mirror of
https://github.com/Kicksecure/security-misc.git
synced 2025-04-06 13:03:43 -04:00
Merge branch 'master' into sysrq
This commit is contained in:
commit
1e5946c795
2
debian/control
vendored
2
debian/control
vendored
@ -122,6 +122,8 @@ Description: enhances misc security settings
|
||||
.
|
||||
* Restricts the SysRq key so it can only be used for shutdowns and the
|
||||
Secure Attention Key.
|
||||
.
|
||||
* Restricts loading line disciplines to CAP_SYS_MODULE.
|
||||
.
|
||||
Improve Entropy Collection
|
||||
.
|
||||
|
@ -3,3 +3,10 @@
|
||||
|
||||
## Enables IOMMU to prevent DMA attacks.
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on amd_iommu=on"
|
||||
|
||||
## Disable the busmaster bit on all PCI bridges during very
|
||||
## early boot to avoid holes in IOMMU.
|
||||
##
|
||||
## https://mjg59.dreamwidth.org/54433.html
|
||||
## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma"
|
||||
|
@ -119,8 +119,14 @@ net.ipv4.tcp_timestamps=0
|
||||
|
||||
#### meta end
|
||||
|
||||
|
||||
## Only allow the SysRq key to be used for shutdowns and the
|
||||
## Secure Attention Key (SAK).
|
||||
##
|
||||
## https://forums.whonix.org/t/sysrq-magic-sysrq-key/8079/
|
||||
kernel.sysrq=132
|
||||
|
||||
## Restrict loading line disciplines to CAP_SYS_MODULE to prevent
|
||||
## unprivileged attackers from loading vulnerable line disciplines
|
||||
## with the TIOCSETD ioctl to exploit them.
|
||||
dev.tty.ldisc_autoload=0
|
||||
|
@ -26,7 +26,9 @@ fi
|
||||
## Removes the System.map files as they are only used for debugging or malware.
|
||||
for filename in ${system_map_location} ; do
|
||||
if [ -f "${filename}" ]; then
|
||||
rm --verbose --force "${filename}"
|
||||
## 'shred' with '--verbose' is too chatty. (7 lines)
|
||||
shred --force --zero -u "${filename}"
|
||||
echo "removed '${filename}'"
|
||||
fi
|
||||
done
|
||||
|
||||
|
Loading…
x
Reference in New Issue
Block a user