bumped changelog version

to avoid permission issues

.gitignore

@@ -0,0 +1 @@
+pkgs

COPYING

@@ -1,212 +1,668 @@
 Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 
 Files: *
-Copyright: 2012 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
-License: GPL-3+-with-additional-terms-1
- This program is free software: you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation, either version 3 of the License, or
- (at your option) any later version.
+Copyright: 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+License: AGPL-3+
+
+License: AGPL-3+
+                    GNU AFFERO GENERAL PUBLIC LICENSE
+                       Version 3, 19 November 2007
  .
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- GNU General Public License for more details.
+ Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
  .
- You should have received a copy of the GNU General Public License
- along with this program.  If not, see <https://www.gnu.org/licenses/>.
+                            Preamble
  .
- On Debian systems, the full text of the GNU General Public
- License version 3 can be found in the file
- `/usr/share/common-licenses/GPL-3'.
+ The GNU Affero General Public License is a free, copyleft license for
+ software and other kinds of works, specifically designed to ensure
+ cooperation with the community in the case of network server software.
  .
- ADDITIONAL TERMS APPLICABLE per GNU GPL version 3 section 7
+ The licenses for most software and other practical works are designed
+ to take away your freedom to share and change the works.  By contrast,
+ our General Public Licenses are intended to guarantee your freedom to
+ share and change all versions of a program--to make sure it remains free
+ software for all its users.
  .
- 1. Replacement of Section 15.  Section 15 of the GPL shall be deleted in its
- entirety and replaced with the following:
+  When we speak of free software, we are referring to freedom, not
+ price.  Our General Public Licenses are designed to make sure that you
+ have the freedom to distribute copies of free software (and charge for
+ them if you wish), that you receive source code or can get it if you
+ want it, that you can change the software or use pieces of it in new
+ free programs, and that you know you can do these things.
  .
- 15. Disclaimer of Warranty.
+  Developers that use our General Public Licenses protect your rights
+ with two steps: (1) assert copyright on the software, and (2) offer
+ you this License which gives you legal permission to copy, distribute
+ and/or modify the software.
  .
- THE PROGRAM IS PROVIDED WITHOUT ANY WARRANTIES, WHETHER EXPRESSED OR IMPLIED,
- INCLUDING, WITHOUT LIMITATION, IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR
- PURPOSE, NON-INFRINGEMENT, TITLE AND MERCHANTABILITY.  THE PROGRAM IS BEING
- DELIVERED OR MADE AVAILABLE 'AS IS', 'WITH ALL FAULTS' AND WITHOUT WARRANTY OR
- REPRESENTATION.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE
- PROGRAM IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+ A secondary benefit of defending all users' freedom is that
+ improvements made in alternate versions of the program, if they
+ receive widespread use, become available for other developers to
+ incorporate.  Many developers of free software are heartened and
+ encouraged by the resulting cooperation.  However, in the case of
+ software used on network servers, this result may fail to come about.
+ The GNU General Public License permits making a modified version and
+ letting the public access it on a server without ever releasing its
+ source code to the public.
+ .
+ The GNU Affero General Public License is designed specifically to
+ ensure that, in such cases, the modified source code becomes available
+ to the community.  It requires the operator of a network server to
+ provide the source code of the modified version running there to the
+ users of that server.  Therefore, public use of a modified version, on
+ a publicly accessible server, gives the public access to the source
+ code of the modified version.
+ .
+ An older license, called the Affero General Public License and
+ published by Affero, was designed to accomplish similar goals.  This is
+ a different license, not a version of the Affero GPL, but Affero has
+ released a new version of the Affero GPL which permits relicensing under
+ this license.
+ .
+ The precise terms and conditions for copying, distribution and
+ modification follow.
+ .
+                       TERMS AND CONDITIONS
+ .
+  0. Definitions.
+ .
+  "This License" refers to version 3 of the GNU Affero General Public License.
+ .
+  "Copyright" also means copyright-like laws that apply to other kinds of
+ works, such as semiconductor masks.
+ .
+ "The Program" refers to any copyrightable work licensed under this
+ License.  Each licensee is addressed as "you".  "Licensees" and
+ "recipients" may be individuals or organizations.
+ .
+ To "modify" a work means to copy from or adapt all or part of the work
+ in a fashion requiring copyright permission, other than the making of an
+ exact copy.  The resulting work is called a "modified version" of the
+ earlier work or a work "based on" the earlier work.
+ .
+ A "covered work" means either the unmodified Program or a work based
+ on the Program.
+ .
+ To "propagate" a work means to do anything with it that, without
+ permission, would make you directly or secondarily liable for
+ infringement under applicable copyright law, except executing it on a
+ computer or modifying a private copy.  Propagation includes copying,
+ distribution (with or without modification), making available to the
+ public, and in some countries other activities as well.
+ .
+ To "convey" a work means any kind of propagation that enables other
+ parties to make or receive copies.  Mere interaction with a user through
+ a computer network, with no transfer of a copy, is not conveying.
+ .
+ An interactive user interface displays "Appropriate Legal Notices"
+ to the extent that it includes a convenient and prominently visible
+ feature that (1) displays an appropriate copyright notice, and (2)
+ tells the user that there is no warranty for the work (except to the
+ extent that warranties are provided), that licensees may convey the
+ work under this License, and how to view a copy of this License.  If
+ the interface presents a list of user commands or options, such as a
+ menu, a prominent item in the list meets this criterion.
+ .
+ 1. Source Code.
+ .
+ The "source code" for a work means the preferred form of the work
+ for making modifications to it.  "Object code" means any non-source
+ form of a work.
+ .
+ A "Standard Interface" means an interface that either is an official
+ standard defined by a recognized standards body, or, in the case of
+ interfaces specified for a particular programming language, one that
+ is widely used among developers working in that language.
+ .
+ The "System Libraries" of an executable work include anything, other
+ than the work as a whole, that (a) is included in the normal form of
+ packaging a Major Component, but which is not part of that Major
+ Component, and (b) serves only to enable use of the work with that
+ Major Component, or to implement a Standard Interface for which an
+ implementation is available to the public in source code form.  A
+ "Major Component", in this context, means a major essential component
+ (kernel, window system, and so on) of the specific operating system
+ (if any) on which the executable work runs, or a compiler used to
+ produce the work, or an object code interpreter used to run it.
+ .
+ The "Corresponding Source" for a work in object code form means all
+ the source code needed to generate, install, and (for an executable
+ work) run the object code and to modify the work, including scripts to
+ control those activities.  However, it does not include the work's
+ System Libraries, or general-purpose tools or generally available free
+ programs which are used unmodified in performing those activities but
+ which are not part of the work.  For example, Corresponding Source
+ includes interface definition files associated with source files for
+ the work, and the source code for shared libraries and dynamically
+ linked subprograms that the work is specifically designed to require,
+ such as by intimate data communication or control flow between those
+ subprograms and other parts of the work.
+ .
+ The Corresponding Source need not include anything that users
+ can regenerate automatically from other parts of the Corresponding
+ Source.
+ .
+ The Corresponding Source for a work in source code form is that
+ same work.
+ .
+  2. Basic Permissions.
+ .
+  All rights granted under this License are granted for the term of
+ copyright on the Program, and are irrevocable provided the stated
+ conditions are met.  This License explicitly affirms your unlimited
+ permission to run the unmodified Program.  The output from running a
+ covered work is covered by this License only if the output, given its
+ content, constitutes a covered work.  This License acknowledges your
+ rights of fair use or other equivalent, as provided by copyright law.
+ .
+ You may make, run and propagate covered works that you do not
+ convey, without conditions so long as your license otherwise remains
+ in force.  You may convey covered works to others for the sole purpose
+ of having them make modifications exclusively for you, or provide you
+ with facilities for running those works, provided that you comply with
+ the terms of this License in conveying all material for which you do
+ not control copyright.  Those thus making or running the covered works
+ for you must do so exclusively on your behalf, under your direction
+ and control, on terms that prohibit them from making any copies of
+ your copyrighted material outside their relationship with you.
+ .
+ Conveying under any other circumstances is permitted solely under
+ the conditions stated below.  Sublicensing is not allowed; section 10
+ makes it unnecessary.
+ .
+  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+ .
+ No covered work shall be deemed part of an effective technological
+ measure under any applicable law fulfilling obligations under article
+ 11 of the WIPO copyright treaty adopted on 20 December 1996, or
+ similar laws prohibiting or restricting circumvention of such
+ measures.
+ .
+ When you convey a covered work, you waive any legal power to forbid
+ circumvention of technological measures to the extent such circumvention
+ is effected by exercising rights under this License with respect to
+ the covered work, and you disclaim any intention to limit operation or
+ modification of the work as a means of enforcing, against the work's
+ users, your or third parties' legal rights to forbid circumvention of
+ technological measures.
+ .
+  4. Conveying Verbatim Copies.
+ .
+ You may convey verbatim copies of the Program's source code as you
+ receive it, in any medium, provided that you conspicuously and
+ appropriately publish on each copy an appropriate copyright notice;
+ keep intact all notices stating that this License and any
+ non-permissive terms added in accord with section 7 apply to the code;
+ keep intact all notices of the absence of any warranty; and give all
+ recipients a copy of this License along with the Program.
+ .
+ You may charge any price or no price for each copy that you convey,
+ and you may offer support or warranty protection for a fee.
+ .
+  5. Conveying Modified Source Versions.
+ .
+ You may convey a work based on the Program, or the modifications to
+ produce it from the Program, in the form of source code under the
+ terms of section 4, provided that you also meet all of these conditions:
+ .
+    a) The work must carry prominent notices stating that you modified
+    it, and giving a relevant date.
+ .
+    b) The work must carry prominent notices stating that it is
+    released under this License and any conditions added under section
+    7.  This requirement modifies the requirement in section 4 to
+    "keep intact all notices".
+ .
+    c) You must license the entire work, as a whole, under this
+    License to anyone who comes into possession of a copy.  This
+    License will therefore apply, along with any applicable section 7
+    additional terms, to the whole of the work, and all its parts,
+    regardless of how they are packaged.  This License gives no
+    permission to license the work in any other way, but it does not
+    invalidate such permission if you have separately received it.
+ .
+    d) If the work has interactive user interfaces, each must display
+    Appropriate Legal Notices; however, if the Program has interactive
+    interfaces that do not display Appropriate Legal Notices, your
+    work need not make them do so.
+ .
+ A compilation of a covered work with other separate and independent
+ works, which are not by their nature extensions of the covered work,
+ and which are not combined with it such as to form a larger program,
+ in or on a volume of a storage or distribution medium, is called an
+ "aggregate" if the compilation and its resulting copyright are not
+ used to limit the access or legal rights of the compilation's users
+ beyond what the individual works permit.  Inclusion of a covered work
+ in an aggregate does not cause this License to apply to the other
+ parts of the aggregate.
+ .
+  6. Conveying Non-Source Forms.
+ .
+ You may convey a covered work in object code form under the terms
+ of sections 4 and 5, provided that you also convey the
+ machine-readable Corresponding Source under the terms of this License,
+ in one of these ways:
+ .
+    a) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by the
+    Corresponding Source fixed on a durable physical medium
+    customarily used for software interchange.
+ .
+    b) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by a
+    written offer, valid for at least three years and valid for as
+    long as you offer spare parts or customer support for that product
+    model, to give anyone who possesses the object code either (1) a
+    copy of the Corresponding Source for all the software in the
+    product that is covered by this License, on a durable physical
+    medium customarily used for software interchange, for a price no
+    more than your reasonable cost of physically performing this
+    conveying of source, or (2) access to copy the
+    Corresponding Source from a network server at no charge.
+ .
+    c) Convey individual copies of the object code with a copy of the
+    written offer to provide the Corresponding Source.  This
+    alternative is allowed only occasionally and noncommercially, and
+    only if you received the object code with such an offer, in accord
+    with subsection 6b.
+ .
+    d) Convey the object code by offering access from a designated
+    place (gratis or for a charge), and offer equivalent access to the
+    Corresponding Source in the same way through the same place at no
+    further charge.  You need not require recipients to copy the
+    Corresponding Source along with the object code.  If the place to
+    copy the object code is a network server, the Corresponding Source
+    may be on a different server (operated by you or a third party)
+    that supports equivalent copying facilities, provided you maintain
+    clear directions next to the object code saying where to find the
+    Corresponding Source.  Regardless of what server hosts the
+    Corresponding Source, you remain obligated to ensure that it is
+    available for as long as needed to satisfy these requirements.
+ .
+    e) Convey the object code using peer-to-peer transmission, provided
+    you inform other peers where the object code and Corresponding
+    Source of the work are being offered to the general public at no
+    charge under subsection 6d.
+ .
+ A separable portion of the object code, whose source code is excluded
+ from the Corresponding Source as a System Library, need not be
+ included in conveying the object code work.
+ .
+ A "User Product" is either (1) a "consumer product", which means any
+ tangible personal property which is normally used for personal, family,
+ or household purposes, or (2) anything designed or sold for incorporation
+ into a dwelling.  In determining whether a product is a consumer product,
+ doubtful cases shall be resolved in favor of coverage.  For a particular
+  product received by a particular user, "normally used" refers to a
+ typical or common use of that class of product, regardless of the status
+ of the particular user or of the way in which the particular user
+ actually uses, or expects or is expected to use, the product.  A product
+ is a consumer product regardless of whether the product has substantial
+ commercial, industrial or non-consumer uses, unless such uses represent
+ the only significant mode of use of the product.
+ .
+ "Installation Information" for a User Product means any methods,
+ procedures, authorization keys, or other information required to install
+ and execute modified versions of a covered work in that User Product from
+ a modified version of its Corresponding Source.  The information must
+ suffice to ensure that the continued functioning of the modified object
+ code is in no case prevented or interfered with solely because
+ modification has been made.
+ .
+ If you convey an object code work under this section in, or with, or
+ specifically for use in, a User Product, and the conveying occurs as
+ part of a transaction in which the right of possession and use of the
+ User Product is transferred to the recipient in perpetuity or for a
+ fixed term (regardless of how the transaction is characterized), the
+ Corresponding Source conveyed under this section must be accompanied
+ by the Installation Information.  But this requirement does not apply
+ if neither you nor any third party retains the ability to install
+ modified object code on the User Product (for example, the work has
+ been installed in ROM).
+ .
+ The requirement to provide Installation Information does not include a
+ requirement to continue to provide support service, warranty, or updates
+ for a work that has been modified or installed by the recipient, or for
+ the User Product in which it has been modified or installed.  Access to a
+ network may be denied when the modification itself materially and
+ adversely affects the operation of the network or violates the rules and
+ protocols for communication across the network.
+ .
+ Corresponding Source conveyed, and Installation Information provided,
+ in accord with this section must be in a format that is publicly
+ documented (and with an implementation available to the public in
+ source code form), and must require no special password or key for
+ unpacking, reading or copying.
+ .
+  7. Additional Terms.
+ .
+ "Additional permissions" are terms that supplement the terms of this
+ License by making exceptions from one or more of its conditions.
+ Additional permissions that are applicable to the entire Program shall
+ be treated as though they were included in this License, to the extent
+ that they are valid under applicable law.  If additional permissions
+ apply only to part of the Program, that part may be used separately
+ under those permissions, but the entire Program remains governed by
+ this License without regard to the additional permissions.
+ .
+ When you convey a copy of a covered work, you may at your option
+ remove any additional permissions from that copy, or from any part of
+ it.  (Additional permissions may be written to require their own
+ removal in certain cases when you modify the work.)  You may place
+ additional permissions on material, added by you to a covered work,
+ for which you have or can give appropriate copyright permission.
+ .
+ Notwithstanding any other provision of this License, for material you
+ add to a covered work, you may (if authorized by the copyright holders of
+ that material) supplement the terms of this License with terms:
+ .
+    a) Disclaiming warranty or limiting liability differently from the
+    terms of sections 15 and 16 of this License; or
+ .
+    b) Requiring preservation of specified reasonable legal notices or
+    author attributions in that material or in the Appropriate Legal
+    Notices displayed by works containing it; or
+ .
+    c) Prohibiting misrepresentation of the origin of that material, or
+    requiring that modified versions of such material be marked in
+    reasonable ways as different from the original version; or
+ .
+    d) Limiting the use for publicity purposes of names of licensors or
+    authors of the material; or
+ .
+    e) Declining to grant rights under trademark law for use of some
+    trade names, trademarks, or service marks; or
+ .
+    f) Requiring indemnification of licensors and authors of that
+    material by anyone who conveys the material (or modified versions of
+    it) with contractual assumptions of liability to the recipient, for
+    any liability that these contractual assumptions directly impose on
+    those licensors and authors.
+ .
+ All other non-permissive additional terms are considered "further
+ restrictions" within the meaning of section 10.  If the Program as you
+ received it, or any part of it, contains a notice stating that it is
+ governed by this License along with a term that is a further
+ restriction, you may remove that term.  If a license document contains
+ a further restriction but permits relicensing or conveying under this
+ License, you may add to a covered work material governed by the terms
+ of that license document, provided that the further restriction does
+ not survive such relicensing or conveying.
+ .
+ If you add terms to a covered work in accord with this section, you
+ must place, in the relevant source files, a statement of the
+ additional terms that apply to those files, or a notice indicating
+ where to find the applicable terms.
+ .
+ Additional terms, permissive or non-permissive, may be stated in the
+ form of a separately written license, or stated as exceptions;
+ the above requirements apply either way.
+ .
+  8. Termination.
+ .
+ You may not propagate or modify a covered work except as expressly
+ provided under this License.  Any attempt otherwise to propagate or
+ modify it is void, and will automatically terminate your rights under
+ this License (including any patent licenses granted under the third
+ paragraph of section 11).
+ .
+ However, if you cease all violation of this License, then your
+ license from a particular copyright holder is reinstated (a)
+ provisionally, unless and until the copyright holder explicitly and
+ finally terminates your license, and (b) permanently, if the copyright
+ holder fails to notify you of the violation by some reasonable means
+ prior to 60 days after the cessation.
+ .
+ Moreover, your license from a particular copyright holder is
+ reinstated permanently if the copyright holder notifies you of the
+ violation by some reasonable means, this is the first time you have
+ received notice of violation of this License (for any work) from that
+ copyright holder, and you cure the violation prior to 30 days after
+ your receipt of the notice.
+ .
+ Termination of your rights under this section does not terminate the
+ licenses of parties who have received copies or rights from you under
+ this License.  If your rights have been terminated and not permanently
+ reinstated, you do not qualify to receive new licenses for the same
+ material under section 10.
+ .
+  9. Acceptance Not Required for Having Copies.
+ .
+ You are not required to accept this License in order to receive or
+ run a copy of the Program.  Ancillary propagation of a covered work
+ occurring solely as a consequence of using peer-to-peer transmission
+ to receive a copy likewise does not require acceptance.  However,
+ nothing other than this License grants you permission to propagate or
+ modify any covered work.  These actions infringe copyright if you do
+ not accept this License.  Therefore, by modifying or propagating a
+ covered work, you indicate your acceptance of this License to do so.
+ .
+  10. Automatic Licensing of Downstream Recipients.
+ .
+ Each time you convey a covered work, the recipient automatically
+ receives a license from the original licensors, to run, modify and
+ propagate that work, subject to this License.  You are not responsible
+ for enforcing compliance by third parties with this License.
+ .
+ An "entity transaction" is a transaction transferring control of an
+ organization, or substantially all assets of one, or subdividing an
+ organization, or merging organizations.  If propagation of a covered
+ work results from an entity transaction, each party to that
+ transaction who receives a copy of the work also receives whatever
+ licenses to the work the party's predecessor in interest had or could
+ give under the previous paragraph, plus a right to possession of the
+ Corresponding Source of the work from the predecessor in interest, if
+ the predecessor has it or can get it with reasonable efforts.
+ .
+  You may not impose any further restrictions on the exercise of the
+ rights granted or affirmed under this License.  For example, you may
+ not impose a license fee, royalty, or other charge for exercise of
+ rights granted under this License, and you may not initiate litigation
+ (including a cross-claim or counterclaim in a lawsuit) alleging that
+ any patent claim is infringed by making, using, selling, offering for
+ sale, or importing the Program or any portion of it.
+ .
+  11. Patents.
+ .
+ A "contributor" is a copyright holder who authorizes use under this
+ License of the Program or a work on which the Program is based.  The
+ work thus licensed is called the contributor's "contributor version".
+ .
+ A contributor's "essential patent claims" are all patent claims
+ owned or controlled by the contributor, whether already acquired or
+ hereafter acquired, that would be infringed by some manner, permitted
+ by this License, of making, using, or selling its contributor version,
+ but do not include claims that would be infringed only as a
+ consequence of further modification of the contributor version.  For
+ purposes of this definition, "control" includes the right to grant
+ patent sublicenses in a manner consistent with the requirements of
+ this License.
+ .
+ Each contributor grants you a non-exclusive, worldwide, royalty-free
+ patent license under the contributor's essential patent claims, to
+ make, use, sell, offer for sale, import and otherwise run, modify and
+ propagate the contents of its contributor version.
+ .
+ In the following three paragraphs, a "patent license" is any express
+ agreement or commitment, however denominated, not to enforce a patent
+ (such as an express permission to practice a patent or covenant not to
+ sue for patent infringement).  To "grant" such a patent license to a
+ party means to make such an agreement or commitment not to enforce a
+ patent against the party.
+ .
+ If you convey a covered work, knowingly relying on a patent license,
+ and the Corresponding Source of the work is not available for anyone
+ to copy, free of charge and under the terms of this License, through a
+ publicly available network server or other readily accessible means,
+ then you must either (1) cause the Corresponding Source to be so
+ available, or (2) arrange to deprive yourself of the benefit of the
+ patent license for this particular work, or (3) arrange, in a manner
+ consistent with the requirements of this License, to extend the patent
+ license to downstream recipients.  "Knowingly relying" means you have
+ actual knowledge that, but for the patent license, your conveying the
+ covered work in a country, or your recipient's use of the covered work
+ in a country, would infringe one or more identifiable patents in that
+ country that you have reason to believe are valid.
+ .
+ If, pursuant to or in connection with a single transaction or
+ arrangement, you convey, or propagate by procuring conveyance of, a
+ covered work, and grant a patent license to some of the parties
+ receiving the covered work authorizing them to use, propagate, modify
+ or convey a specific copy of the covered work, then the patent license
+ you grant is automatically extended to all recipients of the covered
+ work and works based on it.
+ .
+ A patent license is "discriminatory" if it does not include within
+ the scope of its coverage, prohibits the exercise of, or is
+ conditioned on the non-exercise of one or more of the rights that are
+ specifically granted under this License.  You may not convey a covered
+ work if you are a party to an arrangement with a third party that is
+ in the business of distributing software, under which you make payment
+ to the third party based on the extent of your activity of conveying
+ the work, and under which the third party grants, to any of the
+ parties who would receive the covered work from you, a discriminatory
+ patent license (a) in connection with copies of the covered work
+ conveyed by you (or copies made from those copies), or (b) primarily
+ for and in connection with specific products or compilations that
+ contain the covered work, unless you entered into that arrangement,
+ or that patent license was granted, prior to 28 March 2007.
+ .
+ Nothing in this License shall be construed as excluding or limiting
+ any implied license or other defenses to infringement that may
+ otherwise be available to you under applicable patent law.
+ .
+  12. No Surrender of Others' Freedom.
+ .
+ If conditions are imposed on you (whether by court order, agreement or
+ otherwise) that contradict the conditions of this License, they do not
+ excuse you from the conditions of this License.  If you cannot convey a
+ covered work so as to satisfy simultaneously your obligations under this
+ License and any other pertinent obligations, then as a consequence you may
+ not convey it at all.  For example, if you agree to terms that obligate you
+ to collect a royalty for further conveying from those to whom you convey
+ the Program, the only way you could satisfy both those terms and this
+ License would be to refrain entirely from conveying the Program.
+ .
+  13. Remote Network Interaction; Use with the GNU General Public License.
+ .
+ Notwithstanding any other provision of this License, if you modify the
+ Program, your modified version must prominently offer all users
+ interacting with it remotely through a computer network (if your version
+ supports such interaction) an opportunity to receive the Corresponding
+ Source of your version by providing access to the Corresponding Source
+ from a network server at no charge, through some standard or customary
+ means of facilitating copying of software.  This Corresponding Source
+ shall include the Corresponding Source for any work covered by version 3
+ of the GNU General Public License that is incorporated pursuant to the
+ following paragraph.
+ .
+ Notwithstanding any other provision of this License, you have
+ permission to link or combine any covered work with a work licensed
+ under version 3 of the GNU General Public License into a single
+ combined work, and to convey the resulting work.  The terms of this
+ License will continue to apply to the part which is the covered work,
+ but the work with which it is combined will remain governed by version
+ 3 of the GNU General Public License.
+ .
+ 14. Revised Versions of this License.
+ .
+ The Free Software Foundation may publish revised and/or new versions of
+ the GNU Affero General Public License from time to time.  Such new versions
+ will be similar in spirit to the present version, but may differ in detail to
+ address new problems or concerns.
+ .
+ Each version is given a distinguishing version number.  If the
+ Program specifies that a certain numbered version of the GNU Affero General
+ Public License "or any later version" applies to it, you have the
+ option of following the terms and conditions either of that numbered
+ version or of any later version published by the Free Software
+ Foundation.  If the Program does not specify a version number of the
+ GNU Affero General Public License, you may choose any version ever published
+ by the Free Software Foundation.
+ .
+ If the Program specifies that a proxy can decide which future
+ versions of the GNU Affero General Public License can be used, that proxy's
+ public statement of acceptance of a version permanently authorizes you
+ to choose that version for the Program.
+ .
+ Later license versions may give you additional or different
+ permissions.  However, no additional obligations are imposed on any
+ author or copyright holder as a result of your choosing to follow a
+ later version.
+ .
+  15. Disclaimer of Warranty.
+ .
+ THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+ APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+ HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+ OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+ THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+ IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
  ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
  .
- 2. Replacement of Section 16.  Section 16 of the GPL shall be deleted in its
- entirety and replaced with the following:
+  16. Limitation of Liability.
  .
- 16. LIMITATION OF LIABILITY.
+ IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+ WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+ THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+ GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+ USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+ DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+ PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+ EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+ SUCH DAMAGES.
  .
- UNDER NO CIRCUMSTANCES SHALL ANY COPYRIGHT HOLDER OR ITS AFFILIATES, OR ANY
- OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE
- LIABLE TO YOU, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, FOR ANY
- DAMAGES OR OTHER LIABILITY, INCLUDING ANY GENERAL, DIRECT, INDIRECT, SPECIAL,
- INCIDENTAL, CONSEQUENTIAL OR PUNITIVE DAMAGES ARISING FROM, OUT OF OR IN
- CONNECTION WITH THE USE OR INABILITY TO USE THE PROGRAM OR OTHER DEALINGS WITH
- THE PROGRAM(INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED
- INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE
- PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), WHETHER OR NOT ANY COPYRIGHT HOLDER
- OR SUCH OTHER PARTY RECEIVES NOTICE OF ANY SUCH DAMAGES AND WHETHER OR NOT SUCH
- DAMAGES COULD HAVE BEEN FORESEEN.
+  17. Interpretation of Sections 15 and 16.
  .
- 3. LEGAL NOTICES; NO TRADEMARK LICENSE; ORIGIN.  You must reproduce faithfully
- all trademark, copyright and other proprietary and legal notices on any copies
- of the Program or any other required author attributions.  This license does not
- grant you rights to use any copyright holder or any other party's name, logo, or
- trademarks.  Neither the name of the copyright holder or its affiliates, or any
- other party who modifies and/or conveys the Program may be used to endorse or
- promote products derived from this software without specific prior written
- permission.  The origin of the Program must not be misrepresented; you must not
- claim that you wrote the original Program.  Altered source versions must be
- plainly marked as such, and must not be misrepresented as being the original
- Program.
+ If the disclaimer of warranty and limitation of liability provided
+ above cannot be given local legal effect according to their terms,
+ reviewing courts shall apply local law that most closely approximates
+ an absolute waiver of all civil liability in connection with the
+ Program, unless a warranty or assumption of liability accompanies a
+ copy of the Program in return for a fee.
  .
- 4. INDEMNIFICATION.  IF YOU CONVEY A COVERED WORK AND AGREE WITH ANY RECIPIENT
- OF THAT COVERED WORK THAT YOU WILL ASSUME ANY LIABILITY FOR THAT COVERED WORK,
- YOU HEREBY AGREE TO INDEMNIFY, DEFEND AND HOLD HARMLESS THE OTHER LICENSORS AND
- AUTHORS OF THAT COVERED WORK FOR ANY DAMAGES, DEMANDS, CLAIMS, LOSSES, CAUSES OF
- ACTION, LAWSUITS, JUDGMENTS EXPENSES (INCLUDING WITHOUT LIMITATION REASONABLE
- ATTORNEYS' FEES AND EXPENSES) OR ANY OTHER LIABILITY ARISING FROM, RELATED TO OR
- IN CONNECTION WITH YOUR ASSUMPTIONS OF LIABILITY.
+                     END OF TERMS AND CONDITIONS
  .
-
-Files: etc/login.defs.security-misc
-Copyright:
- This is Debian GNU/Linux's prepackaged version of the shadow utilities.
+            How to Apply These Terms to Your New Programs
  .
- It was downloaded from: <ftp://ftp.pld.org.pl/software/shadow/>.
- As of May 2007, this site is no longer available.
+ If you develop a new program, and you want it to be of the greatest
+ possible use to the public, the best way to achieve this is to make it
+ free software which everyone can redistribute and change under these terms.
  .
- Copyright:
+ To do so, attach the following notices to the program.  It is safest
+ to attach them to the start of each source file to most effectively
+ state the exclusion of warranty; and each file should have at least
+ the "copyright" line and a pointer to where the full notice is found.
  .
- Parts of this software are copyright 1988 - 1994, Julianne Frances Haugh.
- All rights reserved.
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
  .
- Parts of this software are copyright 1997 - 2001, Marek Michałkiewicz.
- All rights reserved.
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU Affero General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
  .
- Parts of this software are copyright 2001 - 2004, Andrzej Krzysztofowicz
- All rights reserved.
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU Affero General Public License for more details.
  .
- Parts of this software are copyright 2000 - 2007, Tomasz Kłoczko.
- All rights reserved.
-License: shadow-license
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions
- are met:
- 1. Redistributions of source code must retain the above copyright
-    notice, this list of conditions and the following disclaimer.
- 2. Redistributions in binary form must reproduce the above copyright
-    notice, this list of conditions and the following disclaimer in the
-    documentation and/or other materials provided with the distribution.
- 3. Neither the name of Julianne F. Haugh nor the names of its contributors
-    may be used to endorse or promote products derived from this software
-    without specific prior written permission.
+    You should have received a copy of the GNU Affero General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
  .
- THIS SOFTWARE IS PROVIDED BY JULIE HAUGH AND CONTRIBUTORS ``AS IS'' AND
- ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- ARE DISCLAIMED.  IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE
- FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- SUCH DAMAGE.
+ Also add information on how to contact you by electronic and paper mail.
  .
- This source code is currently archived on ftp.uu.net in the
- comp.sources.misc portion of the USENET archives.  You may also contact
- the author, Julianne F. Haugh, at jockgrrl@ix.netcom.com if you have
- any questions regarding this package.
+ If your software can interact with users remotely through a computer
+ network, you should also make sure that it provides a way for users to
+ get its source.  For example, if your program is a web application, its
+ interface could display a "Source" link that leads users to an archive
+ of the code.  There are many ways you could offer source, and different
+ solutions will be better for different programs; see section 13 for the
+ specific requirements.
  .
- THIS SOFTWARE IS BEING DISTRIBUTED AS-IS.  THE AUTHORS DISCLAIM ALL
- LIABILITY FOR ANY CONSEQUENCES OF USE.  THE USER IS SOLELY RESPONSIBLE
- FOR THE MAINTENANCE OF THIS SOFTWARE PACKAGE.  THE AUTHORS ARE UNDER NO
- OBLIGATION TO PROVIDE MODIFICATIONS OR IMPROVEMENTS.  THE USER IS
- ENCOURAGED TO TAKE ANY AND ALL STEPS NEEDED TO PROTECT AGAINST ACCIDENTAL
- LOSS OF INFORMATION OR MACHINE RESOURCES.
- .
- Special thanks are due to Chip Rosenthal for his fine testing efforts;
- to Steve Simmons for his work in porting this code to BSD; and to Bill
- Kennedy for his contributions of LaserJet printer time and energies.
- Also, thanks for Dennis L. Mumaugh for the initial shadow password
- information and to Tony Walton (olapw@olgb1.oliv.co.uk) for the System
- V Release 4 changes.  Effort in porting to SunOS has been contributed
- by Dr. Michael Newberry (miken@cs.adfa.oz.au) and Micheal J. Miller, Jr.
- (mke@kaberd.rain.com).  Effort in porting to AT&T UNIX System V Release
- 4 has been provided by Andrew Herbert (andrew@werple.pub.uu.oz.au).
- Special thanks to Marek Michalkiewicz (marekm@i17linuxb.ists.pwr.wroc.pl)
- for taking over the Linux port of this software.
-
-Files: etc/pam.d/*
-Copyright:
- This package was debianized by J.H.M. Dassen (Ray) jdassen@debian.org on
- Wed, 23 Sep 1998 20:29:32 +0200.
- .
- It was downloaded from ftp://ftp.kernel.org/pub/linux/libs/pam/pre/
- .
- Copyright (C) 1994, 1995, 1996 Olaf Kirch, <okir@monad.swb.de>
- Copyright (C) 1995 Wietse Venema
- Copyright (C) 1995, 2001-2008 Red Hat, Inc.
- Copyright (C) 1996-1999, 2000-2003, 2005 Andrew G. Morgan <morgan@kernel.org>
- Copyright (C) 1996, 1997, 1999 Cristian Gafton <gafton@redhat.com>
- Copyright (C) 1996, 1999 Theodore Ts'o
- Copyright (C) 1996 Alexander O. Yuriev
- Copyright (C) 1996 Elliot Lee
- Copyright (C) 1997 Philip W. Dalrymple <pwd@mdtsoft.com>
- Copyright (C) 1999 Jan Rękorajski
- Copyright (C) 1999 Ben Collins <bcollins@debian.org>
- Copyright (C) 2000-2001, 2003, 2005, 2007 Steve Langasek
- Copyright (C) 2003, 2005 IBM Corporation
- Copyright (C) 2003, 2006 SuSE Linux AG.
- Copyright (C) 2003 Nalin Dahyabhai <nalin@redhat.com>
- Copyright (C) 2005-2008 Thorsten Kukuk <kukuk@thkukuk.de>
- Copyright (C) 2005 Darren Tucker
-License: Linux-PAM-license
- Unless otherwise *explicitly* stated the following text describes the
- licensed conditions under which the contents of this Linux-PAM release
- may be distributed:
- .
- -------------------------------------------------------------------------
- Redistribution and use in source and binary forms of Linux-PAM, with
- or without modification, are permitted provided that the following
- conditions are met:
- .
- 1. Redistributions of source code must retain any existing copyright
-    notice, and this entire permission notice in its entirety,
-    including the disclaimer of warranties.
- .
- 2. Redistributions in binary form must reproduce all prior and current
-    copyright notices, this list of conditions, and the following
-    disclaimer in the documentation and/or other materials provided
-    with the distribution.
- .
- 3. The name of any author may not be used to endorse or promote
-    products derived from this software without their specific prior
-    written permission.
- .
- ALTERNATIVELY, this product may be distributed under the terms of the
- GNU General Public License, in which case the provisions of the GNU
- GPL are required INSTEAD OF the above restrictions.  (This clause is
- necessary due to a potential conflict between the GNU GPL and the
- restrictions contained in a BSD-style copyright.)
- .
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
- WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
- MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT,
- INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
- BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
- OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
- ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
- TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
- USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
- DAMAGE.
- -------------------------------------------------------------------------
- .
- On Debian GNU/Linux systems, the complete text of the GNU General
- Public License can be found in `/usr/share/common-licenses/GPL-1'.
+ You should also get your employer (if you work as a programmer) or school,
+ if any, to sign a "copyright disclaimer" for the program, if necessary.
+ For more information on this, and how to apply and follow the GNU AGPL, see
+ <https://www.gnu.org/licenses/>.

