mirror of
https://github.com/trailofbits/algo.git
synced 2025-09-06 03:53:39 +02:00
* Security hardening and certificate authority constraints

This commit addresses Issues #75 and #14804 with defensive security enhancements that provide additional protection layers for edge case scenarios.

## Issue #75: Technically Constrain Root CA

- Add pathlen:0 basic constraints preventing subordinate CA creation
- Implement name constraints restricting certificate issuance to specific IPs
- Add extended key usage restrictions limiting CA scope to VPN certificates
- Separate client/server certificate extensions (serverAuth vs clientAuth)
- Enhanced CA with critical constraints for defense-in-depth when CA keys saved

## Issue #14804: Comprehensive SystemD Security Hardening

- WireGuard: Added systemd hardening as additional defense-in-depth
- StrongSwan: Enhanced systemd configuration complementing AppArmor profiles
- dnscrypt-proxy: Additional systemd security alongside AppArmor protection
- Applied privilege restrictions, filesystem isolation, and system call filtering

## Technical Changes

- CA certificate constraints only relevant when users opt to save CA keys
- SystemD hardening provides additional isolation layers beyond existing AppArmor
- Enhanced client certificate validation for iOS/macOS profiles
- Reliable AppArmor profile enforcement for Ubuntu 22.04

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

* Address PR review feedback and improve code quality

## Fixes Based on Review Feedback:

### Handler Consistency Issues

- Fix notification naming: "daemon reload" → "daemon-reload" for consistency
- Update deprecated syntax: `daemon_reload: yes` → `daemon_reload: true`

### Enhanced CA Certificate Constraints

- Add .mil and .int to excluded DNS domains for completeness
- Add .mil and .int to excluded email domains for consistency
- Add explanatory comment for openssl_constraint_random_id security purpose

## Technical Improvements:

- Ensures proper handler invocation across DNS and WireGuard services
- Provides more comprehensive CA name constraints protection
- Documents the security rationale for UUID-based CA constraints

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

* Address PR review feedback - improve documentation and fix duplicate key

- Add IPv6 documentation range (2001:db8::/32) to excluded ranges
- Add explanatory comment for CA name constraints defense-in-depth purpose
- Remove duplicate DisableMOBIKE key from iOS configuration
- Add comprehensive comments to iOS/macOS mobileconfig parameters
- Explain MOBIKE, redirect disabling, certificate type, and routing settings

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

---------

Co-authored-by: Claude <noreply@anthropic.com>