mirror of
https://github.com/Kicksecure/security-misc.git
synced 2025-01-21 00:11:35 -05:00
Merge remote-tracking branch 'github-kicksecure/master'
commit 8abc5ae8f0
@ -47,6 +47,9 @@ space, user space, core dumps, and swap space.

- Randomize the addresses (ASLR) for mmap base, stack, VDSO pages, and heap.

- Provide the option to disable the use of legacy TIOCSTI operation which can be
used to inject keypresses.

- Disable asynchronous I/O as `io_uring` has been the source
of numerous kernel exploits (when using Linux kernel version >= 6.6).

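Review bot: the `io_uring` bullet (last two lines of this hunk) claims more than the change delivers: `io_uring` is one asynchronous I/O interface, and turning it off leaves classic AIO (`io_submit`) and other async paths untouched, so "Disable asynchronous I/O" overstates it; suggest "Disable `io_uring`, which has been the source of numerous kernel exploits". The trailing "(when using Linux kernel version >= 6.6)" also reads as if the exploits only apply from 6.6 onward, whereas it is the switch that needs that kernel; say so, e.g. "(the switch to disable it requires Linux kernel >= 6.6)". Minor: "disable the use of legacy TIOCSTI operation" is missing an article ("the legacy TIOCSTI operation").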
@ -141,6 +144,12 @@ configuration file.

- Provide the option to modify machine check exception handler.

- Provide the option to enable the kernel Electric-Fence sampling-based memory
safety error detector which can identify heap out-of-bounds access, use-after-free,
and invalid-free errors.

- Provide the option to disable 32 bit vDSO mappings.

- Provide the option to use kCFI as the default CFI implementation since it may be
slightly more resilient to attacks that are able to write arbitrary executables
in memory (when using Linux kernel version >= 6.2).
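Review bot: in the kCFI bullet, "attacks that are able to write arbitrary executables in memory" is hard to parse; the threat meant is an attacker who can write to executable memory, so "attacks that are able to write arbitrary executable memory" would be clearer. Two smaller points: the KFENCE bullet refers to the feature only by its "Electric-Fence" nickname while the GRUB comment in this same commit also calls it KFENCE, so "KFENCE (the kernel Electric-Fence sampling-based memory safety error detector)" keeps the README consistent and searchable; "32 bit vDSO" should be hyphenated as "32-bit vDSO", and "modify machine check exception handler" needs an article ("the machine check exception handler").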
@ -18,6 +18,7 @@ kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || tru
## 1. Kernel Space:
##
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#boot-parameters
## https://kspp.github.io/Recommended_Settings#kernel-command-line-options

## Disable merging of slabs with similar size.
## Reduces the risk of triggering heap overflows.
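Review bot: the context line "Reduces the risk of triggering heap overflows." misdescribes what disabling slab merging does: it does not make overflows less likely to occur, it keeps objects of different types in separate caches so that an overflow in one cache cannot be used to corrupt objects of another type, i.e. it makes heap overflows harder to exploit. Suggest "Makes heap overflows harder to exploit by keeping different object types in separate slab caches." This is outside the one-line change in the hunk, but since the reference links directly above it are being touched anyway it is worth fixing in the same pass.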
@ -112,6 +113,23 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX loglevel=0"
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet"

## Enable the kernel "Electric-Fence" sampling-based memory safety error detector.
## KFENCE detects heap out-of-bounds access, use-after-free, and invalid-free errors.
## Aims to have very low processing overhead at each sampling interval
## Sampling interval is set to occur every 100 milliseconds as per KSPP recommendation.
##
## https://www.kernel.org/doc/html/latest/dev-tools/kfence.html
##
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100"

## Disable x86 Virtual Dynamic Shared Object (vDSO) mappings.
##
## https://en.wikipedia.org/wiki/VDSO
##
## The use of 32 bit vDSO mappings is currently enabled.
##
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"

## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation.
## The default implementation is FIneIBT as of Linux kernel 6.2.
## The Intel-developed IBT (Indirect Branch Tracking) is only used if supported by the CPU.
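Review bot: typo in the kCFI block: "FIneIBT" should be "FineIBT". In the vDSO block, the heading "Disable x86 Virtual Dynamic Shared Object (vDSO) mappings." promises more than `vdso32=0` does, which removes only the 32-bit vDSO; suggest "Disable 32-bit x86 vDSO mappings." The line "The use of 32 bit vDSO mappings is currently enabled." is ambiguous as well: it does not say whether this describes the kernel default or why the option is left commented out, so state which (e.g. "Left commented out here because ...") and what enabling it breaks, as the other blocks in this file do. In the KFENCE block, "Aims to have very low processing overhead at each sampling interval" is missing its period, and a note that `kfence.sample_interval` is silently ignored on kernels built without KFENCE would save users from assuming the detector is active.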
@ -135,7 +153,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
## TODO: Debian 13 Trixie
## Applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness).
##
#cfi=kcfi
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX cfi=kcfi"

## Disable support for x86 processes and syscalls.
## Unconditionally disables IA32 emulation to substantially reduce attack surface.
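Review bot: "Disable support for x86 processes and syscalls." reads as if all x86 support were being removed; the next line makes clear it is IA-32 emulation, so the heading should say "Disable support for 32-bit x86 (IA-32) processes and syscalls." Separately, the bare "#cfi=kcfi" line above "#GRUB_CMDLINE_LINUX=..." is not a GRUB setting and, even if uncommented, would be a plain shell assignment that never reaches the kernel; if it is meant as a marker for the option name (the same pattern appears with "#ia32_emulation=0" and "#ipv6.disable=1" in this file), a one-line comment explaining that convention at the top of the file would stop readers from uncommenting the wrong line.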
@ -144,7 +162,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
##
## Applicable when using Linux kernel >= 6.7 (retained here for future-proofing and completeness).
##
#ia32_emulation=0
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0"

## 2. Direct Memory Access:
##
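Review bot: the IA-32 block documents the attack-surface gain but not the breakage: with `ia32_emulation=0` no 32-bit x86 binary can run on the system. The TIOCSTI block in this same commit spells out its cost ("Will break screen readers ..."); this block should do the same, e.g. "Will break all 32-bit applications.", so that whoever uncomments the line knows what they are giving up.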
@ -222,4 +240,4 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy"
##
## Enabling makes redundant many network hardening sysctl's in /usr/lib/sysctl.d/990-security-misc.conf.
##
#ipv6.disable=1
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ipv6.disable=1"
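Review bot: "sysctl's" in "makes redundant many network hardening sysctl's" is a stray apostrophe; the plural is "sysctls". It would also help to say which settings become redundant (presumably the IPv6 ones in /usr/lib/sysctl.d/990-security-misc.conf, given the option is `ipv6.disable=1`), since "many" leaves the reader to work it out by diffing the two files.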
@ -23,6 +23,7 @@
## 1. Kernel Space:
##
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
## https://kspp.github.io/Recommended_Settings#sysctls
## https://wiki.archlinux.org/title/Security#Kernel_hardening

## Restrict kernel address visibility via /proc and other interfaces, regardless of user privileges.
@ -128,6 +129,13 @@ kernel.perf_event_paranoid=3
##
kernel.randomize_va_space=2

## Disable use of the legacy TIOCSTI operation which can be used to inject keypresses.
## Will break screen readers as can no longer push characters into a controlling TTY.
##
## This is disabled by default when using Linux kernel >= 6.2.
##
#dev.tty.legacy_tiocsti=0

## Disable asynchronous I/O for all processes.
## Leading cause of numerous kernel exploits.
## Disabling will reduce the read/write performance of storage devices.

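Review bot: the `io_uring` block is cut off in the visible diff (the sysctl line itself does not appear), but the three comment lines that do appear need work: "Disable asynchronous I/O for all processes." should name `io_uring` specifically, as the README bullet in this commit does, because other async I/O paths are unaffected; "Leading cause of numerous kernel exploits." is a sentence fragment with no subject; and "Disabling will reduce the read/write performance of storage devices." overstates the impact, since only applications that use `io_uring` lose performance, not the devices. In the TIOCSTI block, "This is disabled by default when using Linux kernel >= 6.2." should say whose default: upstream, the initial value of `dev.tty.legacy_tiocsti` follows the kernel build option CONFIG_LEGACY_TIOCSTI, so a distribution kernel can still ship it enabled; cite the source or qualify the claim. Also "Will break screen readers as can no longer push characters..." is missing its subject ("as they can no longer ...").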