2021-01-11 21:17:13 -05:00
|
|
|
# Enhances miscellaneous security settings
|
2015-12-15 16:05:03 -05:00
|
|
|
|
2021-01-11 21:17:13 -05:00
|
|
|
## Kernel hardening
|
2019-09-15 10:07:50 -04:00
|
|
|
|
2021-01-11 21:17:13 -05:00
|
|
|
This section is inspired by the Kernel Self Protection Project (KSPP). It
|
|
|
|
implements all recommended Linux kernel settings by the KSPP and many
|
|
|
|
more.
|
2019-09-15 10:07:50 -04:00
|
|
|
|
|
|
|
* https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project
|
|
|
|
|
2021-01-11 21:17:13 -05:00
|
|
|
### sysctl
|
2016-11-21 12:42:55 -05:00
|
|
|
|
2021-01-11 21:17:13 -05:00
|
|
|
sysctl settings are configured via the `/etc/sysctl.d/30_security-misc.conf`
|
|
|
|
configuration file.
|
|
|
|
|
|
|
|
* A kernel pointer points to a specific location in kernel memory. These
|
|
|
|
can be very useful in exploiting the kernel so they are restricted to `CAP_SYSLOG`.
|
|
|
|
|
|
|
|
* The kernel logs are restricted to `CAP_SYSLOG` as they can often leak sensitive
|
|
|
|
information such as kernel pointers.
|
|
|
|
|
|
|
|
* The `ptrace()` system call is restricted to `CAP_SYS_PTRACE`.
|
|
|
|
|
|
|
|
* eBPF is restricted to `CAP_BPF` (`CAP_SYS_ADMIN` on kernel versions prior
|
|
|
|
to 5.8) and JIT hardening techniques such as constant blinding are enabled.
|
|
|
|
|
|
|
|
* Restricts performance events to `CAP_PERFMON` (`CAP_SYS_ADMIN` on kernel
|
|
|
|
versions prior to 5.8).
|
|
|
|
|
|
|
|
* Restricts loading line disciplines to `CAP_SYS_MODULE` to prevent unprivileged
|
|
|
|
attackers from loading vulnerable line disciplines with the `TIOCSETD` ioctl which
|
|
|
|
has been abused in a number of exploits before.
|
|
|
|
|
|
|
|
* Restricts the `userfaultfd()` syscall to `CAP_SYS_PTRACE` as `userfaultfd()` is
|
|
|
|
often abused to exploit use-after-free flaws.
|
2019-06-23 15:51:53 -04:00
|
|
|
|
2021-01-11 21:17:13 -05:00
|
|
|
* Kexec is disabled as it can be used to load a malicious kernel and gain
|
|
|
|
arbitrary code execution in kernel mode.
|
2019-06-23 15:51:53 -04:00
|
|
|
|
2021-01-11 21:17:13 -05:00
|
|
|
* The bits of entropy used for mmap ASLR are increased, therefore improving
|
|
|
|
its effectiveness.
|
2019-06-23 15:51:53 -04:00
|
|
|
|
2021-01-11 21:17:13 -05:00
|
|
|
* Prevents unintentional writes to attacker-controlled files.
|
2019-06-23 15:51:53 -04:00
|
|
|
|
2021-01-11 21:17:13 -05:00
|
|
|
* Prevents common symlink and hardlink TOCTOU races.
|
2019-06-23 15:51:53 -04:00
|
|
|
|
2021-01-11 21:17:13 -05:00
|
|
|
* Restricts the SysRq key so it can only be used for shutdowns and the
|
|
|
|
Secure Attention Key.
|
|
|
|
|
|
|
|
* The kernel is only allowed to swap if it is absolutely necessary. This
|
|
|
|
prevents writing potentially sensitive contents of memory to disk.
|
|
|
|
|
|
|
|
* TCP timestamps are disabled as it can allow detecting the system time.
