description

This commit is contained in:
Patrick Schleizer 2020-02-25 02:06:48 -05:00
parent 0e5187ff24
commit 4043d2af3f
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48

135
debian/control vendored
View File

@ -31,13 +31,13 @@ Description: enhances misc security settings
Netfilter's connection tracking helper module increases kernel attack
surface by enabling superfluous functionality such as IRC parsing in
the kernel. (!) Hence, this package disables this feature by shipping the
/etc/modprobe.d/30_nf_conntrack_helper_disable.conf configuration file.
`/etc/modprobe.d/30_security-misc.conf` configuration file.
.
* Kernel symbols in various files in /proc are hidden as they can be
* Kernel symbols in various files in `/proc` are hidden as they can be
very useful for kernel exploits.
.
* Kexec is disabled as it can be used to load a malicious kernel.
/etc/sysctl.d/30_security-misc.conf
`/etc/modprobe.d/30_security-misc.conf`
.
* ASLR effectiveness for mmap is increased.
.
@ -53,7 +53,7 @@ Description: enhances misc security settings
* Prevents symlink/hardlink TOCTOU races.
.
* SACK can be disabled as it is commonly exploited and is rarely used by
uncommenting settings in file /etc/sysctl.d/30_security-misc.conf.
uncommenting settings in file `/etc/sysctl.d/30_security-misc.conf`.
.
* Slab merging is disabled as sometimes a slab can be used in a vulnerable
way which an attacker can exploit.
@ -72,15 +72,15 @@ Description: enhances misc security settings
.
* A systemd service clears System.map on boot as these contain kernel symbols
that could be useful to an attacker.
/etc/kernel/postinst.d/30_remove-system-map
/lib/systemd/system/remove-system-map.service
/usr/lib/security-misc/remove-system.map
`/etc/kernel/postinst.d/30_remove-system-map`
`/lib/systemd/system/remove-system-map.service`
`/usr/lib/security-misc/remove-system.map`
.
* Coredumps are disabled as they may contain important information such as
encryption keys or passwords.
/etc/security/limits.d/30_security-misc.conf
/etc/sysctl.d/30_security-misc.conf
/lib/systemd/coredump.conf.d/30_security-misc.conf
`/etc/security/limits.d/30_security-misc.conf`
`/etc/sysctl.d/30_security-misc.conf`
`/lib/systemd/coredump.conf.d/30_security-misc.conf`
.
* The thunderbolt and firewire kernel modules are blacklisted as they can be
used for DMA (Direct Memory Access) attacks.
@ -92,16 +92,16 @@ Description: enhances misc security settings
https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
`/etc/modprobe.d/30_security-misc.conf`
.
* A systemd service restricts /proc/cpuinfo, /proc/bus, /proc/scsi and
/sys to the root user only. This hides a lot of hardware identifiers from
unprivileged users and increases security as /sys exposes a lot of information
* A systemd service restricts `/proc/cpuinfo`, `/proc/bus`, `/proc/scsi` and
`/sys` to the root user only. This hides a lot of hardware identifiers from
unprivileged users and increases security as `/sys` exposes a lot of information
that shouldn't be accessible to unprivileged users. As this will break many
things, it is disabled by default and can optionally be enabled by running
`systemctl enable hide-hardware-info.service` as root.
/usr/lib/security-misc/hide-hardware-info
/lib/systemd/system/hide-hardware-info.service
/lib/systemd/system/user@.service.d/sysfs.conf
/etc/hide-hardware-info.d/30_default.conf
`/usr/lib/security-misc/hide-hardware-info`
`/lib/systemd/system/hide-hardware-info.service`
`/lib/systemd/system/user@.service.d/sysfs.conf`
`/etc/hide-hardware-info.d/30_default.conf`
.
* The MSR kernel module is blacklisted to prevent CPU MSRs from being
abused to write to arbitrary memory.
@ -114,8 +114,8 @@ Description: enhances misc security settings
* The vivid kernel module is blacklisted as it's only required for testing
and has been the cause of multiple vulnerabilities.
.
* An initramfs hook sets the sysctl values in /etc/sysctl.conf and
/etc/sysctl.d before init is executed so sysctl hardening is enabled
* An initramfs hook sets the sysctl values in `/etc/sysctl.conf` and
`/etc/sysctl.d` before init is executed so sysctl hardening is enabled
as early as possible.
.
* The kernel panics on oopses to prevent it from continuing to run a flawed
@ -124,25 +124,25 @@ Description: enhances misc security settings
* Restricts the SysRq key so it can only be used for shutdowns and the
Secure Attention Key.
