mirror of
https://github.com/Kicksecure/security-misc.git
synced 2025-11-27 09:20:26 -05:00
Merge remote-tracking branch 'ArrayBolt3/arraybolt3/trixie'
This commit is contained in:
Patrick Schleizer
commit
806eec423a
6 changed files with 50 additions and 24 deletions
20
README.md
20
README.md
|
|
@ -62,9 +62,8 @@ configuration file and significant hardening is applied to a myriad of component
|
|||
|
||||
#### User space
|
||||
|
||||
- Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it
|
||||
enables programs to inspect and modify other active processes. Optional - Disable
|
||||
usage of `ptrace()` by all processes.
|
||||
- Disable the usage of `ptrace()` by all processes as it enables programs to inspect
|
||||
and modify other active processes.
|
||||
|
||||
- Maximize the bits of entropy used for mmap ASLR across all CPU architectures.
|
||||
|
||||
|
|
@ -125,7 +124,8 @@ configuration file and significant hardening is applied to a myriad of component
|
|||
- Disable source routing which allows users to redirect network traffic that
|
||||
can result in man-in-the-middle attacks.
|
||||
|
||||
- Do not accept IPv6 router advertisements and solicitations.
|
||||
- Do not accept IPv6 router advertisements (RAs) and solicitations which can result
|
||||
in both man-in-the-middle and denial-of-service attacks.
|
||||
|
||||
- Optional - Disable SACK and DSACK as they have historically been a known
|
||||
vector for exploitation.
|
||||
|
|
@ -279,23 +279,15 @@ there are a few cases of partial or non-compliance due to technical limitations.
|
|||
More than 30 kernel boot parameters and over 30 sysctl settings are fully aligned with
|
||||
the KSPP's recommendations.
|
||||
|
||||
**Partial compliance:**
|
||||
|
||||
1. `sysctl kernel.yama.ptrace_scope=3`
|
||||
|
||||
Completely disables `ptrace()`. Can be enabled easily if needed.
|
||||
|
||||
* [security-misc pull request #242](https://github.com/Kicksecure/security-misc/pull/242)
|
||||
|
||||
**Non-compliance:**
|
||||
|
||||
2. `sysctl user.max_user_namespaces=0`
|
||||
1. `sysctl user.max_user_namespaces=0`
|
||||
|
||||
Disables user namespaces entirely. Not recommended due to the potential for widespread breakages.
|
||||
|
||||
* [security-misc pull request #263](https://github.com/Kicksecure/security-misc/pull/263)
|
||||
|
||||
3. `sysctl fs.binfmt_misc.status=0`
|
||||
2. `sysctl fs.binfmt_misc.status=0`
|
||||
|
||||
Disables the registration of interpreters for miscellaneous binary formats. Currently not
|
||||
feasible due to compatibility issues with Firefox.
|
||||
|
|
|
|||
|
|
@ -1 +1 @@
|
|||
Devices=listen
|
||||
Devices=listen,list
|
||||
|
|
|
|||
|
|
@ -1 +1 @@
|
|||
Devices=listen
|
||||
Devices=listen,list
|
||||
|
|
|
|||
|
|
@ -66,3 +66,6 @@ reject with-interface one-of { ef:04:* }
|
|||
## Suspicious interface combinations with mass storage are blocked.
|
||||
allow with-interface equals { 08:*:* }
|
||||
|
||||
## Allow USB hubs, these are likely safe and are required for Qubes OS USB
|
||||
## passthrough to work.
|
||||
allow with-interface equals { 09:*:* }
|
||||
|
|
|
|||
|
|
@ -0,0 +1,24 @@
|
|||
## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
## Definitions:
|
||||
## KSPP=yes: compliant with recommendations by the KSPP
|
||||
## KSPP=partial: partially compliant with recommendations by the KSPP
|
||||
## KSPP=no: not (currently) compliant with recommendations by the KSPP
|
||||
## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP.
