Suggested way to split the security-misc package into shared, desktop, and server packages.
How to split apart security-misc into shared, desktop, and server packages: | |
Legend: | |
* [x] Reviewed, looks good | |
* [!] Reviewed, potential bug spotted | |
All packages have been checked for which package they should go into. | |
┌─╴aaron@kf-ir16:/srv/data/vmshare/kicksecure/git/security-misc | |
└─╴$ tree | |
* [x] . (package) (rationale) | |
* [x] ├── changelog.upstream (shared) (no good reason to move anywhere else) | |
* [x] ├── CONTRIBUTING.md (shared) (useful on desktop and server) | |
* [x] ├── COPYING (shared) (useful on desktop and server) | |
* [x] ├── debian (n/a) (n/a) | |
* [x] │ ├── changelog (n/a) (n/a) | |
* [x] │ ├── control (n/a) (n/a) | |
* [x] │ ├── copyright (n/a) (n/a) | |
* [x] │ ├── make-helper-overrides.bsh (n/a) (n/a) | |
* [x] │ ├── rules (n/a) (n/a) | |
* [x] │ ├── security-misc.displace (shared) (useful on desktop and server, other files can be created for desktop and server if needed) | |
* [x] │ ├── security-misc.displace-extension (shared) (useful on desktop and server, other files can be created for desktop and server if needed) | |
* [x] │ ├── security-misc.gconf-defaults (desktop) (nautilus won't be present on a server) | |
* [x] │ ├── security-misc.install (shared) (for shared file installation, separate files will be made for desktop and server) | |
* [x] │ ├── security-misc.links (shared) (useful on desktop and server) | |
* [x] │ ├── security-misc.maintscript (shared) (needs to remain in shared since the original security-misc used to ship these and now doesn't. New files can be created for desktop and server if need be) | |
* [x] │ ├── security-misc.postinst (mixed) (see below) | |
* [x] │ │ ├── `glib-compile-schemas /usr/share/glib-2.0/schemas || true` (desktop) (glib-compile-schemas is of no use on a server) | |
* [x] │ │ └── everything else (shared) (useful for server and desktop) | |
* [x] │ ├── security-misc.postrm (shared) (useful on desktop and server) | |
* [x] │ ├── security-misc.preinst (shared) (useful on desktop and server) | |
* [x] │ ├── security-misc.prerm (shared) (useful on desktop and server) | |
* [x] │ ├── security-misc.triggers (shared) (needs to remain with security-misc.postinst's shared components) | |
* [x] │ ├── security-misc.undisplace (shared) (needs to remain in the package that once displaced the listed files) | |
* [x] │ ├── source (n/a) (n/a) | |
* [x] │ │ ├── format (n/a) (n/a) | |
* [x] │ │ └── lintian-overrides (n/a) (n/a) | |
* [x] │ └── watch (n/a) (n/a) | |
* [x] ├── etc (shared) (useful on desktop and server) | |
* [x] │ ├── apparmor.d (shared) (useful on desktop and server) | |
* [x] │ │ └── tunables (shared) (useful on desktop and server) | |
* [x] │ │ └── home.d (shared) (useful on desktop and server) | |
* [x] │ │ └── security-misc (shared) (useful on desktop and server) | |
* [x] │ ├── apt (shared) (all subfiles are shared) | |
* [x] │ │ └── apt.conf.d (shared) (all subfiles are shared) | |
* [x] │ │ ├── 40error-on-any (shared) (useful on both desktop and server) | |
* [x] │ │ └── 40sandbox (shared) (useful on both desktop and server) | |
* [x] │ ├── bluetooth (desktop) (all subfiles are desktop) | |
* [x] │ │ └── 30_security-misc.conf (desktop) (bluez should only be present on desktops) | |
* [x] │ ├── default (shared) (useful on both desktop and server) | |
* [x] │ │ └── grub.d (shared) (useful on both desktop and server) | |
* [x] │ │ ├── 40_cpu_mitigations.cfg (shared) (useful on both desktop and server) | |
* [x] │ │ ├── 40_kernel_hardening.cfg (shared) (useful on both desktop and server) | |
* [x] │ │ ├── 40_remount_secure.cfg (shared) (useful on both desktop and server) | |
* [x] │ │ ├── 40_signed_modules.cfg (shared) (useful on both desktop and server) | |
