Merge branch 'master' into arraybolt3/trixie

Aaron Rainbolt 2025-08-21 20:09:48 -05:00
commit 53e930b4cc
No known key found for this signature in database
GPG key ID: A709160D73C79109
8 changed files with 27 additions and 25 deletions


@ -48,7 +48,7 @@ configuration file and significant hardening is applied to a myriad of component
and thwart certain kernel exploitation attempts) and kernel warnings in the `WARN()` path. and thwart certain kernel exploitation attempts) and kernel warnings in the `WARN()` path.
- Force immediate system reboot on the occurrence of a single kernel panic, reducing the - Force immediate system reboot on the occurrence of a single kernel panic, reducing the
risk and impact of both denial of service and cold boot attacks. risk and impact of denial of service attacks and both cold and warm boot attacks.
- Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. - Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
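Review bot: the rewritten bullet now claims the forced reboot mitigates "both cold and warm boot attacks" but the README gives no hint of why, whereas the sysctl comment touched in this same change carries the actual mechanism ("ensures the system does not hang forever if a panic occurs"). Consider carrying that one clause into the README bullet, e.g. "...so that a panicked machine does not sit idle with its memory contents intact", so the reader sees the reasoning rather than only the claim.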
@ -725,20 +725,14 @@ See:
- Deactivates thumbnails in Thunar. - Deactivates thumbnails in Thunar.
- Rationale: lower attack surface when using the file manager - Rationale: lower attack surface when using the file manager
- https://forums.whonix.org/t/disable-preview-in-file-manager-by-default/18904 - https://forums.whonix.org/t/disable-preview-in-file-manager-by-default/18904
- Thunderbird is hardened with the following options:
- Displays domain names in punycode to prevent IDN homograph attacks (a
form of phishing).
- Strips email client information from sent email headers.
- Strips user time information from sent email headers by replacing the
originating time zone with UTC and rounding the timestamp to the nearest
minute.
- Disables scripting when viewing PDF files.
- Disables implicit outgoing connections.
- Disables all and any kind of telemetry.
- Security and privacy enhancements for gnupg's config file - Security and privacy enhancements for gnupg's config file
`/etc/skel/.gnupg/gpg.conf`. See also: `/etc/skel/.gnupg/gpg.conf`. See also:
- https://raw.github.com/ioerror/torbirdy/master/gpg.conf - https://raw.github.com/ioerror/torbirdy/master/gpg.conf
- https://github.com/ioerror/torbirdy/pull/11 - https://github.com/ioerror/torbirdy/pull/11
- Hardens SSH client
`/etc/ssh/ssh_config.d/30_security-misc.conf`
- Hardens SSH server
`/etc/ssh/sshd_config.d/30_security-misc.conf`
### Project scope of application-specific hardening ### Project scope of application-specific hardening
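Review bot: the Thunderbird hardening bullets are dropped from the README, but none of the 8 files in this diff removes a Thunderbird configuration file, so confirm the corresponding config really left the package (or moved elsewhere) before the documentation is removed; otherwise shipped behaviour becomes undocumented. Separately, the two new bullets "Hardens SSH client" and "Hardens SSH server" give only a file path, while every neighbouring bullet carries a "Rationale:" line and a reference link; the ssh_config and sshd_config hunks in this same change already add `https://www.kicksecure.com/wiki/SSH#Client_Configuration_File` and `#Server_Configuration_File`, so those links belong here too.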


@ -118,16 +118,18 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none"
## ##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
## Force the kernel to panic on "oopses". ## Force the kernel to immediately panic on "oopses".
## Can sometimes potentially indicate and thwart certain kernel exploitation attempts.
## Panics may be due to false-positives such as bad drivers. ## Panics may be due to false-positives such as bad drivers.
## Oopses are serious but non-fatal errors.
## Certain "oopses" can sometimes indicate and thwart potential kernel exploitation attempts.
## Note that by forcing kernel panics on oopses, this exposes the system to targeted denial of service attacks.
## ##
## https://en.wikipedia.org/wiki/Kernel_panic#Linux ## https://en.wikipedia.org/wiki/Kernel_panic#Linux
## https://en.wikipedia.org/wiki/Linux_kernel_oops ## https://en.wikipedia.org/wiki/Linux_kernel_oops
## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713 ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713
## ##
## KSPP=partial ## KSPP=yes
## KSPP sets CONFIG_PANIC_ON_OOPS=y, but also requires CONFIG_PANIC_TIMEOUT=-1. ## KSPP sets CONFIG_PANIC_ON_OOPS=y and CONFIG_PANIC_TIMEOUT=-1.
## ##
## See /usr/libexec/security-misc/panic-on-oops for implementation. ## See /usr/libexec/security-misc/panic-on-oops for implementation.
## ##
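Review bot: the bump from "KSPP=partial" to "KSPP=yes" is only true in combination with another file: this GRUB fragment sets `oops=panic`, which covers CONFIG_PANIC_ON_OOPS=y, but the CONFIG_PANIC_TIMEOUT=-1 half is satisfied by `kernel.panic=-1` in the sysctl file changed further down in this diff. State that dependency in the comment ("timeout half is provided by kernel.panic=-1 in sysctl.d") so nobody reads this file alone and assumes it is complete. Minor ordering point in the same block: "Oopses are serious but non-fatal errors." now comes after "Panics may be due to false-positives such as bad drivers."; defining the term first and then listing the false-positive and denial-of-service caveats reads more naturally.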


@ -7,6 +7,7 @@
## Disabling it reduces the kernel attack surface and improves security. ## Disabling it reduces the kernel attack surface and improves security.
## ##
## https://conntrack-tools.netfilter.org/manual.html ## https://conntrack-tools.netfilter.org/manual.html
## https://home.regit.org/netfilter-en/secure-use-of-helpers/
## https://forums.whonix.org/t/disable-conntrack-helper/18917 ## https://forums.whonix.org/t/disable-conntrack-helper/18917
## ##
options nf_conntrack nf_conntrack_helper=0 options nf_conntrack nf_conntrack_helper=0


@ -7,6 +7,9 @@
## need to be system-wide, you may also consider placing overrides in ## need to be system-wide, you may also consider placing overrides in
## ~/.ssh/config. ## ~/.ssh/config.
## See also:
## https://www.kicksecure.com/wiki/SSH#Client_Configuration_File
Host * Host *
VisualHostKey yes VisualHostKey yes
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr


@ -5,9 +5,8 @@
## number that is read later by SSHD, such as ## number that is read later by SSHD, such as
## '/etc/ssh/sshd_config.d/50_user.conf'. ## '/etc/ssh/sshd_config.d/50_user.conf'.
## This is okay because of strict firewall. For an onion-only server, listen ## See also:
## on 127.0.0.1. ## https://www.kicksecure.com/wiki/SSH#Server_Configuration_File
ListenAddress 0.0.0.0
## Number of allowed login attempts per connection. ## Number of allowed login attempts per connection.
MaxAuthTries 3 MaxAuthTries 3
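Review bot: removing `ListenAddress 0.0.0.0` is a behavioural change, not a documentation tidy-up: with no ListenAddress directive sshd falls back to its default of listening on all local addresses, which includes IPv6 unless AddressFamily restricts it, whereas the previous line bound IPv4 only. Either set `AddressFamily inet` if IPv4-only was the intent, or mention in the comment that the server now also listens on IPv6 so the "strict firewall" assumption from the removed comment is re-checked for v6. The removed guidance for onion-only servers ("listen on 127.0.0.1") should be confirmed to exist on the linked `https://www.kicksecure.com/wiki/SSH#Server_Configuration_File` page before relying on the link to replace it.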
@ -50,7 +49,7 @@ KbdInteractiveAuthentication no
## account, read: ## account, read:
## https://www.kicksecure.com/wiki/SSH#SSH_Login_Comparison_Table ## https://www.kicksecure.com/wiki/SSH#SSH_Login_Comparison_Table
## We set it to 'yes' to work with libpam-tmpdir. ## We set it to 'yes' to work with libpam-tmpdir.
## https://www.kicksecure.com/wiki/Dev/Strong_Linux_User_Account_Isolation@libpam-tmpdir ## https://www.kicksecure.com/wiki/Dev/Strong_Linux_User_Account_Isolation#libpam-tmpdir
## Also folders such as '/run/user/1000' will exist thanks to PAM. ## Also folders such as '/run/user/1000' will exist thanks to PAM.
## The absence of that folder can lead to issues (such as with msgcollector). ## The absence of that folder can lead to issues (such as with msgcollector).
UsePAM yes UsePAM yes


@ -6,14 +6,14 @@
## configuration. When security-misc is updated, this file may be overwritten. ## configuration. When security-misc is updated, this file may be overwritten.
## Used for SSH client key management ## Used for SSH client key management
## https://manpages.debian.org/trixie/openssh-client/ssh-agent.1.en.html ## https://manpages.debian.org/ssh-agent
## Debian installs ssh-agent with setgid permissions (2755) and with ## Debian installs ssh-agent with setgid permissions (2755) and with
## _ssh as the group to help mitigate ptrace attacks that could extract ## _ssh as the group to help mitigate ptrace attacks that could extract
## private keys from the agent's memory. ## private keys from the agent's memory.
ssh-agent matchwhitelist ssh-agent matchwhitelist
## Used only for SSH host-based authentication ## Used only for SSH host-based authentication
## https://linux.die.net/man/8/ssh-keysign ## https://manpages.debian.org/ssh-keysign
## Needed to allow access to the machine's host key for use in the ## Needed to allow access to the machine's host key for use in the
## authentication process. This is a non-default method of authenticating to ## authentication process. This is a non-default method of authenticating to
## SSH, and is likely rarely used, thus this should be safe to disable. ## SSH, and is likely rarely used, thus this should be safe to disable.


@ -175,7 +175,6 @@ kernel.perf_event_paranoid=3
## ##
## https://en.wikipedia.org/wiki/Kernel_panic#Linux ## https://en.wikipedia.org/wiki/Kernel_panic#Linux
## https://en.wikipedia.org/wiki/Linux_kernel_oops ## https://en.wikipedia.org/wiki/Linux_kernel_oops
## https://en.wikipedia.org/wiki/Kdump_(Linux)
## https://lwn.net/Articles/876209/ ## https://lwn.net/Articles/876209/
## https://git.sr.ht/~gregkh/presentation-security/tree/3fdaf81a2f8b2c8d64cdb2f529cc714624868aa8/item/security-stuff.pdf ## https://git.sr.ht/~gregkh/presentation-security/tree/3fdaf81a2f8b2c8d64cdb2f529cc714624868aa8/item/security-stuff.pdf
## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panisc-on-oops-1-sysctl-for-better-security/7713 ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panisc-on-oops-1-sysctl-for-better-security/7713
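Review bot: the last context line still carries a misspelt slug, "kernel-panisc-on-oops", while the GRUB fragment earlier in this diff links the same topic as "kernel-panic-on-oops-1-sysctl-for-better-security/7713". The topic id keeps the link resolving, but since this block is being edited anyway the slug should be made identical to the GRUB copy so the two references to the same rationale do not drift.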
@ -189,8 +188,8 @@ kernel.perf_event_paranoid=3
#kernel.warn_limit=1 #kernel.warn_limit=1
## Force immediate system reboots on the occurrence of a single kernel panic. ## Force immediate system reboots on the occurrence of a single kernel panic.
## Ensures the system does not hang forever if a panic occurs, reducing susceptibility to cold boot attacks.
## Increases resilience and limits impact of denial of service attacks as system automatically restarts. ## Increases resilience and limits impact of denial of service attacks as system automatically restarts.
## Ensures the system does not hang forever if a panic occurs, reducing susceptibility to both cold and warm boot attacks.
## Immediate rebooting also prevents persistent information disclosure on panic details that were dumped to screen. ## Immediate rebooting also prevents persistent information disclosure on panic details that were dumped to screen.
## ##
## KSPP=yes ## KSPP=yes


@ -17,10 +17,14 @@ fi
## to run after an inconsistent state is triggered by a potentially ## to run after an inconsistent state is triggered by a potentially
## flawed processes. The reasons for the errors could be kernel ## flawed processes. The reasons for the errors could be kernel
## exploit attempts but may also simply be general software bugs. ## exploit attempts but may also simply be general software bugs.
##
## https://docs.kernel.org/admin-guide/sysctl/kernel.html#oops-limit
sysctl kernel.oops_limit=1 sysctl kernel.oops_limit=1
## https://docs.kernel.org/admin-guide/sysctl/kernel.html#warn-limit
sysctl kernel.warn_limit=1 sysctl kernel.warn_limit=1
## Makes the system immediately reboot on the occurrence of a single ## Makes the system immediately reboot on the occurrence of a single
## kernel panic. This reduces the risk and impact of both denial of ## kernel panic. This reduces the risk and impact of denial of
## service and cold boot attacks. ## service attacks and both cold and warm boot attacks.
## https://docs.kernel.org/admin-guide/sysctl/kernel.html#panic
sysctl kernel.panic=-1 sysctl kernel.panic=-1
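Review bot: the unchanged context at the top of this hunk reads "triggered by a potentially flawed processes", which should be "a potentially flawed process"; since the comment block is being extended with documentation links, fix the grammar in the same pass. Style point on the additions: the `oops-limit` link is preceded by a bare `##` separator line, but the `warn-limit` link is inserted directly between two `sysctl` calls with no separator and no explanatory sentence of its own; give both settings the same comment shape so the block stays scannable.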