diff --git a/README.md b/README.md index 1499540..6de1b09 100644 --- a/README.md +++ b/README.md @@ -50,16 +50,23 @@ configuration file and significant hardening is applied to a myriad of component and thwart certain kernel exploitation attempts) and kernel warnings in the `WARN()` path. - Force immediate system reboot on the occurrence of a single kernel panic, reducing the - risk and impact of denial of service attacks and both cold and warm boot attacks. + risk and impact of denial-of-service attacks and both cold and warm boot attacks. -- Optional - Force immediate kernel panic on OOM. This is to avoid security features such as the screen - locker, kloak, emerg-shutdown from being arbitrarily terminated when the system starts - running out of memory. +- Optional - Force immediate kernel panic on OOM (out of memory) which with the above setting + will force an immediate system reboot as opposed to placing any reliance on the oom_killer + to avoid arbitrarily terminating security features based on their OOM score. Note this + creates the risk of userspace-based denial-of-service attacks that maliciously fill memory. + +- Optional - Force immediate kernel panics upon receiving NMIs (Non-Maskable Interrupts) + triggered by serious hardware-level I/O issues, uncorrectable memory and hardware errors, + and undefined or unknown sources in order to prevent data corruption. - Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. - Disable asynchronous I/O as `io_uring` has been the source of numerous kernel exploits. +- Disable 32-bit vDSO mappings as they are a legacy compatibility feature. + #### User space - Disable the usage of `ptrace()` by all processes as it enables programs to inspect @@ -132,6 +139,9 @@ configuration file and significant hardening is applied to a myriad of component - Disable TCP timestamps as they can allow detecting the system time. +- Disable reuse of `TIME_WAIT` sockets for new outgoing connections as the above + setting disables TCP timestamps. + - Optional - Log packets with impossible source or destination addresses to enable further inspection and analysis. @@ -156,6 +166,8 @@ CPU mitigations: - Spectre Side Channels (BTI and BHI) +- Meltdown + - Speculative Store Bypass (SSB) - L1 Terminal Fault (L1TF) @@ -206,8 +218,8 @@ Kernel space: - Enable the kernel page allocator to randomize free lists to limit some data exfiltration and ROP attacks, especially during the early boot process. -- Enable kernel page table isolation to increase KASLR effectiveness and also - mitigate the Meltdown CPU vulnerability. +- Enable kernel page table isolation on x86_64 and ARM64 CPUs to increase + KASLR effectiveness and also mitigate the Meltdown CPU vulnerability. - Enable randomization of the kernel stack offset on syscall entries to harden against memory corruption attacks. @@ -218,10 +230,11 @@ Kernel space: - Restrict access to debugfs by not registering the file system since it can contain sensitive information. -- Force kernel panics on "oopses" to potentially indicate and thwart certain - kernel exploitation attempts. +- Force the kernel to immediately panic on both "oopses" (which can potentially indicate + and thwart certain kernel exploitation attempts) and kernel warnings in the `WARN()` path. -- Optional - Modify the machine check exception handler. +- Force immediate system reboot on the occurrence of a single kernel panic, reducing the + risk and impact of denial-of-service attacks and both cold and warm boot attacks. - Prevent sensitive kernel information leaks in the console during boot. @@ -238,6 +251,15 @@ Kernel space: - Disable the EFI persistent storage feature which prevents the kernel from writing crash logs and other persistent data to either the UEFI variable storage or ACPI ERST backends. +- Optional - On compatible AMD CPUs enable Secure Memory Encryption (SME) to protect against + cold boot attacks and Secure Encrypted Virtualization (SEV) for further guest memory isolation. + +- Prevent runaway privileged processes from writing to block devices that are mounted by + filesystems to protect against filesystem corruption and kernel crashes. + +- Restrict processes from modifying their own memory mappings unless actively done via + `ptrace()` in order to limit self-modification which can trigger exploits. + Direct memory access: - Enable strict IOMMU translation to protect against some DMA attacks via the use @@ -248,12 +270,21 @@ Direct memory access: Entropy: -- Do not credit the CPU or bootloader as entropy sources at boot in order to - maximize the absolute quantity of entropy in the combined pool. +- Do not credit the CPU seeds as an entropy source at boot in order to maximize the + absolute quantity of entropy in the combined pool. This is desirable for all + cryptographic operations, to avoid reliance on proprietary RDRAND and RDSEED CPU + instructions for random number generation that have long history of being defective. + +- Do not credit the bootloader seeds as an entropy sources at boot to maximize the + absolute quantity of entropy in the combined pool. This is desirable for all + cryptographic operations as seeds passed by the bootloader could be tampered. - Obtain more entropy at boot from RAM as the runtime memory allocator is being initialized. +- Obtain more entropy at boot from RAM as the runtime memory allocator is being + initialized to maximize the absolute quantity of entropy in the combined pool. + Networking: - Optional - Disable the entire IPv6 stack to reduce attack surface. @@ -295,6 +326,14 @@ feasible due to compatibility issues with Firefox. * [security-misc pull request #249](https://github.com/Kicksecure/security-misc/pull/249) * [security-misc issue #267](https://github.com/Kicksecure/security-misc/issues/267) +3. Kernel boot parameter `hash_pointers=always` + +Force all exposed pointers to be hashed and must be used in combination with the already enabled +`slab_debug=FZ` kernel boot parameter. Currently is not possible as requires Linux kernel >= 6.17. + +* [security-misc issue #253](https://github.com/Kicksecure/security-misc/issues/253) +* [security-misc pull request #325](https://github.com/Kicksecure/security-misc/pull/325) + ### Kernel Modules #### Kernel Module Signature Verification diff --git a/changelog.upstream b/changelog.upstream index cb06465..97b14f1 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,195 @@ +commit b7b6b6e5fbeba0cfab141bf05d7fb657879ba8e9 +Author: Patrick Schleizer +Date: Mon Dec 8 09:42:59 2025 -0500 + + output + +commit 8f99672cb24242d6cb86d985384ab4ad7d1aca54 +Author: Patrick Schleizer +Date: Fri Dec 5 11:39:12 2025 +0000 + + bumped changelog version + +commit ac128dd873968b1815e4113b30ea69f34fa0b088 +Merge: 17dd7af7 85761a41 +Author: Patrick Schleizer +Date: Fri Dec 5 06:35:03 2025 -0500 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/trixie' + +commit 85761a4153a4f19e7b18e91062e97d3376451884 +Author: Aaron Rainbolt +Date: Thu Dec 4 23:27:18 2025 -0600 + + permission-hardener: Fix undo warning logic, minor improvements suggested by ChatGPT Codex + +commit 17dd7af7d1cf37ff30a17e2eaee06732d627ed34 +Author: Patrick Schleizer +Date: Wed Dec 3 08:31:22 2025 +0000 + + bumped changelog version + +commit c44678f92df924e4c10f08960426c526e0292aba +Merge: 6f9732be 0534a34e +Author: Patrick Schleizer +Date: Wed Dec 3 03:22:44 2025 -0500 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/trixie' + +commit 0534a34ed7246793db384518cfbecb3adfcb7f3e +Author: Aaron Rainbolt +Date: Tue Dec 2 19:06:30 2025 -0600 + + Fix block-unsafe-logins when running as non-root, add swaylock to list of safe auth services + +commit 6f9732be98cbc344076b89d57491c423368172d5 +Merge: 2089b3a9 b3eb739f +Author: Patrick Schleizer +Date: Tue Dec 2 06:04:07 2025 -0500 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/trixie' + +commit b3eb739fe2662acfbd844de8d87af4720727fc7a +Author: Aaron Rainbolt +Date: Sun Nov 30 00:20:21 2025 -0600 + + Link fix, change some wording + +commit 5f34b4146e895bb935b719071ab2762278944995 +Merge: 2c253b13 29176d2e +Author: Aaron Rainbolt +Date: Sun Nov 30 00:12:18 2025 -0600 + + Merge remote-tracking branch 'raja/docs' into arraybolt3/trixie + +commit 2c253b1312c034cb8395039803380c1157967061 +Merge: 17ab1bb0 c5f91eb3 +Author: Aaron Rainbolt +Date: Sat Nov 29 21:01:51 2025 -0600 + + Merge remote-tracking branch 'raja/vsyscall32' into arraybolt3/trixie + +commit 17ab1bb00fe287c4c941d9cd3813ee3a3ae89ade +Author: Aaron Rainbolt +Date: Sat Nov 29 20:44:30 2025 -0600 + + Documentation fix + +commit 2b2d30afce3d40eb9c2177ad67fd7d89cd4602a0 +Merge: f0d069c7 3fdfebc4 +Author: Aaron Rainbolt +Date: Sat Nov 29 20:23:09 2025 -0600 + + Merge remote-tracking branch 'raja/limit_full_force' into arraybolt3/trixie + +commit f0d069c7968e2ee10d7104ce1ba502d3122b0ab2 +Author: Aaron Rainbolt +Date: Sat Nov 29 20:15:03 2025 -0600 + + Minor README.md corrections + +commit b73a830b0f62fe43b38cc89d56d997bed355570c +Merge: e54cb007 53d90b11 +Author: Aaron Rainbolt +Date: Sat Nov 29 19:59:35 2025 -0600 + + Merge remote-tracking branch 'raja/kpti' into arraybolt3/trixie + +commit e54cb007f9fc351c25c292ffd68abe974be56bb0 +Merge: 84e193c4 e43d4d7f +Author: Aaron Rainbolt +Date: Sat Nov 29 19:54:10 2025 -0600 + + Merge remote-tracking branch 'raja/limit_bdev_writes' into arraybolt3/trixie + +commit 84e193c44ec9ebf676d1fb4a32d6e2f68afd3d0d +Merge: 65c45fc3 5ac02d2d +Author: Aaron Rainbolt +Date: Fri Nov 28 14:21:59 2025 -0600 + + Merge remote-tracking branch 'raja/stop_tw_reuse' into arraybolt3/trixie + +commit 65c45fc3d799cdf6402328cc61cbdd1949a12945 +Author: Aaron Rainbolt +Date: Fri Nov 28 00:13:45 2025 -0600 + + Minor fixes to NMI panic docs + +commit 37b1d055f18c6335e96c41c06174b66e43e4a8ff +Merge: 7280d886 ebc011e6 +Author: Aaron Rainbolt +Date: Fri Nov 28 00:09:43 2025 -0600 + + Merge remote-tracking branch 'raja/panic_nmi' into arraybolt3/trixie + +commit 7280d8867da50e05dd7d3071123d49b15660051d +Merge: 2089b3a9 62dc2d44 +Author: Aaron Rainbolt +Date: Thu Nov 27 23:28:53 2025 -0600 + + Merge remote-tracking branch 'raja/amd_encrypt_ram' into arraybolt3/trixie + +commit 2089b3a9b8e9d10c06850f0329f7e2eb8a8a12cc +Author: Patrick Schleizer +Date: Mon Nov 24 08:44:10 2025 +0000 + + bumped changelog version + +commit cbd35502f19e74b6f95ff40bf03f02806eef3cdc +Author: Patrick Schleizer +Date: Mon Nov 24 03:18:25 2025 -0500 + + comment + +commit cac73c3154b3278ad71edc0fd159afc71d5dbc45 +Author: Patrick Schleizer +Date: Mon Nov 24 03:17:38 2025 -0500 + + minor + +commit d68988e76cda939ce200d970e19310cadba5d08e +Author: Patrick Schleizer +Date: Mon Nov 24 03:17:25 2025 -0500 + + comments + +commit c1ca36d75888b95835b953c3a8a122954c1e5929 +Merge: ec116795 a3417e99 +Author: Patrick Schleizer +Date: Mon Nov 24 03:11:19 2025 -0500 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/trixie' + +commit a3417e997d26e9a88d30da408d470fab98f58d79 +Author: Aaron Rainbolt +Date: Sun Nov 23 16:27:59 2025 -0600 + + Add pkexec remembered permissions fix for permission-hardener, fix some postinst bugs + +commit edda37809fb186f6d85511e774957b701483ca66 +Author: Aaron Rainbolt +Date: Sun Nov 23 14:54:02 2025 -0600 + + Remove obsolete migration code for permission-hardener, add initial permission-hardener state installation code + +commit ec11679514d54c9a61e7c4e35ce81467b12333f4 +Author: Patrick Schleizer +Date: Sun Nov 23 10:26:13 2025 +0000 + + bumped changelog version + +commit 5c4d3162ab3c5178502c1f48e6288dc86cc45bb1 +Author: Patrick Schleizer +Date: Sun Nov 23 05:25:13 2025 -0500 + + fix + +commit 9f85a78c9919d71c3e92099cac8525ac385aea5c +Author: Patrick Schleizer +Date: Wed Nov 19 07:02:14 2025 +0000 + + bumped changelog version + commit 4e7cfb0d061810ec7c3139379a65db83abc39efc Merge: d267cf67 936c799c Author: Patrick Schleizer @@ -11,6 +203,43 @@ Date: Tue Nov 18 23:53:03 2025 -0600 Don't break passwordless sudo in unrestricted admin mode +commit ebc011e67bff659778cbca2240c5e57d663f3f41 +Author: raja-grewal +Date: Wed Nov 19 11:35:04 2025 +1100 + + Typo + +commit 62dc2d448366d190812773ec9eeadd38e1223cbc +Author: raja-grewal +Date: Tue Nov 18 20:31:46 2025 +1100 + + Add note about Intel TME + +commit 29176d2ed29b07c4da9b9c0df1eefd2bda70b984 +Author: raja-grewal +Date: Sat Nov 15 06:30:11 2025 +0000 + + Remove the option to reduce the MCE tolerance level + +commit 9f897c5ccda781d010077446abb3d176cf929c94 +Author: raja-grewal +Date: Sat Nov 15 05:48:33 2025 +0000 + + Update docs on reducing the MCE tolerance level + +commit b6fe1a5a6e164c7a7505b5e27ece582a1b928d82 +Author: raja-grewal +Date: Sat Nov 15 04:51:01 2025 +0000 + + Make panic related settings consistent + Ensures the `sysctl` and boot parameters are equivalent in settings and in description. This should prevent future questions regarding having omitted boot parameters that were actually redundant. + +commit 99e993b885ca1fa30a871120b545f9334371cd5a +Author: raja-grewal +Date: Sat Nov 15 03:16:07 2025 +0000 + + Provide options to enable AMD SME and SEV + commit d267cf6761076092c299508a0c356c05d0ee713d Author: Patrick Schleizer Date: Fri Nov 14 06:21:34 2025 +0000 @@ -36,6 +265,18 @@ Date: Tue Nov 11 23:59:50 2025 -0500 Merge remote-tracking branch 'ArrayBolt3/arraybolt3/trixie' +commit d891313d57b469c28c08993b05d355b29ea08397 +Author: raja-grewal +Date: Tue Nov 11 11:39:21 2025 +0000 + + Provide options to panic upon receiving NMIs + +commit 0b9b9ffb1e87850e3296d0420c305062b66868d5 +Author: raja-grewal +Date: Tue Nov 11 11:32:47 2025 +0000 + + Improve clarity for panic on OOM + commit 3070aa5d1f988b199030b31baa2fabc2db7b289f Author: Aaron Rainbolt Date: Mon Nov 10 22:40:15 2025 -0600 @@ -121,6 +362,18 @@ Date: Mon Nov 10 02:04:15 2025 -0500 Merge remote-tracking branch 'ArrayBolt3/arraybolt3/trixie' +commit 5ac02d2d528a37fe1c162c4808b3d874a8c53159 +Author: raja-grewal +Date: Mon Nov 10 06:13:35 2025 +0000 + + Set `net.ipv4.tcp_tw_reuse=0` + +commit b89aaea61e83aea6b23ea34a01dbb1e6bce1e2df +Author: raja-grewal +Date: Mon Nov 10 06:03:33 2025 +0000 + + Add docs on logging martian packets + commit 5fbd42bbec55d66197b70789b10f7cb6705207fb Author: Aaron Rainbolt Date: Sun Nov 9 18:38:54 2025 -0600 @@ -133,6 +386,19 @@ Date: Sun Nov 9 17:46:22 2025 -0600 Prevent non-sysmaint logins in sysmaint mode and unsafe passwordless logins in user mode +commit a3830db09e3f567237caefb687ef2da877573b03 +Author: raja-grewal +Date: Sun Nov 9 13:42:31 2025 +0000 + + Update docs relating to panic on OOM + +commit 0aa0b67df6a33b84a656cfb7055c4af5ca583439 +Merge: a46f678c 0939883f +Author: raja-grewal +Date: Mon Nov 10 00:20:48 2025 +1100 + + Merge branch 'master' into docs + commit 0939883f0b5e1232e9aa85e61c0cbef551a59357 Author: Patrick Schleizer Date: Sun Nov 9 10:47:45 2025 +0000 @@ -202,6 +468,61 @@ Date: Fri Nov 7 17:09:22 2025 -0600 Suppress usbguard startup unless a USB controller is visible to lspci +commit a46f678c7f8715fd1cedd1102f9815b9d845ccb3 +Author: raja-grewal +Date: Wed Nov 5 00:05:17 2025 +0000 + + Update docs on latent entropy + +commit 37b493826ec60397c6019959abb7e0631dd33ed4 +Author: raja-grewal +Date: Wed Nov 5 00:03:54 2025 +0000 + + Spit distrusting entropy settings for clarity + +commit 019a0cf72c99f9f10fd42afbfed96c283e17e458 +Author: raja-grewal +Date: Wed Nov 5 00:03:19 2025 +0000 + + Update docs on entropy + +commit 4c88b911415cbf57eecc93a22c6674322662db50 +Merge: d175d1be 5b97e7bd +Author: raja-grewal +Date: Wed Nov 5 10:10:10 2025 +1100 + + Merge branch 'Kicksecure:master' into docs + +commit e43d4d7f7110de0b23996373e9462aa900b314a6 +Author: raja-grewal +Date: Mon Nov 3 05:46:07 2025 +0000 + + Set `bdev_allow_write_mounted=0` + +commit 53d90b1128d55e352b3eef8ae680a07a825b1ecf +Author: raja-grewal +Date: Mon Nov 3 04:32:49 2025 +0000 + + Update docs on `ssbd=force-on` + +commit 322584db3346aaa1e3d1f9782b3d22ca2153c7da +Author: raja-grewal +Date: Mon Nov 3 04:31:59 2025 +0000 + + Update docs on `pti=on` + +commit 5e87c9bea49b5a06c1400cb8b632f344cccb6db6 +Author: raja-grewal +Date: Mon Nov 3 04:30:58 2025 +0000 + + Set `kpti=1` + +commit 3fdfebc4646d7c1f48806d02810de44fd53482bb +Author: raja-grewal +Date: Mon Nov 3 00:48:49 2025 +0000 + + Set `proc_mem.force_override=ptrace` + commit 5b97e7bd277038b3b04c80a78ce05bb52277d4f6 Author: Patrick Schleizer Date: Sun Nov 2 11:41:51 2025 +0000 @@ -227,6 +548,18 @@ Date: Sun Nov 2 05:57:52 2025 -0500 move usbguard reject rules to the top +commit c5f91eb33a2ad745af7a6278cf49419d0b366343 +Author: raja-grewal +Date: Sun Nov 2 06:15:06 2025 +0000 + + Add another method to disable 32-bit legacy vsyscalls + +commit d175d1be525edd8fb6140680c31425c8a89cc244 +Author: raja-grewal +Date: Sun Nov 2 15:54:34 2025 +1100 + + Add doc on entropy related failure on AMD Zen 5 CPUs + commit 7beb19b64a33cb86771488ab558756fa86b577d3 Author: Aaron Rainbolt Date: Sat Nov 1 22:06:44 2025 -0500 @@ -375,6 +708,12 @@ Date: Wed Oct 22 00:37:36 2025 -0400 do not start usbguard-notifier if /sys/bus/usb does not exist +commit 8f78269949217ac11163cc8b6f17147621fef6eb +Author: raja-grewal +Date: Mon Oct 20 05:36:54 2025 +0000 + + Add docs on slab_debug + commit 7969ffd4a52786f4a92f74931fff85430906a629 Author: Patrick Schleizer Date: Sun Oct 19 08:43:36 2025 +0000 @@ -389,6 +728,19 @@ Date: Sun Oct 19 04:42:24 2025 -0400 https://forums.kicksecure.com/t/usbguard-what-should-we-allow-or-disallow-by-default/1248/49 +commit 9f7480e20adf148dcb7dbe80e704f3f79691b657 +Author: raja-grewal +Date: Sun Oct 19 01:41:58 2025 +0000 + + Make terminology consistent + +commit f2c3eba4f06c38fda7843427c352022a0f869f66 +Merge: 11d9b940 929421bd +Author: raja-grewal +Date: Sun Oct 19 12:23:13 2025 +1100 + + Merge branch 'Kicksecure:master' into docs + commit 929421bd258a3c0c1f142f707aeff479f2ea3c49 Author: Patrick Schleizer Date: Sat Oct 18 09:19:07 2025 +0000 @@ -414,6 +766,18 @@ Date: Fri Oct 17 15:49:42 2025 -0500 Set USBGuard settings to permit USB hubs and Qubes USB passthrough +commit 11d9b9403854ae7cd2638765e8350257580be35f +Author: raja-grewal +Date: Fri Oct 17 01:01:28 2025 +0000 + + Add docs on entropy + +commit 708e1358dfbc21444f2bf39dfa81ea5053f2bb10 +Author: raja-grewal +Date: Fri Oct 17 00:48:57 2025 +0000 + + Add docs relating `extra_latent_entropy` + commit 3d5e659b78cf2588f95280c13b1ebdf24060fb6f Author: Aaron Rainbolt Date: Wed Oct 15 19:02:48 2025 -0500 @@ -446,6 +810,18 @@ Date: Wed Oct 15 17:53:26 2025 -0500 Allow listing USB devices via usbguard +commit f690b58870bd90582018cec51046f4ed67a414d4 +Author: raja-grewal +Date: Mon Oct 13 02:08:44 2025 +0000 + + Add docs relating to panic on OOM + +commit 9db63d97770e62749c0b602dd9e7d2d4d6a1128b +Author: raja-grewal +Date: Mon Oct 13 01:01:14 2025 +0000 + + README: Update KSSP compliance status + commit 23041741715cc5f3d16378d6bb34719ceaa1642c Author: raja-grewal Date: Sun Oct 12 02:32:45 2025 +0000 diff --git a/debian/changelog b/debian/changelog index 84d868a..85d27ad 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,33 @@ +security-misc (3:50.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 09 Dec 2025 14:06:55 +0000 + +security-misc (3:50.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 05 Dec 2025 11:39:12 +0000 + +security-misc (3:50.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 03 Dec 2025 08:31:21 +0000 + +security-misc (3:50.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 24 Nov 2025 08:44:09 +0000 + +security-misc (3:50.