Merge remote-tracking branch 'github-kicksecure/master'

README.md

@@ -102,17 +102,16 @@ Networking:
 - Disable ICMP redirect acceptance and redirect sending messages to prevent
   man-in-the-middle attacks and minimize information disclosure.
 
-- Optional - Deny sending and receiving shared media redirects to reduce
-  the risk of IP spoofing attacks.
+- Deny sending and receiving shared media redirects to reduce the risk of IP
+  spoofing attacks.
 
-- Optional - Enable ARP filtering to mitigate some ARP spoofing and ARP
-  cache poisoning attacks.
+- Enable ARP filtering to mitigate some ARP spoofing and ARP cache poisoning attacks.
 
-- Optional - Respond to ARP requests only if the target IP address is
-  on-link, preventing some IP spoofing attacks.
+- Respond to ARP requests only if the target IP address is  on-link,
+  preventing some IP spoofing attacks.
 
-- Optional - Drop gratuitous ARP packets to prevent ARP cache poisoning
-  via man-in-the-middle and denial-of-service attacks.
+- Drop gratuitous ARP packets to prevent ARP cache poisoning via
+  man-in-the-middle and denial-of-service attacks.
 
 - Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks.
 
@@ -137,7 +136,9 @@ Networking:
 
 Mitigations for known CPU vulnerabilities are enabled in their strictest form
 and simultaneous multithreading (SMT) is disabled. See the
-`/etc/default/grub.d/40_cpu_mitigations.cfg` configuration file.
+`/etc/default/grub.d/40_cpu_mitigations.cfg` configuration file. Note, to achieve
+complete protection for known CPU vulnerabilities, the latest security microcode
+(BIOS/UEFI) updates must also be installed on the system.
 
 Boot parameters relating to kernel hardening, DMA mitigations, and entropy
 generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg`

etc/default/grub.d/40_cpu_mitigations.cfg

@@ -18,6 +18,14 @@
 ## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/advisory-guidance.html
 ## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/disclosure-documentation.html
 
+## Tabular comparison between the utility and functionality of various mitigations.
+## https://forums.whonix.org/t/kernel-hardening-security-misc/7296/587
+
+## For complete protection, users must install the latest relevant security microcode update.
+## BIOS/UEFI updates should only be obtained directly from OEMs and/or motherboard manufacturers.
+## Note that incorrectly performing system BIOS/UEFI updates can potentially lead to serious functionality issues.
+## The parameters below only provide (partial) protection at both the kernel and user space level.
+
 ## Enable a subset of known mitigations for some CPU vulnerabilities and disable SMT.
 ##
 ## KSPP=yes

usr/lib/sysctl.d/990-security-misc.conf

@@ -451,16 +451,16 @@ net.ipv6.conf.*.accept_redirects=0
 ## https://datatracker.ietf.org/doc/html/rfc1620
 ## https://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/theconfvariables.html
 ##
-#net.ipv4.conf.*.shared_media=0
+net.ipv4.conf.*.shared_media=0
 
 ## Enable ARP (Address Resolution Protocol) filtering.
-## Prevents the Linux kernel from handling the ARP table globally
+## Prevents the Linux kernel from handling the ARP table globally.
 ## Can mitigate some ARP spoofing and ARP cache poisoning attacks.
 ## Improper filtering can lead to increased ARP traffic and inadvertently block legitimate ARP requests.
 ##
 ## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
 ##
-#net.ipv4.conf.*.arp_filter=1
+net.ipv4.conf.*.arp_filter=1
 
 ## Respond to ARP (Address Resolution Protocol) requests only if the target IP address is on-link.
 ## Reduces IP spoofing attacks by limiting the scope of allowable ARP responses.
@@ -470,7 +470,7 @@ net.ipv6.conf.*.accept_redirects=0
 ## https://github.com/mullvad/mullvadvpn-app/pull/7141
 ## https://www.x41-dsec.de/static/reports/X41-Mullvad-Audit-Public-Report-2024-12-10.pdf
 ##
-#net.ipv4.conf.*.arp_ignore=2
+net.ipv4.conf.*.arp_ignore=2
 
 ## Drop gratuitous ARP (Address Resolution Protocol) packets.
 ## Stops ARP responses sent by a device without being explicitly requested.
@@ -482,7 +482,7 @@ net.ipv6.conf.*.accept_redirects=0
 ## https://patchwork.ozlabs.org/project/netdev/patch/1428652454-1224-3-git-send-email-johannes@sipsolutions.net/
 ## https://www.practicalnetworking.net/series/arp/gratuitous-arp/
 ##
-#net.ipv4.conf.*.drop_gratuitous_arp=1
+net.ipv4.conf.*.drop_gratuitous_arp=1
 
 ## Ignore ICMP echo requests.
 ## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks.