From 4043d2af3f8239a2056610363fc9d53770ebc336 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 25 Feb 2020 02:06:48 -0500 Subject: [PATCH] description --- debian/control | 135 +++++++++++++++++++++++++------------------------ 1 file changed, 68 insertions(+), 67 deletions(-) diff --git a/debian/control b/debian/control index 45355db..f959cbc 100644 --- a/debian/control +++ b/debian/control @@ -31,13 +31,13 @@ Description: enhances misc security settings Netfilter's connection tracking helper module increases kernel attack surface by enabling superfluous functionality such as IRC parsing in the kernel. (!) Hence, this package disables this feature by shipping the - /etc/modprobe.d/30_nf_conntrack_helper_disable.conf configuration file. + `/etc/modprobe.d/30_security-misc.conf` configuration file. . - * Kernel symbols in various files in /proc are hidden as they can be + * Kernel symbols in various files in `/proc` are hidden as they can be very useful for kernel exploits. . * Kexec is disabled as it can be used to load a malicious kernel. - /etc/sysctl.d/30_security-misc.conf + `/etc/modprobe.d/30_security-misc.conf` . * ASLR effectiveness for mmap is increased. . @@ -53,7 +53,7 @@ Description: enhances misc security settings * Prevents symlink/hardlink TOCTOU races. . * SACK can be disabled as it is commonly exploited and is rarely used by - uncommenting settings in file /etc/sysctl.d/30_security-misc.conf. + uncommenting settings in file `/etc/sysctl.d/30_security-misc.conf`. . * Slab merging is disabled as sometimes a slab can be used in a vulnerable way which an attacker can exploit. @@ -72,15 +72,15 @@ Description: enhances misc security settings . * A systemd service clears System.map on boot as these contain kernel symbols that could be useful to an attacker. - /etc/kernel/postinst.d/30_remove-system-map - /lib/systemd/system/remove-system-map.service - /usr/lib/security-misc/remove-system.map + `/etc/kernel/postinst.d/30_remove-system-map` + `/lib/systemd/system/remove-system-map.service` + `/usr/lib/security-misc/remove-system.map` . * Coredumps are disabled as they may contain important information such as encryption keys or passwords. - /etc/security/limits.d/30_security-misc.conf - /etc/sysctl.d/30_security-misc.conf - /lib/systemd/coredump.conf.d/30_security-misc.conf + `/etc/security/limits.d/30_security-misc.conf` + `/etc/sysctl.d/30_security-misc.conf` + `/lib/systemd/coredump.conf.d/30_security-misc.conf` . * The thunderbolt and firewire kernel modules are blacklisted as they can be used for DMA (Direct Memory Access) attacks. @@ -92,16 +92,16 @@ Description: enhances misc security settings https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns `/etc/modprobe.d/30_security-misc.conf` . - * A systemd service restricts /proc/cpuinfo, /proc/bus, /proc/scsi and - /sys to the root user only. This hides a lot of hardware identifiers from - unprivileged users and increases security as /sys exposes a lot of information + * A systemd service restricts `/proc/cpuinfo`, `/proc/bus`, `/proc/scsi` and + `/sys` to the root user only. This hides a lot of hardware identifiers from + unprivileged users and increases security as `/sys` exposes a lot of information that shouldn't be accessible to unprivileged users. As this will break many things, it is disabled by default and can optionally be enabled by running `systemctl enable hide-hardware-info.service` as root. - /usr/lib/security-misc/hide-hardware-info - /lib/systemd/system/hide-hardware-info.service - /lib/systemd/system/user@.service.d/sysfs.conf - /etc/hide-hardware-info.d/30_default.conf + `/usr/lib/security-misc/hide-hardware-info` + `/lib/systemd/system/hide-hardware-info.service` + `/lib/systemd/system/user@.service.d/sysfs.conf` + `/etc/hide-hardware-info.d/30_default.conf` . * The MSR kernel module is blacklisted to prevent CPU MSRs from being abused to write to arbitrary memory. @@ -114,8 +114,8 @@ Description: enhances misc security settings * The vivid kernel module is blacklisted as it's only required for testing and has been the cause of multiple vulnerabilities. . - * An initramfs hook sets the sysctl values in /etc/sysctl.conf and - /etc/sysctl.d before init is executed so sysctl hardening is enabled + * An initramfs hook sets the sysctl values in `/etc/sysctl.conf` and + `/etc/sysctl.d` before init is executed so sysctl hardening is enabled as early as possible. . * The kernel panics on oopses to prevent it from continuing to run a flawed @@ -124,25 +124,25 @@ Description: enhances misc security settings * Restricts the SysRq key so it can