disable kexec (revert enabling kexec)

remove kexec-utils for ram-wipe since moved to its own package
This commit is contained in:
Patrick Schleizer 2023-01-09 06:37:45 -05:00
parent 87c4e77c01
commit ad5d0d4b12
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
2 changed files with 2 additions and 3 deletions

2
debian/control vendored
View File

@ -16,7 +16,7 @@ Package: security-misc
Architecture: all
Depends: python3, libglib2.0-bin, libpam-runtime, sudo, adduser, libcap2-bin,
apparmor-profile-dist, helper-scripts, libpam-modules-bin,
secure-delete, dmsetup, kexec-tools, ${misc:Depends}
secure-delete, dmsetup, ${misc:Depends}
Replaces: tcp-timestamps-disable, anon-gpg-tweaks, swappiness-lowest
Description: Enhances Miscellaneous Security Settings
https://github.com/Whonix/security-misc/blob/master/README.md

View File

@ -37,8 +37,7 @@ net.core.bpf_jit_harden=2
## A toggle indicating if the kexec_load syscall has been disabled. This value defaults to 0 (false: kexec_load enabled), but can be set to 1 (true: kexec_load disabled). Once true, kexec can no longer be used, and the toggle cannot be set back to false. This allows a kexec image to be loaded before disabling the syscall, allowing a system to set up (and later use) an image without it being altered. Generally used together with the "modules_disabled" sysctl.
## Disables kexec which can be used to replace the running kernel.
## kexec is required for cold boot attack defense
## kernel.kexec_load_disabled=1
kernel.kexec_load_disabled=1
## Hides kernel addresses in various files in /proc.
## Kernel addresses can be very useful in certain exploits.