GPLv3

@@ -1,674 +0,0 @@
-                    GNU GENERAL PUBLIC LICENSE
-                       Version 3, 29 June 2007
-
- Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
- Everyone is permitted to copy and distribute verbatim copies
- of this license document, but changing it is not allowed.
-
-                            Preamble
-
-  The GNU General Public License is a free, copyleft license for
-software and other kinds of works.
-
-  The licenses for most software and other practical works are designed
-to take away your freedom to share and change the works.  By contrast,
-the GNU General Public License is intended to guarantee your freedom to
-share and change all versions of a program--to make sure it remains free
-software for all its users.  We, the Free Software Foundation, use the
-GNU General Public License for most of our software; it applies also to
-any other work released this way by its authors.  You can apply it to
-your programs, too.
-
-  When we speak of free software, we are referring to freedom, not
-price.  Our General Public Licenses are designed to make sure that you
-have the freedom to distribute copies of free software (and charge for
-them if you wish), that you receive source code or can get it if you
-want it, that you can change the software or use pieces of it in new
-free programs, and that you know you can do these things.
-
-  To protect your rights, we need to prevent others from denying you
-these rights or asking you to surrender the rights.  Therefore, you have
-certain responsibilities if you distribute copies of the software, or if
-you modify it: responsibilities to respect the freedom of others.
-
-  For example, if you distribute copies of such a program, whether
-gratis or for a fee, you must pass on to the recipients the same
-freedoms that you received.  You must make sure that they, too, receive
-or can get the source code.  And you must show them these terms so they
-know their rights.
-
-  Developers that use the GNU GPL protect your rights with two steps:
-(1) assert copyright on the software, and (2) offer you this License
-giving you legal permission to copy, distribute and/or modify it.
-
-  For the developers' and authors' protection, the GPL clearly explains
-that there is no warranty for this free software.  For both users' and
-authors' sake, the GPL requires that modified versions be marked as
-changed, so that their problems will not be attributed erroneously to
-authors of previous versions.
-
-  Some devices are designed to deny users access to install or run
-modified versions of the software inside them, although the manufacturer
-can do so.  This is fundamentally incompatible with the aim of
-protecting users' freedom to change the software.  The systematic
-pattern of such abuse occurs in the area of products for individuals to
-use, which is precisely where it is most unacceptable.  Therefore, we
-have designed this version of the GPL to prohibit the practice for those
-products.  If such problems arise substantially in other domains, we
-stand ready to extend this provision to those domains in future versions
-of the GPL, as needed to protect the freedom of users.
-
-  Finally, every program is threatened constantly by software patents.
-States should not allow patents to restrict development and use of
-software on general-purpose computers, but in those that do, we wish to
-avoid the special danger that patents applied to a free program could
-make it effectively proprietary.  To prevent this, the GPL assures that
-patents cannot be used to render the program non-free.
-
-  The precise terms and conditions for copying, distribution and
-modification follow.
-
-                       TERMS AND CONDITIONS
-
-  0. Definitions.
-
-  "This License" refers to version 3 of the GNU General Public License.
-
-  "Copyright" also means copyright-like laws that apply to other kinds of
-works, such as semiconductor masks.
-
-  "The Program" refers to any copyrightable work licensed under this
-License.  Each licensee is addressed as "you".  "Licensees" and
-"recipients" may be individuals or organizations.
-
-  To "modify" a work means to copy from or adapt all or part of the work
-in a fashion requiring copyright permission, other than the making of an
-exact copy.  The resulting work is called a "modified version" of the
-earlier work or a work "based on" the earlier work.
-
-  A "covered work" means either the unmodified Program or a work based
-on the Program.
-
-  To "propagate" a work means to do anything with it that, without
-permission, would make you directly or secondarily liable for
-infringement under applicable copyright law, except executing it on a
-computer or modifying a private copy.  Propagation includes copying,
-distribution (with or without modification), making available to the
-public, and in some countries other activities as well.
-
-  To "convey" a work means any kind of propagation that enables other
-parties to make or receive copies.  Mere interaction with a user through
-a computer network, with no transfer of a copy, is not conveying.
-
-  An interactive user interface displays "Appropriate Legal Notices"
-to the extent that it includes a convenient and prominently visible
-feature that (1) displays an appropriate copyright notice, and (2)
-tells the user that there is no warranty for the work (except to the
-extent that warranties are provided), that licensees may convey the
-work under this License, and how to view a copy of this License.  If
-the interface presents a list of user commands or options, such as a
-menu, a prominent item in the list meets this criterion.
-
-  1. Source Code.
-
-  The "source code" for a work means the preferred form of the work
-for making modifications to it.  "Object code" means any non-source
-form of a work.
-
-  A "Standard Interface" means an interface that either is an official
-standard defined by a recognized standards body, or, in the case of
-interfaces specified for a particular programming language, one that
-is widely used among developers working in that language.
-
-  The "System Libraries" of an executable work include anything, other
-than the work as a whole, that (a) is included in the normal form of
-packaging a Major Component, but which is not part of that Major
-Component, and (b) serves only to enable use of the work with that
-Major Component, or to implement a Standard Interface for which an
-implementation is available to the public in source code form.  A
-"Major Component", in this context, means a major essential component
-(kernel, window system, and so on) of the specific operating system
-(if any) on which the executable work runs, or a compiler used to
-produce the work, or an object code interpreter used to run it.
-
-  The "Corresponding Source" for a work in object code form means all
-the source code needed to generate, install, and (for an executable
-work) run the object code and to modify the work, including scripts to
-control those activities.  However, it does not include the work's
-System Libraries, or general-purpose tools or generally available free
-programs which are used unmodified in performing those activities but
-which are not part of the work.  For example, Corresponding Source
-includes interface definition files associated with source files for
-the work, and the source code for shared libraries and dynamically
-linked subprograms that the work is specifically designed to require,
-such as by intimate data communication or control flow between those
-subprograms and other parts of the work.
-
-  The Corresponding Source need not include anything that users
-can regenerate automatically from other parts of the Corresponding
-Source.
-
-  The Corresponding Source for a work in source code form is that
-same work.
-
-  2. Basic Permissions.
-
-  All rights granted under this License are granted for the term of
-copyright on the Program, and are irrevocable provided the stated
-conditions are met.  This License explicitly affirms your unlimited
-permission to run the unmodified Program.  The output from running a
-covered work is covered by this License only if the output, given its
-content, constitutes a covered work.  This License acknowledges your
-rights of fair use or other equivalent, as provided by copyright law.
-
-  You may make, run and propagate covered works that you do not
-convey, without conditions so long as your license otherwise remains
-in force.  You may convey covered works to others for the sole purpose
-of having them make modifications exclusively for you, or provide you
-with facilities for running those works, provided that you comply with
-the terms of this License in conveying all material for which you do
-not control copyright.  Those thus making or running the covered works
-for you must do so exclusively on your behalf, under your direction
-and control, on terms that prohibit them from making any copies of
-your copyrighted material outside their relationship with you.
-
-  Conveying under any other circumstances is permitted solely under
-the conditions stated below.  Sublicensing is not allowed; section 10
-makes it unnecessary.
-
-  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
-
-  No covered work shall be deemed part of an effective technological
-measure under any applicable law fulfilling obligations under article
-11 of the WIPO copyright treaty adopted on 20 December 1996, or
-similar laws prohibiting or restricting circumvention of such
-measures.
-
-  When you convey a covered work, you waive any legal power to forbid
-circumvention of technological measures to the extent such circumvention
-is effected by exercising rights under this License with respect to
-the covered work, and you disclaim any intention to limit operation or
-modification of the work as a means of enforcing, against the work's
-users, your or third parties' legal rights to forbid circumvention of
-technological measures.
-
-  4. Conveying Verbatim Copies.
-
-  You may convey verbatim copies of the Program's source code as you
-receive it, in any medium, provided that you conspicuously and
-appropriately publish on each copy an appropriate copyright notice;
-keep intact all notices stating that this License and any
-non-permissive terms added in accord with section 7 apply to the code;
-keep intact all notices of the absence of any warranty; and give all
-recipients a copy of this License along with the Program.
-
-  You may charge any price or no price for each copy that you convey,
-and you may offer support or warranty protection for a fee.
-
-  5. Conveying Modified Source Versions.
-
-  You may convey a work based on the Program, or the modifications to
-produce it from the Program, in the form of source code under the
-terms of section 4, provided that you also meet all of these conditions:
-
-    a) The work must carry prominent notices stating that you modified
-    it, and giving a relevant date.
-
-    b) The work must carry prominent notices stating that it is
-    released under this License and any conditions added under section
-    7.  This requirement modifies the requirement in section 4 to
-    "keep intact all notices".
-
-    c) You must license the entire work, as a whole, under this
-    License to anyone who comes into possession of a copy.  This
-    License will therefore apply, along with any applicable section 7
-    additional terms, to the whole of the work, and all its parts,
-    regardless of how they are packaged.  This License gives no
-    permission to license the work in any other way, but it does not
-    invalidate such permission if you have separately received it.
-
-    d) If the work has interactive user interfaces, each must display
-    Appropriate Legal Notices; however, if the Program has interactive
-    interfaces that do not display Appropriate Legal Notices, your
-    work need not make them do so.
-
-  A compilation of a covered work with other separate and independent
-works, which are not by their nature extensions of the covered work,
-and which are not combined with it such as to form a larger program,
-in or on a volume of a storage or distribution medium, is called an
-"aggregate" if the compilation and its resulting copyright are not
-used to limit the access or legal rights of the compilation's users
-beyond what the individual works permit.  Inclusion of a covered work
-in an aggregate does not cause this License to apply to the other
-parts of the aggregate.
-
-  6. Conveying Non-Source Forms.
-
-  You may convey a covered work in object code form under the terms
-of sections 4 and 5, provided that you also convey the
-machine-readable Corresponding Source under the terms of this License,
-in one of these ways:
-
-    a) Convey the object code in, or embodied in, a physical product
-    (including a physical distribution medium), accompanied by the
-    Corresponding Source fixed on a durable physical medium
-    customarily used for software interchange.
-
-    b) Convey the object code in, or embodied in, a physical product
-    (including a physical distribution medium), accompanied by a
-    written offer, valid for at least three years and valid for as
-    long as you offer spare parts or customer support for that product
-    model, to give anyone who possesses the object code either (1) a
-    copy of the Corresponding Source for all the software in the
-    product that is covered by this License, on a durable physical
-    medium customarily used for software interchange, for a price no
-    more than your reasonable cost of physically performing this
-    conveying of source, or (2) access to copy the
-    Corresponding Source from a network server at no charge.
-
-    c) Convey individual copies of the object code with a copy of the
-    written offer to provide the Corresponding Source.  This
-    alternative is allowed only occasionally and noncommercially, and
-    only if you received the object code with such an offer, in accord
-    with subsection 6b.
-
-    d) Convey the object code by offering access from a designated
-    place (gratis or for a charge), and offer equivalent access to the
-    Corresponding Source in the same way through the same place at no
-    further charge.  You need not require recipients to copy the
-    Corresponding Source along with the object code.  If the place to
-    copy the object code is a network server, the Corresponding Source
-    may be on a different server (operated by you or a third party)
-    that supports equivalent copying facilities, provided you maintain
-    clear directions next to the object code saying where to find the
-    Corresponding Source.  Regardless of what server hosts the
-    Corresponding Source, you remain obligated to ensure that it is
-    available for as long as needed to satisfy these requirements.
-
-    e) Convey the object code using peer-to-peer transmission, provided
-    you inform other peers where the object code and Corresponding
-    Source of the work are being offered to the general public at no
-    charge under subsection 6d.
-
-  A separable portion of the object code, whose source code is excluded
-from the Corresponding Source as a System Library, need not be
-included in conveying the object code work.
-
-  A "User Product" is either (1) a "consumer product", which means any
-tangible personal property which is normally used for personal, family,
-or household purposes, or (2) anything designed or sold for incorporation
-into a dwelling.  In determining whether a product is a consumer product,
-doubtful cases shall be resolved in favor of coverage.  For a particular
-product received by a particular user, "normally used" refers to a
-typical or common use of that class of product, regardless of the status
-of the particular user or of the way in which the particular user
-actually uses, or expects or is expected to use, the product.  A product
-is a consumer product regardless of whether the product has substantial
-commercial, industrial or non-consumer uses, unless such uses represent
-the only significant mode of use of the product.
-
-  "Installation Information" for a User Product means any methods,
-procedures, authorization keys, or other information required to install
-and execute modified versions of a covered work in that User Product from
-a modified version of its Corresponding Source.  The information must
-suffice to ensure that the continued functioning of the modified object
-code is in no case prevented or interfered with solely because
-modification has been made.
-
-  If you convey an object code work under this section in, or with, or
-specifically for use in, a User Product, and the conveying occurs as
-part of a transaction in which the right of possession and use of the
-User Product is transferred to the recipient in perpetuity or for a
-fixed term (regardless of how the transaction is characterized), the
-Corresponding Source conveyed under this section must be accompanied
-by the Installation Information.  But this requirement does not apply
-if neither you nor any third party retains the ability to install
-modified object code on the User Product (for example, the work has
-been installed in ROM).
-
-  The requirement to provide Installation Information does not include a
-requirement to continue to provide support service, warranty, or updates
-for a work that has been modified or installed by the recipient, or for
-the User Product in which it has been modified or installed.  Access to a
-network may be denied when the modification itself materially and
-adversely affects the operation of the network or violates the rules and
-protocols for communication across the network.
-
-  Corresponding Source conveyed, and Installation Information provided,
-in accord with this section must be in a format that is publicly
-documented (and with an implementation available to the public in
-source code form), and must require no special password or key for
-unpacking, reading or copying.
-
-  7. Additional Terms.
-
-  "Additional permissions" are terms that supplement the terms of this
-License by making exceptions from one or more of its conditions.
-Additional permissions that are applicable to the entire Program shall
-be treated as though they were included in this License, to the extent
-that they are valid under applicable law.  If additional permissions
-apply only to part of the Program, that part may be used separately
-under those permissions, but the entire Program remains governed by
-this License without regard to the additional permissions.
-
-  When you convey a copy of a covered work, you may at your option
-remove any additional permissions from that copy, or from any part of
-it.  (Additional permissions may be written to require their own
-removal in certain cases when you modify the work.)  You may place
-additional permissions on material, added by you to a covered work,
-for which you have or can give appropriate copyright permission.
-
-  Notwithstanding any other provision of this License, for material you
-add to a covered work, you may (if authorized by the copyright holders of
-that material) supplement the terms of this License with terms:
-
-    a) Disclaiming warranty or limiting liability differently from the
-    terms of sections 15 and 16 of this License; or
-
-    b) Requiring preservation of specified reasonable legal notices or
-    author attributions in that material or in the Appropriate Legal
-    Notices displayed by works containing it; or
-
-    c) Prohibiting misrepresentation of the origin of that material, or
-    requiring that modified versions of such material be marked in
-    reasonable ways as different from the original version; or
-
-    d) Limiting the use for publicity purposes of names of licensors or
-    authors of the material; or
-
-    e) Declining to grant rights under trademark law for use of some
-    trade names, trademarks, or service marks; or
-
-    f) Requiring indemnification of licensors and authors of that
-    material by anyone who conveys the material (or modified versions of
-    it) with contractual assumptions of liability to the recipient, for
-    any liability that these contractual assumptions directly impose on
-    those licensors and authors.
-
-  All other non-permissive additional terms are considered "further
-restrictions" within the meaning of section 10.  If the Program as you
-received it, or any part of it, contains a notice stating that it is
-governed by this License along with a term that is a further
-restriction, you may remove that term.  If a license document contains
-a further restriction but permits relicensing or conveying under this
-License, you may add to a covered work material governed by the terms
-of that license document, provided that the further restriction does
-not survive such relicensing or conveying.
-
-  If you add terms to a covered work in accord with this section, you
-must place, in the relevant source files, a statement of the
-additional terms that apply to those files, or a notice indicating
-where to find the applicable terms.
-
-  Additional terms, permissive or non-permissive, may be stated in the
-form of a separately written license, or stated as exceptions;
-the above requirements apply either way.
-
-  8. Termination.
-
-  You may not propagate or modify a covered work except as expressly
-provided under this License.  Any attempt otherwise to propagate or
-modify it is void, and will automatically terminate your rights under
-this License (including any patent licenses granted under the third
-paragraph of section 11).
-
-  However, if you cease all violation of this License, then your
-license from a particular copyright holder is reinstated (a)
-provisionally, unless and until the copyright holder explicitly and
-finally terminates your license, and (b) permanently, if the copyright
-holder fails to notify you of the violation by some reasonable means
-prior to 60 days after the cessation.
-
-  Moreover, your license from a particular copyright holder is
-reinstated permanently if the copyright holder notifies you of the
-violation by some reasonable means, this is the first time you have
-received notice of violation of this License (for any work) from that
-copyright holder, and you cure the violation prior to 30 days after
-your receipt of the notice.
-
-  Termination of your rights under this section does not terminate the
-licenses of parties who have received copies or rights from you under
-this License.  If your rights have been terminated and not permanently
-reinstated, you do not qualify to receive new licenses for the same
-material under section 10.
-
-  9. Acceptance Not Required for Having Copies.
-
-  You are not required to accept this License in order to receive or
-run a copy of the Program.  Ancillary propagation of a covered work
-occurring solely as a consequence of using peer-to-peer transmission
-to receive a copy likewise does not require acceptance.  However,
-nothing other than this License grants you permission to propagate or
-modify any covered work.  These actions infringe copyright if you do
-not accept this License.  Therefore, by modifying or propagating a
-covered work, you indicate your acceptance of this License to do so.
-
-  10. Automatic Licensing of Downstream Recipients.
-
-  Each time you convey a covered work, the recipient automatically
-receives a license from the original licensors, to run, modify and
-propagate that work, subject to this License.  You are not responsible
-for enforcing compliance by third parties with this License.
-
-  An "entity transaction" is a transaction transferring control of an
-organization, or substantially all assets of one, or subdividing an
-organization, or merging organizations.  If propagation of a covered
-work results from an entity transaction, each party to that
-transaction who receives a copy of the work also receives whatever
-licenses to the work the party's predecessor in interest had or could
-give under the previous paragraph, plus a right to possession of the
-Corresponding Source of the work from the predecessor in interest, if
-the predecessor has it or can get it with reasonable efforts.
-
-  You may not impose any further restrictions on the exercise of the
-rights granted or affirmed under this License.  For example, you may
-not impose a license fee, royalty, or other charge for exercise of
-rights granted under this License, and you may not initiate litigation
-(including a cross-claim or counterclaim in a lawsuit) alleging that
-any patent claim is infringed by making, using, selling, offering for
-sale, or importing the Program or any portion of it.
-
-  11. Patents.
-
-  A "contributor" is a copyright holder who authorizes use under this
-License of the Program or a work on which the Program is based.  The
-work thus licensed is called the contributor's "contributor version".
-
-  A contributor's "essential patent claims" are all patent claims
-owned or controlled by the contributor, whether already acquired or
-hereafter acquired, that would be infringed by some manner, permitted
-by this License, of making, using, or selling its contributor version,
-but do not include claims that would be infringed only as a
-consequence of further modification of the contributor version.  For
-purposes of this definition, "control" includes the right to grant
-patent sublicenses in a manner consistent with the requirements of
-this License.
-
-  Each contributor grants you a non-exclusive, worldwide, royalty-free
-patent license under the contributor's essential patent claims, to
-make, use, sell, offer for sale, import and otherwise run, modify and
-propagate the contents of its contributor version.
-
-  In the following three paragraphs, a "patent license" is any express
-agreement or commitment, however denominated, not to enforce a patent
-(such as an express permission to practice a patent or covenant not to
-sue for patent infringement).  To "grant" such a patent license to a
-party means to make such an agreement or commitment not to enforce a
-patent against the party.
-
-  If you convey a covered work, knowingly relying on a patent license,
-and the Corresponding Source of the work is not available for anyone
-to copy, free of charge and under the terms of this License, through a
-publicly available network server or other readily accessible means,
-then you must either (1) cause the Corresponding Source to be so
-available, or (2) arrange to deprive yourself of the benefit of the
-patent license for this particular work, or (3) arrange, in a manner
-consistent with the requirements of this License, to extend the patent
-license to downstream recipients.  "Knowingly relying" means you have
-actual knowledge that, but for the patent license, your conveying the
-covered work in a country, or your recipient's use of the covered work
-in a country, would infringe one or more identifiable patents in that
-country that you have reason to believe are valid.
-
-  If, pursuant to or in connection with a single transaction or
-arrangement, you convey, or propagate by procuring conveyance of, a
-covered work, and grant a patent license to some of the parties
-receiving the covered work authorizing them to use, propagate, modify
-or convey a specific copy of the covered work, then the patent license
-you grant is automatically extended to all recipients of the covered
-work and works based on it.
-
-  A patent license is "discriminatory" if it does not include within
-the scope of its coverage, prohibits the exercise of, or is
-conditioned on the non-exercise of one or more of the rights that are
-specifically granted under this License.  You may not convey a covered
-work if you are a party to an arrangement with a third party that is
-in the business of distributing software, under which you make payment
-to the third party based on the extent of your activity of conveying
-the work, and under which the third party grants, to any of the
-parties who would receive the covered work from you, a discriminatory
-patent license (a) in connection with copies of the covered work
-conveyed by you (or copies made from those copies), or (b) primarily
-for and in connection with specific products or compilations that
-contain the covered work, unless you entered into that arrangement,
-or that patent license was granted, prior to 28 March 2007.
-
-  Nothing in this License shall be construed as excluding or limiting
-any implied license or other defenses to infringement that may
-otherwise be available to you under applicable patent law.
-
-  12. No Surrender of Others' Freedom.
-
-  If conditions are imposed on you (whether by court order, agreement or
-otherwise) that contradict the conditions of this License, they do not
-excuse you from the conditions of this License.  If you cannot convey a
-covered work so as to satisfy simultaneously your obligations under this
-License and any other pertinent obligations, then as a consequence you may
-not convey it at all.  For example, if you agree to terms that obligate you
-to collect a royalty for further conveying from those to whom you convey
-the Program, the only way you could satisfy both those terms and this
-License would be to refrain entirely from conveying the Program.
-
-  13. Use with the GNU Affero General Public License.
-
-  Notwithstanding any other provision of this License, you have
-permission to link or combine any covered work with a work licensed
-under version 3 of the GNU Affero General Public License into a single
-combined work, and to convey the resulting work.  The terms of this
-License will continue to apply to the part which is the covered work,
-but the special requirements of the GNU Affero General Public License,
-section 13, concerning interaction through a network will apply to the
-combination as such.
-
-  14. Revised Versions of this License.
-
-  The Free Software Foundation may publish revised and/or new versions of
-the GNU General Public License from time to time.  Such new versions will
-be similar in spirit to the present version, but may differ in detail to
-address new problems or concerns.
-
-  Each version is given a distinguishing version number.  If the
-Program specifies that a certain numbered version of the GNU General
-Public License "or any later version" applies to it, you have the
-option of following the terms and conditions either of that numbered
-version or of any later version published by the Free Software
-Foundation.  If the Program does not specify a version number of the
-GNU General Public License, you may choose any version ever published
-by the Free Software Foundation.
-
-  If the Program specifies that a proxy can decide which future
-versions of the GNU General Public License can be used, that proxy's
-public statement of acceptance of a version permanently authorizes you
-to choose that version for the Program.
-
-  Later license versions may give you additional or different
-permissions.  However, no additional obligations are imposed on any
-author or copyright holder as a result of your choosing to follow a
-later version.
-
-  15. Disclaimer of Warranty.
-
-  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
-APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
-HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
-OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
-THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
-IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
-ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
-
-  16. Limitation of Liability.
-
-  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
-THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
-GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
-USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
-DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
-PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
-EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
-SUCH DAMAGES.
-
-  17. Interpretation of Sections 15 and 16.
-
-  If the disclaimer of warranty and limitation of liability provided
-above cannot be given local legal effect according to their terms,
-reviewing courts shall apply local law that most closely approximates
-an absolute waiver of all civil liability in connection with the
-Program, unless a warranty or assumption of liability accompanies a
-copy of the Program in return for a fee.
-
-                     END OF TERMS AND CONDITIONS
-
-            How to Apply These Terms to Your New Programs
-
-  If you develop a new program, and you want it to be of the greatest
-possible use to the public, the best way to achieve this is to make it
-free software which everyone can redistribute and change under these terms.
-
-  To do so, attach the following notices to the program.  It is safest
-to attach them to the start of each source file to most effectively
-state the exclusion of warranty; and each file should have at least
-the "copyright" line and a pointer to where the full notice is found.
-
-    <one line to give the program's name and a brief idea of what it does.>
-    Copyright (C) <year>  <name of author>
-
-    This program is free software: you can redistribute it and/or modify
-    it under the terms of the GNU General Public License as published by
-    the Free Software Foundation, either version 3 of the License, or
-    (at your option) any later version.
-
-    This program is distributed in the hope that it will be useful,
-    but WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-    GNU General Public License for more details.
-
-    You should have received a copy of the GNU General Public License
-    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-Also add information on how to contact you by electronic and paper mail.
-
-  If the program does terminal interaction, make it output a short
-notice like this when it starts in an interactive mode:
-
-    <program>  Copyright (C) <year>  <name of author>
-    This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
-    This is free software, and you are welcome to redistribute it
-    under certain conditions; type `show c' for details.
-
-The hypothetical commands `show w' and `show c' should show the appropriate
-parts of the General Public License.  Of course, your program's commands
-might be different; for a GUI interface, you would use an "about box".
-
-  You should also get your employer (if you work as a programmer) or school,
-if any, to sign a "copyright disclaimer" for the program, if necessary.
-For more information on this, and how to apply and follow the GNU GPL, see
-<http://www.gnu.org/licenses/>.
-
-  The GNU General Public License does not permit incorporating your program
-into proprietary programs.  If your program is a subroutine library, you
-may consider it more useful to permit linking proprietary applications with
-the library.  If this is what you want to do, use the GNU Lesser General
-Public License instead of this License.  But first, please read
-<http://www.gnu.org/philosophy/why-not-lgpl.html>.

Makefile

@@ -1,18 +0,0 @@
-#!/usr/bin/make -f
-
-## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
-## See the file COPYING for copying conditions.
-
-## genmkfile - Makefile - version 1.5
-
-## This is a copy.
-## master location:
-## https://github.com/Whonix/genmkfile/blob/master/usr/share/genmkfile/Makefile
-
-GENMKFILE_PATH ?= /usr/share/genmkfile
-GENMKFILE_ROOT_DIR := $(dir $(abspath $(lastword $(MAKEFILE_LIST))))
-
-export GENMKFILE_PATH
-export GENMKFILE_ROOT_DIR
-
-include $(GENMKFILE_PATH)/makefile-full

README.md

@@ -1,119 +1,860 @@
-# enhances misc security settings #
+# Enhances miscellaneous security settings
 
-The following settings are changed:
+## Kernel hardening
 
-deactivates previews in Dolphin;
-deactivates previews in Nautilus;
-deactivates thumbnails in Thunar;
-deactivates TCP timestamps;
-deactivates Netfilter's connection tracking helper;
+This section is inspired by the Kernel Self Protection Project (KSPP). It
+attempts to implement all recommended Linux kernel settings by the KSPP and
+many more sources.
 
-TCP time stamps (RFC 1323) allow for tracking clock
-information with millisecond resolution. This may or may not allow an
-attacker to learn information about the system clock at such
-a resolution, depending on various issues such as network lag.
-This information is available to anyone who monitors the network
-somewhere between the attacked system and the destination server.
-It may allow an attacker to find out how long a given
-system has been running, and to distinguish several
-systems running behind NAT and using the same IP address. It might
-also allow one to look for clocks that match an expected value to find the
-public IP used by a user.
+- https://kspp.github.io/Recommended_Settings
+- https://github.com/KSPP/kspp.github.io
 
-Hence, this package disables this feature by shipping the
-/etc/sysctl.d/tcp_timestamps.conf configuration file.
+### sysctl
 
-Note that TCP time stamps normally have some usefulness. They are
-needed for:
+sysctl settings are configured via the `/usr/lib/sysctl.d/990-security-misc.conf`
+configuration file and significant hardening is applied to a myriad of components.
 
-* the TCP protection against wrapped sequence numbers; however, to
-trigger a wrap, one needs to send roughly 2^32 packets in one
-minute:  as said in RFC 1700, "The current recommended default
-time to live (TTL) for the Internet Protocol (IP) [45,105] is 64".
-So, this probably won't be a practical problem in the context
-of Anonymity Distributions.
+#### Kernel space
 
-* "Round-Trip Time Measurement", which is only useful when the user
-manages to saturate their connection. When using Anonymity Distributions,
-probably the limiting factor for transmission speed is rarely the capacity
-of the user connection.
+- Restrict access to kernel addresses through the use of kernel pointers regardless
+  of user privileges.
 
-Netfilter's connection tracking helper module increases kernel attack
-surface by enabling superfluous functionality such as IRC parsing in
-the kernel. (!)
+- Restrict access to the kernel logs to `CAP_SYSLOG` as they often contain
+  sensitive information.
 
-Hence, this package disables this feature by shipping the
-/etc/sysctl.d/nf_conntrack_helper.conf configuration file.
+- Prevent kernel information leaks in the console during boot.
 
-Kernel symbols in /proc/kallsyms are hidden to prevent malware from
-reading them and using them to learn more about what to attack on your system.
+- Restrict usage of `bpf()` to `CAP_BPF` to prevent the loading of BPF programs
+  by unprivileged users.
 
-Kexec is disabled as it can be used for live patching of the running kernel.
+- Restrict loading TTY line disciplines to `CAP_SYS_MODULE`.
 
-The BPF JIT compiler is restricted to the root user and is hardened.
+- Restrict the `userfaultfd()` syscall to `CAP_SYS_PTRACE`, which reduces the
+  likelihood of use-after-free exploits.
 
-ASLR effectiveness for mmap is increased.
+- Disable `kexec` as it can be used to replace the running kernel.
 
-The ptrace system call is restricted to the root user only.
+- Entirely disable the SysRq key so that the Secure Attention Key (SAK)
+  can no longer be utilized. See [documentation](https://www.kicksecure.com/wiki/SysRq).
 
-The TCP/IP stack is hardened.
+- Optional - Disable all use of user namespaces.
 
-This package makes some data spoofing attacks harder.
+- Optional - Restrict user namespaces to `CAP_SYS_ADMIN` as they can lead to substantial
+  privilege escalation.
 
-SACK is disabled as it is commonly exploited and is rarely used.
+- Restrict kernel profiling and the performance events system to `CAP_PERFMON`.
 
-This package disables the merging of slabs of similar sizes to prevent an
-attacker from exploiting them.
+- Force the kernel to panic on both "oopses", which can potentially indicate and thwart
+  certain kernel exploitation attempts, and also kernel warnings in the `WARN()` path.
 
-Sanity checks, redzoning, and memory poisoning are enabled.
+- Optional - Force immediate reboot on the occurrence of a single kernel panic and also
+  (when using Linux kernel >= 6.2) limit the number of allowed panics to one.
 
-The kernel now panics on uncorrectable errors in ECC memory which could
-be exploited.
+- Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
 
-Kernel Page Table Isolation is enabled to mitigate Meltdown and increase
-KASLR effectiveness.
+- Disable asynchronous I/O (when using Linux kernel >= 6.6) as `io_uring` has been
+  the source of numerous kernel exploits.
 
-SMT is disabled as it can be used to exploit the MDS vulnerability.
+#### User space
 
-All mitigations for the MDS vulnerability are enabled.
+- Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it
+  enables programs to inspect and modify other active processes. Optional - Disable
+  usage of `ptrace()` by all processes.
 
-DCCP, SCTP, TIPC and RDS are blacklisted as they are rarely used and may have
-unknown vulnerabilities.
-## How to install `security-misc` using apt-get ##
+- Maximize the bits of entropy used for mmap ASLR across all CPU architectures.
 
