun, 15 Jan 2017 15:35:31 +0000 + -- Patrick Schleizer Sun, 15 Jan 2017 15:35:31 +0000 security-misc (3:0.7-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Thu, 12 Jan 2017 02:56:55 +0000 + -- Patrick Schleizer Thu, 12 Jan 2017 02:56:55 +0000 security-misc (3:0.6-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sat, 10 Dec 2016 02:30:50 +0000 + -- Patrick Schleizer Sat, 10 Dec 2016 02:30:50 +0000 security-misc (3:0.5-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Mon, 25 Apr 2016 23:27:58 +0000 + -- Patrick Schleizer Mon, 25 Apr 2016 23:27:58 +0000 security-misc (3:0.4-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Thu, 07 Apr 2016 22:54:45 +0000 + -- Patrick Schleizer Thu, 07 Apr 2016 22:54:45 +0000 security-misc (3:0.3-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Tue, 15 Dec 2015 04:16:07 +0000 + -- Patrick Schleizer Tue, 15 Dec 2015 04:16:07 +0000 security-misc (3:0.2-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Tue, 15 Dec 2015 02:00:33 +0000 + -- Patrick Schleizer Tue, 15 Dec 2015 02:00:33 +0000 security-misc (3:0.1-2) unstable; urgency=low * Initial release. - -- Patrick Schleizer Sun, 17 Aug 2014 17:56:36 +0000 + -- Patrick Schleizer Sun, 17 Aug 2014 17:56:36 +0000 diff --git a/debian/compat b/debian/compat new file mode 100644 index 0000000..48082f7 --- /dev/null +++ b/debian/compat @@ -0,0 +1 @@ +12 diff --git a/debian/control b/debian/control index fd56b5f..b57465b 100644 --- a/debian/control +++ b/debian/control @@ -1,43 +1,155 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. Source: security-misc Section: misc Priority: optional -Maintainer: Patrick Schleizer -Build-Depends: config-package-dev, - debhelper (>= 13), - debhelper-compat (= 13), - dh-apparmor, - po-debconf -Homepage: https://www.kicksecure.com/wiki/Security-misc -Vcs-Browser: https://github.com/Kicksecure/security-misc -Vcs-Git: https://github.com/Kicksecure/security-misc.git -Standards-Version: 4.6.2 -Rules-Requires-Root: no +Maintainer: Patrick Schleizer +Build-Depends: debhelper (>= 12), genmkfile, config-package-dev +Homepage: https://github.com/Whonix/security-misc +Vcs-Browser: https://github.com/Whonix/security-misc +Vcs-Git: https://github.com/Whonix/security-misc.git +Standards-Version: 4.3.0 Package: security-misc Architecture: all -Depends: adduser, - apparmor-profile-dist, - dmsetup, - helper-scripts, - libcap2-bin, - libglib2.0-bin, - libpam-modules-bin, - libpam-runtime, - libpam-umask, - python3, - secure-delete, - sudo, - ${misc:Depends} -Replaces: anon-gpg-tweaks, swappiness-lowest, tcp-timestamps-disable -Description: Enhances Miscellaneous Security Settings - https://github.com/Kicksecure/security-misc/blob/master/README.md +Depends: python, libglib2.0-bin, libpam-runtime, libpam-cgfs, ${misc:Depends} +Replaces: tcp-timestamps-disable +Description: enhances misc security settings + The following settings are changed: . - https://www.kicksecure.com/wiki/Security-misc + deactivates previews in Dolphin; + deactivates previews in Nautilus; + deactivates thumbnails in Thunar; + deactivates TCP timestamps; + deactivates Netfilter's connection tracking helper; + implements some kernel hardening; + prevents DMA attacks; + restricts access to the root account; + increases the amount of hashing rounds used by shadow; . - Discussion: + TCP time stamps (RFC 1323) allow for tracking clock + information with millisecond resolution. This may or may not allow an + attacker to learn information about the system clock at such + a resolution, depending on various issues such as network lag. + This information is available to anyone who monitors the network + somewhere between the attacked system and the destination server. + It may allow an attacker to find out how long a given + system has been running, and to distinguish several + systems running behind NAT and using the same IP address. It might + also allow one to look for clocks that match an expected value to find the + public IP used by a user. . - Happening primarily in Whonix forums. - https://forums.whonix.org/t/kernel-hardening/7296 + Hence, this package disables this feature by shipping the + /etc/sysctl.d/tcp_timestamps.conf configuration file. + . + Note that TCP time stamps normally have some usefulness. They are + needed for: + . + * the TCP protection against wrapped sequence numbers; however, to + trigger a wrap, one needs to send roughly 2^32 packets in one + minute: as said in RFC 1700, "The current recommended default + time to live (TTL) for the Internet Protocol (IP) [45,105] is 64". + So, this probably won't be a practical problem in the context + of Anonymity Distributions. + . + * "Round-Trip Time Measurement", which is only useful when the user + manages to saturate their connection. When using Anonymity Distributions, + probably the limiting factor for transmission speed is rarely the capacity + of the user connection. + . + Netfilter's connection tracking helper module increases kernel attack + surface by enabling superfluous functionality such as IRC parsing in + the kernel. (!) + . + Hence, this package disables this feature by shipping the + /etc/modprobe.d/30_nf_conntrack_helper_disable.conf configuration file. + . + Kernel symbols in /proc/kallsyms are hidden to prevent malware from + reading them and using them to learn more about what to attack on your system. + . + Kexec is disabled as it can be used for live patching of the running kernel. + . + The BPF JIT compiler is restricted to the root user and is hardened. + . + ASLR effectiveness for mmap is increased. + . + The ptrace system call is restricted to the root user only. + . + The TCP/IP stack is hardened. + . + This package makes some data spoofing attacks harder. + . + SACK is disabled as it is commonly exploited and is rarely used. + . + This package disables the merging of slabs of similar sizes to prevent an + attacker from exploiting them. + . + Sanity checks, redzoning, and memory poisoning are enabled. + . + The kernel now panics on uncorrectable errors in ECC memory which could + be exploited. + . + Kernel Page Table Isolation is enabled to mitigate Meltdown and increase + KASLR effectiveness. + . + SMT is disabled as it can be used to exploit the MDS vulnerability. + . + All mitigations for the MDS vulnerability are enabled. + . + Uncommon network protocols are blacklisted in + /etc/modprobe.d/uncommon-network-protocols.conf as they are rarely used and + may have unknown vulnerabilities. + . + The network protocols that are blacklisted are: + . + * DCCP - Datagram Congestion Control Protocol + * SCTP - Stream Control Transmission Protocol + * RDS - Reliable Datagram Sockets + * TIPC - Transparent Inter-process Communication + * HDLC - High-Level Data Link Control + * AX25 - Amateur X.25 + * NetRom + * X25 + * ROSE + * DECnet + * Econet + * af_802154 - IEEE 802.15.4 + * IPX - Internetwork Packet Exchange + * AppleTalk + * PSNAP - Subnetwork Access Protocol + * p8023 - Novell raw IEEE 802.3 + * LLC - IEEE 802.2 + * p8022 - IEEE 802.2 + . + The kernel logs are restricted to root only. + . + A systemd service clears System.map on boot as these contain kernel symbols + that could be useful to an attacker. + . + The SysRq key is restricted to only allow shutdowns/reboots. + . + The thunderbolt and firewire modules are blacklisted as they can be used for + DMA (Direct Memory Access) attacks. + . + IOMMU is enabled with a boot parameter to prevent DMA attacks. + . + Coredumps are disabled as they may contain important information such as + encryption keys or passwords. + . + A systemd service mounts /proc with hidepid=2 at boot to prevent users from + seeing each other's processes. + . + The default umask is changed to 006. This allows only the owner and group to + read and write to newly created files. + . + The kernel now panics on oopses to prevent it from continuing running a + flawed process. + . + Su is restricted to only users within the root group which prevents users from + using su to gain root access or switch user accounts. + . + Logging into the root account from a terminal is prevented. + . + The amount of hashing rounds used by shadow is bumped to 65536. This increases + the security of hashed passwords. diff --git a/debian/copyright b/debian/copyright index 829d909..4cfb76c 100644 --- a/debian/copyright +++ b/debian/copyright @@ -1,668 +1,212 @@ Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Files: * -Copyright: 2012 - 2025 ENCRYPTED SUPPORT LLC -License: AGPL-3+ - -License: AGPL-3+ - GNU AFFERO GENERAL PUBLIC LICENSE - Version 3, 19 November 2007 - . - Copyright (C) 2007 Free Software Foundation, Inc. - Everyone is permitted to copy and distribute verbatim copies - of this license document, but changing it is not allowed. - . - Preamble - . - The GNU Affero General Public License is a free, copyleft license for - software and other kinds of works, specifically designed to ensure - cooperation with the community in the case of network server software. - . - The licenses for most software and other practical works are designed - to take away your freedom to share and change the works. By contrast, - our General Public Licenses are intended to guarantee your freedom to - share and change all versions of a program--to make sure it remains free - software for all its users. - . - When we speak of free software, we are referring to freedom, not - price. Our General Public Licenses are designed to make sure that you - have the freedom to distribute copies of free software (and charge for - them if you wish), that you receive source code or can get it if you - want it, that you can change the software or use pieces of it in new - free programs, and that you know you can do these things. - . - Developers that use our General Public Licenses protect your rights - with two steps: (1) assert copyright on the software, and (2) offer - you this License which gives you legal permission to copy, distribute - and/or modify the software. - . - A secondary benefit of defending all users' freedom is that - improvements made in alternate versions of the program, if they - receive widespread use, become available for other developers to - incorporate. Many developers of free software are heartened and - encouraged by the resulting cooperation. However, in the case of - software used on network servers, this result may fail to come about. - The GNU General Public License permits making a modified version and - letting the public access it on a server without ever releasing its - source code to the public. - . - The GNU Affero General Public License is designed specifically to - ensure that, in such cases, the modified source code becomes available - to the community. It requires the operator of a network server to - provide the source code of the modified version running there to the - users of that server. Therefore, public use of a modified version, on - a publicly accessible server, gives the public access to the source - code of the modified version. - . - An older license, called the Affero General Public License and - published by Affero, was designed to accomplish similar goals. This is - a different license, not a version of the Affero GPL, but Affero has - released a new version of the Affero GPL which permits relicensing under - this license. - . - The precise terms and conditions for copying, distribution and - modification follow. - . - TERMS AND CONDITIONS - . - 0. Definitions. - . - "This License" refers to version 3 of the GNU Affero General Public License. - . - "Copyright" also means copyright-like laws that apply to other kinds of - works, such as semiconductor masks. - . - "The Program" refers to any copyrightable work licensed under this - License. Each licensee is addressed as "you". "Licensees" and - "recipients" may be individuals or organizations. - . - To "modify" a work means to copy from or adapt all or part of the work - in a fashion requiring copyright permission, other than the making of an - exact copy. The resulting work is called a "modified version" of the - earlier work or a work "based on" the earlier work. - . - A "covered work" means either the unmodified Program or a work based - on the Program. - . - To "propagate" a work means to do anything with it that, without - permission, would make you directly or secondarily liable for - infringement under applicable copyright law, except executing it on a - computer or modifying a private copy. Propagation includes copying, - distribution (with or without modification), making available to the - public, and in some countries other activities as well. - . - To "convey" a work means any kind of propagation that enables other - parties to make or receive copies. Mere interaction with a user through - a computer network, with no transfer of a copy, is not conveying. - . - An interactive user interface displays "Appropriate Legal Notices" - to the extent that it includes a convenient and prominently visible - feature that (1) displays an appropriate copyright notice, and (2) - tells the user that there is no warranty for the work (except to the - extent that warranties are provided), that licensees may convey the - work under this License, and how to view a copy of this License. If - the interface presents a list of user commands or options, such as a - menu, a prominent item in the list meets this criterion. - . - 1. Source Code. - . - The "source code" for a work means the preferred form of the work - for making modifications to it. "Object code" means any non-source - form of a work. - . - A "Standard Interface" means an interface that either is an official - standard defined by a recognized standards body, or, in the case of - interfaces specified for a particular programming language, one that - is widely used among developers working in that language. - . - The "System Libraries" of an executable work include anything, other - than the work as a whole, that (a) is included in the normal form of - packaging a Major Component, but which is not part of that Major - Component, and (b) serves only to enable use of the work with that - Major Component, or to implement a Standard Interface for which an - implementation is available to the public in source code form. A - "Major Component", in this context, means a major essential component - (kernel, window system, and so on) of the specific operating system - (if any) on which the executable work runs, or a compiler used to - produce the work, or an object code interpreter used to run it. - . - The "Corresponding Source" for a work in object code form means all - the source code needed to generate, install, and (for an executable - work) run the object code and to modify the work, including scripts to - control those activities. However, it does not include the work's - System Libraries, or general-purpose tools or generally available free - programs which are used unmodified in performing those activities but - which are not part of the work. For example, Corresponding Source - includes interface definition files associated with source files for - the work, and the source code for shared libraries and dynamically - linked subprograms that the work is specifically designed to require, - such as by intimate data communication or control flow between those - subprograms and other parts of the work. - . - The Corresponding Source need not include anything that users - can regenerate automatically from other parts of the Corresponding - Source. - . - The Corresponding Source for a work in source code form is that - same work. - . - 2. Basic Permissions. - . - All rights granted under this License are granted for the term of - copyright on the Program, and are irrevocable provided the stated - conditions are met. This License explicitly affirms your unlimited - permission to run the unmodified Program. The output from running a - covered work is covered by this License only if the output, given its - content, constitutes a covered work. This License acknowledges your - rights of fair use or other equivalent, as provided by copyright law. - . - You may make, run and propagate covered works that you do not - convey, without conditions so long as your license otherwise remains - in force. You may convey covered works to others for the sole purpose - of having them make modifications exclusively for you, or provide you - with facilities for running those works, provided that you comply with - the terms of this License in conveying all material for which you do - not control copyright. Those thus making or running the covered works - for you must do so exclusively on your behalf, under your direction - and control, on terms that prohibit them from making any copies of - your copyrighted material outside their relationship with you. - . - Conveying under any other circumstances is permitted solely under - the conditions stated below. Sublicensing is not allowed; section 10 - makes it unnecessary. - . - 3. Protecting Users' Legal Rights From Anti-Circumvention Law. - . - No covered work shall be deemed part of an effective technological - measure under any applicable law fulfilling obligations under article - 11 of the WIPO copyright treaty adopted on 20 December 1996, or - similar laws prohibiting or restricting circumvention of such - measures. - . - When you convey a covered work, you waive any legal power to forbid - circumvention of technological measures to the extent such circumvention - is effected by exercising rights under this License with respect to - the covered work, and you disclaim any intention to limit operation or - modification of the work as a means of enforcing, against the work's - users, your or third parties' legal rights to forbid circumvention of - technological measures. - . - 4. Conveying Verbatim Copies. - . - You may convey verbatim copies of the Program's source code as you - receive it, in any medium, provided that you conspicuously and - appropriately publish on each copy an appropriate copyright notice; - keep intact all notices stating that this License and any - non-permissive terms added in accord with section 7 apply to the code; - keep intact all notices of the absence of any warranty; and give all - recipients a copy of this License along with the Program. - . - You may charge any price or no price for each copy that you convey, - and you may offer support or warranty protection for a fee. - . - 5. Conveying Modified Source Versions. - . - You may convey a work based on the Program, or the modifications to - produce it from the Program, in the form of source code under the - terms of section 4, provided that you also meet all of these conditions: - . - a) The work must carry prominent notices stating that you modified - it, and giving a relevant date. - . - b) The work must carry prominent notices stating that it is - released under this License and any conditions added under section - 7. This requirement modifies the requirement in section 4 to - "keep intact all notices". - . - c) You must license the entire work, as a whole, under this - License to anyone who comes into possession of a copy. This - License will therefore apply, along with any applicable section 7 - additional terms, to the whole of the work, and all its parts, - regardless of how they are packaged. This License gives no - permission to license the work in any other way, but it does not - invalidate such permission if you have separately received it. - . - d) If the work has interactive user interfaces, each must display - Appropriate Legal Notices; however, if the Program has interactive - interfaces that do not display Appropriate Legal Notices, your - work need not make them do so. - . - A compilation of a covered work with other separate and independent - works, which are not by their nature extensions of the covered work, - and which are not combined with it such as to form a larger program, - in or on a volume of a storage or distribution medium, is called an - "aggregate" if the compilation and its resulting copyright are not - used to limit the access or legal rights of the compilation's users - beyond what the individual works permit. Inclusion of a covered work - in an aggregate does not cause this License to apply to the other - parts of the aggregate. - . - 6. Conveying Non-Source Forms. - . - You may convey a covered work in object code form under the terms - of sections 4 and 5, provided that you also convey the - machine-readable Corresponding Source under the terms of this License, - in one of these ways: - . - a) Convey the object code in, or embodied in, a physical product - (including a physical distribution medium), accompanied by the - Corresponding Source fixed on a durable physical medium - customarily used for software interchange. - . - b) Convey the object code in, or embodied in, a physical product - (including a physical distribution medium), accompanied by a - written offer, valid for at least three years and valid for as - long as you offer spare parts or customer support for that product - model, to give anyone who possesses the object code either (1) a - copy of the Corresponding Source for all the software in the - product that is covered by this License, on a durable physical - medium customarily used for software interchange, for a price no - more than your reasonable cost of physically performing this - conveying of source, or (2) access to copy the - Corresponding Source from a network server at no charge. - . - c) Convey individual copies of the object code with a copy of the - written offer to provide the Corresponding Source. This - alternative is allowed only occasionally and noncommercially, and - only if you received the object code with such an offer, in accord - with subsection 6b. - . - d) Convey the object code by offering access from a designated - place (gratis or for a charge), and offer equivalent access to the - Corresponding Source in the same way through the same place at no - further charge. You need not require recipients to copy the - Corresponding Source along with the object code. If the place to - copy the object code is a network server, the Corresponding Source - may be on a different server (operated by you or a third party) - that supports equivalent copying facilities, provided you maintain - clear directions next to the object code saying where to find the - Corresponding Source. Regardless of what server hosts the - Corresponding Source, you remain obligated to ensure that it is - available for as long as needed to satisfy these requirements. - . - e) Convey the object code using peer-to-peer transmission, provided - you inform other peers where the object code and Corresponding - Source of the work are being offered to the general public at no - charge under subsection 6d. - . - A separable portion of the object code, whose source code is excluded - from the Corresponding Source as a System Library, need not be - included in conveying the object code work. - . - A "User Product" is either (1) a "consumer product", which means any - tangible personal property which is normally used for personal, family, - or household purposes, or (2) anything designed or sold for incorporation - into a dwelling. In determining whether a product is a consumer product, - doubtful cases shall be resolved in favor of coverage. For a particular - product received by a particular user, "normally used" refers to a - typical or common use of that class of product, regardless of the status - of the particular user or of the way in which the particular user - actually uses, or expects or is expected to use, the product. A product - is a consumer product regardless of whether the product has substantial - commercial, industrial or non-consumer uses, unless such uses represent - the only significant mode of use of the product. - . - "Installation Information" for a User Product means any methods, - procedures, authorization keys, or other information required to install - and execute modified versions of a covered work in that User Product from - a modified version of its Corresponding Source. The information must - suffice to ensure that the continued functioning of the modified object - code is in no case prevented or interfered with solely because - modification has been made. - . - If you convey an object code work under this section in, or with, or - specifically for use in, a User Product, and the conveying occurs as - part of a transaction in which the right of possession and use of the - User Product is transferred to the recipient in perpetuity or for a - fixed term (regardless of how the transaction is characterized), the - Corresponding Source conveyed under this section must be accompanied - by the Installation Information. But this requirement does not apply - if neither you nor any third party retains the ability to install - modified object code on the User Product (for example, the work has - been installed in ROM). - . - The requirement to provide Installation Information does not include a - requirement to continue to provide support service, warranty, or updates - for a work that has been modified or installed by the recipient, or for - the User Product in which it has been modified or installed. Access to a - network may be denied when the modification itself materially and - adversely affects the operation of the network or violates the rules and - protocols for communication across the network. - . - Corresponding Source conveyed, and Installation Information provided, - in accord with this section must be in a format that is publicly - documented (and with an implementation available to the public in - source code form), and must require no special password or key for - unpacking, reading or copying. - . - 7. Additional Terms. - . - "Additional permissions" are terms that supplement the terms of this - License by making exceptions from one or more of its conditions. - Additional permissions that are applicable to the entire Program shall - be treated as though they were included in this License, to the extent - that they are valid under applicable law. If additional permissions - apply only to part of the Program, that part may be used separately - under those permissions, but the entire Program remains governed by - this License without regard to the additional permissions. - . - When you convey a copy of a covered work, you may at your option - remove any additional permissions from that copy, or from any part of - it. (Additional permissions may be written to require their own - removal in certain cases when you modify the work.) You may place - additional permissions on material, added by you to a covered work, - for which you have or can give appropriate copyright permission. - . - Notwithstanding any other provision of this License, for material you - add to a covered work, you may (if authorized by the copyright holders of - that material) supplement the terms of this License with terms: - . - a) Disclaiming warranty or limiting liability differently from the - terms of sections 15 and 16 of this License; or - . - b) Requiring preservation of specified reasonable legal notices or - author attributions in that material or in the Appropriate Legal - Notices displayed by works containing it; or - . - c) Prohibiting misrepresentation of the origin of that material, or - requiring that modified versions of such material be marked in - reasonable ways as different from the original version; or - . - d) Limiting the use for publicity purposes of names of licensors or - authors of the material; or - . - e) Declining to grant rights under trademark law for use of some - trade names, trademarks, or service marks; or - . - f) Requiring indemnification of licensors and authors of that - material by anyone who conveys the material (or modified versions of - it) with contractual assumptions of liability to the recipient, for - any liability that these contractual assumptions directly impose on - those licensors and authors. - . - All other non-permissive additional terms are considered "further - restrictions" within the meaning of section 10. If the Program as you - received it, or any part of it, contains a notice stating that it is - governed by this License along with a term that is a further - restriction, you may remove that term. If a license document contains - a further restriction but permits relicensing or conveying under this - License, you may add to a covered work material governed by the terms - of that license document, provided that the further restriction does - not survive such relicensing or conveying. - . - If you add terms to a covered work in accord with this section, you - must place, in the relevant source files, a statement of the - additional terms that apply to those files, or a notice indicating - where to find the applicable terms. - . - Additional terms, permissive or non-permissive, may be stated in the - form of a separately written license, or stated as exceptions; - the above requirements apply either way. - . - 8. Termination. - . - You may not propagate or modify a covered work except as expressly - provided under this License. Any attempt otherwise to propagate or - modify it is void, and will automatically terminate your rights under - this License (including any patent licenses granted under the third - paragraph of section 11). - . - However, if you cease all violation of this License, then your - license from a particular copyright holder is reinstated (a) - provisionally, unless and until the copyright holder explicitly and - finally terminates your license, and (b) permanently, if the copyright - holder fails to notify you of the violation by some reasonable means - prior to 60 days after the cessation. - . - Moreover, your license from a particular copyright holder is - reinstated permanently if the copyright holder notifies you of the - violation by some reasonable means, this is the first time you have - received notice of violation of this License (for any work) from that - copyright holder, and you cure the violation prior to 30 days after - your receipt of the notice. - . - Termination of your rights under this section does not terminate the - licenses of parties who have received copies or rights from you under - this License. If your rights have been terminated and not permanently - reinstated, you do not qualify to receive new licenses for the same - material under section 10. - . - 9. Acceptance Not Required for Having Copies. - . - You are not required to accept this License in order to receive or - run a copy of the Program. Ancillary propagation of a covered work - occurring solely as a consequence of using peer-to-peer transmission - to receive a copy likewise does not require acceptance. However, - nothing other than this License grants you permission to propagate or - modify any covered work. These actions infringe copyright if you do - not accept this License. Therefore, by modifying or propagating a - covered work, you indicate your acceptance of this License to do so. - . - 10. Automatic Licensing of Downstream Recipients. - . - Each time you convey a covered work, the recipient automatically - receives a license from the original licensors, to run, modify and - propagate that work, subject to this License. You are not responsible - for enforcing compliance by third parties with this License. - . - An "entity transaction" is a transaction transferring control of an - organization, or substantially all assets of one, or subdividing an - organization, or merging organizations. If propagation of a covered - work results from an entity transaction, each party to that - transaction who receives a copy of the work also receives whatever - licenses to the work the party's predecessor in interest had or could - give under the previous paragraph, plus a right to possession of the - Corresponding Source of the work from the predecessor in interest, if - the predecessor has it or can get it with reasonable efforts. - . - You may not impose any further restrictions on the exercise of the - rights granted or affirmed under this License. For example, you may - not impose a license fee, royalty, or other charge for exercise of - rights granted under this License, and you may not initiate litigation - (including a cross-claim or counterclaim in a lawsuit) alleging that - any patent claim is infringed by making, using, selling, offering for - sale, or importing the Program or any portion of it. - . - 11. Patents. - . - A "contributor" is a copyright holder who authorizes use under this - License of the Program or a work on which the Program is based. The - work thus licensed is called the contributor's "contributor version". - . - A contributor's "essential patent claims" are all patent claims - owned or controlled by the contributor, whether already acquired or - hereafter acquired, that would be infringed by some manner, permitted - by this License, of making, using, or selling its contributor version, - but do not include claims that would be infringed only as a - consequence of further modification of the contributor version. For - purposes of this definition, "control" includes the right to grant - patent sublicenses in a manner consistent with the requirements of - this License. - . - Each contributor grants you a non-exclusive, worldwide, royalty-free - patent license under the contributor's essential patent claims, to - make, use, sell, offer for sale, import and otherwise run, modify and - propagate the contents of its contributor version. - . - In the following three paragraphs, a "patent license" is any express - agreement or commitment, however denominated, not to enforce a patent - (such as an express permission to practice a patent or covenant not to - sue for patent infringement). To "grant" such a patent license to a - party means to make such an agreement or commitment not to enforce a - patent against the party. - . - If you convey a covered work, knowingly relying on a patent license, - and the Corresponding Source of the work is not available for anyone - to copy, free of charge and under the terms of this License, through a - publicly available network server or other readily accessible means, - then you must either (1) cause the Corresponding Source to be so - available, or (2) arrange to deprive yourself of the benefit of the - patent license for this particular work, or (3) arrange, in a manner - consistent with the requirements of this License, to extend the patent - license to downstream recipients. "Knowingly relying" means you have - actual knowledge that, but for the patent license, your conveying the - covered work in a country, or your recipient's use of the covered work - in a country, would infringe one or more identifiable patents in that - country that you have reason to believe are valid. - . - If, pursuant to or in connection with a single transaction or - arrangement, you convey, or propagate by procuring conveyance of, a - covered work, and grant a patent license to some of the parties - receiving the covered work authorizing them to use, propagate, modify - or convey a specific copy of the covered work, then the patent license - you grant is automatically extended to all recipients of the covered - work and works based on it. - . - A patent license is "discriminatory" if it does not include within - the scope of its coverage, prohibits the exercise of, or is - conditioned on the non-exercise of one or more of the rights that are - specifically granted under this License. You may not convey a covered - work if you are a party to an arrangement with a third party that is - in the business of distributing software, under which you make payment - to the third party based on the extent of your activity of conveying - the work, and under which the third party grants, to any of the - parties who would receive the covered work from you, a discriminatory - patent license (a) in connection with copies of the covered work - conveyed by you (or copies made from those copies), or (b) primarily - for and in connection with specific products or compilations that - contain the covered work, unless you entered into that arrangement, - or that patent license was granted, prior to 28 March 2007. - . - Nothing in this License shall be construed as excluding or limiting - any implied license or other defenses to infringement that may - otherwise be available to you under applicable patent law. - . - 12. No Surrender of Others' Freedom. - . - If conditions are imposed on you (whether by court order, agreement or - otherwise) that contradict the conditions of this License, they do not - excuse you from the conditions of this License. If you cannot convey a - covered work so as to satisfy simultaneously your obligations under this - License and any other pertinent obligations, then as a consequence you may - not convey it at all. For example, if you agree to terms that obligate you - to collect a royalty for further conveying from those to whom you convey - the Program, the only way you could satisfy both those terms and this - License would be to refrain entirely from conveying the Program. - . - 13. Remote Network Interaction; Use with the GNU General Public License. - . - Notwithstanding any other provision of this License, if you modify the - Program, your modified version must prominently offer all users - interacting with it remotely through a computer network (if your version - supports such interaction) an opportunity to receive the Corresponding - Source of your version by providing access to the Corresponding Source - from a network server at no charge, through some standard or customary - means of facilitating copying of software. This Corresponding Source - shall include the Corresponding Source for any work covered by version 3 - of the GNU General Public License that is incorporated pursuant to the - following paragraph. - . - Notwithstanding any other provision of this License, you have - permission to link or combine any covered work with a work licensed - under version 3 of the GNU General Public License into a single - combined work, and to convey the resulting work. The terms of this - License will continue to apply to the part which is the covered work, - but the work with which it is combined will remain governed by version - 3 of the GNU General Public License. - . - 14. Revised Versions of this License. - . - The Free Software Foundation may publish revised and/or new versions of - the GNU Affero General Public License from time to time. Such new versions - will be similar in spirit to the present version, but may differ in detail to - address new problems or concerns. - . - Each version is given a distinguishing version number. If the - Program specifies that a certain numbered version of the GNU Affero General - Public License "or any later version" applies to it, you have the - option of following the terms and conditions either of that numbered - version or of any later version published by the Free Software - Foundation. If the Program does not specify a version number of the - GNU Affero General Public License, you may choose any version ever published - by the Free Software Foundation. - . - If the Program specifies that a proxy can decide which future - versions of the GNU Affero General Public License can be used, that proxy's - public statement of acceptance of a version permanently authorizes you - to choose that version for the Program. - . - Later license versions may give you additional or different - permissions. However, no additional obligations are imposed on any - author or copyright holder as a result of your choosing to follow a - later version. - . - 15. Disclaimer of Warranty. - . - THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY - APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT - HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY - OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, - THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM - IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF +Copyright: 2012 - 2019 ENCRYPTED SUPPORT LP +License: GPL-3+-with-additional-terms-1 + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + . + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + . + You should have received a copy of the GNU General Public License + along with this program. If not, see . + . + On Debian systems, the full text of the GNU General Public + License version 3 can be found in the file + `/usr/share/common-licenses/GPL-3'. + . + ADDITIONAL TERMS APPLICABLE per GNU GPL version 3 section 7 + . + 1. Replacement of Section 15. Section 15 of the GPL shall be deleted in its + entirety and replaced with the following: + . + 15. Disclaimer of Warranty. + . + THE PROGRAM IS PROVIDED WITHOUT ANY WARRANTIES, WHETHER EXPRESSED OR IMPLIED, + INCLUDING, WITHOUT LIMITATION, IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR + PURPOSE, NON-INFRINGEMENT, TITLE AND MERCHANTABILITY. THE PROGRAM IS BEING + DELIVERED OR MADE AVAILABLE 'AS IS', 'WITH ALL FAULTS' AND WITHOUT WARRANTY OR + REPRESENTATION. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE + PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. . - 16. Limitation of Liability. + 2. Replacement of Section 16. Section 16 of the GPL shall be deleted in its + entirety and replaced with the following: . - IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING - WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS - THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY - GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE - USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF - DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD - PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), - EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF - SUCH DAMAGES. + 16. LIMITATION OF LIABILITY. . - 17. Interpretation of Sections 15 and 16. + UNDER NO CIRCUMSTANCES SHALL ANY COPYRIGHT HOLDER OR ITS AFFILIATES, OR ANY + OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE + LIABLE TO YOU, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, FOR ANY + DAMAGES OR OTHER LIABILITY, INCLUDING ANY GENERAL, DIRECT, INDIRECT, SPECIAL, + INCIDENTAL, CONSEQUENTIAL OR PUNITIVE DAMAGES ARISING FROM, OUT OF OR IN + CONNECTION WITH THE USE OR INABILITY TO USE THE PROGRAM OR OTHER DEALINGS WITH + THE PROGRAM(INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED + INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE + PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), WHETHER OR NOT ANY COPYRIGHT HOLDER + OR SUCH OTHER PARTY RECEIVES NOTICE OF ANY SUCH DAMAGES AND WHETHER OR NOT SUCH + DAMAGES COULD HAVE BEEN FORESEEN. . - If the disclaimer of warranty and limitation of liability provided - above cannot be given local legal effect according to their terms, - reviewing courts shall apply local law that most closely approximates - an absolute waiver of all civil liability in connection with the - Program, unless a warranty or assumption of liability accompanies a - copy of the Program in return for a fee. + 3. LEGAL NOTICES; NO TRADEMARK LICENSE; ORIGIN. You must reproduce faithfully + all trademark, copyright and other proprietary and legal notices on any copies + of the Program or any other required author attributions. This license does not + grant you rights to use any copyright holder or any other party's name, logo, or + trademarks. Neither the name of the copyright holder or its affiliates, or any + other party who modifies and/or conveys the Program may be used to endorse or + promote products derived from this software without specific prior written + permission. The origin of the Program must not be misrepresented; you must not + claim that you wrote the original Program. Altered source versions must be + plainly marked as such, and must not be misrepresented as being the original + Program. . - END OF TERMS AND CONDITIONS + 4. INDEMNIFICATION. IF YOU CONVEY A COVERED WORK AND AGREE WITH ANY RECIPIENT + OF THAT COVERED WORK THAT YOU WILL ASSUME ANY LIABILITY FOR THAT COVERED WORK, + YOU HEREBY AGREE TO INDEMNIFY, DEFEND AND HOLD HARMLESS THE OTHER LICENSORS AND + AUTHORS OF THAT COVERED WORK FOR ANY DAMAGES, DEMANDS, CLAIMS, LOSSES, CAUSES OF + ACTION, LAWSUITS, JUDGMENTS EXPENSES (INCLUDING WITHOUT LIMITATION REASONABLE + ATTORNEYS' FEES AND EXPENSES) OR ANY OTHER LIABILITY ARISING FROM, RELATED TO OR + IN CONNECTION WITH YOUR ASSUMPTIONS OF LIABILITY. . - How to Apply These Terms to Your New Programs + +Files: etc/login.defs.security-misc +Copyright: + This is Debian GNU/Linux's prepackaged version of the shadow utilities. . - If you develop a new program, and you want it to be of the greatest - possible use to the public, the best way to achieve this is to make it - free software which everyone can redistribute and change under these terms. + It was downloaded from: . + As of May 2007, this site is no longer available. . - To do so, attach the following notices to the program. It is safest - to attach them to the start of each source file to most effectively - state the exclusion of warranty; and each file should have at least - the "copyright" line and a pointer to where the full notice is found. + Copyright: . - - Copyright (C) + Parts of this software are copyright 1988 - 1994, Julianne Frances Haugh. + All rights reserved. . - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU Affero General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. + Parts of this software are copyright 1997 - 2001, Marek Michałkiewicz. + All rights reserved. . - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU Affero General Public License for more details. + Parts of this software are copyright 2001 - 2004, Andrzej Krzysztofowicz + All rights reserved. . - You should have received a copy of the GNU Affero General Public License - along with this program. If not, see . + Parts of this software are copyright 2000 - 2007, Tomasz Kłoczko. + All rights reserved. +License: shadow-license + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + 3. Neither the name of Julianne F. Haugh nor the names of its contributors + may be used to endorse or promote products derived from this software + without specific prior written permission. . - Also add information on how to contact you by electronic and paper mail. + THIS SOFTWARE IS PROVIDED BY JULIE HAUGH AND CONTRIBUTORS ``AS IS'' AND + ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + ARE DISCLAIMED. IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE + FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + SUCH DAMAGE. . - If your software can interact with users remotely through a computer - network, you should also make sure that it provides a way for users to - get its source. For example, if your program is a web application, its - interface could display a "Source" link that leads users to an archive - of the code. There are many ways you could offer source, and different - solutions will be better for different programs; see section 13 for the - specific requirements. + This source code is currently archived on ftp.uu.net in the + comp.sources.misc portion of the USENET archives. You may also contact + the author, Julianne F. Haugh, at jockgrrl@ix.netcom.com if you have + any questions regarding this package. . - You should also get your employer (if you work as a programmer) or school, - if any, to sign a "copyright disclaimer" for the program, if necessary. - For more information on this, and how to apply and follow the GNU AGPL, see - . + THIS SOFTWARE IS BEING DISTRIBUTED AS-IS. THE AUTHORS DISCLAIM ALL + LIABILITY FOR ANY CONSEQUENCES OF USE. THE USER IS SOLELY RESPONSIBLE + FOR THE MAINTENANCE OF THIS SOFTWARE PACKAGE. THE AUTHORS ARE UNDER NO + OBLIGATION TO PROVIDE MODIFICATIONS OR IMPROVEMENTS. THE USER IS + ENCOURAGED TO TAKE ANY AND ALL STEPS NEEDED TO PROTECT AGAINST ACCIDENTAL + LOSS OF INFORMATION OR MACHINE RESOURCES. + . + Special thanks are due to Chip Rosenthal for his fine testing efforts; + to Steve Simmons for his work in porting this code to BSD; and to Bill + Kennedy for his contributions of LaserJet printer time and energies. + Also, thanks for Dennis L. Mumaugh for the initial shadow password + information and to Tony Walton (olapw@olgb1.oliv.co.uk) for the System + V Release 4 changes. Effort in porting to SunOS has been contributed + by Dr. Michael Newberry (miken@cs.adfa.oz.au) and Micheal J. Miller, Jr. + (mke@kaberd.rain.com). Effort in porting to AT&T UNIX System V Release + 4 has been provided by Andrew Herbert (andrew@werple.pub.uu.oz.au). + Special thanks to Marek Michalkiewicz (marekm@i17linuxb.ists.pwr.wroc.pl) + for taking over the Linux port of this software. + +Files: etc/pam.d/* +Copyright: + This package was debianized by J.H.M. Dassen (Ray) jdassen@debian.org on + Wed, 23 Sep 1998 20:29:32 +0200. + . + It was downloaded from ftp://ftp.kernel.org/pub/linux/libs/pam/pre/ + . + Copyright (C) 1994, 1995, 1996 Olaf Kirch, + Copyright (C) 1995 Wietse Venema + Copyright (C) 1995, 2001-2008 Red Hat, Inc. + Copyright (C) 1996-1999, 2000-2003, 2005 Andrew G. Morgan + Copyright (C) 1996, 1997, 1999 Cristian Gafton + Copyright (C) 1996, 1999 Theodore Ts'o + Copyright (C) 1996 Alexander O. Yuriev + Copyright (C) 1996 Elliot Lee + Copyright (C) 1997 Philip W. Dalrymple + Copyright (C) 1999 Jan Rękorajski + Copyright (C) 1999 Ben Collins + Copyright (C) 2000-2001, 2003, 2005, 2007 Steve Langasek + Copyright (C) 2003, 2005 IBM Corporation + Copyright (C) 2003, 2006 SuSE Linux AG. + Copyright (C) 2003 Nalin Dahyabhai + Copyright (C) 2005-2008 Thorsten Kukuk + Copyright (C) 2005 Darren Tucker +License: Linux-PAM-license + Unless otherwise *explicitly* stated the following text describes the + licensed conditions under which the contents of this Linux-PAM release + may be distributed: + . + ------------------------------------------------------------------------- + Redistribution and use in source and binary forms of Linux-PAM, with + or without modification, are permitted provided that the following + conditions are met: + . + 1. Redistributions of source code must retain any existing copyright + notice, and this entire permission notice in its entirety, + including the disclaimer of warranties. + . + 2. Redistributions in binary form must reproduce all prior and current + copyright notices, this list of conditions, and the following + disclaimer in the documentation and/or other materials provided + with the distribution. + . + 3. The name of any author may not be used to endorse or promote + products derived from this software without their specific prior + written permission. + . + ALTERNATIVELY, this product may be distributed under the terms of the + GNU General Public License, in which case the provisions of the GNU + GPL are required INSTEAD OF the above restrictions. (This clause is + necessary due to a potential conflict between the GNU GPL and the + restrictions contained in a BSD-style copyright.) + . + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF + MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT, + INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS + OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR + TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE + USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH + DAMAGE. + ------------------------------------------------------------------------- + . + On Debian GNU/Linux systems, the complete text of the GNU General + Public License can be found in `/usr/share/common-licenses/GPL-1'. diff --git a/debian/make-helper-overrides.bsh b/debian/make-helper-overrides.bsh deleted file mode 100755 index 4804b3e..0000000 --- a/debian/make-helper-overrides.bsh +++ /dev/null @@ -1,7 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2021 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/24 -genmkfile_lintian_post_opts+=" --suppress-tags obsolete-command-in-modprobe.d-file --suppress-tags no-complete-debconf-translation" diff --git a/debian/po/POTFILES.in b/debian/po/POTFILES.in deleted file mode 100644 index 435938f..0000000 --- a/debian/po/POTFILES.in +++ /dev/null @@ -1 +0,0 @@ -[type: gettext/rfc822deb] security-misc.templates diff --git a/debian/po/templates.pot b/debian/po/templates.pot deleted file mode 100644 index adb123b..0000000 --- a/debian/po/templates.pot +++ /dev/null @@ -1,36 +0,0 @@ -# SOME DESCRIPTIVE TITLE. -# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER -# This file is distributed under the same license as the security-misc package. -# FIRST AUTHOR , YEAR. -# -#, fuzzy -msgid "" -msgstr "" -"Project-Id-Version: security-misc\n" -"Report-Msgid-Bugs-To: security-misc@packages.debian.org\n" -"POT-Creation-Date: 2025-01-14 09:31-0500\n" -"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" -"Last-Translator: FULL NAME \n" -"Language-Team: LANGUAGE \n" -"Language: \n" -"MIME-Version: 1.0\n" -"Content-Type: text/plain; charset=CHARSET\n" -"Content-Transfer-Encoding: 8bit\n" - -#. Type: note -#. Description -#: ../security-misc.templates:1001 -msgid "Manual intervention may be required for permission-hardener update" -msgstr "" - -#. Type: note -#. Description -#: ../security-misc.templates:1001 -msgid "" -"No need to panic. Nothing is broken. A rare condition has been encountered. " -"permission-hardener is being updated to fix a minor bug that caused " -"corruption in the permission-hardener state file. If you installed your own " -"custom permission-hardener configuration, some manual intervention may be " -"required. See: https://www.kicksecure.com/wiki/" -"SUID_Disabler_and_Permission_Hardener#fixing_state_files" -msgstr "" diff --git a/debian/rules b/debian/rules index ca5e85c..ae11b19 100755 --- a/debian/rules +++ b/debian/rules @@ -1,6 +1,6 @@ #!/usr/bin/make -f -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. #export DH_VERBOSE=1 diff --git a/debian/security-misc.config b/debian/security-misc.config deleted file mode 100755 index e200fb6..0000000 --- a/debian/security-misc.config +++ /dev/null @@ -1,190 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then - source /usr/libexec/helper-scripts/pre.bsh -fi - -source /usr/share/debconf/confmodule - -set -e - -## Not set by DPKG for '.config' script. -DPKG_MAINTSCRIPT_PACKAGE="security-misc" -DPKG_MAINTSCRIPT_NAME="config" - -true " -##################################################################### -## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $* -##################################################################### -" - -## NOTE: Code duplication. -## Copied from: helper-scripts /usr/libexec/helper-scripts/package_installed_check.bsh -## -## '.config' scripts are run very early. Even 'Pre-Depends: helper-scripts' would be insufficient. -## Therefore the code is duplicated here. -pkg_installed() { - local package_name dpkg_query_output - local requested_action status error_state - - package_name="$1" - ## Cannot use '&>' because it is a bashism. - dpkg_query_output="$(dpkg-query --show --showformat='${Status}' "$package_name" 2>/dev/null)" || true - ## dpkg_query_output Examples: - ## install ok half-configured - ## install ok installed - - requested_action=$(printf '%s' "$dpkg_query_output" | awk '{print $1}') - status=$(printf '%s' "$dpkg_query_output" | awk '{print $2}') - error_state=$(printf '%s' "$dpkg_query_output" | awk '{print $3}') - - if [ "$requested_action" = 'install' ]; then - true "$0: INFO: $package_name is installed, ok." - return 0 - fi - - true "$0: INFO: $package_name is not installed, ok." - return 1 -} - -check_migrate_permission_hardener_state() { - local pkg_list modified_pkg_data_str custom_hardening_arr config_file - - ## If folder /var/lib/permission-hardener (version 1) does not exist, this migration is unneeded. - if [ ! -d '/var/lib/permission-hardener' ]; then - return 0 - fi - - local orig_hardening_arr custom_hardening_arr config_file custom_config_file - if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_2" ]; then - return 0 - fi - mkdir --parents '/var/lib/security-misc/do_once' - - orig_hardening_arr=( - '/usr/lib/permission-hardener.d/25_default_passwd.conf' - '/usr/lib/permission-hardener.d/25_default_sudo.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf' - '/usr/lib/permission-hardener.d/20_user-sysmaint-split.conf' - '/usr/lib/permission-hardener.d/30_ping.conf' - '/usr/lib/permission-hardener.d/30_default.conf' - '/etc/permission-hardener.d/25_default_passwd.conf' - '/etc/permission-hardener.d/25_default_sudo.conf' - '/etc/permission-hardener.d/25_default_whitelist_bubblewrap.conf' - '/etc/permission-hardener.d/25_default_whitelist_chromium.conf' - '/etc/permission-hardener.d/25_default_whitelist_dbus.conf' - '/etc/permission-hardener.d/25_default_whitelist_firejail.conf' - '/etc/permission-hardener.d/25_default_whitelist_fuse.conf' - '/etc/permission-hardener.d/25_default_whitelist_hardened_malloc.conf' - '/etc/permission-hardener.d/25_default_whitelist_mount.conf' - '/etc/permission-hardener.d/25_default_whitelist_pam.conf' - '/etc/permission-hardener.d/25_default_whitelist_passwd.conf' - '/etc/permission-hardener.d/25_default_whitelist_policykit.conf' - '/etc/permission-hardener.d/25_default_whitelist_postfix.conf' - '/etc/permission-hardener.d/25_default_whitelist_qubes.conf' - '/etc/permission-hardener.d/25_default_whitelist_selinux.conf' - '/etc/permission-hardener.d/25_default_whitelist_spice.conf' - '/etc/permission-hardener.d/25_default_whitelist_ssh.conf' - '/etc/permission-hardener.d/25_default_whitelist_sudo.conf' - '/etc/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf' - '/etc/permission-hardener.d/25_default_whitelist_virtualbox.conf' - '/etc/permission-hardener.d/20_user-sysmaint-split.conf' - '/etc/permission-hardener.d/30_ping.conf' - '/etc/permission-hardener.d/30_default.conf' - ) - - pkg_list=( "security-misc" ) - if pkg_installed user-sysmaint-split ; then - pkg_list+=( "user-sysmaint-split" ) - fi - if pkg_installed anon-apps-config ; then - pkg_list+=( "anon-apps-config" ) - fi - - ## This will exit non-zero if some of the packages don't exist, but we - ## don't care. The packages that *are* installed will still be scanned. - modified_pkg_data_str="$(dpkg --verify "${pkg_list[@]}")" || true - - ## Example modified_pkg_data_str: - #modified_pkg_data_str='missing /usr/lib/permission-hardener.d/20_user-sysmaint-split.conf' - - readarray -t custom_hardening_arr < <(awk '/permission-hardener.d/{ print $NF }' <<< "${modified_pkg_data_str}") - - ## If the above `dpkg --verify` command doesn't return any permission-hardener - ## related lines, the array will contain no meaningful info, just a single - ## blank element at the start. Set the array to be explicitly empty in - ## this scenario. - if [ -z "${custom_hardening_arr[0]}" ]; then - custom_hardening_arr=() - fi - - for config_file in \ - /usr/lib/permission-hardener.d/*.conf \ - /etc/permission-hardener.d/*.conf \ - /usr/local/etc/permission-hardener.d/*.conf \ - /etc/permission-hardening.d/*.conf \ - /usr/local/etc/permission-hardening.d/*.conf - do - # shellcheck disable=SC2076 - if ! [[ " ${orig_hardening_arr[*]} " =~ " ${config_file} " ]]; then - if [ -f "${config_file}" ]; then - custom_hardening_arr+=( "${config_file}" ) - fi - fi - done - - if [ "${#custom_hardening_arr[@]}" != '0' ]; then - for custom_config_file in "${custom_hardening_arr[@]}"; do - if ! test -e "${custom_config_file}" ; then - echo "$0: INFO: Possible missing configuration file found: '${custom_config_file}'" - else - echo "$0: INFO: Possible custom configuration file found: '${custom_config_file}'" - fi - done - ## db_input will return code 30 if the message won't be displayed, which - ## causes a non-interactive install to error out if you don't use || true - db_input critical security-misc/alert-on-permission-hardener-v2-upgrade || true - ## db_go can return code 30 too in some instances, we don't care here - # shellcheck disable=SC2119 - db_go || true - fi - - touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_2" -} - -check_migrate_permission_hardener_state - -true "INFO: debhelper beginning here." - -#DEBHELPER# - -true "INFO: Done with debhelper." - -true " -##################################################################### -## INFO: END : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $* -##################################################################### -" - -## Explicitly "exit 0", so eventually trapped errors can be ignored. -exit 0 diff --git a/debian/security-misc.displace b/debian/security-misc.displace index 78257f6..a152262 100644 --- a/debian/security-misc.displace +++ b/debian/security-misc.displace @@ -1,5 +1,6 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -/etc/securetty.security-misc -/etc/security/faillock.conf.security-misc +/etc/login.defs.security-misc +/etc/pam.d/common-session-noninteractive.security-misc +/etc/pam.d/common-session.security-misc diff --git a/debian/security-misc.gconf-defaults b/debian/security-misc.gconf-defaults index b79536a..26d57ff 100644 --- a/debian/security-misc.gconf-defaults +++ b/debian/security-misc.gconf-defaults @@ -1,6 +1,3 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - /apps/nautilus/preview_sound never /apps/nautilus/show_icon_text never /apps/nautilus/show-image-thumbnails never diff --git a/debian/security-misc.install b/debian/security-misc.install deleted file mode 100644 index 6d5f850..0000000 --- a/debian/security-misc.install +++ /dev/null @@ -1,8 +0,0 @@ -## Copyright (C) 2020 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## This file was generated using 'genmkfile debinstfile'. - -etc/* -usr/* -var/* diff --git a/debian/security-misc.links b/debian/security-misc.links deleted file mode 100644 index c3369df..0000000 --- a/debian/security-misc.links +++ /dev/null @@ -1,5 +0,0 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -/etc/profile.d/30_security-misc.sh /etc/zprofile.d/30_security-misc.zsh -/etc/profile.d/30_security-misc.sh /etc/X11/Xsession.d/30_security-misc diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript deleted file mode 100644 index 0a1759b..0000000 --- a/debian/security-misc.maintscript +++ /dev/null @@ -1,111 +0,0 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -rm_conffile /etc/sudoers.d/umask-security-misc - -## https://forums.whonix.org/t/sysrq-magic-sysrq-key/8079 -rm_conffile /etc/sysctl.d/sysrq.conf - -## https://github.com/Whonix/security-misc/pull/45 -rm_conffile /etc/apparmor.d/usr.lib.security-misc.pam_tally2-info -rm_conffile /etc/apparmor.d/usr.lib.security-misc.permission-lockdown - -## merged into 3 files /usr/lib/sysctl.d/30_security-misc_kexec-disable.conf, /usr/lib/sysctl.d/30_silent-kernel-printk.conf, and /usr/lib/sysctl.d/990-security-misc.conf -rm_conffile /etc/sysctl.d/fs_protected.conf -rm_conffile /etc/sysctl.d/kptr_restrict.conf -rm_conffile /etc/sysctl.d/suid_dumpable.conf -rm_conffile /etc/sysctl.d/harden_bpf.conf -rm_conffile /etc/sysctl.d/ptrace_scope.conf -rm_conffile /etc/sysctl.d/tcp_timestamps.conf -rm_conffile /etc/sysctl.d/mmap_aslr.conf -rm_conffile /etc/sysctl.d/dmesg_restrict.conf -rm_conffile /etc/sysctl.d/coredumps.conf -rm_conffile /etc/sysctl.d/kexec.conf -rm_conffile /etc/sysctl.d/tcp_hardening.conf -rm_conffile /etc/sysctl.d/tcp_sack.conf - -## merged into 3 files /etc/modprobe.d/30_security-misc_blacklist.conf, 30_security-misc_conntrack.conf, and /etc/modprobe.d/30_security-misc_disable.conf -rm_conffile /etc/modprobe.d/uncommon-network-protocols.conf -rm_conffile /etc/modprobe.d/blacklist-bluetooth.conf -rm_conffile /etc/modprobe.d/vivid.conf -rm_conffile /etc/modprobe.d/blacklist-dma.conf -rm_conffile /etc/modprobe.d/msr.conf -rm_conffile /etc/modprobe.d/30_nf_conntrack_helper_disable.conf -rm_conffile /etc/modprobe.d/30_security-misc.conf - -## renamed to /etc/security/limits.d/30_security-misc.conf -rm_conffile /etc/security/limits.d/disable-coredumps.conf - -## moved to separate package ram-wipe -rm_conffile /etc/default/grub.d/40_cold_boot_attack_defense.cfg - -rm_conffile /etc/X11/Xsession.d/50panic_on_oops -rm_conffile /etc/X11/Xsession.d/50security-misc - -## moved to /usr/lib/sysctl.d -rm_conffile /etc/sysctl.d/30_security-misc.conf -rm_conffile /etc/sysctl.d/30_silent-kernel-printk.conf -rm_conffile /etc/sysctl.d/30_security-misc_kexec-disable.conf - -## moved to /etc/permission-hardener.d -rm_conffile /etc/permission-hardening.d/25_default_passwd.conf -rm_conffile /etc/permission-hardening.d/25_default_sudo.conf -rm_conffile /etc/permission-hardening.d/25_default_whitelist_bubblewrap.conf -rm_conffile /etc/permission-hardening.d/25_default_whitelist_chromium.conf -rm_conffile /etc/permission-hardening.d/25_default_whitelist_dbus.conf -rm_conffile /etc/permission-hardening.d/25_default_whitelist_firejail.conf -rm_conffile /etc/permission-hardening.d/25_default_whitelist_fuse.conf -rm_conffile /etc/permission-hardening.d/25_default_whitelist_hardened_malloc.conf -rm_conffile /etc/permission-hardening.d/25_default_whitelist_mount.conf -rm_conffile /etc/permission-hardening.d/25_default_whitelist_pam.conf -rm_conffile /etc/permission-hardening.d/25_default_whitelist_policykit.conf -rm_conffile /etc/permission-hardening.d/25_default_whitelist_qubes.conf -rm_conffile /etc/permission-hardening.d/25_default_whitelist_selinux.conf -rm_conffile /etc/permission-hardening.d/25_default_whitelist_spice.conf -rm_conffile /etc/permission-hardening.d/25_default_whitelist_ssh.conf -rm_conffile /etc/permission-hardening.d/25_default_whitelist_sudo.conf -rm_conffile /etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf -rm_conffile /etc/permission-hardening.d/25_default_whitelist_virtualbox.conf -rm_conffile /etc/permission-hardening.d/30_default.conf - -## moved to /usr/lib/permission-hardener.d -rm_conffile /etc/permission-hardener.d/25_default_passwd.conf -rm_conffile /etc/permission-hardener.d/25_default_sudo.conf -rm_conffile /etc/permission-hardener.d/25_default_whitelist_bubblewrap.conf -rm_conffile /etc/permission-hardener.d/25_default_whitelist_chromium.conf -rm_conffile /etc/permission-hardener.d/25_default_whitelist_dbus.conf -rm_conffile /etc/permission-hardener.d/25_default_whitelist_firejail.conf -rm_conffile /etc/permission-hardener.d/25_default_whitelist_fuse.conf -rm_conffile /etc/permission-hardener.d/25_default_whitelist_hardened_malloc.conf -rm_conffile /etc/permission-hardener.d/25_default_whitelist_mount.conf -rm_conffile /etc/permission-hardener.d/25_default_whitelist_pam.conf -rm_conffile /etc/permission-hardener.d/25_default_whitelist_policykit.conf -rm_conffile /etc/permission-hardener.d/25_default_whitelist_postfix.conf -rm_conffile /etc/permission-hardener.d/25_default_whitelist_qubes.conf -rm_conffile /etc/permission-hardener.d/25_default_whitelist_selinux.conf -rm_conffile /etc/permission-hardener.d/25_default_whitelist_spice.conf -rm_conffile /etc/permission-hardener.d/25_default_whitelist_ssh.conf -rm_conffile /etc/permission-hardener.d/25_default_whitelist_sudo.conf -rm_conffile /etc/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf -rm_conffile /etc/permission-hardener.d/25_default_whitelist_virtualbox.conf -rm_conffile /etc/permission-hardener.d/30_default.conf - -## merged into 1 file /etc/default/grub.d/40_kernel_hardening.cfg -rm_conffile /etc/default/grub.d/40_distrust_bootloader.cfg -rm_conffile /etc/default/grub.d/40_distrust_cpu.cfg -rm_conffile /etc/default/grub.d/40_enable_iommu.cfg - -## renamed to /etc/default/grub.d/40_remount_secure.cfg -rm_conffile /etc/default/grub.d/40_remmount-secure.cfg - -## renamed to /etc/default/grub.d/40_signed_modules.cfg -rm_conffile /etc/default/grub.d/40_only_allow_signed_modules.cfg - -## renamed to /etc/default/grub.d/41_quiet_boot.cfg -rm_conffile /etc/default/grub.d/41_quiet.cfg - -## moved to usability-misc -rm_conffile /etc/dkms/framework.conf.d/30_security-misc.conf - -## renamed to reflect the fact that this uses a whitelist -rm_conffile /usr/lib/permission-hardener.d/25_default_passwd.conf diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst index ac81a23..11e808d 100644 --- a/debian/security-misc.postinst +++ b/debian/security-misc.postinst @@ -1,132 +1,44 @@ #!/bin/bash -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then - source /usr/libexec/helper-scripts/pre.bsh +if [ -f /usr/lib/helper-scripts/pre.bsh ]; then + source /usr/lib/helper-scripts/pre.bsh fi -## Required since this package uses debconf - this is mandatory even though -## the postinst itself does not use debconf commands. -source /usr/share/debconf/confmodule - set -e true " ##################################################################### -## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $* +## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@ ##################################################################### " -permission_hardening_legacy_config_folder() { - if ! test -d /etc/permission-hardening.d ; then - return 0 - fi - rmdir --verbose --ignore-fail-on-non-empty /etc/permission-hardening.d || true -} - -permission_hardening() { - echo "Running SUID Disabler and Permission Hardener... See also:" - echo "https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener" - echo "$0: INFO: running: permission-hardener enable" - if ! permission-hardener enable ; then - echo "$0: ERROR: Permission hardening failed." >&2 - return 0 - fi - echo "$0: INFO: Permission hardening success." -} - -migrate_permission_hardener_state() { - local existing_mode_dir new_mode_dir dpkg_statoverride_list - ## If folder /var/lib/permission-hardener (version 1) does not exist, this migration is unneeded. - if [ ! -d '/var/lib/permission-hardener' ]; then - return 0 - fi - - if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_2" ]; then - return 0 - fi - mkdir --parents '/var/lib/security-misc/do_once' - - existing_mode_dir='/var/lib/permission-hardener-v2/existing_mode' - new_mode_dir='/var/lib/permission-hardener-v2/new_mode' - - mkdir --parents "${existing_mode_dir}"; - mkdir --parents "${new_mode_dir}"; - - cp --verbose '/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded' "${existing_mode_dir}/statoverride" - cp --verbose '/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded' "${new_mode_dir}/statoverride" - - dpkg_statoverride_list="$(dpkg-statoverride --admindir "${new_mode_dir}" --list)" - - if [ "$(stat --format '%G' /usr/bin/sudo)" = 'sysmaint' ]; then - if ! [[ "${dpkg_statoverride_list}" =~ '/usr/bin/sudo' ]]; then - dpkg-statoverride --admindir "${new_mode_dir}" --add 'root' 'sysmaint' '4750' '/usr/bin/sudo' - fi - fi - if [ "$(stat --format '%G' /usr/bin/pkexec)" = 'sysmaint' ]; then - if ! [[ "${dpkg_statoverride_list}" =~ '/usr/bin/pkexec' ]]; then - dpkg-statoverride --admindir "${new_mode_dir}" --add 'root' 'sysmaint' '4750' '/usr/bin/pkexec' - fi - fi - - touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_2" -} - case "$1" in configure) - if [ -d /etc/skel/.gnupg ]; then - ## Lintian warns against use of chmod --recursive. - chmod 700 /etc/skel/.gnupg - fi - - ## /usr/share/glib-2.0/schemas/30_security-misc.gschema.override glib-compile-schemas /usr/share/glib-2.0/schemas || true - - ## state dir for faillock - mkdir -p /var/lib/security-misc/faillock - - ## migrate permission_hardener state to v2 if applicable - migrate_permission_hardener_state ;; abort-upgrade|abort-remove|abort-deconfigure) ;; - triggered) - echo "INFO: triggered $DPKG_MAINTSCRIPT_PACKAGE: '$DPKG_MAINTSCRIPT_PACKAGE' $DPKG_MAINTSCRIPT_PACKAGE DPKG_MAINTSCRIPT_NAME: '$DPKG_MAINTSCRIPT_NAME' $\*: '$*' 2: '$2'" - /usr/share/security-misc/lkrg/lkrg-virtualbox || true - /usr/libexec/security-misc/mmap-rnd-bits || true - permission_hardening - exit 0 - ;; - *) echo "$DPKG_MAINTSCRIPT_NAME called with unknown argument \`$1'" >&2 exit 1 ;; esac -pam-auth-update --package +[ -n "$DEBIAN_FRONTEND" ] || DEBIAN_FRONTEND="noninteractive" +[ -n "$DEBIAN_PRIORITY" ] || DEBIAN_PRIORITY="critical" +[ -n "$DEBCONF_NOWARNINGS" ] || DEBCONF_NOWARNINGS="yes" +[ -n "$APT_LISTCHANGES_FRONTEND" ] || APT_LISTCHANGES_FRONTEND="text" +export POLICYRCD DEBIAN_FRONTEND DEBIAN_PRIORITY DEBCONF_NOWARNINGS APT_LISTCHANGES_FRONTEND -/usr/libexec/security-misc/permission-lockdown - -permission_hardening - -## https://phabricator.whonix.org/T377 -## Debian has no update-grub trigger yet: -## https://bugs.debian.org/481542 -if command -v update-grub >/dev/null 2>&1; then - update-grub || \ - echo "$DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME ERROR: Running \ -'update-grub' failed with exit code $?. $DPKG_MAINTSCRIPT_PACKAGE is most \ -likely only the trigger, not the cause. Unless you know this is not an issue, \ -you should fix running 'update-grub', otherwise your system might no longer \ -boot." >&2 -fi - -/usr/libexec/security-misc/mmap-rnd-bits || true +## Jul 07 20:35:39 host sudo[16090]: PAM unable to dlopen(pam_cgfs.so): /lib/security/pam_cgfs.so: cannot open shared object file: No such file or directory +## Jul 07 20:35:39 host sudo[16090]: PAM adding faulty module: pam_cgfs.so +## --package hangs in Qubes updater since it starts whiptail for interactive dpkg configuration dialog. +pam-auth-update --force true "INFO: debhelper beginning here." @@ -134,11 +46,9 @@ true "INFO: debhelper beginning here." true "INFO: Done with debhelper." -permission_hardening_legacy_config_folder - true " ##################################################################### -## INFO: END : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $* +## INFO: END : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@ ##################################################################### " diff --git a/debian/security-misc.postrm b/debian/security-misc.postrm deleted file mode 100644 index 13dc588..0000000 --- a/debian/security-misc.postrm +++ /dev/null @@ -1,36 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then - source /usr/libexec/helper-scripts/pre.bsh -fi - -set -e - -true " -##################################################################### -## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@ -##################################################################### -" - -## https://forums.whonix.org/t/is-security-misc-suitable-for-hardening-bridges-and-relays/8299/11 -pam-auth-update --package --remove "$DPKG_MAINTSCRIPT_PACKAGE" - -rm -f /etc/sysctl.d/30_security-misc_aslr-mmap.conf - -true "INFO: debhelper beginning here." - -#DEBHELPER# - -true "INFO: Done with debhelper." - -true " -##################################################################### -## INFO: END : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@ -##################################################################### -" - -## Explicitly "exit 0", so eventually trapped errors can be ignored. -exit 0 diff --git a/debian/security-misc.preinst b/debian/security-misc.preinst deleted file mode 100644 index 8e900d0..0000000 --- a/debian/security-misc.preinst +++ /dev/null @@ -1,249 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then - source /usr/libexec/helper-scripts/pre.bsh -fi - -set -e - -true " -##################################################################### -## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@ -##################################################################### -" - -user_groups_modifications() { - ## /usr/libexec/security-misc/hide-hardware-info - addgroup --system sysfs - addgroup --system cpuinfo - - ## /usr/lib/systemd/system/proc-hidepid.service - addgroup --system proc - - ## group 'sudo' membership required to use 'su' - ## /usr/share/pam-configs/wheel-security-misc - adduser root sudo - - ## Useful to create groups in preinst rather than postinst. - ## Otherwise if a user saw an error message such as this: - ## - ## /var/lib/ dpkg/tmp.ci/preinst: ERROR: No user is a member of group 'console'. Installation aborted. - ## /var/lib/ dpkg/tmp.ci/preinst: ERROR: You probably want to run: - ## sudo adduser user console - ## - ## Then the user could not run 'sudo adduser user console' but also would - ## have to create the groups himself. - - ## Related to Console Lockdown. - ## /usr/share/pam-configs/console-lockdown-security-misc - ## /etc/security/access-security-misc.conf - addgroup --system console - addgroup --system console-unrestricted - ## This has no effect since by default this package also ships and an - ## /etc/securetty configuration file that contains nothing but comments, i.e. - ## an "empty" /etc/securetty. - ## In case a system administrator edits /etc/securetty, there is no need to - ## block for this to be still blocked by console lockdown. See also: - ## https://www.kicksecure.com/wiki/Root#Root_Login - adduser root console -} - -output_skip_checks() { - echo "security-misc '$0' INFO: Allow installation of security-misc anyway." >&2 - echo "security-misc '$0' INFO: (technical reason: $@)" >&2 - echo "security-misc '$0' INFO: If this is a chroot this is probably OK." >&2 - echo "security-misc '$0' INFO: Otherwise you might not be able to login." >&2 -} - -sudo_users_check () { - if command -v "qubesdb-read" &>/dev/null; then - ## Qubes users can use dom0 to get a root terminal emulator. - ## For example: - ## qvm-run -u root debian-10 xterm - return 0 - fi - - local sudo_users user_with_sudo are_there_any_sudo_users OLD_IFS - - sudo_users="$(getent group sudo | cut -d: -f4)" - ## example sudo_users: - ## user,root - - OLD_IFS="$IFS" - IFS="," - export IFS - - for user_with_sudo in $sudo_users ; do - if [ "$user_with_sudo" = "root" ]; then - ## root login is also restricted. - ## Therefore user "root" being member of group "sudo" is - ## considered insufficient. - continue - fi - are_there_any_sudo_users=yes - break - done - - IFS="$OLD_IFS" - export IFS - - if [ "$are_there_any_sudo_users" = "yes" ]; then - return 0 - fi - - ## Prevent users from locking themselves out. - ## https://forums.whonix.org/t/is-security-misc-suitable-for-hardening-bridges-and-relays/8299/4 - echo "$0: ERROR: No user is a member of group 'sudo'. Installation aborted." >&2 - echo "$0: ERROR: You probably want to run:" >&2 - echo "$0: NOTE: Replace user 'user' with your actual Linux user account name." >&2 - echo "" >&2 - echo "sudo adduser user sudo" >&2 - echo "sudo adduser user console" >&2 - echo "" >&2 - echo "$0: ERROR: See also installation instructions:" >&2 - echo "https://www.kicksecure.com/wiki/security-misc#install" >&2 - - if [ "$SECURITY_MISC_INSTALL" = "force" ]; then - output_skip_checks "Environment variable SECURITY_MISC_INSTALL is set to 'force'." - return 0 - fi - if test -f "/var/lib/security-misc/skip_install_check" ; then - output_skip_checks "File '/var/lib/security-misc/skip_install_check' exists." - return 0 - fi - - exit 200 -} - -console_users_check() { - if [ "$SECURITY_MISC_INSTALL" = "force" ]; then - return 0 - fi - if test -f "/var/lib/security-misc/skip_install_check" ; then - return 0 - fi - if command -v "qubesdb-read" &>/dev/null; then - ## Qubes users can use dom0 to get a root terminal emulator. - ## For example: - ## qvm-run -u root debian-10 xterm - return 0 - fi - - local console_users console_unrestricted_users user_with_console are_there_any_console_users OLD_IFS - - console_users="$(getent group console | cut -d: -f4)" - ## example console_users: - ## user - console_unrestricted_users="$(getent group console-unrestricted | cut -d: -f4)" - - OLD_IFS="$IFS" - IFS="," - export IFS - - for user_with_console in $console_users $console_unrestricted_users ; do - if [ "$user_with_console" = "root" ]; then - ## root login is also restricted. - ## Therefore user "root" being member of group "console" is - ## considered insufficient. - continue - fi - are_there_any_console_users=yes - break - done - - IFS="$OLD_IFS" - export IFS - - ## Prevent users from locking themselves out. - ## https://forums.whonix.org/t/is-security-misc-suitable-for-hardening-bridges-and-relays/8299/4 - if [ "$are_there_any_console_users" = "yes" ]; then - return 0 - fi - - echo "$0: ERROR: No user is a member of group 'console'. Installation aborted." >&2 - echo "$0: ERROR: You probably want to run:" >&2 - echo "" >&2 - echo "sudo adduser user console" >&2 - echo "" >&2 - echo "$0: ERROR: See also installation instructions:" >&2 - echo "https://www.whonix.org/wiki/security-misc#install" >&2 - - if [ "$SECURITY_MISC_INSTALL" = "force" ]; then - output_skip_checks "Environment variable SECURITY_MISC_INSTALL is set to 'force'." - return 0 - fi - if test -f "/var/lib/security-misc/skip_install_check" ; then - output_skip_checks "File '/var/lib/security-misc/skip_install_check' exists." - return 0 - fi - - exit 201 -} - -legacy() { - if [ -f "/var/lib/legacy/do_once/${FUNCNAME}_version_1" ]; then - return 0 - fi - - local continue_yes user_to_be_created - - if [ -f "/usr/share/whonix/marker" ]; then - continue_yes=true - fi - if [ -f "/usr/share/kicksecure/marker" ]; then - continue_yes=true - fi - - if [ ! "$continue_yes" = "true" ]; then - return 0 - fi - - if command -v "qubesdb-read" &>/dev/null; then - ## Qubes users can use dom0 to get a root terminal emulator. - ## For example: - ## qvm-run -u root debian-10 xterm - return 0 - fi - - ## https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/7 - - user_to_be_created=user - - if ! id "$user_to_be_created" &>/dev/null ; then - true "INFO: user '$user_to_be_created' does not exist. Skipping adduser console and pam-auth-update." - return 0 - fi - - adduser "$user_to_be_created" console - - pam-auth-update --enable console-lockdown-security-misc - - mkdir --parents "/var/lib/legacy/do_once" - touch "/var/lib/legacy/do_once/${FUNCNAME}_version_1" -} - -user_groups_modifications -legacy - -if [ "$1" = "install" ] || [ "$1" = "upgrade" ]; then - sudo_users_check - console_users_check -fi - -true "INFO: debhelper beginning here." - -#DEBHELPER# - -true "INFO: Done with debhelper." - -true " -##################################################################### -## INFO: END : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@ -##################################################################### -" - -## Explicitly "exit 0", so eventually trapped errors can be ignored. -exit 0 diff --git a/debian/security-misc.prerm b/debian/security-misc.prerm index 1c4cd87..95a420a 100644 --- a/debian/security-misc.prerm +++ b/debian/security-misc.prerm @@ -1,10 +1,10 @@ #!/bin/bash -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then - source /usr/libexec/helper-scripts/pre.bsh +if [ -f /usr/lib/helper-scripts/pre.bsh ]; then + source /usr/lib/helper-scripts/pre.bsh fi set -e @@ -15,9 +15,30 @@ true " ##################################################################### " -if [ "$1" = remove ]; then - pam-auth-update --package --remove "$DPKG_MAINTSCRIPT_PACKAGE" -fi +[ -n "$DEBIAN_FRONTEND" ] || DEBIAN_FRONTEND="noninteractive" +[ -n "$DEBIAN_PRIORITY" ] || DEBIAN_PRIORITY="critical" +[ -n "$DEBCONF_NOWARNINGS" ] || DEBCONF_NOWARNINGS="yes" +[ -n "$APT_LISTCHANGES_FRONTEND" ] || APT_LISTCHANGES_FRONTEND="text" +export POLICYRCD DEBIAN_FRONTEND DEBIAN_PRIORITY DEBCONF_NOWARNINGS APT_LISTCHANGES_FRONTEND + +## pam-auth-update is usually used in postinst and prerm. +## Added extra space after /var to avoid lintian false positive warning. +#grep -r -l pam-auth-update /var /lib/dpkg/info +# /var /lib/dpkg/info/libpam-runtime.postinst +# /var /lib/dpkg/info/libpam-runtime.prerm +# /var /lib/dpkg/info/libpam-cap:amd64.postinst +# /var /lib/dpkg/info/libpam-cap:amd64.prerm +# /var /lib/dpkg/info/libpam-systemd:amd64.postinst +# /var /lib/dpkg/info/libpam-systemd:amd64.prerm +# /var /lib/dpkg/info/libpam-cgfs.postinst +# /var /lib/dpkg/info/libpam-cgfs.prerm +# /var /lib/dpkg/info/libpam-gnome-keyring:amd64.postinst +# /var /lib/dpkg/info/libpam-gnome-keyring:amd64.prerm + +## Jul 07 20:35:39 host sudo[16090]: PAM unable to dlopen(pam_cgfs.so): /lib/security/pam_cgfs.so: cannot open shared object file: No such file or directory +## Jul 07 20:35:39 host sudo[16090]: PAM adding faulty module: pam_cgfs.so +## --package hangs in Qubes updater since it starts whiptail for interactive dpkg configuration dialog. +pam-auth-update --force true "INFO: debhelper beginning here." diff --git a/debian/security-misc.templates b/debian/security-misc.templates deleted file mode 100644 index 1b543e7..0000000 --- a/debian/security-misc.templates +++ /dev/null @@ -1,9 +0,0 @@ -Template: security-misc/alert-on-permission-hardener-v2-upgrade -Type: note -_Description: Manual intervention may be required for permission-hardener update - No need to panic. Nothing is broken. A rare condition has been encountered. - permission-hardener is being updated to fix a minor bug that caused - corruption in the permission-hardener state file. If you installed your own - custom permission-hardener configuration, some manual intervention may be - required. See: - https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#fixing_state_files diff --git a/debian/security-misc.triggers b/debian/security-misc.triggers deleted file mode 100644 index 1f4a592..0000000 --- a/debian/security-misc.triggers +++ /dev/null @@ -1,16 +0,0 @@ -## Copyright (C) 2024 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## use noawait -## https://github.com/Kicksecure/security-misc/issues/196 - -## Trigger permission hardener when new binaries are being installed. -interest-noawait /usr -interest-noawait /opt - -## Trigger permission hardener when new configuration files are being installed. -interest-noawait /usr/lib/permission-hardener.d -interest-noawait /etc/permission-hardener.d -interest-noawait /usr/local/etc/permission-hardener.d -interest-noawait /etc/permission-hardening.d -interest-noawait /usr/local/etc/permission-hardening.d diff --git a/debian/security-misc.undisplace b/debian/security-misc.undisplace deleted file mode 100644 index 990101a..0000000 --- a/debian/security-misc.undisplace +++ /dev/null @@ -1,6 +0,0 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -/etc/login.defs.security-misc -/usr/bin/pkexec.security-misc -/etc/dkms/framework.conf.security-misc diff --git a/debian/source/lintian-overrides b/debian/source/lintian-overrides index c657565..942fd18 100644 --- a/debian/source/lintian-overrides +++ b/debian/source/lintian-overrides @@ -1,2 +1,2 @@ ## https://phabricator.whonix.org/T277 -debian-watch-does-not-check-openpgp-signature +debian-watch-does-not-check-gpg-signature diff --git a/debian/watch b/debian/watch index 86f015f..16e01a4 100644 --- a/debian/watch +++ b/debian/watch @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. version=4 diff --git a/etc/X11/Xsession.d/50panic_on_oops b/etc/X11/Xsession.d/50panic_on_oops new file mode 100644 index 0000000..ef21228 --- /dev/null +++ b/etc/X11/Xsession.d/50panic_on_oops @@ -0,0 +1,8 @@ +#!