Merge remote-tracking branch 'github-kicksecure/master'

Patrick Schleizer 2023-05-15 16:58:11 +00:00
commit b11a336b4f
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
2 changed files with 8 additions and 4 deletions


@ -386,10 +386,6 @@ https://github.com/ioerror/torbirdy/pull/11
Some hardening is opt-in as it causes too much breakage to be enabled by Some hardening is opt-in as it causes too much breakage to be enabled by
default. default.
* TCP SACK can be disabled as it is commonly exploited and is rarely used by
uncommenting settings in the `/etc/sysctl.d/30_security-misc.conf`
configuration file.
* An optional systemd service mounts `/proc` with `hidepid=2` at boot to * An optional systemd service mounts `/proc` with `hidepid=2` at boot to
prevent users from seeing another user's processes. This is disabled by prevent users from seeing another user's processes. This is disabled by
default because it is incompatible with `pkexec`. It can be enabled by default because it is incompatible with `pkexec`. It can be enabled by
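Review bot: Removing the TCP SACK bullet from this README drops the only user-facing documentation of that opt-in knob, but nothing in this commit shows the corresponding change to `/etc/sysctl.d/30_security-misc.conf`; confirm the commented-out SACK setting was removed from (or is no longer offered by) the sysctl file in the same branch, otherwise the README now under-documents an option that still ships. If the option was intentionally retired, a one-line note in the commit message saying so would make the docs removal self-explanatory.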


@ -36,6 +36,14 @@ net.core.bpf_jit_harden=2
## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak ## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
kernel.kptr_restrict=2 kernel.kptr_restrict=2
## Improves ASLR effectiveness for mmap.
## Both explicit sysctl are made redundant due to automation
## https://forums.whonix.org/t/automate-mmap-randomisation-to-fix-ppc64el/16514
## Do NOT enable either - displaying only for clarity
##
#vm.mmap_rnd_bits=32
#vm.mmap_rnd_compat_bits=16
## Restricts the use of ptrace to root. This might break some programs running under WINE. ## Restricts the use of ptrace to root. This might break some programs running under WINE.
## A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. This can be done by running: ## A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. This can be done by running:
## ##
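Review bot: The new comment block tells the reader "Do NOT enable either" but never says why, so the commented-out `#vm.mmap_rnd_bits=32` and `#vm.mmap_rnd_compat_bits=16` lines read as harmless defaults that a user may simply uncomment; state in the comment that these values are architecture-specific examples and that the automation referenced by the forum link (written to fix ppc64el) chooses the value per architecture, since the URL alone carries that context. Minor wording in the same lines: "Both explicit sysctl are made redundant" should read "Both explicit sysctls are made redundant", and "displaying only for clarity" is clearer as "shown only for reference".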