c94281121e
comment
2021-08-01 16:37:02 -04:00
eff5af0318
https://forums.whonix.org/t/restrict-root-access/7658/116
2021-06-20 10:16:33 -04:00
97d8db3f74
Restrict sudo's file permissions
2021-06-05 19:16:42 +00:00
d87bee37f7
comment
2021-06-01 07:21:18 -04:00
809930c021
comment
2021-06-01 05:36:01 -04:00
e2afd00627
modify DKMS configuration file /etc/dkms/framework.conf
...
Lower parallel compilation jobs to 1 if less than 2 GB RAM to avoid freezing of virtual machines.
`parallel_jobs=1`
This does not necessarily belong into security-misc, however likely
security-misc will need to modify `/etc/dkms/framework.conf` in the future to
enable kernel module signing.
https://forums.whonix.org/t/linux-kernel-runtime-guard-lkrg-linux-kernel-runtime-integrity-checking-and-exploit-detection/8477/26
https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/58
2021-04-29 11:14:30 -04:00
3ba3b37187
add /etc/dkms/framework.conf.security-misc
...
original, from
- https://github.com/dell/dkms/blob/master/dkms_framework.conf
- https://raw.githubusercontent.com/dell/dkms/master/dkms_framework.conf
https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/58
2021-04-29 11:08:30 -04:00
a67007f4b7
copyright
2021-03-17 09:45:21 -04:00
a1819e8cab
comment
2021-03-01 09:15:44 -05:00
4db7d6be64
hide-hardware-info: allow unrestricting selinuxfs
...
On SELinux systems, the /sys/fs/selinux directory must be visible to
userspace utilities in order to function properly.
2021-02-06 03:02:08 -05:00
a258f35f38
comment
2021-01-05 02:11:08 -05:00
b2b614ed2a
cover more folders in /usr/local
2020-12-06 04:15:52 -05:00
5bd267d774
refactoring
2020-12-06 04:10:50 -05:00
11cdce02a0
refactoring
2020-12-06 04:10:10 -05:00
f73c55f16c
/opt
...
https://forums.whonix.org/t/suid-disabler-and-permission-hardener/7706/68
2020-12-06 04:08:58 -05:00
c031f22995
SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists
...
`whitelists_disable_all=true`
2020-12-01 05:14:48 -05:00
b09cc0de6a
Revert "SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists"
...
This reverts commit 36a471ebce
2020-12-01 05:10:26 -05:00
704f0500ba
fix, rename 40_default_whitelist_[...].conf to 25_default_whitelist_[...].conf
...
since whitelist needs to be defined before SUID removal commands
2020-12-01 05:03:16 -05:00
36a471ebce
SUID Disabler and Permission Hardener: introduce configuration option to disable all whitelists
...
`whitelists_disable_all=true`
2020-12-01 05:02:34 -05:00
318ab570aa
simplify disabling of SUID Disabler and Permission Hardener whitelist
...
split `/etc/permission-hardening.d/30_default.conf` into multiple files
`/etc/permission-hardening.d/40_default_whitelist_[...].conf`
therefore make it easier to delete any whitelisted SUID binaries
2020-12-01 04:28:15 -05:00
cf07e977bd
add /bin/pkexec exactwhitelist for consistency
...
since there is already `/usr/bin/pkexec exactwhitelist`
2020-11-29 09:09:42 -05:00
bb72c1278d
copyright
2020-11-05 06:36:39 -05:00
c1e0bb8310
shebang
2020-10-31 06:11:49 -04:00
3f656be574
chmod +x /etc/X11/Xsession.d/50panic_on_oops
...
chmod +x /etc/X11/Xsession.d/50security-misc
2020-10-31 05:48:10 -04:00
06ffd5d220
Restrict access to debugfs
2020-09-28 19:21:20 +00:00
da1ac48cde
unblacklist squashfs as this would likely break Whonix-Host ISO
...
https://github.com/Whonix/security-misc/pull/75#issuecomment-700044182
2020-09-28 10:29:50 -04:00
4070133ed6
unblacklist vfat
...
https://github.com/Whonix/security-misc/pull/75#issuecomment-695201068
2020-09-28 10:25:57 -04:00
3684ab585e
Merge pull request #75 from flawedworld/patch-1
...
Blacklist more modules (based on OpenSCAP for RHEL 8)
2020-09-28 14:24:15 +00:00
ae90107e6d
Merge pull request #76 from flawedworld/patch-2
...
