security-misc
security-misc copied to clipboard
Kicksecure
Kernel Hardening; Protect Linux User Accounts against Brute Force Attacks; Improve Entropy Collection; Strong Linux User Account Separation; Enhances Misc Security Settings - https://www.kicksecure.co...
pam-tmpdir-helper breaks certain initramfs-update actions on systems with noexec on the /tmp mount
### The Bug Initramfs related bootscripts may not add all dependencies needed for a system to boot when it's build directory has the **noexec** flag. On Kicksecure systems still running...
Set umask as 0077 for all users and services using the pam module. Then override this by setting the umask 0022 for ```root``` under ```/etc/environment.d/```. Any valid use case where...
related: https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/63 Perhaps a separate issue. (Not suggested as a replacement. Enforcing signature verification would be in addition.) _Originally posted by @adrelanos in https://github.com/Kicksecure/security-misc/issues/148#issuecomment-1792985196_
https://github.com/Kicksecure/security-misc/blob/master/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf ``` [device-mac-randomization] wifi.scan-rand-mac-address=yes [connection-mac-randomization] ethernet.cloned-mac-address=random wifi.cloned-mac-address=random ``` 1) Breaks root servers, namely broke kicksecure.com. This is what the server provide sent by e-mail. ``` We have detected that your...
>https://source.android.com/docs/core/connect/wifi-mac-randomization-behavior > > The MAC randomization feature randomizes the address by setting the locally administered bit to 1, and the unicast bit to 0. The other 46 bits are randomized....
In response to * https://github.com/Kicksecure/security-misc/pull/151 How to even re-enable coredumps as of now? Is this implemented in debug-misc? I don't want to configure us into a corner and then when...
Using "normal" (default settings) kernel. Not VM kernel. sudo journalctl -u harden-module-loading.service ``` Nov 05 22:44:57 host systemd[1]: Starting harden-module-loading.service - Disable the loading of modules to the kernel after...
> Since we have modified ```home_folder_access_rights_lockdown``` to work for all users with all usernames all the time, I don't see any reason to require the user to have a user...
Stronger ciphers? Any other hardening suggestions? https://github.com/Kicksecure/security-misc/blob/master/etc/skel/.gnupg/gpg.conf https://forums.whonix.org/t/anon-gpg-tweaks-gpg-conf-enhancements-duraconf-a-collection-of-hardened-configuration-files/5378 https://www.kicksecure.com/wiki/Air_Gapped_OpenPGP_Key https://www.kicksecure.com/wiki/OpenPGP
Metadata
Owner
Metadata
Kernel Hardening; Protect Linux User Accounts against Brute Force Attacks; Improve Entropy Collection; Strong Linux User Account Separation; Enhances Misc Security Settings - https://www.kicksecure.co...