-1\. Add [Whonix's Signing Key](https://www.whonix.org/wiki/Whonix_Signing_Key).
+- Prevent hardlink and symlink TOCTOU races in world-writable directories.
+
+- Disallow unintentional writes to files in world-writable directories unless
+  they are owned by the directory owner to mitigate some data spoofing attacks.
+
+- Randomize the addresses (ASLR) for mmap base, stack, VDSO pages, and heap.
+
+- Raise the minimum address a process can request for memory mapping to 64KB to
+  protect against kernel null pointer dereference vulnerabilities.
+
+- Increase the maximum number of memory map areas a process is able to utilize to 1,048,576.
+
+- Optional - Disallow registering interpreters for various (miscellaneous) binary formats based
+  on a magic number or their file extension to prevent unintended code execution.
+  See issue: https://github.com/Kicksecure/security-misc/issues/267
+
+#### Core dumps
+
+- Disable core dump files and prevent their creation. If core dump files are
+  enabled, they will be named based on `core.PID` instead of the default `core`.
+
+#### Swap space
+
+- Limit the copying of potentially sensitive content in memory to the swap device.
+
+#### Networking
+
+- Enable hardening of the BPF JIT compiler protect against JIT spraying.
+
+- Enable TCP SYN cookie protection to assist against SYN flood attacks.
+
+- Protect against TCP time-wait assassination hazards.
+
+- Enable reverse path filtering (source validation) of packets received
+  from all interfaces to prevent IP spoofing.
+
+- Disable ICMP redirect acceptance and redirect sending messages to prevent
+  man-in-the-middle attacks and minimize information disclosure.
+
+- Deny sending and receiving shared media redirects to reduce the risk of IP
+  spoofing attacks.
+
+- Enable ARP filtering to mitigate some ARP spoofing and ARP cache poisoning attacks.
+
+- Respond to ARP requests only if the target IP address is  on-link,
+  preventing some IP spoofing attacks.
+
+- Drop gratuitous ARP packets to prevent ARP cache poisoning via
+  man-in-the-middle and denial-of-service attacks.
+
+- Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks.
+
+- Ignore bogus ICMP error responses.
+
+- Disable source routing which allows users to redirect network traffic that
+  can result in man-in-the-middle attacks.
+
+- Do not accept IPv6 router advertisements and solicitations.
+
+- Optional - Disable SACK and DSACK as they have historically been a known
+  vector for exploitation.
+
+- Disable TCP timestamps as they can allow detecting the system time.
+
+- Optional - Log packets with impossible source or destination addresses to
+  enable further inspection and analysis.
+
+- Optional - Enable IPv6 Privacy Extensions.
+
+- Documentation: https://www.kicksecure.com/wiki/Networking
+
+### Boot parameters
+
+Mitigations for known CPU vulnerabilities are enabled in their strictest form
+and simultaneous multithreading (SMT) is disabled. See the
+`/etc/default/grub.d/40_cpu_mitigations.cfg` configuration file.
+
+Note, to achieve complete protection for known CPU vulnerabilities, the latest
+security microcode (BIOS/UEFI) updates must be installed on the system. Furthermore,
+if using Secure Boot, the Secure Boot Forbidden Signature Database (DBX) must be kept
+up to date through [UEFI Revocation List](https://uefi.org/revocationlistfile) updates.
+
+CPU mitigations:
+
+- Disable Simultaneous Multithreading (SMT)
+
+- Spectre Side Channels (BTI and BHI)
+
+- Speculative Store Bypass (SSB)
+
+- L1 Terminal Fault (L1TF)
+
+- Microarchitectural Data Sampling (MDS)
+
+- TSX Asynchronous Abort (TAA)
+
+- iTLB Multihit
+
+- Special Register Buffer Data Sampling (SRBDS)
+
+- L1D Flushing
+
+- Processor MMIO Stale Data
+
+- Arbitrary Speculative Code Execution with Return Instructions (Retbleed)
+
+- Cross-Thread Return Address Predictions
+
+- Speculative Return Stack Overflow (SRSO)
+
+- Gather Data Sampling (GDS)
+
+- Register File Data Sampling (RFDS)
+
+Boot parameters relating to kernel hardening, DMA mitigations, and entropy
+generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg`
+configuration file.
+
+Kernel space:
+
+- Disable merging of slabs with similar size, which reduces the risk of
+  triggering heap overflows and limits influencing slab cache layout.
+
+- Enable sanity checks and red zoning via slab debugging. This will implicitly
+  disable kernel pointer hashing, leaking very sensitive information to root.
+
+- Enable memory zeroing at both allocation and free time, which mitigates some
+  use-after-free vulnerabilities by erasing sensitive information in memory.
+
+- Enable the kernel page allocator to randomize free lists to limit some data
+  exfiltration and ROP attacks, especially during the early boot process.
+
+- Enable kernel page table isolation to increase KASLR effectiveness and also
+  mitigate the Meltdown CPU vulnerability.
+
+- Enable randomization of the kernel stack offset on syscall entries to harden
+  against memory corruption attacks.
+
+- Disable vsyscalls as they are vulnerable to ROP attacks and have now been
+  replaced by vDSO.
+
+- Restrict access to debugfs by not registering the file system since it can
+  contain sensitive information.
+
+- Force kernel panics on "oopses" to potentially indicate and thwart certain
+  kernel exploitation attempts.
+
+- Optional - Modify the machine check exception handler.
+
+- Prevent sensitive kernel information leaks in the console during boot.
+
+- Enable the kernel Electric-Fence sampling-based memory safety error detector
+  which can identify heap out-of-bounds access, use-after-free, and invalid-free errors.
+
+- Disable 32-bit vDSO mappings as they are a legacy compatibility feature.
+
+- Optional - Use kCFI as the default CFI implementation (when using Linux kernel >= 6.2)
+  since it may be slightly more resilient to attacks that are able to write
+  arbitrary executables in memory.
+
+- Optional - Disable support for all x86 processes and syscalls (when using Linux kernel >= 6.7)
+  to reduce attack surface.
+
+- Disable EFI persistent storage feature, preventing the kernel from writing crash logs and
+  other persistent data to the EFI variable store.
+
+Direct memory access:
+
+- Enable strict IOMMU translation to protect against some DMA attacks via the use
+  of both CPU manufacturer-specific drivers and kernel settings.
+
+- Clear the busmaster bit on all PCI bridges during the EFI hand-off, which disables
+  DMA before the IOMMU is configured. May cause boot failure on certain hardware.
+
+Entropy:
+
+- Do not credit the CPU or bootloader as entropy sources at boot in order to
+  maximize the absolute quantity of entropy in the combined pool.
+
+- Obtain more entropy at boot from RAM as the runtime memory allocator is
+  being initialized.
+
+Networking:
+
+- Optional - Disable the entire IPv6 stack to reduce attack surface.
+
+### mmap ASLR
+
+- The bits of entropy used for mmap ASLR for all CPU architectures are maxed
+  out via `/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of
+  `CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX`
+  that the kernel was built with), therefore improving its effectiveness.
+
+### Kernel Self Protection Project (KSPP) compliance status
+
+**Summary:**
+
+`security-misc` is in full compliance with KSPP recommendations wherever feasible. However,
+there are a few cases of partial or non-compliance due to technical limitations.
+
+* [KSPP Recommended Settings](https://kspp.github.io/Recommended_Settings)
+
+**Full compliance:**
+
+More than 30 kernel boot parameters and over 30 sysctl settings are fully aligned with
+the KSPP's recommendations.
+
+**Partial compliance:**
+
+1. `sysctl kernel.yama.ptrace_scope=3`
+
+Completely disables `ptrace()`. Can be enabled easily if needed.
+
+* [security-misc pull request #242](https://github.com/Kicksecure/security-misc/pull/242)
+
+2. `sysctl kernel.panic=-1`
+
+Forces an immediate reboot on kernel panic. This can be enabled, but it may lead to unexpected
+system crashes.
+
+* [security-misc pull request #264](https://github.com/Kicksecure/security-misc/pull/264)
+* [security-misc pull request #268](https://github.com/Kicksecure/security-misc/pull/268)
+
+**Non-compliance:**
+
+3. `sysctl user.max_user_namespaces=0`
+
+Disables user namespaces entirely. Not recommended due to the potential for widespread breakages.
+
+* [security-misc pull request #263](https://github.com/Kicksecure/security-misc/pull/263)
+
+4. `sysctl fs.binfmt_misc.status=0`
+
+Disables the registration of interpreters for miscellaneous binary formats. Currently not
+feasible due to compatibility issues with Firefox.
+
+* [security-misc pull request #249](https://github.com/Kicksecure/security-misc/pull/249)
+* [security-misc issue #267](https://github.com/Kicksecure/security-misc/issues/267)
+
+### Kernel Modules
+
+#### Kernel Module Signature Verification
+
+Not yet implemented due to issues:
+
+- https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/64
+- https://github.com/dell/dkms/issues/359
+
+See:
+
+- `/etc/default/grub.d/40_signed_modules.cfg`
+
+#### Disables the loading of new modules to the kernel after the fact
+
+Not yet implemented due to issues:
+
+- https://github.com/Kicksecure/security-misc/pull/152
+
+A systemd service dynamically sets the kernel parameter `modules_disabled` to 1,
+preventing new modules from being loaded. Since this isn't configured directly
+within systemctl, it does not break the loading of legitimate and necessary
+modules for the user, like drivers etc., given they are plugged in on startup.
+
+#### Blacklist and disable kernel modules
+
+Conntrack: Deactivates Netfilter's connection tracking helper module which
+increases kernel attack surface by enabling superfluous functionality such
+as IRC parsing in the kernel. See `/etc/modprobe.d/30_security-misc_conntrack.conf`.
+
+Certain kernel modules are blacklisted by default to reduce attack surface via
+`/etc/modprobe.d/30_security-misc_blacklist.conf`. Blacklisting prevents kernel
+modules from automatically starting.
+
+- CD-ROM/DVD: Blacklist modules required for CD-ROM/DVD devices.
+
+- Miscellaneous: Blacklist an assortment of other modules to prevent them from
+  automatically loading.
+
+Specific kernel modules are entirely disabled to reduce attack surface via
+`/etc/modprobe.d/30_security-misc_disable.conf`. Disabling prohibits kernel
+modules from starting. This approach should not be considered comprehensive;
+rather, it is a form of badness enumeration. Any potential candidates for future
+disabling should first be blacklisted for a suitable amount of time.
+
+Hardware modules:
+
+- Optional - Bluetooth: Disabled to reduce attack surface.
+
+- FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks.
+
+- GPS: Disable GPS-related modules such as those required for Global Navigation
+  Satellite Systems (GNSS).
+
+- Optional - Intel Management Engine (ME): Provides some disabling of the interface
+  between the Intel ME and the OS. May lead to breakages in places such as firmware
+  updates, security, power management, display, and DRM. See discussion: https://github.com/Kicksecure/security-misc/issues/239
+
+- Intel Platform Monitoring Technology (PMT) Telemetry: Disable some functionality
+  of the Intel PMT components.
+
+- Thunderbolt: Disabled as they are often vulnerable to DMA attacks.
+
+File system modules:
+
+- File Systems: Disable uncommon and legacy file systems.
+
+- Network File Systems: Disable uncommon and legacy network file systems.
+
+Networking modules:
+
+- Network Protocols: A wide array of uncommon and legacy network protocols and drivers
+  are disabled.
+
+Miscellaneous modules:
+
+- Amateur Radios: Disabled to reduce attack surface.
+
+- Optional - CPU MSRs: Disabled as can be abused to write to arbitrary memory.
+
+- Floppy Disks: Disabled to reduce attack surface.
+
+- Framebuffer (fbdev): Disabled as these drivers are well-known to be buggy, cause
+  kernel panics, and are generally only used by legacy devices.
+
+- Replaced Modules: Disabled legacy drivers that have been entirely replaced and
+  superseded by newer drivers.
+
+- Optional - USB Video Device Class: Disables the USB-based video streaming driver for
+  devices like some webcams and digital camcorders.
+
+- Vivid: Disabled to reduce attack surface given previous vulnerabilities.
+
+### Other
+
+- A systemd service clears the System.map file on boot as these contain kernel
+  pointers. The file is completely overwritten with zeroes to ensure it cannot
+  be recovered. See:
+
+`/etc/kernel/postinst.d/30_remove-system-map`
+
+`/usr/lib/systemd/system/remove-system-map.service`
+
+`/usr/libexec/security-misc/remove-system.map`
+
+- Coredumps are disabled as they may contain important information such as
+  encryption keys or passwords. See:
+
+`/etc/security/limits.d/30_security-misc.conf`
+
+`/usr/lib/sysctl.d/30_security-misc.conf`
+
+`/usr/lib/systemd/coredump.conf.d/30_security-misc.conf`
+
+- PStore is disabled as crash logs can contain sensitive system data such as
+  kernel version, hostname, and users. See:
+
+  `/usr/lib/systemd/pstore.conf.d/30_security-misc.conf`
+
+- An initramfs hook sets the sysctl values in `/etc/sysctl.conf` and
+  `/etc/sysctl.d` before init is executed so sysctl hardening is enabled as
+  early as possible. This is implemented for `initramfs-tools` only because
+  this is not needed for `dracut` as `dracut` does that by default, at
+  least on `systemd` enabled systems. Not researched for non-`systemd` systems
+  by the author of this part of the readme.
+
+## Network hardening
+
+Not yet implemented due to issues:
+
+- https://github.com/Kicksecure/security-misc/pull/145
+
+- https://github.com/Kicksecure/security-misc/issues/184
+
+- Unlike version 4, IPv6 addresses can provide information not only about the
+  originating network but also the originating device. We prevent this from
+  happening by enabling the respective privacy extensions for IPv6.
+
+- In addition, we deny the capability to track the originating device in the
+  network at all, by using randomized MAC addresses per connection by
+  default.
+
+See:
+
+- `/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf`
+- `/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf`
+- `/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf`
+
+## Bluetooth Hardening
+
+### Bluetooth Status: Enabled but Defaulted to Off
+
+- **Default Behavior**: Although Bluetooth capability is 'enabled' in the kernel,
+  security-misc deviates from the usual behavior by starting with Bluetooth
+  turned off at system start. This setting remains until the user explicitly opts
+  to activate Bluetooth.
+
+- **User Control**: Users have the freedom to easily switch Bluetooth on and off
+  in the usual way, exercising their own discretion. This can be done via the
+  Bluetooth toggle through the usual way, that is either through GUI settings
+  application or command line commands.
+
+- **Enhanced Privacy Settings**: We enforce more private defaults for Bluetooth
+  connections. This includes the use of private addresses and strict timeout
+  settings for discoverability and visibility.
+
+- **Security Considerations**: Despite these measures, it's important to note that
+  Bluetooth technology, by its nature, may still be prone to exploits due to its
+  history of security vulnerabilities. Thus, we recommend users to opt-out of
+  using Bluetooth when possible.
+
+### Configuration Details
+
+- See configuration: `/etc/bluetooth/30_security-misc.conf`
+- For more information and discussion: [GitHub Pull Request](https://github.com/Kicksecure/security-misc/pull/145)
+
+### Understanding Bluetooth Terms
+
+- **Disabling Bluetooth**: This means the absence of the Bluetooth kernel module.
+  When disabled, Bluetooth is non-existent in the system - it cannot be seen, set,
+  configured, or interacted with in any way.
+
+- **Turning Bluetooth On/Off**: This refers to a software toggle. Normally, on
+  Debian systems, Bluetooth is 'on' when the system boots up. It actively searches
+  for known devices to auto-connect and may be discoverable or visible under certain
+  conditions. Our default ensures that Bluetooth is off on startup. However, it
+  remains 'enabled' in the kernel, meaning the kernel can use the Bluetooth protocol
+  and has the necessary modules.
+
+### Quick Toggle Guide
+
+- **Turning Bluetooth On**: Simply click the Bluetooth button in the settings
+  application or on the tray, and switch the toggle. It's a straightforward action
+  that can be completed in less than a second.
+
+- **Turning Bluetooth Off**: Follow the same procedure as turning it on but switch
+  the toggle to the off position.
+
+## Entropy collection improvements
+
+- The `jitterentropy_rng` kernel module is loaded as early as possible during
+  boot to gather more entropy via the
+  `/usr/lib/modules-load.d/30_security-misc.conf` configuration file.
+
+- Distrusts the CPU for initial entropy at boot as it is not possible to
+  audit, may contain weaknesses or a backdoor. Similarly, do not credit the
+  bootloader seed for initial entropy. For references, see:
+  `/etc/default/grub.d/40_kernel_hardening.cfg`
+
+- Gathers more entropy during boot if using the linux-hardened kernel patch.
+
+## Restrictive mount options
+
+A systemd service is triggered on boot to remount all sensitive partitions and
+directories with significantly more secure hardened mount options. Since this
+would require manual tuning for a given specific system, we handle it by
+creating a very solid configuration file for that very system on package
+installation.
+
+Not enabled by default yet. In development. Help welcome.
+
+- https://www.kicksecure.com/wiki/Dev/remount-secure
+- https://github.com/Kicksecure/security-misc/issues/157
+- https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/
+
+## Root access restrictions
+
+- `su` is restricted to only users within the group `sudo` which prevents
+  users from using `su` to gain root access or to switch user accounts -
+  `/usr/share/pam-configs/wheel-security-misc` (which results in a change in
+  file `/etc/pam.d/common-auth`).
+
+- Add user `root` to group `sudo`. This is required due to the above
+  restriction so that logging in from a virtual console is still possible -
+  `debian/security-misc.postinst`
+
+- Abort login for users with locked passwords -
+  `/usr/libexec/security-misc/pam-abort-on-locked-password`.
+
+- Logging into the root account from a virtual, serial, or other console is
+  prevented by shipping an existing and empty `/etc/securetty` file (deletion
+  of `/etc/securetty` has a different effect).
+
+This package does not yet automatically lock the root account password. It is
+not clear if this would be sane in such a package, although it is recommended to
+lock and expire the root account.
+
+In new Kicksecure builds, the root account will be locked by package
+dist-base-files.
+
+See:
+
+- https://www.kicksecure.com/wiki/Root
+- https://www.kicksecure.com/wiki/Dev/Permissions
+- https://forums.whonix.org/t/restrict-root-access/7658
+
+However, a locked root password will break rescue and emergency shell.
+Therefore, this package enables passwordless rescue and emergency shell. This is
+the same solution that Debian will likely adopt for the Debian installer:
+https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211
+
+See:
+
+- `/etc/systemd/system/emergency.service.d/override.conf`
+- `/etc/systemd/system/rescue.service.d/override.conf`
+
+Adverse security effects can be prevented by setting up BIOS password
+protection, GRUB password protection, and/or full disk encryption.
+
+## Console lockdown
+
+This uses pam_access to allow members of group `console` to use the console but
+restrict everyone else (except members of group `console-unrestricted`) from
+using the console with ancient, unpopular login methods such as `/bin/login` over
+networks as this might be exploitable. (CVE-2001-0797)
+
+This is not enabled by default in this package since this package does not know
+which users should be added to group 'console' and thus, would break console access.
+
+See:
+
+- `/usr/share/pam-configs/console-lockdown-security-misc`
+- `/etc/security/access-security-misc.conf`
+
+## Brute force attack protection
+
+User accounts are locked after 50 failed login attempts using `pam_faillock`.
+
+Informational output during Linux PAM:
+
+- Show failed and remaining password attempts.
+- Document unlock procedure if Linux user account got locked.
+- Point out that there is no password feedback for `su`.
+- Explain locked root account if locked.
+
+See:
+
+- `/usr/share/pam-configs/tally2-security-misc`
+- `/usr/libexec/security-misc/pam-info`
+- `/usr/libexec/security-misc/pam-abort-on-locked-password`
+
+## Access rights restrictions
+
+### Strong user account separation
+
+#### Permission Lockdown
+
+Read, write, and execute access for "others" are removed during package
+installation, upgrade, or PAM `mkhomedir` for all users who have home folders in
+`/home` by running, for example:
 
 ```
-sudo apt-key --keyring /etc/apt/trusted.gpg.d/whonix.gpg adv --keyserver hkp://ipv4.pool.sks-keyservers.net:80 --recv-keys 916B8D99C38EAF5E8ADC7A2A8D66066A2EEACCDA
+chmod o-rwx /home/user
 ```
 
-3\. Add Whonix's APT repository.
+This will be done only once per folder in `/home` so users who wish to relax
+file permissions are free to do so. This is to protect files in a home folder
+that were previously created with lax file permissions prior to the installation
+of this package.
 
-```
-echo "deb http://deb.whonix.org buster main contrib non-free" | sudo tee /etc/apt/sources.list.d/whonix.list
-```
+See:
 
-4\. Update your package lists.
+- `debian/security-misc.postinst`
+- `/usr/libexec/security-misc/permission-lockdown`
+- `/usr/share/pam-configs/mkhomedir-security-misc`
 
-```
-sudo apt-get update
-```
+#### umask
 
-5\. Install `security-misc`.
+The default `umask` is set to `027` for files created by non-root users, such
+as the account `user`.
 
-```
-sudo apt-get install security-misc
-```
+This is done using the PAM module `pam_mkhomedir.so umask=027`.
 
-## How to Build deb Package ##
+This configuration ensures that files created by non-root users cannot be read
+by other non-root users by default. While Permission Lockdown already protects
+the `/home` folder, this setting extends protection to other folders such as
+`/tmp`.
 
-Replace `apparmor-profile-torbrowser` with the actual name of this package with `security-misc` and see [instructions](https://www.whonix.org/wiki/Dev/Build_Documentation/apparmor-profile-torbrowser).
+`group` read permissions are not removed. This is unnecessary due to Debian's
+use of User Private Groups (UPGs). See also:
+https://wiki.debian.org/UserPrivateGroups
 
-## Contact ##
+The default `umask` is unchanged for root because configuration files created
+in `/etc` by the system administrator would otherwise be unreadable by
+"others," potentially breaking applications. Examples include `/etc/firefox-esr`
+and `/etc/thunderbird`. Additionally, the `umask` is set to `022` via `sudoers`
+configuration, ensuring that files created as root are world-readable, even
+when using commands such as `sudo vi /etc/file` or `sudo -i; touch /etc/file`.
 
-* [Free Forum Support](https://forums.whonix.org)
-* [Professional Support](https://www.whonix.org/wiki/Professional_Support)
+When using `sudo`, the `umask` is set to `022` rather than `027` to ensure
+compatibility with commands such as `sudo vi /etc/configfile` and
+`sudo -i; touch /etc/file`.
 
-## Donate ##
+See:
 
-`security-misc` requires [donations](https://www.whonix.org/wiki/Donate) to stay alive!
+- `/usr/share/pam-configs/umask-security-misc`
+
+### SUID / SGID removal and permission hardening
+
+#### SUID / SGID removal
+
+A systemd service removes SUID / SGID bits from non-essential binaries as these
+are often used in privilege escalation attacks.
+
+#### File permission hardening
+
+Various file permissions are reset with more secure and hardened defaults. These
+include but are not limited to:
+
+- Limiting `/home` and `/root` to the root only.
+- Limiting crontab to root as well as all the configuration files for cron.
+- Limiting the configuration for cups and ssh.
+- Protecting the information of sudoers from others.
+- Protecting various system-relevant files and modules.
+
+##### permission-hardener
+
+`permission-hardener` removes SUID / SGID bits from non-essential binaries as
+these are often used in privilege escalation attacks. It is enabled by default
+and applied at security-misc package installation and upgrade time.
+
+There is also an optional systemd unit which does the same at boot time that
+can be enabled by running `systemctl enable permission-hardener.service` as
+root. The hardening at boot time is not the default because this slows down
+the boot process too much.
+
+See:
+
+* `/usr/bin/permission-hardener`
+* `debian/security-misc.postinst`
+* `/lib/systemd/system/permission-hardener.service`
+* `/etc/permission-hardener.d`
+* https://forums.whonix.org/t/disable-suid-binaries/7706
+* https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener
+
+### Access rights relaxations
+
+This is not enabled yet because hidepid is not enabled by default.
+
+Calls to `pkexec` are redirected to `lxqt-sudo` because `pkexec` is
+incompatible with `hidepid=2`.
+
+See:
+
+* `/usr/bin/pkexec.security-misc`
+* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040
+* https://forums.whonix.org/t/cannot-use-pkexec/8129
+
+## Application-specific hardening
+
+- Enables "`apt-get --error-on=any`" which makes apt exit non-zero for
+  transient failures. - `/etc/apt/apt.conf.d/40error-on-any`.
+- Enables APT seccomp-BPF sandboxing - `/etc/apt/apt.conf.d/40sandbox`.
+- Deactivates previews in Dolphin.
+- Deactivates previews in Nautilus -
+  `/usr/share/glib-2.0/schemas/30_security-misc.gschema.override`.
+- Deactivates thumbnails in Thunar.
+  - Rationale: lower attack surface when using the file manager
+  - https://forums.whonix.org/t/disable-preview-in-file-manager-by-default/18904
+- Thunderbird is hardened with the following options:
+  - Displays domain names in punycode to prevent IDN homograph attacks (a
+    form of phishing).
+  - Strips email client information from sent email headers.
+  - Strips user time information from sent email headers by replacing the
+    originating time zone with UTC and rounding the timestamp to the nearest
+    minute.
+  - Disables scripting when viewing PDF files.
+  - Disables implicit outgoing connections.
+  - Disables all and any kind of telemetry.
+- Security and privacy enhancements for gnupg's config file
+  `/etc/skel/.gnupg/gpg.conf`. See also:
+  - https://raw.github.com/ioerror/torbirdy/master/gpg.conf
+  - https://github.com/ioerror/torbirdy/pull/11
+
+### Project scope of application-specific hardening
+
+Added in December 2023.
+
+Before sending pull requests to harden arbitrary applications, please note the
+scope of security-misc is limited to default installed applications in
+Kicksecure and Whonix. This includes:
+
+- Thunderbird, VLC Media Player, KeePassXC
+- Debian Specific System Components (APT, DPKG)
+- System Services (NetworkManager IPv6 privacy options, MAC address
+  randomization)
+- Actually used development utilities such as `git`.
+
+It will not be possible to review and merge "1500" settings profiles for
+arbitrary applications outside of this context.
+
+The main objective of security-misc is to harden Kicksecure and its derivatives,
+such as Whonix, by implementing robust security settings. It's designed to be
+compatible with Debian, reflecting a commitment to clean implementation and
+sound design principles. However, it's important to note that security-misc is a
+component of Kicksecure, not a substitute for it. The intention isn't to
+recreate Kicksecure within security-misc. Instead, specific security
+enhancements, like recommending a curated list of security-focused
+default packages (e.g., `libpam-tmpdir`), should be integrated directly into
+those appropriate areas of Kicksecure (e.g. `kicksecure-meta-packages`).
+
+Discussion: https://github.com/Kicksecure/security-misc/issues/154
+
+### Development philosophy
+
+Added in December 2023.
+
+Maintainability is a key priority \[1\]. Before modifying settings in the
+downstream security-misc, it's essential to first engage with upstream
+developers to propose these changes as defaults. This step should only be
+bypassed if there's a clear, prior indication from upstream that such changes
+won't be accepted. Additionally, before implementing any workarounds, consulting
+with upstream is necessary to avoid future unmaintainable complexity.
+
+If debugging features are disabled, pull requests won't be merged until there is
+a corresponding pull request for the debug-misc package to re-enable these. This
+is to avoid configuring the system into a corner where it can no longer be
+debugged.
+
+\[1\] https://www.kicksecure.com/wiki/Dev/maintainability
+
+## Opt-in hardening
+
+Some hardening is opt-in as it causes too much breakage to be enabled by
+default.
+
+- An optional systemd service mounts `/proc` with `hidepid=2` at boot to
+  prevent users from seeing another user's processes. This is disabled by
+  default because it is incompatible with `pkexec`. It can be enabled by
+  executing `systemctl enable proc-hidepid.service` as root.
+
+- A systemd service restricts `/proc/cpuinfo`, `/proc/bus`, `/proc/scsi`, and
+  `/sys` to the root user. This hides a lot of hardware identifiers from
+  unprivileged users and increases security as `/sys` exposes a lot of
+  information that shouldn't be accessible to unprivileged users. As this will
+  break many things, it is disabled by default and can optionally be enabled
+  by executing `systemctl enable hide-hardware-info.service` as root.
+
+## Miscellaneous
+
+- Hardened malloc compatibility for haveged workaround
+  `/lib/systemd/system/haveged.service.d/30_security-misc.conf`
+
+- Set `dracut` `reproducible=yes` setting
+
+## Legal
+
+`/usr/lib/issue.d/20_security-misc.issue`
+
+https://github.com/Kicksecure/security-misc/pull/167
+
+## Related
+
+-   Linux Kernel Runtime Guard (LKRG)
+-   tirdad - TCP ISN CPU Information Leak Protection.
+-   Kicksecure (TM) - a security-hardened Linux Distribution
+-   And more.
+-   https://www.kicksecure.com/wiki/Linux_Kernel_Runtime_Guard_LKRG
+-   https://github.com/Kicksecure/tirdad
+-   https://www.kicksecure.com
+-   https://github.com/Kicksecure
+
+## Discussion
+
+Happening primarily in forums.
+
+https://forums.whonix.org/t/kernel-hardening/7296
+
+## How to install `security-misc`
+
+See https://www.kicksecure.com/wiki/Security-misc#install
+
+## How to Build deb Package from Source Code
+
+Can be build using standard Debian package build tools such as:
+
+    dpkg-buildpackage -b
+
+See instructions. (Replace `generic-package` with the actual name of this
+package `security-misc`.)
+
+-   **A)**
+    [easy](https://www.kicksecure.com/wiki/Dev/Build_Documentation/generic-package/easy),
+    *OR*
+-   **B)** [including verifying software
+    signatures](https://www.kicksecure.com/wiki/Dev/Build_Documentation/generic-package)
+
+## Contact
+
+-   [Free Forum Support](https://forums.kicksecure.com)
+-   [Professional Support](https://www.kicksecure.com/wiki/Professional_Support)
+
+## Donate
+
+`security-misc` requires [donations](https://www.kicksecure.com/wiki/Donate) to
+stay alive!

README_generic.md

@@ -0,0 +1,68 @@
+# Enhances Miscellaneous Security Settings #
+
+https://github.com/Kicksecure/security-misc/blob/master/README.md
+
+https://www.kicksecure.com/wiki/Security-misc
+
+Discussion:
+
+Happening primarily in Whonix forums.
+https://forums.whonix.org/t/kernel-hardening/7296
+
+## How to install `security-misc` using apt-get ##
+
+1\. Download the APT Signing Key.
+
+```
+wget https://www.kicksecure.com/keys/derivative.asc
+```
+
+Users can [check the Signing Key](https://www.kicksecure.com/wiki/Signing_Key) for better security.
+
+2\. Add the APT Signing Key.
+
+```
+sudo cp ~/derivative.asc /usr/share/keyrings/derivative.asc
+```
+
+3\. Add the derivative repository.
+
+```
+echo "deb [signed-by=/usr/share/keyrings/derivative.asc] https://deb.kicksecure.com bookworm main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list
+```
+
+4\. Update your package lists.
+
+```
+sudo apt-get update
+```
+
+5\. Install `security-misc`.
+
+```
+sudo apt-get install security-misc
+```
+
+## How to Build deb Package from Source Code ##
+
+Can be build using standard Debian package build tools such as:
+
+```
+dpkg-buildpackage -b
+```
+
+See instructions.
+
+NOTE: Replace `generic-package` with the actual name of this package `security-misc`.
+
+* **A)** [easy](https://www.kicksecure.com/wiki/Dev/Build_Documentation/generic-package/easy), _OR_
+* **B)** [including verifying software signatures](https://www.kicksecure.com/wiki/Dev/Build_Documentation/generic-package)
+
+## Contact ##
+
+* [Free Forum Support](https://forums.kicksecure.com)
+* [Premium Support](https://www.kicksecure.com/wiki/Premium_Support)
+
+## Donate ##
+
+`security-misc` requires [donations](https://www.kicksecure.com/wiki/Donate) to stay alive!

debian/compat

@@ -1 +0,0 @@
-12

debian/control

@@ -1,155 +1,43 @@
-## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@kicksecure.com>
 ## See the file COPYING for copying conditions.
 
 Source: security-misc
 Section: misc
 Priority: optional
-Maintainer: Patrick Schleizer <adrelanos@riseup.net>
-Build-Depends: debhelper (>= 12), genmkfile, config-package-dev
-Homepage: https://github.com/Whonix/security-misc
-Vcs-Browser: https://github.com/Whonix/security-misc
-Vcs-Git: https://github.com/Whonix/security-misc.git
-Standards-Version: 4.3.0
+Maintainer: Patrick Schleizer <adrelanos@kicksecure.com>
+Build-Depends: config-package-dev,
+               debhelper (>= 13),
+               debhelper-compat (= 13),
+               dh-apparmor,
+               po-debconf
+Homepage: https://www.kicksecure.com/wiki/Security-misc
+Vcs-Browser: https://github.com/Kicksecure/security-misc
+Vcs-Git: https://github.com/Kicksecure/security-misc.git
+Standards-Version: 4.6.2
+Rules-Requires-Root: no
 
 Package: security-misc
 Architecture: all
-Depends: python, libglib2.0-bin, libpam-runtime, libpam-cgfs, ${misc:Depends}
-Replaces: tcp-timestamps-disable
-Description: enhances misc security settings
- The following settings are changed:
+Depends: adduser,
+         apparmor-profile-dist,
+         dmsetup,
+         helper-scripts,
+         libcap2-bin,
+         libglib2.0-bin,
+         libpam-modules-bin,
+         libpam-runtime,
+         libpam-umask,
+         python3,
+         secure-delete,
+         sudo,
+         ${misc:Depends}
+Replaces: anon-gpg-tweaks, swappiness-lowest, tcp-timestamps-disable
+Description: Enhances Miscellaneous Security Settings
+ https://github.com/Kicksecure/security-misc/blob/master/README.md
  .
- deactivates previews in Dolphin;
- deactivates previews in Nautilus;
- deactivates thumbnails in Thunar;
- deactivates TCP timestamps;
- deactivates Netfilter's connection tracking helper;
- implements some kernel hardening;
- prevents DMA attacks;
- restricts access to the root account;
- increases the amount of hashing rounds used by shadow;
+ https://www.kicksecure.com/wiki/Security-misc
  .
- TCP time stamps (RFC 1323) allow for tracking clock
- information with millisecond resolution. This may or may not allow an
- attacker to learn information about the system clock at such
- a resolution, depending on various issues such as network lag.
- This information is available to anyone who monitors the network
- somewhere between the attacked system and the destination server.
- It may allow an attacker to find out how long a given
- system has been running, and to distinguish several
- systems running behind NAT and using the same IP address. It might
- also allow one to look for clocks that match an expected value to find the
- public IP used by a user.
+ Discussion:
  .
- Hence, this package disables this feature by shipping the
- /etc/sysctl.d/tcp_timestamps.conf configuration file.
- .
- Note that TCP time stamps normally have some usefulness. They are
- needed for:
- .
- * the TCP protection against wrapped sequence numbers; however, to
-   trigger a wrap, one needs to send roughly 2^32 packets in one
-   minute:  as said in RFC 1700, "The current recommended default
-   time to live (TTL) for the Internet Protocol (IP) [45,105] is 64".
-   So, this probably won't be a practical problem in the context
-   of Anonymity Distributions.
- .
- * "Round-Trip Time Measurement", which is only useful when the user
-   manages to saturate their connection. When using Anonymity Distributions,
-   probably the limiting factor for transmission speed is rarely the capacity
-   of the user connection.
- .
- Netfilter's connection tracking helper module increases kernel attack
- surface by enabling superfluous functionality such as IRC parsing in
- the kernel. (!)
- .
- Hence, this package disables this feature by shipping the
- /etc/modprobe.d/30_nf_conntrack_helper_disable.conf configuration file.
- .
- Kernel symbols in /proc/kallsyms are hidden to prevent malware from
- reading them and using them to learn more about what to attack on your system.
- .
- Kexec is disabled as it can be used for live patching of the running kernel.
- .
- The BPF JIT compiler is restricted to the root user and is hardened.
- .
- ASLR effectiveness for mmap is increased.
- .
- The ptrace system call is restricted to the root user only.
- .
- The TCP/IP stack is hardened.
- .
- This package makes some data spoofing attacks harder.
- .
- SACK is disabled as it is commonly exploited and is rarely used.
- .
- This package disables the merging of slabs of similar sizes to prevent an
- attacker from exploiting them.
- .
- Sanity checks, redzoning, and memory poisoning are enabled.
- .
- The kernel now panics on uncorrectable errors in ECC memory which could
- be exploited.
- .
- Kernel Page Table Isolation is enabled to mitigate Meltdown and increase
- KASLR effectiveness.
- .
- SMT is disabled as it can be used to exploit the MDS vulnerability.
- .
- All mitigations for the MDS vulnerability are enabled.
- .
- Uncommon network protocols are blacklisted in
- /etc/modprobe.d/uncommon-network-protocols.conf as they are rarely used and
- may have unknown vulnerabilities.
- .
- The network protocols that are blacklisted are:
- .
-  * DCCP - Datagram Congestion Control Protocol
-  * SCTP - Stream Control Transmission Protocol
-  * RDS - Reliable Datagram Sockets
-  * TIPC - Transparent Inter-process Communication
-  * HDLC - High-Level Data Link Control
-  * AX25 - Amateur X.25
-  * NetRom
-  * X25
-  * ROSE
-  * DECnet
-  * Econet
-  * af_802154 - IEEE 802.15.4
-  * IPX - Internetwork Packet Exchange
-  * AppleTalk
-  * PSNAP - Subnetwork Access Protocol
-  * p8023 - Novell raw IEEE 802.3
-  * LLC - IEEE 802.2
-  * p8022 - IEEE 802.2
- .
- The kernel logs are restricted to root only.
- .
- A systemd service clears System.map on boot as these contain kernel symbols
- that could be useful to an attacker.
- .
- The SysRq key is restricted to only allow shutdowns/reboots.
- .
- The thunderbolt and firewire modules are blacklisted as they can be used for
- DMA (Direct Memory Access) attacks.
- .
- IOMMU is enabled with a boot parameter to prevent DMA attacks.
- .
- Coredumps are disabled as they may contain important information such as
- encryption keys or passwords.
- .
- A systemd service mounts /proc with hidepid=2 at boot to prevent users from
- seeing each other's processes.
- .
- The default umask is changed to 006. This allows only the owner and group to
- read and write to newly created files.
- .
- The kernel now panics on oopses to prevent it from continuing running a
- flawed process.
- .
- Su is restricted to only users within the root group which prevents users from
- using su to gain root access or switch user accounts.
- .
- Logging into the root account from a terminal is prevented.
- .
- The amount of hashing rounds used by shadow is bumped to 65536. This increases
- the security of hashed passwords.
+ Happening primarily in Whonix forums.
+ https://forums.whonix.org/t/kernel-hardening/7296

