|
|
26b2c9727f
|
not blacklist CD-ROM / DVD yet
https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31
|
2022-07-07 15:39:40 -04:00 |
|
|
|
ca19d78d48
|
shuffle
|
2022-07-07 15:27:15 -04:00 |
|
|
|
780dc8eec9
|
replace /bin/false -> /bin/disabled-by-security-misc
|
2022-07-08 04:11:25 +10:00 |
|
|
|
fa2e30f512
|
Updated descriptions of disabled modules
|
2022-07-08 03:04:37 +10:00 |
|
|
|
da389d6682
|
Revert "replace /bin/false -> /bin/true"
This reverts commit f0511635a9.
|
2022-07-08 02:12:04 +10:00 |
|
|
|
f0511635a9
|
replace /bin/false -> /bin/true
|
2022-07-07 09:27:53 +00:00 |
|
|
|
18d67dbc53
|
Blacklist more modules
|
2022-07-07 09:26:55 +00:00 |
|
|
|
1c0e071948
|
comments
|
2022-07-05 10:45:55 -04:00 |
|
|
|
5d47f5f74c
|
comments
|
2022-07-05 10:45:09 -04:00 |
|
|
|
435c689cf9
|
comments
|
2022-07-05 10:44:28 -04:00 |
|
|
|
c20d588d78
|
comments
|
2022-07-05 10:42:37 -04:00 |
|
|
|
b342ce930e
|
add /etc/default/grub.d/40_cold_boot_attack_defense.cfg
|
2022-07-05 10:28:22 -04:00 |
|
|
|
67eaf8c916
|
comments
|
2022-06-29 11:40:38 -04:00 |
|
|
|
72908d6b0d
|
comments
|
2022-06-29 11:34:55 -04:00 |
|
|
|
55d16e1602
|
remove unicode
|
2022-06-08 09:04:03 -04:00 |
|
|
|
fcaec49675
|
Merge remote-tracking branch 'github-kicksecure/master'
|
2022-06-08 08:20:24 -04:00 |
|
|
|
5c43197f10
|
minor
|
2022-06-08 08:11:28 -04:00 |
|
|
|
6e8f584d88
|
permission-hardening: Keep pam_unix.so password checking helper SetGID shadow
|
2022-06-08 05:29:42 +00:00 |
|
|
|
3910e4ee15
|
permission-hardening: Keep passwd executable but non-SetUID
|
2022-06-07 08:11:51 +00:00 |
|
|
|
2d37e3a1af
|
copyright
|
2022-05-20 14:46:38 -04:00 |
|
|
|
bb0307290b
|
update link
|
2022-04-16 14:18:35 -04:00 |
|
|
|
c72567dbd2
|
fix
|
2021-09-14 14:18:44 -04:00 |
|
|
|
d62bbaab82
|
fix, unduplicate kernel command line
|
2021-09-12 11:40:58 -04:00 |
|
|
|
bd31b4085c
|
remove Debian buster support in /etc/default/grub.d
|
2021-09-09 12:16:18 -04:00 |
|
|
|
ac0c492663
|
do not set kernel parameter quiet loglevel=0 for recovery boot option
for easier debugging
|
2021-09-06 08:22:55 -04:00 |
|
|
|
49902b8c56
|
move grub quiet to separate config file /etc/default/grub.d/41_quiet.cfg
|
2021-09-06 08:19:41 -04:00 |
|
|
|
f5b0e4b5b8
|
debugging
|
2021-09-06 04:55:16 -04:00 |
|
|
|
6257bfa926
|
debugging
|
2021-09-05 15:54:20 -04:00 |
|
|
|
a4e18a2ae8
|
dracut reproducible=yes
|
2021-09-04 18:28:37 -04:00 |
|
|
|
db43cedcfd
|
LANG=C str_replace
|
2021-08-22 05:23:24 -04:00 |
|
|
|
582492d6d8
|
port from pam_tally2 to pam_faillock
since pam_tally2 was deprecated upstream
|
2021-08-10 17:13:00 -04:00 |
|
|
|
50bdd097df
|
move /usr/lib/security-misc to /usr/libexec/security-misc as per lintian FHS
|
2021-08-03 12:56:31 -04:00 |
|
|
|
0492f28aa1
|
enable "apt-get --error-on=any" by default
makes apt exit non-zero for transient failures
`/etc/apt/apt.conf.d/40error-on-any`
https://forums.whonix.org/t/debian-bullseye-apt-get-error-on-any/12068
|
2021-08-03 12:37:39 -04:00 |
|
|
|
c94281121e
|
comment
|
2021-08-01 16:37:02 -04:00 |
|
|
|
eff5af0318
|
https://forums.whonix.org/t/restrict-root-access/7658/116
|
2021-06-20 10:16:33 -04:00 |
|
|
|
97d8db3f74
|
Restrict sudo's file permissions
|
2021-06-05 19:16:42 +00:00 |
|
|
|
d87bee37f7
|
comment
|
2021-06-01 07:21:18 -04:00 |
|
|
|
809930c021
|
comment
|
2021-06-01 05:36:01 -04:00 |
|
|
|
e2afd00627
|
modify DKMS configuration file /etc/dkms/framework.conf
Lower parallel compilation jobs to 1 if less than 2 GB RAM to avoid freezing of virtual machines.
`parallel_jobs=1`
This does not necessarily belong into security-misc, however likely
security-misc will need to modify `/etc/dkms/framework.conf` in the future to
enable kernel module signing.
https://forums.whonix.org/t/linux-kernel-runtime-guard-lkrg-linux-kernel-runtime-integrity-checking-and-exploit-detection/8477/26
https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/58
|
2021-04-29 11:14:30 -04:00 |
|
|
|
3ba3b37187
|
add /etc/dkms/framework.conf.security-misc
original, from
- https://github.com/dell/dkms/blob/master/dkms_framework.conf
- https://raw.githubusercontent.com/dell/dkms/master/dkms_framework.conf
https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/58
|
2021-04-29 11:08:30 -04:00 |
|
|
|
a67007f4b7
|
copyright
|
2021-03-17 09:45:21 -04:00 |
|
|
|
a1819e8cab
|
comment
|
2021-03-01 09:15:44 -05:00 |
|
|
|
4db7d6be64
|
hide-hardware-info: allow unrestricting selinuxfs
On SELinux systems, the /sys/fs/selinux directory must be visible to
userspace utilities in order to function properly.
|
2021-02-06 03:02:08 -05:00 |
|
|
|
a258f35f38
|
comment
|
2021-01-05 02:11:08 -05:00 |
|
|
|
b2b614ed2a
|
cover more folders in /usr/local
|
2020-12-06 04:15:52 -05:00 |
|
|
|
5bd267d774
|
refactoring
|
2020-12-06 04:10:50 -05:00 |
|
|
|
11cdce02a0
|
refactoring
|
2020-12-06 04:10:10 -05:00 |
|
|
|
f73c55f16c
|
/opt
https://forums.whonix.org/t/suid-disabler-and-permission-hardener/7706/68
|
2020-12-06 04:08:58 -05:00 |
|
|
|
c031f22995
|
SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists
`whitelists_disable_all=true`
|
2020-12-01 05:14:48 -05:00 |
|
|
|
b09cc0de6a
|
Revert "SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists"
This reverts commit 36a471ebce.
|
2020-12-01 05:10:26 -05:00 |
|
