Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2024-12-26 16:29:22 -05:00
Code Issues Packages Projects Releases Wiki Activity

Update control

Browse Source
This commit is contained in:
madaidan 2019-10-16 19:21:24 +00:00 committed by GitHub
parent ffba0e0179
commit 259b1f2c71
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 15 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
debian/control vendored
View File

@ -32,33 +32,36 @@ Description: enhances misc security settings
the kernel. (!) Hence, this package disables this feature by shipping the
/etc/modprobe.d/30_nf_conntrack_helper_disable.conf configuration file.
.
* Kernel symbols in /proc/kallsyms are hidden to prevent malware from
reading them and using them to learn more about what to attack on your system.
* Kernel symbols in various files in /proc are hidden as they can be
very useful for kernel exploits.
.
* Kexec is disabled as it can be used to load a malicious kernel.
/etc/sysctl.d/kexec.conf
.
* ASLR effectiveness for mmap is increased.
.
* The TCP/IP stack is hardened.
* The TCP/IP stack is hardened by disabling ICMP redirect acceptance,
ICMP redirect sending and source routing to prevent man-in-the-middle attacks,
ignoring all ICMP requests, enabling TCP syncookies to prevent SYN flood attacks
and enabling RFC1337 to protect against time-wait assassination attacks.
.
* This package makes some data spoofing attacks harder.
* Some data spoofing attacks are made harder.
.
* SACK can be disabled as it is commonly exploited and is rarely used by
commenting in settings in file /etc/sysctl.d/tcp_sack.conf.
uncommenting settings in file /etc/sysctl.d/tcp_sack.conf.
.
* This package disables the merging of slabs of similar sizes to prevent an
attacker from exploiting them.
* Slab merging is disabled as sometimes a slab can be used in a vulnerable
way which an attacker can exploit.
.
* Sanity checks, redzoning, and memory poisoning are enabled.
.
* The kernel now panics on uncorrectable errors in ECC memory which could
be exploited.
* Machine checks (MCE) are disabled which makes the kernel panic
on uncorrectable errors in ECC memory that could be exploited.
.
* Kernel Page Table Isolation is enabled to mitigate Meltdown and increase
KASLR effectiveness.
.
* SMT is disabled as it can be used to exploit the MDS vulnerability.
* SMT is disabled as it can be used to exploit the MDS and other vulnerabilities.
.
* All mitigations for the MDS vulnerability are enabled.
.
@ -74,8 +77,8 @@ Description: enhances misc security settings
/etc/sysctl.d/coredumps.conf
/lib/systemd/coredump.conf.d/disable-coredumps.conf
.
* The thunderbolt and firewire modules are blacklisted as they can be used
for DMA (Direct Memory Access) attacks.
* The thunderbolt and firewire kernel modules are blacklisted as they can be
used for DMA (Direct Memory Access) attacks.
.
* IOMMU is enabled with a boot parameter to prevent DMA attacks.
.