Add IPv6 sysctl options and enforce kernel.perf_event_paranoid=3
2020-09-28 14:23:42 +00:00
a813e7da07
Blacklist more modules
2020-09-19 20:46:19 +01:00
9239c8b807
Merge pull request #71 from onions-knight/patch-1
...
Update thunar.xml
2020-09-19 10:54:21 +00:00
8f7727e823
Add some IPv6 options
2020-09-18 23:36:30 +01:00
944fed3c45
Disallow kernel profiling by users without CAP_SYS_ADMIN
...
It's the default on a lot of stuff, but still nice to have.
2020-09-18 23:29:04 +01:00
7e267ab498
fix, allow group sudo and console to use consoles
...
fix /etc/security/access-security-misc.conf syntax error
Thanks to @81a989 for the bug report!
https://forums.whonix.org/t/etc-security-hardening-console-lockdown-pam-access-access-conf/8592/31
2020-08-03 08:12:19 -04:00
3cd7b144bb
move "kernel.printk = 3 3 3 3" to separate file /etc/sysctl.d/30_silent-kernel-printk.conf
...
so package debug-misc can easily disable it
https://phabricator.whonix.org/T950
2020-05-14 13:47:58 -04:00
6485df8126
Prevent kernel info leaks in console during boot.
...
add kernel parameter `quiet loglevel=0`
https://phabricator.whonix.org/T950
2020-04-23 12:26:31 -04:00
8d2e4b68dc
Prevent kernel info leaks in console during boot.
...
By setting `kernel.printk = 3 3 3 3`.
https://phabricator.whonix.org/T950
Thanks to @madaidan for the suggestion!
2020-04-16 08:00:31 -04:00
4898a9e753
fix, sysctl-initramfs: switch log to /run/initramfs/sysctl-initramfs-error.log
...
since ephemeral, in RAM, not written to disk, no conflict with grub-live
https://forums.whonix.org/t/kernel-hardening/7296/435
2020-04-16 07:54:33 -04:00
701da5f6cc
formatting
2020-04-16 07:24:44 -04:00
253578afdf
/etc/security/access-security-misc.conf white list ttyS0 etc.
...
ttyS0 ttyS1 ttyS2 ttyS3 ttyS4 ttyS5 ttyS6 ttyS7 ttyS8 ttyS9
Thanks to @subpar_marlin for the bug report and helping to fix this!
https://forums.whonix.org/t/how-do-i-enter-the-whonix-shell-from-cli/7271/43
https://forums.whonix.org/t/etc-security-hardening/8592
2020-04-13 06:50:32 -04:00
b3ce18f0f9
disable proc-hidepid by default because incompatible with pkexec
...
and undo pkexec wrapper
2020-04-12 16:54:10 -04:00
4429315291
disable proc-hidepid by default because incompatible with pkexec
...
and undo pkexec wrapper
2020-04-12 16:52:55 -04:00
938e929f39
add pkexec to suid default whitelist
...
/usr/bin/pkexec exactwhitelist
/usr/bin/pkexec.security-misc-orig exactwhitelist
2020-04-12 16:37:51 -04:00
565ff136e5
vm.swappiness=1
...
import from swappiness-lowest
https://forums.whonix.org/t/vm-swappiness-1-set-swapiness-to-lowest-setting-still-useful-swappiness-lowest/9278
2020-04-08 21:04:02 +00:00
72228946dc
fix etc/default/grub.d/40_kernel_hardening.cfg
...
in Qubes if no kernel package is installed
2020-04-08 16:46:11 +00:00
5c81e1f23f
import from anon-gpg-conf
2020-04-06 09:25:45 -04:00
a7f2a2a3b6
console lockdown: allow members of group sudo to use console
...
https://forums.whonix.org/t/etc-security-hardening/8592
https://github.com/Whonix/security-misc/pull/74#issuecomment-607748407
https://www.whonix.org/wiki/Dev/Strong_Linux_User_Account_Isolation#Console_Lockdown
2020-04-02 06:04:45 -04:00
7764ee0d20
comments
2020-04-02 05:58:16 -04:00
2ceea8d1fe
update copyright year
2020-04-01 08:49:59 -04:00
814f613a2f
When using systemd-nspawn (chroot) then login requires console 'console' to be permitted.
2020-03-31 07:08:25 -04:00
