Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-01-15 15:27:08 -05:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #33 from madaidan/documentation

Browse Source 
Improve documentation
This commit is contained in:
Patrick Schleizer 2019-10-17 06:19:46 +00:00 committed by GitHub
commit 994ca024c2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 27 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
debian/control vendored
View File

@ -32,33 +32,36 @@ Description: enhances misc security settings
the kernel. (!) Hence, this package disables this feature by shipping the the kernel. (!) Hence, this package disables this feature by shipping the
/etc/modprobe.d/30_nf_conntrack_helper_disable.conf configuration file. /etc/modprobe.d/30_nf_conntrack_helper_disable.conf configuration file.
. .
* Kernel symbols in /proc/kallsyms are hidden to prevent malware from * Kernel symbols in various files in /proc are hidden as they can be
reading them and using them to learn more about what to attack on your system. very useful for kernel exploits.
. .
* Kexec is disabled as it can be used to load a malicious kernel. * Kexec is disabled as it can be used to load a malicious kernel.
/etc/sysctl.d/kexec.conf /etc/sysctl.d/kexec.conf
. .
* ASLR effectiveness for mmap is increased. * ASLR effectiveness for mmap is increased.
. .
* The TCP/IP stack is hardened. * The TCP/IP stack is hardened by disabling ICMP redirect acceptance,
ICMP redirect sending and source routing to prevent man-in-the-middle attacks,
ignoring all ICMP requests, enabling TCP syncookies to prevent SYN flood attacks
and enabling RFC1337 to protect against time-wait assassination attacks.
. .
* This package makes some data spoofing attacks harder. * Some data spoofing attacks are made harder.
. .
* SACK can be disabled as it is commonly exploited and is rarely used by * SACK can be disabled as it is commonly exploited and is rarely used by
commenting in settings in file /etc/sysctl.d/tcp_sack.conf. uncommenting settings in file /etc/sysctl.d/tcp_sack.conf.
. .
* This package disables the merging of slabs of similar sizes to prevent an * Slab merging is disabled as sometimes a slab can be used in a vulnerable
attacker from exploiting them. way which an attacker can exploit.
. .
* Sanity checks, redzoning, and memory poisoning are enabled. * Sanity checks, redzoning, and memory poisoning are enabled.
. .
* The kernel now panics on uncorrectable errors in ECC memory which could * Machine checks (MCE) are disabled which makes the kernel panic
be exploited. on uncorrectable errors in ECC memory that could be exploited.
. .
* Kernel Page Table Isolation is enabled to mitigate Meltdown and increase * Kernel Page Table Isolation is enabled to mitigate Meltdown and increase
KASLR effectiveness. KASLR effectiveness.
. .
* SMT is disabled as it can be used to exploit the MDS vulnerability. * SMT is disabled as it can be used to exploit the MDS and other vulnerabilities.
. .
* All mitigations for the MDS vulnerability are enabled. * All mitigations for the MDS vulnerability are enabled.
. .
@ -74,8 +77,8 @@ Description: enhances misc security settings
/etc/sysctl.d/coredumps.conf /etc/sysctl.d/coredumps.conf
/lib/systemd/coredump.conf.d/disable-coredumps.conf /lib/systemd/coredump.conf.d/disable-coredumps.conf
. .
* The thunderbolt and firewire modules are blacklisted as they can be used * The thunderbolt and firewire kernel modules are blacklisted as they can be
for DMA (Direct Memory Access) attacks. used for DMA (Direct Memory Access) attacks.
. .
* IOMMU is enabled with a boot parameter to prevent DMA attacks. * IOMMU is enabled with a boot parameter to prevent DMA attacks.
. .

5
etc/modprobe.d/blacklist-bluetooth.conf
View File

@ -1,3 +1,6 @@
# Blacklists bluetooth. # Blacklists bluetooth to reduce attack surface.
# Bluetooth also has a history of security vulnerabilities:
#
# https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
install bluetooth /bin/false install bluetooth /bin/false
install btusb /bin/false install btusb /bin/false

5
etc/sysctl.d/kptr_restrict.conf
View File

@ -1,5 +1,8 @@
## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net> ## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions. ## See the file COPYING for copying conditions.
## Hides kernel symbols in /proc/kallsyms ## Hides kernel addresses in various files in /proc.
## Kernel addresses can be very useful in certain exploits.
##
## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
kernel.kptr_restrict=2 kernel.kptr_restrict=2

2
etc/sysctl.d/mmap_aslr.conf
View File

@ -1,6 +1,6 @@
## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net> ## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions. ## See the file COPYING for copying conditions.
## Improves KASLR effectiveness for mmap. ## Improves ASLR effectiveness for mmap.
vm.mmap_rnd_bits=32 vm.mmap_rnd_bits=32
vm.mmap_rnd_compat_bits=16 vm.mmap_rnd_compat_bits=16

4
usr/lib/security-misc/panic-on-oops
View File

@ -12,5 +12,7 @@ if [ -f /usr/lib/helper-scripts/pre.bsh ]; then
source /usr/lib/helper-scripts/pre.bsh source /usr/lib/helper-scripts/pre.bsh
fi fi
# Makes the kernel panic on oopses. ## Makes the kernel panic on oopses. This prevents the kernel
## from continuing to run a flawed processes. Many kernel exploits
## will also cause an oops which this will make the kernel kill.
sysctl kernel.panic_on_oops=1 sysctl kernel.panic_on_oops=1