Merge pull request #33 from madaidan/documentation

Improve documentation

debian/control

@@ -32,33 +32,36 @@ Description: enhances misc security settings
  the kernel. (!) Hence, this package disables this feature by shipping the
  /etc/modprobe.d/30_nf_conntrack_helper_disable.conf configuration file.
  .
-  * Kernel symbols in /proc/kallsyms are hidden to prevent malware from
- reading them and using them to learn more about what to attack on your system.
+  * Kernel symbols in various files in /proc are hidden as they can be
+ very useful for kernel exploits.
  .
   * Kexec is disabled as it can be used to load a malicious kernel.
  /etc/sysctl.d/kexec.conf
  .
   * ASLR effectiveness for mmap is increased.
  .
-  * The TCP/IP stack is hardened.
+  * The TCP/IP stack is hardened by disabling ICMP redirect acceptance,
+ ICMP redirect sending and source routing to prevent man-in-the-middle attacks,
+ ignoring all ICMP requests, enabling TCP syncookies to prevent SYN flood attacks
+ and enabling RFC1337 to protect against time-wait assassination attacks.
  .
-  * This package makes some data spoofing attacks harder.
+  * Some data spoofing attacks are made harder.
  .
   * SACK can be disabled as it is commonly exploited and is rarely used by
- commenting in settings in file /etc/sysctl.d/tcp_sack.conf.
+ uncommenting settings in file /etc/sysctl.d/tcp_sack.conf.
  .
-  * This package disables the merging of slabs of similar sizes to prevent an
- attacker from exploiting them.
+  * Slab merging is disabled as sometimes a slab can be used in a vulnerable
+ way which an attacker can exploit.
  .
   * Sanity checks, redzoning, and memory poisoning are enabled.
  .
-  * The kernel now panics on uncorrectable errors in ECC memory which could
- be exploited.
+  * Machine checks (MCE) are disabled which makes the kernel panic
+ on uncorrectable errors in ECC memory that could be exploited.
  .
   * Kernel Page Table Isolation is enabled to mitigate Meltdown and increase
  KASLR effectiveness.
  .
-  * SMT is disabled as it can be used to exploit the MDS vulnerability.
+  * SMT is disabled as it can be used to exploit the MDS and other vulnerabilities.
  .
   * All mitigations for the MDS vulnerability are enabled.
  .
@@ -74,8 +77,8 @@ Description: enhances misc security settings
  /etc/sysctl.d/coredumps.conf
  /lib/systemd/coredump.conf.d/disable-coredumps.conf
  .
-  * The thunderbolt and firewire modules are blacklisted as they can be used
- for DMA (Direct Memory Access) attacks.
+  * The thunderbolt and firewire kernel modules are blacklisted as they can be
+ used for DMA (Direct Memory Access) attacks.
  .
   * IOMMU is enabled with a boot parameter to prevent DMA attacks.
  .

etc/modprobe.d/blacklist-bluetooth.conf

@@ -1,3 +1,6 @@
-# Blacklists bluetooth.
+# Blacklists bluetooth to reduce attack surface.
+# Bluetooth also has a history of security vulnerabilities:
+#
+# https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
 install bluetooth /bin/false
 install btusb /bin/false

etc/sysctl.d/kptr_restrict.conf

@@ -1,5 +1,8 @@
 ## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
 ## See the file COPYING for copying conditions.
 
-## Hides kernel symbols in /proc/kallsyms
+## Hides kernel addresses in various files in /proc.
+## Kernel addresses can be very useful in certain exploits.
+##
+## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
 kernel.kptr_restrict=2

etc/sysctl.d/mmap_aslr.conf

@@ -1,6 +1,6 @@
 ## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
 ## See the file COPYING for copying conditions.
 
-## Improves KASLR effectiveness for mmap.
+## Improves ASLR effectiveness for mmap.
 vm.mmap_rnd_bits=32
 vm.mmap_rnd_compat_bits=16

usr/lib/security-misc/panic-on-oops

@@ -12,5 +12,7 @@ if [ -f /usr/lib/helper-scripts/pre.bsh ]; then
    source /usr/lib/helper-scripts/pre.bsh
 fi
 
-# Makes the kernel panic on oopses.
+## Makes the kernel panic on oopses. This prevents the kernel
+## from continuing to run a flawed processes. Many kernel exploits
+## will also cause an oops which this will make the kernel kill.
 sysctl kernel.panic_on_oops=1