Merge remote-tracking branch 'origin/master'

2025-01-14 12:39:28 -05:00 · 2019-10-17 06:04:34 -04:00 · 2019-10-17 06:04:34 -04:00 · c8e0303d6d
commit c8e0303d6d
parent 4b1b3b7d66 8a42c5b023
9 changed files with 94 additions and 17 deletions
--- a/debian/control
+++ b/debian/control
@ -32,33 +32,36 @@ Description: enhances misc security settings
 the kernel. (!) Hence, this package disables this feature by shipping the
 /etc/modprobe.d/30_nf_conntrack_helper_disable.conf configuration file.
 .
-  * Kernel symbols in /proc/kallsyms are hidden to prevent malware from
+  * Kernel symbols in various files in /proc are hidden as they can be
- reading them and using them to learn more about what to attack on your system.
+ very useful for kernel exploits.
 .
  * Kexec is disabled as it can be used to load a malicious kernel.
 /etc/sysctl.d/kexec.conf
 .
  * ASLR effectiveness for mmap is increased.
 .
-  * The TCP/IP stack is hardened.
+  * The TCP/IP stack is hardened by disabling ICMP redirect acceptance,
 ICMP redirect sending and source routing to prevent man-in-the-middle attacks,
 ignoring all ICMP requests, enabling TCP syncookies to prevent SYN flood attacks
 and enabling RFC1337 to protect against time-wait assassination attacks.
 .
-  * This package makes some data spoofing attacks harder.
+  * Some data spoofing attacks are made harder.
 .
  * SACK can be disabled as it is commonly exploited and is rarely used by
- commenting in settings in file /etc/sysctl.d/tcp_sack.conf.
+ uncommenting settings in file /etc/sysctl.d/tcp_sack.conf.
 .
-  * This package disables the merging of slabs of similar sizes to prevent an
+  * Slab merging is disabled as sometimes a slab can be used in a vulnerable
- attacker from exploiting them.
+ way which an attacker can exploit.
 .
  * Sanity checks, redzoning, and memory poisoning are enabled.
 .
-  * The kernel now panics on uncorrectable errors in ECC memory which could
+  * Machine checks (MCE) are disabled which makes the kernel panic
- be exploited.
+ on uncorrectable errors in ECC memory that could be exploited.
 .
  * Kernel Page Table Isolation is enabled to mitigate Meltdown and increase
 KASLR effectiveness.
 .
-  * SMT is disabled as it can be used to exploit the MDS vulnerability.
+  * SMT is disabled as it can be used to exploit the MDS and other vulnerabilities.
 .
  * All mitigations for the MDS vulnerability are enabled.
 .
@ -74,8 +77,8 @@ Description: enhances misc security settings
 /etc/sysctl.d/coredumps.conf
 /lib/systemd/coredump.conf.d/disable-coredumps.conf
 .
-  * The thunderbolt and firewire modules are blacklisted as they can be used
+  * The thunderbolt and firewire kernel modules are blacklisted as they can be
- for DMA (Direct Memory Access) attacks.
+ used for DMA (Direct Memory Access) attacks.
 .
  * IOMMU is enabled with a boot parameter to prevent DMA attacks.
 .
--- a/debian/security-misc.postinst
+++ b/debian/security-misc.postinst
@ -30,6 +30,8 @@ case "$1" in
 esac
 addgroup root sudo
 addgroup --system sysfs
 addgroup --system cpuinfo
 pam-auth-update --package
--- a/etc/hide-hardware-info.d/30_whitelist.conf
+++ b/etc/hide-hardware-info.d/30_whitelist.conf
@ -0,0 +1,8 @@
 ## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
 ## See the file COPYING for copying conditions.
 ## Disable the /sys whitelist.
 #sysfs_whitelist=0
 ## Disable the /proc/cpuinfo whitelist.
 #cpuinfo_whitelist=0
--- a/etc/modprobe.d/blacklist-bluetooth.conf
+++ b/etc/modprobe.d/blacklist-bluetooth.conf
@ -1,3 +1,6 @@
-# Blacklists bluetooth.
+# Blacklists bluetooth to reduce attack surface.
