Merge pull request #12 from madaidan/patch-8

Update control
2024-10-01 08:25:45 -04:00 · 2019-06-23 19:45:31 +00:00 · 2019-06-23 19:45:31 +00:00 · 90d676ec18
commit 90d676ec18
parent 2a6289980e 1a07d90ed2
1 changed files with 35 additions and 0 deletions
--- a/debian/control
+++ b/debian/control
@ -60,3 +60,38 @@ Description: enhances misc security settings
 .
 Hence, this package disables this feature by shipping the
 /etc/sysctl.d/nf_conntrack_helper.conf configuration file.
+ 
+ Kernel symbols in /proc/kallsyms are hidden to prevent malware from
+ reading them and using them to learn more about what to attack on your system.
+ 
+ Kexec is disabled as it can be used for live patching of the running kernel.
+ 
+ The BPF JIT compiler is restricted to the root user and is hardened.
+ 
+ ASLR effectiveness for mmap is increased.
+ 
+ The ptrace system call is restricted to the root user only.
+ 
+ The TCP/IP stack is hardened.
+ 
+ This package makes some data spoofing attacks harder.
+ 
+ SACK is disabled as it is commonly exploited and is rarely used.
+ 
+ This package disables the merging of slabs of similar sizes to prevent an
+ attacker from exploiting them.
+ 
+ Sanity checks, redzoning, and memory poisoning are enabled.
+ 
+ The kernel now panics on uncorrectable errors in ECC memory which could
+ be exploited.
+ 
+ Kernel Page Table Isolation is enabled to mitigate Meltdown and increase
+ KASLR effectiveness.
+ 
+ SMT is disabled as it can be used to exploit the MDS vulnerability.
+ 
+ All mitigations for the MDS vulnerability are enabled.
+ 
+ DCCP, SCTP, TIPC and RDS are blacklisted as they are rarely used and may have
+ unknown vulnerabilities.