Merge remote-tracking branch 'origin/master'

2025-01-14 12:49:27 -05:00 · 2019-10-17 06:04:34 -04:00 · 2019-10-17 06:04:34 -04:00 · c8e0303d6d
commit c8e0303d6d
parent 4b1b3b7d66 8a42c5b023
9 changed files with 94 additions and 17 deletions
--- a/debian/control
+++ b/debian/control
@ -32,33 +32,36 @@ Description: enhances misc security settings
 the kernel. (!) Hence, this package disables this feature by shipping the
 /etc/modprobe.d/30_nf_conntrack_helper_disable.conf configuration file.
 .
-  * Kernel symbols in /proc/kallsyms are hidden to prevent malware from
- reading them and using them to learn more about what to attack on your system.
+  * Kernel symbols in various files in /proc are hidden as they can be
+ very useful for kernel exploits.
 .
  * Kexec is disabled as it can be used to load a malicious kernel.
 /etc/sysctl.d/kexec.conf
 .
  * ASLR effectiveness for mmap is increased.
 .
-  * The TCP/IP stack is hardened.
+  * The TCP/IP stack is hardened by disabling ICMP redirect acceptance,
+ ICMP redirect sending and source routing to prevent man-in-the-middle attacks,
+ ignoring all ICMP requests, enabling TCP syncookies to prevent SYN flood attacks
+ and enabling RFC1337 to protect against time-wait assassination attacks.
 .
-  * This package makes some data spoofing attacks harder.
+  * Some data spoofing attacks are made harder.
 .
  * SACK can be disabled as it is commonly exploited and is rarely used by
- commenting in settings in file /etc/sysctl.d/tcp_sack.conf.
+ uncommenting settings in file /etc/sysctl.d/tcp_sack.conf.
 .
-  * This package disables the merging of slabs of similar sizes to prevent an
- attacker from exploiting them.
+  * Slab merging is disabled as sometimes a slab can be used in a vulnerable
+ way which an attacker can exploit.
 .
  * Sanity checks, redzoning, and memory poisoning are enabled.
 .
-  * The kernel now panics on uncorrectable errors in ECC memory which could
- be exploited.
+  * Machine checks (MCE) are disabled which makes the kernel panic
+ on uncorrectable errors in ECC memory that could be exploited.
 .
  * Kernel Page Table Isolation is enabled to mitigate Meltdown and increase
 KASLR effectiveness.
 .
-  * SMT is disabled as it can be used to exploit the MDS vulnerability.
+  * SMT is disabled as it can be used to exploit the MDS and other vulnerabilities.
 .
  * All mitigations for the MDS vulnerability are enabled.
 .
@ -74,8 +77,8 @@ Description: enhances misc security settings
 /etc/sysctl.d/coredumps.conf
 /lib/systemd/coredump.conf.d/disable-coredumps.conf
 .
-  * The thunderbolt and firewire modules are blacklisted as they can be used
- for DMA (Direct Memory Access) attacks.
+  * The thunderbolt and firewire kernel modules are blacklisted as they can be
+ used for DMA (Direct Memory Access) attacks.
 .
  * IOMMU is enabled with a boot parameter to prevent DMA attacks.
 .
--- a/debian/security-misc.postinst
+++ b/debian/security-misc.postinst
@ -30,6 +30,8 @@ case "$1" in
 esac

 addgroup root sudo
+addgroup --system sysfs
+addgroup --system cpuinfo

 pam-auth-update --package

--- a/etc/hide-hardware-info.d/30_whitelist.conf
+++ b/etc/hide-hardware-info.d/30_whitelist.conf
@ -0,0 +1,8 @@
+## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+## Disable the /sys whitelist.
+#sysfs_whitelist=0
+
+## Disable the /proc/cpuinfo whitelist.
+#cpuinfo_whitelist=0
--- a/etc/modprobe.d/blacklist-bluetooth.conf
+++ b/etc/modprobe.d/blacklist-bluetooth.conf
@ -1,3 +1,6 @@
-# Blacklists bluetooth.
+# Blacklists bluetooth to reduce attack surface.
+# Bluetooth also has a history of security vulnerabilities:
+#
+# https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
 install bluetooth /bin/false
 install btusb /bin/false
--- a/etc/sysctl.d/kptr_restrict.conf
+++ b/etc/sysctl.d/kptr_restrict.conf
@ -1,5 +1,8 @@
 ## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
 ## See the file COPYING for copying conditions.

