mirror of
https://github.com/Kicksecure/security-misc.git
synced 2025-06-01 03:24:31 -04:00
Merge remote-tracking branch 'github-kicksecure/master'
This commit is contained in:
Patrick Schleizer
commit
c17485baa1
3 changed files with 23 additions and 14 deletions
19
README.md
19
README.md
|
|
@ -102,17 +102,16 @@ Networking:
|
||||||
- Disable ICMP redirect acceptance and redirect sending messages to prevent
|
- Disable ICMP redirect acceptance and redirect sending messages to prevent
|
||||||
man-in-the-middle attacks and minimize information disclosure.
|
man-in-the-middle attacks and minimize information disclosure.
|
||||||
|
|
||||||
- Optional - Deny sending and receiving shared media redirects to reduce
|
- Deny sending and receiving shared media redirects to reduce the risk of IP
|
||||||
the risk of IP spoofing attacks.
|
spoofing attacks.
|
||||||
|
|
||||||
- Optional - Enable ARP filtering to mitigate some ARP spoofing and ARP
|
- Enable ARP filtering to mitigate some ARP spoofing and ARP cache poisoning attacks.
|
||||||
cache poisoning attacks.
|
|
||||||
|
|
||||||
- Optional - Respond to ARP requests only if the target IP address is
|
- Respond to ARP requests only if the target IP address is on-link,
|
||||||
on-link, preventing some IP spoofing attacks.
|
preventing some IP spoofing attacks.
|
||||||
|
|
||||||
- Optional - Drop gratuitous ARP packets to prevent ARP cache poisoning
|
- Drop gratuitous ARP packets to prevent ARP cache poisoning via
|
||||||
via man-in-the-middle and denial-of-service attacks.
|
man-in-the-middle and denial-of-service attacks.
|
||||||
|
|
||||||
- Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks.
|
- Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks.
|
||||||
|
|
||||||
|
|
@ -137,7 +136,9 @@ Networking:
|
||||||
|
|
||||||
Mitigations for known CPU vulnerabilities are enabled in their strictest form
|
Mitigations for known CPU vulnerabilities are enabled in their strictest form
|
||||||
and simultaneous multithreading (SMT) is disabled. See the
|
and simultaneous multithreading (SMT) is disabled. See the
|
||||||
`/etc/default/grub.d/40_cpu_mitigations.cfg` configuration file.
|
`/etc/default/grub.d/40_cpu_mitigations.cfg` configuration file. Note, to achieve
|
||||||
|
complete protection for known CPU vulnerabilities, the latest security microcode
|
||||||
|
(BIOS/UEFI) updates must also be installed on the system.
|
||||||
|
|
||||||
Boot parameters relating to kernel hardening, DMA mitigations, and entropy
|
Boot parameters relating to kernel hardening, DMA mitigations, and entropy
|
||||||
generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg`
|
generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg`
|
||||||
|
|
|
||||||
|
|
@ -18,6 +18,14 @@
|
||||||
## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/advisory-guidance.html
|
## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/advisory-guidance.html
|
||||||
## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/disclosure-documentation.html
|
## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/disclosure-documentation.html