/bin/sh + +## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +if [ -x /usr/lib/security-misc/panic-on-oops ]; then + sudo --non-interactive /usr/lib/security-misc/panic-on-oops +fi diff --git a/etc/X11/Xsession.d/50security-misc b/etc/X11/Xsession.d/50security-misc new file mode 100644 index 0000000..ec530b2 --- /dev/null +++ b/etc/X11/Xsession.d/50security-misc @@ -0,0 +1,7 @@ +## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +if [ -z "$XDG_CONFIG_DIRS" ]; then + XDG_CONFIG_DIRS=/etc/xdg +fi +export XDG_CONFIG_DIRS=/usr/share/security-misc/:$XDG_CONFIG_DIRS diff --git a/etc/apparmor.d/tunables/home.d/security-misc b/etc/apparmor.d/tunables/home.d/security-misc index d63d5db..cb9ad99 100644 --- a/etc/apparmor.d/tunables/home.d/security-misc +++ b/etc/apparmor.d/tunables/home.d/security-misc @@ -1,7 +1,7 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -alias /etc/pam.d/common-session -> /etc/pam.d/common-session.security-misc, +alias /etc/pam.d/common-session -> /etc/pam.d//etc/pam.d/common-session.security-misc, alias /etc/pam.d/common-session-noninteractive -> /etc/pam.d/common-session-noninteractive.security-misc, alias /etc/login.defs -> /etc/login.defs.security-misc, -alias /etc/securetty -> /etc/securetty.security-misc, + diff --git a/etc/apt/apt.conf.d/40error-on-any b/etc/apt/apt.conf.d/40error-on-any deleted file mode 100644 index f1be472..0000000 --- a/etc/apt/apt.conf.d/40error-on-any +++ /dev/null @@ -1,9 +0,0 @@ -## Copyright (C) 2021 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Make "sudo apt-get update" exit non-zero for transient failures. -## Same as "apt-get --error-on=any". -## https://forums.whonix.org/t/debian-bullseye-apt-get-error-on-any/12068 -## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=594813 -## https://salsa.debian.org/apt-team/apt/-/commit/c7123bea6a8dc2c9e327ce41ddfc25e29f1bb145 -APT::Update::Error-Mode any; diff --git a/etc/apt/apt.conf.d/40sandbox b/etc/apt/apt.conf.d/40sandbox index 43150ec..e79194f 100644 --- a/etc/apt/apt.conf.d/40sandbox +++ b/etc/apt/apt.conf.d/40sandbox @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## https://forums.whonix.org/t/apt-seccomp-bpf-sandboxing/7702 diff --git a/etc/bluetooth/30_security-misc.conf b/etc/bluetooth/30_security-misc.conf deleted file mode 100644 index 91ce2d3..0000000 --- a/etc/bluetooth/30_security-misc.conf +++ /dev/null @@ -1,33 +0,0 @@ -## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -[General] -# How long to stay in pairable mode before going back to non-discoverable -# The value is in seconds. Default is 0. -# 0 = disable timer, i.e. stay pairable forever -PairableTimeout = 30 - -# How long to stay in discoverable mode before going back to non-discoverable -# The value is in seconds. Default is 180, i.e. 3 minutes. -# 0 = disable timer, i.e. stay discoverable forever -DiscoverableTimeout = 30 - -# Maximum number of controllers allowed to be exposed to the system. -# Default=0 (unlimited) -MaxControllers=1 - -# How long to keep temporary devices around -# The value is in seconds. Default is 30. -# 0 = disable timer, i.e. never keep temporary devices -TemporaryTimeout = 0 - -[Policy] -# AutoEnable defines option to enable all controllers when they are found. -# This includes adapters present on start as well as adapters that are plugged -# in later on. Defaults to 'true'. -AutoEnable=false - -# network/on: A device will only accept advertising packets from peer -# devices that contain private addresses. It may not be compatible with some -# legacy devices since it requires the use of RPA(s) all the time. -Privacy=network/on diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg deleted file mode 100644 index 9b29760..0000000 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ /dev/null @@ -1,188 +0,0 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Definitions: -## KSPP=yes: compliant with recommendations by the KSPP -## KSPP=partial: partially compliant with recommendations by the KSPP -## KSPP=no: not (currently) compliant with recommendations by the KSPP -## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. - -## Enable known mitigations for CPU vulnerabilities. -## Note, the mitigations for SSB and Retbleed are not currently mentioned in the first link. -## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html -## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html -## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647 - -## Check for potential updates directly from AMD and Intel. -## https://www.amd.com/en/resources/product-security.html -## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/advisory-guidance.html -## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/disclosure-documentation.html - -## Tabular comparison between the utility and functionality of various mitigations. -## https://forums.whonix.org/t/kernel-hardening-security-misc/7296/587 - -## For complete protection, users must install the latest relevant security microcode update. -## BIOS/UEFI updates should only be obtained directly from OEMs and/or motherboard manufacturers. -## Note that incorrectly performing system BIOS/UEFI updates can potentially lead to serious functionality issues. -## The parameters below only provide (partial) protection at both the kernel and user space level. - -## If using Secure Boot, users must also ensure the Secure Boot Forbidden Signature Database (DBX) is up to date. -## The UEFI Revocation List contains signatures of now revoked firmware and software used in booting systems. -## If using compatible hardware, the database can be updated directly in user space using fwupd. -## Note that incorrectly performing DBX updates can potentially lead to serious functionality issues. -## https://uefi.org/revocationlistfile -## https://github.com/fwupd/fwupd - -## Enable a subset of known mitigations for some CPU vulnerabilities and disable SMT. -## -## KSPP=yes -## KSPP sets the kernel parameters. -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt" - -## Disable SMT as it has been the cause of and amplified numerous CPU exploits. -## The only full mitigation of cross-HT attacks is to disable SMT. -## Disabling will significantly decrease system performance on multi-threaded tasks. -## Note, this setting will prevent re-enabling SMT via the sysfs interface. -## -## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html -## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17 -## https://github.com/anthraxx/linux-hardened/issues/37#issuecomment-619597365 -## -## KSPP=yes -## KSPP sets the kernel parameter. -## -## To re-enable SMT: -## - Remove "nosmt=force". -## - Remove all occurrences of ",nosmt" in this file (note the comma ","). -## - Downgrade "l1tf=full,force" protection to "l1tf=flush". -## - Regenerate the dracut initramfs and then reboot system. -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force" - -## Spectre Side Channels (BTI and BHI): -## Unconditionally enable mitigation for Spectre Variant 2 (branch target injection). -## Enable mitigation for the Intel branch history injection vulnerability. -## Currently affects both AMD and Intel CPUs. -## -## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on" -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_bhi=on" - -## Speculative Store Bypass (SSB): -## Mitigate Spectre Variant 4 by disabling speculative store bypass system-wide. -## Unconditionally enable the mitigation for both kernel and userspace. -## Currently affects both AMD and Intel CPUs. -## -## https://en.wikipedia.org/wiki/Speculative_Store_Bypass -## https://www.suse.com/support/kb/doc/?id=000019189 -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on" -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ssbd=force-on" - -## L1 Terminal Fault (L1TF): -## Mitigate the vulnerability by disabling L1D flush runtime control and SMT. -## If L1D flushing is conditional, mitigate the vulnerability for certain KVM hypervisor configurations. -## Currently affects Intel CPUs. -## -## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1tf=full,force" -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm-intel.vmentry_l1d_flush=always" - -## Microarchitectural Data Sampling (MDS): -## Mitigate the vulnerability by clearing the CPU buffer cache and disabling SMT. -## Currently affects Intel CPUs. -## -## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt" - -## TSX Asynchronous Abort (TAA): -## Mitigate the vulnerability by disabling TSX. -## If TSX is enabled, clear CPU buffer rings on transitions and disable SMT. -## Currently affects Intel CPUs. -## -## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off" -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx_async_abort=full,nosmt" - -## iTLB Multihit: -## Mitigate the vulnerability by marking all huge pages in the EPT as non-executable. -## Currently affects Intel CPUs. -## -## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force" - -## Special Register Buffer Data Sampling (SRBDS): -## Mitigation of the vulnerability is only possible via microcode update from Intel. -## Currently affects Intel CPUs. -## -## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/special-register-buffer-data-sampling.html -## https://access.redhat.com/solutions/5142691 - -## L1D Flushing: -## Mitigate leaks from the L1D cache on context switches by enabling the prctl() interface. -## Currently affects Intel CPUs. -## -## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1d_flush.html -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1d_flush=on" - -## Processor MMIO Stale Data: -## Mitigate the vulnerabilities by appropriately clearing the CPU buffer and disabling SMT. -## Currently affects Intel CPUs. -## -## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mmio_stale_data=full,nosmt" - -## Arbitrary Speculative Code Execution with Return Instructions (Retbleed): -## Mitigate the vulnerability through CPU-dependent implementation and disable SMT. -## Currently affects both AMD Zen 1-2 and Intel CPUs. -## -## https://en.wikipedia.org/wiki/Retbleed -## https://comsec.ethz.ch/research/microarch/retbleed/ -## https://www.suse.com/support/kb/doc/?id=000020693 -## https://access.redhat.com/solutions/retbleed -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt" - -## Cross-Thread Return Address Predictions: -## Mitigate the vulnerability for certain KVM hypervisor configurations. -## Currently affects AMD Zen 1-2 CPUs. -## -## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/cross-thread-rsb.html -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.mitigate_smt_rsb=1" - -## Speculative Return Stack Overflow (SRSO): -## Mitigate the vulnerability by ensuring all RET instructions speculate to a controlled location. -## Currently affects AMD Zen 1-4 CPUs. -## -## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html -## -## The default kernel setting will be utilized until provided sufficient evidence to modify. -## Using "spec_rstack_overflow=ipbp" may provide stronger security at a greater performance impact. -## -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_rstack_overflow=safe-ret" - -## Gather Data Sampling (GDS): -## Mitigate the vulnerability either via microcode update or by disabling AVX. -## Note, without a suitable microcode update, this will entirely disable use of the AVX instructions set. -## Currently affects Intel CPUs. -## -## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/gather_data_sampling.html -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX gather_data_sampling=force" - -## Register File Data Sampling (RFDS): -## Mitigate the vulnerability by appropriately clearing the CPU buffer. -## Currently affects Intel Atom CPUs (which encompasses E-cores on hybrid architectures). -## -## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/reg-file-data-sampling.html -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX reg_file_data_sampling=on" diff --git a/etc/default/grub.d/40_enable_iommu.cfg b/etc/default/grub.d/40_enable_iommu.cfg new file mode 100644 index 0000000..8e2baff --- /dev/null +++ b/etc/default/grub.d/40_enable_iommu.cfg @@ -0,0 +1,2 @@ +# Enables IOMMU to prevent DMA attacks. +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on amd_iommu=on" diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 99f2d16..0506e49 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -1,329 +1,18 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -kpkg="linux-image-$(dpkg --print-architecture)" || true -kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || true -#echo "## kver: $kver" - -## Definitions: -## KSPP=yes: compliant with recommendations by the KSPP -## KSPP=partial: partially compliant with recommendations by the KSPP -## KSPP=no: not (currently) compliant with recommendations by the KSPP -## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. - -## This configuration file is split into 4 sections: -## 1. Kernel Space -## 2. Direct Memory Access -## 3. Entropy -## 4. Networking - -## See the documentation below for details on the majority of the selected commands: -## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html -## https://wiki.archlinux.org/title/Kernel_parameters#GRUB - -## 1. Kernel Space: -## -## https://madaidans-insecurities.github.io/guides/linux-hardening.html#boot-parameters -## https://kspp.github.io/Recommended_Settings#kernel-command-line-options - -## Disable merging of slabs with similar size. -## Reduces the risk of triggering heap overflows. -## Prevents overwriting objects from merged caches and limits influencing slab cache layout. -## -## https://www.openwall.com/lists/kernel-hardening/2017/06/19/33 -## https://www.openwall.com/lists/kernel-hardening/2017/06/20/10 -## -## KSPP=yes -## KSPP sets the kernel parameter and does not set CONFIG_SLAB_MERGE_DEFAULT. -## +# Disables the merging of slabs of similar sizes. Sometimes a slab can be used in a vulnerable way which an attacker can exploit. GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge" -## Enable sanity checks and red zoning of slabs via debugging options to detect corruption. -## As a by product of debugging, this will implicitly disabling kernel pointer hashing. -## Enabling will therefore leak exact and all kernel memory addresses to root. -## Has the potential to cause a noticeable performance decrease. -## -## https://www.kernel.org/doc/html/latest/mm/slub.html -## https://lore.kernel.org/all/20210601182202.3011020-5-swboyd@chromium.org/T/#u -## https://gitlab.tails.boum.org/tails/tails/-/issues/19613 -## https://github.com/Kicksecure/security-misc/issues/253 -## -## KSPP=yes -## KSPP sets the kernel parameters and CONFIG_SLUB_DEBUG. -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_debug=FZ" +# Enables sanity checks (F), redzoning (Z) and poisoning (P). +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_debug=FZP" -## Zero memory at allocation time and free time. -## Fills newly allocated pages, freed pages, and heap objects with zeros. -## Mitigates use-after-free exploits by erasing sensitive information in memory. -## -## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6471384af2a6530696fc0203bafe4de41a23c9ef -## -## KSPP=yes -## KSPP sets the kernel parameters, CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y, and CONFIG_INIT_ON_FREE_DEFAULT_ON=y. -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_alloc=1" -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_free=1" +# Wipes free memory so it can't leak in various ways and prevents some use-after-free vulnerabilites. +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_poison=1" -## Enable the kernel page allocator to randomize free lists. -## During early boot, the page allocator has predictable FIFO behavior for physical pages. -## Limits some data exfiltration and ROP attacks that rely on inferring sensitive data location. -## Also improves performance by optimizing memory-side cache utilization. -## -## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e900a918b0984ec8f2eb150b8477a47b75d17692 -## https://en.wikipedia.org/wiki/Return-oriented_programming#Attacks -## -## KSPP=yes -## KSPP sets the kernel parameter and CONFIG_SHUFFLE_PAGE_ALLOCATOR=y. -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1" +# Makes the kernel panic on uncorrectable errors in ECC memory that an attacker could exploit. +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0" -## Enable kernel page table isolation to harden against kernel ASLR (KASLR) bypasses. -## Mitigates the Meltdown CPU vulnerability. -## -## https://en.wikipedia.org/wiki/Kernel_page-table_isolation -## -## KSPP=yes -## KSPP sets the kernel parameter and CONFIG_MITIGATION_PAGE_TABLE_ISOLATION=y. -## +# Enables Kernel Page Table Isolation which mitigates Meltdown and improves KASLR. GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on" -## Enable randomization of the kernel stack offset on syscall entries. -## Hardens against memory corruption attacks due to increased entropy. -## Limits attacks relying on deterministic stack addresses or cross-syscall address exposure. -## -## https://lkml.org/lkml/2019/3/18/246 -## https://a13xp0p0v.github.io/2020/02/15/CVE-2019-18683.html -## -## KSPP=yes -## KSPP sets the kernel parameter and CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y. -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX randomize_kstack_offset=on" - -## Disable vsyscalls to reduce attack surface as they have been replaced by vDSO. -## Vulnerable to ROP attacks as vsyscalls are located at fixed addresses in memory. -## -## https://lwn.net/Articles/446528/ -## https://en.wikipedia.org/wiki/VDSO -## -## KSPP=yes -## KSPP sets the kernel parameter, CONFIG_LEGACY_VSYSCALL_NONE=y and does not set CONFIG_X86_VSYSCALL_EMULATION. -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none" - -## Restrict access to debugfs by not registering the file system. -## Deactivated since the file system can contain sensitive information. -## -## https://lkml.org/lkml/2020/7/16/122 -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" - -## Force the kernel to panic on "oopses". -## Can sometimes potentially indicate and thwart certain kernel exploitation attempts. -## Panics may be due to false-positives such as bad drivers. -## -## https://en.wikipedia.org/wiki/Kernel_panic#Linux -## https://en.wikipedia.org/wiki/Linux_kernel_oops -## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713 -## -## KSPP=partial -## KSPP sets CONFIG_PANIC_ON_OOPS=y, but also requires CONFIG_PANIC_TIMEOUT=-1. -## -## See /usr/libexec/security-misc/panic-on-oops for implementation. -## -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX oops=panic" - -## Modify machine check exception handler. -## Can decide whether the system should panic or not based on the occurrence of an exception. -## -## https://www.kernel.org/doc/html/latest/arch/x86/x86_64/machinecheck.html -## https://www.kernel.org/doc/html/latest/arch/x86/x86_64/boot-options.html#machine-check -## https://forums.whonix.org/t/kernel-hardening/7296/494 -## -## The default kernel setting will be utilized until provided sufficient evidence to modify. -## -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0" - -## Prevent sensitive kernel information leaks in the console during boot. -## Must be used in combination with the kernel.printk sysctl. -## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation. -## -## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html -## https://wiki.archlinux.org/title/silent_boot -## -## See /etc/default/grub.d/41_quiet_boot.cfg for implementation. -## -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX loglevel=0" -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet" - -## Enable the kernel "Electric-Fence" sampling-based memory safety error detector. -## KFENCE detects heap out-of-bounds access, use-after-free, and invalid-free errors. -## Aims to have very low processing overhead at each sampling interval. -## Sampling interval is set to occur every 100 milliseconds as per KSPP recommendation. -## -## https://www.kernel.org/doc/html/latest/dev-tools/kfence.html -## https://google.github.io/kernel-sanitizers/KFENCE.html -## https://blogs.oracle.com/linux/post/linux-slub-allocator-internals-and-debugging-4 -## https://lwn.net/Articles/835542/ -## -## KSPP=yes -## KSPP sets the kernel parameter, CONFIG_KFENCE=y, and CONFIG_KFENCE_SAMPLE_INTERVAL=100. -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100" - -## Disable 32-bit Virtual Dynamic Shared Object (vDSO) mappings. -## Legacy compatibility feature for superseded glibc versions. -## -## https://lore.kernel.org/lkml/20080409082927.BD59E26F992@magilla.localdomain/T/ -## https://lists.openwall.net/linux-kernel/2014/03/11/3 -## -## KSPP=yes -## KSPP sets the kernel parameter and does not set CONFIG_COMPAT_VDSO. -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0" - -## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation. -## The default implementation is FineIBT as of Linux kernel 6.2. -## The Intel-developed IBT (Indirect Branch Tracking) is only used if supported by the CPU. -## kCFI is software-only while FineIBT is a hybrid software/hardware implementation. -## FineIBT may result in some performance benefits as it only performs checking at destinations. -## FineIBT is considered weaker against attacks that can write arbitrary executables into memory. -## Upstream hardening work has provided users the ability to disable FineIBT based on requests. -## Choice of CFI implementation is highly dependent on user threat model as there are pros/cons to both. -## Do not modify from the default setting if unsure of implications. -## -## https://lore.kernel.org/all/20221027092842.699804264@infradead.org/ -## https://lore.kernel.org/lkml/202210010918.4918F847C4@keescook/T/#u -## https://lore.kernel.org/lkml/202210182217.486CBA50@keescook/T/ -## https://lore.kernel.org/lkml/202407150933.E1871BE@keescook/ -## https://isopenbsdsecu.re/mitigations/forward_edge_cfi/ -## https://docs.kernel.org/next/x86/shstk.html -## https://source.android.com/docs/security/test/kcfi -## https://lpc.events/event/16/contributions/1315/attachments/1067/2169/cfi.pdf -## https://forums.whonix.org/t/kernel-hardening-security-misc/7296/561 -## -## KSPP=yes -## KSPP sets the kernel parameter. -## -## TODO: Debian 13 Trixie -## Applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness). -## -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX cfi=kcfi" - -## Disable support for x86 processes and syscalls. -## Unconditionally disables IA32 emulation to substantially reduce attack surface. -## -## https://lore.kernel.org/all/20230623111409.3047467-7-nik.borisov@suse.com/ -## -## KSPP=yes -## KSPP does not set CONFIG_COMPAT, CONFIG_IA32_EMULATION, CONFIG_X86_X32, CONFIG_X86_X32_ABI, and CONFIG_MODIFY_LDT_SYSCALL. -## -## TODO: Debian 13 Trixie -## Applicable when using Linux kernel >= 6.7 (retained here for future-proofing and completeness). -## -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0" - -## Disable EFI persistent storage feature. -## Prevents the kernel from writing crash logs and other persistent data to the EFI variable store. -## -## https://blogs.oracle.com/linux/post/pstore-linux-kernel-persistent-storage-file-system -## https://www.ais.com/understanding-pstore-linux-kernel-persistent-storage-file-system/ -## https://lwn.net/Articles/434821/ -## https://manpages.debian.org/testing/systemd/systemd-pstore.service.8.en.html -## https://gitlab.tails.boum.org/tails/tails/-/issues/20813 -## https://github.com/Kicksecure/security-misc/issues/299 -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi_pstore.pstore_disable=1" - -## 2. Direct Memory Access: -## -## https://madaidans-insecurities.github.io/guides/linux-hardening.html#dma-attacks - -## Enable CPU manufacturer-specific IOMMU drivers to mitigate some DMA attacks. -## -## KSPP=yes -## KSPP sets CONFIG_INTEL_IOMMU=y, CONFIG_INTEL_IOMMU_DEFAULT_ON=y, CONFIG_INTEL_IOMMU_SVM=y, CONFIG_AMD_IOMMU=y, and CONFIG_AMD_IOMMU_V2=y. -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX amd_iommu=force_isolation" -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on" - -## Enable and force use of IOMMU translation to protect against some DMA attacks. -## Strictly force DMA unmap operations to synchronously invalidate IOMMU hardware TLBs. -## Ensures devices will never be able to access stale data contents. -## -## https://en.wikipedia.org/wiki/Input%E2%80%93output_memory_management_unit -## https://en.wikipedia.org/wiki/DMA_attack -## https://lenovopress.lenovo.com/lp1467.pdf -## -## KSPP=yes -## KSPP sets the kernel parameters, CONFIG_IOMMU_SUPPORT=y, CONFIG_IOMMU_DEFAULT_DMA_STRICT=y, and does not set CONFIG_IOMMU_DEFAULT_PASSTHROUGH. -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu=force" -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.passthrough=0" -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.strict=1" - -## Clear the busmaster bit on all PCI bridges during the EFI hand-off. -## Terminates all existing DMA transactions prior to the kernel's IOMMU setup. -## Forces third party PCI devices to then re-set their busmaster bit in order to perform DMA. -## Assumes that the motherboard chipset and firmware are not malicious. -## May cause complete boot failure on certain hardware with incompatible firmware. -## -## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94 -## https://mjg59.dreamwidth.org/54433.html -## -## KSPP=yes -## KSPP sets CONFIG_EFI_DISABLE_PCI_DMA=y. -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma" - -## 3. Entropy: -## -## https://madaidans-insecurities.github.io/guides/linux-hardening.html#rdrand - -## Do not credit the CPU or bootloader seeds as entropy sources at boot. -## The RDRAND CPU (RNG) instructions are proprietary and closed-source. -## Numerous implementations of RDRAND have a long history of being defective. -## The RNG seed passed by the bootloader could also potentially be tampered. -## Maximizing the entropy pool at boot is desirable for all cryptographic operations. -## These settings ensure additional entropy is obtained from other sources to initialize the RNG. -## Note that distrusting these (relatively fast) sources of entropy will increase boot time. -## -## https://en.wikipedia.org/wiki/RDRAND#Reception -## https://systemd.io/RANDOM_SEEDS/ -## https://www.kicksecure.com/wiki/Dev/Entropy#RDRAND -## https://arstechnica.com/gadgets/2019/10/how-a-months-old-amd-microcode-bug-destroyed-my-weekend/ -## https://x.com/pid_eins/status/1149649806056280069 -## https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html -## https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566 -## https://github.com/NixOS/nixpkgs/pull/165355 -## https://lkml.org/lkml/2022/6/5/271 -## -## KSPP=yes -## KSPP sets CONFIG_RANDOM_TRUST_BOOTLOADER=y and CONFIG_RANDOM_TRUST_CPU=y. -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_bootloader=off" -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off" - -## Obtain more entropy during boot as the runtime memory allocator is being initialized. -## Entropy will be extracted from up to the first 4GB of RAM. -## Requires the linux-hardened kernel patch. -## -## https://www.kicksecure.com/wiki/Hardened-kernel#linux-hardened -## https://github.com/anthraxx/linux-hardened/commit/c3e7df1dba1eb8105d6d5143079a6a0ad9e9ebc7 -## https://github.com/anthraxx/linux-hardened/commit/a04458f97fe1f7e95888c77c0165b646375db9c4 -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy" - -## 4. Networking -## -## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-boot-parameters - -## Disable the entire IPv6 stack functionality. -## Removes attack surface associated with the IPv6 module. -## -## https://www.kernel.org/doc/html/latest/networking/ipv6.html -## https://wiki.archlinux.org/title/IPv6#Disable_IPv6 -## -## Enabling makes redundant many network hardening sysctl's in /usr/lib/sysctl.d/990-security-misc.conf. -## -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ipv6.disable=1" +# Enables all mitigations for the MDS vulnerability. +# Disables smt which can be used to exploit the MDS vulnerability. +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt" diff --git a/etc/default/grub.d/40_remount_secure.cfg b/etc/default/grub.d/40_remount_secure.cfg deleted file mode 100644 index c3cc30a..0000000 --- a/etc/default/grub.d/40_remount_secure.cfg +++ /dev/null @@ -1,31 +0,0 @@ -## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Definitions: -## KSPP=yes: compliant with recommendations by the KSPP -## KSPP=partial: partially compliant with recommendations by the KSPP -## KSPP=no: not (currently) compliant with recommendations by the KSPP -## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. - -## Remount Secure provides enhanced security via mount options: -## https://www.kicksecure.com/wiki/Security-misc#Remount_Secure - -## Option A (No Security): -## Disable Remount Secure. -## -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=0" - -## Option B (Low Security): -## Re-mount with nodev and nosuid only. -## -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=1" - -## Option C (Medium Security): -## Re-mount with nodev, nosuid, and noexec for most mount points, excluding /home. -## -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=2" - -## Option D (Highest Security): -## Re-mount with nodev, nosuid, and noexec for all mount points including /home. -## -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=3" diff --git a/etc/default/grub.d/40_signed_modules.cfg b/etc/default/grub.d/40_signed_modules.cfg deleted file mode 100644 index 36af7f3..0000000 --- a/etc/default/grub.d/40_signed_modules.cfg +++ /dev/null @@ -1,37 +0,0 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Definitions: -## KSPP=yes: compliant with recommendations by the KSPP -## KSPP=partial: partially compliant with recommendations by the KSPP -## KSPP=no: not (currently) compliant with recommendations by the KSPP -## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. - -## Require every kernel module to be signed before being loaded. -## Any module that is unsigned or signed with an invalid key cannot be loaded. -## This prevents all out-of-tree kernel modules unless signed. -## This makes it harder to load a malicious module. -## -## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/61 -## https://github.com/dell/dkms/issues/359 -## -## KSPP=yes -## KSPP sets CONFIG_MODULE_SIG=y, CONFIG_MODULE_SIG_FORCE=y, and CONFIG_MODULE_SIG_ALL=y. -## -## Not enabled by default yet due to several issues. -## -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX module.sig_enforce=1" - -## Enable kernel lockdown to enforce security boundary between user and kernel space. -## Confidentiality mode enforces module signature verification. -## -## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880 -## -## KSPP=yes -## KSPP sets CONFIG_SECURITY_LOCKDOWN_LSM=y, CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y, and CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y. -## -## Not enabled by default yet due to several issues. -## -#if dpkg --compare-versions "${kver}" ge "5.4"; then -# GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX lockdown=confidentiality" -#fi diff --git a/etc/default/grub.d/41_quiet_boot.cfg b/etc/default/grub.d/41_quiet_boot.cfg deleted file mode 100644 index 7221ac0..0000000 --- a/etc/default/grub.d/41_quiet_boot.cfg +++ /dev/null @@ -1,35 +0,0 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Definitions: -## KSPP=yes: compliant with recommendations by the KSPP -## KSPP=partial: partially compliant with recommendations by the KSPP -## KSPP=no: not (currently) compliant with recommendations by the KSPP -## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. - -## Some default configuration files automatically include the "quiet" parameter. -## Therefore, first remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT since "quiet" must be first. -## str_replace is provided by package helper-scripts. -## -## https://github.com/Kicksecure/security-misc/pull/233#issuecomment-2228792461 -## -GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | str_replace "quiet" "")" - -## Prevent sensitive kernel information leaks in the console during boot. -## Must be used in combination with the kernel.printk sysctl. -## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation. -## -## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html -## https://wiki.archlinux.org/title/silent_boot -## -## For easier debugging, these are not applied to the recovery boot option. -## Switch the pair of commands to universally apply parameters to all boot options. -## -GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT loglevel=0" -GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT quiet" -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX loglevel=0" -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet" - -## For Increased Log Verbosity: -## Adjust (or comment out) the kernel.printk sysctl in /usr/lib/sysctl.d/30_silent-kernel-printk.conf. -## Alternatively, installing the debug-misc package will undo these settings. diff --git a/etc/default/grub.d/41_recovery_restrict.cfg b/etc/default/grub.d/41_recovery_restrict.cfg deleted file mode 100644 index f54247b..0000000 --- a/etc/default/grub.d/41_recovery_restrict.cfg +++ /dev/null @@ -1,21 +0,0 @@ -## Copyright (C) 2024 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Definitions: -## KSPP=yes: compliant with recommendations by the KSPP -## KSPP=partial: partially compliant with recommendations by the KSPP -## KSPP=no: not (currently) compliant with recommendations by the KSPP -## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. - -## Disable access to single-user (recovery) mode. -## -## https://forums.kicksecure.com/t/remove-linux-recovery-mode-boot-option-from-default-grub-boot-menu/727 -## -GRUB_DISABLE_RECOVERY="true" - -## Disable access to Dracut's recovery console. -## -## https://forums.kicksecure.com/t/harden-dracut-initramfs-generator-by-disabling-recovery-console/724 -## -GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT rd.emergency=halt" -GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT rd.shell=0" diff --git a/etc/dracut.conf.d/30-security-misc.conf b/etc/dracut.conf.d/30-security-misc.conf deleted file mode 100644 index 5b3c7b5..0000000 --- a/etc/dracut.conf.d/30-security-misc.conf +++ /dev/null @@ -1,7 +0,0 @@ -## Copyright (C) 2021 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -reproducible=yes - -## Debugging. -#show_modules=yes diff --git a/etc/gitconfig b/etc/gitconfig deleted file mode 100644 index 8ce67b4..0000000 --- a/etc/gitconfig +++ /dev/null @@ -1,38 +0,0 @@ -## Copyright (C) 2024 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Lines starting with a hash symbol ('#') are comments. -## https://github.com/Kicksecure/security-misc/issues/225 - -[core] -## https://github.com/git/git/security/advisories/GHSA-8prw-h3cq-mghm - symlinks = false - -## https://forums.whonix.org/t/git-users-enable-fsck-by-default-for-better-security/2066 -[transfer] - fsckobjects = true -[fetch] - fsckobjects = true -[receive] - fsckobjects = true - -## Generally a good idea but too intrusive to enable by default. -## Listed here as suggestions what users should put into their ~/.gitconfig -## file. - -## Not enabled by default because it requires essential knowledge about OpenPG -## and an already existing local signing key. Otherwise would prevent all new -## commits. -#[commit] -# gpgsign = true - -## Not enabled by default because it would break the 'git merge' command for -## unsigned commits and require the '--no-verify-signature' command line -## option. -#[merge] -# verifySignatures = true - -## Not enabled by default because it would break for users who are not having -## an account at the git server and having added a SSH public key. -#[url "ssh://git@github.com/"] -# insteadOf = https://github.com/ diff --git a/etc/hide-hardware-info.d/30_default.conf b/etc/hide-hardware-info.d/30_default.conf deleted file mode 100644 index d1bc221..0000000 --- a/etc/hide-hardware-info.d/30_default.conf +++ /dev/null @@ -1,15 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Disable the /sys whitelist. -#sysfs_whitelist=0 - -## Disable the /proc/cpuinfo whitelist. -#cpuinfo_whitelist=0 - -## Disable /sys hardening. -#sysfs=0 - -## Disable selinux mode. -## https://www.kicksecure.com/wiki/Security-misc#selinux -#selinux=0 diff --git a/etc/initramfs-tools/hooks/sysctl-initramfs b/etc/initramfs-tools/hooks/sysctl-initramfs deleted file mode 100755 index 022c6af..0000000 --- a/etc/initramfs-tools/hooks/sysctl-initramfs +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/sh - -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -set -e - -PREREQ="" -prereqs() -{ - echo "$PREREQ" -} -case $1 in -prereqs) - prereqs - exit 0 - ;; -esac - -. /usr/share/initramfs-tools/hook-functions -copy_exec /usr/sbin/sysctl /usr/sbin diff --git a/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs b/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs deleted file mode 100755 index e4792e7..0000000 --- a/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs +++ /dev/null @@ -1,26 +0,0 @@ -#!/bin/sh - -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -PREREQ="" -prereqs() -{ - echo "$PREREQ" -} -case $1 in -prereqs) - prereqs - exit 0 - ;; -esac - -## Write to '/run/initramfs' folder. -## https://forums.whonix.org/t/kernel-hardening/7296/435 - -sysctl -p ${rootmnt}/etc/sysctl.conf >/dev/null 2> "/run/initramfs/sysctl-initramfs-error.log" -sysctl -p ${rootmnt}/etc/sysctl.d/*.conf >/dev/null 2>> "/run/initramfs/sysctl-initramfs-error.log" - -grep -v "unprivileged_userfaultfd" "/run/initramfs/sysctl-initramfs-error.log" - -true diff --git a/etc/kernel/postinst.d/30_remove-system-map b/etc/kernel/postinst.d/30_remove-system-map deleted file mode 100755 index 416c808..0000000 --- a/etc/kernel/postinst.d/30_remove-system-map +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -if test -x /usr/libexec/security-misc/remove-system.map ; then - /usr/libexec/security-misc/remove-system.map -fi diff --git a/etc/login.defs.security-misc b/etc/login.defs.security-misc new file mode 100644 index 0000000..8a95443 --- /dev/null +++ b/etc/login.defs.security-misc @@ -0,0 +1,337 @@ +# +# /etc/login.defs - Configuration control definitions for the login package. +# +# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH. +# If unspecified, some arbitrary (and possibly incorrect) value will +# be assumed. All other items are optional - if not specified then +# the described action or option will be inhibited. +# +# Comment lines (lines beginning with "#") and blank lines are ignored. +# +# Modified for Linux. --marekm + +# REQUIRED for useradd/userdel/usermod +# Directory where mailboxes reside, _or_ name of file, relative to the +# home directory. If you _do_ define MAIL_DIR and MAIL_FILE, +# MAIL_DIR takes precedence. +# +# Essentially: +# - MAIL_DIR defines the location of users mail spool files +# (for mbox use) by appending the username to MAIL_DIR as defined +# below. +# - MAIL_FILE defines the location of the users mail spool files as the +# fully-qualified filename obtained by prepending the user home +# directory before $MAIL_FILE +# +# NOTE: This is no more used for setting up users MAIL environment variable +# which is, starting from shadow 4.0.12-1 in Debian, entirely the +# job of the pam_mail PAM modules +# See default PAM configuration files provided for +# login, su, etc. +# +# This is a temporary situation: setting these variables will soon +# move to /etc/default/useradd and the variables will then be +# no more supported +MAIL_DIR /var/mail +#MAIL_FILE .mail + +# +# Enable logging and display of /var/log/faillog login failure info. +# This option conflicts with the pam_tally PAM module. +# +FAILLOG_ENAB yes + +# +# Enable display of unknown usernames when login failures are recorded. +# +# WARNING: Unknown usernames may become world readable. +# See #290803 and #298773 for details about how this could become a security +# concern +LOG_UNKFAIL_ENAB no + +# +# Enable logging of successful logins +# +LOG_OK_LOGINS no + +# +# Enable "syslog" logging of su activity - in addition to sulog file logging. +# SYSLOG_SG_ENAB does the same for newgrp and sg. +# +SYSLOG_SU_ENAB yes +SYSLOG_SG_ENAB yes + +# +# If defined, all su activity is logged to this file. +# +#SULOG_FILE /var/log/sulog + +# +# If defined, file which maps tty line to TERM environment parameter. +# Each line of the file is in a format something like "vt100 tty01". +# +#TTYTYPE_FILE /etc/ttytype + +# +# If defined, login failures will be logged here in a utmp format +# last, when invoked as lastb, will read /var/log/btmp, so... +# +FTMP_FILE /var/log/btmp + +# +# If defined, the command name to display when running "su -". For +# example, if this is defined as "su" then a "ps" will display the +# command is "-su". If not defined, then "ps" would display the +# name of the shell actually being run, e.g. something like "-sh". +# +SU_NAME su + +# +# If defined, file which inhibits all the usual chatter during the login +# sequence. If a full pathname, then hushed mode will be enabled if the +# user's name or shell are found in the file. If not a full pathname, then +# hushed mode will be enabled if the file exists in the user's home directory. +# +HUSHLOGIN_FILE .hushlogin +#HUSHLOGIN_FILE /etc/hushlogins + +# +# *REQUIRED* The default PATH settings, for superuser and normal users. +# +# (they are minimal, add the rest in the shell startup files) +ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games + +# +# Terminal permissions +# +# TTYGROUP Login tty will be assigned this group ownership. +# TTYPERM Login tty will be set to this permission. +# +# If you have a "write" program which is "setgid" to a special group +# which owns the terminals, define TTYGROUP to the group number and +# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign +# TTYPERM to either 622 or 600. +# +# In Debian /usr/bin/bsd-write or similar programs are setgid tty +# However, the default and recommended value for TTYPERM is still 0600 +# to not allow anyone to write to anyone else console or terminal + +# Users can still allow other people to write them by issuing +# the "mesg y" command. + +TTYGROUP tty +TTYPERM 0600 + +# +# Login configuration initializations: +# +# ERASECHAR Terminal ERASE character ('\010' = backspace). +# KILLCHAR Terminal KILL character ('\025' = CTRL/U). +# UMASK Default "umask" value. +# +# The ERASECHAR and KILLCHAR are used only on System V machines. +# +# UMASK is the default umask value for pam_umask and is used by +# useradd and newusers to set the mode of the new home directories. +# 022 is the "historical" value in Debian for UMASK +# 027, or even 077, could be considered better for privacy +# There is no One True Answer here : each sysadmin must make up his/her +# mind. +# +# If USERGROUPS_ENAB is set to "yes", that will modify this UMASK default value +# for private user groups, i. e. the uid is the same as gid, and username is +# the same as the primary group name: for these, the user permissions will be +# used as group permissions, e. g. 022 will become 002. +# +# Prefix these values with "0" to get octal, "0x" to get hexadecimal. +# +ERASECHAR 0177 +KILLCHAR 025 +UMASK 006 + +# +# Password aging controls: +# +# PASS_MAX_DAYS Maximum number of days a password may be used. +# PASS_MIN_DAYS Minimum number of days allowed between password changes. +# PASS_WARN_AGE Number of days warning given before a password expires. +# +PASS_MAX_DAYS 99999 +PASS_MIN_DAYS 0 +PASS_WARN_AGE 7 + +# +# Min/max values for automatic uid selection in useradd +# +UID_MIN 1000 +UID_MAX 60000 +# System accounts +#SYS_UID_MIN 100 +#SYS_UID_MAX 999 + +# +# Min/max values for automatic gid selection in groupadd +# +GID_MIN 1000 +GID_MAX 60000 +# System accounts +#SYS_GID_MIN 100 +#SYS_GID_MAX 999 + +# +# Max number of login retries if password is bad. This will most likely be +# overriden by PAM, since the default pam_unix module has it's own built +# in of 3 retries. However, this is a safe fallback in case you are using +# an authentication module that does not enforce PAM_MAXTRIES. +# +LOGIN_RETRIES 5 + +# +# Max time in seconds for login +# +LOGIN_TIMEOUT 60 + +# +# Which fields may be changed by regular users using chfn - use +# any combination of letters "frwh" (full name, room number, work +# phone, home phone). If not defined, no changes are allowed. +# For backward compatibility, "yes" = "rwh" and "no" = "frwh". +# +CHFN_RESTRICT rwh + +# +# Should login be allowed if we can't cd to the home directory? +# Default in no. +# +DEFAULT_HOME yes + +# +# If defined, this command is run when removing a user. +# It should remove any at/cron/print jobs etc. owned by +# the user to be removed (passed as the first argument). +# +#USERDEL_CMD /usr/sbin/userdel_local + +# +# If set to yes, userdel will remove the user's group if it contains no +# more members, and useradd will create by default a group with the name +# of the user. +# +# Other former uses of this variable such as setting the umask when +# user==primary group are not used in PAM environments, such as Debian +# +USERGROUPS_ENAB yes + +# +# Instead of the real user shell, the program specified by this parameter +# will be launched, although its visible name (argv[0]) will be the shell's. +# The program may do whatever it wants (logging, additional