diff --git a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf
index ad2f6bd..74c0bbf 100644
--- a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf
+++ b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf
@@ -1,15 +1,16 @@
 ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 
+## NOTE:
+## Why is this in a dedicated config file?
+## Package ram-wipe requires kexec. However, ram-wipe could not ship a config
+## file /etc/sysctl.d/40_ram-wipe.conf which sets 'kernel.kexec_load_disabled=0'.
+## This is because once systemd-sysctl.service has set 'kernel.kexec_load_disabled=1'
+## it cannot be undone without reboot. This is a upstream Linux security feature.
+
 ## Disables kexec which can be used to replace the running kernel.
 ## Useful for live kernel patching without rebooting.
 ##
 ## https://en.wikipedia.org/wiki/Kexec
 ##
 kernel.kexec_load_disabled=1
-
-## Why is this in a dedicated config file?
-## Package ram-wipe requires kexec. However, ram-wipe could not ship a config
-## file /etc/sysctl.d/40_ram-wipe.conf which sets 'kernel.kexec_load_disabled=0'.
-## This is because once systemd-sysctl.service has set 'kernel.kexec_load_disabled=1'
-## it cannot be undone without reboot. This is a upstream Linux security feature.
diff --git a/usr/lib/sysctl.d/30_silent-kernel-printk.conf b/usr/lib/sysctl.d/30_silent-kernel-printk.conf
index 5ac7b6f..7283bcb 100644
--- a/usr/lib/sysctl.d/30_silent-kernel-printk.conf
+++ b/usr/lib/sysctl.d/30_silent-kernel-printk.conf
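Review bot: The moved NOTE in 30_security-misc_kexec-disable.conf opens with "Why is this in a dedicated config file?" but the lines that follow only explain why the sysctl cannot be reverted once set, not what a separate file gains; presumably the point is that ram-wipe can mask this one file so the setting is never applied, without touching the rest of security-misc, and a closing sentence stating that would complete the rationale, e.g. `## Keeping it in its own file lets ram-wipe mask this single setting without affecting other security-misc sysctls.` (confirm against how ram-wipe actually handles it). While the block is being rewritten, `This is a upstream Linux security feature.` should read `This is an upstream Linux security feature.`.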
@@ -1,14 +1,10 @@
 ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 
+## NOTE:
+## For higher verbosity, delete file /etc/default/grub.d/41_quiet.cfg.
+## Alternatively, install the debug-misc package which will undo these settings.
+
 ## Prevent kernel information leaks in the console during boot.
 ##
 kernel.printk = 3 3 3 3
-
-## NOTE:
-## For higher verbosity, the user might also want to delete file
-## /etc/default/grub.d/41_quiet.cfg
-## (or out-comment its settings).
-##
-## Alternatively, the user could consider to install the debug-misc package,
-## which will undo the settings found here.
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index c1bf3e9..2f47e89 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -2,8 +2,8 @@
 ## See the file COPYING for copying conditions.
 
 ## NOTE:
-## This file has a strange name so that `/usr/lib/sysctl.d/99-protect-links.conf` is
-## first parsed and then followed by `/usr/lib/sysctl.d/990-security-misc.conf`.
+## This file has a strange name so that /usr/lib/sysctl.d/99-protect-links.conf is
+## first parsed and then followed by /usr/lib/sysctl.d/990-security-misc.conf.
 ## https://github.com/Kicksecure/security-misc/pull/135
 
 ## This configuration file is split into 5 sections:
@@ -39,9 +39,9 @@ kernel.dmesg_restrict=1
 
 ## Prevent kernel information leaks in the console during boot.
 ##
-## See `/usr/lib/sysctl.d/30_silent-kernel-printk.conf` for implementation.
+## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation.
 ##
-#kernel.printk=3 3 3 3s
+#kernel.printk=3 3 3 3
 
 ## Restrict eBPF access to CAP_BPF and enable associated JIT compiler hardening.
 ##
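Review bot: The rewritten NOTE in 30_silent-kernel-printk.conf drops the "also" of the old wording, so it now reads as if deleting /etc/default/grub.d/41_quiet.cfg on its own restores console verbosity, while the `kernel.printk = 3 3 3 3` line a few lines below is still applied by systemd-sysctl at every boot. Suggest making both steps explicit, e.g. `## For higher verbosity, override the kernel.printk value set here (e.g. in a later-sorted sysctl.d drop-in) and also delete file /etc/default/grub.d/41_quiet.cfg.`. The debug-misc sentence can stay as written.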
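Review bot: The `3 3 3 3s` typo corrected at `#kernel.printk=3 3 3 3` in 990-security-misc.conf shows the drift risk of repeating the effective value as a commented-out copy: the implementing file 30_silent-kernel-printk.conf spells it `kernel.printk = 3 3 3 3` with spaces, so even after this fix the two copies still differ textually and a grep for one form misses the other. Consider keeping only the `## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation.` pointer here, or making the commented value byte-identical to the implementing file. The same duplicated-as-comment pattern appears in the later hunks at `#kernel.kexec_load_disabled=1` and `#vm.mmap_rnd_bits=32`.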
@@ -71,7 +71,7 @@ vm.unprivileged_userfaultfd=0
 ##
 ## https://en.wikipedia.org/wiki/Kexec
 ##
-## See `/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf` for implementation.
+## See /usr/lib/sysctl.d/30_security-misc_kexec-disable.conf for implementation.
 ##
 #kernel.kexec_load_disabled=1
 
@@ -139,7 +139,7 @@ kernel.yama.ptrace_scope=2
 ##
 ## https://forums.whonix.org/t/automate-mmap-randomisation-to-fix-ppc64el/16514
 ##
-## See `/usr/libexec/security-misc/mmap-rnd-bits` for implementation.
+## See /usr/libexec/security-misc/mmap-rnd-bits for implementation.
 ##
 #vm.mmap_rnd_bits=32
 #vm.mmap_rnd_compat_bits=16
@@ -314,7 +314,7 @@ net.ipv4.tcp_timestamps=0
 ## Good for troubleshooting and diagnostics but not necessary by default.
 ## Known for causing performance issues especially on systems with multiple interfaces.
 ##
-## https://wiki.archlinux.org/title/Sysctl#TCP_Selective_Acknowledgement
+## https://wiki.archlinux.org/title/Sysctl#Log_martian_packets
 ## https://github.com/Kicksecure/security-misc/issues/214
 ##
 ## The logging of martian packets is currently disabled.