|
||||||
|
|
||||||
|
## Tabular comparison between the utility and functionality of various mitigations.
|
||||||
|
## https://forums.whonix.org/t/kernel-hardening-security-misc/7296/587
|
||||||
|
|
||||||
|
## For complete protection, users must install the latest relevant security microcode update.
|
||||||
|
## BIOS/UEFI updates should only be obtained directly from OEMs and/or motherboard manufacturers.
|
||||||
|
## Note that incorrectly performing system BIOS/UEFI updates can potentially lead to serious functionality issues.
|
||||||
|
## The parameters below only provide (partial) protection at both the kernel and user space level.
|
||||||
|
|
||||||
## Enable a subset of known mitigations for some CPU vulnerabilities and disable SMT.
|
## Enable a subset of known mitigations for some CPU vulnerabilities and disable SMT.
|
||||||
##
|
##
|
||||||
## KSPP=yes
|
## KSPP=yes
|
||||||
|
|
|
||||||
|
|
@ -451,16 +451,16 @@ net.ipv6.conf.*.accept_redirects=0
|
||||||
## https://datatracker.ietf.org/doc/html/rfc1620
|
## https://datatracker.ietf.org/doc/html/rfc1620
|
||||||
## https://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/theconfvariables.html
|
## https://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/theconfvariables.html
|
||||||
##
|
##
|
||||||
#net.ipv4.conf.*.shared_media=0
|
net.ipv4.conf.*.shared_media=0
|
||||||
|
|
||||||
## Enable ARP (Address Resolution Protocol) filtering.
|
## Enable ARP (Address Resolution Protocol) filtering.
|
||||||
## Prevents the Linux kernel from handling the ARP table globally
|
## Prevents the Linux kernel from handling the ARP table globally.
|
||||||
## Can mitigate some ARP spoofing and ARP cache poisoning attacks.
|
## Can mitigate some ARP spoofing and ARP cache poisoning attacks.
|
||||||
## Improper filtering can lead to increased ARP traffic and inadvertently block legitimate ARP requests.
|
## Improper filtering can lead to increased ARP traffic and inadvertently block legitimate ARP requests.
|
||||||
##
|
##
|
||||||
## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
|
## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
|
||||||
##
|
##
|
||||||
#net.ipv4.conf.*.arp_filter=1
|
net.ipv4.conf.*.arp_filter=1
|
||||||
|
|
||||||
## Respond to ARP (Address Resolution Protocol) requests only if the target IP address is on-link.
|
## Respond to ARP (Address Resolution Protocol) requests only if the target IP address is on-link.
|
||||||
## Reduces IP spoofing attacks by limiting the scope of allowable ARP responses.
|
## Reduces IP spoofing attacks by limiting the scope of allowable ARP responses.
|
||||||
|
|
@ -470,7 +470,7 @@ net.ipv6.conf.*.accept_redirects=0
|
||||||
## https://github.com/mullvad/mullvadvpn-app/pull/7141
|
## https://github.com/mullvad/mullvadvpn-app/pull/7141
|
||||||
## https://www.x41-dsec.de/static/reports/X41-Mullvad-Audit-Public-Report-2024-12-10.pdf
|
## https://www.x41-dsec.de/static/reports/X41-Mullvad-Audit-Public-Report-2024-12-10.pdf
|
||||||
##
|
##
|
||||||
#net.ipv4.conf.*.arp_ignore=2
|
net.ipv4.conf.*.arp_ignore=2
|
||||||
|
|
||||||
## Drop gratuitous ARP (Address Resolution Protocol) packets.
|
## Drop gratuitous ARP (Address Resolution Protocol) packets.
|
||||||
## Stops ARP responses sent by a device without being explicitly requested.
|
## Stops ARP responses sent by a device without being explicitly requested.
|
||||||
|
|
@ -482,7 +482,7 @@ net.ipv6.conf.*.accept_redirects=0
|
||||||
## https://patchwork.ozlabs.org/project/netdev/patch/1428652454-1224-3-git-send-email-johannes@sipsolutions.net/
|
## https://patchwork.ozlabs.org/project/netdev/patch/1428652454-1224-3-git-send-email-johannes@sipsolutions.net/
|
||||||
## https://www.practicalnetworking.net/series/arp/gratuitous-arp/
|
## https://www.practicalnetworking.net/series/arp/gratuitous-arp/
|
||||||
##
|
##
|
||||||
#net.ipv4.conf.*.drop_gratuitous_arp=1
|
net.ipv4.conf.*.drop_gratuitous_arp=1
|
||||||
|
|
||||||
## Ignore ICMP echo requests.
|
## Ignore ICMP echo requests.
|
||||||
## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks.
|
## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks.
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue