
Jan 15 2020

Patrick added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.
In T950#19249, @Patrick wrote:

The loader of tirdad is currently using dmesg.

Jan 15 2020, 12:11 PM · Whonix 15, security-misc, Whonix

Jan 1 2020

Patrick added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.

The loader of tirdad is currently using dmesg.

Jan 1 2020, 12:31 PM · Whonix 15, security-misc, Whonix
Patrick added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.

quiet

Jan 1 2020, 12:05 PM · Whonix 15, security-misc, Whonix

Dec 25 2019

Patrick updated the task description for T950: set kernel.printk sysctl to prevent kernel info leaks.
Dec 25 2019, 10:39 AM · Whonix 15, security-misc, Whonix
Patrick updated the task description for T950: set kernel.printk sysctl to prevent kernel info leaks.
Dec 25 2019, 10:38 AM · Whonix 15, security-misc, Whonix

Dec 24 2019

madaidan added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.

This just prevents writing to /dev/kmsg. It doesn't stop kernel logs being displayed during boot.

Dec 24 2019, 7:09 PM · Whonix 15, security-misc, Whonix
Patrick added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.

Still wondering if this initramfs modification can be avoided... Still wondering if kernel.printk can be set through a kernel parameter. Looking again at https://github.com/torvalds/linux/blob/master/Documentation/admin-guide/kernel-parameters.txt...

Dec 24 2019, 6:24 PM · Whonix 15, security-misc, Whonix
Patrick added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.

Sounds good.

Dec 24 2019, 5:54 PM · Whonix 15, security-misc, Whonix
madaidan added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.

https://github.com/Whonix/security-misc/pull/51

Dec 24 2019, 5:34 PM · Whonix 15, security-misc, Whonix
madaidan added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.

We can use a sysctl.d drop-in and an initramfs hook in security-misc so non-initramfs users will still be mostly protected.

Dec 24 2019, 5:10 PM · Whonix 15, security-misc, Whonix
Patrick added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.

I guess because a sysctl.d drop-in config file is easy and catches most.
initramfs hook covers only initramfs users. Not dracut. But
security-misc initramfs hook sounds good enough. dracut support can
come later, if ever. Please implement.

Dec 24 2019, 4:47 PM · Whonix 15, security-misc, Whonix
madaidan added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.

Why not use an initramfs hook in security-misc? Not everyone will have security-misc and apparmor-profile-everything installed. Users with just security-misc installed will still have some kernel logs shown during early boot.

Dec 24 2019, 4:39 PM · Whonix 15, security-misc, Whonix
Patrick closed T937: make /boot and /lib/modules unreadable for non-root users as Resolved.
Dec 24 2019, 12:15 PM · security-misc, Whonix
Patrick closed T945: /etc/default/grub.d/40_kernel_hardening.cfg fails to detect kernel upgrade as Resolved.

https://github.com/Whonix/security-misc/commit/ede536913daa0c7ddfe55e20c93d7b752daa5de3

Dec 24 2019, 12:15 PM · Whonix, security-misc
Patrick added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.

Yes. Probably both. initramfs for apparmor-profile-everything users and
/etc/sysctl.d/ security-misc.

Dec 24 2019, 12:02 PM · Whonix 15, security-misc, Whonix

Dec 23 2019

madaidan added a comment to T937: make /boot and /lib/modules unreadable for non-root users.

https://github.com/Whonix/security-misc/pull/50

Dec 23 2019, 9:29 PM · security-misc, Whonix
madaidan added a comment to T937: make /boot and /lib/modules unreadable for non-root users.
Dec 23 2019, 9:26 PM · security-misc, Whonix
madaidan added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.

Should this be set in the initramfs?

Dec 23 2019, 9:08 PM · Whonix 15, security-misc, Whonix
madaidan added a comment to T945: /etc/default/grub.d/40_kernel_hardening.cfg fails to detect kernel upgrade.

That worked.

Dec 23 2019, 8:58 PM · Whonix, security-misc
Patrick triaged T951: sign kernel modules as Normal priority.
Dec 23 2019, 3:15 PM · Whonix 16, security-misc, Whonix
Patrick triaged T950: set kernel.printk sysctl to prevent kernel info leaks as Normal priority.
Dec 23 2019, 2:19 PM · Whonix 15, security-misc, Whonix
Patrick triaged T948: /tmp etc. separation through polyinstantiation by using namespaces.conf as Normal priority.
Dec 23 2019, 2:09 PM · research, Whonix, security-misc
Patrick triaged T945: /etc/default/grub.d/40_kernel_hardening.cfg fails to detect kernel upgrade as Normal priority.
Dec 23 2019, 1:53 PM · Whonix, security-misc

Dec 7 2019

Patrick renamed T937: make /boot and /lib/modules unreadable for non-root users from make /boot unreadable for non-root users to make /boot and /lib/modules unreadable for non-root users.
Dec 7 2019, 9:14 AM · security-misc, Whonix

Nov 23 2019

Patrick triaged T939: file permissions hardening lockdown as Normal priority.
Nov 23 2019, 5:25 PM · Whonix, security-misc
Patrick added a member for security-misc: madaidan.
Nov 23 2019, 5:20 PM
Patrick triaged T937: make /boot and /lib/modules unreadable for non-root users as Normal priority.
Nov 23 2019, 5:19 PM · security-misc, Whonix

Jun 20 2019

Patrick updated the task description for T920: consider /etc/xdg/xfce4/ defaults.
Jun 20 2019, 6:53 AM · Whonix 15, security-misc, whonix-xfce-desktop-config, Whonix

Jun 14 2019

Patrick created T920: consider /etc/xdg/xfce4/ defaults.
Jun 14 2019, 3:23 PM · Whonix 15, security-misc, whonix-xfce-desktop-config, Whonix

Mar 7 2018

Patrick closed T500: disable preview in nautilus by default as Resolved.
Mar 7 2018, 1:50 AM · Whonix 14, security-misc, enhancement, Whonix, security

Feb 19 2017

Patrick changed the status of T500: disable preview in nautilus by default from Open to Review.

https://github.com/Whonix/security-misc/commit/5ba2a5b6ff53df37ad38f082ad86ff2227158d93
https://github.com/Whonix/security-misc/commit/dfe8a569b639dd09ef4cd7f35c05efd7ea080406

Feb 19 2017, 11:35 PM · Whonix 14, security-misc, enhancement, Whonix, security

Dec 7 2016

Patrick updated the task description for T500: disable preview in nautilus by default.
Dec 7 2016, 4:51 PM · Whonix 14, security-misc, enhancement, Whonix, security
Patrick updated the task description for T500: disable preview in nautilus by default.
Dec 7 2016, 4:50 PM · Whonix 14, security-misc, enhancement, Whonix, security

Apr 21 2016

Patrick created T500: disable preview in nautilus by default.
Apr 21 2016, 9:30 PM · Whonix 14, security-misc, enhancement, Whonix, security
Patrick created security-misc.
Apr 21 2016, 9:29 PM