.
* Restricts loading line disciplines to CAP_SYS_MODULE.
* Restricts loading line disciplines to `CAP_SYS_MODULE`.
.
Improve Entropy Collection
.
* Load jitterentropy_rng kernel module.
/usr/lib/modules-load.d/30_security-misc.conf
* Load `jitterentropy_rng` kernel module.
`/usr/lib/modules-load.d/30_security-misc.conf`
.
* Distrusts the CPU for initial entropy at boot as it is not possible to
audit, may contain weaknesses or a backdoor.
* https://en.wikipedia.org/wiki/RDRAND#Reception
* https://twitter.com/pid_eins/status/1149649806056280069
* For more references, see:
* /etc/default/grub.d/40_distrust_cpu.cfg
* `/etc/default/grub.d/40_distrust_cpu.cfg`
.
* Gathers more entropy during boot if using the linux-hardened kernel patch.
.
Uncommon network protocols are blacklisted:
These are rarely used and may have unknown vulnerabilities.
/etc/modprobe.d/uncommon-network-protocols.conf
`/etc/modprobe.d/30_security-misc.conf`
The network protocols that are blacklisted are:
.
* DCCP - Datagram Congestion Control Protocol
@ -165,16 +165,17 @@ Description: enhances misc security settings
.
user restrictions:
.
* remount /home, /tmp, /dev/shm and /run with nosuid,nodev (default) and
noexec (opt-in). To disable this, run "sudo touch /etc/remount-disable". To
opt-in noexec, run "sudo touch /etc/noexec" and reboot (easiest).
Alternatively file /usr/local/etc/remount-disable or file
/usr/local/etc/noexec could be used.
/lib/systemd/system/remount-secure.service
/usr/lib/security-misc/remount-secure
* remount `/home`, `/tmp`, `/dev/shm` and `/run` with `nosuid,nodev`
(default) and `noexec` (opt-in). To disable this, run
`sudo touch /etc/remount-disable`. To opt-in `noexec`, run
`sudo touch /etc/noexec` and reboot (easiest).
Alternatively file `/usr/local/etc/remount-disable` or file
`/usr/local/etc/noexec` could be used.
`/lib/systemd/system/remount-secure.service`
`/usr/lib/security-misc/remount-secure`
.
* A systemd service mounts /proc with hidepid=2 at boot to prevent users from
seeing each other's processes.
* A systemd service mounts `/proc` with `hidepid=2` at boot to prevent users
from seeing each other's processes.
.
* The kernel logs are restricted to root only.
.
@ -186,35 +187,35 @@ Description: enhances misc security settings
.
* `su` is restricted to only users within the group `sudo` which prevents
users from using `su` to gain root access or to switch user accounts.
/usr/share/pam-configs/wheel-security-misc
`/usr/share/pam-configs/wheel-security-misc`
(Which results in a change in file `/etc/pam.d/common-auth`.)
.
* Add user `root` to group `sudo`. This is required to make above work so
login as a user in a virtual console is still possible.
debian/security-misc.postinst
`debian/security-misc.postinst`
.
* Abort login for users with locked passwords.
/usr/lib/security-misc/pam-abort-on-locked-password
`/usr/lib/security-misc/pam-abort-on-locked-password`
.
* Logging into the root account from a virtual, serial, whatnot console is
prevented by shipping an existing and empty /etc/securetty.
(Deletion of /etc/securetty has a different effect.)
/etc/securetty.security-misc
prevented by shipping an existing and empty `/etc/securetty`.
(Deletion of `/etc/securetty` has a different effect.)
`/etc/securetty.security-misc`
.
* Console Lockdown.
Allow members of group 'console' to use console.
Everyone else except members of group
'console-unrestricted' are restricted from using console using ancient,
unpopular login methods such as using /bin/login over networks, which might
unpopular login methods such as using `/bin/login` over networks, which might
be exploitable. (CVE-2001-0797) Using pam_access.
Not enabled by default in this package since this package does not know which
users shall be added to group 'console' and would break console.
/usr/share/pam-configs/console-lockdown-security-misc
/etc/security/access-security-misc.conf
`/usr/share/pam-configs/console-lockdown-security-misc`
`/etc/security/access-security-misc.conf`
.
Protect Linux user accounts against brute force attacks.
Lock user accounts after 50 failed login attempts using pam_tally2.
/usr/share/pam-configs/tally2-security-misc
Lock user accounts after 50 failed login attempts using `pam_tally2`.
`/usr/share/pam-configs/tally2-security-misc`
.
informational output during Linux PAM:
.
