Page MenuHomePhabricator

security-miscProject
ActivePublic

Watchers

  • This project does not have any watchers.
  • View All

Recent Activity

Mon, Sep 28

Patrick closed T950: set kernel.printk sysctl to prevent kernel info leaks as Resolved.

Looks all good and quite in Whonix 15.0.1.5.1.

Mon, Sep 28, 4:32 PM · Debian version 11 codename Bullseye, Whonix 15, Whonix, security-misc

May 14 2020

Patrick added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.
May 14 2020, 8:58 PM · Debian version 11 codename Bullseye, Whonix 15, Whonix, security-misc

Apr 23 2020

Patrick added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.

Setting quiet loglevel=0 in that exact order as per https://github.com/Whonix/security-misc/commit/6485df8126b52a2072824fa442e8d1dd5cb18981 does now hide [sda] Incomplete mode parameter data. However, messages by LKRG are not yet hidden.

Apr 23 2020, 6:40 PM · Debian version 11 codename Bullseye, Whonix 15, Whonix, security-misc

Apr 16 2020

Patrick added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.

Even kernel parameter quiet loglevel=3 rd.systemd.show_status=auto rd.udev.log_priority=3
(from https://wiki.archlinux.org/index.php/Silent_boot)
does not hide [sda] Incomplete mode parameter data.

Apr 16 2020, 4:02 PM · Debian version 11 codename Bullseye, Whonix 15, Whonix, security-misc
Patrick updated the task description for T950: set kernel.printk sysctl to prevent kernel info leaks.
Apr 16 2020, 2:07 PM · Debian version 11 codename Bullseye, Whonix 15, Whonix, security-misc
Patrick updated the task description for T950: set kernel.printk sysctl to prevent kernel info leaks.
Apr 16 2020, 2:04 PM · Debian version 11 codename Bullseye, Whonix 15, Whonix, security-misc
Patrick added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.

https://github.com/Whonix/security-misc/commit/8d2e4b68dcae87b27f519196488e0ed7e8b95ef2

Apr 16 2020, 2:01 PM · Debian version 11 codename Bullseye, Whonix 15, Whonix, security-misc
Patrick added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.

kernel.printk = 3 3 3 3

Apr 16 2020, 1:29 PM · Debian version 11 codename Bullseye, Whonix 15, Whonix, security-misc
Patrick updated the task description for T950: set kernel.printk sysctl to prevent kernel info leaks.
Apr 16 2020, 11:37 AM · Debian version 11 codename Bullseye, Whonix 15, Whonix, security-misc
Patrick added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.

And of course these messages are attributed to whatever Whonix issue someone is having.

Apr 16 2020, 11:30 AM · Debian version 11 codename Bullseye, Whonix 15, Whonix, security-misc

Mar 22 2020

Patrick reopened T950: set kernel.printk sysctl to prevent kernel info leaks as "Open".

Not fully fixed.

Mar 22 2020, 7:47 PM · Debian version 11 codename Bullseye, Whonix 15, Whonix, security-misc
Patrick closed T950: set kernel.printk sysctl to prevent kernel info leaks as Invalid.

Thanks!

Mar 22 2020, 12:48 PM · Debian version 11 codename Bullseye, Whonix 15, Whonix, security-misc

Mar 21 2020

madaidan added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.

This issue is fixed now due to the quiet boot parameter. kernel.printk=3 3 3 3 isn't needed anymore.

Mar 21 2020, 6:55 PM · Debian version 11 codename Bullseye, Whonix 15, Whonix, security-misc

Jan 15 2020

Patrick added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.
In T950#19249, @Patrick wrote:

The loader of tirdad is currently using dmesg.

Jan 15 2020, 12:11 PM · Debian version 11 codename Bullseye, Whonix 15, Whonix, security-misc

Jan 1 2020

Patrick added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.

The loader of tirdad is currently using dmesg.

Jan 1 2020, 12:31 PM · Debian version 11 codename Bullseye, Whonix 15, Whonix, security-misc
Patrick added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.

quiet

Jan 1 2020, 12:05 PM · Debian version 11 codename Bullseye, Whonix 15, Whonix, security-misc

Dec 25 2019

Patrick updated the task description for T950: set kernel.printk sysctl to prevent kernel info leaks.
Dec 25 2019, 10:39 AM · Debian version 11 codename Bullseye, Whonix 15, Whonix, security-misc
Patrick updated the task description for T950: set kernel.printk sysctl to prevent kernel info leaks.
Dec 25 2019, 10:38 AM · Debian version 11 codename Bullseye, Whonix 15, Whonix, security-misc

Dec 24 2019

madaidan added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.

This just prevents writing to /dev/kmsg. It doesn't stop kernel logs being displayed during boot.

Dec 24 2019, 7:09 PM · Debian version 11 codename Bullseye, Whonix 15, Whonix, security-misc
Patrick added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.

Still wondering if initramfs modification this can be avoided... Still wondering if kernel.printk can be set through a kernel parameter. Looking again at https://github.com/torvalds/linux/blob/master/Documentation/admin-guide/kernel-parameters.txt...

Dec 24 2019, 6:24 PM · Debian version 11 codename Bullseye, Whonix 15, Whonix, security-misc
Patrick added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.

Sounds good.

Dec 24 2019, 5:54 PM · Debian version 11 codename Bullseye, Whonix 15, Whonix, security-misc
madaidan added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.

https://github.com/Whonix/security-misc/pull/51

Dec 24 2019, 5:34 PM · Debian version 11 codename Bullseye, Whonix 15, Whonix, security-misc
madaidan added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.

