fixes https://github.com/Kicksecure/security-misc/issues/190
This commit is contained in:
Patrick Schleizer 2024-01-17 13:39:56 -05:00
parent 18a06935e0
commit 0efee2f50f
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
27 changed files with 65 additions and 66 deletions

View File

@ -5,6 +5,5 @@
bin/* bin/*
etc/* etc/*
lib/*
usr/* usr/*
var/* var/*

View File

@ -18,4 +18,4 @@ prereqs)
esac esac
. /usr/share/initramfs-tools/hook-functions . /usr/share/initramfs-tools/hook-functions
copy_exec /sbin/sysctl /sbin copy_exec /usr/sbin/sysctl /usr/sbin

View File

@ -14,78 +14,78 @@ options nf_conntrack nf_conntrack_helper=0
# #
## Now replaced by a privacy and security preserving default bluetooth configuration for better usability ## Now replaced by a privacy and security preserving default bluetooth configuration for better usability
# #
# install bluetooth /bin/disabled-bluetooth-by-security-misc # install bluetooth /usr/bin/disabled-bluetooth-by-security-misc
# install btusb /bin/disabled-bluetooth-by-security-misc # install btusb /usr/bin/disabled-bluetooth-by-security-misc
## Disable thunderbolt and firewire modules to prevent some DMA attacks ## Disable thunderbolt and firewire modules to prevent some DMA attacks
install thunderbolt /bin/disabled-thunderbolt-by-security-misc install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
install firewire-core /bin/disabled-firewire-by-security-misc install firewire-core /usr/bin/disabled-firewire-by-security-misc
install firewire_core /bin/disabled-firewire-by-security-misc install firewire_core /usr/bin/disabled-firewire-by-security-misc
install firewire-ohci /bin/disabled-firewire-by-security-misc install firewire-ohci /usr/bin/disabled-firewire-by-security-misc
install firewire_ohci /bin/disabled-firewire-by-security-misc install firewire_ohci /usr/bin/disabled-firewire-by-security-misc
install firewire_sbp2 /bin/disabled-firewire-by-security-misc install firewire_sbp2 /usr/bin/disabled-firewire-by-security-misc
install firewire-sbp2 /bin/disabled-firewire-by-security-misc install firewire-sbp2 /usr/bin/disabled-firewire-by-security-misc
install ohci1394 /bin/disabled-firewire-by-security-misc install ohci1394 /usr/bin/disabled-firewire-by-security-misc
install sbp2 /bin/disabled-firewire-by-security-misc install sbp2 /usr/bin/disabled-firewire-by-security-misc
install dv1394 /bin/disabled-firewire-by-security-misc install dv1394 /usr/bin/disabled-firewire-by-security-misc
install raw1394 /bin/disabled-firewire-by-security-misc install raw1394 /usr/bin/disabled-firewire-by-security-misc
install video1394 /bin/disabled-firewire-by-security-misc install video1394 /usr/bin/disabled-firewire-by-security-misc
## Disable CPU MSRs as they can be abused to write to arbitrary memory. ## Disable CPU MSRs as they can be abused to write to arbitrary memory.
## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode ## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode
install msr /bin/disabled-msr-by-security-misc install msr /usr/bin/disabled-msr-by-security-misc
## Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties. ## Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties.
## Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these. ## Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these.
## > Debian ships a long list of modules for wide support of devices, filesystems, protocols. Some of these modules have a pretty bad security track record, and some of those are simply not used by most of our users. ## > Debian ships a long list of modules for wide support of devices, filesystems, protocols. Some of these modules have a pretty bad security track record, and some of those are simply not used by most of our users.
## > Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record. ## > Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record.
install dccp /bin/disabled-network-by-security-misc install dccp /usr/bin/disabled-network-by-security-misc
install sctp /bin/disabled-network-by-security-misc install sctp /usr/bin/disabled-network-by-security-misc
install rds /bin/disabled-network-by-security-misc install rds /usr/bin/disabled-network-by-security-misc
install tipc /bin/disabled-network-by-security-misc install tipc /usr/bin/disabled-network-by-security-misc
install n-hdlc /bin/disabled-network-by-security-misc install n-hdlc /usr/bin/disabled-network-by-security-misc
install ax25 /bin/disabled-network-by-security-misc install ax25 /usr/bin/disabled-network-by-security-misc
install netrom /bin/disabled-network-by-security-misc install netrom /usr/bin/disabled-network-by-security-misc
install x25 /bin/disabled-network-by-security-misc install x25 /usr/bin/disabled-network-by-security-misc
install rose /bin/disabled-network-by-security-misc install rose /usr/bin/disabled-network-by-security-misc
