Merge branch 'Kicksecure:master' into kspp_compliance

2024-10-01 08:25:45 -04:00 · 2024-08-26 11:08:21 +10:00 · 2024-08-26 11:08:21 +10:00 · 9dbd200be4
commit 9dbd200be4
parent 32de5e7c49 cf824ddb24
6 changed files with 265 additions and 119 deletions
--- a/README.md
+++ b/README.md
@ -12,10 +12,9 @@ many more sources.
 ### sysctl

 sysctl settings are configured via the `/usr/lib/sysctl.d/990-security-misc.conf`
-configuration file.
+configuration file and significant hardening is applied to a myriad of components.

-Significant hardening is applied by default to a myriad of components within kernel
-space, user space, core dumps, and swap space.
+Kernel space:

 - Restrict access to kernel addresses through the use of kernel pointers regardless
  of user privileges.
@ -38,7 +37,7 @@ space, user space, core dumps, and swap space.
  can no longer be utilized. See [documentation](https://www.kicksecure.com/wiki/SysRq).

 - Restrict user namespaces to `CAP_SYS_ADMIN` as they can lead to substantial
-  privilege escalation.
+  privilege escalation. Optional - Disable all use of user namespaces.

 - Restrict kernel profiling and the performance events system to `CAP_PERFMON`.

@ -51,6 +50,8 @@ space, user space, core dumps, and swap space.
 - Disable asynchronous I/O (when using Linux kernel >= 6.6) as `io_uring` has been
  the source of numerous kernel exploits.

+User space:
+
 - Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it
  enables programs to inspect and modify other active processes. Optional - Disable
  usage of `ptrace()` by all processes.
@ -69,12 +70,14 @@ space, user space, core dumps, and swap space.
 - Disallow registering interpreters for various (miscellaneous) binary formats based
  on a magic number or their file extension to prevent unintended code execution.

+Core dumps:
+
 - Disable core dump files and prevent their creation. If core dump files are
  enabled, they will be named based on `core.PID` instead of the default `core`.

 - Limit the copying of potentially sensitive content in memory to the swap device.

-Various networking components of the TCP/IP stack are hardened for IPv4/6.
+Networking:

 - Enable TCP SYN cookie protection to assist against SYN flood attacks.

@ -105,13 +108,6 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6.

 - Optional - Enable IPv6 Privacy Extensions.

-### mmap ASLR
-
- The bits of entropy used for mmap ASLR are maxed out via
-  `/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of
-  `CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX`
-  that the kernel was built with), therefore improving its effectiveness.
-
 ### Boot parameters

 Mitigations for known CPU vulnerabilities are enabled in their strictest form
@ -122,6 +118,8 @@ Boot parameters relating to kernel hardening, DMA mitigations, and entropy
 generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg`
 configuration file.

+Kernel space:
+
 - Disable merging of slabs with similar size, which reduces the risk of
  triggering heap overflows and limits influencing slab cache layout.

@ -165,20 +163,33 @@ configuration file.
 - Optional - Disable support for all x86 processes and syscalls (when using Linux kernel >= 6.7)
  to reduce attack surface.

+Direct memory access:
+
 - Enable strict IOMMU translation to protect against some DMA attacks via the use
  of both CPU manufacturer-specific drivers and kernel settings.

 - Clear the busmaster bit on all PCI bridges during the EFI hand-off, which disables
  DMA before the IOMMU is configured. May cause boot failure on certain hardware.

+Entropy:
+
 - Do not credit the CPU or bootloader as entropy sources at boot in order to
  maximize the absolute quantity of entropy in the combined pool.

 - Obtain more entropy at boot from RAM as the runtime memory allocator is
  being initialized.

+Networking:
+
 - Optional - Disable the entire IPv6 stack to reduce attack surface.

+### mmap ASLR
+
+- The bits of entropy used for mmap ASLR are maxed out via
+  `/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of
+  `CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX`
+  that the kernel was built with), therefore improving its effectiveness.
+
 ### Kernel Modules

 #### Kernel Module Signature Verification
@ -224,17 +235,12 @@ modules from starting. This approach should not be considered comprehensive;
 rather, it is a form of badness enumeration. Any potential candidates for future
 disabling should first be blacklisted for a suitable amount of time.