* [x] │ │ └── 41_quiet_boot.cfg (shared) (useful on both desktop and server) | |
* [!] │ ├── dkms (none) (see files below) | |
* [!] │ │ └── framework.conf.d (none) (see files below) | |
* [!] │ │ └── 30_security-misc.conf (none) (should be moved out of security-misc) | |
* [x] │ ├── dracut.conf.d (shared) (useful on desktop and server) | |
* [x] │ │ └── 30-security-misc.conf (shared) (useful on desktop and server) | |
* [x] │ ├── gitconfig (shared) (useful on desktop and server, servers may use git too) | |
* [x] │ ├── hide-hardware-info.d (shared) (useful on desktop and server) | |
* [x] │ │ └── 30_default.conf (shared) (useful on desktop and server) | |
* [x] │ ├── initramfs-tools (shared) (useful on desktop and server) | |
* [x] │ │ ├── hooks (shared) (useful on desktop and server) | |
* [x] │ │ │ └── sysctl-initramfs (shared) (useful on desktop and server) | |
* [x] │ │ └── scripts (shared) (useful on desktop and server) | |
* [x] │ │ └── init-bottom (shared) (useful on desktop and server) | |
* [x] │ │ └── sysctl-initramfs (shared) (useful on desktop and server) | |
* [x] │ ├── kernel (shared) (useful on desktop and server) | |
* [x] │ │ └── postinst.d (shared) (useful on desktop and server) | |
* [x] │ │ └── 30_remove-system-map (shared) (useful on desktop and server) | |
* [x] │ ├── modprobe.d (mixed) (see below) | |
* [x] │ │ ├── 30_security-misc_blacklist.conf (shared) (useful on desktop and server) | |
* [x] │ │ ├── 30_security-misc_conntrack.conf (shared) (useful on desktop and server) | |
* [x] │ │ └── 30_security-misc_disable.conf (mixed) (**MUST** be split up; exactly how is currently unclear) | |
* [x] │ │ ├── ## Firewire (IEEE 1394): (shared) (useful on desktop and server) | |
* [x] │ │ ├── install dv1394 /usr/bin/disabled-firewire-by-security-misc (^) (^) | |
* [x] │ │ ├── install firewire-core /usr/bin/disabled-firewire-by-security-misc (^) (^) | |
* [x] │ │ ├── install firewire-ohci /usr/bin/disabled-firewire-by-security-misc (^) (^) | |
* [x] │ │ ├── install firewire-net /usr/bin/disabled-firewire-by-security-misc (^) (^) | |
* [x] │ │ ├── install firewire-sbp2 /usr/bin/disabled-firewire-by-security-misc (^) (^) | |
* [x] │ │ ├── install ohci1394 /usr/bin/disabled-firewire-by-security-misc (^) (^) | |
* [x] │ │ ├── install raw1394 /usr/bin/disabled-firewire-by-security-misc (^) (^) | |
* [x] │ │ ├── install sbp2 /usr/bin/disabled-firewire-by-security-misc (^) (^) | |
* [x] │ │ ├── install video1394 /usr/bin/disabled-firewire-by-security-misc (^) (^) | |
* [x] │ │ ├── ## Global Positioning System (GPS): (shared) (useful on desktop and server) | |
* [x] │ │ ├── install garmin_gps /usr/bin/disabled-gps-by-security-misc (^) (^) | |
* [x] │ │ ├── install gnss /usr/bin/disabled-gps-by-security-misc (^) (^) | |
* [x] │ │ ├── install gnss-mtk /usr/bin/disabled-gps-by-security-misc (^) (^) | |
* [x] │ │ ├── install gnss-serial /usr/bin/disabled-gps-by-security-misc (^) (^) | |
* [x] │ │ ├── install gnss-sirf /usr/bin/disabled-gps-by-security-misc (^) (^) | |
* [x] │ │ ├── install gnss-ubx /usr/bin/disabled-gps-by-security-misc (^) (^) | |
* [x] │ │ ├── install gnss-usb /usr/bin/disabled-gps-by-security-misc (^) (^) | |
* [x] │ │ ├── ## Intel Platform Monitoring Technology (PMT) Telemetry: (shared) (useful on desktop and server, sysadmin can enable themselves if they want) | |
* [x] │ │ ├── install pmt_class /usr/bin/disabled-intelpmt-by-security-misc (^) (^) | |
* [x] │ │ ├── install pmt_crashlog /usr/bin/disabled-intelpmt-by-security-misc (^) (^) | |
* [x] │ │ ├── install pmt_telemetry /usr/bin/disabled-intelpmt-by-security-misc (^) (^) | |
* [x] │ │ ├── ## Thunderbolt (shared) (useful on desktop and server) | |
* [x] │ │ ├── install intel-wmi-thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc (^) (^) | |
* [x] │ │ ├── install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc (^) (^) | |
