disable kexec (revert enabling kexec)

remove kexec-utils for ram-wipe since moved to its own package
Patrick Schleizer 2023-01-09 06:37:45 -05:00
parent 87c4e77c01
commit ad5d0d4b12
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
2 changed files with 2 additions and 3 deletions

debian/control

@ -16,7 +16,7 @@ Package: security-misc
Architecture: all Architecture: all
Depends: python3, libglib2.0-bin, libpam-runtime, sudo, adduser, libcap2-bin, Depends: python3, libglib2.0-bin, libpam-runtime, sudo, adduser, libcap2-bin,
apparmor-profile-dist, helper-scripts, libpam-modules-bin, apparmor-profile-dist, helper-scripts, libpam-modules-bin,
secure-delete, dmsetup, kexec-tools, ${misc:Depends} secure-delete, dmsetup, ${misc:Depends}
Replaces: tcp-timestamps-disable, anon-gpg-tweaks, swappiness-lowest Replaces: tcp-timestamps-disable, anon-gpg-tweaks, swappiness-lowest
Description: Enhances Miscellaneous Security Settings Description: Enhances Miscellaneous Security Settings
https://github.com/Whonix/security-misc/blob/master/README.md https://github.com/Whonix/security-misc/blob/master/README.md
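Review bot: The Depends line drops `kexec-tools` from security-misc, but nothing visible here shows that the separate ram-wipe package mentioned in the commit message now declares it; please confirm that package lists `kexec-tools` in its own Depends, otherwise an autoremove after upgrade can leave ram-wipe without the tool. The commit message also calls the package kexec-utils while the control file names it kexec-tools, so the message should use the name that appears in debian/control to keep the change searchable.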


@ -37,8 +37,7 @@ net.core.bpf_jit_harden=2
## A toggle indicating if the kexec_load syscall has been disabled. This value defaults to 0 (false: kexec_load enabled), but can be set to 1 (true: kexec_load disabled). Once true, kexec can no longer be used, and the toggle cannot be set back to false. This allows a kexec image to be loaded before disabling the syscall, allowing a system to set up (and later use) an image without it being altered. Generally used together with the "modules_disabled" sysctl. ## A toggle indicating if the kexec_load syscall has been disabled. This value defaults to 0 (false: kexec_load enabled), but can be set to 1 (true: kexec_load disabled). Once true, kexec can no longer be used, and the toggle cannot be set back to false. This allows a kexec image to be loaded before disabling the syscall, allowing a system to set up (and later use) an image without it being altered. Generally used together with the "modules_disabled" sysctl.
## Disables kexec which can be used to replace the running kernel. ## Disables kexec which can be used to replace the running kernel.
## kexec is required for cold boot attack defense kernel.kexec_load_disabled=1
## kernel.kexec_load_disabled=1
## Hides kernel addresses in various files in /proc. ## Hides kernel addresses in various files in /proc.
## Kernel addresses can be very useful in certain exploits. ## Kernel addresses can be very useful in certain exploits.
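Review bot: Uncommenting `kernel.kexec_load_disabled=1` also deletes the line "## kexec is required for cold boot attack defense", so the file no longer records that this setting conflicts with that feature. The comment just above states that the toggle cannot be set back to false once true, so any package that relies on kexec has to load its image before this sysctl is applied or ship its own override. A one-line comment next to the setting saying so would keep the trade-off documented where the value is set.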