From 18ed77ecc93e9ee759a4990a32edb3dd671b8c26 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 21 Aug 2024 12:50:14 +1000 Subject: [PATCH 1/3] Refactor modprobe.d to minimise potential future merge conflicts --- README.md | 35 ++-- .../30_security-misc_blacklist.conf | 4 +- etc/modprobe.d/30_security-misc_disable.conf | 162 ++++++++++-------- 3 files changed, 113 insertions(+), 88 deletions(-) diff --git a/README.md b/README.md index da9254a..4742384 100644 --- a/README.md +++ b/README.md @@ -223,17 +223,12 @@ modules from starting. This approach should not be considered comprehensive; rather, it is a form of badness enumeration. Any potential candidates for future disabling should first be blacklisted for a suitable amount of time. +Hardware modules: + - Optional - Bluetooth: Disabled to reduce attack surface. -- Optional - CPU MSRs: Disabled as can be abused to write to arbitrary memory. - -- File Systems: Disable uncommon and legacy file systems. - - FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks. -- Framebuffer (fbdev): Disabled as drivers are well-known to be buggy, cause - kernel panics, and are generally only used by legacy devices. - - GPS: Disable GPS-related modules such as those required for Global Navigation Satellite Systems (GNSS). 
@@ -244,20 +239,38 @@ disabling should first be blacklisted for a suitable amount of time. - Intel Platform Monitoring Technology (PMT) Telemetry: Disable some functionality of the Intel PMT components. +- Thunderbolt: Disabled as they are often vulnerable to DMA attacks. + +File system modules: + +- File Systems: Disable uncommon and legacy file systems. + - Network File Systems: Disable uncommon and legacy network file systems. +Networking modules: + - Network Protocols: A wide array of uncommon and legacy network protocols and drivers are disabled. -- Miscellaneous: Disable an assortment of other modules such as those required - for amateur radio, floppy disks, and vivid. Also disable legacy drivers that - have been entirely replaced by newer drivers. +Miscellaneous modules: -- Thunderbolt: Disabled as they are often vulnerable to DMA attacks. +- Amateur Radios: Disabled to reduce attack surface. + +- Optional - CPU MSRs: Disabled as can be abused to write to arbitrary memory. + +- Floppy Disks: Disabled to reduce attack surface. + +- Framebuffer (fbdev): Disabled as these drivers are well-known to be buggy, cause + kernel panics, and are generally only used by legacy devices. + +- Replaced Modules: Disabled legacy drivers that have been entirely replaced and + superseded by newer drivers. - Optional - USB Video Device Class: Disables the USB-based video streaming driver for devices like some webcams and digital camcorders. +- Vivid: Disabled to reduce attack surface given previous vulnerabilities. + ### Other - A systemd service clears the System.map file on boot as these contain kernel diff --git a/etc/modprobe.d/30_security-misc_blacklist.conf b/etc/modprobe.d/30_security-misc_blacklist.conf index 34e1124..8386800 100644 --- a/etc/modprobe.d/30_security-misc_blacklist.conf +++ b/etc/modprobe.d/30_security-misc_blacklist.conf 
@@ -22,7 +22,7 @@ blacklist sr_mod #install sr_mod /usr/bin/disabled-cdrom-by-security-misc ## Miscellaneous: -## + ## GrapheneOS: ## Partial selection of their infrastructure blacklist. ## Duplicate and already disabled modules have been omitted. @@ -39,7 +39,7 @@ blacklist snd_intel8x0 #blacklist tls #blacklist virtio_balloon #blacklist virtio_console -## + ## Ubuntu: ## Already disabled modules have been omitted. ## diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf index 3a72b0e..3df5a51 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf +++ b/etc/modprobe.d/30_security-misc_disable.conf @@ -8,6 +8,14 @@ ## Blacklisting prevents kernel modules from automatically starting. ## Disabling prohibits kernel modules from starting. +## This configuration file is split into 4 sections: +## 1. Hardware +## 2. File Systems +## 3. Networking +## 4. Miscellaneous + +## 1. Hardware: + ## Bluetooth: ## Disable Bluetooth to reduce attack surface due to extended history of security vulnerabilities. ## 
@@ -34,27 +42,6 @@ #install btusb /usr/bin/disabled-bluetooth-by-security-misc #install virtio_bt /usr/bin/disabled-bluetooth-by-security-misc -## CPU Model-Specific Registers (MSRs): -## Disable CPU MSRs as they can be abused to write to arbitrary memory. -## -## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode -## https://github.com/Kicksecure/security-misc/issues/215 -## -#install msr /usr/bin/disabled-miscellaneous-by-security-misc - -## File Systems: -## Disable uncommon file systems to reduce attack surface. -## HFS/HFS+ are legacy Apple file systems that may be required depending on the EFI partition format. -## -install cramfs /usr/bin/disabled-filesys-by-security-misc -install freevxfs /usr/bin/disabled-filesys-by-security-misc -install hfs /usr/bin/disabled-filesys-by-security-misc -install hfsplus /usr/bin/disabled-filesys-by-security-misc -install jffs2 /usr/bin/disabled-filesys-by-security-misc -install jfs /usr/bin/disabled-filesys-by-security-misc -install reiserfs /usr/bin/disabled-filesys-by-security-misc -install udf /usr/bin/disabled-filesys-by-security-misc - ## FireWire (IEEE 1394): ## Disable IEEE 1394 (FireWire/i.LINK/Lynx) modules to prevent some DMA attacks. ## 
@@ -70,43 +57,6 @@ install raw1394 /usr/bin/disabled-firewire-by-security-misc install sbp2 /usr/bin/disabled-firewire-by-security-misc install video1394 /usr/bin/disabled-firewire-by-security-misc -## Framebuffer (fbdev): -## Video drivers are known to be buggy, cause kernel panics, and are generally only used by legacy devices. -## These were all previously blacklisted. -## -## https://docs.kernel.org/fb/index.html -## https://en.wikipedia.org/wiki/Linux_framebuffer -## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco -## -install aty128fb /usr/bin/disabled-framebuffer-by-security-misc -install atyfb /usr/bin/disabled-framebuffer-by-security-misc -install cirrusfb /usr/bin/disabled-framebuffer-by-security-misc -install cyber2000fb /usr/bin/disabled-framebuffer-by-security-misc -install cyblafb /usr/bin/disabled-framebuffer-by-security-misc -install gx1fb /usr/bin/disabled-framebuffer-by-security-misc -install hgafb /usr/bin/disabled-framebuffer-by-security-misc -install i810fb /usr/bin/disabled-framebuffer-by-security-misc -install intelfb /usr/bin/disabled-framebuffer-by-security-misc -install kyrofb /usr/bin/disabled-framebuffer-by-security-misc -install lxfb /usr/bin/disabled-framebuffer-by-security-misc -install matroxfb_bases /usr/bin/disabled-framebuffer-by-security-misc -install neofb /usr/bin/disabled-framebuffer-by-security-misc -install nvidiafb /usr/bin/disabled-framebuffer-by-security-misc -install pm2fb /usr/bin/disabled-framebuffer-by-security-misc -install radeonfb /usr/bin/disabled-framebuffer-by-security-misc -install rivafb /usr/bin/disabled-framebuffer-by-security-misc -install s1d13xxxfb /usr/bin/disabled-framebuffer-by-security-misc -install savagefb /usr/bin/disabled-framebuffer-by-security-misc -install sisfb /usr/bin/disabled-framebuffer-by-security-misc -install sstfb /usr/bin/disabled-framebuffer-by-security-misc -install tdfxfb /usr/bin/disabled-framebuffer-by-security-misc 
-install tridentfb /usr/bin/disabled-framebuffer-by-security-misc -install vesafb /usr/bin/disabled-framebuffer-by-security-misc -install vfb /usr/bin/disabled-framebuffer-by-security-misc -install viafb /usr/bin/disabled-framebuffer-by-security-misc -install vt8623fb /usr/bin/disabled-framebuffer-by-security-misc -install udlfb /usr/bin/disabled-framebuffer-by-security-misc - ## Global Positioning Systems (GPS): ## Disable GPS-related modules like GNSS (Global Navigation Satellite System). ## @@ -152,6 +102,30 @@ install pmt_class /usr/bin/disabled-intelpmt-by-security-misc install pmt_crashlog /usr/bin/disabled-intelpmt-by-security-misc install pmt_telemetry /usr/bin/disabled-intelpmt-by-security-misc +## Thunderbolt: +## Disables Thunderbolt modules to prevent some DMA attacks. +## +## https://en.wikipedia.org/wiki/Thunderbolt_(interface)#Security_vulnerabilities +## +install intel-wmi-thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc +install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc +install thunderbolt_net /usr/bin/disabled-thunderbolt-by-security-misc + +## 2. File Systems: + +## File Systems: +## Disable uncommon file systems to reduce attack surface. +## HFS/HFS+ are legacy Apple file systems that may be required depending on the EFI partition format. +## +install cramfs /usr/bin/disabled-filesys-by-security-misc +install freevxfs /usr/bin/disabled-filesys-by-security-misc +install hfs /usr/bin/disabled-filesys-by-security-misc +install hfsplus /usr/bin/disabled-filesys-by-security-misc +install jffs2 /usr/bin/disabled-filesys-by-security-misc +install jfs /usr/bin/disabled-filesys-by-security-misc +install reiserfs /usr/bin/disabled-filesys-by-security-misc +install udf /usr/bin/disabled-filesys-by-security-misc + ## Network File Systems: ## Disable uncommon network file systems to reduce attack surface. ## 
@@ -175,6 +149,8 @@ install nfsv2 /usr/bin/disabled-netfilesys-by-security-misc install nfsv3 /usr/bin/disabled-netfilesys-by-security-misc install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc +## 2. Networking: + ## Network Protocols: ## Disables rare and unneeded network protocols that are a common source of unknown vulnerabilities. ## Previously had blacklisted eepro100 and eth1394. 
@@ -249,17 +225,62 @@ install rds_tcp /usr/bin/disabled-network-by-security-misc install sctp /usr/bin/disabled-network-by-security-misc install sctp_diag /usr/bin/disabled-network-by-security-misc -## Miscellaneous: -## +## 4. Miscellaneous: + ## Amateur Radios: ## install hamradio /usr/bin/disabled-miscellaneous-by-security-misc + +## CPU Model-Specific Registers (MSRs): +## Disable CPU MSRs as they can be abused to write to arbitrary memory. ## +## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode +## https://github.com/Kicksecure/security-misc/issues/215 +## +#install msr /usr/bin/disabled-miscellaneous-by-security-misc + ## Floppy Disks: ## install floppy /usr/bin/disabled-miscellaneous-by-security-misc + +## Framebuffer (fbdev): +## Video drivers are known to be buggy, cause kernel panics, and are generally only used by legacy devices. +## These were all previously blacklisted. ## -## Replaced: +## https://docs.kernel.org/fb/index.html +## https://en.wikipedia.org/wiki/Linux_framebuffer +## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco +## +install aty128fb /usr/bin/disabled-framebuffer-by-security-misc +install atyfb /usr/bin/disabled-framebuffer-by-security-misc +install cirrusfb /usr/bin/disabled-framebuffer-by-security-misc +install cyber2000fb /usr/bin/disabled-framebuffer-by-security-misc +install cyblafb /usr/bin/disabled-framebuffer-by-security-misc +install gx1fb /usr/bin/disabled-framebuffer-by-security-misc +install hgafb /usr/bin/disabled-framebuffer-by-security-misc +install i810fb /usr/bin/disabled-framebuffer-by-security-misc +install intelfb /usr/bin/disabled-framebuffer-by-security-misc +install kyrofb /usr/bin/disabled-framebuffer-by-security-misc +install lxfb /usr/bin/disabled-framebuffer-by-security-misc +install matroxfb_bases /usr/bin/disabled-framebuffer-by-security-misc +install neofb 
/usr/bin/disabled-framebuffer-by-security-misc +install nvidiafb /usr/bin/disabled-framebuffer-by-security-misc +install pm2fb /usr/bin/disabled-framebuffer-by-security-misc +install radeonfb /usr/bin/disabled-framebuffer-by-security-misc +install rivafb /usr/bin/disabled-framebuffer-by-security-misc +install s1d13xxxfb /usr/bin/disabled-framebuffer-by-security-misc +install savagefb /usr/bin/disabled-framebuffer-by-security-misc +install sisfb /usr/bin/disabled-framebuffer-by-security-misc +install sstfb /usr/bin/disabled-framebuffer-by-security-misc +install tdfxfb /usr/bin/disabled-framebuffer-by-security-misc +install tridentfb /usr/bin/disabled-framebuffer-by-security-misc +install vesafb /usr/bin/disabled-framebuffer-by-security-misc +install vfb /usr/bin/disabled-framebuffer-by-security-misc +install viafb /usr/bin/disabled-framebuffer-by-security-misc +install vt8623fb /usr/bin/disabled-framebuffer-by-security-misc +install udlfb /usr/bin/disabled-framebuffer-by-security-misc + +## Replaced Modules: ## These legacy drivers have all been entirely replaced and superseded by newer drivers. ## These were all previously blacklisted. ## @@ -269,7 +290,12 @@ install asus_acpi /usr/bin/disabled-miscellaneous-by-security-misc install bcm43xx /usr/bin/disabled-miscellaneous-by-security-misc install de4x5 /usr/bin/disabled-miscellaneous-by-security-misc install prism54 /usr/bin/disabled-miscellaneous-by-security-misc + +## USB Video Device Class: +## Disables the USB-based video streaming driver for devices like some webcams and digital camcorders. ## +#install uvcvideo /usr/bin/disabled-miscellaneous-by-security-misc + ## Vivid: ## Disables the vivid kernel module since it has been the cause of multiple vulnerabilities. ## 
@@ -278,17 +304,3 @@ install prism54 /usr/bin/disabled-miscellaneous-by-security-misc ## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475 ## install vivid /usr/bin/disabled-miscellaneous-by-security-misc - -## Thunderbolt: -## Disables Thunderbolt modules to prevent some DMA attacks. -## -## https://en.wikipedia.org/wiki/Thunderbolt_(interface)#Security_vulnerabilities -## -install intel-wmi-thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc -install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc -install thunderbolt_net /usr/bin/disabled-thunderbolt-by-security-misc - -## USB Video Device Class: -## Disables the USB-based video streaming driver for devices like some webcams and digital camcorders. -## -#install uvcvideo /usr/bin/disabled-miscellaneous-by-security-misc From b87a18d4050bbf2add5cc4920684876a440e65bb Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 21 Aug 2024 12:51:51 +1000 Subject: [PATCH 2/3] README.md: Organise `sysctl`s --- README.md | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index 4742384..b33ae5f 100644 --- a/README.md +++ b/README.md @@ -11,10 +11,9 @@ implements all recommended Linux kernel settings by the KSPP and many more. ### sysctl sysctl settings are configured via the `/usr/lib/sysctl.d/990-security-misc.conf` -configuration file. +configuration file and significant hardening is applied to a myriad of components. -Significant hardening is applied by default to a myriad of components within kernel -space, user space, core dumps, and swap space. +Kernel space: - Restrict access to kernel addresses through the use of kernel pointers regardless of user privileges. 
@@ -50,6 +49,8 @@ space, user space, core dumps, and swap space. - Disable asynchronous I/O (when using Linux kernel >= 6.6) as `io_uring` has been the source of numerous kernel exploits. +User space: + - Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it enables programs to inspect and modify other active processes. Optional - Disable usage of `ptrace()` by all processes. @@ -68,12 +69,14 @@ space, user space, core dumps, and swap space. - Disallow registering interpreters for various (miscellaneous) binary formats based on a magic number or their file extension to prevent unintended code execution. +Core dumps: + - Disable core dump files and prevent their creation. If core dump files are enabled, they will be named based on `core.PID` instead of the default `core`. - Limit the copying of potentially sensitive content in memory to the swap device. -Various networking components of the TCP/IP stack are hardened for IPv4/6. +Networking: - Enable TCP SYN cookie protection to assist against SYN flood attacks. @@ -104,13 +107,6 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6. - Optional - Enable IPv6 Privacy Extensions. -### mmap ASLR - -- The bits of entropy used for mmap ASLR are maxed out via - `/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of - `CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX` - that the kernel was built with), therefore improving its effectiveness. - ### Boot parameters Mitigations for known CPU vulnerabilities are enabled in their strictest form 
@@ -178,6 +174,13 @@ configuration file. - Optional - Disable the entire IPv6 stack to reduce attack surface. +### mmap ASLR + +- The bits of entropy used for mmap ASLR are maxed out via + `/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of + `CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX` + that the kernel was built with), therefore improving its effectiveness. + ### Kernel Modules #### Kernel Module Signature Verification From 342caf82b20acc2931563449fafe9a98cbedaba2 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 21 Aug 2024 12:52:48 +1000 Subject: [PATCH 3/3] README.md: Organise kernel boot parameters --- README.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/README.md b/README.md index b33ae5f..65b188c 100644 --- a/README.md +++ b/README.md @@ -117,6 +117,8 @@ Boot parameters relating to kernel hardening, DMA mitigations, and entropy generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg` configuration file. +Kernel space: + - Disable merging of slabs with similar size, which reduces the risk of triggering heap overflows and limits influencing slab cache layout. 
@@ -160,18 +162,24 @@ configuration file. - Optional - Disable support for all x86 processes and syscalls (when using Linux kernel >= 6.7) to reduce attack surface. +Direct memory access: + - Enable strict IOMMU translation to protect against some DMA attacks via the use of both CPU manufacturer-specific drivers and kernel settings. - Clear the busmaster bit on all PCI bridges during the EFI hand-off, which disables DMA before the IOMMU is configured. May cause boot failure on certain hardware. +Entropy: + - Do not credit the CPU or bootloader as entropy sources at boot in order to maximize the absolute quantity of entropy in the combined pool. - Obtain more entropy at boot from RAM as the runtime memory allocator is being initialized. +Networking: + - Optional - Disable the entire IPv6 stack to reduce attack surface. ### mmap ASLR
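Review bot: In patch 1, hunk `@@ -175,6 +149,8 @@` of `etc/modprobe.d/30_security-misc_disable.conf`, the new heading `+## 2. Networking:` reuses the number already given to File Systems; the index added at the top of the file (`## 3. Networking`) and the following `## 4. Miscellaneous:` heading both expect `## 3. Networking:`. Please fix the number so the section headings match the index.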
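Review bot: In patch 1, hunk `@@ -152,6 +102,30 @@` of the same file, the section heading `+## 2. File Systems:` is immediately followed by the subsection heading `+## File Systems:`, so the same title appears twice in a row with no visual distinction between section and subsection. Consider either dropping the duplicated subsection title or separating the two levels (for example a blank `##` line or a different prefix for section headings) so a reader skimming the file can tell which is which.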
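Review bot: In patch 2, hunk `@@ -68,12 +69,14 @@` of `README.md`, the swap item (`- Limit the copying of potentially sensitive content in memory to the swap device.`) now sits under the new `+Core dumps:` heading, although the sentence being removed (`-space, user space, core dumps, and swap space.`) listed swap space as its own area. Suggest `Core dumps and swap space:` or a separate `Swap space:` heading. The same hunk replaces `-Various networking components of the TCP/IP stack are hardened for IPv4/6.` with a bare `+Networking:`, which drops the IPv4/IPv6 scope; `Networking (IPv4/IPv6):` would keep that information.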
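Review bot: In patch 2, hunk `@@ -11,10 +11,9 @@` of `README.md`, the rewritten sentence `+configuration file and significant hardening is applied to a myriad of components.` runs two statements together and loses the "by default" qualifier from the removed line `-Significant hardening is applied by default to a myriad of components within kernel`. Suggest keeping it as two sentences: `configuration file. Significant hardening is applied by default to a myriad of components.`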
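Review bot: In patch 3, hunk `@@ -117,6 +117,8 @@` of `README.md` (and likewise the `Hardware modules:`, `Kernel space:`, `User space:` and similar lines added across patches 1 and 2), the new group titles are plain-text lines followed by a colon rather than markdown headings, while the rest of the README already uses `###`/`####` levels (for example `#### Kernel Module Signature Verification`). Using `####` for these groups would render them as real subsections and keep them consistent with the existing structure.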