* [x] │ │ ├── install thunderbolt_net /usr/bin/disabled-thunderbolt-by-security-misc (^) (^) | |
* [x] │ │ ├── ## File Systems: (shared) (useful on desktop and server, don't expect these will be needed on a server usually) | |
* [x] │ │ ├── install cramfs /usr/bin/disabled-filesys-by-security-misc (^) (^) | |
* [x] │ │ ├── install freevxfs /usr/bin/disabled-filesys-by-security-misc (^) (^) | |
* [x] │ │ ├── install hfs /usr/bin/disabled-filesys-by-security-misc (^) (^) | |
* [x] │ │ ├── install hfsplus /usr/bin/disabled-filesys-by-security-misc (^) (^) | |
* [x] │ │ ├── install jffs2 /usr/bin/disabled-filesys-by-security-misc (^) (^) | |
* [x] │ │ ├── install jfs /usr/bin/disabled-filesys-by-security-misc (^) (^) | |
* [x] │ │ ├── install reiserfs /usr/bin/disabled-filesys-by-security-misc (^) (^) | |
* [x] │ │ ├── install udf /usr/bin/disabled-filesys-by-security-misc (^) (^) | |
* [x] │ │ ├── ## Network File Systems: (shared) (useful on desktop and server, sysadmin can enable themselves if they want) | |
* [x] │ │ ├── install gfs2 /usr/bin/disabled-netfilesys-by-security-misc (^) (^) | |
* [x] │ │ ├── install ksmbd /usr/bin/disabled-netfilesys-by-security-misc (^) (^) | |
* [x] │ │ ├── ## Common Internet File System (CIFS): (shared) (CIFS is obsolete) | |
* [x] │ │ ├── install cifs /usr/bin/disabled-netfilesys-by-security-misc (^) (^) | |
* [x] │ │ ├── install cifs_arc4 /usr/bin/disabled-netfilesys-by-security-misc (^) (^) | |
* [x] │ │ ├── install cifs_md4 /usr/bin/disabled-netfilesys-by-security-misc (^) (^) | |
* [x] │ │ ├── ## Network File System (NFS): (^) (^) | |
* [x] │ │ ├── install nfs /usr/bin/disabled-netfilesys-by-security-misc (desktop) (NFS is vital on file servers) | |
* [x] │ │ ├── install nfs_acl /usr/bin/disabled-netfilesys-by-security-misc (^) (^) | |
* [x] │ │ ├── install nfs_layout_nfsv41_files /usr/bin/disabled-netfilesys-by-security-misc (^) (^) | |
* [x] │ │ ├── install nfs_layout_flexfiles /usr/bin/disabled-netfilesys-by-security-misc (^) (^) | |
* [x] │ │ ├── install nfsd /usr/bin/disabled-netfilesys-by-security-misc (^) (^) | |
* [x] │ │ ├── install nfsv2 /usr/bin/disabled-netfilesys-by-security-misc (^) (^) | |
* [x] │ │ ├── install nfsv3 /usr/bin/disabled-netfilesys-by-security-misc (^) (^) | |
* [x] │ │ ├── install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc (^) (^) | |
* [x] │ │ ├── ## Network Protocols: (shared) (obscure protocols, probably useless on most servers, sysadmin can manually override if needed) | |
* [x] │ │ ├── install af_802154 /usr/bin/disabled-network-by-security-misc (^) (^) | |
* [x] │ │ ├── install appletalk /usr/bin/disabled-network-by-security-misc (^) (^) | |
* [x] │ │ ├── install ax25 /usr/bin/disabled-network-by-security-misc (^) (^) | |
* [x] │ │ ├── install decnet /usr/bin/disabled-network-by-security-misc (^) (^) | |
* [x] │ │ ├── install dccp /usr/bin/disabled-network-by-security-misc (^) (^) | |
* [x] │ │ ├── install econet /usr/bin/disabled-network-by-security-misc (^) (^) | |
* [x] │ │ ├── install eepro100 /usr/bin/disabled-network-by-security-misc (^) (^) | |
* [x] │ │ ├── install eth1394 /usr/bin/disabled-network-by-security-misc (^) (^) | |
* [x] │ │ ├── install ipx /usr/bin/disabled-network-by-security-misc (^) (^) | |
* [x] │ │ ├── install n-hdlc /usr/bin/disabled-network-by-security-misc (^) (^) | |
* [x] │ │ ├── install netrom /usr/bin/disabled-network-by-security-misc (^) (^) | |
* [x] │ │ ├── install p8022 /usr/bin/disabled-network-by-security-misc (^) (^) | |
* [x] │ │ ├── install p8023 /usr/bin/disabled-network-by-security-misc (^) (^) | |
* [x] │ │ ├── install psnap /usr/bin/disabled-network-by-security-misc (^) (^) | |
* [x] │ │ ├── install rose /usr/bin/disabled-network-by-security-misc (^) (^) | |
* [x] │ │ ├── install x25 /usr/bin/disabled-network-by-security-misc (^) (^) | |