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 23 Nov 2025 10:26:13 +0000 + security-misc (3:50.1-1) unstable; urgency=medium * New upstream version (local package). diff --git a/debian/security-misc-shared.postinst b/debian/security-misc-shared.postinst index f77f39a..a246308 100755 --- a/debian/security-misc-shared.postinst +++ b/debian/security-misc-shared.postinst @@ -37,41 +37,86 @@ permission_hardening() { echo "$0: INFO: Permission hardening success." } -migrate_permission_hardener_state() { - local existing_mode_dir new_mode_dir dpkg_statoverride_list - ## If folder /var/lib/permission-hardener (version 1) does not exist, this migration is unneeded. - if [ ! -d '/var/lib/permission-hardener' ]; then +fix_pkexec_remembered_permissions() { + if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" ]; then return 0 fi - - if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_2" ]; then - return 0 - fi mkdir --parents '/var/lib/security-misc/do_once' - existing_mode_dir='/var/lib/permission-hardener-v2/existing_mode' - new_mode_dir='/var/lib/permission-hardener-v2/new_mode' - - mkdir --parents "${existing_mode_dir}"; - mkdir --parents "${new_mode_dir}"; - - cp --verbose '/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded' "${existing_mode_dir}/statoverride" - cp --verbose '/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded' "${new_mode_dir}/statoverride" - - dpkg_statoverride_list="$(dpkg-statoverride --admindir "${new_mode_dir}" --list)" - - if [ "$(stat --format '%G' /usr/bin/sudo)" = 'sysmaint' ]; then - if ! [[ "${dpkg_statoverride_list}" =~ '/usr/bin/sudo' ]]; then - dpkg-statoverride --admindir "${new_mode_dir}" --add 'root' 'sysmaint' '4750' '/usr/bin/sudo' - fi - fi - if [ "$(stat --format '%G' /usr/bin/pkexec)" = 'sysmaint' ]; then - if ! [[ "${dpkg_statoverride_list}" =~ '/usr/bin/pkexec' ]]; then - dpkg-statoverride --admindir "${new_mode_dir}" --add 'root' 'sysmaint' '4750' '/usr/bin/pkexec' - fi + if ! [ -f "/var/lib/permission-hardener-v2/existing_mode/statoverride" ]; then + ## 'statoverride' file does not exist yet. Therefore no need to fix it using 'str_replace'. + touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" + return 0 fi - touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_2" + ## The existing_mode database may incorrectly list the original permissions + ## of pkexec as '755'. They should be '4755'. Fix this with str_replace. If + ## this issue is not present, str_replace will do nothing. + str_replace 'root root 755 /usr/bin/pkexec' \ + 'root root 4755 /usr/bin/pkexec' \ + /var/lib/permission-hardener-v2/existing_mode/statoverride + + touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" +} + +install_permission_hardener_base_state() { + local state_str + + if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" ]; then + return 0 + fi + mkdir --parents '/var/lib/security-misc/do_once' + + if [ -f "/var/lib/permission-hardener-v2/existing_mode/statoverride" ]; then + ## 'statoverride' file already exists. Therefore no need to pre-populate it. + touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" + return 0 + fi + + mkdir --parents -- '/var/lib/permission-hardener-v2/existing_mode' + state_str="root root 644 /etc/passwd- +root root 755 /etc/cron.monthly +root root 755 /etc/sudoers.d +root shadow 2755 /usr/bin/expiry +root root 4755 /usr/bin/umount +root root 4755 /usr/bin/gpasswd +root root 755 /usr/lib/modules +root root 644 /etc/issue.net +root root 644 /etc/group- +root root 4755 /usr/bin/newgrp +root root 755 /etc/cron.weekly +root root 4755 /usr/lib/polkit-1/polkit-agent-helper-1 +root root 644 /etc/hosts.deny +root root 4755 /usr/bin/newgidmap +root root 644 /etc/issue.kicksecure +root root 4755 /usr/bin/pkexec +root root 4755 /usr/bin/su +root root 644 /etc/hosts.allow +root root 700 /root +root root 755 /etc/cron.daily +root root 644 /etc/motd +root root 4755 /usr/bin/newuidmap +root root 755 /boot +root root 755 /home +root shadow 2755 /usr/bin/chage +root root 4755 /usr/lib/openssh/ssh-keysign +root root 4755 /usr/bin/ntfs-3g +root root 4755 /usr/bin/chsh +root root 644 /etc/motd.kicksecure +root root 755 /usr/bin/su-to-root +root root 4755 /usr/bin/passwd +root root 4755 /usr/bin/chfn +root root 644 /etc/group +root root 4755 /usr/bin/sudo +root root 644 /etc/passwd +root root 755 /usr/src +root root 4755 /usr/bin/mount +root root 644 /etc/issue +root root 755 /etc/cron.d" + + printf '%s\n' "$state_str" | tee /var/lib/permission-hardener-v2/existing_mode/statoverride + + touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" } case "$1" in @@ -84,11 +129,18 @@ case "$1" in ## /usr/share/glib-2.0/schemas/30_security-misc.gschema.override glib-compile-schemas /usr/share/glib-2.0/schemas || true - ## state dir for faillock + ## state dir for PAM 'faillock' mkdir -p /var/lib/security-misc/faillock - ## migrate permission_hardener state to v2 if applicable - migrate_permission_hardener_state + ## Fix pkexec remembered permissions if necessary. + fix_pkexec_remembered_permissions + + ## Pre-populate permission-hardener state on first postinst run. + ## Necessary because the first permission-hardener run may occur + ## before all permissions are set properly by package postinst + ## scripts. In particular, pkexec is not SUID-root until after its + ## postinst runs. + install_permission_hardener_base_state ## Fix usbguard config permissions, this seemingly can't be done ## during the unpack stage diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared b/etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared index 8f18ad0..0bd8665 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared +++ b/etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared @@ -71,10 +71,24 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_bhi=on" +## Meltdown: +## Mitigate Spectre Variant 3 using kernel page table isolation (PTI). +## Force enable PTI of user and kernel address spaces on all cores. +## Mitigations for X86_64 CPUs are done in /etc/default/grub.d/40_kernel_hardening.cfg using "pti=on". +## Currently affects ARM64 CPUs. +## +## https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability) +## https://en.wikipedia.org/wiki/Kernel_page-table_isolation +## +## KSPP=yes +## KSPP sets CONFIG_UNMAP_KERNEL_AT_EL0=y. +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kpti=1" + ## Speculative Store Bypass (SSB): ## Mitigate Spectre Variant 4 by disabling speculative store bypass system-wide. ## Unconditionally enable the mitigation for both kernel and userspace. -## Currently affects both AMD and Intel CPUs. +## Currently affects AMD, ARM64, and Intel CPUs. ## ## https://en.wikipedia.org/wiki/Speculative_Store_Bypass ## https://www.suse.com/support/kb/doc/?id=000019189 diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index 2eef877..33722f6 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared @@ -38,13 +38,17 @@ kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || tru ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge" -## Enable sanity checks and red zoning of slabs via debugging options to detect corruption. +## Enable sanity checks and red zoning of slabs via debugging options to detect memory corruption. +## Sanity checks force additional verification steps on every memory allocation