mirror of
https://github.com/Kicksecure/security-misc.git
synced 2024-10-01 08:25:45 -04:00
Merge pull request #31 from madaidan/hide-hardware-info
Restrict /proc/cpuinfo, /proc/bus, /proc/scsi and /sys to root
This commit is contained in:
commit
7bcf73deaa
7
debian/control
vendored
7
debian/control
vendored
@ -84,6 +84,13 @@ Description: enhances misc security settings
|
|||||||
* Bluetooth is blacklisted to reduce attack surface. Bluetooth also has
|
* Bluetooth is blacklisted to reduce attack surface. Bluetooth also has
|
||||||
a history of security concerns.
|
a history of security concerns.
|
||||||
https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
|
https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
|
||||||
|
.
|
||||||
|
* A systemd service restricts /proc/cpuinfo, /proc/bus, /proc/scsi and
|
||||||
|
/sys to the root user only. This hides a lot of hardware identifiers from
|
||||||
|
unprivileged users and increases security as /sys exposes a lot of information
|
||||||
|
that shouldn't be accessible to unprivileged users. As this will break many
|
||||||
|
things, it is disabled by default and can optionally be enabled by running
|
||||||
|
`systemctl enable hide-hardware-info.service` as root.
|
||||||
.
|
.
|
||||||
Uncommon network protocols are blacklisted:
|
Uncommon network protocols are blacklisted:
|
||||||
These are rarely used and may have unknown vulnerabilities.
|
These are rarely used and may have unknown vulnerabilities.
|
||||||
|
4
lib/systemd/system-preset/50-security-misc.preset
Normal file
4
lib/systemd/system-preset/50-security-misc.preset
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
|
||||||
|
## See the file COPYING for copying conditions.
|
||||||
|
|
||||||
|
disable hide-hardware-info.service
|
17
lib/systemd/system/hide-hardware-info.service
Normal file
17
lib/systemd/system/hide-hardware-info.service
Normal file
@ -0,0 +1,17 @@
|
|||||||
|
## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
|
||||||
|
## See the file COPYING for copying conditions.
|
||||||
|
|
||||||
|
[Unit]
|
||||||
|
Description=Hide hardware information to unprivileged users
|
||||||
|
Documentation=https://github.com/Whonix/security-misc
|
||||||
|
DefaultDependencies=no
|
||||||
|
Before=sysinit.target
|
||||||
|
Requires=local-fs.target
|
||||||
|
After=local-fs.target
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=oneshot
|
||||||
|
ExecStart=/usr/lib/security-misc/hide-hardware-info
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=sysinit.target
|
24
usr/lib/security-misc/hide-hardware-info
Normal file
24
usr/lib/security-misc/hide-hardware-info
Normal file
@ -0,0 +1,24 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
|
||||||
|
## See the file COPYING for copying conditions.
|
||||||
|
|
||||||
|
## sysfs and debugfs expose a lot of information
|
||||||
|
## that should not be accessible by an unprivileged
|
||||||
|
## user which includes hardware info, debug info and
|
||||||
|
## more. This restricts /sys, /proc/cpuinfo, /proc/bus
|
||||||
|
## and /proc/scsi to the root user only. This hides
|
||||||
|
## many hardware identifiers from ordinary users
|
||||||
|
## and increases security.
|
||||||
|
for i in /proc/cpuinfo /proc/bus /proc/scsi /sys
|
||||||
|
do
|
||||||
|
if [ -e "${i}" ]; then
|
||||||
|
chmod og-rwx "${i}"
|
||||||
|
else
|
||||||
|
## /proc/scsi doesn't exist on Debian so errors
|
||||||
|
## are expected here.
|
||||||
|
if ! [ "${i}" = "/proc/scsi" ]; then
|
||||||
|
echo "ERROR: ${i} could not be found."
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
done
|
Loading…
Reference in New Issue
Block a user