mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-07-09 23:41:24 +07:00
Code Issues Packages Projects Releases Wiki Activity
NaN Commits 4 Branches 456 Tags
3749f8ff097551a843e5ed80de52c6770a32e0c6
Commit Graph

892 Commits

Author SHA1 Message Date
Patrick Schleizer
6d7cf3c12a output 2024-02-22 09:49:48 -05:00
Patrick Schleizer
f7831db197 do not exit non-zero if folder does not exist 2024-02-22 09:17:41 -05:00
Patrick Schleizer
5bdd7b8475 output 2024-02-22 09:14:52 -05:00
Patrick Schleizer
44a15cd97d mount --make-private 
https://github.com/Kicksecure/security-misc/issues/172
 2024-02-22 09:13:56 -05:00
Patrick Schleizer
c0f98b05b6 comment 
https://github.com/Kicksecure/security-misc/pull/202
 2024-02-22 06:03:59 -05:00
Patrick Schleizer
1e1613aa93 allow /opt exec as usually optional binaries are placed there such as firefox 
https://github.com/Kicksecure/security-misc/pull/202
 2024-02-22 06:02:28 -05:00
Patrick Schleizer
7c7b4b24b4 fix home_noexec_maybe -> most_noexec_maybe 
https://github.com/Kicksecure/security-misc/pull/202
 2024-02-22 06:02:00 -05:00
Patrick Schleizer
38783faf60 add more bind mounts of mount options hardening 
as suggested in https://github.com/Kicksecure/security-misc/pull/202
 2024-02-22 05:58:53 -05:00
Patrick Schleizer
3048e0ac76 usrmerge 
https://github.com/Kicksecure/security-misc/issues/190
 2024-01-17 13:54:07 -05:00
Patrick Schleizer
0efee2f50f usrmerge 
fixes https://github.com/Kicksecure/security-misc/issues/190
 2024-01-17 13:39:56 -05:00
Patrick Schleizer
3ba8fe586e update permission-hardener.service 
Which is now only an additional opt-in systemd unit,
because permission-hardener is run by default at security-misc
package installation time.

https://github.com/Kicksecure/security-misc/pull/181
 2024-01-16 09:23:54 -05:00
Patrick Schleizer
862bf6b5ab Merge remote-tracking branch 'ben-grande/clean' 2024-01-16 08:19:28 -05:00
Patrick Schleizer
1199871d7b undo IPv6 privacy due to potential server issues 
https://github.com/Kicksecure/security-misc/issues/184
 2024-01-07 06:37:34 -05:00
Patrick Schleizer
128bb01b35 undo IPv6 privacy due to potential server issues 
https://github.com/Kicksecure/security-misc/issues/184
 2024-01-07 06:36:25 -05:00
Patrick Schleizer
86f91e3030 revert umask 027 by default 
because broken because this also happens for root while it should not

https://github.com/Kicksecure/security-misc/issues/185
 2024-01-06 09:11:54 -05:00
Patrick Schleizer
3f1304403f disable MAC randomization in Network Manager (NM) because it breaks VirtualBox DHCP 
https://github.com/Kicksecure/security-misc/issues/184
 2024-01-06 08:15:31 -05:00
Raja Grewal
74afcc9c63 Clarify validity of disabling io_uring 2024-01-03 17:52:23 +11:00
Ben Grande
bc02c72018 Fix unbound variable 
- Run messages preceded by INFO;
- Comment unknown unused variables;
- Remove unnecessary variables; and
- Deal with unbound variable due to subshell by writing to a file;
 2024-01-02 17:08:45 +01:00
Ben Grande
abf72c2ee4 Rename file permission hardening script 
Hardener as the script is the agent that is hardening the file
permissions.
 2024-01-02 13:34:29 +01:00
Ben Grande
f138cf0f78 Refactor permission-hardener 
- Organize comments from default configuration;
- Apply and undo changes from a single file controlled by parameters;
- Arrays should be evaluated as arrays and not normal variables;
- Quote variables;
- Brackets around variables;
- Standardize test cases to "test" command;
- Test against empty or non-empty variables with "-z" and "-n";
- Show a usage message when necessary;
- Require root to run the script with informative message;
- Permit the user to see the help message without running as root;
- Do not create root directories without passing root check;
- Use long options for "set" command;
 2024-01-02 12:17:16 +01:00
Patrick Schleizer
8daf97ab01 Merge pull request #178 from raja-grewal/io_uring 
Disable asynchronous I/O
 2024-01-02 05:29:35 -05:00
Patrick Schleizer
5b36599c0c /dev/, /dev/shm, /tmp 
https://github.com/Kicksecure/security-misc/issues/157#issuecomment-1869073716
 2023-12-29 14:57:38 -05:00
Patrick Schleizer
c86c83cef7 formatting 
https://github.com/Kicksecure/security-misc/issues/157
 2023-12-25 10:31:58 -05:00
Patrick Schleizer
971ff687b1 do not mount /dev/cdrom by default 
https://github.com/Kicksecure/security-misc/issues/157
 2023-12-25 10:30:35 -05:00
Patrick Schleizer
9fce67fcd9 remove superfluous, broken remount mount option 
https://github.com/Kicksecure/security-misc/issues/157
 2023-12-25 10:28:47 -05:00
Patrick Schleizer
40fd8cb608 no nofail mount option to avoid breaking the boot of a system 
unit testing belongs elsewhere