debian/copyright

@@ -1,212 +1,668 @@
 Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 
 Files: *
-Copyright: 2012 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
-License: GPL-3+-with-additional-terms-1
- This program is free software: you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation, either version 3 of the License, or
- (at your option) any later version.
+Copyright: 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+License: AGPL-3+
+
+License: AGPL-3+
+                    GNU AFFERO GENERAL PUBLIC LICENSE
+                       Version 3, 19 November 2007
  .
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- GNU General Public License for more details.
+ Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
  .
- You should have received a copy of the GNU General Public License
- along with this program.  If not, see <https://www.gnu.org/licenses/>.
+                            Preamble
  .
- On Debian systems, the full text of the GNU General Public
- License version 3 can be found in the file
- `/usr/share/common-licenses/GPL-3'.
+ The GNU Affero General Public License is a free, copyleft license for
+ software and other kinds of works, specifically designed to ensure
+ cooperation with the community in the case of network server software.
  .
- ADDITIONAL TERMS APPLICABLE per GNU GPL version 3 section 7
+ The licenses for most software and other practical works are designed
+ to take away your freedom to share and change the works.  By contrast,
+ our General Public Licenses are intended to guarantee your freedom to
+ share and change all versions of a program--to make sure it remains free
+ software for all its users.
  .
- 1. Replacement of Section 15.  Section 15 of the GPL shall be deleted in its
- entirety and replaced with the following:
+  When we speak of free software, we are referring to freedom, not
+ price.  Our General Public Licenses are designed to make sure that you
+ have the freedom to distribute copies of free software (and charge for
+ them if you wish), that you receive source code or can get it if you
+ want it, that you can change the software or use pieces of it in new
+ free programs, and that you know you can do these things.
  .
- 15. Disclaimer of Warranty.
+  Developers that use our General Public Licenses protect your rights
+ with two steps: (1) assert copyright on the software, and (2) offer
+ you this License which gives you legal permission to copy, distribute
+ and/or modify the software.
  .
- THE PROGRAM IS PROVIDED WITHOUT ANY WARRANTIES, WHETHER EXPRESSED OR IMPLIED,
- INCLUDING, WITHOUT LIMITATION, IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR
- PURPOSE, NON-INFRINGEMENT, TITLE AND MERCHANTABILITY.  THE PROGRAM IS BEING
- DELIVERED OR MADE AVAILABLE 'AS IS', 'WITH ALL FAULTS' AND WITHOUT WARRANTY OR
- REPRESENTATION.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE
- PROGRAM IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+ A secondary benefit of defending all users' freedom is that
+ improvements made in alternate versions of the program, if they
+ receive widespread use, become available for other developers to
+ incorporate.  Many developers of free software are heartened and
+ encouraged by the resulting cooperation.  However, in the case of
+ software used on network servers, this result may fail to come about.
+ The GNU General Public License permits making a modified version and
+ letting the public access it on a server without ever releasing its
+ source code to the public.
+ .
+ The GNU Affero General Public License is designed specifically to
+ ensure that, in such cases, the modified source code becomes available
+ to the community.  It requires the operator of a network server to
+ provide the source code of the modified version running there to the
+ users of that server.  Therefore, public use of a modified version, on
+ a publicly accessible server, gives the public access to the source
+ code of the modified version.
+ .
+ An older license, called the Affero General Public License and
+ published by Affero, was designed to accomplish similar goals.  This is
+ a different license, not a version of the Affero GPL, but Affero has
+ released a new version of the Affero GPL which permits relicensing under
+ this license.
+ .
+ The precise terms and conditions for copying, distribution and
+ modification follow.
+ .
+                       TERMS AND CONDITIONS
+ .
+  0. Definitions.
+ .
+  "This License" refers to version 3 of the GNU Affero General Public License.
+ .
+  "Copyright" also means copyright-like laws that apply to other kinds of
+ works, such as semiconductor masks.
+ .
+ "The Program" refers to any copyrightable work licensed under this
+ License.  Each licensee is addressed as "you".  "Licensees" and
+ "recipients" may be individuals or organizations.
+ .
+ To "modify" a work means to copy from or adapt all or part of the work
+ in a fashion requiring copyright permission, other than the making of an
+ exact copy.  The resulting work is called a "modified version" of the
+ earlier work or a work "based on" the earlier work.
+ .
+ A "covered work" means either the unmodified Program or a work based
+ on the Program.
+ .
+ To "propagate" a work means to do anything with it that, without
+ permission, would make you directly or secondarily liable for
+ infringement under applicable copyright law, except executing it on a
+ computer or modifying a private copy.  Propagation includes copying,
+ distribution (with or without modification), making available to the
+ public, and in some countries other activities as well.
+ .
+ To "convey" a work means any kind of propagation that enables other
+ parties to make or receive copies.  Mere interaction with a user through
+ a computer network, with no transfer of a copy, is not conveying.
+ .
+ An interactive user interface displays "Appropriate Legal Notices"
+ to the extent that it includes a convenient and prominently visible
+ feature that (1) displays an appropriate copyright notice, and (2)
+ tells the user that there is no warranty for the work (except to the
+ extent that warranties are provided), that licensees may convey the
+ work under this License, and how to view a copy of this License.  If
+ the interface presents a list of user commands or options, such as a
+ menu, a prominent item in the list meets this criterion.
+ .
+ 1. Source Code.
+ .
+ The "source code" for a work means the preferred form of the work
+ for making modifications to it.  "Object code" means any non-source
+ form of a work.
+ .
+ A "Standard Interface" means an interface that either is an official
+ standard defined by a recognized standards body, or, in the case of
+ interfaces specified for a particular programming language, one that
+ is widely used among developers working in that language.
+ .
+ The "System Libraries" of an executable work include anything, other
+ than the work as a whole, that (a) is included in the normal form of
+ packaging a Major Component, but which is not part of that Major
+ Component, and (b) serves only to enable use of the work with that
+ Major Component, or to implement a Standard Interface for which an
+ implementation is available to the public in source code form.  A
+ "Major Component", in this context, means a major essential component
+ (kernel, window system, and so on) of the specific operating system
+ (if any) on which the executable work runs, or a compiler used to
+ produce the work, or an object code interpreter used to run it.
+ .
+ The "Corresponding Source" for a work in object code form means all
+ the source code needed to generate, install, and (for an executable
+ work) run the object code and to modify the work, including scripts to
+ control those activities.  However, it does not include the work's
+ System Libraries, or general-purpose tools or generally available free
+ programs which are used unmodified in performing those activities but
+ which are not part of the work.  For example, Corresponding Source
+ includes interface definition files associated with source files for
+ the work, and the source code for shared libraries and dynamically
+ linked subprograms that the work is specifically designed to require,
+ such as by intimate data communication or control flow between those
+ subprograms and other parts of the work.
+ .
+ The Corresponding Source need not include anything that users
+ can regenerate automatically from other parts of the Corresponding
+ Source.
+ .
+ The Corresponding Source for a work in source code form is that
+ same work.
+ .
+  2. Basic Permissions.
+ .
+  All rights granted under this License are granted for the term of
+ copyright on the Program, and are irrevocable provided the stated
+ conditions are met.  This License explicitly affirms your unlimited
+ permission to run the unmodified Program.  The output from running a
+ covered work is covered by this License only if the output, given its
+ content, constitutes a covered work.  This License acknowledges your
+ rights of fair use or other equivalent, as provided by copyright law.
+ .
+ You may make, run and propagate covered works that you do not
+ convey, without conditions so long as your license otherwise remains
+ in force.  You may convey covered works to others for the sole purpose
+ of having them make modifications exclusively for you, or provide you
+ with facilities for running those works, provided that you comply with
+ the terms of this License in conveying all material for which you do
+ not control copyright.  Those thus making or running the covered works
+ for you must do so exclusively on your behalf, under your direction
+ and control, on terms that prohibit them from making any copies of
+ your copyrighted material outside their relationship with you.
+ .
+ Conveying under any other circumstances is permitted solely under
+ the conditions stated below.  Sublicensing is not allowed; section 10
+ makes it unnecessary.
+ .
+  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+ .
+ No covered work shall be deemed part of an effective technological
+ measure under any applicable law fulfilling obligations under article
+ 11 of the WIPO copyright treaty adopted on 20 December 1996, or
+ similar laws prohibiting or restricting circumvention of such
+ measures.
+ .
+ When you convey a covered work, you waive any legal power to forbid
+ circumvention of technological measures to the extent such circumvention
+ is effected by exercising rights under this License with respect to
+ the covered work, and you disclaim any intention to limit operation or
+ modification of the work as a means of enforcing, against the work's
+ users, your or third parties' legal rights to forbid circumvention of
+ technological measures.
+ .
+  4. Conveying Verbatim Copies.
+ .
+ You may convey verbatim copies of the Program's source code as you
+ receive it, in any medium, provided that you conspicuously and
+ appropriately publish on each copy an appropriate copyright notice;
+ keep intact all notices stating that this License and any
+ non-permissive terms added in accord with section 7 apply to the code;
+ keep intact all notices of the absence of any warranty; and give all
+ recipients a copy of this License along with the Program.
+ .
+ You may charge any price or no price for each copy that you convey,
+ and you may offer support or warranty protection for a fee.
+ .
+  5. Conveying Modified Source Versions.
+ .
+ You may convey a work based on the Program, or the modifications to
+ produce it from the Program, in the form of source code under the
+ terms of section 4, provided that you also meet all of these conditions:
+ .
+    a) The work must carry prominent notices stating that you modified
+    it, and giving a relevant date.
+ .
+    b) The work must carry prominent notices stating that it is
+    released under this License and any conditions added under section
+    7.  This requirement modifies the requirement in section 4 to
+    "keep intact all notices".
+ .
+    c) You must license the entire work, as a whole, under this
+    License to anyone who comes into possession of a copy.  This
+    License will therefore apply, along with any applicable section 7
+    additional terms, to the whole of the work, and all its parts,
+    regardless of how they are packaged.  This License gives no
+    permission to license the work in any other way, but it does not
+    invalidate such permission if you have separately received it.
+ .
+    d) If the work has interactive user interfaces, each must display
+    Appropriate Legal Notices; however, if the Program has interactive
+    interfaces that do not display Appropriate Legal Notices, your
+    work need not make them do so.
+ .
+ A compilation of a covered work with other separate and independent
+ works, which are not by their nature extensions of the covered work,
+ and which are not combined with it such as to form a larger program,
+ in or on a volume of a storage or distribution medium, is called an
+ "aggregate" if the compilation and its resulting copyright are not
+ used to limit the access or legal rights of the compilation's users
+ beyond what the individual works permit.  Inclusion of a covered work
+ in an aggregate does not cause this License to apply to the other
+ parts of the aggregate.
+ .
+  6. Conveying Non-Source Forms.
+ .
+ You may convey a covered work in object code form under the terms
+ of sections 4 and 5, provided that you also convey the
+ machine-readable Corresponding Source under the terms of this License,
+ in one of these ways:
+ .
+    a) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by the
+    Corresponding Source fixed on a durable physical medium
+    customarily used for software interchange.
+ .
+    b) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by a
+    written offer, valid for at least three years and valid for as
+    long as you offer spare parts or customer support for that product
+    model, to give anyone who possesses the object code either (1) a
+    copy of the Corresponding Source for all the software in the
+    product that is covered by this License, on a durable physical
+    medium customarily used for software interchange, for a price no
+    more than your reasonable cost of physically performing this
+    conveying of source, or (2) access to copy the
+    Corresponding Source from a network server at no charge.
+ .
+    c) Convey individual copies of the object code with a copy of the
+    written offer to provide the Corresponding Source.  This
+    alternative is allowed only occasionally and noncommercially, and
+    only if you received the object code with such an offer, in accord
+    with subsection 6b.
+ .
+    d) Convey the object code by offering access from a designated
+    place (gratis or for a charge), and offer equivalent access to the
+    Corresponding Source in the same way through the same place at no
+    further charge.  You need not require recipients to copy the
+    Corresponding Source along with the object code.  If the place to
+    copy the object code is a network server, the Corresponding Source
+    may be on a different server (operated by you or a third party)
+    that supports equivalent copying facilities, provided you maintain
+    clear directions next to the object code saying where to find the
+    Corresponding Source.  Regardless of what server hosts the
+    Corresponding Source, you remain obligated to ensure that it is
+    available for as long as needed to satisfy these requirements.
+ .
+    e) Convey the object code using peer-to-peer transmission, provided
+    you inform other peers where the object code and Corresponding
+    Source of the work are being offered to the general public at no
+    charge under subsection 6d.
+ .
+ A separable portion of the object code, whose source code is excluded
+ from the Corresponding Source as a System Library, need not be
+ included in conveying the object code work.
+ .
+ A "User Product" is either (1) a "consumer product", which means any
+ tangible personal property which is normally used for personal, family,
+ or household purposes, or (2) anything designed or sold for incorporation
+ into a dwelling.  In determining whether a product is a consumer product,
+ doubtful cases shall be resolved in favor of coverage.  For a particular
+  product received by a particular user, "normally used" refers to a
+ typical or common use of that class of product, regardless of the status
+ of the particular user or of the way in which the particular user
+ actually uses, or expects or is expected to use, the product.  A product
+ is a consumer product regardless of whether the product has substantial
+ commercial, industrial or non-consumer uses, unless such uses represent
+ the only significant mode of use of the product.
+ .
+ "Installation Information" for a User Product means any methods,
+ procedures, authorization keys, or other information required to install
+ and execute modified versions of a covered work in that User Product from
+ a modified version of its Corresponding Source.  The information must
+ suffice to ensure that the continued functioning of the modified object
+ code is in no case prevented or interfered with solely because
+ modification has been made.
+ .
+ If you convey an object code work under this section in, or with, or
+ specifically for use in, a User Product, and the conveying occurs as
+ part of a transaction in which the right of possession and use of the
+ User Product is transferred to the recipient in perpetuity or for a
+ fixed term (regardless of how the transaction is characterized), the
+ Corresponding Source conveyed under this section must be accompanied
+ by the Installation Information.  But this requirement does not apply
+ if neither you nor any third party retains the ability to install
+ modified object code on the User Product (for example, the work has
+ been installed in ROM).
+ .
+ The requirement to provide Installation Information does not include a
+ requirement to continue to provide support service, warranty, or updates
+ for a work that has been modified or installed by the recipient, or for
+ the User Product in which it has been modified or installed.  Access to a
+ network may be denied when the modification itself materially and
+ adversely affects the operation of the network or violates the rules and
+ protocols for communication across the network.
+ .
+ Corresponding Source conveyed, and Installation Information provided,
+ in accord with this section must be in a format that is publicly
+ documented (and with an implementation available to the public in
+ source code form), and must require no special password or key for
+ unpacking, reading or copying.
+ .
+  7. Additional Terms.
+ .
+ "Additional permissions" are terms that supplement the terms of this
+ License by making exceptions from one or more of its conditions.
+ Additional permissions that are applicable to the entire Program shall
+ be treated as though they were included in this License, to the extent
+ that they are valid under applicable law.  If additional permissions
+ apply only to part of the Program, that part may be used separately
+ under those permissions, but the entire Program remains governed by
+ this License without regard to the additional permissions.
+ .
+ When you convey a copy of a covered work, you may at your option
+ remove any additional permissions from that copy, or from any part of
+ it.  (Additional permissions may be written to require their own
+ removal in certain cases when you modify the work.)  You may place
+ additional permissions on material, added by you to a covered work,
+ for which you have or can give appropriate copyright permission.
+ .
+ Notwithstanding any other provision of this License, for material you
+ add to a covered work, you may (if authorized by the copyright holders of
+ that material) supplement the terms of this License with terms:
+ .
+    a) Disclaiming warranty or limiting liability differently from the
+    terms of sections 15 and 16 of this License; or
+ .
+    b) Requiring preservation of specified reasonable legal notices or
+    author attributions in that material or in the Appropriate Legal
+    Notices displayed by works containing it; or
+ .
+    c) Prohibiting misrepresentation of the origin of that material, or
+    requiring that modified versions of such material be marked in
+    reasonable ways as different from the original version; or
+ .
+    d) Limiting the use for publicity purposes of names of licensors or
+    authors of the material; or
+ .
+    e) Declining to grant rights under trademark law for use of some
+    trade names, trademarks, or service marks; or
+ .
+    f) Requiring indemnification of licensors and authors of that
+    material by anyone who conveys the material (or modified versions of
+    it) with contractual assumptions of liability to the recipient, for
+    any liability that these contractual assumptions directly impose on
+    those licensors and authors.
+ .
+ All other non-permissive additional terms are considered "further
+ restrictions" within the meaning of section 10.  If the Program as you
+ received it, or any part of it, contains a notice stating that it is
+ governed by this License along with a term that is a further
+ restriction, you may remove that term.  If a license document contains
+ a further restriction but permits relicensing or conveying under this
+ License, you may add to a covered work material governed by the terms
+ of that license document, provided that the further restriction does
+ not survive such relicensing or conveying.
+ .
+ If you add terms to a covered work in accord with this section, you
+ must place, in the relevant source files, a statement of the
+ additional terms that apply to those files, or a notice indicating
+ where to find the applicable terms.
+ .
+ Additional terms, permissive or non-permissive, may be stated in the
+ form of a separately written license, or stated as exceptions;
+ the above requirements apply either way.
+ .
+  8. Termination.
+ .
+ You may not propagate or modify a covered work except as expressly
+ provided under this License.  Any attempt otherwise to propagate or
+ modify it is void, and will automatically terminate your rights under
+ this License (including any patent licenses granted under the third
+ paragraph of section 11).
+ .
+ However, if you cease all violation of this License, then your
+ license from a particular copyright holder is reinstated (a)
+ provisionally, unless and until the copyright holder explicitly and
+ finally terminates your license, and (b) permanently, if the copyright
+ holder fails to notify you of the violation by some reasonable means
+ prior to 60 days after the cessation.
+ .
+ Moreover, your license from a particular copyright holder is
+ reinstated permanently if the copyright holder notifies you of the
+ violation by some reasonable means, this is the first time you have
+ received notice of violation of this License (for any work) from that
+ copyright holder, and you cure the violation prior to 30 days after
+ your receipt of the notice.
+ .
+ Termination of your rights under this section does not terminate the
+ licenses of parties who have received copies or rights from you under
+ this License.  If your rights have been terminated and not permanently
+ reinstated, you do not qualify to receive new licenses for the same
+ material under section 10.
+ .
+  9. Acceptance Not Required for Having Copies.
+ .
+ You are not required to accept this License in order to receive or
+ run a copy of the Program.  Ancillary propagation of a covered work
+ occurring solely as a consequence of using peer-to-peer transmission
+ to receive a copy likewise does not require acceptance.  However,
+ nothing other than this License grants you permission to propagate or
+ modify any covered work.  These actions infringe copyright if you do
+ not accept this License.  Therefore, by modifying or propagating a
+ covered work, you indicate your acceptance of this License to do so.
+ .
+  10. Automatic Licensing of Downstream Recipients.
+ .
+ Each time you convey a covered work, the recipient automatically
+ receives a license from the original licensors, to run, modify and
+ propagate that work, subject to this License.  You are not responsible
+ for enforcing compliance by third parties with this License.
+ .
+ An "entity transaction" is a transaction transferring control of an
+ organization, or substantially all assets of one, or subdividing an
+ organization, or merging organizations.  If propagation of a covered
+ work results from an entity transaction, each party to that
+ transaction who receives a copy of the work also receives whatever
+ licenses to the work the party's predecessor in interest had or could
+ give under the previous paragraph, plus a right to possession of the
+ Corresponding Source of the work from the predecessor in interest, if
+ the predecessor has it or can get it with reasonable efforts.
+ .
+  You may not impose any further restrictions on the exercise of the
+ rights granted or affirmed under this License.  For example, you may
+ not impose a license fee, royalty, or other charge for exercise of
+ rights granted under this License, and you may not initiate litigation
+ (including a cross-claim or counterclaim in a lawsuit) alleging that
+ any patent claim is infringed by making, using, selling, offering for
+ sale, or importing the Program or any portion of it.
+ .
+  11. Patents.
+ .
+ A "contributor" is a copyright holder who authorizes use under this
+ License of the Program or a work on which the Program is based.  The
+ work thus licensed is called the contributor's "contributor version".
+ .
+ A contributor's "essential patent claims" are all patent claims
+ owned or controlled by the contributor, whether already acquired or
+ hereafter acquired, that would be infringed by some manner, permitted
+ by this License, of making, using, or selling its contributor version,
+ but do not include claims that would be infringed only as a
+ consequence of further modification of the contributor version.  For
+ purposes of this definition, "control" includes the right to grant
+ patent sublicenses in a manner consistent with the requirements of
+ this License.
+ .
+ Each contributor grants you a non-exclusive, worldwide, royalty-free
+ patent license under the contributor's essential patent claims, to
+ make, use, sell, offer for sale, import and otherwise run, modify and
+ propagate the contents of its contributor version.
+ .
+ In the following three paragraphs, a "patent license" is any express
+ agreement or commitment, however denominated, not to enforce a patent
+ (such as an express permission to practice a patent or covenant not to
+ sue for patent infringement).  To "grant" such a patent license to a
+ party means to make such an agreement or commitment not to enforce a
+ patent against the party.
+ .
+ If you convey a covered work, knowingly relying on a patent license,
+ and the Corresponding Source of the work is not available for anyone
+ to copy, free of charge and under the terms of this License, through a
+ publicly available network server or other readily accessible means,
+ then you must either (1) cause the Corresponding Source to be so
+ available, or (2) arrange to deprive yourself of the benefit of the
+ patent license for this particular work, or (3) arrange, in a manner
+ consistent with the requirements of this License, to extend the patent
+ license to downstream recipients.  "Knowingly relying" means you have
+ actual knowledge that, but for the patent license, your conveying the
+ covered work in a country, or your recipient's use of the covered work
+ in a country, would infringe one or more identifiable patents in that
+ country that you have reason to believe are valid.
+ .
+ If, pursuant to or in connection with a single transaction or
+ arrangement, you convey, or propagate by procuring conveyance of, a
+ covered work, and grant a patent license to some of the parties
+ receiving the covered work authorizing them to use, propagate, modify
+ or convey a specific copy of the covered work, then the patent license
+ you grant is automatically extended to all recipients of the covered
+ work and works based on it.
+ .
+ A patent license is "discriminatory" if it does not include within
+ the scope of its coverage, prohibits the exercise of, or is
+ conditioned on the non-exercise of one or more of the rights that are
+ specifically granted under this License.  You may not convey a covered
+ work if you are a party to an arrangement with a third party that is
+ in the business of distributing software, under which you make payment
+ to the third party based on the extent of your activity of conveying
+ the work, and under which the third party grants, to any of the
+ parties who would receive the covered work from you, a discriminatory
+ patent license (a) in connection with copies of the covered work
+ conveyed by you (or copies made from those copies), or (b) primarily
+ for and in connection with specific products or compilations that
+ contain the covered work, unless you entered into that arrangement,
+ or that patent license was granted, prior to 28 March 2007.
+ .
+ Nothing in this License shall be construed as excluding or limiting
+ any implied license or other defenses to infringement that may
+ otherwise be available to you under applicable patent law.
+ .
+  12. No Surrender of Others' Freedom.
+ .
+ If conditions are imposed on you (whether by court order, agreement or
+ otherwise) that contradict the conditions of this License, they do not
+ excuse you from the conditions of this License.  If you cannot convey a
+ covered work so as to satisfy simultaneously your obligations under this
+ License and any other pertinent obligations, then as a consequence you may
+ not convey it at all.  For example, if you agree to terms that obligate you
+ to collect a royalty for further conveying from those to whom you convey
+ the Program, the only way you could satisfy both those terms and this
+ License would be to refrain entirely from conveying the Program.
+ .
+  13. Remote Network Interaction; Use with the GNU General Public License.
+ .
+ Notwithstanding any other provision of this License, if you modify the
+ Program, your modified version must prominently offer all users
+ interacting with it remotely through a computer network (if your version
+ supports such interaction) an opportunity to receive the Corresponding
+ Source of your version by providing access to the Corresponding Source
+ from a network server at no charge, through some standard or customary
+ means of facilitating copying of software.  This Corresponding Source
+ shall include the Corresponding Source for any work covered by version 3
+ of the GNU General Public License that is incorporated pursuant to the
+ following paragraph.
+ .
+ Notwithstanding any other provision of this License, you have
+ permission to link or combine any covered work with a work licensed
+ under version 3 of the GNU General Public License into a single
+ combined work, and to convey the resulting work.  The terms of this
+ License will continue to apply to the part which is the covered work,
+ but the work with which it is combined will remain governed by version
+ 3 of the GNU General Public License.
+ .
+ 14. Revised Versions of this License.
+ .
+ The Free Software Foundation may publish revised and/or new versions of
+ the GNU Affero General Public License from time to time.  Such new versions
+ will be similar in spirit to the present version, but may differ in detail to
+ address new problems or concerns.
+ .
+ Each version is given a distinguishing version number.  If the
+ Program specifies that a certain numbered version of the GNU Affero General
+ Public License "or any later version" applies to it, you have the
+ option of following the terms and conditions either of that numbered
+ version or of any later version published by the Free Software
+ Foundation.  If the Program does not specify a version number of the
+ GNU Affero General Public License, you may choose any version ever published
+ by the Free Software Foundation.
+ .
+ If the Program specifies that a proxy can decide which future
+ versions of the GNU Affero General Public License can be used, that proxy's
+ public statement of acceptance of a version permanently authorizes you
+ to choose that version for the Program.
+ .
+ Later license versions may give you additional or different
+ permissions.  However, no additional obligations are imposed on any
+ author or copyright holder as a result of your choosing to follow a
+ later version.
+ .
+  15. Disclaimer of Warranty.
+ .
+ THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+ APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+ HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+ OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+ THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+ IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
  ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
  .
- 2. Replacement of Section 16.  Section 16 of the GPL shall be deleted in its
- entirety and replaced with the following:
+  16. Limitation of Liability.
  .
- 16. LIMITATION OF LIABILITY.
+ IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+ WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+ THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+ GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+ USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+ DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+ PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+ EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+ SUCH DAMAGES.
  .
- UNDER NO CIRCUMSTANCES SHALL ANY COPYRIGHT HOLDER OR ITS AFFILIATES, OR ANY
- OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE
- LIABLE TO YOU, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, FOR ANY
- DAMAGES OR OTHER LIABILITY, INCLUDING ANY GENERAL, DIRECT, INDIRECT, SPECIAL,
- INCIDENTAL, CONSEQUENTIAL OR PUNITIVE DAMAGES ARISING FROM, OUT OF OR IN
- CONNECTION WITH THE USE OR INABILITY TO USE THE PROGRAM OR OTHER DEALINGS WITH
- THE PROGRAM(INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED
- INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE
- PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), WHETHER OR NOT ANY COPYRIGHT HOLDER
- OR SUCH OTHER PARTY RECEIVES NOTICE OF ANY SUCH DAMAGES AND WHETHER OR NOT SUCH
- DAMAGES COULD HAVE BEEN FORESEEN.
+  17. Interpretation of Sections 15 and 16.
  .
- 3. LEGAL NOTICES; NO TRADEMARK LICENSE; ORIGIN.  You must reproduce faithfully
- all trademark, copyright and other proprietary and legal notices on any copies
- of the Program or any other required author attributions.  This license does not
- grant you rights to use any copyright holder or any other party's name, logo, or
- trademarks.  Neither the name of the copyright holder or its affiliates, or any
- other party who modifies and/or conveys the Program may be used to endorse or
- promote products derived from this software without specific prior written
- permission.  The origin of the Program must not be misrepresented; you must not
- claim that you wrote the original Program.  Altered source versions must be
- plainly marked as such, and must not be misrepresented as being the original
- Program.
+ If the disclaimer of warranty and limitation of liability provided
+ above cannot be given local legal effect according to their terms,
+ reviewing courts shall apply local law that most closely approximates
+ an absolute waiver of all civil liability in connection with the
+ Program, unless a warranty or assumption of liability accompanies a
+ copy of the Program in return for a fee.
  .
- 4. INDEMNIFICATION.  IF YOU CONVEY A COVERED WORK AND AGREE WITH ANY RECIPIENT
- OF THAT COVERED WORK THAT YOU WILL ASSUME ANY LIABILITY FOR THAT COVERED WORK,
- YOU HEREBY AGREE TO INDEMNIFY, DEFEND AND HOLD HARMLESS THE OTHER LICENSORS AND
- AUTHORS OF THAT COVERED WORK FOR ANY DAMAGES, DEMANDS, CLAIMS, LOSSES, CAUSES OF
- ACTION, LAWSUITS, JUDGMENTS EXPENSES (INCLUDING WITHOUT LIMITATION REASONABLE
- ATTORNEYS' FEES AND EXPENSES) OR ANY OTHER LIABILITY ARISING FROM, RELATED TO OR
- IN CONNECTION WITH YOUR ASSUMPTIONS OF LIABILITY.
+                     END OF TERMS AND CONDITIONS
  .
-
-Files: etc/login.defs.security-misc
-Copyright:
- This is Debian GNU/Linux's prepackaged version of the shadow utilities.
+            How to Apply These Terms to Your New Programs
  .
- It was downloaded from: <ftp://ftp.pld.org.pl/software/shadow/>.
- As of May 2007, this site is no longer available.
+ If you develop a new program, and you want it to be of the greatest
+ possible use to the public, the best way to achieve this is to make it
+ free software which everyone can redistribute and change under these terms.
  .
- Copyright:
+ To do so, attach the following notices to the program.  It is safest
+ to attach them to the start of each source file to most effectively
+ state the exclusion of warranty; and each file should have at least
+ the "copyright" line and a pointer to where the full notice is found.
  .
- Parts of this software are copyright 1988 - 1994, Julianne Frances Haugh.
- All rights reserved.
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
  .
- Parts of this software are copyright 1997 - 2001, Marek Michałkiewicz.
- All rights reserved.
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU Affero General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
  .
- Parts of this software are copyright 2001 - 2004, Andrzej Krzysztofowicz
- All rights reserved.
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU Affero General Public License for more details.
  .
- Parts of this software are copyright 2000 - 2007, Tomasz Kłoczko.
- All rights reserved.
-License: shadow-license
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions
- are met:
- 1. Redistributions of source code must retain the above copyright
-    notice, this list of conditions and the following disclaimer.
- 2. Redistributions in binary form must reproduce the above copyright
-    notice, this list of conditions and the following disclaimer in the
-    documentation and/or other materials provided with the distribution.
- 3. Neither the name of Julianne F. Haugh nor the names of its contributors
-    may be used to endorse or promote products derived from this software
-    without specific prior written permission.
+    You should have received a copy of the GNU Affero General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
  .
- THIS SOFTWARE IS PROVIDED BY JULIE HAUGH AND CONTRIBUTORS ``AS IS'' AND
- ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- ARE DISCLAIMED.  IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE
- FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- SUCH DAMAGE.
+ Also add information on how to contact you by electronic and paper mail.
  .
- This source code is currently archived on ftp.uu.net in the
- comp.sources.misc portion of the USENET archives.  You may also contact
- the author, Julianne F. Haugh, at jockgrrl@ix.netcom.com if you have
- any questions regarding this package.
+ If your software can interact with users remotely through a computer
+ network, you should also make sure that it provides a way for users to
+ get its source.  For example, if your program is a web application, its
+ interface could display a "Source" link that leads users to an archive
+ of the code.  There are many ways you could offer source, and different
+ solutions will be better for different programs; see section 13 for the
+ specific requirements.
  .
- THIS SOFTWARE IS BEING DISTRIBUTED AS-IS.  THE AUTHORS DISCLAIM ALL
- LIABILITY FOR ANY CONSEQUENCES OF USE.  THE USER IS SOLELY RESPONSIBLE
- FOR THE MAINTENANCE OF THIS SOFTWARE PACKAGE.  THE AUTHORS ARE UNDER NO
- OBLIGATION TO PROVIDE MODIFICATIONS OR IMPROVEMENTS.  THE USER IS
- ENCOURAGED TO TAKE ANY AND ALL STEPS NEEDED TO PROTECT AGAINST ACCIDENTAL
- LOSS OF INFORMATION OR MACHINE RESOURCES.
- .
- Special thanks are due to Chip Rosenthal for his fine testing efforts;
- to Steve Simmons for his work in porting this code to BSD; and to Bill
- Kennedy for his contributions of LaserJet printer time and energies.
- Also, thanks for Dennis L. Mumaugh for the initial shadow password
- information and to Tony Walton (olapw@olgb1.oliv.co.uk) for the System
- V Release 4 changes.  Effort in porting to SunOS has been contributed
- by Dr. Michael Newberry (miken@cs.adfa.oz.au) and Micheal J. Miller, Jr.
- (mke@kaberd.rain.com).  Effort in porting to AT&T UNIX System V Release
- 4 has been provided by Andrew Herbert (andrew@werple.pub.uu.oz.au).
- Special thanks to Marek Michalkiewicz (marekm@i17linuxb.ists.pwr.wroc.pl)
- for taking over the Linux port of this software.
-
-Files: etc/pam.d/*
-Copyright:
- This package was debianized by J.H.M. Dassen (Ray) jdassen@debian.org on
- Wed, 23 Sep 1998 20:29:32 +0200.
- .
- It was downloaded from ftp://ftp.kernel.org/pub/linux/libs/pam/pre/
- .
- Copyright (C) 1994, 1995, 1996 Olaf Kirch, <okir@monad.swb.de>
- Copyright (C) 1995 Wietse Venema
- Copyright (C) 1995, 2001-2008 Red Hat, Inc.
- Copyright (C) 1996-1999, 2000-2003, 2005 Andrew G. Morgan <morgan@kernel.org>
- Copyright (C) 1996, 1997, 1999 Cristian Gafton <gafton@redhat.com>
- Copyright (C) 1996, 1999 Theodore Ts'o
- Copyright (C) 1996 Alexander O. Yuriev
- Copyright (C) 1996 Elliot Lee
- Copyright (C) 1997 Philip W. Dalrymple <pwd@mdtsoft.com>
- Copyright (C) 1999 Jan Rękorajski
- Copyright (C) 1999 Ben Collins <bcollins@debian.org>
- Copyright (C) 2000-2001, 2003, 2005, 2007 Steve Langasek
- Copyright (C) 2003, 2005 IBM Corporation
- Copyright (C) 2003, 2006 SuSE Linux AG.
- Copyright (C) 2003 Nalin Dahyabhai <nalin@redhat.com>
- Copyright (C) 2005-2008 Thorsten Kukuk <kukuk@thkukuk.de>
- Copyright (C) 2005 Darren Tucker
-License: Linux-PAM-license
- Unless otherwise *explicitly* stated the following text describes the
- licensed conditions under which the contents of this Linux-PAM release
- may be distributed:
- .
- -------------------------------------------------------------------------
- Redistribution and use in source and binary forms of Linux-PAM, with
- or without modification, are permitted provided that the following
- conditions are met:
- .
- 1. Redistributions of source code must retain any existing copyright
-    notice, and this entire permission notice in its entirety,
-    including the disclaimer of warranties.
- .
- 2. Redistributions in binary form must reproduce all prior and current
-    copyright notices, this list of conditions, and the following
-    disclaimer in the documentation and/or other materials provided
-    with the distribution.
- .
- 3. The name of any author may not be used to endorse or promote
-    products derived from this software without their specific prior
-    written permission.
- .
- ALTERNATIVELY, this product may be distributed under the terms of the
- GNU General Public License, in which case the provisions of the GNU
- GPL are required INSTEAD OF the above restrictions.  (This clause is
- necessary due to a potential conflict between the GNU GPL and the
- restrictions contained in a BSD-style copyright.)
- .
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
- WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
- MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- IN NO EVENT SHALL THE AUTHOR(S) BE LIABLE FOR ANY DIRECT, INDIRECT,
- INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
- BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
- OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
- ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
- TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
- USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
- DAMAGE.
- -------------------------------------------------------------------------
- .
- On Debian GNU/Linux systems, the complete text of the GNU General
- Public License can be found in `/usr/share/common-licenses/GPL-1'.
+ You should also get your employer (if you work as a programmer) or school,
+ if any, to sign a "copyright disclaimer" for the program, if necessary.
+ For more information on this, and how to apply and follow the GNU AGPL, see
+ <https://www.gnu.org/licenses/>.