|
2020-02-15 15:28:30 -05:00
|
|
|
|
2021-01-11 21:17:13 -05:00
|
|
|
### Boot parameters
|
2019-06-23 15:51:53 -04:00
|
|
|
|
2021-01-11 21:17:13 -05:00
|
|
|
Boot parameters are configured via the `/etc/modprobe.d/30_security-misc.conf`
|
|
|
|
configuration file.
|
2019-10-14 06:10:08 -04:00
|
|
|
|
2021-01-11 21:17:13 -05:00
|
|
|
* Slab merging is disabled which significantly increases the difficulty of
|
|
|
|
heap exploitation by preventing overwriting objects from merged caches and
|
|
|
|
by making it harder to influence slab cache layout.
|
2019-06-23 15:51:53 -04:00
|
|
|
|
2021-01-11 21:17:13 -05:00
|
|
|
* Sanity checks are enabled which add various checks to prevent corruption
|
|
|
|
in certain slab operations.
|
2019-12-23 03:57:36 -05:00
|
|
|
|
2021-01-11 21:17:13 -05:00
|
|
|
* Redzoning is enabled which adds extra areas around slabs that detect when
|
|
|
|
a slab is overwritten past its real size which can help detect overflows.
|
|
|
|
|
|
|
|
* Memory zeroing at allocation and free time is enabled to mitigate some
|
|
|
|
use-after-free vulnerabilities and erase sensitive information in memory.
|
|
|
|
|
|
|
|
* Page allocator freelist randomization is enabled.
|
2019-06-23 15:51:53 -04:00
|
|
|
|
2020-03-03 09:07:42 -05:00
|
|
|
* The machine check tolerance level is decreased which makes the kernel panic
|
2019-10-18 04:54:43 -04:00
|
|
|
on uncorrectable errors in ECC memory that could be exploited.
|
2019-06-23 15:51:53 -04:00
|
|
|
|
2019-07-15 09:03:30 -04:00
|
|
|
* Kernel Page Table Isolation is enabled to mitigate Meltdown and increase
|
2019-06-23 15:51:53 -04:00
|
|
|
KASLR effectiveness.
|
|
|
|
|
2021-01-11 21:17:13 -05:00
|
|
|
* vsyscalls are disabled as they are obsolete, are at fixed addresses and thus,
|
|
|
|
are a potential target for ROP.
|
2020-01-30 01:22:06 -05:00
|
|
|
|
2021-01-11 21:17:13 -05:00
|
|
|
* The kernel panics on oopses to thwart certain kernel exploits.
|
2019-07-15 09:03:30 -04:00
|
|
|
|
2021-01-11 21:17:13 -05:00
|
|
|
* All mitigations for known CPU vulnerabilities are enabled and SMT is
|
|
|
|
disabled.
|
|
|
|
|
|
|
|
* IOMMU is enabled to prevent DMA attacks.
|
|
|
|
|
|
|
|
### Blacklisted kernel modules
|
|
|
|
|
|
|
|
Certain kernel modules are blacklisted to reduce attack surface via the
|
|
|
|
`/etc/modprobe.d/30_security-misc.conf` configuration file.
|
|
|
|
|
|
|
|
* Deactivates Netfilter's connection tracking helper — this module
|
|
|
|
increases kernel attack surface by enabling superfluous functionality
|
|
|
|
such as IRC parsing in the kernel. Hence, this feature is disabled.
