Commit Graph

932 Commits

Author SHA1 Message Date
Patrick Schleizer
1b33e83529
Merge pull request #291 from raja-grewal/drop_gratuitous_arp
Drop gratuitous ARP packets
2025-01-10 10:29:30 -05:00
Patrick Schleizer
486757bfae
Merge pull request #290 from raja-grewal/arp_ignore
Respond to ARP requests only if the target IP address is on-link
2025-01-10 10:29:12 -05:00
Patrick Schleizer
17ff249150
Merge pull request #289 from raja-grewal/arp_filter
Enable ARP filtering
2025-01-10 10:28:48 -05:00
Patrick Schleizer
27d19ba568
Merge pull request #288 from raja-grewal/shared_media
Deny sending and receiving shared media redirects
2025-01-10 10:28:05 -05:00
Patrick Schleizer
482960d056
permission-hardener: move to new state folder /var/lib/permission-hardener-v2 without migration
https://github.com/Kicksecure/security-misc/pull/294
2025-01-10 10:21:12 -05:00
Patrick Schleizer
3a31cc99b3
Merge remote-tracking branch 'ArrayBolt3/arraybolt3/usrmerge' 2025-01-09 09:30:58 -05:00
raja-grewal
1f8eee4720
Add missing sentence full stop 2025-01-08 18:36:00 +11:00
Aaron Rainbolt
5941195e96
Don't worry about files under /bin anymore, Bookworm uses a merged /usr directory 2025-01-07 14:10:46 -06:00
Patrick Schleizer
c4cfb8597d
Merge remote-tracking branch 'ArrayBolt3/arraybolt3/permission-hardener-refactor' 2025-01-06 08:43:54 -05:00
Patrick Schleizer
6e0787957b
increase priority of pam wheel so it is checked even before faillock
in case of attempting to use `su` without being a member of the required group `sudo`, it's useful to abort the PAM stack as early as possible to avoid needlessly prompting for a password to later
be rejected due to lack of group membership
2025-01-06 05:29:40 -05:00
Patrick Schleizer
d4767b7520
fix: apply PAM wheel only to su PAM service 2025-01-06 04:24:44 -05:00
Aaron Rainbolt
93ebf176c5
Make the main field count check in permission-hardener a bit more elegant 2025-01-02 20:42:06 -05:00
Aaron Rainbolt
895c0f541f
Merge branch 'master' into arraybolt3/permission-hardener-refactor 2025-01-01 15:04:01 -06:00
Patrick Schleizer
33114f771a
copyright 2024-12-31 13:26:21 -05:00
Aaron Rainbolt
717e6fcfbe
Post-review improvements to permission-hardener 2024-12-30 21:34:23 -06:00
Aaron Rainbolt
dbcb612517
Polish permission-hardener refactor 2024-12-26 00:43:26 -06:00
Aaron Rainbolt
83d3867959
Refactor permission-hardener to be more idempotent 2024-12-25 16:53:55 -06:00
Aaron Rainbolt
6602fb102d
Adjust pam-info messaging for sysmaint mode 2024-12-24 20:52:34 -06:00
Aaron Rainbolt
2f3a2bce77
Add warning about using non-sysmaint accounts in sysmaint mode 2024-12-20 11:04:22 -06:00
Patrick Schleizer
ad6e1f5ad4
move from /etc/permission-hardener.d to /usr/lib/permission-hardener.d 2024-12-20 00:41:06 -05:00
Patrick Schleizer
6de5d2d076
permission hardener: also parse /usr/lib/permission-hardener.d/*.conf folder 2024-12-20 00:37:44 -05:00
Patrick Schleizer
175b442d5b
use long option name 2024-12-19 05:56:50 -05:00
Patrick Schleizer
c99021bb0c
Merge remote-tracking branch 'ArrayBolt3/arraybolt3/sysmaint' 2024-12-19 05:56:01 -05:00
raja-grewal
2e6e1701a0
Set net.ipv4.conf.*.drop_gratuitous_arp=1 2024-12-19 10:35:08 +00:00
