mirror of
https://github.com/Kicksecure/security-misc.git
synced 2024-10-01 08:25:45 -04:00
description
This commit is contained in:
parent
0e5187ff24
commit
4043d2af3f
135
debian/control
vendored
135
debian/control
vendored
@ -31,13 +31,13 @@ Description: enhances misc security settings
|
||||
Netfilter's connection tracking helper module increases kernel attack
|
||||
surface by enabling superfluous functionality such as IRC parsing in
|
||||
the kernel. (!) Hence, this package disables this feature by shipping the
|
||||
/etc/modprobe.d/30_nf_conntrack_helper_disable.conf configuration file.
|
||||
`/etc/modprobe.d/30_security-misc.conf` configuration file.
|
||||
.
|
||||
* Kernel symbols in various files in /proc are hidden as they can be
|
||||
* Kernel symbols in various files in `/proc` are hidden as they can be
|
||||
very useful for kernel exploits.
|
||||
.
|
||||
* Kexec is disabled as it can be used to load a malicious kernel.
|
||||
/etc/sysctl.d/30_security-misc.conf
|
||||
`/etc/modprobe.d/30_security-misc.conf`
|
||||
.
|
||||
* ASLR effectiveness for mmap is increased.
|
||||
.
|
||||
@ -53,7 +53,7 @@ Description: enhances misc security settings
|
||||
* Prevents symlink/hardlink TOCTOU races.
|
||||
.
|
||||
* SACK can be disabled as it is commonly exploited and is rarely used by
|
||||
uncommenting settings in file /etc/sysctl.d/30_security-misc.conf.
|
||||
uncommenting settings in file `/etc/sysctl.d/30_security-misc.conf`.
|
||||
.
|
||||
* Slab merging is disabled as sometimes a slab can be used in a vulnerable
|
||||
way which an attacker can exploit.
|
||||
@ -72,15 +72,15 @@ Description: enhances misc security settings
|
||||
.
|
||||
* A systemd service clears System.map on boot as these contain kernel symbols
|
||||
that could be useful to an attacker.
|
||||
/etc/kernel/postinst.d/30_remove-system-map
|
||||
/lib/systemd/system/remove-system-map.service
|
||||
/usr/lib/security-misc/remove-system.map
|
||||
`/etc/kernel/postinst.d/30_remove-system-map`
|
||||
`/lib/systemd/system/remove-system-map.service`
|
||||
`/usr/lib/security-misc/remove-system.map`
|
||||
.
|
||||
* Coredumps are disabled as they may contain important information such as
|
||||
encryption keys or passwords.
|
||||
/etc/security/limits.d/30_security-misc.conf
|
||||
/etc/sysctl.d/30_security-misc.conf
|
||||
/lib/systemd/coredump.conf.d/30_security-misc.conf
|
||||
`/etc/security/limits.d/30_security-misc.conf`
|
||||
`/etc/sysctl.d/30_security-misc.conf`
|
||||
`/lib/systemd/coredump.conf.d/30_security-misc.conf`
|
||||
.
|
||||
* The thunderbolt and firewire kernel modules are blacklisted as they can be
|
||||
used for DMA (Direct Memory Access) attacks.
|
||||
@ -92,16 +92,16 @@ Description: enhances misc security settings
|
||||
https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
|
||||
`/etc/modprobe.d/30_security-misc.conf`
|
||||
.
|
||||
* A systemd service restricts /proc/cpuinfo, /proc/bus, /proc/scsi and
|
||||
/sys to the root user only. This hides a lot of hardware identifiers from
|
||||
unprivileged users and increases security as /sys exposes a lot of information
|
||||
* A systemd service restricts `/proc/cpuinfo`, `/proc/bus`, `/proc/scsi` and
|
||||
`/sys` to the root user only. This hides a lot of hardware identifiers from
|
||||
unprivileged users and increases security as `/sys` exposes a lot of information
|
||||
that shouldn't be accessible to unprivileged users. As this will break many
|
||||
things, it is disabled by default and can optionally be enabled by running
|
||||
`systemctl enable hide-hardware-info.service` as root.
|
||||
/usr/lib/security-misc/hide-hardware-info
|
||||
/lib/systemd/system/hide-hardware-info.service
|
||||
/lib/systemd/system/user@.service.d/sysfs.conf
|
||||
/etc/hide-hardware-info.d/30_default.conf
|
||||
`/usr/lib/security-misc/hide-hardware-info`
|
||||
`/lib/systemd/system/hide-hardware-info.service`
|
||||
`/lib/systemd/system/user@.service.d/sysfs.conf`
|
||||
`/etc/hide-hardware-info.d/30_default.conf`
|
||||
.
|
||||
* The MSR kernel module is blacklisted to prevent CPU MSRs from being
|
||||
abused to write to arbitrary memory.
|
||||
@ -114,8 +114,8 @@ Description: enhances misc security settings
|
||||
* The vivid kernel module is blacklisted as it's only required for testing
|
||||
and has been the cause of multiple vulnerabilities.
|
||||
.
|
||||
* An initramfs hook sets the sysctl values in /etc/sysctl.conf and
|
||||
/etc/sysctl.d before init is executed so sysctl hardening is enabled
|
||||
* An initramfs hook sets the sysctl values in `/etc/sysctl.conf` and
|
||||
`/etc/sysctl.d` before init is executed so sysctl hardening is enabled
|
||||
as early as possible.
|
||||
.
|
||||
* The kernel panics on oopses to prevent it from continuing to run a flawed
|
||||
@ -124,25 +124,25 @@ Description: enhances misc security settings
|
||||
* Restricts the SysRq key so it can only be used for shutdowns and the
|
||||
Secure Attention Key.
|
||||
.
|
||||
* Restricts loading line disciplines to CAP_SYS_MODULE.
|
||||
* Restricts loading line disciplines to `CAP_SYS_MODULE`.
|
||||
.
|
||||
Improve Entropy Collection
|
||||
.
|
||||
* Load jitterentropy_rng kernel module.
|
||||
/usr/lib/modules-load.d/30_security-misc.conf
|
||||
* Load `jitterentropy_rng` kernel module.
|
||||
`/usr/lib/modules-load.d/30_security-misc.conf`
|
||||
.
|
||||
* Distrusts the CPU for initial entropy at boot as it is not possible to
|
||||
audit, may contain weaknesses or a backdoor.
|
||||
* https://en.wikipedia.org/wiki/RDRAND#Reception
|
||||
* https://twitter.com/pid_eins/status/1149649806056280069
|
||||
* For more references, see:
|
||||
* /etc/default/grub.d/40_distrust_cpu.cfg
|
||||
* `/etc/default/grub.d/40_distrust_cpu.cfg`
|
||||
.
|
||||
* Gathers more entropy during boot if using the linux-hardened kernel patch.
|
||||
.
|
||||
Uncommon network protocols are blacklisted:
|
||||
These are rarely used and may have unknown vulnerabilities.
|
||||
/etc/modprobe.d/uncommon-network-protocols.conf
|
||||
`/etc/modprobe.d/30_security-misc.conf`
|
||||
The network protocols that are blacklisted are:
|
||||
.
|
||||
* DCCP - Datagram Congestion Control Protocol
|
||||
@ -165,16 +165,17 @@ Description: enhances misc security settings
|
||||
.
|
||||
user restrictions:
|
||||
.
|
||||
* remount /home, /tmp, /dev/shm and /run with nosuid,nodev (default) and
|
||||
noexec (opt-in). To disable this, run "sudo touch /etc/remount-disable". To
|
||||
opt-in noexec, run "sudo touch /etc/noexec" and reboot (easiest).
|
||||
Alternatively file /usr/local/etc/remount-disable or file
|
||||
/usr/local/etc/noexec could be used.
|
||||
/lib/systemd/system/remount-secure.service
|
||||
/usr/lib/security-misc/remount-secure
|
||||
* remount `/home`, `/tmp`, `/dev/shm` and `/run` with `nosuid,nodev`
|
||||
(default) and `noexec` (opt-in). To disable this, run
|
||||
`sudo touch /etc/remount-disable`. To opt-in `noexec`, run
|
||||
`sudo touch /etc/noexec` and reboot (easiest).
|
||||
Alternatively file `/usr/local/etc/remount-disable` or file
|
||||
`/usr/local/etc/noexec` could be used.
|
||||
`/lib/systemd/system/remount-secure.service`
|
||||
`/usr/lib/security-misc/remount-secure`
|
||||
.
|
||||
* A systemd service mounts /proc with hidepid=2 at boot to prevent users from
|
||||
seeing each other's processes.
