diff --git a/COPYING b/COPYING index 513503a..829d909 100644 --- a/COPYING +++ b/COPYING 
@@ -1,73 +1,668 @@ Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Files: * -Copyright: 2012 - 2019 ENCRYPTED SUPPORT LP -License: GPL-3+-with-additional-terms-1 - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. +Copyright: 2012 - 2025 ENCRYPTED SUPPORT LLC +License: AGPL-3+ + +License: AGPL-3+ + GNU AFFERO GENERAL PUBLIC LICENSE + Version 3, 19 November 2007 . - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. + Copyright (C) 2007 Free Software Foundation, Inc. + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. . - You should have received a copy of the GNU General Public License - along with this program. If not, see . + Preamble . - On Debian systems, the full text of the GNU General Public - License version 3 can be found in the file - `/usr/share/common-licenses/GPL-3'. + The GNU Affero General Public License is a free, copyleft license for + software and other kinds of works, specifically designed to ensure + cooperation with the community in the case of network server software. . - ADDITIONAL TERMS APPLICABLE per GNU GPL version 3 section 7 + The licenses for most software and other practical works are designed + to take away your freedom to share and change the works. By contrast, + our General Public Licenses are intended to guarantee your freedom to + share and change all versions of a program--to make sure it remains free + software for all its users. . - 1. Replacement of Section 15. 
Section 15 of the GPL shall be deleted in its - entirety and replaced with the following: + When we speak of free software, we are referring to freedom, not + price. Our General Public Licenses are designed to make sure that you + have the freedom to distribute copies of free software (and charge for + them if you wish), that you receive source code or can get it if you + want it, that you can change the software or use pieces of it in new + free programs, and that you know you can do these things. . - 15. Disclaimer of Warranty. + Developers that use our General Public Licenses protect your rights + with two steps: (1) assert copyright on the software, and (2) offer + you this License which gives you legal permission to copy, distribute + and/or modify the software. . - THE PROGRAM IS PROVIDED WITHOUT ANY WARRANTIES, WHETHER EXPRESSED OR IMPLIED, - INCLUDING, WITHOUT LIMITATION, IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR - PURPOSE, NON-INFRINGEMENT, TITLE AND MERCHANTABILITY. THE PROGRAM IS BEING - DELIVERED OR MADE AVAILABLE 'AS IS', 'WITH ALL FAULTS' AND WITHOUT WARRANTY OR - REPRESENTATION. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE - PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF + A secondary benefit of defending all users' freedom is that + improvements made in alternate versions of the program, if they + receive widespread use, become available for other developers to + incorporate. Many developers of free software are heartened and + encouraged by the resulting cooperation. However, in the case of + software used on network servers, this result may fail to come about. + The GNU General Public License permits making a modified version and + letting the public access it on a server without ever releasing its + source code to the public. + . + The GNU Affero General Public License is designed specifically to + ensure that, in such cases, the modified source code becomes available + to the community. 
It requires the operator of a network server to + provide the source code of the modified version running there to the + users of that server. Therefore, public use of a modified version, on + a publicly accessible server, gives the public access to the source + code of the modified version. + . + An older license, called the Affero General Public License and + published by Affero, was designed to accomplish similar goals. This is + a different license, not a version of the Affero GPL, but Affero has + released a new version of the Affero GPL which permits relicensing under + this license. + . + The precise terms and conditions for copying, distribution and + modification follow. + . + TERMS AND CONDITIONS + . + 0. Definitions. + . + "This License" refers to version 3 of the GNU Affero General Public License. + . + "Copyright" also means copyright-like laws that apply to other kinds of + works, such as semiconductor masks. + . + "The Program" refers to any copyrightable work licensed under this + License. Each licensee is addressed as "you". "Licensees" and + "recipients" may be individuals or organizations. + . + To "modify" a work means to copy from or adapt all or part of the work + in a fashion requiring copyright permission, other than the making of an + exact copy. The resulting work is called a "modified version" of the + earlier work or a work "based on" the earlier work. + . + A "covered work" means either the unmodified Program or a work based + on the Program. + . + To "propagate" a work means to do anything with it that, without + permission, would make you directly or secondarily liable for + infringement under applicable copyright law, except executing it on a + computer or modifying a private copy. Propagation includes copying, + distribution (with or without modification), making available to the + public, and in some countries other activities as well. + . 
+ To "convey" a work means any kind of propagation that enables other + parties to make or receive copies. Mere interaction with a user through + a computer network, with no transfer of a copy, is not conveying. + . + An interactive user interface displays "Appropriate Legal Notices" + to the extent that it includes a convenient and prominently visible + feature that (1) displays an appropriate copyright notice, and (2) + tells the user that there is no warranty for the work (except to the + extent that warranties are provided), that licensees may convey the + work under this License, and how to view a copy of this License. If + the interface presents a list of user commands or options, such as a + menu, a prominent item in the list meets this criterion. + . + 1. Source Code. + . + The "source code" for a work means the preferred form of the work + for making modifications to it. "Object code" means any non-source + form of a work. + . + A "Standard Interface" means an interface that either is an official + standard defined by a recognized standards body, or, in the case of + interfaces specified for a particular programming language, one that + is widely used among developers working in that language. + . + The "System Libraries" of an executable work include anything, other + than the work as a whole, that (a) is included in the normal form of + packaging a Major Component, but which is not part of that Major + Component, and (b) serves only to enable use of the work with that + Major Component, or to implement a Standard Interface for which an + implementation is available to the public in source code form. A + "Major Component", in this context, means a major essential component + (kernel, window system, and so on) of the specific operating system + (if any) on which the executable work runs, or a compiler used to + produce the work, or an object code interpreter used to run it. + . 
+ The "Corresponding Source" for a work in object code form means all + the source code needed to generate, install, and (for an executable + work) run the object code and to modify the work, including scripts to + control those activities. However, it does not include the work's + System Libraries, or general-purpose tools or generally available free + programs which are used unmodified in performing those activities but + which are not part of the work. For example, Corresponding Source + includes interface definition files associated with source files for + the work, and the source code for shared libraries and dynamically + linked subprograms that the work is specifically designed to require, + such as by intimate data communication or control flow between those + subprograms and other parts of the work. + . + The Corresponding Source need not include anything that users + can regenerate automatically from other parts of the Corresponding + Source. + . + The Corresponding Source for a work in source code form is that + same work. + . + 2. Basic Permissions. + . + All rights granted under this License are granted for the term of + copyright on the Program, and are irrevocable provided the stated + conditions are met. This License explicitly affirms your unlimited + permission to run the unmodified Program. The output from running a + covered work is covered by this License only if the output, given its + content, constitutes a covered work. This License acknowledges your + rights of fair use or other equivalent, as provided by copyright law. + . + You may make, run and propagate covered works that you do not + convey, without conditions so long as your license otherwise remains + in force. 
You may convey covered works to others for the sole purpose + of having them make modifications exclusively for you, or provide you + with facilities for running those works, provided that you comply with + the terms of this License in conveying all material for which you do + not control copyright. Those thus making or running the covered works + for you must do so exclusively on your behalf, under your direction + and control, on terms that prohibit them from making any copies of + your copyrighted material outside their relationship with you. + . + Conveying under any other circumstances is permitted solely under + the conditions stated below. Sublicensing is not allowed; section 10 + makes it unnecessary. + . + 3. Protecting Users' Legal Rights From Anti-Circumvention Law. + . + No covered work shall be deemed part of an effective technological + measure under any applicable law fulfilling obligations under article + 11 of the WIPO copyright treaty adopted on 20 December 1996, or + similar laws prohibiting or restricting circumvention of such + measures. + . + When you convey a covered work, you waive any legal power to forbid + circumvention of technological measures to the extent such circumvention + is effected by exercising rights under this License with respect to + the covered work, and you disclaim any intention to limit operation or + modification of the work as a means of enforcing, against the work's + users, your or third parties' legal rights to forbid circumvention of + technological measures. + . + 4. Conveying Verbatim Copies. + . 
+ You may convey verbatim copies of the Program's source code as you + receive it, in any medium, provided that you conspicuously and + appropriately publish on each copy an appropriate copyright notice; + keep intact all notices stating that this License and any + non-permissive terms added in accord with section 7 apply to the code; + keep intact all notices of the absence of any warranty; and give all + recipients a copy of this License along with the Program. + . + You may charge any price or no price for each copy that you convey, + and you may offer support or warranty protection for a fee. + . + 5. Conveying Modified Source Versions. + . + You may convey a work based on the Program, or the modifications to + produce it from the Program, in the form of source code under the + terms of section 4, provided that you also meet all of these conditions: + . + a) The work must carry prominent notices stating that you modified + it, and giving a relevant date. + . + b) The work must carry prominent notices stating that it is + released under this License and any conditions added under section + 7. This requirement modifies the requirement in section 4 to + "keep intact all notices". + . + c) You must license the entire work, as a whole, under this + License to anyone who comes into possession of a copy. This + License will therefore apply, along with any applicable section 7 + additional terms, to the whole of the work, and all its parts, + regardless of how they are packaged. This License gives no + permission to license the work in any other way, but it does not + invalidate such permission if you have separately received it. + . + d) If the work has interactive user interfaces, each must display + Appropriate Legal Notices; however, if the Program has interactive + interfaces that do not display Appropriate Legal Notices, your + work need not make them do so. + . 
+ A compilation of a covered work with other separate and independent + works, which are not by their nature extensions of the covered work, + and which are not combined with it such as to form a larger program, + in or on a volume of a storage or distribution medium, is called an + "aggregate" if the compilation and its resulting copyright are not + used to limit the access or legal rights of the compilation's users + beyond what the individual works permit. Inclusion of a covered work + in an aggregate does not cause this License to apply to the other + parts of the aggregate. + . + 6. Conveying Non-Source Forms. + . + You may convey a covered work in object code form under the terms + of sections 4 and 5, provided that you also convey the + machine-readable Corresponding Source under the terms of this License, + in one of these ways: + . + a) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by the + Corresponding Source fixed on a durable physical medium + customarily used for software interchange. + . + b) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by a + written offer, valid for at least three years and valid for as + long as you offer spare parts or customer support for that product + model, to give anyone who possesses the object code either (1) a + copy of the Corresponding Source for all the software in the + product that is covered by this License, on a durable physical + medium customarily used for software interchange, for a price no + more than your reasonable cost of physically performing this + conveying of source, or (2) access to copy the + Corresponding Source from a network server at no charge. + . + c) Convey individual copies of the object code with a copy of the + written offer to provide the Corresponding Source. 
This + alternative is allowed only occasionally and noncommercially, and + only if you received the object code with such an offer, in accord + with subsection 6b. + . + d) Convey the object code by offering access from a designated + place (gratis or for a charge), and offer equivalent access to the + Corresponding Source in the same way through the same place at no + further charge. You need not require recipients to copy the + Corresponding Source along with the object code. If the place to + copy the object code is a network server, the Corresponding Source + may be on a different server (operated by you or a third party) + that supports equivalent copying facilities, provided you maintain + clear directions next to the object code saying where to find the + Corresponding Source. Regardless of what server hosts the + Corresponding Source, you remain obligated to ensure that it is + available for as long as needed to satisfy these requirements. + . + e) Convey the object code using peer-to-peer transmission, provided + you inform other peers where the object code and Corresponding + Source of the work are being offered to the general public at no + charge under subsection 6d. + . + A separable portion of the object code, whose source code is excluded + from the Corresponding Source as a System Library, need not be + included in conveying the object code work. + . + A "User Product" is either (1) a "consumer product", which means any + tangible personal property which is normally used for personal, family, + or household purposes, or (2) anything designed or sold for incorporation + into a dwelling. In determining whether a product is a consumer product, + doubtful cases shall be resolved in favor of coverage. 
For a particular + product received by a particular user, "normally used" refers to a + typical or common use of that class of product, regardless of the status + of the particular user or of the way in which the particular user + actually uses, or expects or is expected to use, the product. A product + is a consumer product regardless of whether the product has substantial + commercial, industrial or non-consumer uses, unless such uses represent + the only significant mode of use of the product. + . + "Installation Information" for a User Product means any methods, + procedures, authorization keys, or other information required to install + and execute modified versions of a covered work in that User Product from + a modified version of its Corresponding Source. The information must + suffice to ensure that the continued functioning of the modified object + code is in no case prevented or interfered with solely because + modification has been made. + . + If you convey an object code work under this section in, or with, or + specifically for use in, a User Product, and the conveying occurs as + part of a transaction in which the right of possession and use of the + User Product is transferred to the recipient in perpetuity or for a + fixed term (regardless of how the transaction is characterized), the + Corresponding Source conveyed under this section must be accompanied + by the Installation Information. But this requirement does not apply + if neither you nor any third party retains the ability to install + modified object code on the User Product (for example, the work has + been installed in ROM). + . + The requirement to provide Installation Information does not include a + requirement to continue to provide support service, warranty, or updates + for a work that has been modified or installed by the recipient, or for + the User Product in which it has been modified or installed. 
Access to a + network may be denied when the modification itself materially and + adversely affects the operation of the network or violates the rules and + protocols for communication across the network. + . + Corresponding Source conveyed, and Installation Information provided, + in accord with this section must be in a format that is publicly + documented (and with an implementation available to the public in + source code form), and must require no special password or key for + unpacking, reading or copying. + . + 7. Additional Terms. + . + "Additional permissions" are terms that supplement the terms of this + License by making exceptions from one or more of its conditions. + Additional permissions that are applicable to the entire Program shall + be treated as though they were included in this License, to the extent + that they are valid under applicable law. If additional permissions + apply only to part of the Program, that part may be used separately + under those permissions, but the entire Program remains governed by + this License without regard to the additional permissions. + . + When you convey a copy of a covered work, you may at your option + remove any additional permissions from that copy, or from any part of + it. (Additional permissions may be written to require their own + removal in certain cases when you modify the work.) You may place + additional permissions on material, added by you to a covered work, + for which you have or can give appropriate copyright permission. + . + Notwithstanding any other provision of this License, for material you + add to a covered work, you may (if authorized by the copyright holders of + that material) supplement the terms of this License with terms: + . + a) Disclaiming warranty or limiting liability differently from the + terms of sections 15 and 16 of this License; or + . 
+ b) Requiring preservation of specified reasonable legal notices or + author attributions in that material or in the Appropriate Legal + Notices displayed by works containing it; or + . + c) Prohibiting misrepresentation of the origin of that material, or + requiring that modified versions of such material be marked in + reasonable ways as different from the original version; or + . + d) Limiting the use for publicity purposes of names of licensors or + authors of the material; or + . + e) Declining to grant rights under trademark law for use of some + trade names, trademarks, or service marks; or + . + f) Requiring indemnification of licensors and authors of that + material by anyone who conveys the material (or modified versions of + it) with contractual assumptions of liability to the recipient, for + any liability that these contractual assumptions directly impose on + those licensors and authors. + . + All other non-permissive additional terms are considered "further + restrictions" within the meaning of section 10. If the Program as you + received it, or any part of it, contains a notice stating that it is + governed by this License along with a term that is a further + restriction, you may remove that term. If a license document contains + a further restriction but permits relicensing or conveying under this + License, you may add to a covered work material governed by the terms + of that license document, provided that the further restriction does + not survive such relicensing or conveying. + . + If you add terms to a covered work in accord with this section, you + must place, in the relevant source files, a statement of the + additional terms that apply to those files, or a notice indicating + where to find the applicable terms. + . + Additional terms, permissive or non-permissive, may be stated in the + form of a separately written license, or stated as exceptions; + the above requirements apply either way. + . + 8. Termination. + . 
+ You may not propagate or modify a covered work except as expressly + provided under this License. Any attempt otherwise to propagate or + modify it is void, and will automatically terminate your rights under + this License (including any patent licenses granted under the third + paragraph of section 11). + . + However, if you cease all violation of this License, then your + license from a particular copyright holder is reinstated (a) + provisionally, unless and until the copyright holder explicitly and + finally terminates your license, and (b) permanently, if the copyright + holder fails to notify you of the violation by some reasonable means + prior to 60 days after the cessation. + . + Moreover, your license from a particular copyright holder is + reinstated permanently if the copyright holder notifies you of the + violation by some reasonable means, this is the first time you have + received notice of violation of this License (for any work) from that + copyright holder, and you cure the violation prior to 30 days after + your receipt of the notice. + . + Termination of your rights under this section does not terminate the + licenses of parties who have received copies or rights from you under + this License. If your rights have been terminated and not permanently + reinstated, you do not qualify to receive new licenses for the same + material under section 10. + . + 9. Acceptance Not Required for Having Copies. + . + You are not required to accept this License in order to receive or + run a copy of the Program. Ancillary propagation of a covered work + occurring solely as a consequence of using peer-to-peer transmission + to receive a copy likewise does not require acceptance. However, + nothing other than this License grants you permission to propagate or + modify any covered work. These actions infringe copyright if you do + not accept this License. 
Therefore, by modifying or propagating a + covered work, you indicate your acceptance of this License to do so. + . + 10. Automatic Licensing of Downstream Recipients. + . + Each time you convey a covered work, the recipient automatically + receives a license from the original licensors, to run, modify and + propagate that work, subject to this License. You are not responsible + for enforcing compliance by third parties with this License. + . + An "entity transaction" is a transaction transferring control of an + organization, or substantially all assets of one, or subdividing an + organization, or merging organizations. If propagation of a covered + work results from an entity transaction, each party to that + transaction who receives a copy of the work also receives whatever + licenses to the work the party's predecessor in interest had or could + give under the previous paragraph, plus a right to possession of the + Corresponding Source of the work from the predecessor in interest, if + the predecessor has it or can get it with reasonable efforts. + . + You may not impose any further restrictions on the exercise of the + rights granted or affirmed under this License. For example, you may + not impose a license fee, royalty, or other charge for exercise of + rights granted under this License, and you may not initiate litigation + (including a cross-claim or counterclaim in a lawsuit) alleging that + any patent claim is infringed by making, using, selling, offering for + sale, or importing the Program or any portion of it. + . + 11. Patents. + . + A "contributor" is a copyright holder who authorizes use under this + License of the Program or a work on which the Program is based. The + work thus licensed is called the contributor's "contributor version". + . 
+ A contributor's "essential patent claims" are all patent claims + owned or controlled by the contributor, whether already acquired or + hereafter acquired, that would be infringed by some manner, permitted + by this License, of making, using, or selling its contributor version, + but do not include claims that would be infringed only as a + consequence of further modification of the contributor version. For + purposes of this definition, "control" includes the right to grant + patent sublicenses in a manner consistent with the requirements of + this License. + . + Each contributor grants you a non-exclusive, worldwide, royalty-free + patent license under the contributor's essential patent claims, to + make, use, sell, offer for sale, import and otherwise run, modify and + propagate the contents of its contributor version. + . + In the following three paragraphs, a "patent license" is any express + agreement or commitment, however denominated, not to enforce a patent + (such as an express permission to practice a patent or covenant not to + sue for patent infringement). To "grant" such a patent license to a + party means to make such an agreement or commitment not to enforce a + patent against the party. + . + If you convey a covered work, knowingly relying on a patent license, + and the Corresponding Source of the work is not available for anyone + to copy, free of charge and under the terms of this License, through a + publicly available network server or other readily accessible means, + then you must either (1) cause the Corresponding Source to be so + available, or (2) arrange to deprive yourself of the benefit of the + patent license for this particular work, or (3) arrange, in a manner + consistent with the requirements of this License, to extend the patent + license to downstream recipients. 
"Knowingly relying" means you have + actual knowledge that, but for the patent license, your conveying the + covered work in a country, or your recipient's use of the covered work + in a country, would infringe one or more identifiable patents in that + country that you have reason to believe are valid. + . + If, pursuant to or in connection with a single transaction or + arrangement, you convey, or propagate by procuring conveyance of, a + covered work, and grant a patent license to some of the parties + receiving the covered work authorizing them to use, propagate, modify + or convey a specific copy of the covered work, then the patent license + you grant is automatically extended to all recipients of the covered + work and works based on it. + . + A patent license is "discriminatory" if it does not include within + the scope of its coverage, prohibits the exercise of, or is + conditioned on the non-exercise of one or more of the rights that are + specifically granted under this License. You may not convey a covered + work if you are a party to an arrangement with a third party that is + in the business of distributing software, under which you make payment + to the third party based on the extent of your activity of conveying + the work, and under which the third party grants, to any of the + parties who would receive the covered work from you, a discriminatory + patent license (a) in connection with copies of the covered work + conveyed by you (or copies made from those copies), or (b) primarily + for and in connection with specific products or compilations that + contain the covered work, unless you entered into that arrangement, + or that patent license was granted, prior to 28 March 2007. + . + Nothing in this License shall be construed as excluding or limiting + any implied license or other defenses to infringement that may + otherwise be available to you under applicable patent law. + . + 12. No Surrender of Others' Freedom. + . 
+ If conditions are imposed on you (whether by court order, agreement or + otherwise) that contradict the conditions of this License, they do not + excuse you from the conditions of this License. If you cannot convey a + covered work so as to satisfy simultaneously your obligations under this + License and any other pertinent obligations, then as a consequence you may + not convey it at all. For example, if you agree to terms that obligate you + to collect a royalty for further conveying from those to whom you convey + the Program, the only way you could satisfy both those terms and this + License would be to refrain entirely from conveying the Program. + . + 13. Remote Network Interaction; Use with the GNU General Public License. + . + Notwithstanding any other provision of this License, if you modify the + Program, your modified version must prominently offer all users + interacting with it remotely through a computer network (if your version + supports such interaction) an opportunity to receive the Corresponding + Source of your version by providing access to the Corresponding Source + from a network server at no charge, through some standard or customary + means of facilitating copying of software. This Corresponding Source + shall include the Corresponding Source for any work covered by version 3 + of the GNU General Public License that is incorporated pursuant to the + following paragraph. + . + Notwithstanding any other provision of this License, you have + permission to link or combine any covered work with a work licensed + under version 3 of the GNU General Public License into a single + combined work, and to convey the resulting work. The terms of this + License will continue to apply to the part which is the covered work, + but the work with which it is combined will remain governed by version + 3 of the GNU General Public License. + . + 14. Revised Versions of this License. + . 
+ The Free Software Foundation may publish revised and/or new versions of + the GNU Affero General Public License from time to time. Such new versions + will be similar in spirit to the present version, but may differ in detail to + address new problems or concerns. + . + Each version is given a distinguishing version number. If the + Program specifies that a certain numbered version of the GNU Affero General + Public License "or any later version" applies to it, you have the + option of following the terms and conditions either of that numbered + version or of any later version published by the Free Software + Foundation. If the Program does not specify a version number of the + GNU Affero General Public License, you may choose any version ever published + by the Free Software Foundation. + . + If the Program specifies that a proxy can decide which future + versions of the GNU Affero General Public License can be used, that proxy's + public statement of acceptance of a version permanently authorizes you + to choose that version for the Program. + . + Later license versions may give you additional or different + permissions. However, no additional obligations are imposed on any + author or copyright holder as a result of your choosing to follow a + later version. + . + 15. Disclaimer of Warranty. + . + THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY + APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT + HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY + OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, + THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM + IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. . - 2. Replacement of Section 16. 
Section 16 of the GPL shall be deleted in its - entirety and replaced with the following: + 16. Limitation of Liability. . - 16. LIMITATION OF LIABILITY. + IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING + WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS + THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY + GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE + USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF + DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD + PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), + EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF + SUCH DAMAGES. . - UNDER NO CIRCUMSTANCES SHALL ANY COPYRIGHT HOLDER OR ITS AFFILIATES, OR ANY - OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE - LIABLE TO YOU, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, FOR ANY - DAMAGES OR OTHER LIABILITY, INCLUDING ANY GENERAL, DIRECT, INDIRECT, SPECIAL, - INCIDENTAL, CONSEQUENTIAL OR PUNITIVE DAMAGES ARISING FROM, OUT OF OR IN - CONNECTION WITH THE USE OR INABILITY TO USE THE PROGRAM OR OTHER DEALINGS WITH - THE PROGRAM(INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED - INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE - PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), WHETHER OR NOT ANY COPYRIGHT HOLDER - OR SUCH OTHER PARTY RECEIVES NOTICE OF ANY SUCH DAMAGES AND WHETHER OR NOT SUCH - DAMAGES COULD HAVE BEEN FORESEEN. + 17. Interpretation of Sections 15 and 16. . - 3. LEGAL NOTICES; NO TRADEMARK LICENSE; ORIGIN. You must reproduce faithfully - all trademark, copyright and other proprietary and legal notices on any copies - of the Program or any other required author attributions. This license does not - grant you rights to use any copyright holder or any other party's name, logo, or - trademarks. 
Neither the name of the copyright holder or its affiliates, or any - other party who modifies and/or conveys the Program may be used to endorse or - promote products derived from this software without specific prior written - permission. The origin of the Program must not be misrepresented; you must not - claim that you wrote the original Program. Altered source versions must be - plainly marked as such, and must not be misrepresented as being the original - Program. + If the disclaimer of warranty and limitation of liability provided + above cannot be given local legal effect according to their terms, + reviewing courts shall apply local law that most closely approximates + an absolute waiver of all civil liability in connection with the + Program, unless a warranty or assumption of liability accompanies a + copy of the Program in return for a fee. . - 4. INDEMNIFICATION. IF YOU CONVEY A COVERED WORK AND AGREE WITH ANY RECIPIENT - OF THAT COVERED WORK THAT YOU WILL ASSUME ANY LIABILITY FOR THAT COVERED WORK, - YOU HEREBY AGREE TO INDEMNIFY, DEFEND AND HOLD HARMLESS THE OTHER LICENSORS AND - AUTHORS OF THAT COVERED WORK FOR ANY DAMAGES, DEMANDS, CLAIMS, LOSSES, CAUSES OF - ACTION, LAWSUITS, JUDGMENTS EXPENSES (INCLUDING WITHOUT LIMITATION REASONABLE - ATTORNEYS' FEES AND EXPENSES) OR ANY OTHER LIABILITY ARISING FROM, RELATED TO OR - IN CONNECTION WITH YOUR ASSUMPTIONS OF LIABILITY. + END OF TERMS AND CONDITIONS + . + How to Apply These Terms to Your New Programs + . + If you develop a new program, and you want it to be of the greatest + possible use to the public, the best way to achieve this is to make it + free software which everyone can redistribute and change under these terms. + . + To do so, attach the following notices to the program. It is safest + to attach them to the start of each source file to most effectively + state the exclusion of warranty; and each file should have at least + the "copyright" line and a pointer to where the full notice is found. 
+ . + + Copyright (C) + . + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + . + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + . + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see . + . + Also add information on how to contact you by electronic and paper mail. + . + If your software can interact with users remotely through a computer + network, you should also make sure that it provides a way for users to + get its source. For example, if your program is a web application, its + interface could display a "Source" link that leads users to an archive + of the code. There are many ways you could offer source, and different + solutions will be better for different programs; see section 13 for the + specific requirements. + . + You should also get your employer (if you work as a programmer) or school, + if any, to sign a "copyright disclaimer" for the program, if necessary. + For more information on this, and how to apply and follow the GNU AGPL, see + . diff --git a/GPLv3 b/GPLv3 deleted file mode 100644 index 94a9ed0..0000000 --- a/GPLv3 +++ /dev/null 
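Review bot: in the COPYING hunk, the removed lines drop the project's additional terms along with the license switch (the replacement Sections 15 and 16, "3. LEGAL NOTICES; NO TRADEMARK LICENSE; ORIGIN" and "4. INDEMNIFICATION"), and none of the added lines carry them over, so the trademark, origin-marking and indemnification terms stop applying without that being stated anywhere in the change. Say in the commit message whether dropping them is intended, or carry them over explicitly as additional terms under the new license. The added section 13 also requires a modified version that users interact with over a network to offer its Corresponding Source, so the change should document which components, if any, are network-facing and where that offer (for example the "Source" link the license text suggests) is provided.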
@@ -1,674 +0,0 @@ - GNU GENERAL PUBLIC LICENSE - Version 3, 29 June 2007 - - Copyright (C) 2007 Free Software Foundation, Inc. - Everyone is permitted to copy and distribute verbatim copies - of this license document, but changing it is not allowed. - - Preamble - - The GNU General Public License is a free, copyleft license for -software and other kinds of works. - - The licenses for most software and other practical works are designed -to take away your freedom to share and change the works. By contrast, -the GNU General Public License is intended to guarantee your freedom to -share and change all versions of a program--to make sure it remains free -software for all its users. We, the Free Software Foundation, use the -GNU General Public License for most of our software; it applies also to -any other work released this way by its authors. You can apply it to -your programs, too. - - When we speak of free software, we are referring to freedom, not -price. Our General Public Licenses are designed to make sure that you -have the freedom to distribute copies of free software (and charge for -them if you wish), that you receive source code or can get it if you -want it, that you can change the software or use pieces of it in new -free programs, and that you know you can do these things. - - To protect your rights, we need to prevent others from denying you -these rights or asking you to surrender the rights. Therefore, you have -certain responsibilities if you distribute copies of the software, or if -you modify it: responsibilities to respect the freedom of others. - - For example, if you distribute copies of such a program, whether -gratis or for a fee, you must pass on to the recipients the same -freedoms that you received. You must make sure that they, too, receive -or can get the source code. And you must show them these terms so they -know their rights. 
- - Developers that use the GNU GPL protect your rights with two steps: -(1) assert copyright on the software, and (2) offer you this License -giving you legal permission to copy, distribute and/or modify it. - - For the developers' and authors' protection, the GPL clearly explains -that there is no warranty for this free software. For both users' and -authors' sake, the GPL requires that modified versions be marked as -changed, so that their problems will not be attributed erroneously to -authors of previous versions. - - Some devices are designed to deny users access to install or run -modified versions of the software inside them, although the manufacturer -can do so. This is fundamentally incompatible with the aim of -protecting users' freedom to change the software. The systematic -pattern of such abuse occurs in the area of products for individuals to -use, which is precisely where it is most unacceptable. Therefore, we -have designed this version of the GPL to prohibit the practice for those -products. If such problems arise substantially in other domains, we -stand ready to extend this provision to those domains in future versions -of the GPL, as needed to protect the freedom of users. - - Finally, every program is threatened constantly by software patents. -States should not allow patents to restrict development and use of -software on general-purpose computers, but in those that do, we wish to -avoid the special danger that patents applied to a free program could -make it effectively proprietary. To prevent this, the GPL assures that -patents cannot be used to render the program non-free. - - The precise terms and conditions for copying, distribution and -modification follow. - - TERMS AND CONDITIONS - - 0. Definitions. - - "This License" refers to version 3 of the GNU General Public License. - - "Copyright" also means copyright-like laws that apply to other kinds of -works, such as semiconductor masks. 
- - "The Program" refers to any copyrightable work licensed under this -License. Each licensee is addressed as "you". "Licensees" and -"recipients" may be individuals or organizations. - - To "modify" a work means to copy from or adapt all or part of the work -in a fashion requiring copyright permission, other than the making of an -exact copy. The resulting work is called a "modified version" of the -earlier work or a work "based on" the earlier work. - - A "covered work" means either the unmodified Program or a work based -on the Program. - - To "propagate" a work means to do anything with it that, without -permission, would make you directly or secondarily liable for -infringement under applicable copyright law, except executing it on a -computer or modifying a private copy. Propagation includes copying, -distribution (with or without modification), making available to the -public, and in some countries other activities as well. - - To "convey" a work means any kind of propagation that enables other -parties to make or receive copies. Mere interaction with a user through -a computer network, with no transfer of a copy, is not conveying. - - An interactive user interface displays "Appropriate Legal Notices" -to the extent that it includes a convenient and prominently visible -feature that (1) displays an appropriate copyright notice, and (2) -tells the user that there is no warranty for the work (except to the -extent that warranties are provided), that licensees may convey the -work under this License, and how to view a copy of this License. If -the interface presents a list of user commands or options, such as a -menu, a prominent item in the list meets this criterion. - - 1. Source Code. - - The "source code" for a work means the preferred form of the work -for making modifications to it. "Object code" means any non-source -form of a work. 
- - A "Standard Interface" means an interface that either is an official -standard defined by a recognized standards body, or, in the case of -interfaces specified for a particular programming language, one that -is widely used among developers working in that language. - - The "System Libraries" of an executable work include anything, other -than the work as a whole, that (a) is included in the normal form of -packaging a Major Component, but which is not part of that Major -Component, and (b) serves only to enable use of the work with that -Major Component, or to implement a Standard Interface for which an -implementation is available to the public in source code form. A -"Major Component", in this context, means a major essential component -(kernel, window system, and so on) of the specific operating system -(if any) on which the executable work runs, or a compiler used to -produce the work, or an object code interpreter used to run it. - - The "Corresponding Source" for a work in object code form means all -the source code needed to generate, install, and (for an executable -work) run the object code and to modify the work, including scripts to -control those activities. However, it does not include the work's -System Libraries, or general-purpose tools or generally available free -programs which are used unmodified in performing those activities but -which are not part of the work. For example, Corresponding Source -includes interface definition files associated with source files for -the work, and the source code for shared libraries and dynamically -linked subprograms that the work is specifically designed to require, -such as by intimate data communication or control flow between those -subprograms and other parts of the work. - - The Corresponding Source need not include anything that users -can regenerate automatically from other parts of the Corresponding -Source. - - The Corresponding Source for a work in source code form is that -same work. - - 2. 
Basic Permissions. - - All rights granted under this License are granted for the term of -copyright on the Program, and are irrevocable provided the stated -conditions are met. This License explicitly affirms your unlimited -permission to run the unmodified Program. The output from running a -covered work is covered by this License only if the output, given its -content, constitutes a covered work. This License acknowledges your -rights of fair use or other equivalent, as provided by copyright law. - - You may make, run and propagate covered works that you do not -convey, without conditions so long as your license otherwise remains -in force. You may convey covered works to others for the sole purpose -of having them make modifications exclusively for you, or provide you -with facilities for running those works, provided that you comply with -the terms of this License in conveying all material for which you do -not control copyright. Those thus making or running the covered works -for you must do so exclusively on your behalf, under your direction -and control, on terms that prohibit them from making any copies of -your copyrighted material outside their relationship with you. - - Conveying under any other circumstances is permitted solely under -the conditions stated below. Sublicensing is not allowed; section 10 -makes it unnecessary. - - 3. Protecting Users' Legal Rights From Anti-Circumvention Law. - - No covered work shall be deemed part of an effective technological -measure under any applicable law fulfilling obligations under article -11 of the WIPO copyright treaty adopted on 20 December 1996, or -similar laws prohibiting or restricting circumvention of such -measures. 
- - When you convey a covered work, you waive any legal power to forbid -circumvention of technological measures to the extent such circumvention -is effected by exercising rights under this License with respect to -the covered work, and you disclaim any intention to limit operation or -modification of the work as a means of enforcing, against the work's -users, your or third parties' legal rights to forbid circumvention of -technological measures. - - 4. Conveying Verbatim Copies. - - You may convey verbatim copies of the Program's source code as you -receive it, in any medium, provided that you conspicuously and -appropriately publish on each copy an appropriate copyright notice; -keep intact all notices stating that this License and any -non-permissive terms added in accord with section 7 apply to the code; -keep intact all notices of the absence of any warranty; and give all -recipients a copy of this License along with the Program. - - You may charge any price or no price for each copy that you convey, -and you may offer support or warranty protection for a fee. - - 5. Conveying Modified Source Versions. - - You may convey a work based on the Program, or the modifications to -produce it from the Program, in the form of source code under the -terms of section 4, provided that you also meet all of these conditions: - - a) The work must carry prominent notices stating that you modified - it, and giving a relevant date. - - b) The work must carry prominent notices stating that it is - released under this License and any conditions added under section - 7. This requirement modifies the requirement in section 4 to - "keep intact all notices". - - c) You must license the entire work, as a whole, under this - License to anyone who comes into possession of a copy. This - License will therefore apply, along with any applicable section 7 - additional terms, to the whole of the work, and all its parts, - regardless of how they are packaged. 
This License gives no - permission to license the work in any other way, but it does not - invalidate such permission if you have separately received it. - - d) If the work has interactive user interfaces, each must display - Appropriate Legal Notices; however, if the Program has interactive - interfaces that do not display Appropriate Legal Notices, your - work need not make them do so. - - A compilation of a covered work with other separate and independent -works, which are not by their nature extensions of the covered work, -and which are not combined with it such as to form a larger program, -in or on a volume of a storage or distribution medium, is called an -"aggregate" if the compilation and its resulting copyright are not -used to limit the access or legal rights of the compilation's users -beyond what the individual works permit. Inclusion of a covered work -in an aggregate does not cause this License to apply to the other -parts of the aggregate. - - 6. Conveying Non-Source Forms. - - You may convey a covered work in object code form under the terms -of sections 4 and 5, provided that you also convey the -machine-readable Corresponding Source under the terms of this License, -in one of these ways: - - a) Convey the object code in, or embodied in, a physical product - (including a physical distribution medium), accompanied by the - Corresponding Source fixed on a durable physical medium - customarily used for software interchange. 
- - b) Convey the object code in, or embodied in, a physical product - (including a physical distribution medium), accompanied by a - written offer, valid for at least three years and valid for as - long as you offer spare parts or customer support for that product - model, to give anyone who possesses the object code either (1) a - copy of the Corresponding Source for all the software in the - product that is covered by this License, on a durable physical - medium customarily used for software interchange, for a price no - more than your reasonable cost of physically performing this - conveying of source, or (2) access to copy the - Corresponding Source from a network server at no charge. - - c) Convey individual copies of the object code with a copy of the - written offer to provide the Corresponding Source. This - alternative is allowed only occasionally and noncommercially, and - only if you received the object code with such an offer, in accord - with subsection 6b. - - d) Convey the object code by offering access from a designated - place (gratis or for a charge), and offer equivalent access to the - Corresponding Source in the same way through the same place at no - further charge. You need not require recipients to copy the - Corresponding Source along with the object code. If the place to - copy the object code is a network server, the Corresponding Source - may be on a different server (operated by you or a third party) - that supports equivalent copying facilities, provided you maintain - clear directions next to the object code saying where to find the - Corresponding Source. Regardless of what server hosts the - Corresponding Source, you remain obligated to ensure that it is - available for as long as needed to satisfy these requirements. 
- - e) Convey the object code using peer-to-peer transmission, provided - you inform other peers where the object code and Corresponding - Source of the work are being offered to the general public at no - charge under subsection 6d. - - A separable portion of the object code, whose source code is excluded -from the Corresponding Source as a System Library, need not be -included in conveying the object code work. - - A "User Product" is either (1) a "consumer product", which means any -tangible personal property which is normally used for personal, family, -or household purposes, or (2) anything designed or sold for incorporation -into a dwelling. In determining whether a product is a consumer product, -doubtful cases shall be resolved in favor of coverage. For a particular -product received by a particular user, "normally used" refers to a -typical or common use of that class of product, regardless of the status -of the particular user or of the way in which the particular user -actually uses, or expects or is expected to use, the product. A product -is a consumer product regardless of whether the product has substantial -commercial, industrial or non-consumer uses, unless such uses represent -the only significant mode of use of the product. - - "Installation Information" for a User Product means any methods, -procedures, authorization keys, or other information required to install -and execute modified versions of a covered work in that User Product from -a modified version of its Corresponding Source. The information must -suffice to ensure that the continued functioning of the modified object -code is in no case prevented or interfered with solely because -modification has been made. 
- - If you convey an object code work under this section in, or with, or -specifically for use in, a User Product, and the conveying occurs as -part of a transaction in which the right of possession and use of the -User Product is transferred to the recipient in perpetuity or for a -fixed term (regardless of how the transaction is characterized), the -Corresponding Source conveyed under this section must be accompanied -by the Installation Information. But this requirement does not apply -if neither you nor any third party retains the ability to install -modified object code on the User Product (for example, the work has -been installed in ROM). - - The requirement to provide Installation Information does not include a -requirement to continue to provide support service, warranty, or updates -for a work that has been modified or installed by the recipient, or for -the User Product in which it has been modified or installed. Access to a -network may be denied when the modification itself materially and -adversely affects the operation of the network or violates the rules and -protocols for communication across the network. - - Corresponding Source conveyed, and Installation Information provided, -in accord with this section must be in a format that is publicly -documented (and with an implementation available to the public in -source code form), and must require no special password or key for -unpacking, reading or copying. - - 7. Additional Terms. - - "Additional permissions" are terms that supplement the terms of this -License by making exceptions from one or more of its conditions. -Additional permissions that are applicable to the entire Program shall -be treated as though they were included in this License, to the extent -that they are valid under applicable law. 
If additional permissions -apply only to part of the Program, that part may be used separately -under those permissions, but the entire Program remains governed by -this License without regard to the additional permissions. - - When you convey a copy of a covered work, you may at your option -remove any additional permissions from that copy, or from any part of -it. (Additional permissions may be written to require their own -removal in certain cases when you modify the work.) You may place -additional permissions on material, added by you to a covered work, -for which you have or can give appropriate copyright permission. - - Notwithstanding any other provision of this License, for material you -add to a covered work, you may (if authorized by the copyright holders of -that material) supplement the terms of this License with terms: - - a) Disclaiming warranty or limiting liability differently from the - terms of sections 15 and 16 of this License; or - - b) Requiring preservation of specified reasonable legal notices or - author attributions in that material or in the Appropriate Legal - Notices displayed by works containing it; or - - c) Prohibiting misrepresentation of the origin of that material, or - requiring that modified versions of such material be marked in - reasonable ways as different from the original version; or - - d) Limiting the use for publicity purposes of names of licensors or - authors of the material; or - - e) Declining to grant rights under trademark law for use of some - trade names, trademarks, or service marks; or - - f) Requiring indemnification of licensors and authors of that - material by anyone who conveys the material (or modified versions of - it) with contractual assumptions of liability to the recipient, for - any liability that these contractual assumptions directly impose on - those licensors and authors. - - All other non-permissive additional terms are considered "further -restrictions" within the meaning of section 10. 
If the Program as you -received it, or any part of it, contains a notice stating that it is -governed by this License along with a term that is a further -restriction, you may remove that term. If a license document contains -a further restriction but permits relicensing or conveying under this -License, you may add to a covered work material governed by the terms -of that license document, provided that the further restriction does -not survive such relicensing or conveying. - - If you add terms to a covered work in accord with this section, you -must place, in the relevant source files, a statement of the -additional terms that apply to those files, or a notice indicating -where to find the applicable terms. - - Additional terms, permissive or non-permissive, may be stated in the -form of a separately written license, or stated as exceptions; -the above requirements apply either way. - - 8. Termination. - - You may not propagate or modify a covered work except as expressly -provided under this License. Any attempt otherwise to propagate or -modify it is void, and will automatically terminate your rights under -this License (including any patent licenses granted under the third -paragraph of section 11). - - However, if you cease all violation of this License, then your -license from a particular copyright holder is reinstated (a) -provisionally, unless and until the copyright holder explicitly and -finally terminates your license, and (b) permanently, if the copyright -holder fails to notify you of the violation by some reasonable means -prior to 60 days after the cessation. - - Moreover, your license from a particular copyright holder is -reinstated permanently if the copyright holder notifies you of the -violation by some reasonable means, this is the first time you have -received notice of violation of this License (for any work) from that -copyright holder, and you cure the violation prior to 30 days after -your receipt of the notice. 
- - Termination of your rights under this section does not terminate the -licenses of parties who have received copies or rights from you under -this License. If your rights have been terminated and not permanently -reinstated, you do not qualify to receive new licenses for the same -material under section 10. - - 9. Acceptance Not Required for Having Copies. - - You are not required to accept this License in order to receive or -run a copy of the Program. Ancillary propagation of a covered work -occurring solely as a consequence of using peer-to-peer transmission -to receive a copy likewise does not require acceptance. However, -nothing other than this License grants you permission to propagate or -modify any covered work. These actions infringe copyright if you do -not accept this License. Therefore, by modifying or propagating a -covered work, you indicate your acceptance of this License to do so. - - 10. Automatic Licensing of Downstream Recipients. - - Each time you convey a covered work, the recipient automatically -receives a license from the original licensors, to run, modify and -propagate that work, subject to this License. You are not responsible -for enforcing compliance by third parties with this License. - - An "entity transaction" is a transaction transferring control of an -organization, or substantially all assets of one, or subdividing an -organization, or merging organizations. If propagation of a covered -work results from an entity transaction, each party to that -transaction who receives a copy of the work also receives whatever -licenses to the work the party's predecessor in interest had or could -give under the previous paragraph, plus a right to possession of the -Corresponding Source of the work from the predecessor in interest, if -the predecessor has it or can get it with reasonable efforts. - - You may not impose any further restrictions on the exercise of the -rights granted or affirmed under this License. 
For example, you may -not impose a license fee, royalty, or other charge for exercise of -rights granted under this License, and you may not initiate litigation -(including a cross-claim or counterclaim in a lawsuit) alleging that -any patent claim is infringed by making, using, selling, offering for -sale, or importing the Program or any portion of it. - - 11. Patents. - - A "contributor" is a copyright holder who authorizes use under this -License of the Program or a work on which the Program is based. The -work thus licensed is called the contributor's "contributor version". - - A contributor's "essential patent claims" are all patent claims -owned or controlled by the contributor, whether already acquired or -hereafter acquired, that would be infringed by some manner, permitted -by this License, of making, using, or selling its contributor version, -but do not include claims that would be infringed only as a -consequence of further modification of the contributor version. For -purposes of this definition, "control" includes the right to grant -patent sublicenses in a manner consistent with the requirements of -this License. - - Each contributor grants you a non-exclusive, worldwide, royalty-free -patent license under the contributor's essential patent claims, to -make, use, sell, offer for sale, import and otherwise run, modify and -propagate the contents of its contributor version. - - In the following three paragraphs, a "patent license" is any express -agreement or commitment, however denominated, not to enforce a patent -(such as an express permission to practice a patent or covenant not to -sue for patent infringement). To "grant" such a patent license to a -party means to make such an agreement or commitment not to enforce a -patent against the party. 
- - If you convey a covered work, knowingly relying on a patent license, -and the Corresponding Source of the work is not available for anyone -to copy, free of charge and under the terms of this License, through a -publicly available network server or other readily accessible means, -then you must either (1) cause the Corresponding Source to be so -available, or (2) arrange to deprive yourself of the benefit of the -patent license for this particular work, or (3) arrange, in a manner -consistent with the requirements of this License, to extend the patent -license to downstream recipients. "Knowingly relying" means you have -actual knowledge that, but for the patent license, your conveying the -covered work in a country, or your recipient's use of the covered work -in a country, would infringe one or more identifiable patents in that -country that you have reason to believe are valid. - - If, pursuant to or in connection with a single transaction or -arrangement, you convey, or propagate by procuring conveyance of, a -covered work, and grant a patent license to some of the parties -receiving the covered work authorizing them to use, propagate, modify -or convey a specific copy of the covered work, then the patent license -you grant is automatically extended to all recipients of the covered -work and works based on it. - - A patent license is "discriminatory" if it does not include within -the scope of its coverage, prohibits the exercise of, or is -conditioned on the non-exercise of one or more of the rights that are -specifically granted under this License. 
You may not convey a covered -work if you are a party to an arrangement with a third party that is -in the business of distributing software, under which you make payment -to the third party based on the extent of your activity of conveying -the work, and under which the third party grants, to any of the -parties who would receive the covered work from you, a discriminatory -patent license (a) in connection with copies of the covered work -conveyed by you (or copies made from those copies), or (b) primarily -for and in connection with specific products or compilations that -contain the covered work, unless you entered into that arrangement, -or that patent license was granted, prior to 28 March 2007. - - Nothing in this License shall be construed as excluding or limiting -any implied license or other defenses to infringement that may -otherwise be available to you under applicable patent law. - - 12. No Surrender of Others' Freedom. - - If conditions are imposed on you (whether by court order, agreement or -otherwise) that contradict the conditions of this License, they do not -excuse you from the conditions of this License. If you cannot convey a -covered work so as to satisfy simultaneously your obligations under this -License and any other pertinent obligations, then as a consequence you may -not convey it at all. For example, if you agree to terms that obligate you -to collect a royalty for further conveying from those to whom you convey -the Program, the only way you could satisfy both those terms and this -License would be to refrain entirely from conveying the Program. - - 13. Use with the GNU Affero General Public License. - - Notwithstanding any other provision of this License, you have -permission to link or combine any covered work with a work licensed -under version 3 of the GNU Affero General Public License into a single -combined work, and to convey the resulting work. 
The terms of this -License will continue to apply to the part which is the covered work, -but the special requirements of the GNU Affero General Public License, -section 13, concerning interaction through a network will apply to the -combination as such. - - 14. Revised Versions of this License. - - The Free Software Foundation may publish revised and/or new versions of -the GNU General Public License from time to time. Such new versions will -be similar in spirit to the present version, but may differ in detail to -address new problems or concerns. - - Each version is given a distinguishing version number. If the -Program specifies that a certain numbered version of the GNU General -Public License "or any later version" applies to it, you have the -option of following the terms and conditions either of that numbered -version or of any later version published by the Free Software -Foundation. If the Program does not specify a version number of the -GNU General Public License, you may choose any version ever published -by the Free Software Foundation. - - If the Program specifies that a proxy can decide which future -versions of the GNU General Public License can be used, that proxy's -public statement of acceptance of a version permanently authorizes you -to choose that version for the Program. - - Later license versions may give you additional or different -permissions. However, no additional obligations are imposed on any -author or copyright holder as a result of your choosing to follow a -later version. - - 15. Disclaimer of Warranty. - - THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY -APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT -HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY -OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, -THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -PURPOSE. 
THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM -IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF -ALL NECESSARY SERVICING, REPAIR OR CORRECTION. - - 16. Limitation of Liability. - - IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING -WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS -THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY -GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE -USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF -DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD -PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), -EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF -SUCH DAMAGES. - - 17. Interpretation of Sections 15 and 16. - - If the disclaimer of warranty and limitation of liability provided -above cannot be given local legal effect according to their terms, -reviewing courts shall apply local law that most closely approximates -an absolute waiver of all civil liability in connection with the -Program, unless a warranty or assumption of liability accompanies a -copy of the Program in return for a fee. - - END OF TERMS AND CONDITIONS - - How to Apply These Terms to Your New Programs - - If you develop a new program, and you want it to be of the greatest -possible use to the public, the best way to achieve this is to make it -free software which everyone can redistribute and change under these terms. - - To do so, attach the following notices to the program. It is safest -to attach them to the start of each source file to most effectively -state the exclusion of warranty; and each file should have at least -the "copyright" line and a pointer to where the full notice is found. 
- - - Copyright (C) - - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see . - -Also add information on how to contact you by electronic and paper mail. - - If the program does terminal interaction, make it output a short -notice like this when it starts in an interactive mode: - - Copyright (C) - This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'. - This is free software, and you are welcome to redistribute it - under certain conditions; type `show c' for details. - -The hypothetical commands `show w' and `show c' should show the appropriate -parts of the General Public License. Of course, your program's commands -might be different; for a GUI interface, you would use an "about box". - - You should also get your employer (if you work as a programmer) or school, -if any, to sign a "copyright disclaimer" for the program, if necessary. -For more information on this, and how to apply and follow the GNU GPL, see -. - - The GNU General Public License does not permit incorporating your program -into proprietary programs. If your program is a subroutine library, you -may consider it more useful to permit linking proprietary applications with -the library. If this is what you want to do, use the GNU Lesser General -Public License instead of this License. But first, please read -. diff --git a/Makefile b/Makefile deleted file mode 100644 index c48a9e7..0000000 --- a/Makefile +++ /dev/null 
@@ -1,18 +0,0 @@ -#!/usr/bin/make -f - -## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## genmkfile - Makefile - version 1.5 - -## This is a copy. -## master location: -## https://github.com/Whonix/genmkfile/blob/master/usr/share/genmkfile/Makefile - -GENMKFILE_PATH ?= /usr/share/genmkfile -GENMKFILE_ROOT_DIR := $(dir $(abspath $(lastword $(MAKEFILE_LIST)))) - -export GENMKFILE_PATH -export GENMKFILE_ROOT_DIR - -include $(GENMKFILE_PATH)/makefile-full diff --git a/README.md b/README.md index 369a3dd..ab0c69a 100644 --- a/README.md +++ b/README.md 
@@ -1,345 +1,860 @@ -# enhances misc security settings # +# Enhances miscellaneous security settings -Inspired by Kernel Self Protection Project (KSPP) +## Kernel hardening -* Implements most if not all recommended Linux kernel settings (sysctl) and -kernel parameters by KSPP. +This section is inspired by the Kernel Self Protection Project (KSPP). It +attempts to implement all recommended Linux kernel settings by the KSPP and +many more sources. -* https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project +- https://kspp.github.io/Recommended_Settings +- https://github.com/KSPP/kspp.github.io -kernel hardening: +### sysctl -* deactivates Netfilter's connection tracking helper -Netfilter's connection tracking helper module increases kernel attack -surface by enabling superfluous functionality such as IRC parsing in -the kernel. (!) Hence, this package disables this feature by shipping the -/etc/modprobe.d/30_nf_conntrack_helper_disable.conf configuration file. +sysctl settings are configured via the `/usr/lib/sysctl.d/990-security-misc.conf` +configuration file and significant hardening is applied to a myriad of components. -* Kernel symbols in various files in /proc are hidden as they can be -very useful for kernel exploits. +#### Kernel space -* Kexec is disabled as it can be used to load a malicious kernel. -/etc/sysctl.d/kexec.conf +- Restrict access to kernel addresses through the use of kernel pointers regardless + of user privileges. -* ASLR effectiveness for mmap is increased. +- Restrict access to the kernel logs to `CAP_SYSLOG` as they often contain + sensitive information. 
-* The TCP/IP stack is hardened by disabling ICMP redirect acceptance, -ICMP redirect sending and source routing to prevent man-in-the-middle attacks, -ignoring all ICMP requests, enabling TCP syncookies to prevent SYN flood -attacks, enabling RFC1337 to protect against time-wait assassination -attacks and enabling reverse path filtering to prevent IP spoofing and -mitigate vulnerabilities such as CVE-2019-14899. +- Prevent kernel information leaks in the console during boot. -* Some data spoofing attacks are made harder. +- Restrict usage of `bpf()` to `CAP_BPF` to prevent the loading of BPF programs + by unprivileged users. -* SACK can be disabled as it is commonly exploited and is rarely used by -uncommenting settings in file /etc/sysctl.d/tcp_sack.conf. +- Restrict loading TTY line disciplines to `CAP_SYS_MODULE`. -* Slab merging is disabled as sometimes a slab can be used in a vulnerable -way which an attacker can exploit. +- Restrict the `userfaultfd()` syscall to `CAP_SYS_PTRACE`, which reduces the + likelihood of use-after-free exploits. -* Sanity checks, redzoning, and memory poisoning are enabled. +- Disable `kexec` as it can be used to replace the running kernel. -* Machine checks (MCE) are disabled which makes the kernel panic -on uncorrectable errors in ECC memory that could be exploited. +- Entirely disable the SysRq key so that the Secure Attention Key (SAK) + can no longer be utilized. See [documentation](https://www.kicksecure.com/wiki/SysRq). -* Kernel Page Table Isolation is enabled to mitigate Meltdown and increase -KASLR effectiveness. +- Optional - Disable all use of user namespaces. -* SMT is disabled as it can be used to exploit the MDS and other -vulnerabilities. +- Optional - Restrict user namespaces to `CAP_SYS_ADMIN` as they can lead to substantial + privilege escalation. -* All mitigations for the MDS vulnerability are enabled. +- Restrict kernel profiling and the performance events system to `CAP_PERFMON`. 
-* A systemd service clears System.map on boot as these contain kernel symbols -that could be useful to an attacker. -/etc/kernel/postinst.d/30_remove-system-map -/lib/systemd/system/remove-system-map.service -/usr/lib/security-misc/remove-system.map +- Force the kernel to panic on both "oopses", which can potentially indicate and thwart + certain kernel exploitation attempts, and also kernel warnings in the `WARN()` path. -* Coredumps are disabled as they may contain important information such as -encryption keys or passwords. -/etc/security/limits.d/disable-coredumps.conf -/etc/sysctl.d/coredumps.conf -/lib/systemd/coredump.conf.d/disable-coredumps.conf +- Optional - Force immediate reboot on the occurrence of a single kernel panic and also + (when using Linux kernel >= 6.2) limit the number of allowed panics to one. -* The thunderbolt and firewire kernel modules are blacklisted as they can be -used for DMA (Direct Memory Access) attacks. +- Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. -* IOMMU is enabled with a boot parameter to prevent DMA attacks. +- Disable asynchronous I/O (when using Linux kernel >= 6.6) as `io_uring` has been + the source of numerous kernel exploits. -* The kernel now panics on oopses to prevent it from continuing running a -flawed process. +#### User space -* Bluetooth is blacklisted to reduce attack surface. Bluetooth also has -a history of security concerns. -https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns +- Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it + enables programs to inspect and modify other active processes. Optional - Disable + usage of `ptrace()` by all processes. -* A systemd service restricts /proc/cpuinfo, /proc/bus, /proc/scsi and -/sys to the root user only. 
This hides a lot of hardware identifiers from -unprivileged users and increases security as /sys exposes a lot of information -that shouldn't be accessible to unprivileged users. As this will break many -things, it is disabled by default and can optionally be enabled by running -`systemctl enable hide-hardware-info.service` as root. -/usr/lib/security-misc/hide-hardware-info -/lib/systemd/system/hide-hardware-info.service -/lib/systemd/system/user@.service.d/sysfs.conf -/etc/hide-hardware-info.d/30_default.conf +- Maximize the bits of entropy used for mmap ASLR across all CPU architectures. -Improve Entropy Collection +- Prevent hardlink and symlink TOCTOU races in world-writable directories. -* Load jitterentropy_rng kernel module. -/usr/lib/modules-load.d/30_security-misc.conf +- Disallow unintentional writes to files in world-writable directories unless + they are owned by the directory owner to mitigate some data spoofing attacks. -* Distrusts the CPU for initial entropy at boot as it is not possible to -audit, may contain weaknesses or a backdoor. -* https://en.wikipedia.org/wiki/RDRAND#Reception -* https://twitter.com/pid_eins/status/1149649806056280069 -* For more references, see: -* /etc/default/grub.d/40_distrust_cpu.cfg +- Randomize the addresses (ASLR) for mmap base, stack, VDSO pages, and heap. -Uncommon network protocols are blacklisted: -These are rarely used and may have unknown vulnerabilities. -/etc/modprobe.d/uncommon-network-protocols.conf -The network protocols that are blacklisted are: +- Raise the minimum address a process can request for memory mapping to 64KB to + protect against kernel null pointer dereference vulnerabilities. 
-* DCCP - Datagram Congestion Control Protocol -* SCTP - Stream Control Transmission Protocol -* RDS - Reliable Datagram Sockets -* TIPC - Transparent Inter-process Communication -* HDLC - High-Level Data Link Control -* AX25 - Amateur X.25 -* NetRom -* X25 -* ROSE -* DECnet -* Econet -* af_802154 - IEEE 802.15.4 -* IPX - Internetwork Packet Exchange -* AppleTalk -* PSNAP - Subnetwork Access Protocol -* p8023 - Novell raw IEEE 802.3 -* p8022 - IEEE 802.2 +- Increase the maximum number of memory map areas a process is able to utilize to 1,048,576. -user restrictions: +- Optional - Disallow registering interpreters for various (miscellaneous) binary formats based + on a magic number or their file extension to prevent unintended code execution. + See issue: https://github.com/Kicksecure/security-misc/issues/267 -* remount /home, /tmp, /dev/shm and /run with nosuid,nodev (default) and -noexec (opt-in). To disable this, run "sudo touch /etc/remount-disable". To -opt-in noexec, run "sudo touch /etc/noexec" and reboot (easiest). -Alternatively file /usr/local/etc/remount-disable or file -/usr/local/etc/noexec could be used. -/lib/systemd/system/remount-secure.service -/usr/lib/security-misc/remount-secure +#### Core dumps -* A systemd service mounts /proc with hidepid=2 at boot to prevent users from -seeing each other's processes. +- Disable core dump files and prevent their creation. If core dump files are + enabled, they will be named based on `core.PID` instead of the default `core`. -* The kernel logs are restricted to root only. +#### Swap space -* The BPF JIT compiler is restricted to the root user and is hardened. +- Limit the copying of potentially sensitive content in memory to the swap device. -* The ptrace system call is restricted to the root user only. +#### Networking -restricts access to the root account: +- Enable hardening of the BPF JIT compiler protect against JIT spraying. 
-* `su` is restricted to only users within the group `sudo` which prevents -users from using `su` to gain root access or to switch user accounts. -/usr/share/pam-configs/wheel-security-misc -(Which results in a change in file `/etc/pam.d/common-auth`.) +- Enable TCP SYN cookie protection to assist against SYN flood attacks. -* Add user `root` to group `sudo`. This is required to make above work so -login as a user in a virtual console is still possible. -debian/security-misc.postinst +- Protect against TCP time-wait assassination hazards. -* Abort login for users with locked passwords. -/usr/lib/security-misc/pam-abort-on-locked-password +- Enable reverse path filtering (source validation) of packets received + from all interfaces to prevent IP spoofing. -* Logging into the root account from a virtual, serial, whatnot console is -prevented by shipping an existing and empty /etc/securetty. -(Deletion of /etc/securetty has a different effect.) -/etc/securetty.security-misc +- Disable ICMP redirect acceptance and redirect sending messages to prevent + man-in-the-middle attacks and minimize information disclosure. -* Console Lockdown. -Allow members of group 'console' to use console. -Everyone else except members of group -'console-unrestricted' are restricted from using console using ancient, -unpopular login methods such as using /bin/login over networks, which might -be exploitable. (CVE-2001-0797) Using pam_access. -Not enabled by default in this package since this package does not know which -users shall be added to group 'console' and would break console. -/usr/share/pam-configs/console-lockdown-security-misc -/etc/security/access-security-misc.conf +- Deny sending and receiving shared media redirects to reduce the risk of IP + spoofing attacks. -Protect Linux user accounts against brute force attacks. -Lock user accounts after 50 failed login attempts using pam_tally2. 
-/usr/share/pam-configs/tally2-security-misc +- Enable ARP filtering to mitigate some ARP spoofing and ARP cache poisoning attacks. -informational output during Linux PAM: +- Respond to ARP requests only if the target IP address is on-link, + preventing some IP spoofing attacks. -* Show failed and remaining password attempts. -* Document unlock procedure if Linux user account got locked. -* Point out, that there is no password feedback for `su`. -* Explain locked (root) account if locked. -* /usr/share/pam-configs/tally2-security-misc -* /usr/lib/security-misc/pam_tally2-info -* /usr/lib/security-misc/pam-abort-on-locked-password +- Drop gratuitous ARP packets to prevent ARP cache poisoning via + man-in-the-middle and denial-of-service attacks. -access rights restrictions: +- Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks. -* Strong Linux User Account Separation. -Removes read, write and execute access for others for all users who have -home folders under folder /home by running for example -"chmod o-rwx /home/user" -during package installation, upgrade or pam mkhomedir. This will be done only -once per -folder in folder /home so users who wish to relax file permissions are free to -do so. This is to protect previously created files in user home folder which -were previously created with lax file permissions prior installation of this -package. -debian/security-misc.postinst -/usr/lib/security-misc/permission-lockdown -/usr/share/pam-configs/mkhomedir-security-misc +- Ignore bogus ICMP error responses. -* SUID / GUID removal and permission hardening. -A systemd service removed SUID / GUID from non-essential binaries as these are -often used in privilege escalation attacks. -It is disabled by default for now during testing and can optionally be enabled -by running `systemctl enable permission-hardening.service` as root. 
-https://forums.whonix.org/t/permission-hardening/8655 -/usr/lib/security-misc/permission-hardening -/lib/systemd/system/permission-hardening.service -/etc/permission-hardening.d/30_default.conf +- Disable source routing which allows users to redirect network traffic that + can result in man-in-the-middle attacks. -access rights relaxations: +- Do not accept IPv6 router advertisements and solicitations. -Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with -hidepid. -https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040 -https://forums.whonix.org/t/cannot-use-pkexec/8129 -/usr/bin/pkexec.security-misc +- Optional - Disable SACK and DSACK as they have historically been a known + vector for exploitation. + +- Disable TCP timestamps as they can allow detecting the system time. + +- Optional - Log packets with impossible source or destination addresses to + enable further inspection and analysis. + +- Optional - Enable IPv6 Privacy Extensions. + +- Documentation: https://www.kicksecure.com/wiki/Networking + +### Boot parameters + +Mitigations for known CPU vulnerabilities are enabled in their strictest form +and simultaneous multithreading (SMT) is disabled. See the +`/etc/default/grub.d/40_cpu_mitigations.cfg` configuration file. + +Note, to achieve complete protection for known CPU vulnerabilities, the latest +security microcode (BIOS/UEFI) updates must be installed on the system. Furthermore, +if using Secure Boot, the Secure Boot Forbidden Signature Database (DBX) must be kept +up to date through [UEFI Revocation List](https://github.com/microsoft/secureboot_objects) updates. 
+ +CPU mitigations: + +- Disable Simultaneous Multithreading (SMT) + +- Spectre Side Channels (BTI and BHI) + +- Speculative Store Bypass (SSB) + +- L1 Terminal Fault (L1TF) + +- Microarchitectural Data Sampling (MDS) + +- TSX Asynchronous Abort (TAA) + +- iTLB Multihit + +- Special Register Buffer Data Sampling (SRBDS) + +- L1D Flushing + +- Processor MMIO Stale Data + +- Arbitrary Speculative Code Execution with Return Instructions (Retbleed) + +- Cross-Thread Return Address Predictions + +- Speculative Return Stack Overflow (SRSO) + +- Gather Data Sampling (GDS) + +- Register File Data Sampling (RFDS) + +Boot parameters relating to kernel hardening, DMA mitigations, and entropy +generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg` +configuration file. + +Kernel space: + +- Disable merging of slabs with similar size, which reduces the risk of + triggering heap overflows and limits influencing slab cache layout. + +- Enable sanity checks and red zoning via slab debugging. This will implicitly + disable kernel pointer hashing, leaking very sensitive information to root. + +- Enable memory zeroing at both allocation and free time, which mitigates some + use-after-free vulnerabilities by erasing sensitive information in memory. + +- Enable the kernel page allocator to randomize free lists to limit some data + exfiltration and ROP attacks, especially during the early boot process. + +- Enable kernel page table isolation to increase KASLR effectiveness and also + mitigate the Meltdown CPU vulnerability. + +- Enable randomization of the kernel stack offset on syscall entries to harden + against memory corruption attacks. + +- Disable vsyscalls as they are vulnerable to ROP attacks and have now been + replaced by vDSO. + +- Restrict access to debugfs by not registering the file system since it can + contain sensitive information. + +- Force kernel panics on "oopses" to potentially indicate and thwart certain + kernel exploitation attempts. 
+ +- Optional - Modify the machine check exception handler. + +- Prevent sensitive kernel information leaks in the console during boot. + +- Enable the kernel Electric-Fence sampling-based memory safety error detector + which can identify heap out-of-bounds access, use-after-free, and invalid-free errors. + +- Disable 32-bit vDSO mappings as they are a legacy compatibility feature. + +- Optional - Use kCFI as the default CFI implementation (when using Linux kernel >= 6.2) + since it may be slightly more resilient to attacks that are able to write + arbitrary executables in memory. + +- Optional - Disable support for all x86 processes and syscalls (when using Linux kernel >= 6.7) + to reduce attack surface. + +- Disable the EFI persistent storage feature which prevents the kernel from writing crash logs + and other persistent data to either the UEFI variable storage or ACPI ERST backends. + +Direct memory access: + +- Enable strict IOMMU translation to protect against some DMA attacks via the use + of both CPU manufacturer-specific drivers and kernel settings. + +- Clear the busmaster bit on all PCI bridges during the EFI hand-off, which disables + DMA before the IOMMU is configured. May cause boot failure on certain hardware. + +Entropy: + +- Do not credit the CPU or bootloader as entropy sources at boot in order to + maximize the absolute quantity of entropy in the combined pool. + +- Obtain more entropy at boot from RAM as the runtime memory allocator is + being initialized. + +Networking: + +- Optional - Disable the entire IPv6 stack to reduce attack surface. + +### mmap ASLR + +- The bits of entropy used for mmap ASLR for all CPU architectures are maxed + out via `/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of + `CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX` + that the kernel was built with), therefore improving its effectiveness. 
+ +### Kernel Self Protection Project (KSPP) compliance status + +**Summary:** + +`security-misc` is in full compliance with KSPP recommendations wherever feasible. However, +there are a few cases of partial or non-compliance due to technical limitations. + +* [KSPP Recommended Settings](https://kspp.github.io/Recommended_Settings) + +**Full compliance:** + +More than 30 kernel boot parameters and over 30 sysctl settings are fully aligned with +the KSPP's recommendations. + +**Partial compliance:** + +1. `sysctl kernel.yama.ptrace_scope=3` + +Completely disables `ptrace()`. Can be enabled easily if needed. + +* [security-misc pull request #242](https://github.com/Kicksecure/security-misc/pull/242) + +2. `sysctl kernel.panic=-1` + +Forces an immediate reboot on kernel panic. This can be enabled, but it may lead to unexpected +system crashes. + +* [security-misc pull request #264](https://github.com/Kicksecure/security-misc/pull/264) +* [security-misc pull request #268](https://github.com/Kicksecure/security-misc/pull/268) + +**Non-compliance:** + +3. `sysctl user.max_user_namespaces=0` + +Disables user namespaces entirely. Not recommended due to the potential for widespread breakages. + +* [security-misc pull request #263](https://github.com/Kicksecure/security-misc/pull/263) + +4. `sysctl fs.binfmt_misc.status=0` + +Disables the registration of interpreters for miscellaneous binary formats. Currently not +feasible due to compatibility issues with Firefox. 
+ +* [security-misc pull request #249](https://github.com/Kicksecure/security-misc/pull/249) +* [security-misc issue #267](https://github.com/Kicksecure/security-misc/issues/267) + +### Kernel Modules + +#### Kernel Module Signature Verification + +Not yet implemented due to issues: + +- https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/64 +- https://github.com/dell/dkms/issues/359 + +See: + +- `/etc/default/grub.d/40_signed_modules.cfg` + +#### Disables the loading of new modules to the kernel after the fact + +Not yet implemented due to issues: + +- https://github.com/Kicksecure/security-misc/pull/152 + +A systemd service dynamically sets the kernel parameter `modules_disabled` to 1, +preventing new modules from being loaded. Since this isn't configured directly +within systemctl, it does not break the loading of legitimate and necessary +modules for the user, like drivers etc., given they are plugged in on startup. + +#### Blacklist and disable kernel modules + +Conntrack: Deactivates Netfilter's connection tracking helper module which +increases kernel attack surface by enabling superfluous functionality such +as IRC parsing in the kernel. See `/etc/modprobe.d/30_security-misc_conntrack.conf`. + +Certain kernel modules are blacklisted by default to reduce attack surface via +`/etc/modprobe.d/30_security-misc_blacklist.conf`. Blacklisting prevents kernel +modules from automatically starting. + +- CD-ROM/DVD: Blacklist modules required for CD-ROM/DVD devices. + +- Miscellaneous: Blacklist an assortment of other modules to prevent them from + automatically loading. + +Specific kernel modules are entirely disabled to reduce attack surface via +`/etc/modprobe.d/30_security-misc_disable.conf`. Disabling prohibits kernel +modules from starting. This approach should not be considered comprehensive; +rather, it is a form of badness enumeration. 
Any potential candidates for future +disabling should first be blacklisted for a suitable amount of time. + +Hardware modules: + +- Optional - Bluetooth: Disabled to reduce attack surface. + +- FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks. + +- GPS: Disable GPS-related modules such as those required for Global Navigation + Satellite Systems (GNSS). + +- Optional - Intel Management Engine (ME): Provides some disabling of the interface + between the Intel ME and the OS. May lead to breakages in places such as firmware + updates, security, power management, display, and DRM. See discussion: https://github.com/Kicksecure/security-misc/issues/239 + +- Intel Platform Monitoring Technology (PMT) Telemetry: Disable some functionality + of the Intel PMT components. + +- Thunderbolt: Disabled as they are often vulnerable to DMA attacks. + +File system modules: + +- File Systems: Disable uncommon and legacy file systems. + +- Network File Systems: Disable uncommon and legacy network file systems. + +Networking modules: + +- Network Protocols: A wide array of uncommon and legacy network protocols and drivers + are disabled. + +Miscellaneous modules: + +- Amateur Radios: Disabled to reduce attack surface. + +- Optional - CPU MSRs: Disabled as can be abused to write to arbitrary memory. + +- Floppy Disks: Disabled to reduce attack surface. + +- Framebuffer (fbdev): Disabled as these drivers are well-known to be buggy, cause + kernel panics, and are generally only used by legacy devices. + +- Replaced Modules: Disabled legacy drivers that have been entirely replaced and + superseded by newer drivers. + +- Optional - USB Video Device Class: Disables the USB-based video streaming driver for + devices like some webcams and digital camcorders. + +- Vivid: Disabled to reduce attack surface given previous vulnerabilities. + +### Other + +- A systemd service clears the System.map file on boot as these contain kernel + pointers. 
The file is completely overwritten with zeroes to ensure it cannot + be recovered. See: + +`/etc/kernel/postinst.d/30_remove-system-map` + +`/usr/lib/systemd/system/remove-system-map.service` + +`/usr/libexec/security-misc/remove-system.map` + +- Coredumps are disabled as they may contain important information such as + encryption keys or passwords. See: + +`/etc/security/limits.d/30_security-misc.conf` + +`/usr/lib/sysctl.d/30_security-misc.conf` + +`/usr/lib/systemd/coredump.conf.d/30_security-misc.conf` + +- PStore is disabled as crash logs can contain sensitive system data such as + kernel version, hostname, and users. See: + + `/usr/lib/systemd/pstore.conf.d/30_security-misc.conf` + +- An initramfs hook sets the sysctl values in `/etc/sysctl.conf` and + `/etc/sysctl.d` before init is executed so sysctl hardening is enabled as + early as possible. This is implemented for `initramfs-tools` only because + this is not needed for `dracut` as `dracut` does that by default, at + least on `systemd` enabled systems. Not researched for non-`systemd` systems + by the author of this part of the readme. + +## Network hardening + +Not yet implemented due to issues: + +- https://github.com/Kicksecure/security-misc/pull/145 + +- https://github.com/Kicksecure/security-misc/issues/184 + +- Unlike version 4, IPv6 addresses can provide information not only about the + originating network but also the originating device. We prevent this from + happening by enabling the respective privacy extensions for IPv6. + +- In addition, we deny the capability to track the originating device in the + network at all, by using randomized MAC addresses per connection by + default. 
+ +See: + +- `/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf` +- `/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf` +- `/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf` + +## Bluetooth Hardening + +### Bluetooth Status: Enabled but Defaulted to Off + +- **Default Behavior**: Although Bluetooth capability is 'enabled' in the kernel, + security-misc deviates from the usual behavior by starting with Bluetooth + turned off at system start. This setting remains until the user explicitly opts + to activate Bluetooth. + +- **User Control**: Users have the freedom to easily switch Bluetooth on and off + in the usual way, exercising their own discretion. This can be done via the + Bluetooth toggle through the usual way, that is either through GUI settings + application or command line commands. + +- **Enhanced Privacy Settings**: We enforce more private defaults for Bluetooth + connections. This includes the use of private addresses and strict timeout + settings for discoverability and visibility. + +- **Security Considerations**: Despite these measures, it's important to note that + Bluetooth technology, by its nature, may still be prone to exploits due to its + history of security vulnerabilities. Thus, we recommend users to opt-out of + using Bluetooth when possible. + +### Configuration Details + +- See configuration: `/etc/bluetooth/30_security-misc.conf` +- For more information and discussion: [GitHub Pull Request](https://github.com/Kicksecure/security-misc/pull/145) + +### Understanding Bluetooth Terms + +- **Disabling Bluetooth**: This means the absence of the Bluetooth kernel module. + When disabled, Bluetooth is non-existent in the system - it cannot be seen, set, + configured, or interacted with in any way. + +- **Turning Bluetooth On/Off**: This refers to a software toggle. Normally, on + Debian systems, Bluetooth is 'on' when the system boots up. 
It actively searches + for known devices to auto-connect and may be discoverable or visible under certain + conditions. Our default ensures that Bluetooth is off on startup. However, it + remains 'enabled' in the kernel, meaning the kernel can use the Bluetooth protocol + and has the necessary modules. + +### Quick Toggle Guide + +- **Turning Bluetooth On**: Simply click the Bluetooth button in the settings + application or on the tray, and switch the toggle. It's a straightforward action + that can be completed in less than a second. + +- **Turning Bluetooth Off**: Follow the same procedure as turning it on but switch + the toggle to the off position. + +## Entropy collection improvements + +- The `jitterentropy_rng` kernel module is loaded as early as possible during + boot to gather more entropy via the + `/usr/lib/modules-load.d/30_security-misc.conf` configuration file. + +- Distrusts the CPU for initial entropy at boot as it is not possible to + audit, may contain weaknesses or a backdoor. Similarly, do not credit the + bootloader seed for initial entropy. For references, see: + `/etc/default/grub.d/40_kernel_hardening.cfg` + +- Gathers more entropy during boot if using the linux-hardened kernel patch. + +## Restrictive mount options + +A systemd service is triggered on boot to remount all sensitive partitions and +directories with significantly more secure hardened mount options. Since this +would require manual tuning for a given specific system, we handle it by +creating a very solid configuration file for that very system on package +installation. + +Not enabled by default yet. In development. Help welcome. 
+ +- https://www.kicksecure.com/wiki/Dev/remount-secure +- https://github.com/Kicksecure/security-misc/issues/157 +- https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/ + +## Root access restrictions + +- `su` is restricted to only users within the group `sudo` which prevents + users from using `su` to gain root access or to switch user accounts - + `/usr/share/pam-configs/wheel-security-misc` (which results in a change in + file `/etc/pam.d/common-auth`). + +- Add user `root` to group `sudo`. This is required due to the above + restriction so that logging in from a virtual console is still possible - + `debian/security-misc.postinst` + +- Abort login for users with locked passwords - + `/usr/libexec/security-misc/pam-abort-on-locked-password`. + +- Logging into the root account from a virtual, serial, or other console is + prevented by shipping an existing and empty `/etc/securetty` file (deletion + of `/etc/securetty` has a different effect). + +This package does not yet automatically lock the root account password. It is +not clear if this would be sane in such a package, although it is recommended to +lock and expire the root account. + +In new Kicksecure builds, the root account will be locked by package +dist-base-files. + +See: + +- https://www.kicksecure.com/wiki/Root +- https://www.kicksecure.com/wiki/Dev/Permissions +- https://forums.whonix.org/t/restrict-root-access/7658 -This package does (not yet) automatically lock the root account password. -It is not clear that would be sane in such a package. -It is recommended to lock and expire the root account. -In new Whonix builds, root account will be locked by package -anon-base-files. -https://www.whonix.org/wiki/Root -https://www.whonix.org/wiki/Dev/Permissions -https://forums.whonix.org/t/restrict-root-access/7658 However, a locked root password will break rescue and emergency shell. 
-Therefore this package enables passwordless resuce and emergency shell. -This is the same solution that Debian will likely addapt for Debian -installer. +Therefore, this package enables passwordless rescue and emergency shell. This is +the same solution that Debian will likely adopt for the Debian installer: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211 + +See: + +- `/etc/systemd/system/emergency.service.d/override.conf` +- `/etc/systemd/system/rescue.service.d/override.conf` + Adverse security effects can be prevented by setting up BIOS password -protection, grub password protection and/or full disk encryption. -/etc/systemd/system/emergency.service.d/override.conf -/etc/systemd/system/rescue.service.d/override.conf +protection, GRUB password protection, and/or full disk encryption. -Disables TCP Time Stamps: +## Console lockdown -TCP time stamps (RFC 1323) allow for tracking clock -information with millisecond resolution. This may or may not allow an -attacker to learn information about the system clock at such -a resolution, depending on various issues such as network lag. -This information is available to anyone who monitors the network -somewhere between the attacked system and the destination server. -It may allow an attacker to find out how long a given -system has been running, and to distinguish several -systems running behind NAT and using the same IP address. It might -also allow one to look for clocks that match an expected value to find the -public IP used by a user. +This uses pam_access to allow members of group `console` to use the console but +restrict everyone else (except members of group `console-unrestricted`) from +using the console with ancient, unpopular login methods such as `/bin/login` over +networks as this might be exploitable. (CVE-2001-0797) -Hence, this package disables this feature by shipping the -/etc/sysctl.d/tcp_timestamps.conf configuration file. 
+This is not enabled by default in this package since this package does not know +which users should be added to group 'console' and thus, would break console access. -Note that TCP time stamps normally have some usefulness. They are -needed for: +See: -* the TCP protection against wrapped sequence numbers; however, to -trigger a wrap, one needs to send roughly 2^32 packets in one -minute: as said in RFC 1700, "The current recommended default -time to live (TTL) for the Internet Protocol (IP) [45,105] is 64". -So, this probably won't be a practical problem in the context -of Anonymity Distributions. -* "Round-Trip Time Measurement", which is only useful when the user -manages to saturate their connection. When using Anonymity Distributions, -probably the limiting factor for transmission speed is rarely the capacity -of the user connection. +- `/usr/share/pam-configs/console-lockdown-security-misc` +- `/etc/security/access-security-misc.conf` -Application specific hardening: +## Brute force attack protection -* Enables APT seccomp-BPF sandboxing. /etc/apt/apt.conf.d/40sandbox -* Deactivates previews in Dolphin. -* Deactivates previews in Nautilus. -/usr/share/glib-2.0/schemas/30_security-misc.gschema.override -* Deactivates thumbnails in Thunar. -* Enables punycode (`network.IDN_show_punycode`) by default in Thunderbird -to make phising attacks more difficult. Fixing URL not showing real Domain -Name (Homograph attack). +User accounts are locked after 50 failed login attempts using `pam_faillock`. -Want more? Look into these: +Informational output during Linux PAM: -* Linux Kernel Runtime Guard (LKRG). Kills whole Classes of Kernel Exploits. -* tirdad - TCP ISN CPU Information Leak Protection. -* Whonix ™ - Anonymous Operating System -* Kicksecure ™ - A Security-hardened, Non-anonymous Linux Distribution -* SecBrowser ™ - A Security-hardened, Non-anonymous Browser -* And more. 
-* https://www.whonix.org/wiki/Linux_Kernel_Runtime_Guard_LKRG -* https://github.com/Whonix/tirdad -* https://www.whonix.org -* https://www.whonix.org/wiki/Kicksecure -* https://www.whonix.org/wiki/SecBrowser -* https://github.com/Whonix +- Show failed and remaining password attempts. +- Document unlock procedure if Linux user account got locked. +- Point out that there is no password feedback for `su`. +- Explain locked root account if locked. -Discussion: +See: + +- `/usr/share/pam-configs/tally2-security-misc` +- `/usr/libexec/security-misc/pam-info` +- `/usr/libexec/security-misc/pam-abort-on-locked-password` + +## Access rights restrictions + +### Strong user account separation + +#### Permission Lockdown + +Read, write, and execute access for "others" are removed during package +installation, upgrade, or PAM `mkhomedir` for all users who have home folders in +`/home` by running, for example: + +``` +chmod o-rwx /home/user +``` + +This will be done only once per folder in `/home` so users who wish to relax +file permissions are free to do so. This is to protect files in a home folder +that were previously created with lax file permissions prior to the installation +of this package. + +See: + +- `debian/security-misc.postinst` +- `/usr/libexec/security-misc/permission-lockdown` +- `/usr/share/pam-configs/mkhomedir-security-misc` + +#### umask + +The default `umask` is set to `027` for files created by non-root users, such +as the account `user`. + +This is done using the PAM module `pam_mkhomedir.so umask=027`. + +This configuration ensures that files created by non-root users cannot be read +by other non-root users by default. While Permission Lockdown already protects +the `/home` folder, this setting extends protection to other folders such as +`/tmp`. + +`group` read permissions are not removed. This is unnecessary due to Debian's +use of User Private Groups (UPGs). 
See also: +https://wiki.debian.org/UserPrivateGroups + +The default `umask` is unchanged for root because configuration files created +in `/etc` by the system administrator would otherwise be unreadable by +"others," potentially breaking applications. Examples include `/etc/firefox-esr` +and `/etc/thunderbird`. Additionally, the `umask` is set to `022` via `sudoers` +configuration, ensuring that files created as root are world-readable, even +when using commands such as `sudo vi /etc/file` or `sudo -i; touch /etc/file`. + +When using `sudo`, the `umask` is set to `022` rather than `027` to ensure +compatibility with commands such as `sudo vi /etc/configfile` and +`sudo -i; touch /etc/file`. + +See: + +- `/usr/share/pam-configs/umask-security-misc` + +### SUID / SGID removal and permission hardening + +#### SUID / SGID removal + +A systemd service removes SUID / SGID bits from non-essential binaries as these +are often used in privilege escalation attacks. + +#### File permission hardening + +Various file permissions are reset with more secure and hardened defaults. These +include but are not limited to: + +- Limiting `/home` and `/root` to the root only. +- Limiting crontab to root as well as all the configuration files for cron. +- Limiting the configuration for cups and ssh. +- Protecting the information of sudoers from others. +- Protecting various system-relevant files and modules. + +##### permission-hardener + +`permission-hardener` removes SUID / SGID bits from non-essential binaries as +these are often used in privilege escalation attacks. It is enabled by default +and applied at security-misc package installation and upgrade time. + +There is also an optional systemd unit which does the same at boot time that +can be enabled by running `systemctl enable permission-hardener.service` as +root. The hardening at boot time is not the default because this slows down +the boot process too much. 
+ +See: + +* `/usr/bin/permission-hardener` +* `debian/security-misc.postinst` +* `/lib/systemd/system/permission-hardener.service` +* `/etc/permission-hardener.d` +* https://forums.whonix.org/t/disable-suid-binaries/7706 +* https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener + +### Access rights relaxations + +This is not enabled yet because hidepid is not enabled by default. + +Calls to `pkexec` are redirected to `lxqt-sudo` because `pkexec` is +incompatible with `hidepid=2`. + +See: + +* `/usr/bin/pkexec.security-misc` +* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040 +* https://forums.whonix.org/t/cannot-use-pkexec/8129 + +## Application-specific hardening + +- Enables "`apt-get --error-on=any`" which makes apt exit non-zero for + transient failures. - `/etc/apt/apt.conf.d/40error-on-any`. +- Enables APT seccomp-BPF sandboxing - `/etc/apt/apt.conf.d/40sandbox`. +- Deactivates previews in Dolphin. +- Deactivates previews in Nautilus - + `/usr/share/glib-2.0/schemas/30_security-misc.gschema.override`. +- Deactivates thumbnails in Thunar. + - Rationale: lower attack surface when using the file manager + - https://forums.whonix.org/t/disable-preview-in-file-manager-by-default/18904 +- Thunderbird is hardened with the following options: + - Displays domain names in punycode to prevent IDN homograph attacks (a + form of phishing). + - Strips email client information from sent email headers. + - Strips user time information from sent email headers by replacing the + originating time zone with UTC and rounding the timestamp to the nearest + minute. + - Disables scripting when viewing PDF files. + - Disables implicit outgoing connections. + - Disables all and any kind of telemetry. +- Security and privacy enhancements for gnupg's config file + `/etc/skel/.gnupg/gpg.conf`. 
See also: + - https://raw.github.com/ioerror/torbirdy/master/gpg.conf + - https://github.com/ioerror/torbirdy/pull/11 + +### Project scope of application-specific hardening + +Added in December 2023. + +Before sending pull requests to harden arbitrary applications, please note the +scope of security-misc is limited to default installed applications in +Kicksecure and Whonix. This includes: + +- Thunderbird, VLC Media Player, KeePassXC +- Debian Specific System Components (APT, DPKG) +- System Services (NetworkManager IPv6 privacy options, MAC address + randomization) +- Actually used development utilities such as `git`. + +It will not be possible to review and merge "1500" settings profiles for +arbitrary applications outside of this context. + +The main objective of security-misc is to harden Kicksecure and its derivatives, +such as Whonix, by implementing robust security settings. It's designed to be +compatible with Debian, reflecting a commitment to clean implementation and +sound design principles. However, it's important to note that security-misc is a +component of Kicksecure, not a substitute for it. The intention isn't to +recreate Kicksecure within security-misc. Instead, specific security +enhancements, like recommending a curated list of security-focused +default packages (e.g., `libpam-tmpdir`), should be integrated directly into +those appropriate areas of Kicksecure (e.g. `kicksecure-meta-packages`). + +Discussion: https://github.com/Kicksecure/security-misc/issues/154 + +### Development philosophy + +Added in December 2023. + +Maintainability is a key priority \[1\]. Before modifying settings in the +downstream security-misc, it's essential to first engage with upstream +developers to propose these changes as defaults. This step should only be +bypassed if there's a clear, prior indication from upstream that such changes +won't be accepted. 
Additionally, before implementing any workarounds, consulting +with upstream is necessary to avoid future unmaintainable complexity. + +If debugging features are disabled, pull requests won't be merged until there is +a corresponding pull request for the debug-misc package to re-enable these. This +is to avoid configuring the system into a corner where it can no longer be +debugged. + +\[1\] https://www.kicksecure.com/wiki/Dev/maintainability + +## Opt-in hardening + +Some hardening is opt-in as it causes too much breakage to be enabled by +default. + +- An optional systemd service mounts `/proc` with `hidepid=2` at boot to + prevent users from seeing another user's processes. This is disabled by + default because it is incompatible with `pkexec`. It can be enabled by + executing `systemctl enable proc-hidepid.service` as root. + +- A systemd service restricts `/proc/cpuinfo`, `/proc/bus`, `/proc/scsi`, and + `/sys` to the root user. This hides a lot of hardware identifiers from + unprivileged users and increases security as `/sys` exposes a lot of + information that shouldn't be accessible to unprivileged users. As this will + break many things, it is disabled by default and can optionally be enabled + by executing `systemctl enable hide-hardware-info.service` as root. + +## Miscellaneous + +- Hardened malloc compatibility for haveged workaround + `/lib/systemd/system/haveged.service.d/30_security-misc.conf` + +- Set `dracut` `reproducible=yes` setting + +## Legal + +`/usr/lib/issue.d/20_security-misc.issue` + +https://github.com/Kicksecure/security-misc/pull/167 + +## Related + +- Linux Kernel Runtime Guard (LKRG) +- tirdad - TCP ISN CPU Information Leak Protection. +- Kicksecure (TM) - a security-hardened Linux Distribution +- And more. +- https://www.kicksecure.com/wiki/Linux_Kernel_Runtime_Guard_LKRG +- https://github.com/Kicksecure/tirdad +- https://www.kicksecure.com +- https://github.com/Kicksecure + +## Discussion + +Happening primarily in forums. 
-Happening primarily in Whonix forums. https://forums.whonix.org/t/kernel-hardening/7296 -## How to install `security-misc` using apt-get ## -1\. Download [Whonix's Signing Key](). +## How to install `security-misc` -``` -wget https://www.whonix.org/patrick.asc -``` +See https://www.kicksecure.com/wiki/Security-misc#install -Users can [check Whonix Signing Key](https://www.whonix.org/wiki/Whonix_Signing_Key) for better security. +## How to Build deb Package from Source Code -2\. Add Whonix's signing key. +Can be build using standard Debian package build tools such as: -``` -sudo apt-key --keyring /etc/apt/trusted.gpg.d/whonix.gpg add ~/patrick.asc -``` + dpkg-buildpackage -b -3\. Add Whonix's APT repository. +See instructions. (Replace `generic-package` with the actual name of this +package `security-misc`.) -``` -echo "deb https://deb.whonix.org buster main contrib non-free" | sudo tee /etc/apt/sources.list.d/whonix.list -``` +- **A)** + [easy](https://www.kicksecure.com/wiki/Dev/Build_Documentation/generic-package/easy), + *OR* +- **B)** [including verifying software + signatures](https://www.kicksecure.com/wiki/Dev/Build_Documentation/generic-package) -4\. Update your package lists. +## Contact -``` -sudo apt-get update -``` +- [Free Forum Support](https://forums.kicksecure.com) +- [Professional Support](https://www.kicksecure.com/wiki/Professional_Support) -5\. Install `security-misc`. +## Donate -``` -sudo apt-get install security-misc -``` - -## How to Build deb Package ## - -Replace `apparmor-profile-torbrowser` with the actual name of this package with `security-misc` and see [instructions](https://www.whonix.org/wiki/Dev/Build_Documentation/apparmor-profile-torbrowser). - -## Contact ## - -* [Free Forum Support](https://forums.whonix.org) -* [Professional Support](https://www.whonix.org/wiki/Professional_Support) - -## Donate ## - -`security-misc` requires [donations](https://www.whonix.org/wiki/Donate) to stay alive! 
+`security-misc` requires [donations](https://www.kicksecure.com/wiki/Donate) to +stay alive! diff --git a/README_generic.md b/README_generic.md new file mode 100644 index 0000000..787af72 --- /dev/null +++ b/README_generic.md @@ -0,0 +1,68 @@ +# Enhances Miscellaneous Security Settings # + +https://github.com/Kicksecure/security-misc/blob/master/README.md + +https://www.kicksecure.com/wiki/Security-misc + +Discussion: + +Happening primarily in Whonix forums. +https://forums.whonix.org/t/kernel-hardening/7296 + +## How to install `security-misc` using apt-get ## + +1\. Download the APT Signing Key. + +``` +wget https://www.kicksecure.com/keys/derivative.asc +``` + +Users can [check the Signing Key](https://www.kicksecure.com/wiki/Signing_Key) for better security. + +2\. Add the APT Signing Key. + +``` +sudo cp ~/derivative.asc /usr/share/keyrings/derivative.asc +``` + +3\. Add the derivative repository. + +``` +echo "deb [signed-by=/usr/share/keyrings/derivative.asc] https://deb.kicksecure.com bookworm main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list +``` + +4\. Update your package lists. + +``` +sudo apt-get update +``` + +5\. Install `security-misc`. + +``` +sudo apt-get install security-misc +``` + +## How to Build deb Package from Source Code ## + +Can be build using standard Debian package build tools such as: + +``` +dpkg-buildpackage -b +``` + +See instructions. + +NOTE: Replace `generic-package` with the actual name of this package `security-misc`. + +* **A)** [easy](https://www.kicksecure.com/wiki/Dev/Build_Documentation/generic-package/easy), _OR_ +* **B)** [including verifying software signatures](https://www.kicksecure.com/wiki/Dev/Build_Documentation/generic-package) + +## Contact ## + +* [Free Forum Support](https://forums.kicksecure.com) +* [Premium Support](https://www.kicksecure.com/wiki/Premium_Support) + +## Donate ## + +`security-misc` requires [donations](https://www.kicksecure.com/wiki/Donate) to stay alive! 
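Review bot: In the README.md hunk, the two sections headed "Not yet implemented due to issues" ("Disables the loading of new modules to the kernel after the fact" and "Network hardening") go on to describe the hardening in the present tense ("A systemd service dynamically sets the kernel parameter `modules_disabled` to 1", "We prevent this from happening by enabling the respective privacy extensions for IPv6"), so a reader cannot tell from the text whether the protection is active on an installed system. Suggest rewording those paragraphs as planned behaviour or moving them under a separate planned-features heading. In the same module paragraph, "configured directly within systemctl" looks like it should read `sysctl`, since `modules_disabled` is described as a kernel parameter. Under "Brute force attack protection" the text names `pam_faillock` while the file list points at `/usr/share/pam-configs/tally2-security-misc`; a short remark on the file name would prevent confusion. The umask section gives the `sudo` `022` rationale twice in consecutive paragraphs, and one of them can be dropped.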
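Review bot: In the new README_generic.md, step 1 fetches `derivative.asc` with `wget` and step 2 copies it straight to `/usr/share/keyrings/derivative.asc`, with verification reduced to the aside "Users can check the Signing Key for better security"; since step 3 makes that file the `signed-by` trust anchor for the repository, checking the key fingerprint against the Signing Key page should be its own numbered step before the copy. Smaller points in the same file: "Discussion: Happening primarily in Whonix forums." keeps wording that README.md drops in this same patch, "Can be build" should be "Can be built", and the Contact list links "Premium Support" where README.md links "Professional Support".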
diff --git a/changelog.upstream b/changelog.upstream index 5af0404..fb9687f 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,12888 @@ +commit b06fb5428051518390439ce95c9d6894e6338951 +Merge: 115b6f6 468cf40 +Author: Patrick Schleizer +Date: Wed Jul 2 13:47:12 2025 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 468cf40e2a216625d02066b609b0991e37c50ebc +Merge: 865a052 bb208fb +Author: Patrick Schleizer +Date: Wed Jul 2 13:45:28 2025 -0400 + + Merge pull request #306 from raja-grewal/erst + + Set `erst_disable` + +commit 865a052bf47f28c0084b2bbd51e3c606df9eda96 +Merge: 115b6f6 e3c4519 +Author: Patrick Schleizer +Date: Wed Jul 2 13:44:17 2025 -0400 + + Merge pull request #309 from RebornRider/patch-1 + + remove TemporaryTimeout=0 in Bluetooth config + +commit bb208fb134fe25fc3539494f331072a851369064 +Merge: 4314b1e 115b6f6 +Author: raja-grewal +Date: Wed Jul 2 11:35:50 2025 +1000 + + Merge branch 'Kicksecure:master' into erst + +commit 4314b1e85bd5495832b4398bdbd358c41703dcc9 +Author: raja-grewal +Date: Tue Jul 1 13:36:39 2025 +1000 + + Add comment + +commit e3c451917931aa4e63056fb03470c203694d399f +Author: Kevin Agwaze <7119346+RebornRider@users.noreply.github.com> +Date: Mon Jun 16 10:35:16 2025 +0100 + + remove misleading TemporaryTimeout=0 in Bluetooth config + +commit 115b6f6aa2a4d00ad5690c2c0889e142540c01ca +Author: Patrick Schleizer +Date: Sat Jun 14 11:51:44 2025 +0000 + + bumped changelog version + +commit 4639d1aab572bb4ad751bd1da5b936b9d73d3264 +Merge: 5159de6 109c013 +Author: Patrick Schleizer +Date: Fri Jun 13 15:09:52 2025 -0400 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/approx' + +commit 109c0134677d991c449aa009773cb22babeee8db +Author: Aaron Rainbolt +Date: Thu Jun 12 01:08:34 2025 -0500 + + Add comment related to approx package caching proxy + +commit 72613203b9692d1098b13ff98119499a5a30a6da +Author: raja-grewal +Date: Fri Jun 6 13:07:52 2025 +0000 + + Add reference + +commit dd0b55cc45f9ccd64d0075ba37ab6a4723d94a02 +Author: raja-grewal +Date: Tue Jun 3 12:32:17 2025 +1000 + + Add reference + +commit 
5159de63438e8c1274658e7175a80fb693d6554a +Author: Patrick Schleizer +Date: Wed May 28 13:48:11 2025 +0000 + + bumped changelog version + +commit 3e102df76583a14b5efc18238aefbf539ab0d8a1 +Author: Patrick Schleizer +Date: Wed May 28 08:37:03 2025 -0400 + + fix + +commit d5edc243ac2db861f1600d3906a02494eaf9a824 +Author: Patrick Schleizer +Date: Wed May 28 12:12:00 2025 +0000 + + bumped changelog version + +commit eda1d0aef640af1ea73c72d6caa876733de4e5a0 +Merge: e966774 5a10ad0 +Author: Patrick Schleizer +Date: Wed May 28 07:22:16 2025 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 5a10ad031d67acc8fa4c16f9e2db191bde559caa +Merge: e966774 3559bc8 +Author: Patrick Schleizer +Date: Wed May 28 07:21:31 2025 -0400 + + Merge pull request #307 from maybebyte/ssh-agent-to-allowlist + + fix(permission-hardener): ssh-agent gets 2755 perms + +commit 3559bc86b7aed8122ff7996ce0ab4a65bdaf05c0 +Author: Ashlen +Date: Tue May 27 15:32:41 2025 -0600 + + fix(permission-hardener): ssh-agent gets 2755 perms + + Change from exactwhitelist to matchwhitelist. Discussion revealed that + there's a good reason to leave setgid in here, which is essentially + defense-in-depth (sometimes users may want to revert Kicksecure's + default of kernel.yama.ptrace_scope=2, e.g. to debug a program, and + Kicksecure should not be less secure than vanilla Debian in that + situation). 
+ +commit c59b2e4bc53cad4c9cc90ddd5abaca0705ccff90 +Merge: 017ee29 e966774 +Author: maybebyte <99762926+maybebyte@users.noreply.github.com> +Date: Tue May 27 20:33:07 2025 +0000 + + Merge branch 'Kicksecure:master' into ssh-agent-to-allowlist + +commit e96677486201ebddc145af7962ad5e89f6fa253b +Author: Patrick Schleizer +Date: Tue May 27 19:41:25 2025 +0000 + + bumped changelog version + +commit 017ee29eb39d84edc89f128a633a619cad852241 +Merge: 7a079c3 abb2207 +Author: maybebyte <99762926+maybebyte@users.noreply.github.com> +Date: Tue May 27 18:25:47 2025 +0000 + + Merge branch 'Kicksecure:master' into ssh-agent-to-allowlist + +commit 5195977be474e29a29b6392306e909e9f2d05ada +Author: Patrick Schleizer +Date: Tue May 27 11:57:21 2025 -0400 + + protect against grep pipefail + +commit abb2207313810966dad381c3a9f637c445a5834d +Author: Patrick Schleizer +Date: Tue May 27 15:51:50 2025 +0000 + + bumped changelog version + +commit 45016146f7c77d383f2254d19dc66ba9b883b8f2 +Merge: ace45d7 395169f +Author: Patrick Schleizer +Date: Tue May 27 11:03:23 2025 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 395169fbce1854bfed727d1784f4e5c0d8e7c6ff +Merge: ace45d7 e14b81b +Author: Patrick Schleizer +Date: Tue May 27 10:58:50 2025 -0400 + + Merge pull request #308 from maybebyte/permission-hardener-speedboost + + perf(permission-hardener): optimize string match + +commit 1c353032046f556bb11c32506019310c9f6d47c0 +Merge: 35fa32e ace45d7 +Author: raja-grewal +Date: Fri May 23 20:20:19 2025 +1000 + + Merge branch 'Kicksecure:master' into erst + +commit ace45d7c95ed6b83c1897f76da5af4a0c97cab10 +Author: Patrick Schleizer +Date: Wed May 21 22:06:02 2025 +0000 + + bumped changelog version + +commit 142ea2118989faddafa17db48efed379c4ac3f45 +Author: Patrick Schleizer +Date: Wed May 21 12:42:16 2025 -0400 + + fix + +commit a969fa350e28ca296966509821a7c62b68f09a5a +Author: Patrick Schleizer +Date: Wed May 21 12:40:27 2025 -0400 + + fix + +commit 
f023651c984c52a997bc241f99f118255cf60809 +Author: Patrick Schleizer +Date: Wed May 21 12:35:37 2025 -0400 + + nounset + +commit f086787464191a07e028dd92649c48b145023858 +Author: Patrick Schleizer +Date: Wed May 21 12:35:23 2025 -0400 + + fix + +commit d7643954d184846c8b7fb5eda7200779126274eb +Author: Patrick Schleizer +Date: Wed May 21 12:33:50 2025 -0400 + + minor + +commit aa905fc8875c5c56351f10f4e40e6d2a7dd6d918 +Author: Patrick Schleizer +Date: Wed May 21 12:32:16 2025 -0400 + + further validation of output of `faillock` + +commit 92d3a36a0f43615db622c6b0daa7064b8e8ebbbb +Author: Patrick Schleizer +Date: Wed May 21 12:29:01 2025 -0400 + + fix + +commit 2c1abb23e03cfe449347ba692d35f5ba1f33cff4 +Author: Patrick Schleizer +Date: Wed May 21 12:26:46 2025 -0400 + + output + +commit 0801b96ae74256f36dcf8757d0ba8abc66ea0b9b +Author: Patrick Schleizer +Date: Wed May 21 12:25:49 2025 -0400 + + output + +commit ef8515ba82996b137c386eeb91e6f853d58a515f +Author: Patrick Schleizer +Date: Wed May 21 12:23:45 2025 -0400 + + improve error handling + +commit 784867e24b4d6f2899fa9b215ec9e3c4e2fb9d84 +Author: Patrick Schleizer +Date: Wed May 21 12:21:45 2025 -0400 + + fix + +commit 0eea681ce893a259563f8e9d5a2ec9722fbc635d +Author: Patrick Schleizer +Date: Wed May 21 15:52:16 2025 +0000 + + bumped changelog version + +commit e1bae1c68aabc424924b6386fe4980d657dc2cdf +Author: Patrick Schleizer +Date: Wed May 21 11:50:59 2025 -0400 + + fix + +commit bd01a683054b1f7d5a5f6cc4848da73b1b1ef5ff +Author: Patrick Schleizer +Date: Wed May 21 13:58:18 2025 +0000 + + bumped changelog version + +commit 14cf205579ff65fa765d7574e5d0e301a30a1904 +Author: Patrick Schleizer +Date: Wed May 21 08:36:16 2025 -0400 + + fix + +commit ff6bc5d5b6097bcdddd8e66c2541106c2cbabbaf +Author: Patrick Schleizer +Date: Wed May 21 11:23:39 2025 +0000 + + bumped changelog version + +commit 353b6e83c55d52b47a2a35063406324cec7237c4 +Author: Patrick Schleizer +Date: Wed May 21 07:20:13 2025 -0400 + + test that `wc` is 
functional + + https://github.com/Kicksecure/security-misc/pull/305#issuecomment-2892378246 + +commit 5930e270521e0e5d6a0a3877c813accbf5253051 +Author: Patrick Schleizer +Date: Wed May 21 07:05:25 2025 -0400 + + pam-info: improve error handling + + https://github.com/Kicksecure/security-misc/pull/305#issuecomment-2892378246 + +commit 5c981e0891ef009c5c2355f5f6383aca22c45638 +Author: Patrick Schleizer +Date: Wed May 21 06:55:09 2025 -0400 + + pam-info: fix, consistently write errors and warnings to stderr + +commit e14b81b15e479afbc4820a2b9bb60f3cf65bfb12 +Author: Ashlen +Date: Tue May 20 21:34:03 2025 -0600 + + perf(permission-hardener): optimize string match + + Replace subprocess grep calls with bash substring matching in + check_nosuid_whitelist function. This eliminates ~10k unneeded + subprocess spawns that were causing significant performance + degradation. + + In testing, it improves overall script execution speed by an + order of magnitude: + + Before patch: + $ sudo hyperfine -- './permission-hardener enable' + Benchmark 1: ./permission-hardener enable + Time (mean ± σ): 11.906 s ± 0.974 s [User: 3.639 s, System: 8.728 s] + Range (min … max): 10.430 s … 14.090 s 10 runs + + After patch: + $ sudo hyperfine -- './permission-hardener enable' + Benchmark 1: ./permission-hardener enable + Time (mean ± σ): 802.8 ms ± 178.5 ms [User: 283.0 ms, System: 471.9 ms] + Range (min … max): 639.4 ms … 1092.3 ms 10 runs + +commit 7a079c3de8bd8b4e026a1bd1b932a04610a1e386 +Author: Ashlen +Date: Tue May 20 18:41:48 2025 -0600 + + fix(permission-hardener): add exactwhitelist here + + Without this, the permissions for ssh-agent won't be changed properly. + +commit 94dc9da4ab8fb93760dbb3b325bdeaa155e492cb +Author: Ashlen +Date: Tue May 20 17:07:51 2025 -0600 + + fix(permission-hardener): ssh-agent gets 755 perms + + Replace the commented-out matchwhitelist entry for ssh-agent with an + explicit permission entry (755) for /usr/bin/ssh-agent. 
+ + When ssh-agent's matchwhitelist entry was commented out in commit + 7a5f8b87af, permission-hardener began resetting it to restrictive + defaults (744), preventing non-root users from executing ssh-agent. This + broke split SSH functionality in Qubes OS for me because I was using + Kicksecure in the vault qube, and ssh-agent runs under a non-root user in + that configuration (see https://forum.qubes-os.org/t/split-ssh/19060). + + As noted in the comment, Debian installs with 2755 permissions as a way + to mitigate ptrace attacks, but this rationale doesn't apply due to + kernel.yama.ptrace_scope=2 being set in Kicksecure. + +commit 19d7e1af5d7acf6eb3a20fe3ebf5f14cef041f92 +Author: Patrick Schleizer +Date: Tue May 20 11:40:27 2025 +0000 + + bumped changelog version + +commit 405880e63b92319626332d083a6c5ad5101dbf77 +Author: Patrick Schleizer +Date: Sun May 18 06:44:42 2025 -0400 + + handle case of non-existence of /proc/cmdline + +commit 88235cc97b8b54f3fe78d6ad76f64326e8b53f3e +Author: Patrick Schleizer +Date: Sun May 18 06:44:04 2025 -0400 + + refactoring + +commit 601ea77b005d18b57a85e0701f3981edd61b7881 +Author: Patrick Schleizer +Date: Sun May 18 06:42:39 2025 -0400 + + end-of-options + +commit d8feca12768441b0499ead7cc9f9bce4e89b1edf +Author: Patrick Schleizer +Date: Sun May 18 06:41:41 2025 -0400 + + printf + +commit 7f2ba0980d17360fc014c6a412fc4ee57e1032fd +Author: Patrick Schleizer +Date: Sun May 18 06:40:50 2025 -0400 + + refactoring + +commit 4d1f8c44d28895587abce586ed5b2fe354544f6a +Merge: 341dce3 e478750 +Author: Patrick Schleizer +Date: Sun May 18 06:36:08 2025 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit e478750814798f3d9aa60354b6cecbb84769ed53 +Merge: 341dce3 91a76db +Author: Patrick Schleizer +Date: Sun May 18 06:35:23 2025 -0400 + + Merge pull request #305 from DMHalford/pam-info-failed_login_counter-fix + + Prevent erroneous "Login blocked after [negative number] attempts" errors + +commit 
35fa32e4ed6333f3ab87d09828f13155aa1e7a72 +Author: raja-grewal +Date: Sat May 17 15:06:49 2025 +1000 + + Reword + +commit a1bde21ccb475fc21a084559dbe766f6315d9287 +Author: raja-grewal +Date: Sat May 17 04:41:06 2025 +0000 + + Set `erst_disable` + +commit 91a76db66bb496ba4650ada38df31636297738cf +Author: DMHalford <161769419+DMHalford@users.noreply.github.com> +Date: Thu May 15 15:42:50 2025 -0400 + + Prevent erroneous "Login blocked after [negative number] attempts" errors + + For root, faillock appears to always* return an empty string (i.e. no table headers are present), yielding a zero-initialized pam_faillock_output_count and thus resulting in the calculation of a negative failed_login_counter value. + + This can cause erroneous errors of the form "ERROR: Login blocked after [negative number] attempts" during sudo-ing and screen unlocking. + + This commit modifies the initialization of failed_login_counter such that it cannot be negative and prevents the display of these incorrect warnings. + + * Only rudimentary local tests were conducted + +commit 6c3be9ced071e73e78451c82e8def9c5a5b02598 +Author: DMHalford <161769419+DMHalford@users.noreply.github.com> +Date: Thu May 15 15:06:10 2025 -0400 + + Prevent erroneous "Login blocked after [negative number] attempts" errors + + For root, faillock appears to always* return an empty string (i.e. no table headers are present), yielding a zero-initialized pam_faillock_output_count and thus resulting in the calculation of a negative failed_login_counter value. + + This can cause erroneous errors of the form "ERROR: Login blocked after [negative number] attempts" during sudo-ing and screen unlocking. + + This commit modifies the initialization of failed_login_counter such that it cannot be negative and prevents the display of these incorrect warnings. 
+ + * Only rudimentary tests were conducted + +commit 341dce33fb806ab03822470e6af91604662c22dd +Author: Patrick Schleizer +Date: Fri Apr 25 09:54:23 2025 +0000 + + bumped changelog version + +commit 06e1e44b0039807baa862102b12fc5e199c3ccb3 +Author: Patrick Schleizer +Date: Fri Apr 25 05:51:21 2025 -0400 + + comments + +commit ba1012ca8767baf34ed762d80b25b03bb70e6765 +Author: Patrick Schleizer +Date: Fri Apr 25 08:19:35 2025 +0000 + + bumped changelog version + +commit a8f6132bec1a6f4a639d58295b3e50faf5494d98 +Author: Patrick Schleizer +Date: Fri Apr 25 03:11:27 2025 -0400 + + output + +commit 1d14a9f32435b8131c251e03bff2af5c929bbf49 +Merge: e154d0a 612f5f9 +Author: Patrick Schleizer +Date: Fri Apr 25 02:59:09 2025 -0400 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/fix-pkexec-umask' + +commit 612f5f92fde236b86928428fd0247c8e971b0460 +Author: Aaron Rainbolt +Date: Thu Apr 24 20:01:35 2025 -0500 + + Fix umask for pkexec-run commands + +commit e154d0af6dd41e392122fbe3d09219734c5ad588 +Author: Patrick Schleizer +Date: Mon Apr 21 10:21:54 2025 +0000 + + bumped changelog version + +commit 4bf0e3a63667c284d053e5b8517440a884a42441 +Author: Patrick Schleizer +Date: Mon Apr 21 04:57:07 2025 -0400 + + comments + +commit 502f5953c734346edc680a0b898b435e6c6f6e27 +Author: Patrick Schleizer +Date: Mon Apr 21 04:55:19 2025 -0400 + + comments + +commit abb0c83619b820b7b66258efa9e141850eaa8b6c +Author: Patrick Schleizer +Date: Mon Apr 21 04:54:06 2025 -0400 + + comments + +commit efa2967fca36c776d43419dd5bf12696bc61c426 +Author: Patrick Schleizer +Date: Mon Apr 21 04:53:04 2025 -0400 + + comments + +commit dc7e8579040a96630ab1bbf7b4b901e3e3abe8c7 +Author: Patrick Schleizer +Date: Sat Apr 19 17:33:56 2025 +0000 + + bumped changelog version + +commit 9948ae114d4c6bbd650022c9985137c0fdea5675 +Author: Patrick Schleizer +Date: Sat Apr 19 13:24:17 2025 -0400 + + fix + +commit 4aca622706f33e85832e67650259a7751ba87a72 +Author: Patrick Schleizer +Date: Sat Apr 19 13:23:26 2025 
-0400 + + fix + +commit 701f4a0e88a32e4c9312fd92b73cef5d4f755f0a +Author: Patrick Schleizer +Date: Sat Apr 19 13:20:04 2025 -0400 + + output + +commit a670c0d873eba8d84bde90ebbeecc7aecc22349e +Author: Patrick Schleizer +Date: Sat Apr 19 13:18:23 2025 -0400 + + comment + +commit 4799f3ce02e5683dad0fff13f5d7fe0aadb0a0db +Author: Patrick Schleizer +Date: Sat Apr 19 13:17:28 2025 -0400 + + make `/usr/libexec/security-misc/apt-get-update` more reliable + +commit c4f0e1d16f6999b055b0fa310456870f12a6dbea +Author: Patrick Schleizer +Date: Sat Apr 19 12:57:14 2025 -0400 + + refactoring + +commit 81634930fa13a240b9fff9a878dd84af1dccc6b3 +Author: Patrick Schleizer +Date: Sat Apr 19 12:55:32 2025 -0400 + + refactoring + +commit 90330a1ec958f82f9322ecc62bcfb7169d641af4 +Author: Patrick Schleizer +Date: Sat Apr 19 12:49:18 2025 -0400 + + refactoring + +commit ce2c9a21a357b3981335336eaf7ac8a6a3bcb052 +Author: Patrick Schleizer +Date: Sat Apr 19 12:47:40 2025 -0400 + + /usr/libexec/security-misc/apt-get-update: use `/run/helper-scripts` folder for pid file instead of `$TMP` + + to avoid permission issues + +commit 96ff7c8dc67809a3199d0b7f22d9e50483634a9c +Author: Patrick Schleizer +Date: Sat Apr 19 12:45:06 2025 -0400 + + refactoring + +commit 5a37790e6bd80ffd4f74d9596523ef72366d35d9 +Author: Patrick Schleizer +Date: Sat Apr 19 12:43:15 2025 -0400 + + cleanup + +commit 7512aa67572c97267fd176e63ae4862b6d37f8ae +Author: Patrick Schleizer +Date: Tue Apr 15 20:59:37 2025 +0000 + + bumped changelog version + +commit e0e2a9b61c61b34a6fe10782e294d58adff15cfe +Merge: 5e88dfe 9f2836d +Author: Patrick Schleizer +Date: Tue Apr 15 15:27:10 2025 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 9f2836d2baae900222cbae74d7a32bcdc69e589f +Merge: 5e88dfe aa0ffff +Author: Patrick Schleizer +Date: Tue Apr 15 15:17:25 2025 -0400 + + Merge pull request #304 from raja-grewal/stop_pstore + + Disable PStore + +commit 5e88dfe809a762aeebf62ea2de131cfbdea9ae32 +Author: Patrick 
Schleizer +Date: Thu Apr 10 11:38:17 2025 +0000 + + bumped changelog version + +commit c0a18c5a7122fe3c7b52d0e02ca5e8817efb3996 +Merge: da9dd3c 74ca63d +Author: Patrick Schleizer +Date: Thu Apr 10 06:07:55 2025 -0400 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/rename-boot-modes' + +commit 74ca63d12c716017d022f5dfc5348ae7b787e220 +Author: Aaron Rainbolt +Date: Wed Apr 9 21:01:41 2025 -0500 + + Mass-change "PERSISTENCE mode USERNAME" to "PERSISTENCE Mode - USERNAME Session" + +commit aa0ffff42753f68e67bc92680a22986a5b9ef9e0 +Author: raja-grewal +Date: Thu Apr 10 11:49:45 2025 +1000 + + README.md: Revert error + +commit da9dd3c3f14103701ad82af775b4fb547f5b3e2e +Author: Patrick Schleizer +Date: Wed Apr 9 15:16:00 2025 +0000 + + bumped changelog version + +commit 163d51f32a1888a52ea78ba32a4e4a2d72aea87d +Author: Patrick Schleizer +Date: Wed Apr 9 09:47:52 2025 -0400 + + newline at the end + +commit 4d2b2e65468522b1d1beda63b0b16cfa12b1d535 +Author: Patrick Schleizer +Date: Tue Apr 8 14:08:24 2025 +0000 + + bumped changelog version + +commit 39f4f5b60739c387f02970018e14f1ae93677e00 +Author: Patrick Schleizer +Date: Tue Apr 8 06:53:08 2025 -0400 + + comments + +commit 173606891ad0c064a22b4ec0aee772105d8be54a +Author: Patrick Schleizer +Date: Tue Apr 8 06:48:29 2025 -0400 + + output + +commit f0d17c7e4134d8a54ce7331c1e9d3ce932278987 +Author: raja-grewal +Date: Sun Mar 16 03:31:24 2025 +0000 + + README: Fix a few links + +commit df2fc2cf6b0437d23c7641118ebd24d2e3a670ce +Author: raja-grewal +Date: Sun Mar 16 03:30:04 2025 +0000 + + Set `efi_pstore.pstore_disable=1` + +commit f643ebc2f923ba4d7231e5aeaf1d91d1a9d1d0df +Author: raja-grewal +Date: Sun Mar 16 03:28:39 2025 +0000 + + Disable pstore processing by systemd-pstore service + +commit d927fe238cc5369f7fe1632a4173fe4bdf0ffdfb +Author: Patrick Schleizer +Date: Mon Mar 3 11:00:38 2025 +0000 + + bumped changelog version + +commit cd0ba94ac5e7e8360183ac6f440d941b4067025b +Author: Patrick Schleizer +Date: Mon Mar 3 
05:57:59 2025 -0500 + + no longer disable `vivid` kernel module by default, + because it breaks Qubes Video Companion + + Thanks to @marmarek for the bug report! + + https://forums.whonix.org/t/testing-qubes-video-companion-on-whonix/21393 + + fixes https://github.com/Kicksecure/security-misc/issues/298 + +commit 3e7d1b4e23e1e8ef4ad138dbe4119eee7e72511c +Author: Patrick Schleizer +Date: Sun Feb 9 23:04:36 2025 +0000 + + bumped changelog version + +commit 0615e6e995eb25d8e1bff181ecc49ff51e4029cc +Merge: 2a4a228 4d62ee3 +Author: Patrick Schleizer +Date: Sun Feb 9 18:01:43 2025 -0500 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 4d62ee3ab31bde80eebde265c2513233f10f751a +Merge: 2a4a228 ce4b57d +Author: Patrick Schleizer +Date: Sun Feb 9 18:00:59 2025 -0500 + + Merge pull request #297 from raja-grewal/warn_path + + Update docs on kernel panics + +commit ce4b57d1cb179f18c1ac41681626d01054355fe6 +Author: raja-grewal +Date: Mon Feb 3 00:31:45 2025 +0000 + + Update docs on kernel panics + +commit 2a4a228b150e06c7ff796315719d41e825dd8ad3 +Author: Patrick Schleizer +Date: Fri Jan 31 19:38:42 2025 +0000 + + bumped changelog version + +commit 041caf286b343268e6db69f2957f23c1dd20812a +Author: Patrick Schleizer +Date: Fri Jan 31 14:33:54 2025 -0500 + + update pkg_installed function + +commit ac1493fcfc194b8d1a680d7e8bf53a90caa984ac +Author: Patrick Schleizer +Date: Fri Jan 31 14:33:17 2025 -0500 + + comment + +commit c0f2f110146410428fc12815b30aaba67ff16126 +Author: Patrick Schleizer +Date: Thu Jan 30 12:58:48 2025 +0000 + + bumped changelog version + +commit 9f5e522b83ba969112abf6a9fba77c1eff31b14d +Author: Patrick Schleizer +Date: Thu Jan 30 07:53:04 2025 -0500 + + LC_ALL=C + +commit 7c150d116d1d1f95e2fb729934906eb4391a389a +Author: Patrick Schleizer +Date: Thu Jan 30 07:45:08 2025 -0500 + + LANG=C str_replace: no longer requires LANG=C, therefore removed + +commit 6aaf7082177fe4d02415aac4317cde74665f495c +Author: Patrick Schleizer +Date: Wed Jan 29 
14:36:41 2025 +0000 + + bumped changelog version + +commit 10508cb5801c28f8fff306957e867a1626aa6489 +Merge: 6b4fa1e b9dee26 +Author: Patrick Schleizer +Date: Wed Jan 29 09:36:28 2025 -0500 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit b9dee2633128577245763bad41cf3cb6b49751f3 +Merge: 6b4fa1e 4b1e530 +Author: Patrick Schleizer +Date: Wed Jan 29 09:35:50 2025 -0500 + + Merge pull request #296 from raja-grewal/cpu_details + + Hardware-related Documentation + +commit 6b4fa1ef0055d36a45d65481129dabfee77027e4 +Author: Patrick Schleizer +Date: Thu Jan 23 16:28:58 2025 +0000 + + bumped changelog version + +commit b10f5489a3e3317f01339ea34a0e5c7bfb850a01 +Author: Patrick Schleizer +Date: Thu Jan 23 11:12:26 2025 -0500 + + copyright + +commit 3c18734db32b2d19c3a30e282435f083d307d86e +Author: Patrick Schleizer +Date: Wed Jan 22 14:11:21 2025 +0000 + + bumped changelog version + +commit f90ffacac3d3c12f62f62106a69cb6caeca69041 +Author: Patrick Schleizer +Date: Wed Jan 22 09:09:56 2025 -0500 + + bump permission hardner migration code version + +commit 3a056c9d9c17ed3968f48ac332cee94f714320c7 +Author: Patrick Schleizer +Date: Wed Jan 22 09:05:50 2025 -0500 + + bump permission hardner migration code version + +commit d5ad29a7324dfbece3185026a3f4c58121c453b6 +Author: Patrick Schleizer +Date: Wed Jan 22 09:04:44 2025 -0500 + + add /usr/lib/polkit-1/polkit-agent-helper-1 to permission hardener hardcoded statoverride file + +commit c8a2483cf6735b29ef9b265cc09b58b00b14b6f0 +Author: Patrick Schleizer +Date: Wed Jan 22 13:52:29 2025 +0000 + + bumped changelog version + +commit 80bd314436b99b723359f25e52bbd14683929b56 +Author: Patrick Schleizer +Date: Wed Jan 22 08:25:14 2025 -0500 + + add `.whonix` files to hardcoded files + +commit 9b012bdeee03e73de537e7fe65c0bb8d16b38e79 +Merge: 507130a 42f34f5 +Author: Patrick Schleizer +Date: Wed Jan 22 08:23:49 2025 -0500 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/permission-hardener-symlink-fix' + +commit 
507130a1cc0592bd4a4b280da7496dade470e637 +Merge: f1b6bff ed767e0 +Author: Patrick Schleizer +Date: Wed Jan 22 08:21:39 2025 -0500 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/permission-hardener-diag' + +commit 42f34f5a4ccf95d504e28a26aeb0747fef4685ba +Author: Aaron Rainbolt +Date: Tue Jan 21 21:49:03 2025 -0600 + + Don't handle files with multiple hardlinks + +commit 5e60416c864a7d06f635161a185864fc36d5685c +Author: Aaron Rainbolt +Date: Tue Jan 21 21:05:03 2025 -0600 + + Make permission-hardener always apply changes to real files, not symlinks + +commit ed767e00b0260d29c18c710efe07d68a9beffb34 +Author: Aaron Rainbolt +Date: Tue Jan 21 16:41:30 2025 -0600 + + Add some local variable declarations + +commit 4b1e530674146d4d2b62ff4a87fe3add5667403c +Author: raja-grewal +Date: Tue Jan 21 12:39:06 2025 +0000 + + README.md: List CPU mitigations + +commit 15d13a8571d1f38b2bc36387f61bce24c86be97b +Author: raja-grewal +Date: Tue Jan 21 12:36:04 2025 +0000 + + Add info on DBX updates via the UEFI Revocation List + +commit a97620a2e491cc039adb15af94958f26b39319a2 +Author: Aaron Rainbolt +Date: Mon Jan 20 22:43:55 2025 -0600 + + Add print-diagnostics command to permission-hardener + +commit f1b6bff30b1891bfbe870de9edd78fa7dbd66e7c +Author: Patrick Schleizer +Date: Mon Jan 20 11:35:08 2025 +0000 + + bumped changelog version + +commit df9d058ed9635b168508ded20277c174a24cf3f5 +Author: Patrick Schleizer +Date: Mon Jan 20 06:28:16 2025 -0500 + + usrmerge + +commit 8ff5f3b22125488f64cd384ffbfcbd8f2ecd61a6 +Author: Patrick Schleizer +Date: Mon Jan 20 10:11:43 2025 +0000 + + bumped changelog version + +commit 4e0d5a196ccb8ef3fdf2b67d974f28d02a532f91 +Author: Patrick Schleizer +Date: Mon Jan 20 04:30:26 2025 -0500 + + delete comment only configuration file (moved to user-sysmaint-split) + +commit 1b4d1edfc316f125ff5039bf17897802205750e2 +Author: Patrick Schleizer +Date: Mon Jan 20 04:29:42 2025 -0500 + + comments + +commit 51c7010e8f47ce6e6a28e6267c735e897dcfb053 +Author: 
Patrick Schleizer +Date: Fri Jan 17 13:35:28 2025 +0000 + + bumped changelog version + +commit 876d596a071ac916f7d220ee2449358aedba7efe +Author: Patrick Schleizer +Date: Fri Jan 17 07:55:54 2025 -0500 + + comment + +commit c9e2f82bd01813682998c775f75bac0841239e5e +Merge: 5971869 bf73f1f +Author: Patrick Schleizer +Date: Fri Jan 17 07:53:59 2025 -0500 + + Merge remote-tracking branch 'ArrayBolt3/master' + +commit bf73f1f2b5e429caaf01bfbcdc7d5d032e3c0efb +Author: Aaron Rainbolt +Date: Wed Jan 15 19:10:41 2025 -0600 + + Avoid impossible-to-satisfy dependency on helper-scripts, improve string handling robustness in postinst + +commit 597186972e463ce7a0b44662f7656f351ddf1030 +Author: Patrick Schleizer +Date: Wed Jan 15 15:02:44 2025 +0000 + + bumped changelog version + +commit ca257164105c4f66576024b64c52a42921455d16 +Author: Patrick Schleizer +Date: Wed Jan 15 09:44:48 2025 -0500 + + improve permission hardener migration code + +commit 2dfd30a44ae332faa50bc4920486cdd9480c7e5d +Merge: a84d3ba 328f747 +Author: Patrick Schleizer +Date: Wed Jan 15 09:33:57 2025 -0500 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/more-permission-hardener' + +commit 328f747179ffb2e7705a73bc9a0c5133a17da829 +Author: Aaron Rainbolt +Date: Tue Jan 14 20:35:28 2025 -0600 + + Restore permission-hardener's notice about how to compare old and new states + +commit c6f09748f383fdf7c1b07441c73477b3f18d2768 +Author: Aaron Rainbolt +Date: Tue Jan 14 20:27:53 2025 -0600 + + Handle de-corruption of new_mode a bit better + +commit a0f81958dfb020d311d86cbd00d4f86f678d8be9 +Author: Aaron Rainbolt +Date: Tue Jan 14 19:25:15 2025 -0600 + + De-corrupt the new_mode permission-hardener statoverride database too + +commit 396372c1295e2a09d596f3e23fccc26794a26f05 +Author: Aaron Rainbolt +Date: Tue Jan 14 18:50:24 2025 -0600 + + Avoid scanning unnecessary packages for modified permission-hardener config + +commit a84d3ba732bcbd2fb93ea2bc145a0db0f33f1b77 +Author: Patrick Schleizer +Date: Tue Jan 14 14:32:13 
2025 +0000 + + bumped changelog version + +commit 709036c79f8efc9fefa9e7709780a75f9f5004d2 +Author: Patrick Schleizer +Date: Tue Jan 14 09:31:58 2025 -0500 + + debconf-updatepo + +commit 659c7037c6956f6d905e55a1ebb13ebe6a273dee +Author: Patrick Schleizer +Date: Tue Jan 14 14:30:58 2025 +0000 + + bumped changelog version + +commit 86d3db15bf94dc0f4547105e18ef5f26ca124fa8 +Author: Patrick Schleizer +Date: Tue Jan 14 09:30:46 2025 -0500 + + output + +commit 876c0b618785fc71d1d399ff7ab649382104a714 +Author: Patrick Schleizer +Date: Tue Jan 14 09:29:35 2025 -0500 + + output + +commit c46178dee46f88e8d0007a12a48addc2493faab7 +Author: Patrick Schleizer +Date: Tue Jan 14 09:27:37 2025 -0500 + + output + +commit f3c07a2451fd2818daca6bc248cbbcba213516e7 +Author: Patrick Schleizer +Date: Tue Jan 14 09:24:06 2025 -0500 + + update link + +commit bbc4ad7c2a0827d079ccbb18dce4aaae042a2253 +Author: Patrick Schleizer +Date: Tue Jan 14 14:16:45 2025 +0000 + + bumped changelog version + +commit 9bb92e91a8f364a9d9e5d69e907fe8ed8a3c58a2 +Author: Patrick Schleizer +Date: Tue Jan 14 09:16:25 2025 -0500 + + debhelper + +commit 95dd8f419fc7e9832d8ce6f74d35af9b36752f3f +Author: Patrick Schleizer +Date: Tue Jan 14 14:07:50 2025 +0000 + + bumped changelog version + +commit 0a2f06b456854f1cec3ff93952edef928ac7a184 +Author: Patrick Schleizer +Date: Tue Jan 14 09:07:32 2025 -0500 + + use pre.bsh + +commit 6a4f9c1bd8c48bb1a711eee077ea7a05646b0598 +Author: Patrick Schleizer +Date: Tue Jan 14 14:06:50 2025 +0000 + + bumped changelog version + +commit e60183ec073d278f8d69a5475aa52d75870cd9b0 +Author: Patrick Schleizer +Date: Tue Jan 14 09:06:41 2025 -0500 + + output + +commit a812961beabacca052b4b25b78ecd2c35184d5d5 +Author: Patrick Schleizer +Date: Tue Jan 14 09:06:12 2025 -0500 + + verbose + +commit 0e4dfc59dd9c06dd732affd8ca7f72a1a70a95b0 +Author: Patrick Schleizer +Date: Tue Jan 14 13:53:49 2025 +0000 + + bumped changelog version + +commit cdf179f1277bcae3ef681d35aeca6289d55b3a6a +Author: Patrick 
Schleizer +Date: Tue Jan 14 08:53:38 2025 -0500 + + fix + +commit 41cd09933a506d55bab1f8bf101840cf4bbbf028 +Author: Patrick Schleizer +Date: Tue Jan 14 09:26:05 2025 +0000 + + bumped changelog version + +commit eec2e2c8ee621c6ebb152abbfe3951fa0322a0d0 +Author: Patrick Schleizer +Date: Tue Jan 14 04:13:39 2025 -0500 + + comment + +commit 6d282226ef653accf1de32582b999ff31775f60f +Author: Patrick Schleizer +Date: Tue Jan 14 04:12:12 2025 -0500 + + comment + +commit 466308e4f9ebd496ff54dd9f77881ce10a558802 +Author: Patrick Schleizer +Date: Tue Jan 14 04:09:57 2025 -0500 + + permission hardener: disable SUID for `chrome-sandbox` + +commit 7a5f8b87af7142ce973bd88abf98279ce15559a9 +Author: Patrick Schleizer +Date: Tue Jan 14 04:06:44 2025 -0500 + + permission hardener: disable SUID for `ssh-agent`, `ssh-keysign`, `/lib/openssh/*` + + This might break SSH host-based authentication. + +commit d89ffcde30f6115c25c1bc807eb30b18c21e2b6e +Author: Patrick Schleizer +Date: Tue Jan 14 04:04:09 2025 -0500 + + comment + +commit 9f1759ba0ea7ecee87c8777226eb8a56482deeb5 +Author: Patrick Schleizer +Date: Tue Jan 14 03:56:55 2025 -0500 + + comment + +commit 0ac85ea9f56abdf621ec1b4f2acf08a2450067ba +Author: Patrick Schleizer +Date: Tue Jan 14 03:54:35 2025 -0500 + + comment + +commit fce6a5f8303cd891efd8bbfef861e357dc90e88e +Author: Patrick Schleizer +Date: Tue Jan 14 03:51:43 2025 -0500 + + comment + +commit 1e9940481318d8d7a443b98f0906089759f27a5d +Author: Patrick Schleizer +Date: Tue Jan 14 03:50:16 2025 -0500 + + comment + +commit b198591537a01f5b35c9301ca28a24c70864bcbd +Author: Patrick Schleizer +Date: Tue Jan 14 03:49:42 2025 -0500 + + comment + +commit 7d44db2cb268c4eb31b50bbd44b87b8001dc068c +Author: Patrick Schleizer +Date: Tue Jan 14 03:49:15 2025 -0500 + + usrmerge + +commit 7e7632a55396e10e20a6e9d8d563011694cccc85 +Author: Patrick Schleizer +Date: Tue Jan 14 08:24:05 2025 +0000 + + bumped changelog version + +commit 420cb3f86f69c4505702a8f38271fb095316cb6f +Author: Patrick 
Schleizer +Date: Tue Jan 14 03:19:21 2025 -0500 + + refactoring + +commit b7e7b2767eb957dd1401f5abcff07bfcb47a4c00 +Author: Patrick Schleizer +Date: Tue Jan 14 03:18:17 2025 -0500 + + refactoring + +commit b2a1a0ec9f8db1d84c222e734737b7ed149f6d92 +Author: Patrick Schleizer +Date: Tue Jan 14 03:17:00 2025 -0500 + + refactoring + +commit 69ae2d9ea0826aa81c70e957bb5a9241a84346ad +Merge: de1f31e de9ebab +Author: Patrick Schleizer +Date: Tue Jan 14 03:15:45 2025 -0500 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/permission-hardener-migrate' + +commit de9ebabd46798ff2afa259907b6a7b976070e7f0 +Author: Aaron Rainbolt +Date: Mon Jan 13 21:57:10 2025 -0600 + + Fix minor migration bugs, don't run the migration code on new image builds + +commit a9e87e9d308f5e61a2d2054fa038dae6faadad3a +Author: Aaron Rainbolt +Date: Sun Jan 12 21:13:43 2025 -0600 + + Prevent installation failures when installing non-interactively + +commit 5570d3e5b9f97f14c772facff16dc45df66d42e9 +Author: Aaron Rainbolt +Date: Sun Jan 12 20:40:41 2025 -0600 + + Add a forgotten set -e + +commit 07786de03953b91310588e0b37b9e150bf1b4736 +Author: Aaron Rainbolt +Date: Sun Jan 12 19:34:41 2025 -0600 + + Enable smooth migration from permission-hardener-v1 to permission-hardener-v2 + +commit de1f31e3df1a0fba0a4c6e41b9b46e076266cfd4 +Author: Patrick Schleizer +Date: Sun Jan 12 11:47:18 2025 +0000 + + bumped changelog version + +commit b0baa8baa57937358dc988b88adab4858a1d8cae +Author: Patrick Schleizer +Date: Sun Jan 12 05:38:35 2025 -0500 + + add link + +commit d6a7cd3e0d1e677c1fa8c1fb3b307cdbe0f45031 +Author: Patrick Schleizer +Date: Sun Jan 12 05:36:16 2025 -0500 + + formatting. 
+ + use chapter to make allow for deep linking + +commit 485d9abd1d14e445b48f0fd63290a985b05a5ac7 +Author: Patrick Schleizer +Date: Fri Jan 10 15:34:21 2025 +0000 + + bumped changelog version + +commit c17485baa118e76cc8074ce3e72ac3ac38c577cd +Merge: 482960d e9ef360 +Author: Patrick Schleizer +Date: Fri Jan 10 10:32:26 2025 -0500 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit e9ef3602dd1661de0c0c3781d7e0246720643354 +Merge: 1b33e83 cf435a8 +Author: Patrick Schleizer +Date: Fri Jan 10 10:30:34 2025 -0500 + + Merge pull request #292 from raja-grewal/cpu_table + + Add link to tabular comparison of CPU mitigations + +commit 1b33e83529d652dab4468e0b386e333b3ca4745b +Merge: 486757b 2e6e170 +Author: Patrick Schleizer +Date: Fri Jan 10 10:29:30 2025 -0500 + + Merge pull request #291 from raja-grewal/drop_gratuitous_arp + + Drop gratuitous ARP packets + +commit 486757bfae5e7ecc389b16c49704e742fd267565 +Merge: 17ff249 c37f4ef +Author: Patrick Schleizer +Date: Fri Jan 10 10:29:12 2025 -0500 + + Merge pull request #290 from raja-grewal/arp_ignore + + Respond to ARP requests only if the target IP address is on-link + +commit 17ff24915062736a32d4d54da7163fe34aa70fd3 +Merge: 27d19ba 1f8eee4 +Author: Patrick Schleizer +Date: Fri Jan 10 10:28:48 2025 -0500 + + Merge pull request #289 from raja-grewal/arp_filter + + Enable ARP filtering + +commit 27d19ba568e601c37035a310ae6cdd7d953be286 +Merge: 482960d 5e3785d +Author: Patrick Schleizer +Date: Fri Jan 10 10:28:05 2025 -0500 + + Merge pull request #288 from raja-grewal/shared_media + + Deny sending and receiving shared media redirects + +commit 482960d056ec8d624f127bfe9b1c69a4c30c7e34 +Author: Patrick Schleizer +Date: Fri Jan 10 10:21:12 2025 -0500 + + permission-hardener: move to new state folder `/var/lib/permission-hardener-v2` without migration + + https://github.com/Kicksecure/security-misc/pull/294 + +commit cf435a8fa8e6f795a25ef004cf44a65d461dd32c +Author: raja-grewal +Date: Fri Jan 10 13:22:21 2025 
+1100 + + README.md: Note importance of microcode updates + +commit 3a31cc99b34617cdd3c5f8e8950a37158849cb56 +Merge: c4cfb85 5941195 +Author: Patrick Schleizer +Date: Thu Jan 9 09:30:58 2025 -0500 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/usrmerge' + +commit 538b312349a97bcecb12e62519d77840afcd6ca3 +Author: raja-grewal +Date: Thu Jan 9 15:28:56 2025 +1100 + + Add comment about microcode updates + +commit 1f8eee47200221e2e38291a31e852e9c222d8c64 +Author: raja-grewal +Date: Wed Jan 8 18:36:00 2025 +1100 + + Add missing sentence full stop + +commit 5e3785d76e616f49407e720b37138f35a50fe4fb +Author: raja-grewal +Date: Wed Jan 8 18:35:52 2025 +1100 + + README.md: Remove double space + +commit 5941195e96880b8beb2a791d3c21f3a4c6d429eb +Author: Aaron Rainbolt +Date: Tue Jan 7 14:10:46 2025 -0600 + + Don't worry about files under /bin anymore, Bookworm uses a merged /usr directory + +commit c4cfb8597d1a8631a4cbfa7e88212b798e2bc514 +Merge: c6be621 93ebf17 +Author: Patrick Schleizer +Date: Mon Jan 6 08:43:54 2025 -0500 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/permission-hardener-refactor' + +commit c6be621968c898f792ef1a450d2e1be5cd6056da +Author: Patrick Schleizer +Date: Mon Jan 6 10:31:40 2025 +0000 + + bumped changelog version + +commit 6e0787957b53a64132b64e2a29bafe3e4b66d178 +Author: Patrick Schleizer +Date: Mon Jan 6 05:29:40 2025 -0500 + + increase priority of pam wheel so it is checked even before faillock + + in case of attemtping to use `su` without being a member of the required group `sudo`, it's useful to abort the PAM stack as early as possible to avoid needlessly propmting for a password to later + be rejected tu to lack of group membership + +commit d4767b75206b46f1a006cd91b00239a7b828fc89 +Author: Patrick Schleizer +Date: Mon Jan 6 04:24:44 2025 -0500 + + fix: apply PAM wheal only to `su` PAM service + +commit 93ebf176c5f38bd268e5394e01421e46b9ae7dff +Author: Aaron Rainbolt +Date: Thu Jan 2 20:41:40 2025 -0500 + + Make the main 
field count check in permission-hardener a bit more elegant + +commit 895c0f541fb34f9ebfee9c7ef79c053d5af4a7cc +Merge: 717e6fc 40b23cf +Author: Aaron Rainbolt +Date: Wed Jan 1 15:04:01 2025 -0600 + + Merge branch 'master' into arraybolt3/permission-hardener-refactor + +commit 40b23cfad40825eefc3686e562d78250b58bbc82 +Author: Patrick Schleizer +Date: Tue Dec 31 18:42:01 2024 +0000 + + bumped changelog version + +commit 33114f771aaeb4dccb0b465861d1239129deb8b2 +Author: Patrick Schleizer +Date: Tue Dec 31 13:26:21 2024 -0500 + + copyright + +commit bb24bff2965ca31de6337820eafd787a11a44a2b +Author: Patrick Schleizer +Date: Tue Dec 31 14:09:34 2024 +0000 + + bumped changelog version + +commit 0640964c35b0d977ba718629d4a8791e67700202 +Author: Patrick Schleizer +Date: Tue Dec 31 06:14:29 2024 -0500 + + readme + +commit 717e6fcfbea38cef9d3e201cf2e2b725e3da2267 +Author: Aaron Rainbolt +Date: Mon Dec 30 19:23:20 2024 -0600 + + Post-review improvements to permission-hardener + +commit dbcb612517abbf8d162cfb31ba0585c518df8817 +Author: Aaron Rainbolt +Date: Wed Dec 25 19:48:28 2024 -0600 + + Polish permission-hardener refactor + +commit 397b476a822c9f7e41ec911f5d689b67026660ad +Author: Patrick Schleizer +Date: Thu Dec 26 04:12:02 2024 +0000 + + bumped changelog version + +commit 66f8c18c65f33676d242b57ebb1d4410876461b3 +Merge: aa82202 6602fb1 +Author: Patrick Schleizer +Date: Wed Dec 25 22:43:04 2024 -0500 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/sysmaint' + +commit 83d386795940099e0835c51f3522aae3d9217dc8 +Author: Aaron Rainbolt +Date: Tue Dec 24 20:14:57 2024 -0600 + + Refactor permission-hardener to be more idempotent + +commit 6602fb102dedc21300ae4c4519f3d9ef4e668045 +Author: Aaron Rainbolt +Date: Tue Dec 24 20:52:34 2024 -0600 + + Adjust pam-info messaging for sysmaint mode + +commit aa82202e701167eacb63eac208469844e983ca43 +Author: Patrick Schleizer +Date: Tue Dec 24 05:16:22 2024 +0000 + + bumped changelog version + +commit 
27d015d58ebc5e750d9d06f042b761720473941d +Merge: 3c73c0c 2f3a2bc +Author: Patrick Schleizer +Date: Tue Dec 24 00:08:58 2024 -0500 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/sysmaint' + +commit 2f3a2bce7756efe75cd8aaf5066b599b4c49bbdc +Author: Aaron Rainbolt +Date: Fri Dec 20 11:04:22 2024 -0600 + + Add warning about using non-sysmaint accounts in sysmaint mode + +commit 3c73c0cd3a845d1a484551ff50f59e5f2ef56a68 +Author: Patrick Schleizer +Date: Fri Dec 20 06:01:27 2024 +0000 + + bumped changelog version + +commit a4c76c617a18a49168e0ffdba2d8b0ae834f2877 +Author: Patrick Schleizer +Date: Fri Dec 20 01:01:13 2024 -0500 + + syntax fix + +commit b40bc0a2c9b17b3569918a6839bce1c67af5c9df +Author: Patrick Schleizer +Date: Fri Dec 20 05:58:24 2024 +0000 + + bumped changelog version + +commit b21c394ea52401c0d77b6ec396af6a49335f5e0b +Author: Patrick Schleizer +Date: Fri Dec 20 00:56:20 2024 -0500 + + Trigger permission hardener when new configuration files are being installed. + +commit cd027b86e710b6f6b8fac6dd0ebcdcd691e86dd3 +Author: Patrick Schleizer +Date: Fri Dec 20 05:48:48 2024 +0000 + + bumped changelog version + +commit ad6e1f5ad490e12fc5e69b82da5dc1830cc41c96 +Author: Patrick Schleizer +Date: Fri Dec 20 00:41:06 2024 -0500 + + move from `/etc/permission-hardener.d` to `/usr/lib/permission-hardener.d` + +commit a2c1e8c218117a47ef70dd767d753be5d084adfa +Author: Patrick Schleizer +Date: Fri Dec 20 00:39:51 2024 -0500 + + clean up old files in `/etc/permission-hardener.d` + because will be moved to `/usr/lib/permission-hardener.d` + +commit 6de5d2d0763539d6d0d4b19b501bb316ed3b2c94 +Author: Patrick Schleizer +Date: Fri Dec 20 00:37:44 2024 -0500 + + permission hardener: also parse `/usr/lib/permission-hardener.d/*.conf` folder + +commit 721b100fb64136b7c36c8d43c90c716a1fed42d0 +Author: Patrick Schleizer +Date: Thu Dec 19 10:58:50 2024 +0000 + + bumped changelog version + +commit 642b4eeedc43e69bb82ea259b52c0946ce638983 +Author: raja-grewal +Date: Thu Dec 19 
21:57:25 2024 +1100 + + Add link to tabular comparison of CPU mitigations + +commit 175b442d5bb9dfcb4e9b524ec2077e72c74598cc +Author: Patrick Schleizer +Date: Thu Dec 19 05:56:50 2024 -0500 + + use long option name + +commit c99021bb0c1d5b6bf361cc483449330cdd218ee6 +Merge: 95b5357 9d69cd1 +Author: Patrick Schleizer +Date: Thu Dec 19 05:56:01 2024 -0500 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/sysmaint' + +commit 2e6e1701a052ef32711f6c3abaad693a773323f6 +Author: raja-grewal +Date: Thu Dec 19 10:35:08 2024 +0000 + + Set `net.ipv4.conf.*.drop_gratuitous_arp=1` + +commit c37f4efadf8f046168732871172cb66f58eb7c78 +Author: raja-grewal +Date: Thu Dec 19 10:33:49 2024 +0000 + + Set `net.ipv4.conf.*.arp_ignore=2` + +commit af1d06973bdd46af3e39b0bdfda81b950ccac996 +Author: raja-grewal +Date: Thu Dec 19 10:31:43 2024 +0000 + + Set `net.ipv4.conf.*.arp_filter=1` + +commit 750367a9066ca2a0ff819b438a92cb1f6c325edb +Author: raja-grewal +Date: Thu Dec 19 10:29:56 2024 +0000 + + Set `net.ipv4.conf.*.shared_media=0` + +commit 95b535764c8a98b67a71ee1fd57b7f01da464106 +Author: Patrick Schleizer +Date: Thu Dec 19 09:43:26 2024 +0000 + + bumped changelog version + +commit daf0a0900b780a9d44d0d9b49b3fca6ddbd20d18 +Author: Patrick Schleizer +Date: Thu Dec 19 04:39:34 2024 -0500 + + fix apt-get-update for non-English locale + + https://forums.kicksecure.com/t/systemcheck-reports-warning-debian-package-update-check-result-apt-get-reports-that-packages-can-be-updated-but-system-is-already-fully-upgraded/785 + +commit e9a5b14a0db6f071424c19e6f4b006386afb6ab4 +Author: Patrick Schleizer +Date: Thu Dec 19 06:57:42 2024 +0000 + + bumped changelog version + +commit 3135a03e21f9e5816097e25aaa7f4a1671f8f87d +Merge: f0c611d c7f7196 +Author: Patrick Schleizer +Date: Thu Dec 19 00:34:56 2024 -0500 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit c7f7196471b07a580c6d4a5d86739215508142cd +Merge: e5b67e0 3749f8f +Author: Patrick Schleizer +Date: Thu Dec 19 00:31:25 2024 
-0500 + + Merge pull request #287 from raja-grewal/patch + + Refactor and add two CPU mitigations + +commit f0c611d9edb5fd7a3e00d13b248c65abda2c9d8a +Author: Patrick Schleizer +Date: Thu Dec 19 00:18:25 2024 -0500 + + comment + +commit 4f681be77429984695a1b0f689065051884e7bf7 +Merge: 4c3ca68 4cf5757 +Author: Patrick Schleizer +Date: Thu Dec 19 00:17:44 2024 -0500 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit e5b67e044bb5011dd667879a73a670f2c5f74057 +Merge: 4cf5757 c116796 +Author: Patrick Schleizer +Date: Thu Dec 19 00:15:02 2024 -0500 + + Merge pull request #279 from raja-grewal/arp + + Provide network-related hardening options via `sysctl`'s + +commit 4cf5757575c1257a14331f0169a9d8d163e1326d +Merge: 9d06341 1708a03 +Author: Patrick Schleizer +Date: Thu Dec 19 00:08:56 2024 -0500 + + Merge pull request #282 from ArrayBolt3/arraybolt3/umask + + Enable umask hardening + +commit 9d69cd1912ab657e7916b38f56b477c2b7abd0a3 +Author: Aaron Rainbolt +Date: Wed Dec 18 21:34:16 2024 -0600 + + Add sysmaint account lock detection + +commit 3749f8ff097551a843e5ed80de52c6770a32e0c6 +Author: raja-grewal +Date: Wed Dec 18 03:36:09 2024 +0000 + + Update presentation on user namespaces + +commit 0dff2cd28fd769955757cdef1b7f9d637a1180c5 +Author: raja-grewal +Date: Wed Dec 18 03:32:35 2024 +0000 + + Minor additions + +commit 3e96fdd9ccb6268403d6c4f9a061c4a33e6f6dd2 +Author: raja-grewal +Date: Tue Dec 17 11:44:11 2024 +0000 + + Enable `kvm.mitigate_smt_rsb=1` + +commit 45355aabdc180a6a2fdd4a374c6f7d72f4d36240 +Author: raja-grewal +Date: Tue Dec 17 11:42:52 2024 +0000 + + Enable `kvm-intel.vmentry_l1d_flush=always` + +commit defba1f2450b2c8bbc668bf5f6f6f0d101338cc7 +Author: raja-grewal +Date: Tue Dec 17 11:42:03 2024 +0000 + + Refactor CPU mitigations + +commit 943c421889ce5dfe3869380e4587ca22724f2ce7 +Author: raja-grewal +Date: Tue Dec 17 11:40:38 2024 +0000 + + Minor refactoring + +commit ca3a73ac13d805515f71f1be7ecedc33d3a1b519 +Author: raja-grewal +Date: Tue 
Dec 17 11:37:10 2024 +0000 + + Typo + +commit 4c3ca68453b44074025a1ec9f31451c57344f3cf +Author: Aaron Rainbolt +Date: Mon Dec 9 12:37:11 2024 -0600 + + Disable unnecessary sudoers exceptions + +commit 9d06341c91b51f9c737fe67457045924323635f0 +Merge: a9dd592 5b88e92 +Author: Patrick Schleizer +Date: Sat Dec 14 15:18:56 2024 -0500 + + Merge pull request #285 from Kicksecure/permission-hardener-mount + + Permission Hardener: treat mount same as umount + +commit c1167968542a62d0677517e11505f6e9222ec378 +Author: raja-grewal +Date: Thu Dec 12 06:36:47 2024 +0000 + + `arp_ignore`: Add reference to 2024-12-10 Mullvad VPN audit details + +commit a9dd592a8b49226f326e90111178aebba3cc144f +Author: Patrick Schleizer +Date: Tue Dec 10 19:19:10 2024 +0000 + + bumped changelog version + +commit 58722324ec0be98c3e44938df8cb60ca9b261210 +Merge: 518224b 439fa7f +Author: Patrick Schleizer +Date: Tue Dec 10 14:18:50 2024 -0500 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/no-recovery-mode' + +commit 518224b8cf9e99a830b584d8d54b5dea2925c8f5 +Author: Patrick Schleizer +Date: Tue Dec 10 19:17:10 2024 +0000 + + bumped changelog version + +commit 439fa7f3be74f5eba4b98f73c0bb50fd37e8b0e1 +Author: Aaron Rainbolt +Date: Sun Dec 8 03:21:27 2024 -0600 + + Harden/disable recovery mode options + +commit 7902311c570edd4286ba36f0cb85223d1e909a03 +Author: Patrick Schleizer +Date: Sat Dec 7 04:54:47 2024 -0500 + + do not create /etc/sysctl.d/30-lkrg-virtualbox.conf if LKRG is not installed + +commit 1ce37d42cd2c132eca8c45ddb04fdb594349d08f +Author: Patrick Schleizer +Date: Sat Dec 7 04:50:40 2024 -0500 + + . + +commit 5b88e92e5c4b951e659e1574fc248bd11158dfb2 +Author: Patrick Schleizer +Date: Fri Dec 6 09:48:58 2024 -0500 + + permission hardner: treat `mount` the same way we treat `umount` + + Thanks to @the-moog for the bug report! 
+ + fixes https://github.com/Kicksecure/security-misc/issues/284 + +commit 93b51819d4693955936456916188b4118fe68a66 +Author: Patrick Schleizer +Date: Fri Dec 6 09:47:08 2024 -0500 + + permission hardener mount chmod change from `745` to `755` + + https://github.com/Kicksecure/security-misc/issues/284 + +commit 1708a03e1edda821ef091f10c46d32f740511d38 +Author: Aaron Rainbolt +Date: Thu Nov 28 15:20:57 2024 -0600 + + Enable umask hardening + +commit 59299a6639fef31565b8f3cef857c9faa331e0f7 +Author: Patrick Schleizer +Date: Mon Nov 25 21:07:42 2024 +0000 + + bumped changelog version + +commit 98d7c245ee11f16e566422a17543aaed2c155d88 +Author: Patrick Schleizer +Date: Mon Nov 25 15:57:30 2024 -0500 + + "|| exit 1" no longer required thanks to errexit + +commit f9b5d7d3f4f2ed8d1baae67d8427f13cf26aee8d +Author: Patrick Schleizer +Date: Mon Nov 25 15:48:01 2024 -0500 + + use strict shell options + +commit d32cb8c95b09721e52c4d682a0ddd39d590a4368 +Author: Patrick Schleizer +Date: Mon Nov 25 15:44:00 2024 -0500 + + use TMP, sponge, refactoring + +commit 62a551cfe39a6a640f32e6e97f3e915aa8673514 +Merge: af43472 d7475e2 +Author: Patrick Schleizer +Date: Mon Nov 25 15:38:01 2024 -0500 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/sudoers' + +commit d7475e252a64e296913ed8893261e52e72163d55 +Author: Aaron Rainbolt +Date: Thu Nov 21 20:03:42 2024 -0600 + + Make apt-get-update able to be terminated securely + +commit af43472d0ccdecb1725a200d10aeeb1b8d51f31a +Author: Patrick Schleizer +Date: Thu Nov 14 22:24:50 2024 +0000 + + bumped changelog version + +commit c7e9460b2ae8dcb96196fef69a7e0ed992c1b43b +Author: Patrick Schleizer +Date: Thu Nov 14 16:31:12 2024 -0500 + + output + +commit 31804e30ecc9c5a1c5a8e1e014d3dcb85cee4f36 +Author: Patrick Schleizer +Date: Thu Nov 14 20:46:26 2024 +0000 + + bumped changelog version + +commit ef95b3f9a5aed9652c541cf4bf05b20011718466 +Author: Patrick Schleizer +Date: Thu Nov 14 14:41:14 2024 -0500 + + Revert "fix `panic-on-oops.service`" + 
+ This reverts commit 862d23cb10b7687084f8e7e207d1e2c9c1ef6751. + +commit 412b371e85044962f6620386b767369b9e25d71e +Merge: 141b84c 57e1edd +Author: raja-grewal +Date: Wed Nov 13 16:47:57 2024 +1100 + + Merge branch 'Kicksecure:master' into arp + +commit 141b84c40de76988ec78bdccf1c1d67fc4367b3f +Author: raja-grewal +Date: Wed Nov 13 05:42:56 2024 +0000 + + Provide option to deny sending and receiving shared media redirects + +commit 18aec201bfb0477fee8800ad1388099e11920016 +Author: raja-grewal +Date: Wed Nov 13 05:41:25 2024 +0000 + + Provide option to harden response to ARP requests + +commit a25d4f8df88908e83e56049204aa625f1196a948 +Author: raja-grewal +Date: Wed Nov 13 05:40:21 2024 +0000 + + Provide option to enable ARP filtering + +commit c2aae73ce161811571e4c85609a0b043399c1b65 +Author: raja-grewal +Date: Wed Nov 13 05:38:03 2024 +0000 + + Add reference and move text + +commit 57e1edde23aa3f313ce087e00ebc14d158356d6c +Author: Patrick Schleizer +Date: Tue Nov 12 09:11:57 2024 +0000 + + bumped changelog version + +commit 7987a3914d364e674eb7479b15708c450041af02 +Author: Patrick Schleizer +Date: Tue Nov 12 02:29:42 2024 -0500 + + deleted no longer used and out-commented `/etc/sudoers.d/xfce-security-misc` leftover + +commit 8c2e8e69798e5255529ab3dbee6ca07b8b293100 +Author: Patrick Schleizer +Date: Tue Nov 12 01:41:12 2024 -0500 + + deleted no longer used and out-commented `etc/sudoers.d/pkexec-security-misc` leftover + +commit 65fc0419a84d62e07c61d7e37ef27d144b6b6794 +Author: Patrick Schleizer +Date: Mon Nov 11 11:07:57 2024 +0000 + + bumped changelog version + +commit 50161f5d79eea2ab796863e4eb30eccc17e0b41d +Author: Patrick Schleizer +Date: Mon Nov 11 05:48:11 2024 -0500 + + moved /etc/dkms/framework.conf.d/30_security-misc.conf (renamed) to usability-misc + +commit 7c06e22c7d11c345428f3ad42ba43805ebc8d810 +Author: Patrick Schleizer +Date: Mon Nov 11 05:43:25 2024 -0500 + + deleted `/usr/bin/pkexec.security-misc` + + This was not used anymore for anything. 
In the past, we used to `config-package-dev` `replace` `/usr/bin/pkexec` with `/usr/bin/pkexec.security-misc` for the purpose of: + + > Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with hidepid. + + * https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040 + * https://forums.whonix.org/t/cannot-use-pkexec/8129 + + This was a worthwhile effort, interesting approach but ultimately a dead-end. + +commit ef05b1a160b24d5aa42da9cc15009d94a37cf120 +Author: Patrick Schleizer +Date: Mon Nov 11 05:40:41 2024 -0500 + + disable legacy matroxfb_base framebuffer driver + + fix typo matroxfb_bases -> matroxfb_base + + Thanks to @ArrayBolt3 for the bug report! + +commit 862d23cb10b7687084f8e7e207d1e2c9c1ef6751 +Author: Patrick Schleizer +Date: Mon Nov 11 05:36:41 2024 -0500 + + fix `panic-on-oops.service` + + remove `After=multi-user.target` because already using `WantedBy=multi-user.target` + + Thanks to @ArrayBolt3 for the bug report! + +commit 29ae5f5980d521f6a4b468f5bf41210f78fdf10a +Author: Patrick Schleizer +Date: Mon Nov 11 05:28:31 2024 -0500 + + fix optional opt-in `harden-module-loading.service` + + by making `/usr/libexec/security-misc/disable-kernel-module-loading` executable + + Thanks to @ArrayBolt3 for the bug report! + +commit 4c649577f053af12bcd02c20576bf2d8aec1476d +Author: Patrick Schleizer +Date: Sun Nov 10 11:52:42 2024 +0000 + + bumped changelog version + +commit 29b1f1ec5f3a4bf3991fc1b862751c8eb9769ecd +Merge: 5bd0a27 238f32e +Author: Patrick Schleizer +Date: Sun Nov 10 06:32:30 2024 -0500 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 5bd0a277bf39812c6adf40a7a3ef6390935fa08e +Author: Patrick Schleizer +Date: Sun Nov 10 06:29:17 2024 -0500 + + fix permission-hardener issue "Removing capabilities failed. 
File: '/bin/ping'" + + no longer user end-of-options marker (`--`) for `setcap` + since setcap does not support it + + Fixes https://github.com/QubesOS/qubes-issues/issues/9569 + + https://forums.whonix.org/t/permission-hardener-error/20719 + +commit 238f32e81d835e5b9d3bc43a0654d05efa4c4313 +Merge: 3af2684 8107782 +Author: Patrick Schleizer +Date: Fri Nov 8 07:39:40 2024 -0500 + + Merge pull request #280 from raja-grewal/ssbd + + Enable `ssbd=force-on` + +commit 8107782fa54ec0e21893e6bd4a6baabb71eb864b +Author: raja-grewal +Date: Fri Nov 8 15:36:04 2024 +1100 + + Enable `ssbd=force-on` + +commit a1d1f97955fd9fd3cee77dc04e2eb5e5fa29d243 +Author: raja-grewal +Date: Fri Nov 8 03:58:23 2024 +0000 + + Provide option to drop gratuitous ARP packets + +commit 3af2684134279ba6f5b18b40986f02a50baa5604 +Author: Patrick Schleizer +Date: Wed Oct 30 09:43:05 2024 +0000 + + bumped changelog version + +commit 71c58442ca6d57cd95b72a76ed87f8c248cdbd98 +Author: Patrick Schleizer +Date: Mon Oct 28 05:10:19 2024 -0400 + + minor + +commit cfe19e31d858d7899f4d95e21117c992d236d328 +Author: Patrick Schleizer +Date: Mon Oct 28 05:09:53 2024 -0400 + + shell options + +commit 0d506156587f87a303184f22259ffb57dd92cbc8 +Author: Patrick Schleizer +Date: Mon Oct 28 05:07:00 2024 -0400 + + local + +commit ef0eb5f7a0c5a62c5d26bf6dc534f6aa3decc4b0 +Author: Patrick Schleizer +Date: Mon Oct 28 05:06:26 2024 -0400 + + refactoring + +commit fdd1f4b7f88efc22bb57c2ad3e83c0c2e8cbb064 +Author: Patrick Schleizer +Date: Mon Oct 28 05:06:05 2024 -0400 + + refactoring + +commit d00235897d686895a7e2e7da7435832fee008164 +Author: Patrick Schleizer +Date: Mon Oct 28 05:03:59 2024 -0400 + + hide-hardware-info: also parse `/usr/local/etc/hide-hardware-info.d/*.conf` + +commit 6c2e808b9f34900840bd2857fed10d1ffd4cc4c2 +Author: Patrick Schleizer +Date: Mon Oct 28 05:03:20 2024 -0400 + + refactoring + +commit b44e507900defe3db68f31f3e110b1c3e5aa684c +Author: Patrick Schleizer +Date: Wed Oct 23 09:56:05 2024 +0000 + + 
bumped changelog version + +commit 566cda5e4bc69f54d63d72f1e30703074fdf0ce8 +Author: Patrick Schleizer +Date: Mon Oct 21 05:47:38 2024 -0400 + + output + +commit 5991a23049491dd04c19d9ea80f7d7381dd494a0 +Author: Patrick Schleizer +Date: Mon Oct 21 05:47:25 2024 -0400 + + comment + +commit fd34baff8ff17ed572469d9d6d884e6c0d881d20 +Merge: b643330 690e8dd +Author: Patrick Schleizer +Date: Mon Oct 21 05:43:53 2024 -0400 + + Merge remote-tracking branch 'ArrayBolt3/master' + +commit 690e8dd826d1cb39c0c12c03792781862cc2dd23 +Author: Aaron Rainbolt +Date: Sat Oct 19 23:49:07 2024 -0500 + + Avoid faillock lock/tally reset on reboot or timeout + +commit b6433309fd7d6839cfba89e1197590e1ff62ef58 +Author: Patrick Schleizer +Date: Fri Oct 18 12:45:02 2024 -0400 + + use end-of-options + +commit 0cfcdf4f89dc75f2a8e3f8a9e8c69dc3ba3da78a +Author: Patrick Schleizer +Date: Wed Oct 16 10:57:20 2024 +0000 + + bumped changelog version + +commit 0adb9b7c0609a51d503b61ab40ae7d8e55635043 +Merge: 263335f e50ad80 +Author: Patrick Schleizer +Date: Wed Oct 16 06:31:09 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit e50ad807c01b5753c67d579126d7b79d38070c0a +Merge: 263335f eb72163 +Author: Patrick Schleizer +Date: Wed Oct 16 06:29:25 2024 -0400 + + Merge pull request #276 from raja-grewal/KSPP_header + + Clarify KSPP compliance header + +commit eb72163d5707c7673db1f12405d2e04261bd43c8 +Author: raja-grewal +Date: Mon Oct 14 03:01:15 2024 +0000 + + README.md: Make line lengths consistent + +commit a9f238fe048acfeff49f96c00570acc6ca4c37e8 +Author: raja-grewal +Date: Mon Oct 14 02:57:31 2024 +0000 + + README.md: Split optional setting to new line + +commit 09fe46adc956e8c6de232f1093c37cdd30933acd +Author: raja-grewal +Date: Mon Oct 14 02:54:30 2024 +0000 + + Clarify KSPP compliance header for the undocumented case + +commit 263335f74ea0f050f9c259e20141c3345e7fa789 +Author: Patrick Schleizer +Date: Tue Oct 8 11:24:56 2024 +0000 + + bumped changelog version + +commit 
9169611645d0cd5a308ff48862f351ef5ea5f7e8 +Merge: 8a2d432 8227a3d +Author: Patrick Schleizer +Date: Tue Oct 8 05:54:50 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 8227a3dde2995ceb113164baf49591d52c2b53e1 +Merge: 8a2d432 0c0774f +Author: Patrick Schleizer +Date: Tue Oct 8 05:53:48 2024 -0400 + + Merge pull request #273 from raja-grewal/text_2 + + Documentation update 2 + +commit 0c0774f6c0927ed1cc599f931175985b8f01ec30 +Merge: dc470ca 8a2d432 +Author: raja-grewal +Date: Sun Oct 6 10:48:52 2024 +0000 + + Merge branch 'master' into text_2 + +commit dc470cac1d93656354aeaaac0a6f8cbbd39f9f0f +Author: raja-grewal +Date: Sun Oct 6 10:46:05 2024 +0000 + + Remmove deprecated link + +commit 8a2d432ffe6d4eb661026b6e7dbf534bb1db971b +Author: Patrick Schleizer +Date: Thu Oct 3 07:22:23 2024 +0000 + + bumped changelog version + +commit 0e3ffa3f11a0049e57803c8f2e75dbb7d8ceb22c +Author: Patrick Schleizer +Date: Thu Oct 3 02:58:58 2024 -0400 + + no longer set `kernel.unprivileged_userns_clone=0` + + because it breaks too much + + fixes https://github.com/Kicksecure/security-misc/issues/274 + +commit f401d94d5e0d0f26e93be55deda440fe565a6b22 +Author: Patrick Schleizer +Date: Thu Oct 3 02:44:06 2024 -0400 + + expand documentation on `kernel.unprivileged_userns_clone=0` sysctl + + https://github.com/Kicksecure/security-misc/issues/274 + +commit ac1378743c7448c9a7e7e02bebcf3270592d42a5 +Author: raja-grewal +Date: Mon Sep 30 16:56:18 2024 +1000 + + Consistent formatting + +commit eae38e72f30ff9b9f8d0b8b0b33182a918333e48 +Author: raja-grewal +Date: Thu Sep 26 13:10:36 2024 +0000 + + README.md: Show the current max_map_count + +commit f3b50a23c976ba4feff34eee721c50f698ecc5bf +Author: raja-grewal +Date: Thu Sep 26 13:10:01 2024 +0000 + + Add reference on unprivileged_userns_restriction + +commit 39d063d494cb540f45747f6253ab896200ba03c3 +Author: raja-grewal +Date: Thu Sep 26 13:09:21 2024 +0000 + + Add KSPP=no definition + +commit 
5572eb897a10455041df8abec6b6be6de29431a0 +Author: Patrick Schleizer +Date: Wed Sep 25 01:03:42 2024 +0000 + + bumped changelog version + +commit e04f9cd4c17305d5201aa973c34778e81508734b +Merge: 18d426f 65aa910 +Author: Patrick Schleizer +Date: Tue Sep 24 20:16:06 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 65aa910503c07f708abf20f78be2f519ef58764a +Merge: 18d426f 870ff88 +Author: Patrick Schleizer +Date: Tue Sep 24 20:15:03 2024 -0400 + + Merge pull request #272 from raja-grewal/text + + Documentation update + +commit 870ff88605b8167c8882162cc3da005d71ca0cd3 +Author: raja-grewal +Date: Wed Sep 25 10:01:45 2024 +1000 + + Comment on Flatpak requiring unprivileged user namespaces + +commit 769767a96a5de2a8bc05e70ca490d8340b553061 +Author: raja-grewal +Date: Wed Sep 25 09:54:49 2024 +1000 + + Update mmap ASLR docs + +commit 18d426f521b2b1369fe68e143dc8a0be064d0dcc +Author: Patrick Schleizer +Date: Sat Sep 14 02:56:09 2024 +0000 + + bumped changelog version + +commit 3280dbd5d562d7f6b50118ac0da36c3285493be6 +Author: Patrick Schleizer +Date: Fri Sep 13 22:52:47 2024 -0400 + + Fix VirtualBox audio device ICH AC97. + + no longer `blacklist snd_intel8x0` + + Breaks VirtualBox audio device ICH AC97, which is unfortunately still required by some users. 
+ https://www.kicksecure.com/wiki/Dev/audio + + Fixes https://github.com/Kicksecure/security-misc/issues/271 + +commit 1bc694fa124eaeb6e1517d2191a8fd97446872c4 +Author: Patrick Schleizer +Date: Sun Sep 8 17:41:30 2024 +0000 + + bumped changelog version + +commit 01908d505a59e7ec37cc3de3e1d49ff35ba127aa +Author: Patrick Schleizer +Date: Thu Sep 5 07:00:11 2024 -0400 + + readme + +commit e914028be7a48a3bfdf86e09c029011807f080d7 +Author: Patrick Schleizer +Date: Thu Sep 5 06:03:05 2024 -0400 + + add KSPP compliance status to readme based on comment by @raja-grewal + + https://github.com/Kicksecure/security-misc/issues/256#issuecomment-2330376651 + +commit 40fb14c654df94e9bdfb30ae55fc3bc4f0a0aef4 +Author: Patrick Schleizer +Date: Wed Sep 4 14:13:15 2024 +0000 + + bumped changelog version + +commit 5a255d4831470449a26b324a8f16594432bf834b +Merge: d618f9f 563a898 +Author: Patrick Schleizer +Date: Wed Sep 4 10:12:34 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 563a8980133e15e33ac95a631e37ecfff88f6f8f +Merge: 175945e e61027a +Author: Patrick Schleizer +Date: Wed Sep 4 10:11:48 2024 -0400 + + Merge pull request #265 from raja-grewal/mmap_min_addr + + Set `sysctl vm.mmap_min_addr=65536` + +commit d618f9f35b8e8c6eee1e164a6ec300d63b1ee797 +Merge: 59374ce 175945e +Author: Patrick Schleizer +Date: Wed Sep 4 10:07:50 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 175945ec9a28bf1e5b0fa0d2ae2bd6546d6c6172 +Merge: b0a8544 3101035 +Author: Patrick Schleizer +Date: Wed Sep 4 10:05:47 2024 -0400 + + Merge pull request #268 from raja-grewal/panic_on_warn + + Enable `panic_on_warn=1` + +commit b0a8544182f6ff3c8c3f1068176ff5e9e4f557ef +Merge: 59374ce 7393ba1 +Author: Patrick Schleizer +Date: Wed Sep 4 10:04:45 2024 -0400 + + Merge pull request #270 from raja-grewal/typo + + Small typo + +commit 7393ba159192fdfc45ef31a3fa60786f899dbf25 +Author: raja-grewal +Date: Wed Sep 4 23:23:24 2024 +1000 + + Typo + +commit 
59374ce902127e2125addc2ebb57d0d856a63671 +Author: Patrick Schleizer +Date: Thu Aug 29 09:49:51 2024 +0000 + + bumped changelog version + +commit 7e2838ec077b53e41d468d5655290152761c8745 +Merge: 9c918eb 0762794 +Author: Patrick Schleizer +Date: Thu Aug 29 05:06:07 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 0762794ff684049a62b5b92b61177615a5376ad7 +Merge: 9c918eb 6294729 +Author: Patrick Schleizer +Date: Thu Aug 29 04:46:26 2024 -0400 + + Merge pull request #269 from raja-grewal/tidy + + Minor correction + +commit 6294729c8ef24077cd342b4557653806c3aacd34 +Author: Raja Grewal +Date: Thu Aug 29 15:34:24 2024 +1000 + + Follow-up on https://github.com/Kicksecure/security-misc/commit/f70fe308a9f65873d34de2d1906d825f3a56e272 + +commit 3101035a3fd5fbe87c79e95e51dc2da39fee93d5 +Author: Raja Grewal +Date: Thu Aug 29 01:57:32 2024 +1000 + + Enable `panic_on_warn=1` + +commit 9c918eb4313b60dc15aa9fa4474a7977602030c1 +Author: Patrick Schleizer +Date: Wed Aug 28 11:01:37 2024 +0000 + + bumped changelog version + +commit f70fe308a9f65873d34de2d1906d825f3a56e272 +Author: Patrick Schleizer +Date: Wed Aug 28 06:49:50 2024 -0400 + + no longer set sysctl `fs.binfmt_misc.status=0` / + no longer disallow registering interpreters for miscellaneous binary formats + + causing file/folder permissions issue `d????????? ? ? ? ? ? 
.` + + Firefox no longer starting (probably not not a Firefox issue) + + https://github.com/Kicksecure/security-misc/issues/267 + +commit 463aa58f28b6389d0925fed87096b348b652cc16 +Merge: cf824dd 328840c +Author: Patrick Schleizer +Date: Wed Aug 28 06:42:49 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 328840c933a583adc5458aa08c63fb627b31b298 +Merge: cf824dd 9e91c98 +Author: Patrick Schleizer +Date: Wed Aug 28 06:38:57 2024 -0400 + + Merge pull request #264 from raja-grewal/kspp_compliance + + Add KSPP compliance notices to corresponding parameters and `sysctls` + +commit 9e91c98cc926e7a166458cd78e3c1d1ced23c753 +Author: Raja Grewal +Date: Mon Aug 26 12:40:04 2024 +1000 + + Add details on BPF hardening and split the `sysctl`s + +commit 2c356e8b0ef7db56e7b453535c8cb6c83fc2e3c6 +Author: Raja Grewal +Date: Mon Aug 26 11:34:12 2024 +1000 + + Add KSPP notice definitions + +commit 2841d789bebbd43f855b6ffb92a3a6f017007a72 +Author: Raja Grewal +Date: Mon Aug 26 11:21:26 2024 +1000 + + README: Update + +commit ac6602ac3531ae57603e8a9e5ac2ee1652164b23 +Author: Raja Grewal +Date: Mon Aug 26 11:19:20 2024 +1000 + + Add detail on disabling user namespaces breaking UPower + +commit 9dbd200be415c86e7039463c6269fad8395a4373 +Merge: 32de5e7 cf824dd +Author: raja-grewal +Date: Mon Aug 26 11:08:21 2024 +1000 + + Merge branch 'Kicksecure:master' into kspp_compliance + +commit cf824ddb248957fd9e542c1a5adc5e90381f684c +Author: Patrick Schleizer +Date: Sun Aug 25 15:34:55 2024 +0000 + + bumped changelog version + +commit 500568e322b2e3623fc649209d671c7b9d9fa097 +Merge: 43d13b7 73900b5 +Author: Patrick Schleizer +Date: Sun Aug 25 11:01:58 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 73900b59db37d77bc24bd5088aae3cc760aacc69 +Merge: 43d13b7 1f51d4e +Author: Patrick Schleizer +Date: Sun Aug 25 11:00:51 2024 -0400 + + Merge pull request #263 from raja-grewal/max_user_namespaces + + Provide option to disable user namespaces 
+ +commit 43d13b70f12d2198a800054ce4d1ff901cc474f9 +Merge: 8353764 fae586c +Author: Patrick Schleizer +Date: Sun Aug 25 10:55:52 2024 -0400 + + Merge remote-tracking branch 'raja/syntax' + +commit 835376418d616699023f8e638666f43d34241863 +Merge: ae85fd5 342caf8 +Author: Patrick Schleizer +Date: Sun Aug 25 10:48:25 2024 -0400 + + Merge remote-tracking branch 'raja/mod' + +commit ae85fd5b4ce6f4716f95332c19b79d3daa8f7220 +Author: Patrick Schleizer +Date: Sun Aug 25 14:33:40 2024 +0000 + + bumped changelog version + +commit 433b15f985545f531b87d09659bbbb89993b5a67 +Author: Raja Grewal +Date: Wed Aug 21 12:51:51 2024 +1000 + + README.md: Organise `sysctl`s + +commit af87a84b4f40b2ad9ac05dd9bce837665f239454 +Author: Raja Grewal +Date: Wed Aug 21 12:52:48 2024 +1000 + + README.md: Organise kernel boot parameters + +commit 32de5e7c49d301b62b838ba88550f58b02b6562b +Author: Raja Grewal +Date: Sun Aug 25 12:57:22 2024 +1000 + + Add details on oopses and warnings + +commit e4909b5e28e16f09de0e548c9221578ebe1190a3 +Author: Raja Grewal +Date: Sun Aug 25 12:47:04 2024 +1000 + + Add details on kernel panics + +commit 342caf82b20acc2931563449fafe9a98cbedaba2 +Author: Raja Grewal +Date: Wed Aug 21 12:52:48 2024 +1000 + + README.md: Organise kernel boot parameters + +commit b87a18d4050bbf2add5cc4920684876a440e65bb +Author: Raja Grewal +Date: Wed Aug 21 12:51:51 2024 +1000 + + README.md: Organise `sysctl`s + +commit 18ed77ecc93e9ee759a4990a32edb3dd671b8c26 +Author: Raja Grewal +Date: Wed Aug 21 12:50:14 2024 +1000 + + Refactor modprobe.d to minimise potential future merge conflicts + +commit 56b28e38264fe742b8d694176f1057c15574fc08 +Author: Raja Grewal +Date: Mon Aug 19 11:50:08 2024 +1000 + + Typo + +commit e61027a40e2ab82fac3ae4cfd5f91fd0a47f31e5 +Author: Raja Grewal +Date: Mon Aug 19 11:32:20 2024 +1000 + + Set `sysctl vm.mmap_min_addr=65536` + +commit 94dab1b7c503429e2fa91019a0183b2f36c6693f +Author: Raja Grewal +Date: Mon Aug 19 10:53:05 2024 +1000 + + Partial compliance with the 
KSPP on kernel panics + +commit 683110e7f02fa5fc6415354386552640cdb8758b +Author: Raja Grewal +Date: Mon Aug 19 01:34:14 2024 +1000 + + Correction + +commit 1f51d4eeb2b0c6e23ce64fb272eecb97e089324d +Author: Raja Grewal +Date: Sun Aug 18 13:53:11 2024 +1000 + + Add details on user namespaces + +commit 248e094b8e0bbf7892f79ad1c3ec77c7ed00d008 +Author: Raja Grewal +Date: Sat Aug 17 01:06:21 2024 +1000 + + Include KSPP compliance notices + +commit 759aee8150a2d1258d73217c071b25432d47496f +Author: Raja Grewal +Date: Fri Aug 16 22:54:57 2024 +1000 + + Provide option to disable user namespaces + +commit fae586c3c5e8382ca01c60f810b26d88189a5514 +Author: Raja Grewal +Date: Fri Aug 16 19:23:48 2024 +1000 + + Patch bug in existing `rp_filter` `sysctl` + +commit e962153f84c4cb8e13fb0cc25d611ae481c7a0c7 +Author: Patrick Schleizer +Date: Fri Aug 16 08:38:12 2024 +0000 + + bumped changelog version + +commit 40b12f5a2a4a40d7033569b11ad4e1c228e7389b +Merge: 12296c6 305467c +Author: Patrick Schleizer +Date: Fri Aug 16 04:30:29 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 305467c652af933bb5aa5a677b10a992a5f19cab +Merge: 12296c6 a5373af +Author: Patrick Schleizer +Date: Fri Aug 16 04:25:43 2024 -0400 + + Merge pull request #245 from raja-grewal/blacklist_to_disable + + Update `/etc/modprobe.d/*` + +commit 12296c68dc0aaa3703e1c36f854a02de8db412fe +Merge: 4bc12b0 036bcea +Author: Patrick Schleizer +Date: Fri Aug 16 04:22:43 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 036bcea4e6757de094fcafdadcf56aaa90729d79 +Merge: ef60c5b 81bf7a8 +Author: Patrick Schleizer +Date: Fri Aug 16 04:20:32 2024 -0400 + + Merge pull request #262 from raja-grewal/docs + + Miscellaneous updates to presentation + +commit 81bf7a8f90098a7107dcb3c783b87a168f5c090f +Merge: cea8e75 ef60c5b +Author: raja-grewal +Date: Fri Aug 16 16:57:01 2024 +1000 + + Merge branch 'Kicksecure:master' into docs + +commit ef60c5b153a521e1cfd522ac471a8ca6dc076d90 
+Merge: 4bc12b0 b552b92 +Author: Patrick Schleizer +Date: Fri Aug 16 02:43:57 2024 -0400 + + Merge pull request #249 from raja-grewal/binfmt_misc + + Disallow registering interpreters for miscellaneous binary formats + +commit cea8e753786d100ebe961ad74a99925e54d47771 +Author: Raja Grewal +Date: Fri Aug 16 14:55:22 2024 +1000 + + Consistent formating + +commit 84376d23fc17d2ced890ffca0b05d15907d42a6f +Author: Raja Grewal +Date: Fri Aug 16 13:39:11 2024 +1000 + + Add details on ASLR and move to user space section + +commit a13298002350a39491a509d15633edb95a2e3edd +Author: Raja Grewal +Date: Fri Aug 16 13:24:25 2024 +1000 + + Update README.md + +commit 9212a4e93754a4505be3fcf0ff4b029c073d2f07 +Author: Raja Grewal +Date: Fri Aug 16 13:12:07 2024 +1000 + + Typos + +commit 23a77d4973ec20b2aaab6a9c3a9fd8a98034923e +Author: Raja Grewal +Date: Fri Aug 16 12:46:51 2024 +1000 + + Simplify syntax of some network-related `sysctl`'s + +commit e3a3207a4447568a17129afe9dde34debc465e21 +Author: Raja Grewal +Date: Fri Aug 16 12:41:36 2024 +1000 + + Clarify DMA hardening + +commit be9308e490f79a7b7788a744524d1d91cc870726 +Merge: 73db68d 4bc12b0 +Author: raja-grewal +Date: Fri Aug 16 11:45:43 2024 +1000 + + Merge branch 'Kicksecure:master' into docs + +commit 4bc12b07b42def786862b938e3f63c18cf874158 +Author: Patrick Schleizer +Date: Thu Aug 15 17:51:18 2024 +0000 + + bumped changelog version + +commit 9e61e37c17524b57f185b796f2ac19ba193205a8 +Merge: 89e816d dfd1c97 +Author: Patrick Schleizer +Date: Thu Aug 15 13:47:33 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit dfd1c97168249b229495cbd873d4d8493e244663 +Merge: 89e816d ec3038c +Author: Patrick Schleizer +Date: Thu Aug 15 13:46:30 2024 -0400 + + Merge pull request #248 from raja-grewal/secure_redirects + + Re-enable (default) `secure_redirects` for ICMP redirect messages + +commit b552b92401f67d59e12ac6fda2f7fe1c54b0c8a7 +Author: Raja Grewal +Date: Thu Aug 15 11:54:21 2024 +1000 + + Add references on 
`fs.binfmt_misc.status` + +commit 326d82a9beee130956dd817812016a6ee16fccbc +Author: Raja Grewal +Date: Thu Aug 15 11:46:56 2024 +1000 + + Revert "Provide optional `sysctl fs.binfmt_misc.status=0`" + + This reverts commit debd7a7b7ae8b03e04d2c8597bcccf2c79000570. + +commit 73db68dbf9a1f9ded95a593db36a4960ce06a173 +Author: Raja Grewal +Date: Fri Aug 9 14:27:30 2024 +1000 + + Add details on KFENCE + +commit f8fa89b245d929aee9884937fdcf44a6551df4cf +Author: Raja Grewal +Date: Fri Aug 9 14:21:59 2024 +1000 + + Add details on `tcp_timestamps` + +commit 3456f1c1d7725846ec201c28dd693bf9b07bab89 +Author: Raja Grewal +Date: Fri Aug 9 13:39:25 2024 +1000 + + Minor consistency update in README.md + +commit 15c638acad64cc3dcc7b5c43d9a6be2fa2350654 +Author: Raja Grewal +Date: Fri Aug 9 13:36:47 2024 +1000 + + Add reference on RDRAND + +commit 077bc48a26d1d3f5d1f758d7e251edccba64742b +Author: Raja Grewal +Date: Fri Aug 9 13:35:33 2024 +1000 + + Add reference on `rp_filter` + +commit d8bcec881f66604e29d6e0c1426635e2ad4979f1 +Author: Raja Grewal +Date: Fri Aug 9 13:33:32 2024 +1000 + + Add some notices for future Debian 13 rebase + +commit 0b0683499a6a21e3995a115c377eb19008bc4cd1 +Author: Raja Grewal +Date: Fri Aug 9 13:30:39 2024 +1000 + + Consistent line length formatting + +commit e5a38fc856c66d2bd6abc35fc08d4f2083ea8e54 +Author: Raja Grewal +Date: Fri Aug 9 13:30:15 2024 +1000 + + Typo + +commit a5373afc55e789f4657f3d843243e878e4afffa2 +Author: Raja Grewal +Date: Wed Aug 7 14:44:14 2024 +1000 + + Details on disabled `fbdev` kernel modules + +commit e98dc8c4f8af32dd3b10c034477fd2154df189ac +Author: Raja Grewal +Date: Wed Aug 7 14:14:47 2024 +1000 + + Update notifications for disabled kernel modules + +commit 50fa721fd54cd696ae90a35bc7df7c8f1eb17a13 +Author: Raja Grewal +Date: Wed Aug 7 14:01:49 2024 +1000 + + Update docs regarding Intel module disabling + +commit ec3038c7bc625f6c8eddb753ffe295ff2697a717 +Author: Raja Grewal +Date: Wed Aug 7 13:48:53 2024 +1000 + + Clarify 
`secure_redirects` + +commit debd7a7b7ae8b03e04d2c8597bcccf2c79000570 +Author: Raja Grewal +Date: Wed Aug 7 13:33:44 2024 +1000 + + Provide optional `sysctl fs.binfmt_misc.status=0` + +commit 89e816dda6c5a00512b276071c4d9fe108ee63b5 +Author: Patrick Schleizer +Date: Tue Aug 6 14:01:39 2024 +0000 + + bumped changelog version + +commit 967f9e257b09bc73ddb579292d507f7cb9832643 +Merge: fa90918 a25aaf9 +Author: Patrick Schleizer +Date: Tue Aug 6 09:57:56 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit a25aaf900a12666046278a9fab6933b3d5670679 +Merge: 6bc039a 8559079 +Author: Patrick Schleizer +Date: Tue Aug 6 09:55:20 2024 -0400 + + Merge pull request #260 from raja-grewal/vdso32 + + Enable `vdso32=0` + +commit 6bc039a430289342f06857a52a5f13829d6e50f5 +Merge: ce60d56 d102ec1 +Author: Patrick Schleizer +Date: Tue Aug 6 09:52:56 2024 -0400 + + Merge pull request #259 from raja-grewal/kfence + + Enable `kfence.sample_interval=100` + +commit ce60d5615fe99e41c48d459f562d581a688c295a +Merge: b027842 c0d140f +Author: Patrick Schleizer +Date: Tue Aug 6 09:48:08 2024 -0400 + + Merge pull request #258 from raja-grewal/legacy_tiocsti + + Enable `dev.tty.legacy_tiocsti=0` + +commit b0278428a73cd3d329aaa36626005e0c593331f0 +Merge: fa90918 aa34d86 +Author: Patrick Schleizer +Date: Tue Aug 6 09:39:04 2024 -0400 + + Merge pull request #257 from raja-grewal/slab_debug + + Enable `slab_debug=FZ` + +commit 8559079312adb4ed92e5f478120b408dfe7a1124 +Author: Raja Grewal +Date: Mon Aug 5 15:10:02 2024 +1000 + + Enable `vdso32=0` + +commit d102ec19972865032f12f90bffe3e592546f0267 +Author: Raja Grewal +Date: Mon Aug 5 15:07:56 2024 +1000 + + Enable `kfence.sample_interval=100` + +commit c0d140f2211e6490d13e3cd327005027c668905f +Author: Raja Grewal +Date: Mon Aug 5 15:06:34 2024 +1000 + + Enable `dev.tty.legacy_tiocsti=0` + +commit aa34d86598f5b846b007730104e4c99c59f9984d +Author: Raja Grewal +Date: Mon Aug 5 14:27:17 2024 +1000 + + Enable `slab_debug=FZ` + 
+commit 4f7f82016015f61002ac8f778b61968c572dc7dc +Author: Raja Grewal +Date: Mon Aug 5 14:16:33 2024 +1000 + + Add reference + +commit fa9091869d417c6494840d0cb32623037d70c8be +Merge: 06f0c27 725118c +Author: Patrick Schleizer +Date: Sun Aug 4 16:20:36 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 725118c5759b45118bbd2804492526ea2a7c1a81 +Merge: 6d97408 6d211fa +Author: Patrick Schleizer +Date: Sun Aug 4 16:19:52 2024 -0400 + + Merge pull request #243 from raja-grewal/namespaces + + Restrict unprivileged user namespaces + +commit 06f0c27128a66c1074f405de3139651519e48204 +Merge: 8abc5ae 6d97408 +Author: Patrick Schleizer +Date: Sun Aug 4 16:15:01 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 6d97408a6d2f002461ae6ca1d647fbf24bf1b99e +Merge: 8abc5ae 6f14d68 +Author: Patrick Schleizer +Date: Sun Aug 4 16:11:46 2024 -0400 + + Merge pull request #255 from raja-grewal/SLUB + + Restore option to enable `slub_debug=FZ` + +commit 8abc5ae8f0f152c68f855f0e8d993880589c5d5c +Merge: de6f3ea eab66da +Author: Patrick Schleizer +Date: Sun Aug 4 16:09:52 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit eab66dad0994e408c1beaade3fdcf2cd1d605b31 +Merge: de6f3ea ca2179b +Author: Patrick Schleizer +Date: Sun Aug 4 16:08:32 2024 -0400 + + Merge pull request #254 from raja-grewal/patch + + Updates to kernel and `sysctl` hardening + +commit 6f14d68cdcad3784311e33029eba6906ea0784c2 +Author: Raja Grewal +Date: Sat Aug 3 15:12:15 2024 +1000 + + Update legacy name `slub_debug` -> `slab_debug` + +commit 22b6cee80c74aff3d0f9cd36822ae88f8fa8e601 +Author: Raja Grewal +Date: Sat Aug 3 15:11:14 2024 +1000 + + Add details about `slub_debug` + +commit b77d1a2b980ae20158aa628eec67b016282d0a40 +Author: Raja Grewal +Date: Sat Aug 3 14:49:48 2024 +1000 + + Revert "Remove the optional `slub_debug` parameter since it is no longer recommended" + + This reverts commit 48e1ac416314d2c66f3a0d5044a3c51cb6fb4093. 
+ +commit ca2179bb6a01e3ebbb1e04e3507cc305f25bca4e +Author: Raja Grewal +Date: Sat Aug 3 00:25:49 2024 +1000 + + Provide the option to disable legacy TIOCSTI operation + +commit 52aeacb4da4a8458b0ffdc1ade4094a178def6f4 +Author: Raja Grewal +Date: Sat Aug 3 00:13:38 2024 +1000 + + Provide option to disable 32 bit vDSO mappings + +commit 9099ecce8ae12352f2b739d3d7adf6069488ff49 +Author: Raja Grewal +Date: Sat Aug 3 00:12:50 2024 +1000 + + Provide option to enable the kernel Electric-Fence + +commit f6a16258a116ce5c5f4f6bad9d8ab9b6e1ec6bb7 +Author: Raja Grewal +Date: Sat Aug 3 00:11:06 2024 +1000 + + Add references to KSPP + +commit e53d24fc48b51a21fc182cc59890e97a1d7ac647 +Author: Raja Grewal +Date: Sat Aug 3 00:09:42 2024 +1000 + + Add missing GRUB command lines for disabled boot parameters + +commit de6f3ea74a5a1408e4351c955ecb7010825364c5 +Author: Patrick Schleizer +Date: Sun Jul 28 20:50:22 2024 +0000 + + bumped changelog version + +commit d036094089e3e3a74df981c50882481273fcb6c0 +Merge: e60ce50 0f86fbd +Author: Patrick Schleizer +Date: Sun Jul 28 15:44:40 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 0f86fbd8ceea3157ee035eb9f4a0ff13024f1bc9 +Merge: e60ce50 73979d4 +Author: Patrick Schleizer +Date: Sun Jul 28 15:43:54 2024 -0400 + + Merge pull request #242 from raja-grewal/ptrace + + Disable the usage of `ptrace()` by all processes + +commit 9cabaa1bd15a0639c87bf2e965755d06ff0a7bb4 +Author: Raja Grewal +Date: Sun Jul 28 22:04:30 2024 +1000 + + Typo + +commit d2d024ebe9a371eaf90b7b72f8a227e5d2e9babe +Author: Raja Grewal +Date: Sun Jul 28 22:03:33 2024 +1000 + + Typo + +commit 9fbee9fc82768c3b436307459d174378ee471335 +Author: Raja Grewal +Date: Sun Jul 28 21:57:25 2024 +1000 + + Clarify + +commit e60ce50d30c8981f13d8bab1d6ca8b8efb9d8928 +Author: Patrick Schleizer +Date: Sat Jul 27 16:13:35 2024 +0000 + + bumped changelog version + +commit e86b2e7f8fcda5727b158579610cb6a0354e89cf +Author: Patrick Schleizer +Date: Sat Jul 27 
12:13:18 2024 -0400 + + output + +commit 144545762674e914046bb94100237329320e8ece +Author: Raja Grewal +Date: Sat Jul 27 14:00:30 2024 +1000 + + Show details regarding `secure_redirects` (again) + +commit 73979d4342dae2017be52d5182bb66fa28be398d +Author: Raja Grewal +Date: Sat Jul 27 13:28:59 2024 +1000 + + Link to `ptrace()` discussion + +commit 1c9f33f90606fb930744f1b9afc11caf87626194 +Author: Raja Grewal +Date: Sat Jul 27 13:24:08 2024 +1000 + + Revert "Disable the usage of `ptrace()` by all processes" + + This reverts commit b04828f858fa6d101099773d3156841fd6d33b6f. + +commit 330cf14eab248d035fa467dba4f7bc3eb92a33bb +Author: Patrick Schleizer +Date: Fri Jul 26 15:40:24 2024 +0000 + + bumped changelog version + +commit 62bb4bc6269a0603c15f1efaad7ca365ea15c9d7 +Merge: 7969e86 886f609 +Author: Patrick Schleizer +Date: Fri Jul 26 11:10:25 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 886f6095dba71d76d5fd98277374417657e0cd31 +Merge: 7969e86 ed33366 +Author: Patrick Schleizer +Date: Fri Jul 26 11:08:30 2024 -0400 + + Merge pull request #250 from raja-grewal/Panik-Kalm + + Add details on "oopes" and kernel panics + +commit 7969e8607160eae0cb5a3adddeec8d07c1d6e097 +Merge: e2ae93a 0318f57 +Author: Patrick Schleizer +Date: Fri Jul 26 11:06:13 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 0318f577ab554ae2ac0f9417b18134723ea2b580 +Merge: e2ae93a 4397de0 +Author: Patrick Schleizer +Date: Fri Jul 26 11:04:29 2024 -0400 + + Merge pull request #246 from raja-grewal/cfi + + Provide the option to change the default CFI implementation in the future + +commit e2ae93a9571f2f0c9077ea61436a540a3be5a894 +Author: Patrick Schleizer +Date: Fri Jul 26 10:30:45 2024 -0400 + + port to safe_echo + +commit 8ec23ed7128580ed0092df43945ba55e94163a6d +Author: Patrick Schleizer +Date: Fri Jul 26 10:28:57 2024 -0400 + + echo does not support end-of-options + +commit 6096ed1109a0d5a62a844552fee500ebe66071c8 +Author: Patrick 
Schleizer +Date: Fri Jul 26 10:26:43 2024 -0400 + + comment + +commit ac41d1cfff8b722248a5ef1dfe38a8c704f04134 +Author: Patrick Schleizer +Date: Fri Jul 26 10:25:59 2024 -0400 + + comment + +commit 3b033ceba24e5e14056d54710d782397e5c669df +Author: Patrick Schleizer +Date: Fri Jul 26 10:17:24 2024 -0400 + + shellcheck + +commit 04d9ca1ebe79cae5cce04b6533285b8d1299d692 +Author: Patrick Schleizer +Date: Fri Jul 26 10:16:20 2024 -0400 + + use `find` with `safe_echo_nonewline` + +commit 20454fb81157f1f962f36d9c37d34f4ac650a1e6 +Merge: 28b25bd 6bbf176 +Author: raja-grewal +Date: Sat Jul 27 00:09:30 2024 +1000 + + Merge branch 'Kicksecure:master' into blacklist_to_disable + +commit 6bbf176e3b91f842cf4cdeaf8cb1f4c60e159a0c +Author: Patrick Schleizer +Date: Fri Jul 26 09:33:45 2024 -0400 + + consider end-of-options for `find` + +commit 794f6a25fa87a9d6d796b07ee06b690ea0badc92 +Author: Patrick Schleizer +Date: Fri Jul 26 09:08:29 2024 -0400 + + comment + +commit 7e0f1a87010674c63963b70c87e903cf27b288ef +Author: Patrick Schleizer +Date: Fri Jul 26 09:08:04 2024 -0400 + + dpkg-statoverride can actually handle '--file-name'. + +commit ee037c01a1208b9247c3ae144fa3faa68657ffdb +Author: Patrick Schleizer +Date: Fri Jul 26 08:58:44 2024 -0400 + + Skip file names starting with '--', + + because this would be interpreted by dpkg-statoverride as an option. 
+ +commit 82d401a7de58b74448113bed36c8f0cc073c7f82 +Author: Patrick Schleizer +Date: Fri Jul 26 08:52:42 2024 -0400 + + sanity test + +commit 0e661bc688c7222840c9d83fb3ccab6549b3ac11 +Author: Patrick Schleizer +Date: Fri Jul 26 08:49:14 2024 -0400 + + output + +commit d144f68d1a06a1153c4178b2f6ba9643dededbb8 +Author: Patrick Schleizer +Date: Fri Jul 26 08:46:08 2024 -0400 + + output + +commit 05504b9ab251ae6e48b5d28eb5fdcd12d730ea8a +Author: Patrick Schleizer +Date: Fri Jul 26 08:40:10 2024 -0400 + + minor + +commit d96c0633d431dafd034ae8d1ae0ffbb59c49be4a +Author: Patrick Schleizer +Date: Fri Jul 26 08:39:11 2024 -0400 + + more use of end of options + +commit 8e40c10c319a76e0256c8f135182b0ca7f532f85 +Author: Patrick Schleizer +Date: Fri Jul 26 08:31:17 2024 -0400 + + comment + +commit f2c9c2f5d1b59127b22fae4dd4b8bb7a6f98a485 +Author: Patrick Schleizer +Date: Fri Jul 26 08:26:16 2024 -0400 + + output + +commit 2b40ea75e9c3f679fd09ae331a56f294c3ac7607 +Author: Patrick Schleizer +Date: Fri Jul 26 08:24:23 2024 -0400 + + cleanup + +commit 6f0551b944cbf83d82f7a1a554c4461bc971520b +Author: Patrick Schleizer +Date: Fri Jul 26 08:23:54 2024 -0400 + + refactoring + +commit aac450f80836b03478b9e2632afc5a4519f9b37a +Author: Patrick Schleizer +Date: Fri Jul 26 08:22:04 2024 -0400 + + refactoring + +commit 30f46790a4df7662926fa43d44ac34c3286dd590 +Author: Patrick Schleizer +Date: Fri Jul 26 08:21:21 2024 -0400 + + use end of options whenever possible + +commit 95722d6d7902367afb44175263a8628df9ad01b2 +Author: Patrick Schleizer +Date: Fri Jul 26 08:13:33 2024 -0400 + + use long option name + +commit 19f131c7426aaa5199504e75aba180a7771a2520 +Author: Patrick Schleizer +Date: Fri Jul 26 08:07:08 2024 -0400 + + code simplification + + https://github.com/Kicksecure/security-misc/pull/251 + +commit 9694cf0cd1a225c68d45814e0f4d6995659a0066 +Author: Patrick Schleizer +Date: Fri Jul 26 07:43:59 2024 -0400 + + output + +commit bdfe764f9d805b14dca4196e623e81ce95145d9b +Merge: 9f13523 
652a06c +Author: Patrick Schleizer +Date: Fri Jul 26 07:19:05 2024 -0400 + + Merge remote-tracking branch 'ben-grande/stat-dedup' + +commit 9f135231ccdc3f6eba27db2e1794eff23f03fc0f +Author: Patrick Schleizer +Date: Fri Jul 26 06:43:01 2024 -0400 + + no longer disable Intel ME related kernel modules + + because that might break firmware updates + + This reverts commit 64f8b2eb5870664fca06aa060f2f50af358ced55. + + https://github.com/Kicksecure/security-misc/issues/239 + +commit f616da7c0690fc0dffc21be59174ed8754ec55fb +Author: Patrick Schleizer +Date: Fri Jul 26 09:40:59 2024 +0000 + + bumped changelog version + +commit 4397de0138dac47aee66570fcfe4ef38c8179321 +Author: Raja Grewal +Date: Fri Jul 26 11:30:46 2024 +1000 + + Update description of `cfi=kcfi` kerenel parameter + +commit 652a06c8e9f841e043cc5b5fb030b149cb70dc85 +Author: Ben Grande +Date: Thu Jul 25 12:37:21 2024 +0200 + + Only print SUID or SGID values when set + +commit 3b8a3f9b832ee1eee959fbcce8b5eed417d4712e +Author: Ben Grande +Date: Thu Jul 25 12:20:16 2024 +0200 + + Unduplicate stat call + +commit 28b25bda3f51c7d5a6ee6d28446cb5f731f452d0 +Author: Raja Grewal +Date: Thu Jul 25 15:51:32 2024 +1000 + + Partial inclusion of GrapheneOS infrastructure blacklist + +commit ed3336694ce35614ab47db42bce29d3c69d46752 +Author: Raja Grewal +Date: Thu Jul 25 10:28:27 2024 +1000 + + Provide the option to immediately reboot on a kernel panics + +commit 3926b91dcf371377d38c747e5c7718ac2fed3c83 +Author: Raja Grewal +Date: Thu Jul 25 10:26:23 2024 +1000 + + Add documentation on `sysctl kernel.panic_on_oops=1` + +commit f699eb02a27ef54b9ced5866447b63152984af66 +Author: Raja Grewal +Date: Thu Jul 25 10:11:33 2024 +1000 + + Set `sysctl fs.binfmt_misc.status=0` + +commit 9231f058911ab9059e91c4c0c1677ef66b5bb666 +Author: Patrick Schleizer +Date: Wed Jul 24 13:31:49 2024 -0400 + + todo + +commit 4cc1289e89b341e15725d65e405e607ea4784f9f +Author: Patrick Schleizer +Date: Wed Jul 24 13:30:30 2024 -0400 + + output + +commit 
10c73b326f824f783169383888b9464965a53cbb +Author: Patrick Schleizer +Date: Wed Jul 24 12:07:26 2024 -0400 + + fix delimiter parsing + +commit a16dd8474bf72c2b8c63adc7500140e89d19fedb +Author: Patrick Schleizer +Date: Wed Jul 24 11:50:30 2024 -0400 + + sanity test + +commit cc2b335ee692cc04a2c4e298902f3503927b2c50 +Author: Patrick Schleizer +Date: Wed Jul 24 11:48:32 2024 -0400 + + cleanup + +commit 6cadc70a96cd709fb7a94abcb14e7dd97c57fdb8 +Author: Patrick Schleizer +Date: Wed Jul 24 11:47:52 2024 -0400 + + output + +commit cda0d26af7c057dab8edf4897f98c2e8f83e3d56 +Author: Patrick Schleizer +Date: Wed Jul 24 11:45:13 2024 -0400 + + cannot use NULL inside a bash variable + + use custom delimiter instead + +commit 4a5312b3a9419c8b3e07dda2b650d5fbf9a38d34 +Author: Patrick Schleizer +Date: Wed Jul 24 11:27:51 2024 -0400 + + output + +commit 3bf1f26c0bb271d63c16b314e4da040abf5b3713 +Author: Patrick Schleizer +Date: Wed Jul 24 11:20:26 2024 -0400 + + downgrade warning of non-existing folders to info + + to avoid all users by default getting a warning for expected non-existing folders + +commit 151ca659a9f5565744ff57f3b581c8c051def148 +Author: Patrick Schleizer +Date: Wed Jul 24 11:19:15 2024 -0400 + + output + +commit c9fd2ceb61ea176c731432f02a9fa40652fbddc8 +Author: Patrick Schleizer +Date: Wed Jul 24 11:13:35 2024 -0400 + + downgrade warning of non-existing files to info + + to avoid all users by default getting a warning for expected non-existing files + +commit 721392901be384014298f59deb57747b825c8b37 +Author: Patrick Schleizer +Date: Wed Jul 24 11:12:39 2024 -0400 + + remove duplicate test + +commit 9712b5b4e3cff3eac8ef03b5e562ff89d74ef4b8 +Author: Patrick Schleizer +Date: Wed Jul 24 11:12:18 2024 -0400 + + output + +commit 00911df5c1de24960ad6d21b4cd99450f2d08a88 +Author: Patrick Schleizer +Date: Wed Jul 24 11:10:56 2024 -0400 + + modify call of stat to use NUL delimiter + + for more robust string parsing + +commit d5366835112cc5fabef7ec46a9c582c08121cb14 +Author: 
Patrick Schleizer +Date: Wed Jul 24 11:03:28 2024 -0400 + + local clean_output_prefix clean_output + +commit a6e517736b83c124cf8cec52bac184612a29ad0d +Author: Patrick Schleizer +Date: Wed Jul 24 11:02:25 2024 -0400 + + local stat_output + +commit ced02fb9e03e12c7d51923511e7d6a54b09a6274 +Author: Patrick Schleizer +Date: Wed Jul 24 11:01:24 2024 -0400 + + add sanity test for file_name output from stat + +commit b9dfe70a016e46e1f275918be19890526182cfa2 +Author: Patrick Schleizer +Date: Wed Jul 24 10:58:05 2024 -0400 + + check first if file_name is empty + +commit 1cbda7998196dc04e83c48526d15f9ad5f11e6c9 +Author: Patrick Schleizer +Date: Wed Jul 24 10:57:13 2024 -0400 + + check first if array is empty before parsing further + +commit a077ae54ea050af8828813b781738cba24e27624 +Author: Patrick Schleizer +Date: Wed Jul 24 10:56:08 2024 -0400 + + modify call of stat to use NUL delimiter + + for more robust string parsing + +commit 1135d34ab334c9b39e51a147dc94df568f982512 +Author: Raja Grewal +Date: Wed Jul 24 23:33:36 2024 +1000 + + Reword description of `cfi=kcfi` kerenel parameter + +commit 7200e9bd8c793f5ea30c3448fd03fbd38c6292b5 +Author: Patrick Schleizer +Date: Wed Jul 24 09:15:02 2024 -0400 + + output + +commit 1b6161c2dcd9a0686503c84cda4c9f6a29fe4e02 +Merge: d2563ed 8be21b6 +Author: Patrick Schleizer +Date: Wed Jul 24 09:13:48 2024 -0400 + + Merge remote-tracking branch 'ben-grande/fuzz' + +commit 88c88187f2909322211cc08598717068ea7cf1d1 +Author: Raja Grewal +Date: Wed Jul 24 17:26:50 2024 +1000 + + Re-enable (default) `secure_redirects` for ICMP redirect messages + +commit 8be21b6eff40fdd3909ef63468463fc52e8bf45f +Author: Ben Grande +Date: Tue Jul 23 19:36:12 2024 +0200 + + Handle newlines in file names + +commit aa99de68d307cd88462665424996d9b730ab5087 +Author: Ben Grande +Date: Tue Jul 23 18:46:47 2024 +0200 + + Log output with defined levels + +commit 06fbcdac1de6f1830d911f05a4f7c14fd522fad4 +Author: Ben Grande +Date: Tue Jul 23 09:55:02 2024 +0200 + + Prettify 
log messages + +commit fb494c2ba5b7fd0f864a59896710d9cddf92b458 +Author: Raja Grewal +Date: Tue Jul 23 13:12:13 2024 +1000 + + Update docs relating to the `cfi=kcfi` kernel parameter + +commit 7ee1ea2cc7dd62feee3243d64b414130e68d35e9 +Author: Ben Grande +Date: Mon Jul 22 17:06:07 2024 +0200 + + Unify functions that evaluate commands + +commit 9c3566f524f748b9f7c98a36b3f2b1064cdba3ed +Author: Ben Grande +Date: Mon Jul 22 16:01:14 2024 +0200 + + Delimit file names with null terminator + +commit d6fc71dba78a9c871015ebdde3bef61943369b47 +Author: Raja Grewal +Date: Mon Jul 22 17:26:00 2024 +1000 + + Add option to switch (back) to using kCFI in the future + +commit f582e543434ba20a2fb7f7300058f7c8a7d62878 +Merge: a189956 d2563ed +Author: raja-grewal +Date: Mon Jul 22 15:12:00 2024 +1000 + + Merge branch 'Kicksecure:master' into blacklist_to_disable + +commit d2563ed92317a029340dbb83f30da008b01325f2 +Author: Patrick Schleizer +Date: Sun Jul 21 10:40:14 2024 +0000 + + bumped changelog version + +commit 64f8b2eb5870664fca06aa060f2f50af358ced55 +Author: Patrick Schleizer +Date: Sun Jul 21 06:36:22 2024 -0400 + + Revert "no longer disable Intel ME related kernel modules" + + This reverts commit 6157e328f40a7f3780208489b1ffecef8e6d738a. 
+ + https://www.kicksecure.com/wiki/Out-of-band_Management_Technology#Intel_ME_Kernel_Modules + + https://github.com/Kicksecure/security-misc/issues/239 + +commit 04fb00572f2e4c9bdfaaa0f6da8007999daab641 +Author: Patrick Schleizer +Date: Sat Jul 20 17:02:05 2024 +0000 + + bumped changelog version + +commit f0a478c7c91697988926a73d3a1880dd8caaca68 +Author: Patrick Schleizer +Date: Sat Jul 20 12:57:56 2024 -0400 + + permission hardener: allow postfix + + postqueue matchwhitelist + postdrop matchwhitelist + +commit a189956adc2cf5a1c8311d0e0e9c7cfbc6e4afe3 +Author: Raja Grewal +Date: Sat Jul 20 20:11:09 2024 +1000 + + Typo + +commit 3c720a0715191c858e8d1df9795dddfea5dbdcf1 +Author: Raja Grewal +Date: Sat Jul 20 15:03:21 2024 +1000 + + Disable some legacy drivers + These were all previously blacklisted for over 2 years. + +commit c4965ed838b1df93ddb9e947fb2f0d23fa8ffc17 +Author: Raja Grewal +Date: Sat Jul 20 14:55:10 2024 +1000 + + Disable legacy framebuffer drivers + These were all previously blacklisted for over 2 years. 
+ +commit 9f53a0182b5f6a7cf8228bf19b04661d39c7a2fe +Author: Patrick Schleizer +Date: Fri Jul 19 07:20:59 2024 -0400 + + undo io_uring related changes + + as these should be done in a separate pull request (if apprpriate) + + https://github.com/Kicksecure/security-misc/pull/244#issuecomment-2238889062 + +commit 8791aecb38a41aa0b0c108505726bc6a1ace903e +Merge: 2d11436 06894d1 +Author: Patrick Schleizer +Date: Fri Jul 19 07:19:09 2024 -0400 + + Merge remote-tracking branch 'raja/fixes' + +commit 06894d1c98e91f43af58cc438559ea76b6a361e3 +Author: Raja Grewal +Date: Fri Jul 19 18:30:42 2024 +1000 + + Typo + +commit 2d11436432d3b2b75f84b05550de06cd77ec6e79 +Author: Patrick Schleizer +Date: Thu Jul 18 18:05:07 2024 +0000 + + bumped changelog version + +commit cac5bbad99a9c083c5b5f85f07c7368287c64f72 +Author: Patrick Schleizer +Date: Thu Jul 18 14:04:00 2024 -0400 + + comment + +commit a5eed00eba76f83c310f62d000830f38b0e87d21 +Author: Patrick Schleizer +Date: Thu Jul 18 14:02:38 2024 -0400 + + cleanup comments + +commit 21efacf1b111d9599e72cef23b791cf4961c04c3 +Author: Patrick Schleizer +Date: Thu Jul 18 14:00:28 2024 -0400 + + cleanup duplicate comments which are already in `/etc/dkms/framework.conf` + +commit 61628c2baf58ca2859bc5fc99782985ef0822750 +Author: Patrick Schleizer +Date: Thu Jul 18 14:11:35 2024 +0000 + + bumped changelog version + +commit 05cf438199ca75f96cf8e67131f4a409b465e7e7 +Author: Patrick Schleizer +Date: Thu Jul 18 10:11:03 2024 -0400 + + no comments / copyright allowed in .displace-extension + +commit 2ccc95f6d44bacd3da97d586542695f33d5faf38 +Author: Patrick Schleizer +Date: Thu Jul 18 14:05:23 2024 +0000 + + bumped changelog version + +commit 95286df50274953326accb615487e21d409b652a +Author: Raja Grewal +Date: Thu Jul 18 15:28:31 2024 +1000 + + Update README.md regarding secure ICMP redirects + +commit 13cc1f0986033855a399b50442a86a8d8552eb96 +Author: Raja Grewal +Date: Thu Jul 18 12:25:00 2024 +1000 + + Clarify (future) disabling of `io_uring` + 
+commit 9e6facda7017498e8310a9c39403e95e81c5a903 +Author: Raja Grewal +Date: Thu Jul 18 12:21:37 2024 +1000 + + Update module disabling presentation + +commit faa9181a6c0c78b9471c9a4e6bdd3291aec704f6 +Author: Raja Grewal +Date: Thu Jul 18 12:19:27 2024 +1000 + + Typos + +commit 6d211faf591608ea6e7f484e8bc69dd567877abf +Author: Raja Grewal +Date: Thu Jul 18 11:04:54 2024 +1000 + + Restrict unprivileged user namespaces + +commit b04828f858fa6d101099773d3156841fd6d33b6f +Author: Raja Grewal +Date: Thu Jul 18 11:01:41 2024 +1000 + + Disable the usage of `ptrace()` by all processes + +commit d454f36c63bd653e47353fb1c93107b2d5584fe2 +Author: Patrick Schleizer +Date: Wed Jul 17 11:52:29 2024 -0400 + + spelling + +commit f4da582aa31b869413aef6f4e252b7985e961339 +Author: Patrick Schleizer +Date: Wed Jul 17 11:44:17 2024 -0400 + + spelling + +commit 9e976474d5d620be9e4f8d8a97f73c6cc3e64573 +Author: Patrick Schleizer +Date: Wed Jul 17 11:40:51 2024 -0400 + + spelling + +commit b569fc02a4650187e69b62b95439c05ee2611e91 +Author: Patrick Schleizer +Date: Wed Jul 17 11:38:53 2024 -0400 + + spelling + +commit a2e26f441b6f44831c7b1bf3bf9dc2cf6f06e176 +Author: Patrick Schleizer +Date: Wed Jul 17 11:04:03 2024 -0400 + + spelling + +commit c8be4ac83c2563798ee35d56200eb8d11a2c32e3 +Author: Patrick Schleizer +Date: Wed Jul 17 10:56:14 2024 -0400 + + comment + +commit 24cd70a014b221b25669755b955bc114fe083643 +Author: Patrick Schleizer +Date: Wed Jul 17 10:55:12 2024 -0400 + + spelling + +commit 5cec685cf9b0845838f17fba78ac65d6c2e63386 +Author: Patrick Schleizer +Date: Wed Jul 17 10:49:21 2024 -0400 + + spelling + +commit 821a416fe39e11ca030c63f25a5220772d80eae5 +Author: Patrick Schleizer +Date: Wed Jul 17 10:43:16 2024 -0400 + + spelling + +commit 9a387f95e9346030e2adc3252a45942949561b52 +Merge: fd41acd 4afe257 +Author: Patrick Schleizer +Date: Wed Jul 17 10:32:26 2024 -0400 + + Merge remote-tracking branch 'raja/miscellaneous' + +commit fd41acdc721a6463813bc347cb965b6211fb9447 +Merge: 
0da22c2 1087387 +Author: Patrick Schleizer +Date: Wed Jul 17 10:27:31 2024 -0400 + + Merge remote-tracking branch 'raja/fack_off' + +commit 4afe257a42576158a54a68948440a2b4c043b67c +Author: Raja Grewal +Date: Thu Jul 18 00:14:13 2024 +1000 + + minor + +commit d0a59617f6b8a90fd5c758699e910af9d7496c98 +Author: Raja Grewal +Date: Thu Jul 18 00:13:30 2024 +1000 + + Add missing Copyright (C) statements + +commit 8f3896c3dac13b604e36d4249f976598f271a215 +Author: Raja Grewal +Date: Wed Jul 17 23:44:37 2024 +1000 + + Upgrade hyperlinks to HTTPS + +commit 1087387b362d5598e44262db07ab0fff9118b064 +Author: Raja Grewal +Date: Wed Jul 17 23:35:25 2024 +1000 + + Remove obsolete `#net.ipv4.tcp_fack=0` + +commit 0da22c20316c8f0f574e0127926506e52ccbc269 +Author: Patrick Schleizer +Date: Wed Jul 17 09:07:31 2024 -0400 + + minor + +commit c336b266f61528cce27e1cafac6377370927a787 +Merge: afe3c25 df80385 +Author: Patrick Schleizer +Date: Wed Jul 17 09:06:44 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit df80385289717fee0266436d056c9aedd0fb06af +Merge: afe3c25 724435e +Author: Patrick Schleizer +Date: Wed Jul 17 09:04:18 2024 -0400 + + Merge pull request #237 from raja-grewal/intel_pmt + + Disable some Intel PMT kernel modules + +commit afe3c25a49940f7f322414c08e8dbd631e696215 +Author: Patrick Schleizer +Date: Wed Jul 17 08:58:00 2024 -0400 + + update readme + + https://github.com/Kicksecure/security-misc/issues/239 + +commit f7772fb85a1fe6d3c0749e5f34fc29111b6a8125 +Author: Patrick Schleizer +Date: Wed Jul 17 08:57:35 2024 -0400 + + minor + +commit 6157e328f40a7f3780208489b1ffecef8e6d738a +Author: Patrick Schleizer +Date: Wed Jul 17 08:52:11 2024 -0400 + + no longer disable Intel ME related kernel modules + + https://github.com/Kicksecure/security-misc/issues/239 + +commit daee8b900b3057235aedc17b1231c3c05599140c +Merge: 954ff1b a4ba6e4 +Author: Patrick Schleizer +Date: Wed Jul 17 08:47:55 2024 -0400 + + Merge remote-tracking branch 
'github-kicksecure/master' + +commit a4ba6e485d94512fdf737b9f66137c3f692c9904 +Merge: 9a75135 abafb19 +Author: Patrick Schleizer +Date: Wed Jul 17 08:46:27 2024 -0400 + + Merge pull request #236 from raja-grewal/intel_me + + Disable more Intel ME kernel modules + +commit 954ff1be41288b5fa2e50d492d92544915f93bb5 +Merge: d29a616 9a75135 +Author: Patrick Schleizer +Date: Wed Jul 17 08:42:52 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 9a75135633ad172f7cbf318e1206865493c28bb4 +Merge: d29a616 a340899 +Author: Patrick Schleizer +Date: Wed Jul 17 08:41:43 2024 -0400 + + Merge pull request #238 from raja-grewal/uvcvideo_2 + + Minor additions to `30_security-misc_disable.conf` + +commit d29a616142562492db6c45c299f002100e905828 +Author: Patrick Schleizer +Date: Wed Jul 17 08:39:20 2024 -0400 + + minor + +commit a2802f352fc7021ead0d431c665cc16b2821ae0b +Merge: 0b873b7 81a3715 +Author: Patrick Schleizer +Date: Wed Jul 17 08:38:23 2024 -0400 + + Merge remote-tracking branch 'raja/kargs' + +commit 0b873b765e20b06113d808075fa95c8acbb1e0fc +Author: Patrick Schleizer +Date: Wed Jul 17 08:05:27 2024 -0400 + + minor + +commit 070bb46a08afcd84fb638472c39bd543bad4fb17 +Merge: 6d6e547 25fd532 +Author: Patrick Schleizer +Date: Wed Jul 17 08:02:45 2024 -0400 + + Merge remote-tracking branch 'raja/sysctl' + +commit 6d6e5473f2778a2a5b1ca7826d0a3a5a63cff08a +Author: Patrick Schleizer +Date: Wed Jul 17 08:00:24 2024 -0400 + + minor + +commit cf5f0edbb85589a72ec891e9c3e090f9e81c4fda +Merge: fe5c840 693b47e +Author: Patrick Schleizer +Date: Wed Jul 17 07:59:35 2024 -0400 + + Merge remote-tracking branch 'raja/sysctl' + +commit 25fd532ce62399d5bb42d844ad32b5128eaf748d +Author: Raja Grewal +Date: Wed Jul 17 21:56:40 2024 +1000 + + Update README.md relating to `sysctl`'s + +commit 39fd125eb0f0c16c8a64933bbd04709287a2686a +Author: Raja Grewal +Date: Wed Jul 17 21:44:44 2024 +1000 + + Provide explanation on the disabling of IPv6 Privacy Extensions + +commit 
a3408990ab439e6edbf8691cf7d65fb16c0d24df +Author: Raja Grewal +Date: Wed Jul 17 15:03:39 2024 +1000 + + Uncomment disabling of already disabled ATM modules + +commit 693b47e6235528ab7a9032818cce22fd63a4f5ea +Author: Raja Grewal +Date: Wed Jul 17 14:58:30 2024 +1000 + + Clarify ICMP redirect acceptance and sending + +commit 81a3715c7c0b73796a62297ebe55e861a46f7686 +Author: Raja Grewal +Date: Wed Jul 17 13:32:08 2024 +1000 + + Add info regarding the downsides of disabling SMT + +commit abafb1945cace774429fefd0c1a037fb2ec3f774 +Author: Raja Grewal +Date: Wed Jul 17 13:26:03 2024 +1000 + + Add Intel ME references + +commit f317aaebab126bafe3cfaef8159bf0820c392c87 +Author: Raja Grewal +Date: Wed Jul 17 01:09:02 2024 +1000 + + Disable two network modules + These were previously blacklisted for two years in https://github.com/Kicksecure/security-misc/commit/61ef9bd59f9ff39c140f782ff5b41d0a3c6d97bc. + +commit d69fe88091c7212a9af86306c797aed40398584b +Author: Raja Grewal +Date: Wed Jul 17 01:08:01 2024 +1000 + + Provide option to disable `uvcvideo` driver + +commit 49594ccb223c09d70f00434e5875c9dae1a2360d +Author: Raja Grewal +Date: Wed Jul 17 00:49:25 2024 +1000 + + Partially revert https://github.com/raja-grewal/security-misc/commit/f4d652fa7b5dd350b577521c6bba22c9eb3c13f1 + +commit 824d9b82e53485eed8eaf24e9815ac07ad0f2406 +Author: Raja Grewal +Date: Wed Jul 17 00:36:18 2024 +1000 + + Uncomment redundant disabling of TCP FACK` + +commit d1119c38b6ad4193919d4b800de0a3cb014f92c1 +Author: Raja Grewal +Date: Wed Jul 17 00:31:23 2024 +1000 + + Apply changes from code review + +commit fe5c840b79c4aabd5c21a286d3ce1a3ee460812c +Author: Patrick Schleizer +Date: Mon Jul 15 21:18:55 2024 +0000 + + bumped changelog version + +commit 6e63fc8985b97902dbae2553ded51950168dc222 +Merge: fe0846c b7796a5 +Author: Patrick Schleizer +Date: Mon Jul 15 17:14:25 2024 -0400 + + Merge remote-tracking branch 'ben-grande/fuzz' + +commit fe0846c8c2bdfc0534850b1e9bf9c4130381def9 +Author: Patrick 
Schleizer +Date: Mon Jul 15 12:30:38 2024 -0400 + + fix + + https://github.com/Kicksecure/security-misc/pull/234#discussion_r1678065395 + +commit 94df2e3d244f5e6e8e4320c1f28cc11dba00dd36 +Author: Patrick Schleizer +Date: Mon Jul 15 12:29:52 2024 -0400 + + further discussion required + + https://github.com/Kicksecure/security-misc/pull/234#issuecomment-2228909249 + +commit 41f0b53dd62d2968a6ff88a6fd907ca42f581847 +Merge: 5ba5a85 9300c20 +Author: Patrick Schleizer +Date: Mon Jul 15 12:28:03 2024 -0400 + + Merge remote-tracking branch 'raja/kernel_modules' + +commit 73f6d4b26f51f0c920fe020677f464c536d75410 +Author: Raja Grewal +Date: Tue Jul 16 01:03:41 2024 +1000 + + Fix transcription error + +commit 724435e56ea059183241044a4fc09423187533eb +Author: Raja Grewal +Date: Mon Jul 15 22:38:43 2024 +1000 + + Disable some Intel Platform Monitoring Technology Telemetry (PMT) modules + +commit 61941da37509a4bb809212536b79f461a209f584 +Author: Raja Grewal +Date: Mon Jul 15 22:38:09 2024 +1000 + + Create `disabled-intelpmt-by-security-misc` + +commit 22ba7a7c393a8c9005dfe26aea396815a4d54803 +Author: Raja Grewal +Date: Mon Jul 15 22:21:20 2024 +1000 + + Disable more Intel Management Engine (ME) modules + +commit 9300c208e25d936f2c633a0904126566afc1c275 +Author: Raja Grewal +Date: Mon Jul 15 21:36:25 2024 +1000 + + Fix script + +commit f2db11269e89d4c945642b661aa9cbe356f89037 +Author: Raja Grewal +Date: Mon Jul 15 21:18:32 2024 +1000 + + Fix script + +commit 382f1e9ec00ab5f012f028fa324d6cf73040c37d +Author: Raja Grewal +Date: Mon Jul 15 21:13:25 2024 +1000 + + Fix error + +commit a8bc1144c32b4b4f20904af5f813da1051fe4c9c +Author: Raja Grewal +Date: Mon Jul 15 21:10:13 2024 +1000 + + Updated wording of error files for disabled modules + +commit fda3832eaf293915ab77ce73a0be2caec15e21fa +Author: Raja Grewal +Date: Mon Jul 15 21:08:45 2024 +1000 + + Replace bash file presented for disabling of miscellaneous modules + +commit 8219a1e257525d487a49e7b3a6b14c1e180a7b52 +Author: Raja 
Grewal +Date: Mon Jul 15 21:02:10 2024 +1000 + + Update README.md relating to disabled miscellaneous modules + +commit cb2fb95b81efa2ebb2bd80aeaacad9122f0f073c +Author: Raja Grewal +Date: Mon Jul 15 21:01:36 2024 +1000 + + Disable more miscellaneous drivers + +commit c52b1a3fd269ef4f98028dd5eead476abe5d138d +Author: Raja Grewal +Date: Mon Jul 15 20:58:45 2024 +1000 + + Create `disabled-miscellaneous-by-security-misc` + +commit 96aa63267a6fcee03f252f0791f37b7b6222a7c1 +Author: Raja Grewal +Date: Mon Jul 15 20:57:14 2024 +1000 + + Disable more Thunderbolt modules + +commit 51f7776bc8722752d53fc503b0c79564d8715d4c +Author: Raja Grewal +Date: Mon Jul 15 20:56:12 2024 +1000 + + Disable more network protocols/drivers + +commit 9e40ff055195b1e8637d1e957c3f8db01f99bbc1 +Author: Raja Grewal +Date: Mon Jul 15 20:54:18 2024 +1000 + + Disable more network file systems + +commit 82c5a93f7cf2846490120c5262a146a313a5ce47 +Author: Raja Grewal +Date: Mon Jul 15 20:53:07 2024 +1000 + + Disable another GPS module + +commit 99b0ce7948213e7f7adf42ddd7c7beb229374bd4 +Author: Raja Grewal +Date: Mon Jul 15 20:47:56 2024 +1000 + + Disable more file systems + +commit 4476a477a77c98cf4334fbcb866bc8f113f568ac +Author: Raja Grewal +Date: Mon Jul 15 20:47:07 2024 +1000 + + Provide option to disable more Bluetooth modules + +commit e0696d02a234e6f7ab9fb601ffe58e7d953846a2 +Author: Raja Grewal +Date: Mon Jul 15 20:46:04 2024 +1000 + + Update `security-misc.maintscript` + Due to previous splitting IN https://github.com/Kicksecure/security-misc/commit/b02230a783941da412be72fb52053db0c6b8010f. 
+ +commit b2657bc61fb15bb89d62f0743a36835c1f0dda8a +Author: Raja Grewal +Date: Mon Jul 15 15:05:00 2024 +1000 + + Improve docs + +commit 1c2afc1f253e15d2605d1bef0e323e6e972a2484 +Author: Raja Grewal +Date: Mon Jul 15 15:01:48 2024 +1000 + + Update presentation of the `kernel.printk` sysctl + +commit c8385d82fbd6ba16ba1f0b4969661474966b74f1 +Author: Raja Grewal +Date: Mon Jul 15 14:57:40 2024 +1000 + + Clarify instructions for increasing log verbosity + +commit d229e8b04d914803fa66c3a695022cfb2d9b2a25 +Author: Raja Grewal +Date: Mon Jul 15 14:50:29 2024 +1000 + + Fix link + +commit fbfdb0fa99087e4160979b612db04e63a1d3e3b1 +Author: Raja Grewal +Date: Mon Jul 15 14:40:03 2024 +1000 + + Update `security-misc.maintscript` relating to grub + +commit f4d652fa7b5dd350b577521c6bba22c9eb3c13f1 +Author: Raja Grewal +Date: Mon Jul 15 14:39:12 2024 +1000 + + Update presentation of `quiet loglevel=0` + +commit 69c8e849270393537d3e024137bc20a42c848333 +Author: Raja Grewal +Date: Mon Jul 15 14:38:21 2024 +1000 + + Fix typos + +commit 48e1ac416314d2c66f3a0d5044a3c51cb6fb4093 +Author: Raja Grewal +Date: Mon Jul 15 02:04:25 2024 +1000 + + Remove the optional `slub_debug` parameter since it is no longer recommended + +commit 99038c7a0621f5c9852638c1706c5306b42e6480 +Author: Raja Grewal +Date: Mon Jul 15 02:02:01 2024 +1000 + + Add option to disable support for x86 processes and syscalls in the future + +commit f550fbe07cafb75112e98268730d1bcc511489e2 +Author: Raja Grewal +Date: Mon Jul 15 01:59:04 2024 +1000 + + Add option to disable the entire IPv6 stack functionality + +commit a33d4cd099b8cbf569ff35627eeacf3562a4371e +Author: Raja Grewal +Date: Mon Jul 15 01:56:25 2024 +1000 + + Refactor existing kernel parameters for clarity + +commit acd60e45d8cbc98ea935c9bf035f2840622ab58d +Author: Raja Grewal +Date: Sun Jul 14 20:07:31 2024 +1000 + + Add comment about enabling core dump files + +commit 5cf9afc21563712b851850e2041141807503807c +Author: Raja Grewal +Date: Sun Jul 14 17:05:49 2024 
+1000 + + Include optional `sysctl`'s in README.md + +commit 2b9e174c9db69f2c30828aae236c631d46255e07 +Author: Raja Grewal +Date: Sun Jul 14 16:22:52 2024 +1000 + + Remove empty lines + +commit dd1741c4a1cd18f34f69437c00f3a78a9ebd402a +Author: Raja Grewal +Date: Sun Jul 14 13:40:53 2024 +1000 + + Some documentation additions and fixes + +commit 565597c9a282b08697d04204f5eb9c22153e77bd +Author: Raja Grewal +Date: Sun Jul 14 01:21:24 2024 +1000 + + Minor documentation changes and fixes + +commit 5ba5a85ad09b74a29c5ed0e5c265d54d93da9d32 +Author: Patrick Schleizer +Date: Sat Jul 13 15:01:16 2024 +0000 + + bumped changelog version + +commit ad860063aba0443a8ac8b9cf191d008617d6d904 +Merge: f34b9d7 9f58266 +Author: Patrick Schleizer +Date: Sat Jul 13 10:55:45 2024 -0400 + + Merge remote-tracking branch 'raja/modprobe' + +commit 9f582665467fd4fdf20c83841305785024bceedf +Author: Raja Grewal +Date: Sat Jul 13 23:32:01 2024 +1000 + + Move nf_conntrack_helper disabling into separate file + +commit 8f2ec75f8173b6ab970a5ef213dcf5a3f67aa84a +Author: Raja Grewal +Date: Sat Jul 13 23:30:55 2024 +1000 + + Clarify README.mmd relating to module disabling + +commit 98580bb39a495a141e7b40792fd9d232fcf29d23 +Author: Raja Grewal +Date: Sat Jul 13 23:29:52 2024 +1000 + + Update modprobe presentation + +commit 2de3a795990234134be15be90aa55f547c064d92 +Author: Raja Grewal +Date: Sat Jul 13 22:41:40 2024 +1000 + + Refactor existing sysctl for clarity + +commit f34b9d7c45cd723535eedd3df99896ee7f852388 +Merge: 05c1711 5f10cc8 +Author: Patrick Schleizer +Date: Sat Jul 13 06:14:43 2024 -0400 + + Merge remote-tracking branch 'raja/modules' + +commit 5f10cc8bcf11654f5e0f97c07e0a7ff198013c1e +Author: Raja Grewal +Date: Fri Jul 12 16:22:10 2024 +1000 + + Update README.md relating to modprobe + +commit 41a3bf92fbdac88a1884dee735600cafa35134bf +Author: Raja Grewal +Date: Fri Jul 12 16:21:41 2024 +1000 + + Sort `30_security-misc_disable.conf` + +commit f31dc8aebc652b2037c375351fc478d9b5ba4c27 +Author: 
Raja Grewal +Date: Fri Jul 12 16:21:03 2024 +1000 + + Fix error in error script + +commit b02230a783941da412be72fb52053db0c6b8010f +Author: Raja Grewal +Date: Fri Jul 12 02:42:37 2024 +1000 + + Split modprobe into blacklisted and disabled configurations + +commit fc792ff23234399ed299c3fdc086d47c87d9b4a3 +Author: Raja Grewal +Date: Fri Jul 12 02:29:36 2024 +1000 + + Alphabetically sort existing modprobe + +commit fe20f3240e2f31099bcaa9f9e2045320df810edf +Author: Raja Grewal +Date: Fri Jul 12 02:28:48 2024 +1000 + + Refactor existing modprobe for clarity + +commit 275a4ffc1114856cbd9a1cd49701dcb25d87bfb5 +Author: Raja Grewal +Date: Fri Jul 12 02:27:56 2024 +1000 + + Remove redundant disabled modules + +commit b7796a5334075d5fa538d7579003fde6287d7e6d +Author: Ben Grande +Date: Thu Jul 11 11:04:22 2024 +0200 + + Unify method to find SUID files + +commit 05c1711b16c96a221c13a011a6666fe6b385ec1e +Author: Patrick Schleizer +Date: Tue Jun 11 12:56:56 2024 +0000 + + bumped changelog version + +commit e48115588caae8e51bb980ac84b1f0f415ca0d17 +Merge: b316352 cad8d85 +Author: Patrick Schleizer +Date: Tue Jun 11 07:25:47 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit cad8d857556e29544f742fdac8fe82758a4f885c +Merge: b316352 e198447 +Author: Patrick Schleizer +Date: Tue Jun 11 07:25:07 2024 -0400 + + Merge pull request #227 from 3uryd1ce/fix-pam.d-path + + fix(etc): delete typo in /etc/apparmor.d tunables + +commit e1984478662fc51e6eacc989bc6bba0ca1fc07cd +Author: Ashlen +Date: Sat Jun 8 22:17:05 2024 -0600 + + fix(etc): delete typo in /etc/apparmor.d tunables + + /etc/pam.d was present twice in a row ("/etc/pam.d//etc/pam.d") in this + file: /etc/apparmor.d/tunables/home.d/security-misc. 
+ +commit b316352ede379d96cff4813735b93eb59506fe42 +Author: Patrick Schleizer +Date: Sat Jun 1 18:13:08 2024 +0000 + + bumped changelog version + +commit c815304026d30f7774f804498d20431ccdf8dc7f +Author: Patrick Schleizer +Date: Sat Jun 1 14:12:57 2024 -0400 + + readme + +commit 641e98e57714f7d38962bfd12d673500b8114356 +Author: Patrick Schleizer +Date: Sat Jun 1 17:35:04 2024 +0000 + + bumped changelog version + +commit e0cd9579d64e6d16667832de51f77a3091ef213e +Author: Patrick Schleizer +Date: Sat Jun 1 13:32:13 2024 -0400 + + remove duplicate `fsckobjects = true` from `/etc/gitconfig` + +commit bbe64a0b7992610dfef6002271718a2aee115cae +Author: Patrick Schleizer +Date: Tue May 28 12:04:53 2024 +0000 + + bumped changelog version + +commit ae24a97d4d0ffcfb3d1cc92edb61e7ecf4535ee7 +Merge: bfca98e a735857 +Author: Patrick Schleizer +Date: Tue May 28 08:02:21 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit a7358578520294b51e1001199670a0bbeeb43eb1 +Merge: bfca98e 4efa293 +Author: Patrick Schleizer +Date: Tue May 28 07:55:31 2024 -0400 + + Merge pull request #226 from Kicksecure/gitconfig + + add `/etc/gitconfig` by default for better `git` security + +commit 4efa293f3b76814bc5399a959482d7db6e7431ec +Author: Patrick Schleizer +Date: Tue May 28 07:51:06 2024 -0400 + + add `/etc/gitconfig` by default for better `git` security + + ``` + [core] + symlinks = false + + [transfer] + fsckobjects = true + fsckobjects = true + [fetch] + fsckobjects = true + fsckobjects = true + [receive] + fsckobjects = true + fsckobjects = true + ``` + + + additional suggestions as comments + + fixes https://github.com/Kicksecure/security-misc/issues/225 + +commit bfca98ea89cea0f8604ecca0c8640860320e8e33 +Author: Patrick Schleizer +Date: Sat May 18 20:45:12 2024 +0000 + + bumped changelog version + +commit eb82884fb2e3d3bb4fa5555d8212146042ba8aa4 +Merge: 5867b1b 12e006e +Author: Patrick Schleizer +Date: Sat May 18 16:42:41 2024 -0400 + + Merge remote-tracking 
branch 'github-kicksecure/master' + +commit 12e006ef9cabbbcbe9cb45d9a6631e9a7a47cf3a +Merge: 5867b1b 2f71605 +Author: Patrick Schleizer +Date: Sat May 18 16:30:07 2024 -0400 + + Merge pull request #222 from raja-grewal/text + + Update Readme and Copyright + +commit 2f716050d17016be6f550a7de8e0c1030e869e8f +Author: raja-grewal +Date: Sun May 12 01:06:34 2024 +0000 + + Update README.md + +commit 1bb843ec3863696170242c57668d0b3f44f41d7b +Author: Raja Grewal +Date: Sat May 11 13:18:36 2024 +1000 + + Update Copyright (C) to 2024 + +commit dddac1dc4015a28fc6b12244809685295272edd1 +Author: Raja Grewal +Date: Sat May 11 13:15:42 2024 +1000 + + Update README.md + +commit 5867b1b014f450acdf70c203ffe2f27831f1d9b0 +Author: Patrick Schleizer +Date: Fri May 10 11:20:36 2024 +0000 + + bumped changelog version + +commit 9b589bc3116c8f9d6d574021bcec7b5dec3888b8 +Author: Patrick Schleizer +Date: Fri May 10 06:49:34 2024 -0400 + + comment + +commit 8d01fc2d351285c9c2f810bf5cf10797c9b9eb41 +Author: Patrick Schleizer +Date: Fri May 10 06:48:26 2024 -0400 + + chmod +x + +commit 8a28c1bc38b87bf55f25764c96a0e81e22137232 +Merge: a9886a3 0f1119f +Author: Patrick Schleizer +Date: Fri May 10 06:48:04 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 0f1119f326cd769db8995e8eb54ff35503c70562 +Merge: 547757f 677f75a +Author: Patrick Schleizer +Date: Fri May 10 06:45:57 2024 -0400 + + Merge pull request #221 from raja-grewal/firewire + + Disable Firewire Module + +commit 547757f4514a54437d044656c5e2b6d413a4cc30 +Merge: 7b9fe44 06f13bb +Author: Patrick Schleizer +Date: Fri May 10 06:45:34 2024 -0400 + + Merge pull request #220 from raja-grewal/block_gps + + Block Several GPS-related Modules + +commit 7b9fe44a20f3caf67f386969a5fc7c980e5f0282 +Merge: 62ea4dc 132b41a +Author: Patrick Schleizer +Date: Fri May 10 06:43:43 2024 -0400 + + Merge pull request #219 from raja-grewal/logging_martians + + Revert Logging of Martians + +commit 
62ea4dc1768f69bb28a69c20e55c87ae692cc0c8 +Merge: a9886a3 4694268 +Author: Patrick Schleizer +Date: Fri May 10 06:43:15 2024 -0400 + + Merge pull request #218 from raja-grewal/secure_cpu + + More CPU Mitigations and Additional References + +commit 677f75ae8ed64af599f837ced15f34990df498e5 +Author: raja-grewal +Date: Thu May 9 02:34:02 2024 +0000 + + Disable `firewire-net` module + +commit 06f13bb766bd84182331aeb1632b917de4b36020 +Author: raja-grewal +Date: Thu May 9 02:28:53 2024 +0000 + + Disable GPS modules like GNSS + +commit f3800a4e2b7bef87cc3bd8791f9e7f654f8d782a +Author: raja-grewal +Date: Thu May 9 02:25:46 2024 +0000 + + Create disabled-gps-by-security-misc + +commit 132b41ae73e9ea72bc3d8aff22ae75fc622758a3 +Author: raja-grewal +Date: Thu May 9 02:16:50 2024 +0000 + + Revert logging of martians + +commit 4694268b8f779c1a0a56546dc6d12bf9f23a7cdd +Author: raja-grewal +Date: Sun May 5 12:52:51 2024 +0000 + + Remove a word + +commit 8f7768ce96e32e3f1ec52118afffc2a44a160976 +Author: raja-grewal +Date: Sun May 5 12:50:39 2024 +0000 + + Add vendor links + +commit 0c031a29d33d13d9106746d61b87f9d98a80b5cd +Author: raja-grewal +Date: Wed May 1 13:55:09 2024 +1000 + + RFDS mitigation on Intel Atom CPUs (including E-cores) + +commit 1122b3402c0856a087415d7ba1a313048b7e3eea +Author: raja-grewal +Date: Wed May 1 13:50:42 2024 +1000 + + GDS mitigation for CPUs + +commit c002bd62e8584a19e73b3f42673a3f9bafba6a2c +Author: raja-grewal +Date: Wed May 1 13:49:34 2024 +1000 + + Clarify use of `mitigations=auto` + +commit d89d7e8ef8ee3fd45456e82e8f649f7f28c93e80 +Author: raja-grewal +Date: Wed May 1 13:49:00 2024 +1000 + + Add reference for RETBleed + +commit 015dcc4212736417a2202ea0e0a92e5c2e58d6a5 +Author: raja-grewal +Date: Wed May 1 13:48:13 2024 +1000 + + Add reference for SSB + +commit de4f4be94762c9751ea62f744d7d6ede3ef30e88 +Author: raja-grewal +Date: Wed May 1 13:47:40 2024 +1000 + + Merge spectre mitigations + +commit 965c8641fd28e0ee592b50605edb7494fe9c3a28 +Author: 
raja-grewal +Date: Wed May 1 13:47:02 2024 +1000 + + Update BHI mitigation reference + +commit a9886a3119f9b662b15fc26d28a7fedf316b72c4 +Author: Patrick Schleizer +Date: Fri Apr 12 06:56:39 2024 +0000 + + bumped changelog version + +commit 5cbdf3c1262d26ae03b28baee87b1d268329da40 +Merge: 7fba04d ab8b6da +Author: Patrick Schleizer +Date: Fri Apr 12 02:54:17 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit ab8b6da484a90e9a62f8ba515c757aa3758baf48 +Merge: 7fba04d 4935768 +Author: Patrick Schleizer +Date: Fri Apr 12 02:53:08 2024 -0400 + + Merge pull request #216 from raja-grewal/spectre_bhi + + BHI mitigation on Intel CPUs + +commit 493576836c90653f9c3514fcd5b3bf816e56d689 +Author: raja-grewal +Date: Fri Apr 12 00:17:06 2024 +1000 + + BHI mitigation on Intel CPUs + +commit 7fba04d1485187fe648f3d3ab44cd834b0eb9791 +Author: Patrick Schleizer +Date: Mon Apr 1 06:56:45 2024 +0000 + + bumped changelog version + +commit 7dba3fb7bebd4fdc7f168df378c2d505971f2c04 +Author: Patrick Schleizer +Date: Mon Apr 1 02:55:59 2024 -0400 + + no longer disable MSR by default + + fixes https://github.com/Kicksecure/security-misc/issues/215 + +commit d9ac01ba5c26f9730feb17fe573d447e625e59f8 +Author: Patrick Schleizer +Date: Mon Mar 18 15:10:10 2024 +0000 + + bumped changelog version + +commit ecaa024f226f4f45ac9d2a4f38bcdb82a6e35a2f +Author: Patrick Schleizer +Date: Mon Mar 18 11:01:56 2024 -0400 + + lower debugging + +commit 357ea5deab85debb9dff5d9e4e80a972954249c8 +Author: Patrick Schleizer +Date: Mon Mar 11 15:07:50 2024 +0000 + + bumped changelog version + +commit 0a018bdebca167d671d8bda81a2b0d929d396945 +Merge: 57fc487 0b81316 +Author: Patrick Schleizer +Date: Mon Mar 11 10:13:57 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 0b8131630041dbd80f1aa61dcedde446208c06f7 +Merge: 57fc487 03ed546 +Author: Patrick Schleizer +Date: Mon Mar 11 10:12:46 2024 -0400 + + Merge pull request #211 from wryMitts/patch-1 + + Create proc 
group on install + +commit 03ed546cd8992b29855ca1c2748ed988dd3c765d +Author: wryMitts <158655396+wryMitts@users.noreply.github.com> +Date: Sun Mar 10 16:55:10 2024 -0400 + + Create proc group on install + + Fixes https://github.com/Kicksecure/security-misc/issues/210 + +commit 57fc487e5e5ffad765f1418236744319cc666871 +Author: Patrick Schleizer +Date: Sun Mar 10 13:19:26 2024 +0000 + + bumped changelog version + +commit a5206bde336c159be065345e7dd5cb86b2b6a27f +Author: Patrick Schleizer +Date: Sun Mar 10 08:44:53 2024 -0400 + + `proc-hidepid.service` add `gid=proc` + + This allows users that are a member of the `proc` group to be excluded from `hidepid` protections. + + https://github.com/Kicksecure/security-misc/issues/208 + +commit 0f0d9ca2a42cf9fc04e405ae90f3d67bc0794e12 +Author: Patrick Schleizer +Date: Mon Mar 4 11:48:30 2024 +0000 + + bumped changelog version + +commit 6b76373395622bac0e701c6d15c6656658febced +Author: Patrick Schleizer +Date: Mon Mar 4 06:44:26 2024 -0500 + + fix panic-on-oops started every 10s in Qubes-Whonix + + by changing from a /etc/profile.d etc. related mechanism to start to a systemd unit file based approach + + Thanks to @marmarek for the bug report! 
+ + https://forums.whonix.org/t/panic-on-oops-started-every-10s/19450 + +commit af6c6971a741c69a584ba3f92dbfed12e40784dc +Author: Patrick Schleizer +Date: Mon Mar 4 06:33:51 2024 -0500 + + comment + +commit e013070e0bfc43d006e09ae1c5ae3533f7bebc5f +Author: Patrick Schleizer +Date: Mon Mar 4 06:33:21 2024 -0500 + + newline + +commit a5cc1774f2fbf6475e7b56601fbcd84a2a63fed0 +Author: Patrick Schleizer +Date: Mon Feb 26 13:32:44 2024 +0000 + + bumped changelog version + +commit 808e72f24bf30b3476ab6b87f96eb636632c195c +Author: Patrick Schleizer +Date: Mon Feb 26 08:11:26 2024 -0500 + + use long options + + https://github.com/Kicksecure/security-misc/issues/172 + +commit 2d1d1b246f3fe061d4f817da5cecf46010839e1d +Author: Patrick Schleizer +Date: Mon Feb 26 08:07:29 2024 -0500 + + improve output + + https://github.com/Kicksecure/security-misc/issues/172 + +commit d8f5376c4f36f5deb734e6dead42a62566d13480 +Author: Patrick Schleizer +Date: Mon Feb 26 07:58:06 2024 -0500 + + improve output + + https://github.com/Kicksecure/security-misc/issues/172 + +commit cf84762a3a84d2be3b9510dddb32bdc433170dfa +Author: Patrick Schleizer +Date: Mon Feb 26 07:52:41 2024 -0500 + + improve output + + https://github.com/Kicksecure/security-misc/issues/172 + +commit f2958bbfa5e67ee10380a25d996826233469080a +Author: Patrick Schleizer +Date: Mon Feb 26 07:49:30 2024 -0500 + + comment + +commit bc8f9edc3197e33e75ea1d691834d9abbdcdefd0 +Merge: 02d6f67 b23d167 +Author: Patrick Schleizer +Date: Mon Feb 26 07:48:19 2024 -0500 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit b23d167342ef242a1e9d4e91b6a4b945e80c3e7e +Merge: 02d6f67 ef44ece +Author: Patrick Schleizer +Date: Mon Feb 26 07:46:02 2024 -0500 + + Merge pull request #204 from DanWin/sysfs-mount + + Make /sys hardening optional and allow access to /sys/fs to make polkit work + +commit 02d6f67741ef93d9ab39e02ac56b27c551a19dca +Author: Patrick Schleizer +Date: Thu Feb 22 20:08:17 2024 +0000 + + bumped changelog version + 
+commit d13d1aa7ec7e9ac9f1aa87e4b36228bfd3af6eb2 +Author: Patrick Schleizer +Date: Thu Feb 22 15:07:53 2024 -0500 + + comments + +commit a1f898e3b317f49a5bb9507c8b9d3bd3c4e23abf +Author: Patrick Schleizer +Date: Thu Feb 22 19:58:01 2024 +0000 + + bumped changelog version + +commit c3dd178b19be8c078ed6a2f46a072bef3d144c06 +Author: Patrick Schleizer +Date: Thu Feb 22 14:57:50 2024 -0500 + + output + +commit ef44ecea44ee516b1ba92175eb78b2e8143c4502 +Author: Daniel Winzen +Date: Thu Feb 22 16:51:23 2024 +0100 + + Add option to disabe /sys hardening + +commit 3bc1765dbbd333a1d607ab6962281b4d0a5c4b60 +Author: Daniel Winzen +Date: Wed Feb 21 20:37:34 2024 +0100 + + Allow access to /sys/fs for polkit + +commit 6b73e6c2a9ff1efe211e41e005e4ecaa63731d82 +Author: Patrick Schleizer +Date: Thu Feb 22 16:07:16 2024 +0000 + + bumped changelog version + +commit 37a7abdf0c1e6d8179bd09d3c1bd0363e8bc0a96 +Author: Patrick Schleizer +Date: Thu Feb 22 11:07:01 2024 -0500 + + ConditionKernelCommandLine=!remountsecure=0 + +commit eb3e0b9292f71a5dba312500508f893779fb1b9c +Author: Patrick Schleizer +Date: Thu Feb 22 14:52:55 2024 +0000 + + bumped changelog version + +commit c0924321b84874ae7fc72c59fd58e4c4ae8bc6d9 +Author: Patrick Schleizer +Date: Thu Feb 22 09:52:36 2024 -0500 + + fix systemd unit ExecStart + +commit d148a769b7106831c0b27a7ad63d91ab42257678 +Author: Patrick Schleizer +Date: Thu Feb 22 14:50:05 2024 +0000 + + bumped changelog version + +commit 6d7cf3c12a8a772fee1cd893d5504767690b3b77 +Author: Patrick Schleizer +Date: Thu Feb 22 09:49:48 2024 -0500 + + output + +commit f7831db197b2fff33b66eeb44efd749e482315e0 +Author: Patrick Schleizer +Date: Thu Feb 22 09:17:41 2024 -0500 + + do not exit non-zero if folder does not exist + +commit 5bdd7b8475bdfde8dbee5318fb43d0c2a236e3b0 +Author: Patrick Schleizer +Date: Thu Feb 22 09:14:52 2024 -0500 + + output + +commit 44a15cd97da3066e39d2d7df1f456e703036a6e9 +Author: Patrick Schleizer +Date: Thu Feb 22 09:13:56 2024 -0500 + + mount 
--make-private + + https://github.com/Kicksecure/security-misc/issues/172 + +commit c0f98b05b609c7c8ac6f86e123af9e0642d82697 +Author: Patrick Schleizer +Date: Thu Feb 22 06:03:59 2024 -0500 + + comment + + https://github.com/Kicksecure/security-misc/pull/202 + +commit 1e1613aa93dca1e7fe7f24dbd32028a0cadd21fd +Author: Patrick Schleizer +Date: Thu Feb 22 06:02:28 2024 -0500 + + allow /opt exec as usually optional binaries are placed there such as firefox + + https://github.com/Kicksecure/security-misc/pull/202 + +commit 7c7b4b24b4959f3ef96ff7ef0b11fa4c0bd48c8e +Author: Patrick Schleizer +Date: Thu Feb 22 06:01:00 2024 -0500 + + fix home_noexec_maybe -> most_noexec_maybe + + https://github.com/Kicksecure/security-misc/pull/202 + +commit 38783faf60b85c4e855bf78c87e1c07765776b50 +Author: Patrick Schleizer +Date: Thu Feb 22 05:58:53 2024 -0500 + + add more bind mounts of mount options hardening + + as suggested in https://github.com/Kicksecure/security-misc/pull/202 + +commit ad9d913902d7e696f1114da74d84f9cdcb22bc25 +Author: Patrick Schleizer +Date: Sat Feb 3 18:28:27 2024 +0000 + + bumped changelog version + +commit 02090da08cfd411314ffeeb6df95f73c701f06c6 +Merge: 8037ce5 ba13657 +Author: Patrick Schleizer +Date: Sat Feb 3 12:51:07 2024 -0500 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit ba13657d894f2f30d8deb7c08b85e5fbc1dcea21 +Merge: 8037ce5 b16c99a +Author: Patrick Schleizer +Date: Sat Feb 3 12:50:28 2024 -0500 + + Merge pull request #197 from raja-grewal/mitigations + + Additional Explicit CPU Mitigations + +commit b16c99ab62a902b1f61b9d4fe63273cd614e757c +Author: raja-grewal +Date: Mon Jan 29 13:39:40 2024 +0000 + + Remove hardcoded `spec_rstack_overflow` setting + +commit 139b10a9aad85018f87bdc4bb227e938f7955235 +Author: raja-grewal +Date: Mon Jan 29 12:59:13 2024 +0000 + + Control RAS overflow mitigation on AMD Zen CPUs + +commit 6c54e35027e86ec045102cd1d95f84aa30bc55c9 +Author: raja-grewal +Date: Mon Jan 29 12:58:51 2024 +0000 + + Enable 
mitigations for RETBleed vulnerability and disable SMT + +commit 4509a5fc95204080f2855849d22c7e05393455d9 +Author: raja-grewal +Date: Mon Jan 29 12:58:14 2024 +0000 + + Enable known mitigations for CPU vulnerabilities and disable SMT + +commit 4231155efa0970d2456b67cc89c8828b0766cf7f +Author: raja-grewal +Date: Mon Jan 29 12:57:48 2024 +0000 + + Add reference for kernel parameters + +commit 8037ce52f96dcc6f8007c1567daf38ff013352d6 +Author: Patrick Schleizer +Date: Thu Jan 25 13:59:29 2024 +0000 + + bumped changelog version + +commit 185bfe749787a8c6e93103ae8c6b0751a169e276 +Author: Patrick Schleizer +Date: Thu Jan 25 06:54:36 2024 -0500 + + use `interest-noawait` instead of `interest-await` + + fixes https://github.com/Kicksecure/security-misc/issues/196 + +commit 64e41b113cae893d1f27f441f99340389ba8b9b3 +Author: Patrick Schleizer +Date: Thu Jan 18 14:10:51 2024 +0000 + + bumped changelog version + +commit 1855fa08b1386b1ea8697767104e7ad0f1521c9c +Author: Patrick Schleizer +Date: Thu Jan 18 08:54:39 2024 -0500 + + readme + +commit f0e2a82b558f64611f037424c6f8f12de32737f6 +Author: Patrick Schleizer +Date: Wed Jan 17 19:18:25 2024 +0000 + + bumped changelog version + +commit 314e5b490c6864b745fbf5fd6d9bb2c724d478b8 +Author: Patrick Schleizer +Date: Wed Jan 17 14:03:09 2024 -0500 + + use wildcards + + instead of outdated, incomplete list + + https://github.com/Kicksecure/security-misc/issues/160 + +commit 08619d6a7307b6ab05a3ba7e71ea33b00db20b27 +Author: Patrick Schleizer +Date: Wed Jan 17 13:59:36 2024 -0500 + + minor RPM updates + + https://github.com/Kicksecure/security-misc/issues/160 + +commit 3048e0ac76e4eba1c53b43ba2424157505578cdd +Author: Patrick Schleizer +Date: Wed Jan 17 13:54:07 2024 -0500 + + usrmerge + + https://github.com/Kicksecure/security-misc/issues/190 + +commit 5a6cd4c2abd243c91575e9477a921aa290c68ba5 +Author: Patrick Schleizer +Date: Wed Jan 17 13:51:30 2024 -0500 + + remove now empty /bin from copying since it is empty after usrmerge + + 
https://github.com/Kicksecure/security-misc/issues/190 + +commit 071b984a1eaaa8a8ea6a40e4ee36eabcde2d630d +Author: Patrick Schleizer +Date: Wed Jan 17 13:49:05 2024 -0500 + + `sort -d` + + https://github.com/Kicksecure/security-misc/issues/190 + +commit 011e55e3e52485ccd728b4bb249efbc816f38806 +Author: Patrick Schleizer +Date: Wed Jan 17 13:45:17 2024 -0500 + + remove duplicates after usrmerge + + https://github.com/Kicksecure/security-misc/issues/190 + +commit 0efee2f50fd38feade7700c2f033cc3d4c200d34 +Author: Patrick Schleizer +Date: Wed Jan 17 13:39:56 2024 -0500 + + usrmerge + + fixes https://github.com/Kicksecure/security-misc/issues/190 + +commit 18a06935e0cca3dc090643aad406d861e4583085 +Author: Patrick Schleizer +Date: Wed Jan 17 13:23:20 2024 -0500 + + run permission hardener when new packages are install files to /usr or /opt + + (basically anywhere) + + fixes https://github.com/Kicksecure/security-misc/issues/189 + +commit 66e6371221c3395a0523e30e8ef1a051d3e6cdd0 +Author: Patrick Schleizer +Date: Tue Jan 16 14:26:34 2024 +0000 + + bumped changelog version + +commit 0d78ecaee37536379ad2f230f45904f57425cb19 +Author: Patrick Schleizer +Date: Tue Jan 16 09:26:21 2024 -0500 + + README + +commit 3ba8fe586e1abe133bd41076278f8663aba7e641 +Author: Patrick Schleizer +Date: Tue Jan 16 09:23:54 2024 -0500 + + update permission-hardener.service + + Which is now only an additional opt-in systemd unit, + because permission-hardener is run by default at security-misc + package installation time. 
+ + https://github.com/Kicksecure/security-misc/pull/181 + +commit 186f6015da7b3314c95c2833032c6fe953a71afd +Author: Patrick Schleizer +Date: Tue Jan 16 14:14:18 2024 +0000 + + bumped changelog version + +commit 6aa55698ab2a0f3771d28293d7ad14da2763a16f +Author: Patrick Schleizer +Date: Tue Jan 16 09:10:59 2024 -0500 + + delete legacy folder /etc/permission-hardening.d if empty + + https://github.com/Kicksecure/security-misc/pull/181 + +commit 9cafd78fe21baa3c2a36853f57e0638b2facfe5c +Author: Patrick Schleizer +Date: Tue Jan 16 09:05:09 2024 -0500 + + rm_conffile /etc/permission-hardening.d + + https://github.com/Kicksecure/security-misc/pull/181 + +commit fa53848b5cda135fbb8a3855e8508692084fc7e9 +Author: Patrick Schleizer +Date: Tue Jan 16 13:58:55 2024 +0000 + + bumped changelog version + +commit 4f7973bc5628cdc24f5224bd98858249307635d3 +Author: Patrick Schleizer +Date: Tue Jan 16 08:56:26 2024 -0500 + + comment + +commit ed7c09fc46b26440439adf748f597da277a3f1e4 +Author: Patrick Schleizer +Date: Tue Jan 16 08:45:13 2024 -0500 + + permission-hardening -> permission-hardener migration + + mv --verbose /var/lib/permission-hardening /var/lib/permission-hardener + + https://github.com/Kicksecure/security-misc/pull/181 + +commit a90cd43631216f28a18a1b3f066b9f6ef3301ac4 +Author: Patrick Schleizer +Date: Tue Jan 16 08:32:52 2024 -0500 + + fix postinst for new permission-hardener + + https://github.com/Kicksecure/security-misc/pull/181 + +commit 862bf6b5ab29917138325023eb3507f5fbd5653c +Merge: dc8d9ee bc02c72 +Author: Patrick Schleizer +Date: Tue Jan 16 08:19:28 2024 -0500 + + Merge remote-tracking branch 'ben-grande/clean' + +commit dc8d9eece32dec06e63c580c886a240019b3f33e +Author: Patrick Schleizer +Date: Tue Jan 9 05:52:49 2024 +0000 + + bumped changelog version + +commit 1199871d7bbc7316a7e5822d77eee0666b55b203 +Author: Patrick Schleizer +Date: Sun Jan 7 06:37:34 2024 -0500 + + undo IPv6 privacy due to potential server issues + + 
https://github.com/Kicksecure/security-misc/issues/184 + +commit 128bb01b35d20e97351dfb53768f35482f9756a2 +Author: Patrick Schleizer +Date: Sun Jan 7 06:36:25 2024 -0500 + + undo IPv6 privacy due to potential server issues + + https://github.com/Kicksecure/security-misc/issues/184 + +commit df0f9d3267644c4aea87add2dcade86044c496f0 +Author: Patrick Schleizer +Date: Sat Jan 6 09:19:57 2024 -0500 + + README + +commit 86f91e3030ef0b08000fc28a3a172e6a47918e4e +Author: Patrick Schleizer +Date: Sat Jan 6 09:10:45 2024 -0500 + + revert umask 027 by default + + because broken because this also happens for root while it should not + + https://github.com/Kicksecure/security-misc/issues/185 + +commit 3f1304403fbf04f15dac01963c66f82cd84452d4 +Author: Patrick Schleizer +Date: Sat Jan 6 08:15:31 2024 -0500 + + disable MAC randomization in Network Manager (NM) because it breaks VirtualBox DHCP + + https://github.com/Kicksecure/security-misc/issues/184 + +commit e8f8dcd0fb1c23a62974849f55516da9dce5948e +Author: Patrick Schleizer +Date: Thu Jan 4 02:03:26 2024 +0000 + + bumped changelog version + +commit 70a86fa994c0a894643e876fc86226ad0443a741 +Merge: db0503e 71060f1 +Author: Patrick Schleizer +Date: Wed Jan 3 05:12:48 2024 -0500 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 71060f1f53ca7a275f10c4b6ab3e6c25585d5440 +Merge: db0503e 74afcc9 +Author: Patrick Schleizer +Date: Wed Jan 3 05:00:41 2024 -0500 + + Merge pull request #182 from raja-grewal/io_uring + + Clarify validity of disabling io_uring + +commit 74afcc9c63ad064f20778ad2870690925c3cee81 +Author: Raja Grewal +Date: Wed Jan 3 17:52:23 2024 +1100 + + Clarify validity of disabling io_uring + +commit bc02c72018d6458d4c1852dd441287b277421514 +Author: Ben Grande +Date: Tue Jan 2 17:08:45 2024 +0100 + + Fix unbound variable + + - Run messages preceded by INFO; + - Comment unknown unused variables; + - Remove unnecessary variables; and + - Deal with unbound variable due to subshell by writing to a file; + 
+commit db0503e71d5c37865cbb0a01cb8fa00af2a4e574 +Author: Patrick Schleizer +Date: Tue Jan 2 14:55:13 2024 +0000 + + bumped changelog version + +commit abf72c2ee4286ec069f75e66acf05a42f3645c89 +Author: Ben Grande +Date: Tue Jan 2 13:34:29 2024 +0100 + + Rename file permission hardening script + + Hardener as the script is the agent that is hardening the file + permissions. + +commit f138cf0f78c03e3952801d01d25d5f8065ff1457 +Author: Ben Grande +Date: Tue Jan 2 12:17:16 2024 +0100 + + Refactor permission-hardener + + - Organize comments from default configuration; + - Apply and undo changes from a single file controlled by parameters; + - Arrays should be evaluated as arrays and not normal variables; + - Quote variables; + - Brackets around variables; + - Standardize test cases to "test" command; + - Test against empty or non-empty variables with "-z" and "-n"; + - Show a usage message when necessary; + - Require root to run the script with informative message; + - Permit the user to see the help message without running as root; + - Do not create root directories without passing root check; + - Use long options for "set" command; + +commit a94f2a3f4626a9292660bc7f98a6513f34d0f5b2 +Merge: 94c0e26 8daf97a +Author: Patrick Schleizer +Date: Tue Jan 2 05:30:49 2024 -0500 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 8daf97ab0181a9cbb9e9dec57f1f00270dbb3a50 +Merge: 94c0e26 f055fe5 +Author: Patrick Schleizer +Date: Tue Jan 2 05:29:35 2024 -0500 + + Merge pull request #178 from raja-grewal/io_uring + + Disable asynchronous I/O + +commit 94c0e26a082f61f71e89b1fb7386a58166ffa411 +Author: Patrick Schleizer +Date: Fri Dec 29 20:15:50 2023 +0000 + + bumped changelog version + +commit 5b36599c0ce35857239c82459828db1ec4215411 +Author: Patrick Schleizer +Date: Fri Dec 29 14:57:38 2023 -0500 + + /dev/, /dev/shm, /tmp + + https://github.com/Kicksecure/security-misc/issues/157#issuecomment-1869073716 + +commit e15596e7af6fc645dd652c043397baaa91954915 +Author: 
Patrick Schleizer +Date: Mon Dec 25 16:28:10 2023 +0000 + + bumped changelog version + +commit f64a869bfdd4c746afd206367885851946deb692 +Author: Patrick Schleizer +Date: Mon Dec 25 11:03:22 2023 -0500 + + readme + +commit c86c83cef760906a0d1c56ee8a8c744b2e07f212 +Author: Patrick Schleizer +Date: Mon Dec 25 10:31:58 2023 -0500 + + formatting + + https://github.com/Kicksecure/security-misc/issues/157 + +commit 971ff687b1423499c54495a03e5e6fafcbfefb2a +Author: Patrick Schleizer +Date: Mon Dec 25 10:30:35 2023 -0500 + + do not mount /dev/cdrom by default + + https://github.com/Kicksecure/security-misc/issues/157 + +commit 9fce67fcd942a7e3e0dd2e874226fcdab5e33ba3 +Author: Patrick Schleizer +Date: Mon Dec 25 10:28:47 2023 -0500 + + remove superfluous, broken `remount` mount option + + https://github.com/Kicksecure/security-misc/issues/157 + +commit 40fd8cb6081512e2bc0ef1a7a1ee17cd317024c2 +Author: Patrick Schleizer +Date: Mon Dec 25 09:51:09 2023 -0500 + + no `nofail` mount option to avoid breaking the boot of a system + + unit testing belongs elsewhere + + https://github.com/Kicksecure/security-misc/issues/157 + +commit 4aa645f29ff741b6e5cdf629deade1923fdcc234 +Author: Patrick Schleizer +Date: Mon Dec 25 09:46:33 2023 -0500 + + comment + + https://github.com/Kicksecure/security-misc/issues/157 + +commit 2b7aeedb4a543d0a43a35918999338097d13bb16 +Author: Patrick Schleizer +Date: Mon Dec 25 09:44:51 2023 -0500 + + mount /dev/cdrom to /mnt/cdrom (instead of /mnt/cdrom0) and + nodev,nosuid,noexec + + as per: + https://www.debian.org/doc/manuals/securing-debian-manual/ch04s10.en.html + + https://github.com/Kicksecure/security-misc/issues/157 + +commit 0d9e9780daca563a726470a3a5d6fa8c20487240 +Author: Patrick Schleizer +Date: Mon Dec 25 09:37:14 2023 -0500 + + formatting + + https://github.com/Kicksecure/security-misc/issues/157 + +commit 00f9ab43947795c1144d797547968c7c149d6f21 +Author: Patrick Schleizer +Date: Mon Dec 25 09:36:05 2023 -0500 + + /dev devtmpfs + + 
https://github.com/Kicksecure/security-misc/issues/157 + +commit 55709b3aa0acd6cad0c9fedb8782c49fbea79689 +Author: Patrick Schleizer +Date: Mon Dec 25 09:30:57 2023 -0500 + + /tmp tmpfs + + https://github.com/Kicksecure/security-misc/issues/157 + +commit b0dd967611c27f5b8e2472bb74a664aead7a229e +Author: Patrick Schleizer +Date: Mon Dec 25 09:27:45 2023 -0500 + + usrmerge + + https://github.com/Kicksecure/security-misc/issues/157 + +commit 269fada14a616c53d7421e88e662f6893eb1fd88 +Author: Patrick Schleizer +Date: Mon Dec 25 09:25:14 2023 -0500 + + combine bind lines + + https://github.com/Kicksecure/security-misc/issues/157 + +commit 0810c1ce3c9e19c745b8f0d2cd9410353b172779 +Author: Patrick Schleizer +Date: Mon Dec 25 09:10:31 2023 -0500 + + fix bluetooth in readme + + fixes https://github.com/Kicksecure/security-misc/issues/180 + +commit 37b4ab15a823134e616a2a0fe1dda18d5ebfa3c0 +Author: Patrick Schleizer +Date: Mon Dec 25 09:04:10 2023 -0500 + + readme + +commit 79f398d219b9c4cdf8ea0f9e3135a08fa32659a8 +Author: Patrick Schleizer +Date: Mon Dec 25 08:45:20 2023 -0500 + + formatting + +commit c90ada3c398205227d906e2b2108d36d92edcf3c +Author: Patrick Schleizer +Date: Mon Dec 25 08:37:23 2023 -0500 + + pandoc -f markdown -t markdown --wrap=auto --columns=80 README.md -o README.md + +commit 34bf297bd17af2adf59804bd133a00b7dc1942b7 +Author: Patrick Schleizer +Date: Mon Dec 25 08:32:34 2023 -0500 + + formatting + +commit d5fc9f620169b6975c8d3ef685f47e62cb6b9262 +Author: Patrick Schleizer +Date: Mon Dec 25 08:26:03 2023 -0500 + + improve bluetooth in readme + + as suggested by @monsieuremre + + https://github.com/Kicksecure/security-misc/issues/180 + +commit 7fa597deca7ff2b2932a5f5fad56be57bd78b6cf +Author: Patrick Schleizer +Date: Fri Dec 22 16:31:58 2023 +0000 + + bumped changelog version + +commit f70a034da2b4b615855504e7080baf1a7e7b461c +Author: Patrick Schleizer +Date: Fri Dec 22 08:31:58 2023 -0500 + + exclude hardened malloc from SUID disabler + + fixes 
https://github.com/Kicksecure/security-misc/issues/179 + +commit f055fe5da2219b68f46c3c577d79fcfd7e79cfc6 +Author: Raja Grewal +Date: Fri Dec 15 08:33:36 2023 +0000 + + Disable asynchronous I/O + + io_uring creation is disabled for all processes. io_uring_setup always fails with -EPERM. Existing io_uring instances can still be used. + +commit 99f2edd4f685cdc9a47b32107125408e12a294c2 +Author: Patrick Schleizer +Date: Tue Dec 12 16:51:21 2023 +0000 + + bumped changelog version + +commit 039de1dc9bd6f3cc6595d66f54d0d88d9b537b17 +Author: Patrick Schleizer +Date: Tue Dec 12 11:50:11 2023 -0500 + + add hardened fstab `/usr/share/doc/security-misc/fstab-vm` + + to the documentation folder as an example + + not directly used by security-misc + + will later be used by Kicksecure VM build process + + https://github.com/Kicksecure/security-misc/issues/157 + +commit dcaafa6c8bf380dd990942e9c10e280943b442a6 +Author: Patrick Schleizer +Date: Mon Dec 4 17:06:45 2023 +0000 + + bumped changelog version + +commit 5a73817a9575fe5bcaf3fd354e5f175db7d45ba4 +Author: Patrick Schleizer +Date: Mon Dec 4 11:38:49 2023 -0500 + + move to `/usr/lib/issue.d/20_security-misc.issue` + + https://github.com/Kicksecure/security-misc/pull/167 + +commit dfaea492c76a277b9cbe84982a135cb4f03a557c +Author: Patrick Schleizer +Date: Mon Dec 4 11:37:02 2023 -0500 + + remove `etc/issue.net.d/20_security-misc` + + since not mentioned on debian.org + +commit 69c895af09f05000ace5f273f3e5032aabf8c64e +Merge: c9ea7a4 36850f8 +Author: Patrick Schleizer +Date: Mon Dec 4 11:27:53 2023 -0500 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 36850f89fb07678ca24eb580a18247e593eac608 +Merge: c9ea7a4 0d7af97 +Author: Patrick Schleizer +Date: Mon Dec 4 11:27:16 2023 -0500 + + Merge pull request #167 from monsieuremre/patch-4 + + Non-Identifiable and Generic Issue Banners that include the Recommended Keywords + +commit c9ea7a4dca6e985c3a1044a3b4ddda83909fbc51 +Author: Patrick Schleizer +Date: Mon Dec 4 
11:02:55 2023 -0500 + + use `amd_iommu=force_isolation` instead of `amd_iommu=force_enable` + + because we set `iommu=force` already anyhow + + fixes https://github.com/Kicksecure/security-misc/issues/175 + +commit e83c1d7ed662bb0533c670dd5b7a6745a75e9ca4 +Merge: c4e21ca befd21e +Author: Patrick Schleizer +Date: Mon Dec 4 11:01:02 2023 -0500 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit befd21e0c0c38eaf91c7096e9f60120f533a5842 +Merge: c4e21ca f2ad838 +Author: Patrick Schleizer +Date: Mon Dec 4 11:00:29 2023 -0500 + + Merge pull request #176 from monsieuremre/patch-1 + + Iommu Kernel Parameters + +commit c4e21ca5f49fbc2d67853eebca647539acbca815 +Author: Patrick Schleizer +Date: Mon Dec 4 10:58:16 2023 -0500 + + added development philosophy + + https://github.com/Kicksecure/security-misc/issues/154 + +commit feab1432f9d0966118ca233c9f88270b98c3f120 +Author: Patrick Schleizer +Date: Mon Dec 4 10:48:27 2023 -0500 + + clarify scope + + https://github.com/Kicksecure/security-misc/issues/154 + +commit dc04040cb3644c9e3be9b44a34da4a5f7b61f2cc +Author: Patrick Schleizer +Date: Mon Dec 4 10:36:48 2023 -0500 + + typo + +commit 2634dbff2bd9d7482e7b02be2b5b6fa1c58ef6c7 +Author: Patrick Schleizer +Date: Mon Dec 4 10:36:21 2023 -0500 + + shuffle + +commit f2ad8383cfea4bba42e8b246b05b85101d707641 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Sun Dec 3 19:51:38 2023 +0000 + + fix + +commit dd15823a97e953750d7a8288c7d3b8d5f554d6f9 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Sun Dec 3 19:50:07 2023 +0000 + + undo superfluousness + +commit 83e13bb62d028cfeea7a4d3f3def3bff8d2b5eaa +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Sun Dec 3 19:42:34 2023 +0000 + + Update 40_enable_iommu.cfg + +commit 0d7af9707f802fb600d9eb39bbe0b3bd4a65e3b0 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Sun Dec 3 19:31:12 2023 +0000 + + Update 
20_security-misc + +commit 04d27a10b0cd1c22cb166c9fccb93a09d5f388f0 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Sun Dec 3 19:30:55 2023 +0000 + + Update 20_security-misc + +commit 7963f811e1bb6f5e0e2ba41e96b14e4a3a70f847 +Merge: c8b9f5a 82bd913 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Sun Dec 3 19:30:22 2023 +0000 + + Merge branch 'Kicksecure:master' into patch-4 + +commit 82bd9138de750a3590be9c91c898cbd04c550e7e +Author: Patrick Schleizer +Date: Mon Nov 20 13:13:10 2023 +0000 + + bumped changelog version + +commit c2b3ff5243c69c4e1ba28e9966bf0ffd3ce550ce +Author: Patrick Schleizer +Date: Mon Nov 20 04:40:28 2023 -0500 + + moved libpam-tmpdir dependency to kicksecure-meta-packages + + https://github.com/Kicksecure/security-misc/pull/147 + +commit c8b9f5a917e6c415575d6763a65930f1a91a7c78 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Sat Nov 18 10:03:19 2023 +0000 + + net + +commit 3b614f3753608bd62ff6bc6e56e15f280994c646 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Sat Nov 18 10:02:16 2023 +0000 + + 20_security-misc + +commit 4e4df5dd7c6b5cf1deb179a2c3f8fe7a8844884d +Author: Patrick Schleizer +Date: Sat Nov 11 22:29:57 2023 +0000 + + bumped changelog version + +commit a51674410cb8a7ac2119ea7c85f986223ce8fc25 +Author: Patrick Schleizer +Date: Sat Nov 11 17:29:37 2023 -0500 + + fix + +commit 8d58077d68e6363313cdc62f7fac14840f5d9a8e +Author: Patrick Schleizer +Date: Sat Nov 11 20:22:34 2023 +0000 + + bumped changelog version + +commit 5b85a0b34d30d191654158506e0209b34a8f9fe8 +Author: Patrick Schleizer +Date: Sat Nov 11 14:46:35 2023 -0500 + + license + +commit 7757080519858492a7fcbf735ec854029b29d67a +Author: Patrick Schleizer +Date: Sat Nov 11 13:41:28 2023 -0500 + + change license to AGPL-3+ + + https://forums.whonix.org/t/license-change-to-agplv3/17455 + +commit 20f804f19c046e3ef2b38c367de9d5c80cccccd9 +Author: Patrick Schleizer 
+Date: Mon Nov 6 17:28:21 2023 -0500 + + bumped changelog version + +commit a1e00be0e09a7271a3fae9e9abdbe9a2279b7197 +Author: Patrick Schleizer +Date: Mon Nov 6 16:58:23 2023 -0500 + + update link + +commit 5bb357cac02c7217f4e897a0625f531602ac69cf +Author: Patrick Schleizer +Date: Mon Nov 6 16:55:00 2023 -0500 + + spice-client-glib-usb-acl-helper matchwhitelist + +commit 7309445ee518c093ba3f9aec56197e391e0a194a +Author: Patrick Schleizer +Date: Mon Nov 6 16:52:27 2023 -0500 + + comment + +commit f09d97fc9efc98d8b197a497e2ce4c5965be531a +Author: Patrick Schleizer +Date: Mon Nov 6 16:50:19 2023 -0500 + + whitelist VirtualBox + +commit 64c8c7a8d5a42d2e3da9ce243bc708d1bcbe6039 +Author: Patrick Schleizer +Date: Mon Nov 6 16:47:31 2023 -0500 + + whitelist SSH + +commit 9682b51d548396717867a0c336f1fb1677ccfe2b +Author: Patrick Schleizer +Date: Mon Nov 6 16:44:36 2023 -0500 + + whitelist virtualbox + +commit a40b9bc095bb0f363911dacee050234b3a555744 +Author: Patrick Schleizer +Date: Mon Nov 6 16:40:22 2023 -0500 + + comments + +commit 2c1a3da433b8dc96039caab17e81666896ade58c +Author: Patrick Schleizer +Date: Mon Nov 6 16:38:50 2023 -0500 + + VirtualBoxVM matchwhitelist + +commit 4e96ffaabb7c2e73bf686e56bcaa220f4d2e9e93 +Author: Patrick Schleizer +Date: Mon Nov 6 16:37:19 2023 -0500 + + chrome-sandbox matchwhitelist + +commit df5f3e80566da210ee5d807cc1b5dd53678fdae0 +Author: Patrick Schleizer +Date: Mon Nov 6 16:36:22 2023 -0500 + + output + +commit 72f6e6bb9c2426535bfc48175d88707331ec5346 +Author: Patrick Schleizer +Date: Mon Nov 6 16:28:23 2023 -0500 + + output + +commit 3bc831a1f71a80a178601bdd5c7f06b22ada75ab +Author: Patrick Schleizer +Date: Mon Nov 6 16:27:29 2023 -0500 + + lintian + +commit fd1f38b2ebe31aec04b22d968b38305504f7f935 +Author: Patrick Schleizer +Date: Mon Nov 6 16:22:42 2023 -0500 + + remount-secure systemd unit + + https://github.com/Kicksecure/security-misc/pull/152 + +commit 79f9c1fb3adac319342a22c099401cb21af4429f +Author: Patrick Schleizer +Date: Mon 
Nov 6 15:48:09 2023 -0500 + + add sysinit-post.target + + https://github.com/Kicksecure/security-misc/pull/152 + +commit 2de5ab41201c561a2684f15196ce37b0f34038a9 +Author: Patrick Schleizer +Date: Mon Nov 6 13:47:30 2023 -0500 + + clarify scope of application specific hardening + + fixes https://github.com/Kicksecure/security-misc/issues/154 + +commit 5a96616b39e7188903bd0d35c9812a02fddc02f9 +Author: Patrick Schleizer +Date: Sun Nov 5 21:13:14 2023 -0500 + + bumped changelog version + +commit ad079ac5cc4d7ce2270e9abf21fa520fc9b2761f +Author: Patrick Schleizer +Date: Sun Nov 5 20:55:55 2023 -0500 + + readme + + https://github.com/Kicksecure/security-misc/pull/152 + +commit be023c77223c4ec0e26ffe2a88acd94653efee9a +Author: Patrick Schleizer +Date: Sun Nov 5 20:54:43 2023 -0500 + + readme + + https://github.com/Kicksecure/security-misc/issues/159 + +commit e1f413c1ee5107468cb2a9c4aa8bd061d0dc911b +Author: Patrick Schleizer +Date: Sun Nov 5 20:53:26 2023 -0500 + + disable harden-module-loading.service for now + + due to issues + + https://github.com/Kicksecure/security-misc/issues/159 + +commit f2ea1abc9b3efc035f4d1381bece458de9b89ff3 +Author: Patrick Schleizer +Date: Sun Nov 5 20:53:03 2023 -0500 + + comment + +commit 95d1cfb4a03afc987cf89bb0f4cd6d2f1ad431b1 +Author: Patrick Schleizer +Date: Sun Nov 5 20:49:36 2023 -0500 + + Revert "remove no longer required remount-service systemd unit" + + This reverts commit 479ab61a1d0c91d26c2cd200d97b39b2b786e073. 
+ + https://github.com/Kicksecure/security-misc/pull/152 + +commit 24b4d59ce41bc95e0b0aadf401223dc40b0f9c8f +Author: Patrick Schleizer +Date: Sun Nov 5 20:14:33 2023 -0500 + + bumped changelog version + +commit 4482f1841cfc6caa063e2274db890cfa01944811 +Author: Patrick Schleizer +Date: Sun Nov 5 20:13:14 2023 -0500 + + newline + +commit c5167c8f0d398946fdfae56fa78b32fade4cb451 +Author: Patrick Schleizer +Date: Sun Nov 5 20:12:03 2023 -0500 + + fix systemd unit + + https://github.com/Kicksecure/security-misc/issues/159 + +commit 2571bbf315693f65f564ef4ad1b2ff4941f2ebc3 +Author: Patrick Schleizer +Date: Sun Nov 5 18:42:25 2023 -0500 + + duplicate + +commit aa170878838b2218da8295be8b6898bc86056cec +Author: Patrick Schleizer +Date: Sun Nov 5 18:42:08 2023 -0500 + + update path + +commit d203e539aa975b042cd6ec9608a0cc16b3314372 +Author: Patrick Schleizer +Date: Sun Nov 5 18:17:59 2023 -0500 + + bumped changelog version + +commit 4ebab940c750154a396c4ffdbde61367e12c72f8 +Author: Patrick Schleizer +Date: Sun Nov 5 17:56:35 2023 -0500 + + description too long, fixed + +commit ad010ef5b4c90e4abbd1c88724f99450740fb2eb +Author: Patrick Schleizer +Date: Sun Nov 5 17:52:44 2023 -0500 + + debugging + +commit 826e76d037f88636fdde7d4ef1eb72f29ac5f4a5 +Author: Patrick Schleizer +Date: Sun Nov 5 17:43:33 2023 -0500 + + bumped changelog version + +commit 3130a39d8c280d913fb632a40562438b82a499bb +Author: Patrick Schleizer +Date: Sun Nov 5 17:43:07 2023 -0500 + + set -e + +commit 18a2d814cc0c477599b276bb319ed8bdd34499ea +Merge: 4fda9d2 36f3c30 +Author: Patrick Schleizer +Date: Sun Nov 5 17:42:28 2023 -0500 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 36f3c30440e73c8bf4946742095f0495994fed99 +Merge: 4fda9d2 2e64d89 +Author: Patrick Schleizer +Date: Sun Nov 5 17:41:56 2023 -0500 + + Merge pull request #148 from monsieuremre/module-loading-hardening + + Harden the loading of new modules to the kernel after install + +commit 4fda9d2e8459c043ec27178ceb87483229b45d5f 
+Author: Patrick Schleizer +Date: Sun Nov 5 16:46:18 2023 -0500 + + bumped changelog version + +commit 4219347f0a739ed1ea93a596968295ddcd3a940f +Author: Patrick Schleizer +Date: Sun Nov 5 16:43:44 2023 -0500 + + fix permission-hardener config parsing issue + +commit e72f79236b7b704c60c6920b51c86832f4fda9e3 +Author: Patrick Schleizer +Date: Sun Nov 5 16:41:41 2023 -0500 + + refactoring + +commit dea0d9a78a99c441a1738f88cef2cd3c5f433454 +Author: Patrick Schleizer +Date: Sun Nov 5 16:40:49 2023 -0500 + + fix permission-hardener config parsing issue + +commit 017ae18ad7a757a18c5a7a92677f24053280e8b5 +Author: Patrick Schleizer +Date: Sun Nov 5 16:39:10 2023 -0500 + + fix permission-hardener config parsing issue + +commit 65e3c14643ca2b5167e0f5bc30a6bbc45cb4f645 +Author: Patrick Schleizer +Date: Sun Nov 5 16:35:11 2023 -0500 + + fix permission-hardener config parsing issue + +commit 40e536a9beb48f1938e67ae2010fc34f80e3bd1f +Author: Patrick Schleizer +Date: Sun Nov 5 16:04:03 2023 -0500 + + bumped changelog version + +commit 51decff2fd48c2437b08136e97d4211e5eaccd89 +Author: Patrick Schleizer +Date: Sun Nov 5 16:03:36 2023 -0500 + + exclude qfile-unpacker from permission hardener + +commit 52b6e92e002987952c908eeb05a293dd401ee9be +Author: Patrick Schleizer +Date: Sun Nov 5 15:58:21 2023 -0500 + + bumped changelog version + +commit 1900c1ab07e4d55577815b942b34457596a1d703 +Author: Patrick Schleizer +Date: Sun Nov 5 15:57:49 2023 -0500 + + pam exclude from permission-hardener + +commit 76e3a3c5f9fa5e95b90e4ea3f3ba7019615a3d1a +Author: Patrick Schleizer +Date: Sun Nov 5 15:29:38 2023 -0500 + + bumped changelog version + +commit d4494fd3c341796081dd8c114c8cc97e627c236c +Author: Patrick Schleizer +Date: Sun Nov 5 15:27:09 2023 -0500 + + disable remount-secure dracut modules + + pending new systemd based implementation + + https://github.com/Kicksecure/security-misc/pull/152 + +commit 949c1633701ac168e908794d4dd74c5a9b09a437 +Author: Patrick Schleizer +Date: Sun Nov 5 15:14:43 
2023 -0500 + + bumped changelog version + +commit 4a19fbae0be2ab99c1f21826eca2ec3cef605a0e +Author: Patrick Schleizer +Date: Sun Nov 5 15:13:01 2023 -0500 + + move permission-hardening to /usr/bin to make it more easily accessible + +commit c75f80b29f2fee3f2ead579390b8d3a8ff86b9d2 +Author: Patrick Schleizer +Date: Sun Nov 5 15:09:29 2023 -0500 + + lower verbosity of permission hardener + + fixes https://github.com/Kicksecure/security-misc/issues/158 + +commit 0544657123100b333211a91ef32054dc7e14c7db +Author: Patrick Schleizer +Date: Sun Nov 5 14:56:06 2023 -0500 + + bumped changelog version + +commit 42be6310237bdb663f38982b221327a337251e0a +Author: Patrick Schleizer +Date: Sun Nov 5 14:54:05 2023 -0500 + + readme + +commit 55ba5d48321ec4224bcbf03cf2bf51226cf34e50 +Author: Patrick Schleizer +Date: Sun Nov 5 14:51:31 2023 -0500 + + renamed: usr/lib/NetworkManager/conf.d/99_ipv6-privacy.conf -> usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf + renamed: usr/lib/NetworkManager/conf.d/99_randomize-mac.conf -> usr/lib/NetworkManager/conf.d/80_randomize-mac.conf + renamed: usr/lib/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf -> usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf + +commit eab5d7d4ec58baaf7eedc777e250ad9f00e4b71b +Author: Patrick Schleizer +Date: Sun Nov 5 14:50:13 2023 -0500 + + cleanup + +commit 811d1cd0dd0dcb9021d2f72638dd6c12b734964c +Merge: 9343795 5a75bcf +Author: Patrick Schleizer +Date: Sun Nov 5 14:49:43 2023 -0500 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 5a75bcfb19ac6c555a52cb1600e4efd13a8cfc06 +Merge: 9343795 229032d +Author: Patrick Schleizer +Date: Sun Nov 5 14:49:00 2023 -0500 + + Merge pull request #145 from monsieuremre/wifi-and-bluetooth + + Wifi and Bluetooth Patch | Security and Privacy + +commit 93437952b4f64866dfe6067d8caf19415112418d +Author: Patrick Schleizer +Date: Sun Nov 5 14:41:01 2023 -0500 + + readme + +commit f32b5438872ad0b9e10cb7b0519f1f18fce1913e +Merge: 56b90ee 4946f85 
+Author: Patrick Schleizer +Date: Sun Nov 5 14:38:20 2023 -0500 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 4946f85d43083c64bc3f8f02e26b08f79b622bfe +Merge: 817ca11 1abac79 +Author: Patrick Schleizer +Date: Sun Nov 5 14:37:47 2023 -0500 + + Merge pull request #146 from monsieuremre/thunderbird + + Thunderbird Hardening + +commit 56b90eecbfb21e546d52d1f41ce9361f2843cd71 +Merge: 3178677 817ca11 +Author: Patrick Schleizer +Date: Sun Nov 5 14:35:23 2023 -0500 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 817ca116f693893e6dcb69254ee91815d200b8a1 +Merge: d9b5d77 fbd9e5d +Author: Patrick Schleizer +Date: Sun Nov 5 14:34:13 2023 -0500 + + Merge pull request #153 from monsieuremre/readme + + Updated Readme + +commit 317867758478619fe1df4ebdb5e22240c40104c0 +Merge: dcead44 d9b5d77 +Author: Patrick Schleizer +Date: Sun Nov 5 14:32:21 2023 -0500 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit d9b5d770cfd5f7747f1d606f3136a93034928f30 +Merge: dcead44 ac224b2 +Author: Patrick Schleizer +Date: Sun Nov 5 14:31:26 2023 -0500 + + Merge pull request #150 from monsieuremre/sysreq + + Disable SysRq by default + +commit dcead44cc6d4272b0966562046f9dab1792845b6 +Author: Patrick Schleizer +Date: Sun Nov 5 11:32:46 2023 -0500 + + output + +commit f6bf69b41fa3e1168c2c49884197770e1a78b888 +Author: Patrick Schleizer +Date: Sun Nov 5 11:31:09 2023 -0500 + + update link + +commit 2e64d89b042227fe5f38bb6d6a859deb4c5183b7 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Sat Nov 4 21:18:45 2023 +0000 + + undo unnecessary manual activation + +commit 19eceaa8108879ee5477b157fb2175993c487959 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Sat Nov 4 20:56:46 2023 +0000 + + more fix + +commit a187d23c4187fd08611e5cba85d09666dfd9f735 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Sat Nov 4 20:56:08 2023 +0000 + + big fix + +commit 
fbd9e5d017c4b00d838e9f225c7748c4b362f023 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Sat Nov 4 14:33:35 2023 +0000 + + README.md + +commit 97054b2b1076d6d428996967304b29620923eff4 +Author: Patrick Schleizer +Date: Fri Nov 3 15:55:17 2023 -0400 + + revert enabling kernel module signature enforcement + + due to issues + + https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/63 + + https://github.com/dell/dkms/issues/359 + +commit 978e3e4abd8f55a877dfe0d6e39b45ee9f58ba6d +Author: Patrick Schleizer +Date: Fri Nov 3 14:53:40 2023 -0400 + + readme + +commit 0242c04dc26638dc1250e3f681b46d15459cf8aa +Author: Patrick Schleizer +Date: Fri Nov 3 14:51:14 2023 -0400 + + port to DKMS drop-in folder + + undisplace /etc/dkms/framework.conf.security-misc + moved to /etc/dkms/framework.conf.d/30_security-misc.conf + +commit d1b5a3ffd525ec92554ffc9c666f8007c8522aac +Author: Patrick Schleizer +Date: Fri Nov 3 12:55:34 2023 -0400 + + /usr/sbin/pam-tmpdir-helper exactwhitelist + + https://github.com/Kicksecure/security-misc/pull/147 + +commit 48adb44c6fd157673cdf7fab3b86ecf7c6b31966 +Author: Patrick Schleizer +Date: Fri Nov 3 12:17:24 2023 -0400 + + bumped changelog version + +commit b6d53f698d0ad21a31da6bf74a44577a0c8869fc +Author: Patrick Schleizer +Date: Fri Nov 3 12:17:00 2023 -0400 + + Revert "allow loading unsigned modules due to issues" + + This reverts commit 661bcd8603425934188cf139f33e20675ff4b765. 
+ +commit 04b210ee88589ef9e6e214d3a5a614780244abc9 +Author: Patrick Schleizer +Date: Fri Nov 3 12:10:48 2023 -0400 + + bumped changelog version + +commit 5e73f78ed9282bf0895b01d44d9c261ea0050cce +Merge: ceffd2b 8e66a41 +Author: Patrick Schleizer +Date: Fri Nov 3 12:10:33 2023 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 8e66a4177868ee7b51dafdb06062b0cb7cbc7415 +Merge: ceffd2b 7dc99d5 +Author: Patrick Schleizer +Date: Fri Nov 3 12:10:00 2023 -0400 + + Merge pull request #147 from monsieuremre/PAM-tmp-files-hardening + + Depend on libpam-tmpdir for very solid extra security + +commit 7dc99d54c0358842745ee48c7cc24f589fd63d14 +Author: Patrick Schleizer +Date: Fri Nov 3 12:09:39 2023 -0400 + + fix + +commit 2a602e78d6ca0f87f11de9a30ae2114468243075 +Merge: 3ee4be6 ceffd2b +Author: Patrick Schleizer +Date: Fri Nov 3 12:08:50 2023 -0400 + + Merge branch 'master' into PAM-tmp-files-hardening + +commit ceffd2b3ee453122e66f594ec31dde6ec3bb7187 +Author: Patrick Schleizer +Date: Fri Nov 3 12:06:43 2023 -0400 + + bumped changelog version + +commit cdd66ee3762c441843d421a9e6b11a20580ed7ac +Author: Patrick Schleizer +Date: Fri Nov 3 10:48:46 2023 -0400 + + wrap-and-sort + +commit c33a3d9aadcc4c0ff90f330239eff4b7c905a022 +Author: Patrick Schleizer +Date: Fri Nov 3 10:44:48 2023 -0400 + + readme + +commit d71ac03d96c9861513ff56c68aec9090ef5c50bb +Author: Patrick Schleizer +Date: Fri Nov 3 10:36:15 2023 -0400 + + comment + +commit 8326aecdb460fffa450bbf3ec0b051010f87ee2a +Author: Patrick Schleizer +Date: Fri Nov 3 10:33:02 2023 -0400 + + bumped changelog version + +commit b85d48eb83005da8fd9edc658c71493f407e3670 +Author: Patrick Schleizer +Date: Fri Nov 3 10:31:59 2023 -0400 + + do not change default umask for root + + since this causes permission issues in `/etc/` + + https://github.com/Kicksecure/security-misc/pull/151 + +commit 07540db90d60b10cbd10881b0024d8e8871330de +Author: Patrick Schleizer +Date: Fri Nov 3 09:45:12 2023 -0400 + + Revert "Revert 
"set default umask to 027"" + + This reverts commit f8913ceb2e2fdd274011377c41b5d08e7459e4af. + +commit f8913ceb2e2fdd274011377c41b5d08e7459e4af +Author: Patrick Schleizer +Date: Fri Nov 3 09:43:44 2023 -0400 + + Revert "set default umask to 027" + + This reverts commit cd216095eb8d9387437e653d7764ec765ce42a10. + +commit 43bd789c30a562aa60349d019107277a428aece8 +Author: Patrick Schleizer +Date: Fri Nov 3 09:28:08 2023 -0400 + + bumped changelog version + +commit cd216095eb8d9387437e653d7764ec765ce42a10 +Author: Patrick Schleizer +Date: Fri Nov 3 09:12:24 2023 -0400 + + set default umask to 027 + + using package libpam-umask + + https://www.debian.org/doc/manuals/securing-debian-manual/ch04s11.en.html#id-1.5.14.19 + + https://github.com/Kicksecure/security-misc/pull/151 + +commit ac224b270a3a0945d187202f8cca89af0e71a166 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Thu Nov 2 13:01:55 2023 +0000 + + disable sysrq + +commit 07882f61a8003026a9e4c135a6e18a8fd204060f +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Thu Nov 2 10:44:19 2023 +0000 + + enable service on install + + not sure if this would be the right way to do it + +commit 9f063584c1f96267b04f8f7fe0eee773f9345370 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Thu Nov 2 10:28:41 2023 +0000 + + disable-kernel-module-loading + +commit 3e604618a8ba2531553af4f9af00470bd9629615 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Thu Nov 2 10:24:35 2023 +0000 + + harden-module-loading.service + +commit 3ee4be652b28201ba208757ce5144e51c453ad70 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Thu Nov 2 09:36:58 2023 +0000 + + depend on libpam-tmpdir + +commit 1abac794b564d178df37a385cf0d25bac5842c3c +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Thu Nov 2 09:15:20 2023 +0000 + + very secure and private defaults + +commit 
5a583ca48ce608fee4fe55c1d6948505e83a98d8 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Thu Nov 2 08:30:26 2023 +0000 + + typo in file name + +commit 229032d691c614a926cf3cf96b44752364e4e087 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Wed Nov 1 17:54:05 2023 +0000 + + Rename etc/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf to usr/lib/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf + +commit 1049298e7bfa4ca0e8f02b4086f8aa086d51c725 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Wed Nov 1 17:52:40 2023 +0000 + + Update and rename etc/NetworkManager/conf.d/99_randomize-mac.conf to usr/lib/NetworkManager/conf.d/99_randomize-mac.conf + +commit 76e684cc0ac0544219d200eeefae1356864fe702 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Wed Nov 1 17:51:27 2023 +0000 + + Update and rename etc/NetworkManager/conf.d/99_ipv6-privacy.conf to usr/lib/NetworkManager/conf.d/99_ipv6-privacy.conf + +commit a768f1f1ebfc29b0c0105f2965a4290f8dfd8e63 +Author: Patrick Schleizer +Date: Wed Nov 1 12:26:21 2023 -0400 + + bumped changelog version + +commit bb14a058520b13e242fea9f3022c439c4677bd1d +Merge: 5ed2a5c 44906e8 +Author: Patrick Schleizer +Date: Wed Nov 1 11:11:54 2023 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 44906e8f398aae6e9565b131b82124e738e2d0d1 +Merge: 5ed2a5c f2c23a2 +Author: Patrick Schleizer +Date: Wed Nov 1 11:11:27 2023 -0400 + + Merge pull request #142 from monsieuremre/patch-5 + + ssh config + +commit 5ed2a5ce4a24a1a9c3e722a30aa9c6af1dc5d78a +Author: Patrick Schleizer +Date: Wed Nov 1 11:10:36 2023 -0400 + + bumped changelog version + +commit bb1161986b6d108c4fc5a16a48cdac55f98ab35d +Merge: 7d57684 b7cddd6 +Author: Patrick Schleizer +Date: Wed Nov 1 10:31:04 2023 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit b7cddd6e552cb5f5139de91ef2aeae6fde691136 +Merge: 7d57684 
c975c3c +Author: Patrick Schleizer +Date: Wed Nov 1 10:30:26 2023 -0400 + + Merge pull request #143 from monsieuremre/patch-6 + + new lines 990-security-misc.conf + +commit fc8e201e84e4c777c087fd113c539ca368fd3a31 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Fri Oct 27 14:49:24 2023 +0000 + + rename + +commit 90a88225a4fde2f09cc14b24f8467bb1ded90c9d +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Fri Oct 27 14:38:31 2023 +0000 + + security-misc.maintscript + +commit 13b4ddbb627d2279b41d1dcbe5c8ce1ac384b088 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Fri Oct 27 14:34:21 2023 +0000 + + 30_security-misc.conf + +commit b298d152fc10c66892698d9dcae769a44a32037b +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Fri Oct 27 14:32:08 2023 +0000 + + 30_security-misc.conf + +commit 3d4b04fddc16067ed345074683281e74f41eeadf +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Fri Oct 27 12:35:39 2023 +0000 + + 99_ipv6-privacy.conf + +commit e90f62eaabfeee7483af573ef8e9d015ba1977dc +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Fri Oct 27 12:34:15 2023 +0000 + + 99_randomize_mac.conf + +commit 604d839537c409604ed2c4c88992ea1a31368f6f +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Fri Oct 27 12:30:26 2023 +0000 + + 99_ipv6-privacy-extensions.conf + +commit c975c3c0ff7cc5a1e29b651c2db6c27e3f952870 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Fri Oct 27 11:07:53 2023 +0000 + + new lines 990-security-misc.conf + + added new recommended hardening settings with comments + +commit f2c23a28319e359c642da2dde424456a1064763f +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Fri Oct 27 10:53:45 2023 +0000 + + ssh config + +commit 7d576842fb6f3c124db2b6deb5abfc095974a67f +Author: Patrick Schleizer +Date: Thu Oct 26 
20:08:41 2023 -0400 + + bumped changelog version + +commit 7cff267002485fd0abca98d12b0024e061f4ba51 +Author: Patrick Schleizer +Date: Thu Oct 26 19:31:14 2023 -0400 + + remove duplicates + +commit 928cdb81d43dfd337c82917182d2914d9c9d0915 +Merge: a330a9f 39fed05 +Author: Patrick Schleizer +Date: Thu Oct 26 19:29:55 2023 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 39fed058f4734029b303fac4ea9a1b11f652fab4 +Merge: 92a6ecc 99355c6 +Author: Patrick Schleizer +Date: Thu Oct 26 19:27:41 2023 -0400 + + Merge pull request #140 from monsieuremre/patch-3 + + New lines in default permission config + +commit a330a9fd75314931639e7e873adc31c5cc65d555 +Author: Patrick Schleizer +Date: Thu Oct 26 19:20:21 2023 -0400 + + refactor permission-lockdown + +commit 8bf5ff82be706599f33228ecd6df42be0dc29f39 +Merge: 1123d23 92a6ecc +Author: Patrick Schleizer +Date: Thu Oct 26 19:15:04 2023 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 92a6ecc40a4d3bd4d8f3cec7dd9b1334c72399dc +Merge: ca9603a 91c4452 +Author: Patrick Schleizer +Date: Thu Oct 26 19:13:34 2023 -0400 + + Merge pull request #141 from monsieuremre/patch-4 + + New permission-lockdown + +commit 1123d23114201988ac3f5f50ab6e74a5307d3d52 +Author: Patrick Schleizer +Date: Thu Oct 26 18:45:07 2023 -0400 + + remount-secure: disable debugging to save space in initrd + +commit 91c445244c47c163e2466f8c4dff710eda20c337 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Thu Oct 26 19:41:07 2023 +0000 + + actually we do it once indeed + +commit 88f396264ca9d072e4e5de4e1acaee54f3b39749 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Thu Oct 26 19:35:59 2023 +0000 + + avoiding /etc/passwd + +commit b5ba03247a5b5bb1f4e010130e4a575ad1397117 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Thu Oct 26 19:31:25 2023 +0000 + + readability + +commit f487752ba1b469eb0b2f85657e2ee0860f58496b +Author: 
monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Thu Oct 26 19:30:58 2023 +0000 + + not limiting ourselves. we do not do this not just once. + +commit 88cd5a905d8aa0f6033ac4ba72903fbad4a90b4b +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Thu Oct 26 19:25:24 2023 +0000 + + strip unnecessary + +commit d9f10c221a2b6794f0a3c5bcd1c15e2a4f352751 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Thu Oct 26 18:17:50 2023 +0000 + + new permission-lockdown + +commit 99355c616974d167e3a5424d63cd56b1f64f0eaf +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Thu Oct 26 17:45:28 2023 +0000 + + new lines 30_default.conf + +commit ca9603af1713ff37392662c9d1b4251052e7b983 +Author: Patrick Schleizer +Date: Thu Oct 26 12:23:48 2023 -0400 + + bumped changelog version + +commit 5f4222c1c3d7fa057b31bba7b0b5c2e83c92a7be +Author: Patrick Schleizer +Date: Thu Oct 26 12:20:48 2023 -0400 + + enable SUID Disabler and Permission Hardener by default + + https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener + + https://forums.whonix.org/t/suid-disabler-and-permission-hardener/7706 + +commit e5d989af5ac2899985c48d60311856fb86e0ddeb +Author: Patrick Schleizer +Date: Thu Oct 26 12:04:13 2023 -0400 + + comment + +commit 8557e0963ed6159f7f6c816ad4e009cc7323a760 +Author: Patrick Schleizer +Date: Wed Oct 25 17:55:37 2023 -0400 + + bumped changelog version + +commit b7e2d49f5f3f49fab2e1c0647f10bda1921e0a80 +Author: Patrick Schleizer +Date: Wed Oct 25 17:41:05 2023 -0400 + + comment + +commit 5d71217e597aa3366658524ec5395c9f76dd527b +Merge: 6a22351 a2f811a +Author: Patrick Schleizer +Date: Wed Oct 25 17:40:13 2023 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 6a22351d298e475ecae22bb99249a308b294ff9a +Author: Patrick Schleizer +Date: Wed Oct 25 17:30:07 2023 -0400 + + renamed: usr/lib/sysctl.d/30_security-misc.conf -> 
usr/lib/sysctl.d/990-security-misc.conf + +commit b7c52800f4c16b1573e372089704a68fd47c5906 +Author: Patrick Schleizer +Date: Wed Oct 25 17:28:43 2023 -0400 + + renamed: etc/sysctl.d/30_security-misc.conf -> usr/lib/sysctl.d/30_security-misc.conf + renamed: etc/sysctl.d/30_security-misc_kexec-disable.conf -> usr/lib/sysctl.d/30_security-misc_kexec-disable.conf + renamed: etc/sysctl.d/30_silent-kernel-printk.conf -> usr/lib/sysctl.d/30_silent-kernel-printk.conf + +commit a2f811aff0cb4e73c3975093012c223127495707 +Merge: 3317332 ee6716e +Author: Patrick Schleizer +Date: Wed Oct 25 17:26:46 2023 -0400 + + Merge pull request #135 from monsieuremre/kernel-fix + + Kernel hardening fix + +commit ee6716e178806912da08b671ae31504ed2f3ac56 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Tue Oct 24 20:43:10 2023 +0000 + + security-misc.maintscript + +commit 3317332cb431115f81d832ba974181c74427c884 +Author: Patrick Schleizer +Date: Tue Oct 24 05:51:11 2023 -0400 + + bumped changelog version + +commit 42c802cd1eca3d2586abde871e4842cdf83490c4 +Merge: f3b40f1 5320c11 +Author: Patrick Schleizer +Date: Tue Oct 24 05:30:15 2023 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 5320c11f3f92b66b7dcab7ca1f67fcba2de5deba +Merge: f3b40f1 f0857fd +Author: Patrick Schleizer +Date: Tue Oct 24 05:22:33 2023 -0400 + + Merge pull request #134 from monsieuremre/patch-1 + + Fix double mount issue for /var/log and /var/tmp + +commit 1f489719efb37492b9c040ba4e332e8dd70fde1f +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Mon Oct 23 16:38:58 2023 +0000 + + rename + +commit 9dda6f69a7df792966005f9c6feb057483cd9ea4 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Mon Oct 23 16:38:40 2023 +0000 + + more rename + +commit 89381fe7abcc2f4418b95c3eb290c975bf6d612c +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Mon Oct 23 16:38:23 2023 +0000 + + rename + +commit 
f0857fd5608525115bd8a96c2f75368263f6f830 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Mon Oct 23 15:33:05 2023 +0000 + + Fix double mount issue for /var/log and /var/tmp + + Mounting var with bind and mounting a subdirectory causes /var/tmp and /var/log bind mounted twice each. can be checked with lsblk. When we bind mount var only after having mounted the subdirectories, everything is mounted only one. + +commit f3b40f12cb4bad0f2f00d4ba2dec59fb315c0798 +Author: Patrick Schleizer +Date: Sun Oct 22 19:23:22 2023 -0400 + + bumped changelog version + +commit d2e8a6dad3b94d574cb9c043303160b06893ab97 +Author: Patrick Schleizer +Date: Sun Oct 22 19:21:51 2023 -0400 + + debugging + +commit e7aafd64d4418d43426b310653861f9024a54255 +Author: Patrick Schleizer +Date: Sun Oct 22 19:16:12 2023 -0400 + + refactoring + +commit ee15f749bb4e68350498e52e8505bed43c98cbaf +Author: Patrick Schleizer +Date: Sun Oct 22 16:54:58 2023 -0400 + + bumped changelog version + +commit d521662d04892fb6d5477fa4450fb5488892a87a +Author: Patrick Schleizer +Date: Sun Oct 22 16:49:36 2023 -0400 + + comment + +commit 0e80acf38d430784fbb779f4f10c81bfe8a3813f +Author: Patrick Schleizer +Date: Sun Oct 22 16:45:10 2023 -0400 + + fix + +commit a1c3b87fcee07496af4b42e387b46488b58b73a0 +Author: Patrick Schleizer +Date: Sun Oct 22 16:29:08 2023 -0400 + + bumped changelog version + +commit f6d1346e2bde51cd70bc60246c0bfba923c00c3d +Author: Patrick Schleizer +Date: Sun Oct 22 16:22:08 2023 -0400 + + fix + +commit 9a649ddd091b116c9091f3fa582d411b5186375a +Author: Patrick Schleizer +Date: Sun Oct 22 16:16:40 2023 -0400 + + bumped changelog version + +commit 11382881b56556741fad5f0291ccb57a24e9c617 +Author: Patrick Schleizer +Date: Sun Oct 22 16:12:26 2023 -0400 + + comments + +commit 5182d7502b34a95fd751c69c4bc3f01d5f5e02b9 +Author: Patrick Schleizer +Date: Sun Oct 22 16:08:21 2023 -0400 + + improve remount-secure + +commit 555d83792df9aa599ae9e0e7c41af49b0601c1c1 +Author: Patrick 
Schleizer +Date: Sun Oct 22 15:44:47 2023 -0400 + + bumped changelog version + +commit a88c0a3ad2d83fe72612faf97866e255c5527384 +Author: Patrick Schleizer +Date: Sun Oct 22 15:44:30 2023 -0400 + + fix + +commit 316282952f7d2470c89f268beea01b8bac9bb4bb +Author: Patrick Schleizer +Date: Sun Oct 22 15:40:59 2023 -0400 + + bumped changelog version + +commit a7629b98cf4e7f86bab07c2b75fa712adcd63ee5 +Author: Patrick Schleizer +Date: Sun Oct 22 15:40:49 2023 -0400 + + fix + +commit 7112eac3be014938f757e0c0def74bb04dc72d2f +Author: Patrick Schleizer +Date: Sun Oct 22 15:37:21 2023 -0400 + + output + +commit f80b5fe3767502f6890bdfb7bc32a602c94828d6 +Author: Patrick Schleizer +Date: Sun Oct 22 15:36:16 2023 -0400 + + fix + +commit ce0babce215dc4ec08101cff5e0d25ad6ec87e70 +Author: Patrick Schleizer +Date: Sun Oct 22 15:35:03 2023 -0400 + + comment + +commit fa0804b7ae46ecfc1e9e82ca83342c9d456aa9c3 +Author: Patrick Schleizer +Date: Sun Oct 22 15:33:21 2023 -0400 + + bumped changelog version + +commit 70cbe4daaa5cd857c49f2f9b9241f24e2867ab5a +Author: Patrick Schleizer +Date: Sun Oct 22 15:33:11 2023 -0400 + + fix + +commit 36f2acb93f65958b27bae030f1d2bd66a278e073 +Author: Patrick Schleizer +Date: Sun Oct 22 15:28:04 2023 -0400 + + bumped changelog version + +commit 9b9e9ce1c0feb4ca854189754c47ca826eef1c32 +Author: Patrick Schleizer +Date: Sun Oct 22 15:27:01 2023 -0400 + + fix + +commit 3731716a497c233127bff3febbe22d5cf088aad8 +Author: Patrick Schleizer +Date: Sun Oct 22 15:14:22 2023 -0400 + + fix + +commit eec87a0508a6242430a1f0b8ad341f4c3ea43059 +Author: Patrick Schleizer +Date: Sun Oct 22 15:11:26 2023 -0400 + + fix + +commit f3286cf440992661ba85b5c7e41b92ffaca62cf3 +Author: Patrick Schleizer +Date: Sun Oct 22 15:10:21 2023 -0400 + + fix + +commit eb90d38d8ca6d6292dbb8013bb9bca8ec26f4792 +Author: Patrick Schleizer +Date: Sun Oct 22 15:05:33 2023 -0400 + + fix + +commit f44020973897d98fdc21ced748ad64106979829e +Author: Patrick Schleizer +Date: Sun Oct 22 14:46:42 2023 -0400 
+ + bumped changelog version + +commit 7f03c2b13742e583e426c91ff4e111b6c0e7da43 +Author: Patrick Schleizer +Date: Sun Oct 22 14:45:45 2023 -0400 + + fix + +commit c85db586cadbe781704e62405a76e43650046d2c +Author: Patrick Schleizer +Date: Sun Oct 22 14:44:58 2023 -0400 + + improve + +commit 7c0ea4324aa1713f365f7352a3e4db1b703d9750 +Author: Patrick Schleizer +Date: Sun Oct 22 14:39:52 2023 -0400 + + fix + +commit b29b626b41545fd49b67631820ae40d0fe000f22 +Author: Patrick Schleizer +Date: Sun Oct 22 14:30:28 2023 -0400 + + bumped changelog version + +commit 6198ae317c4d8cbd06d95d5e2a585892f455cab6 +Author: Patrick Schleizer +Date: Sun Oct 22 14:29:02 2023 -0400 + + fix + +commit 245fad09868c2d84bee66d65ecca32704786919b +Author: Patrick Schleizer +Date: Sun Oct 22 14:00:06 2023 -0400 + + fix + +commit 619f1705e13232680f38bc630f19f2ace32f48ad +Author: Patrick Schleizer +Date: Sun Oct 22 13:58:55 2023 -0400 + + output + +commit 52fa7db0874be85a3db296499ab76f84a5f518db +Author: Patrick Schleizer +Date: Sun Oct 22 13:57:38 2023 -0400 + + output + +commit 8a592c2e371de1136d566e707ba56ce89309230a +Author: Patrick Schleizer +Date: Sun Oct 22 13:56:17 2023 -0400 + + fix remountsecure kernel parameter logic + +commit 3c183294cd8a402418eafc1e657c6524be49c487 +Author: Patrick Schleizer +Date: Sun Oct 22 13:31:55 2023 -0400 + + bumped changelog version + +commit e689f38ad0ba9727d482dbab25ea5d88e67a8edf +Author: Patrick Schleizer +Date: Sun Oct 22 13:31:44 2023 -0400 + + todo + +commit 6675a2e93194ea15daeb22bee707cf49563f69fe +Author: Patrick Schleizer +Date: Sun Oct 22 13:30:50 2023 -0400 + + fix + +commit 4288e10554f854d6dd9be092ddbf6a62686b1549 +Author: Patrick Schleizer +Date: Sun Oct 22 13:25:31 2023 -0400 + + fix, rework remount-secure kernel parameters parsing + +commit b0181af099a2bc20a6d8cc20e6e27371ecc50bf1 +Author: Patrick Schleizer +Date: Sun Oct 22 13:12:25 2023 -0400 + + fix + +commit 28cb53341d48ece9e042caea03e7159b0f93c2ee +Author: Patrick Schleizer +Date: Sun Oct 22 
13:11:44 2023 -0400 + + remount-secure dracut module: improve output + +commit f70f36e6cfead0038075d715e430e15aedae459f +Author: Patrick Schleizer +Date: Sun Oct 22 12:55:41 2023 -0400 + + bumped changelog version + +commit 479ab61a1d0c91d26c2cd200d97b39b2b786e073 +Author: Patrick Schleizer +Date: Sun Oct 22 12:55:20 2023 -0400 + + remove no longer required remount-service systemd unit + +commit 84ca0ac8a0b6a72a28e030081299b402749b9348 +Author: Patrick Schleizer +Date: Sun Oct 22 12:54:25 2023 -0400 + + improve remount-secure + +commit 1696c37251fe6158118ac3a694c2e11439de5c46 +Author: Patrick Schleizer +Date: Sun Oct 22 11:28:18 2023 -0400 + + bumped changelog version + +commit e7d30955e88b0a052e9159c11f4c1e1a47dadb49 +Author: Patrick Schleizer +Date: Sun Oct 22 11:28:08 2023 -0400 + + debugging + +commit 975a017dec26f671b7869ba4ad94b3a4d2faf999 +Author: Patrick Schleizer +Date: Sun Oct 22 11:13:05 2023 -0400 + + bumped changelog version + +commit 8eb4607a0e8c3db10f64e4ed5a02e87fd3ee8903 +Author: Patrick Schleizer +Date: Sun Oct 22 11:12:54 2023 -0400 + + improve + +commit f1da0ce7461fab2eeb421daa886ddd9856c9fd52 +Author: Patrick Schleizer +Date: Sun Oct 22 11:11:10 2023 -0400 + + fix + +commit 26826e8398c4d3feed07e8e3e095a87bbde9907a +Author: Patrick Schleizer +Date: Sun Oct 22 11:06:34 2023 -0400 + + fix + +commit a423b85f81e0c066271ad7db78902ccddbeabb5a +Author: Patrick Schleizer +Date: Sun Oct 22 10:50:30 2023 -0400 + + bumped changelog version + +commit 233fa4625bb60ef65c707d28e7c8a51ef5a1d66e +Author: Patrick Schleizer +Date: Sun Oct 22 10:49:53 2023 -0400 + + output + +commit 3ebe8cf4de5c77f26f93ac40bdc596c0c38451f5 +Author: Patrick Schleizer +Date: Sun Oct 22 10:41:42 2023 -0400 + + refactoring + +commit 24d2e26397e8f1e8e350fb60206ab1c5b597cbe6 +Author: Patrick Schleizer +Date: Sun Oct 22 10:40:19 2023 -0400 + + no longer reproducible + +commit fcba70df2e4e6c71fd29852d6f0b20f80e2e2d5e +Author: Patrick Schleizer +Date: Sun Oct 22 10:38:48 2023 -0400 + + 
refactoring + +commit a05bd3dd0e7319807fa7ea523407ec82ce8aa39c +Author: Patrick Schleizer +Date: Sun Oct 22 10:37:02 2023 -0400 + + /home last because most likely to fail + +commit 41077c94fbc1a0c90ee870292fe82e16a70b52f1 +Author: Patrick Schleizer +Date: Sun Oct 22 10:32:24 2023 -0400 + + improve remount-secure + +commit ef69e512bd2e2eba0e292470bfef6336216e2605 +Author: Patrick Schleizer +Date: Sun Oct 22 10:25:57 2023 -0400 + + refactoring + +commit d5cb7ecec9d10069e2e37a2f88680dff6d3f6eb6 +Author: Patrick Schleizer +Date: Sun Oct 22 10:22:21 2023 -0400 + + use findmnt + +commit 1120d0652ddead556801958973d61502b75f9fc7 +Author: Patrick Schleizer +Date: Sun Oct 22 10:16:53 2023 -0400 + + bumped changelog version + +commit 45ce0ff74d8f42d6a424e0742989008403891f8a +Author: Patrick Schleizer +Date: Sun Oct 22 10:16:43 2023 -0400 + + debugging + +commit b81a991731e912fa0f7d4ca59b0531bafb02a25a +Author: Patrick Schleizer +Date: Sun Oct 22 10:15:11 2023 -0400 + + fix + +commit 292a5c3a8a37bc9dd807913bd76826e57e978b67 +Author: Patrick Schleizer +Date: Sun Oct 22 10:11:31 2023 -0400 + + fix + +commit bb57b1a289cc64cc5b2ab5518c151df5355a9f29 +Author: Patrick Schleizer +Date: Sun Oct 22 10:10:51 2023 -0400 + + fix + +commit 4f6f45fb3902f6c49d01b5ccb33a4e24804cd02a +Author: Patrick Schleizer +Date: Sun Oct 22 10:01:54 2023 -0400 + + bumped changelog version + +commit 181a6424796b1cafc87a8d74aad197135381a389 +Author: Patrick Schleizer +Date: Sun Oct 22 10:01:38 2023 -0400 + + root check + +commit 84fd41931ce3ba4d6e3785dc8052ee14ce62b80e +Author: Patrick Schleizer +Date: Sun Oct 22 09:44:17 2023 -0400 + + /var/run -> /run + +commit 33d97a2560fe4aaab24f90057e825802541a408b +Author: Patrick Schleizer +Date: Sun Oct 22 09:39:54 2023 -0400 + + improve output of remount-secure dracut module + +commit c409e3221e179437ed0b162dde1e72cd116ba795 +Author: Patrick Schleizer +Date: Sun Oct 22 09:36:03 2023 -0400 + + implement remount-secure + +commit 
f472ce690ae350085d40cfd5ec46084dc559a51d +Author: Patrick Schleizer +Date: Sun Oct 22 08:57:35 2023 -0400 + + comments + +commit 90f2b5e11c341c38bb0b11db603ceeba28e14b1c +Author: Patrick Schleizer +Date: Sun Oct 22 08:51:37 2023 -0400 + + code simplification + +commit 167683ce763e97838e62950f00313b63d7c968b0 +Author: Patrick Schleizer +Date: Sun Oct 22 08:50:57 2023 -0400 + + code simplification + +commit 05e9accf64a3a6bfa24aac7aaa62620f814b05d1 +Author: Patrick Schleizer +Date: Sun Oct 22 08:12:30 2023 -0400 + + bumped changelog version + +commit e065f85c8809d04a9a4c041dd8b9b81bacd04e24 +Author: Patrick Schleizer +Date: Sun Oct 22 08:10:48 2023 -0400 + + add remount-secure dracut module + +commit f0ee470ecd0fc37125165dd6a5cefb47339b14b4 +Author: Patrick Schleizer +Date: Sun Oct 22 07:51:05 2023 -0400 + + comment + +commit e257f2a3806ba7013e8e47005fde1385044bc8d9 +Author: Patrick Schleizer +Date: Sun Oct 22 07:50:14 2023 -0400 + + remount-secure: + no longer use /usr/libexec/helper-scripts/pre.bsh as not simple with dracut + +commit 27b3ba8bdf2556066a4be02cd1be9a4451a591b2 +Author: Patrick Schleizer +Date: Sun Oct 22 07:06:00 2023 -0400 + + bumped changelog version + +commit ed11c68ac64c1ec4eaa590dbb56734d450c89b04 +Author: Patrick Schleizer +Date: Sun Oct 22 06:51:52 2023 -0400 + + move remount-secure to /usr/bin/remount-secure to make it easier to manually run + +commit 6f4bf57ff2bc878f03a50d91a5db0afaf897d70e +Author: Patrick Schleizer +Date: Sun Oct 22 06:48:56 2023 -0400 + + `remount-secure`: add support for `--force`; output + +commit 6dec5cb1d6b841bc6ea92986d6567902109f5ed0 +Author: Patrick Schleizer +Date: Sun Oct 22 06:32:19 2023 -0400 + + debugging + +commit bc768aa196a08218aac0b6ef1c4ca013f2034122 +Author: Patrick Schleizer +Date: Sun Oct 22 06:31:57 2023 -0400 + + output + +commit c069c73109b45fbb8fa230ad4f90f4252db730f2 +Author: Patrick Schleizer +Date: Sun Oct 22 06:29:38 2023 -0400 + + refactoring + +commit abc35927345e14bbe4b9f13d205a648ce7a8bd8d 
+Author: Patrick Schleizer +Date: Sun Oct 22 06:23:48 2023 -0400 + + remount-secure: stricter error handling + +commit 59a5fea25d0b0c39a6e7b3b11f9242ebe5eaa462 +Author: Patrick Schleizer +Date: Sun Oct 22 05:41:56 2023 -0400 + + documentation + +commit ac63b0eb3db3d168908459fecd6b3275cce015bc +Author: Patrick Schleizer +Date: Sun Oct 22 05:41:11 2023 -0400 + + remove duplicate + +commit ef3f1575733c668f652326cdb4f4fba8c71bf0ed +Author: Patrick Schleizer +Date: Sat Oct 21 14:19:24 2023 -0400 + + bumped changelog version + +commit ae2c1c5a7a02a5f3f6a8bcd4a90fdc9e3b512e62 +Author: Patrick Schleizer +Date: Sat Oct 21 14:18:50 2023 -0400 + + fix xession environment variable + +commit 43375fa1f4d32f04907edf1297fef737342b49ea +Author: Patrick Schleizer +Date: Sat Oct 21 12:34:59 2023 -0400 + + bumped changelog version + +commit d543825d85a5d84274c21cd85db6df777948606e +Author: Patrick Schleizer +Date: Sat Oct 21 12:24:59 2023 -0400 + + comments + +commit dd43ab634d9ab0a59234798e1b14ba99099c65c9 +Author: Patrick Schleizer +Date: Fri Oct 13 15:22:58 2023 -0400 + + bumped changelog version + +commit 645ee814e4f3dc330dd6fb24ec4fac0e278c4f42 +Author: Patrick Schleizer +Date: Fri Oct 13 15:22:48 2023 -0400 + + fix + +commit 13a4f37e50805a0e51b8f63808e166318e39a074 +Author: Patrick Schleizer +Date: Thu Oct 12 12:51:37 2023 -0400 + + bumped changelog version + +commit 2d4524108445829d7ac80e828e9a1442cf038a6b +Author: Patrick Schleizer +Date: Thu Oct 12 11:37:01 2023 -0400 + + avoid duplicate environment variables + +commit e96e6aa38e29888a64fa35f85becc1596118a812 +Author: Patrick Schleizer +Date: Thu Oct 12 10:43:40 2023 -0400 + + bumped changelog version + +commit fa820e897895eda93011a0f2bbd915ffffcb1459 +Author: Patrick Schleizer +Date: Thu Oct 12 10:40:27 2023 -0400 + + refactoring environment variables loading mechanism + +commit 358e4226f1b3db32e560e4bbe1c663828eac7059 +Author: Patrick Schleizer +Date: Mon Jul 17 11:48:35 2023 -0400 + + bumped changelog version + +commit 
81ad786dfcdd416056c6ae8a9d02231bda6fcbde +Author: Patrick Schleizer +Date: Mon Jul 17 11:19:07 2023 -0400 + + Kicksecure + +commit ab56b7ca0cf1a2cb6bc19514750ca618f4ebb7fe +Author: Patrick Schleizer +Date: Mon Jul 17 11:10:05 2023 -0400 + + Kicksecure + +commit 29aaf13c13ec1023d33e84442db0f5afeaa4436d +Author: Patrick Schleizer +Date: Fri Jun 23 08:18:12 2023 +0000 + + bumped changelog version + +commit 8a6baea99017fd971ae4a5e89599b87bc945b276 +Author: Patrick Schleizer +Date: Thu Jun 22 16:16:15 2023 +0000 + + comment + +commit 609c8c0697ecf3414e38de9d32dc367a25172802 +Author: Patrick Schleizer +Date: Wed Jun 21 09:36:44 2023 +0000 + + bumped changelog version + +commit 94a326ec7ff8704be224e76b2f3f9c2a12cbd4a7 +Author: Patrick Schleizer +Date: Wed Jun 21 09:11:31 2023 +0000 + + bookworm + +commit b610cdcbcd85ee4c433a3df0662e225b52b592cd +Author: Patrick Schleizer +Date: Fri Jun 16 11:09:02 2023 +0000 + + bumped changelog version + +commit 0c56d3d9d2dd1b40b07226b70d3d1b9343757d1a +Author: Patrick Schleizer +Date: Fri Jun 16 10:49:05 2023 +0000 + + readme + +commit 63599a09d795d82b0f069f88d73fd607129af0ef +Author: Patrick Schleizer +Date: Wed Jun 14 09:59:20 2023 +0000 + + bumped changelog version + +commit 25760f70246dd07376465d9a4222098fd24b8516 +Author: Patrick Schleizer +Date: Tue Jun 13 08:34:41 2023 +0000 + + bookworm + +commit be990188f56f059585cf70589de03afb992b9ea2 +Author: Patrick Schleizer +Date: Mon Jun 12 18:01:55 2023 +0000 + + bumped changelog version + +commit 07b3ce0bcdb6ddb72c7064f527ff4d6250b54ad2 +Author: Patrick Schleizer +Date: Mon Jun 12 16:22:32 2023 +0000 + + Standards-Version: 4.6.1.0 + +commit 4e28ace103e11373d1b5cf5de8be6b1f94c567ce +Author: Patrick Schleizer +Date: Mon May 15 17:31:59 2023 +0000 + + bumped changelog version + +commit b11a336b4ff6c748d20aade6e98b25c251bd8c8e +Merge: c921d4e b0b73db +Author: Patrick Schleizer +Date: Mon May 15 16:58:11 2023 +0000 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 
b0b73db3c84f8cc7594b6b181e0e495cd7e92571 +Merge: c921d4e cf003df +Author: Patrick Schleizer +Date: Mon May 15 12:57:46 2023 -0400 + + Merge pull request #126 from raja-grewal/Comment + + Update comments + +commit cf003dfad85434f5a52524fdd97a7f619ba82429 +Author: Raja Grewal +Date: Tue May 16 02:11:44 2023 +1000 + + Update comments + +commit c921d4e915af50dd1773016b0015be584e1e3f5f +Author: Patrick Schleizer +Date: Mon May 15 11:56:30 2023 +0000 + + bumped changelog version + +commit 39676395f814007f74ce1edb0aee0ada4d4fa478 +Merge: 6511dac 1f38fcf +Author: Patrick Schleizer +Date: Mon May 15 11:34:57 2023 +0000 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 1f38fcfefa1ccd732e4500522cc0978bda69ab0b +Merge: d66a9ba 6ab400c +Author: Patrick Schleizer +Date: Mon May 15 07:34:16 2023 -0400 + + Merge pull request #125 from JeremyRand/typo + + mmap-rnd-bits: Fix typo in error message + +commit d66a9bac551e7544eed592a69f576d27880e2bf3 +Merge: 6511dac 9d23717 +Author: Patrick Schleizer +Date: Mon May 15 07:34:00 2023 -0400 + + Merge pull request #124 from JeremyRand/doc-aslr + + README: Document mmap-rnd-bits + +commit 6ab400c9d982bde16271052f181c87255046037e +Author: Jeremy Rand +Date: Tue May 9 10:55:31 2023 +0000 + + mmap-rnd-bits: Fix typo in error message + +commit 9d23717b6d3f94d8fad5ab00628dcbf41fa2cab5 +Author: Jeremy Rand +Date: Mon May 8 13:45:18 2023 +0000 + + README: Document mmap-rnd-bits + +commit 6511dac1d4aea1800ce8e51d1f6cdbae4d31e10c +Author: Patrick Schleizer +Date: Sat May 6 12:00:12 2023 +0000 + + bumped changelog version + +commit 0c10b3f0383d69c2d504b3e346da68b056d1dca8 +Author: Patrick Schleizer +Date: Sat May 6 11:59:59 2023 +0000 + + output + +commit a815c9b9867b0ec56737e60eb1dfeec6a57af6f1 +Author: Patrick Schleizer +Date: Sat May 6 11:54:31 2023 +0000 + + bumped changelog version + +commit 5d4d04a2ebeeea7e096c1680779f2897a03838c6 +Author: Patrick Schleizer +Date: Sat May 6 11:54:00 2023 +0000 + + output + +commit 
2d465c624975cc2ca308878e0ef1508316d3316e +Author: Patrick Schleizer +Date: Sat May 6 11:51:25 2023 +0000 + + refactoring + +commit b756314eb894dde4d017e0aec5876b56f0178de4 +Author: Patrick Schleizer +Date: Fri May 5 15:09:32 2023 +0000 + + bumped changelog version + +commit 014a28ba07406e5d69f86e90ddb8a27b3778c3a8 +Author: Patrick Schleizer +Date: Fri May 5 15:04:21 2023 +0000 + + comment + +commit ec01c1a99630f44a73763b019a1bad6dc52bbf4e +Author: Patrick Schleizer +Date: Fri May 5 15:02:31 2023 +0000 + + minor mmap-rnd-bits improvements + +commit 3dc406f138ee3dc81b54db2c8c4b795fc6b7c9d5 +Author: Patrick Schleizer +Date: Fri May 5 15:01:22 2023 +0000 + + minor + +commit 40e940ec58928049bb38b85d15beaead80740192 +Author: Patrick Schleizer +Date: Fri May 5 14:54:24 2023 +0000 + + minor mmap-rnd-bits improvements + +commit f4fd0f90120e8983b37bc5822cf98a215d25990e +Author: Patrick Schleizer +Date: Fri May 5 14:53:07 2023 +0000 + + minor mmap-rnd-bits improvements + +commit a8e4121befe19bb7d2f74582655a14bded23a37d +Author: Patrick Schleizer +Date: Fri May 5 14:52:07 2023 +0000 + + minor mmap-rnd-bits improvements + +commit 9184e6bb921a9c7356e8d2c7216a1da91f963304 +Author: Patrick Schleizer +Date: Fri May 5 14:51:19 2023 +0000 + + fix + +commit 89168ef40ce713b27974e4e38f6e3e63646d78bc +Author: Patrick Schleizer +Date: Fri May 5 14:49:56 2023 +0000 + + minor mmap-rnd-bits improvements + +commit d6d79e96c9a3f25b75d92a46dc97d6191d6ac691 +Author: Patrick Schleizer +Date: Fri May 5 14:44:29 2023 +0000 + + minor mmap-rnd-bits improvements + +commit 15d0ee100834e01e3f17ee179c3120f37eb3cae5 +Merge: 1137e6c 2d40bbc +Author: Patrick Schleizer +Date: Fri May 5 14:37:34 2023 +0000 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 2d40bbc8fec7ceea47b64fdebc9e751b26e0cf27 +Merge: 5c6db28 48a68ba +Author: Patrick Schleizer +Date: Fri May 5 10:14:43 2023 -0400 + + Merge pull request #120 from JeremyRand/aslr-ppc64le + + vm.mmap_rnd_bits: Fix ppc64le + +commit 
48a68ba237895c0c6c24ebd256ae6a9adec2628f +Author: Jeremy Rand +Date: Sat Apr 22 04:43:41 2023 +0000 + + mmap-rnd-bits: Handle unwritable /etc/sysctl.d/ + +commit 434cfb427f739258bd3280ce148cdbe85c800f8a +Author: Jeremy Rand +Date: Sat Apr 22 04:36:05 2023 +0000 + + mmap-rnd-bits: Check that configs are valid integers + +commit 76ca8a27f94d89ed783b900257934c0749e631ce +Author: Jeremy Rand +Date: Sat Apr 22 04:29:14 2023 +0000 + + mmap-rnd-bits: Handle missing kernel config file + +commit 2cf105700a98297f65026e43b435fe017a04ba07 +Author: Jeremy Rand +Date: Sat Apr 22 04:08:20 2023 +0000 + + postinst: Don't fail if mmap-rnd-bits fails + +commit 61f63255acdf942e52af35d7f6d1c271a671e6f7 +Author: Jeremy Rand +Date: Fri Mar 24 12:32:58 2023 +0000 + + vm.mmap_rnd_bits: Fix ppc64le + + Probably fixes a bunch of other non-x86_64 arches too. + +commit 5c6db28881463e8c764872a8cd268c23ac64b8f1 +Merge: 8a34d6c ed5f8be +Author: Patrick Schleizer +Date: Fri Mar 31 04:52:55 2023 -0400 + + Merge pull request #122 from raja-grewal/tcp + + Remove outdated comment about SACK, DSACK, and FACK + +commit 8a34d6c067bdebc513f34cd3c434b0675f118e10 +Merge: 1137e6c 7a4212d +Author: Patrick Schleizer +Date: Fri Mar 31 04:52:18 2023 -0400 + + Merge pull request #121 from raja-grewal/copyright + + Update Copyright + +commit ed5f8be9ebd4f34c8b8de78abe0a8df0775b80aa +Author: Raja Grewal +Date: Thu Mar 30 19:17:43 2023 +1100 + + Remove outdated comment about SACK, DSACK, and FACK + +commit 7a4212dd76c866e1db4dd4875e51c0d49bb3574d +Author: Raja Grewal +Date: Thu Mar 30 17:08:47 2023 +1100 + + Update copyright + +commit 1137e6c9104565b8f7546a9a5450ec2c2330efb7 +Author: Patrick Schleizer +Date: Mon Jan 30 05:58:47 2023 -0500 + + bumped changelog version + +commit 8c3204a5e42b0c4dc6ff9c66568ac78abc4dbd47 +Author: Patrick Schleizer +Date: Wed Jan 25 15:20:30 2023 -0500 + + comment + +commit 65c29f493b56798bc67de7ea451f8f65d99d3093 +Author: Patrick Schleizer +Date: Wed Jan 25 15:13:19 2023 -0500 + + move 
kexec disabling to dedicated file `/etc/sysctl.d/30_security-misc_kexec-disable.conf` + + so ram-wipe can `config-package-dev` `hide` this config file + +commit 56c7c57b3a3929f57c9173f9156b2b9f7f7f854e +Author: Patrick Schleizer +Date: Tue Jan 24 07:09:40 2023 -0500 + + bumped changelog version + +commit b87d9eb86544a7f06772a0db803711b49ec3f554 +Author: Patrick Schleizer +Date: Tue Jan 24 07:08:13 2023 -0500 + + lintian + +commit a4820086508a64156aa222d61d5f0f88bf56fb3e +Author: Patrick Schleizer +Date: Tue Jan 24 07:05:53 2023 -0500 + + bumped changelog version + +commit 7bda2ad3e8f30668428e054f57613d7c2ed2a4d6 +Author: Patrick Schleizer +Date: Tue Jan 24 06:34:17 2023 -0500 + + move ram-wipe scripts to dedicated ram-wipe package + +commit 11d0bb2c006eb7add5f9b0e70a199098972af25e +Author: Patrick Schleizer +Date: Mon Jan 9 07:05:18 2023 -0500 + + bumped changelog version + +commit c50665218776733919845044b39466c57117542d +Author: Patrick Schleizer +Date: Mon Jan 9 07:05:06 2023 -0500 + + fix + +commit b3d85f115cf486f4a2805d954ba6dd741817dd71 +Author: Patrick Schleizer +Date: Mon Jan 9 07:02:01 2023 -0500 + + bumped changelog version + +commit 6faa050dd8d26bd6436688b32bbc7a6515f9cb14 +Author: Patrick Schleizer +Date: Mon Jan 9 06:54:04 2023 -0500 + + migrate ram-wipe to dedicated package + +commit ad5d0d4b12e73b74166aafb5c34252f1e1af1854 +Author: Patrick Schleizer +Date: Mon Jan 9 06:37:45 2023 -0500 + + disable kexec (revert enabling kexec) + + remove kexec-utils for ram-wipe since moved to its own package + +commit 87c4e77c017aba7d57ae1fc7cf41a1f3143f1a04 +Author: Patrick Schleizer +Date: Mon Jan 9 06:23:00 2023 -0500 + + migrate to ram-wipe package + +commit 3867acf723f26416a047260010518829adcefc03 +Author: Patrick Schleizer +Date: Mon Jan 9 05:34:48 2023 -0500 + + bumped changelog version + +commit d769099db1dbf90350838430cda2de7196076c5d +Author: Patrick Schleizer +Date: Mon Jan 9 05:34:07 2023 -0500 + + use warn instead of info for now + + because dracut does 
not show info messages when kernel parameter quiet is set + +commit 7fa6946694a997e04b17ecb3a167d767543093a2 +Author: Patrick Schleizer +Date: Sun Jan 8 07:17:02 2023 -0500 + + bumped changelog version + +commit f3b84e15be40ef64969b70bc62ab4bf8d40352b6 +Author: Patrick Schleizer +Date: Sun Jan 8 07:16:18 2023 -0500 + + refactoring + +commit 96d6ca7ae01d537ab972798417b9453d57c03cd7 +Author: Patrick Schleizer +Date: Sun Jan 8 07:09:09 2023 -0500 + + improve kernel and initrd file detection + +commit 8367b27a0df2e6ea5bc2d57d1520cfdd2f4d35e2 +Author: Patrick Schleizer +Date: Sun Jan 8 07:08:18 2023 -0500 + + output + +commit da0fc9f5bd5d1551f46fb5625010b317d30274b3 +Author: Patrick Schleizer +Date: Sun Jan 8 07:07:43 2023 -0500 + + improve kernel and initrd file detection + +commit 5b11eecaecdec7487224b90708da82c10ccc4d63 +Author: Patrick Schleizer +Date: Sun Jan 8 06:45:10 2023 -0500 + + refactoring + +commit e81dd6cd25f58871c1f6b4a082f81eec34a518b5 +Author: Patrick Schleizer +Date: Sat Jan 7 18:13:57 2023 -0500 + + bumped changelog version + +commit 938b87d26c195b6804796d4fa6050a453278700c +Author: Patrick Schleizer +Date: Sat Jan 7 18:06:10 2023 -0500 + + comment + +commit 0b1310a21944939d94de18d8ac6d494446d23d0c +Author: Patrick Schleizer +Date: Sat Jan 7 18:05:47 2023 -0500 + + output + +commit 2fd302f580509842d290b2b0a27079dca445d5cd +Author: Patrick Schleizer +Date: Sat Jan 7 18:02:21 2023 -0500 + + output + +commit 921bc3e867411e5a96ca3e4641a7501038cf5139 +Author: Patrick Schleizer +Date: Sat Jan 7 17:49:24 2023 -0500 + + bumped changelog version + +commit 080abe574ba10b8365587a1c89085efe88f210ee +Author: Patrick Schleizer +Date: Sat Jan 7 17:48:21 2023 -0500 + + output + +commit 5689c07f97d2775b9445f75a10554e70875a5636 +Author: Patrick Schleizer +Date: Sat Jan 7 17:37:46 2023 -0500 + + comment + +commit 8e2db269b01e5d3c28346dd7713074a346fa3e72 +Author: Patrick Schleizer +Date: Sat Jan 7 17:36:51 2023 -0500 + + cleanup + +commit 
a07af631559e9c9312c263826969b5b028509a2e +Author: Patrick Schleizer +Date: Sat Jan 7 17:35:56 2023 -0500 + + output + +commit 1d22ebde08984968deb143dab244a2b6e30d45e9 +Author: Patrick Schleizer +Date: Sat Jan 7 17:23:35 2023 -0500 + + bumped changelog version + +commit 539156c0dad74c584adb02beacdcf7a3a9b8b982 +Author: Patrick Schleizer +Date: Sat Jan 7 17:23:25 2023 -0500 + + drop_caches + +commit 02f44459ad194444122e98a9f743c2725edb4e43 +Author: Patrick Schleizer +Date: Sat Jan 7 17:22:45 2023 -0500 + + DRACUT_QUIET=no + +commit abbaea582de898e48a852a0a153fe336341afe17 +Author: Patrick Schleizer +Date: Sat Jan 7 17:16:23 2023 -0500 + + bumped changelog version + +commit ab89d0e06e68fa47fa4058416a6c8700551f1b9a +Author: Patrick Schleizer +Date: Sat Jan 7 16:59:00 2023 -0500 + + cleanup + +commit 2e833b40a1af1f194ec392ff0c05b0060bb27fe8 +Author: Patrick Schleizer +Date: Sat Jan 7 16:43:09 2023 -0500 + + prevent "wait: pid 55 is not a child of this shell" + +commit 3777ecba8568cf5458b05b3eeedf98f0ba51cd69 +Author: Patrick Schleizer +Date: Sat Jan 7 16:34:19 2023 -0500 + + comment + +commit e0ded5e69d38a02f9896277a67c0d209e4ee4ad4 +Author: Patrick Schleizer +Date: Sat Jan 7 16:34:04 2023 -0500 + + comment + +commit 996c6af2d84cf23f323ca80c04fab26beea2aa1b +Author: Patrick Schleizer +Date: Sat Jan 7 16:31:23 2023 -0500 + + lower debugging + +commit 4fca8f4225f134316e734d5f85d12b9e39b99b0f +Author: Patrick Schleizer +Date: Sat Jan 7 16:28:11 2023 -0500 + + comment + +commit fa579cad8980c8d9231a9e2682267910544be175 +Author: Patrick Schleizer +Date: Sat Jan 7 16:20:48 2023 -0500 + + bumped changelog version + +commit c9107bb044e3038d837e371aa7467edcedbbdb16 +Author: Patrick Schleizer +Date: Sat Jan 7 16:11:48 2023 -0500 + + debugging + +commit b7bb24f984cb5669d9cc9b3522ee57a05070cef9 +Author: Patrick Schleizer +Date: Sat Jan 7 16:09:11 2023 -0500 + + description + +commit 2bd9cc5bc1ac94d039a7e515d3a839af820fb4be +Author: Patrick Schleizer +Date: Sat Jan 7 16:08:12 2023 
-0500 + + output + +commit 2456fed3614268abfb238f3a0783719adb45b711 +Author: Patrick Schleizer +Date: Sat Jan 7 16:00:42 2023 -0500 + + output + +commit c0b5fea6806ea07b667a341b2400aacb7191b27f +Author: Patrick Schleizer +Date: Sat Jan 7 15:59:52 2023 -0500 + + protect against wipe RAM reboot loop + +commit c1b87d250c4e5decd726e7fd67b482ff1eaecbf1 +Author: Patrick Schleizer +Date: Sat Jan 7 15:37:47 2023 -0500 + + bumped changelog version + +commit 91aedb234aa7c516dca8016f6b82536cfe25f410 +Author: Patrick Schleizer +Date: Sat Jan 7 15:36:36 2023 -0500 + + output + +commit 368ad8e636ae30eb60c8f2c6ce7117970a77c021 +Author: Patrick Schleizer +Date: Sat Jan 7 15:36:05 2023 -0500 + + cleanup + +commit d8bf40f7a28f53f2f51c41b77663e5a40a5d8fb4 +Author: Patrick Schleizer +Date: Sat Jan 7 15:35:45 2023 -0500 + + refactoring + +commit 166a6863a1c249e68e3f38109b115503bc5663ec +Author: Patrick Schleizer +Date: Sat Jan 7 15:35:15 2023 -0500 + + output + +commit 20596488be39f92f069523a3d86c0e6b6ec15399 +Author: Patrick Schleizer +Date: Sat Jan 7 15:34:20 2023 -0500 + + long options + +commit 1e19c2cbad8cdf97f6bb460c90cfa330492b8019 +Author: Patrick Schleizer +Date: Sat Jan 7 15:32:25 2023 -0500 + + Depends: kexec-tools + + required for cold boot attack defense second RAM wipe after reboot + +commit b0630f58c136d6c7a964447806ec8ee603a73aa8 +Author: Patrick Schleizer +Date: Sat Jan 7 15:24:05 2023 -0500 + + debugging + +commit dde01f36634337a24d0cd37cfe5a456ff77e8b0e +Author: Patrick Schleizer +Date: Sat Jan 7 15:23:23 2023 -0500 + + long options + +commit 6e0926eece54a55502fa67c2abedf5b718e306e6 +Author: Patrick Schleizer +Date: Sat Jan 7 15:22:58 2023 -0500 + + long options + +commit 51a5f68c7654774d37986916029607da588189ab +Author: Patrick Schleizer +Date: Sat Jan 7 15:22:25 2023 -0500 + + refactoring + +commit 83800fcb4fd365aab58a5f70f78f39af7d9371dc +Author: Patrick Schleizer +Date: Sat Jan 7 15:18:58 2023 -0500 + + --no-legend + +commit 
822cf646182f8ff649ea08da2fd4365022871a61 +Author: Patrick Schleizer +Date: Sat Jan 7 15:13:36 2023 -0500 + + output + +commit bb2f0a3c4421e3686477a6dff81bb87d5dcd836f +Author: Patrick Schleizer +Date: Sat Jan 7 15:12:15 2023 -0500 + + minor + +commit c3a822af0e9c8bb6c9b34b732ba48710e3ee1974 +Author: Patrick Schleizer +Date: Sat Jan 7 15:09:25 2023 -0500 + + test if readable + +commit 227871c12c57ecc5ff6d4075ea59a7dc9eca3dd3 +Author: Patrick Schleizer +Date: Sat Jan 7 15:07:34 2023 -0500 + + output + +commit c09f4da1922f40f666dae0570295b5ab5c02e8a9 +Author: Patrick Schleizer +Date: Sat Jan 7 15:06:56 2023 -0500 + + code simplification + +commit 01fee8a7b4a12c8c2be4173337decc37ec3e6019 +Author: Patrick Schleizer +Date: Sat Jan 7 15:06:31 2023 -0500 + + refactoring + +commit f675f8da0d33ab18efa782ee155a8632e9a3dc0f +Author: Patrick Schleizer +Date: Sat Jan 7 15:05:58 2023 -0500 + + quotes + +commit d0daf75db3529e206565604a63e11ee1268ed39b +Author: Patrick Schleizer +Date: Sat Jan 7 15:05:24 2023 -0500 + + quotes + +commit 8bcf7e3c235c1193f3a6d43a7c8b23b50e972de7 +Author: Patrick Schleizer +Date: Sat Jan 7 15:04:57 2023 -0500 + + minor + +commit 2cc3c6c59ca88cf44751bc2e9bb7055b46102284 +Author: Patrick Schleizer +Date: Sat Jan 7 15:04:42 2023 -0500 + + lower debugging + +commit 10932bb5d83c469f556b46f42ee517e882d87a4f +Author: Patrick Schleizer +Date: Sat Jan 7 15:04:23 2023 -0500 + + minor + +commit c88e95ce33f30f67726ac086c1b8d020b1024ebc +Author: Patrick Schleizer +Date: Sat Jan 7 15:04:07 2023 -0500 + + output + +commit 06034d2e4f97712fc84ad75e3fa8ba6bf4fccfee +Author: Patrick Schleizer +Date: Sat Jan 7 15:03:06 2023 -0500 + + fix + +commit 059ebb212d03f5d01d46362530702dbeaefdce5e +Author: Patrick Schleizer +Date: Sat Jan 7 14:35:30 2023 -0500 + + comment + +commit c0304ec029198665aaf63c843f5b7d5567f95208 +Author: Patrick Schleizer +Date: Sat Jan 7 14:35:09 2023 -0500 + + minor + +commit d5271d6250f0f6ea5adf7bc71fc48fddab1a9af4 +Author: Patrick Schleizer +Date: Sat 
Jan 7 14:31:40 2023 -0500 + + bumped changelog version + +commit d31c17ea047fbbd698ad9f074a00d6fba2aaf283 +Author: Patrick Schleizer +Date: Sat Jan 7 14:31:14 2023 -0500 + + fix + +commit 41d116aa2f6d5ab33a1d5889f6ae251e5b8b5538 +Author: Patrick Schleizer +Date: Sat Jan 7 14:30:12 2023 -0500 + + lintian + +commit e83ba18553832134b2f6da6ce98b0ee0c852961e +Author: Patrick Schleizer +Date: Sat Jan 7 14:29:12 2023 -0500 + + minor + +commit 53ab93d8f6553eab1682290d42faf0d466f06219 +Author: Patrick Schleizer +Date: Sat Jan 7 14:27:42 2023 -0500 + + bumped changelog version + +commit bb121e52bbab151b2104f1a333cabc3889ef47b0 +Author: Patrick Schleizer +Date: Sat Jan 7 14:27:22 2023 -0500 + + chmod +x + +commit 42ab341a58de4c54b20b8f6dc4e048ce61068cf4 +Author: Patrick Schleizer +Date: Sat Jan 7 12:57:36 2023 -0500 + + bumped changelog version + +commit d37b19fb6bb3cadbb74d011be026fd8d2653ac17 +Author: Patrick Schleizer +Date: Sat Jan 7 12:55:05 2023 -0500 + + comment + +commit 0367250dc74f9e6ec38f9da5809ff661493134a8 +Author: Patrick Schleizer +Date: Sat Jan 7 12:54:35 2023 -0500 + + comment + +commit c1df2fd601f3445a0a811a679efa7d2176026558 +Author: Patrick Schleizer +Date: Sat Jan 7 12:52:14 2023 -0500 + + comment + +commit c2b20603fdd62a3f82c842c7ebeaad0f70e005d0 +Author: Patrick Schleizer +Date: Sat Jan 7 12:49:18 2023 -0500 + + output + +commit 999a82ed946c8fd57654a0a90e2a2e53ef98a788 +Author: Patrick Schleizer +Date: Sat Jan 7 12:46:21 2023 -0500 + + output + +commit 2860560edb7951a8ac9de1c23c9655c655b40f23 +Author: Patrick Schleizer +Date: Sat Jan 7 12:43:07 2023 -0500 + + minor + +commit 450ff378b067070618e4a972f8131acac5b292e0 +Merge: 929f49f b8e82ff +Author: Patrick Schleizer +Date: Sat Jan 7 12:38:14 2023 -0500 + + Merge remote-tracking branch 'friedy10/master' + +commit b8e82fffca0138afaf20e1b2faf755ce1533af45 +Author: Friedrich Doku +Date: Sat Jan 7 11:31:02 2023 -0500 + + Get rid of /dev/kmsg + +commit 78a4fad6674bb11fa682b908e0d3bc63705e7d20 +Author: 
Friedrich Doku +Date: Sat Jan 7 11:14:31 2023 -0500 + + Change echo to info. Included more reliable way of getting initrd and kernel. Allow user custom kexec + +commit 8da3b9c40c6ee073addcc06d5227b3043438b768 +Author: Friedrich Doku +Date: Fri Jan 6 21:40:17 2023 -0500 + + fix last line + +commit 7cf51a1b433bfb2ccf4fa14b7807184e9e3681c5 +Author: Friedrich Doku +Date: Fri Jan 6 21:32:57 2023 -0500 + + Checking job queue instead of dbus + +commit 4b7053a6353cf0e092a6ef712e955b4318671bfc +Author: Friedrich Doku +Date: Fri Jan 6 13:53:28 2023 -0500 + + Update wipe-ram.sh + +commit 779ad24b573b83c08e89569e5213e018377d1535 +Author: Friedrich Doku +Date: Fri Jan 6 13:53:18 2023 -0500 + + Update wipe-ram-needshutdown.sh + +commit d45ba826bca6f5efef846de01a34a0a8c7936442 +Author: Friedrich Doku +Date: Fri Jan 6 13:53:10 2023 -0500 + + Update module-setup.sh + +commit b3d4314a069a608380ca9dd01d76c653bdb87078 +Author: Friedrich Doku +Date: Fri Jan 6 13:52:51 2023 -0500 + + Update wipe-ram.sh + +commit 33877250172349cccb2c776c1fa7aed2e8ad716f +Author: Friedrich Doku +Date: Fri Jan 6 13:52:42 2023 -0500 + + Update wipe-ram-needshutdown.sh + +commit ec68ee6ded7294c161b3d0793bf8874b12262190 +Author: Friedrich Doku +Date: Fri Jan 6 13:52:32 2023 -0500 + + Update module-setup.sh + +commit 014d10b9778907a9282ec337023f8c2b01b0ca6b +Author: Friedrich Doku +Date: Fri Jan 6 13:52:09 2023 -0500 + + Update cold-boot-attack-defense-kexec-prepare.service + +commit 62dcdcf7649175e0587a84708e8f0aa318a45d30 +Author: Friedrich Doku +Date: Fri Jan 6 13:51:45 2023 -0500 + + Update cold-boot-attack-defense-kexec-prepare + +commit f4637509205c11eddaa13151b93c961e9d345be6 +Author: Friedrich Doku +Date: Fri Jan 6 13:48:22 2023 -0500 + + Update cold-boot-attack-defense-kexec-prepare.service + +commit 14abfbfccdd3403d90a16dd5b2a1057ccf4da3d5 +Author: Friedrich Doku +Date: Fri Jan 6 13:48:03 2023 -0500 + + Update cold-boot-attack-defense-kexec-prepare + +commit 37a5264696797c0807570606361e04cb8dcb2395 
+Author: Friedrich Doku +Date: Fri Jan 6 13:47:34 2023 -0500 + + Update wipe-ram.sh + +commit 7ac45acd0f3e3e0a68e3fc4036787e8e7d4ebe9f +Author: Friedrich Doku +Date: Fri Jan 6 13:47:23 2023 -0500 + + Update wipe-ram-needshutdown.sh + +commit 114a37fcd39ff20ddd9e8cca829763a9b96a8115 +Author: Friedrich Doku +Date: Fri Jan 6 13:47:14 2023 -0500 + + Update module-setup.sh + +commit 1eeb32b7b96ab1df63d808b6715fef7a6e1a9482 +Author: Friedrich Doku +Date: Fri Jan 6 13:47:01 2023 -0500 + + Update wipe-ram.sh + +commit c5accc5ad191fe54a96e12cd1f1286508da8243c +Author: Friedrich Doku +Date: Fri Jan 6 13:46:51 2023 -0500 + + Update wipe-ram-needshutdown.sh + +commit f9ebc3cfa86674025ccd65c22cde2427ea2f4ae3 +Author: Friedrich Doku +Date: Fri Jan 6 13:46:40 2023 -0500 + + Update module-setup.sh + +commit 28687092ef4f57afab5e8d32f68492799694a379 +Author: Friedrich Doku +Date: Fri Jan 6 12:52:36 2023 -0500 + + Update cold-boot-attack-defense-kexec-prepare + +commit d67d3c1d7d788fff589806457ff140e8f82089a0 +Author: Friedrich Doku +Date: Fri Jan 6 12:51:18 2023 -0500 + + Update wipe-ram.sh + +commit 7fa64d68423d24668e44eb0d7e19ccf4845ee711 +Author: Friedrich Doku +Date: Fri Jan 6 12:50:58 2023 -0500 + + Update wipe-ram-needshutdown.sh + +commit 14c7239681300edc4f715bc96c5235cddf677c60 +Author: Friedrich Doku +Date: Fri Jan 6 12:50:42 2023 -0500 + + Update module-setup.sh + +commit 73913ea5afef8354f433f7cf87c7cd64c16be0a0 +Author: Friedrich Doku +Date: Fri Jan 6 12:49:34 2023 -0500 + + Added checks + +commit a7015f4ddff892cab17f96713ddb0a720ebb7901 +Author: Friedrich Doku +Date: Fri Jan 6 10:50:34 2023 -0500 + + added files + +commit 929f49f333fc88d91ed4cef849921b0b4a69bfea +Author: Patrick Schleizer +Date: Sun Dec 18 14:37:51 2022 -0500 + + bumped changelog version + +commit 75beb52bd5b7cee4a48eead53dbbe7fac9f6cc9e +Merge: 98f753d 58b622f +Author: Patrick Schleizer +Date: Sun Dec 18 06:24:41 2022 -0500 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 
58b622f0fe373b6e2fb30b9564b22f1064f690b0 +Merge: 98f753d f81714b +Author: Patrick Schleizer +Date: Sun Dec 18 06:23:26 2022 -0500 + + Merge pull request #114 from raja-grewal/framebuffer + + Add some framebuffer drivers into blacklist + +commit f81714be506d1b15c0e79cbe8378bf8a18a2256f +Merge: d67845f 98f753d +Author: Raja Grewal +Date: Tue Dec 13 05:14:56 2022 +0000 + + Merge branch 'Kicksecure:master' into framebuffer + +commit d67845fea89f4a74ed4b0a6eefbf2bf228b13a1b +Author: Raja Grewal +Date: Tue Dec 13 16:11:24 2022 +1100 + + Typo + +commit 98f753d8ffcf6673a3130d45c23b84a4c35917b1 +Author: Patrick Schleizer +Date: Thu Nov 24 07:21:58 2022 -0500 + + bumped changelog version + +commit 6d7a78262464c054c46df155605a480f1b32f22c +Author: Patrick Schleizer +Date: Thu Nov 24 07:21:46 2022 -0500 + + fix + +commit 421f03ae9e648d366146415532d4dd9dda106980 +Author: Patrick Schleizer +Date: Thu Nov 24 07:20:56 2022 -0500 + + fix + +commit ad1e722879ef049ef421f0062ee383770d66bfee +Author: Patrick Schleizer +Date: Thu Nov 24 07:00:33 2022 -0500 + + bumped changelog version + +commit a806c782d78d691617dd650808a0403ce72d4a1a +Author: Patrick Schleizer +Date: Thu Nov 24 07:00:23 2022 -0500 + + fix + +commit 4601e106c4823f2cb0dc7a8ba601670395c96326 +Author: Patrick Schleizer +Date: Thu Nov 24 06:49:26 2022 -0500 + + bumped changelog version + +commit 39b35ef9ac7489685df5486334a0acf5936e9b47 +Author: Patrick Schleizer +Date: Thu Nov 24 06:49:15 2022 -0500 + + fix + +commit 73963a9e6847fd8099093da1253267d79db7d261 +Author: Patrick Schleizer +Date: Thu Nov 24 06:31:37 2022 -0500 + + bumped changelog version + +commit d05c10172178d04781976026243297fa153125a0 +Author: Patrick Schleizer +Date: Thu Nov 24 06:31:24 2022 -0500 + + debugging + +commit 36454c2dbf43de4805f2f156b05d263c37b9615a +Author: Patrick Schleizer +Date: Thu Nov 24 06:25:47 2022 -0500 + + debugging + +commit e06b173a1be8c0e3e47a9c4bab2d94fe88d422e0 +Author: Patrick Schleizer +Date: Thu Nov 24 06:24:14 2022 -0500 + + 
debugging + +commit 97722d1926bc106a0645783fcb55b7d5691c873b +Author: Patrick Schleizer +Date: Thu Nov 24 06:14:15 2022 -0500 + + bumped changelog version + +commit 497b5b45442b1293b130fef63de1b84d091d27eb +Author: Patrick Schleizer +Date: Thu Nov 24 06:14:04 2022 -0500 + + fix + +commit 6f695902fb70cbbc95b71f827216ab84edcfeb83 +Author: Raja Grewal +Date: Wed Nov 23 23:53:40 2022 +1100 + + Add comment about legacy Apple fiesystems + +commit d7222b5678aa182866c389d8a88f55b6488e74e0 +Author: Patrick Schleizer +Date: Tue Nov 22 06:03:13 2022 -0500 + + bumped changelog version + +commit e5255a630ad3c9c99b6b7ffa4c7be43a44dffba9 +Author: Patrick Schleizer +Date: Tue Nov 22 05:57:30 2022 -0500 + + pam-info: support non-root environments (such as during graphical display manager login and xscreensaver) + +commit d419898ee494fb159ed6811a719dbb4a5ffb469a +Author: Patrick Schleizer +Date: Thu Nov 17 10:15:36 2022 -0500 + + bumped changelog version + +commit 09e6af5c080f776d56d7e2390f88c4ae7e01bdb7 +Author: Patrick Schleizer +Date: Wed Nov 16 02:01:23 2022 -0500 + + pam-info refactoring + +commit caf0099064747a2048363e3600a53af51df549ad +Author: Patrick Schleizer +Date: Wed Nov 16 02:00:32 2022 -0500 + + pam-info refactoring + +commit 487f63bb01c6dfc71d0e4efef2c70dae94093dce +Author: Patrick Schleizer +Date: Wed Nov 16 01:56:01 2022 -0500 + + comment + +commit f59f959a8d43ebd80a4037e65ec26df7143bcaf5 +Author: Patrick Schleizer +Date: Wed Nov 16 01:55:14 2022 -0500 + + pam-info fix + +commit ae113442a162969561a24fcf17718ceb6a11d928 +Author: Patrick Schleizer +Date: Wed Nov 16 01:49:45 2022 -0500 + + pam-info refactoring + +commit bb6b509d06a1ae34ee407cb309c530e5dddfedfd +Author: Patrick Schleizer +Date: Wed Nov 16 01:44:21 2022 -0500 + + pam-info refactoring + +commit e5d7ab7082908e64596ccd1da835a781cae22456 +Author: Patrick Schleizer +Date: Tue Nov 15 12:44:12 2022 -0500 + + comment + +commit 23b936b573c8989222a50d1ef8c35dc95589bb0e +Author: Patrick Schleizer +Date: Tue Nov 15 
12:31:14 2022 -0500 + + also support /usr/local/etc/pam-info-debug + +commit 95487346dbb18c4ac9133fc21b4abed12dc346b3 +Author: Patrick Schleizer +Date: Tue Nov 15 12:29:41 2022 -0500 + + pam-info: create debug log file ~/pam-info-debug.txt + + when file /etc/pam-info-debug exists + +commit 2872c2ab52ae9a1eaa25ea8b9852401e82d5616a +Author: Patrick Schleizer +Date: Tue Nov 15 12:00:59 2022 -0500 + + comments + +commit 6033de78152cb5d7a9659f58aa8035ae2a7d6532 +Author: Patrick Schleizer +Date: Tue Nov 15 11:58:50 2022 -0500 + + debugging + +commit daa30d4e7830ba38ed52f83e6ac93c3a4e03ee33 +Author: Raja Grewal +Date: Wed Nov 9 20:43:59 2022 +1100 + + Include several framebuffer drivers into blacklist + + These were previously commented out to test for compatibility issues. + +commit 2319458e9f1a0ae2b60cf5786122c19459bbaea1 +Author: Patrick Schleizer +Date: Wed Aug 24 18:28:39 2022 -0400 + + bumped changelog version + +commit cdfc175953a8ab358bb8e6db2610df11733ba258 +Merge: ff84514 ae4d498 +Author: Patrick Schleizer +Date: Mon Aug 22 06:09:30 2022 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit ae4d4989b0e8ea79b5661f098e9814379ff9401e +Merge: ff84514 d500205 +Author: Patrick Schleizer +Date: Mon Aug 22 06:09:40 2022 -0400 + + Merge pull request #113 from raja-grewal/master + + Comment out machine check exception + +commit d500205f556ba896417eb0bae1df0144b00ef7b9 +Author: Raja Grewal +Date: Sun Aug 21 23:03:13 2022 +1000 + + Update README.md + +commit 92669dba186c6ac40ff601fd39639945cd7633c6 +Author: Raja Grewal +Date: Sun Aug 21 23:02:44 2022 +1000 + + Comment out machine check exception + +commit ff8451469ad3b9cbd101ca4b93d72a2ac6cebe37 +Author: Patrick Schleizer +Date: Sat Aug 13 11:40:04 2022 -0400 + + bumped changelog version + +commit 272a33fe2c3c7666de96f9037094db8e9ab8e09e +Author: Patrick Schleizer +Date: Sat Aug 13 11:35:25 2022 -0400 + + addgroup -> adduser fix + +commit 7d5246693c5c07f76e3f2e29c3ed39d4910673ff +Author: Patrick 
Schleizer +Date: Fri Aug 12 07:52:26 2022 -0400 + + bumped changelog version + +commit 82da4ed18f5682c0cc76cd435b6de2459c7b5f83 +Author: Patrick Schleizer +Date: Thu Jul 28 09:56:24 2022 -0400 + + comments + +commit a6bee1493d4113ab63f8d0671f97989b00d23544 +Author: Patrick Schleizer +Date: Thu Jul 28 09:55:12 2022 -0400 + + cold-boot-attack-defense wait longer to make messages readable by user + +commit 109594952335f94c2a21f22d6a517ecc8b864d81 +Author: Patrick Schleizer +Date: Tue Jul 26 10:00:53 2022 -0400 + + bumped changelog version + +commit 053142cdb57f23172fd0155dde4ff4c0183c4f65 +Author: Patrick Schleizer +Date: Tue Jul 26 10:00:21 2022 -0400 + + fix + +commit 73f6523e09f12fc56da0ed3555d050686ff441f3 +Author: Patrick Schleizer +Date: Sat Jul 23 08:07:37 2022 -0400 + + bumped changelog version + +commit 0c5b1e9f577d52e2c056e786e32c14ff37db344b +Author: Patrick Schleizer +Date: Sat Jul 23 07:49:56 2022 -0400 + + undo `"force kernel to panic on "oopses"` + + because implemented differently already + + https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713 + +commit c1c04b4619eea4c79a0dbb5cced3ebb77482877c +Merge: 465775c bfe6b88 +Author: Patrick Schleizer +Date: Sat Jul 23 07:43:19 2022 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit bfe6b888395abf554623a9e530fe7e6605047e12 +Merge: 465775c ca764d8 +Author: Patrick Schleizer +Date: Sat Jul 23 07:27:24 2022 -0400 + + Merge pull request #111 from raja-grewal/harden + + Increased kernel hardening at boot + +commit ca764d8de0f17bb7e6d44e3d79ea1805276fc521 +Author: Raja Grewal +Date: Wed Jul 20 04:06:35 2022 +1000 + + force kernel to panic on "oopses" + +commit 1660aaa6dd1013ede105baebbb8ff3e1afc7b268 +Author: Raja Grewal +Date: Tue Jul 19 03:38:41 2022 +1000 + + update details around disabling SMT + +commit bfd78a2c06153ebadfee39190055edf0a13958f4 +Author: Raja Grewal +Date: Tue Jul 19 03:16:08 2022 +1000 + + update SRBDS 
mitigation + +commit c3ebb9160ffbbd2972cc898e3c1c0055d89beb5c +Author: Raja Grewal +Date: Tue Jul 19 02:33:16 2022 +1000 + + CPU mitigation - MMIO Stale Data + +commit 59e90ff1226bd6330d85244cf7c73ecf7fd5fdf1 +Author: Raja Grewal +Date: Tue Jul 19 02:32:41 2022 +1000 + + CPU mitigation - L1D FLushing + +commit 8531fbf99dea1b4cd806babd6072a8a1f0506eb3 +Author: Raja Grewal +Date: Tue Jul 19 02:30:49 2022 +1000 + + CPU mitigation - SRBDS + +commit 73f1e233327cc0edec83eac322b7f03bcb7fba22 +Author: Raja Grewal +Date: Tue Jul 19 02:29:46 2022 +1000 + + shuffle and rewording + +commit 39314b291263a93fcb11756ce12bd8691a1fa0f6 +Merge: bb831d5 c4a1094 +Author: Raja Grewal +Date: Tue Jul 19 00:49:08 2022 +1000 + + Merge branch 'harden' of https://github.com/raja-grewal/security-misc into harden + +commit bb831d57bcdcc8195a4b8169a4ddc25fb0c61173 +Author: Raja Grewal +Date: Tue Jul 19 00:38:32 2022 +1000 + + delete repeated commands + +commit c77a2a78bc48df2af7653a306bd1b046a8f99a6b +Author: Raja Grewal +Date: Tue Jul 19 00:37:31 2022 +1000 + + enforce default net.ipv6.icmp_ignore_bogus_error_responses + +commit c4a10947608b0d5508ef5b18e0ab34a2ee4f35de +Merge: 2b23703 465775c +Author: Raja Grewal +Date: Mon Jul 18 13:36:23 2022 +0000 + + Merge branch 'Kicksecure:master' into harden + +commit 465775c9dc1b97c98a5470acaffabb103ea7239f +Author: Patrick Schleizer +Date: Sat Jul 16 08:00:16 2022 -0400 + + bumped changelog version + +commit 1fafb5f53bbec57812f535e79bfb475628cc58e3 +Merge: 24d6a93 27aa523 +Author: Patrick Schleizer +Date: Fri Jul 15 08:09:16 2022 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 27aa5231e2d1dafd89ba19c8d6becf461e781605 +Merge: 24d6a93 a72bbb1 +Author: Patrick Schleizer +Date: Fri Jul 15 08:06:08 2022 -0400 + + Merge pull request #112 from raja-grewal/blacklist + + Corrected kernel module disabling + +commit a72bbb1883613ee56be29949c153e0edb2d72a29 +Author: Raja Grewal +Date: Wed Jul 13 23:42:13 2022 +1000 + + Corrected kerenl 
module disabling + +commit 24d6a93eacf5b41cfb9133471049776a16a07b03 +Author: Patrick Schleizer +Date: Wed Jul 13 08:28:34 2022 -0400 + + bumped changelog version + +commit 2b237039cf1db66100f7f0bb4880981ee0489abf +Author: Raja Grewal +Date: Wed Jul 13 22:25:53 2022 +1000 + + Update README.md + +commit 8f31e5d1d172eb117bde63702f63081da182d5c5 +Merge: 6aa9a94 c410890 +Author: Patrick Schleizer +Date: Wed Jul 13 07:26:58 2022 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit c410890a8ade6d4be13dc99a7003f03ebded8153 +Merge: 6aa9a94 fe0cc10 +Author: Patrick Schleizer +Date: Wed Jul 13 07:24:12 2022 -0400 + + Merge pull request #110 from raja-grewal/master + + Incorporated Ubuntu’s kernel module blacklists and more verbose errors + +commit 4e93b4d37e4c6d23a0ac76ddb2144c6504a66ad1 +Author: Raja Grewal +Date: Wed Jul 13 21:10:39 2022 +1000 + + Revert "enforce defualt net.ipv4.ip_forward" + + This reverts commit 57b5b2145c4e6779f0b879ee4199d46938f20965. + +commit a47922ad28fc9ebba93615a6ffdaaeb4887cc140 +Author: Raja Grewal +Date: Wed Jul 13 04:47:07 2022 +1000 + + enforce of IOMMU TLB invalidation + +commit 33df16af805597057c7aad0d5a4fb135ed9e286b +Author: Raja Grewal +Date: Wed Jul 13 04:37:03 2022 +1000 + + disables random.trust_bootloader + +commit d0779a96fc054df925523a76510c1aae5d672f96 +Author: Raja Grewal +Date: Wed Jul 13 04:36:34 2022 +1000 + + add reference + +commit 74858d257b8de40f082ce21241e680a5eeaf4053 +Author: Raja Grewal +Date: Wed Jul 13 04:34:35 2022 +1000 + + enable randomize_kstack_offset + +commit f572332108c06eb77d24e776910463e69d49acd3 +Author: Raja Grewal +Date: Wed Jul 13 04:32:03 2022 +1000 + + disable slub_debug + +commit 57b5b2145c4e6779f0b879ee4199d46938f20965 +Author: Raja Grewal +Date: Wed Jul 13 04:30:43 2022 +1000 + + enforce defualt net.ipv4.ip_forward + +commit 79156262c9e3fe92344847b627afc64b2c7f7717 +Author: Raja Grewal +Date: Wed Jul 13 04:29:42 2022 +1000 + + enforce default 
net.ipv4.icmp_ignore_bogus_error_responses + +commit dabcaf22e1006cc60297c55e3e254f080562d552 +Author: Raja Grewal +Date: Wed Jul 13 04:28:03 2022 +1000 + + enforce default kernel.randomize_va_space + +commit fe0cc1089086273794bd6b54df3528ff78c10f6a +Author: Raja Grewal +Date: Tue Jul 12 17:18:47 2022 +1000 + + Updated README.md + +commit 48089e5ba43b0b72449f888b98b63119ed57e2fd +Author: Raja Grewal +Date: Tue Jul 12 17:02:12 2022 +1000 + + More verbose kernel module blocking error logs + +commit 40ec791774f2a6ae7d42ccf2bfbe4a98a9963f08 +Author: Raja Grewal +Date: Tue Jul 12 16:58:16 2022 +1000 + + Updated comments + +commit ef1ef9917d896f1cd837f399def6a75704e9bfd2 +Author: Raja Grewal +Date: Sun Jul 10 04:53:25 2022 +1000 + + Blacklist automatic loading of CD-ROM modules + +commit 61ef9bd59f9ff39c140f782ff5b41d0a3c6d97bc +Author: Raja Grewal +Date: Sun Jul 10 04:52:00 2022 +1000 + + Incorporated Ubuntu’s kernel module blacklists + +commit 6aa9a9472f10d4d6270dd59fbcd94d9001aca9e6 +Author: Patrick Schleizer +Date: Sat Jul 9 11:42:24 2022 -0400 + + bumped changelog version + +commit 3b844eaab25fecf90292c88291be77abf0be694c +Author: Patrick Schleizer +Date: Sat Jul 9 11:42:11 2022 -0400 + + output + +commit 73d2c9d921c5c75ef3cca5461acc350c648f26d2 +Author: Patrick Schleizer +Date: Sat Jul 9 11:40:15 2022 -0400 + + output + +commit adfdac6dea0e8f971c59557b383d116cd51619fd +Author: Patrick Schleizer +Date: Sat Jul 9 11:40:01 2022 -0400 + + output + +commit 1df2cfd1add8b2277cb37499ced4fbb713c17668 +Author: Patrick Schleizer +Date: Sat Jul 9 11:38:37 2022 -0400 + + comment + +commit fede41e6e03c33f2f6569f03593f76edb9969e6a +Author: Patrick Schleizer +Date: Sat Jul 9 11:38:04 2022 -0400 + + fix + +commit 52c46e4706d5799d452f260616a3909c9a3bc78f +Merge: 1b8500c dc41a58 +Author: Patrick Schleizer +Date: Sat Jul 9 11:37:41 2022 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit dc41a58102a114e21209aabeef9ad6b851365898 +Merge: 1b8500c e5f8004 +Author: 
Patrick Schleizer +Date: Sat Jul 9 11:37:57 2022 -0400 + + Merge pull request #108 from Krish-sysadmin/master + + Continue for loop if unable to change one directory's permission + +commit 1b8500cc22fdd6a51ec66ae1b04abccb9a529150 +Author: Patrick Schleizer +Date: Thu Jul 7 17:41:13 2022 -0400 + + bumped changelog version + +commit 277749f27b2da8d33b70fb6f88c6757fab77e636 +Author: Patrick Schleizer +Date: Thu Jul 7 15:49:08 2022 -0400 + + genmkfile debinstfile + +commit eb8535fe870e79a5c818a38c414147819d32346d +Author: Patrick Schleizer +Date: Thu Jul 7 15:48:39 2022 -0400 + + renamed: usr/bin/disabled-by-security-misc -> bin/disabled-by-security-misc + +commit 26b2c9727f5ba6f78f5cd10c28c3561a97c81be9 +Author: Patrick Schleizer +Date: Thu Jul 7 15:39:40 2022 -0400 + + not blacklist CD-ROM / DVD yet + + https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31 + +commit d5c16503411bee4199c35a51226fc59924d6e142 +Author: Patrick Schleizer +Date: Thu Jul 7 15:28:09 2022 -0400 + + shuffle + +commit ca19d78d48ca88f5b00dcceb18ac4803c7893ca4 +Author: Patrick Schleizer +Date: Thu Jul 7 15:27:15 2022 -0400 + + shuffle + +commit d018bdaf73e109a61c0687a171af843c890729e0 +Merge: 1b287a6 780dc8e +Author: Patrick Schleizer +Date: Thu Jul 7 15:26:08 2022 -0400 + + Merge remote-tracking branch 'raja-gerwal/master' + +commit 780dc8eec99915a7466249e219ad59c5db5f0364 +Author: Raja Grewal +Date: Fri Jul 8 04:11:25 2022 +1000 + + replace /bin/false -> /bin/disabled-by-security-misc + +commit fa2e30f5125e438250acfdc52107a936ecb7b1b4 +Author: Raja Grewal +Date: Fri Jul 8 03:04:37 2022 +1000 + + Updated descriptions of disabled modules + +commit da389d6682f6eb1d0c0172c50a4b529152384415 +Author: Raja Grewal +Date: Fri Jul 8 02:12:04 2022 +1000 + + Revert "replace /bin/false -> /bin/true" + + This reverts commit f0511635a9725f79863c41a7b8d9f8a077ba8788. 
+ +commit 28381e81d4a57c59929a37745fa8ba5f3e0b25cb +Author: raja-grewal +Date: Thu Jul 7 09:28:30 2022 +0000 + + Update README.md + +commit f0511635a9725f79863c41a7b8d9f8a077ba8788 +Author: raja-grewal +Date: Thu Jul 7 09:27:53 2022 +0000 + + replace /bin/false -> /bin/true + +commit 18d67dbc5309a2403bece92881e671f46dc27f86 +Author: raja-grewal +Date: Thu Jul 7 09:26:55 2022 +0000 + + Blacklist more modules + +commit 1b287a6430527c762f9bf909bcda58ab52041668 +Author: Patrick Schleizer +Date: Tue Jul 5 11:16:33 2022 -0400 + + bumped changelog version + +commit 92ff868ecefed4377c5f1e99eb5e5eecbb021564 +Author: Patrick Schleizer +Date: Tue Jul 5 11:05:36 2022 -0400 + + readme + +commit b8ba6085357631fb1f346a613d7e354aaf780560 +Author: Patrick Schleizer +Date: Tue Jul 5 10:57:28 2022 -0400 + + readme + +commit 949edf3e1753fcd403015c2d0dc8f3503a7f62d2 +Author: Patrick Schleizer +Date: Tue Jul 5 10:48:58 2022 -0400 + + readme + +commit 1c0e0719483c68ce04b5c14159ad09a87c386deb +Author: Patrick Schleizer +Date: Tue Jul 5 10:45:55 2022 -0400 + + comments + +commit 5d47f5f74cc9f5e186de8db5305a44029ebbb362 +Author: Patrick Schleizer +Date: Tue Jul 5 10:45:09 2022 -0400 + + comments + +commit 435c689cf9ee9e94dec42ab3c45bc02beb8f9c40 +Author: Patrick Schleizer +Date: Tue Jul 5 10:44:28 2022 -0400 + + comments + +commit c20d588d7871bce1b8a02d46e6f658844a014572 +Author: Patrick Schleizer +Date: Tue Jul 5 10:42:37 2022 -0400 + + comments + +commit 8f03ce049a1f48bb088cf92f4f39cceb2e3a5ae6 +Author: Patrick Schleizer +Date: Tue Jul 5 10:41:55 2022 -0400 + + readme + +commit b342ce930ea14a365ba23f37642cc9c098470362 +Author: Patrick Schleizer +Date: Tue Jul 5 10:28:22 2022 -0400 + + add `/etc/default/grub.d/40_cold_boot_attack_defense.cfg` + +commit e5f8004a9401727f1be2db492ea756bc19090866 +Author: Krish-sysadmin +Date: Tue Jul 5 03:37:40 2022 +0200 + + Update hide-hardware-info + +commit 69af8be7b80dcc30e3a5d1b0a1d1aa198528b876 +Author: Patrick Schleizer +Date: Sat Jul 2 19:10:55 2022 
-0400 + + drop_caches before and after sdmem + +commit 67bdd58bf2a8090a29e35b85fb4a25d42a8f8a1a +Author: Patrick Schleizer +Date: Sat Jul 2 19:07:06 2022 -0400 + + sync + +commit 01b82bf0f0b96b3e08e272b8b2e69c1b3f0dcc16 +Author: Patrick Schleizer +Date: Sat Jul 2 18:30:06 2022 -0400 + + bumped changelog version + +commit 973f117aa6a7418ea29125753f6c6b6f7e7986a4 +Author: Patrick Schleizer +Date: Sat Jul 2 18:12:36 2022 -0400 + + wipe RAM at shutdown: Ensure any remaining disk cache is erased by Linux' memory poisoning + + by running: + `echo 3 > /proc/sys/vm/drop_caches` + + Inspired by Tails: + https://gitlab.tails.boum.org/tails/tails/-/blob/master/config/chroot_local-includes/usr/local/lib/initramfs-pre-shutdown-hook + +commit e783ddc71e5e528051e1bd0fda3f60decc0af9bf +Author: Patrick Schleizer +Date: Sat Jul 2 17:37:16 2022 -0400 + + bumped changelog version + +commit 95187bd357e6f2f855afbf546da42c6229a8394e +Author: Patrick Schleizer +Date: Sat Jul 2 17:21:33 2022 -0400 + + fix + +commit 3bd87d019fb08644578d2ee73d2ac7185687f115 +Author: Patrick Schleizer +Date: Sat Jul 2 16:03:52 2022 -0400 + + bumped changelog version + +commit 148a050468658c254b67de2de61cad3e147e2178 +Author: Patrick Schleizer +Date: Sat Jul 2 16:03:45 2022 -0400 + + fix + +commit 82e7863d5b1efff2c558204bfdf04812af10660b +Author: Patrick Schleizer +Date: Sat Jul 2 16:02:28 2022 -0400 + + improvement + +commit aebca1b3dce026bbccefa38381e62f30904e5a6d +Author: Patrick Schleizer +Date: Sat Jul 2 15:52:08 2022 -0400 + + bumped changelog version + +commit 1144b39e5efcb318ad92413f623b6f039fd7a5fa +Author: Patrick Schleizer +Date: Sat Jul 2 15:50:59 2022 -0400 + + debugging + +commit c29b21c08a839d8dafe2c9654a58f2b178055935 +Author: Patrick Schleizer +Date: Sat Jul 2 15:45:19 2022 -0400 + + output + +commit ed8ce9a7d0869d62eecea7ffc59c176bec061d08 +Author: Patrick Schleizer +Date: Sat Jul 2 15:32:51 2022 -0400 + + bumped changelog version + +commit d34fe21963442c6025b56209d0ba10479cde09a6 +Author: 
Patrick Schleizer +Date: Sat Jul 2 15:32:42 2022 -0400 + + fix + +commit 7a448e01a1f2be432c763678742301b64739b920 +Author: Patrick Schleizer +Date: Sat Jul 2 14:27:04 2022 -0400 + + bumped changelog version + +commit 32fdcf522be994e693f39c347ab1063ccd94255b +Author: Patrick Schleizer +Date: Thu Jun 30 14:47:45 2022 -0400 + + - introduce `wiperam=skip` kernel parameter to skip wipe ram + - introduce `wiperam=force` kernel parameter to force wipe ram inside VMs + +commit 036f518ddc067461979f5b61a576b7f74b7c6e65 +Author: Patrick Schleizer +Date: Thu Jun 30 13:56:29 2022 -0400 + + improvement + +commit 0e2fae2b693d6c45344cfdf592bac0adf3338d58 +Author: Patrick Schleizer +Date: Thu Jun 30 13:50:18 2022 -0400 + + skip ram wipe inside VMs + + https://forums.whonix.org/t/is-ram-wipe-possible-inside-whonix-cold-boot-attack-defense/5596/40 + +commit e06405c7be683450e6c6f737171b4f10513254e7 +Author: Patrick Schleizer +Date: Wed Jun 29 16:56:16 2022 -0400 + + undo + +commit 1b97d9cb766b00914769e5add699a8bdbcf1e7aa +Author: Patrick Schleizer +Date: Wed Jun 29 16:30:31 2022 -0400 + + fix + +commit 26be74bfe5c51a8ae41bb736847d3e93e7ae27d7 +Author: Patrick Schleizer +Date: Wed Jun 29 16:25:07 2022 -0400 + + bumped changelog version + +commit 92c543e71ff5386f4458102e1795132399292328 +Author: Patrick Schleizer +Date: Wed Jun 29 16:24:52 2022 -0400 + + output + +commit d4161b2748665ca3b67e5ced5ae576acb93cda46 +Author: Patrick Schleizer +Date: Wed Jun 29 16:23:42 2022 -0400 + + output + +commit 1ce7b27297bce446fb5726eba1cbb0cd3746fa85 +Author: Patrick Schleizer +Date: Wed Jun 29 16:23:12 2022 -0400 + + improvement + +commit aae4fdcffd0e3ed168975bc84db149843ffdfe47 +Author: Patrick Schleizer +Date: Wed Jun 29 16:06:33 2022 -0400 + + bumped changelog version + +commit 8b584c570af5d9ada8083af9bd80f3f992e3dceb +Author: Patrick Schleizer +Date: Wed Jun 29 16:06:22 2022 -0400 + + lintian + +commit a1f752ad00563b61a62a2dd33058365f1b6027de +Author: Patrick Schleizer +Date: Wed Jun 29 16:03:58 
2022 -0400 + + bumped changelog version + +commit f5e0c1742abc009b1af95f0d106a5e1cd90d1ef4 +Author: Patrick Schleizer +Date: Wed Jun 29 16:02:05 2022 -0400 + + credits + +commit 42e24f3c241471d91af6f16b74b5bf85dfad85d7 +Author: Patrick Schleizer +Date: Wed Jun 29 15:54:49 2022 -0400 + + update file names + +commit 52aaac9b6d3a9611317e919d78840554bfce9778 +Author: Patrick Schleizer +Date: Wed Jun 29 15:53:52 2022 -0400 + + rename + +commit 619bb3cf4d347c1575c58c74adbbede94d60f79b +Author: Patrick Schleizer +Date: Wed Jun 29 15:53:24 2022 -0400 + + rename + +commit 2a8504cf1bd2a4d7e373bde3f34f6f22e3d5ebc4 +Author: Patrick Schleizer +Date: Wed Jun 29 15:51:14 2022 -0400 + + move + +commit af8b211c238f6fe83db5990dc0984d1c532456ae +Author: Patrick Schleizer +Date: Wed Jun 29 15:50:20 2022 -0400 + + improvements + +commit 0b0cda8f8f2ff1da256473115df37456273cdcdd +Author: Patrick Schleizer +Date: Wed Jun 29 15:24:40 2022 -0400 + + bumped changelog version + +commit e9cd5d934b04f7d06a14616ef52a914198f03b97 +Author: Patrick Schleizer +Date: Wed Jun 29 15:24:27 2022 -0400 + + copyright + +commit 1c51d156494e743c7ad89f76510209a97eef5e45 +Author: Patrick Schleizer +Date: Wed Jun 29 15:23:53 2022 -0400 + + lintian + +commit 4b0cd53fee691f68dd6292869b6f6870bc0b6cbe +Author: Patrick Schleizer +Date: Wed Jun 29 15:22:41 2022 -0400 + + bumped changelog version + +commit 9ab81d45810b71374520603c32812e22685f59cb +Author: Patrick Schleizer +Date: Wed Jun 29 15:22:00 2022 -0400 + + do not power off too fast so wipe ram messages can be read + +commit 19439033de840ed39039f04db7b13f6e168a627e +Author: Patrick Schleizer +Date: Wed Jun 29 15:19:56 2022 -0400 + + copyright + +commit fc202ede16ee41aceeec356ba35ba71cc7fc821d +Author: Patrick Schleizer +Date: Wed Jun 29 15:18:28 2022 -0400 + + delete no longer required `usr/lib/dracut/modules.d/40sdmem-security-misc/README.md` + +commit 6d3a08a9365207923edd2f0b6f8aebdc635d3b33 +Author: Patrick Schleizer +Date: Wed Jun 29 15:17:40 2022 -0400 + + 
improvements + +commit 87e5f49f8dc72f14e96cc06b924566668991037f +Author: Patrick Schleizer +Date: Wed Jun 29 14:18:02 2022 -0400 + + bumped changelog version + +commit 6eba53767f3af2436fd00b807e71a94dff813dfc +Author: Patrick Schleizer +Date: Wed Jun 29 14:17:52 2022 -0400 + + lintian + +commit 81c15e88afd11d3359ae748d5c43e7bcc8b9a855 +Author: Patrick Schleizer +Date: Wed Jun 29 14:15:48 2022 -0400 + + bumped changelog version + +commit 8a072437cc6478757a8f21f3a6a0ea51a97b978b +Author: Patrick Schleizer +Date: Wed Jun 29 14:13:30 2022 -0400 + + ram wipe on shutdown: fix, added `need_shutdown` hook + + Otherwise dracut does not run on shutdown. + + Without `need_shutdown` file `/run/initramfs/.need_shutdown` does not get created. + And without that file `/usr/lib/dracut/dracut-initramfs-restore`, + which itself is started by `/lib/systemd/system/dracut-shutdown.service` does nothing. + +commit 4d937f551f6cccf40f933576a7fa210066f1fc8a +Author: Patrick Schleizer +Date: Wed Jun 29 13:03:35 2022 -0400 + + bumped changelog version + +commit 924077e04cd0d5b06a410b2a9289047286500e8a +Author: Patrick Schleizer +Date: Wed Jun 29 13:02:53 2022 -0400 + + verbose + +commit db301dfd7feb07799a00871f0e1f8fdccef0b777 +Author: Patrick Schleizer +Date: Wed Jun 29 13:02:39 2022 -0400 + + comment + +commit 73d2ada0deb98064979ea1feedb01c6312c4b4d5 +Author: Patrick Schleizer +Date: Wed Jun 29 13:02:01 2022 -0400 + + comment + +commit 67eaf8c9167da545189390b6f0f58b0b5b20976c +Author: Patrick Schleizer +Date: Wed Jun 29 11:40:38 2022 -0400 + + comments + +commit 72908d6b0dd65d6c9691977047b2bfdaa16ba147 +Author: Patrick Schleizer +Date: Wed Jun 29 11:34:55 2022 -0400 + + comments + +commit 43ea4dbb8363c511270fd704b138633da9ad088a +Author: Patrick Schleizer +Date: Wed Jun 29 11:18:59 2022 -0400 + + bumped changelog version + +commit 295811a88f9505687447ebf605fa108bc795da46 +Author: Patrick Schleizer +Date: Wed Jun 29 11:14:52 2022 -0400 + + improvements + +commit 
e5d85d69efefdfcee63c8c7d4ced1ed1bf1aeee7 +Author: Patrick Schleizer +Date: Wed Jun 29 10:02:18 2022 -0400 + + bumped changelog version + +commit af8ff65f8404ac1d423ad3c28342d8fe7bc3a018 +Author: Patrick Schleizer +Date: Wed Jun 29 10:01:51 2022 -0400 + + comment + +commit cfae7de6a842b77e50f9e6f5cb1eed0eac63ff2f +Author: Patrick Schleizer +Date: Wed Jun 29 09:58:37 2022 -0400 + + lintian + +commit 83519a58c7c1eccee7544fbc3ec0cf67bda976a7 +Author: Patrick Schleizer +Date: Wed Jun 29 09:54:27 2022 -0400 + + bumped changelog version + +commit 024d52a67ebb6028d5df890e469fec5dc42be00a +Author: Patrick Schleizer +Date: Wed Jun 29 09:52:53 2022 -0400 + + improve usr/lib/dracut/modules.d/40sdmem-security-misc/module-setup.sh + +commit 29253004b6be7c7d2b3fce6cceff2df3e845f15a +Author: Patrick Schleizer +Date: Wed Jun 29 09:38:18 2022 -0400 + + minor + +commit 6f19af1542d3b6d2d6af89136ce909f7f7335ff1 +Author: Patrick Schleizer +Date: Wed Jun 29 09:35:08 2022 -0400 + + add shebang /bin/sh + + to fix lintian warning + security-misc: executable-not-elf-or-script usr/lib/dracut/modules.d/40sdmem-security-misc/wipe.sh + +commit 38cdf2722bc0aa224e1ec253e77728d4e00b9be0 +Author: Patrick Schleizer +Date: Wed Jun 29 09:32:55 2022 -0400 + + - Wipe LUKS Disk Encryption Key for Root Disk from RAM during Shutdown to defeat Cold Boot Attacks + - Confirm in console output if encrypted mounts (root disk) is unmounted. (Because that is a pre-condition for wiping the LUKS full disk encryption key from RAM.) + + Thanks to @friedy10! 
+ + https://github.com/friedy10/dracut/tree/master/modules.d/40sdmem + + https://forums.whonix.org/t/is-ram-wipe-possible-inside-whonix-cold-boot-attack-defense/5596 + +commit adca1ebdf6c83c5c1c846cdb29f3e16ea9cdf32f +Author: Patrick Schleizer +Date: Wed Jun 8 11:05:07 2022 -0400 + + bumped changelog version + +commit d7dd188651a5227be6b1d95e7ae9a97e0cbb34f0 +Author: Patrick Schleizer +Date: Wed Jun 8 09:27:02 2022 -0400 + + remove unicode + +commit 55d16e1602c0221dbe00996a206d0691ef93ae71 +Author: Patrick Schleizer +Date: Wed Jun 8 09:04:03 2022 -0400 + + remove unicode + +commit fcaec49675ce7e240bdd049aab184fbee0945c7d +Merge: 5c43197 995e4ba +Author: Patrick Schleizer +Date: Wed Jun 8 08:20:24 2022 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 995e4ba7fafc1bf4f691b83dde415c57cebed63d +Merge: 616fe85 6e8f584 +Author: Patrick Schleizer +Date: Wed Jun 8 08:19:03 2022 -0400 + + Merge pull request #104 from ntninja/patch-1 + + Fix issues found with permission-hardening on my system + +commit 5c43197f10df3a49704a66ef3e3d56f122be4775 +Author: Patrick Schleizer +Date: Wed Jun 8 08:11:28 2022 -0400 + + minor + +commit 6e8f584d88333d3a6fec1318ba92f76e328bf7ce +Author: Kuri Schlarb <246386+ntninja@users.noreply.github.com> +Date: Wed Jun 8 05:29:42 2022 +0000 + + permission-hardening: Keep `pam_unix.so` password checking helper SetGID shadow + +commit 2bdda9d0a0a289dafb260c926d29df274c9a67da +Author: Kuri Schlarb <246386+ntninja@users.noreply.github.com> +Date: Tue Jun 7 08:18:05 2022 +0000 + + permssion-hardening: Do not skip config file lines without trailing newline (ancient bash bug) + +commit 3910e4ee159d8b5f80c5086915583e4e20ecd6fe +Author: Kuri Schlarb <246386+ntninja@users.noreply.github.com> +Date: Tue Jun 7 08:11:51 2022 +0000 + + permission-hardening: Keep `passwd` executable but non-SetUID + +commit 9fd8e1c9b0250c9e00b555838bd381f162dfd8c4 +Author: Kuri Schlarb <246386+ntninja@users.noreply.github.com> +Date: Tue Jun 7 08:03:56 
2022 +0000 + + permission-hardening: Fix issue with pipelining failures causing incorrect user/group lookup results + +commit 616fe857f7a5cde1f4ad0d31e03876dcd2ab7f0f +Author: Patrick Schleizer +Date: Wed May 25 06:07:17 2022 -0400 + + bumped changelog version + +commit 7e2efe0155b97955428e64181c9a6b32402ee9db +Author: Patrick Schleizer +Date: Fri May 20 15:27:10 2022 -0400 + + readme + +commit 2d37e3a1af3739eedd9191a0f0c78a2762c5fa38 +Author: Patrick Schleizer +Date: Fri May 20 14:46:38 2022 -0400 + + copyright + +commit 78a9956b73498bad471ee1cb0fa0993f2e5ce3c0 +Merge: 4a3ed17 7651308 +Author: Patrick Schleizer +Date: Thu May 19 19:41:33 2022 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 76513087872943442df32451de5af158c2bbe944 +Merge: 4a3ed17 93efa50 +Author: Patrick Schleizer +Date: Thu May 19 19:39:42 2022 -0400 + + Merge pull request #103 from 0xC0ncord/bugfix/selinuxfs_restrictions + + hide-hardware-info: re-enable restrictions on sysfs when using SELinux + +commit 4a3ed17160c14ba7122d770665b53bde96038307 +Author: Patrick Schleizer +Date: Thu May 19 17:25:58 2022 -0400 + + readme + +commit bb0307290b59d0273f9ad585e881c91071e3edea +Author: Patrick Schleizer +Date: Sat Apr 16 14:18:35 2022 -0400 + + update link + +commit 2677db34baeb120a402b684d4a62ccf616b5528c +Author: Patrick Schleizer +Date: Sun Apr 10 12:40:16 2022 -0400 + + readme + +commit 93efa506dac6135f1a5c260ec95d985e7fedc53d +Author: 0xC0ncord +Date: Thu Mar 17 11:41:57 2022 -0400 + + hide-hardware-info: disable selinux whitelist by default + +commit 0051a6935acd2f452a9189d1581ccac7377dd23d +Author: Patrick Schleizer +Date: Thu Feb 10 14:06:54 2022 -0500 + + bumped changelog version + +commit b0a0004a85387a4f7520a688f6d2a9826d8e68fb +Author: Patrick Schleizer +Date: Thu Feb 10 13:47:10 2022 -0500 + + output + +commit 4f6f588fb53d2756d867ac7e29fb42f4f8fdb335 +Author: Patrick Schleizer +Date: Thu Feb 10 13:44:55 2022 -0500 + + fix, skip deletion of system.map files on 
read-only filesystems + + This is required for Qubes /lib/modules read-only implementation at time of writing. + + Thanks to @marmarek for the bug report! + + https://forums.whonix.org/t/remove-system-map-cannot-work-lib-modules-is-mounted-read-only/13324 + +commit 356232677a036cd1a673d805caa4d74a327ea096 +Author: Patrick Schleizer +Date: Tue Nov 9 14:32:33 2021 -0500 + + readme + +commit 4172232eb75aaca301e51529e49df76ca86b93b3 +Author: 0xC0ncord +Date: Fri Oct 8 22:17:12 2021 -0400 + + hide-hardware-info: make indentation consistent + +commit 060d7d890a0292addaa1e85bb1b2ff7eece23378 +Author: 0xC0ncord +Date: Fri Oct 8 22:11:58 2021 -0400 + + hide-hardware-info: re-enable restrictions on sysfs when using SELinux + + When using SELinux, restrict the parts of sysfs explicitly to ensure + restrictions are working as expected. + +commit 96026a5e90a56cade2dff5f3dfc3687687e92c56 +Author: Patrick Schleizer +Date: Tue Sep 14 14:18:52 2021 -0400 + + bumped changelog version + +commit c72567dbd215fcd60c4719fe1ebc9a0f350a2b97 +Author: Patrick Schleizer +Date: Tue Sep 14 14:18:44 2021 -0400 + + fix + +commit 03276fbec502df9e9fc228a0c05f3c85fd1483af +Author: Patrick Schleizer +Date: Sun Sep 12 11:57:20 2021 -0400 + + bumped changelog version + +commit d62bbaab82a33a485a82d42d8db5674d200a1c3d +Author: Patrick Schleizer +Date: Sun Sep 12 11:40:58 2021 -0400 + + fix, unduplicate kernel command line + +commit fb0540650c26689165b2fd0558b87ef7c3154a6e +Author: Patrick Schleizer +Date: Sat Sep 11 16:33:14 2021 -0400 + + readme + +commit 64e9f0016aa5804740a099890a5ef648dde07883 +Author: Patrick Schleizer +Date: Thu Sep 9 12:35:37 2021 -0400 + + bumped changelog version + +commit bd31b4085c853d8b182e3a13534827a695f5493a +Author: Patrick Schleizer +Date: Thu Sep 9 12:16:18 2021 -0400 + + remove Debian buster support in /etc/default/grub.d + +commit d16d9a545502af1ec25a165a27bdbc1033b97d59 +Author: Patrick Schleizer +Date: Mon Sep 6 09:46:20 2021 -0400 + + bumped changelog version + 
+commit ac0c492663b9d90f99e5969193b35b53d4175d1d +Author: Patrick Schleizer +Date: Mon Sep 6 08:22:55 2021 -0400 + + do not set kernel parameter `quiet loglevel=0` for recovery boot option + + for easier debugging + +commit 49902b8c56512c3ee8b3d16b0ca513e44349c66d +Author: Patrick Schleizer +Date: Mon Sep 6 08:19:41 2021 -0400 + + move grub quiet to separate config file /etc/default/grub.d/41_quiet.cfg + +commit bb3a3178f17d1b882f38ba18db7835833f758805 +Author: Patrick Schleizer +Date: Mon Sep 6 04:55:23 2021 -0400 + + bumped changelog version + +commit f5b0e4b5b856ba6fa0dea7fa18c38221d972e8a3 +Author: Patrick Schleizer +Date: Mon Sep 6 04:55:16 2021 -0400 + + debugging + +commit a67d1754d459a221930cb92754b51bec348f8035 +Author: Patrick Schleizer +Date: Sun Sep 5 16:04:28 2021 -0400 + + bumped changelog version + +commit 6257bfa926f960b3b772dd528fe6004f81d990ea +Author: Patrick Schleizer +Date: Sun Sep 5 15:54:20 2021 -0400 + + debugging + +commit 1b09d5671829c51bd17f44410d4122b6de7aa6e9 +Author: Patrick Schleizer +Date: Sat Sep 4 18:29:00 2021 -0400 + + bumped changelog version + +commit a4e18a2ae8c19a664bb1be5bc4ec43f10a876969 +Author: Patrick Schleizer +Date: Sat Sep 4 18:28:37 2021 -0400 + + `dracut` `reproducible=yes` + +commit 1a10293b0408a4197620ce78cffb62cb8c00908c +Author: Patrick Schleizer +Date: Sat Sep 4 12:00:55 2021 -0400 + + bumped changelog version + +commit e2810f348b413bb307449a911c12a46924686a9f +Author: Patrick Schleizer +Date: Sat Sep 4 11:50:31 2021 -0400 + + Depends: libpam-modules-bin + +commit 3c64ec8f917ed1237454d1526647a84bf00c9e83 +Author: Patrick Schleizer +Date: Thu Sep 2 14:36:53 2021 -0400 + + bumped changelog version + +commit be8c10496f26d33378deb2427e56892771456ee5 +Author: Patrick Schleizer +Date: Wed Sep 1 15:55:53 2021 -0400 + + fix faillock implementation + + dovecot / ssh are exempted + +commit 8b104f544a9e4e8da1691659fefa4999a4f6f085 +Author: Patrick Schleizer +Date: Wed Sep 1 15:45:36 2021 -0400 + + fix, add sshd to 
pam_service_exclusion_list + + to avoid faillock + +commit 224ae730c13f4add672fffaf58206eeb7ae24090 +Author: Patrick Schleizer +Date: Sun Aug 22 05:32:18 2021 -0400 + + bumped changelog version + +commit db43cedcfdf918556ae3989209a4d984527a6416 +Author: Patrick Schleizer +Date: Sun Aug 22 05:23:24 2021 -0400 + + LANG=C str_replace + +commit ef2b067c0385dbae7b16bc79a10582995d8ba5fe +Author: Patrick Schleizer +Date: Tue Aug 17 15:24:12 2021 -0400 + + bumped changelog version + +commit 08adf4a07d97940ef924f53863ec4aa62f88fb04 +Author: Patrick Schleizer +Date: Tue Aug 17 15:23:49 2021 -0400 + + readme + +commit 7d73b3ffa0bf13ba78debfb7f099758b0d0fbef3 +Author: Patrick Schleizer +Date: Tue Aug 17 15:21:26 2021 -0400 + + add hardened malloc compatibility for haveged workaround + + `/lib/systemd/system/haveged.service.d/30_security-misc.conf` + + `SystemCallFilter=getrandom` + + Otherwise haveged will exit with a core dump. + +commit 8676beef90040bdf0782e0a9c683c6463ddb48b5 +Author: Patrick Schleizer +Date: Tue Aug 10 18:26:32 2021 -0400 + + bumped changelog version + +commit 582492d6d8c5f756be4d809898707cb196c5c765 +Author: Patrick Schleizer +Date: Tue Aug 10 17:13:00 2021 -0400 + + port from pam_tally2 to pam_faillock + + since pam_tally2 was deprecated upstream + +commit 2bf0e7471cbd3b813ce385d994e43e48636f7a0b +Author: Patrick Schleizer +Date: Tue Aug 10 15:11:01 2021 -0400 + + port from pam_tally2 to pam_faillock + + since pam_tally2 was deprecated upstream + +commit 2aea74bd715d865f44f91aaab6ca1bf0a00a2b0b +Author: Patrick Schleizer +Date: Tue Aug 10 15:06:04 2021 -0400 + + renamed: usr/libexec/security-misc/pam_tally2-info -> usr/libexec/security-misc/pam-info + renamed: usr/libexec/security-misc/pam_tally2_not_if_x -> usr/libexec/security-misc/pam_faillock_not_if_x + renamed: usr/share/pam-configs/tally2-security-misc -> usr/share/pam-configs/faillock-security-misc + +commit 6376bbff801f79dbb154611c3ad330b4cd863f69 +Author: Patrick Schleizer +Date: Thu Aug 5 
17:03:43 2021 -0400 + + bumped changelog version + +commit 3756016f42d97c6bf32c9bf5fed02904a63f4a5c +Author: Patrick Schleizer +Date: Tue Aug 3 13:04:34 2021 -0400 + + `lintian --suppress-tags obsolete-command-in-modprobe.d-file` + + https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/24 + +commit 50bdd097df4c87cd4507311df9c0b14d237c534b +Author: Patrick Schleizer +Date: Tue Aug 3 12:56:31 2021 -0400 + + move /usr/lib/security-misc to /usr/libexec/security-misc as per lintian FHS + +commit 4fadaad8c0a79df5996372c05db635d500e41fee +Author: Patrick Schleizer +Date: Tue Aug 3 12:52:10 2021 -0400 + + lintian FHS + +commit 6607c1e4bd085ee952952e6db17714326df4b7f6 +Author: Patrick Schleizer +Date: Tue Aug 3 12:48:57 2021 -0400 + + move /usr/lib/helper-scripts and /usr/lib/curl-scripts to /usr/libexec/helper-scripts as per lintian FHS + +commit 0492f28aa10dc93063ff3b46107fa705c5ee0d7e +Author: Patrick Schleizer +Date: Tue Aug 3 12:37:39 2021 -0400 + + enable "`apt-get --error-on=any`" by default + + makes apt exit non-zero for transient failures + + `/etc/apt/apt.conf.d/40error-on-any` + + https://forums.whonix.org/t/debian-bullseye-apt-get-error-on-any/12068 + +commit 240ec7672a4d513e7e6cca280aca3d67c265d1cc +Author: Patrick Schleizer +Date: Tue Aug 3 12:19:26 2021 -0400 + + replace no longer required `/usr/lib/security-misc/apt-get-wrapper` with `apt-get --error-on=any` + +commit 8eae6356684052415f8bc494db077e033653d971 +Author: Patrick Schleizer +Date: Tue Aug 3 11:51:31 2021 -0400 + + update lintian tag name + +commit 5e3338f8d3ff799a2da4257e24b57bd55541187f +Author: Patrick Schleizer +Date: Tue Aug 3 05:48:25 2021 -0400 + + bullseye + +commit bb3e65f7a80770238bda3733bed89c15a9c76852 +Author: Patrick Schleizer +Date: Tue Aug 3 03:25:35 2021 -0400 + + bullseye + +commit c94281121e20289b718f24c13e399e5e8cac0ebd +Author: Patrick Schleizer +Date: Sun Aug 1 16:37:02 2021 -0400 + + comment + +commit 
3599e8e2dabf13ad76901a9c282469f23d4d1308 +Author: Patrick Schleizer +Date: Sun Aug 1 16:24:41 2021 -0400 + + readme + +commit 82f3961a7165cc1e778be785950f1a255af43b4f +Author: Patrick Schleizer +Date: Sun Aug 1 13:12:08 2021 -0400 + + bumped changelog version + +commit 5a65c35479f267b026c03e195658ef9d98ee519c +Author: Patrick Schleizer +Date: Sun Aug 1 13:11:18 2021 -0400 + + port LKRG compatibility settings automation for VirtualBox hosts from systemd to dpkg trigger + +commit f03c7978c7c12eb0efed1d9298f52149a8149cb3 +Author: Patrick Schleizer +Date: Sun Jul 25 11:31:45 2021 -0400 + + bumped changelog version + +commit b3e34f7f43346c123d20e9a1606b1023b535f669 +Author: Patrick Schleizer +Date: Sun Jul 25 11:27:07 2021 -0400 + + comment + +commit 7e128636b3a4ea7fe5dfa12018685ab7b5dda706 +Author: Patrick Schleizer +Date: Sun Jul 25 11:26:20 2021 -0400 + + improve LKRG VirtualBox host configuration + + as per https://github.com/openwall/lkrg/issues/82#issuecomment-886188999 + +commit 3ebe9e7c530b39f1b0429a97eab2627f2bbd1635 +Author: Patrick Schleizer +Date: Sat Jul 24 18:10:06 2021 -0400 + + bumped changelog version + +commit 257cef24baa038b21ef511e9d95c4229a5e16f68 +Author: Patrick Schleizer +Date: Sat Jul 24 18:03:40 2021 -0400 + + add LKRG compatibility settings automation for VirtualBox hosts + + https://github.com/openwall/lkrg/issues/82 + +commit 0f86ffef04e533be1c88584b6419c276d176fc05 +Author: Patrick Schleizer +Date: Wed Jun 23 11:20:39 2021 -0400 + + bumped changelog version + +commit 74e39cbf690dae2bf72bd9f152ea91c364f5feff +Author: Patrick Schleizer +Date: Sun Jun 20 11:18:56 2021 -0400 + + pam-abort-on-locked-password: more descriptive error handling + + https://forums.whonix.org/t/restrict-root-access/7658/1 + +commit 0f3dbfc4a1fb08b5542e265dfbeab4e7f401549d +Author: Patrick Schleizer +Date: Sun Jun 20 10:16:57 2021 -0400 + + bumped changelog version + +commit eff5af03184f52181894884b90a8d867a1f10956 +Author: Patrick Schleizer +Date: Sun Jun 20 10:16:33 
2021 -0400 + + https://forums.whonix.org/t/restrict-root-access/7658/116 + +commit 419f1d89c25ca833ac63f2e174beeb9afb0cce00 +Author: Patrick Schleizer +Date: Mon Jun 7 12:13:37 2021 -0400 + + bumped changelog version + +commit 30d1ce36af7835d47e0b53af475f3a7e99617b77 +Merge: 0305baf 70a1eb2 +Author: Patrick Schleizer +Date: Mon Jun 7 12:11:58 2021 -0400 + + Merge remote-tracking branch 'github-whonix/master' + +commit 70a1eb25a5976e0461056ff2c56bd82ab5df6c2c +Merge: 0305baf 97d8db3 +Author: Patrick Schleizer +Date: Sat Jun 5 15:55:41 2021 -0400 + + Merge pull request #101 from madaidan/sudo + + Restrict sudo's file permissions + +commit 97d8db3f74b9fc00c8f4416cb72966e62c7de88e +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Sat Jun 5 19:16:42 2021 +0000 + + Restrict sudo's file permissions + +commit 0305baf21173f0ee292986200f1242ca0395c74d +Author: Patrick Schleizer +Date: Tue Jun 1 07:36:59 2021 -0400 + + bumped changelog version + +commit d87bee37f788fb7605626cd4a8d61ed9e6fee252 +Author: Patrick Schleizer +Date: Tue Jun 1 07:21:18 2021 -0400 + + comment + +commit 809930c0212aa41d60b1a498bd4ce85f06668bae +Author: Patrick Schleizer +Date: Tue Jun 1 05:36:01 2021 -0400 + + comment + +commit 5bd59991cbf72ba9ebd8feadd4da397bbcd9d469 +Author: Patrick Schleizer +Date: Wed May 5 08:37:56 2021 -0400 + + bumped changelog version + +commit 6e759f9196412b1742db1e4c68a70867e1ad8629 +Author: Patrick Schleizer +Date: Thu Apr 29 11:17:30 2021 -0400 + + config-package-dev displace /etc/dkms/framework.conf + + https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/58 + +commit e2afd00627b097f75467cd0e2fe7e15977141026 +Author: Patrick Schleizer +Date: Thu Apr 29 11:14:30 2021 -0400 + + modify DKMS configuration file `/etc/dkms/framework.conf` + + Lower parallel compilation jobs to 1 if less than 2 GB RAM to avoid freezing of virtual machines. 
+ + `parallel_jobs=1` + + This does not necessarily belong into security-misc, however likely + security-misc will need to modify `/etc/dkms/framework.conf` in the future to + enable kernel module signing. + + https://forums.whonix.org/t/linux-kernel-runtime-guard-lkrg-linux-kernel-runtime-integrity-checking-and-exploit-detection/8477/26 + + https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/58 + +commit 3ba3b371873d221db6845fb0fe52191b8b349b0a +Author: Patrick Schleizer +Date: Thu Apr 29 11:08:30 2021 -0400 + + add `/etc/dkms/framework.conf.security-misc` + + original, from + - https://github.com/dell/dkms/blob/master/dkms_framework.conf + - https://raw.githubusercontent.com/dell/dkms/master/dkms_framework.conf + + https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/58 + +commit 1d35bdf2912d1dfd0b49ce727338f86d17decd72 +Author: Patrick Schleizer +Date: Mon Apr 5 11:58:47 2021 -0400 + + bumped changelog version + +commit 41734ec523eb3cd233fe4651b9807222c8ccb1d5 +Author: Patrick Schleizer +Date: Sat Apr 3 11:44:13 2021 -0400 + + systemd RemainAfterExit=yes + + for better usability + + https://forums.whonix.org/t/restrict-hardware-information-to-root-testers-wanted/8618/33 + +commit e8ea94325b1df7bc0c47eabdfbd7c24b2fe51539 +Author: Patrick Schleizer +Date: Wed Mar 17 12:31:34 2021 -0400 + + bumped changelog version + +commit a67007f4b7b7763a0b131acb246cfe84ac65540f +Author: Patrick Schleizer +Date: Wed Mar 17 09:45:21 2021 -0400 + + copyright + +commit 0c4a7207e46933a504badfb9c1ce26a9ef82d370 +Author: Patrick Schleizer +Date: Thu Mar 4 07:09:01 2021 -0500 + + bumped changelog version + +commit a1819e8cabc45ea197da7e3a4a94ffbab1376423 +Author: Patrick Schleizer +Date: Mon Mar 1 09:15:44 2021 -0500 + + comment + +commit 3382192b89de3891d45261f138652bdb48c5674b +Merge: 7f30d70 2e8e3c0 
+Author: Patrick Schleizer +Date: Mon Mar 1 09:12:18 2021 -0500 + + Merge remote-tracking branch 'github/master' + +commit 2e8e3c07c4dda7f8500237dfa7a1d2bc7aecef5d +Merge: 7f30d70 4db7d6b +Author: Patrick Schleizer +Date: Mon Mar 1 14:11:28 2021 +0000 + + Merge pull request #100 from 0xC0ncord/bugfix/selinuxfs_restrictions + + hide-hardware-info: allow unrestricting selinuxfs + +commit 7f30d702953b2e46255e3e8e71ee47af3f5a5725 +Author: Patrick Schleizer +Date: Sat Feb 6 06:31:45 2021 -0500 + + bumped changelog version + +commit 83c0be5177929b67e3c9eba18c02904498d378cb +Author: Patrick Schleizer +Date: Sat Feb 6 06:27:54 2021 -0500 + + readme + +commit 4db7d6be643f9e7c9c3b81d3945b8d2c3e4c5269 +Author: Kenton Groombridge +Date: Sat Feb 6 03:02:08 2021 -0500 + + hide-hardware-info: allow unrestricting selinuxfs + + On SELinux systems, the /sys/fs/selinux directory must be visible to + userspace utilities in order to function properly. + +commit 3120ff3ec98edecdc2855261d3ba26cad8803c74 +Author: Patrick Schleizer +Date: Fri Jan 29 23:37:03 2021 -0500 + + bumped changelog version + +commit af3244741dba7425148378aacf853e82deddee1f +Author: Patrick Schleizer +Date: Fri Jan 29 23:15:52 2021 -0500 + + comment + +commit d9aaf5910553b04b965ea729476b586d72043aea +Author: Patrick Schleizer +Date: Thu Jan 28 02:15:46 2021 -0500 + + bumped changelog version + +commit b0b7f569ee7da1101c9100c1b053b910f8660436 +Author: Patrick Schleizer +Date: Thu Jan 28 02:11:54 2021 -0500 + + comment + +commit f2595cc2542b326a74d4c651897160c04bd1e162 +Author: Patrick Schleizer +Date: Wed Jan 27 05:50:16 2021 -0500 + + bumped changelog version + +commit 9622f28e255a101ee7239e3ffd42d8d80637654a +Author: Patrick Schleizer +Date: Wed Jan 27 05:49:34 2021 -0500 + + skip counting failed login attempts from dovecot + + Failed dovecot logins should not result in account getting locked. 
+ + revert "use pam_tally2 only for login" + +commit 480f74cab6d79886fe29eeecc5b7ebc1f138f8dd +Author: Patrick Schleizer +Date: Sun Jan 24 05:10:36 2021 -0500 + + bumped changelog version + +commit 6757104aa4d1e661b046e71f7bda511d73e83d61 +Author: Patrick Schleizer +Date: Sun Jan 24 05:04:48 2021 -0500 + + use pam_tally2 only for login + + to skip counting failed login attempts over ssh and mail login + +commit 126c31c37d17a55b0980dcae8c546aeed4282a99 +Author: Patrick Schleizer +Date: Tue Jan 19 19:41:43 2021 -0500 + + bumped changelog version + +commit 14d13fb03ed627cfb378873ad46f4d3ac795a9f6 +Author: Patrick Schleizer +Date: Tue Jan 19 19:41:42 2021 -0500 + + readme + +commit 611fbe2c619d9b5fab748faf2b0f59274a914187 +Author: Patrick Schleizer +Date: Mon Jan 18 05:39:34 2021 -0500 + + description + +commit 0e8ea5eb727d609d70e8f639dde62583a3ff47f3 +Author: Patrick Schleizer +Date: Thu Jan 14 02:36:49 2021 -0500 + + bumped changelog version + +commit ddd62c1eef031c2befc626acbe4d48d8cdbea1d0 +Author: Patrick Schleizer +Date: Tue Jan 12 03:24:11 2021 -0500 + + readme + +commit 468d8b600dda7cce87bbdf972244ef2f610935d5 +Author: Patrick Schleizer +Date: Tue Jan 12 03:20:58 2021 -0500 + + readme + +commit b5cee63999a7277b32f3850a5d8821c73ed05933 +Author: Patrick Schleizer +Date: Tue Jan 12 03:19:31 2021 -0500 + + new file: README_generic.md + +commit 94627f0875e69c9314faab8b0dc2dbe22af5c88f +Merge: 353e74f 79876f7 +Author: Patrick Schleizer +Date: Tue Jan 12 03:18:41 2021 -0500 + + Merge remote-tracking branch 'github/master' + +commit 79876f7b1261006885a713dbfda97609c8e81f3f +Merge: 353e74f 3066b5a +Author: Patrick Schleizer +Date: Tue Jan 12 08:17:04 2021 +0000 + + Merge pull request #99 from madaidan/docs + + Overhaul documentation + +commit 3066b5ad972f16069361999afbca0978986db862 +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Tue Jan 12 02:17:13 2021 +0000 + + Overhaul documentation + +commit 353e74fb5f0c150b9de3554b88619480c338ef59 +Author: 
Patrick Schleizer +Date: Tue Jan 5 08:30:37 2021 -0500 + + bumped changelog version + +commit a258f35f385aff7b6fef71e23b94c4681e52bed2 +Author: Patrick Schleizer +Date: Tue Jan 5 02:11:08 2021 -0500 + + comment + +commit a4d7e4614174e6f0357a068af0b7fd46e963a89f +Author: Patrick Schleizer +Date: Thu Dec 10 05:20:57 2020 -0500 + + bumped changelog version + +commit c5097ed599078091aef1fcb63b237d9835040c34 +Author: Patrick Schleizer +Date: Sun Dec 6 04:23:09 2020 -0500 + + comment + +commit b2b614ed2a1a62ff4c917aba80eeef505810dbf8 +Author: Patrick Schleizer +Date: Sun Dec 6 04:15:52 2020 -0500 + + cover more folders in /usr/local + +commit 5bd267d7747521fa5bb053da19dc79991e2c4bb5 +Author: Patrick Schleizer +Date: Sun Dec 6 04:10:50 2020 -0500 + + refactoring + +commit 11cdce02a048b323c6f56cb15f98e6060aab8346 +Author: Patrick Schleizer +Date: Sun Dec 6 04:10:10 2020 -0500 + + refactoring + +commit f73c55f16c10ee2cd0532f4032cec56c484bd4d5 +Author: Patrick Schleizer +Date: Sun Dec 6 04:08:58 2020 -0500 + + /opt + + https://forums.whonix.org/t/suid-disabler-and-permission-hardener/7706/68 + +commit 261ef85c14ff9c13d3d7734d8c9eba5a54497187 +Author: Patrick Schleizer +Date: Tue Dec 1 05:53:06 2020 -0500 + + bumped changelog version + +commit c031f22995a1e073bd81189ee97a3de32a2b278f +Author: Patrick Schleizer +Date: Tue Dec 1 05:14:48 2020 -0500 + + SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists + + `whitelists_disable_all=true` + +commit b09cc0de6af2d7e12110a0f3030234539288abad +Author: Patrick Schleizer +Date: Tue Dec 1 05:10:26 2020 -0500 + + Revert "SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists" + + This reverts commit 36a471ebce883f7a1660977f486b21ece320d0c2. 
+ +commit 704f0500ba4e23a1e5b33688db02e03b1169046d +Author: Patrick Schleizer +Date: Tue Dec 1 05:03:16 2020 -0500 + + fix, rename 40_default_whitelist_[...].conf to 25_default_whitelist_[...].conf + + since whitelist needs to be defined before SUID removal commands + +commit 36a471ebce883f7a1660977f486b21ece320d0c2 +Author: Patrick Schleizer +Date: Tue Dec 1 05:02:34 2020 -0500 + + SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists + + `whitelists_disable_all=true` + +commit 318ab570aacd48b7f163331dc2ba8b012e0d2336 +Author: Patrick Schleizer +Date: Tue Dec 1 04:28:15 2020 -0500 + + simplify disabling of SUID Disabler and Permission Hardener whitelist + + split `/etc/permission-hardening.d/30_default.conf` into multiple files + + `/etc/permission-hardening.d/40_default_whitelist_[...].conf` + + therefore make it easier to delete any whitelisted SUID binaries + +commit cf07e977bd6697af7a4326d7705447d500d35593 +Author: Patrick Schleizer +Date: Sun Nov 29 09:09:42 2020 -0500 + + add `/bin/pkexec exactwhitelist` for consistency + + since there is already `/usr/bin/pkexec exactwhitelist` + +commit fe274838861ada125eccdca11ba044123fdae663 +Author: Patrick Schleizer +Date: Sat Nov 28 06:08:10 2020 -0500 + + bumped changelog version + +commit 28a326a8a14f56d588ed6f2b4d7d748d53120109 +Author: Patrick Schleizer +Date: Sat Nov 28 05:31:12 2020 -0500 + + add feature `/usr/lib/security-misc/permission-hardening-undo /path/to/filename` + + to allow removing 1 SUID + + fix, show INFO message if file does not exist during removal rather than ERROR + +commit 0ef35f877066ddac21737e707829c4571bb76abd +Author: Patrick Schleizer +Date: Fri Nov 6 10:18:09 2020 -0500 + + bumped changelog version + +commit abae787186d48b2cccf220cbf7b553f8478e60be +Author: Patrick Schleizer +Date: Thu Nov 5 06:47:16 2020 -0500 + + usability: pam abort when attempting to login to root when root password is locked + +commit 581e31af81015fb85ee1bdd81586dbea13804955 
+Author: Patrick Schleizer +Date: Thu Nov 5 06:46:57 2020 -0500 + + comment + +commit dfe9b0f6c7364e4d3cc3bf13ad7c0fccc2cb7e10 +Author: Patrick Schleizer +Date: Thu Nov 5 06:42:47 2020 -0500 + + fix, no longer unconditionally abort pam for user accounts with locked passwords + + as locked user accounts might have valid sudoers exceptions + + Thanks to @mimp for the bug report! + + https://forums.whonix.org/t/pam-abort-on-locked-password-and-running-privileged-command-from-web-browser/10521 + +commit 211769dc65a5c98cbdb55ce62e83c9e2a9fa1540 +Author: Patrick Schleizer +Date: Thu Nov 5 06:41:51 2020 -0500 + + comment + +commit 79521397310f5e4e200291b2e2380e8e58953f18 +Author: Patrick Schleizer +Date: Thu Nov 5 06:39:32 2020 -0500 + + comment + +commit bb72c1278dd02a48a631d8e798cd78100576a1a8 +Author: Patrick Schleizer +Date: Thu Nov 5 06:36:39 2020 -0500 + + copyright + +commit f4843b1deb95948f9fe2a2870ecbe61c1cab798a +Author: Patrick Schleizer +Date: Sat Oct 31 06:29:25 2020 -0400 + + bumped changelog version + +commit c1e0bb831025854afbd88e5c353a000c4dadaede +Author: Patrick Schleizer +Date: Sat Oct 31 06:11:49 2020 -0400 + + shebang + +commit b06d4ca29983938fa81acfc379366e6c1516c69a +Author: Patrick Schleizer +Date: Sat Oct 31 06:09:22 2020 -0400 + + bumped changelog version + +commit 3f656be5746ec4d219371fb0d67c222df7fe52d1 +Author: Patrick Schleizer +Date: Sat Oct 31 05:48:10 2020 -0400 + + chmod +x /etc/X11/Xsession.d/50panic_on_oops + chmod +x /etc/X11/Xsession.d/50security-misc + +commit 881d695bff7d65c66bbf8e0973f883c75a3d1ebb +Author: Patrick Schleizer +Date: Mon Oct 5 07:03:37 2020 -0400 + + bumped changelog version + +commit 3adb2c92d9551f649b177753fede18da3cc4b0eb +Merge: feb7cea 5856013 +Author: Patrick Schleizer +Date: Sat Oct 3 14:10:32 2020 -0400 + + Merge remote-tracking branch 'github/master' + +commit 58560138cdc36fa5f6142f75f0fed53bcad96363 +Merge: feb7cea 06ffd5d +Author: Patrick Schleizer +Date: Sat Oct 3 18:09:07 2020 +0000 + + Merge pull 
request #77 from madaidan/debugfs + + Restrict access to debugfs + +commit 06ffd5d2201152c60eb4309860b8c42be386dccb +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Mon Sep 28 19:21:20 2020 +0000 + + Restrict access to debugfs + +commit feb7cea4c508a94d1140bc08856d0fe586da694e +Author: Patrick Schleizer +Date: Mon Sep 28 10:30:42 2020 -0400 + + bumped changelog version + +commit da1ac48cde8ea5057d1606a2fba42ea179677378 +Author: Patrick Schleizer +Date: Mon Sep 28 10:29:50 2020 -0400 + + unblacklist squashfs as this would likely break Whonix-Host ISO + + https://github.com/Whonix/security-misc/pull/75#issuecomment-700044182 + +commit 4070133ed65af409adeb6f8c7970d3bc7074b02b +Author: Patrick Schleizer +Date: Mon Sep 28 10:25:57 2020 -0400 + + unblacklist vfat + + https://github.com/Whonix/security-misc/pull/75#issuecomment-695201068 + +commit 77d461ec08ffdf0eb6a5d124927d9f9748c0dd3c +Merge: 5fc7b79 3684ab5 +Author: Patrick Schleizer +Date: Mon Sep 28 10:24:59 2020 -0400 + + Merge remote-tracking branch 'github/master' + +commit 3684ab585eeab46ff17a1d410ce1bcff1a63968c +Merge: ae90107 a813e7d +Author: Patrick Schleizer +Date: Mon Sep 28 14:24:15 2020 +0000 + + Merge pull request #75 from flawedworld/patch-1 + + Blacklist more modules (based on OpenSCAP for RHEL 8) + +commit ae90107e6df4d312a6734985df38b8533d1283c8 +Merge: 5fc7b79 8f7727e +Author: Patrick Schleizer +Date: Mon Sep 28 14:23:42 2020 +0000 + + Merge pull request #76 from flawedworld/patch-2 + + Add IPv6 sysctl options and enforce kernel.perf_event_paranoid=3 + +commit a813e7da07a39e96e0cd7937aee7568307a00287 +Author: flawedworld <38294951+flawedworld@users.noreply.github.com> +Date: Sat Sep 19 20:46:19 2020 +0100 + + Blacklist more modules + +commit 5fc7b791db473c22ea43ff899e2dbe232c42a2b7 +Author: Patrick Schleizer +Date: Sat Sep 19 09:28:27 2020 -0400 + + bumped changelog version + +commit bff6ce7abb920d55edc49b19340a1e9251a4cd8c +Merge: 98c0dec 9239c8b +Author: Patrick Schleizer 
+Date: Sat Sep 19 06:54:50 2020 -0400 + + Merge remote-tracking branch 'github/master' + +commit 9239c8b8074018090d4fa1381aa06e66a99359cc +Merge: 98c0dec 8dfdec1 +Author: Patrick Schleizer +Date: Sat Sep 19 10:54:21 2020 +0000 + + Merge pull request #71 from onions-knight/patch-1 + + Update thunar.xml + +commit 8f7727e823a86a1826686d5c95d0070721c7acba +Author: flawedworld <38294951+flawedworld@users.noreply.github.com> +Date: Fri Sep 18 23:36:30 2020 +0100 + + Add some IPv6 options + +commit 944fed3c459dd55820cb1eca68f86816bdf8469f +Author: flawedworld <38294951+flawedworld@users.noreply.github.com> +Date: Fri Sep 18 23:29:04 2020 +0100 + + Disallow kernel profiling by users without CAP_SYS_ADMIN + + It's the default on a lot of stuff, but still nice to have. + +commit 98c0decaa46c6fb839062ff9af0556d821c254e6 +Author: Patrick Schleizer +Date: Mon Aug 3 09:43:43 2020 -0400 + + bumped changelog version + +commit 7e267ab49850362c02374a15fdba2409a5487a0f +Author: Patrick Schleizer +Date: Mon Aug 3 08:12:19 2020 -0400 + + fix, allow group `sudo` and `console` to use consoles + + fix /etc/security/access-security-misc.conf syntax error + + Thanks to @81a989 for the bug report! 
+ + https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/31 + +commit b09f5ddc154d6561fd97b436feeb6a6225f89206 +Author: Patrick Schleizer +Date: Wed Jul 29 08:33:07 2020 -0400 + + bumped changelog version + +commit ac8bc4f006dbc1583e35ba033e38dac8392127e9 +Author: Patrick Schleizer +Date: Wed Jul 29 06:30:07 2020 -0400 + + readme + +commit 861f9d1022e61766c7474d9eb79489ba64ac2055 +Author: Patrick Schleizer +Date: Thu May 14 13:57:32 2020 -0400 + + bumped changelog version + +commit 3cd7b144bba1a92ca771b16fc5215073c7561a1a +Author: Patrick Schleizer +Date: Thu May 14 13:47:58 2020 -0400 + + move "kernel.printk = 3 3 3 3" to separate file /etc/sysctl.d/30_silent-kernel-printk.conf + + so package debug-misc can easily disable it + + https://phabricator.whonix.org/T950 + +commit 81cb6ad2462a900f9c5193278de70ada62a5585b +Author: Patrick Schleizer +Date: Thu Apr 23 12:27:25 2020 -0400 + + bumped changelog version + +commit 6485df8126b52a2072824fa442e8d1dd5cb18981 +Author: Patrick Schleizer +Date: Thu Apr 23 12:26:31 2020 -0400 + + Prevent kernel info leaks in console during boot. + + add kernel parameter `quiet loglevel=0` + + https://phabricator.whonix.org/T950 + +commit aa5631b02b0127b4681ae08c973b08b23befd701 +Author: Patrick Schleizer +Date: Thu Apr 16 08:43:40 2020 -0400 + + bumped changelog version + +commit 8d2e4b68dcae87b27f519196488e0ed7e8b95ef2 +Author: Patrick Schleizer +Date: Thu Apr 16 08:00:31 2020 -0400 + + Prevent kernel info leaks in console during boot. + + By setting `kernel.printk = 3 3 3 3`. + + https://phabricator.whonix.org/T950 + + Thanks to @madaidan for the suggestion! 
+ +commit 4898a9e753e9399e83e4a39d8fa340e1ad9d4f6d +Author: Patrick Schleizer +Date: Thu Apr 16 07:54:33 2020 -0400 + + fix, sysctl-initramfs: switch log to /run/initramfs/sysctl-initramfs-error.log + + since ephemeral, in RAM, not written to disk, no conflict with grub-live + + https://forums.whonix.org/t/kernel-hardening/7296/435 + +commit 701da5f6cc911e3946904c152078dc6c637e5070 +Author: Patrick Schleizer +Date: Thu Apr 16 07:24:44 2020 -0400 + + formatting + +commit cb51847085c1b62c99ab160373c52a388bdfe300 +Author: Patrick Schleizer +Date: Wed Apr 15 14:05:37 2020 -0400 + + readme + +commit df218ad6582ab88be16e66cf13951d0a5271411b +Author: Patrick Schleizer +Date: Tue Apr 14 12:40:31 2020 -0400 + + bumped changelog version + +commit 8851c9ed29e79d2ef5df9c7b7086878e69b90bd4 +Author: Patrick Schleizer +Date: Tue Apr 14 12:39:34 2020 -0400 + + fix: disable proc-hidepid.service + +commit b6dde34bfb696218cc14ac89d169ec0e37814bff +Author: Patrick Schleizer +Date: Mon Apr 13 06:56:34 2020 -0400 + + bumped changelog version + +commit e0b8640fb9d03feb6b01fed4469d901e3f9a5dc0 +Author: Patrick Schleizer +Date: Mon Apr 13 06:56:34 2020 -0400 + + readme + +commit 253578afdf9a4aeb8c5495ca815d0326086dc986 +Author: Patrick Schleizer +Date: Mon Apr 13 06:50:32 2020 -0400 + + /etc/security/access-security-misc.conf white list ttyS0 etc. + + ttyS0 ttyS1 ttyS2 ttyS3 ttyS4 ttyS5 ttyS6 ttyS7 ttyS8 ttyS9 + + Thanks to @subpar_marlin for the bug report and helping to fix this! 
+ + https://forums.whonix.org/t/how-do-i-enter-the-whonix-shell-from-cli/7271/43 + + https://forums.whonix.org/t/etc-security-hardening/8592 + +commit b3ce18f0f9f1da0552a4a1bd882a5b5dda13626e +Author: Patrick Schleizer +Date: Sun Apr 12 16:54:10 2020 -0400 + + disable proc-hidepid by default because incompatible with pkexec + + and undo pkexec wrapper + +commit 442931529121e9e402e7ac56e27df3dcec43167b +Author: Patrick Schleizer +Date: Sun Apr 12 16:52:55 2020 -0400 + + disable proc-hidepid by default because incompatible with pkexec + + and undo pkexec wrapper + +commit 72be31e870057b035651c1b5a7e9a9db149e9d25 +Author: Patrick Schleizer +Date: Sun Apr 12 16:48:13 2020 -0400 + + disable proc-hidepid by default because incompatible with pkexec + + and undo pkexec wrapper + +commit 938e929f39ff68296ab01a4b619f963ad3bdf535 +Author: Patrick Schleizer +Date: Sun Apr 12 16:37:51 2020 -0400 + + add pkexec to suid default whitelist + + /usr/bin/pkexec exactwhitelist + /usr/bin/pkexec.security-misc-orig exactwhitelist + +commit 695ad5b83d0e89b1c3b8a5f09f2d7d0a17d8e72f +Author: Patrick Schleizer +Date: Thu Apr 9 09:45:30 2020 +0000 + + bumped changelog version + +commit 67b9d06b25a651b89e35abdd227a1740871395cd +Author: Patrick Schleizer +Date: Thu Apr 9 09:45:29 2020 +0000 + + readme + +commit 565ff136e5f1e714b4094fcd9cfdf99a0fb99850 +Author: Patrick Schleizer +Date: Wed Apr 8 21:04:02 2020 +0000 + + vm.swappiness=1 + + import from swappiness-lowest + + https://forums.whonix.org/t/vm-swappiness-1-set-swapiness-to-lowest-setting-still-useful-swappiness-lowest/9278 + +commit 642d4d8d939f33c19564dcc5a0ed46d85feb80aa +Author: Patrick Schleizer +Date: Wed Apr 8 17:13:21 2020 +0000 + + bumped changelog version + +commit a9d0baffe600b9ac5bb7d6ee4e7c5c5830bc60ba +Author: Patrick Schleizer +Date: Wed Apr 8 16:57:32 2020 +0000 + + python -> python3 + +commit 4153d8d08874256647d3200333d6754baac2ea63 +Author: Patrick Schleizer +Date: Wed Apr 8 16:51:22 2020 +0000 + + 
apparmor-profile-anondist -> apparmor-profile-dist + +commit 72228946dca93b5c8257ac5a6ad59e54b7b14d11 +Author: Patrick Schleizer +Date: Wed Apr 8 16:46:11 2020 +0000 + + fix etc/default/grub.d/40_kernel_hardening.cfg + + in Qubes if no kernel package is installed + +commit bfd6018d8d108ee8691556529121fe2a679de1d2 +Author: Patrick Schleizer +Date: Wed Apr 8 12:51:11 2020 +0000 + + bumped changelog version + +commit 0441f2ed7ad01585c11c9fb6a05cd3884408c9d6 +Author: Patrick Schleizer +Date: Wed Apr 8 12:30:05 2020 +0000 + + readme + +commit 663811a8192d7d08769eaf5e9c057b9dcca34562 +Author: Patrick Schleizer +Date: Wed Apr 8 12:04:13 2020 +0000 + + anon-base-files -> dist-base-files + +commit cc8489df2ff655276be31073ec2fff57a9e8b448 +Author: Patrick Schleizer +Date: Mon Apr 6 13:29:23 2020 -0400 + + bumped changelog version + +commit 350a15dfbf9186c4bd81159b7656b5707a95c5db +Author: Patrick Schleizer +Date: Mon Apr 6 13:22:32 2020 -0400 + + readme + +commit 5c81e1f23fa07a0e3c96d15dc3cc24d41332fe3c +Author: Patrick Schleizer +Date: Mon Apr 6 09:25:45 2020 -0400 + + import from anon-gpg-conf + +commit 1b2a34ea80fa9efeb02acaa8595e3c38fd9d06ca +Author: Patrick Schleizer +Date: Sat Apr 4 16:51:42 2020 -0400 + + bumped changelog version + +commit 1188a44f47602248911d81f4dc3af08b830b65b9 +Author: Patrick Schleizer +Date: Sat Apr 4 16:49:30 2020 -0400 + + port to python 3.7 + +commit a2c932aa5a354798ce1383e988519f9a2cb69374 +Author: Patrick Schleizer +Date: Thu Apr 2 07:58:51 2020 -0400 + + bumped changelog version + +commit ae8c5fff3c70c00931b95cd04b8729d2c1bd2a60 +Author: Patrick Schleizer +Date: Thu Apr 2 07:22:47 2020 -0400 + + readme + +commit a7f2a2a3b6b408a0545f55b8fed9cc17fbd8f843 +Author: Patrick Schleizer +Date: Thu Apr 2 06:04:45 2020 -0400 + + console lockdown: allow members of group `sudo` to use console + + https://forums.whonix.org/t/etc-security-hardening/8592 + + https://github.com/Whonix/security-misc/pull/74#issuecomment-607748407 + + 
https://www.whonix.org/wiki/Dev/Strong_Linux_User_Account_Isolation#Console_Lockdown + +commit 7764ee0d202193dc67f5805fc23be2b804962186 +Author: Patrick Schleizer +Date: Thu Apr 2 05:58:16 2020 -0400 + + comments + +commit d9f2a0e4a1837ef1604e4cd17ce8ae60996c9782 +Author: Patrick Schleizer +Date: Wed Apr 1 17:34:59 2020 -0400 + + remove 'Build-Depends: ronn' since no longer required + +commit eda9c57a628ebf1083f87789842d5403c6e05122 +Author: Patrick Schleizer +Date: Wed Apr 1 16:57:33 2020 -0400 + + remove genmkfile + +commit 2609fe9c3efff611dc5bce20d62580dace02757b +Author: Patrick Schleizer +Date: Wed Apr 1 16:33:29 2020 -0400 + + add debian install file + +commit d4b2baa9b66d480d5e45c628f8bc4ff11fab765f +Author: Patrick Schleizer +Date: Wed Apr 1 10:58:16 2020 -0400 + + bumped changelog version + +commit 2ceea8d1fe9f2425488c6696f75f2ecfd9ff2235 +Author: Patrick Schleizer +Date: Wed Apr 1 08:49:59 2020 -0400 + + update copyright year + +commit b6de867dec85efb03cf38aa85494607edb4500f4 +Author: Patrick Schleizer +Date: Wed Apr 1 08:26:44 2020 -0400 + + bumped changelog version + +commit ad022fc0b703f28f24665d28b072f1a993978370 +Author: Patrick Schleizer +Date: Wed Apr 1 08:21:06 2020 -0400 + + fix + +commit 354af7085be7e266913c3ae79701cd1abc729d06 +Author: Patrick Schleizer +Date: Tue Mar 31 07:41:45 2020 -0400 + + bumped changelog version + +commit 814f613a2fac12b892dfb6dcf53ee628e340c7b2 +Author: Patrick Schleizer +Date: Tue Mar 31 07:08:25 2020 -0400 + + When using systemd-nspawn (chroot) then `login` requires console 'console' to be permitted. 
+ +commit a369a0a94dca7fff68234e4f75d74a4e9d63df5b +Author: Patrick Schleizer +Date: Mon Mar 30 18:42:02 2020 -0400 + + bumped changelog version + +commit c22adbd92fcab45fb3b1d3e98528c4790bb20a6a +Author: Patrick Schleizer +Date: Mon Mar 30 18:39:23 2020 -0400 + + notify if security-misc installation is forced + +commit 7ee5fc1b760dff0f86d8cf07a77cbd42d40f7a53 +Author: Patrick Schleizer +Date: Mon Mar 30 17:16:46 2020 -0400 + + bumped changelog version + +commit f663b5eff8a6f2fa406039ced4441c5a4a9c1477 +Author: Patrick Schleizer +Date: Mon Mar 30 17:15:02 2020 -0400 + + skip check if any non-root user is a member of group sudo and console if + environment variable `SECURITY_MISC_INSTALL` is set to `force` + +commit bc22fc9fdba834d0a2d8fdc75b86934e56b317c9 +Author: Patrick Schleizer +Date: Mon Mar 30 17:12:43 2020 -0400 + + skip check if any non-root user is a member of group sudo and console if file + /var/lib/security-misc/skip_install_check exists + +commit d7a69628b1def631b04219da7aee764eebea37df +Author: Patrick Schleizer +Date: Sat Mar 21 14:56:48 2020 -0400 + + bumped changelog version + +commit 5f0dd8270ba6311018e654cca3b8b86818af5a82 +Author: Patrick Schleizer +Date: Sat Mar 21 14:14:35 2020 -0400 + + consistent use of quotes + +commit 66ea1a3a127642c5515ac6fd80952a56568620bc +Author: Patrick Schleizer +Date: Sat Mar 21 14:14:15 2020 -0400 + + minor + +commit 23bd7ead59c0bdd793a955aaa613552b37a38dab +Author: Patrick Schleizer +Date: Sat Mar 21 14:12:42 2020 -0400 + + remove trailing space + +commit 7c25fc517e6f42d4364a55407f6bf0c84d130c8e +Merge: 20f0c57 1cbc7f6 +Author: Patrick Schleizer +Date: Sat Mar 21 14:12:25 2020 -0400 + + Merge remote-tracking branch 'origin/master' + +commit 1cbc7f6bed8acc112b610e05f527cffc6e9e1e87 +Merge: 20f0c57 89ada11 +Author: Patrick Schleizer +Date: Sat Mar 21 18:11:57 2020 +0000 + + Merge pull request #73 from madaidan/sysctl-initramfs + + Only remount in sysctl-initramfs if already mounted read-only + +commit 
89ada11cf9a76cf02b3d5f92fd5c66194fe40ff0 +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Sat Mar 21 17:49:07 2020 +0000 + + Only remount if already mounted read-only + +commit 20f0c574d5424c78ab6b4d3829a6662615967ba5 +Merge: e4118cb 2938182 +Author: Patrick Schleizer +Date: Sat Mar 21 13:28:43 2020 -0400 + + Merge remote-tracking branch 'origin/master' + +commit 2938182ce6303e6e55086e2e9e82f8263a3c8e76 +Merge: e4118cb c8826d6 +Author: Patrick Schleizer +Date: Sat Mar 21 17:26:37 2020 +0000 + + Merge pull request #72 from madaidan/master + + Fix sysctl-initramfs logs + +commit c8826d6702ebaf280994effb22aea39b4cfd2dac +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Sat Mar 21 17:15:25 2020 +0000 + + Fix sysctl-initramfs logs + +commit 8dfdec1d3b0fde7b2836b38e5aefab1b6b6df9f2 +Author: onions-knight <38859709+onions-knight@users.noreply.github.com> +Date: Tue Mar 17 16:38:53 2020 +0000 + + Update thunar.xml + + Adding Delete option for thunar on right mouse click (removed in Debian 10). 
See https://forums.whonix.org/t/whonix-host-calamares-branding-suggestion/7772/26 + +commit e4118cb21eb8765bc8f4e7b5e05d464d72575824 +Author: Patrick Schleizer +Date: Thu Mar 12 04:43:08 2020 -0400 + + bumped changelog version + +commit e6e7886a6e3dca1a75943c5a04c4d29ab8682cec +Merge: 04a87f7 711e786 +Author: Patrick Schleizer +Date: Wed Mar 11 09:08:41 2020 -0400 + + Merge remote-tracking branch 'origin/master' + +commit 711e786be504179c832172acb39d567b323520e6 +Merge: 04a87f7 4d0de87 +Author: Patrick Schleizer +Date: Wed Mar 11 13:06:23 2020 +0000 + + Merge pull request #70 from madaidan/userfaultfd + + Fix unprivileged_userfaultfd + +commit 4d0de87f799d8032731140e9a5815d4773d91baa +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Sun Mar 8 17:49:49 2020 +0000 + + Disable unprivileged userfaultfd use again + +commit efb2683cfc168c3b110c6664ee61eabcf85f3f30 +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Sun Mar 8 17:49:12 2020 +0000 + + Hide unprivileged_userfaultfd error + +commit 04a87f7029736e5ce66f18bb6c42cadf3500b26b +Author: Patrick Schleizer +Date: Sun Mar 8 09:43:24 2020 -0400 + + bumped changelog version + +commit 284a49110030b21aa3136447217273337a12acaf +Author: Patrick Schleizer +Date: Sun Mar 8 08:07:10 2020 -0400 + + disable `vm.unprivileged_userfaultfd=0` for now + + because broken + + https://forums.whonix.org/t/kernel-hardening/7296/406 + + reverts "Restrict the userfaultfd() syscall to root as it can make heap sprays easier." 
+ + https://duasynt.com/blog/linux-kernel-heap-spray + +commit 44351ec9b78d59aeeef44675e8e203c7ace243f0 +Author: Patrick Schleizer +Date: Sat Mar 7 21:44:19 2020 -0500 + + remove no longer needed code for installation of apparmor profiles + +commit 71ae6239168d829e25670ffa856ee0f011a168a9 +Author: Patrick Schleizer +Date: Thu Mar 5 08:36:27 2020 -0500 + + bumped changelog version + +commit 76eb9579a3038982301fc622c84cd48fa3d88ffd +Author: Patrick Schleizer +Date: Thu Mar 5 08:33:00 2020 -0500 + + readme + +commit 15dde15a36c3cac0088773670b84f7e1e2b1423f +Author: Patrick Schleizer +Date: Tue Mar 3 09:42:24 2020 -0500 + + typo + +commit 8887af26d6a82613ee1f9c3a10ba42fdd2444d1c +Author: Patrick Schleizer +Date: Tue Mar 3 09:19:49 2020 -0500 + + bumped changelog version + +commit 1dea4dbcf6fa3299e513d01005b514e42bf51538 +Author: Patrick Schleizer +Date: Tue Mar 3 09:18:38 2020 -0500 + + readme + +commit cd19c2da006d38cd0cd3653b31e398d16396d825 +Author: Patrick Schleizer +Date: Tue Mar 3 09:18:24 2020 -0500 + + fix lintian warning + +commit 7e3fedefb234e584d900c036c424ac083a9efa3d +Author: Patrick Schleizer +Date: Tue Mar 3 09:12:50 2020 -0500 + + bumped changelog version + +commit 201d6b5efc355b08b5f94f9284d2242dec9c56b8 +Author: Patrick Schleizer +Date: Tue Mar 3 09:07:42 2020 -0500 + + readme + +commit 63c6405ab74f0dd5f3ec3838135b29304a3d1fc8 +Merge: e3e39f2 453aa8a +Author: Patrick Schleizer +Date: Sat Feb 29 07:34:46 2020 -0500 + + Merge remote-tracking branch 'origin/master' + +commit 453aa8a4eb76fe56ad67f1aea8abfeb122e68a9c +Merge: e3e39f2 60fbf8b +Author: Patrick Schleizer +Date: Sat Feb 29 12:28:32 2020 +0000 + + Merge pull request #65 from madaidan/userfaultfd + + Restrict the userfaultfd() syscall to root + +commit e3e39f22354595c9f21c243d7bdadc1487374db8 +Merge: 649ec5d bd7678c +Author: Patrick Schleizer +Date: Sat Feb 29 05:01:41 2020 -0500 + + Merge remote-tracking branch 'origin/master' + +commit 649ec5dfa1d2c0e324d8054b4c7402ab2b462d93 +Author: Patrick 
Schleizer +Date: Sat Feb 29 04:59:56 2020 -0500 + + pkexec wrapper: fix gdebi / synaptic + + but at cost of checking for passwordless sudo /etc/suders /etc/sudoers.d + exceptions. + + http://forums.whonix.org/t/cannot-use-pkexec/8129/53 + +commit 32269d32b63e549f76b4090b675dd53256fbc42d +Author: Patrick Schleizer +Date: Sat Feb 29 04:59:15 2020 -0500 + + description + +commit b31caefdeb8b76537982e359e708b57081d7b381 +Author: Patrick Schleizer +Date: Sat Feb 29 04:59:02 2020 -0500 + + description + +commit bd7678c574819298b364185fe7e3362c7e8d4930 +Merge: d04d4bf 42d3b98 +Author: Patrick Schleizer +Date: Fri Feb 28 12:04:05 2020 +0000 + + Merge pull request #66 from madaidan/mce + + Fix docs + +commit 42d3b986c41854fc2990557d2333874e9379793b +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Thu Feb 27 17:41:14 2020 +0000 + + Update control + +commit d04d4bf0950b60b8e5bf51b2303bbecdbc5fe326 +Author: Patrick Schleizer +Date: Tue Feb 25 02:08:10 2020 -0500 + + description + +commit 4043d2af3f8239a2056610363fc9d53770ebc336 +Author: Patrick Schleizer +Date: Tue Feb 25 02:06:48 2020 -0500 + + description + +commit 0e5187ff249c686908506896e01125e37d194543 +Author: Patrick Schleizer +Date: Tue Feb 25 02:00:27 2020 -0500 + + description + +commit 60fbf8b0de8a631d8a63c64f7e8181fee501c237 +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Mon Feb 24 18:24:07 2020 +0000 + + Update control + +commit 6b64b36b0190198f5edfda6c704a9efe3ea5b9a6 +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Mon Feb 24 18:23:15 2020 +0000 + + Restrict the userfaultfd() syscall to root + +commit 221000db5b184664c09dfe9cb7055de45331a7e1 +Merge: 01eaee9 c7f2537 +Author: Patrick Schleizer +Date: Mon Feb 17 03:17:11 2020 -0500 + + Merge remote-tracking branch 'origin/master' + +commit c7f2537930925e3ec250db81791a107af003079b +Merge: 01eaee9 8ea4e50 +Author: Patrick Schleizer +Date: Mon Feb 17 08:16:34 2020 +0000 + + Merge pull request #64 from 
madaidan/extra_latent_entropy + + Gather more entropy during boot + +commit 8ea4e50c8e9c3c9ee650b665a32b78f67aedc1aa +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Sun Feb 16 19:52:40 2020 +0000 + + Update control + +commit f6b6ab374ea2b24dfd4ac49bc1a595b50ab3d952 +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Sun Feb 16 19:51:32 2020 +0000 + + Gather more entropy during boot + +commit 01eaee997e34aa73a11dffe032ace5ef23c37e28 +Author: Patrick Schleizer +Date: Sat Feb 15 15:35:44 2020 -0500 + + bumped changelog version + +commit 412a83923dd09f36a25ebf9ce1991369d09c5e34 +Merge: dce54d5 4399a51 +Author: Patrick Schleizer +Date: Sat Feb 15 15:30:32 2020 -0500 + + Merge remote-tracking branch 'origin/master' + +commit dce54d5d0f7c6017037b5fb6a5851dd90ce5d762 +Author: Patrick Schleizer +Date: Sat Feb 15 15:29:38 2020 -0500 + + bumped changelog version + +commit 3df008f0b9aa08c8b92c89439abeb029f5d1f316 +Author: Patrick Schleizer +Date: Sat Feb 15 15:28:30 2020 -0500 + + readme + +commit 4399a512bef77ddec428bd4150cacebb77fc22da +Merge: 757df8f a79ce7f +Author: Patrick Schleizer +Date: Sat Feb 15 19:43:05 2020 +0000 + + Merge pull request #63 from madaidan/ldisc_autoload + + Document ldisc_autoload better + +commit a79ce7fa68c22048d3e10789fe209b14b818d0fb +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Sat Feb 15 17:30:21 2020 +0000 + + Document ldisc_autoload better + +commit 757df8fceb29d9b6143cf26e73cb31dde69d0a71 +Merge: 9bbae90 a9a1581 +Author: Patrick Schleizer +Date: Sat Feb 15 05:43:43 2020 -0500 + + Merge remote-tracking branch 'origin/master' + +commit a9a1581720739966e94f18be556552e9d75d63b1 +Merge: 9bbae90 1e5946c +Author: Patrick Schleizer +Date: Sat Feb 15 10:42:20 2020 +0000 + + Merge pull request #60 from madaidan/sysrq + + Restrict the SysRq key + +commit 1e5946c795e3962fdc2229146b9331d36a1d6c41 +Merge: 0f49736 9bbae90 +Author: Patrick Schleizer +Date: Sat Feb 15 10:41:52 2020 +0000 + + 
Merge branch 'master' into sysrq + +commit 9bbae903fe5ee58d4a22dfeab51cbb179b8cfb14 +Author: Patrick Schleizer +Date: Sat Feb 15 05:29:48 2020 -0500 + + remove-system.map: lower verbosity output + +commit cce35e5109489df44916a08722d9016bb1e578ec +Merge: 14140ad e403517 +Author: Patrick Schleizer +Date: Sat Feb 15 05:27:52 2020 -0500 + + Merge remote-tracking branch 'origin/master' + +commit e40351796e297673e1ec45dee7483079e96d9639 +Merge: 5124f8c 31009f0 +Author: Patrick Schleizer +Date: Sat Feb 15 10:25:15 2020 +0000 + + Merge pull request #62 from madaidan/shred + + Shred System.map files + +commit 5124f8cebcf6113547d11fc5193f83af1a2b6f84 +Merge: ac8757a 9b76713 +Author: Patrick Schleizer +Date: Sat Feb 15 10:18:56 2020 +0000 + + Merge pull request #61 from madaidan/disable_early_pci_dma + + Avoid holes in IOMMU + +commit ac8757a031a02c6cbad564e6a857954c0cf01a54 +Merge: ad6b766 ace6211 +Author: Patrick Schleizer +Date: Sat Feb 15 10:09:46 2020 +0000 + + Merge pull request #59 from madaidan/ldisc + + Restrict loading line disciplines to CAP_SYS_MODULE + +commit 31009f0bfa10e7b67f5823a5be92273e5414fff3 +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Fri Feb 14 23:46:19 2020 +0000 + + Shred System.map files + +commit 9b767139ef82279e00d86f7f1e1e8bf73d795651 +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Fri Feb 14 18:52:01 2020 +0000 + + Avoid holes in IOMMU + +commit 0f497369574811b0e7fb832636a5618e62618619 +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Fri Feb 14 18:18:18 2020 +0000 + + Update control + +commit d251c43344a04e1dd8afbf12352432810874e021 +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Fri Feb 14 18:17:20 2020 +0000 + + Restrict the SysRq key + +commit ace62111761451a13c446767dfd3c32b9b70a7f8 +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Fri Feb 14 17:51:17 2020 +0000 + + Update control + +commit 0ea7dd161b3e643c23624e6dcb450116824b6301 
+Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Fri Feb 14 17:50:19 2020 +0000 + + Restrict loading line disciplines to CAP_SYS_MODULE + +commit ad6b76688677cd4f9f0b2f2524c0f6b0a381bf29 +Merge: 14140ad 14f8458 +Author: Patrick Schleizer +Date: Thu Feb 13 18:40:58 2020 +0000 + + Merge pull request #57 from madaidan/sysctl + + Prevent symlink/hardlink TOCTOU races + +commit 14140ad41ba45b2457570a7df28b42cfd3bf3155 +Author: Patrick Schleizer +Date: Thu Feb 13 13:39:45 2020 -0500 + + bumped changelog version + +commit d1fa191bc0ad58ea4fbb5b4db383311f87319dfe +Author: Patrick Schleizer +Date: Thu Feb 13 13:38:21 2020 -0500 + + readme + +commit 76a51a3b45113b4f771397bf32daae3fb38af6a6 +Merge: 163e20b 5ebab39 +Author: Patrick Schleizer +Date: Thu Feb 13 13:37:34 2020 -0500 + + Merge remote-tracking branch 'origin/master' + +commit 5ebab397b201f431e3d0ca3bebfb71fa61a7ed2b +Merge: 163e20b 2796c2d +Author: Patrick Schleizer +Date: Thu Feb 13 18:36:41 2020 +0000 + + Merge pull request #58 from madaidan/mitigations + + Improve CPU mitigations documentation + +commit 2796c2dd00fca0bb458bdb4ea5c2cdbd35854bef +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Wed Feb 12 18:43:19 2020 +0000 + + Update control + +commit 700c7ed9085f2c9f0f271ddf8781f119e8ac5714 +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Wed Feb 12 18:42:13 2020 +0000 + + Create 40_cpu_mitigations.cfg + +commit ba0043b8a7249e55e0a0d3b87f6c54de5283f057 +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Wed Feb 12 18:36:05 2020 +0000 + + Update 40_kernel_hardening.cfg + +commit 14f845837476810f1eb3038d9d41f9ad8088b916 +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Wed Feb 12 18:05:32 2020 +0000 + + Update control + +commit 5cb21d0d4d36fd516f17a9b5378443859f497027 +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Wed Feb 12 18:03:23 2020 +0000 + + Prevent symlink/hardlink TOCTOU races + 
+commit 163e20b886f298cb9d3aca54c14f66991001b396 +Author: Patrick Schleizer +Date: Wed Feb 5 06:31:48 2020 -0500 + + bumped changelog version + +commit 3024006f63be34f0c9d2968b1839a855419792dd +Merge: 8c5cd86 024576e +Author: Patrick Schleizer +Date: Tue Feb 4 00:24:50 2020 -0500 + + Merge remote-tracking branch 'origin/master' + +commit 024576e3307e45c90b97ed8658ee82ceb1ed00aa +Merge: 8c5cd86 e4c6e89 +Author: Patrick Schleizer +Date: Tue Feb 4 05:24:05 2020 +0000 + + Merge pull request #56 from HulaHoop0/patch-1 + + kvm.nx_huge_pages=force + +commit e4c6e897cf37cbf5de6d90888a0ddbe56db11c2f +Author: HulaHoop0 <55955185+HulaHoop0@users.noreply.github.com> +Date: Mon Feb 3 16:06:46 2020 +0000 + + kvm.nx_huge_pages=force + +commit 8c5cd865f49cea986cdfc00a4cb4f0f913d4d3e6 +Author: Patrick Schleizer +Date: Mon Feb 3 09:23:13 2020 -0500 + + bumped changelog version + +commit 1f6ed2cc7047e1144e811d94dddc7306ee93b61e +Author: Patrick Schleizer +Date: Mon Feb 3 08:55:20 2020 -0500 + + add support for passing parameters to usr/lib/security-misc/apt-get-update + +commit 2291b7f787bcec5f64f632c6f3e8dfb12c67b4ee +Author: Patrick Schleizer +Date: Mon Feb 3 08:43:31 2020 -0500 + + bumped changelog version + +commit 8627c9f76d1bdf26a423a92506d3d8c0eb1afc2e +Author: Patrick Schleizer +Date: Fri Jan 31 12:18:02 2020 -0500 + + /usr/lib/security-misc/apt-get-update increase default timeout_after="600" + +commit 829e28aa90ff5cb38edcc3cfab8ec91939ae5844 +Author: Patrick Schleizer +Date: Fri Jan 31 12:17:07 2020 -0500 + + /usr/lib/security-misc/apt-get-update environment variable timeout_after kill_after support + +commit 0bd0a4a647aef9899e1cbb5671ccfa3ca36efe18 +Author: Patrick Schleizer +Date: Thu Jan 30 06:14:34 2020 -0500 + + bumped changelog version + +commit 85d2aa1365ae5dfc43944a938794954452c26fe0 +Author: Patrick Schleizer +Date: Thu Jan 30 06:13:42 2020 -0500 + + hide stdout (but not stderr) by sysctl during initramfs + +commit d69c1839cd30145c30247e0962a97cfd38f79d60 +Author: 
Patrick Schleizer +Date: Thu Jan 30 06:02:26 2020 -0500 + + bumped changelog version + +commit b9d65338bcc76552e4d2169106cd04e6276eb320 +Author: Patrick Schleizer +Date: Thu Jan 30 05:55:13 2020 -0500 + + unconditionally enable all CPU bugs (spectre, meltdown, L1TF, ...) + + this might reduce performance + + * `spectre_v2=on` + * `spec_store_bypass_disable=on` + * `tsx=off` + * `tsx_async_abort=full,nosmt` + + Thanks to @madaidan for the suggestion! + + https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647 + +commit 2711d0f7f08362f97383fbae81ce9d520b19dcbc +Author: Patrick Schleizer +Date: Thu Jan 30 01:22:32 2020 -0500 + + bumped changelog version + +commit 4df0d6c01cc91139dc9eef1dc4265e8cacde8cdf +Author: Patrick Schleizer +Date: Thu Jan 30 01:22:06 2020 -0500 + + readme + +commit c1a0da60beacd027c1c7c94ae44a9d7b1ab708b9 +Author: Patrick Schleizer +Date: Thu Jan 30 00:46:48 2020 -0500 + + set kernel boot parameter `l1tf=full,force` and `nosmt=force` + + https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17 + +commit efc40da4fb1fffcc760685cda0e49dc04da4c5fe +Author: Patrick Schleizer +Date: Fri Jan 24 12:02:27 2020 -0500 + + bumped changelog version + +commit 07dcb32fc28abf33eaf0425c67cc5cf9ee1f5a5b +Author: Patrick Schleizer +Date: Fri Jan 24 11:55:38 2020 -0500 + + readme + +commit f4c54881ac21ed095f54a59f9c0baf582ef76d9b +Author: Patrick Schleizer +Date: Fri Jan 24 04:49:19 2020 -0500 + + description + +commit 25317f23e3a80fdd9f6965990cd397ddcab11a4b +Author: Patrick Schleizer +Date: Fri Jan 24 04:41:16 2020 -0500 + + bumped changelog version + +commit be79f0688a47dca129ac61dd78b18a2638e8650c +Author: Patrick Schleizer +Date: Fri Jan 24 04:40:20 2020 -0500 + + readme + +commit c0d3726b002d136e602c6bdaf07c5d94c5591ee4 +Author: Patrick Schleizer +Date: Fri Jan 24 04:40:03 2020 -0500 + + comment + +commit 
a37da1c96880b14a8271712801e6da3d3ea766eb +Author: Patrick Schleizer +Date: Fri Jan 24 04:39:06 2020 -0500 + + add digits to drop-in file names + +commit 2ab940c60311ae38079d2ceb09e04eedac2aad90 +Author: Patrick Schleizer +Date: Fri Jan 24 04:34:18 2020 -0500 + + bumped changelog version + +commit bac6cd601baaca7453c55719e9dfa84d5109135d +Author: Patrick Schleizer +Date: Fri Jan 24 04:33:54 2020 -0500 + + readme + +commit 3a4d283169b381bdc93c4ff5ce7b08c11a0830b3 +Author: Patrick Schleizer +Date: Fri Jan 24 04:33:30 2020 -0500 + + description + +commit e0aa67677d3561cae6544c24e12021dd04f26133 +Author: Patrick Schleizer +Date: Fri Jan 24 04:30:36 2020 -0500 + + merge the many modprobe.d config files into 1 + + and use a name starting with double digits + + to make it easier to disable settings using a lexically higher config file + +commit 6a4c493213929b354a3c8d2acf2325473ae63cfd +Author: Patrick Schleizer +Date: Fri Jan 24 04:26:36 2020 -0500 + + merge the many sysctl config files into 1 + + and use a name starting with double digits + + to make it easier to disable settings using a lexically higher config file + +commit f653b94e7747436323e2083d416ab86560e3cd71 +Author: Patrick Schleizer +Date: Fri Jan 24 03:49:02 2020 -0500 + + bumped changelog version + +commit ca057713e2e1f3c4a47216aadb51ba0ca012e39e +Author: Patrick Schleizer +Date: Fri Jan 24 03:39:04 2020 -0500 + + readme + +commit 8616728ce0a6e5eaa799949abb5bfccd0a7effa7 +Author: Patrick Schleizer +Date: Fri Jan 24 03:35:15 2020 -0500 + + remove duplicate + +commit d4a37b6df2a2de4822e3e4bac93ca3e10712af7c +Author: Patrick Schleizer +Date: Fri Jan 24 03:18:17 2020 -0500 + + remove-system.map: source /usr/lib/helper-scripts/pre.bsh + +commit 3b283ec00f03b580d2f8b76f95449240a163dd48 +Author: Patrick Schleizer +Date: Wed Jan 22 07:10:47 2020 -0500 + + bumped changelog version + +commit 531f17cb68b331beb19a6e6c8b76575ebe38f95e +Author: Patrick Schleizer +Date: Wed Jan 22 07:08:08 2020 -0500 + + add update initramfs 
trigger + + https://github.com/Whonix/security-misc/pull/53 + +commit df0b2afda1e1d5a3fddfd8c48b62a5de8295d687 +Author: Patrick Schleizer +Date: Tue Jan 21 10:12:32 2020 -0500 + + bumped changelog version + +commit 18041efa2f704d2a177b033ff8008aacdb7dde3f +Author: Patrick Schleizer +Date: Tue Jan 21 10:01:17 2020 -0500 + + fix pam tally2 check when read-only disk boot without ro-mode-init or grub-live + +commit 627b95e0b363e2e46a5de8a7aa5065bc66242293 +Author: Patrick Schleizer +Date: Mon Jan 20 08:51:25 2020 -0500 + + bumped changelog version + +commit fbe9b60d95d43452bf661461197efced431806a5 +Author: Patrick Schleizer +Date: Mon Jan 20 08:49:02 2020 -0500 + + fix Whonix / Kicksecure + + /var/lib/dpkg/tmp.ci/preinst: ERROR: No user is a member of group 'console'. Installation aborted. + /var/lib/dpkg/tmp.ci/preinst: ERROR: You probably want to run: + + sudo adduser user console + +commit 960e1ff6e82f8593c2d242a6a0f1e1cf5805c85b +Author: Patrick Schleizer +Date: Fri Jan 17 03:32:57 2020 -0500 + + bumped changelog version + +commit 130434186811930d40407115af99116d4982da49 +Author: Patrick Schleizer +Date: Fri Jan 17 03:10:56 2020 -0500 + + readme + +commit 6f8d89c6c5609ed83d9dcd174375cb1ccfca91d8 +Author: Patrick Schleizer +Date: Wed Jan 15 15:54:06 2020 -0500 + + error handling + +commit 7211f6e0199d2ccb50437c7a5b0842050590b5dc +Merge: e110ea0 f6cc76a +Author: Patrick Schleizer +Date: Wed Jan 15 15:53:36 2020 -0500 + + Merge remote-tracking branch 'origin/master' + +commit f6cc76acd729428f83d3497a2e83bfc4b14f1ff8 +Merge: e110ea0 1df48a2 +Author: Patrick Schleizer +Date: Wed Jan 15 20:52:33 2020 +0000 + + Merge pull request #55 from madaidan/sysctl.conf + + Process sysctl.conf in initramfs + +commit 1df48a226d83b98dadc8bfb8dbc479dd656e2313 +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Wed Jan 15 20:30:17 2020 +0000 + + Update control + +commit f7fde60b67a7ef44658cde3b835565407aafd133 +Author: madaidan 
<50278627+madaidan@users.noreply.github.com> +Date: Wed Jan 15 20:28:32 2020 +0000 + + Process sysctl.conf too + +commit e110ea0b84329dfbe0175298b21e7732f7105436 +Author: Patrick Schleizer +Date: Wed Jan 15 11:37:52 2020 -0500 + + bumped changelog version + +commit 0f17596aacb86afb7abcdd4781a9995dde23d3bb +Author: Patrick Schleizer +Date: Wed Jan 15 11:35:41 2020 -0500 + + readme + +commit 0618b5346493723865cc6f2a632822c8b6fa690a +Author: Patrick Schleizer +Date: Wed Jan 15 11:35:07 2020 -0500 + + fix lintian warning + +commit 47ce3bec75f9aeb808993a70579ba93d2527a371 +Author: Patrick Schleizer +Date: Wed Jan 15 11:05:54 2020 -0500 + + bumped changelog version + +commit 73e830d0ac1ece338b0e80ca1a020d84a15d1774 +Author: Patrick Schleizer +Date: Wed Jan 15 10:08:57 2020 -0500 + + readme + +commit 8ab4623f8e81ad1b67858b458f2ae4085e7c8e65 +Merge: 8015954 087465a +Author: Patrick Schleizer +Date: Wed Jan 15 06:06:39 2020 -0500 + + Merge remote-tracking branch 'origin/master' + +commit 087465a0cdecc4765f7b659256cdd5e8cdef73ab +Merge: 8015954 528c5fc +Author: Patrick Schleizer +Date: Wed Jan 15 11:02:30 2020 +0000 + + Merge pull request #53 from madaidan/sysctl-initramfs + + Set sysctl values in initramfs + +commit 528c5fc4c41026396a63ac91af7c156dd0d4f191 +Merge: 9dc43ea 8015954 +Author: Patrick Schleizer +Date: Wed Jan 15 11:02:03 2020 +0000 + + Merge branch 'master' into sysctl-initramfs + +commit 80159545a580830565ec01a507915add9c44838a +Author: Patrick Schleizer +Date: Wed Jan 15 02:42:10 2020 -0500 + + fix xfce4-power-manager xfpm-power-backlight-helper pkexec lxsudo popup + + https://forums.whonix.org/t/xfce4-power-manager-xfpm-power-backlight-helper-pkexec-lxsudo-popup/8764 + + do show lxqt-sudo password prompt if there is a sudoers exceptoin + + improved pkexec wrapper logging + +commit d90ca4b1ad18289d6bcfcef51cfb032a0b4423eb +Author: Patrick Schleizer +Date: Tue Jan 14 15:12:13 2020 -0500 + + refactoring + +commit 082f04f2d4101828455a4a9b2852376a72ced6ce +Author: 
Patrick Schleizer +Date: Tue Jan 14 15:04:58 2020 -0500 + + add logging to pkexec wrapper + +commit 1059ccf2254d0aac40d2c14680fea2a4012a2d66 +Author: Patrick Schleizer +Date: Tue Jan 14 09:28:28 2020 -0500 + + bumped changelog version + +commit 660837dc380440f6b00d3baf9395222376163b3b +Author: Patrick Schleizer +Date: Tue Jan 14 09:25:32 2020 -0500 + + fix case when user "user" does not exists + +commit 18c726c3eebc93f69062f1e4c1d3c7ab394985c3 +Author: Patrick Schleizer +Date: Tue Jan 14 09:23:02 2020 -0500 + + comment + +commit b8652681e741236af2e20876d7103b2dfb0ae9bf +Author: Patrick Schleizer +Date: Tue Jan 14 09:21:47 2020 -0500 + + fix legacy + +commit cc21f912a372faef8322801e9a48882f29159c2d +Author: Patrick Schleizer +Date: Tue Jan 14 09:20:36 2020 -0500 + + bumped changelog version + +commit 2078cd237f2aaad8d68c1c5eab3f9942460ecd3c +Author: Patrick Schleizer +Date: Tue Jan 14 09:18:30 2020 -0500 + + readme + +commit c377c5ff83437a5447ecc9c873150421f4f1e691 +Merge: 8341242 539f24b +Author: Patrick Schleizer +Date: Tue Jan 14 09:01:38 2020 -0500 + + Merge remote-tracking branch 'origin/master' + +commit 539f24b65ee7739487d8038fcb1fdfb1ed62ab22 +Merge: 8341242 0953bbe +Author: Patrick Schleizer +Date: Tue Jan 14 14:01:17 2020 +0000 + + Merge pull request #54 from madaidan/panic_on_oops + + Document panic_on_oops + +commit 0953bbe1d7f3e789aef2218a65c14c586dab4bcb +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Mon Jan 13 21:05:35 2020 +0000 + + Update control + +commit 9dc43eae38b55951cae2a9bf93114bcf742f8c8b +Author: madaidan <> +Date: Sun Jan 12 21:42:07 2020 +0000 + + Description + +commit 8c4e0ff1c4d6191dbb40b28cfc23a8185cc0cbdb +Author: madaidan +Date: Sun Jan 12 21:37:37 2020 +0000 + + Set sysctl values in initramfs + +commit 8341242abc342d9cbd82afe12f512daf73a9e59a +Author: Patrick Schleizer +Date: Sat Jan 11 15:19:29 2020 -0500 + + bumped changelog version + +commit 130a4cf6d433f4d862e10e31abbc2b1f3b1614d2 +Author: Patrick 
Schleizer +Date: Sat Jan 11 15:17:06 2020 -0500 + + readme + +commit 61a2d390a7d6195d556898db8afa57822a9bc76a +Author: Patrick Schleizer +Date: Sat Jan 11 15:15:12 2020 -0500 + + lintian + +commit 3fae8e771ffbdd3023921b296e46cf982034d2ac +Merge: 13a1e13 e9f4dbd +Author: Patrick Schleizer +Date: Sat Jan 11 15:14:43 2020 -0500 + + Merge remote-tracking branch 'origin/master' + +commit e9f4dbdda579db83f330054253100bc7c5d1e2be +Merge: 13a1e13 6088444 +Author: Patrick Schleizer +Date: Sat Jan 11 20:14:10 2020 +0000 + + Merge pull request #52 from madaidan/vivid + + Blacklist the vivid kernel module + +commit 6088444c371f021ca23daa3a0ab1ee431d429a61 +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Sat Jan 11 18:38:17 2020 +0000 + + Update control + +commit a662a76a52970530a4a3c3d6a284ce9400dc74c6 +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Sat Jan 11 18:37:00 2020 +0000 + + Blacklist vivid + +commit 13a1e1321e05965ad9449fafa4406c4d3b781dcf +Author: Patrick Schleizer +Date: Wed Jan 1 05:59:59 2020 -0500 + + bumped changelog version + +commit 5031e7cc4b8bfc4037ba6ea029e20637090ccacb +Author: Patrick Schleizer +Date: Tue Dec 31 08:18:38 2019 -0500 + + better output if trying to login with non-existing user + +commit b2bdeb90957da4ebe38e7f12fba0330b89e0983d +Author: Patrick Schleizer +Date: Tue Dec 31 06:08:32 2019 -0500 + + bumped changelog version + +commit 2a3aae62b1cf97313b925fac94261e28af7ea3d1 +Author: Patrick Schleizer +Date: Tue Dec 31 06:06:52 2019 -0500 + + fix + +commit 427deec3f50664f2fbb244b6cf060bb5b9e821b6 +Author: Patrick Schleizer +Date: Tue Dec 31 06:03:48 2019 -0500 + + bumped changelog version + +commit e89552c9846f85b4bbf73595080d71dcd873fe29 +Author: Patrick Schleizer +Date: Tue Dec 31 05:55:44 2019 -0500 + + add user "user" to group "console" in Whonix and Kicksecure + + enable Console Lockdown in Whonix and Kicksecure + +commit b5a2d1dc581b53974aaa148f6d8f3054c9d1c5fe +Author: Patrick Schleizer +Date: Tue 
Dec 31 02:54:58 2019 -0500 + + bumped changelog version + +commit 20697db3ee5d227176c4d31e6c96454a64f47797 +Author: Patrick Schleizer +Date: Tue Dec 31 02:53:02 2019 -0500 + + improve console lockdown info output + +commit 788914de95ee9299d685e8b65466feee1085cf18 +Author: Patrick Schleizer +Date: Tue Dec 31 02:46:32 2019 -0500 + + group ssh check was removed + + https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/27 + +commit 06ed728d791abe0ad3c93091fd8ebc088f73c4ef +Author: Patrick Schleizer +Date: Mon Dec 30 06:42:14 2019 -0500 + + bumped changelog version + +commit f3ff32ddbb8a7cf7555b9f1b2154e83154532a3d +Author: Patrick Schleizer +Date: Mon Dec 30 06:39:24 2019 -0500 + + Protect /bin/mount from 'chmod -x'. + + /bin/mount exactwhitelist + /usr/bin/mount exactwhitelist + + Remove SUID from 'mount' but keep executable. + + /bin/mount 745 root root + /usr/bin/mount 745 root root + + https://forums.whonix.org/t/disable-suid-binaries/7706/61 + +commit e4e9c4e3b09138af25e94a6db81b0f759ddb4d1b +Author: Patrick Schleizer +Date: Mon Dec 30 05:59:43 2019 -0500 + + bumped changelog version + +commit 9c0d6b605707dbcb7db9cd227257a5dcd612f784 +Author: Patrick Schleizer +Date: Sun Dec 29 05:09:07 2019 -0500 + + copyright + +commit edc08988f26532daf90bc4a4f007aef53e62eeaf +Author: Patrick Schleizer +Date: Sun Dec 29 05:08:53 2019 -0500 + + copyright + +commit 9156d3584cd7ba9064d5af54afd95b6d8e73907b +Author: Patrick Schleizer +Date: Sun Dec 29 04:59:05 2019 -0500 + + Description + +commit 3ea946b365d8b05cabce63f4d26b3153559aa465 +Author: Patrick Schleizer +Date: Sun Dec 29 04:56:51 2019 -0500 + + RemainAfterExit=yes + +commit 2787ae976580d20ea4da5213c7f624f984510934 +Author: Patrick Schleizer +Date: Sun Dec 29 04:56:35 2019 -0500 + + copyright + +commit 6d56eb9ef0e2cfbba46df2294deb9c8e6b9aa2b7 +Author: Patrick Schleizer +Date: Sun Dec 29 04:56:18 2019 -0500 + + minor + +commit 0e14706f32728123f1d345b73266934fe454a989 +Author: Patrick 
Schleizer +Date: Sun Dec 29 04:45:26 2019 -0500 + + copyright + +commit 1a0f7a77335940a11e33ca519d8f64429b8ee966 +Author: Patrick Schleizer +Date: Sun Dec 29 04:43:32 2019 -0500 + + debugging + +commit 5271892cb1e4646b79388d064227d4662b682583 +Author: Patrick Schleizer +Date: Sun Dec 29 04:42:54 2019 -0500 + + debugging + +commit 683028049c46516ba105b1b73364960b3b87efd6 +Author: Patrick Schleizer +Date: Sun Dec 29 04:41:23 2019 -0500 + + debugging + +commit e3e1ff2a310c46fab67309edd88e73096843edcb +Author: Patrick Schleizer +Date: Sun Dec 29 04:35:46 2019 -0500 + + exit with error if a config line cannot be processed rather than skipping + + https://forums.whonix.org/t/disable-suid-binaries/7706/59 + +commit d5c99f3a60372a00ded4b1b4340775aab1421d31 +Author: Patrick Schleizer +Date: Sun Dec 29 04:27:21 2019 -0500 + + output + +commit e5623fcd2b32b58e72c2ef80955072f013672e0d +Author: Patrick Schleizer +Date: Sun Dec 29 04:21:52 2019 -0500 + + comment + +commit d7f58db52c926c11157671c4555ca97f02929a76 +Author: Patrick Schleizer +Date: Fri Dec 27 05:30:12 2019 -0500 + + bumped changelog version + +commit 674840e6f9fb362dc713da3edde07132b5ae17d4 +Author: Patrick Schleizer +Date: Thu Dec 26 05:44:35 2019 -0500 + + /fusermount matchwhitelist + + unbreak AppImages such as electrum Bitcoin wallet + + https://forums.whonix.org/t/disable-suid-binaries/7706/57 + +commit 507a30d6e39f17fcb09b92033fe1d831e7d4baf4 +Author: Patrick Schleizer +Date: Tue Dec 24 18:35:49 2019 -0500 + + bumped changelog version + +commit 04f438f75d4566822026373e78988e9d4e42b8b5 +Author: Patrick Schleizer +Date: Tue Dec 24 18:09:37 2019 -0500 + + comment + +commit 9da0e428ed4635fb5ca98b2d72b56b553404a742 +Author: Patrick Schleizer +Date: Tue Dec 24 17:54:31 2019 -0500 + + debugging + +commit e18ec533c3ebb382f974d30db3cd1f5eace648c2 +Author: Patrick Schleizer +Date: Tue Dec 24 17:54:02 2019 -0500 + + comment + +commit 0326cd5ee9371213420d2afdcbfb0a05d9a808e6 +Author: Patrick Schleizer +Date: Tue Dec 24 
08:07:55 2019 -0500 + + bumped changelog version + +commit ede536913daa0c7ddfe55e20c93d7b752daa5de3 +Author: Patrick Schleizer +Date: Tue Dec 24 06:00:41 2019 -0500 + + no longer hardcode amd64 + +commit d03a3d9ac03bc29ba349107855936dd194e12271 +Merge: 9d77d88 27a42a9 +Author: Patrick Schleizer +Date: Tue Dec 24 05:57:24 2019 -0500 + + Merge remote-tracking branch 'origin/master' + +commit 27a42a9da82bc1f22135ffa509925f63177f25d9 +Merge: ac49c55 79241c5 +Author: Patrick Schleizer +Date: Tue Dec 24 10:55:11 2019 +0000 + + Merge pull request #50 from madaidan/modules + + Make /lib/modules unreadable + +commit ac49c55d1fafff5f36bd7c595f50db295ff616a2 +Merge: 0c3d4ad 98e88d1 +Author: Patrick Schleizer +Date: Tue Dec 24 10:55:03 2019 +0000 + + Merge pull request #49 from madaidan/kver + + Detect kernel upgrades + +commit 0c3d4ad255de75b57a2e316bf8a7fd77a2fc0d4d +Merge: 9d77d88 d1a0650 +Author: Patrick Schleizer +Date: Tue Dec 24 10:54:23 2019 +0000 + + Merge pull request #48 from madaidan/kernel-hardening + + Use only one slub_debug parameter + +commit 79241c5d09c4a7123cf90b45289b53d893135efb +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Mon Dec 23 20:28:29 2019 +0000 + + Make /lib/modules unreadable + +commit 98e88d1456ca0e8fa23809115c51c380a4bb2d3b +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Mon Dec 23 19:57:43 2019 +0000 + + Detect kernel upgrades + +commit d1a0650fd944973ab614c1da06f8e555b31b73ae +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Mon Dec 23 19:44:52 2019 +0000 + + Use only one slub_debug parameter + +commit 9d77d88a4dfd0f42a2a671bbec49f4ebd90af882 +Author: Patrick Schleizer +Date: Mon Dec 23 09:39:50 2019 -0500 + + comments + +commit 7a80837b4f0a7201f3e092ad9b99b4cddb6043b3 +Author: Patrick Schleizer +Date: Mon Dec 23 08:48:04 2019 -0500 + + bumped changelog version + +commit 617c0a0e15f1c113b6e7fd748bb75978e4f23fcd +Author: Patrick Schleizer +Date: Mon Dec 23 07:21:26 2019 -0500 + 
+ disable remount-secure.service - Disable for now until development finished / tested. + +commit 3e131174d5919303462295cb0852a9254885ae7c +Author: Patrick Schleizer +Date: Mon Dec 23 05:00:35 2019 -0500 + + comments + +commit bef41a38c26548d50101f7ea636316e1e2107a55 +Author: Patrick Schleizer +Date: Mon Dec 23 03:58:00 2019 -0500 + + bumped changelog version + +commit 046ceeae4df3b45916f35b0789af341c4f3d911a +Author: Patrick Schleizer +Date: Mon Dec 23 03:57:36 2019 -0500 + + readme + +commit 9f072ce4f99467f82986be348c9cedc2eb7f017d +Author: Patrick Schleizer +Date: Mon Dec 23 03:46:02 2019 -0500 + + comment + +commit 26fe9394fff2eb5be2f19272ea76ed187a8237e5 +Author: Patrick Schleizer +Date: Mon Dec 23 03:41:54 2019 -0500 + + disable lockdown for now due to module loading + +commit 9ec5b0ee82263e1afb38c44348e69437ddc5c9c2 +Author: Patrick Schleizer +Date: Mon Dec 23 03:38:49 2019 -0500 + + description: lockdown not enabled yet + +commit b05669accfe6fac8070003bbd57939ca2c621445 +Merge: 11b4192 1ff51ee +Author: Patrick Schleizer +Date: Mon Dec 23 03:38:04 2019 -0500 + + Merge branch 'madaidan-kernel-hardening' + +commit 1ff51ee061dcdb1a898ebb68c0267ce926e0fca0 +Author: Patrick Schleizer +Date: Mon Dec 23 03:37:28 2019 -0500 + + merge + +commit 535c258b834028e5638fd2b37b1a6f352e2b4558 +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Wed Dec 18 20:43:01 2019 +0000 + + More kernel hardening + +commit 11b4192fbdbc02af97e7dc32677bdb3a549b0000 +Author: Patrick Schleizer +Date: Mon Dec 23 03:28:42 2019 -0500 + + comments + +commit 42ff53e9ad26190dcbff154f6cfd039e3f6bdf83 +Author: Patrick Schleizer +Date: Mon Dec 23 02:42:07 2019 -0500 + + bumped changelog version + +commit 2152fa2d61fa72935b70e60b98ccbe2e1b31db43 +Author: Patrick Schleizer +Date: Mon Dec 23 02:38:53 2019 -0500 + + comment + +commit f8f2e6c7041d98572452be2e53094d0c539b1616 +Author: Patrick Schleizer +Date: Mon Dec 23 02:35:13 2019 -0500 + + fix disablewhitelist feature + +commit 
47ddcad0c0af27093f61cf77008224bf66572532 +Author: Patrick Schleizer +Date: Mon Dec 23 02:29:47 2019 -0500 + + rename keyword whitelist to exactwhitelist + + add new keyword disablewhitelist + + refactoring + +commit 175d1c284552a08881286e8c3ca5d8eb9b97a144 +Author: Patrick Schleizer +Date: Mon Dec 23 02:13:13 2019 -0500 + + bumped changelog version + +commit 0409aac3aeb7acc273e19b16e78409994c731f2a +Author: Patrick Schleizer +Date: Mon Dec 23 02:09:04 2019 -0500 + + readme + +commit 1ff56625a170c392f6099b41f371c56032362ea0 +Author: Patrick Schleizer +Date: Mon Dec 23 01:42:03 2019 -0500 + + polkit-agent-helper-1 matchwhitelist to match both + + - /usr/lib/policykit-1/polkit-agent-helper-1 matchwhitelist + - /lib/policykit-1/polkit-agent-helper-1 + +commit d484b299ea1a93a401d00a212d675b5837b8aaa9 +Author: Patrick Schleizer +Date: Mon Dec 23 01:38:31 2019 -0500 + + matchwhitelist /qubes/qfile-unpacker to match both + + - /usr/lib/qubes/qfile-unpacker whitelist + - /lib/qubes/qfile-unpacker + +commit 34bf2457136db227cc27a5d0fe9282f09780a310 +Author: Patrick Schleizer +Date: Mon Dec 23 01:35:45 2019 -0500 + + output + +commit ba30e45d15ec53b2d0a67ce96f5132d3f59bf870 +Author: Patrick Schleizer +Date: Mon Dec 23 01:32:42 2019 -0500 + + output + +commit ee9c5742da99673785068b0393e3587a77c99a31 +Author: Patrick Schleizer +Date: Mon Dec 23 01:29:48 2019 -0500 + + output + +commit 6d05359abcf460cbec266401530a9ab1aaaaf47f +Author: Patrick Schleizer +Date: Mon Dec 23 01:21:52 2019 -0500 + + output + +commit a1e78e8515a87ebc8fc2211b3e1e91824fd3865a +Author: Patrick Schleizer +Date: Mon Dec 23 01:20:56 2019 -0500 + + fix needlessly re-adding entries + +commit 906b3d32e769bbd30ed5698268899a7d2ec71d95 +Author: Patrick Schleizer +Date: Mon Dec 23 01:09:57 2019 -0500 + + output + +commit 4f76867da6ce5710cf486175cd84adcd72640049 +Author: Patrick Schleizer +Date: Mon Dec 23 01:08:02 2019 -0500 + + lower debugging + +commit dc6e5d8508a09bd7f2b9bfed02bc502797c11361 +Author: Patrick 
Schleizer +Date: Mon Dec 23 01:06:38 2019 -0500 + + fix + +commit 87b999f92aab4f4176f366308c27c4fe5471580c +Author: Patrick Schleizer +Date: Mon Dec 23 00:59:43 2019 -0500 + + refactoring + +commit 065ff4bd058ab26df3d3af1022da9d6a7405ab61 +Author: Patrick Schleizer +Date: Mon Dec 23 00:59:24 2019 -0500 + + sanity_tests + +commit fef1469fe62bf923ba89077934c8b0e5d8cd0258 +Author: Patrick Schleizer +Date: Mon Dec 23 00:51:14 2019 -0500 + + exit non-zero if capability removal failed + +commit 3670fcf48baecffe098c96eb67cbd601bc3e0069 +Author: Patrick Schleizer +Date: Mon Dec 23 00:49:33 2019 -0500 + + depend on libcap2-bin for setcap / getcap / capsh + +commit 17a8c294702acb30c397abc984d69c356cec2cd7 +Author: Patrick Schleizer +Date: Mon Dec 23 00:47:49 2019 -0500 + + fix capability removal error handling + + https://forums.whonix.org/t/disable-suid-binaries/7706/45 + +commit b631e2ecd8ae0e08850edd81bf64b02666fb6234 +Author: Patrick Schleizer +Date: Mon Dec 23 00:36:41 2019 -0500 + + refactoring + +commit 7aea304549cea2c885c2d813c7a15f617f4ebf2a +Author: Patrick Schleizer +Date: Mon Dec 23 00:26:15 2019 -0500 + + comment + +commit f4b1df02ee66309d12724cf7124b14180c855f14 +Author: Patrick Schleizer +Date: Sun Dec 22 19:42:40 2019 -0500 + + Remove suid / gid and execute permission for 'group' and 'others'. + + Similar to: chmod og-ugx /path/to/filename + + Removing execution permission is useful to make binaries such as 'su' fail closed rather + than fail open if suid was removed from these. + + Do not remove read access since no security benefit and easier to manually undo for users. 
+ + chmod 744 + +commit 58a4e0bc7d1b87d4d169f31dc5935c75e929c0b4 +Author: Patrick Schleizer +Date: Sun Dec 22 19:12:10 2019 -0500 + + dbus-daemon-launch-helper matchwhitelist + +commit 15e3a2832da603f5caa9aadc6d68aaf503f013c9 +Author: Patrick Schleizer +Date: Sun Dec 22 18:57:23 2019 -0500 + + comment + +commit 6eb8fd257aecd84686b4d7a9824a98bace9a705e +Author: Patrick Schleizer +Date: Sun Dec 22 18:56:36 2019 -0500 + + suid utempter/utempter matchwhitelist + + to cover both: + + /usr/lib/x86_64-linux-gnu/utempter/utempter + /lib/x86_64-linux-gnu/utempter/utempter + +commit 9409209b48fb8f803b88d72c0e7febaa74f5bd2c +Merge: 008ce48 bce02ff +Author: Patrick Schleizer +Date: Sun Dec 22 10:29:08 2019 -0500 + + Merge remote-tracking branch 'origin/master' + +commit bce02ffdc01c22c8d5528eb5eaa7729a6b3137dd +Merge: 008ce48 8f11a52 +Author: Patrick Schleizer +Date: Sun Dec 22 15:26:07 2019 +0000 + + Merge pull request #47 from madaidan/msr + + Blacklist CPU MSRs + +commit 8f11a520f4c406fa3187ad530f945a564b78a28c +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Sun Dec 22 13:54:16 2019 +0000 + + Update control + +commit dd93b11321e171c56affcd660c0830d6a91ad87e +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Sun Dec 22 13:52:43 2019 +0000 + + Blacklist CPU MSRs + +commit 008ce4817c6ad2218af05d14626b0f2c70a6e90d +Author: Patrick Schleizer +Date: Sat Dec 21 14:55:03 2019 -0500 + + bumped changelog version + +commit d300db3cde0f7ee8e3884a1225ec1d196a318728 +Author: Patrick Schleizer +Date: Sat Dec 21 14:45:11 2019 -0500 + + output + +commit 3921846df6e21a80d87f451e89f96f5b3092dd53 +Author: Patrick Schleizer +Date: Sat Dec 21 14:36:42 2019 -0500 + + comment + +commit 1213415ce649e7305af0b6c6ef2f8435caab5cd8 +Author: Patrick Schleizer +Date: Sat Dec 21 14:23:35 2019 -0500 + + bumped changelog version + +commit 2ddf7b5db5d335d4f64d0df2c0caab0c80a2a046 +Author: Patrick Schleizer +Date: Sat Dec 21 14:06:51 2019 -0500 + + /lib/ nosuid + 
+commit 1e8457ea476a693dd1e455e4c455bf2e763cec23 +Author: Patrick Schleizer +Date: Sat Dec 21 14:06:10 2019 -0500 + + no longer remount /lib + + https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707/25 + +commit 10c19d6a8fc6b6bc03067dc3be88f486aa78d438 +Merge: b2260f4 fffdf50 +Author: Patrick Schleizer +Date: Sat Dec 21 13:00:41 2019 -0500 + + Merge remote-tracking branch 'origin/master' + +commit fffdf5090c707c698de4adacfd5837809b33aa99 +Merge: 1c99b56 f5a52ae +Author: Patrick Schleizer +Date: Sat Dec 21 17:59:56 2019 +0000 + + Merge pull request #46 from madaidan/remount-secure + + Don't remount /sys/kernel/security + +commit f5a52aeddc4742b4dbd8a0075d759b2ceaaae691 +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Sat Dec 21 14:55:28 2019 +0000 + + Don't remount /sys/kernel/security + +commit b2260f48f4ab978b531d8ca9df2dc1a787b6666f +Author: Patrick Schleizer +Date: Sat Dec 21 08:03:33 2019 -0500 + + add support for /etc/exec / /usr/local/etc/exec + + to allow enabling exec on a per VM basis + +commit 1c99b56c9b99cceab6fe38580d06197dd4bcfb77 +Author: Patrick Schleizer +Date: Sat Dec 21 07:49:55 2019 -0500 + + bumped changelog version + +commit 161b6f6b885586cd65b8ac13b0bd113691465522 +Author: Patrick Schleizer +Date: Sat Dec 21 07:49:29 2019 -0500 + + readme + +commit b74e5ca97244209e041f55483027365eacdf44c9 +Author: Patrick Schleizer +Date: Sat Dec 21 07:47:00 2019 -0500 + + comment + +commit 8fb17624bc3471a3676e76b3695179cde1ec21da +Author: Patrick Schleizer +Date: Sat Dec 21 07:44:51 2019 -0500 + + comment + +commit aef796a524f9156b584a7d8d203decc446c5d3b9 +Author: Patrick Schleizer +Date: Sat Dec 21 07:44:23 2019 -0500 + + disable debugging + +commit 1fe83d683f97af6730948aecce3216a51979c695 +Author: Patrick Schleizer +Date: Sat Dec 21 07:43:55 2019 -0500 + + comment + +commit 7c3da38bd53427501bcb0ac0d56bd626ce9e6adb +Author: Patrick Schleizer +Date: Sat Dec 21 
07:42:25 2019 -0500 + + comment + +commit 9050058bc2427a701095901a5bd275767437391b +Author: Patrick Schleizer +Date: Sat Dec 21 07:42:01 2019 -0500 + + fix + +commit 0c4db8c2b054a10554f163c31e3e626a80981c52 +Author: Patrick Schleizer +Date: Sat Dec 21 07:38:25 2019 -0500 + + bumped changelog version + +commit 6b13a644df279ec3ccf3814e86233baafc0cf437 +Author: Patrick Schleizer +Date: Sat Dec 21 07:37:41 2019 -0500 + + add /usr/lib/security-misc/permission-hardening-undo + +commit af8b04b73d6d64792fc1ffb7f6b04b273c0ca7ec +Author: Patrick Schleizer +Date: Sat Dec 21 06:58:01 2019 -0500 + + rm_conffile /etc/apparmor.d/usr.lib.security-misc.pam_tally2-info + rm_conffile /etc/apparmor.d/usr.lib.security-misc.permission-lockdown + + https://github.com/Whonix/security-misc/pull/45 + +commit 2350e0f5d06d9625835ba1547aab0054b795c0c5 +Merge: 3ea5871 efd65a3 +Author: Patrick Schleizer +Date: Sat Dec 21 06:57:10 2019 -0500 + + Merge remote-tracking branch 'origin/master' + +commit efd65a3f15fc9380e2019c9d7ad0bf82adcc230d +Merge: c336bc4 c28ddf5 +Author: Patrick Schleizer +Date: Sat Dec 21 11:56:31 2019 +0000 + + Merge pull request #45 from madaidan/apparmor + + Delete apparmor profiles + +commit 3ea587187e9d0a927799a66d15d163ee56a41978 +Author: Patrick Schleizer +Date: Sat Dec 21 06:53:07 2019 -0500 + + no need to exclude xorg nosuid on Debian + + http://forums.whonix.org/t/permission-hardening/8655/25 + +commit c336bc4fd229d9a6370df5520aaa4e872465de5a +Author: Patrick Schleizer +Date: Sat Dec 21 06:39:13 2019 -0500 + + comment + +commit fac17a963d3dec1b399fd9b41ebebcedb7e90f43 +Author: Patrick Schleizer +Date: Sat Dec 21 06:28:19 2019 -0500 + + bumped changelog version + +commit b5f88efe2072eca99c245fc60442c82a270fab8e +Author: Patrick Schleizer +Date: Sat Dec 21 06:27:01 2019 -0500 + + fix + +commit 2088628c8d44306e51c8a1407caee99e5eb4ce5b +Author: Patrick Schleizer +Date: Sat Dec 21 06:24:08 2019 -0500 + + debugging + +commit 2dca031527fa38a932619ed2336a5aa472a85205 +Author: 
Patrick Schleizer +Date: Sat Dec 21 06:22:46 2019 -0500 + + debugging + +commit 195e00cc8796d532a68f90b7c1f8f30d17f24246 +Author: Patrick Schleizer +Date: Sat Dec 21 06:16:38 2019 -0500 + + output + +commit 78d33d8b57fdef3b16e8ab5b4f6b0487d51b9657 +Author: Patrick Schleizer +Date: Sat Dec 21 06:12:20 2019 -0500 + + bumped changelog version + +commit 4b21b6df4167a2a95392a39182c636bdc097bc7e +Author: Patrick Schleizer +Date: Sat Dec 21 06:11:44 2019 -0500 + + fix + +commit ff48b672a8537e65c3d0b3ccfb65fb29c2d3766c +Author: Patrick Schleizer +Date: Sat Dec 21 06:00:17 2019 -0500 + + bumped changelog version + +commit 8436da2b7b0b9d309b57ed6ab36f2042fd82f4ae +Author: Patrick Schleizer +Date: Sat Dec 21 05:58:50 2019 -0500 + + output + +commit da15265e1c311be16c1dd0a8681e630548fac0e9 +Author: Patrick Schleizer +Date: Sat Dec 21 05:55:23 2019 -0500 + + fix + +commit 2a248fe0de1b86b416c705ecce81dcb549581d9b +Author: Patrick Schleizer +Date: Sat Dec 21 05:54:39 2019 -0500 + + fix + +commit 4f12664362fb4304ed43185ed5805f686bdeb0af +Author: Patrick Schleizer +Date: Sat Dec 21 05:54:07 2019 -0500 + + output + +commit e3355843c835c650d4701a2b94b93cc0040ca419 +Author: Patrick Schleizer +Date: Sat Dec 21 05:51:22 2019 -0500 + + fix + +commit 234ec5fe93c9b03c02e076621ac919f12062c4e5 +Author: Patrick Schleizer +Date: Sat Dec 21 05:47:35 2019 -0500 + + fix + +commit 65b5adb2d731f52533bda24eb6868d9e2968e2ed +Author: Patrick Schleizer +Date: Sat Dec 21 05:38:39 2019 -0500 + + bumped changelog version + +commit 7ff900c20457ee42d415c4eddf3b08f1ac5e4461 +Author: Patrick Schleizer +Date: Sat Dec 21 05:37:43 2019 -0500 + + fix + +commit 2b5a49a61b221161f3b42d3a692d2e22df2afec2 +Author: Patrick Schleizer +Date: Sat Dec 21 05:31:55 2019 -0500 + + bumped changelog version + +commit e1a5ee4bcf5ecb447ae7da0b137f81d520673cde +Author: Patrick Schleizer +Date: Sat Dec 21 05:26:55 2019 -0500 + + output + +commit 66aaf3e22cda9bb58ab72e750a5711556cf1de25 +Author: Patrick Schleizer +Date: Sat Dec 21 
05:25:54 2019 -0500 + + output + +commit 7aa7d0b5a0e3b602b527131581f350b9b32fb0d6 +Author: Patrick Schleizer +Date: Sat Dec 21 05:22:27 2019 -0500 + + improve error handling + +commit 8919d38de9206b4802b471c2f40787a2f9d70269 +Author: Patrick Schleizer +Date: Sat Dec 21 05:21:46 2019 -0500 + + disable debugging + +commit cf5dee64fd4e1c44a8726db49b8328841ee6327f +Author: Patrick Schleizer +Date: Sat Dec 21 05:18:34 2019 -0500 + + refactoring + +commit 29cd9a0c38924fc2eb7520db886efc19541476cb +Author: Patrick Schleizer +Date: Sat Dec 21 05:17:35 2019 -0500 + + fix + +commit 486027a4d75917fe2741370aa1e707b8ca14f693 +Author: Patrick Schleizer +Date: Sat Dec 21 05:15:38 2019 -0500 + + fix + +commit 1fd26be864ebd0dab8419e0b2b321522166d6271 +Author: Patrick Schleizer +Date: Sat Dec 21 05:14:51 2019 -0500 + + fix + +commit 0fc97c37beae5d48fed9ec714f19007f402952c9 +Author: Patrick Schleizer +Date: Sat Dec 21 05:14:39 2019 -0500 + + fix + +commit 1018d5b3b0b58a641aaca0419a06c246091932d5 +Author: Patrick Schleizer +Date: Sat Dec 21 05:11:51 2019 -0500 + + output + +commit 4388fc4d5ace9046c9eacb8354d9960599735ee4 +Author: Patrick Schleizer +Date: Sat Dec 21 05:11:19 2019 -0500 + + refactoring + +commit ed20980f4c6c3fb304d8436399f5e14ead7b3ae3 +Author: Patrick Schleizer +Date: Sat Dec 21 05:07:10 2019 -0500 + + refactoring + +commit 315ce86b9a66d15aea2d50f5271c228ee8bd3909 +Author: Patrick Schleizer +Date: Sat Dec 21 04:33:03 2019 -0500 + + refactoring + +commit 0c5848494b147b067afa2b70451fc7e5087823f2 +Author: Patrick Schleizer +Date: Sat Dec 21 04:21:26 2019 -0500 + + do not remount if already has intended mount options + +commit 203f4ad46e6a6950edd4b2a83f47ac71428928e5 +Author: Patrick Schleizer +Date: Sat Dec 21 04:17:10 2019 -0500 + + refactoring + +commit e7fd0dadb03e7f90adfa9ebdaf07530f02a846e7 +Author: Patrick Schleizer +Date: Sat Dec 21 04:09:35 2019 -0500 + + output + +commit e6ea21c7757ad732bd9bcce2c6a7a364780e1b14 +Author: Patrick Schleizer +Date: Sat Dec 21 04:08:35 
2019 -0500 + + record existing modes in separate dpkg-statoverwrite databases + + to have a history of what was modified and to allow to undo changes + +commit 89be5f2ecb998c46ff4864996cd86b97fa56d176 +Author: Patrick Schleizer +Date: Sat Dec 21 02:05:39 2019 -0500 + + bumped changelog version + +commit c28ddf5c4dbfd92aba9a59874f529a4afe69c497 +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Fri Dec 20 22:44:31 2019 +0000 + + Delete usr.lib.security-misc.pam_tally2-info + +commit cfe69dd66900f7aad5311c02d2b4ee7b400fb90b +Author: madaidan <50278627+madaidan@users.noreply.github.com> +Date: Fri Dec 20 22:44:27 2019 +0000 + + Delete usr.lib.security-misc.permission-lockdown + +commit d220bb3bc4aaf923dcb2e2a48ac05dd5f1326442 +Author: Patrick Schleizer +Date: Fri Dec 20 13:07:01 2019 -0500 + + suid /usr/lib/chromium/chrome-sandbox whitelist + +commit 77b3dd5d6b5de0070da7e71154ecbe2e099e3b7f +Author: Patrick Schleizer +Date: Fri Dec 20 13:02:33 2019 -0500 + + comments + +commit d7bd477e7379cd5d74d81e81080d375041cc3b29 +Author: Patrick Schleizer +Date: Fri Dec 20 12:59:27 2019 -0500 + + add "/usr/lib/xorg/Xorg.wrap whitelist" + + until this is researched + + https://manpages.debian.org/buster/xserver-xorg-legacy/Xorg.wrap.1.en.html + https://lwn.net/Articles/590315/ + +commit 17e8605119fc671c4cbe4343851cf3c46b830508 +Author: Patrick Schleizer +Date: Fri Dec 20 12:57:24 2019 -0500 + + add matchwhitelist feature + + add "/usr/lib/virtualbox/ matchwhitelist" + +commit 3fab3876693f20303c95f03c45af9adb9ae680e2 +Author: Patrick Schleizer +Date: Fri Dec 20 12:50:35 2019 -0500 + + suid /usr/bin/firejail whitelist + + There is a controversy about firejail but those who choose to install it + should be able to use it. 
+ https://www.whonix.org/wiki/Dev/Firejail#Security + +commit d3f16a5bf46a7d10316259788f3d97364fe2e545 +Author: Patrick Schleizer +Date: Fri Dec 20 12:47:10 2019 -0500 + + sgid /usr/lib/qubes/qfile-unpacker whitelist + +commit 508ec0c6fa44d9185aa22f5fa81ae9dbbefdb19c +Author: Patrick Schleizer +Date: Fri Dec 20 12:34:07 2019 -0500 + + comment + +commit 1b569ea7908dcba409c94dacd477d2fbfeafe522 +Author: Patrick Schleizer +Date: Fri Dec 20 12:32:36 2019 -0500 + + comment + +commit f88ca2588920ac16a6b41e8c48021bf85801c2a9 +Author: Patrick Schleizer +Date: Fri Dec 20 11:58:07 2019 -0500 + + fix terminology, sguid -> sgid + + Thanks to @madaidan for the bug report! + + https://forums.whonix.org/t/permission-hardening/8655/21 + +commit 1cd5fb6a0020504c7897acf169772d39b67f4bd4 +Author: Patrick Schleizer +Date: Fri Dec 20 11:50:25 2019 -0500 + + bumped changelog version + +commit ff0a26fb5d65450c0a2b5fb86758d3d823a717e9 +Author: Patrick Schleizer +Date: Fri Dec 20 11:49:19 2019 -0500 + + comment + +commit 71496a33ab27455d2856284d21f261dd20780dc2 +Author: Patrick Schleizer +Date: Fri Dec 20 11:47:53 2019 -0500 + + skip folders are these are not suid / guid + +commit 9321ecff4139f0776f93a9bd8c9606bcaf94f568 +Author: Patrick Schleizer +Date: Fri Dec 20 11:43:53 2019 -0500 + + no more need to add/remove / + +commit b95225b6a6b45b84778ba2427ae4628f102e6d05 +Author: Patrick Schleizer +Date: Fri Dec 20 11:37:05 2019 -0500 + + pipefail + +commit cad6f328f40bb8b3c414e2bd6c7cb86e625f6d64 +Author: Patrick Schleizer +Date: Fri Dec 20 11:34:44 2019 -0500 + + minor + +commit 3265f9894d1c677419718de52570d304a4e69279 +Author: Patrick Schleizer +Date: Fri Dec 20 11:27:43 2019 -0500 + + output + +commit 28d12c3966e3ddfadbf7d44e7c7bcdc37e1a7d25 +Author: Patrick Schleizer +Date: Fri Dec 20 11:09:22 2019 -0500 + + bumped changelog version + +commit 1615ebec58b563224c7c02cd2b1f83b0954c48ca +Author: Patrick Schleizer +Date: Fri Dec 20 11:07:44 2019 -0500 + + output + +commit 
1e11b775cf1d2994f2e0da8d0191ef38eebe21a8 +Author: Patrick Schleizer +Date: Fri Dec 20 11:05:05 2019 -0500 + + output + +commit 731f80289566e118ba6c121c406775abc4c03bd4 +Author: Patrick Schleizer +Date: Fri Dec 20 11:04:12 2019 -0500 + + output + +commit cd8efe58008c7b0e90ac88ac098b3fd08e75d716 +Author: Patrick Schleizer +Date: Fri Dec 20 11:03:22 2019 -0500 + + output + +commit c0ddb76d7463753e3250fc7da466fa763ef08dd5 +Author: Patrick Schleizer +Date: Fri Dec 20 10:50:51 2019 -0500 + + bumped changelog version + commit b31abea0af60874d4a48fd0da56978b0081eaef8 Author: Patrick Schleizer Date: Fri Dec 20 10:49:31 2019 -0500 diff --git a/debian/changelog b/debian/changelog index c209c9f..63a49d9 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,719 +1,2795 @@ +security-misc (3:46.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 02 Jul 2025 20:52:17 +0000 + +security-misc (3:46.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 14 Jun 2025 11:51:44 +0000 + +security-misc (3:46.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 28 May 2025 13:48:11 +0000 + +security-misc (3:46.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 28 May 2025 12:12:00 +0000 + +security-misc (3:45.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 27 May 2025 19:41:25 +0000 + +security-misc (3:45.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 27 May 2025 15:51:50 +0000 + +security-misc (3:45.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 21 May 2025 22:06:01 +0000 + +security-misc (3:45.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 21 May 2025 15:52:16 +0000 + +security-misc (3:45.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 21 May 2025 13:58:18 +0000 + +security-misc (3:45.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 21 May 2025 11:23:39 +0000 + +security-misc (3:45.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 20 May 2025 11:40:27 +0000 + +security-misc (3:45.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 25 Apr 2025 09:54:23 +0000 + +security-misc (3:45.1-1) unstable; urgency=medium + + * New upstream version (local package). 
+ + -- Patrick Schleizer Fri, 25 Apr 2025 08:19:34 +0000 + +security-misc (3:45.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 21 Apr 2025 10:21:54 +0000 + +security-misc (3:44.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 19 Apr 2025 17:33:56 +0000 + +security-misc (3:44.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 15 Apr 2025 20:59:37 +0000 + +security-misc (3:44.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 10 Apr 2025 11:38:17 +0000 + +security-misc (3:44.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 09 Apr 2025 15:15:59 +0000 + +security-misc (3:44.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 08 Apr 2025 14:08:24 +0000 + +security-misc (3:44.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 03 Mar 2025 11:00:37 +0000 + +security-misc (3:44.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 09 Feb 2025 23:04:36 +0000 + +security-misc (3:44.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 31 Jan 2025 19:38:41 +0000 + +security-misc (3:44.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 30 Jan 2025 12:58:48 +0000 + +security-misc (3:44.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 29 Jan 2025 14:36:41 +0000 + +security-misc (3:43.9-1) unstable; urgency=medium + + * New upstream version (local package). 
+ + -- Patrick Schleizer Thu, 23 Jan 2025 16:28:58 +0000 + +security-misc (3:43.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 22 Jan 2025 14:11:21 +0000 + +security-misc (3:43.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 22 Jan 2025 13:52:29 +0000 + +security-misc (3:43.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 20 Jan 2025 11:35:08 +0000 + +security-misc (3:43.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 20 Jan 2025 10:11:42 +0000 + +security-misc (3:43.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 17 Jan 2025 13:35:27 +0000 + +security-misc (3:43.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 15 Jan 2025 15:02:43 +0000 + +security-misc (3:43.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 14 Jan 2025 14:32:12 +0000 + +security-misc (3:43.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 14 Jan 2025 14:30:58 +0000 + +security-misc (3:43.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 14 Jan 2025 14:16:45 +0000 + +security-misc (3:42.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 14 Jan 2025 14:07:50 +0000 + +security-misc (3:42.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 14 Jan 2025 14:06:50 +0000 + +security-misc (3:42.7-1) unstable; urgency=medium + + * New upstream version (local package). 
+ + -- Patrick Schleizer Tue, 14 Jan 2025 13:53:49 +0000 + +security-misc (3:42.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 14 Jan 2025 09:26:05 +0000 + +security-misc (3:42.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 14 Jan 2025 08:24:05 +0000 + +security-misc (3:42.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 12 Jan 2025 11:47:17 +0000 + +security-misc (3:42.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 10 Jan 2025 15:34:20 +0000 + +security-misc (3:42.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 06 Jan 2025 10:31:40 +0000 + +security-misc (3:42.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 31 Dec 2024 18:42:01 +0000 + +security-misc (3:42.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 31 Dec 2024 14:09:34 +0000 + +security-misc (3:41.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 26 Dec 2024 04:12:02 +0000 + +security-misc (3:41.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 24 Dec 2024 05:16:21 +0000 + +security-misc (3:41.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 20 Dec 2024 06:01:27 +0000 + +security-misc (3:41.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 20 Dec 2024 05:58:24 +0000 + +security-misc (3:41.5-1) unstable; urgency=medium + + * New upstream version (local package). 
+ + -- Patrick Schleizer Fri, 20 Dec 2024 05:48:48 +0000 + +security-misc (3:41.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 19 Dec 2024 10:58:50 +0000 + +security-misc (3:41.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 19 Dec 2024 09:43:26 +0000 + +security-misc (3:41.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 19 Dec 2024 06:57:42 +0000 + +security-misc (3:41.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 10 Dec 2024 19:19:10 +0000 + +security-misc (3:41.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 10 Dec 2024 19:17:10 +0000 + +security-misc (3:40.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 25 Nov 2024 21:07:41 +0000 + +security-misc (3:40.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 14 Nov 2024 22:24:50 +0000 + +security-misc (3:40.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 14 Nov 2024 20:46:26 +0000 + +security-misc (3:40.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 12 Nov 2024 09:11:57 +0000 + +security-misc (3:40.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 11 Nov 2024 11:07:57 +0000 + +security-misc (3:40.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 10 Nov 2024 11:52:42 +0000 + +security-misc (3:40.3-1) unstable; urgency=medium + + * New upstream version (local package). 
+ + -- Patrick Schleizer Wed, 30 Oct 2024 09:43:05 +0000 + +security-misc (3:40.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 23 Oct 2024 09:56:05 +0000 + +security-misc (3:40.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 16 Oct 2024 10:57:20 +0000 + +security-misc (3:40.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 08 Oct 2024 11:24:55 +0000 + +security-misc (3:39.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 03 Oct 2024 07:22:23 +0000 + +security-misc (3:39.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 25 Sep 2024 01:03:42 +0000 + +security-misc (3:39.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 14 Sep 2024 02:56:08 +0000 + +security-misc (3:39.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 08 Sep 2024 17:41:30 +0000 + +security-misc (3:39.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 04 Sep 2024 14:13:15 +0000 + +security-misc (3:39.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 29 Aug 2024 09:49:51 +0000 + +security-misc (3:39.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 28 Aug 2024 11:01:36 +0000 + +security-misc (3:39.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 25 Aug 2024 15:34:54 +0000 + +security-misc (3:39.1-1) unstable; urgency=medium + + * New upstream version (local package). 
+ + -- Patrick Schleizer Sun, 25 Aug 2024 14:33:39 +0000 + +security-misc (3:39.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 16 Aug 2024 08:38:11 +0000 + +security-misc (3:38.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 15 Aug 2024 17:51:18 +0000 + +security-misc (3:38.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 06 Aug 2024 14:01:38 +0000 + +security-misc (3:38.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 28 Jul 2024 20:50:21 +0000 + +security-misc (3:38.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 27 Jul 2024 16:13:34 +0000 + +security-misc (3:38.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 26 Jul 2024 15:40:23 +0000 + +security-misc (3:38.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 26 Jul 2024 09:40:58 +0000 + +security-misc (3:38.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 21 Jul 2024 10:40:13 +0000 + +security-misc (3:38.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 20 Jul 2024 17:02:04 +0000 + +security-misc (3:38.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 18 Jul 2024 18:05:06 +0000 + +security-misc (3:38.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 18 Jul 2024 14:11:35 +0000 + +security-misc (3:37.9-1) unstable; urgency=medium + + * New upstream version (local package). 
+ + -- Patrick Schleizer Thu, 18 Jul 2024 14:05:22 +0000 + +security-misc (3:37.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 15 Jul 2024 21:18:54 +0000 + +security-misc (3:37.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 13 Jul 2024 15:01:15 +0000 + +security-misc (3:37.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 11 Jun 2024 12:56:56 +0000 + +security-misc (3:37.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 01 Jun 2024 18:13:08 +0000 + +security-misc (3:37.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 01 Jun 2024 17:35:04 +0000 + +security-misc (3:37.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 28 May 2024 12:04:52 +0000 + +security-misc (3:37.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 18 May 2024 20:45:11 +0000 + +security-misc (3:37.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 10 May 2024 11:20:36 +0000 + +security-misc (3:37.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 12 Apr 2024 06:56:38 +0000 + +security-misc (3:36.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 01 Apr 2024 06:56:44 +0000 + +security-misc (3:36.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 18 Mar 2024 15:10:10 +0000 + +security-misc (3:36.7-1) unstable; urgency=medium + + * New upstream version (local package). 
+ + -- Patrick Schleizer Mon, 11 Mar 2024 15:07:50 +0000 + +security-misc (3:36.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 10 Mar 2024 13:19:26 +0000 + +security-misc (3:36.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 04 Mar 2024 11:48:30 +0000 + +security-misc (3:36.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 26 Feb 2024 13:32:44 +0000 + +security-misc (3:36.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 22 Feb 2024 20:08:17 +0000 + +security-misc (3:36.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 22 Feb 2024 19:58:00 +0000 + +security-misc (3:36.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 22 Feb 2024 16:07:16 +0000 + +security-misc (3:36.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 22 Feb 2024 14:52:54 +0000 + +security-misc (3:35.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 22 Feb 2024 14:50:05 +0000 + +security-misc (3:35.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 03 Feb 2024 18:28:26 +0000 + +security-misc (3:35.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 25 Jan 2024 13:59:29 +0000 + +security-misc (3:35.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 18 Jan 2024 14:10:50 +0000 + +security-misc (3:35.5-1) unstable; urgency=medium + + * New upstream version (local package). 
+ + -- Patrick Schleizer Wed, 17 Jan 2024 19:18:24 +0000 + +security-misc (3:35.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 16 Jan 2024 14:26:34 +0000 + +security-misc (3:35.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 16 Jan 2024 14:14:18 +0000 + +security-misc (3:35.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 16 Jan 2024 13:58:54 +0000 + +security-misc (3:35.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 09 Jan 2024 05:52:48 +0000 + +security-misc (3:35.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 04 Jan 2024 02:03:26 +0000 + +security-misc (3:34.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 02 Jan 2024 14:55:13 +0000 + +security-misc (3:34.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 29 Dec 2023 20:15:50 +0000 + +security-misc (3:34.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 25 Dec 2023 16:28:09 +0000 + +security-misc (3:34.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 22 Dec 2023 16:31:57 +0000 + +security-misc (3:34.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 12 Dec 2023 16:51:21 +0000 + +security-misc (3:34.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 04 Dec 2023 17:06:45 +0000 + +security-misc (3:34.3-1) unstable; urgency=medium + + * New upstream version (local package). 
+ + -- Patrick Schleizer Mon, 20 Nov 2023 13:13:10 +0000 + +security-misc (3:34.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 11 Nov 2023 22:29:57 +0000 + +security-misc (3:34.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 11 Nov 2023 20:22:34 +0000 + +security-misc (3:34.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 06 Nov 2023 22:28:21 +0000 + +security-misc (3:33.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 06 Nov 2023 02:13:14 +0000 + +security-misc (3:33.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 06 Nov 2023 01:14:33 +0000 + +security-misc (3:33.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 05 Nov 2023 23:17:59 +0000 + +security-misc (3:33.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 05 Nov 2023 22:43:33 +0000 + +security-misc (3:33.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 05 Nov 2023 21:46:18 +0000 + +security-misc (3:33.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 05 Nov 2023 21:04:02 +0000 + +security-misc (3:33.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 05 Nov 2023 20:58:21 +0000 + +security-misc (3:33.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 05 Nov 2023 20:29:38 +0000 + +security-misc (3:33.1-1) unstable; urgency=medium + + * New upstream version (local package). 
+ + -- Patrick Schleizer Sun, 05 Nov 2023 20:14:43 +0000 + +security-misc (3:33.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 05 Nov 2023 19:56:06 +0000 + +security-misc (3:32.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 03 Nov 2023 16:17:24 +0000 + +security-misc (3:32.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 03 Nov 2023 16:10:48 +0000 + +security-misc (3:32.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 03 Nov 2023 16:06:43 +0000 + +security-misc (3:32.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 03 Nov 2023 14:33:02 +0000 + +security-misc (3:32.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 03 Nov 2023 13:28:08 +0000 + +security-misc (3:32.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 01 Nov 2023 16:26:21 +0000 + +security-misc (3:32.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 01 Nov 2023 15:10:36 +0000 + +security-misc (3:32.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 27 Oct 2023 00:08:41 +0000 + +security-misc (3:32.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 26 Oct 2023 16:23:48 +0000 + +security-misc (3:32.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 25 Oct 2023 21:55:37 +0000 + +security-misc (3:31.9-1) unstable; urgency=medium + + * New upstream version (local package). 
+ + -- Patrick Schleizer Tue, 24 Oct 2023 09:51:11 +0000 + +security-misc (3:31.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 23:23:22 +0000 + +security-misc (3:31.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 20:54:58 +0000 + +security-misc (3:31.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 20:29:08 +0000 + +security-misc (3:31.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 20:16:40 +0000 + +security-misc (3:31.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 19:44:47 +0000 + +security-misc (3:31.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 19:40:59 +0000 + +security-misc (3:31.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 19:33:21 +0000 + +security-misc (3:31.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 19:28:04 +0000 + +security-misc (3:31.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 18:46:42 +0000 + +security-misc (3:30.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 18:30:28 +0000 + +security-misc (3:30.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 17:31:55 +0000 + +security-misc (3:30.7-1) unstable; urgency=medium + + * New upstream version (local package). 
+ + -- Patrick Schleizer Sun, 22 Oct 2023 16:55:41 +0000 + +security-misc (3:30.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 15:28:18 +0000 + +security-misc (3:30.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 15:13:05 +0000 + +security-misc (3:30.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 14:50:30 +0000 + +security-misc (3:30.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 14:16:53 +0000 + +security-misc (3:30.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 14:01:54 +0000 + +security-misc (3:30.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 12:12:30 +0000 + +security-misc (3:30.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 11:06:00 +0000 + +security-misc (3:29.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 21 Oct 2023 18:19:24 +0000 + +security-misc (3:29.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 21 Oct 2023 16:34:59 +0000 + +security-misc (3:29.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 13 Oct 2023 19:22:58 +0000 + +security-misc (3:29.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 12 Oct 2023 16:51:37 +0000 + +security-misc (3:29.5-1) unstable; urgency=medium + + * New upstream version (local package). 
+ + -- Patrick Schleizer Thu, 12 Oct 2023 14:43:40 +0000 + +security-misc (3:29.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 17 Jul 2023 15:48:35 +0000 + +security-misc (3:29.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 23 Jun 2023 08:18:12 +0000 + +security-misc (3:29.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 21 Jun 2023 09:36:44 +0000 + +security-misc (3:29.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 16 Jun 2023 11:09:01 +0000 + +security-misc (3:29.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 14 Jun 2023 09:59:20 +0000 + +security-misc (3:28.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 12 Jun 2023 18:01:55 +0000 + +security-misc (3:28.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 15 May 2023 17:31:59 +0000 + +security-misc (3:28.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 15 May 2023 11:56:30 +0000 + +security-misc (3:28.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 06 May 2023 12:00:12 +0000 + +security-misc (3:28.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 06 May 2023 11:54:31 +0000 + +security-misc (3:28.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 05 May 2023 15:09:32 +0000 + +security-misc (3:28.3-1) unstable; urgency=medium + + * New upstream version (local package). 
+ + -- Patrick Schleizer Mon, 30 Jan 2023 10:58:47 +0000 + +security-misc (3:28.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 24 Jan 2023 12:09:40 +0000 + +security-misc (3:28.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 24 Jan 2023 12:05:53 +0000 + +security-misc (3:28.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 09 Jan 2023 12:05:18 +0000 + +security-misc (3:27.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 09 Jan 2023 12:02:01 +0000 + +security-misc (3:27.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 09 Jan 2023 10:34:48 +0000 + +security-misc (3:27.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 08 Jan 2023 12:17:02 +0000 + +security-misc (3:27.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 07 Jan 2023 23:13:57 +0000 + +security-misc (3:27.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 07 Jan 2023 22:49:24 +0000 + +security-misc (3:27.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 07 Jan 2023 22:23:35 +0000 + +security-misc (3:27.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 07 Jan 2023 22:16:23 +0000 + +security-misc (3:27.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 07 Jan 2023 21:20:48 +0000 + +security-misc (3:27.1-1) unstable; urgency=medium + + * New upstream version (local package). 
+ + -- Patrick Schleizer Sat, 07 Jan 2023 20:37:47 +0000 + +security-misc (3:27.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 07 Jan 2023 19:31:40 +0000 + +security-misc (3:26.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 07 Jan 2023 19:27:42 +0000 + +security-misc (3:26.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 07 Jan 2023 17:57:36 +0000 + +security-misc (3:26.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 18 Dec 2022 19:37:51 +0000 + +security-misc (3:26.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 24 Nov 2022 12:21:58 +0000 + +security-misc (3:26.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 24 Nov 2022 12:00:33 +0000 + +security-misc (3:26.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 24 Nov 2022 11:49:25 +0000 + +security-misc (3:26.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 24 Nov 2022 11:31:37 +0000 + +security-misc (3:26.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 24 Nov 2022 11:14:15 +0000 + +security-misc (3:26.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 22 Nov 2022 11:03:13 +0000 + +security-misc (3:26.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 17 Nov 2022 15:15:36 +0000 + +security-misc (3:25.9-1) unstable; urgency=medium + + * New upstream version (local package). 
+ + -- Patrick Schleizer Wed, 24 Aug 2022 22:28:39 +0000 + +security-misc (3:25.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 13 Aug 2022 15:40:04 +0000 + +security-misc (3:25.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 12 Aug 2022 11:52:26 +0000 + +security-misc (3:25.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 26 Jul 2022 14:00:53 +0000 + +security-misc (3:25.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 23 Jul 2022 12:07:37 +0000 + +security-misc (3:25.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 16 Jul 2022 12:00:16 +0000 + +security-misc (3:25.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 13 Jul 2022 12:28:34 +0000 + +security-misc (3:25.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 09 Jul 2022 15:42:24 +0000 + +security-misc (3:25.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 07 Jul 2022 21:41:13 +0000 + +security-misc (3:25.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 05 Jul 2022 15:16:33 +0000 + +security-misc (3:24.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 02 Jul 2022 22:30:06 +0000 + +security-misc (3:24.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 02 Jul 2022 21:37:16 +0000 + +security-misc (3:24.7-1) unstable; urgency=medium + + * New upstream version (local package). 
+ + -- Patrick Schleizer Sat, 02 Jul 2022 20:03:52 +0000 + +security-misc (3:24.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 02 Jul 2022 19:52:08 +0000 + +security-misc (3:24.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 02 Jul 2022 19:32:50 +0000 + +security-misc (3:24.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 02 Jul 2022 18:27:04 +0000 + +security-misc (3:24.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 29 Jun 2022 20:25:07 +0000 + +security-misc (3:24.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 29 Jun 2022 20:06:33 +0000 + +security-misc (3:24.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 29 Jun 2022 20:03:58 +0000 + +security-misc (3:24.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 29 Jun 2022 19:24:40 +0000 + +security-misc (3:23.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 29 Jun 2022 19:22:41 +0000 + +security-misc (3:23.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 29 Jun 2022 18:18:02 +0000 + +security-misc (3:23.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 29 Jun 2022 18:15:48 +0000 + +security-misc (3:23.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 29 Jun 2022 17:03:35 +0000 + +security-misc (3:23.5-1) unstable; urgency=medium + + * New upstream version (local package). 
+ + -- Patrick Schleizer Wed, 29 Jun 2022 15:18:59 +0000 + +security-misc (3:23.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 29 Jun 2022 14:02:18 +0000 + +security-misc (3:23.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 29 Jun 2022 13:54:27 +0000 + +security-misc (3:23.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 08 Jun 2022 15:05:07 +0000 + +security-misc (3:23.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 25 May 2022 10:07:17 +0000 + +security-misc (3:23.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 10 Feb 2022 19:06:54 +0000 + +security-misc (3:22.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 14 Sep 2021 18:18:52 +0000 + +security-misc (3:22.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 12 Sep 2021 15:57:20 +0000 + +security-misc (3:22.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 09 Sep 2021 16:35:37 +0000 + +security-misc (3:22.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 06 Sep 2021 13:46:20 +0000 + +security-misc (3:22.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 06 Sep 2021 08:55:23 +0000 + +security-misc (3:22.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 05 Sep 2021 20:04:28 +0000 + +security-misc (3:22.3-1) unstable; urgency=medium + + * New upstream version (local package). 
+ + -- Patrick Schleizer Sat, 04 Sep 2021 22:29:00 +0000 + +security-misc (3:22.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 04 Sep 2021 16:00:55 +0000 + +security-misc (3:22.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 02 Sep 2021 18:36:53 +0000 + +security-misc (3:22.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Aug 2021 09:32:18 +0000 + +security-misc (3:21.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 17 Aug 2021 19:24:12 +0000 + +security-misc (3:21.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 10 Aug 2021 22:26:32 +0000 + +security-misc (3:21.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 05 Aug 2021 21:03:43 +0000 + +security-misc (3:21.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 01 Aug 2021 17:12:08 +0000 + +security-misc (3:21.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 25 Jul 2021 15:31:45 +0000 + +security-misc (3:21.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 24 Jul 2021 22:10:05 +0000 + +security-misc (3:21.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 23 Jun 2021 15:20:39 +0000 + +security-misc (3:21.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 20 Jun 2021 14:16:57 +0000 + +security-misc (3:21.1-1) unstable; urgency=medium + + * New upstream version (local package). 
+ + -- Patrick Schleizer Mon, 07 Jun 2021 16:13:37 +0000 + +security-misc (3:21.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 01 Jun 2021 11:36:59 +0000 + +security-misc (3:20.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 05 May 2021 12:37:56 +0000 + +security-misc (3:20.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 05 Apr 2021 15:58:47 +0000 + +security-misc (3:20.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 17 Mar 2021 16:31:34 +0000 + +security-misc (3:20.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 04 Mar 2021 12:09:01 +0000 + +security-misc (3:20.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 06 Feb 2021 11:31:45 +0000 + +security-misc (3:20.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 30 Jan 2021 04:37:03 +0000 + +security-misc (3:20.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 28 Jan 2021 07:15:46 +0000 + +security-misc (3:20.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 27 Jan 2021 10:50:16 +0000 + +security-misc (3:20.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 24 Jan 2021 10:10:36 +0000 + +security-misc (3:20.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 20 Jan 2021 00:41:43 +0000 + +security-misc (3:19.9-1) unstable; urgency=medium + + * New upstream version (local package). 
+ + -- Patrick Schleizer Thu, 14 Jan 2021 07:36:49 +0000 + +security-misc (3:19.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 05 Jan 2021 13:30:37 +0000 + +security-misc (3:19.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 10 Dec 2020 10:20:57 +0000 + +security-misc (3:19.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 01 Dec 2020 10:53:06 +0000 + +security-misc (3:19.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 28 Nov 2020 11:08:10 +0000 + +security-misc (3:19.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 06 Nov 2020 15:18:09 +0000 + +security-misc (3:19.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 31 Oct 2020 10:29:25 +0000 + +security-misc (3:19.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 31 Oct 2020 10:09:22 +0000 + +security-misc (3:19.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 05 Oct 2020 11:03:37 +0000 + +security-misc (3:19.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 28 Sep 2020 14:30:42 +0000 + +security-misc (3:18.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 19 Sep 2020 13:28:27 +0000 + +security-misc (3:18.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 03 Aug 2020 13:43:43 +0000 + +security-misc (3:18.7-1) unstable; urgency=medium + + * New upstream version (local package). 
+ + -- Patrick Schleizer Wed, 29 Jul 2020 12:33:07 +0000 + +security-misc (3:18.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 14 May 2020 17:57:32 +0000 + +security-misc (3:18.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 23 Apr 2020 16:27:25 +0000 + +security-misc (3:18.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 16 Apr 2020 12:43:40 +0000 + +security-misc (3:18.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 14 Apr 2020 16:40:31 +0000 + +security-misc (3:18.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 13 Apr 2020 10:56:34 +0000 + +security-misc (3:18.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 09 Apr 2020 09:45:30 +0000 + +security-misc (3:18.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 08 Apr 2020 17:13:21 +0000 + +security-misc (3:17.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 08 Apr 2020 12:51:11 +0000 + +security-misc (3:17.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 06 Apr 2020 17:29:23 +0000 + +security-misc (3:17.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 04 Apr 2020 20:51:42 +0000 + +security-misc (3:17.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 02 Apr 2020 11:58:51 +0000 + +security-misc (3:17.5-1) unstable; urgency=medium + + * New upstream version (local package). 
+ + -- Patrick Schleizer Wed, 01 Apr 2020 14:58:16 +0000 + +security-misc (3:17.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 01 Apr 2020 12:26:44 +0000 + +security-misc (3:17.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 31 Mar 2020 11:41:45 +0000 + +security-misc (3:17.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 30 Mar 2020 22:42:02 +0000 + +security-misc (3:17.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 30 Mar 2020 21:16:46 +0000 + +security-misc (3:17.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 21 Mar 2020 18:56:48 +0000 + +security-misc (3:16.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 12 Mar 2020 08:43:08 +0000 + +security-misc (3:16.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 08 Mar 2020 13:43:24 +0000 + +security-misc (3:16.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 05 Mar 2020 13:36:27 +0000 + +security-misc (3:16.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 03 Mar 2020 14:19:49 +0000 + +security-misc (3:16.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 03 Mar 2020 14:12:50 +0000 + +security-misc (3:16.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 15 Feb 2020 20:35:44 +0000 + +security-misc (3:16.3-1) unstable; urgency=medium + + * New upstream version (local package). 
+ + -- Patrick Schleizer Sat, 15 Feb 2020 20:29:38 +0000 + +security-misc (3:16.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 13 Feb 2020 18:39:45 +0000 + +security-misc (3:16.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 05 Feb 2020 11:31:48 +0000 + +security-misc (3:16.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 03 Feb 2020 14:23:13 +0000 + +security-misc (3:15.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 03 Feb 2020 13:43:31 +0000 + +security-misc (3:15.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 30 Jan 2020 11:14:34 +0000 + +security-misc (3:15.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 30 Jan 2020 11:02:26 +0000 + +security-misc (3:15.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 30 Jan 2020 06:22:32 +0000 + +security-misc (3:15.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 24 Jan 2020 17:02:27 +0000 + +security-misc (3:15.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 24 Jan 2020 09:41:16 +0000 + +security-misc (3:15.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 24 Jan 2020 09:34:18 +0000 + +security-misc (3:15.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 24 Jan 2020 08:49:02 +0000 + +security-misc (3:15.1-1) unstable; urgency=medium + + * New upstream version (local package). 
+ + -- Patrick Schleizer Wed, 22 Jan 2020 12:10:47 +0000 + +security-misc (3:15.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 21 Jan 2020 15:12:32 +0000 + +security-misc (3:14.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 20 Jan 2020 13:51:25 +0000 + +security-misc (3:14.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 17 Jan 2020 08:32:57 +0000 + +security-misc (3:14.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 15 Jan 2020 16:37:52 +0000 + +security-misc (3:14.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 15 Jan 2020 16:05:54 +0000 + +security-misc (3:14.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 14 Jan 2020 14:28:28 +0000 + +security-misc (3:14.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 14 Jan 2020 14:20:36 +0000 + +security-misc (3:14.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 11 Jan 2020 20:19:28 +0000 + +security-misc (3:14.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 01 Jan 2020 10:59:58 +0000 + +security-misc (3:14.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 31 Dec 2019 11:08:32 +0000 + +security-misc (3:14.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 31 Dec 2019 11:03:48 +0000 + +security-misc (3:13.9-1) unstable; urgency=medium + + * New upstream version (local package). 
+ + -- Patrick Schleizer Tue, 31 Dec 2019 07:54:58 +0000 + +security-misc (3:13.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 30 Dec 2019 11:42:14 +0000 + +security-misc (3:13.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 30 Dec 2019 10:59:43 +0000 + +security-misc (3:13.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 27 Dec 2019 10:30:12 +0000 + +security-misc (3:13.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 24 Dec 2019 23:35:49 +0000 + +security-misc (3:13.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 24 Dec 2019 13:07:55 +0000 + +security-misc (3:13.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 23 Dec 2019 13:48:04 +0000 + +security-misc (3:13.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 23 Dec 2019 08:58:00 +0000 + +security-misc (3:13.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 23 Dec 2019 07:42:07 +0000 + +security-misc (3:13.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 23 Dec 2019 07:13:13 +0000 + +security-misc (3:12.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 21 Dec 2019 19:55:03 +0000 + +security-misc (3:12.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 21 Dec 2019 19:23:35 +0000 + +security-misc (3:12.7-1) unstable; urgency=medium + + * New upstream version (local package). 
+ + -- Patrick Schleizer Sat, 21 Dec 2019 12:49:55 +0000 + +security-misc (3:12.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 21 Dec 2019 12:38:25 +0000 + +security-misc (3:12.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 21 Dec 2019 11:28:19 +0000 + +security-misc (3:12.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 21 Dec 2019 11:12:20 +0000 + +security-misc (3:12.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 21 Dec 2019 11:00:17 +0000 + +security-misc (3:12.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 21 Dec 2019 10:38:39 +0000 + +security-misc (3:12.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 21 Dec 2019 10:31:55 +0000 + +security-misc (3:12.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 21 Dec 2019 07:05:39 +0000 + +security-misc (3:11.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 20 Dec 2019 16:50:25 +0000 + +security-misc (3:11.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 20 Dec 2019 16:09:22 +0000 + security-misc (3:11.7-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Fri, 20 Dec 2019 15:50:51 +0000 + -- Patrick Schleizer Fri, 20 Dec 2019 15:50:51 +0000 security-misc (3:11.6-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Fri, 20 Dec 2019 13:15:00 +0000 + -- Patrick Schleizer Fri, 20 Dec 2019 13:15:00 +0000 security-misc (3:11.5-1) unstable; urgency=medium * New upstream version (local package). 
- -- Patrick Schleizer Fri, 20 Dec 2019 12:12:36 +0000 + -- Patrick Schleizer Fri, 20 Dec 2019 12:12:36 +0000 security-misc (3:11.4-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Mon, 16 Dec 2019 11:27:51 +0000 + -- Patrick Schleizer Mon, 16 Dec 2019 11:27:51 +0000 security-misc (3:11.3-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Thu, 12 Dec 2019 14:04:15 +0000 + -- Patrick Schleizer Thu, 12 Dec 2019 14:04:15 +0000 security-misc (3:11.2-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Tue, 10 Dec 2019 16:44:02 +0000 + -- Patrick Schleizer Tue, 10 Dec 2019 16:44:02 +0000 security-misc (3:11.1-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Mon, 09 Dec 2019 13:25:30 +0000 + -- Patrick Schleizer Mon, 09 Dec 2019 13:25:30 +0000 security-misc (3:11.0-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sun, 08 Dec 2019 10:26:29 +0000 + -- Patrick Schleizer Sun, 08 Dec 2019 10:26:29 +0000 security-misc (3:10.9-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sun, 08 Dec 2019 09:38:33 +0000 + -- Patrick Schleizer Sun, 08 Dec 2019 09:38:33 +0000 security-misc (3:10.8-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sun, 08 Dec 2019 09:27:01 +0000 + -- Patrick Schleizer Sun, 08 Dec 2019 09:27:01 +0000 security-misc (3:10.7-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sun, 08 Dec 2019 09:05:29 +0000 + -- Patrick Schleizer Sun, 08 Dec 2019 09:05:29 +0000 security-misc (3:10.6-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sat, 07 Dec 2019 07:02:32 +0000 + -- Patrick Schleizer Sat, 07 Dec 2019 07:02:32 +0000 security-misc (3:10.5-1) unstable; urgency=medium * New upstream version (local package). 
- -- Patrick Schleizer Fri, 06 Dec 2019 17:43:21 +0000 + -- Patrick Schleizer Fri, 06 Dec 2019 17:43:21 +0000 security-misc (3:10.4-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Fri, 06 Dec 2019 16:18:20 +0000 + -- Patrick Schleizer Fri, 06 Dec 2019 16:18:20 +0000 security-misc (3:10.3-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Fri, 06 Dec 2019 14:32:18 +0000 + -- Patrick Schleizer Fri, 06 Dec 2019 14:32:18 +0000 security-misc (3:10.2-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Thu, 28 Nov 2019 15:22:41 +0000 + -- Patrick Schleizer Thu, 28 Nov 2019 15:22:41 +0000 security-misc (3:10.1-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Mon, 25 Nov 2019 08:51:36 +0000 + -- Patrick Schleizer Mon, 25 Nov 2019 08:51:36 +0000 security-misc (3:10.0-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Mon, 25 Nov 2019 08:49:15 +0000 + -- Patrick Schleizer Mon, 25 Nov 2019 08:49:15 +0000 security-misc (3:9.12-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sat, 23 Nov 2019 14:07:45 +0000 + -- Patrick Schleizer Sat, 23 Nov 2019 14:07:45 +0000 security-misc (3:9.11-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Tue, 19 Nov 2019 15:31:55 +0000 + -- Patrick Schleizer Tue, 19 Nov 2019 15:31:55 +0000 security-misc (3:9.10-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Mon, 18 Nov 2019 19:16:16 +0000 + -- Patrick Schleizer Mon, 18 Nov 2019 19:16:16 +0000 security-misc (3:9.9-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sat, 09 Nov 2019 18:44:50 +0000 + -- Patrick Schleizer Sat, 09 Nov 2019 18:44:50 +0000 security-misc (3:9.8-1) unstable; urgency=medium * New upstream version (local package). 
- -- Patrick Schleizer Sat, 09 Nov 2019 12:57:45 +0000 + -- Patrick Schleizer Sat, 09 Nov 2019 12:57:45 +0000 security-misc (3:9.7-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sat, 09 Nov 2019 12:23:15 +0000 + -- Patrick Schleizer Sat, 09 Nov 2019 12:23:15 +0000 security-misc (3:9.6-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Thu, 31 Oct 2019 16:34:35 +0000 + -- Patrick Schleizer Thu, 31 Oct 2019 16:34:35 +0000 security-misc (3:9.5-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Thu, 31 Oct 2019 16:06:51 +0000 + -- Patrick Schleizer Thu, 31 Oct 2019 16:06:51 +0000 security-misc (3:9.4-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Wed, 23 Oct 2019 10:22:03 +0000 + -- Patrick Schleizer Wed, 23 Oct 2019 10:22:03 +0000 security-misc (3:9.3-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Mon, 21 Oct 2019 09:55:41 +0000 + -- Patrick Schleizer Mon, 21 Oct 2019 09:55:41 +0000 security-misc (3:9.2-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Mon, 21 Oct 2019 09:51:36 +0000 + -- Patrick Schleizer Mon, 21 Oct 2019 09:51:36 +0000 security-misc (3:9.1-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Fri, 18 Oct 2019 10:39:43 +0000 + -- Patrick Schleizer Fri, 18 Oct 2019 10:39:43 +0000 security-misc (3:9.0-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Fri, 18 Oct 2019 08:55:07 +0000 + -- Patrick Schleizer Fri, 18 Oct 2019 08:55:07 +0000 security-misc (3:8.9-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Mon, 14 Oct 2019 10:23:01 +0000 + -- Patrick Schleizer Mon, 14 Oct 2019 10:23:01 +0000 security-misc (3:8.8-1) unstable; urgency=medium * New upstream version (local package). 
- -- Patrick Schleizer Sat, 05 Oct 2019 11:33:15 +0000 + -- Patrick Schleizer Sat, 05 Oct 2019 11:33:15 +0000 security-misc (3:8.7-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sat, 05 Oct 2019 09:40:26 +0000 + -- Patrick Schleizer Sat, 05 Oct 2019 09:40:26 +0000 security-misc (3:8.6-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Mon, 16 Sep 2019 13:34:11 +0000 + -- Patrick Schleizer Mon, 16 Sep 2019 13:34:11 +0000 security-misc (3:8.5-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sun, 15 Sep 2019 14:08:13 +0000 + -- Patrick Schleizer Sun, 15 Sep 2019 14:08:13 +0000 security-misc (3:8.4-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Thu, 12 Sep 2019 12:50:42 +0000 + -- Patrick Schleizer Thu, 12 Sep 2019 12:50:42 +0000 security-misc (3:8.3-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Mon, 09 Sep 2019 12:10:24 +0000 + -- Patrick Schleizer Mon, 09 Sep 2019 12:10:24 +0000 security-misc (3:8.2-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sat, 07 Sep 2019 06:11:32 +0000 + -- Patrick Schleizer Sat, 07 Sep 2019 06:11:32 +0000 security-misc (3:8.1-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Fri, 06 Sep 2019 13:04:57 +0000 + -- Patrick Schleizer Fri, 06 Sep 2019 13:04:57 +0000 security-misc (3:8.0-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Fri, 06 Sep 2019 11:47:40 +0000 + -- Patrick Schleizer Fri, 06 Sep 2019 11:47:40 +0000 security-misc (3:7.9-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Fri, 06 Sep 2019 09:33:06 +0000 + -- Patrick Schleizer Fri, 06 Sep 2019 09:33:06 +0000 security-misc (3:7.8-1) unstable; urgency=medium * New upstream version (local package). 
- -- Patrick Schleizer Sat, 31 Aug 2019 13:44:37 +0000 + -- Patrick Schleizer Sat, 31 Aug 2019 13:44:37 +0000 security-misc (3:7.7-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sat, 24 Aug 2019 16:41:27 +0000 + -- Patrick Schleizer Sat, 24 Aug 2019 16:41:27 +0000 security-misc (3:7.6-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Fri, 23 Aug 2019 16:57:12 +0000 + -- Patrick Schleizer Fri, 23 Aug 2019 16:57:12 +0000 security-misc (3:7.5-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sat, 17 Aug 2019 10:54:08 +0000 + -- Patrick Schleizer Sat, 17 Aug 2019 10:54:08 +0000 security-misc (3:7.4-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sat, 17 Aug 2019 09:57:48 +0000 + -- Patrick Schleizer Sat, 17 Aug 2019 09:57:48 +0000 security-misc (3:7.3-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Fri, 16 Aug 2019 16:05:51 +0000 + -- Patrick Schleizer Fri, 16 Aug 2019 16:05:51 +0000 security-misc (3:7.2-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Fri, 16 Aug 2019 15:59:14 +0000 + -- Patrick Schleizer Fri, 16 Aug 2019 15:59:14 +0000 security-misc (3:7.1-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Thu, 15 Aug 2019 15:18:02 +0000 + -- Patrick Schleizer Thu, 15 Aug 2019 15:18:02 +0000 security-misc (3:7.0-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Wed, 14 Aug 2019 11:52:26 +0000 + -- Patrick Schleizer Wed, 14 Aug 2019 11:52:26 +0000 security-misc (3:6.9-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Wed, 14 Aug 2019 11:13:25 +0000 + -- Patrick Schleizer Wed, 14 Aug 2019 11:13:25 +0000 security-misc (3:6.8-1) unstable; urgency=medium * New upstream version (local package). 
- -- Patrick Schleizer Wed, 14 Aug 2019 10:08:18 +0000 + -- Patrick Schleizer Wed, 14 Aug 2019 10:08:18 +0000 security-misc (3:6.7-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Wed, 14 Aug 2019 07:02:09 +0000 + -- Patrick Schleizer Wed, 14 Aug 2019 07:02:09 +0000 security-misc (3:6.6-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sun, 11 Aug 2019 12:07:07 +0000 + -- Patrick Schleizer Sun, 11 Aug 2019 12:07:07 +0000 security-misc (3:6.5-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sat, 10 Aug 2019 11:37:02 +0000 + -- Patrick Schleizer Sat, 10 Aug 2019 11:37:02 +0000 security-misc (3:6.4-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Thu, 01 Aug 2019 12:02:41 +0000 + -- Patrick Schleizer Thu, 01 Aug 2019 12:02:41 +0000 security-misc (3:6.3-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Wed, 31 Jul 2019 19:12:27 +0000 + -- Patrick Schleizer Wed, 31 Jul 2019 19:12:27 +0000 security-misc (3:6.2-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Wed, 31 Jul 2019 15:17:50 +0000 + -- Patrick Schleizer Wed, 31 Jul 2019 15:17:50 +0000 security-misc (3:6.1-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Wed, 31 Jul 2019 07:44:50 +0000 + -- Patrick Schleizer Wed, 31 Jul 2019 07:44:50 +0000 security-misc (3:6.0-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Mon, 22 Jul 2019 01:16:18 +0000 + -- Patrick Schleizer Mon, 22 Jul 2019 01:16:18 +0000 security-misc (3:5.9-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Wed, 17 Jul 2019 21:38:26 +0000 + -- Patrick Schleizer Wed, 17 Jul 2019 21:38:26 +0000 security-misc (3:5.8-1) unstable; urgency=medium * New upstream version (local package). 
- -- Patrick Schleizer Wed, 17 Jul 2019 21:08:23 +0000 + -- Patrick Schleizer Wed, 17 Jul 2019 21:08:23 +0000 security-misc (3:5.7-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Wed, 17 Jul 2019 19:13:57 +0000 + -- Patrick Schleizer Wed, 17 Jul 2019 19:13:57 +0000 security-misc (3:5.6-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Tue, 16 Jul 2019 19:45:52 +0000 + -- Patrick Schleizer Tue, 16 Jul 2019 19:45:52 +0000 security-misc (3:5.5-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Mon, 15 Jul 2019 13:26:47 +0000 + -- Patrick Schleizer Mon, 15 Jul 2019 13:26:47 +0000 security-misc (3:5.4-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sat, 13 Jul 2019 18:51:32 +0000 + -- Patrick Schleizer Sat, 13 Jul 2019 18:51:32 +0000 security-misc (3:5.3-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sat, 13 Jul 2019 16:30:39 +0000 + -- Patrick Schleizer Sat, 13 Jul 2019 16:30:39 +0000 security-misc (3:5.2-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sat, 13 Jul 2019 15:17:16 +0000 + -- Patrick Schleizer Sat, 13 Jul 2019 15:17:16 +0000 security-misc (3:5.1-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sat, 13 Jul 2019 14:58:47 +0000 + -- Patrick Schleizer Sat, 13 Jul 2019 14:58:47 +0000 security-misc (3:5.0-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sat, 13 Jul 2019 14:55:31 +0000 + -- Patrick Schleizer Sat, 13 Jul 2019 14:55:31 +0000 security-misc (3:4.9-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Thu, 11 Jul 2019 18:28:04 +0000 + -- Patrick Schleizer Thu, 11 Jul 2019 18:28:04 +0000 security-misc (3:4.8-1) unstable; urgency=medium * New upstream version (local package). 
- -- Patrick Schleizer Thu, 11 Jul 2019 07:16:38 +0000 + -- Patrick Schleizer Thu, 11 Jul 2019 07:16:38 +0000 security-misc (3:4.7-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Mon, 08 Jul 2019 00:23:52 +0000 + -- Patrick Schleizer Mon, 08 Jul 2019 00:23:52 +0000 security-misc (3:4.6-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sun, 07 Jul 2019 23:00:27 +0000 + -- Patrick Schleizer Sun, 07 Jul 2019 23:00:27 +0000 security-misc (3:4.5-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sun, 07 Jul 2019 21:11:08 +0000 + -- Patrick Schleizer Sun, 07 Jul 2019 21:11:08 +0000 security-misc (3:4.4-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sun, 07 Jul 2019 09:39:12 +0000 + -- Patrick Schleizer Sun, 07 Jul 2019 09:39:12 +0000 security-misc (3:4.3-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sat, 06 Jul 2019 13:56:28 +0000 + -- Patrick Schleizer Sat, 06 Jul 2019 13:56:28 +0000 security-misc (3:4.2-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sat, 06 Jul 2019 13:53:10 +0000 + -- Patrick Schleizer Sat, 06 Jul 2019 13:53:10 +0000 security-misc (3:4.1-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Mon, 01 Jul 2019 15:23:49 +0000 + -- Patrick Schleizer Mon, 01 Jul 2019 15:23:49 +0000 security-misc (3:4.0-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sun, 30 Jun 2019 11:21:58 +0000 + -- Patrick Schleizer Sun, 30 Jun 2019 11:21:58 +0000 security-misc (3:3.9-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sun, 30 Jun 2019 08:23:51 +0000 + -- Patrick Schleizer Sun, 30 Jun 2019 08:23:51 +0000 security-misc (3:3.8-1) unstable; urgency=medium * New upstream version (local package). 
- -- Patrick Schleizer Sat, 29 Jun 2019 10:35:13 +0000 + -- Patrick Schleizer Sat, 29 Jun 2019 10:35:13 +0000 security-misc (3:3.7-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Fri, 28 Jun 2019 07:20:53 +0000 + -- Patrick Schleizer Fri, 28 Jun 2019 07:20:53 +0000 security-misc (3:3.6-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Fri, 28 Jun 2019 07:09:35 +0000 + -- Patrick Schleizer Fri, 28 Jun 2019 07:09:35 +0000 security-misc (3:3.5-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sun, 23 Jun 2019 19:57:42 +0000 + -- Patrick Schleizer Sun, 23 Jun 2019 19:57:42 +0000 security-misc (3:3.4-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sun, 23 Jun 2019 12:22:13 +0000 + -- Patrick Schleizer Sun, 23 Jun 2019 12:22:13 +0000 security-misc (3:3.3-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sun, 23 Jun 2019 08:38:01 +0000 + -- Patrick Schleizer Sun, 23 Jun 2019 08:38:01 +0000 security-misc (3:3.2-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Fri, 21 Jun 2019 05:40:04 +0000 + -- Patrick Schleizer Fri, 21 Jun 2019 05:40:04 +0000 security-misc (3:3.1-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Mon, 10 Jun 2019 15:42:58 +0000 + -- Patrick Schleizer Mon, 10 Jun 2019 15:42:58 +0000 security-misc (3:3.0-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sat, 08 Jun 2019 11:32:12 +0000 + -- Patrick Schleizer Sat, 08 Jun 2019 11:32:12 +0000 security-misc (3:2.9-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Fri, 24 May 2019 20:48:59 +0000 + -- Patrick Schleizer Fri, 24 May 2019 20:48:59 +0000 security-misc (3:2.8-1) unstable; urgency=medium * New upstream version (local package). 
- -- Patrick Schleizer Thu, 23 May 2019 22:38:13 +0000 + -- Patrick Schleizer Thu, 23 May 2019 22:38:13 +0000 security-misc (3:2.7-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Thu, 16 May 2019 20:25:46 +0000 + -- Patrick Schleizer Thu, 16 May 2019 20:25:46 +0000 security-misc (3:2.6-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sun, 12 May 2019 11:08:32 +0000 + -- Patrick Schleizer Sun, 12 May 2019 11:08:32 +0000 security-misc (3:2.5-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sun, 12 May 2019 10:48:27 +0000 + -- Patrick Schleizer Sun, 12 May 2019 10:48:27 +0000 security-misc (3:2.4-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Mon, 06 May 2019 09:58:44 +0000 + -- Patrick Schleizer Mon, 06 May 2019 09:58:44 +0000 security-misc (3:2.3-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Fri, 03 May 2019 11:34:25 +0000 + -- Patrick Schleizer Fri, 03 May 2019 11:34:25 +0000 security-misc (3:2.2-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sat, 06 Apr 2019 12:13:43 +0000 + -- Patrick Schleizer Sat, 06 Apr 2019 12:13:43 +0000 security-misc (3:2.1-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Fri, 29 Mar 2019 10:02:51 +0000 + -- Patrick Schleizer Fri, 29 Mar 2019 10:02:51 +0000 security-misc (3:2.0-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Tue, 12 Mar 2019 11:36:25 +0000 + -- Patrick Schleizer Tue, 12 Mar 2019 11:36:25 +0000 security-misc (3:1.9-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Wed, 28 Nov 2018 06:33:14 +0000 + -- Patrick Schleizer Wed, 28 Nov 2018 06:33:14 +0000 security-misc (3:1.8-1) unstable; urgency=medium * New upstream version (local package). 
- -- Patrick Schleizer Thu, 08 Nov 2018 09:55:41 +0000 + -- Patrick Schleizer Thu, 08 Nov 2018 09:55:41 +0000 security-misc (3:1.7-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Thu, 01 Nov 2018 07:42:29 +0000 + -- Patrick Schleizer Thu, 01 Nov 2018 07:42:29 +0000 security-misc (3:1.6-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Fri, 14 Sep 2018 13:20:11 +0000 + -- Patrick Schleizer Fri, 14 Sep 2018 13:20:11 +0000 security-misc (3:1.5-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Mon, 27 Aug 2018 16:49:44 +0000 + -- Patrick Schleizer Mon, 27 Aug 2018 16:49:44 +0000 security-misc (3:1.4-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Thu, 01 Feb 2018 15:18:55 +0000 + -- Patrick Schleizer Thu, 01 Feb 2018 15:18:55 +0000 security-misc (3:1.3-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Thu, 21 Dec 2017 20:35:29 +0000 + -- Patrick Schleizer Thu, 21 Dec 2017 20:35:29 +0000 security-misc (3:1.2-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Wed, 26 Jul 2017 14:37:34 +0000 + -- Patrick Schleizer Wed, 26 Jul 2017 14:37:34 +0000 security-misc (3:1.1-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Mon, 06 Mar 2017 16:16:31 +0000 + -- Patrick Schleizer Mon, 06 Mar 2017 16:16:31 +0000 security-misc (3:1.0-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Mon, 27 Feb 2017 02:04:00 +0000 + -- Patrick Schleizer Mon, 27 Feb 2017 02:04:00 +0000 security-misc (3:0.9-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Fri, 17 Feb 2017 14:08:56 +0000 + -- Patrick Schleizer Fri, 17 Feb 2017 14:08:56 +0000 security-misc (3:0.8-1) unstable; urgency=medium * New upstream version (local package). 
- -- Patrick Schleizer Sun, 15 Jan 2017 15:35:31 +0000 + -- Patrick Schleizer Sun, 15 Jan 2017 15:35:31 +0000 security-misc (3:0.7-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Thu, 12 Jan 2017 02:56:55 +0000 + -- Patrick Schleizer Thu, 12 Jan 2017 02:56:55 +0000 security-misc (3:0.6-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Sat, 10 Dec 2016 02:30:50 +0000 + -- Patrick Schleizer Sat, 10 Dec 2016 02:30:50 +0000 security-misc (3:0.5-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Mon, 25 Apr 2016 23:27:58 +0000 + -- Patrick Schleizer Mon, 25 Apr 2016 23:27:58 +0000 security-misc (3:0.4-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Thu, 07 Apr 2016 22:54:45 +0000 + -- Patrick Schleizer Thu, 07 Apr 2016 22:54:45 +0000 security-misc (3:0.3-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Tue, 15 Dec 2015 04:16:07 +0000 + -- Patrick Schleizer Tue, 15 Dec 2015 04:16:07 +0000 security-misc (3:0.2-1) unstable; urgency=medium * New upstream version (local package). - -- Patrick Schleizer Tue, 15 Dec 2015 02:00:33 +0000 + -- Patrick Schleizer Tue, 15 Dec 2015 02:00:33 +0000 security-misc (3:0.1-2) unstable; urgency=low * Initial release. - -- Patrick Schleizer Sun, 17 Aug 2014 17:56:36 +0000 + -- Patrick Schleizer Sun, 17 Aug 2014 17:56:36 +0000 diff --git a/debian/compat b/debian/compat deleted file mode 100644 index 48082f7..0000000 --- a/debian/compat +++ /dev/null @@ -1 +0,0 @@ -12 diff --git a/debian/control b/debian/control index dfe6cc0..fd56b5f 100644 --- a/debian/control +++ b/debian/control 
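Review bot: Deleting debian/compat, which held 12, is a compat level bump rather than a pure cleanup, because the debian/control hunk that follows adds debhelper-compat (= 13) to Build-Depends. State the bump in the commit message and confirm the package still builds under level 13, where dh_missing fails the build on files that are built but not installed. The changelog hunk above also rewrites the trailer line of every released entry back to 3:0.1-2 from 2014, and the removed and added lines read the same here, so the commit should say what actually changed in them.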
@@ -1,315 +1,41 @@ -## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. Source: security-misc Section: misc Priority: optional -Maintainer: Patrick Schleizer -Build-Depends: debhelper (>= 12), genmkfile, config-package-dev, dh-apparmor, - ronn -Homepage: https://github.com/Whonix/security-misc -Vcs-Browser: https://github.com/Whonix/security-misc -Vcs-Git: https://github.com/Whonix/security-misc.git -Standards-Version: 4.3.0 +Maintainer: Patrick Schleizer +Build-Depends: config-package-dev, + debhelper (>= 13), + debhelper-compat (= 13), + dh-apparmor, + po-debconf +Homepage: https://www.kicksecure.com/wiki/Security-misc +Vcs-Browser: https://github.com/Kicksecure/security-misc +Vcs-Git: https://github.com/Kicksecure/security-misc.git +Standards-Version: 4.6.2 +Rules-Requires-Root: no Package: security-misc Architecture: all -Depends: python, libglib2.0-bin, libpam-runtime, sudo, adduser, - apparmor-profile-anondist, ${misc:Depends} -Replaces: tcp-timestamps-disable -Description: enhances misc security settings - Inspired by Kernel Self Protection Project (KSPP) +Depends: adduser, + apparmor-profile-dist, + dmsetup, + helper-scripts, + libcap2-bin, + libglib2.0-bin, + libpam-modules-bin, + libpam-runtime, + libpam-umask, + python3, + secure-delete, + sudo, + ${misc:Depends} +Replaces: anon-gpg-tweaks, swappiness-lowest, tcp-timestamps-disable +Description: Enhances Miscellaneous Security Settings + https://github.com/Kicksecure/security-misc/blob/master/README.md . - * Implements most if not all recommended Linux kernel settings (sysctl) and - kernel parameters by KSPP. - . - * https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project - . - kernel hardening: - . 
- * deactivates Netfilter's connection tracking helper - Netfilter's connection tracking helper module increases kernel attack - surface by enabling superfluous functionality such as IRC parsing in - the kernel. (!) Hence, this package disables this feature by shipping the - /etc/modprobe.d/30_nf_conntrack_helper_disable.conf configuration file. - . - * Kernel symbols in various files in /proc are hidden as they can be - very useful for kernel exploits. - . - * Kexec is disabled as it can be used to load a malicious kernel. - /etc/sysctl.d/kexec.conf - . - * ASLR effectiveness for mmap is increased. - . - * The TCP/IP stack is hardened by disabling ICMP redirect acceptance, - ICMP redirect sending and source routing to prevent man-in-the-middle attacks, - ignoring all ICMP requests, enabling TCP syncookies to prevent SYN flood - attacks, enabling RFC1337 to protect against time-wait assassination - attacks and enabling reverse path filtering to prevent IP spoofing and - mitigate vulnerabilities such as CVE-2019-14899. - . - * Some data spoofing attacks are made harder. - . - * SACK can be disabled as it is commonly exploited and is rarely used by - uncommenting settings in file /etc/sysctl.d/tcp_sack.conf. - . - * Slab merging is disabled as sometimes a slab can be used in a vulnerable - way which an attacker can exploit. - . - * Sanity checks, redzoning, and memory poisoning are enabled. - . - * Machine checks (MCE) are disabled which makes the kernel panic - on uncorrectable errors in ECC memory that could be exploited. - . - * Kernel Page Table Isolation is enabled to mitigate Meltdown and increase - KASLR effectiveness. - . - * SMT is disabled as it can be used to exploit the MDS and other - vulnerabilities. - . - * All mitigations for the MDS vulnerability are enabled. - . - * A systemd service clears System.map on boot as these contain kernel symbols - that could be useful to an attacker. 
- /etc/kernel/postinst.d/30_remove-system-map - /lib/systemd/system/remove-system-map.service - /usr/lib/security-misc/remove-system.map - . - * Coredumps are disabled as they may contain important information such as - encryption keys or passwords. - /etc/security/limits.d/disable-coredumps.conf - /etc/sysctl.d/coredumps.conf - /lib/systemd/coredump.conf.d/disable-coredumps.conf - . - * The thunderbolt and firewire kernel modules are blacklisted as they can be - used for DMA (Direct Memory Access) attacks. - . - * IOMMU is enabled with a boot parameter to prevent DMA attacks. - . - * The kernel now panics on oopses to prevent it from continuing running a - flawed process. - . - * Bluetooth is blacklisted to reduce attack surface. Bluetooth also has - a history of security concerns. - https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns - . - * A systemd service restricts /proc/cpuinfo, /proc/bus, /proc/scsi and - /sys to the root user only. This hides a lot of hardware identifiers from - unprivileged users and increases security as /sys exposes a lot of information - that shouldn't be accessible to unprivileged users. As this will break many - things, it is disabled by default and can optionally be enabled by running - `systemctl enable hide-hardware-info.service` as root. - /usr/lib/security-misc/hide-hardware-info - /lib/systemd/system/hide-hardware-info.service - /lib/systemd/system/user@.service.d/sysfs.conf - /etc/hide-hardware-info.d/30_default.conf - . - Improve Entropy Collection - . - * Load jitterentropy_rng kernel module. - /usr/lib/modules-load.d/30_security-misc.conf - . - * Distrusts the CPU for initial entropy at boot as it is not possible to - audit, may contain weaknesses or a backdoor. - * https://en.wikipedia.org/wiki/RDRAND#Reception - * https://twitter.com/pid_eins/status/1149649806056280069 - * For more references, see: - * /etc/default/grub.d/40_distrust_cpu.cfg - . 
- Uncommon network protocols are blacklisted: - These are rarely used and may have unknown vulnerabilities. - /etc/modprobe.d/uncommon-network-protocols.conf - The network protocols that are blacklisted are: - . - * DCCP - Datagram Congestion Control Protocol - * SCTP - Stream Control Transmission Protocol - * RDS - Reliable Datagram Sockets - * TIPC - Transparent Inter-process Communication - * HDLC - High-Level Data Link Control - * AX25 - Amateur X.25 - * NetRom - * X25 - * ROSE - * DECnet - * Econet - * af_802154 - IEEE 802.15.4 - * IPX - Internetwork Packet Exchange - * AppleTalk - * PSNAP - Subnetwork Access Protocol - * p8023 - Novell raw IEEE 802.3 - * p8022 - IEEE 802.2 - . - user restrictions: - . - * remount /home, /tmp, /dev/shm and /run with nosuid,nodev (default) and - noexec (opt-in). To disable this, run "sudo touch /etc/remount-disable". To - opt-in noexec, run "sudo touch /etc/noexec" and reboot (easiest). - Alternatively file /usr/local/etc/remount-disable or file - /usr/local/etc/noexec could be used. - /lib/systemd/system/remount-secure.service - /usr/lib/security-misc/remount-secure - . - * A systemd service mounts /proc with hidepid=2 at boot to prevent users from - seeing each other's processes. - . - * The kernel logs are restricted to root only. - . - * The BPF JIT compiler is restricted to the root user and is hardened. - . - * The ptrace system call is restricted to the root user only. - . - restricts access to the root account: - . - * `su` is restricted to only users within the group `sudo` which prevents - users from using `su` to gain root access or to switch user accounts. - /usr/share/pam-configs/wheel-security-misc - (Which results in a change in file `/etc/pam.d/common-auth`.) - . - * Add user `root` to group `sudo`. This is required to make above work so - login as a user in a virtual console is still possible. - debian/security-misc.postinst - . - * Abort login for users with locked passwords. 
- /usr/lib/security-misc/pam-abort-on-locked-password - . - * Logging into the root account from a virtual, serial, whatnot console is - prevented by shipping an existing and empty /etc/securetty. - (Deletion of /etc/securetty has a different effect.) - /etc/securetty.security-misc - . - * Console Lockdown. - Allow members of group 'console' to use console. - Everyone else except members of group - 'console-unrestricted' are restricted from using console using ancient, - unpopular login methods such as using /bin/login over networks, which might - be exploitable. (CVE-2001-0797) Using pam_access. - Not enabled by default in this package since this package does not know which - users shall be added to group 'console' and would break console. - /usr/share/pam-configs/console-lockdown-security-misc - /etc/security/access-security-misc.conf - . - Protect Linux user accounts against brute force attacks. - Lock user accounts after 50 failed login attempts using pam_tally2. - /usr/share/pam-configs/tally2-security-misc - . - informational output during Linux PAM: - . - * Show failed and remaining password attempts. - * Document unlock procedure if Linux user account got locked. - * Point out, that there is no password feedback for `su`. - * Explain locked (root) account if locked. - * /usr/share/pam-configs/tally2-security-misc - * /usr/lib/security-misc/pam_tally2-info - * /usr/lib/security-misc/pam-abort-on-locked-password - . - access rights restrictions: - . - * Strong Linux User Account Separation. - Removes read, write and execute access for others for all users who have - home folders under folder /home by running for example - "chmod o-rwx /home/user" - during package installation, upgrade or pam mkhomedir. This will be done only - once per - folder in folder /home so users who wish to relax file permissions are free to - do so. 
This is to protect previously created files in user home folder which - were previously created with lax file permissions prior installation of this - package. - debian/security-misc.postinst - /usr/lib/security-misc/permission-lockdown - /usr/share/pam-configs/mkhomedir-security-misc - . - * SUID / GUID removal and permission hardening. - A systemd service removed SUID / GUID from non-essential binaries as these are - often used in privilege escalation attacks. - It is disabled by default for now during testing and can optionally be enabled - by running `systemctl enable permission-hardening.service` as root. - https://forums.whonix.org/t/permission-hardening/8655 - /usr/lib/security-misc/permission-hardening - /lib/systemd/system/permission-hardening.service - /etc/permission-hardening.d/30_default.conf - . - access rights relaxations: - . - Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with - hidepid. - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040 - https://forums.whonix.org/t/cannot-use-pkexec/8129 - /usr/bin/pkexec.security-misc - . - This package does (not yet) automatically lock the root account password. - It is not clear that would be sane in such a package. - It is recommended to lock and expire the root account. - In new Whonix builds, root account will be locked by package - anon-base-files. - https://www.whonix.org/wiki/Root - https://www.whonix.org/wiki/Dev/Permissions - https://forums.whonix.org/t/restrict-root-access/7658 - However, a locked root password will break rescue and emergency shell. - Therefore this package enables passwordless resuce and emergency shell. - This is the same solution that Debian will likely addapt for Debian - installer. - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211 - Adverse security effects can be prevented by setting up BIOS password - protection, grub password protection and/or full disk encryption. 
- /etc/systemd/system/emergency.service.d/override.conf - /etc/systemd/system/rescue.service.d/override.conf - . - Disables TCP Time Stamps: - . - TCP time stamps (RFC 1323) allow for tracking clock - information with millisecond resolution. This may or may not allow an - attacker to learn information about the system clock at such - a resolution, depending on various issues such as network lag. - This information is available to anyone who monitors the network - somewhere between the attacked system and the destination server. - It may allow an attacker to find out how long a given - system has been running, and to distinguish several - systems running behind NAT and using the same IP address. It might - also allow one to look for clocks that match an expected value to find the - public IP used by a user. - . - Hence, this package disables this feature by shipping the - /etc/sysctl.d/tcp_timestamps.conf configuration file. - . - Note that TCP time stamps normally have some usefulness. They are - needed for: - . - * the TCP protection against wrapped sequence numbers; however, to - trigger a wrap, one needs to send roughly 2^32 packets in one - minute: as said in RFC 1700, "The current recommended default - time to live (TTL) for the Internet Protocol (IP) [45,105] is 64". - So, this probably won't be a practical problem in the context - of Anonymity Distributions. - * "Round-Trip Time Measurement", which is only useful when the user - manages to saturate their connection. When using Anonymity Distributions, - probably the limiting factor for transmission speed is rarely the capacity - of the user connection. - . - Application specific hardening: - . - * Enables APT seccomp-BPF sandboxing. /etc/apt/apt.conf.d/40sandbox - * Deactivates previews in Dolphin. - * Deactivates previews in Nautilus. - /usr/share/glib-2.0/schemas/30_security-misc.gschema.override - * Deactivates thumbnails in Thunar. 
- * Enables punycode (`network.IDN_show_punycode`) by default in Thunderbird - to make phising attacks more difficult. Fixing URL not showing real Domain - Name (Homograph attack). - . - Want more? Look into these: - . - * Linux Kernel Runtime Guard (LKRG). Kills whole Classes of Kernel Exploits. - * tirdad - TCP ISN CPU Information Leak Protection. - * Whonix ™ - Anonymous Operating System - * Kicksecure ™ - A Security-hardened, Non-anonymous Linux Distribution - * SecBrowser ™ - A Security-hardened, Non-anonymous Browser - * And more. - * https://www.whonix.org/wiki/Linux_Kernel_Runtime_Guard_LKRG - * https://github.com/Whonix/tirdad - * https://www.whonix.org - * https://www.whonix.org/wiki/Kicksecure - * https://www.whonix.org/wiki/SecBrowser - * https://github.com/Whonix + https://www.kicksecure.com/wiki/Security-misc . Discussion: . diff --git a/debian/copyright b/debian/copyright index 513503a..829d909 100644 --- a/debian/copyright +++ b/debian/copyright 
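Review bot: The new Description in the security-misc stanza no longer tells an administrator what the package changes on the system: the per-feature list with its config paths (sysctl.d, modprobe.d, pam-configs, systemd units) is gone and only two URLs remain, one of them README.md on the master branch, which can drift from the installed version and is not available offline. Keep a short summary of the hardening areas in the extended description and point to documentation shipped with the package or to a version-pinned link. Separately, Replaces now lists anon-gpg-tweaks and swappiness-lowest, but no Breaks or Conflicts for them is visible in this hunk; pair Replaces with Breaks (or Conflicts plus Provides if the whole package is superseded) so the replaced packages cannot remain installed alongside this one.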
@@ -1,73 +1,668 @@ Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Files: * -Copyright: 2012 - 2019 ENCRYPTED SUPPORT LP -License: GPL-3+-with-additional-terms-1 - This program is free software: you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation, either version 3 of the License, or - (at your option) any later version. +Copyright: 2012 - 2025 ENCRYPTED SUPPORT LLC +License: AGPL-3+ + +License: AGPL-3+ + GNU AFFERO GENERAL PUBLIC LICENSE + Version 3, 19 November 2007 . - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. + Copyright (C) 2007 Free Software Foundation, Inc. + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. . - You should have received a copy of the GNU General Public License - along with this program. If not, see . + Preamble . - On Debian systems, the full text of the GNU General Public - License version 3 can be found in the file - `/usr/share/common-licenses/GPL-3'. + The GNU Affero General Public License is a free, copyleft license for + software and other kinds of works, specifically designed to ensure + cooperation with the community in the case of network server software. . - ADDITIONAL TERMS APPLICABLE per GNU GPL version 3 section 7 + The licenses for most software and other practical works are designed + to take away your freedom to share and change the works. By contrast, + our General Public Licenses are intended to guarantee your freedom to + share and change all versions of a program--to make sure it remains free + software for all its users. . - 1. Replacement of Section 15. 
Section 15 of the GPL shall be deleted in its - entirety and replaced with the following: + When we speak of free software, we are referring to freedom, not + price. Our General Public Licenses are designed to make sure that you + have the freedom to distribute copies of free software (and charge for + them if you wish), that you receive source code or can get it if you + want it, that you can change the software or use pieces of it in new + free programs, and that you know you can do these things. . - 15. Disclaimer of Warranty. + Developers that use our General Public Licenses protect your rights + with two steps: (1) assert copyright on the software, and (2) offer + you this License which gives you legal permission to copy, distribute + and/or modify the software. . - THE PROGRAM IS PROVIDED WITHOUT ANY WARRANTIES, WHETHER EXPRESSED OR IMPLIED, - INCLUDING, WITHOUT LIMITATION, IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR - PURPOSE, NON-INFRINGEMENT, TITLE AND MERCHANTABILITY. THE PROGRAM IS BEING - DELIVERED OR MADE AVAILABLE 'AS IS', 'WITH ALL FAULTS' AND WITHOUT WARRANTY OR - REPRESENTATION. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE - PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF + A secondary benefit of defending all users' freedom is that + improvements made in alternate versions of the program, if they + receive widespread use, become available for other developers to + incorporate. Many developers of free software are heartened and + encouraged by the resulting cooperation. However, in the case of + software used on network servers, this result may fail to come about. + The GNU General Public License permits making a modified version and + letting the public access it on a server without ever releasing its + source code to the public. + . + The GNU Affero General Public License is designed specifically to + ensure that, in such cases, the modified source code becomes available + to the community. 
It requires the operator of a network server to + provide the source code of the modified version running there to the + users of that server. Therefore, public use of a modified version, on + a publicly accessible server, gives the public access to the source + code of the modified version. + . + An older license, called the Affero General Public License and + published by Affero, was designed to accomplish similar goals. This is + a different license, not a version of the Affero GPL, but Affero has + released a new version of the Affero GPL which permits relicensing under + this license. + . + The precise terms and conditions for copying, distribution and + modification follow. + . + TERMS AND CONDITIONS + . + 0. Definitions. + . + "This License" refers to version 3 of the GNU Affero General Public License. + . + "Copyright" also means copyright-like laws that apply to other kinds of + works, such as semiconductor masks. + . + "The Program" refers to any copyrightable work licensed under this + License. Each licensee is addressed as "you". "Licensees" and + "recipients" may be individuals or organizations. + . + To "modify" a work means to copy from or adapt all or part of the work + in a fashion requiring copyright permission, other than the making of an + exact copy. The resulting work is called a "modified version" of the + earlier work or a work "based on" the earlier work. + . + A "covered work" means either the unmodified Program or a work based + on the Program. + . + To "propagate" a work means to do anything with it that, without + permission, would make you directly or secondarily liable for + infringement under applicable copyright law, except executing it on a + computer or modifying a private copy. Propagation includes copying, + distribution (with or without modification), making available to the + public, and in some countries other activities as well. + . 
+ To "convey" a work means any kind of propagation that enables other + parties to make or receive copies. Mere interaction with a user through + a computer network, with no transfer of a copy, is not conveying. + . + An interactive user interface displays "Appropriate Legal Notices" + to the extent that it includes a convenient and prominently visible + feature that (1) displays an appropriate copyright notice, and (2) + tells the user that there is no warranty for the work (except to the + extent that warranties are provided), that licensees may convey the + work under this License, and how to view a copy of this License. If + the interface presents a list of user commands or options, such as a + menu, a prominent item in the list meets this criterion. + . + 1. Source Code. + . + The "source code" for a work means the preferred form of the work + for making modifications to it. "Object code" means any non-source + form of a work. + . + A "Standard Interface" means an interface that either is an official + standard defined by a recognized standards body, or, in the case of + interfaces specified for a particular programming language, one that + is widely used among developers working in that language. + . + The "System Libraries" of an executable work include anything, other + than the work as a whole, that (a) is included in the normal form of + packaging a Major Component, but which is not part of that Major + Component, and (b) serves only to enable use of the work with that + Major Component, or to implement a Standard Interface for which an + implementation is available to the public in source code form. A + "Major Component", in this context, means a major essential component + (kernel, window system, and so on) of the specific operating system + (if any) on which the executable work runs, or a compiler used to + produce the work, or an object code interpreter used to run it. + . 
+ The "Corresponding Source" for a work in object code form means all + the source code needed to generate, install, and (for an executable + work) run the object code and to modify the work, including scripts to + control those activities. However, it does not include the work's + System Libraries, or general-purpose tools or generally available free + programs which are used unmodified in performing those activities but + which are not part of the work. For example, Corresponding Source + includes interface definition files associated with source files for + the work, and the source code for shared libraries and dynamically + linked subprograms that the work is specifically designed to require, + such as by intimate data communication or control flow between those + subprograms and other parts of the work. + . + The Corresponding Source need not include anything that users + can regenerate automatically from other parts of the Corresponding + Source. + . + The Corresponding Source for a work in source code form is that + same work. + . + 2. Basic Permissions. + . + All rights granted under this License are granted for the term of + copyright on the Program, and are irrevocable provided the stated + conditions are met. This License explicitly affirms your unlimited + permission to run the unmodified Program. The output from running a + covered work is covered by this License only if the output, given its + content, constitutes a covered work. This License acknowledges your + rights of fair use or other equivalent, as provided by copyright law. + . + You may make, run and propagate covered works that you do not + convey, without conditions so long as your license otherwise remains + in force. 
You may convey covered works to others for the sole purpose + of having them make modifications exclusively for you, or provide you + with facilities for running those works, provided that you comply with + the terms of this License in conveying all material for which you do + not control copyright. Those thus making or running the covered works + for you must do so exclusively on your behalf, under your direction + and control, on terms that prohibit them from making any copies of + your copyrighted material outside their relationship with you. + . + Conveying under any other circumstances is permitted solely under + the conditions stated below. Sublicensing is not allowed; section 10 + makes it unnecessary. + . + 3. Protecting Users' Legal Rights From Anti-Circumvention Law. + . + No covered work shall be deemed part of an effective technological + measure under any applicable law fulfilling obligations under article + 11 of the WIPO copyright treaty adopted on 20 December 1996, or + similar laws prohibiting or restricting circumvention of such + measures. + . + When you convey a covered work, you waive any legal power to forbid + circumvention of technological measures to the extent such circumvention + is effected by exercising rights under this License with respect to + the covered work, and you disclaim any intention to limit operation or + modification of the work as a means of enforcing, against the work's + users, your or third parties' legal rights to forbid circumvention of + technological measures. + . + 4. Conveying Verbatim Copies. + . 
+ You may convey verbatim copies of the Program's source code as you + receive it, in any medium, provided that you conspicuously and + appropriately publish on each copy an appropriate copyright notice; + keep intact all notices stating that this License and any + non-permissive terms added in accord with section 7 apply to the code; + keep intact all notices of the absence of any warranty; and give all + recipients a copy of this License along with the Program. + . + You may charge any price or no price for each copy that you convey, + and you may offer support or warranty protection for a fee. + . + 5. Conveying Modified Source Versions. + . + You may convey a work based on the Program, or the modifications to + produce it from the Program, in the form of source code under the + terms of section 4, provided that you also meet all of these conditions: + . + a) The work must carry prominent notices stating that you modified + it, and giving a relevant date. + . + b) The work must carry prominent notices stating that it is + released under this License and any conditions added under section + 7. This requirement modifies the requirement in section 4 to + "keep intact all notices". + . + c) You must license the entire work, as a whole, under this + License to anyone who comes into possession of a copy. This + License will therefore apply, along with any applicable section 7 + additional terms, to the whole of the work, and all its parts, + regardless of how they are packaged. This License gives no + permission to license the work in any other way, but it does not + invalidate such permission if you have separately received it. + . + d) If the work has interactive user interfaces, each must display + Appropriate Legal Notices; however, if the Program has interactive + interfaces that do not display Appropriate Legal Notices, your + work need not make them do so. + . 
+ A compilation of a covered work with other separate and independent + works, which are not by their nature extensions of the covered work, + and which are not combined with it such as to form a larger program, + in or on a volume of a storage or distribution medium, is called an + "aggregate" if the compilation and its resulting copyright are not + used to limit the access or legal rights of the compilation's users + beyond what the individual works permit. Inclusion of a covered work + in an aggregate does not cause this License to apply to the other + parts of the aggregate. + . + 6. Conveying Non-Source Forms. + . + You may convey a covered work in object code form under the terms + of sections 4 and 5, provided that you also convey the + machine-readable Corresponding Source under the terms of this License, + in one of these ways: + . + a) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by the + Corresponding Source fixed on a durable physical medium + customarily used for software interchange. + . + b) Convey the object code in, or embodied in, a physical product + (including a physical distribution medium), accompanied by a + written offer, valid for at least three years and valid for as + long as you offer spare parts or customer support for that product + model, to give anyone who possesses the object code either (1) a + copy of the Corresponding Source for all the software in the + product that is covered by this License, on a durable physical + medium customarily used for software interchange, for a price no + more than your reasonable cost of physically performing this + conveying of source, or (2) access to copy the + Corresponding Source from a network server at no charge. + . + c) Convey individual copies of the object code with a copy of the + written offer to provide the Corresponding Source. 
This + alternative is allowed only occasionally and noncommercially, and + only if you received the object code with such an offer, in accord + with subsection 6b. + . + d) Convey the object code by offering access from a designated + place (gratis or for a charge), and offer equivalent access to the + Corresponding Source in the same way through the same place at no + further charge. You need not require recipients to copy the + Corresponding Source along with the object code. If the place to + copy the object code is a network server, the Corresponding Source + may be on a different server (operated by you or a third party) + that supports equivalent copying facilities, provided you maintain + clear directions next to the object code saying where to find the + Corresponding Source. Regardless of what server hosts the + Corresponding Source, you remain obligated to ensure that it is + available for as long as needed to satisfy these requirements. + . + e) Convey the object code using peer-to-peer transmission, provided + you inform other peers where the object code and Corresponding + Source of the work are being offered to the general public at no + charge under subsection 6d. + . + A separable portion of the object code, whose source code is excluded + from the Corresponding Source as a System Library, need not be + included in conveying the object code work. + . + A "User Product" is either (1) a "consumer product", which means any + tangible personal property which is normally used for personal, family, + or household purposes, or (2) anything designed or sold for incorporation + into a dwelling. In determining whether a product is a consumer product, + doubtful cases shall be resolved in favor of coverage. 
For a particular + product received by a particular user, "normally used" refers to a + typical or common use of that class of product, regardless of the status + of the particular user or of the way in which the particular user + actually uses, or expects or is expected to use, the product. A product + is a consumer product regardless of whether the product has substantial + commercial, industrial or non-consumer uses, unless such uses represent + the only significant mode of use of the product. + . + "Installation Information" for a User Product means any methods, + procedures, authorization keys, or other information required to install + and execute modified versions of a covered work in that User Product from + a modified version of its Corresponding Source. The information must + suffice to ensure that the continued functioning of the modified object + code is in no case prevented or interfered with solely because + modification has been made. + . + If you convey an object code work under this section in, or with, or + specifically for use in, a User Product, and the conveying occurs as + part of a transaction in which the right of possession and use of the + User Product is transferred to the recipient in perpetuity or for a + fixed term (regardless of how the transaction is characterized), the + Corresponding Source conveyed under this section must be accompanied + by the Installation Information. But this requirement does not apply + if neither you nor any third party retains the ability to install + modified object code on the User Product (for example, the work has + been installed in ROM). + . + The requirement to provide Installation Information does not include a + requirement to continue to provide support service, warranty, or updates + for a work that has been modified or installed by the recipient, or for + the User Product in which it has been modified or installed. 
Access to a + network may be denied when the modification itself materially and + adversely affects the operation of the network or violates the rules and + protocols for communication across the network. + . + Corresponding Source conveyed, and Installation Information provided, + in accord with this section must be in a format that is publicly + documented (and with an implementation available to the public in + source code form), and must require no special password or key for + unpacking, reading or copying. + . + 7. Additional Terms. + . + "Additional permissions" are terms that supplement the terms of this + License by making exceptions from one or more of its conditions. + Additional permissions that are applicable to the entire Program shall + be treated as though they were included in this License, to the extent + that they are valid under applicable law. If additional permissions + apply only to part of the Program, that part may be used separately + under those permissions, but the entire Program remains governed by + this License without regard to the additional permissions. + . + When you convey a copy of a covered work, you may at your option + remove any additional permissions from that copy, or from any part of + it. (Additional permissions may be written to require their own + removal in certain cases when you modify the work.) You may place + additional permissions on material, added by you to a covered work, + for which you have or can give appropriate copyright permission. + . + Notwithstanding any other provision of this License, for material you + add to a covered work, you may (if authorized by the copyright holders of + that material) supplement the terms of this License with terms: + . + a) Disclaiming warranty or limiting liability differently from the + terms of sections 15 and 16 of this License; or + . 
+ b) Requiring preservation of specified reasonable legal notices or + author attributions in that material or in the Appropriate Legal + Notices displayed by works containing it; or + . + c) Prohibiting misrepresentation of the origin of that material, or + requiring that modified versions of such material be marked in + reasonable ways as different from the original version; or + . + d) Limiting the use for publicity purposes of names of licensors or + authors of the material; or + . + e) Declining to grant rights under trademark law for use of some + trade names, trademarks, or service marks; or + . + f) Requiring indemnification of licensors and authors of that + material by anyone who conveys the material (or modified versions of + it) with contractual assumptions of liability to the recipient, for + any liability that these contractual assumptions directly impose on + those licensors and authors. + . + All other non-permissive additional terms are considered "further + restrictions" within the meaning of section 10. If the Program as you + received it, or any part of it, contains a notice stating that it is + governed by this License along with a term that is a further + restriction, you may remove that term. If a license document contains + a further restriction but permits relicensing or conveying under this + License, you may add to a covered work material governed by the terms + of that license document, provided that the further restriction does + not survive such relicensing or conveying. + . + If you add terms to a covered work in accord with this section, you + must place, in the relevant source files, a statement of the + additional terms that apply to those files, or a notice indicating + where to find the applicable terms. + . + Additional terms, permissive or non-permissive, may be stated in the + form of a separately written license, or stated as exceptions; + the above requirements apply either way. + . + 8. Termination. + . 
+ You may not propagate or modify a covered work except as expressly + provided under this License. Any attempt otherwise to propagate or + modify it is void, and will automatically terminate your rights under + this License (including any patent licenses granted under the third + paragraph of section 11). + . + However, if you cease all violation of this License, then your + license from a particular copyright holder is reinstated (a) + provisionally, unless and until the copyright holder explicitly and + finally terminates your license, and (b) permanently, if the copyright + holder fails to notify you of the violation by some reasonable means + prior to 60 days after the cessation. + . + Moreover, your license from a particular copyright holder is + reinstated permanently if the copyright holder notifies you of the + violation by some reasonable means, this is the first time you have + received notice of violation of this License (for any work) from that + copyright holder, and you cure the violation prior to 30 days after + your receipt of the notice. + . + Termination of your rights under this section does not terminate the + licenses of parties who have received copies or rights from you under + this License. If your rights have been terminated and not permanently + reinstated, you do not qualify to receive new licenses for the same + material under section 10. + . + 9. Acceptance Not Required for Having Copies. + . + You are not required to accept this License in order to receive or + run a copy of the Program. Ancillary propagation of a covered work + occurring solely as a consequence of using peer-to-peer transmission + to receive a copy likewise does not require acceptance. However, + nothing other than this License grants you permission to propagate or + modify any covered work. These actions infringe copyright if you do + not accept this License. 
Therefore, by modifying or propagating a + covered work, you indicate your acceptance of this License to do so. + . + 10. Automatic Licensing of Downstream Recipients. + . + Each time you convey a covered work, the recipient automatically + receives a license from the original licensors, to run, modify and + propagate that work, subject to this License. You are not responsible + for enforcing compliance by third parties with this License. + . + An "entity transaction" is a transaction transferring control of an + organization, or substantially all assets of one, or subdividing an + organization, or merging organizations. If propagation of a covered + work results from an entity transaction, each party to that + transaction who receives a copy of the work also receives whatever + licenses to the work the party's predecessor in interest had or could + give under the previous paragraph, plus a right to possession of the + Corresponding Source of the work from the predecessor in interest, if + the predecessor has it or can get it with reasonable efforts. + . + You may not impose any further restrictions on the exercise of the + rights granted or affirmed under this License. For example, you may + not impose a license fee, royalty, or other charge for exercise of + rights granted under this License, and you may not initiate litigation + (including a cross-claim or counterclaim in a lawsuit) alleging that + any patent claim is infringed by making, using, selling, offering for + sale, or importing the Program or any portion of it. + . + 11. Patents. + . + A "contributor" is a copyright holder who authorizes use under this + License of the Program or a work on which the Program is based. The + work thus licensed is called the contributor's "contributor version". + . 
+ A contributor's "essential patent claims" are all patent claims + owned or controlled by the contributor, whether already acquired or + hereafter acquired, that would be infringed by some manner, permitted + by this License, of making, using, or selling its contributor version, + but do not include claims that would be infringed only as a + consequence of further modification of the contributor version. For + purposes of this definition, "control" includes the right to grant + patent sublicenses in a manner consistent with the requirements of + this License. + . + Each contributor grants you a non-exclusive, worldwide, royalty-free + patent license under the contributor's essential patent claims, to + make, use, sell, offer for sale, import and otherwise run, modify and + propagate the contents of its contributor version. + . + In the following three paragraphs, a "patent license" is any express + agreement or commitment, however denominated, not to enforce a patent + (such as an express permission to practice a patent or covenant not to + sue for patent infringement). To "grant" such a patent license to a + party means to make such an agreement or commitment not to enforce a + patent against the party. + . + If you convey a covered work, knowingly relying on a patent license, + and the Corresponding Source of the work is not available for anyone + to copy, free of charge and under the terms of this License, through a + publicly available network server or other readily accessible means, + then you must either (1) cause the Corresponding Source to be so + available, or (2) arrange to deprive yourself of the benefit of the + patent license for this particular work, or (3) arrange, in a manner + consistent with the requirements of this License, to extend the patent + license to downstream recipients. 
"Knowingly relying" means you have + actual knowledge that, but for the patent license, your conveying the + covered work in a country, or your recipient's use of the covered work + in a country, would infringe one or more identifiable patents in that + country that you have reason to believe are valid. + . + If, pursuant to or in connection with a single transaction or + arrangement, you convey, or propagate by procuring conveyance of, a + covered work, and grant a patent license to some of the parties + receiving the covered work authorizing them to use, propagate, modify + or convey a specific copy of the covered work, then the patent license + you grant is automatically extended to all recipients of the covered + work and works based on it. + . + A patent license is "discriminatory" if it does not include within + the scope of its coverage, prohibits the exercise of, or is + conditioned on the non-exercise of one or more of the rights that are + specifically granted under this License. You may not convey a covered + work if you are a party to an arrangement with a third party that is + in the business of distributing software, under which you make payment + to the third party based on the extent of your activity of conveying + the work, and under which the third party grants, to any of the + parties who would receive the covered work from you, a discriminatory + patent license (a) in connection with copies of the covered work + conveyed by you (or copies made from those copies), or (b) primarily + for and in connection with specific products or compilations that + contain the covered work, unless you entered into that arrangement, + or that patent license was granted, prior to 28 March 2007. + . + Nothing in this License shall be construed as excluding or limiting + any implied license or other defenses to infringement that may + otherwise be available to you under applicable patent law. + . + 12. No Surrender of Others' Freedom. + . 
+ If conditions are imposed on you (whether by court order, agreement or + otherwise) that contradict the conditions of this License, they do not + excuse you from the conditions of this License. If you cannot convey a + covered work so as to satisfy simultaneously your obligations under this + License and any other pertinent obligations, then as a consequence you may + not convey it at all. For example, if you agree to terms that obligate you + to collect a royalty for further conveying from those to whom you convey + the Program, the only way you could satisfy both those terms and this + License would be to refrain entirely from conveying the Program. + . + 13. Remote Network Interaction; Use with the GNU General Public License. + . + Notwithstanding any other provision of this License, if you modify the + Program, your modified version must prominently offer all users + interacting with it remotely through a computer network (if your version + supports such interaction) an opportunity to receive the Corresponding + Source of your version by providing access to the Corresponding Source + from a network server at no charge, through some standard or customary + means of facilitating copying of software. This Corresponding Source + shall include the Corresponding Source for any work covered by version 3 + of the GNU General Public License that is incorporated pursuant to the + following paragraph. + . + Notwithstanding any other provision of this License, you have + permission to link or combine any covered work with a work licensed + under version 3 of the GNU General Public License into a single + combined work, and to convey the resulting work. The terms of this + License will continue to apply to the part which is the covered work, + but the work with which it is combined will remain governed by version + 3 of the GNU General Public License. + . + 14. Revised Versions of this License. + . 
+ The Free Software Foundation may publish revised and/or new versions of + the GNU Affero General Public License from time to time. Such new versions + will be similar in spirit to the present version, but may differ in detail to + address new problems or concerns. + . + Each version is given a distinguishing version number. If the + Program specifies that a certain numbered version of the GNU Affero General + Public License "or any later version" applies to it, you have the + option of following the terms and conditions either of that numbered + version or of any later version published by the Free Software + Foundation. If the Program does not specify a version number of the + GNU Affero General Public License, you may choose any version ever published + by the Free Software Foundation. + . + If the Program specifies that a proxy can decide which future + versions of the GNU Affero General Public License can be used, that proxy's + public statement of acceptance of a version permanently authorizes you + to choose that version for the Program. + . + Later license versions may give you additional or different + permissions. However, no additional obligations are imposed on any + author or copyright holder as a result of your choosing to follow a + later version. + . + 15. Disclaimer of Warranty. + . + THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY + APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT + HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY + OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, + THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM + IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. . - 2. Replacement of Section 16. 
Section 16 of the GPL shall be deleted in its - entirety and replaced with the following: + 16. Limitation of Liability. . - 16. LIMITATION OF LIABILITY. + IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING + WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS + THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY + GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE + USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF + DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD + PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), + EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF + SUCH DAMAGES. . - UNDER NO CIRCUMSTANCES SHALL ANY COPYRIGHT HOLDER OR ITS AFFILIATES, OR ANY - OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE - LIABLE TO YOU, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, FOR ANY - DAMAGES OR OTHER LIABILITY, INCLUDING ANY GENERAL, DIRECT, INDIRECT, SPECIAL, - INCIDENTAL, CONSEQUENTIAL OR PUNITIVE DAMAGES ARISING FROM, OUT OF OR IN - CONNECTION WITH THE USE OR INABILITY TO USE THE PROGRAM OR OTHER DEALINGS WITH - THE PROGRAM(INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED - INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE - PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), WHETHER OR NOT ANY COPYRIGHT HOLDER - OR SUCH OTHER PARTY RECEIVES NOTICE OF ANY SUCH DAMAGES AND WHETHER OR NOT SUCH - DAMAGES COULD HAVE BEEN FORESEEN. + 17. Interpretation of Sections 15 and 16. . - 3. LEGAL NOTICES; NO TRADEMARK LICENSE; ORIGIN. You must reproduce faithfully - all trademark, copyright and other proprietary and legal notices on any copies - of the Program or any other required author attributions. This license does not - grant you rights to use any copyright holder or any other party's name, logo, or - trademarks. 
Neither the name of the copyright holder or its affiliates, or any - other party who modifies and/or conveys the Program may be used to endorse or - promote products derived from this software without specific prior written - permission. The origin of the Program must not be misrepresented; you must not - claim that you wrote the original Program. Altered source versions must be - plainly marked as such, and must not be misrepresented as being the original - Program. + If the disclaimer of warranty and limitation of liability provided + above cannot be given local legal effect according to their terms, + reviewing courts shall apply local law that most closely approximates + an absolute waiver of all civil liability in connection with the + Program, unless a warranty or assumption of liability accompanies a + copy of the Program in return for a fee. . - 4. INDEMNIFICATION. IF YOU CONVEY A COVERED WORK AND AGREE WITH ANY RECIPIENT - OF THAT COVERED WORK THAT YOU WILL ASSUME ANY LIABILITY FOR THAT COVERED WORK, - YOU HEREBY AGREE TO INDEMNIFY, DEFEND AND HOLD HARMLESS THE OTHER LICENSORS AND - AUTHORS OF THAT COVERED WORK FOR ANY DAMAGES, DEMANDS, CLAIMS, LOSSES, CAUSES OF - ACTION, LAWSUITS, JUDGMENTS EXPENSES (INCLUDING WITHOUT LIMITATION REASONABLE - ATTORNEYS' FEES AND EXPENSES) OR ANY OTHER LIABILITY ARISING FROM, RELATED TO OR - IN CONNECTION WITH YOUR ASSUMPTIONS OF LIABILITY. + END OF TERMS AND CONDITIONS + . + How to Apply These Terms to Your New Programs + . + If you develop a new program, and you want it to be of the greatest + possible use to the public, the best way to achieve this is to make it + free software which everyone can redistribute and change under these terms. + . + To do so, attach the following notices to the program. It is safest + to attach them to the start of each source file to most effectively + state the exclusion of warranty; and each file should have at least + the "copyright" line and a pointer to where the full notice is found. 
+ . + + Copyright (C) + . + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU Affero General Public License as published by + the Free Software Foundation, either version 3 of the License, or + (at your option) any later version. + . + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Affero General Public License for more details. + . + You should have received a copy of the GNU Affero General Public License + along with this program. If not, see . + . + Also add information on how to contact you by electronic and paper mail. + . + If your software can interact with users remotely through a computer + network, you should also make sure that it provides a way for users to + get its source. For example, if your program is a web application, its + interface could display a "Source" link that leads users to an archive + of the code. There are many ways you could offer source, and different + solutions will be better for different programs; see section 13 for the + specific requirements. + . + You should also get your employer (if you work as a programmer) or school, + if any, to sign a "copyright disclaimer" for the program, if necessary. + For more information on this, and how to apply and follow the GNU AGPL, see + . diff --git a/debian/make-helper-overrides.bsh b/debian/make-helper-overrides.bsh new file mode 100755 index 0000000..4804b3e --- /dev/null +++ b/debian/make-helper-overrides.bsh @@ -0,0 +1,7 @@ +#!/bin/bash + +## Copyright (C) 2021 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/24 +genmkfile_lintian_post_opts+=" --suppress-tags obsolete-command-in-modprobe.d-file --suppress-tags no-complete-debconf-translation" 
diff --git a/debian/po/POTFILES.in b/debian/po/POTFILES.in new file mode 100644 index 0000000..435938f --- /dev/null +++ b/debian/po/POTFILES.in @@ -0,0 +1 @@ +[type: gettext/rfc822deb] security-misc.templates diff --git a/debian/po/templates.pot b/debian/po/templates.pot new file mode 100644 index 0000000..adb123b --- /dev/null +++ b/debian/po/templates.pot @@ -0,0 +1,36 @@ +# SOME DESCRIPTIVE TITLE. +# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the security-misc package. +# FIRST AUTHOR , YEAR. +# +#, fuzzy +msgid "" +msgstr "" +"Project-Id-Version: security-misc\n" +"Report-Msgid-Bugs-To: security-misc@packages.debian.org\n" +"POT-Creation-Date: 2025-01-14 09:31-0500\n" +"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" +"Last-Translator: FULL NAME \n" +"Language-Team: LANGUAGE \n" +"Language: \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=CHARSET\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: note +#. Description +#: ../security-misc.templates:1001 +msgid "Manual intervention may be required for permission-hardener update" +msgstr "" + +#. Type: note +#. Description +#: ../security-misc.templates:1001 +msgid "" +"No need to panic. Nothing is broken. A rare condition has been encountered. " +"permission-hardener is being updated to fix a minor bug that caused " +"corruption in the permission-hardener state file. If you installed your own " +"custom permission-hardener configuration, some manual intervention may be " +"required. See: https://www.kicksecure.com/wiki/" +"SUID_Disabler_and_Permission_Hardener#fixing_state_files" +msgstr "" diff --git a/debian/rules b/debian/rules index 963b738..ca5e85c 100755 --- a/debian/rules +++ b/debian/rules @@ -1,6 +1,6 @@ #!/usr/bin/make -f -## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. #export DH_VERBOSE=1 
@@ -10,8 +10,3 @@ override_dh_installchangelogs: dh_installchangelogs changelog.upstream upstream - -override_dh_install: - dh_apparmor --profile-name='usr.lib.security-misc.pam_tally2-info' - dh_apparmor --profile-name='usr.lib.security-misc.permission-lockdown' - dh_install diff --git a/debian/security-misc.config b/debian/security-misc.config new file mode 100755 index 0000000..e200fb6 --- /dev/null +++ b/debian/security-misc.config 
@@ -0,0 +1,190 @@ +#!/bin/bash + +## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then + source /usr/libexec/helper-scripts/pre.bsh +fi + +source /usr/share/debconf/confmodule + +set -e + +## Not set by DPKG for '.config' script. +DPKG_MAINTSCRIPT_PACKAGE="security-misc" +DPKG_MAINTSCRIPT_NAME="config" + +true " +##################################################################### +## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $* +##################################################################### +" + +## NOTE: Code duplication. +## Copied from: helper-scripts /usr/libexec/helper-scripts/package_installed_check.bsh +## +## '.config' scripts are run very early. Even 'Pre-Depends: helper-scripts' would be insufficient. +## Therefore the code is duplicated here. +pkg_installed() { + local package_name dpkg_query_output + local requested_action status error_state + + package_name="$1" + ## Cannot use '&>' because it is a bashism. + dpkg_query_output="$(dpkg-query --show --showformat='${Status}' "$package_name" 2>/dev/null)" || true + ## dpkg_query_output Examples: + ## install ok half-configured + ## install ok installed + + requested_action=$(printf '%s' "$dpkg_query_output" | awk '{print $1}') + status=$(printf '%s' "$dpkg_query_output" | awk '{print $2}') + error_state=$(printf '%s' "$dpkg_query_output" | awk '{print $3}') + + if [ "$requested_action" = 'install' ]; then + true "$0: INFO: $package_name is installed, ok." + return 0 + fi + + true "$0: INFO: $package_name is not installed, ok." + return 1 +} + +check_migrate_permission_hardener_state() { + local pkg_list modified_pkg_data_str custom_hardening_arr config_file + + ## If folder /var/lib/permission-hardener (version 1) does not exist, this migration is unneeded. + if [ ! 
-d '/var/lib/permission-hardener' ]; then + return 0 + fi + + local orig_hardening_arr custom_hardening_arr config_file custom_config_file + if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_2" ]; then + return 0 + fi + mkdir --parents '/var/lib/security-misc/do_once' + + orig_hardening_arr=( + '/usr/lib/permission-hardener.d/25_default_passwd.conf' + '/usr/lib/permission-hardener.d/25_default_sudo.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf' + '/usr/lib/permission-hardener.d/20_user-sysmaint-split.conf' + '/usr/lib/permission-hardener.d/30_ping.conf' + '/usr/lib/permission-hardener.d/30_default.conf' + '/etc/permission-hardener.d/25_default_passwd.conf' + '/etc/permission-hardener.d/25_default_sudo.conf' + '/etc/permission-hardener.d/25_default_whitelist_bubblewrap.conf' + 
'/etc/permission-hardener.d/25_default_whitelist_chromium.conf' + '/etc/permission-hardener.d/25_default_whitelist_dbus.conf' + '/etc/permission-hardener.d/25_default_whitelist_firejail.conf' + '/etc/permission-hardener.d/25_default_whitelist_fuse.conf' + '/etc/permission-hardener.d/25_default_whitelist_hardened_malloc.conf' + '/etc/permission-hardener.d/25_default_whitelist_mount.conf' + '/etc/permission-hardener.d/25_default_whitelist_pam.conf' + '/etc/permission-hardener.d/25_default_whitelist_passwd.conf' + '/etc/permission-hardener.d/25_default_whitelist_policykit.conf' + '/etc/permission-hardener.d/25_default_whitelist_postfix.conf' + '/etc/permission-hardener.d/25_default_whitelist_qubes.conf' + '/etc/permission-hardener.d/25_default_whitelist_selinux.conf' + '/etc/permission-hardener.d/25_default_whitelist_spice.conf' + '/etc/permission-hardener.d/25_default_whitelist_ssh.conf' + '/etc/permission-hardener.d/25_default_whitelist_sudo.conf' + '/etc/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf' + '/etc/permission-hardener.d/25_default_whitelist_virtualbox.conf' + '/etc/permission-hardener.d/20_user-sysmaint-split.conf' + '/etc/permission-hardener.d/30_ping.conf' + '/etc/permission-hardener.d/30_default.conf' + ) + + pkg_list=( "security-misc" ) + if pkg_installed user-sysmaint-split ; then + pkg_list+=( "user-sysmaint-split" ) + fi + if pkg_installed anon-apps-config ; then + pkg_list+=( "anon-apps-config" ) + fi + + ## This will exit non-zero if some of the packages don't exist, but we + ## don't care. The packages that *are* installed will still be scanned. 
+ modified_pkg_data_str="$(dpkg --verify "${pkg_list[@]}")" || true + + ## Example modified_pkg_data_str: + #modified_pkg_data_str='missing /usr/lib/permission-hardener.d/20_user-sysmaint-split.conf' + + readarray -t custom_hardening_arr < <(awk '/permission-hardener.d/{ print $NF }' <<< "${modified_pkg_data_str}") + + ## If the above `dpkg --verify` command doesn't return any permission-hardener + ## related lines, the array will contain no meaningful info, just a single + ## blank element at the start. Set the array to be explicitly empty in + ## this scenario. + if [ -z "${custom_hardening_arr[0]}" ]; then + custom_hardening_arr=() + fi + + for config_file in \ + /usr/lib/permission-hardener.d/*.conf \ + /etc/permission-hardener.d/*.conf \ + /usr/local/etc/permission-hardener.d/*.conf \ + /etc/permission-hardening.d/*.conf \ + /usr/local/etc/permission-hardening.d/*.conf + do + # shellcheck disable=SC2076 + if ! [[ " ${orig_hardening_arr[*]} " =~ " ${config_file} " ]]; then + if [ -f "${config_file}" ]; then + custom_hardening_arr+=( "${config_file}" ) + fi + fi + done + + if [ "${#custom_hardening_arr[@]}" != '0' ]; then + for custom_config_file in "${custom_hardening_arr[@]}"; do + if ! test -e "${custom_config_file}" ; then + echo "$0: INFO: Possible missing configuration file found: '${custom_config_file}'" + else + echo "$0: INFO: Possible custom configuration file found: '${custom_config_file}'" + fi + done + ## db_input will return code 30 if the message won't be displayed, which + ## causes a non-interactive install to error out if you don't use || true + db_input critical security-misc/alert-on-permission-hardener-v2-upgrade || true + ## db_go can return code 30 too in some instances, we don't care here + # shellcheck disable=SC2119 + db_go || true + fi + + touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_2" +} + +check_migrate_permission_hardener_state + +true "INFO: debhelper beginning here." 
+ +#DEBHELPER# + +true "INFO: Done with debhelper." + +true " +##################################################################### +## INFO: END : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $* +##################################################################### +" + +## Explicitly "exit 0", so eventually trapped errors can be ignored. +exit 0 diff --git a/debian/security-misc.displace b/debian/security-misc.displace index ec8a20b..78257f6 100644 --- a/debian/security-misc.displace +++ b/debian/security-misc.displace @@ -1,5 +1,5 @@ -## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. -/usr/bin/pkexec.security-misc /etc/securetty.security-misc +/etc/security/faillock.conf.security-misc diff --git a/debian/security-misc.gconf-defaults b/debian/security-misc.gconf-defaults index 26d57ff..b79536a 100644 --- a/debian/security-misc.gconf-defaults +++ b/debian/security-misc.gconf-defaults @@ -1,3 +1,6 @@ +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + /apps/nautilus/preview_sound never /apps/nautilus/show_icon_text never /apps/nautilus/show-image-thumbnails never diff --git a/debian/security-misc.install b/debian/security-misc.install new file mode 100644 index 0000000..6d5f850 --- /dev/null +++ b/debian/security-misc.install @@ -0,0 +1,8 @@ +## Copyright (C) 2020 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## This file was generated using 'genmkfile debinstfile'. + +etc/* +usr/* +var/* diff --git a/debian/security-misc.links b/debian/security-misc.links new file mode 100644 index 0000000..c3369df --- /dev/null +++ b/debian/security-misc.links 
@@ -0,0 +1,5 @@ +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +/etc/profile.d/30_security-misc.sh /etc/zprofile.d/30_security-misc.zsh +/etc/profile.d/30_security-misc.sh /etc/X11/Xsession.d/30_security-misc diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript index 2c93164..0a1759b 100644 --- a/debian/security-misc.maintscript +++ b/debian/security-misc.maintscript 
@@ -1,10 +1,111 @@ -## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. rm_conffile /etc/sudoers.d/umask-security-misc -## https://forums.whonix.org/t/allow-loading-signed-kernel-modules-by-default-disallow-kernel-module-loading-by-default/7880/23 -rm_conffile /etc/default/grub.d/40_only_allow_signed_modules.cfg - ## https://forums.whonix.org/t/sysrq-magic-sysrq-key/8079 rm_conffile /etc/sysctl.d/sysrq.conf + +## https://github.com/Whonix/security-misc/pull/45 +rm_conffile /etc/apparmor.d/usr.lib.security-misc.pam_tally2-info +rm_conffile /etc/apparmor.d/usr.lib.security-misc.permission-lockdown + +## merged into 3 files /usr/lib/sysctl.d/30_security-misc_kexec-disable.conf, /usr/lib/sysctl.d/30_silent-kernel-printk.conf, and /usr/lib/sysctl.d/990-security-misc.conf +rm_conffile /etc/sysctl.d/fs_protected.conf +rm_conffile /etc/sysctl.d/kptr_restrict.conf +rm_conffile /etc/sysctl.d/suid_dumpable.conf +rm_conffile /etc/sysctl.d/harden_bpf.conf +rm_conffile /etc/sysctl.d/ptrace_scope.conf +rm_conffile /etc/sysctl.d/tcp_timestamps.conf +rm_conffile /etc/sysctl.d/mmap_aslr.conf +rm_conffile /etc/sysctl.d/dmesg_restrict.conf +rm_conffile /etc/sysctl.d/coredumps.conf +rm_conffile /etc/sysctl.d/kexec.conf +rm_conffile /etc/sysctl.d/tcp_hardening.conf +rm_conffile /etc/sysctl.d/tcp_sack.conf + +## merged into 3 files /etc/modprobe.d/30_security-misc_blacklist.conf, 30_security-misc_conntrack.conf, and /etc/modprobe.d/30_security-misc_disable.conf +rm_conffile /etc/modprobe.d/uncommon-network-protocols.conf +rm_conffile /etc/modprobe.d/blacklist-bluetooth.conf +rm_conffile /etc/modprobe.d/vivid.conf +rm_conffile /etc/modprobe.d/blacklist-dma.conf +rm_conffile /etc/modprobe.d/msr.conf +rm_conffile /etc/modprobe.d/30_nf_conntrack_helper_disable.conf +rm_conffile /etc/modprobe.d/30_security-misc.conf + +## renamed to /etc/security/limits.d/30_security-misc.conf +rm_conffile 
/etc/security/limits.d/disable-coredumps.conf + +## moved to separate package ram-wipe +rm_conffile /etc/default/grub.d/40_cold_boot_attack_defense.cfg + +rm_conffile /etc/X11/Xsession.d/50panic_on_oops +rm_conffile /etc/X11/Xsession.d/50security-misc + +## moved to /usr/lib/sysctl.d +rm_conffile /etc/sysctl.d/30_security-misc.conf +rm_conffile /etc/sysctl.d/30_silent-kernel-printk.conf +rm_conffile /etc/sysctl.d/30_security-misc_kexec-disable.conf + +## moved to /etc/permission-hardener.d +rm_conffile /etc/permission-hardening.d/25_default_passwd.conf +rm_conffile /etc/permission-hardening.d/25_default_sudo.conf +rm_conffile /etc/permission-hardening.d/25_default_whitelist_bubblewrap.conf +rm_conffile /etc/permission-hardening.d/25_default_whitelist_chromium.conf +rm_conffile /etc/permission-hardening.d/25_default_whitelist_dbus.conf +rm_conffile /etc/permission-hardening.d/25_default_whitelist_firejail.conf +rm_conffile /etc/permission-hardening.d/25_default_whitelist_fuse.conf +rm_conffile /etc/permission-hardening.d/25_default_whitelist_hardened_malloc.conf +rm_conffile /etc/permission-hardening.d/25_default_whitelist_mount.conf +rm_conffile /etc/permission-hardening.d/25_default_whitelist_pam.conf +rm_conffile /etc/permission-hardening.d/25_default_whitelist_policykit.conf +rm_conffile /etc/permission-hardening.d/25_default_whitelist_qubes.conf +rm_conffile /etc/permission-hardening.d/25_default_whitelist_selinux.conf +rm_conffile /etc/permission-hardening.d/25_default_whitelist_spice.conf +rm_conffile /etc/permission-hardening.d/25_default_whitelist_ssh.conf +rm_conffile /etc/permission-hardening.d/25_default_whitelist_sudo.conf +rm_conffile /etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf +rm_conffile /etc/permission-hardening.d/25_default_whitelist_virtualbox.conf +rm_conffile /etc/permission-hardening.d/30_default.conf + +## moved to /usr/lib/permission-hardener.d +rm_conffile /etc/permission-hardener.d/25_default_passwd.conf +rm_conffile 
/etc/permission-hardener.d/25_default_sudo.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_bubblewrap.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_chromium.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_dbus.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_firejail.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_fuse.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_hardened_malloc.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_mount.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_pam.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_policykit.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_postfix.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_qubes.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_selinux.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_spice.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_ssh.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_sudo.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_virtualbox.conf +rm_conffile /etc/permission-hardener.d/30_default.conf + +## merged into 1 file /etc/default/grub.d/40_kernel_hardening.cfg +rm_conffile /etc/default/grub.d/40_distrust_bootloader.cfg +rm_conffile /etc/default/grub.d/40_distrust_cpu.cfg +rm_conffile /etc/default/grub.d/40_enable_iommu.cfg + +## renamed to /etc/default/grub.d/40_remount_secure.cfg +rm_conffile /etc/default/grub.d/40_remmount-secure.cfg + +## renamed to /etc/default/grub.d/40_signed_modules.cfg +rm_conffile /etc/default/grub.d/40_only_allow_signed_modules.cfg + +## renamed to /etc/default/grub.d/41_quiet_boot.cfg +rm_conffile /etc/default/grub.d/41_quiet.cfg + +## moved to usability-misc +rm_conffile 
/etc/dkms/framework.conf.d/30_security-misc.conf + +## renamed to reflect the fact that this uses a whitelist +rm_conffile /usr/lib/permission-hardener.d/25_default_passwd.conf diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst index aabb3d5..ac81a23 100644 --- a/debian/security-misc.postinst +++ b/debian/security-misc.postinst 
@@ -1,29 +1,107 @@ #!/bin/bash -## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. -if [ -f /usr/lib/helper-scripts/pre.bsh ]; then - source /usr/lib/helper-scripts/pre.bsh +if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then + source /usr/libexec/helper-scripts/pre.bsh fi +## Required since this package uses debconf - this is mandatory even though +## the postinst itself does not use debconf commands. +source /usr/share/debconf/confmodule + set -e true " ##################################################################### -## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@ +## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $* ##################################################################### " +permission_hardening_legacy_config_folder() { + if ! test -d /etc/permission-hardening.d ; then + return 0 + fi + rmdir --verbose --ignore-fail-on-non-empty /etc/permission-hardening.d || true +} + +permission_hardening() { + echo "Running SUID Disabler and Permission Hardener... See also:" + echo "https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener" + echo "$0: INFO: running: permission-hardener enable" + if ! permission-hardener enable ; then + echo "$0: ERROR: Permission hardening failed." >&2 + return 0 + fi + echo "$0: INFO: Permission hardening success." +} + +migrate_permission_hardener_state() { + local existing_mode_dir new_mode_dir dpkg_statoverride_list + ## If folder /var/lib/permission-hardener (version 1) does not exist, this migration is unneeded. + if [ ! 
-d '/var/lib/permission-hardener' ]; then + return 0 + fi + + if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_2" ]; then + return 0 + fi + mkdir --parents '/var/lib/security-misc/do_once' + + existing_mode_dir='/var/lib/permission-hardener-v2/existing_mode' + new_mode_dir='/var/lib/permission-hardener-v2/new_mode' + + mkdir --parents "${existing_mode_dir}"; + mkdir --parents "${new_mode_dir}"; + + cp --verbose '/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded' "${existing_mode_dir}/statoverride" + cp --verbose '/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded' "${new_mode_dir}/statoverride" + + dpkg_statoverride_list="$(dpkg-statoverride --admindir "${new_mode_dir}" --list)" + + if [ "$(stat --format '%G' /usr/bin/sudo)" = 'sysmaint' ]; then + if ! [[ "${dpkg_statoverride_list}" =~ '/usr/bin/sudo' ]]; then + dpkg-statoverride --admindir "${new_mode_dir}" --add 'root' 'sysmaint' '4750' '/usr/bin/sudo' + fi + fi + if [ "$(stat --format '%G' /usr/bin/pkexec)" = 'sysmaint' ]; then + if ! [[ "${dpkg_statoverride_list}" =~ '/usr/bin/pkexec' ]]; then + dpkg-statoverride --admindir "${new_mode_dir}" --add 'root' 'sysmaint' '4750' '/usr/bin/pkexec' + fi + fi + + touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_2" +} + case "$1" in configure) + if [ -d /etc/skel/.gnupg ]; then + ## Lintian warns against use of chmod --recursive. 
+ chmod 700 /etc/skel/.gnupg + fi + ## /usr/share/glib-2.0/schemas/30_security-misc.gschema.override glib-compile-schemas /usr/share/glib-2.0/schemas || true + + ## state dir for faillock + mkdir -p /var/lib/security-misc/faillock + + ## migrate permission_hardener state to v2 if applicable + migrate_permission_hardener_state ;; abort-upgrade|abort-remove|abort-deconfigure) ;; + triggered) + echo "INFO: triggered $DPKG_MAINTSCRIPT_PACKAGE: '$DPKG_MAINTSCRIPT_PACKAGE' $DPKG_MAINTSCRIPT_PACKAGE DPKG_MAINTSCRIPT_NAME: '$DPKG_MAINTSCRIPT_NAME' $\*: '$*' 2: '$2'" + /usr/share/security-misc/lkrg/lkrg-virtualbox || true + /usr/libexec/security-misc/mmap-rnd-bits || true + permission_hardening + exit 0 + ;; + *) echo "$DPKG_MAINTSCRIPT_NAME called with unknown argument \`$1'" >&2 exit 1 @@ -32,7 +110,9 @@ esac pam-auth-update --package -/usr/lib/security-misc/permission-lockdown +/usr/libexec/security-misc/permission-lockdown + +permission_hardening ## https://phabricator.whonix.org/T377 ## Debian has no update-grub trigger yet: @@ -46,15 +126,19 @@ you should fix running 'update-grub', otherwise your system might no longer \ boot." >&2 fi +/usr/libexec/security-misc/mmap-rnd-bits || true + true "INFO: debhelper beginning here." #DEBHELPER# true "INFO: Done with debhelper." +permission_hardening_legacy_config_folder + true " ##################################################################### -## INFO: END : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@ +## INFO: END : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $* ##################################################################### " diff --git a/debian/security-misc.postrm b/debian/security-misc.postrm index 4ff6c36..13dc588 100644 --- a/debian/security-misc.postrm +++ b/debian/security-misc.postrm 
@@ -1,10 +1,10 @@ #!/bin/bash -## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. -if [ -f /usr/lib/helper-scripts/pre.bsh ]; then - source /usr/lib/helper-scripts/pre.bsh +if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then + source /usr/libexec/helper-scripts/pre.bsh fi set -e @@ -18,6 +18,8 @@ true " ## https://forums.whonix.org/t/is-security-misc-suitable-for-hardening-bridges-and-relays/8299/11 pam-auth-update --package --remove "$DPKG_MAINTSCRIPT_PACKAGE" +rm -f /etc/sysctl.d/30_security-misc_aslr-mmap.conf + true "INFO: debhelper beginning here." #DEBHELPER# diff --git a/debian/security-misc.preinst b/debian/security-misc.preinst index 4fa5c52..8e900d0 100644 --- a/debian/security-misc.preinst +++ b/debian/security-misc.preinst @@ -1,10 +1,10 @@ #!/bin/bash -## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. -if [ -f /usr/lib/helper-scripts/pre.bsh ]; then - source /usr/lib/helper-scripts/pre.bsh +if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then + source /usr/libexec/helper-scripts/pre.bsh fi set -e @@ -16,13 +16,16 @@ true " " user_groups_modifications() { - ## /usr/lib/security-misc/hide-hardware-info + ## /usr/libexec/security-misc/hide-hardware-info addgroup --system sysfs addgroup --system cpuinfo + ## /usr/lib/systemd/system/proc-hidepid.service + addgroup --system proc + ## group 'sudo' membership required to use 'su' ## /usr/share/pam-configs/wheel-security-misc - addgroup root sudo + adduser root sudo ## Useful to create groups in preinst rather than postinst. ## Otherwise if a user saw an error message such as this: 
@@ -44,8 +47,15 @@ user_groups_modifications() { ## an "empty" /etc/securetty. ## In case a system administrator edits /etc/securetty, there is no need to ## block for this to be still blocked by console lockdown. See also: - ## https://www.whonix.org/wiki/Root#Root_Login - addgroup root console + ## https://www.kicksecure.com/wiki/Root#Root_Login + adduser root console +} + +output_skip_checks() { + echo "security-misc '$0' INFO: Allow installation of security-misc anyway." >&2 + echo "security-misc '$0' INFO: (technical reason: $@)" >&2 + echo "security-misc '$0' INFO: If this is a chroot this is probably OK." >&2 + echo "security-misc '$0' INFO: Otherwise you might not be able to login." >&2 } sudo_users_check () { @@ -56,6 +66,8 @@ sudo_users_check () { return 0 fi + local sudo_users user_with_sudo are_there_any_sudo_users OLD_IFS + sudo_users="$(getent group sudo | cut -d: -f4)" ## example sudo_users: ## user,root 
@@ -78,22 +90,41 @@ sudo_users_check () { IFS="$OLD_IFS" export IFS + if [ "$are_there_any_sudo_users" = "yes" ]; then + return 0 + fi + ## Prevent users from locking themselves out. ## https://forums.whonix.org/t/is-security-misc-suitable-for-hardening-bridges-and-relays/8299/4 - if [ ! "$are_there_any_sudo_users" = "yes" ]; then - echo "$0: ERROR: No user is a member of group 'sudo'. Installation aborted." >&2 - echo "$0: ERROR: You probably want to run:" >&2 - echo "" >&2 - echo "sudo adduser user sudo" >&2 - echo "sudo adduser user console" >&2 - echo "" >&2 - echo "$0: ERROR: See also installation instructions:" >&2 - echo "https://www.whonix.org/wiki/security-misc#install" >&2 - exit 200 + echo "$0: ERROR: No user is a member of group 'sudo'. Installation aborted." >&2 + echo "$0: ERROR: You probably want to run:" >&2 + echo "$0: NOTE: Replace user 'user' with your actual Linux user account name." >&2 + echo "" >&2 + echo "sudo adduser user sudo" >&2 + echo "sudo adduser user console" >&2 + echo "" >&2 + echo "$0: ERROR: See also installation instructions:" >&2 + echo "https://www.kicksecure.com/wiki/security-misc#install" >&2 + + if [ "$SECURITY_MISC_INSTALL" = "force" ]; then + output_skip_checks "Environment variable SECURITY_MISC_INSTALL is set to 'force'." + return 0 fi + if test -f "/var/lib/security-misc/skip_install_check" ; then + output_skip_checks "File '/var/lib/security-misc/skip_install_check' exists." + return 0 + fi + + exit 200 } console_users_check() { + if [ "$SECURITY_MISC_INSTALL" = "force" ]; then + return 0 + fi + if test -f "/var/lib/security-misc/skip_install_check" ; then + return 0 + fi if command -v "qubesdb-read" &>/dev/null; then ## Qubes users can use dom0 to get a root terminal emulator. ## For example: 
@@ -101,8 +132,10 @@ console_users_check() { return 0 fi + local console_users console_unrestricted_users user_with_console are_there_any_console_users OLD_IFS + console_users="$(getent group console | cut -d: -f4)" - ## example ssh_users: + ## example console_users: ## user console_unrestricted_users="$(getent group console-unrestricted | cut -d: -f4)" 
@@ -126,19 +159,74 @@ console_users_check() { ## Prevent users from locking themselves out. ## https://forums.whonix.org/t/is-security-misc-suitable-for-hardening-bridges-and-relays/8299/4 - if [ ! "$are_there_any_console_users" = "yes" ]; then - echo "$0: ERROR: No user is a member of group 'console'. Installation aborted." >&2 - echo "$0: ERROR: You probably want to run:" >&2 - echo "" >&2 - echo "sudo adduser user console" >&2 - echo "" >&2 - echo "$0: ERROR: See also installation instructions:" >&2 - echo "https://www.whonix.org/wiki/security-misc#install" >&2 - exit 201 + if [ "$are_there_any_console_users" = "yes" ]; then + return 0 fi + + echo "$0: ERROR: No user is a member of group 'console'. Installation aborted." >&2 + echo "$0: ERROR: You probably want to run:" >&2 + echo "" >&2 + echo "sudo adduser user console" >&2 + echo "" >&2 + echo "$0: ERROR: See also installation instructions:" >&2 + echo "https://www.whonix.org/wiki/security-misc#install" >&2 + + if [ "$SECURITY_MISC_INSTALL" = "force" ]; then + output_skip_checks "Environment variable SECURITY_MISC_INSTALL is set to 'force'." + return 0 + fi + if test -f "/var/lib/security-misc/skip_install_check" ; then + output_skip_checks "File '/var/lib/security-misc/skip_install_check' exists." + return 0 + fi + + exit 201 +} + +legacy() { + if [ -f "/var/lib/legacy/do_once/${FUNCNAME}_version_1" ]; then + return 0 + fi + + local continue_yes user_to_be_created + + if [ -f "/usr/share/whonix/marker" ]; then + continue_yes=true + fi + if [ -f "/usr/share/kicksecure/marker" ]; then + continue_yes=true + fi + + if [ ! "$continue_yes" = "true" ]; then + return 0 + fi + + if command -v "qubesdb-read" &>/dev/null; then + ## Qubes users can use dom0 to get a root terminal emulator. + ## For example: + ## qvm-run -u root debian-10 xterm + return 0 + fi + + ## https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/7 + + user_to_be_created=user + + if ! 
id "$user_to_be_created" &>/dev/null ; then + true "INFO: user '$user_to_be_created' does not exist. Skipping adduser console and pam-auth-update." + return 0 + fi + + adduser "$user_to_be_created" console + + pam-auth-update --enable console-lockdown-security-misc + + mkdir --parents "/var/lib/legacy/do_once" + touch "/var/lib/legacy/do_once/${FUNCNAME}_version_1" } user_groups_modifications +legacy if [ "$1" = "install" ] || [ "$1" = "upgrade" ]; then sudo_users_check diff --git a/debian/security-misc.prerm b/debian/security-misc.prerm index f6ceea5..1c4cd87 100644 --- a/debian/security-misc.prerm +++ b/debian/security-misc.prerm @@ -1,10 +1,10 @@ #!/bin/bash -## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. -if [ -f /usr/lib/helper-scripts/pre.bsh ]; then - source /usr/lib/helper-scripts/pre.bsh +if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then + source /usr/libexec/helper-scripts/pre.bsh fi set -e diff --git a/debian/security-misc.templates b/debian/security-misc.templates new file mode 100644 index 0000000..1b543e7 --- /dev/null +++ b/debian/security-misc.templates @@ -0,0 +1,9 @@ +Template: security-misc/alert-on-permission-hardener-v2-upgrade +Type: note +_Description: Manual intervention may be required for permission-hardener update + No need to panic. Nothing is broken. A rare condition has been encountered. + permission-hardener is being updated to fix a minor bug that caused + corruption in the permission-hardener state file. If you installed your own + custom permission-hardener configuration, some manual intervention may be + required. See: + https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#fixing_state_files diff --git a/debian/security-misc.triggers b/debian/security-misc.triggers new file mode 100644 index 0000000..1f4a592 --- /dev/null +++ b/debian/security-misc.triggers 
@@ -0,0 +1,16 @@ +## Copyright (C) 2024 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## use noawait +## https://github.com/Kicksecure/security-misc/issues/196 + +## Trigger permission hardener when new binaries are being installed. +interest-noawait /usr +interest-noawait /opt + +## Trigger permission hardener when new configuration files are being installed. +interest-noawait /usr/lib/permission-hardener.d +interest-noawait /etc/permission-hardener.d +interest-noawait /usr/local/etc/permission-hardener.d +interest-noawait /etc/permission-hardening.d +interest-noawait /usr/local/etc/permission-hardening.d diff --git a/debian/security-misc.undisplace b/debian/security-misc.undisplace index db0d1fd..990101a 100644 --- a/debian/security-misc.undisplace +++ b/debian/security-misc.undisplace @@ -1,4 +1,6 @@ -## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. /etc/login.defs.security-misc +/usr/bin/pkexec.security-misc +/etc/dkms/framework.conf.security-misc diff --git a/debian/source/lintian-overrides b/debian/source/lintian-overrides index 942fd18..c657565 100644 --- a/debian/source/lintian-overrides +++ b/debian/source/lintian-overrides @@ -1,2 +1,2 @@ ## https://phabricator.whonix.org/T277 -debian-watch-does-not-check-gpg-signature +debian-watch-does-not-check-openpgp-signature diff --git a/debian/watch b/debian/watch index 16e01a4..86f015f 100644 --- a/debian/watch +++ b/debian/watch @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. version=4 diff --git a/etc/X11/Xsession.d/50panic_on_oops b/etc/X11/Xsession.d/50panic_on_oops deleted file mode 100644 index ef21228..0000000 --- a/etc/X11/Xsession.d/50panic_on_oops +++ /dev/null 
@@ -1,8 +0,0 @@ -#!/bin/sh - -## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -if [ -x /usr/lib/security-misc/panic-on-oops ]; then - sudo --non-interactive /usr/lib/security-misc/panic-on-oops -fi diff --git a/etc/X11/Xsession.d/50security-misc b/etc/X11/Xsession.d/50security-misc deleted file mode 100644 index 9ec65bd..0000000 --- a/etc/X11/Xsession.d/50security-misc +++ /dev/null @@ -1,7 +0,0 @@ -## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -if [ -z "$XDG_CONFIG_DIRS" ]; then - XDG_CONFIG_DIRS=/etc/xdg -fi -export XDG_CONFIG_DIRS=/usr/share/security-misc/:$XDG_CONFIG_DIRS diff --git a/etc/apparmor.d/tunables/home.d/security-misc b/etc/apparmor.d/tunables/home.d/security-misc index 61735d3..d63d5db 100644 --- a/etc/apparmor.d/tunables/home.d/security-misc +++ b/etc/apparmor.d/tunables/home.d/security-misc @@ -1,7 +1,7 @@ -## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. -alias /etc/pam.d/common-session -> /etc/pam.d//etc/pam.d/common-session.security-misc, +alias /etc/pam.d/common-session -> /etc/pam.d/common-session.security-misc, alias /etc/pam.d/common-session-noninteractive -> /etc/pam.d/common-session-noninteractive.security-misc, alias /etc/login.defs -> /etc/login.defs.security-misc, alias /etc/securetty -> /etc/securetty.security-misc, diff --git a/etc/apparmor.d/usr.lib.security-misc.pam_tally2-info b/etc/apparmor.d/usr.lib.security-misc.pam_tally2-info deleted file mode 100644 index 50803fb..0000000 --- a/etc/apparmor.d/usr.lib.security-misc.pam_tally2-info +++ /dev/null 
@@ -1,42 +0,0 @@ -## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -#include - -/usr/lib/security-misc/pam_tally2-info flags=(attach_disconnected) { - #include - #include - - capability dac_override, - capability dac_read_search, - - /bin/bash ix, - /bin/cat mrix, - /usr/bin/cat mrix, - /bin/grep mrix, - /usr/bin/id rix, - /usr/bin/cut mrix, - /usr/bin/tail mrix, - /sbin/pam_tally2 mrix, - /usr/sbin/pam_tally2 mrix, - /usr/lib/security-misc/pam_tally2-info r, - - /etc/ld.so.cache r, - /etc/locale.alias r, - - /{usr/,}lib{,32,64}/** mr, - - owner /etc/nsswitch.conf r, - owner /etc/pam.d/* r, - owner /etc/passwd r, - owner /etc/group r, - owner /etc/securetty r, - - owner /usr/share/zoneinfo/** r, - owner /var/log/tallylog rw, - - /dev/tty rw, - owner /dev/pts/[0-9]* rw, - - #include -} diff --git a/etc/apparmor.d/usr.lib.security-misc.permission-lockdown b/etc/apparmor.d/usr.lib.security-misc.permission-lockdown deleted file mode 100644 index cffcb0d..0000000 --- a/etc/apparmor.d/usr.lib.security-misc.permission-lockdown +++ /dev/null @@ -1,42 +0,0 @@ -## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -#include - -/usr/lib/security-misc/permission-lockdown flags=(attach_disconnected) { - #include - #include - - capability dac_override, - capability dac_read_search, - capability fowner, - capability fsetid, - - /bin/bash rix, - /usr/bin/bash rix, - /bin/chmod mrix, - /bin/echo mrix, - /bin/mkdir mrix, - /bin/touch mrix, - /usr/bin/chmod mrix, - /usr/bin/basename mrix, - /usr/bin/touch mrix, - /usr/lib/security-misc/permission-lockdown r, - - /home/*/ w, - - /{usr/,}lib{,32,64}/** mr, - - /etc/ld.so.cache r, - owner /etc/locale.alias r, - owner /etc/nsswitch.conf r, - owner /etc/passwd r, - - owner /var/cache/security-misc/state-files/ rw, - owner /var/cache/security-misc/state-files/* rw, - - /dev/tty rw, - /dev/pts/[0-9]* rw, - - #include -} 
diff --git a/etc/apt/apt.conf.d/40error-on-any b/etc/apt/apt.conf.d/40error-on-any new file mode 100644 index 0000000..f1be472 --- /dev/null +++ b/etc/apt/apt.conf.d/40error-on-any @@ -0,0 +1,9 @@ +## Copyright (C) 2021 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Make "sudo apt-get update" exit non-zero for transient failures. +## Same as "apt-get --error-on=any". +## https://forums.whonix.org/t/debian-bullseye-apt-get-error-on-any/12068 +## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=594813 +## https://salsa.debian.org/apt-team/apt/-/commit/c7123bea6a8dc2c9e327ce41ddfc25e29f1bb145 +APT::Update::Error-Mode any; diff --git a/etc/apt/apt.conf.d/40sandbox b/etc/apt/apt.conf.d/40sandbox index e79194f..43150ec 100644 --- a/etc/apt/apt.conf.d/40sandbox +++ b/etc/apt/apt.conf.d/40sandbox @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## https://forums.whonix.org/t/apt-seccomp-bpf-sandboxing/7702 diff --git a/etc/bluetooth/30_security-misc.conf b/etc/bluetooth/30_security-misc.conf new file mode 100644 index 0000000..8de8384 --- /dev/null +++ b/etc/bluetooth/30_security-misc.conf 
@@ -0,0 +1,28 @@ +## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +[General] +# How long to stay in pairable mode before going back to non-discoverable +# The value is in seconds. Default is 0. +# 0 = disable timer, i.e. stay pairable forever +PairableTimeout = 30 + +# How long to stay in discoverable mode before going back to non-discoverable +# The value is in seconds. Default is 180, i.e. 3 minutes. +# 0 = disable timer, i.e. stay discoverable forever +DiscoverableTimeout = 30 + +# Maximum number of controllers allowed to be exposed to the system. +# Default=0 (unlimited) +MaxControllers=1 + +[Policy] +# AutoEnable defines option to enable all controllers when they are found. +# This includes adapters present on start as well as adapters that are plugged +# in later on. Defaults to 'true'. +AutoEnable=false + +# network/on: A device will only accept advertising packets from peer +# devices that contain private addresses. It may not be compatible with some +# legacy devices since it requires the use of RPA(s) all the time. +Privacy=network/on diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg new file mode 100644 index 0000000..efc9e5e --- /dev/null +++ b/etc/default/grub.d/40_cpu_mitigations.cfg 
@@ -0,0 +1,189 @@ +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Definitions: +## KSPP=yes: compliant with recommendations by the KSPP +## KSPP=partial: partially compliant with recommendations by the KSPP +## KSPP=no: not (currently) compliant with recommendations by the KSPP +## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. + +## Enable known mitigations for CPU vulnerabilities. +## Note, the mitigations for SSB and Retbleed are not currently mentioned in the first link. +## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html +## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html +## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647 + +## Check for potential updates directly from AMD and Intel. +## https://www.amd.com/en/resources/product-security.html +## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/advisory-guidance.html +## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/disclosure-documentation.html + +## Tabular comparison between the utility and functionality of various mitigations. +## https://forums.whonix.org/t/kernel-hardening-security-misc/7296/587 + +## For complete protection, users must install the latest relevant security microcode update. +## BIOS/UEFI updates should only be obtained directly from OEMs and/or motherboard manufacturers. +## Note that incorrectly performing system BIOS/UEFI updates can potentially lead to serious functionality issues. +## The parameters below only provide (partial) protection at both the kernel and user space level. + +## If using Secure Boot, users must also ensure the Secure Boot Forbidden Signature Database (DBX) is up to date. 
+## The UEFI Revocation List contains signatures of now revoked firmware and software used in booting systems. +## If using compatible hardware, the database can be updated directly in user space using fwupd. +## Note that incorrectly performing DBX updates can potentially lead to serious functionality issues. +## https://github.com/microsoft/secureboot_objects +## https://uefi.org/revocationlistfile +## https://github.com/fwupd/fwupd + +## Enable a subset of known mitigations for some CPU vulnerabilities and disable SMT. +## +## KSPP=yes +## KSPP sets the kernel parameters. +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt" + +## Disable SMT as it has been the cause of and amplified numerous CPU exploits. +## The only full mitigation of cross-HT attacks is to disable SMT. +## Disabling will significantly decrease system performance on multi-threaded tasks. +## Note, this setting will prevent re-enabling SMT via the sysfs interface. +## +## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html +## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17 +## https://github.com/anthraxx/linux-hardened/issues/37#issuecomment-619597365 +## +## KSPP=yes +## KSPP sets the kernel parameter. +## +## To re-enable SMT: +## - Remove "nosmt=force". +## - Remove all occurrences of ",nosmt" in this file (note the comma ","). +## - Downgrade "l1tf=full,force" protection to "l1tf=flush". +## - Regenerate the dracut initramfs and then reboot system. +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force" + +## Spectre Side Channels (BTI and BHI): +## Unconditionally enable mitigation for Spectre Variant 2 (branch target injection). +## Enable mitigation for the Intel branch history injection vulnerability. +## Currently affects both AMD and Intel CPUs. 
+## +## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_bhi=on" + +## Speculative Store Bypass (SSB): +## Mitigate Spectre Variant 4 by disabling speculative store bypass system-wide. +## Unconditionally enable the mitigation for both kernel and userspace. +## Currently affects both AMD and Intel CPUs. +## +## https://en.wikipedia.org/wiki/Speculative_Store_Bypass +## https://www.suse.com/support/kb/doc/?id=000019189 +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ssbd=force-on" + +## L1 Terminal Fault (L1TF): +## Mitigate the vulnerability by disabling L1D flush runtime control and SMT. +## If L1D flushing is conditional, mitigate the vulnerability for certain KVM hypervisor configurations. +## Currently affects Intel CPUs. +## +## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1tf=full,force" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm-intel.vmentry_l1d_flush=always" + +## Microarchitectural Data Sampling (MDS): +## Mitigate the vulnerability by clearing the CPU buffer cache and disabling SMT. +## Currently affects Intel CPUs. +## +## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt" + +## TSX Asynchronous Abort (TAA): +## Mitigate the vulnerability by disabling TSX. +## If TSX is enabled, clear CPU buffer rings on transitions and disable SMT. +## Currently affects Intel CPUs. +## +## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx_async_abort=full,nosmt" + +## iTLB Multihit: +## Mitigate the vulnerability by marking all huge pages in the EPT as non-executable. 
+## Currently affects Intel CPUs. +## +## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force" + +## Special Register Buffer Data Sampling (SRBDS): +## Mitigation of the vulnerability is only possible via microcode update from Intel. +## Currently affects Intel CPUs. +## +## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/special-register-buffer-data-sampling.html +## https://access.redhat.com/solutions/5142691 + +## L1D Flushing: +## Mitigate leaks from the L1D cache on context switches by enabling the prctl() interface. +## Currently affects Intel CPUs. +## +## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1d_flush.html +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1d_flush=on" + +## Processor MMIO Stale Data: +## Mitigate the vulnerabilities by appropriately clearing the CPU buffer and disabling SMT. +## Currently affects Intel CPUs. +## +## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mmio_stale_data=full,nosmt" + +## Arbitrary Speculative Code Execution with Return Instructions (Retbleed): +## Mitigate the vulnerability through CPU-dependent implementation and disable SMT. +## Currently affects both AMD Zen 1-2 and Intel CPUs. +## +## https://en.wikipedia.org/wiki/Retbleed +## https://comsec.ethz.ch/research/microarch/retbleed/ +## https://www.suse.com/support/kb/doc/?id=000020693 +## https://access.redhat.com/solutions/retbleed +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt" + +## Cross-Thread Return Address Predictions: +## Mitigate the vulnerability for certain KVM hypervisor configurations. +## Currently affects AMD Zen 1-2 CPUs. 
+## +## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/cross-thread-rsb.html +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.mitigate_smt_rsb=1" + +## Speculative Return Stack Overflow (SRSO): +## Mitigate the vulnerability by ensuring all RET instructions speculate to a controlled location. +## Currently affects AMD Zen 1-4 CPUs. +## +## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html +## +## The default kernel setting will be utilized until provided sufficient evidence to modify. +## Using "spec_rstack_overflow=ipbp" may provide stronger security at a greater performance impact. +## +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_rstack_overflow=safe-ret" + +## Gather Data Sampling (GDS): +## Mitigate the vulnerability either via microcode update or by disabling AVX. +## Note, without a suitable microcode update, this will entirely disable use of the AVX instructions set. +## Currently affects Intel CPUs. +## +## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/gather_data_sampling.html +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX gather_data_sampling=force" + +## Register File Data Sampling (RFDS): +## Mitigate the vulnerability by appropriately clearing the CPU buffer. +## Currently affects Intel Atom CPUs (which encompasses E-cores on hybrid architectures). +## +## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/reg-file-data-sampling.html +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX reg_file_data_sampling=on" diff --git a/etc/default/grub.d/40_distrust_cpu.cfg b/etc/default/grub.d/40_distrust_cpu.cfg deleted file mode 100644 index f3f2fab..0000000 --- a/etc/default/grub.d/40_distrust_cpu.cfg +++ /dev/null 
@@ -1,11 +0,0 @@ -## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Distrusts the CPU for initial entropy at boot as it is not possible to -## audit, may contain weaknesses or a backdoor. -## -## https://en.wikipedia.org/wiki/RDRAND#Reception -## https://twitter.com/pid_eins/status/1149649806056280069 -## https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html -## https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566 -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off" diff --git a/etc/default/grub.d/40_enable_iommu.cfg b/etc/default/grub.d/40_enable_iommu.cfg deleted file mode 100644 index 1d6dd0a..0000000 --- a/etc/default/grub.d/40_enable_iommu.cfg +++ /dev/null @@ -1,5 +0,0 @@ -## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Enables IOMMU to prevent DMA attacks. -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on amd_iommu=on" diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 7a50db8..671c28b 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg 
@@ -1,26 +1,332 @@ -## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. -## Disables the merging of slabs of similar sizes. Sometimes a slab can be used in a vulnerable way which an attacker can exploit. +kpkg="linux-image-$(dpkg --print-architecture)" || true +kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || true +#echo "## kver: $kver" + +## Definitions: +## KSPP=yes: compliant with recommendations by the KSPP +## KSPP=partial: partially compliant with recommendations by the KSPP +## KSPP=no: not (currently) compliant with recommendations by the KSPP +## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. + +## This configuration file is split into 4 sections: +## 1. Kernel Space +## 2. Direct Memory Access +## 3. Entropy +## 4. Networking + +## See the documentation below for details on the majority of the selected commands: +## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html +## https://wiki.archlinux.org/title/Kernel_parameters#GRUB + +## 1. Kernel Space: +## +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#boot-parameters +## https://kspp.github.io/Recommended_Settings#kernel-command-line-options + +## Disable merging of slabs with similar size. +## Reduces the risk of triggering heap overflows. +## Prevents overwriting objects from merged caches and limits influencing slab cache layout. +## +## https://www.openwall.com/lists/kernel-hardening/2017/06/19/33 +## https://www.openwall.com/lists/kernel-hardening/2017/06/20/10 +## +## KSPP=yes +## KSPP sets the kernel parameter and does not set CONFIG_SLAB_MERGE_DEFAULT. +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge" -## Enables sanity checks (F), redzoning (Z) and poisoning (P). 
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZP" +## Enable sanity checks and red zoning of slabs via debugging options to detect corruption. +## As a by product of debugging, this will implicitly disabling kernel pointer hashing. +## Enabling will therefore leak exact and all kernel memory addresses to root. +## Has the potential to cause a noticeable performance decrease. +## +## https://www.kernel.org/doc/html/latest/mm/slub.html +## https://lore.kernel.org/all/20210601182202.3011020-5-swboyd@chromium.org/T/#u +## https://gitlab.tails.boum.org/tails/tails/-/issues/19613 +## https://github.com/Kicksecure/security-misc/issues/253 +## +## KSPP=yes +## KSPP sets the kernel parameters and CONFIG_SLUB_DEBUG. +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_debug=FZ" -if command -v "qubesdb-read" >/dev/null 2>&1 ; then - ## https://github.com/QubesOS/qubes-issues/issues/5212#issuecomment-533873012 - true "skip adding page_poison=1 in Qubes" -else - ## Wipes free memory so it can't leak in various ways and prevents some use-after-free vulnerabilites. - GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_poison=1" -fi +## Zero memory at allocation time and free time. +## Fills newly allocated pages, freed pages, and heap objects with zeros. +## Mitigates use-after-free exploits by erasing sensitive information in memory. +## +## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6471384af2a6530696fc0203bafe4de41a23c9ef +## +## KSPP=yes +## KSPP sets the kernel parameters, CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y, and CONFIG_INIT_ON_FREE_DEFAULT_ON=y. +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_alloc=1" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_free=1" -## Makes the kernel panic on uncorrectable errors in ECC memory that an attacker could exploit. -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0" +## Enable the kernel page allocator to randomize free lists. 
+## During early boot, the page allocator has predictable FIFO behavior for physical pages. +## Limits some data exfiltration and ROP attacks that rely on inferring sensitive data location. +## Also improves performance by optimizing memory-side cache utilization. +## +## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e900a918b0984ec8f2eb150b8477a47b75d17692 +## https://en.wikipedia.org/wiki/Return-oriented_programming#Attacks +## +## KSPP=yes +## KSPP sets the kernel parameter and CONFIG_SHUFFLE_PAGE_ALLOCATOR=y. +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1" -## Enables Kernel Page Table Isolation which mitigates Meltdown and improves KASLR. +## Enable kernel page table isolation to harden against kernel ASLR (KASLR) bypasses. +## Mitigates the Meltdown CPU vulnerability. +## +## https://en.wikipedia.org/wiki/Kernel_page-table_isolation +## +## KSPP=yes +## KSPP sets the kernel parameter and CONFIG_MITIGATION_PAGE_TABLE_ISOLATION=y. +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on" -## Enables all mitigations for the MDS vulnerability. -## Disables smt which can be used to exploit the MDS vulnerability. -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt" +## Enable randomization of the kernel stack offset on syscall entries. +## Hardens against memory corruption attacks due to increased entropy. +## Limits attacks relying on deterministic stack addresses or cross-syscall address exposure. +## +## https://lkml.org/lkml/2019/3/18/246 +## https://a13xp0p0v.github.io/2020/02/15/CVE-2019-18683.html +## +## KSPP=yes +## KSPP sets the kernel parameter and CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y. +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX randomize_kstack_offset=on" + +## Disable vsyscalls to reduce attack surface as they have been replaced by vDSO. +## Vulnerable to ROP attacks as vsyscalls are located at fixed addresses in memory. 
+## +## https://lwn.net/Articles/446528/ +## https://en.wikipedia.org/wiki/VDSO +## +## KSPP=yes +## KSPP sets the kernel parameter, CONFIG_LEGACY_VSYSCALL_NONE=y and does not set CONFIG_X86_VSYSCALL_EMULATION. +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none" + +## Restrict access to debugfs by not registering the file system. +## Deactivated since the file system can contain sensitive information. +## +## https://lkml.org/lkml/2020/7/16/122 +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" + +## Force the kernel to panic on "oopses". +## Can sometimes potentially indicate and thwart certain kernel exploitation attempts. +## Panics may be due to false-positives such as bad drivers. +## +## https://en.wikipedia.org/wiki/Kernel_panic#Linux +## https://en.wikipedia.org/wiki/Linux_kernel_oops +## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713 +## +## KSPP=partial +## KSPP sets CONFIG_PANIC_ON_OOPS=y, but also requires CONFIG_PANIC_TIMEOUT=-1. +## +## See /usr/libexec/security-misc/panic-on-oops for implementation. +## +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX oops=panic" + +## Modify machine check exception handler. +## Can decide whether the system should panic or not based on the occurrence of an exception. +## +## https://www.kernel.org/doc/html/latest/arch/x86/x86_64/machinecheck.html +## https://www.kernel.org/doc/html/latest/arch/x86/x86_64/boot-options.html#machine-check +## https://forums.whonix.org/t/kernel-hardening/7296/494 +## +## The default kernel setting will be utilized until provided sufficient evidence to modify. +## +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0" + +## Prevent sensitive kernel information leaks in the console during boot. +## Must be used in combination with the kernel.printk sysctl. +## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation. 
+## +## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html +## https://wiki.archlinux.org/title/silent_boot +## +## See /etc/default/grub.d/41_quiet_boot.cfg for implementation. +## +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX loglevel=0" +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet" + +## Enable the kernel "Electric-Fence" sampling-based memory safety error detector. +## KFENCE detects heap out-of-bounds access, use-after-free, and invalid-free errors. +## Aims to have very low processing overhead at each sampling interval. +## Sampling interval is set to occur every 100 milliseconds as per KSPP recommendation. +## +## https://www.kernel.org/doc/html/latest/dev-tools/kfence.html +## https://google.github.io/kernel-sanitizers/KFENCE.html +## https://blogs.oracle.com/linux/post/linux-slub-allocator-internals-and-debugging-4 +## https://lwn.net/Articles/835542/ +## +## KSPP=yes +## KSPP sets the kernel parameter, CONFIG_KFENCE=y, and CONFIG_KFENCE_SAMPLE_INTERVAL=100. +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100" + +## Disable 32-bit Virtual Dynamic Shared Object (vDSO) mappings. +## Legacy compatibility feature for superseded glibc versions. +## +## https://lore.kernel.org/lkml/20080409082927.BD59E26F992@magilla.localdomain/T/ +## https://lists.openwall.net/linux-kernel/2014/03/11/3 +## +## KSPP=yes +## KSPP sets the kernel parameter and does not set CONFIG_COMPAT_VDSO. +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0" + +## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation. +## The default implementation is FineIBT as of Linux kernel 6.2. +## The Intel-developed IBT (Indirect Branch Tracking) is only used if supported by the CPU. +## kCFI is software-only while FineIBT is a hybrid software/hardware implementation. +## FineIBT may result in some performance benefits as it only performs checking at destinations. 
+## FineIBT is considered weaker against attacks that can write arbitrary executables into memory. +## Upstream hardening work has provided users the ability to disable FineIBT based on requests. +## Choice of CFI implementation is highly dependent on user threat model as there are pros/cons to both. +## Do not modify from the default setting if unsure of implications. +## +## https://lore.kernel.org/all/20221027092842.699804264@infradead.org/ +## https://lore.kernel.org/lkml/202210010918.4918F847C4@keescook/T/#u +## https://lore.kernel.org/lkml/202210182217.486CBA50@keescook/T/ +## https://lore.kernel.org/lkml/202407150933.E1871BE@keescook/ +## https://isopenbsdsecu.re/mitigations/forward_edge_cfi/ +## https://docs.kernel.org/next/x86/shstk.html +## https://source.android.com/docs/security/test/kcfi +## https://lpc.events/event/16/contributions/1315/attachments/1067/2169/cfi.pdf +## https://forums.whonix.org/t/kernel-hardening-security-misc/7296/561 +## +## KSPP=yes +## KSPP sets the kernel parameter. +## +## TODO: Debian 13 Trixie +## Applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness). +## +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX cfi=kcfi" + +## Disable support for x86 processes and syscalls. +## Unconditionally disables IA32 emulation to substantially reduce attack surface. +## +## https://lore.kernel.org/all/20230623111409.3047467-7-nik.borisov@suse.com/ +## +## KSPP=yes +## KSPP does not set CONFIG_COMPAT, CONFIG_IA32_EMULATION, CONFIG_X86_X32, CONFIG_X86_X32_ABI, and CONFIG_MODIFY_LDT_SYSCALL. +## +## TODO: Debian 13 Trixie +## Applicable when using Linux kernel >= 6.7 (retained here for future-proofing and completeness). +## +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0" + +## Disable EFI persistent storage feature. +## Disable Error Record Serialization Table (ERST) support as a form of defense-in-depth. +## Prevents the kernel from writing crash logs and other persistent data to the storage backend. 
+## Both the UEFI variable storage and ACPI ERST backends are deactivated. +## +## https://blogs.oracle.com/linux/post/pstore-linux-kernel-persistent-storage-file-system +## https://www.ais.com/understanding-pstore-linux-kernel-persistent-storage-file-system/ +## https://lwn.net/Articles/434821/ +## https://manpages.debian.org/testing/systemd/systemd-pstore.service.8.en.html +## https://gitlab.tails.boum.org/tails/tails/-/issues/20813 +## https://github.com/Kicksecure/security-misc/issues/299 +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi_pstore.pstore_disable=1" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX erst_disable" + +## 2. Direct Memory Access: +## +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#dma-attacks + +## Enable CPU manufacturer-specific IOMMU drivers to mitigate some DMA attacks. +## +## KSPP=yes +## KSPP sets CONFIG_INTEL_IOMMU=y, CONFIG_INTEL_IOMMU_DEFAULT_ON=y, CONFIG_INTEL_IOMMU_SVM=y, CONFIG_AMD_IOMMU=y, and CONFIG_AMD_IOMMU_V2=y. +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX amd_iommu=force_isolation" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on" + +## Enable and force use of IOMMU translation to protect against some DMA attacks. +## Strictly force DMA unmap operations to synchronously invalidate IOMMU hardware TLBs. +## Ensures devices will never be able to access stale data contents. +## +## https://en.wikipedia.org/wiki/Input%E2%80%93output_memory_management_unit +## https://en.wikipedia.org/wiki/DMA_attack +## https://lenovopress.lenovo.com/lp1467.pdf +## +## KSPP=yes +## KSPP sets the kernel parameters, CONFIG_IOMMU_SUPPORT=y, CONFIG_IOMMU_DEFAULT_DMA_STRICT=y, and does not set CONFIG_IOMMU_DEFAULT_PASSTHROUGH. +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu=force" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.passthrough=0" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.strict=1" + +## Clear the busmaster bit on all PCI bridges during the EFI hand-off. 
+## Terminates all existing DMA transactions prior to the kernel's IOMMU setup. +## Forces third party PCI devices to then re-set their busmaster bit in order to perform DMA. +## Assumes that the motherboard chipset and firmware are not malicious. +## May cause complete boot failure on certain hardware with incompatible firmware. +## +## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94 +## https://mjg59.dreamwidth.org/54433.html +## +## KSPP=yes +## KSPP sets CONFIG_EFI_DISABLE_PCI_DMA=y. +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma" + +## 3. Entropy: +## +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#rdrand + +## Do not credit the CPU or bootloader seeds as entropy sources at boot. +## The RDRAND CPU (RNG) instructions are proprietary and closed-source. +## Numerous implementations of RDRAND have a long history of being defective. +## The RNG seed passed by the bootloader could also potentially be tampered. +## Maximizing the entropy pool at boot is desirable for all cryptographic operations. +## These settings ensure additional entropy is obtained from other sources to initialize the RNG. +## Note that distrusting these (relatively fast) sources of entropy will increase boot time. 
+## +## https://en.wikipedia.org/wiki/RDRAND#Reception +## https://systemd.io/RANDOM_SEEDS/ +## https://www.kicksecure.com/wiki/Dev/Entropy#RDRAND +## https://arstechnica.com/gadgets/2019/10/how-a-months-old-amd-microcode-bug-destroyed-my-weekend/ +## https://x.com/pid_eins/status/1149649806056280069 +## https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html +## https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566 +## https://github.com/NixOS/nixpkgs/pull/165355 +## https://lkml.org/lkml/2022/6/5/271 +## +## KSPP=yes +## KSPP sets CONFIG_RANDOM_TRUST_BOOTLOADER=y and CONFIG_RANDOM_TRUST_CPU=y. +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_bootloader=off" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off" + +## Obtain more entropy during boot as the runtime memory allocator is being initialized. +## Entropy will be extracted from up to the first 4GB of RAM. +## Requires the linux-hardened kernel patch. +## +## https://www.kicksecure.com/wiki/Hardened-kernel#linux-hardened +## https://github.com/anthraxx/linux-hardened/commit/c3e7df1dba1eb8105d6d5143079a6a0ad9e9ebc7 +## https://github.com/anthraxx/linux-hardened/commit/a04458f97fe1f7e95888c77c0165b646375db9c4 +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy" + +## 4. Networking +## +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-boot-parameters + +## Disable the entire IPv6 stack functionality. +## Removes attack surface associated with the IPv6 module. +## +## https://www.kernel.org/doc/html/latest/networking/ipv6.html +## https://wiki.archlinux.org/title/IPv6#Disable_IPv6 +## +## Enabling makes redundant many network hardening sysctl's in /usr/lib/sysctl.d/990-security-misc.conf. +## +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ipv6.disable=1" 
diff --git a/etc/default/grub.d/40_remount_secure.cfg b/etc/default/grub.d/40_remount_secure.cfg new file mode 100644 index 0000000..c3cc30a --- /dev/null +++ b/etc/default/grub.d/40_remount_secure.cfg @@ -0,0 +1,31 @@ +## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Definitions: +## KSPP=yes: compliant with recommendations by the KSPP +## KSPP=partial: partially compliant with recommendations by the KSPP +## KSPP=no: not (currently) compliant with recommendations by the KSPP +## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. + +## Remount Secure provides enhanced security via mount options: +## https://www.kicksecure.com/wiki/Security-misc#Remount_Secure + +## Option A (No Security): +## Disable Remount Secure. +## +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=0" + +## Option B (Low Security): +## Re-mount with nodev and nosuid only. +## +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=1" + +## Option C (Medium Security): +## Re-mount with nodev, nosuid, and noexec for most mount points, excluding /home. +## +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=2" + +## Option D (Highest Security): +## Re-mount with nodev, nosuid, and noexec for all mount points including /home. +## +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=3" diff --git a/etc/default/grub.d/40_signed_modules.cfg b/etc/default/grub.d/40_signed_modules.cfg new file mode 100644 index 0000000..36af7f3 --- /dev/null +++ b/etc/default/grub.d/40_signed_modules.cfg 
@@ -0,0 +1,37 @@ +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Definitions: +## KSPP=yes: compliant with recommendations by the KSPP +## KSPP=partial: partially compliant with recommendations by the KSPP +## KSPP=no: not (currently) compliant with recommendations by the KSPP +## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. + +## Require every kernel module to be signed before being loaded. +## Any module that is unsigned or signed with an invalid key cannot be loaded. +## This prevents all out-of-tree kernel modules unless signed. +## This makes it harder to load a malicious module. +## +## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/61 +## https://github.com/dell/dkms/issues/359 +## +## KSPP=yes +## KSPP sets CONFIG_MODULE_SIG=y, CONFIG_MODULE_SIG_FORCE=y, and CONFIG_MODULE_SIG_ALL=y. +## +## Not enabled by default yet due to several issues. +## +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX module.sig_enforce=1" + +## Enable kernel lockdown to enforce security boundary between user and kernel space. +## Confidentiality mode enforces module signature verification. +## +## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880 +## +## KSPP=yes +## KSPP sets CONFIG_SECURITY_LOCKDOWN_LSM=y, CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y, and CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y. +## +## Not enabled by default yet due to several issues. +## +#if dpkg --compare-versions "${kver}" ge "5.4"; then +# GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX lockdown=confidentiality" +#fi diff --git a/etc/default/grub.d/41_quiet_boot.cfg b/etc/default/grub.d/41_quiet_boot.cfg new file mode 100644 index 0000000..7221ac0 --- /dev/null +++ b/etc/default/grub.d/41_quiet_boot.cfg 
@@ -0,0 +1,35 @@ +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Definitions: +## KSPP=yes: compliant with recommendations by the KSPP +## KSPP=partial: partially compliant with recommendations by the KSPP +## KSPP=no: not (currently) compliant with recommendations by the KSPP +## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. + +## Some default configuration files automatically include the "quiet" parameter. +## Therefore, first remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT since "quiet" must be first. +## str_replace is provided by package helper-scripts. +## +## https://github.com/Kicksecure/security-misc/pull/233#issuecomment-2228792461 +## +GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | str_replace "quiet" "")" + +## Prevent sensitive kernel information leaks in the console during boot. +## Must be used in combination with the kernel.printk sysctl. +## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation. +## +## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html +## https://wiki.archlinux.org/title/silent_boot +## +## For easier debugging, these are not applied to the recovery boot option. +## Switch the pair of commands to universally apply parameters to all boot options. +## +GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT loglevel=0" +GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT quiet" +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX loglevel=0" +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet" + +## For Increased Log Verbosity: +## Adjust (or comment out) the kernel.printk sysctl in /usr/lib/sysctl.d/30_silent-kernel-printk.conf. +## Alternatively, installing the debug-misc package will undo these settings. diff --git a/etc/default/grub.d/41_recovery_restrict.cfg b/etc/default/grub.d/41_recovery_restrict.cfg new file mode 100644 index 0000000..f54247b --- /dev/null 
+++ b/etc/default/grub.d/41_recovery_restrict.cfg @@ -0,0 +1,21 @@ +## Copyright (C) 2024 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Definitions: +## KSPP=yes: compliant with recommendations by the KSPP +## KSPP=partial: partially compliant with recommendations by the KSPP +## KSPP=no: not (currently) compliant with recommendations by the KSPP +## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. + +## Disable access to single-user (recovery) mode. +## +## https://forums.kicksecure.com/t/remove-linux-recovery-mode-boot-option-from-default-grub-boot-menu/727 +## +GRUB_DISABLE_RECOVERY="true" + +## Disable access to Dracut's recovery console. +## +## https://forums.kicksecure.com/t/harden-dracut-initramfs-generator-by-disabling-recovery-console/724 +## +GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT rd.emergency=halt" +GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT rd.shell=0" diff --git a/etc/dracut.conf.d/30-security-misc.conf b/etc/dracut.conf.d/30-security-misc.conf new file mode 100644 index 0000000..5b3c7b5 --- /dev/null +++ b/etc/dracut.conf.d/30-security-misc.conf @@ -0,0 +1,7 @@ +## Copyright (C) 2021 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +reproducible=yes + +## Debugging. +#show_modules=yes diff --git a/etc/gitconfig b/etc/gitconfig new file mode 100644 index 0000000..8ce67b4 --- /dev/null +++ b/etc/gitconfig 
@@ -0,0 +1,38 @@ +## Copyright (C) 2024 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Lines starting with a hash symbol ('#') are comments. +## https://github.com/Kicksecure/security-misc/issues/225 + +[core] +## https://github.com/git/git/security/advisories/GHSA-8prw-h3cq-mghm + symlinks = false + +## https://forums.whonix.org/t/git-users-enable-fsck-by-default-for-better-security/2066 +[transfer] + fsckobjects = true +[fetch] + fsckobjects = true +[receive] + fsckobjects = true + +## Generally a good idea but too intrusive to enable by default. +## Listed here as suggestions what users should put into their ~/.gitconfig +## file. + +## Not enabled by default because it requires essential knowledge about OpenPG +## and an already existing local signing key. Otherwise would prevent all new +## commits. +#[commit] +# gpgsign = true + +## Not enabled by default because it would break the 'git merge' command for +## unsigned commits and require the '--no-verify-signature' command line +## option. +#[merge] +# verifySignatures = true + +## Not enabled by default because it would break for users who are not having +## an account at the git server and having added a SSH public key. +#[url "ssh://git@github.com/"] +# insteadOf = https://github.com/ diff --git a/etc/hide-hardware-info.d/30_default.conf b/etc/hide-hardware-info.d/30_default.conf index 8c9ee9a..d1bc221 100644 --- a/etc/hide-hardware-info.d/30_default.conf +++ b/etc/hide-hardware-info.d/30_default.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Disable the /sys whitelist. @@ -6,3 +6,10 @@ ## Disable the /proc/cpuinfo whitelist. #cpuinfo_whitelist=0 + +## Disable /sys hardening. +#sysfs=0 + +## Disable selinux mode. +## https://www.kicksecure.com/wiki/Security-misc#selinux +#selinux=0 
diff --git a/etc/initramfs-tools/hooks/sysctl-initramfs b/etc/initramfs-tools/hooks/sysctl-initramfs new file mode 100755 index 0000000..022c6af --- /dev/null +++ b/etc/initramfs-tools/hooks/sysctl-initramfs @@ -0,0 +1,21 @@ +#!/bin/sh + +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +set -e + +PREREQ="" +prereqs() +{ + echo "$PREREQ" +} +case $1 in +prereqs) + prereqs + exit 0 + ;; +esac + +. /usr/share/initramfs-tools/hook-functions +copy_exec /usr/sbin/sysctl /usr/sbin diff --git a/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs b/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs new file mode 100755 index 0000000..e4792e7 --- /dev/null +++ b/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs @@ -0,0 +1,26 @@ +#!/bin/sh + +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +PREREQ="" +prereqs() +{ + echo "$PREREQ" +} +case $1 in +prereqs) + prereqs + exit 0 + ;; +esac + +## Write to '/run/initramfs' folder. +## https://forums.whonix.org/t/kernel-hardening/7296/435 + +sysctl -p ${rootmnt}/etc/sysctl.conf >/dev/null 2> "/run/initramfs/sysctl-initramfs-error.log" +sysctl -p ${rootmnt}/etc/sysctl.d/*.conf >/dev/null 2>> "/run/initramfs/sysctl-initramfs-error.log" + +grep -v "unprivileged_userfaultfd" "/run/initramfs/sysctl-initramfs-error.log" + +true diff --git a/etc/kernel/postinst.d/30_remove-system-map b/etc/kernel/postinst.d/30_remove-system-map index fc4a604..416c808 100755 --- a/etc/kernel/postinst.d/30_remove-system-map +++ b/etc/kernel/postinst.d/30_remove-system-map @@ -1,5 +1,8 @@ #!/bin/bash -if test -x /usr/lib/security-misc/remove-system.map ; then - /usr/lib/security-misc/remove-system.map +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +if test -x /usr/libexec/security-misc/remove-system.map ; then + /usr/libexec/security-misc/remove-system.map fi 
diff --git a/etc/modprobe.d/30_nf_conntrack_helper_disable.conf b/etc/modprobe.d/30_nf_conntrack_helper_disable.conf deleted file mode 100644 index bd42a28..0000000 --- a/etc/modprobe.d/30_nf_conntrack_helper_disable.conf +++ /dev/null @@ -1,2 +0,0 @@ -## https://phabricator.whonix.org/T486 -options nf_conntrack nf_conntrack_helper=0 diff --git a/etc/modprobe.d/30_security-misc_blacklist.conf b/etc/modprobe.d/30_security-misc_blacklist.conf new file mode 100644 index 0000000..5ce1edc --- /dev/null +++ b/etc/modprobe.d/30_security-misc_blacklist.conf 
@@ -0,0 +1,63 @@ +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## See the following links for a community discussion and overview regarding the selections. +## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989 +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules + +## Blacklisting prevents kernel modules from automatically starting. +## Disabling prohibits kernel modules from starting. + +## CD-ROM/DVD: +## Blacklist CD-ROM and DVD modules. +## Not disabled by default due to potential future ISO plans. +## +## https://nvd.nist.gov/vuln/detail/CVE-2018-11506 +## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31 +## +blacklist cdrom +blacklist sr_mod +## +#install cdrom /usr/bin/disabled-cdrom-by-security-misc +#install sr_mod /usr/bin/disabled-cdrom-by-security-misc + +## Miscellaneous: + +## GrapheneOS: +## Partial selection of their infrastructure blacklist. +## Duplicate and already disabled modules have been omitted. +## +## https://github.com/GrapheneOS/infrastructure/blob/main/modprobe.d/local.conf +## +#blacklist cfg80211 +#blacklist intel_agp +#blacklist ip_tables +blacklist joydev +#blacklist mousedev +#blacklist psmouse +## TODO: Re-check in Debian trixie +## In GrapheneOS list, yes, "should" be out-commented here. +## But not actually out-commented. +## Breaks VirtualBox audio device ICH AC97, which is unfortunately still required by some users. +## https://www.kicksecure.com/wiki/Dev/audio +## https://github.com/Kicksecure/security-misc/issues/271 +#blacklist snd_intel8x0 +#blacklist tls +#blacklist virtio_balloon +#blacklist virtio_console + +## Ubuntu: +## Already disabled modules have been omitted. 
+## +## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco +## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco +## +blacklist amd76x_edac +blacklist ath_pci +blacklist evbug +blacklist pcspkr +blacklist snd_aw2 +blacklist snd_intel8x0m +blacklist snd_pcsp +blacklist usbkbd +blacklist usbmouse diff --git a/etc/modprobe.d/30_security-misc_conntrack.conf b/etc/modprobe.d/30_security-misc_conntrack.conf new file mode 100644 index 0000000..7f36327 --- /dev/null +++ b/etc/modprobe.d/30_security-misc_conntrack.conf @@ -0,0 +1,12 @@ +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Conntrack: +## Disable Netfilter's automatic connection tracking helper assignment. +## This functionality adds unnecessary features, such as IRC protocol parsing, into the kernel. +## Disabling it reduces the kernel attack surface and improves security. +## +## https://conntrack-tools.netfilter.org/manual.html +## https://forums.whonix.org/t/disable-conntrack-helper/18917 +## +options nf_conntrack nf_conntrack_helper=0 diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf new file mode 100644 index 0000000..79b5ed6 --- /dev/null +++ b/etc/modprobe.d/30_security-misc_disable.conf 
@@ -0,0 +1,310 @@ +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## See the following links for a community discussion and overview regarding the selections: +## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989 +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules + +## Blacklisting prevents kernel modules from automatically starting. +## Disabling prohibits kernel modules from starting. + +## This configuration file is split into 4 sections: +## 1. Hardware +## 2. File Systems +## 3. Networking +## 4. Miscellaneous + +## 1. Hardware: + +## Bluetooth: +## Disable Bluetooth to reduce the attack surface due to its long history of security vulnerabilities. +## +## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns +## +## Now replaced with a privacy- and security-preserving default Bluetooth configuration for better usability. +## https://github.com/Kicksecure/security-misc/pull/145 +## +#install bluetooth /usr/bin/disabled-bluetooth-by-security-misc +#install bluetooth_6lowpan /usr/bin/disabled-bluetooth-by-security-misc +#install bt3c_cs /usr/bin/disabled-bluetooth-by-security-misc +#install btbcm /usr/bin/disabled-bluetooth-by-security-misc +#install btintel /usr/bin/disabled-bluetooth-by-security-misc +#install btmrvl /usr/bin/disabled-bluetooth-by-security-misc +#install btmrvl_sdio /usr/bin/disabled-bluetooth-by-security-misc +#install btmtk /usr/bin/disabled-bluetooth-by-security-misc +#install btmtksdio /usr/bin/disabled-bluetooth-by-security-misc +#install btmtkuart /usr/bin/disabled-bluetooth-by-security-misc +#install btnxpuart /usr/bin/disabled-bluetooth-by-security-misc +#install btqca /usr/bin/disabled-bluetooth-by-security-misc +#install btrsi /usr/bin/disabled-bluetooth-by-security-misc +#install btrtl /usr/bin/disabled-bluetooth-by-security-misc +#install btsdio 
/usr/bin/disabled-bluetooth-by-security-misc +#install btusb /usr/bin/disabled-bluetooth-by-security-misc +#install virtio_bt /usr/bin/disabled-bluetooth-by-security-misc + +## FireWire (IEEE 1394): +## Disable IEEE 1394 (FireWire/i.LINK/Lynx) modules to prevent certain DMA attacks. +## +## https://en.wikipedia.org/wiki/IEEE_1394#Security_issues +## +install dv1394 /usr/bin/disabled-firewire-by-security-misc +install firewire-core /usr/bin/disabled-firewire-by-security-misc +install firewire-ohci /usr/bin/disabled-firewire-by-security-misc +install firewire-net /usr/bin/disabled-firewire-by-security-misc +install firewire-sbp2 /usr/bin/disabled-firewire-by-security-misc +install ohci1394 /usr/bin/disabled-firewire-by-security-misc +install raw1394 /usr/bin/disabled-firewire-by-security-misc +install sbp2 /usr/bin/disabled-firewire-by-security-misc +install video1394 /usr/bin/disabled-firewire-by-security-misc + +## Global Positioning Systems (GPS): +## Disable GPS-related modules like GNSS (Global Navigation Satellite System). +## +install garmin_gps /usr/bin/disabled-gps-by-security-misc +install gnss /usr/bin/disabled-gps-by-security-misc +install gnss-mtk /usr/bin/disabled-gps-by-security-misc +install gnss-serial /usr/bin/disabled-gps-by-security-misc +install gnss-sirf /usr/bin/disabled-gps-by-security-misc +install gnss-ubx /usr/bin/disabled-gps-by-security-misc +install gnss-usb /usr/bin/disabled-gps-by-security-misc + +## Intel Management Engine (ME): +## Partially disable the Intel ME interface with the OS. +## ME functionality has increasingly become intertwined with basic Intel system operation. +## Disabling it may lead to breakages in various components without clear debugging/error messages. +## It may affect firmware updates, security, power management, display, and DRM. 
+## +## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html +## https://en.wikipedia.org/wiki/Intel_Management_Engine#Security_vulnerabilities +## https://www.kicksecure.com/wiki/Out-of-band_Management_Technology#Intel_ME_Disabling_Disadvantages +## https://github.com/Kicksecure/security-misc/pull/236#issuecomment-2229092813 +## https://github.com/Kicksecure/security-misc/issues/239 +## +#install mei /usr/bin/disabled-intelme-by-security-misc +#install mei-gsc /usr/bin/disabled-intelme-by-security-misc +#install mei_gsc_proxy /usr/bin/disabled-intelme-by-security-misc +#install mei_hdcp /usr/bin/disabled-intelme-by-security-misc +#install mei-me /usr/bin/disabled-intelme-by-security-misc +#install mei_phy /usr/bin/disabled-intelme-by-security-misc +#install mei_pxp /usr/bin/disabled-intelme-by-security-misc +#install mei-txe /usr/bin/disabled-intelme-by-security-misc +#install mei-vsc /usr/bin/disabled-intelme-by-security-misc +#install mei-vsc-hw /usr/bin/disabled-intelme-by-security-misc +#install mei_wdt /usr/bin/disabled-intelme-by-security-misc +#install microread_mei /usr/bin/disabled-intelme-by-security-misc + +## Intel Platform Monitoring Technology (PMT) Telemetry: +## Disable certain functionalities of the Intel PMT components. +## +## https://github.com/intel/Intel-PMT +## +install pmt_class /usr/bin/disabled-intelpmt-by-security-misc +install pmt_crashlog /usr/bin/disabled-intelpmt-by-security-misc +install pmt_telemetry /usr/bin/disabled-intelpmt-by-security-misc + +## Thunderbolt: +## Disable Thunderbolt modules to prevent certain DMA attacks. +## +## https://en.wikipedia.org/wiki/Thunderbolt_(interface)#Security_vulnerabilities +## +install intel-wmi-thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc +install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc +install thunderbolt_net /usr/bin/disabled-thunderbolt-by-security-misc + +## 2. 
File Systems: + +## File Systems: +## Disable uncommon file systems to reduce attack surface. +## HFS/HFS+ are legacy Apple file systems that may be required depending on the EFI partition format. +## +install cramfs /usr/bin/disabled-filesys-by-security-misc +install freevxfs /usr/bin/disabled-filesys-by-security-misc +install hfs /usr/bin/disabled-filesys-by-security-misc +install hfsplus /usr/bin/disabled-filesys-by-security-misc +install jffs2 /usr/bin/disabled-filesys-by-security-misc +install jfs /usr/bin/disabled-filesys-by-security-misc +install reiserfs /usr/bin/disabled-filesys-by-security-misc +install udf /usr/bin/disabled-filesys-by-security-misc + +## Network File Systems: +## Disable uncommon network file systems to reduce attack surface. +## +install gfs2 /usr/bin/disabled-netfilesys-by-security-misc +install ksmbd /usr/bin/disabled-netfilesys-by-security-misc +## +## Common Internet File System (CIFS): +## +install cifs /usr/bin/disabled-netfilesys-by-security-misc +install cifs_arc4 /usr/bin/disabled-netfilesys-by-security-misc +install cifs_md4 /usr/bin/disabled-netfilesys-by-security-misc +## +## Network File System (NFS): +## +install nfs /usr/bin/disabled-netfilesys-by-security-misc +install nfs_acl /usr/bin/disabled-netfilesys-by-security-misc +install nfs_layout_nfsv41_files /usr/bin/disabled-netfilesys-by-security-misc +install nfs_layout_flexfiles /usr/bin/disabled-netfilesys-by-security-misc +install nfsd /usr/bin/disabled-netfilesys-by-security-misc +install nfsv2 /usr/bin/disabled-netfilesys-by-security-misc +install nfsv3 /usr/bin/disabled-netfilesys-by-security-misc +install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc + +## 2. Networking: + +## Network Protocols: +## Disables rare and unneeded network protocols that are a common source of unknown vulnerabilities. +## Previously had blacklisted eepro100 and eth1394. 
+## +## https://tails.boum.org/blueprint/blacklist_modules/ +## https://fedoraproject.org/wiki/Security_Features_Matrix#Blacklist_Rare_Protocols +## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-rare-network.conf?h=ubuntu/disco +## https://github.com/Kicksecure/security-misc/pull/234#issuecomment-2230732015 +## +install af_802154 /usr/bin/disabled-network-by-security-misc +install appletalk /usr/bin/disabled-network-by-security-misc +install ax25 /usr/bin/disabled-network-by-security-misc +#install brcm80211 /usr/bin/disabled-network-by-security-misc +install decnet /usr/bin/disabled-network-by-security-misc +install dccp /usr/bin/disabled-network-by-security-misc +install econet /usr/bin/disabled-network-by-security-misc +install eepro100 /usr/bin/disabled-network-by-security-misc +install eth1394 /usr/bin/disabled-network-by-security-misc +install ipx /usr/bin/disabled-network-by-security-misc +install n-hdlc /usr/bin/disabled-network-by-security-misc +install netrom /usr/bin/disabled-network-by-security-misc +install p8022 /usr/bin/disabled-network-by-security-misc +install p8023 /usr/bin/disabled-network-by-security-misc +install psnap /usr/bin/disabled-network-by-security-misc +install rose /usr/bin/disabled-network-by-security-misc +install x25 /usr/bin/disabled-network-by-security-misc +## +## Asynchronous Transfer Mode (ATM): +## +install atm /usr/bin/disabled-network-by-security-misc +install ueagle-atm /usr/bin/disabled-network-by-security-misc +install usbatm /usr/bin/disabled-network-by-security-misc +install xusbatm /usr/bin/disabled-network-by-security-misc +## +## Controller Area Network (CAN) Protocol: +## +install c_can /usr/bin/disabled-network-by-security-misc +install c_can_pci /usr/bin/disabled-network-by-security-misc +install c_can_platform /usr/bin/disabled-network-by-security-misc +install can /usr/bin/disabled-network-by-security-misc +install can-bcm /usr/bin/disabled-network-by-security-misc +install 
can-dev /usr/bin/disabled-network-by-security-misc +install can-gw /usr/bin/disabled-network-by-security-misc +install can-isotp /usr/bin/disabled-network-by-security-misc +install can-raw /usr/bin/disabled-network-by-security-misc +install can-j1939 /usr/bin/disabled-network-by-security-misc +install can327 /usr/bin/disabled-network-by-security-misc +install ifi_canfd /usr/bin/disabled-network-by-security-misc +install janz-ican3 /usr/bin/disabled-network-by-security-misc +install m_can /usr/bin/disabled-network-by-security-misc +install m_can_pci /usr/bin/disabled-network-by-security-misc +install m_can_platform /usr/bin/disabled-network-by-security-misc +install phy-can-transceiver /usr/bin/disabled-network-by-security-misc +install slcan /usr/bin/disabled-network-by-security-misc +install ucan /usr/bin/disabled-network-by-security-misc +install vxcan /usr/bin/disabled-network-by-security-misc +install vcan /usr/bin/disabled-network-by-security-misc +## +## Transparent Inter Process Communication (TIPC): +## +install tipc /usr/bin/disabled-network-by-security-misc +install tipc_diag /usr/bin/disabled-network-by-security-misc +## +## Reliable Datagram Sockets (RDS): +## +install rds /usr/bin/disabled-network-by-security-misc +install rds_rdma /usr/bin/disabled-network-by-security-misc +install rds_tcp /usr/bin/disabled-network-by-security-misc +## +## Stream Control Transmission Protocol (SCTP): +## +install sctp /usr/bin/disabled-network-by-security-misc +install sctp_diag /usr/bin/disabled-network-by-security-misc + +## 4. Miscellaneous: + +## Amateur Radios: +## +install hamradio /usr/bin/disabled-miscellaneous-by-security-misc + +## CPU Model-Specific Registers (MSRs): +## Disable CPU MSRs as they can be abused to write to arbitrary memory. 
+## +## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode +## https://github.com/Kicksecure/security-misc/issues/215 +## +#install msr /usr/bin/disabled-miscellaneous-by-security-misc + +## Floppy Disks: +## +install floppy /usr/bin/disabled-miscellaneous-by-security-misc + +## Framebuffer (fbdev): +## Video drivers are known to be buggy, cause kernel panics, and are generally only used by legacy devices. +## These were all previously blacklisted. +## +## https://docs.kernel.org/fb/index.html +## https://en.wikipedia.org/wiki/Linux_framebuffer +## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco +## +install aty128fb /usr/bin/disabled-framebuffer-by-security-misc +install atyfb /usr/bin/disabled-framebuffer-by-security-misc +install cirrusfb /usr/bin/disabled-framebuffer-by-security-misc +install cyber2000fb /usr/bin/disabled-framebuffer-by-security-misc +install cyblafb /usr/bin/disabled-framebuffer-by-security-misc +install gx1fb /usr/bin/disabled-framebuffer-by-security-misc +install hgafb /usr/bin/disabled-framebuffer-by-security-misc +install i810fb /usr/bin/disabled-framebuffer-by-security-misc +install intelfb /usr/bin/disabled-framebuffer-by-security-misc +install kyrofb /usr/bin/disabled-framebuffer-by-security-misc +install lxfb /usr/bin/disabled-framebuffer-by-security-misc +install matroxfb_base /usr/bin/disabled-framebuffer-by-security-misc +install neofb /usr/bin/disabled-framebuffer-by-security-misc +install nvidiafb /usr/bin/disabled-framebuffer-by-security-misc +install pm2fb /usr/bin/disabled-framebuffer-by-security-misc +install radeonfb /usr/bin/disabled-framebuffer-by-security-misc +install rivafb /usr/bin/disabled-framebuffer-by-security-misc +install s1d13xxxfb /usr/bin/disabled-framebuffer-by-security-misc +install savagefb /usr/bin/disabled-framebuffer-by-security-misc +install sisfb 
/usr/bin/disabled-framebuffer-by-security-misc +install sstfb /usr/bin/disabled-framebuffer-by-security-misc +install tdfxfb /usr/bin/disabled-framebuffer-by-security-misc +install tridentfb /usr/bin/disabled-framebuffer-by-security-misc +install vesafb /usr/bin/disabled-framebuffer-by-security-misc +install vfb /usr/bin/disabled-framebuffer-by-security-misc +install viafb /usr/bin/disabled-framebuffer-by-security-misc +install vt8623fb /usr/bin/disabled-framebuffer-by-security-misc +install udlfb /usr/bin/disabled-framebuffer-by-security-misc + +## Replaced Modules: +## These legacy drivers have all been entirely replaced and superseded by newer drivers. +## These were all previously blacklisted. +## +## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco +## +install asus_acpi /usr/bin/disabled-miscellaneous-by-security-misc +install bcm43xx /usr/bin/disabled-miscellaneous-by-security-misc +install de4x5 /usr/bin/disabled-miscellaneous-by-security-misc +install prism54 /usr/bin/disabled-miscellaneous-by-security-misc + +## USB Video Device Class: +## Disables the USB-based video streaming driver for devices like some webcams and digital camcorders. +## +#install uvcvideo /usr/bin/disabled-miscellaneous-by-security-misc + +## Vivid: +## Disables the vivid kernel module since it has been the cause of multiple vulnerabilities. +## +## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233 +## https://www.openwall.com/lists/oss-security/2019/11/02/1 +## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475 +## +## No longer disabled by default: +## https://forums.whonix.org/t/testing-qubes-video-companion-on-whonix/21393 +## https://github.com/Kicksecure/security-misc/issues/298 +## +#install vivid /usr/bin/disabled-miscellaneous-by-security-misc 
diff --git a/etc/modprobe.d/blacklist-bluetooth.conf b/etc/modprobe.d/blacklist-bluetooth.conf deleted file mode 100644 index 2bfc7fb..0000000 --- a/etc/modprobe.d/blacklist-bluetooth.conf +++ /dev/null @@ -1,6 +0,0 @@ -# Blacklists bluetooth to reduce attack surface. -# Bluetooth also has a history of security vulnerabilities: -# -# https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns -install bluetooth /bin/false -install btusb /bin/false diff --git a/etc/modprobe.d/blacklist-dma.conf b/etc/modprobe.d/blacklist-dma.conf deleted file mode 100644 index e06eaa1..0000000 --- a/etc/modprobe.d/blacklist-dma.conf +++ /dev/null @@ -1,3 +0,0 @@ -# Blacklist thunderbolt and firewire to prevent some DMA attacks. -install firewire-core /bin/false -install thunderbolt /bin/false diff --git a/etc/modprobe.d/uncommon-network-protocols.conf b/etc/modprobe.d/uncommon-network-protocols.conf deleted file mode 100644 index 500ee10..0000000 --- a/etc/modprobe.d/uncommon-network-protocols.conf +++ /dev/null 
@@ -1,25 +0,0 @@ -# Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties. -# -# Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these. -# -# > Debian ships a long list of modules for wide support of devices, filesystems, protocols. Some of these modules have a pretty bad security track record, and some of those are simply not used by most of our users. -# -# > Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record. -# -install dccp /bin/false -install sctp /bin/false -install rds /bin/false -install tipc /bin/false -install n-hdlc /bin/false -install ax25 /bin/false -install netrom /bin/false -install x25 /bin/false -install rose /bin/false -install decnet /bin/false -install econet /bin/false -install af_802154 /bin/false -install ipx /bin/false -install appletalk /bin/false -install psnap /bin/false -install p8023 /bin/false -install p8022 /bin/false diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf deleted file mode 100644 index a70b6e5..0000000 --- a/etc/permission-hardening.d/30_default.conf +++ /dev/null 
@@ -1,54 +0,0 @@ -## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardening.d/50_user.conf" or -## "/usr/local/etc/permission-hardening.d/50_user.conf" for your custom -## configuration. When security-misc is updated, this file may be overwritten. - -## File permission hardening. -## -## Syntax: -## [filename] [mode] [owner] [group] [capability] -## -## To remove all SUID/SGID binaries in a directory, you can use the "nosuid" -## argument. - -## SUID whitelist. -/usr/bin/sudo whitelist -/bin/sudo whitelist -/usr/bin/bwrap whitelist -/bin/bwrap whitelist -/usr/lib/policykit-1/polkit-agent-helper-1 whitelist -/usr/lib/dbus-1.0/dbus-daemon-launch-helper whitelist -/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper whitelist -/usr/lib/x86_64-linux-gnu/utempter/utempter whitelist - -## Permission hardening. -/home/ 0755 root root -/home/user/ 0700 user user -/root/ 0700 root root -/boot/ 0700 root root -/etc/permission-hardening.d 0600 root root -/usr/local/etc/permission-hardening.d 0600 root root - -## Remove all SUID/SGID binaries/libraries. -/bin/ nosuid -/usr/bin/ nosuid -/usr/local/bin/ nosuid -/sbin/ nosuid -/usr/sbin/ nosuid -/usr/local/sbin/ nosuid - -## Takes 1 minute to parse. No SUID binaries there by default. -## remount-secure mounts it with nosuid anyhow. -## Therefore no processing it here. -#/lib/ nosuid - -/lib32/ nosuid -/lib64/ nosuid -/usr/lib/ nosuid -/usr/lib32/ nosuid -/usr/lib64/ nosuid -/usr/local/lib/ nosuid -/usr/local/lib32/ nosuid -/usr/local/lib64/ nosuid diff --git a/etc/profile.d/30_security-misc.sh b/etc/profile.d/30_security-misc.sh new file mode 100755 index 0000000..8cb5673 --- /dev/null +++ b/etc/profile.d/30_security-misc.sh 
@@ -0,0 +1,11 @@ +#!/bin/sh + +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +if [ -z "$XDG_CONFIG_DIRS" ]; then + XDG_CONFIG_DIRS="/etc/xdg" +fi +if ! printf '%s\n' "$XDG_CONFIG_DIRS" | grep -- "/usr/share/security-misc/" >/dev/null 2>/dev/null ; then + export XDG_CONFIG_DIRS="/usr/share/security-misc/:$XDG_CONFIG_DIRS" +fi diff --git a/etc/securetty.security-misc b/etc/securetty.security-misc index ca0d81b..c98d20d 100644 --- a/etc/securetty.security-misc +++ b/etc/securetty.security-misc @@ -1,2 +1,5 @@ +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + # /etc/securetty: list of terminals on which root is allowed to login. # See securetty(5) and login(1). diff --git a/etc/security/access-security-misc.conf b/etc/security/access-security-misc.conf index a081d33..e8bc2ab 100644 --- a/etc/security/access-security-misc.conf +++ b/etc/security/access-security-misc.conf @@ -1,6 +1,9 @@ -## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. +## To enable root login, see: +## https://www.kicksecure.com/wiki/Root#Root_Login + ## Console Lockdown ## https://forums.whonix.org/t/etc-security-hardening/8592 
@@ -15,11 +18,24 @@ ## Usually tty7 is for X. ## Qubes uses tty1 for X. -## Allow members of group 'console' to use tty1 to tty7 and pts/0 to pts/9 and hvc0 to hvc9. ## Qubes has 'pts/0' when for example running "sudo" from a terminal emulator. ## Qubes uses 'hvc0' when using in dom0 "sudo xl console vm-name". -+:console:tty1 tty2 tty3 tty4 tty5 tty6 tty7 pts/0 pts/1 pts/2 pts/3 pts/4 pts/5 pts/6 pts/7 pts/8 pts/9 hvc0 hvc1 hvc2 hvc3 hvc4 hvc5 hvc6 hvc7 hvc8 hvc9 +## When using systemd-nspawn (chroot) then `login` requires console 'console' to be permitted. + +## Allow members of group `console` to use: +## - 'console' +## - 'tty1' to 'tty7' +## - 'pts/0' to 'pts/9' +## - 'hvc0' to 'hvc9' +## serial console +## https://forums.whonix.org/t/how-do-i-enter-the-whonix-shell-from-cli/7271/43 +## - 'ttyS0' to 'ttyS9' ++:(console):console tty1 tty2 tty3 tty4 tty5 tty6 tty7 pts/0 pts/1 pts/2 pts/3 pts/4 pts/5 pts/6 pts/7 pts/8 pts/9 hvc0 hvc1 hvc2 hvc3 hvc4 hvc5 hvc6 hvc7 hvc8 hvc9 ttyS0 ttyS1 ttyS2 ttyS3 ttyS4 ttyS5 ttyS6 ttyS7 ttyS8 ttyS9 + +## Same as above also for members of group `sudo`. +## https://github.com/Whonix/security-misc/pull/74#issuecomment-607748407 ++:(sudo):console tty1 tty2 tty3 tty4 tty5 tty6 tty7 pts/0 pts/1 pts/2 pts/3 pts/4 pts/5 pts/6 pts/7 pts/8 pts/9 hvc0 hvc1 hvc2 hvc3 hvc4 hvc5 hvc6 hvc7 hvc8 hvc9 ttyS0 ttyS1 ttyS2 ttyS3 ttyS4 ttyS5 ttyS6 ttyS7 ttyS8 ttyS9 ## Everyone else except members of group 'console-unrestricted' ## are restricted from everything else. --:ALL EXCEPT console-unrestricted :ALL +-:ALL EXCEPT (console-unrestricted):ALL diff --git a/etc/security/faillock.conf.security-misc b/etc/security/faillock.conf.security-misc new file mode 100644 index 0000000..4b70cde --- /dev/null +++ b/etc/security/faillock.conf.security-misc 
@@ -0,0 +1,70 @@ +## Copyright (C) 2021 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +# Configuration for locking the user after multiple failed +# authentication attempts. +# +# The directory where the user files with the failure records are kept. +# The default is /var/run/faillock. +dir = /var/lib/security-misc/faillock +# +# Will log the user name into the system log if the user is not found. +# Enabled if option is present. +audit +# +# Don't print informative messages. +# Enabled if option is present. +# silent +# +# Don't log informative messages via syslog. +# Enabled if option is present. +# no_log_info +# +# Only track failed user authentications attempts for local users +# in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users. +# The `faillock` command will also no longer track user failed +# authentication attempts. Enabling this option will prevent a +# double-lockout scenario where a user is locked out locally and +# in the centralized mechanism. +# Enabled if option is present. +# local_users_only +# +# Deny access if the number of consecutive authentication failures +# for this user during the recent interval exceeds n tries. +# The default is 3. +deny = 50 +# +# The length of the interval during which the consecutive +# authentication failures must happen for the user account +# lock out is n seconds. +# The default is 900 (15 minutes). +# security-misc note: the interval should be set to infinity if possible, +# however pam_faillock arbitrarily limits this variable to a maximum of 604800 +# seconds (7 days). See +# https://github.com/linux-pam/linux-pam/blob/539816e4a0a277dbb632412be91e482fff9d9d09/modules/pam_faillock/faillock_config.h#L59 +# for details. Therefore we set this to the maximum allowable value of 7 days. +fail_interval = 604800 +# +# The access will be re-enabled after n seconds after the lock out. 
+# The value 0 has the same meaning as value `never` - the access +# will not be re-enabled without resetting the faillock +# entries by the `faillock` command. +# The default is 600 (10 minutes). +unlock_time = never +# +# Root account can become locked as well as regular accounts. +# Enabled if option is present. +even_deny_root +# +# This option implies the `even_deny_root` option. +# Allow access after n seconds to root account after the +# account is locked. In case the option is not specified +# the value is the same as of the `unlock_time` option. +# root_unlock_time = 900 +# +# If a group name is specified with this option, members +# of the group will be handled by this module the same as +# the root account (the options `even_deny_root>` and +# `root_unlock_time` will apply to them. +# By default, the option is not set. +# admin_group = diff --git a/etc/security/limits.d/30_security-misc.conf b/etc/security/limits.d/30_security-misc.conf new file mode 100644 index 0000000..d494b14 --- /dev/null +++ b/etc/security/limits.d/30_security-misc.conf @@ -0,0 +1,5 @@ +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Disable coredumps. +* hard core 0 diff --git a/etc/security/limits.d/disable-coredumps.conf b/etc/security/limits.d/disable-coredumps.conf deleted file mode 100644 index ea7c414..0000000 --- a/etc/security/limits.d/disable-coredumps.conf +++ /dev/null @@ -1,2 +0,0 @@ -# Disable coredumps. -* hard core 0 diff --git a/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml b/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml index f6909a3..dd94349 100644 --- a/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml +++ b/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml @@ -1,5 +1,8 @@ + + + @@ -13,4 +16,5 @@ + diff --git a/etc/skel/.gnupg/gpg.conf b/etc/skel/.gnupg/gpg.conf new file mode 100644 index 0000000..f0ed5a4 --- /dev/null +++ b/etc/skel/.gnupg/gpg.conf 
@@ -0,0 +1,350 @@ +# Options for GnuPG +# Copyright 1998, 1999, 2000, 2001, 2002, 2003, +# 2010 Free Software Foundation, Inc. +# +# This file is free software; as a special exception the author gives +# unlimited permission to copy and/or distribute it, with or without +# modifications, as long as this notice is preserved. +# +# This file is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY, to the extent permitted by law; without even the +# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. +# +# Unless you specify which option file to use (with the command line +# option "--options filename"), GnuPG uses the file ~/.gnupg/gpg.conf +# by default. +# +# An options file can contain any long options which are available in +# GnuPG. If the first non white space character of a line is a '#', +# this line is ignored. Empty lines are also ignored. +# +# See the man page for a list of options. + +# Uncomment the following option to get rid of the copyright notice + +#no-greeting + +# If you have more than 1 secret key in your keyring, you may want to +# uncomment the following option and set your preferred keyid. + +#default-key 621CC013 + +# If you do not pass a recipient to gpg, it will ask for one. Using +# this option you can encrypt to a default key. Key validation will +# not be done in this case. The second form uses the default key as +# default recipient. + +#default-recipient some-user-id +#default-recipient-self + +# Use --encrypt-to to add the specified key as a recipient to all +# messages. This is useful, for example, when sending mail through a +# mail client that does not automatically encrypt mail to your key. +# In the example, this option allows you to read your local copy of +# encrypted mail that you've sent to others. + +#encrypt-to some-key-id + +# By default GnuPG creates version 4 signatures for data files as +# specified by OpenPGP. 
Some earlier (PGP 6, PGP 7) versions of PGP +# require the older version 3 signatures. Setting this option forces +# GnuPG to create version 3 signatures. + +#force-v3-sigs + +# Because some mailers change lines starting with "From " to ">From " +# it is good to handle such lines in a special way when creating +# cleartext signatures; all other PGP versions do it this way too. + +#no-escape-from-lines + +# If you do not use the Latin-1 (ISO-8859-1) charset, you should tell +# GnuPG which is the native character set. Please check the man page +# for supported character sets. This character set is only used for +# metadata and not for the actual message which does not undergo any +# translation. Note that future version of GnuPG will change to UTF-8 +# as default character set. In most cases this option is not required +# as GnuPG is able to figure out the correct charset at runtime. + +#charset utf-8 + +# Group names may be defined like this: +# group mynames = paige 0x12345678 joe patti +# +# Any time "mynames" is a recipient (-r or --recipient), it will be +# expanded to the names "paige", "joe", and "patti", and the key ID +# "0x12345678". Note that there is only one level of expansion - you +# cannot make a group that points to another group. Note also that +# if there are spaces in the recipient name, this will appear as two +# recipients. In these cases it is better to use the key ID. + +#group mynames = paige 0x12345678 joe patti + +# Lock the file only once for the lifetime of a process. If you do +# not define this, the lock will be obtained and released every time +# it is needed, which is usually preferable. + +#lock-once + +# GnuPG can send and receive keys to and from a keyserver. These +# servers can be HKP, email, or LDAP (if GnuPG is built with LDAP +# support). +# +# High-risk users should stop using the keyserver network immediately. 
+# https://forums.whonix.org/t/gpg-recv-keys-fails-no-longer-use-keyservers-for-anything/5607/8 +# +# Example HKP keyserver: +# hkp://keys.gnupg.net +# hkp://subkeys.pgp.net +# +# Example email keyserver: +# mailto:pgp-public-keys@keys.pgp.net +# +# Example LDAP keyservers: +# ldap://keyserver.pgp.com +# +# Regular URL syntax applies, and you can set an alternate port +# through the usual method: +# hkp://keyserver.example.net:22742 +# +# Most users just set the name and type of their preferred keyserver. +# Note that most servers (with the notable exception of +# ldap://keyserver.pgp.com) synchronize changes with each other. Note +# also that a single server name may actually point to multiple +# servers via DNS round-robin. hkp://keys.gnupg.net is an example of +# such a "server", which spreads the load over a number of physical +# servers. To see the IP address of the server actually used, you may use +# the "--keyserver-options debug". +# +#keyserver hkp://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.onion +#keyserver mailto:pgp-public-keys@keys.nl.pgp.net +#keyserver ldap://keyserver.pgp.com + +# Common options for keyserver functions: +# +# include-disabled : when searching, include keys marked as "disabled" +# on the keyserver (not all keyservers support this). +# +# no-include-revoked : when searching, do not include keys marked as +# "revoked" on the keyserver. +# +# verbose : show more information as the keys are fetched. +# Can be used more than once to increase the amount +# of information shown. +# +# use-temp-files : use temporary files instead of a pipe to talk to the +# keyserver. Some platforms (Win32 for one) always +# have this on. +# +# keep-temp-files : do not delete temporary files after using them +# (really only useful for debugging) +# +# http-proxy="proxy" : set the proxy to use for HTTP and HKP keyservers. +# This overrides the "http_proxy" environment variable, +# if any. 
+# +# auto-key-retrieve : automatically fetch keys as needed from the keyserver +# when verifying signatures or when importing keys that +# have been revoked by a revocation key that is not +# present on the keyring. +# +# no-include-attributes : do not include attribute IDs (aka "photo IDs") +# when sending keys to the keyserver. + +#keyserver-options auto-key-retrieve + +# Display photo user IDs in key listings + +# list-options show-photos + +# Display photo user IDs when a signature from a key with a photo is +# verified + +# verify-options show-photos + +# Use this program to display photo user IDs +# +# %i is expanded to a temporary file that contains the photo. +# %I is the same as %i, but the file isn't deleted afterwards by GnuPG. +# %k is expanded to the key ID of the key. +# %K is expanded to the long OpenPGP key ID of the key. +# %t is expanded to the extension of the image (e.g. "jpg"). +# %T is expanded to the MIME type of the image (e.g. "image/jpeg"). +# %f is expanded to the fingerprint of the key. +# %% is %, of course. +# +# If %i or %I are not present, then the photo is supplied to the +# viewer on standard input. If your platform supports it, standard +# input is the best way to do this as it avoids the time and effort in +# generating and then cleaning up a secure temp file. +# +# If no photo-viewer is provided, GnuPG will look for xloadimage, eog, +# or display (ImageMagick). On Mac OS X and Windows, the default is +# to use your regular JPEG image viewer. 
+# +# Some other viewers: +# photo-viewer "qiv %i" +# photo-viewer "ee %i" +# +# This one saves a copy of the photo ID in your home directory: +# photo-viewer "cat > ~/photoid-for-key-%k.%t" +# +# Use your MIME handler to view photos: +# photo-viewer "metamail -q -d -b -c %T -s 'KeyID 0x%k' -f GnuPG" + +# Passphrase agent +# +# We support the old experimental passphrase agent protocol as well as +# the new Assuan based one (currently available in the "newpg" package +# at ftp.gnupg.org/gcrypt/alpha/aegypten/). To make use of the agent, +# you have to run an agent as daemon and use the option +# +# For Ubuntu we now use-agent by default to support more automatic +# use of GPG and S/MIME encryption by GUI programs. Depending on the +# program, users may still have to manually decide to install gnupg-agent. + +#use-agent + +# which tries to use the agent but will fallback to the regular mode +# if there is a problem connecting to the agent. The normal way to +# locate the agent is by looking at the environment variable +# GPG_AGENT_INFO which should have been set during gpg-agent startup. +# In certain situations the use of this variable is not possible, thus +# the option +# +# --gpg-agent-info=::1 +# +# may be used to override it. + +# Automatic key location +# +# GnuPG can automatically locate and retrieve keys as needed using the +# auto-key-locate option. This happens when encrypting to an email +# address (in the "user@example.com" form), and there are no +# user@example.com keys on the local keyring. This option takes the +# following arguments, in the order they are to be tried: +# +# cert = locate a key using DNS CERT, as specified in RFC-4398. +# GnuPG can handle both the PGP (key) and IPGP (URL + fingerprint) +# CERT methods. +# +# pka = locate a key using DNS PKA. +# +# ldap = locate a key using the PGP Universal method of checking +# "ldap://keys.(thedomain)". For example, encrypting to +# user@example.com will check ldap://keys.example.com. 
+# +# keyserver = locate a key using whatever keyserver is defined using +# the keyserver option. +# +# You may also list arbitrary keyservers here by URL. +# +# Try CERT, then PKA, then LDAP, then hkp://subkeys.net: +#auto-key-locate cert pka ldap hkp://subkeys.pgp.net + +## Begin Anonymity Distribution /home/user/.gnupg/gpg.conf changes. + +#### meta start +#### project Whonix +#### category networking and apps +#### description GnuPG gpg configuration +#### meta end + +## source: +## https://raw.github.com/ioerror/torbirdy/master/gpg.conf +## https://github.com/ioerror/torbirdy/commit/e6d7c9e6e103f0b3289675d04ed3f92e92d8d7b3 + +## Out commented proxy settings, because uwt wrapper keeps care of that. + +## gpg.conf optimized for privacy + +################################################################## +## BEGIN some suggestions from TorBirdy setting extensions.enigmail.agentAdditionalParam + +## Don't disclose the version +no-emit-version + +## Don't add additional comments (may leak language, etc) +no-comments + +## We want to force UTF-8 everywhere +display-charset utf-8 + +## Proxy settings +#keyserver-options http-proxy=socks5://TORIP:TORPORT + +## https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f +## https://dkg.fifthhorseman.net/blog/openpgp-certificate-flooding.html +## https://forums.whonix.org/t/gpg-recv-keys-fails-no-longer-use-keyservers-for-anything/5607 +#keyserver hkps://keys.openpgp.org + +## END some suggestions from TorBirdy TorBirdy setting extensions.enigmail.agentAdditionalParam +################################################################## + +################################################################## +## BEGIN Some suggestions from Debian https://keyring.debian.org/creating-key.html + +personal-digest-preferences SHA512 +cert-digest-algo SHA512 +default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed + +## END Some suggestions from Debian 
https://keyring.debian.org/creating-key.html +################################################################## + +################################################################## +## BEGIN Some suggestions added from riseup https://we.riseup.net/riseuplabs+paow/openpgp-best-practices + +## When creating a key, individuals may designate a specific keyserver to use to pull their keys from. +## The above option will disregard this designation and use the pool, which is useful because (1) it +## prevents someone from designating an insecure method for pulling their key and (2) if the server +## designated uses hkps, the refresh will fail because the ca-cert will not match, so the keys will +## never be refreshed. +keyserver-options no-honor-keyserver-url + +## when outputting certificates, view user IDs distinctly from keys: +fixed-list-mode + +## long keyids are more collision-resistant than short keyids (it's trivial to make a key with any desired short keyid) +keyid-format 0xlong + +## when multiple digests are supported by all recipients, choose the strongest one: +## already defined above +#personal-digest-preferences SHA512 SHA384 SHA256 SHA224 + +## preferences chosen for new keys should prioritize stronger algorithms: +## already defined above +#default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 BZIP2 ZLIB ZIP Uncompressed + +## If you use a graphical environment (and even if you don't) you should be using an agent: +## (similar arguments as https://www.debian-administration.org/users/dkg/weblog/64) +use-agent + +## You should always know at a glance which User IDs gpg thinks are legitimately bound to the keys in your keyring: +verify-options show-uid-validity +list-options show-uid-validity + +## include an unambiguous indicator of which key made a signature: +## (see http://thread.gmane.org/gmane.mail.notmuch.general/3721/focus=7234) +sig-notation issuer-fpr@notations.openpgp.fifthhorseman.net=%g + +## when making an OpenPGP 
certification, use a stronger digest than the default SHA1: +## already defined above +#cert-digest-algo SHA256 + +## END Some suggestions added from riseup https://we.riseup.net/riseuplabs+paow/openpgp-best-practices +################################################################## + +################################################################## +## BEGIN Some suggestions from TorBirdy opt-in's + +## Up to you whether you in comment it (remove the single # in front of +## it) or not. Disabled by default, because it causes too much complaints and +## confusion. + +## Don't include keyids that may disclose the sender or any other non-obvious keyids +#throw-keyids + +## END Some suggestions from TorBirdy opt-in's +################################################################## + +## End of Anonymity Distribution /home/user/.gnupg/gpg.conf changes. diff --git a/etc/sudoers.d/security-misc b/etc/sudoers.d/security-misc index a3a7114..1fa2146 100644 --- a/etc/sudoers.d/security-misc +++ b/etc/sudoers.d/security-misc @@ -1,7 +1,12 @@ -## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. -user ALL=NOPASSWD: /usr/lib/security-misc/panic-on-oops -%sudo ALL=NOPASSWD: /usr/lib/security-misc/panic-on-oops +## Neither of these are needed. +#user ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops +#%sudo ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops -%sudo ALL=NOPASSWD: /usr/lib/security-misc/echo-path +## Use a more open umask when executing commands with sudo +## Can be overridden on a per-user basis using .[z]profile if desirable +## https://www.kicksecure.com/wiki/Dev/Strong_Linux_User_Account_Isolation#umask_hardening +Defaults umask_override +Defaults umask=0022 diff --git a/etc/sysctl.d/coredumps.conf b/etc/sysctl.d/coredumps.conf deleted file mode 100644 index 79c2922..0000000 --- a/etc/sysctl.d/coredumps.conf +++ /dev/null 
@@ -1,6 +0,0 @@ -## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Disables coredumps. This setting may be overwritten by systemd so this may not be useful. -## security-misc also disables coredumps in other ways. -kernel.core_pattern=|/bin/false diff --git a/etc/sysctl.d/dmesg_restrict.conf b/etc/sysctl.d/dmesg_restrict.conf deleted file mode 100644 index 0883bd3..0000000 --- a/etc/sysctl.d/dmesg_restrict.conf +++ /dev/null @@ -1,5 +0,0 @@ -## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Restricts the kernel log to root only. -kernel.dmesg_restrict=1 diff --git a/etc/sysctl.d/fs_protected.conf b/etc/sysctl.d/fs_protected.conf deleted file mode 100644 index 19c3920..0000000 --- a/etc/sysctl.d/fs_protected.conf +++ /dev/null @@ -1,6 +0,0 @@ -## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Makes some data spoofing attacks harder. -fs.protected_fifos=2 -fs.protected_regular=2 diff --git a/etc/sysctl.d/harden_bpf.conf b/etc/sysctl.d/harden_bpf.conf deleted file mode 100644 index e1c84b4..0000000 --- a/etc/sysctl.d/harden_bpf.conf +++ /dev/null @@ -1,6 +0,0 @@ -## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Hardens the BPF JIT compiler and restricts it to root. -kernel.unprivileged_bpf_disabled=1 -net.core.bpf_jit_harden=2 diff --git a/etc/sysctl.d/kexec.conf b/etc/sysctl.d/kexec.conf deleted file mode 100644 index 6fc9689..0000000 --- a/etc/sysctl.d/kexec.conf +++ /dev/null 
@@ -1,11 +0,0 @@ -## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Quote https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html -## -## kexec_load_disabled: -## -## A toggle indicating if the kexec_load syscall has been disabled. This value defaults to 0 (false: kexec_load enabled), but can be set to 1 (true: kexec_load disabled). Once true, kexec can no longer be used, and the toggle cannot be set back to false. This allows a kexec image to be loaded before disabling the syscall, allowing a system to set up (and later use) an image without it being altered. Generally used together with the "modules_disabled" sysctl. - -## Disables kexec which can be used to replace the running kernel. -kernel.kexec_load_disabled=1 diff --git a/etc/sysctl.d/kptr_restrict.conf b/etc/sysctl.d/kptr_restrict.conf deleted file mode 100644 index 0ea871e..0000000 --- a/etc/sysctl.d/kptr_restrict.conf +++ /dev/null @@ -1,8 +0,0 @@ -## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Hides kernel addresses in various files in /proc. -## Kernel addresses can be very useful in certain exploits. -## -## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak -kernel.kptr_restrict=2 diff --git a/etc/sysctl.d/mmap_aslr.conf b/etc/sysctl.d/mmap_aslr.conf deleted file mode 100644 index e38151b..0000000 --- a/etc/sysctl.d/mmap_aslr.conf +++ /dev/null @@ -1,6 +0,0 @@ -## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Improves ASLR effectiveness for mmap. -vm.mmap_rnd_bits=32 -vm.mmap_rnd_compat_bits=16 diff --git a/etc/sysctl.d/ptrace_scope.conf b/etc/sysctl.d/ptrace_scope.conf deleted file mode 100644 index b48ad18..0000000 --- a/etc/sysctl.d/ptrace_scope.conf +++ /dev/null 
@@ -1,10 +0,0 @@ -## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Restricts the use of ptrace to root. This might break some programs running under WINE. -## A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. This can be done by running: -## -## sudo apt-get install libcap2-bin -## sudo setcap cap_sys_ptrace=eip /usr/bin/wineserver -## sudo setcap cap_sys_ptrace=eip /usr/bin/wine-preloader -kernel.yama.ptrace_scope=2 diff --git a/etc/sysctl.d/suid_dumpable.conf b/etc/sysctl.d/suid_dumpable.conf deleted file mode 100644 index 54f19b6..0000000 --- a/etc/sysctl.d/suid_dumpable.conf +++ /dev/null @@ -1,5 +0,0 @@ -## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Prevent setuid processes from creating coredumps. -fs.suid_dumpable=0 diff --git a/etc/sysctl.d/tcp_hardening.conf b/etc/sysctl.d/tcp_hardening.conf deleted file mode 100644 index 85b6ddf..0000000 --- a/etc/sysctl.d/tcp_hardening.conf +++ /dev/null 
@@ -1,42 +0,0 @@ -## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -#### meta start -#### project Kicksecure -#### category networking and security -#### description -## TCP/IP stack hardening - -## Protects against time-wait assassination. -## It drops RST packets for sockets in the time-wait state. -net.ipv4.tcp_rfc1337=1 - -## Disables ICMP redirect acceptance. -net.ipv4.conf.all.accept_redirects=0 -net.ipv4.conf.default.accept_redirects=0 -net.ipv4.conf.all.secure_redirects=0 -net.ipv4.conf.default.secure_redirects=0 -net.ipv6.conf.all.accept_redirects=0 -net.ipv6.conf.default.accept_redirects=0 - -## Disables ICMP redirect sending. -net.ipv4.conf.all.send_redirects=0 -net.ipv4.conf.default.send_redirects=0 - -## Ignores ICMP requests. -net.ipv4.icmp_echo_ignore_all=1 - -## Enables TCP syncookies. -net.ipv4.tcp_syncookies=1 - -## Disable source routing. -net.ipv4.conf.all.accept_source_route=0 -net.ipv4.conf.default.accept_source_route=0 - -## Enable reverse path filtering to prevent IP spoofing and -## mitigate vulnerabilities such as CVE-2019-14899. -## https://forums.whonix.org/t/enable-reverse-path-filtering/8594 -net.ipv4.conf.default.rp_filter=1 -net.ipv4.conf.all.rp_filter=1 - -#### meta end diff --git a/etc/sysctl.d/tcp_sack.conf b/etc/sysctl.d/tcp_sack.conf deleted file mode 100644 index 4bd07eb..0000000 --- a/etc/sysctl.d/tcp_sack.conf +++ /dev/null @@ -1,8 +0,0 @@ -## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Disables SACK as it is commonly exploited and likely not needed. -## https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109 -#net.ipv4.tcp_sack=0 -#net.ipv4.tcp_dsack=0 -#net.ipv4.tcp_fack=0 diff --git a/etc/sysctl.d/tcp_timestamps.conf b/etc/sysctl.d/tcp_timestamps.conf deleted file mode 100644 index a1b874c..0000000 --- a/etc/sysctl.d/tcp_timestamps.conf +++ /dev/null 
@@ -1,12 +0,0 @@ -## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -#### meta start -#### project Kicksecure -#### category networking and security -#### description -## disable IPv4 TCP Timestamps - -net.ipv4.tcp_timestamps=0 - -#### meta end diff --git a/etc/systemd/system/emergency.service.d/override.conf b/etc/systemd/system/emergency.service.d/override.conf index b24186a..42fefd4 100644 --- a/etc/systemd/system/emergency.service.d/override.conf +++ b/etc/systemd/system/emergency.service.d/override.conf @@ -1,3 +1,6 @@ +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + ## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211 ## https://salsa.debian.org/ah/user-setup/commit/bc5ca2de85ec27845d0b46059cb7cc02bae7b44d diff --git a/etc/systemd/system/rescue.service.d/override.conf b/etc/systemd/system/rescue.service.d/override.conf index b24186a..42fefd4 100644 --- a/etc/systemd/system/rescue.service.d/override.conf +++ b/etc/systemd/system/rescue.service.d/override.conf @@ -1,3 +1,6 @@ +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + ## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211 ## https://salsa.debian.org/ah/user-setup/commit/bc5ca2de85ec27845d0b46059cb7cc02bae7b44d diff --git a/etc/thunderbird/pref/40_security-mic.js b/etc/thunderbird/pref/40_security-mic.js deleted file mode 100644 index fe36be2..0000000 --- a/etc/thunderbird/pref/40_security-mic.js +++ /dev/null 
@@ -1,8 +0,0 @@ -//#### meta start -//#### project Whonix and Kicksecure -//#### category security and apps -//#### description https://forums.whonix.org/t/enable-network-idn-show-punycode-by-default-in-thunderbird-to-fix-url-not-showing-real-domain-name-homograph-attack-punycode/8415 -//#### meta end - -// https://forums.whonix.org/t/enable-network-idn-show-punycode-by-default-in-thunderbird-to-fix-url-not-showing-real-domain-name-homograph-attack-punycode/8415 -pref("network.IDN_show_punycode", true); diff --git a/etc/thunderbird/pref/40_security-misc.js b/etc/thunderbird/pref/40_security-misc.js new file mode 100644 index 0000000..931f9d2 --- /dev/null +++ b/etc/thunderbird/pref/40_security-misc.js 
@@ -0,0 +1,59 @@ +//#### Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +//#### See the file COPYING for copying conditions. + +//#### meta start +//#### project Whonix and Kicksecure +//#### category security and apps +//#### description https://forums.whonix.org/t/enable-network-idn-show-punycode-by-default-in-thunderbird-to-fix-url-not-showing-real-domain-name-homograph-attack-punycode/8415 +//#### meta end + +// https://forums.whonix.org/t/enable-network-idn-show-punycode-by-default-in-thunderbird-to-fix-url-not-showing-real-domain-name-homograph-attack-punycode/8415 +pref("network.IDN_show_punycode", true); + +// Disable all and any kind of telemetry by default +pref("toolkit.telemetry.enabled", false); +pref("toolkit.telemetry.unified", false); +pref("toolkit.telemetry.shutdownPingSender.enabled", false); +pref("toolkit.telemetry.updatePing.enabled", false); +pref("toolkit.telemetry.archive.enabled", false); +pref("toolkit.telemetry.bhrPing.enabled", false); +pref("toolkit.telemetry.firstShutdownPing.enabled", false); +pref("toolkit.telemetry.newProfilePing.enabled", false); +pref("toolkit.telemetry.server", ""); // Defense in depth +pref("toolkit.telemetry.server_owner", ""); // Defense in depth +pref("datareporting.healthreport.uploadEnabled", false); +pref("datareporting.policy.dataSubmissionEnabled", false); +pref("toolkit.telemetry.coverage.opt-out", true); // from Firefox +pref("toolkit.coverage.opt-out", true); // from Firefox + +// Disable implicit outbound traffic +pref("network.connectivity-service.enabled", false); +pref("network.prefetch-next", false); +pref("network.dns.disablePrefetch", true); +pref("network.predictor.enabled", false); + +// No need to explain the problems with javascript +// If you want javascript, use your browser +// Thunderbird needs no javascript +// pref("javascript.enabled", false); // Will break setting up services that require redirecting to their javascripted webpage for login, like gmail etc. 
So commented out for now. + +// Disable scripting when viewing pdf files +user_pref("pdfjs.enableScripting", false); + +// If you want cookies, use your browser +pref("network.cookie.cookieBehavior", 2); + +// Do not send user agent information +// For email clients, this is more like a relic of the past +// Completely not necessary and just exposes a lot of information about the client +// Since v115.0 Thunderbird already minimizes the user agent +// But we want it gone for good for no information leak at all +// https://hg.mozilla.org/comm-central/rev/cbbbc8d93cd7 +pref("mailnews.headers.sendUserAgent", false); + +// Normally we send emails after marking them with a time stamp +// That includes our local time zone +// This option makes our local time zone appear as UTC +// And rounds the time stamp to the closes minute +// https://hg.mozilla.org/comm-central/rev/98aa0bf2e719 +pref("mail.sanitize_date_header", true); diff --git a/lib/systemd/coredump.conf.d/disable-coredumps.conf b/lib/systemd/coredump.conf.d/disable-coredumps.conf deleted file mode 100644 index 519f838..0000000 --- a/lib/systemd/coredump.conf.d/disable-coredumps.conf +++ /dev/null @@ -1,2 +0,0 @@ -[Coredump] -Storage=none diff --git a/lib/systemd/system-preset/50-security-misc.preset b/lib/systemd/system-preset/50-security-misc.preset deleted file mode 100644 index 802414b..0000000 --- a/lib/systemd/system-preset/50-security-misc.preset +++ /dev/null @@ -1,8 +0,0 @@ -## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## https://forums.whonix.org/t/restrict-hardware-information-to-root-testers-wanted/8618 -disable hide-hardware-info.service - -## Disable for now until development finished / tested. -disable permission-hardening.service diff --git a/lib/systemd/system/permission-hardening.service b/lib/systemd/system/permission-hardening.service deleted file mode 100644 index 216da23..0000000 
--- a/lib/systemd/system/permission-hardening.service +++ /dev/null @@ -1,14 +0,0 @@ -[Unit] -Description=File permission hardening -Documentation=https://github.com/Whonix/security-misc -DefaultDependencies=no -Before=sysinit.target -Requires=local-fs.target -After=local-fs.target - -[Service] -Type=oneshot -ExecStart=/usr/lib/security-misc/permission-hardening - -[Install] -WantedBy=sysinit.target diff --git a/lib/systemd/system/remount-secure.service b/lib/systemd/system/remount-secure.service deleted file mode 100644 index 52c7c2e..0000000 --- a/lib/systemd/system/remount-secure.service +++ /dev/null @@ -1,21 +0,0 @@ -## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -[Unit] -Description=remount /home /tmp /dev/shm /run with nosuid,nodev (default) and noexec (opt-in) -Documentation=https://github.com/Whonix/security-misc - -DefaultDependencies=no -Before=sysinit.target -Requires=local-fs.target -After=local-fs.target - -After=qubes-sysinit.service - -[Service] -Type=oneshot -RemainAfterExit=yes -ExecStart=/usr/lib/security-misc/remount-secure - -[Install] -WantedBy=sysinit.target diff --git a/lib/systemd/system/remove-system-map.service b/lib/systemd/system/remove-system-map.service deleted file mode 100644 index fdfbf6b..0000000 --- a/lib/systemd/system/remove-system-map.service +++ /dev/null @@ -1,14 +0,0 @@ -[Unit] -Description=Removes the System.map files -Documentation=https://github.com/Whonix/security-misc -DefaultDependencies=no -Before=sysinit.target -Requires=local-fs.target -After=local-fs.target - -[Service] -Type=oneshot -ExecStart=/usr/lib/security-misc/remove-system.map - -[Install] -WantedBy=sysinit.target diff --git a/lib/systemd/system/user@.service.d/sysfs.conf b/lib/systemd/system/user@.service.d/sysfs.conf deleted file mode 100644 index e0cf3a7..0000000 --- a/lib/systemd/system/user@.service.d/sysfs.conf +++ /dev/null @@ -1,2 +0,0 @@ -[Service] -SupplementaryGroups=sysfs 
diff --git a/rpm_spec/security-misc.spec.in b/rpm_spec/security-misc.spec.in index a2cfca6..b42625e 100644 --- a/rpm_spec/security-misc.spec.in +++ b/rpm_spec/security-misc.spec.in @@ -3,8 +3,8 @@ Version: @VERSION@ Release: 1%{?dist} Summary: enhances misc security settings -License: GPL-3+-with-additional-terms-1 -URL: https://github.com/Whonix/security-misc +License: AGPL-3+ +URL: https://github.com/Kicksecure/security-misc Source0: %{name}-%{version}.tar.xz BuildRequires: dpkg-dev 
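Review bot: The new `License: AGPL-3+` value in the spec header is the Debian copyright-format short name, not an SPDX identifier. RPM-based distributions that check the License tag expect the SPDX form, so consider `License: AGPL-3.0-or-later` in the spec while debian/copyright keeps `AGPL-3+`.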
@@ -13,50 +13,7 @@ Requires: make BuildArch: noarch %description -The following settings are changed: - -deactivates previews in Dolphin; -deactivates previews in Nautilus; -deactivates thumbnails in Thunar; -deactivates TCP timestamps; -deactivates Netfilter's connection tracking helper; - -TCP time stamps (RFC 1323) allow for tracking clock -information with millisecond resolution. This may or may not allow an -attacker to learn information about the system clock at such -a resolution, depending on various issues such as network lag. -This information is available to anyone who monitors the network -somewhere between the attacked system and the destination server. -It may allow an attacker to find out how long a given -system has been running, and to distinguish several -systems running behind NAT and using the same IP address. It might -also allow one to look for clocks that match an expected value to find the -public IP used by a user. - -Hence, this package disables this feature by shipping the -/etc/sysctl.d/tcp_timestamps.conf configuration file. - -Note that TCP time stamps normally have some usefulness. They are -needed for: - -* the TCP protection against wrapped sequence numbers; however, to - trigger a wrap, one needs to send roughly 2^32 packets in one - minute: as said in RFC 1700, "The current recommended default - time to live (TTL) for the Internet Protocol (IP) [45,105] is 64". - So, this probably won't be a practical problem in the context - of Anonymity Distributions. - -* "Round-Trip Time Measurement", which is only useful when the user - manages to saturate their connection. When using Anonymity Distributions, - probably the limiting factor for transmission speed is rarely the capacity - of the user connection. - -Netfilter's connection tracking helper module increases kernel attack -surface by enabling superfluous functionality such as IRC parsing in -the kernel. (!) 
- -Hence, this package disables this feature by shipping the -/etc/sysctl.d/nf_conntrack_helper.conf configuration file. +See README. %prep %setup -q @@ -72,48 +29,9 @@ make %{?_smp_mflags} %files %license debian/copyright -/etc/X11/Xsession.d/50panic_on_oops -/etc/X11/Xsession.d/50security-misc -/etc/apparmor.d/tunables/home.d/security-misc -/etc/apt/apt.conf.d/40sandbox -/etc/default/grub.d/40_enable_iommu.cfg -/etc/default/grub.d/40_kernel_hardening.cfg -/etc/login.defs.security-misc -/etc/modprobe.d/30_nf_conntrack_helper_disable.conf -/etc/modprobe.d/blacklist-dma.conf -/etc/modprobe.d/uncommon-network-protocols.conf -/etc/securetty.security-misc -/etc/security/limits.d/disable-coredumps.conf -/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml -/etc/sudoers.d/security-misc -/etc/sysctl.d/coredumps.conf -/etc/sysctl.d/dmesg_restrict.conf -/etc/sysctl.d/fs_protected.conf -/etc/sysctl.d/harden_bpf.conf -/etc/sysctl.d/kexec.conf -/etc/sysctl.d/kptr_restrict.conf -/etc/sysctl.d/mmap_aslr.conf -/etc/sysctl.d/ptrace_scope.conf -/etc/sysctl.d/suid_dumpable.conf -/etc/sysctl.d/sysrq.conf -/etc/sysctl.d/tcp_hardening.conf -/etc/sysctl.d/tcp_sack.conf -/etc/sysctl.d/tcp_timestamps.conf -/etc/systemd/system/emergency.service.d/override.conf -/etc/systemd/system/rescue.service.d/override.conf -/lib/systemd/coredump.conf.d/disable-coredumps.conf -/lib/systemd/system/proc-hidepid.service -/lib/systemd/system/remove-system-map.service -/usr/lib/security-misc/apt-get-update -/usr/lib/security-misc/apt-get-update-sanity-test -/usr/lib/security-misc/apt-get-wrapper -/usr/lib/security-misc/panic-on-oops -/usr/lib/security-misc/remove-system.map -/usr/share/glib-2.0/schemas/30_security-misc.gschema.override -/usr/share/lintian/overrides/security-misc -/usr/share/pam-configs/usergroups -/usr/share/pam-configs/wheel -/usr/share/security-misc/dolphinrc +/etc/* +/lib/* +/usr/* %changelog @CHANGELOG@ 
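Review bot: In the %files hunk, the globs `/etc/*`, `/lib/*` and `/usr/*` make the package claim every top-level entry the build installs, including shared directories such as `/usr/bin` and `/etc/sysctl.d` themselves rather than only the files inside them. Anything that happens to land in the buildroot is then shipped without showing up in review, which the removed explicit list prevented. Consider listing the package's own paths (or generating the list at build time from the installed tree) and reserving `%dir` for directories this package actually creates.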
diff --git a/usr/bin/disabled-bluetooth-by-security-misc b/usr/bin/disabled-bluetooth-by-security-misc new file mode 100755 index 0000000..0a4c308 --- /dev/null +++ b/usr/bin/disabled-bluetooth-by-security-misc @@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. + +echo "$0: ALERT: This Bluetooth kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 + +exit 1 diff --git a/usr/bin/disabled-cdrom-by-security-misc b/usr/bin/disabled-cdrom-by-security-misc new file mode 100755 index 0000000..f017e76 --- /dev/null +++ b/usr/bin/disabled-cdrom-by-security-misc @@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. + +echo "$0: ALERT: This CD-ROM/DVD kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 + +exit 1 diff --git a/usr/bin/disabled-filesys-by-security-misc b/usr/bin/disabled-filesys-by-security-misc new file mode 100755 index 0000000..f0cf9b4 --- /dev/null +++ b/usr/bin/disabled-filesys-by-security-misc @@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. + +echo "$0: ALERT: This file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 + +exit 1 
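Review bot: The echo line in this script, and in the sibling disabled-*-by-security-misc scripts added by this patch, expands `$@` inside a longer double-quoted string, so the message is split into several words as soon as more than one argument is passed (ShellCheck SC2145). echo rejoins them with spaces, so the output looks right, but `$*` states the intent: `... for details. | args: $*" >&2`.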
diff --git a/usr/bin/disabled-firewire-by-security-misc b/usr/bin/disabled-firewire-by-security-misc new file mode 100755 index 0000000..c0d035a --- /dev/null +++ b/usr/bin/disabled-firewire-by-security-misc @@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. + +echo "$0: ALERT: This FireWire (IEEE 1394) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 + +exit 1 diff --git a/usr/bin/disabled-framebuffer-by-security-misc b/usr/bin/disabled-framebuffer-by-security-misc new file mode 100755 index 0000000..c287c21 --- /dev/null +++ b/usr/bin/disabled-framebuffer-by-security-misc @@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2024 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. + +echo "$0: ALERT: This framebuffer (fbdev) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 + +exit 1 diff --git a/usr/bin/disabled-gps-by-security-misc b/usr/bin/disabled-gps-by-security-misc new file mode 100755 index 0000000..149249a --- /dev/null +++ b/usr/bin/disabled-gps-by-security-misc @@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. + +echo "$0: ALERT: This Global Positioning System (GPS) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 + +exit 1 
diff --git a/usr/bin/disabled-intelme-by-security-misc b/usr/bin/disabled-intelme-by-security-misc new file mode 100755 index 0000000..094fa29 --- /dev/null +++ b/usr/bin/disabled-intelme-by-security-misc @@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. + +echo "$0: ALERT: This Intel Management Engine (ME) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 + +exit 1 diff --git a/usr/bin/disabled-intelpmt-by-security-misc b/usr/bin/disabled-intelpmt-by-security-misc new file mode 100755 index 0000000..45a7aa4 --- /dev/null +++ b/usr/bin/disabled-intelpmt-by-security-misc @@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2024 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. + +echo "$0: ALERT: This Intel Platform Monitoring Technology (PMT) Telemetry kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 + +exit 1 diff --git a/usr/bin/disabled-miscellaneous-by-security-misc b/usr/bin/disabled-miscellaneous-by-security-misc new file mode 100755 index 0000000..5848c6e --- /dev/null +++ b/usr/bin/disabled-miscellaneous-by-security-misc 
@@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. + +echo "$0: ALERT: This kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 + +exit 1 diff --git a/usr/bin/disabled-netfilesys-by-security-misc b/usr/bin/disabled-netfilesys-by-security-misc new file mode 100755 index 0000000..ed4e792 --- /dev/null +++ b/usr/bin/disabled-netfilesys-by-security-misc @@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. + +echo "$0: ALERT: This network file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 + +exit 1 diff --git a/usr/bin/disabled-network-by-security-misc b/usr/bin/disabled-network-by-security-misc new file mode 100755 index 0000000..f8c3129 --- /dev/null +++ b/usr/bin/disabled-network-by-security-misc @@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. + +echo "$0: ALERT: This network protocol kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 + +exit 1 diff --git a/usr/bin/disabled-thunderbolt-by-security-misc b/usr/bin/disabled-thunderbolt-by-security-misc new file mode 100755 index 0000000..c6d1d71 --- /dev/null +++ b/usr/bin/disabled-thunderbolt-by-security-misc 
@@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. + +echo "$0: ALERT: This Thunderbolt kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 + +exit 1 diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener new file mode 100755 index 0000000..2d9a729 --- /dev/null +++ b/usr/bin/permission-hardener 
@@ -0,0 +1,993 @@ +#!/bin/bash +# shellcheck disable=SC2076 + +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## https://forums.whonix.org/t/disable-suid-binaries/7706 +## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707 + +## dpkg-statoverride does not support end-of-options ("--"). + +## SC2076 is disabled because ShellCheck seems to think that any use of +## [[ ... =~ ... ]] is supposed to be a regex match. But [[ '...' =~ '...' ]] +## works very well for literal matching, and it is used that way extensively +## throughout this script. + +set -o errexit -o nounset -o pipefail + +## Constants +# shellcheck disable=SC2034 +log_level=notice +store_dir="/var/lib/permission-hardener-v2" +state_file="${store_dir}/existing_mode/statoverride" +dpkg_admindir_parameter_existing_mode="--admindir ${store_dir}/existing_mode" +dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode" +delimiter="#permission-hardener-delimiter#" + +## Library imports +# shellcheck disable=SC1091 +source /usr/libexec/helper-scripts/safe_echo.sh +# shellcheck disable=SC1091 +source /usr/libexec/helper-scripts/log_run_die.sh + +## Functions +echo_wrapper_ignore() { + if [ "${1}" = 'verbose' ]; then + shift + log notice "Executing: $*" + elif [ "${1}" = 'silent' ]; then + shift + else + log error "Unrecognized command '${1}'! calling function name: '${FUNCNAME[1]}'" >&2 + return + fi + "$@" 2>/dev/null || true +} + +echo_wrapper_audit() { + local return_code + if [ "${1}" = 'verbose' ]; then + shift + log notice "Executing: $*" + elif [ "${1}" = 'silent' ]; then + shift + else + log error "Unrecognized command '${1}'! calling function name: '${FUNCNAME[1]}'" >&2 + return + fi + return_code=0 + "$@" || + { + return_code="$?" + exit_code=203 + log error "Command '$*' failed with exit code '${return_code}'! 
calling function name: '${FUNCNAME[1]}'" >&2 + } +} + +## Some tools may fail on newlines and even variable assignment to array may +## fail if a variable that will be assigned to an array element contains +## characters that are used as delimiters. +block_newlines() { + local newline_variable newline_value + newline_variable="${1:-}" + newline_value="${2:-}" + ## dpkg-statoverride: error: path may not contain newlines + if [[ "${newline_value}" != "${newline_value//$'\n'/NEWLINE}" ]]; then + log warn "Skipping ${newline_variable} that contains newlines: '${newline_value}'" >&2 + return 1 + fi +} + +output_stat() { + local file_name stat_output stat_output_newlined hardlink_count + declare -a arr + file_name="${1:-}" + + if [ -z "${file_name}" ]; then + log error "File name is empty. file_name: '${file_name}'" >&2 + return 1 + fi + + block_newlines file "${file_name}" + + if [ ! -e "${file_name}" ]; then + log info "File does not exist. file_name: '${file_name}'" >&2 + existing_mode='' + existing_owner='' + existing_group='' + file_name_from_stat='' + return 0 + fi + + if ! stat_output="$(stat -L \ + --format="%a${delimiter}%U${delimiter}%G${delimiter}%n${delimiter}%h${delimiter}" \ + -- "${file_name}")"; then + log error "Failed to run 'stat' on file: '${file_name}'!" >&2 + return 1 + fi + + if [ -z "$stat_output" ]; then + log error "stat_output is empty. +File name: '${file_name}' +Stat output: '${stat_output}' +stat_output_newlined: '${stat_output_newlined}' +line: '${processed_config_line}' +" >&2 + return 1 + fi + + stat_output_newlined="$(printf '%s\n' "${stat_output//${delimiter}/$'\n'}")" + + if [ -z "${stat_output_newlined}" ]; then + log error "stat_output_newlined is empty. +File name: '${file_name}' +Stat output: '${stat_output}' +stat_output_newlined: '${stat_output_newlined}' +line: '${processed_config_line}' +" >&2 + return 1 + fi + + readarray -t arr <<< "${stat_output_newlined}" + + if [ "${#arr[@]}" = '0' ]; then + log error "Array length is 0. 
+File name: '${file_name}' +Stat output: '${stat_output}' +stat_output_newlined: '${stat_output_newlined}' +line: '${processed_config_line}' +" >&2 + return 1 + fi + + existing_mode="${arr[0]}" + existing_owner="${arr[1]}" + existing_group="${arr[2]}" + file_name_from_stat="${arr[3]}" + hardlink_count="${arr[4]}" + + if [ "$file_name" != "$file_name_from_stat" ]; then + log error "\ +File name is different from file name received from stat: +File name: '${file_name}' +File name from stat: '${file_name_from_stat}' +line: '${processed_config_line}' +" >&2 + return 1 + fi + + ## We can't handle files with hardlinks because figuring out all of the files + ## in a "hardlink pool" requires scanning the whole filesystem, which would + ## result in an unacceptable performance hit for this script. We don't check + ## directory hardlinks since directories can't have traditional hardlinks. + if [ ! -d "${file_name_from_stat}" ]; then + if (( hardlink_count > 1 )); then + log error "\ +File has unexpected hardlinks, cannot handle. +File name: '${file_name}' +File name from stat: '${file_name_from_stat}' +line: '${processed_config_line}' +" >&2 + return 1 + fi + fi + + if [ -z "${existing_mode}" ]; then + log error "Existing mode is empty. Stat output: '${stat_output}', line: '${processed_config_line}'" >&2 + return 1 + fi + if [ -z "${existing_owner}" ]; then + log error "Existing owner is empty. Stat output: '${stat_output}', line: '${processed_config_line}'" >&2 + return 1 + fi + if [ -z "${existing_group}" ]; then + log error "Existing group is empty. 
Stat output: '${stat_output}', line: '${processed_config_line}'" >&2 + return 1 + fi + + ## If a symlink was passed as input, return the original file's path rather + ## than the symlink to avoid problems stemming from using the wrong path + if [ -h "${file_name_from_stat}" ]; then + file_name_from_stat="$(realpath "${file_name_from_stat}")" + fi +} + +print_usage(){ + safe_echo "Usage: ${0##*/} enable + ${0##*/} disable [FILE|all] + ${0##*/} print-policy + ${0##*/} print-state + ${0##*/} print-policy-applied-state + ${0##*/} print-diagnostics + +Examples: + ${0##*/} enable + ${0##*/} disable all + ${0##*/} disable /usr/bin/newgrp" >&2 +} + +add_to_policy() { + local file_name file_mode file_owner file_group updated_entry policy_idx \ + file_capabilities + file_name="${1:-}" + file_mode="${2:-}" + file_owner="${3:-}" + file_group="${4:-}" + file_capabilities="${5:-}" + updated_entry=false + + if [ -h "${file_name}" ]; then + file_name="$(realpath "${file_name}")" || return 1 + fi + + for (( policy_idx=0; policy_idx < ${#policy_file_list[@]}; policy_idx++ )); do + if [ "${policy_file_list[policy_idx]}" = "${file_name}" ]; then + policy_mode_list[policy_idx]="${file_mode}" + policy_user_owner_list[policy_idx]="${file_owner}" + policy_group_owner_list[policy_idx]="${file_group}" + policy_capability_list[policy_idx]="${file_capabilities}" + updated_entry=true + break + fi + done + + if [ "${updated_entry}" != 'true' ]; then + policy_file_list+=( "${file_name}" ) + policy_mode_list+=( "${file_mode}" ) + policy_user_owner_list+=( "${file_owner}" ) + policy_group_owner_list+=( "${file_group}" ) + policy_capability_list+=( "${file_capabilities}" ) + fi +} + +check_nosuid_whitelist() { + local target_file match_white_list_entry + + target_file="${1:-}" + + ## Handle whitelists, if we're supposed to + [ "${whitelists_disable_all}" = 'true' ] && return 0 + + ## literal matching is intentional here + [[ " ${policy_disable_white_list[*]} " =~ " ${target_file} " ]] && return 0 + 
+ ## literal matching is intentional here too + [[ " ${policy_exact_white_list[*]} " =~ " ${target_file} " ]] && return 1 + + for match_white_list_entry in "${policy_match_white_list[@]:-}"; do + if [[ "${target_file}" == *"${match_white_list_entry}"* ]]; then + return 1 + fi + done + + return 0 +} + +load_early_nosuid_policy() { + local target_file find_list_item + + target_file="${1:-}" + + # shellcheck disable=SC2185 + while IFS="" read -r -d "" find_list_item; do + check_nosuid_whitelist "${find_list_item}" || continue + + ## sets: + ## exiting_mode + ## existing_owner + ## existing_group + output_stat "${find_list_item}" + if [ -z "${file_name_from_stat}" ]; then + continue + fi + + ## -h file True if file is a symbolic link. + if [ -h "${find_list_item}" ]; then + ## https://forums.whonix.org/t/disable-suid-binaries/7706/14 + log info "Skip symlink: '${find_list_item}'" + continue + fi + + if [ -d "${find_list_item}" ]; then + log info "Skip directory: '${find_list_item}'" + continue + fi + + ## Remove suid / gid and execute permission for 'group' and 'others'. + ## Similar to: chmod og-ugx /path/to/filename + ## Removing execution permission is useful to make binaries such as 'su' + ## fail closed rather than fail open if suid was removed from these. + ## Do not remove read access since no security benefit and easier to + ## manually undo for users. + ## Are there suid or sgid binaries which are still useful if suid / sgid + ## has been removed from these? + local new_mode + new_mode='744' + + add_to_policy "${file_name_from_stat}" "${new_mode}" "${existing_owner}" \ + "${existing_group}" + done < <(safe_echo_nonewline "${target_file}" \ + | find -files0-from - -perm /u=s,g=s -print0) +} + +## If the "target file" matches the start of the state file name, that's a +## likely match. This is used by load_late_nosuid_policy for detecting info +## about files that need SUID-locked that are in the state. 
+match_dir() { + local base_str match_str base_arr match_arr base_idx + + base_str="${1}" + match_str="${2}" + [[ "${base_str}" =~ '//' ]] && return 1 + [[ "${match_str}" =~ '//' ]] && return 1 + + IFS='/' read -r -a base_arr <<< "${base_str}" + IFS='/' read -r -a match_arr <<< "${match_str}" + (( ${#base_arr[@]} > ${#match_arr[@]} )) && return 1 + + for (( base_idx=0; base_idx < ${#base_arr[@]}; base_idx++ )); do + if [ "${base_arr[base_idx]}" != "${match_arr[base_idx]}" ]; then + return 1 + fi + done + + return 0 +} + +load_late_nosuid_policy() { + local target_file state_idx state_file_item state_user_owner_item \ + state_group_owner_item new_mode + + target_file="${1:-}" + for (( state_idx=0; state_idx < ${#state_file_list[@]}; state_idx++ )); do + state_file_item="${state_file_list[state_idx]}" + check_nosuid_whitelist "${state_file_item}" || continue + + match_dir "${target_file}" "${state_file_item}" || continue + + if [ -h "${state_file_item}" ]; then + ## https://forums.whonix.org/t/disable-suid-binaries/7706/14 + log info "Skip symlink: '${state_file_item}'" + continue + fi + + if [ -d "${state_file_item}" ]; then + log info "Skip directory: '${state_file_item}'" + continue + fi + + state_user_owner_item="${state_user_owner_list[state_idx]}" + state_group_owner_item="${state_group_owner_list[state_idx]}" + new_mode='744' + add_to_policy "${state_file_item}" "${new_mode}" \ + "${state_user_owner_item}" "${state_group_owner_item}" + done +} + +load_state_without_policy() { + local line field_list + + ## Load the state file from disk + if [ -f "${state_file}" ]; then + while read -r line; do + read -r -a field_list <<< "${line}" + if (( ${#field_list[@]} != 4 )); then + log info \ + "Invalid number of fields in state file line: '${line}'. Skipping." 
+ continue + fi + state_user_owner_list+=( "${field_list[0]}" ) + state_group_owner_list+=( "${field_list[1]}" ) + state_mode_list+=( "${field_list[2]}" ) + state_file_list+=( "${field_list[3]}" ) + done < "${state_file}" + fi +} + +load_state() { + ## Config format: + ## path options + ## where options is one of: + ## user_owner group_owner filemode [capability-setting] + ## [nosuid|exactwhitelist|matchwhitelist|disablewhitelist] + ## + ## Additionally, the special value 'whitelists_disable_all=true' is understood + ## to mean that all whitelisting should be ignored. + + local config_file line field_list policy_nosuid_file_item policy_file_item + + ## Load configuration, deferring whitelist handling until later + for config_file in \ + /usr/lib/permission-hardener.d/*.conf \ + /etc/permission-hardener.d/*.conf \ + /usr/local/etc/permission-hardener.d/*.conf \ + /etc/permission-hardening.d/*.conf \ + /usr/local/etc/permission-hardening.d/*.conf + do + if [ ! -f "${config_file}" ]; then + continue + fi + + while read -r line; do + if [ -z "${line}" ]; then + true 'DEBUG: line is empty. Skipping.' + continue + fi + + if [[ "${line}" =~ ^\s*# ]]; then + continue + fi + + if ! [[ "${line}" =~ ^[-0-9a-zA-Z._/[:space:]]*$ ]]; then + exit_code=200 + log error "Line contains invalid characters: '${line}'" >&2 + ## Safer to exit with error in this case. + ## https://forums.whonix.org/t/disable-suid-binaries/7706/59 + exit "${exit_code}" + fi + + if [ "${line}" = 'whitelists_disable_all=true' ]; then + whitelists_disable_all=true + log info "whitelists_disable_all=true" + continue + fi + + processed_config_line="${line}" + + IFS=' ' read -r -a field_list <<< "${line}" + + case "${#field_list[@]}" in + 2|4|5) true;; + *) + exit_code=200 + log error "Line contains an invalid number of fields: '${line}'" >&2 + exit "${exit_code}" + ;; + esac + + # Strip trailing slash if appropriate + field_list[0]="${field_list[0]%/}" + + case "${field_list[1]}" in + 'exactwhitelist') + [ ! 
-e "${field_list[0]}" ] && continue + policy_exact_white_list+=( "${field_list[0]}" ) + continue + ;; + 'matchwhitelist') + policy_match_white_list+=( "${field_list[0]}" ) + continue + ;; + 'disablewhitelist') + policy_disable_white_list+=( "${field_list[0]}" ) + continue + ;; + 'nosuid') + [ ! -e "${field_list[0]}" ] && continue + policy_nosuid_file_list+=( "${field_list[0]}" ) + ;; + *) + [ ! -e "${field_list[0]}" ] && continue + add_to_policy "${field_list[@]}" + ;; + esac + done < "${config_file}" + done + + ## We have to handle nosuid files at the end since the whitelist arrays need + ## built first. + for policy_nosuid_file_item in "${policy_nosuid_file_list[@]}"; do + load_early_nosuid_policy "${policy_nosuid_file_item}" + done + + load_state_without_policy + + ## Find any files in the policy that don't already have a matching file in + ## the state. Add those files to the state, and save them to the state file + ## as well. + for policy_file_item in "${policy_file_list[@]}"; do + if [[ " ${state_file_list[*]} " =~ " ${policy_file_item} " ]]; then + continue + fi + output_stat "${policy_file_item}" + if [ -z "${file_name_from_stat}" ]; then + continue + fi + state_file_list+=( "${file_name_from_stat}" ) + state_user_owner_list+=( "${existing_owner}" ) + state_group_owner_list+=( "${existing_group}" ) + state_mode_list+=( "${existing_mode}" ) + # shellcheck disable=SC2086 + echo_wrapper_audit silent dpkg-statoverride \ + ${dpkg_admindir_parameter_existing_mode} \ + --add "${existing_owner}" "${existing_group}" "${existing_mode}" \ + "${file_name_from_stat}" + done + + ## Fix up nosuid policies using state information + for policy_nosuid_file_item in "${policy_nosuid_file_list[@]}"; do + load_late_nosuid_policy "${policy_nosuid_file_item}" + done +} + +apply_policy() { + local policy_idx did_state_update state_idx + + ## Modify the in-memory state so that all items that the policy affects match + ## the policy. DO NOT save these changes to the state file! 
+ for (( policy_idx=0; policy_idx < ${#policy_file_list[@]}; policy_idx++ )); do + did_state_update=false + for (( state_idx=0; state_idx < ${#state_file_list[@]}; state_idx++ )); do + if [ "${state_file_list[state_idx]}" = "${policy_file_list[policy_idx]}" ]; then + state_user_owner_list[state_idx]="${policy_user_owner_list[policy_idx]}" + state_group_owner_list[state_idx]="${policy_group_owner_list[policy_idx]}" + state_mode_list[state_idx]="${policy_mode_list[policy_idx]}" + did_state_update=true + break + fi + done + if [ "${did_state_update}" = 'false' ]; then + exit_code=206 + log error \ + "File exists in policy but not in state! File: '${policy_file_list[policy_idx]}'" + exit "${exit_code}" + fi + done +} + +commit_policy() { + local policy_idx state_idx state_file_item \ + state_user_owner_item state_group_owner_item \ + state_mode_item orig_main_statoverride_db orig_new_statoverride_db \ + policy_file_item policy_capability_item + + ## Check each file on the filesystem against the state, and update it if the + ## state does not match. Also ensure the consistency of the new_mode database + ## so that people can compare the original permissions of files with the new + ## permissions. + orig_main_statoverride_db="$(dpkg-statoverride --list)" || true + # shellcheck disable=SC2086 + orig_new_statoverride_db="$(dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --list)" || true + + for (( state_idx=0; state_idx < ${#state_file_list[@]}; state_idx++ )); do + state_file_item="${state_file_list[state_idx]}" + state_user_owner_item="${state_user_owner_list[state_idx]}" + state_group_owner_item="${state_group_owner_list[state_idx]}" + state_mode_item="${state_mode_list[state_idx]}" + + ## Get rid of leading zeros, stat doesn't output them due to how we use it. + ## Using BASH_REMATCH is faster than sed. We capture all leading zeros into + ## one group, and the rest of the string into a second group. The second + ## group is the string we want. 
BASH_REMATCH[0] is the entire string, + ## BASH_REMATCH[1] is the first match that we want to discard, and + ## BASH_REMATCH[2] is the desired second group. + [[ "${state_mode_item}" =~ ^(0*)(.*) ]] || true; + state_mode_item="${BASH_REMATCH[2]}" + + output_stat "${state_file_item}" + if [ -z "${file_name_from_stat}" ]; then + continue + fi + + if [ "${existing_owner}" != "${state_user_owner_item}" ] \ + || [ "${existing_group}" != "${state_group_owner_item}" ] \ + || [ "${existing_mode}" != "${state_mode_item}" ]; then + if ! [[ "${passwd_file_contents}" =~ "${state_user_owner_item}:" ]]; then + log error "Owner from config does not exist: '${state_user_owner_item}'" >&2 + continue + fi + + if ! [[ "${group_file_contents}" =~ "${state_group_owner_item}:" ]]; then + log error "Group from config does not exist: '${state_group_owner_item}'" >&2 + continue + fi + ## Remove and reapply in main list + if [[ "${orig_main_statoverride_db}" =~ "${file_name_from_stat}" ]]; then + echo_wrapper_ignore silent dpkg-statoverride --remove \ + "${file_name_from_stat}" + fi + echo_wrapper_audit verbose dpkg-statoverride --add --update \ + "${state_user_owner_item}" "${state_group_owner_item}" \ + "${state_mode_item}" "${file_name_from_stat}" + + ## Update item in secondary list + if [[ "${orig_new_statoverride_db}" =~ "${file_name_from_stat}" ]]; then + # shellcheck disable=SC2086 + echo_wrapper_ignore silent dpkg-statoverride \ + ${dpkg_admindir_parameter_new_mode} --remove \ + "${file_name_from_stat}" + fi + # shellcheck disable=SC2086 + echo_wrapper_audit verbose dpkg-statoverride \ + ${dpkg_admindir_parameter_new_mode} --add \ + "${state_user_owner_item}" "${state_group_owner_item}" \ + "${state_mode_item}" "${file_name_from_stat}" + fi + done + + ## Apply capability hardening, dpkg-statoverride can't handle this so we have + ## to do this manually + for (( policy_idx=0; policy_idx < ${#policy_file_list[@]}; policy_idx++ )); do + 
policy_file_item="${policy_file_list[policy_idx]}" + policy_capability_item="${policy_capability_list[policy_idx]}" + if [ -z "${policy_capability_item}" ]; then + continue + fi + + if [ "${policy_capability_item}" = 'none' ]; then + echo_wrapper_ignore verbose setcap -r "${policy_file_item}" + if [ -n "$(getcap -- "${policy_file_item}")" ]; then + exit_code=205 + log error \ + "Removing capabilities failed. File: '${policy_file_item}'" >&2 + continue + fi + else + if ! capsh --print \ + | grep --fixed-strings -- "Bounding set" \ + | grep -- "${policy_capability_item}" >/dev/null; then + log error \ + "Capability from config does not exist: '${policy_capability_item}'" \ + >&2 + continue + fi + + ## feature request: dpkg-statoverride: support for capabilities + ## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=502580 + echo_wrapper_audit verbose setcap "${policy_capability_item}+ep" \ + -- "${policy_file_item}" + fi + done + + log notice "\ +To compare the current and previous permission modes, install 'meld' (or preferred diff tool) for comparison of file mode changes: + sudo apt install --no-install-recommends meld + meld ${store_dir}/existing_mode/statoverride ${store_dir}/new_mode/statoverride" +} + +undo_policy_for_file() { + local undo_file state_idx state_file_item did_undo \ + undo_all verbose orig_main_statoverride_db orig_new_statoverride_db \ + state_user_owner_item state_group_owner_item state_mode_item + + undo_file="${1}" + undo_all=false + verbose='--verbose' + if [ "${undo_file}" = 'all' ]; then + undo_all=true + verbose='' + fi + + if [ ! -f "${state_file}" ]; then + true 'DEBUG: State file does not exist, hardening was not applied before.' 
+ return 0 + fi + + did_undo=false + + for (( state_idx=0; state_idx < ${#state_file_list[@]}; state_idx++ )); do + state_file_item="${state_file_list[state_idx]}" + if [ "${undo_all}" = 'true' ]; then + undo_file="${state_file_item}" + fi + + if [ "${state_file_item}" = "${undo_file}" ]; then + orig_main_statoverride_db="$(dpkg-statoverride --list)" || true + # shellcheck disable=SC2086 + orig_new_statoverride_db="$(dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --list)" || true + + if [[ "${orig_main_statoverride_db}" =~ "${undo_file}" ]]; then + echo_wrapper_ignore silent dpkg-statoverride --remove \ + "${undo_file}" + fi + + if [[ "${orig_new_statoverride_db}" =~ "${undo_file}" ]]; then + # shellcheck disable=SC2086 + echo_wrapper_ignore silent dpkg-statoverride \ + ${dpkg_admindir_parameter_new_mode} --remove \ + "${undo_file}" + fi + + if [ -e "${undo_file}" ]; then + state_user_owner_item="${state_user_owner_list[state_idx]}" + state_group_owner_item="${state_group_owner_list[state_idx]}" + state_mode_item="${state_mode_list[state_idx]}" + chown ${verbose} -- "${state_user_owner_item}:${state_group_owner_item}" \ + "${undo_file}" || exit_code=202 + ## chmod needs to be run after chown since chown removes suid. + chmod ${verbose} "${state_mode_item}" "${undo_file}" || exit_code=203 + else + log info "File does not exist: '${undo_file}'" + fi + did_undo=true + + if [ "${undo_all}" = 'false' ]; then + break + fi + fi + done + + if ! [[ "${did_undo}" = 'false' ]]; then + log info "The specified file is not hardened, leaving unchanged. + + File '${undo_file}' has not been removed from SUID Disabler and Permission Hardener during this invocation. This is expected if no policy was ever applied to the file before. + + This program expects the full path to the file. Example: + $0 disable /usr/bin/newgrp # absolute path: works + $0 disable newgrp # relative path: does not work + + To remove all: + $0 disable all + + This change might not be permanent. 
For full instructions, see: + https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener + + To view list of changed by SUID Disabler and Permission Hardener: + https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#View_List_of_Permissions_Changed_by_SUID_Disabler_and_Permission_Hardener + + For re-enabling any specific SUID binary: + https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#Re-Enable_Specific_SUID_Binaries + + For completely disabling SUID Disabler and Permission Hardener: + https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#Disable_SUID_Disabler_and_Permission_Hardener" + fi +} + +print_columns() { + local format_str bogus_str + format_str='' + for bogus_str in "$@"; do + format_str="${format_str}%s\t" + done + format_str="${format_str}\n" + ## Using a dynamically generated format string on purpose. + # shellcheck disable=SC2059 + printf "${format_str}" "$@" +} + +print_policy() { + local policy_idx + + print_columns 'File' 'User' 'Group' 'Mode' 'Capabilities' + + for (( policy_idx=0; policy_idx < ${#policy_file_list[@]}; policy_idx++ )); do + print_columns \ + "${policy_file_list[policy_idx]}" \ + "${policy_user_owner_list[policy_idx]}" \ + "${policy_group_owner_list[policy_idx]}" \ + "${policy_mode_list[policy_idx]}" \ + "${policy_capability_list[policy_idx]}" + done +} + +print_state() { + local state_idx + + print_columns 'File' 'User' 'Group' 'Mode' + for (( state_idx=0; state_idx < ${#state_file_list[@]}; state_idx++ )); do + print_columns \ + "${state_file_list[state_idx]}" \ + "${state_user_owner_list[state_idx]}" \ + "${state_group_owner_list[state_idx]}" \ + "${state_mode_list[state_idx]}" + done +} + +print_raw_policy_config() { + local config_file + for config_file in \ + /usr/lib/permission-hardener.d/*.conf \ + /etc/permission-hardener.d/*.conf \ + /usr/local/etc/permission-hardener.d/*.conf \ + /etc/permission-hardening.d/*.conf \ + 
/usr/local/etc/permission-hardening.d/*.conf + do + if [ ! -f "${config_file}" ]; then + continue + fi + echo "*** begin ${config_file} ***" + cat "${config_file}" + echo "*** end ${config_file} ***" + done +} + +print_raw_state() { + local state_file + for state_file in "${store_dir}/existing_mode/statoverride" \ + "${store_dir}/new_mode/statoverride"; do + echo "*** begin ${state_file} ***" + cat "${state_file}" + echo "*** end ${state_file} ***" + done +} + +print_fs_audit() { + local state_idx state_file_item state_user_owner_item state_group_owner_item \ + state_mode_item + + echo 'Legend:' + echo '... - Warning about an unusual, but not necessarily wrong, condition' + echo '!!! - Warning about an unusual and definitely wrong condition' + echo '*** - File permission data, actual state on filesystem is consistent with policy' + echo '^^^ - File permission data, actual state on filesystem is inconsistent with policy' + echo 'vvv - File permissions specified by state, always shown after a ^^^ item' + echo + + for (( state_idx=0; state_idx < ${#state_file_list[@]}; state_idx++ )); do + state_file_item="${state_file_list[state_idx]}" + state_user_owner_item="${state_user_owner_list[state_idx]}" + state_group_owner_item="${state_group_owner_list[state_idx]}" + state_mode_item="${state_mode_list[state_idx]}" + + ## Get rid of leading zeros, stat doesn't output them due to how we use it. + ## Using BASH_REMATCH is faster than sed. We capture all leading zeros into + ## one group, and the rest of the string into a second group. The second + ## group is the string we want. BASH_REMATCH[0] is the entire string, + ## BASH_REMATCH[1] is the first match that we want to discard, and + ## BASH_REMATCH[2] is the desired second group. + [[ "${state_mode_item}" =~ ^(0*)(.*) ]] || true; + state_mode_item="${BASH_REMATCH[2]}" + + output_stat "${state_file_item}" + if [ -z "${file_name_from_stat}" ]; then + echo "... 
'${file_name_from_stat}' does not exist" + continue + fi + + if [ "${existing_owner}" != "${state_user_owner_item}" ] \ + || [ "${existing_group}" != "${state_group_owner_item}" ] \ + || [ "${existing_mode}" != "${state_mode_item}" ]; then + if ! [[ "${passwd_file_contents}" =~ "${state_user_owner_item}:" ]]; then + echo "!!! Owner from config does not exist: '${state_user_owner_item}'" + continue + fi + + if ! [[ "${group_file_contents}" =~ "${state_group_owner_item}:" ]]; then + echo "!!! Group from config does not exist: '${state_group_owner_item}'" + continue + fi + + echo "^^^ ${file_name_from_stat} ${existing_owner}:${existing_group} ${existing_mode}" + echo "vvv ${file_name_from_stat} ${state_user_owner_item}:${state_group_owner_item} ${state_mode_item}" + else + echo "*** ${file_name_from_stat} ${existing_owner}:${existing_group} ${existing_mode}" + fi + done +} + +reset_global_vars() { + ## Global variables + policy_file_list=() + policy_user_owner_list=() + policy_group_owner_list=() + policy_mode_list=() + policy_capability_list=() + policy_exact_white_list=() + policy_match_white_list=() + policy_disable_white_list=() + policy_nosuid_file_list=() + state_file_list=() + state_user_owner_list=() + state_group_owner_list=() + state_mode_list=() + whitelists_disable_all=false + existing_mode='' + existing_owner='' + existing_group='' + processed_config_line='' + file_name_from_stat='' + passwd_file_contents="$(getent passwd)" + group_file_contents="$(getent group)" + exit_code=0 +} + +reset_global_vars + +## Setup and sanity checking +if [ "$(id -u)" != '0' ]; then + log error "Not running as root, aborting." 
+ exit 1 +fi + +mkdir --parents "${store_dir}/existing_mode" +mkdir --parents "${store_dir}/new_mode" + +echo_wrapper_audit silent which capsh getcap setcap stat find \ + dpkg-statoverride getent grep 1>/dev/null + +## Command parsing and execution +case "${1:-}" in + enable) + shift + load_state + apply_policy + commit_policy + ;; + disable) + shift + case "${1:-}" in + "") + print_usage + exit 1 + ;; + *) + load_state_without_policy + undo_policy_for_file "${1}" + ;; + esac + ;; + print-policy) + load_state + print_policy + ;; + print-state) + load_state + print_state + ;; + print-policy-applied-state) + load_state + apply_policy + print_state + ;; + print-diagnostics) + echo '=== BEGIN PERMISSION-HARDENER DIAGNOSTICS ===' + + echo '--- BEGIN State without policy ---' + load_state_without_policy + print_state + echo '--- END State without policy ---' + + reset_global_vars + + echo '--- BEGIN Policy without state ---' + load_state + print_policy + echo '--- END Policy without state ---' + + reset_global_vars + + echo '--- BEGIN Policy-applied-state ---' + load_state + apply_policy + print_state + echo '--- END Policy-applied state ---' + + reset_global_vars + + echo '--- BEGIN Master dpkg-statoverride database ---' + dpkg-statoverride --list + echo '--- END Master dpkg-statoverride database ---' + + echo '--- BEGIN Raw policy configuration ---' + print_raw_policy_config + echo '--- END Raw policy configuration ---' + + echo '--- BEGIN Raw state data ---' + print_raw_state + echo '--- END Raw state data ---' + + echo '--- BEGIN Filesystem state audit ---' + load_state + apply_policy + print_fs_audit + echo '--- END Filesystem state audit ---' + + echo '=== END PERMISSION-HARDENER DIAGNOSTICS ===' + ;; + -h|--help) + print_usage + exit 0 + ;; + *) + print_usage + exit 1 + ;; +esac + +## Exit +if test "${exit_code}" != "0"; then + log error "Exiting with non-zero exit code: '${exit_code}'" >&2 +fi + +exit "${exit_code}" 
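Review bot: In undo_policy_for_file the closing check is inverted: `if ! [[ "${did_undo}" = 'false' ]]; then` logs "The specified file is not hardened, leaving unchanged." exactly when an undo was carried out, and prints nothing when the requested path was never found in state_file_list. It should read `if [ "${did_undo}" = 'false' ]; then`, so the hint about absolute paths reaches the user who passed `newgrp` instead of `/usr/bin/newgrp`. Separately, print_fs_audit emits `'${file_name_from_stat}' does not exist` inside the branch where that variable is known to be empty, so the missing path is never shown; print `${state_file_item}` there instead.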
diff --git a/usr/bin/pkexec.security-misc b/usr/bin/pkexec.security-misc deleted file mode 100755 index b6e3f91..0000000 --- a/usr/bin/pkexec.security-misc +++ /dev/null 
@@ -1,89 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with -## hidepid. -## * https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040 -## * https://forums.whonix.org/t/cannot-use-pkexec/8129 - -set -e - -## If hidepid is not in use, just use pkexec normally. -if ! mount | grep "/proc" | grep "hidepid=2" &>/dev/null ; then - pkexec.security-misc-orig "$@" - exit $? -fi - -## Prefer lxqt-sudo. -use_sudo=false - -original_args="$@" - -## Thanks to: -## http://mywiki.wooledge.org/BashFAQ/035 - -while : -do - case $1 in - ## Should show 'pkexec --version' or fail? - --version) - shift - pkexec.security-misc-orig "$original_args" - exit $? - ;; - ## Should show 'pkexec --help' or fail? - --help) - shift - pkexec.security-misc-orig "$original_args" - exit $? - ;; - ## Drop --disable-internal-agent as not needed and breaking both, - ## lxqt-sudo and sudo. - --disable-internal-agent) - shift - ;; - --user) - ## lxqt-sudo does not support "--user". - ## We should not make this wrapper run something as root which - ## is supposed to run under a different user. Try using - ## "sudo -A --user user --set-home" instead. - user_pkexec_wrapper="$2" - if [ "$user_pkexec_wrapper" = "" ]; then - shift - else - shift 2 - fi - use_sudo=true - ;; - --) - shift - break - ;; - *) - break - ;; - esac -done - -## If there are input files (for example) that follow the options, they -## will remain in the "$@" positional parameters. - -if [[ "$@" = "" ]]; then - ## Call original pkexec in case there are no arguments. - pkexec.security-misc-orig $original_args - exit $? -fi - -## set PATH same as root -## This is required for gdebi. -## REVIEW: is it ok that users can find out the PATH setting of root? 
-PATH="$(sudo --non-interactive /usr/lib/security-misc/echo-path)" -export PATH - -if [ "$use_sudo" = "true" ]; then - lxqt-sudo sudo --user "$user_pkexec_wrapper" --set-home "$@" -else - lxqt-sudo "$@" -fi diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure new file mode 100755 index 0000000..957ad46 --- /dev/null +++ b/usr/bin/remount-secure 
@@ -0,0 +1,388 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## features: +## - nodev,nosuid where appropriate +## - optional noexec for most except /home +## - optional noexec for all including /home +## - idempotent (script can be safely re-run) +## - can be run from: +## - systemd +## - dracut +## - manually from command line +## - can safely handle non-existing folders +## - error handling +## - log output: +## - shows each and every command executed +## - shows old mount options prior running remount-secure +## - shows new mount options after running remount-secure + +## noexec in /tmp and/or /home can break some malware but also legitimate +## applications. + +## https://www.kicksecure.com/wiki/Noexec +## https://www.kicksecure.com/wiki/Dev/remount-secure +## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707 + +#set -x +set -e +set -o pipefail +set -o nounset + +init() { + if test -o xtrace ; then + output_command=true + else + output_command=echo + fi + + $output_command "$0: INFO: START" + + ## dracut does not have id. Saving space in initial ramdisk. + if command -v id &>/dev/null ; then + if [ "$(id -u)" != "0" ]; then + $output_command "ERROR: must be run as root! sudo $0" + exit 1 + fi + fi + + mkdir --parents "/run/remount-secure" + exit_code=0 + + ## dracut sets NEWROOT=/sysroot + [[ -v NEWROOT ]] || NEWROOT="" + if [ "$NEWROOT" = "" ]; then + $output_command "INFO: dracut detected: no" + else + $output_command "INFO: dracut detected: yes - NEWROOT: '$NEWROOT'" + fi + + ## Debugging. + #echo "ls -la /root/" + #ls -la / || true + #echo "ls -la /sysroot/" + #ls -la /sysroot/ || true + #echo "env" + #env || true +} + +parse_options() { + ## Thanks to: + ## https://mywiki.wooledge.org/BashFAQ/035 + + while : + do + case ${1:-} in + 0) + $output_command "WARNING: Not using remount-secure." 
+ exit 0 + shift + ;; + 1) + $output_command "INFO: level 1/3 (low)" + most_noexec_maybe="" + home_noexec_maybe="" + parsed=true + shift + ;; + 2) + $output_command "INFO: level 2/3 (medium)" + most_noexec_maybe=",noexec" + home_noexec_maybe="" + parsed=true + shift + ;; + 3) + $output_command "INFO: level 3/3 (high)" + most_noexec_maybe=",noexec" + home_noexec_maybe=",noexec" + parsed=true + shift + ;; + --force) + $output_command "INFO: --force" + option_force=true + shift + ;; + --) + shift + break + ;; + -*) + echo "ERROR: unknown option: $1" >&2 + exit 1 + ;; + *) + break + ;; + esac + done + + [[ -v option_force ]] || option_force="" + [[ -v parsed ]] || parsed=false + [[ -v home_noexec_maybe ]] || home_noexec_maybe="" + [[ -v most_noexec_maybe ]] || most_noexec_maybe="" + + $output_command "INFO: using nosuid,nodev: yes" + + if [ "$home_noexec_maybe" = "" ]; then + $output_command "INFO: using noexec for all: no" + else + $output_command "INFO: using noexec for all: yes" + return 0 + fi + + if [ "$most_noexec_maybe" = "" ]; then + $output_command "INFO: using noexec for most: no" + else + $output_command "INFO: using noexec for most (not all): yes" + return 0 + fi + + if [ "$parsed" = "true" ]; then + return 0 + fi + + $output_command "ERROR: syntax error. use either: +$0 0 +$0 1 +$0 2 +$0 3" + + exit 1 +} + +preparation() { + ## Debugging. + #$output_command "INFO: 'findmnt --list' output at the START." + #$output_command "$(findmnt --list)" + #$output_command "" + true +} + +remount_secure() { + $output_command "" + + ## ${FUNCNAME[1]} is the name of the calling function. I.e. the function + ## which called this function. 
+ status_file_name="${FUNCNAME[1]}" + ## example status_file_name: + ## _home + status_file_full_path="/run/remount-secure/${status_file_name}" + ## example status_file_full_path: + ## /run/remount-secure/_home + + old_mount_options="$(findmnt --noheadings --output options -- "$mount_folder")" || true + ## example old_mount_options: + ## rw,nosuid,nodev,relatime,discard + + $output_command "INFO: '$mount_folder' old_mount_options: '$old_mount_options'" + + if printf '%s\n' "$old_mount_options" | grep "$intended_mount_options" >/dev/null 2>/dev/null ; then + $output_command "INFO: '$mount_folder' has already intended mount options. ('$intended_mount_options')" + return 0 + fi + + ## When this package is upgraded, the systemd unit will run again. + ## If the user meanwhile manually relaxed mount options, this should not be undone. + + if [ ! "$option_force" == "true" ]; then + if [ -e "$status_file_full_path" ]; then + $output_command "INFO: '$mount_folder' already remounted earlier. Not remounting again. Use --force if this is what you want." + return 0 + fi + fi + + if ! test -d "$mount_folder" ; then + ## For example /boot/efi does not always exist on all systems. + $output_command "INFO: '$mount_folder' folder exists: no" + return 0 + fi + $output_command "INFO: '$mount_folder' folder exists: yes" + + if findmnt --noheadings "$mount_folder" >/dev/null ; then + $output_command "INFO: '$mount_folder' already mounted, therefore using remount." + $output_command INFO: Executing: mount --make-private --options "remount,${intended_mount_options}" "$mount_folder" + mount --make-private --options "remount,${intended_mount_options}" "$mount_folder" || exit_code=100 + else + $output_command "INFO: '$mount_folder' not yet mounted, therefore using mount bind." 
+ $output_command INFO: Executing: mount --make-private --options "$intended_mount_options" --bind "$mount_folder" "$mount_folder" + mount --make-private --options "$intended_mount_options" --bind "$mount_folder" "$mount_folder" || exit_code=101 + fi + + new_mount_options="$(findmnt --noheadings --output options -- "$mount_folder")" || true + $output_command "INFO: '$mount_folder' new_mount_options: '$new_mount_options'" + + touch "$status_file_full_path" +} + +_boot() { + mount_folder="$NEWROOT/boot" + ## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html + intended_mount_options="nosuid,nodev,noexec" + remount_secure +} + +_boot_efi() { + ## TODO: new, test + mount_folder="$NEWROOT/boot/efi" + intended_mount_options="nosuid,nodev,noexec" + remount_secure +} + +_run() { + mount_folder="/run" + ## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html + intended_mount_options="nosuid,nodev${most_noexec_maybe}" + remount_secure +} + +_dev() { + mount_folder="/dev" + ## /dev should be nosuid,noexec as per: + ## https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1991975 + intended_mount_options="nosuid,noexec" + remount_secure +} + +_dev_shm() { + mount_folder="/dev/shm" + intended_mount_options="nosuid,nodev${most_noexec_maybe}" + remount_secure +} + +_sys() { + ## TODO: new, test + mount_folder="/sys" + intended_mount_options="nosuid,nodev,noexec" + remount_secure +} + +_tmp() { + mount_folder="$NEWROOT/tmp" + intended_mount_options="nosuid,nodev${most_noexec_maybe}" + remount_secure +} + +_var_tmp() { + mount_folder="$NEWROOT/var/tmp" + intended_mount_options="nosuid,nodev${most_noexec_maybe}" + remount_secure +} + +_var_log() { + mount_folder="$NEWROOT/var/log" + intended_mount_options="nosuid,nodev,noexec" + remount_secure +} + +_var() { + mount_folder="$NEWROOT/var" + ## noexec: Not possible. Reason: + ## Debian stores executable maintainer scripts in /var/lib/dpkg/info folder. 
+ intended_mount_options="nosuid,nodev" + remount_secure +} + +_usr() { + ## TODO: new, test + mount_folder="$NEWROOT/usr" + intended_mount_options="nodev" + remount_secure +} + +_home() { + mount_folder="$NEWROOT/home" + intended_mount_options="nosuid,nodev${home_noexec_maybe}" + remount_secure +} + +_root() { + ## TODO: new, test + mount_folder="$NEWROOT/root" + intended_mount_options="nosuid,nodev${home_noexec_maybe}" + remount_secure +} + +_srv() { + ## TODO: new, test + mount_folder="$NEWROOT/srv" + intended_mount_options="nosuid,nodev${most_noexec_maybe}" + remount_secure +} + +_media() { + ## TODO: new, test + mount_folder="$NEWROOT/media" + intended_mount_options="nosuid,nodev${most_noexec_maybe}" + remount_secure +} + +_mnt() { + ## TODO: new, test + mount_folder="$NEWROOT/mnt" + intended_mount_options="nosuid,nodev${most_noexec_maybe}" + remount_secure +} + +_opt() { + ## TODO: new, test + mount_folder="$NEWROOT/opt" + ## Allow /opt exec as usually optional binaries are placed there such as Firefox + ## when manually installed from tarball. + intended_mount_options="nosuid,nodev" + remount_secure +} + +_etc() { + ## TODO: new, test + ## /etc cannot be noexec because various executables are there. To find, run: + ## sudo find /etc -executable + mount_folder="$NEWROOT/etc" + intended_mount_options="nosuid,nodev" + remount_secure +} + +end() { + ## Debugging. + #$output_command "INFO: 'findmnt --list' output at the END." + #$output_command "$(findmnt --list)" + + $output_command "" + $output_command "INFO: exit_code: $exit_code" + $output_command "$0: INFO: END" + exit $exit_code +} + +main() { + init + parse_options "$@" + preparation + + _boot + _boot_efi + _run + _dev + _dev_shm + _tmp + _var_tmp + _var_log + _var + _usr + _home + _root + _srv + _media + _mnt + _opt + _etc + + end +} + +## TODO: see also hidepid /usr/lib/systemd/system/proc-hidepid.service +#mount --options defaults,nosuid,nodev,noexec,remount,subset=pid /proc + +main "$@" 
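Review bot: remount_secure ends with an unconditional `touch "$status_file_full_path"`, so the status file is written even when the preceding `mount ... || exit_code=100` (or `exit_code=101`) failed. On the next run without --force the status file exists, the function logs "already remounted earlier. Not remounting again." and returns, and the mount point keeps its old options without the intended nosuid/nodev/noexec. Create the status file only when the mount call succeeded. Two smaller points: `_sys` is defined but never called from main, so either add it to the list or say in a comment that it is intentionally left out, and the `shift` after `exit 0` in the `0)` branch of parse_options is unreachable.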
diff --git a/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf b/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf new file mode 100644 index 0000000..3d0a483 --- /dev/null +++ b/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf @@ -0,0 +1,13 @@ +## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## MAC randomisation breaks root server and VirtualBox DHCP likely due to IPv6 Privacy Extensions. +## +## https://datatracker.ietf.org/doc/html/rfc4941 +## https://github.com/Kicksecure/security-misc/pull/145 +## https://github.com/Kicksecure/security-misc/issues/184 +## +## The use of IPv6 Privacy Extenstions is currently diasbled due to these breakages. + +#[connection] +#ipv6.ip6-privacy=2 diff --git a/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf b/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf new file mode 100644 index 0000000..8088591 --- /dev/null +++ b/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf @@ -0,0 +1,17 @@ +## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## MAC randomisation breaks root server and VirtualBox DHCP likely due to IPv6 Privacy Extensions. +## +## https://datatracker.ietf.org/doc/html/rfc4941 +## https://github.com/Kicksecure/security-misc/pull/145 +## https://github.com/Kicksecure/security-misc/issues/184 +## +## The use of IPv6 Privacy Extenstions is currently diasbled due to these breakages. + +#[device-mac-randomization] +#wifi.scan-rand-mac-address=yes + +#[connection-mac-randomization] +#ethernet.cloned-mac-address=random +#wifi.cloned-mac-address=random diff --git a/usr/lib/dracut/modules.d-disabled/20remount-secure/module-setup.sh b/usr/lib/dracut/modules.d-disabled/20remount-secure/module-setup.sh new file mode 100755 index 0000000..8917091 --- /dev/null +++ b/usr/lib/dracut/modules.d-disabled/20remount-secure/module-setup.sh 
@@ -0,0 +1,44 @@ +#!/bin/bash + +## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +# called by dracut +check() { + ## For debugging only. + ## Saving space in initial ramdisk. + #require_binaries id || return 1 + #require_binaries env || return 1 + + require_binaries findmnt || return 1 + require_binaries touch || return 1 + require_binaries grep || return 1 + require_binaries mount || return 1 + require_binaries remount-secure || return 1 + return 0 +} + +# called by dracut +depends() { + return 0 +} + +# called by dracut +install() { + ## For debugging only. + ## Saving space in initial ramdisk. + #inst_multiple id + #inst_multiple env + + inst_multiple findmnt + inst_multiple touch + inst_multiple grep + inst_multiple mount + inst_multiple remount-secure + inst_hook cleanup 90 "$moddir/remount-secure.sh" +} + +# called by dracut +installkernel() { + return 0 +} diff --git a/usr/lib/dracut/modules.d-disabled/20remount-secure/remount-secure.sh b/usr/lib/dracut/modules.d-disabled/20remount-secure/remount-secure.sh new file mode 100755 index 0000000..0e0a0c1 --- /dev/null +++ b/usr/lib/dracut/modules.d-disabled/20remount-secure/remount-secure.sh @@ -0,0 +1,23 @@ +#!/bin/sh + +## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## This script is intended to remount specified mount points with more secure +## options based on kernel command line parameters. + +remount_hook() { + local remountsecure_action + ## getarg returns the last parameter only. + ## If /proc/cmdline contains 'remountsecure=0 remountsecure=1' the last one wins. + remountsecure_action=$(getarg remountsecure) + + if ! remount-secure $remountsecure_action; then + warn "$0: ERROR: 'remount-secure $remountsecure_action' failed." + return 1 + fi + info "$0: INFO: 'remount-secure $remountsecure_action' success." + return 0 +} + +remount_hook 
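Review bot: In remount_hook, `remount-secure $remountsecure_action` passes the value taken from the kernel command line unquoted, so it goes through word splitting and pathname expansion, and when getarg yields nothing the script is called with no argument, which parse_options in remount-secure treats as a syntax error and exits 1, so the hook reports a failure whenever the remountsecure parameter is absent. Handle the empty case explicitly (skip the call or fall back to a documented level) and then quote the expansion as `remount-secure "$remountsecure_action"`. The function also uses `local` under a `#!/bin/sh` shebang, which is not POSIX; a comment stating that the dracut shell is assumed to support it would help.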
diff --git a/usr/lib/issue.d/20_security-misc.issue b/usr/lib/issue.d/20_security-misc.issue new file mode 100644 index 0000000..d03f39b --- /dev/null +++ b/usr/lib/issue.d/20_security-misc.issue @@ -0,0 +1,2 @@ +By continuing, you acknowledge and give consent that the owner of this system has a right to keep a log of all activity. +Unauthorized access is strictly prohibited and may result in legal action. Do not proceed! diff --git a/usr/lib/modules-load.d/30_security-misc.conf b/usr/lib/modules-load.d/30_security-misc.conf index 02dc5f0..6ee13ca 100644 --- a/usr/lib/modules-load.d/30_security-misc.conf +++ b/usr/lib/modules-load.d/30_security-misc.conf @@ -1,7 +1,7 @@ -## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. -## https://www.whonix.org/wiki/Dev/Entropy +## https://www.kicksecure.com/wiki/Dev/Entropy ## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927972 ## https://forums.whonix.org/t/jitterentropy-rngd/7204 jitterentropy_rng diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf b/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf new file mode 100644 index 0000000..f1e873f --- /dev/null +++ b/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf @@ -0,0 +1,8 @@ +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +/usr/bin/bwrap exactwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf b/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf new file mode 100644 index 0000000..bdb2b2a --- /dev/null +++ b/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf 
@@ -0,0 +1,17 @@ +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +## Chrome/Chromium now uses namespace-based sandboxing rather than a SUID +## sandbox for most use cases, and while the SUID sandbox is still technically +## supported [1], it's also virtually unused [2]. Chromium still works fine +## when it is stripped of its SUID bit and rendered no longer executable, +## and opening `chrome://sandbox` while in this state shows that sandboxing is +## still working perfectly fine. +## +## [1] https://chromium.googlesource.com/chromium/src/+/0e94f26e8/docs/linux_sandboxing.md +## [2] https://chromium.googlesource.com/chromium/src/+/0e94f26e8/docs/linux_suid_sandbox.md +#chrome-sandbox matchwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf b/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf new file mode 100644 index 0000000..4b455ae --- /dev/null +++ b/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf @@ -0,0 +1,16 @@ +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +## Needed for D-Bus system activation to work. +## https://dbus.freedesktop.org/doc/system-activation.txt +## +## May be vital for desktop features to work normally. +## +## Appears to have been designed with security in mind and can only be called +## by root or a user in the `messagebus` group (which currently has one member, +## namely user `messagebus`). +dbus-daemon-launch-helper matchwhitelist 
diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf b/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf new file mode 100644 index 0000000..e3441e1 --- /dev/null +++ b/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf @@ -0,0 +1,11 @@ +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +## There is a controversy about firejail but those who choose to install it +## should be able to use it. +## https://www.kicksecure.com/wiki/Dev/Firejail#Security +/usr/bin/firejail exactwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf b/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf new file mode 100644 index 0000000..084510c --- /dev/null +++ b/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf @@ -0,0 +1,17 @@ +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +## Critical component of FUSE (Filesystem in USErspace) +## +## Used by things such as: +## - AppImages +## - such as electrum Bitcoin wallet +## - Docker +## If not SUID, unprivileged users will be unable to use FUSE any longer. +## +## https://forums.whonix.org/t/disable-suid-binaries/7706/57 +/fusermount matchwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf b/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf new file mode 100644 index 0000000..acf20b6 --- /dev/null 
+++ b/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf @@ -0,0 +1,9 @@ +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +libhardened_malloc.so matchwhitelist +libhardened_malloc-light.so matchwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf b/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf new file mode 100644 index 0000000..ac5e9d1 --- /dev/null +++ b/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf @@ -0,0 +1,17 @@ +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +## https://forums.whonix.org/t/disable-suid-binaries/7706/61 +## Protect from 'chmod -x' (and SUID removal). +## SUID will be removed below in separate step. +/usr/bin/mount exactwhitelist +/usr/bin/umount exactwhitelist + +## Remove SUID from 'mount' but keep executable. +## https://forums.whonix.org/t/disable-suid-binaries/7706/61 +/usr/bin/mount 755 root root +/usr/bin/umount 755 root root diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf b/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf new file mode 100644 index 0000000..b787e5f --- /dev/null +++ b/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf 
@@ -0,0 +1,22 @@ +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +## Used by the pam_tmpdir module to create a secure temporary directory for the +## user that is logging in. +## https://manpages.ubuntu.com/manpages/oracular/man8/pam-tmpdir-helper.8.html +## Apparently specific to Debian, there isn't actually any Git repo with this +## code in it, it's just a "floating" package in the Debian archive. Written by +## the same person who maintains the package. Almost certainly cannot be +## disabled without causing serious problems, but may be worth auditing. +## (Worthy of note, it doesn't seem this program takes any user input, but +## relies solely on the calling user's UID and GID, though this could require +## further review.) +## +## Without this, Xfce fails to start with a dbus-launch error. +## +## TODO: audit pam-tmpdir-helper +pam-tmpdir-helper matchwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf b/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf new file mode 100644 index 0000000..e7bc816 --- /dev/null +++ b/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf 
@@ -0,0 +1,15 @@ +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +# Keep the `passwd` utility executable to prevent issues with the +# /usr/libexec/security-misc/pam-abort-on-locked-password script blocking +# user logins with `su` and KScreenLocker. exactwhitelist is needed to keep +# the nosuid rule on /usr/bin from fighting with these rules. +# +# See also: https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#passwd +/usr/bin/passwd exactwhitelist +/usr/bin/passwd 0755 root root diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf b/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf new file mode 100644 index 0000000..de20400 --- /dev/null +++ b/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf 
@@ -0,0 +1,27 @@ +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +## user-sysmaint-split hardens this further. +/usr/bin/pkexec exactwhitelist +/usr/bin/pkexec.security-misc-orig exactwhitelist + +## Required for PolicyKit (Polkit) to function. +## +## https://polkit-devel.freedesktop.narkive.com/zXO4yEg7/documentation-on-polkit-agent-helper-1-and-suid# +## https://gitlab.freedesktop.org/polkit/polkit/-/issues/168 +## https://cgit.freedesktop.org/polkit/tree/src/polkitagent/polkitagenthelper-pam.c#n93 +## +## Changing permissions here may break more than just normal privilege escalation. +## May be safe to disable for users other than sysmaint similar to what was done with pkexec and sudo, +## however even that might not be safe. +## +## matches both: +## - /usr/lib/policykit-1/polkit-agent-helper-1 +## - /lib/policykit-1/polkit-agent-helper-1 +## +## user-sysmaint-split hardens this further. +polkit-agent-helper-1 matchwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf b/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf new file mode 100644 index 0000000..bf76069 --- /dev/null +++ b/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf @@ -0,0 +1,10 @@ +## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +## TODO: research and document +postqueue matchwhitelist +postdrop matchwhitelist 
diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf b/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf new file mode 100644 index 0000000..40f9b59 --- /dev/null +++ b/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf @@ -0,0 +1,24 @@ +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +## TODO: research +## https://github.com/QubesOS/qubes-core-agent-linux/blob/master/qubes-rpc/qfile-unpacker.c +## +## Historic Qubes upstream security issue: +## qfile-unpacker allows unprivileged users in VMs to gain root privileges +## https://github.com/QubesOS/qubes-issues/issues/8633 +## +## matches both: +## - /usr/lib/qubes/qfile-unpacker whitelist +## - Not bit-for-bit identical to /usr/lib/qubes/qfile-unpacker. +## - Stripping SUID from this does *not* break file copying. +## - TODO: further reserach required on its purpose +## - /usr/bin/qfile-unpacker +## - Appears to be an integral part of file transfer between qubes, stripping +## SUID from this in an AppVM results in that AppVM being unable to receive +## files any longer. (It can still send files to other qubes though.) +qfile-unpacker matchwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf b/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf new file mode 100644 index 0000000..62d3198 --- /dev/null +++ b/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf 
@@ -0,0 +1,9 @@ +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +## TODO: research and document +/utempter/utempter matchwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf b/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf new file mode 100644 index 0000000..5b79059 --- /dev/null +++ b/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf @@ -0,0 +1,9 @@ +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +## TODO: research and document +spice-client-glib-usb-acl-helper matchwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf b/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf new file mode 100644 index 0000000..2b55bd2 --- /dev/null +++ b/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf 
@@ -0,0 +1,21 @@ +## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +## Used for SSH client key management +## https://manpages.debian.org/bookworm/openssh-client/ssh-agent.1.en.html +## Debian installs ssh-agent with setgid permissions (2755) and with +## _ssh as the group to help mitigate ptrace attacks that could extract +## private keys from the agent's memory. +ssh-agent matchwhitelist + +## Used only for SSH host-based authentication +## https://linux.die.net/man/8/ssh-keysign +## Needed to allow access to the machine's host key for use in the +## authentication process. This is a non-default method of authenticating to +## SSH, and is likely rarely used, thus this should be safe to disable. +#ssh-keysign matchwhitelist +#/usr/lib/openssh matchwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf b/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf new file mode 100644 index 0000000..e15b265 --- /dev/null +++ b/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf @@ -0,0 +1,9 @@ +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +## user-sysmaint-split hardens this further. +/usr/bin/sudo exactwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf b/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf new file mode 100644 index 0000000..1faf380 --- /dev/null +++ b/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf 
@@ -0,0 +1,10 @@ +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +## required for performing password validation from unprivileged user +## processes such as KScreenLocker's unlock prompt +/usr/sbin/unix_chkpwd exactwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf b/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf new file mode 100644 index 0000000..76c2eee --- /dev/null +++ b/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf @@ -0,0 +1,15 @@ +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +## TODO: research +/usr/lib/virtualbox/ matchwhitelist +VirtualBoxVM matchwhitelist +VBoxSDL matchwhitelist +VBoxNetNAT matchwhitelist +VBoxNetDHCP matchwhitelist +VBoxHeadless matchwhitelist +VBoxNetAdpCtl matchwhitelist diff --git a/usr/lib/permission-hardener.d/30_default.conf b/usr/lib/permission-hardener.d/30_default.conf new file mode 100644 index 0000000..27605d9 --- /dev/null +++ b/usr/lib/permission-hardener.d/30_default.conf 
@@ -0,0 +1,122 @@ +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +## File permission hardening. +## +## Syntax: +## [filename] [mode] [owner] [group] [capability] +## [filename] [exactwhitelist|matchwhitelist|disablewhitelist|nosuid] +## +## TODO: white spaces inside file name untested and probably will not work. + +###################################################################### +# Global Settings +###################################################################### + +#whitelists_disable_all=true + +###################################################################### +# SUID disables below (or in lexically higher) files: disablewhitelist +###################################################################### + +## For example, if you are not using SELinux the following might make sense to +## enable. TODO: research +#/utempter/utempter disablewhitelist + +## If you are not going to use AppImages such as electrum Bitcoin wallet. +#/fusermount disablewhitelist + +###################################################################### +# SUID whitelist matches full path: exactwhitelist +###################################################################### + +## In case you need to use 'su'. 
See also: +## https://www.kicksecure.com/wiki/root#su +#/usr/bin/su exactwhitelist + +## https://manpages.debian.org/xserver-xorg-legacy/Xorg.wrap.1.en.html +## https://lwn.net/Articles/590315/ +## https://forums.whonix.org/t/suid-disabler-and-permission-hardener/7706/35 +#/usr/lib/xorg/Xorg.wrap whitelist + +###################################################################### +# SUID whitelist matches in any section of the path: matchwhitelist +###################################################################### + +## Examples below are already configured: +#ssh-agent matchwhitelist +#/usr/lib/openssh matchwhitelist + +###################################################################### +# Permission Hardening +###################################################################### + +/home/ 0755 root root +/root/ 0700 root root +/boot/ 0700 root root +/etc/permission-hardener.d 0600 root root +/usr/local/etc/permission-hardener.d 0600 root root +/usr/lib/modules/ 0700 root root +/usr/src 0700 root root +/etc/cups/cupsd.conf 0400 root root +/etc/syslog.conf 0600 root root +/etc/ssh/sshd_config 0600 root root +/etc/crontab 0600 root root +/etc/cron.d 0700 root root +/etc/cron.daily 0700 root root +/etc/sudoers.d 0700 root root +/etc/cron.hourly 0700 root root +/etc/cron.weekly 0700 root root +/etc/cron.monthly 0700 root root +/etc/group 0644 root root +/etc/group- 0644 root root +/etc/hosts.allow 0644 root root +/etc/hosts.deny 0644 root root +/etc/issue 0644 root root +/etc/issue.net 0644 root root +/etc/motd 0644 root root +/etc/passwd 0644 root root +/etc/passwd- 0644 root root + +###################################################################### +# SUID/SGID Removal: nosuid +###################################################################### + +## To remove all SUID/SGID binaries in a directory, you can use the "nosuid" +## argument. +## +## Remove all SUID/SGID binaries/libraries. 
+ +/opt/ nosuid +/usr/bin/ nosuid +/usr/lib32/ nosuid +/usr/lib64/ nosuid +/usr/lib/ nosuid +/usr/local/bin/ nosuid +/usr/local/lib32/ nosuid +/usr/local/lib64/ nosuid +/usr/local/lib/ nosuid +/usr/local/opt/ nosuid +/usr/local/sbin/ nosuid +/usr/local/usr/bin/ nosuid +/usr/local/usr/lib32/ nosuid +/usr/local/usr/lib64/ nosuid +/usr/local/usr/lib/ nosuid +/usr/local/usr/sbin/ nosuid +/usr/sbin/ nosuid + +###################################################################### +# Capability Removal +###################################################################### + +## Ping doesn't work with Tor anyway so its capabilities are removed to +## reduce attack surface. +## anon-apps-config does this. +#/usr/bin/ping 0744 root root none + +## TODO: research +#/usr/lib/x86_64-linux-gnu/gstreamer1.0/grstreamer-1.0/gst-ptp-helper 0744 root root none diff --git a/usr/lib/security-misc/apt-get-update b/usr/lib/security-misc/apt-get-update deleted file mode 100755 index d1c6772..0000000 --- a/usr/lib/security-misc/apt-get-update +++ /dev/null @@ -1,32 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -sigterm_trap() { - if [ "$lastpid" = "" ]; then - exit 143 - fi - ps -p "$lastpid" >/dev/null 2>&1 - if [ ! "$?" = "0" ]; then - ## Already terminated. - exit 143 - fi - kill -s sigterm "$lastpid" - exit 143 -} - -trap "sigterm_trap" SIGTERM SIGINT - -timeout_after="240" -kill_after="10" - -timeout \ - --kill-after="$kill_after" \ - "$timeout_after" \ - /usr/lib/security-misc/apt-get-wrapper update & - -lastpid="$!" -wait "$lastpid" - -exit "$?" diff --git a/usr/lib/security-misc/apt-get-update-sanity-test b/usr/lib/security-misc/apt-get-update-sanity-test deleted file mode 100755 index 6e30381..0000000 --- a/usr/lib/security-misc/apt-get-update-sanity-test +++ /dev/null 
@@ -1,11 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -set -x -set -e -set -o pipefail - -wc -L "/var/lib/apt/lists/"*InRelease -wc -L "/var/lib/apt/lists/"*InRelease | awk '$1 > 1024 {print; exit 1}' diff --git a/usr/lib/security-misc/apt-get-wrapper b/usr/lib/security-misc/apt-get-wrapper deleted file mode 100755 index b3b60ad..0000000 --- a/usr/lib/security-misc/apt-get-wrapper +++ /dev/null @@ -1,50 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -set -e -set -o pipefail -set -o errtrace - -cleanup() { - if [ -d "$temp_dir" ]; then - rm --recursive --force "$temp_dir" - fi -} - -temp_dir="$(mktemp --directory)" -logfile="$temp_dir/log" - -trap "cleanup" EXIT - -apt_get_exit_code="0" - -## Thanks to: -## dmw -## http://stackoverflow.com/a/26263980/2605155 -## for the python way to create a pty. - -python -c 'import pty, sys; pty.spawn(sys.argv[1:])' \ - | apt-get "$@" 2>&1 \ - | tee -a "$logfile" \ - || { apt_get_exit_code="$?"; true; }; - -if [ ! "$apt_get_exit_code" = "0" ]; then - exit "$apt_get_exit_code" -fi - -log="$(cat "$logfile")" - -while read -r -d $'\n' line; do - line_lower_case="${line,,}" - first_two="${line_lower_case:0:2}" - if [ "$first_two" = "e:" ]; then - exit 125 - fi - if [ "$first_two" = "w:" ]; then - exit 125 - fi -done < <( echo "$log" ) - -exit "$apt_get_exit_code" diff --git a/usr/lib/security-misc/hide-hardware-info b/usr/lib/security-misc/hide-hardware-info deleted file mode 100755 index 2c8e075..0000000 --- a/usr/lib/security-misc/hide-hardware-info +++ /dev/null 
@@ -1,78 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -set -e - -sysfs_whitelist=1 -cpuinfo_whitelist=1 - -shopt -s nullglob - -## Allows for disabling the whitelist. -for i in /etc/hide-hardware-info.d/*.conf -do - bash -n "${i}" - source "${i}" -done - -create_whitelist() { - if [ "${1}" = "sysfs" ]; then - whitelist_path="/sys" - elif [ "${1}" = "cpuinfo" ]; then - whitelist_path="/proc/cpuinfo" - else - echo "ERROR: ${1} is not a correct parameter." - exit 1 - fi - - if grep -q "${1}" /etc/group; then - ## Changing the permissions of /sys recursively - ## causes errors as the permissions of /sys/kernel/debug - ## and /sys/fs/cgroup cannot be changed. - chgrp -fR "${1}" "${whitelist_path}" || true - - chmod o-rwx "${whitelist_path}" - else - echo "ERROR: The ${1} group does not exist, the ${1} whitelist was not created." - fi -} - -## sysfs and debugfs expose a lot of information -## that should not be accessible by an unprivileged -## user which includes hardware info, debug info and -## more. This restricts /sys, /proc/cpuinfo, /proc/bus -## and /proc/scsi to the root user only. This hides -## many hardware identifiers from ordinary users -## and increases security. -for i in /proc/cpuinfo /proc/bus /proc/scsi /sys -do - if [ -e "${i}" ]; then - if [ "${i}" = "/sys" ]; then - ## Whitelist for /sys. - if [ "${sysfs_whitelist}" = "1" ]; then - create_whitelist sysfs - else - chmod og-rwx /sys - echo "INFO: The sysfs whitelist is not enabled. Some things may not work properly." - fi - elif [ "${i}" = "/proc/cpuinfo" ]; then - ## Whitelist for /proc/cpuinfo. - if [ "${cpuinfo_whitelist}" = "1" ]; then - create_whitelist cpuinfo - else - chmod og-rwx /proc/cpuinfo - echo "INFO: The cpuinfo whitelist is not enabled. Some things may not work properly." - fi - else - chmod og-rwx "${i}" - fi - else - ## /proc/scsi doesn't exist on Debian so errors - ## are expected here. - if ! 
[ "${i}" = "/proc/scsi" ]; then - echo "ERROR: ${i} could not be found." - fi - fi -done diff --git a/usr/lib/security-misc/pam-abort-on-locked-password b/usr/lib/security-misc/pam-abort-on-locked-password deleted file mode 100755 index fcd5b23..0000000 --- a/usr/lib/security-misc/pam-abort-on-locked-password +++ /dev/null @@ -1,19 +0,0 @@ -#!/bin/bash - -if [ "$(passwd -S "$PAM_USER" | cut -d ' ' -f 2)" = "P" ]; then - true "INFO: Password not locked." -else - echo "$0: ERROR: Password for user \"$PAM_USER\" is locked." >&2 - - if [ -f /usr/share/whonix/marker ] || [ -f /usr/share/kicksecure/marker ]; then - if [ "$PAM_USER" = "root" ]; then - echo "$0: ERROR: root account is locked by default. See:" >&2 - echo "https://www.whonix.org/wiki/root" >&2 - echo "" >&2 - fi - fi - - exit 1 -fi - -exit 0 diff --git a/usr/lib/security-misc/pam_tally2-info b/usr/lib/security-misc/pam_tally2-info deleted file mode 100755 index a392f7b..0000000 --- a/usr/lib/security-misc/pam_tally2-info +++ /dev/null 
@@ -1,163 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -grep_result="$(grep "accessfile=/etc/security/access-security-misc.conf" /etc/pam.d/common-account 2>/dev/null)" - -if ! echo "$grep_result" | grep -q "#" ; then - ## https://forums.whonix.org/t/etc-security-hardening-console-lockdown/8592 - - if [ "$PAM_SERVICE" = "sshd" ]; then - if id --name --groups --zero "$PAM_USER" | grep --quiet --null-data --line-regexp --fixed-strings "ssh"; then - ssh_allowed=true - fi - if [ ! "$ssh_allowed" = "true" ]; then - echo "$0: ERROR: PAM_USER: '$PAM_USER' is not a member of group 'ssh'" >&2 - echo "$0: To unlock, run the following command as superuser:" >&2 - echo "$0: (If you still have a sudo/root shell somewhere.)" >&2 - echo "" >&2 - echo "addgroup $PAM_USER ssh" >&2 - echo "" >&2 - echo "$0: However, possibly unlock procedure is required." >&2 - echo "$0: First boot into recovery mode at grub boot menu and then run above command." >&2 - echo "$0: See also:" >&2 - echo "https://www.whonix.org/wiki/root#ssh" >&2 - echo "" >&2 - exit 0 - fi - fi - - if id --name --groups --zero "$PAM_USER" | grep --quiet --null-data --line-regexp --fixed-strings "console"; then - console_allowed=true - fi - if id --name --groups --zero "$PAM_USER" | grep --quiet --null-data --line-regexp --fixed-strings "console-unrestricted"; then - console_allowed=true - fi - if [ ! "$console_allowed" = "true" ]; then - echo "$0: ERROR: PAM_USER: '$PAM_USER' is not a member of group 'console'" >&2 - echo "$0: To unlock, run the following command as superuser:" >&2 - echo "$0: (If you still have a sudo/root shell somewhere.)" >&2 - echo "" >&2 - echo "addgroup $PAM_USER console" >&2 - echo "" >&2 - echo "$0: However, possibly unlock procedure is required." >&2 - echo "$0: First boot into recovery mode at grub boot menu and then run above command." 
>&2 - echo "$0: See also:" >&2 - echo "https://www.whonix.org/wiki/root#console" >&2 - echo "" >&2 - exit 0 - fi -fi - -## https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698 - -if [ ! "$(id -u)" = "0" ]; then - ## as user "user" - ## /sbin/pam_tally2 -u user - ## pam_tally2: Error opening /var/log/tallylog for update: Permission denied - ## /sbin/pam_tally2: Authentication error - ## - ## xscreensaver runs as user "user", therefore pam_tally2 cannot function. - ## xscreensaver has its own failed login counter. - ## - ## https://askubuntu.com/questions/983183/how-lock-the-unlock-screen-after-wrong-password-attempts - ## - ## https://www.whonix.org/pipermail/whonix-devel/2019-September/001439.html - true "$0: not started as root, exiting." - exit 0 -fi - -## Does not work (yet) for login, pam_securetty runs before and aborts. -## Also this should only run for login since securetty covers only login. -# if [ "$PAM_USER" = "root" ]; then -# if [ -f /etc/securetty ]; then -# grep_result="$(grep "^[^#]" /etc/securetty)" -# if [ "$grep_result" = "" ]; then -# echo "$0: ERROR: Root login is disabled." >&2 -# echo "$0: ERROR: This is because /etc/securetty is empty." >&2 -# echo "$0: See also:" >&2 -# echo "https://www.whonix.org/wiki/root#login" >&2 -# echo "" >&2 -# exit 0 -# fi -# fi -# fi - -pam_tally2_output="$(pam_tally2 --user "$PAM_USER")" - -if [ "$pam_tally2_output" = "" ]; then - true "$0: no failed login" - exit 0 -fi - -## Example: -#Login Failures Latest failure From -#user 0 - -pam_tally2_output_last_line="$(echo "$pam_tally2_output" | tail -1)" -## Example: -#user 0 - -arr=($pam_tally2_output_last_line) -user_name="${arr[0]}" -failed_login_counter="${arr[1]}" - -if [ ! "$PAM_USER" = "$user_name" ]; then - echo "$0: ERROR: PAM_USER: '$PAM_USER' does not equal user_name: '$user_name'." >&2 - echo "$0: ERROR: Please report this bug." 
>&2 - echo "" >&2 - exit 0 -fi - -if [ "$failed_login_counter" = "0" ]; then - true "$0: INFO: Failed login counter is 0, ok." - exit 0 -fi - -deny_line="$(cat /etc/pam.d/common-auth | grep deny=)" -## Example: -#auth requisite pam_tally2.so even_deny_root deny=50 onerr=fail audit debug - -for word in $deny_line ; do - if echo "$word" | grep -q "deny=" ; then - deny="$(echo "$word" | cut -d "=" -f 2)" - break - fi -done - -if [[ "$deny" == *[!0-9]* ]]; then - echo "$0: ERROR: deny is not numeric." >&2 - echo "$0: ERROR: Please report this bug." >&2 - echo "" >&2 - exit 0 -fi - -remaining_attempts="$(( $deny - $failed_login_counter ))" - -if [ "$remaining_attempts" -le "0" ]; then - echo "$0: ERROR: Login blocked after $failed_login_counter attempts." >&2 - echo "$0: To unlock, run the following command as superuser:" >&2 - echo "$0: (If you still have a sudo/root shell somewhere.)" >&2 - echo "" >&2 - echo "pam_tally2 --quiet -r --user $PAM_USER" >&2 - echo "" >&2 - echo "$0: However, most likely unlock procedure is required." >&2 - echo "$0: First boot into recovery mode at grub boot menu and then run above command." >&2 - echo "$0: See also:" >&2 - echo "https://www.whonix.org/wiki/root#unlock" >&2 - echo "" >&2 - exit 0 -fi - -echo "$0: WARNING: $failed_login_counter failed login attempts." >&2 -echo "$0: Login will be blocked after $deny attempts." >&2 -echo "$0: You have $remaining_attempts more attempts before unlock procedure is required." >&2 -echo "" >&2 - -if [ "$PAM_SERVICE" = "su" ]; then - echo "$0: NOTE: Type the password. When entering the password, no password feedback (no asterisk (\"*\") symbol) will be shown." >&2 - echo "" >&2 -fi - -exit 0 diff --git a/usr/lib/security-misc/panic-on-oops b/usr/lib/security-misc/panic-on-oops deleted file mode 100755 index ed59cf6..0000000 --- a/usr/lib/security-misc/panic-on-oops +++ /dev/null 
@@ -1,18 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -set -e - -if [ -f /usr/lib/helper-scripts/pre.bsh ]; then - ## pre.bsh would `source` the following folders: - ## /etc/panic-on-oops_pre.d/*.conf - ## /usr/local/etc/panic-on-oops_pre.d/*.conf - source /usr/lib/helper-scripts/pre.bsh -fi - -## Makes the kernel panic on oopses. This prevents the kernel -## from continuing to run a flawed processes. Many kernel exploits -## will also cause an oops which this will make the kernel kill. -sysctl kernel.panic_on_oops=1 diff --git a/usr/lib/security-misc/permission-hardening b/usr/lib/security-misc/permission-hardening deleted file mode 100755 index 478a1dc..0000000 --- a/usr/lib/security-misc/permission-hardening +++ /dev/null 
@@ -1,259 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## https://forums.whonix.org/t/permission-hardening/8655 -## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707 - -#set -x -set -e - -exit_code=0 - -echo_wrapper() { - echo "run: $@" - "$@" || echo "ERROR: above command failed!" >&2 -} - -add_nosuid_statoverride_entry() { - fso_to_process="${fso_without_trailing_slash}/" - should_be_counter="$(find "$fso_to_process" -perm /u=s,g=s | wc -l)" - counter_actual=0 - - while read -r line; do - true "line: $line" - counter_actual="$(( counter_actual + 1 ))" - - arr=($line) - - file_name="${arr[0]}" - existing_mode="${arr[1]}" - owner="${arr[2]}" - group="${arr[3]}" - - if [ "$file_name" = "" ]; then - echo "ERROR: file_name is empty. line: '$line'" >&2 - continue - fi - if [ "$existing_mode" = "" ]; then - echo "ERROR: existing_mode is empty. line: '$line'" >&2 - continue - fi - if [ "owner" = "" ]; then - echo "ERROR: $owner is empty. line: '$line'" >&2 - continue - fi - if [ "$group" = "" ]; then - echo "ERROR: $group is empty. line: '$line'" >&2 - continue - fi - - ## -h file True if file is a symbolic Link. - ## -u file True if file has its set-user-id bit set. - ## -g file True if file has its set-group-id bit set. 
- - if test -h "$file_name" ; then - ## https://forums.whonix.org/t/kernel-hardening/7296/323 - true "skip symlink: $file_name" - continue - fi - - setuid="" - setuid_output="" - if test -u "$file_name" ; then - setuid=true - setuid_output="set-user-id" - fi - setguid="" - setguid_output="" - if test -g "$file_name"; then - setguid=true - setguid_output="set-group-id" - fi - - if [ "$setuid" = "true" ] || [ "$setguid" = "true" ]; then - string_length_of_existing_mode="${#existing_mode}" - if [ "$string_length_of_existing_mode" = "4" ]; then - new_mode="${existing_mode:1}" - else - new_mode="$existing_mode" - fi - -## Remove 'others' / 'group' execution ('chmod og-x /path/to/binary') rights for better usability? -## Make binaries such as 'su' fail closed rather than fail open if suid was removed from these? -## Are there suid or guid binaries which are still useful if suid / guid has been removed from these? -## https://forums.whonix.org/t/permission-hardening/8655/10 -# if [ "$new_mode" = "755" ]; then -# new_mode=744 -# fi -# if [ "$new_mode" = "754" ]; then -# new_mode=744 -# fi -# if [ "$new_mode" = "745" ]; then -# new_mode=744 -# fi - - is_whitelisted="" - for white_list_entry in $whitelist ; do - if [ "$file_name" = "$white_list_entry" ]; then - is_whitelisted="true" - ## Stop looping through the whitelist. - break - fi - done - - if [ "$is_whitelisted" = "true" ]; then - echo "INFO: SKIP whitelisted - $setuid_output $setguid_output found - file_name: '$file_name' | existing_mode: '$existing_mode'" - continue - fi - - echo "INFO: $setuid_output $setguid_output found - file_name: '$file_name' | existing_mode: '$existing_mode' | new_mode: '$new_mode'" - - ## No need to check "dpkg-statoverride --list" for existing entries. - ## If existing_mode was correct already, we would not have reached this point. - ## Since existing_mode is incorrect, remove from dpkg-statoverride and re-add. 
- echo_wrapper dpkg-statoverride --remove "$file_name" || true - echo_wrapper dpkg-statoverride --add --update "$owner" "$group" "$new_mode" "$file_name" - fi - - ## /lib will hit ARG_MAX. - ## That was before using '-perm /u=s,g=s'. - ## https://forums.whonix.org/t/kernel-hardening/7296/326 - done < <( find "$fso_to_process" -perm /u=s,g=s -print0 | xargs -I{} -0 stat -c "%n %a %U %G" {} ) - - ## Sanity test. - if [ ! "$should_be_counter" = "$counter_actual" ]; then - echo "INFO: fso_to_process: '$fso_to_process' | counter_actual : '$counter_actual'" - echo "INFO: fso_to_process: '$fso_to_process' | should_be_counter: '$should_be_counter'" - exit_code=202 - echo "ERROR: counter does not check out." >&2 - fi -} - -set_file_perms() { - while read -r line; do - if [ "$line" = "" ]; then - continue - fi - - if [[ "$line" =~ ^# ]]; then - continue - fi - - if [[ "$line" =~ [0-9a-zA-Z/] ]]; then - true OK - else - exit_code=200 - echo "ERROR: cannot parse line with invalid character: $line" >&2 - continue - fi - - if ! read -r fso mode_from_config owner group capability <<< "$line" ; then - exit_code=201 - echo "ERROR: cannot parse line: $line" >&2 - continue - fi - - fso_without_trailing_slash="${fso%/}" - - if [ "$mode_from_config" = "whitelist" ]; then - whitelist+="$fso_without_trailing_slash " - continue - fi - - if ! [ -e "$fso" ]; then - echo "INFO: fso: '$fso' - does not exist. This is likely normal." - continue - fi - - ## Use dpkg-statoverride so permissions are not reset during upgrades. - - nosuid="" - if [ "$mode_from_config" = "nosuid" ]; then - nosuid="true" - - ## If mode_from_config is "nosuid" the config does not set owner and - ## group. Therefore do not enforce owner/group check. - - add_nosuid_statoverride_entry - else - string_length_of_mode_from_config="${#mode_from_config}" - if [ "$string_length_of_mode_from_config" -gt "4" ]; then - echo "ERROR: Mode '$mode_from_config' is invalid!" 
>&2 - continue - fi - if [ "$string_length_of_mode_from_config" -lt "3" ]; then - echo "ERROR: Mode '$mode_from_config' is invalid!" >&2 - continue - fi - - if ! getent passwd | grep -q "^${owner}:"; then - echo "ERROR: User '$owner' does not exist!" >&2 - continue - fi - - if ! getent group | grep -q "^${group}:"; then - echo "ERROR: Group '$group' does not exist!" >&2 - continue - fi - - mode_for_grep="$mode_from_config" - first_character_of_mode_from_config="${mode_from_config::1}" - if [ "$first_character_of_mode_from_config" = "0" ]; then - ## Remove leading '0'. - mode_for_grep="${mode_from_config:1}" - fi - - ## Check there is an entry for the fso. - ## - ## example: dpkg-statoverride --list | grep /home - ## output: - ## root root 755 /home - ## - ## dpkg-statoverride does not show leading '0'. - if dpkg-statoverride --list | grep -q "$fso_without_trailing_slash"; then - ## There is an fso entry. Check if owner/group/mode match. - if dpkg-statoverride --list | grep -q "$owner $group $mode_for_grep $fso_without_trailing_slash"; then - ## The owner/group/mode matches. No further action required. - true OK - else - ## The owner/group/mode do not match, therefore remove and re-add the entry to update it. - ## fso_without_trailing_slash instead of fso to prevent - ## "dpkg-statoverride: warning: stripping trailing /" - echo_wrapper dpkg-statoverride --remove "$fso_without_trailing_slash" - echo_wrapper dpkg-statoverride --add --update "$owner" "$group" "$mode_from_config" "$fso_without_trailing_slash" - fi - else - ## There is no fso entry. Therefore add one. - echo_wrapper dpkg-statoverride --add --update "$owner" "$group" "$mode_from_config" "$fso_without_trailing_slash" - fi - fi - - if [ "$capability" = "" ]; then - continue - fi - - if [ "$capability" = "none" ]; then - echo_wrapper setcap -r "$fso" - else - if ! capsh --print | grep "Bounding set" | grep -q "$capability"; then - echo "ERROR: Capability '$capability' does not exist!" 
>&2 - continue - fi - - echo_wrapper setcap "${capability}+ep" "$fso" - fi - done < "$config_file" -} - -parse_config_folder() { - shopt -s nullglob - for config_file in /etc/permission-hardening.d/*.conf /usr/local/etc/permission-hardening.d/*.conf; do - set_file_perms - done -} - -parse_config_folder - -exit "$exit_code" diff --git a/usr/lib/security-misc/permission-lockdown b/usr/lib/security-misc/permission-lockdown deleted file mode 100755 index 2b4e802..0000000 --- a/usr/lib/security-misc/permission-lockdown +++ /dev/null 
@@ -1,68 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Doing this for all users would create many issues. -# /usr/lib/security-misc/permission-lockdown: user: root | chmod o-rwx "/root" -# /usr/lib/security-misc/permission-lockdown: user: daemon | chmod o-rwx "/usr/sbin" -# /usr/lib/security-misc/permission-lockdown: user: bin | chmod o-rwx "/bin" -# /usr/lib/security-misc/permission-lockdown: user: sys | chmod o-rwx "/dev" -# /usr/lib/security-misc/permission-lockdown: user: sync | chmod o-rwx "/bin" -# /usr/lib/security-misc/permission-lockdown: user: games | chmod o-rwx "/usr/games" -# /usr/lib/security-misc/permission-lockdown: user: man | chmod o-rwx "/var/cache/man" -# /usr/lib/security-misc/permission-lockdown: user: mail | chmod o-rwx "/var/mail" -# /usr/lib/security-misc/permission-lockdown: user: proxy | chmod o-rwx "/bin" -# /usr/lib/security-misc/permission-lockdown: user: backup | chmod o-rwx "/var/backups" -# /usr/lib/security-misc/permission-lockdown: user: systemd-timesync | chmod o-rwx "/run/systemd" -# /usr/lib/security-misc/permission-lockdown: user: systemd-network | chmod o-rwx "/run/systemd/netif" -# /usr/lib/security-misc/permission-lockdown: user: messagebus | chmod o-rwx "/var/run/dbus" -# /usr/lib/security-misc/permission-lockdown: user: tinyproxy | chmod o-rwx "/run/tinyproxy" -# /usr/lib/security-misc/permission-lockdown: user: rtkit | chmod o-rwx "/proc" -# /usr/lib/security-misc/permission-lockdown: user: colord | chmod o-rwx "/var/lib/colord" -# /usr/lib/security-misc/permission-lockdown: user: Debian-exim | chmod o-rwx "/var/spool/exim4" -# /usr/lib/security-misc/permission-lockdown: user: debian-tor | chmod o-rwx "/var/lib/tor" -# /usr/lib/security-misc/permission-lockdown: user: stunnel4 | chmod o-rwx "/var/run/stunnel4" -# /usr/lib/security-misc/permission-lockdown: user: iodine | chmod o-rwx "/var/run/iodine" -# 
/usr/lib/security-misc/permission-lockdown: user: apt-cacher-ng | chmod o-rwx "/var/cache/apt-cacher-ng" -# /usr/lib/security-misc/permission-lockdown: user: statd | chmod o-rwx "/var/lib/nfs" -# /usr/lib/security-misc/permission-lockdown: user: timidity | chmod o-rwx "/etc/timidity" -# /usr/lib/security-misc/permission-lockdown: user: uuidd | chmod o-rwx "/run/uuidd" -# /usr/lib/security-misc/permission-lockdown: user: _rpc | chmod o-rwx "/run/rpcbind" -# /usr/lib/security-misc/permission-lockdown: user: geoclue | chmod o-rwx "/var/lib/geoclue" - -home_folder_access_rights_lockdown() { - shopt -s nullglob - - ## Not using dotglob. - ## touch /var/cache/security-misc/state-files//home/.Trash - ## touch: cannot touch '/var/cache/security-misc/state-files//home/.Trash': No such file or directory - - local folder_name base_name - - for folder_name in /home/* ; do - base_name="$(basename "$folder_name")" - if [ -f "/var/cache/security-misc/state-files/$base_name" ]; then - continue - fi - if [ ! -d "$folder_name" ]; then - continue - fi - if [ "$folder_name" = "/home/" ]; then - continue - fi - mkdir -p /var/cache/security-misc/state-files - echo "$0: chmod o-rwx \"$folder_name\"" - chmod o-rwx "$folder_name" - ## Create a state-file so we do this only once. - ## Therefore a user who will manually undo this, will not get - ## annoyed by this being done over and over again. - touch "/var/cache/security-misc/state-files/$base_name" - done - - shopt -u nullglob -} - -home_folder_access_rights_lockdown - -exit 0 diff --git a/usr/lib/security-misc/remount-secure b/usr/lib/security-misc/remount-secure deleted file mode 100755 index 8f12d43..0000000 --- a/usr/lib/security-misc/remount-secure +++ /dev/null 
@@ -1,104 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## noexec in /tmp and/or /home can break some malware but also legitimate -## applications. - -## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707 - -set -e - -if [ -f /usr/lib/helper-scripts/pre.bsh ]; then - ## pre.bsh would `source` the following folders: - ## /etc/remount-secure_pre.d/*.conf - ## /usr/local/etc/remount-secure_pre.d/*.conf - source /usr/lib/helper-scripts/pre.bsh -fi - -if [ -e /etc/remount-disable ] || [ -e /usr/local/etc/remount-disable ]; then - echo "$0: file /etc/remount-disable exists. Doing nothing." - exit 0 -fi - -if [ -e /etc/noexec ] || [ -e /usr/local/etc/noexec ]; then - noexec=true - echo "$0: Will remount with noexec because file /etc/noexec exists." -else - echo "$0: Will not remount with noexec because file /etc/noexec does not exist." 
-fi - -mkdir --parents "/var/run/remount-secure" - -if [ "$noexec" = "true" ]; then - noexec_maybe=",noexec" -fi - -exit_code=0 - -home() { - if [ -e "/var/run/remount-secure/${FUNCNAME}" ]; then - return 0 - fi - mount -o remount,nosuid,nodev${noexec_maybe} /home || exit_code=2 - touch "/var/run/remount-secure/${FUNCNAME}" -} - -run() { - if [ -e "/var/run/remount-secure/${FUNCNAME}" ]; then - return 0 - fi - ## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html - mount -o remount,nosuid,nodev${noexec_maybe} /run || exit_code=3 - touch "/var/run/remount-secure/${FUNCNAME}" -} - -shm() { - if [ -e "/var/run/remount-secure/${FUNCNAME}" ]; then - return 0 - fi - mount -o remount,nosuid,nodev${noexec_maybe} /dev/shm || exit_code=4 - touch "/var/run/remount-secure/${FUNCNAME}" -} - -tmp() { - if [ -e "/var/run/remount-secure/${FUNCNAME}" ]; then - return 0 - fi - mount -o nosuid,nodev${noexec_maybe} --bind /tmp /tmp || exit_code=5 - touch "/var/run/remount-secure/${FUNCNAME}" -} - -securityfs() { - if [ -e "/var/run/remount-secure/${FUNCNAME}" ]; then - return 0 - fi - mount -o nosuid,nodev${noexec_maybe} --bind /sys/kernel/security /sys/kernel/security || exit_code=6 - touch "/var/run/remount-secure/${FUNCNAME}" -} - -lib() { - if [ -e "/var/run/remount-secure/${FUNCNAME}" ]; then - return 0 - fi - ## Not using noexec on /lib. - mount -o nosuid,nodev --bind /lib /lib || exit_code=7 - touch "/var/run/remount-secure/${FUNCNAME}" -} - -end() { - exit $exit_code -} - -main() { - home "$@" - run "$@" - shm "$@" - tmp "$@" - securityfs "$@" - lib "$@" - end "$@" -} - -main "$@" diff --git a/usr/lib/security-misc/remove-system.map b/usr/lib/security-misc/remove-system.map deleted file mode 100755 index 0cb8823..0000000 --- a/usr/lib/security-misc/remove-system.map +++ /dev/null 
@@ -1,28 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -shopt -s nullglob - -system_map_location="/boot/System.map* /usr/src/*/System.map* /lib/modules/*/*/System.map* /System.map*" - -counter=0 -for filename in ${system_map_location} ; do - counter=$(( counter + 1 )) -done - -if [ "$counter" -ge "1" ]; then - echo "Deleting system.map files..." -fi - -## Removes the System.map files as they are only used for debugging or malware. -for filename in ${system_map_location} ; do - if [ -f "${filename}" ]; then - rm --verbose --force "${filename}" - fi -done - -if [ "$counter" -ge "1" ]; then - echo "Done. Success." -fi diff --git a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf new file mode 100644 index 0000000..0ef99da --- /dev/null +++ b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf 
@@ -0,0 +1,26 @@ +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Definitions: +## KSPP=yes: compliant with recommendations by the KSPP +## KSPP=partial: partially compliant with recommendations by the KSPP +## KSPP=no: not (currently) compliant with recommendations by the KSPP +## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. + +## NOTE: +## This configuration is in a dedicated file because the ram-wipe package +## requires kexec. However, ram-wipe cannot ship a config file +## /etc/sysctl.d/40_ram-wipe.conf that sets 'kernel.kexec_load_disabled=0'. +## Once systemd-sysctl.service has set 'kernel.kexec_load_disabled=1', +## it cannot be undone without a reboot. This is an upstream Linux security feature. +## Instead, ram-wipe will config-package-dev 'hide' this file. + +## Disables kexec, which can be used to replace the running kernel. +## Useful for live kernel patching without rebooting. +## +## https://en.wikipedia.org/wiki/Kexec +## +## KSPP=yes +## KSPP sets the sysctl and does not set CONFIG_KEXEC. +## +kernel.kexec_load_disabled=1 diff --git a/usr/lib/sysctl.d/30_silent-kernel-printk.conf b/usr/lib/sysctl.d/30_silent-kernel-printk.conf new file mode 100644 index 0000000..d8febf9 --- /dev/null +++ b/usr/lib/sysctl.d/30_silent-kernel-printk.conf 
@@ -0,0 +1,20 @@ +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Definitions: +## KSPP=yes: compliant with recommendations by the KSPP +## KSPP=partial: partially compliant with recommendations by the KSPP +## KSPP=no: not (currently) compliant with recommendations by the KSPP +## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. + +## Prevent kernel information leaks in the console during boot. +## Must be used in conjunction with kernel boot parameters. +## See /etc/default/grub.d/41_quiet_boot.cfg for implementation. +## +## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html +## +kernel.printk=3 3 3 3 + +## For increased log verbosity: +## A) Adjust (or comment out) the kernel parameters in /etc/default/grub.d/41_quiet_boot.cfg. Or, +## B) Alternatively, install the debug-misc package to undo these settings. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf new file mode 100644 index 0000000..eaa671e --- /dev/null +++ b/usr/lib/sysctl.d/990-security-misc.conf 
@@ -0,0 +1,579 @@ +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## NOTE: +## This file has a special name to ensure that /usr/lib/sysctl.d/99-protect-links.conf +## is parsed first, followed by /usr/lib/sysctl.d/990-security-misc.conf. +## https://github.com/Kicksecure/security-misc/pull/135 + +## Definitions: +## KSPP=yes: compliant with recommendations by the KSPP +## KSPP=partial: partially compliant with recommendations by the KSPP +## KSPP=no: not (currently) compliant with recommendations by the KSPP +## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. + +## This configuration file is divided into 5 sections: +## 1. Kernel Space +## 2. User Space +## 3. Core Dumps +## 4. Swap Space +## 5. Networking + +## For detailed explanations of most of the selected commands, refer to: +## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html +## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/fs.html +## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/net.html +## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/vm.html +## https://www.kernel.org/doc/html/latest//networking/ip-sysctl.html + +## 1. Kernel Space: +## +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel +## https://kspp.github.io/Recommended_Settings#sysctls +## https://wiki.archlinux.org/title/Security#Kernel_hardening + +## Restrict kernel address visibility via /proc and other interfaces, regardless of user privileges. +## Kernel pointers expose specific locations in kernel memory. +## +## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak +## +## KSPP=yes +## KSPP sets the sysctl. +## +kernel.kptr_restrict=2 + +## Restrict access to the kernel log buffer to users with CAP_SYSLOG. +## Kernel logs often contain sensitive information such as kernel pointers. 
+## +## KSPP=yes +## KSPP sets the sysctl and CONFIG_SECURITY_DMESG_RESTRICT=y. +## +kernel.dmesg_restrict=1 + +## Prevent kernel information leaks in the console during boot. +## Must be used in conjunction with kernel boot parameters. +## See /etc/default/grub.d/41_quiet_boot.cfg for implementation. +## +## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html +## +## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation. +## +#kernel.printk=3 3 3 3 + +## Restrict eBPF access to CAP_BPF. +## Disables unprivileged calls to bpf() without recovery. +## +## https://en.wikipedia.org/wiki/EBPF#Security +## https://lwn.net/Articles/660331/ +## +## KSPP=yes +## KSPP sets the sysctl. +## +kernel.unprivileged_bpf_disabled=1 + +## Restrict loading TTY line disciplines to users with CAP_SYS_MODULE. +## Prevents unprivileged users from loading vulnerable line disciplines with the TIOCSETD ioctl. +## +## https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html +## https://lkml.org/lkml/2019/4/15/890 +## +## KSPP=yes +## KSPP sets the sysctl does not set CONFIG_LDISC_AUTOLOAD. +## +dev.tty.ldisc_autoload=0 + +## Restrict the userfaultfd() syscall to users with SYS_CAP_PTRACE. +## Reduces the likelihood of use-after-free exploits from heap sprays. +## +## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cefdca0a86be517bc390fc4541e3674b8e7803b0 +## https://duasynt.com/blog/linux-kernel-heap-spray +## +## KSPP=yes +## KSPP sets the sysctl. +## +vm.unprivileged_userfaultfd=0 + +## Disables kexec, which can be used to replace the running kernel. +## Useful for live kernel patching without rebooting. +## +## https://en.wikipedia.org/wiki/Kexec +## +## See /usr/lib/sysctl.d/30_security-misc_kexec-disable.conf for implementation. +## +## KSPP=yes +## KSPP sets the sysctl and does not set CONFIG_KEXEC. +## +#kernel.kexec_load_disabled=1 + +## Disable the SysRq key to prevent leakage of kernel information. 
+## The Secure Attention Key (SAK) can no longer be utilized. +## +## https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html +## https://www.kicksecure.com/wiki/SysRq +## https://github.com/xairy/unlockdown +## +## KSPP=yes +## KSPP sets the less strict CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176. +## +kernel.sysrq=0 + +## Disable user namespaces entirely. +## User namespaces aim to improve sandboxing and accessibility for unprivileged users. +## Disabling entirely will reduce compatibility with some AppArmor profiles. +## Disabling entirely is known to break the UPower systemd service. +## Not recommended due to well-known breakages across numerous software packages. +## +## https://lwn.net/Articles/673597/ +## https://madaidans-insecurities.github.io/linux.html#kernel +## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers +## https://github.com/NixOS/nixpkgs/pull/84522#issuecomment-614640601 +## https://github.com/Kicksecure/security-misc/pull/263 +## +## KSPP=no +## KSPP sets the sysctl. +## +#user.max_user_namespaces=0 + +## Restrict user namespaces to users with CAP_SYS_ADMIN. +## See the user.max_user_namespaces setting for more details. +## This is a Debian-specific kernel feature, not a Linux mainline setting. +## Unprivileged user namespaces pose substantial privilege escalation risks. +## Flatpak requires unprivileged users to create new user namespaces for sandboxing. +## Restricting is known to cause breakages in some AppImages and the Evolution Email Client. +## Not recommended due to widespread breakages across many software packages. 
+## +## https://salsa.debian.org/debian/bubblewrap/-/blob/debian/latest/debian/README.Debian +## https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction +## https://github.com/flatpak/flatpak/wiki/User-namespace-requirements +## https://forums.kicksecure.com/t/can-not-run-flatpak-apps-after-kicksecure-update/592 +## https://forums.kicksecure.com/t/cannot-run-some-appimage-apps-after-kicksecure-upate/594 +## https://forums.kicksecure.com/t/impossible-to-start-evolution-app-since-the-last-update/601 +## https://github.com/Kicksecure/security-misc/issues/274 +## +#kernel.unprivileged_userns_clone=0 + +## Restricts kernel profiling to users with CAP_PERFMON. +## The performance events system should not be accessible by unprivileged users. +## Other distributions such as Ubuntu and Fedora may permit further restricting. +## +## https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html#unprivileged-users +## https://lore.kernel.org/kernel-hardening/1469630746-32279-1-git-send-email-jeffv@google.com/ +## +## KSPP=yes +## KSPP sets the sysctl. +## +kernel.perf_event_paranoid=3 + +## Force the kernel to panic on "oopses" and kernel warnings in the WARN() path. +## Can sometimes potentially indicate and thwart certain kernel exploitation attempts. +## Panics may be due to false-positives such as bad drivers. +## Oopses are serious but non-fatal errors. +## Warnings are messages generated by the kernel to indicate unexpected conditions or errors. +## By default, code execution continues regardless of warnings emitted by macros like WARN() and WARN_ON(). +## Note that by forcing kernel panics on oopses and warnings, this exposes the system to targeted denial of service attacks. +## Forcing immediate system reboots on any single kernel panic is an extreme option. 
+## +## https://en.wikipedia.org/wiki/Kernel_panic#Linux +## https://en.wikipedia.org/wiki/Linux_kernel_oops +## https://en.wikipedia.org/wiki/Kdump_(Linux) +## https://lwn.net/Articles/876209/ +## https://git.sr.ht/~gregkh/presentation-security/tree/3fdaf81a2f8b2c8d64cdb2f529cc714624868aa8/item/security-stuff.pdf +## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panisc-on-oops-1-sysctl-for-better-security/7713 +## +## KSPP=partial +## KSPP sets the sysctls, CONFIG_PANIC_ON_OOPS=y, but also requires CONFIG_PANIC_TIMEOUT=-1. +## +## See /usr/libexec/security-misc/panic-on-oops for implementation. +## +## TODO: Debian 13 Trixie +## The limits are applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness). +## +#kernel.panic=-1 +#kernel.panic_on_oops=1 +#kernel.panic_on_warn=1 +#kernel.oops_limit=1 +#kernel.warn_limit=1 + +## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. +## Can lead to privilege escalation by pushing characters into a controlling TTY. +## Will break out-dated screen readers that continue to rely on this legacy functionality. +## +## https://lore.kernel.org/lkml/20221228205726.rfevry7ud6gmttg5@begin/T/ +## +## KSPP=yes +## KSPP sets the sysctl and does not set CONFIG_LEGACY_TIOCSTI. +## +## TODO: Debian 13 Trixie +## This is disabled by default when using Linux kernel >= 6.2. +## +dev.tty.legacy_tiocsti=0 + +## Disable asynchronous I/O for all processes. +## Leading cause of numerous kernel exploits. +## Disabling will reduce the read/write performance of storage devices. 
+## +## https://en.wikipedia.org/wiki/Io_uring#Security +## https://lwn.net/Articles/902466/ +## https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html +## https://github.com/moby/moby/pull/46762 +## https://forums.whonix.org/t/io-uring-security-vulnerabilties/16890 +## +## TODO: Debian 13 Trixie +## Applicable when using Linux kernel >= 6.6 (retained here for future-proofing and completeness). +## +kernel.io_uring_disabled=2 + +## 2. User Space: +## +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace + +## Restrict usage of the ptrace() system call to only processes with CAP_SYS_PTRACE. +## Limit ptrace() as it enables programs to inspect and modify other active processes. +## Prevents native code debugging which some programs use as a method to detect tampering. +## May cause breakages in 'anti-cheat' software and programs running under Proton/WINE. +## +## https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html#ptrace-scope +## https://en.wikipedia.org/wiki/Ptrace +## https://grapheneos.org/features#attack-surface-reduction +## https://github.com/GrapheneOS/os-issue-tracker/issues/651#issuecomment-917599928 +## https://github.com/netblue30/firejail/issues/2860 +## +## KSPP=partial +## KSPP sets the stricter sysctl kernel.yama.ptrace_scope=3. +## +## It is possible to harden further by disabling ptrace() for all users, see documentation. +## https://github.com/Kicksecure/security-misc/pull/242 +## +kernel.yama.ptrace_scope=2 + +## Maximize bits of entropy for improved effectiveness of mmap ASLR. +## The maximum number of bits depends on CPU architecture (the ones shown below are for x86). +## Both explicit sysctl are made redundant due to automation. +## Do NOT enable either sysctl - displaying only for clarity. +## +## https://forums.whonix.org/t/automate-mmap-randomisation-to-fix-ppc64el/16514 +## +## See /usr/libexec/security-misc/mmap-rnd-bits for implementation. 
+## +#vm.mmap_rnd_bits=32 +#vm.mmap_rnd_compat_bits=16 + +## Prevent hardlink creation by users who do not have read/write/ownership of source file. +## Only allow symlinks to be followed when outside of world-writable sticky directories. +## Allow symlinks when the owner and follower match or when the directory owner matches the symlink's owner. +## Hardens cross-privilege boundaries if root process follows a hardlink/symlink belonging to another user. +## This mitigates many hardlink/symlink-based TOCTOU races in world-writable directories like /tmp. +## +## https://wiki.archlinux.org/title/Security#File_systems +## https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=/tmp +## https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use#Preventing_TOCTOU +## +## KSPP=yes +## KSPP sets the sysctls. +## +fs.protected_hardlinks=1 +fs.protected_symlinks=1 + +## Disallow writes to files in world-writable sticky directories unless owned by the directory owner. +## Also applies to group-writable sticky directories to make data spoofing attacks more difficult. +## Prevents unintentional writes to attacker-controlled files. +## +## KSPP=yes +## KSPP sets the sysctls. +## +fs.protected_fifos=2 +fs.protected_regular=2 + +## Enable ASLR for mmap base, stack, VDSO pages, and heap. +## Forces shared libraries to be loaded to random addresses. +## Start location of PIE-linked binaries is randomized. +## Heap randomization can lead to breakages with legacy applications. +## +## https://en.wikipedia.org/wiki/Address_space_layout_randomization#Linux +## +## KSPP=yes +## KSPP sets the sysctl. +## +kernel.randomize_va_space=2 + +## Raise the minimum address a process can request for memory mapping to 64KB as a form of defense-in-depth. +## Prevents kernel null pointer dereference vulnerabilities which may trigger kernel panics. +## Protects against local unprivileged users gaining root privileges by mapping data to low memory pages. 
+## Some legacy applications may still depend on low virtual memory addresses for proper functionality. +## +## https://googleprojectzero.blogspot.com/2023/01/exploiting-null-dereferences-in-linux.html +## https://access.redhat.com/articles/20484 +## https://wiki.debian.org/mmap_min_addr +## +## KSPP=yes +## KSPP sets CONFIG_DEFAULT_MMAP_MIN_ADDR=65536. +## +vm.mmap_min_addr=65536 + +## Increase the maximum number of memory map areas a process is permitted to utilize. +## Addresses performance, crash, and start-up issues for some memory-intensive applications. +## Required to accommodate the very large number of guard pages created by hardened_malloc. +## Kicksecure version 18 will deprecate hardened_malloc, so this sysctl will be applied here instead. +## +## https://archlinux.org/news/increasing-the-default-vmmax_map_count-value/ +## https://github.com/GrapheneOS/hardened_malloc#traditional-linux-based-operating-systems +## https://github.com/Kicksecure/hardened_malloc/blob/master/debian/hardened_malloc.conf +## https://www.kicksecure.com/wiki/Hardened_Malloc#Deprecation_in_Kicksecure +## +vm.max_map_count=1048576 + +## Disable the miscellaneous binary format virtual file system to prevent unintended code execution. +## Prevents registering interpreters for various binary formats based on a magic number or their file extension. +## Otherwise arbitrary executables with recognized file formats will be passed to relevant user space applications. +## These interpreters will then run with root permissions when a setuid binary is owned by root. +## Can stop maliciously crafted files with specific file extensions from automatically executing. +## Breaks many scripts that do not have appropriate shebang interpreter directives (#!/bin/...). 
+## +## https://www.kernel.org/doc/html/latest/admin-guide/binfmt-misc.html +## https://salsa.debian.org/debian/binfmt-support +## https://access.redhat.com/solutions/1985633 +## https://en.wikipedia.org/wiki/Binfmt_misc +## https://security.stackexchange.com/questions/271786/does-allowing-binfmt-misc-significantly-increase-the-attack-surface-for-unprivil +## https://unix.stackexchange.com/questions/439569/what-kinds-of-executable-formats-do-the-files-under-proc-sys-fs-binfmt-misc-al +## https://github.com/Kicksecure/security-misc/pull/249 +## +## KSPP=no +## KSPP does not set CONFIG_BINFMT_MISC. +## +## This is disabled by default due to file/folder permission issues: +## https://github.com/Kicksecure/security-misc/issues/267 +## +#fs.binfmt_misc.status=0 + +## 3. Core Dumps: +## +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps + +## Disable core dump files by preventing any pattern names. +## This setting may be overwritten by systemd and is not comprehensive. +## Core dumps are also disabled in security-misc via other means. +## +## https://wiki.archlinux.org/title/Core_dump#Disabling_automatic_core_dumps +## +kernel.core_pattern=|/bin/false + +## Prevent setuid processes or otherwise protected/tainted binaries from creating core dumps. +## Any process which has changed privilege levels or is execute-only will not be dumped. +## +## https://blog.qualys.com/vulnerabilities-threat-research/2025/05/29/qualys-tru-discovers-two-local-information-disclosure-vulnerabilities-in-apport-and-systemd-coredump-cve-2025-5054-and-cve-2025-4598 +## +## KSPP=yes +## KSPP sets the sysctl. +## +fs.suid_dumpable=0 + +## Set core dump file name to 'core.PID' instead of 'core' as a form of defense-in-depth. +## If core dumps are permitted, only useful if PID listings are hidden from non-root users. +## +kernel.core_uses_pid=1 + +## 4. 
Swap Space: +## +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#swap + +## Limit the copying of memory to the swap device only if absolutely necessary. +## Minimizes the likelihood of writing potentially sensitive contents to disk. +## Not recommended to set to zero since this disables periodic write behavior. +## +## https://en.wikipedia.org/wiki/Memory_paging#Linux +## https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Performance_Tuning_Guide/s-memory-tunables.html +## +vm.swappiness=1 + +## 5. Networking: +## +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-network +## https://wiki.archlinux.org/title/Sysctl#TCP/IP_stack_hardening + +## Enable hardening of the BPF JIT compiler for all users. +## Provides some mitigation against JIT spraying. +## +## https://en.wikipedia.org/wiki/JIT_spraying +## https://www.blackhat.com/docs/eu-16/materials/eu-16-Reshetova-Randomization-Can't-Stop-BPF-JIT-Spray-wp.pdf +## https://lwn.net/Articles/686098/ +## https://lwn.net/Articles/525609/ +## +## KSPP=yes +## KSPP sets the sysctl. +## +net.core.bpf_jit_harden=2 + +## Enable TCP SYN cookie protection to assist against SYN flood attacks. +## +## https://en.wikipedia.org/wiki/SYN_flood +## https://cateee.net/lkddb/web-lkddb/SYN_COOKIES.html +## +## KSPP=yes +## KSPP sets CONFIG_SYN_COOKIES=y. +## +net.ipv4.tcp_syncookies=1 + +## Protect against TCP time-wait assassination hazards. +## Drops RST packets for sockets in the time-wait state. +## +## https://tools.ietf.org/html/rfc1337 +## +net.ipv4.tcp_rfc1337=1 + +## Enable reverse path filtering (source validation) of packets received from all interfaces. +## Prevents IP spoofing and mitigates vulnerabilities such as CVE-2019-14899. +## The second "default" command fixes a bug in the existing kernel implementation. 
+## +## https://en.wikipedia.org/wiki/IP_address_spoofing +## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-reverse_path_forwarding#sect-Security_Guide-Server_Security-Reverse_Path_Forwarding +## https://forums.whonix.org/t/enable-reverse-path-filtering/8594 +## https://seclists.org/oss-sec/2019/q4/122 +## https://github.com/Kicksecure/security-misc/pull/261 +## +net.ipv4.conf.*.rp_filter=1 +net.ipv4.conf.default.rp_filter=1 + +## Disable ICMP redirect acceptance and redirect sending messages. +## Prevents man-in-the-middle attacks and minimizes information disclosure. +## If ICMP redirects are permitted, accept messages only through approved gateways (kernel default). +## Approving gateways requires the managing of a default gateway list. +## +## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-disable-source-routing#sect-Security_Guide-Server_Security-Disable-Source-Routing +## https://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/theconfvariables.html +## https://www.debian.org/doc/manuals/securing-debian-manual/network-secure.en.html +## https://askubuntu.com/questions/118273/what-are-icmp-redirects-and-should-they-be-blocked +## https://github.com/Kicksecure/security-misc/pull/248 +## +net.ipv4.conf.*.accept_redirects=0 +net.ipv4.conf.*.send_redirects=0 +net.ipv6.conf.*.accept_redirects=0 +#net.ipv4.conf.*.secure_redirects=1 + +## Deny sending and receiving RFC1620 shared media redirects. +## Relevant mainly for network interfaces that operate over shared media such as Ethernet hubs. +## Stops the kernel from sending ICMP redirects to specific networks from the connected network. +## This variable overrides the use secure_redirects. 
+## +## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf +## https://datatracker.ietf.org/doc/html/rfc1620 +## https://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/theconfvariables.html +## +net.ipv4.conf.*.shared_media=0 + +## Enable ARP (Address Resolution Protocol) filtering. +## Prevents the Linux kernel from handling the ARP table globally. +## Can mitigate some ARP spoofing and ARP cache poisoning attacks. +## Improper filtering can lead to increased ARP traffic and inadvertently block legitimate ARP requests. +## +## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf +## +net.ipv4.conf.*.arp_filter=1 + +## Respond to ARP (Address Resolution Protocol) requests only if the target IP address is on-link. +## Reduces IP spoofing attacks by limiting the scope of allowable ARP responses. +## +## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf +## https://github.com/mullvad/mullvadvpn-app/blob/main/audits/2024-12-10-X41-D-Sec.md#mllvd-cr-24-03-virtual-ip-address-of-tunnel-device-leaks-to-network-adjacent-participant-severity-medium +## https://github.com/mullvad/mullvadvpn-app/pull/7141 +## https://www.x41-dsec.de/static/reports/X41-Mullvad-Audit-Public-Report-2024-12-10.pdf +## +## Can lead to breakages with certain VM configurations that may be resolved by lowering protection to `arp_ignore=1`. +## https://github.com/Kicksecure/security-misc/pull/290 +## +net.ipv4.conf.*.arp_ignore=2 + +## Drop gratuitous ARP (Address Resolution Protocol) packets. +## Stops ARP responses sent by a device without being explicitly requested. +## Prevents ARP cache poisoning by rejecting fake ARP entries into a network. +## Prevents man-in-the-middle and denial-of-service attacks. +## May cause breakages when ARP proxies are used in the network. 
+## +## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf +## https://patchwork.ozlabs.org/project/netdev/patch/1428652454-1224-3-git-send-email-johannes@sipsolutions.net/ +## https://www.practicalnetworking.net/series/arp/gratuitous-arp/ +## +net.ipv4.conf.*.drop_gratuitous_arp=1 + +## Ignore ICMP echo requests. +## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks. +## +## https://en.wikipedia.org/wiki/Smurf_attack +## +net.ipv4.icmp_echo_ignore_all=1 +net.ipv6.icmp.echo_ignore_all=1 + +## Ignore bogus ICMP error responses. +## Mitigates attacks designed to fill log files with useless error messages. +## +net.ipv4.icmp_ignore_bogus_error_responses=1 + +## Disable source routing which allows users to redirect network traffic. +## Prevents man-in-the-middle attacks in which the traffic is redirected. +## +## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-disable-source-routing +## +net.ipv4.conf.*.accept_source_route=0 +net.ipv6.conf.*.accept_source_route=0 + +## Do not accept IPv6 router advertisements and solicitations. +## +net.ipv6.conf.*.accept_ra=0 + +## Disable SACK and DSACK. +## Select acknowledgements (SACKs) are a known common vector of exploitation. +## Duplicate select acknowledgements (DSACKs) are an extension of SACK. +## Disabling can cause severe connectivity issues on networks with high latency or packet loss. +## Enabling on stable high-bandwidth networks can lead to reduced efficiency of TCP connections. 
+## +## https://datatracker.ietf.org/doc/html/rfc2018 +## https://datatracker.ietf.org/doc/html/rfc2883 +## https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf +## https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md +## https://wiki.archlinux.org/title/Sysctl#TCP_Selective_Acknowledgement +## https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109/5 +## +## SACK and DSACK are currently enabled. +## +#net.ipv4.tcp_sack=0 +#net.ipv4.tcp_dsack=0 + +## Disable TCP timestamps to limit device fingerprinting via system time. +## Timestamps allow round-trip time measurement and protection against wrapped sequence numbers. +## Disabling timestamps on very fast links is likely to cause TCP Sequence Numbers to wrap. +## Segments with wrapped numbers will be incorrectly discarded, reducing network performance. +## +## https://datatracker.ietf.org/doc/html/rfc1323 +## https://forums.whonix.org/t/do-ntp-and-tcp-timestamps-really-leak-your-local-time/7824 +## https://web.archive.org/web/20170201160732/https://mailman.boum.org/pipermail/tails-dev/2013-December/004520.html +## https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf +## +net.ipv4.tcp_timestamps=0 + +## Enable logging of packets with impossible source or destination addresses. +## Martian and unroutable packets may be used for malicious purposes. +## Recommended to keep a (kernel dmesg) log of these to identify suspicious packets. +## Useful for troubleshooting and diagnostics but not necessary by default. +## Known to cause performance issues, especially on systems with multiple interfaces. +## +## https://wiki.archlinux.org/title/Sysctl#Log_martian_packets +## https://github.com/Kicksecure/security-misc/issues/214 +## +## The logging of martian packets is currently disabled. 
+## +#net.ipv4.conf.*.log_martians=1 + +## Enable IPv6 Privacy Extensions to prefer temporary addresses over public addresses. +## The temporary/privacy address is used as the source for all outgoing traffic. +## Must be used in combination with /usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf. +## Must be used in combination with /usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf. +## Should be used with MAC randomization in /usr/lib/NetworkManager/conf.d/80_randomize-mac.conf. +## +## MAC randomization breaks root server and VirtualBox DHCP, likely due to IPv6 Privacy Extensions. +## +## https://datatracker.ietf.org/doc/html/rfc4941 +## https://github.com/Kicksecure/security-misc/pull/145 +## https://github.com/Kicksecure/security-misc/issues/184 +## +## The use of IPv6 Privacy Extensions is currently disabled due to these breakages. +## +#net.ipv6.conf.*.use_tempaddr=2 diff --git a/usr/lib/systemd/coredump.conf.d/30_security-misc.conf b/usr/lib/systemd/coredump.conf.d/30_security-misc.conf new file mode 100644 index 0000000..2d02bc9 --- /dev/null +++ b/usr/lib/systemd/coredump.conf.d/30_security-misc.conf @@ -0,0 +1,5 @@ +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +[Coredump] +Storage=none diff --git a/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf b/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf new file mode 100644 index 0000000..5de38c4 --- /dev/null +++ b/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf 
@@ -0,0 +1,13 @@ +## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## MAC randomisation breaks root server and VirtualBox DHCP likely due to IPv6 Privacy Extensions. +## +## https://datatracker.ietf.org/doc/html/rfc4941 +## https://github.com/Kicksecure/security-misc/pull/145 +## https://github.com/Kicksecure/security-misc/issues/184 +## +## The use of IPv6 Privacy Extenstions is currently diasbled due to these breakages. + +#[Network] +#IPv6PrivacyExtensions=kernel diff --git a/usr/lib/systemd/pstore.conf.d/30_security-misc.conf b/usr/lib/systemd/pstore.conf.d/30_security-misc.conf new file mode 100644 index 0000000..9e513c6 --- /dev/null +++ b/usr/lib/systemd/pstore.conf.d/30_security-misc.conf @@ -0,0 +1,5 @@ +## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +[PStore] +Storage=none diff --git a/usr/lib/systemd/system-preset/50-security-misc.preset b/usr/lib/systemd/system-preset/50-security-misc.preset new file mode 100644 index 0000000..1895526 --- /dev/null +++ b/usr/lib/systemd/system-preset/50-security-misc.preset @@ -0,0 +1,19 @@ +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## https://forums.whonix.org/t/restrict-hardware-information-to-root-testers-wanted/8618 +disable hide-hardware-info.service + +## Disable for now until development finished / tested. +disable permission-hardener.service + +## Disable for now until development finished / tested. +## https://github.com/Kicksecure/security-misc/pull/152 +disable remount-secure.service + +## Disable due to pkexec issues. +disable proc-hidepid.service + +## Disable due to issues. See: +## https://github.com/Kicksecure/security-misc/issues/159 +disable harden-module-loading.service diff --git a/usr/lib/systemd/system/harden-module-loading.service b/usr/lib/systemd/system/harden-module-loading.service new file mode 100644 index 0000000..8efea40 
--- /dev/null +++ b/usr/lib/systemd/system/harden-module-loading.service @@ -0,0 +1,24 @@ +## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +[Unit] +Description=Disable the loading of additional modules after systemd-modules-load.service +Documentation=https://github.com/Kicksecure/security-misc + +DefaultDependencies=no +Before=sysinit.target +Requires=local-fs.target +Requires=systemd-modules-load.service +After=local-fs.target +After=systemd-modules-load.service + +# This functionality is implemented with this and not directly in the sysctl config is +# to allow systemd-modules-load.service to load the modules with no problem but +# to disallow anyone else do the same after the system boots up. + +[Service] +Type=oneshot +ExecStart=/usr/libexec/security-misc/disable-kernel-module-loading + +[Install] +WantedBy=sysinit.target diff --git a/usr/lib/systemd/system/haveged.service.d/30_security-misc.conf b/usr/lib/systemd/system/haveged.service.d/30_security-misc.conf new file mode 100644 index 0000000..2981464 --- /dev/null +++ b/usr/lib/systemd/system/haveged.service.d/30_security-misc.conf @@ -0,0 +1,7 @@ +## Copyright (C) 2021 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +[Service] +## hardened malloc compatibility +## Otherwise haveged will exit with a core dump. +SystemCallFilter=getrandom diff --git a/lib/systemd/system/hide-hardware-info.service b/usr/lib/systemd/system/hide-hardware-info.service similarity index 56% rename from lib/systemd/system/hide-hardware-info.service rename to usr/lib/systemd/system/hide-hardware-info.service index dafa531..659c3f5 100644 --- a/lib/systemd/system/hide-hardware-info.service +++ b/usr/lib/systemd/system/hide-hardware-info.service 
@@ -1,9 +1,10 @@ -## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. [Unit] Description=Hide hardware information to unprivileged users -Documentation=https://github.com/Whonix/security-misc +Documentation=https://github.com/Kicksecure/security-misc + DefaultDependencies=no Before=sysinit.target Requires=local-fs.target @@ -11,7 +12,8 @@ After=local-fs.target [Service] Type=oneshot -ExecStart=/usr/lib/security-misc/hide-hardware-info +ExecStart=/usr/libexec/security-misc/hide-hardware-info +RemainAfterExit=yes [Install] WantedBy=sysinit.target diff --git a/usr/lib/systemd/system/panic-on-oops.service b/usr/lib/systemd/system/panic-on-oops.service new file mode 100644 index 0000000..6b10ddc --- /dev/null +++ b/usr/lib/systemd/system/panic-on-oops.service @@ -0,0 +1,20 @@ +## Copyright (C) 2024 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +[Unit] +Description=Sets 'sysctl kernel.panic_on_oops=1' late during the boot process. +Documentation=https://github.com/Kicksecure/security-misc + +ConditionKernelCommandLine=!panic-on-oops=0 + +After=multi-user.target +After=graphical.target +After=getty.target + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/libexec/security-misc/panic-on-oops + +[Install] +WantedBy=multi-user.target diff --git a/usr/lib/systemd/system/permission-hardener.service b/usr/lib/systemd/system/permission-hardener.service new file mode 100644 index 0000000..109c9fd --- /dev/null +++ b/usr/lib/systemd/system/permission-hardener.service 
@@ -0,0 +1,19 @@ +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +[Unit] +Description=Permission Hardener at Boot Time (opt-in in addition to security-misc package installation time hardening) +Documentation=https://github.com/Kicksecure/security-misc + +DefaultDependencies=no +Before=sysinit.target +Requires=local-fs.target +After=local-fs.target + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=permission-hardener enable + +[Install] +WantedBy=sysinit.target diff --git a/lib/systemd/system/proc-hidepid.service b/usr/lib/systemd/system/proc-hidepid.service similarity index 51% rename from lib/systemd/system/proc-hidepid.service rename to usr/lib/systemd/system/proc-hidepid.service index e4cd70e..d7ea4d9 100644 --- a/lib/systemd/system/proc-hidepid.service +++ b/usr/lib/systemd/system/proc-hidepid.service @@ -1,9 +1,10 @@ -## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. [Unit] Description=Mounts /proc with hidepid=2 -Documentation=https://github.com/Whonix/security-misc +Documentation=https://github.com/Kicksecure/security-misc + DefaultDependencies=no Before=sysinit.target Requires=local-fs.target @@ -11,7 +12,8 @@ After=local-fs.target [Service] Type=oneshot -ExecStart=/bin/mount -o remount,nosuid,nodev,noexec,hidepid=2 /proc +ExecStart=/bin/mount -o remount,nosuid,nodev,noexec,hidepid=2,gid=proc /proc +RemainAfterExit=yes [Install] WantedBy=sysinit.target diff --git a/usr/lib/systemd/system/remount-secure.service b/usr/lib/systemd/system/remount-secure.service new file mode 100644 index 0000000..2489d34 --- /dev/null +++ b/usr/lib/systemd/system/remount-secure.service 
@@ -0,0 +1,32 @@ +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +[Unit] +Description=remount /home /tmp /dev/shm /run with nosuid,nodev (default) and noexec (opt-in) +Documentation=https://github.com/Kicksecure/security-misc + +ConditionKernelCommandLine=!remountsecure=0 + +DefaultDependencies=no + +Before=sysinit-post.target +Before=basic.target +Before=multi-user.target +Before=graphical.target +Before=getty-pre.target +Before=network-pre.target + +After=local-fs.target +After=sysinit.target +After=qubes-sysinit.service + +Requires=local-fs.target +Requires=sysinit.target + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=remount-secure 3 + +[Install] +WantedBy=sysinit-post.target diff --git a/usr/lib/systemd/system/remove-system-map.service b/usr/lib/systemd/system/remove-system-map.service new file mode 100644 index 0000000..1e36d61 --- /dev/null +++ b/usr/lib/systemd/system/remove-system-map.service @@ -0,0 +1,19 @@ +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +[Unit] +Description=Removes the System.map files +Documentation=https://github.com/Kicksecure/security-misc + +DefaultDependencies=no +Before=sysinit.target +Requires=local-fs.target +After=local-fs.target + +[Service] +Type=oneshot +ExecStart=/usr/libexec/security-misc/remove-system.map +RemainAfterExit=yes + +[Install] +WantedBy=sysinit.target diff --git a/usr/lib/systemd/system/sysinit-post.target b/usr/lib/systemd/system/sysinit-post.target new file mode 100644 index 0000000..c00e91e --- /dev/null +++ b/usr/lib/systemd/system/sysinit-post.target @@ -0,0 +1,12 @@ +## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +[Unit] +Description=sys-init.target by security-misc + +After=sysinit.target +Before=basic.target +Requires=sysinit.target + +[Install] +WantedBy=basic.target 
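Review bot: in the sysctl hunk's networking section, the comment above net.ipv4.icmp_echo_ignore_all=1 and net.ipv6.icmp.echo_ignore_all=1 says the setting "Prevents clock fingerprinting through ICMP timestamps", but both keys concern echo requests only, and nothing in the hunk addresses ICMP timestamp requests. Reword the comment to what the two keys actually do (ignore echo requests, Smurf mitigation), or add a reference that backs the timestamp claim. In the same section, "The second "default" command fixes a bug in the existing kernel implementation" above the rp_filter lines does not say which bug; a link or a one-line description would let a later reader judge when net.ipv4.conf.default.rp_filter=1 can be dropped. Typo: "This variable overrides the use secure_redirects" is missing "of".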
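Review bot: usr/lib/systemd/system/harden-module-loading.service is Type=oneshot without RemainAfterExit=yes, while every other oneshot unit in this patch has it (it is even added to hide-hardware-info.service and proc-hidepid.service here). Without it the unit returns to inactive once the script exits, so systemctl status does not show whether module loading was locked. Add RemainAfterExit=yes for consistency, or say in a comment why it is left out. The comment block in [Unit] is also hard to parse ("This functionality is implemented with this and not directly in the sysctl config is to allow ..."); something like "This is done in a service rather than in the sysctl config so that systemd-modules-load.service can load its modules first; afterwards no further modules can be loaded" would read more clearly.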
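Review bot: the Description= in usr/lib/systemd/system/sysinit-post.target reads "sys-init.target by security-misc", which does not match the unit's name (sysinit-post.target), so boot logs and systemctl status will show a misleading label. Suggest "sysinit-post.target by security-misc" plus a short comment saying what the target is for, since remount-secure.service in this patch orders itself against it and is WantedBy it.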
diff --git a/usr/lib/systemd/system/user@.service.d/sysfs.conf b/usr/lib/systemd/system/user@.service.d/sysfs.conf new file mode 100644 index 0000000..3a9129d --- /dev/null +++ b/usr/lib/systemd/system/user@.service.d/sysfs.conf @@ -0,0 +1,5 @@ +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +[Service] +SupplementaryGroups=sysfs diff --git a/usr/libexec/security-misc/apt-get-update b/usr/libexec/security-misc/apt-get-update new file mode 100755 index 0000000..9cbfd8e --- /dev/null +++ b/usr/libexec/security-misc/apt-get-update @@ -0,0 +1,46 @@ +#!/bin/bash + +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## TODO: Move this to helper-scripts. + +set -o errexit +set -o nounset +set -o errtrace +set -o pipefail + +command -v start-stop-daemon >/dev/null +command -v timeout >/dev/null +command -v apt-get >/dev/null + +export LC_ALL=C +pidfile="/run/helper-scripts/security-misc-apt-get-update-pid" + +sigterm_trap() { + /usr/libexec/helper-scripts/apt-get-update-kill-helper &>/dev/null + exit 143 +} + +## terminate potential previous invocations. +/usr/libexec/helper-scripts/apt-get-update-kill-helper &>/dev/null + +trap "sigterm_trap" SIGTERM SIGINT + +[[ -v timeout_after ]] || timeout_after="600" +[[ -v kill_after ]] || kill_after="10" + +start-stop-daemon \ + --make-pidfile \ + --pidfile "$pidfile" \ + --exec /usr/bin/timeout \ + --start \ + -- \ + --kill-after="$kill_after" \ + "$timeout_after" \ + apt-get update --error-on=any "$@" & + +lastpid="$!" +wait "$lastpid" + +exit "$?" diff --git a/usr/libexec/security-misc/apt-get-update-sanity-test b/usr/libexec/security-misc/apt-get-update-sanity-test new file mode 100755 index 0000000..7efac72 --- /dev/null +++ b/usr/libexec/security-misc/apt-get-update-sanity-test 
@@ -0,0 +1,21 @@ +#!/bin/bash + +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +set -x +set -e +set -o pipefail + +if ! printf '%s\n' "" | wc -l >/dev/null ; then + printf '%s\n' "\ +$0: ERROR: command 'wc' test failed! Do not ignore this! + +'wc' can core dump. Example: +zsh: illegal hardware instruction (core dumped) wc -l +https://github.com/rspamd/rspamd/issues/5137" >&2 + exit 1 +fi + +wc -L "/var/lib/apt/lists/"*InRelease +wc -L "/var/lib/apt/lists/"*InRelease | awk '$1 > 1024 {print; exit 1}' diff --git a/usr/lib/security-misc/askpass b/usr/libexec/security-misc/askpass similarity index 70% rename from usr/lib/security-misc/askpass rename to usr/libexec/security-misc/askpass index 0a7cb83..56ecffc 100755 --- a/usr/lib/security-misc/askpass +++ b/usr/libexec/security-misc/askpass @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. set -e diff --git a/usr/libexec/security-misc/disable-kernel-module-loading b/usr/libexec/security-misc/disable-kernel-module-loading new file mode 100755 index 0000000..80d3190 --- /dev/null +++ b/usr/libexec/security-misc/disable-kernel-module-loading @@ -0,0 +1,11 @@ +#!/bin/bash + +## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +set -x +set -e + +sysctl -w kernel.modules_disabled=1 + +true "The loading of new modules to the kernel has been disabled by security-misc." diff --git a/usr/lib/security-misc/echo-path b/usr/libexec/security-misc/echo-path similarity index 52% rename from usr/lib/security-misc/echo-path rename to usr/libexec/security-misc/echo-path index ba4cdf4..3bcc2cd 100755 --- a/usr/lib/security-misc/echo-path +++ b/usr/libexec/security-misc/echo-path 
@@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. set -e diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info new file mode 100755 index 0000000..acf24ef --- /dev/null +++ b/usr/libexec/security-misc/hide-hardware-info 
@@ -0,0 +1,138 @@ +#!/bin/bash + +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +set -o errexit +set -o nounset +set -o errtrace +set -o pipefail +shopt -s nullglob + +run_cmd() { + echo "INFO: normal executing : $@" + "$@" +} + +run_cmd_whitelist() { + echo "INFO: whitelist executing: $@" + "$@" +} + +echo "$0: INFO: START" + +default_variables_set() { + sysfs_whitelist=1 + cpuinfo_whitelist=1 + sysfs=1 + ## https://www.kicksecure.com/wiki/Security-misc#selinux + selinux=0 +} + +parse_configuration() { + ## Allows for disabling the whitelist. + local i + for i in /usr/local/etc/hide-hardware-info.d/*.conf /etc/hide-hardware-info.d/*.conf ; do + bash -n "${i}" + source "${i}" + done +} + +create_whitelist() { + if [ "${1}" = "sysfs" ]; then + whitelist_path="/sys" + elif [ "${1}" = "cpuinfo" ]; then + whitelist_path="/proc/cpuinfo" + else + echo "ERROR: ${1} is not a correct parameter." + exit 1 + fi + + if grep -q "${1}" /etc/group; then + ## Changing the permissions of /sys recursively + ## causes errors as the permissions of /sys/kernel/debug + ## and /sys/fs/cgroup cannot be changed. + run_cmd_whitelist chgrp --quiet --recursive "${1}" "${whitelist_path}" || true + + run_cmd_whitelist chmod o-rwx "${whitelist_path}" + else + echo "ERROR: The ${1} group does not exist, the ${1} whitelist was not created." + fi +} + +default_variables_set +parse_configuration + +## sysfs and debugfs expose a lot of information +## that should not be accessible by an unprivileged +## user which includes hardware info, debug info and +## more. This restricts /sys, /proc/cpuinfo, /proc/bus +## and /proc/scsi to the root user only. This hides +## many hardware identifiers from ordinary users +## and increases security. +for i in /proc/cpuinfo /proc/bus /proc/scsi /sys ; do + if [ -e "${i}" ]; then + if [ "${i}" = "/sys" ]; then + if [ "${sysfs}" = "1" ]; then + ## Whitelist for /sys. 
+ if [ "${sysfs_whitelist}" = "1" ]; then + create_whitelist sysfs + else + echo "INFO: The sysfs whitelist is not enabled. Some things may not work properly. Full sysfs hardening..." + run_cmd chmod og-rwx /sys + fi + fi + elif [ "${i}" = "/proc/cpuinfo" ]; then + if [ "${cpuinfo_whitelist}" = "1" ]; then + create_whitelist cpuinfo + else + echo "INFO: The cpuinfo whitelist is not enabled. Some things may not work properly. Full cpuinfo hardening..." + run_cmd chmod og-rwx /proc/cpuinfo + fi + else + run_cmd chmod og-rwx "${i}" + fi + else + ## /proc/scsi doesn't exist on Debian so errors + ## are expected here. + if ! [ "${i}" = "/proc/scsi" ]; then + echo "ERROR: ${i} could not be found." + fi + fi +done + + +if [ "${sysfs}" = "1" ]; then + ## restrict permissions on everything but + ## what is needed + for i in /sys/* /sys/fs/* ; do + ## Using '|| true': + ## https://github.com/Kicksecure/security-misc/pull/108 + if [ "${sysfs_whitelist}" = "1" ]; then + run_cmd chmod o-rwx "${i}" || true + else + run_cmd chmod og-rwx "${i}" || true + fi + done + + ## polkit needs stat access to /sys/fs/cgroup + ## to function properly + run_cmd chmod o+rx /sys /sys/fs + + ## on SELinux systems, at least /sys/fs/selinux + ## must be visible to unprivileged users, else + ## SELinux userspace utilities will not function + ## properly + if [ -d /sys/fs/selinux ]; then + echo "INFO: SELinux detected because folder /sys/fs/selinux exists. See also:" + echo "https://www.kicksecure.com/wiki/Security-misc#selinux" + if [ "${selinux}" = "1" ]; then + run_cmd chmod o+rx /sys /sys/fs /sys/fs/selinux + echo "INFO: SELinux mode enabled. Restrictions loosened slightly in order to allow userspace utilities to function." + else + echo "INFO: SELinux detected, but SELinux mode is not enabled. Some userspace utilities may not work properly." + fi + fi +fi + +echo "$0: INFO: END" 
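Review bot: in create_whitelist of usr/libexec/security-misc/hide-hardware-info, the existence check grep -q "${1}" /etc/group matches the string anywhere in the file, so any line that merely contains "sysfs" or "cpuinfo" (a longer group name, or a member name in another group's list) passes it, and groups provided through NSS are not seen at all. When the check passes wrongly, the following chgrp fails and is swallowed by "|| true", and chmod o-rwx still runs, so the whitelist silently does not exist. Suggest getent group -- "${1}" >/dev/null, or at least anchoring the pattern as "^${1}:".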
diff --git a/usr/libexec/security-misc/mmap-rnd-bits b/usr/libexec/security-misc/mmap-rnd-bits new file mode 100755 index 0000000..25745c2 --- /dev/null +++ b/usr/libexec/security-misc/mmap-rnd-bits 
@@ -0,0 +1,81 @@ +#!/usr/bin/env bash + +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## This script enforces the maximum ASLR hardening settings for mmap, given the +## installed Linux config. +## See also: +## https://forums.whonix.org/t/automate-mmap-randomisation-to-fix-ppc64el/16514 + +set -euo pipefail +shopt -s failglob + +more_info_link="https://forums.whonix.org/t/automate-mmap-randomisation-to-fix-ppc64el/16514" +aslr_mmap_config_file="/etc/sysctl.d/30_security-misc_aslr-mmap.conf" + +exit_with_error() { + echo "$0: SEE ALSO:" >&2 + echo "" >&2 + echo "$more_info_link" >&2 + exit 1 +} + +if ! test -d /etc/sysctl.d ; then + echo "$0: ERROR: Folder /etc/sysctl.d does not exist!" >&2 + exit_with_error +fi + +if ! test -w /etc/sysctl.d ; then + echo "$0: ERROR: Folder /etc/sysctl.d not writeable! This script is supposed to be run as root." >&2 + exit_with_error +fi + +## Defaults in case Linux config detection fails. These are likely to work fine +## on x86_64, probably not elsewhere. +BITS_MAX_DEFAULT=32 +COMPAT_BITS_MAX_DEFAULT=16 + +## Find the most recently modified Linux config file. +if compgen -G "/boot/config-*" > /dev/null && CONFIG=$(ls -1 -t /boot/config-* | head -n 1) ; then + ## Find the relevant config options. + if ! BITS_MAX=$(grep -E '^CONFIG_ARCH_MMAP_RND_BITS_MAX=[0-9]+$' "${CONFIG}" | cut -d "=" -f 2) ; then + echo "$0: ERROR: Error detecting CONFIG_ARCH_MMAP_RND_BITS_MAX! Using built-in default." >&2 + BITS_MAX="${BITS_MAX_DEFAULT}" + fi + if ! COMPAT_BITS_MAX=$(grep -E '^CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX=[0-9]+$' "${CONFIG}" | cut -d "=" -f 2) ; then + echo "$0: ERROR: Error detecting CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX! Using built-in default." >&2 + COMPAT_BITS_MAX="${COMPAT_BITS_MAX_DEFAULT}" + fi +else + ## Could be a chroot. + echo "$0: INFO: No Linux config file detected in folder /boot/ (starting with 'config-'). Therefore using built-in defaults." 
>&2 + BITS_MAX="${BITS_MAX_DEFAULT}" + COMPAT_BITS_MAX="${COMPAT_BITS_MAX_DEFAULT}" +fi + +## Generate a sysctl.d conf file. +SYSCTL="\ +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## This file is automatically generated by: +## $0 +## Do not edit! +## See also: +## $more_info_link + +## Improves ASLR effectiveness for mmap. +vm.mmap_rnd_bits=${BITS_MAX} +vm.mmap_rnd_compat_bits=${COMPAT_BITS_MAX}" + +## Write the sysctl.d conf file. +if echo "${SYSCTL}" | tee "$aslr_mmap_config_file" > /dev/null ; then + echo "$0: INFO: Successfully written ASLR map config file: +$aslr_mmap_config_file" + exit 0 +fi + +echo "$0: ERROR: Error writing ASLR map config file: +$aslr_mmap_config_file" >&2 +exit_with_error diff --git a/usr/libexec/security-misc/pam-abort-on-locked-password b/usr/libexec/security-misc/pam-abort-on-locked-password new file mode 100755 index 0000000..35c2dd4 --- /dev/null +++ b/usr/libexec/security-misc/pam-abort-on-locked-password 
@@ -0,0 +1,53 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## This is only a usability feature to avoid needlessly bumping pam_faillock +## counter. This is not a security feature. +## https://forums.whonix.org/t/restrict-root-access/7658/1 + +passwd_bin="$(type -P -- "passwd")" + +if ! test -x "$passwd_bin" ; then + echo "\ +$0: ERROR: passwd_bin \"$passwd_bin\" is not executable. +See https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#passwd" >&2 + ## Identifiable exit codes in case stdout / stderr is not logged in journal. + exit 2 +fi + +if ! passwd_output="$("$passwd_bin" -S -- "$PAM_USER" 2>/dev/null)" ; then + echo "$0: ERROR: user \"$PAM_USER\" does not exist." >&2 + exit 3 +fi + +password_status_field="$(echo "$passwd_output" | cut -d ' ' -f 2)" + +if [ "$password_status_field" = "P" ]; then + true "$0: INFO: user \"$PAM_USER\" has a usable password." +elif [ "$password_status_field" = "NP" ]; then + true "$0: INFO: user \"$PAM_USER\" has no password." +elif [ "$password_status_field" = "L" ]; then + echo "$0: INFO: Password for user \"$PAM_USER\" is locked." + + if [ -f /usr/share/whonix/marker ] || [ -f /usr/share/kicksecure/marker ]; then + if [ "$PAM_USER" = "root" ]; then + echo "$0: ERROR: root account is locked by default. See:" >&2 + echo "https://www.kicksecure.com/wiki/root" >&2 + echo "" >&2 + exit 4 + fi + fi + + ## Should not unconditionally 'exit 1' here. + ## Locked user accounts might have valid sudoers exceptions. + ## https://forums.whonix.org/t/pam-abort-on-locked-password-and-running-privileged-command-from-web-browser/10521 + ## 'exit 1' would be good for usability here because then the user would get + ## faster feedback. A new login attempt would not be needlessly delayed. + exit 0 +else + echo "$0: INFO: Password status field for user \"$PAM_USER\" could not be parsed. Please report this bug." +fi + +exit 0 
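Review bot: in usr/libexec/security-misc/mmap-rnd-bits, CONFIG is taken from ls -1 -t /boot/config-* | head -n 1, that is, the most recently modified config, which need not belong to the kernel that actually boots when several kernels are installed. If that config's CONFIG_ARCH_MMAP_RND_BITS_MAX is higher than what the running kernel accepts, the generated vm.mmap_rnd_bits value may be rejected when the sysctl file is applied. Consider preferring /boot/config-$(uname -r) when it exists and falling back to the newest file otherwise (the chroot case the script already mentions), or document why newest-by-mtime is the intended choice. Parsing ls output also breaks on unusual file names; a glob loop with a -nt comparison avoids that.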
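Review bot: in usr/libexec/security-misc/pam-abort-on-locked-password, every non-zero exit of "$passwd_bin" -S -- "$PAM_USER" is reported as 'user "$PAM_USER" does not exist' and its stderr is discarded with 2>/dev/null, so an unset or empty PAM_USER, or passwd failing for some other reason, produces a misleading message with exit 3. The script also sets none of errexit/nounset, unlike the other scripts in this patch. Suggest guarding PAM_USER the way pam-info does ([[ -v PAM_USER ]] || PAM_USER="") and returning early when it is empty, and keeping passwd's own error text in the message instead of dropping it.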
diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info new file mode 100755 index 0000000..6d772ca --- /dev/null +++ b/usr/libexec/security-misc/pam-info 
@@ -0,0 +1,285 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## To enable debug log, run: +## sudo touch /etc/pam-info-debug +## +## Debug log if enabled can be found in file: +## /root/pam-info-debug.txt + +true "$0: START PHASE 1" + +if test -f /etc/pam-info-debug || test -f /usr/local/etc/pam-info-debug ; then + set -x + exec 5>&1 1>> ~/pam-info-debug.txt + exec 6>&2 2>> ~/pam-info-debug.txt +fi + +true "$0: START PHASE 2" + +set -o errexit +set -o errtrace +set -o pipefail +set -o nounset + +error_handler() { + exit_code="$?" + printf '%s\n' "\ +$0: ERROR: Unexpected error. +BASH_COMMAND: '$BASH_COMMAND' +exit_code: '$exit_code' +ERROR: Please report this bug." >&2 + exit 1 +} + +trap error_handler ERR + +if ! printf '%s\n' "" | wc -l >/dev/null ; then + printf '%s\n' "\ +$0: ERROR: command 'wc' test failed! Do not ignore this! + +'wc' can core dump. Example: +zsh: illegal hardware instruction (core dumped) wc -l +https://github.com/rspamd/rspamd/issues/5137" >&2 + exit 1 +fi + +command -v str_replace &>/dev/null + +## Named constants. +pam_faillock_state_dir="/var/lib/security-misc/faillock" + +[[ -v PAM_USER ]] || PAM_USER="" +[[ -v SUDO_USER ]] || SUDO_USER="" + +## Debugging. +who_ami="$(whoami)" +true "$0: who_ami: $who_ami" +true "$0: PAM_USER: $PAM_USER" +true "$0: SUDO_USER: $SUDO_USER" + +if [ "$PAM_USER" = "" ]; then + true "$0: ERROR: Environment variable PAM_USER is unset!" + exit 0 +fi + +grep_result="$(grep -- "accessfile=/etc/security/access-security-misc.conf" /etc/pam.d/common-account 2>/dev/null)" || true + +## Check if grep matched something. +if [ ! "$grep_result" = "" ]; then + ## Yes, grep matched. + + ## Check if not out commented. + if ! printf '%s\n' "$grep_result" | grep --quiet -- "#" ; then + ## Not out commented indeed. 
+ + ## https://forums.whonix.org/t/etc-security-hardening-console-lockdown/8592 + + console_allowed="" + if id --name --groups --zero -- "$PAM_USER" | grep --quiet --null-data --line-regexp --fixed-strings -- "console"; then + console_allowed=true + fi + if id --name --groups --zero -- "$PAM_USER" | grep --quiet --null-data --line-regexp --fixed-strings -- "console-unrestricted"; then + console_allowed=true + fi + + if [ ! "$console_allowed" = "true" ]; then + printf '%s\n' "\ +$0: ERROR: PAM_USER: '$PAM_USER' is not a member of group 'console' +To unlock, run the following command as superuser: +(If you still have a sudo/root shell somewhere.) + +adduser $PAM_USER console + +However, possibly unlock procedure is required. +First boot into recovery mode at grub boot menu and then run above command. +See also: +https://www.kicksecure.com/wiki/root#console +" >&2 + exit 0 + fi + fi +fi + +if [ "$PAM_USER" = 'sysmaint' ]; then + sysmaint_passwd_info="$(passwd --status sysmaint 2>/dev/null)" || true + sysmaint_lock_info="$(cut -d' ' -f2 <<< "${sysmaint_passwd_info}")" + if [ "${sysmaint_lock_info}" = 'L' ]; then + printf '%s\n' "$0: ERROR: Reboot and choose 'PERSISTENT Mode - SYSMAINT Session' for system maintenance. See https://www.kicksecure.com/wiki/Sysmaint" >&2 + fi +fi + +kernel_cmdline="" +if test -f /proc/cmdline; then + kernel_cmdline="$(cat -- /proc/cmdline)" +fi + +if [ "$PAM_USER" != 'sysmaint' ]; then + if [[ "${kernel_cmdline}" =~ 'boot-role=sysmaint' ]]; then + printf '%s\n' "$0: WARNING: Use account 'sysmaint' for system maintenance. See https://www.kicksecure.com/wiki/Sysmaint" >&2 + fi +fi + +## https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698 + +## Does not work (yet) for login, pam_securetty runs before and aborts. +## Also this should only run for login since securetty covers only login. 
+# if [ "$PAM_USER" = "root" ]; then +# if [ -f /etc/securetty ]; then +# grep_result="$(grep -- "^[^#]" /etc/securetty)" +# if [ "$grep_result" = "" ]; then +# printf '%s\n' "\ +# $0: ERROR: Root login is disabled. +# ERROR: This is because file '/etc/securetty' is empty. +# See also: +# https://www.kicksecure.com/wiki/root#login +# " >&2 +# exit 0 +# fi +# fi +# fi + +## under account "user" +## /usr/sbin/faillock -u user +## faillock: Error opening /var/log/tallylog for update: Permission denied +## /usr/sbin/faillock: Authentication error +## +## xscreensaver runs under account "user", therefore pam_faillock cannot function. +## xscreensaver has its own failed login counter. +## +## https://askubuntu.com/questions/983183/how-lock-the-unlock-screen-after-wrong-password-attempts +## +## https://web.archive.org/web/20200919221439/https://www.whonix.org/pipermail/whonix-devel/2019-September/001439.html +## +## Checking exit code to avoid breaking when read-only disk boot but +## without ro-mode-init or grub-live being used. +## +## end-of-options ("--") unsupported by faillock. +if ! pam_faillock_output="$(faillock --dir "$pam_faillock_state_dir" --user "$PAM_USER")" ; then + true "$0: faillock non-zero exit code." + exit 0 +fi + +if [ "$pam_faillock_output" = "" ]; then + true "$0: no failed login" + exit 0 +fi + +## example pam_faillock_output (stdout): +## user: +## When Type Source Valid +## 2021-08-10 16:26:33 RHOST V +## 2021-08-10 16:26:54 RHOST V + +## example pam_faillock_output (stderr): +## faillock: No user name supplied. +## Usage: faillock [--dir /path/to/tally-directory] [--user username] [--reset] + +## Get first line. 
+#pam_faillock_output_first_line="$(printf '%s\n' "$pam_faillock_output" | head --lines=1)" +while read -t 10 -r pam_faillock_output_first_line ; do + break +done <<< "$pam_faillock_output" + +true "pam_faillock_output_first_line: '$pam_faillock_output_first_line'" +## example pam_faillock_output_first_line: +## user: + +user_name="$(printf '%s\n' "$pam_faillock_output_first_line" | str_replace ":" "")" +## example user_name: +## user +## root + +if [ "$PAM_USER" != "$user_name" ]; then + printf '%s\n' "\ +$0: ERROR: Variable 'PAM_USER' '$PAM_USER' does not match variable 'user_name' '$user_name'. +ERROR: Please report this bug. +" >&2 + exit 1 +fi + +pam_faillock_output_count="$(printf '%s\n' "$pam_faillock_output" | wc -l)" +## example pam_faillock_output_count: +## 2 +## example pam_faillock_output_count: +## 4 + +if [[ "$pam_faillock_output_count" == *[!0-9]* ]]; then + printf '%s\n' "\ +$0: ERROR: Variable 'pam_faillock_output_count' is not numeric. pam_faillock_output_count: '$pam_faillock_output_count' +ERROR: Please report this bug. +" >&2 + exit 0 +fi + +## Do not count the first two informational textual output lines (starting with "user:" and "When") if present, +failed_login_counter=$(( pam_faillock_output_count - 2 )) + +## example failed_login_counter: +## 2 + +## Ensuring failed_login_counter is not set to a negative value. +## https://github.com/Kicksecure/security-misc/pull/305 +if [ "$failed_login_counter" -lt "0" ]; then + true "$0: WARNING: Failed login counter is negative. Resetting to 0." + failed_login_counter=0 +fi + +if [ "$failed_login_counter" = "0" ]; then + true "$0: INFO: Failed login counter is 0, ok." + exit 0 +fi + +## pam_faillock default if it cannot be determined below. 
+deny=3 + +if test -f /etc/security/faillock.conf ; then + deny_line=$(grep --invert-match "#" -- /etc/security/faillock.conf | grep -- "deny =") || true + deny="$(printf '%s\n' "$deny_line" | str_replace "=" "" | str_replace "deny" "" | str_replace " " "")" + ## Example: + #deny=50 +fi + +if [[ "$deny" == *[!0-9]* ]]; then + printf '%s\n' "\ +$0: ERROR: Variable 'deny' is not numeric. deny: '$deny' +ERROR: Please report this bug. +" >&2 + exit 0 +fi + +remaining_attempts="$(( deny - failed_login_counter ))" + +if [ "$remaining_attempts" -le "0" ]; then + printf '%s\n' "\ +$0: ERROR: Login blocked after $failed_login_counter attempts. +To unlock, run the following command as superuser: +(If you still have a sudo/root shell somewhere.) + +faillock --dir $pam_faillock_state_dir --reset --user $PAM_USER + +However, most likely unlock procedure is required. +First boot into recovery mode at grub boot menu and then run above command. +See also: +https://www.kicksecure.com/wiki/root#unlock +" >&2 + exit 0 +fi + +printf '%s\n' "\ +$0: WARNING: $failed_login_counter failed login attempts for account '$user_name'. +Login will be blocked after $deny attempts. +You have $remaining_attempts more attempts before unlock procedure is required. +" >&2 + +if [ "$PAM_SERVICE" = "su" ]; then + printf '%s\n' "\ +$0: NOTE: Type the password. When entering the password, no password feedback (no asterisk (\"*\") symbol) will be shown. +" >&2 +fi + +true "$0: END" + +exit 0 diff --git a/usr/libexec/security-misc/pam_faillock_not_if_x b/usr/libexec/security-misc/pam_faillock_not_if_x new file mode 100755 index 0000000..433dca8 --- /dev/null +++ b/usr/libexec/security-misc/pam_faillock_not_if_x 
@@ -0,0 +1,40 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## https://serverfault.com/questions/134471/success-n-control-syntax-in-pam-conf-pam-d-files + +set -x + +true "PAM_SERVICE: $PAM_SERVICE" + +## PAM configuration notes +## +## success=$num +## "will specify how many rules to skip when successful." +## https://serverfault.com/questions/134471/success-n-control-syntax-in-pam-conf-pam-d-files +## +## ignore +## "when used with a stack of modules, the module's return status will not contribute to the return code the application obtains." +## http://www.linux-pam.org/Linux-PAM-html/sag-configuration-file.html + +## - Failed dovecot ssh logins from malicious remotes should not result in account getting locked. +## This list can later be extended as needed. +pam_service_exclusion_list="dovecot sshd" + +for pam_service_exclusion_item in $pam_service_exclusion_list ; do + if [ "$PAM_SERVICE" = "$pam_service_exclusion_item" ]; then + ## exit success so [success=1 default=ignore] will result in skipping the + ## next PAM module (the pam_faillock module). + exit 0 + fi +done + +## exit failure so [success=1 default=ignore] will result in running the +## next PAM module (the pam_faillock module). +## +## Causes confusing error message: +## pam_exec(sudo:auth): /usr/libexec/security-misc/pam_faillock_not_if_x failed: exit code 1 +## https://github.com/linux-pam/linux-pam/issues/329 +exit 1 diff --git a/usr/lib/security-misc/pam_only_if_login b/usr/libexec/security-misc/pam_only_if_login similarity index 71% rename from usr/lib/security-misc/pam_only_if_login rename to usr/libexec/security-misc/pam_only_if_login index 51b6d80..568f037 100755 --- a/usr/lib/security-misc/pam_only_if_login +++ b/usr/libexec/security-misc/pam_only_if_login 
@@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## https://serverfault.com/questions/134471/success-n-control-syntax-in-pam-conf-pam-d-files @@ -12,7 +12,7 @@ true "PAM_SERVICE: $PAM_SERVICE" if [ "$PAM_SERVICE" = "login" ]; then ## FIXME: ## Creates unwanted journal log entry. - ## pam_exec(login:account): /usr/lib/security-misc/pam_only_if_login failed: exit code 1 + ## pam_exec(login:account): /usr/libexec/security-misc/pam_only_if_login failed: exit code 1 exit 1 else ## exit success so [success=1 default=ignore] will result in skipping the diff --git a/usr/libexec/security-misc/pam_only_if_su b/usr/libexec/security-misc/pam_only_if_su new file mode 100755 index 0000000..604510f --- /dev/null +++ b/usr/libexec/security-misc/pam_only_if_su @@ -0,0 +1,17 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Similar to: +## /usr/libexec/security-misc/pam_only_if_login + +set -x + +true "PAM_SERVICE: $PAM_SERVICE" + +if [ "$PAM_SERVICE" = "su" ]; then + exit 1 +else + exit 0 +fi diff --git a/usr/libexec/security-misc/panic-on-oops b/usr/libexec/security-misc/panic-on-oops new file mode 100755 index 0000000..749eb3c --- /dev/null +++ b/usr/libexec/security-misc/panic-on-oops 
@@ -0,0 +1,23 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +set -e + +if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then + ## pre.bsh would `source` the following folders: + ## /etc/panic-on-oops_pre.d/*.conf + ## /usr/local/etc/panic-on-oops_pre.d/*.conf + source /usr/libexec/helper-scripts/pre.bsh +fi + +## Makes the kernel panic on oopses and warnings. This prevents the +## kernel from continuing to run a flawed processes. Many kernel +## exploits will also cause an oops, these settings will make the +## kernel kill the offending processes. +#sysctl kernel.panic=-1 +sysctl kernel.panic_on_oops=1 +sysctl kernel.panic_on_warn=1 +#sysctl kernel.oops_limit=1 +#sysctl kernel.warn_limit=1 diff --git a/usr/libexec/security-misc/permission-lockdown b/usr/libexec/security-misc/permission-lockdown new file mode 100755 index 0000000..19fbe89 --- /dev/null +++ b/usr/libexec/security-misc/permission-lockdown 
@@ -0,0 +1,62 @@ +#!/bin/bash + +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Doing this for all users would create many issues. +# /usr/libexec/security-misc/permission-lockdown: user: root | chmod o-rwx "/root" +# /usr/libexec/security-misc/permission-lockdown: user: daemon | chmod o-rwx "/usr/sbin" +# /usr/libexec/security-misc/permission-lockdown: user: bin | chmod o-rwx "/bin" +# /usr/libexec/security-misc/permission-lockdown: user: sys | chmod o-rwx "/dev" +# /usr/libexec/security-misc/permission-lockdown: user: sync | chmod o-rwx "/bin" +# /usr/libexec/security-misc/permission-lockdown: user: games | chmod o-rwx "/usr/games" +# /usr/libexec/security-misc/permission-lockdown: user: man | chmod o-rwx "/var/cache/man" +# /usr/libexec/security-misc/permission-lockdown: user: mail | chmod o-rwx "/var/mail" +# /usr/libexec/security-misc/permission-lockdown: user: proxy | chmod o-rwx "/bin" +# /usr/libexec/security-misc/permission-lockdown: user: backup | chmod o-rwx "/var/backups" +# /usr/libexec/security-misc/permission-lockdown: user: systemd-timesync | chmod o-rwx "/run/systemd" +# /usr/libexec/security-misc/permission-lockdown: user: systemd-network | chmod o-rwx "/run/systemd/netif" +# /usr/libexec/security-misc/permission-lockdown: user: messagebus | chmod o-rwx "/var/run/dbus" +# /usr/libexec/security-misc/permission-lockdown: user: tinyproxy | chmod o-rwx "/run/tinyproxy" +# /usr/libexec/security-misc/permission-lockdown: user: rtkit | chmod o-rwx "/proc" +# /usr/libexec/security-misc/permission-lockdown: user: colord | chmod o-rwx "/var/lib/colord" +# /usr/libexec/security-misc/permission-lockdown: user: Debian-exim | chmod o-rwx "/var/spool/exim4" +# /usr/libexec/security-misc/permission-lockdown: user: debian-tor | chmod o-rwx "/var/lib/tor" +# /usr/libexec/security-misc/permission-lockdown: user: stunnel4 | chmod o-rwx "/var/run/stunnel4" +# /usr/libexec/security-misc/permission-lockdown: 
user: iodine | chmod o-rwx "/var/run/iodine" +# /usr/libexec/security-misc/permission-lockdown: user: apt-cacher-ng | chmod o-rwx "/var/cache/apt-cacher-ng" +# /usr/libexec/security-misc/permission-lockdown: user: approx | chmod o-rwx "/var/cache/approx" +# /usr/libexec/security-misc/permission-lockdown: user: statd | chmod o-rwx "/var/lib/nfs" +# /usr/libexec/security-misc/permission-lockdown: user: timidity | chmod o-rwx "/etc/timidity" +# /usr/libexec/security-misc/permission-lockdown: user: uuidd | chmod o-rwx "/run/uuidd" +# /usr/libexec/security-misc/permission-lockdown: user: _rpc | chmod o-rwx "/run/rpcbind" +# /usr/libexec/security-misc/permission-lockdown: user: geoclue | chmod o-rwx "/var/lib/geoclue" + +home_folder_access_rights_lockdown() { + mkdir --parents /var/cache/security-misc/state-files + local user + for user in $(dir /home); do ## lists directories only + if [ -f "/var/cache/security-misc/state-files/$user" ]; then + continue + fi + folder_name="/home/$user" + ## chmod: + ## The 'g' for 'group' is not needed. + ## Debian by default uses USERGROUPS=yes in /etc/adduser.conf. + ## The group which the user is being added to has the same name as the user. + ## If the username is user then the name of the group is also user. + ## Some background information here: + ## https://unix.stackexchange.com/questions/156473/reasons-behind-the-default-groups-and-users-on-linux + ## In short, this is useful for "file sharing". A if user1 wants to share data with user2 the command + ## required to run is sudo addgroup user1 user2. + ## See also: user private groups UPGs + ## https://wiki.debian.org/UserPrivateGroups + echo "$0: chmod o-rwx \"$folder_name\"" + chmod o-rwx "$folder_name" + touch "/var/cache/security-misc/state-files/$user" + done +} + +home_folder_access_rights_lockdown + +exit 0 diff --git a/usr/libexec/security-misc/remove-system.map b/usr/libexec/security-misc/remove-system.map new file mode 100755 index 0000000..5b75f6d --- /dev/null 
+++ b/usr/libexec/security-misc/remove-system.map @@ -0,0 +1,42 @@ +#!/bin/bash + +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then + ## pre.bsh would `source` the following folders: + ## /etc/remove-system.map_pre.d/*.conf + ## /usr/local/etc/remove-system.map_pre.d/*.conf + source /usr/libexec/helper-scripts/pre.bsh +fi + +shopt -s nullglob + +system_map_location="/boot/System.map* /usr/src/*/System.map* /lib/modules/*/*/System.map* /System.map*" + +counter=0 +for filename in ${system_map_location} ; do + counter=$(( counter + 1 )) +done + +if [ "$counter" -ge "1" ]; then + echo "INFO: Deleting system.map files..." +fi + +## Removes the System.map files as they are only used for debugging or malware. +for filename in ${system_map_location} ; do + if [ -f "${filename}" ]; then + if [ -w "${filename}" ]; then + ## 'shred' with '--verbose' is too chatty. (7 lines) + shred --force --zero -u "${filename}" + echo "INFO: removed '${filename}'" + else + echo "NOTE: Cannot delete '${filename}' - read-only. For details, see: https://www.kicksecure.com/wiki/security-misc#system_map" + exit 0 + fi + fi +done + +if [ "$counter" -ge "1" ]; then + echo "INFO: Done. Success." +fi diff --git a/usr/lib/security-misc/virusforget b/usr/libexec/security-misc/virusforget similarity index 98% rename from usr/lib/security-misc/virusforget rename to usr/libexec/security-misc/virusforget index 7081737..a5cb3ea 100755 --- a/usr/lib/security-misc/virusforget +++ b/usr/libexec/security-misc/virusforget @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## VirusForget is inspired by Christopher Laprise. 
@@ -29,7 +29,7 @@ root_check() { parse_cmd_options() { ## Thanks to: - ## http://mywiki.wooledge.org/BashFAQ/035 + ## https://mywiki.wooledge.org/BashFAQ/035 while : do diff --git a/usr/share/doc/security-misc/fstab-vm b/usr/share/doc/security-misc/fstab-vm new file mode 100644 index 0000000..e02a087 --- /dev/null +++ b/usr/share/doc/security-misc/fstab-vm @@ -0,0 +1,40 @@ +# + +/dev/disk/by-uuid/26ada0c0-1165-4098-884d-aafd2220c2c6 / auto nofail,defaults,errors=remount-ro 0 1 + +proc /proc proc nofail,defaults 0 0 + +/dev /dev devtmpfs nofail,bind,remount,nosuid,noexec 0 0 +#udev /dev devtmpfs defaults,nosuid,noexec 0 0 + +## noexec optional +/dev/shm /dev/shm tmpfs nofail,nosuid,nodev,noexec 0 0 +#tmpfs /dev/shm tmpfs defaults,nosuid,nodev,noexec 0 0 + +## nodev,nosuid,noexec as per: +## https://www.debian.org/doc/manuals/securing-debian-manual/ch04s10.en.html +## Commented out by default to prevent warning: +## mount: /mnt/cdrom: mount point does not exist. +#/dev/cdrom /mnt/cdrom iso9660 nofail,ro,users,nodev,nosuid,noexec 0 0 + +/boot /boot none nofail,bind,nosuid,nodev,noexec 0 0 + +## noexec optional +/tmp /tmp tmpfs nofail,bind,nosuid,nodev,noexec 0 0 +#tmpfs /tmp tmpfs defaults,nodev,nosuid,noexec 0 0 + +/var /var none nofail,bind,nosuid,nodev 0 0 + +## noexec optional +/var/tmp /var/tmp none nofail,bind,nosuid,nodev,noexec 0 0 + +/var/log /var/log none nofail,bind,nosuid,nodev,noexec 0 0 + +## noexec optional +/run /run none nofail,bind,nosuid,nodev,noexec 0 0 + +## noexec optional +/home /home none nofail,bind,nosuid,nodev,noexec 0 0 + +## TODO: +#/sys diff --git a/usr/share/glib-2.0/schemas/30_security-misc.gschema.override b/usr/share/glib-2.0/schemas/30_security-misc.gschema.override index 2ee9098..2f56805 100644 --- a/usr/share/glib-2.0/schemas/30_security-misc.gschema.override +++ b/usr/share/glib-2.0/schemas/30_security-misc.gschema.override 
@@ -1,2 +1,5 @@ +## Copyright (C) 2017 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + [org.gnome.nautilus.preferences] show-image-thumbnails="never" diff --git a/usr/share/lintian/overrides/security-misc b/usr/share/lintian/overrides/security-misc index 3217d4b..26c3c70 100644 --- a/usr/share/lintian/overrides/security-misc +++ b/usr/share/lintian/overrides/security-misc @@ -1,11 +1,17 @@ -## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## The whole point of the package. -security-misc: package-contains-file-in-etc-skel etc/skel/.config/* +security-misc: package-contains-file-in-etc-skel [etc/skel/*] ## Wrapper script. -security-misc: binary-without-manpage usr/bin/pkexec.security-misc +security-misc: no-manual-page [usr/bin/pkexec.security-misc] ## Non-ideal but still a good solution. -security-misc: file-in-unusual-dir var/cache/security-misc/state-files/placeholder +security-misc: file-in-unusual-dir [var/cache/security-misc/state-files/placeholder] + +## False-positive. Just a comment mentioning dpkg's folder. +security-misc: uses-dpkg-database-directly [usr/bin/remount-secure] + +## Special target to make sure this runs as non-parallelized as possible to avoid race conditions. +security-misc: systemd-service-file-refers-to-unusual-wantedby-target sysinit-post.target [usr/lib/systemd/system/remount-secure.service] diff --git a/usr/share/pam-configs/console-lockdown-security-misc b/usr/share/pam-configs/console-lockdown-security-misc index 61fec78..df57a85 100644 --- a/usr/share/pam-configs/console-lockdown-security-misc +++ b/usr/share/pam-configs/console-lockdown-security-misc 
@@ -3,5 +3,5 @@ Default: no Priority: 280 Account-Type: Primary Account: - [success=1 default=ignore] pam_exec.so seteuid quiet /usr/lib/security-misc/pam_only_if_login + [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_only_if_login required pam_access.so accessfile=/etc/security/access-security-misc.conf debug diff --git a/usr/share/pam-configs/faillock-preauth-security-misc b/usr/share/pam-configs/faillock-preauth-security-misc new file mode 100644 index 0000000..f72826c --- /dev/null +++ b/usr/share/pam-configs/faillock-preauth-security-misc @@ -0,0 +1,8 @@ +Name: lock accounts after 50 failed authentication attempts (preauth component) (by package security-misc) +Default: yes +Priority: 1024 +Auth-Type: Primary +Auth: + optional pam_exec.so debug stdout seteuid /usr/libexec/security-misc/pam-info + [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_faillock_not_if_x + required pam_faillock.so preauth diff --git a/usr/share/pam-configs/pam-abort-on-locked-password-security-misc b/usr/share/pam-configs/pam-abort-on-locked-password-security-misc index 7298601..4d2ffa2 100644 --- a/usr/share/pam-configs/pam-abort-on-locked-password-security-misc +++ b/usr/share/pam-configs/pam-abort-on-locked-password-security-misc @@ -3,4 +3,4 @@ Default: yes Priority: 300 Auth-Type: Primary Auth: - requisite pam_exec.so debug stdout seteuid /usr/lib/security-misc/pam-abort-on-locked-password + requisite pam_exec.so debug stdout seteuid /usr/libexec/security-misc/pam-abort-on-locked-password diff --git a/usr/share/pam-configs/tally2-security-misc b/usr/share/pam-configs/tally2-security-misc deleted file mode 100644 index 9638d26..0000000 --- a/usr/share/pam-configs/tally2-security-misc +++ /dev/null 
@@ -1,10 +0,0 @@ -Name: lock accounts after 50 failed authentication attempts (by package security-misc) -Default: yes -Priority: 290 -Auth-Type: Primary -Auth: - optional pam_exec.so debug stdout seteuid /usr/lib/security-misc/pam_tally2-info - requisite pam_tally2.so even_deny_root deny=50 onerr=fail audit debug -Account-Type: Primary -Account: - requisite pam_tally2.so debug diff --git a/usr/share/pam-configs/umask-security-misc b/usr/share/pam-configs/umask-security-misc new file mode 100644 index 0000000..b29e433 --- /dev/null +++ b/usr/share/pam-configs/umask-security-misc @@ -0,0 +1,9 @@ +Name: Restrict umask to 027 for non-root users (by package security-misc) +Default: yes +Priority: 100 +Session-Type: Additional +Session: + [success=1 default=ignore] pam_succeed_if.so uid eq 0 + optional pam_umask.so umask=027 + [success=1 default=ignore] pam_succeed_if.so uid ne 0 + optional pam_umask.so umask=022 diff --git a/usr/share/pam-configs/unix-faillock-security-misc b/usr/share/pam-configs/unix-faillock-security-misc new file mode 100644 index 0000000..876ffa8 --- /dev/null +++ b/usr/share/pam-configs/unix-faillock-security-misc 
@@ -0,0 +1,20 @@ +Name: Unix authentication with faillock (by package security-misc) +Default: yes +Priority: 384 +Auth-Type: Primary +Auth: + [success=3 default=ignore] pam_unix.so nullok try_first_pass + [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_faillock_not_if_x + [default=die] pam_faillock.so authfail + requisite pam_deny.so + [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_faillock_not_if_x + optional pam_faillock.so authsucc + required pam_permit.so +Auth-Initial: + [success=3 default=ignore] pam_unix.so nullok + [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_faillock_not_if_x + [default=die] pam_faillock.so authfail + requisite pam_deny.so + [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_faillock_not_if_x + optional pam_faillock.so authsucc + required pam_permit.so diff --git a/usr/share/pam-configs/wheel-security-misc b/usr/share/pam-configs/wheel-security-misc index 323ff72..eb8a9df 100644 --- a/usr/share/pam-configs/wheel-security-misc +++ b/usr/share/pam-configs/wheel-security-misc @@ -1,6 +1,7 @@ Name: group sudo membership required to use su (by package security-misc) Default: yes -Priority: 280 +Priority: 1050 Auth-Type: Primary Auth: + [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_only_if_su requisite pam_wheel.so group=sudo debug diff --git a/usr/share/security-misc/dolphinrc b/usr/share/security-misc/dolphinrc index 8683121..9028487 100644 --- a/usr/share/security-misc/dolphinrc +++ b/usr/share/security-misc/dolphinrc @@ -1,6 +1,5 @@ -## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions [PreviewSettings] Plugins= - 
diff --git a/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf b/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf new file mode 100644 index 0000000..150e06b --- /dev/null +++ b/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf @@ -0,0 +1,30 @@ +## Copyright (C) 2021 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## LKRG VirtualBox host configuration + +## DO NOT EDIT THIS FILE /etc/sysctl.d/30-lkrg-dkms.conf AS EDITS WILL BE LOST! +## This is an auto generated file. + +## Please use "/etc/sysctl.d/50-user.conf" for your custom +## configuration, which will override the defaults found here. + +## gets copied from: +## /usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf +## to: +## /etc/sysctl.d/30-lkrg-virtualbox.conf +## by package security-misc, files: +## /usr/share/security-misc/lkrg/lkrg-virtualbox +## /usr/lib/systemd/system/lkrg.service.d/40-virtualbox.conf + +## https://forums.whonix.org/t/linux-kernel-runtime-guard-lkrg-linux-kernel-runtime-integrity-checking-and-exploit-detection/8477/32 +## https://www.openwall.com/lists/lkrg-users/2020/01/24/2 +## https://www.openwall.com/lists/lkrg-users/2020/01/25/2 +## https://github.com/openwall/lkrg/issues/82 +## https://github.com/openwall/lkrg/blob/main/scripts/bootup/lkrg.conf +## https://github.com/openwall/lkrg/blob/main/scripts/bootup/systemd/lkrg.service +## /etc/sysctl.d/30-lkrg-dkms.conf +## /usr/lib/systemd/system/lkrg.service + +## https://github.com/openwall/lkrg/issues/82#issuecomment-886188999 +lkrg.pcfi_validate = 1 diff --git a/usr/share/security-misc/lkrg/lkrg-virtualbox b/usr/share/security-misc/lkrg/lkrg-virtualbox new file mode 100755 index 0000000..4e1754c --- /dev/null +++ b/usr/share/security-misc/lkrg/lkrg-virtualbox 
@@ -0,0 +1,35 @@ +#!/bin/bash + +## Copyright (C) 2021 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +#set -x +set -e + +## provides function: pkg_installed +source /usr/libexec/helper-scripts/package_installed_check.bsh + +## Check if the VirtualBox host software is installed. +if ! command -v vboxmanage &>/dev/null ; then + ## VirtualBox host software is not installed. + if test -f /etc/sysctl.d/30-lkrg-virtualbox.conf ; then + ## Delete using '--verbose' so user is notified. + rm --force --verbose /etc/sysctl.d/30-lkrg-virtualbox.conf + fi + exit 0 +fi + +if ! test -d /etc/sysctl.d ; then + exit 0 +fi + +if ! test -f /usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf ; then + exit 0 +fi + +if ! pkg_installed "lkrg" ; then + exit 0 +fi + +## Delete using '--verbose' so user is notified. +cp --verbose /usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf /etc/sysctl.d/30-lkrg-virtualbox.conf diff --git a/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded b/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded new file mode 100644 index 0000000..d40c552 --- /dev/null +++ b/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded 
@@ -0,0 +1,36 @@ +root root 644 /etc/passwd- +root root 755 /etc/cron.monthly +root root 755 /etc/sudoers.d +root shadow 2755 /usr/bin/expiry +root root 4755 /usr/bin/umount +root root 4755 /usr/bin/gpasswd +root root 755 /usr/lib/modules +root root 644 /etc/issue.net +root root 644 /etc/group- +root root 4755 /usr/bin/newgrp +root root 755 /etc/cron.weekly +root root 644 /etc/hosts.deny +root root 4755 /usr/bin/su +root root 644 /etc/hosts.allow +root root 700 /root +root root 755 /etc/cron.daily +root root 755 /bin/ping +root root 777 /etc/motd.kicksecure +root root 777 /etc/motd.whonix +root root 755 /boot +root root 755 /home +root shadow 2755 /usr/bin/chage +root root 4755 /usr/bin/chsh +root root 4755 /usr/bin/passwd +root root 4755 /usr/bin/chfn +root root 644 /etc/group +root root 755 /etc/permission-hardener.d +root root 644 /etc/passwd +root root 755 /usr/src +root root 4755 /usr/bin/mount +root root 777 /etc/issue.kicksecure +root root 777 /etc/issue.whonix +root root 755 /etc/cron.d +root root 4755 /usr/bin/sudo +root root 4755 /usr/bin/pkexec +root root 4755 /usr/lib/polkit-1/polkit-agent-helper-1 diff --git a/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded b/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded new file mode 100644 index 0000000..d1b3a80 --- /dev/null +++ b/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded 
@@ -0,0 +1,26 @@ +root root 700 /etc/cron.monthly +root root 700 /etc/sudoers.d +root shadow 744 /usr/bin/expiry +root root 755 /usr/bin/umount +root root 744 /usr/bin/gpasswd +root root 700 /usr/lib/modules +root root 744 /usr/bin/newgrp +root root 700 /etc/cron.weekly +root root 744 /usr/bin/su +root root 700 /etc/cron.daily +root root 755 /bin/ping +root root 644 /etc/motd.kicksecure +root root 644 /etc/motd.whonix +root _ssh 744 /usr/bin/ssh-agent +root root 700 /boot +root shadow 744 /usr/bin/chage +root root 744 /usr/lib/openssh/ssh-keysign +root root 744 /usr/bin/chsh +root root 755 /usr/bin/passwd +root root 744 /usr/bin/chfn +root root 600 /etc/permission-hardener.d +root root 700 /usr/src +root root 755 /usr/bin/mount +root root 644 /etc/issue.kicksecure +root root 644 /etc/issue.whonix +root root 700 /etc/cron.d
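Review bot: in the pam-info script, the `deny` lookup can replace the fallback `deny=3` with an empty string. When /etc/security/faillock.conf exists but has no uncommented line containing "deny =", `deny_line` is empty and `deny` is reassigned from it. The numeric check `[[ "$deny" == *[!0-9]* ]]` does not catch an empty value, and `$(( deny - failed_login_counter ))` then evaluates `deny` as 0, so the user is told "Login blocked" after the first recorded failure. Suggest assigning `deny` only when the parsed value is non-empty, and anchoring the match so that a line written as `deny=50` (no spaces) is also found. Separately, `[ "$PAM_SERVICE" = "su" ]` near the end runs under `set -o nounset` without the `[[ -v ... ]] ||` guard that PAM_USER and SUDO_USER get, so an unset PAM_SERVICE ends in error_handler with exit 1.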
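Review bot: in pam_faillock_not_if_x, the comment above `pam_service_exclusion_list="dovecot sshd"` should spell out the full consequence of the exclusion. With `[success=1 default=ignore]` in front of every pam_faillock line in the pam-configs of this patch, exit 0 skips `preauth`, `authfail` and `authsucc` alike, so for these two services failures are not counted and an existing lock is not enforced. Please state in the comment which control is expected to limit password guessing on sshd and dovecot instead. Style: `set -x` is unconditional here while pam-info gates tracing on /etc/pam-info-debug, and the unquoted `for ... in $pam_service_exclusion_list` would read better as a bash array.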
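Review bot: in the new pam_only_if_su, the exit codes are inverted relative to what the name suggests (`exit 1` when PAM_SERVICE is su, `exit 0` otherwise) and nothing in the file explains why. pam_only_if_login carries the comment about `[success=1 default=ignore]` skipping the next module; "Similar to:" is not enough for someone reading this file alone, so please copy that explanation here. `set -x` is also unconditional, same as in pam_faillock_not_if_x.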
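Review bot: in panic-on-oops, the comment block above the sysctl calls contradicts itself. It opens with "Makes the kernel panic on oopses and warnings" and ends with "these settings will make the kernel kill the offending processes", but `kernel.panic_on_oops=1` and `kernel.panic_on_warn=1` halt the whole system rather than killing one process. Please reword the comment to say that, fix "a flawed processes", and note what happens after the panic given that `#sysctl kernel.panic=-1` is left commented out.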
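Review bot: in permission-lockdown, `for user in $(dir /home); do ## lists directories only` does not do what the comment says. `dir` lists every entry in /home, not only directories, and the unquoted command substitution splits names on whitespace, so `chmod o-rwx "/home/$user"` can be applied to a regular file or to a path that does not exist. Suggest iterating over a glob such as `/home/*/` and testing `[ -d ]` (and skipping symlinks) before the chmod. `folder_name` should also be declared `local` alongside `user`.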
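Review bot: in remove-system.map, the `exit 0` in the `else` branch of the `[ -w "${filename}" ]` test ends the script at the first non-writable file, so any later System.map matches in `system_map_location` are never examined and the "INFO: Deleting system.map files..." banner is left without a closing message. Suggest `continue` there and reporting the skipped files once after the loop. The first loop exists only to count glob matches; an array assignment with `nullglob` already set would give the count directly.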
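Review bot: in usr/share/doc/security-misc/fstab-vm, the root entry pins `/dev/disk/by-uuid/26ada0c0-1165-4098-884d-aafd2220c2c6`, which matches one specific image only. Since this ships as documentation, add a comment saying the UUID is an example that must be replaced, or the file will be copied verbatim. The first line is a bare `#`; if it was meant to be the usual column header, please restore it. The "## noexec optional" remarks would also be clearer if each said what breaks when noexec is kept.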
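Review bot: in faillock-preauth-security-misc, the `Name:` line promises "after 50 failed authentication attempts" but `required pam_faillock.so preauth` carries no `deny=` argument, and pam-info in this same patch falls back to `deny=3` when it cannot read a value. The number in the name will drift from whatever /etc/security/faillock.conf says. Suggest dropping the figure from the name or pointing to the file that sets it.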
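Review bot: the deleted tally2-security-misc passed `even_deny_root deny=50 onerr=fail audit` on the module line, and none of the pam_faillock lines added in this patch carry arguments beyond `preauth`, `authfail` and `authsucc`. Please confirm in the commit message where the equivalents of `even_deny_root` and `audit` are now set, since that file is not visible in this part of the diff. The removed stanza also had an `Account:` section with no counterpart in the new faillock profiles; say whether that is intentional.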
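Review bot: in umask-security-misc, the `Name:` says "Restrict umask to 027 for non-root users" but the last two lines also set `umask=022` for uid 0, which the name does not mention. Either describe both in the name or drop the root pair if the default is already 022. The two `pam_succeed_if.so` lines lack `quiet`, so one of them logs a failed requirement on every session.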
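Review bot: in unix-faillock-security-misc, the control flow depends entirely on relative jump counts (`[success=3 default=ignore]` on pam_unix.so, then `[success=1 default=ignore]` twice) and nothing records which module each jump lands on. Inserting or removing one line silently changes whether `pam_deny.so` or `pam_permit.so` is reached. Please document the intended path for the four cases (password ok or wrong, service excluded or not) next to this profile. `Auth:` and `Auth-Initial:` differ only by `try_first_pass`; a note saying so would help the next reader diff them.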
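Review bot: in wheel-security-misc, the change `-Priority: 280` / `+Priority: 1050` has no explanation. The new value places `requisite pam_wheel.so group=sudo debug` above faillock-preauth-security-misc (Priority 1024), so for su the group check now runs before pam-info and `pam_faillock.so preauth`. If that ordering is the reason, say so in the commit message. The `Name:` should also mention that the check is now limited to su through pam_only_if_su.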
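Review bot: in 30-lkrg-virtualbox.conf, the header warns "DO NOT EDIT THIS FILE /etc/sysctl.d/30-lkrg-dkms.conf", but the file described a few lines further down is installed as /etc/sysctl.d/30-lkrg-virtualbox.conf. This looks copied from the dkms file; please correct the path so the warning points at the file the user is actually reading. A one-line comment on what `lkrg.pcfi_validate = 1` changes for VirtualBox hosts would save a trip to the linked issue.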
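Review bot: in the lkrg-virtualbox script, `source /usr/libexec/helper-scripts/package_installed_check.bsh` runs under `set -e` before the `vboxmanage` check, so a missing helper aborts the script before the cleanup branch that removes /etc/sysctl.d/30-lkrg-virtualbox.conf. panic-on-oops and remove-system.map guard their helper with `[ -f ... ]`; suggest doing the same here or moving the `source` down to just before `pkg_installed "lkrg"`. The comment above the final `cp --verbose` line still reads "Delete using '--verbose'".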
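Review bot: permission-hardener-existing-mode-legacy-hardcoded has no description of its columns or of what consumes it, and entries such as `root root 777 /etc/motd.kicksecure` and `root root 777 /etc/issue.whonix` look alarming without context. Please document the format (owner, group, mode, path, as it appears) and explain the 777 rows, for example whether they were recorded from symlinks, in the commit message or an accompanying README.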
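Review bot: in permission-hardener-new-mode-legacy-hardcoded, `root root 600 /etc/permission-hardener.d` gives a directory a mode with no execute bit, while every other directory in the list (/etc/cron.d, /etc/sudoers.d, /boot, /usr/src) gets 700. Please confirm 600 is intended or change it to 700. `root root 755 /bin/ping` appears with the same mode in the existing-mode list, so that row records no change and may be droppable.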