and free operation. +## Red zoning adds extra metadata to each object to detect writes beyond the object's boundaries. ## As a by product of debugging, this will implicitly disabling kernel pointer hashing unless manually re-enabled. ## Enabling this (for now) will therefore leak exact and all kernel memory addresses to root. -## Has the potential to cause a noticeable performance decrease. +## Introduces a noticeable performance overhead during all memory allocation and deallocation operations. ## ## https://www.kernel.org/doc/html/latest/mm/slub.html +## https://www.kernel.org/doc/Documentation/vm/slub.txt ## https://lore.kernel.org/all/20210601182202.3011020-5-swboyd@chromium.org/T/#u +## https://blogs.oracle.com/linux/post/linux-slub-allocator-internals-and-debugging-2 ## https://gitlab.tails.boum.org/tails/tails/-/issues/19613 ## https://github.com/Kicksecure/security-misc/issues/253 ## @@ -83,8 +87,10 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_free=1" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1" ## Enable kernel page table isolation to harden against kernel ASLR (KASLR) bypasses. -## Mitigates the Meltdown CPU vulnerability. +## Mitigates the Meltdown (Spectre Variant 3) CPU vulnerability. +## Mitigations for ARM64 CPUs are done in /etc/default/grub.d/40_cpu_mitigations.cfg using "kpti=1". ## +## https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability) ## https://en.wikipedia.org/wiki/Kernel_page-table_isolation ## ## KSPP=yes @@ -122,33 +128,40 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none" ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" -## Force the kernel to immediately panic on "oopses". +## Force the kernel to immediately panic on "oopses" and kernel warnings in the WARN() path. ## Panics may be due to false-positives such as bad drivers. +## Both allowed limits are set to one so that panics occur on the single first instance of either scenario. ## Oopses are serious but non-fatal errors. ## Certain "oopses" can sometimes indicate and thwart potential kernel exploitation attempts. -## Note that by forcing kernel panics on oopses, this exposes the system to targeted denial of service attacks. +## Warnings are messages generated by the kernel to indicate unexpected conditions or errors. +## By default, code execution continues regardless of warnings emitted by macros like WARN() and WARN_ON(). +## Note that by forcing kernel panics on oopses and warnings, this exposes the system to targeted denial of service attacks. ## ## https://en.wikipedia.org/wiki/Kernel_panic#Linux ## https://en.wikipedia.org/wiki/Linux_kernel_oops +## https://lwn.net/Articles/876209/ +## https://git.sr.ht/~gregkh/presentation-security/tree/3fdaf81a2f8b2c8d64cdb2f529cc714624868aa8/item/security-stuff.pdf ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713 ## ## KSPP=yes -## KSPP sets CONFIG_PANIC_ON_OOPS=y and CONFIG_PANIC_TIMEOUT=-1. +## KSPP sets CONFIG_PANIC_ON_OOPS=y. ## ## See /usr/libexec/security-misc/panic-on-oops for implementation. ## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX oops=panic" +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX panic_on_warn=1" -## Modify machine check exception handler. -## Can decide whether the system should panic or not based on the occurrence of an exception. +## Force immediate system reboots on the occurrence of a single kernel panic. +## Increases resilience and limits impact of denial of service attacks as system automatically restarts. +## Ensures the system does not hang forever if a panic occurs, reducing susceptibility to both cold and warm boot attacks. +## Immediate rebooting also prevents persistent information disclosure on panic details that were dumped to screen. ## -## https://www.kernel.org/doc/html/latest/arch/x86/x86_64/machinecheck.html -## https://www.kernel.org/doc/html/latest/arch/x86/x86_64/boot-options.html#machine-check -## https://forums.whonix.org/t/kernel-hardening/7296/494 +## KSPP=yes +## KSPP sets CONFIG_PANIC_TIMEOUT=-1. ## -## The default kernel setting will be utilized until provided sufficient evidence to modify. +## See /usr/libexec/security-misc/panic-on-oops for implementation. ## -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0" +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX panic=-1" ## Prevent sensitive kernel information leaks in the console during boot. ## Must be used in combination with the kernel.printk sysctl. @@ -186,6 +199,8 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100" ## KSPP=yes ## KSPP sets the kernel parameter and does not set CONFIG_COMPAT_VDSO. ## +## See /usr/lib/sysctl.d/990-security-misc.conf for another additional implementation. +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0" ## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation. @@ -237,6 +252,54 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi_pstore.pstore_disable=1" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX erst_disable" +## Enable AMD Secure Memory Encryption (SME) and Secure Encrypted Virtualization (SEV). +## SME encrypts memory with a single key at the kernel level to protect against cold boot attacks. +## SEV extends SME to VMs by encrypting the memory of each with a unique key for guest isolation. +## This is hardware-based encryption managed by the proprietary and closed-source AMD Platform Security Processor (PSP). +## Both require a compatible AMD CPU and support for SME to first be enabled in the BIOS/UEFI. +## Likely unavailable in consumer-grade AMD CPUs where Transparent SME (TSME) can be enabled in the BIOS/UEFI to achieve SME. +## Note the corresponding Intel Total Memory Encryption (TME) can also be enabled via the BIOS/UEFI. +## May cause boot failure on certain hardware with incompatible DMA masks. +## +## https://www.kernel.org/doc/html/next/x86/amd-memory-encryption.html +## https://www.kernel.org/doc/html/latest/virt/kvm/x86/amd-memory-encryption.html +## https://docs.amd.com/v/u/en-US/memory-encryption-white-paper +## https://docs.amd.com/v/u/en-US/SEV-SNP-strengthening-vm-isolation-with-integrity-protection-and-more +## https://en.wikichip.org/wiki/x86/sme +## https://lore.kernel.org/lkml/YWvy9bSRaC+m1sV+@zn.tnic/T/#m01bcb37040b6b0d119d385d9a34b9c7ac4ce5f84 +## https://mricher.fr/post/amd-memory-encryption/ +## https://www.kicksecure.com/wiki/Dev/confidential_computing#AMD +## https://forums.whonix.org/t/enable-secure-memory-encryption-sme-kernel-parameter-mem-encrypt-by-default/10393 +## +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mem_encrypt=on" +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm_amd.sev=1" + +## Prevent processes from writing to block devices that are mounted by filesystems. +## Enhances system stability and security by protecting against runaway privileged processes. +## Allowing processes to write to the buffer cache can cause filesystem corruption and kernel crashes. +## Does not prevent data modifications using direct SCSI commands or lower-level storage stack access. +## May lead to breakages in certain limited scenarios. +## +## https://github.com/torvalds/linux/commit/ed5cc702d311c14b653323d76062b0294effa66e +## https://lore.kernel.org/lkml/20240105-vfs-super-4092d802972c@brauner/ +## https://github.com/a13xp0p0v/kernel-hardening-checker/issues/186 +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX bdev_allow_write_mounted=0" + +## Restrict processes from modifying their own memory mappings. +## Prevents the use of /proc/PID/mem to write to protected pages via the kernel's +## mem_rw() FOLL_FORCE flag. This makes it harder to trick applications into +## overwriting their own memory. +## +## https://lore.kernel.org/lkml/20240712-vfs-procfs-ce7e6c7cf26b@brauner/ +## https://lwn.net/Articles/983169/ +## https://github.com/a13xp0p0v/kernel-hardening-checker/pull/201 +## https://github.com/Kicksecure/security-misc/issues/330 +## +## Using "proc_mem.force_override=never" provides superior protection by never allowing overrides. +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX proc_mem.force_override=ptrace" + ## 2. Direct Memory Access: ## ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#dma-attacks @@ -282,32 +345,48 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma" ## ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#rdrand -## Do not credit the CPU or bootloader seeds as entropy sources at boot. -## The RDRAND CPU (RNG) instructions are proprietary and closed-source. -## Numerous implementations of RDRAND have a long history of being defective. -## The RNG seed passed by the bootloader could also potentially be tampered. +## Do not credit the CPU seeds as an entropy sources at boot. +## The RDRAND and RDSEED CPU (RNG) instructions are proprietary and closed-source. +## Numerous implementations of RDRAND and RDSEED have a long history of being defective. ## Maximizing the entropy pool at boot is desirable for all cryptographic operations. -## These settings ensure additional entropy is obtained from other sources to initialize the RNG. -## Note that distrusting these (relatively fast) sources of entropy will increase boot time. +## This ensures additional entropy is obtained from other sources to initialize the Linux CRNG. +## Note that distrusting this (relatively fast) source of entropy will increase boot time. ## -## https://en.wikipedia.org/wiki/RDRAND#Reception +## https://en.wikipedia.org/wiki/RDRAND ## https://systemd.io/RANDOM_SEEDS/ ## https://www.kicksecure.com/wiki/Dev/Entropy#RDRAND -## https://arstechnica.com/gadgets/2019/10/how-a-months-old-amd-microcode-bug-destroyed-my-weekend/ -## https://x.com/pid_eins/status/1149649806056280069 ## https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html ## https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566 +## https://lkml.org/lkml/2022/6/5/271 +## https://lwn.net/Articles/961121/ +## https://lore.kernel.org/lkml/aPFDn-4Cm6n0_3_e@gourry-fedora-PF4VCD3F/ +## https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7055.html +## +## KSPP=yes +## KSPP sets CONFIG_RANDOM_TRUST_CPU=y. +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off" + +## Do not credit the bootloader seeds as an entropy source at boot. +## The RNG seed passed by the bootloader could potentially be tampered. +## Maximizing the entropy pool at boot is desirable for all cryptographic operations. +## This ensures additional entropy is obtained from other sources to initialize the Linux CRNG. +## Note that distrusting this (relatively fast) source of entropy will increase boot time. +## +## https://systemd.io/RANDOM_SEEDS/ ## https://github.com/NixOS/nixpkgs/pull/165355 ## https://lkml.org/lkml/2022/6/5/271 ## ## KSPP=yes -## KSPP sets CONFIG_RANDOM_TRUST_BOOTLOADER=y and CONFIG_RANDOM_TRUST_CPU=y. +## KSPP sets CONFIG_RANDOM_TRUST_BOOTLOADER=y. ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_bootloader=off" -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off" ## Obtain more entropy during boot as the runtime memory allocator is being initialized. -## Entropy will be extracted from up to the first 4GB of RAM. +## Entropy will be extracted from up to the first 4GB of RAM as another source. +## Note that entropy extracted this way is not cryptographically secure and so is not credited. +## Maximizing the entropy pool at boot is desirable for all cryptographic operations. +## This will increase boot time due to interrupting the boot process. ## Requires the linux-hardened kernel patch. ## ## https://www.kicksecure.com/wiki/Hardened-kernel#linux-hardened diff --git a/usr/bin/permission-hardener#security-misc-shared b/usr/bin/permission-hardener#security-misc-shared index 2d9a729..fe318b0 100755 --- a/usr/bin/permission-hardener#security-misc-shared +++ b/usr/bin/permission-hardener#security-misc-shared @@ -89,7 +89,13 @@ output_stat() { return 1 fi - block_newlines file "${file_name}" + if ! block_newlines file "${file_name}"; then + existing_mode='' + existing_owner='' + existing_group='' + file_name_from_stat='' + return 0 + fi if [ ! -e "${file_name}" ]; then log info "File does not exist. file_name: '${file_name}'" >&2 @@ -217,6 +223,12 @@ add_to_policy() { file_capabilities="${5:-}" updated_entry=false + if [ -z "${file_name}" ]; then + exit_code=207 + log error "Attempted to add a policy entry with an empty filename! file_mode='${file_mode}' file_onwer='${file_owner}' file_group='${file_group}' file_capabilities='${file_capabilities}'" >&2 + exit "${exit_code}" + fi + if [ -h "${file_name}" ]; then file_name="$(realpath "${file_name}")" || return 1 fi @@ -319,6 +331,11 @@ match_dir() { base_str="${1}" match_str="${2}" + if [ -z "${base_str}" ] || [ -z "${match_str}" ]; then + exit_code=207 + log error "Empty base_str or match_str provided to match_dir! base_str: '${base_str}' match_str: '${match_str}'" >&2 + exit "${exit_code}" + fi [[ "${base_str}" =~ '//' ]] && return 1 [[ "${match_str}" =~ '//' ]] && return 1 @@ -562,8 +579,13 @@ commit_policy() { ## group is the string we want. BASH_REMATCH[0] is the entire string, ## BASH_REMATCH[1] is the first match that we want to discard, and ## BASH_REMATCH[2] is the desired second group. - [[ "${state_mode_item}" =~ ^(0*)(.*) ]] || true; - state_mode_item="${BASH_REMATCH[2]}" + if [[ "${state_mode_item}" =~ ^(0*)(.