|
|
|
|
|
|
|
|
* Uncommon network protocols are blacklisted. This includes:
|
|
|
|
|
|
|
|
DCCP - Datagram Congestion Control Protocol
|
|
|
|
|
|
|
|
SCTP - Stream Control Transmission Protocol
|
|
|
|
|
|
|
|
RDS - Reliable Datagram Sockets
|
|
|
|
|
|
|
|
TIPC - Transparent Inter-process Communication
|
2019-07-15 09:03:30 -04:00
|
|
|
|
2021-01-11 21:17:13 -05:00
|
|
|
HDLC - High-Level Data Link Control
|
2019-06-23 15:51:53 -04:00
|
|
|
|
2021-01-11 21:17:13 -05:00
|
|
|
AX25 - Amateur X.25
|
2019-06-23 15:51:53 -04:00
|
|
|
|
2021-01-11 21:17:13 -05:00
|
|
|
NetRom
|
|
|
|
|
|
|
|
X25
|
|
|
|
|
|
|
|
ROSE
|
|
|
|
|
|
|
|
DECnet
|
|
|
|
|
|
|
|
Econet
|
|
|
|
|
|
|
|
af_802154 - IEEE 802.15.4
|
|
|
|
|
|
|
|
IPX - Internetwork Packet Exchange
|
|
|
|
|
|
|
|
AppleTalk
|
|
|
|
|
|
|
|
PSNAP - Subnetwork Access Protocol
|
|
|
|
|
|
|
|
p8023 - Novell raw IEEE 802.3
|
|
|
|
|
|
|
|
p8022 - IEEE 802.2
|
|
|
|
|
|
|
|
CAN — Controller Area Network
|
|
|
|
|
|
|
|
ATM
|
|
|
|
|
|
|
|
* Bluetooth is also blacklisted to reduce attack surface. Bluetooth has
|
2019-08-16 12:05:25 -04:00
|
|
|
a history of security concerns.
|
2019-08-16 11:57:30 -04:00
|
|
|
|
2021-01-11 21:17:13 -05:00
|
|
|
* The Thunderbolt and FireWire kernel modules are blacklisted as they are
|
|
|
|
often vulnerable to DMA attacks.
|
|
|
|
|
|
|
|
* The vivid kernel module is only required for testing and has been the cause
|
|
|
|
of multiple vulnerabilities so it is blacklisted.
|
2019-10-05 05:39:05 -04:00
|
|
|
|
2019-12-23 02:09:04 -05:00
|
|
|
* The MSR kernel module is blacklisted to prevent CPU MSRs from being
|
|
|
|
abused to write to arbitrary memory.
|
|
|
|
|
2021-01-11 21:17:13 -05:00
|
|
|
### Other
|
2019-12-23 03:57:36 -05:00
|
|
|
|
2021-01-11 21:17:13 -05:00
|
|
|
* A systemd service clears the System.map file on boot as these contain kernel
|
|
|
|
pointers. The file is completely overwritten with zeroes to ensure it cannot
|
|
|
|
be recovered. See:
|
|
|
|
|
|
|
|
`/etc/kernel/postinst.d/30_remove-system-map`
|
|
|
|
|
|
|
|
`/lib/systemd/system/remove-system-map.service`
|
|
|
|
|
2021-08-03 12:56:31 -04:00
|
|
|
`/usr/libexec/security-misc/remove-system.map`
|
2021-01-11 21:17:13 -05:00
|
|
|
|
|
|
|
* Coredumps are disabled as they may contain important information such as
|
|
|
|
encryption keys or passwords. See:
|
|
|
|
|
|
|
|
`/etc/security/limits.d/30_security-misc.conf`
|
|
|
|
|
|
|
|
`/etc/sysctl.d/30_security-misc.conf`
|
2019-12-23 03:57:36 -05:00
|
|
|
|
2021-01-11 21:17:13 -05:00
|
|
|
`/lib/systemd/coredump.conf.d/30_security-misc.conf`
|
2020-01-11 15:17:06 -05:00
|
|
|
|
2020-02-25 02:08:10 -05:00
|
|
|
* An initramfs hook sets the sysctl values in `/etc/sysctl.conf` and
|
|
|
|
`/etc/sysctl.d` before init is executed so sysctl hardening is enabled
|
2020-01-17 03:10:56 -05:00
|
|
|
as early as possible.
