|
|
b9d65338bc
|
unconditionally enable all CPU bugs (spectre, meltdown, L1TF, ...)
this might reduce performance
* `spectre_v2=on`
* `spec_store_bypass_disable=on`
* `tsx=off`
* `tsx_async_abort=full,nosmt`
Thanks to @madaidan for the suggestion!
https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647
|
2020-01-30 05:55:13 -05:00 |
|
|
|
c1a0da60be
|
set kernel boot parameter l1tf=full,force and nosmt=force
https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17
|
2020-01-30 00:46:48 -05:00 |
|
|
|
a37da1c968
|
add digits to drop-in file names
|
2020-01-24 04:39:06 -05:00 |
|
|
|
e0aa67677d
|
merge the many modprobe.d config files into 1
and use a name starting with double digits
to make it easier to disable settings using a lexically higher config file
|
2020-01-24 04:30:36 -05:00 |
|
|
|
6a4c493213
|
merge the many sysctl config files into 1
and use a name starting with double digits
to make it easier to disable settings using a lexically higher config file
|
2020-01-24 04:26:36 -05:00 |
|
|
|
6f8d89c6c5
|
error handling
|
2020-01-15 15:54:06 -05:00 |
|
|
|
f7fde60b67
|
Process sysctl.conf too
|
2020-01-15 20:28:32 +00:00 |
|
|
|
528c5fc4c4
|
Merge branch 'master' into sysctl-initramfs
|
2020-01-15 11:02:03 +00:00 |
|
|
|
80159545a5
|
fix xfce4-power-manager xfpm-power-backlight-helper pkexec lxsudo popup
https://forums.whonix.org/t/xfce4-power-manager-xfpm-power-backlight-helper-pkexec-lxsudo-popup/8764
do show lxqt-sudo password prompt if there is a sudoers exceptoin
improved pkexec wrapper logging
|
2020-01-15 02:42:10 -05:00 |
|
|
|
8c4e0ff1c4
|
Set sysctl values in initramfs
|
2020-01-12 21:37:37 +00:00 |
|
|
|
a662a76a52
|
Blacklist vivid
|
2020-01-11 18:37:00 +00:00 |
|
|
|
f3ff32ddbb
|
Protect /bin/mount from 'chmod -x'.
/bin/mount exactwhitelist
/usr/bin/mount exactwhitelist
Remove SUID from 'mount' but keep executable.
/bin/mount 745 root root
/usr/bin/mount 745 root root
https://forums.whonix.org/t/disable-suid-binaries/7706/61
|
2019-12-30 06:39:24 -05:00 |
|
|
|
e5623fcd2b
|
comment
|
2019-12-29 04:21:52 -05:00 |
|
|
|
674840e6f9
|
/fusermount matchwhitelist
unbreak AppImages such as electrum Bitcoin wallet
https://forums.whonix.org/t/disable-suid-binaries/7706/57
|
2019-12-26 05:44:35 -05:00 |
|
|
|
ede536913d
|
no longer hardcode amd64
|
2019-12-24 06:00:41 -05:00 |
|
|
|
27a42a9da8
|
Merge pull request #50 from madaidan/modules
Make /lib/modules unreadable
|
2019-12-24 10:55:11 +00:00 |
|
|
|
ac49c55d1f
|
Merge pull request #49 from madaidan/kver
Detect kernel upgrades
|
2019-12-24 10:55:03 +00:00 |
|
|
|
79241c5d09
|
Make /lib/modules unreadable
|
2019-12-23 20:28:29 +00:00 |
|
|
|
98e88d1456
|
Detect kernel upgrades
|
2019-12-23 19:57:43 +00:00 |
|
|
|
d1a0650fd9
|
Use only one slub_debug parameter
|
2019-12-23 19:44:52 +00:00 |
|
|
|
9d77d88a4d
|
comments
|
2019-12-23 09:39:50 -05:00 |
|
|
|
3e131174d5
|
comments
|
2019-12-23 05:00:35 -05:00 |
|
|
|
9f072ce4f9
|
comment
|
