Patrick Schleizer

Results 162 issues of Patrick Schleizer

After applying the changes in https://github.com/Kicksecure/security-misc/issues/208, does `pkexec` work for you? @wryMitts ---- Test command (X11 only compatible, not working in Wayland): `pkexec mousepad /tmp/testfile` I.e. try running any application...

> But for sensitive proc, I think I found a better way. We can modify the mount options. Procfs has the mount option ```subset```. We can set this to the...

> How much work would it require to package this source as an ```.rpm```? I would really like to test this on opensuse. I can also use a tool like alien,...

> Add /proc/kallsyms to the list as well, as this contains all the memory addresses for each kernel symbol. Originally posted by @monsieuremre in https://github.com/Kicksecure/security-misc/issues/172 Maybe not needed if we...

Currently umask is set to `027` (read, write for owner and group only). (Group is OK because Debian uses `usergroups` by default, [`UPG`](https://wiki.debian.org/UserPrivateGroups) (UserPrivateGroups)). This however should not be the...

related: https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/63 Perhaps a separate issue. (Not suggested as a replacement. Enforcing signature verification would be in addition.) _Originally posted by @adrelanos in https://github.com/Kicksecure/security-misc/issues/148#issuecomment-1792985196_

https://github.com/Kicksecure/security-misc/blob/master/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf ``` [device-mac-randomization] wifi.scan-rand-mac-address=yes [connection-mac-randomization] ethernet.cloned-mac-address=random wifi.cloned-mac-address=random ``` 1) Breaks root servers, namely broke kicksecure.com. This is what the server provider sent by e-mail. ``` We have detected that your...

In response to * https://github.com/Kicksecure/security-misc/pull/151 How to even re-enable coredumps as of now? Is this implemented in debug-misc? I don't want to configure us into a corner and then when...

Using "normal" (default settings) kernel. Not VM kernel. `sudo journalctl -u harden-module-loading.service` ``` Nov 05 22:44:57 host systemd[1]: Starting harden-module-loading.service - Disable the loading of modules to the kernel after...

> Since we have modified ```home_folder_access_rights_lockdown``` to work for all users with all usernames all the time, I don't see any reason to require the user to have a user...