+Hardware modules:
+
 - Optional - Bluetooth: Disabled to reduce attack surface.

- Optional - CPU MSRs: Disabled as can be abused to write to arbitrary memory.
-
- File Systems: Disable uncommon and legacy file systems.
-
 - FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks.

- Framebuffer (fbdev): Disabled as drivers are well-known to be buggy, cause
-  kernel panics, and are generally only used by legacy devices.
-
 - GPS: Disable GPS-related modules such as those required for Global Navigation
  Satellite Systems (GNSS).

@ -245,20 +251,38 @@ disabling should first be blacklisted for a suitable amount of time.
 - Intel Platform Monitoring Technology (PMT) Telemetry: Disable some functionality
  of the Intel PMT components.

+- Thunderbolt: Disabled as they are often vulnerable to DMA attacks.
+
+File system modules:
+
+- File Systems: Disable uncommon and legacy file systems.
+
 - Network File Systems: Disable uncommon and legacy network file systems.

+Networking modules:
+
 - Network Protocols: A wide array of uncommon and legacy network protocols and drivers
  are disabled.

- Miscellaneous: Disable an assortment of other modules such as those required
-  for amateur radio, floppy disks, and vivid. Also disable legacy drivers that
-  have been entirely replaced by newer drivers.
+Miscellaneous modules:

- Thunderbolt: Disabled as they are often vulnerable to DMA attacks.
+- Amateur Radios: Disabled to reduce attack surface.
+
+- Optional - CPU MSRs: Disabled as can be abused to write to arbitrary memory.
+
+- Floppy Disks: Disabled to reduce attack surface.
+
+- Framebuffer (fbdev): Disabled as these drivers are well-known to be buggy, cause
+  kernel panics, and are generally only used by legacy devices.
+
+- Replaced Modules: Disabled legacy drivers that have been entirely replaced and
+  superseded by newer drivers.

 - Optional - USB Video Device Class: Disables the USB-based video streaming driver for
  devices like some webcams and digital camcorders.

+- Vivid: Disabled to reduce attack surface given previous vulnerabilities.
+
 ### Other

