qoijjj
c38d505e24
fix: use sigstore attachments for davincibox
2024-06-17 00:45:12 -07:00
qoijjj
791f8846bb
feat: add davincibox container signing policy
2024-06-17 00:12:53 -07:00
Tommy
91b823b195
Use /bin/false everywhere in kernel module blacklist (#288)
Signed-off-by: Tommy <contact@tommytran.io>
2024-06-16 20:51:20 -07:00
friendly-rabbit-35
062237545e
fix: remove Chromium policies that are deprecated and not applicable (#286)
* Remove deprecated and inapplicable Chromium policies
* Remove mentions of deleted Chromium policies from docs
2024-06-15 23:02:42 -07:00
qoijjj
fb98c74e4e
docs: update based on latest policy
2024-06-11 19:07:55 -07:00
qoijjj
8a74542573
chore: remove policies for which the default setting requires user consent
For parity with Vanadium
2024-06-11 18:02:31 -07:00
qoijjj
8fed632ba8
docs: fix broken link
2024-06-10 22:13:54 -07:00
Tommy
cfe7314af1
Disable fs.binfmt_misc.status (#282)
2024-06-08 18:02:50 -07:00
qoijjj
df2daf1736
chore: drop swappiness sysctl in favor of the default
Fedora uses zram so this adds no benefit unless the user manually created a swapfile. In that case the user can manually set this if desired.
2024-06-04 08:53:52 -07:00
qoijjj
b17446c3bb
chore: add debugfs=off (working again) back to unstable kargs
2024-06-02 22:01:43 -07:00
qoijjj
3cc114c80a
chore: add additional modules to blacklist
2024-06-02 21:43:57 -07:00
qoijjj
c283e2677d
chore: document module blacklist and fix typos
2024-06-02 21:36:42 -07:00
qoijjj
87ad303f5d
chore: fix tabs/spaces
2024-06-02 14:18:12 -07:00
qoijjj
b897d2a87f
docs: add details for new chromium flags
2024-06-02 13:38:04 -07:00
qoijjj
44b433ff9d
feat: audio and network sandboxes in chromium policies
2024-06-02 13:35:32 -07:00
qoijjj
4ec0bb93b7
feat: move chromium flags to a script to append to upstream
2024-05-28 10:06:24 -07:00
qoijjj
83da62112d
docs: minor clarification
2024-05-24 00:24:25 -07:00
qoijjj
fcad88df91
docs: update vanadium comparison
2024-05-22 23:05:45 -07:00
qoijjj
d3f6ae206e
feat: set distrobox/toolbox to default to signed images (#280)
2024-05-18 15:08:52 -07:00
qoijjj
eb9f173fb1
docs: pull in latest vanadium changes
2024-05-12 20:01:37 -07:00
qoijjj
c2d6c72556
docs: another whitespace fix
2024-05-07 18:01:20 +02:00
qoijjj
c3ab4e8107
docs: fix whitespace
2024-05-07 18:00:45 +02:00
qoijjj
9102eb4bfa
docs: correct vanadium comparison
2024-05-07 17:59:09 +02:00
qoijjj
828cc318b6
docs: pull latest vanadium patches for comparison
2024-05-07 17:57:36 +02:00
qoijjj
656bf9b5e2
feat: disable chromium internal pdf viewer
2024-04-19 16:22:38 -07:00
qoijjj
a86a3b7a02
feat: add additional chromium hardening based on vanadium
2024-04-17 22:53:33 -07:00
qoijjj
23020bab4e
docs: update vanadium comparison readme
2024-04-17 22:28:05 -07:00
qoijjj
3c546eb01b
docs: minor justfile messaging changes
2024-04-17 10:13:09 -07:00
Cheng Zhang
1cfb2b30d8
feat: just commands to override modprobe blacklist (#260)
2024-04-17 10:11:12 -07:00
qoijjj
9f6aa640d4
feat: add just command to remove all hardening kargs
2024-04-06 17:08:00 -07:00
qoijjj
27f9c86430
docs: fix typo in kargs readme
2024-03-31 00:35:46 -07:00
qoijjj
e1f6b5ba9f
feat: add additional chromium policy hardening and drop chkrootkit as its false positives make it low-utility
2024-03-31 06:32:39 +00:00
qoijjj
d3f2ba5d2e
docs: fix broken links to the fedora chromium spec
2024-03-28 17:43:15 +00:00
qoijjj
8712beeb44
docs: add additional chromium documentation and fix existing documentation
2024-03-28 17:39:04 +00:00
qoijjj
f228f4e689
fix: motd script spacing
2024-03-24 22:53:19 -07:00
qoijjj
f1bacc015a
feat: add image tag warning to advise users not to use specific tags
2024-03-24 21:56:06 -07:00
qoijjj
67e114ce4b
fix: sudo timeout to 1min instead of 0min
2024-03-22 13:30:15 -07:00
qoijjj
cb67ab87f6
feat: disable ghns by default
2024-03-21 19:50:36 -07:00
qoijjj
f7856e7098
Revert "feat: add image tag warning to advise users not to use specific tags"
This reverts commit 3dc08c057c.
2024-03-21 14:12:24 -07:00
qoijjj
3dc08c057c
feat: add image tag warning to advise users not to use specific tags
2024-03-21 12:39:32 -07:00
qoijjj
6d4884e3ad
fix: just: remove broken karg entirely and remove just commands that were merged upstream
2024-03-21 12:34:09 -07:00
qoijjj
e53449e86e
docs: fix broken markdown table
2024-03-20 17:47:03 -07:00
qoijjj
476252c130
chore: additional chromium improvements
2024-03-18 19:49:58 -07:00
qoijjj
b9f4abc3b8
feat: add chromium VAAPI flags
2024-03-18 19:11:41 -07:00
qoijjj
6732e2caa8
chore: remove unnecessary quotes
2024-03-18 18:46:03 -07:00
qoijjj
09032c19b0
docs: pull in new patch details from Vanadium
2024-03-18 15:53:20 -07:00
qoijjj
be9f5a54d4
docs: readability improvements
2024-03-18 15:01:22 -07:00
qoijjj
e53fac6fec
feat: additional chromium hardening
2024-03-18 14:54:17 -07:00
fiftydinar
efba15919d
fix: Assure that "disabling CoreDump tweak" is applied correctly (#241)
* fix: Assure that "disabling CoreDump tweak" is applied correctly
Since Fedora uses systemd, we need to make this change too, else it won't be applied throughout the system, but only in SSH/TTY sessions.
Bluefin had the same issue with open-file limits tweak here:
https://github.com/ublue-os/bluefin/pull/988
I usually put those config overrides to `/usr/lib`, but I will put them in `/usr/etc` to comply with the project's structure.
As far as I can tell, this is the only tweak which needs this systemd conf change.
Signed-off-by: fiftydinar <65243233+fiftydinar@users.noreply.github.com>
2024-03-15 12:36:20 -07:00
qoijjj
9d19d8a9f3
feat: set yaml files as detectable by github
2024-03-13 13:27:40 -07:00