Merge branch 'master' into arraybolt3/trixie

README.md

@@ -48,7 +48,7 @@ configuration file and significant hardening is applied to a myriad of component
   and thwart certain kernel exploitation attempts) and kernel warnings in the `WARN()` path.
 
 - Force immediate system reboot on the occurrence of a single kernel panic, reducing the
-  risk and impact of both denial of service and cold boot attacks.
+  risk and impact of denial of service attacks and both cold and warm boot attacks.
 
 - Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
 
@@ -725,20 +725,14 @@ See:
 - Deactivates thumbnails in Thunar.
   - Rationale: lower attack surface when using the file manager
   - https://forums.whonix.org/t/disable-preview-in-file-manager-by-default/18904
-- Thunderbird is hardened with the following options:
-  - Displays domain names in punycode to prevent IDN homograph attacks (a
-    form of phishing).
-  - Strips email client information from sent email headers.
-  - Strips user time information from sent email headers by replacing the
-    originating time zone with UTC and rounding the timestamp to the nearest
-    minute.
-  - Disables scripting when viewing PDF files.
-  - Disables implicit outgoing connections.
-  - Disables all and any kind of telemetry.
 - Security and privacy enhancements for gnupg's config file
   `/etc/skel/.gnupg/gpg.conf`. See also:
   - https://raw.github.com/ioerror/torbirdy/master/gpg.conf
   - https://github.com/ioerror/torbirdy/pull/11
+- Hardens SSH client
+  `/etc/ssh/ssh_config.d/30_security-misc.conf`
+- Hardens SSH server
+  `/etc/ssh/sshd_config.d/30_security-misc.conf`
 
 ### Project scope of application-specific hardening
 

etc/default/grub.d/40_kernel_hardening.cfg

@@ -118,16 +118,18 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none"
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 
-## Force the kernel to panic on "oopses".
-## Can sometimes potentially indicate and thwart certain kernel exploitation attempts.
+## Force the kernel to immediately panic on "oopses".
 ## Panics may be due to false-positives such as bad drivers.
+## Oopses are serious but non-fatal errors.
+## Certain "oopses" can sometimes indicate and thwart potential kernel exploitation attempts.
+## Note that by forcing kernel panics on oopses, this exposes the system to targeted denial of service attacks.
 ##
 ## https://en.wikipedia.org/wiki/Kernel_panic#Linux
 ## https://en.wikipedia.org/wiki/Linux_kernel_oops
 ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713
 ##
-## KSPP=partial
-## KSPP sets CONFIG_PANIC_ON_OOPS=y, but also requires CONFIG_PANIC_TIMEOUT=-1.
+## KSPP=yes
+## KSPP sets CONFIG_PANIC_ON_OOPS=y and CONFIG_PANIC_TIMEOUT=-1.
 ##
 ## See /usr/libexec/security-misc/panic-on-oops for implementation.
 ##

etc/modprobe.d/30_security-misc_conntrack.conf

@@ -7,6 +7,7 @@
 ## Disabling it reduces the kernel attack surface and improves security.
 ##
 ## https://conntrack-tools.netfilter.org/manual.html
+## https://home.regit.org/netfilter-en/secure-use-of-helpers/
 ## https://forums.whonix.org/t/disable-conntrack-helper/18917
 ##
 options nf_conntrack nf_conntrack_helper=0

etc/ssh/ssh_config.d/30_security-misc.conf

@@ -7,6 +7,9 @@
 ## need to be system-wide, you may also consider placing overrides in
 ## ~/.ssh/config.
 
+## See also:
+## https://www.kicksecure.com/wiki/SSH#Client_Configuration_File
+
 Host *
   VisualHostKey yes
   Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr

etc/ssh/sshd_config.d/30_security-misc.conf

@@ -5,9 +5,8 @@
 ## number that is read later by SSHD, such as
 ## '/etc/ssh/sshd_config.d/50_user.conf'.
 
