mirror of
https://github.com/Kicksecure/security-misc.git
synced 2024-10-01 08:25:45 -04:00
128 lines
4.2 KiB
Plaintext
128 lines
4.2 KiB
Plaintext
## Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
|
|
## See the file COPYING for copying conditions.
|
|
|
|
## Please use "/etc/permission-hardening.d/50_user.conf" or
|
|
## "/usr/local/etc/permission-hardening.d/50_user.conf" for your custom
|
|
## configuration. When security-misc is updated, this file may be overwritten.
|
|
|
|
## File permission hardening.
|
|
##
|
|
## Syntax:
|
|
## [filename] [mode] [owner] [group] [capability]
|
|
##
|
|
## To remove all SUID/SGID binaries in a directory, you can use the "nosuid"
|
|
## argument.
|
|
|
|
## TODO: white spaces inside file name untested and probably will not work.
|
|
|
|
######################################################################
|
|
# SUID disablewhitelist
|
|
######################################################################
|
|
|
|
## disablewhitelist disables below (or in lexically higher) files
|
|
## exactwhitelist and matchwhitelist. Add these here (discouraged) or better
|
|
## in file "/etc/permission-hardening.d/20_user.conf".
|
|
|
|
## For example, if you are not using SELinux the following might make sense to
|
|
## enable. TODO: research
|
|
#/utempter/utempter disablewhitelist
|
|
|
|
######################################################################
|
|
# SUID exact match whitelist
|
|
######################################################################
|
|
|
|
/usr/bin/sudo exactwhitelist
|
|
/bin/sudo exactwhitelist
|
|
/usr/bin/bwrap exactwhitelist
|
|
/bin/bwrap exactwhitelist
|
|
/usr/lib/spice-gtk/spice-client-glib-usb-acl-helper exactwhitelist
|
|
/usr/lib/chromium/chrome-sandbox exactwhitelist
|
|
|
|
## There is a controversy about firejail but those who choose to install it
|
|
## should be able to use it.
|
|
## https://www.whonix.org/wiki/Dev/Firejail#Security
|
|
/usr/bin/firejail exactwhitelist
|
|
|
|
## In case you need to use 'su'. See also:
|
|
## https://www.whonix.org/wiki/root#su
|
|
#/bin/su exactwhitelist
|
|
#/usr/bin/su exactwhitelist
|
|
|
|
######################################################################
|
|
# SUID exact match whitelist
|
|
######################################################################
|
|
|
|
## https://manpages.debian.org/buster/xserver-xorg-legacy/Xorg.wrap.1.en.html
|
|
## https://lwn.net/Articles/590315/
|
|
## http://forums.whonix.org/t/permission-hardening/8655/25
|
|
#/usr/lib/xorg/Xorg.wrap whitelist
|
|
|
|
######################################################################
|
|
# SUID regex match whitelist - research required
|
|
######################################################################
|
|
|
|
/usr/lib/virtualbox/ matchwhitelist
|
|
|
|
## https://github.com/QubesOS/qubes-core-agent-linux/blob/master/qubes-rpc/qfile-unpacker.c
|
|
## match both:
|
|
#/usr/lib/qubes/qfile-unpacker whitelist
|
|
#/lib/qubes/qfile-unpacker
|
|
/qubes/qfile-unpacker matchwhitelist
|
|
|
|
## match both:
|
|
#/usr/lib/policykit-1/polkit-agent-helper-1 matchwhitelist
|
|
#/lib/policykit-1/polkit-agent-helper-1
|
|
polkit-agent-helper-1 matchwhitelist
|
|
|
|
######################################################################
|
|
# SUID regex match whitelist
|
|
######################################################################
|
|
|
|
dbus-daemon-launch-helper matchwhitelist
|
|
/utempter/utempter matchwhitelist
|
|
|
|
######################################################################
|
|
# Permission Hardening
|
|
######################################################################
|
|
|
|
/home/ 0755 root root
|
|
/home/user/ 0700 user user
|
|
/root/ 0700 root root
|
|
/boot/ 0700 root root
|
|
/etc/permission-hardening.d 0600 root root
|
|
/usr/local/etc/permission-hardening.d 0600 root root
|
|
|
|
######################################################################
|
|
# SUID/SGID Removal
|
|
######################################################################
|
|
|
|
## Remove all SUID/SGID binaries/libraries.
|
|
|
|
/bin/ nosuid
|
|
/usr/bin/ nosuid
|
|
/usr/local/bin/ nosuid
|
|
/sbin/ nosuid
|
|
/usr/sbin/ nosuid
|
|
/usr/local/sbin/ nosuid
|
|
/lib/ nosuid
|
|
/lib32/ nosuid
|
|
/lib64/ nosuid
|
|
/usr/lib/ nosuid
|
|
/usr/lib32/ nosuid
|
|
/usr/lib64/ nosuid
|
|
/usr/local/lib/ nosuid
|
|
/usr/local/lib32/ nosuid
|
|
/usr/local/lib64/ nosuid
|
|
|
|
######################################################################
|
|
# Capability Removal
|
|
######################################################################
|
|
|
|
## Ping doesn't work with Tor anyway so its capabilities are removed to
|
|
## reduce attack surface.
|
|
## anon-apps-config does this.
|
|
#/bin/ping 0744 root root none
|
|
|
|
## TODO: research
|
|
#/usr/lib/x86_64-linux-gnu/gstreamer1.0/grstreamer-1.0/gst-ptp-helper 0744 root root none
|