mirror of
https://github.com/Kicksecure/security-misc.git
synced 2024-12-27 07:59:31 -05:00
Update control
This commit is contained in:
parent
ffba0e0179
commit
259b1f2c71
27
debian/control
vendored
27
debian/control
vendored
@ -32,33 +32,36 @@ Description: enhances misc security settings
|
||||
the kernel. (!) Hence, this package disables this feature by shipping the
|
||||
/etc/modprobe.d/30_nf_conntrack_helper_disable.conf configuration file.
|
||||
.
|
||||
* Kernel symbols in /proc/kallsyms are hidden to prevent malware from
|
||||
reading them and using them to learn more about what to attack on your system.
|
||||
* Kernel symbols in various files in /proc are hidden as they can be
|
||||
very useful for kernel exploits.
|
||||
.
|
||||
* Kexec is disabled as it can be used to load a malicious kernel.
|
||||
/etc/sysctl.d/kexec.conf
|
||||
.
|
||||
* ASLR effectiveness for mmap is increased.
|
||||
.
|
||||
* The TCP/IP stack is hardened.
|
||||
* The TCP/IP stack is hardened by disabling ICMP redirect acceptance,
|
||||
ICMP redirect sending and source routing to prevent man-in-the-middle attacks,
|
||||
ignoring all ICMP requests, enabling TCP syncookies to prevent SYN flood attacks
|
||||
and enabling RFC1337 to protect against time-wait assassination attacks.
|
||||
.
|
||||
* This package makes some data spoofing attacks harder.
|
||||
* Some data spoofing attacks are made harder.
|
||||
.
|
||||
* SACK can be disabled as it is commonly exploited and is rarely used by
|
||||
commenting in settings in file /etc/sysctl.d/tcp_sack.conf.
|
||||
uncommenting settings in file /etc/sysctl.d/tcp_sack.conf.
|
||||
.
|
||||
* This package disables the merging of slabs of similar sizes to prevent an
|
||||
attacker from exploiting them.
|
||||
* Slab merging is disabled as sometimes a slab can be used in a vulnerable
|
||||
way which an attacker can exploit.
|
||||
.
|
||||
* Sanity checks, redzoning, and memory poisoning are enabled.
|
||||
.
|
||||
* The kernel now panics on uncorrectable errors in ECC memory which could
|
||||
be exploited.
|
||||
* Machine checks (MCE) are disabled which makes the kernel panic
|
||||
on uncorrectable errors in ECC memory that could be exploited.
|
||||
.
|
||||
* Kernel Page Table Isolation is enabled to mitigate Meltdown and increase
|
||||
KASLR effectiveness.
|
||||
.
|
||||
* SMT is disabled as it can be used to exploit the MDS vulnerability.
|
||||
* SMT is disabled as it can be used to exploit the MDS and other vulnerabilities.
|
||||
.
|
||||
* All mitigations for the MDS vulnerability are enabled.
|
||||
.
|
||||
@ -74,8 +77,8 @@ Description: enhances misc security settings
|
||||
/etc/sysctl.d/coredumps.conf
|
||||
/lib/systemd/coredump.conf.d/disable-coredumps.conf
|
||||
.
|
||||
* The thunderbolt and firewire modules are blacklisted as they can be used
|
||||
for DMA (Direct Memory Access) attacks.
|
||||
* The thunderbolt and firewire kernel modules are blacklisted as they can be
|
||||
used for DMA (Direct Memory Access) attacks.
|
||||
.
|
||||
* IOMMU is enabled with a boot parameter to prevent DMA attacks.
|
||||
.
|
||||
|
Loading…
Reference in New Issue
Block a user