mirror of
https://github.com/Kicksecure/security-misc.git
synced 2025-01-21 02:51:06 -05:00
spelling
This commit is contained in:
parent
9a387f95e9
commit
821a416fe3
72
README.md
@ -16,10 +16,10 @@ configuration file.
|
|||||||
Significant hardening is applied by default to a myriad of components within kernel
|
Significant hardening is applied by default to a myriad of components within kernel
|
||||||
space, user space, core dumps, and swap space.
|
space, user space, core dumps, and swap space.
|
||||||
|
|
||||||
- Restrict access to kernel addresses through the us of kernel pointers regardless
|
- Restrict access to kernel addresses through the use of kernel pointers regardless
|
||||||
of user privileges.
|
of user privileges.
|
||||||
|
|
||||||
- Restrict access to the kernel logs to `CAP_SYSLOG` as the often contain
|
- Restrict access to the kernel logs to `CAP_SYSLOG` as they often contain
|
||||||
sensitive information.
|
sensitive information.
|
||||||
|
|
||||||
- Prevent kernel information leaks in the console during boot.
|
- Prevent kernel information leaks in the console during boot.
|
||||||
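Review bot: the reworded line "Restrict access to kernel addresses through the use of kernel pointers regardless of user privileges" is still ambiguous about what is being restricted: read literally it says access is restricted by using kernel pointers, whereas the intent is to stop kernel pointer values from being exposed. Suggest "Prevent kernel addresses from being exposed through kernel pointers, regardless of user privileges", which also lines up with the following bullet about kernel logs leaking sensitive information.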
@ -28,33 +28,33 @@ space, user space, core dumps, and swap space.
|
|||||||
|
|
||||||
- Restrict loading TTY line disciplines to `CAP_SYS_MODULE`.
|
- Restrict loading TTY line disciplines to `CAP_SYS_MODULE`.
|
||||||
|
|
||||||
- Restricts the `userfaultfd()` syscall to `CAP_SYS_PTRACE` which reduces the
|
- Restrict the `userfaultfd()` syscall to `CAP_SYS_PTRACE`, which reduces the
|
||||||
likelihood of use-after-free exploits.
|
likelihood of use-after-free exploits.
|
||||||
|
|
||||||
- Disable `kexec` as it can be used to replace the running kernel.
|
- Disable `kexec` as it can be used to replace the running kernel.
|
||||||
|
|
||||||
- Entirely disables the SysRq key so that the Secure Attention Key (SAK)
|
- Entirely disable the SysRq key so that the Secure Attention Key (SAK)
|
||||||
can no longer be utilised. See [documentation](https://www.kicksecure.com/wiki/SysRq).
|
can no longer be utilized. See [documentation](https://www.kicksecure.com/wiki/SysRq).
|
||||||
|
|
||||||
- Provide the option to disable unprivileged user namespaces as they can lead to
|
- Provide the option to disable unprivileged user namespaces as they can lead to
|
||||||
substantial privilege escalation.
|
substantial privilege escalation.
|
||||||
|
|
||||||
- Restrict kernel profiling and the performance events system to `CAP_PERFMON`.
|
- Restrict kernel profiling and the performance events system to `CAP_PERFMON`.
|
||||||
|
|
||||||
- Randomise the addresses (ASLR) for mmap base, stack, VDSO pages, and heap.
|
- Randomize the addresses (ASLR) for mmap base, stack, VDSO pages, and heap.
|
||||||
|
|
||||||
- Disable asynchronous I/O (when using Linux kernel version >= 6.6).
|
- Disable asynchronous I/O (when using Linux kernel version >= 6.6).
|
||||||
|
|
||||||
- Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it
|
- Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it
|
||||||
enables programs to inspect and modify other active processes. Provide the
|
enables programs to inspect and modify other active processes. Provide the
|
||||||
option to also entirely disable the use of `ptrace()` for all processes.
|
option to entirely disable the use of `ptrace()` for all processes.
|
||||||
|
|
||||||
- Prevent hardlink and symlink TOCTOU races in world-writable directories.
|
- Prevent hardlink and symlink TOCTOU races in world-writable directories.
|
||||||
|
|
||||||
- Disallow unintentional writes to files in world-writable directories unless
|
- Disallow unintentional writes to files in world-writable directories unless
|
||||||
they are owned by the directory owner to mitigate some data spoofing attacks.
|
they are owned by the directory owner to mitigate some data spoofing attacks.
|
||||||
|
|
||||||
- Increase the maximum number of memory map areas a process is able to utilise.
|
- Increase the maximum number of memory map areas a process is able to utilize.
|
||||||
|
|
||||||
- Disable core dump files and prevent their creation. If core dump files are
|
- Disable core dump files and prevent their creation. If core dump files are
|
||||||
enabled, they will be named based on `core.PID` instead of the default `core`.
|
enabled, they will be named based on `core.PID` instead of the default `core`.
|
||||||
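Review bot: the unchanged context line "Disable asynchronous I/O (when using Linux kernel version >= 6.6)" does not say which asynchronous I/O interface is meant or why a 6.6 kernel is required, so a reader cannot verify the setting against their own system. Since this hunk already edits the surrounding bullets for consistency, consider naming the interface and the sysctl or boot parameter involved, as the neighbouring bullets do for `userfaultfd()`, `kexec` and `ptrace()`.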
@ -67,17 +67,17 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6.
|
|||||||
|
|
||||||
- Protect against TCP time-wait assassination hazards.
|
- Protect against TCP time-wait assassination hazards.
|
||||||
|
|
||||||
- Enables reverse path filtering (source validation) of packets received
|
- Enable reverse path filtering (source validation) of packets received
|
||||||
from all interfaces to prevent IP spoofing.
|
from all interfaces to prevent IP spoofing.
|
||||||
|
|
||||||
- Disable ICMP redirect acceptance and redirect sending messages to
|
- Disable ICMP redirect acceptance and redirect sending messages to
|
||||||
prevent man-in-the-middle attacks and minimise information disclosure.
|
prevent man-in-the-middle attacks and minimize information disclosure.
|
||||||
|
|
||||||
- Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks.
|
- Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks.
|
||||||
|
|
||||||
- Ignore bogus ICMP error responses.
|
- Ignore bogus ICMP error responses.
|
||||||
|
|
||||||
- Disable source routing which allows users redirect network traffic that
|
- Disable source routing which allows users to redirect network traffic that
|
||||||
can result in man-in-the-middle attacks.
|
can result in man-in-the-middle attacks.
|
||||||
|
|
||||||
- Do not accept IPv6 router advertisements and solicitations.
|
- Do not accept IPv6 router advertisements and solicitations.
|
||||||
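Review bot: "Disable ICMP redirect acceptance and redirect sending messages" is hard to parse because "redirect sending messages" has the words in the wrong order; suggest "Disable acceptance and sending of ICMP redirect messages to prevent man-in-the-middle attacks and minimize information disclosure." The context line "Ignore ICMP echo requests" would also benefit from a short caveat that the host will stop answering ping, which affects monitoring and troubleshooting.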
@ -85,9 +85,9 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6.
|
|||||||
- Provide the option to disable SACK and DSACK as they have historically been
|
- Provide the option to disable SACK and DSACK as they have historically been
|
||||||
a known vector for exploitation.
|
a known vector for exploitation.
|
||||||
|
|
||||||
- Disable TCP timestamps as it can allow detecting the system time.
|
- Disable TCP timestamps as they can allow detecting the system time.
|
||||||
|
|
||||||
- Provide the option to log of packets with impossible source or destination
|
- Provide the option to log packets with impossible source or destination
|
||||||
addresses to enable further inspection and analysis.
|
addresses to enable further inspection and analysis.
|
||||||
|
|
||||||
- Provide the option to enable IPv6 Privacy Extensions.
|
- Provide the option to enable IPv6 Privacy Extensions.
|
||||||
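Review bot: "Provide the option to disable SACK and DSACK as they have historically been a known vector for exploitation" gives no reference, and because disabling SACK degrades TCP throughput on lossy links the reader needs enough to weigh the trade-off; suggest linking the incidents the sentence alludes to. On the next bullet, "log packets with impossible source or destination addresses" would be clearer with the conventional term "martian packets" in parentheses, since that is the name under which the option is documented.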
@ -109,19 +109,19 @@ Boot parameters relating to kernel hardening, DMA mitigations, and entropy
|
|||||||
generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg`
|
generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg`
|
||||||
configuration file.
|
configuration file.
|
||||||
|
|
||||||
- Disable merging of slabs with similar size which reduces the risk of
|
- Disable merging of slabs with similar size, which reduces the risk of
|
||||||
triggering heap overflows and limits influencing slab cache layout.
|
triggering heap overflows and limits influencing slab cache layout.
|
||||||
|
|
||||||
- Enable memory zeroing at both allocation and free time which mitigate some
|
- Enable memory zeroing at both allocation and free time, which mitigates some
|
||||||
use-after-free vulnerabilities by erasing sensitive information in memory.
|
use-after-free vulnerabilities by erasing sensitive information in memory.
|
||||||
|
|
||||||
- Enable the kernel page allocator to randomise free lists to limit some data
|
- Enable the kernel page allocator to randomize free lists to limit some data
|
||||||
exfiltration and ROP attacks especially during the early boot process.
|
exfiltration and ROP attacks, especially during the early boot process.
|
||||||
|
|
||||||
- Enable kernel page table isolation increase KASLR effectiveness and also
|
- Enable kernel page table isolation to increase KASLR effectiveness and also
|
||||||
mitigate the Meltdown CPU vulnerability.
|
mitigate the Meltdown CPU vulnerability.
|
||||||
|
|
||||||
- Enables randomisation of the kernel stack offset on syscall entries to harden
|
- Enable randomization of the kernel stack offset on syscall entries to harden
|
||||||
against memory corruption attacks.
|
against memory corruption attacks.
|
||||||
|
|
||||||
- Disable vsyscalls as they are vulnerable to ROP attacks and have now been
|
- Disable vsyscalls as they are vulnerable to ROP attacks and have now been
|
||||||
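Review bot: in "Disable merging of slabs with similar size, which reduces the risk of triggering heap overflows and limits influencing slab cache layout", the phrase "limits influencing slab cache layout" has no subject; suggest "limits an attacker's ability to influence slab cache layout". Also, keeping slabs unmerged does not make an overflow less likely to be triggered, it limits what an overflow can reach (objects belonging to other caches), so "reduces the impact of heap overflows" states the benefit more accurately.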
@ -142,10 +142,10 @@ configuration file.
|
|||||||
the busmaster bit on all PCI bridges during the early boot process.
|
the busmaster bit on all PCI bridges during the early boot process.
|
||||||
|
|
||||||
- Do not credit the CPU or bootloader as entropy sources at boot in order to
|
- Do not credit the CPU or bootloader as entropy sources at boot in order to
|
||||||
maximise the absolute quantity of entropy in the combined pool.
|
maximize the absolute quantity of entropy in the combined pool.
|
||||||
|
|
||||||
- Obtain more entropy at boot from RAM as the runtime memory allocator is
|
- Obtain more entropy at boot from RAM as the runtime memory allocator is
|
||||||
being initialised.
|
being initialized.
|
||||||
|
|
||||||
- Provide option to disable the entire IPv6 stack to reduce attack surface.
|
- Provide option to disable the entire IPv6 stack to reduce attack surface.
|
||||||
|
|
||||||
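Review bot: "Do not credit the CPU or bootloader as entropy sources at boot in order to maximize the absolute quantity of entropy in the combined pool" inverts the mechanism: declining to credit a source lowers the pool's counted entropy rather than raising it. The rationale is that these sources cannot be verified and should not on their own count towards the pool being initialized (their input is still mixed in); suggest "Do not credit the CPU or bootloader as entropy sources at boot, so that the pool is not considered initialized on the strength of sources that cannot be verified."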
@ -156,7 +156,7 @@ the `/etc/default/grub.d/41_quiet_boot.cfg` configuration file.
|
|||||||
|
|
||||||
#### Kernel Module Signature Verification
|
#### Kernel Module Signature Verification
|
||||||
|
|
||||||
Not yet due to issues:
|
Not yet implemented due to issues:
|
||||||
|
|
||||||
- https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/64
|
- https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/64
|
||||||
- https://github.com/dell/dkms/issues/359
|
- https://github.com/dell/dkms/issues/359
|
||||||
@ -167,7 +167,7 @@ See:
|
|||||||
|
|
||||||
#### Disables the loading of new modules to the kernel after the fact
|
#### Disables the loading of new modules to the kernel after the fact
|
||||||
|
|
||||||
Not yet due to issues:
|
Not yet implemented due to issues:
|
||||||
|
|
||||||
- https://github.com/Kicksecure/security-misc/pull/152
|
- https://github.com/Kicksecure/security-misc/pull/152
|
||||||
|
|
||||||
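Review bot: the heading "#### Disables the loading of new modules to the kernel after the fact" is the only third-person heading next to noun-phrase headings such as "#### Kernel Module Signature Verification" in the previous hunk; since this hunk is already a wording pass, suggest "#### Disable loading of new kernel modules after boot".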
@ -191,13 +191,13 @@ modules from automatically starting.
|
|||||||
- Framebuffer Drivers: Blacklisted as they are well-known to be buggy, cause
|
- Framebuffer Drivers: Blacklisted as they are well-known to be buggy, cause
|
||||||
kernel panics, and are generally only used by legacy devices.
|
kernel panics, and are generally only used by legacy devices.
|
||||||
|
|
||||||
- Miscellaneous: Blacklist an assortment other modules to prevent them from
|
- Miscellaneous: Blacklist an assortment of other modules to prevent them from
|
||||||
automatically loading.
|
automatically loading.
|
||||||
|
|
||||||
Specific kernel modules are entirely disabled to reduce attack surface via
|
Specific kernel modules are entirely disabled to reduce attack surface via
|
||||||
`/etc/modprobe.d/30_security-misc_disable.conf`. Disabling prohibits kernel
|
`/etc/modprobe.d/30_security-misc_disable.conf`. Disabling prohibits kernel
|
||||||
modules from starting. This approach should not be considered comprehensive,
|
modules from starting. This approach should not be considered comprehensive;
|
||||||
rather it is a form of badness enumeration. Any potential candidates for future
|
rather, it is a form of badness enumeration. Any potential candidates for future
|
||||||
disabling should first be blacklisted for a suitable amount of time.
|
disabling should first be blacklisted for a suitable amount of time.
|
||||||
|
|
||||||
- File Systems: Disable uncommon and legacy file systems.
|
- File Systems: Disable uncommon and legacy file systems.
|
||||||
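Review bot: the context lines describe two mechanisms, blacklisting ("prevent them from automatically loading") and disabling ("prohibits kernel modules from starting"), but the difference is only implied; suggest one sentence stating that a blacklisted module can still be loaded explicitly (by an administrator or as a dependency of another module) whereas a disabled module cannot be loaded at all, since that difference is exactly why "candidates for future disabling should first be blacklisted for a suitable amount of time".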
@ -215,9 +215,9 @@ disabling should first be blacklisted for a suitable amount of time.
|
|||||||
|
|
||||||
- Network File Systems: Disable uncommon and legacy network file systems.
|
- Network File Systems: Disable uncommon and legacy network file systems.
|
||||||
|
|
||||||
- Network Protocols: Wide array of uncommon and legacy network protocols are disabled.
|
- Network Protocols: A wide array of uncommon and legacy network protocols are disabled.
|
||||||
|
|
||||||
- Miscellaneous: Disable an assortment other modules such as those required
|
- Miscellaneous: Disable an assortment of other modules such as those required
|
||||||
for amateur radio, floppy disks, and vivid.
|
for amateur radio, floppy disks, and vivid.
|
||||||
|
|
||||||
- Thunderbolt: Disabled as they are often vulnerable to DMA attacks.
|
- Thunderbolt: Disabled as they are often vulnerable to DMA attacks.
|
||||||
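Review bot: "Thunderbolt: Disabled as they are often vulnerable to DMA attacks" has no plural antecedent for "they"; suggest "Thunderbolt: Disabled as Thunderbolt ports are often vulnerable to DMA attacks". Likewise "Network Protocols: A wide array of uncommon and legacy network protocols are disabled" is the only passive bullet in this list; "Disable a wide array of uncommon and legacy network protocols" matches the neighbouring bullets.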
@ -246,24 +246,24 @@ disabling should first be blacklisted for a suitable amount of time.
|
|||||||
- An initramfs hook sets the sysctl values in `/etc/sysctl.conf` and
|
- An initramfs hook sets the sysctl values in `/etc/sysctl.conf` and
|
||||||
`/etc/sysctl.d` before init is executed so sysctl hardening is enabled as
|
`/etc/sysctl.d` before init is executed so sysctl hardening is enabled as
|
||||||
early as possible. This is implemented for `initramfs-tools` only because
|
early as possible. This is implemented for `initramfs-tools` only because
|
||||||
this is not needed for `dracut` because `dracut` does that by default, at
|
this is not needed for `dracut` as `dracut` does that by default, at
|
||||||
least on `systemd` enabled systems. Not researched for non-`systemd` systems
|
least on `systemd` enabled systems. Not researched for non-`systemd` systems
|
||||||
by the author of this part of the readme.
|
by the author of this part of the readme.
|
||||||
|
|
||||||
## Network hardening
|
## Network hardening
|
||||||
|
|
||||||
Not yet due to issues:
|
Not yet implemented due to issues:
|
||||||
|
|
||||||
- https://github.com/Kicksecure/security-misc/pull/145
|
- https://github.com/Kicksecure/security-misc/pull/145
|
||||||
|
|
||||||
- https://github.com/Kicksecure/security-misc/issues/184
|
- https://github.com/Kicksecure/security-misc/issues/184
|
||||||
|
|
||||||
- Unlike version 4, IPv6 addresses can provide information not only about the
|
- Unlike version 4, IPv6 addresses can provide information not only about the
|
||||||
originating network, but also the originating device. We prevent this from
|
originating network but also the originating device. We prevent this from
|
||||||
happening by enabling the respective privacy extensions for IPv6.
|
happening by enabling the respective privacy extensions for IPv6.
|
||||||
|
|
||||||
- In addition, we deny the capability to track the originating device in the
|
- In addition, we deny the capability to track the originating device in the
|
||||||
network at all, by using randomized MAC addresses per connection per
|
network at all, by using randomized MAC addresses per connection by
|
||||||
default.
|
default.
|
||||||
|
|
||||||
See:
|
See:
|
||||||
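Review bot: under "## Network hardening" the section opens with "Not yet implemented due to issues:" but the bullets below state the measures as done ("We prevent this from happening by enabling ...", "we deny the capability ... by default"); either the bullets should be written as planned behaviour or the not-yet-implemented notice should be scoped to the linked PR and issue. The initramfs sentence still stacks two causal clauses ("only because this is not needed for dracut as dracut does that by default"); suggest "This is implemented for initramfs-tools only; dracut already does this by default, at least on systemd-enabled systems."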
@ -320,7 +320,7 @@ A systemd service is triggered on boot to remount all sensitive partitions and
|
|||||||
directories with significantly more secure hardened mount options. Since this
|
directories with significantly more secure hardened mount options. Since this
|
||||||
would require manual tuning for a given specific system, we handle it by
|
would require manual tuning for a given specific system, we handle it by
|
||||||
creating a very solid configuration file for that very system on package
|
creating a very solid configuration file for that very system on package
|
||||||
install.
|
installation.
|
||||||
|
|
||||||
Not enabled by default yet. In development. Help welcome.
|
Not enabled by default yet. In development. Help welcome.
|
||||||
|
|
||||||
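Review bot: "creating a very solid configuration file for that very system on package installation" tells the reader nothing about what the generated file contains or where it lives, and "very solid" sits oddly next to "Not enabled by default yet. In development." two lines later; suggest replacing the adjective with the path of the generated file and a sentence on how it is derived from the system's mounts.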
@ -342,15 +342,15 @@ Not enabled by default yet. In development. Help welcome.
|
|||||||
- Abort login for users with locked passwords -
|
- Abort login for users with locked passwords -
|
||||||
`/usr/libexec/security-misc/pam-abort-on-locked-password`.
|
`/usr/libexec/security-misc/pam-abort-on-locked-password`.
|
||||||
|
|
||||||
- Logging into the root account from a virtual, serial, whatnot console is
|
- Logging into the root account from a virtual, serial, or other console is
|
||||||
prevented by shipping an existing and empty `/etc/securetty` file (deletion
|
prevented by shipping an existing and empty `/etc/securetty` file (deletion
|
||||||
of `/etc/securetty` has a different effect).
|
of `/etc/securetty` has a different effect).
|
||||||
|
|
||||||
This package does not yet automatically lock the root account password. It is
|
This package does not yet automatically lock the root account password. It is
|
||||||
not clear if this would be sane in such a package although, it is recommended to
|
not clear if this would be sane in such a package, although it is recommended to
|
||||||
lock and expire the root account.
|
lock and expire the root account.
|
||||||
|
|
||||||
In new Kicksecure builds, root account will be locked by package
|
In new Kicksecure builds, the root account will be locked by package
|
||||||
dist-base-files.
|
dist-base-files.
|
||||||
|
|
||||||
See:
|
See:
|
||||||
|
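Review bot: "(deletion of `/etc/securetty` has a different effect)" leaves the reader guessing what that effect is, and someone tidying the filesystem could remove the empty file expecting the same result; suggest stating the effect of a missing file explicitly so the empty-file requirement is understood. The following paragraph's "It is not clear if this would be sane in such a package, although it is recommended to lock and expire the root account" packs two opposite positions into one sentence; splitting it makes clear that the package does not lock root while the project's guidance is to do so.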