|
2020-01-15 10:08:57 -05:00
|
|
|
|
2021-01-11 21:17:13 -05:00
|
|
|
## Network hardening
|
2020-01-14 09:18:30 -05:00
|
|
|
|
2021-01-11 21:17:13 -05:00
|
|
|
* TCP syncookies are enabled to prevent SYN flood attacks.
|
|
|
|
|
|
|
|
* ICMP redirect acceptance, ICMP redirect sending, source routing and
|
|
|
|
IPv6 router advertisements are disabled to prevent man-in-the-middle attacks.
|
|
|
|
|
|
|
|
* The kernel is configured to ignore all ICMP requests to avoid Smurf attacks,
|
|
|
|
make the device more difficult to enumerate on the network and prevent clock
|
|
|
|
fingerprinting through ICMP timestamps.
|
2020-02-15 15:28:30 -05:00
|
|
|
|
2021-01-11 21:17:13 -05:00
|
|
|
* RFC1337 is enabled to protect against time-wait assassination attacks by
|
|
|
|
dropping RST packets for sockets in the time-wait state.
|
2020-02-15 15:28:30 -05:00
|
|
|
|
2021-01-11 21:17:13 -05:00
|
|
|
* Reverse path filtering is enabled to prevent IP spoofing and mitigate
|
|
|
|
vulnerabilities such as CVE-2019-14899.
|
2020-03-03 09:07:42 -05:00
|
|
|
|
2021-01-11 21:17:13 -05:00
|
|
|
## Entropy collection improvements
|
2019-11-23 09:06:28 -05:00
|
|
|
|
2021-01-11 21:17:13 -05:00
|
|
|
* The `jitterentropy_rng` kernel module is loaded as early as possible
|
|
|
|
during boot to gather more entropy via the
|
|
|
|
`/usr/lib/modules-load.d/30_security-misc.conf` configuration file.
|
2019-11-23 09:06:28 -05:00
|
|
|
|
2019-12-06 09:30:05 -05:00
|
|
|
* Distrusts the CPU for initial entropy at boot as it is not possible to
|
2021-01-11 21:17:13 -05:00
|
|
|
audit, may contain weaknesses or a backdoor. For references, see:
|
|
|
|
`/etc/default/grub.d/40_distrust_cpu.cfg`
|
2020-02-25 02:08:10 -05:00
|
|
|
|
|
|
|
* Gathers more entropy during boot if using the linux-hardened kernel patch.
|
2019-12-06 09:30:05 -05:00
|
|
|
|
2021-01-11 21:17:13 -05:00
|
|
|
## Restrictive mount options
|
2019-12-06 09:30:05 -05:00
|
|
|
|
2021-01-12 03:24:11 -05:00
|
|
|
Not enabled by default yet. In development. Help welcome.
|
|
|
|
|
|
|
|
https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/
|
|
|
|
|
2021-01-11 21:17:13 -05:00
|
|
|
`/home`, `/tmp`, `/dev/shm` and `/run` are remounted with the `nosuid` and `nodev`
|
|
|
|
mount options to prevent execution of setuid or setgid binaries and creation of
|
|
|
|
devices on those filesystems.
|
2019-07-13 12:29:10 -04:00
|
|
|
|
2021-01-11 21:17:13 -05:00
|
|
|
Optionally, they can also be mounted with `noexec` to prevent execution of any
|
|
|
|
binary. To opt-in to applying `noexec`, execute `touch /etc/noexec` as root
|
|
|
|
and reboot.
|
2019-07-13 12:29:10 -04:00
|
|
|
|
2021-01-11 21:17:13 -05:00
|
|
|
To disable this, execute `touch /etc/remount-disable` as root.
|
2019-07-13 12:29:10 -04:00
|
|
|
|
2021-01-11 21:17:13 -05:00
|
|
|
Alternatively, file `/usr/local/etc/remount-disable` or `/usr/local/etc/noexec`
|
|
|
|
could be used.
