From 5cb21d0d4d36fd516f17a9b5378443859f497027 Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Wed, 12 Feb 2020 18:03:23 +0000
Subject: [PATCH 1/6] Prevent symlink/hardlink TOCTOU races

---
 etc/sysctl.d/30_security-misc.conf | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)

diff --git a/etc/sysctl.d/30_security-misc.conf b/etc/sysctl.d/30_security-misc.conf
index ae374de..4c17bcb 100644
--- a/etc/sysctl.d/30_security-misc.conf
+++ b/etc/sysctl.d/30_security-misc.conf
@@ -5,21 +5,31 @@
 ## security-misc also disables coredumps in other ways.
 kernel.core_pattern=|/bin/false
 
-
 ## Restricts the kernel log to root only.
 kernel.dmesg_restrict=1
 
-
-## Makes some data spoofing attacks harder.
+## Don't allow writes to files that we don't own
+## in world writable sticky directories, unless
+## they are owned by the owner of the directory.
 fs.protected_fifos=2
 fs.protected_regular=2
 
+## Only allow symlinks to be followed when outside of
+## a world-writable sticky directory, or when the owner
+## of the symlink and follower match, or when the directory
+## owner matches the symlink's owner.
+##
+## Prevent hardlinks from being created by users that do not
+## have read/write access to the source file.
+##
+## These prevent many TOCTOU races.
+fs.protected_symlinks=1
+fs.protected_hardlinks=1
 
 ## Hardens the BPF JIT compiler and restricts it to root.
 kernel.unprivileged_bpf_disabled=1
 net.core.bpf_jit_harden=2
 
-
 ## Quote https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html
 ##
 ## kexec_load_disabled:
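Review bot: The new comment above fs.protected_fifos/fs.protected_regular describes the value-1 behaviour while the file sets 2; per the kernel's sysctl/fs documentation, 2 additionally covers group-writable sticky directories, so the comment should say so, e.g. `## Value 2 also applies this to group-writable sticky directories.` The hardlink comment is likewise incomplete: the kernel also permits the link when the user owns the source file, so `## have read/write access to, or do not own, the source file.` would match the actual rule. Since these are sysctl.d fragments, note that any fragment with a lexically later name that sets the same keys wins, which is worth a one-line remark for operators who also ship a 50-* or 99-* file.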
@@ -29,19 +39,16 @@ net.core.bpf_jit_harden=2
 ## Disables kexec which can be used to replace the running kernel.
 kernel.kexec_load_disabled=1
 
-
 ## Hides kernel addresses in various files in /proc.
 ## Kernel addresses can be very useful in certain exploits.
 ##
 ## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
 kernel.kptr_restrict=2
 
-
 ## Improves ASLR effectiveness for mmap.
 vm.mmap_rnd_bits=32
 vm.mmap_rnd_compat_bits=16
 
-
 ## Restricts the use of ptrace to root. This might break some programs running under WINE.
 ## A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. This can be done by running:
 ##
@@ -50,7 +57,6 @@ vm.mmap_rnd_compat_bits=16
 ## sudo setcap cap_sys_ptrace=eip /usr/bin/wine-preloader
 kernel.yama.ptrace_scope=2
 
-
 ## Prevent setuid processes from creating coredumps.
 fs.suid_dumpable=0
 

From 14f845837476810f1eb3038d9d41f9ad8088b916 Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Wed, 12 Feb 2020 18:05:32 +0000
Subject: [PATCH 2/6] Update control

---
 debian/control | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/debian/control b/debian/control
index 6a97d69..653f292 100644
--- a/debian/control
+++ b/debian/control
@@ -48,7 +48,9 @@ Description: enhances misc security settings
  attacks and enabling reverse path filtering to prevent IP spoofing and
  mitigate vulnerabilities such as CVE-2019-14899.
  .
- * Some data spoofing attacks are made harder.
+ * Avoids unintentional writes to attacker-controlled files.
+ .
+ * Prevents symlink/hardlink TOCTOU races.
  .
  * SACK can be disabled as it is commonly exploited and is rarely used by
  uncommenting settings in file /etc/sysctl.d/30_security-misc.conf.

From 0ea7dd161b3e643c23624e6dcb450116824b6301 Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Fri, 14 Feb 2020 17:50:19 +0000
Subject: [PATCH 3/6] Restrict loading line disciplines to CAP_SYS_MODULE

---
 etc/sysctl.d/30_security-misc.conf | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/etc/sysctl.d/30_security-misc.conf b/etc/sysctl.d/30_security-misc.conf
index 4c17bcb..8305bd1 100644
--- a/etc/sysctl.d/30_security-misc.conf
+++ b/etc/sysctl.d/30_security-misc.conf
@@ -118,3 +118,8 @@ net.ipv4.conf.all.rp_filter=1
 net.ipv4.tcp_timestamps=0
 
 #### meta end
+
+## Restrict loading line disciplines to CAP_SYS_MODULE to prevent
+## unprivileged attackers from loading vulnerable line disciplines
+## with the TIOCSETD ioctl to exploit them.
+dev.tty.ldisc_autoload=0

From ace62111761451a13c446767dfd3c32b9b70a7f8 Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Fri, 14 Feb 2020 17:51:17 +0000
Subject: [PATCH 4/6] Update control

---
 debian/control | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/debian/control b/debian/control
index 2abb7ee..99871c4 100644
--- a/debian/control
+++ b/debian/control
@@ -119,6 +119,8 @@ Description: enhances misc security settings
  .
  * The kernel panics on oopses to prevent it from continuing to run a
  flawed process and to deter brute forcing.
+ .
+ * Restricts loading line disciplines to CAP_SYS_MODULE.
  .
  Improve Entropy Collection
  .

From 9b767139ef82279e00d86f7f1e1e8bf73d795651 Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Fri, 14 Feb 2020 18:52:01 +0000
Subject: [PATCH 5/6] Avoid holes in IOMMU

---
 etc/default/grub.d/40_enable_iommu.cfg | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/etc/default/grub.d/40_enable_iommu.cfg b/etc/default/grub.d/40_enable_iommu.cfg
index 1d6dd0a..6e49d49 100644
--- a/etc/default/grub.d/40_enable_iommu.cfg
+++ b/etc/default/grub.d/40_enable_iommu.cfg
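Review bot: dev.tty.ldisc_autoload is a comparatively new knob (it landed upstream in Linux 5.1; I am not certain which stable series carry the backport), so on an older kernel the sysctl loader will report this key as missing every time the fragment is applied; a comment such as `## Needs a kernel with dev.tty.ldisc_autoload (Linux 5.1+); older kernels report the key as missing.` would spare operators a confusing error. The new lines are also appended after the `#### meta end` marker that currently closes the file; if those `#### meta` markers delimit sections that tooling or documentation relies on, the setting probably belongs with the other kernel hardening keys earlier in the file rather than after the closing marker.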
@@ -3,3 +3,10 @@
 
 ## Enables IOMMU to prevent DMA attacks.
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on amd_iommu=on"
+
+## Disable the busmaster bit on all PCI bridges during very
+## early boot to avoid holes in IOMMU.
+##
+## https://mjg59.dreamwidth.org/54433.html
+## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma"

From 31009f0bfa10e7b67f5823a5be92273e5414fff3 Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Fri, 14 Feb 2020 23:46:19 +0000
Subject: [PATCH 6/6] Shred System.map files

---
 usr/lib/security-misc/remove-system.map | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/usr/lib/security-misc/remove-system.map b/usr/lib/security-misc/remove-system.map
index c99b286..7e7f787 100755
--- a/usr/lib/security-misc/remove-system.map
+++ b/usr/lib/security-misc/remove-system.map
@@ -26,7 +26,7 @@ fi
 ## Removes the System.map files as they are only used for debugging or malware.
 for filename in ${system_map_location} ; do
  if [ -f "$(unknown)" ]; then
- rm --verbose --force "$(unknown)"
+ shred --verbose --force --zero -u "$(unknown)"
  fi
 done
 
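Review bot: `efi=disable_early_pci_dma` is interpreted by the EFI boot stub, so the comment's "during very early boot" should say that it only takes effect on UEFI boots and has no effect on a legacy BIOS boot, e.g. `## Only effective when booting through the EFI stub; no effect on BIOS boot.` The linked kernel commit is recent relative to distribution kernels (5.6 as far as I recall), and the option's kernel help text warns that clearing bus mastering on bridges can keep some systems from booting, so the comment should name both caveats and the package should document how an operator drops the option when it breaks boot. Adding it as a second `GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ..."` line is fine for grub.d, since each line re-expands the previous value.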
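Review bot: Swapping rm for shred buys nothing here and suggests a guarantee the script cannot give: System.map is not secret (every install of the same kernel package carries an identical symbol table, and the addresses can be regenerated from the installed kernel image), and shred's own documentation says overwriting in place is unreliable on journaling, copy-on-write and flash-backed storage. If shred stays, state that it is best-effort in the comment above the loop, e.g. `## shred is best-effort only: in-place overwrite is not reliable on journaling/CoW/flash storage.`; otherwise keep the removed `rm --verbose --force` line. Separately, `[ -f ]` is true for a symlink to a regular file and shred follows the link and overwrites the target, so `if [ -f "$filename" ] && [ ! -L "$filename" ]; then` would be safer if the glob in `system_map_location` could ever match a link. The loop variable shows as `$(unknown)` on this page, presumably an extraction artifact for `$filename`; worth confirming in the committed file.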