Include KSPP compliance notices

2025-05-05 03:34:59 -04:00 · 2024-08-17 01:06:21 +10:00 · 2024-08-17 01:06:21 +10:00 · 248e094b8e
commit 248e094b8e
parent e962153f84
5 changed files with 112 additions and 1 deletions
--- a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf
+++ b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf
@ -14,4 +14,7 @@
 ##
 ## https://en.wikipedia.org/wiki/Kexec
 ##
+## KSPP=yes
+## KSPP sets the sysctl and does not set CONFIG_KEXEC.
+##
 kernel.kexec_load_disabled=1
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@ -31,11 +31,17 @@
 ##
 ## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
 ##
+## KSPP=yes
+## KSPP sets the sysctl.
+##
 kernel.kptr_restrict=2

 ## Restrict access to the kernel log buffer to users with CAP_SYSLOG.
 ## Kernel logs often contain sensitive information such as kernel pointers.
 ##
+## KSPP=yes
+## KSPP sets the sysctl and CONFIG_SECURITY_DMESG_RESTRICT=y.
+##
 kernel.dmesg_restrict=1

 ## Prevent kernel information leaks in the console during boot.
@ -52,6 +58,9 @@ kernel.dmesg_restrict=1
 ##
 ## https://en.wikipedia.org/wiki/EBPF#Security
 ##
+## KSPP=yes
+## KSPP sets the sysctls.
+##
 kernel.unprivileged_bpf_disabled=1
 net.core.bpf_jit_harden=2

@ -61,6 +70,9 @@ net.core.bpf_jit_harden=2
 ## https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html
 ## https://lkml.org/lkml/2019/4/15/890
 ##
+## KSPP=yes
+## KSPP sets the sysctl does not set CONFIG_LDISC_AUTOLOAD.
+##
 dev.tty.ldisc_autoload=0

 ## Restrict the userfaultfd() syscall to users with SYS_CAP_PTRACE.
@ -69,6 +81,9 @@ dev.tty.ldisc_autoload=0
 ## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cefdca0a86be517bc390fc4541e3674b8e7803b0
 ## https://duasynt.com/blog/linux-kernel-heap-spray
 ##
+## KSPP=yes
+## KSPP sets the sysctl.
+##
 vm.unprivileged_userfaultfd=0

 ## Disables kexec, which can be used to replace the running kernel.
@ -78,6 +93,9 @@ vm.unprivileged_userfaultfd=0
 ##
 ## See /usr/lib/sysctl.d/30_security-misc_kexec-disable.conf for implementation.
 ##
+## KSPP=yes
+## KSPP sets the sysctl and does not set CONFIG_KEXEC.
+##
 #kernel.kexec_load_disabled=1

 ## Disable the SysRq key to prevent leakage of kernel information.
@ -87,6 +105,9 @@ vm.unprivileged_userfaultfd=0
 ## https://www.kicksecure.com/wiki/SysRq
 ## https://github.com/xairy/unlockdown
 ##
+## KSPP=yes
+## KSPP sets the less strict CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176.
+##
 kernel.sysrq=0

 ## Restrict user namespaces to users with CAP_SYS_ADMIN.
@ -106,6 +127,9 @@ kernel.unprivileged_userns_clone=0
 ## https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html#unprivileged-users
 ## https://lore.kernel.org/kernel-hardening/1469630746-32279-1-git-send-email-jeffv@google.com/
 ##
+## KSPP=yes
+## KSPP sets the sysctl.
+##
 kernel.perf_event_paranoid=3

 ## Force the kernel to panic on "oopses".
@ -115,6 +139,9 @@ kernel.perf_event_paranoid=3
 ##
 ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713
 ##
+## KSPP=yes
+## KSPP sets CONFIG_PANIC_ON_OOPS=y and CONFIG_PANIC_TIMEOUT=-1.
+##
 ## See /usr/libexec/security-misc/panic-on-oops for implementation.
 ##
 #kernel.panic_on_oops=1
@ -126,6 +153,9 @@ kernel.perf_event_paranoid=3
 ##
 ## https://lore.kernel.org/lkml/20221228205726.rfevry7ud6gmttg5@begin/T/
 ##
+## KSPP=yes
+## KSPP sets the sysctl and does not set CONFIG_LEGACY_TIOCSTI.
+##
 ## TODO: Debian 13 Trixie
 ## This is disabled by default when using Linux kernel >= 6.2.
 ##
@ -161,6 +191,9 @@ kernel.io_uring_disabled=2
 ## https://github.com/GrapheneOS/os-issue-tracker/issues/651#issuecomment-917599928
 ## https://github.com/netblue30/firejail/issues/2860
 ##
+## KSPP=partial
+## KSPP sets the stricter sysctl kernel.yama.ptrace_scope=3.
+##
 ## It is possible to harden further by disabling ptrace() for all users, see documentation.
 ## https://github.com/Kicksecure/security-misc/pull/242
 ##
@ -188,6 +221,9 @@ kernel.yama.ptrace_scope=2
 ## https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=/tmp
 ## https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use#Preventing_TOCTOU
 ##
+## KSPP=yes
+## KSPP sets the sysctls.
+##
 fs.protected_hardlinks=1
 fs.protected_symlinks=1

@ -195,6 +231,9 @@ fs.protected_symlinks=1
 ## Also applies to group-writable sticky directories to make data spoofing attacks more difficult.
 ## Prevents unintentional writes to attacker-controlled files.
 ##
+## KSPP=yes
+## KSPP sets the sysctls.
+##
 fs.protected_fifos=2
 fs.protected_regular=2

@ -205,6 +244,9 @@ fs.protected_regular=2
 ##
 ## https://en.wikipedia.org/wiki/Address_space_layout_randomization#Linux
 ##
+## KSPP=yes
+## KSPP sets the sysctl.
+##
 kernel.randomize_va_space=2

 ## Increase the maximum number of memory map areas a process is permitted to utilize.
@ -254,6 +296,9 @@ kernel.core_pattern=|/bin/false
 ## Prevent setuid processes or otherwise protected/tainted binaries from creating core dumps.
 ## Any process which has changed privilege levels or is execute-only will not be dumped.
 ##
+## KSPP=yes
+## KSPP sets the sysctl.
+##
 fs.suid_dumpable=0

 ## Set core dump file name to 'core.PID' instead of 'core' as a form of defense-in-depth.
@ -284,6 +329,9 @@ vm.swappiness=1
 ## https://en.wikipedia.org/wiki/SYN_flood
 ## https://cateee.net/lkddb/web-lkddb/SYN_COOKIES.html
 ##
+## KSPP=yes
+## KSPP sets CONFIG_SYN_COOKIES=y.
+##
 net.ipv4.tcp_syncookies=1

 ## Protect against TCP time-wait assassination hazards.