Kicksecure/security-misc

Issues

• Restrict umask to 027 except for sudo/root broken

  #185 opened a month ago by adrelanos
  26

• review secureblue sysctl

  #283 opened 2 months ago by adrelanos
  1

• default SUID for umount (un-mount) may be incorrect

  #284 opened a month ago by the-moog
  2

• Split the `security-misc` into `security-misc-shared`, `security-misc-desktop` and `security-misc-server`

  #187 opened a year ago by monsieuremre
  22

• Security-misc boot time kernel parameters missing from Qubes VMs

  #281 opened 2 months ago by hoppity2
  1

• review Brace to see if there are security settings which aren't part of security-misc (or Kicksecure yet)

  #278 opened 3 months ago by adrelanos
  1

• Protecting /sys and /proc

  #277 opened 3 months ago by monsieuremre
  3

• slightly confusing KSPP header, introduce `KSPP=undocumented` comment in case KSPP does not mention it

  #275 opened 3 months ago by adrelanos
  3

• `kernel.unprivileged_userns_clone=0` breaks too much

  #274 opened 4 months ago by adrelanos
  0

• kernel module blacklist breaks VirtualBox audio devices ICH AC97 and maybe Intel HD

  #271 opened 4 months ago by adrelanos
  0

• criteria for kernel module blacklisting / disabling / Suggestions for kernel modules blacklisted in /etc/modprobe.d/30_security-misc.conf

  #224 opened 8 months ago by MikeHorn-git
  11

• Redundant kernel args

  #199 opened a year ago by TommyTran732
  12

• document sysctl settings / kernel parameters using KSPP=yes / KSPP=no

  #256 opened 5 months ago by adrelanos
  7

• file/folder permissions issue `d????????? ? ? ? ? ? .` | Firefox no longer starting (probably not not a Firefox issue) | caused by disallow registering interpreters for miscellaneous binary formats `sysctl fs.binfmt_misc.status=0`

  #267 opened 5 months ago by adrelanos
  1

• Kicksecure Default Browser Discussion

  #192 opened 9 months ago by monsieuremre
  73

• Use `slub_debug=FZ`?

  #253 opened 6 months ago by cynicsketch
  6

• no longer disable Intel ME related kernel modules

  #239 opened 6 months ago by adrelanos
  10

• Harden all system services by default

  #213 opened 10 months ago by monsieuremre
  10

• improve GnuPG configuration file `/etc/skel/.gnupg/gpg.conf`

  #223 opened 8 months ago by adrelanos
  4

• MAC randomization breaks root server and VirtualBox DHCP / IPv6PrivacyExtensions might be problematic

  #184 opened a year ago by adrelanos
  16

• Wayland Default DE for Real Security

  #168 opened a year ago by monsieuremre
  32

• add `/etc/gitconfig` for better git security

  #225 opened 8 months ago by adrelanos
  2

• Serious Question - Porting to new distro - Procedure

  #162 opened a year ago by monsieuremre
  8

• /lib/sysctl.d/990-security-misc.conf - log_martians

  #214 opened 8 months ago by the-moog
  2

• allow MSR kernel module being load / move from security-misc to vm-config-dist

  #215 opened 10 months ago by adrelanos
  0

• test remount-secure script and systemd unit

  #203 opened a year ago by adrelanos
  3

• `proc-hidepid.service`: Fixing Systemd related issues

  #208 opened a year ago by wryMitts
  7

• `proc-hidepid.service`: Fixing `pkexec` related issues

  #212 opened 10 months ago by adrelanos
  0

• `remount-secure`: use `procfs` mount option `subset` (`hide-hardware-info.service`)

  #205 opened a year ago by adrelanos
  5

• improve hide-hardware-info.service, make `/sys` hiding optional

  #172 opened 10 months ago by monsieuremre
  20

• `proc-hidepid.service` fails if proc user does not exist

  #210 opened 10 months ago by wryMitts
  0

• `hide-hardware-info.service`: hide `/sys/kernel/notes` due to accidental pointer leaks on xen systems. Leak defeats KASLR

  #209 opened 10 months ago by wryMitts
  1

• qfile-unpacker permission-hardener whitelist security issue

  #163 opened a year ago by adrelanos
  10

• `hide-hardware-info.service`: hide `/proc/dynamic_debug/`

  #207 opened a year ago by wryMitts
  1

• `hide-hardware-info.service`: hide `/proc/kallsyms`

  #206 opened a year ago by adrelanos
  1

• sgid (set-group-ID) pkexec to fix hidepid

  #201 opened a year ago by adrelanos
  2

• pam-tmpdir-helper breaks certain initramfs-update actions on systems with noexec on the /tmp mount

  #198 opened a year ago by wryMitts
  4

• use SRSO spec_rstack_overflow kernel setting?

  #177 opened a year ago by adrelanos
  16

• automatic trigger of permission-hardener after APT package installation broken

  #196 opened a year ago by adrelanos
  0

• `flatpak remote-add` TOFU and TLS security issue / use stronger authentication than TLS

  #191 opened a year ago by adrelanos
  1

• Harden Network

  #186 opened a year ago by monsieuremre
  1

• usrmerge

  #190 opened a year ago by adrelanos
  0

• run permission-hardener after APT package installation

  #189 opened a year ago by adrelanos
  1

• fix Bluetooth readme

  #180 opened a year ago by adrelanos
  4

• consider excluding hardened malloc from SUID Disabler

  #179 opened a year ago by adrelanos
  0

• Force IOMMU

  #175 opened a year ago by TommyTran732
  6

• `Depends:` vs `Recommends:` vs none

  #169 opened a year ago by adrelanos
  8

• systemd-coredump

  #174 opened a year ago by adrelanos
  2

• Hide Proc | New Approach

  #173 opened a year ago by monsieuremre
  13

• Backport Firmware and Kernel | Protect against spectre/meltdown and various hardware vulnurabilities

  #164 opened a year ago by monsieuremre
  4