debian/make-helper-overrides.bsh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+## Copyright (C) 2021 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/24
+genmkfile_lintian_post_opts+=" --suppress-tags obsolete-command-in-modprobe.d-file --suppress-tags no-complete-debconf-translation"

debian/po/POTFILES.in

@@ -0,0 +1 @@
+[type: gettext/rfc822deb] security-misc.templates

debian/po/templates.pot

@@ -0,0 +1,36 @@
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
+# This file is distributed under the same license as the security-misc package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: security-misc\n"
+"Report-Msgid-Bugs-To: security-misc@packages.debian.org\n"
+"POT-Creation-Date: 2025-01-14 09:31-0500\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=CHARSET\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: note
+#. Description
+#: ../security-misc.templates:1001
+msgid "Manual intervention may be required for permission-hardener update"
+msgstr ""
+
+#. Type: note
+#. Description
+#: ../security-misc.templates:1001
+msgid ""
+"No need to panic. Nothing is broken. A rare condition has been encountered. "
+"permission-hardener is being updated to fix a minor bug that caused "
+"corruption in the permission-hardener state file. If you installed your own "
+"custom permission-hardener configuration, some manual intervention may be "
+"required. See: https://www.kicksecure.com/wiki/"
+"SUID_Disabler_and_Permission_Hardener#fixing_state_files"
+msgstr ""

debian/rules

@@ -1,6 +1,6 @@
 #!/usr/bin/make -f
 
-## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 #export DH_VERBOSE=1

debian/security-misc.config

@@ -0,0 +1,190 @@
+#!/bin/bash
+
+## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then
+   source /usr/libexec/helper-scripts/pre.bsh
+fi
+
+source /usr/share/debconf/confmodule
+
+set -e
+
+## Not set by DPKG for '.config' script.
+DPKG_MAINTSCRIPT_PACKAGE="security-misc"
+DPKG_MAINTSCRIPT_NAME="config"
+
+true "
+#####################################################################
+## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $*
+#####################################################################
+"
+
+## NOTE: Code duplication.
+## Copied from: helper-scripts /usr/libexec/helper-scripts/package_installed_check.bsh
+##
+## '.config' scripts are run very early. Even 'Pre-Depends: helper-scripts' would be insufficient.
+## Therefore the code is duplicated here.
+pkg_installed() {
+   local package_name dpkg_query_output
+   local requested_action status error_state
+
+   package_name="$1"
+   ## Cannot use '&>' because it is a bashism.
+   dpkg_query_output="$(dpkg-query --show --showformat='${Status}' "$package_name" 2>/dev/null)" || true
+   ## dpkg_query_output Examples:
+   ## install ok half-configured
+   ## install ok installed
+
+   requested_action=$(printf '%s' "$dpkg_query_output" | awk '{print $1}')
+   status=$(printf '%s' "$dpkg_query_output" | awk '{print $2}')
+   error_state=$(printf '%s' "$dpkg_query_output" | awk '{print $3}')
+
+   if [ "$requested_action" = 'install' ]; then
+      true "$0: INFO: $package_name is installed, ok."
+      return 0
+   fi
+
+   true "$0: INFO: $package_name is not installed, ok."
+   return 1
+}
+
+check_migrate_permission_hardener_state() {
+   local pkg_list modified_pkg_data_str custom_hardening_arr config_file
+
+   ## If folder /var/lib/permission-hardener (version 1) does not exist, this migration is unneeded.
+   if [ ! -d '/var/lib/permission-hardener' ]; then
+      return 0
+   fi
+
+   local orig_hardening_arr custom_hardening_arr config_file custom_config_file
+   if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_2" ]; then
+     return 0
+   fi
+   mkdir --parents '/var/lib/security-misc/do_once'
+
+   orig_hardening_arr=(
+      '/usr/lib/permission-hardener.d/25_default_passwd.conf'
+      '/usr/lib/permission-hardener.d/25_default_sudo.conf'
+      '/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf'
+      '/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf'
+      '/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf'
+      '/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf'
+      '/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf'
+      '/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf'
+      '/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf'
+      '/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf'
+      '/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf'
+      '/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf'
+      '/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf'
+      '/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf'
+      '/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf'
+      '/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf'
+      '/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf'
+      '/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf'
+      '/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf'
+      '/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf'
+      '/usr/lib/permission-hardener.d/20_user-sysmaint-split.conf'
+      '/usr/lib/permission-hardener.d/30_ping.conf'
+      '/usr/lib/permission-hardener.d/30_default.conf'
+      '/etc/permission-hardener.d/25_default_passwd.conf'
+      '/etc/permission-hardener.d/25_default_sudo.conf'
+      '/etc/permission-hardener.d/25_default_whitelist_bubblewrap.conf'
+      '/etc/permission-hardener.d/25_default_whitelist_chromium.conf'
+      '/etc/permission-hardener.d/25_default_whitelist_dbus.conf'
+      '/etc/permission-hardener.d/25_default_whitelist_firejail.conf'
+      '/etc/permission-hardener.d/25_default_whitelist_fuse.conf'
+      '/etc/permission-hardener.d/25_default_whitelist_hardened_malloc.conf'
+      '/etc/permission-hardener.d/25_default_whitelist_mount.conf'
+      '/etc/permission-hardener.d/25_default_whitelist_pam.conf'
+      '/etc/permission-hardener.d/25_default_whitelist_passwd.conf'
+      '/etc/permission-hardener.d/25_default_whitelist_policykit.conf'
+      '/etc/permission-hardener.d/25_default_whitelist_postfix.conf'
+      '/etc/permission-hardener.d/25_default_whitelist_qubes.conf'
+      '/etc/permission-hardener.d/25_default_whitelist_selinux.conf'
+      '/etc/permission-hardener.d/25_default_whitelist_spice.conf'
+      '/etc/permission-hardener.d/25_default_whitelist_ssh.conf'
+      '/etc/permission-hardener.d/25_default_whitelist_sudo.conf'
+      '/etc/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf'
+      '/etc/permission-hardener.d/25_default_whitelist_virtualbox.conf'
+      '/etc/permission-hardener.d/20_user-sysmaint-split.conf'
+      '/etc/permission-hardener.d/30_ping.conf'
+      '/etc/permission-hardener.d/30_default.conf'
+   )
+
+   pkg_list=( "security-misc" )
+   if pkg_installed user-sysmaint-split ; then
+      pkg_list+=( "user-sysmaint-split" )
+   fi
+   if pkg_installed anon-apps-config ; then
+      pkg_list+=( "anon-apps-config" )
+   fi
+
+   ## This will exit non-zero if some of the packages don't exist, but we
+   ## don't care. The packages that *are* installed will still be scanned.
+   modified_pkg_data_str="$(dpkg --verify "${pkg_list[@]}")" || true
+
+   ## Example modified_pkg_data_str:
+   #modified_pkg_data_str='missing     /usr/lib/permission-hardener.d/20_user-sysmaint-split.conf'
+
+   readarray -t custom_hardening_arr < <(awk '/permission-hardener.d/{ print $NF }' <<< "${modified_pkg_data_str}")
+
+   ## If the above `dpkg --verify` command doesn't return any permission-hardener
+   ## related lines, the array will contain no meaningful info, just a single
+   ## blank element at the start. Set the array to be explicitly empty in
+   ## this scenario.
+   if [ -z "${custom_hardening_arr[0]}" ]; then
+      custom_hardening_arr=()
+   fi
+
+   for config_file in \
+      /usr/lib/permission-hardener.d/*.conf \
+      /etc/permission-hardener.d/*.conf \
+      /usr/local/etc/permission-hardener.d/*.conf \
+      /etc/permission-hardening.d/*.conf \
+      /usr/local/etc/permission-hardening.d/*.conf
+   do
+      # shellcheck disable=SC2076
+      if ! [[ " ${orig_hardening_arr[*]} " =~ " ${config_file} " ]]; then
+         if [ -f "${config_file}" ]; then
+            custom_hardening_arr+=( "${config_file}" )
+         fi
+      fi
+   done
+
+   if [ "${#custom_hardening_arr[@]}" != '0' ]; then
+      for custom_config_file in "${custom_hardening_arr[@]}"; do
+         if ! test -e "${custom_config_file}" ; then
+            echo "$0: INFO: Possible missing configuration file found: '${custom_config_file}'"
+         else
+            echo "$0: INFO: Possible custom configuration file found: '${custom_config_file}'"
+         fi
+      done
+      ## db_input will return code 30 if the message won't be displayed, which
+      ## causes a non-interactive install to error out if you don't use || true
+      db_input critical security-misc/alert-on-permission-hardener-v2-upgrade || true
+      ## db_go can return code 30 too in some instances, we don't care here
+      # shellcheck disable=SC2119
+      db_go || true
+   fi
+
+   touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_2"
+}
+
+check_migrate_permission_hardener_state
+
+true "INFO: debhelper beginning here."
+
+#DEBHELPER#
+
+true "INFO: Done with debhelper."
+
+true "
+#####################################################################
+## INFO: END  : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $*
+#####################################################################
+"
+
+## Explicitly "exit 0", so eventually trapped errors can be ignored.
+exit 0

debian/security-misc.displace

@@ -1,6 +1,5 @@
-## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
-/etc/login.defs.security-misc
-/etc/pam.d/common-session-noninteractive.security-misc
-/etc/pam.d/common-session.security-misc
+/etc/securetty.security-misc
+/etc/security/faillock.conf.security-misc

debian/security-misc.gconf-defaults

@@ -1,3 +1,6 @@
+## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
 /apps/nautilus/preview_sound never
 /apps/nautilus/show_icon_text never
 /apps/nautilus/show-image-thumbnails never

debian/security-misc.install

@@ -0,0 +1,8 @@
+## Copyright (C) 2020 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## This file was generated using 'genmkfile debinstfile'.
+
+etc/*
+usr/*
+var/*

debian/security-misc.links

@@ -0,0 +1,5 @@
+## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+/etc/profile.d/30_security-misc.sh /etc/zprofile.d/30_security-misc.zsh
+/etc/profile.d/30_security-misc.sh /etc/X11/Xsession.d/30_security-misc

debian/security-misc.maintscript

@@ -0,0 +1,111 @@
+## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+rm_conffile /etc/sudoers.d/umask-security-misc
+
+## https://forums.whonix.org/t/sysrq-magic-sysrq-key/8079
+rm_conffile /etc/sysctl.d/sysrq.conf
+
+## https://github.com/Whonix/security-misc/pull/45
+rm_conffile /etc/apparmor.d/usr.lib.security-misc.pam_tally2-info
+rm_conffile /etc/apparmor.d/usr.lib.security-misc.permission-lockdown
+
+## merged into 3 files /usr/lib/sysctl.d/30_security-misc_kexec-disable.conf, /usr/lib/sysctl.d/30_silent-kernel-printk.conf, and /usr/lib/sysctl.d/990-security-misc.conf
+rm_conffile /etc/sysctl.d/fs_protected.conf
+rm_conffile /etc/sysctl.d/kptr_restrict.conf
+rm_conffile /etc/sysctl.d/suid_dumpable.conf
+rm_conffile /etc/sysctl.d/harden_bpf.conf
+rm_conffile /etc/sysctl.d/ptrace_scope.conf
+rm_conffile /etc/sysctl.d/tcp_timestamps.conf
+rm_conffile /etc/sysctl.d/mmap_aslr.conf
+rm_conffile /etc/sysctl.d/dmesg_restrict.conf
+rm_conffile /etc/sysctl.d/coredumps.conf
+rm_conffile /etc/sysctl.d/kexec.conf
+rm_conffile /etc/sysctl.d/tcp_hardening.conf
+rm_conffile /etc/sysctl.d/tcp_sack.conf
+
+## merged into 3 files /etc/modprobe.d/30_security-misc_blacklist.conf, 30_security-misc_conntrack.conf, and /etc/modprobe.d/30_security-misc_disable.conf
+rm_conffile /etc/modprobe.d/uncommon-network-protocols.conf
+rm_conffile /etc/modprobe.d/blacklist-bluetooth.conf
+rm_conffile /etc/modprobe.d/vivid.conf
+rm_conffile /etc/modprobe.d/blacklist-dma.conf
+rm_conffile /etc/modprobe.d/msr.conf
+rm_conffile /etc/modprobe.d/30_nf_conntrack_helper_disable.conf
+rm_conffile /etc/modprobe.d/30_security-misc.conf
+
+## renamed to /etc/security/limits.d/30_security-misc.conf
+rm_conffile /etc/security/limits.d/disable-coredumps.conf
+
+## moved to separate package ram-wipe
+rm_conffile /etc/default/grub.d/40_cold_boot_attack_defense.cfg
+
+rm_conffile /etc/X11/Xsession.d/50panic_on_oops
+rm_conffile /etc/X11/Xsession.d/50security-misc
+
+## moved to /usr/lib/sysctl.d
+rm_conffile /etc/sysctl.d/30_security-misc.conf
+rm_conffile /etc/sysctl.d/30_silent-kernel-printk.conf
+rm_conffile /etc/sysctl.d/30_security-misc_kexec-disable.conf
+
+## moved to /etc/permission-hardener.d
+rm_conffile /etc/permission-hardening.d/25_default_passwd.conf
+rm_conffile /etc/permission-hardening.d/25_default_sudo.conf
+rm_conffile /etc/permission-hardening.d/25_default_whitelist_bubblewrap.conf
+rm_conffile /etc/permission-hardening.d/25_default_whitelist_chromium.conf
+rm_conffile /etc/permission-hardening.d/25_default_whitelist_dbus.conf
+rm_conffile /etc/permission-hardening.d/25_default_whitelist_firejail.conf
+rm_conffile /etc/permission-hardening.d/25_default_whitelist_fuse.conf
+rm_conffile /etc/permission-hardening.d/25_default_whitelist_hardened_malloc.conf
+rm_conffile /etc/permission-hardening.d/25_default_whitelist_mount.conf
+rm_conffile /etc/permission-hardening.d/25_default_whitelist_pam.conf
+rm_conffile /etc/permission-hardening.d/25_default_whitelist_policykit.conf
+rm_conffile /etc/permission-hardening.d/25_default_whitelist_qubes.conf
+rm_conffile /etc/permission-hardening.d/25_default_whitelist_selinux.conf
+rm_conffile /etc/permission-hardening.d/25_default_whitelist_spice.conf
+rm_conffile /etc/permission-hardening.d/25_default_whitelist_ssh.conf
+rm_conffile /etc/permission-hardening.d/25_default_whitelist_sudo.conf
+rm_conffile /etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf
+rm_conffile /etc/permission-hardening.d/25_default_whitelist_virtualbox.conf
+rm_conffile /etc/permission-hardening.d/30_default.conf
+
+## moved to /usr/lib/permission-hardener.d
+rm_conffile /etc/permission-hardener.d/25_default_passwd.conf
+rm_conffile /etc/permission-hardener.d/25_default_sudo.conf
+rm_conffile /etc/permission-hardener.d/25_default_whitelist_bubblewrap.conf
+rm_conffile /etc/permission-hardener.d/25_default_whitelist_chromium.conf
+rm_conffile /etc/permission-hardener.d/25_default_whitelist_dbus.conf
+rm_conffile /etc/permission-hardener.d/25_default_whitelist_firejail.conf
+rm_conffile /etc/permission-hardener.d/25_default_whitelist_fuse.conf
+rm_conffile /etc/permission-hardener.d/25_default_whitelist_hardened_malloc.conf
+rm_conffile /etc/permission-hardener.d/25_default_whitelist_mount.conf
+rm_conffile /etc/permission-hardener.d/25_default_whitelist_pam.conf
+rm_conffile /etc/permission-hardener.d/25_default_whitelist_policykit.conf
+rm_conffile /etc/permission-hardener.d/25_default_whitelist_postfix.conf
+rm_conffile /etc/permission-hardener.d/25_default_whitelist_qubes.conf
+rm_conffile /etc/permission-hardener.d/25_default_whitelist_selinux.conf
+rm_conffile /etc/permission-hardener.d/25_default_whitelist_spice.conf
+rm_conffile /etc/permission-hardener.d/25_default_whitelist_ssh.conf
+rm_conffile /etc/permission-hardener.d/25_default_whitelist_sudo.conf
+rm_conffile /etc/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf
+rm_conffile /etc/permission-hardener.d/25_default_whitelist_virtualbox.conf
+rm_conffile /etc/permission-hardener.d/30_default.conf
+
+## merged into 1 file /etc/default/grub.d/40_kernel_hardening.cfg
+rm_conffile /etc/default/grub.d/40_distrust_bootloader.cfg
+rm_conffile /etc/default/grub.d/40_distrust_cpu.cfg
+rm_conffile /etc/default/grub.d/40_enable_iommu.cfg
+
+## renamed to /etc/default/grub.d/40_remount_secure.cfg
+rm_conffile /etc/default/grub.d/40_remmount-secure.cfg
+
+## renamed to /etc/default/grub.d/40_signed_modules.cfg
+rm_conffile /etc/default/grub.d/40_only_allow_signed_modules.cfg
+
+## renamed to /etc/default/grub.d/41_quiet_boot.cfg
+rm_conffile /etc/default/grub.d/41_quiet.cfg
+
+## moved to usability-misc
+rm_conffile /etc/dkms/framework.conf.d/30_security-misc.conf
+
+## renamed to reflect the fact that this uses a whitelist
+rm_conffile /usr/lib/permission-hardener.d/25_default_passwd.conf

debian/security-misc.postinst

@@ -1,44 +1,132 @@
 #!/bin/bash
 
-## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
-if [ -f /usr/lib/helper-scripts/pre.bsh ]; then
-   source /usr/lib/helper-scripts/pre.bsh
+if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then
+   source /usr/libexec/helper-scripts/pre.bsh
 fi
 
+## Required since this package uses debconf - this is mandatory even though
+## the postinst itself does not use debconf commands.
+source /usr/share/debconf/confmodule
+
 set -e
 
 true "
 #####################################################################
-## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@
+## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $*
 #####################################################################
 "
 
+permission_hardening_legacy_config_folder() {
+    if ! test -d /etc/permission-hardening.d ; then
+        return 0
+    fi
+    rmdir --verbose --ignore-fail-on-non-empty /etc/permission-hardening.d || true
+}
+
+permission_hardening() {
+    echo "Running SUID Disabler and Permission Hardener... See also:"
+    echo "https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener"
+    echo "$0: INFO: running: permission-hardener enable"
+    if ! permission-hardener enable ; then
+        echo "$0: ERROR: Permission hardening failed." >&2
+        return 0
+    fi
+    echo "$0: INFO: Permission hardening success."
+}
+
+migrate_permission_hardener_state() {
+   local existing_mode_dir new_mode_dir dpkg_statoverride_list
+   ## If folder /var/lib/permission-hardener (version 1) does not exist, this migration is unneeded.
+   if [ ! -d '/var/lib/permission-hardener' ]; then
+      return 0
+   fi
+
+   if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_2" ]; then
+     return 0
+   fi
+   mkdir --parents '/var/lib/security-misc/do_once'
+
+   existing_mode_dir='/var/lib/permission-hardener-v2/existing_mode'
+   new_mode_dir='/var/lib/permission-hardener-v2/new_mode'
+
+   mkdir --parents "${existing_mode_dir}";
+   mkdir --parents "${new_mode_dir}";
+
+   cp --verbose '/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded' "${existing_mode_dir}/statoverride"
+   cp --verbose '/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded' "${new_mode_dir}/statoverride"
+
+   dpkg_statoverride_list="$(dpkg-statoverride --admindir "${new_mode_dir}" --list)"
+
+   if [ "$(stat --format '%G' /usr/bin/sudo)" = 'sysmaint' ]; then
+      if ! [[ "${dpkg_statoverride_list}" =~ '/usr/bin/sudo' ]]; then
+         dpkg-statoverride --admindir "${new_mode_dir}" --add 'root' 'sysmaint' '4750' '/usr/bin/sudo'
+      fi
+   fi
+   if [ "$(stat --format '%G' /usr/bin/pkexec)" = 'sysmaint' ]; then
+      if ! [[ "${dpkg_statoverride_list}" =~ '/usr/bin/pkexec' ]]; then
+         dpkg-statoverride --admindir "${new_mode_dir}" --add 'root' 'sysmaint' '4750' '/usr/bin/pkexec'
+      fi
+   fi
+
+   touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_2"
+}
+
 case "$1" in
     configure)
+        if [ -d /etc/skel/.gnupg ]; then
+            ## Lintian warns against use of chmod --recursive.
+            chmod 700 /etc/skel/.gnupg
+        fi
+
+        ## /usr/share/glib-2.0/schemas/30_security-misc.gschema.override
         glib-compile-schemas /usr/share/glib-2.0/schemas || true
+
+        ## state dir for faillock
+        mkdir -p /var/lib/security-misc/faillock
+
+        ## migrate permission_hardener state to v2 if applicable
+        migrate_permission_hardener_state
     ;;
 
     abort-upgrade|abort-remove|abort-deconfigure)
     ;;
 
+    triggered)
+      echo "INFO: triggered $DPKG_MAINTSCRIPT_PACKAGE: '$DPKG_MAINTSCRIPT_PACKAGE' $DPKG_MAINTSCRIPT_PACKAGE DPKG_MAINTSCRIPT_NAME: '$DPKG_MAINTSCRIPT_NAME' $\*: '$*' 2: '$2'"
+      /usr/share/security-misc/lkrg/lkrg-virtualbox || true
+      /usr/libexec/security-misc/mmap-rnd-bits || true
+      permission_hardening
+      exit 0
+    ;;
+
     *)
         echo "$DPKG_MAINTSCRIPT_NAME called with unknown argument \`$1'" >&2
         exit 1
     ;;
 esac
 
-[ -n "$DEBIAN_FRONTEND" ] || DEBIAN_FRONTEND="noninteractive"
-[ -n "$DEBIAN_PRIORITY" ] || DEBIAN_PRIORITY="critical"
-[ -n "$DEBCONF_NOWARNINGS" ] || DEBCONF_NOWARNINGS="yes"
-[ -n "$APT_LISTCHANGES_FRONTEND" ] || APT_LISTCHANGES_FRONTEND="text"
-export POLICYRCD DEBIAN_FRONTEND DEBIAN_PRIORITY DEBCONF_NOWARNINGS APT_LISTCHANGES_FRONTEND
+pam-auth-update --package
 
-## Jul 07 20:35:39 host sudo[16090]: PAM unable to dlopen(pam_cgfs.so): /lib/security/pam_cgfs.so: cannot open shared object file: No such file or directory
-## Jul 07 20:35:39 host sudo[16090]: PAM adding faulty module: pam_cgfs.so
-## --package hangs in Qubes updater since it starts whiptail for interactive dpkg configuration dialog.
-pam-auth-update --force
+/usr/libexec/security-misc/permission-lockdown
+
+permission_hardening
+
+## https://phabricator.whonix.org/T377
+## Debian has no update-grub trigger yet:
+## https://bugs.debian.org/481542
+if command -v update-grub >/dev/null 2>&1; then
+   update-grub || \
+      echo "$DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME ERROR: Running \
+'update-grub' failed with exit code $?. $DPKG_MAINTSCRIPT_PACKAGE is most \
+likely only the trigger, not the cause. Unless you know this is not an issue, \
+you should fix running 'update-grub', otherwise your system might no longer \
+boot." >&2
+fi
+
+/usr/libexec/security-misc/mmap-rnd-bits || true
 
 true "INFO: debhelper beginning here."
 
@@ -46,9 +134,11 @@ true "INFO: debhelper beginning here."
 
 true "INFO: Done with debhelper."
 
+permission_hardening_legacy_config_folder
+
 true "
 #####################################################################
-## INFO: END  : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@
+## INFO: END  : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $*
 #####################################################################
 "
 

debian/security-misc.postrm

@@ -0,0 +1,36 @@
+#!/bin/bash
+
+## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then
+   source /usr/libexec/helper-scripts/pre.bsh
+fi
+
+set -e
+
+true "
+#####################################################################
+## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@
+#####################################################################
+"
+
+## https://forums.whonix.org/t/is-security-misc-suitable-for-hardening-bridges-and-relays/8299/11
+pam-auth-update --package --remove "$DPKG_MAINTSCRIPT_PACKAGE"
+
+rm -f /etc/sysctl.d/30_security-misc_aslr-mmap.conf
+
+true "INFO: debhelper beginning here."
+
+#DEBHELPER#
+
+true "INFO: Done with debhelper."
+
+true "
+#####################################################################
+## INFO: END  : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@
+#####################################################################
+"
+
+## Explicitly "exit 0", so eventually trapped errors can be ignored.
+exit 0

debian/security-misc.preinst

@@ -0,0 +1,249 @@
+#!/bin/bash
+
+## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then
+   source /usr/libexec/helper-scripts/pre.bsh
+fi
+
+set -e
+
+true "
+#####################################################################
+## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@
+#####################################################################
+"
+
+user_groups_modifications() {
+   ## /usr/libexec/security-misc/hide-hardware-info
+   addgroup --system sysfs
+   addgroup --system cpuinfo
+
+   ## /usr/lib/systemd/system/proc-hidepid.service
+   addgroup --system proc
+
+   ## group 'sudo' membership required to use 'su'
+   ## /usr/share/pam-configs/wheel-security-misc
+   adduser root sudo
+
+   ## Useful to create groups in preinst rather than postinst.
+   ## Otherwise if a user saw an error message such as this:
+   ##
+   ## /var/lib/ dpkg/tmp.ci/preinst: ERROR: No user is a member of group 'console'. Installation aborted.
+   ## /var/lib/ dpkg/tmp.ci/preinst: ERROR: You probably want to run:
+   ## sudo adduser user console
+   ##
+   ## Then the user could not run 'sudo adduser user console' but also would
+   ## have to create the groups himself.
+
+   ## Related to Console Lockdown.
+   ## /usr/share/pam-configs/console-lockdown-security-misc
+   ## /etc/security/access-security-misc.conf
+   addgroup --system console
+   addgroup --system console-unrestricted
+   ## This has no effect since by default this package also ships and an
+   ## /etc/securetty configuration file that contains nothing but comments, i.e.
+   ## an "empty" /etc/securetty.
+   ## In case a system administrator edits /etc/securetty, there is no need to
+   ## block for this to be still blocked by console lockdown. See also:
+   ## https://www.kicksecure.com/wiki/Root#Root_Login
+   adduser root console
+}
+
+output_skip_checks() {
+   echo "security-misc '$0' INFO: Allow installation of security-misc anyway." >&2
+   echo "security-misc '$0' INFO: (technical reason: $@)" >&2
+   echo "security-misc '$0' INFO: If this is a chroot this is probably OK." >&2
+   echo "security-misc '$0' INFO: Otherwise you might not be able to login." >&2
+}
+
+sudo_users_check () {
+   if command -v "qubesdb-read" &>/dev/null; then
+      ## Qubes users can use dom0 to get a root terminal emulator.
+      ## For example:
+      ## qvm-run -u root debian-10 xterm
+      return 0
+   fi
+
+   local sudo_users user_with_sudo are_there_any_sudo_users OLD_IFS
+
+   sudo_users="$(getent group sudo | cut -d: -f4)"
+   ## example sudo_users:
+   ## user,root
+
+   OLD_IFS="$IFS"
+   IFS=","
+   export IFS
+
+   for user_with_sudo in $sudo_users ; do
+      if [ "$user_with_sudo" = "root" ]; then
+         ## root login is also restricted.
+         ## Therefore user "root" being member of group "sudo" is
+         ## considered insufficient.
+         continue
+      fi
+      are_there_any_sudo_users=yes
+      break
+   done
+
+   IFS="$OLD_IFS"
+   export IFS
+
+   if [ "$are_there_any_sudo_users" = "yes" ]; then
+      return 0
+   fi
+
+   ## Prevent users from locking themselves out.
+   ## https://forums.whonix.org/t/is-security-misc-suitable-for-hardening-bridges-and-relays/8299/4
+   echo "$0: ERROR: No user is a member of group 'sudo'. Installation aborted." >&2
+   echo "$0: ERROR: You probably want to run:" >&2
+   echo "$0: NOTE: Replace user 'user' with your actual Linux user account name." >&2
+   echo "" >&2
+   echo "sudo adduser user sudo" >&2
+   echo "sudo adduser user console" >&2
+   echo "" >&2
+   echo "$0: ERROR: See also installation instructions:" >&2
+   echo "https://www.kicksecure.com/wiki/security-misc#install" >&2
+
+   if [ "$SECURITY_MISC_INSTALL" = "force" ]; then
+      output_skip_checks "Environment variable SECURITY_MISC_INSTALL is set to 'force'."
+      return 0
+   fi
+   if test -f "/var/lib/security-misc/skip_install_check" ; then
+      output_skip_checks "File '/var/lib/security-misc/skip_install_check' exists."
+      return 0
+   fi
+
+   exit 200
+}
+
+console_users_check() {
+   if [ "$SECURITY_MISC_INSTALL" = "force" ]; then
+      return 0
+   fi
+   if test -f "/var/lib/security-misc/skip_install_check" ; then
+      return 0
+   fi
+   if command -v "qubesdb-read" &>/dev/null; then
+      ## Qubes users can use dom0 to get a root terminal emulator.
+      ## For example:
+      ## qvm-run -u root debian-10 xterm
+      return 0
+   fi
+
+   local console_users console_unrestricted_users user_with_console are_there_any_console_users OLD_IFS
+
+   console_users="$(getent group console | cut -d: -f4)"
+   ## example console_users:
+   ## user
+   console_unrestricted_users="$(getent group console-unrestricted | cut -d: -f4)"
+
+   OLD_IFS="$IFS"
+   IFS=","
+   export IFS
+
+   for user_with_console in $console_users $console_unrestricted_users ; do
+      if [ "$user_with_console" = "root" ]; then
+         ## root login is also restricted.
+         ## Therefore user "root" being member of group "console" is
+         ## considered insufficient.
+         continue
+      fi
+      are_there_any_console_users=yes
+      break
+   done
+
+   IFS="$OLD_IFS"
+   export IFS
+
+   ## Prevent users from locking themselves out.
+   ## https://forums.whonix.org/t/is-security-misc-suitable-for-hardening-bridges-and-relays/8299/4
+   if [ "$are_there_any_console_users" = "yes" ]; then
+      return 0
+   fi
+
+   echo "$0: ERROR: No user is a member of group 'console'. Installation aborted." >&2
+   echo "$0: ERROR: You probably want to run:" >&2
+   echo "" >&2
+   echo "sudo adduser user console" >&2
+   echo "" >&2
+   echo "$0: ERROR: See also installation instructions:" >&2
+   echo "https://www.whonix.org/wiki/security-misc#install" >&2
+
+   if [ "$SECURITY_MISC_INSTALL" = "force" ]; then
+      output_skip_checks "Environment variable SECURITY_MISC_INSTALL is set to 'force'."
+      return 0
+   fi
+   if test -f "/var/lib/security-misc/skip_install_check" ; then
+      output_skip_checks "File '/var/lib/security-misc/skip_install_check' exists."
+      return 0
+   fi
+
+   exit 201
+}
+
+legacy() {
+   if [ -f "/var/lib/legacy/do_once/${FUNCNAME}_version_1" ]; then
+      return 0
+   fi
+
+   local continue_yes user_to_be_created
+
+   if [ -f "/usr/share/whonix/marker" ]; then
+      continue_yes=true
+   fi
+   if [ -f "/usr/share/kicksecure/marker" ]; then
+      continue_yes=true
+   fi
+
+   if [ ! "$continue_yes" = "true" ]; then
+      return 0
+   fi
+
+   if command -v "qubesdb-read" &>/dev/null; then
+      ## Qubes users can use dom0 to get a root terminal emulator.
+      ## For example:
+      ## qvm-run -u root debian-10 xterm
+      return 0
+   fi
+
+   ## https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/7
+
+   user_to_be_created=user
+
+   if ! id "$user_to_be_created" &>/dev/null ; then
+      true "INFO: user '$user_to_be_created' does not exist. Skipping adduser console and pam-auth-update."
+      return 0
+   fi
+
+   adduser "$user_to_be_created" console
+
+   pam-auth-update --enable console-lockdown-security-misc
+
+   mkdir --parents "/var/lib/legacy/do_once"
+   touch "/var/lib/legacy/do_once/${FUNCNAME}_version_1"
+}
+
+user_groups_modifications
+legacy
+
+if [ "$1" = "install" ] || [ "$1" = "upgrade" ]; then
+   sudo_users_check
+   console_users_check
+fi
+
+true "INFO: debhelper beginning here."
+
+#DEBHELPER#
+
+true "INFO: Done with debhelper."
+
+true "
+#####################################################################
+## INFO: END  : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@
+#####################################################################
+"
+
+## Explicitly "exit 0", so eventually trapped errors can be ignored.
+exit 0

debian/security-misc.prerm

@@ -1,10 +1,10 @@
 #!/bin/bash
 
-## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
-if [ -f /usr/lib/helper-scripts/pre.bsh ]; then
-   source /usr/lib/helper-scripts/pre.bsh
+if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then
+   source /usr/libexec/helper-scripts/pre.bsh
 fi
 
 set -e
@@ -15,30 +15,9 @@ true "
 #####################################################################
 "
 
-[ -n "$DEBIAN_FRONTEND" ] || DEBIAN_FRONTEND="noninteractive"
-[ -n "$DEBIAN_PRIORITY" ] || DEBIAN_PRIORITY="critical"
-[ -n "$DEBCONF_NOWARNINGS" ] || DEBCONF_NOWARNINGS="yes"
-[ -n "$APT_LISTCHANGES_FRONTEND" ] || APT_LISTCHANGES_FRONTEND="text"
-export POLICYRCD DEBIAN_FRONTEND DEBIAN_PRIORITY DEBCONF_NOWARNINGS APT_LISTCHANGES_FRONTEND
-
-## pam-auth-update is usually used in postinst and prerm.
-## Added extra space after /var to avoid lintian false positive warning.
-#grep -r -l pam-auth-update /var /lib/dpkg/info
-# /var /lib/dpkg/info/libpam-runtime.postinst
-# /var /lib/dpkg/info/libpam-runtime.prerm
-# /var /lib/dpkg/info/libpam-cap:amd64.postinst
-# /var /lib/dpkg/info/libpam-cap:amd64.prerm
-# /var /lib/dpkg/info/libpam-systemd:amd64.postinst
-# /var /lib/dpkg/info/libpam-systemd:amd64.prerm
-# /var /lib/dpkg/info/libpam-cgfs.postinst
-# /var /lib/dpkg/info/libpam-cgfs.prerm
-# /var /lib/dpkg/info/libpam-gnome-keyring:amd64.postinst
-# /var /lib/dpkg/info/libpam-gnome-keyring:amd64.prerm
-
-## Jul 07 20:35:39 host sudo[16090]: PAM unable to dlopen(pam_cgfs.so): /lib/security/pam_cgfs.so: cannot open shared object file: No such file or directory
-## Jul 07 20:35:39 host sudo[16090]: PAM adding faulty module: pam_cgfs.so
-## --package hangs in Qubes updater since it starts whiptail for interactive dpkg configuration dialog.
-pam-auth-update --force
+if [ "$1" = remove ]; then
+   pam-auth-update --package --remove "$DPKG_MAINTSCRIPT_PACKAGE"
+fi
 
 true "INFO: debhelper beginning here."
 