raja-grewal
c37f4efadf
Set net.ipv4.conf.*.arp_ignore=2 2024-12-19 10:33:49 +00:00
raja-grewal
af1d06973b
Set net.ipv4.conf.*.arp_filter=1 2024-12-19 10:31:43 +00:00
raja-grewal
750367a906
Set net.ipv4.conf.*.shared_media=0 2024-12-19 10:29:56 +00:00
Patrick Schleizer
daf0a0900b
fix apt-get-update for non-English locale
https://forums.kicksecure.com/t/systemcheck-reports-warning-debian-package-update-check-result-apt-get-reports-that-packages-can-be-updated-but-system-is-already-fully-upgraded/785
2024-12-19 04:39:34 -05:00
Patrick Schleizer
c7f7196471
Merge pull request #287 from raja-grewal/patch
Refactor and add two CPU mitigations
2024-12-19 00:31:25 -05:00
Patrick Schleizer
e5b67e044b
Merge pull request #279 from raja-grewal/arp
Provide network-related hardening options via `sysctl`'s
2024-12-19 00:15:02 -05:00
Patrick Schleizer
4cf5757575
Merge pull request #282 from ArrayBolt3/arraybolt3/umask
Enable umask hardening
2024-12-19 00:08:56 -05:00
Aaron Rainbolt
9d69cd1912
Add sysmaint account lock detection 2024-12-18 21:34:37 -06:00
raja-grewal
3749f8ff09
Update presentation on user namespaces 2024-12-18 03:36:09 +00:00
raja-grewal
ca3a73ac13
Typo 2024-12-17 11:37:10 +00:00
raja-grewal
c116796854
arp_ignore: Add reference to 2024-12-10 Mullvad VPN audit details 2024-12-12 06:36:47 +00:00
Patrick Schleizer
7902311c57
do not create /etc/sysctl.d/30-lkrg-virtualbox.conf if LKRG is not installed 2024-12-07 04:54:47 -05:00
Patrick Schleizer
1ce37d42cd
. 2024-12-07 04:50:40 -05:00
Aaron Rainbolt
1708a03e1e
Enable umask hardening 2024-11-28 15:39:59 -06:00
Patrick Schleizer
98d7c245ee
"|| exit 1" no longer required thanks to errexit 2024-11-25 15:57:30 -05:00
Patrick Schleizer
f9b5d7d3f4
use strict shell options 2024-11-25 15:48:01 -05:00
Patrick Schleizer
d32cb8c95b
use TMP, sponge, refactoring 2024-11-25 15:44:00 -05:00
Aaron Rainbolt
d7475e252a
Make apt-get-update able to be terminated securely 2024-11-21 20:03:42 -06:00
Patrick Schleizer
c7e9460b2a
output 2024-11-14 16:31:12 -05:00
Patrick Schleizer
ef95b3f9a5
Revert "fix panic-on-oops.service"
This reverts commit 862d23cb10.
2024-11-14 14:41:14 -05:00
raja-grewal
412b371e85
Merge branch 'Kicksecure:master' into arp 2024-11-13 16:47:57 +11:00
raja-grewal
141b84c40d
Provide option to deny sending and receiving shared media redirects 2024-11-13 05:42:56 +00:00
raja-grewal
18aec201bf
Provide option to harden response to ARP requests 2024-11-13 05:41:25 +00:00
raja-grewal
a25d4f8df8
Provide option to enable ARP filtering 2024-11-13 05:40:21 +00:00
raja-grewal
c2aae73ce1
Add reference and move text 2024-11-13 05:38:03 +00:00
Patrick Schleizer
7c06e22c7d
deleted /usr/bin/pkexec.security-misc
This was not used anymore for anything. In the past, we used to `config-package-dev` `replace` `/usr/bin/pkexec` with `/usr/bin/pkexec.security-misc` for the purpose of:

> Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with hidepid.

* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040
* https://forums.whonix.org/t/cannot-use-pkexec/8129

This was a worthwhile effort, interesting approach but ultimately a dead-end.
2024-11-11 05:43:25 -05:00