
Update README with comprehensive documentation improvements #363

Open
assisted-by-ai wants to merge 1 commit into Kicksecure:master from assisted-by-ai:claude/audit-readme-docs-YaAJV

@assisted-by-ai

Summary

This PR updates the README.md documentation to reflect recent implementation changes, add missing feature documentation, and improve clarity on various security hardening features.

Key Changes

Documentation Updates

  • Marked Speculative Return Stack Overflow (SRSO) mitigation as optional
  • Added comprehensive documentation for kernel console output suppression during boot
  • Added documentation for recovery mode restrictions
  • Expanded Bluetooth configuration details with specific settings and rationale
  • Added detailed faillock configuration documentation with specific parameters
  • Updated SSH client/server hardening descriptions with specific cryptographic restrictions
  • Added git configuration hardening documentation
  • Added comprehensive USBGuard section documenting USB device authorization rules
  • Added new "Systemd preset defaults" section documenting disabled-by-default services

File Path Updates

  • Updated references from debian/security-misc.postinst to debian/security-misc-shared.postinst
  • Updated systemd paths from /lib/systemd/ to /usr/lib/systemd/
  • Updated permission-hardener paths from /etc/permission-hardener.d to /usr/lib/permission-hardener.d

New Features Documented

  • Kernel console output suppression via loglevel=0 and quiet parameters
  • Recovery mode restrictions preventing physical attacks
  • Detailed Bluetooth controller restrictions and privacy settings
  • Faillock configuration with 7-day failure tracking window and manual unlock requirement
  • Emergency shutdown service with dracut module integration and udev rules
  • Thunar file manager hardening (thumbnails, volume management, network bookmarks)
  • Multiple new helper scripts and utilities:
    • virusforget for detecting unauthorized shell startup file changes
    • askpass for GUI password prompts
    • check-for-usb-controller for conditional USBGuard activation
    • pam_only_if_login and pam_only_if_su for PAM conditional helpers
    • block-unsafe-logins for privileged account protection
  • AppArmor tunable for config-package-dev displaced files
  • Custom sysinit-post.target for boot synchronization
  • Systemd drop-in for sysfs supplementary group access
  • LKRG VirtualBox compatibility management

Removed Content

  • Removed "Access rights relaxations" section (pkexec/lxqt-sudo workaround) as it's no longer applicable

Notable Implementation Details

  • Emergency shutdown service is disabled by default and requires manual enablement
  • Default panic key sequence changed from Ctrl+Alt+Delete to Ctrl+Alt+End
  • USBGuard uses implicit block policy with specific device class restrictions
  • Multiple systemd services are explicitly disabled by default in the preset
  • Faillock is skipped for remote services (sshd, dovecot) to prevent remote lockout attacks

https://claude.ai/code/session_0125G25dF8DVff618hmCMMNw

Fix outdated/wrong documentation:
- Replace tally2-security-misc PAM reference with faillock equivalents
- Fix debian/security-misc.postinst -> debian/security-misc-shared.postinst (3 locations)
- Fix /lib/systemd -> /usr/lib/systemd for permission-hardener.service
- Fix /etc/permission-hardener.d -> /usr/lib/permission-hardener.d
- Fix /lib/systemd -> /usr/lib/systemd for haveged drop-in
- Mark SRSO CPU mitigation as Optional (commented out in code)
- Fix emergency shutdown key combo from Ctrl+Alt+Delete to Ctrl+Alt+End
- Remove nonexistent pkexec.security-misc section

Add documentation for previously undocumented features:
- USBGuard integration (device rules, daemon config, IPC access)
- Recovery mode restriction (GRUB, dracut shell/emergency)
- Quiet boot configuration (loglevel, printk)
- Git hardening (symlinks, fsckObjects)
- LKRG VirtualBox compatibility
- Emergency shutdown dracut module and udev rules
- Block unsafe logins PAM module
- virusforget script (noted as WIP)
- askpass GUI helper
- check-for-usb-controller helper
- PAM conditional helpers (pam_only_if_login, pam_only_if_su)
- kill-vboxdrmclient-on-shutdown service
- XDG_CONFIG_DIRS setup via profile.d
- AppArmor tunable for displaced files
- sysinit-post.target custom ordering target
- user@.service.d sysfs group drop-in
- Systemd preset defaults section

Improve insufficient documentation:
- SSH: describe crypto restrictions, disabled password auth, disabled forwarding
- Faillock: add fail_interval, unlock_time, even_deny_root, remote skip
- Thunar: add volume management, network bookmark, date format
- Bluetooth: add AutoEnable, timeouts, MaxControllers, Privacy specifics

https://claude.ai/code/session_0125G25dF8DVff618hmCMMNw
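
An added example (not part of the PR or the project's code): a POSIX shell check that a `faillock.conf` matches the faillock policy described above (7-day failure window, manual unlock, `even_deny_root`). The values `604800` and `0` are this example's mapping of that description onto pam_faillock's `fail_interval` and `unlock_time` options; the function names and both sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit faillock.conf text against the policy described in the PR.
# Assumed mapping (not copied from the project's files):
#   7-day window -> fail_interval = 604800; manual unlock -> unlock_time = 0 or "never"

# Print the effective value of KEY ($1) from faillock.conf text on stdin.
# Bare flags (e.g. even_deny_root) print "set". This script takes the last occurrence.
faillock_get() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
    awk -v key="$1" -F'[ \t]*=[ \t]*' '
        $1 == key { val = (NF > 1) ? $2 : "set" }
        END { if (val != "") print val }'
}

# Return 0 if the config text in $1 meets the described policy, 1 otherwise.
# Each deviation is reported on stdout.
audit_faillock() {
    conf=$1
    rc=0
    interval=$(printf '%s\n' "$conf" | faillock_get fail_interval)
    unlock=$(printf '%s\n' "$conf" | faillock_get unlock_time)
    root=$(printf '%s\n' "$conf" | faillock_get even_deny_root)
    [ "$interval" = 604800 ] || { echo "fail_interval is '${interval:-unset}', expected 604800 (7 days)"; rc=1; }
    case $unlock in
        0|never) ;;
        *) echo "unlock_time is '${unlock:-unset}', expected 0 (manual unlock)"; rc=1 ;;
    esac
    [ "$root" = set ] || { echo "even_deny_root is not set"; rc=1; }
    return $rc
}

# Constructed sample configs (not the project's shipped file).
GOOD_CONF='# constructed sample
fail_interval = 604800
unlock_time = 0
even_deny_root'

WEAK_CONF='fail_interval = 900
unlock_time = 600   # auto-unlock after 10 minutes
# even_deny_root'

audit_faillock "$GOOD_CONF" && echo "GOOD_CONF: compliant"
audit_faillock "$WEAK_CONF" || echo "WEAK_CONF: not compliant"
```

To check an installed system, pass the file's contents, for example `audit_faillock "$(cat /etc/security/faillock.conf)"`.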

2 participants