* [x] │ │ ├── ## Asynchronous Transfer Mode (ATM): (shared) (obsolete networking technology) | |
* [x] │ │ ├── install atm /usr/bin/disabled-network-by-security-misc (^) (^) | |
* [x] │ │ ├── install ueagle-atm /usr/bin/disabled-network-by-security-misc (^) (^) | |
* [x] │ │ ├── install usbatm /usr/bin/disabled-network-by-security-misc (^) (^) | |
* [x] │ │ ├── install xusbatm /usr/bin/disabled-network-by-security-misc (^) (^) | |
* [x] │ │ ├── ## Controller Area Network (CAN) Protocol: (shared) (used in machinery and vehicles mostly, almost certainly unnecessary) | |
* [x] │ │ ├── install c_can /usr/bin/disabled-network-by-security-misc (^) (^) | |
* [x] │ │ ├── install c_can_pci /usr/bin/disabled-network-by-security-misc (^) (^) | |
* [x] │ │ ├── install c_can_platform /usr/bin/disabled-network-by-security-misc (^) (^) | |
* [x] │ │ ├── install can /usr/bin/disabled-network-by-security-misc (^) (^) | |
* [x] │ │ ├── install can-bcm /usr/bin/disabled-network-by-security-misc (^) (^) | |
* [x] │ │ ├── install can-dev /usr/bin/disabled-network-by-security-misc (^) (^) | |
* [x] │ │ ├── install can-gw /usr/bin/disabled-network-by-security-misc (^) (^) | |
* [x] │ │ ├── install can-isotp /usr/bin/disabled-network-by-security-misc (^) (^) | |
* [x] │ │ ├── install can-raw /usr/bin/disabled-network-by-security-misc (^) (^) | |
* [x] │ │ ├── install can-j1939 /usr/bin/disabled-network-by-security-misc (^) (^) | |
* [x] │ │ ├── install can327 /usr/bin/disabled-network-by-security-misc (^) (^) | |
* [x] │ │ ├── install ifi_canfd /usr/bin/disabled-network-by-security-misc (^) (^) | |
* [x] │ │ ├── install janz-ican3 /usr/bin/disabled-network-by-security-misc (^) (^) | |
* [x] │ │ ├── install m_can /usr/bin/disabled-network-by-security-misc (^) (^) | |
* [x] │ │ ├── install m_can_pci /usr/bin/disabled-network-by-security-misc (^) (^) | |
* [x] │ │ ├── install m_can_platform /usr/bin/disabled-network-by-security-misc (^) (^) | |
* [x] │ │ ├── install phy-can-transceiver /usr/bin/disabled-network-by-security-misc (^) (^) | |
* [x] │ │ ├── install slcan /usr/bin/disabled-network-by-security-misc (^) (^) | |
* [x] │ │ ├── install ucan /usr/bin/disabled-network-by-security-misc (^) (^) | |
* [x] │ │ ├── install vxcan /usr/bin/disabled-network-by-security-misc (^) (^) | |
* [x] │ │ ├── install vcan /usr/bin/disabled-network-by-security-misc (^) (^) | |
* [x] │ │ ├── ## Transparent Inter Process Communication (TIPC): (^) (^) | |
* [x] │ │ ├── install tipc /usr/bin/disabled-network-by-security-misc (shared) (obscure protocol for communication in clusters) | |
* [x] │ │ ├── install tipc_diag /usr/bin/disabled-network-by-security-misc (^) (^) | |
* [x] │ │ ├── ## Reliable Datagram Sockets (RDS): (^) (^) | |
* [x] │ │ ├── install rds /usr/bin/disabled-network-by-security-misc (shared) (obscure protocol, has had serious vulnerabilities) | |
* [x] │ │ ├── install rds_rdma /usr/bin/disabled-network-by-security-misc (^) (^) | |
* [x] │ │ ├── install rds_tcp /usr/bin/disabled-network-by-security-misc (^) (^) | |
* [x] │ │ ├── ## Stream Control Transmission Protocol (SCTP): (shared) (somewhat obscure protocol, sysadmin can enable themselves if they want) | |
* [x] │ │ ├── install sctp /usr/bin/disabled-network-by-security-misc (^) (^) | |
* [x] │ │ ├── install sctp_diag /usr/bin/disabled-network-by-security-misc (^) (^) | |
* [x] │ │ ├── ## Amateur Radios (shared) (can be enabled by end user if wanted) | |
* [x] │ │ ├── install hamradio /usr/bin/disabled-miscellaneous-by-security-misc (^) (^) | |
* [x] │ │ ├── ## Floppy Disks: (shared) (it's 2024 for crying out loud, we don't use these) | |
* [x] │ │ ├── install floppy /usr/bin/disabled-miscellaneous-by-security-misc (^) (^) | |
* [x] │ │ ├── ## Framebuffer (fbdev): (shared) (ancient, obsolete) | |
* [x] │ │ ├── install aty128fb /usr/bin/disabled-framebuffer-by-security-misc (^) (^) | |
* [x] │ │ ├── install atyfb /usr/bin/disabled-framebuffer-by-security-misc (^) (^) | |
* [x] │ │ ├── install cirrusfb /usr/bin/disabled-framebuffer-by-security-misc (^) (^) | |
* [x] │ │ ├── install cyber2000fb /usr/bin/disabled-framebuffer-by-security-misc (^) (^) | |
* [x] │ │ ├── install cyblafb /usr/bin/disabled-framebuffer-by-security-misc (^) (^) | |
* [x] │ │ ├── install gx1fb /usr/bin/disabled-framebuffer-by-security-misc (^) (^) | |
* [x] │ │ ├── install hgafb /usr/bin/disabled-framebuffer-by-security-misc (^) (^) | |
* [x] │ │ ├── install i810fb /usr/bin/disabled-framebuffer-by-security-misc (^) (^) | |
* [x] │ │ ├── install intelfb /usr/bin/disabled-framebuffer-by-security-misc (^) (^) | |
* [x] │ │ ├── install kyrofb /usr/bin/disabled-framebuffer-by-security-misc (^) (^) | |
* [x] │ │ ├── install lxfb /usr/bin/disabled-framebuffer-by-security-misc (^) (^) | |
* [x] │ │ ├── install matroxfb_bases /usr/bin/disabled-framebuffer-by-security-misc (shared) (ancient, obsolete, TYPO'D - THIS SHOULD BE BASE, NOT BASES) | |
* [x] │ │ ├── install neofb /usr/bin/disabled-framebuffer-by-security-misc (^) (^) | |
* [x] │ │ ├── install nvidiafb /usr/bin/disabled-framebuffer-by-security-misc (^) (^) | |
* [x] │ │ ├── install pm2fb /usr/bin/disabled-framebuffer-by-security-misc (^) (^) | |
* [x] │ │ ├── install radeonfb /usr/bin/disabled-framebuffer-by-security-misc (^) (^) | |
* [x] │ │ ├── install rivafb /usr/bin/disabled-framebuffer-by-security-misc (^) (^) | |
* [x] │ │ ├── install s1d13xxxfb /usr/bin/disabled-framebuffer-by-security-misc (^) (^) | |
* [x] │ │ ├── install savagefb /usr/bin/disabled-framebuffer-by-security-misc (^) (^) | |
* [x] │ │ ├── install sisfb /usr/bin/disabled-framebuffer-by-security-misc (^) (^) | |
* [x] │ │ ├── install sstfb /usr/bin/disabled-framebuffer-by-security-misc (^) (^) | |
* [x] │ │ ├── install tdfxfb /usr/bin/disabled-framebuffer-by-security-misc (^) (^) | |
* [x] │ │ ├── install tridentfb /usr/bin/disabled-framebuffer-by-security-misc (^) (^) | |
* [x] │ │ ├── install vesafb /usr/bin/disabled-framebuffer-by-security-misc (^) (^) | |
* [x] │ │ ├── install vfb /usr/bin/disabled-framebuffer-by-security-misc (^) (^) | |
* [x] │ │ ├── install viafb /usr/bin/disabled-framebuffer-by-security-misc (^) (^) | |
* [x] │ │ ├── install vt8623fb /usr/bin/disabled-framebuffer-by-security-misc (^) (^) | |
* [x] │ │ ├── install udlfb /usr/bin/disabled-framebuffer-by-security-misc (^) (^) | |
* [x] │ │ ├── ## Replaced Modules: (shared) (useful on desktop and server) | |
* [x] │ │ ├── install asus_acpi /usr/bin/disabled-miscellaneous-by-security-misc (^) (^) | |
* [x] │ │ ├── install bcm43xx /usr/bin/disabled-miscellaneous-by-security-misc (^) (^) | |
* [x] │ │ ├── install de4x5 /usr/bin/disabled-miscellaneous-by-security-misc (^) (^) | |
* [x] │ │ ├── install prism54 /usr/bin/disabled-miscellaneous-by-security-misc (^) (^) | |
* [x] │ │ ├── ## Vivid: (shared) (useful on desktop and server) | |
* [x] │ │ └── install vivid /usr/bin/disabled-miscellaneous-by-security-misc (^) (^) | |
* [x] │ ├── permission-hardener.d (mixed) (see file comments below) | |
* [x] │ │ ├── 25_default_passwd.conf (shared) (useful on desktop and server) | |
* [x] │ │ ├── 25_default_sudo.conf (shared) (useful on desktop and server) | |
* [x] │ │ ├── 25_default_whitelist_bubblewrap.conf (desktop) (bubblewrap sandboxing isn't useful on a server in most instances) | |
* [x] │ │ ├── 25_default_whitelist_chromium.conf (desktop) (chrome-sandbox should NEVER exist on a server) | |
* [x] │ │ ├── 25_default_whitelist_dbus.conf (shared) (useful on desktop and server) | |
* [x] │ │ ├── 25_default_whitelist_firejail.conf (shared) (useful on desktop and server) | |
* [x] │ │ ├── 25_default_whitelist_fuse.conf (desktop) (servers should probably not be using appimages) | |
* [x] │ │ ├── 25_default_whitelist_hardened_malloc.conf (server) (desktops don't use hardened-malloc) | |
* [x] │ │ ├── 25_default_whitelist_mount.conf (shared) (useful on desktop and server) | |
* [x] │ │ ├── 25_default_whitelist_pam.conf (shared) (seems to be mostly XFCE-related but PAM sounds important for servers too) | |
* [x] │ │ ├── 25_default_whitelist_policykit.conf (shared) (useful on desktop and server, pkexec isn't necessarily limited to desktops) | |
* [x] │ │ ├── 25_default_whitelist_postfix.conf (server) (desktops shouldn't run postfix) | |
* [x] │ │ ├── 25_default_whitelist_qubes.conf (shared) (useful on desktop and server) | |
* [x] │ │ ├── 25_default_whitelist_selinux.conf (shared) (useful on desktop and server) | |
* [x] │ │ ├── 25_default_whitelist_spice.conf (desktop) (only desktops need USB passthrough with SPICE) | |
* [x] │ │ ├── 25_default_whitelist_ssh.conf (shared) (useful on desktop and server) | |
* [x] │ │ ├── 25_default_whitelist_sudo.conf (shared) (useful on desktop and server) | |
* [x] │ │ ├── 25_default_whitelist_unix_chkpwd.conf (shared) (useful on desktop and server) | |
* [x] │ │ ├── 25_default_whitelist_virtualbox.conf (shared) (useful on desktop and server, VBox is used for server virtualization sometimes) | |
* [x] │ │ └── 30_default.conf (shared) (useful on desktop and server) | |
* [x] │ ├── profile.d (shared) (useful on desktop and server) | |
* [x] │ │ └── 30_security-misc.sh (shared) (useful on desktop and server) | |
* [x] │ ├── securetty.security-misc (shared) (useful on desktop and server) | |
* [x] │ ├── security (shared) (useful on desktop and server) | |
* [x] │ │ ├── access-security-misc.conf (shared) (useful on desktop and server) | |
* [x] │ │ ├── faillock.conf.security-misc (shared) (useful on desktop and server) | |
* [x] │ │ └── limits.d (shared) (useful on desktop and server) | |
* [x] │ │ └── 30_security-misc.conf (shared) (useful on desktop and server) | |
* [x] │ ├── skel (mixed) (see file comments below) | |
* [x] │ │ ├── .config (desktop) (see below) | |
* [x] │ │ │ └── xfce4 (desktop) (xfce4 *is* a desktop) | |
* [x] │ │ │ └── xfconf (desktop) (see above) | |
* [x] │ │ │ └── xfce-perchannel-xml (desktop) (see above) | |
* [x] │ │ │ └── thunar.xml (desktop) (see above) | |
* [x] │ │ └── .gnupg (shared) (useful on desktop and server) | |
* [x] │ │ └── gpg.conf (shared) (useful on desktop and server) | |
* [x] │ ├── sudoers.d (mixed) (see file comments below) | |
* [x] │ │ ├── pkexec-security-misc (shared) (useful on desktop and server) | |
* [x] │ │ ├── security-misc (shared) (useful on desktop and server) | |
* [x] │ │ └── xfce-security-misc (desktop) (only useful with XFCE) | |
* [x] │ ├── systemd (shared) (useful on desktop and server) | |
* [x] │ │ └── system (shared) (useful on desktop and server) | |
* [x] │ │ ├── emergency.service.d (shared) (useful on desktop and server) | |
* [x] │ │ │ └── override.conf (shared) (useful on desktop and server) | |
* [x] │ │ └── rescue.service.d (shared) (useful on desktop and server) | |
* [x] │ │ └── override.conf (shared) (useful on desktop and server) | |
* [x] │ └── thunderbird (desktop) (thunderbird is a desktop app) | |
* [x] │ └── pref (desktop) (see above) | |
* [x] │ └── 40_security-misc.js (desktop) (see above) | |
* [x] ├── Makefile.builder (n/a) (n/a) | |
* [x] ├── README_generic.md (n/a) (n/a) | |
* [x] ├── README.md (n/a) (n/a) | |
* [x] ├── rpm_spec (n/a) (n/a) | |
* [x] │ └── security-misc.spec.in (n/a) (n/a) | |
* [x] ├── usr (mixed) (see below) | |
* [x] │ ├── bin (mixed) (see below) | |
* [x] │ │ ├── disabled-bluetooth-by-security-misc (shared) (useful on desktop and server) | |
* [x] │ │ ├── disabled-cdrom-by-security-misc (shared) (useful on desktop and server) | |
* [x] │ │ ├── disabled-filesys-by-security-misc (shared) (useful on desktop and server) | |
