
Whonix (Project)
Active, Public

Members (2)

Watchers

  • This project does not have any watchers.

Recent Activity

Yesterday

Patrick added a comment to T868: mediawiki fixes #2.

JasonJAyalaP (Jason J. Ayala P.):

JasonJAyalaP added a comment.

**too much whitespace**
This is unnecessary whitespace from the html line:
  <h5 id="siteSub" class="subtitle"></h5>
which shows nothing + padding all h5's get.
The proper way, I presume, is to tell mediawiki to not display "subtitle", whatever that is. It seems to be similar to "tagline" which is set to "From Whonix" and output in html but set to hidden via css (dumb but whatever).
Mon, Jan 20, 1:08 PM · website, Whonix

Sat, Jan 18

Patrick closed T470: Whonix home page redesign as Resolved.
Sat, Jan 18, 1:22 PM · html, user documentation, Whonix
Patrick updated the task description for T868: mediawiki fixes #2.
Sat, Jan 18, 12:42 PM · website, Whonix
Patrick added a comment to T868: mediawiki fixes #2.

JasonJAyalaP (Jason J. Ayala P.):

JasonJAyalaP added a comment.

**clickable expand button inside text**
Done. Check: https://www.whonix.org/wiki/Template:Reload_Tor
Sat, Jan 18, 12:39 PM · website, Whonix
Patrick updated the task description for T868: mediawiki fixes #2.
Sat, Jan 18, 12:14 PM · website, Whonix
Patrick added a comment to T868: mediawiki fixes #2.

replace Menu bar with hardcoded links
Isn't this a mediawiki configuration option? It should have basic nav choices.

Sat, Jan 18, 12:14 PM · website, Whonix
Patrick updated the task description for T868: mediawiki fixes #2.
Sat, Jan 18, 12:12 PM · website, Whonix
Patrick added a comment to T868: mediawiki fixes #2.

two separate pre tags get intermingled and shown as one box
Can you link me to an example (or create a page with one)?

Sat, Jan 18, 12:12 PM · website, Whonix
JasonJAyalaP added a comment to T868: mediawiki fixes #2.

clickable expand button inside text

Sat, Jan 18, 5:32 AM · website, Whonix
JasonJAyalaP added a comment to T868: mediawiki fixes #2.

replace Menu bar with hardcoded links
Isn't this a mediawiki configuration option? It should have basic nav choices.

Sat, Jan 18, 5:01 AM · website, Whonix
JasonJAyalaP added a comment to T868: mediawiki fixes #2.

two separate pre tags get intermingled and shown as one box
Can you link me to an example (or create a page with one)?

Sat, Jan 18, 5:00 AM · website, Whonix
JasonJAyalaP added a comment to T868: mediawiki fixes #2.

too much whitespace
This is unnecessary whitespace from the html line:

Sat, Jan 18, 4:53 AM · website, Whonix

Fri, Jan 17

Patrick updated the task description for T868: mediawiki fixes #2.
Fri, Jan 17, 9:03 AM · website, Whonix
Patrick updated the task description for T868: mediawiki fixes #2.
Fri, Jan 17, 8:40 AM · website, Whonix

Wed, Jan 15

Patrick added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.
In T950#19249, @Patrick wrote:

The loader of tirdad is currently using dmesg.

Wed, Jan 15, 12:11 PM · Whonix 15, security-misc, Whonix

Tue, Jan 7

HulaHoop added a comment to T552: Packaging USBKill.

An interesting product that triggers a system wipe if the cable is pulled:

Tue, Jan 7, 5:51 PM · Whonix-Host, security, Whonix
Patrick updated the task description for T868: mediawiki fixes #2.
Tue, Jan 7, 6:39 AM · website, Whonix

Wed, Jan 1

Patrick added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.

The loader of tirdad is currently using dmesg.

Wed, Jan 1, 12:31 PM · Whonix 15, security-misc, Whonix
Patrick added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.

quiet

Wed, Jan 1, 12:05 PM · Whonix 15, security-misc, Whonix

Thu, Dec 26

Patrick edited projects for T953: extrepo - safely adding repos, added: Whonix 15; removed Restricted Project.
Thu, Dec 26, 4:06 PM · Whonix 15, Whonix
Patrick triaged T953: extrepo - safely adding repos as Normal priority.
Thu, Dec 26, 4:05 PM · Whonix 15, Whonix

Wed, Dec 25

Patrick updated the task description for T950: set kernel.printk sysctl to prevent kernel info leaks.
Wed, Dec 25, 10:39 AM · Whonix 15, security-misc, Whonix
Patrick updated the task description for T950: set kernel.printk sysctl to prevent kernel info leaks.
Wed, Dec 25, 10:38 AM · Whonix 15, security-misc, Whonix

Tue, Dec 24

madaidan added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.

This just prevents writing to /dev/kmsg. It doesn't stop kernel logs being displayed during boot.

Tue, Dec 24, 7:09 PM · Whonix 15, security-misc, Whonix
Patrick added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.

Still wondering if this initramfs modification can be avoided... Still wondering if kernel.printk can be set through a kernel parameter. Looking again at https://github.com/torvalds/linux/blob/master/Documentation/admin-guide/kernel-parameters.txt...

Tue, Dec 24, 6:24 PM · Whonix 15, security-misc, Whonix
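The kernel.printk semantics madaidan and Patrick are discussing above (which priorities still reach the console under a given setting, what a sysctl.d drop-in can and cannot silence, and the loglevel= entry in kernel-parameters.txt that Patrick was looking for), as an added Python example. This is not security-misc or Whonix code; the level values and the sample /proc/sys/kernel/printk strings are constructed for this example, and the `quiet` behaviour noted in the comments assumes a kernel built with the default CONFIG_CONSOLE_LOGLEVEL_QUIET=4.

```python
"""Added example: meaning of the four kernel.printk fields, and which syslog
priorities still reach the console under a given setting. Not Whonix code."""
from __future__ import annotations

from typing import NamedTuple

# Syslog priorities in the order the kernel's KERN_* prefixes use them (0 = most severe).
LEVEL_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


class PrintkLevels(NamedTuple):
    """The four fields of /proc/sys/kernel/printk, in file order (per the kernel sysctl docs)."""
    console: int          # console_loglevel: only messages with a LOWER level reach the console
    default_message: int  # default_message_loglevel: level for printk() calls with no KERN_* prefix
    minimum_console: int  # minimum_console_loglevel: lowest value console_loglevel may be lowered to
    default_console: int  # default_console_loglevel: default value for console_loglevel


def parse_printk(text: str) -> PrintkLevels:
    """Parse the whitespace-separated contents of /proc/sys/kernel/printk."""
    fields = text.split()
    if len(fields) != 4:
        raise ValueError(f"expected 4 fields, got {len(fields)}: {text!r}")
    values = [int(f) for f in fields]
    if any(not 0 <= v <= 7 for v in values):
        raise ValueError(f"loglevels must be in 0..7: {values}")
    return PrintkLevels(*values)


def is_valid_printk(text: str) -> bool:
    """True if the string would be accepted by parse_printk()."""
    try:
        parse_printk(text)
    except ValueError:
        return False
    return True


def console_shows(levels: PrintkLevels, msg_level: int) -> bool:
    """The kernel prints a message to the console only when msg_level < console_loglevel;
    a message whose level equals console_loglevel is already suppressed."""
    return msg_level < levels.console


def visible_on_console(levels: PrintkLevels) -> list[str]:
    """Names of the priorities that would still show up on the console / boot screen."""
    return [name for lvl, name in enumerate(LEVEL_NAMES) if console_shows(levels, lvl)]


def sysctl_dropin(levels: PrintkLevels) -> str:
    """One sysctl.d(5) line setting all four fields. systemd-sysctl applies it after the
    root filesystem is mounted, so anything the kernel or initramfs printed before that
    has already reached the console; that is the gap an initramfs hook is meant to close."""
    return (f"kernel.printk = {levels.console} {levels.default_message} "
            f"{levels.minimum_console} {levels.default_console}\n")


def cmdline_loglevel(levels: PrintkLevels) -> str:
    """Kernel command-line counterpart for the first field only: loglevel=N sets
    console_loglevel from the moment the kernel starts, but leaves the other three
    fields at their compiled-in defaults."""
    return f"loglevel={levels.console}"


# Constructed sample values (this example's own, not taken from any Whonix package):
NO_QUIET = "7\t4\t1\t7"    # booted without `quiet`: everything up to info is printed
WITH_QUIET = "4\t4\t1\t7"  # `quiet` lowers console_loglevel to CONFIG_CONSOLE_LOGLEVEL_QUIET (4 by default)
HARDENED = "3 3 3 3"       # only emerg/alert/crit still reach the console


if __name__ == "__main__":
    for label, raw in (("no quiet", NO_QUIET), ("quiet", WITH_QUIET), ("hardened", HARDENED)):
        levels = parse_printk(raw)
        print(f"{label:9s} {raw.split()} -> console shows {visible_on_console(levels)}")
    print(sysctl_dropin(parse_printk(HARDENED)), end="")
    print(cmdline_loglevel(parse_printk(HARDENED)))
```

Running it shows why `quiet` alone is not enough for madaidan's concern: with console_loglevel 4, err and more severe messages are still printed during boot, and the sysctl.d drop-in only takes effect once systemd-sysctl runs, which is why the thread settles on a drop-in plus an initramfs hook.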
Patrick added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.

Sounds good.

Tue, Dec 24, 5:54 PM · Whonix 15, security-misc, Whonix
madaidan added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.

https://github.com/Whonix/security-misc/pull/51

Tue, Dec 24, 5:34 PM · Whonix 15, security-misc, Whonix
madaidan added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.

We can use a sysctl.d drop-in and an initramfs hook in security-misc so non-initramfs users will still be mostly protected.

Tue, Dec 24, 5:10 PM · Whonix 15, security-misc, Whonix
madaidan added a comment to T943: make /boot and /lib/modules unreadable even for root.

Any attempted access of /boot would be logged the same way anyway although it might be good to use that to stop it from showing up in aa-logprof.

Tue, Dec 24, 5:07 PM · security, apparmor-profile-everything, Whonix
Patrick closed T943: make /boot and /lib/modules unreadable even for root as Resolved.

Would an audit deny rule for /boot be useful for the sake of audit?

Tue, Dec 24, 4:49 PM · security, apparmor-profile-everything, Whonix
Patrick added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.

I guess because a sysctl.d drop-in config file is easy and catches most. initramfs hook covers only initramfs users. Not dracut. But security-misc initramfs hook sounds good enough. dracut support can come later, if ever. Please implement.

Tue, Dec 24, 4:47 PM · Whonix 15, security-misc, Whonix
madaidan added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.

Why not use an initramfs hook in security-misc? Not everyone will have security-misc and apparmor-profile-everything installed. Users with just security-misc installed will still have some kernel logs shown during early boot.

Tue, Dec 24, 4:39 PM · Whonix 15, security-misc, Whonix
madaidan added a comment to T943: make /boot and /lib/modules unreadable even for root.

/boot isn't allowed in init-systemd anyway so we don't need to add it to dangerous-files. AppArmor denies access to files that aren't explicitly allowed. The only reason we need to blacklist /lib/modules and not /boot is because we give access to all libraries.

Tue, Dec 24, 4:37 PM · security, apparmor-profile-everything, Whonix
Patrick added a comment to T943: make /boot and /lib/modules unreadable even for root.

Still need to add /boot to https://github.com/Whonix/apparmor-profile-everything/blob/master/etc/apparmor.d/abstractions/dangerous-files? Currently cannot find it there.

Tue, Dec 24, 12:17 PM · security, apparmor-profile-everything, Whonix
Patrick closed T937: make /boot and /lib/modules unreadable for non-root users as Resolved.
Tue, Dec 24, 12:15 PM · Whonix, security-misc
Patrick closed T945: /etc/default/grub.d/40_kernel_hardening.cfg fails to detect kernel upgrade as Resolved.

https://github.com/Whonix/security-misc/commit/ede536913daa0c7ddfe55e20c93d7b752daa5de3

Tue, Dec 24, 12:15 PM · security-misc, Whonix
Patrick added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.

Yes. Probably both. initramfs for apparmor-profile-everything users and /etc/sysctl.d/ security-misc.

Tue, Dec 24, 12:02 PM · Whonix 15, security-misc, Whonix

Mon, Dec 23

madaidan added a comment to T937: make /boot and /lib/modules unreadable for non-root users.

https://github.com/Whonix/security-misc/pull/50

Mon, Dec 23, 9:29 PM · Whonix, security-misc
madaidan added a comment to T943: make /boot and /lib/modules unreadable even for root.

/boot/ is already unreadable.

Mon, Dec 23, 9:27 PM · security, apparmor-profile-everything, Whonix
madaidan added a comment to T937: make /boot and /lib/modules unreadable for non-root users.
Mon, Dec 23, 9:26 PM · Whonix, security-misc
madaidan added a comment to T950: set kernel.printk sysctl to prevent kernel info leaks.

Should this be set in the initramfs?

Mon, Dec 23, 9:08 PM · Whonix 15, security-misc, Whonix
madaidan added a comment to T945: /etc/default/grub.d/40_kernel_hardening.cfg fails to detect kernel upgrade.

That worked.

Mon, Dec 23, 8:58 PM · security-misc, Whonix
madaidan added a comment to T12: virtualizer: enforce maximum system resources a virtual machine may use.

We should be able to create a drop-in file at /lib/systemd/system/user-.slice.d/ and add something such as

Mon, Dec 23, 8:54 PM · Whonix, VMware, Qubes, KVM, VirtualBox, virtualizer
Patrick triaged T952: warn against superadmin / superroot in grub boot menu or initramfs as Normal priority.
Mon, Dec 23, 4:00 PM · Whonix 16, apparmor-profile-everything, Whonix
Patrick triaged T951: sign kernel modules as Normal priority.
Mon, Dec 23, 3:15 PM · Whonix 16, security-misc, Whonix
Patrick updated the task description for T670: Activating Lockdown.
Mon, Dec 23, 3:14 PM · Debian version 10 codename Buster, Whonix
Patrick triaged T950: set kernel.printk sysctl to prevent kernel info leaks as Normal priority.
Mon, Dec 23, 2:19 PM · Whonix 15, security-misc, Whonix
Patrick updated subscribers of T949: easy remote support VNC alternative, NX, SPICE, X2Go, Remmina.
Mon, Dec 23, 2:14 PM · Whonix, usability
Patrick triaged T949: easy remote support VNC alternative, NX, SPICE, X2Go, Remmina as Normal priority.
Mon, Dec 23, 2:14 PM · Whonix, usability
Patrick triaged T948: /tmp etc. separation through polyinstantiation by using namespaces.conf as Normal priority.
Mon, Dec 23, 2:09 PM · research, Whonix, security-misc