|
||||
|
||||
## Disable the usage of the ptrace() system call by all processes.
|
||||
## Restrict ptrace() as it enables programs to inspect and modify other active processes.
|
||||
## Prevents native code debugging which some programs use as a method to detect tampering.
|
||||
## May cause breakages in 'anti-cheat' software and programs running under Proton/WINE.
|
||||
##
|
||||
## https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html#ptrace-scope
|
||||
## https://en.wikipedia.org/wiki/Ptrace
|
||||
## https://grapheneos.org/features#attack-surface-reduction
|
||||
## https://github.com/GrapheneOS/os-issue-tracker/issues/651#issuecomment-917599928
|
||||
## https://github.com/netblue30/firejail/issues/2860
|
||||
##
|
||||
## KSPP=yes
|
||||
## KSPP sets the sysctl.
|
||||
##
|
||||
kernel.yama.ptrace_scope=3
|
||||
|
|
@ -234,8 +234,8 @@ kernel.io_uring_disabled=2
|
|||
##
|
||||
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace
|
||||
|
||||
## Restrict usage of the ptrace() system call to only processes with CAP_SYS_PTRACE.
|
||||
## Limit ptrace() as it enables programs to inspect and modify other active processes.
|
||||
## Disable the usage of the ptrace() system call by all processes.
|
||||
## Restrict ptrace() as it enables programs to inspect and modify other active processes.
|
||||
## Prevents native code debugging which some programs use as a method to detect tampering.
|
||||
## May cause breakages in 'anti-cheat' software and programs running under Proton/WINE.
|
||||
##
|
||||
|
|
@ -245,13 +245,12 @@ kernel.io_uring_disabled=2
|
|||
## https://github.com/GrapheneOS/os-issue-tracker/issues/651#issuecomment-917599928
|
||||
## https://github.com/netblue30/firejail/issues/2860
|
||||
##
|
||||
## KSPP=partial
|
||||
## KSPP sets the stricter sysctl kernel.yama.ptrace_scope=3.
|
||||
## KSPP=yes
|
||||
## KSPP sets the sysctl.
|
||||
##
|
||||
## It is possible to harden further by disabling ptrace() for all users, see documentation.
|
||||
## https://github.com/Kicksecure/security-misc/pull/242
|
||||
## See /usr/lib/sysctl.d/30_security-misc_ptrace-disable.conf for implementation.
|
||||
##
|
||||
kernel.yama.ptrace_scope=2
|
||||
#kernel.yama.ptrace_scope=3
|
||||
|
||||
## Maximize bits of entropy for improved effectiveness of mmap ASLR.
|
||||
## The maximum number of bits depends on CPU architecture (the ones shown below are for x86).
|
||||
|
|
@ -522,7 +521,15 @@ net.ipv4.icmp_ignore_bogus_error_responses=1
|
|||
net.ipv4.conf.*.accept_source_route=0
|
||||
net.ipv6.conf.*.accept_source_route=0
|
||||
|
||||
## Do not accept IPv6 router advertisements and solicitations.
|
||||
## Do not accept IPv6 router advertisements (RAs) and solicitations.
|
||||
## RAs are unsecured and unauthenticated and any device on the local link can send and accept them without verification.
|
||||
## Malicious RAs can activate IPv6 connectivity on dormant hosts leading to unauthorized access.
|
||||
## Flooding the network with malicious RAs can lead to denial of service attacks.
|
||||
## Rogue RAs can lead to interception of all network traffic by setting the attacker's system as the default gateway.
|
||||
##
|
||||
## https://datatracker.ietf.org/doc/html/rfc6104
|
||||
## https://datatracker.ietf.org/doc/html/rfc6105
|
||||
## https://archive.conference.hitb.org/hitbsecconf2012kul/materials/D1T2%20-%20Marc%20Heuse%20-%20IPv6%20Insecurity%20Revolutions.pdf
|
||||
##
|
||||
net.ipv6.conf.*.accept_ra=0
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue