Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-01-14 01:39:29 -05:00
Code Issues Packages Projects Releases Wiki Activity

Update control

Browse Source
This commit is contained in:
madaidan 2019-10-16 19:21:24 +00:00 committed by GitHub
parent ffba0e0179
commit 259b1f2c71
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 15 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
debian/control vendored
View File

@ -32,33 +32,36 @@ Description: enhances misc security settings
the kernel. (!) Hence, this package disables this feature by shipping the the kernel. (!) Hence, this package disables this feature by shipping the
/etc/modprobe.d/30_nf_conntrack_helper_disable.conf configuration file. /etc/modprobe.d/30_nf_conntrack_helper_disable.conf configuration file.
. .
* Kernel symbols in /proc/kallsyms are hidden to prevent malware from * Kernel symbols in various files in /proc are hidden as they can be
reading them and using them to learn more about what to attack on your system. very useful for kernel exploits.
. .
* Kexec is disabled as it can be used to load a malicious kernel. * Kexec is disabled as it can be used to load a malicious kernel.
/etc/sysctl.d/kexec.conf /etc/sysctl.d/kexec.conf
. .
* ASLR effectiveness for mmap is increased. * ASLR effectiveness for mmap is increased.
. .
* The TCP/IP stack is hardened. * The TCP/IP stack is hardened by disabling ICMP redirect acceptance,
ICMP redirect sending and source routing to prevent man-in-the-middle attacks,
ignoring all ICMP requests, enabling TCP syncookies to prevent SYN flood attacks
and enabling RFC1337 to protect against time-wait assassination attacks.
. .
* This package makes some data spoofing attacks harder. * Some data spoofing attacks are made harder.
. .
* SACK can be disabled as it is commonly exploited and is rarely used by * SACK can be disabled as it is commonly exploited and is rarely used by
commenting in settings in file /etc/sysctl.d/tcp_sack.conf. uncommenting settings in file /etc/sysctl.d/tcp_sack.conf.
. .
* This package disables the merging of slabs of similar sizes to prevent an * Slab merging is disabled as sometimes a slab can be used in a vulnerable
attacker from exploiting them. way which an attacker can exploit.
. .
* Sanity checks, redzoning, and memory poisoning are enabled. * Sanity checks, redzoning, and memory poisoning are enabled.
. .
* The kernel now panics on uncorrectable errors in ECC memory which could * Machine checks (MCE) are disabled which makes the kernel panic
be exploited. on uncorrectable errors in ECC memory that could be exploited.
. .
* Kernel Page Table Isolation is enabled to mitigate Meltdown and increase * Kernel Page Table Isolation is enabled to mitigate Meltdown and increase
KASLR effectiveness. KASLR effectiveness.
. .
* SMT is disabled as it can be used to exploit the MDS vulnerability. * SMT is disabled as it can be used to exploit the MDS and other vulnerabilities.
. .
* All mitigations for the MDS vulnerability are enabled. * All mitigations for the MDS vulnerability are enabled.
. .
@ -74,8 +77,8 @@ Description: enhances misc security settings
/etc/sysctl.d/coredumps.conf /etc/sysctl.d/coredumps.conf
/lib/systemd/coredump.conf.d/disable-coredumps.conf /lib/systemd/coredump.conf.d/disable-coredumps.conf
. .
* The thunderbolt and firewire modules are blacklisted as they can be used * The thunderbolt and firewire kernel modules are blacklisted as they can be
for DMA (Direct Memory Access) attacks. used for DMA (Direct Memory Access) attacks.
. .
* IOMMU is enabled with a boot parameter to prevent DMA attacks. * IOMMU is enabled with a boot parameter to prevent DMA attacks.
. .