mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2024-12-22 20:33:35 +07:00
Code Issues Packages Projects Releases Wiki Activity
2,492 Commits 4 Branches 407 Tags 14 MiB
master
Commit Graph

907 Commits

Author SHA1 Message Date
Patrick Schleizer
8ec23ed712
echo does not support end-of-options 2024-07-26 10:28:57 -04:00
Patrick Schleizer
6096ed1109
comment 2024-07-26 10:26:43 -04:00
Patrick Schleizer
ac41d1cfff
comment 2024-07-26 10:25:59 -04:00
Patrick Schleizer
3b033ceba2
shellcheck 2024-07-26 10:17:24 -04:00
Patrick Schleizer
04d9ca1ebe
use find with safe_echo_nonewline 2024-07-26 10:16:20 -04:00
raja-grewal
20454fb811
Merge branch 'Kicksecure:master' into blacklist_to_disable 2024-07-27 00:09:30 +10:00
Patrick Schleizer
6bbf176e3b
consider end-of-options for find 2024-07-26 09:33:45 -04:00
Patrick Schleizer
794f6a25fa
comment 2024-07-26 09:08:29 -04:00
Patrick Schleizer
7e0f1a8701
dpkg-statoverride can actually handle '--file-name'. 2024-07-26 09:08:04 -04:00
Patrick Schleizer
ee037c01a1
Skip file names starting with '--', 
because this would be interpreted by dpkg-statoverride as an option.
 2024-07-26 08:58:44 -04:00
Patrick Schleizer
82d401a7de
sanity test 2024-07-26 08:52:42 -04:00
Patrick Schleizer
0e661bc688
output 2024-07-26 08:49:14 -04:00
Patrick Schleizer
d144f68d1a
output 2024-07-26 08:46:08 -04:00
Patrick Schleizer
05504b9ab2
minor 2024-07-26 08:40:10 -04:00
Patrick Schleizer
d96c0633d4
more use of end of options 2024-07-26 08:39:11 -04:00
Patrick Schleizer
8e40c10c31
comment 2024-07-26 08:31:17 -04:00
Patrick Schleizer
f2c9c2f5d1
output 2024-07-26 08:26:16 -04:00
Patrick Schleizer
2b40ea75e9
cleanup 2024-07-26 08:24:23 -04:00
Patrick Schleizer
6f0551b944
refactoring 2024-07-26 08:23:54 -04:00
Patrick Schleizer
aac450f808
refactoring 2024-07-26 08:22:04 -04:00
Patrick Schleizer
30f46790a4
use end of options whenever possible 2024-07-26 08:21:21 -04:00
Patrick Schleizer
95722d6d79
use long option name 2024-07-26 08:13:33 -04:00
Patrick Schleizer
19f131c742
code simplification 
https://github.com/Kicksecure/security-misc/pull/251
 2024-07-26 08:07:08 -04:00
Patrick Schleizer
9694cf0cd1
output 2024-07-26 07:43:59 -04:00
Ben Grande
652a06c8e9
Only print SUID or SGID values when set 2024-07-25 12:37:21 +02:00
Ben Grande
3b8a3f9b83
Unduplicate stat call 2024-07-25 12:20:16 +02:00
Raja Grewal
ed3336694c
Provide the option to immediately reboot on a kernel panics 2024-07-25 10:28:27 +10:00
Raja Grewal
3926b91dcf
Add documentation on sysctl kernel.panic_on_oops=1 2024-07-25 10:26:23 +10:00
Raja Grewal
f699eb02a2
Set sysctl fs.binfmt_misc.status=0 2024-07-25 10:11:33 +10:00
Patrick Schleizer
9231f05891
todo 2024-07-24 13:31:49 -04:00
Patrick Schleizer
4cc1289e89
output 2024-07-24 13:30:30 -04:00
Patrick Schleizer
10c73b326f
fix delimiter parsing 2024-07-24 12:07:26 -04:00
Patrick Schleizer
a16dd8474b
sanity test 2024-07-24 11:50:30 -04:00
Patrick Schleizer
cc2b335ee6
cleanup 2024-07-24 11:48:32 -04:00
Patrick Schleizer
6cadc70a96
output 2024-07-24 11:47:52 -04:00
Patrick Schleizer
cda0d26af7
cannot use NULL inside a bash variable 
use custom delimiter instead
 2024-07-24 11:45:13 -04:00
Patrick Schleizer
4a5312b3a9
output 2024-07-24 11:27:51 -04:00
Patrick Schleizer
3bf1f26c0b
downgrade warning of non-existing folders to info 
to avoid all users by default getting a warning for expected non-existing folders
 2024-07-24 11:20:26 -04:00
Patrick Schleizer
151ca659a9
output 2024-07-24 11:19:15 -04:00
Patrick Schleizer
c9fd2ceb61
downgrade warning of non-existing files to info 
to avoid all users by default getting a warning for expected non-existing files
 2024-07-24 11:13:35 -04:00
Patrick Schleizer
721392901b
remove duplicate test 2024-07-24 11:12:39 -04:00
Patrick Schleizer
9712b5b4e3
output 2024-07-24 11:12:18 -04:00
Patrick Schleizer
00911df5c1
modify call of stat to use NUL delimiter 
for more robust string parsing
 2024-07-24 11:10:56 -04:00
Patrick Schleizer
d536683511
local clean_output_prefix clean_output 2024-07-24 11:03:28 -04:00
Patrick Schleizer
a6e517736b
local stat_output 2024-07-24 11:02:25 -04:00
Patrick Schleizer
ced02fb9e0
add sanity test for file_name output from stat 2024-07-24 11:01:24 -04:00
Patrick Schleizer
b9dfe70a01
check first if file_name is empty 2024-07-24 10:58:05 -04:00
Patrick Schleizer
1cbda79981
check first if array is empty before parsing further 2024-07-24 10:57:13 -04:00
Patrick Schleizer
a077ae54ea
modify call of stat to use NUL delimiter 
for more robust string parsing
 2024-07-24 10:56:08 -04:00
Patrick Schleizer
7200e9bd8c
output 2024-07-24 09:15:02 -04:00
Patrick Schleizer
1b6161c2dc
Merge remote-tracking branch 'ben-grande/fuzz' 2024-07-24 09:13:48 -04:00
Raja Grewal
88c88187f2
Re-enable (default) secure_redirects for ICMP redirect messages 2024-07-24 17:26:50 +10:00
Ben Grande
8be21b6eff
Handle newlines in file names 2024-07-23 19:36:12 +02:00
Ben Grande
aa99de68d3
Log output with defined levels 2024-07-23 18:50:16 +02:00
Ben Grande
06fbcdac1d
Prettify log messages 2024-07-23 09:55:02 +02:00
Ben Grande
7ee1ea2cc7
Unify functions that evaluate commands 2024-07-22 17:06:07 +02:00
Ben Grande
9c3566f524
Delimit file names with null terminator 2024-07-22 16:56:42 +02:00
Raja Grewal
a189956adc
Typo 2024-07-20 20:11:09 +10:00
Raja Grewal
c4965ed838
Disable legacy framebuffer drivers 
These were all previously blacklisted for over 2 years.
 2024-07-20 14:55:10 +10:00
Patrick Schleizer
9f53a0182b
undo io_uring related changes 
as these should be done in a separate pull request (if apprpriate)

