diff --git a/COPYING b/COPYING index 4d66db5..829d909 100644 --- a/COPYING +++ b/COPYING 
@@ -1,73 +1,668 @@ Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Files: * -Copyright: 2012 - 2023 ENCRYPTED SUPPORT LP -License: GPL-3+-with-additional-terms-1 - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. +Copyright: 2012 - 2025 ENCRYPTED SUPPORT LLC +License: AGPL-3+ + +License: AGPL-3+ + GNU AFFERO GENERAL PUBLIC LICENSE + Version 3, 19 November 2007 . - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. + Copyright (C) 2007 Free Software Foundation, Inc. + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. . - You should have received a copy of the GNU General Public License - along with this program. If not, see . + Preamble . - On Debian systems, the full text of the GNU General Public - License version 3 can be found in the file - `/usr/share/common-licenses/GPL-3'. + The GNU Affero General Public License is a free, copyleft license for + software and other kinds of works, specifically designed to ensure + cooperation with the community in the case of network server software. . - ADDITIONAL TERMS APPLICABLE per GNU GPL version 3 section 7 + The licenses for most software and other practical works are designed + to take away your freedom to share and change the works. By contrast, + our General Public Licenses are intended to guarantee your freedom to + share and change all versions of a program--to make sure it remains free + software for all its users. . - 1. Replacement of Section 15. 
Section 15 of the GPL shall be deleted in its - entirety and replaced with the following: + When we speak of free software, we are referring to freedom, not + price. Our General Public Licenses are designed to make sure that you + have the freedom to distribute copies of free software (and charge for + them if you wish), that you receive source code or can get it if you + want it, that you can change the software or use pieces of it in new + free programs, and that you know you can do these things. . - 15. Disclaimer of Warranty. + Developers that use our General Public Licenses protect your rights + with two steps: (1) assert copyright on the software, and (2) offer + you this License which gives you legal permission to copy, distribute + and/or modify the software. . - THE PROGRAM IS PROVIDED WITHOUT ANY WARRANTIES, WHETHER EXPRESSED OR IMPLIED, - INCLUDING, WITHOUT LIMITATION, IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR - PURPOSE, NON-INFRINGEMENT, TITLE AND MERCHANTABILITY. THE PROGRAM IS BEING - DELIVERED OR MADE AVAILABLE 'AS IS', 'WITH ALL FAULTS' AND WITHOUT WARRANTY OR - REPRESENTATION. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE - PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF + A secondary benefit of defending all users' freedom is that + improvements made in alternate versions of the program, if they + receive widespread use, become available for other developers to + incorporate. Many developers of free software are heartened and + encouraged by the resulting cooperation. However, in the case of + software used on network servers, this result may fail to come about. + The GNU General Public License permits making a modified version and + letting the public access it on a server without ever releasing its + source code to the public. + . + The GNU Affero General Public License is designed specifically to + ensure that, in such cases, the modified source code becomes available + to the community. 
It requires the operator of a network server to + provide the source code of the modified version running there to the + users of that server. Therefore, public use of a modified version, on + a publicly accessible server, gives the public access to the source + code of the modified version. + . + An older license, called the Affero General Public License and + published by Affero, was designed to accomplish similar goals. This is + a different license, not a version of the Affero GPL, but Affero has + released a new version of the Affero GPL which permits relicensing under + this license. + . + The precise terms and conditions for copying, distribution and + modification follow. + . + TERMS AND CONDITIONS + . + 0. Definitions. + . + "This License" refers to version 3 of the GNU Affero General Public License. + . + "Copyright" also means copyright-like laws that apply to other kinds of + works, such as semiconductor masks. + . + "The Program" refers to any copyrightable work licensed under this + License. Each licensee is addressed as "you". "Licensees" and + "recipients" may be individuals or organizations. + . + To "modify" a work means to copy from or adapt all or part of the work + in a fashion requiring copyright permission, other than the making of an + exact copy. The resulting work is called a "modified version" of the + earlier work or a work "based on" the earlier work. + . + A "covered work" means either the unmodified Program or a work based + on the Program. + . + To "propagate" a work means to do anything with it that, without + permission, would make you directly or secondarily liable for + infringement under applicable copyright law, except executing it on a + computer or modifying a private copy. Propagation includes copying, + distribution (with or without modification), making available to the + public, and in some countries other activities as well. + . 
+ To "convey" a work means any kind of propagation that enables other + parties to make or receive copies. Mere interaction with a user through + a computer network, with no transfer of a copy, is not conveying. + . + An interactive user interface displays "Appropriate Legal Notices" + to the extent that it includes a convenient and prominently visible + feature that (1) displays an appropriate copyright notice, and (2) + tells the user that there is no warranty for the work (except to the + extent that warranties are provided), that licensees may convey the + work under this License, and how to view a copy of this License. If + the interface presents a list of user commands or options, such as a + menu, a prominent item in the list meets this criterion. + . + 1. Source Code. + . + The "source code" for a work means the preferred form of the work + for making modifications to it. "Object code" means any non-source + form of a work. + . + A "Standard Interface" means an interface that either is an official + standard defined by a recognized standards body, or, in the case of + interfaces specified for a particular programming language, one that + is widely used among developers working in that language. + . + The "System Libraries" of an executable work include anything, other + than the work as a whole, that (a) is included in the normal form of + packaging a Major Component, but which is not part of that Major + Component, and (b) serves only to enable use of the work with that + Major Component, or to implement a Standard Interface for which an + implementation is available to the public in source code form. A + "Major Component", in this context, means a major essential component + (kernel, window system, and so on) of the specific operating system + (if any) on which the executable work runs, or a compiler used to + produce the work, or an object code interpreter used to run it. + . 
+ The "Corresponding Source" for a work in object code form means all + the source code needed to generate, install, and (for an executable + work) run the object code and to modify the work, including scripts to + control those activities. However, it does not include the work's + System Libraries, or general-purpose tools or generally available free + programs which are used unmodified in performing those activities but + which are not part of the work. For example, Corresponding Source + includes interface definition files associated with source files for + the work, and the source code for shared libraries and dynamically + linked subprograms that the work is specifically designed to require, + such as by intimate data communication or control flow between those + subprograms and other parts of the work. + . + The Corresponding Source need not include anything that users + can regenerate automatically from other parts of the Corresponding + Source. + . + The Corresponding Source for a work in source code form is that + same work. + . + 2. Basic Permissions. + . + All rights granted under this License are granted for the term of + copyright on the Program, and are irrevocable provided the stated + conditions are met. This License explicitly affirms your unlimited + permission to run the unmodified Program. The output from running a + covered work is covered by this License only if the output, given its + content, constitutes a covered work. This License acknowledges your + rights of fair use or other equivalent, as provided by copyright law. + . + You may make, run and propagate covered works that you do not + convey, without conditions so long as your license otherwise remains + in force. 
You may convey covered works to others for the sole purpose + of having them make modifications exclusively for you, or provide you + with facilities for running those works, provided that you comply with + the terms of this License in conveying all material for which you do + not control copyright. Those thus making or running the covered works + for you must do so exclusively on your behalf, under your direction + and control, on terms that prohibit them from making any copies of + your copyrighted material outside their relationship with you. + . + Conveying under any other circumstances is permitted solely under + the conditions stated below. Sublicensing is not allowed; section 10 + makes it unnecessary. + . + 3. Protecting Users' Legal Rights From Anti-Circumvention Law. + . + No covered work shall be deemed part of an effective technological + measure under any applicable law fulfilling obligations under article + 11 of the WIPO copyright treaty adopted on 20 December 1996, or + similar laws prohibiting or restricting circumvention of such + measures. + . + When you convey a covered work, you waive any legal power to forbid + circumvention of technological measures to the extent such circumvention + is effected by exercising rights under this License with respect to + the covered work, and you disclaim any intention to limit operation or + modification of the work as a means of enforcing, against the work's + users, your or third parties' legal rights to forbid circumvention of + technological measures. + . + 4. Conveying Verbatim Copies. + . 
+ You may convey verbatim copies of the Program's source code as you + receive it, in any medium, provided that you conspicuously and + appropriately publish on each copy an appropriate copyright notice; + keep intact all notices stating that this License and any + non-permissive terms added in accord with section 7 apply to the code; + keep intact all notices of the absence of any warranty; and give all + recipients a copy of this License along with the Program. + . + You may charge any price or no price for each copy that you convey, + and you may offer support or warranty protection for a fee. + . + 5. Conveying Modified Source Versions. + . + You may convey a work based on the Program, or the modifications to + produce it from the Program, in the form of source code under the + terms of section 4, provided that you also meet all of these conditions: + . + a) The work must carry prominent notices stating that you modified + it, and giving a relevant date. + . + b) The work must carry prominent notices stating that it is + released under this License and any conditions added under section + 7. This requirement modifies the requirement in section 4 to + "keep intact all notices". + . + c) You must license the entire work, as a whole, under this + License to anyone who comes into possession of a copy. This + License will therefore apply, along with any applicable section 7 + additional terms, to the whole of the work, and all its parts, + regardless of how they are packaged. This License gives no + permission to license the work in any other way, but it does not + invalidate such permission if you have separately received it. + . + d) If the work has interactive user interfaces, each must display + Appropriate Legal Notices; however, if the Program has interactive + interfaces that do not display Appropriate Legal Notices, your + work need not make them do so. + . 
+ A compilation of a covered work with other separate and independent + works, which are not by their nature extensions of the covered work, + and which are not combined with it such as to form a larger program, + in or on a volume of a storage or distribution medium, is called an + "aggregate" if the compilation and its resulting copyright are not + used to limit the access or legal rights of the compilation's users + beyond what the individual works permit. Inclusion of a covered work + in an aggregate does not cause this License to apply to the other + parts of the aggregate. + . + 6. Conveying Non-Source Forms. + . + You may convey a covered work in object code form under the terms + of sections 4 and 5, provided that you also convey the + machine-readable Corresponding Source under the terms of this License, + in one of these ways: + . + a) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by the + Corresponding Source fixed on a durable physical medium + customarily used for software interchange. + . + b) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by a + written offer, valid for at least three years and valid for as + long as you offer spare parts or customer support for that product + model, to give anyone who possesses the object code either (1) a + copy of the Corresponding Source for all the software in the + product that is covered by this License, on a durable physical + medium customarily used for software interchange, for a price no + more than your reasonable cost of physically performing this + conveying of source, or (2) access to copy the + Corresponding Source from a network server at no charge. + . + c) Convey individual copies of the object code with a copy of the + written offer to provide the Corresponding Source. 
This + alternative is allowed only occasionally and noncommercially, and + only if you received the object code with such an offer, in accord + with subsection 6b. + . + d) Convey the object code by offering access from a designated + place (gratis or for a charge), and offer equivalent access to the + Corresponding Source in the same way through the same place at no + further charge. You need not require recipients to copy the + Corresponding Source along with the object code. If the place to + copy the object code is a network server, the Corresponding Source + may be on a different server (operated by you or a third party) + that supports equivalent copying facilities, provided you maintain + clear directions next to the object code saying where to find the + Corresponding Source. Regardless of what server hosts the + Corresponding Source, you remain obligated to ensure that it is + available for as long as needed to satisfy these requirements. + . + e) Convey the object code using peer-to-peer transmission, provided + you inform other peers where the object code and Corresponding + Source of the work are being offered to the general public at no + charge under subsection 6d. + . + A separable portion of the object code, whose source code is excluded + from the Corresponding Source as a System Library, need not be + included in conveying the object code work. + . + A "User Product" is either (1) a "consumer product", which means any + tangible personal property which is normally used for personal, family, + or household purposes, or (2) anything designed or sold for incorporation + into a dwelling. In determining whether a product is a consumer product, + doubtful cases shall be resolved in favor of coverage. 
For a particular + product received by a particular user, "normally used" refers to a + typical or common use of that class of product, regardless of the status + of the particular user or of the way in which the particular user + actually uses, or expects or is expected to use, the product. A product + is a consumer product regardless of whether the product has substantial + commercial, industrial or non-consumer uses, unless such uses represent + the only significant mode of use of the product. + . + "Installation Information" for a User Product means any methods, + procedures, authorization keys, or other information required to install + and execute modified versions of a covered work in that User Product from + a modified version of its Corresponding Source. The information must + suffice to ensure that the continued functioning of the modified object + code is in no case prevented or interfered with solely because + modification has been made. + . + If you convey an object code work under this section in, or with, or + specifically for use in, a User Product, and the conveying occurs as + part of a transaction in which the right of possession and use of the + User Product is transferred to the recipient in perpetuity or for a + fixed term (regardless of how the transaction is characterized), the + Corresponding Source conveyed under this section must be accompanied + by the Installation Information. But this requirement does not apply + if neither you nor any third party retains the ability to install + modified object code on the User Product (for example, the work has + been installed in ROM). + . + The requirement to provide Installation Information does not include a + requirement to continue to provide support service, warranty, or updates + for a work that has been modified or installed by the recipient, or for + the User Product in which it has been modified or installed. 
Access to a + network may be denied when the modification itself materially and + adversely affects the operation of the network or violates the rules and + protocols for communication across the network. + . + Corresponding Source conveyed, and Installation Information provided, + in accord with this section must be in a format that is publicly + documented (and with an implementation available to the public in + source code form), and must require no special password or key for + unpacking, reading or copying. + . + 7. Additional Terms. + . + "Additional permissions" are terms that supplement the terms of this + License by making exceptions from one or more of its conditions. + Additional permissions that are applicable to the entire Program shall + be treated as though they were included in this License, to the extent + that they are valid under applicable law. If additional permissions + apply only to part of the Program, that part may be used separately + under those permissions, but the entire Program remains governed by + this License without regard to the additional permissions. + . + When you convey a copy of a covered work, you may at your option + remove any additional permissions from that copy, or from any part of + it. (Additional permissions may be written to require their own + removal in certain cases when you modify the work.) You may place + additional permissions on material, added by you to a covered work, + for which you have or can give appropriate copyright permission. + . + Notwithstanding any other provision of this License, for material you + add to a covered work, you may (if authorized by the copyright holders of + that material) supplement the terms of this License with terms: + . + a) Disclaiming warranty or limiting liability differently from the + terms of sections 15 and 16 of this License; or + . 
+ b) Requiring preservation of specified reasonable legal notices or + author attributions in that material or in the Appropriate Legal + Notices displayed by works containing it; or + . + c) Prohibiting misrepresentation of the origin of that material, or + requiring that modified versions of such material be marked in + reasonable ways as different from the original version; or + . + d) Limiting the use for publicity purposes of names of licensors or + authors of the material; or + . + e) Declining to grant rights under trademark law for use of some + trade names, trademarks, or service marks; or + . + f) Requiring indemnification of licensors and authors of that + material by anyone who conveys the material (or modified versions of + it) with contractual assumptions of liability to the recipient, for + any liability that these contractual assumptions directly impose on + those licensors and authors. + . + All other non-permissive additional terms are considered "further + restrictions" within the meaning of section 10. If the Program as you + received it, or any part of it, contains a notice stating that it is + governed by this License along with a term that is a further + restriction, you may remove that term. If a license document contains + a further restriction but permits relicensing or conveying under this + License, you may add to a covered work material governed by the terms + of that license document, provided that the further restriction does + not survive such relicensing or conveying. + . + If you add terms to a covered work in accord with this section, you + must place, in the relevant source files, a statement of the + additional terms that apply to those files, or a notice indicating + where to find the applicable terms. + . + Additional terms, permissive or non-permissive, may be stated in the + form of a separately written license, or stated as exceptions; + the above requirements apply either way. + . + 8. Termination. + . 
+ You may not propagate or modify a covered work except as expressly + provided under this License. Any attempt otherwise to propagate or + modify it is void, and will automatically terminate your rights under + this License (including any patent licenses granted under the third + paragraph of section 11). + . + However, if you cease all violation of this License, then your + license from a particular copyright holder is reinstated (a) + provisionally, unless and until the copyright holder explicitly and + finally terminates your license, and (b) permanently, if the copyright + holder fails to notify you of the violation by some reasonable means + prior to 60 days after the cessation. + . + Moreover, your license from a particular copyright holder is + reinstated permanently if the copyright holder notifies you of the + violation by some reasonable means, this is the first time you have + received notice of violation of this License (for any work) from that + copyright holder, and you cure the violation prior to 30 days after + your receipt of the notice. + . + Termination of your rights under this section does not terminate the + licenses of parties who have received copies or rights from you under + this License. If your rights have been terminated and not permanently + reinstated, you do not qualify to receive new licenses for the same + material under section 10. + . + 9. Acceptance Not Required for Having Copies. + . + You are not required to accept this License in order to receive or + run a copy of the Program. Ancillary propagation of a covered work + occurring solely as a consequence of using peer-to-peer transmission + to receive a copy likewise does not require acceptance. However, + nothing other than this License grants you permission to propagate or + modify any covered work. These actions infringe copyright if you do + not accept this License. 
Therefore, by modifying or propagating a + covered work, you indicate your acceptance of this License to do so. + . + 10. Automatic Licensing of Downstream Recipients. + . + Each time you convey a covered work, the recipient automatically + receives a license from the original licensors, to run, modify and + propagate that work, subject to this License. You are not responsible + for enforcing compliance by third parties with this License. + . + An "entity transaction" is a transaction transferring control of an + organization, or substantially all assets of one, or subdividing an + organization, or merging organizations. If propagation of a covered + work results from an entity transaction, each party to that + transaction who receives a copy of the work also receives whatever + licenses to the work the party's predecessor in interest had or could + give under the previous paragraph, plus a right to possession of the + Corresponding Source of the work from the predecessor in interest, if + the predecessor has it or can get it with reasonable efforts. + . + You may not impose any further restrictions on the exercise of the + rights granted or affirmed under this License. For example, you may + not impose a license fee, royalty, or other charge for exercise of + rights granted under this License, and you may not initiate litigation + (including a cross-claim or counterclaim in a lawsuit) alleging that + any patent claim is infringed by making, using, selling, offering for + sale, or importing the Program or any portion of it. + . + 11. Patents. + . + A "contributor" is a copyright holder who authorizes use under this + License of the Program or a work on which the Program is based. The + work thus licensed is called the contributor's "contributor version". + . 
+ A contributor's "essential patent claims" are all patent claims + owned or controlled by the contributor, whether already acquired or + hereafter acquired, that would be infringed by some manner, permitted + by this License, of making, using, or selling its contributor version, + but do not include claims that would be infringed only as a + consequence of further modification of the contributor version. For + purposes of this definition, "control" includes the right to grant + patent sublicenses in a manner consistent with the requirements of + this License. + . + Each contributor grants you a non-exclusive, worldwide, royalty-free + patent license under the contributor's essential patent claims, to + make, use, sell, offer for sale, import and otherwise run, modify and + propagate the contents of its contributor version. + . + In the following three paragraphs, a "patent license" is any express + agreement or commitment, however denominated, not to enforce a patent + (such as an express permission to practice a patent or covenant not to + sue for patent infringement). To "grant" such a patent license to a + party means to make such an agreement or commitment not to enforce a + patent against the party. + . + If you convey a covered work, knowingly relying on a patent license, + and the Corresponding Source of the work is not available for anyone + to copy, free of charge and under the terms of this License, through a + publicly available network server or other readily accessible means, + then you must either (1) cause the Corresponding Source to be so + available, or (2) arrange to deprive yourself of the benefit of the + patent license for this particular work, or (3) arrange, in a manner + consistent with the requirements of this License, to extend the patent + license to downstream recipients. 
"Knowingly relying" means you have + actual knowledge that, but for the patent license, your conveying the + covered work in a country, or your recipient's use of the covered work + in a country, would infringe one or more identifiable patents in that + country that you have reason to believe are valid. + . + If, pursuant to or in connection with a single transaction or + arrangement, you convey, or propagate by procuring conveyance of, a + covered work, and grant a patent license to some of the parties + receiving the covered work authorizing them to use, propagate, modify + or convey a specific copy of the covered work, then the patent license + you grant is automatically extended to all recipients of the covered + work and works based on it. + . + A patent license is "discriminatory" if it does not include within + the scope of its coverage, prohibits the exercise of, or is + conditioned on the non-exercise of one or more of the rights that are + specifically granted under this License. You may not convey a covered + work if you are a party to an arrangement with a third party that is + in the business of distributing software, under which you make payment + to the third party based on the extent of your activity of conveying + the work, and under which the third party grants, to any of the + parties who would receive the covered work from you, a discriminatory + patent license (a) in connection with copies of the covered work + conveyed by you (or copies made from those copies), or (b) primarily + for and in connection with specific products or compilations that + contain the covered work, unless you entered into that arrangement, + or that patent license was granted, prior to 28 March 2007. + . + Nothing in this License shall be construed as excluding or limiting + any implied license or other defenses to infringement that may + otherwise be available to you under applicable patent law. + . + 12. No Surrender of Others' Freedom. + . 
+ If conditions are imposed on you (whether by court order, agreement or + otherwise) that contradict the conditions of this License, they do not + excuse you from the conditions of this License. If you cannot convey a + covered work so as to satisfy simultaneously your obligations under this + License and any other pertinent obligations, then as a consequence you may + not convey it at all. For example, if you agree to terms that obligate you + to collect a royalty for further conveying from those to whom you convey + the Program, the only way you could satisfy both those terms and this + License would be to refrain entirely from conveying the Program. + . + 13. Remote Network Interaction; Use with the GNU General Public License. + . + Notwithstanding any other provision of this License, if you modify the + Program, your modified version must prominently offer all users + interacting with it remotely through a computer network (if your version + supports such interaction) an opportunity to receive the Corresponding + Source of your version by providing access to the Corresponding Source + from a network server at no charge, through some standard or customary + means of facilitating copying of software. This Corresponding Source + shall include the Corresponding Source for any work covered by version 3 + of the GNU General Public License that is incorporated pursuant to the + following paragraph. + . + Notwithstanding any other provision of this License, you have + permission to link or combine any covered work with a work licensed + under version 3 of the GNU General Public License into a single + combined work, and to convey the resulting work. The terms of this + License will continue to apply to the part which is the covered work, + but the work with which it is combined will remain governed by version + 3 of the GNU General Public License. + . + 14. Revised Versions of this License. + . 
+ The Free Software Foundation may publish revised and/or new versions of + the GNU Affero General Public License from time to time. Such new versions + will be similar in spirit to the present version, but may differ in detail to + address new problems or concerns. + . + Each version is given a distinguishing version number. If the + Program specifies that a certain numbered version of the GNU Affero General + Public License "or any later version" applies to it, you have the + option of following the terms and conditions either of that numbered + version or of any later version published by the Free Software + Foundation. If the Program does not specify a version number of the + GNU Affero General Public License, you may choose any version ever published + by the Free Software Foundation. + . + If the Program specifies that a proxy can decide which future + versions of the GNU Affero General Public License can be used, that proxy's + public statement of acceptance of a version permanently authorizes you + to choose that version for the Program. + . + Later license versions may give you additional or different + permissions. However, no additional obligations are imposed on any + author or copyright holder as a result of your choosing to follow a + later version. + . + 15. Disclaimer of Warranty. + . + THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY + APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT + HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY + OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, + THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM + IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. . - 2. Replacement of Section 16. 
Section 16 of the GPL shall be deleted in its - entirety and replaced with the following: + 16. Limitation of Liability. . - 16. LIMITATION OF LIABILITY. + IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING + WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS + THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY + GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE + USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF + DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD + PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), + EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF + SUCH DAMAGES. . - UNDER NO CIRCUMSTANCES SHALL ANY COPYRIGHT HOLDER OR ITS AFFILIATES, OR ANY - OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE - LIABLE TO YOU, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, FOR ANY - DAMAGES OR OTHER LIABILITY, INCLUDING ANY GENERAL, DIRECT, INDIRECT, SPECIAL, - INCIDENTAL, CONSEQUENTIAL OR PUNITIVE DAMAGES ARISING FROM, OUT OF OR IN - CONNECTION WITH THE USE OR INABILITY TO USE THE PROGRAM OR OTHER DEALINGS WITH - THE PROGRAM(INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED - INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE - PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), WHETHER OR NOT ANY COPYRIGHT HOLDER - OR SUCH OTHER PARTY RECEIVES NOTICE OF ANY SUCH DAMAGES AND WHETHER OR NOT SUCH - DAMAGES COULD HAVE BEEN FORESEEN. + 17. Interpretation of Sections 15 and 16. . - 3. LEGAL NOTICES; NO TRADEMARK LICENSE; ORIGIN. You must reproduce faithfully - all trademark, copyright and other proprietary and legal notices on any copies - of the Program or any other required author attributions. This license does not - grant you rights to use any copyright holder or any other party's name, logo, or - trademarks. 
Neither the name of the copyright holder or its affiliates, or any - other party who modifies and/or conveys the Program may be used to endorse or - promote products derived from this software without specific prior written - permission. The origin of the Program must not be misrepresented; you must not - claim that you wrote the original Program. Altered source versions must be - plainly marked as such, and must not be misrepresented as being the original - Program. + If the disclaimer of warranty and limitation of liability provided + above cannot be given local legal effect according to their terms, + reviewing courts shall apply local law that most closely approximates + an absolute waiver of all civil liability in connection with the + Program, unless a warranty or assumption of liability accompanies a + copy of the Program in return for a fee. . - 4. INDEMNIFICATION. IF YOU CONVEY A COVERED WORK AND AGREE WITH ANY RECIPIENT - OF THAT COVERED WORK THAT YOU WILL ASSUME ANY LIABILITY FOR THAT COVERED WORK, - YOU HEREBY AGREE TO INDEMNIFY, DEFEND AND HOLD HARMLESS THE OTHER LICENSORS AND - AUTHORS OF THAT COVERED WORK FOR ANY DAMAGES, DEMANDS, CLAIMS, LOSSES, CAUSES OF - ACTION, LAWSUITS, JUDGMENTS EXPENSES (INCLUDING WITHOUT LIMITATION REASONABLE - ATTORNEYS' FEES AND EXPENSES) OR ANY OTHER LIABILITY ARISING FROM, RELATED TO OR - IN CONNECTION WITH YOUR ASSUMPTIONS OF LIABILITY. + END OF TERMS AND CONDITIONS + . + How to Apply These Terms to Your New Programs + . + If you develop a new program, and you want it to be of the greatest + possible use to the public, the best way to achieve this is to make it + free software which everyone can redistribute and change under these terms. + . + To do so, attach the following notices to the program. It is safest + to attach them to the start of each source file to most effectively + state the exclusion of warranty; and each file should have at least + the "copyright" line and a pointer to where the full notice is found. 
+ . + + Copyright (C) + . + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + . + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + . + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see . + . + Also add information on how to contact you by electronic and paper mail. + . + If your software can interact with users remotely through a computer + network, you should also make sure that it provides a way for users to + get its source. For example, if your program is a web application, its + interface could display a "Source" link that leads users to an archive + of the code. There are many ways you could offer source, and different + solutions will be better for different programs; see section 13 for the + specific requirements. + . + You should also get your employer (if you work as a programmer) or school, + if any, to sign a "copyright disclaimer" for the program, if necessary. + For more information on this, and how to apply and follow the GNU AGPL, see + . diff --git a/GPLv3 b/GPLv3 deleted file mode 100644 index 94a9ed0..0000000 --- a/GPLv3 +++ /dev/null 
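Review bot: this hunk removes the non-standard additional terms that the old stanza attached to GPL-3 (the section 16 replacement, the legal-notices/no-trademark-license clause and the indemnification clause) and swaps in the stock AGPL sections 13 through 17, but only COPYING is touched; any per-file headers, README text or packaging metadata that still name GPL-3+-with-additional-terms-1 or quote the old replacement terms need the same update in this change set, and since a licence change requires the agreement of the copyright holders of the affected code, the commit message should state that this agreement was obtained rather than leave it implicit in the COPYING rewrite.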
@@ -1,674 +0,0 @@ - GNU GENERAL PUBLIC LICENSE - Version 3, 29 June 2007 - - Copyright (C) 2007 Free Software Foundation, Inc. - Everyone is permitted to copy and distribute verbatim copies - of this license document, but changing it is not allowed. - - Preamble - - The GNU General Public License is a free, copyleft license for -software and other kinds of works. - - The licenses for most software and other practical works are designed -to take away your freedom to share and change the works. By contrast, -the GNU General Public License is intended to guarantee your freedom to -share and change all versions of a program--to make sure it remains free -software for all its users. We, the Free Software Foundation, use the -GNU General Public License for most of our software; it applies also to -any other work released this way by its authors. You can apply it to -your programs, too. - - When we speak of free software, we are referring to freedom, not -price. Our General Public Licenses are designed to make sure that you -have the freedom to distribute copies of free software (and charge for -them if you wish), that you receive source code or can get it if you -want it, that you can change the software or use pieces of it in new -free programs, and that you know you can do these things. - - To protect your rights, we need to prevent others from denying you -these rights or asking you to surrender the rights. Therefore, you have -certain responsibilities if you distribute copies of the software, or if -you modify it: responsibilities to respect the freedom of others. - - For example, if you distribute copies of such a program, whether -gratis or for a fee, you must pass on to the recipients the same -freedoms that you received. You must make sure that they, too, receive -or can get the source code. And you must show them these terms so they -know their rights. 
- - Developers that use the GNU GPL protect your rights with two steps: -(1) assert copyright on the software, and (2) offer you this License -giving you legal permission to copy, distribute and/or modify it. - - For the developers' and authors' protection, the GPL clearly explains -that there is no warranty for this free software. For both users' and -authors' sake, the GPL requires that modified versions be marked as -changed, so that their problems will not be attributed erroneously to -authors of previous versions. - - Some devices are designed to deny users access to install or run -modified versions of the software inside them, although the manufacturer -can do so. This is fundamentally incompatible with the aim of -protecting users' freedom to change the software. The systematic -pattern of such abuse occurs in the area of products for individuals to -use, which is precisely where it is most unacceptable. Therefore, we -have designed this version of the GPL to prohibit the practice for those -products. If such problems arise substantially in other domains, we -stand ready to extend this provision to those domains in future versions -of the GPL, as needed to protect the freedom of users. - - Finally, every program is threatened constantly by software patents. -States should not allow patents to restrict development and use of -software on general-purpose computers, but in those that do, we wish to -avoid the special danger that patents applied to a free program could -make it effectively proprietary. To prevent this, the GPL assures that -patents cannot be used to render the program non-free. - - The precise terms and conditions for copying, distribution and -modification follow. - - TERMS AND CONDITIONS - - 0. Definitions. - - "This License" refers to version 3 of the GNU General Public License. - - "Copyright" also means copyright-like laws that apply to other kinds of -works, such as semiconductor masks. 
- - "The Program" refers to any copyrightable work licensed under this -License. Each licensee is addressed as "you". "Licensees" and -"recipients" may be individuals or organizations. - - To "modify" a work means to copy from or adapt all or part of the work -in a fashion requiring copyright permission, other than the making of an -exact copy. The resulting work is called a "modified version" of the -earlier work or a work "based on" the earlier work. - - A "covered work" means either the unmodified Program or a work based -on the Program. - - To "propagate" a work means to do anything with it that, without -permission, would make you directly or secondarily liable for -infringement under applicable copyright law, except executing it on a -computer or modifying a private copy. Propagation includes copying, -distribution (with or without modification), making available to the -public, and in some countries other activities as well. - - To "convey" a work means any kind of propagation that enables other -parties to make or receive copies. Mere interaction with a user through -a computer network, with no transfer of a copy, is not conveying. - - An interactive user interface displays "Appropriate Legal Notices" -to the extent that it includes a convenient and prominently visible -feature that (1) displays an appropriate copyright notice, and (2) -tells the user that there is no warranty for the work (except to the -extent that warranties are provided), that licensees may convey the -work under this License, and how to view a copy of this License. If -the interface presents a list of user commands or options, such as a -menu, a prominent item in the list meets this criterion. - - 1. Source Code. - - The "source code" for a work means the preferred form of the work -for making modifications to it. "Object code" means any non-source -form of a work. 
- - A "Standard Interface" means an interface that either is an official -standard defined by a recognized standards body, or, in the case of -interfaces specified for a particular programming language, one that -is widely used among developers working in that language. - - The "System Libraries" of an executable work include anything, other -than the work as a whole, that (a) is included in the normal form of -packaging a Major Component, but which is not part of that Major -Component, and (b) serves only to enable use of the work with that -Major Component, or to implement a Standard Interface for which an -implementation is available to the public in source code form. A -"Major Component", in this context, means a major essential component -(kernel, window system, and so on) of the specific operating system -(if any) on which the executable work runs, or a compiler used to -produce the work, or an object code interpreter used to run it. - - The "Corresponding Source" for a work in object code form means all -the source code needed to generate, install, and (for an executable -work) run the object code and to modify the work, including scripts to -control those activities. However, it does not include the work's -System Libraries, or general-purpose tools or generally available free -programs which are used unmodified in performing those activities but -which are not part of the work. For example, Corresponding Source -includes interface definition files associated with source files for -the work, and the source code for shared libraries and dynamically -linked subprograms that the work is specifically designed to require, -such as by intimate data communication or control flow between those -subprograms and other parts of the work. - - The Corresponding Source need not include anything that users -can regenerate automatically from other parts of the Corresponding -Source. - - The Corresponding Source for a work in source code form is that -same work. - - 2. 
Basic Permissions. - - All rights granted under this License are granted for the term of -copyright on the Program, and are irrevocable provided the stated -conditions are met. This License explicitly affirms your unlimited -permission to run the unmodified Program. The output from running a -covered work is covered by this License only if the output, given its -content, constitutes a covered work. This License acknowledges your -rights of fair use or other equivalent, as provided by copyright law. - - You may make, run and propagate covered works that you do not -convey, without conditions so long as your license otherwise remains -in force. You may convey covered works to others for the sole purpose -of having them make modifications exclusively for you, or provide you -with facilities for running those works, provided that you comply with -the terms of this License in conveying all material for which you do -not control copyright. Those thus making or running the covered works -for you must do so exclusively on your behalf, under your direction -and control, on terms that prohibit them from making any copies of -your copyrighted material outside their relationship with you. - - Conveying under any other circumstances is permitted solely under -the conditions stated below. Sublicensing is not allowed; section 10 -makes it unnecessary. - - 3. Protecting Users' Legal Rights From Anti-Circumvention Law. - - No covered work shall be deemed part of an effective technological -measure under any applicable law fulfilling obligations under article -11 of the WIPO copyright treaty adopted on 20 December 1996, or -similar laws prohibiting or restricting circumvention of such -measures. 
- - When you convey a covered work, you waive any legal power to forbid -circumvention of technological measures to the extent such circumvention -is effected by exercising rights under this License with respect to -the covered work, and you disclaim any intention to limit operation or -modification of the work as a means of enforcing, against the work's -users, your or third parties' legal rights to forbid circumvention of -technological measures. - - 4. Conveying Verbatim Copies. - - You may convey verbatim copies of the Program's source code as you -receive it, in any medium, provided that you conspicuously and -appropriately publish on each copy an appropriate copyright notice; -keep intact all notices stating that this License and any -non-permissive terms added in accord with section 7 apply to the code; -keep intact all notices of the absence of any warranty; and give all -recipients a copy of this License along with the Program. - - You may charge any price or no price for each copy that you convey, -and you may offer support or warranty protection for a fee. - - 5. Conveying Modified Source Versions. - - You may convey a work based on the Program, or the modifications to -produce it from the Program, in the form of source code under the -terms of section 4, provided that you also meet all of these conditions: - - a) The work must carry prominent notices stating that you modified - it, and giving a relevant date. - - b) The work must carry prominent notices stating that it is - released under this License and any conditions added under section - 7. This requirement modifies the requirement in section 4 to - "keep intact all notices". - - c) You must license the entire work, as a whole, under this - License to anyone who comes into possession of a copy. This - License will therefore apply, along with any applicable section 7 - additional terms, to the whole of the work, and all its parts, - regardless of how they are packaged. 
This License gives no - permission to license the work in any other way, but it does not - invalidate such permission if you have separately received it. - - d) If the work has interactive user interfaces, each must display - Appropriate Legal Notices; however, if the Program has interactive - interfaces that do not display Appropriate Legal Notices, your - work need not make them do so. - - A compilation of a covered work with other separate and independent -works, which are not by their nature extensions of the covered work, -and which are not combined with it such as to form a larger program, -in or on a volume of a storage or distribution medium, is called an -"aggregate" if the compilation and its resulting copyright are not -used to limit the access or legal rights of the compilation's users -beyond what the individual works permit. Inclusion of a covered work -in an aggregate does not cause this License to apply to the other -parts of the aggregate. - - 6. Conveying Non-Source Forms. - - You may convey a covered work in object code form under the terms -of sections 4 and 5, provided that you also convey the -machine-readable Corresponding Source under the terms of this License, -in one of these ways: - - a) Convey the object code in, or embodied in, a physical product - (including a physical distribution medium), accompanied by the - Corresponding Source fixed on a durable physical medium - customarily used for software interchange. 
- - b) Convey the object code in, or embodied in, a physical product - (including a physical distribution medium), accompanied by a - written offer, valid for at least three years and valid for as - long as you offer spare parts or customer support for that product - model, to give anyone who possesses the object code either (1) a - copy of the Corresponding Source for all the software in the - product that is covered by this License, on a durable physical - medium customarily used for software interchange, for a price no - more than your reasonable cost of physically performing this - conveying of source, or (2) access to copy the - Corresponding Source from a network server at no charge. - - c) Convey individual copies of the object code with a copy of the - written offer to provide the Corresponding Source. This - alternative is allowed only occasionally and noncommercially, and - only if you received the object code with such an offer, in accord - with subsection 6b. - - d) Convey the object code by offering access from a designated - place (gratis or for a charge), and offer equivalent access to the - Corresponding Source in the same way through the same place at no - further charge. You need not require recipients to copy the - Corresponding Source along with the object code. If the place to - copy the object code is a network server, the Corresponding Source - may be on a different server (operated by you or a third party) - that supports equivalent copying facilities, provided you maintain - clear directions next to the object code saying where to find the - Corresponding Source. Regardless of what server hosts the - Corresponding Source, you remain obligated to ensure that it is - available for as long as needed to satisfy these requirements. 
- - e) Convey the object code using peer-to-peer transmission, provided - you inform other peers where the object code and Corresponding - Source of the work are being offered to the general public at no - charge under subsection 6d. - - A separable portion of the object code, whose source code is excluded -from the Corresponding Source as a System Library, need not be -included in conveying the object code work. - - A "User Product" is either (1) a "consumer product", which means any -tangible personal property which is normally used for personal, family, -or household purposes, or (2) anything designed or sold for incorporation -into a dwelling. In determining whether a product is a consumer product, -doubtful cases shall be resolved in favor of coverage. For a particular -product received by a particular user, "normally used" refers to a -typical or common use of that class of product, regardless of the status -of the particular user or of the way in which the particular user -actually uses, or expects or is expected to use, the product. A product -is a consumer product regardless of whether the product has substantial -commercial, industrial or non-consumer uses, unless such uses represent -the only significant mode of use of the product. - - "Installation Information" for a User Product means any methods, -procedures, authorization keys, or other information required to install -and execute modified versions of a covered work in that User Product from -a modified version of its Corresponding Source. The information must -suffice to ensure that the continued functioning of the modified object -code is in no case prevented or interfered with solely because -modification has been made. 
- - If you convey an object code work under this section in, or with, or -specifically for use in, a User Product, and the conveying occurs as -part of a transaction in which the right of possession and use of the -User Product is transferred to the recipient in perpetuity or for a -fixed term (regardless of how the transaction is characterized), the -Corresponding Source conveyed under this section must be accompanied -by the Installation Information. But this requirement does not apply -if neither you nor any third party retains the ability to install -modified object code on the User Product (for example, the work has -been installed in ROM). - - The requirement to provide Installation Information does not include a -requirement to continue to provide support service, warranty, or updates -for a work that has been modified or installed by the recipient, or for -the User Product in which it has been modified or installed. Access to a -network may be denied when the modification itself materially and -adversely affects the operation of the network or violates the rules and -protocols for communication across the network. - - Corresponding Source conveyed, and Installation Information provided, -in accord with this section must be in a format that is publicly -documented (and with an implementation available to the public in -source code form), and must require no special password or key for -unpacking, reading or copying. - - 7. Additional Terms. - - "Additional permissions" are terms that supplement the terms of this -License by making exceptions from one or more of its conditions. -Additional permissions that are applicable to the entire Program shall -be treated as though they were included in this License, to the extent -that they are valid under applicable law. 
If additional permissions -apply only to part of the Program, that part may be used separately -under those permissions, but the entire Program remains governed by -this License without regard to the additional permissions. - - When you convey a copy of a covered work, you may at your option -remove any additional permissions from that copy, or from any part of -it. (Additional permissions may be written to require their own -removal in certain cases when you modify the work.) You may place -additional permissions on material, added by you to a covered work, -for which you have or can give appropriate copyright permission. - - Notwithstanding any other provision of this License, for material you -add to a covered work, you may (if authorized by the copyright holders of -that material) supplement the terms of this License with terms: - - a) Disclaiming warranty or limiting liability differently from the - terms of sections 15 and 16 of this License; or - - b) Requiring preservation of specified reasonable legal notices or - author attributions in that material or in the Appropriate Legal - Notices displayed by works containing it; or - - c) Prohibiting misrepresentation of the origin of that material, or - requiring that modified versions of such material be marked in - reasonable ways as different from the original version; or - - d) Limiting the use for publicity purposes of names of licensors or - authors of the material; or - - e) Declining to grant rights under trademark law for use of some - trade names, trademarks, or service marks; or - - f) Requiring indemnification of licensors and authors of that - material by anyone who conveys the material (or modified versions of - it) with contractual assumptions of liability to the recipient, for - any liability that these contractual assumptions directly impose on - those licensors and authors. - - All other non-permissive additional terms are considered "further -restrictions" within the meaning of section 10. 
If the Program as you -received it, or any part of it, contains a notice stating that it is -governed by this License along with a term that is a further -restriction, you may remove that term. If a license document contains -a further restriction but permits relicensing or conveying under this -License, you may add to a covered work material governed by the terms -of that license document, provided that the further restriction does -not survive such relicensing or conveying. - - If you add terms to a covered work in accord with this section, you -must place, in the relevant source files, a statement of the -additional terms that apply to those files, or a notice indicating -where to find the applicable terms. - - Additional terms, permissive or non-permissive, may be stated in the -form of a separately written license, or stated as exceptions; -the above requirements apply either way. - - 8. Termination. - - You may not propagate or modify a covered work except as expressly -provided under this License. Any attempt otherwise to propagate or -modify it is void, and will automatically terminate your rights under -this License (including any patent licenses granted under the third -paragraph of section 11). - - However, if you cease all violation of this License, then your -license from a particular copyright holder is reinstated (a) -provisionally, unless and until the copyright holder explicitly and -finally terminates your license, and (b) permanently, if the copyright -holder fails to notify you of the violation by some reasonable means -prior to 60 days after the cessation. - - Moreover, your license from a particular copyright holder is -reinstated permanently if the copyright holder notifies you of the -violation by some reasonable means, this is the first time you have -received notice of violation of this License (for any work) from that -copyright holder, and you cure the violation prior to 30 days after -your receipt of the notice. 
- - Termination of your rights under this section does not terminate the -licenses of parties who have received copies or rights from you under -this License. If your rights have been terminated and not permanently -reinstated, you do not qualify to receive new licenses for the same -material under section 10. - - 9. Acceptance Not Required for Having Copies. - - You are not required to accept this License in order to receive or -run a copy of the Program. Ancillary propagation of a covered work -occurring solely as a consequence of using peer-to-peer transmission -to receive a copy likewise does not require acceptance. However, -nothing other than this License grants you permission to propagate or -modify any covered work. These actions infringe copyright if you do -not accept this License. Therefore, by modifying or propagating a -covered work, you indicate your acceptance of this License to do so. - - 10. Automatic Licensing of Downstream Recipients. - - Each time you convey a covered work, the recipient automatically -receives a license from the original licensors, to run, modify and -propagate that work, subject to this License. You are not responsible -for enforcing compliance by third parties with this License. - - An "entity transaction" is a transaction transferring control of an -organization, or substantially all assets of one, or subdividing an -organization, or merging organizations. If propagation of a covered -work results from an entity transaction, each party to that -transaction who receives a copy of the work also receives whatever -licenses to the work the party's predecessor in interest had or could -give under the previous paragraph, plus a right to possession of the -Corresponding Source of the work from the predecessor in interest, if -the predecessor has it or can get it with reasonable efforts. - - You may not impose any further restrictions on the exercise of the -rights granted or affirmed under this License. 
For example, you may -not impose a license fee, royalty, or other charge for exercise of -rights granted under this License, and you may not initiate litigation -(including a cross-claim or counterclaim in a lawsuit) alleging that -any patent claim is infringed by making, using, selling, offering for -sale, or importing the Program or any portion of it. - - 11. Patents. - - A "contributor" is a copyright holder who authorizes use under this -License of the Program or a work on which the Program is based. The -work thus licensed is called the contributor's "contributor version". - - A contributor's "essential patent claims" are all patent claims -owned or controlled by the contributor, whether already acquired or -hereafter acquired, that would be infringed by some manner, permitted -by this License, of making, using, or selling its contributor version, -but do not include claims that would be infringed only as a -consequence of further modification of the contributor version. For -purposes of this definition, "control" includes the right to grant -patent sublicenses in a manner consistent with the requirements of -this License. - - Each contributor grants you a non-exclusive, worldwide, royalty-free -patent license under the contributor's essential patent claims, to -make, use, sell, offer for sale, import and otherwise run, modify and -propagate the contents of its contributor version. - - In the following three paragraphs, a "patent license" is any express -agreement or commitment, however denominated, not to enforce a patent -(such as an express permission to practice a patent or covenant not to -sue for patent infringement). To "grant" such a patent license to a -party means to make such an agreement or commitment not to enforce a -patent against the party. 
- - If you convey a covered work, knowingly relying on a patent license, -and the Corresponding Source of the work is not available for anyone -to copy, free of charge and under the terms of this License, through a -publicly available network server or other readily accessible means, -then you must either (1) cause the Corresponding Source to be so -available, or (2) arrange to deprive yourself of the benefit of the -patent license for this particular work, or (3) arrange, in a manner -consistent with the requirements of this License, to extend the patent -license to downstream recipients. "Knowingly relying" means you have -actual knowledge that, but for the patent license, your conveying the -covered work in a country, or your recipient's use of the covered work -in a country, would infringe one or more identifiable patents in that -country that you have reason to believe are valid. - - If, pursuant to or in connection with a single transaction or -arrangement, you convey, or propagate by procuring conveyance of, a -covered work, and grant a patent license to some of the parties -receiving the covered work authorizing them to use, propagate, modify -or convey a specific copy of the covered work, then the patent license -you grant is automatically extended to all recipients of the covered -work and works based on it. - - A patent license is "discriminatory" if it does not include within -the scope of its coverage, prohibits the exercise of, or is -conditioned on the non-exercise of one or more of the rights that are -specifically granted under this License. 
You may not convey a covered -work if you are a party to an arrangement with a third party that is -in the business of distributing software, under which you make payment -to the third party based on the extent of your activity of conveying -the work, and under which the third party grants, to any of the -parties who would receive the covered work from you, a discriminatory -patent license (a) in connection with copies of the covered work -conveyed by you (or copies made from those copies), or (b) primarily -for and in connection with specific products or compilations that -contain the covered work, unless you entered into that arrangement, -or that patent license was granted, prior to 28 March 2007. - - Nothing in this License shall be construed as excluding or limiting -any implied license or other defenses to infringement that may -otherwise be available to you under applicable patent law. - - 12. No Surrender of Others' Freedom. - - If conditions are imposed on you (whether by court order, agreement or -otherwise) that contradict the conditions of this License, they do not -excuse you from the conditions of this License. If you cannot convey a -covered work so as to satisfy simultaneously your obligations under this -License and any other pertinent obligations, then as a consequence you may -not convey it at all. For example, if you agree to terms that obligate you -to collect a royalty for further conveying from those to whom you convey -the Program, the only way you could satisfy both those terms and this -License would be to refrain entirely from conveying the Program. - - 13. Use with the GNU Affero General Public License. - - Notwithstanding any other provision of this License, you have -permission to link or combine any covered work with a work licensed -under version 3 of the GNU Affero General Public License into a single -combined work, and to convey the resulting work. 
The terms of this -License will continue to apply to the part which is the covered work, -but the special requirements of the GNU Affero General Public License, -section 13, concerning interaction through a network will apply to the -combination as such. - - 14. Revised Versions of this License. - - The Free Software Foundation may publish revised and/or new versions of -the GNU General Public License from time to time. Such new versions will -be similar in spirit to the present version, but may differ in detail to -address new problems or concerns. - - Each version is given a distinguishing version number. If the -Program specifies that a certain numbered version of the GNU General -Public License "or any later version" applies to it, you have the -option of following the terms and conditions either of that numbered -version or of any later version published by the Free Software -Foundation. If the Program does not specify a version number of the -GNU General Public License, you may choose any version ever published -by the Free Software Foundation. - - If the Program specifies that a proxy can decide which future -versions of the GNU General Public License can be used, that proxy's -public statement of acceptance of a version permanently authorizes you -to choose that version for the Program. - - Later license versions may give you additional or different -permissions. However, no additional obligations are imposed on any -author or copyright holder as a result of your choosing to follow a -later version. - - 15. Disclaimer of Warranty. - - THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY -APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT -HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY -OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, -THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -PURPOSE. 
THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM -IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF -ALL NECESSARY SERVICING, REPAIR OR CORRECTION. - - 16. Limitation of Liability. - - IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING -WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS -THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY -GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE -USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF -DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD -PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), -EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF -SUCH DAMAGES. - - 17. Interpretation of Sections 15 and 16. - - If the disclaimer of warranty and limitation of liability provided -above cannot be given local legal effect according to their terms, -reviewing courts shall apply local law that most closely approximates -an absolute waiver of all civil liability in connection with the -Program, unless a warranty or assumption of liability accompanies a -copy of the Program in return for a fee. - - END OF TERMS AND CONDITIONS - - How to Apply These Terms to Your New Programs - - If you develop a new program, and you want it to be of the greatest -possible use to the public, the best way to achieve this is to make it -free software which everyone can redistribute and change under these terms. - - To do so, attach the following notices to the program. It is safest -to attach them to the start of each source file to most effectively -state the exclusion of warranty; and each file should have at least -the "copyright" line and a pointer to where the full notice is found. 
- - - Copyright (C) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . - -Also add information on how to contact you by electronic and paper mail. - - If the program does terminal interaction, make it output a short -notice like this when it starts in an interactive mode: - - Copyright (C) - This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. - This is free software, and you are welcome to redistribute it - under certain conditions; type `show c' for details. - -The hypothetical commands `show w' and `show c' should show the appropriate -parts of the General Public License. Of course, your program's commands -might be different; for a GUI interface, you would use an "about box". - - You should also get your employer (if you work as a programmer) or school, -if any, to sign a "copyright disclaimer" for the program, if necessary. -For more information on this, and how to apply and follow the GNU GPL, see -. - - The GNU General Public License does not permit incorporating your program -into proprietary programs. If your program is a subroutine library, you -may consider it more useful to permit linking proprietary applications with -the library. If this is what you want to do, use the GNU Lesser General -Public License instead of this License. But first, please read -. diff --git a/README.md b/README.md index ea335fb..ab0c69a 100644 --- a/README.md +++ b/README.md 
@@ -3,295 +3,588 @@ ## Kernel hardening This section is inspired by the Kernel Self Protection Project (KSPP). It -implements all recommended Linux kernel settings by the KSPP and many -more. +attempts to implement all recommended Linux kernel settings by the KSPP and +many more sources. -* https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project +- https://kspp.github.io/Recommended_Settings +- https://github.com/KSPP/kspp.github.io ### sysctl -sysctl settings are configured via the `/etc/sysctl.d/30_security-misc.conf` -configuration file. +sysctl settings are configured via the `/usr/lib/sysctl.d/990-security-misc.conf` +configuration file and significant hardening is applied to a myriad of components. -* A kernel pointer points to a specific location in kernel memory. These -can be very useful in exploiting the kernel so they are restricted to `CAP_SYSLOG`. +#### Kernel space -* The kernel logs are restricted to `CAP_SYSLOG` as they can often leak sensitive -information such as kernel pointers. +- Restrict access to kernel addresses through the use of kernel pointers regardless + of user privileges. -* The `ptrace()` system call is restricted to `CAP_SYS_PTRACE`. +- Restrict access to the kernel logs to `CAP_SYSLOG` as they often contain + sensitive information. -* eBPF is restricted to `CAP_BPF` (`CAP_SYS_ADMIN` on kernel versions prior -to 5.8) and JIT hardening techniques such as constant blinding are enabled. +- Prevent kernel information leaks in the console during boot. -* Restricts performance events to `CAP_PERFMON` (`CAP_SYS_ADMIN` on kernel -versions prior to 5.8). +- Restrict usage of `bpf()` to `CAP_BPF` to prevent the loading of BPF programs + by unprivileged users. -* Restricts loading line disciplines to `CAP_SYS_MODULE` to prevent unprivileged -attackers from loading vulnerable line disciplines with the `TIOCSETD` ioctl which -has been abused in a number of exploits before. +- Restrict loading TTY line disciplines to `CAP_SYS_MODULE`. 
-* Restricts the `userfaultfd()` syscall to `CAP_SYS_PTRACE` as `userfaultfd()` is -often abused to exploit use-after-free flaws. +- Restrict the `userfaultfd()` syscall to `CAP_SYS_PTRACE`, which reduces the + likelihood of use-after-free exploits. -* Kexec is disabled as it can be used to load a malicious kernel and gain -arbitrary code execution in kernel mode. +- Disable `kexec` as it can be used to replace the running kernel. -* Randomises the addresses for mmap base, heap, stack, and VDSO pages. +- Entirely disable the SysRq key so that the Secure Attention Key (SAK) + can no longer be utilized. See [documentation](https://www.kicksecure.com/wiki/SysRq). -* Prevents unintentional writes to attacker-controlled files. +- Optional - Disable all use of user namespaces. -* Prevents common symlink and hardlink TOCTOU races. +- Optional - Restrict user namespaces to `CAP_SYS_ADMIN` as they can lead to substantial + privilege escalation. -* Restricts the SysRq key so it can only be used for shutdowns and the -Secure Attention Key. +- Restrict kernel profiling and the performance events system to `CAP_PERFMON`. -* The kernel is only allowed to swap if it is absolutely necessary. This -prevents writing potentially sensitive contents of memory to disk. +- Force the kernel to panic on both "oopses", which can potentially indicate and thwart + certain kernel exploitation attempts, and also kernel warnings in the `WARN()` path. -* TCP timestamps are disabled as it can allow detecting the system time. +- Optional - Force immediate reboot on the occurrence of a single kernel panic and also + (when using Linux kernel >= 6.2) limit the number of allowed panics to one. -### mmap ASLR +- Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. 
-* The bits of entropy used for mmap ASLR are maxed out via -`/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of -`CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX` that -the kernel was built with), therefore improving its effectiveness. +- Disable asynchronous I/O (when using Linux kernel >= 6.6) as `io_uring` has been + the source of numerous kernel exploits. + +#### User space + +- Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it + enables programs to inspect and modify other active processes. Optional - Disable + usage of `ptrace()` by all processes. + +- Maximize the bits of entropy used for mmap ASLR across all CPU architectures. + +- Prevent hardlink and symlink TOCTOU races in world-writable directories. + +- Disallow unintentional writes to files in world-writable directories unless + they are owned by the directory owner to mitigate some data spoofing attacks. + +- Randomize the addresses (ASLR) for mmap base, stack, VDSO pages, and heap. + +- Raise the minimum address a process can request for memory mapping to 64KB to + protect against kernel null pointer dereference vulnerabilities. + +- Increase the maximum number of memory map areas a process is able to utilize to 1,048,576. + +- Optional - Disallow registering interpreters for various (miscellaneous) binary formats based + on a magic number or their file extension to prevent unintended code execution. + See issue: https://github.com/Kicksecure/security-misc/issues/267 + +#### Core dumps + +- Disable core dump files and prevent their creation. If core dump files are + enabled, they will be named based on `core.PID` instead of the default `core`. + +#### Swap space + +- Limit the copying of potentially sensitive content in memory to the swap device. + +#### Networking + +- Enable hardening of the BPF JIT compiler protect against JIT spraying. + +- Enable TCP SYN cookie protection to assist against SYN flood attacks. 
+ +- Protect against TCP time-wait assassination hazards. + +- Enable reverse path filtering (source validation) of packets received + from all interfaces to prevent IP spoofing. + +- Disable ICMP redirect acceptance and redirect sending messages to prevent + man-in-the-middle attacks and minimize information disclosure. + +- Deny sending and receiving shared media redirects to reduce the risk of IP + spoofing attacks. + +- Enable ARP filtering to mitigate some ARP spoofing and ARP cache poisoning attacks. + +- Respond to ARP requests only if the target IP address is on-link, + preventing some IP spoofing attacks. + +- Drop gratuitous ARP packets to prevent ARP cache poisoning via + man-in-the-middle and denial-of-service attacks. + +- Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks. + +- Ignore bogus ICMP error responses. + +- Disable source routing which allows users to redirect network traffic that + can result in man-in-the-middle attacks. + +- Do not accept IPv6 router advertisements and solicitations. + +- Optional - Disable SACK and DSACK as they have historically been a known + vector for exploitation. + +- Disable TCP timestamps as they can allow detecting the system time. + +- Optional - Log packets with impossible source or destination addresses to + enable further inspection and analysis. + +- Optional - Enable IPv6 Privacy Extensions. + +- Documentation: https://www.kicksecure.com/wiki/Networking ### Boot parameters -Boot parameters are outlined in configuration files located in the -`etc/default/grub.d/` directory. +Mitigations for known CPU vulnerabilities are enabled in their strictest form +and simultaneous multithreading (SMT) is disabled. See the +`/etc/default/grub.d/40_cpu_mitigations.cfg` configuration file. -* Slab merging is disabled which significantly increases the difficulty of -heap exploitation by preventing overwriting objects from merged caches and -by making it harder to influence slab cache layout. 
+Note, to achieve complete protection for known CPU vulnerabilities, the latest +security microcode (BIOS/UEFI) updates must be installed on the system. Furthermore, +if using Secure Boot, the Secure Boot Forbidden Signature Database (DBX) must be kept +up to date through [UEFI Revocation List](https://github.com/microsoft/secureboot_objects) updates. -* Memory zeroing at allocation and free time is enabled to mitigate some -use-after-free vulnerabilities and erase sensitive information in memory. +CPU mitigations: -* Page allocator freelist randomization is enabled. +- Disable Simultaneous Multithreading (SMT) -* Kernel Page Table Isolation is enabled to mitigate Meltdown and increase -KASLR effectiveness. +- Spectre Side Channels (BTI and BHI) -* vsyscalls are disabled as they are obsolete, are at fixed addresses and thus, -are a potential target for ROP. +- Speculative Store Bypass (SSB) -* The kernel panics on oopses to thwart certain kernel exploits. +- L1 Terminal Fault (L1TF) -* Enables randomisation of the kernel stack offset on syscall entries. +- Microarchitectural Data Sampling (MDS) -* All mitigations for known CPU vulnerabilities are enabled and SMT is -disabled. +- TSX Asynchronous Abort (TAA) -* IOMMU is enabled to prevent DMA attacks along with strict enforcement of IOMMU -TLB invalidation so devices will never be able to access stale data contents. +- iTLB Multihit -* Distrust the 'randomly' generated CPU and bootloader seeds. +- Special Register Buffer Data Sampling (SRBDS) -### Disables and blacklists kernel modules +- L1D Flushing -Certain kernel modules are disabled and blacklisted by default to reduce attack surface via the -`/etc/modprobe.d/30_security-misc.conf` configuration file. +- Processor MMIO Stale Data -* Deactivates Netfilter's connection tracking helper - this module -increases kernel attack surface by enabling superfluous functionality -such as IRC parsing in the kernel. Hence, this feature is disabled. 
+- Arbitrary Speculative Code Execution with Return Instructions (Retbleed) -* Bluetooth is disabled to reduce attack surface. Bluetooth has -a lengthy history of security concerns. +- Cross-Thread Return Address Predictions -* Thunderbolt and numerous FireWire kernel modules are also disabled as they are -often vulnerable to DMA attacks. +- Speculative Return Stack Overflow (SRSO) -* The MSR kernel module is disabled to prevent CPU MSRs from being -abused to write to arbitrary memory. +- Gather Data Sampling (GDS) -* Uncommon network protocols are blacklisted. This includes: +- Register File Data Sampling (RFDS) - DCCP - Datagram Congestion Control Protocol +Boot parameters relating to kernel hardening, DMA mitigations, and entropy +generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg` +configuration file. - SCTP - Stream Control Transmission Protocol +Kernel space: - RDS - Reliable Datagram Sockets +- Disable merging of slabs with similar size, which reduces the risk of + triggering heap overflows and limits influencing slab cache layout. - TIPC - Transparent Inter-process Communication +- Enable sanity checks and red zoning via slab debugging. This will implicitly + disable kernel pointer hashing, leaking very sensitive information to root. - HDLC - High-Level Data Link Control +- Enable memory zeroing at both allocation and free time, which mitigates some + use-after-free vulnerabilities by erasing sensitive information in memory. - AX25 - Amateur X.25 +- Enable the kernel page allocator to randomize free lists to limit some data + exfiltration and ROP attacks, especially during the early boot process. - NetRom +- Enable kernel page table isolation to increase KASLR effectiveness and also + mitigate the Meltdown CPU vulnerability. - X25 +- Enable randomization of the kernel stack offset on syscall entries to harden + against memory corruption attacks. 
- ROSE +- Disable vsyscalls as they are vulnerable to ROP attacks and have now been + replaced by vDSO. - DECnet +- Restrict access to debugfs by not registering the file system since it can + contain sensitive information. - Econet +- Force kernel panics on "oopses" to potentially indicate and thwart certain + kernel exploitation attempts. - af_802154 - IEEE 802.15.4 +- Optional - Modify the machine check exception handler. - IPX - Internetwork Packet Exchange +- Prevent sensitive kernel information leaks in the console during boot. - AppleTalk +- Enable the kernel Electric-Fence sampling-based memory safety error detector + which can identify heap out-of-bounds access, use-after-free, and invalid-free errors. - PSNAP - Subnetwork Access Protocol +- Disable 32-bit vDSO mappings as they are a legacy compatibility feature. - p8023 - Novell raw IEEE 802.3 +- Optional - Use kCFI as the default CFI implementation (when using Linux kernel >= 6.2) + since it may be slightly more resilient to attacks that are able to write + arbitrary executables in memory. - p8022 - IEEE 802.2 +- Optional - Disable support for all x86 processes and syscalls (when using Linux kernel >= 6.7) + to reduce attack surface. - CAN - Controller Area Network +- Disable the EFI persistent storage feature which prevents the kernel from writing crash logs + and other persistent data to either the UEFI variable storage or ACPI ERST backends. - ATM +Direct memory access: -* Disables a large array of uncommon file systems and network file systems that reduces the attack surface especially against legacy approaches. +- Enable strict IOMMU translation to protect against some DMA attacks via the use + of both CPU manufacturer-specific drivers and kernel settings. -* The vivid kernel module is only required for testing and has been the cause -of multiple vulnerabilities so it is disabled. 
+- Clear the busmaster bit on all PCI bridges during the EFI hand-off, which disables + DMA before the IOMMU is configured. May cause boot failure on certain hardware. -* Provides some disabling of the interface between the [Intel Management Engine (ME)](https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html) and the OS. +Entropy: -* Incorporates much of [Ubuntu's](https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d?h=ubuntu/disco) default blacklist of modules to be blocked from automatically loading. However, they are still permitted to load. +- Do not credit the CPU or bootloader as entropy sources at boot in order to + maximize the absolute quantity of entropy in the combined pool. -* Blocks automatic loading of the modules needed to use of CD-ROM devices by default. Not completely disabled yet. +- Obtain more entropy at boot from RAM as the runtime memory allocator is + being initialized. + +Networking: + +- Optional - Disable the entire IPv6 stack to reduce attack surface. + +### mmap ASLR + +- The bits of entropy used for mmap ASLR for all CPU architectures are maxed + out via `/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of + `CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX` + that the kernel was built with), therefore improving its effectiveness. + +### Kernel Self Protection Project (KSPP) compliance status + +**Summary:** + +`security-misc` is in full compliance with KSPP recommendations wherever feasible. However, +there are a few cases of partial or non-compliance due to technical limitations. + +* [KSPP Recommended Settings](https://kspp.github.io/Recommended_Settings) + +**Full compliance:** + +More than 30 kernel boot parameters and over 30 sysctl settings are fully aligned with +the KSPP's recommendations. + +**Partial compliance:** + +1. `sysctl kernel.yama.ptrace_scope=3` + +Completely disables `ptrace()`. Can be enabled easily if needed. 
+ +* [security-misc pull request #242](https://github.com/Kicksecure/security-misc/pull/242) + +2. `sysctl kernel.panic=-1` + +Forces an immediate reboot on kernel panic. This can be enabled, but it may lead to unexpected +system crashes. + +* [security-misc pull request #264](https://github.com/Kicksecure/security-misc/pull/264) +* [security-misc pull request #268](https://github.com/Kicksecure/security-misc/pull/268) + +**Non-compliance:** + +3. `sysctl user.max_user_namespaces=0` + +Disables user namespaces entirely. Not recommended due to the potential for widespread breakages. + +* [security-misc pull request #263](https://github.com/Kicksecure/security-misc/pull/263) + +4. `sysctl fs.binfmt_misc.status=0` + +Disables the registration of interpreters for miscellaneous binary formats. Currently not +feasible due to compatibility issues with Firefox. + +* [security-misc pull request #249](https://github.com/Kicksecure/security-misc/pull/249) +* [security-misc issue #267](https://github.com/Kicksecure/security-misc/issues/267) + +### Kernel Modules + +#### Kernel Module Signature Verification + +Not yet implemented due to issues: + +- https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/64 +- https://github.com/dell/dkms/issues/359 + +See: + +- `/etc/default/grub.d/40_signed_modules.cfg` + +#### Disables the loading of new modules to the kernel after the fact + +Not yet implemented due to issues: + +- https://github.com/Kicksecure/security-misc/pull/152 + +A systemd service dynamically sets the kernel parameter `modules_disabled` to 1, +preventing new modules from being loaded. Since this isn't configured directly +within systemctl, it does not break the loading of legitimate and necessary +modules for the user, like drivers etc., given they are plugged in on startup. 
+ +#### Blacklist and disable kernel modules + +Conntrack: Deactivates Netfilter's connection tracking helper module which +increases kernel attack surface by enabling superfluous functionality such +as IRC parsing in the kernel. See `/etc/modprobe.d/30_security-misc_conntrack.conf`. + +Certain kernel modules are blacklisted by default to reduce attack surface via +`/etc/modprobe.d/30_security-misc_blacklist.conf`. Blacklisting prevents kernel +modules from automatically starting. + +- CD-ROM/DVD: Blacklist modules required for CD-ROM/DVD devices. + +- Miscellaneous: Blacklist an assortment of other modules to prevent them from + automatically loading. + +Specific kernel modules are entirely disabled to reduce attack surface via +`/etc/modprobe.d/30_security-misc_disable.conf`. Disabling prohibits kernel +modules from starting. This approach should not be considered comprehensive; +rather, it is a form of badness enumeration. Any potential candidates for future +disabling should first be blacklisted for a suitable amount of time. + +Hardware modules: + +- Optional - Bluetooth: Disabled to reduce attack surface. + +- FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks. + +- GPS: Disable GPS-related modules such as those required for Global Navigation + Satellite Systems (GNSS). + +- Optional - Intel Management Engine (ME): Provides some disabling of the interface + between the Intel ME and the OS. May lead to breakages in places such as firmware + updates, security, power management, display, and DRM. See discussion: https://github.com/Kicksecure/security-misc/issues/239 + +- Intel Platform Monitoring Technology (PMT) Telemetry: Disable some functionality + of the Intel PMT components. + +- Thunderbolt: Disabled as they are often vulnerable to DMA attacks. + +File system modules: + +- File Systems: Disable uncommon and legacy file systems. + +- Network File Systems: Disable uncommon and legacy network file systems. 
+ +Networking modules: + +- Network Protocols: A wide array of uncommon and legacy network protocols and drivers + are disabled. + +Miscellaneous modules: + +- Amateur Radios: Disabled to reduce attack surface. + +- Optional - CPU MSRs: Disabled as can be abused to write to arbitrary memory. + +- Floppy Disks: Disabled to reduce attack surface. + +- Framebuffer (fbdev): Disabled as these drivers are well-known to be buggy, cause + kernel panics, and are generally only used by legacy devices. + +- Replaced Modules: Disabled legacy drivers that have been entirely replaced and + superseded by newer drivers. + +- Optional - USB Video Device Class: Disables the USB-based video streaming driver for + devices like some webcams and digital camcorders. + +- Vivid: Disabled to reduce attack surface given previous vulnerabilities. ### Other -* A systemd service clears the System.map file on boot as these contain kernel -pointers. The file is completely overwritten with zeroes to ensure it cannot -be recovered. See: +- A systemd service clears the System.map file on boot as these contain kernel + pointers. The file is completely overwritten with zeroes to ensure it cannot + be recovered. See: `/etc/kernel/postinst.d/30_remove-system-map` -`/lib/systemd/system/remove-system-map.service` +`/usr/lib/systemd/system/remove-system-map.service` `/usr/libexec/security-misc/remove-system.map` -* Coredumps are disabled as they may contain important information such as -encryption keys or passwords. See: +- Coredumps are disabled as they may contain important information such as + encryption keys or passwords. 
See: `/etc/security/limits.d/30_security-misc.conf` -`/etc/sysctl.d/30_security-misc.conf` +`/usr/lib/sysctl.d/30_security-misc.conf` -`/lib/systemd/coredump.conf.d/30_security-misc.conf` +`/usr/lib/systemd/coredump.conf.d/30_security-misc.conf` -* An initramfs hook sets the sysctl values in `/etc/sysctl.conf` and -`/etc/sysctl.d` before init is executed so sysctl hardening is enabled -as early as possible. This is implemented for `initramfs-tools` only because -this is not needed for `dracut` because `dracut` does that by default, at least -on `systemd` enabled systems. Not researched for non-`systemd` systems by the -author of this part of the readme. +- PStore is disabled as crash logs can contain sensitive system data such as + kernel version, hostname, and users. See: + + `/usr/lib/systemd/pstore.conf.d/30_security-misc.conf` + +- An initramfs hook sets the sysctl values in `/etc/sysctl.conf` and + `/etc/sysctl.d` before init is executed so sysctl hardening is enabled as + early as possible. This is implemented for `initramfs-tools` only because + this is not needed for `dracut` as `dracut` does that by default, at + least on `systemd` enabled systems. Not researched for non-`systemd` systems + by the author of this part of the readme. ## Network hardening -* TCP syncookies are enabled to prevent SYN flood attacks. +Not yet implemented due to issues: -* ICMP redirect acceptance, ICMP redirect sending, source routing and -IPv6 router advertisements are disabled to prevent man-in-the-middle attacks. +- https://github.com/Kicksecure/security-misc/pull/145 -* The kernel is configured to ignore all ICMP requests to avoid Smurf attacks, -make the device more difficult to enumerate on the network and prevent clock -fingerprinting through ICMP timestamps. +- https://github.com/Kicksecure/security-misc/issues/184 -* RFC1337 is enabled to protect against time-wait assassination attacks by -dropping RST packets for sockets in the time-wait state. 
+- Unlike version 4, IPv6 addresses can provide information not only about the + originating network but also the originating device. We prevent this from + happening by enabling the respective privacy extensions for IPv6. -* Reverse path filtering is enabled to prevent IP spoofing and mitigate -vulnerabilities such as CVE-2019-14899. +- In addition, we deny the capability to track the originating device in the + network at all, by using randomized MAC addresses per connection by + default. + +See: + +- `/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf` +- `/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf` +- `/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf` + +## Bluetooth Hardening + +### Bluetooth Status: Enabled but Defaulted to Off + +- **Default Behavior**: Although Bluetooth capability is 'enabled' in the kernel, + security-misc deviates from the usual behavior by starting with Bluetooth + turned off at system start. This setting remains until the user explicitly opts + to activate Bluetooth. + +- **User Control**: Users have the freedom to easily switch Bluetooth on and off + in the usual way, exercising their own discretion. This can be done via the + Bluetooth toggle through the usual way, that is either through GUI settings + application or command line commands. + +- **Enhanced Privacy Settings**: We enforce more private defaults for Bluetooth + connections. This includes the use of private addresses and strict timeout + settings for discoverability and visibility. + +- **Security Considerations**: Despite these measures, it's important to note that + Bluetooth technology, by its nature, may still be prone to exploits due to its + history of security vulnerabilities. Thus, we recommend users to opt-out of + using Bluetooth when possible. 
+ +### Configuration Details + +- See configuration: `/etc/bluetooth/30_security-misc.conf` +- For more information and discussion: [GitHub Pull Request](https://github.com/Kicksecure/security-misc/pull/145) + +### Understanding Bluetooth Terms + +- **Disabling Bluetooth**: This means the absence of the Bluetooth kernel module. + When disabled, Bluetooth is non-existent in the system - it cannot be seen, set, + configured, or interacted with in any way. + +- **Turning Bluetooth On/Off**: This refers to a software toggle. Normally, on + Debian systems, Bluetooth is 'on' when the system boots up. It actively searches + for known devices to auto-connect and may be discoverable or visible under certain + conditions. Our default ensures that Bluetooth is off on startup. However, it + remains 'enabled' in the kernel, meaning the kernel can use the Bluetooth protocol + and has the necessary modules. + +### Quick Toggle Guide + +- **Turning Bluetooth On**: Simply click the Bluetooth button in the settings + application or on the tray, and switch the toggle. It's a straightforward action + that can be completed in less than a second. + +- **Turning Bluetooth Off**: Follow the same procedure as turning it on but switch + the toggle to the off position. ## Entropy collection improvements -* The `jitterentropy_rng` kernel module is loaded as early as possible -during boot to gather more entropy via the -`/usr/lib/modules-load.d/30_security-misc.conf` configuration file. +- The `jitterentropy_rng` kernel module is loaded as early as possible during + boot to gather more entropy via the + `/usr/lib/modules-load.d/30_security-misc.conf` configuration file. -* Distrusts the CPU for initial entropy at boot as it is not possible to -audit, may contain weaknesses or a backdoor. For references, see: -`/etc/default/grub.d/40_distrust_cpu.cfg` +- Distrusts the CPU for initial entropy at boot as it is not possible to + audit, may contain weaknesses or a backdoor. 
Similarly, do not credit the + bootloader seed for initial entropy. For references, see: + `/etc/default/grub.d/40_kernel_hardening.cfg` -* Gathers more entropy during boot if using the linux-hardened kernel patch. +- Gathers more entropy during boot if using the linux-hardened kernel patch. ## Restrictive mount options +A systemd service is triggered on boot to remount all sensitive partitions and +directories with significantly more secure hardened mount options. Since this +would require manual tuning for a given specific system, we handle it by +creating a very solid configuration file for that very system on package +installation. + Not enabled by default yet. In development. Help welcome. -https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/ - -`/home`, `/tmp`, `/dev/shm` and `/run` are remounted with the `nosuid` and `nodev` -mount options to prevent execution of setuid or setgid binaries and creation of -devices on those filesystems. - -Optionally, they can also be mounted with `noexec` to prevent execution of any -binary. To opt-in to applying `noexec`, execute `touch /etc/noexec` as root -and reboot. - -To disable this, execute `touch /etc/remount-disable` as root. - -Alternatively, file `/usr/local/etc/remount-disable` or `/usr/local/etc/noexec` -could be used. +- https://www.kicksecure.com/wiki/Dev/remount-secure +- https://github.com/Kicksecure/security-misc/issues/157 +- https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/ ## Root access restrictions -* `su` is restricted to only users within the group `sudo` which prevents -users from using `su` to gain root access or to switch user accounts - -`/usr/share/pam-configs/wheel-security-misc` -(which results in a change in file `/etc/pam.d/common-auth`). 
+- `su` is restricted to only users within the group `sudo` which prevents + users from using `su` to gain root access or to switch user accounts - + `/usr/share/pam-configs/wheel-security-misc` (which results in a change in + file `/etc/pam.d/common-auth`). -* Add user `root` to group `sudo`. This is required due to the above restriction so -that logging in from a virtual console is still possible - `debian/security-misc.postinst` +- Add user `root` to group `sudo`. This is required due to the above + restriction so that logging in from a virtual console is still possible - + `debian/security-misc.postinst` -* Abort login for users with locked passwords - -`/usr/libexec/security-misc/pam-abort-on-locked-password`. +- Abort login for users with locked passwords - + `/usr/libexec/security-misc/pam-abort-on-locked-password`. -* Logging into the root account from a virtual, serial, whatnot console is -prevented by shipping an existing and empty `/etc/securetty` file -(deletion of `/etc/securetty` has a different effect). +- Logging into the root account from a virtual, serial, or other console is + prevented by shipping an existing and empty `/etc/securetty` file (deletion + of `/etc/securetty` has a different effect). -This package does not yet automatically lock the root account password. It -is not clear if this would be sane in such a package although, it is recommended -to lock and expire the root account. +This package does not yet automatically lock the root account password. It is +not clear if this would be sane in such a package, although it is recommended to +lock and expire the root account. -In new Kicksecure builds, root account will be locked by package +In new Kicksecure builds, the root account will be locked by package dist-base-files. 
See: -* https://www.kicksecure.com/wiki/Root -* https://www.kicksecure.com/wiki/Dev/Permissions -* https://forums.whonix.org/t/restrict-root-access/7658 +- https://www.kicksecure.com/wiki/Root +- https://www.kicksecure.com/wiki/Dev/Permissions +- https://forums.whonix.org/t/restrict-root-access/7658 However, a locked root password will break rescue and emergency shell. -Therefore, this package enables passwordless rescue and emergency shell. -This is the same solution that Debian will likely adapt for Debian -installer: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211 +Therefore, this package enables passwordless rescue and emergency shell. This is +the same solution that Debian will likely adopt for the Debian installer: +https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211 See: -* `/etc/systemd/system/emergency.service.d/override.conf` -* `/etc/systemd/system/rescue.service.d/override.conf` +- `/etc/systemd/system/emergency.service.d/override.conf` +- `/etc/systemd/system/rescue.service.d/override.conf` Adverse security effects can be prevented by setting up BIOS password -protection, GRUB password protection and/or full disk encryption. +protection, GRUB password protection, and/or full disk encryption. ## Console lockdown -This uses pam_access to allow members of group `console` to use console but +This uses pam_access to allow members of group `console` to use the console but restrict everyone else (except members of group `console-unrestricted`) from -using console with ancient, unpopular login methods such as `/bin/login` -over networks as this might be exploitable. (CVE-2001-0797) +using the console with ancient, unpopular login methods such as `/bin/login` over +networks as this might be exploitable. (CVE-2001-0797) -This is not enabled by default in this package since this package does not -know which users shall be added to group 'console' and thus, would break console. 
+This is not enabled by default in this package since this package does not know +which users should be added to group 'console' and thus, would break console access. See: -* `/usr/share/pam-configs/console-lockdown-security-misc` -* `/etc/security/access-security-misc.conf` +- `/usr/share/pam-configs/console-lockdown-security-misc` +- `/etc/security/access-security-misc.conf` ## Brute force attack protection 
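Review bot: in the Network hardening part of this hunk, the new lead line "Not yet implemented due to issues:" with its two links is immediately followed by bullets describing IPv6 privacy extensions and per-connection MAC randomization, complete with config paths under `/usr/lib/NetworkManager/conf.d/` and `/usr/lib/systemd/networkd.conf.d/`, so a reader cannot tell which of the two is actually shipped. Suggest stating that the sysctl-based items removed here (TCP syncookies, ICMP handling, RFC1337, reverse path filtering) are what is pending, and that the IPv6 privacy and MAC randomization settings are active. In the same hunk, the Restrictive mount options rewrite drops the documented opt-in and opt-out toggles (`touch /etc/noexec`, `touch /etc/remount-disable` and the `/usr/local/etc/` variants) without saying whether they still exist, and "creating a very solid configuration file for that very system" names no file; either keep the toggle documentation or point at the wiki page for the current mechanism, and name the generated file.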
@@ -299,54 +592,108 @@ User accounts are locked after 50 failed login attempts using `pam_faillock`. Informational output during Linux PAM: -* Show failed and remaining password attempts. -* Document unlock procedure if Linux user account got locked. -* Point out that there is no password feedback for `su`. -* Explain locked root account if locked. +- Show failed and remaining password attempts. +- Document unlock procedure if Linux user account got locked. +- Point out that there is no password feedback for `su`. +- Explain locked root account if locked. See: -* `/usr/share/pam-configs/tally2-security-misc` -* `/usr/libexec/security-misc/pam-info` -* `/usr/libexec/security-misc/pam-abort-on-locked-password` +- `/usr/share/pam-configs/tally2-security-misc` +- `/usr/libexec/security-misc/pam-info` +- `/usr/libexec/security-misc/pam-abort-on-locked-password` ## Access rights restrictions ### Strong user account separation -Read, write and execute access for "others" are removed during package -installation, upgrade or PAM `mkhomedir` for all users who have home -folders in `/home` by running, for example: +#### Permission Lockdown + +Read, write, and execute access for "others" are removed during package +installation, upgrade, or PAM `mkhomedir` for all users who have home folders in +`/home` by running, for example: ``` chmod o-rwx /home/user ``` -This will be done only once per folder in `/home` so users who wish to -relax file permissions are free to do so. This is to protect files in a -home folder that were previously created with lax file permissions prior -to the installation of this package. +This will be done only once per folder in `/home` so users who wish to relax +file permissions are free to do so. This is to protect files in a home folder +that were previously created with lax file permissions prior to the installation +of this package. 
See: -* `debian/security-misc.postinst` -* `/usr/libexec/security-misc/permission-lockdown` -* `/usr/share/pam-configs/mkhomedir-security-misc` +- `debian/security-misc.postinst` +- `/usr/libexec/security-misc/permission-lockdown` +- `/usr/share/pam-configs/mkhomedir-security-misc` + +#### umask + +The default `umask` is set to `027` for files created by non-root users, such +as the account `user`. + +This is done using the PAM module `pam_mkhomedir.so umask=027`. + +This configuration ensures that files created by non-root users cannot be read +by other non-root users by default. While Permission Lockdown already protects +the `/home` folder, this setting extends protection to other folders such as +`/tmp`. + +`group` read permissions are not removed. This is unnecessary due to Debian's +use of User Private Groups (UPGs). See also: +https://wiki.debian.org/UserPrivateGroups + +The default `umask` is unchanged for root because configuration files created +in `/etc` by the system administrator would otherwise be unreadable by +"others," potentially breaking applications. Examples include `/etc/firefox-esr` +and `/etc/thunderbird`. Additionally, the `umask` is set to `022` via `sudoers` +configuration, ensuring that files created as root are world-readable, even +when using commands such as `sudo vi /etc/file` or `sudo -i; touch /etc/file`. + +When using `sudo`, the `umask` is set to `022` rather than `027` to ensure +compatibility with commands such as `sudo vi /etc/configfile` and +`sudo -i; touch /etc/file`. + +See: + +- `/usr/share/pam-configs/umask-security-misc` ### SUID / SGID removal and permission hardening -Not enabled by default yet. +#### SUID / SGID removal -A systemd service removes SUID / SGID bits from non-essential binaries as -these are often used in privilege escalation attacks. It is disabled by -default for now during testing and can optionally be enabled by running -`systemctl enable permission-hardening.service` as root. 
+A systemd service removes SUID / SGID bits from non-essential binaries as these +are often used in privilege escalation attacks. + +#### File permission hardening + +Various file permissions are reset with more secure and hardened defaults. These +include but are not limited to: + +- Limiting `/home` and `/root` to the root only. +- Limiting crontab to root as well as all the configuration files for cron. +- Limiting the configuration for cups and ssh. +- Protecting the information of sudoers from others. +- Protecting various system-relevant files and modules. + +##### permission-hardener + +`permission-hardener` removes SUID / SGID bits from non-essential binaries as +these are often used in privilege escalation attacks. It is enabled by default +and applied at security-misc package installation and upgrade time. + +There is also an optional systemd unit which does the same at boot time that +can be enabled by running `systemctl enable permission-hardener.service` as +root. The hardening at boot time is not the default because this slows down +the boot process too much. See: -* `/usr/libexec/security-misc/permission-hardening` -* `/lib/systemd/system/permission-hardening.service` -* `/etc/permission-hardening.d` +* `/usr/bin/permission-hardener` +* `debian/security-misc.postinst` +* `/lib/systemd/system/permission-hardener.service` +* `/etc/permission-hardener.d` * https://forums.whonix.org/t/disable-suid-binaries/7706 * https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener 
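Review bot: in the new umask subsection, the sentence "This is done using the PAM module `pam_mkhomedir.so umask=027`." attributes the session umask to pam_mkhomedir, whose `umask=` option only governs the mode used when the home directory is created; the login-session umask is set by `pam_umask.so`, which is presumably what a file named `/usr/share/pam-configs/umask-security-misc` configures. Please check the module name against that file and correct the text. Also, the two paragraphs about `sudo` forcing umask `022` say the same thing twice (both cite `sudo vi /etc/file` and `sudo -i; touch /etc/file`); merge them. Finally, the `permission-hardener` subsection repeats the "removes SUID / SGID bits from non-essential binaries" sentence verbatim from the "SUID / SGID removal" subsection two headings above it while being nested under "File permission hardening", and its See list still uses `*` bullets although the rest of the file was converted to `-` in this patch.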
@@ -365,56 +712,117 @@ See: ## Application-specific hardening -* Enables "`apt-get --error-on=any`" which makes apt exit non-zero for - transient failures. - `/etc/apt/apt.conf.d/40error-on-any`. -* Enables APT seccomp-BPF sandboxing - `/etc/apt/apt.conf.d/40sandbox`. -* Deactivates previews in Dolphin. -* Deactivates previews in Nautilus - -`/usr/share/glib-2.0/schemas/30_security-misc.gschema.override`. -* Deactivates thumbnails in Thunar. -* Displays domain names in punycode (`network.IDN_show_punycode`) in -Thunderbird to prevent IDN homograph attacks (a form of phishing). -* Security and privacy enhancements for gnupg's config file -`/etc/skel/.gnupg/gpg.conf`. See also: +- Enables "`apt-get --error-on=any`" which makes apt exit non-zero for + transient failures. - `/etc/apt/apt.conf.d/40error-on-any`. +- Enables APT seccomp-BPF sandboxing - `/etc/apt/apt.conf.d/40sandbox`. +- Deactivates previews in Dolphin. +- Deactivates previews in Nautilus - + `/usr/share/glib-2.0/schemas/30_security-misc.gschema.override`. +- Deactivates thumbnails in Thunar. + - Rationale: lower attack surface when using the file manager + - https://forums.whonix.org/t/disable-preview-in-file-manager-by-default/18904 +- Thunderbird is hardened with the following options: + - Displays domain names in punycode to prevent IDN homograph attacks (a + form of phishing). + - Strips email client information from sent email headers. + - Strips user time information from sent email headers by replacing the + originating time zone with UTC and rounding the timestamp to the nearest + minute. + - Disables scripting when viewing PDF files. + - Disables implicit outgoing connections. + - Disables all and any kind of telemetry. +- Security and privacy enhancements for gnupg's config file + `/etc/skel/.gnupg/gpg.conf`. 
See also: + - https://raw.github.com/ioerror/torbirdy/master/gpg.conf + - https://github.com/ioerror/torbirdy/pull/11 -https://raw.github.com/ioerror/torbirdy/master/gpg.conf +### Project scope of application-specific hardening -https://github.com/ioerror/torbirdy/pull/11 +Added in December 2023. + +Before sending pull requests to harden arbitrary applications, please note the +scope of security-misc is limited to default installed applications in +Kicksecure and Whonix. This includes: + +- Thunderbird, VLC Media Player, KeePassXC +- Debian Specific System Components (APT, DPKG) +- System Services (NetworkManager IPv6 privacy options, MAC address + randomization) +- Actually used development utilities such as `git`. + +It will not be possible to review and merge "1500" settings profiles for +arbitrary applications outside of this context. + +The main objective of security-misc is to harden Kicksecure and its derivatives, +such as Whonix, by implementing robust security settings. It's designed to be +compatible with Debian, reflecting a commitment to clean implementation and +sound design principles. However, it's important to note that security-misc is a +component of Kicksecure, not a substitute for it. The intention isn't to +recreate Kicksecure within security-misc. Instead, specific security +enhancements, like recommending a curated list of security-focused +default packages (e.g., `libpam-tmpdir`), should be integrated directly into +those appropriate areas of Kicksecure (e.g. `kicksecure-meta-packages`). + +Discussion: https://github.com/Kicksecure/security-misc/issues/154 + +### Development philosophy + +Added in December 2023. + +Maintainability is a key priority \[1\]. Before modifying settings in the +downstream security-misc, it's essential to first engage with upstream +developers to propose these changes as defaults. This step should only be +bypassed if there's a clear, prior indication from upstream that such changes +won't be accepted. 
Additionally, before implementing any workarounds, consulting +with upstream is necessary to avoid future unmaintainable complexity. + +If debugging features are disabled, pull requests won't be merged until there is +a corresponding pull request for the debug-misc package to re-enable these. This +is to avoid configuring the system into a corner where it can no longer be +debugged. + +\[1\] https://www.kicksecure.com/wiki/Dev/maintainability ## Opt-in hardening Some hardening is opt-in as it causes too much breakage to be enabled by default. -* An optional systemd service mounts `/proc` with `hidepid=2` at boot to -prevent users from seeing another user's processes. This is disabled by -default because it is incompatible with `pkexec`. It can be enabled by -executing `systemctl enable proc-hidepid.service` as root. +- An optional systemd service mounts `/proc` with `hidepid=2` at boot to + prevent users from seeing another user's processes. This is disabled by + default because it is incompatible with `pkexec`. It can be enabled by + executing `systemctl enable proc-hidepid.service` as root. -* A systemd service restricts `/proc/cpuinfo`, `/proc/bus`, `/proc/scsi` and -`/sys` to the root user. This hides a lot of hardware identifiers from -unprivileged users and increases security as `/sys` exposes a lot of -information that shouldn't be accessible to unprivileged users. As this will -break many things, it is disabled by default and can optionally be enabled by -executing `systemctl enable hide-hardware-info.service` as root. +- A systemd service restricts `/proc/cpuinfo`, `/proc/bus`, `/proc/scsi`, and + `/sys` to the root user. This hides a lot of hardware identifiers from + unprivileged users and increases security as `/sys` exposes a lot of + information that shouldn't be accessible to unprivileged users. 
As this will + break many things, it is disabled by default and can optionally be enabled + by executing `systemctl enable hide-hardware-info.service` as root. -## miscellaneous +## Miscellaneous -* hardened malloc compatibility for haveged workaround -`/lib/systemd/system/haveged.service.d/30_security-misc.conf` +- Hardened malloc compatibility for haveged workaround + `/lib/systemd/system/haveged.service.d/30_security-misc.conf` -* set `dracut` `reproducible=yes` setting +- Set `dracut` `reproducible=yes` setting + +## Legal + +`/usr/lib/issue.d/20_security-misc.issue` + +https://github.com/Kicksecure/security-misc/pull/167 ## Related -* Linux Kernel Runtime Guard (LKRG) -* tirdad - TCP ISN CPU Information Leak Protection. -* Kicksecure (TM) - a security-hardened Linux Distribution -* And more. -* https://www.kicksecure.com/wiki/Linux_Kernel_Runtime_Guard_LKRG -* https://github.com/Kicksecure/tirdad -* https://www.kicksecure.com -* https://github.com/Kicksecure +- Linux Kernel Runtime Guard (LKRG) +- tirdad - TCP ISN CPU Information Leak Protection. +- Kicksecure (TM) - a security-hardened Linux Distribution +- And more. +- https://www.kicksecure.com/wiki/Linux_Kernel_Runtime_Guard_LKRG +- https://github.com/Kicksecure/tirdad +- https://www.kicksecure.com +- https://github.com/Kicksecure ## Discussion 
@@ -430,20 +838,23 @@ See https://www.kicksecure.com/wiki/Security-misc#install Can be build using standard Debian package build tools such as: -``` -dpkg-buildpackage -b -``` + dpkg-buildpackage -b -See instructions. (Replace `generic-package` with the actual name of this package `security-misc`.) +See instructions. (Replace `generic-package` with the actual name of this +package `security-misc`.) -* **A)** [easy](https://www.kicksecure.com/wiki/Dev/Build_Documentation/generic-package/easy), _OR_ -* **B)** [including verifying software signatures](https://www.kicksecure.com/wiki/Dev/Build_Documentation/generic-package) +- **A)** + [easy](https://www.kicksecure.com/wiki/Dev/Build_Documentation/generic-package/easy), + *OR* +- **B)** [including verifying software + signatures](https://www.kicksecure.com/wiki/Dev/Build_Documentation/generic-package) ## Contact -* [Free Forum Support](https://forums.kicksecure.com) -* [Professional Support](https://www.kicksecure.com/wiki/Professional_Support) +- [Free Forum Support](https://forums.kicksecure.com) +- [Professional Support](https://www.kicksecure.com/wiki/Professional_Support) ## Donate -`security-misc` requires [donations](https://www.kicksecure.com/wiki/Donate) to stay alive! +`security-misc` requires [donations](https://www.kicksecure.com/wiki/Donate) to +stay alive! diff --git a/README_generic.md b/README_generic.md index e5c0e76..787af72 100644 --- a/README_generic.md +++ b/README_generic.md @@ -1,8 +1,8 @@ # Enhances Miscellaneous Security Settings # -https://github.com/Whonix/security-misc/blob/master/README.md +https://github.com/Kicksecure/security-misc/blob/master/README.md -https://www.whonix.org/wiki/Security-misc +https://www.kicksecure.com/wiki/Security-misc Discussion: diff --git a/bin/disabled-bluetooth-by-security-misc b/bin/disabled-bluetooth-by-security-misc deleted file mode 100755 index 55b1e63..0000000 --- a/bin/disabled-bluetooth-by-security-misc +++ /dev/null 
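Review bot: the build instructions replace the fenced block with an indented one (`    dpkg-buildpackage -b`), while the `chmod o-rwx /home/user` example earlier in this same patch keeps its triple-backtick fence; pick one code-block style for the README. Both render, but mixing them invites the next edit to be inconsistent as well.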
@@ -1,10 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Alerts the user that a kernel module failed to load due to it being blacklisted by default. - -echo "$0: ERROR: This bluetooth kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 - -exit 1 diff --git a/bin/disabled-cdrom-by-security-misc b/bin/disabled-cdrom-by-security-misc deleted file mode 100755 index 9efd765..0000000 --- a/bin/disabled-cdrom-by-security-misc +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Alerts the user that a kernel module failed to load due to it being blacklisted by default. - -echo "$0: ERROR: This CD-ROM kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 - -exit 1 diff --git a/bin/disabled-filesys-by-security-misc b/bin/disabled-filesys-by-security-misc deleted file mode 100755 index 50dd638..0000000 --- a/bin/disabled-filesys-by-security-misc +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Alerts the user that a kernel module failed to load due to it being blacklisted by default. - -echo "$0: ERROR: This file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 - -exit 1 diff --git a/bin/disabled-firewire-by-security-misc b/bin/disabled-firewire-by-security-misc deleted file mode 100755 index ca04ab1..0000000 --- a/bin/disabled-firewire-by-security-misc +++ /dev/null 
@@ -1,10 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Alerts the user that a kernel module failed to load due to it being blacklisted by default. - -echo "$0: ERROR: This firewire kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 - -exit 1 diff --git a/bin/disabled-intelme-by-security-misc b/bin/disabled-intelme-by-security-misc deleted file mode 100755 index 108cc81..0000000 --- a/bin/disabled-intelme-by-security-misc +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Alerts the user that a kernel module failed to load due to it being blacklisted by default. - -echo "$0: ERROR: This Intel Management Engine (ME) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 - -exit 1 diff --git a/bin/disabled-msr-by-security-misc b/bin/disabled-msr-by-security-misc deleted file mode 100755 index 2c5e6e1..0000000 --- a/bin/disabled-msr-by-security-misc +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Alerts the user that a kernel module failed to load due to it being blacklisted by default. - -echo "$0: ERROR: This CPU MSR kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 - -exit 1 diff --git a/bin/disabled-netfilesys-by-security-misc b/bin/disabled-netfilesys-by-security-misc deleted file mode 100755 index 5c15b39..0000000 --- a/bin/disabled-netfilesys-by-security-misc +++ /dev/null 
@@ -1,10 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Alerts the user that a kernel module failed to load due to it being blacklisted by default. - -echo "$0: ERROR: This network file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 - -exit 1 diff --git a/bin/disabled-network-by-security-misc b/bin/disabled-network-by-security-misc deleted file mode 100755 index d2ae58c..0000000 --- a/bin/disabled-network-by-security-misc +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Alerts the user that a kernel module failed to load due to it being blacklisted by default. - -echo "$0: ERROR: This network protocol kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 - -exit 1 diff --git a/bin/disabled-thunderbolt-by-security-misc b/bin/disabled-thunderbolt-by-security-misc deleted file mode 100755 index e086d4a..0000000 --- a/bin/disabled-thunderbolt-by-security-misc +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Alerts the user that a kernel module failed to load due to it being blacklisted by default. - -echo "$0: ERROR: This thunderbolt kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 - -exit 1 diff --git a/bin/disabled-vivid-by-security-misc b/bin/disabled-vivid-by-security-misc deleted file mode 100755 index ed1487f..0000000 --- a/bin/disabled-vivid-by-security-misc +++ /dev/null 
@@ -1,10 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Alerts the user that a kernel module failed to load due to it being blacklisted by default. - -echo "$0: ERROR: This vivid kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 - -exit 1 diff --git a/changelog.upstream b/changelog.upstream index cc00b01..fb9687f 100644 --- a/changelog.upstream +++ b/changelog.upstream 
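Review bot: the ten deleted `bin/disabled-*-by-security-misc` scripts describe themselves as what runs when a load of a blacklisted module is attempted, and every one of them points the user at `/etc/modprobe.d/30_security-misc.conf`. The corresponding change to that modprobe configuration is not part of this diff, so confirm that no `install` directive still references these script paths; otherwise a module-load attempt would fail with a command-not-found error instead of the explanatory message, and the README should say where that explanation now lives.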
@@ -1,3 +1,7173 @@ +commit b06fb5428051518390439ce95c9d6894e6338951 +Merge: 115b6f6 468cf40 +Author: Patrick Schleizer +Date: Wed Jul 2 13:47:12 2025 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 468cf40e2a216625d02066b609b0991e37c50ebc +Merge: 865a052 bb208fb +Author: Patrick Schleizer +Date: Wed Jul 2 13:45:28 2025 -0400 + + Merge pull request #306 from raja-grewal/erst + + Set `erst_disable` + +commit 865a052bf47f28c0084b2bbd51e3c606df9eda96 +Merge: 115b6f6 e3c4519 +Author: Patrick Schleizer +Date: Wed Jul 2 13:44:17 2025 -0400 + + Merge pull request #309 from RebornRider/patch-1 + + remove TemporaryTimeout=0 in Bluetooth config + +commit bb208fb134fe25fc3539494f331072a851369064 +Merge: 4314b1e 115b6f6 +Author: raja-grewal +Date: Wed Jul 2 11:35:50 2025 +1000 + + Merge branch 'Kicksecure:master' into erst + +commit 4314b1e85bd5495832b4398bdbd358c41703dcc9 +Author: raja-grewal +Date: Tue Jul 1 13:36:39 2025 +1000 + + Add comment + +commit e3c451917931aa4e63056fb03470c203694d399f +Author: Kevin Agwaze <7119346+RebornRider@users.noreply.github.com> +Date: Mon Jun 16 10:35:16 2025 +0100 + + remove misleading TemporaryTimeout=0 in Bluetooth config + +commit 115b6f6aa2a4d00ad5690c2c0889e142540c01ca +Author: Patrick Schleizer +Date: Sat Jun 14 11:51:44 2025 +0000 + + bumped changelog version + +commit 4639d1aab572bb4ad751bd1da5b936b9d73d3264 +Merge: 5159de6 109c013 +Author: Patrick Schleizer +Date: Fri Jun 13 15:09:52 2025 -0400 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/approx' + +commit 109c0134677d991c449aa009773cb22babeee8db +Author: Aaron Rainbolt +Date: Thu Jun 12 01:08:34 2025 -0500 + + Add comment related to approx package caching proxy + +commit 72613203b9692d1098b13ff98119499a5a30a6da +Author: raja-grewal +Date: Fri Jun 6 13:07:52 2025 +0000 + + Add reference + +commit dd0b55cc45f9ccd64d0075ba37ab6a4723d94a02 +Author: raja-grewal +Date: Tue Jun 3 12:32:17 2025 +1000 + + Add reference + +commit 
5159de63438e8c1274658e7175a80fb693d6554a +Author: Patrick Schleizer +Date: Wed May 28 13:48:11 2025 +0000 + + bumped changelog version + +commit 3e102df76583a14b5efc18238aefbf539ab0d8a1 +Author: Patrick Schleizer +Date: Wed May 28 08:37:03 2025 -0400 + + fix + +commit d5edc243ac2db861f1600d3906a02494eaf9a824 +Author: Patrick Schleizer +Date: Wed May 28 12:12:00 2025 +0000 + + bumped changelog version + +commit eda1d0aef640af1ea73c72d6caa876733de4e5a0 +Merge: e966774 5a10ad0 +Author: Patrick Schleizer +Date: Wed May 28 07:22:16 2025 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 5a10ad031d67acc8fa4c16f9e2db191bde559caa +Merge: e966774 3559bc8 +Author: Patrick Schleizer +Date: Wed May 28 07:21:31 2025 -0400 + + Merge pull request #307 from maybebyte/ssh-agent-to-allowlist + + fix(permission-hardener): ssh-agent gets 2755 perms + +commit 3559bc86b7aed8122ff7996ce0ab4a65bdaf05c0 +Author: Ashlen +Date: Tue May 27 15:32:41 2025 -0600 + + fix(permission-hardener): ssh-agent gets 2755 perms + + Change from exactwhitelist to matchwhitelist. Discussion revealed that + there's a good reason to leave setgid in here, which is essentially + defense-in-depth (sometimes users may want to revert Kicksecure's + default of kernel.yama.ptrace_scope=2, e.g. to debug a program, and + Kicksecure should not be less secure than vanilla Debian in that + situation). 
+ +commit c59b2e4bc53cad4c9cc90ddd5abaca0705ccff90 +Merge: 017ee29 e966774 +Author: maybebyte <99762926+maybebyte@users.noreply.github.com> +Date: Tue May 27 20:33:07 2025 +0000 + + Merge branch 'Kicksecure:master' into ssh-agent-to-allowlist + +commit e96677486201ebddc145af7962ad5e89f6fa253b +Author: Patrick Schleizer +Date: Tue May 27 19:41:25 2025 +0000 + + bumped changelog version + +commit 017ee29eb39d84edc89f128a633a619cad852241 +Merge: 7a079c3 abb2207 +Author: maybebyte <99762926+maybebyte@users.noreply.github.com> +Date: Tue May 27 18:25:47 2025 +0000 + + Merge branch 'Kicksecure:master' into ssh-agent-to-allowlist + +commit 5195977be474e29a29b6392306e909e9f2d05ada +Author: Patrick Schleizer +Date: Tue May 27 11:57:21 2025 -0400 + + protect against grep pipefail + +commit abb2207313810966dad381c3a9f637c445a5834d +Author: Patrick Schleizer +Date: Tue May 27 15:51:50 2025 +0000 + + bumped changelog version + +commit 45016146f7c77d383f2254d19dc66ba9b883b8f2 +Merge: ace45d7 395169f +Author: Patrick Schleizer +Date: Tue May 27 11:03:23 2025 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 395169fbce1854bfed727d1784f4e5c0d8e7c6ff +Merge: ace45d7 e14b81b +Author: Patrick Schleizer +Date: Tue May 27 10:58:50 2025 -0400 + + Merge pull request #308 from maybebyte/permission-hardener-speedboost + + perf(permission-hardener): optimize string match + +commit 1c353032046f556bb11c32506019310c9f6d47c0 +Merge: 35fa32e ace45d7 +Author: raja-grewal +Date: Fri May 23 20:20:19 2025 +1000 + + Merge branch 'Kicksecure:master' into erst + +commit ace45d7c95ed6b83c1897f76da5af4a0c97cab10 +Author: Patrick Schleizer +Date: Wed May 21 22:06:02 2025 +0000 + + bumped changelog version + +commit 142ea2118989faddafa17db48efed379c4ac3f45 +Author: Patrick Schleizer +Date: Wed May 21 12:42:16 2025 -0400 + + fix + +commit a969fa350e28ca296966509821a7c62b68f09a5a +Author: Patrick Schleizer +Date: Wed May 21 12:40:27 2025 -0400 + + fix + +commit 
f023651c984c52a997bc241f99f118255cf60809 +Author: Patrick Schleizer +Date: Wed May 21 12:35:37 2025 -0400 + + nounset + +commit f086787464191a07e028dd92649c48b145023858 +Author: Patrick Schleizer +Date: Wed May 21 12:35:23 2025 -0400 + + fix + +commit d7643954d184846c8b7fb5eda7200779126274eb +Author: Patrick Schleizer +Date: Wed May 21 12:33:50 2025 -0400 + + minor + +commit aa905fc8875c5c56351f10f4e40e6d2a7dd6d918 +Author: Patrick Schleizer +Date: Wed May 21 12:32:16 2025 -0400 + + further validation of output of `faillock` + +commit 92d3a36a0f43615db622c6b0daa7064b8e8ebbbb +Author: Patrick Schleizer +Date: Wed May 21 12:29:01 2025 -0400 + + fix + +commit 2c1abb23e03cfe449347ba692d35f5ba1f33cff4 +Author: Patrick Schleizer +Date: Wed May 21 12:26:46 2025 -0400 + + output + +commit 0801b96ae74256f36dcf8757d0ba8abc66ea0b9b +Author: Patrick Schleizer +Date: Wed May 21 12:25:49 2025 -0400 + + output + +commit ef8515ba82996b137c386eeb91e6f853d58a515f +Author: Patrick Schleizer +Date: Wed May 21 12:23:45 2025 -0400 + + improve error handling + +commit 784867e24b4d6f2899fa9b215ec9e3c4e2fb9d84 +Author: Patrick Schleizer +Date: Wed May 21 12:21:45 2025 -0400 + + fix + +commit 0eea681ce893a259563f8e9d5a2ec9722fbc635d +Author: Patrick Schleizer +Date: Wed May 21 15:52:16 2025 +0000 + + bumped changelog version + +commit e1bae1c68aabc424924b6386fe4980d657dc2cdf +Author: Patrick Schleizer +Date: Wed May 21 11:50:59 2025 -0400 + + fix + +commit bd01a683054b1f7d5a5f6cc4848da73b1b1ef5ff +Author: Patrick Schleizer +Date: Wed May 21 13:58:18 2025 +0000 + + bumped changelog version + +commit 14cf205579ff65fa765d7574e5d0e301a30a1904 +Author: Patrick Schleizer +Date: Wed May 21 08:36:16 2025 -0400 + + fix + +commit ff6bc5d5b6097bcdddd8e66c2541106c2cbabbaf +Author: Patrick Schleizer +Date: Wed May 21 11:23:39 2025 +0000 + + bumped changelog version + +commit 353b6e83c55d52b47a2a35063406324cec7237c4 +Author: Patrick Schleizer +Date: Wed May 21 07:20:13 2025 -0400 + + test that `wc` is 
functional + + https://github.com/Kicksecure/security-misc/pull/305#issuecomment-2892378246 + +commit 5930e270521e0e5d6a0a3877c813accbf5253051 +Author: Patrick Schleizer +Date: Wed May 21 07:05:25 2025 -0400 + + pam-info: improve error handling + + https://github.com/Kicksecure/security-misc/pull/305#issuecomment-2892378246 + +commit 5c981e0891ef009c5c2355f5f6383aca22c45638 +Author: Patrick Schleizer +Date: Wed May 21 06:55:09 2025 -0400 + + pam-info: fix, consistently write errors and warnings to stderr + +commit e14b81b15e479afbc4820a2b9bb60f3cf65bfb12 +Author: Ashlen +Date: Tue May 20 21:34:03 2025 -0600 + + perf(permission-hardener): optimize string match + + Replace subprocess grep calls with bash substring matching in + check_nosuid_whitelist function. This eliminates ~10k unneeded + subprocess spawns that were causing significant performance + degradation. + + In testing, it improves overall script execution speed by an + order of magnitude: + + Before patch: + $ sudo hyperfine -- './permission-hardener enable' + Benchmark 1: ./permission-hardener enable + Time (mean ± σ): 11.906 s ± 0.974 s [User: 3.639 s, System: 8.728 s] + Range (min … max): 10.430 s … 14.090 s 10 runs + + After patch: + $ sudo hyperfine -- './permission-hardener enable' + Benchmark 1: ./permission-hardener enable + Time (mean ± σ): 802.8 ms ± 178.5 ms [User: 283.0 ms, System: 471.9 ms] + Range (min … max): 639.4 ms … 1092.3 ms 10 runs + +commit 7a079c3de8bd8b4e026a1bd1b932a04610a1e386 +Author: Ashlen +Date: Tue May 20 18:41:48 2025 -0600 + + fix(permission-hardener): add exactwhitelist here + + Without this, the permissions for ssh-agent won't be changed properly. + +commit 94dc9da4ab8fb93760dbb3b325bdeaa155e492cb +Author: Ashlen +Date: Tue May 20 17:07:51 2025 -0600 + + fix(permission-hardener): ssh-agent gets 755 perms + + Replace the commented-out matchwhitelist entry for ssh-agent with an + explicit permission entry (755) for /usr/bin/ssh-agent. 
+ + When ssh-agent's matchwhitelist entry was commented out in commit + 7a5f8b87af, permission-hardener began resetting it to restrictive + defaults (744), preventing non-root users from executing ssh-agent. This + broke split SSH functionality in Qubes OS for me because I was using + Kicksecure in the vault qube, and ssh-agent runs under a non-root user in + that configuration (see https://forum.qubes-os.org/t/split-ssh/19060). + + As noted in the comment, Debian installs with 2755 permissions as a way + to mitigate ptrace attacks, but this rationale doesn't apply due to + kernel.yama.ptrace_scope=2 being set in Kicksecure. + +commit 19d7e1af5d7acf6eb3a20fe3ebf5f14cef041f92 +Author: Patrick Schleizer +Date: Tue May 20 11:40:27 2025 +0000 + + bumped changelog version + +commit 405880e63b92319626332d083a6c5ad5101dbf77 +Author: Patrick Schleizer +Date: Sun May 18 06:44:42 2025 -0400 + + handle case of non-existence of /proc/cmdline + +commit 88235cc97b8b54f3fe78d6ad76f64326e8b53f3e +Author: Patrick Schleizer +Date: Sun May 18 06:44:04 2025 -0400 + + refactoring + +commit 601ea77b005d18b57a85e0701f3981edd61b7881 +Author: Patrick Schleizer +Date: Sun May 18 06:42:39 2025 -0400 + + end-of-options + +commit d8feca12768441b0499ead7cc9f9bce4e89b1edf +Author: Patrick Schleizer +Date: Sun May 18 06:41:41 2025 -0400 + + printf + +commit 7f2ba0980d17360fc014c6a412fc4ee57e1032fd +Author: Patrick Schleizer +Date: Sun May 18 06:40:50 2025 -0400 + + refactoring + +commit 4d1f8c44d28895587abce586ed5b2fe354544f6a +Merge: 341dce3 e478750 +Author: Patrick Schleizer +Date: Sun May 18 06:36:08 2025 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit e478750814798f3d9aa60354b6cecbb84769ed53 +Merge: 341dce3 91a76db +Author: Patrick Schleizer +Date: Sun May 18 06:35:23 2025 -0400 + + Merge pull request #305 from DMHalford/pam-info-failed_login_counter-fix + + Prevent erroneous "Login blocked after [negative number] attempts" errors + +commit 
35fa32e4ed6333f3ab87d09828f13155aa1e7a72 +Author: raja-grewal +Date: Sat May 17 15:06:49 2025 +1000 + + Reword + +commit a1bde21ccb475fc21a084559dbe766f6315d9287 +Author: raja-grewal +Date: Sat May 17 04:41:06 2025 +0000 + + Set `erst_disable` + +commit 91a76db66bb496ba4650ada38df31636297738cf +Author: DMHalford <161769419+DMHalford@users.noreply.github.com> +Date: Thu May 15 15:42:50 2025 -0400 + + Prevent erroneous "Login blocked after [negative number] attempts" errors + + For root, faillock appears to always* return an empty string (i.e. no table headers are present), yielding a zero-initialized pam_faillock_output_count and thus resulting in the calculation of a negative failed_login_counter value. + + This can cause erroneous errors of the form "ERROR: Login blocked after [negative number] attempts" during sudo-ing and screen unlocking. + + This commit modifies the initialization of failed_login_counter such that it cannot be negative and prevents the display of these incorrect warnings. + + * Only rudimentary local tests were conducted + +commit 6c3be9ced071e73e78451c82e8def9c5a5b02598 +Author: DMHalford <161769419+DMHalford@users.noreply.github.com> +Date: Thu May 15 15:06:10 2025 -0400 + + Prevent erroneous "Login blocked after [negative number] attempts" errors + + For root, faillock appears to always* return an empty string (i.e. no table headers are present), yielding a zero-initialized pam_faillock_output_count and thus resulting in the calculation of a negative failed_login_counter value. + + This can cause erroneous errors of the form "ERROR: Login blocked after [negative number] attempts" during sudo-ing and screen unlocking. + + This commit modifies the initialization of failed_login_counter such that it cannot be negative and prevents the display of these incorrect warnings. 
+ + * Only rudimentary tests were conducted + +commit 341dce33fb806ab03822470e6af91604662c22dd +Author: Patrick Schleizer +Date: Fri Apr 25 09:54:23 2025 +0000 + + bumped changelog version + +commit 06e1e44b0039807baa862102b12fc5e199c3ccb3 +Author: Patrick Schleizer +Date: Fri Apr 25 05:51:21 2025 -0400 + + comments + +commit ba1012ca8767baf34ed762d80b25b03bb70e6765 +Author: Patrick Schleizer +Date: Fri Apr 25 08:19:35 2025 +0000 + + bumped changelog version + +commit a8f6132bec1a6f4a639d58295b3e50faf5494d98 +Author: Patrick Schleizer +Date: Fri Apr 25 03:11:27 2025 -0400 + + output + +commit 1d14a9f32435b8131c251e03bff2af5c929bbf49 +Merge: e154d0a 612f5f9 +Author: Patrick Schleizer +Date: Fri Apr 25 02:59:09 2025 -0400 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/fix-pkexec-umask' + +commit 612f5f92fde236b86928428fd0247c8e971b0460 +Author: Aaron Rainbolt +Date: Thu Apr 24 20:01:35 2025 -0500 + + Fix umask for pkexec-run commands + +commit e154d0af6dd41e392122fbe3d09219734c5ad588 +Author: Patrick Schleizer +Date: Mon Apr 21 10:21:54 2025 +0000 + + bumped changelog version + +commit 4bf0e3a63667c284d053e5b8517440a884a42441 +Author: Patrick Schleizer +Date: Mon Apr 21 04:57:07 2025 -0400 + + comments + +commit 502f5953c734346edc680a0b898b435e6c6f6e27 +Author: Patrick Schleizer +Date: Mon Apr 21 04:55:19 2025 -0400 + + comments + +commit abb0c83619b820b7b66258efa9e141850eaa8b6c +Author: Patrick Schleizer +Date: Mon Apr 21 04:54:06 2025 -0400 + + comments + +commit efa2967fca36c776d43419dd5bf12696bc61c426 +Author: Patrick Schleizer +Date: Mon Apr 21 04:53:04 2025 -0400 + + comments + +commit dc7e8579040a96630ab1bbf7b4b901e3e3abe8c7 +Author: Patrick Schleizer +Date: Sat Apr 19 17:33:56 2025 +0000 + + bumped changelog version + +commit 9948ae114d4c6bbd650022c9985137c0fdea5675 +Author: Patrick Schleizer +Date: Sat Apr 19 13:24:17 2025 -0400 + + fix + +commit 4aca622706f33e85832e67650259a7751ba87a72 +Author: Patrick Schleizer +Date: Sat Apr 19 13:23:26 2025 
-0400 + + fix + +commit 701f4a0e88a32e4c9312fd92b73cef5d4f755f0a +Author: Patrick Schleizer +Date: Sat Apr 19 13:20:04 2025 -0400 + + output + +commit a670c0d873eba8d84bde90ebbeecc7aecc22349e +Author: Patrick Schleizer +Date: Sat Apr 19 13:18:23 2025 -0400 + + comment + +commit 4799f3ce02e5683dad0fff13f5d7fe0aadb0a0db +Author: Patrick Schleizer +Date: Sat Apr 19 13:17:28 2025 -0400 + + make `/usr/libexec/security-misc/apt-get-update` more reliable + +commit c4f0e1d16f6999b055b0fa310456870f12a6dbea +Author: Patrick Schleizer +Date: Sat Apr 19 12:57:14 2025 -0400 + + refactoring + +commit 81634930fa13a240b9fff9a878dd84af1dccc6b3 +Author: Patrick Schleizer +Date: Sat Apr 19 12:55:32 2025 -0400 + + refactoring + +commit 90330a1ec958f82f9322ecc62bcfb7169d641af4 +Author: Patrick Schleizer +Date: Sat Apr 19 12:49:18 2025 -0400 + + refactoring + +commit ce2c9a21a357b3981335336eaf7ac8a6a3bcb052 +Author: Patrick Schleizer +Date: Sat Apr 19 12:47:40 2025 -0400 + + /usr/libexec/security-misc/apt-get-update: use `/run/helper-scripts` folder for pid file instead of `$TMP` + + to avoid permission issues + +commit 96ff7c8dc67809a3199d0b7f22d9e50483634a9c +Author: Patrick Schleizer +Date: Sat Apr 19 12:45:06 2025 -0400 + + refactoring + +commit 5a37790e6bd80ffd4f74d9596523ef72366d35d9 +Author: Patrick Schleizer +Date: Sat Apr 19 12:43:15 2025 -0400 + + cleanup + +commit 7512aa67572c97267fd176e63ae4862b6d37f8ae +Author: Patrick Schleizer +Date: Tue Apr 15 20:59:37 2025 +0000 + + bumped changelog version + +commit e0e2a9b61c61b34a6fe10782e294d58adff15cfe +Merge: 5e88dfe 9f2836d +Author: Patrick Schleizer +Date: Tue Apr 15 15:27:10 2025 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 9f2836d2baae900222cbae74d7a32bcdc69e589f +Merge: 5e88dfe aa0ffff +Author: Patrick Schleizer +Date: Tue Apr 15 15:17:25 2025 -0400 + + Merge pull request #304 from raja-grewal/stop_pstore + + Disable PStore + +commit 5e88dfe809a762aeebf62ea2de131cfbdea9ae32 +Author: Patrick 
Schleizer +Date: Thu Apr 10 11:38:17 2025 +0000 + + bumped changelog version + +commit c0a18c5a7122fe3c7b52d0e02ca5e8817efb3996 +Merge: da9dd3c 74ca63d +Author: Patrick Schleizer +Date: Thu Apr 10 06:07:55 2025 -0400 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/rename-boot-modes' + +commit 74ca63d12c716017d022f5dfc5348ae7b787e220 +Author: Aaron Rainbolt +Date: Wed Apr 9 21:01:41 2025 -0500 + + Mass-change "PERSISTENCE mode USERNAME" to "PERSISTENCE Mode - USERNAME Session" + +commit aa0ffff42753f68e67bc92680a22986a5b9ef9e0 +Author: raja-grewal +Date: Thu Apr 10 11:49:45 2025 +1000 + + README.md: Revert error + +commit da9dd3c3f14103701ad82af775b4fb547f5b3e2e +Author: Patrick Schleizer +Date: Wed Apr 9 15:16:00 2025 +0000 + + bumped changelog version + +commit 163d51f32a1888a52ea78ba32a4e4a2d72aea87d +Author: Patrick Schleizer +Date: Wed Apr 9 09:47:52 2025 -0400 + + newline at the end + +commit 4d2b2e65468522b1d1beda63b0b16cfa12b1d535 +Author: Patrick Schleizer +Date: Tue Apr 8 14:08:24 2025 +0000 + + bumped changelog version + +commit 39f4f5b60739c387f02970018e14f1ae93677e00 +Author: Patrick Schleizer +Date: Tue Apr 8 06:53:08 2025 -0400 + + comments + +commit 173606891ad0c064a22b4ec0aee772105d8be54a +Author: Patrick Schleizer +Date: Tue Apr 8 06:48:29 2025 -0400 + + output + +commit f0d17c7e4134d8a54ce7331c1e9d3ce932278987 +Author: raja-grewal +Date: Sun Mar 16 03:31:24 2025 +0000 + + README: Fix a few links + +commit df2fc2cf6b0437d23c7641118ebd24d2e3a670ce +Author: raja-grewal +Date: Sun Mar 16 03:30:04 2025 +0000 + + Set `efi_pstore.pstore_disable=1` + +commit f643ebc2f923ba4d7231e5aeaf1d91d1a9d1d0df +Author: raja-grewal +Date: Sun Mar 16 03:28:39 2025 +0000 + + Disable pstore processing by systemd-pstore service + +commit d927fe238cc5369f7fe1632a4173fe4bdf0ffdfb +Author: Patrick Schleizer +Date: Mon Mar 3 11:00:38 2025 +0000 + + bumped changelog version + +commit cd0ba94ac5e7e8360183ac6f440d941b4067025b +Author: Patrick Schleizer +Date: Mon Mar 3 
05:57:59 2025 -0500 + + no longer disable `vivid` kernel module by default, + because it breaks Qubes Video Companion + + Thanks to @marmarek for the bug report! + + https://forums.whonix.org/t/testing-qubes-video-companion-on-whonix/21393 + + fixes https://github.com/Kicksecure/security-misc/issues/298 + +commit 3e7d1b4e23e1e8ef4ad138dbe4119eee7e72511c +Author: Patrick Schleizer +Date: Sun Feb 9 23:04:36 2025 +0000 + + bumped changelog version + +commit 0615e6e995eb25d8e1bff181ecc49ff51e4029cc +Merge: 2a4a228 4d62ee3 +Author: Patrick Schleizer +Date: Sun Feb 9 18:01:43 2025 -0500 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 4d62ee3ab31bde80eebde265c2513233f10f751a +Merge: 2a4a228 ce4b57d +Author: Patrick Schleizer +Date: Sun Feb 9 18:00:59 2025 -0500 + + Merge pull request #297 from raja-grewal/warn_path + + Update docs on kernel panics + +commit ce4b57d1cb179f18c1ac41681626d01054355fe6 +Author: raja-grewal +Date: Mon Feb 3 00:31:45 2025 +0000 + + Update docs on kernel panics + +commit 2a4a228b150e06c7ff796315719d41e825dd8ad3 +Author: Patrick Schleizer +Date: Fri Jan 31 19:38:42 2025 +0000 + + bumped changelog version + +commit 041caf286b343268e6db69f2957f23c1dd20812a +Author: Patrick Schleizer +Date: Fri Jan 31 14:33:54 2025 -0500 + + update pkg_installed function + +commit ac1493fcfc194b8d1a680d7e8bf53a90caa984ac +Author: Patrick Schleizer +Date: Fri Jan 31 14:33:17 2025 -0500 + + comment + +commit c0f2f110146410428fc12815b30aaba67ff16126 +Author: Patrick Schleizer +Date: Thu Jan 30 12:58:48 2025 +0000 + + bumped changelog version + +commit 9f5e522b83ba969112abf6a9fba77c1eff31b14d +Author: Patrick Schleizer +Date: Thu Jan 30 07:53:04 2025 -0500 + + LC_ALL=C + +commit 7c150d116d1d1f95e2fb729934906eb4391a389a +Author: Patrick Schleizer +Date: Thu Jan 30 07:45:08 2025 -0500 + + LANG=C str_replace: no longer requires LANG=C, therefore removed + +commit 6aaf7082177fe4d02415aac4317cde74665f495c +Author: Patrick Schleizer +Date: Wed Jan 29 
14:36:41 2025 +0000 + + bumped changelog version + +commit 10508cb5801c28f8fff306957e867a1626aa6489 +Merge: 6b4fa1e b9dee26 +Author: Patrick Schleizer +Date: Wed Jan 29 09:36:28 2025 -0500 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit b9dee2633128577245763bad41cf3cb6b49751f3 +Merge: 6b4fa1e 4b1e530 +Author: Patrick Schleizer +Date: Wed Jan 29 09:35:50 2025 -0500 + + Merge pull request #296 from raja-grewal/cpu_details + + Hardware-related Documentation + +commit 6b4fa1ef0055d36a45d65481129dabfee77027e4 +Author: Patrick Schleizer +Date: Thu Jan 23 16:28:58 2025 +0000 + + bumped changelog version + +commit b10f5489a3e3317f01339ea34a0e5c7bfb850a01 +Author: Patrick Schleizer +Date: Thu Jan 23 11:12:26 2025 -0500 + + copyright + +commit 3c18734db32b2d19c3a30e282435f083d307d86e +Author: Patrick Schleizer +Date: Wed Jan 22 14:11:21 2025 +0000 + + bumped changelog version + +commit f90ffacac3d3c12f62f62106a69cb6caeca69041 +Author: Patrick Schleizer +Date: Wed Jan 22 09:09:56 2025 -0500 + + bump permission hardner migration code version + +commit 3a056c9d9c17ed3968f48ac332cee94f714320c7 +Author: Patrick Schleizer +Date: Wed Jan 22 09:05:50 2025 -0500 + + bump permission hardner migration code version + +commit d5ad29a7324dfbece3185026a3f4c58121c453b6 +Author: Patrick Schleizer +Date: Wed Jan 22 09:04:44 2025 -0500 + + add /usr/lib/polkit-1/polkit-agent-helper-1 to permission hardener hardcoded statoverride file + +commit c8a2483cf6735b29ef9b265cc09b58b00b14b6f0 +Author: Patrick Schleizer +Date: Wed Jan 22 13:52:29 2025 +0000 + + bumped changelog version + +commit 80bd314436b99b723359f25e52bbd14683929b56 +Author: Patrick Schleizer +Date: Wed Jan 22 08:25:14 2025 -0500 + + add `.whonix` files to hardcoded files + +commit 9b012bdeee03e73de537e7fe65c0bb8d16b38e79 +Merge: 507130a 42f34f5 +Author: Patrick Schleizer +Date: Wed Jan 22 08:23:49 2025 -0500 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/permission-hardener-symlink-fix' + +commit 
507130a1cc0592bd4a4b280da7496dade470e637 +Merge: f1b6bff ed767e0 +Author: Patrick Schleizer +Date: Wed Jan 22 08:21:39 2025 -0500 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/permission-hardener-diag' + +commit 42f34f5a4ccf95d504e28a26aeb0747fef4685ba +Author: Aaron Rainbolt +Date: Tue Jan 21 21:49:03 2025 -0600 + + Don't handle files with multiple hardlinks + +commit 5e60416c864a7d06f635161a185864fc36d5685c +Author: Aaron Rainbolt +Date: Tue Jan 21 21:05:03 2025 -0600 + + Make permission-hardener always apply changes to real files, not symlinks + +commit ed767e00b0260d29c18c710efe07d68a9beffb34 +Author: Aaron Rainbolt +Date: Tue Jan 21 16:41:30 2025 -0600 + + Add some local variable declarations + +commit 4b1e530674146d4d2b62ff4a87fe3add5667403c +Author: raja-grewal +Date: Tue Jan 21 12:39:06 2025 +0000 + + README.md: List CPU mitigations + +commit 15d13a8571d1f38b2bc36387f61bce24c86be97b +Author: raja-grewal +Date: Tue Jan 21 12:36:04 2025 +0000 + + Add info on DBX updates via the UEFI Revocation List + +commit a97620a2e491cc039adb15af94958f26b39319a2 +Author: Aaron Rainbolt +Date: Mon Jan 20 22:43:55 2025 -0600 + + Add print-diagnostics command to permission-hardener + +commit f1b6bff30b1891bfbe870de9edd78fa7dbd66e7c +Author: Patrick Schleizer +Date: Mon Jan 20 11:35:08 2025 +0000 + + bumped changelog version + +commit df9d058ed9635b168508ded20277c174a24cf3f5 +Author: Patrick Schleizer +Date: Mon Jan 20 06:28:16 2025 -0500 + + usrmerge + +commit 8ff5f3b22125488f64cd384ffbfcbd8f2ecd61a6 +Author: Patrick Schleizer +Date: Mon Jan 20 10:11:43 2025 +0000 + + bumped changelog version + +commit 4e0d5a196ccb8ef3fdf2b67d974f28d02a532f91 +Author: Patrick Schleizer +Date: Mon Jan 20 04:30:26 2025 -0500 + + delete comment only configuration file (moved to user-sysmaint-split) + +commit 1b4d1edfc316f125ff5039bf17897802205750e2 +Author: Patrick Schleizer +Date: Mon Jan 20 04:29:42 2025 -0500 + + comments + +commit 51c7010e8f47ce6e6a28e6267c735e897dcfb053 +Author: 
Patrick Schleizer +Date: Fri Jan 17 13:35:28 2025 +0000 + + bumped changelog version + +commit 876d596a071ac916f7d220ee2449358aedba7efe +Author: Patrick Schleizer +Date: Fri Jan 17 07:55:54 2025 -0500 + + comment + +commit c9e2f82bd01813682998c775f75bac0841239e5e +Merge: 5971869 bf73f1f +Author: Patrick Schleizer +Date: Fri Jan 17 07:53:59 2025 -0500 + + Merge remote-tracking branch 'ArrayBolt3/master' + +commit bf73f1f2b5e429caaf01bfbcdc7d5d032e3c0efb +Author: Aaron Rainbolt +Date: Wed Jan 15 19:10:41 2025 -0600 + + Avoid impossible-to-satisfy dependency on helper-scripts, improve string handling robustness in postinst + +commit 597186972e463ce7a0b44662f7656f351ddf1030 +Author: Patrick Schleizer +Date: Wed Jan 15 15:02:44 2025 +0000 + + bumped changelog version + +commit ca257164105c4f66576024b64c52a42921455d16 +Author: Patrick Schleizer +Date: Wed Jan 15 09:44:48 2025 -0500 + + improve permission hardener migration code + +commit 2dfd30a44ae332faa50bc4920486cdd9480c7e5d +Merge: a84d3ba 328f747 +Author: Patrick Schleizer +Date: Wed Jan 15 09:33:57 2025 -0500 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/more-permission-hardener' + +commit 328f747179ffb2e7705a73bc9a0c5133a17da829 +Author: Aaron Rainbolt +Date: Tue Jan 14 20:35:28 2025 -0600 + + Restore permission-hardener's notice about how to compare old and new states + +commit c6f09748f383fdf7c1b07441c73477b3f18d2768 +Author: Aaron Rainbolt +Date: Tue Jan 14 20:27:53 2025 -0600 + + Handle de-corruption of new_mode a bit better + +commit a0f81958dfb020d311d86cbd00d4f86f678d8be9 +Author: Aaron Rainbolt +Date: Tue Jan 14 19:25:15 2025 -0600 + + De-corrupt the new_mode permission-hardener statoverride database too + +commit 396372c1295e2a09d596f3e23fccc26794a26f05 +Author: Aaron Rainbolt +Date: Tue Jan 14 18:50:24 2025 -0600 + + Avoid scanning unnecessary packages for modified permission-hardener config + +commit a84d3ba732bcbd2fb93ea2bc145a0db0f33f1b77 +Author: Patrick Schleizer +Date: Tue Jan 14 14:32:13 
2025 +0000 + + bumped changelog version + +commit 709036c79f8efc9fefa9e7709780a75f9f5004d2 +Author: Patrick Schleizer +Date: Tue Jan 14 09:31:58 2025 -0500 + + debconf-updatepo + +commit 659c7037c6956f6d905e55a1ebb13ebe6a273dee +Author: Patrick Schleizer +Date: Tue Jan 14 14:30:58 2025 +0000 + + bumped changelog version + +commit 86d3db15bf94dc0f4547105e18ef5f26ca124fa8 +Author: Patrick Schleizer +Date: Tue Jan 14 09:30:46 2025 -0500 + + output + +commit 876c0b618785fc71d1d399ff7ab649382104a714 +Author: Patrick Schleizer +Date: Tue Jan 14 09:29:35 2025 -0500 + + output + +commit c46178dee46f88e8d0007a12a48addc2493faab7 +Author: Patrick Schleizer +Date: Tue Jan 14 09:27:37 2025 -0500 + + output + +commit f3c07a2451fd2818daca6bc248cbbcba213516e7 +Author: Patrick Schleizer +Date: Tue Jan 14 09:24:06 2025 -0500 + + update link + +commit bbc4ad7c2a0827d079ccbb18dce4aaae042a2253 +Author: Patrick Schleizer +Date: Tue Jan 14 14:16:45 2025 +0000 + + bumped changelog version + +commit 9bb92e91a8f364a9d9e5d69e907fe8ed8a3c58a2 +Author: Patrick Schleizer +Date: Tue Jan 14 09:16:25 2025 -0500 + + debhelper + +commit 95dd8f419fc7e9832d8ce6f74d35af9b36752f3f +Author: Patrick Schleizer +Date: Tue Jan 14 14:07:50 2025 +0000 + + bumped changelog version + +commit 0a2f06b456854f1cec3ff93952edef928ac7a184 +Author: Patrick Schleizer +Date: Tue Jan 14 09:07:32 2025 -0500 + + use pre.bsh + +commit 6a4f9c1bd8c48bb1a711eee077ea7a05646b0598 +Author: Patrick Schleizer +Date: Tue Jan 14 14:06:50 2025 +0000 + + bumped changelog version + +commit e60183ec073d278f8d69a5475aa52d75870cd9b0 +Author: Patrick Schleizer +Date: Tue Jan 14 09:06:41 2025 -0500 + + output + +commit a812961beabacca052b4b25b78ecd2c35184d5d5 +Author: Patrick Schleizer +Date: Tue Jan 14 09:06:12 2025 -0500 + + verbose + +commit 0e4dfc59dd9c06dd732affd8ca7f72a1a70a95b0 +Author: Patrick Schleizer +Date: Tue Jan 14 13:53:49 2025 +0000 + + bumped changelog version + +commit cdf179f1277bcae3ef681d35aeca6289d55b3a6a +Author: Patrick 
Schleizer +Date: Tue Jan 14 08:53:38 2025 -0500 + + fix + +commit 41cd09933a506d55bab1f8bf101840cf4bbbf028 +Author: Patrick Schleizer +Date: Tue Jan 14 09:26:05 2025 +0000 + + bumped changelog version + +commit eec2e2c8ee621c6ebb152abbfe3951fa0322a0d0 +Author: Patrick Schleizer +Date: Tue Jan 14 04:13:39 2025 -0500 + + comment + +commit 6d282226ef653accf1de32582b999ff31775f60f +Author: Patrick Schleizer +Date: Tue Jan 14 04:12:12 2025 -0500 + + comment + +commit 466308e4f9ebd496ff54dd9f77881ce10a558802 +Author: Patrick Schleizer +Date: Tue Jan 14 04:09:57 2025 -0500 + + permission hardener: disable SUID for `chrome-sandbox` + +commit 7a5f8b87af7142ce973bd88abf98279ce15559a9 +Author: Patrick Schleizer +Date: Tue Jan 14 04:06:44 2025 -0500 + + permission hardener: disable SUID for `ssh-agent`, `ssh-keysign`, `/lib/openssh/*` + + This might break SSH host-based authentication. + +commit d89ffcde30f6115c25c1bc807eb30b18c21e2b6e +Author: Patrick Schleizer +Date: Tue Jan 14 04:04:09 2025 -0500 + + comment + +commit 9f1759ba0ea7ecee87c8777226eb8a56482deeb5 +Author: Patrick Schleizer +Date: Tue Jan 14 03:56:55 2025 -0500 + + comment + +commit 0ac85ea9f56abdf621ec1b4f2acf08a2450067ba +Author: Patrick Schleizer +Date: Tue Jan 14 03:54:35 2025 -0500 + + comment + +commit fce6a5f8303cd891efd8bbfef861e357dc90e88e +Author: Patrick Schleizer +Date: Tue Jan 14 03:51:43 2025 -0500 + + comment + +commit 1e9940481318d8d7a443b98f0906089759f27a5d +Author: Patrick Schleizer +Date: Tue Jan 14 03:50:16 2025 -0500 + + comment + +commit b198591537a01f5b35c9301ca28a24c70864bcbd +Author: Patrick Schleizer +Date: Tue Jan 14 03:49:42 2025 -0500 + + comment + +commit 7d44db2cb268c4eb31b50bbd44b87b8001dc068c +Author: Patrick Schleizer +Date: Tue Jan 14 03:49:15 2025 -0500 + + usrmerge + +commit 7e7632a55396e10e20a6e9d8d563011694cccc85 +Author: Patrick Schleizer +Date: Tue Jan 14 08:24:05 2025 +0000 + + bumped changelog version + +commit 420cb3f86f69c4505702a8f38271fb095316cb6f +Author: Patrick 
Schleizer +Date: Tue Jan 14 03:19:21 2025 -0500 + + refactoring + +commit b7e7b2767eb957dd1401f5abcff07bfcb47a4c00 +Author: Patrick Schleizer +Date: Tue Jan 14 03:18:17 2025 -0500 + + refactoring + +commit b2a1a0ec9f8db1d84c222e734737b7ed149f6d92 +Author: Patrick Schleizer +Date: Tue Jan 14 03:17:00 2025 -0500 + + refactoring + +commit 69ae2d9ea0826aa81c70e957bb5a9241a84346ad +Merge: de1f31e de9ebab +Author: Patrick Schleizer +Date: Tue Jan 14 03:15:45 2025 -0500 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/permission-hardener-migrate' + +commit de9ebabd46798ff2afa259907b6a7b976070e7f0 +Author: Aaron Rainbolt +Date: Mon Jan 13 21:57:10 2025 -0600 + + Fix minor migration bugs, don't run the migration code on new image builds + +commit a9e87e9d308f5e61a2d2054fa038dae6faadad3a +Author: Aaron Rainbolt +Date: Sun Jan 12 21:13:43 2025 -0600 + + Prevent installation failures when installing non-interactively + +commit 5570d3e5b9f97f14c772facff16dc45df66d42e9 +Author: Aaron Rainbolt +Date: Sun Jan 12 20:40:41 2025 -0600 + + Add a forgotten set -e + +commit 07786de03953b91310588e0b37b9e150bf1b4736 +Author: Aaron Rainbolt +Date: Sun Jan 12 19:34:41 2025 -0600 + + Enable smooth migration from permission-hardener-v1 to permission-hardener-v2 + +commit de1f31e3df1a0fba0a4c6e41b9b46e076266cfd4 +Author: Patrick Schleizer +Date: Sun Jan 12 11:47:18 2025 +0000 + + bumped changelog version + +commit b0baa8baa57937358dc988b88adab4858a1d8cae +Author: Patrick Schleizer +Date: Sun Jan 12 05:38:35 2025 -0500 + + add link + +commit d6a7cd3e0d1e677c1fa8c1fb3b307cdbe0f45031 +Author: Patrick Schleizer +Date: Sun Jan 12 05:36:16 2025 -0500 + + formatting. 
+ + use chapter to make allow for deep linking + +commit 485d9abd1d14e445b48f0fd63290a985b05a5ac7 +Author: Patrick Schleizer +Date: Fri Jan 10 15:34:21 2025 +0000 + + bumped changelog version + +commit c17485baa118e76cc8074ce3e72ac3ac38c577cd +Merge: 482960d e9ef360 +Author: Patrick Schleizer +Date: Fri Jan 10 10:32:26 2025 -0500 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit e9ef3602dd1661de0c0c3781d7e0246720643354 +Merge: 1b33e83 cf435a8 +Author: Patrick Schleizer +Date: Fri Jan 10 10:30:34 2025 -0500 + + Merge pull request #292 from raja-grewal/cpu_table + + Add link to tabular comparison of CPU mitigations + +commit 1b33e83529d652dab4468e0b386e333b3ca4745b +Merge: 486757b 2e6e170 +Author: Patrick Schleizer +Date: Fri Jan 10 10:29:30 2025 -0500 + + Merge pull request #291 from raja-grewal/drop_gratuitous_arp + + Drop gratuitous ARP packets + +commit 486757bfae5e7ecc389b16c49704e742fd267565 +Merge: 17ff249 c37f4ef +Author: Patrick Schleizer +Date: Fri Jan 10 10:29:12 2025 -0500 + + Merge pull request #290 from raja-grewal/arp_ignore + + Respond to ARP requests only if the target IP address is on-link + +commit 17ff24915062736a32d4d54da7163fe34aa70fd3 +Merge: 27d19ba 1f8eee4 +Author: Patrick Schleizer +Date: Fri Jan 10 10:28:48 2025 -0500 + + Merge pull request #289 from raja-grewal/arp_filter + + Enable ARP filtering + +commit 27d19ba568e601c37035a310ae6cdd7d953be286 +Merge: 482960d 5e3785d +Author: Patrick Schleizer +Date: Fri Jan 10 10:28:05 2025 -0500 + + Merge pull request #288 from raja-grewal/shared_media + + Deny sending and receiving shared media redirects + +commit 482960d056ec8d624f127bfe9b1c69a4c30c7e34 +Author: Patrick Schleizer +Date: Fri Jan 10 10:21:12 2025 -0500 + + permission-hardener: move to new state folder `/var/lib/permission-hardener-v2` without migration + + https://github.com/Kicksecure/security-misc/pull/294 + +commit cf435a8fa8e6f795a25ef004cf44a65d461dd32c +Author: raja-grewal +Date: Fri Jan 10 13:22:21 2025 
+1100 + + README.md: Note importance of microcode updates + +commit 3a31cc99b34617cdd3c5f8e8950a37158849cb56 +Merge: c4cfb85 5941195 +Author: Patrick Schleizer +Date: Thu Jan 9 09:30:58 2025 -0500 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/usrmerge' + +commit 538b312349a97bcecb12e62519d77840afcd6ca3 +Author: raja-grewal +Date: Thu Jan 9 15:28:56 2025 +1100 + + Add comment about microcode updates + +commit 1f8eee47200221e2e38291a31e852e9c222d8c64 +Author: raja-grewal +Date: Wed Jan 8 18:36:00 2025 +1100 + + Add missing sentence full stop + +commit 5e3785d76e616f49407e720b37138f35a50fe4fb +Author: raja-grewal +Date: Wed Jan 8 18:35:52 2025 +1100 + + README.md: Remove double space + +commit 5941195e96880b8beb2a791d3c21f3a4c6d429eb +Author: Aaron Rainbolt +Date: Tue Jan 7 14:10:46 2025 -0600 + + Don't worry about files under /bin anymore, Bookworm uses a merged /usr directory + +commit c4cfb8597d1a8631a4cbfa7e88212b798e2bc514 +Merge: c6be621 93ebf17 +Author: Patrick Schleizer +Date: Mon Jan 6 08:43:54 2025 -0500 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/permission-hardener-refactor' + +commit c6be621968c898f792ef1a450d2e1be5cd6056da +Author: Patrick Schleizer +Date: Mon Jan 6 10:31:40 2025 +0000 + + bumped changelog version + +commit 6e0787957b53a64132b64e2a29bafe3e4b66d178 +Author: Patrick Schleizer +Date: Mon Jan 6 05:29:40 2025 -0500 + + increase priority of pam wheel so it is checked even before faillock + + in case of attemtping to use `su` without being a member of the required group `sudo`, it's useful to abort the PAM stack as early as possible to avoid needlessly propmting for a password to later + be rejected tu to lack of group membership + +commit d4767b75206b46f1a006cd91b00239a7b828fc89 +Author: Patrick Schleizer +Date: Mon Jan 6 04:24:44 2025 -0500 + + fix: apply PAM wheal only to `su` PAM service + +commit 93ebf176c5f38bd268e5394e01421e46b9ae7dff +Author: Aaron Rainbolt +Date: Thu Jan 2 20:41:40 2025 -0500 + + Make the main 
field count check in permission-hardener a bit more elegant + +commit 895c0f541fb34f9ebfee9c7ef79c053d5af4a7cc +Merge: 717e6fc 40b23cf +Author: Aaron Rainbolt +Date: Wed Jan 1 15:04:01 2025 -0600 + + Merge branch 'master' into arraybolt3/permission-hardener-refactor + +commit 40b23cfad40825eefc3686e562d78250b58bbc82 +Author: Patrick Schleizer +Date: Tue Dec 31 18:42:01 2024 +0000 + + bumped changelog version + +commit 33114f771aaeb4dccb0b465861d1239129deb8b2 +Author: Patrick Schleizer +Date: Tue Dec 31 13:26:21 2024 -0500 + + copyright + +commit bb24bff2965ca31de6337820eafd787a11a44a2b +Author: Patrick Schleizer +Date: Tue Dec 31 14:09:34 2024 +0000 + + bumped changelog version + +commit 0640964c35b0d977ba718629d4a8791e67700202 +Author: Patrick Schleizer +Date: Tue Dec 31 06:14:29 2024 -0500 + + readme + +commit 717e6fcfbea38cef9d3e201cf2e2b725e3da2267 +Author: Aaron Rainbolt +Date: Mon Dec 30 19:23:20 2024 -0600 + + Post-review improvements to permission-hardener + +commit dbcb612517abbf8d162cfb31ba0585c518df8817 +Author: Aaron Rainbolt +Date: Wed Dec 25 19:48:28 2024 -0600 + + Polish permission-hardener refactor + +commit 397b476a822c9f7e41ec911f5d689b67026660ad +Author: Patrick Schleizer +Date: Thu Dec 26 04:12:02 2024 +0000 + + bumped changelog version + +commit 66f8c18c65f33676d242b57ebb1d4410876461b3 +Merge: aa82202 6602fb1 +Author: Patrick Schleizer +Date: Wed Dec 25 22:43:04 2024 -0500 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/sysmaint' + +commit 83d386795940099e0835c51f3522aae3d9217dc8 +Author: Aaron Rainbolt +Date: Tue Dec 24 20:14:57 2024 -0600 + + Refactor permission-hardener to be more idempotent + +commit 6602fb102dedc21300ae4c4519f3d9ef4e668045 +Author: Aaron Rainbolt +Date: Tue Dec 24 20:52:34 2024 -0600 + + Adjust pam-info messaging for sysmaint mode + +commit aa82202e701167eacb63eac208469844e983ca43 +Author: Patrick Schleizer +Date: Tue Dec 24 05:16:22 2024 +0000 + + bumped changelog version + +commit 
27d015d58ebc5e750d9d06f042b761720473941d +Merge: 3c73c0c 2f3a2bc +Author: Patrick Schleizer +Date: Tue Dec 24 00:08:58 2024 -0500 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/sysmaint' + +commit 2f3a2bce7756efe75cd8aaf5066b599b4c49bbdc +Author: Aaron Rainbolt +Date: Fri Dec 20 11:04:22 2024 -0600 + + Add warning about using non-sysmaint accounts in sysmaint mode + +commit 3c73c0cd3a845d1a484551ff50f59e5f2ef56a68 +Author: Patrick Schleizer +Date: Fri Dec 20 06:01:27 2024 +0000 + + bumped changelog version + +commit a4c76c617a18a49168e0ffdba2d8b0ae834f2877 +Author: Patrick Schleizer +Date: Fri Dec 20 01:01:13 2024 -0500 + + syntax fix + +commit b40bc0a2c9b17b3569918a6839bce1c67af5c9df +Author: Patrick Schleizer +Date: Fri Dec 20 05:58:24 2024 +0000 + + bumped changelog version + +commit b21c394ea52401c0d77b6ec396af6a49335f5e0b +Author: Patrick Schleizer +Date: Fri Dec 20 00:56:20 2024 -0500 + + Trigger permission hardener when new configuration files are being installed. + +commit cd027b86e710b6f6b8fac6dd0ebcdcd691e86dd3 +Author: Patrick Schleizer +Date: Fri Dec 20 05:48:48 2024 +0000 + + bumped changelog version + +commit ad6e1f5ad490e12fc5e69b82da5dc1830cc41c96 +Author: Patrick Schleizer +Date: Fri Dec 20 00:41:06 2024 -0500 + + move from `/etc/permission-hardener.d` to `/usr/lib/permission-hardener.d` + +commit a2c1e8c218117a47ef70dd767d753be5d084adfa +Author: Patrick Schleizer +Date: Fri Dec 20 00:39:51 2024 -0500 + + clean up old files in `/etc/permission-hardener.d` + because will be moved to `/usr/lib/permission-hardener.d` + +commit 6de5d2d0763539d6d0d4b19b501bb316ed3b2c94 +Author: Patrick Schleizer +Date: Fri Dec 20 00:37:44 2024 -0500 + + permission hardener: also parse `/usr/lib/permission-hardener.d/*.conf` folder + +commit 721b100fb64136b7c36c8d43c90c716a1fed42d0 +Author: Patrick Schleizer +Date: Thu Dec 19 10:58:50 2024 +0000 + + bumped changelog version + +commit 642b4eeedc43e69bb82ea259b52c0946ce638983 +Author: raja-grewal +Date: Thu Dec 19 
21:57:25 2024 +1100 + + Add link to tabular comparison of CPU mitigations + +commit 175b442d5bb9dfcb4e9b524ec2077e72c74598cc +Author: Patrick Schleizer +Date: Thu Dec 19 05:56:50 2024 -0500 + + use long option name + +commit c99021bb0c1d5b6bf361cc483449330cdd218ee6 +Merge: 95b5357 9d69cd1 +Author: Patrick Schleizer +Date: Thu Dec 19 05:56:01 2024 -0500 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/sysmaint' + +commit 2e6e1701a052ef32711f6c3abaad693a773323f6 +Author: raja-grewal +Date: Thu Dec 19 10:35:08 2024 +0000 + + Set `net.ipv4.conf.*.drop_gratuitous_arp=1` + +commit c37f4efadf8f046168732871172cb66f58eb7c78 +Author: raja-grewal +Date: Thu Dec 19 10:33:49 2024 +0000 + + Set `net.ipv4.conf.*.arp_ignore=2` + +commit af1d06973bdd46af3e39b0bdfda81b950ccac996 +Author: raja-grewal +Date: Thu Dec 19 10:31:43 2024 +0000 + + Set `net.ipv4.conf.*.arp_filter=1` + +commit 750367a9066ca2a0ff819b438a92cb1f6c325edb +Author: raja-grewal +Date: Thu Dec 19 10:29:56 2024 +0000 + + Set `net.ipv4.conf.*.shared_media=0` + +commit 95b535764c8a98b67a71ee1fd57b7f01da464106 +Author: Patrick Schleizer +Date: Thu Dec 19 09:43:26 2024 +0000 + + bumped changelog version + +commit daf0a0900b780a9d44d0d9b49b3fca6ddbd20d18 +Author: Patrick Schleizer +Date: Thu Dec 19 04:39:34 2024 -0500 + + fix apt-get-update for non-English locale + + https://forums.kicksecure.com/t/systemcheck-reports-warning-debian-package-update-check-result-apt-get-reports-that-packages-can-be-updated-but-system-is-already-fully-upgraded/785 + +commit e9a5b14a0db6f071424c19e6f4b006386afb6ab4 +Author: Patrick Schleizer +Date: Thu Dec 19 06:57:42 2024 +0000 + + bumped changelog version + +commit 3135a03e21f9e5816097e25aaa7f4a1671f8f87d +Merge: f0c611d c7f7196 +Author: Patrick Schleizer +Date: Thu Dec 19 00:34:56 2024 -0500 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit c7f7196471b07a580c6d4a5d86739215508142cd +Merge: e5b67e0 3749f8f +Author: Patrick Schleizer +Date: Thu Dec 19 00:31:25 2024 
-0500 + + Merge pull request #287 from raja-grewal/patch + + Refactor and add two CPU mitigations + +commit f0c611d9edb5fd7a3e00d13b248c65abda2c9d8a +Author: Patrick Schleizer +Date: Thu Dec 19 00:18:25 2024 -0500 + + comment + +commit 4f681be77429984695a1b0f689065051884e7bf7 +Merge: 4c3ca68 4cf5757 +Author: Patrick Schleizer +Date: Thu Dec 19 00:17:44 2024 -0500 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit e5b67e044bb5011dd667879a73a670f2c5f74057 +Merge: 4cf5757 c116796 +Author: Patrick Schleizer +Date: Thu Dec 19 00:15:02 2024 -0500 + + Merge pull request #279 from raja-grewal/arp + + Provide network-related hardening options via `sysctl`'s + +commit 4cf5757575c1257a14331f0169a9d8d163e1326d +Merge: 9d06341 1708a03 +Author: Patrick Schleizer +Date: Thu Dec 19 00:08:56 2024 -0500 + + Merge pull request #282 from ArrayBolt3/arraybolt3/umask + + Enable umask hardening + +commit 9d69cd1912ab657e7916b38f56b477c2b7abd0a3 +Author: Aaron Rainbolt +Date: Wed Dec 18 21:34:16 2024 -0600 + + Add sysmaint account lock detection + +commit 3749f8ff097551a843e5ed80de52c6770a32e0c6 +Author: raja-grewal +Date: Wed Dec 18 03:36:09 2024 +0000 + + Update presentation on user namespaces + +commit 0dff2cd28fd769955757cdef1b7f9d637a1180c5 +Author: raja-grewal +Date: Wed Dec 18 03:32:35 2024 +0000 + + Minor additions + +commit 3e96fdd9ccb6268403d6c4f9a061c4a33e6f6dd2 +Author: raja-grewal +Date: Tue Dec 17 11:44:11 2024 +0000 + + Enable `kvm.mitigate_smt_rsb=1` + +commit 45355aabdc180a6a2fdd4a374c6f7d72f4d36240 +Author: raja-grewal +Date: Tue Dec 17 11:42:52 2024 +0000 + + Enable `kvm-intel.vmentry_l1d_flush=always` + +commit defba1f2450b2c8bbc668bf5f6f6f0d101338cc7 +Author: raja-grewal +Date: Tue Dec 17 11:42:03 2024 +0000 + + Refactor CPU mitigations + +commit 943c421889ce5dfe3869380e4587ca22724f2ce7 +Author: raja-grewal +Date: Tue Dec 17 11:40:38 2024 +0000 + + Minor refactoring + +commit ca3a73ac13d805515f71f1be7ecedc33d3a1b519 +Author: raja-grewal +Date: Tue 
Dec 17 11:37:10 2024 +0000 + + Typo + +commit 4c3ca68453b44074025a1ec9f31451c57344f3cf +Author: Aaron Rainbolt +Date: Mon Dec 9 12:37:11 2024 -0600 + + Disable unnecessary sudoers exceptions + +commit 9d06341c91b51f9c737fe67457045924323635f0 +Merge: a9dd592 5b88e92 +Author: Patrick Schleizer +Date: Sat Dec 14 15:18:56 2024 -0500 + + Merge pull request #285 from Kicksecure/permission-hardener-mount + + Permission Hardener: treat mount same as umount + +commit c1167968542a62d0677517e11505f6e9222ec378 +Author: raja-grewal +Date: Thu Dec 12 06:36:47 2024 +0000 + + `arp_ignore`: Add reference to 2024-12-10 Mullvad VPN audit details + +commit a9dd592a8b49226f326e90111178aebba3cc144f +Author: Patrick Schleizer +Date: Tue Dec 10 19:19:10 2024 +0000 + + bumped changelog version + +commit 58722324ec0be98c3e44938df8cb60ca9b261210 +Merge: 518224b 439fa7f +Author: Patrick Schleizer +Date: Tue Dec 10 14:18:50 2024 -0500 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/no-recovery-mode' + +commit 518224b8cf9e99a830b584d8d54b5dea2925c8f5 +Author: Patrick Schleizer +Date: Tue Dec 10 19:17:10 2024 +0000 + + bumped changelog version + +commit 439fa7f3be74f5eba4b98f73c0bb50fd37e8b0e1 +Author: Aaron Rainbolt +Date: Sun Dec 8 03:21:27 2024 -0600 + + Harden/disable recovery mode options + +commit 7902311c570edd4286ba36f0cb85223d1e909a03 +Author: Patrick Schleizer +Date: Sat Dec 7 04:54:47 2024 -0500 + + do not create /etc/sysctl.d/30-lkrg-virtualbox.conf if LKRG is not installed + +commit 1ce37d42cd2c132eca8c45ddb04fdb594349d08f +Author: Patrick Schleizer +Date: Sat Dec 7 04:50:40 2024 -0500 + + . + +commit 5b88e92e5c4b951e659e1574fc248bd11158dfb2 +Author: Patrick Schleizer +Date: Fri Dec 6 09:48:58 2024 -0500 + + permission hardner: treat `mount` the same way we treat `umount` + + Thanks to @the-moog for the bug report! 
+ + fixes https://github.com/Kicksecure/security-misc/issues/284 + +commit 93b51819d4693955936456916188b4118fe68a66 +Author: Patrick Schleizer +Date: Fri Dec 6 09:47:08 2024 -0500 + + permission hardener mount chmod change from `745` to `755` + + https://github.com/Kicksecure/security-misc/issues/284 + +commit 1708a03e1edda821ef091f10c46d32f740511d38 +Author: Aaron Rainbolt +Date: Thu Nov 28 15:20:57 2024 -0600 + + Enable umask hardening + +commit 59299a6639fef31565b8f3cef857c9faa331e0f7 +Author: Patrick Schleizer +Date: Mon Nov 25 21:07:42 2024 +0000 + + bumped changelog version + +commit 98d7c245ee11f16e566422a17543aaed2c155d88 +Author: Patrick Schleizer +Date: Mon Nov 25 15:57:30 2024 -0500 + + "|| exit 1" no longer required thanks to errexit + +commit f9b5d7d3f4f2ed8d1baae67d8427f13cf26aee8d +Author: Patrick Schleizer +Date: Mon Nov 25 15:48:01 2024 -0500 + + use strict shell options + +commit d32cb8c95b09721e52c4d682a0ddd39d590a4368 +Author: Patrick Schleizer +Date: Mon Nov 25 15:44:00 2024 -0500 + + use TMP, sponge, refactoring + +commit 62a551cfe39a6a640f32e6e97f3e915aa8673514 +Merge: af43472 d7475e2 +Author: Patrick Schleizer +Date: Mon Nov 25 15:38:01 2024 -0500 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/sudoers' + +commit d7475e252a64e296913ed8893261e52e72163d55 +Author: Aaron Rainbolt +Date: Thu Nov 21 20:03:42 2024 -0600 + + Make apt-get-update able to be terminated securely + +commit af43472d0ccdecb1725a200d10aeeb1b8d51f31a +Author: Patrick Schleizer +Date: Thu Nov 14 22:24:50 2024 +0000 + + bumped changelog version + +commit c7e9460b2ae8dcb96196fef69a7e0ed992c1b43b +Author: Patrick Schleizer +Date: Thu Nov 14 16:31:12 2024 -0500 + + output + +commit 31804e30ecc9c5a1c5a8e1e014d3dcb85cee4f36 +Author: Patrick Schleizer +Date: Thu Nov 14 20:46:26 2024 +0000 + + bumped changelog version + +commit ef95b3f9a5aed9652c541cf4bf05b20011718466 +Author: Patrick Schleizer +Date: Thu Nov 14 14:41:14 2024 -0500 + + Revert "fix `panic-on-oops.service`" + 
+ This reverts commit 862d23cb10b7687084f8e7e207d1e2c9c1ef6751. + +commit 412b371e85044962f6620386b767369b9e25d71e +Merge: 141b84c 57e1edd +Author: raja-grewal +Date: Wed Nov 13 16:47:57 2024 +1100 + + Merge branch 'Kicksecure:master' into arp + +commit 141b84c40de76988ec78bdccf1c1d67fc4367b3f +Author: raja-grewal +Date: Wed Nov 13 05:42:56 2024 +0000 + + Provide option to deny sending and receiving shared media redirects + +commit 18aec201bfb0477fee8800ad1388099e11920016 +Author: raja-grewal +Date: Wed Nov 13 05:41:25 2024 +0000 + + Provide option to harden response to ARP requests + +commit a25d4f8df88908e83e56049204aa625f1196a948 +Author: raja-grewal +Date: Wed Nov 13 05:40:21 2024 +0000 + + Provide option to enable ARP filtering + +commit c2aae73ce161811571e4c85609a0b043399c1b65 +Author: raja-grewal +Date: Wed Nov 13 05:38:03 2024 +0000 + + Add reference and move text + +commit 57e1edde23aa3f313ce087e00ebc14d158356d6c +Author: Patrick Schleizer +Date: Tue Nov 12 09:11:57 2024 +0000 + + bumped changelog version + +commit 7987a3914d364e674eb7479b15708c450041af02 +Author: Patrick Schleizer +Date: Tue Nov 12 02:29:42 2024 -0500 + + deleted no longer used and out-commented `/etc/sudoers.d/xfce-security-misc` leftover + +commit 8c2e8e69798e5255529ab3dbee6ca07b8b293100 +Author: Patrick Schleizer +Date: Tue Nov 12 01:41:12 2024 -0500 + + deleted no longer used and out-commented `etc/sudoers.d/pkexec-security-misc` leftover + +commit 65fc0419a84d62e07c61d7e37ef27d144b6b6794 +Author: Patrick Schleizer +Date: Mon Nov 11 11:07:57 2024 +0000 + + bumped changelog version + +commit 50161f5d79eea2ab796863e4eb30eccc17e0b41d +Author: Patrick Schleizer +Date: Mon Nov 11 05:48:11 2024 -0500 + + moved /etc/dkms/framework.conf.d/30_security-misc.conf (renamed) to usability-misc + +commit 7c06e22c7d11c345428f3ad42ba43805ebc8d810 +Author: Patrick Schleizer +Date: Mon Nov 11 05:43:25 2024 -0500 + + deleted `/usr/bin/pkexec.security-misc` + + This was not used anymore for anything. 
In the past, we used to `config-package-dev` `replace` `/usr/bin/pkexec` with `/usr/bin/pkexec.security-misc` for the purpose of: + + > Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with hidepid. + + * https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040 + * https://forums.whonix.org/t/cannot-use-pkexec/8129 + + This was a worthwhile effort, interesting approach but ultimately a dead-end. + +commit ef05b1a160b24d5aa42da9cc15009d94a37cf120 +Author: Patrick Schleizer +Date: Mon Nov 11 05:40:41 2024 -0500 + + disable legacy matroxfb_base framebuffer driver + + fix typo matroxfb_bases -> matroxfb_base + + Thanks to @ArrayBolt3 for the bug report! + +commit 862d23cb10b7687084f8e7e207d1e2c9c1ef6751 +Author: Patrick Schleizer +Date: Mon Nov 11 05:36:41 2024 -0500 + + fix `panic-on-oops.service` + + remove `After=multi-user.target` because already using `WantedBy=multi-user.target` + + Thanks to @ArrayBolt3 for the bug report! + +commit 29ae5f5980d521f6a4b468f5bf41210f78fdf10a +Author: Patrick Schleizer +Date: Mon Nov 11 05:28:31 2024 -0500 + + fix optional opt-in `harden-module-loading.service` + + by making `/usr/libexec/security-misc/disable-kernel-module-loading` executable + + Thanks to @ArrayBolt3 for the bug report! + +commit 4c649577f053af12bcd02c20576bf2d8aec1476d +Author: Patrick Schleizer +Date: Sun Nov 10 11:52:42 2024 +0000 + + bumped changelog version + +commit 29b1f1ec5f3a4bf3991fc1b862751c8eb9769ecd +Merge: 5bd0a27 238f32e +Author: Patrick Schleizer +Date: Sun Nov 10 06:32:30 2024 -0500 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 5bd0a277bf39812c6adf40a7a3ef6390935fa08e +Author: Patrick Schleizer +Date: Sun Nov 10 06:29:17 2024 -0500 + + fix permission-hardener issue "Removing capabilities failed. 
File: '/bin/ping'" + + no longer user end-of-options marker (`--`) for `setcap` + since setcap does not support it + + Fixes https://github.com/QubesOS/qubes-issues/issues/9569 + + https://forums.whonix.org/t/permission-hardener-error/20719 + +commit 238f32e81d835e5b9d3bc43a0654d05efa4c4313 +Merge: 3af2684 8107782 +Author: Patrick Schleizer +Date: Fri Nov 8 07:39:40 2024 -0500 + + Merge pull request #280 from raja-grewal/ssbd + + Enable `ssbd=force-on` + +commit 8107782fa54ec0e21893e6bd4a6baabb71eb864b +Author: raja-grewal +Date: Fri Nov 8 15:36:04 2024 +1100 + + Enable `ssbd=force-on` + +commit a1d1f97955fd9fd3cee77dc04e2eb5e5fa29d243 +Author: raja-grewal +Date: Fri Nov 8 03:58:23 2024 +0000 + + Provide option to drop gratuitous ARP packets + +commit 3af2684134279ba6f5b18b40986f02a50baa5604 +Author: Patrick Schleizer +Date: Wed Oct 30 09:43:05 2024 +0000 + + bumped changelog version + +commit 71c58442ca6d57cd95b72a76ed87f8c248cdbd98 +Author: Patrick Schleizer +Date: Mon Oct 28 05:10:19 2024 -0400 + + minor + +commit cfe19e31d858d7899f4d95e21117c992d236d328 +Author: Patrick Schleizer +Date: Mon Oct 28 05:09:53 2024 -0400 + + shell options + +commit 0d506156587f87a303184f22259ffb57dd92cbc8 +Author: Patrick Schleizer +Date: Mon Oct 28 05:07:00 2024 -0400 + + local + +commit ef0eb5f7a0c5a62c5d26bf6dc534f6aa3decc4b0 +Author: Patrick Schleizer +Date: Mon Oct 28 05:06:26 2024 -0400 + + refactoring + +commit fdd1f4b7f88efc22bb57c2ad3e83c0c2e8cbb064 +Author: Patrick Schleizer +Date: Mon Oct 28 05:06:05 2024 -0400 + + refactoring + +commit d00235897d686895a7e2e7da7435832fee008164 +Author: Patrick Schleizer +Date: Mon Oct 28 05:03:59 2024 -0400 + + hide-hardware-info: also parse `/usr/local/etc/hide-hardware-info.d/*.conf` + +commit 6c2e808b9f34900840bd2857fed10d1ffd4cc4c2 +Author: Patrick Schleizer +Date: Mon Oct 28 05:03:20 2024 -0400 + + refactoring + +commit b44e507900defe3db68f31f3e110b1c3e5aa684c +Author: Patrick Schleizer +Date: Wed Oct 23 09:56:05 2024 +0000 + + 
bumped changelog version + +commit 566cda5e4bc69f54d63d72f1e30703074fdf0ce8 +Author: Patrick Schleizer +Date: Mon Oct 21 05:47:38 2024 -0400 + + output + +commit 5991a23049491dd04c19d9ea80f7d7381dd494a0 +Author: Patrick Schleizer +Date: Mon Oct 21 05:47:25 2024 -0400 + + comment + +commit fd34baff8ff17ed572469d9d6d884e6c0d881d20 +Merge: b643330 690e8dd +Author: Patrick Schleizer +Date: Mon Oct 21 05:43:53 2024 -0400 + + Merge remote-tracking branch 'ArrayBolt3/master' + +commit 690e8dd826d1cb39c0c12c03792781862cc2dd23 +Author: Aaron Rainbolt +Date: Sat Oct 19 23:49:07 2024 -0500 + + Avoid faillock lock/tally reset on reboot or timeout + +commit b6433309fd7d6839cfba89e1197590e1ff62ef58 +Author: Patrick Schleizer +Date: Fri Oct 18 12:45:02 2024 -0400 + + use end-of-options + +commit 0cfcdf4f89dc75f2a8e3f8a9e8c69dc3ba3da78a +Author: Patrick Schleizer +Date: Wed Oct 16 10:57:20 2024 +0000 + + bumped changelog version + +commit 0adb9b7c0609a51d503b61ab40ae7d8e55635043 +Merge: 263335f e50ad80 +Author: Patrick Schleizer +Date: Wed Oct 16 06:31:09 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit e50ad807c01b5753c67d579126d7b79d38070c0a +Merge: 263335f eb72163 +Author: Patrick Schleizer +Date: Wed Oct 16 06:29:25 2024 -0400 + + Merge pull request #276 from raja-grewal/KSPP_header + + Clarify KSPP compliance header + +commit eb72163d5707c7673db1f12405d2e04261bd43c8 +Author: raja-grewal +Date: Mon Oct 14 03:01:15 2024 +0000 + + README.md: Make line lengths consistent + +commit a9f238fe048acfeff49f96c00570acc6ca4c37e8 +Author: raja-grewal +Date: Mon Oct 14 02:57:31 2024 +0000 + + README.md: Split optional setting to new line + +commit 09fe46adc956e8c6de232f1093c37cdd30933acd +Author: raja-grewal +Date: Mon Oct 14 02:54:30 2024 +0000 + + Clarify KSPP compliance header for the undocumented case + +commit 263335f74ea0f050f9c259e20141c3345e7fa789 +Author: Patrick Schleizer +Date: Tue Oct 8 11:24:56 2024 +0000 + + bumped changelog version + +commit 
9169611645d0cd5a308ff48862f351ef5ea5f7e8 +Merge: 8a2d432 8227a3d +Author: Patrick Schleizer +Date: Tue Oct 8 05:54:50 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 8227a3dde2995ceb113164baf49591d52c2b53e1 +Merge: 8a2d432 0c0774f +Author: Patrick Schleizer +Date: Tue Oct 8 05:53:48 2024 -0400 + + Merge pull request #273 from raja-grewal/text_2 + + Documentation update 2 + +commit 0c0774f6c0927ed1cc599f931175985b8f01ec30 +Merge: dc470ca 8a2d432 +Author: raja-grewal +Date: Sun Oct 6 10:48:52 2024 +0000 + + Merge branch 'master' into text_2 + +commit dc470cac1d93656354aeaaac0a6f8cbbd39f9f0f +Author: raja-grewal +Date: Sun Oct 6 10:46:05 2024 +0000 + + Remmove deprecated link + +commit 8a2d432ffe6d4eb661026b6e7dbf534bb1db971b +Author: Patrick Schleizer +Date: Thu Oct 3 07:22:23 2024 +0000 + + bumped changelog version + +commit 0e3ffa3f11a0049e57803c8f2e75dbb7d8ceb22c +Author: Patrick Schleizer +Date: Thu Oct 3 02:58:58 2024 -0400 + + no longer set `kernel.unprivileged_userns_clone=0` + + because it breaks too much + + fixes https://github.com/Kicksecure/security-misc/issues/274 + +commit f401d94d5e0d0f26e93be55deda440fe565a6b22 +Author: Patrick Schleizer +Date: Thu Oct 3 02:44:06 2024 -0400 + + expand documentation on `kernel.unprivileged_userns_clone=0` sysctl + + https://github.com/Kicksecure/security-misc/issues/274 + +commit ac1378743c7448c9a7e7e02bebcf3270592d42a5 +Author: raja-grewal +Date: Mon Sep 30 16:56:18 2024 +1000 + + Consistent formatting + +commit eae38e72f30ff9b9f8d0b8b0b33182a918333e48 +Author: raja-grewal +Date: Thu Sep 26 13:10:36 2024 +0000 + + README.md: Show the current max_map_count + +commit f3b50a23c976ba4feff34eee721c50f698ecc5bf +Author: raja-grewal +Date: Thu Sep 26 13:10:01 2024 +0000 + + Add reference on unprivileged_userns_restriction + +commit 39d063d494cb540f45747f6253ab896200ba03c3 +Author: raja-grewal +Date: Thu Sep 26 13:09:21 2024 +0000 + + Add KSPP=no definition + +commit 
5572eb897a10455041df8abec6b6be6de29431a0 +Author: Patrick Schleizer +Date: Wed Sep 25 01:03:42 2024 +0000 + + bumped changelog version + +commit e04f9cd4c17305d5201aa973c34778e81508734b +Merge: 18d426f 65aa910 +Author: Patrick Schleizer +Date: Tue Sep 24 20:16:06 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 65aa910503c07f708abf20f78be2f519ef58764a +Merge: 18d426f 870ff88 +Author: Patrick Schleizer +Date: Tue Sep 24 20:15:03 2024 -0400 + + Merge pull request #272 from raja-grewal/text + + Documentation update + +commit 870ff88605b8167c8882162cc3da005d71ca0cd3 +Author: raja-grewal +Date: Wed Sep 25 10:01:45 2024 +1000 + + Comment on Flatpak requiring unprivileged user namespaces + +commit 769767a96a5de2a8bc05e70ca490d8340b553061 +Author: raja-grewal +Date: Wed Sep 25 09:54:49 2024 +1000 + + Update mmap ASLR docs + +commit 18d426f521b2b1369fe68e143dc8a0be064d0dcc +Author: Patrick Schleizer +Date: Sat Sep 14 02:56:09 2024 +0000 + + bumped changelog version + +commit 3280dbd5d562d7f6b50118ac0da36c3285493be6 +Author: Patrick Schleizer +Date: Fri Sep 13 22:52:47 2024 -0400 + + Fix VirtualBox audio device ICH AC97. + + no longer `blacklist snd_intel8x0` + + Breaks VirtualBox audio device ICH AC97, which is unfortunately still required by some users. 
+ https://www.kicksecure.com/wiki/Dev/audio + + Fixes https://github.com/Kicksecure/security-misc/issues/271 + +commit 1bc694fa124eaeb6e1517d2191a8fd97446872c4 +Author: Patrick Schleizer +Date: Sun Sep 8 17:41:30 2024 +0000 + + bumped changelog version + +commit 01908d505a59e7ec37cc3de3e1d49ff35ba127aa +Author: Patrick Schleizer +Date: Thu Sep 5 07:00:11 2024 -0400 + + readme + +commit e914028be7a48a3bfdf86e09c029011807f080d7 +Author: Patrick Schleizer +Date: Thu Sep 5 06:03:05 2024 -0400 + + add KSPP compliance status to readme based on comment by @raja-grewal + + https://github.com/Kicksecure/security-misc/issues/256#issuecomment-2330376651 + +commit 40fb14c654df94e9bdfb30ae55fc3bc4f0a0aef4 +Author: Patrick Schleizer +Date: Wed Sep 4 14:13:15 2024 +0000 + + bumped changelog version + +commit 5a255d4831470449a26b324a8f16594432bf834b +Merge: d618f9f 563a898 +Author: Patrick Schleizer +Date: Wed Sep 4 10:12:34 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 563a8980133e15e33ac95a631e37ecfff88f6f8f +Merge: 175945e e61027a +Author: Patrick Schleizer +Date: Wed Sep 4 10:11:48 2024 -0400 + + Merge pull request #265 from raja-grewal/mmap_min_addr + + Set `sysctl vm.mmap_min_addr=65536` + +commit d618f9f35b8e8c6eee1e164a6ec300d63b1ee797 +Merge: 59374ce 175945e +Author: Patrick Schleizer +Date: Wed Sep 4 10:07:50 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 175945ec9a28bf1e5b0fa0d2ae2bd6546d6c6172 +Merge: b0a8544 3101035 +Author: Patrick Schleizer +Date: Wed Sep 4 10:05:47 2024 -0400 + + Merge pull request #268 from raja-grewal/panic_on_warn + + Enable `panic_on_warn=1` + +commit b0a8544182f6ff3c8c3f1068176ff5e9e4f557ef +Merge: 59374ce 7393ba1 +Author: Patrick Schleizer +Date: Wed Sep 4 10:04:45 2024 -0400 + + Merge pull request #270 from raja-grewal/typo + + Small typo + +commit 7393ba159192fdfc45ef31a3fa60786f899dbf25 +Author: raja-grewal +Date: Wed Sep 4 23:23:24 2024 +1000 + + Typo + +commit 
59374ce902127e2125addc2ebb57d0d856a63671 +Author: Patrick Schleizer +Date: Thu Aug 29 09:49:51 2024 +0000 + + bumped changelog version + +commit 7e2838ec077b53e41d468d5655290152761c8745 +Merge: 9c918eb 0762794 +Author: Patrick Schleizer +Date: Thu Aug 29 05:06:07 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 0762794ff684049a62b5b92b61177615a5376ad7 +Merge: 9c918eb 6294729 +Author: Patrick Schleizer +Date: Thu Aug 29 04:46:26 2024 -0400 + + Merge pull request #269 from raja-grewal/tidy + + Minor correction + +commit 6294729c8ef24077cd342b4557653806c3aacd34 +Author: Raja Grewal +Date: Thu Aug 29 15:34:24 2024 +1000 + + Follow-up on https://github.com/Kicksecure/security-misc/commit/f70fe308a9f65873d34de2d1906d825f3a56e272 + +commit 3101035a3fd5fbe87c79e95e51dc2da39fee93d5 +Author: Raja Grewal +Date: Thu Aug 29 01:57:32 2024 +1000 + + Enable `panic_on_warn=1` + +commit 9c918eb4313b60dc15aa9fa4474a7977602030c1 +Author: Patrick Schleizer +Date: Wed Aug 28 11:01:37 2024 +0000 + + bumped changelog version + +commit f70fe308a9f65873d34de2d1906d825f3a56e272 +Author: Patrick Schleizer +Date: Wed Aug 28 06:49:50 2024 -0400 + + no longer set sysctl `fs.binfmt_misc.status=0` / + no longer disallow registering interpreters for miscellaneous binary formats + + causing file/folder permissions issue `d????????? ? ? ? ? ? 
.` + + Firefox no longer starting (probably not not a Firefox issue) + + https://github.com/Kicksecure/security-misc/issues/267 + +commit 463aa58f28b6389d0925fed87096b348b652cc16 +Merge: cf824dd 328840c +Author: Patrick Schleizer +Date: Wed Aug 28 06:42:49 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 328840c933a583adc5458aa08c63fb627b31b298 +Merge: cf824dd 9e91c98 +Author: Patrick Schleizer +Date: Wed Aug 28 06:38:57 2024 -0400 + + Merge pull request #264 from raja-grewal/kspp_compliance + + Add KSPP compliance notices to corresponding parameters and `sysctls` + +commit 9e91c98cc926e7a166458cd78e3c1d1ced23c753 +Author: Raja Grewal +Date: Mon Aug 26 12:40:04 2024 +1000 + + Add details on BPF hardening and split the `sysctl`s + +commit 2c356e8b0ef7db56e7b453535c8cb6c83fc2e3c6 +Author: Raja Grewal +Date: Mon Aug 26 11:34:12 2024 +1000 + + Add KSPP notice definitions + +commit 2841d789bebbd43f855b6ffb92a3a6f017007a72 +Author: Raja Grewal +Date: Mon Aug 26 11:21:26 2024 +1000 + + README: Update + +commit ac6602ac3531ae57603e8a9e5ac2ee1652164b23 +Author: Raja Grewal +Date: Mon Aug 26 11:19:20 2024 +1000 + + Add detail on disabling user namespaces breaking UPower + +commit 9dbd200be415c86e7039463c6269fad8395a4373 +Merge: 32de5e7 cf824dd +Author: raja-grewal +Date: Mon Aug 26 11:08:21 2024 +1000 + + Merge branch 'Kicksecure:master' into kspp_compliance + +commit cf824ddb248957fd9e542c1a5adc5e90381f684c +Author: Patrick Schleizer +Date: Sun Aug 25 15:34:55 2024 +0000 + + bumped changelog version + +commit 500568e322b2e3623fc649209d671c7b9d9fa097 +Merge: 43d13b7 73900b5 +Author: Patrick Schleizer +Date: Sun Aug 25 11:01:58 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 73900b59db37d77bc24bd5088aae3cc760aacc69 +Merge: 43d13b7 1f51d4e +Author: Patrick Schleizer +Date: Sun Aug 25 11:00:51 2024 -0400 + + Merge pull request #263 from raja-grewal/max_user_namespaces + + Provide option to disable user namespaces 
+ +commit 43d13b70f12d2198a800054ce4d1ff901cc474f9 +Merge: 8353764 fae586c +Author: Patrick Schleizer +Date: Sun Aug 25 10:55:52 2024 -0400 + + Merge remote-tracking branch 'raja/syntax' + +commit 835376418d616699023f8e638666f43d34241863 +Merge: ae85fd5 342caf8 +Author: Patrick Schleizer +Date: Sun Aug 25 10:48:25 2024 -0400 + + Merge remote-tracking branch 'raja/mod' + +commit ae85fd5b4ce6f4716f95332c19b79d3daa8f7220 +Author: Patrick Schleizer +Date: Sun Aug 25 14:33:40 2024 +0000 + + bumped changelog version + +commit 433b15f985545f531b87d09659bbbb89993b5a67 +Author: Raja Grewal +Date: Wed Aug 21 12:51:51 2024 +1000 + + README.md: Organise `sysctl`s + +commit af87a84b4f40b2ad9ac05dd9bce837665f239454 +Author: Raja Grewal +Date: Wed Aug 21 12:52:48 2024 +1000 + + README.md: Organise kernel boot parameters + +commit 32de5e7c49d301b62b838ba88550f58b02b6562b +Author: Raja Grewal +Date: Sun Aug 25 12:57:22 2024 +1000 + + Add details on oopses and warnings + +commit e4909b5e28e16f09de0e548c9221578ebe1190a3 +Author: Raja Grewal +Date: Sun Aug 25 12:47:04 2024 +1000 + + Add details on kernel panics + +commit 342caf82b20acc2931563449fafe9a98cbedaba2 +Author: Raja Grewal +Date: Wed Aug 21 12:52:48 2024 +1000 + + README.md: Organise kernel boot parameters + +commit b87a18d4050bbf2add5cc4920684876a440e65bb +Author: Raja Grewal +Date: Wed Aug 21 12:51:51 2024 +1000 + + README.md: Organise `sysctl`s + +commit 18ed77ecc93e9ee759a4990a32edb3dd671b8c26 +Author: Raja Grewal +Date: Wed Aug 21 12:50:14 2024 +1000 + + Refactor modprobe.d to minimise potential future merge conflicts + +commit 56b28e38264fe742b8d694176f1057c15574fc08 +Author: Raja Grewal +Date: Mon Aug 19 11:50:08 2024 +1000 + + Typo + +commit e61027a40e2ab82fac3ae4cfd5f91fd0a47f31e5 +Author: Raja Grewal +Date: Mon Aug 19 11:32:20 2024 +1000 + + Set `sysctl vm.mmap_min_addr=65536` + +commit 94dab1b7c503429e2fa91019a0183b2f36c6693f +Author: Raja Grewal +Date: Mon Aug 19 10:53:05 2024 +1000 + + Partial compliance with the 
KSPP on kernel panics + +commit 683110e7f02fa5fc6415354386552640cdb8758b +Author: Raja Grewal +Date: Mon Aug 19 01:34:14 2024 +1000 + + Correction + +commit 1f51d4eeb2b0c6e23ce64fb272eecb97e089324d +Author: Raja Grewal +Date: Sun Aug 18 13:53:11 2024 +1000 + + Add details on user namespaces + +commit 248e094b8e0bbf7892f79ad1c3ec77c7ed00d008 +Author: Raja Grewal +Date: Sat Aug 17 01:06:21 2024 +1000 + + Include KSPP compliance notices + +commit 759aee8150a2d1258d73217c071b25432d47496f +Author: Raja Grewal +Date: Fri Aug 16 22:54:57 2024 +1000 + + Provide option to disable user namespaces + +commit fae586c3c5e8382ca01c60f810b26d88189a5514 +Author: Raja Grewal +Date: Fri Aug 16 19:23:48 2024 +1000 + + Patch bug in existing `rp_filter` `sysctl` + +commit e962153f84c4cb8e13fb0cc25d611ae481c7a0c7 +Author: Patrick Schleizer +Date: Fri Aug 16 08:38:12 2024 +0000 + + bumped changelog version + +commit 40b12f5a2a4a40d7033569b11ad4e1c228e7389b +Merge: 12296c6 305467c +Author: Patrick Schleizer +Date: Fri Aug 16 04:30:29 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 305467c652af933bb5aa5a677b10a992a5f19cab +Merge: 12296c6 a5373af +Author: Patrick Schleizer +Date: Fri Aug 16 04:25:43 2024 -0400 + + Merge pull request #245 from raja-grewal/blacklist_to_disable + + Update `/etc/modprobe.d/*` + +commit 12296c68dc0aaa3703e1c36f854a02de8db412fe +Merge: 4bc12b0 036bcea +Author: Patrick Schleizer +Date: Fri Aug 16 04:22:43 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 036bcea4e6757de094fcafdadcf56aaa90729d79 +Merge: ef60c5b 81bf7a8 +Author: Patrick Schleizer +Date: Fri Aug 16 04:20:32 2024 -0400 + + Merge pull request #262 from raja-grewal/docs + + Miscellaneous updates to presentation + +commit 81bf7a8f90098a7107dcb3c783b87a168f5c090f +Merge: cea8e75 ef60c5b +Author: raja-grewal +Date: Fri Aug 16 16:57:01 2024 +1000 + + Merge branch 'Kicksecure:master' into docs + +commit ef60c5b153a521e1cfd522ac471a8ca6dc076d90 
+Merge: 4bc12b0 b552b92 +Author: Patrick Schleizer +Date: Fri Aug 16 02:43:57 2024 -0400 + + Merge pull request #249 from raja-grewal/binfmt_misc + + Disallow registering interpreters for miscellaneous binary formats + +commit cea8e753786d100ebe961ad74a99925e54d47771 +Author: Raja Grewal +Date: Fri Aug 16 14:55:22 2024 +1000 + + Consistent formating + +commit 84376d23fc17d2ced890ffca0b05d15907d42a6f +Author: Raja Grewal +Date: Fri Aug 16 13:39:11 2024 +1000 + + Add details on ASLR and move to user space section + +commit a13298002350a39491a509d15633edb95a2e3edd +Author: Raja Grewal +Date: Fri Aug 16 13:24:25 2024 +1000 + + Update README.md + +commit 9212a4e93754a4505be3fcf0ff4b029c073d2f07 +Author: Raja Grewal +Date: Fri Aug 16 13:12:07 2024 +1000 + + Typos + +commit 23a77d4973ec20b2aaab6a9c3a9fd8a98034923e +Author: Raja Grewal +Date: Fri Aug 16 12:46:51 2024 +1000 + + Simplify syntax of some network-related `sysctl`'s + +commit e3a3207a4447568a17129afe9dde34debc465e21 +Author: Raja Grewal +Date: Fri Aug 16 12:41:36 2024 +1000 + + Clarify DMA hardening + +commit be9308e490f79a7b7788a744524d1d91cc870726 +Merge: 73db68d 4bc12b0 +Author: raja-grewal +Date: Fri Aug 16 11:45:43 2024 +1000 + + Merge branch 'Kicksecure:master' into docs + +commit 4bc12b07b42def786862b938e3f63c18cf874158 +Author: Patrick Schleizer +Date: Thu Aug 15 17:51:18 2024 +0000 + + bumped changelog version + +commit 9e61e37c17524b57f185b796f2ac19ba193205a8 +Merge: 89e816d dfd1c97 +Author: Patrick Schleizer +Date: Thu Aug 15 13:47:33 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit dfd1c97168249b229495cbd873d4d8493e244663 +Merge: 89e816d ec3038c +Author: Patrick Schleizer +Date: Thu Aug 15 13:46:30 2024 -0400 + + Merge pull request #248 from raja-grewal/secure_redirects + + Re-enable (default) `secure_redirects` for ICMP redirect messages + +commit b552b92401f67d59e12ac6fda2f7fe1c54b0c8a7 +Author: Raja Grewal +Date: Thu Aug 15 11:54:21 2024 +1000 + + Add references on 
`fs.binfmt_misc.status` + +commit 326d82a9beee130956dd817812016a6ee16fccbc +Author: Raja Grewal +Date: Thu Aug 15 11:46:56 2024 +1000 + + Revert "Provide optional `sysctl fs.binfmt_misc.status=0`" + + This reverts commit debd7a7b7ae8b03e04d2c8597bcccf2c79000570. + +commit 73db68dbf9a1f9ded95a593db36a4960ce06a173 +Author: Raja Grewal +Date: Fri Aug 9 14:27:30 2024 +1000 + + Add details on KFENCE + +commit f8fa89b245d929aee9884937fdcf44a6551df4cf +Author: Raja Grewal +Date: Fri Aug 9 14:21:59 2024 +1000 + + Add details on `tcp_timestamps` + +commit 3456f1c1d7725846ec201c28dd693bf9b07bab89 +Author: Raja Grewal +Date: Fri Aug 9 13:39:25 2024 +1000 + + Minor consistency update in README.md + +commit 15c638acad64cc3dcc7b5c43d9a6be2fa2350654 +Author: Raja Grewal +Date: Fri Aug 9 13:36:47 2024 +1000 + + Add reference on RDRAND + +commit 077bc48a26d1d3f5d1f758d7e251edccba64742b +Author: Raja Grewal +Date: Fri Aug 9 13:35:33 2024 +1000 + + Add reference on `rp_filter` + +commit d8bcec881f66604e29d6e0c1426635e2ad4979f1 +Author: Raja Grewal +Date: Fri Aug 9 13:33:32 2024 +1000 + + Add some notices for future Debian 13 rebase + +commit 0b0683499a6a21e3995a115c377eb19008bc4cd1 +Author: Raja Grewal +Date: Fri Aug 9 13:30:39 2024 +1000 + + Consistent line length formatting + +commit e5a38fc856c66d2bd6abc35fc08d4f2083ea8e54 +Author: Raja Grewal +Date: Fri Aug 9 13:30:15 2024 +1000 + + Typo + +commit a5373afc55e789f4657f3d843243e878e4afffa2 +Author: Raja Grewal +Date: Wed Aug 7 14:44:14 2024 +1000 + + Details on disabled `fbdev` kernel modules + +commit e98dc8c4f8af32dd3b10c034477fd2154df189ac +Author: Raja Grewal +Date: Wed Aug 7 14:14:47 2024 +1000 + + Update notifications for disabled kernel modules + +commit 50fa721fd54cd696ae90a35bc7df7c8f1eb17a13 +Author: Raja Grewal +Date: Wed Aug 7 14:01:49 2024 +1000 + + Update docs regarding Intel module disabling + +commit ec3038c7bc625f6c8eddb753ffe295ff2697a717 +Author: Raja Grewal +Date: Wed Aug 7 13:48:53 2024 +1000 + + Clarify 
`secure_redirects` + +commit debd7a7b7ae8b03e04d2c8597bcccf2c79000570 +Author: Raja Grewal +Date: Wed Aug 7 13:33:44 2024 +1000 + + Provide optional `sysctl fs.binfmt_misc.status=0` + +commit 89e816dda6c5a00512b276071c4d9fe108ee63b5 +Author: Patrick Schleizer +Date: Tue Aug 6 14:01:39 2024 +0000 + + bumped changelog version + +commit 967f9e257b09bc73ddb579292d507f7cb9832643 +Merge: fa90918 a25aaf9 +Author: Patrick Schleizer +Date: Tue Aug 6 09:57:56 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit a25aaf900a12666046278a9fab6933b3d5670679 +Merge: 6bc039a 8559079 +Author: Patrick Schleizer +Date: Tue Aug 6 09:55:20 2024 -0400 + + Merge pull request #260 from raja-grewal/vdso32 + + Enable `vdso32=0` + +commit 6bc039a430289342f06857a52a5f13829d6e50f5 +Merge: ce60d56 d102ec1 +Author: Patrick Schleizer +Date: Tue Aug 6 09:52:56 2024 -0400 + + Merge pull request #259 from raja-grewal/kfence + + Enable `kfence.sample_interval=100` + +commit ce60d5615fe99e41c48d459f562d581a688c295a +Merge: b027842 c0d140f +Author: Patrick Schleizer +Date: Tue Aug 6 09:48:08 2024 -0400 + + Merge pull request #258 from raja-grewal/legacy_tiocsti + + Enable `dev.tty.legacy_tiocsti=0` + +commit b0278428a73cd3d329aaa36626005e0c593331f0 +Merge: fa90918 aa34d86 +Author: Patrick Schleizer +Date: Tue Aug 6 09:39:04 2024 -0400 + + Merge pull request #257 from raja-grewal/slab_debug + + Enable `slab_debug=FZ` + +commit 8559079312adb4ed92e5f478120b408dfe7a1124 +Author: Raja Grewal +Date: Mon Aug 5 15:10:02 2024 +1000 + + Enable `vdso32=0` + +commit d102ec19972865032f12f90bffe3e592546f0267 +Author: Raja Grewal +Date: Mon Aug 5 15:07:56 2024 +1000 + + Enable `kfence.sample_interval=100` + +commit c0d140f2211e6490d13e3cd327005027c668905f +Author: Raja Grewal +Date: Mon Aug 5 15:06:34 2024 +1000 + + Enable `dev.tty.legacy_tiocsti=0` + +commit aa34d86598f5b846b007730104e4c99c59f9984d +Author: Raja Grewal +Date: Mon Aug 5 14:27:17 2024 +1000 + + Enable `slab_debug=FZ` + 
+commit 4f7f82016015f61002ac8f778b61968c572dc7dc +Author: Raja Grewal +Date: Mon Aug 5 14:16:33 2024 +1000 + + Add reference + +commit fa9091869d417c6494840d0cb32623037d70c8be +Merge: 06f0c27 725118c +Author: Patrick Schleizer +Date: Sun Aug 4 16:20:36 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 725118c5759b45118bbd2804492526ea2a7c1a81 +Merge: 6d97408 6d211fa +Author: Patrick Schleizer +Date: Sun Aug 4 16:19:52 2024 -0400 + + Merge pull request #243 from raja-grewal/namespaces + + Restrict unprivileged user namespaces + +commit 06f0c27128a66c1074f405de3139651519e48204 +Merge: 8abc5ae 6d97408 +Author: Patrick Schleizer +Date: Sun Aug 4 16:15:01 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 6d97408a6d2f002461ae6ca1d647fbf24bf1b99e +Merge: 8abc5ae 6f14d68 +Author: Patrick Schleizer +Date: Sun Aug 4 16:11:46 2024 -0400 + + Merge pull request #255 from raja-grewal/SLUB + + Restore option to enable `slub_debug=FZ` + +commit 8abc5ae8f0f152c68f855f0e8d993880589c5d5c +Merge: de6f3ea eab66da +Author: Patrick Schleizer +Date: Sun Aug 4 16:09:52 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit eab66dad0994e408c1beaade3fdcf2cd1d605b31 +Merge: de6f3ea ca2179b +Author: Patrick Schleizer +Date: Sun Aug 4 16:08:32 2024 -0400 + + Merge pull request #254 from raja-grewal/patch + + Updates to kernel and `sysctl` hardening + +commit 6f14d68cdcad3784311e33029eba6906ea0784c2 +Author: Raja Grewal +Date: Sat Aug 3 15:12:15 2024 +1000 + + Update legacy name `slub_debug` -> `slab_debug` + +commit 22b6cee80c74aff3d0f9cd36822ae88f8fa8e601 +Author: Raja Grewal +Date: Sat Aug 3 15:11:14 2024 +1000 + + Add details about `slub_debug` + +commit b77d1a2b980ae20158aa628eec67b016282d0a40 +Author: Raja Grewal +Date: Sat Aug 3 14:49:48 2024 +1000 + + Revert "Remove the optional `slub_debug` parameter since it is no longer recommended" + + This reverts commit 48e1ac416314d2c66f3a0d5044a3c51cb6fb4093. 
+ +commit ca2179bb6a01e3ebbb1e04e3507cc305f25bca4e +Author: Raja Grewal +Date: Sat Aug 3 00:25:49 2024 +1000 + + Provide the option to disable legacy TIOCSTI operation + +commit 52aeacb4da4a8458b0ffdc1ade4094a178def6f4 +Author: Raja Grewal +Date: Sat Aug 3 00:13:38 2024 +1000 + + Provide option to disable 32 bit vDSO mappings + +commit 9099ecce8ae12352f2b739d3d7adf6069488ff49 +Author: Raja Grewal +Date: Sat Aug 3 00:12:50 2024 +1000 + + Provide option to enable the kernel Electric-Fence + +commit f6a16258a116ce5c5f4f6bad9d8ab9b6e1ec6bb7 +Author: Raja Grewal +Date: Sat Aug 3 00:11:06 2024 +1000 + + Add references to KSPP + +commit e53d24fc48b51a21fc182cc59890e97a1d7ac647 +Author: Raja Grewal +Date: Sat Aug 3 00:09:42 2024 +1000 + + Add missing GRUB command lines for disabled boot parameters + +commit de6f3ea74a5a1408e4351c955ecb7010825364c5 +Author: Patrick Schleizer +Date: Sun Jul 28 20:50:22 2024 +0000 + + bumped changelog version + +commit d036094089e3e3a74df981c50882481273fcb6c0 +Merge: e60ce50 0f86fbd +Author: Patrick Schleizer +Date: Sun Jul 28 15:44:40 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 0f86fbd8ceea3157ee035eb9f4a0ff13024f1bc9 +Merge: e60ce50 73979d4 +Author: Patrick Schleizer +Date: Sun Jul 28 15:43:54 2024 -0400 + + Merge pull request #242 from raja-grewal/ptrace + + Disable the usage of `ptrace()` by all processes + +commit 9cabaa1bd15a0639c87bf2e965755d06ff0a7bb4 +Author: Raja Grewal +Date: Sun Jul 28 22:04:30 2024 +1000 + + Typo + +commit d2d024ebe9a371eaf90b7b72f8a227e5d2e9babe +Author: Raja Grewal +Date: Sun Jul 28 22:03:33 2024 +1000 + + Typo + +commit 9fbee9fc82768c3b436307459d174378ee471335 +Author: Raja Grewal +Date: Sun Jul 28 21:57:25 2024 +1000 + + Clarify + +commit e60ce50d30c8981f13d8bab1d6ca8b8efb9d8928 +Author: Patrick Schleizer +Date: Sat Jul 27 16:13:35 2024 +0000 + + bumped changelog version + +commit e86b2e7f8fcda5727b158579610cb6a0354e89cf +Author: Patrick Schleizer +Date: Sat Jul 27 
12:13:18 2024 -0400 + + output + +commit 144545762674e914046bb94100237329320e8ece +Author: Raja Grewal +Date: Sat Jul 27 14:00:30 2024 +1000 + + Show details regarding `secure_redirects` (again) + +commit 73979d4342dae2017be52d5182bb66fa28be398d +Author: Raja Grewal +Date: Sat Jul 27 13:28:59 2024 +1000 + + Link to `ptrace()` discussion + +commit 1c9f33f90606fb930744f1b9afc11caf87626194 +Author: Raja Grewal +Date: Sat Jul 27 13:24:08 2024 +1000 + + Revert "Disable the usage of `ptrace()` by all processes" + + This reverts commit b04828f858fa6d101099773d3156841fd6d33b6f. + +commit 330cf14eab248d035fa467dba4f7bc3eb92a33bb +Author: Patrick Schleizer +Date: Fri Jul 26 15:40:24 2024 +0000 + + bumped changelog version + +commit 62bb4bc6269a0603c15f1efaad7ca365ea15c9d7 +Merge: 7969e86 886f609 +Author: Patrick Schleizer +Date: Fri Jul 26 11:10:25 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 886f6095dba71d76d5fd98277374417657e0cd31 +Merge: 7969e86 ed33366 +Author: Patrick Schleizer +Date: Fri Jul 26 11:08:30 2024 -0400 + + Merge pull request #250 from raja-grewal/Panik-Kalm + + Add details on "oopes" and kernel panics + +commit 7969e8607160eae0cb5a3adddeec8d07c1d6e097 +Merge: e2ae93a 0318f57 +Author: Patrick Schleizer +Date: Fri Jul 26 11:06:13 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 0318f577ab554ae2ac0f9417b18134723ea2b580 +Merge: e2ae93a 4397de0 +Author: Patrick Schleizer +Date: Fri Jul 26 11:04:29 2024 -0400 + + Merge pull request #246 from raja-grewal/cfi + + Provide the option to change the default CFI implementation in the future + +commit e2ae93a9571f2f0c9077ea61436a540a3be5a894 +Author: Patrick Schleizer +Date: Fri Jul 26 10:30:45 2024 -0400 + + port to safe_echo + +commit 8ec23ed7128580ed0092df43945ba55e94163a6d +Author: Patrick Schleizer +Date: Fri Jul 26 10:28:57 2024 -0400 + + echo does not support end-of-options + +commit 6096ed1109a0d5a62a844552fee500ebe66071c8 +Author: Patrick 
Schleizer +Date: Fri Jul 26 10:26:43 2024 -0400 + + comment + +commit ac41d1cfff8b722248a5ef1dfe38a8c704f04134 +Author: Patrick Schleizer +Date: Fri Jul 26 10:25:59 2024 -0400 + + comment + +commit 3b033ceba24e5e14056d54710d782397e5c669df +Author: Patrick Schleizer +Date: Fri Jul 26 10:17:24 2024 -0400 + + shellcheck + +commit 04d9ca1ebe79cae5cce04b6533285b8d1299d692 +Author: Patrick Schleizer +Date: Fri Jul 26 10:16:20 2024 -0400 + + use `find` with `safe_echo_nonewline` + +commit 20454fb81157f1f962f36d9c37d34f4ac650a1e6 +Merge: 28b25bd 6bbf176 +Author: raja-grewal +Date: Sat Jul 27 00:09:30 2024 +1000 + + Merge branch 'Kicksecure:master' into blacklist_to_disable + +commit 6bbf176e3b91f842cf4cdeaf8cb1f4c60e159a0c +Author: Patrick Schleizer +Date: Fri Jul 26 09:33:45 2024 -0400 + + consider end-of-options for `find` + +commit 794f6a25fa87a9d6d796b07ee06b690ea0badc92 +Author: Patrick Schleizer +Date: Fri Jul 26 09:08:29 2024 -0400 + + comment + +commit 7e0f1a87010674c63963b70c87e903cf27b288ef +Author: Patrick Schleizer +Date: Fri Jul 26 09:08:04 2024 -0400 + + dpkg-statoverride can actually handle '--file-name'. + +commit ee037c01a1208b9247c3ae144fa3faa68657ffdb +Author: Patrick Schleizer +Date: Fri Jul 26 08:58:44 2024 -0400 + + Skip file names starting with '--', + + because this would be interpreted by dpkg-statoverride as an option. 
+ +commit 82d401a7de58b74448113bed36c8f0cc073c7f82 +Author: Patrick Schleizer +Date: Fri Jul 26 08:52:42 2024 -0400 + + sanity test + +commit 0e661bc688c7222840c9d83fb3ccab6549b3ac11 +Author: Patrick Schleizer +Date: Fri Jul 26 08:49:14 2024 -0400 + + output + +commit d144f68d1a06a1153c4178b2f6ba9643dededbb8 +Author: Patrick Schleizer +Date: Fri Jul 26 08:46:08 2024 -0400 + + output + +commit 05504b9ab251ae6e48b5d28eb5fdcd12d730ea8a +Author: Patrick Schleizer +Date: Fri Jul 26 08:40:10 2024 -0400 + + minor + +commit d96c0633d431dafd034ae8d1ae0ffbb59c49be4a +Author: Patrick Schleizer +Date: Fri Jul 26 08:39:11 2024 -0400 + + more use of end of options + +commit 8e40c10c319a76e0256c8f135182b0ca7f532f85 +Author: Patrick Schleizer +Date: Fri Jul 26 08:31:17 2024 -0400 + + comment + +commit f2c9c2f5d1b59127b22fae4dd4b8bb7a6f98a485 +Author: Patrick Schleizer +Date: Fri Jul 26 08:26:16 2024 -0400 + + output + +commit 2b40ea75e9c3f679fd09ae331a56f294c3ac7607 +Author: Patrick Schleizer +Date: Fri Jul 26 08:24:23 2024 -0400 + + cleanup + +commit 6f0551b944cbf83d82f7a1a554c4461bc971520b +Author: Patrick Schleizer +Date: Fri Jul 26 08:23:54 2024 -0400 + + refactoring + +commit aac450f80836b03478b9e2632afc5a4519f9b37a +Author: Patrick Schleizer +Date: Fri Jul 26 08:22:04 2024 -0400 + + refactoring + +commit 30f46790a4df7662926fa43d44ac34c3286dd590 +Author: Patrick Schleizer +Date: Fri Jul 26 08:21:21 2024 -0400 + + use end of options whenever possible + +commit 95722d6d7902367afb44175263a8628df9ad01b2 +Author: Patrick Schleizer +Date: Fri Jul 26 08:13:33 2024 -0400 + + use long option name + +commit 19f131c7426aaa5199504e75aba180a7771a2520 +Author: Patrick Schleizer +Date: Fri Jul 26 08:07:08 2024 -0400 + + code simplification + + https://github.com/Kicksecure/security-misc/pull/251 + +commit 9694cf0cd1a225c68d45814e0f4d6995659a0066 +Author: Patrick Schleizer +Date: Fri Jul 26 07:43:59 2024 -0400 + + output + +commit bdfe764f9d805b14dca4196e623e81ce95145d9b +Merge: 9f13523 
652a06c +Author: Patrick Schleizer +Date: Fri Jul 26 07:19:05 2024 -0400 + + Merge remote-tracking branch 'ben-grande/stat-dedup' + +commit 9f135231ccdc3f6eba27db2e1794eff23f03fc0f +Author: Patrick Schleizer +Date: Fri Jul 26 06:43:01 2024 -0400 + + no longer disable Intel ME related kernel modules + + because that might break firmware updates + + This reverts commit 64f8b2eb5870664fca06aa060f2f50af358ced55. + + https://github.com/Kicksecure/security-misc/issues/239 + +commit f616da7c0690fc0dffc21be59174ed8754ec55fb +Author: Patrick Schleizer +Date: Fri Jul 26 09:40:59 2024 +0000 + + bumped changelog version + +commit 4397de0138dac47aee66570fcfe4ef38c8179321 +Author: Raja Grewal +Date: Fri Jul 26 11:30:46 2024 +1000 + + Update description of `cfi=kcfi` kerenel parameter + +commit 652a06c8e9f841e043cc5b5fb030b149cb70dc85 +Author: Ben Grande +Date: Thu Jul 25 12:37:21 2024 +0200 + + Only print SUID or SGID values when set + +commit 3b8a3f9b832ee1eee959fbcce8b5eed417d4712e +Author: Ben Grande +Date: Thu Jul 25 12:20:16 2024 +0200 + + Unduplicate stat call + +commit 28b25bda3f51c7d5a6ee6d28446cb5f731f452d0 +Author: Raja Grewal +Date: Thu Jul 25 15:51:32 2024 +1000 + + Partial inclusion of GrapheneOS infrastructure blacklist + +commit ed3336694ce35614ab47db42bce29d3c69d46752 +Author: Raja Grewal +Date: Thu Jul 25 10:28:27 2024 +1000 + + Provide the option to immediately reboot on a kernel panics + +commit 3926b91dcf371377d38c747e5c7718ac2fed3c83 +Author: Raja Grewal +Date: Thu Jul 25 10:26:23 2024 +1000 + + Add documentation on `sysctl kernel.panic_on_oops=1` + +commit f699eb02a27ef54b9ced5866447b63152984af66 +Author: Raja Grewal +Date: Thu Jul 25 10:11:33 2024 +1000 + + Set `sysctl fs.binfmt_misc.status=0` + +commit 9231f058911ab9059e91c4c0c1677ef66b5bb666 +Author: Patrick Schleizer +Date: Wed Jul 24 13:31:49 2024 -0400 + + todo + +commit 4cc1289e89b341e15725d65e405e607ea4784f9f +Author: Patrick Schleizer +Date: Wed Jul 24 13:30:30 2024 -0400 + + output + +commit 
10c73b326f824f783169383888b9464965a53cbb +Author: Patrick Schleizer +Date: Wed Jul 24 12:07:26 2024 -0400 + + fix delimiter parsing + +commit a16dd8474bf72c2b8c63adc7500140e89d19fedb +Author: Patrick Schleizer +Date: Wed Jul 24 11:50:30 2024 -0400 + + sanity test + +commit cc2b335ee692cc04a2c4e298902f3503927b2c50 +Author: Patrick Schleizer +Date: Wed Jul 24 11:48:32 2024 -0400 + + cleanup + +commit 6cadc70a96cd709fb7a94abcb14e7dd97c57fdb8 +Author: Patrick Schleizer +Date: Wed Jul 24 11:47:52 2024 -0400 + + output + +commit cda0d26af7c057dab8edf4897f98c2e8f83e3d56 +Author: Patrick Schleizer +Date: Wed Jul 24 11:45:13 2024 -0400 + + cannot use NULL inside a bash variable + + use custom delimiter instead + +commit 4a5312b3a9419c8b3e07dda2b650d5fbf9a38d34 +Author: Patrick Schleizer +Date: Wed Jul 24 11:27:51 2024 -0400 + + output + +commit 3bf1f26c0bb271d63c16b314e4da040abf5b3713 +Author: Patrick Schleizer +Date: Wed Jul 24 11:20:26 2024 -0400 + + downgrade warning of non-existing folders to info + + to avoid all users by default getting a warning for expected non-existing folders + +commit 151ca659a9f5565744ff57f3b581c8c051def148 +Author: Patrick Schleizer +Date: Wed Jul 24 11:19:15 2024 -0400 + + output + +commit c9fd2ceb61ea176c731432f02a9fa40652fbddc8 +Author: Patrick Schleizer +Date: Wed Jul 24 11:13:35 2024 -0400 + + downgrade warning of non-existing files to info + + to avoid all users by default getting a warning for expected non-existing files + +commit 721392901be384014298f59deb57747b825c8b37 +Author: Patrick Schleizer +Date: Wed Jul 24 11:12:39 2024 -0400 + + remove duplicate test + +commit 9712b5b4e3cff3eac8ef03b5e562ff89d74ef4b8 +Author: Patrick Schleizer +Date: Wed Jul 24 11:12:18 2024 -0400 + + output + +commit 00911df5c1de24960ad6d21b4cd99450f2d08a88 +Author: Patrick Schleizer +Date: Wed Jul 24 11:10:56 2024 -0400 + + modify call of stat to use NUL delimiter + + for more robust string parsing + +commit d5366835112cc5fabef7ec46a9c582c08121cb14 +Author: 
Patrick Schleizer +Date: Wed Jul 24 11:03:28 2024 -0400 + + local clean_output_prefix clean_output + +commit a6e517736b83c124cf8cec52bac184612a29ad0d +Author: Patrick Schleizer +Date: Wed Jul 24 11:02:25 2024 -0400 + + local stat_output + +commit ced02fb9e03e12c7d51923511e7d6a54b09a6274 +Author: Patrick Schleizer +Date: Wed Jul 24 11:01:24 2024 -0400 + + add sanity test for file_name output from stat + +commit b9dfe70a016e46e1f275918be19890526182cfa2 +Author: Patrick Schleizer +Date: Wed Jul 24 10:58:05 2024 -0400 + + check first if file_name is empty + +commit 1cbda7998196dc04e83c48526d15f9ad5f11e6c9 +Author: Patrick Schleizer +Date: Wed Jul 24 10:57:13 2024 -0400 + + check first if array is empty before parsing further + +commit a077ae54ea050af8828813b781738cba24e27624 +Author: Patrick Schleizer +Date: Wed Jul 24 10:56:08 2024 -0400 + + modify call of stat to use NUL delimiter + + for more robust string parsing + +commit 1135d34ab334c9b39e51a147dc94df568f982512 +Author: Raja Grewal +Date: Wed Jul 24 23:33:36 2024 +1000 + + Reword description of `cfi=kcfi` kerenel parameter + +commit 7200e9bd8c793f5ea30c3448fd03fbd38c6292b5 +Author: Patrick Schleizer +Date: Wed Jul 24 09:15:02 2024 -0400 + + output + +commit 1b6161c2dcd9a0686503c84cda4c9f6a29fe4e02 +Merge: d2563ed 8be21b6 +Author: Patrick Schleizer +Date: Wed Jul 24 09:13:48 2024 -0400 + + Merge remote-tracking branch 'ben-grande/fuzz' + +commit 88c88187f2909322211cc08598717068ea7cf1d1 +Author: Raja Grewal +Date: Wed Jul 24 17:26:50 2024 +1000 + + Re-enable (default) `secure_redirects` for ICMP redirect messages + +commit 8be21b6eff40fdd3909ef63468463fc52e8bf45f +Author: Ben Grande +Date: Tue Jul 23 19:36:12 2024 +0200 + + Handle newlines in file names + +commit aa99de68d307cd88462665424996d9b730ab5087 +Author: Ben Grande +Date: Tue Jul 23 18:46:47 2024 +0200 + + Log output with defined levels + +commit 06fbcdac1de6f1830d911f05a4f7c14fd522fad4 +Author: Ben Grande +Date: Tue Jul 23 09:55:02 2024 +0200 + + Prettify 
log messages + +commit fb494c2ba5b7fd0f864a59896710d9cddf92b458 +Author: Raja Grewal +Date: Tue Jul 23 13:12:13 2024 +1000 + + Update docs relating to the `cfi=kcfi` kernel parameter + +commit 7ee1ea2cc7dd62feee3243d64b414130e68d35e9 +Author: Ben Grande +Date: Mon Jul 22 17:06:07 2024 +0200 + + Unify functions that evaluate commands + +commit 9c3566f524f748b9f7c98a36b3f2b1064cdba3ed +Author: Ben Grande +Date: Mon Jul 22 16:01:14 2024 +0200 + + Delimit file names with null terminator + +commit d6fc71dba78a9c871015ebdde3bef61943369b47 +Author: Raja Grewal +Date: Mon Jul 22 17:26:00 2024 +1000 + + Add option to switch (back) to using kCFI in the future + +commit f582e543434ba20a2fb7f7300058f7c8a7d62878 +Merge: a189956 d2563ed +Author: raja-grewal +Date: Mon Jul 22 15:12:00 2024 +1000 + + Merge branch 'Kicksecure:master' into blacklist_to_disable + +commit d2563ed92317a029340dbb83f30da008b01325f2 +Author: Patrick Schleizer +Date: Sun Jul 21 10:40:14 2024 +0000 + + bumped changelog version + +commit 64f8b2eb5870664fca06aa060f2f50af358ced55 +Author: Patrick Schleizer +Date: Sun Jul 21 06:36:22 2024 -0400 + + Revert "no longer disable Intel ME related kernel modules" + + This reverts commit 6157e328f40a7f3780208489b1ffecef8e6d738a. 
+ + https://www.kicksecure.com/wiki/Out-of-band_Management_Technology#Intel_ME_Kernel_Modules + + https://github.com/Kicksecure/security-misc/issues/239 + +commit 04fb00572f2e4c9bdfaaa0f6da8007999daab641 +Author: Patrick Schleizer +Date: Sat Jul 20 17:02:05 2024 +0000 + + bumped changelog version + +commit f0a478c7c91697988926a73d3a1880dd8caaca68 +Author: Patrick Schleizer +Date: Sat Jul 20 12:57:56 2024 -0400 + + permission hardener: allow postfix + + postqueue matchwhitelist + postdrop matchwhitelist + +commit a189956adc2cf5a1c8311d0e0e9c7cfbc6e4afe3 +Author: Raja Grewal +Date: Sat Jul 20 20:11:09 2024 +1000 + + Typo + +commit 3c720a0715191c858e8d1df9795dddfea5dbdcf1 +Author: Raja Grewal +Date: Sat Jul 20 15:03:21 2024 +1000 + + Disable some legacy drivers + These were all previously blacklisted for over 2 years. + +commit c4965ed838b1df93ddb9e947fb2f0d23fa8ffc17 +Author: Raja Grewal +Date: Sat Jul 20 14:55:10 2024 +1000 + + Disable legacy framebuffer drivers + These were all previously blacklisted for over 2 years. 
+ +commit 9f53a0182b5f6a7cf8228bf19b04661d39c7a2fe +Author: Patrick Schleizer +Date: Fri Jul 19 07:20:59 2024 -0400 + + undo io_uring related changes + + as these should be done in a separate pull request (if apprpriate) + + https://github.com/Kicksecure/security-misc/pull/244#issuecomment-2238889062 + +commit 8791aecb38a41aa0b0c108505726bc6a1ace903e +Merge: 2d11436 06894d1 +Author: Patrick Schleizer +Date: Fri Jul 19 07:19:09 2024 -0400 + + Merge remote-tracking branch 'raja/fixes' + +commit 06894d1c98e91f43af58cc438559ea76b6a361e3 +Author: Raja Grewal +Date: Fri Jul 19 18:30:42 2024 +1000 + + Typo + +commit 2d11436432d3b2b75f84b05550de06cd77ec6e79 +Author: Patrick Schleizer +Date: Thu Jul 18 18:05:07 2024 +0000 + + bumped changelog version + +commit cac5bbad99a9c083c5b5f85f07c7368287c64f72 +Author: Patrick Schleizer +Date: Thu Jul 18 14:04:00 2024 -0400 + + comment + +commit a5eed00eba76f83c310f62d000830f38b0e87d21 +Author: Patrick Schleizer +Date: Thu Jul 18 14:02:38 2024 -0400 + + cleanup comments + +commit 21efacf1b111d9599e72cef23b791cf4961c04c3 +Author: Patrick Schleizer +Date: Thu Jul 18 14:00:28 2024 -0400 + + cleanup duplicate comments which are already in `/etc/dkms/framework.conf` + +commit 61628c2baf58ca2859bc5fc99782985ef0822750 +Author: Patrick Schleizer +Date: Thu Jul 18 14:11:35 2024 +0000 + + bumped changelog version + +commit 05cf438199ca75f96cf8e67131f4a409b465e7e7 +Author: Patrick Schleizer +Date: Thu Jul 18 10:11:03 2024 -0400 + + no comments / copyright allowed in .displace-extension + +commit 2ccc95f6d44bacd3da97d586542695f33d5faf38 +Author: Patrick Schleizer +Date: Thu Jul 18 14:05:23 2024 +0000 + + bumped changelog version + +commit 95286df50274953326accb615487e21d409b652a +Author: Raja Grewal +Date: Thu Jul 18 15:28:31 2024 +1000 + + Update README.md regarding secure ICMP redirects + +commit 13cc1f0986033855a399b50442a86a8d8552eb96 +Author: Raja Grewal +Date: Thu Jul 18 12:25:00 2024 +1000 + + Clarify (future) disabling of `io_uring` + 
+commit 9e6facda7017498e8310a9c39403e95e81c5a903 +Author: Raja Grewal +Date: Thu Jul 18 12:21:37 2024 +1000 + + Update module disabling presentation + +commit faa9181a6c0c78b9471c9a4e6bdd3291aec704f6 +Author: Raja Grewal +Date: Thu Jul 18 12:19:27 2024 +1000 + + Typos + +commit 6d211faf591608ea6e7f484e8bc69dd567877abf +Author: Raja Grewal +Date: Thu Jul 18 11:04:54 2024 +1000 + + Restrict unprivileged user namespaces + +commit b04828f858fa6d101099773d3156841fd6d33b6f +Author: Raja Grewal +Date: Thu Jul 18 11:01:41 2024 +1000 + + Disable the usage of `ptrace()` by all processes + +commit d454f36c63bd653e47353fb1c93107b2d5584fe2 +Author: Patrick Schleizer +Date: Wed Jul 17 11:52:29 2024 -0400 + + spelling + +commit f4da582aa31b869413aef6f4e252b7985e961339 +Author: Patrick Schleizer +Date: Wed Jul 17 11:44:17 2024 -0400 + + spelling + +commit 9e976474d5d620be9e4f8d8a97f73c6cc3e64573 +Author: Patrick Schleizer +Date: Wed Jul 17 11:40:51 2024 -0400 + + spelling + +commit b569fc02a4650187e69b62b95439c05ee2611e91 +Author: Patrick Schleizer +Date: Wed Jul 17 11:38:53 2024 -0400 + + spelling + +commit a2e26f441b6f44831c7b1bf3bf9dc2cf6f06e176 +Author: Patrick Schleizer +Date: Wed Jul 17 11:04:03 2024 -0400 + + spelling + +commit c8be4ac83c2563798ee35d56200eb8d11a2c32e3 +Author: Patrick Schleizer +Date: Wed Jul 17 10:56:14 2024 -0400 + + comment + +commit 24cd70a014b221b25669755b955bc114fe083643 +Author: Patrick Schleizer +Date: Wed Jul 17 10:55:12 2024 -0400 + + spelling + +commit 5cec685cf9b0845838f17fba78ac65d6c2e63386 +Author: Patrick Schleizer +Date: Wed Jul 17 10:49:21 2024 -0400 + + spelling + +commit 821a416fe39e11ca030c63f25a5220772d80eae5 +Author: Patrick Schleizer +Date: Wed Jul 17 10:43:16 2024 -0400 + + spelling + +commit 9a387f95e9346030e2adc3252a45942949561b52 +Merge: fd41acd 4afe257 +Author: Patrick Schleizer +Date: Wed Jul 17 10:32:26 2024 -0400 + + Merge remote-tracking branch 'raja/miscellaneous' + +commit fd41acdc721a6463813bc347cb965b6211fb9447 +Merge: 
0da22c2 1087387 +Author: Patrick Schleizer +Date: Wed Jul 17 10:27:31 2024 -0400 + + Merge remote-tracking branch 'raja/fack_off' + +commit 4afe257a42576158a54a68948440a2b4c043b67c +Author: Raja Grewal +Date: Thu Jul 18 00:14:13 2024 +1000 + + minor + +commit d0a59617f6b8a90fd5c758699e910af9d7496c98 +Author: Raja Grewal +Date: Thu Jul 18 00:13:30 2024 +1000 + + Add missing Copyright (C) statements + +commit 8f3896c3dac13b604e36d4249f976598f271a215 +Author: Raja Grewal +Date: Wed Jul 17 23:44:37 2024 +1000 + + Upgrade hyperlinks to HTTPS + +commit 1087387b362d5598e44262db07ab0fff9118b064 +Author: Raja Grewal +Date: Wed Jul 17 23:35:25 2024 +1000 + + Remove obsolete `#net.ipv4.tcp_fack=0` + +commit 0da22c20316c8f0f574e0127926506e52ccbc269 +Author: Patrick Schleizer +Date: Wed Jul 17 09:07:31 2024 -0400 + + minor + +commit c336b266f61528cce27e1cafac6377370927a787 +Merge: afe3c25 df80385 +Author: Patrick Schleizer +Date: Wed Jul 17 09:06:44 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit df80385289717fee0266436d056c9aedd0fb06af +Merge: afe3c25 724435e +Author: Patrick Schleizer +Date: Wed Jul 17 09:04:18 2024 -0400 + + Merge pull request #237 from raja-grewal/intel_pmt + + Disable some Intel PMT kernel modules + +commit afe3c25a49940f7f322414c08e8dbd631e696215 +Author: Patrick Schleizer +Date: Wed Jul 17 08:58:00 2024 -0400 + + update readme + + https://github.com/Kicksecure/security-misc/issues/239 + +commit f7772fb85a1fe6d3c0749e5f34fc29111b6a8125 +Author: Patrick Schleizer +Date: Wed Jul 17 08:57:35 2024 -0400 + + minor + +commit 6157e328f40a7f3780208489b1ffecef8e6d738a +Author: Patrick Schleizer +Date: Wed Jul 17 08:52:11 2024 -0400 + + no longer disable Intel ME related kernel modules + + https://github.com/Kicksecure/security-misc/issues/239 + +commit daee8b900b3057235aedc17b1231c3c05599140c +Merge: 954ff1b a4ba6e4 +Author: Patrick Schleizer +Date: Wed Jul 17 08:47:55 2024 -0400 + + Merge remote-tracking branch 
'github-kicksecure/master' + +commit a4ba6e485d94512fdf737b9f66137c3f692c9904 +Merge: 9a75135 abafb19 +Author: Patrick Schleizer +Date: Wed Jul 17 08:46:27 2024 -0400 + + Merge pull request #236 from raja-grewal/intel_me + + Disable more Intel ME kernel modules + +commit 954ff1be41288b5fa2e50d492d92544915f93bb5 +Merge: d29a616 9a75135 +Author: Patrick Schleizer +Date: Wed Jul 17 08:42:52 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 9a75135633ad172f7cbf318e1206865493c28bb4 +Merge: d29a616 a340899 +Author: Patrick Schleizer +Date: Wed Jul 17 08:41:43 2024 -0400 + + Merge pull request #238 from raja-grewal/uvcvideo_2 + + Minor additions to `30_security-misc_disable.conf` + +commit d29a616142562492db6c45c299f002100e905828 +Author: Patrick Schleizer +Date: Wed Jul 17 08:39:20 2024 -0400 + + minor + +commit a2802f352fc7021ead0d431c665cc16b2821ae0b +Merge: 0b873b7 81a3715 +Author: Patrick Schleizer +Date: Wed Jul 17 08:38:23 2024 -0400 + + Merge remote-tracking branch 'raja/kargs' + +commit 0b873b765e20b06113d808075fa95c8acbb1e0fc +Author: Patrick Schleizer +Date: Wed Jul 17 08:05:27 2024 -0400 + + minor + +commit 070bb46a08afcd84fb638472c39bd543bad4fb17 +Merge: 6d6e547 25fd532 +Author: Patrick Schleizer +Date: Wed Jul 17 08:02:45 2024 -0400 + + Merge remote-tracking branch 'raja/sysctl' + +commit 6d6e5473f2778a2a5b1ca7826d0a3a5a63cff08a +Author: Patrick Schleizer +Date: Wed Jul 17 08:00:24 2024 -0400 + + minor + +commit cf5f0edbb85589a72ec891e9c3e090f9e81c4fda +Merge: fe5c840 693b47e +Author: Patrick Schleizer +Date: Wed Jul 17 07:59:35 2024 -0400 + + Merge remote-tracking branch 'raja/sysctl' + +commit 25fd532ce62399d5bb42d844ad32b5128eaf748d +Author: Raja Grewal +Date: Wed Jul 17 21:56:40 2024 +1000 + + Update README.md relating to `sysctl`'s + +commit 39fd125eb0f0c16c8a64933bbd04709287a2686a +Author: Raja Grewal +Date: Wed Jul 17 21:44:44 2024 +1000 + + Provide explanation on the disabling of IPv6 Privacy Extensions + +commit 
a3408990ab439e6edbf8691cf7d65fb16c0d24df +Author: Raja Grewal +Date: Wed Jul 17 15:03:39 2024 +1000 + + Uncomment disabling of already disabled ATM modules + +commit 693b47e6235528ab7a9032818cce22fd63a4f5ea +Author: Raja Grewal +Date: Wed Jul 17 14:58:30 2024 +1000 + + Clarify ICMP redirect acceptance and sending + +commit 81a3715c7c0b73796a62297ebe55e861a46f7686 +Author: Raja Grewal +Date: Wed Jul 17 13:32:08 2024 +1000 + + Add info regarding the downsides of disabling SMT + +commit abafb1945cace774429fefd0c1a037fb2ec3f774 +Author: Raja Grewal +Date: Wed Jul 17 13:26:03 2024 +1000 + + Add Intel ME references + +commit f317aaebab126bafe3cfaef8159bf0820c392c87 +Author: Raja Grewal +Date: Wed Jul 17 01:09:02 2024 +1000 + + Disable two network modules + These were previously blacklisted for two years in https://github.com/Kicksecure/security-misc/commit/61ef9bd59f9ff39c140f782ff5b41d0a3c6d97bc. + +commit d69fe88091c7212a9af86306c797aed40398584b +Author: Raja Grewal +Date: Wed Jul 17 01:08:01 2024 +1000 + + Provide option to disable `uvcvideo` driver + +commit 49594ccb223c09d70f00434e5875c9dae1a2360d +Author: Raja Grewal +Date: Wed Jul 17 00:49:25 2024 +1000 + + Partially revert https://github.com/raja-grewal/security-misc/commit/f4d652fa7b5dd350b577521c6bba22c9eb3c13f1 + +commit 824d9b82e53485eed8eaf24e9815ac07ad0f2406 +Author: Raja Grewal +Date: Wed Jul 17 00:36:18 2024 +1000 + + Uncomment redundant disabling of TCP FACK` + +commit d1119c38b6ad4193919d4b800de0a3cb014f92c1 +Author: Raja Grewal +Date: Wed Jul 17 00:31:23 2024 +1000 + + Apply changes from code review + +commit fe5c840b79c4aabd5c21a286d3ce1a3ee460812c +Author: Patrick Schleizer +Date: Mon Jul 15 21:18:55 2024 +0000 + + bumped changelog version + +commit 6e63fc8985b97902dbae2553ded51950168dc222 +Merge: fe0846c b7796a5 +Author: Patrick Schleizer +Date: Mon Jul 15 17:14:25 2024 -0400 + + Merge remote-tracking branch 'ben-grande/fuzz' + +commit fe0846c8c2bdfc0534850b1e9bf9c4130381def9 +Author: Patrick 
Schleizer +Date: Mon Jul 15 12:30:38 2024 -0400 + + fix + + https://github.com/Kicksecure/security-misc/pull/234#discussion_r1678065395 + +commit 94df2e3d244f5e6e8e4320c1f28cc11dba00dd36 +Author: Patrick Schleizer +Date: Mon Jul 15 12:29:52 2024 -0400 + + further discussion required + + https://github.com/Kicksecure/security-misc/pull/234#issuecomment-2228909249 + +commit 41f0b53dd62d2968a6ff88a6fd907ca42f581847 +Merge: 5ba5a85 9300c20 +Author: Patrick Schleizer +Date: Mon Jul 15 12:28:03 2024 -0400 + + Merge remote-tracking branch 'raja/kernel_modules' + +commit 73f6d4b26f51f0c920fe020677f464c536d75410 +Author: Raja Grewal +Date: Tue Jul 16 01:03:41 2024 +1000 + + Fix transcription error + +commit 724435e56ea059183241044a4fc09423187533eb +Author: Raja Grewal +Date: Mon Jul 15 22:38:43 2024 +1000 + + Disable some Intel Platform Monitoring Technology Telemetry (PMT) modules + +commit 61941da37509a4bb809212536b79f461a209f584 +Author: Raja Grewal +Date: Mon Jul 15 22:38:09 2024 +1000 + + Create `disabled-intelpmt-by-security-misc` + +commit 22ba7a7c393a8c9005dfe26aea396815a4d54803 +Author: Raja Grewal +Date: Mon Jul 15 22:21:20 2024 +1000 + + Disable more Intel Management Engine (ME) modules + +commit 9300c208e25d936f2c633a0904126566afc1c275 +Author: Raja Grewal +Date: Mon Jul 15 21:36:25 2024 +1000 + + Fix script + +commit f2db11269e89d4c945642b661aa9cbe356f89037 +Author: Raja Grewal +Date: Mon Jul 15 21:18:32 2024 +1000 + + Fix script + +commit 382f1e9ec00ab5f012f028fa324d6cf73040c37d +Author: Raja Grewal +Date: Mon Jul 15 21:13:25 2024 +1000 + + Fix error + +commit a8bc1144c32b4b4f20904af5f813da1051fe4c9c +Author: Raja Grewal +Date: Mon Jul 15 21:10:13 2024 +1000 + + Updated wording of error files for disabled modules + +commit fda3832eaf293915ab77ce73a0be2caec15e21fa +Author: Raja Grewal +Date: Mon Jul 15 21:08:45 2024 +1000 + + Replace bash file presented for disabling of miscellaneous modules + +commit 8219a1e257525d487a49e7b3a6b14c1e180a7b52 +Author: Raja 
Grewal +Date: Mon Jul 15 21:02:10 2024 +1000 + + Update README.md relating to disabled miscellaneous modules + +commit cb2fb95b81efa2ebb2bd80aeaacad9122f0f073c +Author: Raja Grewal +Date: Mon Jul 15 21:01:36 2024 +1000 + + Disable more miscellaneous drivers + +commit c52b1a3fd269ef4f98028dd5eead476abe5d138d +Author: Raja Grewal +Date: Mon Jul 15 20:58:45 2024 +1000 + + Create `disabled-miscellaneous-by-security-misc` + +commit 96aa63267a6fcee03f252f0791f37b7b6222a7c1 +Author: Raja Grewal +Date: Mon Jul 15 20:57:14 2024 +1000 + + Disable more Thunderbolt modules + +commit 51f7776bc8722752d53fc503b0c79564d8715d4c +Author: Raja Grewal +Date: Mon Jul 15 20:56:12 2024 +1000 + + Disable more network protocols/drivers + +commit 9e40ff055195b1e8637d1e957c3f8db01f99bbc1 +Author: Raja Grewal +Date: Mon Jul 15 20:54:18 2024 +1000 + + Disable more network file systems + +commit 82c5a93f7cf2846490120c5262a146a313a5ce47 +Author: Raja Grewal +Date: Mon Jul 15 20:53:07 2024 +1000 + + Disable another GPS module + +commit 99b0ce7948213e7f7adf42ddd7c7beb229374bd4 +Author: Raja Grewal +Date: Mon Jul 15 20:47:56 2024 +1000 + + Disable more file systems + +commit 4476a477a77c98cf4334fbcb866bc8f113f568ac +Author: Raja Grewal +Date: Mon Jul 15 20:47:07 2024 +1000 + + Provide option to disable more Bluetooth modules + +commit e0696d02a234e6f7ab9fb601ffe58e7d953846a2 +Author: Raja Grewal +Date: Mon Jul 15 20:46:04 2024 +1000 + + Update `security-misc.maintscript` + Due to previous splitting IN https://github.com/Kicksecure/security-misc/commit/b02230a783941da412be72fb52053db0c6b8010f. 
+ +commit b2657bc61fb15bb89d62f0743a36835c1f0dda8a +Author: Raja Grewal +Date: Mon Jul 15 15:05:00 2024 +1000 + + Improve docs + +commit 1c2afc1f253e15d2605d1bef0e323e6e972a2484 +Author: Raja Grewal +Date: Mon Jul 15 15:01:48 2024 +1000 + + Update presentation of the `kernel.printk` sysctl + +commit c8385d82fbd6ba16ba1f0b4969661474966b74f1 +Author: Raja Grewal +Date: Mon Jul 15 14:57:40 2024 +1000 + + Clarify instructions for increasing log verbosity + +commit d229e8b04d914803fa66c3a695022cfb2d9b2a25 +Author: Raja Grewal +Date: Mon Jul 15 14:50:29 2024 +1000 + + Fix link + +commit fbfdb0fa99087e4160979b612db04e63a1d3e3b1 +Author: Raja Grewal +Date: Mon Jul 15 14:40:03 2024 +1000 + + Update `security-misc.maintscript` relating to grub + +commit f4d652fa7b5dd350b577521c6bba22c9eb3c13f1 +Author: Raja Grewal +Date: Mon Jul 15 14:39:12 2024 +1000 + + Update presentation of `quiet loglevel=0` + +commit 69c8e849270393537d3e024137bc20a42c848333 +Author: Raja Grewal +Date: Mon Jul 15 14:38:21 2024 +1000 + + Fix typos + +commit 48e1ac416314d2c66f3a0d5044a3c51cb6fb4093 +Author: Raja Grewal +Date: Mon Jul 15 02:04:25 2024 +1000 + + Remove the optional `slub_debug` parameter since it is no longer recommended + +commit 99038c7a0621f5c9852638c1706c5306b42e6480 +Author: Raja Grewal +Date: Mon Jul 15 02:02:01 2024 +1000 + + Add option to disable support for x86 processes and syscalls in the future + +commit f550fbe07cafb75112e98268730d1bcc511489e2 +Author: Raja Grewal +Date: Mon Jul 15 01:59:04 2024 +1000 + + Add option to disable the entire IPv6 stack functionality + +commit a33d4cd099b8cbf569ff35627eeacf3562a4371e +Author: Raja Grewal +Date: Mon Jul 15 01:56:25 2024 +1000 + + Refactor existing kernel parameters for clarity + +commit acd60e45d8cbc98ea935c9bf035f2840622ab58d +Author: Raja Grewal +Date: Sun Jul 14 20:07:31 2024 +1000 + + Add comment about enabling core dump files + +commit 5cf9afc21563712b851850e2041141807503807c +Author: Raja Grewal +Date: Sun Jul 14 17:05:49 2024 
+1000 + + Include optional `sysctl`'s in README.md + +commit 2b9e174c9db69f2c30828aae236c631d46255e07 +Author: Raja Grewal +Date: Sun Jul 14 16:22:52 2024 +1000 + + Remove empty lines + +commit dd1741c4a1cd18f34f69437c00f3a78a9ebd402a +Author: Raja Grewal +Date: Sun Jul 14 13:40:53 2024 +1000 + + Some documentation additions and fixes + +commit 565597c9a282b08697d04204f5eb9c22153e77bd +Author: Raja Grewal +Date: Sun Jul 14 01:21:24 2024 +1000 + + Minor documentation changes and fixes + +commit 5ba5a85ad09b74a29c5ed0e5c265d54d93da9d32 +Author: Patrick Schleizer +Date: Sat Jul 13 15:01:16 2024 +0000 + + bumped changelog version + +commit ad860063aba0443a8ac8b9cf191d008617d6d904 +Merge: f34b9d7 9f58266 +Author: Patrick Schleizer +Date: Sat Jul 13 10:55:45 2024 -0400 + + Merge remote-tracking branch 'raja/modprobe' + +commit 9f582665467fd4fdf20c83841305785024bceedf +Author: Raja Grewal +Date: Sat Jul 13 23:32:01 2024 +1000 + + Move nf_conntrack_helper disabling into separate file + +commit 8f2ec75f8173b6ab970a5ef213dcf5a3f67aa84a +Author: Raja Grewal +Date: Sat Jul 13 23:30:55 2024 +1000 + + Clarify README.mmd relating to module disabling + +commit 98580bb39a495a141e7b40792fd9d232fcf29d23 +Author: Raja Grewal +Date: Sat Jul 13 23:29:52 2024 +1000 + + Update modprobe presentation + +commit 2de3a795990234134be15be90aa55f547c064d92 +Author: Raja Grewal +Date: Sat Jul 13 22:41:40 2024 +1000 + + Refactor existing sysctl for clarity + +commit f34b9d7c45cd723535eedd3df99896ee7f852388 +Merge: 05c1711 5f10cc8 +Author: Patrick Schleizer +Date: Sat Jul 13 06:14:43 2024 -0400 + + Merge remote-tracking branch 'raja/modules' + +commit 5f10cc8bcf11654f5e0f97c07e0a7ff198013c1e +Author: Raja Grewal +Date: Fri Jul 12 16:22:10 2024 +1000 + + Update README.md relating to modprobe + +commit 41a3bf92fbdac88a1884dee735600cafa35134bf +Author: Raja Grewal +Date: Fri Jul 12 16:21:41 2024 +1000 + + Sort `30_security-misc_disable.conf` + +commit f31dc8aebc652b2037c375351fc478d9b5ba4c27 +Author: 
Raja Grewal +Date: Fri Jul 12 16:21:03 2024 +1000 + + Fix error in error script + +commit b02230a783941da412be72fb52053db0c6b8010f +Author: Raja Grewal +Date: Fri Jul 12 02:42:37 2024 +1000 + + Split modprobe into blacklisted and disabled configurations + +commit fc792ff23234399ed299c3fdc086d47c87d9b4a3 +Author: Raja Grewal +Date: Fri Jul 12 02:29:36 2024 +1000 + + Alphabetically sort existing modprobe + +commit fe20f3240e2f31099bcaa9f9e2045320df810edf +Author: Raja Grewal +Date: Fri Jul 12 02:28:48 2024 +1000 + + Refactor existing modprobe for clarity + +commit 275a4ffc1114856cbd9a1cd49701dcb25d87bfb5 +Author: Raja Grewal +Date: Fri Jul 12 02:27:56 2024 +1000 + + Remove redundant disabled modules + +commit b7796a5334075d5fa538d7579003fde6287d7e6d +Author: Ben Grande +Date: Thu Jul 11 11:04:22 2024 +0200 + + Unify method to find SUID files + +commit 05c1711b16c96a221c13a011a6666fe6b385ec1e +Author: Patrick Schleizer +Date: Tue Jun 11 12:56:56 2024 +0000 + + bumped changelog version + +commit e48115588caae8e51bb980ac84b1f0f415ca0d17 +Merge: b316352 cad8d85 +Author: Patrick Schleizer +Date: Tue Jun 11 07:25:47 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit cad8d857556e29544f742fdac8fe82758a4f885c +Merge: b316352 e198447 +Author: Patrick Schleizer +Date: Tue Jun 11 07:25:07 2024 -0400 + + Merge pull request #227 from 3uryd1ce/fix-pam.d-path + + fix(etc): delete typo in /etc/apparmor.d tunables + +commit e1984478662fc51e6eacc989bc6bba0ca1fc07cd +Author: Ashlen +Date: Sat Jun 8 22:17:05 2024 -0600 + + fix(etc): delete typo in /etc/apparmor.d tunables + + /etc/pam.d was present twice in a row ("/etc/pam.d//etc/pam.d") in this + file: /etc/apparmor.d/tunables/home.d/security-misc. 
+ +commit b316352ede379d96cff4813735b93eb59506fe42 +Author: Patrick Schleizer +Date: Sat Jun 1 18:13:08 2024 +0000 + + bumped changelog version + +commit c815304026d30f7774f804498d20431ccdf8dc7f +Author: Patrick Schleizer +Date: Sat Jun 1 14:12:57 2024 -0400 + + readme + +commit 641e98e57714f7d38962bfd12d673500b8114356 +Author: Patrick Schleizer +Date: Sat Jun 1 17:35:04 2024 +0000 + + bumped changelog version + +commit e0cd9579d64e6d16667832de51f77a3091ef213e +Author: Patrick Schleizer +Date: Sat Jun 1 13:32:13 2024 -0400 + + remove duplicate `fsckobjects = true` from `/etc/gitconfig` + +commit bbe64a0b7992610dfef6002271718a2aee115cae +Author: Patrick Schleizer +Date: Tue May 28 12:04:53 2024 +0000 + + bumped changelog version + +commit ae24a97d4d0ffcfb3d1cc92edb61e7ecf4535ee7 +Merge: bfca98e a735857 +Author: Patrick Schleizer +Date: Tue May 28 08:02:21 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit a7358578520294b51e1001199670a0bbeeb43eb1 +Merge: bfca98e 4efa293 +Author: Patrick Schleizer +Date: Tue May 28 07:55:31 2024 -0400 + + Merge pull request #226 from Kicksecure/gitconfig + + add `/etc/gitconfig` by default for better `git` security + +commit 4efa293f3b76814bc5399a959482d7db6e7431ec +Author: Patrick Schleizer +Date: Tue May 28 07:51:06 2024 -0400 + + add `/etc/gitconfig` by default for better `git` security + + ``` + [core] + symlinks = false + + [transfer] + fsckobjects = true + fsckobjects = true + [fetch] + fsckobjects = true + fsckobjects = true + [receive] + fsckobjects = true + fsckobjects = true + ``` + + + additional suggestions as comments + + fixes https://github.com/Kicksecure/security-misc/issues/225 + +commit bfca98ea89cea0f8604ecca0c8640860320e8e33 +Author: Patrick Schleizer +Date: Sat May 18 20:45:12 2024 +0000 + + bumped changelog version + +commit eb82884fb2e3d3bb4fa5555d8212146042ba8aa4 +Merge: 5867b1b 12e006e +Author: Patrick Schleizer +Date: Sat May 18 16:42:41 2024 -0400 + + Merge remote-tracking 
branch 'github-kicksecure/master' + +commit 12e006ef9cabbbcbe9cb45d9a6631e9a7a47cf3a +Merge: 5867b1b 2f71605 +Author: Patrick Schleizer +Date: Sat May 18 16:30:07 2024 -0400 + + Merge pull request #222 from raja-grewal/text + + Update Readme and Copyright + +commit 2f716050d17016be6f550a7de8e0c1030e869e8f +Author: raja-grewal +Date: Sun May 12 01:06:34 2024 +0000 + + Update README.md + +commit 1bb843ec3863696170242c57668d0b3f44f41d7b +Author: Raja Grewal +Date: Sat May 11 13:18:36 2024 +1000 + + Update Copyright (C) to 2024 + +commit dddac1dc4015a28fc6b12244809685295272edd1 +Author: Raja Grewal +Date: Sat May 11 13:15:42 2024 +1000 + + Update README.md + +commit 5867b1b014f450acdf70c203ffe2f27831f1d9b0 +Author: Patrick Schleizer +Date: Fri May 10 11:20:36 2024 +0000 + + bumped changelog version + +commit 9b589bc3116c8f9d6d574021bcec7b5dec3888b8 +Author: Patrick Schleizer +Date: Fri May 10 06:49:34 2024 -0400 + + comment + +commit 8d01fc2d351285c9c2f810bf5cf10797c9b9eb41 +Author: Patrick Schleizer +Date: Fri May 10 06:48:26 2024 -0400 + + chmod +x + +commit 8a28c1bc38b87bf55f25764c96a0e81e22137232 +Merge: a9886a3 0f1119f +Author: Patrick Schleizer +Date: Fri May 10 06:48:04 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 0f1119f326cd769db8995e8eb54ff35503c70562 +Merge: 547757f 677f75a +Author: Patrick Schleizer +Date: Fri May 10 06:45:57 2024 -0400 + + Merge pull request #221 from raja-grewal/firewire + + Disable Firewire Module + +commit 547757f4514a54437d044656c5e2b6d413a4cc30 +Merge: 7b9fe44 06f13bb +Author: Patrick Schleizer +Date: Fri May 10 06:45:34 2024 -0400 + + Merge pull request #220 from raja-grewal/block_gps + + Block Several GPS-related Modules + +commit 7b9fe44a20f3caf67f386969a5fc7c980e5f0282 +Merge: 62ea4dc 132b41a +Author: Patrick Schleizer +Date: Fri May 10 06:43:43 2024 -0400 + + Merge pull request #219 from raja-grewal/logging_martians + + Revert Logging of Martians + +commit 
62ea4dc1768f69bb28a69c20e55c87ae692cc0c8 +Merge: a9886a3 4694268 +Author: Patrick Schleizer +Date: Fri May 10 06:43:15 2024 -0400 + + Merge pull request #218 from raja-grewal/secure_cpu + + More CPU Mitigations and Additional References + +commit 677f75ae8ed64af599f837ced15f34990df498e5 +Author: raja-grewal +Date: Thu May 9 02:34:02 2024 +0000 + + Disable `firewire-net` module + +commit 06f13bb766bd84182331aeb1632b917de4b36020 +Author: raja-grewal +Date: Thu May 9 02:28:53 2024 +0000 + + Disable GPS modules like GNSS + +commit f3800a4e2b7bef87cc3bd8791f9e7f654f8d782a +Author: raja-grewal +Date: Thu May 9 02:25:46 2024 +0000 + + Create disabled-gps-by-security-misc + +commit 132b41ae73e9ea72bc3d8aff22ae75fc622758a3 +Author: raja-grewal +Date: Thu May 9 02:16:50 2024 +0000 + + Revert logging of martians + +commit 4694268b8f779c1a0a56546dc6d12bf9f23a7cdd +Author: raja-grewal +Date: Sun May 5 12:52:51 2024 +0000 + + Remove a word + +commit 8f7768ce96e32e3f1ec52118afffc2a44a160976 +Author: raja-grewal +Date: Sun May 5 12:50:39 2024 +0000 + + Add vendor links + +commit 0c031a29d33d13d9106746d61b87f9d98a80b5cd +Author: raja-grewal +Date: Wed May 1 13:55:09 2024 +1000 + + RFDS mitigation on Intel Atom CPUs (including E-cores) + +commit 1122b3402c0856a087415d7ba1a313048b7e3eea +Author: raja-grewal +Date: Wed May 1 13:50:42 2024 +1000 + + GDS mitigation for CPUs + +commit c002bd62e8584a19e73b3f42673a3f9bafba6a2c +Author: raja-grewal +Date: Wed May 1 13:49:34 2024 +1000 + + Clarify use of `mitigations=auto` + +commit d89d7e8ef8ee3fd45456e82e8f649f7f28c93e80 +Author: raja-grewal +Date: Wed May 1 13:49:00 2024 +1000 + + Add reference for RETBleed + +commit 015dcc4212736417a2202ea0e0a92e5c2e58d6a5 +Author: raja-grewal +Date: Wed May 1 13:48:13 2024 +1000 + + Add reference for SSB + +commit de4f4be94762c9751ea62f744d7d6ede3ef30e88 +Author: raja-grewal +Date: Wed May 1 13:47:40 2024 +1000 + + Merge spectre mitigations + +commit 965c8641fd28e0ee592b50605edb7494fe9c3a28 +Author: 
raja-grewal +Date: Wed May 1 13:47:02 2024 +1000 + + Update BHI mitigation reference + +commit a9886a3119f9b662b15fc26d28a7fedf316b72c4 +Author: Patrick Schleizer +Date: Fri Apr 12 06:56:39 2024 +0000 + + bumped changelog version + +commit 5cbdf3c1262d26ae03b28baee87b1d268329da40 +Merge: 7fba04d ab8b6da +Author: Patrick Schleizer +Date: Fri Apr 12 02:54:17 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit ab8b6da484a90e9a62f8ba515c757aa3758baf48 +Merge: 7fba04d 4935768 +Author: Patrick Schleizer +Date: Fri Apr 12 02:53:08 2024 -0400 + + Merge pull request #216 from raja-grewal/spectre_bhi + + BHI mitigation on Intel CPUs + +commit 493576836c90653f9c3514fcd5b3bf816e56d689 +Author: raja-grewal +Date: Fri Apr 12 00:17:06 2024 +1000 + + BHI mitigation on Intel CPUs + +commit 7fba04d1485187fe648f3d3ab44cd834b0eb9791 +Author: Patrick Schleizer +Date: Mon Apr 1 06:56:45 2024 +0000 + + bumped changelog version + +commit 7dba3fb7bebd4fdc7f168df378c2d505971f2c04 +Author: Patrick Schleizer +Date: Mon Apr 1 02:55:59 2024 -0400 + + no longer disable MSR by default + + fixes https://github.com/Kicksecure/security-misc/issues/215 + +commit d9ac01ba5c26f9730feb17fe573d447e625e59f8 +Author: Patrick Schleizer +Date: Mon Mar 18 15:10:10 2024 +0000 + + bumped changelog version + +commit ecaa024f226f4f45ac9d2a4f38bcdb82a6e35a2f +Author: Patrick Schleizer +Date: Mon Mar 18 11:01:56 2024 -0400 + + lower debugging + +commit 357ea5deab85debb9dff5d9e4e80a972954249c8 +Author: Patrick Schleizer +Date: Mon Mar 11 15:07:50 2024 +0000 + + bumped changelog version + +commit 0a018bdebca167d671d8bda81a2b0d929d396945 +Merge: 57fc487 0b81316 +Author: Patrick Schleizer +Date: Mon Mar 11 10:13:57 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 0b8131630041dbd80f1aa61dcedde446208c06f7 +Merge: 57fc487 03ed546 +Author: Patrick Schleizer +Date: Mon Mar 11 10:12:46 2024 -0400 + + Merge pull request #211 from wryMitts/patch-1 + + Create proc 
group on install + +commit 03ed546cd8992b29855ca1c2748ed988dd3c765d +Author: wryMitts <158655396+wryMitts@users.noreply.github.com> +Date: Sun Mar 10 16:55:10 2024 -0400 + + Create proc group on install + + Fixes https://github.com/Kicksecure/security-misc/issues/210 + +commit 57fc487e5e5ffad765f1418236744319cc666871 +Author: Patrick Schleizer +Date: Sun Mar 10 13:19:26 2024 +0000 + + bumped changelog version + +commit a5206bde336c159be065345e7dd5cb86b2b6a27f +Author: Patrick Schleizer +Date: Sun Mar 10 08:44:53 2024 -0400 + + `proc-hidepid.service` add `gid=proc` + + This allows users that are a member of the `proc` group to be excluded from `hidepid` protections. + + https://github.com/Kicksecure/security-misc/issues/208 + +commit 0f0d9ca2a42cf9fc04e405ae90f3d67bc0794e12 +Author: Patrick Schleizer +Date: Mon Mar 4 11:48:30 2024 +0000 + + bumped changelog version + +commit 6b76373395622bac0e701c6d15c6656658febced +Author: Patrick Schleizer +Date: Mon Mar 4 06:44:26 2024 -0500 + + fix panic-on-oops started every 10s in Qubes-Whonix + + by changing from a /etc/profile.d etc. related mechanism to start to a systemd unit file based approach + + Thanks to @marmarek for the bug report! 
+ + https://forums.whonix.org/t/panic-on-oops-started-every-10s/19450 + +commit af6c6971a741c69a584ba3f92dbfed12e40784dc +Author: Patrick Schleizer +Date: Mon Mar 4 06:33:51 2024 -0500 + + comment + +commit e013070e0bfc43d006e09ae1c5ae3533f7bebc5f +Author: Patrick Schleizer +Date: Mon Mar 4 06:33:21 2024 -0500 + + newline + +commit a5cc1774f2fbf6475e7b56601fbcd84a2a63fed0 +Author: Patrick Schleizer +Date: Mon Feb 26 13:32:44 2024 +0000 + + bumped changelog version + +commit 808e72f24bf30b3476ab6b87f96eb636632c195c +Author: Patrick Schleizer +Date: Mon Feb 26 08:11:26 2024 -0500 + + use long options + + https://github.com/Kicksecure/security-misc/issues/172 + +commit 2d1d1b246f3fe061d4f817da5cecf46010839e1d +Author: Patrick Schleizer +Date: Mon Feb 26 08:07:29 2024 -0500 + + improve output + + https://github.com/Kicksecure/security-misc/issues/172 + +commit d8f5376c4f36f5deb734e6dead42a62566d13480 +Author: Patrick Schleizer +Date: Mon Feb 26 07:58:06 2024 -0500 + + improve output + + https://github.com/Kicksecure/security-misc/issues/172 + +commit cf84762a3a84d2be3b9510dddb32bdc433170dfa +Author: Patrick Schleizer +Date: Mon Feb 26 07:52:41 2024 -0500 + + improve output + + https://github.com/Kicksecure/security-misc/issues/172 + +commit f2958bbfa5e67ee10380a25d996826233469080a +Author: Patrick Schleizer +Date: Mon Feb 26 07:49:30 2024 -0500 + + comment + +commit bc8f9edc3197e33e75ea1d691834d9abbdcdefd0 +Merge: 02d6f67 b23d167 +Author: Patrick Schleizer +Date: Mon Feb 26 07:48:19 2024 -0500 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit b23d167342ef242a1e9d4e91b6a4b945e80c3e7e +Merge: 02d6f67 ef44ece +Author: Patrick Schleizer +Date: Mon Feb 26 07:46:02 2024 -0500 + + Merge pull request #204 from DanWin/sysfs-mount + + Make /sys hardening optional and allow access to /sys/fs to make polkit work + +commit 02d6f67741ef93d9ab39e02ac56b27c551a19dca +Author: Patrick Schleizer +Date: Thu Feb 22 20:08:17 2024 +0000 + + bumped changelog version + 
+commit d13d1aa7ec7e9ac9f1aa87e4b36228bfd3af6eb2 +Author: Patrick Schleizer +Date: Thu Feb 22 15:07:53 2024 -0500 + + comments + +commit a1f898e3b317f49a5bb9507c8b9d3bd3c4e23abf +Author: Patrick Schleizer +Date: Thu Feb 22 19:58:01 2024 +0000 + + bumped changelog version + +commit c3dd178b19be8c078ed6a2f46a072bef3d144c06 +Author: Patrick Schleizer +Date: Thu Feb 22 14:57:50 2024 -0500 + + output + +commit ef44ecea44ee516b1ba92175eb78b2e8143c4502 +Author: Daniel Winzen +Date: Thu Feb 22 16:51:23 2024 +0100 + + Add option to disabe /sys hardening + +commit 3bc1765dbbd333a1d607ab6962281b4d0a5c4b60 +Author: Daniel Winzen +Date: Wed Feb 21 20:37:34 2024 +0100 + + Allow access to /sys/fs for polkit + +commit 6b73e6c2a9ff1efe211e41e005e4ecaa63731d82 +Author: Patrick Schleizer +Date: Thu Feb 22 16:07:16 2024 +0000 + + bumped changelog version + +commit 37a7abdf0c1e6d8179bd09d3c1bd0363e8bc0a96 +Author: Patrick Schleizer +Date: Thu Feb 22 11:07:01 2024 -0500 + + ConditionKernelCommandLine=!remountsecure=0 + +commit eb3e0b9292f71a5dba312500508f893779fb1b9c +Author: Patrick Schleizer +Date: Thu Feb 22 14:52:55 2024 +0000 + + bumped changelog version + +commit c0924321b84874ae7fc72c59fd58e4c4ae8bc6d9 +Author: Patrick Schleizer +Date: Thu Feb 22 09:52:36 2024 -0500 + + fix systemd unit ExecStart + +commit d148a769b7106831c0b27a7ad63d91ab42257678 +Author: Patrick Schleizer +Date: Thu Feb 22 14:50:05 2024 +0000 + + bumped changelog version + +commit 6d7cf3c12a8a772fee1cd893d5504767690b3b77 +Author: Patrick Schleizer +Date: Thu Feb 22 09:49:48 2024 -0500 + + output + +commit f7831db197b2fff33b66eeb44efd749e482315e0 +Author: Patrick Schleizer +Date: Thu Feb 22 09:17:41 2024 -0500 + + do not exit non-zero if folder does not exist + +commit 5bdd7b8475bdfde8dbee5318fb43d0c2a236e3b0 +Author: Patrick Schleizer +Date: Thu Feb 22 09:14:52 2024 -0500 + + output + +commit 44a15cd97da3066e39d2d7df1f456e703036a6e9 +Author: Patrick Schleizer +Date: Thu Feb 22 09:13:56 2024 -0500 + + mount 
--make-private + + https://github.com/Kicksecure/security-misc/issues/172 + +commit c0f98b05b609c7c8ac6f86e123af9e0642d82697 +Author: Patrick Schleizer +Date: Thu Feb 22 06:03:59 2024 -0500 + + comment + + https://github.com/Kicksecure/security-misc/pull/202 + +commit 1e1613aa93dca1e7fe7f24dbd32028a0cadd21fd +Author: Patrick Schleizer +Date: Thu Feb 22 06:02:28 2024 -0500 + + allow /opt exec as usually optional binaries are placed there such as firefox + + https://github.com/Kicksecure/security-misc/pull/202 + +commit 7c7b4b24b4959f3ef96ff7ef0b11fa4c0bd48c8e +Author: Patrick Schleizer +Date: Thu Feb 22 06:01:00 2024 -0500 + + fix home_noexec_maybe -> most_noexec_maybe + + https://github.com/Kicksecure/security-misc/pull/202 + +commit 38783faf60b85c4e855bf78c87e1c07765776b50 +Author: Patrick Schleizer +Date: Thu Feb 22 05:58:53 2024 -0500 + + add more bind mounts of mount options hardening + + as suggested in https://github.com/Kicksecure/security-misc/pull/202 + +commit ad9d913902d7e696f1114da74d84f9cdcb22bc25 +Author: Patrick Schleizer +Date: Sat Feb 3 18:28:27 2024 +0000 + + bumped changelog version + +commit 02090da08cfd411314ffeeb6df95f73c701f06c6 +Merge: 8037ce5 ba13657 +Author: Patrick Schleizer +Date: Sat Feb 3 12:51:07 2024 -0500 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit ba13657d894f2f30d8deb7c08b85e5fbc1dcea21 +Merge: 8037ce5 b16c99a +Author: Patrick Schleizer +Date: Sat Feb 3 12:50:28 2024 -0500 + + Merge pull request #197 from raja-grewal/mitigations + + Additional Explicit CPU Mitigations + +commit b16c99ab62a902b1f61b9d4fe63273cd614e757c +Author: raja-grewal +Date: Mon Jan 29 13:39:40 2024 +0000 + + Remove hardcoded `spec_rstack_overflow` setting + +commit 139b10a9aad85018f87bdc4bb227e938f7955235 +Author: raja-grewal +Date: Mon Jan 29 12:59:13 2024 +0000 + + Control RAS overflow mitigation on AMD Zen CPUs + +commit 6c54e35027e86ec045102cd1d95f84aa30bc55c9 +Author: raja-grewal +Date: Mon Jan 29 12:58:51 2024 +0000 + + Enable 
mitigations for RETBleed vulnerability and disable SMT + +commit 4509a5fc95204080f2855849d22c7e05393455d9 +Author: raja-grewal +Date: Mon Jan 29 12:58:14 2024 +0000 + + Enable known mitigations for CPU vulnerabilities and disable SMT + +commit 4231155efa0970d2456b67cc89c8828b0766cf7f +Author: raja-grewal +Date: Mon Jan 29 12:57:48 2024 +0000 + + Add reference for kernel parameters + +commit 8037ce52f96dcc6f8007c1567daf38ff013352d6 +Author: Patrick Schleizer +Date: Thu Jan 25 13:59:29 2024 +0000 + + bumped changelog version + +commit 185bfe749787a8c6e93103ae8c6b0751a169e276 +Author: Patrick Schleizer +Date: Thu Jan 25 06:54:36 2024 -0500 + + use `interest-noawait` instead of `interest-await` + + fixes https://github.com/Kicksecure/security-misc/issues/196 + +commit 64e41b113cae893d1f27f441f99340389ba8b9b3 +Author: Patrick Schleizer +Date: Thu Jan 18 14:10:51 2024 +0000 + + bumped changelog version + +commit 1855fa08b1386b1ea8697767104e7ad0f1521c9c +Author: Patrick Schleizer +Date: Thu Jan 18 08:54:39 2024 -0500 + + readme + +commit f0e2a82b558f64611f037424c6f8f12de32737f6 +Author: Patrick Schleizer +Date: Wed Jan 17 19:18:25 2024 +0000 + + bumped changelog version + +commit 314e5b490c6864b745fbf5fd6d9bb2c724d478b8 +Author: Patrick Schleizer +Date: Wed Jan 17 14:03:09 2024 -0500 + + use wildcards + + instead of outdated, incomplete list + + https://github.com/Kicksecure/security-misc/issues/160 + +commit 08619d6a7307b6ab05a3ba7e71ea33b00db20b27 +Author: Patrick Schleizer +Date: Wed Jan 17 13:59:36 2024 -0500 + + minor RPM updates + + https://github.com/Kicksecure/security-misc/issues/160 + +commit 3048e0ac76e4eba1c53b43ba2424157505578cdd +Author: Patrick Schleizer +Date: Wed Jan 17 13:54:07 2024 -0500 + + usrmerge + + https://github.com/Kicksecure/security-misc/issues/190 + +commit 5a6cd4c2abd243c91575e9477a921aa290c68ba5 +Author: Patrick Schleizer +Date: Wed Jan 17 13:51:30 2024 -0500 + + remove now empty /bin from copying since it is empty after usrmerge + + 
https://github.com/Kicksecure/security-misc/issues/190 + +commit 071b984a1eaaa8a8ea6a40e4ee36eabcde2d630d +Author: Patrick Schleizer +Date: Wed Jan 17 13:49:05 2024 -0500 + + `sort -d` + + https://github.com/Kicksecure/security-misc/issues/190 + +commit 011e55e3e52485ccd728b4bb249efbc816f38806 +Author: Patrick Schleizer +Date: Wed Jan 17 13:45:17 2024 -0500 + + remove duplicates after usrmerge + + https://github.com/Kicksecure/security-misc/issues/190 + +commit 0efee2f50fd38feade7700c2f033cc3d4c200d34 +Author: Patrick Schleizer +Date: Wed Jan 17 13:39:56 2024 -0500 + + usrmerge + + fixes https://github.com/Kicksecure/security-misc/issues/190 + +commit 18a06935e0cca3dc090643aad406d861e4583085 +Author: Patrick Schleizer +Date: Wed Jan 17 13:23:20 2024 -0500 + + run permission hardener when new packages are install files to /usr or /opt + + (basically anywhere) + + fixes https://github.com/Kicksecure/security-misc/issues/189 + +commit 66e6371221c3395a0523e30e8ef1a051d3e6cdd0 +Author: Patrick Schleizer +Date: Tue Jan 16 14:26:34 2024 +0000 + + bumped changelog version + +commit 0d78ecaee37536379ad2f230f45904f57425cb19 +Author: Patrick Schleizer +Date: Tue Jan 16 09:26:21 2024 -0500 + + README + +commit 3ba8fe586e1abe133bd41076278f8663aba7e641 +Author: Patrick Schleizer +Date: Tue Jan 16 09:23:54 2024 -0500 + + update permission-hardener.service + + Which is now only an additional opt-in systemd unit, + because permission-hardener is run by default at security-misc + package installation time. 
+ + https://github.com/Kicksecure/security-misc/pull/181 + +commit 186f6015da7b3314c95c2833032c6fe953a71afd +Author: Patrick Schleizer +Date: Tue Jan 16 14:14:18 2024 +0000 + + bumped changelog version + +commit 6aa55698ab2a0f3771d28293d7ad14da2763a16f +Author: Patrick Schleizer +Date: Tue Jan 16 09:10:59 2024 -0500 + + delete legacy folder /etc/permission-hardening.d if empty + + https://github.com/Kicksecure/security-misc/pull/181 + +commit 9cafd78fe21baa3c2a36853f57e0638b2facfe5c +Author: Patrick Schleizer +Date: Tue Jan 16 09:05:09 2024 -0500 + + rm_conffile /etc/permission-hardening.d + + https://github.com/Kicksecure/security-misc/pull/181 + +commit fa53848b5cda135fbb8a3855e8508692084fc7e9 +Author: Patrick Schleizer +Date: Tue Jan 16 13:58:55 2024 +0000 + + bumped changelog version + +commit 4f7973bc5628cdc24f5224bd98858249307635d3 +Author: Patrick Schleizer +Date: Tue Jan 16 08:56:26 2024 -0500 + + comment + +commit ed7c09fc46b26440439adf748f597da277a3f1e4 +Author: Patrick Schleizer +Date: Tue Jan 16 08:45:13 2024 -0500 + + permission-hardening -> permission-hardener migration + + mv --verbose /var/lib/permission-hardening /var/lib/permission-hardener + + https://github.com/Kicksecure/security-misc/pull/181 + +commit a90cd43631216f28a18a1b3f066b9f6ef3301ac4 +Author: Patrick Schleizer +Date: Tue Jan 16 08:32:52 2024 -0500 + + fix postinst for new permission-hardener + + https://github.com/Kicksecure/security-misc/pull/181 + +commit 862bf6b5ab29917138325023eb3507f5fbd5653c +Merge: dc8d9ee bc02c72 +Author: Patrick Schleizer +Date: Tue Jan 16 08:19:28 2024 -0500 + + Merge remote-tracking branch 'ben-grande/clean' + +commit dc8d9eece32dec06e63c580c886a240019b3f33e +Author: Patrick Schleizer +Date: Tue Jan 9 05:52:49 2024 +0000 + + bumped changelog version + +commit 1199871d7bbc7316a7e5822d77eee0666b55b203 +Author: Patrick Schleizer +Date: Sun Jan 7 06:37:34 2024 -0500 + + undo IPv6 privacy due to potential server issues + + 
https://github.com/Kicksecure/security-misc/issues/184 + +commit 128bb01b35d20e97351dfb53768f35482f9756a2 +Author: Patrick Schleizer +Date: Sun Jan 7 06:36:25 2024 -0500 + + undo IPv6 privacy due to potential server issues + + https://github.com/Kicksecure/security-misc/issues/184 + +commit df0f9d3267644c4aea87add2dcade86044c496f0 +Author: Patrick Schleizer +Date: Sat Jan 6 09:19:57 2024 -0500 + + README + +commit 86f91e3030ef0b08000fc28a3a172e6a47918e4e +Author: Patrick Schleizer +Date: Sat Jan 6 09:10:45 2024 -0500 + + revert umask 027 by default + + because broken because this also happens for root while it should not + + https://github.com/Kicksecure/security-misc/issues/185 + +commit 3f1304403fbf04f15dac01963c66f82cd84452d4 +Author: Patrick Schleizer +Date: Sat Jan 6 08:15:31 2024 -0500 + + disable MAC randomization in Network Manager (NM) because it breaks VirtualBox DHCP + + https://github.com/Kicksecure/security-misc/issues/184 + +commit e8f8dcd0fb1c23a62974849f55516da9dce5948e +Author: Patrick Schleizer +Date: Thu Jan 4 02:03:26 2024 +0000 + + bumped changelog version + +commit 70a86fa994c0a894643e876fc86226ad0443a741 +Merge: db0503e 71060f1 +Author: Patrick Schleizer +Date: Wed Jan 3 05:12:48 2024 -0500 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 71060f1f53ca7a275f10c4b6ab3e6c25585d5440 +Merge: db0503e 74afcc9 +Author: Patrick Schleizer +Date: Wed Jan 3 05:00:41 2024 -0500 + + Merge pull request #182 from raja-grewal/io_uring + + Clarify validity of disabling io_uring + +commit 74afcc9c63ad064f20778ad2870690925c3cee81 +Author: Raja Grewal +Date: Wed Jan 3 17:52:23 2024 +1100 + + Clarify validity of disabling io_uring + +commit bc02c72018d6458d4c1852dd441287b277421514 +Author: Ben Grande +Date: Tue Jan 2 17:08:45 2024 +0100 + + Fix unbound variable + + - Run messages preceded by INFO; + - Comment unknown unused variables; + - Remove unnecessary variables; and + - Deal with unbound variable due to subshell by writing to a file; + 
+commit db0503e71d5c37865cbb0a01cb8fa00af2a4e574 +Author: Patrick Schleizer +Date: Tue Jan 2 14:55:13 2024 +0000 + + bumped changelog version + +commit abf72c2ee4286ec069f75e66acf05a42f3645c89 +Author: Ben Grande +Date: Tue Jan 2 13:34:29 2024 +0100 + + Rename file permission hardening script + + Hardener as the script is the agent that is hardening the file + permissions. + +commit f138cf0f78c03e3952801d01d25d5f8065ff1457 +Author: Ben Grande +Date: Tue Jan 2 12:17:16 2024 +0100 + + Refactor permission-hardener + + - Organize comments from default configuration; + - Apply and undo changes from a single file controlled by parameters; + - Arrays should be evaluated as arrays and not normal variables; + - Quote variables; + - Brackets around variables; + - Standardize test cases to "test" command; + - Test against empty or non-empty variables with "-z" and "-n"; + - Show a usage message when necessary; + - Require root to run the script with informative message; + - Permit the user to see the help message without running as root; + - Do not create root directories without passing root check; + - Use long options for "set" command; + +commit a94f2a3f4626a9292660bc7f98a6513f34d0f5b2 +Merge: 94c0e26 8daf97a +Author: Patrick Schleizer +Date: Tue Jan 2 05:30:49 2024 -0500 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 8daf97ab0181a9cbb9e9dec57f1f00270dbb3a50 +Merge: 94c0e26 f055fe5 +Author: Patrick Schleizer +Date: Tue Jan 2 05:29:35 2024 -0500 + + Merge pull request #178 from raja-grewal/io_uring + + Disable asynchronous I/O + +commit 94c0e26a082f61f71e89b1fb7386a58166ffa411 +Author: Patrick Schleizer +Date: Fri Dec 29 20:15:50 2023 +0000 + + bumped changelog version + +commit 5b36599c0ce35857239c82459828db1ec4215411 +Author: Patrick Schleizer +Date: Fri Dec 29 14:57:38 2023 -0500 + + /dev/, /dev/shm, /tmp + + https://github.com/Kicksecure/security-misc/issues/157#issuecomment-1869073716 + +commit e15596e7af6fc645dd652c043397baaa91954915 +Author: 
Patrick Schleizer +Date: Mon Dec 25 16:28:10 2023 +0000 + + bumped changelog version + +commit f64a869bfdd4c746afd206367885851946deb692 +Author: Patrick Schleizer +Date: Mon Dec 25 11:03:22 2023 -0500 + + readme + +commit c86c83cef760906a0d1c56ee8a8c744b2e07f212 +Author: Patrick Schleizer +Date: Mon Dec 25 10:31:58 2023 -0500 + + formatting + + https://github.com/Kicksecure/security-misc/issues/157 + +commit 971ff687b1423499c54495a03e5e6fafcbfefb2a +Author: Patrick Schleizer +Date: Mon Dec 25 10:30:35 2023 -0500 + + do not mount /dev/cdrom by default + + https://github.com/Kicksecure/security-misc/issues/157 + +commit 9fce67fcd942a7e3e0dd2e874226fcdab5e33ba3 +Author: Patrick Schleizer +Date: Mon Dec 25 10:28:47 2023 -0500 + + remove superfluous, broken `remount` mount option + + https://github.com/Kicksecure/security-misc/issues/157 + +commit 40fd8cb6081512e2bc0ef1a7a1ee17cd317024c2 +Author: Patrick Schleizer +Date: Mon Dec 25 09:51:09 2023 -0500 + + no `nofail` mount option to avoid breaking the boot of a system + + unit testing belongs elsewhere + + https://github.com/Kicksecure/security-misc/issues/157 + +commit 4aa645f29ff741b6e5cdf629deade1923fdcc234 +Author: Patrick Schleizer +Date: Mon Dec 25 09:46:33 2023 -0500 + + comment + + https://github.com/Kicksecure/security-misc/issues/157 + +commit 2b7aeedb4a543d0a43a35918999338097d13bb16 +Author: Patrick Schleizer +Date: Mon Dec 25 09:44:51 2023 -0500 + + mount /dev/cdrom to /mnt/cdrom (instead of /mnt/cdrom0) and + nodev,nosuid,noexec + + as per: + https://www.debian.org/doc/manuals/securing-debian-manual/ch04s10.en.html + + https://github.com/Kicksecure/security-misc/issues/157 + +commit 0d9e9780daca563a726470a3a5d6fa8c20487240 +Author: Patrick Schleizer +Date: Mon Dec 25 09:37:14 2023 -0500 + + formatting + + https://github.com/Kicksecure/security-misc/issues/157 + +commit 00f9ab43947795c1144d797547968c7c149d6f21 +Author: Patrick Schleizer +Date: Mon Dec 25 09:36:05 2023 -0500 + + /dev devtmpfs + + 
https://github.com/Kicksecure/security-misc/issues/157 + +commit 55709b3aa0acd6cad0c9fedb8782c49fbea79689 +Author: Patrick Schleizer +Date: Mon Dec 25 09:30:57 2023 -0500 + + /tmp tmpfs + + https://github.com/Kicksecure/security-misc/issues/157 + +commit b0dd967611c27f5b8e2472bb74a664aead7a229e +Author: Patrick Schleizer +Date: Mon Dec 25 09:27:45 2023 -0500 + + usrmerge + + https://github.com/Kicksecure/security-misc/issues/157 + +commit 269fada14a616c53d7421e88e662f6893eb1fd88 +Author: Patrick Schleizer +Date: Mon Dec 25 09:25:14 2023 -0500 + + combine bind lines + + https://github.com/Kicksecure/security-misc/issues/157 + +commit 0810c1ce3c9e19c745b8f0d2cd9410353b172779 +Author: Patrick Schleizer +Date: Mon Dec 25 09:10:31 2023 -0500 + + fix bluetooth in readme + + fixes https://github.com/Kicksecure/security-misc/issues/180 + +commit 37b4ab15a823134e616a2a0fe1dda18d5ebfa3c0 +Author: Patrick Schleizer +Date: Mon Dec 25 09:04:10 2023 -0500 + + readme + +commit 79f398d219b9c4cdf8ea0f9e3135a08fa32659a8 +Author: Patrick Schleizer +Date: Mon Dec 25 08:45:20 2023 -0500 + + formatting + +commit c90ada3c398205227d906e2b2108d36d92edcf3c +Author: Patrick Schleizer +Date: Mon Dec 25 08:37:23 2023 -0500 + + pandoc -f markdown -t markdown --wrap=auto --columns=80 README.md -o README.md + +commit 34bf297bd17af2adf59804bd133a00b7dc1942b7 +Author: Patrick Schleizer +Date: Mon Dec 25 08:32:34 2023 -0500 + + formatting + +commit d5fc9f620169b6975c8d3ef685f47e62cb6b9262 +Author: Patrick Schleizer +Date: Mon Dec 25 08:26:03 2023 -0500 + + improve bluetooth in readme + + as suggested by @monsieuremre + + https://github.com/Kicksecure/security-misc/issues/180 + +commit 7fa597deca7ff2b2932a5f5fad56be57bd78b6cf +Author: Patrick Schleizer +Date: Fri Dec 22 16:31:58 2023 +0000 + + bumped changelog version + +commit f70a034da2b4b615855504e7080baf1a7e7b461c +Author: Patrick Schleizer +Date: Fri Dec 22 08:31:58 2023 -0500 + + exclude hardened malloc from SUID disabler + + fixes 
https://github.com/Kicksecure/security-misc/issues/179 + +commit f055fe5da2219b68f46c3c577d79fcfd7e79cfc6 +Author: Raja Grewal +Date: Fri Dec 15 08:33:36 2023 +0000 + + Disable asynchronous I/O + + io_uring creation is disabled for all processes. io_uring_setup always fails with -EPERM. Existing io_uring instances can still be used. + +commit 99f2edd4f685cdc9a47b32107125408e12a294c2 +Author: Patrick Schleizer +Date: Tue Dec 12 16:51:21 2023 +0000 + + bumped changelog version + +commit 039de1dc9bd6f3cc6595d66f54d0d88d9b537b17 +Author: Patrick Schleizer +Date: Tue Dec 12 11:50:11 2023 -0500 + + add hardened fstab `/usr/share/doc/security-misc/fstab-vm` + + to the documentation folder as an example + + not directly used by security-misc + + will later be used by Kicksecure VM build process + + https://github.com/Kicksecure/security-misc/issues/157 + +commit dcaafa6c8bf380dd990942e9c10e280943b442a6 +Author: Patrick Schleizer +Date: Mon Dec 4 17:06:45 2023 +0000 + + bumped changelog version + +commit 5a73817a9575fe5bcaf3fd354e5f175db7d45ba4 +Author: Patrick Schleizer +Date: Mon Dec 4 11:38:49 2023 -0500 + + move to `/usr/lib/issue.d/20_security-misc.issue` + + https://github.com/Kicksecure/security-misc/pull/167 + +commit dfaea492c76a277b9cbe84982a135cb4f03a557c +Author: Patrick Schleizer +Date: Mon Dec 4 11:37:02 2023 -0500 + + remove `etc/issue.net.d/20_security-misc` + + since not mentioned on debian.org + +commit 69c895af09f05000ace5f273f3e5032aabf8c64e +Merge: c9ea7a4 36850f8 +Author: Patrick Schleizer +Date: Mon Dec 4 11:27:53 2023 -0500 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 36850f89fb07678ca24eb580a18247e593eac608 +Merge: c9ea7a4 0d7af97 +Author: Patrick Schleizer +Date: Mon Dec 4 11:27:16 2023 -0500 + + Merge pull request #167 from monsieuremre/patch-4 + + Non-Identifiable and Generic Issue Banners that include the Recommended Keywords + +commit c9ea7a4dca6e985c3a1044a3b4ddda83909fbc51 +Author: Patrick Schleizer +Date: Mon Dec 4 
11:02:55 2023 -0500 + + use `amd_iommu=force_isolation` instead of `amd_iommu=force_enable` + + because we set `iommu=force` already anyhow + + fixes https://github.com/Kicksecure/security-misc/issues/175 + +commit e83c1d7ed662bb0533c670dd5b7a6745a75e9ca4 +Merge: c4e21ca befd21e +Author: Patrick Schleizer +Date: Mon Dec 4 11:01:02 2023 -0500 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit befd21e0c0c38eaf91c7096e9f60120f533a5842 +Merge: c4e21ca f2ad838 +Author: Patrick Schleizer +Date: Mon Dec 4 11:00:29 2023 -0500 + + Merge pull request #176 from monsieuremre/patch-1 + + Iommu Kernel Parameters + +commit c4e21ca5f49fbc2d67853eebca647539acbca815 +Author: Patrick Schleizer +Date: Mon Dec 4 10:58:16 2023 -0500 + + added development philosophy + + https://github.com/Kicksecure/security-misc/issues/154 + +commit feab1432f9d0966118ca233c9f88270b98c3f120 +Author: Patrick Schleizer +Date: Mon Dec 4 10:48:27 2023 -0500 + + clarify scope + + https://github.com/Kicksecure/security-misc/issues/154 + +commit dc04040cb3644c9e3be9b44a34da4a5f7b61f2cc +Author: Patrick Schleizer +Date: Mon Dec 4 10:36:48 2023 -0500 + + typo + +commit 2634dbff2bd9d7482e7b02be2b5b6fa1c58ef6c7 +Author: Patrick Schleizer +Date: Mon Dec 4 10:36:21 2023 -0500 + + shuffle + +commit f2ad8383cfea4bba42e8b246b05b85101d707641 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Sun Dec 3 19:51:38 2023 +0000 + + fix + +commit dd15823a97e953750d7a8288c7d3b8d5f554d6f9 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Sun Dec 3 19:50:07 2023 +0000 + + undo superfluousness + +commit 83e13bb62d028cfeea7a4d3f3def3bff8d2b5eaa +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Sun Dec 3 19:42:34 2023 +0000 + + Update 40_enable_iommu.cfg + +commit 0d7af9707f802fb600d9eb39bbe0b3bd4a65e3b0 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Sun Dec 3 19:31:12 2023 +0000 + + Update 
20_security-misc + +commit 04d27a10b0cd1c22cb166c9fccb93a09d5f388f0 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Sun Dec 3 19:30:55 2023 +0000 + + Update 20_security-misc + +commit 7963f811e1bb6f5e0e2ba41e96b14e4a3a70f847 +Merge: c8b9f5a 82bd913 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Sun Dec 3 19:30:22 2023 +0000 + + Merge branch 'Kicksecure:master' into patch-4 + +commit 82bd9138de750a3590be9c91c898cbd04c550e7e +Author: Patrick Schleizer +Date: Mon Nov 20 13:13:10 2023 +0000 + + bumped changelog version + +commit c2b3ff5243c69c4e1ba28e9966bf0ffd3ce550ce +Author: Patrick Schleizer +Date: Mon Nov 20 04:40:28 2023 -0500 + + moved libpam-tmpdir dependency to kicksecure-meta-packages + + https://github.com/Kicksecure/security-misc/pull/147 + +commit c8b9f5a917e6c415575d6763a65930f1a91a7c78 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Sat Nov 18 10:03:19 2023 +0000 + + net + +commit 3b614f3753608bd62ff6bc6e56e15f280994c646 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Sat Nov 18 10:02:16 2023 +0000 + + 20_security-misc + +commit 4e4df5dd7c6b5cf1deb179a2c3f8fe7a8844884d +Author: Patrick Schleizer +Date: Sat Nov 11 22:29:57 2023 +0000 + + bumped changelog version + +commit a51674410cb8a7ac2119ea7c85f986223ce8fc25 +Author: Patrick Schleizer +Date: Sat Nov 11 17:29:37 2023 -0500 + + fix + +commit 8d58077d68e6363313cdc62f7fac14840f5d9a8e +Author: Patrick Schleizer +Date: Sat Nov 11 20:22:34 2023 +0000 + + bumped changelog version + +commit 5b85a0b34d30d191654158506e0209b34a8f9fe8 +Author: Patrick Schleizer +Date: Sat Nov 11 14:46:35 2023 -0500 + + license + +commit 7757080519858492a7fcbf735ec854029b29d67a +Author: Patrick Schleizer +Date: Sat Nov 11 13:41:28 2023 -0500 + + change license to AGPL-3+ + + https://forums.whonix.org/t/license-change-to-agplv3/17455 + +commit 20f804f19c046e3ef2b38c367de9d5c80cccccd9 +Author: Patrick Schleizer 
+Date: Mon Nov 6 17:28:21 2023 -0500 + + bumped changelog version + +commit a1e00be0e09a7271a3fae9e9abdbe9a2279b7197 +Author: Patrick Schleizer +Date: Mon Nov 6 16:58:23 2023 -0500 + + update link + +commit 5bb357cac02c7217f4e897a0625f531602ac69cf +Author: Patrick Schleizer +Date: Mon Nov 6 16:55:00 2023 -0500 + + spice-client-glib-usb-acl-helper matchwhitelist + +commit 7309445ee518c093ba3f9aec56197e391e0a194a +Author: Patrick Schleizer +Date: Mon Nov 6 16:52:27 2023 -0500 + + comment + +commit f09d97fc9efc98d8b197a497e2ce4c5965be531a +Author: Patrick Schleizer +Date: Mon Nov 6 16:50:19 2023 -0500 + + whitelist VirtualBox + +commit 64c8c7a8d5a42d2e3da9ce243bc708d1bcbe6039 +Author: Patrick Schleizer +Date: Mon Nov 6 16:47:31 2023 -0500 + + whitelist SSH + +commit 9682b51d548396717867a0c336f1fb1677ccfe2b +Author: Patrick Schleizer +Date: Mon Nov 6 16:44:36 2023 -0500 + + whitelist virtualbox + +commit a40b9bc095bb0f363911dacee050234b3a555744 +Author: Patrick Schleizer +Date: Mon Nov 6 16:40:22 2023 -0500 + + comments + +commit 2c1a3da433b8dc96039caab17e81666896ade58c +Author: Patrick Schleizer +Date: Mon Nov 6 16:38:50 2023 -0500 + + VirtualBoxVM matchwhitelist + +commit 4e96ffaabb7c2e73bf686e56bcaa220f4d2e9e93 +Author: Patrick Schleizer +Date: Mon Nov 6 16:37:19 2023 -0500 + + chrome-sandbox matchwhitelist + +commit df5f3e80566da210ee5d807cc1b5dd53678fdae0 +Author: Patrick Schleizer +Date: Mon Nov 6 16:36:22 2023 -0500 + + output + +commit 72f6e6bb9c2426535bfc48175d88707331ec5346 +Author: Patrick Schleizer +Date: Mon Nov 6 16:28:23 2023 -0500 + + output + +commit 3bc831a1f71a80a178601bdd5c7f06b22ada75ab +Author: Patrick Schleizer +Date: Mon Nov 6 16:27:29 2023 -0500 + + lintian + +commit fd1f38b2ebe31aec04b22d968b38305504f7f935 +Author: Patrick Schleizer +Date: Mon Nov 6 16:22:42 2023 -0500 + + remount-secure systemd unit + + https://github.com/Kicksecure/security-misc/pull/152 + +commit 79f9c1fb3adac319342a22c099401cb21af4429f +Author: Patrick Schleizer +Date: Mon 
Nov 6 15:48:09 2023 -0500 + + add sysinit-post.target + + https://github.com/Kicksecure/security-misc/pull/152 + +commit 2de5ab41201c561a2684f15196ce37b0f34038a9 +Author: Patrick Schleizer +Date: Mon Nov 6 13:47:30 2023 -0500 + + clarify scope of application specific hardening + + fixes https://github.com/Kicksecure/security-misc/issues/154 + +commit 5a96616b39e7188903bd0d35c9812a02fddc02f9 +Author: Patrick Schleizer +Date: Sun Nov 5 21:13:14 2023 -0500 + + bumped changelog version + +commit ad079ac5cc4d7ce2270e9abf21fa520fc9b2761f +Author: Patrick Schleizer +Date: Sun Nov 5 20:55:55 2023 -0500 + + readme + + https://github.com/Kicksecure/security-misc/pull/152 + +commit be023c77223c4ec0e26ffe2a88acd94653efee9a +Author: Patrick Schleizer +Date: Sun Nov 5 20:54:43 2023 -0500 + + readme + + https://github.com/Kicksecure/security-misc/issues/159 + +commit e1f413c1ee5107468cb2a9c4aa8bd061d0dc911b +Author: Patrick Schleizer +Date: Sun Nov 5 20:53:26 2023 -0500 + + disable harden-module-loading.service for now + + due to issues + + https://github.com/Kicksecure/security-misc/issues/159 + +commit f2ea1abc9b3efc035f4d1381bece458de9b89ff3 +Author: Patrick Schleizer +Date: Sun Nov 5 20:53:03 2023 -0500 + + comment + +commit 95d1cfb4a03afc987cf89bb0f4cd6d2f1ad431b1 +Author: Patrick Schleizer +Date: Sun Nov 5 20:49:36 2023 -0500 + + Revert "remove no longer required remount-service systemd unit" + + This reverts commit 479ab61a1d0c91d26c2cd200d97b39b2b786e073. 
+ + https://github.com/Kicksecure/security-misc/pull/152 + +commit 24b4d59ce41bc95e0b0aadf401223dc40b0f9c8f +Author: Patrick Schleizer +Date: Sun Nov 5 20:14:33 2023 -0500 + + bumped changelog version + +commit 4482f1841cfc6caa063e2274db890cfa01944811 +Author: Patrick Schleizer +Date: Sun Nov 5 20:13:14 2023 -0500 + + newline + +commit c5167c8f0d398946fdfae56fa78b32fade4cb451 +Author: Patrick Schleizer +Date: Sun Nov 5 20:12:03 2023 -0500 + + fix systemd unit + + https://github.com/Kicksecure/security-misc/issues/159 + +commit 2571bbf315693f65f564ef4ad1b2ff4941f2ebc3 +Author: Patrick Schleizer +Date: Sun Nov 5 18:42:25 2023 -0500 + + duplicate + +commit aa170878838b2218da8295be8b6898bc86056cec +Author: Patrick Schleizer +Date: Sun Nov 5 18:42:08 2023 -0500 + + update path + +commit d203e539aa975b042cd6ec9608a0cc16b3314372 +Author: Patrick Schleizer +Date: Sun Nov 5 18:17:59 2023 -0500 + + bumped changelog version + +commit 4ebab940c750154a396c4ffdbde61367e12c72f8 +Author: Patrick Schleizer +Date: Sun Nov 5 17:56:35 2023 -0500 + + description too long, fixed + +commit ad010ef5b4c90e4abbd1c88724f99450740fb2eb +Author: Patrick Schleizer +Date: Sun Nov 5 17:52:44 2023 -0500 + + debugging + +commit 826e76d037f88636fdde7d4ef1eb72f29ac5f4a5 +Author: Patrick Schleizer +Date: Sun Nov 5 17:43:33 2023 -0500 + + bumped changelog version + +commit 3130a39d8c280d913fb632a40562438b82a499bb +Author: Patrick Schleizer +Date: Sun Nov 5 17:43:07 2023 -0500 + + set -e + +commit 18a2d814cc0c477599b276bb319ed8bdd34499ea +Merge: 4fda9d2 36f3c30 +Author: Patrick Schleizer +Date: Sun Nov 5 17:42:28 2023 -0500 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 36f3c30440e73c8bf4946742095f0495994fed99 +Merge: 4fda9d2 2e64d89 +Author: Patrick Schleizer +Date: Sun Nov 5 17:41:56 2023 -0500 + + Merge pull request #148 from monsieuremre/module-loading-hardening + + Harden the loading of new modules to the kernel after install + +commit 4fda9d2e8459c043ec27178ceb87483229b45d5f 
+Author: Patrick Schleizer +Date: Sun Nov 5 16:46:18 2023 -0500 + + bumped changelog version + +commit 4219347f0a739ed1ea93a596968295ddcd3a940f +Author: Patrick Schleizer +Date: Sun Nov 5 16:43:44 2023 -0500 + + fix permission-hardener config parsing issue + +commit e72f79236b7b704c60c6920b51c86832f4fda9e3 +Author: Patrick Schleizer +Date: Sun Nov 5 16:41:41 2023 -0500 + + refactoring + +commit dea0d9a78a99c441a1738f88cef2cd3c5f433454 +Author: Patrick Schleizer +Date: Sun Nov 5 16:40:49 2023 -0500 + + fix permission-hardener config parsing issue + +commit 017ae18ad7a757a18c5a7a92677f24053280e8b5 +Author: Patrick Schleizer +Date: Sun Nov 5 16:39:10 2023 -0500 + + fix permission-hardener config parsing issue + +commit 65e3c14643ca2b5167e0f5bc30a6bbc45cb4f645 +Author: Patrick Schleizer +Date: Sun Nov 5 16:35:11 2023 -0500 + + fix permission-hardener config parsing issue + +commit 40e536a9beb48f1938e67ae2010fc34f80e3bd1f +Author: Patrick Schleizer +Date: Sun Nov 5 16:04:03 2023 -0500 + + bumped changelog version + +commit 51decff2fd48c2437b08136e97d4211e5eaccd89 +Author: Patrick Schleizer +Date: Sun Nov 5 16:03:36 2023 -0500 + + exclude qfile-unpacker from permission hardener + +commit 52b6e92e002987952c908eeb05a293dd401ee9be +Author: Patrick Schleizer +Date: Sun Nov 5 15:58:21 2023 -0500 + + bumped changelog version + +commit 1900c1ab07e4d55577815b942b34457596a1d703 +Author: Patrick Schleizer +Date: Sun Nov 5 15:57:49 2023 -0500 + + pam exclude from permission-hardener + +commit 76e3a3c5f9fa5e95b90e4ea3f3ba7019615a3d1a +Author: Patrick Schleizer +Date: Sun Nov 5 15:29:38 2023 -0500 + + bumped changelog version + +commit d4494fd3c341796081dd8c114c8cc97e627c236c +Author: Patrick Schleizer +Date: Sun Nov 5 15:27:09 2023 -0500 + + disable remount-secure dracut modules + + pending new systemd based implementation + + https://github.com/Kicksecure/security-misc/pull/152 + +commit 949c1633701ac168e908794d4dd74c5a9b09a437 +Author: Patrick Schleizer +Date: Sun Nov 5 15:14:43 
2023 -0500 + + bumped changelog version + +commit 4a19fbae0be2ab99c1f21826eca2ec3cef605a0e +Author: Patrick Schleizer +Date: Sun Nov 5 15:13:01 2023 -0500 + + move permission-hardening to /usr/bin to make it more easily accessible + +commit c75f80b29f2fee3f2ead579390b8d3a8ff86b9d2 +Author: Patrick Schleizer +Date: Sun Nov 5 15:09:29 2023 -0500 + + lower verbosity of permission hardener + + fixes https://github.com/Kicksecure/security-misc/issues/158 + +commit 0544657123100b333211a91ef32054dc7e14c7db +Author: Patrick Schleizer +Date: Sun Nov 5 14:56:06 2023 -0500 + + bumped changelog version + +commit 42be6310237bdb663f38982b221327a337251e0a +Author: Patrick Schleizer +Date: Sun Nov 5 14:54:05 2023 -0500 + + readme + +commit 55ba5d48321ec4224bcbf03cf2bf51226cf34e50 +Author: Patrick Schleizer +Date: Sun Nov 5 14:51:31 2023 -0500 + + renamed: usr/lib/NetworkManager/conf.d/99_ipv6-privacy.conf -> usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf + renamed: usr/lib/NetworkManager/conf.d/99_randomize-mac.conf -> usr/lib/NetworkManager/conf.d/80_randomize-mac.conf + renamed: usr/lib/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf -> usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf + +commit eab5d7d4ec58baaf7eedc777e250ad9f00e4b71b +Author: Patrick Schleizer +Date: Sun Nov 5 14:50:13 2023 -0500 + + cleanup + +commit 811d1cd0dd0dcb9021d2f72638dd6c12b734964c +Merge: 9343795 5a75bcf +Author: Patrick Schleizer +Date: Sun Nov 5 14:49:43 2023 -0500 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 5a75bcfb19ac6c555a52cb1600e4efd13a8cfc06 +Merge: 9343795 229032d +Author: Patrick Schleizer +Date: Sun Nov 5 14:49:00 2023 -0500 + + Merge pull request #145 from monsieuremre/wifi-and-bluetooth + + Wifi and Bluetooth Patch | Security and Privacy + +commit 93437952b4f64866dfe6067d8caf19415112418d +Author: Patrick Schleizer +Date: Sun Nov 5 14:41:01 2023 -0500 + + readme + +commit f32b5438872ad0b9e10cb7b0519f1f18fce1913e +Merge: 56b90ee 4946f85 
+Author: Patrick Schleizer +Date: Sun Nov 5 14:38:20 2023 -0500 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 4946f85d43083c64bc3f8f02e26b08f79b622bfe +Merge: 817ca11 1abac79 +Author: Patrick Schleizer +Date: Sun Nov 5 14:37:47 2023 -0500 + + Merge pull request #146 from monsieuremre/thunderbird + + Thunderbird Hardening + +commit 56b90eecbfb21e546d52d1f41ce9361f2843cd71 +Merge: 3178677 817ca11 +Author: Patrick Schleizer +Date: Sun Nov 5 14:35:23 2023 -0500 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 817ca116f693893e6dcb69254ee91815d200b8a1 +Merge: d9b5d77 fbd9e5d +Author: Patrick Schleizer +Date: Sun Nov 5 14:34:13 2023 -0500 + + Merge pull request #153 from monsieuremre/readme + + Updated Readme + +commit 317867758478619fe1df4ebdb5e22240c40104c0 +Merge: dcead44 d9b5d77 +Author: Patrick Schleizer +Date: Sun Nov 5 14:32:21 2023 -0500 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit d9b5d770cfd5f7747f1d606f3136a93034928f30 +Merge: dcead44 ac224b2 +Author: Patrick Schleizer +Date: Sun Nov 5 14:31:26 2023 -0500 + + Merge pull request #150 from monsieuremre/sysreq + + Disable SysRq by default + +commit dcead44cc6d4272b0966562046f9dab1792845b6 +Author: Patrick Schleizer +Date: Sun Nov 5 11:32:46 2023 -0500 + + output + +commit f6bf69b41fa3e1168c2c49884197770e1a78b888 +Author: Patrick Schleizer +Date: Sun Nov 5 11:31:09 2023 -0500 + + update link + +commit 2e64d89b042227fe5f38bb6d6a859deb4c5183b7 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Sat Nov 4 21:18:45 2023 +0000 + + undo unnecessary manual activation + +commit 19eceaa8108879ee5477b157fb2175993c487959 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Sat Nov 4 20:56:46 2023 +0000 + + more fix + +commit a187d23c4187fd08611e5cba85d09666dfd9f735 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Sat Nov 4 20:56:08 2023 +0000 + + big fix + +commit 
fbd9e5d017c4b00d838e9f225c7748c4b362f023 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Sat Nov 4 14:33:35 2023 +0000 + + README.md + +commit 97054b2b1076d6d428996967304b29620923eff4 +Author: Patrick Schleizer +Date: Fri Nov 3 15:55:17 2023 -0400 + + revert enabling kernel module signature enforcement + + due to issues + + https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/63 + + https://github.com/dell/dkms/issues/359 + +commit 978e3e4abd8f55a877dfe0d6e39b45ee9f58ba6d +Author: Patrick Schleizer +Date: Fri Nov 3 14:53:40 2023 -0400 + + readme + +commit 0242c04dc26638dc1250e3f681b46d15459cf8aa +Author: Patrick Schleizer +Date: Fri Nov 3 14:51:14 2023 -0400 + + port to DKMS drop-in folder + + undisplace /etc/dkms/framework.conf.security-misc + moved to /etc/dkms/framework.conf.d/30_security-misc.conf + +commit d1b5a3ffd525ec92554ffc9c666f8007c8522aac +Author: Patrick Schleizer +Date: Fri Nov 3 12:55:34 2023 -0400 + + /usr/sbin/pam-tmpdir-helper exactwhitelist + + https://github.com/Kicksecure/security-misc/pull/147 + +commit 48adb44c6fd157673cdf7fab3b86ecf7c6b31966 +Author: Patrick Schleizer +Date: Fri Nov 3 12:17:24 2023 -0400 + + bumped changelog version + +commit b6d53f698d0ad21a31da6bf74a44577a0c8869fc +Author: Patrick Schleizer +Date: Fri Nov 3 12:17:00 2023 -0400 + + Revert "allow loading unsigned modules due to issues" + + This reverts commit 661bcd8603425934188cf139f33e20675ff4b765. 
+ +commit 04b210ee88589ef9e6e214d3a5a614780244abc9 +Author: Patrick Schleizer +Date: Fri Nov 3 12:10:48 2023 -0400 + + bumped changelog version + +commit 5e73f78ed9282bf0895b01d44d9c261ea0050cce +Merge: ceffd2b 8e66a41 +Author: Patrick Schleizer +Date: Fri Nov 3 12:10:33 2023 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 8e66a4177868ee7b51dafdb06062b0cb7cbc7415 +Merge: ceffd2b 7dc99d5 +Author: Patrick Schleizer +Date: Fri Nov 3 12:10:00 2023 -0400 + + Merge pull request #147 from monsieuremre/PAM-tmp-files-hardening + + Depend on libpam-tmpdir for very solid extra security + +commit 7dc99d54c0358842745ee48c7cc24f589fd63d14 +Author: Patrick Schleizer +Date: Fri Nov 3 12:09:39 2023 -0400 + + fix + +commit 2a602e78d6ca0f87f11de9a30ae2114468243075 +Merge: 3ee4be6 ceffd2b +Author: Patrick Schleizer +Date: Fri Nov 3 12:08:50 2023 -0400 + + Merge branch 'master' into PAM-tmp-files-hardening + +commit ceffd2b3ee453122e66f594ec31dde6ec3bb7187 +Author: Patrick Schleizer +Date: Fri Nov 3 12:06:43 2023 -0400 + + bumped changelog version + +commit cdd66ee3762c441843d421a9e6b11a20580ed7ac +Author: Patrick Schleizer +Date: Fri Nov 3 10:48:46 2023 -0400 + + wrap-and-sort + +commit c33a3d9aadcc4c0ff90f330239eff4b7c905a022 +Author: Patrick Schleizer +Date: Fri Nov 3 10:44:48 2023 -0400 + + readme + +commit d71ac03d96c9861513ff56c68aec9090ef5c50bb +Author: Patrick Schleizer +Date: Fri Nov 3 10:36:15 2023 -0400 + + comment + +commit 8326aecdb460fffa450bbf3ec0b051010f87ee2a +Author: Patrick Schleizer +Date: Fri Nov 3 10:33:02 2023 -0400 + + bumped changelog version + +commit b85d48eb83005da8fd9edc658c71493f407e3670 +Author: Patrick Schleizer +Date: Fri Nov 3 10:31:59 2023 -0400 + + do not change default umask for root + + since this causes permission issues in `/etc/` + + https://github.com/Kicksecure/security-misc/pull/151 + +commit 07540db90d60b10cbd10881b0024d8e8871330de +Author: Patrick Schleizer +Date: Fri Nov 3 09:45:12 2023 -0400 + + Revert "Revert 
"set default umask to 027"" + + This reverts commit f8913ceb2e2fdd274011377c41b5d08e7459e4af. + +commit f8913ceb2e2fdd274011377c41b5d08e7459e4af +Author: Patrick Schleizer +Date: Fri Nov 3 09:43:44 2023 -0400 + + Revert "set default umask to 027" + + This reverts commit cd216095eb8d9387437e653d7764ec765ce42a10. + +commit 43bd789c30a562aa60349d019107277a428aece8 +Author: Patrick Schleizer +Date: Fri Nov 3 09:28:08 2023 -0400 + + bumped changelog version + +commit cd216095eb8d9387437e653d7764ec765ce42a10 +Author: Patrick Schleizer +Date: Fri Nov 3 09:12:24 2023 -0400 + + set default umask to 027 + + using package libpam-umask + + https://www.debian.org/doc/manuals/securing-debian-manual/ch04s11.en.html#id-1.5.14.19 + + https://github.com/Kicksecure/security-misc/pull/151 + +commit ac224b270a3a0945d187202f8cca89af0e71a166 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Thu Nov 2 13:01:55 2023 +0000 + + disable sysrq + +commit 07882f61a8003026a9e4c135a6e18a8fd204060f +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Thu Nov 2 10:44:19 2023 +0000 + + enable service on install + + not sure if this would be the right way to do it + +commit 9f063584c1f96267b04f8f7fe0eee773f9345370 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Thu Nov 2 10:28:41 2023 +0000 + + disable-kernel-module-loading + +commit 3e604618a8ba2531553af4f9af00470bd9629615 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Thu Nov 2 10:24:35 2023 +0000 + + harden-module-loading.service + +commit 3ee4be652b28201ba208757ce5144e51c453ad70 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Thu Nov 2 09:36:58 2023 +0000 + + depend on libpam-tmpdir + +commit 1abac794b564d178df37a385cf0d25bac5842c3c +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Thu Nov 2 09:15:20 2023 +0000 + + very secure and private defaults + +commit 
5a583ca48ce608fee4fe55c1d6948505e83a98d8 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Thu Nov 2 08:30:26 2023 +0000 + + typo in file name + +commit 229032d691c614a926cf3cf96b44752364e4e087 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Wed Nov 1 17:54:05 2023 +0000 + + Rename etc/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf to usr/lib/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf + +commit 1049298e7bfa4ca0e8f02b4086f8aa086d51c725 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Wed Nov 1 17:52:40 2023 +0000 + + Update and rename etc/NetworkManager/conf.d/99_randomize-mac.conf to usr/lib/NetworkManager/conf.d/99_randomize-mac.conf + +commit 76e684cc0ac0544219d200eeefae1356864fe702 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Wed Nov 1 17:51:27 2023 +0000 + + Update and rename etc/NetworkManager/conf.d/99_ipv6-privacy.conf to usr/lib/NetworkManager/conf.d/99_ipv6-privacy.conf + +commit a768f1f1ebfc29b0c0105f2965a4290f8dfd8e63 +Author: Patrick Schleizer +Date: Wed Nov 1 12:26:21 2023 -0400 + + bumped changelog version + +commit bb14a058520b13e242fea9f3022c439c4677bd1d +Merge: 5ed2a5c 44906e8 +Author: Patrick Schleizer +Date: Wed Nov 1 11:11:54 2023 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 44906e8f398aae6e9565b131b82124e738e2d0d1 +Merge: 5ed2a5c f2c23a2 +Author: Patrick Schleizer +Date: Wed Nov 1 11:11:27 2023 -0400 + + Merge pull request #142 from monsieuremre/patch-5 + + ssh config + +commit 5ed2a5ce4a24a1a9c3e722a30aa9c6af1dc5d78a +Author: Patrick Schleizer +Date: Wed Nov 1 11:10:36 2023 -0400 + + bumped changelog version + +commit bb1161986b6d108c4fc5a16a48cdac55f98ab35d +Merge: 7d57684 b7cddd6 +Author: Patrick Schleizer +Date: Wed Nov 1 10:31:04 2023 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit b7cddd6e552cb5f5139de91ef2aeae6fde691136 +Merge: 7d57684 
c975c3c +Author: Patrick Schleizer +Date: Wed Nov 1 10:30:26 2023 -0400 + + Merge pull request #143 from monsieuremre/patch-6 + + new lines 990-security-misc.conf + +commit fc8e201e84e4c777c087fd113c539ca368fd3a31 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Fri Oct 27 14:49:24 2023 +0000 + + rename + +commit 90a88225a4fde2f09cc14b24f8467bb1ded90c9d +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Fri Oct 27 14:38:31 2023 +0000 + + security-misc.maintscript + +commit 13b4ddbb627d2279b41d1dcbe5c8ce1ac384b088 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Fri Oct 27 14:34:21 2023 +0000 + + 30_security-misc.conf + +commit b298d152fc10c66892698d9dcae769a44a32037b +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Fri Oct 27 14:32:08 2023 +0000 + + 30_security-misc.conf + +commit 3d4b04fddc16067ed345074683281e74f41eeadf +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Fri Oct 27 12:35:39 2023 +0000 + + 99_ipv6-privacy.conf + +commit e90f62eaabfeee7483af573ef8e9d015ba1977dc +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Fri Oct 27 12:34:15 2023 +0000 + + 99_randomize_mac.conf + +commit 604d839537c409604ed2c4c88992ea1a31368f6f +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Fri Oct 27 12:30:26 2023 +0000 + + 99_ipv6-privacy-extensions.conf + +commit c975c3c0ff7cc5a1e29b651c2db6c27e3f952870 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Fri Oct 27 11:07:53 2023 +0000 + + new lines 990-security-misc.conf + + added new recommended hardening settings with comments + +commit f2c23a28319e359c642da2dde424456a1064763f +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Fri Oct 27 10:53:45 2023 +0000 + + ssh config + +commit 7d576842fb6f3c124db2b6deb5abfc095974a67f +Author: Patrick Schleizer +Date: Thu Oct 26 
20:08:41 2023 -0400 + + bumped changelog version + +commit 7cff267002485fd0abca98d12b0024e061f4ba51 +Author: Patrick Schleizer +Date: Thu Oct 26 19:31:14 2023 -0400 + + remove duplicates + +commit 928cdb81d43dfd337c82917182d2914d9c9d0915 +Merge: a330a9f 39fed05 +Author: Patrick Schleizer +Date: Thu Oct 26 19:29:55 2023 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 39fed058f4734029b303fac4ea9a1b11f652fab4 +Merge: 92a6ecc 99355c6 +Author: Patrick Schleizer +Date: Thu Oct 26 19:27:41 2023 -0400 + + Merge pull request #140 from monsieuremre/patch-3 + + New lines in default permission config + +commit a330a9fd75314931639e7e873adc31c5cc65d555 +Author: Patrick Schleizer +Date: Thu Oct 26 19:20:21 2023 -0400 + + refactor permission-lockdown + +commit 8bf5ff82be706599f33228ecd6df42be0dc29f39 +Merge: 1123d23 92a6ecc +Author: Patrick Schleizer +Date: Thu Oct 26 19:15:04 2023 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 92a6ecc40a4d3bd4d8f3cec7dd9b1334c72399dc +Merge: ca9603a 91c4452 +Author: Patrick Schleizer +Date: Thu Oct 26 19:13:34 2023 -0400 + + Merge pull request #141 from monsieuremre/patch-4 + + New permission-lockdown + +commit 1123d23114201988ac3f5f50ab6e74a5307d3d52 +Author: Patrick Schleizer +Date: Thu Oct 26 18:45:07 2023 -0400 + + remount-secure: disable debugging to save space in initrd + +commit 91c445244c47c163e2466f8c4dff710eda20c337 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Thu Oct 26 19:41:07 2023 +0000 + + actually we do it once indeed + +commit 88f396264ca9d072e4e5de4e1acaee54f3b39749 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Thu Oct 26 19:35:59 2023 +0000 + + avoiding /etc/passwd + +commit b5ba03247a5b5bb1f4e010130e4a575ad1397117 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Thu Oct 26 19:31:25 2023 +0000 + + readability + +commit f487752ba1b469eb0b2f85657e2ee0860f58496b +Author: 
monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Thu Oct 26 19:30:58 2023 +0000 + + not limiting ourselves. we do not do this not just once. + +commit 88cd5a905d8aa0f6033ac4ba72903fbad4a90b4b +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Thu Oct 26 19:25:24 2023 +0000 + + strip unnecessary + +commit d9f10c221a2b6794f0a3c5bcd1c15e2a4f352751 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Thu Oct 26 18:17:50 2023 +0000 + + new permission-lockdown + +commit 99355c616974d167e3a5424d63cd56b1f64f0eaf +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Thu Oct 26 17:45:28 2023 +0000 + + new lines 30_default.conf + +commit ca9603af1713ff37392662c9d1b4251052e7b983 +Author: Patrick Schleizer +Date: Thu Oct 26 12:23:48 2023 -0400 + + bumped changelog version + +commit 5f4222c1c3d7fa057b31bba7b0b5c2e83c92a7be +Author: Patrick Schleizer +Date: Thu Oct 26 12:20:48 2023 -0400 + + enable SUID Disabler and Permission Hardener by default + + https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener + + https://forums.whonix.org/t/suid-disabler-and-permission-hardener/7706 + +commit e5d989af5ac2899985c48d60311856fb86e0ddeb +Author: Patrick Schleizer +Date: Thu Oct 26 12:04:13 2023 -0400 + + comment + +commit 8557e0963ed6159f7f6c816ad4e009cc7323a760 +Author: Patrick Schleizer +Date: Wed Oct 25 17:55:37 2023 -0400 + + bumped changelog version + +commit b7e2d49f5f3f49fab2e1c0647f10bda1921e0a80 +Author: Patrick Schleizer +Date: Wed Oct 25 17:41:05 2023 -0400 + + comment + +commit 5d71217e597aa3366658524ec5395c9f76dd527b +Merge: 6a22351 a2f811a +Author: Patrick Schleizer +Date: Wed Oct 25 17:40:13 2023 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 6a22351d298e475ecae22bb99249a308b294ff9a +Author: Patrick Schleizer +Date: Wed Oct 25 17:30:07 2023 -0400 + + renamed: usr/lib/sysctl.d/30_security-misc.conf -> 
usr/lib/sysctl.d/990-security-misc.conf + +commit b7c52800f4c16b1573e372089704a68fd47c5906 +Author: Patrick Schleizer +Date: Wed Oct 25 17:28:43 2023 -0400 + + renamed: etc/sysctl.d/30_security-misc.conf -> usr/lib/sysctl.d/30_security-misc.conf + renamed: etc/sysctl.d/30_security-misc_kexec-disable.conf -> usr/lib/sysctl.d/30_security-misc_kexec-disable.conf + renamed: etc/sysctl.d/30_silent-kernel-printk.conf -> usr/lib/sysctl.d/30_silent-kernel-printk.conf + +commit a2f811aff0cb4e73c3975093012c223127495707 +Merge: 3317332 ee6716e +Author: Patrick Schleizer +Date: Wed Oct 25 17:26:46 2023 -0400 + + Merge pull request #135 from monsieuremre/kernel-fix + + Kernel hardening fix + +commit ee6716e178806912da08b671ae31504ed2f3ac56 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Tue Oct 24 20:43:10 2023 +0000 + + security-misc.maintscript + +commit 3317332cb431115f81d832ba974181c74427c884 +Author: Patrick Schleizer +Date: Tue Oct 24 05:51:11 2023 -0400 + + bumped changelog version + +commit 42c802cd1eca3d2586abde871e4842cdf83490c4 +Merge: f3b40f1 5320c11 +Author: Patrick Schleizer +Date: Tue Oct 24 05:30:15 2023 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 5320c11f3f92b66b7dcab7ca1f67fcba2de5deba +Merge: f3b40f1 f0857fd +Author: Patrick Schleizer +Date: Tue Oct 24 05:22:33 2023 -0400 + + Merge pull request #134 from monsieuremre/patch-1 + + Fix double mount issue for /var/log and /var/tmp + +commit 1f489719efb37492b9c040ba4e332e8dd70fde1f +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Mon Oct 23 16:38:58 2023 +0000 + + rename + +commit 9dda6f69a7df792966005f9c6feb057483cd9ea4 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Mon Oct 23 16:38:40 2023 +0000 + + more rename + +commit 89381fe7abcc2f4418b95c3eb290c975bf6d612c +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Mon Oct 23 16:38:23 2023 +0000 + + rename + +commit 
f0857fd5608525115bd8a96c2f75368263f6f830 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Mon Oct 23 15:33:05 2023 +0000 + + Fix double mount issue for /var/log and /var/tmp + + Mounting var with bind and mounting a subdirectory causes /var/tmp and /var/log bind mounted twice each. can be checked with lsblk. When we bind mount var only after having mounted the subdirectories, everything is mounted only one. + +commit f3b40f12cb4bad0f2f00d4ba2dec59fb315c0798 +Author: Patrick Schleizer +Date: Sun Oct 22 19:23:22 2023 -0400 + + bumped changelog version + +commit d2e8a6dad3b94d574cb9c043303160b06893ab97 +Author: Patrick Schleizer +Date: Sun Oct 22 19:21:51 2023 -0400 + + debugging + +commit e7aafd64d4418d43426b310653861f9024a54255 +Author: Patrick Schleizer +Date: Sun Oct 22 19:16:12 2023 -0400 + + refactoring + +commit ee15f749bb4e68350498e52e8505bed43c98cbaf +Author: Patrick Schleizer +Date: Sun Oct 22 16:54:58 2023 -0400 + + bumped changelog version + +commit d521662d04892fb6d5477fa4450fb5488892a87a +Author: Patrick Schleizer +Date: Sun Oct 22 16:49:36 2023 -0400 + + comment + +commit 0e80acf38d430784fbb779f4f10c81bfe8a3813f +Author: Patrick Schleizer +Date: Sun Oct 22 16:45:10 2023 -0400 + + fix + +commit a1c3b87fcee07496af4b42e387b46488b58b73a0 +Author: Patrick Schleizer +Date: Sun Oct 22 16:29:08 2023 -0400 + + bumped changelog version + +commit f6d1346e2bde51cd70bc60246c0bfba923c00c3d +Author: Patrick Schleizer +Date: Sun Oct 22 16:22:08 2023 -0400 + + fix + +commit 9a649ddd091b116c9091f3fa582d411b5186375a +Author: Patrick Schleizer +Date: Sun Oct 22 16:16:40 2023 -0400 + + bumped changelog version + +commit 11382881b56556741fad5f0291ccb57a24e9c617 +Author: Patrick Schleizer +Date: Sun Oct 22 16:12:26 2023 -0400 + + comments + +commit 5182d7502b34a95fd751c69c4bc3f01d5f5e02b9 +Author: Patrick Schleizer +Date: Sun Oct 22 16:08:21 2023 -0400 + + improve remount-secure + +commit 555d83792df9aa599ae9e0e7c41af49b0601c1c1 +Author: Patrick 
Schleizer +Date: Sun Oct 22 15:44:47 2023 -0400 + + bumped changelog version + +commit a88c0a3ad2d83fe72612faf97866e255c5527384 +Author: Patrick Schleizer +Date: Sun Oct 22 15:44:30 2023 -0400 + + fix + +commit 316282952f7d2470c89f268beea01b8bac9bb4bb +Author: Patrick Schleizer +Date: Sun Oct 22 15:40:59 2023 -0400 + + bumped changelog version + +commit a7629b98cf4e7f86bab07c2b75fa712adcd63ee5 +Author: Patrick Schleizer +Date: Sun Oct 22 15:40:49 2023 -0400 + + fix + +commit 7112eac3be014938f757e0c0def74bb04dc72d2f +Author: Patrick Schleizer +Date: Sun Oct 22 15:37:21 2023 -0400 + + output + +commit f80b5fe3767502f6890bdfb7bc32a602c94828d6 +Author: Patrick Schleizer +Date: Sun Oct 22 15:36:16 2023 -0400 + + fix + +commit ce0babce215dc4ec08101cff5e0d25ad6ec87e70 +Author: Patrick Schleizer +Date: Sun Oct 22 15:35:03 2023 -0400 + + comment + +commit fa0804b7ae46ecfc1e9e82ca83342c9d456aa9c3 +Author: Patrick Schleizer +Date: Sun Oct 22 15:33:21 2023 -0400 + + bumped changelog version + +commit 70cbe4daaa5cd857c49f2f9b9241f24e2867ab5a +Author: Patrick Schleizer +Date: Sun Oct 22 15:33:11 2023 -0400 + + fix + +commit 36f2acb93f65958b27bae030f1d2bd66a278e073 +Author: Patrick Schleizer +Date: Sun Oct 22 15:28:04 2023 -0400 + + bumped changelog version + +commit 9b9e9ce1c0feb4ca854189754c47ca826eef1c32 +Author: Patrick Schleizer +Date: Sun Oct 22 15:27:01 2023 -0400 + + fix + +commit 3731716a497c233127bff3febbe22d5cf088aad8 +Author: Patrick Schleizer +Date: Sun Oct 22 15:14:22 2023 -0400 + + fix + +commit eec87a0508a6242430a1f0b8ad341f4c3ea43059 +Author: Patrick Schleizer +Date: Sun Oct 22 15:11:26 2023 -0400 + + fix + +commit f3286cf440992661ba85b5c7e41b92ffaca62cf3 +Author: Patrick Schleizer +Date: Sun Oct 22 15:10:21 2023 -0400 + + fix + +commit eb90d38d8ca6d6292dbb8013bb9bca8ec26f4792 +Author: Patrick Schleizer +Date: Sun Oct 22 15:05:33 2023 -0400 + + fix + +commit f44020973897d98fdc21ced748ad64106979829e +Author: Patrick Schleizer +Date: Sun Oct 22 14:46:42 2023 -0400 
+ + bumped changelog version + +commit 7f03c2b13742e583e426c91ff4e111b6c0e7da43 +Author: Patrick Schleizer +Date: Sun Oct 22 14:45:45 2023 -0400 + + fix + +commit c85db586cadbe781704e62405a76e43650046d2c +Author: Patrick Schleizer +Date: Sun Oct 22 14:44:58 2023 -0400 + + improve + +commit 7c0ea4324aa1713f365f7352a3e4db1b703d9750 +Author: Patrick Schleizer +Date: Sun Oct 22 14:39:52 2023 -0400 + + fix + +commit b29b626b41545fd49b67631820ae40d0fe000f22 +Author: Patrick Schleizer +Date: Sun Oct 22 14:30:28 2023 -0400 + + bumped changelog version + +commit 6198ae317c4d8cbd06d95d5e2a585892f455cab6 +Author: Patrick Schleizer +Date: Sun Oct 22 14:29:02 2023 -0400 + + fix + +commit 245fad09868c2d84bee66d65ecca32704786919b +Author: Patrick Schleizer +Date: Sun Oct 22 14:00:06 2023 -0400 + + fix + +commit 619f1705e13232680f38bc630f19f2ace32f48ad +Author: Patrick Schleizer +Date: Sun Oct 22 13:58:55 2023 -0400 + + output + +commit 52fa7db0874be85a3db296499ab76f84a5f518db +Author: Patrick Schleizer +Date: Sun Oct 22 13:57:38 2023 -0400 + + output + +commit 8a592c2e371de1136d566e707ba56ce89309230a +Author: Patrick Schleizer +Date: Sun Oct 22 13:56:17 2023 -0400 + + fix remountsecure kernel parameter logic + +commit 3c183294cd8a402418eafc1e657c6524be49c487 +Author: Patrick Schleizer +Date: Sun Oct 22 13:31:55 2023 -0400 + + bumped changelog version + +commit e689f38ad0ba9727d482dbab25ea5d88e67a8edf +Author: Patrick Schleizer +Date: Sun Oct 22 13:31:44 2023 -0400 + + todo + +commit 6675a2e93194ea15daeb22bee707cf49563f69fe +Author: Patrick Schleizer +Date: Sun Oct 22 13:30:50 2023 -0400 + + fix + +commit 4288e10554f854d6dd9be092ddbf6a62686b1549 +Author: Patrick Schleizer +Date: Sun Oct 22 13:25:31 2023 -0400 + + fix, rework remount-secure kernel parameters parsing + +commit b0181af099a2bc20a6d8cc20e6e27371ecc50bf1 +Author: Patrick Schleizer +Date: Sun Oct 22 13:12:25 2023 -0400 + + fix + +commit 28cb53341d48ece9e042caea03e7159b0f93c2ee +Author: Patrick Schleizer +Date: Sun Oct 22 
13:11:44 2023 -0400 + + remount-secure dracut module: improve output + +commit f70f36e6cfead0038075d715e430e15aedae459f +Author: Patrick Schleizer +Date: Sun Oct 22 12:55:41 2023 -0400 + + bumped changelog version + +commit 479ab61a1d0c91d26c2cd200d97b39b2b786e073 +Author: Patrick Schleizer +Date: Sun Oct 22 12:55:20 2023 -0400 + + remove no longer required remount-service systemd unit + +commit 84ca0ac8a0b6a72a28e030081299b402749b9348 +Author: Patrick Schleizer +Date: Sun Oct 22 12:54:25 2023 -0400 + + improve remount-secure + +commit 1696c37251fe6158118ac3a694c2e11439de5c46 +Author: Patrick Schleizer +Date: Sun Oct 22 11:28:18 2023 -0400 + + bumped changelog version + +commit e7d30955e88b0a052e9159c11f4c1e1a47dadb49 +Author: Patrick Schleizer +Date: Sun Oct 22 11:28:08 2023 -0400 + + debugging + +commit 975a017dec26f671b7869ba4ad94b3a4d2faf999 +Author: Patrick Schleizer +Date: Sun Oct 22 11:13:05 2023 -0400 + + bumped changelog version + +commit 8eb4607a0e8c3db10f64e4ed5a02e87fd3ee8903 +Author: Patrick Schleizer +Date: Sun Oct 22 11:12:54 2023 -0400 + + improve + +commit f1da0ce7461fab2eeb421daa886ddd9856c9fd52 +Author: Patrick Schleizer +Date: Sun Oct 22 11:11:10 2023 -0400 + + fix + +commit 26826e8398c4d3feed07e8e3e095a87bbde9907a +Author: Patrick Schleizer +Date: Sun Oct 22 11:06:34 2023 -0400 + + fix + +commit a423b85f81e0c066271ad7db78902ccddbeabb5a +Author: Patrick Schleizer +Date: Sun Oct 22 10:50:30 2023 -0400 + + bumped changelog version + +commit 233fa4625bb60ef65c707d28e7c8a51ef5a1d66e +Author: Patrick Schleizer +Date: Sun Oct 22 10:49:53 2023 -0400 + + output + +commit 3ebe8cf4de5c77f26f93ac40bdc596c0c38451f5 +Author: Patrick Schleizer +Date: Sun Oct 22 10:41:42 2023 -0400 + + refactoring + +commit 24d2e26397e8f1e8e350fb60206ab1c5b597cbe6 +Author: Patrick Schleizer +Date: Sun Oct 22 10:40:19 2023 -0400 + + no longer reproducible + +commit fcba70df2e4e6c71fd29852d6f0b20f80e2e2d5e +Author: Patrick Schleizer +Date: Sun Oct 22 10:38:48 2023 -0400 + + 
refactoring + +commit a05bd3dd0e7319807fa7ea523407ec82ce8aa39c +Author: Patrick Schleizer +Date: Sun Oct 22 10:37:02 2023 -0400 + + /home last because most likely to fail + +commit 41077c94fbc1a0c90ee870292fe82e16a70b52f1 +Author: Patrick Schleizer +Date: Sun Oct 22 10:32:24 2023 -0400 + + improve remount-secure + +commit ef69e512bd2e2eba0e292470bfef6336216e2605 +Author: Patrick Schleizer +Date: Sun Oct 22 10:25:57 2023 -0400 + + refactoring + +commit d5cb7ecec9d10069e2e37a2f88680dff6d3f6eb6 +Author: Patrick Schleizer +Date: Sun Oct 22 10:22:21 2023 -0400 + + use findmnt + +commit 1120d0652ddead556801958973d61502b75f9fc7 +Author: Patrick Schleizer +Date: Sun Oct 22 10:16:53 2023 -0400 + + bumped changelog version + +commit 45ce0ff74d8f42d6a424e0742989008403891f8a +Author: Patrick Schleizer +Date: Sun Oct 22 10:16:43 2023 -0400 + + debugging + +commit b81a991731e912fa0f7d4ca59b0531bafb02a25a +Author: Patrick Schleizer +Date: Sun Oct 22 10:15:11 2023 -0400 + + fix + +commit 292a5c3a8a37bc9dd807913bd76826e57e978b67 +Author: Patrick Schleizer +Date: Sun Oct 22 10:11:31 2023 -0400 + + fix + +commit bb57b1a289cc64cc5b2ab5518c151df5355a9f29 +Author: Patrick Schleizer +Date: Sun Oct 22 10:10:51 2023 -0400 + + fix + +commit 4f6f45fb3902f6c49d01b5ccb33a4e24804cd02a +Author: Patrick Schleizer +Date: Sun Oct 22 10:01:54 2023 -0400 + + bumped changelog version + +commit 181a6424796b1cafc87a8d74aad197135381a389 +Author: Patrick Schleizer +Date: Sun Oct 22 10:01:38 2023 -0400 + + root check + +commit 84fd41931ce3ba4d6e3785dc8052ee14ce62b80e +Author: Patrick Schleizer +Date: Sun Oct 22 09:44:17 2023 -0400 + + /var/run -> /run + +commit 33d97a2560fe4aaab24f90057e825802541a408b +Author: Patrick Schleizer +Date: Sun Oct 22 09:39:54 2023 -0400 + + improve output of remount-secure dracut module + +commit c409e3221e179437ed0b162dde1e72cd116ba795 +Author: Patrick Schleizer +Date: Sun Oct 22 09:36:03 2023 -0400 + + implement remount-secure + +commit 
f472ce690ae350085d40cfd5ec46084dc559a51d +Author: Patrick Schleizer +Date: Sun Oct 22 08:57:35 2023 -0400 + + comments + +commit 90f2b5e11c341c38bb0b11db603ceeba28e14b1c +Author: Patrick Schleizer +Date: Sun Oct 22 08:51:37 2023 -0400 + + code simplification + +commit 167683ce763e97838e62950f00313b63d7c968b0 +Author: Patrick Schleizer +Date: Sun Oct 22 08:50:57 2023 -0400 + + code simplification + +commit 05e9accf64a3a6bfa24aac7aaa62620f814b05d1 +Author: Patrick Schleizer +Date: Sun Oct 22 08:12:30 2023 -0400 + + bumped changelog version + +commit e065f85c8809d04a9a4c041dd8b9b81bacd04e24 +Author: Patrick Schleizer +Date: Sun Oct 22 08:10:48 2023 -0400 + + add remount-secure dracut module + +commit f0ee470ecd0fc37125165dd6a5cefb47339b14b4 +Author: Patrick Schleizer +Date: Sun Oct 22 07:51:05 2023 -0400 + + comment + +commit e257f2a3806ba7013e8e47005fde1385044bc8d9 +Author: Patrick Schleizer +Date: Sun Oct 22 07:50:14 2023 -0400 + + remount-secure: + no longer use /usr/libexec/helper-scripts/pre.bsh as not simple with dracut + +commit 27b3ba8bdf2556066a4be02cd1be9a4451a591b2 +Author: Patrick Schleizer +Date: Sun Oct 22 07:06:00 2023 -0400 + + bumped changelog version + +commit ed11c68ac64c1ec4eaa590dbb56734d450c89b04 +Author: Patrick Schleizer +Date: Sun Oct 22 06:51:52 2023 -0400 + + move remount-secure to /usr/bin/remount-secure to make it easier to manually run + +commit 6f4bf57ff2bc878f03a50d91a5db0afaf897d70e +Author: Patrick Schleizer +Date: Sun Oct 22 06:48:56 2023 -0400 + + `remount-secure`: add support for `--force`; output + +commit 6dec5cb1d6b841bc6ea92986d6567902109f5ed0 +Author: Patrick Schleizer +Date: Sun Oct 22 06:32:19 2023 -0400 + + debugging + +commit bc768aa196a08218aac0b6ef1c4ca013f2034122 +Author: Patrick Schleizer +Date: Sun Oct 22 06:31:57 2023 -0400 + + output + +commit c069c73109b45fbb8fa230ad4f90f4252db730f2 +Author: Patrick Schleizer +Date: Sun Oct 22 06:29:38 2023 -0400 + + refactoring + +commit abc35927345e14bbe4b9f13d205a648ce7a8bd8d 
+Author: Patrick Schleizer +Date: Sun Oct 22 06:23:48 2023 -0400 + + remount-secure: stricter error handling + +commit 59a5fea25d0b0c39a6e7b3b11f9242ebe5eaa462 +Author: Patrick Schleizer +Date: Sun Oct 22 05:41:56 2023 -0400 + + documentation + +commit ac63b0eb3db3d168908459fecd6b3275cce015bc +Author: Patrick Schleizer +Date: Sun Oct 22 05:41:11 2023 -0400 + + remove duplicate + +commit ef3f1575733c668f652326cdb4f4fba8c71bf0ed +Author: Patrick Schleizer +Date: Sat Oct 21 14:19:24 2023 -0400 + + bumped changelog version + +commit ae2c1c5a7a02a5f3f6a8bcd4a90fdc9e3b512e62 +Author: Patrick Schleizer +Date: Sat Oct 21 14:18:50 2023 -0400 + + fix xession environment variable + +commit 43375fa1f4d32f04907edf1297fef737342b49ea +Author: Patrick Schleizer +Date: Sat Oct 21 12:34:59 2023 -0400 + + bumped changelog version + +commit d543825d85a5d84274c21cd85db6df777948606e +Author: Patrick Schleizer +Date: Sat Oct 21 12:24:59 2023 -0400 + + comments + +commit dd43ab634d9ab0a59234798e1b14ba99099c65c9 +Author: Patrick Schleizer +Date: Fri Oct 13 15:22:58 2023 -0400 + + bumped changelog version + +commit 645ee814e4f3dc330dd6fb24ec4fac0e278c4f42 +Author: Patrick Schleizer +Date: Fri Oct 13 15:22:48 2023 -0400 + + fix + +commit 13a4f37e50805a0e51b8f63808e166318e39a074 +Author: Patrick Schleizer +Date: Thu Oct 12 12:51:37 2023 -0400 + + bumped changelog version + +commit 2d4524108445829d7ac80e828e9a1442cf038a6b +Author: Patrick Schleizer +Date: Thu Oct 12 11:37:01 2023 -0400 + + avoid duplicate environment variables + +commit e96e6aa38e29888a64fa35f85becc1596118a812 +Author: Patrick Schleizer +Date: Thu Oct 12 10:43:40 2023 -0400 + + bumped changelog version + +commit fa820e897895eda93011a0f2bbd915ffffcb1459 +Author: Patrick Schleizer +Date: Thu Oct 12 10:40:27 2023 -0400 + + refactoring environment variables loading mechanism + +commit 358e4226f1b3db32e560e4bbe1c663828eac7059 +Author: Patrick Schleizer +Date: Mon Jul 17 11:48:35 2023 -0400 + + bumped changelog version + +commit 
81ad786dfcdd416056c6ae8a9d02231bda6fcbde +Author: Patrick Schleizer +Date: Mon Jul 17 11:19:07 2023 -0400 + + Kicksecure + +commit ab56b7ca0cf1a2cb6bc19514750ca618f4ebb7fe +Author: Patrick Schleizer +Date: Mon Jul 17 11:10:05 2023 -0400 + + Kicksecure + +commit 29aaf13c13ec1023d33e84442db0f5afeaa4436d +Author: Patrick Schleizer +Date: Fri Jun 23 08:18:12 2023 +0000 + + bumped changelog version + commit 8a6baea99017fd971ae4a5e89599b87bc945b276 Author: Patrick Schleizer Date: Thu Jun 22 16:16:15 2023 +0000 diff --git a/debian/changelog b/debian/changelog index feb67f5..63a49d9 100644 --- a/debian/changelog +++ b/debian/changelog 
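Review bot: most entries in this changelog.upstream hunk are one-word messages ("fix", "output", "debugging", "comment", "bumped changelog version"), particularly the Oct 22 2023 run, so the file records nothing about what the remount-secure dracut module work actually changed or why; the commits that carry behaviour changes an upgrading admin needs to know about are c409e32 "implement remount-secure", 8a592c2 "fix remountsecure kernel parameter logic", 4288e10 "fix, rework remount-secure kernel parameters parsing", 479ab61 "remove no longer required remount-service systemd unit", 5f4222c "enable SUID Disabler and Permission Hardener by default", and the b7c5280/6a22351 moves of the sysctl drop-ins from etc/sysctl.d to usr/lib/sysctl.d with 30_security-misc.conf renamed to 990-security-misc.conf. The last of these deserves a sentence of rationale: moving the files to /usr/lib lets an administrator override them with a same-named file in /etc/sysctl.d, and the 990- prefix sorts the package's values after almost every other drop-in so they win on conflicting keys, which is a precedence change, not a cosmetic rename. Commit 1123d23 "remount-secure: disable debugging to save space in initrd" strips diagnostics from a script that runs in the initrd; it would be worth stating how a failed remount is still surfaced on the console, since a silently skipped nosuid/nodev/noexec remount is exactly the failure mode this module exists to prevent. Consider squashing the fix-up commits, or summarising the substantive ones in debian/changelog instead of "New upstream version".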
@@ -1,3 +1,1023 @@ +security-misc (3:46.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 02 Jul 2025 20:52:17 +0000 + +security-misc (3:46.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 14 Jun 2025 11:51:44 +0000 + +security-misc (3:46.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 28 May 2025 13:48:11 +0000 + +security-misc (3:46.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 28 May 2025 12:12:00 +0000 + +security-misc (3:45.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 27 May 2025 19:41:25 +0000 + +security-misc (3:45.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 27 May 2025 15:51:50 +0000 + +security-misc (3:45.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 21 May 2025 22:06:01 +0000 + +security-misc (3:45.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 21 May 2025 15:52:16 +0000 + +security-misc (3:45.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 21 May 2025 13:58:18 +0000 + +security-misc (3:45.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 21 May 2025 11:23:39 +0000 + +security-misc (3:45.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 20 May 2025 11:40:27 +0000 + +security-misc (3:45.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 25 Apr 2025 09:54:23 +0000 + +security-misc (3:45.1-1) unstable; urgency=medium + + * New upstream version (local package). 
+ + -- Patrick Schleizer Fri, 25 Apr 2025 08:19:34 +0000 + +security-misc (3:45.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 21 Apr 2025 10:21:54 +0000 + +security-misc (3:44.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 19 Apr 2025 17:33:56 +0000 + +security-misc (3:44.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 15 Apr 2025 20:59:37 +0000 + +security-misc (3:44.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 10 Apr 2025 11:38:17 +0000 + +security-misc (3:44.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 09 Apr 2025 15:15:59 +0000 + +security-misc (3:44.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 08 Apr 2025 14:08:24 +0000 + +security-misc (3:44.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 03 Mar 2025 11:00:37 +0000 + +security-misc (3:44.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 09 Feb 2025 23:04:36 +0000 + +security-misc (3:44.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 31 Jan 2025 19:38:41 +0000 + +security-misc (3:44.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 30 Jan 2025 12:58:48 +0000 + +security-misc (3:44.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 29 Jan 2025 14:36:41 +0000 + +security-misc (3:43.9-1) unstable; urgency=medium + + * New upstream version (local package). 
+ + -- Patrick Schleizer Thu, 23 Jan 2025 16:28:58 +0000 + +security-misc (3:43.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 22 Jan 2025 14:11:21 +0000 + +security-misc (3:43.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 22 Jan 2025 13:52:29 +0000 + +security-misc (3:43.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 20 Jan 2025 11:35:08 +0000 + +security-misc (3:43.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 20 Jan 2025 10:11:42 +0000 + +security-misc (3:43.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 17 Jan 2025 13:35:27 +0000 + +security-misc (3:43.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 15 Jan 2025 15:02:43 +0000 + +security-misc (3:43.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 14 Jan 2025 14:32:12 +0000 + +security-misc (3:43.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 14 Jan 2025 14:30:58 +0000 + +security-misc (3:43.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 14 Jan 2025 14:16:45 +0000 + +security-misc (3:42.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 14 Jan 2025 14:07:50 +0000 + +security-misc (3:42.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 14 Jan 2025 14:06:50 +0000 + +security-misc (3:42.7-1) unstable; urgency=medium + + * New upstream version (local package). 
+ + -- Patrick Schleizer Tue, 14 Jan 2025 13:53:49 +0000 + +security-misc (3:42.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 14 Jan 2025 09:26:05 +0000 + +security-misc (3:42.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 14 Jan 2025 08:24:05 +0000 + +security-misc (3:42.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 12 Jan 2025 11:47:17 +0000 + +security-misc (3:42.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 10 Jan 2025 15:34:20 +0000 + +security-misc (3:42.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 06 Jan 2025 10:31:40 +0000 + +security-misc (3:42.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 31 Dec 2024 18:42:01 +0000 + +security-misc (3:42.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 31 Dec 2024 14:09:34 +0000 + +security-misc (3:41.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 26 Dec 2024 04:12:02 +0000 + +security-misc (3:41.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 24 Dec 2024 05:16:21 +0000 + +security-misc (3:41.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 20 Dec 2024 06:01:27 +0000 + +security-misc (3:41.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 20 Dec 2024 05:58:24 +0000 + +security-misc (3:41.5-1) unstable; urgency=medium + + * New upstream version (local package). 
+ + -- Patrick Schleizer Fri, 20 Dec 2024 05:48:48 +0000 + +security-misc (3:41.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 19 Dec 2024 10:58:50 +0000 + +security-misc (3:41.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 19 Dec 2024 09:43:26 +0000 + +security-misc (3:41.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 19 Dec 2024 06:57:42 +0000 + +security-misc (3:41.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 10 Dec 2024 19:19:10 +0000 + +security-misc (3:41.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 10 Dec 2024 19:17:10 +0000 + +security-misc (3:40.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 25 Nov 2024 21:07:41 +0000 + +security-misc (3:40.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 14 Nov 2024 22:24:50 +0000 + +security-misc (3:40.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 14 Nov 2024 20:46:26 +0000 + +security-misc (3:40.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 12 Nov 2024 09:11:57 +0000 + +security-misc (3:40.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 11 Nov 2024 11:07:57 +0000 + +security-misc (3:40.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 10 Nov 2024 11:52:42 +0000 + +security-misc (3:40.3-1) unstable; urgency=medium + + * New upstream version (local package). 
+ + -- Patrick Schleizer Wed, 30 Oct 2024 09:43:05 +0000 + +security-misc (3:40.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 23 Oct 2024 09:56:05 +0000 + +security-misc (3:40.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 16 Oct 2024 10:57:20 +0000 + +security-misc (3:40.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 08 Oct 2024 11:24:55 +0000 + +security-misc (3:39.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 03 Oct 2024 07:22:23 +0000 + +security-misc (3:39.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 25 Sep 2024 01:03:42 +0000 + +security-misc (3:39.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 14 Sep 2024 02:56:08 +0000 + +security-misc (3:39.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 08 Sep 2024 17:41:30 +0000 + +security-misc (3:39.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 04 Sep 2024 14:13:15 +0000 + +security-misc (3:39.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 29 Aug 2024 09:49:51 +0000 + +security-misc (3:39.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 28 Aug 2024 11:01:36 +0000 + +security-misc (3:39.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 25 Aug 2024 15:34:54 +0000 + +security-misc (3:39.1-1) unstable; urgency=medium + + * New upstream version (local package). 
+ + -- Patrick Schleizer Sun, 25 Aug 2024 14:33:39 +0000 + +security-misc (3:39.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 16 Aug 2024 08:38:11 +0000 + +security-misc (3:38.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 15 Aug 2024 17:51:18 +0000 + +security-misc (3:38.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 06 Aug 2024 14:01:38 +0000 + +security-misc (3:38.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 28 Jul 2024 20:50:21 +0000 + +security-misc (3:38.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 27 Jul 2024 16:13:34 +0000 + +security-misc (3:38.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 26 Jul 2024 15:40:23 +0000 + +security-misc (3:38.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 26 Jul 2024 09:40:58 +0000 + +security-misc (3:38.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 21 Jul 2024 10:40:13 +0000 + +security-misc (3:38.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 20 Jul 2024 17:02:04 +0000 + +security-misc (3:38.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 18 Jul 2024 18:05:06 +0000 + +security-misc (3:38.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 18 Jul 2024 14:11:35 +0000 + +security-misc (3:37.9-1) unstable; urgency=medium + + * New upstream version (local package). 
+ + -- Patrick Schleizer Thu, 18 Jul 2024 14:05:22 +0000 + +security-misc (3:37.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 15 Jul 2024 21:18:54 +0000 + +security-misc (3:37.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 13 Jul 2024 15:01:15 +0000 + +security-misc (3:37.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 11 Jun 2024 12:56:56 +0000 + +security-misc (3:37.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 01 Jun 2024 18:13:08 +0000 + +security-misc (3:37.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 01 Jun 2024 17:35:04 +0000 + +security-misc (3:37.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 28 May 2024 12:04:52 +0000 + +security-misc (3:37.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 18 May 2024 20:45:11 +0000 + +security-misc (3:37.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 10 May 2024 11:20:36 +0000 + +security-misc (3:37.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 12 Apr 2024 06:56:38 +0000 + +security-misc (3:36.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 01 Apr 2024 06:56:44 +0000 + +security-misc (3:36.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 18 Mar 2024 15:10:10 +0000 + +security-misc (3:36.7-1) unstable; urgency=medium + + * New upstream version (local package). 
+ + -- Patrick Schleizer Mon, 11 Mar 2024 15:07:50 +0000 + +security-misc (3:36.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 10 Mar 2024 13:19:26 +0000 + +security-misc (3:36.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 04 Mar 2024 11:48:30 +0000 + +security-misc (3:36.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 26 Feb 2024 13:32:44 +0000 + +security-misc (3:36.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 22 Feb 2024 20:08:17 +0000 + +security-misc (3:36.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 22 Feb 2024 19:58:00 +0000 + +security-misc (3:36.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 22 Feb 2024 16:07:16 +0000 + +security-misc (3:36.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 22 Feb 2024 14:52:54 +0000 + +security-misc (3:35.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 22 Feb 2024 14:50:05 +0000 + +security-misc (3:35.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 03 Feb 2024 18:28:26 +0000 + +security-misc (3:35.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 25 Jan 2024 13:59:29 +0000 + +security-misc (3:35.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 18 Jan 2024 14:10:50 +0000 + +security-misc (3:35.5-1) unstable; urgency=medium + + * New upstream version (local package). 
+ + -- Patrick Schleizer Wed, 17 Jan 2024 19:18:24 +0000 + +security-misc (3:35.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 16 Jan 2024 14:26:34 +0000 + +security-misc (3:35.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 16 Jan 2024 14:14:18 +0000 + +security-misc (3:35.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 16 Jan 2024 13:58:54 +0000 + +security-misc (3:35.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 09 Jan 2024 05:52:48 +0000 + +security-misc (3:35.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 04 Jan 2024 02:03:26 +0000 + +security-misc (3:34.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 02 Jan 2024 14:55:13 +0000 + +security-misc (3:34.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 29 Dec 2023 20:15:50 +0000 + +security-misc (3:34.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 25 Dec 2023 16:28:09 +0000 + +security-misc (3:34.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 22 Dec 2023 16:31:57 +0000 + +security-misc (3:34.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 12 Dec 2023 16:51:21 +0000 + +security-misc (3:34.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 04 Dec 2023 17:06:45 +0000 + +security-misc (3:34.3-1) unstable; urgency=medium + + * New upstream version (local package). 
+ + -- Patrick Schleizer Mon, 20 Nov 2023 13:13:10 +0000 + +security-misc (3:34.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 11 Nov 2023 22:29:57 +0000 + +security-misc (3:34.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 11 Nov 2023 20:22:34 +0000 + +security-misc (3:34.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 06 Nov 2023 22:28:21 +0000 + +security-misc (3:33.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 06 Nov 2023 02:13:14 +0000 + +security-misc (3:33.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 06 Nov 2023 01:14:33 +0000 + +security-misc (3:33.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 05 Nov 2023 23:17:59 +0000 + +security-misc (3:33.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 05 Nov 2023 22:43:33 +0000 + +security-misc (3:33.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 05 Nov 2023 21:46:18 +0000 + +security-misc (3:33.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 05 Nov 2023 21:04:02 +0000 + +security-misc (3:33.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 05 Nov 2023 20:58:21 +0000 + +security-misc (3:33.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 05 Nov 2023 20:29:38 +0000 + +security-misc (3:33.1-1) unstable; urgency=medium + + * New upstream version (local package). 
+ + -- Patrick Schleizer Sun, 05 Nov 2023 20:14:43 +0000 + +security-misc (3:33.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 05 Nov 2023 19:56:06 +0000 + +security-misc (3:32.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 03 Nov 2023 16:17:24 +0000 + +security-misc (3:32.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 03 Nov 2023 16:10:48 +0000 + +security-misc (3:32.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 03 Nov 2023 16:06:43 +0000 + +security-misc (3:32.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 03 Nov 2023 14:33:02 +0000 + +security-misc (3:32.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 03 Nov 2023 13:28:08 +0000 + +security-misc (3:32.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 01 Nov 2023 16:26:21 +0000 + +security-misc (3:32.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 01 Nov 2023 15:10:36 +0000 + +security-misc (3:32.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 27 Oct 2023 00:08:41 +0000 + +security-misc (3:32.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 26 Oct 2023 16:23:48 +0000 + +security-misc (3:32.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 25 Oct 2023 21:55:37 +0000 + +security-misc (3:31.9-1) unstable; urgency=medium + + * New upstream version (local package). 
+ + -- Patrick Schleizer Tue, 24 Oct 2023 09:51:11 +0000 + +security-misc (3:31.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 23:23:22 +0000 + +security-misc (3:31.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 20:54:58 +0000 + +security-misc (3:31.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 20:29:08 +0000 + +security-misc (3:31.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 20:16:40 +0000 + +security-misc (3:31.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 19:44:47 +0000 + +security-misc (3:31.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 19:40:59 +0000 + +security-misc (3:31.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 19:33:21 +0000 + +security-misc (3:31.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 19:28:04 +0000 + +security-misc (3:31.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 18:46:42 +0000 + +security-misc (3:30.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 18:30:28 +0000 + +security-misc (3:30.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 17:31:55 +0000 + +security-misc (3:30.7-1) unstable; urgency=medium + + * New upstream version (local package). 
+ + -- Patrick Schleizer Sun, 22 Oct 2023 16:55:41 +0000 + +security-misc (3:30.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 15:28:18 +0000 + +security-misc (3:30.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 15:13:05 +0000 + +security-misc (3:30.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 14:50:30 +0000 + +security-misc (3:30.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 14:16:53 +0000 + +security-misc (3:30.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 14:01:54 +0000 + +security-misc (3:30.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 12:12:30 +0000 + +security-misc (3:30.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 11:06:00 +0000 + +security-misc (3:29.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 21 Oct 2023 18:19:24 +0000 + +security-misc (3:29.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 21 Oct 2023 16:34:59 +0000 + +security-misc (3:29.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 13 Oct 2023 19:22:58 +0000 + +security-misc (3:29.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 12 Oct 2023 16:51:37 +0000 + +security-misc (3:29.5-1) unstable; urgency=medium + + * New upstream version (local package). 
+ + -- Patrick Schleizer Thu, 12 Oct 2023 14:43:40 +0000 + +security-misc (3:29.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 17 Jul 2023 15:48:35 +0000 + security-misc (3:29.3-1) unstable; urgency=medium * New upstream version (local package). diff --git a/debian/control b/debian/control index 1c2f199..fd56b5f 100644 --- a/debian/control +++ b/debian/control 
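Review bot: every changelog entry added in this hunk, from 3:29.4-1 through 3:37.8-1, carries the same single line "New upstream version (local package).", so the changelog records none of the substantive changes in this patch (the relicensing from GPL-3+-with-additional-terms-1 to AGPL-3+ in debian/copyright, the new libpam-umask dependency and po-debconf build-dependency in debian/control). A reader auditing what changed between two installed versions has nothing to go on; at least the entry for the version that introduced each of those changes should name it.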
@@ -1,27 +1,41 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. Source: security-misc Section: misc Priority: optional -Maintainer: Patrick Schleizer -Build-Depends: debhelper (>= 13), debhelper-compat (= 13), config-package-dev, dh-apparmor -Homepage: https://github.com/Whonix/security-misc -Vcs-Browser: https://github.com/Whonix/security-misc -Vcs-Git: https://github.com/Whonix/security-misc.git +Maintainer: Patrick Schleizer +Build-Depends: config-package-dev, + debhelper (>= 13), + debhelper-compat (= 13), + dh-apparmor, + po-debconf +Homepage: https://www.kicksecure.com/wiki/Security-misc +Vcs-Browser: https://github.com/Kicksecure/security-misc +Vcs-Git: https://github.com/Kicksecure/security-misc.git Standards-Version: 4.6.2 Rules-Requires-Root: no Package: security-misc Architecture: all -Depends: python3, libglib2.0-bin, libpam-runtime, sudo, adduser, libcap2-bin, - apparmor-profile-dist, helper-scripts, libpam-modules-bin, - secure-delete, dmsetup, ${misc:Depends} -Replaces: tcp-timestamps-disable, anon-gpg-tweaks, swappiness-lowest +Depends: adduser, + apparmor-profile-dist, + dmsetup, + helper-scripts, + libcap2-bin, + libglib2.0-bin, + libpam-modules-bin, + libpam-runtime, + libpam-umask, + python3, + secure-delete, + sudo, + ${misc:Depends} +Replaces: anon-gpg-tweaks, swappiness-lowest, tcp-timestamps-disable Description: Enhances Miscellaneous Security Settings - https://github.com/Whonix/security-misc/blob/master/README.md + https://github.com/Kicksecure/security-misc/blob/master/README.md . - https://www.whonix.org/wiki/Security-misc + https://www.kicksecure.com/wiki/Security-misc . Discussion: . diff --git a/debian/copyright b/debian/copyright index 4d66db5..829d909 100644 --- a/debian/copyright +++ b/debian/copyright 
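Review bot: this hunk adds libpam-umask to Depends and po-debconf to Build-Depends, which are real functional changes (a new PAM module on every install, and a debconf translation toolchain at build time), but nothing in the accompanying changelog entries mentions either; add a changelog line for each, and for libpam-umask state which PAM configuration the package now relies on it for. The rest of the hunk is housekeeping that reads fine: Depends and Build-Depends are now one entry per line in sorted order, Replaces is sorted, and Homepage, Vcs-Browser, Vcs-Git and the Description URLs all move consistently from the Whonix to the Kicksecure locations. One thing to verify outside this rendering: both the removed and the added Maintainer line show only "Patrick Schleizer" with no address, so confirm the field still carries a "Name <email>" value as the control file format requires.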
@@ -1,73 +1,668 @@ Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Files: * -Copyright: 2012 - 2023 ENCRYPTED SUPPORT LP -License: GPL-3+-with-additional-terms-1 - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. +Copyright: 2012 - 2025 ENCRYPTED SUPPORT LLC +License: AGPL-3+ + +License: AGPL-3+ + GNU AFFERO GENERAL PUBLIC LICENSE + Version 3, 19 November 2007 . - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. + Copyright (C) 2007 Free Software Foundation, Inc. + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. . - You should have received a copy of the GNU General Public License - along with this program. If not, see . + Preamble . - On Debian systems, the full text of the GNU General Public - License version 3 can be found in the file - `/usr/share/common-licenses/GPL-3'. + The GNU Affero General Public License is a free, copyleft license for + software and other kinds of works, specifically designed to ensure + cooperation with the community in the case of network server software. . - ADDITIONAL TERMS APPLICABLE per GNU GPL version 3 section 7 + The licenses for most software and other practical works are designed + to take away your freedom to share and change the works. By contrast, + our General Public Licenses are intended to guarantee your freedom to + share and change all versions of a program--to make sure it remains free + software for all its users. . - 1. Replacement of Section 15. 
Section 15 of the GPL shall be deleted in its - entirety and replaced with the following: + When we speak of free software, we are referring to freedom, not + price. Our General Public Licenses are designed to make sure that you + have the freedom to distribute copies of free software (and charge for + them if you wish), that you receive source code or can get it if you + want it, that you can change the software or use pieces of it in new + free programs, and that you know you can do these things. . - 15. Disclaimer of Warranty. + Developers that use our General Public Licenses protect your rights + with two steps: (1) assert copyright on the software, and (2) offer + you this License which gives you legal permission to copy, distribute + and/or modify the software. . - THE PROGRAM IS PROVIDED WITHOUT ANY WARRANTIES, WHETHER EXPRESSED OR IMPLIED, - INCLUDING, WITHOUT LIMITATION, IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR - PURPOSE, NON-INFRINGEMENT, TITLE AND MERCHANTABILITY. THE PROGRAM IS BEING - DELIVERED OR MADE AVAILABLE 'AS IS', 'WITH ALL FAULTS' AND WITHOUT WARRANTY OR - REPRESENTATION. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE - PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF + A secondary benefit of defending all users' freedom is that + improvements made in alternate versions of the program, if they + receive widespread use, become available for other developers to + incorporate. Many developers of free software are heartened and + encouraged by the resulting cooperation. However, in the case of + software used on network servers, this result may fail to come about. + The GNU General Public License permits making a modified version and + letting the public access it on a server without ever releasing its + source code to the public. + . + The GNU Affero General Public License is designed specifically to + ensure that, in such cases, the modified source code becomes available + to the community. 
It requires the operator of a network server to + provide the source code of the modified version running there to the + users of that server. Therefore, public use of a modified version, on + a publicly accessible server, gives the public access to the source + code of the modified version. + . + An older license, called the Affero General Public License and + published by Affero, was designed to accomplish similar goals. This is + a different license, not a version of the Affero GPL, but Affero has + released a new version of the Affero GPL which permits relicensing under + this license. + . + The precise terms and conditions for copying, distribution and + modification follow. + . + TERMS AND CONDITIONS + . + 0. Definitions. + . + "This License" refers to version 3 of the GNU Affero General Public License. + . + "Copyright" also means copyright-like laws that apply to other kinds of + works, such as semiconductor masks. + . + "The Program" refers to any copyrightable work licensed under this + License. Each licensee is addressed as "you". "Licensees" and + "recipients" may be individuals or organizations. + . + To "modify" a work means to copy from or adapt all or part of the work + in a fashion requiring copyright permission, other than the making of an + exact copy. The resulting work is called a "modified version" of the + earlier work or a work "based on" the earlier work. + . + A "covered work" means either the unmodified Program or a work based + on the Program. + . + To "propagate" a work means to do anything with it that, without + permission, would make you directly or secondarily liable for + infringement under applicable copyright law, except executing it on a + computer or modifying a private copy. Propagation includes copying, + distribution (with or without modification), making available to the + public, and in some countries other activities as well. + . 
+ To "convey" a work means any kind of propagation that enables other + parties to make or receive copies. Mere interaction with a user through + a computer network, with no transfer of a copy, is not conveying. + . + An interactive user interface displays "Appropriate Legal Notices" + to the extent that it includes a convenient and prominently visible + feature that (1) displays an appropriate copyright notice, and (2) + tells the user that there is no warranty for the work (except to the + extent that warranties are provided), that licensees may convey the + work under this License, and how to view a copy of this License. If + the interface presents a list of user commands or options, such as a + menu, a prominent item in the list meets this criterion. + . + 1. Source Code. + . + The "source code" for a work means the preferred form of the work + for making modifications to it. "Object code" means any non-source + form of a work. + . + A "Standard Interface" means an interface that either is an official + standard defined by a recognized standards body, or, in the case of + interfaces specified for a particular programming language, one that + is widely used among developers working in that language. + . + The "System Libraries" of an executable work include anything, other + than the work as a whole, that (a) is included in the normal form of + packaging a Major Component, but which is not part of that Major + Component, and (b) serves only to enable use of the work with that + Major Component, or to implement a Standard Interface for which an + implementation is available to the public in source code form. A + "Major Component", in this context, means a major essential component + (kernel, window system, and so on) of the specific operating system + (if any) on which the executable work runs, or a compiler used to + produce the work, or an object code interpreter used to run it. + . 
+ The "Corresponding Source" for a work in object code form means all + the source code needed to generate, install, and (for an executable + work) run the object code and to modify the work, including scripts to + control those activities. However, it does not include the work's + System Libraries, or general-purpose tools or generally available free + programs which are used unmodified in performing those activities but + which are not part of the work. For example, Corresponding Source + includes interface definition files associated with source files for + the work, and the source code for shared libraries and dynamically + linked subprograms that the work is specifically designed to require, + such as by intimate data communication or control flow between those + subprograms and other parts of the work. + . + The Corresponding Source need not include anything that users + can regenerate automatically from other parts of the Corresponding + Source. + . + The Corresponding Source for a work in source code form is that + same work. + . + 2. Basic Permissions. + . + All rights granted under this License are granted for the term of + copyright on the Program, and are irrevocable provided the stated + conditions are met. This License explicitly affirms your unlimited + permission to run the unmodified Program. The output from running a + covered work is covered by this License only if the output, given its + content, constitutes a covered work. This License acknowledges your + rights of fair use or other equivalent, as provided by copyright law. + . + You may make, run and propagate covered works that you do not + convey, without conditions so long as your license otherwise remains + in force. 
You may convey covered works to others for the sole purpose + of having them make modifications exclusively for you, or provide you + with facilities for running those works, provided that you comply with + the terms of this License in conveying all material for which you do + not control copyright. Those thus making or running the covered works + for you must do so exclusively on your behalf, under your direction + and control, on terms that prohibit them from making any copies of + your copyrighted material outside their relationship with you. + . + Conveying under any other circumstances is permitted solely under + the conditions stated below. Sublicensing is not allowed; section 10 + makes it unnecessary. + . + 3. Protecting Users' Legal Rights From Anti-Circumvention Law. + . + No covered work shall be deemed part of an effective technological + measure under any applicable law fulfilling obligations under article + 11 of the WIPO copyright treaty adopted on 20 December 1996, or + similar laws prohibiting or restricting circumvention of such + measures. + . + When you convey a covered work, you waive any legal power to forbid + circumvention of technological measures to the extent such circumvention + is effected by exercising rights under this License with respect to + the covered work, and you disclaim any intention to limit operation or + modification of the work as a means of enforcing, against the work's + users, your or third parties' legal rights to forbid circumvention of + technological measures. + . + 4. Conveying Verbatim Copies. + . 
+ You may convey verbatim copies of the Program's source code as you + receive it, in any medium, provided that you conspicuously and + appropriately publish on each copy an appropriate copyright notice; + keep intact all notices stating that this License and any + non-permissive terms added in accord with section 7 apply to the code; + keep intact all notices of the absence of any warranty; and give all + recipients a copy of this License along with the Program. + . + You may charge any price or no price for each copy that you convey, + and you may offer support or warranty protection for a fee. + . + 5. Conveying Modified Source Versions. + . + You may convey a work based on the Program, or the modifications to + produce it from the Program, in the form of source code under the + terms of section 4, provided that you also meet all of these conditions: + . + a) The work must carry prominent notices stating that you modified + it, and giving a relevant date. + . + b) The work must carry prominent notices stating that it is + released under this License and any conditions added under section + 7. This requirement modifies the requirement in section 4 to + "keep intact all notices". + . + c) You must license the entire work, as a whole, under this + License to anyone who comes into possession of a copy. This + License will therefore apply, along with any applicable section 7 + additional terms, to the whole of the work, and all its parts, + regardless of how they are packaged. This License gives no + permission to license the work in any other way, but it does not + invalidate such permission if you have separately received it. + . + d) If the work has interactive user interfaces, each must display + Appropriate Legal Notices; however, if the Program has interactive + interfaces that do not display Appropriate Legal Notices, your + work need not make them do so. + . 
+ A compilation of a covered work with other separate and independent + works, which are not by their nature extensions of the covered work, + and which are not combined with it such as to form a larger program, + in or on a volume of a storage or distribution medium, is called an + "aggregate" if the compilation and its resulting copyright are not + used to limit the access or legal rights of the compilation's users + beyond what the individual works permit. Inclusion of a covered work + in an aggregate does not cause this License to apply to the other + parts of the aggregate. + . + 6. Conveying Non-Source Forms. + . + You may convey a covered work in object code form under the terms + of sections 4 and 5, provided that you also convey the + machine-readable Corresponding Source under the terms of this License, + in one of these ways: + . + a) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by the + Corresponding Source fixed on a durable physical medium + customarily used for software interchange. + . + b) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by a + written offer, valid for at least three years and valid for as + long as you offer spare parts or customer support for that product + model, to give anyone who possesses the object code either (1) a + copy of the Corresponding Source for all the software in the + product that is covered by this License, on a durable physical + medium customarily used for software interchange, for a price no + more than your reasonable cost of physically performing this + conveying of source, or (2) access to copy the + Corresponding Source from a network server at no charge. + . + c) Convey individual copies of the object code with a copy of the + written offer to provide the Corresponding Source. 
This + alternative is allowed only occasionally and noncommercially, and + only if you received the object code with such an offer, in accord + with subsection 6b. + . + d) Convey the object code by offering access from a designated + place (gratis or for a charge), and offer equivalent access to the + Corresponding Source in the same way through the same place at no + further charge. You need not require recipients to copy the + Corresponding Source along with the object code. If the place to + copy the object code is a network server, the Corresponding Source + may be on a different server (operated by you or a third party) + that supports equivalent copying facilities, provided you maintain + clear directions next to the object code saying where to find the + Corresponding Source. Regardless of what server hosts the + Corresponding Source, you remain obligated to ensure that it is + available for as long as needed to satisfy these requirements. + . + e) Convey the object code using peer-to-peer transmission, provided + you inform other peers where the object code and Corresponding + Source of the work are being offered to the general public at no + charge under subsection 6d. + . + A separable portion of the object code, whose source code is excluded + from the Corresponding Source as a System Library, need not be + included in conveying the object code work. + . + A "User Product" is either (1) a "consumer product", which means any + tangible personal property which is normally used for personal, family, + or household purposes, or (2) anything designed or sold for incorporation + into a dwelling. In determining whether a product is a consumer product, + doubtful cases shall be resolved in favor of coverage. 
For a particular + product received by a particular user, "normally used" refers to a + typical or common use of that class of product, regardless of the status + of the particular user or of the way in which the particular user + actually uses, or expects or is expected to use, the product. A product + is a consumer product regardless of whether the product has substantial + commercial, industrial or non-consumer uses, unless such uses represent + the only significant mode of use of the product. + . + "Installation Information" for a User Product means any methods, + procedures, authorization keys, or other information required to install + and execute modified versions of a covered work in that User Product from + a modified version of its Corresponding Source. The information must + suffice to ensure that the continued functioning of the modified object + code is in no case prevented or interfered with solely because + modification has been made. + . + If you convey an object code work under this section in, or with, or + specifically for use in, a User Product, and the conveying occurs as + part of a transaction in which the right of possession and use of the + User Product is transferred to the recipient in perpetuity or for a + fixed term (regardless of how the transaction is characterized), the + Corresponding Source conveyed under this section must be accompanied + by the Installation Information. But this requirement does not apply + if neither you nor any third party retains the ability to install + modified object code on the User Product (for example, the work has + been installed in ROM). + . + The requirement to provide Installation Information does not include a + requirement to continue to provide support service, warranty, or updates + for a work that has been modified or installed by the recipient, or for + the User Product in which it has been modified or installed. 
Access to a + network may be denied when the modification itself materially and + adversely affects the operation of the network or violates the rules and + protocols for communication across the network. + . + Corresponding Source conveyed, and Installation Information provided, + in accord with this section must be in a format that is publicly + documented (and with an implementation available to the public in + source code form), and must require no special password or key for + unpacking, reading or copying. + . + 7. Additional Terms. + . + "Additional permissions" are terms that supplement the terms of this + License by making exceptions from one or more of its conditions. + Additional permissions that are applicable to the entire Program shall + be treated as though they were included in this License, to the extent + that they are valid under applicable law. If additional permissions + apply only to part of the Program, that part may be used separately + under those permissions, but the entire Program remains governed by + this License without regard to the additional permissions. + . + When you convey a copy of a covered work, you may at your option + remove any additional permissions from that copy, or from any part of + it. (Additional permissions may be written to require their own + removal in certain cases when you modify the work.) You may place + additional permissions on material, added by you to a covered work, + for which you have or can give appropriate copyright permission. + . + Notwithstanding any other provision of this License, for material you + add to a covered work, you may (if authorized by the copyright holders of + that material) supplement the terms of this License with terms: + . + a) Disclaiming warranty or limiting liability differently from the + terms of sections 15 and 16 of this License; or + . 
+ b) Requiring preservation of specified reasonable legal notices or + author attributions in that material or in the Appropriate Legal + Notices displayed by works containing it; or + . + c) Prohibiting misrepresentation of the origin of that material, or + requiring that modified versions of such material be marked in + reasonable ways as different from the original version; or + . + d) Limiting the use for publicity purposes of names of licensors or + authors of the material; or + . + e) Declining to grant rights under trademark law for use of some + trade names, trademarks, or service marks; or + . + f) Requiring indemnification of licensors and authors of that + material by anyone who conveys the material (or modified versions of + it) with contractual assumptions of liability to the recipient, for + any liability that these contractual assumptions directly impose on + those licensors and authors. + . + All other non-permissive additional terms are considered "further + restrictions" within the meaning of section 10. If the Program as you + received it, or any part of it, contains a notice stating that it is + governed by this License along with a term that is a further + restriction, you may remove that term. If a license document contains + a further restriction but permits relicensing or conveying under this + License, you may add to a covered work material governed by the terms + of that license document, provided that the further restriction does + not survive such relicensing or conveying. + . + If you add terms to a covered work in accord with this section, you + must place, in the relevant source files, a statement of the + additional terms that apply to those files, or a notice indicating + where to find the applicable terms. + . + Additional terms, permissive or non-permissive, may be stated in the + form of a separately written license, or stated as exceptions; + the above requirements apply either way. + . + 8. Termination. + . 
+ You may not propagate or modify a covered work except as expressly + provided under this License. Any attempt otherwise to propagate or + modify it is void, and will automatically terminate your rights under + this License (including any patent licenses granted under the third + paragraph of section 11). + . + However, if you cease all violation of this License, then your + license from a particular copyright holder is reinstated (a) + provisionally, unless and until the copyright holder explicitly and + finally terminates your license, and (b) permanently, if the copyright + holder fails to notify you of the violation by some reasonable means + prior to 60 days after the cessation. + . + Moreover, your license from a particular copyright holder is + reinstated permanently if the copyright holder notifies you of the + violation by some reasonable means, this is the first time you have + received notice of violation of this License (for any work) from that + copyright holder, and you cure the violation prior to 30 days after + your receipt of the notice. + . + Termination of your rights under this section does not terminate the + licenses of parties who have received copies or rights from you under + this License. If your rights have been terminated and not permanently + reinstated, you do not qualify to receive new licenses for the same + material under section 10. + . + 9. Acceptance Not Required for Having Copies. + . + You are not required to accept this License in order to receive or + run a copy of the Program. Ancillary propagation of a covered work + occurring solely as a consequence of using peer-to-peer transmission + to receive a copy likewise does not require acceptance. However, + nothing other than this License grants you permission to propagate or + modify any covered work. These actions infringe copyright if you do + not accept this License. 
Therefore, by modifying or propagating a + covered work, you indicate your acceptance of this License to do so. + . + 10. Automatic Licensing of Downstream Recipients. + . + Each time you convey a covered work, the recipient automatically + receives a license from the original licensors, to run, modify and + propagate that work, subject to this License. You are not responsible + for enforcing compliance by third parties with this License. + . + An "entity transaction" is a transaction transferring control of an + organization, or substantially all assets of one, or subdividing an + organization, or merging organizations. If propagation of a covered + work results from an entity transaction, each party to that + transaction who receives a copy of the work also receives whatever + licenses to the work the party's predecessor in interest had or could + give under the previous paragraph, plus a right to possession of the + Corresponding Source of the work from the predecessor in interest, if + the predecessor has it or can get it with reasonable efforts. + . + You may not impose any further restrictions on the exercise of the + rights granted or affirmed under this License. For example, you may + not impose a license fee, royalty, or other charge for exercise of + rights granted under this License, and you may not initiate litigation + (including a cross-claim or counterclaim in a lawsuit) alleging that + any patent claim is infringed by making, using, selling, offering for + sale, or importing the Program or any portion of it. + . + 11. Patents. + . + A "contributor" is a copyright holder who authorizes use under this + License of the Program or a work on which the Program is based. The + work thus licensed is called the contributor's "contributor version". + . 
+ A contributor's "essential patent claims" are all patent claims + owned or controlled by the contributor, whether already acquired or + hereafter acquired, that would be infringed by some manner, permitted + by this License, of making, using, or selling its contributor version, + but do not include claims that would be infringed only as a + consequence of further modification of the contributor version. For + purposes of this definition, "control" includes the right to grant + patent sublicenses in a manner consistent with the requirements of + this License. + . + Each contributor grants you a non-exclusive, worldwide, royalty-free + patent license under the contributor's essential patent claims, to + make, use, sell, offer for sale, import and otherwise run, modify and + propagate the contents of its contributor version. + . + In the following three paragraphs, a "patent license" is any express + agreement or commitment, however denominated, not to enforce a patent + (such as an express permission to practice a patent or covenant not to + sue for patent infringement). To "grant" such a patent license to a + party means to make such an agreement or commitment not to enforce a + patent against the party. + . + If you convey a covered work, knowingly relying on a patent license, + and the Corresponding Source of the work is not available for anyone + to copy, free of charge and under the terms of this License, through a + publicly available network server or other readily accessible means, + then you must either (1) cause the Corresponding Source to be so + available, or (2) arrange to deprive yourself of the benefit of the + patent license for this particular work, or (3) arrange, in a manner + consistent with the requirements of this License, to extend the patent + license to downstream recipients. 
"Knowingly relying" means you have + actual knowledge that, but for the patent license, your conveying the + covered work in a country, or your recipient's use of the covered work + in a country, would infringe one or more identifiable patents in that + country that you have reason to believe are valid. + . + If, pursuant to or in connection with a single transaction or + arrangement, you convey, or propagate by procuring conveyance of, a + covered work, and grant a patent license to some of the parties + receiving the covered work authorizing them to use, propagate, modify + or convey a specific copy of the covered work, then the patent license + you grant is automatically extended to all recipients of the covered + work and works based on it. + . + A patent license is "discriminatory" if it does not include within + the scope of its coverage, prohibits the exercise of, or is + conditioned on the non-exercise of one or more of the rights that are + specifically granted under this License. You may not convey a covered + work if you are a party to an arrangement with a third party that is + in the business of distributing software, under which you make payment + to the third party based on the extent of your activity of conveying + the work, and under which the third party grants, to any of the + parties who would receive the covered work from you, a discriminatory + patent license (a) in connection with copies of the covered work + conveyed by you (or copies made from those copies), or (b) primarily + for and in connection with specific products or compilations that + contain the covered work, unless you entered into that arrangement, + or that patent license was granted, prior to 28 March 2007. + . + Nothing in this License shall be construed as excluding or limiting + any implied license or other defenses to infringement that may + otherwise be available to you under applicable patent law. + . + 12. No Surrender of Others' Freedom. + . 
+ If conditions are imposed on you (whether by court order, agreement or + otherwise) that contradict the conditions of this License, they do not + excuse you from the conditions of this License. If you cannot convey a + covered work so as to satisfy simultaneously your obligations under this + License and any other pertinent obligations, then as a consequence you may + not convey it at all. For example, if you agree to terms that obligate you + to collect a royalty for further conveying from those to whom you convey + the Program, the only way you could satisfy both those terms and this + License would be to refrain entirely from conveying the Program. + . + 13. Remote Network Interaction; Use with the GNU General Public License. + . + Notwithstanding any other provision of this License, if you modify the + Program, your modified version must prominently offer all users + interacting with it remotely through a computer network (if your version + supports such interaction) an opportunity to receive the Corresponding + Source of your version by providing access to the Corresponding Source + from a network server at no charge, through some standard or customary + means of facilitating copying of software. This Corresponding Source + shall include the Corresponding Source for any work covered by version 3 + of the GNU General Public License that is incorporated pursuant to the + following paragraph. + . + Notwithstanding any other provision of this License, you have + permission to link or combine any covered work with a work licensed + under version 3 of the GNU General Public License into a single + combined work, and to convey the resulting work. The terms of this + License will continue to apply to the part which is the covered work, + but the work with which it is combined will remain governed by version + 3 of the GNU General Public License. + . + 14. Revised Versions of this License. + . 
+ The Free Software Foundation may publish revised and/or new versions of + the GNU Affero General Public License from time to time. Such new versions + will be similar in spirit to the present version, but may differ in detail to + address new problems or concerns. + . + Each version is given a distinguishing version number. If the + Program specifies that a certain numbered version of the GNU Affero General + Public License "or any later version" applies to it, you have the + option of following the terms and conditions either of that numbered + version or of any later version published by the Free Software + Foundation. If the Program does not specify a version number of the + GNU Affero General Public License, you may choose any version ever published + by the Free Software Foundation. + . + If the Program specifies that a proxy can decide which future + versions of the GNU Affero General Public License can be used, that proxy's + public statement of acceptance of a version permanently authorizes you + to choose that version for the Program. + . + Later license versions may give you additional or different + permissions. However, no additional obligations are imposed on any + author or copyright holder as a result of your choosing to follow a + later version. + . + 15. Disclaimer of Warranty. + . + THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY + APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT + HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY + OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, + THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM + IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. . - 2. Replacement of Section 16. 
Section 16 of the GPL shall be deleted in its - entirety and replaced with the following: + 16. Limitation of Liability. . - 16. LIMITATION OF LIABILITY. + IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING + WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS + THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY + GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE + USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF + DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD + PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), + EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF + SUCH DAMAGES. . - UNDER NO CIRCUMSTANCES SHALL ANY COPYRIGHT HOLDER OR ITS AFFILIATES, OR ANY - OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE - LIABLE TO YOU, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, FOR ANY - DAMAGES OR OTHER LIABILITY, INCLUDING ANY GENERAL, DIRECT, INDIRECT, SPECIAL, - INCIDENTAL, CONSEQUENTIAL OR PUNITIVE DAMAGES ARISING FROM, OUT OF OR IN - CONNECTION WITH THE USE OR INABILITY TO USE THE PROGRAM OR OTHER DEALINGS WITH - THE PROGRAM(INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED - INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE - PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), WHETHER OR NOT ANY COPYRIGHT HOLDER - OR SUCH OTHER PARTY RECEIVES NOTICE OF ANY SUCH DAMAGES AND WHETHER OR NOT SUCH - DAMAGES COULD HAVE BEEN FORESEEN. + 17. Interpretation of Sections 15 and 16. . - 3. LEGAL NOTICES; NO TRADEMARK LICENSE; ORIGIN. You must reproduce faithfully - all trademark, copyright and other proprietary and legal notices on any copies - of the Program or any other required author attributions. This license does not - grant you rights to use any copyright holder or any other party's name, logo, or - trademarks. 
Neither the name of the copyright holder or its affiliates, or any - other party who modifies and/or conveys the Program may be used to endorse or - promote products derived from this software without specific prior written - permission. The origin of the Program must not be misrepresented; you must not - claim that you wrote the original Program. Altered source versions must be - plainly marked as such, and must not be misrepresented as being the original - Program. + If the disclaimer of warranty and limitation of liability provided + above cannot be given local legal effect according to their terms, + reviewing courts shall apply local law that most closely approximates + an absolute waiver of all civil liability in connection with the + Program, unless a warranty or assumption of liability accompanies a + copy of the Program in return for a fee. . - 4. INDEMNIFICATION. IF YOU CONVEY A COVERED WORK AND AGREE WITH ANY RECIPIENT - OF THAT COVERED WORK THAT YOU WILL ASSUME ANY LIABILITY FOR THAT COVERED WORK, - YOU HEREBY AGREE TO INDEMNIFY, DEFEND AND HOLD HARMLESS THE OTHER LICENSORS AND - AUTHORS OF THAT COVERED WORK FOR ANY DAMAGES, DEMANDS, CLAIMS, LOSSES, CAUSES OF - ACTION, LAWSUITS, JUDGMENTS EXPENSES (INCLUDING WITHOUT LIMITATION REASONABLE - ATTORNEYS' FEES AND EXPENSES) OR ANY OTHER LIABILITY ARISING FROM, RELATED TO OR - IN CONNECTION WITH YOUR ASSUMPTIONS OF LIABILITY. + END OF TERMS AND CONDITIONS + . + How to Apply These Terms to Your New Programs + . + If you develop a new program, and you want it to be of the greatest + possible use to the public, the best way to achieve this is to make it + free software which everyone can redistribute and change under these terms. + . + To do so, attach the following notices to the program. It is safest + to attach them to the start of each source file to most effectively + state the exclusion of warranty; and each file should have at least + the "copyright" line and a pointer to where the full notice is found. 
+ . + + Copyright (C) + . + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + . + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + . + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see . + . + Also add information on how to contact you by electronic and paper mail. + . + If your software can interact with users remotely through a computer + network, you should also make sure that it provides a way for users to + get its source. For example, if your program is a web application, its + interface could display a "Source" link that leads users to an archive + of the code. There are many ways you could offer source, and different + solutions will be better for different programs; see section 13 for the + specific requirements. + . + You should also get your employer (if you work as a programmer) or school, + if any, to sign a "copyright disclaimer" for the program, if necessary. + For more information on this, and how to apply and follow the GNU AGPL, see + . diff --git a/debian/make-helper-overrides.bsh b/debian/make-helper-overrides.bsh index c43ca87..4804b3e 100755 --- a/debian/make-helper-overrides.bsh +++ b/debian/make-helper-overrides.bsh 
@@ -1,7 +1,7 @@ #!/bin/bash -## Copyright (C) 2021 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2021 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/24 -genmkfile_lintian_post_opts+=" --suppress-tags obsolete-command-in-modprobe.d-file" +genmkfile_lintian_post_opts+=" --suppress-tags obsolete-command-in-modprobe.d-file --suppress-tags no-complete-debconf-translation" diff --git a/debian/po/POTFILES.in b/debian/po/POTFILES.in new file mode 100644 index 0000000..435938f --- /dev/null +++ b/debian/po/POTFILES.in @@ -0,0 +1 @@ +[type: gettext/rfc822deb] security-misc.templates diff --git a/debian/po/templates.pot b/debian/po/templates.pot new file mode 100644 index 0000000..adb123b --- /dev/null +++ b/debian/po/templates.pot 
@@ -0,0 +1,36 @@ +# SOME DESCRIPTIVE TITLE. +# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the security-misc package. +# FIRST AUTHOR , YEAR. +# +#, fuzzy +msgid "" +msgstr "" +"Project-Id-Version: security-misc\n" +"Report-Msgid-Bugs-To: security-misc@packages.debian.org\n" +"POT-Creation-Date: 2025-01-14 09:31-0500\n" +"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" +"Last-Translator: FULL NAME \n" +"Language-Team: LANGUAGE \n" +"Language: \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=CHARSET\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: note +#. Description +#: ../security-misc.templates:1001 +msgid "Manual intervention may be required for permission-hardener update" +msgstr "" + +#. Type: note +#. Description +#: ../security-misc.templates:1001 +msgid "" +"No need to panic. Nothing is broken. A rare condition has been encountered. " +"permission-hardener is being updated to fix a minor bug that caused " +"corruption in the permission-hardener state file. If you installed your own " +"custom permission-hardener configuration, some manual intervention may be " +"required. See: https://www.kicksecure.com/wiki/" +"SUID_Disabler_and_Permission_Hardener#fixing_state_files" +msgstr "" diff --git a/debian/rules b/debian/rules index a1570ba..ca5e85c 100755 --- a/debian/rules +++ b/debian/rules @@ -1,6 +1,6 @@ #!/usr/bin/make -f -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. #export DH_VERBOSE=1 diff --git a/debian/security-misc.config b/debian/security-misc.config new file mode 100755 index 0000000..e200fb6 --- /dev/null +++ b/debian/security-misc.config 
@@ -0,0 +1,190 @@ +#!/bin/bash + +## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then + source /usr/libexec/helper-scripts/pre.bsh +fi + +source /usr/share/debconf/confmodule + +set -e + +## Not set by DPKG for '.config' script. +DPKG_MAINTSCRIPT_PACKAGE="security-misc" +DPKG_MAINTSCRIPT_NAME="config" + +true " +##################################################################### +## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $* +##################################################################### +" + +## NOTE: Code duplication. +## Copied from: helper-scripts /usr/libexec/helper-scripts/package_installed_check.bsh +## +## '.config' scripts are run very early. Even 'Pre-Depends: helper-scripts' would be insufficient. +## Therefore the code is duplicated here. +pkg_installed() { + local package_name dpkg_query_output + local requested_action status error_state + + package_name="$1" + ## Cannot use '&>' because it is a bashism. + dpkg_query_output="$(dpkg-query --show --showformat='${Status}' "$package_name" 2>/dev/null)" || true + ## dpkg_query_output Examples: + ## install ok half-configured + ## install ok installed + + requested_action=$(printf '%s' "$dpkg_query_output" | awk '{print $1}') + status=$(printf '%s' "$dpkg_query_output" | awk '{print $2}') + error_state=$(printf '%s' "$dpkg_query_output" | awk '{print $3}') + + if [ "$requested_action" = 'install' ]; then + true "$0: INFO: $package_name is installed, ok." + return 0 + fi + + true "$0: INFO: $package_name is not installed, ok." + return 1 +} + +check_migrate_permission_hardener_state() { + local pkg_list modified_pkg_data_str custom_hardening_arr config_file + + ## If folder /var/lib/permission-hardener (version 1) does not exist, this migration is unneeded. + if [ ! 
-d '/var/lib/permission-hardener' ]; then + return 0 + fi + + local orig_hardening_arr custom_hardening_arr config_file custom_config_file + if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_2" ]; then + return 0 + fi + mkdir --parents '/var/lib/security-misc/do_once' + + orig_hardening_arr=( + '/usr/lib/permission-hardener.d/25_default_passwd.conf' + '/usr/lib/permission-hardener.d/25_default_sudo.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf' + '/usr/lib/permission-hardener.d/20_user-sysmaint-split.conf' + '/usr/lib/permission-hardener.d/30_ping.conf' + '/usr/lib/permission-hardener.d/30_default.conf' + '/etc/permission-hardener.d/25_default_passwd.conf' + '/etc/permission-hardener.d/25_default_sudo.conf' + '/etc/permission-hardener.d/25_default_whitelist_bubblewrap.conf' + 
'/etc/permission-hardener.d/25_default_whitelist_chromium.conf' + '/etc/permission-hardener.d/25_default_whitelist_dbus.conf' + '/etc/permission-hardener.d/25_default_whitelist_firejail.conf' + '/etc/permission-hardener.d/25_default_whitelist_fuse.conf' + '/etc/permission-hardener.d/25_default_whitelist_hardened_malloc.conf' + '/etc/permission-hardener.d/25_default_whitelist_mount.conf' + '/etc/permission-hardener.d/25_default_whitelist_pam.conf' + '/etc/permission-hardener.d/25_default_whitelist_passwd.conf' + '/etc/permission-hardener.d/25_default_whitelist_policykit.conf' + '/etc/permission-hardener.d/25_default_whitelist_postfix.conf' + '/etc/permission-hardener.d/25_default_whitelist_qubes.conf' + '/etc/permission-hardener.d/25_default_whitelist_selinux.conf' + '/etc/permission-hardener.d/25_default_whitelist_spice.conf' + '/etc/permission-hardener.d/25_default_whitelist_ssh.conf' + '/etc/permission-hardener.d/25_default_whitelist_sudo.conf' + '/etc/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf' + '/etc/permission-hardener.d/25_default_whitelist_virtualbox.conf' + '/etc/permission-hardener.d/20_user-sysmaint-split.conf' + '/etc/permission-hardener.d/30_ping.conf' + '/etc/permission-hardener.d/30_default.conf' + ) + + pkg_list=( "security-misc" ) + if pkg_installed user-sysmaint-split ; then + pkg_list+=( "user-sysmaint-split" ) + fi + if pkg_installed anon-apps-config ; then + pkg_list+=( "anon-apps-config" ) + fi + + ## This will exit non-zero if some of the packages don't exist, but we + ## don't care. The packages that *are* installed will still be scanned. 
+ modified_pkg_data_str="$(dpkg --verify "${pkg_list[@]}")" || true + + ## Example modified_pkg_data_str: + #modified_pkg_data_str='missing /usr/lib/permission-hardener.d/20_user-sysmaint-split.conf' + + readarray -t custom_hardening_arr < <(awk '/permission-hardener.d/{ print $NF }' <<< "${modified_pkg_data_str}") + + ## If the above `dpkg --verify` command doesn't return any permission-hardener + ## related lines, the array will contain no meaningful info, just a single + ## blank element at the start. Set the array to be explicitly empty in + ## this scenario. + if [ -z "${custom_hardening_arr[0]}" ]; then + custom_hardening_arr=() + fi + + for config_file in \ + /usr/lib/permission-hardener.d/*.conf \ + /etc/permission-hardener.d/*.conf \ + /usr/local/etc/permission-hardener.d/*.conf \ + /etc/permission-hardening.d/*.conf \ + /usr/local/etc/permission-hardening.d/*.conf + do + # shellcheck disable=SC2076 + if ! [[ " ${orig_hardening_arr[*]} " =~ " ${config_file} " ]]; then + if [ -f "${config_file}" ]; then + custom_hardening_arr+=( "${config_file}" ) + fi + fi + done + + if [ "${#custom_hardening_arr[@]}" != '0' ]; then + for custom_config_file in "${custom_hardening_arr[@]}"; do + if ! test -e "${custom_config_file}" ; then + echo "$0: INFO: Possible missing configuration file found: '${custom_config_file}'" + else + echo "$0: INFO: Possible custom configuration file found: '${custom_config_file}'" + fi + done + ## db_input will return code 30 if the message won't be displayed, which + ## causes a non-interactive install to error out if you don't use || true + db_input critical security-misc/alert-on-permission-hardener-v2-upgrade || true + ## db_go can return code 30 too in some instances, we don't care here + # shellcheck disable=SC2119 + db_go || true + fi + + touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_2" +} + +check_migrate_permission_hardener_state + +true "INFO: debhelper beginning here." 
+ +#DEBHELPER# + +true "INFO: Done with debhelper." + +true " +##################################################################### +## INFO: END : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $* +##################################################################### +" + +## Explicitly "exit 0", so eventually trapped errors can be ignored. +exit 0 diff --git a/debian/security-misc.displace b/debian/security-misc.displace index 54c5862..78257f6 100644 --- a/debian/security-misc.displace +++ b/debian/security-misc.displace @@ -1,6 +1,5 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. /etc/securetty.security-misc /etc/security/faillock.conf.security-misc -/etc/dkms/framework.conf.security-misc diff --git a/debian/security-misc.gconf-defaults b/debian/security-misc.gconf-defaults index 26d57ff..b79536a 100644 --- a/debian/security-misc.gconf-defaults +++ b/debian/security-misc.gconf-defaults @@ -1,3 +1,6 @@ +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + /apps/nautilus/preview_sound never /apps/nautilus/show_icon_text never /apps/nautilus/show-image-thumbnails never diff --git a/debian/security-misc.install b/debian/security-misc.install index 126a525..6d5f850 100644 --- a/debian/security-misc.install +++ b/debian/security-misc.install @@ -1,10 +1,8 @@ -## Copyright (C) 2020 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2020 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## This file was generated using 'genmkfile debinstfile'. -bin/* etc/* -lib/* usr/* var/* diff --git a/debian/security-misc.links b/debian/security-misc.links new file mode 100644 index 0000000..c3369df --- /dev/null +++ b/debian/security-misc.links 
@@ -0,0 +1,5 @@ +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +/etc/profile.d/30_security-misc.sh /etc/zprofile.d/30_security-misc.zsh +/etc/profile.d/30_security-misc.sh /etc/X11/Xsession.d/30_security-misc diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript index 4be0d9a..0a1759b 100644 --- a/debian/security-misc.maintscript +++ b/debian/security-misc.maintscript @@ -1,11 +1,8 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. rm_conffile /etc/sudoers.d/umask-security-misc -## https://forums.whonix.org/t/allow-loading-signed-kernel-modules-by-default-disallow-kernel-module-loading-by-default/7880/23 -rm_conffile /etc/default/grub.d/40_only_allow_signed_modules.cfg - ## https://forums.whonix.org/t/sysrq-magic-sysrq-key/8079 rm_conffile /etc/sysctl.d/sysrq.conf @@ -13,7 +10,7 @@ rm_conffile /etc/sysctl.d/sysrq.conf rm_conffile /etc/apparmor.d/usr.lib.security-misc.pam_tally2-info rm_conffile /etc/apparmor.d/usr.lib.security-misc.permission-lockdown -## merged into 1 file /etc/sysctl.d/30_security-misc.conf +## merged into 3 files /usr/lib/sysctl.d/30_security-misc_kexec-disable.conf, /usr/lib/sysctl.d/30_silent-kernel-printk.conf, and /usr/lib/sysctl.d/990-security-misc.conf rm_conffile /etc/sysctl.d/fs_protected.conf rm_conffile /etc/sysctl.d/kptr_restrict.conf rm_conffile /etc/sysctl.d/suid_dumpable.conf 
@@ -27,16 +24,88 @@ rm_conffile /etc/sysctl.d/kexec.conf rm_conffile /etc/sysctl.d/tcp_hardening.conf rm_conffile /etc/sysctl.d/tcp_sack.conf -## merged into 1 file /etc/modprobe.d/30_security-misc.conf +## merged into 3 files /etc/modprobe.d/30_security-misc_blacklist.conf, 30_security-misc_conntrack.conf, and /etc/modprobe.d/30_security-misc_disable.conf rm_conffile /etc/modprobe.d/uncommon-network-protocols.conf rm_conffile /etc/modprobe.d/blacklist-bluetooth.conf rm_conffile /etc/modprobe.d/vivid.conf rm_conffile /etc/modprobe.d/blacklist-dma.conf rm_conffile /etc/modprobe.d/msr.conf rm_conffile /etc/modprobe.d/30_nf_conntrack_helper_disable.conf +rm_conffile /etc/modprobe.d/30_security-misc.conf ## renamed to /etc/security/limits.d/30_security-misc.conf rm_conffile /etc/security/limits.d/disable-coredumps.conf ## moved to separate package ram-wipe rm_conffile /etc/default/grub.d/40_cold_boot_attack_defense.cfg + +rm_conffile /etc/X11/Xsession.d/50panic_on_oops +rm_conffile /etc/X11/Xsession.d/50security-misc + +## moved to /usr/lib/sysctl.d +rm_conffile /etc/sysctl.d/30_security-misc.conf +rm_conffile /etc/sysctl.d/30_silent-kernel-printk.conf +rm_conffile /etc/sysctl.d/30_security-misc_kexec-disable.conf + +## moved to /etc/permission-hardener.d +rm_conffile /etc/permission-hardening.d/25_default_passwd.conf +rm_conffile /etc/permission-hardening.d/25_default_sudo.conf +rm_conffile /etc/permission-hardening.d/25_default_whitelist_bubblewrap.conf +rm_conffile /etc/permission-hardening.d/25_default_whitelist_chromium.conf +rm_conffile /etc/permission-hardening.d/25_default_whitelist_dbus.conf +rm_conffile /etc/permission-hardening.d/25_default_whitelist_firejail.conf +rm_conffile /etc/permission-hardening.d/25_default_whitelist_fuse.conf +rm_conffile /etc/permission-hardening.d/25_default_whitelist_hardened_malloc.conf +rm_conffile /etc/permission-hardening.d/25_default_whitelist_mount.conf +rm_conffile /etc/permission-hardening.d/25_default_whitelist_pam.conf 
+rm_conffile /etc/permission-hardening.d/25_default_whitelist_policykit.conf +rm_conffile /etc/permission-hardening.d/25_default_whitelist_qubes.conf +rm_conffile /etc/permission-hardening.d/25_default_whitelist_selinux.conf +rm_conffile /etc/permission-hardening.d/25_default_whitelist_spice.conf +rm_conffile /etc/permission-hardening.d/25_default_whitelist_ssh.conf +rm_conffile /etc/permission-hardening.d/25_default_whitelist_sudo.conf +rm_conffile /etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf +rm_conffile /etc/permission-hardening.d/25_default_whitelist_virtualbox.conf +rm_conffile /etc/permission-hardening.d/30_default.conf + +## moved to /usr/lib/permission-hardener.d +rm_conffile /etc/permission-hardener.d/25_default_passwd.conf +rm_conffile /etc/permission-hardener.d/25_default_sudo.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_bubblewrap.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_chromium.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_dbus.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_firejail.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_fuse.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_hardened_malloc.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_mount.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_pam.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_policykit.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_postfix.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_qubes.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_selinux.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_spice.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_ssh.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_sudo.conf +rm_conffile 
/etc/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_virtualbox.conf +rm_conffile /etc/permission-hardener.d/30_default.conf + +## merged into 1 file /etc/default/grub.d/40_kernel_hardening.cfg +rm_conffile /etc/default/grub.d/40_distrust_bootloader.cfg +rm_conffile /etc/default/grub.d/40_distrust_cpu.cfg +rm_conffile /etc/default/grub.d/40_enable_iommu.cfg + +## renamed to /etc/default/grub.d/40_remount_secure.cfg +rm_conffile /etc/default/grub.d/40_remmount-secure.cfg + +## renamed to /etc/default/grub.d/40_signed_modules.cfg +rm_conffile /etc/default/grub.d/40_only_allow_signed_modules.cfg + +## renamed to /etc/default/grub.d/41_quiet_boot.cfg +rm_conffile /etc/default/grub.d/41_quiet.cfg + +## moved to usability-misc +rm_conffile /etc/dkms/framework.conf.d/30_security-misc.conf + +## renamed to reflect the fact that this uses a whitelist +rm_conffile /usr/lib/permission-hardener.d/25_default_passwd.conf diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst index d00d8cf..ac81a23 100644 --- a/debian/security-misc.postinst +++ b/debian/security-misc.postinst 
@@ -1,20 +1,79 @@ #!/bin/bash -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then source /usr/libexec/helper-scripts/pre.bsh fi +## Required since this package uses debconf - this is mandatory even though +## the postinst itself does not use debconf commands. +source /usr/share/debconf/confmodule + set -e true " ##################################################################### -## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@ +## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $* ##################################################################### " +permission_hardening_legacy_config_folder() { + if ! test -d /etc/permission-hardening.d ; then + return 0 + fi + rmdir --verbose --ignore-fail-on-non-empty /etc/permission-hardening.d || true +} + +permission_hardening() { + echo "Running SUID Disabler and Permission Hardener... See also:" + echo "https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener" + echo "$0: INFO: running: permission-hardener enable" + if ! permission-hardener enable ; then + echo "$0: ERROR: Permission hardening failed." >&2 + return 0 + fi + echo "$0: INFO: Permission hardening success." +} + +migrate_permission_hardener_state() { + local existing_mode_dir new_mode_dir dpkg_statoverride_list + ## If folder /var/lib/permission-hardener (version 1) does not exist, this migration is unneeded. + if [ ! 
-d '/var/lib/permission-hardener' ]; then + return 0 + fi + + if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_2" ]; then + return 0 + fi + mkdir --parents '/var/lib/security-misc/do_once' + + existing_mode_dir='/var/lib/permission-hardener-v2/existing_mode' + new_mode_dir='/var/lib/permission-hardener-v2/new_mode' + + mkdir --parents "${existing_mode_dir}"; + mkdir --parents "${new_mode_dir}"; + + cp --verbose '/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded' "${existing_mode_dir}/statoverride" + cp --verbose '/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded' "${new_mode_dir}/statoverride" + + dpkg_statoverride_list="$(dpkg-statoverride --admindir "${new_mode_dir}" --list)" + + if [ "$(stat --format '%G' /usr/bin/sudo)" = 'sysmaint' ]; then + if ! [[ "${dpkg_statoverride_list}" =~ '/usr/bin/sudo' ]]; then + dpkg-statoverride --admindir "${new_mode_dir}" --add 'root' 'sysmaint' '4750' '/usr/bin/sudo' + fi + fi + if [ "$(stat --format '%G' /usr/bin/pkexec)" = 'sysmaint' ]; then + if ! [[ "${dpkg_statoverride_list}" =~ '/usr/bin/pkexec' ]]; then + dpkg-statoverride --admindir "${new_mode_dir}" --add 'root' 'sysmaint' '4750' '/usr/bin/pkexec' + fi + fi + + touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_2" +} + case "$1" in configure) if [ -d /etc/skel/.gnupg ]; then 
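Review bot: in migrate_permission_hardener_state the two `stat --format '%G'` calls assume /usr/bin/sudo and /usr/bin/pkexec both exist; on a system without sudo or policykit-1 installed, stat prints an error to stderr and the comparison quietly proceeds with an empty string, so guard each with an existence check such as `if [ -e /usr/bin/pkexec ] && [ "$(stat --format '%G' /usr/bin/pkexec)" = 'sysmaint' ]; then`. The `[[ "${dpkg_statoverride_list}" =~ '/usr/bin/sudo' ]]` test is a substring match over the whole `dpkg-statoverride --list` output, so an existing override for any path that merely contains that string (for example /usr/bin/sudoedit) would suppress adding the sudo entry; match the path as a complete field at the end of a line instead (the list format is `user group mode path`, one entry per line). permission_hardening prints "ERROR: Permission hardening failed." and then returns 0, so under `set -e` a failed run never fails the maintainer script; if that is deliberate so the package does not end up half-configured, say so in a comment above the function. The trailing semicolons after the two `mkdir --parents` lines are a style nit.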
@@ -24,15 +83,22 @@ case "$1" in ## /usr/share/glib-2.0/schemas/30_security-misc.gschema.override glib-compile-schemas /usr/share/glib-2.0/schemas || true + + ## state dir for faillock + mkdir -p /var/lib/security-misc/faillock + + ## migrate permission_hardener state to v2 if applicable + migrate_permission_hardener_state ;; abort-upgrade|abort-remove|abort-deconfigure) ;; triggered) - echo "INFO: triggered $DPKG_MAINTSCRIPT_PACKAGE: '$DPKG_MAINTSCRIPT_PACKAGE' $DPKG_MAINTSCRIPT_PACKAGE DPKG_MAINTSCRIPT_NAME: '$DPKG_MAINTSCRIPT_NAME' $\@: '$@' 2: '$2'" + echo "INFO: triggered $DPKG_MAINTSCRIPT_PACKAGE: '$DPKG_MAINTSCRIPT_PACKAGE' $DPKG_MAINTSCRIPT_PACKAGE DPKG_MAINTSCRIPT_NAME: '$DPKG_MAINTSCRIPT_NAME' $\*: '$*' 2: '$2'" /usr/share/security-misc/lkrg/lkrg-virtualbox || true /usr/libexec/security-misc/mmap-rnd-bits || true + permission_hardening exit 0 ;; @@ -46,6 +112,8 @@ pam-auth-update --package /usr/libexec/security-misc/permission-lockdown +permission_hardening + ## https://phabricator.whonix.org/T377 ## Debian has no update-grub trigger yet: ## https://bugs.debian.org/481542 @@ -66,9 +134,11 @@ true "INFO: debhelper beginning here." true "INFO: Done with debhelper." +permission_hardening_legacy_config_folder + true " ##################################################################### -## INFO: END : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@ +## INFO: END : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $* ##################################################################### " diff --git a/debian/security-misc.postrm b/debian/security-misc.postrm index c40721f..13dc588 100644 --- a/debian/security-misc.postrm +++ b/debian/security-misc.postrm @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then 
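Review bot: in the `triggered)` branch the echo label was changed from `$\@` to `$\*`, but inside double quotes bash does not treat `\*` specially, so the log line literally prints `$\*:` rather than `$*:`; use `\$*: '$*'` (escape the dollar sign) if the aim is to print the name of the expansion. The same hunk adds `permission_hardening` to the trigger path right before `exit 0`; since the function returns 0 on failure, a failed permission-hardener run during a trigger leaves only the stderr message and no non-zero exit, which should be stated where the function is defined. The new `mkdir -p /var/lib/security-misc/faillock` relies on the default umask for the directory mode; if the faillock records are not meant to be world-readable, pass `--mode` explicitly.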
diff --git a/debian/security-misc.preinst b/debian/security-misc.preinst index 43f8e2c..8e900d0 100644 --- a/debian/security-misc.preinst +++ b/debian/security-misc.preinst @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then @@ -20,6 +20,9 @@ user_groups_modifications() { addgroup --system sysfs addgroup --system cpuinfo + ## /usr/lib/systemd/system/proc-hidepid.service + addgroup --system proc + ## group 'sudo' membership required to use 'su' ## /usr/share/pam-configs/wheel-security-misc adduser root sudo @@ -44,7 +47,7 @@ user_groups_modifications() { ## an "empty" /etc/securetty. ## In case a system administrator edits /etc/securetty, there is no need to ## block for this to be still blocked by console lockdown. See also: - ## https://www.whonix.org/wiki/Root#Root_Login + ## https://www.kicksecure.com/wiki/Root#Root_Login adduser root console } @@ -95,12 +98,13 @@ sudo_users_check () { ## https://forums.whonix.org/t/is-security-misc-suitable-for-hardening-bridges-and-relays/8299/4 echo "$0: ERROR: No user is a member of group 'sudo'. Installation aborted." >&2 echo "$0: ERROR: You probably want to run:" >&2 + echo "$0: NOTE: Replace user 'user' with your actual Linux user account name." >&2 echo "" >&2 echo "sudo adduser user sudo" >&2 echo "sudo adduser user console" >&2 echo "" >&2 echo "$0: ERROR: See also installation instructions:" >&2 - echo "https://www.whonix.org/wiki/security-misc#install" >&2 + echo "https://www.kicksecure.com/wiki/security-misc#install" >&2 if [ "$SECURITY_MISC_INSTALL" = "force" ]; then output_skip_checks "Environment variable SECURITY_MISC_INSTALL is set to 'force'." diff --git a/debian/security-misc.prerm b/debian/security-misc.prerm index 78d5f3a..1c4cd87 100644 --- a/debian/security-misc.prerm +++ b/debian/security-misc.prerm 
@@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then diff --git a/debian/security-misc.templates b/debian/security-misc.templates new file mode 100644 index 0000000..1b543e7 --- /dev/null +++ b/debian/security-misc.templates @@ -0,0 +1,9 @@ +Template: security-misc/alert-on-permission-hardener-v2-upgrade +Type: note +_Description: Manual intervention may be required for permission-hardener update + No need to panic. Nothing is broken. A rare condition has been encountered. + permission-hardener is being updated to fix a minor bug that caused + corruption in the permission-hardener state file. If you installed your own + custom permission-hardener configuration, some manual intervention may be + required. See: + https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#fixing_state_files diff --git a/debian/security-misc.triggers b/debian/security-misc.triggers index 5dc870f..1f4a592 100644 --- a/debian/security-misc.triggers +++ b/debian/security-misc.triggers 
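Review bot: debian/security-misc.templates defines security-misc/alert-on-permission-hardener-v2-upgrade, but none of the maintainer-script hunks in this patch issue `db_input` or `db_go` for it, and the postinst comment explicitly says confmodule is sourced without using any debconf commands, so the diff does not show where this note is ever displayed. Either add a comment in the postinst naming the script that shows it, or show it from migrate_permission_hardener_state at the point where the legacy /var/lib/permission-hardener state directory is detected, which is the condition the template text describes.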
@@ -1,25 +1,16 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2024 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. -#### meta start -#### project Whonix -#### category security -#### description +## use noawait +## https://github.com/Kicksecure/security-misc/issues/196 -## Trigger 'activate-noawait update-initramfs' also works with both, -## initramfs-tools as well as dracut. -## - Activate initramfs hook that sets the sysctl values before init is executed. -## - dracut module 40sdmem-security-misc -activate-noawait update-initramfs +## Trigger permission hardener when new binaries are being installed. +interest-noawait /usr +interest-noawait /opt -## LKRG /usr/share/security-misc/lkrg/lkrg-virtualbox -interest-noawait /usr/bin/vboxmanage - -## /usr/libexec/security-misc/mmap-rnd-bits -## auto generates: -## /etc/sysctl.d/30_security-misc_aslr-mmap.conf -## sets: -## vm.mmap_rnd_bits -interest-noawait /boot - -#### meta end +## Trigger permission hardener when new configuration files are being installed. +interest-noawait /usr/lib/permission-hardener.d +interest-noawait /etc/permission-hardener.d +interest-noawait /usr/local/etc/permission-hardener.d +interest-noawait /etc/permission-hardening.d +interest-noawait /usr/local/etc/permission-hardening.d diff --git a/debian/security-misc.undisplace b/debian/security-misc.undisplace index 0b23381..990101a 100644 --- a/debian/security-misc.undisplace +++ b/debian/security-misc.undisplace @@ -1,5 +1,6 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. /etc/login.defs.security-misc /usr/bin/pkexec.security-misc +/etc/dkms/framework.conf.security-misc diff --git a/debian/watch b/debian/watch index 4a80d35..86f015f 100644 --- a/debian/watch +++ b/debian/watch 
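Review bot: `interest-noawait /usr` and `interest-noawait /opt` make the trigger fire whenever any package installs or removes a file anywhere under those trees, i.e. on practically every apt run, and the postinst `triggered)` branch then executes lkrg-virtualbox, mmap-rnd-bits and permission-hardener each time; the comment should state that this cost is intended. Because dpkg file triggers match on directory prefix, the later `interest-noawait /usr/lib/permission-hardener.d` and `/usr/local/etc/permission-hardener.d` lines are already covered by `/usr` and can be dropped or kept only with a comment explaining why they are listed. The removal of `activate-noawait update-initramfs` and of `interest-noawait /boot` deserves a comment saying where initramfs hook activation and the mmap-rnd-bits regeneration now happen, since the postinst still calls mmap-rnd-bits only from the trigger path.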
@@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. version=4 diff --git a/etc/X11/Xsession.d/50panic_on_oops b/etc/X11/Xsession.d/50panic_on_oops deleted file mode 100755 index 79646cb..0000000 --- a/etc/X11/Xsession.d/50panic_on_oops +++ /dev/null @@ -1,8 +0,0 @@ -#!/bin/sh - -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -if [ -x /usr/libexec/security-misc/panic-on-oops ]; then - sudo --non-interactive /usr/libexec/security-misc/panic-on-oops -fi diff --git a/etc/X11/Xsession.d/50security-misc b/etc/X11/Xsession.d/50security-misc deleted file mode 100755 index 0d8efce..0000000 --- a/etc/X11/Xsession.d/50security-misc +++ /dev/null @@ -1,9 +0,0 @@ -#!/bin/sh - -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -if [ -z "$XDG_CONFIG_DIRS" ]; then - XDG_CONFIG_DIRS=/etc/xdg -fi -export XDG_CONFIG_DIRS=/usr/share/security-misc/:$XDG_CONFIG_DIRS diff --git a/etc/apparmor.d/tunables/home.d/security-misc b/etc/apparmor.d/tunables/home.d/security-misc index b1aad3d..d63d5db 100644 --- a/etc/apparmor.d/tunables/home.d/security-misc +++ b/etc/apparmor.d/tunables/home.d/security-misc @@ -1,7 +1,7 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. -alias /etc/pam.d/common-session -> /etc/pam.d//etc/pam.d/common-session.security-misc, +alias /etc/pam.d/common-session -> /etc/pam.d/common-session.security-misc, alias /etc/pam.d/common-session-noninteractive -> /etc/pam.d/common-session-noninteractive.security-misc, alias /etc/login.defs -> /etc/login.defs.security-misc, alias /etc/securetty -> /etc/securetty.security-misc, diff --git a/etc/apt/apt.conf.d/40error-on-any b/etc/apt/apt.conf.d/40error-on-any index fbde1db..f1be472 100644 
--- a/etc/apt/apt.conf.d/40error-on-any +++ b/etc/apt/apt.conf.d/40error-on-any @@ -1,4 +1,4 @@ -## Copyright (C) 2021 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2021 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Make "sudo apt-get update" exit non-zero for transient failures. diff --git a/etc/apt/apt.conf.d/40sandbox b/etc/apt/apt.conf.d/40sandbox index eb7ef7a..43150ec 100644 --- a/etc/apt/apt.conf.d/40sandbox +++ b/etc/apt/apt.conf.d/40sandbox @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## https://forums.whonix.org/t/apt-seccomp-bpf-sandboxing/7702 diff --git a/etc/bluetooth/30_security-misc.conf b/etc/bluetooth/30_security-misc.conf new file mode 100644 index 0000000..8de8384 --- /dev/null +++ b/etc/bluetooth/30_security-misc.conf 
@@ -0,0 +1,28 @@ +## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +[General] +# How long to stay in pairable mode before going back to non-discoverable +# The value is in seconds. Default is 0. +# 0 = disable timer, i.e. stay pairable forever +PairableTimeout = 30 + +# How long to stay in discoverable mode before going back to non-discoverable +# The value is in seconds. Default is 180, i.e. 3 minutes. +# 0 = disable timer, i.e. stay discoverable forever +DiscoverableTimeout = 30 + +# Maximum number of controllers allowed to be exposed to the system. +# Default=0 (unlimited) +MaxControllers=1 + +[Policy] +# AutoEnable defines option to enable all controllers when they are found. +# This includes adapters present on start as well as adapters that are plugged +# in later on. Defaults to 'true'. +AutoEnable=false + +# network/on: A device will only accept advertising packets from peer +# devices that contain private addresses. It may not be compatible with some +# legacy devices since it requires the use of RPA(s) all the time. +Privacy=network/on diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index 1351206..efc9e5e 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg 
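Review bot: please confirm that bluetoothd actually reads /etc/bluetooth/30_security-misc.conf; BlueZ loads its daemon settings from main.conf by default, and if it does not also pick up other files in /etc/bluetooth, this drop-in is never applied and the settings belong in a conffile that replaces main.conf instead. Within the file, `PairableTimeout = 30` and `DiscoverableTimeout = 30` use spaces around `=` while `MaxControllers=1`, `AutoEnable=false` and `Privacy=network/on` do not; pick one form so the file matches the upstream main.conf style it is copying comments from.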
@@ -1,61 +1,189 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. -## Enables all known mitigations for CPU vulnerabilities. -## +## Definitions: +## KSPP=yes: compliant with recommendations by the KSPP +## KSPP=partial: partially compliant with recommendations by the KSPP +## KSPP=no: not (currently) compliant with recommendations by the KSPP +## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. + +## Enable known mitigations for CPU vulnerabilities. +## Note, the mitigations for SSB and Retbleed are not currently mentioned in the first link. ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html +## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647 -## Enable mitigations for Spectre variant 2 (indirect branch speculation). +## Check for potential updates directly from AMD and Intel. +## https://www.amd.com/en/resources/product-security.html +## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/advisory-guidance.html +## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/disclosure-documentation.html + +## Tabular comparison between the utility and functionality of various mitigations. +## https://forums.whonix.org/t/kernel-hardening-security-misc/7296/587 + +## For complete protection, users must install the latest relevant security microcode update. +## BIOS/UEFI updates should only be obtained directly from OEMs and/or motherboard manufacturers. +## Note that incorrectly performing system BIOS/UEFI updates can potentially lead to serious functionality issues. +## The parameters below only provide (partial) protection at both the kernel and user space level. 
+ +## If using Secure Boot, users must also ensure the Secure Boot Forbidden Signature Database (DBX) is up to date. +## The UEFI Revocation List contains signatures of now revoked firmware and software used in booting systems. +## If using compatible hardware, the database can be updated directly in user space using fwupd. +## Note that incorrectly performing DBX updates can potentially lead to serious functionality issues. +## https://github.com/microsoft/secureboot_objects +## https://uefi.org/revocationlistfile +## https://github.com/fwupd/fwupd + +## Enable a subset of known mitigations for some CPU vulnerabilities and disable SMT. +## +## KSPP=yes +## KSPP sets the kernel parameters. +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt" + +## Disable SMT as it has been the cause of and amplified numerous CPU exploits. +## The only full mitigation of cross-HT attacks is to disable SMT. +## Disabling will significantly decrease system performance on multi-threaded tasks. +## Note, this setting will prevent re-enabling SMT via the sysfs interface. +## +## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html +## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17 +## https://github.com/anthraxx/linux-hardened/issues/37#issuecomment-619597365 +## +## KSPP=yes +## KSPP sets the kernel parameter. +## +## To re-enable SMT: +## - Remove "nosmt=force". +## - Remove all occurrences of ",nosmt" in this file (note the comma ","). +## - Downgrade "l1tf=full,force" protection to "l1tf=flush". +## - Regenerate the dracut initramfs and then reboot system. +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force" + +## Spectre Side Channels (BTI and BHI): +## Unconditionally enable mitigation for Spectre Variant 2 (branch target injection). +## Enable mitigation for the Intel branch history injection vulnerability. 
+## Currently affects both AMD and Intel CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_bhi=on" -## Disable Speculative Store Bypass. +## Speculative Store Bypass (SSB): +## Mitigate Spectre Variant 4 by disabling speculative store bypass system-wide. +## Unconditionally enable the mitigation for both kernel and userspace. +## Currently affects both AMD and Intel CPUs. +## +## https://en.wikipedia.org/wiki/Speculative_Store_Bypass +## https://www.suse.com/support/kb/doc/?id=000019189 +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ssbd=force-on" -## Enable mitigations for the L1TF vulnerability through disabling SMT -## and L1D flush runtime control. +## L1 Terminal Fault (L1TF): +## Mitigate the vulnerability by disabling L1D flush runtime control and SMT. +## If L1D flushing is conditional, mitigate the vulnerability for certain KVM hypervisor configurations. +## Currently affects Intel CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1tf=full,force" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm-intel.vmentry_l1d_flush=always" -## Enable mitigations for the MDS vulnerability through clearing buffer cache -## and disabling SMT. +## Microarchitectural Data Sampling (MDS): +## Mitigate the vulnerability by clearing the CPU buffer cache and disabling SMT. +## Currently affects Intel CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt" -## Patches the TAA vulnerability by disabling TSX and enables mitigations using -## TSX Async Abort along with disabling SMT. +## TSX Asynchronous Abort (TAA): +## Mitigate the vulnerability by disabling TSX. 
+## If TSX is enabled, clear CPU buffer rings on transitions and disable SMT. +## Currently affects Intel CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off tsx_async_abort=full,nosmt" +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx_async_abort=full,nosmt" -## Mark all huge pages in the EPT as non-executable to mitigate iTLB multihit. +## iTLB Multihit: +## Mitigate the vulnerability by marking all huge pages in the EPT as non-executable. +## Currently affects Intel CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force" -## Enables mitigations for SRBDS to prevent MDS attacks on RDRAND and RDSEED instructions. -## Only mitigated through microcode updates from Intel. +## Special Register Buffer Data Sampling (SRBDS): +## Mitigation of the vulnerability is only possible via microcode update from Intel. +## Currently affects Intel CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/special-register-buffer-data-sampling.html ## https://access.redhat.com/solutions/5142691 -## Force disable SMT as it has caused numerous CPU vulnerabilities. -## The only full mitigation of cross-HT attacks is to disable SMT. -## -## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html -## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17 -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force" - -## Enables the prctl interface to prevent leaks from L1D on context switches. +## L1D Flushing: +## Mitigate leaks from the L1D cache on context switches by enabling the prctl() interface. +## Currently affects Intel CPUs. 
## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1d_flush.html +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1d_flush=on" -## Mitigates numerous MMIO Stale Data vulnerabilities and disables SMT. +## Processor MMIO Stale Data: +## Mitigate the vulnerabilities by appropriately clearing the CPU buffer and disabling SMT. +## Currently affects Intel CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mmio_stale_data=full,nosmt" + +## Arbitrary Speculative Code Execution with Return Instructions (Retbleed): +## Mitigate the vulnerability through CPU-dependent implementation and disable SMT. +## Currently affects both AMD Zen 1-2 and Intel CPUs. +## +## https://en.wikipedia.org/wiki/Retbleed +## https://comsec.ethz.ch/research/microarch/retbleed/ +## https://www.suse.com/support/kb/doc/?id=000020693 +## https://access.redhat.com/solutions/retbleed +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt" + +## Cross-Thread Return Address Predictions: +## Mitigate the vulnerability for certain KVM hypervisor configurations. +## Currently affects AMD Zen 1-2 CPUs. +## +## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/cross-thread-rsb.html +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.mitigate_smt_rsb=1" + +## Speculative Return Stack Overflow (SRSO): +## Mitigate the vulnerability by ensuring all RET instructions speculate to a controlled location. +## Currently affects AMD Zen 1-4 CPUs. +## +## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html +## +## The default kernel setting will be utilized until provided sufficient evidence to modify. +## Using "spec_rstack_overflow=ipbp" may provide stronger security at a greater performance impact. 
+## +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_rstack_overflow=safe-ret" + +## Gather Data Sampling (GDS): +## Mitigate the vulnerability either via microcode update or by disabling AVX. +## Note, without a suitable microcode update, this will entirely disable use of the AVX instructions set. +## Currently affects Intel CPUs. +## +## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/gather_data_sampling.html +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX gather_data_sampling=force" + +## Register File Data Sampling (RFDS): +## Mitigate the vulnerability by appropriately clearing the CPU buffer. +## Currently affects Intel Atom CPUs (which encompasses E-cores on hybrid architectures). +## +## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/reg-file-data-sampling.html +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX reg_file_data_sampling=on" diff --git a/etc/default/grub.d/40_distrust_bootloader.cfg b/etc/default/grub.d/40_distrust_bootloader.cfg deleted file mode 100644 index 36ce183..0000000 --- a/etc/default/grub.d/40_distrust_bootloader.cfg +++ /dev/null @@ -1,7 +0,0 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Distrusts the bootloader for initial entropy at boot. -## -## https://lkml.org/lkml/2022/6/5/271 -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_bootloader=off" diff --git a/etc/default/grub.d/40_distrust_cpu.cfg b/etc/default/grub.d/40_distrust_cpu.cfg deleted file mode 100644 index 107b717..0000000 --- a/etc/default/grub.d/40_distrust_cpu.cfg +++ /dev/null 
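Review bot: in the SRSO block of 40_cpu_mitigations.cfg the comment refers to `spec_rstack_overflow=ipbp`, but the value the kernel accepts is `ibpb` (the documented choices are off, microcode, safe-ret, ibpb and ibpb-vmexit), so anyone copying the comment would get an unrecognised option. The "To re-enable SMT" steps end with "Regenerate the dracut initramfs and then reboot", yet these lines live in /etc/default/grub.d, so the GRUB configuration has to be regenerated as well for the removed parameters to leave the kernel command line; add that step. In the SSB block, `ssbd=force-on` is the arm64 spelling of the speculative-store-bypass control and is ignored on x86, where `spec_store_bypass_disable=on` on the preceding line is the one that applies; a short per-architecture note on those two lines would save the next reader the lookup.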
@@ -1,12 +0,0 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Distrusts the CPU for initial entropy at boot as it is not possible to -## audit, may contain weaknesses or a backdoor. -## -## https://en.wikipedia.org/wiki/RDRAND#Reception -## https://twitter.com/pid_eins/status/1149649806056280069 -## https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html -## https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566 -## https://lkml.org/lkml/2022/6/5/271 -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off" diff --git a/etc/default/grub.d/40_enable_iommu.cfg b/etc/default/grub.d/40_enable_iommu.cfg deleted file mode 100644 index 579ccca..0000000 --- a/etc/default/grub.d/40_enable_iommu.cfg +++ /dev/null @@ -1,17 +0,0 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Enables IOMMU to prevent DMA attacks. -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on amd_iommu=on" - -## Disable the busmaster bit on all PCI bridges during very -## early boot to avoid holes in IOMMU. -## -## https://mjg59.dreamwidth.org/54433.html -## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94 -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma" - -## Enables strict enforcement of IOMMU TLB invalidation so devices will never be able to access stale data contents -## https://github.com/torvalds/linux/blob/master/drivers/iommu/Kconfig#L97 -## Page 11 of https://lenovopress.lenovo.com/lp1467.pdf -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.passthrough=0 iommu.strict=1" diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index b673d6d..671c28b 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg 
+++ b/etc/default/grub.d/40_kernel_hardening.cfg 
@@ -1,64 +1,332 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. kpkg="linux-image-$(dpkg --print-architecture)" || true kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || true #echo "## kver: $kver" -## Disables the merging of slabs of similar sizes. -## Sometimes a slab can be used in a vulnerable way which an attacker can exploit. +## Definitions: +## KSPP=yes: compliant with recommendations by the KSPP +## KSPP=partial: partially compliant with recommendations by the KSPP +## KSPP=no: not (currently) compliant with recommendations by the KSPP +## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. + +## This configuration file is split into 4 sections: +## 1. Kernel Space +## 2. Direct Memory Access +## 3. Entropy +## 4. Networking + +## See the documentation below for details on the majority of the selected commands: +## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html +## https://wiki.archlinux.org/title/Kernel_parameters#GRUB + +## 1. Kernel Space: +## +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#boot-parameters +## https://kspp.github.io/Recommended_Settings#kernel-command-line-options + +## Disable merging of slabs with similar size. +## Reduces the risk of triggering heap overflows. +## Prevents overwriting objects from merged caches and limits influencing slab cache layout. +## +## https://www.openwall.com/lists/kernel-hardening/2017/06/19/33 +## https://www.openwall.com/lists/kernel-hardening/2017/06/20/10 +## +## KSPP=yes +## KSPP sets the kernel parameter and does not set CONFIG_SLAB_MERGE_DEFAULT. +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge" -## Enables sanity checks (F) and redzoning (Z). 
-## Disabled due to kernel deciding to implicitly disable kernel pointer hashing -## https://github.com/torvalds/linux/commit/792702911f581f7793962fbeb99d5c3a1b28f4c3 -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZ" +## Enable sanity checks and red zoning of slabs via debugging options to detect corruption. +## As a by product of debugging, this will implicitly disabling kernel pointer hashing. +## Enabling will therefore leak exact and all kernel memory addresses to root. +## Has the potential to cause a noticeable performance decrease. +## +## https://www.kernel.org/doc/html/latest/mm/slub.html +## https://lore.kernel.org/all/20210601182202.3011020-5-swboyd@chromium.org/T/#u +## https://gitlab.tails.boum.org/tails/tails/-/issues/19613 +## https://github.com/Kicksecure/security-misc/issues/253 +## +## KSPP=yes +## KSPP sets the kernel parameters and CONFIG_SLUB_DEBUG. +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_debug=FZ" -## Zero memory at allocation and free time. -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_alloc=1 init_on_free=1" +## Zero memory at allocation time and free time. +## Fills newly allocated pages, freed pages, and heap objects with zeros. +## Mitigates use-after-free exploits by erasing sensitive information in memory. +## +## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6471384af2a6530696fc0203bafe4de41a23c9ef +## +## KSPP=yes +## KSPP sets the kernel parameters, CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y, and CONFIG_INIT_ON_FREE_DEFAULT_ON=y. +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_alloc=1" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_free=1" -## Machine check exception handler decides whether the system should panic or not based on the exception that happened. -## https://forums.whonix.org/t/kernel-hardening/7296/494 -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0" - -## Enables Kernel Page Table Isolation which mitigates Meltdown and improves KASLR. 
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on" - -## Vsyscalls are obsolete, are at fixed addresses and are a target for ROP. -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none" - -## Enables page allocator freelist randomization. +## Enable the kernel page allocator to randomize free lists. +## During early boot, the page allocator has predictable FIFO behavior for physical pages. +## Limits some data exfiltration and ROP attacks that rely on inferring sensitive data location. +## Also improves performance by optimizing memory-side cache utilization. +## +## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e900a918b0984ec8f2eb150b8477a47b75d17692 +## https://en.wikipedia.org/wiki/Return-oriented_programming#Attacks +## +## KSPP=yes +## KSPP sets the kernel parameter and CONFIG_SHUFFLE_PAGE_ALLOCATOR=y. +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1" -## Enables randomisation of the kernel stack offset on syscall entries (introduced in kernel 5.13). +## Enable kernel page table isolation to harden against kernel ASLR (KASLR) bypasses. +## Mitigates the Meltdown CPU vulnerability. +## +## https://en.wikipedia.org/wiki/Kernel_page-table_isolation +## +## KSPP=yes +## KSPP sets the kernel parameter and CONFIG_MITIGATION_PAGE_TABLE_ISOLATION=y. +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on" + +## Enable randomization of the kernel stack offset on syscall entries. +## Hardens against memory corruption attacks due to increased entropy. +## Limits attacks relying on deterministic stack addresses or cross-syscall address exposure. +## ## https://lkml.org/lkml/2019/3/18/246 +## https://a13xp0p0v.github.io/2020/02/15/CVE-2019-18683.html +## +## KSPP=yes +## KSPP sets the kernel parameter and CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y. +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX randomize_kstack_offset=on" -## Enables kernel lockdown. +## Disable vsyscalls to reduce attack surface as they have been replaced by vDSO. 
+## Vulnerable to ROP attacks as vsyscalls are located at fixed addresses in memory. ## -## Disabled for now as it enforces module signature verification which breaks -## too many things. -## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880 +## https://lwn.net/Articles/446528/ +## https://en.wikipedia.org/wiki/VDSO ## -#if dpkg --compare-versions "${kver}" ge "5.4"; then -# GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX lockdown=confidentiality" -#fi +## KSPP=yes +## KSPP sets the kernel parameter, CONFIG_LEGACY_VSYSCALL_NONE=y and does not set CONFIG_X86_VSYSCALL_EMULATION. +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none" -## Gather more entropy during boot. +## Restrict access to debugfs by not registering the file system. +## Deactivated since the file system can contain sensitive information. ## -## Requires linux-hardened kernel patch. -## https://github.com/anthraxx/linux-hardened -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy" - -## Restrict access to debugfs since it can contain a lot of sensitive information. ## https://lkml.org/lkml/2020/7/16/122 -## https://github.com/torvalds/linux/blob/fb1201aececc59990b75ef59fca93ae4aa1e1444/Documentation/admin-guide/kernel-parameters.txt#L835-L848 +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" -## Force the kernel to panic on "oopses" (which may be due to false positives) +## Force the kernel to panic on "oopses". +## Can sometimes potentially indicate and thwart certain kernel exploitation attempts. +## Panics may be due to false-positives such as bad drivers. 
+## +## https://en.wikipedia.org/wiki/Kernel_panic#Linux +## https://en.wikipedia.org/wiki/Linux_kernel_oops ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713 -## Implemented differently: -## /usr/libexec/security-misc/panic-on-oops -## /etc/X11/Xsession.d/50panic_on_oops -## /etc/sudoers.d/security-misc +## +## KSPP=partial +## KSPP sets CONFIG_PANIC_ON_OOPS=y, but also requires CONFIG_PANIC_TIMEOUT=-1. +## +## See /usr/libexec/security-misc/panic-on-oops for implementation. +## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX oops=panic" + +## Modify machine check exception handler. +## Can decide whether the system should panic or not based on the occurrence of an exception. +## +## https://www.kernel.org/doc/html/latest/arch/x86/x86_64/machinecheck.html +## https://www.kernel.org/doc/html/latest/arch/x86/x86_64/boot-options.html#machine-check +## https://forums.whonix.org/t/kernel-hardening/7296/494 +## +## The default kernel setting will be utilized until provided sufficient evidence to modify. +## +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0" + +## Prevent sensitive kernel information leaks in the console during boot. +## Must be used in combination with the kernel.printk sysctl. +## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation. +## +## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html +## https://wiki.archlinux.org/title/silent_boot +## +## See /etc/default/grub.d/41_quiet_boot.cfg for implementation. +## +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX loglevel=0" +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet" + +## Enable the kernel "Electric-Fence" sampling-based memory safety error detector. +## KFENCE detects heap out-of-bounds access, use-after-free, and invalid-free errors. +## Aims to have very low processing overhead at each sampling interval. +## Sampling interval is set to occur every 100 milliseconds as per KSPP recommendation. 
+## +## https://www.kernel.org/doc/html/latest/dev-tools/kfence.html +## https://google.github.io/kernel-sanitizers/KFENCE.html +## https://blogs.oracle.com/linux/post/linux-slub-allocator-internals-and-debugging-4 +## https://lwn.net/Articles/835542/ +## +## KSPP=yes +## KSPP sets the kernel parameter, CONFIG_KFENCE=y, and CONFIG_KFENCE_SAMPLE_INTERVAL=100. +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100" + +## Disable 32-bit Virtual Dynamic Shared Object (vDSO) mappings. +## Legacy compatibility feature for superseded glibc versions. +## +## https://lore.kernel.org/lkml/20080409082927.BD59E26F992@magilla.localdomain/T/ +## https://lists.openwall.net/linux-kernel/2014/03/11/3 +## +## KSPP=yes +## KSPP sets the kernel parameter and does not set CONFIG_COMPAT_VDSO. +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0" + +## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation. +## The default implementation is FineIBT as of Linux kernel 6.2. +## The Intel-developed IBT (Indirect Branch Tracking) is only used if supported by the CPU. +## kCFI is software-only while FineIBT is a hybrid software/hardware implementation. +## FineIBT may result in some performance benefits as it only performs checking at destinations. +## FineIBT is considered weaker against attacks that can write arbitrary executables into memory. +## Upstream hardening work has provided users the ability to disable FineIBT based on requests. +## Choice of CFI implementation is highly dependent on user threat model as there are pros/cons to both. +## Do not modify from the default setting if unsure of implications. 
+## +## https://lore.kernel.org/all/20221027092842.699804264@infradead.org/ +## https://lore.kernel.org/lkml/202210010918.4918F847C4@keescook/T/#u +## https://lore.kernel.org/lkml/202210182217.486CBA50@keescook/T/ +## https://lore.kernel.org/lkml/202407150933.E1871BE@keescook/ +## https://isopenbsdsecu.re/mitigations/forward_edge_cfi/ +## https://docs.kernel.org/next/x86/shstk.html +## https://source.android.com/docs/security/test/kcfi +## https://lpc.events/event/16/contributions/1315/attachments/1067/2169/cfi.pdf +## https://forums.whonix.org/t/kernel-hardening-security-misc/7296/561 +## +## KSPP=yes +## KSPP sets the kernel parameter. +## +## TODO: Debian 13 Trixie +## Applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness). +## +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX cfi=kcfi" + +## Disable support for x86 processes and syscalls. +## Unconditionally disables IA32 emulation to substantially reduce attack surface. +## +## https://lore.kernel.org/all/20230623111409.3047467-7-nik.borisov@suse.com/ +## +## KSPP=yes +## KSPP does not set CONFIG_COMPAT, CONFIG_IA32_EMULATION, CONFIG_X86_X32, CONFIG_X86_X32_ABI, and CONFIG_MODIFY_LDT_SYSCALL. +## +## TODO: Debian 13 Trixie +## Applicable when using Linux kernel >= 6.7 (retained here for future-proofing and completeness). +## +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0" + +## Disable EFI persistent storage feature. +## Disable Error Record Serialization Table (ERST) support as a form of defense-in-depth. +## Prevents the kernel from writing crash logs and other persistent data to the storage backend. +## Both the UEFI variable storage and ACPI ERST backends are deactivated. 
+## +## https://blogs.oracle.com/linux/post/pstore-linux-kernel-persistent-storage-file-system +## https://www.ais.com/understanding-pstore-linux-kernel-persistent-storage-file-system/ +## https://lwn.net/Articles/434821/ +## https://manpages.debian.org/testing/systemd/systemd-pstore.service.8.en.html +## https://gitlab.tails.boum.org/tails/tails/-/issues/20813 +## https://github.com/Kicksecure/security-misc/issues/299 +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi_pstore.pstore_disable=1" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX erst_disable" + +## 2. Direct Memory Access: +## +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#dma-attacks + +## Enable CPU manufacturer-specific IOMMU drivers to mitigate some DMA attacks. +## +## KSPP=yes +## KSPP sets CONFIG_INTEL_IOMMU=y, CONFIG_INTEL_IOMMU_DEFAULT_ON=y, CONFIG_INTEL_IOMMU_SVM=y, CONFIG_AMD_IOMMU=y, and CONFIG_AMD_IOMMU_V2=y. +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX amd_iommu=force_isolation" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on" + +## Enable and force use of IOMMU translation to protect against some DMA attacks. +## Strictly force DMA unmap operations to synchronously invalidate IOMMU hardware TLBs. +## Ensures devices will never be able to access stale data contents. +## +## https://en.wikipedia.org/wiki/Input%E2%80%93output_memory_management_unit +## https://en.wikipedia.org/wiki/DMA_attack +## https://lenovopress.lenovo.com/lp1467.pdf +## +## KSPP=yes +## KSPP sets the kernel parameters, CONFIG_IOMMU_SUPPORT=y, CONFIG_IOMMU_DEFAULT_DMA_STRICT=y, and does not set CONFIG_IOMMU_DEFAULT_PASSTHROUGH. +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu=force" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.passthrough=0" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.strict=1" + +## Clear the busmaster bit on all PCI bridges during the EFI hand-off. +## Terminates all existing DMA transactions prior to the kernel's IOMMU setup. 
+## Forces third party PCI devices to then re-set their busmaster bit in order to perform DMA. +## Assumes that the motherboard chipset and firmware are not malicious. +## May cause complete boot failure on certain hardware with incompatible firmware. +## +## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94 +## https://mjg59.dreamwidth.org/54433.html +## +## KSPP=yes +## KSPP sets CONFIG_EFI_DISABLE_PCI_DMA=y. +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma" + +## 3. Entropy: +## +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#rdrand + +## Do not credit the CPU or bootloader seeds as entropy sources at boot. +## The RDRAND CPU (RNG) instructions are proprietary and closed-source. +## Numerous implementations of RDRAND have a long history of being defective. +## The RNG seed passed by the bootloader could also potentially be tampered. +## Maximizing the entropy pool at boot is desirable for all cryptographic operations. +## These settings ensure additional entropy is obtained from other sources to initialize the RNG. +## Note that distrusting these (relatively fast) sources of entropy will increase boot time. +## +## https://en.wikipedia.org/wiki/RDRAND#Reception +## https://systemd.io/RANDOM_SEEDS/ +## https://www.kicksecure.com/wiki/Dev/Entropy#RDRAND +## https://arstechnica.com/gadgets/2019/10/how-a-months-old-amd-microcode-bug-destroyed-my-weekend/ +## https://x.com/pid_eins/status/1149649806056280069 +## https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html +## https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566 +## https://github.com/NixOS/nixpkgs/pull/165355 +## https://lkml.org/lkml/2022/6/5/271 +## +## KSPP=yes +## KSPP sets CONFIG_RANDOM_TRUST_BOOTLOADER=y and CONFIG_RANDOM_TRUST_CPU=y. 
+## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_bootloader=off" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off" + +## Obtain more entropy during boot as the runtime memory allocator is being initialized. +## Entropy will be extracted from up to the first 4GB of RAM. +## Requires the linux-hardened kernel patch. +## +## https://www.kicksecure.com/wiki/Hardened-kernel#linux-hardened +## https://github.com/anthraxx/linux-hardened/commit/c3e7df1dba1eb8105d6d5143079a6a0ad9e9ebc7 +## https://github.com/anthraxx/linux-hardened/commit/a04458f97fe1f7e95888c77c0165b646375db9c4 +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy" + +## 4. Networking +## +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-boot-parameters + +## Disable the entire IPv6 stack functionality. +## Removes attack surface associated with the IPv6 module. +## +## https://www.kernel.org/doc/html/latest/networking/ipv6.html +## https://wiki.archlinux.org/title/IPv6#Disable_IPv6 +## +## Enabling makes redundant many network hardening sysctl's in /usr/lib/sysctl.d/990-security-misc.conf. +## +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ipv6.disable=1" diff --git a/etc/default/grub.d/40_remount_secure.cfg b/etc/default/grub.d/40_remount_secure.cfg new file mode 100644 index 0000000..c3cc30a --- /dev/null +++ b/etc/default/grub.d/40_remount_secure.cfg 
@@ -0,0 +1,31 @@ +## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Definitions: +## KSPP=yes: compliant with recommendations by the KSPP +## KSPP=partial: partially compliant with recommendations by the KSPP +## KSPP=no: not (currently) compliant with recommendations by the KSPP +## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. + +## Remount Secure provides enhanced security via mount options: +## https://www.kicksecure.com/wiki/Security-misc#Remount_Secure + +## Option A (No Security): +## Disable Remount Secure. +## +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=0" + +## Option B (Low Security): +## Re-mount with nodev and nosuid only. +## +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=1" + +## Option C (Medium Security): +## Re-mount with nodev, nosuid, and noexec for most mount points, excluding /home. +## +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=2" + +## Option D (Highest Security): +## Re-mount with nodev, nosuid, and noexec for all mount points including /home. +## +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=3" diff --git a/etc/default/grub.d/40_signed_modules.cfg b/etc/default/grub.d/40_signed_modules.cfg new file mode 100644 index 0000000..36af7f3 --- /dev/null +++ b/etc/default/grub.d/40_signed_modules.cfg 
@@ -0,0 +1,37 @@ +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Definitions: +## KSPP=yes: compliant with recommendations by the KSPP +## KSPP=partial: partially compliant with recommendations by the KSPP +## KSPP=no: not (currently) compliant with recommendations by the KSPP +## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. + +## Require every kernel module to be signed before being loaded. +## Any module that is unsigned or signed with an invalid key cannot be loaded. +## This prevents all out-of-tree kernel modules unless signed. +## This makes it harder to load a malicious module. +## +## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/61 +## https://github.com/dell/dkms/issues/359 +## +## KSPP=yes +## KSPP sets CONFIG_MODULE_SIG=y, CONFIG_MODULE_SIG_FORCE=y, and CONFIG_MODULE_SIG_ALL=y. +## +## Not enabled by default yet due to several issues. +## +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX module.sig_enforce=1" + +## Enable kernel lockdown to enforce security boundary between user and kernel space. +## Confidentiality mode enforces module signature verification. +## +## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880 +## +## KSPP=yes +## KSPP sets CONFIG_SECURITY_LOCKDOWN_LSM=y, CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y, and CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y. +## +## Not enabled by default yet due to several issues. +## +#if dpkg --compare-versions "${kver}" ge "5.4"; then +# GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX lockdown=confidentiality" +#fi diff --git a/etc/default/grub.d/41_quiet.cfg b/etc/default/grub.d/41_quiet.cfg deleted file mode 100644 index b863029..0000000 --- a/etc/default/grub.d/41_quiet.cfg +++ /dev/null 
@@ -1,27 +0,0 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Prevent kernel info leaks in console during boot. -## https://phabricator.whonix.org/T950 - -## LANG=C str_replace is provided by package helper-scripts. - -## The following command actually removed "quiet" from the kernel command line. -## If verbosity is desired, the user might want to keep this line. -## Remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT because "quiet" must be first. -GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | LANG=C str_replace "quiet" "")" - -## If verbosity is desired, the user might want to out-comment the following line. -GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT quiet loglevel=0" - -## NOTE: -## After editing this file, running: -## sudo update-grub -## is required. -## -## If higher verbosity is desired, the user might also want to delete file -## /etc/sysctl.d/30_silent-kernel-printk.conf -## (or out-comment its settings). -## -## Alternatively, the user could consider to install the debug-misc package, -## which will undo the settings found here. diff --git a/etc/default/grub.d/41_quiet_boot.cfg b/etc/default/grub.d/41_quiet_boot.cfg new file mode 100644 index 0000000..7221ac0 --- /dev/null +++ b/etc/default/grub.d/41_quiet_boot.cfg 
@@ -0,0 +1,35 @@ +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Definitions: +## KSPP=yes: compliant with recommendations by the KSPP +## KSPP=partial: partially compliant with recommendations by the KSPP +## KSPP=no: not (currently) compliant with recommendations by the KSPP +## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. + +## Some default configuration files automatically include the "quiet" parameter. +## Therefore, first remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT since "quiet" must be first. +## str_replace is provided by package helper-scripts. +## +## https://github.com/Kicksecure/security-misc/pull/233#issuecomment-2228792461 +## +GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | str_replace "quiet" "")" + +## Prevent sensitive kernel information leaks in the console during boot. +## Must be used in combination with the kernel.printk sysctl. +## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation. +## +## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html +## https://wiki.archlinux.org/title/silent_boot +## +## For easier debugging, these are not applied to the recovery boot option. +## Switch the pair of commands to universally apply parameters to all boot options. +## +GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT loglevel=0" +GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT quiet" +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX loglevel=0" +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet" + +## For Increased Log Verbosity: +## Adjust (or comment out) the kernel.printk sysctl in /usr/lib/sysctl.d/30_silent-kernel-printk.conf. +## Alternatively, installing the debug-misc package will undo these settings. diff --git a/etc/default/grub.d/41_recovery_restrict.cfg b/etc/default/grub.d/41_recovery_restrict.cfg new file mode 100644 index 0000000..f54247b --- /dev/null 
+++ b/etc/default/grub.d/41_recovery_restrict.cfg @@ -0,0 +1,21 @@ +## Copyright (C) 2024 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Definitions: +## KSPP=yes: compliant with recommendations by the KSPP +## KSPP=partial: partially compliant with recommendations by the KSPP +## KSPP=no: not (currently) compliant with recommendations by the KSPP +## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. + +## Disable access to single-user (recovery) mode. +## +## https://forums.kicksecure.com/t/remove-linux-recovery-mode-boot-option-from-default-grub-boot-menu/727 +## +GRUB_DISABLE_RECOVERY="true" + +## Disable access to Dracut's recovery console. +## +## https://forums.kicksecure.com/t/harden-dracut-initramfs-generator-by-disabling-recovery-console/724 +## +GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT rd.emergency=halt" +GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT rd.shell=0" diff --git a/etc/dkms/framework.conf.security-misc b/etc/dkms/framework.conf.security-misc deleted file mode 100644 index f9a643d..0000000 --- a/etc/dkms/framework.conf.security-misc +++ /dev/null 
@@ -1,64 +0,0 @@ -## This configuration file modifies the behavior of -## DKMS (Dynamic Kernel Module Support) and is sourced -## in by DKMS every time it is run. - -## Source Tree Location (default: /usr/src) -# source_tree="/usr/src" - -## DKMS Tree Location (default: /var/lib/dkms) -# dkms_tree="/var/lib/dkms" - -## Install Tree Location (default: /lib/modules) -# install_tree="/lib/modules" - -## tmp Location (default: /tmp) -# tmp_location="/tmp" - -## verbosity setting (verbose will be active if you set it to a non-null value) -# verbose="" - -## symlink kernel modules (will be active if you set it to a non-null value) -## This creates symlinks from the install_tree into the dkms_tree instead of -## copying the modules. This preserves some space on the costs of being less -## safe. -# symlink_modules="" - -## Automatic installation and upgrade for all installed kernels (if set to a -## non-null value) -# autoinstall_all_kernels="" - -## Script to sign modules during build, script is called with kernel version -## and module name -# sign_tool="/etc/dkms/sign_helper.sh" - -### BEGIN modifications by package security-misc ### - -## original: -## https://github.com/dell/dkms/blob/master/dkms_framework.conf - -## DKMS feature request: -## add /etc/dkms/framework.conf.d configuration file drop-in folder -## https://github.com/dell/dkms/issues/116 - -## Lower parallel compilation jobs to 1 if less than 2 GB RAM to avoid freezing -## of virtual machines. -## -## This does not necessarily belong into security-misc, however likely -## security-misc will need to modify /etc/dkms/framework.conf in the future to -## enable kernel module signing. See below. -## -## https://forums.whonix.org/t/linux-kernel-runtime-guard-lkrg-linux-kernel-runtime-integrity-checking-and-exploit-detection/8477/26 -ENOUGH_RAM="1950" -total_ram="$(free -m | sed -n -e '/^Mem:/s/^[^0-9]*\([0-9]*\) .*/\1/p')" -if [ "$total_ram" -ge "$ENOUGH_RAM" ]; then - true "INFO: Enough RAM available. 
Not lowering compilation cores." -else - true "INFO: Not enough RAM available. Lowering compilation cores to 1." - parallel_jobs=1 -fi - -## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/58 -## https://github.com/dell/dkms/blob/master/sign_helper.sh -#sign_tool="/etc/dkms/sign_helper.sh" - -### END modifications by package security-misc ### diff --git a/etc/dracut.conf.d/30-security-misc.conf b/etc/dracut.conf.d/30-security-misc.conf index 90c7698..5b3c7b5 100644 --- a/etc/dracut.conf.d/30-security-misc.conf +++ b/etc/dracut.conf.d/30-security-misc.conf @@ -1,3 +1,6 @@ +## Copyright (C) 2021 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + reproducible=yes ## Debugging. diff --git a/etc/gitconfig b/etc/gitconfig new file mode 100644 index 0000000..8ce67b4 --- /dev/null +++ b/etc/gitconfig 
@@ -0,0 +1,38 @@ +## Copyright (C) 2024 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Lines starting with a hash symbol ('#') are comments. +## https://github.com/Kicksecure/security-misc/issues/225 + +[core] +## https://github.com/git/git/security/advisories/GHSA-8prw-h3cq-mghm + symlinks = false + +## https://forums.whonix.org/t/git-users-enable-fsck-by-default-for-better-security/2066 +[transfer] + fsckobjects = true +[fetch] + fsckobjects = true +[receive] + fsckobjects = true + +## Generally a good idea but too intrusive to enable by default. +## Listed here as suggestions what users should put into their ~/.gitconfig +## file. + +## Not enabled by default because it requires essential knowledge about OpenPG +## and an already existing local signing key. Otherwise would prevent all new +## commits. +#[commit] +# gpgsign = true + +## Not enabled by default because it would break the 'git merge' command for +## unsigned commits and require the '--no-verify-signature' command line +## option. +#[merge] +# verifySignatures = true + +## Not enabled by default because it would break for users who are not having +## an account at the git server and having added a SSH public key. +#[url "ssh://git@github.com/"] +# insteadOf = https://github.com/ diff --git a/etc/hide-hardware-info.d/30_default.conf b/etc/hide-hardware-info.d/30_default.conf index df6952e..d1bc221 100644 --- a/etc/hide-hardware-info.d/30_default.conf +++ b/etc/hide-hardware-info.d/30_default.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Disable the /sys whitelist. @@ -7,6 +7,9 @@ ## Disable the /proc/cpuinfo whitelist. #cpuinfo_whitelist=0 +## Disable /sys hardening. +#sysfs=0 + ## Disable selinux mode. -## https://www.whonix.org/wiki/Security-misc#selinux +## https://www.kicksecure.com/wiki/Security-misc#selinux #selinux=0 
diff --git a/etc/initramfs-tools/hooks/sysctl-initramfs b/etc/initramfs-tools/hooks/sysctl-initramfs index f1e3589..022c6af 100755 --- a/etc/initramfs-tools/hooks/sysctl-initramfs +++ b/etc/initramfs-tools/hooks/sysctl-initramfs @@ -1,6 +1,6 @@ #!/bin/sh -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. set -e @@ -18,4 +18,4 @@ prereqs) esac . /usr/share/initramfs-tools/hook-functions -copy_exec /sbin/sysctl /sbin +copy_exec /usr/sbin/sysctl /usr/sbin diff --git a/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs b/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs index d932fc1..e4792e7 100755 --- a/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs +++ b/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs @@ -1,6 +1,6 @@ #!/bin/sh -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. PREREQ="" diff --git a/etc/kernel/postinst.d/30_remove-system-map b/etc/kernel/postinst.d/30_remove-system-map index 14ac9b6..416c808 100755 --- a/etc/kernel/postinst.d/30_remove-system-map +++ b/etc/kernel/postinst.d/30_remove-system-map @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. if test -x /usr/libexec/security-misc/remove-system.map ; then diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf deleted file mode 100644 index 128ab9c..0000000 --- a/etc/modprobe.d/30_security-misc.conf +++ /dev/null 
@@ -1,146 +0,0 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## See the following links for a community discussion and overview regarding the selections -## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989 -## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules - -## Disable automatic conntrack helper assignment -## https://phabricator.whonix.org/T486 -options nf_conntrack nf_conntrack_helper=0 - -## Disable bluetooth to reduce attack surface due to extended history of security vulnerabilities -## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns -install bluetooth /bin/disabled-bluetooth-by-security-misc -install btusb /bin/disabled-bluetooth-by-security-misc - -## Disable thunderbolt and firewire modules to prevent some DMA attacks -install thunderbolt /bin/disabled-thunderbolt-by-security-misc -install firewire-core /bin/disabled-firewire-by-security-misc -install firewire_core /bin/disabled-firewire-by-security-misc -install firewire-ohci /bin/disabled-firewire-by-security-misc -install firewire_ohci /bin/disabled-firewire-by-security-misc -install firewire_sbp2 /bin/disabled-firewire-by-security-misc -install firewire-sbp2 /bin/disabled-firewire-by-security-misc -install ohci1394 /bin/disabled-firewire-by-security-misc -install sbp2 /bin/disabled-firewire-by-security-misc -install dv1394 /bin/disabled-firewire-by-security-misc -install raw1394 /bin/disabled-firewire-by-security-misc -install video1394 /bin/disabled-firewire-by-security-misc - -## Disable CPU MSRs as they can be abused to write to arbitrary memory. -## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode -install msr /bin/disabled-msr-by-security-misc - -## Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties. 
-## Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these. -## > Debian ships a long list of modules for wide support of devices, filesystems, protocols. Some of these modules have a pretty bad security track record, and some of those are simply not used by most of our users. -## > Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record. -install dccp /bin/disabled-network-by-security-misc -install sctp /bin/disabled-network-by-security-misc -install rds /bin/disabled-network-by-security-misc -install tipc /bin/disabled-network-by-security-misc -install n-hdlc /bin/disabled-network-by-security-misc -install ax25 /bin/disabled-network-by-security-misc -install netrom /bin/disabled-network-by-security-misc -install x25 /bin/disabled-network-by-security-misc -install rose /bin/disabled-network-by-security-misc -install decnet /bin/disabled-network-by-security-misc -install econet /bin/disabled-network-by-security-misc -install af_802154 /bin/disabled-network-by-security-misc -install ipx /bin/disabled-network-by-security-misc -install appletalk /bin/disabled-network-by-security-misc -install psnap /bin/disabled-network-by-security-misc -install p8023 /bin/disabled-network-by-security-misc -install p8022 /bin/disabled-network-by-security-misc -install can /bin/disabled-network-by-security-misc -install atm /bin/disabled-network-by-security-misc - -## Disable uncommon file systems to reduce attack surface -## HFS and HFS+ are legacy Apple filesystems that may be required depending on the EFI parition format -install cramfs /bin/disabled-filesys-by-security-misc -install freevxfs /bin/disabled-filesys-by-security-misc -install jffs2 /bin/disabled-filesys-by-security-misc -install hfs /bin/disabled-filesys-by-security-misc -install hfsplus /bin/disabled-filesys-by-security-misc -install udf 
/bin/disabled-filesys-by-security-misc - -## Disable uncommon network file systems to reduce attack surface -install cifs /bin/disabled-netfilesys-by-security-misc -install nfs /bin/disabled-netfilesys-by-security-misc -install nfsv3 /bin/disabled-netfilesys-by-security-misc -install nfsv4 /bin/disabled-netfilesys-by-security-misc -install ksmbd /bin/disabled-netfilesys-by-security-misc -install gfs2 /bin/disabled-netfilesys-by-security-misc - -## Disables the vivid kernel module as it's only required for testing and has been the cause of multiple vulnerabilities -## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233 -## https://www.openwall.com/lists/oss-security/2019/11/02/1 -## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475 -install vivid /bin/disabled-vivid-by-security-misc - -## Disable Intel Management Engine (ME) interface with the OS -## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html -install mei /bin/disabled-intelme-by-security-misc -install mei-me /bin/disabled-intelme-by-security-misc - -## Blacklist automatic loading of the Atheros 5K RF MACs madwifi driver -## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco -blacklist ath_pci - -## Blacklist automatic loading of miscellaneous modules -## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco -blacklist evbug -blacklist usbmouse -blacklist usbkbd -blacklist eepro100 -blacklist de4x5 -blacklist eth1394 -blacklist snd_intel8x0m -blacklist snd_aw2 -blacklist prism54 -blacklist bcm43xx -blacklist garmin_gps -blacklist asus_acpi -blacklist snd_pcsp -blacklist pcspkr -blacklist amd76x_edac - -## Blacklist automatic loading of framebuffer drivers -## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco -blacklist aty128fb -blacklist atyfb -blacklist 
radeonfb -blacklist cirrusfb -blacklist cyber2000fb -blacklist cyblafb -blacklist gx1fb -blacklist hgafb -blacklist i810fb -blacklist intelfb -blacklist kyrofb -blacklist lxfb -blacklist matroxfb_bases -blacklist neofb -blacklist nvidiafb -blacklist pm2fb -blacklist rivafb -blacklist s1d13xxxfb -blacklist savagefb -blacklist sisfb -blacklist sstfb -blacklist tdfxfb -blacklist tridentfb -blacklist vesafb -blacklist vfb -blacklist viafb -blacklist vt8623fb -blacklist udlfb - -## Disable CD-ROM devices -## https://nvd.nist.gov/vuln/detail/CVE-2018-11506 -## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31 -#install cdrom /bin/disabled-cdrom-by-security-misc -#install sr_mod /bin/disabled-cdrom-by-security-misc -blacklist cdrom -blacklist sr_mod diff --git a/etc/modprobe.d/30_security-misc_blacklist.conf b/etc/modprobe.d/30_security-misc_blacklist.conf new file mode 100644 index 0000000..5ce1edc --- /dev/null +++ b/etc/modprobe.d/30_security-misc_blacklist.conf 
@@ -0,0 +1,63 @@ +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## See the following links for a community discussion and overview regarding the selections. +## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989 +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules + +## Blacklisting prevents kernel modules from automatically starting. +## Disabling prohibits kernel modules from starting. + +## CD-ROM/DVD: +## Blacklist CD-ROM and DVD modules. +## Not disabled by default due to potential future ISO plans. +## +## https://nvd.nist.gov/vuln/detail/CVE-2018-11506 +## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31 +## +blacklist cdrom +blacklist sr_mod +## +#install cdrom /usr/bin/disabled-cdrom-by-security-misc +#install sr_mod /usr/bin/disabled-cdrom-by-security-misc + +## Miscellaneous: + +## GrapheneOS: +## Partial selection of their infrastructure blacklist. +## Duplicate and already disabled modules have been omitted. +## +## https://github.com/GrapheneOS/infrastructure/blob/main/modprobe.d/local.conf +## +#blacklist cfg80211 +#blacklist intel_agp +#blacklist ip_tables +blacklist joydev +#blacklist mousedev +#blacklist psmouse +## TODO: Re-check in Debian trixie +## In GrapheneOS list, yes, "should" be out-commented here. +## But not actually out-commented. +## Breaks VirtualBox audio device ICH AC97, which is unfortunately still required by some users. +## https://www.kicksecure.com/wiki/Dev/audio +## https://github.com/Kicksecure/security-misc/issues/271 +#blacklist snd_intel8x0 +#blacklist tls +#blacklist virtio_balloon +#blacklist virtio_console + +## Ubuntu: +## Already disabled modules have been omitted. 
+## +## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco +## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco +## +blacklist amd76x_edac +blacklist ath_pci +blacklist evbug +blacklist pcspkr +blacklist snd_aw2 +blacklist snd_intel8x0m +blacklist snd_pcsp +blacklist usbkbd +blacklist usbmouse diff --git a/etc/modprobe.d/30_security-misc_conntrack.conf b/etc/modprobe.d/30_security-misc_conntrack.conf new file mode 100644 index 0000000..7f36327 --- /dev/null +++ b/etc/modprobe.d/30_security-misc_conntrack.conf @@ -0,0 +1,12 @@ +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Conntrack: +## Disable Netfilter's automatic connection tracking helper assignment. +## This functionality adds unnecessary features, such as IRC protocol parsing, into the kernel. +## Disabling it reduces the kernel attack surface and improves security. +## +## https://conntrack-tools.netfilter.org/manual.html +## https://forums.whonix.org/t/disable-conntrack-helper/18917 +## +options nf_conntrack nf_conntrack_helper=0 diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf new file mode 100644 index 0000000..79b5ed6 --- /dev/null +++ b/etc/modprobe.d/30_security-misc_disable.conf 
@@ -0,0 +1,310 @@ +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## See the following links for a community discussion and overview regarding the selections: +## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989 +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules + +## Blacklisting prevents kernel modules from automatically starting. +## Disabling prohibits kernel modules from starting. + +## This configuration file is split into 4 sections: +## 1. Hardware +## 2. File Systems +## 3. Networking +## 4. Miscellaneous + +## 1. Hardware: + +## Bluetooth: +## Disable Bluetooth to reduce the attack surface due to its long history of security vulnerabilities. +## +## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns +## +## Now replaced with a privacy- and security-preserving default Bluetooth configuration for better usability. +## https://github.com/Kicksecure/security-misc/pull/145 +## +#install bluetooth /usr/bin/disabled-bluetooth-by-security-misc +#install bluetooth_6lowpan /usr/bin/disabled-bluetooth-by-security-misc +#install bt3c_cs /usr/bin/disabled-bluetooth-by-security-misc +#install btbcm /usr/bin/disabled-bluetooth-by-security-misc +#install btintel /usr/bin/disabled-bluetooth-by-security-misc +#install btmrvl /usr/bin/disabled-bluetooth-by-security-misc +#install btmrvl_sdio /usr/bin/disabled-bluetooth-by-security-misc +#install btmtk /usr/bin/disabled-bluetooth-by-security-misc +#install btmtksdio /usr/bin/disabled-bluetooth-by-security-misc +#install btmtkuart /usr/bin/disabled-bluetooth-by-security-misc +#install btnxpuart /usr/bin/disabled-bluetooth-by-security-misc +#install btqca /usr/bin/disabled-bluetooth-by-security-misc +#install btrsi /usr/bin/disabled-bluetooth-by-security-misc +#install btrtl /usr/bin/disabled-bluetooth-by-security-misc +#install btsdio 
/usr/bin/disabled-bluetooth-by-security-misc +#install btusb /usr/bin/disabled-bluetooth-by-security-misc +#install virtio_bt /usr/bin/disabled-bluetooth-by-security-misc + +## FireWire (IEEE 1394): +## Disable IEEE 1394 (FireWire/i.LINK/Lynx) modules to prevent certain DMA attacks. +## +## https://en.wikipedia.org/wiki/IEEE_1394#Security_issues +## +install dv1394 /usr/bin/disabled-firewire-by-security-misc +install firewire-core /usr/bin/disabled-firewire-by-security-misc +install firewire-ohci /usr/bin/disabled-firewire-by-security-misc +install firewire-net /usr/bin/disabled-firewire-by-security-misc +install firewire-sbp2 /usr/bin/disabled-firewire-by-security-misc +install ohci1394 /usr/bin/disabled-firewire-by-security-misc +install raw1394 /usr/bin/disabled-firewire-by-security-misc +install sbp2 /usr/bin/disabled-firewire-by-security-misc +install video1394 /usr/bin/disabled-firewire-by-security-misc + +## Global Positioning Systems (GPS): +## Disable GPS-related modules like GNSS (Global Navigation Satellite System). +## +install garmin_gps /usr/bin/disabled-gps-by-security-misc +install gnss /usr/bin/disabled-gps-by-security-misc +install gnss-mtk /usr/bin/disabled-gps-by-security-misc +install gnss-serial /usr/bin/disabled-gps-by-security-misc +install gnss-sirf /usr/bin/disabled-gps-by-security-misc +install gnss-ubx /usr/bin/disabled-gps-by-security-misc +install gnss-usb /usr/bin/disabled-gps-by-security-misc + +## Intel Management Engine (ME): +## Partially disable the Intel ME interface with the OS. +## ME functionality has increasingly become intertwined with basic Intel system operation. +## Disabling it may lead to breakages in various components without clear debugging/error messages. +## It may affect firmware updates, security, power management, display, and DRM. 
+## +## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html +## https://en.wikipedia.org/wiki/Intel_Management_Engine#Security_vulnerabilities +## https://www.kicksecure.com/wiki/Out-of-band_Management_Technology#Intel_ME_Disabling_Disadvantages +## https://github.com/Kicksecure/security-misc/pull/236#issuecomment-2229092813 +## https://github.com/Kicksecure/security-misc/issues/239 +## +#install mei /usr/bin/disabled-intelme-by-security-misc +#install mei-gsc /usr/bin/disabled-intelme-by-security-misc +#install mei_gsc_proxy /usr/bin/disabled-intelme-by-security-misc +#install mei_hdcp /usr/bin/disabled-intelme-by-security-misc +#install mei-me /usr/bin/disabled-intelme-by-security-misc +#install mei_phy /usr/bin/disabled-intelme-by-security-misc +#install mei_pxp /usr/bin/disabled-intelme-by-security-misc +#install mei-txe /usr/bin/disabled-intelme-by-security-misc +#install mei-vsc /usr/bin/disabled-intelme-by-security-misc +#install mei-vsc-hw /usr/bin/disabled-intelme-by-security-misc +#install mei_wdt /usr/bin/disabled-intelme-by-security-misc +#install microread_mei /usr/bin/disabled-intelme-by-security-misc + +## Intel Platform Monitoring Technology (PMT) Telemetry: +## Disable certain functionalities of the Intel PMT components. +## +## https://github.com/intel/Intel-PMT +## +install pmt_class /usr/bin/disabled-intelpmt-by-security-misc +install pmt_crashlog /usr/bin/disabled-intelpmt-by-security-misc +install pmt_telemetry /usr/bin/disabled-intelpmt-by-security-misc + +## Thunderbolt: +## Disable Thunderbolt modules to prevent certain DMA attacks. +## +## https://en.wikipedia.org/wiki/Thunderbolt_(interface)#Security_vulnerabilities +## +install intel-wmi-thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc +install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc +install thunderbolt_net /usr/bin/disabled-thunderbolt-by-security-misc + +## 2. 
File Systems: + +## File Systems: +## Disable uncommon file systems to reduce attack surface. +## HFS/HFS+ are legacy Apple file systems that may be required depending on the EFI partition format. +## +install cramfs /usr/bin/disabled-filesys-by-security-misc +install freevxfs /usr/bin/disabled-filesys-by-security-misc +install hfs /usr/bin/disabled-filesys-by-security-misc +install hfsplus /usr/bin/disabled-filesys-by-security-misc +install jffs2 /usr/bin/disabled-filesys-by-security-misc +install jfs /usr/bin/disabled-filesys-by-security-misc +install reiserfs /usr/bin/disabled-filesys-by-security-misc +install udf /usr/bin/disabled-filesys-by-security-misc + +## Network File Systems: +## Disable uncommon network file systems to reduce attack surface. +## +install gfs2 /usr/bin/disabled-netfilesys-by-security-misc +install ksmbd /usr/bin/disabled-netfilesys-by-security-misc +## +## Common Internet File System (CIFS): +## +install cifs /usr/bin/disabled-netfilesys-by-security-misc +install cifs_arc4 /usr/bin/disabled-netfilesys-by-security-misc +install cifs_md4 /usr/bin/disabled-netfilesys-by-security-misc +## +## Network File System (NFS): +## +install nfs /usr/bin/disabled-netfilesys-by-security-misc +install nfs_acl /usr/bin/disabled-netfilesys-by-security-misc +install nfs_layout_nfsv41_files /usr/bin/disabled-netfilesys-by-security-misc +install nfs_layout_flexfiles /usr/bin/disabled-netfilesys-by-security-misc +install nfsd /usr/bin/disabled-netfilesys-by-security-misc +install nfsv2 /usr/bin/disabled-netfilesys-by-security-misc +install nfsv3 /usr/bin/disabled-netfilesys-by-security-misc +install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc + +## 2. Networking: + +## Network Protocols: +## Disables rare and unneeded network protocols that are a common source of unknown vulnerabilities. +## Previously had blacklisted eepro100 and eth1394. 
+## +## https://tails.boum.org/blueprint/blacklist_modules/ +## https://fedoraproject.org/wiki/Security_Features_Matrix#Blacklist_Rare_Protocols +## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-rare-network.conf?h=ubuntu/disco +## https://github.com/Kicksecure/security-misc/pull/234#issuecomment-2230732015 +## +install af_802154 /usr/bin/disabled-network-by-security-misc +install appletalk /usr/bin/disabled-network-by-security-misc +install ax25 /usr/bin/disabled-network-by-security-misc +#install brcm80211 /usr/bin/disabled-network-by-security-misc +install decnet /usr/bin/disabled-network-by-security-misc +install dccp /usr/bin/disabled-network-by-security-misc +install econet /usr/bin/disabled-network-by-security-misc +install eepro100 /usr/bin/disabled-network-by-security-misc +install eth1394 /usr/bin/disabled-network-by-security-misc +install ipx /usr/bin/disabled-network-by-security-misc +install n-hdlc /usr/bin/disabled-network-by-security-misc +install netrom /usr/bin/disabled-network-by-security-misc +install p8022 /usr/bin/disabled-network-by-security-misc +install p8023 /usr/bin/disabled-network-by-security-misc +install psnap /usr/bin/disabled-network-by-security-misc +install rose /usr/bin/disabled-network-by-security-misc +install x25 /usr/bin/disabled-network-by-security-misc +## +## Asynchronous Transfer Mode (ATM): +## +install atm /usr/bin/disabled-network-by-security-misc +install ueagle-atm /usr/bin/disabled-network-by-security-misc +install usbatm /usr/bin/disabled-network-by-security-misc +install xusbatm /usr/bin/disabled-network-by-security-misc +## +## Controller Area Network (CAN) Protocol: +## +install c_can /usr/bin/disabled-network-by-security-misc +install c_can_pci /usr/bin/disabled-network-by-security-misc +install c_can_platform /usr/bin/disabled-network-by-security-misc +install can /usr/bin/disabled-network-by-security-misc +install can-bcm /usr/bin/disabled-network-by-security-misc +install 
can-dev /usr/bin/disabled-network-by-security-misc +install can-gw /usr/bin/disabled-network-by-security-misc +install can-isotp /usr/bin/disabled-network-by-security-misc +install can-raw /usr/bin/disabled-network-by-security-misc +install can-j1939 /usr/bin/disabled-network-by-security-misc +install can327 /usr/bin/disabled-network-by-security-misc +install ifi_canfd /usr/bin/disabled-network-by-security-misc +install janz-ican3 /usr/bin/disabled-network-by-security-misc +install m_can /usr/bin/disabled-network-by-security-misc +install m_can_pci /usr/bin/disabled-network-by-security-misc +install m_can_platform /usr/bin/disabled-network-by-security-misc +install phy-can-transceiver /usr/bin/disabled-network-by-security-misc +install slcan /usr/bin/disabled-network-by-security-misc +install ucan /usr/bin/disabled-network-by-security-misc +install vxcan /usr/bin/disabled-network-by-security-misc +install vcan /usr/bin/disabled-network-by-security-misc +## +## Transparent Inter Process Communication (TIPC): +## +install tipc /usr/bin/disabled-network-by-security-misc +install tipc_diag /usr/bin/disabled-network-by-security-misc +## +## Reliable Datagram Sockets (RDS): +## +install rds /usr/bin/disabled-network-by-security-misc +install rds_rdma /usr/bin/disabled-network-by-security-misc +install rds_tcp /usr/bin/disabled-network-by-security-misc +## +## Stream Control Transmission Protocol (SCTP): +## +install sctp /usr/bin/disabled-network-by-security-misc +install sctp_diag /usr/bin/disabled-network-by-security-misc + +## 4. Miscellaneous: + +## Amateur Radios: +## +install hamradio /usr/bin/disabled-miscellaneous-by-security-misc + +## CPU Model-Specific Registers (MSRs): +## Disable CPU MSRs as they can be abused to write to arbitrary memory. 
+## +## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode +## https://github.com/Kicksecure/security-misc/issues/215 +## +#install msr /usr/bin/disabled-miscellaneous-by-security-misc + +## Floppy Disks: +## +install floppy /usr/bin/disabled-miscellaneous-by-security-misc + +## Framebuffer (fbdev): +## Video drivers are known to be buggy, cause kernel panics, and are generally only used by legacy devices. +## These were all previously blacklisted. +## +## https://docs.kernel.org/fb/index.html +## https://en.wikipedia.org/wiki/Linux_framebuffer +## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco +## +install aty128fb /usr/bin/disabled-framebuffer-by-security-misc +install atyfb /usr/bin/disabled-framebuffer-by-security-misc +install cirrusfb /usr/bin/disabled-framebuffer-by-security-misc +install cyber2000fb /usr/bin/disabled-framebuffer-by-security-misc +install cyblafb /usr/bin/disabled-framebuffer-by-security-misc +install gx1fb /usr/bin/disabled-framebuffer-by-security-misc +install hgafb /usr/bin/disabled-framebuffer-by-security-misc +install i810fb /usr/bin/disabled-framebuffer-by-security-misc +install intelfb /usr/bin/disabled-framebuffer-by-security-misc +install kyrofb /usr/bin/disabled-framebuffer-by-security-misc +install lxfb /usr/bin/disabled-framebuffer-by-security-misc +install matroxfb_base /usr/bin/disabled-framebuffer-by-security-misc +install neofb /usr/bin/disabled-framebuffer-by-security-misc +install nvidiafb /usr/bin/disabled-framebuffer-by-security-misc +install pm2fb /usr/bin/disabled-framebuffer-by-security-misc +install radeonfb /usr/bin/disabled-framebuffer-by-security-misc +install rivafb /usr/bin/disabled-framebuffer-by-security-misc +install s1d13xxxfb /usr/bin/disabled-framebuffer-by-security-misc +install savagefb /usr/bin/disabled-framebuffer-by-security-misc +install sisfb 
/usr/bin/disabled-framebuffer-by-security-misc +install sstfb /usr/bin/disabled-framebuffer-by-security-misc +install tdfxfb /usr/bin/disabled-framebuffer-by-security-misc +install tridentfb /usr/bin/disabled-framebuffer-by-security-misc +install vesafb /usr/bin/disabled-framebuffer-by-security-misc +install vfb /usr/bin/disabled-framebuffer-by-security-misc +install viafb /usr/bin/disabled-framebuffer-by-security-misc +install vt8623fb /usr/bin/disabled-framebuffer-by-security-misc +install udlfb /usr/bin/disabled-framebuffer-by-security-misc + +## Replaced Modules: +## These legacy drivers have all been entirely replaced and superseded by newer drivers. +## These were all previously blacklisted. +## +## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco +## +install asus_acpi /usr/bin/disabled-miscellaneous-by-security-misc +install bcm43xx /usr/bin/disabled-miscellaneous-by-security-misc +install de4x5 /usr/bin/disabled-miscellaneous-by-security-misc +install prism54 /usr/bin/disabled-miscellaneous-by-security-misc + +## USB Video Device Class: +## Disables the USB-based video streaming driver for devices like some webcams and digital camcorders. +## +#install uvcvideo /usr/bin/disabled-miscellaneous-by-security-misc + +## Vivid: +## Disables the vivid kernel module since it has been the cause of multiple vulnerabilities. +## +## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233 +## https://www.openwall.com/lists/oss-security/2019/11/02/1 +## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475 +## +## No longer disabled by default: +## https://forums.whonix.org/t/testing-qubes-video-companion-on-whonix/21393 +## https://github.com/Kicksecure/security-misc/issues/298 +## +#install vivid /usr/bin/disabled-miscellaneous-by-security-misc 
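Review bot: several modules that the deleted 30_security-misc.conf actively disabled (`install msr ...`, `install bluetooth ...`, `install mei ...`, `install vivid ...`) survive in this new file only as commented-out lines, and the documentation is uneven about it. Bluetooth, MEI and vivid each carry a "now replaced" or "no longer disabled by default" sentence, but the MSR block still reads "Disable CPU MSRs as they can be abused to write to arbitrary memory." directly above `#install msr /usr/bin/disabled-miscellaneous-by-security-misc` with nothing saying the entry is intentionally inactive (issue 215 is linked without a word of explanation), and `#install uvcvideo ...` has no rationale at all; add the same style of note so the weakened default reads as a decision rather than a typo. In the same vein, "Partially disable the Intel ME interface with the OS." describes an active setting while every mei* line beneath it is commented out. Smaller points on this hunk: the section headers run "1. Hardware", "2. File Systems", "2. Networking", "4. Miscellaneous", so Networking should be "3."; `install hamradio ...` needs a `modinfo hamradio` check on the target kernel, since the ham radio drivers are individually named modules and I cannot find a module by that name; and `install udf ...` hard-disables the file system used by DVD-Video and many ISO images while the companion blacklist file leaves cdrom/sr_mod loadable "due to potential future ISO plans", so the two files should agree on whether optical media is a supported use case. Finally, a one-line caveat at the top that `install` directives are honoured only by modprobe (root can still use `insmod` or `modprobe --ignore-install`, and built-in drivers are unaffected) would make clear this is auto-load attack-surface reduction, with `kernel.modules_disabled=1` or module signing needed for actual enforcement.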
diff --git a/etc/permission-hardening.d/25_default_sudo.conf b/etc/permission-hardening.d/25_default_sudo.conf deleted file mode 100644 index 67be9ac..0000000 --- a/etc/permission-hardening.d/25_default_sudo.conf +++ /dev/null @@ -1,20 +0,0 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardening.d/20_user.conf" or -## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom -## configuration. When security-misc is updated, this file may be overwritten. - -## https://forums.whonix.org/t/restrict-root-access/7658/116 -## This restricts the file permissions of the sudo executable so that a vulnerability -## in the program will not be exploitable by any users not in the "sudo" group. sudo -## is a very complex program and is setuid so vulnerabilities in it can allow privilege -## escalation, regardless of other root access restrictions. For example, the following -## buffer overflow vulnerability could have been exploited by any user on the system: -## https://www.openwall.com/lists/oss-security/2021/01/26/3 -## With this restriction, only users explicitly permitted to use sudo by being added to -## the "sudo" group could exploit such vulnerabilities. For example, this would prevent a -## compromised network-facing daemon (such as web servers, time synchronization daemons, -## etc.) running as its own user from exploiting sudo to escalate privileges. -#/usr/bin/sudo 4750 root sudo -#/bin/sudo 4750 root sudo diff --git a/etc/permission-hardening.d/25_default_whitelist_bubblewrap.conf b/etc/permission-hardening.d/25_default_whitelist_bubblewrap.conf deleted file mode 100644 index 2ffc8c2..0000000 --- a/etc/permission-hardening.d/25_default_whitelist_bubblewrap.conf +++ /dev/null 
@@ -1,9 +0,0 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardening.d/20_user.conf" or -## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom -## configuration. When security-misc is updated, this file may be overwritten. - -/usr/bin/bwrap exactwhitelist -/bin/bwrap exactwhitelist diff --git a/etc/permission-hardening.d/25_default_whitelist_chromium.conf b/etc/permission-hardening.d/25_default_whitelist_chromium.conf deleted file mode 100644 index 1bd3206..0000000 --- a/etc/permission-hardening.d/25_default_whitelist_chromium.conf +++ /dev/null @@ -1,8 +0,0 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardening.d/20_user.conf" or -## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom -## configuration. When security-misc is updated, this file may be overwritten. - -/usr/lib/chromium/chrome-sandbox exactwhitelist diff --git a/etc/permission-hardening.d/25_default_whitelist_dbus.conf b/etc/permission-hardening.d/25_default_whitelist_dbus.conf deleted file mode 100644 index e1325ff..0000000 --- a/etc/permission-hardening.d/25_default_whitelist_dbus.conf +++ /dev/null @@ -1,8 +0,0 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardening.d/20_user.conf" or -## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom -## configuration. When security-misc is updated, this file may be overwritten. - -dbus-daemon-launch-helper matchwhitelist diff --git a/etc/permission-hardening.d/25_default_whitelist_fuse.conf b/etc/permission-hardening.d/25_default_whitelist_fuse.conf deleted file mode 100644 index 1293214..0000000 --- a/etc/permission-hardening.d/25_default_whitelist_fuse.conf +++ /dev/null 
@@ -1,10 +0,0 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardening.d/20_user.conf" or -## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom -## configuration. When security-misc is updated, this file may be overwritten. - -## required for AppImages such as electrum Bitcoin wallet -## https://forums.whonix.org/t/disable-suid-binaries/7706/57 -/fusermount matchwhitelist diff --git a/etc/permission-hardening.d/25_default_whitelist_policykit.conf b/etc/permission-hardening.d/25_default_whitelist_policykit.conf deleted file mode 100644 index fb4fa86..0000000 --- a/etc/permission-hardening.d/25_default_whitelist_policykit.conf +++ /dev/null @@ -1,17 +0,0 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardening.d/20_user.conf" or -## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom -## configuration. When security-misc is updated, this file may be overwritten. - -/usr/bin/pkexec exactwhitelist -/bin/pkexec exactwhitelist -/usr/bin/pkexec.security-misc-orig exactwhitelist -/bin/pkexec.security-misc-orig exactwhitelist - -## TODO: research -## match both: -#/usr/lib/policykit-1/polkit-agent-helper-1 matchwhitelist -#/lib/policykit-1/polkit-agent-helper-1 -polkit-agent-helper-1 matchwhitelist diff --git a/etc/permission-hardening.d/25_default_whitelist_qubes.conf b/etc/permission-hardening.d/25_default_whitelist_qubes.conf deleted file mode 100644 index bb6e951..0000000 --- a/etc/permission-hardening.d/25_default_whitelist_qubes.conf +++ /dev/null 
@@ -1,13 +0,0 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardening.d/20_user.conf" or -## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom -## configuration. When security-misc is updated, this file may be overwritten. - -## TODO: research -## https://github.com/QubesOS/qubes-core-agent-linux/blob/master/qubes-rpc/qfile-unpacker.c -## match both: -#/usr/lib/qubes/qfile-unpacker whitelist -#/lib/qubes/qfile-unpacker -/qubes/qfile-unpacker matchwhitelist diff --git a/etc/permission-hardening.d/25_default_whitelist_selinux.conf b/etc/permission-hardening.d/25_default_whitelist_selinux.conf deleted file mode 100644 index f0464b9..0000000 --- a/etc/permission-hardening.d/25_default_whitelist_selinux.conf +++ /dev/null @@ -1,8 +0,0 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardening.d/20_user.conf" or -## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom -## configuration. When security-misc is updated, this file may be overwritten. - -/utempter/utempter matchwhitelist diff --git a/etc/permission-hardening.d/25_default_whitelist_spice.conf b/etc/permission-hardening.d/25_default_whitelist_spice.conf deleted file mode 100644 index 1ed1ed2..0000000 --- a/etc/permission-hardening.d/25_default_whitelist_spice.conf +++ /dev/null @@ -1,8 +0,0 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardening.d/20_user.conf" or -## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom -## configuration. When security-misc is updated, this file may be overwritten. - -/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper exactwhitelist 
diff --git a/etc/permission-hardening.d/25_default_whitelist_sudo.conf b/etc/permission-hardening.d/25_default_whitelist_sudo.conf deleted file mode 100644 index 07051dd..0000000 --- a/etc/permission-hardening.d/25_default_whitelist_sudo.conf +++ /dev/null @@ -1,9 +0,0 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardening.d/20_user.conf" or -## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom -## configuration. When security-misc is updated, this file may be overwritten. - -/usr/bin/sudo exactwhitelist -/bin/sudo exactwhitelist diff --git a/etc/permission-hardening.d/25_default_whitelist_virtualbox.conf b/etc/permission-hardening.d/25_default_whitelist_virtualbox.conf deleted file mode 100644 index fc2369e..0000000 --- a/etc/permission-hardening.d/25_default_whitelist_virtualbox.conf +++ /dev/null @@ -1,9 +0,0 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardening.d/20_user.conf" or -## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom -## configuration. When security-misc is updated, this file may be overwritten. - -## TODO: research -/usr/lib/virtualbox/ matchwhitelist diff --git a/etc/profile.d/30_security-misc.sh b/etc/profile.d/30_security-misc.sh new file mode 100755 index 0000000..8cb5673 --- /dev/null +++ b/etc/profile.d/30_security-misc.sh @@ -0,0 +1,11 @@ +#!/bin/sh + +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +if [ -z "$XDG_CONFIG_DIRS" ]; then + XDG_CONFIG_DIRS="/etc/xdg" +fi +if ! printf '%s\n' "$XDG_CONFIG_DIRS" | grep -- "/usr/share/security-misc/" >/dev/null 2>/dev/null ; then + export XDG_CONFIG_DIRS="/usr/share/security-misc/:$XDG_CONFIG_DIRS" +fi diff --git a/etc/securetty.security-misc b/etc/securetty.security-misc index ca0d81b..c98d20d 100644 
--- a/etc/securetty.security-misc +++ b/etc/securetty.security-misc @@ -1,2 +1,5 @@ +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + # /etc/securetty: list of terminals on which root is allowed to login. # See securetty(5) and login(1). diff --git a/etc/security/access-security-misc.conf b/etc/security/access-security-misc.conf index 248335c..e8bc2ab 100644 --- a/etc/security/access-security-misc.conf +++ b/etc/security/access-security-misc.conf @@ -1,8 +1,8 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## To enable root login, see: -## https://www.whonix.org/wiki/Root#Root_Login +## https://www.kicksecure.com/wiki/Root#Root_Login ## Console Lockdown ## https://forums.whonix.org/t/etc-security-hardening/8592 diff --git a/etc/security/faillock.conf.security-misc b/etc/security/faillock.conf.security-misc index bb81754..4b70cde 100644 --- a/etc/security/faillock.conf.security-misc +++ b/etc/security/faillock.conf.security-misc @@ -1,9 +1,12 @@ +## Copyright (C) 2021 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + # Configuration for locking the user after multiple failed # authentication attempts. # # The directory where the user files with the failure records are kept. # The default is /var/run/faillock. -# dir = /var/run/faillock +dir = /var/lib/security-misc/faillock # # Will log the user name into the system log if the user is not found. # Enabled if option is present. 
@@ -35,14 +38,19 @@ deny = 50 # authentication failures must happen for the user account # lock out is n seconds. # The default is 900 (15 minutes). -# fail_interval = 900 +# security-misc note: the interval should be set to infinity if possible, +# however pam_faillock arbitrarily limits this variable to a maximum of 604800 +# seconds (7 days). See +# https://github.com/linux-pam/linux-pam/blob/539816e4a0a277dbb632412be91e482fff9d9d09/modules/pam_faillock/faillock_config.h#L59 +# for details. Therefore we set this to the maximum allowable value of 7 days. +fail_interval = 604800 # # The access will be re-enabled after n seconds after the lock out. # The value 0 has the same meaning as value `never` - the access # will not be re-enabled without resetting the faillock # entries by the `faillock` command. # The default is 600 (10 minutes). -# unlock_time = 600 +unlock_time = never # # Root account can become locked as well as regular accounts. # Enabled if option is present. diff --git a/etc/security/limits.d/30_security-misc.conf b/etc/security/limits.d/30_security-misc.conf index bbbe31d..d494b14 100644 --- a/etc/security/limits.d/30_security-misc.conf +++ b/etc/security/limits.d/30_security-misc.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Disable coredumps. diff --git a/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml b/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml index fa9d01d..dd94349 100644 --- a/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml +++ b/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml @@ -1,6 +1,6 @@ - + diff --git a/etc/skel/.gnupg/gpg.conf b/etc/skel/.gnupg/gpg.conf index f8004fe..f0ed5a4 100644 --- a/etc/skel/.gnupg/gpg.conf +++ b/etc/skel/.gnupg/gpg.conf 
@@ -282,13 +282,13 @@ display-charset utf-8 ################################################################## ################################################################## -## BEGIN Some suggestions from Debian http://keyring.debian.org/creating-key.html +## BEGIN Some suggestions from Debian https://keyring.debian.org/creating-key.html personal-digest-preferences SHA512 cert-digest-algo SHA512 default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed -## END Some suggestions from Debian http://keyring.debian.org/creating-key.html +## END Some suggestions from Debian https://keyring.debian.org/creating-key.html ################################################################## ################################################################## diff --git a/etc/sudoers.d/pkexec-security-misc b/etc/sudoers.d/pkexec-security-misc deleted file mode 100644 index db5f32f..0000000 --- a/etc/sudoers.d/pkexec-security-misc +++ /dev/null @@ -1,11 +0,0 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## REVIEW: is it ok that users can find out the PATH setting of root? -#%sudo ALL=NOPASSWD: /usr/libexec/security-misc/echo-path - -## xfpm-power-backlight-helper demands environment variable PKEXEC_UID to be -## set. Would otherwise error out with the following error message: -## "This program must only be run through pkexec" -## REVIEW: Can bad things be done by spoofing PKEXEC_UID? -#Defaults:ALL env_keep += "PKEXEC_UID" diff --git a/etc/sudoers.d/security-misc b/etc/sudoers.d/security-misc index 4256683..1fa2146 100644 --- a/etc/sudoers.d/security-misc +++ b/etc/sudoers.d/security-misc 
@@ -1,6 +1,12 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. -user ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops -%sudo ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops +## Neither of these are needed. +#user ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops +#%sudo ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops +## Use a more open umask when executing commands with sudo +## Can be overridden on a per-user basis using .[z]profile if desirable +## https://www.kicksecure.com/wiki/Dev/Strong_Linux_User_Account_Isolation#umask_hardening +Defaults umask_override +Defaults umask=0022 diff --git a/etc/sudoers.d/xfce-security-misc b/etc/sudoers.d/xfce-security-misc deleted file mode 100644 index be92ce9..0000000 --- a/etc/sudoers.d/xfce-security-misc +++ /dev/null 
@@ -1,19 +0,0 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## https://forums.whonix.org/t/xfce4-power-manager-xfpm-power-backlight-helper-pkexec-lxsudo-popup/8764 -## /usr/share/polkit-1/actions/org.xfce.power.policy - -## Feel free to out comment this if you are not using xfce4-power-manager or Xfce. - -#%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness [[\:digit\:]] -#%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness [[\:digit\:]][[\:digit\:]] -#%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness [[\:digit\:]][[\:digit\:]][[\:digit\:]] - -#%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness-switch [[\:digit\:]] -#%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness-switch [[\:digit\:]][[\:digit\:]] -#%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness-switch [[\:digit\:]][[\:digit\:]][[\:digit\:]] - -## XXX: Should we allow this? -#%sudo ALL=NOPASSWD: /usr/sbin/xfce4-pm-helper --suspend -#%sudo ALL=NOPASSWD: /usr/sbin/xfce4-pm-helper --hibernate diff --git a/etc/sysctl.d/30_security-misc.conf b/etc/sysctl.d/30_security-misc.conf deleted file mode 100644 index 1fcb0ea..0000000 --- a/etc/sysctl.d/30_security-misc.conf +++ /dev/null 
@@ -1,158 +0,0 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Disables coredumps. This setting may be overwritten by systemd so this may not be useful. -## security-misc also disables coredumps in other ways. -kernel.core_pattern=|/bin/false - -## Restricts the kernel log to root only. -kernel.dmesg_restrict=1 - -## Don't allow writes to files that we don't own -## in world writable sticky directories, unless -## they are owned by the owner of the directory. -fs.protected_fifos=2 -fs.protected_regular=2 - -## Only allow symlinks to be followed when outside of -## a world-writable sticky directory, or when the owner -## of the symlink and follower match, or when the directory -## owner matches the symlink's owner. -## -## Prevent hardlinks from being created by users that do not -## have read/write access to the source file. -## -## These prevent many TOCTOU races. -fs.protected_symlinks=1 -fs.protected_hardlinks=1 - -## Hardens the BPF JIT compiler and restricts it to root. -kernel.unprivileged_bpf_disabled=1 -net.core.bpf_jit_harden=2 - -## Hides kernel addresses in various files in /proc. -## Kernel addresses can be very useful in certain exploits. -## -## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak -kernel.kptr_restrict=2 - -## Improves ASLR effectiveness for mmap. -## Both explicit sysctl are made redundant due to automation -## https://forums.whonix.org/t/automate-mmap-randomisation-to-fix-ppc64el/16514 -## Do NOT enable either - displaying only for clarity -## -#vm.mmap_rnd_bits=32 -#vm.mmap_rnd_compat_bits=16 - -## Restricts the use of ptrace to root. This might break some programs running under WINE. -## A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. 
This can be done by running: -## -## sudo apt-get install libcap2-bin -## sudo setcap cap_sys_ptrace=eip /usr/bin/wineserver -## sudo setcap cap_sys_ptrace=eip /usr/bin/wine-preloader -kernel.yama.ptrace_scope=2 - -## Prevent setuid processes from creating coredumps. -fs.suid_dumpable=0 - -## Randomize the addresses for mmap base, heap, stack, and VDSO pages -kernel.randomize_va_space=2 - -#### meta start -#### project Kicksecure -#### category networking and security -#### description -## TCP/IP stack hardening - -## Protects against time-wait assassination. -## It drops RST packets for sockets in the time-wait state. -net.ipv4.tcp_rfc1337=1 - -## Disables ICMP redirect acceptance. -net.ipv4.conf.all.accept_redirects=0 -net.ipv4.conf.default.accept_redirects=0 -net.ipv4.conf.all.secure_redirects=0 -net.ipv4.conf.default.secure_redirects=0 -net.ipv6.conf.all.accept_redirects=0 -net.ipv6.conf.default.accept_redirects=0 - -## Disables ICMP redirect sending. -net.ipv4.conf.all.send_redirects=0 -net.ipv4.conf.default.send_redirects=0 - -## Ignores ICMP requests. -net.ipv4.icmp_echo_ignore_all=1 -net.ipv6.icmp.echo_ignore_all=1 - -## Ignores bogus ICMP error responses -net.ipv4.icmp_ignore_bogus_error_responses=1 - -## Enables TCP syncookies. -net.ipv4.tcp_syncookies=1 - -## Disable source routing. -net.ipv4.conf.all.accept_source_route=0 -net.ipv4.conf.default.accept_source_route=0 -net.ipv6.conf.all.accept_source_route=0 -net.ipv6.conf.default.accept_source_route=0 - -## Enable reverse path filtering to prevent IP spoofing and -## mitigate vulnerabilities such as CVE-2019-14899. -## https://forums.whonix.org/t/enable-reverse-path-filtering/8594 -net.ipv4.conf.default.rp_filter=1 -net.ipv4.conf.all.rp_filter=1 - -#### meta end - - -## Previously disabled SACK, DSACK, and FACK. 
-## https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109 -#net.ipv4.tcp_sack=0 -#net.ipv4.tcp_dsack=0 -#net.ipv4.tcp_fack=0 - - -#### meta start -#### project Kicksecure -#### category networking and security -#### description -## disable IPv4 TCP Timestamps - -net.ipv4.tcp_timestamps=0 - -#### meta end - - -## Only allow the SysRq key to be used for shutdowns and the -## Secure Attention Key (SAK). -## -## https://forums.whonix.org/t/sysrq-magic-sysrq-key/8079/ -kernel.sysrq=132 - -## Restrict loading TTY line disciplines to CAP_SYS_MODULE to prevent -## unprivileged attackers from loading vulnerable line disciplines -## with the TIOCSETD ioctl which has been used in exploits before -## such as https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html -## -## https://lkml.org/lkml/2019/4/15/890 -dev.tty.ldisc_autoload=0 - -## Restrict the userfaultfd() syscall to root as it can make heap sprays -## easier. -## -## https://duasynt.com/blog/linux-kernel-heap-spray -vm.unprivileged_userfaultfd=0 - -## Let the kernel only swap if it is absolutely necessary. -## Better not be set to zero: -## - https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Performance_Tuning_Guide/s-memory-tunables.html -## - https://en.wikipedia.org/wiki/Swappiness -vm.swappiness=1 - -## Disallow kernel profiling by users without CAP_SYS_ADMIN -## https://www.kernel.org/doc/Documentation/sysctl/kernel.txt -kernel.perf_event_paranoid=3 - -# Do not accept router advertisments -net.ipv6.conf.all.accept_ra=0 -net.ipv6.conf.default.accept_ra=0 diff --git a/etc/sysctl.d/30_security-misc_kexec-disable.conf b/etc/sysctl.d/30_security-misc_kexec-disable.conf deleted file mode 100644 index 5cca304..0000000 --- a/etc/sysctl.d/30_security-misc_kexec-disable.conf +++ /dev/null 
@@ -1,16 +0,0 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Quote https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html -## -## kexec_load_disabled: -## -## A toggle indicating if the kexec_load syscall has been disabled. This value defaults to 0 (false: kexec_load enabled), but can be set to 1 (true: kexec_load disabled). Once true, kexec can no longer be used, and the toggle cannot be set back to false. This allows a kexec image to be loaded before disabling the syscall, allowing a system to set up (and later use) an image without it being altered. Generally used together with the "modules_disabled" sysctl. -## Disables kexec which can be used to replace the running kernel. -kernel.kexec_load_disabled=1 - -## Why is this in a dedicated config file? -## Package ram-wipe requires kexec. However, ram-wipe could not ship a config -## file /etc/sysctl.d/40_ram-wipe.conf which sets 'kernel.kexec_load_disabled=0'. -## This is because once systemd-sysctl.service has set 'kernel.kexec_load_disabled=1' -## it cannot be undone without reboot. This is a upstream Linux security feature. diff --git a/etc/sysctl.d/30_silent-kernel-printk.conf b/etc/sysctl.d/30_silent-kernel-printk.conf deleted file mode 100644 index e99f0b5..0000000 --- a/etc/sysctl.d/30_silent-kernel-printk.conf +++ /dev/null @@ -1,14 +0,0 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Prevent kernel info leaks in console during boot. -## https://phabricator.whonix.org/T950 -kernel.printk = 3 3 3 3 - -## NOTE: -## For higher verbosity, the user might also want to delete file -## /etc/default/grub.d/41_quiet.cfg -## (or out-comment its settings). -## -## Alternatively, the user could consider to install the debug-misc package, -## which will undo the settings found here. 
diff --git a/etc/systemd/system/emergency.service.d/override.conf b/etc/systemd/system/emergency.service.d/override.conf index b24186a..42fefd4 100644 --- a/etc/systemd/system/emergency.service.d/override.conf +++ b/etc/systemd/system/emergency.service.d/override.conf @@ -1,3 +1,6 @@ +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + ## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211 ## https://salsa.debian.org/ah/user-setup/commit/bc5ca2de85ec27845d0b46059cb7cc02bae7b44d diff --git a/etc/systemd/system/rescue.service.d/override.conf b/etc/systemd/system/rescue.service.d/override.conf index b24186a..42fefd4 100644 --- a/etc/systemd/system/rescue.service.d/override.conf +++ b/etc/systemd/system/rescue.service.d/override.conf @@ -1,3 +1,6 @@ +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + ## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211 ## https://salsa.debian.org/ah/user-setup/commit/bc5ca2de85ec27845d0b46059cb7cc02bae7b44d diff --git a/etc/thunderbird/pref/40_security-mic.js b/etc/thunderbird/pref/40_security-mic.js deleted file mode 100644 index 5d849ea..0000000 --- a/etc/thunderbird/pref/40_security-mic.js +++ /dev/null @@ -1,11 +0,0 @@ -//#### Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP -//#### See the file COPYING for copying conditions. - -//#### meta start -//#### project Whonix and Kicksecure -//#### category security and apps -//#### description https://forums.whonix.org/t/enable-network-idn-show-punycode-by-default-in-thunderbird-to-fix-url-not-showing-real-domain-name-homograph-attack-punycode/8415 -//#### meta end - -// https://forums.whonix.org/t/enable-network-idn-show-punycode-by-default-in-thunderbird-to-fix-url-not-showing-real-domain-name-homograph-attack-punycode/8415 -pref("network.IDN_show_punycode", true); 
diff --git a/etc/thunderbird/pref/40_security-misc.js b/etc/thunderbird/pref/40_security-misc.js new file mode 100644 index 0000000..931f9d2 --- /dev/null +++ b/etc/thunderbird/pref/40_security-misc.js 
@@ -0,0 +1,59 @@ +//#### Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +//#### See the file COPYING for copying conditions. + +//#### meta start +//#### project Whonix and Kicksecure +//#### category security and apps +//#### description https://forums.whonix.org/t/enable-network-idn-show-punycode-by-default-in-thunderbird-to-fix-url-not-showing-real-domain-name-homograph-attack-punycode/8415 +//#### meta end + +// https://forums.whonix.org/t/enable-network-idn-show-punycode-by-default-in-thunderbird-to-fix-url-not-showing-real-domain-name-homograph-attack-punycode/8415 +pref("network.IDN_show_punycode", true); + +// Disable all and any kind of telemetry by default +pref("toolkit.telemetry.enabled", false); +pref("toolkit.telemetry.unified", false); +pref("toolkit.telemetry.shutdownPingSender.enabled", false); +pref("toolkit.telemetry.updatePing.enabled", false); +pref("toolkit.telemetry.archive.enabled", false); +pref("toolkit.telemetry.bhrPing.enabled", false); +pref("toolkit.telemetry.firstShutdownPing.enabled", false); +pref("toolkit.telemetry.newProfilePing.enabled", false); +pref("toolkit.telemetry.server", ""); // Defense in depth +pref("toolkit.telemetry.server_owner", ""); // Defense in depth +pref("datareporting.healthreport.uploadEnabled", false); +pref("datareporting.policy.dataSubmissionEnabled", false); +pref("toolkit.telemetry.coverage.opt-out", true); // from Firefox +pref("toolkit.coverage.opt-out", true); // from Firefox + +// Disable implicit outbound traffic +pref("network.connectivity-service.enabled", false); +pref("network.prefetch-next", false); +pref("network.dns.disablePrefetch", true); +pref("network.predictor.enabled", false); + +// No need to explain the problems with javascript +// If you want javascript, use your browser +// Thunderbird needs no javascript +// pref("javascript.enabled", false); // Will break setting up services that require redirecting to their javascripted webpage for login, like gmail etc. 
So commented out for now. + +// Disable scripting when viewing pdf files +user_pref("pdfjs.enableScripting", false); + +// If you want cookies, use your browser +pref("network.cookie.cookieBehavior", 2); + +// Do not send user agent information +// For email clients, this is more like a relic of the past +// Completely not necessary and just exposes a lot of information about the client +// Since v115.0 Thunderbird already minimizes the user agent +// But we want it gone for good for no information leak at all +// https://hg.mozilla.org/comm-central/rev/cbbbc8d93cd7 +pref("mailnews.headers.sendUserAgent", false); + +// Normally we send emails after marking them with a time stamp +// That includes our local time zone +// This option makes our local time zone appear as UTC +// And rounds the time stamp to the closes minute +// https://hg.mozilla.org/comm-central/rev/98aa0bf2e719 +pref("mail.sanitize_date_header", true); diff --git a/lib/systemd/coredump.conf.d/30_security-misc.conf b/lib/systemd/coredump.conf.d/30_security-misc.conf deleted file mode 100644 index 519f838..0000000 --- a/lib/systemd/coredump.conf.d/30_security-misc.conf +++ /dev/null @@ -1,2 +0,0 @@ -[Coredump] -Storage=none diff --git a/lib/systemd/system/permission-hardening.service b/lib/systemd/system/permission-hardening.service deleted file mode 100644 index 4987d02..0000000 --- a/lib/systemd/system/permission-hardening.service +++ /dev/null @@ -1,20 +0,0 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -[Unit] -Description=SUID, SGID, Capability and File Permission Hardening -Documentation=https://github.com/Whonix/security-misc - -DefaultDependencies=no -Before=sysinit.target -Requires=local-fs.target -After=local-fs.target - -[Service] -Type=oneshot -RemainAfterExit=yes -ExecStart=/usr/libexec/security-misc/permission-hardening -RemainAfterExit=yes - -[Install] -WantedBy=sysinit.target 
diff --git a/lib/systemd/system/remount-secure.service b/lib/systemd/system/remount-secure.service deleted file mode 100644 index 2e08b65..0000000 --- a/lib/systemd/system/remount-secure.service +++ /dev/null @@ -1,22 +0,0 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -[Unit] -Description=remount /home /tmp /dev/shm /run with nosuid,nodev (default) and noexec (opt-in) -Documentation=https://github.com/Whonix/security-misc - -DefaultDependencies=no -Before=sysinit.target -Requires=local-fs.target -After=local-fs.target - -After=qubes-sysinit.service - -[Service] -Type=oneshot -RemainAfterExit=yes -ExecStart=/usr/libexec/security-misc/remount-secure -RemainAfterExit=yes - -[Install] -WantedBy=sysinit.target diff --git a/lib/systemd/system/user@.service.d/sysfs.conf b/lib/systemd/system/user@.service.d/sysfs.conf deleted file mode 100644 index e0cf3a7..0000000 --- a/lib/systemd/system/user@.service.d/sysfs.conf +++ /dev/null @@ -1,2 +0,0 @@ -[Service] -SupplementaryGroups=sysfs diff --git a/rpm_spec/security-misc.spec.in b/rpm_spec/security-misc.spec.in index bdc4e61..b42625e 100644 --- a/rpm_spec/security-misc.spec.in +++ b/rpm_spec/security-misc.spec.in @@ -3,8 +3,8 @@ Version: @VERSION@ Release: 1%{?dist} Summary: enhances misc security settings -License: GPL-3+-with-additional-terms-1 -URL: https://github.com/Whonix/security-misc +License: AGPL-3+ +URL: https://github.com/Kicksecure/security-misc Source0: %{name}-%{version}.tar.xz BuildRequires: dpkg-dev 
@@ -13,50 +13,7 @@ Requires: make BuildArch: noarch %description -The following settings are changed: - -deactivates previews in Dolphin; -deactivates previews in Nautilus; -deactivates thumbnails in Thunar; -deactivates TCP timestamps; -deactivates Netfilter's connection tracking helper; - -TCP time stamps (RFC 1323) allow for tracking clock -information with millisecond resolution. This may or may not allow an -attacker to learn information about the system clock at such -a resolution, depending on various issues such as network lag. -This information is available to anyone who monitors the network -somewhere between the attacked system and the destination server. -It may allow an attacker to find out how long a given -system has been running, and to distinguish several -systems running behind NAT and using the same IP address. It might -also allow one to look for clocks that match an expected value to find the -public IP used by a user. - -Hence, this package disables this feature by shipping the -/etc/sysctl.d/tcp_timestamps.conf configuration file. - -Note that TCP time stamps normally have some usefulness. They are -needed for: - -* the TCP protection against wrapped sequence numbers; however, to - trigger a wrap, one needs to send roughly 2^32 packets in one - minute: as said in RFC 1700, "The current recommended default - time to live (TTL) for the Internet Protocol (IP) [45,105] is 64". - So, this probably won't be a practical problem in the context - of Anonymity Distributions. - -* "Round-Trip Time Measurement", which is only useful when the user - manages to saturate their connection. When using Anonymity Distributions, - probably the limiting factor for transmission speed is rarely the capacity - of the user connection. - -Netfilter's connection tracking helper module increases kernel attack -surface by enabling superfluous functionality such as IRC parsing in -the kernel. (!) 
- -Hence, this package disables this feature by shipping the -/etc/sysctl.d/nf_conntrack_helper.conf configuration file. +See README. %prep %setup -q @@ -72,47 +29,9 @@ make %{?_smp_mflags} %files %license debian/copyright -/etc/X11/Xsession.d/50panic_on_oops -/etc/X11/Xsession.d/50security-misc -/etc/apparmor.d/tunables/home.d/security-misc -/etc/apt/apt.conf.d/40sandbox -/etc/default/grub.d/40_enable_iommu.cfg -/etc/default/grub.d/40_kernel_hardening.cfg -/etc/login.defs.security-misc -/etc/modprobe.d/30_nf_conntrack_helper_disable.conf -/etc/modprobe.d/blacklist-dma.conf -/etc/modprobe.d/uncommon-network-protocols.conf -/etc/securetty.security-misc -/etc/security/limits.d/disable-coredumps.conf -/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml -/etc/sudoers.d/security-misc -/etc/sysctl.d/coredumps.conf -/etc/sysctl.d/dmesg_restrict.conf -/etc/sysctl.d/fs_protected.conf -/etc/sysctl.d/harden_bpf.conf -/etc/sysctl.d/kexec.conf -/etc/sysctl.d/kptr_restrict.conf -/etc/sysctl.d/mmap_aslr.conf -/etc/sysctl.d/ptrace_scope.conf -/etc/sysctl.d/suid_dumpable.conf -/etc/sysctl.d/sysrq.conf -/etc/sysctl.d/tcp_hardening.conf -/etc/sysctl.d/tcp_sack.conf -/etc/sysctl.d/tcp_timestamps.conf -/etc/systemd/system/emergency.service.d/override.conf -/etc/systemd/system/rescue.service.d/override.conf -/lib/systemd/coredump.conf.d/disable-coredumps.conf -/lib/systemd/system/proc-hidepid.service -/lib/systemd/system/remove-system-map.service -/usr/libexec/security-misc/apt-get-update -/usr/libexec/security-misc/apt-get-update-sanity-test -/usr/libexec/security-misc/panic-on-oops -/usr/libexec/security-misc/remove-system.map -/usr/share/glib-2.0/schemas/30_security-misc.gschema.override -/usr/share/lintian/overrides/security-misc -/usr/share/pam-configs/usergroups -/usr/share/pam-configs/wheel -/usr/share/security-misc/dolphinrc +/etc/* +/lib/* +/usr/* %changelog @CHANGELOG@ 
diff --git a/usr/bin/disabled-bluetooth-by-security-misc b/usr/bin/disabled-bluetooth-by-security-misc new file mode 100755 index 0000000..0a4c308 --- /dev/null +++ b/usr/bin/disabled-bluetooth-by-security-misc @@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. + +echo "$0: ALERT: This Bluetooth kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 + +exit 1 diff --git a/usr/bin/disabled-cdrom-by-security-misc b/usr/bin/disabled-cdrom-by-security-misc new file mode 100755 index 0000000..f017e76 --- /dev/null +++ b/usr/bin/disabled-cdrom-by-security-misc @@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. + +echo "$0: ALERT: This CD-ROM/DVD kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 + +exit 1 diff --git a/usr/bin/disabled-filesys-by-security-misc b/usr/bin/disabled-filesys-by-security-misc new file mode 100755 index 0000000..f0cf9b4 --- /dev/null +++ b/usr/bin/disabled-filesys-by-security-misc @@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. + +echo "$0: ALERT: This file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 + +exit 1 
diff --git a/usr/bin/disabled-firewire-by-security-misc b/usr/bin/disabled-firewire-by-security-misc new file mode 100755 index 0000000..c0d035a --- /dev/null +++ b/usr/bin/disabled-firewire-by-security-misc @@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. + +echo "$0: ALERT: This FireWire (IEEE 1394) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 + +exit 1 diff --git a/usr/bin/disabled-framebuffer-by-security-misc b/usr/bin/disabled-framebuffer-by-security-misc new file mode 100755 index 0000000..c287c21 --- /dev/null +++ b/usr/bin/disabled-framebuffer-by-security-misc @@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2024 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. + +echo "$0: ALERT: This framebuffer (fbdev) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 + +exit 1 diff --git a/usr/bin/disabled-gps-by-security-misc b/usr/bin/disabled-gps-by-security-misc new file mode 100755 index 0000000..149249a --- /dev/null +++ b/usr/bin/disabled-gps-by-security-misc @@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. + +echo "$0: ALERT: This Global Positioning System (GPS) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 + +exit 1 
diff --git a/usr/bin/disabled-intelme-by-security-misc b/usr/bin/disabled-intelme-by-security-misc new file mode 100755 index 0000000..094fa29 --- /dev/null +++ b/usr/bin/disabled-intelme-by-security-misc @@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. + +echo "$0: ALERT: This Intel Management Engine (ME) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 + +exit 1 diff --git a/usr/bin/disabled-intelpmt-by-security-misc b/usr/bin/disabled-intelpmt-by-security-misc new file mode 100755 index 0000000..45a7aa4 --- /dev/null +++ b/usr/bin/disabled-intelpmt-by-security-misc @@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2024 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. + +echo "$0: ALERT: This Intel Platform Monitoring Technology (PMT) Telemetry kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 + +exit 1 diff --git a/usr/bin/disabled-miscellaneous-by-security-misc b/usr/bin/disabled-miscellaneous-by-security-misc new file mode 100755 index 0000000..5848c6e --- /dev/null +++ b/usr/bin/disabled-miscellaneous-by-security-misc 
@@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. + +echo "$0: ALERT: This kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 + +exit 1 diff --git a/usr/bin/disabled-netfilesys-by-security-misc b/usr/bin/disabled-netfilesys-by-security-misc new file mode 100755 index 0000000..ed4e792 --- /dev/null +++ b/usr/bin/disabled-netfilesys-by-security-misc @@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. + +echo "$0: ALERT: This network file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 + +exit 1 diff --git a/usr/bin/disabled-network-by-security-misc b/usr/bin/disabled-network-by-security-misc new file mode 100755 index 0000000..f8c3129 --- /dev/null +++ b/usr/bin/disabled-network-by-security-misc @@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. + +echo "$0: ALERT: This network protocol kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 + +exit 1 diff --git a/usr/bin/disabled-thunderbolt-by-security-misc b/usr/bin/disabled-thunderbolt-by-security-misc new file mode 100755 index 0000000..c6d1d71 --- /dev/null +++ b/usr/bin/disabled-thunderbolt-by-security-misc 
@@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. + +echo "$0: ALERT: This Thunderbolt kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 + +exit 1 diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener new file mode 100755 index 0000000..2d9a729 --- /dev/null +++ b/usr/bin/permission-hardener 
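Review bot: in all six disabled-*-by-security-misc scripts the alert line embeds `$@` inside a double-quoted string (`| args: $@" >&2`), which ShellCheck flags as SC2145 (array mixed into a string); use `$*` there so the arguments are joined as one word regardless of how many were passed. Since modprobe is usually invoked by the kernel rather than from a terminal, a message written only to stderr is easily lost; consider also logging the same text with `logger` so an attempt to load a module that security-misc disables is recorded in the journal, where it can be audited later.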
@@ -0,0 +1,993 @@ +#!/bin/bash +# shellcheck disable=SC2076 + +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## https://forums.whonix.org/t/disable-suid-binaries/7706 +## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707 + +## dpkg-statoverride does not support end-of-options ("--"). + +## SC2076 is disabled because ShellCheck seems to think that any use of +## [[ ... =~ ... ]] is supposed to be a regex match. But [[ '...' =~ '...' ]] +## works very well for literal matching, and it is used that way extensively +## throughout this script. + +set -o errexit -o nounset -o pipefail + +## Constants +# shellcheck disable=SC2034 +log_level=notice +store_dir="/var/lib/permission-hardener-v2" +state_file="${store_dir}/existing_mode/statoverride" +dpkg_admindir_parameter_existing_mode="--admindir ${store_dir}/existing_mode" +dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode" +delimiter="#permission-hardener-delimiter#" + +## Library imports +# shellcheck disable=SC1091 +source /usr/libexec/helper-scripts/safe_echo.sh +# shellcheck disable=SC1091 +source /usr/libexec/helper-scripts/log_run_die.sh + +## Functions +echo_wrapper_ignore() { + if [ "${1}" = 'verbose' ]; then + shift + log notice "Executing: $*" + elif [ "${1}" = 'silent' ]; then + shift + else + log error "Unrecognized command '${1}'! calling function name: '${FUNCNAME[1]}'" >&2 + return + fi + "$@" 2>/dev/null || true +} + +echo_wrapper_audit() { + local return_code + if [ "${1}" = 'verbose' ]; then + shift + log notice "Executing: $*" + elif [ "${1}" = 'silent' ]; then + shift + else + log error "Unrecognized command '${1}'! calling function name: '${FUNCNAME[1]}'" >&2 + return + fi + return_code=0 + "$@" || + { + return_code="$?" + exit_code=203 + log error "Command '$*' failed with exit code '${return_code}'! 
calling function name: '${FUNCNAME[1]}'" >&2 + } +} + +## Some tools may fail on newlines and even variable assignment to array may +## fail if a variable that will be assigned to an array element contains +## characters that are used as delimiters. +block_newlines() { + local newline_variable newline_value + newline_variable="${1:-}" + newline_value="${2:-}" + ## dpkg-statoverride: error: path may not contain newlines + if [[ "${newline_value}" != "${newline_value//$'\n'/NEWLINE}" ]]; then + log warn "Skipping ${newline_variable} that contains newlines: '${newline_value}'" >&2 + return 1 + fi +} + +output_stat() { + local file_name stat_output stat_output_newlined hardlink_count + declare -a arr + file_name="${1:-}" + + if [ -z "${file_name}" ]; then + log error "File name is empty. file_name: '${file_name}'" >&2 + return 1 + fi + + block_newlines file "${file_name}" + + if [ ! -e "${file_name}" ]; then + log info "File does not exist. file_name: '${file_name}'" >&2 + existing_mode='' + existing_owner='' + existing_group='' + file_name_from_stat='' + return 0 + fi + + if ! stat_output="$(stat -L \ + --format="%a${delimiter}%U${delimiter}%G${delimiter}%n${delimiter}%h${delimiter}" \ + -- "${file_name}")"; then + log error "Failed to run 'stat' on file: '${file_name}'!" >&2 + return 1 + fi + + if [ -z "$stat_output" ]; then + log error "stat_output is empty. +File name: '${file_name}' +Stat output: '${stat_output}' +stat_output_newlined: '${stat_output_newlined}' +line: '${processed_config_line}' +" >&2 + return 1 + fi + + stat_output_newlined="$(printf '%s\n' "${stat_output//${delimiter}/$'\n'}")" + + if [ -z "${stat_output_newlined}" ]; then + log error "stat_output_newlined is empty. +File name: '${file_name}' +Stat output: '${stat_output}' +stat_output_newlined: '${stat_output_newlined}' +line: '${processed_config_line}' +" >&2 + return 1 + fi + + readarray -t arr <<< "${stat_output_newlined}" + + if [ "${#arr[@]}" = '0' ]; then + log error "Array length is 0. 
+File name: '${file_name}' +Stat output: '${stat_output}' +stat_output_newlined: '${stat_output_newlined}' +line: '${processed_config_line}' +" >&2 + return 1 + fi + + existing_mode="${arr[0]}" + existing_owner="${arr[1]}" + existing_group="${arr[2]}" + file_name_from_stat="${arr[3]}" + hardlink_count="${arr[4]}" + + if [ "$file_name" != "$file_name_from_stat" ]; then + log error "\ +File name is different from file name received from stat: +File name: '${file_name}' +File name from stat: '${file_name_from_stat}' +line: '${processed_config_line}' +" >&2 + return 1 + fi + + ## We can't handle files with hardlinks because figuring out all of the files + ## in a "hardlink pool" requires scanning the whole filesystem, which would + ## result in an unacceptable performance hit for this script. We don't check + ## directory hardlinks since directories can't have traditional hardlinks. + if [ ! -d "${file_name_from_stat}" ]; then + if (( hardlink_count > 1 )); then + log error "\ +File has unexpected hardlinks, cannot handle. +File name: '${file_name}' +File name from stat: '${file_name_from_stat}' +line: '${processed_config_line}' +" >&2 + return 1 + fi + fi + + if [ -z "${existing_mode}" ]; then + log error "Existing mode is empty. Stat output: '${stat_output}', line: '${processed_config_line}'" >&2 + return 1 + fi + if [ -z "${existing_owner}" ]; then + log error "Existing owner is empty. Stat output: '${stat_output}', line: '${processed_config_line}'" >&2 + return 1 + fi + if [ -z "${existing_group}" ]; then + log error "Existing group is empty. 
Stat output: '${stat_output}', line: '${processed_config_line}'" >&2 + return 1 + fi + + ## If a symlink was passed as input, return the original file's path rather + ## than the symlink to avoid problems stemming from using the wrong path + if [ -h "${file_name_from_stat}" ]; then + file_name_from_stat="$(realpath "${file_name_from_stat}")" + fi +} + +print_usage(){ + safe_echo "Usage: ${0##*/} enable + ${0##*/} disable [FILE|all] + ${0##*/} print-policy + ${0##*/} print-state + ${0##*/} print-policy-applied-state + ${0##*/} print-diagnostics + +Examples: + ${0##*/} enable + ${0##*/} disable all + ${0##*/} disable /usr/bin/newgrp" >&2 +} + +add_to_policy() { + local file_name file_mode file_owner file_group updated_entry policy_idx \ + file_capabilities + file_name="${1:-}" + file_mode="${2:-}" + file_owner="${3:-}" + file_group="${4:-}" + file_capabilities="${5:-}" + updated_entry=false + + if [ -h "${file_name}" ]; then + file_name="$(realpath "${file_name}")" || return 1 + fi + + for (( policy_idx=0; policy_idx < ${#policy_file_list[@]}; policy_idx++ )); do + if [ "${policy_file_list[policy_idx]}" = "${file_name}" ]; then + policy_mode_list[policy_idx]="${file_mode}" + policy_user_owner_list[policy_idx]="${file_owner}" + policy_group_owner_list[policy_idx]="${file_group}" + policy_capability_list[policy_idx]="${file_capabilities}" + updated_entry=true + break + fi + done + + if [ "${updated_entry}" != 'true' ]; then + policy_file_list+=( "${file_name}" ) + policy_mode_list+=( "${file_mode}" ) + policy_user_owner_list+=( "${file_owner}" ) + policy_group_owner_list+=( "${file_group}" ) + policy_capability_list+=( "${file_capabilities}" ) + fi +} + +check_nosuid_whitelist() { + local target_file match_white_list_entry + + target_file="${1:-}" + + ## Handle whitelists, if we're supposed to + [ "${whitelists_disable_all}" = 'true' ] && return 0 + + ## literal matching is intentional here + [[ " ${policy_disable_white_list[*]} " =~ " ${target_file} " ]] && return 0 + 
+ ## literal matching is intentional here too + [[ " ${policy_exact_white_list[*]} " =~ " ${target_file} " ]] && return 1 + + for match_white_list_entry in "${policy_match_white_list[@]:-}"; do + if [[ "${target_file}" == *"${match_white_list_entry}"* ]]; then + return 1 + fi + done + + return 0 +} + +load_early_nosuid_policy() { + local target_file find_list_item + + target_file="${1:-}" + + # shellcheck disable=SC2185 + while IFS="" read -r -d "" find_list_item; do + check_nosuid_whitelist "${find_list_item}" || continue + + ## sets: + ## exiting_mode + ## existing_owner + ## existing_group + output_stat "${find_list_item}" + if [ -z "${file_name_from_stat}" ]; then + continue + fi + + ## -h file True if file is a symbolic link. + if [ -h "${find_list_item}" ]; then + ## https://forums.whonix.org/t/disable-suid-binaries/7706/14 + log info "Skip symlink: '${find_list_item}'" + continue + fi + + if [ -d "${find_list_item}" ]; then + log info "Skip directory: '${find_list_item}'" + continue + fi + + ## Remove suid / gid and execute permission for 'group' and 'others'. + ## Similar to: chmod og-ugx /path/to/filename + ## Removing execution permission is useful to make binaries such as 'su' + ## fail closed rather than fail open if suid was removed from these. + ## Do not remove read access since no security benefit and easier to + ## manually undo for users. + ## Are there suid or sgid binaries which are still useful if suid / sgid + ## has been removed from these? + local new_mode + new_mode='744' + + add_to_policy "${file_name_from_stat}" "${new_mode}" "${existing_owner}" \ + "${existing_group}" + done < <(safe_echo_nonewline "${target_file}" \ + | find -files0-from - -perm /u=s,g=s -print0) +} + +## If the "target file" matches the start of the state file name, that's a +## likely match. This is used by load_late_nosuid_policy for detecting info +## about files that need SUID-locked that are in the state. 
+match_dir() { + local base_str match_str base_arr match_arr base_idx + + base_str="${1}" + match_str="${2}" + [[ "${base_str}" =~ '//' ]] && return 1 + [[ "${match_str}" =~ '//' ]] && return 1 + + IFS='/' read -r -a base_arr <<< "${base_str}" + IFS='/' read -r -a match_arr <<< "${match_str}" + (( ${#base_arr[@]} > ${#match_arr[@]} )) && return 1 + + for (( base_idx=0; base_idx < ${#base_arr[@]}; base_idx++ )); do + if [ "${base_arr[base_idx]}" != "${match_arr[base_idx]}" ]; then + return 1 + fi + done + + return 0 +} + +load_late_nosuid_policy() { + local target_file state_idx state_file_item state_user_owner_item \ + state_group_owner_item new_mode + + target_file="${1:-}" + for (( state_idx=0; state_idx < ${#state_file_list[@]}; state_idx++ )); do + state_file_item="${state_file_list[state_idx]}" + check_nosuid_whitelist "${state_file_item}" || continue + + match_dir "${target_file}" "${state_file_item}" || continue + + if [ -h "${state_file_item}" ]; then + ## https://forums.whonix.org/t/disable-suid-binaries/7706/14 + log info "Skip symlink: '${state_file_item}'" + continue + fi + + if [ -d "${state_file_item}" ]; then + log info "Skip directory: '${state_file_item}'" + continue + fi + + state_user_owner_item="${state_user_owner_list[state_idx]}" + state_group_owner_item="${state_group_owner_list[state_idx]}" + new_mode='744' + add_to_policy "${state_file_item}" "${new_mode}" \ + "${state_user_owner_item}" "${state_group_owner_item}" + done +} + +load_state_without_policy() { + local line field_list + + ## Load the state file from disk + if [ -f "${state_file}" ]; then + while read -r line; do + read -r -a field_list <<< "${line}" + if (( ${#field_list[@]} != 4 )); then + log info \ + "Invalid number of fields in state file line: '${line}'. Skipping." 
+ continue + fi + state_user_owner_list+=( "${field_list[0]}" ) + state_group_owner_list+=( "${field_list[1]}" ) + state_mode_list+=( "${field_list[2]}" ) + state_file_list+=( "${field_list[3]}" ) + done < "${state_file}" + fi +} + +load_state() { + ## Config format: + ## path options + ## where options is one of: + ## user_owner group_owner filemode [capability-setting] + ## [nosuid|exactwhitelist|matchwhitelist|disablewhitelist] + ## + ## Additionally, the special value 'whitelists_disable_all=true' is understood + ## to mean that all whitelisting should be ignored. + + local config_file line field_list policy_nosuid_file_item policy_file_item + + ## Load configuration, deferring whitelist handling until later + for config_file in \ + /usr/lib/permission-hardener.d/*.conf \ + /etc/permission-hardener.d/*.conf \ + /usr/local/etc/permission-hardener.d/*.conf \ + /etc/permission-hardening.d/*.conf \ + /usr/local/etc/permission-hardening.d/*.conf + do + if [ ! -f "${config_file}" ]; then + continue + fi + + while read -r line; do + if [ -z "${line}" ]; then + true 'DEBUG: line is empty. Skipping.' + continue + fi + + if [[ "${line}" =~ ^\s*# ]]; then + continue + fi + + if ! [[ "${line}" =~ ^[-0-9a-zA-Z._/[:space:]]*$ ]]; then + exit_code=200 + log error "Line contains invalid characters: '${line}'" >&2 + ## Safer to exit with error in this case. + ## https://forums.whonix.org/t/disable-suid-binaries/7706/59 + exit "${exit_code}" + fi + + if [ "${line}" = 'whitelists_disable_all=true' ]; then + whitelists_disable_all=true + log info "whitelists_disable_all=true" + continue + fi + + processed_config_line="${line}" + + IFS=' ' read -r -a field_list <<< "${line}" + + case "${#field_list[@]}" in + 2|4|5) true;; + *) + exit_code=200 + log error "Line contains an invalid number of fields: '${line}'" >&2 + exit "${exit_code}" + ;; + esac + + # Strip trailing slash if appropriate + field_list[0]="${field_list[0]%/}" + + case "${field_list[1]}" in + 'exactwhitelist') + [ ! 
-e "${field_list[0]}" ] && continue + policy_exact_white_list+=( "${field_list[0]}" ) + continue + ;; + 'matchwhitelist') + policy_match_white_list+=( "${field_list[0]}" ) + continue + ;; + 'disablewhitelist') + policy_disable_white_list+=( "${field_list[0]}" ) + continue + ;; + 'nosuid') + [ ! -e "${field_list[0]}" ] && continue + policy_nosuid_file_list+=( "${field_list[0]}" ) + ;; + *) + [ ! -e "${field_list[0]}" ] && continue + add_to_policy "${field_list[@]}" + ;; + esac + done < "${config_file}" + done + + ## We have to handle nosuid files at the end since the whitelist arrays need + ## built first. + for policy_nosuid_file_item in "${policy_nosuid_file_list[@]}"; do + load_early_nosuid_policy "${policy_nosuid_file_item}" + done + + load_state_without_policy + + ## Find any files in the policy that don't already have a matching file in + ## the state. Add those files to the state, and save them to the state file + ## as well. + for policy_file_item in "${policy_file_list[@]}"; do + if [[ " ${state_file_list[*]} " =~ " ${policy_file_item} " ]]; then + continue + fi + output_stat "${policy_file_item}" + if [ -z "${file_name_from_stat}" ]; then + continue + fi + state_file_list+=( "${file_name_from_stat}" ) + state_user_owner_list+=( "${existing_owner}" ) + state_group_owner_list+=( "${existing_group}" ) + state_mode_list+=( "${existing_mode}" ) + # shellcheck disable=SC2086 + echo_wrapper_audit silent dpkg-statoverride \ + ${dpkg_admindir_parameter_existing_mode} \ + --add "${existing_owner}" "${existing_group}" "${existing_mode}" \ + "${file_name_from_stat}" + done + + ## Fix up nosuid policies using state information + for policy_nosuid_file_item in "${policy_nosuid_file_list[@]}"; do + load_late_nosuid_policy "${policy_nosuid_file_item}" + done +} + +apply_policy() { + local policy_idx did_state_update state_idx + + ## Modify the in-memory state so that all items that the policy affects match + ## the policy. DO NOT save these changes to the state file! 
+ for (( policy_idx=0; policy_idx < ${#policy_file_list[@]}; policy_idx++ )); do + did_state_update=false + for (( state_idx=0; state_idx < ${#state_file_list[@]}; state_idx++ )); do + if [ "${state_file_list[state_idx]}" = "${policy_file_list[policy_idx]}" ]; then + state_user_owner_list[state_idx]="${policy_user_owner_list[policy_idx]}" + state_group_owner_list[state_idx]="${policy_group_owner_list[policy_idx]}" + state_mode_list[state_idx]="${policy_mode_list[policy_idx]}" + did_state_update=true + break + fi + done + if [ "${did_state_update}" = 'false' ]; then + exit_code=206 + log error \ + "File exists in policy but not in state! File: '${policy_file_list[policy_idx]}'" + exit "${exit_code}" + fi + done +} + +commit_policy() { + local policy_idx state_idx state_file_item \ + state_user_owner_item state_group_owner_item \ + state_mode_item orig_main_statoverride_db orig_new_statoverride_db \ + policy_file_item policy_capability_item + + ## Check each file on the filesystem against the state, and update it if the + ## state does not match. Also ensure the consistency of the new_mode database + ## so that people can compare the original permissions of files with the new + ## permissions. + orig_main_statoverride_db="$(dpkg-statoverride --list)" || true + # shellcheck disable=SC2086 + orig_new_statoverride_db="$(dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --list)" || true + + for (( state_idx=0; state_idx < ${#state_file_list[@]}; state_idx++ )); do + state_file_item="${state_file_list[state_idx]}" + state_user_owner_item="${state_user_owner_list[state_idx]}" + state_group_owner_item="${state_group_owner_list[state_idx]}" + state_mode_item="${state_mode_list[state_idx]}" + + ## Get rid of leading zeros, stat doesn't output them due to how we use it. + ## Using BASH_REMATCH is faster than sed. We capture all leading zeros into + ## one group, and the rest of the string into a second group. The second + ## group is the string we want. 
BASH_REMATCH[0] is the entire string, + ## BASH_REMATCH[1] is the first match that we want to discard, and + ## BASH_REMATCH[2] is the desired second group. + [[ "${state_mode_item}" =~ ^(0*)(.*) ]] || true; + state_mode_item="${BASH_REMATCH[2]}" + + output_stat "${state_file_item}" + if [ -z "${file_name_from_stat}" ]; then + continue + fi + + if [ "${existing_owner}" != "${state_user_owner_item}" ] \ + || [ "${existing_group}" != "${state_group_owner_item}" ] \ + || [ "${existing_mode}" != "${state_mode_item}" ]; then + if ! [[ "${passwd_file_contents}" =~ "${state_user_owner_item}:" ]]; then + log error "Owner from config does not exist: '${state_user_owner_item}'" >&2 + continue + fi + + if ! [[ "${group_file_contents}" =~ "${state_group_owner_item}:" ]]; then + log error "Group from config does not exist: '${state_group_owner_item}'" >&2 + continue + fi + ## Remove and reapply in main list + if [[ "${orig_main_statoverride_db}" =~ "${file_name_from_stat}" ]]; then + echo_wrapper_ignore silent dpkg-statoverride --remove \ + "${file_name_from_stat}" + fi + echo_wrapper_audit verbose dpkg-statoverride --add --update \ + "${state_user_owner_item}" "${state_group_owner_item}" \ + "${state_mode_item}" "${file_name_from_stat}" + + ## Update item in secondary list + if [[ "${orig_new_statoverride_db}" =~ "${file_name_from_stat}" ]]; then + # shellcheck disable=SC2086 + echo_wrapper_ignore silent dpkg-statoverride \ + ${dpkg_admindir_parameter_new_mode} --remove \ + "${file_name_from_stat}" + fi + # shellcheck disable=SC2086 + echo_wrapper_audit verbose dpkg-statoverride \ + ${dpkg_admindir_parameter_new_mode} --add \ + "${state_user_owner_item}" "${state_group_owner_item}" \ + "${state_mode_item}" "${file_name_from_stat}" + fi + done + + ## Apply capability hardening, dpkg-statoverride can't handle this so we have + ## to do this manually + for (( policy_idx=0; policy_idx < ${#policy_file_list[@]}; policy_idx++ )); do + 
policy_file_item="${policy_file_list[policy_idx]}" + policy_capability_item="${policy_capability_list[policy_idx]}" + if [ -z "${policy_capability_item}" ]; then + continue + fi + + if [ "${policy_capability_item}" = 'none' ]; then + echo_wrapper_ignore verbose setcap -r "${policy_file_item}" + if [ -n "$(getcap -- "${policy_file_item}")" ]; then + exit_code=205 + log error \ + "Removing capabilities failed. File: '${policy_file_item}'" >&2 + continue + fi + else + if ! capsh --print \ + | grep --fixed-strings -- "Bounding set" \ + | grep -- "${policy_capability_item}" >/dev/null; then + log error \ + "Capability from config does not exist: '${policy_capability_item}'" \ + >&2 + continue + fi + + ## feature request: dpkg-statoverride: support for capabilities + ## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=502580 + echo_wrapper_audit verbose setcap "${policy_capability_item}+ep" \ + -- "${policy_file_item}" + fi + done + + log notice "\ +To compare the current and previous permission modes, install 'meld' (or preferred diff tool) for comparison of file mode changes: + sudo apt install --no-install-recommends meld + meld ${store_dir}/existing_mode/statoverride ${store_dir}/new_mode/statoverride" +} + +undo_policy_for_file() { + local undo_file state_idx state_file_item did_undo \ + undo_all verbose orig_main_statoverride_db orig_new_statoverride_db \ + state_user_owner_item state_group_owner_item state_mode_item + + undo_file="${1}" + undo_all=false + verbose='--verbose' + if [ "${undo_file}" = 'all' ]; then + undo_all=true + verbose='' + fi + + if [ ! -f "${state_file}" ]; then + true 'DEBUG: State file does not exist, hardening was not applied before.' 
+ return 0 + fi + + did_undo=false + + for (( state_idx=0; state_idx < ${#state_file_list[@]}; state_idx++ )); do + state_file_item="${state_file_list[state_idx]}" + if [ "${undo_all}" = 'true' ]; then + undo_file="${state_file_item}" + fi + + if [ "${state_file_item}" = "${undo_file}" ]; then + orig_main_statoverride_db="$(dpkg-statoverride --list)" || true + # shellcheck disable=SC2086 + orig_new_statoverride_db="$(dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --list)" || true + + if [[ "${orig_main_statoverride_db}" =~ "${undo_file}" ]]; then + echo_wrapper_ignore silent dpkg-statoverride --remove \ + "${undo_file}" + fi + + if [[ "${orig_new_statoverride_db}" =~ "${undo_file}" ]]; then + # shellcheck disable=SC2086 + echo_wrapper_ignore silent dpkg-statoverride \ + ${dpkg_admindir_parameter_new_mode} --remove \ + "${undo_file}" + fi + + if [ -e "${undo_file}" ]; then + state_user_owner_item="${state_user_owner_list[state_idx]}" + state_group_owner_item="${state_group_owner_list[state_idx]}" + state_mode_item="${state_mode_list[state_idx]}" + chown ${verbose} -- "${state_user_owner_item}:${state_group_owner_item}" \ + "${undo_file}" || exit_code=202 + ## chmod needs to be run after chown since chown removes suid. + chmod ${verbose} "${state_mode_item}" "${undo_file}" || exit_code=203 + else + log info "File does not exist: '${undo_file}'" + fi + did_undo=true + + if [ "${undo_all}" = 'false' ]; then + break + fi + fi + done + + if ! [[ "${did_undo}" = 'false' ]]; then + log info "The specified file is not hardened, leaving unchanged. + + File '${undo_file}' has not been removed from SUID Disabler and Permission Hardener during this invocation. This is expected if no policy was ever applied to the file before. + + This program expects the full path to the file. Example: + $0 disable /usr/bin/newgrp # absolute path: works + $0 disable newgrp # relative path: does not work + + To remove all: + $0 disable all + + This change might not be permanent. 
For full instructions, see: + https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener + + To view list of changed by SUID Disabler and Permission Hardener: + https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#View_List_of_Permissions_Changed_by_SUID_Disabler_and_Permission_Hardener + + For re-enabling any specific SUID binary: + https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#Re-Enable_Specific_SUID_Binaries + + For completely disabling SUID Disabler and Permission Hardener: + https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#Disable_SUID_Disabler_and_Permission_Hardener" + fi +} + +print_columns() { + local format_str bogus_str + format_str='' + for bogus_str in "$@"; do + format_str="${format_str}%s\t" + done + format_str="${format_str}\n" + ## Using a dynamically generated format string on purpose. + # shellcheck disable=SC2059 + printf "${format_str}" "$@" +} + +print_policy() { + local policy_idx + + print_columns 'File' 'User' 'Group' 'Mode' 'Capabilities' + + for (( policy_idx=0; policy_idx < ${#policy_file_list[@]}; policy_idx++ )); do + print_columns \ + "${policy_file_list[policy_idx]}" \ + "${policy_user_owner_list[policy_idx]}" \ + "${policy_group_owner_list[policy_idx]}" \ + "${policy_mode_list[policy_idx]}" \ + "${policy_capability_list[policy_idx]}" + done +} + +print_state() { + local state_idx + + print_columns 'File' 'User' 'Group' 'Mode' + for (( state_idx=0; state_idx < ${#state_file_list[@]}; state_idx++ )); do + print_columns \ + "${state_file_list[state_idx]}" \ + "${state_user_owner_list[state_idx]}" \ + "${state_group_owner_list[state_idx]}" \ + "${state_mode_list[state_idx]}" + done +} + +print_raw_policy_config() { + local config_file + for config_file in \ + /usr/lib/permission-hardener.d/*.conf \ + /etc/permission-hardener.d/*.conf \ + /usr/local/etc/permission-hardener.d/*.conf \ + /etc/permission-hardening.d/*.conf \ + 
/usr/local/etc/permission-hardening.d/*.conf + do + if [ ! -f "${config_file}" ]; then + continue + fi + echo "*** begin ${config_file} ***" + cat "${config_file}" + echo "*** end ${config_file} ***" + done +} + +print_raw_state() { + local state_file + for state_file in "${store_dir}/existing_mode/statoverride" \ + "${store_dir}/new_mode/statoverride"; do + echo "*** begin ${state_file} ***" + cat "${state_file}" + echo "*** end ${state_file} ***" + done +} + +print_fs_audit() { + local state_idx state_file_item state_user_owner_item state_group_owner_item \ + state_mode_item + + echo 'Legend:' + echo '... - Warning about an unusual, but not necessarily wrong, condition' + echo '!!! - Warning about an unusual and definitely wrong condition' + echo '*** - File permission data, actual state on filesystem is consistent with policy' + echo '^^^ - File permission data, actual state on filesystem is inconsistent with policy' + echo 'vvv - File permissions specified by state, always shown after a ^^^ item' + echo + + for (( state_idx=0; state_idx < ${#state_file_list[@]}; state_idx++ )); do + state_file_item="${state_file_list[state_idx]}" + state_user_owner_item="${state_user_owner_list[state_idx]}" + state_group_owner_item="${state_group_owner_list[state_idx]}" + state_mode_item="${state_mode_list[state_idx]}" + + ## Get rid of leading zeros, stat doesn't output them due to how we use it. + ## Using BASH_REMATCH is faster than sed. We capture all leading zeros into + ## one group, and the rest of the string into a second group. The second + ## group is the string we want. BASH_REMATCH[0] is the entire string, + ## BASH_REMATCH[1] is the first match that we want to discard, and + ## BASH_REMATCH[2] is the desired second group. + [[ "${state_mode_item}" =~ ^(0*)(.*) ]] || true; + state_mode_item="${BASH_REMATCH[2]}" + + output_stat "${state_file_item}" + if [ -z "${file_name_from_stat}" ]; then + echo "... 
'${file_name_from_stat}' does not exist" + continue + fi + + if [ "${existing_owner}" != "${state_user_owner_item}" ] \ + || [ "${existing_group}" != "${state_group_owner_item}" ] \ + || [ "${existing_mode}" != "${state_mode_item}" ]; then + if ! [[ "${passwd_file_contents}" =~ "${state_user_owner_item}:" ]]; then + echo "!!! Owner from config does not exist: '${state_user_owner_item}'" + continue + fi + + if ! [[ "${group_file_contents}" =~ "${state_group_owner_item}:" ]]; then + echo "!!! Group from config does not exist: '${state_group_owner_item}'" + continue + fi + + echo "^^^ ${file_name_from_stat} ${existing_owner}:${existing_group} ${existing_mode}" + echo "vvv ${file_name_from_stat} ${state_user_owner_item}:${state_group_owner_item} ${state_mode_item}" + else + echo "*** ${file_name_from_stat} ${existing_owner}:${existing_group} ${existing_mode}" + fi + done +} + +reset_global_vars() { + ## Global variables + policy_file_list=() + policy_user_owner_list=() + policy_group_owner_list=() + policy_mode_list=() + policy_capability_list=() + policy_exact_white_list=() + policy_match_white_list=() + policy_disable_white_list=() + policy_nosuid_file_list=() + state_file_list=() + state_user_owner_list=() + state_group_owner_list=() + state_mode_list=() + whitelists_disable_all=false + existing_mode='' + existing_owner='' + existing_group='' + processed_config_line='' + file_name_from_stat='' + passwd_file_contents="$(getent passwd)" + group_file_contents="$(getent group)" + exit_code=0 +} + +reset_global_vars + +## Setup and sanity checking +if [ "$(id -u)" != '0' ]; then + log error "Not running as root, aborting." 
+ exit 1 +fi + +mkdir --parents "${store_dir}/existing_mode" +mkdir --parents "${store_dir}/new_mode" + +echo_wrapper_audit silent which capsh getcap setcap stat find \ + dpkg-statoverride getent grep 1>/dev/null + +## Command parsing and execution +case "${1:-}" in + enable) + shift + load_state + apply_policy + commit_policy + ;; + disable) + shift + case "${1:-}" in + "") + print_usage + exit 1 + ;; + *) + load_state_without_policy + undo_policy_for_file "${1}" + ;; + esac + ;; + print-policy) + load_state + print_policy + ;; + print-state) + load_state + print_state + ;; + print-policy-applied-state) + load_state + apply_policy + print_state + ;; + print-diagnostics) + echo '=== BEGIN PERMISSION-HARDENER DIAGNOSTICS ===' + + echo '--- BEGIN State without policy ---' + load_state_without_policy + print_state + echo '--- END State without policy ---' + + reset_global_vars + + echo '--- BEGIN Policy without state ---' + load_state + print_policy + echo '--- END Policy without state ---' + + reset_global_vars + + echo '--- BEGIN Policy-applied-state ---' + load_state + apply_policy + print_state + echo '--- END Policy-applied state ---' + + reset_global_vars + + echo '--- BEGIN Master dpkg-statoverride database ---' + dpkg-statoverride --list + echo '--- END Master dpkg-statoverride database ---' + + echo '--- BEGIN Raw policy configuration ---' + print_raw_policy_config + echo '--- END Raw policy configuration ---' + + echo '--- BEGIN Raw state data ---' + print_raw_state + echo '--- END Raw state data ---' + + echo '--- BEGIN Filesystem state audit ---' + load_state + apply_policy + print_fs_audit + echo '--- END Filesystem state audit ---' + + echo '=== END PERMISSION-HARDENER DIAGNOSTICS ===' + ;; + -h|--help) + print_usage + exit 0 + ;; + *) + print_usage + exit 1 + ;; +esac + +## Exit +if test "${exit_code}" != "0"; then + log error "Exiting with non-zero exit code: '${exit_code}'" >&2 +fi + +exit "${exit_code}" 
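Review bot: in `undo_policy_for_file` the closing condition `if ! [[ "${did_undo}" = 'false' ]]; then` is inverted: it is true exactly when an undo was performed, so the "The specified file is not hardened, leaving unchanged" message is printed after a successful undo and suppressed when nothing matched; it should read `if [ "${did_undo}" = 'false' ]; then`. In `load_state`, the allowed-character check `^[-0-9a-zA-Z._/[:space:]]*$` does not include `=`, so a config line `whitelists_disable_all=true` is rejected with exit code 200 before the equality test that handles it is reached; add `=` to the class or move that test above the regex. In `check_nosuid_whitelist`, `"${policy_match_white_list[@]:-}"` expands to a single empty string when no matchwhitelist entry is configured, and `*""*` then matches every path, so every candidate would be treated as whitelisted and no SUID bit would be removed; skip empty entries (`[ -n "${match_white_list_entry}" ] || continue`) or drop the `:-`. Finally, in `print_fs_audit` the "does not exist" line prints `${file_name_from_stat}`, which is empty in that branch; print `${state_file_item}` instead.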
diff --git a/usr/bin/pkexec.security-misc b/usr/bin/pkexec.security-misc deleted file mode 100755 index cb57c9a..0000000 --- a/usr/bin/pkexec.security-misc +++ /dev/null 
@@ -1,132 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with -## hidepid. -## * https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040 -## * https://forums.whonix.org/t/cannot-use-pkexec/8129 - -set -e - -my_real_path="$(realpath "$0")" || true -identifier="$my_real_path wrapper" -exec > >(systemd-cat --identifier="$identifier output by program:") 2>&1 - -log_to_journal() { - echo "$@" | systemd-cat --identifier="$identifier output by wrapper:" || true -} - -log_to_journal "$0 $@" -log_to_journal "DISPLAY: '$DISPLAY'" -my_pstree="$(pstree -p $$)" || true -log_to_journal "my_pstree: '$my_pstree'" - -## If hidepid is not in use, just use pkexec normally. -if ! mount | grep "/proc" | grep "hidepid=2" &>/dev/null ; then - pkexec.security-misc-orig "$@" - exit $? -fi - -switch_user=false - -original_args="$@" - -## Thanks to: -## http://mywiki.wooledge.org/BashFAQ/035 - -while : -do - case $1 in - ## Should show 'pkexec --version' or fail? - --version) - shift - pkexec.security-misc-orig "$original_args" - exit $? - ;; - ## Should show 'pkexec --help' or fail? - --help) - shift - pkexec.security-misc-orig "$original_args" - exit $? - ;; - ## Drop --disable-internal-agent as not needed and breaking both, - ## lxqt-sudo and sudo. - --disable-internal-agent) - shift - ;; - --user) - ## lxqt-sudo does not support "--user". - ## We should not make this wrapper run something as root which - ## is supposed to run under a different user. Try using - ## "sudo -A --user user --set-home" instead. 
- user_pkexec_wrapper="$2" - if [ "$user_pkexec_wrapper" = "" ]; then - shift - else - shift 2 - fi - switch_user=true - maybe_switch_to_user="--user $user_pkexec_wrapper" - ;; - --) - shift - break - ;; - *) - break - ;; - esac -done - -## If there are input files (for example) that follow the options, they -## will remain in the "$@" positional parameters. - -if [ "$PKEXEC_UID" = "" ]; then - if [ ! "$user_pkexec_wrapper" = "" ]; then - PKEXEC_UID="$user_pkexec_wrapper" - elif [ ! "$SUDO_USER" = "" ]; then - PKEXEC_UID="$SUDO_USER" - else - PKEXEC_UID="$(whoami)" - fi -fi -export PKEXEC_UID - -if [[ "$@" = "" ]]; then - ## Call original pkexec in case there are no arguments. - pkexec.security-misc-orig $original_args - exit $? -fi - -exit_code=0 - -## lxqt-sudo does not check /etc/sudoers / /etc/sudoers.d exceptions. -## Therefore use 'sudo -l' to see if there is any already existing sudoers exception. -## Did not work. 'sudo -l' will always exit with exit code '0'. -# if sudo -l --non-interactive $maybe_switch_to_user --set-home PKEXEC_UID="$PKEXEC_UID" "$@" ; then -# log_to_journal "sudoers exception: yes" -# sudo --non-interactive $maybe_switch_to_user --set-home PKEXEC_UID="$PKEXEC_UID" "$@" || { exit_code=$? ; true; }; -# log_to_journal "sudo --user | exit_code: '$exit_code'" -# exit "$exit_code" -# fi -# -# log_to_journal "sudoers exception: no" - -if [ "$switch_user" = "true" ]; then - ## 'sudo --user user' clears environment variables such as PATH. - lxqt-sudo sudo $maybe_switch_to_user --set-home PKEXEC_UID="$PKEXEC_UID" "$@" || { exit_code=$? ; true; }; -else - ## set PATH same as root - ## This is required for gdebi. - ## REVIEW: is it ok that users can find out the PATH setting of root? - ## lxqt-sudo does not clear environment variable PATH. - PATH="$(sudo --non-interactive /usr/libexec/security-misc/echo-path)" - export PATH - lxqt-sudo "$@" || { exit_code=$? ; true; }; -fi - -log_to_journal "exit_code: '$exit_code'" - -exit "$exit_code" 
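Review bot: deleting this wrapper removes the hidepid workaround it implemented (redirecting pkexec to lxqt-sudo whenever /proc is mounted with hidepid=2, per the two bug links in the deleted header), and nothing in the diff says what replaces it; the commit message should state whether hidepid=2 is no longer applied to /proc or whether pkexec now works with it, so this is not read as a silent regression. If the original binary is diverted to pkexec.security-misc-orig (as the wrapper's calls to it suggest), that diversion has to be undone in the same change, otherwise /usr/bin/pkexec would resolve to a wrapper that no longer exists.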
diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure new file mode 100755 index 0000000..957ad46 --- /dev/null +++ b/usr/bin/remount-secure 
@@ -0,0 +1,388 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## features: +## - nodev,nosuid where appropriate +## - optional noexec for most except /home +## - optional noexec for all including /home +## - idempotent (script can be safely re-run) +## - can be run from: +## - systemd +## - dracut +## - manually from command line +## - can safely handle non-existing folders +## - error handling +## - log output: +## - shows each and every command executed +## - shows old mount options prior running remount-secure +## - shows new mount options after running remount-secure + +## noexec in /tmp and/or /home can break some malware but also legitimate +## applications. + +## https://www.kicksecure.com/wiki/Noexec +## https://www.kicksecure.com/wiki/Dev/remount-secure +## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707 + +#set -x +set -e +set -o pipefail +set -o nounset + +init() { + if test -o xtrace ; then + output_command=true + else + output_command=echo + fi + + $output_command "$0: INFO: START" + + ## dracut does not have id. Saving space in initial ramdisk. + if command -v id &>/dev/null ; then + if [ "$(id -u)" != "0" ]; then + $output_command "ERROR: must be run as root! sudo $0" + exit 1 + fi + fi + + mkdir --parents "/run/remount-secure" + exit_code=0 + + ## dracut sets NEWROOT=/sysroot + [[ -v NEWROOT ]] || NEWROOT="" + if [ "$NEWROOT" = "" ]; then + $output_command "INFO: dracut detected: no" + else + $output_command "INFO: dracut detected: yes - NEWROOT: '$NEWROOT'" + fi + + ## Debugging. + #echo "ls -la /root/" + #ls -la / || true + #echo "ls -la /sysroot/" + #ls -la /sysroot/ || true + #echo "env" + #env || true +} + +parse_options() { + ## Thanks to: + ## https://mywiki.wooledge.org/BashFAQ/035 + + while : + do + case ${1:-} in + 0) + $output_command "WARNING: Not using remount-secure." 
+ exit 0 + shift + ;; + 1) + $output_command "INFO: level 1/3 (low)" + most_noexec_maybe="" + home_noexec_maybe="" + parsed=true + shift + ;; + 2) + $output_command "INFO: level 2/3 (medium)" + most_noexec_maybe=",noexec" + home_noexec_maybe="" + parsed=true + shift + ;; + 3) + $output_command "INFO: level 3/3 (high)" + most_noexec_maybe=",noexec" + home_noexec_maybe=",noexec" + parsed=true + shift + ;; + --force) + $output_command "INFO: --force" + option_force=true + shift + ;; + --) + shift + break + ;; + -*) + echo "ERROR: unknown option: $1" >&2 + exit 1 + ;; + *) + break + ;; + esac + done + + [[ -v option_force ]] || option_force="" + [[ -v parsed ]] || parsed=false + [[ -v home_noexec_maybe ]] || home_noexec_maybe="" + [[ -v most_noexec_maybe ]] || most_noexec_maybe="" + + $output_command "INFO: using nosuid,nodev: yes" + + if [ "$home_noexec_maybe" = "" ]; then + $output_command "INFO: using noexec for all: no" + else + $output_command "INFO: using noexec for all: yes" + return 0 + fi + + if [ "$most_noexec_maybe" = "" ]; then + $output_command "INFO: using noexec for most: no" + else + $output_command "INFO: using noexec for most (not all): yes" + return 0 + fi + + if [ "$parsed" = "true" ]; then + return 0 + fi + + $output_command "ERROR: syntax error. use either: +$0 0 +$0 1 +$0 2 +$0 3" + + exit 1 +} + +preparation() { + ## Debugging. + #$output_command "INFO: 'findmnt --list' output at the START." + #$output_command "$(findmnt --list)" + #$output_command "" + true +} + +remount_secure() { + $output_command "" + + ## ${FUNCNAME[1]} is the name of the calling function. I.e. the function + ## which called this function. 
+ status_file_name="${FUNCNAME[1]}" + ## example status_file_name: + ## _home + status_file_full_path="/run/remount-secure/${status_file_name}" + ## example status_file_full_path: + ## /run/remount-secure/_home + + old_mount_options="$(findmnt --noheadings --output options -- "$mount_folder")" || true + ## example old_mount_options: + ## rw,nosuid,nodev,relatime,discard + + $output_command "INFO: '$mount_folder' old_mount_options: '$old_mount_options'" + + if printf '%s\n' "$old_mount_options" | grep "$intended_mount_options" >/dev/null 2>/dev/null ; then + $output_command "INFO: '$mount_folder' has already intended mount options. ('$intended_mount_options')" + return 0 + fi + + ## When this package is upgraded, the systemd unit will run again. + ## If the user meanwhile manually relaxed mount options, this should not be undone. + + if [ ! "$option_force" == "true" ]; then + if [ -e "$status_file_full_path" ]; then + $output_command "INFO: '$mount_folder' already remounted earlier. Not remounting again. Use --force if this is what you want." + return 0 + fi + fi + + if ! test -d "$mount_folder" ; then + ## For example /boot/efi does not always exist on all systems. + $output_command "INFO: '$mount_folder' folder exists: no" + return 0 + fi + $output_command "INFO: '$mount_folder' folder exists: yes" + + if findmnt --noheadings "$mount_folder" >/dev/null ; then + $output_command "INFO: '$mount_folder' already mounted, therefore using remount." + $output_command INFO: Executing: mount --make-private --options "remount,${intended_mount_options}" "$mount_folder" + mount --make-private --options "remount,${intended_mount_options}" "$mount_folder" || exit_code=100 + else + $output_command "INFO: '$mount_folder' not yet mounted, therefore using mount bind." 
+ $output_command INFO: Executing: mount --make-private --options "$intended_mount_options" --bind "$mount_folder" "$mount_folder" + mount --make-private --options "$intended_mount_options" --bind "$mount_folder" "$mount_folder" || exit_code=101 + fi + + new_mount_options="$(findmnt --noheadings --output options -- "$mount_folder")" || true + $output_command "INFO: '$mount_folder' new_mount_options: '$new_mount_options'" + + touch "$status_file_full_path" +} + +_boot() { + mount_folder="$NEWROOT/boot" + ## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html + intended_mount_options="nosuid,nodev,noexec" + remount_secure +} + +_boot_efi() { + ## TODO: new, test + mount_folder="$NEWROOT/boot/efi" + intended_mount_options="nosuid,nodev,noexec" + remount_secure +} + +_run() { + mount_folder="/run" + ## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html + intended_mount_options="nosuid,nodev${most_noexec_maybe}" + remount_secure +} + +_dev() { + mount_folder="/dev" + ## /dev should be nosuid,noexec as per: + ## https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1991975 + intended_mount_options="nosuid,noexec" + remount_secure +} + +_dev_shm() { + mount_folder="/dev/shm" + intended_mount_options="nosuid,nodev${most_noexec_maybe}" + remount_secure +} + +_sys() { + ## TODO: new, test + mount_folder="/sys" + intended_mount_options="nosuid,nodev,noexec" + remount_secure +} + +_tmp() { + mount_folder="$NEWROOT/tmp" + intended_mount_options="nosuid,nodev${most_noexec_maybe}" + remount_secure +} + +_var_tmp() { + mount_folder="$NEWROOT/var/tmp" + intended_mount_options="nosuid,nodev${most_noexec_maybe}" + remount_secure +} + +_var_log() { + mount_folder="$NEWROOT/var/log" + intended_mount_options="nosuid,nodev,noexec" + remount_secure +} + +_var() { + mount_folder="$NEWROOT/var" + ## noexec: Not possible. Reason: + ## Debian stores executable maintainer scripts in /var/lib/dpkg/info folder. 
+ intended_mount_options="nosuid,nodev" + remount_secure +} + +_usr() { + ## TODO: new, test + mount_folder="$NEWROOT/usr" + intended_mount_options="nodev" + remount_secure +} + +_home() { + mount_folder="$NEWROOT/home" + intended_mount_options="nosuid,nodev${home_noexec_maybe}" + remount_secure +} + +_root() { + ## TODO: new, test + mount_folder="$NEWROOT/root" + intended_mount_options="nosuid,nodev${home_noexec_maybe}" + remount_secure +} + +_srv() { + ## TODO: new, test + mount_folder="$NEWROOT/srv" + intended_mount_options="nosuid,nodev${most_noexec_maybe}" + remount_secure +} + +_media() { + ## TODO: new, test + mount_folder="$NEWROOT/media" + intended_mount_options="nosuid,nodev${most_noexec_maybe}" + remount_secure +} + +_mnt() { + ## TODO: new, test + mount_folder="$NEWROOT/mnt" + intended_mount_options="nosuid,nodev${most_noexec_maybe}" + remount_secure +} + +_opt() { + ## TODO: new, test + mount_folder="$NEWROOT/opt" + ## Allow /opt exec as usually optional binaries are placed there such as Firefox + ## when manually installed from tarball. + intended_mount_options="nosuid,nodev" + remount_secure +} + +_etc() { + ## TODO: new, test + ## /etc cannot be noexec because various executables are there. To find, run: + ## sudo find /etc -executable + mount_folder="$NEWROOT/etc" + intended_mount_options="nosuid,nodev" + remount_secure +} + +end() { + ## Debugging. + #$output_command "INFO: 'findmnt --list' output at the END." + #$output_command "$(findmnt --list)" + + $output_command "" + $output_command "INFO: exit_code: $exit_code" + $output_command "$0: INFO: END" + exit $exit_code +} + +main() { + init + parse_options "$@" + preparation + + _boot + _boot_efi + _run + _dev + _dev_shm + _tmp + _var_tmp + _var_log + _var + _usr + _home + _root + _srv + _media + _mnt + _opt + _etc + + end +} + +## TODO: see also hidepid /usr/lib/systemd/system/proc-hidepid.service +#mount --options defaults,nosuid,nodev,noexec,remount,subset=pid /proc + +main "$@" 
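Review bot: `_sys` is defined (with a 'TODO: new, test' marker) but never called from `main`, so /sys is never remounted; either add it to the call list or drop the function until it is tested. Two smaller points in the same file: in `parse_options` the `0)` branch has a `shift` after `exit 0` that can never execute, and `_run`, `_dev`, `_dev_shm` and `_sys` use bare absolute paths while every other target is prefixed with `$NEWROOT`; if that is deliberate because those mounts are carried over from the initramfs into the new root, a comment saying so would save the next reader the question.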
diff --git a/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf b/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf new file mode 100644 index 0000000..3d0a483 --- /dev/null +++ b/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf @@ -0,0 +1,13 @@ +## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## MAC randomisation breaks root server and VirtualBox DHCP likely due to IPv6 Privacy Extensions. +## +## https://datatracker.ietf.org/doc/html/rfc4941 +## https://github.com/Kicksecure/security-misc/pull/145 +## https://github.com/Kicksecure/security-misc/issues/184 +## +## The use of IPv6 Privacy Extenstions is currently diasbled due to these breakages. + +#[connection] +#ipv6.ip6-privacy=2 diff --git a/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf b/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf new file mode 100644 index 0000000..8088591 --- /dev/null +++ b/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf @@ -0,0 +1,17 @@ +## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## MAC randomisation breaks root server and VirtualBox DHCP likely due to IPv6 Privacy Extensions. +## +## https://datatracker.ietf.org/doc/html/rfc4941 +## https://github.com/Kicksecure/security-misc/pull/145 +## https://github.com/Kicksecure/security-misc/issues/184 +## +## The use of IPv6 Privacy Extenstions is currently diasbled due to these breakages. + +#[device-mac-randomization] +#wifi.scan-rand-mac-address=yes + +#[connection-mac-randomization] +#ethernet.cloned-mac-address=random +#wifi.cloned-mac-address=random diff --git a/usr/lib/dracut/modules.d-disabled/20remount-secure/module-setup.sh b/usr/lib/dracut/modules.d-disabled/20remount-secure/module-setup.sh new file mode 100755 index 0000000..8917091 --- /dev/null +++ b/usr/lib/dracut/modules.d-disabled/20remount-secure/module-setup.sh 
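Review bot: both NetworkManager files carry the same header comment, and in 80_randomize-mac.conf it does not match the content: the comment explains that IPv6 Privacy Extensions are disabled, while the commented-out keys below are the MAC randomisation settings (wifi.scan-rand-mac-address, cloned-mac-address), so say which of the two features this file disables and why. Fix the typos 'Extenstions' and 'diasbled' in both headers. Since every setting in both files is commented out, the files are no-ops as shipped; that is fine as documentation, but one sentence noting it is intentional would help.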
@@ -0,0 +1,44 @@ +#!/bin/bash + +## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +# called by dracut +check() { + ## For debugging only. + ## Saving space in initial ramdisk. + #require_binaries id || return 1 + #require_binaries env || return 1 + + require_binaries findmnt || return 1 + require_binaries touch || return 1 + require_binaries grep || return 1 + require_binaries mount || return 1 + require_binaries remount-secure || return 1 + return 0 +} + +# called by dracut +depends() { + return 0 +} + +# called by dracut +install() { + ## For debugging only. + ## Saving space in initial ramdisk. + #inst_multiple id + #inst_multiple env + + inst_multiple findmnt + inst_multiple touch + inst_multiple grep + inst_multiple mount + inst_multiple remount-secure + inst_hook cleanup 90 "$moddir/remount-secure.sh" +} + +# called by dracut +installkernel() { + return 0 +} diff --git a/usr/lib/dracut/modules.d-disabled/20remount-secure/remount-secure.sh b/usr/lib/dracut/modules.d-disabled/20remount-secure/remount-secure.sh new file mode 100755 index 0000000..0e0a0c1 --- /dev/null +++ b/usr/lib/dracut/modules.d-disabled/20remount-secure/remount-secure.sh @@ -0,0 +1,23 @@ +#!/bin/sh + +## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## This script is intended to remount specified mount points with more secure +## options based on kernel command line parameters. + +remount_hook() { + local remountsecure_action + ## getarg returns the last parameter only. + ## If /proc/cmdline contains 'remountsecure=0 remountsecure=1' the last one wins. + remountsecure_action=$(getarg remountsecure) + + if ! remount-secure $remountsecure_action; then + warn "$0: ERROR: 'remount-secure $remountsecure_action' failed." + return 1 + fi + info "$0: INFO: 'remount-secure $remountsecure_action' success." + return 0 +} + +remount_hook 
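Review bot: in remount-secure.sh, when the kernel command line carries no remountsecure= parameter, getarg returns an empty string and `remount-secure` is invoked with no level argument; per parse_options in the new usr/bin/remount-secure that path prints the syntax error and exits 1, so every boot without the parameter would log "'remount-secure ' failed" from this hook. Either return early when remountsecure_action is empty or map the empty case to level 0, and quote the variable in the call once the empty case is handled.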
diff --git a/usr/lib/issue.d/20_security-misc.issue b/usr/lib/issue.d/20_security-misc.issue new file mode 100644 index 0000000..d03f39b --- /dev/null +++ b/usr/lib/issue.d/20_security-misc.issue @@ -0,0 +1,2 @@ +By continuing, you acknowledge and give consent that the owner of this system has a right to keep a log of all activity. +Unauthorized access is strictly prohibited and may result in legal action. Do not proceed! diff --git a/usr/lib/modules-load.d/30_security-misc.conf b/usr/lib/modules-load.d/30_security-misc.conf index 072c9b0..6ee13ca 100644 --- a/usr/lib/modules-load.d/30_security-misc.conf +++ b/usr/lib/modules-load.d/30_security-misc.conf @@ -1,7 +1,7 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. -## https://www.whonix.org/wiki/Dev/Entropy +## https://www.kicksecure.com/wiki/Dev/Entropy ## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927972 ## https://forums.whonix.org/t/jitterentropy-rngd/7204 jitterentropy_rng diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf b/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf new file mode 100644 index 0000000..f1e873f --- /dev/null +++ b/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf @@ -0,0 +1,8 @@ +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +/usr/bin/bwrap exactwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf b/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf new file mode 100644 index 0000000..bdb2b2a --- /dev/null +++ b/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf 
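Review bot: 25_default_whitelist_bubblewrap.conf adds /usr/bin/bwrap as an exactwhitelist with no explanation, unlike the sibling files (dbus, fuse, pam) which say what breaks without the entry; add a sentence on which setups need bwrap to keep its SUID bit and whether a non-SUID bwrap on a kernel that allows unprivileged user namespaces would do, since an exact whitelist exempts a root-SUID binary from the hardening for every user.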
@@ -0,0 +1,17 @@ +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +## Chrome/Chromium now uses namespace-based sandboxing rather than a SUID +## sandbox for most use cases, and while the SUID sandbox is still technically +## supported [1], it's also virtually unused [2]. Chromium still works fine +## when it is stripped of its SUID bit and rendered no longer executable, +## and opening `chrome://sandbox` while in this state shows that sandboxing is +## still working perfectly fine. +## +## [1] https://chromium.googlesource.com/chromium/src/+/0e94f26e8/docs/linux_sandboxing.md +## [2] https://chromium.googlesource.com/chromium/src/+/0e94f26e8/docs/linux_suid_sandbox.md +#chrome-sandbox matchwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf b/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf new file mode 100644 index 0000000..4b455ae --- /dev/null +++ b/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf @@ -0,0 +1,16 @@ +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +## Needed for D-Bus system activation to work. +## https://dbus.freedesktop.org/doc/system-activation.txt +## +## May be vital for desktop features to work normally. +## +## Appears to have been designed with security in mind and can only be called +## by root or a user in the `messagebus` group (which currently has one member, +## namely user `messagebus`). +dbus-daemon-launch-helper matchwhitelist 
diff --git a/etc/permission-hardening.d/25_default_whitelist_firejail.conf b/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf similarity index 50% rename from etc/permission-hardening.d/25_default_whitelist_firejail.conf rename to usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf index 99608df..e3441e1 100644 --- a/etc/permission-hardening.d/25_default_whitelist_firejail.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf @@ -1,11 +1,11 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. -## Please use "/etc/permission-hardening.d/20_user.conf" or -## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom ## configuration. When security-misc is updated, this file may be overwritten. ## There is a controversy about firejail but those who choose to install it ## should be able to use it. -## https://www.whonix.org/wiki/Dev/Firejail#Security +## https://www.kicksecure.com/wiki/Dev/Firejail#Security /usr/bin/firejail exactwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf b/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf new file mode 100644 index 0000000..084510c --- /dev/null +++ b/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf 
@@ -0,0 +1,17 @@ +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +## Critical component of FUSE (Filesystem in USErspace) +## +## Used by things such as: +## - AppImages +## - such as electrum Bitcoin wallet +## - Docker +## If not SUID, unprivileged users will be unable to use FUSE any longer. +## +## https://forums.whonix.org/t/disable-suid-binaries/7706/57 +/fusermount matchwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf b/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf new file mode 100644 index 0000000..acf20b6 --- /dev/null +++ b/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf @@ -0,0 +1,9 @@ +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +libhardened_malloc.so matchwhitelist +libhardened_malloc-light.so matchwhitelist diff --git a/etc/permission-hardening.d/25_default_whitelist_mount.conf b/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf similarity index 59% rename from etc/permission-hardening.d/25_default_whitelist_mount.conf rename to usr/lib/permission-hardener.d/25_default_whitelist_mount.conf index 1557318..ac5e9d1 100644 --- a/etc/permission-hardening.d/25_default_whitelist_mount.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf 
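Review bot: 25_default_whitelist_hardened_malloc.conf whitelists two shared libraries without saying why a library needs an exemption from a SUID/permission hardener; if the point is that changing mode bits on libhardened_malloc.so would break preloading it into every process, state that in the file as the other whitelist files do. In the fuse file, the pattern '/fusermount' under matchwhitelist will also cover fusermount3 if matchwhitelist is a substring match; worth noting in the comment so nobody 'tightens' it later and breaks FUSE 3 users.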
@@ -1,17 +1,17 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. -## Please use "/etc/permission-hardening.d/20_user.conf" or -## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom ## configuration. When security-misc is updated, this file may be overwritten. ## https://forums.whonix.org/t/disable-suid-binaries/7706/61 ## Protect from 'chmod -x' (and SUID removal). ## SUID will be removed below in separate step. -/bin/mount exactwhitelist /usr/bin/mount exactwhitelist +/usr/bin/umount exactwhitelist ## Remove SUID from 'mount' but keep executable. ## https://forums.whonix.org/t/disable-suid-binaries/7706/61 -/bin/mount 745 root root -/usr/bin/mount 745 root root +/usr/bin/mount 755 root root +/usr/bin/umount 755 root root diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf b/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf new file mode 100644 index 0000000..b787e5f --- /dev/null +++ b/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf 
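Review bot: the mode for /usr/bin/mount changes from 745 to 755 (group execute added) with no comment on why, and the existing line 'Remove SUID from mount but keep executable' describes only the intent of the old value; add a sentence on why 745 was wrong or insufficient. The header comment also still speaks of 'mount' in the singular ('Protect from chmod -x', 'SUID will be removed below') although umount is now handled identically; update the wording to cover both binaries.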
@@ -0,0 +1,22 @@ +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +## Used by the pam_tmpdir module to create a secure temporary directory for the +## user that is logging in. +## https://manpages.ubuntu.com/manpages/oracular/man8/pam-tmpdir-helper.8.html +## Apparently specific to Debian, there isn't actually any Git repo with this +## code in it, it's just a "floating" package in the Debian archive. Written by +## the same person who maintains the package. Almost certainly cannot be +## disabled without causing serious problems, but may be worth auditing. +## (Worthy of note, it doesn't seem this program takes any user input, but +## relies solely on the calling user's UID and GID, though this could require +## further review.) +## +## Without this, Xfce fails to start with a dbus-launch error. +## +## TODO: audit pam-tmpdir-helper +pam-tmpdir-helper matchwhitelist diff --git a/etc/permission-hardening.d/25_default_passwd.conf b/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf similarity index 51% rename from etc/permission-hardening.d/25_default_passwd.conf rename to usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf index 32fd72e..e7bc816 100644 --- a/etc/permission-hardening.d/25_default_passwd.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf 
@@ -1,14 +1,15 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. -## Please use "/etc/permission-hardening.d/20_user.conf" or -## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom ## configuration. When security-misc is updated, this file may be overwritten. # Keep the `passwd` utility executable to prevent issues with the # /usr/libexec/security-misc/pam-abort-on-locked-password script blocking -# user logins with `su` and KScreenLocker +# user logins with `su` and KScreenLocker. exactwhitelist is needed to keep +# the nosuid rule on /usr/bin from fighting with these rules. # # See also: https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#passwd +/usr/bin/passwd exactwhitelist /usr/bin/passwd 0755 root root -/bin/passwd 0755 root root diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf b/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf new file mode 100644 index 0000000..de20400 --- /dev/null +++ b/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf 
@@ -0,0 +1,27 @@ +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +## user-sysmaint-split hardens this further. +/usr/bin/pkexec exactwhitelist +/usr/bin/pkexec.security-misc-orig exactwhitelist + +## Required for PolicyKit (Polkit) to function. +## +## https://polkit-devel.freedesktop.narkive.com/zXO4yEg7/documentation-on-polkit-agent-helper-1-and-suid# +## https://gitlab.freedesktop.org/polkit/polkit/-/issues/168 +## https://cgit.freedesktop.org/polkit/tree/src/polkitagent/polkitagenthelper-pam.c#n93 +## +## Changing permissions here may break more than just normal privilege escalation. +## May be safe to disable for users other than sysmaint similar to what was done with pkexec and sudo, +## however even that might not be safe. +## +## matches both: +## - /usr/lib/policykit-1/polkit-agent-helper-1 +## - /lib/policykit-1/polkit-agent-helper-1 +## +## user-sysmaint-split hardens this further. +polkit-agent-helper-1 matchwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf b/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf new file mode 100644 index 0000000..bf76069 --- /dev/null +++ b/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf @@ -0,0 +1,10 @@ +## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +## TODO: research and document +postqueue matchwhitelist +postdrop matchwhitelist 
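Review bot: /usr/bin/pkexec.security-misc-orig is exact-whitelisted here, but the wrapper that used that name (usr/bin/pkexec.security-misc) is deleted in this same change; unless the diversion of the original pkexec is kept on purpose for upgrade compatibility, this entry is stale and should go with the wrapper, and if it is kept, a comment should say why. In the postfix file, 'TODO: research and document' could already be replaced by the one-line reason: postqueue and postdrop are set-group-ID helpers that let unprivileged senders submit to and inspect the mail queue.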
diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf b/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf new file mode 100644 index 0000000..40f9b59 --- /dev/null +++ b/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf @@ -0,0 +1,24 @@ +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +## TODO: research +## https://github.com/QubesOS/qubes-core-agent-linux/blob/master/qubes-rpc/qfile-unpacker.c +## +## Historic Qubes upstream security issue: +## qfile-unpacker allows unprivileged users in VMs to gain root privileges +## https://github.com/QubesOS/qubes-issues/issues/8633 +## +## matches both: +## - /usr/lib/qubes/qfile-unpacker whitelist +## - Not bit-for-bit identical to /usr/lib/qubes/qfile-unpacker. +## - Stripping SUID from this does *not* break file copying. +## - TODO: further reserach required on its purpose +## - /usr/bin/qfile-unpacker +## - Appears to be an integral part of file transfer between qubes, stripping +## SUID from this in an AppVM results in that AppVM being unable to receive +## files any longer. (It can still send files to other qubes though.) +qfile-unpacker matchwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf b/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf new file mode 100644 index 0000000..62d3198 --- /dev/null +++ b/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf 
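Review bot: typo 'reserach' in the qubes comment, and the first bullet under 'matches both' reads '/usr/lib/qubes/qfile-unpacker whitelist' with a stray trailing word; it should list the path only, like the second bullet. Given that the comment itself links a past root-privilege bug in qfile-unpacker (qubes-issues #8633), the 'TODO: research' should at least say whether the supported Qubes versions carry the fix or why the remaining risk is accepted, since matchwhitelist keeps both copies SUID.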
@@ -0,0 +1,9 @@ +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +## TODO: research and document +/utempter/utempter matchwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf b/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf new file mode 100644 index 0000000..5b79059 --- /dev/null +++ b/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf @@ -0,0 +1,9 @@ +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +## TODO: research and document +spice-client-glib-usb-acl-helper matchwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf b/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf new file mode 100644 index 0000000..2b55bd2 --- /dev/null +++ b/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf 
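Review bot: 25_default_whitelist_selinux.conf contains nothing SELinux-related; its only rule whitelists '/utempter/utempter', which is the libutempter set-group-ID helper that terminal emulators use to update utmp/wtmp. Rename the file (e.g. 25_default_whitelist_utempter.conf) and replace 'TODO: research and document' with that one-line purpose, otherwise anyone auditing the 'selinux' entry will be misled.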
@@ -0,0 +1,21 @@ +## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +## Used for SSH client key management +## https://manpages.debian.org/bookworm/openssh-client/ssh-agent.1.en.html +## Debian installs ssh-agent with setgid permissions (2755) and with +## _ssh as the group to help mitigate ptrace attacks that could extract +## private keys from the agent's memory. +ssh-agent matchwhitelist + +## Used only for SSH host-based authentication +## https://linux.die.net/man/8/ssh-keysign +## Needed to allow access to the machine's host key for use in the +## authentication process. This is a non-default method of authenticating to +## SSH, and is likely rarely used, thus this should be safe to disable. +#ssh-keysign matchwhitelist +#/usr/lib/openssh matchwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf b/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf new file mode 100644 index 0000000..e15b265 --- /dev/null +++ b/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf @@ -0,0 +1,9 @@ +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +## user-sysmaint-split hardens this further. +/usr/bin/sudo exactwhitelist 
diff --git a/etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf b/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf similarity index 54% rename from etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf rename to usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf index c086dab..1faf380 100644 --- a/etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf @@ -1,11 +1,10 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. -## Please use "/etc/permission-hardening.d/20_user.conf" or -## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom ## configuration. When security-misc is updated, this file may be overwritten. ## required for performing password validation from unprivileged user ## processes such as KScreenLocker's unlock prompt /usr/sbin/unix_chkpwd exactwhitelist -/sbin/unix_chkpwd exactwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf b/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf new file mode 100644 index 0000000..76c2eee --- /dev/null +++ b/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf 
@@ -0,0 +1,15 @@ +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +## TODO: research +/usr/lib/virtualbox/ matchwhitelist +VirtualBoxVM matchwhitelist +VBoxSDL matchwhitelist +VBoxNetNAT matchwhitelist +VBoxNetDHCP matchwhitelist +VBoxHeadless matchwhitelist +VBoxNetAdpCtl matchwhitelist diff --git a/etc/permission-hardening.d/30_default.conf b/usr/lib/permission-hardener.d/30_default.conf similarity index 67% rename from etc/permission-hardening.d/30_default.conf rename to usr/lib/permission-hardener.d/30_default.conf index e0d310d..27605d9 100644 --- a/etc/permission-hardening.d/30_default.conf +++ b/usr/lib/permission-hardener.d/30_default.conf @@ -1,18 +1,16 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. -## Please use "/etc/permission-hardening.d/20_user.conf" or -## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom ## configuration. When security-misc is updated, this file may be overwritten. ## File permission hardening. ## ## Syntax: ## [filename] [mode] [owner] [group] [capability] +## [filename] [exactwhitelist|matchwhitelist|disablewhitelist|nosuid] ## -## To remove all SUID/SGID binaries in a directory, you can use the "nosuid" -## argument. - ## TODO: white spaces inside file name untested and probably will not work. ###################################################################### 
@@ -22,13 +20,9 @@ #whitelists_disable_all=true ###################################################################### -# SUID disablewhitelist +# SUID disables below (or in lexically higher) files: disablewhitelist ###################################################################### -## disablewhitelist disables below (or in lexically higher) files -## exactwhitelist and matchwhitelist. Add these here (discouraged) or better -## in file "/etc/permission-hardening.d/20_user.conf". - ## For example, if you are not using SELinux the following might make sense to ## enable. TODO: research #/utempter/utempter disablewhitelist 
@@ -37,82 +31,83 @@ #/fusermount disablewhitelist ###################################################################### -# SUID exact match whitelist +# SUID whitelist matches full path: exactwhitelist ###################################################################### ## In case you need to use 'su'. See also: ## https://www.kicksecure.com/wiki/root#su -#/bin/su exactwhitelist #/usr/bin/su exactwhitelist -###################################################################### -# SUID exact match whitelist -###################################################################### - ## https://manpages.debian.org/xserver-xorg-legacy/Xorg.wrap.1.en.html ## https://lwn.net/Articles/590315/ -## http://forums.whonix.org/t/permission-hardening/8655/25 +## https://forums.whonix.org/t/suid-disabler-and-permission-hardener/7706/35 #/usr/lib/xorg/Xorg.wrap whitelist ###################################################################### -# SUID regex match whitelist +# SUID whitelist matches in any section of the path: matchwhitelist ###################################################################### -###################################################################### -# SUID regex match whitelist -###################################################################### +## Examples below are already configured: +#ssh-agent matchwhitelist +#/usr/lib/openssh matchwhitelist ###################################################################### # Permission Hardening ###################################################################### /home/ 0755 root root -/home/user/ 0700 user user /root/ 0700 root root /boot/ 0700 root root -/etc/permission-hardening.d 0600 root root -/usr/local/etc/permission-hardening.d 0600 root root -/lib/modules/ 0700 root root +/etc/permission-hardener.d 0600 root root +/usr/local/etc/permission-hardener.d 0600 root root +/usr/lib/modules/ 0700 root root +/usr/src 0700 root root +/etc/cups/cupsd.conf 0400 root root +/etc/syslog.conf 0600 root root 
+/etc/ssh/sshd_config 0600 root root +/etc/crontab 0600 root root +/etc/cron.d 0700 root root +/etc/cron.daily 0700 root root +/etc/sudoers.d 0700 root root +/etc/cron.hourly 0700 root root +/etc/cron.weekly 0700 root root +/etc/cron.monthly 0700 root root +/etc/group 0644 root root +/etc/group- 0644 root root +/etc/hosts.allow 0644 root root +/etc/hosts.deny 0644 root root +/etc/issue 0644 root root +/etc/issue.net 0644 root root +/etc/motd 0644 root root +/etc/passwd 0644 root root +/etc/passwd- 0644 root root ###################################################################### -# SUID/SGID Removal +# SUID/SGID Removal: nosuid ###################################################################### +## To remove all SUID/SGID binaries in a directory, you can use the "nosuid" +## argument. +## ## Remove all SUID/SGID binaries/libraries. -/bin/ nosuid -/usr/local/bin/ nosuid - -/usr/bin/ nosuid -/usr/local/usr/bin/ nosuid - -/sbin/ nosuid -/usr/local/sbin/ nosuid - -/usr/sbin/ nosuid -/usr/local/usr/sbin/ nosuid - -/lib/ nosuid -/usr/local/lib/ nosuid - -/lib32/ nosuid -/usr/local/lib32/ nosuid - -/lib64/ nosuid -/usr/local/lib64/ nosuid - -/usr/lib/ nosuid -/usr/local/usr/lib/ nosuid - -/usr/lib32/ nosuid -/usr/local/usr/lib32/ nosuid - -/usr/lib64/ nosuid -/usr/local/usr/lib64/ nosuid - -## https://forums.whonix.org/t/suid-disabler-and-permission-hardener/7706/68 /opt/ nosuid +/usr/bin/ nosuid +/usr/lib32/ nosuid +/usr/lib64/ nosuid +/usr/lib/ nosuid +/usr/local/bin/ nosuid +/usr/local/lib32/ nosuid +/usr/local/lib64/ nosuid +/usr/local/lib/ nosuid /usr/local/opt/ nosuid +/usr/local/sbin/ nosuid +/usr/local/usr/bin/ nosuid +/usr/local/usr/lib32/ nosuid +/usr/local/usr/lib64/ nosuid +/usr/local/usr/lib/ nosuid +/usr/local/usr/sbin/ nosuid +/usr/sbin/ nosuid ###################################################################### # Capability Removal 
@@ -121,7 +116,7 @@ ## Ping doesn't work with Tor anyway so its capabilities are removed to ## reduce attack surface. ## anon-apps-config does this. -#/bin/ping 0744 root root none +#/usr/bin/ping 0744 root root none ## TODO: research #/usr/lib/x86_64-linux-gnu/gstreamer1.0/grstreamer-1.0/gst-ptp-helper 0744 root root none diff --git a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf new file mode 100644 index 0000000..0ef99da --- /dev/null +++ b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf @@ -0,0 +1,26 @@ +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Definitions: +## KSPP=yes: compliant with recommendations by the KSPP +## KSPP=partial: partially compliant with recommendations by the KSPP +## KSPP=no: not (currently) compliant with recommendations by the KSPP +## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. + +## NOTE: +## This configuration is in a dedicated file because the ram-wipe package +## requires kexec. However, ram-wipe cannot ship a config file +## /etc/sysctl.d/40_ram-wipe.conf that sets 'kernel.kexec_load_disabled=0'. +## Once systemd-sysctl.service has set 'kernel.kexec_load_disabled=1', +## it cannot be undone without a reboot. This is an upstream Linux security feature. +## Instead, ram-wipe will config-package-dev 'hide' this file. + +## Disables kexec, which can be used to replace the running kernel. +## Useful for live kernel patching without rebooting. +## +## https://en.wikipedia.org/wiki/Kexec +## +## KSPP=yes +## KSPP sets the sysctl and does not set CONFIG_KEXEC. +## +kernel.kexec_load_disabled=1 diff --git a/usr/lib/sysctl.d/30_silent-kernel-printk.conf b/usr/lib/sysctl.d/30_silent-kernel-printk.conf new file mode 100644 index 0000000..d8febf9 --- /dev/null +++ b/usr/lib/sysctl.d/30_silent-kernel-printk.conf 
@@ -0,0 +1,20 @@ +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Definitions: +## KSPP=yes: compliant with recommendations by the KSPP +## KSPP=partial: partially compliant with recommendations by the KSPP +## KSPP=no: not (currently) compliant with recommendations by the KSPP +## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. + +## Prevent kernel information leaks in the console during boot. +## Must be used in conjunction with kernel boot parameters. +## See /etc/default/grub.d/41_quiet_boot.cfg for implementation. +## +## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html +## +kernel.printk=3 3 3 3 + +## For increased log verbosity: +## A) Adjust (or comment out) the kernel parameters in /etc/default/grub.d/41_quiet_boot.cfg. Or, +## B) Alternatively, install the debug-misc package to undo these settings. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf new file mode 100644 index 0000000..eaa671e --- /dev/null +++ b/usr/lib/sysctl.d/990-security-misc.conf 
@@ -0,0 +1,579 @@ +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## NOTE: +## This file has a special name to ensure that /usr/lib/sysctl.d/99-protect-links.conf +## is parsed first, followed by /usr/lib/sysctl.d/990-security-misc.conf. +## https://github.com/Kicksecure/security-misc/pull/135 + +## Definitions: +## KSPP=yes: compliant with recommendations by the KSPP +## KSPP=partial: partially compliant with recommendations by the KSPP +## KSPP=no: not (currently) compliant with recommendations by the KSPP +## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. + +## This configuration file is divided into 5 sections: +## 1. Kernel Space +## 2. User Space +## 3. Core Dumps +## 4. Swap Space +## 5. Networking + +## For detailed explanations of most of the selected commands, refer to: +## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html +## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/fs.html +## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/net.html +## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/vm.html +## https://www.kernel.org/doc/html/latest//networking/ip-sysctl.html + +## 1. Kernel Space: +## +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel +## https://kspp.github.io/Recommended_Settings#sysctls +## https://wiki.archlinux.org/title/Security#Kernel_hardening + +## Restrict kernel address visibility via /proc and other interfaces, regardless of user privileges. +## Kernel pointers expose specific locations in kernel memory. +## +## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak +## +## KSPP=yes +## KSPP sets the sysctl. +## +kernel.kptr_restrict=2 + +## Restrict access to the kernel log buffer to users with CAP_SYSLOG. +## Kernel logs often contain sensitive information such as kernel pointers. 
+## +## KSPP=yes +## KSPP sets the sysctl and CONFIG_SECURITY_DMESG_RESTRICT=y. +## +kernel.dmesg_restrict=1 + +## Prevent kernel information leaks in the console during boot. +## Must be used in conjunction with kernel boot parameters. +## See /etc/default/grub.d/41_quiet_boot.cfg for implementation. +## +## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html +## +## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation. +## +#kernel.printk=3 3 3 3 + +## Restrict eBPF access to CAP_BPF. +## Disables unprivileged calls to bpf() without recovery. +## +## https://en.wikipedia.org/wiki/EBPF#Security +## https://lwn.net/Articles/660331/ +## +## KSPP=yes +## KSPP sets the sysctl. +## +kernel.unprivileged_bpf_disabled=1 + +## Restrict loading TTY line disciplines to users with CAP_SYS_MODULE. +## Prevents unprivileged users from loading vulnerable line disciplines with the TIOCSETD ioctl. +## +## https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html +## https://lkml.org/lkml/2019/4/15/890 +## +## KSPP=yes +## KSPP sets the sysctl does not set CONFIG_LDISC_AUTOLOAD. +## +dev.tty.ldisc_autoload=0 + +## Restrict the userfaultfd() syscall to users with SYS_CAP_PTRACE. +## Reduces the likelihood of use-after-free exploits from heap sprays. +## +## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cefdca0a86be517bc390fc4541e3674b8e7803b0 +## https://duasynt.com/blog/linux-kernel-heap-spray +## +## KSPP=yes +## KSPP sets the sysctl. +## +vm.unprivileged_userfaultfd=0 + +## Disables kexec, which can be used to replace the running kernel. +## Useful for live kernel patching without rebooting. +## +## https://en.wikipedia.org/wiki/Kexec +## +## See /usr/lib/sysctl.d/30_security-misc_kexec-disable.conf for implementation. +## +## KSPP=yes +## KSPP sets the sysctl and does not set CONFIG_KEXEC. +## +#kernel.kexec_load_disabled=1 + +## Disable the SysRq key to prevent leakage of kernel information. 
+## The Secure Attention Key (SAK) can no longer be utilized. +## +## https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html +## https://www.kicksecure.com/wiki/SysRq +## https://github.com/xairy/unlockdown +## +## KSPP=yes +## KSPP sets the less strict CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176. +## +kernel.sysrq=0 + +## Disable user namespaces entirely. +## User namespaces aim to improve sandboxing and accessibility for unprivileged users. +## Disabling entirely will reduce compatibility with some AppArmor profiles. +## Disabling entirely is known to break the UPower systemd service. +## Not recommended due to well-known breakages across numerous software packages. +## +## https://lwn.net/Articles/673597/ +## https://madaidans-insecurities.github.io/linux.html#kernel +## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers +## https://github.com/NixOS/nixpkgs/pull/84522#issuecomment-614640601 +## https://github.com/Kicksecure/security-misc/pull/263 +## +## KSPP=no +## KSPP sets the sysctl. +## +#user.max_user_namespaces=0 + +## Restrict user namespaces to users with CAP_SYS_ADMIN. +## See the user.max_user_namespaces setting for more details. +## This is a Debian-specific kernel feature, not a Linux mainline setting. +## Unprivileged user namespaces pose substantial privilege escalation risks. +## Flatpak requires unprivileged users to create new user namespaces for sandboxing. +## Restricting is known to cause breakages in some AppImages and the Evolution Email Client. +## Not recommended due to widespread breakages across many software packages. 
+## +## https://salsa.debian.org/debian/bubblewrap/-/blob/debian/latest/debian/README.Debian +## https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction +## https://github.com/flatpak/flatpak/wiki/User-namespace-requirements +## https://forums.kicksecure.com/t/can-not-run-flatpak-apps-after-kicksecure-update/592 +## https://forums.kicksecure.com/t/cannot-run-some-appimage-apps-after-kicksecure-upate/594 +## https://forums.kicksecure.com/t/impossible-to-start-evolution-app-since-the-last-update/601 +## https://github.com/Kicksecure/security-misc/issues/274 +## +#kernel.unprivileged_userns_clone=0 + +## Restricts kernel profiling to users with CAP_PERFMON. +## The performance events system should not be accessible by unprivileged users. +## Other distributions such as Ubuntu and Fedora may permit further restricting. +## +## https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html#unprivileged-users +## https://lore.kernel.org/kernel-hardening/1469630746-32279-1-git-send-email-jeffv@google.com/ +## +## KSPP=yes +## KSPP sets the sysctl. +## +kernel.perf_event_paranoid=3 + +## Force the kernel to panic on "oopses" and kernel warnings in the WARN() path. +## Can sometimes potentially indicate and thwart certain kernel exploitation attempts. +## Panics may be due to false-positives such as bad drivers. +## Oopses are serious but non-fatal errors. +## Warnings are messages generated by the kernel to indicate unexpected conditions or errors. +## By default, code execution continues regardless of warnings emitted by macros like WARN() and WARN_ON(). +## Note that by forcing kernel panics on oopses and warnings, this exposes the system to targeted denial of service attacks. +## Forcing immediate system reboots on any single kernel panic is an extreme option. 
+## +## https://en.wikipedia.org/wiki/Kernel_panic#Linux +## https://en.wikipedia.org/wiki/Linux_kernel_oops +## https://en.wikipedia.org/wiki/Kdump_(Linux) +## https://lwn.net/Articles/876209/ +## https://git.sr.ht/~gregkh/presentation-security/tree/3fdaf81a2f8b2c8d64cdb2f529cc714624868aa8/item/security-stuff.pdf +## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panisc-on-oops-1-sysctl-for-better-security/7713 +## +## KSPP=partial +## KSPP sets the sysctls, CONFIG_PANIC_ON_OOPS=y, but also requires CONFIG_PANIC_TIMEOUT=-1. +## +## See /usr/libexec/security-misc/panic-on-oops for implementation. +## +## TODO: Debian 13 Trixie +## The limits are applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness). +## +#kernel.panic=-1 +#kernel.panic_on_oops=1 +#kernel.panic_on_warn=1 +#kernel.oops_limit=1 +#kernel.warn_limit=1 + +## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. +## Can lead to privilege escalation by pushing characters into a controlling TTY. +## Will break out-dated screen readers that continue to rely on this legacy functionality. +## +## https://lore.kernel.org/lkml/20221228205726.rfevry7ud6gmttg5@begin/T/ +## +## KSPP=yes +## KSPP sets the sysctl and does not set CONFIG_LEGACY_TIOCSTI. +## +## TODO: Debian 13 Trixie +## This is disabled by default when using Linux kernel >= 6.2. +## +dev.tty.legacy_tiocsti=0 + +## Disable asynchronous I/O for all processes. +## Leading cause of numerous kernel exploits. +## Disabling will reduce the read/write performance of storage devices. 
+## +## https://en.wikipedia.org/wiki/Io_uring#Security +## https://lwn.net/Articles/902466/ +## https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html +## https://github.com/moby/moby/pull/46762 +## https://forums.whonix.org/t/io-uring-security-vulnerabilties/16890 +## +## TODO: Debian 13 Trixie +## Applicable when using Linux kernel >= 6.6 (retained here for future-proofing and completeness). +## +kernel.io_uring_disabled=2 + +## 2. User Space: +## +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace + +## Restrict usage of the ptrace() system call to only processes with CAP_SYS_PTRACE. +## Limit ptrace() as it enables programs to inspect and modify other active processes. +## Prevents native code debugging which some programs use as a method to detect tampering. +## May cause breakages in 'anti-cheat' software and programs running under Proton/WINE. +## +## https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html#ptrace-scope +## https://en.wikipedia.org/wiki/Ptrace +## https://grapheneos.org/features#attack-surface-reduction +## https://github.com/GrapheneOS/os-issue-tracker/issues/651#issuecomment-917599928 +## https://github.com/netblue30/firejail/issues/2860 +## +## KSPP=partial +## KSPP sets the stricter sysctl kernel.yama.ptrace_scope=3. +## +## It is possible to harden further by disabling ptrace() for all users, see documentation. +## https://github.com/Kicksecure/security-misc/pull/242 +## +kernel.yama.ptrace_scope=2 + +## Maximize bits of entropy for improved effectiveness of mmap ASLR. +## The maximum number of bits depends on CPU architecture (the ones shown below are for x86). +## Both explicit sysctl are made redundant due to automation. +## Do NOT enable either sysctl - displaying only for clarity. +## +## https://forums.whonix.org/t/automate-mmap-randomisation-to-fix-ppc64el/16514 +## +## See /usr/libexec/security-misc/mmap-rnd-bits for implementation. 
+## +#vm.mmap_rnd_bits=32 +#vm.mmap_rnd_compat_bits=16 + +## Prevent hardlink creation by users who do not have read/write/ownership of source file. +## Only allow symlinks to be followed when outside of world-writable sticky directories. +## Allow symlinks when the owner and follower match or when the directory owner matches the symlink's owner. +## Hardens cross-privilege boundaries if root process follows a hardlink/symlink belonging to another user. +## This mitigates many hardlink/symlink-based TOCTOU races in world-writable directories like /tmp. +## +## https://wiki.archlinux.org/title/Security#File_systems +## https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=/tmp +## https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use#Preventing_TOCTOU +## +## KSPP=yes +## KSPP sets the sysctls. +## +fs.protected_hardlinks=1 +fs.protected_symlinks=1 + +## Disallow writes to files in world-writable sticky directories unless owned by the directory owner. +## Also applies to group-writable sticky directories to make data spoofing attacks more difficult. +## Prevents unintentional writes to attacker-controlled files. +## +## KSPP=yes +## KSPP sets the sysctls. +## +fs.protected_fifos=2 +fs.protected_regular=2 + +## Enable ASLR for mmap base, stack, VDSO pages, and heap. +## Forces shared libraries to be loaded to random addresses. +## Start location of PIE-linked binaries is randomized. +## Heap randomization can lead to breakages with legacy applications. +## +## https://en.wikipedia.org/wiki/Address_space_layout_randomization#Linux +## +## KSPP=yes +## KSPP sets the sysctl. +## +kernel.randomize_va_space=2 + +## Raise the minimum address a process can request for memory mapping to 64KB as a form of defense-in-depth. +## Prevents kernel null pointer dereference vulnerabilities which may trigger kernel panics. +## Protects against local unprivileged users gaining root privileges by mapping data to low memory pages. 
+## Some legacy applications may still depend on low virtual memory addresses for proper functionality. +## +## https://googleprojectzero.blogspot.com/2023/01/exploiting-null-dereferences-in-linux.html +## https://access.redhat.com/articles/20484 +## https://wiki.debian.org/mmap_min_addr +## +## KSPP=yes +## KSPP sets CONFIG_DEFAULT_MMAP_MIN_ADDR=65536. +## +vm.mmap_min_addr=65536 + +## Increase the maximum number of memory map areas a process is permitted to utilize. +## Addresses performance, crash, and start-up issues for some memory-intensive applications. +## Required to accommodate the very large number of guard pages created by hardened_malloc. +## Kicksecure version 18 will deprecate hardened_malloc, so this sysctl will be applied here instead. +## +## https://archlinux.org/news/increasing-the-default-vmmax_map_count-value/ +## https://github.com/GrapheneOS/hardened_malloc#traditional-linux-based-operating-systems +## https://github.com/Kicksecure/hardened_malloc/blob/master/debian/hardened_malloc.conf +## https://www.kicksecure.com/wiki/Hardened_Malloc#Deprecation_in_Kicksecure +## +vm.max_map_count=1048576 + +## Disable the miscellaneous binary format virtual file system to prevent unintended code execution. +## Prevents registering interpreters for various binary formats based on a magic number or their file extension. +## Otherwise arbitrary executables with recognized file formats will be passed to relevant user space applications. +## These interpreters will then run with root permissions when a setuid binary is owned by root. +## Can stop maliciously crafted files with specific file extensions from automatically executing. +## Breaks many scripts that do not have appropriate shebang interpreter directives (#!/bin/...). 
+## +## https://www.kernel.org/doc/html/latest/admin-guide/binfmt-misc.html +## https://salsa.debian.org/debian/binfmt-support +## https://access.redhat.com/solutions/1985633 +## https://en.wikipedia.org/wiki/Binfmt_misc +## https://security.stackexchange.com/questions/271786/does-allowing-binfmt-misc-significantly-increase-the-attack-surface-for-unprivil +## https://unix.stackexchange.com/questions/439569/what-kinds-of-executable-formats-do-the-files-under-proc-sys-fs-binfmt-misc-al +## https://github.com/Kicksecure/security-misc/pull/249 +## +## KSPP=no +## KSPP does not set CONFIG_BINFMT_MISC. +## +## This is disabled by default due to file/folder permission issues: +## https://github.com/Kicksecure/security-misc/issues/267 +## +#fs.binfmt_misc.status=0 + +## 3. Core Dumps: +## +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps + +## Disable core dump files by preventing any pattern names. +## This setting may be overwritten by systemd and is not comprehensive. +## Core dumps are also disabled in security-misc via other means. +## +## https://wiki.archlinux.org/title/Core_dump#Disabling_automatic_core_dumps +## +kernel.core_pattern=|/bin/false + +## Prevent setuid processes or otherwise protected/tainted binaries from creating core dumps. +## Any process which has changed privilege levels or is execute-only will not be dumped. +## +## https://blog.qualys.com/vulnerabilities-threat-research/2025/05/29/qualys-tru-discovers-two-local-information-disclosure-vulnerabilities-in-apport-and-systemd-coredump-cve-2025-5054-and-cve-2025-4598 +## +## KSPP=yes +## KSPP sets the sysctl. +## +fs.suid_dumpable=0 + +## Set core dump file name to 'core.PID' instead of 'core' as a form of defense-in-depth. +## If core dumps are permitted, only useful if PID listings are hidden from non-root users. +## +kernel.core_uses_pid=1 + +## 4. 
Swap Space: +## +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#swap + +## Limit the copying of memory to the swap device only if absolutely necessary. +## Minimizes the likelihood of writing potentially sensitive contents to disk. +## Not recommended to set to zero since this disables periodic write behavior. +## +## https://en.wikipedia.org/wiki/Memory_paging#Linux +## https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Performance_Tuning_Guide/s-memory-tunables.html +## +vm.swappiness=1 + +## 5. Networking: +## +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-network +## https://wiki.archlinux.org/title/Sysctl#TCP/IP_stack_hardening + +## Enable hardening of the BPF JIT compiler for all users. +## Provides some mitigation against JIT spraying. +## +## https://en.wikipedia.org/wiki/JIT_spraying +## https://www.blackhat.com/docs/eu-16/materials/eu-16-Reshetova-Randomization-Can't-Stop-BPF-JIT-Spray-wp.pdf +## https://lwn.net/Articles/686098/ +## https://lwn.net/Articles/525609/ +## +## KSPP=yes +## KSPP sets the sysctl. +## +net.core.bpf_jit_harden=2 + +## Enable TCP SYN cookie protection to assist against SYN flood attacks. +## +## https://en.wikipedia.org/wiki/SYN_flood +## https://cateee.net/lkddb/web-lkddb/SYN_COOKIES.html +## +## KSPP=yes +## KSPP sets CONFIG_SYN_COOKIES=y. +## +net.ipv4.tcp_syncookies=1 + +## Protect against TCP time-wait assassination hazards. +## Drops RST packets for sockets in the time-wait state. +## +## https://tools.ietf.org/html/rfc1337 +## +net.ipv4.tcp_rfc1337=1 + +## Enable reverse path filtering (source validation) of packets received from all interfaces. +## Prevents IP spoofing and mitigates vulnerabilities such as CVE-2019-14899. +## The second "default" command fixes a bug in the existing kernel implementation. 
+## +## https://en.wikipedia.org/wiki/IP_address_spoofing +## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-reverse_path_forwarding#sect-Security_Guide-Server_Security-Reverse_Path_Forwarding +## https://forums.whonix.org/t/enable-reverse-path-filtering/8594 +## https://seclists.org/oss-sec/2019/q4/122 +## https://github.com/Kicksecure/security-misc/pull/261 +## +net.ipv4.conf.*.rp_filter=1 +net.ipv4.conf.default.rp_filter=1 + +## Disable ICMP redirect acceptance and redirect sending messages. +## Prevents man-in-the-middle attacks and minimizes information disclosure. +## If ICMP redirects are permitted, accept messages only through approved gateways (kernel default). +## Approving gateways requires the managing of a default gateway list. +## +## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-disable-source-routing#sect-Security_Guide-Server_Security-Disable-Source-Routing +## https://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/theconfvariables.html +## https://www.debian.org/doc/manuals/securing-debian-manual/network-secure.en.html +## https://askubuntu.com/questions/118273/what-are-icmp-redirects-and-should-they-be-blocked +## https://github.com/Kicksecure/security-misc/pull/248 +## +net.ipv4.conf.*.accept_redirects=0 +net.ipv4.conf.*.send_redirects=0 +net.ipv6.conf.*.accept_redirects=0 +#net.ipv4.conf.*.secure_redirects=1 + +## Deny sending and receiving RFC1620 shared media redirects. +## Relevant mainly for network interfaces that operate over shared media such as Ethernet hubs. +## Stops the kernel from sending ICMP redirects to specific networks from the connected network. +## This variable overrides the use secure_redirects. 
+## +## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf +## https://datatracker.ietf.org/doc/html/rfc1620 +## https://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/theconfvariables.html +## +net.ipv4.conf.*.shared_media=0 + +## Enable ARP (Address Resolution Protocol) filtering. +## Prevents the Linux kernel from handling the ARP table globally. +## Can mitigate some ARP spoofing and ARP cache poisoning attacks. +## Improper filtering can lead to increased ARP traffic and inadvertently block legitimate ARP requests. +## +## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf +## +net.ipv4.conf.*.arp_filter=1 + +## Respond to ARP (Address Resolution Protocol) requests only if the target IP address is on-link. +## Reduces IP spoofing attacks by limiting the scope of allowable ARP responses. +## +## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf +## https://github.com/mullvad/mullvadvpn-app/blob/main/audits/2024-12-10-X41-D-Sec.md#mllvd-cr-24-03-virtual-ip-address-of-tunnel-device-leaks-to-network-adjacent-participant-severity-medium +## https://github.com/mullvad/mullvadvpn-app/pull/7141 +## https://www.x41-dsec.de/static/reports/X41-Mullvad-Audit-Public-Report-2024-12-10.pdf +## +## Can lead to breakages with certain VM configurations that may be resolved by lowering protection to `arp_ignore=1`. +## https://github.com/Kicksecure/security-misc/pull/290 +## +net.ipv4.conf.*.arp_ignore=2 + +## Drop gratuitous ARP (Address Resolution Protocol) packets. +## Stops ARP responses sent by a device without being explicitly requested. +## Prevents ARP cache poisoning by rejecting fake ARP entries into a network. +## Prevents man-in-the-middle and denial-of-service attacks. +## May cause breakages when ARP proxies are used in the network. 
+## +## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf +## https://patchwork.ozlabs.org/project/netdev/patch/1428652454-1224-3-git-send-email-johannes@sipsolutions.net/ +## https://www.practicalnetworking.net/series/arp/gratuitous-arp/ +## +net.ipv4.conf.*.drop_gratuitous_arp=1 + +## Ignore ICMP echo requests. +## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks. +## +## https://en.wikipedia.org/wiki/Smurf_attack +## +net.ipv4.icmp_echo_ignore_all=1 +net.ipv6.icmp.echo_ignore_all=1 + +## Ignore bogus ICMP error responses. +## Mitigates attacks designed to fill log files with useless error messages. +## +net.ipv4.icmp_ignore_bogus_error_responses=1 + +## Disable source routing which allows users to redirect network traffic. +## Prevents man-in-the-middle attacks in which the traffic is redirected. +## +## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-disable-source-routing +## +net.ipv4.conf.*.accept_source_route=0 +net.ipv6.conf.*.accept_source_route=0 + +## Do not accept IPv6 router advertisements and solicitations. +## +net.ipv6.conf.*.accept_ra=0 + +## Disable SACK and DSACK. +## Select acknowledgements (SACKs) are a known common vector of exploitation. +## Duplicate select acknowledgements (DSACKs) are an extension of SACK. +## Disabling can cause severe connectivity issues on networks with high latency or packet loss. +## Enabling on stable high-bandwidth networks can lead to reduced efficiency of TCP connections. 
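Review bot: the rationale for `icmp_echo_ignore_all=1` is wrong on both counts and should be corrected before it is cited elsewhere. Clock fingerprinting uses ICMP timestamp requests (type 13), which this sysctl does not touch; there is no sysctl for ignoring those, so that goal needs a netfilter rule dropping ICMP type 13. Smurf amplification relies on broadcast echo, which the kernel already ignores by default via `icmp_echo_ignore_broadcasts=1`. What `echo_ignore_all` actually buys is hiding the host from plain ping at the cost of breaking ping-based liveness and path checks; say that instead. Two more caveats worth a line: `drop_gratuitous_arp=1` also breaks IP failover schemes (VRRP/keepalived, cloud floating IPs) that announce a moved address with gratuitous ARP, not only ARP proxies; and `net.ipv6.conf.*.accept_ra=0` leaves the host with no IPv6 default route on any network that delivers IPv6 by router advertisement, while NetworkManager processes RAs itself for its managed interfaces and sets the per-interface value according to the connection's IPv6 method, so behaviour differs between managed and unmanaged interfaces.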
+## +## https://datatracker.ietf.org/doc/html/rfc2018 +## https://datatracker.ietf.org/doc/html/rfc2883 +## https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf +## https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md +## https://wiki.archlinux.org/title/Sysctl#TCP_Selective_Acknowledgement +## https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109/5 +## +## SACK and DSACK are currently enabled. +## +#net.ipv4.tcp_sack=0 +#net.ipv4.tcp_dsack=0 + +## Disable TCP timestamps to limit device fingerprinting via system time. +## Timestamps allow round-trip time measurement and protection against wrapped sequence numbers. +## Disabling timestamps on very fast links is likely to cause TCP Sequence Numbers to wrap. +## Segments with wrapped numbers will be incorrectly discarded, reducing network performance. +## +## https://datatracker.ietf.org/doc/html/rfc1323 +## https://forums.whonix.org/t/do-ntp-and-tcp-timestamps-really-leak-your-local-time/7824 +## https://web.archive.org/web/20170201160732/https://mailman.boum.org/pipermail/tails-dev/2013-December/004520.html +## https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf +## +net.ipv4.tcp_timestamps=0 + +## Enable logging of packets with impossible source or destination addresses. +## Martian and unroutable packets may be used for malicious purposes. +## Recommended to keep a (kernel dmesg) log of these to identify suspicious packets. +## Useful for troubleshooting and diagnostics but not necessary by default. +## Known to cause performance issues, especially on systems with multiple interfaces. +## +## https://wiki.archlinux.org/title/Sysctl#Log_martian_packets +## https://github.com/Kicksecure/security-misc/issues/214 +## +## The logging of martian packets is currently disabled. 
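Review bot: the fingerprinting justification for `net.ipv4.tcp_timestamps=0` is largely obsolete and the comment should say so: since Linux 4.10 the kernel randomizes the timestamp offset per connection (commit "tcp: randomize tcp timestamp offsets for each connection"), so an observer can no longer recover uptime or correlate connections across peers from the timestamp value alone. What disabling still costs is PAWS protection against wrapped sequence numbers and RTT estimation, as the following lines note, so the setting is now mostly a performance trade rather than a privacy win and deserves a "consider re-enabling" note. Nit in the SACK block: "Select acknowledgements" should be "Selective acknowledgements" (RFC 2018's term).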
+## +#net.ipv4.conf.*.log_martians=1 + +## Enable IPv6 Privacy Extensions to prefer temporary addresses over public addresses. +## The temporary/privacy address is used as the source for all outgoing traffic. +## Must be used in combination with /usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf. +## Must be used in combination with /usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf. +## Should be used with MAC randomization in /usr/lib/NetworkManager/conf.d/80_randomize-mac.conf. +## +## MAC randomization breaks root server and VirtualBox DHCP, likely due to IPv6 Privacy Extensions. +## +## https://datatracker.ietf.org/doc/html/rfc4941 +## https://github.com/Kicksecure/security-misc/pull/145 +## https://github.com/Kicksecure/security-misc/issues/184 +## +## The use of IPv6 Privacy Extensions is currently disabled due to these breakages. +## +#net.ipv6.conf.*.use_tempaddr=2 diff --git a/usr/lib/systemd/coredump.conf.d/30_security-misc.conf b/usr/lib/systemd/coredump.conf.d/30_security-misc.conf new file mode 100644 index 0000000..2d02bc9 --- /dev/null +++ b/usr/lib/systemd/coredump.conf.d/30_security-misc.conf @@ -0,0 +1,5 @@ +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +[Coredump] +Storage=none diff --git a/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf b/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf new file mode 100644 index 0000000..5de38c4 --- /dev/null +++ b/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf 
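Review bot: `Storage=none` alone in the coredump drop-in does not stop core dumps from being processed. Per coredump.conf(5), with `Storage=none` systemd-coredump still receives the dump, extracts metadata and a backtrace, and writes those to the journal; only the core file itself is discarded. If the goal is that no crashed-process memory is examined or logged, the documented combination is `Storage=none` together with `ProcessSizeMax=0`, which disables all handling except a single log entry. Add `ProcessSizeMax=0` or a comment explaining why backtraces in the journal are acceptable.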
@@ -0,0 +1,13 @@ +## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## MAC randomisation breaks root server and VirtualBox DHCP likely due to IPv6 Privacy Extensions. +## +## https://datatracker.ietf.org/doc/html/rfc4941 +## https://github.com/Kicksecure/security-misc/pull/145 +## https://github.com/Kicksecure/security-misc/issues/184 +## +## The use of IPv6 Privacy Extenstions is currently diasbled due to these breakages. + +#[Network] +#IPv6PrivacyExtensions=kernel diff --git a/usr/lib/systemd/pstore.conf.d/30_security-misc.conf b/usr/lib/systemd/pstore.conf.d/30_security-misc.conf new file mode 100644 index 0000000..9e513c6 --- /dev/null +++ b/usr/lib/systemd/pstore.conf.d/30_security-misc.conf @@ -0,0 +1,5 @@ +## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +[PStore] +Storage=none diff --git a/lib/systemd/system-preset/50-security-misc.preset b/usr/lib/systemd/system-preset/50-security-misc.preset similarity index 56% rename from lib/systemd/system-preset/50-security-misc.preset rename to usr/lib/systemd/system-preset/50-security-misc.preset index be35459..1895526 100644 --- a/lib/systemd/system-preset/50-security-misc.preset +++ b/usr/lib/systemd/system-preset/50-security-misc.preset 
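Review bot: `Storage=none` for systemd-pstore means the service leaves /sys/fs/pstore untouched (it returns before archiving or unlinking anything), so kernel crash records are never copied to /var/lib/systemd/pstore and accumulate in the backing store; on EFI-backed pstore that store is small and later panics fail to be recorded once it fills. Given that this same change ships panic-on-oops.service, the dmesg tail from an oops is the only post-mortem evidence and this setting discards it; if the intent is to avoid persisting kernel memory contents, state that in a comment and consider `Storage=journal` as the less lossy option. Also, typos in the networkd drop-in comment: "Extenstions" should be "Extensions" and "diasbled" should be "disabled" ("randomisation" there versus "randomization" in the sysctl copy of the same sentence).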
@@ -1,14 +1,19 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## https://forums.whonix.org/t/restrict-hardware-information-to-root-testers-wanted/8618 disable hide-hardware-info.service ## Disable for now until development finished / tested. -disable permission-hardening.service +disable permission-hardener.service ## Disable for now until development finished / tested. +## https://github.com/Kicksecure/security-misc/pull/152 disable remount-secure.service ## Disable due to pkexec issues. disable proc-hidepid.service + +## Disable due to issues. See: +## https://github.com/Kicksecure/security-misc/issues/159 +disable harden-module-loading.service diff --git a/usr/lib/systemd/system/harden-module-loading.service b/usr/lib/systemd/system/harden-module-loading.service new file mode 100644 index 0000000..8efea40 --- /dev/null +++ b/usr/lib/systemd/system/harden-module-loading.service @@ -0,0 +1,24 @@ +## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +[Unit] +Description=Disable the loading of additional modules after systemd-modules-load.service +Documentation=https://github.com/Kicksecure/security-misc + +DefaultDependencies=no +Before=sysinit.target +Requires=local-fs.target +Requires=systemd-modules-load.service +After=local-fs.target +After=systemd-modules-load.service + +# This functionality is implemented with this and not directly in the sysctl config is +# to allow systemd-modules-load.service to load the modules with no problem but +# to disallow anyone else do the same after the system boots up. + +[Service] +Type=oneshot +ExecStart=/usr/libexec/security-misc/disable-kernel-module-loading + +[Install] +WantedBy=sysinit.target 
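Review bot: harden-module-loading.service sets `kernel.modules_disabled=1` too early for the ordering it declares. It is ordered only after systemd-modules-load.service, but udev coldplug (systemd-udev-trigger.service) and on-demand autoloading (netfilter tables on the first nft/iptables rule, fuse, vfat for a plugged USB stick, crypto algorithms for LUKS or WireGuard) load modules after that point and will all fail once the switch is flipped, which is presumably the "issues" the preset refers to. Ordering it late, the way panic-on-oops.service uses `After=multi-user.target`, would keep the boot-time loads working while still closing the window before an unprivileged session exists. Two nits: the explanatory comment uses `#` while every other file uses `##`, and without `RemainAfterExit=yes` the oneshot shows as inactive after running, so `systemctl status` cannot tell whether hardening is in effect.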
diff --git a/lib/systemd/system/haveged.service.d/30_security-misc.conf b/usr/lib/systemd/system/haveged.service.d/30_security-misc.conf similarity index 69% rename from lib/systemd/system/haveged.service.d/30_security-misc.conf rename to usr/lib/systemd/system/haveged.service.d/30_security-misc.conf index fd79dc8..2981464 100644 --- a/lib/systemd/system/haveged.service.d/30_security-misc.conf +++ b/usr/lib/systemd/system/haveged.service.d/30_security-misc.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2021 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2021 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. [Service] diff --git a/lib/systemd/system/hide-hardware-info.service b/usr/lib/systemd/system/hide-hardware-info.service similarity index 72% rename from lib/systemd/system/hide-hardware-info.service rename to usr/lib/systemd/system/hide-hardware-info.service index d1e02fd..659c3f5 100644 --- a/lib/systemd/system/hide-hardware-info.service +++ b/usr/lib/systemd/system/hide-hardware-info.service @@ -1,9 +1,10 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. [Unit] Description=Hide hardware information to unprivileged users -Documentation=https://github.com/Whonix/security-misc +Documentation=https://github.com/Kicksecure/security-misc + DefaultDependencies=no Before=sysinit.target Requires=local-fs.target diff --git a/usr/lib/systemd/system/panic-on-oops.service b/usr/lib/systemd/system/panic-on-oops.service new file mode 100644 index 0000000..6b10ddc --- /dev/null +++ b/usr/lib/systemd/system/panic-on-oops.service 
@@ -0,0 +1,20 @@ +## Copyright (C) 2024 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +[Unit] +Description=Sets 'sysctl kernel.panic_on_oops=1' late during the boot process. +Documentation=https://github.com/Kicksecure/security-misc + +ConditionKernelCommandLine=!panic-on-oops=0 + +After=multi-user.target +After=graphical.target +After=getty.target + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/libexec/security-misc/panic-on-oops + +[Install] +WantedBy=multi-user.target diff --git a/usr/lib/systemd/system/permission-hardener.service b/usr/lib/systemd/system/permission-hardener.service new file mode 100644 index 0000000..109c9fd --- /dev/null +++ b/usr/lib/systemd/system/permission-hardener.service @@ -0,0 +1,19 @@ +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +[Unit] +Description=Permission Hardener at Boot Time (opt-in in addition to security-misc package installation time hardening) +Documentation=https://github.com/Kicksecure/security-misc + +DefaultDependencies=no +Before=sysinit.target +Requires=local-fs.target +After=local-fs.target + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=permission-hardener enable + +[Install] +WantedBy=sysinit.target diff --git a/lib/systemd/system/proc-hidepid.service b/usr/lib/systemd/system/proc-hidepid.service similarity index 55% rename from lib/systemd/system/proc-hidepid.service rename to usr/lib/systemd/system/proc-hidepid.service index 8d4d207..d7ea4d9 100644 --- a/lib/systemd/system/proc-hidepid.service +++ b/usr/lib/systemd/system/proc-hidepid.service 
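Review bot: panic-on-oops.service leaves everything up to multi-user.target unprotected by design, but the unit does not say why, and the opt-out `ConditionKernelCommandLine=!panic-on-oops=0` has no counterpart for covering early boot. Add a comment that the late ordering is deliberate (so an oops in a driver during boot does not panic before the user can intervene) and that users wanting full coverage can pass `oops=panic` on the kernel command line, which the opt-out here cannot undo. Also note that `kernel.panic_on_oops=1` without a `kernel.panic` timeout means an oops leaves the machine hung at the panic screen; whether that is wanted (desktop) or not (headless) deserves a line.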
@@ -1,9 +1,10 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. [Unit] Description=Mounts /proc with hidepid=2 -Documentation=https://github.com/Whonix/security-misc +Documentation=https://github.com/Kicksecure/security-misc + DefaultDependencies=no Before=sysinit.target Requires=local-fs.target @@ -11,7 +12,7 @@ After=local-fs.target [Service] Type=oneshot -ExecStart=/bin/mount -o remount,nosuid,nodev,noexec,hidepid=2 /proc +ExecStart=/bin/mount -o remount,nosuid,nodev,noexec,hidepid=2,gid=proc /proc RemainAfterExit=yes [Install] diff --git a/usr/lib/systemd/system/remount-secure.service b/usr/lib/systemd/system/remount-secure.service new file mode 100644 index 0000000..2489d34 --- /dev/null +++ b/usr/lib/systemd/system/remount-secure.service @@ -0,0 +1,32 @@ +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +[Unit] +Description=remount /home /tmp /dev/shm /run with nosuid,nodev (default) and noexec (opt-in) +Documentation=https://github.com/Kicksecure/security-misc + +ConditionKernelCommandLine=!remountsecure=0 + +DefaultDependencies=no + +Before=sysinit-post.target +Before=basic.target +Before=multi-user.target +Before=graphical.target +Before=getty-pre.target +Before=network-pre.target + +After=local-fs.target +After=sysinit.target +After=qubes-sysinit.service + +Requires=local-fs.target +Requires=sysinit.target + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=remount-secure 3 + +[Install] +WantedBy=sysinit-post.target diff --git a/lib/systemd/system/remove-system-map.service b/usr/lib/systemd/system/remove-system-map.service similarity index 70% rename from lib/systemd/system/remove-system-map.service rename to usr/lib/systemd/system/remove-system-map.service index 1675c77..1e36d61 100644 --- a/lib/systemd/system/remove-system-map.service +++ b/usr/lib/systemd/system/remove-system-map.service 
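Review bot: `hidepid=2,gid=proc` makes the remount fail outright when the `proc` group does not exist, and nothing in this unit documents that the group must be created elsewhere; add a comment naming where it is created, and note that members of `proc` see every process, so the group is a full bypass and must stay empty by default. Since Linux 5.8 these options are per mount rather than per PID namespace, so this remount of the root /proc does not reach other /proc mounts (containers, services using `ProtectProc=`). For remount-secure.service, `ExecStart=remount-secure 3` passes a bare `3` that a reader cannot interpret; a comment saying what the argument selects would help.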
@@ -1,9 +1,10 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. [Unit] Description=Removes the System.map files -Documentation=https://github.com/Whonix/security-misc +Documentation=https://github.com/Kicksecure/security-misc + DefaultDependencies=no Before=sysinit.target Requires=local-fs.target diff --git a/usr/lib/systemd/system/sysinit-post.target b/usr/lib/systemd/system/sysinit-post.target new file mode 100644 index 0000000..c00e91e --- /dev/null +++ b/usr/lib/systemd/system/sysinit-post.target @@ -0,0 +1,12 @@ +## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +[Unit] +Description=sys-init.target by security-misc + +After=sysinit.target +Before=basic.target +Requires=sysinit.target + +[Install] +WantedBy=basic.target diff --git a/usr/lib/systemd/system/user@.service.d/sysfs.conf b/usr/lib/systemd/system/user@.service.d/sysfs.conf new file mode 100644 index 0000000..3a9129d --- /dev/null +++ b/usr/lib/systemd/system/user@.service.d/sysfs.conf @@ -0,0 +1,5 @@ +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +[Service] +SupplementaryGroups=sysfs diff --git a/usr/libexec/security-misc/apt-get-update b/usr/libexec/security-misc/apt-get-update index 39afd9c..9cbfd8e 100755 --- a/usr/libexec/security-misc/apt-get-update +++ b/usr/libexec/security-misc/apt-get-update 
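Review bot: `SupplementaryGroups=sysfs` on user@.service has two effects the drop-in should state. First, every per-user systemd manager and everything it spawns as a user service (pipewire, dbus activated apps, anything started via `systemd --user`) gains read access to the whitelisted /sys paths, while the same user's interactive shell and desktop session scope do not, so hide-hardware-info is effectively bypassed for code that arranges to run as a user service; say explicitly that the whitelist was chosen with that in mind. Second, systemd refuses to start a service whose `SupplementaryGroups=` cannot be resolved, so if the `sysfs` group is ever missing, no user session can start at all; the group creation and this file must be shipped and removed together. Nit: sysinit-post.target's description reads "sys-init.target"; it should name `sysinit-post.target`.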
@@ -1,30 +1,44 @@ #!/bin/bash -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. +## TODO: Move this to helper-scripts. + +set -o errexit +set -o nounset +set -o errtrace +set -o pipefail + +command -v start-stop-daemon >/dev/null +command -v timeout >/dev/null +command -v apt-get >/dev/null + +export LC_ALL=C +pidfile="/run/helper-scripts/security-misc-apt-get-update-pid" + sigterm_trap() { - if [ "$lastpid" = "" ]; then - exit 143 - fi - ps -p "$lastpid" >/dev/null 2>&1 - if [ ! "$?" = "0" ]; then - ## Already terminated. - exit 143 - fi - kill -s sigterm "$lastpid" + /usr/libexec/helper-scripts/apt-get-update-kill-helper &>/dev/null exit 143 } +## terminate potential previous invocations. +/usr/libexec/helper-scripts/apt-get-update-kill-helper &>/dev/null + trap "sigterm_trap" SIGTERM SIGINT -[ -n "$timeout_after" ] || timeout_after="600" -[ -n "$kill_after" ] || kill_after="10" +[[ -v timeout_after ]] || timeout_after="600" +[[ -v kill_after ]] || kill_after="10" -timeout \ - --kill-after="$kill_after" \ - "$timeout_after" \ - apt-get update --error-on=any "$@" & +start-stop-daemon \ + --make-pidfile \ + --pidfile "$pidfile" \ + --exec /usr/bin/timeout \ + --start \ + -- \ + --kill-after="$kill_after" \ + "$timeout_after" \ + apt-get update --error-on=any "$@" & lastpid="$!" wait "$lastpid" diff --git a/usr/libexec/security-misc/apt-get-update-sanity-test b/usr/libexec/security-misc/apt-get-update-sanity-test index d71e680..7efac72 100755 --- a/usr/libexec/security-misc/apt-get-update-sanity-test +++ b/usr/libexec/security-misc/apt-get-update-sanity-test 
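Review bot: the unconditional call to apt-get-update-kill-helper before starting ("terminate potential previous invocations") kills any other `apt-get update` launched through this wrapper, not just stale ones, so two legitimate concurrent callers (a timer and an interactive run) will abort each other; either take a lock and wait, or only kill when the pid in the pidfile is older than `timeout_after`. Also, `start-stop-daemon --make-pidfile` does not create the directory for `/run/helper-scripts/security-misc-apt-get-update-pid`; if nothing else creates it (a tmpfiles.d entry is not in this change), start-stop-daemon fails with "Unable to open pidfile", `wait` returns non-zero and `errexit` ends the script with an error that has nothing to do with apt. A `mkdir -p "$(dirname "$pidfile")"` before the call would make the failure mode self-explanatory.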
@@ -1,11 +1,21 @@ #!/bin/bash -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. set -x set -e set -o pipefail +if ! printf '%s\n' "" | wc -l >/dev/null ; then + printf '%s\n' "\ +$0: ERROR: command 'wc' test failed! Do not ignore this! + +'wc' can core dump. Example: +zsh: illegal hardware instruction (core dumped) wc -l +https://github.com/rspamd/rspamd/issues/5137" >&2 + exit 1 +fi + wc -L "/var/lib/apt/lists/"*InRelease wc -L "/var/lib/apt/lists/"*InRelease | awk '$1 > 1024 {print; exit 1}' diff --git a/usr/libexec/security-misc/askpass b/usr/libexec/security-misc/askpass index 73f7d40..56ecffc 100755 --- a/usr/libexec/security-misc/askpass +++ b/usr/libexec/security-misc/askpass @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. set -e diff --git a/usr/libexec/security-misc/disable-kernel-module-loading b/usr/libexec/security-misc/disable-kernel-module-loading new file mode 100755 index 0000000..80d3190 --- /dev/null +++ b/usr/libexec/security-misc/disable-kernel-module-loading @@ -0,0 +1,11 @@ +#!/bin/bash + +## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +set -x +set -e + +sysctl -w kernel.modules_disabled=1 + +true "The loading of new modules to the kernel has been disabled by security-misc." diff --git a/usr/libexec/security-misc/echo-path b/usr/libexec/security-misc/echo-path index 9231d85..3bcc2cd 100755 --- a/usr/libexec/security-misc/echo-path +++ b/usr/libexec/security-misc/echo-path @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. set -e 
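Review bot: the `wc` core-dump self-test added here is copied verbatim into pam-info in this same change; move it into a helper (the TODO in apt-get-update already points at helper-scripts) so the rspamd reference and the message do not drift apart. Separately, `wc -L "/var/lib/apt/lists/"*InRelease` with no matching files passes the literal glob to `wc`, which fails under `set -e` with "No such file or directory"; that is fine as a fail-closed outcome but the sanity test will then report a failure on a fresh system with empty lists, so guard the glob with `nullglob` and an explicit "no InRelease files found" message. In disable-kernel-module-loading, the success message is passed to `true` and therefore only appears with `set -x`; `echo` it so the journal shows it at normal verbosity.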
diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info index b55441f..acf24ef 100755 --- a/usr/libexec/security-misc/hide-hardware-info +++ b/usr/libexec/security-misc/hide-hardware-info @@ -1,24 +1,42 @@ #!/bin/bash -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. -set -e - -sysfs_whitelist=1 -cpuinfo_whitelist=1 - -## https://www.whonix.org/wiki/Security-misc#selinux -selinux=0 - +set -o errexit +set -o nounset +set -o errtrace +set -o pipefail shopt -s nullglob -## Allows for disabling the whitelist. -for i in /etc/hide-hardware-info.d/*.conf -do - bash -n "${i}" - source "${i}" -done +run_cmd() { + echo "INFO: normal executing : $@" + "$@" +} + +run_cmd_whitelist() { + echo "INFO: whitelist executing: $@" + "$@" +} + +echo "$0: INFO: START" + +default_variables_set() { + sysfs_whitelist=1 + cpuinfo_whitelist=1 + sysfs=1 + ## https://www.kicksecure.com/wiki/Security-misc#selinux + selinux=0 +} + +parse_configuration() { + ## Allows for disabling the whitelist. + local i + for i in /usr/local/etc/hide-hardware-info.d/*.conf /etc/hide-hardware-info.d/*.conf ; do + bash -n "${i}" + source "${i}" + done +} create_whitelist() { if [ "${1}" = "sysfs" ]; then 
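Review bot: `parse_configuration` combined with `set -o errexit` makes the script fail open: if any drop-in in `/usr/local/etc/hide-hardware-info.d/` or `/etc/hide-hardware-info.d/` has a syntax error, `bash -n` returns non-zero and the whole script exits before a single `chmod` runs, leaving /sys and /proc/cpuinfo world-readable. Skip the offending file with a warning (or fail only after the default hardening has been applied). Also check the precedence: `/usr/local/etc/...` is sourced before `/etc/...`, so with last-wins semantics the /etc drop-ins override the /usr/local ones, which is the opposite of the usual "local admin wins" convention; if that is intended, say so in the comment. Nit: `echo "INFO: normal executing : $@"` should use `"$*"` inside a string (shellcheck SC2145).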
@@ -34,14 +52,17 @@ create_whitelist() { ## Changing the permissions of /sys recursively ## causes errors as the permissions of /sys/kernel/debug ## and /sys/fs/cgroup cannot be changed. - chgrp -fR "${1}" "${whitelist_path}" || true + run_cmd_whitelist chgrp --quiet --recursive "${1}" "${whitelist_path}" || true - chmod o-rwx "${whitelist_path}" + run_cmd_whitelist chmod o-rwx "${whitelist_path}" else echo "ERROR: The ${1} group does not exist, the ${1} whitelist was not created." fi } +default_variables_set +parse_configuration + ## sysfs and debugfs expose a lot of information ## that should not be accessible by an unprivileged ## user which includes hardware info, debug info and 
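Review bot: the `else` branch of `create_whitelist` ("The ${1} group does not exist, the ${1} whitelist was not created.") prints to stdout and returns 0, so the unit reports success while the path in question was neither whitelisted nor fully restricted; for `/proc/cpuinfo` in particular no `chmod` at all happens on that branch. Print to stderr and either `exit 1` or fall through to the full `chmod og-rwx` so a missing group fails closed. In the same function, `chgrp --quiet --recursive ... || true` now hides every error, not only the expected ones on /sys/kernel/debug and /sys/fs/cgroup mentioned in the comment above it.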
@@ -49,27 +70,27 @@ create_whitelist() { ## and /proc/scsi to the root user only. This hides ## many hardware identifiers from ordinary users ## and increases security. -for i in /proc/cpuinfo /proc/bus /proc/scsi /sys -do +for i in /proc/cpuinfo /proc/bus /proc/scsi /sys ; do if [ -e "${i}" ]; then if [ "${i}" = "/sys" ]; then - ## Whitelist for /sys. - if [ "${sysfs_whitelist}" = "1" ]; then - create_whitelist sysfs - else - chmod og-rwx /sys - echo "INFO: The sysfs whitelist is not enabled. Some things may not work properly." + if [ "${sysfs}" = "1" ]; then + ## Whitelist for /sys. + if [ "${sysfs_whitelist}" = "1" ]; then + create_whitelist sysfs + else + echo "INFO: The sysfs whitelist is not enabled. Some things may not work properly. Full sysfs hardening..." + run_cmd chmod og-rwx /sys + fi fi elif [ "${i}" = "/proc/cpuinfo" ]; then - ## Whitelist for /proc/cpuinfo. if [ "${cpuinfo_whitelist}" = "1" ]; then create_whitelist cpuinfo else - chmod og-rwx /proc/cpuinfo - echo "INFO: The cpuinfo whitelist is not enabled. Some things may not work properly." + echo "INFO: The cpuinfo whitelist is not enabled. Some things may not work properly. Full cpuinfo hardening..." + run_cmd chmod og-rwx /proc/cpuinfo fi else - chmod og-rwx "${i}" + run_cmd chmod og-rwx "${i}" fi else ## /proc/scsi doesn't exist on Debian so errors 
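Review bot: the new `sysfs` toggle is read from the drop-ins but not documented anywhere in this file (the other two, `sysfs_whitelist` and `cpuinfo_whitelist`, are at least named in the whitelist comments), and when `sysfs=0` the `/sys` branch does nothing silently, unlike every other branch which logs what it is doing. Add a comment describing the three variables and their defaults, and log an INFO line for the `sysfs=0` case so the journal shows that /sys was intentionally left untouched.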
@@ -80,29 +101,38 @@ do fi done -## on SELinux systems, at least /sys/fs/selinux -## must be visible to unprivileged users, else -## SELinux userspace utilities will not function -## properly -if [ -d /sys/fs/selinux ]; then - echo "INFO: SELinux detected because folder /sys/fs/selinux exists. See also:" - echo "https://www.kicksecure.com/wiki/Security-misc#selinux" - if [ "${selinux}" = "1" ]; then - ## restrict permissions on everything but - ## what is needed - for i in /sys/* /sys/fs/* - do - ## Using '|| true': - ## https://github.com/Kicksecure/security-misc/pull/108 - if [ "${sysfs_whitelist}" = "1" ]; then - chmod o-rwx "${i}" || true - else - chmod og-rwx "${i}" || true - fi - done - chmod o+rx /sys /sys/fs /sys/fs/selinux - echo "INFO: SELinux mode enabled. Restrictions loosened slightly in order to allow userspace utilities to function." - else - echo "INFO: SELinux detected, but SELinux mode is not enabled. Some userspace utilities may not work properly." + +if [ "${sysfs}" = "1" ]; then + ## restrict permissions on everything but + ## what is needed + for i in /sys/* /sys/fs/* ; do + ## Using '|| true': + ## https://github.com/Kicksecure/security-misc/pull/108 + if [ "${sysfs_whitelist}" = "1" ]; then + run_cmd chmod o-rwx "${i}" || true + else + run_cmd chmod og-rwx "${i}" || true + fi + done + + ## polkit needs stat access to /sys/fs/cgroup + ## to function properly + run_cmd chmod o+rx /sys /sys/fs + + ## on SELinux systems, at least /sys/fs/selinux + ## must be visible to unprivileged users, else + ## SELinux userspace utilities will not function + ## properly + if [ -d /sys/fs/selinux ]; then + echo "INFO: SELinux detected because folder /sys/fs/selinux exists. See also:" + echo "https://www.kicksecure.com/wiki/Security-misc#selinux" + if [ "${selinux}" = "1" ]; then + run_cmd chmod o+rx /sys /sys/fs /sys/fs/selinux + echo "INFO: SELinux mode enabled. Restrictions loosened slightly in order to allow userspace utilities to function." 
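Review bot: `run_cmd chmod o+rx /sys /sys/fs` now runs unconditionally (previously only under `selinux=1`), which in the `sysfs_whitelist=0` branch immediately reverts the `chmod og-rwx /sys` done earlier for "other"; the actual restriction then rests entirely on the per-entry loop over `/sys/*` and `/sys/fs/*`, and that should be stated in the comment rather than left for a reader to work out. In that loop, `/sys/fs/*` includes `/sys/fs/cgroup`, which the comment directly below says polkit must be able to stat; if this only works because the chmod on cgroupfs happens to fail (as the comment near the top of the file suggests), skip `/sys/fs/cgroup` explicitly in the loop instead of relying on the failure.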
+ else + echo "INFO: SELinux detected, but SELinux mode is not enabled. Some userspace utilities may not work properly." + fi fi fi + +echo "$0: INFO: END" diff --git a/usr/libexec/security-misc/mmap-rnd-bits b/usr/libexec/security-misc/mmap-rnd-bits index 17482bf..25745c2 100755 --- a/usr/libexec/security-misc/mmap-rnd-bits +++ b/usr/libexec/security-misc/mmap-rnd-bits @@ -1,6 +1,6 @@ #!/usr/bin/env bash -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## This script enforces the maximum ASLR hardening settings for mmap, given the @@ -56,7 +56,7 @@ fi ## Generate a sysctl.d conf file. SYSCTL="\ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## This file is automatically generated by: diff --git a/usr/libexec/security-misc/pam-abort-on-locked-password b/usr/libexec/security-misc/pam-abort-on-locked-password index 8e2a575..35c2dd4 100755 --- a/usr/libexec/security-misc/pam-abort-on-locked-password +++ b/usr/libexec/security-misc/pam-abort-on-locked-password 
@@ -1,23 +1,23 @@ #!/bin/bash -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## This is only a usability feature to avoid needlessly bumping pam_faillock ## counter. This is not a security feature. ## https://forums.whonix.org/t/restrict-root-access/7658/1 -passwd_bin="$(type -P "passwd")" +passwd_bin="$(type -P -- "passwd")" if ! test -x "$passwd_bin" ; then echo "\ $0: ERROR: passwd_bin \"$passwd_bin\" is not executable. -See https://www.whonix.org/wiki/SUID_Disabler_and_Permission_Hardener#passwd" >&2 +See https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#passwd" >&2 ## Identifiable exit codes in case stdout / stderr is not logged in journal. exit 2 fi -if ! passwd_output="$("$passwd_bin" -S "$PAM_USER" 2>/dev/null)" ; then +if ! passwd_output="$("$passwd_bin" -S -- "$PAM_USER" 2>/dev/null)" ; then echo "$0: ERROR: user \"$PAM_USER\" does not exist." >&2 exit 3 fi diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index de6a3e0..6d772ca 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## To enable debug log, run: 
@@ -19,7 +19,40 @@ fi true "$0: START PHASE 2" +set -o errexit +set -o errtrace set -o pipefail +set -o nounset + +error_handler() { + exit_code="$?" + printf '%s\n' "\ +$0: ERROR: Unexpected error. +BASH_COMMAND: '$BASH_COMMAND' +exit_code: '$exit_code' +ERROR: Please report this bug." >&2 + exit 1 +} + +trap error_handler ERR + +if ! printf '%s\n' "" | wc -l >/dev/null ; then + printf '%s\n' "\ +$0: ERROR: command 'wc' test failed! Do not ignore this! + +'wc' can core dump. Example: +zsh: illegal hardware instruction (core dumped) wc -l +https://github.com/rspamd/rspamd/issues/5137" >&2 + exit 1 +fi + +command -v str_replace &>/dev/null + +## Named constants. +pam_faillock_state_dir="/var/lib/security-misc/faillock" + +[[ -v PAM_USER ]] || PAM_USER="" +[[ -v SUDO_USER ]] || SUDO_USER="" ## Debugging. who_ami="$(whoami)" 
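Review bot: `error_handler` exits 1, and the new `PAM_USER` versus `user_name` mismatch check further down also exits 1, while every other "please report this bug" path in this script deliberately exits 0 so that a bug in an informational helper cannot block logins (the header of pam-abort-on-locked-password makes the same point: "This is not a security feature"). Unless pam_exec is configured as `optional` for this script, an unexpected error under `errexit` (a missing `str_replace`, an unset variable under the new `nounset`) now denies authentication for everyone. Make `error_handler` and the mismatch check exit 0, or document where in the PAM stack this runs and why a non-zero exit is safe there.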
@@ -32,27 +65,28 @@ if [ "$PAM_USER" = "" ]; then exit 0 fi -grep_result="$(grep "accessfile=/etc/security/access-security-misc.conf" /etc/pam.d/common-account 2>/dev/null)" +grep_result="$(grep -- "accessfile=/etc/security/access-security-misc.conf" /etc/pam.d/common-account 2>/dev/null)" || true ## Check if grep matched something. if [ ! "$grep_result" = "" ]; then ## Yes, grep matched. ## Check if not out commented. - if ! echo "$grep_result" | grep -q "#" ; then + if ! printf '%s\n' "$grep_result" | grep --quiet -- "#" ; then ## Not out commented indeed. ## https://forums.whonix.org/t/etc-security-hardening-console-lockdown/8592 - if id --name --groups --zero "$PAM_USER" | grep --quiet --null-data --line-regexp --fixed-strings "console"; then + console_allowed="" + if id --name --groups --zero -- "$PAM_USER" | grep --quiet --null-data --line-regexp --fixed-strings -- "console"; then console_allowed=true fi - if id --name --groups --zero "$PAM_USER" | grep --quiet --null-data --line-regexp --fixed-strings "console-unrestricted"; then + if id --name --groups --zero -- "$PAM_USER" | grep --quiet --null-data --line-regexp --fixed-strings -- "console-unrestricted"; then console_allowed=true fi if [ ! "$console_allowed" = "true" ]; then - echo "\ + printf '%s\n' "\ $0: ERROR: PAM_USER: '$PAM_USER' is not a member of group 'console' To unlock, run the following command as superuser: (If you still have a sudo/root shell somewhere.) 
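Review bot: the "not out commented" test `printf '%s\n' "$grep_result" | grep --quiet -- "#"` treats any line containing `#` anywhere as commented, so a live entry with a trailing comment (`... accessfile=/etc/security/access-security-misc.conf # lockdown`) is misread as disabled and the console-group check is skipped. Anchor the match to a leading comment marker, e.g. `grep --quiet -- '^[[:space:]]*#'`, and consider matching only the first non-comment line if several match.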
@@ -69,17 +103,36 @@ https://www.kicksecure.com/wiki/root#console fi fi +if [ "$PAM_USER" = 'sysmaint' ]; then + sysmaint_passwd_info="$(passwd --status sysmaint 2>/dev/null)" || true + sysmaint_lock_info="$(cut -d' ' -f2 <<< "${sysmaint_passwd_info}")" + if [ "${sysmaint_lock_info}" = 'L' ]; then + printf '%s\n' "$0: ERROR: Reboot and choose 'PERSISTENT Mode - SYSMAINT Session' for system maintenance. See https://www.kicksecure.com/wiki/Sysmaint" >&2 + fi +fi + +kernel_cmdline="" +if test -f /proc/cmdline; then + kernel_cmdline="$(cat -- /proc/cmdline)" +fi + +if [ "$PAM_USER" != 'sysmaint' ]; then + if [[ "${kernel_cmdline}" =~ 'boot-role=sysmaint' ]]; then + printf '%s\n' "$0: WARNING: Use account 'sysmaint' for system maintenance. See https://www.kicksecure.com/wiki/Sysmaint" >&2 + fi +fi + ## https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698 ## Does not work (yet) for login, pam_securetty runs before and aborts. ## Also this should only run for login since securetty covers only login. # if [ "$PAM_USER" = "root" ]; then # if [ -f /etc/securetty ]; then -# grep_result="$(grep "^[^#]" /etc/securetty)" +# grep_result="$(grep -- "^[^#]" /etc/securetty)" # if [ "$grep_result" = "" ]; then -# echo "\ +# printf '%s\n' "\ # $0: ERROR: Root login is disabled. -# ERROR: This is because /etc/securetty is empty. +# ERROR: This is because file '/etc/securetty' is empty. # See also: # https://www.kicksecure.com/wiki/root#login # " >&2 
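Review bot: `[[ "${kernel_cmdline}" =~ 'boot-role=sysmaint' ]]` is a substring match, so it also fires for a parameter such as `boot-role=sysmaint-foo` or a value embedded in another token; bound it with `(^|[[:space:]])boot-role=sysmaint($|[[:space:]])` (or split `/proc/cmdline` on whitespace and compare whole words), since this is what decides which account users are told to use. The `sysmaint` lock check parses `passwd --status` positionally (field 2 equal to `L`); that is stable in shadow-utils, but a comment giving the expected `sysmaint L ...` shape would make the `cut` readable.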
@@ -88,21 +141,23 @@ fi # fi # fi -## as user "user" +## under account "user" ## /usr/sbin/faillock -u user ## faillock: Error opening /var/log/tallylog for update: Permission denied ## /usr/sbin/faillock: Authentication error ## -## xscreensaver runs as user "user", therefore pam_faillock cannot function. +## xscreensaver runs under account "user", therefore pam_faillock cannot function. ## xscreensaver has its own failed login counter. ## ## https://askubuntu.com/questions/983183/how-lock-the-unlock-screen-after-wrong-password-attempts ## -## https://www.whonix.org/pipermail/whonix-devel/2019-September/001439.html +## https://web.archive.org/web/20200919221439/https://www.whonix.org/pipermail/whonix-devel/2019-September/001439.html ## ## Checking exit code to avoid breaking when read-only disk boot but ## without ro-mode-init or grub-live being used. -if ! pam_faillock_output="$(faillock --user "$PAM_USER")" ; then +## +## end-of-options ("--") unsupported by faillock. +if ! pam_faillock_output="$(faillock --dir "$pam_faillock_state_dir" --user "$PAM_USER")" ; then true "$0: faillock non-zero exit code." exit 0 fi @@ -123,7 +178,7 @@ fi ## Usage: faillock [--dir /path/to/tally-directory] [--user username] [--reset] ## Get first line. -#pam_faillock_output_first_line="$(echo "$pam_faillock_output" | head --lines=1)" +#pam_faillock_output_first_line="$(printf '%s\n' "$pam_faillock_output" | head --lines=1)" while read -t 10 -r pam_faillock_output_first_line ; do break done <<< "$pam_faillock_output" 
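Review bot: `faillock --dir "$pam_faillock_state_dir"` hardcodes `/var/lib/security-misc/faillock`, but the directory pam_faillock actually records failures in comes from `dir=` in /etc/security/faillock.conf (or the module arguments). If the two disagree, this script reports counts from a tally pam_faillock does not enforce, and the `faillock --dir ... --reset` command it prints later would reset the wrong directory. Since the script already parses `deny =` out of faillock.conf, parse `dir =` from the same file and fall back to the constant only when it is absent; at minimum, add a comment stating that the constant must match the PAM configuration.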
@@ -132,24 +187,46 @@ true "pam_faillock_output_first_line: '$pam_faillock_output_first_line'" ## example pam_faillock_output_first_line: ## user: -user_name="$(echo "$pam_faillock_output_first_line" | LANG=C str_replace ":" "")" +user_name="$(printf '%s\n' "$pam_faillock_output_first_line" | str_replace ":" "")" ## example user_name: ## user ## root -pam_faillock_output_count="$(echo "$pam_faillock_output" | wc -l)" +if [ "$PAM_USER" != "$user_name" ]; then + printf '%s\n' "\ +$0: ERROR: Variable 'PAM_USER' '$PAM_USER' does not match variable 'user_name' '$user_name'. +ERROR: Please report this bug. +" >&2 + exit 1 +fi + +pam_faillock_output_count="$(printf '%s\n' "$pam_faillock_output" | wc -l)" ## example pam_faillock_output_count: ## 2 ## example pam_faillock_output_count: ## 4 -## Do not count the first two informational textual output lines -## (starting with "user:" and "When"). +if [[ "$pam_faillock_output_count" == *[!0-9]* ]]; then + printf '%s\n' "\ +$0: ERROR: Variable 'pam_faillock_output_count' is not numeric. pam_faillock_output_count: '$pam_faillock_output_count' +ERROR: Please report this bug. +" >&2 + exit 0 +fi + +## Do not count the first two informational textual output lines (starting with "user:" and "When") if present, failed_login_counter=$(( pam_faillock_output_count - 2 )) ## example failed_login_counter: ## 2 +## Ensuring failed_login_counter is not set to a negative value. +## https://github.com/Kicksecure/security-misc/pull/305 +if [ "$failed_login_counter" -lt "0" ]; then + true "$0: WARNING: Failed login counter is negative. Resetting to 0." + failed_login_counter=0 +fi + if [ "$failed_login_counter" = "0" ]; then true "$0: INFO: Failed login counter is 0, ok." exit 0 
@@ -159,29 +236,29 @@ fi deny=3 if test -f /etc/security/faillock.conf ; then - deny_line=$(grep --invert-match "#" /etc/security/faillock.conf | grep "deny =") - deny="$(echo "$deny_line" | LANG=C str_replace "=" "" | LANG=C str_replace "deny" "" | LANG=C str_replace " " "")" + deny_line=$(grep --invert-match "#" -- /etc/security/faillock.conf | grep -- "deny =") || true + deny="$(printf '%s\n' "$deny_line" | str_replace "=" "" | str_replace "deny" "" | str_replace " " "")" ## Example: #deny=50 fi if [[ "$deny" == *[!0-9]* ]]; then - echo "\ -$0: ERROR: deny is not numeric. deny: '$deny' + printf '%s\n' "\ +$0: ERROR: Variable 'deny' is not numeric. deny: '$deny' ERROR: Please report this bug. " >&2 exit 0 fi -remaining_attempts="$(( $deny - $failed_login_counter ))" +remaining_attempts="$(( deny - failed_login_counter ))" if [ "$remaining_attempts" -le "0" ]; then - echo "\ + printf '%s\n' "\ $0: ERROR: Login blocked after $failed_login_counter attempts. To unlock, run the following command as superuser: (If you still have a sudo/root shell somewhere.) -faillock --reset --user $PAM_USER +faillock --dir $pam_faillock_state_dir --reset --user $PAM_USER However, most likely unlock procedure is required. First boot into recovery mode at grub boot menu and then run above command. @@ -191,14 +268,14 @@ https://www.kicksecure.com/wiki/root#unlock exit 0 fi -echo "\ -$0: WARNING: $failed_login_counter failed login attempts for user_name '$user_name'. +printf '%s\n' "\ +$0: WARNING: $failed_login_counter failed login attempts for account '$user_name'. Login will be blocked after $deny attempts. You have $remaining_attempts more attempts before unlock procedure is required. " >&2 if [ "$PAM_SERVICE" = "su" ]; then - echo "\ + printf '%s\n' "\ $0: NOTE: Type the password. When entering the password, no password feedback (no asterisk (\"*\") symbol) will be shown. " >&2 fi 
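Review bot: in the deny-parsing hunk the added `|| true` keeps the script alive when `grep` finds no `deny =` line, but the next assignment then overwrites the `deny=3` default with an empty string. The `[[ "$deny" == *[!0-9]* ]]` check does not catch an empty value, and in `$(( deny - failed_login_counter ))` an empty `deny` evaluates to 0, so `remaining_attempts` is negative after the very first failed attempt and the "Login blocked after ... attempts" text is printed (the script still exits 0, so the message is simply wrong rather than locking anyone out). Guard it, e.g. `[ -n "$deny" ] || deny=3` right after the replace, or only assign `deny` when `deny_line` is non-empty. The same pipeline concatenates digits if the file contains more than one matching line, and `grep -- "deny ="` misses `deny=3` written without spaces, so `grep -E '^[[:space:]]*deny[[:space:]]*=' | tail -n 1` would be a more robust selector.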
diff --git a/usr/libexec/security-misc/pam_faillock_not_if_x b/usr/libexec/security-misc/pam_faillock_not_if_x index 3fcf10f..433dca8 100755 --- a/usr/libexec/security-misc/pam_faillock_not_if_x +++ b/usr/libexec/security-misc/pam_faillock_not_if_x @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## https://serverfault.com/questions/134471/success-n-control-syntax-in-pam-conf-pam-d-files diff --git a/usr/libexec/security-misc/pam_only_if_login b/usr/libexec/security-misc/pam_only_if_login index 11f56d4..568f037 100755 --- a/usr/libexec/security-misc/pam_only_if_login +++ b/usr/libexec/security-misc/pam_only_if_login @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## https://serverfault.com/questions/134471/success-n-control-syntax-in-pam-conf-pam-d-files diff --git a/usr/libexec/security-misc/pam_only_if_su b/usr/libexec/security-misc/pam_only_if_su new file mode 100755 index 0000000..604510f --- /dev/null +++ b/usr/libexec/security-misc/pam_only_if_su @@ -0,0 +1,17 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Similar to: +## /usr/libexec/security-misc/pam_only_if_login + +set -x + +true "PAM_SERVICE: $PAM_SERVICE" + +if [ "$PAM_SERVICE" = "su" ]; then + exit 1 +else + exit 0 +fi diff --git a/usr/libexec/security-misc/panic-on-oops b/usr/libexec/security-misc/panic-on-oops index 20365df..749eb3c 100755 --- a/usr/libexec/security-misc/panic-on-oops +++ b/usr/libexec/security-misc/panic-on-oops @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. set -e 
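Review bot: the new `pam_only_if_su` helper runs with `set -x`, so every `su` invocation that goes through it emits a trace (`+ true 'PAM_SERVICE: su'`, `+ exit 1`) on whatever stderr pam_exec leaves it with, typically the calling terminal unless `log=` is configured; if the tracing is for debugging, drop it or gate it behind an environment variable. The file also only says "Similar to: pam_only_if_login" and gives no hint that `exit 1` means "this is su, so skip the following modules" under the `[success=N default=ignore]` control from the serverfault thread referenced in the sibling scripts; a one-line comment stating that inverted convention would stop the next reader from treating the `exit 1` as a failure path.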
@@ -12,7 +12,12 @@ if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then source /usr/libexec/helper-scripts/pre.bsh fi -## Makes the kernel panic on oopses. This prevents the kernel -## from continuing to run a flawed processes. Many kernel exploits -## will also cause an oops which this will make the kernel kill. +## Makes the kernel panic on oopses and warnings. This prevents the +## kernel from continuing to run a flawed processes. Many kernel +## exploits will also cause an oops, these settings will make the +## kernel kill the offending processes. +#sysctl kernel.panic=-1 sysctl kernel.panic_on_oops=1 +sysctl kernel.panic_on_warn=1 +#sysctl kernel.oops_limit=1 +#sysctl kernel.warn_limit=1 diff --git a/usr/libexec/security-misc/permission-hardening b/usr/libexec/security-misc/permission-hardening deleted file mode 100755 index 16df8d0..0000000 --- a/usr/libexec/security-misc/permission-hardening +++ /dev/null 
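Review bot: the reworded comment is now inaccurate: `kernel.panic_on_oops=1` does not make the kernel "kill the offending processes", it panics the whole kernel (killing the process is the default behaviour with the sysctl at 0), and the newly added `kernel.panic_on_warn=1` turns every `WARN()`/`WARN_ON()` into a panic as well. WARN fires on many recoverable driver and hardware quirks, so on a general-purpose install this trades a log line for a halted machine and gives any local user who can trigger a WARN an easy denial of service; if it stays, the comment should say so and point at how to opt out. Note also that with `#sysctl kernel.panic=-1` left commented out a panic hangs the system instead of rebooting it unless `kernel.panic` is set elsewhere, and that the commented `kernel.oops_limit`/`kernel.warn_limit` sysctls only exist on newer kernels (added in 6.2), which matters under this script's `set -e` if someone uncomments them. Minor: "a flawed processes" should read "a flawed process".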
@@ -1,487 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## https://forums.whonix.org/t/disable-suid-binaries/7706 -## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707 - -## To view previous modes and how these were changed: -## meld /var/lib/permission-hardening/existing_mode/statoverride /var/lib/permission-hardening/new_mode/statoverride - -## To undo: -## sudo /usr/libexec/security-misc/permission-hardening-undo - -#set -x -set -e -set -o pipefail - -exit_code=0 - -mkdir -p /var/lib/permission-hardening/existing_mode -mkdir -p /var/lib/permission-hardening/new_mode -dpkg_admindir_parameter_existing_mode="--admindir /var/lib/permission-hardening/existing_mode" -dpkg_admindir_parameter_new_mode="--admindir /var/lib/permission-hardening/new_mode" - -echo_wrapper_ignore() { - echo "run: $@" - "$@" 2>/dev/null || true -} - -echo_wrapper_silent_ignore() { - #echo "run: $@" - "$@" 2>/dev/null || true -} - -echo_wrapper_audit() { - echo "run: $@" - return_code=0 - "$@" || \ - { \ - return_code="$?" ; \ - exit_code=203 ; \ - echo "ERROR: above command failed with exit code '$return_code'! calling function name: '${FUNCNAME[1]}'" >&2 ; \ - }; -} - -echo_wrapper_silent_audit() { - #echo "run (debugging): $@" - return_code=0 - "$@" || \ - { \ - return_code="$?" ; \ - exit_code=204 ; \ - echo "ERROR: above command '$@' failed with exit code '$return_code'! 
calling function name: '${FUNCNAME[1]}'" >&2 ; \ - }; -} - -sanity_tests() { - echo_wrapper_silent_audit which \ - capsh getcap setcap stat find dpkg-statoverride getent xargs grep 1>/dev/null -} - -add_nosuid_statoverride_entry() { - local fso_to_process - fso_to_process="$fso" - local should_be_counter - should_be_counter="$(find "$fso_to_process" -perm /u=s,g=s | wc -l)" || true - local counter_actual - counter_actual=0 - - local line - while read -r line; do - true "line: $line" - counter_actual="$(( counter_actual + 1 ))" - - local arr file_name existing_mode existing_owner existing_group - arr=($line) - file_name="${arr[0]}" - existing_mode="${arr[1]}" - existing_owner="${arr[2]}" - existing_group="${arr[3]}" - - if [ "$arr" = "" ]; then - echo "ERROR: arr is empty. line: '$line'" >&2 - continue - fi - if [ "$file_name" = "" ]; then - echo "ERROR: file_name is empty. line: '$line'" >&2 - continue - fi - if [ "$existing_mode" = "" ]; then - echo "ERROR: existing_mode is empty. line: '$line'" >&2 - continue - fi - if [ "$existing_owner" = "" ]; then - echo "ERROR: existing_owner is empty. line: '$line'" >&2 - continue - fi - if [ "$existing_group" = "" ]; then - echo "ERROR: existing_group is empty. line: '$line'" >&2 - continue - fi - - ## -h file True if file is a symbolic Link. - ## -u file True if file has its set-user-id bit set. - ## -g file True if file has its set-group-id bit set. 
- - if test -h "$file_name" ; then - ## https://forums.whonix.org/t/disable-suid-binaries/7706/14 - true "skip symlink: $file_name" - continue - fi - - if test -d "$file_name" ; then - true "skip directory: $file_name" - continue - fi - - local setuid setuid_output setsgid setsgid_output - setuid="" - setuid_output="" - if test -u "$file_name" ; then - setuid=true - setuid_output="set-user-id" - fi - setsgid="" - setsgid_output="" - if test -g "$file_name" ; then - setsgid=true - setsgid_output="set-group-id" - fi - - local setuid_or_setsgid - setuid_or_setsgid="" - if [ "$setuid" = "true" ] || [ "$setsgid" = "true" ]; then - setuid_or_setsgid=true - fi - if [ "$setuid_or_setsgid" = "" ]; then - continue - fi - - ## Remove suid / gid and execute permission for 'group' and 'others'. - ## Similar to: chmod og-ugx /path/to/filename - ## Removing execution permission is useful to make binaries such as 'su' fail closed rather - ## than fail open if suid was removed from these. - ## Do not remove read access since no security benefit and easier to manually undo for users. - ## Are there suid or sgid binaries which are still useful if suid / sgid has been removed from these? - new_mode="744" - - local is_exact_whitelisted - is_exact_whitelisted="" - for white_list_entry in $exact_white_list ; do - if [ "$file_name" = "$white_list_entry" ]; then - is_exact_whitelisted="true" - ## Stop looping through the whitelist. - break - fi - done - - local is_match_whitelisted - is_match_whitelisted="" - for matchwhite_list_entry in $match_white_list ; do - if echo "$file_name" | grep -q "$matchwhite_list_entry" ; then - is_match_whitelisted="true" - ## Stop looping through the match_white_list. - break - fi - done - - local is_disable_whitelisted - is_disable_whitelisted="" - for disablematch_list_entry in $disable_white_list ; do - if echo "$file_name" | grep -q "$disablematch_list_entry" ; then - is_disable_whitelisted="true" - ## Stop looping through the disablewhitelist. 
- break - fi - done - - if [ "$whitelists_disable_all" = "true" ]; then - true "INFO: whitelists_disable_all=true - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode'" - elif [ "$is_disable_whitelisted" = "true" ]; then - echo "INFO: white list disabled - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode'" - else - if [ "$is_exact_whitelisted" = "true" ]; then - echo "INFO: SKIP whitelisted - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode'" - continue - fi - if [ "$is_match_whitelisted" = "true" ]; then - echo "INFO: SKIP matchwhitelisted - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode' | matchwhite_list_entry: '$matchwhite_list_entry'" - continue - fi - fi - - echo "INFO: $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode' | new_mode: '$new_mode'" - - if dpkg-statoverride $dpkg_admindir_parameter_existing_mode --list "$file_name" >/dev/null ; then - true "OK Existing mode already saved previously. No need to save again." - else - ## Save existing_mode in separate database. - ## Not using --update as not intending to enforce existing_mode. - echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_existing_mode --add "$existing_owner" "$existing_group" "$existing_mode" "$file_name" - fi - - ## No need to check "dpkg-statoverride --list" for existing entries. - ## If existing_mode was correct already, we would not have reached this point. - ## Since existing_mode is incorrect, remove from dpkg-statoverride and re-add. - - ## Remove from real database. - echo_wrapper_silent_ignore dpkg-statoverride --remove "$file_name" - - ## Remove from separate database. 
- echo_wrapper_silent_ignore dpkg-statoverride $dpkg_admindir_parameter_new_mode --remove "$file_name" - - ## Add to real database and use --update to make changes on disk. - echo_wrapper_audit dpkg-statoverride --add --update "$existing_owner" "$existing_group" "$new_mode" "$file_name" - - ## Not using --update as this is only for recording. - echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_new_mode --add "$existing_owner" "$existing_group" "$new_mode" "$file_name" - - ## /lib will hit ARG_MAX if using bash 'shopt -s globstar' and '/lib/**'. - ## Using 'find' with '-perm /u=s,g=s' is faster and avoids ARG_MAX. - ## https://forums.whonix.org/t/disable-suid-binaries/7706/17 - done < <( find "$fso_to_process" -perm /u=s,g=s -print0 | xargs -I{} -0 stat -c "%n %a %U %G" {} ) - - ## Sanity test. - if [ ! "$should_be_counter" = "$counter_actual" ]; then - echo "INFO: fso_to_process: '$fso_to_process' | counter_actual : '$counter_actual'" - echo "INFO: fso_to_process: '$fso_to_process' | should_be_counter: '$should_be_counter'" - exit_code=202 - echo "ERROR: counter does not check out." >&2 - fi -} - -set_file_perms() { - echo "INFO: START parsing config_file: '$config_file'" - local line - while read -r line || [[ -n "${line}" ]]; do - if [ "$line" = "" ]; then - continue - fi - - if [[ "$line" =~ ^# ]]; then - continue - fi - - if [[ "$line" =~ [0-9a-zA-Z/] ]]; then - true "OK line contains only white listed characters." - else - exit_code=200 - echo "ERROR: cannot parse line with invalid character. line: '$line'" >&2 - ## Safer to exit with error in this case. - ## https://forums.whonix.org/t/disable-suid-binaries/7706/59 - exit "$exit_code" - fi - - if [ "$line" = 'whitelists_disable_all=true' ]; then - whitelists_disable_all=true - echo "INFO: whitelists_disable_all=true - all whitelists disabled." - continue - fi - - #global fso - local mode_from_config owner_from_config group_from_config capability_from_config - if ! 
read -r fso mode_from_config owner_from_config group_from_config capability_from_config <<< "$line" ; then - exit_code=201 - echo "ERROR: cannot parse. line: '$line'" >&2 - ## Debugging. - du -hs /tmp || true - echo "test -w /tmp: '$(test -w /tmp)'" >&2 || true - ## Safer to exit with error in this case. - ## https://forums.whonix.org/t/disable-suid-binaries/7706/59 - exit "$exit_code" - fi - - local fso_without_trailing_slash - fso_without_trailing_slash="${fso%/}" - - if [ "$mode_from_config" = "disablewhitelist" ]; then - ## TODO: test/add white spaces inside file name support - disable_white_list+="$fso " - continue - fi - - if [ "$mode_from_config" = "exactwhitelist" ]; then - ## TODO: test/add white spaces inside file name support - exact_white_list+="$fso " - continue - fi - - if [ "$mode_from_config" = "matchwhitelist" ]; then - ## TODO: test/add white spaces inside file name support - match_white_list+="$fso " - continue - fi - - if [ ! -e "$fso" ]; then - echo "INFO: fso: '$fso' - does not exist. This is likely normal." - continue - fi - - ## Use dpkg-statoverride so permissions are not reset during upgrades. - - if [ "$mode_from_config" = "nosuid" ]; then - ## If mode_from_config is "nosuid" the config does not set owner and - ## group. Therefore do not enforce owner/group check. - - add_nosuid_statoverride_entry - else - local string_length_of_mode_from_config - string_length_of_mode_from_config="${#mode_from_config}" - if [ "$string_length_of_mode_from_config" -gt "4" ]; then - echo "ERROR: Mode '$mode_from_config' is invalid!" >&2 - continue - fi - if [ "$string_length_of_mode_from_config" -lt "3" ]; then - echo "ERROR: Mode '$mode_from_config' is invalid!" >&2 - continue - fi - - if ! echo "${passwd_file_contents}" | grep -q "^${owner_from_config}:" ; then - echo "ERROR: owner_from_config '$owner_from_config' does not exist!" >&2 - continue - fi - - if ! 
echo "${group_file_contents}" | grep -q "^${group_from_config}:" ; then - echo "ERROR: group_from_config '$group_from_config' does not exist!" >&2 - continue - fi - - local mode_for_grep - mode_for_grep="$mode_from_config" - first_character_of_mode_from_config="${mode_from_config::1}" - if [ "$first_character_of_mode_from_config" = "0" ]; then - ## Remove leading '0'. - mode_for_grep="${mode_from_config:1}" - fi - - local stat_output - stat_output="" - if ! stat_output="$(stat -c "%n %a %U %G" "$fso_without_trailing_slash")" ; then - echo "ERROR: failed to run 'stat' for fso_without_trailing_slash: '$fso_without_trailing_slash'!" >&2 - continue - fi - - local arr file_name existing_mode existing_owner existing_group - arr=($stat_output) - file_name="${arr[0]}" - existing_mode="${arr[1]}" - existing_owner="${arr[2]}" - existing_group="${arr[3]}" - - if [ "$arr" = "" ]; then - echo "ERROR: arr is empty. stat_output: '$stat_output' | line: '$line'" >&2 - continue - fi - if [ "$file_name" = "" ]; then - echo "ERROR: file_name is empty. stat_output: '$stat_output' | line: '$line'" >&2 - continue - fi - if [ "$existing_mode" = "" ]; then - echo "ERROR: existing_mode is empty. stat_output: '$stat_output' | line: '$line'" >&2 - continue - fi - if [ "$existing_owner" = "" ]; then - echo "ERROR: existing_owner is empty. stat_output: '$stat_output' | line: '$line'" >&2 - continue - fi - if [ "$existing_group" = "" ]; then - echo "ERROR: $existing_group is empty. stat_output: '$stat_output' | line: '$line'" >&2 - continue - fi - - ## Check there is an entry for the fso. - ## - ## example: dpkg-statoverride --list | grep /home - ## output: - ## root root 755 /home - ## - ## dpkg-statoverride does not show leading '0'. - local dpkg_statoverride_list_output="" - local dpkg_statoverride_list_exit_code=0 - dpkg_statoverride_list_output="$(dpkg-statoverride --list "$fso_without_trailing_slash")" || { dpkg_statoverride_list_exit_code=$? 
; true; }; - - if [ "$dpkg_statoverride_list_exit_code" = "0" ]; then - true "There is an fso entry. Check if owner/group/mode match." - local grep_line - grep_line="$owner_from_config $group_from_config $mode_for_grep $fso_without_trailing_slash" - if echo "$dpkg_statoverride_list_output" | grep -q "$grep_line" ; then - true "OK The owner/group/mode matches. No further action required." - else - true "The owner/group/mode do not match, therefore remove and re-add the entry to update it." - ## fso_without_trailing_slash instead of fso to prevent - ## "dpkg-statoverride: warning: stripping trailing /" - - if dpkg-statoverride $dpkg_admindir_parameter_existing_mode --list "$fso_without_trailing_slash" >/dev/null ; then - true "OK Existing mode already saved previously. No need to save again." - else - ## Save existing_mode in separate database. - ## Not using --update as not intending to enforce existing_mode. - echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_existing_mode --add "$existing_owner" "$existing_group" "$existing_mode" "$fso_without_trailing_slash" - fi - - echo_wrapper_silent_ignore dpkg-statoverride $dpkg_admindir_parameter_new_mode --remove "$fso_without_trailing_slash" - - ## Remove from and add to real database. - echo_wrapper_silent_ignore dpkg-statoverride --remove "$fso_without_trailing_slash" - echo_wrapper_audit dpkg-statoverride --add --update "$owner_from_config" "$group_from_config" "$mode_from_config" "$fso_without_trailing_slash" - - ## Save in separate database. - ## Not using --update as this is only for saving. - echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_new_mode --add "$owner_from_config" "$group_from_config" "$mode_from_config" "$fso_without_trailing_slash" - fi - else - true "There is no fso entry. Therefore add one." - - if dpkg-statoverride $dpkg_admindir_parameter_existing_mode --list "$fso_without_trailing_slash" >/dev/null ; then - true "OK Existing mode already saved previously. 
No need to save again." - else - ## Save existing_mode in separate database. - ## Not using --update as not intending to enforce existing_mode. - echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_existing_mode --add "$existing_owner" "$existing_group" "$existing_mode" "$fso_without_trailing_slash" - fi - - ## Add to real database. - echo_wrapper_audit dpkg-statoverride --add --update "$owner_from_config" "$group_from_config" "$mode_from_config" "$fso_without_trailing_slash" - - ## Save in separate database. - ## Not using --update as this is only for saving. - echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_new_mode --add "$owner_from_config" "$group_from_config" "$mode_from_config" "$fso_without_trailing_slash" - fi - fi - if [ "$capability_from_config" = "" ]; then - continue - fi - - if [ "$capability_from_config" = "none" ]; then - ## https://forums.whonix.org/t/disable-suid-binaries/7706/45 - # sudo setcap -r /bin/ping 2>/dev/null - # Failed to set capabilities on file '/bin/ping' (No data available) - # The value of the capability argument is not permitted for a file. Or the file is not a regular (non-symlink) file - ## Therefore use echo_wrapper_ignore. - echo_wrapper_ignore setcap -r "$fso" - getcap_output="$(getcap "$fso")" - if [ ! "$getcap_output" = "" ]; then - exit_code=205 - echo "ERROR: removing capabilities for fso '$fso' failed!" >&2 - continue - fi - else - if ! capsh --print | grep "Bounding set" | grep -q "$capability_from_config" ; then - echo "ERROR: capability_from_config '$capability_from_config' does not exist!" 
>&2 - continue - fi - - ## feature request: dpkg-statoverride: support for capabilities - ## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=502580 - echo_wrapper_audit setcap "${capability_from_config}+ep" "$fso" - fi - done < "$config_file" - echo "INFO: END parsing config_file: '$config_file'" -} - -parse_config_folder() { - # Query contents of password and group databases only once and buffer them - # - # If we don't buffer we sometimes get incorrect results when checking for entries using - # 'if getent passwd | grep -q '^root:'; ...' since 'grep' exits after the first match in - # this case causing 'getent' to receive SIGPIPE, which then fails the pipeline since - # 'set -o pipefail' is set for this script. - passwd_file_contents="$(getent passwd)" - group_file_contents="$(getent group)" - - shopt -s nullglob - for config_file in /etc/permission-hardening.d/*.conf /usr/local/etc/permission-hardening.d/*.conf; do - set_file_perms - done -} - -sanity_tests -parse_config_folder - -if [ ! "$exit_code" = "0" ]; then - echo "ERROR: Will exit with non-zero exit code: '$exit_code'" >&2 -fi - -exit "$exit_code" diff --git a/usr/libexec/security-misc/permission-hardening-undo b/usr/libexec/security-misc/permission-hardening-undo deleted file mode 100755 index 981a2a6..0000000 --- a/usr/libexec/security-misc/permission-hardening-undo +++ /dev/null 
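Review bot: removing `permission-hardening` outright (and, per the header at the end of this hunk, `permission-hardening-undo` with it) with no replacement visible in this patch leaves already-installed systems with the `dpkg-statoverride --add --update` entries the old tool wrote into dpkg's real override database and no shipped way to reverse them; the bookkeeping copies under `/var/lib/permission-hardening/existing_mode` and `new_mode` are orphaned as well, and the `permission-hardening.service` unit the undo script's usage text mentions is not touched here. The commit message should name what replaces these scripts and the package should carry a maintainer-script migration (or at minimum a documented manual procedure) for existing installs, and the wiki anchors the usage text points at (`SUID_Disabler_and_Permission_Hardener#...`) should be re-checked against wherever that documentation now lives.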
@@ -1,136 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -#set -x -set -e -set -o pipefail - -if [ "$1" = "all" ]; then - remove_file="all" -elif [ ! "$1" = "" ]; then - remove_file="$1" -else - echo "ERROR: need to give parameter 'all' or a filename. - -examples: - -$0 all - -$0 /usr/bin/newgrp - " >&2 -fi - -exit_code=0 - -dpkg_admindir_parameter_existing_mode="--admindir /var/lib/permission-hardening/existing_mode" -dpkg_admindir_parameter_new_mode="--admindir /var/lib/permission-hardening/new_mode" - -undo_permission_hardening() { - if [ ! -f /var/lib/permission-hardening/existing_mode/statoverride ]; then - return 0 - fi - - local line - - while read -r line; do - ## example line: - ## root root 4755 /usr/lib/eject/dmcrypt-get-device - - local owner group mode file_name - if ! read -r owner group mode file_name <<< "$line" ; then - exit_code=201 - echo "ERROR: cannot parse line: $line" >&2 - continue - fi - true "owner: '$owner' group: '$group' mode: '$mode' file_name: '$file_name'" - - if [ "$remove_file" = "all" ]; then - do_proceed=true - verbose_maybe="" - else - if [ "$remove_file" = "$file_name" ]; then - do_proceed=true - verbose_maybe="--verbose" - remove_one=true - else - do_proceed=false - verbose_maybe="" - fi - fi - - if [ "$do_proceed" = "false" ]; then - continue - fi - - if [ "$remove_one" = "true" ]; then - set -x - fi - - if test -e "$file_name" ; then - chown $verbose_maybe "${owner}:${group}" "$file_name" || exit_code=202 - ## chmod need to be run after chown since chown removes suid. - ## https://unix.stackexchange.com/questions/53665/chown-removes-setuid-bit-bug-or-feature - chmod $verbose_maybe "$mode" "$file_name" || exit_code=203 - else - echo "INFO: file_name: '$file_name' - does not exist. This is likely normal." 
- fi - - dpkg-statoverride --remove "$file_name" &>/dev/null || true - dpkg-statoverride $dpkg_admindir_parameter_existing_mode --remove "$file_name" &>/dev/null || true - dpkg-statoverride $dpkg_admindir_parameter_new_mode --remove "$file_name" &>/dev/null || true - - if [ "$remove_one" = "true" ]; then - set +x - break - fi - - done < "/var/lib/permission-hardening/existing_mode/statoverride" -} - -undo_permission_hardening - -if [ ! "$remove_file" = "all" ]; then - if [ ! "$remove_one" = "true" ]; then - echo "INFO: none removed. - -File '$remove_file' has not removed from SUID Disabler and Permission Hardener during this invocation of this program. - -Note: This is expected if already done earlier. - -Note: This program expects the full path to the file. Example: - -$0 /usr/bin/newgrp - -The following syntax will not work: - -$0 program-name - -The following example will not work: - -$0 newgrp - -To remove all: - -$0 all - -This change might not be permanent (because of the permission-hardening.service systemd unit). For full instructions, see: -https://www.whonix.org/wiki/SUID_Disabler_and_Permission_Hardener - -To view list of changed by SUID Disabler and Permission Hardener: -https://www.whonix.org/wiki/SUID_Disabler_and_Permission_Hardener#View_List_of_Permissions_Changed_by_SUID_Disabler_and_Permission_Hardener - -For re-enabling any specific SUID binary: -https://www.whonix.org/wiki/SUID_Disabler_and_Permission_Hardener#Re-Enable_Specific_SUID_Binaries - -For completely disabling SUID Disabler and Permission Hardener: -https://www.whonix.org/wiki/SUID_Disabler_and_Permission_Hardener#Disable_SUID_Disabler_and_Permission_Hardener" - fi -fi - -if [ ! "$exit_code" = "0" ]; then - echo "ERROR: Will exit with non-zero exit code: '$exit_code'" >&2 -fi - -exit "$exit_code" diff --git a/usr/libexec/security-misc/permission-lockdown b/usr/libexec/security-misc/permission-lockdown index 615bf6c..19fbe89 100755 --- a/usr/libexec/security-misc/permission-lockdown 
+++ b/usr/libexec/security-misc/permission-lockdown @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Doing this for all users would create many issues. @@ -25,6 +25,7 @@ # /usr/libexec/security-misc/permission-lockdown: user: stunnel4 | chmod o-rwx "/var/run/stunnel4" # /usr/libexec/security-misc/permission-lockdown: user: iodine | chmod o-rwx "/var/run/iodine" # /usr/libexec/security-misc/permission-lockdown: user: apt-cacher-ng | chmod o-rwx "/var/cache/apt-cacher-ng" +# /usr/libexec/security-misc/permission-lockdown: user: approx | chmod o-rwx "/var/cache/approx" # /usr/libexec/security-misc/permission-lockdown: user: statd | chmod o-rwx "/var/lib/nfs" # /usr/libexec/security-misc/permission-lockdown: user: timidity | chmod o-rwx "/etc/timidity" # /usr/libexec/security-misc/permission-lockdown: user: uuidd | chmod o-rwx "/run/uuidd" 
@@ -32,35 +33,28 @@ # /usr/libexec/security-misc/permission-lockdown: user: geoclue | chmod o-rwx "/var/lib/geoclue" home_folder_access_rights_lockdown() { - shopt -s nullglob - - ## Not using dotglob. - ## touch /var/cache/security-misc/state-files//home/.Trash - ## touch: cannot touch '/var/cache/security-misc/state-files//home/.Trash': No such file or directory - - local folder_name base_name - - for folder_name in /home/* ; do - base_name="$(basename "$folder_name")" - if [ -f "/var/cache/security-misc/state-files/$base_name" ]; then + mkdir --parents /var/cache/security-misc/state-files + local user + for user in $(dir /home); do ## lists directories only + if [ -f "/var/cache/security-misc/state-files/$user" ]; then continue fi - if [ ! -d "$folder_name" ]; then - continue - fi - if [ "$folder_name" = "/home/" ]; then - continue - fi - mkdir -p /var/cache/security-misc/state-files + folder_name="/home/$user" + ## chmod: + ## The 'g' for 'group' is not needed. + ## Debian by default uses USERGROUPS=yes in /etc/adduser.conf. + ## The group which the user is being added to has the same name as the user. + ## If the username is user then the name of the group is also user. + ## Some background information here: + ## https://unix.stackexchange.com/questions/156473/reasons-behind-the-default-groups-and-users-on-linux + ## In short, this is useful for "file sharing". A if user1 wants to share data with user2 the command + ## required to run is sudo addgroup user1 user2. + ## See also: user private groups UPGs + ## https://wiki.debian.org/UserPrivateGroups echo "$0: chmod o-rwx \"$folder_name\"" chmod o-rwx "$folder_name" - ## Create a state-file so we do this only once. - ## Therefore a user who will manually undo this, will not get - ## annoyed by this being done over and over again. - touch "/var/cache/security-misc/state-files/$base_name" + touch "/var/cache/security-misc/state-files/$user" done - - shopt -u nullglob } home_folder_access_rights_lockdown 
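Review bot: the comment on `for user in $(dir /home); do ## lists directories only` is wrong: `dir` is GNU `ls -C -b`, which lists every entry in `/home` (regular files included), escapes unusual characters in names, and is then word-split by the shell. Combined with dropping the old `[ ! -d "$folder_name" ]` guard this means a stray file in `/home` now gets `chmod o-rwx` and a state file, and a directory whose name contains whitespace or a character `-b` escapes is chmod'ed under the wrong name. Iterate over the glob instead, which is also what the removed code did: `for folder_name in /home/*/; do folder_name="${folder_name%/}"; user="${folder_name##*/}"; ...` (with `shopt -s nullglob` for an empty `/home`). `folder_name` also lost its `local` in the rewrite, and the long tangent about user private groups would read better as one sentence saying the `g` bits are left alone because Debian creates a per-user private group.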
diff --git a/usr/libexec/security-misc/remount-secure b/usr/libexec/security-misc/remount-secure deleted file mode 100755 index 57a26ca..0000000 --- a/usr/libexec/security-misc/remount-secure +++ /dev/null 
@@ -1,130 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## noexec in /tmp and/or /home can break some malware but also legitimate -## applications. - -## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707 - -set -x -set -e - -if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then - ## pre.bsh would `source` the following folders: - ## /etc/remount-secure_pre.d/*.conf - ## /usr/local/etc/remount-secure_pre.d/*.conf - source /usr/libexec/helper-scripts/pre.bsh -fi - -if [ -e /etc/remount-disable ] || [ -e /usr/local/etc/remount-disable ]; then - echo "INFO: file /etc/remount-disable exists. Doing nothing." - exit 0 -fi - -if [ -e /etc/exec ] || [ -e /usr/local/etc/exec ]; then - noexec=false - echo "INFO: Will remount with exec because file /etc/exec or /usr/local/etc/exec exists." -else - if [ -e /etc/noexec ] || [ -e /usr/local/etc/noexec ]; then - noexec=true - echo "INFO: Will remount with noexec because file /etc/noexec or /usr/local/etc/noexec exists." - else - echo "INFO: Will not remount with noexec because file /etc/noexec or /usr/local/etc/noexec does not exist." - fi -fi - -mkdir --parents "/var/run/remount-secure" - -if [ "$noexec" = "true" ]; then - noexec_maybe=",noexec" -fi - -exit_code=0 - -mount_output="$(mount)" - -remount_secure() { - ## ${FUNCNAME[1]} is the name of the calling function. I.e. the function - ## which called this function. - status_file_name="${FUNCNAME[1]}" - ## example status_file_name: - ## _home - status_file_full_path="/var/run/remount-secure/${status_file_name}" - ## example status_file_full_path: - ## /var/run/remount-secure/_home - - ## LANG=C str_replace is provided by package helper-scripts. 
- mount_folder="$(echo "${status_file_name}" | LANG=C str_replace "_" "/")" - ## example mount_folder: - ## /home - - mount_line_of_mount_folder="$(echo "$mount_output" | grep "$mount_folder ")" || true - - if echo "$mount_line_of_mount_folder" | grep -q "$new_mount_options" ; then - echo "INFO: $mount_folder has already intended mount options." - return 0 - fi - - if [ -e "$status_file_full_path" ]; then - echo "INFO: $mount_folder already remounted earlier. Not remounting again." - return 0 - fi - - ## BUG: echo: write error: Broken pipe - if echo "$mount_output" | grep -q "$mount_folder " ; then - ## Already mounted. Using remount. - echo mount -o "remount,${new_mount_options}" "$mount_folder" - mount -o "remount,${new_mount_options}" "$mount_folder" || exit_code=100 - else - ## Not yet mounted. Using mount bind. - echo mount -o "$new_mount_options" --bind "$mount_folder" "$mount_folder" - mount -o "$new_mount_options" --bind "$mount_folder" "$mount_folder" || exit_code=101 - fi - - touch "$status_file_full_path" -} - -_home() { - new_mount_options="nosuid,nodev${noexec_maybe}" - remount_secure "$@" -} - -_run() { - ## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html - new_mount_options="nosuid,nodev${noexec_maybe}" - remount_secure "$@" -} - -_dev_shm() { - new_mount_options="nosuid,nodev${noexec_maybe}" - remount_secure "$@" -} - -_tmp() { - new_mount_options="nosuid,nodev${noexec_maybe}" - remount_secure "$@" -} - -## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707/25 -# _lib() { -# ## Not using noexec on /lib. -# new_mount_options="nosuid,nodev" -# remount_secure "$@" -# } - -end() { - exit $exit_code -} - -main() { - _home "$@" - _run "$@" - _dev_shm "$@" - _tmp "$@" - #_lib "$@" - end "$@" -} - -main "$@" diff --git a/usr/libexec/security-misc/remove-system.map b/usr/libexec/security-misc/remove-system.map index a541222..5b75f6d 100755 
--- a/usr/libexec/security-misc/remove-system.map +++ b/usr/libexec/security-misc/remove-system.map @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then diff --git a/usr/libexec/security-misc/virusforget b/usr/libexec/security-misc/virusforget index 785d026..a5cb3ea 100755 --- a/usr/libexec/security-misc/virusforget +++ b/usr/libexec/security-misc/virusforget @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## VirusForget is inspired by Christopher Laprise. @@ -29,7 +29,7 @@ root_check() { parse_cmd_options() { ## Thanks to: - ## http://mywiki.wooledge.org/BashFAQ/035 + ## https://mywiki.wooledge.org/BashFAQ/035 while : do diff --git a/usr/share/doc/security-misc/fstab-vm b/usr/share/doc/security-misc/fstab-vm new file mode 100644 index 0000000..e02a087 --- /dev/null +++ b/usr/share/doc/security-misc/fstab-vm 
@@ -0,0 +1,40 @@ +# + +/dev/disk/by-uuid/26ada0c0-1165-4098-884d-aafd2220c2c6 / auto nofail,defaults,errors=remount-ro 0 1 + +proc /proc proc nofail,defaults 0 0 + +/dev /dev devtmpfs nofail,bind,remount,nosuid,noexec 0 0 +#udev /dev devtmpfs defaults,nosuid,noexec 0 0 + +## noexec optional +/dev/shm /dev/shm tmpfs nofail,nosuid,nodev,noexec 0 0 +#tmpfs /dev/shm tmpfs defaults,nosuid,nodev,noexec 0 0 + +## nodev,nosuid,noexec as per: +## https://www.debian.org/doc/manuals/securing-debian-manual/ch04s10.en.html +## Commented out by default to prevent warning: +## mount: /mnt/cdrom: mount point does not exist. +#/dev/cdrom /mnt/cdrom iso9660 nofail,ro,users,nodev,nosuid,noexec 0 0 + +/boot /boot none nofail,bind,nosuid,nodev,noexec 0 0 + +## noexec optional +/tmp /tmp tmpfs nofail,bind,nosuid,nodev,noexec 0 0 +#tmpfs /tmp tmpfs defaults,nodev,nosuid,noexec 0 0 + +/var /var none nofail,bind,nosuid,nodev 0 0 + +## noexec optional +/var/tmp /var/tmp none nofail,bind,nosuid,nodev,noexec 0 0 + +/var/log /var/log none nofail,bind,nosuid,nodev,noexec 0 0 + +## noexec optional +/run /run none nofail,bind,nosuid,nodev,noexec 0 0 + +## noexec optional +/home /home none nofail,bind,nosuid,nodev,noexec 0 0 + +## TODO: +#/sys diff --git a/usr/share/glib-2.0/schemas/30_security-misc.gschema.override b/usr/share/glib-2.0/schemas/30_security-misc.gschema.override index 2ee9098..2f56805 100644 --- a/usr/share/glib-2.0/schemas/30_security-misc.gschema.override +++ b/usr/share/glib-2.0/schemas/30_security-misc.gschema.override @@ -1,2 +1,5 @@ +## Copyright (C) 2017 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + [org.gnome.nautilus.preferences] show-image-thumbnails="never" diff --git a/usr/share/lintian/overrides/security-misc b/usr/share/lintian/overrides/security-misc index b18ab3b..26c3c70 100644 --- a/usr/share/lintian/overrides/security-misc +++ b/usr/share/lintian/overrides/security-misc 
@@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## The whole point of the package. @@ -9,3 +9,9 @@ security-misc: no-manual-page [usr/bin/pkexec.security-misc] ## Non-ideal but still a good solution. security-misc: file-in-unusual-dir [var/cache/security-misc/state-files/placeholder] + +## False-positive. Just a comment mentioning dpkg's folder. +security-misc: uses-dpkg-database-directly [usr/bin/remount-secure] + +## Special target to make sure this runs as non-parallelized as possible to avoid race conditions. +security-misc: systemd-service-file-refers-to-unusual-wantedby-target sysinit-post.target [usr/lib/systemd/system/remount-secure.service] diff --git a/usr/share/pam-configs/faillock-security-misc b/usr/share/pam-configs/faillock-preauth-security-misc similarity index 60% rename from usr/share/pam-configs/faillock-security-misc rename to usr/share/pam-configs/faillock-preauth-security-misc index d337690..f72826c 100644 --- a/usr/share/pam-configs/faillock-security-misc +++ b/usr/share/pam-configs/faillock-preauth-security-misc @@ -1,11 +1,8 @@ -Name: lock accounts after 50 failed authentication attempts (part 1) (by package security-misc) +Name: lock accounts after 50 failed authentication attempts (preauth component) (by package security-misc) Default: yes -Priority: 290 +Priority: 1024 Auth-Type: Primary Auth: optional pam_exec.so debug stdout seteuid /usr/libexec/security-misc/pam-info [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_faillock_not_if_x required pam_faillock.so preauth -Account-Type: Primary -Account: - requisite pam_faillock.so diff --git a/usr/share/pam-configs/faillock2-security-misc b/usr/share/pam-configs/faillock2-security-misc deleted file mode 100644 index 7bc5fb7..0000000 --- a/usr/share/pam-configs/faillock2-security-misc +++ /dev/null 
@@ -1,8 +0,0 @@ -Name: lock accounts after 50 failed authentication attempts (part 2) (by package security-misc) -Default: yes -Priority: 245 -Auth-Type: Primary -Auth: - [success=2 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_faillock_not_if_x - [default=die] pam_faillock.so authfail - sufficient pam_faillock.so authsucc diff --git a/usr/share/pam-configs/umask-security-misc b/usr/share/pam-configs/umask-security-misc new file mode 100644 index 0000000..b29e433 --- /dev/null +++ b/usr/share/pam-configs/umask-security-misc @@ -0,0 +1,9 @@ +Name: Restrict umask to 027 for non-root users (by package security-misc) +Default: yes +Priority: 100 +Session-Type: Additional +Session: + [success=1 default=ignore] pam_succeed_if.so uid eq 0 + optional pam_umask.so umask=027 + [success=1 default=ignore] pam_succeed_if.so uid ne 0 + optional pam_umask.so umask=022 diff --git a/usr/share/pam-configs/unix-faillock-security-misc b/usr/share/pam-configs/unix-faillock-security-misc new file mode 100644 index 0000000..876ffa8 --- /dev/null +++ b/usr/share/pam-configs/unix-faillock-security-misc 
@@ -0,0 +1,20 @@ +Name: Unix authentication with faillock (by package security-misc) +Default: yes +Priority: 384 +Auth-Type: Primary +Auth: + [success=3 default=ignore] pam_unix.so nullok try_first_pass + [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_faillock_not_if_x + [default=die] pam_faillock.so authfail + requisite pam_deny.so + [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_faillock_not_if_x + optional pam_faillock.so authsucc + required pam_permit.so +Auth-Initial: + [success=3 default=ignore] pam_unix.so nullok + [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_faillock_not_if_x + [default=die] pam_faillock.so authfail + requisite pam_deny.so + [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_faillock_not_if_x + optional pam_faillock.so authsucc + required pam_permit.so diff --git a/usr/share/pam-configs/wheel-security-misc b/usr/share/pam-configs/wheel-security-misc index 323ff72..eb8a9df 100644 --- a/usr/share/pam-configs/wheel-security-misc +++ b/usr/share/pam-configs/wheel-security-misc @@ -1,6 +1,7 @@ Name: group sudo membership required to use su (by package security-misc) Default: yes -Priority: 280 +Priority: 1050 Auth-Type: Primary Auth: + [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_only_if_su requisite pam_wheel.so group=sudo debug diff --git a/usr/share/security-misc/dolphinrc b/usr/share/security-misc/dolphinrc index 0d4b739..9028487 100644 --- a/usr/share/security-misc/dolphinrc +++ b/usr/share/security-misc/dolphinrc @@ -1,6 +1,5 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions [PreviewSettings] Plugins= - diff --git a/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf b/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf index 1336b2c..150e06b 100644 
--- a/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf +++ b/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2021 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2021 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## LKRG VirtualBox host configuration @@ -15,7 +15,7 @@ ## /etc/sysctl.d/30-lkrg-virtualbox.conf ## by package security-misc, files: ## /usr/share/security-misc/lkrg/lkrg-virtualbox -## /lib/systemd/system/lkrg.service.d/40-virtualbox.conf +## /usr/lib/systemd/system/lkrg.service.d/40-virtualbox.conf ## https://forums.whonix.org/t/linux-kernel-runtime-guard-lkrg-linux-kernel-runtime-integrity-checking-and-exploit-detection/8477/32 ## https://www.openwall.com/lists/lkrg-users/2020/01/24/2 @@ -24,7 +24,7 @@ ## https://github.com/openwall/lkrg/blob/main/scripts/bootup/lkrg.conf ## https://github.com/openwall/lkrg/blob/main/scripts/bootup/systemd/lkrg.service ## /etc/sysctl.d/30-lkrg-dkms.conf -## /lib/systemd/system/lkrg.service +## /usr/lib/systemd/system/lkrg.service ## https://github.com/openwall/lkrg/issues/82#issuecomment-886188999 lkrg.pcfi_validate = 1 diff --git a/usr/share/security-misc/lkrg/lkrg-virtualbox b/usr/share/security-misc/lkrg/lkrg-virtualbox index 022d2dc..4e1754c 100755 --- a/usr/share/security-misc/lkrg/lkrg-virtualbox +++ b/usr/share/security-misc/lkrg/lkrg-virtualbox 
@@ -1,13 +1,19 @@ #!/bin/bash -## Copyright (C) 2021 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2021 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. -set -x +#set -x set -e +## provides function: pkg_installed +source /usr/libexec/helper-scripts/package_installed_check.bsh + +## Check if the VirtualBox host software is installed. if ! command -v vboxmanage &>/dev/null ; then + ## VirtualBox host software is not installed. if test -f /etc/sysctl.d/30-lkrg-virtualbox.conf ; then + ## Delete using '--verbose' so user is notified. rm --force --verbose /etc/sysctl.d/30-lkrg-virtualbox.conf fi exit 0 @@ -21,4 +27,9 @@ if ! test -f /usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf ; then exit 0 fi +if ! pkg_installed "lkrg" ; then + exit 0 +fi + +## Delete using '--verbose' so user is notified. cp --verbose /usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf /etc/sysctl.d/30-lkrg-virtualbox.conf diff --git a/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded b/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded new file mode 100644 index 0000000..d40c552 --- /dev/null +++ b/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded 
@@ -0,0 +1,36 @@ +root root 644 /etc/passwd- +root root 755 /etc/cron.monthly +root root 755 /etc/sudoers.d +root shadow 2755 /usr/bin/expiry +root root 4755 /usr/bin/umount +root root 4755 /usr/bin/gpasswd +root root 755 /usr/lib/modules +root root 644 /etc/issue.net +root root 644 /etc/group- +root root 4755 /usr/bin/newgrp +root root 755 /etc/cron.weekly +root root 644 /etc/hosts.deny +root root 4755 /usr/bin/su +root root 644 /etc/hosts.allow +root root 700 /root +root root 755 /etc/cron.daily +root root 755 /bin/ping +root root 777 /etc/motd.kicksecure +root root 777 /etc/motd.whonix +root root 755 /boot +root root 755 /home +root shadow 2755 /usr/bin/chage +root root 4755 /usr/bin/chsh +root root 4755 /usr/bin/passwd +root root 4755 /usr/bin/chfn +root root 644 /etc/group +root root 755 /etc/permission-hardener.d +root root 644 /etc/passwd +root root 755 /usr/src +root root 4755 /usr/bin/mount +root root 777 /etc/issue.kicksecure +root root 777 /etc/issue.whonix +root root 755 /etc/cron.d +root root 4755 /usr/bin/sudo +root root 4755 /usr/bin/pkexec +root root 4755 /usr/lib/polkit-1/polkit-agent-helper-1 diff --git a/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded b/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded new file mode 100644 index 0000000..d1b3a80 --- /dev/null +++ b/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded 
@@ -0,0 +1,26 @@ +root root 700 /etc/cron.monthly +root root 700 /etc/sudoers.d +root shadow 744 /usr/bin/expiry +root root 755 /usr/bin/umount +root root 744 /usr/bin/gpasswd +root root 700 /usr/lib/modules +root root 744 /usr/bin/newgrp +root root 700 /etc/cron.weekly +root root 744 /usr/bin/su +root root 700 /etc/cron.daily +root root 755 /bin/ping +root root 644 /etc/motd.kicksecure +root root 644 /etc/motd.whonix +root _ssh 744 /usr/bin/ssh-agent +root root 700 /boot +root shadow 744 /usr/bin/chage +root root 744 /usr/lib/openssh/ssh-keysign +root root 744 /usr/bin/chsh +root root 755 /usr/bin/passwd +root root 744 /usr/bin/chfn +root root 600 /etc/permission-hardener.d +root root 700 /usr/src +root root 755 /usr/bin/mount +root root 644 /etc/issue.kicksecure +root root 644 /etc/issue.whonix +root root 700 /etc/cron.d
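Review bot: the deleted usr/libexec/security-misc/remount-secure has no replacement visible in this diff, yet the new lintian overrides refer to usr/bin/remount-secure and usr/lib/systemd/system/remount-secure.service, so the script presumably moved. The commit message should say so and confirm that the opt-out files the old script honored (/etc/remount-disable, /etc/exec, /etc/noexec and their /usr/local/etc counterparts) are still honored at the new location; otherwise existing deployments change behaviour silently.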
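Review bot: in the new usr/share/doc/security-misc/fstab-vm, the line `/tmp /tmp tmpfs nofail,bind,nosuid,nodev,noexec 0 0` mixes `bind` with a `tmpfs` type; mount ignores the filesystem type for bind mounts, so this is a self bind of /tmp, not the tmpfs that the commented `#tmpfs /tmp tmpfs defaults,nodev,nosuid,noexec 0 0` alternative would give. Either use `none` as the type, consistent with the other bind entries (`/boot`, `/var`, `/var/tmp`, `/var/log`, `/run`, `/home`), or drop `bind` to get a real tmpfs; the `/dev /dev devtmpfs nofail,bind,remount,...` line has the same mix. Also, the `/dev/disk/by-uuid/...` root entry hard-codes one specific UUID, so a comment marking it as an example to be replaced would prevent it being copied into a VM verbatim, and this new file lacks the `## Copyright (C) ... ENCRYPTED SUPPORT LLC` / `## See the file COPYING for copying conditions.` header that this same commit adds to 30_security-misc.gschema.override.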
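Review bot: dropping the `Account-Type: Primary` / `Account: requisite pam_faillock.so` section from the renamed faillock-preauth-security-misc means that handling of the failure counter after a successful login now depends entirely on the `optional pam_faillock.so authsucc` line in the new unix-faillock-security-misc file, and the ordering depends on the Priority change 290 to 1024 placing this preauth line ahead of pam_unix at Priority 384 (with wheel-security-misc at 1050 ahead of both). A comment in this file pointing at that dependency would help, since a reader of one pam-configs file cannot see the other.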
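Review bot: in the new umask-security-misc, neither `pam_succeed_if.so` line carries `quiet`, so every session start logs the non-matching uid check (pam_succeed_if logs success and failure by default); `pam_exec.so` elsewhere in this patch already uses `quiet`, so `[success=1 default=ignore] pam_succeed_if.so uid eq 0 quiet` would be consistent. The control flow itself is correct: root skips `umask=027` and falls through to `umask=022`, non-root applies 027 and skips 022; a one-line comment stating that root is deliberately kept at 022 would spare the next reader that trace.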
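Review bot: unix-faillock-security-misc keeps `nullok` on both `pam_unix.so` lines (Auth and Auth-Initial), which lets accounts with an empty password field authenticate; for a stack whose purpose is to lock accounts after failed attempts, a comment justifying why empty passwords remain accepted, or dropping the option, would be appropriate. The `[success=3 default=ignore] pam_unix.so` jump count also silently depends on the three lines that follow it; a comment naming the jump target (the second `pam_exec.so ... pam_faillock_not_if_x` line before `authsucc`) makes later edits to the stack safer.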
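Review bot: the new `[success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_only_if_su` line in wheel-security-misc makes the exit status of that helper the sole gate on whether `requisite pam_wheel.so group=sudo debug` is evaluated at all, so the helper's success condition should be documented in this file, and the `Name:` line should say the restriction now applies only when su is the caller. The `debug` option on pam_wheel also remains on what is now a production line.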
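Review bot: in lkrg-virtualbox the comment `## Delete using '--verbose' so user is notified.` is duplicated above the final `cp --verbose ...` line, where it should read "Copy". Also `source /usr/libexec/helper-scripts/package_installed_check.bsh` is unguarded under `set -e`, unlike the `if [ -f /usr/libexec/helper-scripts/pre.bsh ]` pattern used by remove-system.map in this same diff; if helper-scripts is not a hard dependency, the script now aborts with an error instead of its previous `exit 0` paths.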
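Review bot: the new permission-hardener-existing-mode-legacy-hardcoded records `root root 777 /etc/motd.kicksecure`, `/etc/motd.whonix`, `/etc/issue.kicksecure` and `/etc/issue.whonix` as world-writable; if this file is a snapshot of legacy state used for restoring rather than a target, a header comment saying what it is for and how it pairs with the new-mode file would stop it being read as a list of recommended modes.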
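Review bot: permission-hardener-new-mode-legacy-hardcoded contains `root _ssh 744 /usr/bin/ssh-agent` and `root root 744 /usr/lib/openssh/ssh-keysign`, which have no entry in the existing-mode list, while `/usr/bin/sudo`, `/usr/bin/pkexec` and `/usr/lib/polkit-1/polkit-agent-helper-1` (4755 in the existing-mode list) have no new mode; if the two files are meant to pair (old mode to restore, new mode to apply), the asymmetry should be explained or fixed. Note also that 744 on `/usr/bin/su`, `/usr/bin/chsh`, `/usr/bin/chfn`, `/usr/bin/newgrp` and `/usr/bin/gpasswd` drops the setuid bit they carry in the existing-mode list (4755), which makes them unusable by non-root users; if that is the intent, a header comment saying so avoids surprises.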