Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2024-12-25 22:09:26 -05:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #15 from madaidan/patch-11

Browse Source 
Update control
This commit is contained in:
Patrick Schleizer 2019-06-29 10:05:34 +00:00 committed by GitHub
commit 60e6dfcbff
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 13 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
debian/control vendored
View File

@ -23,6 +23,8 @@ Description: enhances misc security settings
deactivates thumbnails in Thunar;
deactivates TCP timestamps;
deactivates Netfilter's connection tracking helper;
implements some kernel hardening;
prevents DMA attacks;
.
TCP time stamps (RFC 1323) allow for tracking clock
information with millisecond resolution. This may or may not allow an
@ -59,7 +61,7 @@ Description: enhances misc security settings
the kernel. (!)
.
Hence, this package disables this feature by shipping the
/etc/sysctl.d/nf_conntrack_helper.conf configuration file.
/etc/modprobe.d/30_nf_conntrack_helper_disable.conf configuration file.
.
Kernel symbols in /proc/kallsyms are hidden to prevent malware from
reading them and using them to learn more about what to attack on your system.
@ -95,3 +97,13 @@ Description: enhances misc security settings
.
DCCP, SCTP, TIPC and RDS are blacklisted as they are rarely used and may have
unknown vulnerabilities.
.
The kernel logs are restricted to root only.
.
A systemd service clears System.map on boot as these contain kernel symbols that could be useful to an attacker.
.
The SysRq key is restricted to only allow shutdowns/reboots.
.
The thunderbolt and firewire modules are blacklisted as they can be used for DMA (Direct Memory Access) attacks.
.
IOMMU is enabled with a boot parameter to prevent DMA attacks.