security-misc

mirror of https://github.com/Kicksecure/security-misc.git synced 2025-07-31 07:10:24 +07:00

Author	SHA1	Message	Date
Patrick Schleizer	8e112c3423	description	2019-12-20 06:53:24 -05:00
Patrick Schleizer	24ea70384b	description	2019-12-20 06:53:03 -05:00
Patrick Schleizer	2c4170e6f3	description	2019-12-12 09:47:58 -05:00
Patrick Schleizer	2d5ef378f3	description	2019-12-12 09:39:39 -05:00
Patrick Schleizer	c192644ee3	security-misc `/usr/share/pam-configs/permission-lockdown-security-misc` is no longer required, removed. Thereby fix apparmor issue. > Dec 08 09:47:50 host audit[3232]: AVC apparmor="DENIED" operation="exec" profile="/usr/bin/whonixcheck" name="/usr/lib/security-misc/permission-lockdown" pid=3232 comm="sudo" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 > Dec 08 09:47:50 host sudo[3232]: pam_exec(sudo:session): execve(/usr/lib/security-misc/permission-lockdown,...) failed: Permission denied It is no longer required, because... existing linux user accounts: * Get permission lock down because security-misc `debian/security-misc.postinst` calls `/usr/lib/security-misc/permission-lockdown`. new linux user accounts (created at first boot): * security-misc `/usr/share/pam-configs/mkhomedir-security-misc` pam mkhomedir sets secure permissions using `umask=027`.	2019-12-08 05:21:35 -05:00
Patrick Schleizer	1dbca1ea2d	add usr/bin/hardening-enable	2019-12-08 02:27:09 -05:00
Patrick Schleizer	24423b42f0	description	2019-12-08 02:03:05 -05:00
Patrick Schleizer	66bebefc9f	description	2019-12-08 02:00:23 -05:00
Patrick Schleizer	b871421a54	usr/share/pam-configs/console-lockdown -> usr/share/pam-configs/console-lockdown-security-misc	2019-12-08 01:57:43 -05:00
Patrick Schleizer	1464f01d19	description	2019-12-08 01:30:42 -05:00
Patrick Schleizer	55225aa30e	description	2019-12-07 07:16:07 -05:00
Patrick Schleizer	34a2bc16c8	description	2019-12-07 07:15:58 -05:00
Patrick Schleizer	d823f06c78	description	2019-12-07 07:13:42 -05:00
Patrick Schleizer	090ddbe96a	description	2019-12-07 06:00:41 -05:00
Patrick Schleizer	6479c883bf	Console Lockdown. Allow members of group 'console' to use tty1 to tty7. Everyone else except members of group 'console-unrestricted' are restricted from using console using ancient, unpopular login methods such as using /bin/login over networks, which might be exploitable. (CVE-2001-0797) Not enabled by default in this package since this package does not know which users shall be added to group 'console'. In new Whonix builds, user 'user" will be added to group 'console' and pam console-lockdown enabled by package anon-base-files. /usr/share/pam-configs/console-lockdown /etc/security/access-security-misc.conf https://forums.whonix.org/t/etc-security-hardening/8592	2019-12-07 05:40:20 -05:00
Patrick Schleizer	6d92d03b31	description	2019-12-07 01:54:50 -05:00
Patrick Schleizer	470cad6e91	remount /home /tmp /dev/shm /run with nosuid,nodev (default) and noexec (opt-in) https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707	2019-12-06 05:14:02 -05:00
madaidan	af9e19c51f	Update control	2019-12-05 20:14:55 +00:00
Patrick Schleizer	0c25a96b59	description / comments	2019-12-03 02:18:32 -05:00
madaidan	8d63da3cef	Update control	2019-12-02 16:46:12 +00:00
Patrick Schleizer	25aed91eb1	description	2019-11-28 09:20:46 -05:00
Patrick Schleizer	0c4e5df3e0	description	2019-11-28 09:18:05 -05:00
Patrick Schleizer	5ac2a6f9ac	description	2019-11-28 09:17:32 -05:00
