Commit Graph

904 Commits

Author SHA1 Message Date
Patrick Schleizer
daf0a0900b
fix apt-get-update for non-English locale
https://forums.kicksecure.com/t/systemcheck-reports-warning-debian-package-update-check-result-apt-get-reports-that-packages-can-be-updated-but-system-is-already-fully-upgraded/785
2024-12-19 04:39:34 -05:00
Patrick Schleizer
c7f7196471
Merge pull request #287 from raja-grewal/patch
Refactor and add two CPU mitigations
2024-12-19 00:31:25 -05:00
Patrick Schleizer
e5b67e044b
Merge pull request #279 from raja-grewal/arp
Provide network-related hardening options via `sysctl`'s
2024-12-19 00:15:02 -05:00
Patrick Schleizer
4cf5757575
Merge pull request #282 from ArrayBolt3/arraybolt3/umask
Enable umask hardening
2024-12-19 00:08:56 -05:00
raja-grewal
3749f8ff09
Update presentation on user namespaces 2024-12-18 03:36:09 +00:00
raja-grewal
ca3a73ac13
Typo 2024-12-17 11:37:10 +00:00
raja-grewal
c116796854
arp_ignore: Add reference to 2024-12-10 Mullvad VPN audit details 2024-12-12 06:36:47 +00:00
Patrick Schleizer
7902311c57
do not create /etc/sysctl.d/30-lkrg-virtualbox.conf if LKRG is not installed 2024-12-07 04:54:47 -05:00
Patrick Schleizer
1ce37d42cd
. 2024-12-07 04:50:40 -05:00
Aaron Rainbolt
1708a03e1e
Enable umask hardening 2024-11-28 15:39:59 -06:00
Patrick Schleizer
98d7c245ee
"|| exit 1" no longer required thanks to errexit 2024-11-25 15:57:30 -05:00
Patrick Schleizer
f9b5d7d3f4
use strict shell options 2024-11-25 15:48:01 -05:00
Patrick Schleizer
d32cb8c95b
use TMP, sponge, refactoring 2024-11-25 15:44:00 -05:00
Aaron Rainbolt
d7475e252a
Make apt-get-update able to be terminated securely 2024-11-21 20:03:42 -06:00
Patrick Schleizer
c7e9460b2a
output 2024-11-14 16:31:12 -05:00
Patrick Schleizer
ef95b3f9a5
Revert "fix panic-on-oops.service"
This reverts commit 862d23cb10.
2024-11-14 14:41:14 -05:00
raja-grewal
412b371e85
Merge branch 'Kicksecure:master' into arp 2024-11-13 16:47:57 +11:00
raja-grewal
141b84c40d
Provide option to deny sending and receiving shared media redirects 2024-11-13 05:42:56 +00:00
raja-grewal
18aec201bf
Provide option to harden response to ARP requests 2024-11-13 05:41:25 +00:00
raja-grewal
a25d4f8df8
Provide option to enable ARP filtering 2024-11-13 05:40:21 +00:00
raja-grewal
c2aae73ce1
Add reference and move text 2024-11-13 05:38:03 +00:00
Patrick Schleizer
7c06e22c7d
deleted /usr/bin/pkexec.security-misc
This was not used anymore for anything. In the past, we used to `config-package-dev` `replace` `/usr/bin/pkexec` with `/usr/bin/pkexec.security-misc` for the purpose of:

> Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with hidepid.

* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040
* https://forums.whonix.org/t/cannot-use-pkexec/8129

This was a worthwhile effort, interesting approach but ultimately a dead-end.
2024-11-11 05:43:25 -05:00
Patrick Schleizer
862d23cb10
fix panic-on-oops.service
remove `After=multi-user.target` because already using `WantedBy=multi-user.target`

Thanks to @ArrayBolt3 for the bug report!
2024-11-11 05:36:41 -05:00
Patrick Schleizer
29ae5f5980
fix optional opt-in harden-module-loading.service
by making `/usr/libexec/security-misc/disable-kernel-module-loading` executable

Thanks to @ArrayBolt3 for the bug report!
2024-11-11 05:28:31 -05:00
Patrick Schleizer
5bd0a277bf
fix permission-hardener issue "Removing capabilities failed. File: '/bin/ping'"
no longer user end-of-options marker (`--`) for `setcap`
since setcap does not support it

Fixes https://github.com/QubesOS/qubes-issues/issues/9569

https://forums.whonix.org/t/permission-hardener-error/20719
2024-11-10 06:29:17 -05:00
raja-grewal
a1d1f97955
Provide option to drop gratuitous ARP packets 2024-11-08 03:58:23 +00:00
Patrick Schleizer
71c58442ca
minor 2024-10-28 05:10:19 -04:00
Patrick Schleizer
cfe19e31d8
shell options 2024-10-28 05:09:53 -04:00
Patrick Schleizer
0d50615658
local 2024-10-28 05:07:00 -04:00
Patrick Schleizer
ef0eb5f7a0
refactoring 2024-10-28 05:06:26 -04:00
Patrick Schleizer
fdd1f4b7f8
refactoring 2024-10-28 05:06:05 -04:00
Patrick Schleizer
d00235897d
hide-hardware-info: also parse /usr/local/etc/hide-hardware-info.d/*.conf 2024-10-28 05:03:59 -04:00
Patrick Schleizer
6c2e808b9f
refactoring 2024-10-28 05:03:20 -04:00
Patrick Schleizer
566cda5e4b
output 2024-10-21 05:47:38 -04:00
Patrick Schleizer
5991a23049
comment 2024-10-21 05:47:25 -04:00
Aaron Rainbolt
690e8dd826
Avoid faillock lock/tally reset on reboot or timeout 2024-10-19 23:52:51 -05:00
Patrick Schleizer
b6433309fd
use end-of-options 2024-10-18 12:45:02 -04:00
raja-grewal
09fe46adc9
Clarify KSPP compliance header for the undocumented case 2024-10-14 02:54:30 +00:00
raja-grewal
0c0774f6c0
Merge branch 'master' into text_2 2024-10-06 10:48:52 +00:00
Patrick Schleizer
0e3ffa3f11
no longer set kernel.unprivileged_userns_clone=0
because it breaks too much

fixes https://github.com/Kicksecure/security-misc/issues/274
2024-10-03 02:58:58 -04:00
Patrick Schleizer
f401d94d5e
expand documentation on kernel.unprivileged_userns_clone=0 sysctl
https://github.com/Kicksecure/security-misc/issues/274
2024-10-03 02:44:06 -04:00
raja-grewal
f3b50a23c9
Add reference on unprivileged_userns_restriction 2024-09-26 13:10:01 +00:00
raja-grewal
39d063d494
Add KSPP=no definition 2024-09-26 13:09:21 +00:00
raja-grewal
870ff88605
Comment on Flatpak requiring unprivileged user namespaces 2024-09-25 10:01:45 +10:00
Patrick Schleizer
563a898013
Merge pull request #265 from raja-grewal/mmap_min_addr
Set `sysctl vm.mmap_min_addr=65536`
2024-09-04 10:11:48 -04:00
Patrick Schleizer
175945ec9a
Merge pull request #268 from raja-grewal/panic_on_warn
Enable `panic_on_warn=1`
2024-09-04 10:05:47 -04:00
raja-grewal
7393ba1591
Typo 2024-09-04 23:23:24 +10:00
Raja Grewal
6294729c8e
Follow-up on f70fe308a9 2024-08-29 15:34:24 +10:00
Raja Grewal
3101035a3f
Enable panic_on_warn=1 2024-08-29 01:57:32 +10:00
Patrick Schleizer
f70fe308a9
no longer set sysctl fs.binfmt_misc.status=0 /
no longer disallow registering interpreters for miscellaneous binary formats

causing file/folder permissions issue `d????????? ? ? ? ?            ? .`

Firefox no longer starting (probably not not a Firefox issue)

https://github.com/Kicksecure/security-misc/issues/267
2024-08-28 06:49:50 -04:00