only be used for shutdowns and the Secure Attention Key. . - * Restricts loading line disciplines to CAP_SYS_MODULE. + * Restricts loading line disciplines to `CAP_SYS_MODULE`. . Improve Entropy Collection . - * Load jitterentropy_rng kernel module. - /usr/lib/modules-load.d/30_security-misc.conf + * Load `jitterentropy_rng` kernel module. + `/usr/lib/modules-load.d/30_security-misc.conf` . * Distrusts the CPU for initial entropy at boot as it is not possible to audit, may contain weaknesses or a backdoor. * https://en.wikipedia.org/wiki/RDRAND#Reception * https://twitter.com/pid_eins/status/1149649806056280069 * For more references, see: - * /etc/default/grub.d/40_distrust_cpu.cfg + * `/etc/default/grub.d/40_distrust_cpu.cfg` . * Gathers more entropy during boot if using the linux-hardened kernel patch. . Uncommon network protocols are blacklisted: These are rarely used and may have unknown vulnerabilities. - /etc/modprobe.d/uncommon-network-protocols.conf + `/etc/modprobe.d/30_security-misc.conf` The network protocols that are blacklisted are: . * DCCP - Datagram Congestion Control Protocol @@ -165,16 +165,17 @@ Description: enhances misc security settings . user restrictions: . - * remount /home, /tmp, /dev/shm and /run with nosuid,nodev (default) and - noexec (opt-in). To disable this, run "sudo touch /etc/remount-disable". To - opt-in noexec, run "sudo touch /etc/noexec" and reboot (easiest). - Alternatively file /usr/local/etc/remount-disable or file - /usr/local/etc/noexec could be used. - /lib/systemd/system/remount-secure.service - /usr/lib/security-misc/remount-secure + * remount `/home`, `/tmp`, `/dev/shm` and `/run` with `nosuid,nodev` + (default) and `noexec` (opt-in). To disable this, run + `sudo touch /etc/remount-disable`. To opt-in `noexec`, run + `sudo touch /etc/noexec` and reboot (easiest). + Alternatively file `/usr/local/etc/remount-disable` or file + `/usr/local/etc/noexec` could be used. + `/lib/systemd/system/remount-secure.service` + `/usr/lib/security-misc/remount-secure` . - * A systemd service mounts /proc with hidepid=2 at boot to prevent users from - seeing each other's processes. + * A systemd service mounts `/proc` with `hidepid=2` at boot to prevent users + from seeing each other's processes. . * The kernel logs are restricted to root only. . @@ -186,35 +187,35 @@ Description: enhances misc security settings . * `su` is restricted to only users within the group `sudo` which prevents users from using `su` to gain root access or to switch user accounts. - /usr/share/pam-configs/wheel-security-misc + `/usr/share/pam-configs/wheel-security-misc` (Which results in a change in file `/etc/pam.d/common-auth`.) . * Add user `root` to group `sudo`. This is required to make above work so login as a user in a virtual console is still possible. - debian/security-misc.postinst + `debian/security-misc.postinst` . * Abort login for users with locked passwords. - /usr/lib/security-misc/pam-abort-on-locked-password + `/usr/lib/security-misc/pam-abort-on-locked-password` . * Logging into the root account from a virtual, serial, whatnot console is - prevented by shipping an existing and empty /etc/securetty. - (Deletion of /etc/securetty has a different effect.) - /etc/securetty.security-misc + prevented by shipping an existing and empty `/etc/securetty`. + (Deletion of `/etc/securetty` has a different effect.) + `/etc/securetty.security-misc` . * Console Lockdown. Allow members of group 'console' to use console. Everyone else except members of group 'console-unrestricted' are restricted from using console using ancient, - unpopular login methods such as using /bin/login over networks, which might + unpopular login methods such as using `/bin/login` over networks, which might be exploitable. (CVE-2001-0797) Using pam_access. Not enabled by default in this package since this package does not know which users shall be added to group 'console' and would break console. - /usr/share/pam-configs/console-lockdown-security-misc - /etc/security/access-security-misc.conf + `/usr/share/pam-configs/console-lockdown-security-misc` + `/etc/security/access-security-misc.conf` . Protect Linux user accounts against brute force attacks. - Lock user accounts after 50 failed login attempts using pam_tally2. - /usr/share/pam-configs/tally2-security-misc + Lock user accounts after 50 failed login attempts using `pam_tally2`. + `/usr/share/pam-configs/tally2-security-misc` . informational output during Linux PAM: . @@ -222,25 +223,25 @@ Description: enhances misc security settings * Document unlock procedure if Linux user account got