From 39fd125eb0f0c16c8a64933bbd04709287a2686a Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Wed, 17 Jul 2024 21:44:44 +1000
Subject: [PATCH 1/2] Provide explanation on the disabling of IPv6 Privacy Extensions
---
 .../NetworkManager/conf.d/80_ipv6-privacy.conf | 8 ++++++++
 .../NetworkManager/conf.d/80_randomize-mac.conf | 8 ++++++++
 usr/lib/sysctl.d/990-security-misc.conf | 17 +++++++++++++++++
 .../80_ipv6-privacy-extensions.conf | 8 ++++++++
 4 files changed, 41 insertions(+)
diff --git a/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf b/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf
index bc2280c..0605c37 100644
--- a/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf
+++ b/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf
@@ -1,2 +1,10 @@
+## MAC randomisation breaks root server and VirtualBox DHCP likely due to IPv6 Privacy Extensions.
+##
+## https://datatracker.ietf.org/doc/html/rfc4941
+## https://github.com/Kicksecure/security-misc/pull/145
+## https://github.com/Kicksecure/security-misc/issues/184
+##
+## The use of IPv6 Privacy Extenstions is currently diasbled due to these breakages.
+
 #[connection]
 #ipv6.ip6-privacy=2
diff --git a/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf b/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf
index 428c0e2..04d0312 100644
--- a/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf
+++ b/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf
@@ -1,3 +1,11 @@
+## MAC randomisation breaks root server and VirtualBox DHCP likely due to IPv6 Privacy Extensions.
+##
+## https://datatracker.ietf.org/doc/html/rfc4941
+## https://github.com/Kicksecure/security-misc/pull/145
+## https://github.com/Kicksecure/security-misc/issues/184
+##
+## The use of IPv6 Privacy Extenstions is currently diasbled due to these breakages.
+
 #[device-mac-randomization]
 #wifi.scan-rand-mac-address=yes
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index 3cebc76..2235dfc 100644
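Review bot: The explanatory comment added at the top of 80_ipv6-privacy.conf misspells "Extenstions" and "diasbled" on its last line, and its first sentence leaves unclear which feature was observed to fail and which one is suspected as the cause; the same block is pasted verbatim into the 80_randomize-mac.conf, 990-security-misc.conf and 80_ipv6-privacy-extensions.conf hunks, so the fix applies to all four. I would rewrite the last line as `## The use of IPv6 Privacy Extensions is currently disabled due to these breakages.` and split the first sentence into observation and suspicion, e.g. `## DHCP on root servers and in VirtualBox has been observed to break when MAC randomisation is enabled, likely because of IPv6 Privacy Extensions.` Because the settings below stay commented out, this text is the only record an operator has of why privacy addresses are off on a hardened host, so it is worth being exact about what was disabled and on what evidence.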
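Review bot: The comment added to 80_randomize-mac.conf says that IPv6 Privacy Extensions are disabled, but the options commented out directly below it (`#[device-mac-randomization]` and `#wifi.scan-rand-mac-address=yes`) are the MAC randomisation ones, so the note never explains why this file's own settings are off. The closing line should say so explicitly, e.g. `## MAC randomisation is therefore also left disabled here until the linked issues are resolved.`, or the file should point the reader to 80_ipv6-privacy.conf for the rationale. Leaving the two files with identical text invites someone to re-enable MAC randomisation here on the assumption that only the IPv6 setting is affected.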
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -337,3 +337,20 @@ net.ipv4.tcp_timestamps=0
 ##
 #net.ipv4.conf.all.log_martians=1
 #net.ipv4.conf.default.log_martians=1
+
+## Enable IPv6 Privacy Extensions prefer temporary addresses over public addresses.
+## The temporary/privacy address is used as the source of all outgoing traffic.
+## Must be used in combination with /usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf.
+## Must be used in combination with /usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf.
+## Should be used with MAC randomisation in /usr/lib/NetworkManager/conf.d/80_randomize-mac.conf.
+##
+## MAC randomisation breaks root server and VirtualBox DHCP likely due to IPv6 Privacy Extensions.
+##
+## https://datatracker.ietf.org/doc/html/rfc4941
+## https://github.com/Kicksecure/security-misc/pull/145
+## https://github.com/Kicksecure/security-misc/issues/184
+##
+## The use of IPv6 Privacy Extenstions is currently diasbled due to these breakages.
+##
+#net.ipv6.conf.all.use_tempaddr=2
+#net.ipv6.conf.default.use_tempaddr=2
\ No newline at end of file
diff --git a/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf b/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf
index ad1e947..e53c635 100644
--- a/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf
+++ b/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf
@@ -1,2 +1,10 @@
+## MAC randomisation breaks root server and VirtualBox DHCP likely due to IPv6 Privacy Extensions.
+##
+## https://datatracker.ietf.org/doc/html/rfc4941
+## https://github.com/Kicksecure/security-misc/pull/145
+## https://github.com/Kicksecure/security-misc/issues/184
+##
+## The use of IPv6 Privacy Extenstions is currently diasbled due to these breakages.
+
 #[Network]
 #IPv6PrivacyExtensions=kernel
From 25fd532ce62399d5bb42d844ad32b5128eaf748d Mon Sep 17 00:00:00 2001
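Review bot: The first comment line added to 990-security-misc.conf is missing its conjunction: `## Enable IPv6 Privacy Extensions prefer temporary addresses over public addresses.` should read `## Enable IPv6 Privacy Extensions and prefer temporary addresses over public addresses.`, which is also what value 2 of use_tempaddr means (enabled, temporary address preferred). The hunk additionally drops the file's trailing newline — the diff ends with `\ No newline at end of file` after `#net.ipv6.conf.default.use_tempaddr=2`, whereas the log_martians context lines it appends to ended with one — so a final newline should be restored to keep the file consistent and safe for later appends. The cross-references to the networkd and NetworkManager drop-ins are the right idea; they are what makes the three-file dependency discoverable when someone audits this file alone.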
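Review bot: The comment added to 80_ipv6-privacy-extensions.conf does not mention that `IPv6PrivacyExtensions=kernel`, once uncommented, only defers to the kernel's own setting, so enabling this drop-in without the matching `use_tempaddr` lines in /usr/lib/sysctl.d/990-security-misc.conf would not turn privacy addresses on. The sysctl file in this same patch already states that it must be used together with this one; the reciprocal pointer belongs here too, e.g. `## Must be used in combination with /usr/lib/sysctl.d/990-security-misc.conf.` placed above the `#[Network]` section. Without it, an operator re-enabling only this file could believe temporary addresses are in use when they are not.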
From: Raja Grewal
Date: Wed, 17 Jul 2024 21:56:40 +1000
Subject: [PATCH 2/2] Update README.md relating to `sysctl`'s
---
 README.md | 24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)
diff --git a/README.md b/README.md
index 14d1a23..1a4efa6 100644
--- a/README.md
+++ b/README.md
@@ -36,8 +36,8 @@ space, user space, core dumps, and swap space.
 - Entirely disables the SysRq key so that the Secure Attention Key (SAK) can no longer be utilised. See [documentation](https://www.kicksecure.com/wiki/SysRq).
-- Provide option to disable unprivileged user namespaces as they can lead to
- privilege escalation.
+- Provide the option to disable unprivileged user namespaces as they can lead to
+ substantial privilege escalation.
 - Restrict kernel profiling and the performance events system to `CAP_PERFMON`.
@@ -46,8 +46,8 @@ space, user space, core dumps, and swap space.
 - Disable asynchronous I/O (when using Linux kernel version >= 6.6).
 - Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it
- enables programs to inspect and modify other active processes. Provide option
- to also entirely disable the use of `ptrace()` for all processes.
+ enables programs to inspect and modify other active processes. Provide the
+ option to also entirely disable the use of `ptrace()` for all processes.
 - Prevent hardlink and symlink TOCTOU races in world-writable directories.
@@ -82,13 +82,15 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6.
 - Do not accept IPv6 router advertisements and solicitations.
-- Provide option to disable SACK and DSACK as they have historically been a
- vector for exploitation.
+- Provide the option to disable SACK and DSACK as they have historically been
+ a known vector for exploitation.
 - Disable TCP timestamps as it can allow detecting the system time.
-- Provide option to log of packets with impossible source or destination
- addresses to enable inspection and further analysis.
+- Provide the option to log of packets with impossible source or destination
+ addresses to enable further inspection and analysis.
+
+- Provide the option to enable IPv6 Privacy Extensions.
 ### mmap ASLR
@@ -225,6 +227,12 @@ rather it is a form of badness enumeration.
 ## Network hardening
+Not yet due to issues:
+
+- https://github.com/Kicksecure/security-misc/pull/145
+
+- https://github.com/Kicksecure/security-misc/issues/184
+
 - Unlike version 4, IPv6 addresses can provide information not only about the originating network, but also the originating device. We prevent this from happening by enabling the respective privacy extensions for IPv6.