mirror of
https://github.com/Kicksecure/security-misc.git
synced 2024-12-25 18:09:24 -05:00
Merge remote-tracking branch 'origin/master'
This commit is contained in:
commit
cce35e5109
6
debian/control
vendored
6
debian/control
vendored
@ -48,7 +48,9 @@ Description: enhances misc security settings
|
|||||||
attacks and enabling reverse path filtering to prevent IP spoofing and
|
attacks and enabling reverse path filtering to prevent IP spoofing and
|
||||||
mitigate vulnerabilities such as CVE-2019-14899.
|
mitigate vulnerabilities such as CVE-2019-14899.
|
||||||
.
|
.
|
||||||
* Some data spoofing attacks are made harder.
|
* Avoids unintentional writes to attacker-controlled files.
|
||||||
|
.
|
||||||
|
* Prevents symlink/hardlink TOCTOU races.
|
||||||
.
|
.
|
||||||
* SACK can be disabled as it is commonly exploited and is rarely used by
|
* SACK can be disabled as it is commonly exploited and is rarely used by
|
||||||
uncommenting settings in file /etc/sysctl.d/30_security-misc.conf.
|
uncommenting settings in file /etc/sysctl.d/30_security-misc.conf.
|
||||||
@ -117,6 +119,8 @@ Description: enhances misc security settings
|
|||||||
.
|
.
|
||||||
* The kernel panics on oopses to prevent it from continuing to run a flawed
|
* The kernel panics on oopses to prevent it from continuing to run a flawed
|
||||||
process and to deter brute forcing.
|
process and to deter brute forcing.
|
||||||
|
.
|
||||||
|
* Restricts loading line disciplines to CAP_SYS_MODULE.
|
||||||
.
|
.
|
||||||
Improve Entropy Collection
|
Improve Entropy Collection
|
||||||
.
|
.
|
||||||
|
@ -3,3 +3,10 @@
|
|||||||
|
|
||||||
## Enables IOMMU to prevent DMA attacks.
|
## Enables IOMMU to prevent DMA attacks.
|
||||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on amd_iommu=on"
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on amd_iommu=on"
|
||||||
|
|
||||||
|
## Disable the busmaster bit on all PCI bridges during very
|
||||||
|
## early boot to avoid holes in IOMMU.
|
||||||
|
##
|
||||||
|
## https://mjg59.dreamwidth.org/54433.html
|
||||||
|
## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94
|
||||||
|
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma"