authentification, +# banner, ...) before running the actual shell. +# +# FAKE_SHELL /bin/fakeshell + +# +# If defined, either full pathname of a file containing device names or +# a ":" delimited list of device names. Root logins will be allowed only +# upon these devices. +# +# This variable is used by login and su. +# +#CONSOLE /etc/consoles +#CONSOLE console:tty01:tty02:tty03:tty04 + +# +# List of groups to add to the user's supplementary group set +# when logging in on the console (as determined by the CONSOLE +# setting). Default is none. +# +# Use with caution - it is possible for users to gain permanent +# access to these groups, even when not logged in on the console. +# How to do it is left as an exercise for the reader... +# +# This variable is used by login and su. +# +#CONSOLE_GROUPS floppy:audio:cdrom + +# +# If set to "yes", new passwords will be encrypted using the MD5-based +# algorithm compatible with the one used by recent releases of FreeBSD. +# It supports passwords of unlimited length and longer salt strings. +# Set to "no" if you need to copy encrypted passwords to other systems +# which don't understand the new algorithm. Default is "no". +# +# This variable is deprecated. You should use ENCRYPT_METHOD. +# +#MD5_CRYPT_ENAB no + +# +# If set to MD5 , MD5-based algorithm will be used for encrypting password +# If set to SHA256, SHA256-based algorithm will be used for encrypting password +# If set to SHA512, SHA512-based algorithm will be used for encrypting password +# If set to DES, DES-based algorithm will be used for encrypting password (default) +# Overrides the MD5_CRYPT_ENAB option +# +# Note: It is recommended to use a value consistent with +# the PAM modules configuration. +# +ENCRYPT_METHOD SHA512 + +# +# Only used if ENCRYPT_METHOD is set to SHA256 or SHA512. +# +# Define the number of SHA rounds. +# With a lot of rounds, it is more difficult to brute forcing the password. +# But note also that it more CPU resources will be needed to authenticate +# users. +# +# If not specified, the libc will choose the default number of rounds (5000). +# The values must be inside the 1000-999999999 range. +# If only one of the MIN or MAX values is set, then this value will be used. +# If MIN > MAX, the highest value will be used. +# +# SHA_CRYPT_MIN_ROUNDS 5000 +# SHA_CRYPT_MAX_ROUNDS 5000 + +################# OBSOLETED BY PAM ############## +# # +# These options are now handled by PAM. Please # +# edit the appropriate file in /etc/pam.d/ to # +# enable the equivelants of them. +# +############### + +#MOTD_FILE +#DIALUPS_CHECK_ENAB +#LASTLOG_ENAB +#MAIL_CHECK_ENAB +#OBSCURE_CHECKS_ENAB +#PORTTIME_CHECKS_ENAB +#SU_WHEEL_ONLY +#CRACKLIB_DICTPATH +#PASS_CHANGE_TRIES +#PASS_ALWAYS_WARN +#ENVIRON_FILE +#NOLOGINS_FILE +#ISSUE_FILE +#PASS_MIN_LEN +#PASS_MAX_LEN +#ULIMIT +#ENV_HZ +#CHFN_AUTH +#CHSH_AUTH +#FAIL_DELAY + +################# OBSOLETED ####################### +# # +# These options are no more handled by shadow. # +# # +# Shadow utilities will display a warning if they # +# still appear. # +# # +################################################### + +# CLOSE_SESSIONS +# LOGIN_STRING +# NO_PASSWORD_CONSOLE +# QMAIL_DIR diff --git a/etc/modprobe.d/30_nf_conntrack_helper_disable.conf b/etc/modprobe.d/30_nf_conntrack_helper_disable.conf new file mode 100644 index 0000000..bd42a28 --- /dev/null +++ b/etc/modprobe.d/30_nf_conntrack_helper_disable.conf @@ -0,0 +1,2 @@ +## https://phabricator.whonix.org/T486 +options nf_conntrack nf_conntrack_helper=0 diff --git a/etc/modprobe.d/30_security-misc_blacklist.conf b/etc/modprobe.d/30_security-misc_blacklist.conf deleted file mode 100644 index 5ce1edc..0000000 --- a/etc/modprobe.d/30_security-misc_blacklist.conf +++ /dev/null @@ -1,63 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## See the following links for a community discussion and overview regarding the selections. -## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989 -## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules - -## Blacklisting prevents kernel modules from automatically starting. -## Disabling prohibits kernel modules from starting. - -## CD-ROM/DVD: -## Blacklist CD-ROM and DVD modules. -## Not disabled by default due to potential future ISO plans. -## -## https://nvd.nist.gov/vuln/detail/CVE-2018-11506 -## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31 -## -blacklist cdrom -blacklist sr_mod -## -#install cdrom /usr/bin/disabled-cdrom-by-security-misc -#install sr_mod /usr/bin/disabled-cdrom-by-security-misc - -## Miscellaneous: - -## GrapheneOS: -## Partial selection of their infrastructure blacklist. -## Duplicate and already disabled modules have been omitted. -## -## https://github.com/GrapheneOS/infrastructure/blob/main/modprobe.d/local.conf -## -#blacklist cfg80211 -#blacklist intel_agp -#blacklist ip_tables -blacklist joydev -#blacklist mousedev -#blacklist psmouse -## TODO: Re-check in Debian trixie -## In GrapheneOS list, yes, "should" be out-commented here. -## But not actually out-commented. -## Breaks VirtualBox audio device ICH AC97, which is unfortunately still required by some users. -## https://www.kicksecure.com/wiki/Dev/audio -## https://github.com/Kicksecure/security-misc/issues/271 -#blacklist snd_intel8x0 -#blacklist tls -#blacklist virtio_balloon -#blacklist virtio_console - -## Ubuntu: -## Already disabled modules have been omitted. -## -## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco -## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco -## -blacklist amd76x_edac -blacklist ath_pci -blacklist evbug -blacklist pcspkr -blacklist snd_aw2 -blacklist snd_intel8x0m -blacklist snd_pcsp -blacklist usbkbd -blacklist usbmouse diff --git a/etc/modprobe.d/30_security-misc_conntrack.conf b/etc/modprobe.d/30_security-misc_conntrack.conf deleted file mode 100644 index 7f36327..0000000 --- a/etc/modprobe.d/30_security-misc_conntrack.conf +++ /dev/null @@ -1,12 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Conntrack: -## Disable Netfilter's automatic connection tracking helper assignment. -## This functionality adds unnecessary features, such as IRC protocol parsing, into the kernel. -## Disabling it reduces the kernel attack surface and improves security. -## -## https://conntrack-tools.netfilter.org/manual.html -## https://forums.whonix.org/t/disable-conntrack-helper/18917 -## -options nf_conntrack nf_conntrack_helper=0 diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf deleted file mode 100644 index 79b5ed6..0000000 --- a/etc/modprobe.d/30_security-misc_disable.conf +++ /dev/null @@ -1,310 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## See the following links for a community discussion and overview regarding the selections: -## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989 -## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules - -## Blacklisting prevents kernel modules from automatically starting. -## Disabling prohibits kernel modules from starting. - -## This configuration file is split into 4 sections: -## 1. Hardware -## 2. File Systems -## 3. Networking -## 4. Miscellaneous - -## 1. Hardware: - -## Bluetooth: -## Disable Bluetooth to reduce the attack surface due to its long history of security vulnerabilities. -## -## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns -## -## Now replaced with a privacy- and security-preserving default Bluetooth configuration for better usability. -## https://github.com/Kicksecure/security-misc/pull/145 -## -#install bluetooth /usr/bin/disabled-bluetooth-by-security-misc -#install bluetooth_6lowpan /usr/bin/disabled-bluetooth-by-security-misc -#install bt3c_cs /usr/bin/disabled-bluetooth-by-security-misc -#install btbcm /usr/bin/disabled-bluetooth-by-security-misc -#install btintel /usr/bin/disabled-bluetooth-by-security-misc -#install btmrvl /usr/bin/disabled-bluetooth-by-security-misc -#install btmrvl_sdio /usr/bin/disabled-bluetooth-by-security-misc -#install btmtk /usr/bin/disabled-bluetooth-by-security-misc -#install btmtksdio /usr/bin/disabled-bluetooth-by-security-misc -#install btmtkuart /usr/bin/disabled-bluetooth-by-security-misc -#install btnxpuart /usr/bin/disabled-bluetooth-by-security-misc -#install btqca /usr/bin/disabled-bluetooth-by-security-misc -#install btrsi /usr/bin/disabled-bluetooth-by-security-misc -#install btrtl /usr/bin/disabled-bluetooth-by-security-misc -#install btsdio /usr/bin/disabled-bluetooth-by-security-misc -#install btusb /usr/bin/disabled-bluetooth-by-security-misc -#install virtio_bt /usr/bin/disabled-bluetooth-by-security-misc - -## FireWire (IEEE 1394): -## Disable IEEE 1394 (FireWire/i.LINK/Lynx) modules to prevent certain DMA attacks. -## -## https://en.wikipedia.org/wiki/IEEE_1394#Security_issues -## -install dv1394 /usr/bin/disabled-firewire-by-security-misc -install firewire-core /usr/bin/disabled-firewire-by-security-misc -install firewire-ohci /usr/bin/disabled-firewire-by-security-misc -install firewire-net /usr/bin/disabled-firewire-by-security-misc -install firewire-sbp2 /usr/bin/disabled-firewire-by-security-misc -install ohci1394 /usr/bin/disabled-firewire-by-security-misc -install raw1394 /usr/bin/disabled-firewire-by-security-misc -install sbp2 /usr/bin/disabled-firewire-by-security-misc -install video1394 /usr/bin/disabled-firewire-by-security-misc - -## Global Positioning Systems (GPS): -## Disable GPS-related modules like GNSS (Global Navigation Satellite System). -## -install garmin_gps /usr/bin/disabled-gps-by-security-misc -install gnss /usr/bin/disabled-gps-by-security-misc -install gnss-mtk /usr/bin/disabled-gps-by-security-misc -install gnss-serial /usr/bin/disabled-gps-by-security-misc -install gnss-sirf /usr/bin/disabled-gps-by-security-misc -install gnss-ubx /usr/bin/disabled-gps-by-security-misc -install gnss-usb /usr/bin/disabled-gps-by-security-misc - -## Intel Management Engine (ME): -## Partially disable the Intel ME interface with the OS. -## ME functionality has increasingly become intertwined with basic Intel system operation. -## Disabling it may lead to breakages in various components without clear debugging/error messages. -## It may affect firmware updates, security, power management, display, and DRM. -## -## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html -## https://en.wikipedia.org/wiki/Intel_Management_Engine#Security_vulnerabilities -## https://www.kicksecure.com/wiki/Out-of-band_Management_Technology#Intel_ME_Disabling_Disadvantages -## https://github.com/Kicksecure/security-misc/pull/236#issuecomment-2229092813 -## https://github.com/Kicksecure/security-misc/issues/239 -## -#install mei /usr/bin/disabled-intelme-by-security-misc -#install mei-gsc /usr/bin/disabled-intelme-by-security-misc -#install mei_gsc_proxy /usr/bin/disabled-intelme-by-security-misc -#install mei_hdcp /usr/bin/disabled-intelme-by-security-misc -#install mei-me /usr/bin/disabled-intelme-by-security-misc -#install mei_phy /usr/bin/disabled-intelme-by-security-misc -#install mei_pxp /usr/bin/disabled-intelme-by-security-misc -#install mei-txe /usr/bin/disabled-intelme-by-security-misc -#install mei-vsc /usr/bin/disabled-intelme-by-security-misc -#install mei-vsc-hw /usr/bin/disabled-intelme-by-security-misc -#install mei_wdt /usr/bin/disabled-intelme-by-security-misc -#install microread_mei /usr/bin/disabled-intelme-by-security-misc - -## Intel Platform Monitoring Technology (PMT) Telemetry: -## Disable certain functionalities of the Intel PMT components. -## -## https://github.com/intel/Intel-PMT -## -install pmt_class /usr/bin/disabled-intelpmt-by-security-misc -install pmt_crashlog /usr/bin/disabled-intelpmt-by-security-misc -install pmt_telemetry /usr/bin/disabled-intelpmt-by-security-misc - -## Thunderbolt: -## Disable Thunderbolt modules to prevent certain DMA attacks. -## -## https://en.wikipedia.org/wiki/Thunderbolt_(interface)#Security_vulnerabilities -## -install intel-wmi-thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc -install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc -install thunderbolt_net /usr/bin/disabled-thunderbolt-by-security-misc - -## 2. File Systems: - -## File Systems: -## Disable uncommon file systems to reduce attack surface. -## HFS/HFS+ are legacy Apple file systems that may be required depending on the EFI partition format. -## -install cramfs /usr/bin/disabled-filesys-by-security-misc -install freevxfs /usr/bin/disabled-filesys-by-security-misc -install hfs /usr/bin/disabled-filesys-by-security-misc -install hfsplus /usr/bin/disabled-filesys-by-security-misc -install jffs2 /usr/bin/disabled-filesys-by-security-misc -install jfs /usr/bin/disabled-filesys-by-security-misc -install reiserfs /usr/bin/disabled-filesys-by-security-misc -install udf /usr/bin/disabled-filesys-by-security-misc - -## Network File Systems: -## Disable uncommon network file systems to reduce attack surface. -## -install gfs2 /usr/bin/disabled-netfilesys-by-security-misc -install ksmbd /usr/bin/disabled-netfilesys-by-security-misc -## -## Common Internet File System (CIFS): -## -install cifs /usr/bin/disabled-netfilesys-by-security-misc -install cifs_arc4 /usr/bin/disabled-netfilesys-by-security-misc -install cifs_md4 /usr/bin/disabled-netfilesys-by-security-misc -## -## Network File System (NFS): -## -install nfs /usr/bin/disabled-netfilesys-by-security-misc -install nfs_acl /usr/bin/disabled-netfilesys-by-security-misc -install nfs_layout_nfsv41_files /usr/bin/disabled-netfilesys-by-security-misc -install nfs_layout_flexfiles /usr/bin/disabled-netfilesys-by-security-misc -install nfsd /usr/bin/disabled-netfilesys-by-security-misc -install nfsv2 /usr/bin/disabled-netfilesys-by-security-misc -install nfsv3 /usr/bin/disabled-netfilesys-by-security-misc -install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc - -## 2. Networking: - -## Network Protocols: -## Disables rare and unneeded network protocols that are a common source of unknown vulnerabilities. -## Previously had blacklisted eepro100 and eth1394. -## -## https://tails.boum.org/blueprint/blacklist_modules/ -## https://fedoraproject.org/wiki/Security_Features_Matrix#Blacklist_Rare_Protocols -## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-rare-network.conf?h=ubuntu/disco -## https://github.com/Kicksecure/security-misc/pull/234#issuecomment-2230732015 -## -install af_802154 /usr/bin/disabled-network-by-security-misc -install appletalk /usr/bin/disabled-network-by-security-misc -install ax25 /usr/bin/disabled-network-by-security-misc -#install brcm80211 /usr/bin/disabled-network-by-security-misc -install decnet /usr/bin/disabled-network-by-security-misc -install dccp /usr/bin/disabled-network-by-security-misc -install econet /usr/bin/disabled-network-by-security-misc -install eepro100 /usr/bin/disabled-network-by-security-misc -install eth1394 /usr/bin/disabled-network-by-security-misc -install ipx /usr/bin/disabled-network-by-security-misc -install n-hdlc /usr/bin/disabled-network-by-security-misc -install netrom /usr/bin/disabled-network-by-security-misc -install p8022 /usr/bin/disabled-network-by-security-misc -install p8023 /usr/bin/disabled-network-by-security-misc -install psnap /usr/bin/disabled-network-by-security-misc -install rose /usr/bin/disabled-network-by-security-misc -install x25 /usr/bin/disabled-network-by-security-misc -## -## Asynchronous Transfer Mode (ATM): -## -install atm /usr/bin/disabled-network-by-security-misc -install ueagle-atm /usr/bin/disabled-network-by-security-misc -install usbatm /usr/bin/disabled-network-by-security-misc -install xusbatm /usr/bin/disabled-network-by-security-misc -## -## Controller Area Network (CAN) Protocol: -## -install c_can /usr/bin/disabled-network-by-security-misc -install c_can_pci /usr/bin/disabled-network-by-security-misc -install c_can_platform /usr/bin/disabled-network-by-security-misc -install can /usr/bin/disabled-network-by-security-misc -install can-bcm /usr/bin/disabled-network-by-security-misc -install can-dev /usr/bin/disabled-network-by-security-misc -install can-gw /usr/bin/disabled-network-by-security-misc -install can-isotp /usr/bin/disabled-network-by-security-misc -install can-raw /usr/bin/disabled-network-by-security-misc -install can-j1939 /usr/bin/disabled-network-by-security-misc -install can327 /usr/bin/disabled-network-by-security-misc -install ifi_canfd /usr/bin/disabled-network-by-security-misc -install janz-ican3 /usr/bin/disabled-network-by-security-misc -install m_can /usr/bin/disabled-network-by-security-misc -install m_can_pci /usr/bin/disabled-network-by-security-misc -install m_can_platform /usr/bin/disabled-network-by-security-misc -install phy-can-transceiver /usr/bin/disabled-network-by-security-misc -install slcan /usr/bin/disabled-network-by-security-misc -install ucan /usr/bin/disabled-network-by-security-misc -install vxcan /usr/bin/disabled-network-by-security-misc -install vcan /usr/bin/disabled-network-by-security-misc -## -## Transparent Inter Process Communication (TIPC): -## -install tipc /usr/bin/disabled-network-by-security-misc -install tipc_diag /usr/bin/disabled-network-by-security-misc -## -## Reliable Datagram Sockets (RDS): -## -install rds /usr/bin/disabled-network-by-security-misc -install rds_rdma /usr/bin/disabled-network-by-security-misc -install rds_tcp /usr/bin/disabled-network-by-security-misc -## -## Stream Control Transmission Protocol (SCTP): -## -install sctp /usr/bin/disabled-network-by-security-misc -install sctp_diag /usr/bin/disabled-network-by-security-misc - -## 4. Miscellaneous: - -## Amateur Radios: -## -install hamradio /usr/bin/disabled-miscellaneous-by-security-misc - -## CPU Model-Specific Registers (MSRs): -## Disable CPU MSRs as they can be abused to write to arbitrary memory. -## -## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode -## https://github.com/Kicksecure/security-misc/issues/215 -## -#install msr /usr/bin/disabled-miscellaneous-by-security-misc - -## Floppy Disks: -## -install floppy /usr/bin/disabled-miscellaneous-by-security-misc - -## Framebuffer (fbdev): -## Video drivers are known to be buggy, cause kernel panics, and are generally only used by legacy devices. -## These were all previously blacklisted. -## -## https://docs.kernel.org/fb/index.html -## https://en.wikipedia.org/wiki/Linux_framebuffer -## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco -## -install aty128fb /usr/bin/disabled-framebuffer-by-security-misc -install atyfb /usr/bin/disabled-framebuffer-by-security-misc -install cirrusfb /usr/bin/disabled-framebuffer-by-security-misc -install cyber2000fb /usr/bin/disabled-framebuffer-by-security-misc -install cyblafb /usr/bin/disabled-framebuffer-by-security-misc -install gx1fb /usr/bin/disabled-framebuffer-by-security-misc -install hgafb /usr/bin/disabled-framebuffer-by-security-misc -install i810fb /usr/bin/disabled-framebuffer-by-security-misc -install intelfb /usr/bin/disabled-framebuffer-by-security-misc -install kyrofb /usr/bin/disabled-framebuffer-by-security-misc -install lxfb /usr/bin/disabled-framebuffer-by-security-misc -install matroxfb_base /usr/bin/disabled-framebuffer-by-security-misc -install neofb /usr/bin/disabled-framebuffer-by-security-misc -install nvidiafb /usr/bin/disabled-framebuffer-by-security-misc -install pm2fb /usr/bin/disabled-framebuffer-by-security-misc -install radeonfb /usr/bin/disabled-framebuffer-by-security-misc -install rivafb /usr/bin/disabled-framebuffer-by-security-misc -install s1d13xxxfb /usr/bin/disabled-framebuffer-by-security-misc -install savagefb /usr/bin/disabled-framebuffer-by-security-misc -install sisfb /usr/bin/disabled-framebuffer-by-security-misc -install sstfb /usr/bin/disabled-framebuffer-by-security-misc -install tdfxfb /usr/bin/disabled-framebuffer-by-security-misc -install tridentfb /usr/bin/disabled-framebuffer-by-security-misc -install vesafb /usr/bin/disabled-framebuffer-by-security-misc -install vfb /usr/bin/disabled-framebuffer-by-security-misc -install viafb /usr/bin/disabled-framebuffer-by-security-misc -install vt8623fb /usr/bin/disabled-framebuffer-by-security-misc -install udlfb /usr/bin/disabled-framebuffer-by-security-misc - -## Replaced Modules: -## These legacy drivers have all been entirely replaced and superseded by newer drivers. -## These were all previously blacklisted. -## -## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco -## -install asus_acpi /usr/bin/disabled-miscellaneous-by-security-misc -install bcm43xx /usr/bin/disabled-miscellaneous-by-security-misc -install de4x5 /usr/bin/disabled-miscellaneous-by-security-misc -install prism54 /usr/bin/disabled-miscellaneous-by-security-misc - -## USB Video Device Class: -## Disables the USB-based video streaming driver for devices like some webcams and digital camcorders. -## -#install uvcvideo /usr/bin/disabled-miscellaneous-by-security-misc - -## Vivid: -## Disables the vivid kernel module since it has been the cause of multiple vulnerabilities. -## -## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233 -## https://www.openwall.com/lists/oss-security/2019/11/02/1 -## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475 -## -## No longer disabled by default: -## https://forums.whonix.org/t/testing-qubes-video-companion-on-whonix/21393 -## https://github.com/Kicksecure/security-misc/issues/298 -## -#install vivid /usr/bin/disabled-miscellaneous-by-security-misc diff --git a/etc/modprobe.d/blacklist-dma.conf b/etc/modprobe.d/blacklist-dma.conf new file mode 100644 index 0000000..3a1485b --- /dev/null +++ b/etc/modprobe.d/blacklist-dma.conf @@ -0,0 +1,3 @@ +# Blacklist thunderbolt and firewire to prevent some DMA attacks. +install firewire-core /bin/true +install thunderbolt /bin/true diff --git a/etc/modprobe.d/uncommon-network-protocols.conf b/etc/modprobe.d/uncommon-network-protocols.conf new file mode 100644 index 0000000..008e207 --- /dev/null +++ b/etc/modprobe.d/uncommon-network-protocols.conf @@ -0,0 +1,26 @@ +# Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties. +# +# Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these. +# +# > Debian ships a long list of modules for wide support of devices, filesystems, protocols. Some of these modules have a pretty bad security track record, and some of those are simply not used by most of our users. +# +# > Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record. +# +install dccp /bin/true +install sctp /bin/true +install rds /bin/true +install tipc /bin/true +install n-hdlc /bin/true +install ax25 /bin/true +install netrom /bin/true +install x25 /bin/true +install rose /bin/true +install decnet /bin/true +install econet /bin/true +install af_802154 /bin/true +install ipx /bin/true +install appletalk /bin/true +install psnap /bin/true +install p8023 /bin/true +install llc /bin/true +install p8022 /bin/true diff --git a/etc/pam.d/common-password.security-misc b/etc/pam.d/common-password.security-misc new file mode 100644 index 0000000..2ad0af8 --- /dev/null +++ b/etc/pam.d/common-password.security-misc @@ -0,0 +1,33 @@ +# +# /etc/pam.d/common-password - password-related modules common to all services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of modules that define the services to be +# used to change user passwords. The default is pam_unix. + +# Explanation of pam_unix options: +# +# The "sha512" option enables salted SHA512 passwords. Without this option, +# the default is Unix crypt. Prior releases used the option "md5". +# +# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in +# login.defs. +# +# See the pam_unix manpage for other options. + +# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. +# To take advantage of this, it is recommended that you configure any +# local modules either before or after the default block, and use +# pam-auth-update to manage selection of other modules. See +# pam-auth-update(8) for details. + +# here are the per-package modules (the "Primary" block) +password [success=1 default=ignore] pam_unix.so obscure sha512 rounds=65536 +# here's the fallback if no module succeeds +password requisite pam_deny.so +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +password required pam_permit.so +# and here are more per-package modules (the "Additional" block) +# end of pam-auth-update config diff --git a/etc/pam.d/common-session-noninteractive.security-misc b/etc/pam.d/common-session-noninteractive.security-misc new file mode 100644 index 0000000..253b033 --- /dev/null +++ b/etc/pam.d/common-session-noninteractive.security-misc @@ -0,0 +1,28 @@ +# +# /etc/pam.d/common-session-noninteractive - session-related modules +# common to all non-interactive services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of modules that define tasks to be performed +# at the start and end of all non-interactive sessions. +# +# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. +# To take advantage of this, it is recommended that you configure any +# local modules either before or after the default block, and use +# pam-auth-update to manage selection of other modules. See +# pam-auth-update(8) for details. + +# here are the per-package modules (the "Primary" block) +session [default=1] pam_permit.so +# here's the fallback if no module succeeds +session requisite pam_deny.so +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +session required pam_permit.so +# and here are more per-package modules (the "Additional" block) +session required pam_unix.so +session optional pam_cgfs.so -c freezer,memory,name=systemd +# end of pam-auth-update config +session optional pam_umask.so usergroups + diff --git a/etc/pam.d/common-session.security-misc b/etc/pam.d/common-session.security-misc new file mode 100644 index 0000000..371895a --- /dev/null +++ b/etc/pam.d/common-session.security-misc @@ -0,0 +1,29 @@ +# +# /etc/pam.d/common-session - session-related modules common to all services +# +# This file is included from other service-specific PAM config files, +# and should contain a list of modules that define tasks to be performed +# at the start and end of sessions of *any* kind (both interactive and +# non-interactive). +# +# As of pam 1.0.1-6, this file is managed by pam-auth-update by default. +# To take advantage of this, it is recommended that you configure any +# local modules either before or after the default block, and use +# pam-auth-update to manage selection of other modules. See +# pam-auth-update(8) for details. + +# here are the per-package modules (the "Primary" block) +session [default=1] pam_permit.so +# here's the fallback if no module succeeds +session requisite pam_deny.so +# prime the stack with a positive return value if there isn't one already; +# this avoids us returning an error just because nothing sets a success code +# since the modules above will each just jump around +session required pam_permit.so +# and here are more per-package modules (the "Additional" block) +session required pam_unix.so +session optional pam_systemd.so +session optional pam_cgfs.so -c freezer,memory,name=systemd +# end of pam-auth-update config +session optional pam_umask.so usergroups + diff --git a/etc/pam.d/su.security-misc b/etc/pam.d/su.security-misc new file mode 100644 index 0000000..6e3c5ea --- /dev/null +++ b/etc/pam.d/su.security-misc @@ -0,0 +1,61 @@ +# +# The PAM configuration file for the Shadow `su' service +# + +# This allows root to su without passwords (normal operation) +auth sufficient pam_rootok.so + +# Uncomment this to force users to be a member of group root +# before they can use `su'. You can also add "group=foo" +# to the end of this line if you want to use a group other +# than the default "root" (but this may have side effect of +# denying "root" user, unless she's a member of "foo" or explicitly +# permitted earlier by e.g. "sufficient pam_rootok.so"). +# (Replaces the `SU_WHEEL_ONLY' option from login.defs) +auth required pam_wheel.so + +# Uncomment this if you want wheel members to be able to +# su without a password. +# auth sufficient pam_wheel.so trust + +# Uncomment this if you want members of a specific group to not +# be allowed to use su at all. +# auth required pam_wheel.so deny group=nosu + +# Uncomment and edit /etc/security/time.conf if you need to set +# time restrainst on su usage. +# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs +# as well as /etc/porttime) +# account requisite pam_time.so + +# This module parses environment configuration file(s) +# and also allows you to use an extended config +# file /etc/security/pam_env.conf. +# +# parsing /etc/environment needs "readenv=1" +session required pam_env.so readenv=1 +# locale variables are also kept into /etc/default/locale in etch +# reading this file *in addition to /etc/environment* does not hurt +session required pam_env.so readenv=1 envfile=/etc/default/locale + +# Defines the MAIL environment variable +# However, userdel also needs MAIL_DIR and MAIL_FILE variables +# in /etc/login.defs to make sure that removing a user +# also removes the user's mail spool file. +# See comments in /etc/login.defs +# +# "nopen" stands to avoid reporting new mail when su'ing to another user +session optional pam_mail.so nopen + +# Sets up user limits according to /etc/security/limits.conf +# (Replaces the use of /etc/limits in old login) +session required pam_limits.so + +# The standard Unix authentication modules, used with +# NIS (man nsswitch) as well as normal /etc/passwd and +# /etc/shadow entries. +@include common-auth +@include common-account +@include common-session + + diff --git a/etc/profile.d/30_security-misc.sh b/etc/profile.d/30_security-misc.sh deleted file mode 100755 index c1adb22..0000000 --- a/etc/profile.d/30_security-misc.sh +++ /dev/null @@ -1,11 +0,0 @@ -#!/bin/sh - -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -if [ -z "$XDG_CONFIG_DIRS" ]; then - XDG_CONFIG_DIRS=/etc/xdg -fi -if ! echo "$XDG_CONFIG_DIRS" | grep --quiet /usr/share/security-misc/ ; then - export XDG_CONFIG_DIRS=/usr/share/security-misc/:$XDG_CONFIG_DIRS -fi diff --git a/etc/securetty.security-misc b/etc/securetty.security-misc index c98d20d..ca0d81b 100644 --- a/etc/securetty.security-misc +++ b/etc/securetty.security-misc @@ -1,5 +1,2 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - # /etc/securetty: list of terminals on which root is allowed to login. # See securetty(5) and login(1). diff --git a/etc/security/access-security-misc.conf b/etc/security/access-security-misc.conf deleted file mode 100644 index e8bc2ab..0000000 --- a/etc/security/access-security-misc.conf +++ /dev/null @@ -1,41 +0,0 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## To enable root login, see: -## https://www.kicksecure.com/wiki/Root#Root_Login - -## Console Lockdown -## https://forums.whonix.org/t/etc-security-hardening/8592 - -## This is the error message should this fail: -## sudo su -## sudo: PAM account management error: Permission denied - -## see also: -## man access.conf -## man pam_access - -## Usually tty7 is for X. -## Qubes uses tty1 for X. - -## Qubes has 'pts/0' when for example running "sudo" from a terminal emulator. -## Qubes uses 'hvc0' when using in dom0 "sudo xl console vm-name". -## When using systemd-nspawn (chroot) then `login` requires console 'console' to be permitted. - -## Allow members of group `console` to use: -## - 'console' -## - 'tty1' to 'tty7' -## - 'pts/0' to 'pts/9' -## - 'hvc0' to 'hvc9' -## serial console -## https://forums.whonix.org/t/how-do-i-enter-the-whonix-shell-from-cli/7271/43 -## - 'ttyS0' to 'ttyS9' -+:(console):console tty1 tty2 tty3 tty4 tty5 tty6 tty7 pts/0 pts/1 pts/2 pts/3 pts/4 pts/5 pts/6 pts/7 pts/8 pts/9 hvc0 hvc1 hvc2 hvc3 hvc4 hvc5 hvc6 hvc7 hvc8 hvc9 ttyS0 ttyS1 ttyS2 ttyS3 ttyS4 ttyS5 ttyS6 ttyS7 ttyS8 ttyS9 - -## Same as above also for members of group `sudo`. -## https://github.com/Whonix/security-misc/pull/74#issuecomment-607748407 -+:(sudo):console tty1 tty2 tty3 tty4 tty5 tty6 tty7 pts/0 pts/1 pts/2 pts/3 pts/4 pts/5 pts/6 pts/7 pts/8 pts/9 hvc0 hvc1 hvc2 hvc3 hvc4 hvc5 hvc6 hvc7 hvc8 hvc9 ttyS0 ttyS1 ttyS2 ttyS3 ttyS4 ttyS5 ttyS6 ttyS7 ttyS8 ttyS9 - -## Everyone else except members of group 'console-unrestricted' -## are restricted from everything else. --:ALL EXCEPT (console-unrestricted):ALL diff --git a/etc/security/faillock.conf.security-misc b/etc/security/faillock.conf.security-misc deleted file mode 100644 index 4b70cde..0000000 --- a/etc/security/faillock.conf.security-misc +++ /dev/null @@ -1,70 +0,0 @@ -## Copyright (C) 2021 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -# Configuration for locking the user after multiple failed -# authentication attempts. -# -# The directory where the user files with the failure records are kept. -# The default is /var/run/faillock. -dir = /var/lib/security-misc/faillock -# -# Will log the user name into the system log if the user is not found. -# Enabled if option is present. -audit -# -# Don't print informative messages. -# Enabled if option is present. -# silent -# -# Don't log informative messages via syslog. -# Enabled if option is present. -# no_log_info -# -# Only track failed user authentications attempts for local users -# in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users. -# The `faillock` command will also no longer track user failed -# authentication attempts. Enabling this option will prevent a -# double-lockout scenario where a user is locked out locally and -# in the centralized mechanism. -# Enabled if option is present. -# local_users_only -# -# Deny access if the number of consecutive authentication failures -# for this user during the recent interval exceeds n tries. -# The default is 3. -deny = 50 -# -# The length of the interval during which the consecutive -# authentication failures must happen for the user account -# lock out is n seconds. -# The default is 900 (15 minutes). -# security-misc note: the interval should be set to infinity if possible, -# however pam_faillock arbitrarily limits this variable to a maximum of 604800 -# seconds (7 days). See -# https://github.com/linux-pam/linux-pam/blob/539816e4a0a277dbb632412be91e482fff9d9d09/modules/pam_faillock/faillock_config.h#L59 -# for details. Therefore we set this to the maximum allowable value of 7 days. -fail_interval = 604800 -# -# The access will be re-enabled after n seconds after the lock out. -# The value 0 has the same meaning as value `never` - the access -# will not be re-enabled without resetting the faillock -# entries by the `faillock` command. -# The default is 600 (10 minutes). -unlock_time = never -# -# Root account can become locked as well as regular accounts. -# Enabled if option is present. -even_deny_root -# -# This option implies the `even_deny_root` option. -# Allow access after n seconds to root account after the -# account is locked. In case the option is not specified -# the value is the same as of the `unlock_time` option. -# root_unlock_time = 900 -# -# If a group name is specified with this option, members -# of the group will be handled by this module the same as -# the root account (the options `even_deny_root>` and -# `root_unlock_time` will apply to them. -# By default, the option is not set. -# admin_group = diff --git a/etc/security/limits.d/30_security-misc.conf b/etc/security/limits.d/30_security-misc.conf deleted file mode 100644 index d494b14..0000000 --- a/etc/security/limits.d/30_security-misc.conf +++ /dev/null @@ -1,5 +0,0 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Disable coredumps. -* hard core 0 diff --git a/etc/security/limits.d/disable-coredumps.conf b/etc/security/limits.d/disable-coredumps.conf new file mode 100644 index 0000000..ea7c414 --- /dev/null +++ b/etc/security/limits.d/disable-coredumps.conf @@ -0,0 +1,2 @@ +# Disable coredumps. +* hard core 0 diff --git a/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml b/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml index dd94349..f6909a3 100644 --- a/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml +++ b/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml @@ -1,8 +1,5 @@ - - - @@ -16,5 +13,4 @@ - diff --git a/etc/skel/.gnupg/gpg.conf b/etc/skel/.gnupg/gpg.conf deleted file mode 100644 index f0ed5a4..0000000 --- a/etc/skel/.gnupg/gpg.conf +++ /dev/null @@ -1,350 +0,0 @@ -# Options for GnuPG -# Copyright 1998, 1999, 2000, 2001, 2002, 2003, -# 2010 Free Software Foundation, Inc. -# -# This file is free software; as a special exception the author gives -# unlimited permission to copy and/or distribute it, with or without -# modifications, as long as this notice is preserved. -# -# This file is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY, to the extent permitted by law; without even the -# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. -# -# Unless you specify which option file to use (with the command line -# option "--options filename"), GnuPG uses the file ~/.gnupg/gpg.conf -# by default. -# -# An options file can contain any long options which are available in -# GnuPG. If the first non white space character of a line is a '#', -# this line is ignored. Empty lines are also ignored. -# -# See the man page for a list of options. - -# Uncomment the following option to get rid of the copyright notice - -#no-greeting - -# If you have more than 1 secret key in your keyring, you may want to -# uncomment the following option and set your preferred keyid. - -#default-key 621CC013 - -# If you do not pass a recipient to gpg, it will ask for one. Using -# this option you can encrypt to a default key. Key validation will -# not be done in this case. The second form uses the default key as -# default recipient. - -#default-recipient some-user-id -#default-recipient-self - -# Use --encrypt-to to add the specified key as a recipient to all -# messages. This is useful, for example, when sending mail through a -# mail client that does not automatically encrypt mail to your key. -# In the example, this option allows you to read your local copy of -# encrypted mail that you've sent to others. - -#encrypt-to some-key-id - -# By default GnuPG creates version 4 signatures for data files as -# specified by OpenPGP. Some earlier (PGP 6, PGP 7) versions of PGP -# require the older version 3 signatures. Setting this option forces -# GnuPG to create version 3 signatures. - -#force-v3-sigs - -# Because some mailers change lines starting with "From " to ">From " -# it is good to handle such lines in a special way when creating -# cleartext signatures; all other PGP versions do it this way too. - -#no-escape-from-lines - -# If you do not use the Latin-1 (ISO-8859-1) charset, you should tell -# GnuPG which is the native character set. Please check the man page -# for supported character sets. This character set is only used for -# metadata and not for the actual message which does not undergo any -# translation. Note that future version of GnuPG will change to UTF-8 -# as default character set. In most cases this option is not required -# as GnuPG is able to figure out the correct charset at runtime. - -#charset utf-8 - -# Group names may be defined like this: -# group mynames = paige 0x12345678 joe patti -# -# Any time "mynames" is a recipient (-r or --recipient), it will be -# expanded to the names "paige", "joe", and "patti", and the key ID -# "0x12345678". Note that there is only one level of expansion - you -# cannot make a group that points to another group. Note also that -# if there are spaces in the recipient name, this will appear as two -# recipients. In these cases it is better to use the key ID. - -#group mynames = paige 0x12345678 joe patti - -# Lock the file only once for the lifetime of a process. If you do -# not define this, the lock will be obtained and released every time -# it is needed, which is usually preferable. - -#lock-once - -# GnuPG can send and receive keys to and from a keyserver. These -# servers can be HKP, email, or LDAP (if GnuPG is built with LDAP -# support). -# -# High-risk users should stop using the keyserver network immediately. -# https://forums.whonix.org/t/gpg-recv-keys-fails-no-longer-use-keyservers-for-anything/5607/8 -# -# Example HKP keyserver: -# hkp://keys.gnupg.net -# hkp://subkeys.pgp.net -# -# Example email keyserver: -# mailto:pgp-public-keys@keys.pgp.net -# -# Example LDAP keyservers: -# ldap://keyserver.pgp.com -# -# Regular URL syntax applies, and you can set an alternate port -# through the usual method: -# hkp://keyserver.example.net:22742 -# -# Most users just set the name and type of their preferred keyserver. -# Note that most servers (with the notable exception of -# ldap://keyserver.pgp.com) synchronize changes with each other. Note -# also that a single server name may actually point to multiple -# servers via DNS round-robin. hkp://keys.gnupg.net is an example of -# such a "server", which spreads the load over a number of physical -# servers. To see the IP address of the server actually used, you may use -# the "--keyserver-options debug". -# -#keyserver hkp://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.onion -#keyserver mailto:pgp-public-keys@keys.nl.pgp.net -#keyserver ldap://keyserver.pgp.com - -# Common options for keyserver functions: -# -# include-disabled : when searching, include keys marked as "disabled" -# on the keyserver (not all keyservers support this). -# -# no-include-revoked : when searching, do not include keys marked as -# "revoked" on the keyserver. -# -# verbose : show more information as the keys are fetched. -# Can be used more than once to increase the amount -# of information shown. -# -# use-temp-files : use temporary files instead of a pipe to talk to the -# keyserver. Some platforms (Win32 for one) always -# have this on. -# -# keep-temp-files : do not delete temporary files after using them -# (really only useful for debugging) -# -# http-proxy="proxy" : set the proxy to use for HTTP and HKP keyservers. -# This overrides the "http_proxy" environment variable, -# if any. -# -# auto-key-retrieve : automatically fetch keys as needed from the keyserver -# when verifying signatures or when importing keys that -# have been revoked by a revocation key that is not -# present on the keyring. -# -# no-include-attributes : do not include attribute IDs (aka "photo IDs") -# when sending keys to the keyserver. - -#keyserver-options auto-key-retrieve - -# Display photo user IDs in key listings - -# list-options show-photos - -# Display photo user IDs when a signature from a key with a photo is -# verified - -# verify-options show-photos - -# Use this program to display photo user IDs -# -# %i is expanded to a temporary file that contains the photo. -# %I is the same as %i, but the file isn't deleted afterwards by GnuPG. -# %k is expanded to the key ID of the key. -# %K is expanded to the long OpenPGP key ID of the key. -# %t is expanded to the extension of the image (e.g. "jpg"). -# %T is expanded to the MIME type of the image (e.g. "image/jpeg"). -# %f is expanded to the fingerprint of the key. -# %% is %, of course. -# -# If %i or %I are not present, then the photo is supplied to the -# viewer on standard input. If your platform supports it, standard -# input is the best way to do this as it avoids the time and effort in -# generating and then cleaning up a secure temp file. -# -# If no photo-viewer is provided, GnuPG will look for xloadimage, eog, -# or display (ImageMagick). On Mac OS X and Windows, the default is -# to use your regular JPEG image viewer. -# -# Some other viewers: -# photo-viewer "qiv %i" -# photo-viewer "ee %i" -# -# This one saves a copy of the photo ID in your home directory: -# photo-viewer "cat > ~/photoid-for-key-%k.