mirror of
https://github.com/Kicksecure/security-misc.git
synced 2025-11-25 19:06:20 -05:00
Merge branch 'trixie_docs' into arraybolt3/trixie
This commit is contained in:
Aaron Rainbolt
commit
a2a9e8440b
5 changed files with 9 additions and 16 deletions
|
|
@ -52,8 +52,7 @@ configuration file and significant hardening is applied to a myriad of component
|
|||
|
||||
- Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
|
||||
|
||||
- Disable asynchronous I/O (when using Linux kernel >= 6.6) as `io_uring` has been
|
||||
the source of numerous kernel exploits.
|
||||
- Disable asynchronous I/O as `io_uring` has been the source of numerous kernel exploits.
|
||||
|
||||
#### User space
|
||||
|
||||
|
|
@ -225,8 +224,7 @@ Kernel space:
|
|||
since it may be slightly more resilient to attacks that are able to write
|
||||
arbitrary executables in memory.
|
||||
|
||||
- Optional - Disable support for all x86 processes and syscalls (when using Linux kernel >= 6.7)
|
||||
to reduce attack surface.
|
||||
- Optional - Disable support for all x86 processes and syscalls to reduce attack surface.
|
||||
|
||||
- Disable the EFI persistent storage feature which prevents the kernel from writing crash logs
|
||||
and other persistent data to either the UEFI variable storage or ACPI ERST backends.
|
||||
|
|
|
|||
|
|
@ -218,9 +218,6 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
|
|||
## KSPP=yes
|
||||
## KSPP does not set CONFIG_COMPAT, CONFIG_IA32_EMULATION, CONFIG_X86_X32, CONFIG_X86_X32_ABI, and CONFIG_MODIFY_LDT_SYSCALL.
|
||||
##
|
||||
## TODO: Debian 13 Trixie
|
||||
## Applicable when using Linux kernel >= 6.7 (retained here for future-proofing and completeness).
|
||||
##
|
||||
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0"
|
||||
|
||||
## Disable EFI persistent storage feature.
|
||||
|
|
|
|||
|
|
@ -7,14 +7,17 @@
|
|||
## KSPP=no: not (currently) compliant with recommendations by the KSPP
|
||||
## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP.
|
||||
|
||||
## Disable access to single-user (recovery) mode.
|
||||
## Disable access to the GRUB single-user (recovery) mode menu entries.
|
||||
##
|
||||
## https://forums.kicksecure.com/t/remove-linux-recovery-mode-boot-option-from-default-grub-boot-menu/727
|
||||
##
|
||||
GRUB_DISABLE_RECOVERY="true"
|
||||
|
||||
## Disable access to Dracut's recovery console.
|
||||
## Prevents the emergency shell from starting automatically during boot failures.
|
||||
##
|
||||
## https://insinuator.net/2025/07/insecure-boot-injecting-initramfs-from-a-debug-shell/
|
||||
## https://serverfault.com/questions/554853/how-can-i-secure-the-dracut-shell
|
||||
## https://forums.kicksecure.com/t/harden-dracut-initramfs-generator-by-disabling-recovery-console/724
|
||||
##
|
||||
GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT rd.emergency=halt"
|
||||
|
|
|
|||
|
|
@ -27,7 +27,7 @@ blacklist sr_mod
|
|||
## Partial selection of their infrastructure blacklist.
|
||||
## Duplicate and already disabled modules have been omitted.
|
||||
##
|
||||
## https://github.com/GrapheneOS/infrastructure/blob/main/modprobe.d/local.conf
|
||||
## https://github.com/GrapheneOS/infrastructure/blob/main/etc/modprobe.d/local.conf
|
||||
##
|
||||
#blacklist cfg80211
|
||||
#blacklist intel_agp
|
||||
|
|
|
|||
|
|
@ -197,19 +197,17 @@ kernel.perf_event_paranoid=3
|
|||
## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
|
||||
## Can lead to privilege escalation by pushing characters into a controlling TTY.
|
||||
## Will break out-dated screen readers that continue to rely on this legacy functionality.
|
||||
## Note this was already disabled by default as of Linux kernel 6.2.
|
||||
##
|
||||
## https://lore.kernel.org/lkml/20221228205726.rfevry7ud6gmttg5@begin/T/
|
||||
##
|
||||
## KSPP=yes
|
||||
## KSPP sets the sysctl and does not set CONFIG_LEGACY_TIOCSTI.
|
||||
##
|
||||
## TODO: Debian 13 Trixie
|
||||
## This is disabled by default when using Linux kernel >= 6.2.
|
||||
##
|
||||
dev.tty.legacy_tiocsti=0
|
||||
|
||||
## Disable asynchronous I/O for all processes.
|
||||
## Leading cause of numerous kernel exploits.
|
||||
## Use of io_uring has been the leading cause of numerous kernel exploits.
|
||||
## Disabling will reduce the read/write performance of storage devices.
|
||||
##
|
||||
## https://en.wikipedia.org/wiki/Io_uring#Security
|
||||
|
|
@ -218,9 +216,6 @@ dev.tty.legacy_tiocsti=0
|
|||
## https://github.com/moby/moby/pull/46762
|
||||
## https://forums.whonix.org/t/io-uring-security-vulnerabilties/16890
|
||||
##
|
||||
## TODO: Debian 13 Trixie
|
||||
## Applicable when using Linux kernel >= 6.6 (retained here for future-proofing and completeness).
|
||||
##
|
||||
kernel.io_uring_disabled=2
|
||||
|
||||
## 2. User Space:
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue