From 0ea7dd161b3e643c23624e6dcb450116824b6301 Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Fri, 14 Feb 2020 17:50:19 +0000 Subject: [PATCH 1/2] Restrict loading line disciplines to CAP_SYS_MODULE --- etc/sysctl.d/30_security-misc.conf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/etc/sysctl.d/30_security-misc.conf b/etc/sysctl.d/30_security-misc.conf index 4c17bcb..8305bd1 100644 --- a/etc/sysctl.d/30_security-misc.conf +++ b/etc/sysctl.d/30_security-misc.conf @@ -118,3 +118,8 @@ net.ipv4.conf.all.rp_filter=1 net.ipv4.tcp_timestamps=0 #### meta end + +## Restrict loading line disciplines to CAP_SYS_MODULE to prevent +## unprivileged attackers from loading vulnerable line disciplines +## with the TIOCSETD ioctl to exploit them. +dev.tty.ldisc_autoload=0 From ace62111761451a13c446767dfd3c32b9b70a7f8 Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Fri, 14 Feb 2020 17:51:17 +0000 Subject: [PATCH 2/2] Update control --- debian/control | 2 ++ 1 file changed, 2 insertions(+) diff --git a/debian/control b/debian/control index 2abb7ee..99871c4 100644 --- a/debian/control +++ b/debian/control @@ -119,6 +119,8 @@ Description: enhances misc security settings . * The kernel panics on oopses to prevent it from continuing to run a flawed process and to deter brute forcing. + . + * Restricts loading line disciplines to CAP_SYS_MODULE. . Improve Entropy Collection .
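Review bot: In the 30_security-misc.conf hunk, the comment promises more than the sysctl delivers: `dev.tty.ldisc_autoload=0` only stops unprivileged TIOCSETD calls from triggering module autoload of a line discipline, so any line discipline that is built into the kernel or already loaded (by a privileged user, another process, or at boot) remains selectable by unprivileged callers. Reword the comment to say "Restrict autoloading of line discipline modules to CAP_SYS_MODULE" so readers do not assume every TIOCSETD use is blocked, and note that the knob only exists on kernels that provide /proc/sys/dev/tty/ldisc_autoload (newer kernels; older ones will log a sysctl error for this key and skip it, leaving the rest of the file in effect). Also check the placement: the existing settings in the context sit above the `#### meta end` marker, while the new block is appended below it, so if that marker delimits the managed section the new setting should go before it.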
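Review bot: In the debian/control hunk, the new description line should match what the setting actually does and state its precondition, for example "Restricts autoloading of line discipline modules to CAP_SYS_MODULE (requires kernel support for dev.tty.ldisc_autoload)." As written, "Restricts loading line disciplines" suggests that already-loaded disciplines are also covered, which the sysctl does not do, and users on kernels without the knob would otherwise believe the hardening is in place when the package only ships the configuration line.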