mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-07-13 17:29:47 +07:00
Code Issues Packages Projects Releases Wiki Activity
NaN Commits 4 Branches 456 Tags
92669dba186c6ac40ff601fd39639945cd7633c6
Commit Graph

62 Commits

Author SHA1 Message Date
Raja Grewal
bb831d57bc delete repeated commands 2022-07-19 00:38:32 +10:00
Raja Grewal
c77a2a78bc enforce default net.ipv6.icmp_ignore_bogus_error_responses 2022-07-19 00:37:31 +10:00
Raja Grewal
4e93b4d37e Revert "enforce defualt net.ipv4.ip_forward" 
This reverts commit 57b5b2145c.
 2022-07-13 21:10:39 +10:00
Raja Grewal
57b5b2145c enforce defualt net.ipv4.ip_forward 2022-07-13 04:30:43 +10:00
Raja Grewal
79156262c9 enforce default net.ipv4.icmp_ignore_bogus_error_responses 2022-07-13 04:29:42 +10:00
Raja Grewal
dabcaf22e1 enforce default kernel.randomize_va_space 2022-07-13 04:28:03 +10:00
Patrick Schleizer
72908d6b0d comments 2022-06-29 11:34:55 -04:00
Patrick Schleizer
2d37e3a1af copyright 2022-05-20 14:46:38 -04:00
Patrick Schleizer
a67007f4b7 copyright 2021-03-17 09:45:21 -04:00
flawedworld
8f7727e823 Add some IPv6 options 2020-09-18 23:36:30 +01:00
flawedworld
944fed3c45 Disallow kernel profiling by users without CAP_SYS_ADMIN 
It's the default on a lot of stuff, but still nice to have.
 2020-09-18 23:29:04 +01:00
Patrick Schleizer
3cd7b144bb move "kernel.printk = 3 3 3 3" to separate file /etc/sysctl.d/30_silent-kernel-printk.conf 
so package debug-misc can easily disable it

https://phabricator.whonix.org/T950
 2020-05-14 13:47:58 -04:00
Patrick Schleizer
8d2e4b68dc Prevent kernel info leaks in console during boot. 
By setting `kernel.printk = 3 3 3 3`.

https://phabricator.whonix.org/T950

Thanks to @madaidan for the suggestion!
 2020-04-16 08:00:31 -04:00
Patrick Schleizer
565ff136e5 vm.swappiness=1 
import from swappiness-lowest

https://forums.whonix.org/t/vm-swappiness-1-set-swapiness-to-lowest-setting-still-useful-swappiness-lowest/9278
 2020-04-08 21:04:02 +00:00
Patrick Schleizer
2ceea8d1fe update copyright year 2020-04-01 08:49:59 -04:00
madaidan
4d0de87f79 Disable unprivileged userfaultfd use again 2020-03-08 17:49:49 +00:00
Patrick Schleizer
284a491100 disable vm.unprivileged_userfaultfd=0 for now 
because broken

https://forums.whonix.org/t/kernel-hardening/7296/406

reverts "Restrict the userfaultfd() syscall to root as it can make heap sprays easier."

https://duasynt.com/blog/linux-kernel-heap-spray
 2020-03-08 08:07:10 -04:00
madaidan
6b64b36b01 Restrict the userfaultfd() syscall to root 2020-02-24 18:23:15 +00:00
madaidan
a79ce7fa68 Document ldisc_autoload better 2020-02-15 17:30:21 +00:00
Patrick Schleizer
1e5946c795 Merge branch 'master' into sysrq 2020-02-15 10:41:52 +00:00
madaidan
d251c43344 Restrict the SysRq key 2020-02-14 18:17:20 +00:00
madaidan
0ea7dd161b Restrict loading line disciplines to CAP_SYS_MODULE 2020-02-14 17:50:19 +00:00
madaidan
5cb21d0d4d Prevent symlink/hardlink TOCTOU races 2020-02-12 18:03:23 +00:00
Patrick Schleizer
6a4c493213 merge the many sysctl config files into 1 
and use a name starting with double digits

to make it easier to disable settings using a lexically higher config file
 2020-01-24 04:26:36 -05:00
Patrick Schleizer
8cf5ed990a comment 2019-12-05 15:52:24 -05:00
madaidan
30289c68c2 Enable reverse path filtering 2019-12-05 20:13:10 +00:00
madaidan
4f5b7816ec Elaborate 2019-10-16 19:01:49 +00:00
madaidan
99a762d3dc KASLR is different from ASLR 2019-10-16 18:53:04 +00:00
Patrick Schleizer
c22738be02 comments 2019-10-07 08:25:45 +00:00
Patrick Schleizer
75f36bc2c9 comments 2019-10-07 08:25:07 +00:00
Patrick Schleizer
e92a8a6966 comments 2019-10-07 08:24:02 +00:00
Patrick Schleizer
60c044a9d6 copyright / comments 2019-10-07 05:30:56 +00:00
Patrick Schleizer
cd2135ff82 comments 2019-10-06 10:18:24 +00:00
Patrick Schleizer
8b4f2befd4 comment out sack by default 
https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109/8?u=patrick
 2019-10-05 13:15:34 +00:00
Patrick Schleizer
02096f8d7c Revert "undo Disabling TCP SACK, DSACK, FACK" 
This reverts commit 5fb4eb8e56.
 2019-10-05 13:13:46 +00:00
Patrick Schleizer
5fb4eb8e56 undo Disabling TCP SACK, DSACK, FACK 
https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109/5
 2019-10-05 07:00:47 -04:00
madaidan
d0c6bb1e90 Disable TCP DSACK and FACK 2019-10-04 17:35:54 +00:00
Patrick Schleizer
f13a73e569 undo SysRq restrictions 
https://forums.whonix.org/t/sysrq-magic-sysrq-key/8079
 2019-09-10 12:35:42 -04:00
Patrick Schleizer
ccdbc52b82 comment 2019-09-06 11:43:55 +00:00
Patrick Schleizer
051856bc8e remove trailing space 2019-09-06 11:42:38 +00:00
madaidan
1bf802f846 Create coredumps.conf 2019-06-30 00:16:50 +00:00
madaidan
f040081a59 Prevent setuid processes from creating coredumps. 2019-06-30 00:13:52 +00:00
Patrick Schleizer
ab312235ba Merge pull request #14 from madaidan/patch-10 
Add some hardening for other distributions
 2019-06-28 06:59:16 +00:00
Patrick Schleizer
5e02100e34 Merge pull request #13 from madaidan/patch-9 
Remove System.map and restrict the SysRq key.
 2019-06-28 06:58:32 +00:00
madaidan
3801a53a9e Update tcp_hardening.conf 2019-06-27 18:17:58 +00:00
madaidan
c54125270b Create dmesg_restrict.conf 2019-06-27 18:15:57 +00:00
madaidan
01c839c815 Restrict what the SysRq key can do 2019-06-25 19:16:43 +00:00
madaidan
807ac7d659 Create tcp_sack.conf 2019-06-22 16:08:30 +00:00
madaidan
b814f338b8 Update tcp_hardening.conf 2019-05-16 16:33:03 +00:00
madaidan
e6794721bd Update ptrace_scope.conf 2019-05-16 16:29:20 +00:00