mirror of
https://github.com/Kicksecure/security-misc.git
synced 2024-12-18 08:44:20 -05:00
119 lines
3.9 KiB
RPMSpec
119 lines
3.9 KiB
RPMSpec
Name: security-misc
|
|
Version: @VERSION@
|
|
Release: 1%{?dist}
|
|
Summary: enhances misc security settings
|
|
|
|
License: GPL-3+-with-additional-terms-1
|
|
URL: https://github.com/Whonix/security-misc
|
|
Source0: %{name}-%{version}.tar.xz
|
|
|
|
BuildRequires: dpkg-dev
|
|
BuildRequires: genmkfile
|
|
Requires: make
|
|
BuildArch: noarch
|
|
|
|
%description
|
|
The following settings are changed:
|
|
|
|
deactivates previews in Dolphin;
|
|
deactivates previews in Nautilus;
|
|
deactivates thumbnails in Thunar;
|
|
deactivates TCP timestamps;
|
|
deactivates Netfilter's connection tracking helper;
|
|
|
|
TCP time stamps (RFC 1323) allow for tracking clock
|
|
information with millisecond resolution. This may or may not allow an
|
|
attacker to learn information about the system clock at such
|
|
a resolution, depending on various issues such as network lag.
|
|
This information is available to anyone who monitors the network
|
|
somewhere between the attacked system and the destination server.
|
|
It may allow an attacker to find out how long a given
|
|
system has been running, and to distinguish several
|
|
systems running behind NAT and using the same IP address. It might
|
|
also allow one to look for clocks that match an expected value to find the
|
|
public IP used by a user.
|
|
|
|
Hence, this package disables this feature by shipping the
|
|
/etc/sysctl.d/tcp_timestamps.conf configuration file.
|
|
|
|
Note that TCP time stamps normally have some usefulness. They are
|
|
needed for:
|
|
|
|
* the TCP protection against wrapped sequence numbers; however, to
|
|
trigger a wrap, one needs to send roughly 2^32 packets in one
|
|
minute: as said in RFC 1700, "The current recommended default
|
|
time to live (TTL) for the Internet Protocol (IP) [45,105] is 64".
|
|
So, this probably won't be a practical problem in the context
|
|
of Anonymity Distributions.
|
|
|
|
* "Round-Trip Time Measurement", which is only useful when the user
|
|
manages to saturate their connection. When using Anonymity Distributions,
|
|
probably the limiting factor for transmission speed is rarely the capacity
|
|
of the user connection.
|
|
|
|
Netfilter's connection tracking helper module increases kernel attack
|
|
surface by enabling superfluous functionality such as IRC parsing in
|
|
the kernel. (!)
|
|
|
|
Hence, this package disables this feature by shipping the
|
|
/etc/sysctl.d/nf_conntrack_helper.conf configuration file.
|
|
|
|
%prep
|
|
%setup -q
|
|
|
|
|
|
%build
|
|
make %{?_smp_mflags}
|
|
|
|
|
|
%install
|
|
%make_install
|
|
|
|
|
|
%files
|
|
%license debian/copyright
|
|
/etc/X11/Xsession.d/50panic_on_oops
|
|
/etc/X11/Xsession.d/50security-misc
|
|
/etc/apparmor.d/tunables/home.d/security-misc
|
|
/etc/apt/apt.conf.d/40sandbox
|
|
/etc/default/grub.d/40_enable_iommu.cfg
|
|
/etc/default/grub.d/40_kernel_hardening.cfg
|
|
/etc/login.defs.security-misc
|
|
/etc/modprobe.d/30_nf_conntrack_helper_disable.conf
|
|
/etc/modprobe.d/blacklist-dma.conf
|
|
/etc/modprobe.d/uncommon-network-protocols.conf
|
|
/etc/securetty.security-misc
|
|
/etc/security/limits.d/disable-coredumps.conf
|
|
/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml
|
|
/etc/sudoers.d/security-misc
|
|
/etc/sysctl.d/coredumps.conf
|
|
/etc/sysctl.d/dmesg_restrict.conf
|
|
/etc/sysctl.d/fs_protected.conf
|
|
/etc/sysctl.d/harden_bpf.conf
|
|
/etc/sysctl.d/kexec.conf
|
|
/etc/sysctl.d/kptr_restrict.conf
|
|
/etc/sysctl.d/mmap_aslr.conf
|
|
/etc/sysctl.d/ptrace_scope.conf
|
|
/etc/sysctl.d/suid_dumpable.conf
|
|
/etc/sysctl.d/sysrq.conf
|
|
/etc/sysctl.d/tcp_hardening.conf
|
|
/etc/sysctl.d/tcp_sack.conf
|
|
/etc/sysctl.d/tcp_timestamps.conf
|
|
/etc/systemd/system/emergency.service.d/override.conf
|
|
/etc/systemd/system/rescue.service.d/override.conf
|
|
/lib/systemd/coredump.conf.d/disable-coredumps.conf
|
|
/lib/systemd/system/proc-hidepid.service
|
|
/lib/systemd/system/remove-system-map.service
|
|
/usr/libexec/security-misc/apt-get-update
|
|
/usr/libexec/security-misc/apt-get-update-sanity-test
|
|
/usr/libexec/security-misc/panic-on-oops
|
|
/usr/libexec/security-misc/remove-system.map
|
|
/usr/share/glib-2.0/schemas/30_security-misc.gschema.override
|
|
/usr/share/lintian/overrides/security-misc
|
|
/usr/share/pam-configs/usergroups
|
|
/usr/share/pam-configs/wheel
|
|
/usr/share/security-misc/dolphinrc
|
|
|
|
%changelog
|
|
@CHANGELOG@
|