*) ]]; then + state_mode_item="${BASH_REMATCH[2]}" + else + exit_code=208 + log error "'Impossible' regex match failure in commit_policy! Regex: '^(0*)(.*)' String (state_mode_item): '${state_mode_item}'" >&2 + exit "${exit_code}" + fi output_stat "${state_file_item}" if [ -z "${file_name_from_stat}" ]; then @@ -693,9 +715,11 @@ undo_policy_for_file() { state_user_owner_item="${state_user_owner_list[state_idx]}" state_group_owner_item="${state_group_owner_list[state_idx]}" state_mode_item="${state_mode_list[state_idx]}" + # shellcheck disable=SC2086 chown ${verbose} -- "${state_user_owner_item}:${state_group_owner_item}" \ "${undo_file}" || exit_code=202 ## chmod needs to be run after chown since chown removes suid. + # shellcheck disable=SC2086 chmod ${verbose} "${state_mode_item}" "${undo_file}" || exit_code=203 else log info "File does not exist: '${undo_file}'" @@ -708,8 +732,8 @@ undo_policy_for_file() { fi done - if ! [[ "${did_undo}" = 'false' ]]; then - log info "The specified file is not hardened, leaving unchanged. + if [ "${did_undo}" = 'false' ]; then + log notice "The specified file is not hardened, leaving unchanged. File '${undo_file}' has not been removed from SUID Disabler and Permission Hardener during this invocation. This is expected if no policy was ever applied to the file before. @@ -797,7 +821,11 @@ print_raw_state() { for state_file in "${store_dir}/existing_mode/statoverride" \ "${store_dir}/new_mode/statoverride"; do echo "*** begin ${state_file} ***" - cat "${state_file}" + if [ -f "${state_file}" ]; then + cat "${state_file}" + else + echo '(file does not exist)' + fi echo "*** end ${state_file} ***" done } @@ -826,12 +854,17 @@ print_fs_audit() { ## group is the string we want. BASH_REMATCH[0] is the entire string, ## BASH_REMATCH[1] is the first match that we want to discard, and ## BASH_REMATCH[2] is the desired second group. - [[ "${state_mode_item}" =~ ^(0*)(.*) ]] || true; - state_mode_item="${BASH_REMATCH[2]}" + if [[ "${state_mode_item}" =~ ^(0*)(.*) ]]; then + state_mode_item="${BASH_REMATCH[2]}" + else + exit_code=208 + log error "'Impossible' regex match failure in print_fs_audit! Regex: '^(0*)(.*)' String (state_mode_item): '${state_mode_item}'" >&2 + exit "${exit_code}" + fi output_stat "${state_file_item}" if [ -z "${file_name_from_stat}" ]; then - echo "... '${file_name_from_stat}' does not exist" + echo "... '${state_file_item}' does not exist" continue fi diff --git a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared index a4914da..4dd42ff 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared +++ b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared @@ -20,6 +20,7 @@ ## 5. Networking ## For detailed explanations of most of the selected commands, refer to: +## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/abi.html ## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html ## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/fs.html ## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/net.html @@ -171,7 +172,7 @@ kernel.perf_event_paranoid=3 ## Certain "oopses" can sometimes indicate and thwart potential kernel exploitation attempts. ## Warnings are messages generated by the kernel to indicate unexpected conditions or errors. ## By default, code execution continues regardless of warnings emitted by macros like WARN() and WARN_ON(). -## Note that by forcing kernel panics on oopses and warnings, this exposes the system to targeted denial of service attacks. +## Note that by forcing kernel panics on oopses and warnings, this exposes the system to targeted denial-of-service attacks. ## ## https://en.wikipedia.org/wiki/Kernel_panic#Linux ## https://en.wikipedia.org/wiki/Linux_kernel_oops @@ -188,7 +189,7 @@ kernel.perf_event_paranoid=3 #kernel.warn_limit=1 ## Force immediate system reboots on the occurrence of a single kernel panic. -## Increases resilience and limits impact of denial of service attacks as system automatically restarts. +## Increases resilience and limits impact of denial-of-service attacks as system automatically restarts. ## Ensures the system does not hang forever if a panic occurs, reducing susceptibility to both cold and warm boot attacks. ## Immediate rebooting also prevents persistent information disclosure on panic details that were dumped to screen. ## @@ -199,15 +200,44 @@ kernel.perf_event_paranoid=3 ## #kernel.panic=-1 -## Force immediate kernel panic on OOM. -## This is to avoid security features such as the screen locker, kloak, emerg-shutdown -## from being arbitrarily terminated when the system starts running out of memory. +## Force immediate kernel panic on OOM (out of memory) scenarios. +## Registers a kernel panic whenever the oom_killer is triggered to kill some rouge process based on their OOM score. +## This prevents security features such as the screen locker, kloak, and emerg-shutdown from being arbitrarily terminated. +## Enabling these two together creates a risk of userspace-based denial-of-service attacks that maliciously fill memory. +## This forces immediate system reboot rather than placing any reliance on the oom_killer. +## Known to cause extreme user experience problems with certain applications as the Tor Browser. +## Enabling by default requires improved upstream handling of user space OOM better accounting for desktop users. +## +## https://en.wikipedia.org/wiki/Out_of_memory ## https://forums.whonix.org/t/screen-locker-in-security-can-we-disable-these-at-least-4-backdoors/8128/14 +## https://github.com/KSPP/kspp.github.io/issues/9 ## https://github.com/Kicksecure/security-misc/issues/324 -## Needs more work. +## +## Note that this must be used with kernel.panic=-1 for it to function as intended. ## #vm.panic_on_oom=2 +## Force immediate kernel panic on certain NMIs (Non-Maskable Interrupts). +## NMIs are hardware interrupts that cannot be ignored by standard interrupt-masking techniques. +## NMIs are reserved for critical events that require immediate attention. +## Panic upon a NMI indicating a serious hardware-level I/O issue to prevent data corruption. +## Panic upon a NMI indicating uncorrectable memory and hardware errors to prevent data corruption. +## Panic upon receiving an undefined or unknown NMI. +## All three must first be tested to ensure there are no pre-existing issues on user hardware. +## After confirming stability of each they can then be used to prevent data corruption from hardware sources. +## These are valuable for high-reliability systems where data integrity is critical. +## +## https://en.wikipedia.org/wiki/Non-maskable_interrupt +## https://www.kernel.org/doc/html/latest/trace/events-nmi.html +## https://0xax.gitbook.io/linux-insides/summary/interrupts/linux-interrupts-6 +## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux_for_real_time/7/html/reference_guide/non-maskable_interrupts +## +## Note that these must be used with kernel.panic=-1 for them to function as intended. +## +#kernel.panic_on_io_nmi=1 +#kernel.panic_on_unrecovered_nmi=1 +#kernel.unknown_nmi_panic=1 + ## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. ## Can lead to privilege escalation by pushing characters into a controlling TTY. ## Will break out-dated screen readers that continue to rely on this legacy functionality. @@ -232,6 +262,19 @@ dev.tty.legacy_tiocsti=0 ## kernel.io_uring_disabled=2 +## Disable 32-bit Virtual Dynamic Shared Object (vDSO) mappings. +## Legacy compatibility feature for superseded glibc versions. +## +## https://lore.kernel.org/lkml/20080409082927.BD59E26F992@magilla.localdomain/T/ +## https://lists.openwall.net/linux-kernel/2014/03/11/3 +## +## KSPP=yes +## KSPP sets the kernel parameter and does not set CONFIG_COMPAT_VDSO. +## +## See /etc/default/grub.d/40_kernel_hardening.cfg for another additional implementation. +## +abi.vsyscall32=0 + ## 2. User Space: ## ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace @@ -526,7 +569,7 @@ net.ipv6.conf.*.accept_source_route=0 ## Do not accept IPv6 router advertisements (RAs) and solicitations. ## RAs are unsecured and unauthenticated and any device on the local link can send and accept them without verification. ## Malicious RAs can activate IPv6 connectivity on dormant hosts leading to unauthorized access. -## Flooding the network with malicious RAs can lead to denial of service attacks. +## Flooding the network with malicious RAs can lead to denial-of-service attacks. ## Rogue RAs can lead to interception of all network traffic by setting the attacker's system as the default gateway. ## ## https://datatracker.ietf.org/doc/html/rfc6104 @@ -565,6 +608,16 @@ net.ipv6.conf.*.accept_ra=0 ## net.ipv4.tcp_timestamps=0 +## Disable reuse of TIME_WAIT sockets for new outgoing connections. +## The safety of reusing of TIME_WAIT sockets requires enabling TCP timestamps. +## The kernel uses timestamps to verify a new connection is not a duplicate segment from an older connection. +## Hence TIME-WAIT sockets should wait the full timeout period before being made available again. +## Can lead to port exhaustion on high-traffic networks with numerous short-lived connections. +## +## https://vincent.bernat.ch/en/blog/2014-tcp-time-wait-state-linux +## +net.ipv4.tcp_tw_reuse=0 + ## Enable logging of packets with impossible source or destination addresses. ## Martian and unroutable packets may be used for malicious purposes. ## Recommended to keep a (kernel dmesg) log of these to identify suspicious packets. @@ -572,6 +625,8 @@ net.ipv4.tcp_timestamps=0 ## Known to cause performance issues, especially on systems with multiple interfaces. ## ## https://wiki.archlinux.org/title/Sysctl#Log_martian_packets +## https://www.cyberciti.biz/faq/linux-log-suspicious-martian-packets-un-routable-source-addresses/ +## https://support.scc.suse.com/s/kb/Martian-sources-errors-showing-in-messages-log?language=en_US ## https://github.com/Kicksecure/security-misc/issues/214 ## ## The logging of martian packets is currently disabled. diff --git a/usr/lib/systemd/system/usbguard.service.d/30_security-misc.conf#security-misc-shared b/usr/lib/systemd/system/usbguard.service.d/30_security-misc.conf#security-misc-shared index fa87f09..24cb0da 100644 --- a/usr/lib/systemd/system/usbguard.service.d/30_security-misc.conf#security-misc-shared +++ b/usr/lib/systemd/system/usbguard.service.d/30_security-misc.conf#security-misc-shared @@ -3,4 +3,6 @@ [Unit] ConditionPathExists=/sys/bus/usb + +[Service] ExecCondition=/usr/libexec/security-misc/check-for-usb-controller diff --git a/usr/libexec/security-misc/block-unsafe-logins#security-misc-shared b/usr/libexec/security-misc/block-unsafe-logins#security-misc-shared index 3230ff3..15d1e01 100755 --- a/usr/libexec/security-misc/block-unsafe-logins#security-misc-shared +++ b/usr/libexec/security-misc/block-unsafe-logins#security-misc-shared @@ -36,10 +36,10 @@ fi if [[ "$kernel_cmdline" =~ 'boot-role=sysmaint' ]]; then true "INFO: session type: sysmaint session" if [ "$PAM_USER" != 'sysmaint' ]; then - printf '%s\n' 'ERROR: Rejecting non-sysmaint account in sysmaint session!' + printf '%s\n' 'ERROR: Rejecting non-sysmaint account '$PAM_USER' in sysmaint session!' exit 1 fi - true 'INFO: Running in sysmaint session and logging into sysmaint account, allowing authentication to proceed.' + true 'INFO: Running in sysmaint session and authenticating as sysmaint account, allowing authentication to proceed.' exit 0 fi @@ -72,7 +72,7 @@ fi ## tools do not permit privilege escalation from one user to another, and ## passwordless login is expected to work even for sensitive accounts. -login_service_list=( 'login' 'greetd' 'sshd' ) +login_service_list=( 'login' 'greetd' 'sshd' 'swaylock' ) for login_service in "${login_service_list[@]}"; do if [ "$PAM_SERVICE" = "$login_service" ]; then true "INFO: Login service '$PAM_SERVICE' is considered safe, allowing authentication to proceed." @@ -97,7 +97,17 @@ fi ## attack would require root privileges to execute though, so this is likely ## not a concern. We do this before checking if $PAM_USER is in the list of ## interactive users to keep the race window as short as possible. -if ! output="$(/usr/libexec/helper-scripts/get-password-status-list)"; then +## +## NOTE: PAM modules may run as non-root in some instances (such as when used +## by Swaylock). +if [ "$(id -u)" = '0' ]; then + passwd_status_list_cmd=( + '/usr/libexec/helper-scripts/get-password-status-list' + ) +else + passwd_status_list_cmd=( 'leaprun' 'get-password-status-list' ) +fi +if ! output="$("${passwd_status_list_cmd[@]}")"; then printf '%s\n' 'ERROR: Failed to get password status list!' exit 1 fi diff --git a/usr/libexec/security-misc/panic-on-oops#security-misc-shared b/usr/libexec/security-misc/panic-on-oops#security-misc-shared index 54731c9..5e32d02 100755 --- a/usr/libexec/security-misc/panic-on-oops#security-misc-shared +++ b/usr/libexec/security-misc/panic-on-oops#security-misc-shared @@ -24,7 +24,8 @@ sysctl kernel.oops_limit=1 sysctl kernel.warn_limit=1 ## Makes the system immediately reboot on the occurrence of a single -## kernel panic. This reduces the risk and impact of denial of -## service attacks and both cold and warm boot attacks. +## kernel panic. This reduces the risk and impact of denial-of-service +## attacks and both cold and warm boot attacks. +## ## https://docs.kernel.org/admin-guide/sysctl/kernel.html#panic sysctl kernel.panic=-1