debian/security-misc.templates

@@ -0,0 +1,9 @@
+Template: security-misc/alert-on-permission-hardener-v2-upgrade
+Type: note
+_Description: Manual intervention may be required for permission-hardener update
+ No need to panic. Nothing is broken. A rare condition has been encountered.
+ permission-hardener is being updated to fix a minor bug that caused
+ corruption in the permission-hardener state file. If you installed your own
+ custom permission-hardener configuration, some manual intervention may be
+ required. See:
+ https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#fixing_state_files

debian/security-misc.triggers

@@ -0,0 +1,16 @@
+## Copyright (C) 2024 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## use noawait
+## https://github.com/Kicksecure/security-misc/issues/196
+
+## Trigger permission hardener when new binaries are being installed.
+interest-noawait /usr
+interest-noawait /opt
+
+## Trigger permission hardener when new configuration files are being installed.
+interest-noawait /usr/lib/permission-hardener.d
+interest-noawait /etc/permission-hardener.d
+interest-noawait /usr/local/etc/permission-hardener.d
+interest-noawait /etc/permission-hardening.d
+interest-noawait /usr/local/etc/permission-hardening.d

debian/security-misc.undisplace

@@ -0,0 +1,6 @@
+## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+/etc/login.defs.security-misc
+/usr/bin/pkexec.security-misc
+/etc/dkms/framework.conf.security-misc

debian/source/lintian-overrides

@@ -1,2 +1,2 @@
 ## https://phabricator.whonix.org/T277
-debian-watch-does-not-check-gpg-signature
+debian-watch-does-not-check-openpgp-signature

debian/watch

@@ -1,4 +1,4 @@
-## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 version=4

etc/X11/Xsession.d/50panic_on_oops

@@ -1,8 +0,0 @@
-#!/bin/sh
-
-## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
-## See the file COPYING for copying conditions.
-
-if [ -x /usr/lib/security-misc/panic-on-oops ]; then
-   sudo --non-interactive /usr/lib/security-misc/panic-on-oops
-fi

etc/X11/Xsession.d/50security-misc

@@ -1,7 +0,0 @@
-## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
-## See the file COPYING for copying conditions.
-
-if [ -z "$XDG_CONFIG_DIRS" ]; then
-   XDG_CONFIG_DIRS=/etc/xdg
-fi
-export XDG_CONFIG_DIRS=/usr/share/security-misc/:$XDG_CONFIG_DIRS

etc/apparmor.d/tunables/home.d/security-misc

@@ -1,7 +1,7 @@
-## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
-alias /etc/pam.d/common-session -> /etc/pam.d//etc/pam.d/common-session.security-misc,
+alias /etc/pam.d/common-session -> /etc/pam.d/common-session.security-misc,
 alias /etc/pam.d/common-session-noninteractive -> /etc/pam.d/common-session-noninteractive.security-misc,
 alias /etc/login.defs -> /etc/login.defs.security-misc,
-
+alias /etc/securetty -> /etc/securetty.security-misc,

etc/apt/apt.conf.d/40error-on-any

@@ -0,0 +1,9 @@
+## Copyright (C) 2021 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Make "sudo apt-get update" exit non-zero for transient failures.
+## Same as "apt-get --error-on=any".
+## https://forums.whonix.org/t/debian-bullseye-apt-get-error-on-any/12068
+## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=594813
+## https://salsa.debian.org/apt-team/apt/-/commit/c7123bea6a8dc2c9e327ce41ddfc25e29f1bb145
+APT::Update::Error-Mode any;

etc/apt/apt.conf.d/40sandbox

@@ -1,4 +1,4 @@
-## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
 ## https://forums.whonix.org/t/apt-seccomp-bpf-sandboxing/7702

etc/bluetooth/30_security-misc.conf

@@ -0,0 +1,33 @@
+## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+[General]
+# How long to stay in pairable mode before going back to non-discoverable
+# The value is in seconds. Default is 0.
+# 0 = disable timer, i.e. stay pairable forever
+PairableTimeout = 30
+
+# How long to stay in discoverable mode before going back to non-discoverable
+# The value is in seconds. Default is 180, i.e. 3 minutes.
+# 0 = disable timer, i.e. stay discoverable forever
+DiscoverableTimeout = 30
+
+# Maximum number of controllers allowed to be exposed to the system.
+# Default=0 (unlimited)
+MaxControllers=1
+
+# How long to keep temporary devices around
+# The value is in seconds. Default is 30.
+# 0 = disable timer, i.e. never keep temporary devices
+TemporaryTimeout = 0
+
+[Policy]
+# AutoEnable defines option to enable all controllers when they are found.
+# This includes adapters present on start as well as adapters that are plugged
+# in later on. Defaults to 'true'.
+AutoEnable=false
+
+# network/on: A device will only accept advertising packets from peer
+# devices that contain private addresses. It may not be compatible with some
+# legacy devices since it requires the use of RPA(s) all the time.
+Privacy=network/on

etc/default/grub.d/40_cpu_mitigations.cfg

@@ -0,0 +1,188 @@
+## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Definitions:
+## KSPP=yes: compliant with recommendations by the KSPP
+## KSPP=partial: partially compliant with recommendations by the KSPP
+## KSPP=no: not (currently) compliant with recommendations by the KSPP
+## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP.
+
+## Enable known mitigations for CPU vulnerabilities.
+## Note, the mitigations for SSB and Retbleed are not currently mentioned in the first link.
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html
+## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
+## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647
+
+## Check for potential updates directly from AMD and Intel.
+## https://www.amd.com/en/resources/product-security.html
+## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/advisory-guidance.html
+## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/disclosure-documentation.html
+
+## Tabular comparison between the utility and functionality of various mitigations.
+## https://forums.whonix.org/t/kernel-hardening-security-misc/7296/587
+
+## For complete protection, users must install the latest relevant security microcode update.
+## BIOS/UEFI updates should only be obtained directly from OEMs and/or motherboard manufacturers.
+## Note that incorrectly performing system BIOS/UEFI updates can potentially lead to serious functionality issues.
+## The parameters below only provide (partial) protection at both the kernel and user space level.
+
+## If using Secure Boot, users must also ensure the Secure Boot Forbidden Signature Database (DBX) is up to date.
+## The UEFI Revocation List contains signatures of now revoked firmware and software used in booting systems.
+## If using compatible hardware, the database can be updated directly in user space using fwupd.
+## Note that incorrectly performing DBX updates can potentially lead to serious functionality issues.
+## https://uefi.org/revocationlistfile
+## https://github.com/fwupd/fwupd
+
+## Enable a subset of known mitigations for some CPU vulnerabilities and disable SMT.
+##
+## KSPP=yes
+## KSPP sets the kernel parameters.
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt"
+
+## Disable SMT as it has been the cause of and amplified numerous CPU exploits.
+## The only full mitigation of cross-HT attacks is to disable SMT.
+## Disabling will significantly decrease system performance on multi-threaded tasks.
+## Note, this setting will prevent re-enabling SMT via the sysfs interface.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html
+## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17
+## https://github.com/anthraxx/linux-hardened/issues/37#issuecomment-619597365
+##
+## KSPP=yes
+## KSPP sets the kernel parameter.
+##
+## To re-enable SMT:
+## - Remove "nosmt=force".
+## - Remove all occurrences of ",nosmt" in this file (note the comma ",").
+## - Downgrade "l1tf=full,force" protection to "l1tf=flush".
+## - Regenerate the dracut initramfs and then reboot system.
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force"
+
+## Spectre Side Channels (BTI and BHI):
+## Unconditionally enable mitigation for Spectre Variant 2 (branch target injection).
+## Enable mitigation for the Intel branch history injection vulnerability.
+## Currently affects both AMD and Intel CPUs.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on"
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_bhi=on"
+
+## Speculative Store Bypass (SSB):
+## Mitigate Spectre Variant 4 by disabling speculative store bypass system-wide.
+## Unconditionally enable the mitigation for both kernel and userspace.
+## Currently affects both AMD and Intel CPUs.
+##
+## https://en.wikipedia.org/wiki/Speculative_Store_Bypass
+## https://www.suse.com/support/kb/doc/?id=000019189
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on"
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ssbd=force-on"
+
+## L1 Terminal Fault (L1TF):
+## Mitigate the vulnerability by disabling L1D flush runtime control and SMT.
+## If L1D flushing is conditional, mitigate the vulnerability for certain KVM hypervisor configurations.
+## Currently affects Intel CPUs.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1tf=full,force"
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm-intel.vmentry_l1d_flush=always"
+
+## Microarchitectural Data Sampling (MDS):
+## Mitigate the vulnerability by clearing the CPU buffer cache and disabling SMT.
+## Currently affects Intel CPUs.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt"
+
+## TSX Asynchronous Abort (TAA):
+## Mitigate the vulnerability by disabling TSX.
+## If TSX is enabled, clear CPU buffer rings on transitions and disable SMT.
+## Currently affects Intel CPUs.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off"
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx_async_abort=full,nosmt"
+
+## iTLB Multihit:
+## Mitigate the vulnerability by marking all huge pages in the EPT as non-executable.
+## Currently affects Intel CPUs.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force"
+
+## Special Register Buffer Data Sampling (SRBDS):
+## Mitigation of the vulnerability is only possible via microcode update from Intel.
+## Currently affects Intel CPUs.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/special-register-buffer-data-sampling.html
+## https://access.redhat.com/solutions/5142691
+
+## L1D Flushing:
+## Mitigate leaks from the L1D cache on context switches by enabling the prctl() interface.
+## Currently affects Intel CPUs.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1d_flush.html
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1d_flush=on"
+
+## Processor MMIO Stale Data:
+## Mitigate the vulnerabilities by appropriately clearing the CPU buffer and disabling SMT.
+## Currently affects Intel CPUs.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mmio_stale_data=full,nosmt"
+
+## Arbitrary Speculative Code Execution with Return Instructions (Retbleed):
+## Mitigate the vulnerability through CPU-dependent implementation and disable SMT.
+## Currently affects both AMD Zen 1-2 and Intel CPUs.
+##
+## https://en.wikipedia.org/wiki/Retbleed
+## https://comsec.ethz.ch/research/microarch/retbleed/
+## https://www.suse.com/support/kb/doc/?id=000020693
+## https://access.redhat.com/solutions/retbleed
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt"
+
+## Cross-Thread Return Address Predictions:
+## Mitigate the vulnerability for certain KVM hypervisor configurations.
+## Currently affects AMD Zen 1-2 CPUs.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/cross-thread-rsb.html
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.mitigate_smt_rsb=1"
+
+## Speculative Return Stack Overflow (SRSO):
+## Mitigate the vulnerability by ensuring all RET instructions speculate to a controlled location.
+## Currently affects AMD Zen 1-4 CPUs.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html
+##
+## The default kernel setting will be utilized until provided sufficient evidence to modify.
+## Using "spec_rstack_overflow=ipbp" may provide stronger security at a greater performance impact.
+##
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_rstack_overflow=safe-ret"
+
+## Gather Data Sampling (GDS):
+## Mitigate the vulnerability either via microcode update or by disabling AVX.
+## Note, without a suitable microcode update, this will entirely disable use of the AVX instructions set.
+## Currently affects Intel CPUs.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/gather_data_sampling.html
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX gather_data_sampling=force"
+
+## Register File Data Sampling (RFDS):
+## Mitigate the vulnerability by appropriately clearing the CPU buffer.
+## Currently affects Intel Atom CPUs (which encompasses E-cores on hybrid architectures).
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/reg-file-data-sampling.html
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX reg_file_data_sampling=on"

etc/default/grub.d/40_enable_iommu.cfg

@@ -1,2 +0,0 @@
-# Enables IOMMU to prevent DMA attacks.
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on amd_iommu=on"

etc/default/grub.d/40_kernel_hardening.cfg

@@ -1,18 +1,329 @@
-# Disables the merging of slabs of similar sizes. Sometimes a slab can be used in a vulnerable way which an attacker can exploit.
+## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+kpkg="linux-image-$(dpkg --print-architecture)" || true
+kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || true
+#echo "## kver: $kver"
+
+## Definitions:
+## KSPP=yes: compliant with recommendations by the KSPP
+## KSPP=partial: partially compliant with recommendations by the KSPP
+## KSPP=no: not (currently) compliant with recommendations by the KSPP
+## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP.
+
+## This configuration file is split into 4 sections:
+## 1. Kernel Space
+## 2. Direct Memory Access
+## 3. Entropy
+## 4. Networking
+
+## See the documentation below for details on the majority of the selected commands:
+## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
+## https://wiki.archlinux.org/title/Kernel_parameters#GRUB
+
+## 1. Kernel Space:
+##
+## https://madaidans-insecurities.github.io/guides/linux-hardening.html#boot-parameters
+## https://kspp.github.io/Recommended_Settings#kernel-command-line-options
+
+## Disable merging of slabs with similar size.
+## Reduces the risk of triggering heap overflows.
+## Prevents overwriting objects from merged caches and limits influencing slab cache layout.
+##
+## https://www.openwall.com/lists/kernel-hardening/2017/06/19/33
+## https://www.openwall.com/lists/kernel-hardening/2017/06/20/10
+##
+## KSPP=yes
+## KSPP sets the kernel parameter and does not set CONFIG_SLAB_MERGE_DEFAULT.
+##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge"
 
-# Enables sanity checks (F), redzoning (Z) and poisoning (P).
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_debug=FZP"
+## Enable sanity checks and red zoning of slabs via debugging options to detect corruption.
+## As a by product of debugging, this will implicitly disabling kernel pointer hashing.
+## Enabling will therefore leak exact and all kernel memory addresses to root.
+## Has the potential to cause a noticeable performance decrease.
+##
+## https://www.kernel.org/doc/html/latest/mm/slub.html
+## https://lore.kernel.org/all/20210601182202.3011020-5-swboyd@chromium.org/T/#u
+## https://gitlab.tails.boum.org/tails/tails/-/issues/19613
+## https://github.com/Kicksecure/security-misc/issues/253
+##
+## KSPP=yes
+## KSPP sets the kernel parameters and CONFIG_SLUB_DEBUG.
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_debug=FZ"
 
-# Wipes free memory so it can't leak in various ways and prevents some use-after-free vulnerabilites.
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_poison=1"
+## Zero memory at allocation time and free time.
+## Fills newly allocated pages, freed pages, and heap objects with zeros.
+## Mitigates use-after-free exploits by erasing sensitive information in memory.
+##
+## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6471384af2a6530696fc0203bafe4de41a23c9ef
+##
+## KSPP=yes
+## KSPP sets the kernel parameters, CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y, and CONFIG_INIT_ON_FREE_DEFAULT_ON=y.
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_alloc=1"
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_free=1"
 
-# Makes the kernel panic on uncorrectable errors in ECC memory that an attacker could exploit.
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0"
+## Enable the kernel page allocator to randomize free lists.
+## During early boot, the page allocator has predictable FIFO behavior for physical pages.
+## Limits some data exfiltration and ROP attacks that rely on inferring sensitive data location.
+## Also improves performance by optimizing memory-side cache utilization.
+##
+## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e900a918b0984ec8f2eb150b8477a47b75d17692
+## https://en.wikipedia.org/wiki/Return-oriented_programming#Attacks
+##
+## KSPP=yes
+## KSPP sets the kernel parameter and CONFIG_SHUFFLE_PAGE_ALLOCATOR=y.
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1"
 
-# Enables Kernel Page Table Isolation which mitigates Meltdown and improves KASLR.
+## Enable kernel page table isolation to harden against kernel ASLR (KASLR) bypasses.
+## Mitigates the Meltdown CPU vulnerability.
+##
+## https://en.wikipedia.org/wiki/Kernel_page-table_isolation
+##
+## KSPP=yes
+## KSPP sets the kernel parameter and CONFIG_MITIGATION_PAGE_TABLE_ISOLATION=y.
+##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on"
 
-# Enables all mitigations for the MDS vulnerability.
-# Disables smt which can be used to exploit the MDS vulnerability.
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt"
+## Enable randomization of the kernel stack offset on syscall entries.
+## Hardens against memory corruption attacks due to increased entropy.
+## Limits attacks relying on deterministic stack addresses or cross-syscall address exposure.
+##
+## https://lkml.org/lkml/2019/3/18/246
+## https://a13xp0p0v.github.io/2020/02/15/CVE-2019-18683.html
+##
+## KSPP=yes
+## KSPP sets the kernel parameter and CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y.
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX randomize_kstack_offset=on"
+
+## Disable vsyscalls to reduce attack surface as they have been replaced by vDSO.
+## Vulnerable to ROP attacks as vsyscalls are located at fixed addresses in memory.
+##
+## https://lwn.net/Articles/446528/
+## https://en.wikipedia.org/wiki/VDSO
+##
+## KSPP=yes
+## KSPP sets the kernel parameter, CONFIG_LEGACY_VSYSCALL_NONE=y and does not set CONFIG_X86_VSYSCALL_EMULATION.
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none"
+
+## Restrict access to debugfs by not registering the file system.
+## Deactivated since the file system can contain sensitive information.
+##
+## https://lkml.org/lkml/2020/7/16/122
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
+
+## Force the kernel to panic on "oopses".
+## Can sometimes potentially indicate and thwart certain kernel exploitation attempts.
+## Panics may be due to false-positives such as bad drivers.
+##
+## https://en.wikipedia.org/wiki/Kernel_panic#Linux
+## https://en.wikipedia.org/wiki/Linux_kernel_oops
+## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713
+##
+## KSPP=partial
+## KSPP sets CONFIG_PANIC_ON_OOPS=y, but also requires CONFIG_PANIC_TIMEOUT=-1.
+##
+## See /usr/libexec/security-misc/panic-on-oops for implementation.
+##
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX oops=panic"
+
+## Modify machine check exception handler.
+## Can decide whether the system should panic or not based on the occurrence of an exception.
+##
+## https://www.kernel.org/doc/html/latest/arch/x86/x86_64/machinecheck.html
+## https://www.kernel.org/doc/html/latest/arch/x86/x86_64/boot-options.html#machine-check
+## https://forums.whonix.org/t/kernel-hardening/7296/494
+##
+## The default kernel setting will be utilized until provided sufficient evidence to modify.
+##
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0"
+
+## Prevent sensitive kernel information leaks in the console during boot.
+## Must be used in combination with the kernel.printk sysctl.
+## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation.
+##
+## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html
+## https://wiki.archlinux.org/title/silent_boot
+##
+## See /etc/default/grub.d/41_quiet_boot.cfg for implementation.
+##
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX loglevel=0"
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet"
+
+## Enable the kernel "Electric-Fence" sampling-based memory safety error detector.
+## KFENCE detects heap out-of-bounds access, use-after-free, and invalid-free errors.
+## Aims to have very low processing overhead at each sampling interval.
+## Sampling interval is set to occur every 100 milliseconds as per KSPP recommendation.
+##
+## https://www.kernel.org/doc/html/latest/dev-tools/kfence.html
+## https://google.github.io/kernel-sanitizers/KFENCE.html
+## https://blogs.oracle.com/linux/post/linux-slub-allocator-internals-and-debugging-4
+## https://lwn.net/Articles/835542/
+##
+## KSPP=yes
+## KSPP sets the kernel parameter, CONFIG_KFENCE=y, and CONFIG_KFENCE_SAMPLE_INTERVAL=100.
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100"
+
+## Disable 32-bit Virtual Dynamic Shared Object (vDSO) mappings.
+## Legacy compatibility feature for superseded glibc versions.
+##
+## https://lore.kernel.org/lkml/20080409082927.BD59E26F992@magilla.localdomain/T/
+## https://lists.openwall.net/linux-kernel/2014/03/11/3
+##
+## KSPP=yes
+## KSPP sets the kernel parameter and does not set CONFIG_COMPAT_VDSO.
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
+
+## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation.
+## The default implementation is FineIBT as of Linux kernel 6.2.
+## The Intel-developed IBT (Indirect Branch Tracking) is only used if supported by the CPU.
+## kCFI is software-only while FineIBT is a hybrid software/hardware implementation.
+## FineIBT may result in some performance benefits as it only performs checking at destinations.
+## FineIBT is considered weaker against attacks that can write arbitrary executables into memory.
+## Upstream hardening work has provided users the ability to disable FineIBT based on requests.
+## Choice of CFI implementation is highly dependent on user threat model as there are pros/cons to both.
+## Do not modify from the default setting if unsure of implications.
+##
+## https://lore.kernel.org/all/20221027092842.699804264@infradead.org/
+## https://lore.kernel.org/lkml/202210010918.4918F847C4@keescook/T/#u
+## https://lore.kernel.org/lkml/202210182217.486CBA50@keescook/T/
+## https://lore.kernel.org/lkml/202407150933.E1871BE@keescook/
+## https://isopenbsdsecu.re/mitigations/forward_edge_cfi/
+## https://docs.kernel.org/next/x86/shstk.html
+## https://source.android.com/docs/security/test/kcfi
+## https://lpc.events/event/16/contributions/1315/attachments/1067/2169/cfi.pdf
+## https://forums.whonix.org/t/kernel-hardening-security-misc/7296/561
+##
+## KSPP=yes
+## KSPP sets the kernel parameter.
+##
+## TODO: Debian 13 Trixie
+## Applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness).
+##
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX cfi=kcfi"
+
+## Disable support for x86 processes and syscalls.
+## Unconditionally disables IA32 emulation to substantially reduce attack surface.
+##
+## https://lore.kernel.org/all/20230623111409.3047467-7-nik.borisov@suse.com/
+##
+## KSPP=yes
+## KSPP does not set CONFIG_COMPAT, CONFIG_IA32_EMULATION, CONFIG_X86_X32, CONFIG_X86_X32_ABI, and CONFIG_MODIFY_LDT_SYSCALL.
+##
+## TODO: Debian 13 Trixie
+## Applicable when using Linux kernel >= 6.7 (retained here for future-proofing and completeness).
+##
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0"
+
+## Disable EFI persistent storage feature.
+## Prevents the kernel from writing crash logs and other persistent data to the EFI variable store.
+##
+## https://blogs.oracle.com/linux/post/pstore-linux-kernel-persistent-storage-file-system
+## https://www.ais.com/understanding-pstore-linux-kernel-persistent-storage-file-system/
+## https://lwn.net/Articles/434821/
+## https://manpages.debian.org/testing/systemd/systemd-pstore.service.8.en.html
+## https://gitlab.tails.boum.org/tails/tails/-/issues/20813
+## https://github.com/Kicksecure/security-misc/issues/299
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi_pstore.pstore_disable=1"
+
+## 2. Direct Memory Access:
+##
+## https://madaidans-insecurities.github.io/guides/linux-hardening.html#dma-attacks
+
+## Enable CPU manufacturer-specific IOMMU drivers to mitigate some DMA attacks.
+##
+## KSPP=yes
+## KSPP sets CONFIG_INTEL_IOMMU=y, CONFIG_INTEL_IOMMU_DEFAULT_ON=y, CONFIG_INTEL_IOMMU_SVM=y, CONFIG_AMD_IOMMU=y, and CONFIG_AMD_IOMMU_V2=y.
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX amd_iommu=force_isolation"
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on"
+
+## Enable and force use of IOMMU translation to protect against some DMA attacks.
+## Strictly force DMA unmap operations to synchronously invalidate IOMMU hardware TLBs.
+## Ensures devices will never be able to access stale data contents.
+##
+## https://en.wikipedia.org/wiki/Input%E2%80%93output_memory_management_unit
+## https://en.wikipedia.org/wiki/DMA_attack
+## https://lenovopress.lenovo.com/lp1467.pdf
+##
+## KSPP=yes
+## KSPP sets the kernel parameters, CONFIG_IOMMU_SUPPORT=y, CONFIG_IOMMU_DEFAULT_DMA_STRICT=y, and does not set CONFIG_IOMMU_DEFAULT_PASSTHROUGH.
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu=force"
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.passthrough=0"
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.strict=1"
+
+## Clear the busmaster bit on all PCI bridges during the EFI hand-off.
+## Terminates all existing DMA transactions prior to the kernel's IOMMU setup.
+## Forces third party PCI devices to then re-set their busmaster bit in order to perform DMA.
+## Assumes that the motherboard chipset and firmware are not malicious.
+## May cause complete boot failure on certain hardware with incompatible firmware.
+##
+## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94
+## https://mjg59.dreamwidth.org/54433.html
+##
+## KSPP=yes
+## KSPP sets CONFIG_EFI_DISABLE_PCI_DMA=y.
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma"
+
+## 3. Entropy:
+##
+## https://madaidans-insecurities.github.io/guides/linux-hardening.html#rdrand
+
+## Do not credit the CPU or bootloader seeds as entropy sources at boot.
+## The RDRAND CPU (RNG) instructions are proprietary and closed-source.
+## Numerous implementations of RDRAND have a long history of being defective.
+## The RNG seed passed by the bootloader could also potentially be tampered.
+## Maximizing the entropy pool at boot is desirable for all cryptographic operations.
+## These settings ensure additional entropy is obtained from other sources to initialize the RNG.
+## Note that distrusting these (relatively fast) sources of entropy will increase boot time.
+##
+## https://en.wikipedia.org/wiki/RDRAND#Reception
+## https://systemd.io/RANDOM_SEEDS/
+## https://www.kicksecure.com/wiki/Dev/Entropy#RDRAND
+## https://arstechnica.com/gadgets/2019/10/how-a-months-old-amd-microcode-bug-destroyed-my-weekend/
+## https://x.com/pid_eins/status/1149649806056280069
+## https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html
+## https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566
+## https://github.com/NixOS/nixpkgs/pull/165355
+## https://lkml.org/lkml/2022/6/5/271
+##
+## KSPP=yes
+## KSPP sets CONFIG_RANDOM_TRUST_BOOTLOADER=y and CONFIG_RANDOM_TRUST_CPU=y.
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_bootloader=off"
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off"
+
+## Obtain more entropy during boot as the runtime memory allocator is being initialized.
+## Entropy will be extracted from up to the first 4GB of RAM.
+## Requires the linux-hardened kernel patch.
+##
+## https://www.kicksecure.com/wiki/Hardened-kernel#linux-hardened
+## https://github.com/anthraxx/linux-hardened/commit/c3e7df1dba1eb8105d6d5143079a6a0ad9e9ebc7
+## https://github.com/anthraxx/linux-hardened/commit/a04458f97fe1f7e95888c77c0165b646375db9c4
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy"
+
+## 4. Networking
+##
+## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-boot-parameters
+
+## Disable the entire IPv6 stack functionality.
+## Removes attack surface associated with the IPv6 module.
+##
+## https://www.kernel.org/doc/html/latest/networking/ipv6.html
+## https://wiki.archlinux.org/title/IPv6#Disable_IPv6
+##
+## Enabling makes redundant many network hardening sysctl's in /usr/lib/sysctl.d/990-security-misc.conf.
+##
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ipv6.disable=1"

etc/default/grub.d/40_remount_secure.cfg

@@ -0,0 +1,31 @@
+## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Definitions:
+## KSPP=yes: compliant with recommendations by the KSPP
+## KSPP=partial: partially compliant with recommendations by the KSPP
+## KSPP=no: not (currently) compliant with recommendations by the KSPP
+## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP.
+
+## Remount Secure provides enhanced security via mount options:
+## https://www.kicksecure.com/wiki/Security-misc#Remount_Secure
+
+## Option A (No Security):
+## Disable Remount Secure.
+##
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=0"
+
+## Option B (Low Security):
+## Re-mount with nodev and nosuid only.
+##
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=1"
+
+## Option C (Medium Security):
+## Re-mount with nodev, nosuid, and noexec for most mount points, excluding /home.
+##
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=2"
+
+## Option D (Highest Security):
+## Re-mount with nodev, nosuid, and noexec for all mount points including /home.
+##
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=3"

etc/default/grub.d/40_signed_modules.cfg

@@ -0,0 +1,37 @@
+## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Definitions:
+## KSPP=yes: compliant with recommendations by the KSPP
+## KSPP=partial: partially compliant with recommendations by the KSPP
+## KSPP=no: not (currently) compliant with recommendations by the KSPP
+## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP.
+
+## Require every kernel module to be signed before being loaded.
+## Any module that is unsigned or signed with an invalid key cannot be loaded.
+## This prevents all out-of-tree kernel modules unless signed.
+## This makes it harder to load a malicious module.
+##
+## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/61
+## https://github.com/dell/dkms/issues/359
+##
+## KSPP=yes
+## KSPP sets CONFIG_MODULE_SIG=y, CONFIG_MODULE_SIG_FORCE=y, and CONFIG_MODULE_SIG_ALL=y.
+##
+## Not enabled by default yet due to several issues.
+##
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX module.sig_enforce=1"
+
+## Enable kernel lockdown to enforce security boundary between user and kernel space.
+## Confidentiality mode enforces module signature verification.
+##
+## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880
+##
+## KSPP=yes
+## KSPP sets CONFIG_SECURITY_LOCKDOWN_LSM=y, CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y, and CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y.
+##
+## Not enabled by default yet due to several issues.
+##
+#if dpkg --compare-versions "${kver}" ge "5.4"; then
+#  GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX lockdown=confidentiality"
+#fi

etc/default/grub.d/41_quiet_boot.cfg

@@ -0,0 +1,35 @@
+## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Definitions:
+## KSPP=yes: compliant with recommendations by the KSPP
+## KSPP=partial: partially compliant with recommendations by the KSPP
+## KSPP=no: not (currently) compliant with recommendations by the KSPP
+## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP.
+
+## Some default configuration files automatically include the "quiet" parameter.
+## Therefore, first remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT since "quiet" must be first.
+## str_replace is provided by package helper-scripts.
+##
+## https://github.com/Kicksecure/security-misc/pull/233#issuecomment-2228792461
+##
+GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | str_replace "quiet" "")"
+
+## Prevent sensitive kernel information leaks in the console during boot.
+## Must be used in combination with the kernel.printk sysctl.
+## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation.
+##
+## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html
+## https://wiki.archlinux.org/title/silent_boot
+##
+## For easier debugging, these are not applied to the recovery boot option.
+## Switch the pair of commands to universally apply parameters to all boot options.
+##
+GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT loglevel=0"
+GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT quiet"
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX loglevel=0"
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet"
+
+## For Increased Log Verbosity:
+## Adjust (or comment out) the kernel.printk sysctl in /usr/lib/sysctl.d/30_silent-kernel-printk.conf.
+## Alternatively, installing the debug-misc package will undo these settings.

