mirror of
https://github.com/Kicksecure/security-misc.git
synced 2025-01-07 09:07:53 -05:00
Merge pull request #264 from raja-grewal/kspp_compliance
Add KSPP compliance notices to corresponding parameters and `sysctls`
This commit is contained in:
commit
328840c933
@ -3,10 +3,12 @@
|
||||
## Kernel hardening
|
||||
|
||||
This section is inspired by the Kernel Self Protection Project (KSPP). It
|
||||
implements all recommended Linux kernel settings by the KSPP and many more.
|
||||
attempts to implement all recommended Linux kernel settings by the KSPP and
|
||||
many more sources.
|
||||
|
||||
- https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project
|
||||
- https://kspp.github.io/Recommended_Settings
|
||||
- https://github.com/KSPP/kspp.github.io
|
||||
|
||||
### sysctl
|
||||
|
||||
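Review bot: the new sentence "attempts to implement all recommended Linux kernel settings by the KSPP and many more sources" reads awkwardly; suggest "attempts to implement all Linux kernel settings recommended by the KSPP, plus many from other sources". The change from "implements" to "attempts to implement" is the right call given the KSPP=partial entries this PR adds elsewhere.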
@ -23,7 +25,8 @@ Kernel space:
|
||||
|
||||
- Prevent kernel information leaks in the console during boot.
|
||||
|
||||
- Restrict eBPF access to `CAP_BPF` and enable associated JIT compiler hardening.
|
||||
- Restrict usage of `bpf()` to `CAP_BPF` to prevent the loading of BPF programs
|
||||
by unprivileged users.
|
||||
|
||||
- Restrict loading TTY line disciplines to `CAP_SYS_MODULE`.
|
||||
|
||||
@ -42,7 +45,7 @@ Kernel space:
|
||||
|
||||
- Force the kernel to panic on "oopses" that can potentially indicate and thwart
|
||||
certain kernel exploitation attempts. Optional - Force immediate reboot on the
|
||||
occurrence of a kernel panic.
|
||||
occurrence of a kernel panic and also set panic limit to one (when using Linux kernel >= 6.2).
|
||||
|
||||
- Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
|
||||
|
||||
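Review bot: "also set panic limit to one" in the new README line is too vague to match the configuration it describes; the sysctl file in this PR adds kernel.oops_limit=1 and kernel.warn_limit=1 (and kernel.panic_on_warn=1), so name them, e.g. "and set kernel.oops_limit and kernel.warn_limit to 1 (Linux kernel >= 6.2)". If panic_on_warn is meant to stay optional, say so here too, since panicking on warnings is a notable step beyond panicking on oopses.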
@ -74,10 +77,14 @@ Core dumps:
|
||||
- Disable core dump files and prevent their creation. If core dump files are
|
||||
enabled, they will be named based on `core.PID` instead of the default `core`.
|
||||
|
||||
Swap space:
|
||||
|
||||
- Limit the copying of potentially sensitive content in memory to the swap device.
|
||||
|
||||
Networking:
|
||||
|
||||
- Enable hardening of the BPF JIT compiler protect against JIT spraying.
|
||||
|
||||
- Enable TCP SYN cookie protection to assist against SYN flood attacks.
|
||||
|
||||
- Protect against TCP time-wait assassination hazards.
|
||||
|
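Review bot: the new Networking bullet is missing a word: "Enable hardening of the BPF JIT compiler protect against JIT spraying" should be "Enable hardening of the BPF JIT compiler to protect against JIT spraying".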
@ -1,6 +1,10 @@
|
||||
## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
## Definitions:
|
||||
## KSPP=yes: compliant with recommendations by the KSPP
|
||||
## KSPP=partial: partially compliant with recommendations by the KSPP
|
||||
|
||||
## Enable known mitigations for CPU vulnerabilities.
|
||||
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html
|
||||
## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
|
||||
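Review bot: the new Definitions block only defines KSPP=yes and KSPP=partial, but later hunks tag settings that are stricter than KSPP (kernel.sysrq=0 versus the 176 the comment says KSPP sets) or that set the opposite of what KSPP sets (random.trust_cpu=off versus CONFIG_RANDOM_TRUST_CPU=y) as KSPP=yes. State in the definition whether "yes" means "meets or exceeds", and add a value (for instance KSPP=no) for deliberate deviations. The same four-line block is pasted into eight files in this PR; a one-line pointer per file to a single definition would be easier to keep in sync.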
@ -13,6 +17,9 @@
|
||||
|
||||
## Enable a subset of known mitigations for CPU vulnerabilities and disable SMT.
|
||||
##
|
||||
## KSPP=yes
|
||||
## KSPP sets the kernel parameters.
|
||||
##
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt"
|
||||
|
||||
## Disable SMT as it has been the cause of and amplified numerous CPU exploits.
|
||||
@ -24,6 +31,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt"
|
||||
## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17
|
||||
## https://github.com/anthraxx/linux-hardened/issues/37#issuecomment-619597365
|
||||
##
|
||||
## KSPP=yes
|
||||
## KSPP sets the kernel parameter.
|
||||
##
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force"
|
||||
|
||||
## Enable mitigations for both Spectre Variant 2 (indirect branch speculation)
|
||||
|
@ -5,6 +5,10 @@ kpkg="linux-image-$(dpkg --print-architecture)" || true
|
||||
kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || true
|
||||
#echo "## kver: $kver"
|
||||
|
||||
## Definitions:
|
||||
## KSPP=yes: compliant with recommendations by the KSPP
|
||||
## KSPP=partial: partially compliant with recommendations by the KSPP
|
||||
|
||||
## This configuration file is split into 4 sections:
|
||||
## 1. Kernel Space
|
||||
## 2. Direct Memory Access
|
||||
@ -27,6 +31,9 @@ kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || tru
|
||||
## https://www.openwall.com/lists/kernel-hardening/2017/06/19/33
|
||||
## https://www.openwall.com/lists/kernel-hardening/2017/06/20/10
|
||||
##
|
||||
## KSPP=yes
|
||||
## KSPP sets the kernel parameter and does not set CONFIG_SLAB_MERGE_DEFAULT.
|
||||
##
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge"
|
||||
|
||||
## Enable sanity checks and red zoning of slabs via debugging options to detect corruption.
|
||||
@ -39,6 +46,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge"
|
||||
## https://gitlab.tails.boum.org/tails/tails/-/issues/19613
|
||||
## https://github.com/Kicksecure/security-misc/issues/253
|
||||
##
|
||||
## KSPP=yes
|
||||
## KSPP sets the kernel parameters and CONFIG_SLUB_DEBUG.
|
||||
##
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_debug=FZ"
|
||||
|
||||
## Zero memory at allocation time and free time.
|
||||
@ -47,6 +57,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_debug=FZ"
|
||||
##
|
||||
## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6471384af2a6530696fc0203bafe4de41a23c9ef
|
||||
##
|
||||
## KSPP=yes
|
||||
## KSPP sets the kernel parameters, CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y, and CONFIG_INIT_ON_FREE_DEFAULT_ON=y.
|
||||
##
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_alloc=1"
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_free=1"
|
||||
|
||||
@ -58,6 +71,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_free=1"
|
||||
## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e900a918b0984ec8f2eb150b8477a47b75d17692
|
||||
## https://en.wikipedia.org/wiki/Return-oriented_programming#Attacks
|
||||
##
|
||||
## KSPP=yes
|
||||
## KSPP sets the kernel parameter and CONFIG_SHUFFLE_PAGE_ALLOCATOR=y.
|
||||
##
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1"
|
||||
|
||||
## Enable kernel page table isolation to harden against kernel ASLR (KASLR) bypasses.
|
||||
@ -65,6 +81,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1"
|
||||
##
|
||||
## https://en.wikipedia.org/wiki/Kernel_page-table_isolation
|
||||
##
|
||||
## KSPP=yes
|
||||
## KSPP sets the kernel parameter and CONFIG_MITIGATION_PAGE_TABLE_ISOLATION=y.
|
||||
##
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on"
|
||||
|
||||
## Enable randomization of the kernel stack offset on syscall entries.
|
||||
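Review bot: the comment names CONFIG_MITIGATION_PAGE_TABLE_ISOLATION=y, which is the symbol after the x86 mitigation Kconfig rename in Linux 6.9; kernels before that, including Debian 12's 6.1 series, call it CONFIG_PAGE_TABLE_ISOLATION. Since this file is written to work on older kernels (it carries kver checks), mention both names so a reader checking /boot/config-* on an older kernel is not misled.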
@ -74,6 +93,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on"
|
||||
## https://lkml.org/lkml/2019/3/18/246
|
||||
## https://a13xp0p0v.github.io/2020/02/15/CVE-2019-18683.html
|
||||
##
|
||||
## KSPP=yes
|
||||
## KSPP sets the kernel parameter and CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y.
|
||||
##
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX randomize_kstack_offset=on"
|
||||
|
||||
## Disable vsyscalls to reduce attack surface as they have been replaced by vDSO.
|
||||
@ -82,6 +104,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX randomize_kstack_offset=on"
|
||||
## https://lwn.net/Articles/446528/
|
||||
## https://en.wikipedia.org/wiki/VDSO
|
||||
##
|
||||
## KSPP=yes
|
||||
## KSPP sets the kernel parameter, CONFIG_LEGACY_VSYSCALL_NONE=y and does not set CONFIG_X86_VSYSCALL_EMULATION.
|
||||
##
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none"
|
||||
|
||||
## Restrict access to debugfs by not registering the file system.
|
||||
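Review bot: small consistency point: "KSPP sets the kernel parameter, CONFIG_LEGACY_VSYSCALL_NONE=y and does not set CONFIG_X86_VSYSCALL_EMULATION" drops the comma before "and" that the other KSPP lines in this file use (compare the init_on_alloc entry); suggest "CONFIG_LEGACY_VSYSCALL_NONE=y, and does not set".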
@ -93,11 +118,15 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
|
||||
|
||||
## Force the kernel to panic on "oopses".
|
||||
## Can sometimes potentially indicate and thwart certain kernel exploitation attempts.
|
||||
## Also cause panics on machine check exceptions.
|
||||
## Panics may be due to false-positives such as bad drivers.
|
||||
##
|
||||
## https://en.wikipedia.org/wiki/Kernel_panic#Linux
|
||||
## https://en.wikipedia.org/wiki/Linux_kernel_oops
|
||||
## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713
|
||||
##
|
||||
## KSPP=partial
|
||||
## KSPP sets CONFIG_PANIC_ON_OOPS=y, but also requires CONFIG_PANIC_TIMEOUT=-1.
|
||||
##
|
||||
## See /usr/libexec/security-misc/panic-on-oops for implementation.
|
||||
##
|
||||
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX oops=panic"
|
||||
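Review bot: the KSPP=partial justification "also requires CONFIG_PANIC_TIMEOUT=-1" would be clearer if it named the runtime equivalent, since the sysctl file in this PR adds a commented kernel.panic=-1 for exactly that; e.g. "the equivalent kernel.panic=-1 is handled in /usr/libexec/security-misc/panic-on-oops". Also, "Also cause panics on machine check exceptions" should be "Also causes panics", and "false-positives" needs no hyphen.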
@ -135,6 +164,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
|
||||
## https://blogs.oracle.com/linux/post/linux-slub-allocator-internals-and-debugging-4
|
||||
## https://lwn.net/Articles/835542/
|
||||
##
|
||||
## KSPP=yes
|
||||
## KSPP sets the kernel parameter, CONFIG_KFENCE=y, and CONFIG_KFENCE_SAMPLE_INTERVAL=100.
|
||||
##
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100"
|
||||
|
||||
## Disable 32-bit Virtual Dynamic Shared Object (vDSO) mappings.
|
||||
@ -143,6 +175,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100"
|
||||
## https://lore.kernel.org/lkml/20080409082927.BD59E26F992@magilla.localdomain/T/
|
||||
## https://lists.openwall.net/linux-kernel/2014/03/11/3
|
||||
##
|
||||
## KSPP=yes
|
||||
## KSPP sets the kernel parameter and does not set CONFIG_COMPAT_VDSO.
|
||||
##
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
|
||||
|
||||
## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation.
|
||||
@ -165,6 +200,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
|
||||
## https://lpc.events/event/16/contributions/1315/attachments/1067/2169/cfi.pdf
|
||||
## https://forums.whonix.org/t/kernel-hardening-security-misc/7296/561
|
||||
##
|
||||
## KSPP=yes
|
||||
## KSPP sets the kernel parameter.
|
||||
##
|
||||
## TODO: Debian 13 Trixie
|
||||
## Applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness).
|
||||
##
|
||||
@ -175,6 +213,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
|
||||
##
|
||||
## https://lore.kernel.org/all/20230623111409.3047467-7-nik.borisov@suse.com/
|
||||
##
|
||||
## KSPP=yes
|
||||
## KSPP does not set CONFIG_COMPAT, CONFIG_IA32_EMULATION, CONFIG_X86_X32, CONFIG_X86_X32_ABI, and CONFIG_MODIFY_LDT_SYSCALL.
|
||||
##
|
||||
## TODO: Debian 13 Trixie
|
||||
## Applicable when using Linux kernel >= 6.7 (retained here for future-proofing and completeness).
|
||||
##
|
||||
@ -186,6 +227,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
|
||||
|
||||
## Enable CPU manufacturer-specific IOMMU drivers to mitigate some DMA attacks.
|
||||
##
|
||||
## KSPP=yes
|
||||
## KSPP sets CONFIG_INTEL_IOMMU=y, CONFIG_INTEL_IOMMU_DEFAULT_ON=y, CONFIG_INTEL_IOMMU_SVM=y, CONFIG_AMD_IOMMU=y, and CONFIG_AMD_IOMMU_V2=y.
|
||||
##
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX amd_iommu=force_isolation"
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on"
|
||||
|
||||
@ -197,6 +241,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on"
|
||||
## https://en.wikipedia.org/wiki/DMA_attack
|
||||
## https://lenovopress.lenovo.com/lp1467.pdf
|
||||
##
|
||||
## KSPP=yes
|
||||
## KSPP sets the kernel parameters, CONFIG_IOMMU_SUPPORT=y, CONFIG_IOMMU_DEFAULT_DMA_STRICT=y, and does not set CONFIG_IOMMU_DEFAULT_PASSTHROUGH.
|
||||
##
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu=force"
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.passthrough=0"
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.strict=1"
|
||||
@ -210,6 +257,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.strict=1"
|
||||
## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94
|
||||
## https://mjg59.dreamwidth.org/54433.html
|
||||
##
|
||||
## KSPP=yes
|
||||
## KSPP sets CONFIG_EFI_DISABLE_PCI_DMA=y.
|
||||
##
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma"
|
||||
|
||||
## 3. Entropy:
|
||||
@ -234,6 +284,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma"
|
||||
## https://github.com/NixOS/nixpkgs/pull/165355
|
||||
## https://lkml.org/lkml/2022/6/5/271
|
||||
##
|
||||
## KSPP=yes
|
||||
## KSPP sets CONFIG_RANDOM_TRUST_BOOTLOADER=y and CONFIG_RANDOM_TRUST_CPU=y.
|
||||
##
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_bootloader=off"
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off"
|
||||
|
||||
|
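Review bot: this entry is tagged KSPP=yes, but the next line says KSPP sets CONFIG_RANDOM_TRUST_BOOTLOADER=y and CONFIG_RANDOM_TRUST_CPU=y, while the parameters below set random.trust_bootloader=off and random.trust_cpu=off, i.e. the opposite of the KSPP recommendation. Either tag it KSPP=no (or similar) with a one-line reason for the deviation, or drop the KSPP lines; as written, the tag contradicts its own explanation.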
@ -1,6 +1,10 @@
|
||||
## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
## Definitions:
|
||||
## KSPP=yes: compliant with recommendations by the KSPP
|
||||
## KSPP=partial: partially compliant with recommendations by the KSPP
|
||||
|
||||
## Remount Secure provides enhanced security via mount options:
|
||||
## https://www.kicksecure.com/wiki/Security-misc#Remount_Secure
|
||||
|
||||
|
@ -1,6 +1,10 @@
|
||||
## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
## Definitions:
|
||||
## KSPP=yes: compliant with recommendations by the KSPP
|
||||
## KSPP=partial: partially compliant with recommendations by the KSPP
|
||||
|
||||
## Require every kernel module to be signed before being loaded.
|
||||
## Any module that is unsigned or signed with an invalid key cannot be loaded.
|
||||
## This prevents all out-of-tree kernel modules unless signed.
|
||||
@ -9,6 +13,9 @@
|
||||
## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/61
|
||||
## https://github.com/dell/dkms/issues/359
|
||||
##
|
||||
## KSPP=yes
|
||||
## KSPP sets CONFIG_MODULE_SIG=y, CONFIG_MODULE_SIG_FORCE=y, and CONFIG_MODULE_SIG_ALL=y.
|
||||
##
|
||||
## Not enabled by default yet due to several issues.
|
||||
##
|
||||
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX module.sig_enforce=1"
|
||||
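Review bot: tagging module.sig_enforce=1 as KSPP=yes while the parameter itself stays commented out ("Not enabled by default yet due to several issues") will mislead anyone grepping for KSPP=yes to audit what is actually enforced. Suggest a distinct marker for prepared-but-disabled entries (for instance "KSPP=yes (disabled)") so the tags describe the effective state; the same applies to the lockdown=confidentiality entry in the next hunk.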
@ -18,7 +25,10 @@
|
||||
##
|
||||
## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880
|
||||
##
|
||||
## ## Not enabled by default yet due to several issues.
|
||||
## KSPP=yes
|
||||
## KSPP sets CONFIG_SECURITY_LOCKDOWN_LSM=y, CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y, and CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y.
|
||||
##
|
||||
## Not enabled by default yet due to several issues.
|
||||
##
|
||||
#if dpkg --compare-versions "${kver}" ge "5.4"; then
|
||||
# GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX lockdown=confidentiality"
|
||||
|
@ -1,6 +1,10 @@
|
||||
## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
## Definitions:
|
||||
## KSPP=yes: compliant with recommendations by the KSPP
|
||||
## KSPP=partial: partially compliant with recommendations by the KSPP
|
||||
|
||||
## Some default configuration files automatically include the "quiet" parameter.
|
||||
## Therefore, first remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT since "quiet" must be first.
|
||||
## LANG=C str_replace is provided by package helper-scripts.
|
||||
|
@ -1,6 +1,10 @@
|
||||
## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
## Definitions:
|
||||
## KSPP=yes: compliant with recommendations by the KSPP
|
||||
## KSPP=partial: partially compliant with recommendations by the KSPP
|
||||
|
||||
## NOTE:
|
||||
## This configuration is in a dedicated file because the ram-wipe package
|
||||
## requires kexec. However, ram-wipe cannot ship a config file
|
||||
@ -14,4 +18,7 @@
|
||||
##
|
||||
## https://en.wikipedia.org/wiki/Kexec
|
||||
##
|
||||
## KSPP=yes
|
||||
## KSPP sets the sysctl and does not set CONFIG_KEXEC.
|
||||
##
|
||||
kernel.kexec_load_disabled=1
|
||||
|
@ -1,6 +1,10 @@
|
||||
## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
## Definitions:
|
||||
## KSPP=yes: compliant with recommendations by the KSPP
|
||||
## KSPP=partial: partially compliant with recommendations by the KSPP
|
||||
|
||||
## Prevent kernel information leaks in the console during boot.
|
||||
## Must be used in conjunction with kernel boot parameters.
|
||||
## See /etc/default/grub.d/41_quiet_boot.cfg for implementation.
|
||||
|
@ -6,6 +6,10 @@
|
||||
## is parsed first, followed by /usr/lib/sysctl.d/990-security-misc.conf.
|
||||
## https://github.com/Kicksecure/security-misc/pull/135
|
||||
|
||||
## Definitions:
|
||||
## KSPP=yes: compliant with recommendations by the KSPP
|
||||
## KSPP=partial: partially compliant with recommendations by the KSPP
|
||||
|
||||
## This configuration file is divided into 5 sections:
|
||||
## 1. Kernel Space
|
||||
## 2. User Space
|
||||
@ -31,11 +35,17 @@
|
||||
##
|
||||
## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
|
||||
##
|
||||
## KSPP=yes
|
||||
## KSPP sets the sysctl.
|
||||
##
|
||||
kernel.kptr_restrict=2
|
||||
|
||||
## Restrict access to the kernel log buffer to users with CAP_SYSLOG.
|
||||
## Kernel logs often contain sensitive information such as kernel pointers.
|
||||
##
|
||||
## KSPP=yes
|
||||
## KSPP sets the sysctl and CONFIG_SECURITY_DMESG_RESTRICT=y.
|
||||
##
|
||||
kernel.dmesg_restrict=1
|
||||
|
||||
## Prevent kernel information leaks in the console during boot.
|
||||
@ -48,12 +58,16 @@ kernel.dmesg_restrict=1
|
||||
##
|
||||
#kernel.printk=3 3 3 3
|
||||
|
||||
## Restrict eBPF access to CAP_BPF and enable associated JIT compiler hardening.
|
||||
## Restrict eBPF access to CAP_BPF.
|
||||
## Disables unprivileged calls to bpf() without recovery.
|
||||
##
|
||||
## https://en.wikipedia.org/wiki/EBPF#Security
|
||||
## https://lwn.net/Articles/660331/
|
||||
##
|
||||
## KSPP=yes
|
||||
## KSPP sets the sysctl.
|
||||
##
|
||||
kernel.unprivileged_bpf_disabled=1
|
||||
net.core.bpf_jit_harden=2
|
||||
|
||||
## Restrict loading TTY line disciplines to users with CAP_SYS_MODULE.
|
||||
## Prevents unprivileged users from loading vulnerable line disciplines with the TIOCSETD ioctl.
|
||||
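Review bot: "Disables unprivileged calls to bpf() without recovery" is hard to parse; the point of value 1 for kernel.unprivileged_bpf_disabled is that, unlike value 2, it cannot be set back to 0 until reboot, so spell that out: "Value 1 disables unprivileged bpf() calls and cannot be reverted until reboot (value 2 would allow re-enabling)." Also confirm whether net.core.bpf_jit_harden=2 is being removed from this Kernel Space block, since the Networking hunk below adds it with its own KSPP comment.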
@ -61,6 +75,9 @@ net.core.bpf_jit_harden=2
|
||||
## https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html
|
||||
## https://lkml.org/lkml/2019/4/15/890
|
||||
##
|
||||
## KSPP=yes
|
||||
## KSPP sets the sysctl does not set CONFIG_LDISC_AUTOLOAD.
|
||||
##
|
||||
dev.tty.ldisc_autoload=0
|
||||
|
||||
## Restrict the userfaultfd() syscall to users with SYS_CAP_PTRACE.
|
||||
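Review bot: "KSPP sets the sysctl does not set CONFIG_LDISC_AUTOLOAD" is missing "and". While here, the adjacent context line "Restrict the userfaultfd() syscall to users with SYS_CAP_PTRACE" has the capability name transposed; it is CAP_SYS_PTRACE.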
@ -69,6 +86,9 @@ dev.tty.ldisc_autoload=0
|
||||
## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cefdca0a86be517bc390fc4541e3674b8e7803b0
|
||||
## https://duasynt.com/blog/linux-kernel-heap-spray
|
||||
##
|
||||
## KSPP=yes
|
||||
## KSPP sets the sysctl.
|
||||
##
|
||||
vm.unprivileged_userfaultfd=0
|
||||
|
||||
## Disables kexec, which can be used to replace the running kernel.
|
||||
@ -78,6 +98,9 @@ vm.unprivileged_userfaultfd=0
|
||||
##
|
||||
## See /usr/lib/sysctl.d/30_security-misc_kexec-disable.conf for implementation.
|
||||
##
|
||||
## KSPP=yes
|
||||
## KSPP sets the sysctl and does not set CONFIG_KEXEC.
|
||||
##
|
||||
#kernel.kexec_load_disabled=1
|
||||
|
||||
## Disable the SysRq key to prevent leakage of kernel information.
|
||||
@ -87,6 +110,9 @@ vm.unprivileged_userfaultfd=0
|
||||
## https://www.kicksecure.com/wiki/SysRq
|
||||
## https://github.com/xairy/unlockdown
|
||||
##
|
||||
## KSPP=yes
|
||||
## KSPP sets the less strict CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176.
|
||||
##
|
||||
kernel.sysrq=0
|
||||
|
||||
## Restrict user namespaces to users with CAP_SYS_ADMIN.
|
||||
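Review bot: kernel.sysrq=0 is stricter than what the comment says KSPP sets (CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176), yet it is tagged KSPP=yes, whereas the ptrace_scope entry later in this file is tagged KSPP=partial because it is less strict than KSPP. That is a reasonable convention (yes = meets or exceeds), but it is not what the Definitions block at the top of the file says; document it there or the tags will be read inconsistently.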
@ -95,6 +121,7 @@ kernel.sysrq=0
|
||||
## Restricting may lead to breakages in numerous software packages.
|
||||
## Uncomment the second sysctl to entirely disable user namespaces.
|
||||
## Disabling entirely will reduce compatibility with some AppArmor profiles.
|
||||
## Disabling entirely is known to break the UPower systemd servince.
|
||||
##
|
||||
## https://lwn.net/Articles/673597/
|
||||
## https://madaidans-insecurities.github.io/linux.html#kernel
|
||||
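Review bot: typo in the new line: "UPower systemd servince" should be "UPower systemd service".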
@ -115,19 +142,35 @@ kernel.unprivileged_userns_clone=0
|
||||
## https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html#unprivileged-users
|
||||
## https://lore.kernel.org/kernel-hardening/1469630746-32279-1-git-send-email-jeffv@google.com/
|
||||
##
|
||||
## KSPP=yes
|
||||
## KSPP sets the sysctl.
|
||||
##
|
||||
kernel.perf_event_paranoid=3
|
||||
|
||||
## Force the kernel to panic on "oopses".
|
||||
## Force the kernel to panic on "oopses" and kernel warnings in the WARN() path.
|
||||
## Can sometimes potentially indicate and thwart certain kernel exploitation attempts.
|
||||
## Also cause panics on machine check exceptions.
|
||||
## Panics may be due to false-positives such as bad drivers.
|
||||
## Oopses are serious but non-fatal errors.
|
||||
## Kernel warnings are useful to avoid a when attempting to access the location of a WARN().
|
||||
##
|
||||
## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713
|
||||
## https://en.wikipedia.org/wiki/Kernel_panic#Linux
|
||||
## https://en.wikipedia.org/wiki/Linux_kernel_oops
|
||||
## https://en.wikipedia.org/wiki/Kdump_(Linux)
|
||||
## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panisc-on-oops-1-sysctl-for-better-security/7713
|
||||
##
|
||||
## KSPP=partial
|
||||
## KSPP sets the sysctls, CONFIG_PANIC_ON_OOPS=y, but also requires CONFIG_PANIC_TIMEOUT=-1.
|
||||
##
|
||||
## See /usr/libexec/security-misc/panic-on-oops for implementation.
|
||||
##
|
||||
#kernel.panic_on_oops=1
|
||||
## TODO: Debian 13 Trixie
|
||||
## The limits are applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness).
|
||||
##
|
||||
#kernel.panic=-1
|
||||
#kernel.panic_on_oops=1
|
||||
#kernel.panic_on_warn=1
|
||||
#kernel.oops_limit=1
|
||||
#kernel.warn_limit=1
|
||||
|
||||
## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
|
||||
## Can lead to privilege escalation by pushing characters into a controlling TTY.
|
||||
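Review bot: the new comment "Kernel warnings are useful to avoid a when attempting to access the location of a WARN()" has a word missing after "avoid a" and does not parse; restate it so the intent is clear. The forum link appears twice in this hunk, once with "panisc" in the path; keep only the correctly spelled one. Finally, kernel.panic_on_warn=1 (even commented) deserves its own caution: WARN() fires on many benign driver conditions, so it causes panics far more often than panic_on_oops, and the existing "false-positives such as bad drivers" line understates that.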
@ -135,6 +178,9 @@ kernel.perf_event_paranoid=3
|
||||
##
|
||||
## https://lore.kernel.org/lkml/20221228205726.rfevry7ud6gmttg5@begin/T/
|
||||
##
|
||||
## KSPP=yes
|
||||
## KSPP sets the sysctl and does not set CONFIG_LEGACY_TIOCSTI.
|
||||
##
|
||||
## TODO: Debian 13 Trixie
|
||||
## This is disabled by default when using Linux kernel >= 6.2.
|
||||
##
|
||||
@ -170,6 +216,9 @@ kernel.io_uring_disabled=2
|
||||
## https://github.com/GrapheneOS/os-issue-tracker/issues/651#issuecomment-917599928
|
||||
## https://github.com/netblue30/firejail/issues/2860
|
||||
##
|
||||
## KSPP=partial
|
||||
## KSPP sets the stricter sysctl kernel.yama.ptrace_scope=3.
|
||||
##
|
||||
## It is possible to harden further by disabling ptrace() for all users, see documentation.
|
||||
## https://github.com/Kicksecure/security-misc/pull/242
|
||||
##
|
||||
@ -197,6 +246,9 @@ kernel.yama.ptrace_scope=2
|
||||
## https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=/tmp
|
||||
## https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use#Preventing_TOCTOU
|
||||
##
|
||||
## KSPP=yes
|
||||
## KSPP sets the sysctls.
|
||||
##
|
||||
fs.protected_hardlinks=1
|
||||
fs.protected_symlinks=1
|
||||
|
||||
@ -204,6 +256,9 @@ fs.protected_symlinks=1
|
||||
## Also applies to group-writable sticky directories to make data spoofing attacks more difficult.
|
||||
## Prevents unintentional writes to attacker-controlled files.
|
||||
##
|
||||
## KSPP=yes
|
||||
## KSPP sets the sysctls.
|
||||
##
|
||||
fs.protected_fifos=2
|
||||
fs.protected_regular=2
|
||||
|
||||
@ -214,6 +269,9 @@ fs.protected_regular=2
|
||||
##
|
||||
## https://en.wikipedia.org/wiki/Address_space_layout_randomization#Linux
|
||||
##
|
||||
## KSPP=yes
|
||||
## KSPP sets the sysctl.
|
||||
##
|
||||
kernel.randomize_va_space=2
|
||||
|
||||
## Increase the maximum number of memory map areas a process is permitted to utilize.
|
||||
@ -263,6 +321,9 @@ kernel.core_pattern=|/bin/false
|
||||
## Prevent setuid processes or otherwise protected/tainted binaries from creating core dumps.
|
||||
## Any process which has changed privilege levels or is execute-only will not be dumped.
|
||||
##
|
||||
## KSPP=yes
|
||||
## KSPP sets the sysctl.
|
||||
##
|
||||
fs.suid_dumpable=0
|
||||
|
||||
## Set core dump file name to 'core.PID' instead of 'core' as a form of defense-in-depth.
|
||||
@ -288,11 +349,27 @@ vm.swappiness=1
|
||||
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-network
|
||||
## https://wiki.archlinux.org/title/Sysctl#TCP/IP_stack_hardening
|
||||
|
||||
## Enable hardening of the BPF JIT compiler for all users.
|
||||
## Provides some mitigation against JIT spraying.
|
||||
##
|
||||
## https://en.wikipedia.org/wiki/JIT_spraying
|
||||
## https://www.blackhat.com/docs/eu-16/materials/eu-16-Reshetova-Randomization-Can't-Stop-BPF-JIT-Spray-wp.pdf
|
||||
## https://lwn.net/Articles/686098/
|
||||
## https://lwn.net/Articles/525609/
|
||||
##
|
||||
## KSPP=yes
|
||||
## KSPP sets the sysctl.
|
||||
##
|
||||
net.core.bpf_jit_harden=2
|
||||
|
||||
## Enable TCP SYN cookie protection to assist against SYN flood attacks.
|
||||
##
|
||||
## https://en.wikipedia.org/wiki/SYN_flood
|
||||
## https://cateee.net/lkddb/web-lkddb/SYN_COOKIES.html
|
||||
##
|
||||
## KSPP=yes
|
||||
## KSPP sets CONFIG_SYN_COOKIES=y.
|
||||
##
|
||||
net.ipv4.tcp_syncookies=1
|
||||
|
||||
## Protect against TCP time-wait assassination hazards.
|
||||
|
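Review bot: net.core.bpf_jit_harden=2 now appears both in this Networking block (with its own KSPP=yes comment) and in the Kernel Space eBPF block earlier in the file; if the earlier copy is not being removed in this PR, the file sets the same sysctl twice with two explanations. Keep one definition, probably this one, and have the eBPF block refer to it.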
@ -14,6 +14,10 @@ fi
|
||||
|
||||
## Makes the kernel panic on oopses. This prevents the kernel
|
||||
## from continuing to run a flawed processes. Many kernel exploits
|
||||
## will also cause an oops which this will make the kernel kill.
|
||||
sysctl kernel.panic_on_oops=1
|
||||
## will also cause an oops which this will make the kernel kill
|
||||
## the offending processes.
|
||||
#sysctl kernel.panic=-1
|
||||
sysctl kernel.panic_on_oops=1
|
||||
#sysctl kernel.panic_on_warn=1
|
||||
#sysctl kernel.oops_limit=1
|
||||
#sysctl kernel.warn_limit=1
|
||||
|
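Review bot: the new commented sysctl lines for kernel.oops_limit and kernel.warn_limit have no kernel version guard, unlike the grub config in this PR, which uses dpkg --compare-versions checks for version-dependent settings (see the commented lockdown block). sysctl fails with "cannot stat /proc/sys/kernel/oops_limit" on kernels older than 6.2, so whoever uncomments them will need a kver check around them; add it now (commented) to match the TODO in the sysctl file. Also "continuing to run a flawed processes" should be "a flawed process".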