Patrick Schleizer	aa5451c8cd	Lock user accounts after 50 rather than 100 failed login attempts. https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698/19	2019-11-25 01:39:53 -05:00
Patrick Schleizer	fe1f1b73a7	load jitterentropy_rng kernel module for better entropy collection https://www.whonix.org/wiki/Dev/Entropy https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927972 https://forums.whonix.org/t/jitterentropy-rngd/7204	2019-11-23 11:20:32 +00:00
Patrick Schleizer	b55c2fd62e	Enables punycode (`network.IDN_show_punycode`) by default in Thunderbird to make phising attacks more difficult. Fixing URL not showing real Domain Name (Homograph attack). https://forums.whonix.org/t/enable-network-idn-show-punycode-by-default-in-thunderbird-to-fix-url-not-showing-real-domain-name-homograph-attack-punycode/8415	2019-11-03 02:50:51 -05:00
Patrick Schleizer	203d5cfa68	copyright	2019-10-31 11:19:44 -04:00
madaidan	fe4e29d392	Depend on dh-apparmor	2019-10-28 14:22:47 +00:00
Patrick Schleizer	40707e70db	Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with hidepid. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040 https://forums.whonix.org/t/cannot-use-pkexec/8129 Thanks to AnonymousUser for the bug report!	2019-10-21 05:46:49 -04:00
Patrick Schleizer	d301e7f365	description, fix lintian warning	2019-10-18 10:36:44 +00:00
madaidan	259b1f2c71	Update control	2019-10-16 19:21:24 +00:00
Patrick Schleizer	8b4f2befd4	comment out sack by default https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109/8?u=patrick	2019-10-05 13:15:34 +00:00
Patrick Schleizer	02096f8d7c	Revert "undo Disabling TCP SACK, DSACK, FACK" This reverts commit `5fb4eb8e56`.	2019-10-05 13:13:46 +00:00
Patrick Schleizer	5fb4eb8e56	undo Disabling TCP SACK, DSACK, FACK https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109/5	2019-10-05 07:00:47 -04:00
madaidan	ec5fcf813b	Update control	2019-10-03 20:50:48 +00:00
Patrick Schleizer	619550da23	description	2019-09-15 14:00:24 +00:00
Patrick Schleizer	b95b66e429	description	2019-09-15 13:56:37 +00:00
Patrick Schleizer	ae804a15e7	description	2019-09-15 13:21:02 +00:00
Patrick Schleizer	f13a73e569	undo SysRq restrictions https://forums.whonix.org/t/sysrq-magic-sysrq-key/8079	2019-09-10 12:35:42 -04:00
Patrick Schleizer	661bcd8603	allow loading unsigned modules due to issues https://forums.whonix.org/t/allow-loading-signed-kernel-modules-by-default-disallow-kernel-module-loading-by-default/7880/23	2019-09-07 05:39:56 +00:00
Patrick Schleizer	5960c1682a	description	2019-09-06 11:46:22 +00:00
Patrick Schleizer	fccfacfdaf	description	2019-09-06 11:45:54 +00:00
Patrick Schleizer	0e20e33d16	description	2019-09-05 02:31:57 -04:00
Patrick Schleizer	0b3dcef13d	description	2019-09-05 02:30:40 -04:00
Patrick Schleizer	f2e5883b4c	description	2019-09-05 02:29:48 -04:00
Patrick Schleizer	a4913ae092	description	2019-09-05 02:28:43 -04:00
Patrick Schleizer	3a5bdddf5c	depend on adduser	2019-08-31 08:43:46 -04:00
Patrick Schleizer	0ae5c5ff14	remove umask changes since these are causing issues are are not needed anymore thanks to home folder permission lockdown https://forums.whonix.org/t/change-default-umask/7416/45	2019-08-24 12:14:22 -04:00
Patrick Schleizer	a74b983283	remove LLC - IEEE 802.2 from blacklist since required by KVM https://forums.whonix.org/t/whonix-desktop-installer-with-calamares-field-report/7350/107 https://forums.whonix.org/t/blacklist-uncommon-network-protocols/7391/22 https://github.com/Whonix/security-misc/pull/29	2019-08-19 12:46:59 +00:00
Patrick Schleizer	e535232728	description	2019-08-17 10:37:49 +00:00

1 2 3

136 Commits