Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2024-10-01 08:25:45 -04:00
Code Issues Packages Projects Releases Wiki Activity

Update control

Browse Source
This commit is contained in:
madaidan 2019-06-28 11:33:48 +00:00 committed by GitHub
parent ecf5d80fdf
commit b26d861dff
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 13 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
debian/control vendored
View File

@ -23,6 +23,8 @@ Description: enhances misc security settings
deactivates thumbnails in Thunar;
deactivates TCP timestamps;
deactivates Netfilter's connection tracking helper;
implements some kernel hardening;
prevents DMA attacks;
.
TCP time stamps (RFC 1323) allow for tracking clock
information with millisecond resolution. This may or may not allow an
@ -59,7 +61,7 @@ Description: enhances misc security settings
the kernel. (!)
.
Hence, this package disables this feature by shipping the
/etc/sysctl.d/nf_conntrack_helper.conf configuration file.
/etc/modprobe.d/30_nf_conntrack_helper_disable.conf configuration file.
.
Kernel symbols in /proc/kallsyms are hidden to prevent malware from
reading them and using them to learn more about what to attack on your system.
@ -95,3 +97,13 @@ Description: enhances misc security settings
.
DCCP, SCTP, TIPC and RDS are blacklisted as they are rarely used and may have
unknown vulnerabilities.
The kernel logs are restricted to root only.
A systemd service clears System.map on boot as these contain kernel symbols that could be useful to an attacker.
The SysRq key is restricted to only allow shutdowns/reboots.
The thunderbolt and firewire modules are blacklisted as they can be used for DMA (Direct Memory Access) attacks.
IOMMU is enabled with a boot parameter to prevent DMA attacks.