Patrick Schleizer
b9dfe70a01
check first if file_name is empty
2024-07-24 10:58:05 -04:00
Patrick Schleizer
1cbda79981
check first if array is empty before parsing further
2024-07-24 10:57:13 -04:00
Patrick Schleizer
a077ae54ea
modify call of stat to use NUL delimiter
...
for more robust string parsing
2024-07-24 10:56:08 -04:00
Patrick Schleizer
7200e9bd8c
output
2024-07-24 09:15:02 -04:00
Patrick Schleizer
1b6161c2dc
Merge remote-tracking branch 'ben-grande/fuzz'
2024-07-24 09:13:48 -04:00
Ben Grande
8be21b6eff
Handle newlines in file names
2024-07-23 19:36:12 +02:00
Ben Grande
aa99de68d3
Log output with defined levels
2024-07-23 18:50:16 +02:00
Ben Grande
06fbcdac1d
Prettify log messages
2024-07-23 09:55:02 +02:00
Ben Grande
7ee1ea2cc7
Unify functions that evaluate commands
2024-07-22 17:06:07 +02:00
Ben Grande
9c3566f524
Delimit file names with null terminator
2024-07-22 16:56:42 +02:00
Raja Grewal
a189956adc
Typo
2024-07-20 20:11:09 +10:00
Raja Grewal
c4965ed838
Disable legacy framebuffer drivers
...
These were all previously blacklisted for over 2 years.
2024-07-20 14:55:10 +10:00
Raja Grewal
8f3896c3da
Upgrade hyperlinks to HTTPS
2024-07-17 23:44:37 +10:00
Patrick Schleizer
df80385289
Merge pull request #237 from raja-grewal/intel_pmt
...
Disable some Intel PMT kernel modules
2024-07-17 09:04:18 -04:00
Patrick Schleizer
6e63fc8985
Merge remote-tracking branch 'ben-grande/fuzz'
2024-07-15 17:14:25 -04:00
Raja Grewal
61941da375
Create disabled-intelpmt-by-security-misc
2024-07-15 22:38:09 +10:00
Raja Grewal
a8bc1144c3
Updated wording of error files for disabled modules
2024-07-15 21:10:13 +10:00
Raja Grewal
fda3832eaf
Replace bash file presented for disabling of miscellaneous modules
2024-07-15 21:08:45 +10:00
Raja Grewal
c52b1a3fd2
Create disabled-miscellaneous-by-security-misc
2024-07-15 20:58:45 +10:00
Raja Grewal
f31dc8aebc
Fix error in error script
2024-07-12 16:21:03 +10:00
Raja Grewal
b02230a783
Split modprobe into blacklisted and disabled configurations
2024-07-12 02:42:37 +10:00
Ben Grande
b7796a5334
Unify method to find SUID files
2024-07-11 11:04:22 +02:00
Raja Grewal
1bb843ec38
Update Copyright (C) to 2024
2024-05-11 13:18:36 +10:00
Patrick Schleizer
8d01fc2d35
chmod +x
2024-05-10 06:48:26 -04:00
raja-grewal
f3800a4e2b
Create disabled-gps-by-security-misc
2024-05-09 02:25:46 +00:00
Patrick Schleizer
7dba3fb7be
no longer disable MSR by default
...
fixes https://github.com/Kicksecure/security-misc/issues/215
2024-04-01 02:56:27 -04:00
Patrick Schleizer
d13d1aa7ec
comments
2024-02-22 15:07:53 -05:00
Patrick Schleizer
c3dd178b19
output
2024-02-22 14:57:50 -05:00
Patrick Schleizer
6d7cf3c12a
output
2024-02-22 09:49:48 -05:00
Patrick Schleizer
f7831db197
do not exit non-zero if folder does not exist
2024-02-22 09:17:41 -05:00
Patrick Schleizer
5bdd7b8475
output
2024-02-22 09:14:52 -05:00
Patrick Schleizer
44a15cd97d
mount --make-private
...
https://github.com/Kicksecure/security-misc/issues/172
2024-02-22 09:13:56 -05:00
Patrick Schleizer
c0f98b05b6
comment
...
https://github.com/Kicksecure/security-misc/pull/202
2024-02-22 06:03:59 -05:00
Patrick Schleizer
1e1613aa93
allow /opt exec as usually optional binaries are placed there such as firefox
...