 - A systemd service clears the System.map file on boot as these contain kernel
--- a/changelog.upstream
+++ b/changelog.upstream
@ -1,3 +1,93 @@
+commit 500568e322b2e3623fc649209d671c7b9d9fa097
+Merge: 43d13b7 73900b5
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Sun Aug 25 11:01:58 2024 -0400
+
+    Merge remote-tracking branch 'github-kicksecure/master'
+
+commit 73900b59db37d77bc24bd5088aae3cc760aacc69
+Merge: 43d13b7 1f51d4e
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Sun Aug 25 11:00:51 2024 -0400
+
+    Merge pull request #263 from raja-grewal/max_user_namespaces
+    
+    Provide option to disable user namespaces
+
+commit 43d13b70f12d2198a800054ce4d1ff901cc474f9
+Merge: 8353764 fae586c
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Sun Aug 25 10:55:52 2024 -0400
+
+    Merge remote-tracking branch 'raja/syntax'
+
+commit 835376418d616699023f8e638666f43d34241863
+Merge: ae85fd5 342caf8
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Sun Aug 25 10:48:25 2024 -0400
+
+    Merge remote-tracking branch 'raja/mod'
+
+commit ae85fd5b4ce6f4716f95332c19b79d3daa8f7220
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Sun Aug 25 14:33:40 2024 +0000
+
+    bumped changelog version
+
+commit 433b15f985545f531b87d09659bbbb89993b5a67
+Author: Raja Grewal <rg_public@proton.me>
+Date:   Wed Aug 21 12:51:51 2024 +1000
+
+    README.md: Organise `sysctl`s
+
+commit af87a84b4f40b2ad9ac05dd9bce837665f239454
+Author: Raja Grewal <rg_public@proton.me>
+Date:   Wed Aug 21 12:52:48 2024 +1000
+
+    README.md: Organise kernel boot parameters
+
+commit 342caf82b20acc2931563449fafe9a98cbedaba2
+Author: Raja Grewal <rg_public@proton.me>
+Date:   Wed Aug 21 12:52:48 2024 +1000
+
+    README.md: Organise kernel boot parameters
+
+commit b87a18d4050bbf2add5cc4920684876a440e65bb
+Author: Raja Grewal <rg_public@proton.me>
+Date:   Wed Aug 21 12:51:51 2024 +1000
+
+    README.md: Organise `sysctl`s
+
+commit 18ed77ecc93e9ee759a4990a32edb3dd671b8c26
+Author: Raja Grewal <rg_public@proton.me>
+Date:   Wed Aug 21 12:50:14 2024 +1000
+
+    Refactor modprobe.d to minimise potential future merge conflicts
+
+commit 1f51d4eeb2b0c6e23ce64fb272eecb97e089324d
+Author: Raja Grewal <rg_public@proton.me>
+Date:   Sun Aug 18 13:53:11 2024 +1000
+
+    Add details on user namespaces
+
+commit 759aee8150a2d1258d73217c071b25432d47496f
+Author: Raja Grewal <rg_public@proton.me>
+Date:   Fri Aug 16 22:54:57 2024 +1000
+
+    Provide option to disable user namespaces
+
+commit fae586c3c5e8382ca01c60f810b26d88189a5514
+Author: Raja Grewal <rg_public@proton.me>
+Date:   Fri Aug 16 19:23:48 2024 +1000
+
+    Patch bug in existing `rp_filter` `sysctl`
+
+commit e962153f84c4cb8e13fb0cc25d611ae481c7a0c7
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Fri Aug 16 08:38:12 2024 +0000
+
+    bumped changelog version
+
 commit 40b12f5a2a4a40d7033569b11ad4e1c228e7389b
 Merge: 12296c6 305467c
 Author: Patrick Schleizer <adrelanos@whonix.org>
@ -70,6 +160,12 @@ Date:   Fri Aug 16 13:12:07 2024 +1000

    Typos

+commit 23a77d4973ec20b2aaab6a9c3a9fd8a98034923e
+Author: Raja Grewal <rg_public@proton.me>
+Date:   Fri Aug 16 12:46:51 2024 +1000
+
+    Simplify syntax of some network-related `sysctl`'s
+
 commit e3a3207a4447568a17129afe9dde34debc465e21
 Author: Raja Grewal <rg_public@proton.me>
 Date:   Fri Aug 16 12:41:36 2024 +1000
--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,15 @@
+security-misc (3:39.2-1) unstable; urgency=medium
+
+  * New upstream version (local package).
+
+ -- Patrick Schleizer <adrelanos@whonix.org>  Sun, 25 Aug 2024 15:34:54 +0000
+
+security-misc (3:39.1-1) unstable; urgency=medium
+
+  * New upstream version (local package).
+
+ -- Patrick Schleizer <adrelanos@whonix.org>  Sun, 25 Aug 2024 14:33:39 +0000
+
 security-misc (3:39.0-1) unstable; urgency=medium

  * New upstream version (local package).
--- a/etc/modprobe.d/30_security-misc_blacklist.conf
+++ b/etc/modprobe.d/30_security-misc_blacklist.conf
@ -22,7 +22,7 @@ blacklist sr_mod
 #install sr_mod /usr/bin/disabled-cdrom-by-security-misc

 ## Miscellaneous:
-##
+
 ## GrapheneOS:
 ## Partial selection of their infrastructure blacklist.
 ## Duplicate and already disabled modules have been omitted.
@ -39,7 +39,7 @@ blacklist snd_intel8x0
 #blacklist tls
 #blacklist virtio_balloon
 #blacklist virtio_console
-##
+
 ## Ubuntu:
 ## Already disabled modules have been omitted.
 ##
--- a/etc/modprobe.d/30_security-misc_disable.conf
+++ b/etc/modprobe.d/30_security-misc_disable.conf
@ -8,6 +8,14 @@
 ## Blacklisting prevents kernel modules from automatically starting.
 ## Disabling prohibits kernel modules from starting.