https://github.com/Kicksecure/security-misc/pull/244#issuecomment-2238889062
 2024-07-19 07:20:59 -04:00
Raja Grewal
13cc1f0986
Clarify (future) disabling of io_uring 2024-07-18 12:25:00 +10:00
Raja Grewal
6d211faf59
Restrict unprivileged user namespaces 2024-07-18 11:04:54 +10:00
Raja Grewal
b04828f858
Disable the usage of ptrace() by all processes 2024-07-18 11:01:41 +10:00
Patrick Schleizer
a2e26f441b
spelling 2024-07-17 11:04:03 -04:00
Patrick Schleizer
c8be4ac83c
comment 2024-07-17 10:56:14 -04:00
Patrick Schleizer
24cd70a014
spelling 2024-07-17 10:55:12 -04:00
Patrick Schleizer
9a387f95e9
Merge remote-tracking branch 'raja/miscellaneous' 2024-07-17 10:32:26 -04:00
Raja Grewal
4afe257a42
minor 2024-07-18 00:14:13 +10:00
Raja Grewal
d0a59617f6
Add missing Copyright (C) statements 2024-07-18 00:13:30 +10:00
Raja Grewal
8f3896c3da
Upgrade hyperlinks to HTTPS 2024-07-17 23:44:37 +10:00
Raja Grewal
1087387b36
Remove obsolete #net.ipv4.tcp_fack=0 2024-07-17 23:35:25 +10:00
Patrick Schleizer
df80385289
Merge pull request #237 from raja-grewal/intel_pmt 
Disable some Intel PMT kernel modules
 2024-07-17 09:04:18 -04:00
Patrick Schleizer
0b873b765e
minor 2024-07-17 08:05:27 -04:00
Patrick Schleizer
070bb46a08
Merge remote-tracking branch 'raja/sysctl' 2024-07-17 08:02:45 -04:00
Patrick Schleizer
6d6e5473f2
minor 2024-07-17 08:00:24 -04:00
Patrick Schleizer
cf5f0edbb8
Merge remote-tracking branch 'raja/sysctl' 2024-07-17 07:59:35 -04:00
Raja Grewal
39fd125eb0
Provide explanation on the disabling of IPv6 Privacy Extensions 2024-07-17 21:44:44 +10:00
Raja Grewal
693b47e623
Clarify ICMP redirect acceptance and sending 2024-07-17 14:58:30 +10:00
Raja Grewal
824d9b82e5
Uncomment redundant disabling of TCP FACK` 2024-07-17 00:36:18 +10:00
Raja Grewal
d1119c38b6
Apply changes from code review 2024-07-17 00:31:23 +10:00
Patrick Schleizer
6e63fc8985
Merge remote-tracking branch 'ben-grande/fuzz' 2024-07-15 17:14:25 -04:00
Raja Grewal
61941da375
Create disabled-intelpmt-by-security-misc 2024-07-15 22:38:09 +10:00
Raja Grewal
a8bc1144c3
Updated wording of error files for disabled modules 2024-07-15 21:10:13 +10:00
Raja Grewal
fda3832eaf
Replace bash file presented for disabling of miscellaneous modules 2024-07-15 21:08:45 +10:00
Raja Grewal
c52b1a3fd2
Create disabled-miscellaneous-by-security-misc 2024-07-15 20:58:45 +10:00
Raja Grewal
1c2afc1f25
Update presentation of the kernel.printk sysctl 2024-07-15 15:01:48 +10:00
Raja Grewal
2b9e174c9d
Remove empty lines 2024-07-14 16:22:52 +10:00
Raja Grewal
dd1741c4a1
Some documentation additions and fixes 2024-07-14 13:40:53 +10:00
Raja Grewal
565597c9a2
Minor documentation changes and fixes 2024-07-14 01:21:24 +10:00
Raja Grewal
2de3a79599
Refactor existing sysctl for clarity 2024-07-13 22:41:40 +10:00
Raja Grewal
f31dc8aebc
Fix error in error script 2024-07-12 16:21:03 +10:00
Raja Grewal
b02230a783
Split modprobe into blacklisted and disabled configurations 2024-07-12 02:42:37 +10:00
Ben Grande
b7796a5334
Unify method to find SUID files 2024-07-11 11:04:22 +02:00
Raja Grewal
1bb843ec38
Update Copyright (C) to 2024 2024-05-11 13:18:36 +10:00
Patrick Schleizer
9b589bc311
comment 2024-05-10 06:49:34 -04:00
Patrick Schleizer
8d01fc2d35
chmod +x 2024-05-10 06:48:26 -04:00
Patrick Schleizer
547757f451
Merge pull request #220 from raja-grewal/block_gps 
Block Several GPS-related Modules
 2024-05-10 06:45:34 -04:00
raja-grewal
f3800a4e2b
Create disabled-gps-by-security-misc 2024-05-09 02:25:46 +00:00
raja-grewal
132b41ae73
Revert logging of martians 2024-05-09 02:16:50 +00:00
Patrick Schleizer
7dba3fb7be
no longer disable MSR by default 
fixes https://github.com/Kicksecure/security-misc/issues/215
 2024-04-01 02:56:27 -04:00
Patrick Schleizer
ecaa024f22
lower debugging 2024-03-18 11:01:56 -04:00
Patrick Schleizer
a5206bde33
proc-hidepid.service add gid=proc 
This allows users that are a member of the `proc` group to be excluded from `hidepid` protections.