* [x] │ │ ├── disabled-firewire-by-security-misc (shared) (useful on desktop and server) | |
* [x] │ │ ├── disabled-framebuffer-by-security-misc (shared) (useful on desktop and server) | |
* [x] │ │ ├── disabled-gps-by-security-misc (shared) (useful on desktop and server) | |
* [x] │ │ ├── disabled-intelme-by-security-misc (shared) (useful on desktop and server) | |
* [x] │ │ ├── disabled-intelpmt-by-security-misc (shared) (useful on desktop and server) | |
* [x] │ │ ├── disabled-miscellaneous-by-security-misc (shared) (useful on desktop and server) | |
* [x] │ │ ├── disabled-netfilesys-by-security-misc (shared) (useful on desktop and server) | |
* [x] │ │ ├── disabled-network-by-security-misc (shared) (useful on desktop and server) | |
* [x] │ │ ├── disabled-thunderbolt-by-security-misc (shared) (useful on desktop and server) | |
* [x] │ │ ├── permission-hardener (shared) (useful on desktop and server) | |
* [!] │ │ ├── pkexec.security-misc (shared) (useful on desktop and server, however lxqt-sudo won't be present on a server, but pkexec may be used on a server. Resolve by allowing the use of sudo.) | |
* [x] │ │ └── remount-secure (shared) (useful on desktop and server) | |
* [x] │ ├── lib (shared) (useful on desktop and server) | |
* [x] │ │ ├── dracut (shared) (useful on desktop and server) | |
* [x] │ │ │ └── modules.d-disabled (shared) (useful on desktop and server) | |
* [x] │ │ │ └── 20remount-secure (shared) (useful on desktop and server) | |
* [x] │ │ │ ├── module-setup.sh (shared) (useful on desktop and server) | |
* [x] │ │ │ └── remount-secure.sh (shared) (useful on desktop and server) | |
* [x] │ │ ├── issue.d (shared) (useful on desktop and server) | |
* [x] │ │ │ └── 20_security-misc.issue (shared) (useful on desktop and server) | |
* [x] │ │ ├── modules-load.d (shared) (useful on desktop and server) | |
* [x] │ │ │ └── 30_security-misc.conf (shared) (useful on desktop and server) | |
* [x] │ │ ├── NetworkManager (desktop) (options here are only useful on desktop, a server or shared variant can be made later if needed) | |
* [x] │ │ │ └── conf.d (desktop) (options here are only useful on desktop, a server or shared variant can be made later if needed) | |
* [x] │ │ │ ├── 80_ipv6-privacy.conf (desktop) (only useful and safe on desktop) | |
* [x] │ │ │ └── 80_randomize-mac.conf (desktop) (only useful and safe on desktop) | |
* [x] │ │ ├── sysctl.d (shared) (useful on desktop and server) | |
* [x] │ │ │ ├── 30_security-misc_kexec-disable.conf (shared) (useful on desktop and server) | |
* [x] │ │ │ ├── 30_silent-kernel-printk.conf (shared) (useful on desktop and server) | |
* [x] │ │ │ └── 990-security-misc.conf (shared) (useful on desktop and server) | |
* [x] │ │ └── systemd (mixed) (see below) | |
* [x] │ │ ├── coredump.conf.d (shared) (useful on desktop and server) | |
* [x] │ │ │ └── 30_security-misc.conf (shared) (useful on desktop and server) | |
* [x] │ │ ├── networkd.conf.d (desktop) (only useful and safe on desktop) | |
* [x] │ │ │ └── 80_ipv6-privacy-extensions.conf (desktop) (only useful and safe on desktop) | |
* [x] │ │ ├── system (shared) (useful on desktop and server) | |
* [x] │ │ │ ├── harden-module-loading.service (shared) (useful on desktop and server) | |
* [x] │ │ │ ├── haveged.service.d (shared) (useful on desktop and server) | |
* [x] │ │ │ │ └── 30_security-misc.conf (shared) (useful on desktop and server) | |
* [x] │ │ │ ├── hide-hardware-info.service (shared) (useful on desktop and server) | |
* [!] │ │ │ ├── panic-on-oops.service (shared) (useful on desktop and server, systemd config looks invalid with a conflict between WantedBy and After) | |
* [x] │ │ │ ├── permission-hardener.service (shared) (useful on desktop and server) | |
* [x] │ │ │ ├── proc-hidepid.service (shared) (useful on desktop and server) | |