+## This configuration file is split into 4 sections:
+## 1. Hardware
+## 2. File Systems
+## 3. Networking
+## 4. Miscellaneous
+
+## 1. Hardware:
+
 ## Bluetooth:
 ## Disable Bluetooth to reduce attack surface due to extended history of security vulnerabilities.
 ##
@ -34,27 +42,6 @@
 #install btusb /usr/bin/disabled-bluetooth-by-security-misc
 #install virtio_bt /usr/bin/disabled-bluetooth-by-security-misc

-## CPU Model-Specific Registers (MSRs):
-## Disable CPU MSRs as they can be abused to write to arbitrary memory.
-##
-## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode
-## https://github.com/Kicksecure/security-misc/issues/215
-##
-#install msr /usr/bin/disabled-miscellaneous-by-security-misc
-
-## File Systems:
-## Disable uncommon file systems to reduce attack surface.
-## HFS/HFS+ are legacy Apple file systems that may be required depending on the EFI partition format.
-##
-install cramfs /usr/bin/disabled-filesys-by-security-misc
-install freevxfs /usr/bin/disabled-filesys-by-security-misc
-install hfs /usr/bin/disabled-filesys-by-security-misc
-install hfsplus /usr/bin/disabled-filesys-by-security-misc
-install jffs2 /usr/bin/disabled-filesys-by-security-misc
-install jfs /usr/bin/disabled-filesys-by-security-misc
-install reiserfs /usr/bin/disabled-filesys-by-security-misc
-install udf /usr/bin/disabled-filesys-by-security-misc
-
 ## FireWire (IEEE 1394):
 ## Disable IEEE 1394 (FireWire/i.LINK/Lynx) modules to prevent some DMA attacks.
 ##
@ -70,43 +57,6 @@ install raw1394 /usr/bin/disabled-firewire-by-security-misc
 install sbp2 /usr/bin/disabled-firewire-by-security-misc
 install video1394 /usr/bin/disabled-firewire-by-security-misc

-## Framebuffer (fbdev):
-## Video drivers are known to be buggy, cause kernel panics, and are generally only used by legacy devices.
-## These were all previously blacklisted.
-##
-## https://docs.kernel.org/fb/index.html
-## https://en.wikipedia.org/wiki/Linux_framebuffer
-## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco
-##
-install aty128fb /usr/bin/disabled-framebuffer-by-security-misc
-install atyfb /usr/bin/disabled-framebuffer-by-security-misc
-install cirrusfb /usr/bin/disabled-framebuffer-by-security-misc
-install cyber2000fb /usr/bin/disabled-framebuffer-by-security-misc
-install cyblafb /usr/bin/disabled-framebuffer-by-security-misc
-install gx1fb /usr/bin/disabled-framebuffer-by-security-misc
-install hgafb /usr/bin/disabled-framebuffer-by-security-misc
-install i810fb /usr/bin/disabled-framebuffer-by-security-misc
-install intelfb /usr/bin/disabled-framebuffer-by-security-misc
-install kyrofb /usr/bin/disabled-framebuffer-by-security-misc
-install lxfb /usr/bin/disabled-framebuffer-by-security-misc
-install matroxfb_bases /usr/bin/disabled-framebuffer-by-security-misc
-install neofb /usr/bin/disabled-framebuffer-by-security-misc
-install nvidiafb /usr/bin/disabled-framebuffer-by-security-misc
-install pm2fb /usr/bin/disabled-framebuffer-by-security-misc
-install radeonfb /usr/bin/disabled-framebuffer-by-security-misc
-install rivafb /usr/bin/disabled-framebuffer-by-security-misc
-install s1d13xxxfb /usr/bin/disabled-framebuffer-by-security-misc
-install savagefb /usr/bin/disabled-framebuffer-by-security-misc
-install sisfb /usr/bin/disabled-framebuffer-by-security-misc
-install sstfb /usr/bin/disabled-framebuffer-by-security-misc
-install tdfxfb /usr/bin/disabled-framebuffer-by-security-misc
-install tridentfb /usr/bin/disabled-framebuffer-by-security-misc
-install vesafb /usr/bin/disabled-framebuffer-by-security-misc
-install vfb /usr/bin/disabled-framebuffer-by-security-misc
-install viafb /usr/bin/disabled-framebuffer-by-security-misc
-install vt8623fb /usr/bin/disabled-framebuffer-by-security-misc
-install udlfb /usr/bin/disabled-framebuffer-by-security-misc
-
 ## Global Positioning Systems (GPS):
 ## Disable GPS-related modules like GNSS (Global Navigation Satellite System).
 ##
@ -152,6 +102,30 @@ install pmt_class /usr/bin/disabled-intelpmt-by-security-misc
 install pmt_crashlog /usr/bin/disabled-intelpmt-by-security-misc
 install pmt_telemetry /usr/bin/disabled-intelpmt-by-security-misc

