f4d652fa7b
Update presentation of quiet loglevel=0
2024-07-15 14:39:12 +10:00
48e1ac4163
Remove the optional slub_debug parameter since it is no longer recommended
2024-07-15 02:04:25 +10:00
99038c7a06
Add option to disable support for x86 processes and syscalls in the future
2024-07-15 02:02:01 +10:00
f550fbe07c
Add option to disable the entire IPv6 stack functionality
2024-07-15 01:59:04 +10:00
a33d4cd099
Refactor existing kernel parameters for clarity
2024-07-15 01:56:25 +10:00
9f58266546
Move nf_conntrack_helper disabling into separate file
2024-07-13 23:32:01 +10:00
98580bb39a
Update modprobe presentation
2024-07-13 23:29:52 +10:00
41a3bf92fb
Sort 30_security-misc_disable.conf
2024-07-12 16:21:41 +10:00
b02230a783
Split modprobe into blacklisted and disabled configurations
2024-07-12 02:42:37 +10:00
fc792ff232
Alphabetically sort existing modprobe
2024-07-12 02:29:36 +10:00
fe20f3240e
Refactor existing modprobe for clarity
2024-07-12 02:28:48 +10:00
275a4ffc11
Remove redundant disabled modules
2024-07-12 02:27:56 +10:00
e198447866
fix(etc): delete typo in /etc/apparmor.d tunables
...
/etc/pam.d was present twice in a row ("/etc/pam.d//etc/pam.d") in this
file: /etc/apparmor.d/tunables/home.d/security-misc.
2024-06-08 22:17:05 -06:00
e0cd9579d6
remove duplicate fsckobjects = true from /etc/gitconfig
2024-06-01 13:32:13 -04:00
4efa293f3b
add /etc/gitconfig by default for better git security
...
```
[core]
symlinks = false
[transfer]
fsckobjects = true
fsckobjects = true
[fetch]
fsckobjects = true
fsckobjects = true
[receive]
fsckobjects = true
fsckobjects = true
```
+ additional suggestions as comments
fixes https://github.com/Kicksecure/security-misc/issues/225
2024-05-28 07:51:06 -04:00
1bb843ec38
Update Copyright (C) to 2024
2024-05-11 13:18:36 +10:00
0f1119f326
Merge pull request #221 from raja-grewal/firewire
...
Disable Firewire Module
2024-05-10 06:45:57 -04:00
547757f451
Merge pull request #220 from raja-grewal/block_gps
...
Block Several GPS-related Modules
2024-05-10 06:45:34 -04:00
677f75ae8e
Disable firewire-net module
2024-05-09 02:34:02 +00:00
06f13bb766
Disable GPS modules like GNSS
2024-05-09 02:28:53 +00:00
4694268b8f
Remove a word
2024-05-05 12:52:51 +00:00
8f7768ce96
Add vendor links
2024-05-05 12:50:39 +00:00
0c031a29d3
RFDS mitigation on Intel Atom CPUs (including E-cores)
2024-05-01 13:55:09 +10:00
1122b3402c
GDS mitigation for CPUs
2024-05-01 13:50:42 +10:00
c002bd62e8
Clarify use of mitigations=auto
2024-05-01 13:49:34 +10:00
d89d7e8ef8
Add reference for RETBleed
2024-05-01 13:49:00 +10:00
015dcc4212
Add reference for SSB
2024-05-01 13:48:13 +10:00
de4f4be947
Merge spectre mitigations
2024-05-01 13:47:40 +10:00
965c8641fd
Update BHI mitigation reference
2024-05-01 13:47:02 +10:00
493576836c
BHI mitigation on Intel CPUs
2024-04-12 00:17:06 +10:00
7dba3fb7be
no longer disable MSR by default
...
fixes https://github.com/Kicksecure/security-misc/issues/215
2024-04-01 02:56:27 -04:00
6b76373395
fix panic-on-oops started every 10s in Qubes-Whonix
...
by changing from a /etc/profile.d etc. related mechanism to start to a systemd unit file based approach
Thanks to @marmarek for the bug report!
https://forums.whonix.org/t/panic-on-oops-started-every-10s/19450
2024-03-04 06:44:26 -05:00
af6c6971a7
comment
2024-03-04 06:33:51 -05:00
e013070e0b
newline
2024-03-04 06:33:21 -05:00
ef44ecea44
Add option to disabe /sys hardening
2024-02-22 17:27:46 +01:00
b16c99ab62
Remove hardcoded spec_rstack_overflow setting
2024-01-29 13:39:40 +00:00
139b10a9aa
Control RAS overflow mitigation on AMD Zen CPUs
2024-01-29 12:59:13 +00:00
6c54e35027
Enable mitigations for RETBleed vulnerability and disable SMT
2024-01-29 12:58:51 +00:00
4509a5fc95
Enable known mitigations for CPU vulnerabilities and disable SMT
2024-01-29 12:58:14 +00:00
4231155efa
Add reference for kernel parameters
2024-01-29 12:57:48 +00:00
071b984a1e
sort -d
...
https://github.com/Kicksecure/security-misc/issues/190
2024-01-17 13:49:05 -05:00
011e55e3e5
remove duplicates after usrmerge
...
https://github.com/Kicksecure/security-misc/issues/190
2024-01-17 13:45:17 -05:00
0efee2f50f
usrmerge
...
fixes https://github.com/Kicksecure/security-misc/issues/190
2024-01-17 13:39:56 -05:00
4f7973bc56
comment
2024-01-16 08:56:26 -05:00
abf72c2ee4
Rename file permission hardening script
...
Hardener as the script is the agent that is hardening the file
permissions.
2024-01-02 13:34:29 +01:00
f138cf0f78
Refactor permission-hardener
...
- Organize comments from default configuration;
- Apply and undo changes from a single file controlled by parameters;
- Arrays should be evaluated as arrays and not normal variables;
- Quote variables;
- Brackets around variables;
- Standardize test cases to "test" command;
- Test against empty or non-empty variables with "-z" and "-n";
- Show a usage message when necessary;
- Require root to run the script with informative message;
- Permit the user to see the help message without running as root;
- Do not create root directories without passing root check;
- Use long options for "set" command;
2024-01-02 12:17:16 +01:00
f70a034da2
exclude hardened malloc from SUID disabler
...
fixes https://github.com/Kicksecure/security-misc/issues/179
2023-12-22 08:31:58 -05:00
5a73817a95
move to /usr/lib/issue.d/20_security-misc.issue
...
https://github.com/Kicksecure/security-misc/pull/167
2023-12-04 11:38:49 -05:00
dfaea492c7
remove etc/issue.net.d/20_security-misc
...
since not mentioned on debian.org
2023-12-04 11:37:02 -05:00
36850f89fb
Merge pull request #167 from monsieuremre/patch-4
...
Non-Identifiable and Generic Issue Banners that include the Recommended Keywords
2023-12-04 11:27:16 -05:00
