This commit is contained in:
Patrick Schleizer 2019-08-14 10:07:55 +00:00
parent 01b3a0bfae
commit 2875adb722
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48

View File

@ -40,6 +40,9 @@ KASLR effectiveness.
* The SysRq key is restricted to only allow shutdowns/reboots. * The SysRq key is restricted to only allow shutdowns/reboots.
A systemd service clears System.map on boot as these contain kernel symbols A systemd service clears System.map on boot as these contain kernel symbols
that could be useful to an attacker. that could be useful to an attacker.
/etc/kernel/postinst.d/30_remove-system-map
/lib/systemd/system/remove-system-map.service
/usr/lib/security-misc/remove-system.map
* Coredumps are disabled as they may contain important information such as * Coredumps are disabled as they may contain important information such as
encryption keys or passwords. encryption keys or passwords.
@ -116,6 +119,7 @@ access rights restrictions:
* The default umask is changed to 006. This allows only the owner and group * The default umask is changed to 006. This allows only the owner and group
to read and write to newly created files. to read and write to newly created files.
/etc/login.defs.security-misc /etc/login.defs.security-misc
/usr/share/pam-configs/usergroups-security-misc
* Enables pam_umask.so usergroups so group permissions are same as user * Enables pam_umask.so usergroups so group permissions are same as user
permissions. Debian by default uses User Private Groups (UPG). permissions. Debian by default uses User Private Groups (UPG).
@ -129,12 +133,14 @@ pam_mkhomedir.so umask=006
* Removes read, write and execute access for others for all users who have * Removes read, write and execute access for others for all users who have
home folders under folder /home by running for example home folders under folder /home by running for example
"chmod o-rwx /home/user" "chmod o-rwx /home/user"
during package installation or upgrade. This will be done only once per folder during package installation, upgrade or pam. This will be done only once per
in folder /home so users who wish to relax file permissions are free to do so. folder in folder /home so users who wish to relax file permissions are free to
This is to protect previously created files in user home folder which were do so. This is to protect previously created files in user home folder which
previously created with lax file permissions prior installation of this were previously created with lax file permissions prior installation of this
package. package.
debian/security-misc.postinst debian/security-misc.postinst
/usr/share/pam-configs/permission-lockdown-security-misc
/usr/lib/security-misc/permission-lockdown
access rights relaxations: access rights relaxations: