Patrick Schleizer
175b442d5b
use long option name
2024-12-19 05:56:50 -05:00
Patrick Schleizer
c99021bb0c
Merge remote-tracking branch 'ArrayBolt3/arraybolt3/sysmaint'
2024-12-19 05:56:01 -05:00
Patrick Schleizer
daf0a0900b
fix apt-get-update for non-English locale
https://forums.kicksecure.com/t/systemcheck-reports-warning-debian-package-update-check-result-apt-get-reports-that-packages-can-be-updated-but-system-is-already-fully-upgraded/785
2024-12-19 04:39:34 -05:00
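Added example for the locale issue in the commit above. It is written for this page and is not security-misc's apt-get-update script; it assumes the usual cause of such bugs, namely matching translated apt output in the user's locale, and shows two defences: pin the locale of the command whose output is parsed, and parse by structure rather than by English words. The function names, the `apt list --upgradable` invocation and the sample output are this example's own, and the sample lines are constructed rather than captured from a system.

```sh
#!/bin/sh
# Added example; not security-misc's apt-get-update. Assumption: the
# non-English locale bug comes from parsing translated apt output.
set -eu

# Count upgradable packages from `apt list --upgradable` text on stdin.
# Package lines look like "name/suite version arch [...]"; the localized
# header line ("Listing... Done" and its translations) contains no "/"
# and is therefore skipped without matching any English text.
count_upgradable() {
  awk -F/ 'NF >= 2 { n++ } END { print n + 0 }'
}

# Run the real command under a pinned locale. LC_ALL=C overrides LANG and
# every LC_* variable, and gettext does not apply LANGUAGE under the C
# locale, so any text that still has to be matched literally is stable.
# The "apt does not have a stable CLI interface" warning goes to stderr.
apt_list_upgradable_c() {
  LC_ALL=C apt list --upgradable 2>/dev/null
}

# Returns 0 when no upgrades are pending, 1 otherwise; prints the count.
upgrades_pending() {
  n=$(apt_list_upgradable_c | count_upgradable)
  printf '%s\n' "$n"
  [ "$n" -eq 0 ]
}

# Constructed sample of `apt list --upgradable` output (not captured from
# a real system). A translated header parses identically.
SAMPLE_UPGRADABLE='Listing... Done
bash/stable 5.2.15-2+b7 amd64 [upgradable from: 5.2.15-2+b2]
libc6/stable 2.36-9+deb12u9 amd64 [upgradable from: 2.36-9+deb12u8]'

# Dry run on the constructed sample; returns the count on stdout.
demo_count() {
  printf '%s\n' "$SAMPLE_UPGRADABLE" | count_upgradable
}
```

`upgrades_pending` needs apt and is what a systemcheck-style script would call; `count_upgradable` is the locale-independent part and works on any locale's output because it keys on the `name/suite` separator rather than on translated strings.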
Patrick Schleizer
c7f7196471
Merge pull request #287 from raja-grewal/patch
Refactor and add two CPU mitigations
2024-12-19 00:31:25 -05:00
Patrick Schleizer
e5b67e044b
Merge pull request #279 from raja-grewal/arp
Provide network-related hardening options via `sysctl`'s
2024-12-19 00:15:02 -05:00
Patrick Schleizer
4cf5757575
Merge pull request #282 from ArrayBolt3/arraybolt3/umask
Enable umask hardening
2024-12-19 00:08:56 -05:00
Aaron Rainbolt
9d69cd1912
Add sysmaint account lock detection
2024-12-18 21:34:37 -06:00
raja-grewal
3749f8ff09
Update presentation on user namespaces
2024-12-18 03:36:09 +00:00
raja-grewal
ca3a73ac13
Typo
2024-12-17 11:37:10 +00:00
raja-grewal
c116796854
arp_ignore: Add reference to 2024-12-10 Mullvad VPN audit details
2024-12-12 06:36:47 +00:00
Patrick Schleizer
7902311c57
do not create /etc/sysctl.d/30-lkrg-virtualbox.conf if LKRG is not installed
2024-12-07 04:54:47 -05:00
Patrick Schleizer
1ce37d42cd
.
2024-12-07 04:50:40 -05:00
Aaron Rainbolt
1708a03e1e
Enable umask hardening
2024-11-28 15:39:59 -06:00
Patrick Schleizer
98d7c245ee
"|| exit 1" no longer required thanks to errexit
2024-11-25 15:57:30 -05:00
Patrick Schleizer
f9b5d7d3f4
use strict shell options
2024-11-25 15:48:01 -05:00
Patrick Schleizer
d32cb8c95b
use TMP, sponge, refactoring
2024-11-25 15:44:00 -05:00
Aaron Rainbolt
d7475e252a
Make apt-get-update able to be terminated securely
2024-11-21 20:03:42 -06:00
Patrick Schleizer
c7e9460b2a
output
2024-11-14 16:31:12 -05:00
Patrick Schleizer
ef95b3f9a5
Revert "fix panic-on-oops.service"
This reverts commit 862d23cb10.
2024-11-14 14:41:14 -05:00
raja-grewal
412b371e85
Merge branch 'Kicksecure:master' into arp
2024-11-13 16:47:57 +11:00
raja-grewal
141b84c40d
Provide option to deny sending and receiving shared media redirects
2024-11-13 05:42:56 +00:00
raja-grewal
18aec201bf
Provide option to harden response to ARP requests
2024-11-13 05:41:25 +00:00
raja-grewal
a25d4f8df8
Provide option to enable ARP filtering
2024-11-13 05:40:21 +00:00
raja-grewal
c2aae73ce1
Add reference and move text
2024-11-13 05:38:03 +00:00
Patrick Schleizer
7c06e22c7d
deleted /usr/bin/pkexec.security-misc
This was not used anymore for anything. In the past, we used to `config-package-dev` `replace` `/usr/bin/pkexec` with `/usr/bin/pkexec.security-misc` for the purpose of:
> Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with hidepid.
* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040
* https://forums.whonix.org/t/cannot-use-pkexec/8129
This was a worthwhile effort, interesting approach but ultimately a dead-end.
2024-11-11 05:43:25 -05:00
Patrick Schleizer
862d23cb10
fix panic-on-oops.service
remove `After=multi-user.target` because already using `WantedBy=multi-user.target`
Thanks to @ArrayBolt3 for the bug report!
2024-11-11 05:36:41 -05:00
Patrick Schleizer
29ae5f5980
fix optional opt-in harden-module-loading.service
by making `/usr/libexec/security-misc/disable-kernel-module-loading` executable
Thanks to @ArrayBolt3 for the bug report!
2024-11-11 05:28:31 -05:00
Patrick Schleizer
5bd0a277bf
fix permission-hardener issue "Removing capabilities failed. File: '/bin/ping'"
no longer use end-of-options marker (`--`) for `setcap`
since setcap does not support it
Fixes https://github.com/QubesOS/qubes-issues/issues/9569
https://forums.whonix.org/t/permission-hardener-error/20719
2024-11-10 06:29:17 -05:00
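Added illustration of the point in the commit above: because setcap(8) does not accept the `--` end-of-options marker, a script cannot rely on it to keep file names from being read as options. This is example code written for this page, not security-misc's permission-hardener. It assumes the defensive alternative of accepting only absolute, non-symlink regular files (an absolute path starts with `/`, so it can never look like an option); the `SETCAP` override variable and the function names are this example's own.

```sh
#!/bin/sh
# Added example; not security-misc's permission-hardener. setcap(8) has no
# "--" support, so the path itself is validated instead.
set -eu

# Return 0 if PATH may be handed to setcap without "--": it must be
# absolute (first byte "/", so never "-"), a regular file, and not a
# symlink (so a link is not silently dereferenced to another target).
caps_path_ok() {
  case "$1" in
    /*) ;;
    *) return 1 ;;
  esac
  [ -f "$1" ] && ! [ -L "$1" ]
}

# Remove all file capabilities from PATH. Fails closed (status 2) on any
# relative, option-like, missing or symlinked path. SETCAP may be set to a
# stub such as "echo" for a dry run; it defaults to the real setcap binary.
caps_remove() {
  caps_path_ok "$1" || {
    printf 'refusing unsafe path: %s\n' "$1" >&2
    return 2
  }
  "${SETCAP:-setcap}" -r "$1"
}

# Dry run against a temporary file: prints the arguments setcap would get.
demo_dry_run() {
  f=$(mktemp)
  SETCAP=echo caps_remove "$f"
  rm -f "$f"
}
```

On a system where the real binary is wanted, leave `SETCAP` unset; the absolute-path rule is what replaces `--`, and the symlink check closes the remaining case where a validated path still points somewhere unexpected.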
raja-grewal
a1d1f97955
Provide option to drop gratuitous ARP packets
2024-11-08 03:58:23 +00:00
Patrick Schleizer
71c58442ca
minor
2024-10-28 05:10:19 -04:00
Patrick Schleizer
cfe19e31d8
shell options
2024-10-28 05:09:53 -04:00
Patrick Schleizer
0d50615658
local
2024-10-28 05:07:00 -04:00
Patrick Schleizer
ef0eb5f7a0
refactoring
2024-10-28 05:06:26 -04:00
Patrick Schleizer
fdd1f4b7f8
refactoring
2024-10-28 05:06:05 -04:00
Patrick Schleizer
d00235897d
hide-hardware-info: also parse /usr/local/etc/hide-hardware-info.d/*.conf
2024-10-28 05:03:59 -04:00
Patrick Schleizer
6c2e808b9f
refactoring
2024-10-28 05:03:20 -04:00
Patrick Schleizer
566cda5e4b
output
2024-10-21 05:47:38 -04:00
Patrick Schleizer
5991a23049
comment
2024-10-21 05:47:25 -04:00
Aaron Rainbolt
690e8dd826
Avoid faillock lock/tally reset on reboot or timeout
2024-10-19 23:52:51 -05:00
Patrick Schleizer
b6433309fd
use end-of-options
2024-10-18 12:45:02 -04:00
raja-grewal
09fe46adc9
Clarify KSPP compliance header for the undocumented case
2024-10-14 02:54:30 +00:00
raja-grewal
0c0774f6c0
Merge branch 'master' into text_2
2024-10-06 10:48:52 +00:00
Patrick Schleizer
0e3ffa3f11
no longer set kernel.unprivileged_userns_clone=0
because it breaks too much
fixes https://github.com/Kicksecure/security-misc/issues/274
2024-10-03 02:58:58 -04:00
Patrick Schleizer
f401d94d5e
expand documentation on kernel.unprivileged_userns_clone=0 sysctl
https://github.com/Kicksecure/security-misc/issues/274
2024-10-03 02:44:06 -04:00
raja-grewal
f3b50a23c9
Add reference on unprivileged_userns_restriction
2024-09-26 13:10:01 +00:00
raja-grewal
39d063d494
Add KSPP=no definition
2024-09-26 13:09:21 +00:00
raja-grewal
870ff88605
Comment on Flatpak requiring unprivileged user namespaces
2024-09-25 10:01:45 +10:00
Patrick Schleizer
563a898013
Merge pull request #265 from raja-grewal/mmap_min_addr
Set `sysctl vm.mmap_min_addr=65536`
2024-09-04 10:11:48 -04:00
Patrick Schleizer
175945ec9a
Merge pull request #268 from raja-grewal/panic_on_warn
Enable `panic_on_warn=1`
2024-09-04 10:05:47 -04:00
raja-grewal
7393ba1591
Typo
2024-09-04 23:23:24 +10:00