etc/default/grub.d/41_recovery_restrict.cfg

@@ -0,0 +1,21 @@
+## Copyright (C) 2024 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Definitions:
+## KSPP=yes: compliant with recommendations by the KSPP
+## KSPP=partial: partially compliant with recommendations by the KSPP
+## KSPP=no: not (currently) compliant with recommendations by the KSPP
+## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP.
+
+## Disable access to single-user (recovery) mode.
+##
+## https://forums.kicksecure.com/t/remove-linux-recovery-mode-boot-option-from-default-grub-boot-menu/727
+##
+GRUB_DISABLE_RECOVERY="true"
+
+## Disable access to Dracut's recovery console.
+##
+## https://forums.kicksecure.com/t/harden-dracut-initramfs-generator-by-disabling-recovery-console/724
+##
+GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT rd.emergency=halt"
+GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT rd.shell=0"

etc/dracut.conf.d/30-security-misc.conf

@@ -0,0 +1,7 @@
+## Copyright (C) 2021 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+reproducible=yes
+
+## Debugging.
+#show_modules=yes

etc/gitconfig

@@ -0,0 +1,38 @@
+## Copyright (C) 2024 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Lines starting with a hash symbol ('#') are comments.
+## https://github.com/Kicksecure/security-misc/issues/225
+
+[core]
+## https://github.com/git/git/security/advisories/GHSA-8prw-h3cq-mghm
+	symlinks = false
+
+## https://forums.whonix.org/t/git-users-enable-fsck-by-default-for-better-security/2066
+[transfer]
+	fsckobjects = true
+[fetch]
+	fsckobjects = true
+[receive]
+	fsckobjects = true
+
+## Generally a good idea but too intrusive to enable by default.
+## Listed here as suggestions what users should put into their ~/.gitconfig
+## file.
+
+## Not enabled by default because it requires essential knowledge about OpenPG
+## and an already existing local signing key. Otherwise would prevent all new
+## commits.
+#[commit]
+#	gpgsign = true
+
+## Not enabled by default because it would break the 'git merge' command for
+## unsigned commits and require the '--no-verify-signature' command line
+## option.
+#[merge]
+#	verifySignatures = true
+
+## Not enabled by default because it would break for users who are not having
+## an account at the git server and having added a SSH public key.
+#[url "ssh://git@github.com/"]
+#	insteadOf = https://github.com/

etc/hide-hardware-info.d/30_default.conf

@@ -0,0 +1,15 @@
+## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Disable the /sys whitelist.
+#sysfs_whitelist=0
+
+## Disable the /proc/cpuinfo whitelist.
+#cpuinfo_whitelist=0
+
+## Disable /sys hardening.
+#sysfs=0
+
+## Disable selinux mode.
+## https://www.kicksecure.com/wiki/Security-misc#selinux
+#selinux=0

etc/initramfs-tools/hooks/sysctl-initramfs

@@ -0,0 +1,21 @@
+#!/bin/sh
+
+## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+set -e
+
+PREREQ=""
+prereqs()
+{
+        echo "$PREREQ"
+}
+case $1 in
+prereqs)
+       prereqs
+       exit 0
+       ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+copy_exec /usr/sbin/sysctl /usr/sbin

etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs

@@ -0,0 +1,26 @@
+#!/bin/sh
+
+## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+PREREQ=""
+prereqs()
+{
+        echo "$PREREQ"
+}
+case $1 in
+prereqs)
+        prereqs
+        exit 0
+        ;;
+esac
+
+## Write to '/run/initramfs' folder.
+## https://forums.whonix.org/t/kernel-hardening/7296/435
+
+sysctl -p ${rootmnt}/etc/sysctl.conf >/dev/null 2> "/run/initramfs/sysctl-initramfs-error.log"
+sysctl -p ${rootmnt}/etc/sysctl.d/*.conf >/dev/null 2>> "/run/initramfs/sysctl-initramfs-error.log"
+
+grep -v "unprivileged_userfaultfd" "/run/initramfs/sysctl-initramfs-error.log"
+
+true

etc/kernel/postinst.d/30_remove-system-map

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+if test -x /usr/libexec/security-misc/remove-system.map ; then
+   /usr/libexec/security-misc/remove-system.map
+fi

etc/login.defs.security-misc

@@ -1,337 +0,0 @@
-#
-# /etc/login.defs - Configuration control definitions for the login package.
-#
-# Three items must be defined:  MAIL_DIR, ENV_SUPATH, and ENV_PATH.
-# If unspecified, some arbitrary (and possibly incorrect) value will
-# be assumed.  All other items are optional - if not specified then
-# the described action or option will be inhibited.
-#
-# Comment lines (lines beginning with "#") and blank lines are ignored.
-#
-# Modified for Linux.  --marekm
-
-# REQUIRED for useradd/userdel/usermod
-#   Directory where mailboxes reside, _or_ name of file, relative to the
-#   home directory.  If you _do_ define MAIL_DIR and MAIL_FILE,
-#   MAIL_DIR takes precedence.
-#
-#   Essentially:
-#      - MAIL_DIR defines the location of users mail spool files
-#        (for mbox use) by appending the username to MAIL_DIR as defined
-#        below.
-#      - MAIL_FILE defines the location of the users mail spool files as the
-#        fully-qualified filename obtained by prepending the user home
-#        directory before $MAIL_FILE
-#
-# NOTE: This is no more used for setting up users MAIL environment variable
-#       which is, starting from shadow 4.0.12-1 in Debian, entirely the
-#       job of the pam_mail PAM modules
-#       See default PAM configuration files provided for
-#       login, su, etc.
-#
-# This is a temporary situation: setting these variables will soon
-# move to /etc/default/useradd and the variables will then be
-# no more supported
-MAIL_DIR        /var/mail
-#MAIL_FILE      .mail
-
-#
-# Enable logging and display of /var/log/faillog login failure info.
-# This option conflicts with the pam_tally PAM module.
-#
-FAILLOG_ENAB		yes
-
-#
-# Enable display of unknown usernames when login failures are recorded.
-#
-# WARNING: Unknown usernames may become world readable. 
-# See #290803 and #298773 for details about how this could become a security
-# concern
-LOG_UNKFAIL_ENAB	no
-
-#
-# Enable logging of successful logins
-#
-LOG_OK_LOGINS		no
-
-#
-# Enable "syslog" logging of su activity - in addition to sulog file logging.
-# SYSLOG_SG_ENAB does the same for newgrp and sg.
-#
-SYSLOG_SU_ENAB		yes
-SYSLOG_SG_ENAB		yes
-
-#
-# If defined, all su activity is logged to this file.
-#
-#SULOG_FILE	/var/log/sulog
-
-#
-# If defined, file which maps tty line to TERM environment parameter.
-# Each line of the file is in a format something like "vt100  tty01".
-#
-#TTYTYPE_FILE	/etc/ttytype
-
-#
-# If defined, login failures will be logged here in a utmp format
-# last, when invoked as lastb, will read /var/log/btmp, so...
-#
-FTMP_FILE	/var/log/btmp
-
-#
-# If defined, the command name to display when running "su -".  For
-# example, if this is defined as "su" then a "ps" will display the
-# command is "-su".  If not defined, then "ps" would display the
-# name of the shell actually being run, e.g. something like "-sh".
-#
-SU_NAME		su
-
-#
-# If defined, file which inhibits all the usual chatter during the login
-# sequence.  If a full pathname, then hushed mode will be enabled if the
-# user's name or shell are found in the file.  If not a full pathname, then
-# hushed mode will be enabled if the file exists in the user's home directory.
-#
-HUSHLOGIN_FILE	.hushlogin
-#HUSHLOGIN_FILE	/etc/hushlogins
-
-#
-# *REQUIRED*  The default PATH settings, for superuser and normal users.
-#
-# (they are minimal, add the rest in the shell startup files)
-ENV_SUPATH	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
-ENV_PATH	PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
-
-#
-# Terminal permissions
-#
-#	TTYGROUP	Login tty will be assigned this group ownership.
-#	TTYPERM		Login tty will be set to this permission.
-#
-# If you have a "write" program which is "setgid" to a special group
-# which owns the terminals, define TTYGROUP to the group number and
-# TTYPERM to 0620.  Otherwise leave TTYGROUP commented out and assign
-# TTYPERM to either 622 or 600.
-#
-# In Debian /usr/bin/bsd-write or similar programs are setgid tty
-# However, the default and recommended value for TTYPERM is still 0600
-# to not allow anyone to write to anyone else console or terminal
-
-# Users can still allow other people to write them by issuing 
-# the "mesg y" command.
-
-TTYGROUP	tty
-TTYPERM		0600
-
-#
-# Login configuration initializations:
-#
-#	ERASECHAR	Terminal ERASE character ('\010' = backspace).
-#	KILLCHAR	Terminal KILL character ('\025' = CTRL/U).
-#	UMASK		Default "umask" value.
-#
-# The ERASECHAR and KILLCHAR are used only on System V machines.
-# 
-# UMASK is the default umask value for pam_umask and is used by
-# useradd and newusers to set the mode of the new home directories.
-# 022 is the "historical" value in Debian for UMASK
-# 027, or even 077, could be considered better for privacy
-# There is no One True Answer here : each sysadmin must make up his/her
-# mind.
-#
-# If USERGROUPS_ENAB is set to "yes", that will modify this UMASK default value
-# for private user groups, i. e. the uid is the same as gid, and username is
-# the same as the primary group name: for these, the user permissions will be
-# used as group permissions, e. g. 022 will become 002.
-#
-# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
-#
-ERASECHAR	0177
-KILLCHAR	025
-UMASK		  006
-
-#
-# Password aging controls:
-#
-#	PASS_MAX_DAYS	Maximum number of days a password may be used.
-#	PASS_MIN_DAYS	Minimum number of days allowed between password changes.
-#	PASS_WARN_AGE	Number of days warning given before a password expires.
-#
-PASS_MAX_DAYS	99999
-PASS_MIN_DAYS	0
-PASS_WARN_AGE	7
-
-#
-# Min/max values for automatic uid selection in useradd
-#
-UID_MIN			 1000
-UID_MAX			60000
-# System accounts
-#SYS_UID_MIN		  100
-#SYS_UID_MAX		  999
-
-#
-# Min/max values for automatic gid selection in groupadd
-#
-GID_MIN			 1000
-GID_MAX			60000
-# System accounts
-#SYS_GID_MIN		  100
-#SYS_GID_MAX		  999
-
-#
-# Max number of login retries if password is bad. This will most likely be
-# overriden by PAM, since the default pam_unix module has it's own built
-# in of 3 retries. However, this is a safe fallback in case you are using
-# an authentication module that does not enforce PAM_MAXTRIES.
-#
-LOGIN_RETRIES		5
-
-#
-# Max time in seconds for login
-#
-LOGIN_TIMEOUT		60
-
-#
-# Which fields may be changed by regular users using chfn - use
-# any combination of letters "frwh" (full name, room number, work
-# phone, home phone).  If not defined, no changes are allowed.
-# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
-# 
-CHFN_RESTRICT		rwh
-
-#
-# Should login be allowed if we can't cd to the home directory?
-# Default in no.
-#
-DEFAULT_HOME	yes
-
-#
-# If defined, this command is run when removing a user.
-# It should remove any at/cron/print jobs etc. owned by
-# the user to be removed (passed as the first argument).
-#
-#USERDEL_CMD	/usr/sbin/userdel_local
-
-#
-# If set to yes, userdel will remove the user's group if it contains no
-# more members, and useradd will create by default a group with the name
-# of the user.
-#
-# Other former uses of this variable such as setting the umask when
-# user==primary group are not used in PAM environments, such as Debian
-#
-USERGROUPS_ENAB yes
-
-#
-# Instead of the real user shell, the program specified by this parameter
-# will be launched, although its visible name (argv[0]) will be the shell's.
-# The program may do whatever it wants (logging, additional authentification,
-# banner, ...) before running the actual shell.
-#
-# FAKE_SHELL /bin/fakeshell
-
-#
-# If defined, either full pathname of a file containing device names or
-# a ":" delimited list of device names.  Root logins will be allowed only
-# upon these devices.
-#
-# This variable is used by login and su.
-#
-#CONSOLE	/etc/consoles
-#CONSOLE	console:tty01:tty02:tty03:tty04
-
-#
-# List of groups to add to the user's supplementary group set
-# when logging in on the console (as determined by the CONSOLE
-# setting).  Default is none.
-#
-# Use with caution - it is possible for users to gain permanent
-# access to these groups, even when not logged in on the console.
-# How to do it is left as an exercise for the reader...
-#
-# This variable is used by login and su.
-#
-#CONSOLE_GROUPS		floppy:audio:cdrom
-
-#
-# If set to "yes", new passwords will be encrypted using the MD5-based
-# algorithm compatible with the one used by recent releases of FreeBSD.
-# It supports passwords of unlimited length and longer salt strings.
-# Set to "no" if you need to copy encrypted passwords to other systems
-# which don't understand the new algorithm.  Default is "no".
-#
-# This variable is deprecated. You should use ENCRYPT_METHOD.
-#
-#MD5_CRYPT_ENAB	no
-
-#
-# If set to MD5 , MD5-based algorithm will be used for encrypting password
-# If set to SHA256, SHA256-based algorithm will be used for encrypting password
-# If set to SHA512, SHA512-based algorithm will be used for encrypting password
-# If set to DES, DES-based algorithm will be used for encrypting password (default)
-# Overrides the MD5_CRYPT_ENAB option
-#
-# Note: It is recommended to use a value consistent with
-# the PAM modules configuration.
-#
-ENCRYPT_METHOD SHA512
-
-#
-# Only used if ENCRYPT_METHOD is set to SHA256 or SHA512.
-#
-# Define the number of SHA rounds.
-# With a lot of rounds, it is more difficult to brute forcing the password.
-# But note also that it more CPU resources will be needed to authenticate
-# users.
-#
-# If not specified, the libc will choose the default number of rounds (5000).
-# The values must be inside the 1000-999999999 range.
-# If only one of the MIN or MAX values is set, then this value will be used.
-# If MIN > MAX, the highest value will be used.
-#
-# SHA_CRYPT_MIN_ROUNDS 5000
-# SHA_CRYPT_MAX_ROUNDS 5000
-
-################# OBSOLETED BY PAM ##############
-#						#
-# These options are now handled by PAM. Please	#
-# edit the appropriate file in /etc/pam.d/ to	#
-# enable the equivelants of them.
-#
-###############
-
-#MOTD_FILE
-#DIALUPS_CHECK_ENAB
-#LASTLOG_ENAB
-#MAIL_CHECK_ENAB
-#OBSCURE_CHECKS_ENAB
-#PORTTIME_CHECKS_ENAB
-#SU_WHEEL_ONLY
-#CRACKLIB_DICTPATH
-#PASS_CHANGE_TRIES
-#PASS_ALWAYS_WARN
-#ENVIRON_FILE
-#NOLOGINS_FILE
-#ISSUE_FILE
-#PASS_MIN_LEN
-#PASS_MAX_LEN
-#ULIMIT
-#ENV_HZ
-#CHFN_AUTH
-#CHSH_AUTH
-#FAIL_DELAY
-
-################# OBSOLETED #######################
-#						  #
-# These options are no more handled by shadow.    #
-#                                                 #
-# Shadow utilities will display a warning if they #
-# still appear.                                   #
-#                                                 #
-###################################################
-
-# CLOSE_SESSIONS
-# LOGIN_STRING
-# NO_PASSWORD_CONSOLE
-# QMAIL_DIR

etc/modprobe.d/30_nf_conntrack_helper_disable.conf

@@ -1,2 +0,0 @@
-## https://phabricator.whonix.org/T486
-options nf_conntrack nf_conntrack_helper=0

etc/modprobe.d/30_security-misc_blacklist.conf

@@ -0,0 +1,63 @@
+## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## See the following links for a community discussion and overview regarding the selections.
+## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989
+## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules
+
+## Blacklisting prevents kernel modules from automatically starting.
+## Disabling prohibits kernel modules from starting.
+
+## CD-ROM/DVD:
+## Blacklist CD-ROM and DVD modules.
+## Do not disable by default for potential future ISO plans.
+##
+## https://nvd.nist.gov/vuln/detail/CVE-2018-11506
+## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31
+##
+blacklist cdrom
+blacklist sr_mod
+##
+#install cdrom /usr/bin/disabled-cdrom-by-security-misc
+#install sr_mod /usr/bin/disabled-cdrom-by-security-misc
+
+## Miscellaneous:
+
+## GrapheneOS:
+## Partial selection of their infrastructure blacklist.
+## Duplicate and already disabled modules have been omitted.
+##
+## https://github.com/GrapheneOS/infrastructure/blob/main/modprobe.d/local.conf
+##
+#blacklist cfg80211
+#blacklist intel_agp
+#blacklist ip_tables
+blacklist joydev
+#blacklist mousedev
+#blacklist psmouse
+## TODO: Re-check in Debian trixie
+## In GrapheneOS list, yes, "should" be out-commented here.
+## But not actually out-commented.
+## Breaks VirtualBox audio device ICH AC97, which is unfortunately still required by some users.
+## https://www.kicksecure.com/wiki/Dev/audio
+## https://github.com/Kicksecure/security-misc/issues/271
+#blacklist snd_intel8x0
+#blacklist tls
+#blacklist virtio_balloon
+#blacklist virtio_console
+
+## Ubuntu:
+## Already disabled modules have been omitted.
+##
+## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco
+## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco
+##
+blacklist amd76x_edac
+blacklist ath_pci
+blacklist evbug
+blacklist pcspkr
+blacklist snd_aw2
+blacklist snd_intel8x0m
+blacklist snd_pcsp
+blacklist usbkbd
+blacklist usbmouse

etc/modprobe.d/30_security-misc_conntrack.conf

@@ -0,0 +1,11 @@
+## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Conntrack:
+## Disable Netfilter's automatic connection tracking helper assignment.
+## Increases kernel attack surface by enabling superfluous functionality such as IRC parsing in the kernel.
+##
+## https://conntrack-tools.netfilter.org/manual.html
+## https://forums.whonix.org/t/disable-conntrack-helper/18917
+##
+options nf_conntrack nf_conntrack_helper=0

etc/modprobe.d/30_security-misc_disable.conf

@@ -0,0 +1,310 @@
+## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## See the following links for a community discussion and overview regarding the selections.
+## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989
+## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules
+
+## Blacklisting prevents kernel modules from automatically starting.
+## Disabling prohibits kernel modules from starting.
+
+## This configuration file is split into 4 sections:
+## 1. Hardware
+## 2. File Systems
+## 3. Networking
+## 4. Miscellaneous
+
+## 1. Hardware:
+
+## Bluetooth:
+## Disable Bluetooth to reduce attack surface due to extended history of security vulnerabilities.
+##
+## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
+##
+## Now replaced by a privacy and security preserving default Bluetooth configuration for better usability.
+## https://github.com/Kicksecure/security-misc/pull/145
+##
+#install bluetooth /usr/bin/disabled-bluetooth-by-security-misc
+#install bluetooth_6lowpan  /usr/bin/disabled-bluetooth-by-security-misc
+#install bt3c_cs /usr/bin/disabled-bluetooth-by-security-misc
+#install btbcm /usr/bin/disabled-bluetooth-by-security-misc
+#install btintel /usr/bin/disabled-bluetooth-by-security-misc
+#install btmrvl /usr/bin/disabled-bluetooth-by-security-misc
+#install btmrvl_sdio /usr/bin/disabled-bluetooth-by-security-misc
+#install btmtk /usr/bin/disabled-bluetooth-by-security-misc
+#install btmtksdio /usr/bin/disabled-bluetooth-by-security-misc
+#install btmtkuart /usr/bin/disabled-bluetooth-by-security-misc
+#install btnxpuart /usr/bin/disabled-bluetooth-by-security-misc
+#install btqca /usr/bin/disabled-bluetooth-by-security-misc
+#install btrsi /usr/bin/disabled-bluetooth-by-security-misc
+#install btrtl /usr/bin/disabled-bluetooth-by-security-misc
+#install btsdio /usr/bin/disabled-bluetooth-by-security-misc
+#install btusb /usr/bin/disabled-bluetooth-by-security-misc
+#install virtio_bt /usr/bin/disabled-bluetooth-by-security-misc
+
+## FireWire (IEEE 1394):
+## Disable IEEE 1394 (FireWire/i.LINK/Lynx) modules to prevent some DMA attacks.
+##
+## https://en.wikipedia.org/wiki/IEEE_1394#Security_issues
+##
+install dv1394 /usr/bin/disabled-firewire-by-security-misc
+install firewire-core /usr/bin/disabled-firewire-by-security-misc
+install firewire-ohci /usr/bin/disabled-firewire-by-security-misc
+install firewire-net /usr/bin/disabled-firewire-by-security-misc
+install firewire-sbp2 /usr/bin/disabled-firewire-by-security-misc
+install ohci1394 /usr/bin/disabled-firewire-by-security-misc
+install raw1394 /usr/bin/disabled-firewire-by-security-misc
+install sbp2 /usr/bin/disabled-firewire-by-security-misc
+install video1394 /usr/bin/disabled-firewire-by-security-misc
+
+## Global Positioning Systems (GPS):
+## Disable GPS-related modules like GNSS (Global Navigation Satellite System).
+##
+install garmin_gps /usr/bin/disabled-gps-by-security-misc
+install gnss /usr/bin/disabled-gps-by-security-misc
+install gnss-mtk /usr/bin/disabled-gps-by-security-misc
+install gnss-serial /usr/bin/disabled-gps-by-security-misc
+install gnss-sirf /usr/bin/disabled-gps-by-security-misc
+install gnss-ubx /usr/bin/disabled-gps-by-security-misc
+install gnss-usb /usr/bin/disabled-gps-by-security-misc
+
+## Intel Management Engine (ME):
+## Partially disable the Intel ME interface with the OS.
+## ME functionality has increasing become more intertwined with basic Intel system operation.
+## Disabling may lead to breakages in numerous places without clear debugging/error messages.
+## May cause issues with firmware updates, security, power management, display, and DRM.
+##
+## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html
+## https://en.wikipedia.org/wiki/Intel_Management_Engine#Security_vulnerabilities
+## https://www.kicksecure.com/wiki/Out-of-band_Management_Technology#Intel_ME_Disabling_Disadvantages
+## https://github.com/Kicksecure/security-misc/pull/236#issuecomment-2229092813
+## https://github.com/Kicksecure/security-misc/issues/239
+##
+#install mei /usr/bin/disabled-intelme-by-security-misc
+#install mei-gsc /usr/bin/disabled-intelme-by-security-misc
+#install mei_gsc_proxy /usr/bin/disabled-intelme-by-security-misc
+#install mei_hdcp /usr/bin/disabled-intelme-by-security-misc
+#install mei-me /usr/bin/disabled-intelme-by-security-misc
+#install mei_phy /usr/bin/disabled-intelme-by-security-misc
+#install mei_pxp /usr/bin/disabled-intelme-by-security-misc
+#install mei-txe /usr/bin/disabled-intelme-by-security-misc
+#install mei-vsc /usr/bin/disabled-intelme-by-security-misc
+#install mei-vsc-hw /usr/bin/disabled-intelme-by-security-misc
+#install mei_wdt /usr/bin/disabled-intelme-by-security-misc
+#install microread_mei /usr/bin/disabled-intelme-by-security-misc
+
+## Intel Platform Monitoring Technology (PMT) Telemetry:
+## Disable some functionality of the Intel PMT components.
+##
+## https://github.com/intel/Intel-PMT
+##
+install pmt_class /usr/bin/disabled-intelpmt-by-security-misc
+install pmt_crashlog /usr/bin/disabled-intelpmt-by-security-misc
+install pmt_telemetry /usr/bin/disabled-intelpmt-by-security-misc
+
+## Thunderbolt:
+## Disables Thunderbolt modules to prevent some DMA attacks.
+##
+## https://en.wikipedia.org/wiki/Thunderbolt_(interface)#Security_vulnerabilities
+##
+install intel-wmi-thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
+install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
+install thunderbolt_net /usr/bin/disabled-thunderbolt-by-security-misc
+
+## 2. File Systems:
+
+## File Systems:
+## Disable uncommon file systems to reduce attack surface.
+## HFS/HFS+ are legacy Apple file systems that may be required depending on the EFI partition format.
+##
+install cramfs /usr/bin/disabled-filesys-by-security-misc
+install freevxfs /usr/bin/disabled-filesys-by-security-misc
+install hfs /usr/bin/disabled-filesys-by-security-misc
+install hfsplus /usr/bin/disabled-filesys-by-security-misc
+install jffs2 /usr/bin/disabled-filesys-by-security-misc
+install jfs /usr/bin/disabled-filesys-by-security-misc
+install reiserfs /usr/bin/disabled-filesys-by-security-misc
+install udf /usr/bin/disabled-filesys-by-security-misc
+
+## Network File Systems:
+## Disable uncommon network file systems to reduce attack surface.
+##
+install gfs2 /usr/bin/disabled-netfilesys-by-security-misc
+install ksmbd /usr/bin/disabled-netfilesys-by-security-misc
+##
+## Common Internet File System (CIFS):
+##
+install cifs /usr/bin/disabled-netfilesys-by-security-misc
+install cifs_arc4 /usr/bin/disabled-netfilesys-by-security-misc
+install cifs_md4 /usr/bin/disabled-netfilesys-by-security-misc
+##
+## Network File System (NFS):
+##
+install nfs /usr/bin/disabled-netfilesys-by-security-misc
+install nfs_acl /usr/bin/disabled-netfilesys-by-security-misc
+install nfs_layout_nfsv41_files /usr/bin/disabled-netfilesys-by-security-misc
+install nfs_layout_flexfiles /usr/bin/disabled-netfilesys-by-security-misc
+install nfsd /usr/bin/disabled-netfilesys-by-security-misc
+install nfsv2 /usr/bin/disabled-netfilesys-by-security-misc
+install nfsv3 /usr/bin/disabled-netfilesys-by-security-misc
+install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc
+
+## 2. Networking:
+
+## Network Protocols:
+## Disables rare and unneeded network protocols that are a common source of unknown vulnerabilities.
+## Previously had blacklisted eepro100 and eth1394.
+##
+## https://tails.boum.org/blueprint/blacklist_modules/
+## https://fedoraproject.org/wiki/Security_Features_Matrix#Blacklist_Rare_Protocols
+## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-rare-network.conf?h=ubuntu/disco
+## https://github.com/Kicksecure/security-misc/pull/234#issuecomment-2230732015
+##
+install af_802154 /usr/bin/disabled-network-by-security-misc
+install appletalk /usr/bin/disabled-network-by-security-misc
+install ax25 /usr/bin/disabled-network-by-security-misc
+#install brcm80211 /usr/bin/disabled-network-by-security-misc
+install decnet /usr/bin/disabled-network-by-security-misc
+install dccp /usr/bin/disabled-network-by-security-misc
+install econet /usr/bin/disabled-network-by-security-misc
+install eepro100 /usr/bin/disabled-network-by-security-misc
+install eth1394 /usr/bin/disabled-network-by-security-misc
+install ipx /usr/bin/disabled-network-by-security-misc
+install n-hdlc /usr/bin/disabled-network-by-security-misc
+install netrom /usr/bin/disabled-network-by-security-misc
+install p8022 /usr/bin/disabled-network-by-security-misc
+install p8023 /usr/bin/disabled-network-by-security-misc
+install psnap /usr/bin/disabled-network-by-security-misc
+install rose /usr/bin/disabled-network-by-security-misc
+install x25 /usr/bin/disabled-network-by-security-misc
+##
+## Asynchronous Transfer Mode (ATM):
+##
+install atm /usr/bin/disabled-network-by-security-misc
+install ueagle-atm /usr/bin/disabled-network-by-security-misc
+install usbatm /usr/bin/disabled-network-by-security-misc
+install xusbatm /usr/bin/disabled-network-by-security-misc
+##
+## Controller Area Network (CAN) Protocol:
+##
+install c_can /usr/bin/disabled-network-by-security-misc
+install c_can_pci /usr/bin/disabled-network-by-security-misc
+install c_can_platform /usr/bin/disabled-network-by-security-misc
+install can /usr/bin/disabled-network-by-security-misc
+install can-bcm /usr/bin/disabled-network-by-security-misc
+install can-dev /usr/bin/disabled-network-by-security-misc
+install can-gw /usr/bin/disabled-network-by-security-misc
+install can-isotp /usr/bin/disabled-network-by-security-misc
+install can-raw /usr/bin/disabled-network-by-security-misc
+install can-j1939 /usr/bin/disabled-network-by-security-misc
+install can327 /usr/bin/disabled-network-by-security-misc
+install ifi_canfd /usr/bin/disabled-network-by-security-misc
+install janz-ican3 /usr/bin/disabled-network-by-security-misc
+install m_can /usr/bin/disabled-network-by-security-misc
+install m_can_pci /usr/bin/disabled-network-by-security-misc
+install m_can_platform /usr/bin/disabled-network-by-security-misc
+install phy-can-transceiver /usr/bin/disabled-network-by-security-misc
+install slcan /usr/bin/disabled-network-by-security-misc
+install ucan /usr/bin/disabled-network-by-security-misc
+install vxcan /usr/bin/disabled-network-by-security-misc
+install vcan /usr/bin/disabled-network-by-security-misc
+##
+## Transparent Inter Process Communication (TIPC):
+##
+install tipc /usr/bin/disabled-network-by-security-misc
+install tipc_diag /usr/bin/disabled-network-by-security-misc
+##
+## Reliable Datagram Sockets (RDS):
+##
+install rds /usr/bin/disabled-network-by-security-misc
+install rds_rdma /usr/bin/disabled-network-by-security-misc
+install rds_tcp /usr/bin/disabled-network-by-security-misc
+##
+## Stream Control Transmission Protocol (SCTP):
+##
+install sctp /usr/bin/disabled-network-by-security-misc
+install sctp_diag /usr/bin/disabled-network-by-security-misc
+
+## 4. Miscellaneous:
+
+## Amateur Radios:
+##
+install hamradio /usr/bin/disabled-miscellaneous-by-security-misc
+
+## CPU Model-Specific Registers (MSRs):
+## Disable CPU MSRs as they can be abused to write to arbitrary memory.
+##
+## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode
+## https://github.com/Kicksecure/security-misc/issues/215
+##
+#install msr /usr/bin/disabled-miscellaneous-by-security-misc
+
+## Floppy Disks:
+##
+install floppy /usr/bin/disabled-miscellaneous-by-security-misc
+
+## Framebuffer (fbdev):
+## Video drivers are known to be buggy, cause kernel panics, and are generally only used by legacy devices.
+## These were all previously blacklisted.
+##
+## https://docs.kernel.org/fb/index.html
+## https://en.wikipedia.org/wiki/Linux_framebuffer
+## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco
+##
+install aty128fb /usr/bin/disabled-framebuffer-by-security-misc
+install atyfb /usr/bin/disabled-framebuffer-by-security-misc
+install cirrusfb /usr/bin/disabled-framebuffer-by-security-misc
+install cyber2000fb /usr/bin/disabled-framebuffer-by-security-misc
+install cyblafb /usr/bin/disabled-framebuffer-by-security-misc
+install gx1fb /usr/bin/disabled-framebuffer-by-security-misc
+install hgafb /usr/bin/disabled-framebuffer-by-security-misc
+install i810fb /usr/bin/disabled-framebuffer-by-security-misc
+install intelfb /usr/bin/disabled-framebuffer-by-security-misc
+install kyrofb /usr/bin/disabled-framebuffer-by-security-misc
+install lxfb /usr/bin/disabled-framebuffer-by-security-misc
+install matroxfb_base /usr/bin/disabled-framebuffer-by-security-misc
+install neofb /usr/bin/disabled-framebuffer-by-security-misc
+install nvidiafb /usr/bin/disabled-framebuffer-by-security-misc
+install pm2fb /usr/bin/disabled-framebuffer-by-security-misc
+install radeonfb /usr/bin/disabled-framebuffer-by-security-misc
+install rivafb /usr/bin/disabled-framebuffer-by-security-misc
+install s1d13xxxfb /usr/bin/disabled-framebuffer-by-security-misc
+install savagefb /usr/bin/disabled-framebuffer-by-security-misc
+install sisfb /usr/bin/disabled-framebuffer-by-security-misc
+install sstfb /usr/bin/disabled-framebuffer-by-security-misc
+install tdfxfb /usr/bin/disabled-framebuffer-by-security-misc
+install tridentfb /usr/bin/disabled-framebuffer-by-security-misc
+install vesafb /usr/bin/disabled-framebuffer-by-security-misc
+install vfb /usr/bin/disabled-framebuffer-by-security-misc
+install viafb /usr/bin/disabled-framebuffer-by-security-misc
+install vt8623fb /usr/bin/disabled-framebuffer-by-security-misc
+install udlfb /usr/bin/disabled-framebuffer-by-security-misc
+
+## Replaced Modules:
+## These legacy drivers have all been entirely replaced and superseded by newer drivers.
+## These were all previously blacklisted.
+##
+## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco
+##
+install asus_acpi /usr/bin/disabled-miscellaneous-by-security-misc
+install bcm43xx /usr/bin/disabled-miscellaneous-by-security-misc
+install de4x5 /usr/bin/disabled-miscellaneous-by-security-misc
+install prism54 /usr/bin/disabled-miscellaneous-by-security-misc
+
+## USB Video Device Class:
+## Disables the USB-based video streaming driver for devices like some webcams and digital camcorders.
+##
+#install uvcvideo /usr/bin/disabled-miscellaneous-by-security-misc
+
+## Vivid:
+## Disables the vivid kernel module since it has been the cause of multiple vulnerabilities.
+##
+## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233
+## https://www.openwall.com/lists/oss-security/2019/11/02/1
+## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475
+##
+## No longer disabled by default:
+## https://forums.whonix.org/t/testing-qubes-video-companion-on-whonix/21393
+## https://github.com/Kicksecure/security-misc/issues/298
+##
+#install vivid /usr/bin/disabled-miscellaneous-by-security-misc

etc/modprobe.d/blacklist-dma.conf

@@ -1,3 +0,0 @@
-# Blacklist thunderbolt and firewire to prevent some DMA attacks.
-install firewire-core /bin/true
-install thunderbolt /bin/true

etc/modprobe.d/uncommon-network-protocols.conf

@@ -1,26 +0,0 @@
-# Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties.
-#
-# Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these.
-# 
-# > Debian ships a long list of modules for wide support of devices, filesystems, protocols. Some of these modules have a pretty bad security track record, and some of those are simply not used by most of our users.
-#
-# > Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record.
-#
-install dccp /bin/true
-install sctp /bin/true
-install rds /bin/true
-install tipc /bin/true
-install n-hdlc /bin/true
-install ax25 /bin/true
-install netrom /bin/true
-install x25 /bin/true
-install rose /bin/true
-install decnet /bin/true
-install econet /bin/true
-install af_802154 /bin/true
-install ipx /bin/true
-install appletalk /bin/true
-install psnap /bin/true
-install p8023 /bin/true
-install llc /bin/true
-install p8022 /bin/true

etc/pam.d/common-password.security-misc

@@ -1,33 +0,0 @@
-#
-# /etc/pam.d/common-password - password-related modules common to all services
-#
-# This file is included from other service-specific PAM config files,
-# and should contain a list of modules that define the services to be
-# used to change user passwords.  The default is pam_unix.
-
-# Explanation of pam_unix options:
-#
-# The "sha512" option enables salted SHA512 passwords.  Without this option,
-# the default is Unix crypt.  Prior releases used the option "md5".
-#
-# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
-# login.defs.
-#
-# See the pam_unix manpage for other options.
-
-# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
-# To take advantage of this, it is recommended that you configure any
-# local modules either before or after the default block, and use
-# pam-auth-update to manage selection of other modules.  See
-# pam-auth-update(8) for details.
-
-# here are the per-package modules (the "Primary" block)
-password	[success=1 default=ignore]	pam_unix.so obscure sha512 rounds=65536
-# here's the fallback if no module succeeds
-password	requisite			pam_deny.so
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-# since the modules above will each just jump around
-password	required			pam_permit.so
-# and here are more per-package modules (the "Additional" block)
-# end of pam-auth-update config

etc/pam.d/common-session-noninteractive.security-misc

@@ -1,28 +0,0 @@
-#
-# /etc/pam.d/common-session-noninteractive - session-related modules
-# common to all non-interactive services
-#
-# This file is included from other service-specific PAM config files,
-# and should contain a list of modules that define tasks to be performed
-# at the start and end of all non-interactive sessions.
-#
-# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
-# To take advantage of this, it is recommended that you configure any
-# local modules either before or after the default block, and use
-# pam-auth-update to manage selection of other modules.  See
-# pam-auth-update(8) for details.
-
-# here are the per-package modules (the "Primary" block)
-session	[default=1]			pam_permit.so
-# here's the fallback if no module succeeds
-session	requisite			pam_deny.so
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-# since the modules above will each just jump around
-session	required			pam_permit.so
-# and here are more per-package modules (the "Additional" block)
-session	required	pam_unix.so 
-session	optional	pam_cgfs.so -c freezer,memory,name=systemd
-# end of pam-auth-update config
-session optional pam_umask.so usergroups
-

etc/pam.d/common-session.security-misc

@@ -1,29 +0,0 @@
-#
-# /etc/pam.d/common-session - session-related modules common to all services
-#
-# This file is included from other service-specific PAM config files,
-# and should contain a list of modules that define tasks to be performed
-# at the start and end of sessions of *any* kind (both interactive and
-# non-interactive).
-#
-# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
-# To take advantage of this, it is recommended that you configure any
-# local modules either before or after the default block, and use
-# pam-auth-update to manage selection of other modules.  See
-# pam-auth-update(8) for details.
-
-# here are the per-package modules (the "Primary" block)
-session	[default=1]			pam_permit.so
-# here's the fallback if no module succeeds
-session	requisite			pam_deny.so
-# prime the stack with a positive return value if there isn't one already;
-# this avoids us returning an error just because nothing sets a success code
-# since the modules above will each just jump around
-session	required			pam_permit.so
-# and here are more per-package modules (the "Additional" block)
-session	required	pam_unix.so 
-session	optional	pam_systemd.so 
-session	optional	pam_cgfs.so -c freezer,memory,name=systemd
-# end of pam-auth-update config
-session optional pam_umask.so usergroups
-

etc/pam.d/su.security-misc

@@ -1,61 +0,0 @@
-#
-# The PAM configuration file for the Shadow `su' service
-#
-
-# This allows root to su without passwords (normal operation)
-auth       sufficient pam_rootok.so
-
-# Uncomment this to force users to be a member of group root
-# before they can use `su'. You can also add "group=foo"
-# to the end of this line if you want to use a group other
-# than the default "root" (but this may have side effect of
-# denying "root" user, unless she's a member of "foo" or explicitly
-# permitted earlier by e.g. "sufficient pam_rootok.so").
-# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
-auth       required   pam_wheel.so
-
-# Uncomment this if you want wheel members to be able to
-# su without a password.
-# auth       sufficient pam_wheel.so trust
-
-# Uncomment this if you want members of a specific group to not
-# be allowed to use su at all.
-# auth       required   pam_wheel.so deny group=nosu
-
-# Uncomment and edit /etc/security/time.conf if you need to set
-# time restrainst on su usage.
-# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
-# as well as /etc/porttime)
-# account    requisite  pam_time.so
-
-# This module parses environment configuration file(s)
-# and also allows you to use an extended config
-# file /etc/security/pam_env.conf.
-# 
-# parsing /etc/environment needs "readenv=1"
-session       required   pam_env.so readenv=1
-# locale variables are also kept into /etc/default/locale in etch
-# reading this file *in addition to /etc/environment* does not hurt
-session       required   pam_env.so readenv=1 envfile=/etc/default/locale
-
-# Defines the MAIL environment variable
-# However, userdel also needs MAIL_DIR and MAIL_FILE variables
-# in /etc/login.defs to make sure that removing a user 
-# also removes the user's mail spool file.
-# See comments in /etc/login.defs
-#
-# "nopen" stands to avoid reporting new mail when su'ing to another user
-session    optional   pam_mail.so nopen
-
-# Sets up user limits according to /etc/security/limits.conf
-# (Replaces the use of /etc/limits in old login)
-session    required   pam_limits.so
-
-# The standard Unix authentication modules, used with
-# NIS (man nsswitch) as well as normal /etc/passwd and
-# /etc/shadow entries.
-@include common-auth
-@include common-account
-@include common-session
-
-

etc/profile.d/30_security-misc.sh

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+if [ -z "$XDG_CONFIG_DIRS" ]; then
+   XDG_CONFIG_DIRS=/etc/xdg
+fi
+if ! echo "$XDG_CONFIG_DIRS" | grep --quiet /usr/share/security-misc/ ; then
+   export XDG_CONFIG_DIRS=/usr/share/security-misc/:$XDG_CONFIG_DIRS
+fi

etc/securetty.security-misc

@@ -1,2 +1,5 @@
+## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
 # /etc/securetty: list of terminals on which root is allowed to login.
 # See securetty(5) and login(1).

