From 23a77d4973ec20b2aaab6a9c3a9fd8a98034923e Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Fri, 16 Aug 2024 12:46:51 +1000 Subject: [PATCH 01/11] Simplify syntax of some network-related `sysctl`'s --- usr/lib/sysctl.d/990-security-misc.conf | 30 +++++++++---------------- 1 file changed, 10 insertions(+), 20 deletions(-) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 8e49235..f6b49f0 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -275,8 +275,7 @@ net.ipv4.tcp_rfc1337=1 ## https://forums.whonix.org/t/enable-reverse-path-filtering/8594 ## https://seclists.org/oss-sec/2019/q4/122 ## -net.ipv4.conf.all.rp_filter=1 -net.ipv4.conf.default.rp_filter=1 +net.ipv4.conf.*.rp_filter=1 ## Disable ICMP redirect acceptance and redirect sending messages. ## Prevents man-in-the-middle attacks and minimizes information disclosure. @@ -289,14 +288,10 @@ net.ipv4.conf.default.rp_filter=1 ## https://askubuntu.com/questions/118273/what-are-icmp-redirects-and-should-they-be-blocked ## https://github.com/Kicksecure/security-misc/pull/248 ## -net.ipv4.conf.all.accept_redirects=0 -net.ipv4.conf.default.accept_redirects=0 -net.ipv4.conf.all.send_redirects=0 -net.ipv4.conf.default.send_redirects=0 -net.ipv6.conf.all.accept_redirects=0 -net.ipv6.conf.default.accept_redirects=0 -#net.ipv4.conf.all.secure_redirects=1 -#net.ipv4.conf.default.secure_redirects=1 +net.ipv4.conf.*.accept_redirects=0 +net.ipv4.conf.*.send_redirects=0 +net.ipv6.conf.*.accept_redirects=0 +#net.ipv4.conf.*.secure_redirects=1 ## Ignore ICMP echo requests. ## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks. 
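Review bot: Replacing the explicit `all`/`default` keys with `net.ipv4.conf.*.accept_redirects=0`, `net.ipv4.conf.*.send_redirects=0` and `net.ipv6.conf.*.accept_redirects=0` weakens the guarantee this file used to give, because systemd-sysctl resolves glob-versus-explicit conflicts by key rather than by file order: as far as I can tell from its glob handling, any key that some other sysctl.d file sets explicitly is skipped when a glob matches it, so a distro or third-party drop-in with an explicit `net.ipv4.conf.all.accept_redirects=1` (or a per-interface key) now silently wins even though this file sorts last at 990. The glob is also only expanded against interfaces present when the service runs, and interfaces created later inherit from `default`, which is exactly the key most likely to be shadowed this way. I would keep the explicit `all` and `default` lines next to each glob (or drop the globs and keep only the explicit pairs) and record the reason above the keys, e.g. `## Explicit all/default keys are kept because systemd-sysctl lets an explicit setting from any file override a glob match.`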
@@ -316,15 +311,12 @@ net.ipv4.icmp_ignore_bogus_error_responses=1 ## ## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-disable-source-routing ## -net.ipv4.conf.all.accept_source_route=0 -net.ipv4.conf.default.accept_source_route=0 -net.ipv6.conf.all.accept_source_route=0 -net.ipv6.conf.default.accept_source_route=0 +net.ipv4.conf.*.accept_source_route=0 +net.ipv6.conf.*.accept_source_route=0 ## Do not accept IPv6 router advertisements and solicitations. ## -net.ipv6.conf.all.accept_ra=0 -net.ipv6.conf.default.accept_ra=0 +net.ipv6.conf.*.accept_ra=0 ## Disable SACK and DSACK. ## Select acknowledgements (SACKs) are a known common vector of exploitation. @@ -362,8 +354,7 @@ net.ipv4.tcp_timestamps=0 ## ## The logging of martian packets is currently disabled. ## -#net.ipv4.conf.all.log_martians=1 -#net.ipv4.conf.default.log_martians=1 +#net.ipv4.conf.*.log_martians=1 ## Enable IPv6 Privacy Extensions to prefer temporary addresses over public addresses. ## The temporary/privacy address is used as the source for all outgoing traffic. @@ -379,5 +370,4 @@ net.ipv4.tcp_timestamps=0 ## ## The use of IPv6 Privacy Extensions is currently disabled due to these breakages. ## -#net.ipv6.conf.all.use_tempaddr=2 -#net.ipv6.conf.default.use_tempaddr=2 +#net.ipv6.conf.*.use_tempaddr=2 From fae586c3c5e8382ca01c60f810b26d88189a5514 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Fri, 16 Aug 2024 19:23:48 +1000 Subject: [PATCH 02/11] Patch bug in existing `rp_filter` `sysctl` --- usr/lib/sysctl.d/990-security-misc.conf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index f6b49f0..1e675ca 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf 
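Review bot: `net.ipv6.conf.*.accept_ra=0` has the same exposure as the other globs in this series: systemd-sysctl, as far as I can tell, lets an explicit `net.ipv6.conf.all.accept_ra` or `net.ipv6.conf.default.accept_ra` from any drop-in override a glob match regardless of the 990 ordering, so keeping `net.ipv6.conf.all.accept_ra=0` and `net.ipv6.conf.default.accept_ra=0` alongside the glob is the safer form. The comment above it, `## Do not accept IPv6 router advertisements and solicitations.`, also overstates the knob: `accept_ra` only controls whether received RAs are processed (so SLAAC addresses and RA-learned default routes are no longer configured), while router solicitations are sent by the host and are unaffected. I would reword it to `## Do not process IPv6 router advertisements (disables SLAAC addressing and RA-learned routes).`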
@@ -270,12 +270,15 @@ net.ipv4.tcp_rfc1337=1 ## Enable reverse path filtering (source validation) of packets received from all interfaces. ## Prevents IP spoofing and mitigates vulnerabilities such as CVE-2019-14899. +## The second "default" command fixes a bug in the existing kernel implementation. ## ## https://en.wikipedia.org/wiki/IP_address_spoofing ## https://forums.whonix.org/t/enable-reverse-path-filtering/8594 ## https://seclists.org/oss-sec/2019/q4/122 +## https://github.com/Kicksecure/security-misc/pull/261 ## net.ipv4.conf.*.rp_filter=1 +net.ipv4.conf.default.rp_filter=1 ## Disable ICMP redirect acceptance and redirect sending messages. ## Prevents man-in-the-middle attacks and minimizes information disclosure. From 759aee8150a2d1258d73217c071b25432d47496f Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Fri, 16 Aug 2024 22:54:57 +1000 Subject: [PATCH 03/11] Provide option to disable user namespaces --- README.md | 2 +- usr/lib/sysctl.d/990-security-misc.conf | 5 +++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index da9254a..4644c6a 100644 --- a/README.md +++ b/README.md @@ -37,7 +37,7 @@ space, user space, core dumps, and swap space. can no longer be utilized. See [documentation](https://www.kicksecure.com/wiki/SysRq). - Restrict user namespaces to `CAP_SYS_ADMIN` as they can lead to substantial - privilege escalation. + privilege escalation. Optional - Disable all use of user namespaces. - Restrict kernel profiling and the performance events system to `CAP_PERFMON`. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 9836bc2..f576dbc 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf 
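Review bot: The added comment `## The second "default" command fixes a bug in the existing kernel implementation.` blames the wrong component: the kernel applies whatever it is handed, and the symptom is how systemd-sysctl applies globs — as far as I can tell it skips any glob-matched key for which an explicit setting exists in any sysctl.d file, and, if I remember its 50-default.conf correctly, systemd itself sets `net.ipv4.conf.default.rp_filter` explicitly to loose mode (2), so the glob in this file never reached `default`. I would replace the line with `## systemd-sysctl lets an explicit key from any file override a glob match, and systemd's own defaults set default.rp_filter explicitly, so it must be set explicitly here as well.` By the same logic an explicit `net.ipv4.conf.all.rp_filter` in some other drop-in would shadow the glob for `all`, so restoring `net.ipv4.conf.all.rp_filter=1` next to the new `default` line keeps strict mode guaranteed on both keys rather than on one.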
@@ -93,11 +93,16 @@ kernel.sysrq=0 ## User namespaces aim to improve sandboxing and accessibility for unprivileged users. ## Unprivileged user namespaces pose substantial privilege escalation risks. ## Restricting may lead to breakages in numerous software packages. +## Uncomment the second sysctl to entirely disable user namespaces. ## ## https://madaidans-insecurities.github.io/linux.html#kernel ## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers ## +## KSPP=partial +## KSPP sets the stricter sysctl user.max_user_namespaces=0. +## kernel.unprivileged_userns_clone=0 +#user.max_user_namespaces=0 ## Restricts kernel profiling to users with CAP_PERFMON. ## The performance events system should not be accessible by unprivileged users. From 1f51d4eeb2b0c6e23ce64fb272eecb97e089324d Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sun, 18 Aug 2024 13:53:11 +1000 Subject: [PATCH 04/11] Add details on user namespaces --- usr/lib/sysctl.d/990-security-misc.conf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index f576dbc..ad049b2 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -94,9 +94,13 @@ kernel.sysrq=0 ## Unprivileged user namespaces pose substantial privilege escalation risks. ## Restricting may lead to breakages in numerous software packages. ## Uncomment the second sysctl to entirely disable user namespaces. +## Disabling entirely will reduce compatibility with some AppArmor profiles. ## +## https://lwn.net/Articles/673597/ ## https://madaidans-insecurities.github.io/linux.html#kernel ## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers +## https://github.com/NixOS/nixpkgs/pull/84522#issuecomment-614640601 +## https://github.com/Kicksecure/security-misc/pull/263 ## ## KSPP=partial ## KSPP sets the stricter sysctl user.max_user_namespaces=0. 
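Review bot: The new `#user.max_user_namespaces=0` option needs a warning that it is not a capability restriction like the `kernel.unprivileged_userns_clone=0` line above it: the limit is a per-namespace count, so once it is 0 no process, root included, can create a user namespace, which breaks anything that relies on them (rootless podman, bubblewrap/flatpak, Chromium's namespace sandbox, systemd units using `PrivateUsers=`), not just unprivileged callers. The block only says it will "entirely disable user namespaces"; I would add `## Unlike unprivileged_userns_clone this also blocks root: max_user_namespaces is a count limit, not a capability check.` It is also worth noting in the same block that `kernel.unprivileged_userns_clone` only exists on kernels carrying the Debian/Ubuntu patch, so on a stock kernel that line fails to apply and `user.max_user_namespaces` is the only one of the two that is portable.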
From 18ed77ecc93e9ee759a4990a32edb3dd671b8c26 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 21 Aug 2024 12:50:14 +1000 Subject: [PATCH 05/11] Refactor modprobe.d to minimise potential future merge conflicts --- README.md | 35 ++-- .../30_security-misc_blacklist.conf | 4 +- etc/modprobe.d/30_security-misc_disable.conf | 162 ++++++++++-------- 3 files changed, 113 insertions(+), 88 deletions(-) diff --git a/README.md b/README.md index da9254a..4742384 100644 --- a/README.md +++ b/README.md @@ -223,17 +223,12 @@ modules from starting. This approach should not be considered comprehensive; rather, it is a form of badness enumeration. Any potential candidates for future disabling should first be blacklisted for a suitable amount of time. +Hardware modules: + - Optional - Bluetooth: Disabled to reduce attack surface. -- Optional - CPU MSRs: Disabled as can be abused to write to arbitrary memory. - -- File Systems: Disable uncommon and legacy file systems. - - FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks. -- Framebuffer (fbdev): Disabled as drivers are well-known to be buggy, cause - kernel panics, and are generally only used by legacy devices. - - GPS: Disable GPS-related modules such as those required for Global Navigation Satellite Systems (GNSS). 
@@ -244,20 +239,38 @@ disabling should first be blacklisted for a suitable amount of time. - Intel Platform Monitoring Technology (PMT) Telemetry: Disable some functionality of the Intel PMT components. +- Thunderbolt: Disabled as they are often vulnerable to DMA attacks. + +File system modules: + +- File Systems: Disable uncommon and legacy file systems. + - Network File Systems: Disable uncommon and legacy network file systems. +Networking modules: + - Network Protocols: A wide array of uncommon and legacy network protocols and drivers are disabled. -- Miscellaneous: Disable an assortment of other modules such as those required - for amateur radio, floppy disks, and vivid. Also disable legacy drivers that - have been entirely replaced by newer drivers. +Miscellaneous modules: -- Thunderbolt: Disabled as they are often vulnerable to DMA attacks. +- Amateur Radios: Disabled to reduce attack surface. + +- Optional - CPU MSRs: Disabled as can be abused to write to arbitrary memory. + +- Floppy Disks: Disabled to reduce attack surface. + +- Framebuffer (fbdev): Disabled as these drivers are well-known to be buggy, cause + kernel panics, and are generally only used by legacy devices. + +- Replaced Modules: Disabled legacy drivers that have been entirely replaced and + superseded by newer drivers. - Optional - USB Video Device Class: Disables the USB-based video streaming driver for devices like some webcams and digital camcorders. +- Vivid: Disabled to reduce attack surface given previous vulnerabilities. + ### Other - A systemd service clears the System.map file on boot as these contain kernel diff --git a/etc/modprobe.d/30_security-misc_blacklist.conf b/etc/modprobe.d/30_security-misc_blacklist.conf index 34e1124..8386800 100644 --- a/etc/modprobe.d/30_security-misc_blacklist.conf +++ b/etc/modprobe.d/30_security-misc_blacklist.conf 
@@ -22,7 +22,7 @@ blacklist sr_mod #install sr_mod /usr/bin/disabled-cdrom-by-security-misc ## Miscellaneous: -## + ## GrapheneOS: ## Partial selection of their infrastructure blacklist. ## Duplicate and already disabled modules have been omitted. @@ -39,7 +39,7 @@ blacklist snd_intel8x0 #blacklist tls #blacklist virtio_balloon #blacklist virtio_console -## + ## Ubuntu: ## Already disabled modules have been omitted. ## diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf index 3a72b0e..3df5a51 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf +++ b/etc/modprobe.d/30_security-misc_disable.conf @@ -8,6 +8,14 @@ ## Blacklisting prevents kernel modules from automatically starting. ## Disabling prohibits kernel modules from starting. +## This configuration file is split into 4 sections: +## 1. Hardware +## 2. File Systems +## 3. Networking +## 4. Miscellaneous + +## 1. Hardware: + ## Bluetooth: ## Disable Bluetooth to reduce attack surface due to extended history of security vulnerabilities. ## 
@@ -34,27 +42,6 @@ #install btusb /usr/bin/disabled-bluetooth-by-security-misc #install virtio_bt /usr/bin/disabled-bluetooth-by-security-misc -## CPU Model-Specific Registers (MSRs): -## Disable CPU MSRs as they can be abused to write to arbitrary memory. -## -## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode -## https://github.com/Kicksecure/security-misc/issues/215 -## -#install msr /usr/bin/disabled-miscellaneous-by-security-misc - -## File Systems: -## Disable uncommon file systems to reduce attack surface. -## HFS/HFS+ are legacy Apple file systems that may be required depending on the EFI partition format. -## -install cramfs /usr/bin/disabled-filesys-by-security-misc -install freevxfs /usr/bin/disabled-filesys-by-security-misc -install hfs /usr/bin/disabled-filesys-by-security-misc -install hfsplus /usr/bin/disabled-filesys-by-security-misc -install jffs2 /usr/bin/disabled-filesys-by-security-misc -install jfs /usr/bin/disabled-filesys-by-security-misc -install reiserfs /usr/bin/disabled-filesys-by-security-misc -install udf /usr/bin/disabled-filesys-by-security-misc - ## FireWire (IEEE 1394): ## Disable IEEE 1394 (FireWire/i.LINK/Lynx) modules to prevent some DMA attacks. ## 
@@ -70,43 +57,6 @@ install raw1394 /usr/bin/disabled-firewire-by-security-misc install sbp2 /usr/bin/disabled-firewire-by-security-misc install video1394 /usr/bin/disabled-firewire-by-security-misc -## Framebuffer (fbdev): -## Video drivers are known to be buggy, cause kernel panics, and are generally only used by legacy devices. -## These were all previously blacklisted. -## -## https://docs.kernel.org/fb/index.html -## https://en.wikipedia.org/wiki/Linux_framebuffer -## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco -## -install aty128fb /usr/bin/disabled-framebuffer-by-security-misc -install atyfb /usr/bin/disabled-framebuffer-by-security-misc -install cirrusfb /usr/bin/disabled-framebuffer-by-security-misc -install cyber2000fb /usr/bin/disabled-framebuffer-by-security-misc -install cyblafb /usr/bin/disabled-framebuffer-by-security-misc -install gx1fb /usr/bin/disabled-framebuffer-by-security-misc -install hgafb /usr/bin/disabled-framebuffer-by-security-misc -install i810fb /usr/bin/disabled-framebuffer-by-security-misc -install intelfb /usr/bin/disabled-framebuffer-by-security-misc -install kyrofb /usr/bin/disabled-framebuffer-by-security-misc -install lxfb /usr/bin/disabled-framebuffer-by-security-misc -install matroxfb_bases /usr/bin/disabled-framebuffer-by-security-misc -install neofb /usr/bin/disabled-framebuffer-by-security-misc -install nvidiafb /usr/bin/disabled-framebuffer-by-security-misc -install pm2fb /usr/bin/disabled-framebuffer-by-security-misc -install radeonfb /usr/bin/disabled-framebuffer-by-security-misc -install rivafb /usr/bin/disabled-framebuffer-by-security-misc -install s1d13xxxfb /usr/bin/disabled-framebuffer-by-security-misc -install savagefb /usr/bin/disabled-framebuffer-by-security-misc -install sisfb /usr/bin/disabled-framebuffer-by-security-misc -install sstfb /usr/bin/disabled-framebuffer-by-security-misc -install tdfxfb /usr/bin/disabled-framebuffer-by-security-misc 
-install tridentfb /usr/bin/disabled-framebuffer-by-security-misc -install vesafb /usr/bin/disabled-framebuffer-by-security-misc -install vfb /usr/bin/disabled-framebuffer-by-security-misc -install viafb /usr/bin/disabled-framebuffer-by-security-misc -install vt8623fb /usr/bin/disabled-framebuffer-by-security-misc -install udlfb /usr/bin/disabled-framebuffer-by-security-misc - ## Global Positioning Systems (GPS): ## Disable GPS-related modules like GNSS (Global Navigation Satellite System). ## @@ -152,6 +102,30 @@ install pmt_class /usr/bin/disabled-intelpmt-by-security-misc install pmt_crashlog /usr/bin/disabled-intelpmt-by-security-misc install pmt_telemetry /usr/bin/disabled-intelpmt-by-security-misc +## Thunderbolt: +## Disables Thunderbolt modules to prevent some DMA attacks. +## +## https://en.wikipedia.org/wiki/Thunderbolt_(interface)#Security_vulnerabilities +## +install intel-wmi-thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc +install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc +install thunderbolt_net /usr/bin/disabled-thunderbolt-by-security-misc + +## 2. File Systems: + +## File Systems: +## Disable uncommon file systems to reduce attack surface. +## HFS/HFS+ are legacy Apple file systems that may be required depending on the EFI partition format. +## +install cramfs /usr/bin/disabled-filesys-by-security-misc +install freevxfs /usr/bin/disabled-filesys-by-security-misc +install hfs /usr/bin/disabled-filesys-by-security-misc +install hfsplus /usr/bin/disabled-filesys-by-security-misc +install jffs2 /usr/bin/disabled-filesys-by-security-misc +install jfs /usr/bin/disabled-filesys-by-security-misc +install reiserfs /usr/bin/disabled-filesys-by-security-misc +install udf /usr/bin/disabled-filesys-by-security-misc + ## Network File Systems: ## Disable uncommon network file systems to reduce attack surface. ## 
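Review bot: The relocated Thunderbolt block is described as preventing DMA attacks, but an `install` override only stops the `thunderbolt` driver from being loaded on kernels that build it as a module; it does nothing when the driver is built in, and whether a device plugged in while the driver is absent gets a PCIe tunnel is decided by the firmware's Thunderbolt security level, not by this file. The IOMMU and busmaster-clearing boot parameters the README lists are the actual mitigation, and the comment should say so to avoid a false sense of coverage, e.g. `## Only prevents loading the driver; built-in drivers and firmware-established PCIe tunnels are unaffected, so IOMMU/DMA protection remains the primary mitigation.` A second caveat worth recording is that without the driver the kernel can no longer authorize devices on hosts that use the "user"/"secure" levels, so machines that depend on Thunderbolt docks will need to keep the module and rely on the IOMMU instead.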
@@ -175,6 +149,8 @@ install nfsv2 /usr/bin/disabled-netfilesys-by-security-misc install nfsv3 /usr/bin/disabled-netfilesys-by-security-misc install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc +## 2. Networking: + ## Network Protocols: ## Disables rare and unneeded network protocols that are a common source of unknown vulnerabilities. ## Previously had blacklisted eepro100 and eth1394. 
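Review bot: The new section header reads `## 2. Networking:` but the index added at the top of this file numbers the sections 1. Hardware, 2. File Systems, 3. Networking, 4. Miscellaneous, and the File Systems header already uses `## 2.`. This one should be `## 3. Networking:` so that the following `## 4. Miscellaneous:` does not skip a number.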
@@ -249,17 +225,62 @@ install rds_tcp /usr/bin/disabled-network-by-security-misc install sctp /usr/bin/disabled-network-by-security-misc install sctp_diag /usr/bin/disabled-network-by-security-misc -## Miscellaneous: -## +## 4. Miscellaneous: + ## Amateur Radios: ## install hamradio /usr/bin/disabled-miscellaneous-by-security-misc + +## CPU Model-Specific Registers (MSRs): +## Disable CPU MSRs as they can be abused to write to arbitrary memory. ## +## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode +## https://github.com/Kicksecure/security-misc/issues/215 +## +#install msr /usr/bin/disabled-miscellaneous-by-security-misc + ## Floppy Disks: ## install floppy /usr/bin/disabled-miscellaneous-by-security-misc + +## Framebuffer (fbdev): +## Video drivers are known to be buggy, cause kernel panics, and are generally only used by legacy devices. +## These were all previously blacklisted. ## -## Replaced: +## https://docs.kernel.org/fb/index.html +## https://en.wikipedia.org/wiki/Linux_framebuffer +## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco +## +install aty128fb /usr/bin/disabled-framebuffer-by-security-misc +install atyfb /usr/bin/disabled-framebuffer-by-security-misc +install cirrusfb /usr/bin/disabled-framebuffer-by-security-misc +install cyber2000fb /usr/bin/disabled-framebuffer-by-security-misc +install cyblafb /usr/bin/disabled-framebuffer-by-security-misc +install gx1fb /usr/bin/disabled-framebuffer-by-security-misc +install hgafb /usr/bin/disabled-framebuffer-by-security-misc +install i810fb /usr/bin/disabled-framebuffer-by-security-misc +install intelfb /usr/bin/disabled-framebuffer-by-security-misc +install kyrofb /usr/bin/disabled-framebuffer-by-security-misc +install lxfb /usr/bin/disabled-framebuffer-by-security-misc +install matroxfb_bases /usr/bin/disabled-framebuffer-by-security-misc +install neofb 
/usr/bin/disabled-framebuffer-by-security-misc +install nvidiafb /usr/bin/disabled-framebuffer-by-security-misc +install pm2fb /usr/bin/disabled-framebuffer-by-security-misc +install radeonfb /usr/bin/disabled-framebuffer-by-security-misc +install rivafb /usr/bin/disabled-framebuffer-by-security-misc +install s1d13xxxfb /usr/bin/disabled-framebuffer-by-security-misc +install savagefb /usr/bin/disabled-framebuffer-by-security-misc +install sisfb /usr/bin/disabled-framebuffer-by-security-misc +install sstfb /usr/bin/disabled-framebuffer-by-security-misc +install tdfxfb /usr/bin/disabled-framebuffer-by-security-misc +install tridentfb /usr/bin/disabled-framebuffer-by-security-misc +install vesafb /usr/bin/disabled-framebuffer-by-security-misc +install vfb /usr/bin/disabled-framebuffer-by-security-misc +install viafb /usr/bin/disabled-framebuffer-by-security-misc +install vt8623fb /usr/bin/disabled-framebuffer-by-security-misc +install udlfb /usr/bin/disabled-framebuffer-by-security-misc + +## Replaced Modules: ## These legacy drivers have all been entirely replaced and superseded by newer drivers. ## These were all previously blacklisted. ## @@ -269,7 +290,12 @@ install asus_acpi /usr/bin/disabled-miscellaneous-by-security-misc install bcm43xx /usr/bin/disabled-miscellaneous-by-security-misc install de4x5 /usr/bin/disabled-miscellaneous-by-security-misc install prism54 /usr/bin/disabled-miscellaneous-by-security-misc + +## USB Video Device Class: +## Disables the USB-based video streaming driver for devices like some webcams and digital camcorders. ## +#install uvcvideo /usr/bin/disabled-miscellaneous-by-security-misc + ## Vivid: ## Disables the vivid kernel module since it has been the cause of multiple vulnerabilities. ## 
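Review bot: The relocated framebuffer list carries `install matroxfb_bases /usr/bin/disabled-framebuffer-by-security-misc`, and I know of no in-tree module by that name: the Matrox fbdev driver is `matroxfb_base` (drivers/video/fbdev/matrox/), so this looks like a typo inherited from the Ubuntu blacklist the comment links to, and it leaves the real module loadable. Please confirm with `modinfo matroxfb_base` and change the entry to `install matroxfb_base /usr/bin/disabled-framebuffer-by-security-misc`. Because this block is now a hard `install` override rather than a blacklist, a misspelt name fails silently, so a one-time `modinfo` check of every name here against the kernels Kicksecure ships would be worthwhile.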
@@ -278,17 +304,3 @@ install prism54 /usr/bin/disabled-miscellaneous-by-security-misc ## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475 ## install vivid /usr/bin/disabled-miscellaneous-by-security-misc - -## Thunderbolt: -## Disables Thunderbolt modules to prevent some DMA attacks. -## -## https://en.wikipedia.org/wiki/Thunderbolt_(interface)#Security_vulnerabilities -## -install intel-wmi-thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc -install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc -install thunderbolt_net /usr/bin/disabled-thunderbolt-by-security-misc - -## USB Video Device Class: -## Disables the USB-based video streaming driver for devices like some webcams and digital camcorders. -## -#install uvcvideo /usr/bin/disabled-miscellaneous-by-security-misc From b87a18d4050bbf2add5cc4920684876a440e65bb Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 21 Aug 2024 12:51:51 +1000 Subject: [PATCH 06/11] README.md: Organise `sysctl`s --- README.md | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index 4742384..b33ae5f 100644 --- a/README.md +++ b/README.md @@ -11,10 +11,9 @@ implements all recommended Linux kernel settings by the KSPP and many more. ### sysctl sysctl settings are configured via the `/usr/lib/sysctl.d/990-security-misc.conf` -configuration file. +configuration file and significant hardening is applied to a myriad of components. -Significant hardening is applied by default to a myriad of components within kernel -space, user space, core dumps, and swap space. +Kernel space: - Restrict access to kernel addresses through the use of kernel pointers regardless of user privileges. 
@@ -50,6 +49,8 @@ space, user space, core dumps, and swap space. - Disable asynchronous I/O (when using Linux kernel >= 6.6) as `io_uring` has been the source of numerous kernel exploits. +User space: + - Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it enables programs to inspect and modify other active processes. Optional - Disable usage of `ptrace()` by all processes. @@ -68,12 +69,14 @@ space, user space, core dumps, and swap space. - Disallow registering interpreters for various (miscellaneous) binary formats based on a magic number or their file extension to prevent unintended code execution. +Core dumps: + - Disable core dump files and prevent their creation. If core dump files are enabled, they will be named based on `core.PID` instead of the default `core`. - Limit the copying of potentially sensitive content in memory to the swap device. -Various networking components of the TCP/IP stack are hardened for IPv4/6. +Networking: - Enable TCP SYN cookie protection to assist against SYN flood attacks. @@ -104,13 +107,6 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6. - Optional - Enable IPv6 Privacy Extensions. -### mmap ASLR - -- The bits of entropy used for mmap ASLR are maxed out via - `/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of - `CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX` - that the kernel was built with), therefore improving its effectiveness. - ### Boot parameters Mitigations for known CPU vulnerabilities are enabled in their strictest form 
@@ -178,6 +174,13 @@ configuration file. - Optional - Disable the entire IPv6 stack to reduce attack surface. +### mmap ASLR + +- The bits of entropy used for mmap ASLR are maxed out via + `/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of + `CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX` + that the kernel was built with), therefore improving its effectiveness. + ### Kernel Modules #### Kernel Module Signature Verification From 342caf82b20acc2931563449fafe9a98cbedaba2 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 21 Aug 2024 12:52:48 +1000 Subject: [PATCH 07/11] README.md: Organise kernel boot parameters --- README.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/README.md b/README.md index b33ae5f..65b188c 100644 --- a/README.md +++ b/README.md @@ -117,6 +117,8 @@ Boot parameters relating to kernel hardening, DMA mitigations, and entropy generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg` configuration file. +Kernel space: + - Disable merging of slabs with similar size, which reduces the risk of triggering heap overflows and limits influencing slab cache layout. 
@@ -160,18 +162,24 @@ configuration file. - Optional - Disable support for all x86 processes and syscalls (when using Linux kernel >= 6.7) to reduce attack surface. +Direct memory access: + - Enable strict IOMMU translation to protect against some DMA attacks via the use of both CPU manufacturer-specific drivers and kernel settings. - Clear the busmaster bit on all PCI bridges during the EFI hand-off, which disables DMA before the IOMMU is configured. May cause boot failure on certain hardware. +Entropy: + - Do not credit the CPU or bootloader as entropy sources at boot in order to maximize the absolute quantity of entropy in the combined pool. - Obtain more entropy at boot from RAM as the runtime memory allocator is being initialized. +Networking: + - Optional - Disable the entire IPv6 stack to reduce attack surface. ### mmap ASLR From af87a84b4f40b2ad9ac05dd9bce837665f239454 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 21 Aug 2024 12:52:48 +1000 Subject: [PATCH 08/11] README.md: Organise kernel boot parameters --- README.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/README.md b/README.md index da9254a..4d5410c 100644 --- a/README.md +++ b/README.md @@ -121,6 +121,8 @@ Boot parameters relating to kernel hardening, DMA mitigations, and entropy generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg` configuration file. +Kernel space: + - Disable merging of slabs with similar size, which reduces the risk of triggering heap overflows and limits influencing slab cache layout. 
@@ -164,18 +166,24 @@ configuration file. - Optional - Disable support for all x86 processes and syscalls (when using Linux kernel >= 6.7) to reduce attack surface. +Direct memory access: + - Enable strict IOMMU translation to protect against some DMA attacks via the use of both CPU manufacturer-specific drivers and kernel settings. - Clear the busmaster bit on all PCI bridges during the EFI hand-off, which disables DMA before the IOMMU is configured. May cause boot failure on certain hardware. +Entropy: + - Do not credit the CPU or bootloader as entropy sources at boot in order to maximize the absolute quantity of entropy in the combined pool. - Obtain more entropy at boot from RAM as the runtime memory allocator is being initialized. +Networking: + - Optional - Disable the entire IPv6 stack to reduce attack surface. ### Kernel Modules From 433b15f985545f531b87d09659bbbb89993b5a67 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 21 Aug 2024 12:51:51 +1000 Subject: [PATCH 09/11] README.md: Organise `sysctl`s --- README.md | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index 4d5410c..cf8d54c 100644 --- a/README.md +++ b/README.md @@ -11,10 +11,9 @@ implements all recommended Linux kernel settings by the KSPP and many more. ### sysctl sysctl settings are configured via the `/usr/lib/sysctl.d/990-security-misc.conf` -configuration file. +configuration file and significant hardening is applied to a myriad of components. -Significant hardening is applied by default to a myriad of components within kernel -space, user space, core dumps, and swap space. +Kernel space: - Restrict access to kernel addresses through the use of kernel pointers regardless of user privileges. 
@@ -50,6 +49,8 @@ space, user space, core dumps, and swap space. - Disable asynchronous I/O (when using Linux kernel >= 6.6) as `io_uring` has been the source of numerous kernel exploits. +User space: + - Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it enables programs to inspect and modify other active processes. Optional - Disable usage of `ptrace()` by all processes. @@ -68,12 +69,14 @@ space, user space, core dumps, and swap space. - Disallow registering interpreters for various (miscellaneous) binary formats based on a magic number or their file extension to prevent unintended code execution. +Core dumps: + - Disable core dump files and prevent their creation. If core dump files are enabled, they will be named based on `core.PID` instead of the default `core`. - Limit the copying of potentially sensitive content in memory to the swap device. -Various networking components of the TCP/IP stack are hardened for IPv4/6. +Networking: - Enable TCP SYN cookie protection to assist against SYN flood attacks. @@ -104,13 +107,6 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6. - Optional - Enable IPv6 Privacy Extensions. -### mmap ASLR - -- The bits of entropy used for mmap ASLR are maxed out via - `/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of - `CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX` - that the kernel was built with), therefore improving its effectiveness. - ### Boot parameters Mitigations for known CPU vulnerabilities are enabled in their strictest form 
@@ -186,6 +182,13 @@ Networking: - Optional - Disable the entire IPv6 stack to reduce attack surface. +### mmap ASLR + +- The bits of entropy used for mmap ASLR are maxed out via + `/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of + `CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX` + that the kernel was built with), therefore improving its effectiveness. + ### Kernel Modules #### Kernel Module Signature Verification From ae85fd5b4ce6f4716f95332c19b79d3daa8f7220 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 25 Aug 2024 14:33:40 +0000 Subject: [PATCH 10/11] bumped changelog version --- changelog.upstream | 18 ++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 24 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 7c57922..3dd86f4 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,21 @@ +commit 433b15f985545f531b87d09659bbbb89993b5a67 +Author: Raja Grewal +Date: Wed Aug 21 12:51:51 2024 +1000 + + README.md: Organise `sysctl`s + +commit af87a84b4f40b2ad9ac05dd9bce837665f239454 +Author: Raja Grewal +Date: Wed Aug 21 12:52:48 2024 +1000 + + README.md: Organise kernel boot parameters + +commit e962153f84c4cb8e13fb0cc25d611ae481c7a0c7 +Author: Patrick Schleizer +Date: Fri Aug 16 08:38:12 2024 +0000 + + bumped changelog version + commit 40b12f5a2a4a40d7033569b11ad4e1c228e7389b Merge: 12296c6 305467c Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index 2bc634a..f86a0c9 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:39.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 25 Aug 2024 14:33:39 +0000 + security-misc (3:39.0-1) unstable; urgency=medium * New upstream version (local package). From cf824ddb248957fd9e542c1a5adc5e90381f684c Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Sun, 25 Aug 2024 15:34:55 +0000 Subject: [PATCH 11/11] bumped changelog version --- changelog.upstream | 78 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++ 2 files changed, 84 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 3dd86f4..42493c9 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,39 @@ +commit 500568e322b2e3623fc649209d671c7b9d9fa097 +Merge: 43d13b7 73900b5 +Author: Patrick Schleizer +Date: Sun Aug 25 11:01:58 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 73900b59db37d77bc24bd5088aae3cc760aacc69 +Merge: 43d13b7 1f51d4e +Author: Patrick Schleizer +Date: Sun Aug 25 11:00:51 2024 -0400 + + Merge pull request #263 from raja-grewal/max_user_namespaces + + Provide option to disable user namespaces + +commit 43d13b70f12d2198a800054ce4d1ff901cc474f9 +Merge: 8353764 fae586c +Author: Patrick Schleizer +Date: Sun Aug 25 10:55:52 2024 -0400 + + Merge remote-tracking branch 'raja/syntax' + +commit 835376418d616699023f8e638666f43d34241863 +Merge: ae85fd5 342caf8 +Author: Patrick Schleizer +Date: Sun Aug 25 10:48:25 2024 -0400 + + Merge remote-tracking branch 'raja/mod' + +commit ae85fd5b4ce6f4716f95332c19b79d3daa8f7220 +Author: Patrick Schleizer +Date: Sun Aug 25 14:33:40 2024 +0000 + + bumped changelog version + commit 433b15f985545f531b87d09659bbbb89993b5a67 Author: Raja Grewal Date: Wed Aug 21 12:51:51 2024 +1000 
@@ -10,6 +46,42 @@ Date: Wed Aug 21 12:52:48 2024 +1000 README.md: Organise kernel boot parameters +commit 342caf82b20acc2931563449fafe9a98cbedaba2 +Author: Raja Grewal +Date: Wed Aug 21 12:52:48 2024 +1000 + + README.md: Organise kernel boot parameters + +commit b87a18d4050bbf2add5cc4920684876a440e65bb +Author: Raja Grewal +Date: Wed Aug 21 12:51:51 2024 +1000 + + README.md: Organise `sysctl`s + +commit 18ed77ecc93e9ee759a4990a32edb3dd671b8c26 +Author: Raja Grewal +Date: Wed Aug 21 12:50:14 2024 +1000 + + Refactor modprobe.d to minimise potential future merge conflicts + +commit 1f51d4eeb2b0c6e23ce64fb272eecb97e089324d +Author: Raja Grewal +Date: Sun Aug 18 13:53:11 2024 +1000 + + Add details on user namespaces + +commit 759aee8150a2d1258d73217c071b25432d47496f +Author: Raja Grewal +Date: Fri Aug 16 22:54:57 2024 +1000 + + Provide option to disable user namespaces + +commit fae586c3c5e8382ca01c60f810b26d88189a5514 +Author: Raja Grewal +Date: Fri Aug 16 19:23:48 2024 +1000 + + Patch bug in existing `rp_filter` `sysctl` + commit e962153f84c4cb8e13fb0cc25d611ae481c7a0c7 Author: Patrick Schleizer Date: Fri Aug 16 08:38:12 2024 +0000 @@ -88,6 +160,12 @@ Date: Fri Aug 16 13:12:07 2024 +1000 Typos +commit 23a77d4973ec20b2aaab6a9c3a9fd8a98034923e +Author: Raja Grewal +Date: Fri Aug 16 12:46:51 2024 +1000 + + Simplify syntax of some network-related `sysctl`'s + commit e3a3207a4447568a17129afe9dde34debc465e21 Author: Raja Grewal Date: Fri Aug 16 12:41:36 2024 +1000 diff --git a/debian/changelog b/debian/changelog index f86a0c9..309ed08 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:39.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 25 Aug 2024 15:34:54 +0000 + security-misc (3:39.1-1) unstable; urgency=medium * New upstream version (local package).