Commit Graph

925 Commits

Author SHA1 Message Date
0326cd5ee9 bumped changelog version 13.4-1 2019-12-24 08:07:55 -05:00
ede536913d no longer hardcode amd64 2019-12-24 06:00:41 -05:00
d03a3d9ac0 Merge remote-tracking branch 'origin/master' 2019-12-24 05:57:24 -05:00
27a42a9da8 Merge pull request #50 from madaidan/modules
Make /lib/modules unreadable
2019-12-24 10:55:11 +00:00
ac49c55d1f Merge pull request #49 from madaidan/kver
Detect kernel upgrades
2019-12-24 10:55:03 +00:00
0c3d4ad255 Merge pull request #48 from madaidan/kernel-hardening
Use only one slub_debug parameter
2019-12-24 10:54:23 +00:00
79241c5d09 Make /lib/modules unreadable 2019-12-23 20:28:29 +00:00
98e88d1456 Detect kernel upgrades 2019-12-23 19:57:43 +00:00
d1a0650fd9 Use only one slub_debug parameter 2019-12-23 19:44:52 +00:00
9d77d88a4d comments 2019-12-23 09:39:50 -05:00
7a80837b4f bumped changelog version 13.3-1 2019-12-23 08:48:04 -05:00
617c0a0e15 disable remount-secure.service - Disable for now until development finished / tested. 2019-12-23 07:21:26 -05:00
3e131174d5 comments 2019-12-23 05:00:35 -05:00
bef41a38c2 bumped changelog version 13.2-1 2019-12-23 03:58:00 -05:00
046ceeae4d readme 2019-12-23 03:57:36 -05:00
9f072ce4f9 comment 2019-12-23 03:46:02 -05:00
26fe9394ff disable lockdown for now due to module loading 2019-12-23 03:41:54 -05:00
9ec5b0ee82 description: lockdown not enabled yet 2019-12-23 03:38:49 -05:00
b05669accf Merge branch 'madaidan-kernel-hardening' 2019-12-23 03:38:04 -05:00
1ff51ee061 merge 2019-12-23 03:37:28 -05:00
535c258b83 More kernel hardening 2019-12-23 03:35:07 -05:00
11b4192fbd comments 2019-12-23 03:28:42 -05:00
42ff53e9ad bumped changelog version 13.1-1 2019-12-23 02:42:07 -05:00
2152fa2d61 comment 2019-12-23 02:38:53 -05:00
f8f2e6c704 fix disablewhitelist feature 2019-12-23 02:35:13 -05:00
47ddcad0c0 rename keyword whitelist to exactwhitelist
add new keyword disablewhitelist

refactoring
2019-12-23 02:29:47 -05:00
175d1c2845 bumped changelog version 13.0-1 2019-12-23 02:13:13 -05:00
0409aac3ae readme 2019-12-23 02:09:04 -05:00
1ff56625a1 polkit-agent-helper-1 matchwhitelist to match both
- /usr/lib/policykit-1/polkit-agent-helper-1 matchwhitelist
- /lib/policykit-1/polkit-agent-helper-1
2019-12-23 01:42:03 -05:00
d484b299ea matchwhitelist /qubes/qfile-unpacker to match both
- /usr/lib/qubes/qfile-unpacker whitelist
- /lib/qubes/qfile-unpacker
2019-12-23 01:38:31 -05:00
34bf245713 output 2019-12-23 01:35:45 -05:00
ba30e45d15 output 2019-12-23 01:32:42 -05:00
ee9c5742da output 2019-12-23 01:29:48 -05:00
6d05359abc output 2019-12-23 01:21:52 -05:00
a1e78e8515 fix needlessly re-adding entries 2019-12-23 01:20:56 -05:00
906b3d32e7 output 2019-12-23 01:09:57 -05:00
4f76867da6 lower debugging 2019-12-23 01:08:02 -05:00
dc6e5d8508 fix 2019-12-23 01:06:38 -05:00
87b999f92a refactoring 2019-12-23 00:59:43 -05:00
065ff4bd05 sanity_tests 2019-12-23 00:59:24 -05:00
fef1469fe6 exit non-zero if capability removal failed 2019-12-23 00:51:14 -05:00
3670fcf48b depend on libcap2-bin for setcap / getcap / capsh 2019-12-23 00:49:33 -05:00
17a8c29470 fix capability removal error handling
https://forums.whonix.org/t/disable-suid-binaries/7706/45
2019-12-23 00:47:49 -05:00
b631e2ecd8 refactoring 2019-12-23 00:36:41 -05:00
7aea304549 comment 2019-12-23 00:26:15 -05:00
f4b1df02ee Remove suid / gid and execute permission for 'group' and 'others'.
Similar to: chmod og-ugx /path/to/filename

Removing execution permission is useful to make binaries such as 'su' fail closed rather
than fail open if suid was removed from these.

Do not remove read access, since there is no security benefit and it is easier for users to manually undo.

chmod 744
2019-12-22 19:42:40 -05:00
58a4e0bc7d dbus-daemon-launch-helper matchwhitelist 2019-12-22 19:12:10 -05:00
15e3a2832d comment 2019-12-22 18:57:23 -05:00
6eb8fd257a suid utempter/utempter matchwhitelist
to cover both:

/usr/lib/x86_64-linux-gnu/utempter/utempter
/lib/x86_64-linux-gnu/utempter/utempter
2019-12-22 18:56:36 -05:00
9409209b48 Merge remote-tracking branch 'origin/master' 2019-12-22 10:29:08 -05:00