etc/security/access-security-misc.conf

@@ -0,0 +1,41 @@
+## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## To enable root login, see:
+## https://www.kicksecure.com/wiki/Root#Root_Login
+
+## Console Lockdown
+## https://forums.whonix.org/t/etc-security-hardening/8592
+
+## This is the error message should this fail:
+## sudo su
+## sudo: PAM account management error: Permission denied
+
+## see also:
+## man access.conf
+## man pam_access
+
+## Usually tty7 is for X.
+## Qubes uses tty1 for X.
+
+## Qubes has 'pts/0' when for example running "sudo" from a terminal emulator.
+## Qubes uses 'hvc0' when using in dom0 "sudo xl console vm-name".
+## When using systemd-nspawn (chroot) then `login` requires console 'console' to be permitted.
+
+## Allow members of group `console` to use:
+## - 'console'
+## - 'tty1' to 'tty7'
+## - 'pts/0' to 'pts/9'
+## - 'hvc0' to 'hvc9'
+## serial console
+## https://forums.whonix.org/t/how-do-i-enter-the-whonix-shell-from-cli/7271/43
+## - 'ttyS0' to 'ttyS9'
++:(console):console tty1 tty2 tty3 tty4 tty5 tty6 tty7 pts/0 pts/1 pts/2 pts/3 pts/4 pts/5 pts/6 pts/7 pts/8 pts/9 hvc0 hvc1 hvc2 hvc3 hvc4 hvc5 hvc6 hvc7 hvc8 hvc9 ttyS0 ttyS1 ttyS2 ttyS3 ttyS4 ttyS5 ttyS6 ttyS7 ttyS8 ttyS9
+
+## Same as above also for members of group `sudo`.
+## https://github.com/Whonix/security-misc/pull/74#issuecomment-607748407
++:(sudo):console tty1 tty2 tty3 tty4 tty5 tty6 tty7 pts/0 pts/1 pts/2 pts/3 pts/4 pts/5 pts/6 pts/7 pts/8 pts/9 hvc0 hvc1 hvc2 hvc3 hvc4 hvc5 hvc6 hvc7 hvc8 hvc9 ttyS0 ttyS1 ttyS2 ttyS3 ttyS4 ttyS5 ttyS6 ttyS7 ttyS8 ttyS9
+
+## Everyone else except members of group 'console-unrestricted'
+## are restricted from everything else.
+-:ALL EXCEPT (console-unrestricted):ALL

etc/security/faillock.conf.security-misc

@@ -0,0 +1,70 @@
+## Copyright (C) 2021 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+# Configuration for locking the user after multiple failed
+# authentication attempts.
+#
+# The directory where the user files with the failure records are kept.
+# The default is /var/run/faillock.
+dir = /var/lib/security-misc/faillock
+#
+# Will log the user name into the system log if the user is not found.
+# Enabled if option is present.
+audit
+#
+# Don't print informative messages.
+# Enabled if option is present.
+# silent
+#
+# Don't log informative messages via syslog.
+# Enabled if option is present.
+# no_log_info
+#
+# Only track failed user authentications attempts for local users
+# in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users.
+# The `faillock` command will also no longer track user failed
+# authentication attempts. Enabling this option will prevent a
+# double-lockout scenario where a user is locked out locally and
+# in the centralized mechanism.
+# Enabled if option is present.
+# local_users_only
+#
+# Deny access if the number of consecutive authentication failures
+# for this user during the recent interval exceeds n tries.
+# The default is 3.
+deny = 50
+#
+# The length of the interval during which the consecutive
+# authentication failures must happen for the user account
+# lock out is <replaceable>n</replaceable> seconds.
+# The default is 900 (15 minutes).
+# security-misc note: the interval should be set to infinity if possible,
+# however pam_faillock arbitrarily limits this variable to a maximum of 604800
+# seconds (7 days). See
+# https://github.com/linux-pam/linux-pam/blob/539816e4a0a277dbb632412be91e482fff9d9d09/modules/pam_faillock/faillock_config.h#L59
+# for details. Therefore we set this to the maximum allowable value of 7 days.
+fail_interval = 604800
+#
+# The access will be re-enabled after n seconds after the lock out.
+# The value 0 has the same meaning as value `never` - the access
+# will not be re-enabled without resetting the faillock
+# entries by the `faillock` command.
+# The default is 600 (10 minutes).
+unlock_time = never
+#
+# Root account can become locked as well as regular accounts.
+# Enabled if option is present.
+even_deny_root
+#
+# This option implies the `even_deny_root` option.
+# Allow access after n seconds to root account after the
+# account is locked. In case the option is not specified
+# the value is the same as of the `unlock_time` option.
+# root_unlock_time = 900
+#
+# If a group name is specified with this option, members
+# of the group will be handled by this module the same as
+# the root account (the options `even_deny_root>` and
+# `root_unlock_time` will apply to them.
+# By default, the option is not set.
+# admin_group = <admin_group_name>

etc/security/limits.d/30_security-misc.conf

@@ -0,0 +1,5 @@
+## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Disable coredumps.
+* hard core 0

etc/security/limits.d/disable-coredumps.conf

@@ -1,2 +0,0 @@
-# Disable coredumps.
-* hard core 0

etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml

@@ -1,5 +1,8 @@
 <?xml version="1.0" encoding="UTF-8"?>
 
+<!-- ## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org> -->
+<!-- ## See the file COPYING for copying conditions. -->
+
 <!-- Configuration for Thunar. -->
 <!-- Changes date style to iso format. -->
 <!-- Disable thumbnails. -->
@@ -13,4 +16,5 @@
     <value type="string" value="network:///"/>
   </property>
   <property name="misc-volume-management" type="bool" value="false"/>
+  <property name="misc-show-delete-action" type="bool" value="true"/>
 </channel>

etc/skel/.gnupg/gpg.conf

@@ -0,0 +1,350 @@
+# Options for GnuPG
+# Copyright 1998, 1999, 2000, 2001, 2002, 2003,
+#           2010 Free Software Foundation, Inc.
+#
+# This file is free software; as a special exception the author gives
+# unlimited permission to copy and/or distribute it, with or without
+# modifications, as long as this notice is preserved.
+#
+# This file is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
+# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+#
+# Unless you specify which option file to use (with the command line
+# option "--options filename"), GnuPG uses the file ~/.gnupg/gpg.conf
+# by default.
+#
+# An options file can contain any long options which are available in
+# GnuPG. If the first non white space character of a line is a '#',
+# this line is ignored.  Empty lines are also ignored.
+#
+# See the man page for a list of options.
+
+# Uncomment the following option to get rid of the copyright notice
+
+#no-greeting
+
+# If you have more than 1 secret key in your keyring, you may want to
+# uncomment the following option and set your preferred keyid.
+
+#default-key 621CC013
+
+# If you do not pass a recipient to gpg, it will ask for one.  Using
+# this option you can encrypt to a default key.  Key validation will
+# not be done in this case.  The second form uses the default key as
+# default recipient.
+
+#default-recipient some-user-id
+#default-recipient-self
+
+# Use --encrypt-to to add the specified key as a recipient to all
+# messages.  This is useful, for example, when sending mail through a
+# mail client that does not automatically encrypt mail to your key.
+# In the example, this option allows you to read your local copy of
+# encrypted mail that you've sent to others.
+
+#encrypt-to some-key-id
+
+# By default GnuPG creates version 4 signatures for data files as
+# specified by OpenPGP.  Some earlier (PGP 6, PGP 7) versions of PGP
+# require the older version 3 signatures.  Setting this option forces
+# GnuPG to create version 3 signatures.
+
+#force-v3-sigs
+
+# Because some mailers change lines starting with "From " to ">From "
+# it is good to handle such lines in a special way when creating
+# cleartext signatures; all other PGP versions do it this way too.
+
+#no-escape-from-lines
+
+# If you do not use the Latin-1 (ISO-8859-1) charset, you should tell
+# GnuPG which is the native character set.  Please check the man page
+# for supported character sets.  This character set is only used for
+# metadata and not for the actual message which does not undergo any
+# translation.  Note that future version of GnuPG will change to UTF-8
+# as default character set.  In most cases this option is not required
+# as GnuPG is able to figure out the correct charset at runtime.
+
+#charset utf-8
+
+# Group names may be defined like this:
+#   group mynames = paige 0x12345678 joe patti
+#
+# Any time "mynames" is a recipient (-r or --recipient), it will be
+# expanded to the names "paige", "joe", and "patti", and the key ID
+# "0x12345678".  Note that there is only one level of expansion - you
+# cannot make a group that points to another group.  Note also that
+# if there are spaces in the recipient name, this will appear as two
+# recipients.  In these cases it is better to use the key ID.
+
+#group mynames = paige 0x12345678 joe patti
+
+# Lock the file only once for the lifetime of a process.  If you do
+# not define this, the lock will be obtained and released every time
+# it is needed, which is usually preferable.
+
+#lock-once
+
+# GnuPG can send and receive keys to and from a keyserver.  These
+# servers can be HKP, email, or LDAP (if GnuPG is built with LDAP
+# support).
+#
+# High-risk users should stop using the keyserver network immediately.
+# https://forums.whonix.org/t/gpg-recv-keys-fails-no-longer-use-keyservers-for-anything/5607/8
+#
+# Example HKP keyserver:
+#      hkp://keys.gnupg.net
+#      hkp://subkeys.pgp.net
+#
+# Example email keyserver:
+#      mailto:pgp-public-keys@keys.pgp.net
+#
+# Example LDAP keyservers:
+#      ldap://keyserver.pgp.com
+#
+# Regular URL syntax applies, and you can set an alternate port
+# through the usual method:
+#      hkp://keyserver.example.net:22742
+#
+# Most users just set the name and type of their preferred keyserver.
+# Note that most servers (with the notable exception of
+# ldap://keyserver.pgp.com) synchronize changes with each other.  Note
+# also that a single server name may actually point to multiple
+# servers via DNS round-robin.  hkp://keys.gnupg.net is an example of
+# such a "server", which spreads the load over a number of physical
+# servers.  To see the IP address of the server actually used, you may use
+# the "--keyserver-options debug".
+#
+#keyserver hkp://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.onion
+#keyserver mailto:pgp-public-keys@keys.nl.pgp.net
+#keyserver ldap://keyserver.pgp.com
+
+# Common options for keyserver functions:
+#
+# include-disabled : when searching, include keys marked as "disabled"
+#                    on the keyserver (not all keyservers support this).
+#
+# no-include-revoked : when searching, do not include keys marked as
+#                      "revoked" on the keyserver.
+#
+# verbose : show more information as the keys are fetched.
+#           Can be used more than once to increase the amount
+#           of information shown.
+#
+# use-temp-files : use temporary files instead of a pipe to talk to the
+#                  keyserver.  Some platforms (Win32 for one) always
+#                  have this on.
+#
+# keep-temp-files : do not delete temporary files after using them
+#                   (really only useful for debugging)
+#
+# http-proxy="proxy" : set the proxy to use for HTTP and HKP keyservers.
+#                      This overrides the "http_proxy" environment variable,
+#                      if any.
+#
+# auto-key-retrieve : automatically fetch keys as needed from the keyserver
+#                     when verifying signatures or when importing keys that
+#                     have been revoked by a revocation key that is not
+#                     present on the keyring.
+#
+# no-include-attributes : do not include attribute IDs (aka "photo IDs")
+#                         when sending keys to the keyserver.
+
+#keyserver-options auto-key-retrieve
+
+# Display photo user IDs in key listings
+
+# list-options show-photos
+
+# Display photo user IDs when a signature from a key with a photo is
+# verified
+
+# verify-options show-photos
+
+# Use this program to display photo user IDs
+#
+# %i is expanded to a temporary file that contains the photo.
+# %I is the same as %i, but the file isn't deleted afterwards by GnuPG.
+# %k is expanded to the key ID of the key.
+# %K is expanded to the long OpenPGP key ID of the key.
+# %t is expanded to the extension of the image (e.g. "jpg").
+# %T is expanded to the MIME type of the image (e.g. "image/jpeg").
+# %f is expanded to the fingerprint of the key.
+# %% is %, of course.
+#
+# If %i or %I are not present, then the photo is supplied to the
+# viewer on standard input.  If your platform supports it, standard
+# input is the best way to do this as it avoids the time and effort in
+# generating and then cleaning up a secure temp file.
+#
+# If no photo-viewer is provided, GnuPG will look for xloadimage, eog,
+# or display (ImageMagick).  On Mac OS X and Windows, the default is
+# to use your regular JPEG image viewer.
+#
+# Some other viewers:
+# photo-viewer "qiv %i"
+# photo-viewer "ee %i"
+#
+# This one saves a copy of the photo ID in your home directory:
+# photo-viewer "cat > ~/photoid-for-key-%k.%t"
+#
+# Use your MIME handler to view photos:
+# photo-viewer "metamail -q -d -b -c %T -s 'KeyID 0x%k' -f GnuPG"
+
+# Passphrase agent
+#
+# We support the old experimental passphrase agent protocol as well as
+# the new Assuan based one (currently available in the "newpg" package
+# at ftp.gnupg.org/gcrypt/alpha/aegypten/).  To make use of the agent,
+# you have to run an agent as daemon and use the option
+#
+# For Ubuntu we now use-agent by default to support more automatic
+# use of GPG and S/MIME encryption by GUI programs.  Depending on the
+# program, users may still have to manually decide to install gnupg-agent.
+
+#use-agent
+
+# which tries to use the agent but will fallback to the regular mode
+# if there is a problem connecting to the agent.  The normal way to
+# locate the agent is by looking at the environment variable
+# GPG_AGENT_INFO which should have been set during gpg-agent startup.
+# In certain situations the use of this variable is not possible, thus
+# the option
+#
+# --gpg-agent-info=<path>:<pid>:1
+#
+# may be used to override it.
+
+# Automatic key location
+#
+# GnuPG can automatically locate and retrieve keys as needed using the
+# auto-key-locate option.  This happens when encrypting to an email
+# address (in the "user@example.com" form), and there are no
+# user@example.com keys on the local keyring.  This option takes the
+# following arguments, in the order they are to be tried:
+#
+# cert = locate a key using DNS CERT, as specified in RFC-4398.
+#        GnuPG can handle both the PGP (key) and IPGP (URL + fingerprint)
+#        CERT methods.
+#
+# pka = locate a key using DNS PKA.
+#
+# ldap = locate a key using the PGP Universal method of checking
+#        "ldap://keys.(thedomain)".  For example, encrypting to
+#        user@example.com will check ldap://keys.example.com.
+#
+# keyserver = locate a key using whatever keyserver is defined using
+#             the keyserver option.
+#
+# You may also list arbitrary keyservers here by URL.
+#
+# Try CERT, then PKA, then LDAP, then hkp://subkeys.net:
+#auto-key-locate cert pka ldap hkp://subkeys.pgp.net
+
+## Begin Anonymity Distribution /home/user/.gnupg/gpg.conf changes.
+
+#### meta start
+#### project Whonix
+#### category networking and apps
+#### description GnuPG gpg configuration
+#### meta end
+
+## source:
+## https://raw.github.com/ioerror/torbirdy/master/gpg.conf
+## https://github.com/ioerror/torbirdy/commit/e6d7c9e6e103f0b3289675d04ed3f92e92d8d7b3
+
+## Out commented proxy settings, because uwt wrapper keeps care of that.
+
+## gpg.conf optimized for privacy
+
+##################################################################
+## BEGIN some suggestions from TorBirdy setting extensions.enigmail.agentAdditionalParam
+
+## Don't disclose the version
+no-emit-version
+
+## Don't add additional comments (may leak language, etc)
+no-comments
+
+## We want to force UTF-8 everywhere
+display-charset utf-8
+
+## Proxy settings
+#keyserver-options http-proxy=socks5://TORIP:TORPORT
+
+## https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f
+## https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html
+## https://forums.whonix.org/t/gpg-recv-keys-fails-no-longer-use-keyservers-for-anything/5607
+#keyserver hkps://keys.openpgp.org
+
+## END some suggestions from TorBirdy TorBirdy setting extensions.enigmail.agentAdditionalParam
+##################################################################
+
+##################################################################
+## BEGIN Some suggestions from Debian https://keyring.debian.org/creating-key.html
+
+personal-digest-preferences SHA512
+cert-digest-algo SHA512
+default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
+
+## END Some suggestions from Debian https://keyring.debian.org/creating-key.html
+##################################################################
+
+##################################################################
+## BEGIN Some suggestions added from riseup https://we.riseup.net/riseuplabs+paow/openpgp-best-practices
+
+## When creating a key, individuals may designate a specific keyserver to use to pull their keys from.
+## The above option will disregard this designation and use the pool, which is useful because (1) it
+## prevents someone from designating an insecure method for pulling their key and (2) if the server
+## designated uses hkps, the refresh will fail because the ca-cert will not match, so the keys will
+## never be refreshed.
+keyserver-options no-honor-keyserver-url
+
+## when outputting certificates, view user IDs distinctly from keys:
+fixed-list-mode
+
+## long keyids are more collision-resistant than short keyids (it's trivial to make a key with any desired short keyid)
+keyid-format 0xlong
+
+## when multiple digests are supported by all recipients, choose the strongest one:
+## already defined above
+#personal-digest-preferences SHA512 SHA384 SHA256 SHA224
+
+## preferences chosen for new keys should prioritize stronger algorithms:
+## already defined above
+#default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 BZIP2 ZLIB ZIP Uncompressed
+
+## If you use a graphical environment (and even if you don't) you should be using an agent:
+## (similar arguments as https://www.debian-administration.org/users/dkg/weblog/64)
+use-agent
+
+## You should always know at a glance which User IDs gpg thinks are legitimately bound to the keys in your keyring:
+verify-options show-uid-validity
+list-options show-uid-validity
+
+## include an unambiguous indicator of which key made a signature:
+## (see http://thread.gmane.org/gmane.mail.notmuch.general/3721/focus=7234)
+sig-notation issuer-fpr@notations.openpgp.fifthhorseman.net=%g
+
+## when making an OpenPGP certification, use a stronger digest than the default SHA1:
+## already defined above
+#cert-digest-algo SHA256
+
+## END Some suggestions added from riseup https://we.riseup.net/riseuplabs+paow/openpgp-best-practices
+##################################################################
+
+##################################################################
+## BEGIN Some suggestions from TorBirdy opt-in's
+
+## Up to you whether you in comment it (remove the single # in front of
+## it) or not. Disabled by default, because it causes too much complaints and
+## confusion.
+
+## Don't include keyids that may disclose the sender or any other non-obvious keyids
+#throw-keyids
+
+## END Some suggestions from TorBirdy opt-in's
+##################################################################
+
+## End of Anonymity Distribution /home/user/.gnupg/gpg.conf changes.

etc/sudoers.d/security-misc

@@ -1,5 +1,12 @@
-## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
 ## See the file COPYING for copying conditions.
 
-user ALL=NOPASSWD: /usr/lib/security-misc/panic-on-oops
-%sudo ALL=NOPASSWD: /usr/lib/security-misc/panic-on-oops
+## Neither of these are needed.
+#user ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops
+#%sudo ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops
+
+## Use a more open umask when executing commands with sudo
+## Can be overridden on a per-user basis using .[z]profile if desirable
+## https://www.kicksecure.com/wiki/Dev/Strong_Linux_User_Account_Isolation#umask_hardening
+Defaults umask_override
+Defaults umask=0022

etc/sysctl.d/coredumps.conf

@@ -1,3 +0,0 @@
-# Disables coredumps. This setting may be overwritten by systemd so this may not be useful.
-# security-misc also disables coredumps in other ways.
-kernel.core_pattern=|/bin/false

etc/sysctl.d/dmesg_restrict.conf

@@ -1,2 +0,0 @@
-# Restricts the kernel log to root only.
-kernel.dmesg_restrict=1

etc/sysctl.d/fs_protected.conf

@@ -1,3 +0,0 @@
-# Makes some data spoofing attacks harder.
-fs.protected_fifos=2
-fs.protected_regular=2

etc/sysctl.d/harden_bpf.conf

@@ -1,3 +0,0 @@
-# Hardens the BPF JIT compiler and restricts it to root.
-kernel.unprivileged_bpf_disabled=1
-net.core.bpf_jit_harden=2

etc/sysctl.d/kexec.conf

@@ -1,2 +0,0 @@
-# Disables kexec which can be used to replace the running kernel 
-kernel.kexec_load_disabled=1

etc/sysctl.d/kptr_restrict.conf

@@ -1,2 +0,0 @@
-# Hides kernel symbols in /proc/kallsyms
-kernel.kptr_restrict=2

etc/sysctl.d/mmap_aslr.conf

@@ -1,3 +0,0 @@
-# Improves KASLR effectiveness for mmap.
-vm.mmap_rnd_bits=32
-vm.mmap_rnd_compat_bits=16

etc/sysctl.d/ptrace_scope.conf

@@ -1,7 +0,0 @@
-# Restricts the use of ptrace to root. This might break some programs running under WINE.
-# A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. This can be done by running:
-#
-# sudo apt-get install libcap2-bin 
-# sudo setcap cap_sys_ptrace=eip /usr/bin/wineserver
-# sudo setcap cap_sys_ptrace=eip /usr/bin/wine-preloader
-kernel.yama.ptrace_scope=2

etc/sysctl.d/suid_dumpable.conf

@@ -1,2 +0,0 @@
-# Prevent setuid processes from creating coredumps.
-fs.suid_dumpable=0

etc/sysctl.d/sysrq.conf

@@ -1,2 +0,0 @@
-# Allow only rebooting/shutting down with the SysRq key.
-kernel.sysrq=128

etc/sysctl.d/tcp_hardening.conf

@@ -1,26 +0,0 @@
-## TCP/IP stack hardening 
-
-# Protects against time-wait assassination. It drops RST packets for sockets in the time-wait state.
-net.ipv4.tcp_rfc1337=1
-
-# Disables ICMP redirect acceptance.
-net.ipv4.conf.all.accept_redirects=0
-net.ipv4.conf.default.accept_redirects=0
-net.ipv4.conf.all.secure_redirects=0
-net.ipv4.conf.default.secure_redirects=0
-net.ipv6.conf.all.accept_redirects=0
-net.ipv6.conf.default.accept_redirects=0
-
-# Disables ICMP redirect sending.
-net.ipv4.conf.all.send_redirects=0
-net.ipv4.conf.default.send_redirects=0
-
-# Ignores ICMP requests.
-net.ipv4.icmp_echo_ignore_all=1
-
-# Enables TCP syncookies.
-net.ipv4.tcp_syncookies=1
-
-# Disable source routing.
-net.ipv4.conf.all.accept_source_route=0
-net.ipv4.conf.default.accept_source_route=0

etc/sysctl.d/tcp_sack.conf

@@ -1,2 +0,0 @@
-# Disables SACK as it is commonly exploited and likely not needed.
-net.ipv4.tcp_sack=0

etc/sysctl.d/tcp_timestamps.conf

@@ -1 +0,0 @@
-net.ipv4.tcp_timestamps=0

etc/systemd/system/emergency.service.d/override.conf

@@ -0,0 +1,8 @@
+## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211
+## https://salsa.debian.org/ah/user-setup/commit/bc5ca2de85ec27845d0b46059cb7cc02bae7b44d
+
+[Service]
+Environment=SYSTEMD_SULOGIN_FORCE=1

etc/systemd/system/rescue.service.d/override.conf

@@ -0,0 +1,8 @@
+## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211
+## https://salsa.debian.org/ah/user-setup/commit/bc5ca2de85ec27845d0b46059cb7cc02bae7b44d
+
+[Service]
+Environment=SYSTEMD_SULOGIN_FORCE=1

etc/thunderbird/pref/40_security-misc.js

@@ -0,0 +1,59 @@
+//#### Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+//#### See the file COPYING for copying conditions.
+
+//#### meta start
+//#### project Whonix and Kicksecure
+//#### category security and apps
+//#### description https://forums.whonix.org/t/enable-network-idn-show-punycode-by-default-in-thunderbird-to-fix-url-not-showing-real-domain-name-homograph-attack-punycode/8415
+//#### meta end
+
+// https://forums.whonix.org/t/enable-network-idn-show-punycode-by-default-in-thunderbird-to-fix-url-not-showing-real-domain-name-homograph-attack-punycode/8415
+pref("network.IDN_show_punycode", true);
+
+// Disable all and any kind of telemetry by default
+pref("toolkit.telemetry.enabled", false);
+pref("toolkit.telemetry.unified", false);
+pref("toolkit.telemetry.shutdownPingSender.enabled", false);
+pref("toolkit.telemetry.updatePing.enabled", false);
+pref("toolkit.telemetry.archive.enabled", false);
+pref("toolkit.telemetry.bhrPing.enabled", false);
+pref("toolkit.telemetry.firstShutdownPing.enabled", false);
+pref("toolkit.telemetry.newProfilePing.enabled", false);
+pref("toolkit.telemetry.server", ""); // Defense in depth
+pref("toolkit.telemetry.server_owner", ""); // Defense in depth
+pref("datareporting.healthreport.uploadEnabled", false);
+pref("datareporting.policy.dataSubmissionEnabled", false);
+pref("toolkit.telemetry.coverage.opt-out", true); // from Firefox
+pref("toolkit.coverage.opt-out", true); // from Firefox
+
+// Disable implicit outbound traffic
+pref("network.connectivity-service.enabled", false);
+pref("network.prefetch-next", false);
+pref("network.dns.disablePrefetch", true);
+pref("network.predictor.enabled", false);
+
+// No need to explain the problems with javascript
+// If you want javascript, use your browser
+// Thunderbird needs no javascript
+// pref("javascript.enabled", false); // Will break setting up services that require redirecting to their javascripted webpage for login, like gmail etc. So commented out for now.
+
+// Disable scripting when viewing pdf files
+user_pref("pdfjs.enableScripting", false);
+
+// If you want cookies, use your browser
+pref("network.cookie.cookieBehavior", 2);
+
+// Do not send user agent information
+// For email clients, this is more like a relic of the past
+// Completely not necessary and just exposes a lot of information about the client
+// Since v115.0 Thunderbird already minimizes the user agent
+// But we want it gone for good for no information leak at all
+// https://hg.mozilla.org/comm-central/rev/cbbbc8d93cd7
+pref("mailnews.headers.sendUserAgent", false);
+
+// Normally we send emails after marking them with a time stamp
+// That includes our local time zone
+// This option makes our local time zone appear as UTC
+// And rounds the time stamp to the closes minute
+// https://hg.mozilla.org/comm-central/rev/98aa0bf2e719
+pref("mail.sanitize_date_header", true);

lib/systemd/coredump.conf.d/disable-coredumps.conf

@@ -1,2 +0,0 @@
-[Coredump]
-Storage=none

lib/systemd/system/proc-hidepid.service

@@ -1,33 +0,0 @@
-## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
-## See the file COPYING for copying conditions.
-
-[Unit]
-Description=Mounts /proc with hidepid=2
-Documentation=https://github.com/Whonix/security-misc
-Requires=local-fs.target
-After=local-fs.target
-
-[Service]
-Type=oneshot
-ExecStart=/bin/mount -o remount,nosuid,nodev,noexec,hidepid=2 /proc
-
-## Disabled since not working in Qubes.
-#ProtectSystem=strict
-#ProtectHome=true
-#ProtectKernelTunables=true
-#ProtectKernelModules=true
-#ProtectControlGroups=true
-#PrivateTmp=true
-#PrivateMounts=true
-#PrivateDevices=true
-#MemoryDenyWriteExecute=true
-#NoNewPrivileges=true
-#RestrictRealtime=true
-#SystemCallArchitectures=native
-#RestrictNamespaces=true
-#SystemCallFilter=mount munmap access read open close stat fstat lstat mmap mprotect brk rt_sigaction rt_sigprocmask execve readlink getrlimit getuid getgid geteuid getegid statfs prctl arch_prctl set_tid_address newfstatat set_robust_list openat mkdir
-
-PrivateNetwork=true
-
-[Install]
-WantedBy=multi-user.target

lib/systemd/system/remove-system-map.service

@@ -1,10 +0,0 @@
-[Unit]
-Description=Removes the System.map files
-Documentation=https://github.com/Whonix/security-misc
-
-[Service]
-Type=oneshot
-ExecStart=/usr/lib/security-misc/remove-system.map
-
-[Install]
-WantedBy=multi-user.target

rpm_spec/security-misc.spec.in

@@ -3,8 +3,8 @@ Version:	@VERSION@
 Release:	1%{?dist}
 Summary:	enhances misc security settings
 
-License:	GPL-3+-with-additional-terms-1
-URL:		https://github.com/Whonix/security-misc
+License:	AGPL-3+
+URL:		https://github.com/Kicksecure/security-misc
 Source0:	%{name}-%{version}.tar.xz
 
 BuildRequires: dpkg-dev
@@ -13,50 +13,7 @@ Requires:	make
 BuildArch:  noarch
 
 %description
-The following settings are changed:
-
-deactivates previews in Dolphin;
-deactivates previews in Nautilus;
-deactivates thumbnails in Thunar;
-deactivates TCP timestamps;
-deactivates Netfilter's connection tracking helper;
-
-TCP time stamps (RFC 1323) allow for tracking clock
-information with millisecond resolution. This may or may not allow an
-attacker to learn information about the system clock at such
-a resolution, depending on various issues such as network lag.
-This information is available to anyone who monitors the network
-somewhere between the attacked system and the destination server.
-It may allow an attacker to find out how long a given
-system has been running, and to distinguish several
-systems running behind NAT and using the same IP address. It might
-also allow one to look for clocks that match an expected value to find the
-public IP used by a user.
-
-Hence, this package disables this feature by shipping the
-/etc/sysctl.d/tcp_timestamps.conf configuration file.
-
-Note that TCP time stamps normally have some usefulness. They are
-needed for:
-
-* the TCP protection against wrapped sequence numbers; however, to
-  trigger a wrap, one needs to send roughly 2^32 packets in one
-  minute:  as said in RFC 1700, "The current recommended default
-  time to live (TTL) for the Internet Protocol (IP) [45,105] is 64".
-  So, this probably won't be a practical problem in the context
-  of Anonymity Distributions.
-
-* "Round-Trip Time Measurement", which is only useful when the user
-  manages to saturate their connection. When using Anonymity Distributions,
-  probably the limiting factor for transmission speed is rarely the capacity
-  of the user connection.
-
-Netfilter's connection tracking helper module increases kernel attack
-surface by enabling superfluous functionality such as IRC parsing in
-the kernel. (!)
-
-Hence, this package disables this feature by shipping the
-/etc/sysctl.d/nf_conntrack_helper.conf configuration file.
+See README.
 
 %prep
 %setup -q
@@ -72,32 +29,9 @@ make %{?_smp_mflags}
 
 %files
 %license    debian/copyright
-/etc/X11/Xsession.d/50security-misc
-/etc/default/grub.d/40_enable_iommu.cfg
-/etc/default/grub.d/40_kernel_hardening.cfg
-/etc/modprobe.d/30_nf_conntrack_helper_disable.conf
-/etc/modprobe.d/blacklist-dma.conf
-/etc/modprobe.d/uncommon-network-protocols.conf
-/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml
-/etc/sysctl.d/dmesg_restrict.conf
-/etc/sysctl.d/fs_protected.conf
-/etc/sysctl.d/harden_bpf.conf
-/etc/sysctl.d/kexec.conf
-/etc/sysctl.d/kptr_restrict.conf
-/etc/sysctl.d/mmap_aslr.conf
-/etc/sysctl.d/ptrace_scope.conf
-/etc/sysctl.d/sysrq.conf
-/etc/sysctl.d/tcp_hardening.conf
-/etc/sysctl.d/tcp_timestamps.conf
-/etc/sysctl.d/tcp_sack.conf
-/usr/lib/security-misc/apt-get-update
-/usr/lib/security-misc/apt-get-update-sanity-test
-/usr/lib/security-misc/apt-get-wrapper
-/usr/lib/security-misc/remove-system.map
-/usr/share/glib-2.0/schemas/30_security-misc.gschema.override
-/usr/share/lintian/overrides/security-misc
-/usr/share/security-misc/dolphinrc
-/lib/systemd/system/remove-system-map.service
+/etc/*
+/lib/*
+/usr/*
 
 %changelog
 @CHANGELOG@

usr/bin/disabled-bluetooth-by-security-misc

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Alerts user that a kernel module failed to load due to it being explicitly disabled by default.
+
+echo "$0: ALERT: This Bluetooth kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2
+
+exit 1

usr/bin/disabled-cdrom-by-security-misc

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Alerts user that a kernel module failed to load due to it being explicitly disabled by default.
+
+echo "$0: ALERT: This CD-ROM/DVD kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2
+
+exit 1

usr/bin/disabled-filesys-by-security-misc

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Alerts user that a kernel module failed to load due to it being explicitly disabled by default.
+
+echo "$0: ALERT: This file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2
+
+exit 1

usr/bin/disabled-firewire-by-security-misc

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Alerts user that a kernel module failed to load due to it being explicitly disabled by default.
+
+echo "$0: ALERT: This FireWire (IEEE 1394) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2
+
+exit 1

usr/bin/disabled-framebuffer-by-security-misc

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+## Copyright (C) 2024 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Alerts user that a kernel module failed to load due to it being explicitly disabled by default.
+
+echo "$0: ALERT: This framebuffer (fbdev) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2
+
+exit 1

usr/bin/disabled-gps-by-security-misc

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Alerts user that a kernel module failed to load due to it being explicitly disabled by default.
+
+echo "$0: ALERT: This Global Positioning System (GPS) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2
+
+exit 1

usr/bin/disabled-intelme-by-security-misc

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Alerts user that a kernel module failed to load due to it being explicitly disabled by default.
+
+echo "$0: ALERT: This Intel Management Engine (ME) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2
+
+exit 1

usr/bin/disabled-intelpmt-by-security-misc

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+## Copyright (C) 2024 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Alerts user that a kernel module failed to load due to it being explicitly disabled by default.
+
+echo "$0: ALERT: This Intel Platform Monitoring Technology (PMT) Telemetry kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2
+
+exit 1

usr/bin/disabled-miscellaneous-by-security-misc

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Alerts user that a kernel module failed to load due to it being explicitly disabled by default.
+
+echo "$0: ALERT: This kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2
+
+exit 1

usr/bin/disabled-netfilesys-by-security-misc

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Alerts user that a kernel module failed to load due to it being explicitly disabled by default.
+
+echo "$0: ALERT: This network file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2
+
+exit 1

usr/bin/disabled-network-by-security-misc

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Alerts user that a kernel module failed to load due to it being explicitly disabled by default.
+
+echo "$0: ALERT: This network protocol kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2
+
+exit 1