|
2019-07-13 12:29:10 -04:00
|
|
|
|
2021-01-11 21:17:13 -05:00
|
|
|
## Root access restrictions
|
2019-07-13 12:29:10 -04:00
|
|
|
|
2019-07-31 11:15:30 -04:00
|
|
|
* `su` is restricted to only users within the group `sudo` which prevents
|
2021-01-11 21:17:13 -05:00
|
|
|
users from using `su` to gain root access or to switch user accounts —
|
2020-02-25 02:08:10 -05:00
|
|
|
`/usr/share/pam-configs/wheel-security-misc`
|
2021-01-11 21:17:13 -05:00
|
|
|
(which results in a change in file `/etc/pam.d/common-auth`).
|
2019-07-31 11:15:30 -04:00
|
|
|
|
2021-01-11 21:17:13 -05:00
|
|
|
* Add user `root` to group `sudo`. This is required due to the above restriction so
|
|
|
|
that logging in from a virtual console is still possible — `debian/security-misc.postinst`
|
2019-07-31 11:15:30 -04:00
|
|
|
|
2021-01-11 21:17:13 -05:00
|
|
|
* Abort login for users with locked passwords —
|
2021-08-03 12:56:31 -04:00
|
|
|
`/usr/libexec/security-misc/pam-abort-on-locked-password`.
|
2019-08-17 06:53:45 -04:00
|
|
|
|
2019-07-17 17:06:17 -04:00
|
|
|
* Logging into the root account from a virtual, serial, whatnot console is
|
2021-01-11 21:17:13 -05:00
|
|
|
prevented by shipping an existing and empty `/etc/securetty` file
|
|
|
|
(deletion of `/etc/securetty` has a different effect).
|
2019-08-15 11:08:48 -04:00
|
|
|
|
2021-01-11 21:17:13 -05:00
|
|
|
This package does not yet automatically lock the root account password. It
|
|
|
|
is not clear if this would be sane in such a package although, it is recommended
|
|
|
|
to lock and expire the root account.
|
2019-08-15 11:08:48 -04:00
|
|
|
|
2019-07-17 17:06:17 -04:00
|
|
|
In new Whonix builds, root account will be locked by package
|
2020-04-08 08:30:05 -04:00
|
|
|
dist-base-files.
|
2021-01-11 21:17:13 -05:00
|
|
|
|
|
|
|
See:
|
|
|
|
|
|
|
|
* https://www.whonix.org/wiki/Root
|
|
|
|
* https://www.whonix.org/wiki/Dev/Permissions
|
|
|
|
* https://forums.whonix.org/t/restrict-root-access/7658
|
|
|
|
|
2019-07-17 17:06:17 -04:00
|
|
|
However, a locked root password will break rescue and emergency shell.
|
2021-01-11 21:17:13 -05:00
|
|
|
Therefore, this package enables passwordless rescue and emergency shell.
|
2020-02-25 02:08:10 -05:00
|
|
|
This is the same solution that Debian will likely adapt for Debian
|
2021-01-11 21:17:13 -05:00
|
|
|
installer: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211
|
|
|
|
|
|
|
|
See:
|
|
|
|
|
|
|
|
* `/etc/systemd/system/emergency.service.d/override.conf`
|
|
|
|
* `/etc/systemd/system/rescue.service.d/override.conf`
|
|
|
|
|
2019-07-17 17:06:17 -04:00
|
|
|
Adverse security effects can be prevented by setting up BIOS password
|
2021-01-11 21:17:13 -05:00
|
|
|
protection, GRUB password protection and/or full disk encryption.
|
2019-07-17 17:06:17 -04:00
|
|
|
|
2021-01-11 21:17:13 -05:00
|
|
|
## Console lockdown
|
|
|
|
|
|
|
|
This uses pam_access to allow members of group `console` to use console but
|
|
|
|
restrict everyone else (except members of group `console-unrestricted`) from
|
|
|
|
using console with ancient, unpopular login methods such as `/bin/login`
|
|
|
|
over networks as this might be exploitable. (CVE-2001-0797)
|
|
|
|
|
|
|
|
This is not enabled by default in this package since this package does not
|
|
|
|
know which users shall be added to group 'console' and thus, would break console.
|
|
|
|
|
|
|
|
See:
|
|
|
|
|
|
|
|
* `/usr/share/pam-configs/console-lockdown-security-misc`
|
|
|
|
* `/etc/security/access-security-misc.conf`
|
|
|
|
|
|
|
|
## Brute force attack protection
|
|
|
|
|
2021-08-10 15:11:01 -04:00
|
|
|
User accounts are locked after 50 failed login attempts using `pam_faillock`.
|
2021-01-11 21:17:13 -05:00
|
|
|
|
|
|
|
Informational output during Linux PAM:
|
|
|
|
|
|
|
|
* Show failed and remaining password attempts.
|
|
|
|
* Document unlock procedure if Linux user account got locked.
|
|
|
|
* Point out that there is no password feedback for `su`.
|
|
|
|
* Explain locked root account if locked.
|
|
|
|
|
|
|
|
See:
|
|
|
|
|
|
|
|
* `/usr/share/pam-configs/tally2-security-misc`
|
2021-08-10 15:11:01 -04:00
|
|
|
* `/usr/libexec/security-misc/pam-info`
|
2021-08-03 12:56:31 -04:00
|
|
|
* `/usr/libexec/security-misc/pam-abort-on-locked-password`
|
2020-04-09 05:45:29 -04:00
|
|
|
|
2021-01-11 21:17:13 -05:00
|
|
|
## Access rights restrictions
|
|
|
|
|
|
|
|
### Strong user account separation
|
|
|
|
|
|
|
|
Read, write and execute access for "others" are removed during package
|
|
|
|
installation, upgrade or PAM `mkhomedir` for all users who have home
|
|
|
|
folders in `/home` by running, for example:
|
|
|
|
|
|
|
|
```
|
|
|
|
chmod o-rwx /home/user
|
|
|
|
```
|
|
|
|
|
|
|
|
This will be done only once per folder in `/home` so users who wish to
|
|
|
|
relax file permissions are free to do so. This is to protect files in a
|
|
|
|
home folder that were previously created with lax file permissions prior
|
|
|
|
to the installation of this package.
|
|
|
|
|
|
|
|
See:
|
|
|
|
|
|
|
|
* `debian/security-misc.postinst`
|
2021-08-03 12:56:31 -04:00
|
|
|
* `/usr/libexec/security-misc/permission-lockdown`
|
2021-01-11 21:17:13 -05:00
|
|
|
* `/usr/share/pam-configs/mkhomedir-security-misc`
|
|
|
|
|
|
|
|
### SUID / SGID removal and permission hardening
|
|
|
|
|
2021-01-12 03:24:11 -05:00
|
|
|
Not enabled by default yet.
|
|
|
|
|
2021-01-11 21:17:13 -05:00
|
|
|
A systemd service removes SUID / SGID bits from non-essential binaries as
|
|
|
|
these are often used in privilege escalation attacks. It is disabled by
|
|
|
|
default for now during testing and can optionally be enabled by running
|
|
|
|
`systemctl enable permission-hardening.service` as root.
|
|
|
|
|
|
|
|
See:
|
|
|
|
|
2021-08-03 12:56:31 -04:00
|
|
|
* `/usr/libexec/security-misc/permission-hardening`
|
2021-01-11 21:17:13 -05:00
|
|
|
* `/lib/systemd/system/permission-hardening.service`
|
|
|
|
* `/etc/permission-hardening.d`
|
|
|
|
* https://forums.whonix.org/t/disable-suid-binaries/7706
|
2021-01-12 03:24:11 -05:00
|
|
|
* https://www.whonix.org/wiki/SUID_Disabler_and_Permission_Hardener
|
2021-01-11 21:17:13 -05:00
|
|
|
|
|
|
|
### Access rights relaxations
|
|
|
|
|
2021-01-12 03:24:11 -05:00
|
|
|
This is not enabled yet because hidepid is not enabled by default.
