Update docs

This commit is contained in:
raja-grewal 2025-08-06 03:12:06 +00:00 committed by GitHub
parent c2690efcac
commit 498551536c
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 5 additions and 15 deletions


@ -52,8 +52,7 @@ configuration file and significant hardening is applied to a myriad of component
- Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. - Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
- Disable asynchronous I/O (when using Linux kernel >= 6.6) as `io_uring` has been - Disable asynchronous I/O as `io_uring` has been the source of numerous kernel exploits.
the source of numerous kernel exploits.
#### User space #### User space
@ -225,8 +224,7 @@ Kernel space:
since it may be slightly more resilient to attacks that are able to write since it may be slightly more resilient to attacks that are able to write
arbitrary executables in memory. arbitrary executables in memory.
- Optional - Disable support for all x86 processes and syscalls (when using Linux kernel >= 6.7) - Optional - Disable support for all x86 processes and syscalls to reduce attack surface.
to reduce attack surface.
- Disable the EFI persistent storage feature which prevents the kernel from writing crash logs - Disable the EFI persistent storage feature which prevents the kernel from writing crash logs
and other persistent data to either the UEFI variable storage or ACPI ERST backends. and other persistent data to either the UEFI variable storage or ACPI ERST backends.
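Review bot: dropping the "when using Linux kernel >= 6.6" and ">= 6.7" qualifiers from the io_uring and x86 bullets removes the only place the docs told readers which kernel these settings need; `kernel.io_uring_disabled` and `ia32_emulation=0` simply do not exist on older kernels, so a reader applying the profile there gets no protection and no hint why. If the intent is that the profile now targets a newer baseline, state that minimum kernel (or distribution release) once near the top of the hardening section, e.g. "Assumes Linux kernel >= 6.7; older kernels silently ignore some of the settings below", rather than deleting the per-item notes without replacement. Separately, the x86 bullet still says "Optional", which matches the GRUB line staying commented out; keep that wording in sync if the line is ever enabled.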


@ -218,9 +218,6 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
## KSPP=yes ## KSPP=yes
## KSPP does not set CONFIG_COMPAT, CONFIG_IA32_EMULATION, CONFIG_X86_X32, CONFIG_X86_X32_ABI, and CONFIG_MODIFY_LDT_SYSCALL. ## KSPP does not set CONFIG_COMPAT, CONFIG_IA32_EMULATION, CONFIG_X86_X32, CONFIG_X86_X32_ABI, and CONFIG_MODIFY_LDT_SYSCALL.
## ##
## TODO: Debian 13 Trixie
## Applicable when using Linux kernel >= 6.7 (retained here for future-proofing and completeness).
##
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0" #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0"
## Disable EFI persistent storage feature. ## Disable EFI persistent storage feature.
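Review bot: the removed "Applicable when using Linux kernel >= 6.7" line was the only runtime-version note on this block; the KSPP comment directly above lists build-time CONFIG options, which a reader cannot act on, whereas `ia32_emulation=0` is a boot parameter they can. Since the line remains commented out and a user is expected to uncomment it, keep a one-line requirement comment, for example `## Requires Linux kernel >= 6.7; has no effect on older kernels.`, so the "TODO" removal does not also remove the guidance.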


@ -27,7 +27,7 @@ blacklist sr_mod
## Partial selection of their infrastructure blacklist. ## Partial selection of their infrastructure blacklist.
## Duplicate and already disabled modules have been omitted. ## Duplicate and already disabled modules have been omitted.
## ##
## https://github.com/GrapheneOS/infrastructure/blob/main/modprobe.d/local.conf ## https://github.com/GrapheneOS/infrastructure/blob/main/etc/modprobe.d/local.conf
## ##
#blacklist cfg80211 #blacklist cfg80211
#blacklist intel_agp #blacklist intel_agp
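Review bot: the URL fix to `etc/modprobe.d/local.conf` is correct, but it still points at `main`, so the "partial selection" above can drift from whatever upstream publishes next. Consider linking a specific commit of the GrapheneOS infrastructure repository (GitHub `blob/<commit-sha>/etc/modprobe.d/local.conf`) so the comment "Duplicate and already disabled modules have been omitted" stays verifiable against a fixed snapshot.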


@ -197,19 +197,17 @@ kernel.perf_event_paranoid=3
## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. ## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
## Can lead to privilege escalation by pushing characters into a controlling TTY. ## Can lead to privilege escalation by pushing characters into a controlling TTY.
## Will break out-dated screen readers that continue to rely on this legacy functionality. ## Will break out-dated screen readers that continue to rely on this legacy functionality.
## Note this was already disabled by default as of Linux kernel 6.2.
## ##
## https://lore.kernel.org/lkml/20221228205726.rfevry7ud6gmttg5@begin/T/ ## https://lore.kernel.org/lkml/20221228205726.rfevry7ud6gmttg5@begin/T/
## ##
## KSPP=yes ## KSPP=yes
## KSPP sets the sysctl and does not set CONFIG_LEGACY_TIOCSTI. ## KSPP sets the sysctl and does not set CONFIG_LEGACY_TIOCSTI.
## ##
## TODO: Debian 13 Trixie
## This is disabled by default when using Linux kernel >= 6.2.
##
dev.tty.legacy_tiocsti=0 dev.tty.legacy_tiocsti=0
## Disable asynchronous I/O for all processes. ## Disable asynchronous I/O for all processes.
## Leading cause of numerous kernel exploits. ## Use of io_uring has been the leading cause of numerous kernel exploits.
## Disabling will reduce the read/write performance of storage devices. ## Disabling will reduce the read/write performance of storage devices.
## ##
## https://en.wikipedia.org/wiki/Io_uring#Security ## https://en.wikipedia.org/wiki/Io_uring#Security
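Review bot: "Use of io_uring has been the leading cause of numerous kernel exploits" overstates what the cited links support; the Wikipedia section, the moby PR and the Whonix thread document io_uring as a recurring source of vulnerabilities, not as the single leading cause. Suggest `## io_uring has been a recurring source of kernel vulnerabilities and exploits.` Also, deleting "Note this was already disabled by default as of Linux kernel 6.2" drops the reason the explicit `dev.tty.legacy_tiocsti=0` is still worth keeping; a short replacement such as `## Set explicitly so the hardened value holds regardless of CONFIG_LEGACY_TIOCSTI in the distribution kernel.` preserves that rationale without the TODO.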
@ -218,9 +216,6 @@ dev.tty.legacy_tiocsti=0
## https://github.com/moby/moby/pull/46762 ## https://github.com/moby/moby/pull/46762
## https://forums.whonix.org/t/io-uring-security-vulnerabilties/16890 ## https://forums.whonix.org/t/io-uring-security-vulnerabilties/16890
## ##
## TODO: Debian 13 Trixie
## Applicable when using Linux kernel >= 6.6 (retained here for future-proofing and completeness).
##
kernel.io_uring_disabled=2 kernel.io_uring_disabled=2
## 2. User Space: ## 2. User Space:
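Review bot: with the "Applicable when using Linux kernel >= 6.6" comment gone, `kernel.io_uring_disabled=2` is now presented as unconditional, but on kernels without that sysctl `sysctl --system` reports the key as unknown and moves on, so the setting fails silently on older hosts. Either keep the minimum-version comment, or write the key as `-kernel.io_uring_disabled=2` (sysctl(8) ignores failures for lines prefixed with `-`) and say in the comment that the dash is there because the key only exists on newer kernels, so the intent is visible to whoever reads the file next.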