From 1472d41f030d02aba6576ef481ace35554908e8d Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Mon, 29 Dec 2025 06:41:33 +0000 Subject: [PATCH 01/11] Add KSPP partial compliance notice for `proc_mem.force_override=ptrace` --- README.md | 15 ++++++++++++--- .../40_kernel_hardening.cfg#security-misc-shared | 3 ++- 2 files changed, 14 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index c51b85c..c995bd3 100644 --- a/README.md +++ b/README.md @@ -321,15 +321,24 @@ there are a few cases of partial or non-compliance due to technical limitations. More than 30 kernel boot parameters and over 30 sysctl settings are fully aligned with the KSPP's recommendations. +**Partial compliance:** + +1. Kernel boot parameter `proc_mem.force_override=never` + +Restrict processes from modifying their own memory mappings by completely disables use of +`/proc/PID/mem` to write to protected pages. Can be enabled easily if required. + +* [security-misc pull request #332](https://github.com/Kicksecure/security-misc/pull/332) + **Non-compliance:** -1. `sysctl user.max_user_namespaces=0` +2. `sysctl user.max_user_namespaces=0` Disables user namespaces entirely. Not recommended due to the potential for widespread breakages. * [security-misc pull request #263](https://github.com/Kicksecure/security-misc/pull/263) -2. `sysctl fs.binfmt_misc.status=0` +3. `sysctl fs.binfmt_misc.status=0` Disables the registration of interpreters for miscellaneous binary formats. Currently not feasible due to compatibility issues with Firefox. 
@@ -337,7 +346,7 @@ feasible due to compatibility issues with Firefox. * [security-misc pull request #249](https://github.com/Kicksecure/security-misc/pull/249) * [security-misc issue #267](https://github.com/Kicksecure/security-misc/issues/267) -3. Kernel boot parameter `hash_pointers=always` +4. Kernel boot parameter `hash_pointers=always` Force all exposed pointers to be hashed and must be used in combination with the already enabled `slab_debug=FZ` kernel boot parameter. Currently is not possible as requires Linux kernel >= 6.17. diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index 4407b16..1193d09 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared @@ -326,7 +326,8 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX bdev_allow_write_mounted=0" ## https://github.com/a13xp0p0v/kernel-hardening-checker/pull/201 ## https://github.com/Kicksecure/security-misc/issues/330 ## -## Using "proc_mem.force_override=never" provides superior protection by never allowing overrides. +## KSPP=partial +## KSPP sets the stricter kernel parameter proc_mem.force_override=never. ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX proc_mem.force_override=ptrace" From 4d49ab56a4be29b03746b99cf6254ef15c93ed74 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Mon, 29 Dec 2025 06:52:35 +0000 Subject: [PATCH 02/11] Update docs on `proc_mem.force_override` --- README.md | 2 +- .../grub.d/40_kernel_hardening.cfg#security-misc-shared | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index c995bd3..4fd6a62 100644 --- a/README.md +++ b/README.md 
@@ -269,7 +269,7 @@ Kernel space: filesystems to protect against filesystem corruption and kernel crashes. - Restrict processes from modifying their own memory mappings unless actively done via - `ptrace()` in order to limit self-modification which can trigger exploits. + `ptrace()` for debugging in order to limit self-modification which can trigger exploits. Direct memory access: diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index 1193d09..05e1a44 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared @@ -317,9 +317,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX erst_disable" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX bdev_allow_write_mounted=0" ## Restrict processes from modifying their own memory mappings. -## Prevents the use of /proc/PID/mem to write to protected pages via the kernel's -## mem_rw() FOLL_FORCE flag. This makes it harder to trick applications into -## overwriting their own memory. +## Prevents using /proc/PID/mem to write to protected pages unless via ptrace() for debugging. +## Increases the difficulty in tricking applications into overwriting their own memory. +## Limit self-modification which can be used trigger race condition vulnerabilities. ## ## https://lore.kernel.org/lkml/20240712-vfs-procfs-ce7e6c7cf26b@brauner/ ## https://lwn.net/Articles/983169/ From 6a92e956f3fd41fe416c1e41203687619c7011bc Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Mon, 29 Dec 2025 07:02:24 +0000 Subject: [PATCH 03/11] Add minor notices to panic on oopses and warnings --- etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared | 2 ++ usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared | 2 ++ 2 files changed, 4 insertions(+) 
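Review bot: The new line `## Limit self-modification which can be used trigger race condition vulnerabilities.` drops a word and switches away from the third-person form of the two lines above it; `## Limits self-modification which can be used to trigger race condition vulnerabilities.` reads consistently with `Prevents` and `Increases`. The rewrite also removes the only mention of the mechanism being gated (the kernel's mem_rw() FOLL_FORCE path), which is what the linked lore thread discusses; appending `(the mem_rw() FOLL_FORCE path)` to the first new line would keep the comment auditable against that reference. The block's setting line, `proc_mem.force_override=ptrace`, lies below the hunk.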
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared
index 05e1a44..1ccf647 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared
+++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared
@@ -159,6 +159,8 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 ## KSPP=yes
 ## KSPP sets CONFIG_PANIC_TIMEOUT=-1.
 ##
+## Note that this must be used with panic=-1 for it to function as intended.
+##
 ## See /usr/libexec/security-misc/panic-on-oops for implementation.
 ##
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX panic=-1"
diff --git a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared
index 27b911b..9ec4b9b 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared
+++ b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared
@@ -183,6 +183,8 @@ kernel.perf_event_paranoid=3
 ## KSPP=yes
 ## KSPP sets the sysctls and CONFIG_PANIC_ON_OOPS=y
 ##
+## Note that this must be used with kernel.panic=-1 for it to function as intended.
+##
 ## See /usr/libexec/security-misc/panic-on-oops for implementation.
 ##
 #kernel.oops_limit=1
From 61170e1c6a4869120413cf5236a2d995af26422d Mon Sep 17 00:00:00 2001
From: raja-grewal
Date: Mon, 29 Dec 2025 07:16:54 +0000
Subject: [PATCH 04/11] Reorder panic settings
---
 README.md | 12 ++++----
 ..._kernel_hardening.cfg#security-misc-shared | 28 +++++++++----------
 ...90-security-misc.conf#security-misc-shared | 20 ++++++-------
 3 files changed, 30 insertions(+), 30 deletions(-)
diff --git a/README.md b/README.md
index 4fd6a62..c1809bc 100644
--- a/README.md
+++ b/README.md
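Review bot: The added line `## Note that this must be used with panic=-1 for it to function as intended.` sits in the block whose own setting is `#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX panic=-1"` (the block's `KSPP sets CONFIG_PANIC_TIMEOUT=-1.` line confirms this is the panic-timeout block), so it tells the reader that panic=-1 requires panic=-1. The dependency it describes is the one the oops=panic/panic_on_warn=1 block has on panic=-1, which is exactly where the sysctl hunk below places its kernel.panic=-1 note, next to `#kernel.oops_limit=1`. I'd move the line into the grub oops/warn block (the one ending in `#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX oops=panic"`), or reword it here as `## Note that oops=panic and panic_on_warn=1 rely on this setting to function as intended.`. As written, the misplaced line is carried along when the later "Reorder panic settings" hunk moves this block.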
@@ -46,12 +46,12 @@ configuration file and significant hardening is applied to a myriad of component - Restrict kernel profiling and the performance events system to `CAP_PERFMON`. -- Force the kernel to immediately panic on both "oopses" (which can potentially indicate - and thwart certain kernel exploitation attempts) and kernel warnings in the `WARN()` path. - - Force immediate system reboot on the occurrence of a single kernel panic, reducing the risk and impact of denial-of-service attacks and both cold and warm boot attacks. +- Force the kernel to immediately panic on both "oopses" (which can potentially indicate + and thwart certain kernel exploitation attempts) and kernel warnings in the `WARN()` path. + - Optional - Force immediate kernel panic on OOM (out of memory) which with the above setting will force an immediate system reboot as opposed to placing any reliance on the oom_killer to avoid arbitrarily terminating security features based on their OOM score. Note this @@ -236,12 +236,12 @@ Kernel space: - Restrict access to debugfs by not registering the file system since it can contain sensitive information. -- Force the kernel to immediately panic on both "oopses" (which can potentially indicate - and thwart certain kernel exploitation attempts) and kernel warnings in the `WARN()` path. - - Force immediate system reboot on the occurrence of a single kernel panic, reducing the risk and impact of denial-of-service attacks and both cold and warm boot attacks. +- Force the kernel to immediately panic on both "oopses" (which can potentially indicate + and thwart certain kernel exploitation attempts) and kernel warnings in the `WARN()` path. + - Optional - Force the kernel to immediately panic if it becomes tainted. Some reasons include upon using out of specification hardware, bad page states, ACPI tables being overridden, severe firmware bugs, in-kernel tests run, or mutating fwctl debug operations. It can also 
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared
index 1ccf647..7f9cabe 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared
+++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared
@@ -128,6 +128,20 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none"
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 
+## Force immediate system reboots on the occurrence of a single kernel panic.
+## Increases resilience and limits impact of denial of service attacks as system automatically restarts.
+## Ensures the system does not hang forever if a panic occurs, reducing susceptibility to both cold and warm boot attacks.
+## Immediate rebooting also prevents persistent information disclosure on panic details that were dumped to screen.
+##
+## KSPP=yes
+## KSPP sets CONFIG_PANIC_TIMEOUT=-1.
+##
+## Note that this must be used with panic=-1 for it to function as intended.
+##
+## See /usr/libexec/security-misc/panic-on-oops for implementation.
+##
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX panic=-1"
+
 ## Force the kernel to immediately panic on "oopses" and kernel warnings in the WARN() path.
 ## Panics may be due to false-positives such as bad drivers.
 ## Both allowed limits are set to one so that panics occur on the single first instance of either scenario.
@@ -151,20 +165,6 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX oops=panic"
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX panic_on_warn=1"
 
-## Force immediate system reboots on the occurrence of a single kernel panic.
-## Increases resilience and limits impact of denial of service attacks as system automatically restarts.
-## Ensures the system does not hang forever if a panic occurs, reducing susceptibility to both cold and warm boot attacks.
-## Immediate rebooting also prevents persistent information disclosure on panic details that were dumped to screen.
-##
-## KSPP=yes
-## KSPP sets CONFIG_PANIC_TIMEOUT=-1.
-##
-## Note that this must be used with panic=-1 for it to function as intended.
-##
-## See /usr/libexec/security-misc/panic-on-oops for implementation.
-##
-#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX panic=-1"
-
 ## Force the kernel to immediately panic if it becomes tainted.
 ## Using kernel documentation, one can select a subset of taints to create a security policy.
 ## Requires summing the numbers for each taint state and then converting it to a hexadecimal bitmask.
diff --git a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared
index 9ec4b9b..5b6d3d6 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared
+++ b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared
@@ -165,6 +165,16 @@ kernel.sysrq=0
 ##
 kernel.perf_event_paranoid=3
 
+## Force immediate system reboots on the occurrence of a single kernel panic.
+## Increases resilience and limits impact of denial-of-service attacks as system automatically restarts.
+## Ensures the system does not hang forever if a panic occurs, reducing susceptibility to both cold and warm boot attacks.
+## Immediate rebooting also prevents persistent information disclosure on panic details that were dumped to screen.
+##
+## KSPP=yes
+## KSPP sets CONFIG_PANIC_TIMEOUT=-1.
+##
+kernel.panic=-1
+
 ## Force the kernel to immediately panic on "oopses" and kernel warnings in the WARN() path.
 ## Panics may be due to false-positives such as bad drivers.
 ## Both allowed limits are set to one so that panics occur on the single first instance of either scenario.
@@ -190,16 +200,6 @@ kernel.perf_event_paranoid=3
 #kernel.oops_limit=1
 #kernel.warn_limit=1
 
-## Force immediate system reboots on the occurrence of a single kernel panic.
-## Increases resilience and limits impact of denial-of-service attacks as system automatically restarts.
-## Ensures the system does not hang forever if a panic occurs, reducing susceptibility to both cold and warm boot attacks.
-## Immediate rebooting also prevents persistent information disclosure on panic details that were dumped to screen.
-##
-## KSPP=yes
-## KSPP sets CONFIG_PANIC_TIMEOUT=-1.
-##
-kernel.panic=-1
-
 ## Force immediate kernel panic on OOM (out of memory) scenarios.
 ## Registers a kernel panic whenever the oom_killer is triggered to kill some rouge process based on their OOM score.
 ## This prevents security features such as the screen locker, kloak, and emerg-shutdown from being arbitrarily terminated.
From cd0a59fd1495db21b8da4b3e8484df61858e7f80 Mon Sep 17 00:00:00 2001
From: raja-grewal Date: Mon, 29 Dec 2025 07:24:32 +0000 Subject: [PATCH 05/11] Merge Meltdown mitigtions for ARM64 and X86_64 CPUs --- README.md | 3 --- .../40_cpu_mitigations.cfg#security-misc-shared | 9 +++++---- .../40_kernel_hardening.cfg#security-misc-shared | 12 ------------ 3 files changed, 5 insertions(+), 19 deletions(-) diff --git a/README.md b/README.md index c1809bc..8dd86fc 100644 --- a/README.md +++ b/README.md @@ -224,9 +224,6 @@ Kernel space: - Enable the kernel page allocator to randomize free lists to limit some data exfiltration and ROP attacks, especially during the early boot process. -- Enable kernel page table isolation on x86_64 and ARM64 CPUs to increase - KASLR effectiveness and also mitigate the Meltdown CPU vulnerability. - - Enable randomization of the kernel stack offset on syscall entries to harden against memory corruption attacks. diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared b/etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared index 10f3af0..7df65d0 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared +++ b/etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared 
@@ -83,17 +83,18 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_bhi=on"
 
 ## Meltdown:
 ## Mitigate Spectre Variant 3 using kernel page table isolation (PTI).
-## Force enable PTI of user and kernel address spaces on all cores.
-## Mitigations for X86_64 CPUs are done in /etc/default/grub.d/40_kernel_hardening.cfg using "pti=on".
-## Currently affects ARM64 CPUs.
+## Enables kernel PTI to harden against kernel ASLR (KASLR) bypasses.
+## Force enables PTI of user and kernel address spaces on all ARM cores.
+## Currently affects AMD, ARM64, and Intel CPUs.
 ##
 ## https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability)
 ## https://en.wikipedia.org/wiki/Kernel_page-table_isolation
 ##
 ## KSPP=yes
-## KSPP sets CONFIG_UNMAP_KERNEL_AT_EL0=y.
+## KSPP sets the second kernel parameter, CONFIG_MITIGATION_PAGE_TABLE_ISOLATION=y, and CONFIG_UNMAP_KERNEL_AT_EL0=y.
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kpti=1"
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on"
 
 ## Speculative Store Bypass (SSB):
 ## Mitigate Spectre Variant 4 by disabling speculative store bypass system-wide.
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared
index 7f9cabe..861c986 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared
+++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared
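Review bot: The rewritten comment no longer says which parameter covers which architecture: `## Force enables PTI of user and kernel address spaces on all ARM cores.` describes only kpti=1, while the newly added `GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on"` is the x86_64 control that the removed lines in the 40_kernel_hardening.cfg hunk attributed to X86_64. I'd make that line `## kpti=1 force enables PTI on ARM64 cores; pti=on force enables PTI on x86_64 CPUs.` so each setting stays attributable when one of them is later tuned. `## Currently affects AMD, ARM64, and Intel CPUs.` also deserves a citation: to my knowledge AMD reports its CPUs as not susceptible to Meltdown and the kernel does not enable PTI on AMD by default, so forcing pti=on there is a deliberate performance-for-coverage trade that the comment should state rather than imply.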
@@ -86,18 +86,6 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_free=1" ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1" -## Enable kernel page table isolation to harden against kernel ASLR (KASLR) bypasses. -## Mitigates the Meltdown (Spectre Variant 3) CPU vulnerability. -## Mitigations for ARM64 CPUs are done in /etc/default/grub.d/40_cpu_mitigations.cfg using "kpti=1". -## -## https://en.wikipedia.org/wiki/Meltdown_(security_vulnerability) -## https://en.wikipedia.org/wiki/Kernel_page-table_isolation -## -## KSPP=yes -## KSPP sets the kernel parameter and CONFIG_MITIGATION_PAGE_TABLE_ISOLATION=y. -## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on" - ## Enable randomization of the kernel stack offset on syscall entries. ## Hardens against memory corruption attacks due to increased entropy. ## Limits attacks relying on deterministic stack addresses or cross-syscall address exposure. From 31e268d6246a98d62c23a5bb9e7e4282d0fad282 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Mon, 29 Dec 2025 07:34:53 +0000 Subject: [PATCH 06/11] README: typos --- README.md | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 8dd86fc..2ff03f7 100644 --- a/README.md +++ b/README.md @@ -241,7 +241,7 @@ Kernel space: - Optional - Force the kernel to immediately panic if it becomes tainted. Some reasons include upon using out of specification hardware, bad page states, ACPI tables being overridden, - severe firmware bugs, in-kernel tests run, or mutating fwctl debug operations. It can also + severe firmware bugs, in-kernel tests run, or mutating `fwctl` debug operations. It can also include the loading of proprietary or out-of-tree modules. - Prevent sensitive kernel information leaks in the console during boot. 
@@ -280,16 +280,13 @@ Entropy: - Do not credit the CPU seeds as an entropy source at boot in order to maximize the absolute quantity of entropy in the combined pool. This is desirable for all - cryptographic operations, to avoid reliance on proprietary RDRAND and RDSEED CPU + cryptographic operations to avoid reliance on proprietary RDRAND and RDSEED CPU instructions for random number generation that have long history of being defective. - Do not credit the bootloader seeds as an entropy source at boot to maximize the absolute quantity of entropy in the combined pool. This is desirable for all cryptographic operations as seeds passed by the bootloader could be tampered. -- Obtain more entropy at boot from RAM as the runtime memory allocator is - being initialized. - - Obtain more entropy at boot from RAM as the runtime memory allocator is being initialized to maximize the absolute quantity of entropy in the combined pool. From e3765131b067083c6a9a7f373cfb154a806e57ad Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Mon, 29 Dec 2025 07:36:55 +0000 Subject: [PATCH 07/11] Add reference on IOMMU vulnerabilities --- etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index 861c986..f86e539 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared @@ -340,6 +340,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on" ## https://en.wikipedia.org/wiki/Input%E2%80%93output_memory_management_unit ## https://en.wikipedia.org/wiki/DMA_attack ## https://lenovopress.lenovo.com/lp1467.pdf +## https://www.kb.cert.org/vuls/id/382314 ## ## KSPP=yes ## KSPP sets the kernel parameters, CONFIG_IOMMU_SUPPORT=y, CONFIG_IOMMU_DEFAULT_DMA_STRICT=y, and does not set CONFIG_IOMMU_DEFAULT_PASSTHROUGH. 
From 8fd95a0b97f339f2609de7e7614fa8a3e86e3157 Mon Sep 17 00:00:00 2001
From: raja-grewal
Date: Mon, 29 Dec 2025 07:44:15 +0000
Subject: [PATCH 08/11] Sort new split package install script for easier readability
---
 debian/security-misc-shared.install | 216 ++++++++++++++--------
 1 file changed, 108 insertions(+), 108 deletions(-)
diff --git a/debian/security-misc-shared.install b/debian/security-misc-shared.install
index 5bbf8b8..4557c30 100755
--- a/debian/security-misc-shared.install
+++ b/debian/security-misc-shared.install
@@ -5,140 +5,140 @@ ## This file was generated using 'genmkfile debinstfile'. -var/cache/security-misc/state-files/placeholder#security-misc-shared => /var/cache/security-misc/state-files/placeholder -etc/security/faillock.conf.security-misc#security-misc-shared => /etc/security/faillock.conf.security-misc -etc/security/access-security-misc.conf#security-misc-shared => /etc/security/access-security-misc.conf -etc/security/limits.d/30_security-misc.conf#security-misc-shared => /etc/security/limits.d/30_security-misc.conf -etc/gitconfig#security-misc-shared => /etc/gitconfig etc/apparmor.d/tunables/home.d/security-misc#security-misc-shared => /etc/apparmor.d/tunables/home.d/security-misc +etc/apt/apt.conf.d/40error-on-any#security-misc-shared => /etc/apt/apt.conf.d/40error-on-any +etc/apt/apt.conf.d/40sandbox#security-misc-shared => /etc/apt/apt.conf.d/40sandbox +etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared => /etc/default/grub.d/40_cpu_mitigations.cfg +etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared => /etc/default/grub.d/40_kernel_hardening.cfg +etc/default/grub.d/40_remount_secure.cfg#security-misc-shared => /etc/default/grub.d/40_remount_secure.cfg +etc/default/grub.d/40_signed_modules.cfg#security-misc-shared => /etc/default/grub.d/40_signed_modules.cfg +etc/default/grub.d/41_quiet_boot.cfg#security-misc-shared => /etc/default/grub.d/41_quiet_boot.cfg +etc/default/grub.d/41_recovery_restrict.cfg#security-misc-shared => /etc/default/grub.d/41_recovery_restrict.cfg +etc/dracut.conf.d/30-security-misc.conf#security-misc-shared => /etc/dracut.conf.d/30-security-misc.conf +etc/gitconfig#security-misc-shared => /etc/gitconfig +etc/hide-hardware-info.d/30_default.conf#security-misc-shared => /etc/hide-hardware-info.d/30_default.conf +etc/kernel/postinst.d/30_remove-system-map#security-misc-shared => /etc/kernel/postinst.d/30_remove-system-map +etc/modprobe.d/30_security-misc_blacklist.conf#security-misc-shared => 
/etc/modprobe.d/30_security-misc_blacklist.conf +etc/modprobe.d/30_security-misc_conntrack.conf#security-misc-shared => /etc/modprobe.d/30_security-misc_conntrack.conf +etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared => /etc/modprobe.d/30_security-misc_disable.conf +etc/profile.d/30_security-misc.sh#security-misc-shared => /etc/profile.d/30_security-misc.sh +etc/securetty.security-misc#security-misc-shared => /etc/securetty.security-misc +etc/security-misc/emerg-shutdown/30_security_misc.conf#security-misc-shared => /etc/security-misc/emerg-shutdown/30_security_misc.conf +etc/security/access-security-misc.conf#security-misc-shared => /etc/security/access-security-misc.conf +etc/security/faillock.conf.security-misc#security-misc-shared => /etc/security/faillock.conf.security-misc +etc/security/limits.d/30_security-misc.conf#security-misc-shared => /etc/security/limits.d/30_security-misc.conf +etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml#security-misc-shared => /etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml +etc/skel/.gnupg/gpg.conf#security-misc-shared => /etc/skel/.gnupg/gpg.conf etc/ssh/ssh_config.d/30_security-misc.conf#security-misc-shared => /etc/ssh/ssh_config.d/30_security-misc.conf etc/ssh/sshd_config.d/30_security-misc.conf#security-misc-shared => /etc/ssh/sshd_config.d/30_security-misc.conf -etc/usbguard/IPCAccessControl.d/:sudo#security-misc-shared => /etc/usbguard/IPCAccessControl.d/:sudo -etc/usbguard/IPCAccessControl.d/:qubes#security-misc-shared => /etc/usbguard/IPCAccessControl.d/:qubes -etc/usbguard/rules.d/30_security-misc.conf#security-misc-shared => /etc/usbguard/rules.d/30_security-misc.conf -etc/usbguard/usbguard-daemon.conf.security-misc#security-misc-shared => /etc/usbguard/usbguard-daemon.conf.security-misc -etc/kernel/postinst.d/30_remove-system-map#security-misc-shared => /etc/kernel/postinst.d/30_remove-system-map etc/sudoers.d/security-misc#security-misc-shared => 
/etc/sudoers.d/security-misc etc/systemd/system/emergency.service.d/override.conf#security-misc-shared => /etc/systemd/system/emergency.service.d/override.conf etc/systemd/system/rescue.service.d/override.conf#security-misc-shared => /etc/systemd/system/rescue.service.d/override.conf -etc/profile.d/30_security-misc.sh#security-misc-shared => /etc/profile.d/30_security-misc.sh -etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared => /etc/default/grub.d/40_cpu_mitigations.cfg -etc/default/grub.d/41_recovery_restrict.cfg#security-misc-shared => /etc/default/grub.d/41_recovery_restrict.cfg -etc/default/grub.d/40_signed_modules.cfg#security-misc-shared => /etc/default/grub.d/40_signed_modules.cfg -etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared => /etc/default/grub.d/40_kernel_hardening.cfg -etc/default/grub.d/40_remount_secure.cfg#security-misc-shared => /etc/default/grub.d/40_remount_secure.cfg -etc/default/grub.d/41_quiet_boot.cfg#security-misc-shared => /etc/default/grub.d/41_quiet_boot.cfg -etc/apt/apt.conf.d/40sandbox#security-misc-shared => /etc/apt/apt.conf.d/40sandbox -etc/apt/apt.conf.d/40error-on-any#security-misc-shared => /etc/apt/apt.conf.d/40error-on-any -etc/securetty.security-misc#security-misc-shared => /etc/securetty.security-misc -etc/dracut.conf.d/30-security-misc.conf#security-misc-shared => /etc/dracut.conf.d/30-security-misc.conf -etc/skel/.gnupg/gpg.conf#security-misc-shared => /etc/skel/.gnupg/gpg.conf -etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml#security-misc-shared => /etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml -etc/hide-hardware-info.d/30_default.conf#security-misc-shared => /etc/hide-hardware-info.d/30_default.conf -etc/security-misc/emerg-shutdown/30_security_misc.conf#security-misc-shared => /etc/security-misc/emerg-shutdown/30_security_misc.conf -etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared => /etc/modprobe.d/30_security-misc_disable.conf 
-etc/modprobe.d/30_security-misc_conntrack.conf#security-misc-shared => /etc/modprobe.d/30_security-misc_conntrack.conf -etc/modprobe.d/30_security-misc_blacklist.conf#security-misc-shared => /etc/modprobe.d/30_security-misc_blacklist.conf -usr/libexec/security-misc/pam-abort-on-locked-password#security-misc-shared => /usr/libexec/security-misc/pam-abort-on-locked-password -usr/libexec/security-misc/kill-vboxdrmclient-on-shutdown#security-misc-shared => /usr/libexec/security-misc/kill-vboxdrmclient-on-shutdown -usr/libexec/security-misc/ensure-shutdown#security-misc-shared => /usr/libexec/security-misc/ensure-shutdown -usr/libexec/security-misc/askpass#security-misc-shared => /usr/libexec/security-misc/askpass -usr/libexec/security-misc/panic-on-oops#security-misc-shared => /usr/libexec/security-misc/panic-on-oops -usr/libexec/security-misc/mmap-rnd-bits#security-misc-shared => /usr/libexec/security-misc/mmap-rnd-bits -usr/libexec/security-misc/echo-path#security-misc-shared => /usr/libexec/security-misc/echo-path -usr/libexec/security-misc/emerg-shutdown#security-misc-shared => /usr/libexec/security-misc/emerg-shutdown -usr/libexec/security-misc/pam-info#security-misc-shared => /usr/libexec/security-misc/pam-info -usr/libexec/security-misc/permission-lockdown#security-misc-shared => /usr/libexec/security-misc/permission-lockdown -usr/libexec/security-misc/pam_only_if_su#security-misc-shared => /usr/libexec/security-misc/pam_only_if_su -usr/libexec/security-misc/remove-system.map#security-misc-shared => /usr/libexec/security-misc/remove-system.map -usr/libexec/security-misc/check-for-usb-controller#security-misc-shared => /usr/libexec/security-misc/check-for-usb-controller -usr/libexec/security-misc/pam_only_if_login#security-misc-shared => /usr/libexec/security-misc/pam_only_if_login -usr/libexec/security-misc/block-unsafe-logins#security-misc-shared => /usr/libexec/security-misc/block-unsafe-logins 
-usr/libexec/security-misc/disable-kernel-module-loading#security-misc-shared => /usr/libexec/security-misc/disable-kernel-module-loading -usr/libexec/security-misc/hide-hardware-info#security-misc-shared => /usr/libexec/security-misc/hide-hardware-info -usr/libexec/security-misc/virusforget#security-misc-shared => /usr/libexec/security-misc/virusforget -usr/libexec/security-misc/pam_faillock_not_if_x#security-misc-shared => /usr/libexec/security-misc/pam_faillock_not_if_x -usr/src/security-misc/emerg-shutdown.c#security-misc-shared => /usr/src/security-misc/emerg-shutdown.c -usr/bin/disabled-gps-by-security-misc#security-misc-shared => /usr/bin/disabled-gps-by-security-misc +etc/usbguard/IPCAccessControl.d/:qubes#security-misc-shared => /etc/usbguard/IPCAccessControl.d/:qubes +etc/usbguard/IPCAccessControl.d/:sudo#security-misc-shared => /etc/usbguard/IPCAccessControl.d/:sudo +etc/usbguard/rules.d/30_security-misc.conf#security-misc-shared => /etc/usbguard/rules.d/30_security-misc.conf +etc/usbguard/usbguard-daemon.conf.security-misc#security-misc-shared => /etc/usbguard/usbguard-daemon.conf.security-misc +usr/bin/disabled-bluetooth-by-security-misc#security-misc-shared => /usr/bin/disabled-bluetooth-by-security-misc +usr/bin/disabled-cdrom-by-security-misc#security-misc-shared => /usr/bin/disabled-cdrom-by-security-misc usr/bin/disabled-cpumsr-by-security-misc#security-misc-shared => /usr/bin/disabled-cpumsr-by-security-misc -usr/bin/disabled-netfilesys-by-security-misc#security-misc-shared => /usr/bin/disabled-netfilesys-by-security-misc -usr/bin/disabled-framebuffer-by-security-misc#security-misc-shared => /usr/bin/disabled-framebuffer-by-security-misc -usr/bin/disabled-miscellaneous-by-security-misc#security-misc-shared => /usr/bin/disabled-miscellaneous-by-security-misc -usr/bin/disabled-intelme-by-security-misc#security-misc-shared => /usr/bin/disabled-intelme-by-security-misc +usr/bin/disabled-filesys-by-security-misc#security-misc-shared => 
/usr/bin/disabled-filesys-by-security-misc usr/bin/disabled-firewire-by-security-misc#security-misc-shared => /usr/bin/disabled-firewire-by-security-misc +usr/bin/disabled-framebuffer-by-security-misc#security-misc-shared => /usr/bin/disabled-framebuffer-by-security-misc +usr/bin/disabled-gps-by-security-misc#security-misc-shared => /usr/bin/disabled-gps-by-security-misc +usr/bin/disabled-intelme-by-security-misc#security-misc-shared => /usr/bin/disabled-intelme-by-security-misc +usr/bin/disabled-intelpmt-by-security-misc#security-misc-shared => /usr/bin/disabled-intelpmt-by-security-misc +usr/bin/disabled-miscellaneous-by-security-misc#security-misc-shared => /usr/bin/disabled-miscellaneous-by-security-misc +usr/bin/disabled-netfilesys-by-security-misc#security-misc-shared => /usr/bin/disabled-netfilesys-by-security-misc usr/bin/disabled-network-by-security-misc#security-misc-shared => /usr/bin/disabled-network-by-security-misc usr/bin/disabled-thunderbolt-by-security-misc#security-misc-shared => /usr/bin/disabled-thunderbolt-by-security-misc -usr/bin/disabled-cdrom-by-security-misc#security-misc-shared => /usr/bin/disabled-cdrom-by-security-misc -usr/bin/disabled-filesys-by-security-misc#security-misc-shared => /usr/bin/disabled-filesys-by-security-misc usr/bin/permission-hardener#security-misc-shared => /usr/bin/permission-hardener -usr/bin/disabled-intelpmt-by-security-misc#security-misc-shared => /usr/bin/disabled-intelpmt-by-security-misc -usr/bin/disabled-bluetooth-by-security-misc#security-misc-shared => /usr/bin/disabled-bluetooth-by-security-misc usr/bin/remount-secure#security-misc-shared => /usr/bin/remount-secure -usr/lib/modules-load.d/30_security-misc.conf#security-misc-shared => /usr/lib/modules-load.d/30_security-misc.conf -usr/lib/systemd/coredump.conf.d/30_security-misc.conf#security-misc-shared => /usr/lib/systemd/coredump.conf.d/30_security-misc.conf -usr/lib/systemd/system-preset/50-security-misc.preset#security-misc-shared => 
/usr/lib/systemd/system-preset/50-security-misc.preset -usr/lib/systemd/system/panic-on-oops.service#security-misc-shared => /usr/lib/systemd/system/panic-on-oops.service -usr/lib/systemd/system/permission-hardener.service#security-misc-shared => /usr/lib/systemd/system/permission-hardener.service -usr/lib/systemd/system/remove-system-map.service#security-misc-shared => /usr/lib/systemd/system/remove-system-map.service -usr/lib/systemd/system/proc-hidepid.service#security-misc-shared => /usr/lib/systemd/system/proc-hidepid.service -usr/lib/systemd/system/block-shutdown.service#security-misc-shared => /usr/lib/systemd/system/block-shutdown.service -usr/lib/systemd/system/emerg-shutdown.service#security-misc-shared => /usr/lib/systemd/system/emerg-shutdown.service -usr/lib/systemd/system/hide-hardware-info.service#security-misc-shared => /usr/lib/systemd/system/hide-hardware-info.service -usr/lib/systemd/system/harden-module-loading.service#security-misc-shared => /usr/lib/systemd/system/harden-module-loading.service -usr/lib/systemd/system/user@.service.d/sysfs.conf#security-misc-shared => /usr/lib/systemd/system/user@.service.d/sysfs.conf -usr/lib/systemd/system/usbguard.service.d/30_security-misc.conf#security-misc-shared => /usr/lib/systemd/system/usbguard.service.d/30_security-misc.conf -usr/lib/systemd/system/haveged.service.d/30_security-misc.conf#security-misc-shared => /usr/lib/systemd/system/haveged.service.d/30_security-misc.conf -usr/lib/systemd/system/remount-secure.service#security-misc-shared => /usr/lib/systemd/system/remount-secure.service -usr/lib/systemd/system/ensure-shutdown.service#security-misc-shared => /usr/lib/systemd/system/ensure-shutdown.service -usr/lib/systemd/system/sysinit-post.target#security-misc-shared => /usr/lib/systemd/system/sysinit-post.target -usr/lib/systemd/system/ensure-shutdown-trigger.service#security-misc-shared => /usr/lib/systemd/system/ensure-shutdown-trigger.service 
-usr/lib/systemd/system/kill-vboxdrmclient-on-shutdown.service#security-misc-shared => /usr/lib/systemd/system/kill-vboxdrmclient-on-shutdown.service -usr/lib/systemd/user/usbguard-notifier.service.d/30_security-misc.conf#security-misc-shared => /usr/lib/systemd/user/usbguard-notifier.service.d/30_security-misc.conf -usr/lib/systemd/pstore.conf.d/30_security-misc.conf#security-misc-shared => /usr/lib/systemd/pstore.conf.d/30_security-misc.conf -usr/lib/udev/rules.d/95-emerg-shutdown.rules#security-misc-shared => /usr/lib/udev/rules.d/95-emerg-shutdown.rules -usr/lib/issue.d/20_security-misc.issue#security-misc-shared => /usr/lib/issue.d/20_security-misc.issue -usr/lib/dracut/modules.d/99emerg-shutdown/module-setup.sh#security-misc-shared => /usr/lib/dracut/modules.d/99emerg-shutdown/module-setup.sh usr/lib/dracut/modules.d-disabled/20remount-secure/module-setup.sh#security-misc-shared => /usr/lib/dracut/modules.d-disabled/20remount-secure/module-setup.sh usr/lib/dracut/modules.d-disabled/20remount-secure/remount-secure.sh#security-misc-shared => /usr/lib/dracut/modules.d-disabled/20remount-secure/remount-secure.sh -usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf -usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf -usr/lib/permission-hardener.d/30_default.conf#security-misc-shared => /usr/lib/permission-hardener.d/30_default.conf +usr/lib/dracut/modules.d/99emerg-shutdown/module-setup.sh#security-misc-shared => /usr/lib/dracut/modules.d/99emerg-shutdown/module-setup.sh +usr/lib/issue.d/20_security-misc.issue#security-misc-shared => /usr/lib/issue.d/20_security-misc.issue +usr/lib/modules-load.d/30_security-misc.conf#security-misc-shared => /usr/lib/modules-load.d/30_security-misc.conf 
usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf -usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf -usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf -usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf -usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf -usr/lib/permission-hardener.d/25_default_whitelist_pam.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_pam.conf usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf -usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf -usr/lib/permission-hardener.d/25_default_whitelist_mount.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_mount.conf +usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf +usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf#security-misc-shared => 
/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf +usr/lib/permission-hardener.d/25_default_whitelist_mount.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_mount.conf +usr/lib/permission-hardener.d/25_default_whitelist_pam.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_pam.conf +usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf +usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf +usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf +usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf +usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf +usr/lib/permission-hardener.d/25_default_whitelist_spice.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_spice.conf +usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf -usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf -usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf#security-misc-shared => 
/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf -usr/lib/permission-hardener.d/25_default_whitelist_spice.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_spice.conf -usr/lib/sysctl.d/30_silent-kernel-printk.conf#security-misc-shared => /usr/lib/sysctl.d/30_silent-kernel-printk.conf -usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared => /usr/lib/sysctl.d/990-security-misc.conf +usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf#security-misc-shared => /usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf +usr/lib/permission-hardener.d/30_default.conf#security-misc-shared => /usr/lib/permission-hardener.d/30_default.conf usr/lib/sysctl.d/30_security-misc_kexec-disable.conf#security-misc-shared => /usr/lib/sysctl.d/30_security-misc_kexec-disable.conf usr/lib/sysctl.d/30_security-misc_ptrace-disable.conf#security-misc-shared => /usr/lib/sysctl.d/30_security-misc_ptrace-disable.conf -usr/share/polkit-1/actions/org.freedesktop.Flatpak.policy.security-misc#security-misc-shared => /usr/share/polkit-1/actions/org.freedesktop.Flatpak.policy.security-misc -usr/share/glib-2.0/schemas/30_security-misc.gschema.override#security-misc-shared => /usr/share/glib-2.0/schemas/30_security-misc.gschema.override +usr/lib/sysctl.d/30_silent-kernel-printk.conf#security-misc-shared => /usr/lib/sysctl.d/30_silent-kernel-printk.conf +usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared => /usr/lib/sysctl.d/990-security-misc.conf +usr/lib/systemd/coredump.conf.d/30_security-misc.conf#security-misc-shared => /usr/lib/systemd/coredump.conf.d/30_security-misc.conf +usr/lib/systemd/pstore.conf.d/30_security-misc.conf#security-misc-shared => /usr/lib/systemd/pstore.conf.d/30_security-misc.conf +usr/lib/systemd/system-preset/50-security-misc.preset#security-misc-shared => /usr/lib/systemd/system-preset/50-security-misc.preset +usr/lib/systemd/system/block-shutdown.service#security-misc-shared => 
/usr/lib/systemd/system/block-shutdown.service +usr/lib/systemd/system/emerg-shutdown.service#security-misc-shared => /usr/lib/systemd/system/emerg-shutdown.service +usr/lib/systemd/system/ensure-shutdown-trigger.service#security-misc-shared => /usr/lib/systemd/system/ensure-shutdown-trigger.service +usr/lib/systemd/system/ensure-shutdown.service#security-misc-shared => /usr/lib/systemd/system/ensure-shutdown.service +usr/lib/systemd/system/harden-module-loading.service#security-misc-shared => /usr/lib/systemd/system/harden-module-loading.service +usr/lib/systemd/system/haveged.service.d/30_security-misc.conf#security-misc-shared => /usr/lib/systemd/system/haveged.service.d/30_security-misc.conf +usr/lib/systemd/system/hide-hardware-info.service#security-misc-shared => /usr/lib/systemd/system/hide-hardware-info.service +usr/lib/systemd/system/kill-vboxdrmclient-on-shutdown.service#security-misc-shared => /usr/lib/systemd/system/kill-vboxdrmclient-on-shutdown.service +usr/lib/systemd/system/panic-on-oops.service#security-misc-shared => /usr/lib/systemd/system/panic-on-oops.service +usr/lib/systemd/system/permission-hardener.service#security-misc-shared => /usr/lib/systemd/system/permission-hardener.service +usr/lib/systemd/system/proc-hidepid.service#security-misc-shared => /usr/lib/systemd/system/proc-hidepid.service +usr/lib/systemd/system/remount-secure.service#security-misc-shared => /usr/lib/systemd/system/remount-secure.service +usr/lib/systemd/system/remove-system-map.service#security-misc-shared => /usr/lib/systemd/system/remove-system-map.service +usr/lib/systemd/system/sysinit-post.target#security-misc-shared => /usr/lib/systemd/system/sysinit-post.target +usr/lib/systemd/system/usbguard.service.d/30_security-misc.conf#security-misc-shared => /usr/lib/systemd/system/usbguard.service.d/30_security-misc.conf +usr/lib/systemd/system/user@.service.d/sysfs.conf#security-misc-shared => /usr/lib/systemd/system/user@.service.d/sysfs.conf 
+usr/lib/systemd/user/usbguard-notifier.service.d/30_security-misc.conf#security-misc-shared => /usr/lib/systemd/user/usbguard-notifier.service.d/30_security-misc.conf +usr/lib/udev/rules.d/95-emerg-shutdown.rules#security-misc-shared => /usr/lib/udev/rules.d/95-emerg-shutdown.rules +usr/libexec/security-misc/askpass#security-misc-shared => /usr/libexec/security-misc/askpass +usr/libexec/security-misc/block-unsafe-logins#security-misc-shared => /usr/libexec/security-misc/block-unsafe-logins +usr/libexec/security-misc/check-for-usb-controller#security-misc-shared => /usr/libexec/security-misc/check-for-usb-controller +usr/libexec/security-misc/disable-kernel-module-loading#security-misc-shared => /usr/libexec/security-misc/disable-kernel-module-loading +usr/libexec/security-misc/echo-path#security-misc-shared => /usr/libexec/security-misc/echo-path +usr/libexec/security-misc/emerg-shutdown#security-misc-shared => /usr/libexec/security-misc/emerg-shutdown +usr/libexec/security-misc/ensure-shutdown#security-misc-shared => /usr/libexec/security-misc/ensure-shutdown +usr/libexec/security-misc/hide-hardware-info#security-misc-shared => /usr/libexec/security-misc/hide-hardware-info +usr/libexec/security-misc/kill-vboxdrmclient-on-shutdown#security-misc-shared => /usr/libexec/security-misc/kill-vboxdrmclient-on-shutdown +usr/libexec/security-misc/mmap-rnd-bits#security-misc-shared => /usr/libexec/security-misc/mmap-rnd-bits +usr/libexec/security-misc/pam-abort-on-locked-password#security-misc-shared => /usr/libexec/security-misc/pam-abort-on-locked-password +usr/libexec/security-misc/pam-info#security-misc-shared => /usr/libexec/security-misc/pam-info +usr/libexec/security-misc/pam_faillock_not_if_x#security-misc-shared => /usr/libexec/security-misc/pam_faillock_not_if_x +usr/libexec/security-misc/pam_only_if_login#security-misc-shared => /usr/libexec/security-misc/pam_only_if_login +usr/libexec/security-misc/pam_only_if_su#security-misc-shared => 
/usr/libexec/security-misc/pam_only_if_su +usr/libexec/security-misc/panic-on-oops#security-misc-shared => /usr/libexec/security-misc/panic-on-oops +usr/libexec/security-misc/permission-lockdown#security-misc-shared => /usr/libexec/security-misc/permission-lockdown +usr/libexec/security-misc/remove-system.map#security-misc-shared => /usr/libexec/security-misc/remove-system.map +usr/libexec/security-misc/virusforget#security-misc-shared => /usr/libexec/security-misc/virusforget usr/share/doc/security-misc/fstab-vm#security-misc-shared => /usr/share/doc/security-misc/fstab-vm +usr/share/glib-2.0/schemas/30_security-misc.gschema.override#security-misc-shared => /usr/share/glib-2.0/schemas/30_security-misc.gschema.override +usr/share/lintian/overrides/security-misc-shared#security-misc-shared => /usr/share/lintian/overrides/security-misc-shared +usr/share/pam-configs/block-unsafe-logins-security-misc#security-misc-shared => /usr/share/pam-configs/block-unsafe-logins-security-misc +usr/share/pam-configs/console-lockdown-security-misc#security-misc-shared => /usr/share/pam-configs/console-lockdown-security-misc usr/share/pam-configs/faillock-preauth-security-misc#security-misc-shared => /usr/share/pam-configs/faillock-preauth-security-misc -usr/share/pam-configs/wheel-security-misc#security-misc-shared => /usr/share/pam-configs/wheel-security-misc +usr/share/pam-configs/mkhomedir-security-misc#security-misc-shared => /usr/share/pam-configs/mkhomedir-security-misc +usr/share/pam-configs/pam-abort-on-locked-password-security-misc#security-misc-shared => /usr/share/pam-configs/pam-abort-on-locked-password-security-misc usr/share/pam-configs/umask-security-misc#security-misc-shared => /usr/share/pam-configs/umask-security-misc usr/share/pam-configs/unix-faillock-security-misc#security-misc-shared => /usr/share/pam-configs/unix-faillock-security-misc -usr/share/pam-configs/console-lockdown-security-misc#security-misc-shared => 
/usr/share/pam-configs/console-lockdown-security-misc -usr/share/pam-configs/mkhomedir-security-misc#security-misc-shared => /usr/share/pam-configs/mkhomedir-security-misc -usr/share/pam-configs/block-unsafe-logins-security-misc#security-misc-shared => /usr/share/pam-configs/block-unsafe-logins-security-misc -usr/share/pam-configs/pam-abort-on-locked-password-security-misc#security-misc-shared => /usr/share/pam-configs/pam-abort-on-locked-password-security-misc -usr/share/lintian/overrides/security-misc-shared#security-misc-shared => /usr/share/lintian/overrides/security-misc-shared +usr/share/pam-configs/wheel-security-misc#security-misc-shared => /usr/share/pam-configs/wheel-security-misc +usr/share/polkit-1/actions/org.freedesktop.Flatpak.policy.security-misc#security-misc-shared => /usr/share/polkit-1/actions/org.freedesktop.Flatpak.policy.security-misc +usr/share/security-misc/dolphinrc#security-misc-shared => /usr/share/security-misc/dolphinrc +usr/share/security-misc/emerg-shutdown-initramfs.service#security-misc-shared => /usr/share/security-misc/emerg-shutdown-initramfs.service usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf#security-misc-shared => /usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf usr/share/security-misc/lkrg/lkrg-virtualbox#security-misc-shared => /usr/share/security-misc/lkrg/lkrg-virtualbox -usr/share/security-misc/emerg-shutdown-initramfs.service#security-misc-shared => /usr/share/security-misc/emerg-shutdown-initramfs.service -usr/share/security-misc/security-misc-memlockd.cfg#security-misc-shared => /usr/share/security-misc/security-misc-memlockd.cfg -usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded#security-misc-shared => /usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded -usr/share/security-misc/dolphinrc#security-misc-shared => /usr/share/security-misc/dolphinrc usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded#security-misc-shared => 
/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded +usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded#security-misc-shared => /usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded +usr/share/security-misc/security-misc-memlockd.cfg#security-misc-shared => /usr/share/security-misc/security-misc-memlockd.cfg +usr/src/security-misc/emerg-shutdown.c#security-misc-shared => /usr/src/security-misc/emerg-shutdown.c +var/cache/security-misc/state-files/placeholder#security-misc-shared => /var/cache/security-misc/state-files/placeholder From 56df8b624c88b56905d945a0b247714152321c9b Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Mon, 29 Dec 2025 07:52:15 +0000 Subject: [PATCH 09/11] Re-order boot params as introduced The ordering was changed due to different merge times. --- README.md | 8 +-- ..._kernel_hardening.cfg#security-misc-shared | 54 +++++++++---------- 2 files changed, 31 insertions(+), 31 deletions(-) diff --git a/README.md b/README.md index 2ff03f7..d3631e6 100644 --- a/README.md +++ b/README.md 
@@ -259,14 +259,14 @@ Kernel space: - Disable the EFI persistent storage feature which prevents the kernel from writing crash logs and other persistent data to either the UEFI variable storage or ACPI ERST backends. -- Optional - On compatible AMD CPUs enable Secure Memory Encryption (SME) to protect against - cold boot attacks and Secure Encrypted Virtualization (SEV) for further guest memory isolation. +- Restrict processes from modifying their own memory mappings unless actively done via + `ptrace()` for debugging in order to limit self-modification which can trigger exploits. - Prevent runaway privileged processes from writing to block devices that are mounted by filesystems to protect against filesystem corruption and kernel crashes. -- Restrict processes from modifying their own memory mappings unless actively done via - `ptrace()` for debugging in order to limit self-modification which can trigger exploits. +- Optional - On compatible AMD CPUs enable Secure Memory Encryption (SME) to protect against + cold boot attacks and Secure Encrypted Virtualization (SEV) for further guest memory isolation. Direct memory access: diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared index f86e539..664535e 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared +++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared 
@@ -265,6 +265,33 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi_pstore.pstore_disable=1"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX erst_disable"
 
+## Restrict processes from modifying their own memory mappings.
+## Prevents using /proc/PID/mem to write to protected pages unless via ptrace() for debugging.
+## Increases the difficulty in tricking applications into overwriting their own memory.
+## Limit self-modification which can be used trigger race condition vulnerabilities.
+##
+## https://lore.kernel.org/lkml/20240712-vfs-procfs-ce7e6c7cf26b@brauner/
+## https://lwn.net/Articles/983169/
+## https://github.com/a13xp0p0v/kernel-hardening-checker/pull/201
+## https://github.com/Kicksecure/security-misc/issues/330
+##
+## KSPP=partial
+## KSPP sets the stricter kernel parameter proc_mem.force_override=never.
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX proc_mem.force_override=ptrace"
+
+## Prevent processes from writing to block devices that are mounted by filesystems.
+## Enhances system stability and security by protecting against runaway privileged processes.
+## Allowing processes to write to the buffer cache can cause filesystem corruption and kernel crashes.
+## Does not prevent data modifications using direct SCSI commands or lower-level storage stack access.
+## May lead to breakages in certain limited scenarios.
+##
+## https://github.com/torvalds/linux/commit/ed5cc702d311c14b653323d76062b0294effa66e
+## https://lore.kernel.org/lkml/20240105-vfs-super-4092d802972c@brauner/
+## https://github.com/a13xp0p0v/kernel-hardening-checker/issues/186
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX bdev_allow_write_mounted=0"
+
 ## Enable AMD Secure Memory Encryption (SME) and Secure Encrypted Virtualization (SEV).
 ## SME encrypts memory with a single key at the kernel level to protect against cold boot attacks.
 ## SEV extends SME to VMs by encrypting the memory of each with a unique key for guest isolation.
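Review bot: Neither `GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX proc_mem.force_override=ptrace"` nor `GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX bdev_allow_write_mounted=0"` in this hunk records the minimum kernel version that understands the parameter, and an unrecognised boot parameter is not an error (the kernel passes it on to init), so on an older kernel the hardening silently does not apply. Since the file already derives `kver` from dpkg-query in a later hunk and the README tracks version floors for other parameters, I would add a line such as `## Requires a kernel that implements proc_mem.force_override (see linked series); older kernels ignore it silently, recent ones report it under "Unknown kernel command line parameters" in dmesg.` to each block, with the same shape for the bdev one. If I recall the series correctly the `proc_mem` knob only overrides a `CONFIG_PROC_MEM_*` build-time default, so it is also worth noting that the effective policy depends on the distribution kernel config and should be checked on the target kernel rather than assumed. Separately, the moved comment `## Limit self-modification which can be used trigger race condition vulnerabilities.` is missing a word and should read `can be used to trigger`; this wording predates the commit, which only moves the lines.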
@@ -294,33 +321,6 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX erst_disable"
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm_amd.sev_es=1"
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm_amd.sev_snp=1"
 
-## Prevent processes from writing to block devices that are mounted by filesystems.
-## Enhances system stability and security by protecting against runaway privileged processes.
-## Allowing processes to write to the buffer cache can cause filesystem corruption and kernel crashes.
-## Does not prevent data modifications using direct SCSI commands or lower-level storage stack access.
-## May lead to breakages in certain limited scenarios.
-##
-## https://github.com/torvalds/linux/commit/ed5cc702d311c14b653323d76062b0294effa66e
-## https://lore.kernel.org/lkml/20240105-vfs-super-4092d802972c@brauner/
-## https://github.com/a13xp0p0v/kernel-hardening-checker/issues/186
-##
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX bdev_allow_write_mounted=0"
-
-## Restrict processes from modifying their own memory mappings.
-## Prevents using /proc/PID/mem to write to protected pages unless via ptrace() for debugging.
-## Increases the difficulty in tricking applications into overwriting their own memory.
-## Limit self-modification which can be used trigger race condition vulnerabilities.
-##
-## https://lore.kernel.org/lkml/20240712-vfs-procfs-ce7e6c7cf26b@brauner/
-## https://lwn.net/Articles/983169/
-## https://github.com/a13xp0p0v/kernel-hardening-checker/pull/201
-## https://github.com/Kicksecure/security-misc/issues/330
-##
-## KSPP=partial
-## KSPP sets the stricter kernel parameter proc_mem.force_override=never.
-##
-GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX proc_mem.force_override=ptrace"
-
 ## 2. Direct Memory Access:
 ##
 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#dma-attacks
From d0512e4f25ed78d0b27a62e305812dec3e00873a Mon Sep 17 00:00:00 2001
From: raja-grewal Date: Tue, 30 Dec 2025 03:47:47 +0000 Subject: [PATCH 10/11] Update links to kernel docs --- ...0_cpu_mitigations.cfg#security-misc-shared | 36 +++++++++---------- ..._kernel_hardening.cfg#security-misc-shared | 14 ++++---- .../41_quiet_boot.cfg#security-misc-shared | 2 +- ...ity-misc_disable.conf#security-misc-shared | 2 +- ...c_ptrace-disable.conf#security-misc-shared | 2 +- ...nt-kernel-printk.conf#security-misc-shared | 2 +- ...90-security-misc.conf#security-misc-shared | 24 ++++++------- 7 files changed, 41 insertions(+), 41 deletions(-)
diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared b/etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared
index 7df65d0..b41cad2 100644
--- a/etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared
+++ b/etc/default/grub.d/40_cpu_mitigations.cfg#security-misc-shared
@@ -9,8 +9,8 @@
 
 ## Enable known mitigations for CPU vulnerabilities.
 ## Note, the mitigations for SSB and Retbleed are not currently mentioned in the first link.
-## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html
-## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
+## https://docs.kernel.org/admin-guide/hw-vuln/index.html
+## https://docs.kernel.org/admin-guide/kernel-parameters.html
 ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647
 
 ## Check for potential updates directly from AMD and Intel.
@@ -41,7 +41,7 @@
 ##
 ## https://github.com/Kicksecure/security-misc/issues/199#issuecomment-3327391859
 ## https://github.com/secureblue/secureblue/issues/1405
-## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/attack_vector_controls.html
+## https://docs.kernel.org/admin-guide/hw-vuln/attack_vector_controls.html
 ##
 ## KSPP=yes
 ## KSPP sets the kernel parameters.
@@ -56,7 +56,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt"
 ## Disabling will significantly decrease system performance on multi-threaded tasks.
 ## Note, this setting will prevent re-enabling SMT via the sysfs interface.
 ##
-## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html
+## https://docs.kernel.org/admin-guide/hw-vuln/core-scheduling.html
 ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17
 ## https://github.com/anthraxx/linux-hardened/issues/37#issuecomment-619597365
 ##
@@ -76,7 +76,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force"
 ## Enable mitigation for the Intel branch history injection vulnerability.
 ## Currently affects both AMD and Intel CPUs.
 ##
-## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html
+## https://docs.kernel.org/admin-guide/hw-vuln/spectre.html
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_bhi=on"
@@ -112,7 +112,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ssbd=force-on"
 ## If L1D flushing is conditional, mitigate the vulnerability for certain KVM hypervisor configurations.
 ## Currently affects Intel CPUs.
 ##
-## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html
+## https://docs.kernel.org/admin-guide/hw-vuln/l1tf.html
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1tf=full,force"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm-intel.vmentry_l1d_flush=always"
@@ -121,7 +121,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm-intel.vmentry_l1d_flush=always"
 ## Mitigate the vulnerability by clearing the CPU buffer cache and disabling SMT.
 ## Currently affects Intel CPUs.
 ##
-## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
+## https://docs.kernel.org/admin-guide/hw-vuln/mds.html
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt"
 
@@ -130,7 +130,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt"
 ## If TSX is enabled, clear CPU buffer rings on transitions and disable SMT.
 ## Currently affects Intel CPUs.
 ##
-## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html
+## https://docs.kernel.org/admin-guide/hw-vuln/tsx_async_abort.html
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx_async_abort=full,nosmt"
@@ -139,7 +139,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx_async_abort=full,nosmt"
 ## Mitigate the vulnerability by marking all huge pages in the EPT as non-executable.
 ## Currently affects Intel CPUs.
 ##
-## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html
+## https://docs.kernel.org/admin-guide/hw-vuln/multihit.html
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force"
 
@@ -147,14 +147,14 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force"
 ## Mitigation of the vulnerability is only possible via microcode update from Intel.
 ## Currently affects Intel CPUs.
 ##
-## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/special-register-buffer-data-sampling.html
+## https://docs.kernel.org/admin-guide/hw-vuln/special-register-buffer-data-sampling.html
 ## https://access.redhat.com/solutions/5142691
 
 ## L1D Flushing:
 ## Mitigate leaks from the L1D cache on context switches by enabling the prctl() interface.
 ## Currently affects Intel CPUs.
 ##
-## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1d_flush.html
+## https://docs.kernel.org/admin-guide/hw-vuln/l1d_flush.html
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1d_flush=on"
 
@@ -162,7 +162,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1d_flush=on"
 ## Mitigate the vulnerabilities by appropriately clearing the CPU buffer and disabling SMT.
 ## Currently affects Intel CPUs.
 ##
-## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html
+## https://docs.kernel.org/admin-guide/hw-vuln/processor_mmio_stale_data.html
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mmio_stale_data=full,nosmt"
 
@@ -181,7 +181,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt"
 ## Mitigate the vulnerability for certain KVM hypervisor configurations.
 ## Currently affects AMD Zen 1-2 CPUs.
 ##
-## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/cross-thread-rsb.html
+## https://docs.kernel.org/admin-guide/hw-vuln/cross-thread-rsb.html
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.mitigate_smt_rsb=1"
 
@@ -189,7 +189,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.mitigate_smt_rsb=1"
 ## Mitigate the vulnerability by ensuring all RET instructions speculate to a controlled location.
 ## Currently affects AMD Zen 1-4 CPUs.
 ##
-## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html
+## https://docs.kernel.org/admin-guide/hw-vuln/srso.html
 ##
 ## The default kernel setting will be utilized until provided sufficient evidence to modify.
 ## Using "spec_rstack_overflow=ibpb" may provide superior protection to the default software-based approach.
@@ -202,7 +202,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.mitigate_smt_rsb=1"
 ## Note, without a suitable microcode update, this will entirely disable use of the AVX instructions set.
 ## Currently affects Intel CPUs.
 ##
-## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/gather_data_sampling.html
+## https://docs.kernel.org/admin-guide/hw-vuln/gather_data_sampling.html
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX gather_data_sampling=force"
 
@@ -210,7 +210,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX gather_data_sampling=force"
 ## Mitigate the vulnerability by appropriately clearing the CPU buffer.
 ## Currently affects Intel Atom CPUs (which encompasses E-cores on hybrid architectures).
 ##
-## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/reg-file-data-sampling.html
+## https://docs.kernel.org/admin-guide/hw-vuln/reg-file-data-sampling.html
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX reg_file_data_sampling=on"
 
@@ -218,7 +218,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX reg_file_data_sampling=on"
 ## Mitigate the vulnerability by not allowing indirect branches in the lower half of the cacheline.
 ## Currently affects Intel CPUs.
 ##
-## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/indirect-target-selection.html
+## https://docs.kernel.org/admin-guide/hw-vuln/indirect-target-selection.html
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX indirect_target_selection=force"
 
@@ -227,6 +227,6 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX indirect_target_selection=force"
 ## Comprehensive protection may also require disabling SMT to limit cross-thread attacks.
 ## Currently affects both AMD and Intel CPUs.
 ##
-## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/vmscape.html
+## https://docs.kernel.org/admin-guide/hw-vuln/vmscape.html
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vmscape=force"
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared
index 664535e..ce554fc 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared
+++ b/etc/default/grub.d/40_kernel_hardening.cfg#security-misc-shared
@@ -18,7 +18,7 @@ kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || tru
 ## 4. Networking
 ## See the documentation below for details on the majority of the selected commands:
-## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
+## https://docs.kernel.org/admin-guide/kernel-parameters.html
 ## https://wiki.archlinux.org/title/Kernel_parameters#GRUB
 ## 1. Kernel Space:
@@ -45,7 +45,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge"
 ## Enabling this (for now) will therefore leak exact and all kernel memory addresses to root.
 ## Introduces a noticeable performance overhead during all memory allocation and deallocation operations.
 ##
-## https://www.kernel.org/doc/html/latest/mm/slub.html
+## https://docs.kernel.org/mm/slub.html
 ## https://www.kernel.org/doc/Documentation/vm/slub.txt
 ## https://lore.kernel.org/all/20210601182202.3011020-5-swboyd@chromium.org/T/#u
 ## https://blogs.oracle.com/linux/post/linux-slub-allocator-internals-and-debugging-2
@@ -167,7 +167,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 ## All must first be tested to ensure there are no pre-existing issues on user hardware.
 ## After confirming stability this reduces attack surface.
 ##
-## https://www.kernel.org/doc/html/latest/admin-guide/tainted-kernels.html
+## https://docs.kernel.org/admin-guide/tainted-kernels.html
 ## https://support.scc.suse.com/s/kb/Tainted-kernel-1583239310621?language=en_US
 ## https://lore.kernel.org/all/20200515175502.146720-1-aquini@redhat.com/T/
 ## https://github.com/Kicksecure/security-misc/pull/339
@@ -180,7 +180,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 ## Must be used in combination with the kernel.printk sysctl.
 ## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation.
 ##
-## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html
+## https://docs.kernel.org/core-api/printk-basics.html
 ## https://wiki.archlinux.org/title/silent_boot
 ##
 ## See /etc/default/grub.d/41_quiet_boot.cfg for implementation.
@@ -193,7 +193,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 ## Aims to have very low processing overhead at each sampling interval.
 ## Sampling interval is set to occur every 100 milliseconds as per KSPP recommendation.
 ##
-## https://www.kernel.org/doc/html/latest/dev-tools/kfence.html
+## https://docs.kernel.org/dev-tools/kfence.html
 ## https://google.github.io/kernel-sanitizers/KFENCE.html
 ## https://blogs.oracle.com/linux/post/linux-slub-allocator-internals-and-debugging-4
 ## https://lwn.net/Articles/835542/
@@ -304,7 +304,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX bdev_allow_write_mounted=0"
 ## May cause boot failure on certain hardware with incompatible DMA masks especially if IOMMU is disabled.
 ##
 ## https://www.kernel.org/doc/html/next/x86/amd-memory-encryption.html
-## https://www.kernel.org/doc/html/latest/virt/kvm/x86/amd-memory-encryption.html
+## https://docs.kernel.org/virt/kvm/x86/amd-memory-encryption.html
 ## https://docs.amd.com/v/u/en-US/memory-encryption-white-paper
 ## https://docs.amd.com/v/u/en-US/SEV-SNP-strengthening-vm-isolation-with-integrity-protection-and-more
 ## https://github.com/AMDESE/AMDSEV
@@ -424,7 +424,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy"
 ## Disable the entire IPv6 stack functionality.
 ## Removes attack surface associated with the IPv6 module.
 ##
-## https://www.kernel.org/doc/html/latest/networking/ipv6.html
+## https://docs.kernel.org/networking/ipv6.html
 ## https://wiki.archlinux.org/title/IPv6#Disable_IPv6
 ##
 ## Enabling makes redundant many network hardening sysctl's in /usr/lib/sysctl.d/990-security-misc.conf.
diff --git a/etc/default/grub.d/41_quiet_boot.cfg#security-misc-shared b/etc/default/grub.d/41_quiet_boot.cfg#security-misc-shared
index 7221ac0..21b73f5 100644
--- a/etc/default/grub.d/41_quiet_boot.cfg#security-misc-shared
+++ b/etc/default/grub.d/41_quiet_boot.cfg#security-misc-shared
@@ -19,7 +19,7 @@ GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | str_replace "
 ## Must be used in combination with the kernel.printk sysctl.
 ## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation.
 ##
-## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html
+## https://docs.kernel.org/core-api/printk-basics.html
 ## https://wiki.archlinux.org/title/silent_boot
 ##
 ## For easier debugging, these are not applied to the recovery boot option.
diff --git a/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared b/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared
index 644048c..13703ca 100644
--- a/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared
+++ b/etc/modprobe.d/30_security-misc_disable.conf#security-misc-shared
@@ -87,7 +87,7 @@ install gnss-usb /usr/bin/disabled-gps-by-security-misc
 ## Disabling it may lead to breakages in various components without clear debugging/error messages.
 ## It may affect firmware updates, security, power management, display, and DRM.
 ##
-## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html
+## https://docs.kernel.org/driver-api/mei/mei.html
 ## https://en.wikipedia.org/wiki/Intel_Management_Engine#Security_vulnerabilities
 ## https://www.kicksecure.com/wiki/Out-of-band_Management_Technology#Intel_ME_Disabling_Disadvantages
 ## https://github.com/Kicksecure/security-misc/pull/236#issuecomment-2229092813
diff --git a/usr/lib/sysctl.d/30_security-misc_ptrace-disable.conf#security-misc-shared b/usr/lib/sysctl.d/30_security-misc_ptrace-disable.conf#security-misc-shared
index 0baec08..724e0f1 100644
--- a/usr/lib/sysctl.d/30_security-misc_ptrace-disable.conf#security-misc-shared
+++ b/usr/lib/sysctl.d/30_security-misc_ptrace-disable.conf#security-misc-shared
@@ -12,7 +12,7 @@
 ## Prevents native code debugging which some programs use as a method to detect tampering.
 ## May cause breakages in 'anti-cheat' software and programs running under Proton/WINE.
 ##
-## https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html#ptrace-scope
+## https://docs.kernel.org/admin-guide/LSM/Yama.html#ptrace-scope
 ## https://en.wikipedia.org/wiki/Ptrace
 ## https://grapheneos.org/features#attack-surface-reduction
 ## https://github.com/GrapheneOS/os-issue-tracker/issues/651#issuecomment-917599928
diff --git a/usr/lib/sysctl.d/30_silent-kernel-printk.conf#security-misc-shared b/usr/lib/sysctl.d/30_silent-kernel-printk.conf#security-misc-shared
index d8febf9..3e42491 100644
--- a/usr/lib/sysctl.d/30_silent-kernel-printk.conf#security-misc-shared
+++ b/usr/lib/sysctl.d/30_silent-kernel-printk.conf#security-misc-shared
@@ -11,7 +11,7 @@
 ## Must be used in conjunction with kernel boot parameters.
 ## See /etc/default/grub.d/41_quiet_boot.cfg for implementation.
 ##
-## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html
+## https://docs.kernel.org/core-api/printk-basics.html
 ##
 kernel.printk=3 3 3 3
diff --git a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared
index 5b6d3d6..a1ddec0 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared
+++ b/usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared
@@ -20,12 +20,12 @@
 ## 5. Networking
 ## For detailed explanations of most of the selected commands, refer to:
-## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/abi.html
-## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html
-## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/fs.html
-## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/net.html
-## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/vm.html
-## https://www.kernel.org/doc/html/latest//networking/ip-sysctl.html
+## https://docs.kernel.org/admin-guide/sysctl/abi.html
+## https://docs.kernel.org/admin-guide/sysctl/kernel.html
+## https://docs.kernel.org/admin-guide/sysctl/fs.html
+## https://docs.kernel.org/admin-guide/sysctl/net.html
+## https://docs.kernel.org/admin-guide/sysctl/vm.html
+## https://docs.kernel.org//networking/ip-sysctl.html
 ## 1. Kernel Space:
 ##
@@ -55,7 +55,7 @@ kernel.dmesg_restrict=1
 ## Must be used in conjunction with kernel boot parameters.
 ## See /etc/default/grub.d/41_quiet_boot.cfg for implementation.
 ##
-## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html
+## https://docs.kernel.org/core-api/printk-basics.html
 ##
 ## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation.
 ##
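Review bot: The rewritten reference `+## https://docs.kernel.org//networking/ip-sysctl.html` in the header hunk of 990-security-misc.conf carries the doubled slash over from the old `latest//networking` URL, while the five sysctl links rewritten alongside it all use a single slash. It should read `## https://docs.kernel.org/networking/ip-sysctl.html` so the list is uniformly formed and does not trip a link checker that normalises paths. This is comment-only, so there is no runtime effect on the sysctl settings themselves.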
@@ -109,7 +109,7 @@ vm.unprivileged_userfaultfd=0
 ## Disable the SysRq key to prevent leakage of kernel information.
 ## The Secure Attention Key (SAK) can no longer be utilized.
 ##
-## https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html
+## https://docs.kernel.org/admin-guide/sysrq.html
 ## https://www.kicksecure.com/wiki/SysRq
 ## https://github.com/xairy/unlockdown
 ##
@@ -157,7 +157,7 @@ kernel.sysrq=0
 ## The performance events system should not be accessible by unprivileged users.
 ## Other distributions such as Ubuntu and Fedora may permit further restricting.
 ##
-## https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html#unprivileged-users
+## https://docs.kernel.org/admin-guide/perf-security.html#unprivileged-users
 ## https://lore.kernel.org/kernel-hardening/1469630746-32279-1-git-send-email-jeffv@google.com/
 ##
 ## KSPP=yes
@@ -228,7 +228,7 @@ kernel.panic=-1
 ## These are valuable for high-reliability systems where data integrity is critical.
 ##
 ## https://en.wikipedia.org/wiki/Non-maskable_interrupt
-## https://www.kernel.org/doc/html/latest/trace/events-nmi.html
+## https://docs.kernel.org/trace/events-nmi.html
 ## https://0xax.gitbook.io/linux-insides/summary/interrupts/linux-interrupts-6
 ## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux_for_real_time/7/html/reference_guide/non-maskable_interrupts
 ##
@@ -284,7 +284,7 @@ abi.vsyscall32=0
 ## Prevents native code debugging which some programs use as a method to detect tampering.
 ## May cause breakages in 'anti-cheat' software and programs running under Proton/WINE.
 ##
-## https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html#ptrace-scope
+## https://docs.kernel.org/admin-guide/LSM/Yama.html#ptrace-scope
 ## https://en.wikipedia.org/wiki/Ptrace
 ## https://grapheneos.org/features#attack-surface-reduction
 ## https://github.com/GrapheneOS/os-issue-tracker/issues/651#issuecomment-917599928
@@ -380,7 +380,7 @@ vm.max_map_count=1048576
 ## Can stop maliciously crafted files with specific file extensions from automatically executing.
 ## Breaks many scripts that do not have appropriate shebang interpreter directives (#!/bin/...).
 ##
-## https://www.kernel.org/doc/html/latest/admin-guide/binfmt-misc.html
+## https://docs.kernel.org/admin-guide/binfmt-misc.html
 ## https://salsa.debian.org/debian/binfmt-support
 ## https://access.redhat.com/solutions/1985633
 ## https://en.wikipedia.org/wiki/Binfmt_misc
From 73d3da104b03c967c56d90d0905336caa802e416 Mon Sep 17 00:00:00 2001
From: raja-grewal
Date: Tue, 30 Dec 2025 03:51:49 +0000
Subject: [PATCH 11/11] Sort file
---
 debian/security-misc-desktop.install | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/debian/security-misc-desktop.install b/debian/security-misc-desktop.install
index 7397d9f..609f3f7 100755
--- a/debian/security-misc-desktop.install
+++ b/debian/security-misc-desktop.install
@@ -5,8 +5,8 @@
 ## This file was generated using 'genmkfile debinstfile'.
-etc/sudoers.d/security-misc-desktop#security-misc-desktop => /etc/sudoers.d/security-misc-desktop
 etc/bluetooth/30_security-misc.conf#security-misc-desktop => /etc/bluetooth/30_security-misc.conf
+etc/sudoers.d/security-misc-desktop#security-misc-desktop => /etc/sudoers.d/security-misc-desktop
 usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf#security-misc-desktop => /usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf
 usr/lib/NetworkManager/conf.d/80_randomize-mac.conf#security-misc-desktop => /usr/lib/NetworkManager/conf.d/80_randomize-mac.conf
 usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf#security-misc-desktop => /usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf