From 248e094b8e0bbf7892f79ad1c3ec77c7ed00d008 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sat, 17 Aug 2024 01:06:21 +1000 Subject: [PATCH 01/10] Include KSPP compliance notices --- etc/default/grub.d/40_cpu_mitigations.cfg | 6 +++ etc/default/grub.d/40_kernel_hardening.cfg | 48 +++++++++++++++++++ etc/default/grub.d/40_signed_modules.cfg | 8 +++- .../30_security-misc_kexec-disable.conf | 3 ++ usr/lib/sysctl.d/990-security-misc.conf | 48 +++++++++++++++++++ 5 files changed, 112 insertions(+), 1 deletion(-) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index 99eee7d..486b63b 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg @@ -13,6 +13,9 @@ ## Enable a subset of known mitigations for CPU vulnerabilities and disable SMT. ## +## KSPP=yes +## KSPP sets the kernel parameters. +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt" ## Disable SMT as it has been the cause of and amplified numerous CPU exploits. @@ -24,6 +27,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt" ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17 ## https://github.com/anthraxx/linux-hardened/issues/37#issuecomment-619597365 ## +## KSPP=yes +## KSPP sets the kernel parameter. +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force" ## Enable mitigations for both Spectre Variant 2 (indirect branch speculation) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index b6cc9df..35472ba 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg 
@@ -27,6 +27,9 @@ kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || tru ## https://www.openwall.com/lists/kernel-hardening/2017/06/19/33 ## https://www.openwall.com/lists/kernel-hardening/2017/06/20/10 ## +## KSPP=yes +## KSPP sets the kernel parameter and does not set CONFIG_SLAB_MERGE_DEFAULT. +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge" ## Enable sanity checks and red zoning of slabs via debugging options to detect corruption. @@ -39,6 +42,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge" ## https://gitlab.tails.boum.org/tails/tails/-/issues/19613 ## https://github.com/Kicksecure/security-misc/issues/253 ## +## KSPP=yes +## KSPP sets the kernel parameters and CONFIG_SLUB_DEBUG. +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_debug=FZ" ## Zero memory at allocation time and free time. @@ -47,6 +53,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_debug=FZ" ## ## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6471384af2a6530696fc0203bafe4de41a23c9ef ## +## KSPP=yes +## KSPP sets the kernel parameters, CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y, and CONFIG_INIT_ON_FREE_DEFAULT_ON=y. +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_alloc=1" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_free=1" @@ -58,6 +67,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_free=1" ## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e900a918b0984ec8f2eb150b8477a47b75d17692 ## https://en.wikipedia.org/wiki/Return-oriented_programming#Attacks ## +## KSPP=yes +## KSPP sets the kernel parameter and CONFIG_SHUFFLE_PAGE_ALLOCATOR=y. +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1" ## Enable kernel page table isolation to harden against kernel ASLR (KASLR) bypasses. 
@@ -65,6 +77,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1" ## ## https://en.wikipedia.org/wiki/Kernel_page-table_isolation ## +## KSPP=yes +## KSPP sets the kernel parameter and CONFIG_MITIGATION_PAGE_TABLE_ISOLATION=y. +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on" ## Enable randomization of the kernel stack offset on syscall entries. @@ -74,6 +89,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on" ## https://lkml.org/lkml/2019/3/18/246 ## https://a13xp0p0v.github.io/2020/02/15/CVE-2019-18683.html ## +## KSPP=yes +## KSPP sets the kernel parameter and CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y. +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX randomize_kstack_offset=on" ## Disable vsyscalls to reduce attack surface as they have been replaced by vDSO. @@ -82,6 +100,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX randomize_kstack_offset=on" ## https://lwn.net/Articles/446528/ ## https://en.wikipedia.org/wiki/VDSO ## +## KSPP=yes +## KSPP sets the kernel parameter, CONFIG_LEGACY_VSYSCALL_NONE=y and does not set CONFIG_X86_VSYSCALL_EMULATION. +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none" ## Restrict access to debugfs by not registering the file system. @@ -98,6 +119,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713 ## +## KSPP=yes +## KSPP sets CONFIG_PANIC_ON_OOPS=y and CONFIG_PANIC_TIMEOUT=-1. +## ## See /usr/libexec/security-misc/panic-on-oops for implementation. ## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX oops=panic" 
@@ -135,6 +159,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## https://blogs.oracle.com/linux/post/linux-slub-allocator-internals-and-debugging-4 ## https://lwn.net/Articles/835542/ ## +## KSPP=yes +## KSPP sets the kernel parameter, CONFIG_KFENCE=y, and CONFIG_KFENCE_SAMPLE_INTERVAL=100. +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100" ## Disable 32-bit Virtual Dynamic Shared Object (vDSO) mappings. @@ -143,6 +170,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100" ## https://lore.kernel.org/lkml/20080409082927.BD59E26F992@magilla.localdomain/T/ ## https://lists.openwall.net/linux-kernel/2014/03/11/3 ## +## KSPP=yes +## KSPP sets the kernel parameter and does not set CONFIG_COMPAT_VDSO. +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0" ## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation. @@ -165,6 +195,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0" ## https://lpc.events/event/16/contributions/1315/attachments/1067/2169/cfi.pdf ## https://forums.whonix.org/t/kernel-hardening-security-misc/7296/561 ## +## KSPP=yes +## KSPP sets the kernel parameter. +## ## TODO: Debian 13 Trixie ## Applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness). ## @@ -175,6 +208,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0" ## ## https://lore.kernel.org/all/20230623111409.3047467-7-nik.borisov@suse.com/ ## +## KSPP=yes +## KSPP does not set CONFIG_COMPAT, CONFIG_IA32_EMULATION, CONFIG_X86_X32, CONFIG_X86_X32_ABI, and CONFIG_MODIFY_LDT_SYSCALL. +## ## TODO: Debian 13 Trixie ## Applicable when using Linux kernel >= 6.7 (retained here for future-proofing and completeness). ## 
@@ -186,6 +222,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0" ## Enable CPU manufacturer-specific IOMMU drivers to mitigate some DMA attacks. ## +## KSPP=yes +## KSPP sets CONFIG_INTEL_IOMMU=y, CONFIG_INTEL_IOMMU_DEFAULT_ON=y, CONFIG_INTEL_IOMMU_SVM=y, CONFIG_AMD_IOMMU=y, and CONFIG_AMD_IOMMU_V2=y. +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX amd_iommu=force_isolation" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on" @@ -197,6 +236,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on" ## https://en.wikipedia.org/wiki/DMA_attack ## https://lenovopress.lenovo.com/lp1467.pdf ## +## KSPP=yes +## KSPP sets the kernel parameters, CONFIG_IOMMU_SUPPORT=y, CONFIG_IOMMU_DEFAULT_DMA_STRICT=y, and does not set CONFIG_IOMMU_DEFAULT_PASSTHROUGH. +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu=force" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.passthrough=0" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.strict=1" @@ -210,6 +252,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.strict=1" ## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94 ## https://mjg59.dreamwidth.org/54433.html ## +## KSPP=yes +## KSPP sets CONFIG_EFI_DISABLE_PCI_DMA=y. +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma" ## 3. Entropy: @@ -234,6 +279,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma" ## https://github.com/NixOS/nixpkgs/pull/165355 ## https://lkml.org/lkml/2022/6/5/271 ## +## KSPP=yes +## KSPP sets CONFIG_RANDOM_TRUST_BOOTLOADER=y and CONFIG_RANDOM_TRUST_CPU=y. +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_bootloader=off" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off" diff --git a/etc/default/grub.d/40_signed_modules.cfg b/etc/default/grub.d/40_signed_modules.cfg index 9a6a101..5e6fce7 100644 --- a/etc/default/grub.d/40_signed_modules.cfg +++ b/etc/default/grub.d/40_signed_modules.cfg 
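Review bot: The entropy hunk tags `random.trust_bootloader=off` and `random.trust_cpu=off` as `KSPP=yes` while the very same notice states that KSPP sets `CONFIG_RANDOM_TRUST_BOOTLOADER=y` and `CONFIG_RANDOM_TRUST_CPU=y`, i.e. the opposite choice; as written the tag asserts compliance with a recommendation this file deliberately overrides. Either the tag should not be `yes`, or the notice should say why the file diverges, e.g. `## KSPP=partial` followed by `## KSPP sets CONFIG_RANDOM_TRUST_BOOTLOADER=y and CONFIG_RANDOM_TRUST_CPU=y; this file deliberately disables both, see the links above.` The IOMMU and `efi=disable_early_pci_dma` notices earlier on the same line do not have this problem, since there the setting and the quoted KSPP option point the same way.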
@@ -9,6 +9,9 @@ ## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/61 ## https://github.com/dell/dkms/issues/359 ## +## KSPP=yes +## KSPP sets CONFIG_MODULE_SIG=y, CONFIG_MODULE_SIG_FORCE=y, and CONFIG_MODULE_SIG_ALL=y. +## ## Not enabled by default yet due to several issues. ## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX module.sig_enforce=1" @@ -18,7 +21,10 @@ ## ## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880 ## -## ## Not enabled by default yet due to several issues. +## KSPP=yes +## KSPP sets CONFIG_SECURITY_LOCKDOWN_LSM=y, CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y, and CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y. +## +## Not enabled by default yet due to several issues. ## #if dpkg --compare-versions "${kver}" ge "5.4"; then # GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX lockdown=confidentiality" diff --git a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf index 0400ad1..eb785cc 100644 --- a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf +++ b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf @@ -14,4 +14,7 @@ ## ## https://en.wikipedia.org/wiki/Kexec ## +## KSPP=yes +## KSPP sets the sysctl and does not set CONFIG_KEXEC. +## kernel.kexec_load_disabled=1 diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 9836bc2..3bd7ea1 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf 
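Review bot: Both new `KSPP=yes` notices in 40_signed_modules.cfg sit directly above settings that stay commented out (`#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX module.sig_enforce=1"` and the `lockdown=confidentiality` block), so anyone scanning for the tag will conclude the shipped configuration is compliant when the file itself says `Not enabled by default yet due to several issues.` Suggest qualifying the tag on disabled entries, e.g. `## KSPP=yes (setting below is not enabled by default in this file)`, or using `KSPP=partial` until the line is active. The kexec hunk in the same patch is fine in this respect because `kernel.kexec_load_disabled=1` is actually set.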
@@ -31,11 +31,17 @@ ## ## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak ## +## KSPP=yes +## KSPP sets the sysctl. +## kernel.kptr_restrict=2 ## Restrict access to the kernel log buffer to users with CAP_SYSLOG. ## Kernel logs often contain sensitive information such as kernel pointers. ## +## KSPP=yes +## KSPP sets the sysctl and CONFIG_SECURITY_DMESG_RESTRICT=y. +## kernel.dmesg_restrict=1 ## Prevent kernel information leaks in the console during boot. @@ -52,6 +58,9 @@ kernel.dmesg_restrict=1 ## ## https://en.wikipedia.org/wiki/EBPF#Security ## +## KSPP=yes +## KSPP sets the sysctls. +## kernel.unprivileged_bpf_disabled=1 net.core.bpf_jit_harden=2 @@ -61,6 +70,9 @@ net.core.bpf_jit_harden=2 ## https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html ## https://lkml.org/lkml/2019/4/15/890 ## +## KSPP=yes +## KSPP sets the sysctl does not set CONFIG_LDISC_AUTOLOAD. +## dev.tty.ldisc_autoload=0 ## Restrict the userfaultfd() syscall to users with SYS_CAP_PTRACE. @@ -69,6 +81,9 @@ dev.tty.ldisc_autoload=0 ## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cefdca0a86be517bc390fc4541e3674b8e7803b0 ## https://duasynt.com/blog/linux-kernel-heap-spray ## +## KSPP=yes +## KSPP sets the sysctl. +## vm.unprivileged_userfaultfd=0 ## Disables kexec, which can be used to replace the running kernel. @@ -78,6 +93,9 @@ vm.unprivileged_userfaultfd=0 ## ## See /usr/lib/sysctl.d/30_security-misc_kexec-disable.conf for implementation. ## +## KSPP=yes +## KSPP sets the sysctl and does not set CONFIG_KEXEC. +## #kernel.kexec_load_disabled=1 ## Disable the SysRq key to prevent leakage of kernel information. @@ -87,6 +105,9 @@ vm.unprivileged_userfaultfd=0 ## https://www.kicksecure.com/wiki/SysRq ## https://github.com/xairy/unlockdown ## +## KSPP=yes +## KSPP sets the less strict CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176. +## kernel.sysrq=0 ## Restrict user namespaces to users with CAP_SYS_ADMIN. 
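Review bot: The ldisc_autoload notice is missing its conjunction: `## KSPP sets the sysctl does not set CONFIG_LDISC_AUTOLOAD.` should read `## KSPP sets the sysctl and does not set CONFIG_LDISC_AUTOLOAD.`, matching the kexec notice in the same patch. Separately, the `kernel.sysrq=0` notice says KSPP uses the less strict `CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176` yet carries `KSPP=yes`; one extra line such as `## This file is stricter than KSPP, which leaves a subset of SysRq functions enabled.` would stop the tag from reading as an exact match.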
@@ -106,6 +127,9 @@ kernel.unprivileged_userns_clone=0 ## https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html#unprivileged-users ## https://lore.kernel.org/kernel-hardening/1469630746-32279-1-git-send-email-jeffv@google.com/ ## +## KSPP=yes +## KSPP sets the sysctl. +## kernel.perf_event_paranoid=3 ## Force the kernel to panic on "oopses". @@ -115,6 +139,9 @@ kernel.perf_event_paranoid=3 ## ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713 ## +## KSPP=yes +## KSPP sets CONFIG_PANIC_ON_OOPS=y and CONFIG_PANIC_TIMEOUT=-1. +## ## See /usr/libexec/security-misc/panic-on-oops for implementation. ## #kernel.panic_on_oops=1 @@ -126,6 +153,9 @@ kernel.perf_event_paranoid=3 ## ## https://lore.kernel.org/lkml/20221228205726.rfevry7ud6gmttg5@begin/T/ ## +## KSPP=yes +## KSPP sets the sysctl and does not set CONFIG_LEGACY_TIOCSTI. +## ## TODO: Debian 13 Trixie ## This is disabled by default when using Linux kernel >= 6.2. ## @@ -161,6 +191,9 @@ kernel.io_uring_disabled=2 ## https://github.com/GrapheneOS/os-issue-tracker/issues/651#issuecomment-917599928 ## https://github.com/netblue30/firejail/issues/2860 ## +## KSPP=partial +## KSPP sets the stricter sysctl kernel.yama.ptrace_scope=3. +## ## It is possible to harden further by disabling ptrace() for all users, see documentation. ## https://github.com/Kicksecure/security-misc/pull/242 ## @@ -188,6 +221,9 @@ kernel.yama.ptrace_scope=2 ## https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=/tmp ## https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use#Preventing_TOCTOU ## +## KSPP=yes +## KSPP sets the sysctls. +## fs.protected_hardlinks=1 fs.protected_symlinks=1 
@@ -195,6 +231,9 @@ fs.protected_symlinks=1 ## Also applies to group-writable sticky directories to make data spoofing attacks more difficult. ## Prevents unintentional writes to attacker-controlled files. ## +## KSPP=yes +## KSPP sets the sysctls. +## fs.protected_fifos=2 fs.protected_regular=2 @@ -205,6 +244,9 @@ fs.protected_regular=2 ## ## https://en.wikipedia.org/wiki/Address_space_layout_randomization#Linux ## +## KSPP=yes +## KSPP sets the sysctl. +## kernel.randomize_va_space=2 ## Increase the maximum number of memory map areas a process is permitted to utilize. @@ -254,6 +296,9 @@ kernel.core_pattern=|/bin/false ## Prevent setuid processes or otherwise protected/tainted binaries from creating core dumps. ## Any process which has changed privilege levels or is execute-only will not be dumped. ## +## KSPP=yes +## KSPP sets the sysctl. +## fs.suid_dumpable=0 ## Set core dump file name to 'core.PID' instead of 'core' as a form of defense-in-depth. @@ -284,6 +329,9 @@ vm.swappiness=1 ## https://en.wikipedia.org/wiki/SYN_flood ## https://cateee.net/lkddb/web-lkddb/SYN_COOKIES.html ## +## KSPP=yes +## KSPP sets CONFIG_SYN_COOKIES=y. +## net.ipv4.tcp_syncookies=1 ## Protect against TCP time-wait assassination hazards. From 683110e7f02fa5fc6415354386552640cdb8758b Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 19 Aug 2024 01:34:14 +1000 Subject: [PATCH 02/10] Correction --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index da9254a..1ec228f 100644 --- a/README.md +++ b/README.md @@ -3,7 +3,8 @@ ## Kernel hardening This section is inspired by the Kernel Self Protection Project (KSPP). It -implements all recommended Linux kernel settings by the KSPP and many more. +attempts to implement all recommended Linux kernel settings by the KSPP and +many more sources. - https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project - https://kspp.github.io/Recommended_Settings 
From 94dab1b7c503429e2fa91019a0183b2f36c6693f Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 19 Aug 2024 10:53:05 +1000 Subject: [PATCH 03/10] Partial compliance with the KSPP on kernel panics --- etc/default/grub.d/40_kernel_hardening.cfg | 4 ++-- usr/lib/sysctl.d/990-security-misc.conf | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 35472ba..32f58ac 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -119,8 +119,8 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713 ## -## KSPP=yes -## KSPP sets CONFIG_PANIC_ON_OOPS=y and CONFIG_PANIC_TIMEOUT=-1. +## KSPP=partial +## KSPP sets CONFIG_PANIC_ON_OOPS=y, but also requries CONFIG_PANIC_TIMEOUT=-1. ## ## See /usr/libexec/security-misc/panic-on-oops for implementation. ## diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 3bd7ea1..e9057dc 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -139,8 +139,8 @@ kernel.perf_event_paranoid=3 ## ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713 ## -## KSPP=yes -## KSPP sets CONFIG_PANIC_ON_OOPS=y and CONFIG_PANIC_TIMEOUT=-1. +## KSPP=partial +## KSPP sets CONFIG_PANIC_ON_OOPS=y, but also requries CONFIG_PANIC_TIMEOUT=-1. ## ## See /usr/libexec/security-misc/panic-on-oops for implementation. ## From 56b28e38264fe742b8d694176f1057c15574fc08 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 19 Aug 2024 11:50:08 +1000 Subject: [PATCH 04/10] Typo --- etc/default/grub.d/40_kernel_hardening.cfg | 2 +- usr/lib/sysctl.d/990-security-misc.conf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 32f58ac..aaf5be8 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -120,7 +120,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713 ## ## KSPP=partial -## KSPP sets CONFIG_PANIC_ON_OOPS=y, but also requries CONFIG_PANIC_TIMEOUT=-1. +## KSPP sets CONFIG_PANIC_ON_OOPS=y, but also requires CONFIG_PANIC_TIMEOUT=-1. ## ## See /usr/libexec/security-misc/panic-on-oops for implementation. ## diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index e9057dc..f13f193 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -140,7 +140,7 @@ kernel.perf_event_paranoid=3 ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713 ## ## KSPP=partial -## KSPP sets CONFIG_PANIC_ON_OOPS=y, but also requries CONFIG_PANIC_TIMEOUT=-1. +## KSPP sets CONFIG_PANIC_ON_OOPS=y, but also requires CONFIG_PANIC_TIMEOUT=-1. ## ## See /usr/libexec/security-misc/panic-on-oops for implementation. ## From e4909b5e28e16f09de0e548c9221578ebe1190a3 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sun, 25 Aug 2024 12:47:04 +1000 Subject: [PATCH 05/10] Add details on kernel panics --- README.md | 2 +- etc/default/grub.d/40_kernel_hardening.cfg | 3 ++- usr/lib/sysctl.d/990-security-misc.conf | 18 +++++++++++++----- usr/libexec/security-misc/panic-on-oops | 5 ++++- 4 files changed, 20 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 1ec228f..ecbf3ef 100644 --- a/README.md +++ b/README.md 
@@ -44,7 +44,7 @@ space, user space, core dumps, and swap space. - Force the kernel to panic on "oopses" that can potentially indicate and thwart certain kernel exploitation attempts. Optional - Force immediate reboot on the - occurrence of a kernel panic. + occurrence of a kernel panic and also set panic limit to one (when using Linux kernel >= 6.2). - Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index aaf5be8..c8a7eab 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -114,9 +114,10 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## Force the kernel to panic on "oopses". ## Can sometimes potentially indicate and thwart certain kernel exploitation attempts. -## Also cause panics on machine check exceptions. ## Panics may be due to false-positives such as bad drivers. ## +## https://en.wikipedia.org/wiki/Kernel_panic#Linux +## https://en.wikipedia.org/wiki/Linux_kernel_oops ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713 ## ## KSPP=partial diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index f13f193..e305fa6 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf 
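Review bot: The 40_kernel_hardening.cfg hunk deletes `## Also cause panics on machine check exceptions.` from the `oops=panic` commentary, but if I recall kernel-parameters.txt correctly that sentence is accurate for `oops=panic` (it is documented as also panicking on machine checks), so the removal drops a real side effect a reader deciding whether to uncomment the line would want to know. Consider keeping it, reworded: `## oops=panic also causes panics on machine check exceptions (see kernel-parameters.txt).` As far as I know `oops=panic` and the `kernel.panic_on_oops` sysctl drive the same kernel variable, so the sysctl file likely warrants the same caveat; worth confirming against current kernel source before restoring it there too.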
@@ -132,20 +132,28 @@ kernel.unprivileged_userns_clone=0 ## kernel.perf_event_paranoid=3 -## Force the kernel to panic on "oopses". +## Force the kernel to panic on "oopses" and kernel warnings in the WARN() path. ## Can sometimes potentially indicate and thwart certain kernel exploitation attempts. -## Also cause panics on machine check exceptions. ## Panics may be due to false-positives such as bad drivers. ## -## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713 +## https://en.wikipedia.org/wiki/Kernel_panic#Linux +## https://en.wikipedia.org/wiki/Linux_kernel_oops +## https://en.wikipedia.org/wiki/Kdump_(Linux) +## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panisc-on-oops-1-sysctl-for-better-security/7713 ## ## KSPP=partial -## KSPP sets CONFIG_PANIC_ON_OOPS=y, but also requires CONFIG_PANIC_TIMEOUT=-1. +## KSPP sets the sysctls, CONFIG_PANIC_ON_OOPS=y, but also requires CONFIG_PANIC_TIMEOUT=-1. ## ## See /usr/libexec/security-misc/panic-on-oops for implementation. ## -#kernel.panic_on_oops=1 +## TODO: Debian 13 Trixie +## The limits are applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness). +## #kernel.panic=-1 +kernel.panic_on_oops=1 +#kernel.panic_on_warn=1 +#kernel.oops_limit=1 +#kernel.warn_limit=1 ## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. ## Can lead to privilege escalation by pushing characters into a controlling TTY. diff --git a/usr/libexec/security-misc/panic-on-oops b/usr/libexec/security-misc/panic-on-oops index 2fc25c8..8d647f1 100755 --- a/usr/libexec/security-misc/panic-on-oops +++ b/usr/libexec/security-misc/panic-on-oops 
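Review bot: The Whonix forum URL was altered while being moved in the 990-security-misc.conf hunk: the new line reads `...or-kernel-panisc-on-oops-1-sysctl...` whereas the removed line and the GRUB hunk in the same patch have `...or-kernel-panic-on-oops-1-sysctl...`, so the new link is broken. Restore `## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713`. Also, the notice now says `KSPP sets the sysctls` while only `kernel.panic_on_oops=1` is active and `kernel.panic=-1`, `panic_on_warn`, `oops_limit` and `warn_limit` are commented out; naming the sysctls KSPP actually recommends would make the `partial` tag checkable.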
@@ -15,5 +15,8 @@ fi ## Makes the kernel panic on oopses. This prevents the kernel ## from continuing to run a flawed processes. Many kernel exploits ## will also cause an oops which this will make the kernel kill. -sysctl kernel.panic_on_oops=1 #sysctl kernel.panic=-1 +sysctl kernel.panic_on_oops=1 +#sysctl kernel.panic_on_warn=1 +#sysctl kernel.oops_limit=1 +#sysctl kernel.warn_limit=1 From 32de5e7c49d301b62b838ba88550f58b02b6562b Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sun, 25 Aug 2024 12:57:22 +1000 Subject: [PATCH 06/10] Add details on oopses and warnings --- usr/lib/sysctl.d/990-security-misc.conf | 4 +++- usr/libexec/security-misc/panic-on-oops | 3 ++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index e305fa6..9f79277 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -135,6 +135,8 @@ kernel.perf_event_paranoid=3 ## Force the kernel to panic on "oopses" and kernel warnings in the WARN() path. ## Can sometimes potentially indicate and thwart certain kernel exploitation attempts. ## Panics may be due to false-positives such as bad drivers. +## Oopses are serious but non-fatal errors. +## Kernel warnings are useful to avoid a when attempting to access the location of a WARN(). ## ## https://en.wikipedia.org/wiki/Kernel_panic#Linux ## https://en.wikipedia.org/wiki/Linux_kernel_oops @@ -150,7 +152,7 @@ kernel.perf_event_paranoid=3 ## The limits are applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness). ## #kernel.panic=-1 -kernel.panic_on_oops=1 +#kernel.panic_on_oops=1 #kernel.panic_on_warn=1 #kernel.oops_limit=1 #kernel.warn_limit=1 diff --git a/usr/libexec/security-misc/panic-on-oops b/usr/libexec/security-misc/panic-on-oops index 8d647f1..caeb950 100755 --- a/usr/libexec/security-misc/panic-on-oops +++ b/usr/libexec/security-misc/panic-on-oops 
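Review bot: The added sentence `## Kernel warnings are useful to avoid a when attempting to access the location of a WARN().` in the 990-security-misc.conf hunk is missing a word after `avoid a` and does not parse, so it cannot help anyone deciding whether to uncomment `kernel.panic_on_warn=1`. Going only by the hunk's own description (panic on oopses and on warnings in the WARN() path, with possible false positives from bad drivers), something like `## WARN() marks a non-fatal kernel bug; panic_on_warn=1 turns every such warning into a panic, so expect more false positives than with panic_on_oops alone.` states what the knob does. The hunk also re-comments `kernel.panic_on_oops=1`, consistent with the panic-on-oops script doing the work.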
@@ -14,7 +14,8 @@ fi ## Makes the kernel panic on oopses. This prevents the kernel ## from continuing to run a flawed processes. Many kernel exploits -## will also cause an oops which this will make the kernel kill. +## will also cause an oops which this will make the kernel kill +## the offending processes. #sysctl kernel.panic=-1 sysctl kernel.panic_on_oops=1 #sysctl kernel.panic_on_warn=1 From ac6602ac3531ae57603e8a9e5ac2ee1652164b23 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 26 Aug 2024 11:19:20 +1000 Subject: [PATCH 07/10] Add detail on disabling user namespaces breaking UPower --- usr/lib/sysctl.d/990-security-misc.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 484761e..d244a01 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -116,6 +116,7 @@ kernel.sysrq=0 ## Restricting may lead to breakages in numerous software packages. ## Uncomment the second sysctl to entirely disable user namespaces. ## Disabling entirely will reduce compatibility with some AppArmor profiles. +## Disabling entirely is known to break the UPower systemd servince. ## ## https://lwn.net/Articles/673597/ ## https://madaidans-insecurities.github.io/linux.html#kernel From 2841d789bebbd43f855b6ffb92a3a6f017007a72 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 26 Aug 2024 11:21:26 +1000 Subject: [PATCH 08/10] README: Update --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 946e646..7183675 100644 --- a/README.md +++ b/README.md @@ -8,6 +8,7 @@ many more sources. - https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project - https://kspp.github.io/Recommended_Settings +- https://github.com/KSPP/kspp.github.io ### sysctl 
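Review bot: The reworded comment in panic-on-oops, `## will also cause an oops which this will make the kernel kill` / `## the offending processes.`, describes the wrong outcome: the line it documents is `sysctl kernel.panic_on_oops=1`, under which an oops panics the whole kernel rather than terminating only the offending process (killing just the process is the default behaviour this setting replaces). Suggest `## will also cause an oops; with panic_on_oops=1 the kernel panics instead of killing only the offending process and carrying on.` The script's enclosing `if`/`fi` is outside the shown lines.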
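Review bot: Typo in the new line of 990-security-misc.conf: `## Disabling entirely is known to break the UPower systemd servince.` should be `## Disabling entirely is known to break the UPower systemd service.` Since this breakage only appears after uncommenting the second sysctl, naming that sysctl in the sentence would tie the warning to the knob it refers to; the sysctl line itself is outside the hunk, so I cannot quote it here.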
@@ -75,6 +76,8 @@ Core dumps: - Disable core dump files and prevent their creation. If core dump files are enabled, they will be named based on `core.PID` instead of the default `core`. +Swap space: + - Limit the copying of potentially sensitive content in memory to the swap device. Networking: From 2c356e8b0ef7db56e7b453535c8cb6c83fc2e3c6 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 26 Aug 2024 11:34:12 +1000 Subject: [PATCH 09/10] Add KSPP notice definitions --- etc/default/grub.d/40_cpu_mitigations.cfg | 4 ++++ etc/default/grub.d/40_kernel_hardening.cfg | 4 ++++ etc/default/grub.d/40_remount_secure.cfg | 4 ++++ etc/default/grub.d/40_signed_modules.cfg | 4 ++++ etc/default/grub.d/41_quiet_boot.cfg | 4 ++++ usr/lib/sysctl.d/30_security-misc_kexec-disable.conf | 4 ++++ usr/lib/sysctl.d/30_silent-kernel-printk.conf | 4 ++++ usr/lib/sysctl.d/990-security-misc.conf | 4 ++++ 8 files changed, 32 insertions(+) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index 486b63b..529b626 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg @@ -1,6 +1,10 @@ ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. +## Definitions: +## KSPP=yes: compliant with recommendations by the KSPP +## KSPP=partial: partially compliant with recommendations by the KSPP + ## Enable known mitigations for CPU vulnerabilities. ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html ## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index c8a7eab..49435d9 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg 
@@ -5,6 +5,10 @@ kpkg="linux-image-$(dpkg --print-architecture)" || true kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || true #echo "## kver: $kver" +## Definitions: +## KSPP=yes: compliant with recommendations by the KSPP +## KSPP=partial: partially compliant with recommendations by the KSPP + ## This configuration file is split into 4 sections: ## 1. Kernel Space ## 2. Direct Memory Access diff --git a/etc/default/grub.d/40_remount_secure.cfg b/etc/default/grub.d/40_remount_secure.cfg index db6db11..4593820 100644 --- a/etc/default/grub.d/40_remount_secure.cfg +++ b/etc/default/grub.d/40_remount_secure.cfg @@ -1,6 +1,10 @@ ## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. +## Definitions: +## KSPP=yes: compliant with recommendations by the KSPP +## KSPP=partial: partially compliant with recommendations by the KSPP + ## Remount Secure provides enhanced security via mount options: ## https://www.kicksecure.com/wiki/Security-misc#Remount_Secure diff --git a/etc/default/grub.d/40_signed_modules.cfg b/etc/default/grub.d/40_signed_modules.cfg index 5e6fce7..788eeb1 100644 --- a/etc/default/grub.d/40_signed_modules.cfg +++ b/etc/default/grub.d/40_signed_modules.cfg @@ -1,6 +1,10 @@ ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. +## Definitions: +## KSPP=yes: compliant with recommendations by the KSPP +## KSPP=partial: partially compliant with recommendations by the KSPP + ## Require every kernel module to be signed before being loaded. ## Any module that is unsigned or signed with an invalid key cannot be loaded. ## This prevents all out-of-tree kernel modules unless signed. diff --git a/etc/default/grub.d/41_quiet_boot.cfg b/etc/default/grub.d/41_quiet_boot.cfg index 4806484..86c8660 100644 --- a/etc/default/grub.d/41_quiet_boot.cfg +++ b/etc/default/grub.d/41_quiet_boot.cfg 
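Review bot: The two-line legend added to 40_signed_modules.cfg has no value for a setting that is recommended but shipped disabled, yet both tagged settings in that file (`module.sig_enforce=1` and `lockdown=confidentiality`) are commented out with `Not enabled by default yet due to several issues.`, so `KSPP=yes` reads as a claim about the active configuration. Consider a third definition line, e.g. `## A tag describes the setting as written; it may still be commented out in this file.`, or a distinct tag for disabled entries. The same legend is also pasted into 40_remount_secure.cfg, which as far as this series shows carries no KSPP tags at all.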
@@ -1,6 +1,10 @@ ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. +## Definitions: +## KSPP=yes: compliant with recommendations by the KSPP +## KSPP=partial: partially compliant with recommendations by the KSPP + ## Some default configuration files automatically include the "quiet" parameter. ## Therefore, first remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT since "quiet" must be first. ## LANG=C str_replace is provided by package helper-scripts. diff --git a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf index eb785cc..74ab6f5 100644 --- a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf +++ b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf @@ -1,6 +1,10 @@ ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. +## Definitions: +## KSPP=yes: compliant with recommendations by the KSPP +## KSPP=partial: partially compliant with recommendations by the KSPP + ## NOTE: ## This configuration is in a dedicated file because the ram-wipe package ## requires kexec. However, ram-wipe cannot ship a config file diff --git a/usr/lib/sysctl.d/30_silent-kernel-printk.conf b/usr/lib/sysctl.d/30_silent-kernel-printk.conf index f8baa3f..b07fae9 100644 --- a/usr/lib/sysctl.d/30_silent-kernel-printk.conf +++ b/usr/lib/sysctl.d/30_silent-kernel-printk.conf @@ -1,6 +1,10 @@ ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. +## Definitions: +## KSPP=yes: compliant with recommendations by the KSPP +## KSPP=partial: partially compliant with recommendations by the KSPP + ## Prevent kernel information leaks in the console during boot. ## Must be used in conjunction with kernel boot parameters. ## See /etc/default/grub.d/41_quiet_boot.cfg for implementation. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index d244a01..a0bb243 100644 
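Review bot: The legend is added to 41_quiet_boot.cfg and 30_silent-kernel-printk.conf, but none of the hunks in this series give either file a `KSPP=` tag (PATCH 01 touched neither), so the block defines a vocabulary those files never use and the same four lines are now duplicated across eight files. If every shipped config should carry the legend, a single pointer such as `## KSPP tag definitions: see /usr/lib/sysctl.d/990-security-misc.conf` keeps one source of truth; otherwise drop it from files without tags. I can only see the hunks included here, so a tag elsewhere in those files would change this.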
--- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -6,6 +6,10 @@ ## is parsed first, followed by /usr/lib/sysctl.d/990-security-misc.conf. ## https://github.com/Kicksecure/security-misc/pull/135 +## Definitions: +## KSPP=yes: compliant with recommendations by the KSPP +## KSPP=partial: partially compliant with recommendations by the KSPP + ## This configuration file is divided into 5 sections: ## 1. Kernel Space ## 2. User Space From 9e91c98cc926e7a166458cd78e3c1d1ced23c753 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 26 Aug 2024 12:40:04 +1000 Subject: [PATCH 10/10] Add details on BPF hardening and split the `sysctl`s --- README.md | 5 ++++- usr/lib/sysctl.d/990-security-misc.conf | 20 +++++++++++++++++--- 2 files changed, 21 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 7183675..8af16ae 100644 --- a/README.md +++ b/README.md @@ -25,7 +25,8 @@ Kernel space: - Prevent kernel information leaks in the console during boot. -- Restrict eBPF access to `CAP_BPF` and enable associated JIT compiler hardening. +- Restrict usage of `bpf()` to `CAP_BPF` to prevent the loading of BPF programs + by unprivileged users. - Restrict loading TTY line disciplines to `CAP_SYS_MODULE`. @@ -82,6 +83,8 @@ Swap space: Networking: +- Enable hardening of the BPF JIT compiler protect against JIT spraying. + - Enable TCP SYN cookie protection to assist against SYN flood attacks. - Protect against TCP time-wait assassination hazards. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index a0bb243..bd74a3a 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf 
@@ -58,15 +58,16 @@ kernel.dmesg_restrict=1 ## #kernel.printk=3 3 3 3 -## Restrict eBPF access to CAP_BPF and enable associated JIT compiler hardening. +## Restrict eBPF access to CAP_BPF. +## Disables unprivileged calls to bpf() without recovery. ## ## https://en.wikipedia.org/wiki/EBPF#Security +## https://lwn.net/Articles/660331/ ## ## KSPP=yes -## KSPP sets the sysctls. +## KSPP sets the sysctl. ## kernel.unprivileged_bpf_disabled=1 -net.core.bpf_jit_harden=2 ## Restrict loading TTY line disciplines to users with CAP_SYS_MODULE. ## Prevents unprivileged users from loading vulnerable line disciplines with the TIOCSETD ioctl. @@ -348,6 +349,19 @@ vm.swappiness=1 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-network ## https://wiki.archlinux.org/title/Sysctl#TCP/IP_stack_hardening +## Enable hardening of the BPF JIT compiler for all users. +## Provides some mitigation against JIT spraying. +## +## https://en.wikipedia.org/wiki/JIT_spraying +## https://www.blackhat.com/docs/eu-16/materials/eu-16-Reshetova-Randomization-Can't-Stop-BPF-JIT-Spray-wp.pdf +## https://lwn.net/Articles/686098/ +## https://lwn.net/Articles/525609/ +## +## KSPP=yes +## KSPP sets the sysctl. +## +net.core.bpf_jit_harden=2 + ## Enable TCP SYN cookie protection to assist against SYN flood attacks. ## ## https://en.wikipedia.org/wiki/SYN_flood
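Review bot: `## Disables unprivileged calls to bpf() without recovery.` is the one security-relevant nuance of `kernel.unprivileged_bpf_disabled=1` and deserves to be spelled out: if I recall the sysctl documentation correctly, value 1 is sticky for the running kernel and cannot be changed back without a reboot, whereas value 2 also blocks unprivileged bpf() but can be reverted at runtime. Suggest `## Value 1 cannot be reverted without a reboot (value 2 would allow re-enabling); the irreversible form is chosen deliberately.` The relocated `net.core.bpf_jit_harden=2` entry is fine, though JIT hardening applies to all BPF programs rather than only networking ones, so a short note that the Networking placement is for layout, not scope, would avoid confusion.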