|
|
|
|
|
2021-01-11 21:17:13 -05:00
|
|
|
Calls to `pkexec` are redirected to `lxqt-sudo` because `pkexec` is
|
|
|
|
incompatible with `hidepid=2`.
|
|
|
|
|
|
|
|
See:
|
|
|
|
|
|
|
|
* `/usr/bin/pkexec.security-misc`
|
|
|
|
* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040
|
|
|
|
* https://forums.whonix.org/t/cannot-use-pkexec/8129
|
|
|
|
|
|
|
|
## Application-specific hardening
|
|
|
|
|
2021-08-03 12:37:39 -04:00
|
|
|
* Enables "`apt-get --error-on=any`" which makes apt exit non-zero for
|
|
|
|
transient failures. — `/etc/apt/apt.conf.d/40error-on-any`.
|
2021-01-11 21:17:13 -05:00
|
|
|
* Enables APT seccomp-BPF sandboxing — `/etc/apt/apt.conf.d/40sandbox`.
|
2019-07-17 17:06:17 -04:00
|
|
|
* Deactivates previews in Dolphin.
|
2021-01-11 21:17:13 -05:00
|
|
|
* Deactivates previews in Nautilus —
|
|
|
|
`/usr/share/glib-2.0/schemas/30_security-misc.gschema.override`.
|
2019-07-17 17:06:17 -04:00
|
|
|
* Deactivates thumbnails in Thunar.
|
2021-01-11 21:17:13 -05:00
|
|
|
* Displays domain names in punycode (`network.IDN_show_punycode`) in
|
|
|
|
Thunderbird to prevent IDN homograph attacks (a form of phishing).
|
2020-04-06 13:22:32 -04:00
|
|
|
* Security and privacy enhancements for gnupg's config file
|
|
|
|
`/etc/skel/.gnupg/gpg.conf`. See also:
|
2021-01-11 21:17:13 -05:00
|
|
|
|
2020-04-06 13:22:32 -04:00
|
|
|
https://raw.github.com/ioerror/torbirdy/master/gpg.conf
|
2021-01-11 21:17:13 -05:00
|
|
|
|
2020-04-06 13:22:32 -04:00
|
|
|
https://github.com/ioerror/torbirdy/pull/11
|
2019-09-15 10:07:50 -04:00
|
|
|
|
2021-01-11 21:17:13 -05:00
|
|
|
## Opt-in hardening
|
|
|
|
|
|
|
|
Some hardening is opt-in as it causes too much breakage to be enabled by
|
|
|
|
default.
|
|
|
|
|
|
|
|
* TCP SACK can be disabled as it is commonly exploited and is rarely used by
|
|
|
|
uncommenting settings in the `/etc/sysctl.d/30_security-misc.conf`
|
|
|
|
configuration file.
|
|
|
|
|
|
|
|
* An optional systemd service mounts `/proc` with `hidepid=2` at boot to
|
|
|
|
prevent users from seeing another user's processes. This is disabled by
|
|
|
|
default because it is incompatible with `pkexec`. It can be enabled by
|
|
|
|
executing `systemctl enable proc-hidepid.service` as root.
|
|
|
|
|
|
|
|
* A systemd service restricts `/proc/cpuinfo`, `/proc/bus`, `/proc/scsi` and
|
|
|
|
`/sys` to the root user. This hides a lot of hardware identifiers from
|
|
|
|
unprivileged users and increases security as `/sys` exposes a lot of
|
|
|
|
information that shouldn't be accessible to unprivileged users. As this will
|
|
|
|
break many things, it is disabled by default and can optionally be enabled by
|
|
|
|
executing `systemctl enable hide-hardware-info.service` as root.
