From 9db63d97770e62749c0b602dd9e7d2d4d6a1128b Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Mon, 13 Oct 2025 01:01:14 +0000 Subject: [PATCH 01/45] README: Update KSSP compliance status --- README.md | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index a73f6b0..7bb18f7 100644 --- a/README.md +++ b/README.md @@ -279,23 +279,15 @@ there are a few cases of partial or non-compliance due to technical limitations. More than 30 kernel boot parameters and over 30 sysctl settings are fully aligned with the KSPP's recommendations. -**Partial compliance:** - -1. `sysctl kernel.yama.ptrace_scope=3` - -Completely disables `ptrace()`. Can be enabled easily if needed. - -* [security-misc pull request #242](https://github.com/Kicksecure/security-misc/pull/242) - **Non-compliance:** -2. `sysctl user.max_user_namespaces=0` +1. `sysctl user.max_user_namespaces=0` Disables user namespaces entirely. Not recommended due to the potential for widespread breakages. * [security-misc pull request #263](https://github.com/Kicksecure/security-misc/pull/263) -3. `sysctl fs.binfmt_misc.status=0` +2. `sysctl fs.binfmt_misc.status=0` Disables the registration of interpreters for miscellaneous binary formats. Currently not feasible due to compatibility issues with Firefox. 
@@ -303,6 +295,14 @@ feasible due to compatibility issues with Firefox. * [security-misc pull request #249](https://github.com/Kicksecure/security-misc/pull/249) * [security-misc issue #267](https://github.com/Kicksecure/security-misc/issues/267) +3. Kernel boot parameter `hash_pointers=always` + +Forces all exposed pointers to be hashed and must be used in combination with already enabled +kernel boot parameter `slab_debug=FZ`. Currently not possible as requires Linux kernel >= 6.17. + +* [security-misc issue #253](https://github.com/Kicksecure/security-misc/issues/253) +* [security-misc pull request #325](https://github.com/Kicksecure/security-misc/pull/325) + ### Kernel Modules #### Kernel Module Signature Verification From f690b58870bd90582018cec51046f4ed67a414d4 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Mon, 13 Oct 2025 02:08:44 +0000 Subject: [PATCH 02/45] Add docs relating to panic on OOM --- README.md | 7 ++++--- .../990-security-misc.conf#security-misc-shared | 13 ++++++++++--- 2 files changed, 14 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 7bb18f7..8d1119a 100644 --- a/README.md +++ b/README.md 
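Review bot: the hunk deletes the whole **Partial compliance:** section (the `kernel.yama.ptrace_scope=3` entry together with its link to pull request #242) while the subject only says the status was updated; if that entry is now considered fully compliant, say so in the commit message, otherwise the README loses the only place that limitation was documented. In the new entry 3, `Currently not possible as requires Linux kernel >= 6.17` is missing its subject: `Currently not possible, as it requires Linux kernel >= 6.17`.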
@@ -52,9 +52,10 @@ configuration file and significant hardening is applied to a myriad of component - Force immediate system reboot on the occurrence of a single kernel panic, reducing the risk and impact of denial of service attacks and both cold and warm boot attacks. -- Force immediate kernel panic on OOM. This is to avoid security features such as the screen - locker, kloak, emerg-shutdown from being arbitrarily terminated when the system starts - running out of memory. +- Force immediate kernel panic on OOM (out of memory) which the above setting will force + an immediate system reboot, as opposed to placing any reliance on the oom_killer to + avoid arbitrarily terminating security features based on their OOM score. Note this creates + the risk of userspace-based denial of service attacks that maliciously fill memory. - Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. diff --git a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared index d99a580..5faeec0 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared +++ b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared 
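Review bot: the rewritten bullet does not parse as a sentence (`on OOM (out of memory) which the above setting will force an immediate system reboot`). Suggest: `Force an immediate kernel panic on OOM (out of memory), which the setting above then turns into an immediate system reboot, rather than relying on the oom_killer to spare security features based on their OOM score. Note that this creates the risk of userspace-based denial-of-service attacks that maliciously fill memory.`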
@@ -199,11 +199,18 @@ kernel.perf_event_paranoid=3 ## #kernel.panic=-1 -## Force immediate kernel panic on OOM. -## This is to avoid security features such as the screen locker, kloak, emerg-shutdown -## from being arbitrarily terminated when the system starts running out of memory. +## Force immediate kernel panic on OOM (out of memory) scenarios. +## Registers a kernel panic whenever the oom_killer is triggered to kill some rouge process based on their OOM score. +## Note that this must be used with kernel.panic=-1 for it to be function as intended. +## This prevents security features such as the screen locker, kloak, and emerg-shutdown from being arbitrarily terminated. +## Enabling these two together creates a risk of userspace-based denial-of-service attacks that maliciously fill memory. +## This opinionated default forces immediate system reboot rather than placing any reliance on the oom_killer. +## +## https://en.wikipedia.org/wiki/Out_of_memory ## https://forums.whonix.org/t/screen-locker-in-security-can-we-disable-these-at-least-4-backdoors/8128/14 +## https://github.com/KSPP/kspp.github.io/issues/9 ## https://github.com/Kicksecure/security-misc/issues/324 +## vm.panic_on_oom=2 ## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. From 708e1358dfbc21444f2bf39dfa81ea5053f2bb10 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Fri, 17 Oct 2025 00:48:57 +0000 Subject: [PATCH 03/45] Add docs relating `extra_latent_entropy` --- etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared | 2 ++ 1 file changed, 2 insertions(+) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index 2eef877..39b04c5 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared 
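Review bot: `vm.panic_on_oom=2` panics on every OOM, including one confined to a memory cgroup or to a cpuset/mempolicy (the value `1` exempts those cases), so a single service or container exhausting its own memory limit reboots the whole host; the comment should say that, since it widens the denial-of-service surface the comment already warns about. Also: `rouge process` should be `rogue process`, `based on their OOM score` should be `based on its OOM score`, and `for it to be function as intended` should be `for it to function as intended`.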
@@ -308,6 +308,8 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off" ## Obtain more entropy during boot as the runtime memory allocator is being initialized. ## Entropy will be extracted from up to the first 4GB of RAM. +## Note that entropy extracted this way is not cryptographically secure and so is not credited. +## This will increase boot time due to interrupting the boot process. ## Requires the linux-hardened kernel patch. ## ## https://www.kicksecure.com/wiki/Hardened-kernel#linux-hardened From 11d9b9403854ae7cd2638765e8350257580be35f Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Fri, 17 Oct 2025 01:01:28 +0000 Subject: [PATCH 04/45] Add docs on entropy --- .../grub.d/40_kernel_hardening.cfg#security-misc-shared | 3 +++ 1 file changed, 3 insertions(+) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index 39b04c5..c8209f5 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared @@ -288,6 +288,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma" ## The RNG seed passed by the bootloader could also potentially be tampered. ## Maximizing the entropy pool at boot is desirable for all cryptographic operations. ## These settings ensure additional entropy is obtained from other sources to initialize the RNG. +## RDSEED instructions also rely on periodic reseeds from the same underlying entropy sources. ## Note that distrusting these (relatively fast) sources of entropy will increase boot time. ## ## https://en.wikipedia.org/wiki/RDRAND#Reception 
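Review bot: `This will increase boot time due to interrupting the boot process` is vague about the cause; the cost is the extraction itself, which the line above already quantifies, so say it directly: `This will increase boot time, since extracting entropy from up to the first 4GB of RAM happens during early boot.` If a measured delay is known, state it.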
@@ -299,6 +300,8 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma" ## https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566 ## https://github.com/NixOS/nixpkgs/pull/165355 ## https://lkml.org/lkml/2022/6/5/271 +## https://lwn.net/Articles/961121/ +## https://lore.kernel.org/lkml/aPFDn-4Cm6n0_3_e@gourry-fedora-PF4VCD3F/ ## ## KSPP=yes ## KSPP sets CONFIG_RANDOM_TRUST_BOOTLOADER=y and CONFIG_RANDOM_TRUST_CPU=y. From 9f7480e20adf148dcb7dbe80e704f3f79691b657 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sun, 19 Oct 2025 01:41:58 +0000 Subject: [PATCH 05/45] Make terminology consistent --- README.md | 4 ++-- .../grub.d/40_kernel_hardening.cfg#security-misc-shared | 2 +- .../sysctl.d/990-security-misc.conf#security-misc-shared | 6 +++--- .../security-misc/panic-on-oops#security-misc-shared | 5 +++-- 4 files changed, 9 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 537b72a..3459fc6 100644 --- a/README.md +++ b/README.md @@ -50,12 +50,12 @@ configuration file and significant hardening is applied to a myriad of component and thwart certain kernel exploitation attempts) and kernel warnings in the `WARN()` path. - Force immediate system reboot on the occurrence of a single kernel panic, reducing the - risk and impact of denial of service attacks and both cold and warm boot attacks. + risk and impact of denial-of-service attacks and both cold and warm boot attacks. - Force immediate kernel panic on OOM (out of memory) which the above setting will force an immediate system reboot, as opposed to placing any reliance on the oom_killer to avoid arbitrarily terminating security features based on their OOM score. Note this creates - the risk of userspace-based denial of service attacks that maliciously fill memory. + the risk of userspace-based denial-of-service attacks that maliciously fill memory. - Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. 
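Review bot: the line added in the first hunk of PATCH 04, `RDSEED instructions also rely on periodic reseeds from the same underlying entropy sources`, reads backwards: RDSEED exposes the conditioned hardware entropy source directly, and it is the DRBG behind RDRAND that is periodically reseeded from it. PATCH 14 in this series removes the line again, so drop it here rather than adding it and reverting it. The two links in the second hunk are fine as additions.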
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index c8209f5..21e2c06 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared @@ -126,7 +126,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## Panics may be due to false-positives such as bad drivers. ## Oopses are serious but non-fatal errors. ## Certain "oopses" can sometimes indicate and thwart potential kernel exploitation attempts. -## Note that by forcing kernel panics on oopses, this exposes the system to targeted denial of service attacks. +## Note that by forcing kernel panics on oopses, this exposes the system to targeted denial-of-service attacks. ## ## https://en.wikipedia.org/wiki/Kernel_panic#Linux ## https://en.wikipedia.org/wiki/Linux_kernel_oops diff --git a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared index aeb3fe0..4e8625c 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared +++ b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared @@ -171,7 +171,7 @@ kernel.perf_event_paranoid=3 ## Certain "oopses" can sometimes indicate and thwart potential kernel exploitation attempts. ## Warnings are messages generated by the kernel to indicate unexpected conditions or errors. ## By default, code execution continues regardless of warnings emitted by macros like WARN() and WARN_ON(). -## Note that by forcing kernel panics on oopses and warnings, this exposes the system to targeted denial of service attacks. +## Note that by forcing kernel panics on oopses and warnings, this exposes the system to targeted denial-of-service attacks. ## ## https://en.wikipedia.org/wiki/Kernel_panic#Linux ## https://en.wikipedia.org/wiki/Linux_kernel_oops 
@@ -188,7 +188,7 @@ kernel.perf_event_paranoid=3 #kernel.warn_limit=1 ## Force immediate system reboots on the occurrence of a single kernel panic. -## Increases resilience and limits impact of denial of service attacks as system automatically restarts. +## Increases resilience and limits impact of denial-of-service attacks as system automatically restarts. ## Ensures the system does not hang forever if a panic occurs, reducing susceptibility to both cold and warm boot attacks. ## Immediate rebooting also prevents persistent information disclosure on panic details that were dumped to screen. ## @@ -531,7 +531,7 @@ net.ipv6.conf.*.accept_source_route=0 ## Do not accept IPv6 router advertisements (RAs) and solicitations. ## RAs are unsecured and unauthenticated and any device on the local link can send and accept them without verification. ## Malicious RAs can activate IPv6 connectivity on dormant hosts leading to unauthorized access. -## Flooding the network with malicious RAs can lead to denial of service attacks. +## Flooding the network with malicious RAs can lead to denial-of-service attacks. ## Rogue RAs can lead to interception of all network traffic by setting the attacker's system as the default gateway. ## ## https://datatracker.ietf.org/doc/html/rfc6104 diff --git a/usr/libexec/security-misc/panic-on-oops#security-misc-shared b/usr/libexec/security-misc/panic-on-oops#security-misc-shared index 54731c9..5e32d02 100755 --- a/usr/libexec/security-misc/panic-on-oops#security-misc-shared +++ b/usr/libexec/security-misc/panic-on-oops#security-misc-shared 
@@ -24,7 +24,8 @@ sysctl kernel.oops_limit=1 sysctl kernel.warn_limit=1 ## Makes the system immediately reboot on the occurrence of a single -## kernel panic. This reduces the risk and impact of denial of -## service attacks and both cold and warm boot attacks. +## kernel panic. This reduces the risk and impact of denial-of-service +## attacks and both cold and warm boot attacks. +## ## https://docs.kernel.org/admin-guide/sysctl/kernel.html#panic sysctl kernel.panic=-1 From 8f78269949217ac11163cc8b6f17147621fef6eb Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Mon, 20 Oct 2025 05:36:54 +0000 Subject: [PATCH 06/45] Add docs on slab_debug --- README.md | 4 ++-- .../grub.d/40_kernel_hardening.cfg#security-misc-shared | 8 ++++++-- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 3459fc6..42220a2 100644 --- a/README.md +++ b/README.md @@ -298,8 +298,8 @@ feasible due to compatibility issues with Firefox. 3. Kernel boot parameter `hash_pointers=always` -Forces all exposed pointers to be hashed and must be used in combination with already enabled -kernel boot parameter `slab_debug=FZ`. Currently not possible as requires Linux kernel >= 6.17. +Force all exposed pointers to be hashed and must be used in combination with the already enabled +`slab_debug=FZ` kernel boot parameter. Currently is not possible as requires Linux kernel >= 6.17. * [security-misc issue #253](https://github.com/Kicksecure/security-misc/issues/253) * [security-misc pull request #325](https://github.com/Kicksecure/security-misc/pull/325) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index 21e2c06..fac7117 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared 
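Review bot: in the README hunk of PATCH 06 the rewording makes entry 3 less grammatical, not more: `Force all exposed pointers to be hashed and must be used` has no subject for `must`, and `Currently is not possible as requires` is missing `it`. Suggest: `Forces all exposed pointers to be hashed; must be used in combination with the already enabled `slab_debug=FZ` kernel boot parameter. Currently not possible, as it requires Linux kernel >= 6.17.`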
@@ -38,13 +38,17 @@ kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || tru ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge" -## Enable sanity checks and red zoning of slabs via debugging options to detect corruption. +## Enable sanity checks and red zoning of slabs via debugging options to detect memory corruption. +## Sanity checks force additional verification steps on every memory allocation and free operation. +## Red zoning adds extra metadata to each object to detect writes beyond the object's boundaries. ## As a by product of debugging, this will implicitly disabling kernel pointer hashing unless manually re-enabled. ## Enabling this (for now) will therefore leak exact and all kernel memory addresses to root. -## Has the potential to cause a noticeable performance decrease. +## Introduces a noticeable performance overhead during all memory allocation and deallocation operations. ## ## https://www.kernel.org/doc/html/latest/mm/slub.html +## https://www.kernel.org/doc/Documentation/vm/slub.txt ## https://lore.kernel.org/all/20210601182202.3011020-5-swboyd@chromium.org/T/#u +## https://blogs.oracle.com/linux/post/linux-slub-allocator-internals-and-debugging-2 ## https://gitlab.tails.boum.org/tails/tails/-/issues/19613 ## https://github.com/Kicksecure/security-misc/issues/253 ## From d175d1be525edd8fb6140680c31425c8a89cc244 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sun, 2 Nov 2025 15:54:34 +1100 Subject: [PATCH 07/45] Add doc on entropy related failure on AMD Zen 5 CPUs --- etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index fac7117..5af1493 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared 
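Review bot: the unchanged context line `this will implicitly disabling kernel pointer hashing` is ungrammatical and sits inside the comment block being rewritten; change it to `this implicitly disables kernel pointer hashing` in the same commit. The new wording `Introduces a noticeable performance overhead during all memory allocation and deallocation operations` turns the earlier `Has the potential to cause` into an unconditional claim; keep the hedge or cite a measurement. `https://www.kernel.org/doc/Documentation/vm/slub.txt` is the plain-text copy of the `mm/slub.html` page already linked on the line above, so one of the two can go.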
@@ -306,6 +306,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma" ## https://lkml.org/lkml/2022/6/5/271 ## https://lwn.net/Articles/961121/ ## https://lore.kernel.org/lkml/aPFDn-4Cm6n0_3_e@gourry-fedora-PF4VCD3F/ +## https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7055.html ## ## KSPP=yes ## KSPP sets CONFIG_RANDOM_TRUST_BOOTLOADER=y and CONFIG_RANDOM_TRUST_CPU=y. From c5f91eb33a2ad745af7a6278cf49419d0b366343 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sun, 2 Nov 2025 06:15:06 +0000 Subject: [PATCH 08/45] Add another method to disable 32-bit legacy vsyscalls --- README.md | 2 ++ .../40_kernel_hardening.cfg#security-misc-shared | 2 ++ .../990-security-misc.conf#security-misc-shared | 14 ++++++++++++++ 3 files changed, 18 insertions(+) diff --git a/README.md b/README.md index ee8d364..1501d26 100644 --- a/README.md +++ b/README.md @@ -60,6 +60,8 @@ configuration file and significant hardening is applied to a myriad of component - Disable asynchronous I/O as `io_uring` has been the source of numerous kernel exploits. +- Disable 32-bit vDSO mappings as they are a legacy compatibility feature. + #### User space - Disable the usage of `ptrace()` by all processes as it enables programs to inspect diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index 2eef877..9a5e983 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared @@ -186,6 +186,8 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100" ## KSPP=yes ## KSPP sets the kernel parameter and does not set CONFIG_COMPAT_VDSO. ## +## See /usr/lib/sysctl.d/990-security-misc.conf for another additional implementation. +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0" ## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation. 
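Review bot: in the grub hunk of PATCH 08, `See /usr/lib/sysctl.d/990-security-misc.conf for another additional implementation` is redundant (`another additional`) and does not say how the two settings relate. `vdso32=` and `abi.vsyscall32` write the same kernel switch (`vdso32_enabled`), so say that: `See /usr/lib/sysctl.d/990-security-misc.conf for the equivalent sysctl, abi.vsyscall32=0, which sets the same switch once sysctl.d is applied.`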
diff --git a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared index 78e5e5f..53bec74 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared +++ b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared @@ -20,6 +20,7 @@ ## 5. Networking ## For detailed explanations of most of the selected commands, refer to: +## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/abi.html ## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html ## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/fs.html ## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/net.html @@ -230,6 +231,19 @@ dev.tty.legacy_tiocsti=0 ## kernel.io_uring_disabled=2 +## Disable 32-bit Virtual Dynamic Shared Object (vDSO) mappings. +## Legacy compatibility feature for superseded glibc versions. +## +## https://lore.kernel.org/lkml/20080409082927.BD59E26F992@magilla.localdomain/T/ +## https://lists.openwall.net/linux-kernel/2014/03/11/3 +## +## KSPP=yes +## KSPP sets the kernel parameter and does not set CONFIG_COMPAT_VDSO. +## +## See /etc/default/grub.d/40_kernel_hardening.cfg for another additional implementation. +## +abi.vsyscall32=0 + ## 2. User Space: ## ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace From 3fdfebc4646d7c1f48806d02810de44fd53482bb Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Mon, 3 Nov 2025 00:48:49 +0000 Subject: [PATCH 09/45] Set `proc_mem.force_override=ptrace` --- README.md | 3 +++ .../40_kernel_hardening.cfg#security-misc-shared | 13 +++++++++++++ 2 files changed, 16 insertions(+) diff --git a/README.md b/README.md index 302c8ab..69e3728 100644 --- a/README.md +++ b/README.md 
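Review bot: the comment copies `KSPP sets the kernel parameter and does not set CONFIG_COMPAT_VDSO` from the `vdso32=0` block, but a sysctl is not a kernel parameter, so the line is misleading here; state that KSPP recommends the `vdso32=0` boot parameter and that this sysctl flips the same `vdso32_enabled` switch from userspace. Also add the ordering caveat: the boot parameter is effective from the first process, while `abi.vsyscall32=0` only takes effect when systemd-sysctl applies sysctl.d, so it is a backstop, not a replacement. `another additional implementation` → `the equivalent boot parameter`.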
@@ -238,6 +238,9 @@ Kernel space: - Disable the EFI persistent storage feature which prevents the kernel from writing crash logs and other persistent data to either the UEFI variable storage or ACPI ERST backends. +- Restrict processes from modifying their own memory mappings unless actively done via + `ptrace()` in order to limit self-modification which can trigger exploits. + Direct memory access: - Enable strict IOMMU translation to protect against some DMA attacks via the use diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index 2eef877..0bddd2d 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared @@ -237,6 +237,19 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi_pstore.pstore_disable=1" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX erst_disable" +## Restrict processes from modifying their own memory mappings. +## Prevents the use of FULL_FORCE by a processes unless via ptrace() for debugging. +## Limit self-modification which can be used trigger race condition vulnerabilities. +## +## https://lore.kernel.org/lkml/20240712-vfs-procfs-ce7e6c7cf26b@brauner/ +## https://lwn.net/Articles/983169/ +## https://github.com/a13xp0p0v/kernel-hardening-checker/pull/201 +## https://github.com/Kicksecure/security-misc/issues/330 +## +## Using "proc_mem.force_override=never" provides superior protection by never allowing overrides. +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX proc_mem.force_override=ptrace" + ## 2. Direct Memory Access: ## ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#dma-attacks From 5e87c9bea49b5a06c1400cb8b632f344cccb6db6 Mon Sep 17 00:00:00 2001 
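Review bot: `FULL_FORCE` should be `FOLL_FORCE` (the GUP flag this option gates), `by a processes` → `by a process`, and `can be used trigger` → `can be used to trigger`. More importantly, the opening line `Restrict processes from modifying their own memory mappings` (and the matching README bullet) misdescribes the setting: `proc_mem.force_override` controls whether writes to `/proc/<pid>/mem` may use FOLL_FORCE to bypass page protections, and `=ptrace` allows that only for a writer that already has ptrace access to the target. Suggest opening with `Restrict forced writes to /proc/<pid>/mem to processes with ptrace access.`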
From: raja-grewal Date: Mon, 3 Nov 2025 04:30:58 +0000 Subject: [PATCH 10/45] Set `kpti=1` --- README.md | 2 ++ .../40_cpu_mitigations.cfg#security-misc-shared | 14 ++++++++++++++ 2 files changed, 16 insertions(+) diff --git a/README.md b/README.md index 302c8ab..35815ac 100644 --- a/README.md +++ b/README.md @@ -156,6 +156,8 @@ CPU mitigations: - Spectre Side Channels (BTI and BHI) +- Meltdown + - Speculative Store Bypass (SSB) - L1 Terminal Fault (L1TF) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared b/etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared index 8f18ad0..4ee58fc 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared +++ b/etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared @@ -71,6 +71,20 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_bhi=on" +## Meltdown: +## Mitigate Spectre Variant 3 using kernel page table isolation (PTI). +## Force enable PTI of user and kernel address spaces on all cores. +## Mitigations for X86_64 CPUs are done in /etc/default/grub.d/40_kernel_hardening.cfg using "pti=on". +## Currently affects ARM64 CPUs. +## +## https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability) +## https://en.wikipedia.org/wiki/Kernel_page-table_isolation +## +## KSPP=yes +## KSPP sets CONFIG_UNMAP_KERNEL_AT_EL0=y. +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kpti=1" + ## Speculative Store Bypass (SSB): ## Mitigate Spectre Variant 4 by disabling speculative store bypass system-wide. ## Unconditionally enable the mitigation for both kernel and userspace. From 322584db3346aaa1e3d1f9782b3d22ca2153c7da Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Mon, 3 Nov 2025 04:31:59 +0000 Subject: [PATCH 11/45] Update docs on `pti=on` --- README.md | 4 ++-- .../grub.d/40_kernel_hardening.cfg#security-misc-shared | 4 +++- 2 files changed, 5 insertions(+), 3 deletions(-) 
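Review bot: `kpti=` is parsed only on ARM64, and this config file is shared with x86_64, where the kernel will report it as an unknown command-line parameter; the comment should say so explicitly (`kpti= is an ARM64-only parameter; on x86_64 it is ignored and pti=on in 40_kernel_hardening.cfg applies`) so the duplicated mitigation is not mistaken for an x86 setting. `Currently affects ARM64 CPUs` is also too broad: only some ARM64 cores need the mitigation, and `kpti=1` force-enables PTI on all of them, which is what the `Force enable` line already says.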
diff --git a/README.md b/README.md index 35815ac..87b3742 100644 --- a/README.md +++ b/README.md @@ -208,8 +208,8 @@ Kernel space: - Enable the kernel page allocator to randomize free lists to limit some data exfiltration and ROP attacks, especially during the early boot process. -- Enable kernel page table isolation to increase KASLR effectiveness and also - mitigate the Meltdown CPU vulnerability. +- Enable kernel page table isolation on X86_64 CPUs to increase KASLR effectiveness + and also mitigate the Meltdown CPU vulnerability. - Enable randomization of the kernel stack offset on syscall entries to harden against memory corruption attacks. diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index 2eef877..73dca75 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared @@ -83,8 +83,10 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_free=1" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1" ## Enable kernel page table isolation to harden against kernel ASLR (KASLR) bypasses. -## Mitigates the Meltdown CPU vulnerability. +## Mitigates the Meltdown (Spectre Variant 3) CPU vulnerability. +## Mitigations for ARM64 CPUs are done in /etc/default/grub.d/40_cpu_mitigations.cfg using "kpti=1". ## +## https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability) ## https://en.wikipedia.org/wiki/Kernel_page-table_isolation ## ## KSPP=yes From 53d90b1128d55e352b3eef8ae680a07a825b1ecf Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Mon, 3 Nov 2025 04:32:49 +0000 Subject: [PATCH 12/45] Update docs on `ssbd=force-on` --- etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared b/etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared index 4ee58fc..0bd8665 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared +++ b/etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared @@ -88,7 +88,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kpti=1" ## Speculative Store Bypass (SSB): ## Mitigate Spectre Variant 4 by disabling speculative store bypass system-wide. ## Unconditionally enable the mitigation for both kernel and userspace. -## Currently affects both AMD and Intel CPUs. +## Currently affects AMD, ARM64, and Intel CPUs. ## ## https://en.wikipedia.org/wiki/Speculative_Store_Bypass ## https://www.suse.com/support/kb/doc/?id=000019189 From e43d4d7f7110de0b23996373e9462aa900b314a6 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Mon, 3 Nov 2025 05:46:07 +0000 Subject: [PATCH 13/45] Set `bdev_allow_write_mounted=0` --- README.md | 3 +++ .../40_kernel_hardening.cfg#security-misc-shared | 12 ++++++++++++ 2 files changed, 15 insertions(+) diff --git a/README.md b/README.md index 302c8ab..831f61d 100644 --- a/README.md +++ b/README.md @@ -238,6 +238,9 @@ Kernel space: - Disable the EFI persistent storage feature which prevents the kernel from writing crash logs and other persistent data to either the UEFI variable storage or ACPI ERST backends. +- Prevent runaway privileged processes from writing to block devices that are mounted by + filesystems to protect against filesystem corruption and kernel crashes. + Direct memory access: - Enable strict IOMMU translation to protect against some DMA attacks via the use diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index 2eef877..6274892 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared 
@@ -237,6 +237,18 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi_pstore.pstore_disable=1" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX erst_disable" +## Prevent processes from writing to block devices that are mounted by filesystems. +## Enhances system stability and security by protecting against runaway privileged processes. +## Allowing processes to write to the buffer cache can cause filesystem corruption and kernel crashes. +## Does not prevent data modifications using direct SCSI commands or lower-level storage stack access. +## May lead to breakages in certain limited scenarios. +## +## https://github.com/torvalds/linux/commit/ed5cc702d311c14b653323d76062b0294effa66e +## https://lore.kernel.org/lkml/20240105-vfs-super-4092d802972c@brauner/ +## https://github.com/a13xp0p0v/kernel-hardening-checker/issues/186 +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX bdev_allow_write_mounted=0" + ## 2. Direct Memory Access: ## ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#dma-attacks From 019a0cf72c99f9f10fd42afbfed96c283e17e458 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 5 Nov 2025 00:03:19 +0000 Subject: [PATCH 14/45] Update docs on entropy --- README.md | 4 +++- .../grub.d/40_kernel_hardening.cfg#security-misc-shared | 8 +++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 578e822..c5e69e6 100644 --- a/README.md +++ b/README.md 
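Review bot: `May lead to breakages in certain limited scenarios` should name the scenario: with `bdev_allow_write_mounted=0` the kernel refuses to open a block device for writing while a filesystem is mounted on it (and refuses to mount a device that is already open for writing), so tools that edit a mounted filesystem through its device node fail instead of silently corrupting it. Spell that out, and mention `CONFIG_BLK_DEV_WRITE_MOUNTED`, the build-time default that this boot parameter overrides, so readers can check what their kernel does without the parameter.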
@@ -250,7 +250,9 @@ Direct memory access: Entropy: - Do not credit the CPU or bootloader as entropy sources at boot in order to - maximize the absolute quantity of entropy in the combined pool. + maximize the absolute quantity of entropy in the combined pool. This is desirable + for all cryptographic operations reliant proprietary on RDRAND and RDSEED CPU + instructions for random number generation that have long history of being defective. - Obtain more entropy at boot from RAM as the runtime memory allocator is being initialized. diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index 5af1493..4894a29 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared 
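Review bot: `reliant proprietary on RDRAND and RDSEED CPU instructions ... that have long history of being defective` is garbled; `reliant on the proprietary RDRAND and RDSEED CPU instructions for random number generation, which have a long history of being defective`. The same sentence is carried into PATCH 15 of this series unchanged, so fix it here.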
@@ -287,19 +287,17 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma" ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#rdrand ## Do not credit the CPU or bootloader seeds as entropy sources at boot. -## The RDRAND CPU (RNG) instructions are proprietary and closed-source. -## Numerous implementations of RDRAND have a long history of being defective. +## The RDRAND and RDSEED CPU (RNG) instructions are proprietary and closed-source. +## Numerous implementations of RDRAND and RDSEED have a long history of being defective. ## The RNG seed passed by the bootloader could also potentially be tampered. ## Maximizing the entropy pool at boot is desirable for all cryptographic operations. -## These settings ensure additional entropy is obtained from other sources to initialize the RNG. -## RDSEED instructions also rely on periodic reseeds from the same underlying entropy sources. +## These settings ensure additional entropy is obtained from other sources to initialize the Linux CRNG. ## Note that distrusting these (relatively fast) sources of entropy will increase boot time. ## ## https://en.wikipedia.org/wiki/RDRAND#Reception ## https://systemd.io/RANDOM_SEEDS/ ## https://www.kicksecure.com/wiki/Dev/Entropy#RDRAND ## https://arstechnica.com/gadgets/2019/10/how-a-months-old-amd-microcode-bug-destroyed-my-weekend/ -## https://x.com/pid_eins/status/1149649806056280069 ## https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html ## https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566 ## https://github.com/NixOS/nixpkgs/pull/165355 From 37b493826ec60397c6019959abb7e0631dd33ed4 Mon Sep 17 00:00:00 2001 
From: raja-grewal Date: Wed, 5 Nov 2025 00:03:54 +0000 Subject: [PATCH 15/45] Split distrusting entropy settings for clarity --- README.md | 12 +++++--- ..._kernel_hardening.cfg#security-misc-shared | 29 +++++++++++++------ 2 files changed, 28 insertions(+), 13 deletions(-) diff --git a/README.md b/README.md index c5e69e6..dc9649d 100644 --- a/README.md +++ b/README.md @@ -249,10 +249,14 @@ Direct memory access: Entropy: -- Do not credit the CPU or bootloader as entropy sources at boot in order to - maximize the absolute quantity of entropy in the combined pool. This is desirable - for all cryptographic operations reliant proprietary on RDRAND and RDSEED CPU - instructions for random number generation that have long history of being defective. +- Do not credit the CPU seeds as an entropy sources at boot in order to maximize the + absolute quantity of entropy in the combined pool. This is desirable for all + cryptographic operations reliant proprietary on RDRAND and RDSEED CPU instructions + for random number generation that have long history of being defective. + +- Do not credit the bootloader seeds as an entropy sources at boot to maximize the + absolute quantity of entropy in the combined pool. This is desirable for all + cryptographic operations as seeds passed by the bootloader could be tampered. - Obtain more entropy at boot from RAM as the runtime memory allocator is being initialized. diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index 4894a29..2b7d217 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared 
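Review bot: both new README bullets say `as an entropy sources`, which should be `as entropy sources` (or `as an entropy source`), the first bullet still carries the misplaced `reliant proprietary on`, and the second bullet ends with `could be tampered` (`tampered with`). The two bullets also repeat `to maximize the absolute quantity of entropy in the combined pool. This is desirable for all cryptographic operations` almost verbatim; one shared sentence followed by the CPU-specific and bootloader-specific reasons would read better than two near-identical bullets.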
@@ -286,31 +286,42 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma" ## ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#rdrand -## Do not credit the CPU or bootloader seeds as entropy sources at boot. +## Do not credit the CPU seeds as an entropy sources at boot. ## The RDRAND and RDSEED CPU (RNG) instructions are proprietary and closed-source. ## Numerous implementations of RDRAND and RDSEED have a long history of being defective. -## The RNG seed passed by the bootloader could also potentially be tampered. ## Maximizing the entropy pool at boot is desirable for all cryptographic operations. -## These settings ensure additional entropy is obtained from other sources to initialize the Linux CRNG. -## Note that distrusting these (relatively fast) sources of entropy will increase boot time. +## This ensures additional entropy is obtained from other sources to initialize the Linux CRNG. +## Note that distrusting this (relatively fast) source of entropy will increase boot time. ## -## https://en.wikipedia.org/wiki/RDRAND#Reception +## https://en.wikipedia.org/wiki/RDRAND ## https://systemd.io/RANDOM_SEEDS/ ## https://www.kicksecure.com/wiki/Dev/Entropy#RDRAND -## https://arstechnica.com/gadgets/2019/10/how-a-months-old-amd-microcode-bug-destroyed-my-weekend/ ## https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html ## https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566 -## https://github.com/NixOS/nixpkgs/pull/165355 ## https://lkml.org/lkml/2022/6/5/271 ## https://lwn.net/Articles/961121/ ## https://lore.kernel.org/lkml/aPFDn-4Cm6n0_3_e@gourry-fedora-PF4VCD3F/ ## https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7055.html ## ## KSPP=yes -## KSPP sets CONFIG_RANDOM_TRUST_BOOTLOADER=y and CONFIG_RANDOM_TRUST_CPU=y. +## KSPP sets CONFIG_RANDOM_TRUST_CPU=y. 
+## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off" + +## Do not credit the bootloader seeds as an entropy source at boot. +## The RNG seed passed by the bootloader could potentially be tampered. +## Maximizing the entropy pool at boot is desirable for all cryptographic operations. +## This ensures additional entropy is obtained from other sources to initialize the Linux CRNG. +## Note that distrusting this (relatively fast) source of entropy will increase boot time. +## +## https://systemd.io/RANDOM_SEEDS/ +## https://github.com/NixOS/nixpkgs/pull/165355 +## https://lkml.org/lkml/2022/6/5/271 +## +## KSPP=yes +## KSPP sets CONFIG_RANDOM_TRUST_BOOTLOADER=y. ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_bootloader=off" -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off" ## Obtain more entropy during boot as the runtime memory allocator is being initialized. ## Entropy will be extracted from up to the first 4GB of RAM. From a46f678c7f8715fd1cedd1102f9815b9d845ccb3 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 5 Nov 2025 00:05:17 +0000 Subject: [PATCH 16/45] Update docs on latent entropy --- README.md | 3 +++ .../grub.d/40_kernel_hardening.cfg#security-misc-shared | 3 ++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index dc9649d..35005e7 100644 --- a/README.md +++ b/README.md @@ -261,6 +261,9 @@ Entropy: - Obtain more entropy at boot from RAM as the runtime memory allocator is being initialized. +- Obtain more entropy at boot from RAM as the runtime memory allocator is being + initialized to maximize the absolute quantity of entropy in the combined pool. + Networking: - Optional - Disable the entire IPv6 stack to reduce attack surface. diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index 2b7d217..db65fea 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared 
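Review bot: in the CPU block of this 40_kernel_hardening.cfg hunk, `Do not credit the CPU seeds as an entropy sources at boot` has the same number-agreement error as the README, while the new bootloader block (`as an entropy source`) gets it right. The Wikipedia link was also changed from `RDRAND#Reception` to the bare `RDRAND` page, dropping the anchor that pointed at the defect history the comment cites, and the arstechnica AMD microcode-bug link (a concrete instance of such a defect) was removed from the CPU block without explanation in the commit message; keep the `#Reception` anchor and either keep the arstechnica link or say why it went.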
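Review bot: the README hunk of PATCH 16/45 adds a second `Obtain more entropy at boot from RAM as the runtime memory allocator is being initialized ...` bullet directly after the existing one (kept as context) instead of replacing it, so the Entropy list now contains two near-duplicate bullets; this should be a `-`/`+` replacement of the existing bullet, as the commit subject `Update docs` suggests.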
+++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared @@ -324,8 +324,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_bootloader=off" ## Obtain more entropy during boot as the runtime memory allocator is being initialized. -## Entropy will be extracted from up to the first 4GB of RAM. +## Entropy will be extracted from up to the first 4GB of RAM as another source. ## Note that entropy extracted this way is not cryptographically secure and so is not credited. +## Maximizing the entropy pool at boot is desirable for all cryptographic operations. ## This will increase boot time due to interrupting the boot process. ## Requires the linux-hardened kernel patch. ## From a3830db09e3f567237caefb687ef2da877573b03 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sun, 9 Nov 2025 13:42:31 +0000 Subject: [PATCH 17/45] Update docs relating to panic on OOM --- README.md | 7 ++++--- .../sysctl.d/990-security-misc.conf#security-misc-shared | 5 +++-- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 8111c5f..0acc17b 100644 --- a/README.md +++ b/README.md 
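Review bot: the new line `Maximizing the entropy pool at boot is desirable for all cryptographic operations` sits directly under `entropy extracted this way is not cryptographically secure and so is not credited`, which reads as contradictory: if the RAM-derived input is not credited it does not raise the pool's entropy estimate. Say what it does do, e.g. that it is mixed into the pool as additional input without being credited, and align the README bullet in the same patch (`maximize the absolute quantity of entropy in the combined pool`) with that wording.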
@@ -52,9 +52,10 @@ configuration file and significant hardening is applied to a myriad of component - Force immediate system reboot on the occurrence of a single kernel panic, reducing the risk and impact of denial-of-service attacks and both cold and warm boot attacks. -- Optional - Force immediate kernel panic on OOM. This is to avoid security features such as the screen - locker, kloak, emerg-shutdown from being arbitrarily terminated when the system starts - running out of memory. +- Optional - Force immediate kernel panic on OOM (out of memory) which with the above setting + will force an immediate system reboot as opposed to placing any reliance on the oom_killer + to avoid arbitrarily terminating security features based on their OOM score. Note this + creates the risk of userspace-based denial-of-service attacks that maliciously fill memory. - Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. diff --git a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared index 9f2220d..84c038d 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared +++ b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared 
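Review bot: the rewritten OOM bullet is a single 50-word sentence (`Force immediate kernel panic on OOM ... which with the above setting will force ... as opposed to ... to avoid arbitrarily terminating ...`) whose clauses attach ambiguously; split it, e.g. `Force an immediate kernel panic on OOM (out of memory). Combined with the setting above, this reboots the system immediately instead of relying on the oom_killer, which would otherwise terminate processes, including security features, by OOM score.` and keep the denial-of-service caveat as its own sentence. The replaced text named the features at stake (screen locker, kloak, emerg-shutdown); the sysctl comment still does, so the README could keep one example.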
@@ -204,13 +204,14 @@ kernel.perf_event_paranoid=3 ## Note that this must be used with kernel.panic=-1 for it to be function as intended. ## This prevents security features such as the screen locker, kloak, and emerg-shutdown from being arbitrarily terminated. ## Enabling these two together creates a risk of userspace-based denial-of-service attacks that maliciously fill memory. -## This opinionated default forces immediate system reboot rather than placing any reliance on the oom_killer. +## This forces immediate system reboot rather than placing any reliance on the oom_killer. +## Known to cause extreme user experience problems with certain applications as the Tor Browser. +## Enabling by default requires improved upstream handling of user space OOM better accounting for desktop users. ## ## https://en.wikipedia.org/wiki/Out_of_memory ## https://forums.whonix.org/t/screen-locker-in-security-can-we-disable-these-at-least-4-backdoors/8128/14 ## https://github.com/KSPP/kspp.github.io/issues/9 ## https://github.com/Kicksecure/security-misc/issues/324 -## Needs more work. ## #vm.panic_on_oom=2 From b89aaea61e83aea6b23ea34a01dbb1e6bce1e2df Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Mon, 10 Nov 2025 06:03:33 +0000 Subject: [PATCH 18/45] Add docs on logging martian packets --- usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared index 84c038d..594ea33 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared +++ b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared 
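Review bot: in the sysctl hunk, `with certain applications as the Tor Browser` should be `such as the Tor Browser`, and `Enabling by default requires improved upstream handling of user space OOM better accounting for desktop users` is hard to parse; suggest `Enabling this by default requires upstream OOM handling that better accounts for desktop workloads.` Dropping `Needs more work.` is fine since that sentence now carries the same information.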
@@ -579,6 +579,8 @@ net.ipv4.tcp_timestamps=0 ## Known to cause performance issues, especially on systems with multiple interfaces. ## ## https://wiki.archlinux.org/title/Sysctl#Log_martian_packets +## https://www.cyberciti.biz/faq/linux-log-suspicious-martian-packets-un-routable-source-addresses/ +## https://support.scc.suse.com/s/kb/Martian-sources-errors-showing-in-messages-log?language=en_US ## https://github.com/Kicksecure/security-misc/issues/214 ## ## The logging of martian packets is currently disabled. From 5ac02d2d528a37fe1c162c4808b3d874a8c53159 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Mon, 10 Nov 2025 06:13:35 +0000 Subject: [PATCH 19/45] Set `net.ipv4.tcp_tw_reuse=0` --- README.md | 3 +++ .../990-security-misc.conf#security-misc-shared | 10 ++++++++++ 2 files changed, 13 insertions(+) diff --git a/README.md b/README.md index 8c232ae..da9becd 100644 --- a/README.md +++ b/README.md @@ -132,6 +132,9 @@ configuration file and significant hardening is applied to a myriad of component - Disable TCP timestamps as they can allow detecting the system time. +- Disable reuse of `TIME_WAIT` sockets for new outgoing connections as the above + setting disables TCP timestamps. + - Optional - Log packets with impossible source or destination addresses to enable further inspection and analysis. diff --git a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared index a4914da..c9a3f97 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared +++ b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared 
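Review bot: the new README bullet for `TIME_WAIT` reuse gives the reason (TCP timestamps are disabled above) but not the cost; other bullets in this list flag their trade-offs, and the sysctl comment added in the same patch notes possible port exhaustion on hosts with many short-lived connections, so mirror that caveat in the bullet.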
@@ -565,6 +565,16 @@ net.ipv6.conf.*.accept_ra=0 ## net.ipv4.tcp_timestamps=0 +## Disable reuse of TIME_WAIT sockets for new outgoing connections. +## The safety of reusing of TIME_WAIT sockets requires enabling TCP timestamps. +## The kernel uses timestamps to verify a new connection is not a duplicate segment from an older connection. +## Hence TIME-WAIT sockets should wait the full timeout period before being made available again. +## Can lead to port exhaustion on high-traffic networks with numerous short-lived connections. +## +## https://vincent.bernat.ch/en/blog/2014-tcp-time-wait-state-linux +## +net.ipv4.tcp_tw_reuse=0 + ## Enable logging of packets with impossible source or destination addresses. ## Martian and unroutable packets may be used for malicious purposes. ## Recommended to keep a (kernel dmesg) log of these to identify suspicious packets. From 0b9b9ffb1e87850e3296d0420c305062b66868d5 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Tue, 11 Nov 2025 11:32:47 +0000 Subject: [PATCH 20/45] Improve clarity for panic on OOM --- usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared index 594ea33..121ee5c 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared +++ b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared 
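Review bot: `The safety of reusing of TIME_WAIT sockets requires enabling TCP timestamps` should be `Safely reusing TIME_WAIT sockets requires TCP timestamps`, and the block mixes `TIME_WAIT` and `TIME-WAIT`; use `TIME_WAIT` throughout to match the sysctl documentation. Given the comment's own premise that reuse is only safe with timestamps, state that `net.ipv4.tcp_tw_reuse=0` is the explicit complement of `net.ipv4.tcp_timestamps=0` above, so nobody re-enables one without revisiting the other.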
@@ -201,7 +201,6 @@ kernel.perf_event_paranoid=3 ## Force immediate kernel panic on OOM (out of memory) scenarios. ## Registers a kernel panic whenever the oom_killer is triggered to kill some rouge process based on their OOM score. -## Note that this must be used with kernel.panic=-1 for it to be function as intended. ## This prevents security features such as the screen locker, kloak, and emerg-shutdown from being arbitrarily terminated. ## Enabling these two together creates a risk of userspace-based denial-of-service attacks that maliciously fill memory. ## This forces immediate system reboot rather than placing any reliance on the oom_killer. @@ -213,6 +212,8 @@ kernel.perf_event_paranoid=3 ## https://github.com/KSPP/kspp.github.io/issues/9 ## https://github.com/Kicksecure/security-misc/issues/324 ## +## Note that this must be used with kernel.panic=-1 for it to function as intended. +## #vm.panic_on_oom=2 ## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. From d891313d57b469c28c08993b05d355b29ea08397 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Tue, 11 Nov 2025 11:39:21 +0000 Subject: [PATCH 21/45] Provide options to panic upon receiving NMIs --- README.md | 4 ++++ ...90-security-misc.conf#security-misc-shared | 21 +++++++++++++++++++ 2 files changed, 25 insertions(+) diff --git a/README.md b/README.md index 8c232ae..a1acb1c 100644 --- a/README.md +++ b/README.md 
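Review bot: after the `kernel.panic=-1` note is moved below the reference list, the earlier sentence `Enabling these two together creates a risk of userspace-based denial-of-service attacks` no longer has an antecedent for `these two` at the point where it is read; either name both settings (`vm.panic_on_oom=2` with `kernel.panic=-1`) in that sentence or move it next to the relocated note. The context line `kill some rouge process` also has a typo (`rogue`) worth fixing while this block is being edited.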
@@ -56,6 +56,10 @@ configuration file and significant hardening is applied to a myriad of component locker, kloak, emerg-shutdown from being arbitrarily terminated when the system starts running out of memory. +- Optional - Force immediate kernel panics upon receiving NMIs (Non-Maskable Interrupts) + indicating serious hardware-level I/O issues, uncorrectable memory and hardware errors, + and undefined or unknowsources in order to prevent data corruption. + - Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. - Disable asynchronous I/O as `io_uring` has been the source of numerous kernel exploits. diff --git a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared index a4914da..7422c54 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared +++ b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared 
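Review bot: `undefined or unknowsources` in the new NMI bullet is missing a letter and a space (`undefined or unknown sources`); the list it closes also mixes error types with a source (`serious hardware-level I/O issues, uncorrectable memory and hardware errors, and undefined or unknown sources`), so rephrase the third item as `NMIs from undefined or unknown sources` to match the three sysctls it summarizes.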
@@ -208,6 +208,27 @@ kernel.perf_event_paranoid=3 ## #vm.panic_on_oom=2 +## Force immediate kernel panic on certain NMIs (Non-Maskable Interrupts). +## NMIs are hardware interrupts that cannot be ignored by standard interrupt-masking techniques. +## NMIs are reserved for critical events that require immediate attention. +## Panic upon a NMI indicating a serious hardware-level I/O issue to prevent data corruption. +## Panic upon a NMI indicating uncorrectable memory and hardware errors to prevent data corruption. +## Panic upon receiving an undefined or unknown NMI. +## All three must first be tested to ensure there are no pre-existing issues on user hardware. +## After confirming stability of each they can then be used and prevent data corruption from hardware sources. +## These are valuable for high-reliability systems where data integrity is critical. +## +## https://en.wikipedia.org/wiki/Non-maskable_interrupt +## https://www.kernel.org/doc/html/latest//trace/events-nmi.html +## https://0xax.gitbooks.io/linux-insides/content/Interrupts/linux-interrupts-6.html +## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux_for_real_time/7/html/reference_guide/non-maskable_interrupts +## +## Note that these must be used with kernel.panic=-1 for them to function as intended. +## +#kernel.panic_on_io_nmi=1 +#kernel.panic_on_unrecovered_nmi=1 +#kernel.unknown_nmi_panic=1 + ## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. ## Can lead to privilege escalation by pushing characters into a controlling TTY. ## Will break out-dated screen readers that continue to rely on this legacy functionality. From 99e993b885ca1fa30a871120b545f9334371cd5a Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sat, 15 Nov 2025 03:16:07 +0000 Subject: [PATCH 22/45] Provide options to enable AMD SME and SEV --- README.md | 3 +++ ..._kernel_hardening.cfg#security-misc-shared | 21 +++++++++++++++++++ 2 files changed, 24 insertions(+) 
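Review bot: `Panic upon a NMI` appears three times and should be `an NMI`; the kernel.org URL has a doubled slash (`latest//trace`); and `they can then be used and prevent data corruption` should be `to prevent` (PATCH 27/45 fixes this later in the series, so squash it here rather than landing a separate `Typo` commit). The comment says all three settings `must first be tested`; since they are shipped commented out, a sentence on how to test (e.g. what to look for in the kernel log before enabling each one) would make that instruction actionable.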
diff --git a/README.md b/README.md index 8c232ae..3596f74 100644 --- a/README.md +++ b/README.md @@ -238,6 +238,9 @@ Kernel space: - Disable the EFI persistent storage feature which prevents the kernel from writing crash logs and other persistent data to either the UEFI variable storage or ACPI ERST backends. +- Optional - On compatible AMD CPUs enable Secure Memory Encryption (SME) to protect against + cold boot attacks and Secure Encrypted Virtualization (SEV) for further guest memory isolation. + Direct memory access: - Enable strict IOMMU translation to protect against some DMA attacks via the use diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index 2eef877..962e37d 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared 
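Review bot: the README bullet says `On compatible AMD CPUs enable ... SME` but omits the prerequisite the config comment in the same patch gives (SME support must also be enabled in the BIOS/UEFI) and the fact that SEV only matters on hosts running VMs; mirror both in the bullet so a reader of the README alone knows when the option applies.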
@@ -237,6 +237,27 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi_pstore.pstore_disable=1" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX erst_disable" +## Enable AMD Secure Memory Encryption (SME) and Secure Encrypted Virtualization (SEV). +## SME encrypts memory with a single key at the kernel level to protect against cold boot attacks. +## SEV extends SME to VMs by encrypting the memory of each with a unique key for guest isolation. +## This is hardware-based encryption managed by the proprietary and closed-source AMD Platform Security Processor (PSP). +## Both require a compatible AMD CPU and support for SME to first be enabled in the BIOS/UEFI. +## Likely unavailable in consumer-grade AMD CPUs where Transparent SME (TSME) can be enabled in the BIOS/UEFI to achieve SME. +## May cause boot failure on certain hardware with incompatible DMA masks. +## +## https://www.kernel.org/doc/html/next/x86/amd-memory-encryption.html +## https://www.kernel.org/doc/html/latest/virt/kvm/x86/amd-memory-encryption.html +## https://docs.amd.com/v/u/en-US/memory-encryption-white-paper +## https://docs.amd.com/v/u/en-US/SEV-SNP-strengthening-vm-isolation-with-integrity-protection-and-more +## https://en.wikichip.org/wiki/x86/sme +## https://lore.kernel.org/lkml/YWvy9bSRaC+m1sV+@zn.tnic/T/#m01bcb37040b6b0d119d385d9a34b9c7ac4ce5f84 +## https://mricher.fr/post/amd-memory-encryption/ +## https://www.kicksecure.com/wiki/Dev/confidential_computing#AMD +## https://forums.whonix.org/t/enable-secure-memory-encryption-sme-kernel-parameter-mem-encrypt-by-default/10393 +## +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mem_encrypt=on" +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm_amd.sev=1" + ## 2. Direct Memory Access: ## ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#dma-attacks From b6fe1a5a6e164c7a7505b5e27ece582a1b928d82 Mon Sep 17 00:00:00 2001 
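Review bot: `Likely unavailable in consumer-grade AMD CPUs where Transparent SME (TSME) can be enabled in the BIOS/UEFI to achieve SME` implies but does not say that with TSME the `mem_encrypt=on` parameter is unnecessary; state that explicitly, and order the prerequisites so the BIOS/UEFI requirement comes before the consumer-CPU caveat. The block is headed `Enable AMD ... SME ... and SEV` but both parameters are commented out; add `Optional` (as the README bullet does) so the heading matches the shipped state.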
From: raja-grewal Date: Sat, 15 Nov 2025 04:51:01 +0000 Subject: [PATCH 23/45] Make panic related settings consistent Ensures the `sysctl` and boot parameters are equivalent in settings and in description. This should prevent future questions regarding having omitted boot parameters that were actually redundant. --- README.md | 7 +++-- ..._kernel_hardening.cfg#security-misc-shared | 26 ++++++++++++++++--- 2 files changed, 27 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 0acc17b..9d069d5 100644 --- a/README.md +++ b/README.md @@ -219,8 +219,11 @@ Kernel space: - Restrict access to debugfs by not registering the file system since it can contain sensitive information. -- Force kernel panics on "oopses" to potentially indicate and thwart certain - kernel exploitation attempts. +- Force the kernel to immediately panic on both "oopses" (which can potentially indicate + and thwart certain kernel exploitation attempts) and kernel warnings in the `WARN()` path. + +- Force immediate system reboot on the occurrence of a single kernel panic, reducing the + risk and impact of denial-of-service attacks and both cold and warm boot attacks. - Optional - Modify the machine check exception handler. diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index db65fea..f67c6c3 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared 
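Review bot: this README hunk adds `Force immediate system reboot on the occurrence of a single kernel panic, reducing the risk and impact of denial-of-service attacks and both cold and warm boot attacks` under Kernel space, but an identical bullet already exists earlier in the README (visible as context at lines 52-54 in the PATCH 17/45 hunk); keep one copy, or reference the earlier bullet, since the commit message's goal is consistency.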
@@ -126,22 +126,40 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none" ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" -## Force the kernel to immediately panic on "oopses". +## Force the kernel to immediately panic on "oopses" and kernel warnings in the WARN() path. ## Panics may be due to false-positives such as bad drivers. +## Both allowed limits are set to one so that panics occur on the single first instance of either scenario. ## Oopses are serious but non-fatal errors. ## Certain "oopses" can sometimes indicate and thwart potential kernel exploitation attempts. -## Note that by forcing kernel panics on oopses, this exposes the system to targeted denial-of-service attacks. +## Warnings are messages generated by the kernel to indicate unexpected conditions or errors. +## By default, code execution continues regardless of warnings emitted by macros like WARN() and WARN_ON(). +## Note that by forcing kernel panics on oopses and warnings, this exposes the system to targeted denial of service attacks. ## ## https://en.wikipedia.org/wiki/Kernel_panic#Linux ## https://en.wikipedia.org/wiki/Linux_kernel_oops -## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713 +## https://lwn.net/Articles/876209/ +## https://git.sr.ht/~gregkh/presentation-security/tree/3fdaf81a2f8b2c8d64cdb2f529cc714624868aa8/item/security-stuff.pdf +## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panisc-on-oops-1-sysctl-for-better-security/7713 ## ## KSPP=yes -## KSPP sets CONFIG_PANIC_ON_OOPS=y and CONFIG_PANIC_TIMEOUT=-1. +## KSPP sets CONFIG_PANIC_ON_OOPS=y. ## ## See /usr/libexec/security-misc/panic-on-oops for implementation. ## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX oops=panic" +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX panic_on_warn=1" + +## Force immediate system reboots on the occurrence of a single kernel panic. 
+## Increases resilience and limits impact of denial of service attacks as system automatically restarts. +## Ensures the system does not hang forever if a panic occurs, reducing susceptibility to both cold and warm boot attacks. +## Immediate rebooting also prevents persistent information disclosure on panic details that were dumped to screen. +## +## KSPP=yes +## KSPP sets CONFIG_PANIC_TIMEOUT=-1. +## +## See /usr/libexec/security-misc/panic-on-oops for implementation. +## +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX panic=-1" ## Modify machine check exception handler. ## Can decide whether the system should panic or not based on the occurrence of an exception. From 9f897c5ccda781d010077446abb3d176cf929c94 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sat, 15 Nov 2025 05:48:33 +0000 Subject: [PATCH 24/45] Update docs on reducing the MCE tolerance level --- README.md | 3 ++- .../40_kernel_hardening.cfg#security-misc-shared | 16 ++++++++++++---- 2 files changed, 14 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 9d069d5..4ee2d0b 100644 --- a/README.md +++ b/README.md @@ -225,7 +225,8 @@ Kernel space: - Force immediate system reboot on the occurrence of a single kernel panic, reducing the risk and impact of denial-of-service attacks and both cold and warm boot attacks. -- Optional - Modify the machine check exception handler. +- Optional - Reduce the the Machine Check Exception (MCE) handler tolerance level to + always force kernel panics on any uncorrected hardware errors detected by the CPU. - Prevent sensitive kernel information leaks in the console during boot. diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index f67c6c3..da6b63a 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared 
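Review bot: `Both allowed limits are set to one so that panics occur on the single first instance of either scenario` does not correspond to the two parameters shown (`oops=panic` and `panic_on_warn=1` carry no limit value); if it refers to the `kernel.oops_limit` / `kernel.warn_limit` sysctls handled in /usr/libexec/security-misc/panic-on-oops, say so, otherwise drop the sentence. The whonix forum URL was also rewritten and now contains `kernel-panisc-on-oops-1` where the removed line had `kernel-panic-on-oops-1`, which looks like an introduced typo; and `denial of service` in the new text differs from `denial-of-service` used in the README hunk of the same patch.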
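Review bot: `Reduce the the Machine Check Exception (MCE)` in the PATCH 24/45 README hunk doubles `the`; and since PATCH 25/45 removes this bullet and its config block again, consider dropping both commits from the series rather than landing an option and reverting it in the next commit.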
@@ -161,14 +161,22 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX panic=-1" -## Modify machine check exception handler. -## Can decide whether the system should panic or not based on the occurrence of an exception. +## Reduce the Machine Check Exception (MCE) handler tolerance level. +## Machine checks report internal hardware error conditions detected by the CPU. +## Force the kernel to always panic on any uncorrected errors. +## Improves security using ECC memory against vulnerabilities like Rowhammer. +## Note current x86 CPUs generally do not allow recovery from MCEs. +## Must first be tested to ensure there are no pre-existing issues on user hardware. +## The default kernel setting should be utilized until provided sufficient evidence to modify. ## ## https://www.kernel.org/doc/html/latest/arch/x86/x86_64/machinecheck.html -## https://www.kernel.org/doc/html/latest/arch/x86/x86_64/boot-options.html#machine-check +## https://www.kernel.org/doc/Documentation/x86/x86_64/boot-options.txt +## https://www.kernel.org/doc/Documentation/x86/x86_64/machinecheck +## https://en.wikipedia.org/wiki/Machine-check_exception#Linux +## https://groups.google.com/g/rowhammer-discuss/c/9Vgso6u2GP0 ## https://forums.whonix.org/t/kernel-hardening/7296/494 ## -## The default kernel setting will be utilized until provided sufficient evidence to modify. +## Note that this must be used with panic=-1 for it to function as intended. ## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0" From 29176d2ed29b07c4da9b9c0df1eefd2bda70b984 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sat, 15 Nov 2025 06:30:11 +0000 Subject: [PATCH 25/45] Remove the option to reduce the MCE tolerance level --- README.md | 3 --- ..._kernel_hardening.cfg#security-misc-shared | 19 ------------------- 2 files changed, 22 deletions(-) diff --git a/README.md b/README.md index 4ee2d0b..112ab3b 100644 --- a/README.md +++ b/README.md 
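Review bot: `Improves security using ECC memory against vulnerabilities like Rowhammer` leaves the mechanism implicit; the preceding line `Force the kernel to always panic on any uncorrected errors` is the link (an uncorrectable ECC error raises an MCE, and `mce=0` turns that into a panic), so spell it out. `Note current x86 CPUs generally do not allow recovery from MCEs` also reads as a reason the setting is redundant rather than needed; clarify which. The two kernel.org links now point at the old plain-text `Documentation/x86/x86_64/` paths while the rest of the file uses the html paths. Moot if PATCH 25/45 stays in the series.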
@@ -225,9 +225,6 @@ Kernel space: - Force immediate system reboot on the occurrence of a single kernel panic, reducing the risk and impact of denial-of-service attacks and both cold and warm boot attacks. -- Optional - Reduce the the Machine Check Exception (MCE) handler tolerance level to - always force kernel panics on any uncorrected hardware errors detected by the CPU. - - Prevent sensitive kernel information leaks in the console during boot. - Enable the kernel Electric-Fence sampling-based memory safety error detector diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index da6b63a..7ab1e46 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared 
@@ -161,25 +161,6 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX panic=-1" -## Reduce the Machine Check Exception (MCE) handler tolerance level. -## Machine checks report internal hardware error conditions detected by the CPU. -## Force the kernel to always panic on any uncorrected errors. -## Improves security using ECC memory against vulnerabilities like Rowhammer. -## Note current x86 CPUs generally do not allow recovery from MCEs. -## Must first be tested to ensure there are no pre-existing issues on user hardware. -## The default kernel setting should be utilized until provided sufficient evidence to modify. -## -## https://www.kernel.org/doc/html/latest/arch/x86/x86_64/machinecheck.html -## https://www.kernel.org/doc/Documentation/x86/x86_64/boot-options.txt -## https://www.kernel.org/doc/Documentation/x86/x86_64/machinecheck -## https://en.wikipedia.org/wiki/Machine-check_exception#Linux -## https://groups.google.com/g/rowhammer-discuss/c/9Vgso6u2GP0 -## https://forums.whonix.org/t/kernel-hardening/7296/494 -## -## Note that this must be used with panic=-1 for it to function as intended. -## -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0" - ## Prevent sensitive kernel information leaks in the console during boot. ## Must be used in combination with the kernel.printk sysctl. ## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation. From 62dc2d448366d190812773ec9eeadd38e1223cbc Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Tue, 18 Nov 2025 20:31:46 +1100 Subject: [PATCH 26/45] Add note about Intel TME --- etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index 962e37d..61aad7c 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared 
+++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared @@ -243,6 +243,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX erst_disable" ## This is hardware-based encryption managed by the proprietary and closed-source AMD Platform Security Processor (PSP). ## Both require a compatible AMD CPU and support for SME to first be enabled in the BIOS/UEFI. ## Likely unavailable in consumer-grade AMD CPUs where Transparent SME (TSME) can be enabled in the BIOS/UEFI to achieve SME. +## Note the corresponding Intel Total Memory Encryption (TME) can also be enabled via the BIOS/UEFI. ## May cause boot failure on certain hardware with incompatible DMA masks. ## ## https://www.kernel.org/doc/html/next/x86/amd-memory-encryption.html From ebc011e67bff659778cbca2240c5e57d663f3f41 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 19 Nov 2025 11:35:04 +1100 Subject: [PATCH 27/45] Typo --- usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared index 7422c54..f1288c3 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared +++ b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared @@ -215,7 +215,7 @@ kernel.perf_event_paranoid=3 ## Panic upon a NMI indicating uncorrectable memory and hardware errors to prevent data corruption. ## Panic upon receiving an undefined or unknown NMI. ## All three must first be tested to ensure there are no pre-existing issues on user hardware. -## After confirming stability of each they can then be used and prevent data corruption from hardware sources. +## After confirming stability of each they can then be used to prevent data corruption from hardware sources. ## These are valuable for high-reliability systems where data integrity is critical. ## ## https://en.wikipedia.org/wiki/Non-maskable_interrupt 
From 5c4d3162ab3c5178502c1f48e6288dc86cc45bb1 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 23 Nov 2025 05:25:13 -0500 Subject: [PATCH 28/45] fix --- .../30_security-misc.conf#security-misc-shared | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr/lib/systemd/system/usbguard.service.d/30_security-misc.conf#security-misc-shared b/usr/lib/systemd/system/usbguard.service.d/30_security-misc.conf#security-misc-shared index fa87f09..24cb0da 100644 --- a/usr/lib/systemd/system/usbguard.service.d/30_security-misc.conf#security-misc-shared +++ b/usr/lib/systemd/system/usbguard.service.d/30_security-misc.conf#security-misc-shared @@ -3,4 +3,6 @@ [Unit] ConditionPathExists=/sys/bus/usb + +[Service] ExecCondition=/usr/libexec/security-misc/check-for-usb-controller From ec11679514d54c9a61e7c4e35ce81467b12333f4 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 23 Nov 2025 10:26:13 +0000 Subject: [PATCH 29/45] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index cb06465..1f63788 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit 5c4d3162ab3c5178502c1f48e6288dc86cc45bb1 +Author: Patrick Schleizer +Date: Sun Nov 23 05:25:13 2025 -0500 + + fix + +commit 9f85a78c9919d71c3e92099cac8525ac385aea5c +Author: Patrick Schleizer +Date: Wed Nov 19 07:02:14 2025 +0000 + + bumped changelog version + commit 4e7cfb0d061810ec7c3139379a65db83abc39efc Merge: d267cf67 936c799c Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index 84d868a..78157df 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:50.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 23 Nov 2025 10:26:13 +0000 + security-misc (3:50.1-1) unstable; urgency=medium * New upstream version (local package). 
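Review bot: The commit message "fix" does not say what was wrong; the hunk moves `ExecCondition=` out of `[Unit]` into a new `[Service]` section, which is the section that directive belongs to, so the message should state that the drop-in previously placed `ExecCondition=` under the wrong section and the USB-controller check therefore did not take effect as intended. A short note in the drop-in itself ("ExecCondition must live in [Service]") would also stop the next edit from reintroducing the mistake.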
From edda37809fb186f6d85511e774957b701483ca66 Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Sun, 23 Nov 2025 14:54:02 -0600 Subject: [PATCH 30/45] Remove obsolete migration code for permission-hardener, add initial permission-hardener state installation code --- debian/security-misc-shared.postinst | 78 +++++++++++++++++----------- 1 file changed, 49 insertions(+), 29 deletions(-) diff --git a/debian/security-misc-shared.postinst b/debian/security-misc-shared.postinst index f77f39a..aeedc44 100755 --- a/debian/security-misc-shared.postinst +++ b/debian/security-misc-shared.postinst 
@@ -37,39 +37,55 @@ permission_hardening() { echo "$0: INFO: Permission hardening success." } -migrate_permission_hardener_state() { - local existing_mode_dir new_mode_dir dpkg_statoverride_list - ## If folder /var/lib/permission-hardener (version 1) does not exist, this migration is unneeded. - if [ ! -d '/var/lib/permission-hardener' ]; then - return 0 - fi +install_permission_hardener_base_state() { + local state_str if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_2" ]; then return 0 fi mkdir --parents '/var/lib/security-misc/do_once' - existing_mode_dir='/var/lib/permission-hardener-v2/existing_mode' - new_mode_dir='/var/lib/permission-hardener-v2/new_mode' - - mkdir --parents "${existing_mode_dir}"; - mkdir --parents "${new_mode_dir}"; - - cp --verbose '/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded' "${existing_mode_dir}/statoverride" - cp --verbose '/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded' "${new_mode_dir}/statoverride" - - dpkg_statoverride_list="$(dpkg-statoverride --admindir "${new_mode_dir}" --list)" - - if [ "$(stat --format '%G' /usr/bin/sudo)" = 'sysmaint' ]; then - if ! [[ "${dpkg_statoverride_list}" =~ '/usr/bin/sudo' ]]; then - dpkg-statoverride --admindir "${new_mode_dir}" --add 'root' 'sysmaint' '4750' '/usr/bin/sudo' - fi - fi - if [ "$(stat --format '%G' /usr/bin/pkexec)" = 'sysmaint' ]; then - if ! 
[[ "${dpkg_statoverride_list}" =~ '/usr/bin/pkexec' ]]; then - dpkg-statoverride --admindir "${new_mode_dir}" --add 'root' 'sysmaint' '4750' '/usr/bin/pkexec' - fi - fi + mkdir --parents -- '/var/lib/permission-hardener-v2/existing_mode' + state_str="root root 644 /etc/passwd- +root root 755 /etc/cron.monthly +root root 755 /etc/sudoers.d +root shadow 2755 /usr/bin/expiry +root root 4755 /usr/bin/umount +root root 4755 /usr/bin/gpasswd +root root 755 /usr/lib/modules +root root 644 /etc/issue.net +root root 644 /etc/group- +root root 4755 /usr/bin/newgrp +root root 755 /etc/cron.weekly +root root 4755 /usr/lib/polkit-1/polkit-agent-helper-1 +root root 644 /etc/hosts.deny +root root 4755 /usr/bin/newgidmap +root root 644 /etc/issue.kicksecure +root root 4755 /usr/bin/pkexec +root root 4755 /usr/bin/su +root root 644 /etc/hosts.allow +root root 700 /root +root root 755 /etc/cron.daily +root root 644 /etc/motd +root root 4755 /usr/bin/newuidmap +root root 755 /boot +root root 755 /home +root shadow 2755 /usr/bin/chage +root root 4755 /usr/lib/openssh/ssh-keysign +root root 4755 /usr/bin/ntfs-3g +root root 4755 /usr/bin/chsh +root root 644 /etc/motd.kicksecure +root root 755 /usr/bin/su-to-root +root root 4755 /usr/bin/passwd +root root 4755 /usr/bin/chfn +root root 644 /etc/group +root root 4755 /usr/bin/sudo +root root 644 /etc/passwd +root root 755 /usr/src +root root 4755 /usr/bin/mount +root root 644 /etc/issue +root root 755 /etc/cron.d" + printf '%s\n' "$state_str" | tee /var/lib/permission-hardener-v2/existing_mode/statoverride touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_2" } 
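Review bot: `install_permission_hardener_base_state` writes the hardcoded list to `existing_mode/statoverride` whenever its do_once marker is absent, with no check that the file already exists; on an upgraded system where permission-hardener has already recorded the real original modes, the first run of this postinst overwrites that record with stock values. Guard on `[ -f .../existing_mode/statoverride ]` before writing. Two further points on the same hunk: the list bakes in Debian defaults such as `root root 700 /root` and `root root 755 /home`, so an undo on a system where an administrator had changed those would "restore" values that were never the originals (worth a comment next to the list), and `printf ... | tee` echoes all forty entries to the postinst output, where a plain redirect (with `--` before the path) would be quieter.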
@@ -87,8 +103,12 @@ case "$1" in ## state dir for faillock mkdir -p /var/lib/security-misc/faillock - ## migrate permission_hardener state to v2 if applicable - migrate_permission_hardener_state + ## Pre-populate permission-hardener state on first postinst run. + ## Necessary because the first permission-hardener run may occur + ## before all permissions are set properly by package postinst + ## scripts. In particular, pkexec is not SUID-root until after its + ## postinst runs. + install_permission_hardener_base_state ## Fix usbguard config permissions, this seemingly can't be done ## during the unpack stage From a3417e997d26e9a88d30da408d470fab98f58d79 Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Sun, 23 Nov 2025 16:27:59 -0600 Subject: [PATCH 31/45] Add pkexec remembered permissions fix for permission-hardener, fix some postinst bugs --- debian/security-misc-shared.postinst | 35 +++++++++++++++++++++++++--- 1 file changed, 32 insertions(+), 3 deletions(-) diff --git a/debian/security-misc-shared.postinst b/debian/security-misc-shared.postinst index aeedc44..7e27381 100755 --- a/debian/security-misc-shared.postinst +++ b/debian/security-misc-shared.postinst 
@@ -37,14 +37,40 @@ permission_hardening() { echo "$0: INFO: Permission hardening success." } +fix_pkexec_remembered_permissions() { + if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" ]; then + return 0 + fi + mkdir --parents '/var/lib/security-misc/do_once' + + if ! [ -f "/var/lib/permission-hardener-v2/existing_mode/statoverride" ]; then + touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" + return 0 + fi + + ## The existing_mode database may incorrectly list the original permissions + ## of pkexec as '755'. They should be '4755'. Fix this with str_replace. If + ## this issue is not present, str_replace will do nothing. + str_replace 'root root 755 /usr/bin/pkexec' \ + 'root root 4755 /usr/bin/pkexec' \ + /var/lib/permission-hardener-v2/existing_mode/statoverride + + touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" +} + install_permission_hardener_base_state() { local state_str - if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_2" ]; then - return 0 + if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" ]; then + return 0 fi mkdir --parents '/var/lib/security-misc/do_once' + if [ -f "/var/lib/permission-hardener-v2/existing_mode/statoverride" ]; then + touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" + return 0 + fi + mkdir --parents -- '/var/lib/permission-hardener-v2/existing_mode' state_str="root root 644 /etc/passwd- root root 755 /etc/cron.monthly @@ -87,7 +113,7 @@ root root 644 /etc/issue root root 755 /etc/cron.d" printf '%s\n' "$state_str" | tee /var/lib/permission-hardener-v2/existing_mode/statoverride - touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_2" + touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" } case "$1" in 
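Review bot: `str_replace` is not defined anywhere in the visible script, so the first hunk depends on it being sourced from a helper library; confirm that, and that it performs a literal (not regex) replacement and fails non-zero when it cannot write the file, because the do_once marker is touched unconditionally right after the call and a silent failure would be recorded as done. Also, `root root 755 /usr/bin/pkexec` is matched as a substring, so make sure the helper anchors on whole lines rather than, say, matching a line for a file whose name merely starts with `/usr/bin/pkexec`.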
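Review bot: Renaming the marker in the second hunk from `${FUNCNAME[0]}_version_2` to `${FUNCNAME[0]}_version_1` leaves a stale `_version_2` file on systems that already ran the previous postinst and causes `install_permission_hardener_base_state` to execute once more; that is harmless only because of the new `[ -f .../statoverride ]` early return added in the first hunk, so the two changes must land together. Say so in the commit message ("fix some postinst bugs" does not tell a packager which bug the rename addresses), or keep `_version_2` so the previous marker still applies.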
@@ -103,6 +129,9 @@ case "$1" in ## state dir for faillock mkdir -p /var/lib/security-misc/faillock + ## Fix pkexec remembered permissions if necessary. + fix_pkexec_remembered_permissions + ## Pre-populate permission-hardener state on first postinst run. ## Necessary because the first permission-hardener run may occur ## before all permissions are set properly by package postinst From d68988e76cda939ce200d970e19310cadba5d08e Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 24 Nov 2025 03:17:25 -0500 Subject: [PATCH 32/45] comments --- debian/security-misc-shared.postinst | 2 ++ 1 file changed, 2 insertions(+) diff --git a/debian/security-misc-shared.postinst b/debian/security-misc-shared.postinst index 7e27381..d7e6c91 100755 --- a/debian/security-misc-shared.postinst +++ b/debian/security-misc-shared.postinst @@ -44,6 +44,7 @@ fix_pkexec_remembered_permissions() { mkdir --parents '/var/lib/security-misc/do_once' if ! [ -f "/var/lib/permission-hardener-v2/existing_mode/statoverride" ]; then + ## 'statoverride' file does not exist yet. Therefore no need to fix it using 'str_replace'. touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" return 0 fi @@ -67,6 +68,7 @@ install_permission_hardener_base_state() { mkdir --parents '/var/lib/security-misc/do_once' if [ -f "/var/lib/permission-hardener-v2/existing_mode/statoverride" ]; then + ## 'statoverride' file already exists. Therefore no need to pre-populate it. touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" return 0 fi From cac73c3154b3278ad71edc0fd159afc71d5dbc45 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 24 Nov 2025 03:17:38 -0500 Subject: [PATCH 33/45] minor --- debian/security-misc-shared.postinst | 1 + 1 file changed, 1 insertion(+) diff --git a/debian/security-misc-shared.postinst b/debian/security-misc-shared.postinst index d7e6c91..090e1e2 100755 --- a/debian/security-misc-shared.postinst +++ b/debian/security-misc-shared.postinst 
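Review bot: The call order here matters and deserves a comment: `fix_pkexec_remembered_permissions` runs before `install_permission_hardener_base_state`, and when `statoverride` does not exist yet it touches its do_once marker and returns, so the `str_replace` fix is never applied later. That is only correct because the base state written afterwards already records `root root 4755 /usr/bin/pkexec`; add a sentence to the "## Fix pkexec remembered permissions if necessary." comment explaining that the fix is intentionally skipped on fresh installs for this reason.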
@@ -113,6 +113,7 @@ root root 755 /usr/src root root 4755 /usr/bin/mount root root 644 /etc/issue root root 755 /etc/cron.d" + printf '%s\n' "$state_str" | tee /var/lib/permission-hardener-v2/existing_mode/statoverride touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" From cbd35502f19e74b6f95ff40bf03f02806eef3cdc Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 24 Nov 2025 03:18:25 -0500 Subject: [PATCH 34/45] comment --- debian/security-misc-shared.postinst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/security-misc-shared.postinst b/debian/security-misc-shared.postinst index 090e1e2..a246308 100755 --- a/debian/security-misc-shared.postinst +++ b/debian/security-misc-shared.postinst @@ -129,7 +129,7 @@ case "$1" in ## /usr/share/glib-2.0/schemas/30_security-misc.gschema.override glib-compile-schemas /usr/share/glib-2.0/schemas || true - ## state dir for faillock + ## state dir for PAM 'faillock' mkdir -p /var/lib/security-misc/faillock ## Fix pkexec remembered permissions if necessary. From 2089b3a9b8e9d10c06850f0329f7e2eb8a8a12cc Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 24 Nov 2025 08:44:10 +0000 Subject: [PATCH 35/45] bumped changelog version --- changelog.upstream | 43 +++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 49 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 1f63788..0afdae7 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,46 @@ +commit cbd35502f19e74b6f95ff40bf03f02806eef3cdc +Author: Patrick Schleizer +Date: Mon Nov 24 03:18:25 2025 -0500 + + comment + +commit cac73c3154b3278ad71edc0fd159afc71d5dbc45 +Author: Patrick Schleizer +Date: Mon Nov 24 03:17:38 2025 -0500 + + minor + +commit d68988e76cda939ce200d970e19310cadba5d08e +Author: Patrick Schleizer +Date: Mon Nov 24 03:17:25 2025 -0500 + + comments + +commit c1ca36d75888b95835b953c3a8a122954c1e5929 +Merge: ec116795 a3417e99 +Author: Patrick Schleizer +Date: Mon Nov 24 03:11:19 2025 -0500 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/trixie' + +commit a3417e997d26e9a88d30da408d470fab98f58d79 +Author: Aaron Rainbolt +Date: Sun Nov 23 16:27:59 2025 -0600 + + Add pkexec remembered permissions fix for permission-hardener, fix some postinst bugs + +commit edda37809fb186f6d85511e774957b701483ca66 +Author: Aaron Rainbolt +Date: Sun Nov 23 14:54:02 2025 -0600 + + Remove obsolete migration code for permission-hardener, add initial permission-hardener state installation code + +commit ec11679514d54c9a61e7c4e35ce81467b12333f4 +Author: Patrick Schleizer +Date: Sun Nov 23 10:26:13 2025 +0000 + + bumped changelog version + commit 5c4d3162ab3c5178502c1f48e6288dc86cc45bb1 Author: Patrick Schleizer Date: Sun Nov 23 05:25:13 2025 -0500 diff --git a/debian/changelog b/debian/changelog index 78157df..bd0e15f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:50.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 24 Nov 2025 08:44:09 +0000 + security-misc (3:50.2-1) unstable; urgency=medium * New upstream version (local package). From 65c45fc3d799cdf6402328cc61cbdd1949a12945 Mon Sep 17 00:00:00 2001 
From: Aaron Rainbolt Date: Fri, 28 Nov 2025 00:13:45 -0600 Subject: [PATCH 36/45] Minor fixes to NMI panic docs --- README.md | 4 ++-- usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 0ffb261..1979306 100644 --- a/README.md +++ b/README.md @@ -57,8 +57,8 @@ configuration file and significant hardening is applied to a myriad of component running out of memory. - Optional - Force immediate kernel panics upon receiving NMIs (Non-Maskable Interrupts) - indicating serious hardware-level I/O issues, uncorrectable memory and hardware errors, - and undefined or unknowsources in order to prevent data corruption. + triggered by serious hardware-level I/O issues, uncorrectable memory and hardware errors, + and undefined or unknown sources in order to prevent data corruption. - Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. diff --git a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared index f1288c3..561bac9 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared +++ b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared @@ -219,8 +219,8 @@ kernel.perf_event_paranoid=3 ## These are valuable for high-reliability systems where data integrity is critical. ## ## https://en.wikipedia.org/wiki/Non-maskable_interrupt -## https://www.kernel.org/doc/html/latest//trace/events-nmi.html -## https://0xax.gitbooks.io/linux-insides/content/Interrupts/linux-interrupts-6.html +## https://www.kernel.org/doc/html/latest/trace/events-nmi.html +## https://0xax.gitbook.io/linux-insides/summary/interrupts/linux-interrupts-6 ## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux_for_real_time/7/html/reference_guide/non-maskable_interrupts ## ## Note that these must be used with kernel.panic=-1 for them to function as intended. 
From f0d069c7968e2ee10d7104ce1ba502d3122b0ab2 Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Sat, 29 Nov 2025 20:15:03 -0600 Subject: [PATCH 37/45] Minor README.md corrections --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 250fb0b..48a4db9 100644 --- a/README.md +++ b/README.md @@ -215,8 +215,8 @@ Kernel space: - Enable the kernel page allocator to randomize free lists to limit some data exfiltration and ROP attacks, especially during the early boot process. -- Enable kernel page table isolation on X86_64 CPUs to increase KASLR effectiveness - and also mitigate the Meltdown CPU vulnerability. +- Enable kernel page table isolation on x86_64 and ARM64 CPUs to increase + KASLR effectiveness and also mitigate the Meltdown CPU vulnerability. - Enable randomization of the kernel stack offset on syscall entries to harden against memory corruption attacks. From 17ab1bb00fe287c4c941d9cd3813ee3a3ae89ade Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Sat, 29 Nov 2025 20:44:30 -0600 Subject: [PATCH 38/45] Documentation fix --- .../grub.d/40_kernel_hardening.cfg#security-misc-shared | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index b6f2a66..c6b878f 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared 
@@ -274,8 +274,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX erst_disable" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX bdev_allow_write_mounted=0" ## Restrict processes from modifying their own memory mappings. -## Prevents the use of FULL_FORCE by a processes unless via ptrace() for debugging. -## Limit self-modification which can be used trigger race condition vulnerabilities. +## Prevents the use of /proc/PID/mem to write to protected pages via the kernel's +## mem_rw() FOLL_FORCE flag. This makes it harder to trick applications into +## overwriting their own memory. ## ## https://lore.kernel.org/lkml/20240712-vfs-procfs-ce7e6c7cf26b@brauner/ ## https://lwn.net/Articles/983169/ From b3eb739fe2662acfbd844de8d87af4720727fc7a Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Sun, 30 Nov 2025 00:20:21 -0600 Subject: [PATCH 39/45] Link fix, change some wording --- README.md | 6 +++--- .../grub.d/40_kernel_hardening.cfg#security-misc-shared | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index f63815a..41a9556 100644 --- a/README.md +++ b/README.md @@ -270,10 +270,10 @@ Direct memory access: Entropy: -- Do not credit the CPU seeds as an entropy sources at boot in order to maximize the +- Do not credit the CPU seeds as an entropy source at boot in order to maximize the absolute quantity of entropy in the combined pool. This is desirable for all - cryptographic operations reliant proprietary on RDRAND and RDSEED CPU instructions - for random number generation that have long history of being defective. + cryptographic operations, to avoid reliance on proprietary RDRAND and RDSEED CPU + instructions for random number generation that have long history of being defective. - Do not credit the bootloader seeds as an entropy sources at boot to maximize the absolute quantity of entropy in the combined pool. This is desirable for all 
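Review bot: The rewritten comment drops the ptrace exception that the old text carried ("unless via ptrace() for debugging"); the parameter actually set is `proc_mem.force_override=ptrace` (per the changelog entry "Set `proc_mem.force_override=ptrace`"), which still permits FOLL_FORCE writes for a tracer attached via ptrace. Keep that qualification in the description so readers do not assume `/proc/PID/mem` writes are blocked unconditionally, and fix the remaining grammar in the same sentence while here ("harder to trick applications into overwriting" is fine; the earlier "by a processes" is gone, good).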
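Review bot: In the README entropy hunk the new wording still reads "instructions for random number generation that have long history of being defective"; it should be "that have a long history". The same "as an entropy sources" mistake corrected in the first bullet is also present, unchanged, in the context line of the next bullet ("Do not credit the bootloader seeds as an entropy sources at boot"), so fix both in this commit rather than leaving one.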
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index c11a46d..33722f6 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared @@ -141,7 +141,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## https://en.wikipedia.org/wiki/Linux_kernel_oops ## https://lwn.net/Articles/876209/ ## https://git.sr.ht/~gregkh/presentation-security/tree/3fdaf81a2f8b2c8d64cdb2f529cc714624868aa8/item/security-stuff.pdf -## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panisc-on-oops-1-sysctl-for-better-security/7713 +## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713 ## ## KSPP=yes ## KSPP sets CONFIG_PANIC_ON_OOPS=y. From 0534a34ed7246793db384518cfbecb3adfcb7f3e Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Tue, 2 Dec 2025 19:06:30 -0600 Subject: [PATCH 40/45] Fix block-unsafe-logins when running as non-root, add swaylock to list of safe auth services --- .../block-unsafe-logins#security-misc-shared | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/usr/libexec/security-misc/block-unsafe-logins#security-misc-shared b/usr/libexec/security-misc/block-unsafe-logins#security-misc-shared index 3230ff3..1fca650 100755 --- a/usr/libexec/security-misc/block-unsafe-logins#security-misc-shared +++ b/usr/libexec/security-misc/block-unsafe-logins#security-misc-shared @@ -39,7 +39,7 @@ if [[ "$kernel_cmdline" =~ 'boot-role=sysmaint' ]]; then printf '%s\n' 'ERROR: Rejecting non-sysmaint account in sysmaint session!' exit 1 fi - true 'INFO: Running in sysmaint session and logging into sysmaint account, allowing authentication to proceed.' + true 'INFO: Running in sysmaint session and authenticating as sysmaint account, allowing authentication to proceed.' exit 0 fi 
@@ -72,7 +72,7 @@ fi ## tools do not permit privilege escalation from one user to another, and ## passwordless login is expected to work even for sensitive accounts. -login_service_list=( 'login' 'greetd' 'sshd' ) +login_service_list=( 'login' 'greetd' 'sshd' 'swaylock' ) for login_service in "${login_service_list[@]}"; do if [ "$PAM_SERVICE" = "$login_service" ]; then true "INFO: Login service '$PAM_SERVICE' is considered safe, allowing authentication to proceed." @@ -97,7 +97,17 @@ fi ## attack would require root privileges to execute though, so this is likely ## not a concern. We do this before checking if $PAM_USER is in the list of ## interactive users to keep the race window as short as possible. -if ! output="$(/usr/libexec/helper-scripts/get-password-status-list)"; then +## +## NOTE: PAM modules may run as non-root in some instances (such as when used +## by Swaylock). +if [ "$(id -u)" = '0' ]; then + passwd_status_list_cmd=( + '/usr/libexec/helper-scripts/get-password-status-list' + ) +else + passwd_status_list_cmd=( 'leaprun' 'get-password-status-list' ) +fi +if ! output="$("${passwd_status_list_cmd[@]}")"; then printf '%s\n' 'ERROR: Failed to get password status list!' exit 1 fi From 17dd7af7d1cf37ff30a17e2eaee06732d627ed34 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 3 Dec 2025 08:31:22 +0000 Subject: [PATCH 41/45] bumped changelog version --- changelog.upstream | 290 +++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 + 2 files changed, 296 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 0afdae7..362aba8 100644 --- a/changelog.upstream +++ b/changelog.upstream 
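Review bot: Adding `swaylock` to `login_service_list` puts a screen locker under a comment that describes login services where "passwordless login is expected to work even for sensitive accounts"; a locker re-authenticates the already-logged-in user rather than creating a session, which is a different reason for it being safe. Extend the comment above the list to state that lockers are included because `$PAM_USER` is the session owner and no account switch can occur, so the next reader does not have to reconstruct the argument.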
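Review bot: In the non-root branch `passwd_status_list_cmd=( 'leaprun' 'get-password-status-list' )` resolves `leaprun` via `PATH`, whereas the root branch uses an absolute path; a PAM module can run with a minimal or caller-controlled environment, so use the absolute path to `leaprun` (or verify it with `command -v` and fail closed) for consistency. The shared failure message "Failed to get password status list!" should also name which of the two commands was attempted, otherwise a missing privleap setup and a broken helper script are indistinguishable in the log.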
@@ -1,3 +1,109 @@ +commit c44678f92df924e4c10f08960426c526e0292aba +Merge: 6f9732be 0534a34e +Author: Patrick Schleizer +Date: Wed Dec 3 03:22:44 2025 -0500 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/trixie' + +commit 0534a34ed7246793db384518cfbecb3adfcb7f3e +Author: Aaron Rainbolt +Date: Tue Dec 2 19:06:30 2025 -0600 + + Fix block-unsafe-logins when running as non-root, add swaylock to list of safe auth services + +commit 6f9732be98cbc344076b89d57491c423368172d5 +Merge: 2089b3a9 b3eb739f +Author: Patrick Schleizer +Date: Tue Dec 2 06:04:07 2025 -0500 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/trixie' + +commit b3eb739fe2662acfbd844de8d87af4720727fc7a +Author: Aaron Rainbolt +Date: Sun Nov 30 00:20:21 2025 -0600 + + Link fix, change some wording + +commit 5f34b4146e895bb935b719071ab2762278944995 +Merge: 2c253b13 29176d2e +Author: Aaron Rainbolt +Date: Sun Nov 30 00:12:18 2025 -0600 + + Merge remote-tracking branch 'raja/docs' into arraybolt3/trixie + +commit 2c253b1312c034cb8395039803380c1157967061 +Merge: 17ab1bb0 c5f91eb3 +Author: Aaron Rainbolt +Date: Sat Nov 29 21:01:51 2025 -0600 + + Merge remote-tracking branch 'raja/vsyscall32' into arraybolt3/trixie + +commit 17ab1bb00fe287c4c941d9cd3813ee3a3ae89ade +Author: Aaron Rainbolt +Date: Sat Nov 29 20:44:30 2025 -0600 + + Documentation fix + +commit 2b2d30afce3d40eb9c2177ad67fd7d89cd4602a0 +Merge: f0d069c7 3fdfebc4 +Author: Aaron Rainbolt +Date: Sat Nov 29 20:23:09 2025 -0600 + + Merge remote-tracking branch 'raja/limit_full_force' into arraybolt3/trixie + +commit f0d069c7968e2ee10d7104ce1ba502d3122b0ab2 +Author: Aaron Rainbolt +Date: Sat Nov 29 20:15:03 2025 -0600 + + Minor README.md corrections + +commit b73a830b0f62fe43b38cc89d56d997bed355570c +Merge: e54cb007 53d90b11 +Author: Aaron Rainbolt +Date: Sat Nov 29 19:59:35 2025 -0600 + + Merge remote-tracking branch 'raja/kpti' into arraybolt3/trixie + +commit e54cb007f9fc351c25c292ffd68abe974be56bb0 +Merge: 84e193c4 e43d4d7f +Author: Aaron 
Rainbolt +Date: Sat Nov 29 19:54:10 2025 -0600 + + Merge remote-tracking branch 'raja/limit_bdev_writes' into arraybolt3/trixie + +commit 84e193c44ec9ebf676d1fb4a32d6e2f68afd3d0d +Merge: 65c45fc3 5ac02d2d +Author: Aaron Rainbolt +Date: Fri Nov 28 14:21:59 2025 -0600 + + Merge remote-tracking branch 'raja/stop_tw_reuse' into arraybolt3/trixie + +commit 65c45fc3d799cdf6402328cc61cbdd1949a12945 +Author: Aaron Rainbolt +Date: Fri Nov 28 00:13:45 2025 -0600 + + Minor fixes to NMI panic docs + +commit 37b1d055f18c6335e96c41c06174b66e43e4a8ff +Merge: 7280d886 ebc011e6 +Author: Aaron Rainbolt +Date: Fri Nov 28 00:09:43 2025 -0600 + + Merge remote-tracking branch 'raja/panic_nmi' into arraybolt3/trixie + +commit 7280d8867da50e05dd7d3071123d49b15660051d +Merge: 2089b3a9 62dc2d44 +Author: Aaron Rainbolt +Date: Thu Nov 27 23:28:53 2025 -0600 + + Merge remote-tracking branch 'raja/amd_encrypt_ram' into arraybolt3/trixie + +commit 2089b3a9b8e9d10c06850f0329f7e2eb8a8a12cc +Author: Patrick Schleizer +Date: Mon Nov 24 08:44:10 2025 +0000 + + bumped changelog version + commit cbd35502f19e74b6f95ff40bf03f02806eef3cdc Author: Patrick Schleizer Date: Mon Nov 24 03:18:25 2025 -0500 
@@ -66,6 +172,43 @@ Date: Tue Nov 18 23:53:03 2025 -0600 Don't break passwordless sudo in unrestricted admin mode +commit ebc011e67bff659778cbca2240c5e57d663f3f41 +Author: raja-grewal +Date: Wed Nov 19 11:35:04 2025 +1100 + + Typo + +commit 62dc2d448366d190812773ec9eeadd38e1223cbc +Author: raja-grewal +Date: Tue Nov 18 20:31:46 2025 +1100 + + Add note about Intel TME + +commit 29176d2ed29b07c4da9b9c0df1eefd2bda70b984 +Author: raja-grewal +Date: Sat Nov 15 06:30:11 2025 +0000 + + Remove the option to reduce the MCE tolerance level + +commit 9f897c5ccda781d010077446abb3d176cf929c94 +Author: raja-grewal +Date: Sat Nov 15 05:48:33 2025 +0000 + + Update docs on reducing the MCE tolerance level + +commit b6fe1a5a6e164c7a7505b5e27ece582a1b928d82 +Author: raja-grewal +Date: Sat Nov 15 04:51:01 2025 +0000 + + Make panic related settings consistent + Ensures the `sysctl` and boot parameters are equivalent in settings and in description. This should prevent future questions regarding having omitted boot parameters that were actually redundant. + +commit 99e993b885ca1fa30a871120b545f9334371cd5a +Author: raja-grewal +Date: Sat Nov 15 03:16:07 2025 +0000 + + Provide options to enable AMD SME and SEV + commit d267cf6761076092c299508a0c356c05d0ee713d Author: Patrick Schleizer Date: Fri Nov 14 06:21:34 2025 +0000 @@ -91,6 +234,18 @@ Date: Tue Nov 11 23:59:50 2025 -0500 Merge remote-tracking branch 'ArrayBolt3/arraybolt3/trixie' +commit d891313d57b469c28c08993b05d355b29ea08397 +Author: raja-grewal +Date: Tue Nov 11 11:39:21 2025 +0000 + + Provide options to panic upon receiving NMIs + +commit 0b9b9ffb1e87850e3296d0420c305062b66868d5 +Author: raja-grewal +Date: Tue Nov 11 11:32:47 2025 +0000 + + Improve clarity for panic on OOM + commit 3070aa5d1f988b199030b31baa2fabc2db7b289f Author: Aaron Rainbolt Date: Mon Nov 10 22:40:15 2025 -0600 
@@ -176,6 +331,18 @@ Date: Mon Nov 10 02:04:15 2025 -0500 Merge remote-tracking branch 'ArrayBolt3/arraybolt3/trixie' +commit 5ac02d2d528a37fe1c162c4808b3d874a8c53159 +Author: raja-grewal +Date: Mon Nov 10 06:13:35 2025 +0000 + + Set `net.ipv4.tcp_tw_reuse=0` + +commit b89aaea61e83aea6b23ea34a01dbb1e6bce1e2df +Author: raja-grewal +Date: Mon Nov 10 06:03:33 2025 +0000 + + Add docs on logging martian packets + commit 5fbd42bbec55d66197b70789b10f7cb6705207fb Author: Aaron Rainbolt Date: Sun Nov 9 18:38:54 2025 -0600 @@ -188,6 +355,19 @@ Date: Sun Nov 9 17:46:22 2025 -0600 Prevent non-sysmaint logins in sysmaint mode and unsafe passwordless logins in user mode +commit a3830db09e3f567237caefb687ef2da877573b03 +Author: raja-grewal +Date: Sun Nov 9 13:42:31 2025 +0000 + + Update docs relating to panic on OOM + +commit 0aa0b67df6a33b84a656cfb7055c4af5ca583439 +Merge: a46f678c 0939883f +Author: raja-grewal +Date: Mon Nov 10 00:20:48 2025 +1100 + + Merge branch 'master' into docs + commit 0939883f0b5e1232e9aa85e61c0cbef551a59357 Author: Patrick Schleizer Date: Sun Nov 9 10:47:45 2025 +0000 
@@ -257,6 +437,61 @@ Date: Fri Nov 7 17:09:22 2025 -0600 Suppress usbguard startup unless a USB controller is visible to lspci +commit a46f678c7f8715fd1cedd1102f9815b9d845ccb3 +Author: raja-grewal +Date: Wed Nov 5 00:05:17 2025 +0000 + + Update docs on latent entropy + +commit 37b493826ec60397c6019959abb7e0631dd33ed4 +Author: raja-grewal +Date: Wed Nov 5 00:03:54 2025 +0000 + + Spit distrusting entropy settings for clarity + +commit 019a0cf72c99f9f10fd42afbfed96c283e17e458 +Author: raja-grewal +Date: Wed Nov 5 00:03:19 2025 +0000 + + Update docs on entropy + +commit 4c88b911415cbf57eecc93a22c6674322662db50 +Merge: d175d1be 5b97e7bd +Author: raja-grewal +Date: Wed Nov 5 10:10:10 2025 +1100 + + Merge branch 'Kicksecure:master' into docs + +commit e43d4d7f7110de0b23996373e9462aa900b314a6 +Author: raja-grewal +Date: Mon Nov 3 05:46:07 2025 +0000 + + Set `bdev_allow_write_mounted=0` + +commit 53d90b1128d55e352b3eef8ae680a07a825b1ecf +Author: raja-grewal +Date: Mon Nov 3 04:32:49 2025 +0000 + + Update docs on `ssbd=force-on` + +commit 322584db3346aaa1e3d1f9782b3d22ca2153c7da +Author: raja-grewal +Date: Mon Nov 3 04:31:59 2025 +0000 + + Update docs on `pti=on` + +commit 5e87c9bea49b5a06c1400cb8b632f344cccb6db6 +Author: raja-grewal +Date: Mon Nov 3 04:30:58 2025 +0000 + + Set `kpti=1` + +commit 3fdfebc4646d7c1f48806d02810de44fd53482bb +Author: raja-grewal +Date: Mon Nov 3 00:48:49 2025 +0000 + + Set `proc_mem.force_override=ptrace` + commit 5b97e7bd277038b3b04c80a78ce05bb52277d4f6 Author: Patrick Schleizer Date: Sun Nov 2 11:41:51 2025 +0000 
@@ -282,6 +517,18 @@ Date: Sun Nov 2 05:57:52 2025 -0500 move usbguard reject rules to the top +commit c5f91eb33a2ad745af7a6278cf49419d0b366343 +Author: raja-grewal +Date: Sun Nov 2 06:15:06 2025 +0000 + + Add another method to disable 32-bit legacy vsyscalls + +commit d175d1be525edd8fb6140680c31425c8a89cc244 +Author: raja-grewal +Date: Sun Nov 2 15:54:34 2025 +1100 + + Add doc on entropy related failure on AMD Zen 5 CPUs + commit 7beb19b64a33cb86771488ab558756fa86b577d3 Author: Aaron Rainbolt Date: Sat Nov 1 22:06:44 2025 -0500 @@ -430,6 +677,12 @@ Date: Wed Oct 22 00:37:36 2025 -0400 do not start usbguard-notifier if /sys/bus/usb does not exist +commit 8f78269949217ac11163cc8b6f17147621fef6eb +Author: raja-grewal +Date: Mon Oct 20 05:36:54 2025 +0000 + + Add docs on slab_debug + commit 7969ffd4a52786f4a92f74931fff85430906a629 Author: Patrick Schleizer Date: Sun Oct 19 08:43:36 2025 +0000 @@ -444,6 +697,19 @@ Date: Sun Oct 19 04:42:24 2025 -0400 https://forums.kicksecure.com/t/usbguard-what-should-we-allow-or-disallow-by-default/1248/49 +commit 9f7480e20adf148dcb7dbe80e704f3f79691b657 +Author: raja-grewal +Date: Sun Oct 19 01:41:58 2025 +0000 + + Make terminology consistent + +commit f2c3eba4f06c38fda7843427c352022a0f869f66 +Merge: 11d9b940 929421bd +Author: raja-grewal +Date: Sun Oct 19 12:23:13 2025 +1100 + + Merge branch 'Kicksecure:master' into docs + commit 929421bd258a3c0c1f142f707aeff479f2ea3c49 Author: Patrick Schleizer Date: Sat Oct 18 09:19:07 2025 +0000 
@@ -469,6 +735,18 @@ Date: Fri Oct 17 15:49:42 2025 -0500 Set USBGuard settings to permit USB hubs and Qubes USB passthrough +commit 11d9b9403854ae7cd2638765e8350257580be35f +Author: raja-grewal +Date: Fri Oct 17 01:01:28 2025 +0000 + + Add docs on entropy + +commit 708e1358dfbc21444f2bf39dfa81ea5053f2bb10 +Author: raja-grewal +Date: Fri Oct 17 00:48:57 2025 +0000 + + Add docs relating `extra_latent_entropy` + commit 3d5e659b78cf2588f95280c13b1ebdf24060fb6f Author: Aaron Rainbolt Date: Wed Oct 15 19:02:48 2025 -0500 @@ -501,6 +779,18 @@ Date: Wed Oct 15 17:53:26 2025 -0500 Allow listing USB devices via usbguard +commit f690b58870bd90582018cec51046f4ed67a414d4 +Author: raja-grewal +Date: Mon Oct 13 02:08:44 2025 +0000 + + Add docs relating to panic on OOM + +commit 9db63d97770e62749c0b602dd9e7d2d4d6a1128b +Author: raja-grewal +Date: Mon Oct 13 01:01:14 2025 +0000 + + README: Update KSSP compliance status + commit 23041741715cc5f3d16378d6bb34719ceaa1642c Author: raja-grewal Date: Sun Oct 12 02:32:45 2025 +0000 diff --git a/debian/changelog b/debian/changelog index bd0e15f..8594016 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:50.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 03 Dec 2025 08:31:21 +0000 + security-misc (3:50.3-1) unstable; urgency=medium * New upstream version (local package). From 85761a4153a4f19e7b18e91062e97d3376451884 Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Thu, 4 Dec 2025 23:27:18 -0600 Subject: [PATCH 42/45] permission-hardener: Fix undo warning logic, minor improvements suggested by ChatGPT Codex --- .../permission-hardener#security-misc-shared | 51 +++++++++++++++---- 1 file changed, 42 insertions(+), 9 deletions(-) diff --git a/usr/bin/permission-hardener#security-misc-shared b/usr/bin/permission-hardener#security-misc-shared index 2d9a729..fe318b0 100755 --- a/usr/bin/permission-hardener#security-misc-shared 
+++ b/usr/bin/permission-hardener#security-misc-shared @@ -89,7 +89,13 @@ output_stat() { return 1 fi - block_newlines file "${file_name}" + if ! block_newlines file "${file_name}"; then + existing_mode='' + existing_owner='' + existing_group='' + file_name_from_stat='' + return 0 + fi if [ ! -e "${file_name}" ]; then log info "File does not exist. file_name: '${file_name}'" >&2 @@ -217,6 +223,12 @@ add_to_policy() { file_capabilities="${5:-}" updated_entry=false + if [ -z "${file_name}" ]; then + exit_code=207 + log error "Attempted to add a policy entry with an empty filename! file_mode='${file_mode}' file_onwer='${file_owner}' file_group='${file_group}' file_capabilities='${file_capabilities}'" >&2 + exit "${exit_code}" + fi + if [ -h "${file_name}" ]; then file_name="$(realpath "${file_name}")" || return 1 fi @@ -319,6 +331,11 @@ match_dir() { base_str="${1}" match_str="${2}" + if [ -z "${base_str}" ] || [ -z "${match_str}" ]; then + exit_code=207 + log error "Empty base_str or match_str provided to match_dir! base_str: '${base_str}' match_str: '${match_str}'" >&2 + exit "${exit_code}" + fi [[ "${base_str}" =~ '//' ]] && return 1 [[ "${match_str}" =~ '//' ]] && return 1 @@ -562,8 +579,13 @@ commit_policy() { ## group is the string we want. BASH_REMATCH[0] is the entire string, ## BASH_REMATCH[1] is the first match that we want to discard, and ## BASH_REMATCH[2] is the desired second group. - [[ "${state_mode_item}" =~ ^(0*)(.*) ]] || true; - state_mode_item="${BASH_REMATCH[2]}" + if [[ "${state_mode_item}" =~ ^(0*)(.*) ]]; then + state_mode_item="${BASH_REMATCH[2]}" + else + exit_code=208 + log error "'Impossible' regex match failure in commit_policy! Regex: '^(0*)(.*)' String (state_mode_item): '${state_mode_item}'" >&2 + exit "${exit_code}" + fi output_stat "${state_file_item}" if [ -z "${file_name_from_stat}" ]; then 
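Review bot: in the output_stat hunk, the new `if ! block_newlines file "${file_name}"; then` branch clears the four output variables and returns 0 without logging anything, so a file name that fails the newline check is handled exactly like a nonexistent file except that the nonexistent-file path right below it does emit `log info "File does not exist. file_name: ..."`. Add a matching log line there (or return non-zero) so a policy entry rejected by block_newlines shows up in the output instead of being skipped silently.

Review bot: in the add_to_policy hunk, the error message has a typo: `file_onwer='${file_owner}'` should read `file_owner='${file_owner}'`. Also note that exit code 207 is reused for the empty-argument case in match_dir in the following hunk; if callers are meant to tell the two conditions apart, give match_dir its own code, otherwise document 207 as the generic "empty argument" exit.

Review bot: in the commit_policy hunk, the new else branch is unreachable: `^(0*)(.*)` matches any input because both groups may be empty, so the exit-208 path can never execute, which the "'Impossible'" wording already concedes. Either keep the simpler `[[ ... ]] || true; state_mode_item="${BASH_REMATCH[2]}"` form, or, if a defensive exit is wanted, factor the leading-zero strip into one small function so the identical block is not duplicated in print_fs_audit.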
@@ -693,9 +715,11 @@ undo_policy_for_file() { state_user_owner_item="${state_user_owner_list[state_idx]}" state_group_owner_item="${state_group_owner_list[state_idx]}" state_mode_item="${state_mode_list[state_idx]}" + # shellcheck disable=SC2086 chown ${verbose} -- "${state_user_owner_item}:${state_group_owner_item}" \ "${undo_file}" || exit_code=202 ## chmod needs to be run after chown since chown removes suid. + # shellcheck disable=SC2086 chmod ${verbose} "${state_mode_item}" "${undo_file}" || exit_code=203 else log info "File does not exist: '${undo_file}'" @@ -708,8 +732,8 @@ undo_policy_for_file() { fi done - if ! [[ "${did_undo}" = 'false' ]]; then - log info "The specified file is not hardened, leaving unchanged. + if [ "${did_undo}" = 'false' ]; then + log notice "The specified file is not hardened, leaving unchanged. File '${undo_file}' has not been removed from SUID Disabler and Permission Hardener during this invocation. This is expected if no policy was ever applied to the file before. @@ -797,7 +821,11 @@ print_raw_state() { for state_file in "${store_dir}/existing_mode/statoverride" \ "${store_dir}/new_mode/statoverride"; do echo "*** begin ${state_file} ***" - cat "${state_file}" + if [ -f "${state_file}" ]; then + cat "${state_file}" + else + echo '(file does not exist)' + fi echo "*** end ${state_file} ***" done } 
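Review bot: in the undo_policy_for_file hunk, the condition fix is the substantive change and it is correct: the old `if ! [[ "${did_undo}" = 'false' ]]` printed "The specified file is not hardened, leaving unchanged." precisely when an undo had just been performed, and the new `if [ "${did_undo}" = 'false' ]` prints it only when nothing was undone; bumping it from `log info` to `log notice` fits that meaning. For the two `# shellcheck disable=SC2086` lines, a one-line comment stating that `verbose` is intentionally either empty or a single flag (so it must word-split) would explain why the warning is suppressed rather than resolved with an array.

Review bot: in the print_raw_state hunk, the guard is `[ -f "${state_file}" ]`, so a statoverride path that exists but is not a regular file (a directory or a dangling symlink) is reported as "(file does not exist)". If that distinction matters for debugging a broken state store, test with `-e` first and print a different message for the non-regular-file case.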
@@ -826,12 +854,17 @@ print_fs_audit() { ## group is the string we want. BASH_REMATCH[0] is the entire string, ## BASH_REMATCH[1] is the first match that we want to discard, and ## BASH_REMATCH[2] is the desired second group. - [[ "${state_mode_item}" =~ ^(0*)(.*) ]] || true; - state_mode_item="${BASH_REMATCH[2]}" + if [[ "${state_mode_item}" =~ ^(0*)(.*) ]]; then + state_mode_item="${BASH_REMATCH[2]}" + else + exit_code=208 + log error "'Impossible' regex match failure in print_fs_audit! Regex: '^(0*)(.*)' String (state_mode_item): '${state_mode_item}'" >&2 + exit "${exit_code}" + fi output_stat "${state_file_item}" if [ -z "${file_name_from_stat}" ]; then - echo "... '${file_name_from_stat}' does not exist" + echo "... '${state_file_item}' does not exist" continue fi From 8f99672cb24242d6cb86d985384ab4ad7d1aca54 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 5 Dec 2025 11:39:12 +0000 Subject: [PATCH 43/45] bumped changelog version --- changelog.upstream | 19 +++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 25 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 362aba8..daf7a87 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,22 @@ +commit ac128dd873968b1815e4113b30ea69f34fa0b088 +Merge: 17dd7af7 85761a41 +Author: Patrick Schleizer +Date: Fri Dec 5 06:35:03 2025 -0500 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/trixie' + +commit 85761a4153a4f19e7b18e91062e97d3376451884 +Author: Aaron Rainbolt +Date: Thu Dec 4 23:27:18 2025 -0600 + + permission-hardener: Fix undo warning logic, minor improvements suggested by ChatGPT Codex + +commit 17dd7af7d1cf37ff30a17e2eaee06732d627ed34 +Author: Patrick Schleizer +Date: Wed Dec 3 08:31:22 2025 +0000 + + bumped changelog version + commit c44678f92df924e4c10f08960426c526e0292aba Merge: 6f9732be 0534a34e Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index 8594016..f8b0638 100644 --- a/debian/changelog +++ b/debian/changelog 
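Review bot: in the print_fs_audit hunk, changing the message to `"... '${state_file_item}' does not exist"` fixes a real bug: the old line interpolated `file_name_from_stat`, which is empty in exactly that branch, so the audit printed `'' does not exist` and never named the missing file. The regex guard added just above it is the same unreachable else branch as in commit_policy (`^(0*)(.*)` matches any input), so the exit-208 block is now copied verbatim in two places; move the leading-zero strip into one helper so the two call sites cannot drift apart.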
@@ -1,3 +1,9 @@ +security-misc (3:50.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 05 Dec 2025 11:39:12 +0000 + security-misc (3:50.4-1) unstable; urgency=medium * New upstream version (local package). From b7b6b6e5fbeba0cfab141bf05d7fb657879ba8e9 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 8 Dec 2025 09:42:59 -0500 Subject: [PATCH 44/45] output --- .../security-misc/block-unsafe-logins#security-misc-shared | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/block-unsafe-logins#security-misc-shared b/usr/libexec/security-misc/block-unsafe-logins#security-misc-shared index 1fca650..15d1e01 100755 --- a/usr/libexec/security-misc/block-unsafe-logins#security-misc-shared +++ b/usr/libexec/security-misc/block-unsafe-logins#security-misc-shared @@ -36,7 +36,7 @@ fi if [[ "$kernel_cmdline" =~ 'boot-role=sysmaint' ]]; then true "INFO: session type: sysmaint session" if [ "$PAM_USER" != 'sysmaint' ]; then - printf '%s\n' 'ERROR: Rejecting non-sysmaint account in sysmaint session!' + printf '%s\n' 'ERROR: Rejecting non-sysmaint account '$PAM_USER' in sysmaint session!' exit 1 fi true 'INFO: Running in sysmaint session and authenticating as sysmaint account, allowing authentication to proceed.' From 725565c42e7b3e1bb5036d160cc0388cc001901b Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 9 Dec 2025 14:06:55 +0000 Subject: [PATCH 45/45] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index daf7a87..97b14f1 100644 --- a/changelog.upstream +++ b/changelog.upstream 
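Review bot: in the block-unsafe-logins hunk, `$PAM_USER` is spliced in unquoted: `'ERROR: Rejecting non-sysmaint account '$PAM_USER' in sysmaint session!'` closes the single quotes around the variable, so the value is subject to word splitting and pathname expansion, and PAM_USER is whatever user name the login attempt supplied. With `printf '%s\n'` any extra words become extra output lines, and a fragment containing `*` or `?` is globbed against the current directory. Quote it instead, e.g. `printf '%s\n' "ERROR: Rejecting non-sysmaint account '${PAM_USER}' in sysmaint session!"`, which keeps the same single-quoted presentation of the name in the message.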
@@ -1,3 +1,15 @@ +commit b7b6b6e5fbeba0cfab141bf05d7fb657879ba8e9 +Author: Patrick Schleizer +Date: Mon Dec 8 09:42:59 2025 -0500 + + output + +commit 8f99672cb24242d6cb86d985384ab4ad7d1aca54 +Author: Patrick Schleizer +Date: Fri Dec 5 11:39:12 2025 +0000 + + bumped changelog version + commit ac128dd873968b1815e4113b30ea69f34fa0b088 Merge: 17dd7af7 85761a41 Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index f8b0638..85d27ad 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:50.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 09 Dec 2025 14:06:55 +0000 + security-misc (3:50.5-1) unstable; urgency=medium * New upstream version (local package).