From 259b1f2c71ec4566011a148e5bc703a41f0ebd90 Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Wed, 16 Oct 2019 19:21:24 +0000 Subject: [PATCH] Update control --- debian/control | 27 +++++++++++++++------------ 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/debian/control b/debian/control index f1cd240..47356f9 100644 --- a/debian/control +++ b/debian/control 
@@ -32,33 +32,36 @@ Description: enhances misc security settings the kernel. (!) Hence, this package disables this feature by shipping the /etc/modprobe.d/30_nf_conntrack_helper_disable.conf configuration file. . - * Kernel symbols in /proc/kallsyms are hidden to prevent malware from - reading them and using them to learn more about what to attack on your system. + * Kernel symbols in various files in /proc are hidden as they can be + very useful for kernel exploits. . * Kexec is disabled as it can be used to load a malicious kernel. /etc/sysctl.d/kexec.conf . * ASLR effectiveness for mmap is increased. . - * The TCP/IP stack is hardened. + * The TCP/IP stack is hardened by disabling ICMP redirect acceptance, + ICMP redirect sending and source routing to prevent man-in-the-middle attacks, + ignoring all ICMP requests, enabling TCP syncookies to prevent SYN flood attacks + and enabling RFC1337 to protect against time-wait assassination attacks. . - * This package makes some data spoofing attacks harder. + * Some data spoofing attacks are made harder. . * SACK can be disabled as it is commonly exploited and is rarely used by - commenting in settings in file /etc/sysctl.d/tcp_sack.conf. + uncommenting settings in file /etc/sysctl.d/tcp_sack.conf. . - * This package disables the merging of slabs of similar sizes to prevent an - attacker from exploiting them. + * Slab merging is disabled as sometimes a slab can be used in a vulnerable + way which an attacker can exploit. . * Sanity checks, redzoning, and memory poisoning are enabled. . - * The kernel now panics on uncorrectable errors in ECC memory which could - be exploited. + * Machine checks (MCE) are disabled which makes the kernel panic + on uncorrectable errors in ECC memory that could be exploited. . * Kernel Page Table Isolation is enabled to mitigate Meltdown and increase KASLR effectiveness. . - * SMT is disabled as it can be used to exploit the MDS vulnerability. 
+ * SMT is disabled as it can be used to exploit the MDS and other vulnerabilities. . * All mitigations for the MDS vulnerability are enabled. . @@ -74,8 +77,8 @@ Description: enhances misc security settings /etc/sysctl.d/coredumps.conf /lib/systemd/coredump.conf.d/disable-coredumps.conf . - * The thunderbolt and firewire modules are blacklisted as they can be used - for DMA (Direct Memory Access) attacks. + * The thunderbolt and firewire kernel modules are blacklisted as they can be + used for DMA (Direct Memory Access) attacks. . * IOMMU is enabled with a boot parameter to prevent DMA attacks. .
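Review bot: The rewritten MCE bullet in the first hunk contradicts itself: "Machine checks (MCE) are disabled which makes the kernel panic on uncorrectable errors in ECC memory" describes the facility that detects those errors as switched off while also crediting it with the panic, so a reader cannot tell what the package actually configures. State the boot parameter or config file that is set, as the kexec and coredump bullets do, and describe its effect in one direction only (either machine-check handling is turned off, or uncorrected errors are made fatal, not both). In the same hunk, "ignoring all ICMP requests" in the TCP/IP bullet is ambiguous (echo requests only, or all ICMP); naming the sysctl involved would remove the doubt, and "enabling RFC1337" should name the setting rather than the RFC, since an RFC is not something that is enabled.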
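Review bot: In the second hunk the thunderbolt/firewire bullet names the blacklisted modules but, unlike the neighbouring coredump bullet that lists /etc/sysctl.d/coredumps.conf and /lib/systemd/coredump.conf.d/disable-coredumps.conf, it does not say which file carries the blacklist; adding that path would let an administrator find and audit the setting. The wording change itself ("kernel modules", "can be / used for") reads fine.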