install decnet /bin/disabled-network-by-security-misc install decnet /usr/bin/disabled-network-by-security-misc
install econet /bin/disabled-network-by-security-misc install econet /usr/bin/disabled-network-by-security-misc
install af_802154 /bin/disabled-network-by-security-misc install af_802154 /usr/bin/disabled-network-by-security-misc
install ipx /bin/disabled-network-by-security-misc install ipx /usr/bin/disabled-network-by-security-misc
install appletalk /bin/disabled-network-by-security-misc install appletalk /usr/bin/disabled-network-by-security-misc
install psnap /bin/disabled-network-by-security-misc install psnap /usr/bin/disabled-network-by-security-misc
install p8023 /bin/disabled-network-by-security-misc install p8023 /usr/bin/disabled-network-by-security-misc
install p8022 /bin/disabled-network-by-security-misc install p8022 /usr/bin/disabled-network-by-security-misc
install can /bin/disabled-network-by-security-misc install can /usr/bin/disabled-network-by-security-misc
install atm /bin/disabled-network-by-security-misc install atm /usr/bin/disabled-network-by-security-misc
## Disable uncommon file systems to reduce attack surface ## Disable uncommon file systems to reduce attack surface
## HFS and HFS+ are legacy Apple filesystems that may be required depending on the EFI parition format ## HFS and HFS+ are legacy Apple filesystems that may be required depending on the EFI parition format
install cramfs /bin/disabled-filesys-by-security-misc install cramfs /usr/bin/disabled-filesys-by-security-misc
install freevxfs /bin/disabled-filesys-by-security-misc install freevxfs /usr/bin/disabled-filesys-by-security-misc
install jffs2 /bin/disabled-filesys-by-security-misc install jffs2 /usr/bin/disabled-filesys-by-security-misc
install hfs /bin/disabled-filesys-by-security-misc install hfs /usr/bin/disabled-filesys-by-security-misc
install hfsplus /bin/disabled-filesys-by-security-misc install hfsplus /usr/bin/disabled-filesys-by-security-misc
install udf /bin/disabled-filesys-by-security-misc install udf /usr/bin/disabled-filesys-by-security-misc
## Disable uncommon network file systems to reduce attack surface ## Disable uncommon network file systems to reduce attack surface
install cifs /bin/disabled-netfilesys-by-security-misc install cifs /usr/bin/disabled-netfilesys-by-security-misc
install nfs /bin/disabled-netfilesys-by-security-misc install nfs /usr/bin/disabled-netfilesys-by-security-misc
install nfsv3 /bin/disabled-netfilesys-by-security-misc install nfsv3 /usr/bin/disabled-netfilesys-by-security-misc
install nfsv4 /bin/disabled-netfilesys-by-security-misc install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc
install ksmbd /bin/disabled-netfilesys-by-security-misc install ksmbd /usr/bin/disabled-netfilesys-by-security-misc
install gfs2 /bin/disabled-netfilesys-by-security-misc install gfs2 /usr/bin/disabled-netfilesys-by-security-misc
## Disables the vivid kernel module as it's only required for testing and has been the cause of multiple vulnerabilities ## Disables the vivid kernel module as it's only required for testing and has been the cause of multiple vulnerabilities
## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233 ## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233
## https://www.openwall.com/lists/oss-security/2019/11/02/1 ## https://www.openwall.com/lists/oss-security/2019/11/02/1
## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475 ## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475
install vivid /bin/disabled-vivid-by-security-misc install vivid /usr/bin/disabled-vivid-by-security-misc
## Disable Intel Management Engine (ME) interface with the OS ## Disable Intel Management Engine (ME) interface with the OS
## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html ## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html
install mei /bin/disabled-intelme-by-security-misc install mei /usr/bin/disabled-intelme-by-security-misc
install mei-me /bin/disabled-intelme-by-security-misc install mei-me /usr/bin/disabled-intelme-by-security-misc
## Blacklist automatic loading of the Atheros 5K RF MACs madwifi driver ## Blacklist automatic loading of the Atheros 5K RF MACs madwifi driver
## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco
@ -143,7 +143,7 @@ blacklist udlfb
## Disable CD-ROM devices ## Disable CD-ROM devices
## https://nvd.nist.gov/vuln/detail/CVE-2018-11506 ## https://nvd.nist.gov/vuln/detail/CVE-2018-11506
## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31 ## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31
#install cdrom /bin/disabled-cdrom-by-security-misc #install cdrom /usr/bin/disabled-cdrom-by-security-misc
#install sr_mod /bin/disabled-cdrom-by-security-misc #install sr_mod /usr/bin/disabled-cdrom-by-security-misc
blacklist cdrom blacklist cdrom
blacklist sr_mod blacklist sr_mod