locked. * Point out, that there is no password feedback for `su`. * Explain locked (root) account if locked. - * /usr/share/pam-configs/tally2-security-misc - * /usr/lib/security-misc/pam_tally2-info - * /usr/lib/security-misc/pam-abort-on-locked-password + * `/usr/share/pam-configs/tally2-security-misc` + * `/usr/lib/security-misc/pam_tally2-info` + * `/usr/lib/security-misc/pam-abort-on-locked-password` . access rights restrictions: . * Strong Linux User Account Separation. Removes read, write and execute access for others for all users who have - home folders under folder /home by running for example + home folders under folder `/home` by running for example "chmod o-rwx /home/user" - during package installation, upgrade or pam mkhomedir. This will be done only - once per - folder in folder /home so users who wish to relax file permissions are free to + during package installation, upgrade or pam `mkhomedir`. This will be done + only once per folder in folder `/home` so users who wish to relax file + permissions are free to do so. This is to protect previously created files in user home folder which were previously created with lax file permissions prior installation of this package. - debian/security-misc.postinst - /usr/lib/security-misc/permission-lockdown - /usr/share/pam-configs/mkhomedir-security-misc + `debian/security-misc.postinst` + `/usr/lib/security-misc/permission-lockdown` + `/usr/share/pam-configs/mkhomedir-security-misc` . * SUID / GUID removal and permission hardening. A systemd service removed SUID / GUID from non-essential binaries as these are @@ -248,17 +249,17 @@ Description: enhances misc security settings It is disabled by default for now during testing and can optionally be enabled by running `systemctl enable permission-hardening.service` as root. https://forums.whonix.org/t/disable-suid-binaries/7706 - /usr/lib/security-misc/permission-hardening - /lib/systemd/system/permission-hardening.service - /etc/permission-hardening.d/30_default.conf + `/usr/lib/security-misc/permission-hardening` + `/lib/systemd/system/permission-hardening.service` + `/etc/permission-hardening.d/30_default.conf` . access rights relaxations: . - Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with - hidepid. + Redirect calls for `pkexec` to `lxqt-sudo` because `pkexec` is incompatible + with `hidepid`. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040 https://forums.whonix.org/t/cannot-use-pkexec/8129 - /usr/bin/pkexec.security-misc + `/usr/bin/pkexec.security-misc` . This package does (not yet) automatically lock the root account password. It is not clear that would be sane in such a package. @@ -269,14 +270,14 @@ Description: enhances misc security settings https://www.whonix.org/wiki/Dev/Permissions https://forums.whonix.org/t/restrict-root-access/7658 However, a locked root password will break rescue and emergency shell. - Therefore this package enables passwordless resuce and emergency shell. - This is the same solution that Debian will likely addapt for Debian + Therefore this package enables passwordless rescue and emergency shell. + This is the same solution that Debian will likely adapt for Debian installer. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211 Adverse security effects can be prevented by setting up BIOS password protection, grub password protection and/or full disk encryption. - /etc/systemd/system/emergency.service.d/override.conf - /etc/systemd/system/rescue.service.d/override.conf + `/etc/systemd/system/emergency.service.d/override.conf` + `/etc/systemd/system/rescue.service.d/override.conf` . Disables TCP Time Stamps: . @@ -293,7 +294,7 @@ Description: enhances misc security settings public IP used by a user. . Hence, this package disables this feature by shipping the - /etc/sysctl.d/30_security-misc.conf configuration file. + `/etc/sysctl.d/30_security-misc.conf` configuration file. . Note that TCP time stamps normally have some usefulness. They are needed for: @@ -311,10 +312,10 @@ Description: enhances misc security settings . Application specific hardening: . - * Enables APT seccomp-BPF sandboxing. /etc/apt/apt.conf.d/40sandbox + * Enables APT seccomp-BPF sandboxing. `/etc/apt/apt.conf.d/40sandbox` * Deactivates previews in Dolphin. * Deactivates previews in Nautilus. - /usr/share/glib-2.0/schemas/30_security-misc.gschema.override + `/usr/share/glib-2.0/schemas/30_security-misc.gschema.override` * Deactivates thumbnails in Thunar. * Enables punycode (`network.IDN_show_punycode`) by default in Thunderbird to make phising attacks more difficult. Fixing URL not showing real Domain