|
|
|
|
|
2021-08-17 15:23:49 -04:00
|
|
|
## miscellaneous
|
|
|
|
|
|
|
|
* hardened malloc compatibility for haveged workaround
|
|
|
|
`/lib/systemd/system/haveged.service.d/30_security-misc.conf`
|
|
|
|
|
2021-01-11 21:17:13 -05:00
|
|
|
## Related
|
2019-12-16 06:24:14 -05:00
|
|
|
|
2020-02-29 04:59:15 -05:00
|
|
|
* Linux Kernel Runtime Guard (LKRG)
|
2019-12-16 06:24:14 -05:00
|
|
|
* tirdad - TCP ISN CPU Information Leak Protection.
|
|
|
|
* Whonix ™ - Anonymous Operating System
|
|
|
|
* Kicksecure ™ - A Security-hardened, Non-anonymous Linux Distribution
|
|
|
|
* And more.
|
|
|
|
* https://www.whonix.org/wiki/Linux_Kernel_Runtime_Guard_LKRG
|
|
|
|
* https://github.com/Whonix/tirdad
|
|
|
|
* https://www.whonix.org
|
|
|
|
* https://www.whonix.org/wiki/Kicksecure
|
|
|
|
* https://github.com/Whonix
|
|
|
|
|
2021-01-11 21:17:13 -05:00
|
|
|
## Discussion
|
2019-09-15 10:07:50 -04:00
|
|
|
|
|
|
|
Happening primarily in Whonix forums.
|
2021-01-11 21:17:13 -05:00
|
|
|
|
2019-09-15 10:07:50 -04:00
|
|
|
https://forums.whonix.org/t/kernel-hardening/7296
|
2021-01-11 21:17:13 -05:00
|
|
|
|
|
|
|
## How to install `security-misc`
|
2015-12-14 21:00:24 -05:00
|
|
|
|
2020-07-29 06:30:07 -04:00
|
|
|
See https://www.whonix.org/wiki/Security-misc#install
|
2015-12-14 21:00:24 -05:00
|
|
|
|
2021-01-11 21:17:13 -05:00
|
|
|
## How to Build deb Package from Source Code
|
2015-12-14 21:00:24 -05:00
|
|
|
|
2020-04-02 07:22:47 -04:00
|
|
|
Can be build using standard Debian package build tools such as:
|
|
|
|
|
|
|
|
```
|
|
|
|
dpkg-buildpackage -b
|
|
|
|
```
|
|
|
|
|
2020-04-15 14:05:37 -04:00
|
|
|
See instructions. (Replace `generic-package` with the actual name of this package `security-misc`.)
|
|
|
|
|
|
|
|
* **A)** [easy](https://www.whonix.org/wiki/Dev/Build_Documentation/generic-package/easy), _OR_
|
|
|
|
* **B)** [including verifying software signatures](https://www.whonix.org/wiki/Dev/Build_Documentation/generic-package)
|
2015-12-14 21:00:24 -05:00
|
|
|
|
2021-01-11 21:17:13 -05:00
|
|
|
## Contact
|
2015-12-14 21:00:24 -05:00
|
|
|
|
2018-08-20 17:18:37 -04:00
|
|
|
* [Free Forum Support](https://forums.whonix.org)
|
|
|
|
* [Professional Support](https://www.whonix.org/wiki/Professional_Support)
|
2015-12-14 21:00:24 -05:00
|
|
|
|
2021-01-11 21:17:13 -05:00
|
|
|
## Donate
|
2015-12-14 21:00:24 -05:00
|
|
|
|
2019-05-24 12:29:08 -04:00
|
|
|
`security-misc` requires [donations](https://www.whonix.org/wiki/Donate) to stay alive!
|