%t" -# -# Use your MIME handler to view photos: -# photo-viewer "metamail -q -d -b -c %T -s 'KeyID 0x%k' -f GnuPG" - -# Passphrase agent -# -# We support the old experimental passphrase agent protocol as well as -# the new Assuan based one (currently available in the "newpg" package -# at ftp.gnupg.org/gcrypt/alpha/aegypten/). To make use of the agent, -# you have to run an agent as daemon and use the option -# -# For Ubuntu we now use-agent by default to support more automatic -# use of GPG and S/MIME encryption by GUI programs. Depending on the -# program, users may still have to manually decide to install gnupg-agent. - -#use-agent - -# which tries to use the agent but will fallback to the regular mode -# if there is a problem connecting to the agent. The normal way to -# locate the agent is by looking at the environment variable -# GPG_AGENT_INFO which should have been set during gpg-agent startup. -# In certain situations the use of this variable is not possible, thus -# the option -# -# --gpg-agent-info=::1 -# -# may be used to override it. - -# Automatic key location -# -# GnuPG can automatically locate and retrieve keys as needed using the -# auto-key-locate option. This happens when encrypting to an email -# address (in the "user@example.com" form), and there are no -# user@example.com keys on the local keyring. This option takes the -# following arguments, in the order they are to be tried: -# -# cert = locate a key using DNS CERT, as specified in RFC-4398. -# GnuPG can handle both the PGP (key) and IPGP (URL + fingerprint) -# CERT methods. -# -# pka = locate a key using DNS PKA. -# -# ldap = locate a key using the PGP Universal method of checking -# "ldap://keys.(thedomain)". For example, encrypting to -# user@example.com will check ldap://keys.example.com. -# -# keyserver = locate a key using whatever keyserver is defined using -# the keyserver option. -# -# You may also list arbitrary keyservers here by URL. -# -# Try CERT, then PKA, then LDAP, then hkp://subkeys.net: -#auto-key-locate cert pka ldap hkp://subkeys.pgp.net - -## Begin Anonymity Distribution /home/user/.gnupg/gpg.conf changes. - -#### meta start -#### project Whonix -#### category networking and apps -#### description GnuPG gpg configuration -#### meta end - -## source: -## https://raw.github.com/ioerror/torbirdy/master/gpg.conf -## https://github.com/ioerror/torbirdy/commit/e6d7c9e6e103f0b3289675d04ed3f92e92d8d7b3 - -## Out commented proxy settings, because uwt wrapper keeps care of that. - -## gpg.conf optimized for privacy - -################################################################## -## BEGIN some suggestions from TorBirdy setting extensions.enigmail.agentAdditionalParam - -## Don't disclose the version -no-emit-version - -## Don't add additional comments (may leak language, etc) -no-comments - -## We want to force UTF-8 everywhere -display-charset utf-8 - -## Proxy settings -#keyserver-options http-proxy=socks5://TORIP:TORPORT - -## https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f -## https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html -## https://forums.whonix.org/t/gpg-recv-keys-fails-no-longer-use-keyservers-for-anything/5607 -#keyserver hkps://keys.openpgp.org - -## END some suggestions from TorBirdy TorBirdy setting extensions.enigmail.agentAdditionalParam -################################################################## - -################################################################## -## BEGIN Some suggestions from Debian https://keyring.debian.org/creating-key.html - -personal-digest-preferences SHA512 -cert-digest-algo SHA512 -default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed - -## END Some suggestions from Debian https://keyring.debian.org/creating-key.html -################################################################## - -################################################################## -## BEGIN Some suggestions added from riseup https://we.riseup.net/riseuplabs+paow/openpgp-best-practices - -## When creating a key, individuals may designate a specific keyserver to use to pull their keys from. -## The above option will disregard this designation and use the pool, which is useful because (1) it -## prevents someone from designating an insecure method for pulling their key and (2) if the server -## designated uses hkps, the refresh will fail because the ca-cert will not match, so the keys will -## never be refreshed. -keyserver-options no-honor-keyserver-url - -## when outputting certificates, view user IDs distinctly from keys: -fixed-list-mode - -## long keyids are more collision-resistant than short keyids (it's trivial to make a key with any desired short keyid) -keyid-format 0xlong - -## when multiple digests are supported by all recipients, choose the strongest one: -## already defined above -#personal-digest-preferences SHA512 SHA384 SHA256 SHA224 - -## preferences chosen for new keys should prioritize stronger algorithms: -## already defined above -#default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 BZIP2 ZLIB ZIP Uncompressed - -## If you use a graphical environment (and even if you don't) you should be using an agent: -## (similar arguments as https://www.debian-administration.org/users/dkg/weblog/64) -use-agent - -## You should always know at a glance which User IDs gpg thinks are legitimately bound to the keys in your keyring: -verify-options show-uid-validity -list-options show-uid-validity - -## include an unambiguous indicator of which key made a signature: -## (see http://thread.gmane.org/gmane.mail.notmuch.general/3721/focus=7234) -sig-notation issuer-fpr@notations.openpgp.fifthhorseman.net=%g - -## when making an OpenPGP certification, use a stronger digest than the default SHA1: -## already defined above -#cert-digest-algo SHA256 - -## END Some suggestions added from riseup https://we.riseup.net/riseuplabs+paow/openpgp-best-practices -################################################################## - -################################################################## -## BEGIN Some suggestions from TorBirdy opt-in's - -## Up to you whether you in comment it (remove the single # in front of -## it) or not. Disabled by default, because it causes too much complaints and -## confusion. - -## Don't include keyids that may disclose the sender or any other non-obvious keyids -#throw-keyids - -## END Some suggestions from TorBirdy opt-in's -################################################################## - -## End of Anonymity Distribution /home/user/.gnupg/gpg.conf changes. diff --git a/etc/sudoers.d/security-misc b/etc/sudoers.d/security-misc index 1fa2146..aa48b61 100644 --- a/etc/sudoers.d/security-misc +++ b/etc/sudoers.d/security-misc @@ -1,12 +1,5 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Neither of these are needed. -#user ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops -#%sudo ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops - -## Use a more open umask when executing commands with sudo -## Can be overridden on a per-user basis using .[z]profile if desirable -## https://www.kicksecure.com/wiki/Dev/Strong_Linux_User_Account_Isolation#umask_hardening -Defaults umask_override -Defaults umask=0022 +user ALL=NOPASSWD: /usr/lib/security-misc/panic-on-oops +%sudo ALL=NOPASSWD: /usr/lib/security-misc/panic-on-oops diff --git a/etc/sysctl.d/coredumps.conf b/etc/sysctl.d/coredumps.conf new file mode 100644 index 0000000..9ac4548 --- /dev/null +++ b/etc/sysctl.d/coredumps.conf @@ -0,0 +1,3 @@ +# Disables coredumps. This setting may be overwritten by systemd so this may not be useful. +# security-misc also disables coredumps in other ways. +kernel.core_pattern=|/bin/false diff --git a/etc/sysctl.d/dmesg_restrict.conf b/etc/sysctl.d/dmesg_restrict.conf new file mode 100644 index 0000000..789769d --- /dev/null +++ b/etc/sysctl.d/dmesg_restrict.conf @@ -0,0 +1,2 @@ +# Restricts the kernel log to root only. +kernel.dmesg_restrict=1 diff --git a/etc/sysctl.d/fs_protected.conf b/etc/sysctl.d/fs_protected.conf new file mode 100644 index 0000000..4e4117b --- /dev/null +++ b/etc/sysctl.d/fs_protected.conf @@ -0,0 +1,3 @@ +# Makes some data spoofing attacks harder. +fs.protected_fifos=2 +fs.protected_regular=2 diff --git a/etc/sysctl.d/harden_bpf.conf b/etc/sysctl.d/harden_bpf.conf new file mode 100644 index 0000000..a039bfd --- /dev/null +++ b/etc/sysctl.d/harden_bpf.conf @@ -0,0 +1,3 @@ +# Hardens the BPF JIT compiler and restricts it to root. +kernel.unprivileged_bpf_disabled=1 +net.core.bpf_jit_harden=2 diff --git a/etc/sysctl.d/kexec.conf b/etc/sysctl.d/kexec.conf new file mode 100644 index 0000000..cfe590a --- /dev/null +++ b/etc/sysctl.d/kexec.conf @@ -0,0 +1,2 @@ +# Disables kexec which can be used to replace the running kernel +kernel.kexec_load_disabled=1 diff --git a/etc/sysctl.d/kptr_restrict.conf b/etc/sysctl.d/kptr_restrict.conf new file mode 100644 index 0000000..f1bbc0e --- /dev/null +++ b/etc/sysctl.d/kptr_restrict.conf @@ -0,0 +1,2 @@ +# Hides kernel symbols in /proc/kallsyms +kernel.kptr_restrict=2 diff --git a/etc/sysctl.d/mmap_aslr.conf b/etc/sysctl.d/mmap_aslr.conf new file mode 100644 index 0000000..4bcdbeb --- /dev/null +++ b/etc/sysctl.d/mmap_aslr.conf @@ -0,0 +1,3 @@ +# Improves KASLR effectiveness for mmap. +vm.mmap_rnd_bits=32 +vm.mmap_rnd_compat_bits=16 diff --git a/etc/sysctl.d/ptrace_scope.conf b/etc/sysctl.d/ptrace_scope.conf new file mode 100644 index 0000000..f0bc04d --- /dev/null +++ b/etc/sysctl.d/ptrace_scope.conf @@ -0,0 +1,7 @@ +# Restricts the use of ptrace to root. This might break some programs running under WINE. +# A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. This can be done by running: +# +# sudo apt-get install libcap2-bin +# sudo setcap cap_sys_ptrace=eip /usr/bin/wineserver +# sudo setcap cap_sys_ptrace=eip /usr/bin/wine-preloader +kernel.yama.ptrace_scope=2 diff --git a/etc/sysctl.d/suid_dumpable.conf b/etc/sysctl.d/suid_dumpable.conf new file mode 100644 index 0000000..1ed3b79 --- /dev/null +++ b/etc/sysctl.d/suid_dumpable.conf @@ -0,0 +1,2 @@ +# Prevent setuid processes from creating coredumps. +fs.suid_dumpable=0 diff --git a/etc/sysctl.d/sysrq.conf b/etc/sysctl.d/sysrq.conf new file mode 100644 index 0000000..266e275 --- /dev/null +++ b/etc/sysctl.d/sysrq.conf @@ -0,0 +1,2 @@ +# Allow only rebooting/shutting down with the SysRq key. +kernel.sysrq=128 diff --git a/etc/sysctl.d/tcp_hardening.conf b/etc/sysctl.d/tcp_hardening.conf new file mode 100644 index 0000000..e192a8b --- /dev/null +++ b/etc/sysctl.d/tcp_hardening.conf @@ -0,0 +1,26 @@ +## TCP/IP stack hardening + +# Protects against time-wait assassination. It drops RST packets for sockets in the time-wait state. +net.ipv4.tcp_rfc1337=1 + +# Disables ICMP redirect acceptance. +net.ipv4.conf.all.accept_redirects=0 +net.ipv4.conf.default.accept_redirects=0 +net.ipv4.conf.all.secure_redirects=0 +net.ipv4.conf.default.secure_redirects=0 +net.ipv6.conf.all.accept_redirects=0 +net.ipv6.conf.default.accept_redirects=0 + +# Disables ICMP redirect sending. +net.ipv4.conf.all.send_redirects=0 +net.ipv4.conf.default.send_redirects=0 + +# Ignores ICMP requests. +net.ipv4.icmp_echo_ignore_all=1 + +# Enables TCP syncookies. +net.ipv4.tcp_syncookies=1 + +# Disable source routing. +net.ipv4.conf.all.accept_source_route=0 +net.ipv4.conf.default.accept_source_route=0 diff --git a/etc/sysctl.d/tcp_sack.conf b/etc/sysctl.d/tcp_sack.conf new file mode 100644 index 0000000..6245fff --- /dev/null +++ b/etc/sysctl.d/tcp_sack.conf @@ -0,0 +1,2 @@ +# Disables SACK as it is commonly exploited and likely not needed. +net.ipv4.tcp_sack=0 diff --git a/etc/sysctl.d/tcp_timestamps.conf b/etc/sysctl.d/tcp_timestamps.conf new file mode 100644 index 0000000..f47b8d3 --- /dev/null +++ b/etc/sysctl.d/tcp_timestamps.conf @@ -0,0 +1 @@ +net.ipv4.tcp_timestamps=0 diff --git a/etc/systemd/system/emergency.service.d/override.conf b/etc/systemd/system/emergency.service.d/override.conf deleted file mode 100644 index 42fefd4..0000000 --- a/etc/systemd/system/emergency.service.d/override.conf +++ /dev/null @@ -1,8 +0,0 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211 -## https://salsa.debian.org/ah/user-setup/commit/bc5ca2de85ec27845d0b46059cb7cc02bae7b44d - -[Service] -Environment=SYSTEMD_SULOGIN_FORCE=1 diff --git a/etc/systemd/system/rescue.service.d/override.conf b/etc/systemd/system/rescue.service.d/override.conf deleted file mode 100644 index 42fefd4..0000000 --- a/etc/systemd/system/rescue.service.d/override.conf +++ /dev/null @@ -1,8 +0,0 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211 -## https://salsa.debian.org/ah/user-setup/commit/bc5ca2de85ec27845d0b46059cb7cc02bae7b44d - -[Service] -Environment=SYSTEMD_SULOGIN_FORCE=1 diff --git a/etc/thunderbird/pref/40_security-misc.js b/etc/thunderbird/pref/40_security-misc.js deleted file mode 100644 index 931f9d2..0000000 --- a/etc/thunderbird/pref/40_security-misc.js +++ /dev/null @@ -1,59 +0,0 @@ -//#### Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -//#### See the file COPYING for copying conditions. - -//#### meta start -//#### project Whonix and Kicksecure -//#### category security and apps -//#### description https://forums.whonix.org/t/enable-network-idn-show-punycode-by-default-in-thunderbird-to-fix-url-not-showing-real-domain-name-homograph-attack-punycode/8415 -//#### meta end - -// https://forums.whonix.org/t/enable-network-idn-show-punycode-by-default-in-thunderbird-to-fix-url-not-showing-real-domain-name-homograph-attack-punycode/8415 -pref("network.IDN_show_punycode", true); - -// Disable all and any kind of telemetry by default -pref("toolkit.telemetry.enabled", false); -pref("toolkit.telemetry.unified", false); -pref("toolkit.telemetry.shutdownPingSender.enabled", false); -pref("toolkit.telemetry.updatePing.enabled", false); -pref("toolkit.telemetry.archive.enabled", false); -pref("toolkit.telemetry.bhrPing.enabled", false); -pref("toolkit.telemetry.firstShutdownPing.enabled", false); -pref("toolkit.telemetry.newProfilePing.enabled", false); -pref("toolkit.telemetry.server", ""); // Defense in depth -pref("toolkit.telemetry.server_owner", ""); // Defense in depth -pref("datareporting.healthreport.uploadEnabled", false); -pref("datareporting.policy.dataSubmissionEnabled", false); -pref("toolkit.telemetry.coverage.opt-out", true); // from Firefox -pref("toolkit.coverage.opt-out", true); // from Firefox - -// Disable implicit outbound traffic -pref("network.connectivity-service.enabled", false); -pref("network.prefetch-next", false); -pref("network.dns.disablePrefetch", true); -pref("network.predictor.enabled", false); - -// No need to explain the problems with javascript -// If you want javascript, use your browser -// Thunderbird needs no javascript -// pref("javascript.enabled", false); // Will break setting up services that require redirecting to their javascripted webpage for login, like gmail etc. So commented out for now. - -// Disable scripting when viewing pdf files -user_pref("pdfjs.enableScripting", false); - -// If you want cookies, use your browser -pref("network.cookie.cookieBehavior", 2); - -// Do not send user agent information -// For email clients, this is more like a relic of the past -// Completely not necessary and just exposes a lot of information about the client -// Since v115.0 Thunderbird already minimizes the user agent -// But we want it gone for good for no information leak at all -// https://hg.mozilla.org/comm-central/rev/cbbbc8d93cd7 -pref("mailnews.headers.sendUserAgent", false); - -// Normally we send emails after marking them with a time stamp -// That includes our local time zone -// This option makes our local time zone appear as UTC -// And rounds the time stamp to the closes minute -// https://hg.mozilla.org/comm-central/rev/98aa0bf2e719 -pref("mail.sanitize_date_header", true); diff --git a/lib/systemd/coredump.conf.d/disable-coredumps.conf b/lib/systemd/coredump.conf.d/disable-coredumps.conf new file mode 100644 index 0000000..519f838 --- /dev/null +++ b/lib/systemd/coredump.conf.d/disable-coredumps.conf @@ -0,0 +1,2 @@ +[Coredump] +Storage=none diff --git a/lib/systemd/system/proc-hidepid.service b/lib/systemd/system/proc-hidepid.service new file mode 100644 index 0000000..535b8b1 --- /dev/null +++ b/lib/systemd/system/proc-hidepid.service @@ -0,0 +1,33 @@ +## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +[Unit] +Description=Mounts /proc with hidepid=2 +Documentation=https://github.com/Whonix/security-misc +Requires=local-fs.target +After=local-fs.target + +[Service] +Type=oneshot +ExecStart=/bin/mount -o remount,nosuid,nodev,noexec,hidepid=2 /proc + +## Disabled since not working in Qubes. +#ProtectSystem=strict +#ProtectHome=true +#ProtectKernelTunables=true +#ProtectKernelModules=true +#ProtectControlGroups=true +#PrivateTmp=true +#PrivateMounts=true +#PrivateDevices=true +#MemoryDenyWriteExecute=true +#NoNewPrivileges=true +#RestrictRealtime=true +#SystemCallArchitectures=native +#RestrictNamespaces=true +#SystemCallFilter=mount munmap access read open close stat fstat lstat mmap mprotect brk rt_sigaction rt_sigprocmask execve readlink getrlimit getuid getgid geteuid getegid statfs prctl arch_prctl set_tid_address newfstatat set_robust_list openat mkdir + +PrivateNetwork=true + +[Install] +WantedBy=multi-user.target diff --git a/lib/systemd/system/remove-system-map.service b/lib/systemd/system/remove-system-map.service new file mode 100644 index 0000000..69dd333 --- /dev/null +++ b/lib/systemd/system/remove-system-map.service @@ -0,0 +1,10 @@ +[Unit] +Description=Removes the System.map files +Documentation=https://github.com/Whonix/security-misc + +[Service] +Type=oneshot +ExecStart=/usr/lib/security-misc/remove-system.map + +[Install] +WantedBy=multi-user.target diff --git a/rpm_spec/security-misc.spec.in b/rpm_spec/security-misc.spec.in index b42625e..8f5d0aa 100644 --- a/rpm_spec/security-misc.spec.in +++ b/rpm_spec/security-misc.spec.in @@ -3,8 +3,8 @@ Version: @VERSION@ Release: 1%{?dist} Summary: enhances misc security settings -License: AGPL-3+ -URL: https://github.com/Kicksecure/security-misc +License: GPL-3+-with-additional-terms-1 +URL: https://github.com/Whonix/security-misc Source0: %{name}-%{version}.tar.xz BuildRequires: dpkg-dev @@ -13,7 +13,50 @@ Requires: make BuildArch: noarch %description -See README. +The following settings are changed: + +deactivates previews in Dolphin; +deactivates previews in Nautilus; +deactivates thumbnails in Thunar; +deactivates TCP timestamps; +deactivates Netfilter's connection tracking helper; + +TCP time stamps (RFC 1323) allow for tracking clock +information with millisecond resolution. This may or may not allow an +attacker to learn information about the system clock at such +a resolution, depending on various issues such as network lag. +This information is available to anyone who monitors the network +somewhere between the attacked system and the destination server. +It may allow an attacker to find out how long a given +system has been running, and to distinguish several +systems running behind NAT and using the same IP address. It might +also allow one to look for clocks that match an expected value to find the +public IP used by a user. + +Hence, this package disables this feature by shipping the +/etc/sysctl.d/tcp_timestamps.conf configuration file. + +Note that TCP time stamps normally have some usefulness. They are +needed for: + +* the TCP protection against wrapped sequence numbers; however, to + trigger a wrap, one needs to send roughly 2^32 packets in one + minute: as said in RFC 1700, "The current recommended default + time to live (TTL) for the Internet Protocol (IP) [45,105] is 64". + So, this probably won't be a practical problem in the context + of Anonymity Distributions. + +* "Round-Trip Time Measurement", which is only useful when the user + manages to saturate their connection. When using Anonymity Distributions, + probably the limiting factor for transmission speed is rarely the capacity + of the user connection. + +Netfilter's connection tracking helper module increases kernel attack +surface by enabling superfluous functionality such as IRC parsing in +the kernel. (!) + +Hence, this package disables this feature by shipping the +/etc/sysctl.d/nf_conntrack_helper.conf configuration file. %prep %setup -q @@ -29,9 +72,32 @@ make %{?_smp_mflags} %files %license debian/copyright -/etc/* -/lib/* -/usr/* +/etc/X11/Xsession.d/50security-misc +/etc/default/grub.d/40_enable_iommu.cfg +/etc/default/grub.d/40_kernel_hardening.cfg +/etc/modprobe.d/30_nf_conntrack_helper_disable.conf +/etc/modprobe.d/blacklist-dma.conf +/etc/modprobe.d/uncommon-network-protocols.conf +/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml +/etc/sysctl.d/dmesg_restrict.conf +/etc/sysctl.d/fs_protected.conf +/etc/sysctl.d/harden_bpf.conf +/etc/sysctl.d/kexec.conf +/etc/sysctl.d/kptr_restrict.conf +/etc/sysctl.d/mmap_aslr.conf +/etc/sysctl.d/ptrace_scope.conf +/etc/sysctl.d/sysrq.conf +/etc/sysctl.d/tcp_hardening.conf +/etc/sysctl.d/tcp_timestamps.conf +/etc/sysctl.d/tcp_sack.conf +/usr/lib/security-misc/apt-get-update +/usr/lib/security-misc/apt-get-update-sanity-test +/usr/lib/security-misc/apt-get-wrapper +/usr/lib/security-misc/remove-system.map +/usr/share/glib-2.0/schemas/30_security-misc.gschema.override +/usr/share/lintian/overrides/security-misc +/usr/share/security-misc/dolphinrc +/lib/systemd/system/remove-system-map.service %changelog @CHANGELOG@ diff --git a/usr/bin/disabled-bluetooth-by-security-misc b/usr/bin/disabled-bluetooth-by-security-misc deleted file mode 100755 index 0a4c308..0000000 --- a/usr/bin/disabled-bluetooth-by-security-misc +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. - -echo "$0: ALERT: This Bluetooth kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 - -exit 1 diff --git a/usr/bin/disabled-cdrom-by-security-misc b/usr/bin/disabled-cdrom-by-security-misc deleted file mode 100755 index f017e76..0000000 --- a/usr/bin/disabled-cdrom-by-security-misc +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. - -echo "$0: ALERT: This CD-ROM/DVD kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 - -exit 1 diff --git a/usr/bin/disabled-filesys-by-security-misc b/usr/bin/disabled-filesys-by-security-misc deleted file mode 100755 index f0cf9b4..0000000 --- a/usr/bin/disabled-filesys-by-security-misc +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. - -echo "$0: ALERT: This file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 - -exit 1 diff --git a/usr/bin/disabled-firewire-by-security-misc b/usr/bin/disabled-firewire-by-security-misc deleted file mode 100755 index c0d035a..0000000 --- a/usr/bin/disabled-firewire-by-security-misc +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. - -echo "$0: ALERT: This FireWire (IEEE 1394) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 - -exit 1 diff --git a/usr/bin/disabled-framebuffer-by-security-misc b/usr/bin/disabled-framebuffer-by-security-misc deleted file mode 100755 index c287c21..0000000 --- a/usr/bin/disabled-framebuffer-by-security-misc +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2024 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. - -echo "$0: ALERT: This framebuffer (fbdev) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 - -exit 1 diff --git a/usr/bin/disabled-gps-by-security-misc b/usr/bin/disabled-gps-by-security-misc deleted file mode 100755 index 149249a..0000000 --- a/usr/bin/disabled-gps-by-security-misc +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. - -echo "$0: ALERT: This Global Positioning System (GPS) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 - -exit 1 diff --git a/usr/bin/disabled-intelme-by-security-misc b/usr/bin/disabled-intelme-by-security-misc deleted file mode 100755 index 094fa29..0000000 --- a/usr/bin/disabled-intelme-by-security-misc +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. - -echo "$0: ALERT: This Intel Management Engine (ME) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 - -exit 1 diff --git a/usr/bin/disabled-intelpmt-by-security-misc b/usr/bin/disabled-intelpmt-by-security-misc deleted file mode 100755 index 45a7aa4..0000000 --- a/usr/bin/disabled-intelpmt-by-security-misc +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2024 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. - -echo "$0: ALERT: This Intel Platform Monitoring Technology (PMT) Telemetry kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 - -exit 1 diff --git a/usr/bin/disabled-miscellaneous-by-security-misc b/usr/bin/disabled-miscellaneous-by-security-misc deleted file mode 100755 index 5848c6e..0000000 --- a/usr/bin/disabled-miscellaneous-by-security-misc +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. - -echo "$0: ALERT: This kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 - -exit 1 diff --git a/usr/bin/disabled-netfilesys-by-security-misc b/usr/bin/disabled-netfilesys-by-security-misc deleted file mode 100755 index ed4e792..0000000 --- a/usr/bin/disabled-netfilesys-by-security-misc +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. - -echo "$0: ALERT: This network file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 - -exit 1 diff --git a/usr/bin/disabled-network-by-security-misc b/usr/bin/disabled-network-by-security-misc deleted file mode 100755 index f8c3129..0000000 --- a/usr/bin/disabled-network-by-security-misc +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. - -echo "$0: ALERT: This network protocol kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 - -exit 1 diff --git a/usr/bin/disabled-thunderbolt-by-security-misc b/usr/bin/disabled-thunderbolt-by-security-misc deleted file mode 100755 index c6d1d71..0000000 --- a/usr/bin/disabled-thunderbolt-by-security-misc +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. - -echo "$0: ALERT: This Thunderbolt kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 - -exit 1 diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener deleted file mode 100755 index 9f70834..0000000 --- a/usr/bin/permission-hardener +++ /dev/null @@ -1,994 +0,0 @@ -#!/bin/bash -# shellcheck disable=SC2076 - -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## https://forums.whonix.org/t/disable-suid-binaries/7706 -## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707 - -## dpkg-statoverride does not support end-of-options ("--"). - -## SC2076 is disabled because ShellCheck seems to think that any use of -## [[ ... =~ ... ]] is supposed to be a regex match. But [[ '...' =~ '...' ]] -## works very well for literal matching, and it is used that way extensively -## throughout this script. - -set -o errexit -o nounset -o pipefail - -## Constants -# shellcheck disable=SC2034 -log_level=notice -store_dir="/var/lib/permission-hardener-v2" -state_file="${store_dir}/existing_mode/statoverride" -dpkg_admindir_parameter_existing_mode="--admindir ${store_dir}/existing_mode" -dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode" -delimiter="#permission-hardener-delimiter#" - -## Library imports -# shellcheck disable=SC1091 -source /usr/libexec/helper-scripts/safe_echo.sh -# shellcheck disable=SC1091 -source /usr/libexec/helper-scripts/log_run_die.sh - -## Functions -echo_wrapper_ignore() { - if [ "${1}" = 'verbose' ]; then - shift - log notice "Executing: $*" - elif [ "${1}" = 'silent' ]; then - shift - else - log error "Unrecognized command '${1}'! calling function name: '${FUNCNAME[1]}'" >&2 - return - fi - "$@" 2>/dev/null || true -} - -echo_wrapper_audit() { - local return_code - if [ "${1}" = 'verbose' ]; then - shift - log notice "Executing: $*" - elif [ "${1}" = 'silent' ]; then - shift - else - log error "Unrecognized command '${1}'! calling function name: '${FUNCNAME[1]}'" >&2 - return - fi - return_code=0 - "$@" || - { - return_code="$?" - exit_code=203 - log error "Command '$*' failed with exit code '${return_code}'! calling function name: '${FUNCNAME[1]}'" >&2 - } -} - -## Some tools may fail on newlines and even variable assignment to array may -## fail if a variable that will be assigned to an array element contains -## characters that are used as delimiters. -block_newlines() { - local newline_variable newline_value - newline_variable="${1:-}" - newline_value="${2:-}" - ## dpkg-statoverride: error: path may not contain newlines - if [[ "${newline_value}" != "${newline_value//$'\n'/NEWLINE}" ]]; then - log warn "Skipping ${newline_variable} that contains newlines: '${newline_value}'" >&2 - return 1 - fi -} - -output_stat() { - local file_name stat_output stat_output_newlined hardlink_count - declare -a arr - file_name="${1:-}" - - if [ -z "${file_name}" ]; then - log error "File name is empty. file_name: '${file_name}'" >&2 - return 1 - fi - - block_newlines file "${file_name}" - - if [ ! -e "${file_name}" ]; then - log info "File does not exist. file_name: '${file_name}'" >&2 - existing_mode='' - existing_owner='' - existing_group='' - file_name_from_stat='' - return 0 - fi - - if ! stat_output="$(stat -L \ - --format="%a${delimiter}%U${delimiter}%G${delimiter}%n${delimiter}%h${delimiter}" \ - -- "${file_name}")"; then - log error "Failed to run 'stat' on file: '${file_name}'!" >&2 - return 1 - fi - - if [ -z "$stat_output" ]; then - log error "stat_output is empty. -File name: '${file_name}' -Stat output: '${stat_output}' -stat_output_newlined: '${stat_output_newlined}' -line: '${processed_config_line}' -" >&2 - return 1 - fi - - stat_output_newlined="$(printf '%s\n' "${stat_output//${delimiter}/$'\n'}")" - - if [ -z "${stat_output_newlined}" ]; then - log error "stat_output_newlined is empty. -File name: '${file_name}' -Stat output: '${stat_output}' -stat_output_newlined: '${stat_output_newlined}' -line: '${processed_config_line}' -" >&2 - return 1 - fi - - readarray -t arr <<< "${stat_output_newlined}" - - if [ "${#arr[@]}" = '0' ]; then - log error "Array length is 0. -File name: '${file_name}' -Stat output: '${stat_output}' -stat_output_newlined: '${stat_output_newlined}' -line: '${processed_config_line}' -" >&2 - return 1 - fi - - existing_mode="${arr[0]}" - existing_owner="${arr[1]}" - existing_group="${arr[2]}" - file_name_from_stat="${arr[3]}" - hardlink_count="${arr[4]}" - - if [ "$file_name" != "$file_name_from_stat" ]; then - log error "\ -File name is different from file name received from stat: -File name: '${file_name}' -File name from stat: '${file_name_from_stat}' -line: '${processed_config_line}' -" >&2 - return 1 - fi - - ## We can't handle files with hardlinks because figuring out all of the files - ## in a "hardlink pool" requires scanning the whole filesystem, which would - ## result in an unacceptable performance hit for this script. We don't check - ## directory hardlinks since directories can't have traditional hardlinks. - if [ ! -d "${file_name_from_stat}" ]; then - if (( hardlink_count > 1 )); then - log error "\ -File has unexpected hardlinks, cannot handle. -File name: '${file_name}' -File name from stat: '${file_name_from_stat}' -line: '${processed_config_line}' -" >&2 - return 1 - fi - fi - - if [ -z "${existing_mode}" ]; then - log error "Existing mode is empty. Stat output: '${stat_output}', line: '${processed_config_line}'" >&2 - return 1 - fi - if [ -z "${existing_owner}" ]; then - log error "Existing owner is empty. Stat output: '${stat_output}', line: '${processed_config_line}'" >&2 - return 1 - fi - if [ -z "${existing_group}" ]; then - log error "Existing group is empty. Stat output: '${stat_output}', line: '${processed_config_line}'" >&2 - return 1 - fi - - ## If a symlink was passed as input, return the original file's path rather - ## than the symlink to avoid problems stemming from using the wrong path - if [ -h "${file_name_from_stat}" ]; then - file_name_from_stat="$(realpath "${file_name_from_stat}")" - fi -} - -print_usage(){ - safe_echo "Usage: ${0##*/} enable - ${0##*/} disable [FILE|all] - ${0##*/} print-policy - ${0##*/} print-state - ${0##*/} print-policy-applied-state - ${0##*/} print-diagnostics - -Examples: - ${0##*/} enable - ${0##*/} disable all - ${0##*/} disable /usr/bin/newgrp" >&2 -} - -add_to_policy() { - local file_name file_mode file_owner file_group updated_entry policy_idx \ - file_capabilities - file_name="${1:-}" - file_mode="${2:-}" - file_owner="${3:-}" - file_group="${4:-}" - file_capabilities="${5:-}" - updated_entry=false - - if [ -h "${file_name}" ]; then - file_name="$(realpath "${file_name}")" || return 1 - fi - - for (( policy_idx=0; policy_idx < ${#policy_file_list[@]}; policy_idx++ )); do - if [ "${policy_file_list[policy_idx]}" = "${file_name}" ]; then - policy_mode_list[policy_idx]="${file_mode}" - policy_user_owner_list[policy_idx]="${file_owner}" - policy_group_owner_list[policy_idx]="${file_group}" - policy_capability_list[policy_idx]="${file_capabilities}" - updated_entry=true - break - fi - done - - if [ "${updated_entry}" != 'true' ]; then - policy_file_list+=( "${file_name}" ) - policy_mode_list+=( "${file_mode}" ) - policy_user_owner_list+=( "${file_owner}" ) - policy_group_owner_list+=( "${file_group}" ) - policy_capability_list+=( "${file_capabilities}" ) - fi -} - -check_nosuid_whitelist() { - local target_file match_white_list_entry - - target_file="${1:-}" - - ## Handle whitelists, if we're supposed to - [ "${whitelists_disable_all}" = 'true' ] && return 0 - - ## literal matching is intentional here - [[ " ${policy_disable_white_list[*]} " =~ " ${target_file} " ]] && return 0 - - ## literal matching is intentional here too - [[ " ${policy_exact_white_list[*]} " =~ " ${target_file} " ]] && return 1 - - for match_white_list_entry in "${policy_match_white_list[@]:-}"; do - if safe_echo "${target_file}" \ - | grep --quiet --fixed-strings -- "${match_white_list_entry}"; then - return 1 - fi - done - - return 0 -} - -load_early_nosuid_policy() { - local target_file find_list_item - - target_file="${1:-}" - - # shellcheck disable=SC2185 - while IFS="" read -r -d "" find_list_item; do - check_nosuid_whitelist "${find_list_item}" || continue - - ## sets: - ## exiting_mode - ## existing_owner - ## existing_group - output_stat "${find_list_item}" - if [ -z "${file_name_from_stat}" ]; then - continue - fi - - ## -h file True if file is a symbolic link. - if [ -h "${find_list_item}" ]; then - ## https://forums.whonix.org/t/disable-suid-binaries/7706/14 - log info "Skip symlink: '${find_list_item}'" - continue - fi - - if [ -d "${find_list_item}" ]; then - log info "Skip directory: '${find_list_item}'" - continue - fi - - ## Remove suid / gid and execute permission for 'group' and 'others'. - ## Similar to: chmod og-ugx /path/to/filename - ## Removing execution permission is useful to make binaries such as 'su' - ## fail closed rather than fail open if suid was removed from these. - ## Do not remove read access since no security benefit and easier to - ## manually undo for users. - ## Are there suid or sgid binaries which are still useful if suid / sgid - ## has been removed from these? - local new_mode - new_mode='744' - - add_to_policy "${file_name_from_stat}" "${new_mode}" "${existing_owner}" \ - "${existing_group}" - done < <(safe_echo_nonewline "${target_file}" \ - | find -files0-from - -perm /u=s,g=s -print0) -} - -## If the "target file" matches the start of the state file name, that's a -## likely match. This is used by load_late_nosuid_policy for detecting info -## about files that need SUID-locked that are in the state. -match_dir() { - local base_str match_str base_arr match_arr base_idx - - base_str="${1}" - match_str="${2}" - [[ "${base_str}" =~ '//' ]] && return 1 - [[ "${match_str}" =~ '//' ]] && return 1 - - IFS='/' read -r -a base_arr <<< "${base_str}" - IFS='/' read -r -a match_arr <<< "${match_str}" - (( ${#base_arr[@]} > ${#match_arr[@]} )) && return 1 - - for (( base_idx=0; base_idx < ${#base_arr[@]}; base_idx++ )); do - if [ "${base_arr[base_idx]}" != "${match_arr[base_idx]}" ]; then - return 1 - fi - done - - return 0 -} - -load_late_nosuid_policy() { - local target_file state_idx state_file_item state_user_owner_item \ - state_group_owner_item new_mode - - target_file="${1:-}" - for (( state_idx=0; state_idx < ${#state_file_list[@]}; state_idx++ )); do - state_file_item="${state_file_list[state_idx]}" - check_nosuid_whitelist "${state_file_item}" || continue - - match_dir "${target_file}" "${state_file_item}" || continue - - if [ -h "${state_file_item}" ]; then - ## https://forums.whonix.org/t/disable-suid-binaries/7706/14 - log info "Skip symlink: '${state_file_item}'" - continue - fi - - if [ -d "${state_file_item}" ]; then - log info "Skip directory: '${state_file_item}'" - continue - fi - - state_user_owner_item="${state_user_owner_list[state_idx]}" - state_group_owner_item="${state_group_owner_list[state_idx]}" - new_mode='744' - add_to_policy "${state_file_item}" "${new_mode}" \ - "${state_user_owner_item}" "${state_group_owner_item}" - done -} - -load_state_without_policy() { - local line field_list - - ## Load the state file from disk - if [ -f "${state_file}" ]; then - while read -r line; do - read -r -a field_list <<< "${line}" - if (( ${#field_list[@]} != 4 )); then - log info \ - "Invalid number of fields in state file line: '${line}'. Skipping." - continue - fi - state_user_owner_list+=( "${field_list[0]}" ) - state_group_owner_list+=( "${field_list[1]}" ) - state_mode_list+=( "${field_list[2]}" ) - state_file_list+=( "${field_list[3]}" ) - done < "${state_file}" - fi -} - -load_state() { - ## Config format: - ## path options - ## where options is one of: - ## user_owner group_owner filemode [capability-setting] - ## [nosuid|exactwhitelist|matchwhitelist|disablewhitelist] - ## - ## Additionally, the special value 'whitelists_disable_all=true' is understood - ## to mean that all whitelisting should be ignored. - - local config_file line field_list policy_nosuid_file_item policy_file_item - - ## Load configuration, deferring whitelist handling until later - for config_file in \ - /usr/lib/permission-hardener.d/*.conf \ - /etc/permission-hardener.d/*.conf \ - /usr/local/etc/permission-hardener.d/*.conf \ - /etc/permission-hardening.d/*.conf \ - /usr/local/etc/permission-hardening.d/*.conf - do - if [ ! -f "${config_file}" ]; then - continue - fi - - while read -r line; do - if [ -z "${line}" ]; then - true 'DEBUG: line is empty. Skipping.' - continue - fi - - if [[ "${line}" =~ ^\s*# ]]; then - continue - fi - - if ! [[ "${line}" =~ ^[-0-9a-zA-Z._/[:space:]]*$ ]]; then - exit_code=200 - log error "Line contains invalid characters: '${line}'" >&2 - ## Safer to exit with error in this case. - ## https://forums.whonix.org/t/disable-suid-binaries/7706/59 - exit "${exit_code}" - fi - - if [ "${line}" = 'whitelists_disable_all=true' ]; then - whitelists_disable_all=true - log info "whitelists_disable_all=true" - continue - fi - - processed_config_line="${line}" - - IFS=' ' read -r -a field_list <<< "${line}" - - case "${#field_list[@]}" in - 2|4|5) true;; - *) - exit_code=200 - log error "Line contains an invalid number of fields: '${line}'" >&2 - exit "${exit_code}" - ;; - esac - - # Strip trailing slash if appropriate - field_list[0]="${field_list[0]%/}" - - case "${field_list[1]}" in - 'exactwhitelist') - [ ! -e "${field_list[0]}" ] && continue - policy_exact_white_list+=( "${field_list[0]}" ) - continue - ;; - 'matchwhitelist') - policy_match_white_list+=( "${field_list[0]}" ) - continue - ;; - 'disablewhitelist') - policy_disable_white_list+=( "${field_list[0]}" ) - continue - ;; - 'nosuid') - [ ! -e "${field_list[0]}" ] && continue - policy_nosuid_file_list+=( "${field_list[0]}" ) - ;; - *) - [ ! -e "${field_list[0]}" ] && continue - add_to_policy "${field_list[@]}" - ;; - esac - done < "${config_file}" - done - - ## We have to handle nosuid files at the end since the whitelist arrays need - ## built first. - for policy_nosuid_file_item in "${policy_nosuid_file_list[@]}"; do - load_early_nosuid_policy "${policy_nosuid_file_item}" - done - - load_state_without_policy - - ## Find any files in the policy that don't already have a matching file in - ## the state. Add those files to the state, and save them to the state file - ## as well. - for policy_file_item in "${policy_file_list[@]}"; do - if [[ " ${state_file_list[*]} " =~ " ${policy_file_item} " ]]; then - continue - fi - output_stat "${policy_file_item}" - if [ -z "${file_name_from_stat}" ]; then - continue - fi - state_file_list+=( "${file_name_from_stat}" ) - state_user_owner_list+=( "${existing_owner}" ) - state_group_owner_list+=( "${existing_group}" ) - state_mode_list+=( "${existing_mode}" ) - # shellcheck disable=SC2086 - echo_wrapper_audit silent dpkg-statoverride \ - ${dpkg_admindir_parameter_existing_mode} \ - --add "${existing_owner}" "${existing_group}" "${existing_mode}" \ - "${file_name_from_stat}" - done - - ## Fix up nosuid policies using state information - for policy_nosuid_file_item in "${policy_nosuid_file_list[@]}"; do - load_late_nosuid_policy "${policy_nosuid_file_item}" - done -} - -apply_policy() { - local policy_idx did_state_update state_idx - - ## Modify the in-memory state so that all items that the policy affects match - ## the policy. DO NOT save these changes to the state file! - for (( policy_idx=0; policy_idx < ${#policy_file_list[@]}; policy_idx++ )); do - did_state_update=false - for (( state_idx=0; state_idx < ${#state_file_list[@]}; state_idx++ )); do - if [ "${state_file_list[state_idx]}" = "${policy_file_list[policy_idx]}" ]; then - state_user_owner_list[state_idx]="${policy_user_owner_list[policy_idx]}" - state_group_owner_list[state_idx]="${policy_group_owner_list[policy_idx]}" - state_mode_list[state_idx]="${policy_mode_list[policy_idx]}" - did_state_update=true - break - fi - done - if [ "${did_state_update}" = 'false' ]; then - exit_code=206 - log error \ - "File exists in policy but not in state! File: '${policy_file_list[policy_idx]}'" - exit "${exit_code}" - fi - done -} - -commit_policy() { - local policy_idx state_idx state_file_item \ - state_user_owner_item state_group_owner_item \ - state_mode_item orig_main_statoverride_db orig_new_statoverride_db \ - policy_file_item policy_capability_item - - ## Check each file on the filesystem against the state, and update it if the - ## state does not match. Also ensure the consistency of the new_mode database - ## so that people can compare the original permissions of files with the new - ## permissions. - orig_main_statoverride_db="$(dpkg-statoverride --list)" || true - # shellcheck disable=SC2086 - orig_new_statoverride_db="$(dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --list)" || true - - for (( state_idx=0; state_idx < ${#state_file_list[@]}; state_idx++ )); do - state_file_item="${state_file_list[state_idx]}" - state_user_owner_item="${state_user_owner_list[state_idx]}" - state_group_owner_item="${state_group_owner_list[state_idx]}" - state_mode_item="${state_mode_list[state_idx]}" - - ## Get rid of leading zeros, stat doesn't output them due to how we use it. - ## Using BASH_REMATCH is faster than sed. We capture all leading zeros into - ## one group, and the rest of the string into a second group. The second - ## group is the string we want. BASH_REMATCH[0] is the entire string, - ## BASH_REMATCH[1] is the first match that we want to discard, and - ## BASH_REMATCH[2] is the desired second group. - [[ "${state_mode_item}" =~ ^(0*)(.