https://github.com/Kicksecure/security-misc/pull/202
2024-02-22 06:02:28 -05:00
Patrick Schleizer
7c7b4b24b4
fix home_noexec_maybe -> most_noexec_maybe
...
https://github.com/Kicksecure/security-misc/pull/202
2024-02-22 06:02:00 -05:00
Patrick Schleizer
38783faf60
add more bind mounts of mount options hardening
...
as suggested in https://github.com/Kicksecure/security-misc/pull/202
2024-02-22 05:58:53 -05:00
Patrick Schleizer
0efee2f50f
usrmerge
...
fixes https://github.com/Kicksecure/security-misc/issues/190
2024-01-17 13:39:56 -05:00
Patrick Schleizer
3ba8fe586e
update permission-hardener.service
...
Which is now only an additional opt-in systemd unit,
because permission-hardener is run by default at security-misc
package installation time.
https://github.com/Kicksecure/security-misc/pull/181
2024-01-16 09:23:54 -05:00
Ben Grande
bc02c72018
Fix unbound variable
...
- Run messages preceded by INFO;
- Comment unknown unused variables;
- Remove unnecessary variables; and
- Deal with unbound variable due to subshell by writing to a file;
2024-01-02 17:08:45 +01:00
Ben Grande
abf72c2ee4
Rename file permission hardening script
...
Hardener as the script is the agent that is hardening the file
permissions.
2024-01-02 13:34:29 +01:00
Ben Grande
f138cf0f78
Refactor permission-hardener
...
- Organize comments from default configuration;
- Apply and undo changes from a single file controlled by parameters;
- Arrays should be evaluated as arrays and not normal variables;
- Quote variables;
- Brackets around variables;
- Standardize test cases to "test" command;
- Test against empty or non-empty variables with "-z" and "-n";
- Show a usage message when necessary;
- Require root to run the script with informative message;
- Permit the user to see the help message without running as root;
- Do not create root directories without passing root check;
- Use long options for "set" command;
2024-01-02 12:17:16 +01:00
Patrick Schleizer
b0dd967611
usrmerge
...
https://github.com/Kicksecure/security-misc/issues/157
2023-12-25 09:28:08 -05:00
Patrick Schleizer
a1e00be0e0
update link
2023-11-06 16:58:23 -05:00
Patrick Schleizer
df5f3e8056
output
2023-11-06 16:36:22 -05:00
Patrick Schleizer
4219347f0a
fix permission-hardener config parsing issue
2023-11-05 16:43:44 -05:00
Patrick Schleizer
e72f79236b
refactoring
2023-11-05 16:41:41 -05:00
Patrick Schleizer
dea0d9a78a
fix permission-hardener config parsing issue
2023-11-05 16:40:49 -05:00
Patrick Schleizer
017ae18ad7
fix permission-hardener config parsing issue
2023-11-05 16:39:10 -05:00
Patrick Schleizer
65e3c14643
fix permission-hardener config parsing issue
2023-11-05 16:35:11 -05:00
Patrick Schleizer
4a19fbae0b
move permission-hardening to /usr/bin to make it more easily accessible
2023-11-05 15:13:01 -05:00
Patrick Schleizer
1123d23114
remount-secure: disable debugging to save space in initrd
2023-10-26 18:45:07 -04:00
monsieuremre
f0857fd560
Fix double mount issue for /var/log and /var/tmp
...
Mounting var with bind and mounting a subdirectory causes /var/tmp and /var/log bind mounted twice each. can be checked with lsblk. When we bind mount var only after having mounted the subdirectories, everything is mounted only one.
