mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-07-14 18:00:54 +07:00
Code Issues Packages Projects Releases Wiki Activity
NaN Commits 4 Branches 456 Tags
01eaee997e34aa73a11dffe032ace5ef23c37e28
Commit Graph

160 Commits

Author SHA1 Message Date
Patrick Schleizer
1e5946c795 Merge branch 'master' into sysrq 2020-02-15 10:41:52 +00:00
madaidan
0f49736957 Update control 2020-02-14 18:18:18 +00:00
madaidan
ace6211176 Update control 2020-02-14 17:51:17 +00:00
Patrick Schleizer
ad6b766886 Merge pull request #57 from madaidan/sysctl 
Prevent symlink/hardlink TOCTOU races
 2020-02-13 18:40:58 +00:00
madaidan
2796c2dd00 Update control 2020-02-12 18:43:19 +00:00
madaidan
14f8458374 Update control 2020-02-12 18:05:32 +00:00
Patrick Schleizer
c1a0da60be set kernel boot parameter l1tf=full,force and nosmt=force 
https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17
 2020-01-30 00:46:48 -05:00
Patrick Schleizer
f4c54881ac description 2020-01-24 04:49:19 -05:00
Patrick Schleizer
a37da1c968 add digits to drop-in file names 2020-01-24 04:39:06 -05:00
Patrick Schleizer
3a4d283169 description 2020-01-24 04:33:30 -05:00
Patrick Schleizer
8616728ce0 remove duplicate 2020-01-24 03:35:15 -05:00
madaidan
1df48a226d Update control 2020-01-15 20:30:17 +00:00
Patrick Schleizer
0618b53464 fix lintian warning 2020-01-15 11:35:07 -05:00
Patrick Schleizer
528c5fc4c4 Merge branch 'master' into sysctl-initramfs 2020-01-15 11:02:03 +00:00
madaidan
0953bbe1d7 Update control 2020-01-13 21:05:35 +00:00
madaidan
9dc43eae38 Description 2020-01-12 21:42:07 +00:00
Patrick Schleizer
61a2d390a7 lintian 2020-01-11 15:15:12 -05:00
madaidan
6088444c37 Update control 2020-01-11 18:38:17 +00:00
Patrick Schleizer
9ec5b0ee82 description: lockdown not enabled yet 2019-12-23 03:38:49 -05:00
Patrick Schleizer
1ff51ee061 merge 2019-12-23 03:37:28 -05:00
Patrick Schleizer
3670fcf48b depend on libcap2-bin for setcap / getcap / capsh 2019-12-23 00:49:33 -05:00
madaidan
8f11a520f4 Update control 2019-12-22 13:54:16 +00:00
Patrick Schleizer
b74e5ca972 comment 2019-12-21 07:47:00 -05:00
Patrick Schleizer
ed20980f4c refactoring 2019-12-21 05:07:10 -05:00
Patrick Schleizer
8e112c3423 description 2019-12-20 06:53:24 -05:00
Patrick Schleizer
24ea70384b description 2019-12-20 06:53:03 -05:00
Patrick Schleizer
2c4170e6f3 description 2019-12-12 09:47:58 -05:00
Patrick Schleizer
2d5ef378f3 description 2019-12-12 09:39:39 -05:00
Patrick Schleizer
c192644ee3 security-misc /usr/share/pam-configs/permission-lockdown-security-misc is no longer required, removed. 
Thereby fix apparmor issue.

> Dec 08 09:47:50 host audit[3232]: AVC apparmor="DENIED" operation="exec" profile="/usr/bin/whonixcheck" name="/usr/lib/security-misc/permission-lockdown" pid=3232 comm="sudo" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
> Dec 08 09:47:50 host sudo[3232]: pam_exec(sudo:session): execve(/usr/lib/security-misc/permission-lockdown,...) failed: Permission denied

It is no longer required, because...

existing linux user accounts:

* Get permission lock down because security-misc `debian/security-misc.postinst` calls `/usr/lib/security-misc/permission-lockdown`.

new linux user accounts (created at first boot):

* security-misc `/usr/share/pam-configs/mkhomedir-security-misc` pam mkhomedir sets secure permissions using `umask=027`.
 2019-12-08 05:21:35 -05:00
Patrick Schleizer
1dbca1ea2d add usr/bin/hardening-enable 2019-12-08 02:27:09 -05:00
Patrick Schleizer
24423b42f0 description 2019-12-08 02:03:05 -05:00
Patrick Schleizer
66bebefc9f description 2019-12-08 02:00:23 -05:00
Patrick Schleizer
b871421a54 usr/share/pam-configs/console-lockdown -> usr/share/pam-configs/console-lockdown-security-misc 2019-12-08 01:57:43 -05:00
Patrick Schleizer
1464f01d19 description 2019-12-08 01:30:42 -05:00
Patrick Schleizer
55225aa30e description 2019-12-07 07:16:07 -05:00
Patrick Schleizer
34a2bc16c8 description 2019-12-07 07:15:58 -05:00
Patrick Schleizer
d823f06c78 description 2019-12-07 07:13:42 -05:00
Patrick Schleizer
090ddbe96a description 2019-12-07 06:00:41 -05:00
Patrick Schleizer
6479c883bf Console Lockdown. 
Allow members of group 'console' to use tty1 to tty7. Everyone else except
members of group 'console-unrestricted' are restricted from using console
using ancient, unpopular login methods such as using /bin/login over networks,
which might be exploitable. (CVE-2001-0797)

Not enabled by default in this package since this package does not know which
users shall be added to group 'console'.

In new Whonix builds, user 'user" will be added to group 'console' and
pam console-lockdown enabled by package anon-base-files.

/usr/share/pam-configs/console-lockdown

/etc/security/access-security-misc.conf

https://forums.whonix.org/t/etc-security-hardening/8592
 2019-12-07 05:40:20 -05:00
Patrick Schleizer
6d92d03b31 description 2019-12-07 01:54:50 -05:00
Patrick Schleizer
470cad6e91 remount /home /tmp /dev/shm /run with nosuid,nodev (default) and noexec (opt-in) 
https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707
 2019-12-06 05:14:02 -05:00
madaidan
af9e19c51f Update control 2019-12-05 20:14:55 +00:00
Patrick Schleizer
0c25a96b59 description / comments 2019-12-03 02:18:32 -05:00
madaidan
8d63da3cef Update control 2019-12-02 16:46:12 +00:00
Patrick Schleizer
25aed91eb1 description 2019-11-28 09:20:46 -05:00
Patrick Schleizer
0c4e5df3e0 description 2019-11-28 09:18:05 -05:00
Patrick Schleizer
5ac2a6f9ac description 2019-11-28 09:17:32 -05:00
Patrick Schleizer
aa5451c8cd Lock user accounts after 50 rather than 100 failed login attempts. 
https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698/19
 2019-11-25 01:39:53 -05:00
Patrick Schleizer
fe1f1b73a7 load jitterentropy_rng kernel module for better entropy collection 
https://www.whonix.org/wiki/Dev/Entropy

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927972

https://forums.whonix.org/t/jitterentropy-rngd/7204
 2019-11-23 11:20:32 +00:00
Patrick Schleizer
b55c2fd62e Enables punycode (network.IDN_show_punycode) by default in Thunderbird 
to make phising attacks more difficult. Fixing URL not showing real Domain
Name (Homograph attack).

https://forums.whonix.org/t/enable-network-idn-show-punycode-by-default-in-thunderbird-to-fix-url-not-showing-real-domain-name-homograph-attack-punycode/8415
 2019-11-03 02:50:51 -05:00