*) ]] || true; - state_mode_item="${BASH_REMATCH[2]}" - - output_stat "${state_file_item}" - if [ -z "${file_name_from_stat}" ]; then - continue - fi - - if [ "${existing_owner}" != "${state_user_owner_item}" ] \ - || [ "${existing_group}" != "${state_group_owner_item}" ] \ - || [ "${existing_mode}" != "${state_mode_item}" ]; then - if ! [[ "${passwd_file_contents}" =~ "${state_user_owner_item}:" ]]; then - log error "Owner from config does not exist: '${state_user_owner_item}'" >&2 - continue - fi - - if ! [[ "${group_file_contents}" =~ "${state_group_owner_item}:" ]]; then - log error "Group from config does not exist: '${state_group_owner_item}'" >&2 - continue - fi - ## Remove and reapply in main list - if [[ "${orig_main_statoverride_db}" =~ "${file_name_from_stat}" ]]; then - echo_wrapper_ignore silent dpkg-statoverride --remove \ - "${file_name_from_stat}" - fi - echo_wrapper_audit verbose dpkg-statoverride --add --update \ - "${state_user_owner_item}" "${state_group_owner_item}" \ - "${state_mode_item}" "${file_name_from_stat}" - - ## Update item in secondary list - if [[ "${orig_new_statoverride_db}" =~ "${file_name_from_stat}" ]]; then - # shellcheck disable=SC2086 - echo_wrapper_ignore silent dpkg-statoverride \ - ${dpkg_admindir_parameter_new_mode} --remove \ - "${file_name_from_stat}" - fi - # shellcheck disable=SC2086 - echo_wrapper_audit verbose dpkg-statoverride \ - ${dpkg_admindir_parameter_new_mode} --add \ - "${state_user_owner_item}" "${state_group_owner_item}" \ - "${state_mode_item}" "${file_name_from_stat}" - fi - done - - ## Apply capability hardening, dpkg-statoverride can't handle this so we have - ## to do this manually - for (( policy_idx=0; policy_idx < ${#policy_file_list[@]}; policy_idx++ )); do - policy_file_item="${policy_file_list[policy_idx]}" - policy_capability_item="${policy_capability_list[policy_idx]}" - if [ -z "${policy_capability_item}" ]; then - continue - fi - - if [ "${policy_capability_item}" = 'none' ]; then - echo_wrapper_ignore verbose setcap -r "${policy_file_item}" - if [ -n "$(getcap -- "${policy_file_item}")" ]; then - exit_code=205 - log error \ - "Removing capabilities failed. File: '${policy_file_item}'" >&2 - continue - fi - else - if ! capsh --print \ - | grep --fixed-strings -- "Bounding set" \ - | grep --quiet -- "${policy_capability_item}"; then - log error \ - "Capability from config does not exist: '${policy_capability_item}'" \ - >&2 - continue - fi - - ## feature request: dpkg-statoverride: support for capabilities - ## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=502580 - echo_wrapper_audit verbose setcap "${policy_capability_item}+ep" \ - -- "${policy_file_item}" - fi - done - - log notice "\ -To compare the current and previous permission modes, install 'meld' (or preferred diff tool) for comparison of file mode changes: - sudo apt install --no-install-recommends meld - meld ${store_dir}/existing_mode/statoverride ${store_dir}/new_mode/statoverride" -} - -undo_policy_for_file() { - local undo_file state_idx state_file_item did_undo \ - undo_all verbose orig_main_statoverride_db orig_new_statoverride_db \ - state_user_owner_item state_group_owner_item state_mode_item - - undo_file="${1}" - undo_all=false - verbose='--verbose' - if [ "${undo_file}" = 'all' ]; then - undo_all=true - verbose='' - fi - - if [ ! -f "${state_file}" ]; then - true 'DEBUG: State file does not exist, hardening was not applied before.' - return 0 - fi - - did_undo=false - - for (( state_idx=0; state_idx < ${#state_file_list[@]}; state_idx++ )); do - state_file_item="${state_file_list[state_idx]}" - if [ "${undo_all}" = 'true' ]; then - undo_file="${state_file_item}" - fi - - if [ "${state_file_item}" = "${undo_file}" ]; then - orig_main_statoverride_db="$(dpkg-statoverride --list)" || true - # shellcheck disable=SC2086 - orig_new_statoverride_db="$(dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --list)" || true - - if [[ "${orig_main_statoverride_db}" =~ "${undo_file}" ]]; then - echo_wrapper_ignore silent dpkg-statoverride --remove \ - "${undo_file}" - fi - - if [[ "${orig_new_statoverride_db}" =~ "${undo_file}" ]]; then - # shellcheck disable=SC2086 - echo_wrapper_ignore silent dpkg-statoverride \ - ${dpkg_admindir_parameter_new_mode} --remove \ - "${undo_file}" - fi - - if [ -e "${undo_file}" ]; then - state_user_owner_item="${state_user_owner_list[state_idx]}" - state_group_owner_item="${state_group_owner_list[state_idx]}" - state_mode_item="${state_mode_list[state_idx]}" - chown ${verbose} -- "${state_user_owner_item}:${state_group_owner_item}" \ - "${undo_file}" || exit_code=202 - ## chmod needs to be run after chown since chown removes suid. - chmod ${verbose} "${state_mode_item}" "${undo_file}" || exit_code=203 - else - log info "File does not exist: '${undo_file}'" - fi - did_undo=true - - if [ "${undo_all}" = 'false' ]; then - break - fi - fi - done - - if ! [[ "${did_undo}" = 'false' ]]; then - log info "The specified file is not hardened, leaving unchanged. - - File '${undo_file}' has not been removed from SUID Disabler and Permission Hardener during this invocation. This is expected if no policy was ever applied to the file before. - - This program expects the full path to the file. Example: - $0 disable /usr/bin/newgrp # absolute path: works - $0 disable newgrp # relative path: does not work - - To remove all: - $0 disable all - - This change might not be permanent. For full instructions, see: - https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener - - To view list of changed by SUID Disabler and Permission Hardener: - https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#View_List_of_Permissions_Changed_by_SUID_Disabler_and_Permission_Hardener - - For re-enabling any specific SUID binary: - https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#Re-Enable_Specific_SUID_Binaries - - For completely disabling SUID Disabler and Permission Hardener: - https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#Disable_SUID_Disabler_and_Permission_Hardener" - fi -} - -print_columns() { - local format_str bogus_str - format_str='' - for bogus_str in "$@"; do - format_str="${format_str}%s\t" - done - format_str="${format_str}\n" - ## Using a dynamically generated format string on purpose. - # shellcheck disable=SC2059 - printf "${format_str}" "$@" -} - -print_policy() { - local policy_idx - - print_columns 'File' 'User' 'Group' 'Mode' 'Capabilities' - - for (( policy_idx=0; policy_idx < ${#policy_file_list[@]}; policy_idx++ )); do - print_columns \ - "${policy_file_list[policy_idx]}" \ - "${policy_user_owner_list[policy_idx]}" \ - "${policy_group_owner_list[policy_idx]}" \ - "${policy_mode_list[policy_idx]}" \ - "${policy_capability_list[policy_idx]}" - done -} - -print_state() { - local state_idx - - print_columns 'File' 'User' 'Group' 'Mode' - for (( state_idx=0; state_idx < ${#state_file_list[@]}; state_idx++ )); do - print_columns \ - "${state_file_list[state_idx]}" \ - "${state_user_owner_list[state_idx]}" \ - "${state_group_owner_list[state_idx]}" \ - "${state_mode_list[state_idx]}" - done -} - -print_raw_policy_config() { - local config_file - for config_file in \ - /usr/lib/permission-hardener.d/*.conf \ - /etc/permission-hardener.d/*.conf \ - /usr/local/etc/permission-hardener.d/*.conf \ - /etc/permission-hardening.d/*.conf \ - /usr/local/etc/permission-hardening.d/*.conf - do - if [ ! -f "${config_file}" ]; then - continue - fi - echo "*** begin ${config_file} ***" - cat "${config_file}" - echo "*** end ${config_file} ***" - done -} - -print_raw_state() { - local state_file - for state_file in "${store_dir}/existing_mode/statoverride" \ - "${store_dir}/new_mode/statoverride"; do - echo "*** begin ${state_file} ***" - cat "${state_file}" - echo "*** end ${state_file} ***" - done -} - -print_fs_audit() { - local state_idx state_file_item state_user_owner_item state_group_owner_item \ - state_mode_item - - echo 'Legend:' - echo '... - Warning about an unusual, but not necessarily wrong, condition' - echo '!!! - Warning about an unusual and definitely wrong condition' - echo '*** - File permission data, actual state on filesystem is consistent with policy' - echo '^^^ - File permission data, actual state on filesystem is inconsistent with policy' - echo 'vvv - File permissions specified by state, always shown after a ^^^ item' - echo - - for (( state_idx=0; state_idx < ${#state_file_list[@]}; state_idx++ )); do - state_file_item="${state_file_list[state_idx]}" - state_user_owner_item="${state_user_owner_list[state_idx]}" - state_group_owner_item="${state_group_owner_list[state_idx]}" - state_mode_item="${state_mode_list[state_idx]}" - - ## Get rid of leading zeros, stat doesn't output them due to how we use it. - ## Using BASH_REMATCH is faster than sed. We capture all leading zeros into - ## one group, and the rest of the string into a second group. The second - ## group is the string we want. BASH_REMATCH[0] is the entire string, - ## BASH_REMATCH[1] is the first match that we want to discard, and - ## BASH_REMATCH[2] is the desired second group. - [[ "${state_mode_item}" =~ ^(0*)(.*) ]] || true; - state_mode_item="${BASH_REMATCH[2]}" - - output_stat "${state_file_item}" - if [ -z "${file_name_from_stat}" ]; then - echo "... '${file_name_from_stat}' does not exist" - continue - fi - - if [ "${existing_owner}" != "${state_user_owner_item}" ] \ - || [ "${existing_group}" != "${state_group_owner_item}" ] \ - || [ "${existing_mode}" != "${state_mode_item}" ]; then - if ! [[ "${passwd_file_contents}" =~ "${state_user_owner_item}:" ]]; then - echo "!!! Owner from config does not exist: '${state_user_owner_item}'" - continue - fi - - if ! [[ "${group_file_contents}" =~ "${state_group_owner_item}:" ]]; then - echo "!!! Group from config does not exist: '${state_group_owner_item}'" - continue - fi - - echo "^^^ ${file_name_from_stat} ${existing_owner}:${existing_group} ${existing_mode}" - echo "vvv ${file_name_from_stat} ${state_user_owner_item}:${state_group_owner_item} ${state_mode_item}" - else - echo "*** ${file_name_from_stat} ${existing_owner}:${existing_group} ${existing_mode}" - fi - done -} - -reset_global_vars() { - ## Global variables - policy_file_list=() - policy_user_owner_list=() - policy_group_owner_list=() - policy_mode_list=() - policy_capability_list=() - policy_exact_white_list=() - policy_match_white_list=() - policy_disable_white_list=() - policy_nosuid_file_list=() - state_file_list=() - state_user_owner_list=() - state_group_owner_list=() - state_mode_list=() - whitelists_disable_all=false - existing_mode='' - existing_owner='' - existing_group='' - processed_config_line='' - file_name_from_stat='' - passwd_file_contents="$(getent passwd)" - group_file_contents="$(getent group)" - exit_code=0 -} - -reset_global_vars - -## Setup and sanity checking -if [ "$(id -u)" != '0' ]; then - log error "Not running as root, aborting." - exit 1 -fi - -mkdir --parents "${store_dir}/existing_mode" -mkdir --parents "${store_dir}/new_mode" - -echo_wrapper_audit silent which capsh getcap setcap stat find \ - dpkg-statoverride getent grep 1>/dev/null - -## Command parsing and execution -case "${1:-}" in - enable) - shift - load_state - apply_policy - commit_policy - ;; - disable) - shift - case "${1:-}" in - "") - print_usage - exit 1 - ;; - *) - load_state_without_policy - undo_policy_for_file "${1}" - ;; - esac - ;; - print-policy) - load_state - print_policy - ;; - print-state) - load_state - print_state - ;; - print-policy-applied-state) - load_state - apply_policy - print_state - ;; - print-diagnostics) - echo '=== BEGIN PERMISSION-HARDENER DIAGNOSTICS ===' - - echo '--- BEGIN State without policy ---' - load_state_without_policy - print_state - echo '--- END State without policy ---' - - reset_global_vars - - echo '--- BEGIN Policy without state ---' - load_state - print_policy - echo '--- END Policy without state ---' - - reset_global_vars - - echo '--- BEGIN Policy-applied-state ---' - load_state - apply_policy - print_state - echo '--- END Policy-applied state ---' - - reset_global_vars - - echo '--- BEGIN Master dpkg-statoverride database ---' - dpkg-statoverride --list - echo '--- END Master dpkg-statoverride database ---' - - echo '--- BEGIN Raw policy configuration ---' - print_raw_policy_config - echo '--- END Raw policy configuration ---' - - echo '--- BEGIN Raw state data ---' - print_raw_state - echo '--- END Raw state data ---' - - echo '--- BEGIN Filesystem state audit ---' - load_state - apply_policy - print_fs_audit - echo '--- END Filesystem state audit ---' - - echo '=== END PERMISSION-HARDENER DIAGNOSTICS ===' - ;; - -h|--help) - print_usage - exit 0 - ;; - *) - print_usage - exit 1 - ;; -esac - -## Exit -if test "${exit_code}" != "0"; then - log error "Exiting with non-zero exit code: '${exit_code}'" >&2 -fi - -exit "${exit_code}" diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure deleted file mode 100755 index 865867d..0000000 --- a/usr/bin/remount-secure +++ /dev/null @@ -1,388 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## features: -## - nodev,nosuid where appropriate -## - optional noexec for most except /home -## - optional noexec for all including /home -## - idempotent (script can be safely re-run) -## - can be run from: -## - systemd -## - dracut -## - manually from command line -## - can safely handle non-existing folders -## - error handling -## - log output: -## - shows each and every command executed -## - shows old mount options prior running remount-secure -## - shows new mount options after running remount-secure - -## noexec in /tmp and/or /home can break some malware but also legitimate -## applications. - -## https://www.kicksecure.com/wiki/Noexec -## https://www.kicksecure.com/wiki/Dev/remount-secure -## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707 - -#set -x -set -e -set -o pipefail -set -o nounset - -init() { - if test -o xtrace ; then - output_command=true - else - output_command=echo - fi - - $output_command "$0: INFO: START" - - ## dracut does not have id. Saving space in initial ramdisk. - if command -v id &>/dev/null ; then - if [ "$(id -u)" != "0" ]; then - $output_command "ERROR: must be run as root! sudo $0" - exit 1 - fi - fi - - mkdir --parents "/run/remount-secure" - exit_code=0 - - ## dracut sets NEWROOT=/sysroot - [[ -v NEWROOT ]] || NEWROOT="" - if [ "$NEWROOT" = "" ]; then - $output_command "INFO: dracut detected: no" - else - $output_command "INFO: dracut detected: yes - NEWROOT: '$NEWROOT'" - fi - - ## Debugging. - #echo "ls -la /root/" - #ls -la / || true - #echo "ls -la /sysroot/" - #ls -la /sysroot/ || true - #echo "env" - #env || true -} - -parse_options() { - ## Thanks to: - ## https://mywiki.wooledge.org/BashFAQ/035 - - while : - do - case ${1:-} in - 0) - $output_command "WARNING: Not using remount-secure." - exit 0 - shift - ;; - 1) - $output_command "INFO: level 1/3 (low)" - most_noexec_maybe="" - home_noexec_maybe="" - parsed=true - shift - ;; - 2) - $output_command "INFO: level 2/3 (medium)" - most_noexec_maybe=",noexec" - home_noexec_maybe="" - parsed=true - shift - ;; - 3) - $output_command "INFO: level 3/3 (high)" - most_noexec_maybe=",noexec" - home_noexec_maybe=",noexec" - parsed=true - shift - ;; - --force) - $output_command "INFO: --force" - option_force=true - shift - ;; - --) - shift - break - ;; - -*) - echo "ERROR: unknown option: $1" >&2 - exit 1 - ;; - *) - break - ;; - esac - done - - [[ -v option_force ]] || option_force="" - [[ -v parsed ]] || parsed=false - [[ -v home_noexec_maybe ]] || home_noexec_maybe="" - [[ -v most_noexec_maybe ]] || most_noexec_maybe="" - - $output_command "INFO: using nosuid,nodev: yes" - - if [ "$home_noexec_maybe" = "" ]; then - $output_command "INFO: using noexec for all: no" - else - $output_command "INFO: using noexec for all: yes" - return 0 - fi - - if [ "$most_noexec_maybe" = "" ]; then - $output_command "INFO: using noexec for most: no" - else - $output_command "INFO: using noexec for most (not all): yes" - return 0 - fi - - if [ "$parsed" = "true" ]; then - return 0 - fi - - $output_command "ERROR: syntax error. use either: -$0 0 -$0 1 -$0 2 -$0 3" - - exit 1 -} - -preparation() { - ## Debugging. - #$output_command "INFO: 'findmnt --list' output at the START." - #$output_command "$(findmnt --list)" - #$output_command "" - true -} - -remount_secure() { - $output_command "" - - ## ${FUNCNAME[1]} is the name of the calling function. I.e. the function - ## which called this function. - status_file_name="${FUNCNAME[1]}" - ## example status_file_name: - ## _home - status_file_full_path="/run/remount-secure/${status_file_name}" - ## example status_file_full_path: - ## /run/remount-secure/_home - - old_mount_options="$(findmnt --noheadings --output options -- "$mount_folder")" || true - ## example old_mount_options: - ## rw,nosuid,nodev,relatime,discard - - $output_command "INFO: '$mount_folder' old_mount_options: '$old_mount_options'" - - if echo "$old_mount_options" | grep --quiet "$intended_mount_options" ; then - $output_command "INFO: '$mount_folder' has already intended mount options. ('$intended_mount_options')" - return 0 - fi - - ## When this package is upgraded, the systemd unit will run again. - ## If the user meanwhile manually relaxed mount options, this should not be undone. - - if [ ! "$option_force" == "true" ]; then - if [ -e "$status_file_full_path" ]; then - $output_command "INFO: '$mount_folder' already remounted earlier. Not remounting again. Use --force if this is what you want." - return 0 - fi - fi - - if ! test -d "$mount_folder" ; then - ## For example /boot/efi does not always exist on all systems. - $output_command "INFO: '$mount_folder' folder exists: no" - return 0 - fi - $output_command "INFO: '$mount_folder' folder exists: yes" - - if findmnt --noheadings "$mount_folder" >/dev/null ; then - $output_command "INFO: '$mount_folder' already mounted, therefore using remount." - $output_command INFO: Executing: mount --make-private --options "remount,${intended_mount_options}" "$mount_folder" - mount --make-private --options "remount,${intended_mount_options}" "$mount_folder" || exit_code=100 - else - $output_command "INFO: '$mount_folder' not yet mounted, therefore using mount bind." - $output_command INFO: Executing: mount --make-private --options "$intended_mount_options" --bind "$mount_folder" "$mount_folder" - mount --make-private --options "$intended_mount_options" --bind "$mount_folder" "$mount_folder" || exit_code=101 - fi - - new_mount_options="$(findmnt --noheadings --output options -- "$mount_folder")" || true - $output_command "INFO: '$mount_folder' new_mount_options: '$new_mount_options'" - - touch "$status_file_full_path" -} - -_boot() { - mount_folder="$NEWROOT/boot" - ## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html - intended_mount_options="nosuid,nodev,noexec" - remount_secure -} - -_boot_efi() { - ## TODO: new, test - mount_folder="$NEWROOT/boot/efi" - intended_mount_options="nosuid,nodev,noexec" - remount_secure -} - -_run() { - mount_folder="/run" - ## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html - intended_mount_options="nosuid,nodev${most_noexec_maybe}" - remount_secure -} - -_dev() { - mount_folder="/dev" - ## /dev should be nosuid,noexec as per: - ## https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1991975 - intended_mount_options="nosuid,noexec" - remount_secure -} - -_dev_shm() { - mount_folder="/dev/shm" - intended_mount_options="nosuid,nodev${most_noexec_maybe}" - remount_secure -} - -_sys() { - ## TODO: new, test - mount_folder="/sys" - intended_mount_options="nosuid,nodev,noexec" - remount_secure -} - -_tmp() { - mount_folder="$NEWROOT/tmp" - intended_mount_options="nosuid,nodev${most_noexec_maybe}" - remount_secure -} - -_var_tmp() { - mount_folder="$NEWROOT/var/tmp" - intended_mount_options="nosuid,nodev${most_noexec_maybe}" - remount_secure -} - -_var_log() { - mount_folder="$NEWROOT/var/log" - intended_mount_options="nosuid,nodev,noexec" - remount_secure -} - -_var() { - mount_folder="$NEWROOT/var" - ## noexec: Not possible. Reason: - ## Debian stores executable maintainer scripts in /var/lib/dpkg/info folder. - intended_mount_options="nosuid,nodev" - remount_secure -} - -_usr() { - ## TODO: new, test - mount_folder="$NEWROOT/usr" - intended_mount_options="nodev" - remount_secure -} - -_home() { - mount_folder="$NEWROOT/home" - intended_mount_options="nosuid,nodev${home_noexec_maybe}" - remount_secure -} - -_root() { - ## TODO: new, test - mount_folder="$NEWROOT/root" - intended_mount_options="nosuid,nodev${home_noexec_maybe}" - remount_secure -} - -_srv() { - ## TODO: new, test - mount_folder="$NEWROOT/srv" - intended_mount_options="nosuid,nodev${most_noexec_maybe}" - remount_secure -} - -_media() { - ## TODO: new, test - mount_folder="$NEWROOT/media" - intended_mount_options="nosuid,nodev${most_noexec_maybe}" - remount_secure -} - -_mnt() { - ## TODO: new, test - mount_folder="$NEWROOT/mnt" - intended_mount_options="nosuid,nodev${most_noexec_maybe}" - remount_secure -} - -_opt() { - ## TODO: new, test - mount_folder="$NEWROOT/opt" - ## Allow /opt exec as usually optional binaries are placed there such as Firefox - ## when manually installed from tarball. - intended_mount_options="nosuid,nodev" - remount_secure -} - -_etc() { - ## TODO: new, test - ## /etc cannot be noexec because various executables are there. To find, run: - ## sudo find /etc -executable - mount_folder="$NEWROOT/etc" - intended_mount_options="nosuid,nodev" - remount_secure -} - -end() { - ## Debugging. - #$output_command "INFO: 'findmnt --list' output at the END." - #$output_command "$(findmnt --list)" - - $output_command "" - $output_command "INFO: exit_code: $exit_code" - $output_command "$0: INFO: END" - exit $exit_code -} - -main() { - init - parse_options "$@" - preparation - - _boot - _boot_efi - _run - _dev - _dev_shm - _tmp - _var_tmp - _var_log - _var - _usr - _home - _root - _srv - _media - _mnt - _opt - _etc - - end -} - -## TODO: see also hidepid /usr/lib/systemd/system/proc-hidepid.service -#mount --options defaults,nosuid,nodev,noexec,remount,subset=pid /proc - -main "$@" diff --git a/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf b/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf deleted file mode 100644 index 3d0a483..0000000 --- a/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf +++ /dev/null @@ -1,13 +0,0 @@ -## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## MAC randomisation breaks root server and VirtualBox DHCP likely due to IPv6 Privacy Extensions. -## -## https://datatracker.ietf.org/doc/html/rfc4941 -## https://github.com/Kicksecure/security-misc/pull/145 -## https://github.com/Kicksecure/security-misc/issues/184 -## -## The use of IPv6 Privacy Extenstions is currently diasbled due to these breakages. - -#[connection] -#ipv6.ip6-privacy=2 diff --git a/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf b/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf deleted file mode 100644 index 8088591..0000000 --- a/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf +++ /dev/null @@ -1,17 +0,0 @@ -## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## MAC randomisation breaks root server and VirtualBox DHCP likely due to IPv6 Privacy Extensions. -## -## https://datatracker.ietf.org/doc/html/rfc4941 -## https://github.com/Kicksecure/security-misc/pull/145 -## https://github.com/Kicksecure/security-misc/issues/184 -## -## The use of IPv6 Privacy Extenstions is currently diasbled due to these breakages. - -#[device-mac-randomization] -#wifi.scan-rand-mac-address=yes - -#[connection-mac-randomization] -#ethernet.cloned-mac-address=random -#wifi.cloned-mac-address=random diff --git a/usr/lib/dracut/modules.d-disabled/20remount-secure/module-setup.sh b/usr/lib/dracut/modules.d-disabled/20remount-secure/module-setup.sh deleted file mode 100755 index 8917091..0000000 --- a/usr/lib/dracut/modules.d-disabled/20remount-secure/module-setup.sh +++ /dev/null @@ -1,44 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -# called by dracut -check() { - ## For debugging only. - ## Saving space in initial ramdisk. - #require_binaries id || return 1 - #require_binaries env || return 1 - - require_binaries findmnt || return 1 - require_binaries touch || return 1 - require_binaries grep || return 1 - require_binaries mount || return 1 - require_binaries remount-secure || return 1 - return 0 -} - -# called by dracut -depends() { - return 0 -} - -# called by dracut -install() { - ## For debugging only. - ## Saving space in initial ramdisk. - #inst_multiple id - #inst_multiple env - - inst_multiple findmnt - inst_multiple touch - inst_multiple grep - inst_multiple mount - inst_multiple remount-secure - inst_hook cleanup 90 "$moddir/remount-secure.sh" -} - -# called by dracut -installkernel() { - return 0 -} diff --git a/usr/lib/dracut/modules.d-disabled/20remount-secure/remount-secure.sh b/usr/lib/dracut/modules.d-disabled/20remount-secure/remount-secure.sh deleted file mode 100755 index 0e0a0c1..0000000 --- a/usr/lib/dracut/modules.d-disabled/20remount-secure/remount-secure.sh +++ /dev/null @@ -1,23 +0,0 @@ -#!/bin/sh - -## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## This script is intended to remount specified mount points with more secure -## options based on kernel command line parameters. - -remount_hook() { - local remountsecure_action - ## getarg returns the last parameter only. - ## If /proc/cmdline contains 'remountsecure=0 remountsecure=1' the last one wins. - remountsecure_action=$(getarg remountsecure) - - if ! remount-secure $remountsecure_action; then - warn "$0: ERROR: 'remount-secure $remountsecure_action' failed." - return 1 - fi - info "$0: INFO: 'remount-secure $remountsecure_action' success." - return 0 -} - -remount_hook diff --git a/usr/lib/issue.d/20_security-misc.issue b/usr/lib/issue.d/20_security-misc.issue deleted file mode 100644 index d03f39b..0000000 --- a/usr/lib/issue.d/20_security-misc.issue +++ /dev/null @@ -1,2 +0,0 @@ -By continuing, you acknowledge and give consent that the owner of this system has a right to keep a log of all activity. -Unauthorized access is strictly prohibited and may result in legal action. Do not proceed! diff --git a/usr/lib/modules-load.d/30_security-misc.conf b/usr/lib/modules-load.d/30_security-misc.conf deleted file mode 100644 index 6ee13ca..0000000 --- a/usr/lib/modules-load.d/30_security-misc.conf +++ /dev/null @@ -1,7 +0,0 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## https://www.kicksecure.com/wiki/Dev/Entropy -## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927972 -## https://forums.whonix.org/t/jitterentropy-rngd/7204 -jitterentropy_rng diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf b/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf deleted file mode 100644 index f1e873f..0000000 --- a/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf +++ /dev/null @@ -1,8 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardener.d/20_user.conf" or -## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom -## configuration. When security-misc is updated, this file may be overwritten. - -/usr/bin/bwrap exactwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf b/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf deleted file mode 100644 index bdb2b2a..0000000 --- a/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf +++ /dev/null @@ -1,17 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardener.d/20_user.conf" or -## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom -## configuration. When security-misc is updated, this file may be overwritten. - -## Chrome/Chromium now uses namespace-based sandboxing rather than a SUID -## sandbox for most use cases, and while the SUID sandbox is still technically -## supported [1], it's also virtually unused [2]. Chromium still works fine -## when it is stripped of its SUID bit and rendered no longer executable, -## and opening `chrome://sandbox` while in this state shows that sandboxing is -## still working perfectly fine. -## -## [1] https://chromium.googlesource.com/chromium/src/+/0e94f26e8/docs/linux_sandboxing.md -## [2] https://chromium.googlesource.com/chromium/src/+/0e94f26e8/docs/linux_suid_sandbox.md -#chrome-sandbox matchwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf b/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf deleted file mode 100644 index 4b455ae..0000000 --- a/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf +++ /dev/null @@ -1,16 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardener.d/20_user.conf" or -## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom -## configuration. When security-misc is updated, this file may be overwritten. - -## Needed for D-Bus system activation to work. -## https://dbus.freedesktop.org/doc/system-activation.txt -## -## May be vital for desktop features to work normally. -## -## Appears to have been designed with security in mind and can only be called -## by root or a user in the `messagebus` group (which currently has one member, -## namely user `messagebus`). -dbus-daemon-launch-helper matchwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf b/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf deleted file mode 100644 index e3441e1..0000000 --- a/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf +++ /dev/null @@ -1,11 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardener.d/20_user.conf" or -## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom -## configuration. When security-misc is updated, this file may be overwritten. - -## There is a controversy about firejail but those who choose to install it -## should be able to use it. -## https://www.kicksecure.com/wiki/Dev/Firejail#Security -/usr/bin/firejail exactwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf b/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf deleted file mode 100644 index 084510c..0000000 --- a/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf +++ /dev/null @@ -1,17 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardener.d/20_user.conf" or -## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom -## configuration. When security-misc is updated, this file may be overwritten. - -## Critical component of FUSE (Filesystem in USErspace) -## -## Used by things such as: -## - AppImages -## - such as electrum Bitcoin wallet -## - Docker -## If not SUID, unprivileged users will be unable to use FUSE any longer. -## -## https://forums.whonix.org/t/disable-suid-binaries/7706/57 -/fusermount matchwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf b/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf deleted file mode 100644 index acf20b6..0000000 --- a/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf +++ /dev/null @@ -1,9 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardener.d/20_user.conf" or -## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom -## configuration. When security-misc is updated, this file may be overwritten. - -libhardened_malloc.so matchwhitelist -libhardened_malloc-light.so matchwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf b/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf deleted file mode 100644 index ac5e9d1..0000000 --- a/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf +++ /dev/null @@ -1,17 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardener.d/20_user.conf" or -## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom -## configuration. When security-misc is updated, this file may be overwritten. - -## https://forums.whonix.org/t/disable-suid-binaries/7706/61 -## Protect from 'chmod -x' (and SUID removal). -## SUID will be removed below in separate step. -/usr/bin/mount exactwhitelist -/usr/bin/umount exactwhitelist - -## Remove SUID from 'mount' but keep executable. -## https://forums.whonix.org/t/disable-suid-binaries/7706/61 -/usr/bin/mount 755 root root -/usr/bin/umount 755 root root diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf b/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf deleted file mode 100644 index b787e5f..0000000 --- a/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf +++ /dev/null @@ -1,22 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardener.d/20_user.conf" or -## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom -## configuration. When security-misc is updated, this file may be overwritten. - -## Used by the pam_tmpdir module to create a secure temporary directory for the -## user that is logging in. -## https://manpages.ubuntu.com/manpages/oracular/man8/pam-tmpdir-helper.8.html -## Apparently specific to Debian, there isn't actually any Git repo with this -## code in it, it's just a "floating" package in the Debian archive. Written by -## the same person who maintains the package. Almost certainly cannot be -## disabled without causing serious problems, but may be worth auditing. -## (Worthy of note, it doesn't seem this program takes any user input, but -## relies solely on the calling user's UID and GID, though this could require -## further review.) -## -## Without this, Xfce fails to start with a dbus-launch error. -## -## TODO: audit pam-tmpdir-helper -pam-tmpdir-helper matchwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf b/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf deleted file mode 100644 index e7bc816..0000000 --- a/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf +++ /dev/null @@ -1,15 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardener.d/20_user.conf" or -## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom -## configuration. When security-misc is updated, this file may be overwritten. - -# Keep the `passwd` utility executable to prevent issues with the -# /usr/libexec/security-misc/pam-abort-on-locked-password script blocking -# user logins with `su` and KScreenLocker. exactwhitelist is needed to keep -# the nosuid rule on /usr/bin from fighting with these rules. -# -# See also: https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#passwd -/usr/bin/passwd exactwhitelist -/usr/bin/passwd 0755 root root diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf b/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf deleted file mode 100644 index de20400..0000000 --- a/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf +++ /dev/null @@ -1,27 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardener.d/20_user.conf" or -## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom -## configuration. When security-misc is updated, this file may be overwritten. - -## user-sysmaint-split hardens this further. -/usr/bin/pkexec exactwhitelist -/usr/bin/pkexec.security-misc-orig exactwhitelist - -## Required for PolicyKit (Polkit) to function. -## -## https://polkit-devel.freedesktop.narkive.com/zXO4yEg7/documentation-on-polkit-agent-helper-1-and-suid# -## https://gitlab.freedesktop.org/polkit/polkit/-/issues/168 -## https://cgit.freedesktop.org/polkit/tree/src/polkitagent/polkitagenthelper-pam.c#n93 -## -## Changing permissions here may break more than just normal privilege escalation. -## May be safe to disable for users other than sysmaint similar to what was done with pkexec and sudo, -## however even that might not be safe. -## -## matches both: -## - /usr/lib/policykit-1/polkit-agent-helper-1 -## - /lib/policykit-1/polkit-agent-helper-1 -## -## user-sysmaint-split hardens this further. -polkit-agent-helper-1 matchwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf b/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf deleted file mode 100644 index bf76069..0000000 --- a/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf +++ /dev/null @@ -1,10 +0,0 @@ -## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardener.d/20_user.conf" or -## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom -## configuration. When security-misc is updated, this file may be overwritten. - -## TODO: research and document -postqueue matchwhitelist -postdrop matchwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf b/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf deleted file mode 100644 index 40f9b59..0000000 --- a/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf +++ /dev/null @@ -1,24 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardener.d/20_user.conf" or -## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom -## configuration. When security-misc is updated, this file may be overwritten. - -## TODO: research -## https://github.com/QubesOS/qubes-core-agent-linux/blob/master/qubes-rpc/qfile-unpacker.c -## -## Historic Qubes upstream security issue: -## qfile-unpacker allows unprivileged users in VMs to gain root privileges -## https://github.com/QubesOS/qubes-issues/issues/8633 -## -## matches both: -## - /usr/lib/qubes/qfile-unpacker whitelist -## - Not bit-for-bit identical to /usr/lib/qubes/qfile-unpacker. -## - Stripping SUID from this does *not* break file copying. -## - TODO: further reserach required on its purpose -## - /usr/bin/qfile-unpacker -## - Appears to be an integral part of file transfer between qubes, stripping -## SUID from this in an AppVM results in that AppVM being unable to receive -## files any longer. (It can still send files to other qubes though.) -qfile-unpacker matchwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf b/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf deleted file mode 100644 index 62d3198..0000000 --- a/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf +++ /dev/null @@ -1,9 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardener.d/20_user.conf" or -## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom -## configuration. When security-misc is updated, this file may be overwritten. - -## TODO: research and document -/utempter/utempter matchwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf b/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf deleted file mode 100644 index 5b79059..0000000 --- a/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf +++ /dev/null @@ -1,9 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardener.d/20_user.conf" or -## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom -## configuration. When security-misc is updated, this file may be overwritten. - -## TODO: research and document -spice-client-glib-usb-acl-helper matchwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf b/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf deleted file mode 100644 index 8688dfe..0000000 --- a/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf +++ /dev/null @@ -1,15 +0,0 @@ -## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardener.d/20_user.conf" or -## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom -## configuration. When security-misc is updated, this file may be overwritten. - -## Used only for SSH host-based authentication -## https://linux.die.net/man/8/ssh-keysign -## Needed to allow access to the machine's host key for use in the -## authentication process. This is a non-default method of authenticating to -## SSH, and is likely rarely used, thus this should be safe to disable. -#ssh-agent matchwhitelist -#ssh-keysign matchwhitelist -#/usr/lib/openssh matchwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf b/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf deleted file mode 100644 index e15b265..0000000 --- a/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf +++ /dev/null @@ -1,9 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardener.d/20_user.conf" or -## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom -## configuration. When security-misc is updated, this file may be overwritten. - -## user-sysmaint-split hardens this further. -/usr/bin/sudo exactwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf b/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf deleted file mode 100644 index 1faf380..0000000 --- a/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf +++ /dev/null @@ -1,10 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardener.d/20_user.conf" or -## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom -## configuration. When security-misc is updated, this file may be overwritten. - -## required for performing password validation from unprivileged user -## processes such as KScreenLocker's unlock prompt -/usr/sbin/unix_chkpwd exactwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf b/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf deleted file mode 100644 index 76c2eee..0000000 --- a/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf +++ /dev/null @@ -1,15 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardener.d/20_user.conf" or -## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom -## configuration. When security-misc is updated, this file may be overwritten. - -## TODO: research -/usr/lib/virtualbox/ matchwhitelist -VirtualBoxVM matchwhitelist -VBoxSDL matchwhitelist -VBoxNetNAT matchwhitelist -VBoxNetDHCP matchwhitelist -VBoxHeadless matchwhitelist -VBoxNetAdpCtl matchwhitelist diff --git a/usr/lib/permission-hardener.d/30_default.conf b/usr/lib/permission-hardener.d/30_default.conf deleted file mode 100644 index 27605d9..0000000 --- a/usr/lib/permission-hardener.d/30_default.conf +++ /dev/null @@ -1,122 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardener.d/20_user.conf" or -## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom -## configuration. When security-misc is updated, this file may be overwritten. - -## File permission hardening. -## -## Syntax: -## [filename] [mode] [owner] [group] [capability] -## [filename] [exactwhitelist|matchwhitelist|disablewhitelist|nosuid] -## -## TODO: white spaces inside file name untested and probably will not work. - -###################################################################### -# Global Settings -###################################################################### - -#whitelists_disable_all=true - -###################################################################### -# SUID disables below (or in lexically higher) files: disablewhitelist -###################################################################### - -## For example, if you are not using SELinux the following might make sense to -## enable. TODO: research -#/utempter/utempter disablewhitelist - -## If you are not going to use AppImages such as electrum Bitcoin wallet. -#/fusermount disablewhitelist - -###################################################################### -# SUID whitelist matches full path: exactwhitelist -###################################################################### - -## In case you need to use 'su'. See also: -## https://www.kicksecure.com/wiki/root#su -#/usr/bin/su exactwhitelist - -## https://manpages.debian.org/xserver-xorg-legacy/Xorg.wrap.1.en.html -## https://lwn.net/Articles/590315/ -## https://forums.whonix.org/t/suid-disabler-and-permission-hardener/7706/35 -#/usr/lib/xorg/Xorg.wrap whitelist - -###################################################################### -# SUID whitelist matches in any section of the path: matchwhitelist -###################################################################### - -## Examples below are already configured: -#ssh-agent matchwhitelist -#/usr/lib/openssh matchwhitelist - -###################################################################### -# Permission Hardening -###################################################################### - -/home/ 0755 root root -/root/ 0700 root root -/boot/ 0700 root root -/etc/permission-hardener.d 0600 root root -/usr/local/etc/permission-hardener.d 0600 root root -/usr/lib/modules/ 0700 root root -/usr/src 0700 root root -/etc/cups/cupsd.conf 0400 root root -/etc/syslog.conf 0600 root root -/etc/ssh/sshd_config 0600 root root -/etc/crontab 0600 root root -/etc/cron.d 0700 root root -/etc/cron.daily 0700 root root -/etc/sudoers.d 0700 root root -/etc/cron.hourly 0700 root root -/etc/cron.weekly 0700 root root -/etc/cron.monthly 0700 root root -/etc/group 0644 root root -/etc/group- 0644 root root -/etc/hosts.allow 0644 root root -/etc/hosts.deny 0644 root root -/etc/issue 0644 root root -/etc/issue.net 0644 root root -/etc/motd 0644 root root -/etc/passwd 0644 root root -/etc/passwd- 0644 root root - -###################################################################### -# SUID/SGID Removal: nosuid -###################################################################### - -## To remove all SUID/SGID binaries in a directory, you can use the "nosuid" -## argument. -## -## Remove all SUID/SGID binaries/libraries. - -/opt/ nosuid -/usr/bin/ nosuid -/usr/lib32/ nosuid -/usr/lib64/ nosuid -/usr/lib/ nosuid -/usr/local/bin/ nosuid -/usr/local/lib32/ nosuid -/usr/local/lib64/ nosuid -/usr/local/lib/ nosuid -/usr/local/opt/ nosuid -/usr/local/sbin/ nosuid -/usr/local/usr/bin/ nosuid -/usr/local/usr/lib32/ nosuid -/usr/local/usr/lib64/ nosuid -/usr/local/usr/lib/ nosuid -/usr/local/usr/sbin/ nosuid -/usr/sbin/ nosuid - -###################################################################### -# Capability Removal -###################################################################### - -## Ping doesn't work with Tor anyway so its capabilities are removed to -## reduce attack surface. -## anon-apps-config does this. -#/usr/bin/ping 0744 root root none - -## TODO: research -#/usr/lib/x86_64-linux-gnu/gstreamer1.0/grstreamer-1.0/gst-ptp-helper 0744 root root none diff --git a/usr/lib/security-misc/apt-get-update b/usr/lib/security-misc/apt-get-update new file mode 100755 index 0000000..0d9b7be --- /dev/null +++ b/usr/lib/security-misc/apt-get-update @@ -0,0 +1,32 @@ +#!