 # Bluetooth also has a history of security vulnerabilities:
 #
 # https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
 install bluetooth /bin/false
 install btusb /bin/false
--- a/etc/sysctl.d/kptr_restrict.conf
+++ b/etc/sysctl.d/kptr_restrict.conf
@ -1,5 +1,8 @@
 ## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
 ## See the file COPYING for copying conditions.
-## Hides kernel symbols in /proc/kallsyms
+## Hides kernel addresses in various files in /proc.
 ## Kernel addresses can be very useful in certain exploits.
 ##
 ## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
 kernel.kptr_restrict=2
--- a/etc/sysctl.d/mmap_aslr.conf
+++ b/etc/sysctl.d/mmap_aslr.conf
@ -1,6 +1,6 @@
 ## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
 ## See the file COPYING for copying conditions.
-## Improves KASLR effectiveness for mmap.
+## Improves ASLR effectiveness for mmap.
 vm.mmap_rnd_bits=32
 vm.mmap_rnd_compat_bits=16
--- a/lib/systemd/system/user@.service.d/sysfs.conf
+++ b/lib/systemd/system/user@.service.d/sysfs.conf
@ -0,0 +1,2 @@
 [Service]
 SupplementaryGroups=sysfs
--- a/usr/lib/security-misc/hide-hardware-info
+++ b/usr/lib/security-misc/hide-hardware-info
@ -3,6 +3,42 @@
 ## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
 ## See the file COPYING for copying conditions.
 sysfs_whitelist=1
 cpuinfo_whitelist=1
 ## Allows for disabling the whitelist.
 for i in /etc/hide-hardware-info.d/*.conf
 do
  source "${i}"
 done
 create_whitelist() {
  if [ "${1}" = "sysfs" ]; then
    whitelist_path="/sys"
  elif [ "${1}" = "cpuinfo" ]; then
    whitelist_path="/proc/cpuinfo"
  else
    echo "ERROR: ${1} is not a correct parameter."
    exit 1
  fi
  if grep -q "${1}" /etc/group; then
    chmod o-rwx "${whitelist_path}"
    chgrp -fR "${1}" "${whitelist_path}"
    ## Changing the permissions of /sys recursively
    ## causes errors as the permissions of /sys/kernel/debug
    ## and /sys/fs/cgroup cannot be changed which makes
    ## systemd say the service has failed even though
    ## everything has completed successfully. So, this
    ## returns "0" instead which makes systemd say the 
    ## service has succeeded.
    return 0
  else
    echo "ERROR: The ${1} group does not exist, the ${1} whitelist was not created."
  fi
 }
 ## sysfs and debugfs expose a lot of information
 ## that should not be accessible by an unprivileged
 ## user which includes hardware info, debug info and
@ -13,7 +49,25 @@
 for i in /proc/cpuinfo /proc/bus /proc/scsi /sys
 do
  if [ -e "${i}" ]; then
-    chmod og-rwx "${i}"
+    if [ "${i}" = "/sys" ]; then
      ## Whitelist for /sys.
      if [ "${sysfs_whitelist}" = "1" ]; then
        create_whitelist sysfs
      else
        chmod og-rwx /sys
        echo "INFO: The sysfs whitelist is not enabled. Some things may not work properly."
      fi
    elif [ "${i}" = "/proc/cpuinfo" ]; then
      ## Whitelist for /proc/cpuinfo.
      if [ "${cpuinfo_whitelist}" = "1" ]; then
        create_whitelist cpuinfo
      else
        chmod og-rwx /proc/cpuinfo
        echo "INFO: The cpuinfo whitelist is not enabled. Some things may not work properly."
      fi
    else
      chmod og-rwx "${i}"
    fi
  else
    ## /proc/scsi doesn't exist on Debian so errors
    ## are expected here.
--- a/usr/lib/security-misc/panic-on-oops
+++ b/usr/lib/security-misc/panic-on-oops
@ -12,5 +12,7 @@ if [ -f /usr/lib/helper-scripts/pre.bsh ]; then
   source /usr/lib/helper-scripts/pre.bsh
 fi
-# Makes the kernel panic on oopses.
+## Makes the kernel panic on oopses. This prevents the kernel
 ## from continuing to run a flawed processes. Many kernel exploits
 ## will also cause an oops which this will make the kernel kill.
 sysctl kernel.panic_on_oops=1