This commit is contained in:
Patrick Schleizer 2024-07-17 10:43:16 -04:00
parent 9a387f95e9
commit 821a416fe3
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48


@ -16,10 +16,10 @@ configuration file.
Significant hardening is applied by default to a myriad of components within kernel Significant hardening is applied by default to a myriad of components within kernel
space, user space, core dumps, and swap space. space, user space, core dumps, and swap space.
- Restrict access to kernel addresses through the us of kernel pointers regardless - Restrict access to kernel addresses through the use of kernel pointers regardless
of user privileges. of user privileges.
- Restrict access to the kernel logs to `CAP_SYSLOG` as the often contain - Restrict access to the kernel logs to `CAP_SYSLOG` as they often contain
sensitive information. sensitive information.
- Prevent kernel information leaks in the console during boot. - Prevent kernel information leaks in the console during boot.
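Review bot: the first bullet of this hunk is still ambiguous after the "us" to "use" fix; "Restrict access to kernel addresses through the use of kernel pointers" reads as if kernel pointers are the restriction mechanism rather than the thing being hidden. Suggest "Hide kernel addresses by restricting the printing of kernel pointers, regardless of user privileges."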
@ -28,33 +28,33 @@ space, user space, core dumps, and swap space.
- Restrict loading TTY line disciplines to `CAP_SYS_MODULE`. - Restrict loading TTY line disciplines to `CAP_SYS_MODULE`.
- Restricts the `userfaultfd()` syscall to `CAP_SYS_PTRACE` which reduces the - Restrict the `userfaultfd()` syscall to `CAP_SYS_PTRACE`, which reduces the
likelihood of use-after-free exploits. likelihood of use-after-free exploits.
- Disable `kexec` as it can be used to replace the running kernel. - Disable `kexec` as it can be used to replace the running kernel.
- Entirely disables the SysRq key so that the Secure Attention Key (SAK) - Entirely disable the SysRq key so that the Secure Attention Key (SAK)
can no longer be utilised. See [documentation](https://www.kicksecure.com/wiki/SysRq). can no longer be utilized. See [documentation](https://www.kicksecure.com/wiki/SysRq).
- Provide the option to disable unprivileged user namespaces as they can lead to - Provide the option to disable unprivileged user namespaces as they can lead to
substantial privilege escalation. substantial privilege escalation.
- Restrict kernel profiling and the performance events system to `CAP_PERFMON`. - Restrict kernel profiling and the performance events system to `CAP_PERFMON`.
- Randomise the addresses (ASLR) for mmap base, stack, VDSO pages, and heap. - Randomize the addresses (ASLR) for mmap base, stack, VDSO pages, and heap.
- Disable asynchronous I/O (when using Linux kernel version >= 6.6). - Disable asynchronous I/O (when using Linux kernel version >= 6.6).
- Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it - Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it
enables programs to inspect and modify other active processes. Provide the enables programs to inspect and modify other active processes. Provide the
option to also entirely disable the use of `ptrace()` for all processes. option to entirely disable the use of `ptrace()` for all processes.
- Prevent hardlink and symlink TOCTOU races in world-writable directories. - Prevent hardlink and symlink TOCTOU races in world-writable directories.
- Disallow unintentional writes to files in world-writable directories unless - Disallow unintentional writes to files in world-writable directories unless
they are owned by the directory owner to mitigate some data spoofing attacks. they are owned by the directory owner to mitigate some data spoofing attacks.
- Increase the maximum number of memory map areas a process is able to utilise. - Increase the maximum number of memory map areas a process is able to utilize.
- Disable core dump files and prevent their creation. If core dump files are - Disable core dump files and prevent their creation. If core dump files are
enabled, they will be named based on `core.PID` instead of the default `core`. enabled, they will be named based on `core.PID` instead of the default `core`.
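Review bot: the core dump bullet at the end of this hunk says the same thing twice ("Disable core dump files and prevent their creation"), and the second sentence describes the case where dumps are enabled, which contradicts "disable" unless it is marked as the opt-in case. Suggest "Disable core dumps. If they are re-enabled, dump files are named `core.PID` instead of the default `core`." While converting bullets to imperative mood, the user namespace bullet would also read better with the reason rather than the consequence: unprivileged user namespaces expose additional kernel attack surface to unprivileged users, they do not "lead to" escalation on their own.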
@ -67,17 +67,17 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6.
- Protect against TCP time-wait assassination hazards. - Protect against TCP time-wait assassination hazards.
- Enables reverse path filtering (source validation) of packets received - Enable reverse path filtering (source validation) of packets received
from all interfaces to prevent IP spoofing. from all interfaces to prevent IP spoofing.
- Disable ICMP redirect acceptance and redirect sending messages to - Disable ICMP redirect acceptance and redirect sending messages to
prevent man-in-the-middle attacks and minimise information disclosure. prevent man-in-the-middle attacks and minimize information disclosure.
- Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks. - Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks.
- Ignore bogus ICMP error responses. - Ignore bogus ICMP error responses.
- Disable source routing which allows users redirect network traffic that - Disable source routing which allows users to redirect network traffic that
can result in man-in-the-middle attacks. can result in man-in-the-middle attacks.
- Do not accept IPv6 router advertisements and solicitations. - Do not accept IPv6 router advertisements and solicitations.
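Review bot: "Disable ICMP redirect acceptance and redirect sending messages" (third bullet) is still garbled after this edit; the two things being disabled are accepting ICMP redirects and sending them. Suggest "Disable acceptance and sending of ICMP redirect messages to prevent man-in-the-middle attacks and minimize information disclosure."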
@ -85,9 +85,9 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6.
- Provide the option to disable SACK and DSACK as they have historically been - Provide the option to disable SACK and DSACK as they have historically been
a known vector for exploitation. a known vector for exploitation.
- Disable TCP timestamps as it can allow detecting the system time. - Disable TCP timestamps as they can allow detecting the system time.
- Provide the option to log of packets with impossible source or destination - Provide the option to log packets with impossible source or destination
addresses to enable further inspection and analysis. addresses to enable further inspection and analysis.
- Provide the option to enable IPv6 Privacy Extensions. - Provide the option to enable IPv6 Privacy Extensions.
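Review bot: "Disable TCP timestamps as they can allow detecting the system time" overstates what is leaked; the TCP timestamp clock exposes the host's uptime and clock behaviour, which is useful for fingerprinting and correlating hosts, not the wall-clock time. Suggest "Disable TCP timestamps as they can reveal system uptime and be used for host fingerprinting."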
@ -109,19 +109,19 @@ Boot parameters relating to kernel hardening, DMA mitigations, and entropy
generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg` generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg`
configuration file. configuration file.
- Disable merging of slabs with similar size which reduces the risk of - Disable merging of slabs with similar size, which reduces the risk of
triggering heap overflows and limits influencing slab cache layout. triggering heap overflows and limits influencing slab cache layout.
- Enable memory zeroing at both allocation and free time which mitigate some - Enable memory zeroing at both allocation and free time, which mitigates some
use-after-free vulnerabilities by erasing sensitive information in memory. use-after-free vulnerabilities by erasing sensitive information in memory.
- Enable the kernel page allocator to randomise free lists to limit some data - Enable the kernel page allocator to randomize free lists to limit some data
exfiltration and ROP attacks especially during the early boot process. exfiltration and ROP attacks, especially during the early boot process.
- Enable kernel page table isolation increase KASLR effectiveness and also - Enable kernel page table isolation to increase KASLR effectiveness and also
mitigate the Meltdown CPU vulnerability. mitigate the Meltdown CPU vulnerability.
- Enables randomisation of the kernel stack offset on syscall entries to harden - Enable randomization of the kernel stack offset on syscall entries to harden
against memory corruption attacks. against memory corruption attacks.
- Disable vsyscalls as they are vulnerable to ROP attacks and have now been - Disable vsyscalls as they are vulnerable to ROP attacks and have now been
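Review bot: the memory-zeroing bullet attributes the whole benefit to use-after-free; zeroing at allocation time mainly prevents uninitialized-memory information leaks, while zeroing at free time is what removes stale data a use-after-free could read. Suggest splitting the justification: "Zero memory at allocation time to prevent uninitialized-memory information leaks, and at free time to erase stale data that use-after-free bugs could expose."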
@ -142,10 +142,10 @@ configuration file.
the busmaster bit on all PCI bridges during the early boot process. the busmaster bit on all PCI bridges during the early boot process.
- Do not credit the CPU or bootloader as entropy sources at boot in order to - Do not credit the CPU or bootloader as entropy sources at boot in order to
maximise the absolute quantity of entropy in the combined pool. maximize the absolute quantity of entropy in the combined pool.
- Obtain more entropy at boot from RAM as the runtime memory allocator is - Obtain more entropy at boot from RAM as the runtime memory allocator is
being initialised. being initialized.
- Provide option to disable the entire IPv6 stack to reduce attack surface. - Provide option to disable the entire IPv6 stack to reduce attack surface.
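Review bot: the entropy bullet's reasoning is inverted; declining to credit the CPU and bootloader as entropy sources lowers the amount of entropy the kernel counts, it does not "maximize" it. The motivation is not trusting those sources' claimed contribution when deciding whether the pool is initialized (their input is still mixed in). Suggest "Do not credit the CPU or bootloader as entropy sources at boot, so that untrusted sources cannot on their own mark the pool as initialized." Minor: "Provide option" should be "Provide the option" to match the other bullets.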
@ -156,7 +156,7 @@ the `/etc/default/grub.d/41_quiet_boot.cfg` configuration file.
#### Kernel Module Signature Verification #### Kernel Module Signature Verification
Not yet due to issues: Not yet implemented due to issues:
- https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/64 - https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/64
- https://github.com/dell/dkms/issues/359 - https://github.com/dell/dkms/issues/359
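Review bot: "Not yet implemented due to issues:" followed by bare links makes the reader click through to learn why; a one-line summary after each link of what that issue blocks would keep the README self-contained.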
@ -167,7 +167,7 @@ See:
#### Disables the loading of new modules to the kernel after the fact #### Disables the loading of new modules to the kernel after the fact
Not yet due to issues: Not yet implemented due to issues:
- https://github.com/Kicksecure/security-misc/pull/152 - https://github.com/Kicksecure/security-misc/pull/152
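Review bot: the heading "#### Disables the loading of new modules to the kernel after the fact" is left in third person while this commit converts the bullets to imperative mood ("Restrict", "Disable"), and "after the fact" is vague. Suggest "#### Disable loading of new kernel modules after boot".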
@ -191,13 +191,13 @@ modules from automatically starting.
- Framebuffer Drivers: Blacklisted as they are well-known to be buggy, cause - Framebuffer Drivers: Blacklisted as they are well-known to be buggy, cause
kernel panics, and are generally only used by legacy devices. kernel panics, and are generally only used by legacy devices.
- Miscellaneous: Blacklist an assortment other modules to prevent them from - Miscellaneous: Blacklist an assortment of other modules to prevent them from
automatically loading. automatically loading.
Specific kernel modules are entirely disabled to reduce attack surface via Specific kernel modules are entirely disabled to reduce attack surface via
`/etc/modprobe.d/30_security-misc_disable.conf`. Disabling prohibits kernel `/etc/modprobe.d/30_security-misc_disable.conf`. Disabling prohibits kernel
modules from starting. This approach should not be considered comprehensive, modules from starting. This approach should not be considered comprehensive;
rather it is a form of badness enumeration. Any potential candidates for future rather, it is a form of badness enumeration. Any potential candidates for future
disabling should first be blacklisted for a suitable amount of time. disabling should first be blacklisted for a suitable amount of time.
- File Systems: Disable uncommon and legacy file systems. - File Systems: Disable uncommon and legacy file systems.
@ -215,9 +215,9 @@ disabling should first be blacklisted for a suitable amount of time.
- Network File Systems: Disable uncommon and legacy network file systems. - Network File Systems: Disable uncommon and legacy network file systems.
- Network Protocols: Wide array of uncommon and legacy network protocols are disabled. - Network Protocols: A wide array of uncommon and legacy network protocols are disabled.
- Miscellaneous: Disable an assortment other modules such as those required - Miscellaneous: Disable an assortment of other modules such as those required
for amateur radio, floppy disks, and vivid. for amateur radio, floppy disks, and vivid.
- Thunderbolt: Disabled as they are often vulnerable to DMA attacks. - Thunderbolt: Disabled as they are often vulnerable to DMA attacks.
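Review bot: the module list mixes voices ("Framebuffer Drivers: Blacklisted as...", "Miscellaneous: Blacklist an assortment...", "File Systems: Disable...", "Thunderbolt: Disabled as they are..."); pick one form per list. "they" in the Thunderbolt bullet also has no plural antecedent. Suggest "Thunderbolt: Disable as it is a well-known vector for DMA attacks." and "Framebuffer Drivers: Blacklist as they are well-known to be buggy, ...".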
@ -246,24 +246,24 @@ disabling should first be blacklisted for a suitable amount of time.
- An initramfs hook sets the sysctl values in `/etc/sysctl.conf` and - An initramfs hook sets the sysctl values in `/etc/sysctl.conf` and
`/etc/sysctl.d` before init is executed so sysctl hardening is enabled as `/etc/sysctl.d` before init is executed so sysctl hardening is enabled as
early as possible. This is implemented for `initramfs-tools` only because early as possible. This is implemented for `initramfs-tools` only because
this is not needed for `dracut` because `dracut` does that by default, at this is not needed for `dracut` as `dracut` does that by default, at
least on `systemd` enabled systems. Not researched for non-`systemd` systems least on `systemd` enabled systems. Not researched for non-`systemd` systems
by the author of this part of the readme. by the author of this part of the readme.
## Network hardening ## Network hardening
Not yet due to issues: Not yet implemented due to issues:
- https://github.com/Kicksecure/security-misc/pull/145 - https://github.com/Kicksecure/security-misc/pull/145
- https://github.com/Kicksecure/security-misc/issues/184 - https://github.com/Kicksecure/security-misc/issues/184
- Unlike version 4, IPv6 addresses can provide information not only about the - Unlike version 4, IPv6 addresses can provide information not only about the
originating network, but also the originating device. We prevent this from originating network but also the originating device. We prevent this from
happening by enabling the respective privacy extensions for IPv6. happening by enabling the respective privacy extensions for IPv6.
- In addition, we deny the capability to track the originating device in the - In addition, we deny the capability to track the originating device in the
network at all, by using randomized MAC addresses per connection per network at all, by using randomized MAC addresses per connection by
default. default.
See: See:
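Review bot: the Network hardening section is marked "Not yet implemented due to issues" but the two bullets beneath it describe current behaviour ("We prevent this from happening", "we deny the capability ... by default"), which will lead readers to believe IPv6 privacy extensions and per-connection MAC randomization are already active. Suggest "This would be prevented by enabling ..." and "the plan is to use randomized MAC addresses per connection by default", or put the bullets under an explicit "Planned:" line. "in the network at all" in the second bullet can be dropped.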
@ -320,7 +320,7 @@ A systemd service is triggered on boot to remount all sensitive partitions and
directories with significantly more secure hardened mount options. Since this directories with significantly more secure hardened mount options. Since this
would require manual tuning for a given specific system, we handle it by would require manual tuning for a given specific system, we handle it by
creating a very solid configuration file for that very system on package creating a very solid configuration file for that very system on package
install. installation.
Not enabled by default yet. In development. Help welcome. Not enabled by default yet. In development. Help welcome.
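Review bot: "creating a very solid configuration file for that very system on package installation" is vague; say what is generated. Suggest "generating a system-specific configuration file at package installation time". Since the next line says the feature is not enabled by default, "we handle it by" should also become "the plan is to handle it by".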
@ -342,15 +342,15 @@ Not enabled by default yet. In development. Help welcome.
- Abort login for users with locked passwords - - Abort login for users with locked passwords -
`/usr/libexec/security-misc/pam-abort-on-locked-password`. `/usr/libexec/security-misc/pam-abort-on-locked-password`.
- Logging into the root account from a virtual, serial, whatnot console is - Logging into the root account from a virtual, serial, or other console is
prevented by shipping an existing and empty `/etc/securetty` file (deletion prevented by shipping an existing and empty `/etc/securetty` file (deletion
of `/etc/securetty` has a different effect). of `/etc/securetty` has a different effect).
This package does not yet automatically lock the root account password. It is This package does not yet automatically lock the root account password. It is
not clear if this would be sane in such a package although, it is recommended to not clear if this would be sane in such a package, although it is recommended to
lock and expire the root account. lock and expire the root account.
In new Kicksecure builds, root account will be locked by package In new Kicksecure builds, the root account will be locked by package
dist-base-files. dist-base-files.
See: See:
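Review bot: "(deletion of `/etc/securetty` has a different effect)" leaves the reader guessing what that effect is, and it matters: an admin tidying up could remove the file thinking it is equivalent. As I recall, pam_securetty treats a missing file as permissive and allows root on any tty, whereas an empty file denies root everywhere; please confirm against the PAM module in use and state it, e.g. "by shipping an empty `/etc/securetty` file; do not delete it, since a missing file is treated as allow-all."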