/bin/bash + +## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +sigterm_trap() { + if [ "$lastpid" = "" ]; then + exit 143 + fi + ps -p "$lastpid" >/dev/null 2>&1 + if [ ! "$?" = "0" ]; then + ## Already terminated. + exit 143 + fi + kill -s sigterm "$lastpid" + exit 143 +} + +trap "sigterm_trap" SIGTERM SIGINT + +timeout_after="240" +kill_after="10" + +timeout \ + --kill-after="$kill_after" \ + "$timeout_after" \ + /usr/lib/security-misc/apt-get-wrapper update & + +lastpid="$!" +wait "$lastpid" + +exit "$?" diff --git a/usr/libexec/security-misc/apt-get-update-sanity-test b/usr/lib/security-misc/apt-get-update-sanity-test similarity index 73% rename from usr/libexec/security-misc/apt-get-update-sanity-test rename to usr/lib/security-misc/apt-get-update-sanity-test index a5b7709..b9ea034 100755 --- a/usr/libexec/security-misc/apt-get-update-sanity-test +++ b/usr/lib/security-misc/apt-get-update-sanity-test @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. set -x diff --git a/usr/lib/security-misc/apt-get-wrapper b/usr/lib/security-misc/apt-get-wrapper new file mode 100755 index 0000000..97c4477 --- /dev/null +++ b/usr/lib/security-misc/apt-get-wrapper @@ -0,0 +1,50 @@ +#!/bin/bash + +## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +set -e +set -o pipefail +set -o errtrace + +cleanup() { + if [ -d "$temp_dir" ]; then + rm --recursive --force "$temp_dir" + fi +} + +temp_dir="$(mktemp --directory)" +logfile="$temp_dir/log" + +trap "cleanup" EXIT + +apt_get_exit_code="0" + +## Thanks to: +## dmw +## http://stackoverflow.com/a/26263980/2605155 +## for the python way to create a pty. + +python -c 'import pty, sys; pty.spawn(sys.argv[1:])' \ + | apt-get "$@" 2>&1 \ + | tee -a "$logfile" \ + || { apt_get_exit_code="$?"; true; }; + +if [ ! "$apt_get_exit_code" = "0" ]; then + exit "$apt_get_exit_code" +fi + +log="$(cat "$logfile")" + +while read -r -d $'\n' line; do + line_lower_case="${line,,}" + first_two="${line_lower_case:0:2}" + if [ "$first_two" = "e:" ]; then + exit 125 + fi + if [ "$first_two" = "w:" ]; then + exit 125 + fi +done < <( echo "$log" ) + +exit "$apt_get_exit_code" diff --git a/usr/lib/security-misc/panic-on-oops b/usr/lib/security-misc/panic-on-oops new file mode 100755 index 0000000..e67ab72 --- /dev/null +++ b/usr/lib/security-misc/panic-on-oops @@ -0,0 +1,7 @@ +#!/bin/bash + +## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +# Makes the kernel panic on oopses. +sysctl kernel.panic_on_oops=1 diff --git a/usr/lib/security-misc/remove-system.map b/usr/lib/security-misc/remove-system.map new file mode 100755 index 0000000..10071f8 --- /dev/null +++ b/usr/lib/security-misc/remove-system.map @@ -0,0 +1,14 @@ +#!/bin/bash + +## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +shopt -s nullglob + +# Removes the System.map files as they are only used for debugging or malware. +for filename in /boot/System.map-* +do + if [ -f "${filename}" ]; then + rm -f "${filename}" + fi +done diff --git a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf deleted file mode 100644 index 0ef99da..0000000 --- a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf +++ /dev/null @@ -1,26 +0,0 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Definitions: -## KSPP=yes: compliant with recommendations by the KSPP -## KSPP=partial: partially compliant with recommendations by the KSPP -## KSPP=no: not (currently) compliant with recommendations by the KSPP -## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. - -## NOTE: -## This configuration is in a dedicated file because the ram-wipe package -## requires kexec. However, ram-wipe cannot ship a config file -## /etc/sysctl.d/40_ram-wipe.conf that sets 'kernel.kexec_load_disabled=0'. -## Once systemd-sysctl.service has set 'kernel.kexec_load_disabled=1', -## it cannot be undone without a reboot. This is an upstream Linux security feature. -## Instead, ram-wipe will config-package-dev 'hide' this file. - -## Disables kexec, which can be used to replace the running kernel. -## Useful for live kernel patching without rebooting. -## -## https://en.wikipedia.org/wiki/Kexec -## -## KSPP=yes -## KSPP sets the sysctl and does not set CONFIG_KEXEC. -## -kernel.kexec_load_disabled=1 diff --git a/usr/lib/sysctl.d/30_silent-kernel-printk.conf b/usr/lib/sysctl.d/30_silent-kernel-printk.conf deleted file mode 100644 index d8febf9..0000000 --- a/usr/lib/sysctl.d/30_silent-kernel-printk.conf +++ /dev/null @@ -1,20 +0,0 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Definitions: -## KSPP=yes: compliant with recommendations by the KSPP -## KSPP=partial: partially compliant with recommendations by the KSPP -## KSPP=no: not (currently) compliant with recommendations by the KSPP -## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. - -## Prevent kernel information leaks in the console during boot. -## Must be used in conjunction with kernel boot parameters. -## See /etc/default/grub.d/41_quiet_boot.cfg for implementation. -## -## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html -## -kernel.printk=3 3 3 3 - -## For increased log verbosity: -## A) Adjust (or comment out) the kernel parameters in /etc/default/grub.d/41_quiet_boot.cfg. Or, -## B) Alternatively, install the debug-misc package to undo these settings. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf deleted file mode 100644 index 3b2e38c..0000000 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ /dev/null @@ -1,574 +0,0 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## NOTE: -## This file has a special name to ensure that /usr/lib/sysctl.d/99-protect-links.conf -## is parsed first, followed by /usr/lib/sysctl.d/990-security-misc.conf. -## https://github.com/Kicksecure/security-misc/pull/135 - -## Definitions: -## KSPP=yes: compliant with recommendations by the KSPP -## KSPP=partial: partially compliant with recommendations by the KSPP -## KSPP=no: not (currently) compliant with recommendations by the KSPP -## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. - -## This configuration file is divided into 5 sections: -## 1. Kernel Space -## 2. User Space -## 3. Core Dumps -## 4. Swap Space -## 5. Networking - -## For detailed explanations of most of the selected commands, refer to: -## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html -## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/fs.html -## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/net.html -## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/vm.html -## https://www.kernel.org/doc/html/latest//networking/ip-sysctl.html - -## 1. Kernel Space: -## -## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel -## https://kspp.github.io/Recommended_Settings#sysctls -## https://wiki.archlinux.org/title/Security#Kernel_hardening - -## Restrict kernel address visibility via /proc and other interfaces, regardless of user privileges. -## Kernel pointers expose specific locations in kernel memory. -## -## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak -## -## KSPP=yes -## KSPP sets the sysctl. -## -kernel.kptr_restrict=2 - -## Restrict access to the kernel log buffer to users with CAP_SYSLOG. -## Kernel logs often contain sensitive information such as kernel pointers. -## -## KSPP=yes -## KSPP sets the sysctl and CONFIG_SECURITY_DMESG_RESTRICT=y. -## -kernel.dmesg_restrict=1 - -## Prevent kernel information leaks in the console during boot. -## Must be used in conjunction with kernel boot parameters. -## See /etc/default/grub.d/41_quiet_boot.cfg for implementation. -## -## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html -## -## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation. -## -#kernel.printk=3 3 3 3 - -## Restrict eBPF access to CAP_BPF. -## Disables unprivileged calls to bpf() without recovery. -## -## https://en.wikipedia.org/wiki/EBPF#Security -## https://lwn.net/Articles/660331/ -## -## KSPP=yes -## KSPP sets the sysctl. -## -kernel.unprivileged_bpf_disabled=1 - -## Restrict loading TTY line disciplines to users with CAP_SYS_MODULE. -## Prevents unprivileged users from loading vulnerable line disciplines with the TIOCSETD ioctl. -## -## https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html -## https://lkml.org/lkml/2019/4/15/890 -## -## KSPP=yes -## KSPP sets the sysctl does not set CONFIG_LDISC_AUTOLOAD. -## -dev.tty.ldisc_autoload=0 - -## Restrict the userfaultfd() syscall to users with SYS_CAP_PTRACE. -## Reduces the likelihood of use-after-free exploits from heap sprays. -## -## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cefdca0a86be517bc390fc4541e3674b8e7803b0 -## https://duasynt.com/blog/linux-kernel-heap-spray -## -## KSPP=yes -## KSPP sets the sysctl. -## -vm.unprivileged_userfaultfd=0 - -## Disables kexec, which can be used to replace the running kernel. -## Useful for live kernel patching without rebooting. -## -## https://en.wikipedia.org/wiki/Kexec -## -## See /usr/lib/sysctl.d/30_security-misc_kexec-disable.conf for implementation. -## -## KSPP=yes -## KSPP sets the sysctl and does not set CONFIG_KEXEC. -## -#kernel.kexec_load_disabled=1 - -## Disable the SysRq key to prevent leakage of kernel information. -## The Secure Attention Key (SAK) can no longer be utilized. -## -## https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html -## https://www.kicksecure.com/wiki/SysRq -## https://github.com/xairy/unlockdown -## -## KSPP=yes -## KSPP sets the less strict CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176. -## -kernel.sysrq=0 - -## Disable user namespaces entirely. -## User namespaces aim to improve sandboxing and accessibility for unprivileged users. -## Disabling entirely will reduce compatibility with some AppArmor profiles. -## Disabling entirely is known to break the UPower systemd service. -## Not recommended due to well-known breakages across numerous software packages. -## -## https://lwn.net/Articles/673597/ -## https://madaidans-insecurities.github.io/linux.html#kernel -## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers -## https://github.com/NixOS/nixpkgs/pull/84522#issuecomment-614640601 -## https://github.com/Kicksecure/security-misc/pull/263 -## -## KSPP=no -## KSPP sets the sysctl. -## -#user.max_user_namespaces=0 - -## Restrict user namespaces to users with CAP_SYS_ADMIN. -## See the user.max_user_namespaces setting for more details. -## This is a Debian-specific kernel feature, not a Linux mainline setting. -## Unprivileged user namespaces pose substantial privilege escalation risks. -## Flatpak requires unprivileged users to create new user namespaces for sandboxing. -## Restricting is known to cause breakages in some AppImages and the Evolution Email Client. -## Not recommended due to widespread breakages across many software packages. -## -## https://salsa.debian.org/debian/bubblewrap/-/blob/debian/latest/debian/README.Debian -## https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction -## https://github.com/flatpak/flatpak/wiki/User-namespace-requirements -## https://forums.kicksecure.com/t/can-not-run-flatpak-apps-after-kicksecure-update/592 -## https://forums.kicksecure.com/t/cannot-run-some-appimage-apps-after-kicksecure-upate/594 -## https://forums.kicksecure.com/t/impossible-to-start-evolution-app-since-the-last-update/601 -## https://github.com/Kicksecure/security-misc/issues/274 -## -#kernel.unprivileged_userns_clone=0 - -## Restricts kernel profiling to users with CAP_PERFMON. -## The performance events system should not be accessible by unprivileged users. -## Other distributions such as Ubuntu and Fedora may permit further restricting. -## -## https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html#unprivileged-users -## https://lore.kernel.org/kernel-hardening/1469630746-32279-1-git-send-email-jeffv@google.com/ -## -## KSPP=yes -## KSPP sets the sysctl. -## -kernel.perf_event_paranoid=3 - -## Force the kernel to panic on "oopses" and kernel warnings in the WARN() path. -## Can sometimes potentially indicate and thwart certain kernel exploitation attempts. -## Panics may be due to false-positives such as bad drivers. -## Oopses are serious but non-fatal errors. -## Warnings are messages generated by the kernel to indicate unexpected conditions or errors. -## By default, code execution continues regardless of warnings emitted by macros like WARN() and WARN_ON(). -## Note that by forcing kernel panics on oopses and warnings, this exposes the system to targeted denial of service attacks. -## Forcing immediate system reboots on any single kernel panic is an extreme option. -## -## https://en.wikipedia.org/wiki/Kernel_panic#Linux -## https://en.wikipedia.org/wiki/Linux_kernel_oops -## https://en.wikipedia.org/wiki/Kdump_(Linux) -## https://lwn.net/Articles/876209/ -## https://git.sr.ht/~gregkh/presentation-security/tree/3fdaf81a2f8b2c8d64cdb2f529cc714624868aa8/item/security-stuff.pdf -## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panisc-on-oops-1-sysctl-for-better-security/7713 -## -## KSPP=partial -## KSPP sets the sysctls, CONFIG_PANIC_ON_OOPS=y, but also requires CONFIG_PANIC_TIMEOUT=-1. -## -## See /usr/libexec/security-misc/panic-on-oops for implementation. -## -## TODO: Debian 13 Trixie -## The limits are applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness). -## -#kernel.panic=-1 -#kernel.panic_on_oops=1 -#kernel.panic_on_warn=1 -#kernel.oops_limit=1 -#kernel.warn_limit=1 - -## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. -## Can lead to privilege escalation by pushing characters into a controlling TTY. -## Will break out-dated screen readers that continue to rely on this legacy functionality. -## -## https://lore.kernel.org/lkml/20221228205726.rfevry7ud6gmttg5@begin/T/ -## -## KSPP=yes -## KSPP sets the sysctl and does not set CONFIG_LEGACY_TIOCSTI. -## -## TODO: Debian 13 Trixie -## This is disabled by default when using Linux kernel >= 6.2. -## -dev.tty.legacy_tiocsti=0 - -## Disable asynchronous I/O for all processes. -## Leading cause of numerous kernel exploits. -## Disabling will reduce the read/write performance of storage devices. -## -## https://en.wikipedia.org/wiki/Io_uring#Security -## https://lwn.net/Articles/902466/ -## https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html -## https://github.com/moby/moby/pull/46762 -## https://forums.whonix.org/t/io-uring-security-vulnerabilties/16890 -## -## TODO: Debian 13 Trixie -## Applicable when using Linux kernel >= 6.6 (retained here for future-proofing and completeness). -## -kernel.io_uring_disabled=2 - -## 2. User Space: -## -## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace - -## Restrict usage of the ptrace() system call to only processes with CAP_SYS_PTRACE. -## Limit ptrace() as it enables programs to inspect and modify other active processes. -## Prevents native code debugging which some programs use as a method to detect tampering. -## May cause breakages in 'anti-cheat' software and programs running under Proton/WINE. -## -## https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html#ptrace-scope -## https://en.wikipedia.org/wiki/Ptrace -## https://grapheneos.org/features#attack-surface-reduction -## https://github.com/GrapheneOS/os-issue-tracker/issues/651#issuecomment-917599928 -## https://github.com/netblue30/firejail/issues/2860 -## -## KSPP=partial -## KSPP sets the stricter sysctl kernel.yama.ptrace_scope=3. -## -## It is possible to harden further by disabling ptrace() for all users, see documentation. -## https://github.com/Kicksecure/security-misc/pull/242 -## -kernel.yama.ptrace_scope=2 - -## Maximize bits of entropy for improved effectiveness of mmap ASLR. -## The maximum number of bits depends on CPU architecture (the ones shown below are for x86). -## Both explicit sysctl are made redundant due to automation. -## Do NOT enable either sysctl - displaying only for clarity. -## -## https://forums.whonix.org/t/automate-mmap-randomisation-to-fix-ppc64el/16514 -## -## See /usr/libexec/security-misc/mmap-rnd-bits for implementation. -## -#vm.mmap_rnd_bits=32 -#vm.mmap_rnd_compat_bits=16 - -## Prevent hardlink creation by users who do not have read/write/ownership of source file. -## Only allow symlinks to be followed when outside of world-writable sticky directories. -## Allow symlinks when the owner and follower match or when the directory owner matches the symlink's owner. -## Hardens cross-privilege boundaries if root process follows a hardlink/symlink belonging to another user. -## This mitigates many hardlink/symlink-based TOCTOU races in world-writable directories like /tmp. -## -## https://wiki.archlinux.org/title/Security#File_systems -## https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=/tmp -## https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use#Preventing_TOCTOU -## -## KSPP=yes -## KSPP sets the sysctls. -## -fs.protected_hardlinks=1 -fs.protected_symlinks=1 - -## Disallow writes to files in world-writable sticky directories unless owned by the directory owner. -## Also applies to group-writable sticky directories to make data spoofing attacks more difficult. -## Prevents unintentional writes to attacker-controlled files. -## -## KSPP=yes -## KSPP sets the sysctls. -## -fs.protected_fifos=2 -fs.protected_regular=2 - -## Enable ASLR for mmap base, stack, VDSO pages, and heap. -## Forces shared libraries to be loaded to random addresses. -## Start location of PIE-linked binaries is randomized. -## Heap randomization can lead to breakages with legacy applications. -## -## https://en.wikipedia.org/wiki/Address_space_layout_randomization#Linux -## -## KSPP=yes -## KSPP sets the sysctl. -## -kernel.randomize_va_space=2 - -## Raise the minimum address a process can request for memory mapping to 64KB as a form of defense-in-depth. -## Prevents kernel null pointer dereference vulnerabilities which may trigger kernel panics. -## Protects against local unprivileged users gaining root privileges by mapping data to low memory pages. -## Some legacy applications may still depend on low virtual memory addresses for proper functionality. -## -## https://googleprojectzero.blogspot.com/2023/01/exploiting-null-dereferences-in-linux.html -## https://access.redhat.com/articles/20484 -## https://wiki.debian.org/mmap_min_addr -## -## KSPP=yes -## KSPP sets CONFIG_DEFAULT_MMAP_MIN_ADDR=65536. -## -vm.mmap_min_addr=65536 - -## Increase the maximum number of memory map areas a process is permitted to utilize. -## Addresses performance, crash, and start-up issues for some memory-intensive applications. -## Required to accommodate the very large number of guard pages created by hardened_malloc. -## Kicksecure version 18 will deprecate hardened_malloc, so this sysctl will be applied here instead. -## -## https://archlinux.org/news/increasing-the-default-vmmax_map_count-value/ -## https://github.com/GrapheneOS/hardened_malloc#traditional-linux-based-operating-systems -## https://github.com/Kicksecure/hardened_malloc/blob/master/debian/hardened_malloc.conf -## https://www.kicksecure.com/wiki/Hardened_Malloc#Deprecation_in_Kicksecure -## -vm.max_map_count=1048576 - -## Disable the miscellaneous binary format virtual file system to prevent unintended code execution. -## Prevents registering interpreters for various binary formats based on a magic number or their file extension. -## Otherwise arbitrary executables with recognized file formats will be passed to relevant user space applications. -## These interpreters will then run with root permissions when a setuid binary is owned by root. -## Can stop maliciously crafted files with specific file extensions from automatically executing. -## Breaks many scripts that do not have appropriate shebang interpreter directives (#!/bin/...). -## -## https://www.kernel.org/doc/html/latest/admin-guide/binfmt-misc.html -## https://salsa.debian.org/debian/binfmt-support -## https://access.redhat.com/solutions/1985633 -## https://en.wikipedia.org/wiki/Binfmt_misc -## https://security.stackexchange.com/questions/271786/does-allowing-binfmt-misc-significantly-increase-the-attack-surface-for-unprivil -## https://unix.stackexchange.com/questions/439569/what-kinds-of-executable-formats-do-the-files-under-proc-sys-fs-binfmt-misc-al -## https://github.com/Kicksecure/security-misc/pull/249 -## -## KSPP=no -## KSPP does not set CONFIG_BINFMT_MISC. -## -## This is disabled by default due to file/folder permission issues: -## https://github.com/Kicksecure/security-misc/issues/267 -## -#fs.binfmt_misc.status=0 - -## 3. Core Dumps: -## -## https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps - -## Disable core dump files by preventing any pattern names. -## This setting may be overwritten by systemd and is not comprehensive. -## Core dumps are also disabled in security-misc via other means. -## -## https://wiki.archlinux.org/title/Core_dump#Disabling_automatic_core_dumps -## -kernel.core_pattern=|/bin/false - -## Prevent setuid processes or otherwise protected/tainted binaries from creating core dumps. -## Any process which has changed privilege levels or is execute-only will not be dumped. -## -## KSPP=yes -## KSPP sets the sysctl. -## -fs.suid_dumpable=0 - -## Set core dump file name to 'core.PID' instead of 'core' as a form of defense-in-depth. -## If core dumps are permitted, only useful if PID listings are hidden from non-root users. -## -kernel.core_uses_pid=1 - -## 4. Swap Space: -## -## https://madaidans-insecurities.github.io/guides/linux-hardening.html#swap - -## Limit the copying of memory to the swap device only if absolutely necessary. -## Minimizes the likelihood of writing potentially sensitive contents to disk. -## Not recommended to set to zero since this disables periodic write behavior. -## -## https://en.wikipedia.org/wiki/Memory_paging#Linux -## https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Performance_Tuning_Guide/s-memory-tunables.html -## -vm.swappiness=1 - -## 5. Networking: -## -## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-network -## https://wiki.archlinux.org/title/Sysctl#TCP/IP_stack_hardening - -## Enable hardening of the BPF JIT compiler for all users. -## Provides some mitigation against JIT spraying. -## -## https://en.wikipedia.org/wiki/JIT_spraying -## https://www.blackhat.com/docs/eu-16/materials/eu-16-Reshetova-Randomization-Can't-Stop-BPF-JIT-Spray-wp.pdf -## https://lwn.net/Articles/686098/ -## https://lwn.net/Articles/525609/ -## -## KSPP=yes -## KSPP sets the sysctl. -## -net.core.bpf_jit_harden=2 - -## Enable TCP SYN cookie protection to assist against SYN flood attacks. -## -## https://en.wikipedia.org/wiki/SYN_flood -## https://cateee.net/lkddb/web-lkddb/SYN_COOKIES.html -## -## KSPP=yes -## KSPP sets CONFIG_SYN_COOKIES=y. -## -net.ipv4.tcp_syncookies=1 - -## Protect against TCP time-wait assassination hazards. -## Drops RST packets for sockets in the time-wait state. -## -## https://tools.ietf.org/html/rfc1337 -## -net.ipv4.tcp_rfc1337=1 - -## Enable reverse path filtering (source validation) of packets received from all interfaces. -## Prevents IP spoofing and mitigates vulnerabilities such as CVE-2019-14899. -## The second "default" command fixes a bug in the existing kernel implementation. -## -## https://en.wikipedia.org/wiki/IP_address_spoofing -## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-reverse_path_forwarding#sect-Security_Guide-Server_Security-Reverse_Path_Forwarding -## https://forums.whonix.org/t/enable-reverse-path-filtering/8594 -## https://seclists.org/oss-sec/2019/q4/122 -## https://github.com/Kicksecure/security-misc/pull/261 -## -net.ipv4.conf.*.rp_filter=1 -net.ipv4.conf.default.rp_filter=1 - -## Disable ICMP redirect acceptance and redirect sending messages. -## Prevents man-in-the-middle attacks and minimizes information disclosure. -## If ICMP redirects are permitted, accept messages only through approved gateways (kernel default). -## Approving gateways requires the managing of a default gateway list. -## -## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-disable-source-routing#sect-Security_Guide-Server_Security-Disable-Source-Routing -## https://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/theconfvariables.html -## https://www.debian.org/doc/manuals/securing-debian-manual/network-secure.en.html -## https://askubuntu.com/questions/118273/what-are-icmp-redirects-and-should-they-be-blocked -## https://github.com/Kicksecure/security-misc/pull/248 -## -net.ipv4.conf.*.accept_redirects=0 -net.ipv4.conf.*.send_redirects=0 -net.ipv6.conf.*.accept_redirects=0 -#net.ipv4.conf.*.secure_redirects=1 - -## Deny sending and receiving RFC1620 shared media redirects. -## Relevant mainly for network interfaces that operate over shared media such as Ethernet hubs. -## Stops the kernel from sending ICMP redirects to specific networks from the connected network. -## This variable overrides the use secure_redirects. -## -## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf -## https://datatracker.ietf.org/doc/html/rfc1620 -## https://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/theconfvariables.html -## -net.ipv4.conf.*.shared_media=0 - -## Enable ARP (Address Resolution Protocol) filtering. -## Prevents the Linux kernel from handling the ARP table globally. -## Can mitigate some ARP spoofing and ARP cache poisoning attacks. -## Improper filtering can lead to increased ARP traffic and inadvertently block legitimate ARP requests. -## -## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf -## -net.ipv4.conf.*.arp_filter=1 - -## Respond to ARP (Address Resolution Protocol) requests only if the target IP address is on-link. -## Reduces IP spoofing attacks by limiting the scope of allowable ARP responses. -## -## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf -## https://github.com/mullvad/mullvadvpn-app/blob/main/audits/2024-12-10-X41-D-Sec.md#mllvd-cr-24-03-virtual-ip-address-of-tunnel-device-leaks-to-network-adjacent-participant-severity-medium -## https://github.com/mullvad/mullvadvpn-app/pull/7141 -## https://www.x41-dsec.de/static/reports/X41-Mullvad-Audit-Public-Report-2024-12-10.pdf -## -net.ipv4.conf.*.arp_ignore=2 - -## Drop gratuitous ARP (Address Resolution Protocol) packets. -## Stops ARP responses sent by a device without being explicitly requested. -## Prevents ARP cache poisoning by rejecting fake ARP entries into a network. -## Prevents man-in-the-middle and denial-of-service attacks. -## May cause breakages when ARP proxies are used in the network. -## -## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf -## https://patchwork.ozlabs.org/project/netdev/patch/1428652454-1224-3-git-send-email-johannes@sipsolutions.net/ -## https://www.practicalnetworking.net/series/arp/gratuitous-arp/ -## -net.ipv4.conf.*.drop_gratuitous_arp=1 - -## Ignore ICMP echo requests. -## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks. -## -## https://en.wikipedia.org/wiki/Smurf_attack -## -net.ipv4.icmp_echo_ignore_all=1 -net.ipv6.icmp.echo_ignore_all=1 - -## Ignore bogus ICMP error responses. -## Mitigates attacks designed to fill log files with useless error messages. -## -net.ipv4.icmp_ignore_bogus_error_responses=1 - -## Disable source routing which allows users to redirect network traffic. -## Prevents man-in-the-middle attacks in which the traffic is redirected. -## -## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-disable-source-routing -## -net.ipv4.conf.*.accept_source_route=0 -net.ipv6.conf.*.accept_source_route=0 - -## Do not accept IPv6 router advertisements and solicitations. -## -net.ipv6.conf.*.accept_ra=0 - -## Disable SACK and DSACK. -## Select acknowledgements (SACKs) are a known common vector of exploitation. -## Duplicate select acknowledgements (DSACKs) are an extension of SACK. -## Disabling can cause severe connectivity issues on networks with high latency or packet loss. -## Enabling on stable high-bandwidth networks can lead to reduced efficiency of TCP connections. -## -## https://datatracker.ietf.org/doc/html/rfc2018 -## https://datatracker.ietf.org/doc/html/rfc2883 -## https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf -## https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md -## https://wiki.archlinux.org/title/Sysctl#TCP_Selective_Acknowledgement -## https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109/5 -## -## SACK and DSACK are currently enabled. -## -#net.ipv4.tcp_sack=0 -#net.ipv4.tcp_dsack=0 - -## Disable TCP timestamps to limit device fingerprinting via system time. -## Timestamps allow round-trip time measurement and protection against wrapped sequence numbers. -## Disabling timestamps on very fast links is likely to cause TCP Sequence Numbers to wrap. -## Segments with wrapped numbers will be incorrectly discarded, reducing network performance. -## -## https://datatracker.ietf.org/doc/html/rfc1323 -## https://forums.whonix.org/t/do-ntp-and-tcp-timestamps-really-leak-your-local-time/7824 -## https://web.archive.org/web/20170201160732/https://mailman.boum.org/pipermail/tails-dev/2013-December/004520.html -## https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf -## -net.ipv4.tcp_timestamps=0 - -## Enable logging of packets with impossible source or destination addresses. -## Martian and unroutable packets may be used for malicious purposes. -## Recommended to keep a (kernel dmesg) log of these to identify suspicious packets. -## Useful for troubleshooting and diagnostics but not necessary by default. -## Known to cause performance issues, especially on systems with multiple interfaces. -## -## https://wiki.archlinux.org/title/Sysctl#Log_martian_packets -## https://github.com/Kicksecure/security-misc/issues/214 -## -## The logging of martian packets is currently disabled. -## -#net.ipv4.conf.*.log_martians=1 - -## Enable IPv6 Privacy Extensions to prefer temporary addresses over public addresses. -## The temporary/privacy address is used as the source for all outgoing traffic. -## Must be used in combination with /usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf. -## Must be used in combination with /usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf. -## Should be used with MAC randomization in /usr/lib/NetworkManager/conf.d/80_randomize-mac.conf. -## -## MAC randomization breaks root server and VirtualBox DHCP, likely due to IPv6 Privacy Extensions. -## -## https://datatracker.ietf.org/doc/html/rfc4941 -## https://github.com/Kicksecure/security-misc/pull/145 -## https://github.com/Kicksecure/security-misc/issues/184 -## -## The use of IPv6 Privacy Extensions is currently disabled due to these breakages. -## -#net.ipv6.conf.*.use_tempaddr=2 diff --git a/usr/lib/systemd/coredump.conf.d/30_security-misc.conf b/usr/lib/systemd/coredump.conf.d/30_security-misc.conf deleted file mode 100644 index 2d02bc9..0000000 --- a/usr/lib/systemd/coredump.conf.d/30_security-misc.conf +++ /dev/null @@ -1,5 +0,0 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -[Coredump] -Storage=none diff --git a/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf b/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf deleted file mode 100644 index 5de38c4..0000000 --- a/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf +++ /dev/null @@ -1,13 +0,0 @@ -## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## MAC randomisation breaks root server and VirtualBox DHCP likely due to IPv6 Privacy Extensions. -## -## https://datatracker.ietf.org/doc/html/rfc4941 -## https://github.com/Kicksecure/security-misc/pull/145 -## https://github.com/Kicksecure/security-misc/issues/184 -## -## The use of IPv6 Privacy Extenstions is currently diasbled due to these breakages. - -#[Network] -#IPv6PrivacyExtensions=kernel diff --git a/usr/lib/systemd/pstore.conf.d/30_security-misc.conf b/usr/lib/systemd/pstore.conf.d/30_security-misc.conf deleted file mode 100644 index 9e513c6..0000000 --- a/usr/lib/systemd/pstore.conf.d/30_security-misc.conf +++ /dev/null @@ -1,5 +0,0 @@ -## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -[PStore] -Storage=none diff --git a/usr/lib/systemd/system-preset/50-security-misc.preset b/usr/lib/systemd/system-preset/50-security-misc.preset deleted file mode 100644 index 1895526..0000000 --- a/usr/lib/systemd/system-preset/50-security-misc.preset +++ /dev/null @@ -1,19 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## https://forums.whonix.org/t/restrict-hardware-information-to-root-testers-wanted/8618 -disable hide-hardware-info.service - -## Disable for now until development finished / tested. -disable permission-hardener.service - -## Disable for now until development finished / tested. -## https://github.com/Kicksecure/security-misc/pull/152 -disable remount-secure.service - -## Disable due to pkexec issues. -disable proc-hidepid.service - -## Disable due to issues. See: -## https://github.com/Kicksecure/security-misc/issues/159 -disable harden-module-loading.service diff --git a/usr/lib/systemd/system/harden-module-loading.service b/usr/lib/systemd/system/harden-module-loading.service deleted file mode 100644 index 8efea40..0000000 --- a/usr/lib/systemd/system/harden-module-loading.service +++ /dev/null @@ -1,24 +0,0 @@ -## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -[Unit] -Description=Disable the loading of additional modules after systemd-modules-load.service -Documentation=https://github.com/Kicksecure/security-misc - -DefaultDependencies=no -Before=sysinit.target -Requires=local-fs.target -Requires=systemd-modules-load.service -After=local-fs.target -After=systemd-modules-load.service - -# This functionality is implemented with this and not directly in the sysctl config is -# to allow systemd-modules-load.service to load the modules with no problem but -# to disallow anyone else do the same after the system boots up. - -[Service] -Type=oneshot -ExecStart=/usr/libexec/security-misc/disable-kernel-module-loading - -[Install] -WantedBy=sysinit.target diff --git a/usr/lib/systemd/system/haveged.service.d/30_security-misc.conf b/usr/lib/systemd/system/haveged.service.d/30_security-misc.conf deleted file mode 100644 index 2981464..0000000 --- a/usr/lib/systemd/system/haveged.service.d/30_security-misc.conf +++ /dev/null @@ -1,7 +0,0 @@ -## Copyright (C) 2021 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -[Service] -## hardened malloc compatibility -## Otherwise haveged will exit with a core dump. -SystemCallFilter=getrandom diff --git a/usr/lib/systemd/system/hide-hardware-info.service b/usr/lib/systemd/system/hide-hardware-info.service deleted file mode 100644 index 659c3f5..0000000 --- a/usr/lib/systemd/system/hide-hardware-info.service +++ /dev/null @@ -1,19 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -[Unit] -Description=Hide hardware information to unprivileged users -Documentation=https://github.com/Kicksecure/security-misc - -DefaultDependencies=no -Before=sysinit.target -Requires=local-fs.target -After=local-fs.target - -[Service] -Type=oneshot -ExecStart=/usr/libexec/security-misc/hide-hardware-info -RemainAfterExit=yes - -[Install] -WantedBy=sysinit.target diff --git a/usr/lib/systemd/system/panic-on-oops.service b/usr/lib/systemd/system/panic-on-oops.service deleted file mode 100644 index 6b10ddc..0000000 --- a/usr/lib/systemd/system/panic-on-oops.service +++ /dev/null @@ -1,20 +0,0 @@ -## Copyright (C) 2024 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -[Unit] -Description=Sets 'sysctl kernel.panic_on_oops=1' late during the boot process. -Documentation=https://github.com/Kicksecure/security-misc - -ConditionKernelCommandLine=!panic-on-oops=0 - -After=multi-user.target -After=graphical.target -After=getty.target - -[Service] -Type=oneshot -RemainAfterExit=yes -ExecStart=/usr/libexec/security-misc/panic-on-oops - -[Install] -WantedBy=multi-user.target diff --git a/usr/lib/systemd/system/permission-hardener.service b/usr/lib/systemd/system/permission-hardener.service deleted file mode 100644 index 109c9fd..0000000 --- a/usr/lib/systemd/system/permission-hardener.service +++ /dev/null @@ -1,19 +0,0 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -[Unit] -Description=Permission Hardener at Boot Time (opt-in in addition to security-misc package installation time hardening) -Documentation=https://github.com/Kicksecure/security-misc - -DefaultDependencies=no -Before=sysinit.target -Requires=local-fs.target -After=local-fs.target - -[Service] -Type=oneshot -RemainAfterExit=yes -ExecStart=permission-hardener enable - -[Install] -WantedBy=sysinit.target diff --git a/usr/lib/systemd/system/proc-hidepid.service b/usr/lib/systemd/system/proc-hidepid.service deleted file mode 100644 index d7ea4d9..0000000 --- a/usr/lib/systemd/system/proc-hidepid.service +++ /dev/null @@ -1,19 +0,0 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -[Unit] -Description=Mounts /proc with hidepid=2 -Documentation=https://github.com/Kicksecure/security-misc - -DefaultDependencies=no -Before=sysinit.target -Requires=local-fs.target -After=local-fs.target - -[Service] -Type=oneshot -ExecStart=/bin/mount -o remount,nosuid,nodev,noexec,hidepid=2,gid=proc /proc -RemainAfterExit=yes - -[Install] -WantedBy=sysinit.target diff --git a/usr/lib/systemd/system/remount-secure.service b/usr/lib/systemd/system/remount-secure.service deleted file mode 100644 index 2489d34..0000000 --- a/usr/lib/systemd/system/remount-secure.service +++ /dev/null @@ -1,32 +0,0 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -[Unit] -Description=remount /home /tmp /dev/shm /run with nosuid,nodev (default) and noexec (opt-in) -Documentation=https://github.com/Kicksecure/security-misc - -ConditionKernelCommandLine=!remountsecure=0 - -DefaultDependencies=no - -Before=sysinit-post.target -Before=basic.target -Before=multi-user.target -Before=graphical.target -Before=getty-pre.target -Before=network-pre.target - -After=local-fs.target -After=sysinit.target -After=qubes-sysinit.service - -Requires=local-fs.target -Requires=sysinit.target - -[Service] -Type=oneshot -RemainAfterExit=yes -ExecStart=remount-secure 3 - -[Install] -WantedBy=sysinit-post.target diff --git a/usr/lib/systemd/system/remove-system-map.service b/usr/lib/systemd/system/remove-system-map.service deleted file mode 100644 index 1e36d61..0000000 --- a/usr/lib/systemd/system/remove-system-map.service +++ /dev/null @@ -1,19 +0,0 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -[Unit] -Description=Removes the System.map files -Documentation=https://github.com/Kicksecure/security-misc - -DefaultDependencies=no -Before=sysinit.target -Requires=local-fs.target -After=local-fs.target - -[Service] -Type=oneshot -ExecStart=/usr/libexec/security-misc/remove-system.map -RemainAfterExit=yes - -[Install] -WantedBy=sysinit.target diff --git a/usr/lib/systemd/system/sysinit-post.target b/usr/lib/systemd/system/sysinit-post.target deleted file mode 100644 index c00e91e..0000000 --- a/usr/lib/systemd/system/sysinit-post.target +++ /dev/null @@ -1,12 +0,0 @@ -## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -[Unit] -Description=sys-init.target by security-misc - -After=sysinit.target -Before=basic.target -Requires=sysinit.target - -[Install] -WantedBy=basic.target diff --git a/usr/lib/systemd/system/user@.service.d/sysfs.conf b/usr/lib/systemd/system/user@.service.d/sysfs.conf deleted file mode 100644 index 3a9129d..0000000 --- a/usr/lib/systemd/system/user@.service.d/sysfs.conf +++ /dev/null @@ -1,5 +0,0 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -[Service] -SupplementaryGroups=sysfs diff --git a/usr/libexec/security-misc/apt-get-update b/usr/libexec/security-misc/apt-get-update deleted file mode 100755 index 9cbfd8e..0000000 --- a/usr/libexec/security-misc/apt-get-update +++ /dev/null @@ -1,46 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## TODO: Move this to helper-scripts. - -set -o errexit -set -o nounset -set -o errtrace -set -o pipefail - -command -v start-stop-daemon >/dev/null -command -v timeout >/dev/null -command -v apt-get >/dev/null - -export LC_ALL=C -pidfile="/run/helper-scripts/security-misc-apt-get-update-pid" - -sigterm_trap() { - /usr/libexec/helper-scripts/apt-get-update-kill-helper &>/dev/null - exit 143 -} - -## terminate potential previous invocations. -/usr/libexec/helper-scripts/apt-get-update-kill-helper &>/dev/null - -trap "sigterm_trap" SIGTERM SIGINT - -[[ -v timeout_after ]] || timeout_after="600" -[[ -v kill_after ]] || kill_after="10" - -start-stop-daemon \ - --make-pidfile \ - --pidfile "$pidfile" \ - --exec /usr/bin/timeout \ - --start \ - -- \ - --kill-after="$kill_after" \ - "$timeout_after" \ - apt-get update --error-on=any "$@" & - -lastpid="$!" -wait "$lastpid" - -exit "$?" diff --git a/usr/libexec/security-misc/askpass b/usr/libexec/security-misc/askpass deleted file mode 100755 index 56ecffc..0000000 --- a/usr/libexec/security-misc/askpass +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -set -e - -title="$0: password required for $(whoami) to perform action as superuser" - -zenity --password --title="$title" diff --git a/usr/libexec/security-misc/disable-kernel-module-loading b/usr/libexec/security-misc/disable-kernel-module-loading deleted file mode 100755 index 80d3190..0000000 --- a/usr/libexec/security-misc/disable-kernel-module-loading +++ /dev/null @@ -1,11 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -set -x -set -e - -sysctl -w kernel.modules_disabled=1 - -true "The loading of new modules to the kernel has been disabled by security-misc." diff --git a/usr/libexec/security-misc/echo-path b/usr/libexec/security-misc/echo-path deleted file mode 100755 index 3bcc2cd..0000000 --- a/usr/libexec/security-misc/echo-path +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -set -e - -echo "$PATH" diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info deleted file mode 100755 index acf24ef..0000000 --- a/usr/libexec/security-misc/hide-hardware-info +++ /dev/null @@ -1,138 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -set -o errexit -set -o nounset -set -o errtrace -set -o pipefail -shopt -s nullglob - -run_cmd() { - echo "INFO: normal executing : $@" - "$@" -} - -run_cmd_whitelist() { - echo "INFO: whitelist executing: $@" - "$@" -} - -echo "$0: INFO: START" - -default_variables_set() { - sysfs_whitelist=1 - cpuinfo_whitelist=1 - sysfs=1 - ## https://www.kicksecure.com/wiki/Security-misc#selinux - selinux=0 -} - -parse_configuration() { - ## Allows for disabling the whitelist. - local i - for i in /usr/local/etc/hide-hardware-info.d/*.conf /etc/hide-hardware-info.d/*.conf ; do - bash -n "${i}" - source "${i}" - done -} - -create_whitelist() { - if [ "${1}" = "sysfs" ]; then - whitelist_path="/sys" - elif [ "${1}" = "cpuinfo" ]; then - whitelist_path="/proc/cpuinfo" - else - echo "ERROR: ${1} is not a correct parameter." - exit 1 - fi - - if grep -q "${1}" /etc/group; then - ## Changing the permissions of /sys recursively - ## causes errors as the permissions of /sys/kernel/debug - ## and /sys/fs/cgroup cannot be changed. - run_cmd_whitelist chgrp --quiet --recursive "${1}" "${whitelist_path}" || true - - run_cmd_whitelist chmod o-rwx "${whitelist_path}" - else - echo "ERROR: The ${1} group does not exist, the ${1} whitelist was not created." - fi -} - -default_variables_set -parse_configuration - -## sysfs and debugfs expose a lot of information -## that should not be accessible by an unprivileged -## user which includes hardware info, debug info and -## more. This restricts /sys, /proc/cpuinfo, /proc/bus -## and /proc/scsi to the root user only. This hides -## many hardware identifiers from ordinary users -## and increases security. -for i in /proc/cpuinfo /proc/bus /proc/scsi /sys ; do - if [ -e "${i}" ]; then - if [ "${i}" = "/sys" ]; then - if [ "${sysfs}" = "1" ]; then - ## Whitelist for /sys. - if [ "${sysfs_whitelist}" = "1" ]; then - create_whitelist sysfs - else - echo "INFO: The sysfs whitelist is not enabled. Some things may not work properly. Full sysfs hardening..." - run_cmd chmod og-rwx /sys - fi - fi - elif [ "${i}" = "/proc/cpuinfo" ]; then - if [ "${cpuinfo_whitelist}" = "1" ]; then - create_whitelist cpuinfo - else - echo "INFO: The cpuinfo whitelist is not enabled. Some things may not work properly. Full cpuinfo hardening..." - run_cmd chmod og-rwx /proc/cpuinfo - fi - else - run_cmd chmod og-rwx "${i}" - fi - else - ## /proc/scsi doesn't exist on Debian so errors - ## are expected here. - if ! [ "${i}" = "/proc/scsi" ]; then - echo "ERROR: ${i} could not be found." - fi - fi -done - - -if [ "${sysfs}" = "1" ]; then - ## restrict permissions on everything but - ## what is needed - for i in /sys/* /sys/fs/* ; do - ## Using '|| true': - ## https://github.com/Kicksecure/security-misc/pull/108 - if [ "${sysfs_whitelist}" = "1" ]; then - run_cmd chmod o-rwx "${i}" || true - else - run_cmd chmod og-rwx "${i}" || true - fi - done - - ## polkit needs stat access to /sys/fs/cgroup - ## to function properly - run_cmd chmod o+rx /sys /sys/fs - - ## on SELinux systems, at least /sys/fs/selinux - ## must be visible to unprivileged users, else - ## SELinux userspace utilities will not function - ## properly - if [ -d /sys/fs/selinux ]; then - echo "INFO: SELinux detected because folder /sys/fs/selinux exists. See also:" - echo "https://www.kicksecure.com/wiki/Security-misc#selinux" - if [ "${selinux}" = "1" ]; then - run_cmd chmod o+rx /sys /sys/fs /sys/fs/selinux - echo "INFO: SELinux mode enabled. Restrictions loosened slightly in order to allow userspace utilities to function." - else - echo "INFO: SELinux detected, but SELinux mode is not enabled. Some userspace utilities may not work properly." - fi - fi -fi - -echo "$0: INFO: END" diff --git a/usr/libexec/security-misc/mmap-rnd-bits b/usr/libexec/security-misc/mmap-rnd-bits deleted file mode 100755 index 25745c2..0000000 --- a/usr/libexec/security-misc/mmap-rnd-bits +++ /dev/null @@ -1,81 +0,0 @@ -#!