Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-01-14 04:59:30 -05:00
Code Issues Packages Projects Releases Wiki Activity

readme

Browse Source
This commit is contained in:
Patrick Schleizer 2023-11-05 14:41:01 -05:00
parent f32b543887
commit 93437952b4
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
1 changed files with 9 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
README.md
View File

@ -206,7 +206,7 @@ this is not needed for `dracut` because `dracut` does that by default, at least
on `systemd` enabled systems. Not researched for non-`systemd` systems by the
author of this part of the readme.
## Network & Bluetooth hardening
## Network hardening
* TCP syncookies are enabled to prevent SYN flood attacks.
@ -228,8 +228,10 @@ vulnerabilities such as CVE-2019-14899.
* In addition, we deny the capability to track the originating device in the network at all, by using randomized MAC addresses per connection per default.
* Bluetooth is left enabled but users are highly discouraged from ever turning it on, due to its history of numerous security vulnurabilities. Unlike the default settings,
we start the system with bluetooth turned off. We also enforce private addresses and strict timeout settings for discoverability and visibility.
## Network & Bluetooth hardening
* Not done yet, pending, see: https://github.com/Kicksecure/security-misc/pull/145
* planned: Bluetooth is left enabled but users are highly discouraged from ever turning it on, due to its history of numerous security vulnerabilities. Unlike the default settings, we start the system with bluetooth turned off. We also enforce private addresses and strict timeout settings for discoverability and visibility.
## Entropy collection improvements
@ -248,25 +250,10 @@ audit, may contain weaknesses or a backdoor. For references, see:
A systemd service is triggered on boot to remount all sensitive partitions and directories with significantly more secure hardened mount options.
Since this would require manual tuning for a given specific system, we handle it by creating a very solid configuration file for that very system on package install.
<!--
Not enabled by default yet. In development. Help welcome.
https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/
`/home`, `/tmp`, `/dev/shm` and `/run` are remounted with the `nosuid` and `nodev`
mount options to prevent execution of setuid or setgid binaries and creation of
devices on those filesystems.
Optionally, they can also be mounted with `noexec` to prevent execution of any
binary. To opt-in to applying `noexec`, execute `touch /etc/noexec` as root
and reboot.
To disable this, execute `touch /etc/remount-disable` as root.
Alternatively, file `/usr/local/etc/remount-disable` or `/usr/local/etc/noexec`
could be used.
-->
## Root access restrictions
* `su` is restricted to only users within the group `sudo` which prevents