-## This is okay because of strict firewall. For an onion-only server, listen
-## on 127.0.0.1.
-ListenAddress 0.0.0.0
+## See also:
+## https://www.kicksecure.com/wiki/SSH#Server_Configuration_File
 
 ## Number of allowed login attempts per connection.
 MaxAuthTries 3
@@ -50,7 +49,7 @@ KbdInteractiveAuthentication no
 ## account, read:
 ##   https://www.kicksecure.com/wiki/SSH#SSH_Login_Comparison_Table
 ## We set it to 'yes' to work with libpam-tmpdir.
-##   https://www.kicksecure.com/wiki/Dev/Strong_Linux_User_Account_Isolation@libpam-tmpdir
+##   https://www.kicksecure.com/wiki/Dev/Strong_Linux_User_Account_Isolation#libpam-tmpdir
 ## Also folders such as '/run/user/1000' will exist thanks to PAM.
 ## The absence of that folder can lead to issues (such as with msgcollector).
 UsePAM yes

usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf

@@ -6,14 +6,14 @@
 ## configuration. When security-misc is updated, this file may be overwritten.
 
 ## Used for SSH client key management
-## https://manpages.debian.org/trixie/openssh-client/ssh-agent.1.en.html
+## https://manpages.debian.org/ssh-agent
 ## Debian installs ssh-agent with setgid permissions (2755) and with
 ## _ssh as the group to help mitigate ptrace attacks that could extract
 ## private keys from the agent's memory.
 ssh-agent matchwhitelist
 
 ## Used only for SSH host-based authentication
-## https://linux.die.net/man/8/ssh-keysign
+## https://manpages.debian.org/ssh-keysign
 ## Needed to allow access to the machine's host key for use in the
 ## authentication process. This is a non-default method of authenticating to
 ## SSH, and is likely rarely used, thus this should be safe to disable.

usr/lib/sysctl.d/990-security-misc.conf

@@ -175,7 +175,6 @@ kernel.perf_event_paranoid=3
 ##
 ## https://en.wikipedia.org/wiki/Kernel_panic#Linux
 ## https://en.wikipedia.org/wiki/Linux_kernel_oops
-## https://en.wikipedia.org/wiki/Kdump_(Linux)
 ## https://lwn.net/Articles/876209/
 ## https://git.sr.ht/~gregkh/presentation-security/tree/3fdaf81a2f8b2c8d64cdb2f529cc714624868aa8/item/security-stuff.pdf
 ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panisc-on-oops-1-sysctl-for-better-security/7713
@@ -189,8 +188,8 @@ kernel.perf_event_paranoid=3
 #kernel.warn_limit=1
 
 ## Force immediate system reboots on the occurrence of a single kernel panic.
-## Ensures the system does not hang forever if a panic occurs, reducing susceptibility to cold boot attacks.
 ## Increases resilience and limits impact of denial of service attacks as system automatically restarts.
+## Ensures the system does not hang forever if a panic occurs, reducing susceptibility to both cold and warm boot attacks.
 ## Immediate rebooting also prevents persistent information disclosure on panic details that were dumped to screen.
 ##
 ## KSPP=yes

usr/libexec/security-misc/panic-on-oops

@@ -17,10 +17,14 @@ fi
 ## to run after an inconsistent state is triggered by a potentially
 ## flawed processes. The reasons for the errors could be kernel
 ## exploit attempts but may also simply be general software bugs.
+##
+## https://docs.kernel.org/admin-guide/sysctl/kernel.html#oops-limit
 sysctl kernel.oops_limit=1
+## https://docs.kernel.org/admin-guide/sysctl/kernel.html#warn-limit
 sysctl kernel.warn_limit=1
 
 ## Makes the system immediately reboot on the occurrence of a single
-## kernel panic. This reduces the risk and impact of both denial of
-## service and cold boot attacks.
+## kernel panic. This reduces the risk and impact of denial of
+## service attacks and both cold and warm boot attacks.
+## https://docs.kernel.org/admin-guide/sysctl/kernel.html#panic
 sysctl kernel.panic=-1