Merge remote-tracking branch 'origin/master'

etc/default/grub.d/40_enable_iommu.cfg

@@ -0,0 +1,2 @@
+# Enables IOMMU to prevent DMA attacks.
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on amd_iommu=on"

etc/modprobe.d/blacklist-dma.conf

@@ -0,0 +1,3 @@
+# Blacklist thunderbolt and firewire to prevent some DMA attacks.
+blacklist firewire-core
+blacklist thunderbolt

etc/sysctl.d/dmesg_restrict.conf

@@ -0,0 +1,2 @@
+# Restricts the kernel log to root only.
+kernel.dmesg_restrict=1

etc/sysctl.d/sysrq.conf

@@ -0,0 +1,2 @@
+# Allow only rebooting/shutting down with the SysRq key.
+kernel.sysrq=128

etc/sysctl.d/tcp_hardening.conf

@@ -15,5 +15,12 @@ net.ipv6.conf.default.accept_redirects=0
 net.ipv4.conf.all.send_redirects=0
 net.ipv4.conf.default.send_redirects=0
 
-# Ignores ICMP requests
+# Ignores ICMP requests.
 net.ipv4.icmp_echo_ignore_all=1
+
+# Enables TCP syncookies.
+net.ipv4.tcp_syncookies=1
+
+# Disable source routing.
+net.ipv4.conf.all.accept_source_route=0
+net.ipv4.conf.default.accept_source_route=0

lib/systemd/system/remove-system-map.service

@@ -0,0 +1,9 @@
+[Unit]
+Description=Removes the System.map files
+
+[Service]
+Type=oneshot
+ExecStart=/usr/lib/security-misc/remove-system.map
+
+[Install]
+WantedBy=multi-user.target

usr/lib/security-misc/remove-system.map

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+shopt -s nullglob
+
+# Removes the System.map files as they are only used for debugging or malware.
+for filename in /boot/System.map-*
+do
+  if [ -f "${filename}" ]; then
+    rm -f "${filename}"
+  fi
+done