2023-10-23 15:33:05 +00:00
Patrick Schleizer
d2e8a6dad3
debugging
2023-10-22 19:21:51 -04:00
Patrick Schleizer
e7aafd64d4
refactoring
2023-10-22 19:16:12 -04:00
Patrick Schleizer
d521662d04
comment
2023-10-22 16:49:36 -04:00
Patrick Schleizer
0e80acf38d
fix
2023-10-22 16:45:10 -04:00
Patrick Schleizer
5182d7502b
improve remount-secure
2023-10-22 16:08:21 -04:00
Patrick Schleizer
a88c0a3ad2
fix
2023-10-22 15:44:30 -04:00
Patrick Schleizer
a7629b98cf
fix
2023-10-22 15:40:49 -04:00
Patrick Schleizer
7112eac3be
output
2023-10-22 15:37:21 -04:00
Patrick Schleizer
f80b5fe376
fix
2023-10-22 15:36:16 -04:00
Patrick Schleizer
ce0babce21
comment
2023-10-22 15:35:03 -04:00
Patrick Schleizer
70cbe4daaa
fix
2023-10-22 15:33:11 -04:00
Patrick Schleizer
9b9e9ce1c0
fix
2023-10-22 15:27:01 -04:00
Patrick Schleizer
3731716a49
fix
2023-10-22 15:14:22 -04:00
Patrick Schleizer
eec87a0508
fix
2023-10-22 15:11:26 -04:00
Patrick Schleizer
f3286cf440
fix
2023-10-22 15:10:21 -04:00
Patrick Schleizer
eb90d38d8c
fix
2023-10-22 15:05:33 -04:00
Patrick Schleizer
7f03c2b137
fix
2023-10-22 14:45:45 -04:00
Patrick Schleizer
c85db586ca
improve
2023-10-22 14:44:58 -04:00
Patrick Schleizer
7c0ea4324a
fix
2023-10-22 14:39:52 -04:00
Patrick Schleizer
6198ae317c
fix
2023-10-22 14:29:02 -04:00
Patrick Schleizer
245fad0986
fix
2023-10-22 14:00:06 -04:00
Patrick Schleizer
619f1705e1
output
2023-10-22 13:58:55 -04:00
Patrick Schleizer
e689f38ad0
todo
2023-10-22 13:31:44 -04:00
Patrick Schleizer
6675a2e931
fix
2023-10-22 13:30:50 -04:00
Patrick Schleizer
84ca0ac8a0
improve remount-secure
2023-10-22 12:54:25 -04:00
Patrick Schleizer
e7d30955e8
debugging
2023-10-22 11:28:08 -04:00
Patrick Schleizer
8eb4607a0e
improve
2023-10-22 11:12:54 -04:00
Patrick Schleizer
f1da0ce746
fix
2023-10-22 11:11:10 -04:00
Patrick Schleizer
26826e8398
fix
2023-10-22 11:06:34 -04:00
Patrick Schleizer
233fa4625b
output
2023-10-22 10:49:53 -04:00
Patrick Schleizer
3ebe8cf4de
refactoring
2023-10-22 10:41:42 -04:00
Patrick Schleizer
24d2e26397
no longer reproducible
2023-10-22 10:40:19 -04:00
Patrick Schleizer
fcba70df2e
refactoring
2023-10-22 10:38:48 -04:00
Patrick Schleizer
a05bd3dd0e
/home last because most likely to fail
2023-10-22 10:37:02 -04:00
Patrick Schleizer
41077c94fb
improve remount-secure
2023-10-22 10:32:24 -04:00
Patrick Schleizer
ef69e512bd
refactoring
2023-10-22 10:25:57 -04:00
Patrick Schleizer
d5cb7ecec9
use findmnt
2023-10-22 10:22:21 -04:00
Patrick Schleizer
45ce0ff74d
debugging
2023-10-22 10:16:43 -04:00
Patrick Schleizer
292a5c3a8a
fix
2023-10-22 10:11:31 -04:00
Patrick Schleizer
181a642479
root check
2023-10-22 10:01:38 -04:00
Patrick Schleizer
84fd41931c
/var/run -> /run
2023-10-22 09:44:17 -04:00
Patrick Schleizer
c409e3221e
implement remount-secure
2023-10-22 09:36:03 -04:00
Patrick Schleizer
167683ce76
code simplification
2023-10-22 08:50:57 -04:00
Patrick Schleizer
f0ee470ecd
comment
2023-10-22 07:51:05 -04:00
Patrick Schleizer
e257f2a380
remount-secure:
...
no longer use /usr/libexec/helper-scripts/pre.bsh as not simple with dracut
2023-10-22 07:50:14 -04:00
Patrick Schleizer
ed11c68ac6
move remount-secure to /usr/bin/remount-secure to make it easier to manually run
2023-10-22 06:51:52 -04:00
Raja Grewal
7a4212dd76
Update copyright
2023-03-30 17:08:47 +11:00
Patrick Schleizer
6d7a782624
fix
2022-11-24 07:21:46 -05:00