https://github.com/Kicksecure/security-misc/issues/208
 2024-03-10 08:44:53 -04:00
Patrick Schleizer
6b76373395
fix panic-on-oops started every 10s in Qubes-Whonix 
by changing from a /etc/profile.d etc. related mechanism to start to a systemd unit file based approach

Thanks to @marmarek for the bug report!

https://forums.whonix.org/t/panic-on-oops-started-every-10s/19450
 2024-03-04 06:44:26 -05:00
Patrick Schleizer
808e72f24b
use long options 
https://github.com/Kicksecure/security-misc/issues/172
 2024-02-26 08:11:26 -05:00
Patrick Schleizer
2d1d1b246f
improve output 
https://github.com/Kicksecure/security-misc/issues/172
 2024-02-26 08:07:29 -05:00
Patrick Schleizer
d8f5376c4f
improve output 
https://github.com/Kicksecure/security-misc/issues/172
 2024-02-26 07:58:06 -05:00
Patrick Schleizer
cf84762a3a
improve output 
https://github.com/Kicksecure/security-misc/issues/172
 2024-02-26 07:52:41 -05:00
Patrick Schleizer
f2958bbfa5
comment 2024-02-26 07:49:30 -05:00
Patrick Schleizer
b23d167342
Merge pull request #204 from DanWin/sysfs-mount 
Make /sys hardening optional and allow access to /sys/fs to make polkit work
 2024-02-26 07:46:02 -05:00
Patrick Schleizer
d13d1aa7ec
comments 2024-02-22 15:07:53 -05:00
Patrick Schleizer
c3dd178b19
output 2024-02-22 14:57:50 -05:00
Daniel Winzen
ef44ecea44
Add option to disabe /sys hardening 2024-02-22 17:27:46 +01:00
Daniel Winzen
3bc1765dbb
Allow access to /sys/fs for polkit 2024-02-22 17:27:45 +01:00
Patrick Schleizer
37a7abdf0c
ConditionKernelCommandLine=!remountsecure=0 2024-02-22 11:07:01 -05:00
Patrick Schleizer
c0924321b8
fix systemd unit ExecStart 2024-02-22 09:52:36 -05:00
Patrick Schleizer
6d7cf3c12a
output 2024-02-22 09:49:48 -05:00
Patrick Schleizer
f7831db197
do not exit non-zero if folder does not exist 2024-02-22 09:17:41 -05:00
Patrick Schleizer
5bdd7b8475
output 2024-02-22 09:14:52 -05:00
Patrick Schleizer
44a15cd97d
mount --make-private 
https://github.com/Kicksecure/security-misc/issues/172
 2024-02-22 09:13:56 -05:00
Patrick Schleizer
c0f98b05b6
comment 
https://github.com/Kicksecure/security-misc/pull/202
 2024-02-22 06:03:59 -05:00
Patrick Schleizer
1e1613aa93
allow /opt exec as usually optional binaries are placed there such as firefox 
https://github.com/Kicksecure/security-misc/pull/202
 2024-02-22 06:02:28 -05:00
Patrick Schleizer
7c7b4b24b4
fix home_noexec_maybe -> most_noexec_maybe 
https://github.com/Kicksecure/security-misc/pull/202
 2024-02-22 06:02:00 -05:00
Patrick Schleizer
38783faf60
add more bind mounts of mount options hardening 
as suggested in https://github.com/Kicksecure/security-misc/pull/202
 2024-02-22 05:58:53 -05:00
Patrick Schleizer
3048e0ac76
usrmerge 
https://github.com/Kicksecure/security-misc/issues/190
 2024-01-17 13:54:07 -05:00
Patrick Schleizer
0efee2f50f
usrmerge 
fixes https://github.com/Kicksecure/security-misc/issues/190
 2024-01-17 13:39:56 -05:00
Patrick Schleizer
3ba8fe586e
update permission-hardener.service 
Which is now only an additional opt-in systemd unit,
because permission-hardener is run by default at security-misc
package installation time.

https://github.com/Kicksecure/security-misc/pull/181
 2024-01-16 09:23:54 -05:00
Patrick Schleizer
862bf6b5ab
Merge remote-tracking branch 'ben-grande/clean' 2024-01-16 08:19:28 -05:00
Patrick Schleizer
1199871d7b
undo IPv6 privacy due to potential server issues 
https://github.com/Kicksecure/security-misc/issues/184
 2024-01-07 06:37:34 -05:00
Patrick Schleizer
128bb01b35
undo IPv6 privacy due to potential server issues 
https://github.com/Kicksecure/security-misc/issues/184
 2024-01-07 06:36:25 -05:00
Patrick Schleizer
86f91e3030
revert umask 027 by default 
because broken because this also happens for root while it should not