* [x] │ │ │ ├── remount-secure.service (shared) (useful on desktop and server) | |
* [x] │ │ │ ├── remove-system-map.service (shared) (useful on desktop and server) | |
* [x] │ │ │ ├── sysinit-post.target (shared) (useful on desktop and server) | |
* [x] │ │ │ └── user@.service.d (shared) (useful on desktop and server) | |
* [x] │ │ │ └── sysfs.conf (shared) (useful on desktop and server) | |
* [x] │ │ └── system-preset (shared) (useful on desktop and server) | |
* [x] │ │ └── 50-security-misc.preset (shared) (useful on desktop and server) | |
* [x] │ ├── libexec (shared) (useful on desktop and server) | |
* [x] │ │ └── security-misc (shared) (useful on desktop and server) | |
* [x] │ │ ├── apt-get-update (shared) (useful on desktop and server) | |
* [x] │ │ ├── apt-get-update-sanity-test (shared) (useful on desktop and server) | |
* [x] │ │ ├── askpass (shared) (useful on desktop and server) | |
* [!] │ │ ├── disable-kernel-module-loading (shared) (useful on desktop and server, BUT SOMEHOW ISN'T SET EXECUTABLE???) | |
* [x] │ │ ├── echo-path (shared) (useful on desktop and server) | |
* [x] │ │ ├── hide-hardware-info (shared) (useful on desktop and server) | |
* [x] │ │ ├── mmap-rnd-bits (shared) (useful on desktop and server) | |
* [x] │ │ ├── pam-abort-on-locked-password (shared) (useful on desktop and server) | |
* [x] │ │ ├── pam_faillock_not_if_x (shared) (useful on desktop and server) | |
* [x] │ │ ├── pam-info (shared) (useful on desktop and server) | |
* [x] │ │ ├── pam_only_if_login (shared) (useful on desktop and server) | |
* [x] │ │ ├── panic-on-oops (shared) (useful on desktop and server) | |
* [x] │ │ ├── permission-lockdown (shared) (useful on desktop and server) | |
* [x] │ │ ├── remove-system.map (shared) (useful on desktop and server) | |
* [x] │ │ └── virusforget (shared) (useful on desktop and server) | |
* [x] │ └── share (mixed) (see below) | |
* [x] │ ├── doc (shared) (useful on desktop and server) | |
* [x] │ │ └── security-misc (shared) (useful on desktop and server) | |
* [x] │ │ └── fstab-vm (shared) (useful on desktop and server) | |
* [x] │ ├── glib-2.0 (desktop) (see below) | |
* [x] │ │ └── schemas (desktop) (see below) | |
* [x] │ │ └── 30_security-misc.gschema.override (desktop) (file manager only exists on desktop) | |
* [x] │ ├── lintian (shared) (needs to remain in shared) | |
* [x] │ │ └── overrides (shared) (needs to remain in shared) | |
* [x] │ │ └── security-misc (shared) (needs to remain in shared) | |
* [x] │ ├── pam-configs (shared) (useful on desktop and server) | |
* [x] │ │ ├── console-lockdown-security-misc (shared) (useful on desktop and server) | |
* [x] │ │ ├── faillock-preauth-security-misc (shared) (useful on desktop and server) | |
* [x] │ │ ├── mkhomedir-security-misc (shared) (useful on desktop and server) | |
* [x] │ │ ├── pam-abort-on-locked-password-security-misc (shared) (useful on desktop and server) | |
* [x] │ │ ├── unix-faillock-security-misc (shared) (useful on desktop and server) | |
* [x] │ │ └── wheel-security-misc (shared) (useful on desktop and server) | |
* [x] │ └── security-misc (mixed) (see below) | |
* [x] │ ├── dolphinrc (desktop) (dolphin should only exist on a desktop) | |
* [x] │ └── lkrg (shared) (useful on desktop and server) | |
* [x] │ ├── 30-lkrg-virtualbox.conf (shared) (useful on desktop and server, servers use VBox too) | |
* [x] │ └── lkrg-virtualbox (shared) (useful on desktop and server, servers use VBox too) | |
* [x] ├── var (shared) (useful on desktop and server) | |
* [x] │ └── cache (shared) (useful on desktop and server) | |
* [x] │ └── security-misc (shared) (useful on desktop and server) | |
* [x] │ └── state-files (shared) (useful on desktop and server) | |
* [x] │ └── placeholder (shared) (useful on desktop and server) | |
* [x] └── version (shared) (useful on desktop and server) |