We can use a sysctl.d drop-in and an initramfs hook in security-misc so non-initramfs users will still be mostly protected.

Dec 24 2019, 5:10 PM · Debian version 11 codename Bullseye, Whonix 15, Whonix, security-misc
Patrick added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.

I guess because a sysctl.d drop-in config file is easy and catches most.
initramfs hook covers only initramfs users. Not dracut. But
security-misc initramfs hook sounds good enough. dracut support can
come later, if ever. Please implement.

Dec 24 2019, 4:47 PM · Debian version 11 codename Bullseye, Whonix 15, Whonix, security-misc
madaidan added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.

Why not use an initramfs hook in security-misc? Not everyone will have security-misc and apparmor-profile-everything installed. Users with just security-misc installed will still have some kernel logs shown during early boot.

Dec 24 2019, 4:39 PM · Debian version 11 codename Bullseye, Whonix 15, Whonix, security-misc
Patrick closed T937: make /boot and /lib/modules unreadable for non-root users as Resolved.
Dec 24 2019, 12:15 PM · security-misc, Whonix
Patrick closed T945: /etc/default/grub.d/40_kernel_hardening.cfg fails to detect kernel upgrade as Resolved.

https://github.com/Whonix/security-misc/commit/ede536913daa0c7ddfe55e20c93d7b752daa5de3

Dec 24 2019, 12:15 PM · Whonix, security-misc
Patrick added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.

Yes. Probably both. initramfs for apparmor-profile-everything users and
/etc/sysctl.d/ security-misc.

Dec 24 2019, 12:02 PM · Debian version 11 codename Bullseye, Whonix 15, Whonix, security-misc

Dec 23 2019

madaidan added a comment to T937: make /boot and /lib/modules unreadable for non-root users.

https://github.com/Whonix/security-misc/pull/50

Dec 23 2019, 9:29 PM · security-misc, Whonix
madaidan added a comment to T937: make /boot and /lib/modules unreadable for non-root users.
Dec 23 2019, 9:26 PM · security-misc, Whonix
madaidan added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.

Should this be set in the initramfs?

Dec 23 2019, 9:08 PM · Debian version 11 codename Bullseye, Whonix 15, Whonix, security-misc
madaidan added a comment to T945: /etc/default/grub.d/40_kernel_hardening.cfg fails to detect kernel upgrade.

That worked.

Dec 23 2019, 8:58 PM · Whonix, security-misc
Patrick triaged T951: sign kernel modules as Normal priority.
Dec 23 2019, 3:15 PM · Whonix 16, security-misc, Whonix
Patrick triaged T950: set kernel.printk sysctl to prevent kernel info leaks as Normal priority.
Dec 23 2019, 2:19 PM · Debian version 11 codename Bullseye, Whonix 15, Whonix, security-misc
Patrick triaged T948: /tmp etc. separation through polyinstantiation by using namespaces.conf as Normal priority.
Dec 23 2019, 2:09 PM · research, Whonix, security-misc
Patrick triaged T945: /etc/default/grub.d/40_kernel_hardening.cfg fails to detect kernel upgrade as Normal priority.
Dec 23 2019, 1:53 PM · Whonix, security-misc

Dec 7 2019

Patrick renamed T937: make /boot and /lib/modules unreadable for non-root users from make /boot unreadable for non-root users to make /boot and /lib/modules unreadable for non-root users.
Dec 7 2019, 9:14 AM · security-misc, Whonix

Nov 23 2019

Patrick triaged T939: file permissions hardening lockdown as Normal priority.
Nov 23 2019, 5:25 PM · Whonix, security-misc
Patrick added a member for security-misc: madaidan.
Nov 23 2019, 5:20 PM
Patrick triaged T937: make /boot and /lib/modules unreadable for non-root users as Normal priority.
Nov 23 2019, 5:19 PM · security-misc, Whonix

Jun 20 2019

Patrick updated the task description for T920: consider /etc/xdg/xfce4/ defaults.
Jun 20 2019, 6:53 AM · Whonix 15, security-misc, whonix-xfce-desktop-config, Whonix

Jun 14 2019

Patrick created T920: consider /etc/xdg/xfce4/ defaults.
Jun 14 2019, 3:23 PM · Whonix 15, security-misc, whonix-xfce-desktop-config, Whonix

Mar 7 2018

Patrick closed T500: disable preview in nautilus by default as Resolved.
Mar 7 2018, 1:50 AM · Whonix 14, security-misc, enhancement, Whonix, security

Feb 19 2017

Patrick changed the status of T500: disable preview in nautilus by default from Open to Review.

https://github.com/Whonix/security-misc/commit/5ba2a5b6ff53df37ad38f082ad86ff2227158d93
https://github.com/Whonix/security-misc/commit/dfe8a569b639dd09ef4cd7f35c05efd7ea080406

Feb 19 2017, 11:35 PM · Whonix 14, security-misc, enhancement, Whonix, security

Dec 7 2016

Patrick updated the task description for T500: disable preview in nautilus by default.
Dec 7 2016, 4:51 PM · Whonix 14, security-misc, enhancement, Whonix, security
Patrick updated the task description for T500: disable preview in nautilus by default.
Dec 7 2016, 4:50 PM · Whonix 14, security-misc, enhancement, Whonix, security

Apr 21 2016

Patrick created T500: disable preview in nautilus by default.
Apr 21 2016, 9:30 PM · Whonix 14, security-misc, enhancement, Whonix, security
Patrick created security-misc.
Apr 21 2016, 9:29 PM