Merge pull request #153 from monsieuremre/readme

Updated Readme
This commit is contained in:
Patrick Schleizer 2023-11-05 14:34:13 -05:00 committed by GitHub
commit 817ca116f6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -42,15 +42,21 @@ arbitrary code execution in kernel mode.
* Prevents unintentional writes to attacker-controlled files. * Prevents unintentional writes to attacker-controlled files.
* Prevents common symlink and hardlink TOCTOU races. * Prevents common symlink and hardlink TOCTOU races.
<!--
* Restricts the SysRq key so it can only be used for shutdowns and the * Restricts the SysRq key so it can only be used for shutdowns and the
Secure Attention Key. Secure Attention Key.
-->
* Disables SysRq completely.
* The kernel is only allowed to swap if it is absolutely necessary. This * The kernel is only allowed to swap if it is absolutely necessary. This
prevents writing potentially sensitive contents of memory to disk. prevents writing potentially sensitive contents of memory to disk.
* TCP timestamps are disabled as it can allow detecting the system time. * TCP timestamps are disabled as it can allow detecting the system time.
* Enforces the logging of martian packets, those with a source address which is blatantly wrong.
* Set coredump file name based on core_pattern value instead of the default of naming it 'core'.
### mmap ASLR ### mmap ASLR
* The bits of entropy used for mmap ASLR are maxed out via * The bits of entropy used for mmap ASLR are maxed out via
@ -102,6 +108,10 @@ See:
* `/etc/default/grub.d/40_only_allow_signed_modules.cfg` * `/etc/default/grub.d/40_only_allow_signed_modules.cfg`
#### Disables the loading of new modules to the kernel after the fact
A systemd service dynamically sets the kernel parameter ```modules_disabled``` to 1, preventing new modules from being loaded. Since this isn't configured directly within systemctl, it does not break the loading of legitimate and necessary modules for the user, like drivers etc., given they are plugged in on startup.
#### Disables and blacklists kernel modules #### Disables and blacklists kernel modules
Certain kernel modules are disabled and blacklisted by default to reduce attack surface via the Certain kernel modules are disabled and blacklisted by default to reduce attack surface via the
@ -111,9 +121,6 @@ Certain kernel modules are disabled and blacklisted by default to reduce attack
increases kernel attack surface by enabling superfluous functionality increases kernel attack surface by enabling superfluous functionality
such as IRC parsing in the kernel. Hence, this feature is disabled. such as IRC parsing in the kernel. Hence, this feature is disabled.
* Bluetooth is disabled to reduce attack surface. Bluetooth has
a lengthy history of security concerns.
* Thunderbolt and numerous FireWire kernel modules are also disabled as they are * Thunderbolt and numerous FireWire kernel modules are also disabled as they are
often vulnerable to DMA attacks. often vulnerable to DMA attacks.
@ -170,7 +177,7 @@ of multiple vulnerabilities so it is disabled.
* Incorporates much of [Ubuntu's](https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d?h=ubuntu/disco) default blacklist of modules to be blocked from automatically loading. However, they are still permitted to load. * Incorporates much of [Ubuntu's](https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d?h=ubuntu/disco) default blacklist of modules to be blocked from automatically loading. However, they are still permitted to load.
* Blocks automatic loading of the modules needed to use of CD-ROM devices by default. Not completely disabled yet. * Blocks automatic loading of the modules needed to use of CD-ROM devices by default. Not completely disabled yet.
### Other ### Other
* A systemd service clears the System.map file on boot as these contain kernel * A systemd service clears the System.map file on boot as these contain kernel
@ -199,7 +206,7 @@ this is not needed for `dracut` because `dracut` does that by default, at least
on `systemd` enabled systems. Not researched for non-`systemd` systems by the on `systemd` enabled systems. Not researched for non-`systemd` systems by the
author of this part of the readme. author of this part of the readme.
## Network hardening ## Network & Bluetooth hardening
* TCP syncookies are enabled to prevent SYN flood attacks. * TCP syncookies are enabled to prevent SYN flood attacks.
@ -216,6 +223,14 @@ dropping RST packets for sockets in the time-wait state.
* Reverse path filtering is enabled to prevent IP spoofing and mitigate * Reverse path filtering is enabled to prevent IP spoofing and mitigate
vulnerabilities such as CVE-2019-14899. vulnerabilities such as CVE-2019-14899.