@ -222,25 +223,25 @@ Description: enhances misc security settings
* Document unlock procedure if Linux user account got locked.
* Point out, that there is no password feedback for `su`.
* Explain locked (root) account if locked.
* /usr/share/pam-configs/tally2-security-misc
* /usr/lib/security-misc/pam_tally2-info
* /usr/lib/security-misc/pam-abort-on-locked-password
* `/usr/share/pam-configs/tally2-security-misc`
* `/usr/lib/security-misc/pam_tally2-info`
* `/usr/lib/security-misc/pam-abort-on-locked-password`
.
access rights restrictions:
.
* Strong Linux User Account Separation.
Removes read, write and execute access for others for all users who have
home folders under folder /home by running for example
home folders under folder `/home` by running for example
"chmod o-rwx /home/user"
during package installation, upgrade or pam mkhomedir. This will be done only
once per
folder in folder /home so users who wish to relax file permissions are free to
during package installation, upgrade or pam `mkhomedir`. This will be done
only once per folder in folder `/home` so users who wish to relax file
permissions are free to
do so. This is to protect previously created files in user home folder which
were previously created with lax file permissions prior installation of this
package.
debian/security-misc.postinst
/usr/lib/security-misc/permission-lockdown
/usr/share/pam-configs/mkhomedir-security-misc
`debian/security-misc.postinst`
`/usr/lib/security-misc/permission-lockdown`
`/usr/share/pam-configs/mkhomedir-security-misc`
.
* SUID / GUID removal and permission hardening.
A systemd service removed SUID / GUID from non-essential binaries as these are
@ -248,17 +249,17 @@ Description: enhances misc security settings
It is disabled by default for now during testing and can optionally be enabled
by running `systemctl enable permission-hardening.service` as root.
https://forums.whonix.org/t/disable-suid-binaries/7706
/usr/lib/security-misc/permission-hardening
/lib/systemd/system/permission-hardening.service
/etc/permission-hardening.d/30_default.conf
`/usr/lib/security-misc/permission-hardening`
`/lib/systemd/system/permission-hardening.service`
`/etc/permission-hardening.d/30_default.conf`
.
access rights relaxations:
.
Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with
hidepid.
Redirect calls for `pkexec` to `lxqt-sudo` because `pkexec` is incompatible
with `hidepid`.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040
https://forums.whonix.org/t/cannot-use-pkexec/8129
/usr/bin/pkexec.security-misc
`/usr/bin/pkexec.security-misc`
.
This package does (not yet) automatically lock the root account password.
It is not clear that would be sane in such a package.
@ -269,14 +270,14 @@ Description: enhances misc security settings
https://www.whonix.org/wiki/Dev/Permissions
https://forums.whonix.org/t/restrict-root-access/7658
However, a locked root password will break rescue and emergency shell.
Therefore this package enables passwordless resuce and emergency shell.
This is the same solution that Debian will likely addapt for Debian
Therefore this package enables passwordless rescue and emergency shell.
This is the same solution that Debian will likely adapt for Debian
installer.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211
Adverse security effects can be prevented by setting up BIOS password
protection, grub password protection and/or full disk encryption.
/etc/systemd/system/emergency.service.d/override.conf
/etc/systemd/system/rescue.service.d/override.conf
`/etc/systemd/system/emergency.service.d/override.conf`
`/etc/systemd/system/rescue.service.d/override.conf`
.
Disables TCP Time Stamps:
.
@ -293,7 +294,7 @@ Description: enhances misc security settings
public IP used by a user.
.
Hence, this package disables this feature by shipping the
/etc/sysctl.d/30_security-misc.conf configuration file.
`/etc/sysctl.d/30_security-misc.conf` configuration file.
.
Note that TCP time stamps normally have some usefulness. They are
needed for:
@ -311,10 +312,10 @@ Description: enhances misc security settings
.
Application specific hardening:
.
* Enables APT seccomp-BPF sandboxing. /etc/apt/apt.conf.d/40sandbox
* Enables APT seccomp-BPF sandboxing. `/etc/apt/apt.conf.d/40sandbox`
* Deactivates previews in Dolphin.
* Deactivates previews in Nautilus.
/usr/share/glib-2.0/schemas/30_security-misc.gschema.override
`/usr/share/glib-2.0/schemas/30_security-misc.gschema.override`
* Deactivates thumbnails in Thunar.
* Enables punycode (`network.IDN_show_punycode`) by default in Thunderbird
to make phising attacks more difficult. Fixing URL not showing real Domain