2019-12-23 03:46:02 -05:00 |
|
|
|
26fe9394ff
|
disable lockdown for now due to module loading
|
2019-12-23 03:41:54 -05:00 |
|
|
|
535c258b83
|
More kernel hardening
|
2019-12-23 03:35:07 -05:00 |
|
|
|
11b4192fbd
|
comments
|
2019-12-23 03:28:42 -05:00 |
|
|
|
2152fa2d61
|
comment
|
2019-12-23 02:38:53 -05:00 |
|
|
|
f8f2e6c704
|
fix disablewhitelist feature
|
2019-12-23 02:35:13 -05:00 |
|
|
|
47ddcad0c0
|
rename keyword whitelist to exactwhitelist
add new keyword disablewhitelist
refactoring
|
2019-12-23 02:29:47 -05:00 |
|
|
|
1ff56625a1
|
polkit-agent-helper-1 matchwhitelist to match both
- /usr/lib/policykit-1/polkit-agent-helper-1 matchwhitelist
- /lib/policykit-1/polkit-agent-helper-1
|
2019-12-23 01:42:03 -05:00 |
|
|
|
d484b299ea
|
matchwhitelist /qubes/qfile-unpacker to match both
- /usr/lib/qubes/qfile-unpacker whitelist
- /lib/qubes/qfile-unpacker
|
2019-12-23 01:38:31 -05:00 |
|
|
|
58a4e0bc7d
|
dbus-daemon-launch-helper matchwhitelist
|
2019-12-22 19:12:10 -05:00 |
|
|
|
15e3a2832d
|
comment
|
2019-12-22 18:57:23 -05:00 |
|
|
|
6eb8fd257a
|
suid utempter/utempter matchwhitelist
to cover both:
/usr/lib/x86_64-linux-gnu/utempter/utempter
/lib/x86_64-linux-gnu/utempter/utempter
|
2019-12-22 18:56:36 -05:00 |
|
|
|
bce02ffdc0
|
Merge pull request #47 from madaidan/msr
Blacklist CPU MSRs
|
2019-12-22 15:26:07 +00:00 |
|
|
|
dd93b11321
|
Blacklist CPU MSRs
|
2019-12-22 13:52:43 +00:00 |
|
|
|
2ddf7b5db5
|
/lib/ nosuid
|
2019-12-21 14:06:51 -05:00 |
|
|
|
2350e0f5d0
|
Merge remote-tracking branch 'origin/master'
|
2019-12-21 06:57:10 -05:00 |
|
|
|
efd65a3f15
|
Merge pull request #45 from madaidan/apparmor
Delete apparmor profiles
|
2019-12-21 11:56:31 +00:00 |
|
|
|
3ea587187e
|
no need to exclude xorg nosuid on Debian
http://forums.whonix.org/t/permission-hardening/8655/25
|
2019-12-21 06:53:07 -05:00 |
|
|
|
c28ddf5c4d
|
Delete usr.lib.security-misc.pam_tally2-info
|
2019-12-20 22:44:31 +00:00 |
|
|
|
cfe69dd669
|
Delete usr.lib.security-misc.permission-lockdown
|
2019-12-20 22:44:27 +00:00 |
|
|
|
d220bb3bc4
|
suid /usr/lib/chromium/chrome-sandbox whitelist
|
2019-12-20 13:07:01 -05:00 |
|
|
|
77b3dd5d6b
|
comments
|
2019-12-20 13:02:33 -05:00 |
|
|
|
d7bd477e73
|
add "/usr/lib/xorg/Xorg.wrap whitelist"
until this is researched
https://manpages.debian.org/buster/xserver-xorg-legacy/Xorg.wrap.1.en.html
https://lwn.net/Articles/590315/
|
2019-12-20 12:59:27 -05:00 |
|
|
|
17e8605119
|
add matchwhitelist feature
add "/usr/lib/virtualbox/ matchwhitelist"
|
2019-12-20 12:57:24 -05:00 |
|
|
|
3fab387669
|
suid /usr/bin/firejail whitelist
There is a controversy about firejail but those who choose to install it
should be able to use it.
https://www.whonix.org/wiki/Dev/Firejail#Security
|
2019-12-20 12:50:35 -05:00 |
|
|
|
d3f16a5bf4
|
sgid /usr/lib/qubes/qfile-unpacker whitelist
|
2019-12-20 12:47:10 -05:00 |
|
|
|
508ec0c6fa
|
comment
|
2019-12-20 12:34:07 -05:00 |
|
|
|
1b569ea790
|
comment
|
2019-12-20 12:32:36 -05:00 |
|