* Unlike version 4, IPv6 addresses can provide information not only about the originating network, but also the originating device.
We prevent this from happening by enabling the respective privacy extensions for IPv6.
* In addition, we deny the capability to track the originating device in the network at all, by using randomized MAC addresses per connection per default.
* Bluetooth is left enabled but users are highly discouraged from ever turning it on, due to its history of numerous security vulnurabilities. Unlike the default settings,
we start the system with bluetooth turned off. We also enforce private addresses and strict timeout settings for discoverability and visibility.
## Entropy collection improvements ## Entropy collection improvements
* The `jitterentropy_rng` kernel module is loaded as early as possible * The `jitterentropy_rng` kernel module is loaded as early as possible
@ -230,6 +245,11 @@ audit, may contain weaknesses or a backdoor. For references, see:
## Restrictive mount options ## Restrictive mount options
A systemd service is triggered on boot to remount all sensitive partitions and directories with significantly more secure hardened mount options.
Since this would require manual tuning for a given specific system, we handle it by creating a very solid configuration file for that very system on package install.
<!--
Not enabled by default yet. In development. Help welcome. Not enabled by default yet. In development. Help welcome.
https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/ https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/
@ -246,7 +266,7 @@ To disable this, execute `touch /etc/remount-disable` as root.
Alternatively, file `/usr/local/etc/remount-disable` or `/usr/local/etc/noexec` Alternatively, file `/usr/local/etc/remount-disable` or `/usr/local/etc/noexec`
could be used. could be used.
-->
## Root access restrictions ## Root access restrictions
* `su` is restricted to only users within the group `sudo` which prevents * `su` is restricted to only users within the group `sudo` which prevents
@ -373,6 +393,22 @@ See:
### SUID / SGID removal and permission hardening ### SUID / SGID removal and permission hardening
#### SUID / SGID removal
A systemd service removes SUID / SGID bits from non-essential binaries as
these are often used in privilege escalation attacks.
#### File permission hardening
Various file permissions are reset with more secure and hardened defaults. These include but are not limited to:
* Limiting ```/home``` and ```/root``` to the root only.
* Limiting crontab to root as well as all the configuration files for cron.
* Limiting the configuration for cups and ssh.
* Protecting the information of sudoers from others.
* Protecting various system relevant files and modules.
<!--
Not enabled by default yet. Not enabled by default yet.
A systemd service removes SUID / SGID bits from non-essential binaries as A systemd service removes SUID / SGID bits from non-essential binaries as
@ -400,7 +436,7 @@ See:
* `/usr/bin/pkexec.security-misc` * `/usr/bin/pkexec.security-misc`
* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040 * https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040
* https://forums.whonix.org/t/cannot-use-pkexec/8129 * https://forums.whonix.org/t/cannot-use-pkexec/8129
-->
## Application-specific hardening ## Application-specific hardening
* Enables "`apt-get --error-on=any`" which makes apt exit non-zero for * Enables "`apt-get --error-on=any`" which makes apt exit non-zero for
@ -410,8 +446,13 @@ See:
* Deactivates previews in Nautilus - * Deactivates previews in Nautilus -
`/usr/share/glib-2.0/schemas/30_security-misc.gschema.override`. `/usr/share/glib-2.0/schemas/30_security-misc.gschema.override`.
* Deactivates thumbnails in Thunar. * Deactivates thumbnails in Thunar.
* Displays domain names in punycode (`network.IDN_show_punycode`) in * Thunderbird is hardened with the following options:
Thunderbird to prevent IDN homograph attacks (a form of phishing). * Displays domain names in punycode to prevent IDN homograph attacks (a form of phishing).
* Strips email client information for sent email headers.
* Stripts user time information from sent email headers by replacing the originating time zone with UTC and rounding the timestamp to the nearest minute.
* Disables scripting when viewing pdf files.
* Disables implicit outgoing connections.
* Disables all and any kind of telemetry.
* Security and privacy enhancements for gnupg's config file * Security and privacy enhancements for gnupg's config file
`/etc/skel/.gnupg/gpg.conf`. See also: `/etc/skel/.gnupg/gpg.conf`. See also: