## Copyright (C) 2012 - 2020 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.

Source: security-misc
Section: misc
Priority: optional
Maintainer: Patrick Schleizer <adrelanos@riseup.net>
Build-Depends: debhelper (>= 12), config-package-dev, dh-apparmor
Homepage: https://github.com/Whonix/security-misc
Vcs-Browser: https://github.com/Whonix/security-misc
Vcs-Git: https://github.com/Whonix/security-misc.git
Standards-Version: 4.3.0

Package: security-misc
Architecture: all
Depends: python3, libglib2.0-bin, libpam-runtime, sudo, adduser, libcap2-bin,
 apparmor-profile-dist, helper-scripts, ${misc:Depends}
Replaces: tcp-timestamps-disable, anon-gpg-tweaks, swappiness-lowest
Description: enhances misc security settings
Inspired by the Kernel Self Protection Project (KSPP).
.
* Implements most, if not all, of the Linux kernel settings (sysctl) and
kernel parameters recommended by KSPP.
.
* https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project
.
kernel hardening:
.
* Deactivates Netfilter's automatic connection tracking helper assignment.
Connection tracking helpers parse application-layer protocols such as IRC
inside the kernel, which adds superfluous code to the kernel's attack
surface. Hence this package disables the feature by shipping the
`/etc/modprobe.d/30_security-misc.conf` configuration file.
.
* Kernel symbols in various files in `/proc` are hidden
(`kernel.kptr_restrict`), as leaked kernel addresses defeat KASLR and are
very useful for kernel exploits.
.
* Kexec is disabled, as it can be used to load a malicious kernel from a
running system.
`/etc/modprobe.d/30_security-misc.conf`
.
* ASLR effectiveness for mmap is increased by raising the number of random
bits (`vm.mmap_rnd_bits`, `vm.mmap_rnd_compat_bits`).
.
* The TCP/IP stack is hardened by disabling ICMP redirect acceptance,
ICMP redirect sending and source routing to prevent man-in-the-middle
attacks, ignoring all ICMP echo requests, enabling TCP syncookies to
mitigate SYN flood attacks, enabling RFC 1337 behaviour
(`net.ipv4.tcp_rfc1337`) to protect against TIME-WAIT assassination
attacks and enabling reverse path filtering (`rp_filter`) to prevent IP
spoofing and mitigate vulnerabilities such as CVE-2019-14899.
.
* Avoids unintentional writes to attacker-controlled files
(`fs.protected_fifos`, `fs.protected_regular`).
.
* Prevents symlink/hardlink TOCTOU races (`fs.protected_symlinks`,
`fs.protected_hardlinks`).
.
* SACK can be disabled, as it has a history of remotely triggerable kernel
bugs, by uncommenting the corresponding settings in
`/etc/sysctl.d/30_security-misc.conf`. It is left enabled by default
because disabling it costs throughput on lossy links.
.
* Slab merging is disabled (`slab_nomerge`), as a merged slab can let an
attacker reach a vulnerable object from one cache through allocations
made in another.
.
* Sanity checks and redzoning are enabled (`slub_debug=FZ`).
.
* Memory zeroing at allocation and free time is enabled (`init_on_alloc=1`,
`init_on_free=1`).
.
* The machine check tolerance level is decreased (`mce=0`) so that the
kernel panics on uncorrectable errors in ECC memory that could otherwise
be exploited.
.
* Kernel Page Table Isolation is enabled (`pti=on`) to mitigate Meltdown and
increase KASLR effectiveness.
.
* Enables all mitigations for CPU vulnerabilities and disables SMT
(hyper-threading). Expect a performance cost, especially from disabling
SMT.
.
* A systemd service removes System.map on boot, as it contains kernel
symbols that could be useful to an attacker.
`/etc/kernel/postinst.d/30_remove-system-map`
`/lib/systemd/system/remove-system-map.service`
`/usr/lib/security-misc/remove-system.map`
.
* Coredumps are disabled, as they may contain sensitive information such as
encryption keys or passwords.
`/etc/security/limits.d/30_security-misc.conf`
`/etc/sysctl.d/30_security-misc.conf`
`/lib/systemd/coredump.conf.d/30_security-misc.conf`
.
* The thunderbolt and firewire kernel modules are blacklisted, as they can be
used for DMA (Direct Memory Access) attacks. (This also disables legitimate
Thunderbolt and FireWire devices.)
.
* The IOMMU is enabled with a boot parameter to prevent DMA attacks.
.
* Bluetooth is blacklisted to reduce attack surface. Bluetooth also has a
history of security concerns.
https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
`/etc/modprobe.d/30_security-misc.conf`
.
* A systemd service restricts `/proc/cpuinfo`, `/proc/bus`, `/proc/scsi` and
`/sys` to the root user only. This hides many hardware identifiers from
unprivileged users and increases security, as `/sys` exposes a lot of
information that should not be accessible to unprivileged users. As this
breaks many things, it is disabled by default and can optionally be enabled
by running `systemctl enable hide-hardware-info.service` as root.
`/usr/lib/security-misc/hide-hardware-info`
`/lib/systemd/system/hide-hardware-info.service`
`/lib/systemd/system/user@.service.d/sysfs.conf`
`/etc/hide-hardware-info.d/30_default.conf`
.
* The MSR kernel module is blacklisted to prevent CPU model-specific
registers from being abused to write to arbitrary memory.
.
* Vsyscalls are disabled (`vsyscall=none`), as they are obsolete, sit at a
fixed address and are a target for ROP.
.
* Page allocator freelist randomization is enabled (`page_alloc.shuffle=1`).
.
* The vivid kernel module is blacklisted, as it is only required for testing
and has been the cause of multiple vulnerabilities.
.
* An initramfs hook sets the sysctl values in `/etc/sysctl.conf` and
`/etc/sysctl.d` before init is executed, so sysctl hardening is enabled
as early as possible.
.
* The kernel panics on oopses (`kernel.panic_on_oops`) to prevent it from
continuing to run a flawed process and to deter brute forcing of exploits.
The trade-off is that any oops, including one from a benign driver bug,
now halts the machine.
.
* Restricts the SysRq key (`kernel.sysrq=132`) so it can only be used for
shutdowns and the Secure Attention Key.
.
* Restricts loading line disciplines to `CAP_SYS_MODULE`
(`dev.tty.ldisc_autoload=0`).
.
* Restricts the `userfaultfd()` syscall to root
(`vm.unprivileged_userfaultfd=0`).
.
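The sysctl settings listed above only hold if no later drop-in overrides them. The following is an added example (not code from the security-misc package) that models the merge rules of systemd-sysctl(8): all `*.conf` files from the search directories are collected, a file in an earlier directory hides a file of the same basename in a later one, the survivors are applied in lexical order of basename, and for a key set more than once the last write wins. The sample files are constructed for the example; `EXPECTED` is this example's own shortlist of values the description says the package sets, not the package's full file.

```python
"""Resolve effective sysctl values from a set of sysctl.d drop-ins.

Added example; not code from the security-misc package.  Consequence for
hardening shown below: /etc/sysctl.d/99-sysctl.conf (on Debian a symlink to
/etc/sysctl.conf) or any 9x-*.conf silently overrides 30_security-misc.conf.
"""
import glob
import os
from typing import Dict, List, Optional, Tuple

# systemd-sysctl search order; an earlier directory wins on identical names.
SEARCH_DIRS = ["/etc/sysctl.d", "/run/sysctl.d", "/usr/local/lib/sysctl.d",
               "/usr/lib/sysctl.d", "/lib/sysctl.d"]

# Constructed sample, not the real package files.  10-local.conf and
# 99-sysctl.conf stand in for a local administrator's changes.
SAMPLE_FILES: Dict[str, str] = {
    "/usr/lib/sysctl.d/30_security-misc.conf":
        "# vendor copy, hidden by the file of the same name in /etc\n"
        "net.ipv4.tcp_timestamps = 0\n",
    "/etc/sysctl.d/30_security-misc.conf": (
        "kernel.kptr_restrict = 2\n"
        "kernel.dmesg_restrict = 1\n"
        "net.ipv4.tcp_timestamps = 0\n"
        "net.ipv4.conf.all.rp_filter = 1\n"
        "net.ipv4.tcp_syncookies = 1\n"
        "#net.ipv4.tcp_sack = 0\n"            # opt-in, left commented out
    ),
    "/etc/sysctl.d/10-local.conf": "kernel.dmesg_restrict = 0\n",    # applied before 30_, harmless
    "/etc/sysctl.d/99-sysctl.conf": "net.ipv4.tcp_timestamps = 1\n",  # applied last, wins
}

EXPECTED: Dict[str, str] = {
    "kernel.kptr_restrict": "2",
    "kernel.dmesg_restrict": "1",
    "net.ipv4.tcp_timestamps": "0",
    "net.ipv4.conf.all.rp_filter": "1",
    "net.ipv4.tcp_sack": "0",
}


def parse_sysctl(text: str) -> List[Tuple[str, str]]:
    """Parse `key = value` lines.  '#' or ';' starts a comment; a leading '-'
    marks a key whose failure to apply is ignored.  Slash-separated keys are
    normalised to dotted form (interface names containing dots are not handled)."""
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        pairs.append((key.strip().lstrip("-").replace("/", "."), value.strip()))
    return pairs


def effective_values(files: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """files maps path -> content.  Returns key -> (value, file that set it last)."""
    winner: Dict[str, Tuple[int, str]] = {}          # basename -> (dir rank, path)
    for path in files:
        directory, name = os.path.split(path)
        rank = SEARCH_DIRS.index(directory) if directory in SEARCH_DIRS else len(SEARCH_DIRS)
        if name not in winner or rank < winner[name][0]:
            winner[name] = (rank, path)
    effective: Dict[str, Tuple[str, str]] = {}
    for name in sorted(winner):                      # lexical order of basename
        path = winner[name][1]
        for key, value in parse_sysctl(files[path]):
            effective[key] = (value, path)            # last write wins
    return effective


def audit(files: Dict[str, str],
          expected: Dict[str, str]) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Keys whose effective value differs from `expected`, mapped to
    (actual value, responsible file); (None, None) if the key is never set."""
    effective = effective_values(files)
    problems: Dict[str, Tuple[Optional[str], Optional[str]]] = {}
    for key, want in expected.items():
        got = effective.get(key)
        if got is None:
            problems[key] = (None, None)
        elif got[0] != want:
            problems[key] = got
    return problems


def load_from_disk() -> Dict[str, str]:
    """Collect the running host's drop-ins, for audit(load_from_disk(), EXPECTED)."""
    files: Dict[str, str] = {}
    for directory in SEARCH_DIRS:
        for path in glob.glob(os.path.join(directory, "*.conf")):
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    files[path] = fh.read()
            except OSError:
                pass
    return files


if __name__ == "__main__":
    for key, (value, path) in sorted(effective_values(SAMPLE_FILES).items()):
        print(f"{key:32} = {value:4} ({path})")
    print("deviations:", audit(SAMPLE_FILES, EXPECTED))
```

On the sample, the audit reports `net.ipv4.tcp_timestamps` as overridden by `99-sysctl.conf` and `net.ipv4.tcp_sack` as never set (it is commented out). Note that `sysctl --system` from procps applies `/etc/sysctl.conf` last outright, which gives the same practical result on Debian.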
Improve Entropy Collection
.
* Loads the `jitterentropy_rng` kernel module.
`/usr/lib/modules-load.d/30_security-misc.conf`
.
* Distrusts the CPU for initial entropy at boot (`random.trust_cpu=off`), as
the hardware RNG cannot be audited and may contain weaknesses or a backdoor.
* https://en.wikipedia.org/wiki/RDRAND#Reception
* https://twitter.com/pid_eins/status/1149649806056280069
* For more references, see:
* `/etc/default/grub.d/40_distrust_cpu.cfg`
.
* Gathers more entropy during boot if using the linux-hardened kernel patch.
.
Uncommon network protocols are blacklisted:
These are rarely used and may have unknown vulnerabilities.
`/etc/modprobe.d/30_security-misc.conf`
The network protocols that are blacklisted are:
.
* DCCP - Datagram Congestion Control Protocol
* SCTP - Stream Control Transmission Protocol
* RDS - Reliable Datagram Sockets
* TIPC - Transparent Inter-process Communication
* HDLC - High-Level Data Link Control
* AX25 - Amateur X.25
* NetRom
* X25
* ROSE
* DECnet
* Econet
* af_802154 - IEEE 802.15.4
* IPX - Internetwork Packet Exchange
* AppleTalk
* PSNAP - Subnetwork Access Protocol
* p8023 - Novell raw IEEE 802.3
* p8022 - IEEE 802.2
.
user restrictions:
.
* Remounts `/home`, `/tmp`, `/dev/shm` and `/run` with `nosuid,nodev`
(default) and `noexec` (opt-in). To disable this, run
`sudo touch /etc/remount-disable`. To opt in to `noexec`, run
`sudo touch /etc/noexec` and reboot (easiest).
Alternatively, file `/usr/local/etc/remount-disable` or file
`/usr/local/etc/noexec` can be used.
`/lib/systemd/system/remount-secure.service`
`/usr/lib/security-misc/remount-secure`
.
* An optional systemd service mounts `/proc` with `hidepid=2` at boot to
prevent users from seeing each other's processes. Not enabled by default
because it is incompatible with pkexec.
.
* The kernel logs are restricted to root only (`kernel.dmesg_restrict`).
.
* The BPF JIT compiler is restricted to the root user
(`kernel.unprivileged_bpf_disabled`) and is hardened
(`net.core.bpf_jit_harden`).
.
* The ptrace system call is restricted to the root user only
(`kernel.yama.ptrace_scope`).
.
restricts access to the root account:
.
* `su` is restricted to users within the group `sudo`, which prevents other
users from using `su` to gain root access or to switch user accounts.
`/usr/share/pam-configs/wheel-security-misc`
(Which results in a change in file `/etc/pam.d/common-auth`.)
.
* Adds user `root` to group `sudo`. This is required to make the above work
so that login as a user in a virtual console is still possible.
`debian/security-misc.postinst`
.
* Aborts login for users with locked passwords.
`/usr/lib/security-misc/pam-abort-on-locked-password`
.
* Logging into the root account from a virtual, serial or other console is
prevented by shipping an existing but empty `/etc/securetty`.
(Deleting `/etc/securetty` has the opposite effect: `pam_securetty`
treats a missing file as permitting root login on every tty.)
`/etc/securetty.security-misc`
.
* Console Lockdown.
Allows members of group 'console' to use the console.
Everyone else, except members of group 'console-unrestricted', is
prevented from using the console through ancient, unpopular login methods
such as `/bin/login` over networks, which might be exploitable
(CVE-2001-0797). Implemented using pam_access.
Not enabled by default in this package, since this package does not know
which users shall be added to group 'console' and would break the console.
`/usr/share/pam-configs/console-lockdown-security-misc`
`/etc/security/access-security-misc.conf`
.
Protect Linux user accounts against brute force attacks.
Locks user accounts after 50 failed login attempts using `pam_tally2`.
(Note: `pam_tally2` was removed from Linux-PAM in version 1.5.0 in favour
of `pam_faillock`.)
`/usr/share/pam-configs/tally2-security-misc`
.
informational output during Linux PAM:
.
* Shows failed and remaining password attempts.
* Documents the unlock procedure if a Linux user account got locked.
* Points out that there is no password feedback for `su`.
* Explains a locked (root) account if it is locked.
* `/usr/share/pam-configs/tally2-security-misc`
* `/usr/lib/security-misc/pam_tally2-info`
* `/usr/lib/security-misc/pam-abort-on-locked-password`
.
access rights restrictions:
.
* Strong Linux User Account Separation.
Removes read, write and execute access for others for all users who have
home folders under `/home` by running, for example,
"chmod o-rwx /home/user"
during package installation, upgrade or pam `mkhomedir`. This is done
only once per folder in `/home`, so users who wish to relax file
permissions are free to do so. This protects files in user home folders
that were created with lax file permissions prior to installation of this
package.
`debian/security-misc.postinst`
`/usr/lib/security-misc/permission-lockdown`
`/usr/share/pam-configs/mkhomedir-security-misc`
.
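The once-per-folder rule above is the part that is easy to get wrong: a naive nightly `chmod o-rwx /home/*` would undo a user's deliberate choice. The following is an added example (not the package's own `permission-lockdown` script) that implements the described behaviour with one marker file per home directory in a state directory of the example's own choosing, skips symlinks so a user-controlled link under `/home` cannot redirect the chmod, and exercises itself on a constructed temporary tree.

```python
"""Once-only lockdown of home directories.

Added example; not the package's own `permission-lockdown` script.  Remove
read/write/execute for "others" from each directory under a home root
exactly once, recording handled directories in a state directory so that a
user who later relaxes the mode (chmod o+rx ~) is not overridden next run.
"""
import os
import stat
import tempfile
from typing import Dict, List

OTHER_BITS = stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH


def lockdown_homes(home_root: str, state_dir: str) -> List[str]:
    """Apply `chmod o-rwx` to every real directory directly under home_root that
    has no marker in state_dir yet; returns the directories changed this run."""
    os.makedirs(state_dir, exist_ok=True)
    changed: List[str] = []
    for name in sorted(os.listdir(home_root)):
        path = os.path.join(home_root, name)
        marker = os.path.join(state_dir, name)
        # Skip symlinks: chmod follows them, and a user-controlled link under
        # /home must not redirect the operation to some other directory.
        if os.path.islink(path) or not os.path.isdir(path):
            continue
        if os.path.exists(marker):
            continue                      # handled earlier; respect later changes
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        if mode & OTHER_BITS:
            os.chmod(path, mode & ~OTHER_BITS)
            changed.append(path)
        open(marker, "w").close()         # record even if nothing needed changing
    return changed


def other_bits(path: str) -> int:
    """The 'others' permission triplet of path as an integer 0..7."""
    return stat.S_IMODE(os.lstat(path).st_mode) & 0o007


def run_demo() -> Dict[str, int]:
    """Exercise the once-only rule on a throwaway tree (constructed input)."""
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "home")
        state = os.path.join(tmp, "state")
        alice = os.path.join(home, "alice")
        bob = os.path.join(home, "bob")
        for d in (alice, bob):
            os.makedirs(d)
            os.chmod(d, 0o755)            # the lax mode a default adduser leaves
        os.symlink(bob, os.path.join(home, "evil-link"))   # must be ignored
        first = lockdown_homes(home, state)
        alice_after_first = other_bits(alice)
        os.chmod(alice, 0o755)            # alice deliberately reopens her home
        second = lockdown_homes(home, state)
        return {
            "first_run_changed": len(first),
            "alice_after_first": alice_after_first,
            "second_run_changed": len(second),
            "alice_after_second": other_bits(alice),
            "bob_after_second": other_bits(bob),
        }


if __name__ == "__main__":
    print(run_demo())
```

The first run locks both homes; the second run changes nothing and leaves alice's reopened home at `o=rx`, which is exactly the "done once per folder" property. A real deployment also needs to handle the race between `listdir` and `chmod` (for example by operating on a directory file descriptor) and to call the same function from the `mkhomedir` hook when a new home is created.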
* SUID / SGID removal and permission hardening.
A systemd service removes the SUID / SGID bits from non-essential binaries,
as these are often used in privilege escalation attacks.
It is disabled by default for now during testing and can optionally be
enabled by running `systemctl enable permission-hardening.service` as root.
https://forums.whonix.org/t/disable-suid-binaries/7706
`/usr/lib/security-misc/permission-hardening`
`/lib/systemd/system/permission-hardening.service`
`/etc/permission-hardening.d/30_default.conf`
.
access rights relaxations:
.
Redirects calls for `pkexec` to `lxqt-sudo`, because `pkexec` is incompatible
with `hidepid`.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040
https://forums.whonix.org/t/cannot-use-pkexec/8129
`/usr/bin/pkexec.security-misc`
.
This package does not (yet) automatically lock the root account password.
It is not clear that this would be sane in such a package.
It is recommended to lock and expire the root account.
In new Whonix builds, the root account will be locked by package
dist-base-files.
https://www.whonix.org/wiki/Root
https://www.whonix.org/wiki/Dev/Permissions
https://forums.whonix.org/t/restrict-root-access/7658
However, a locked root password breaks the rescue and emergency shells.
Therefore this package enables passwordless rescue and emergency shells.
This is the same solution that Debian will likely adopt for the Debian
installer.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211
The adverse security effect (anyone who can select the rescue or emergency
target at boot gets a root shell) can be prevented by setting up BIOS
password protection, grub password protection and/or full disk encryption.
`/etc/systemd/system/emergency.service.d/override.conf`
`/etc/systemd/system/rescue.service.d/override.conf`
.
Lets the kernel swap only if it is absolutely necessary (`vm.swappiness`).
`/etc/sysctl.d/30_security-misc.conf`
.
Disables TCP Time Stamps:
.
TCP time stamps (RFC 1323, now RFC 7323) expose the sender's timestamp
clock with millisecond resolution. This may or may not allow an attacker
to learn information about the system clock at that resolution, depending
on factors such as network lag. The information is available to anyone who
monitors the network somewhere between the attacked system and the
destination server. It may allow an attacker to find out how long a given
system has been running, and to distinguish several systems running
behind NAT and using the same IP address. It might also allow one to look
for clocks that match an expected value to find the public IP used by a
user. (Since Linux 4.10 the kernel adds a random per-connection offset to
the timestamp value, which blunts uptime estimation but still leaves the
clock rate and the per-connection clock skew observable.)
.
Hence, this package disables this feature (`net.ipv4.tcp_timestamps=0`) by
shipping the `/etc/sysctl.d/30_security-misc.conf` configuration file.
.
Note that TCP time stamps normally have some usefulness. They are
needed for:
.
* the TCP protection against wrapped sequence numbers (PAWS); however, to
trigger a wrap, one needs to send roughly 2^32 bytes (4 GiB) of sequence
space within a segment lifetime of the order of a minute, and, as RFC 1700
says, "The current recommended default time to live (TTL) for the
Internet Protocol (IP) [45,105] is 64". So this probably won't be a
practical problem in the context of Anonymity Distributions.
* "Round-Trip Time Measurement", which is only useful when the user
manages to saturate their connection. When using Anonymity Distributions,
the limiting factor for transmission speed is rarely the capacity of the
user's connection.
.
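To make the leak above concrete, the following is an added example (not part of the security-misc package, with packet samples constructed rather than captured) of what a passive observer does with TSval: group packets from one public address into hosts whose TSval grows linearly with wall-clock time, estimate each host's timestamp clock rate, and derive an apparent uptime as TSval divided by rate. It generalizes the text slightly by also separating interleaved packets from two hosts behind one NAT address. The per-connection offset randomization in Linux 4.10 and later makes the uptime figure meaningless across connections on modern kernels; the rate and the linear fit still tell hosts apart, and disabling timestamps removes both signals.

```python
"""Fingerprint hosts behind one IP from TCP timestamp (TSval) samples.

Added example; not part of the security-misc package.  32-bit wrap of TSval
is not handled, and the uptime estimate assumes no random TSval offset
(pre-4.10 Linux or other stacks without it).
"""
from typing import Dict, List, Tuple

Sample = Tuple[float, int]           # (capture time in seconds, TSval)

PLAUSIBLE_RATES = (90.0, 1100.0)     # ticks/s: HZ=100 .. 1000 with slack
STANDARD_RATES = (100.0, 250.0, 300.0, 1000.0)

# Constructed capture: host A (1000 Hz clock, up 5 days) and host B (250 Hz
# clock, up 2 hours) share one NAT address; +/- a few ticks of network jitter.
SAMPLES: List[Sample] = [
    (0.0, 432_000_000), (0.2, 1_800_050), (0.5, 432_000_502), (0.6, 1_800_149),
    (1.0, 432_000_999), (1.2, 1_800_301), (1.5, 432_001_501), (1.8, 1_800_450),
    (2.0, 432_002_000),
]


def fit_rate(samples: List[Sample]) -> Tuple[float, float]:
    """Least-squares line TSval = rate * t + offset over one host's samples."""
    if len(samples) < 2:
        raise ValueError("need at least two packets to fit a clock")
    n = len(samples)
    mt = sum(t for t, _ in samples) / n
    mv = sum(v for _, v in samples) / n
    sxx = sum((t - mt) ** 2 for t, _ in samples)
    sxy = sum((t - mt) * (v - mv) for t, v in samples)
    rate = sxy / sxx
    return rate, mv - rate * mt


def cluster_hosts(samples: List[Sample], tol_ticks: float = 20.0) -> List[List[Sample]]:
    """Greedily split interleaved packets into per-host clusters: a packet joins
    the first cluster whose linear clock model predicts its TSval within
    tol_ticks (or, for a one-packet cluster, implies a plausible tick rate)."""
    clusters: List[List[Sample]] = []
    for t, v in sorted(samples):
        for cluster in clusters:
            if len(cluster) == 1:
                t0, v0 = cluster[0]
                implied = (v - v0) / (t - t0) if t != t0 else float("inf")
                fits = PLAUSIBLE_RATES[0] <= implied <= PLAUSIBLE_RATES[1]
            else:
                rate, offset = fit_rate(cluster)
                fits = abs(rate * t + offset - v) <= tol_ticks
            if fits:
                cluster.append((t, v))
                break
        else:
            clusters.append([(t, v)])
    return clusters


def fingerprint(cluster: List[Sample]) -> Dict[str, float]:
    """Clock rate (raw fit and snapped to a common HZ value) and apparent uptime
    in seconds at the time of the cluster's first packet."""
    raw_rate, _ = fit_rate(cluster)
    rate = min(STANDARD_RATES, key=lambda r: abs(r - raw_rate))
    first_tsval = cluster[0][1]
    return {"raw_rate": raw_rate, "rate": rate, "uptime_s": first_tsval / rate}


if __name__ == "__main__":
    for host in cluster_hosts(SAMPLES):
        fp = fingerprint(host)
        print(f"{len(host)} packets, clock {fp['rate']:.0f} Hz "
              f"(fit {fp['raw_rate']:.1f}), uptime ~{fp['uptime_s'] / 3600:.2f} h")
```

On the constructed capture the observer recovers two hosts: one with a 1000 Hz clock up for 120 hours and one with a 250 Hz clock up for two hours, which is precisely the "distinguish several systems behind NAT" and "how long a given system has been running" information the text describes.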
Application specific hardening:
.
* Enables APT seccomp-BPF sandboxing. `/etc/apt/apt.conf.d/40sandbox`
* Deactivates previews in Dolphin.
* Deactivates previews in Nautilus.
`/usr/share/glib-2.0/schemas/30_security-misc.gschema.override`
* Deactivates thumbnails in Thunar.
(Thumbnailers run complex file parsers on untrusted files.)
* Enables punycode display (`network.IDN_show_punycode`) by default in
Thunderbird to make phishing attacks more difficult: internationalized
domain names are shown in their raw `xn--` form instead of look-alike
Unicode characters, so a URL no longer hides its real domain name
(homograph attack).
* Security and privacy enhancements for gnupg's config file
`/etc/skel/.gnupg/gpg.conf`. See also:
https://raw.github.com/ioerror/torbirdy/master/gpg.conf
https://github.com/ioerror/torbirdy/pull/11
.
Want more? Look into these:
.
* Linux Kernel Runtime Guard (LKRG)
* tirdad - TCP ISN CPU Information Leak Protection.
* Whonix ™ - Anonymous Operating System
* Kicksecure ™ - A Security-hardened, Non-anonymous Linux Distribution
* SecBrowser ™ - A Security-hardened, Non-anonymous Browser
* And more.
* https://www.whonix.org/wiki/Linux_Kernel_Runtime_Guard_LKRG
* https://github.com/Whonix/tirdad
* https://www.whonix.org
* https://www.whonix.org/wiki/Kicksecure
* https://www.whonix.org/wiki/SecBrowser
* https://github.com/Whonix
.
Discussion:
.
Happening primarily in the Whonix forums.
https://forums.whonix.org/t/kernel-hardening/7296