From 194b8fce4e5a8e9c642171853d7b0491debced55 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sun, 28 Sep 2025 03:20:24 +0000 Subject: [PATCH 1/8] Disable the usage of `ptrace()` by all processes --- README.md | 17 ++++------------- .../990-security-misc.conf#security-misc-shared | 13 +++++-------- 2 files changed, 9 insertions(+), 21 deletions(-) diff --git a/README.md b/README.md index f784bbf..f5f143f 100644 --- a/README.md +++ b/README.md @@ -58,9 +58,8 @@ configuration file and significant hardening is applied to a myriad of component #### User space -- Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it - enables programs to inspect and modify other active processes. Optional - Disable - usage of `ptrace()` by all processes. +- Disable the usage of `ptrace()` by all processes as it enables programs to inspect + and modify other active processes - Maximize the bits of entropy used for mmap ASLR across all CPU architectures. @@ -273,23 +272,15 @@ there are a few cases of partial or non-compliance due to technical limitations. More than 30 kernel boot parameters and over 30 sysctl settings are fully aligned with the KSPP's recommendations. -**Partial compliance:** - -1. `sysctl kernel.yama.ptrace_scope=3` - -Completely disables `ptrace()`. Can be enabled easily if needed. - -* [security-misc pull request #242](https://github.com/Kicksecure/security-misc/pull/242) - **Non-compliance:** -2. `sysctl user.max_user_namespaces=0` +1. `sysctl user.max_user_namespaces=0` Disables user namespaces entirely. Not recommended due to the potential for widespread breakages. * [security-misc pull request #263](https://github.com/Kicksecure/security-misc/pull/263) -3. `sysctl fs.binfmt_misc.status=0` +2. `sysctl fs.binfmt_misc.status=0` Disables the registration of interpreters for miscellaneous binary formats. Currently not feasible due to compatibility issues with Firefox. 
diff --git a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared index fa7a97d..40d8eb7 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared +++ b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared @@ -227,8 +227,8 @@ kernel.io_uring_disabled=2 ## ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace -## Restrict usage of the ptrace() system call to only processes with CAP_SYS_PTRACE. -## Limit ptrace() as it enables programs to inspect and modify other active processes. +## Diable the usage of the ptrace() system call by all processes. +## Restrict ptrace() as it enables programs to inspect and modify other active processes. ## Prevents native code debugging which some programs use as a method to detect tampering. ## May cause breakages in 'anti-cheat' software and programs running under Proton/WINE. ## @@ -238,13 +238,10 @@ kernel.io_uring_disabled=2 ## https://github.com/GrapheneOS/os-issue-tracker/issues/651#issuecomment-917599928 ## https://github.com/netblue30/firejail/issues/2860 ## -## KSPP=partial -## KSPP sets the stricter sysctl kernel.yama.ptrace_scope=3. +## KSPP=yes +## KSPP sets the sysctl. ## -## It is possible to harden further by disabling ptrace() for all users, see documentation. -## https://github.com/Kicksecure/security-misc/pull/242 -## -kernel.yama.ptrace_scope=2 +kernel.yama.ptrace_scope=3 ## Maximize bits of entropy for improved effectiveness of mmap ASLR. ## The maximum number of bits depends on CPU architecture (the ones shown below are for x86). From 0c8f2f1b44049b676251775d64e23651e9225d00 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Thu, 2 Oct 2025 07:05:00 +0000 Subject: [PATCH 2/8] Add docs about the risks associated with IPv6 RAs --- README.md | 5 +++-- .../990-security-misc.conf#security-misc-shared | 10 +++++++++- 2 files changed, 12 insertions(+), 3 deletions(-) 
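Review bot: The retained caveat line `## May cause breakages in 'anti-cheat' software and programs running under Proton/WINE.` now understates the impact of the new value: at scope 3 Yama refuses PTRACE_TRACEME as well as PTRACE_ATTACH, so ordinary developer tooling that launches a child under ptrace (gdb, strace, ltrace) stops working too, not only tamper-detection in games. I would add after that line: `## Also breaks debuggers and tracers entirely, even on the user's own processes, since PTRACE_TRACEME is refused as well.` The README bullet in the same patch would benefit from the same warning, since the removed README text was the only place that mentioned a fallback.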
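Review bot: Setting `kernel.yama.ptrace_scope=3` is a one-way latch — per the Yama documentation already linked in this block, once the value is 3 it cannot be lowered again until reboot — and neither the new comment nor the README mentions this, while the README text removed in this patch ("Can be enabled easily if needed") claimed the opposite. Worth stating right beside the setting: `## Irreversible at runtime: once set to 3 the value cannot be lowered without a reboot.` The new `## KSPP sets the sysctl.` line would also be more useful as `## KSPP sets kernel.yama.ptrace_scope=3.`, so the reader does not have to infer which value the KSPP recommends.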
diff --git a/README.md b/README.md index f784bbf..9dc25bd 100644 --- a/README.md +++ b/README.md @@ -121,8 +121,9 @@ configuration file and significant hardening is applied to a myriad of component - Disable source routing which allows users to redirect network traffic that can result in man-in-the-middle attacks. -- Do not accept IPv6 router advertisements and solicitations. - +- Do not accept IPv6 router advertisements (RAs) and solicitations which can result + in both man-in-the-middle and denial-of-service attacks. + - Optional - Disable SACK and DSACK as they have historically been a known vector for exploitation. diff --git a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared index fa7a97d..75765c5 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared +++ b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared @@ -515,7 +515,15 @@ net.ipv4.icmp_ignore_bogus_error_responses=1 net.ipv4.conf.*.accept_source_route=0 net.ipv6.conf.*.accept_source_route=0 -## Do not accept IPv6 router advertisements and solicitations. +## Do not accept IPv6 router advertisements (RAs) and solicitations. +## RAs are unsecured and unauthenticated and any device on the local link can send and accept them without verification. +## Malicious RAs can activate IPv6 connectivity on dormant hosts leading to unauthorized access. +## Flooding the network with malicious RAs can lead to denial of service attacks. +## Rogue RAs can lead to interception of all network traffic by setting the attacker's system as the default gateway. +## +## https://datatracker.ietf.org/doc/html/rfc6104 +## https://datatracker.ietf.org/doc/html/rfc6105 +## https://archive.conference.hitb.org/hitbsecconf2012kul/materials/D1T2%20-%20Marc%20Heuse%20-%20IPv6%20Insecurity%20Revolutions.pdf ## net.ipv6.conf.*.accept_ra=0 From 7161430a6000c4ff5e15a9a8c9519529655a1444 Mon Sep 17 00:00:00 2001 
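Review bot: The new comment block explains why RAs are dangerous but not what `accept_ra=0` costs: on links where IPv6 is provisioned only by router advertisements (SLAAC plus an RA-learned default route) this leaves the host with no global IPv6 address or default route, so the block should tell the operator that static configuration or DHCPv6 is then required. The line `## RAs are unsecured and unauthenticated ...` is true in practice but not by design — SEND (RFC 3971) exists and is rarely deployed — so I would soften it to `## RAs are in practice unauthenticated: any device on the local link can send them and hosts accept them without verification.` RFC 6105 (RA-Guard) describes a switch-side mitigation rather than this host-side setting, which deserves a parenthetical so readers do not expect it to document accept_ra.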
From: raja-grewal Date: Sun, 12 Oct 2025 02:27:48 +0000 Subject: [PATCH 3/8] Seperate `ptrace()` disabling into own file --- ...c_ptrace-disable.conf#security-misc-shared | 24 +++++++++++++++++++ ...90-security-misc.conf#security-misc-shared | 4 +++- 2 files changed, 27 insertions(+), 1 deletion(-) create mode 100644 usr/lib/sysctl.d/30_security-misc_ptrace-disable.conf#security-misc-shared diff --git a/usr/lib/sysctl.d/30_security-misc_ptrace-disable.conf#security-misc-shared b/usr/lib/sysctl.d/30_security-misc_ptrace-disable.conf#security-misc-shared new file mode 100644 index 0000000..1047f88 --- /dev/null +++ b/usr/lib/sysctl.d/30_security-misc_ptrace-disable.conf#security-misc-shared @@ -0,0 +1,24 @@ +## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Definitions: +## KSPP=yes: compliant with recommendations by the KSPP +## KSPP=partial: partially compliant with recommendations by the KSPP +## KSPP=no: not (currently) compliant with recommendations by the KSPP +## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. + +## Diable the usage of the ptrace() system call by all processes. +## Restrict ptrace() as it enables programs to inspect and modify other active processes. +## Prevents native code debugging which some programs use as a method to detect tampering. +## May cause breakages in 'anti-cheat' software and programs running under Proton/WINE. +## +## https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html#ptrace-scope +## https://en.wikipedia.org/wiki/Ptrace +## https://grapheneos.org/features#attack-surface-reduction +## https://github.com/GrapheneOS/os-issue-tracker/issues/651#issuecomment-917599928 +## https://github.com/netblue30/firejail/issues/2860 +## +## KSPP=yes +## KSPP sets the sysctl. +## +kernel.yama.ptrace_scope=3 \ No newline at end of file 
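Review bot: Splitting the setting into its own file implies that users may opt out, but the new file does not say how, and the usual advice of "override the key in a later-sorted /etc/sysctl.d file" only works if the loader merges keys before applying them (systemd-sysctl does, as far as I can tell; a manual `sysctl -p` of this file or an applier that sets values file by file cannot undo 3 once it is set, because Yama does not allow lowering the value until reboot). I would add below the references: `## Opt out by masking this file (an empty file of the same name in /etc/sysctl.d/) rather than by re-setting the key afterwards; once 3 has been applied it cannot be lowered without a reboot.` The `## KSPP sets the sysctl.` line would be clearer as `## KSPP sets kernel.yama.ptrace_scope=3.`.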
diff --git a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared index 40d8eb7..9caedfe 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared +++ b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared @@ -241,7 +241,9 @@ kernel.io_uring_disabled=2 ## KSPP=yes ## KSPP sets the sysctl. ## -kernel.yama.ptrace_scope=3 +## See /usr/lib/sysctl.d/30_security_misc-ptrace-disable.conf for implementation. +## +#kernel.yama.ptrace_scope=3 ## Maximize bits of entropy for improved effectiveness of mmap ASLR. ## The maximum number of bits depends on CPU architecture (the ones shown below are for x86). From 23041741715cc5f3d16378d6bb34719ceaa1642c Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sun, 12 Oct 2025 02:32:45 +0000 Subject: [PATCH 4/8] Insert empty new line --- .../30_security-misc_ptrace-disable.conf#security-misc-shared | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/lib/sysctl.d/30_security-misc_ptrace-disable.conf#security-misc-shared b/usr/lib/sysctl.d/30_security-misc_ptrace-disable.conf#security-misc-shared index 1047f88..fd40923 100644 --- a/usr/lib/sysctl.d/30_security-misc_ptrace-disable.conf#security-misc-shared +++ b/usr/lib/sysctl.d/30_security-misc_ptrace-disable.conf#security-misc-shared @@ -16,9 +16,9 @@ ## https://en.wikipedia.org/wiki/Ptrace ## https://grapheneos.org/features#attack-surface-reduction ## https://github.com/GrapheneOS/os-issue-tracker/issues/651#issuecomment-917599928 -## https://github.com/netblue30/firejail/issues/2860 +## https://github.com/netblue30/firejail/issues/2860 ## ## KSPP=yes ## KSPP sets the sysctl. ## -kernel.yama.ptrace_scope=3 \ No newline at end of file +kernel.yama.ptrace_scope=3 From 4f63af4200de23e2216be6d3e7f1055af02dbc3b Mon Sep 17 00:00:00 2001 
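Review bot: Commenting out `#kernel.yama.ptrace_scope=3` while leaving the full explanatory block and reference list in place leaves two copies of the same documentation to keep in sync, and the later "Typo fixes" patch in this series already has to correct the same word in both files, which is exactly the drift this invites. I would cut the block here to a single pointer, `## ptrace() is disabled in /usr/lib/sysctl.d/30_security-misc_ptrace-disable.conf; see that file for rationale, references and the KSPP note.`, and keep the rationale only in the new file.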
From: Aaron Rainbolt Date: Wed, 15 Oct 2025 17:53:26 -0500 Subject: [PATCH 5/8] Allow listing USB devices via usbguard --- etc/usbguard/IPCAccessControl.d/:qubes#security-misc-shared | 2 +- etc/usbguard/IPCAccessControl.d/:sudo#security-misc-shared | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/etc/usbguard/IPCAccessControl.d/:qubes#security-misc-shared b/etc/usbguard/IPCAccessControl.d/:qubes#security-misc-shared index c12628a..470f4df 100644 --- a/etc/usbguard/IPCAccessControl.d/:qubes#security-misc-shared +++ b/etc/usbguard/IPCAccessControl.d/:qubes#security-misc-shared @@ -1 +1 @@ -Devices=listen +Devices=listen,list diff --git a/etc/usbguard/IPCAccessControl.d/:sudo#security-misc-shared b/etc/usbguard/IPCAccessControl.d/:sudo#security-misc-shared index c12628a..470f4df 100644 --- a/etc/usbguard/IPCAccessControl.d/:sudo#security-misc-shared +++ b/etc/usbguard/IPCAccessControl.d/:sudo#security-misc-shared @@ -1 +1 @@ -Devices=listen +Devices=listen,list From 026d55ac410bf747db03c0cf9475b3408bce7f8e Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Wed, 15 Oct 2025 18:30:52 -0500 Subject: [PATCH 6/8] Typo fixes --- README.md | 2 +- .../30_security-misc_ptrace-disable.conf#security-misc-shared | 2 +- usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 33dcb4c..2f14d57 100644 --- a/README.md +++ b/README.md @@ -63,7 +63,7 @@ configuration file and significant hardening is applied to a myriad of component #### User space - Disable the usage of `ptrace()` by all processes as it enables programs to inspect - and modify other active processes + and modify other active processes. - Maximize the bits of entropy used for mmap ASLR across all CPU architectures. 
diff --git a/usr/lib/sysctl.d/30_security-misc_ptrace-disable.conf#security-misc-shared b/usr/lib/sysctl.d/30_security-misc_ptrace-disable.conf#security-misc-shared index fd40923..0baec08 100644 --- a/usr/lib/sysctl.d/30_security-misc_ptrace-disable.conf#security-misc-shared +++ b/usr/lib/sysctl.d/30_security-misc_ptrace-disable.conf#security-misc-shared @@ -7,7 +7,7 @@ ## KSPP=no: not (currently) compliant with recommendations by the KSPP ## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. -## Diable the usage of the ptrace() system call by all processes. +## Disable the usage of the ptrace() system call by all processes. ## Restrict ptrace() as it enables programs to inspect and modify other active processes. ## Prevents native code debugging which some programs use as a method to detect tampering. ## May cause breakages in 'anti-cheat' software and programs running under Proton/WINE. diff --git a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared index 7ad04c9..5cf443f 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared +++ b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared @@ -234,7 +234,7 @@ kernel.io_uring_disabled=2 ## ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace -## Diable the usage of the ptrace() system call by all processes. +## Disable the usage of the ptrace() system call by all processes. ## Restrict ptrace() as it enables programs to inspect and modify other active processes. ## Prevents native code debugging which some programs use as a method to detect tampering. ## May cause breakages in 'anti-cheat' software and programs running under Proton/WINE. 
@@ -248,7 +248,7 @@ kernel.io_uring_disabled=2 ## KSPP=yes ## KSPP sets the sysctl. ## -## See /usr/lib/sysctl.d/30_security_misc-ptrace-disable.conf for implementation. +## See /usr/lib/sysctl.d/30_security-misc_ptrace-disable.conf for implementation. ## #kernel.yama.ptrace_scope=3 From 3d5e659b78cf2588f95280c13b1ebdf24060fb6f Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Wed, 15 Oct 2025 19:02:48 -0500 Subject: [PATCH 7/8] Remove trailing spaces --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 89554f6..ee8d364 100644 --- a/README.md +++ b/README.md @@ -126,7 +126,7 @@ configuration file and significant hardening is applied to a myriad of component - Do not accept IPv6 router advertisements (RAs) and solicitations which can result in both man-in-the-middle and denial-of-service attacks. - + - Optional - Disable SACK and DSACK as they have historically been a known vector for exploitation. From 70fbbc230c0c5366b7a09d531012d18b1e88e07b Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Fri, 17 Oct 2025 15:49:42 -0500 Subject: [PATCH 8/8] Set USBGuard settings to permit USB hubs and Qubes USB passthrough --- .../rules.d/30_security-misc.conf#security-misc-shared | 3 +++ 1 file changed, 3 insertions(+) diff --git a/etc/usbguard/rules.d/30_security-misc.conf#security-misc-shared b/etc/usbguard/rules.d/30_security-misc.conf#security-misc-shared index 05e5032..ceb3c1f 100644 --- a/etc/usbguard/rules.d/30_security-misc.conf#security-misc-shared +++ b/etc/usbguard/rules.d/30_security-misc.conf#security-misc-shared @@ -66,3 +66,6 @@ reject with-interface one-of { ef:04:* } ## Suspicious interface combinations with mass storage are blocked. allow with-interface equals { 08:*:* } +## Allow USB hubs, these are likely safe and are required for Qubes OS USB +## passthrough to work. +allow with-interface equals { 09:*:* }
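Review bot: `allow with-interface equals { 09:*:* }` is a sensible rule, but the justification `## Allow USB hubs, these are likely safe` should say why it is safe: a hub only forwards traffic, and every device enumerated behind it is still evaluated against this rule set individually, so allowing the hub does not whitelist whatever is plugged into it. The comment should also note that `equals` deliberately excludes composite hubs that expose an additional class (some docking hubs add a HID or billboard interface), which fall through to the daemon's implicit policy target instead. Suggested wording: `## Allow plain USB hubs (interface class 09 only). A hub merely forwards traffic; devices attached behind it are evaluated by these rules individually. Hubs that also expose other interface classes are intentionally not matched. Required for Qubes OS USB passthrough.`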