+## Thunderbolt:
+## Disables Thunderbolt modules to prevent some DMA attacks.
+##
+## https://en.wikipedia.org/wiki/Thunderbolt_(interface)#Security_vulnerabilities
+##
+install intel-wmi-thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
+install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
+install thunderbolt_net /usr/bin/disabled-thunderbolt-by-security-misc
+
+## 2. File Systems:
+
+## File Systems:
+## Disable uncommon file systems to reduce attack surface.
+## HFS/HFS+ are legacy Apple file systems that may be required depending on the EFI partition format.
+##
+install cramfs /usr/bin/disabled-filesys-by-security-misc
+install freevxfs /usr/bin/disabled-filesys-by-security-misc
+install hfs /usr/bin/disabled-filesys-by-security-misc
+install hfsplus /usr/bin/disabled-filesys-by-security-misc
+install jffs2 /usr/bin/disabled-filesys-by-security-misc
+install jfs /usr/bin/disabled-filesys-by-security-misc
+install reiserfs /usr/bin/disabled-filesys-by-security-misc
+install udf /usr/bin/disabled-filesys-by-security-misc
+
 ## Network File Systems:
 ## Disable uncommon network file systems to reduce attack surface.
 ##
@ -175,6 +149,8 @@ install nfsv2 /usr/bin/disabled-netfilesys-by-security-misc
 install nfsv3 /usr/bin/disabled-netfilesys-by-security-misc
 install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc

+## 2. Networking:
+
 ## Network Protocols:
 ## Disables rare and unneeded network protocols that are a common source of unknown vulnerabilities.
 ## Previously had blacklisted eepro100 and eth1394.
@ -249,17 +225,62 @@ install rds_tcp /usr/bin/disabled-network-by-security-misc
 install sctp /usr/bin/disabled-network-by-security-misc
 install sctp_diag /usr/bin/disabled-network-by-security-misc

-## Miscellaneous:
-##
+## 4. Miscellaneous:
+
 ## Amateur Radios:
 ##
 install hamradio /usr/bin/disabled-miscellaneous-by-security-misc
+
+## CPU Model-Specific Registers (MSRs):
+## Disable CPU MSRs as they can be abused to write to arbitrary memory.
 ##
+## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode
+## https://github.com/Kicksecure/security-misc/issues/215
+##
+#install msr /usr/bin/disabled-miscellaneous-by-security-misc
+
 ## Floppy Disks:
 ##
 install floppy /usr/bin/disabled-miscellaneous-by-security-misc
+
+## Framebuffer (fbdev):
+## Video drivers are known to be buggy, cause kernel panics, and are generally only used by legacy devices.
+## These were all previously blacklisted.
 ##
-## Replaced:
+## https://docs.kernel.org/fb/index.html
+## https://en.wikipedia.org/wiki/Linux_framebuffer
+## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco
+##
+install aty128fb /usr/bin/disabled-framebuffer-by-security-misc
+install atyfb /usr/bin/disabled-framebuffer-by-security-misc
+install cirrusfb /usr/bin/disabled-framebuffer-by-security-misc
+install cyber2000fb /usr/bin/disabled-framebuffer-by-security-misc
+install cyblafb /usr/bin/disabled-framebuffer-by-security-misc
+install gx1fb /usr/bin/disabled-framebuffer-by-security-misc
+install hgafb /usr/bin/disabled-framebuffer-by-security-misc
+install i810fb /usr/bin/disabled-framebuffer-by-security-misc
+install intelfb /usr/bin/disabled-framebuffer-by-security-misc
+install kyrofb /usr/bin/disabled-framebuffer-by-security-misc
+install lxfb /usr/bin/disabled-framebuffer-by-security-misc
+install matroxfb_bases /usr/bin/disabled-framebuffer-by-security-misc
+install neofb /usr/bin/disabled-framebuffer-by-security-misc
+install nvidiafb /usr/bin/disabled-framebuffer-by-security-misc
+install pm2fb /usr/bin/disabled-framebuffer-by-security-misc
+install radeonfb /usr/bin/disabled-framebuffer-by-security-misc
+install rivafb /usr/bin/disabled-framebuffer-by-security-misc
+install s1d13xxxfb /usr/bin/disabled-framebuffer-by-security-misc
+install savagefb /usr/bin/disabled-framebuffer-by-security-misc
+install sisfb /usr/bin/disabled-framebuffer-by-security-misc
+install sstfb /usr/bin/disabled-framebuffer-by-security-misc
+install tdfxfb /usr/bin/disabled-framebuffer-by-security-misc
+install tridentfb /usr/bin/disabled-framebuffer-by-security-misc
+install vesafb /usr/bin/disabled-framebuffer-by-security-misc
+install vfb /usr/bin/disabled-framebuffer-by-security-misc
+install viafb /usr/bin/disabled-framebuffer-by-security-misc
+install vt8623fb /usr/bin/disabled-framebuffer-by-security-misc
+install udlfb /usr/bin/disabled-framebuffer-by-security-misc
+
+## Replaced Modules:
 ## These legacy drivers have all been entirely replaced and superseded by newer drivers.
 ## These were all previously blacklisted.
 ##
@ -269,7 +290,12 @@ install asus_acpi /usr/bin/disabled-miscellaneous-by-security-misc
 install bcm43xx /usr/bin/disabled-miscellaneous-by-security-misc
 install de4x5 /usr/bin/disabled-miscellaneous-by-security-misc
 install prism54 /usr/bin/disabled-miscellaneous-by-security-misc
+
+## USB Video Device Class:
+## Disables the USB-based video streaming driver for devices like some webcams and digital camcorders.
 ##
+#install uvcvideo /usr/bin/disabled-miscellaneous-by-security-misc
+
 ## Vivid:
 ## Disables the vivid kernel module since it has been the cause of multiple vulnerabilities.
 ##
@ -278,17 +304,3 @@ install prism54 /usr/bin/disabled-miscellaneous-by-security-misc
 ## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475
 ##
 install vivid /usr/bin/disabled-miscellaneous-by-security-misc
-
-## Thunderbolt:
-## Disables Thunderbolt modules to prevent some DMA attacks.
-##
-## https://en.wikipedia.org/wiki/Thunderbolt_(interface)#Security_vulnerabilities
-##
-install intel-wmi-thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
-install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
-install thunderbolt_net /usr/bin/disabled-thunderbolt-by-security-misc
-
-## USB Video Device Class:
-## Disables the USB-based video streaming driver for devices like some webcams and digital camcorders.
-##
-#install uvcvideo /usr/bin/disabled-miscellaneous-by-security-misc
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@ -114,11 +114,20 @@ kernel.sysrq=0
 ## User namespaces aim to improve sandboxing and accessibility for unprivileged users.
 ## Unprivileged user namespaces pose substantial privilege escalation risks.
 ## Restricting may lead to breakages in numerous software packages.
+## Uncomment the second sysctl to entirely disable user namespaces.
+## Disabling entirely will reduce compatibility with some AppArmor profiles.
 ##
+## https://lwn.net/Articles/673597/
 ## https://madaidans-insecurities.github.io/linux.html#kernel
 ## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers
+## https://github.com/NixOS/nixpkgs/pull/84522#issuecomment-614640601
+## https://github.com/Kicksecure/security-misc/pull/263
+##
+## KSPP=partial
+## KSPP sets the stricter sysctl user.max_user_namespaces=0.
 ##
 kernel.unprivileged_userns_clone=0
+#user.max_user_namespaces=0

