Merge branch 'Kicksecure:master' into kspp_compliance

raja-grewal 2024-08-26 11:08:21 +10:00 committed by GitHub
commit 9dbd200be4
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
6 changed files with 265 additions and 119 deletions


@ -12,10 +12,9 @@ many more sources.
### sysctl ### sysctl
sysctl settings are configured via the `/usr/lib/sysctl.d/990-security-misc.conf` sysctl settings are configured via the `/usr/lib/sysctl.d/990-security-misc.conf`
configuration file. configuration file and significant hardening is applied to a myriad of components.
Significant hardening is applied by default to a myriad of components within kernel Kernel space:
space, user space, core dumps, and swap space.
- Restrict access to kernel addresses through the use of kernel pointers regardless - Restrict access to kernel addresses through the use of kernel pointers regardless
of user privileges. of user privileges.
@ -38,7 +37,7 @@ space, user space, core dumps, and swap space.
can no longer be utilized. See [documentation](https://www.kicksecure.com/wiki/SysRq). can no longer be utilized. See [documentation](https://www.kicksecure.com/wiki/SysRq).
- Restrict user namespaces to `CAP_SYS_ADMIN` as they can lead to substantial - Restrict user namespaces to `CAP_SYS_ADMIN` as they can lead to substantial
privilege escalation. privilege escalation. Optional - Disable all use of user namespaces.
- Restrict kernel profiling and the performance events system to `CAP_PERFMON`. - Restrict kernel profiling and the performance events system to `CAP_PERFMON`.
@ -51,6 +50,8 @@ space, user space, core dumps, and swap space.
- Disable asynchronous I/O (when using Linux kernel >= 6.6) as `io_uring` has been - Disable asynchronous I/O (when using Linux kernel >= 6.6) as `io_uring` has been
the source of numerous kernel exploits. the source of numerous kernel exploits.
User space:
- Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it - Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it
enables programs to inspect and modify other active processes. Optional - Disable enables programs to inspect and modify other active processes. Optional - Disable
usage of `ptrace()` by all processes. usage of `ptrace()` by all processes.
@ -69,12 +70,14 @@ space, user space, core dumps, and swap space.
- Disallow registering interpreters for various (miscellaneous) binary formats based - Disallow registering interpreters for various (miscellaneous) binary formats based
on a magic number or their file extension to prevent unintended code execution. on a magic number or their file extension to prevent unintended code execution.
Core dumps:
- Disable core dump files and prevent their creation. If core dump files are - Disable core dump files and prevent their creation. If core dump files are
enabled, they will be named based on `core.PID` instead of the default `core`. enabled, they will be named based on `core.PID` instead of the default `core`.
- Limit the copying of potentially sensitive content in memory to the swap device. - Limit the copying of potentially sensitive content in memory to the swap device.
Various networking components of the TCP/IP stack are hardened for IPv4/6. Networking:
- Enable TCP SYN cookie protection to assist against SYN flood attacks. - Enable TCP SYN cookie protection to assist against SYN flood attacks.
@ -105,13 +108,6 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6.
- Optional - Enable IPv6 Privacy Extensions. - Optional - Enable IPv6 Privacy Extensions.
### mmap ASLR
- The bits of entropy used for mmap ASLR are maxed out via
`/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of
`CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX`
that the kernel was built with), therefore improving its effectiveness.
### Boot parameters ### Boot parameters
Mitigations for known CPU vulnerabilities are enabled in their strictest form Mitigations for known CPU vulnerabilities are enabled in their strictest form
@ -122,6 +118,8 @@ Boot parameters relating to kernel hardening, DMA mitigations, and entropy
generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg` generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg`
configuration file. configuration file.
Kernel space:
- Disable merging of slabs with similar size, which reduces the risk of - Disable merging of slabs with similar size, which reduces the risk of
triggering heap overflows and limits influencing slab cache layout. triggering heap overflows and limits influencing slab cache layout.
@ -165,20 +163,33 @@ configuration file.
- Optional - Disable support for all x86 processes and syscalls (when using Linux kernel >= 6.7) - Optional - Disable support for all x86 processes and syscalls (when using Linux kernel >= 6.7)
to reduce attack surface. to reduce attack surface.
Direct memory access:
- Enable strict IOMMU translation to protect against some DMA attacks via the use - Enable strict IOMMU translation to protect against some DMA attacks via the use
of both CPU manufacturer-specific drivers and kernel settings. of both CPU manufacturer-specific drivers and kernel settings.
- Clear the busmaster bit on all PCI bridges during the EFI hand-off, which disables - Clear the busmaster bit on all PCI bridges during the EFI hand-off, which disables
DMA before the IOMMU is configured. May cause boot failure on certain hardware. DMA before the IOMMU is configured. May cause boot failure on certain hardware.
Entropy:
- Do not credit the CPU or bootloader as entropy sources at boot in order to - Do not credit the CPU or bootloader as entropy sources at boot in order to
maximize the absolute quantity of entropy in the combined pool. maximize the absolute quantity of entropy in the combined pool.
- Obtain more entropy at boot from RAM as the runtime memory allocator is - Obtain more entropy at boot from RAM as the runtime memory allocator is
being initialized. being initialized.
Networking:
- Optional - Disable the entire IPv6 stack to reduce attack surface. - Optional - Disable the entire IPv6 stack to reduce attack surface.
### mmap ASLR
- The bits of entropy used for mmap ASLR are maxed out via
`/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of
`CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX`
that the kernel was built with), therefore improving its effectiveness.
### Kernel Modules ### Kernel Modules
#### Kernel Module Signature Verification #### Kernel Module Signature Verification
@ -224,17 +235,12 @@ modules from starting. This approach should not be considered comprehensive;
rather, it is a form of badness enumeration. Any potential candidates for future rather, it is a form of badness enumeration. Any potential candidates for future
disabling should first be blacklisted for a suitable amount of time. disabling should first be blacklisted for a suitable amount of time.
Hardware modules:
- Optional - Bluetooth: Disabled to reduce attack surface. - Optional - Bluetooth: Disabled to reduce attack surface.
- Optional - CPU MSRs: Disabled as can be abused to write to arbitrary memory.
- File Systems: Disable uncommon and legacy file systems.
- FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks. - FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks.
- Framebuffer (fbdev): Disabled as drivers are well-known to be buggy, cause
kernel panics, and are generally only used by legacy devices.
- GPS: Disable GPS-related modules such as those required for Global Navigation - GPS: Disable GPS-related modules such as those required for Global Navigation
Satellite Systems (GNSS). Satellite Systems (GNSS).
@ -245,20 +251,38 @@ disabling should first be blacklisted for a suitable amount of time.
- Intel Platform Monitoring Technology (PMT) Telemetry: Disable some functionality - Intel Platform Monitoring Technology (PMT) Telemetry: Disable some functionality
of the Intel PMT components. of the Intel PMT components.
- Thunderbolt: Disabled as they are often vulnerable to DMA attacks.
File system modules:
- File Systems: Disable uncommon and legacy file systems.
- Network File Systems: Disable uncommon and legacy network file systems. - Network File Systems: Disable uncommon and legacy network file systems.
Networking modules:
- Network Protocols: A wide array of uncommon and legacy network protocols and drivers - Network Protocols: A wide array of uncommon and legacy network protocols and drivers
are disabled. are disabled.
- Miscellaneous: Disable an assortment of other modules such as those required Miscellaneous modules:
for amateur radio, floppy disks, and vivid. Also disable legacy drivers that
have been entirely replaced by newer drivers.
- Thunderbolt: Disabled as they are often vulnerable to DMA attacks. - Amateur Radios: Disabled to reduce attack surface.
- Optional - CPU MSRs: Disabled as can be abused to write to arbitrary memory.
- Floppy Disks: Disabled to reduce attack surface.
- Framebuffer (fbdev): Disabled as these drivers are well-known to be buggy, cause
kernel panics, and are generally only used by legacy devices.
- Replaced Modules: Disabled legacy drivers that have been entirely replaced and
superseded by newer drivers.
- Optional - USB Video Device Class: Disables the USB-based video streaming driver for - Optional - USB Video Device Class: Disables the USB-based video streaming driver for
devices like some webcams and digital camcorders. devices like some webcams and digital camcorders.
- Vivid: Disabled to reduce attack surface given previous vulnerabilities.
### Other ### Other
- A systemd service clears the System.map file on boot as these contain kernel - A systemd service clears the System.map file on boot as these contain kernel


@ -1,3 +1,93 @@
commit 500568e322b2e3623fc649209d671c7b9d9fa097
Merge: 43d13b7 73900b5
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Sun Aug 25 11:01:58 2024 -0400
Merge remote-tracking branch 'github-kicksecure/master'
commit 73900b59db37d77bc24bd5088aae3cc760aacc69
Merge: 43d13b7 1f51d4e
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Sun Aug 25 11:00:51 2024 -0400
Merge pull request #263 from raja-grewal/max_user_namespaces
Provide option to disable user namespaces
commit 43d13b70f12d2198a800054ce4d1ff901cc474f9
Merge: 8353764 fae586c
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Sun Aug 25 10:55:52 2024 -0400
Merge remote-tracking branch 'raja/syntax'
commit 835376418d616699023f8e638666f43d34241863
Merge: ae85fd5 342caf8
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Sun Aug 25 10:48:25 2024 -0400
Merge remote-tracking branch 'raja/mod'
commit ae85fd5b4ce6f4716f95332c19b79d3daa8f7220
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Sun Aug 25 14:33:40 2024 +0000
bumped changelog version
commit 433b15f985545f531b87d09659bbbb89993b5a67
Author: Raja Grewal <rg_public@proton.me>
Date: Wed Aug 21 12:51:51 2024 +1000
README.md: Organise `sysctl`s
commit af87a84b4f40b2ad9ac05dd9bce837665f239454
Author: Raja Grewal <rg_public@proton.me>
Date: Wed Aug 21 12:52:48 2024 +1000
README.md: Organise kernel boot parameters
commit 342caf82b20acc2931563449fafe9a98cbedaba2
Author: Raja Grewal <rg_public@proton.me>
Date: Wed Aug 21 12:52:48 2024 +1000
README.md: Organise kernel boot parameters
commit b87a18d4050bbf2add5cc4920684876a440e65bb
Author: Raja Grewal <rg_public@proton.me>
Date: Wed Aug 21 12:51:51 2024 +1000
README.md: Organise `sysctl`s
commit 18ed77ecc93e9ee759a4990a32edb3dd671b8c26
Author: Raja Grewal <rg_public@proton.me>
Date: Wed Aug 21 12:50:14 2024 +1000
Refactor modprobe.d to minimise potential future merge conflicts
commit 1f51d4eeb2b0c6e23ce64fb272eecb97e089324d
Author: Raja Grewal <rg_public@proton.me>
Date: Sun Aug 18 13:53:11 2024 +1000
Add details on user namespaces
commit 759aee8150a2d1258d73217c071b25432d47496f
Author: Raja Grewal <rg_public@proton.me>
Date: Fri Aug 16 22:54:57 2024 +1000
Provide option to disable user namespaces
commit fae586c3c5e8382ca01c60f810b26d88189a5514
Author: Raja Grewal <rg_public@proton.me>
Date: Fri Aug 16 19:23:48 2024 +1000
Patch bug in existing `rp_filter` `sysctl`
commit e962153f84c4cb8e13fb0cc25d611ae481c7a0c7
Author: Patrick Schleizer <adrelanos@whonix.org>
Date: Fri Aug 16 08:38:12 2024 +0000
bumped changelog version
commit 40b12f5a2a4a40d7033569b11ad4e1c228e7389b commit 40b12f5a2a4a40d7033569b11ad4e1c228e7389b
Merge: 12296c6 305467c Merge: 12296c6 305467c
Author: Patrick Schleizer <adrelanos@whonix.org> Author: Patrick Schleizer <adrelanos@whonix.org>
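Review bot: the imported upstream log now lists `README.md: Organise \`sysctl\`s` twice (433b15f and b87a18d) and `README.md: Organise kernel boot parameters` twice (af87a84 and 342caf8), each pair with identical author and date, so the same two changes are recorded once through the `raja/mod` and `raja/syntax` merges and once more as separate copies. Not a defect introduced by this merge, but confirm the duplicated history is intended rather than a rebase that should have been fast-forwarded, since both copies will appear in every future `git log` of the file.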
@ -70,6 +160,12 @@ Date: Fri Aug 16 13:12:07 2024 +1000
Typos Typos
commit 23a77d4973ec20b2aaab6a9c3a9fd8a98034923e
Author: Raja Grewal <rg_public@proton.me>
Date: Fri Aug 16 12:46:51 2024 +1000
Simplify syntax of some network-related `sysctl`'s
commit e3a3207a4447568a17129afe9dde34debc465e21 commit e3a3207a4447568a17129afe9dde34debc465e21
Author: Raja Grewal <rg_public@proton.me> Author: Raja Grewal <rg_public@proton.me>
Date: Fri Aug 16 12:41:36 2024 +1000 Date: Fri Aug 16 12:41:36 2024 +1000

debian/changelog

@ -1,3 +1,15 @@
security-misc (3:39.2-1) unstable; urgency=medium
* New upstream version (local package).
-- Patrick Schleizer <adrelanos@whonix.org> Sun, 25 Aug 2024 15:34:54 +0000
security-misc (3:39.1-1) unstable; urgency=medium
* New upstream version (local package).
-- Patrick Schleizer <adrelanos@whonix.org> Sun, 25 Aug 2024 14:33:39 +0000
security-misc (3:39.0-1) unstable; urgency=medium security-misc (3:39.0-1) unstable; urgency=medium
* New upstream version (local package). * New upstream version (local package).


@ -22,7 +22,7 @@ blacklist sr_mod
#install sr_mod /usr/bin/disabled-cdrom-by-security-misc #install sr_mod /usr/bin/disabled-cdrom-by-security-misc
## Miscellaneous: ## Miscellaneous:
##
## GrapheneOS: ## GrapheneOS:
## Partial selection of their infrastructure blacklist. ## Partial selection of their infrastructure blacklist.
## Duplicate and already disabled modules have been omitted. ## Duplicate and already disabled modules have been omitted.
@ -39,7 +39,7 @@ blacklist snd_intel8x0
#blacklist tls #blacklist tls
#blacklist virtio_balloon #blacklist virtio_balloon
#blacklist virtio_console #blacklist virtio_console
##
## Ubuntu: ## Ubuntu:
## Already disabled modules have been omitted. ## Already disabled modules have been omitted.
## ##


@ -8,6 +8,14 @@
## Blacklisting prevents kernel modules from automatically starting. ## Blacklisting prevents kernel modules from automatically starting.
## Disabling prohibits kernel modules from starting. ## Disabling prohibits kernel modules from starting.
## This configuration file is split into 4 sections:
## 1. Hardware
## 2. File Systems
## 3. Networking
## 4. Miscellaneous
## 1. Hardware:
## Bluetooth: ## Bluetooth:
## Disable Bluetooth to reduce attack surface due to extended history of security vulnerabilities. ## Disable Bluetooth to reduce attack surface due to extended history of security vulnerabilities.
## ##
@ -34,27 +42,6 @@
#install btusb /usr/bin/disabled-bluetooth-by-security-misc #install btusb /usr/bin/disabled-bluetooth-by-security-misc
#install virtio_bt /usr/bin/disabled-bluetooth-by-security-misc #install virtio_bt /usr/bin/disabled-bluetooth-by-security-misc
## CPU Model-Specific Registers (MSRs):
## Disable CPU MSRs as they can be abused to write to arbitrary memory.
##
## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode
## https://github.com/Kicksecure/security-misc/issues/215
##
#install msr /usr/bin/disabled-miscellaneous-by-security-misc
## File Systems:
## Disable uncommon file systems to reduce attack surface.
## HFS/HFS+ are legacy Apple file systems that may be required depending on the EFI partition format.
##
install cramfs /usr/bin/disabled-filesys-by-security-misc
install freevxfs /usr/bin/disabled-filesys-by-security-misc
install hfs /usr/bin/disabled-filesys-by-security-misc
install hfsplus /usr/bin/disabled-filesys-by-security-misc
install jffs2 /usr/bin/disabled-filesys-by-security-misc
install jfs /usr/bin/disabled-filesys-by-security-misc
install reiserfs /usr/bin/disabled-filesys-by-security-misc
install udf /usr/bin/disabled-filesys-by-security-misc
## FireWire (IEEE 1394): ## FireWire (IEEE 1394):
## Disable IEEE 1394 (FireWire/i.LINK/Lynx) modules to prevent some DMA attacks. ## Disable IEEE 1394 (FireWire/i.LINK/Lynx) modules to prevent some DMA attacks.
## ##
@ -70,43 +57,6 @@ install raw1394 /usr/bin/disabled-firewire-by-security-misc
install sbp2 /usr/bin/disabled-firewire-by-security-misc install sbp2 /usr/bin/disabled-firewire-by-security-misc
install video1394 /usr/bin/disabled-firewire-by-security-misc install video1394 /usr/bin/disabled-firewire-by-security-misc
## Framebuffer (fbdev):
## Video drivers are known to be buggy, cause kernel panics, and are generally only used by legacy devices.
## These were all previously blacklisted.
##
## https://docs.kernel.org/fb/index.html
## https://en.wikipedia.org/wiki/Linux_framebuffer
## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco
##
install aty128fb /usr/bin/disabled-framebuffer-by-security-misc
install atyfb /usr/bin/disabled-framebuffer-by-security-misc
install cirrusfb /usr/bin/disabled-framebuffer-by-security-misc
install cyber2000fb /usr/bin/disabled-framebuffer-by-security-misc
install cyblafb /usr/bin/disabled-framebuffer-by-security-misc
install gx1fb /usr/bin/disabled-framebuffer-by-security-misc
install hgafb /usr/bin/disabled-framebuffer-by-security-misc
install i810fb /usr/bin/disabled-framebuffer-by-security-misc
install intelfb /usr/bin/disabled-framebuffer-by-security-misc
install kyrofb /usr/bin/disabled-framebuffer-by-security-misc
install lxfb /usr/bin/disabled-framebuffer-by-security-misc
install matroxfb_bases /usr/bin/disabled-framebuffer-by-security-misc
install neofb /usr/bin/disabled-framebuffer-by-security-misc
install nvidiafb /usr/bin/disabled-framebuffer-by-security-misc
install pm2fb /usr/bin/disabled-framebuffer-by-security-misc
install radeonfb /usr/bin/disabled-framebuffer-by-security-misc
install rivafb /usr/bin/disabled-framebuffer-by-security-misc
install s1d13xxxfb /usr/bin/disabled-framebuffer-by-security-misc
install savagefb /usr/bin/disabled-framebuffer-by-security-misc
install sisfb /usr/bin/disabled-framebuffer-by-security-misc
install sstfb /usr/bin/disabled-framebuffer-by-security-misc
install tdfxfb /usr/bin/disabled-framebuffer-by-security-misc
install tridentfb /usr/bin/disabled-framebuffer-by-security-misc
install vesafb /usr/bin/disabled-framebuffer-by-security-misc
install vfb /usr/bin/disabled-framebuffer-by-security-misc
install viafb /usr/bin/disabled-framebuffer-by-security-misc
install vt8623fb /usr/bin/disabled-framebuffer-by-security-misc
install udlfb /usr/bin/disabled-framebuffer-by-security-misc
## Global Positioning Systems (GPS): ## Global Positioning Systems (GPS):
## Disable GPS-related modules like GNSS (Global Navigation Satellite System). ## Disable GPS-related modules like GNSS (Global Navigation Satellite System).
## ##
@ -152,6 +102,30 @@ install pmt_class /usr/bin/disabled-intelpmt-by-security-misc
install pmt_crashlog /usr/bin/disabled-intelpmt-by-security-misc install pmt_crashlog /usr/bin/disabled-intelpmt-by-security-misc
install pmt_telemetry /usr/bin/disabled-intelpmt-by-security-misc install pmt_telemetry /usr/bin/disabled-intelpmt-by-security-misc
## Thunderbolt:
## Disables Thunderbolt modules to prevent some DMA attacks.
##
## https://en.wikipedia.org/wiki/Thunderbolt_(interface)#Security_vulnerabilities
##
install intel-wmi-thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
install thunderbolt_net /usr/bin/disabled-thunderbolt-by-security-misc
## 2. File Systems:
## File Systems:
## Disable uncommon file systems to reduce attack surface.
## HFS/HFS+ are legacy Apple file systems that may be required depending on the EFI partition format.
##
install cramfs /usr/bin/disabled-filesys-by-security-misc
install freevxfs /usr/bin/disabled-filesys-by-security-misc
install hfs /usr/bin/disabled-filesys-by-security-misc
install hfsplus /usr/bin/disabled-filesys-by-security-misc
install jffs2 /usr/bin/disabled-filesys-by-security-misc
install jfs /usr/bin/disabled-filesys-by-security-misc
install reiserfs /usr/bin/disabled-filesys-by-security-misc
install udf /usr/bin/disabled-filesys-by-security-misc
## Network File Systems: ## Network File Systems:
## Disable uncommon network file systems to reduce attack surface. ## Disable uncommon network file systems to reduce attack surface.
## ##
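Review bot: `## 2. File Systems:` is immediately followed by `## File Systems:`, so the numbered section heading and the first category heading say the same thing twice. The other sections do not do this (`## 1. Hardware:` goes straight into `## Bluetooth:`, and `## 4. Miscellaneous:` is separated from `## Amateur Radios:` by a bare `##` line), so drop the duplicate `## File Systems:` line, or replace it with a `##` separator to match the Miscellaneous section.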
@ -175,6 +149,8 @@ install nfsv2 /usr/bin/disabled-netfilesys-by-security-misc
install nfsv3 /usr/bin/disabled-netfilesys-by-security-misc install nfsv3 /usr/bin/disabled-netfilesys-by-security-misc
install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc
## 2. Networking:
## Network Protocols: ## Network Protocols:
## Disables rare and unneeded network protocols that are a common source of unknown vulnerabilities. ## Disables rare and unneeded network protocols that are a common source of unknown vulnerabilities.
## Previously had blacklisted eepro100 and eth1394. ## Previously had blacklisted eepro100 and eth1394.
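Review bot: the section number is wrong: the header added at the top of this file lists Networking as section 3, and this hunk comes after `## 2. File Systems:`, yet the heading reads `## 2. Networking:`. Change it to `## 3. Networking:` so the numbering matches the table of contents in the header.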
@ -249,17 +225,62 @@ install rds_tcp /usr/bin/disabled-network-by-security-misc
install sctp /usr/bin/disabled-network-by-security-misc install sctp /usr/bin/disabled-network-by-security-misc
install sctp_diag /usr/bin/disabled-network-by-security-misc install sctp_diag /usr/bin/disabled-network-by-security-misc
## Miscellaneous: ## 4. Miscellaneous:
##
## Amateur Radios: ## Amateur Radios:
## ##
install hamradio /usr/bin/disabled-miscellaneous-by-security-misc install hamradio /usr/bin/disabled-miscellaneous-by-security-misc
## CPU Model-Specific Registers (MSRs):
## Disable CPU MSRs as they can be abused to write to arbitrary memory.
## ##
## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode
## https://github.com/Kicksecure/security-misc/issues/215
##
#install msr /usr/bin/disabled-miscellaneous-by-security-misc
## Floppy Disks: ## Floppy Disks:
## ##
install floppy /usr/bin/disabled-miscellaneous-by-security-misc install floppy /usr/bin/disabled-miscellaneous-by-security-misc
## Framebuffer (fbdev):
## Video drivers are known to be buggy, cause kernel panics, and are generally only used by legacy devices.
## These were all previously blacklisted.
## ##
## Replaced: ## https://docs.kernel.org/fb/index.html
## https://en.wikipedia.org/wiki/Linux_framebuffer
## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco
##
install aty128fb /usr/bin/disabled-framebuffer-by-security-misc
install atyfb /usr/bin/disabled-framebuffer-by-security-misc
install cirrusfb /usr/bin/disabled-framebuffer-by-security-misc
install cyber2000fb /usr/bin/disabled-framebuffer-by-security-misc
install cyblafb /usr/bin/disabled-framebuffer-by-security-misc
install gx1fb /usr/bin/disabled-framebuffer-by-security-misc
install hgafb /usr/bin/disabled-framebuffer-by-security-misc
install i810fb /usr/bin/disabled-framebuffer-by-security-misc
install intelfb /usr/bin/disabled-framebuffer-by-security-misc
install kyrofb /usr/bin/disabled-framebuffer-by-security-misc
install lxfb /usr/bin/disabled-framebuffer-by-security-misc
install matroxfb_bases /usr/bin/disabled-framebuffer-by-security-misc
install neofb /usr/bin/disabled-framebuffer-by-security-misc
install nvidiafb /usr/bin/disabled-framebuffer-by-security-misc
install pm2fb /usr/bin/disabled-framebuffer-by-security-misc
install radeonfb /usr/bin/disabled-framebuffer-by-security-misc
install rivafb /usr/bin/disabled-framebuffer-by-security-misc
install s1d13xxxfb /usr/bin/disabled-framebuffer-by-security-misc
install savagefb /usr/bin/disabled-framebuffer-by-security-misc
install sisfb /usr/bin/disabled-framebuffer-by-security-misc
install sstfb /usr/bin/disabled-framebuffer-by-security-misc
install tdfxfb /usr/bin/disabled-framebuffer-by-security-misc
install tridentfb /usr/bin/disabled-framebuffer-by-security-misc
install vesafb /usr/bin/disabled-framebuffer-by-security-misc
install vfb /usr/bin/disabled-framebuffer-by-security-misc
install viafb /usr/bin/disabled-framebuffer-by-security-misc
install vt8623fb /usr/bin/disabled-framebuffer-by-security-misc
install udlfb /usr/bin/disabled-framebuffer-by-security-misc
## Replaced Modules:
## These legacy drivers have all been entirely replaced and superseded by newer drivers. ## These legacy drivers have all been entirely replaced and superseded by newer drivers.
## These were all previously blacklisted. ## These were all previously blacklisted.
## ##
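Review bot: since the framebuffer block is being relocated here anyway, `install matroxfb_bases /usr/bin/disabled-framebuffer-by-security-misc` deserves a second look: every other entry in the block is a bare driver name ending in `fb`, and `matroxfb_bases` breaks that pattern, which reads like a typo for the real module name. An `install` rule for a name that no module carries is silently inert, so verify the name with `modinfo` and correct it as part of the move rather than carrying it across unchanged.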
@ -269,7 +290,12 @@ install asus_acpi /usr/bin/disabled-miscellaneous-by-security-misc
install bcm43xx /usr/bin/disabled-miscellaneous-by-security-misc install bcm43xx /usr/bin/disabled-miscellaneous-by-security-misc
install de4x5 /usr/bin/disabled-miscellaneous-by-security-misc install de4x5 /usr/bin/disabled-miscellaneous-by-security-misc
install prism54 /usr/bin/disabled-miscellaneous-by-security-misc install prism54 /usr/bin/disabled-miscellaneous-by-security-misc
## USB Video Device Class:
## Disables the USB-based video streaming driver for devices like some webcams and digital camcorders.
## ##
#install uvcvideo /usr/bin/disabled-miscellaneous-by-security-misc
## Vivid: ## Vivid:
## Disables the vivid kernel module since it has been the cause of multiple vulnerabilities. ## Disables the vivid kernel module since it has been the cause of multiple vulnerabilities.
## ##
@ -278,17 +304,3 @@ install prism54 /usr/bin/disabled-miscellaneous-by-security-misc
## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475 ## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475
## ##
install vivid /usr/bin/disabled-miscellaneous-by-security-misc install vivid /usr/bin/disabled-miscellaneous-by-security-misc
## Thunderbolt:
## Disables Thunderbolt modules to prevent some DMA attacks.
##
## https://en.wikipedia.org/wiki/Thunderbolt_(interface)#Security_vulnerabilities
##
install intel-wmi-thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
install thunderbolt_net /usr/bin/disabled-thunderbolt-by-security-misc
## USB Video Device Class:
## Disables the USB-based video streaming driver for devices like some webcams and digital camcorders.
##
#install uvcvideo /usr/bin/disabled-miscellaneous-by-security-misc


@ -114,11 +114,20 @@ kernel.sysrq=0
## User namespaces aim to improve sandboxing and accessibility for unprivileged users. ## User namespaces aim to improve sandboxing and accessibility for unprivileged users.
## Unprivileged user namespaces pose substantial privilege escalation risks. ## Unprivileged user namespaces pose substantial privilege escalation risks.
## Restricting may lead to breakages in numerous software packages. ## Restricting may lead to breakages in numerous software packages.
## Uncomment the second sysctl to entirely disable user namespaces.
## Disabling entirely will reduce compatibility with some AppArmor profiles.
## ##
## https://lwn.net/Articles/673597/
## https://madaidans-insecurities.github.io/linux.html#kernel ## https://madaidans-insecurities.github.io/linux.html#kernel
## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers ## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers
## https://github.com/NixOS/nixpkgs/pull/84522#issuecomment-614640601
## https://github.com/Kicksecure/security-misc/pull/263
##
## KSPP=partial
## KSPP sets the stricter sysctl user.max_user_namespaces=0.
## ##
kernel.unprivileged_userns_clone=0 kernel.unprivileged_userns_clone=0
#user.max_user_namespaces=0
## Restricts kernel profiling to users with CAP_PERFMON. ## Restricts kernel profiling to users with CAP_PERFMON.
## The performance events system should not be accessible by unprivileged users. ## The performance events system should not be accessible by unprivileged users.
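Review bot: the new comment tells the reader to uncomment the second sysctl, but it does not say that the first one, `kernel.unprivileged_userns_clone`, is a knob added by the Debian/Ubuntu kernel patch and is not present in mainline, whereas `user.max_user_namespaces` is the upstream key. On a kernel without that patch, systemd-sysctl only logs a warning for the unknown key and the active line restricts nothing, so the commented fallback is the one that would actually apply. Suggest adding a line such as `## kernel.unprivileged_userns_clone exists only on kernels carrying the Debian/Ubuntu patch; user.max_user_namespaces is the mainline equivalent.` next to the existing `## KSPP sets the stricter sysctl user.max_user_namespaces=0.` line.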
@ -353,13 +362,15 @@ net.ipv4.tcp_rfc1337=1
## Enable reverse path filtering (source validation) of packets received from all interfaces. ## Enable reverse path filtering (source validation) of packets received from all interfaces.
## Prevents IP spoofing and mitigates vulnerabilities such as CVE-2019-14899. ## Prevents IP spoofing and mitigates vulnerabilities such as CVE-2019-14899.
## The second "default" command fixes a bug in the existing kernel implementation.
## ##
## https://en.wikipedia.org/wiki/IP_address_spoofing ## https://en.wikipedia.org/wiki/IP_address_spoofing
## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-reverse_path_forwarding#sect-Security_Guide-Server_Security-Reverse_Path_Forwarding ## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-reverse_path_forwarding#sect-Security_Guide-Server_Security-Reverse_Path_Forwarding
## https://forums.whonix.org/t/enable-reverse-path-filtering/8594 ## https://forums.whonix.org/t/enable-reverse-path-filtering/8594
## https://seclists.org/oss-sec/2019/q4/122 ## https://seclists.org/oss-sec/2019/q4/122
## https://github.com/Kicksecure/security-misc/pull/261
## ##
net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.*.rp_filter=1
net.ipv4.conf.default.rp_filter=1 net.ipv4.conf.default.rp_filter=1
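Review bot: the added comment `## The second "default" command fixes a bug in the existing kernel implementation.` does not say what the bug is, and with the glob form `net.ipv4.conf.*.rp_filter=1` the wildcard already expands to the `default` key, so the retained `net.ipv4.conf.default.rp_filter=1` line is a duplicate as written. Either state the actual behaviour being worked around in the comment (the PR #261 link alone does not help someone reading the file offline) or drop the redundant line. It would also help to note that glob keys are expanded by systemd-sysctl against the keys that exist when the file is applied, so interfaces created later are covered only through `default`, which is the real reason an explicit `default` setting can matter.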
## Disable ICMP redirect acceptance and redirect sending messages. ## Disable ICMP redirect acceptance and redirect sending messages.
@ -373,14 +384,10 @@ net.ipv4.conf.default.rp_filter=1
## https://askubuntu.com/questions/118273/what-are-icmp-redirects-and-should-they-be-blocked ## https://askubuntu.com/questions/118273/what-are-icmp-redirects-and-should-they-be-blocked
## https://github.com/Kicksecure/security-misc/pull/248 ## https://github.com/Kicksecure/security-misc/pull/248
## ##
net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.*.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0 net.ipv4.conf.*.send_redirects=0
net.ipv4.conf.all.send_redirects=0 net.ipv6.conf.*.accept_redirects=0
net.ipv4.conf.default.send_redirects=0 #net.ipv4.conf.*.secure_redirects=1
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
#net.ipv4.conf.all.secure_redirects=1
#net.ipv4.conf.default.secure_redirects=1
## Ignore ICMP echo requests. ## Ignore ICMP echo requests.
## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks. ## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks.
@ -400,15 +407,12 @@ net.ipv4.icmp_ignore_bogus_error_responses=1
## ##
## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-disable-source-routing ## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-disable-source-routing
## ##
net.ipv4.conf.all.accept_source_route=0 net.ipv4.conf.*.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0 net.ipv6.conf.*.accept_source_route=0
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0
## Do not accept IPv6 router advertisements and solicitations. ## Do not accept IPv6 router advertisements and solicitations.
## ##
net.ipv6.conf.all.accept_ra=0 net.ipv6.conf.*.accept_ra=0
net.ipv6.conf.default.accept_ra=0
## Disable SACK and DSACK. ## Disable SACK and DSACK.
## Select acknowledgements (SACKs) are a known common vector of exploitation. ## Select acknowledgements (SACKs) are a known common vector of exploitation.
@ -451,8 +455,7 @@ net.ipv4.tcp_timestamps=0
## ##
## The logging of martian packets is currently disabled. ## The logging of martian packets is currently disabled.
## ##
#net.ipv4.conf.all.log_martians=1 #net.ipv4.conf.*.log_martians=1
#net.ipv4.conf.default.log_martians=1
## Enable IPv6 Privacy Extensions to prefer temporary addresses over public addresses. ## Enable IPv6 Privacy Extensions to prefer temporary addresses over public addresses.
## The temporary/privacy address is used as the source for all outgoing traffic. ## The temporary/privacy address is used as the source for all outgoing traffic.
@ -468,5 +471,4 @@ net.ipv4.tcp_timestamps=0
## ##
## The use of IPv6 Privacy Extensions is currently disabled due to these breakages. ## The use of IPv6 Privacy Extensions is currently disabled due to these breakages.
## ##
#net.ipv6.conf.all.use_tempaddr=2 #net.ipv6.conf.*.use_tempaddr=2
#net.ipv6.conf.default.use_tempaddr=2