|
||||||
|
@ -5,21 +5,31 @@
|
|||||||
## security-misc also disables coredumps in other ways.
|
## security-misc also disables coredumps in other ways.
|
||||||
kernel.core_pattern=|/bin/false
|
kernel.core_pattern=|/bin/false
|
||||||
|
|
||||||
|
|
||||||
## Restricts the kernel log to root only.
|
## Restricts the kernel log to root only.
|
||||||
kernel.dmesg_restrict=1
|
kernel.dmesg_restrict=1
|
||||||
|
|
||||||
|
## Don't allow writes to files that we don't own
|
||||||
## Makes some data spoofing attacks harder.
|
## in world writable sticky directories, unless
|
||||||
|
## they are owned by the owner of the directory.
|
||||||
fs.protected_fifos=2
|
fs.protected_fifos=2
|
||||||
fs.protected_regular=2
|
fs.protected_regular=2
|
||||||
|
|
||||||
|
## Only allow symlinks to be followed when outside of
|
||||||
|
## a world-writable sticky directory, or when the owner
|
||||||
|
## of the symlink and follower match, or when the directory
|
||||||
|
## owner matches the symlink's owner.
|
||||||
|
##
|
||||||
|
## Prevent hardlinks from being created by users that do not
|
||||||
|
## have read/write access to the source file.
|
||||||
|
##
|
||||||
|
## These prevent many TOCTOU races.
|
||||||
|
fs.protected_symlinks=1
|
||||||
|
fs.protected_hardlinks=1
|
||||||
|
|
||||||
## Hardens the BPF JIT compiler and restricts it to root.
|
## Hardens the BPF JIT compiler and restricts it to root.
|
||||||
kernel.unprivileged_bpf_disabled=1
|
kernel.unprivileged_bpf_disabled=1
|
||||||
net.core.bpf_jit_harden=2
|
net.core.bpf_jit_harden=2
|
||||||
|
|
||||||
|
|
||||||
## Quote https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html
|
## Quote https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html
|
||||||
##
|
##
|
||||||
## kexec_load_disabled:
|
## kexec_load_disabled:
|
||||||
@ -29,19 +39,16 @@ net.core.bpf_jit_harden=2
|
|||||||
## Disables kexec which can be used to replace the running kernel.
|
## Disables kexec which can be used to replace the running kernel.
|
||||||
kernel.kexec_load_disabled=1
|
kernel.kexec_load_disabled=1
|
||||||
|
|
||||||
|
|
||||||
## Hides kernel addresses in various files in /proc.
|
## Hides kernel addresses in various files in /proc.
|
||||||
## Kernel addresses can be very useful in certain exploits.
|
## Kernel addresses can be very useful in certain exploits.
|
||||||
##
|
##
|
||||||
## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
|
## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
|
||||||
kernel.kptr_restrict=2
|
kernel.kptr_restrict=2
|
||||||
|
|
||||||
|
|
||||||
## Improves ASLR effectiveness for mmap.
|
## Improves ASLR effectiveness for mmap.
|
||||||
vm.mmap_rnd_bits=32
|
vm.mmap_rnd_bits=32
|
||||||
vm.mmap_rnd_compat_bits=16
|
vm.mmap_rnd_compat_bits=16
|
||||||
|
|
||||||
|
|
||||||
## Restricts the use of ptrace to root. This might break some programs running under WINE.
|
## Restricts the use of ptrace to root. This might break some programs running under WINE.
|
||||||
## A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. This can be done by running:
|
## A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. This can be done by running:
|
||||||
##
|
##
|
||||||
@ -50,7 +57,6 @@ vm.mmap_rnd_compat_bits=16
|
|||||||
## sudo setcap cap_sys_ptrace=eip /usr/bin/wine-preloader
|
## sudo setcap cap_sys_ptrace=eip /usr/bin/wine-preloader
|
||||||
kernel.yama.ptrace_scope=2
|
kernel.yama.ptrace_scope=2
|
||||||
|
|
||||||
|
|
||||||
## Prevent setuid processes from creating coredumps.
|
## Prevent setuid processes from creating coredumps.
|
||||||
fs.suid_dumpable=0
|
fs.suid_dumpable=0
|
||||||
|
|
||||||
@ -112,3 +118,8 @@ net.ipv4.conf.all.rp_filter=1
|
|||||||
net.ipv4.tcp_timestamps=0
|
net.ipv4.tcp_timestamps=0
|
||||||
|
|
||||||
#### meta end
|
#### meta end
|
||||||
|
|
||||||
|
## Restrict loading line disciplines to CAP_SYS_MODULE to prevent
|
||||||
|
## unprivileged attackers from loading vulnerable line disciplines
|
||||||
|
## with the TIOCSETD ioctl to exploit them.
|
||||||
|
dev.tty.ldisc_autoload=0
|
||||||
|
@ -26,7 +26,7 @@ fi
|
|||||||
## Removes the System.map files as they are only used for debugging or malware.
|
## Removes the System.map files as they are only used for debugging or malware.
|
||||||
for filename in ${system_map_location} ; do
|
for filename in ${system_map_location} ; do
|
||||||
if [ -f "${filename}" ]; then
|
if [ -f "${filename}" ]; then
|
||||||
rm --verbose --force "${filename}"
|
shred --verbose --force --zero -u "${filename}"
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user