https://github.com/Kicksecure/security-misc/issues/185
 2024-01-06 09:11:54 -05:00
Patrick Schleizer
3f1304403f
disable MAC randomization in Network Manager (NM) because it breaks VirtualBox DHCP 
https://github.com/Kicksecure/security-misc/issues/184
 2024-01-06 08:15:31 -05:00
Raja Grewal
74afcc9c63
Clarify validity of disabling io_uring 2024-01-03 17:52:23 +11:00
Ben Grande
bc02c72018
Fix unbound variable 
- Run messages preceded by INFO;
- Comment unknown unused variables;
- Remove unnecessary variables; and
- Deal with unbound variable due to subshell by writing to a file;
 2024-01-02 17:08:45 +01:00
Ben Grande
abf72c2ee4
Rename file permission hardening script 
Hardener as the script is the agent that is hardening the file
permissions.
 2024-01-02 13:34:29 +01:00
Ben Grande
f138cf0f78
Refactor permission-hardener 
- Organize comments from default configuration;
- Apply and undo changes from a single file controlled by parameters;
- Arrays should be evaluated as arrays and not normal variables;
- Quote variables;
- Brackets around variables;
- Standardize test cases to "test" command;
- Test against empty or non-empty variables with "-z" and "-n";
- Show a usage message when necessary;
- Require root to run the script with informative message;
- Permit the user to see the help message without running as root;
- Do not create root directories without passing root check;
- Use long options for "set" command;
 2024-01-02 12:17:16 +01:00
Patrick Schleizer
8daf97ab01
Merge pull request #178 from raja-grewal/io_uring 
Disable asynchronous I/O
 2024-01-02 05:29:35 -05:00
Patrick Schleizer
5b36599c0c
/dev/, /dev/shm, /tmp 
https://github.com/Kicksecure/security-misc/issues/157#issuecomment-1869073716
 2023-12-29 14:57:38 -05:00
Patrick Schleizer
c86c83cef7
formatting 
https://github.com/Kicksecure/security-misc/issues/157
 2023-12-25 10:31:58 -05:00
Patrick Schleizer
971ff687b1
do not mount /dev/cdrom by default 
https://github.com/Kicksecure/security-misc/issues/157
 2023-12-25 10:30:35 -05:00
Patrick Schleizer
9fce67fcd9
remove superfluous, broken remount mount option 
https://github.com/Kicksecure/security-misc/issues/157
 2023-12-25 10:28:47 -05:00
Patrick Schleizer
40fd8cb608
no nofail mount option to avoid breaking the boot of a system 
unit testing belongs elsewhere

https://github.com/Kicksecure/security-misc/issues/157
 2023-12-25 09:51:09 -05:00
Patrick Schleizer
4aa645f29f
comment 
https://github.com/Kicksecure/security-misc/issues/157
 2023-12-25 09:46:33 -05:00
Patrick Schleizer
2b7aeedb4a
mount /dev/cdrom to /mnt/cdrom (instead of /mnt/cdrom0) and 
nodev,nosuid,noexec

as per:
https://www.debian.org/doc/manuals/securing-debian-manual/ch04s10.en.html

https://github.com/Kicksecure/security-misc/issues/157
 2023-12-25 09:44:51 -05:00
Patrick Schleizer
0d9e9780da
formatting 
https://github.com/Kicksecure/security-misc/issues/157
 2023-12-25 09:37:14 -05:00
Patrick Schleizer
00f9ab4394
/dev devtmpfs 
https://github.com/Kicksecure/security-misc/issues/157
 2023-12-25 09:36:05 -05:00
Patrick Schleizer
55709b3aa0
/tmp tmpfs 
https://github.com/Kicksecure/security-misc/issues/157
 2023-12-25 09:30:57 -05:00
Patrick Schleizer
b0dd967611
usrmerge 
https://github.com/Kicksecure/security-misc/issues/157
 2023-12-25 09:28:08 -05:00
Patrick Schleizer
269fada14a
combine bind lines 
https://github.com/Kicksecure/security-misc/issues/157
 2023-12-25 09:25:14 -05:00
Raja Grewal
f055fe5da2
Disable asynchronous I/O 
io_uring creation is disabled for all processes. io_uring_setup always fails with -EPERM. Existing io_uring instances can still be used.
 2023-12-15 08:33:36 +00:00
Patrick Schleizer
039de1dc9b
add hardened fstab /usr/share/doc/security-misc/fstab-vm 
to the documentation folder as an example

not directly used by security-misc

will later be used by Kicksecure VM build process

https://github.com/Kicksecure/security-misc/issues/157
 2023-12-12 11:50:11 -05:00