View File

@ -36,14 +36,14 @@
## In case you need to use 'su'. See also: ## In case you need to use 'su'. See also:
## https://www.kicksecure.com/wiki/root#su ## https://www.kicksecure.com/wiki/root#su
#/bin/su exactwhitelist #/usr/bin/su exactwhitelist
#/usr/bin/su exactwhitelist #/usr/bin/su exactwhitelist
## https://manpages.debian.org/xserver-xorg-legacy/Xorg.wrap.1.en.html ## https://manpages.debian.org/xserver-xorg-legacy/Xorg.wrap.1.en.html
## https://lwn.net/Articles/590315/ ## https://lwn.net/Articles/590315/
## https://forums.whonix.org/t/suid-disabler-and-permission-hardener/7706/35 ## https://forums.whonix.org/t/suid-disabler-and-permission-hardener/7706/35
#/usr/lib/xorg/Xorg.wrap whitelist #/usr/lib/xorg/Xorg.wrap whitelist
#/lib/xorg/Xorg.wrap whitelist #/usr/lib/xorg/Xorg.wrap whitelist
###################################################################### ######################################################################
# SUID whitelist matches in any section of the path: matchwhitelist # SUID whitelist matches in any section of the path: matchwhitelist
@ -51,7 +51,7 @@
## Examples below are already configured: ## Examples below are already configured:
#ssh-agent matchwhitelist #ssh-agent matchwhitelist
#/lib/openssh matchwhitelist #/usr/lib/openssh matchwhitelist
###################################################################### ######################################################################
# Permission Hardening # Permission Hardening
@ -62,7 +62,7 @@
/boot/ 0700 root root /boot/ 0700 root root
/etc/permission-hardener.d 0600 root root /etc/permission-hardener.d 0600 root root
/usr/local/etc/permission-hardener.d 0600 root root /usr/local/etc/permission-hardener.d 0600 root root
/lib/modules/ 0700 root root /usr/lib/modules/ 0700 root root
/usr/src 0700 root root /usr/src 0700 root root
/etc/cups/cupsd.conf 0400 root root /etc/cups/cupsd.conf 0400 root root
/etc/syslog.conf 0600 root root /etc/syslog.conf 0600 root root
@ -93,25 +93,25 @@
## ##
## Remove all SUID/SGID binaries/libraries. ## Remove all SUID/SGID binaries/libraries.
/bin/ nosuid /usr/bin/ nosuid
/usr/local/bin/ nosuid /usr/local/bin/ nosuid
/usr/bin/ nosuid /usr/bin/ nosuid
/usr/local/usr/bin/ nosuid /usr/local/usr/bin/ nosuid
/sbin/ nosuid /usr/sbin/ nosuid
/usr/local/sbin/ nosuid /usr/local/sbin/ nosuid
/usr/sbin/ nosuid /usr/sbin/ nosuid
/usr/local/usr/sbin/ nosuid /usr/local/usr/sbin/ nosuid
/lib/ nosuid /usr/lib/ nosuid
/usr/local/lib/ nosuid /usr/local/lib/ nosuid
/lib32/ nosuid /usr/lib32/ nosuid
/usr/local/lib32/ nosuid /usr/local/lib32/ nosuid
/lib64/ nosuid /usr/lib64/ nosuid
/usr/local/lib64/ nosuid /usr/local/lib64/ nosuid
/usr/lib/ nosuid /usr/lib/ nosuid
@ -134,7 +134,7 @@
## Ping doesn't work with Tor anyway so its capabilities are removed to ## Ping doesn't work with Tor anyway so its capabilities are removed to
## reduce attack surface. ## reduce attack surface.
## anon-apps-config does this. ## anon-apps-config does this.
#/bin/ping 0744 root root none #/usr/bin/ping 0744 root root none
## TODO: research ## TODO: research
#/usr/lib/x86_64-linux-gnu/gstreamer1.0/grstreamer-1.0/gst-ptp-helper 0744 root root none #/usr/lib/x86_64-linux-gnu/gstreamer1.0/grstreamer-1.0/gst-ptp-helper 0744 root root none