https://github.com/Kicksecure/security-misc/issues/157
 2023-12-25 09:51:09 -05:00
Patrick Schleizer
4aa645f29f comment 
https://github.com/Kicksecure/security-misc/issues/157
 2023-12-25 09:46:33 -05:00
Patrick Schleizer
2b7aeedb4a mount /dev/cdrom to /mnt/cdrom (instead of /mnt/cdrom0) and 
nodev,nosuid,noexec

as per:
https://www.debian.org/doc/manuals/securing-debian-manual/ch04s10.en.html

https://github.com/Kicksecure/security-misc/issues/157
 2023-12-25 09:44:51 -05:00
Patrick Schleizer
0d9e9780da formatting 
https://github.com/Kicksecure/security-misc/issues/157
 2023-12-25 09:37:14 -05:00
Patrick Schleizer
00f9ab4394 /dev devtmpfs 
https://github.com/Kicksecure/security-misc/issues/157
 2023-12-25 09:36:05 -05:00
Patrick Schleizer
55709b3aa0 /tmp tmpfs 
https://github.com/Kicksecure/security-misc/issues/157
 2023-12-25 09:30:57 -05:00
Patrick Schleizer
b0dd967611 usrmerge 
https://github.com/Kicksecure/security-misc/issues/157
 2023-12-25 09:28:08 -05:00
Patrick Schleizer
269fada14a combine bind lines 
https://github.com/Kicksecure/security-misc/issues/157
 2023-12-25 09:25:14 -05:00
Raja Grewal
f055fe5da2 Disable asynchronous I/O 
io_uring creation is disabled for all processes. io_uring_setup always fails with -EPERM. Existing io_uring instances can still be used.
 2023-12-15 08:33:36 +00:00
Patrick Schleizer
039de1dc9b add hardened fstab /usr/share/doc/security-misc/fstab-vm 
to the documentation folder as an example

not directly used by security-misc

will later be used by Kicksecure VM build process

https://github.com/Kicksecure/security-misc/issues/157
 2023-12-12 11:50:11 -05:00
Patrick Schleizer
5a73817a95 move to /usr/lib/issue.d/20_security-misc.issue 
https://github.com/Kicksecure/security-misc/pull/167
 2023-12-04 11:38:49 -05:00
Patrick Schleizer
dc04040cb3 typo 2023-12-04 10:36:48 -05:00
Patrick Schleizer
2634dbff2b shuffle 2023-12-04 10:36:21 -05:00
Patrick Schleizer
a1e00be0e0 update link 2023-11-06 16:58:23 -05:00
Patrick Schleizer
df5f3e8056 output 2023-11-06 16:36:22 -05:00
Patrick Schleizer
3bc831a1f7 lintian 2023-11-06 16:27:29 -05:00
Patrick Schleizer
ad010ef5b4 debugging 2023-11-05 17:52:44 -05:00
Patrick Schleizer
3130a39d8c set -e 2023-11-05 17:43:07 -05:00
Patrick Schleizer
36f3c30440 Merge pull request #148 from monsieuremre/module-loading-hardening 
Harden the loading of new modules to the kernel after install
 2023-11-05 17:41:56 -05:00
Patrick Schleizer
4219347f0a fix permission-hardener config parsing issue 2023-11-05 16:43:44 -05:00
Patrick Schleizer
e72f79236b refactoring 2023-11-05 16:41:41 -05:00
Patrick Schleizer
dea0d9a78a fix permission-hardener config parsing issue 2023-11-05 16:40:49 -05:00
Patrick Schleizer
017ae18ad7 fix permission-hardener config parsing issue 2023-11-05 16:39:10 -05:00
Patrick Schleizer
65e3c14643 fix permission-hardener config parsing issue 2023-11-05 16:35:11 -05:00
Patrick Schleizer
d4494fd3c3 disable remount-secure dracut modules 
pending new systemd based implementation

https://github.com/Kicksecure/security-misc/pull/152
 2023-11-05 15:27:09 -05:00