Merge pull request #15 from madaidan/patch-11

Update control
Patrick Schleizer 2019-06-29 10:05:34 +00:00 committed by GitHub
commit 60e6dfcbff
GPG Key ID: 4AEE18F83AFDEB23

debian/control vendored

@ -23,6 +23,8 @@ Description: enhances misc security settings
deactivates thumbnails in Thunar; deactivates thumbnails in Thunar;
deactivates TCP timestamps; deactivates TCP timestamps;
deactivates Netfilter's connection tracking helper; deactivates Netfilter's connection tracking helper;
implements some kernel hardening;
prevents DMA attacks;
. .
TCP time stamps (RFC 1323) allow for tracking clock TCP time stamps (RFC 1323) allow for tracking clock
information with millisecond resolution. This may or may not allow an information with millisecond resolution. This may or may not allow an
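Review bot: "prevents DMA attacks;" (second added line) overstates what the package can deliver: blacklisting the thunderbolt and firewire modules and turning on the IOMMU mitigate DMA attacks rather than rule them out, and the IOMMU part only works on machines whose hardware and firmware actually provide one. Suggest "mitigates DMA attacks;" so it matches the hedged "implements some kernel hardening;" on the line above.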
@ -59,7 +61,7 @@ Description: enhances misc security settings
the kernel. (!) the kernel. (!)
. .
Hence, this package disables this feature by shipping the Hence, this package disables this feature by shipping the
/etc/sysctl.d/nf_conntrack_helper.conf configuration file. /etc/modprobe.d/30_nf_conntrack_helper_disable.conf configuration file.
. .
Kernel symbols in /proc/kallsyms are hidden to prevent malware from Kernel symbols in /proc/kallsyms are hidden to prevent malware from
reading them and using them to learn more about what to attack on your system. reading them and using them to learn more about what to attack on your system.
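Review bot: the new path lives in /etc/modprobe.d, so the mechanism is presumably a module option rather than a sysctl, but the sentence around it is unchanged and still just says the file "disables this feature"; worth spelling out, because a modprobe.d option only takes effect when nf_conntrack is loaded with it in place, so on an already-running system the change is not live until the module is reloaded or the machine rebooted. Suggest: "... by shipping the /etc/modprobe.d/30_nf_conntrack_helper_disable.conf configuration file, which sets the module option when nf_conntrack is loaded."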
@ -95,3 +97,13 @@ Description: enhances misc security settings
. .
DCCP, SCTP, TIPC and RDS are blacklisted as they are rarely used and may have DCCP, SCTP, TIPC and RDS are blacklisted as they are rarely used and may have
unknown vulnerabilities. unknown vulnerabilities.
.
The kernel logs are restricted to root only.
.
A systemd service clears System.map on boot as these contain kernel symbols that could be useful to an attacker.
.
The SysRq key is restricted to only allow shutdowns/reboots.
.
The thunderbolt and firewire modules are blacklisted as they can be used for DMA (Direct Memory Access) attacks.
.
IOMMU is enabled with a boot parameter to prevent DMA attacks.
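Review bot: the added paragraphs name the measures but not the artefacts that implement them, whereas the earlier paragraphs cite the shipped file (the nf_conntrack_helper conf, for example); "A systemd service clears System.map on boot" and "IOMMU is enabled with a boot parameter" should name the unit and the parameter or config file so an administrator can audit or override them. Two smaller points: "as these contain kernel symbols" should read "as it contains" (System.map is singular), and the new lines run well past the roughly 80-column wrapping the rest of the Description uses, so rewrap them with the leading space Debian control continuation lines require.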