Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-04-25 21:39:10 -04:00
Code Issues Packages Projects Releases Wiki Activity

readme

Browse Source
This commit is contained in:
Patrick Schleizer 2019-09-06 09:32:42 +00:00
parent 0e20e33d16
commit b15becd48d
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
1 changed files with 7 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
README.md
View File

@ -18,7 +18,7 @@ kernel.
* The TCP/IP stack is hardened. * The TCP/IP stack is hardened.
* his package makes some data spoofing attacks harder. * This package makes some data spoofing attacks harder.
* SACK is disabled as it is commonly exploited and is rarely used. * SACK is disabled as it is commonly exploited and is rarely used.
@ -38,7 +38,9 @@ KASLR effectiveness.
* All mitigations for the MDS vulnerability are enabled. * All mitigations for the MDS vulnerability are enabled.
* The SysRq key is restricted to only allow shutdowns/reboots. * The SysRq key is restricted to only allow shutdowns/reboots.
A systemd service clears System.map on boot as these contain kernel symbols /etc/sysctl.d/sysrq.conf
* A systemd service clears System.map on boot as these contain kernel symbols
that could be useful to an attacker. that could be useful to an attacker.
/etc/kernel/postinst.d/30_remove-system-map /etc/kernel/postinst.d/30_remove-system-map
/lib/systemd/system/remove-system-map.service /lib/systemd/system/remove-system-map.service
@ -46,6 +48,9 @@ that could be useful to an attacker.
* Coredumps are disabled as they may contain important information such as * Coredumps are disabled as they may contain important information such as
encryption keys or passwords. encryption keys or passwords.
/etc/security/limits.d/disable-coredumps.conf
/etc/sysctl.d/coredumps.conf
/lib/systemd/coredump.conf.d/disable-coredumps.conf
* The thunderbolt and firewire modules are blacklisted as they can be used * The thunderbolt and firewire modules are blacklisted as they can be used
for DMA (Direct Memory Access) attacks. for DMA (Direct Memory Access) attacks.