View File

@ -221,7 +221,7 @@ add_nosuid_statoverride_entry() {
# shellcheck disable=SC2086 # shellcheck disable=SC2086
echo_wrapper_silent_audit dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${existing_owner}" "${existing_group}" "${new_mode}" "${file_name}" echo_wrapper_silent_audit dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${existing_owner}" "${existing_group}" "${new_mode}" "${file_name}"
## /lib will hit ARG_MAX if using bash 'shopt -s globstar' and '/lib/**'. ## /usr/lib will hit ARG_MAX if using bash 'shopt -s globstar' and '/usr/lib/**'.
## Using 'find' with '-perm /u=s,g=s' is faster and avoids ARG_MAX. ## Using 'find' with '-perm /u=s,g=s' is faster and avoids ARG_MAX.
## https://forums.whonix.org/t/disable-suid-binaries/7706/17 ## https://forums.whonix.org/t/disable-suid-binaries/7706/17
done < <(find "${fso_to_process}" -perm /u=s,g=s -print0 | xargs -I{} -0 stat -c "%n %a %U %G" {}) done < <(find "${fso_to_process}" -perm /u=s,g=s -print0 | xargs -I{} -0 stat -c "%n %a %U %G" {})

View File

@ -15,7 +15,7 @@
## /etc/sysctl.d/30-lkrg-virtualbox.conf ## /etc/sysctl.d/30-lkrg-virtualbox.conf
## by package security-misc, files: ## by package security-misc, files:
## /usr/share/security-misc/lkrg/lkrg-virtualbox ## /usr/share/security-misc/lkrg/lkrg-virtualbox
## /lib/systemd/system/lkrg.service.d/40-virtualbox.conf ## /usr/lib/systemd/system/lkrg.service.d/40-virtualbox.conf
## https://forums.whonix.org/t/linux-kernel-runtime-guard-lkrg-linux-kernel-runtime-integrity-checking-and-exploit-detection/8477/32 ## https://forums.whonix.org/t/linux-kernel-runtime-guard-lkrg-linux-kernel-runtime-integrity-checking-and-exploit-detection/8477/32
## https://www.openwall.com/lists/lkrg-users/2020/01/24/2 ## https://www.openwall.com/lists/lkrg-users/2020/01/24/2
@ -24,7 +24,7 @@
## https://github.com/openwall/lkrg/blob/main/scripts/bootup/lkrg.conf ## https://github.com/openwall/lkrg/blob/main/scripts/bootup/lkrg.conf
## https://github.com/openwall/lkrg/blob/main/scripts/bootup/systemd/lkrg.service ## https://github.com/openwall/lkrg/blob/main/scripts/bootup/systemd/lkrg.service
## /etc/sysctl.d/30-lkrg-dkms.conf ## /etc/sysctl.d/30-lkrg-dkms.conf
## /lib/systemd/system/lkrg.service ## /usr/lib/systemd/system/lkrg.service
## https://github.com/openwall/lkrg/issues/82#issuecomment-886188999 ## https://github.com/openwall/lkrg/issues/82#issuecomment-886188999
lkrg.pcfi_validate = 1 lkrg.pcfi_validate = 1