|
||||
* A systemd service mounts `/proc` with `hidepid=2` at boot to prevent users
|
||||
from seeing each other's processes.
|
||||
.
|
||||
* The kernel logs are restricted to root only.
|
||||
.
|
||||
@ -186,35 +187,35 @@ Description: enhances misc security settings
|
||||
.
|
||||
* `su` is restricted to only users within the group `sudo` which prevents
|
||||
users from using `su` to gain root access or to switch user accounts.
|
||||
/usr/share/pam-configs/wheel-security-misc
|
||||
`/usr/share/pam-configs/wheel-security-misc`
|
||||
(Which results in a change in file `/etc/pam.d/common-auth`.)
|
||||
.
|
||||
* Add user `root` to group `sudo`. This is required to make above work so
|
||||
login as a user in a virtual console is still possible.
|
||||
debian/security-misc.postinst
|
||||
`debian/security-misc.postinst`
|
||||
.
|
||||
* Abort login for users with locked passwords.
|
||||
/usr/lib/security-misc/pam-abort-on-locked-password
|
||||
`/usr/lib/security-misc/pam-abort-on-locked-password`
|
||||
.
|
||||
* Logging into the root account from a virtual, serial, whatnot console is
|
||||
prevented by shipping an existing and empty /etc/securetty.
|
||||
(Deletion of /etc/securetty has a different effect.)
|
||||
/etc/securetty.security-misc
|
||||
prevented by shipping an existing and empty `/etc/securetty`.
|
||||
(Deletion of `/etc/securetty` has a different effect.)
|
||||
`/etc/securetty.security-misc`
|
||||
.
|
||||
* Console Lockdown.
|
||||
Allow members of group 'console' to use console.
|
||||
Everyone else except members of group
|
||||
'console-unrestricted' are restricted from using console using ancient,
|
||||
unpopular login methods such as using /bin/login over networks, which might
|
||||
unpopular login methods such as using `/bin/login` over networks, which might
|
||||
be exploitable. (CVE-2001-0797) Using pam_access.
|
||||
Not enabled by default in this package since this package does not know which
|
||||
users shall be added to group 'console' and would break console.
|
||||
/usr/share/pam-configs/console-lockdown-security-misc
|
||||
/etc/security/access-security-misc.conf
|
||||
`/usr/share/pam-configs/console-lockdown-security-misc`
|
||||
`/etc/security/access-security-misc.conf`
|
||||
.
|
||||
Protect Linux user accounts against brute force attacks.
|
||||
Lock user accounts after 50 failed login attempts using pam_tally2.
|
||||
/usr/share/pam-configs/tally2-security-misc
|
||||
Lock user accounts after 50 failed login attempts using `pam_tally2`.
|
||||
`/usr/share/pam-configs/tally2-security-misc`
|
||||
.
|
||||
informational output during Linux PAM:
|
||||
.
|
||||
@ -222,25 +223,25 @@ Description: enhances misc security settings
|
||||
* Document unlock procedure if Linux user account got locked.
|
||||
* Point out, that there is no password feedback for `su`.
|
||||
* Explain locked (root) account if locked.
|
||||
* /usr/share/pam-configs/tally2-security-misc
|
||||
* /usr/lib/security-misc/pam_tally2-info
|
||||
* /usr/lib/security-misc/pam-abort-on-locked-password
|
||||
* `/usr/share/pam-configs/tally2-security-misc`
|
||||
* `/usr/lib/security-misc/pam_tally2-info`
|
||||
* `/usr/lib/security-misc/pam-abort-on-locked-password`
|
||||
.
|
||||
access rights restrictions:
|
||||
.
|
||||
* Strong Linux User Account Separation.
|
||||
Removes read, write and execute access for others for all users who have
|
||||
home folders under folder /home by running for example
|
||||
home folders under folder `/home` by running for example
|
||||
"chmod o-rwx /home/user"
|
||||
during package installation, upgrade or pam mkhomedir. This will be done only
|
||||
once per
|
||||
folder in folder /home so users who wish to relax file permissions are free to
|
||||
during package installation, upgrade or pam `mkhomedir`. This will be done
|
||||
only once per folder in folder `/home` so users who wish to relax file
|
||||
permissions are free to
|
||||
do so. This is to protect previously created files in user home folder which
|
||||
were previously created with lax file permissions prior installation of this
|
||||
package.
|
||||
debian/security-misc.postinst
|
||||
/usr/lib/security-misc/permission-lockdown
|
||||
/usr/share/pam-configs/mkhomedir-security-misc
|
||||
`debian/security-misc.postinst`
|
||||
`/usr/lib/security-misc/permission-lockdown`
|
||||
`/usr/share/pam-configs/mkhomedir-security-misc`
|
||||
.
|
||||
* SUID / GUID removal and permission hardening.
|
||||
A systemd service removed SUID / GUID from non-essential binaries as these are
|
||||
@ -248,17 +249,17 @@ Description: enhances misc security settings
|
||||
It is disabled by default for now during testing and can optionally be enabled
|
||||
by running `systemctl enable permission-hardening.service` as root.
|
||||
https://forums.whonix.org/t/disable-suid-binaries/7706
|
||||
/usr/lib/security-misc/permission-hardening
|
||||
/lib/systemd/system/permission-hardening.service
|
||||
/etc/permission-hardening.d/30_default.conf
|
||||
`/usr/lib/security-misc/permission-hardening`
|
||||
`/lib/systemd/system/permission-hardening.service`
|
||||
`/etc/permission-hardening.d/30_default.conf`
|
||||
.
|
||||
access rights relaxations:
|
||||
.
|
||||
Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with
|
||||
hidepid.
|
||||
Redirect calls for `pkexec` to `lxqt-sudo` because `pkexec` is incompatible
|
||||
with `hidepid`.
|
||||
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040
|
||||
https://forums.whonix.org/t/cannot-use-pkexec/8129
|
||||
/usr/bin/pkexec.security-misc
|
||||
`/usr/bin/pkexec.security-misc`
|
||||
.
|
||||
This package does (not yet) automatically lock the root account password.
|
||||
It is not clear that would be sane in such a package.
|
||||
@ -269,14 +270,14 @@ Description: enhances misc security settings
|
||||
https://www.whonix.org/wiki/Dev/Permissions
|
||||
https://forums.whonix.org/t/restrict-root-access/7658
|
||||
However, a locked root password will break rescue and emergency shell.
|
||||
Therefore this package enables passwordless resuce and emergency shell.
|
||||
This is the same solution that Debian will likely addapt for Debian
|
||||
Therefore this package enables passwordless rescue and emergency shell.
|
||||
This is the same solution that Debian will likely adapt for Debian
|
||||
installer.
|
||||
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211
|
||||
Adverse security effects can be prevented by setting up BIOS password
|
||||
protection, grub password protection and/or full disk encryption.
|
||||
/etc/systemd/system/emergency.service.d/override.conf
|
||||
/etc/systemd/system/rescue.service.d/override.conf
|
||||
`/etc/systemd/system/emergency.service.d/override.conf`
|
||||
`/etc/systemd/system/rescue.service.d/override.conf`
|
||||
.
|
||||
Disables TCP Time Stamps:
|
||||
.
|
||||
@ -293,7 +294,7 @@ Description: enhances misc security settings
|
||||
public IP used by a user.
|
||||
.
|
||||
Hence, this package disables this feature by shipping the
|
||||
/etc/sysctl.d/30_security-misc.conf configuration file.
|
||||
`/etc/sysctl.d/30_security-misc.conf` configuration file.
|
||||
.
|
||||
Note that TCP time stamps normally have some usefulness. They are
|
||||
needed for:
|
||||
@ -311,10 +312,10 @@ Description: enhances misc security settings
|
||||
.
|
||||
Application specific hardening:
|
||||
.
|
||||
* Enables APT seccomp-BPF sandboxing. /etc/apt/apt.conf.d/40sandbox
|
||||
* Enables APT seccomp-BPF sandboxing. `/etc/apt/apt.conf.d/40sandbox`
|
||||
* Deactivates previews in Dolphin.
|
||||
* Deactivates previews in Nautilus.
|
||||
/usr/share/glib-2.0/schemas/30_security-misc.gschema.override
|
||||
`/usr/share/glib-2.0/schemas/30_security-misc.gschema.override`
|
||||
* Deactivates thumbnails in Thunar.
|
||||
* Enables punycode (`network.IDN_show_punycode`) by default in Thunderbird
|
||||
to make phising attacks more difficult. Fixing URL not showing real Domain
|
||||
|
Loading…
Reference in New Issue
Block a user