Merge remote-tracking branch 'github-kicksecure/master'

Patrick Schleizer 2024-08-16 04:22:43 -04:00
commit 12296c68dc
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
5 changed files with 116 additions and 52 deletions

View File

@ -42,27 +42,32 @@ space, user space, core dumps, and swap space.
- Restrict kernel profiling and the performance events system to `CAP_PERFMON`.
- Force the kernel to panic on "oopses" that can potentially indicate and thwart
certain kernel exploitation attempts. Provide the option to reboot immediately
on a kernel panic.
- Randomize the addresses (ASLR) for mmap base, stack, VDSO pages, and heap.
certain kernel exploitation attempts. Optional - Force immediate reboot on the
occurrence of a kernel panic.
- Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
- Disable asynchronous I/O as `io_uring` has been the source
of numerous kernel exploits (when using Linux kernel version >= 6.6).
- Disable asynchronous I/O (when using Linux kernel >= 6.6) as `io_uring` has been
the source of numerous kernel exploits.
- Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it
enables programs to inspect and modify other active processes. Provide the
option to entirely disable the use of `ptrace()` for all processes.
enables programs to inspect and modify other active processes. Optional - Disable
usage of `ptrace()` by all processes.
- Maximize the bits of entropy used for mmap ASLR across all architectures.
- Prevent hardlink and symlink TOCTOU races in world-writable directories.
- Disallow unintentional writes to files in world-writable directories unless
they are owned by the directory owner to mitigate some data spoofing attacks.
- Randomize the addresses (ASLR) for mmap base, stack, VDSO pages, and heap.
- Increase the maximum number of memory map areas a process is able to utilize.
- Disallow registering interpreters for various (miscellaneous) binary formats based
on a magic number or their file extension to prevent unintended code execution.
- Disable core dump files and prevent their creation. If core dump files are
enabled, they will be named based on `core.PID` instead of the default `core`.
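Review bot: the io_uring bullet (in both the old and the rewrapped wording) overstates what the setting does: `kernel.io_uring_disabled=2` disables io_uring only, not asynchronous I/O in general; POSIX AIO via io_submit, epoll and non-blocking sockets keep working. Suggest "- Disable io_uring (when using Linux kernel >= 6.6) as it has been the source of numerous kernel exploits." so the README describes the sysctl it refers to.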
@ -89,15 +94,15 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6.
- Do not accept IPv6 router advertisements and solicitations.
- Provide the option to disable SACK and DSACK as they have historically been
a known vector for exploitation.
- Optional - Disable SACK and DSACK as they have historically been a known
vector for exploitation.
- Disable TCP timestamps as they can allow detecting the system time.
- Provide the option to log packets with impossible source or destination
addresses to enable further inspection and analysis.
- Optional - Log packets with impossible source or destination addresses to
enable further inspection and analysis.
- Provide the option to enable IPv6 Privacy Extensions.
- Optional - Enable IPv6 Privacy Extensions.
### mmap ASLR
@ -143,22 +148,27 @@ configuration file.
- Force kernel panics on "oopses" to potentially indicate and thwart certain
kernel exploitation attempts.
- Provide the option to modify machine check exception handler.
- Optional - Modify the machine check exception handler.
- Prevent sensitive kernel information leaks in the console during boot.
- Enable the kernel Electric-Fence sampling-based memory safety error detector
which can identify heap out-of-bounds access, use-after-free, and invalid-free errors.
- Disable 32-bit vDSO mappings as they are a legacy compatibility feature.
- Provide the option to use kCFI as the default CFI implementation since it may be
slightly more resilient to attacks that are able to write arbitrary executables
in memory (when using Linux kernel version >= 6.2).
- Optional - Use kCFI as the default CFI implementation (when using Linux kernel >= 6.2)
since it may be slightly more resilient to attacks that are able to write
arbitrary executables in memory.
- Provide the option to disable support for all x86 processes and syscalls to reduce
attack surface (when using Linux kernel version >= 6.7).
- Optional - Disable support for all x86 processes and syscalls (when using Linux kernel >= 6.7)
to reduce attack surface.
- Enable strict IOMMU translation to protect against DMA attacks and disable
the busmaster bit on all PCI bridges during the early boot process.
- Enable strict IOMMU translation to protect against some DMA attacks via the use
of both CPU manufacturer-specific drivers and kernel settings.
- Clear the busmaster bit on all PCI bridges during the EFI hand-off, which disables
DMA before the IOMMU is configured. May cause boot failure on certain hardware.
- Do not credit the CPU or bootloader as entropy sources at boot in order to
maximize the absolute quantity of entropy in the combined pool.
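Review bot: "Disable support for all x86 processes and syscalls" in the ia32_emulation bullet is wrong for an x86-64 kernel: the parameter removes 32-bit (IA-32) compatibility only, and 64-bit processes are unaffected. Suggest "Disable support for 32-bit (IA-32) processes and syscalls on x86-64 (when using Linux kernel >= 6.7)". In the kCFI bullet, "attacks that are able to write arbitrary executables in memory" is hard to parse; the usual framing of the kCFI versus FineIBT trade-off is an attacker who already has an arbitrary memory write primitive, so "attacks with an arbitrary memory write primitive" would be clearer.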
@ -166,10 +176,7 @@ configuration file.
- Obtain more entropy at boot from RAM as the runtime memory allocator is
being initialized.
- Provide the option to disable the entire IPv6 stack to reduce attack surface.
Disallow sensitive kernel information leaks in the console during boot. See
the `/etc/default/grub.d/41_quiet_boot.cfg` configuration file.
- Optional - Disable the entire IPv6 stack to reduce attack surface.
### Kernel Modules
@ -304,13 +311,24 @@ See:
### Bluetooth Status: Enabled but Defaulted to Off
- **Default Behavior**: Although Bluetooth capability is 'enabled' in the kernel, security-misc deviates from the usual behavior by starting with Bluetooth turned off at system start. This setting remains until the user explicitly opts to activate Bluetooth.
- **Default Behavior**: Although Bluetooth capability is 'enabled' in the kernel,
security-misc deviates from the usual behavior by starting with Bluetooth
turned off at system start. This setting remains until the user explicitly opts
to activate Bluetooth.
- **User Control**: Users have the freedom to easily switch Bluetooth on and off in the usual way, exercising their own discretion. This can be done via the Bluetooth toggle through the usual way, that is either through GUI settings application or command line commands.
- **User Control**: Users have the freedom to easily switch Bluetooth on and off
in the usual way, exercising their own discretion. This can be done via the
Bluetooth toggle through the usual way, that is either through GUI settings
application or command line commands.
- **Enhanced Privacy Settings**: We enforce more private defaults for Bluetooth connections. This includes the use of private addresses and strict timeout settings for discoverability and visibility.
- **Enhanced Privacy Settings**: We enforce more private defaults for Bluetooth
connections. This includes the use of private addresses and strict timeout
settings for discoverability and visibility.
- **Security Considerations**: Despite these measures, it's important to note that Bluetooth technology, by its nature, may still be prone to exploits due to its history of security vulnerabilities. Thus, we recommend users to opt-out of using Bluetooth when possible.
- **Security Considerations**: Despite these measures, it's important to note that
Bluetooth technology, by its nature, may still be prone to exploits due to its
history of security vulnerabilities. Thus, we recommend users to opt-out of
using Bluetooth when possible.
### Configuration Details
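Review bot: the rewrapped User Control bullet keeps the duplicated phrase "in the usual way ... through the usual way"; since this hunk is a reflow anyway, drop one of them. Suggest "This can be done via the Bluetooth toggle in the GUI settings application or from the command line."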
@ -319,15 +337,25 @@ See:
### Understanding Bluetooth Terms
- **Disabling Bluetooth**: This means the absence of the Bluetooth kernel module. When disabled, Bluetooth is non-existent in the system - it cannot be seen, set, configured, or interacted with in any way.
- **Disabling Bluetooth**: This means the absence of the Bluetooth kernel module.
When disabled, Bluetooth is non-existent in the system - it cannot be seen, set,
configured, or interacted with in any way.
- **Turning Bluetooth On/Off**: This refers to a software toggle. Normally, on Debian systems, Bluetooth is 'on' when the system boots up. It actively searches for known devices to auto-connect and may be discoverable or visible under certain conditions. Our default ensures that Bluetooth is off on startup. However, it remains 'enabled' in the kernel, meaning the kernel can use the Bluetooth protocol and has the necessary modules.
- **Turning Bluetooth On/Off**: This refers to a software toggle. Normally, on
Debian systems, Bluetooth is 'on' when the system boots up. It actively searches
for known devices to auto-connect and may be discoverable or visible under certain
conditions. Our default ensures that Bluetooth is off on startup. However, it
remains 'enabled' in the kernel, meaning the kernel can use the Bluetooth protocol
and has the necessary modules.
### Quick Toggle Guide
- **Turning Bluetooth On**: Simply click the Bluetooth button in the settings application or on the tray, and switch the toggle. It's a straightforward action that can be completed in less than a second.
- **Turning Bluetooth On**: Simply click the Bluetooth button in the settings
application or on the tray, and switch the toggle. It's a straightforward action
that can be completed in less than a second.
- **Turning Bluetooth Off**: Follow the same procedure as turning it on but switch the toggle to the off position.
- **Turning Bluetooth Off**: Follow the same procedure as turning it on but switch
the toggle to the off position.
## Entropy collection improvements

View File

@ -127,10 +127,13 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
## Enable the kernel "Electric-Fence" sampling-based memory safety error detector.
## KFENCE detects heap out-of-bounds access, use-after-free, and invalid-free errors.
## Aims to have very low processing overhead at each sampling interval
## Aims to have very low processing overhead at each sampling interval.
## Sampling interval is set to occur every 100 milliseconds as per KSPP recommendation.
##
## https://www.kernel.org/doc/html/latest/dev-tools/kfence.html
## https://google.github.io/kernel-sanitizers/KFENCE.html
## https://blogs.oracle.com/linux/post/linux-slub-allocator-internals-and-debugging-4
## https://lwn.net/Articles/835542/
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100"
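Review bot: the comment block should say that 100 ms is also the kernel's build-time default (CONFIG_KFENCE_SAMPLE_INTERVAL), so `kfence.sample_interval=100` only changes behaviour on kernels built with a different default, in particular 0, which leaves KFENCE disabled, and does nothing at all on kernels built without CONFIG_KFENCE. One line such as "## Set explicitly in case the distribution kernel defaults the interval to 0 (disabled)." would make the intent clear.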
@ -143,7 +146,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation.
## The default implementation is FIneIBT as of Linux kernel 6.2.
## The default implementation is FineIBT as of Linux kernel 6.2.
## The Intel-developed IBT (Indirect Branch Tracking) is only used if supported by the CPU.
## kCFI is software-only while FineIBT is a hybrid software/hardware implementation.
## FineIBT may result in some performance benefits as it only performs checking at destinations.
@ -172,6 +175,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
##
## https://lore.kernel.org/all/20230623111409.3047467-7-nik.borisov@suse.com/
##
## TODO: Debian 13 Trixie
## Applicable when using Linux kernel >= 6.7 (retained here for future-proofing and completeness).
##
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0"
@ -180,12 +184,12 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
##
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#dma-attacks
## Enable CPU manufacturer-specific IOMMU drivers to protect against DMA attacks.
## Enable CPU manufacturer-specific IOMMU drivers to mitigate some DMA attacks.
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX amd_iommu=force_isolation"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on"
## Enable and force use of IOMMU translation to protect against DMA attacks.
## Enable and force use of IOMMU translation to protect against some DMA attacks.
## Strictly force DMA unmap operations to synchronously invalidate IOMMU hardware TLBs.
## Ensures devices will never be able to access stale data contents.
##
@ -197,9 +201,11 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu=force"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.passthrough=0"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.strict=1"
## Disable the busmaster bit on all PCI bridges during the early boot process.
## Patches weak points in some existing IOMMU implementations.
## May lead to issues such as complete system boot failure on certain devices.
## Clear the busmaster bit on all PCI bridges during the EFI hand-off.
## Terminates all existing DMA transactions prior to the kernel's IOMMU setup.
## Forces third party PCI devices to then re-set their busmaster bit in order to perform DMA.
## Assumes that the motherboard chipset and firmware are not malicious.
## May cause complete boot failure on certain hardware with incompatible firmware.
##
## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94
## https://mjg59.dreamwidth.org/54433.html
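Review bot: "Forces third party PCI devices to then re-set their busmaster bit" attributes the action to the wrong party: the bus-master enable bit lives in the PCI command register and is written by the host, so it is the device's kernel driver that re-enables DMA when it binds (pci_set_master()), not the device. Suggest "Device drivers re-enable bus mastering when they bind, so a device can only DMA once a driver has claimed it and the IOMMU is already configured."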
@ -220,6 +226,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma"
##
## https://en.wikipedia.org/wiki/RDRAND#Reception
## https://systemd.io/RANDOM_SEEDS/
## https://www.kicksecure.com/wiki/Dev/Entropy#RDRAND
## https://arstechnica.com/gadgets/2019/10/how-a-months-old-amd-microcode-bug-destroyed-my-weekend/
## https://x.com/pid_eins/status/1149649806056280069
## https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html

View File

@ -10,9 +10,8 @@
## Instead, ram-wipe will config-package-dev 'hide' this file.
## Disables kexec, which can be used to replace the running kernel.
## Kexec is useful for live kernel patching without rebooting.
## Useful for live kernel patching without rebooting.
##
## For more information, see:
## https://en.wikipedia.org/wiki/Kexec
##
kernel.kexec_load_disabled=1
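Review bot: "Useful for live kernel patching without rebooting." misdescribes kexec: it boots a replacement kernel from the running one, skipping firmware initialisation, which from user space's point of view is still a reboot; patching a running kernel in place is a separate mechanism (livepatch). Suggest "Kexec is used for fast reboots into a new kernel and for crash dumps (kdump). With it disabled, a root-level attacker cannot swap in a different kernel without going through the bootloader."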

View File

@ -2,10 +2,9 @@
## See the file COPYING for copying conditions.
## Prevent kernel information leaks in the console during boot.
## Must be used in combination with the kernel boot parameters.
## Must be used in conjunction with kernel boot parameters.
## See /etc/default/grub.d/41_quiet_boot.cfg for implementation.
##
## For more information, refer to:
## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html
##
kernel.printk=3 3 3 3

View File

@ -120,20 +120,15 @@ kernel.perf_event_paranoid=3
#kernel.panic_on_oops=1
#kernel.panic=-1
## Enable ASLR for mmap base, stack, VDSO pages, and heap.
## Heap randomization can lead to breakages with legacy applications.
##
## https://en.wikipedia.org/wiki/Address_space_layout_randomization#Linux
##
kernel.randomize_va_space=2
## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
## Can lead to privilege escalation by pushing characters into a controlling TTY.
## Will break out-dated screen readers that continue to rely on this legacy functionality.
## This is disabled by default when using Linux kernel >= 6.2.
##
## https://lore.kernel.org/lkml/20221228205726.rfevry7ud6gmttg5@begin/T/
##
## TODO: Debian 13 Trixie
## This is disabled by default when using Linux kernel >= 6.2.
##
dev.tty.legacy_tiocsti=0
## Disable asynchronous I/O for all processes.
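Review bot: "This is disabled by default when using Linux kernel >= 6.2" is imprecise: 6.2 is the version that introduced the `dev.tty.legacy_tiocsti` sysctl (CONFIG_LEGACY_TIOCSTI); whether it starts disabled depends on that Kconfig option, whose upstream default keeps TIOCSTI enabled. Suggest "## The dev.tty.legacy_tiocsti sysctl exists as of Linux kernel >= 6.2; its default follows CONFIG_LEGACY_TIOCSTI." and keep it under the "TODO: Debian 13 Trixie" marker, since the TODO is about which Debian kernel has the key, not about the default.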
@ -146,6 +141,7 @@ dev.tty.legacy_tiocsti=0
## https://github.com/moby/moby/pull/46762
## https://forums.whonix.org/t/io-uring-security-vulnerabilties/16890
##
## TODO: Debian 13 Trixie
## Applicable when using Linux kernel >= 6.6 (retained here for future-proofing and completeness).
##
kernel.io_uring_disabled=2
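Review bot: on a kernel older than 6.6 (the Debian 12 kernel, which the TODO implies is still the target) this key does not exist, so `sysctl --system` logs an error for this file and continues; if that is acceptable the comment should say so, otherwise the sysctl.conf `-` prefix marks a setting to be skipped silently when the key is absent: `-kernel.io_uring_disabled=2`. The same applies to `dev.tty.legacy_tiocsti` (>= 6.2) and `fs.binfmt_misc.status` in this file.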
@ -202,6 +198,15 @@ fs.protected_symlinks=1
fs.protected_fifos=2
fs.protected_regular=2
## Enable ASLR for mmap base, stack, VDSO pages, and heap.
## Forces shared libraries to be loaded to random addresses
## Start location of PIE-linked binaries is randomized.
## Heap randomization can lead to breakages with legacy applications.
##
## https://en.wikipedia.org/wiki/Address_space_layout_randomization#Linux
##
kernel.randomize_va_space=2
## Increase the maximum number of memory map areas a process is permitted to utilize.
## Addresses performance, crash, and start-up issues for some memory-intensive applications.
## Required to accommodate the very large number of guard pages created by hardened_malloc.
@ -214,6 +219,26 @@ fs.protected_regular=2
##
vm.max_map_count=1048576
## Disable the miscellaneous binary format virtual file system to prevent unintended code execution.
## Prevents registering interpreters for various binary formats based on a magic number or their file extension.
## Otherwise arbitrary executables with recognized file formats will be passed to relevant user space applications.
## These interpreters will then run with root permissions when a setuid binary is owned by root.
## Can stop maliciously crafted files with specific file extensions from automatically executing.
## Breaks many scripts that do not have appropriate shebang interpreter directives (#!/bin/...).
##
## https://www.kernel.org/doc/html/latest/admin-guide/binfmt-misc.html
## https://salsa.debian.org/debian/binfmt-support
## https://access.redhat.com/solutions/1985633
## https://en.wikipedia.org/wiki/Binfmt_misc
## https://security.stackexchange.com/questions/271786/does-allowing-binfmt-misc-significantly-increase-the-attack-surface-for-unprivil
## https://unix.stackexchange.com/questions/439569/what-kinds-of-executable-formats-do-the-files-under-proc-sys-fs-binfmt-misc-al
## https://github.com/Kicksecure/security-misc/pull/249
##
## KSPP=yes
## KSPP does not set CONFIG_BINFMT_MISC.
##
fs.binfmt_misc.status=0
## 3. Core Dumps:
##
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps
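Review bot: "These interpreters will then run with root permissions when a setuid binary is owned by root." holds only for registrations made with the `C` (credentials) flag; by default binfmt_misc derives the new process's credentials from the interpreter, not from the set-uid binary, so the line should be qualified accordingly. Also worth a comment line: `/proc/sys/fs/binfmt_misc/status` belongs to the binfmt_misc filesystem, so the write succeeds only when that filesystem is mounted (on systemd the proc-sys-fs-binfmt_misc.automount unit handles this), and root can re-enable it at any time by writing 1, so this is a default rather than a lockdown.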
@ -272,6 +297,7 @@ net.ipv4.tcp_rfc1337=1
## Prevents IP spoofing and mitigates vulnerabilities such as CVE-2019-14899.
##
## https://en.wikipedia.org/wiki/IP_address_spoofing
## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-reverse_path_forwarding#sect-Security_Guide-Server_Security-Reverse_Path_Forwarding
## https://forums.whonix.org/t/enable-reverse-path-filtering/8594
## https://seclists.org/oss-sec/2019/q4/122
##
@ -345,9 +371,14 @@ net.ipv6.conf.default.accept_ra=0
#net.ipv4.tcp_dsack=0
## Disable TCP timestamps to limit device fingerprinting via system time.
## Timestamps allow round-trip time measurement and protection against wrapped sequence numbers.
## Disabling timestamps on very fast links is likely to cause TCP Sequence Numbers to wrap.
## Segments with wrapped numbers will be incorrectly discarded, reducing network performance.
##
## https://datatracker.ietf.org/doc/html/rfc1323
## https://forums.whonix.org/t/do-ntp-and-tcp-timestamps-really-leak-your-local-time/7824
## https://web.archive.org/web/20170201160732/https://mailman.boum.org/pipermail/tails-dev/2013-December/004520.html
## https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
##
net.ipv4.tcp_timestamps=0
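Review bot: the first reference should be RFC 7323, which obsoletes RFC 1323 and is the current specification of TCP timestamps and PAWS. The fingerprinting rationale also needs toning down: Linux has randomized the timestamp offset per connection since 4.10, so a peer cannot read the system clock or uptime directly; what remains is a monotonically increasing counter usable for fingerprinting across connections. Suggest swapping the link and adding a comment line saying exactly that, so readers can weigh the residual fingerprinting risk against the PAWS and RTT measurement loss described in the lines above.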