/usr/bin/env bash - -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## This script enforces the maximum ASLR hardening settings for mmap, given the -## installed Linux config. -## See also: -## https://forums.whonix.org/t/automate-mmap-randomisation-to-fix-ppc64el/16514 - -set -euo pipefail -shopt -s failglob - -more_info_link="https://forums.whonix.org/t/automate-mmap-randomisation-to-fix-ppc64el/16514" -aslr_mmap_config_file="/etc/sysctl.d/30_security-misc_aslr-mmap.conf" - -exit_with_error() { - echo "$0: SEE ALSO:" >&2 - echo "" >&2 - echo "$more_info_link" >&2 - exit 1 -} - -if ! test -d /etc/sysctl.d ; then - echo "$0: ERROR: Folder /etc/sysctl.d does not exist!" >&2 - exit_with_error -fi - -if ! test -w /etc/sysctl.d ; then - echo "$0: ERROR: Folder /etc/sysctl.d not writeable! This script is supposed to be run as root." >&2 - exit_with_error -fi - -## Defaults in case Linux config detection fails. These are likely to work fine -## on x86_64, probably not elsewhere. -BITS_MAX_DEFAULT=32 -COMPAT_BITS_MAX_DEFAULT=16 - -## Find the most recently modified Linux config file. -if compgen -G "/boot/config-*" > /dev/null && CONFIG=$(ls -1 -t /boot/config-* | head -n 1) ; then - ## Find the relevant config options. - if ! BITS_MAX=$(grep -E '^CONFIG_ARCH_MMAP_RND_BITS_MAX=[0-9]+$' "${CONFIG}" | cut -d "=" -f 2) ; then - echo "$0: ERROR: Error detecting CONFIG_ARCH_MMAP_RND_BITS_MAX! Using built-in default." >&2 - BITS_MAX="${BITS_MAX_DEFAULT}" - fi - if ! COMPAT_BITS_MAX=$(grep -E '^CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX=[0-9]+$' "${CONFIG}" | cut -d "=" -f 2) ; then - echo "$0: ERROR: Error detecting CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX! Using built-in default." >&2 - COMPAT_BITS_MAX="${COMPAT_BITS_MAX_DEFAULT}" - fi -else - ## Could be a chroot. - echo "$0: INFO: No Linux config file detected in folder /boot/ (starting with 'config-'). Therefore using built-in defaults." >&2 - BITS_MAX="${BITS_MAX_DEFAULT}" - COMPAT_BITS_MAX="${COMPAT_BITS_MAX_DEFAULT}" -fi - -## Generate a sysctl.d conf file. -SYSCTL="\ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## This file is automatically generated by: -## $0 -## Do not edit! -## See also: -## $more_info_link - -## Improves ASLR effectiveness for mmap. -vm.mmap_rnd_bits=${BITS_MAX} -vm.mmap_rnd_compat_bits=${COMPAT_BITS_MAX}" - -## Write the sysctl.d conf file. -if echo "${SYSCTL}" | tee "$aslr_mmap_config_file" > /dev/null ; then - echo "$0: INFO: Successfully written ASLR map config file: -$aslr_mmap_config_file" - exit 0 -fi - -echo "$0: ERROR: Error writing ASLR map config file: -$aslr_mmap_config_file" >&2 -exit_with_error diff --git a/usr/libexec/security-misc/pam-abort-on-locked-password b/usr/libexec/security-misc/pam-abort-on-locked-password deleted file mode 100755 index 35c2dd4..0000000 --- a/usr/libexec/security-misc/pam-abort-on-locked-password +++ /dev/null @@ -1,53 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## This is only a usability feature to avoid needlessly bumping pam_faillock -## counter. This is not a security feature. -## https://forums.whonix.org/t/restrict-root-access/7658/1 - -passwd_bin="$(type -P -- "passwd")" - -if ! test -x "$passwd_bin" ; then - echo "\ -$0: ERROR: passwd_bin \"$passwd_bin\" is not executable. -See https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#passwd" >&2 - ## Identifiable exit codes in case stdout / stderr is not logged in journal. - exit 2 -fi - -if ! passwd_output="$("$passwd_bin" -S -- "$PAM_USER" 2>/dev/null)" ; then - echo "$0: ERROR: user \"$PAM_USER\" does not exist." >&2 - exit 3 -fi - -password_status_field="$(echo "$passwd_output" | cut -d ' ' -f 2)" - -if [ "$password_status_field" = "P" ]; then - true "$0: INFO: user \"$PAM_USER\" has a usable password." -elif [ "$password_status_field" = "NP" ]; then - true "$0: INFO: user \"$PAM_USER\" has no password." -elif [ "$password_status_field" = "L" ]; then - echo "$0: INFO: Password for user \"$PAM_USER\" is locked." - - if [ -f /usr/share/whonix/marker ] || [ -f /usr/share/kicksecure/marker ]; then - if [ "$PAM_USER" = "root" ]; then - echo "$0: ERROR: root account is locked by default. See:" >&2 - echo "https://www.kicksecure.com/wiki/root" >&2 - echo "" >&2 - exit 4 - fi - fi - - ## Should not unconditionally 'exit 1' here. - ## Locked user accounts might have valid sudoers exceptions. - ## https://forums.whonix.org/t/pam-abort-on-locked-password-and-running-privileged-command-from-web-browser/10521 - ## 'exit 1' would be good for usability here because then the user would get - ## faster feedback. A new login attempt would not be needlessly delayed. - exit 0 -else - echo "$0: INFO: Password status field for user \"$PAM_USER\" could not be parsed. Please report this bug." -fi - -exit 0 diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info deleted file mode 100755 index 5f8198a..0000000 --- a/usr/libexec/security-misc/pam-info +++ /dev/null @@ -1,228 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## To enable debug log, run: -## sudo touch /etc/pam-info-debug -## -## Debug log if enabled can be found in file: -## /root/pam-info-debug.txt - -true "$0: START PHASE 1" - -if test -f /etc/pam-info-debug || test -f /usr/local/etc/pam-info-debug ; then - set -x - exec 5>&1 1>> ~/pam-info-debug.txt - exec 6>&2 2>> ~/pam-info-debug.txt -fi - -true "$0: START PHASE 2" - -set -o pipefail - -## Named constants. -pam_faillock_state_dir="/var/lib/security-misc/faillock" - -## Debugging. -who_ami="$(whoami)" -true "$0: who_ami: $who_ami" -true "$0: PAM_USER: $PAM_USER" -true "$0: SUDO_USER: $SUDO_USER" - -if [ "$PAM_USER" = "" ]; then - true "$0: ERROR: Environment variable PAM_USER is unset!" - exit 0 -fi - -grep_result="$(grep -- "accessfile=/etc/security/access-security-misc.conf" /etc/pam.d/common-account 2>/dev/null)" - -## Check if grep matched something. -if [ ! "$grep_result" = "" ]; then - ## Yes, grep matched. - - ## Check if not out commented. - if ! echo "$grep_result" | grep --quiet -- "#" ; then - ## Not out commented indeed. - - ## https://forums.whonix.org/t/etc-security-hardening-console-lockdown/8592 - - if id --name --groups --zero -- "$PAM_USER" | grep --quiet --null-data --line-regexp --fixed-strings -- "console"; then - console_allowed=true - fi - if id --name --groups --zero -- "$PAM_USER" | grep --quiet --null-data --line-regexp --fixed-strings -- "console-unrestricted"; then - console_allowed=true - fi - - if [ ! "$console_allowed" = "true" ]; then - echo "\ -$0: ERROR: PAM_USER: '$PAM_USER' is not a member of group 'console' -To unlock, run the following command as superuser: -(If you still have a sudo/root shell somewhere.) - -adduser $PAM_USER console - -However, possibly unlock procedure is required. -First boot into recovery mode at grub boot menu and then run above command. -See also: -https://www.kicksecure.com/wiki/root#console -" >&2 - exit 0 - fi - fi -fi - -if [ "$PAM_USER" = 'sysmaint' ]; then - sysmaint_passwd_info="$(passwd --status sysmaint 2>/dev/null)" || true - sysmaint_lock_info="$(cut -d' ' -f2 <<< "${sysmaint_passwd_info}")" - if [ "${sysmaint_lock_info}" = 'L' ]; then - echo "$0: ERROR: Reboot and choose 'PERSISTENT Mode - SYSMAINT Session' for system maintenance. See https://www.kicksecure.com/wiki/Sysmaint" - fi -fi - -kernel_cmdline="$(cat /proc/cmdline)" - -if [ "$PAM_USER" != 'sysmaint' ] \ - && [[ "${kernel_cmdline}" =~ 'boot-role=sysmaint' ]]; then - echo "$0: WARNING: Use account 'sysmaint' for system maintenance. See https://www.kicksecure.com/wiki/Sysmaint" -fi - -## https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698 - -## Does not work (yet) for login, pam_securetty runs before and aborts. -## Also this should only run for login since securetty covers only login. -# if [ "$PAM_USER" = "root" ]; then -# if [ -f /etc/securetty ]; then -# grep_result="$(grep "^[^#]" /etc/securetty)" -# if [ "$grep_result" = "" ]; then -# echo "\ -# $0: ERROR: Root login is disabled. -# ERROR: This is because /etc/securetty is empty. -# See also: -# https://www.kicksecure.com/wiki/root#login -# " >&2 -# exit 0 -# fi -# fi -# fi - -## under account "user" -## /usr/sbin/faillock -u user -## faillock: Error opening /var/log/tallylog for update: Permission denied -## /usr/sbin/faillock: Authentication error -## -## xscreensaver runs under account "user", therefore pam_faillock cannot function. -## xscreensaver has its own failed login counter. -## -## https://askubuntu.com/questions/983183/how-lock-the-unlock-screen-after-wrong-password-attempts -## -## https://web.archive.org/web/20200919221439/https://www.whonix.org/pipermail/whonix-devel/2019-September/001439.html -## -## Checking exit code to avoid breaking when read-only disk boot but -## without ro-mode-init or grub-live being used. -## -## end-of-options ("--") unsupported by faillock. -if ! pam_faillock_output="$(faillock --dir "$pam_faillock_state_dir" --user "$PAM_USER")" ; then - true "$0: faillock non-zero exit code." - exit 0 -fi - -if [ "$pam_faillock_output" = "" ]; then - true "$0: no failed login" - exit 0 -fi - -## example pam_faillock_output (stdout): -## user: -## When Type Source Valid -## 2021-08-10 16:26:33 RHOST V -## 2021-08-10 16:26:54 RHOST V - -## example pam_faillock_output (stderr): -## faillock: No user name supplied. -## Usage: faillock [--dir /path/to/tally-directory] [--user username] [--reset] - -## Get first line. -#pam_faillock_output_first_line="$(echo "$pam_faillock_output" | head --lines=1)" -while read -t 10 -r pam_faillock_output_first_line ; do - break -done <<< "$pam_faillock_output" - -true "pam_faillock_output_first_line: '$pam_faillock_output_first_line'" -## example pam_faillock_output_first_line: -## user: - -user_name="$(echo "$pam_faillock_output_first_line" | str_replace ":" "")" -## example user_name: -## user -## root - -pam_faillock_output_count="$(echo "$pam_faillock_output" | wc -l)" -## example pam_faillock_output_count: -## 2 -## example pam_faillock_output_count: -## 4 - -## Do not count the first two informational textual output lines -## (starting with "user:" and "When"). -failed_login_counter=$(( pam_faillock_output_count - 2 )) - -## example failed_login_counter: -## 2 - -if [ "$failed_login_counter" = "0" ]; then - true "$0: INFO: Failed login counter is 0, ok." - exit 0 -fi - -## pam_faillock default if it cannot be determined below. -deny=3 - -if test -f /etc/security/faillock.conf ; then - deny_line=$(grep --invert-match "#" -- /etc/security/faillock.conf | grep -- "deny =") - deny="$(echo "$deny_line" | str_replace "=" "" | str_replace "deny" "" | str_replace " " "")" - ## Example: - #deny=50 -fi - -if [[ "$deny" == *[!0-9]* ]]; then - echo "\ -$0: ERROR: deny is not numeric. deny: '$deny' -ERROR: Please report this bug. -" >&2 - exit 0 -fi - -remaining_attempts="$(( $deny - $failed_login_counter ))" - -if [ "$remaining_attempts" -le "0" ]; then - echo "\ -$0: ERROR: Login blocked after $failed_login_counter attempts. -To unlock, run the following command as superuser: -(If you still have a sudo/root shell somewhere.) - -faillock --dir $pam_faillock_state_dir --reset --user $PAM_USER - -However, most likely unlock procedure is required. -First boot into recovery mode at grub boot menu and then run above command. -See also: -https://www.kicksecure.com/wiki/root#unlock -" >&2 - exit 0 -fi - -echo "\ -$0: WARNING: $failed_login_counter failed login attempts for user_name '$user_name'. -Login will be blocked after $deny attempts. -You have $remaining_attempts more attempts before unlock procedure is required. -" >&2 - -if [ "$PAM_SERVICE" = "su" ]; then - echo "\ -$0: NOTE: Type the password. When entering the password, no password feedback (no asterisk (\"*\") symbol) will be shown. -" >&2 -fi - -true "$0: END" - -exit 0 diff --git a/usr/libexec/security-misc/pam_faillock_not_if_x b/usr/libexec/security-misc/pam_faillock_not_if_x deleted file mode 100755 index 433dca8..0000000 --- a/usr/libexec/security-misc/pam_faillock_not_if_x +++ /dev/null @@ -1,40 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## https://serverfault.com/questions/134471/success-n-control-syntax-in-pam-conf-pam-d-files - -set -x - -true "PAM_SERVICE: $PAM_SERVICE" - -## PAM configuration notes -## -## success=$num -## "will specify how many rules to skip when successful." -## https://serverfault.com/questions/134471/success-n-control-syntax-in-pam-conf-pam-d-files -## -## ignore -## "when used with a stack of modules, the module's return status will not contribute to the return code the application obtains." -## http://www.linux-pam.org/Linux-PAM-html/sag-configuration-file.html - -## - Failed dovecot ssh logins from malicious remotes should not result in account getting locked. -## This list can later be extended as needed. -pam_service_exclusion_list="dovecot sshd" - -for pam_service_exclusion_item in $pam_service_exclusion_list ; do - if [ "$PAM_SERVICE" = "$pam_service_exclusion_item" ]; then - ## exit success so [success=1 default=ignore] will result in skipping the - ## next PAM module (the pam_faillock module). - exit 0 - fi -done - -## exit failure so [success=1 default=ignore] will result in running the -## next PAM module (the pam_faillock module). -## -## Causes confusing error message: -## pam_exec(sudo:auth): /usr/libexec/security-misc/pam_faillock_not_if_x failed: exit code 1 -## https://github.com/linux-pam/linux-pam/issues/329 -exit 1 diff --git a/usr/libexec/security-misc/pam_only_if_login b/usr/libexec/security-misc/pam_only_if_login deleted file mode 100755 index 568f037..0000000 --- a/usr/libexec/security-misc/pam_only_if_login +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## https://serverfault.com/questions/134471/success-n-control-syntax-in-pam-conf-pam-d-files - -set -x - -true "PAM_SERVICE: $PAM_SERVICE" - -if [ "$PAM_SERVICE" = "login" ]; then - ## FIXME: - ## Creates unwanted journal log entry. - ## pam_exec(login:account): /usr/libexec/security-misc/pam_only_if_login failed: exit code 1 - exit 1 -else - ## exit success so [success=1 default=ignore] will result in skipping the - ## next pam module. - exit 0 -fi diff --git a/usr/libexec/security-misc/pam_only_if_su b/usr/libexec/security-misc/pam_only_if_su deleted file mode 100755 index 604510f..0000000 --- a/usr/libexec/security-misc/pam_only_if_su +++ /dev/null @@ -1,17 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Similar to: -## /usr/libexec/security-misc/pam_only_if_login - -set -x - -true "PAM_SERVICE: $PAM_SERVICE" - -if [ "$PAM_SERVICE" = "su" ]; then - exit 1 -else - exit 0 -fi diff --git a/usr/libexec/security-misc/panic-on-oops b/usr/libexec/security-misc/panic-on-oops deleted file mode 100755 index 749eb3c..0000000 --- a/usr/libexec/security-misc/panic-on-oops +++ /dev/null @@ -1,23 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -set -e - -if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then - ## pre.bsh would `source` the following folders: - ## /etc/panic-on-oops_pre.d/*.conf - ## /usr/local/etc/panic-on-oops_pre.d/*.conf - source /usr/libexec/helper-scripts/pre.bsh -fi - -## Makes the kernel panic on oopses and warnings. This prevents the -## kernel from continuing to run a flawed processes. Many kernel -## exploits will also cause an oops, these settings will make the -## kernel kill the offending processes. -#sysctl kernel.panic=-1 -sysctl kernel.panic_on_oops=1 -sysctl kernel.panic_on_warn=1 -#sysctl kernel.oops_limit=1 -#sysctl kernel.warn_limit=1 diff --git a/usr/libexec/security-misc/permission-lockdown b/usr/libexec/security-misc/permission-lockdown deleted file mode 100755 index 31aaee4..0000000 --- a/usr/libexec/security-misc/permission-lockdown +++ /dev/null @@ -1,61 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Doing this for all users would create many issues. -# /usr/libexec/security-misc/permission-lockdown: user: root | chmod o-rwx "/root" -# /usr/libexec/security-misc/permission-lockdown: user: daemon | chmod o-rwx "/usr/sbin" -# /usr/libexec/security-misc/permission-lockdown: user: bin | chmod o-rwx "/bin" -# /usr/libexec/security-misc/permission-lockdown: user: sys | chmod o-rwx "/dev" -# /usr/libexec/security-misc/permission-lockdown: user: sync | chmod o-rwx "/bin" -# /usr/libexec/security-misc/permission-lockdown: user: games | chmod o-rwx "/usr/games" -# /usr/libexec/security-misc/permission-lockdown: user: man | chmod o-rwx "/var/cache/man" -# /usr/libexec/security-misc/permission-lockdown: user: mail | chmod o-rwx "/var/mail" -# /usr/libexec/security-misc/permission-lockdown: user: proxy | chmod o-rwx "/bin" -# /usr/libexec/security-misc/permission-lockdown: user: backup | chmod o-rwx "/var/backups" -# /usr/libexec/security-misc/permission-lockdown: user: systemd-timesync | chmod o-rwx "/run/systemd" -# /usr/libexec/security-misc/permission-lockdown: user: systemd-network | chmod o-rwx "/run/systemd/netif" -# /usr/libexec/security-misc/permission-lockdown: user: messagebus | chmod o-rwx "/var/run/dbus" -# /usr/libexec/security-misc/permission-lockdown: user: tinyproxy | chmod o-rwx "/run/tinyproxy" -# /usr/libexec/security-misc/permission-lockdown: user: rtkit | chmod o-rwx "/proc" -# /usr/libexec/security-misc/permission-lockdown: user: colord | chmod o-rwx "/var/lib/colord" -# /usr/libexec/security-misc/permission-lockdown: user: Debian-exim | chmod o-rwx "/var/spool/exim4" -# /usr/libexec/security-misc/permission-lockdown: user: debian-tor | chmod o-rwx "/var/lib/tor" -# /usr/libexec/security-misc/permission-lockdown: user: stunnel4 | chmod o-rwx "/var/run/stunnel4" -# /usr/libexec/security-misc/permission-lockdown: user: iodine | chmod o-rwx "/var/run/iodine" -# /usr/libexec/security-misc/permission-lockdown: user: apt-cacher-ng | chmod o-rwx "/var/cache/apt-cacher-ng" -# /usr/libexec/security-misc/permission-lockdown: user: statd | chmod o-rwx "/var/lib/nfs" -# /usr/libexec/security-misc/permission-lockdown: user: timidity | chmod o-rwx "/etc/timidity" -# /usr/libexec/security-misc/permission-lockdown: user: uuidd | chmod o-rwx "/run/uuidd" -# /usr/libexec/security-misc/permission-lockdown: user: _rpc | chmod o-rwx "/run/rpcbind" -# /usr/libexec/security-misc/permission-lockdown: user: geoclue | chmod o-rwx "/var/lib/geoclue" - -home_folder_access_rights_lockdown() { - mkdir --parents /var/cache/security-misc/state-files - local user - for user in $(dir /home); do ## lists directories only - if [ -f "/var/cache/security-misc/state-files/$user" ]; then - continue - fi - folder_name="/home/$user" - ## chmod: - ## The 'g' for 'group' is not needed. - ## Debian by default uses USERGROUPS=yes in /etc/adduser.conf. - ## The group which the user is being added to has the same name as the user. - ## If the username is user then the name of the group is also user. - ## Some background information here: - ## https://unix.stackexchange.com/questions/156473/reasons-behind-the-default-groups-and-users-on-linux - ## In short, this is useful for "file sharing". A if user1 wants to share data with user2 the command - ## required to run is sudo addgroup user1 user2. - ## See also: user private groups UPGs - ## https://wiki.debian.org/UserPrivateGroups - echo "$0: chmod o-rwx \"$folder_name\"" - chmod o-rwx "$folder_name" - touch "/var/cache/security-misc/state-files/$user" - done -} - -home_folder_access_rights_lockdown - -exit 0 diff --git a/usr/libexec/security-misc/remove-system.map b/usr/libexec/security-misc/remove-system.map deleted file mode 100755 index 5b75f6d..0000000 --- a/usr/libexec/security-misc/remove-system.map +++ /dev/null @@ -1,42 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then - ## pre.bsh would `source` the following folders: - ## /etc/remove-system.map_pre.d/*.conf - ## /usr/local/etc/remove-system.map_pre.d/*.conf - source /usr/libexec/helper-scripts/pre.bsh -fi - -shopt -s nullglob - -system_map_location="/boot/System.map* /usr/src/*/System.map* /lib/modules/*/*/System.map* /System.map*" - -counter=0 -for filename in ${system_map_location} ; do - counter=$(( counter + 1 )) -done - -if [ "$counter" -ge "1" ]; then - echo "INFO: Deleting system.map files..." -fi - -## Removes the System.map files as they are only used for debugging or malware. -for filename in ${system_map_location} ; do - if [ -f "${filename}" ]; then - if [ -w "${filename}" ]; then - ## 'shred' with '--verbose' is too chatty. (7 lines) - shred --force --zero -u "${filename}" - echo "INFO: removed '${filename}'" - else - echo "NOTE: Cannot delete '${filename}' - read-only. For details, see: https://www.kicksecure.com/wiki/security-misc#system_map" - exit 0 - fi - fi -done - -if [ "$counter" -ge "1" ]; then - echo "INFO: Done. Success." -fi diff --git a/usr/libexec/security-misc/virusforget b/usr/libexec/security-misc/virusforget deleted file mode 100755 index a5cb3ea..0000000 --- a/usr/libexec/security-misc/virusforget +++ /dev/null @@ -1,354 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## VirusForget is inspired by Christopher Laprise. -## tasket@protonmail.com -## https://github.com/tasket -## https://www.patreon.com/tasket/creators -## Because of his work on Qubes-VM-Hardening. -## https://github.com/tasket/Qubes-VM-hardening - -#set -x -set -e - -error_handler() { - ## TODO - exit 1 -} - -trap error_handler ERR - -root_check() { - if [ "$(id -u)" != "0" ]; then - echo "ERROR: must be run as root! sudo $0" - exit 1 - fi -} - -parse_cmd_options() { - ## Thanks to: - ## https://mywiki.wooledge.org/BashFAQ/035 - - while : - do - case $1 in - --user) - user_name="$2" - if [ "$user_name" = "" ]; then - echo "ERROR: --user needs username as argument!" >&2 - shift - exit 1 - else - shift 2 - fi - ;; - --simulate) - test_mode="true" - shift - ;; - --unittest) - unit_test="true" - shift - ;; - --commit) - commit="true" - shift - ;; - --clean) - clean="true" - shift - ;; - --check) - check="true" - shift - ;; - --) - shift - break - ;; - -*) - echo "ERROR: unknown option: $1" >&2 - exit 1 - ;; - *) - break - ;; - esac - done - - ## If there are input files (for example) that follow the options, they - ## will remain in the "$@" positional parameters. - - if [ "$user_name" = "" ]; then - echo "ERROR: must set --user username" >&2 - exit 1 - fi -} - -variables() { - chfiles+=" .bashrc " - chfiles+=" .bash_profile " - chfiles+=" .bash_login " - chfiles+=" .bash_logout " - chfiles+=" .profile " - chfiles+=" .pam_environment " - chfiles+=" .xprofile " - chfiles+=" .xinitrc " - chfiles+=" .xserverrc " - chfiles+=" .Xsession " - chfiles+=" .xsession " - chfiles+=" .xsessionrc " - chfiles+=" .virusforgetunitestone " - chfiles+=" .virusforgetunitesttwo " - - chdirs+=" bin " - chdirs+=" .local/bin " - chdirs+=" .config/autostart " - chdirs+=" .config/plasma-workspace/env " - chdirs+=" .config/plasma-workspace/shutdown " - chdirs+=" .config/autostart-scripts " - chdirs+=" .config/systemd " - - ## TODO - privdirs+=" /rw/config " - privdirs+=" /rw/usrlocal " - privdirs+=" /rw/bind-dirs " - - backup_folder="/home/virusforget/backup" - dangerous_folder="/home/virusforget/dangerous" -} - -init() { - adduser --home /home/virusforget --quiet --system --group virusforget - home_folder="/home/$user_name" -} - -process_file_system_objects() { - if [ "$store" = "true" ]; then - if [ "$test_mode" = "true" ]; then - echo Simulate: rm -r -f "$backup_folder" - else - rm -r -f "$backup_folder" - fi - fi - - if [ "$test_mode" = "true" ]; then - true - else - mkdir -p "$backup_folder" - fi - - process_files - process_folders -} - -process_files() { - for file_name in $chfiles ; do - full_path_original="$home_folder/$file_name" - full_path_original_dirname="${full_path_original%/*}" - full_path_backup="$backup_folder/$file_name" - full_path_dangerous="$dangerous_folder/$file_name" - full_path_dangerous_dirname="${full_path_dangerous%/*}" - if [ "$store" = "true" ]; then - if [ -e "$full_path_original" ]; then - if [ "$test_mode" = "true" ]; then - echo Simulate: cp --no-dereference --archive "$full_path_original" "$backup_folder/" - else - cp --no-dereference --archive "$full_path_original" "$backup_folder/" - fi - fi - else - check_file_walker - fi - done -} - -process_folders() { - for folder_name in $chdirs ; do - full_folder_name="$home_folder/$folder_name" - - if [ -e "$full_folder_name" ]; then - find "$full_folder_name" -print0 | \ - while IFS= read -r -d '' line; do - true "line: $line" - if [ "$full_folder_name" = "$line" ]; then - continue - fi - full_path_original="$line" - full_path_original_dirname="${full_path_original%/*}" - ## remove prepeneded $home_folder from $full_path_original - temp_one="$home_folder/" - temp="${full_path_original/#$temp_one/""}" - full_path_backup="$backup_folder/$temp" - full_path_backup_dirname="${full_path_backup%/*}" - full_path_dangerous="$dangerous_folder/$temp" - full_path_dangerous_dirname="${full_path_dangerous%/*}" - - if [ "$store" = "true" ]; then - if [ -d "$full_path_original" ]; then - true "ok" - else - ## Not needed since starting with new backup folder anyhow. - #if [ -e "$full_path_backup" ]; then - # echo chattr -i "$full_path_backup" - # echo rm "$full_path_backup" - #fi - if [ "$test_mode" = "true" ]; then - echo Simulate: cp --no-dereference --archive "$full_path_original" "$full_path_backup_dirname/" - else - mkdir -p "$full_path_backup_dirname" - cp --no-dereference --archive "$full_path_original" "$full_path_backup_dirname/" - fi - fi - else - check_file_walker - fi - done - fi - done -} - -check_file_walker() { - if [ -e "$full_path_backup" ]; then - if [ -e "$full_path_original" ]; then - if [ -d "$full_path_original" ]; then - ## REVIEW: ok to skip directory? - true - return 0 - fi - if diff "$full_path_original" "$full_path_backup" &>/dev/null ; then - true "OK" - else - echo "Difference detected! changed file: $full_path_original backup: $full_path_backup" >&2 - unexpected_file "$full_path_original" - fi - else - echo "Missing file detected! missing: $full_path_original" >&2 - restore_file - fi - else - if [ -e "$full_path_original" ]; then - if [ -d "$full_path_original" ]; then - ## REVIEW: ignore ok? - true - return 0 - fi - echo "Extraneous file! $full_path_original" >&2 - unexpected_file "$full_path_original" - else - true "OK" - fi - fi -} - -unexpected_file() { - if [ -d "$full_path_original" ]; then - ## REVIEW: ignore ok? - true - return 0 - fi - - mkdir -p "$full_path_dangerous_dirname" - - if [ "$test_mode" = "true" ]; then - echo "Simulate backup of current version... $full_path_original" >&2 - echo cp "$full_path_original" --no-dereference --archive --backup=existing "$full_path_dangerous" - elif [ "$clean" = "true" ]; then - echo "Creating backup of current version... $full_path_original" >&2 - echo cp "$full_path_original" --no-dereference --archive --backup=existing "$full_path_dangerous" - cp "$full_path_original" --no-dereference --archive --backup=existing "$full_path_dangerous" - echo "Created backup." >&2 - fi - - if test -h "$full_path_original" ; then - echo "is a symlink: $full_path_original" >&2 - if [ "$test_mode" = "true" ]; then - echo "Simulate only. unexpected symlink. Removing... unlink '$full_path_original'" >&2 - echo unlink "$full_path_original" - elif [ "$clean" = "true" ]; then - echo "unexpected symlink. Removing... unlink '$full_path_original'" >&2 - unlink "$full_path_original" - echo "Removed unexpect symlink." >&2 - fi - else - if [ "$test_mode" = "true" ]; then - echo "Simulate deleting modified version '$full_path_original'." >&2 - echo rm "$full_path_original" >&2 - elif [ "$clean" = "true" ]; then - ## chattr fails on symlinks such as symlink to /dev/random. - chattr -i "$full_path_original" - echo "Deleting modified version '$full_path_original'." >&2 - rm "$full_path_original" >&2 - echo "Deleted '$full_path_original'." >&2 - fi - - echo "View the diff:" >&2 - echo "diff $full_path_original $full_path_dangerous" >&2 - fi - - echo "" >&2 - - restore_file -} - -restore_file() { - if [ "$test_mode" = "true" ]; then - echo "Simulate restoring file... $full_path_original" >&2 - echo cp --no-dereference --archive "$full_path_backup" "$full_path_original" - echo "" >&2 - elif [ "$clean" = "true" ]; then - echo "Restoring file... $full_path_original" >&2 - echo mkdir --parents "$full_path_original_dirname" >&2 - mkdir --parents "$full_path_original_dirname" - if [ ! "$home_folder" = "$full_path_original_dirname" ]; then - chown --recursive "$user_name:$user_name" "$full_path_original_dirname" - fi - echo cp --no-dereference --archive "$full_path_backup" "$full_path_original" - cp --no-dereference --archive "$full_path_backup" "$full_path_original" >&2 - echo "Restored." >&2 - echo "" >&2 - fi -} - -unit_test_one() { - if [ ! "$unit_test" = "true" ]; then - return 0 - fi - echo "x" >> /home/user/.virusforgetunitestone - test -f /home/user/.virusforgetunitestone -} - -unit_test_two() { - if [ ! "$unit_test" = "true" ]; then - return 0 - fi - rm /home/user/.virusforgetunitestone - echo "x" >> /home/user/.virusforgetunitesttwo - test -f /home/user/.virusforgetunitesttwo - echo "x" >> /home/user/.config/systemd/user/virusforgetunittest - test -f /home/user/.config/systemd/user/virusforgetunittest - if test -h /home/user/.config/systemd/user/virusforgetunittestsymlink ; then - unlink /home/user/.config/systemd/user/virusforgetunittestsymlink - fi - ln -s /dev/random /home/user/.config/systemd/user/virusforgetunittestsymlink -} - -root_check -parse_cmd_options "$@" -init -variables -unit_test_one - -if [ "$commit" = "true" ]; then - store=true - process_file_system_objects -fi - -unit_test_two - -if [ "$check" = "true" ]; then - store=false - process_file_system_objects -fi diff --git a/usr/share/doc/security-misc/fstab-vm b/usr/share/doc/security-misc/fstab-vm deleted file mode 100644 index e02a087..0000000 --- a/usr/share/doc/security-misc/fstab-vm +++ /dev/null @@ -1,40 +0,0 @@ -# - -/dev/disk/by-uuid/26ada0c0-1165-4098-884d-aafd2220c2c6 / auto nofail,defaults,errors=remount-ro 0 1 - -proc /proc proc nofail,defaults 0 0 - -/dev /dev devtmpfs nofail,bind,remount,nosuid,noexec 0 0 -#udev /dev devtmpfs defaults,nosuid,noexec 0 0 - -## noexec optional -/dev/shm /dev/shm tmpfs nofail,nosuid,nodev,noexec 0 0 -#tmpfs /dev/shm tmpfs defaults,nosuid,nodev,noexec 0 0 - -## nodev,nosuid,noexec as per: -## https://www.debian.org/doc/manuals/securing-debian-manual/ch04s10.en.html -## Commented out by default to prevent warning: -## mount: /mnt/cdrom: mount point does not exist. -#/dev/cdrom /mnt/cdrom iso9660 nofail,ro,users,nodev,nosuid,noexec 0 0 - -/boot /boot none nofail,bind,nosuid,nodev,noexec 0 0 - -## noexec optional -/tmp /tmp tmpfs nofail,bind,nosuid,nodev,noexec 0 0 -#tmpfs /tmp tmpfs defaults,nodev,nosuid,noexec 0 0 - -/var /var none nofail,bind,nosuid,nodev 0 0 - -## noexec optional -/var/tmp /var/tmp none nofail,bind,nosuid,nodev,noexec 0 0 - -/var/log /var/log none nofail,bind,nosuid,nodev,noexec 0 0 - -## noexec optional -/run /run none nofail,bind,nosuid,nodev,noexec 0 0 - -## noexec optional -/home /home none nofail,bind,nosuid,nodev,noexec 0 0 - -## TODO: -#/sys diff --git a/usr/share/glib-2.0/schemas/30_security-misc.gschema.override b/usr/share/glib-2.0/schemas/30_security-misc.gschema.override index 2f56805..2ee9098 100644 --- a/usr/share/glib-2.0/schemas/30_security-misc.gschema.override +++ b/usr/share/glib-2.0/schemas/30_security-misc.gschema.override @@ -1,5 +1,2 @@ -## Copyright (C) 2017 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - [org.gnome.nautilus.preferences] show-image-thumbnails="never" diff --git a/usr/share/lintian/overrides/security-misc b/usr/share/lintian/overrides/security-misc index 26c3c70..d3cb760 100644 --- a/usr/share/lintian/overrides/security-misc +++ b/usr/share/lintian/overrides/security-misc @@ -1,17 +1,5 @@ -## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## The whole point of the package. -security-misc: package-contains-file-in-etc-skel [etc/skel/*] - -## Wrapper script. -security-misc: no-manual-page [usr/bin/pkexec.security-misc] - -## Non-ideal but still a good solution. -security-misc: file-in-unusual-dir [var/cache/security-misc/state-files/placeholder] - -## False-positive. Just a comment mentioning dpkg's folder. -security-misc: uses-dpkg-database-directly [usr/bin/remount-secure] - -## Special target to make sure this runs as non-parallelized as possible to avoid race conditions. -security-misc: systemd-service-file-refers-to-unusual-wantedby-target sysinit-post.target [usr/lib/systemd/system/remount-secure.service] +security-misc: package-contains-file-in-etc-skel etc/skel/.config/* diff --git a/usr/share/pam-configs/console-lockdown-security-misc b/usr/share/pam-configs/console-lockdown-security-misc deleted file mode 100644 index df57a85..0000000 --- a/usr/share/pam-configs/console-lockdown-security-misc +++ /dev/null @@ -1,7 +0,0 @@ -Name: allow only members of group console to use login (by package security-misc) -Default: no -Priority: 280 -Account-Type: Primary -Account: - [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_only_if_login - required pam_access.so accessfile=/etc/security/access-security-misc.conf debug diff --git a/usr/share/pam-configs/faillock-preauth-security-misc b/usr/share/pam-configs/faillock-preauth-security-misc deleted file mode 100644 index f72826c..0000000 --- a/usr/share/pam-configs/faillock-preauth-security-misc +++ /dev/null @@ -1,8 +0,0 @@ -Name: lock accounts after 50 failed authentication attempts (preauth component) (by package security-misc) -Default: yes -Priority: 1024 -Auth-Type: Primary -Auth: - optional pam_exec.so debug stdout seteuid /usr/libexec/security-misc/pam-info - [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_faillock_not_if_x - required pam_faillock.so preauth diff --git a/usr/share/pam-configs/mkhomedir-security-misc b/usr/share/pam-configs/mkhomedir-security-misc deleted file mode 100644 index 326013c..0000000 --- a/usr/share/pam-configs/mkhomedir-security-misc +++ /dev/null @@ -1,7 +0,0 @@ -Name: Create home directory on login (by package security-misc) -Default: yes -Priority: 100 -Session-Type: Additional -Session-Interactive-Only: yes -Session: - optional pam_mkhomedir.so umask=027 diff --git a/usr/share/pam-configs/pam-abort-on-locked-password-security-misc b/usr/share/pam-configs/pam-abort-on-locked-password-security-misc deleted file mode 100644 index 4d2ffa2..0000000 --- a/usr/share/pam-configs/pam-abort-on-locked-password-security-misc +++ /dev/null @@ -1,6 +0,0 @@ -Name: abort on locked password (by package security-misc) -Default: yes -Priority: 300 -Auth-Type: Primary -Auth: - requisite pam_exec.so debug stdout seteuid /usr/libexec/security-misc/pam-abort-on-locked-password diff --git a/usr/share/pam-configs/umask-security-misc b/usr/share/pam-configs/umask-security-misc deleted file mode 100644 index b29e433..0000000 --- a/usr/share/pam-configs/umask-security-misc +++ /dev/null @@ -1,9 +0,0 @@ -Name: Restrict umask to 027 for non-root users (by package security-misc) -Default: yes -Priority: 100 -Session-Type: Additional -Session: - [success=1 default=ignore] pam_succeed_if.so uid eq 0 - optional pam_umask.so umask=027 - [success=1 default=ignore] pam_succeed_if.so uid ne 0 - optional pam_umask.so umask=022 diff --git a/usr/share/pam-configs/unix-faillock-security-misc b/usr/share/pam-configs/unix-faillock-security-misc deleted file mode 100644 index 876ffa8..0000000 --- a/usr/share/pam-configs/unix-faillock-security-misc +++ /dev/null @@ -1,20 +0,0 @@ -Name: Unix authentication with faillock (by package security-misc) -Default: yes -Priority: 384 -Auth-Type: Primary -Auth: - [success=3 default=ignore] pam_unix.so nullok try_first_pass - [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_faillock_not_if_x - [default=die] pam_faillock.so authfail - requisite pam_deny.so - [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_faillock_not_if_x - optional pam_faillock.so authsucc - required pam_permit.so -Auth-Initial: - [success=3 default=ignore] pam_unix.so nullok - [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_faillock_not_if_x - [default=die] pam_faillock.so authfail - requisite pam_deny.so - [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_faillock_not_if_x - optional pam_faillock.so authsucc - required pam_permit.so diff --git a/usr/share/pam-configs/wheel-security-misc b/usr/share/pam-configs/wheel-security-misc deleted file mode 100644 index eb8a9df..0000000 --- a/usr/share/pam-configs/wheel-security-misc +++ /dev/null @@ -1,7 +0,0 @@ -Name: group sudo membership required to use su (by package security-misc) -Default: yes -Priority: 1050 -Auth-Type: Primary -Auth: - [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_only_if_su - requisite pam_wheel.so group=sudo debug diff --git a/usr/share/security-misc/dolphinrc b/usr/share/security-misc/dolphinrc index 9028487..207e60b 100644 --- a/usr/share/security-misc/dolphinrc +++ b/usr/share/security-misc/dolphinrc @@ -1,5 +1,6 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions [PreviewSettings] Plugins= + diff --git a/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf b/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf deleted file mode 100644 index 150e06b..0000000 --- a/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf +++ /dev/null @@ -1,30 +0,0 @@ -## Copyright (C) 2021 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## LKRG VirtualBox host configuration - -## DO NOT EDIT THIS FILE /etc/sysctl.d/30-lkrg-dkms.conf AS EDITS WILL BE LOST! -## This is an auto generated file. - -## Please use "/etc/sysctl.d/50-user.conf" for your custom -## configuration, which will override the defaults found here. - -## gets copied from: -## /usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf -## to: -## /etc/sysctl.d/30-lkrg-virtualbox.conf -## by package security-misc, files: -## /usr/share/security-misc/lkrg/lkrg-virtualbox -## /usr/lib/systemd/system/lkrg.service.d/40-virtualbox.conf - -## https://forums.whonix.org/t/linux-kernel-runtime-guard-lkrg-linux-kernel-runtime-integrity-checking-and-exploit-detection/8477/32 -## https://www.openwall.com/lists/lkrg-users/2020/01/24/2 -## https://www.openwall.com/lists/lkrg-users/2020/01/25/2 -## https://github.com/openwall/lkrg/issues/82 -## https://github.com/openwall/lkrg/blob/main/scripts/bootup/lkrg.conf -## https://github.com/openwall/lkrg/blob/main/scripts/bootup/systemd/lkrg.service -## /etc/sysctl.d/30-lkrg-dkms.conf -## /usr/lib/systemd/system/lkrg.service - -## https://github.com/openwall/lkrg/issues/82#issuecomment-886188999 -lkrg.pcfi_validate = 1 diff --git a/usr/share/security-misc/lkrg/lkrg-virtualbox b/usr/share/security-misc/lkrg/lkrg-virtualbox deleted file mode 100755 index 4e1754c..0000000 --- a/usr/share/security-misc/lkrg/lkrg-virtualbox +++ /dev/null @@ -1,35 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2021 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -#set -x -set -e - -## provides function: pkg_installed -source /usr/libexec/helper-scripts/package_installed_check.bsh - -## Check if the VirtualBox host software is installed. -if ! command -v vboxmanage &>/dev/null ; then - ## VirtualBox host software is not installed. - if test -f /etc/sysctl.d/30-lkrg-virtualbox.conf ; then - ## Delete using '--verbose' so user is notified. - rm --force --verbose /etc/sysctl.d/30-lkrg-virtualbox.conf - fi - exit 0 -fi - -if ! test -d /etc/sysctl.d ; then - exit 0 -fi - -if ! test -f /usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf ; then - exit 0 -fi - -if ! pkg_installed "lkrg" ; then - exit 0 -fi - -## Delete using '--verbose' so user is notified. -cp --verbose /usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf /etc/sysctl.d/30-lkrg-virtualbox.conf diff --git a/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded b/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded deleted file mode 100644 index d40c552..0000000 --- a/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded +++ /dev/null @@ -1,36 +0,0 @@ -root root 644 /etc/passwd- -root root 755 /etc/cron.monthly -root root 755 /etc/sudoers.d -root shadow 2755 /usr/bin/expiry -root root 4755 /usr/bin/umount -root root 4755 /usr/bin/gpasswd -root root 755 /usr/lib/modules -root root 644 /etc/issue.net -root root 644 /etc/group- -root root 4755 /usr/bin/newgrp -root root 755 /etc/cron.weekly -root root 644 /etc/hosts.deny -root root 4755 /usr/bin/su -root root 644 /etc/hosts.allow -root root 700 /root -root root 755 /etc/cron.daily -root root 755 /bin/ping -root root 777 /etc/motd.kicksecure -root root 777 /etc/motd.whonix -root root 755 /boot -root root 755 /home -root shadow 2755 /usr/bin/chage -root root 4755 /usr/bin/chsh -root root 4755 /usr/bin/passwd -root root 4755 /usr/bin/chfn -root root 644 /etc/group -root root 755 /etc/permission-hardener.d -root root 644 /etc/passwd -root root 755 /usr/src -root root 4755 /usr/bin/mount -root root 777 /etc/issue.kicksecure -root root 777 /etc/issue.whonix -root root 755 /etc/cron.d -root root 4755 /usr/bin/sudo -root root 4755 /usr/bin/pkexec -root root 4755 /usr/lib/polkit-1/polkit-agent-helper-1 diff --git a/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded b/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded deleted file mode 100644 index d1b3a80..0000000 --- a/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded +++ /dev/null @@ -1,26 +0,0 @@ -root root 700 /etc/cron.monthly -root root 700 /etc/sudoers.d -root shadow 744 /usr/bin/expiry -root root 755 /usr/bin/umount -root root 744 /usr/bin/gpasswd -root root 700 /usr/lib/modules -root root 744 /usr/bin/newgrp -root root 700 /etc/cron.weekly -root root 744 /usr/bin/su -root root 700 /etc/cron.daily -root root 755 /bin/ping -root root 644 /etc/motd.kicksecure -root root 644 /etc/motd.whonix -root _ssh 744 /usr/bin/ssh-agent -root root 700 /boot -root shadow 744 /usr/bin/chage -root root 744 /usr/lib/openssh/ssh-keysign -root root 744 /usr/bin/chsh -root root 755 /usr/bin/passwd -root root 744 /usr/bin/chfn -root root 600 /etc/permission-hardener.d -root root 700 /usr/src -root root 755 /usr/bin/mount -root root 644 /etc/issue.kicksecure -root root 644 /etc/issue.whonix -root root 700 /etc/cron.d diff --git a/var/cache/security-misc/state-files/placeholder b/var/cache/security-misc/state-files/placeholder deleted file mode 100644 index 201abb8..0000000 --- a/var/cache/security-misc/state-files/placeholder +++ /dev/null @@ -1,4 +0,0 @@ -This file is a simple placeholder to keep dpkg from removing -/var/cache/security-misc/state-files directory. - -https://forums.whonix.org/t/apparmor-for-complete-system-including-init-pid1-systemd-everything-full-system-mac-policy/8339/76