-## Hides kernel symbols in /proc/kallsyms
+## Hides kernel addresses in various files in /proc.
+## Kernel addresses can be very useful in certain exploits.
+##
+## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
 kernel.kptr_restrict=2
--- a/etc/sysctl.d/mmap_aslr.conf
+++ b/etc/sysctl.d/mmap_aslr.conf
@ -1,6 +1,6 @@
 ## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
 ## See the file COPYING for copying conditions.

-## Improves KASLR effectiveness for mmap.
+## Improves ASLR effectiveness for mmap.
 vm.mmap_rnd_bits=32
 vm.mmap_rnd_compat_bits=16
--- a/lib/systemd/system/user@.service.d/sysfs.conf
+++ b/lib/systemd/system/user@.service.d/sysfs.conf
@ -0,0 +1,2 @@
+[Service]
+SupplementaryGroups=sysfs
--- a/usr/lib/security-misc/hide-hardware-info
+++ b/usr/lib/security-misc/hide-hardware-info
@ -3,6 +3,42 @@
 ## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
 ## See the file COPYING for copying conditions.

+sysfs_whitelist=1
+cpuinfo_whitelist=1
+
+## Allows for disabling the whitelist.
+for i in /etc/hide-hardware-info.d/*.conf
+do
+  source "${i}"
+done
+
+create_whitelist() {
+  if [ "${1}" = "sysfs" ]; then
+    whitelist_path="/sys"
+  elif [ "${1}" = "cpuinfo" ]; then
+    whitelist_path="/proc/cpuinfo"
+  else
+    echo "ERROR: ${1} is not a correct parameter."
+    exit 1
+  fi
+
+  if grep -q "${1}" /etc/group; then
+    chmod o-rwx "${whitelist_path}"
+    chgrp -fR "${1}" "${whitelist_path}"
+    
+    ## Changing the permissions of /sys recursively
+    ## causes errors as the permissions of /sys/kernel/debug
+    ## and /sys/fs/cgroup cannot be changed which makes
+    ## systemd say the service has failed even though
+    ## everything has completed successfully. So, this
+    ## returns "0" instead which makes systemd say the 
+    ## service has succeeded.
+    return 0
+  else
+    echo "ERROR: The ${1} group does not exist, the ${1} whitelist was not created."
+  fi
+}
+
 ## sysfs and debugfs expose a lot of information
 ## that should not be accessible by an unprivileged
 ## user which includes hardware info, debug info and
@ -13,7 +49,25 @@
 for i in /proc/cpuinfo /proc/bus /proc/scsi /sys
 do
  if [ -e "${i}" ]; then
+    if [ "${i}" = "/sys" ]; then
+      ## Whitelist for /sys.
+      if [ "${sysfs_whitelist}" = "1" ]; then
+        create_whitelist sysfs
+      else
+        chmod og-rwx /sys
+        echo "INFO: The sysfs whitelist is not enabled. Some things may not work properly."
+      fi
+    elif [ "${i}" = "/proc/cpuinfo" ]; then
+      ## Whitelist for /proc/cpuinfo.
+      if [ "${cpuinfo_whitelist}" = "1" ]; then
+        create_whitelist cpuinfo
+      else
+        chmod og-rwx /proc/cpuinfo
+        echo "INFO: The cpuinfo whitelist is not enabled. Some things may not work properly."
+      fi
+    else
      chmod og-rwx "${i}"
+    fi
  else
    ## /proc/scsi doesn't exist on Debian so errors
    ## are expected here.
--- a/usr/lib/security-misc/panic-on-oops
+++ b/usr/lib/security-misc/panic-on-oops
@ -12,5 +12,7 @@ if [ -f /usr/lib/helper-scripts/pre.bsh ]; then
   source /usr/lib/helper-scripts/pre.bsh
 fi

-# Makes the kernel panic on oopses.
+## Makes the kernel panic on oopses. This prevents the kernel
+## from continuing to run a flawed processes. Many kernel exploits
+## will also cause an oops which this will make the kernel kill.
 sysctl kernel.panic_on_oops=1