 ## Restricts kernel profiling to users with CAP_PERFMON.
 ## The performance events system should not be accessible by unprivileged users.
@ -353,13 +362,15 @@ net.ipv4.tcp_rfc1337=1

 ## Enable reverse path filtering (source validation) of packets received from all interfaces.
 ## Prevents IP spoofing and mitigates vulnerabilities such as CVE-2019-14899.
+## The second "default" command fixes a bug in the existing kernel implementation.
 ##
 ## https://en.wikipedia.org/wiki/IP_address_spoofing
 ## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-reverse_path_forwarding#sect-Security_Guide-Server_Security-Reverse_Path_Forwarding
 ## https://forums.whonix.org/t/enable-reverse-path-filtering/8594
 ## https://seclists.org/oss-sec/2019/q4/122
+## https://github.com/Kicksecure/security-misc/pull/261
 ##
-net.ipv4.conf.all.rp_filter=1
+net.ipv4.conf.*.rp_filter=1
 net.ipv4.conf.default.rp_filter=1

 ## Disable ICMP redirect acceptance and redirect sending messages.
@ -373,14 +384,10 @@ net.ipv4.conf.default.rp_filter=1
 ## https://askubuntu.com/questions/118273/what-are-icmp-redirects-and-should-they-be-blocked
 ## https://github.com/Kicksecure/security-misc/pull/248
 ##
-net.ipv4.conf.all.accept_redirects=0
-net.ipv4.conf.default.accept_redirects=0
-net.ipv4.conf.all.send_redirects=0
-net.ipv4.conf.default.send_redirects=0
-net.ipv6.conf.all.accept_redirects=0
-net.ipv6.conf.default.accept_redirects=0
-#net.ipv4.conf.all.secure_redirects=1
-#net.ipv4.conf.default.secure_redirects=1
+net.ipv4.conf.*.accept_redirects=0
+net.ipv4.conf.*.send_redirects=0
+net.ipv6.conf.*.accept_redirects=0
+#net.ipv4.conf.*.secure_redirects=1

 ## Ignore ICMP echo requests.
 ## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks.
@ -400,15 +407,12 @@ net.ipv4.icmp_ignore_bogus_error_responses=1
 ##
 ## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-disable-source-routing
 ##
-net.ipv4.conf.all.accept_source_route=0
-net.ipv4.conf.default.accept_source_route=0
-net.ipv6.conf.all.accept_source_route=0
-net.ipv6.conf.default.accept_source_route=0
+net.ipv4.conf.*.accept_source_route=0
+net.ipv6.conf.*.accept_source_route=0

 ## Do not accept IPv6 router advertisements and solicitations.
 ##
-net.ipv6.conf.all.accept_ra=0
-net.ipv6.conf.default.accept_ra=0
+net.ipv6.conf.*.accept_ra=0

 ## Disable SACK and DSACK.
 ## Select acknowledgements (SACKs) are a known common vector of exploitation.
@ -451,8 +455,7 @@ net.ipv4.tcp_timestamps=0
 ##
 ## The logging of martian packets is currently disabled.
 ##
-#net.ipv4.conf.all.log_martians=1
-#net.ipv4.conf.default.log_martians=1
+#net.ipv4.conf.*.log_martians=1

 ## Enable IPv6 Privacy Extensions to prefer temporary addresses over public addresses.
 ## The temporary/privacy address is used as the source for all outgoing traffic.
@ -468,5 +471,4 @@ net.ipv4.tcp_timestamps=0
 ##
 ## The use of IPv6 Privacy Extensions is currently disabled due to these breakages.
 ##
-#net.ipv6.conf.all.use_tempaddr=2
-#net.ipv6.conf.default.use_tempaddr=2
+#net.ipv6.conf.*.use_tempaddr=2