description

README.md

@@ -13,13 +13,13 @@ kernel hardening:
 Netfilter's connection tracking helper module increases kernel attack
 surface by enabling superfluous functionality such as IRC parsing in
 the kernel. (!) Hence, this package disables this feature by shipping the
-/etc/modprobe.d/30_nf_conntrack_helper_disable.conf configuration file.
+`/etc/modprobe.d/30_security-misc.conf` configuration file.
 
-* Kernel symbols in various files in /proc are hidden as they can be
+* Kernel symbols in various files in `/proc` are hidden as they can be
 very useful for kernel exploits.
 
 * Kexec is disabled as it can be used to load a malicious kernel.
-/etc/sysctl.d/30_security-misc.conf
+`/etc/modprobe.d/30_security-misc.conf`
 
 * ASLR effectiveness for mmap is increased.
 
@@ -35,7 +35,7 @@ mitigate vulnerabilities such as CVE-2019-14899.
 * Prevents symlink/hardlink TOCTOU races.
 
 * SACK can be disabled as it is commonly exploited and is rarely used by
-uncommenting settings in file /etc/sysctl.d/30_security-misc.conf.
+uncommenting settings in file `/etc/sysctl.d/30_security-misc.conf`.
 
 * Slab merging is disabled as sometimes a slab can be used in a vulnerable
 way which an attacker can exploit.
@@ -54,15 +54,15 @@ KASLR effectiveness.
 
 * A systemd service clears System.map on boot as these contain kernel symbols
 that could be useful to an attacker.
-/etc/kernel/postinst.d/30_remove-system-map
-/lib/systemd/system/remove-system-map.service
-/usr/lib/security-misc/remove-system.map
+`/etc/kernel/postinst.d/30_remove-system-map`
+`/lib/systemd/system/remove-system-map.service`
+`/usr/lib/security-misc/remove-system.map`
 
 * Coredumps are disabled as they may contain important information such as
 encryption keys or passwords.
-/etc/security/limits.d/30_security-misc.conf
-/etc/sysctl.d/30_security-misc.conf
-/lib/systemd/coredump.conf.d/30_security-misc.conf
+`/etc/security/limits.d/30_security-misc.conf`
+`/etc/sysctl.d/30_security-misc.conf`
+`/lib/systemd/coredump.conf.d/30_security-misc.conf`
 
 * The thunderbolt and firewire kernel modules are blacklisted as they can be
 used for DMA (Direct Memory Access) attacks.
@@ -72,17 +72,18 @@ used for DMA (Direct Memory Access) attacks.
 * Bluetooth is blacklisted to reduce attack surface. Bluetooth also has
 a history of security concerns.
 https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
+`/etc/modprobe.d/30_security-misc.conf`
 
-* A systemd service restricts /proc/cpuinfo, /proc/bus, /proc/scsi and
-/sys to the root user only. This hides a lot of hardware identifiers from
-unprivileged users and increases security as /sys exposes a lot of information
+* A systemd service restricts `/proc/cpuinfo`, `/proc/bus`, `/proc/scsi` and
+`/sys` to the root user only. This hides a lot of hardware identifiers from
+unprivileged users and increases security as `/sys` exposes a lot of information
 that shouldn't be accessible to unprivileged users. As this will break many
 things, it is disabled by default and can optionally be enabled by running
 `systemctl enable hide-hardware-info.service` as root.
-/usr/lib/security-misc/hide-hardware-info
-/lib/systemd/system/hide-hardware-info.service
-/lib/systemd/system/user@.service.d/sysfs.conf
-/etc/hide-hardware-info.d/30_default.conf
+`/usr/lib/security-misc/hide-hardware-info`
+`/lib/systemd/system/hide-hardware-info.service`
+`/lib/systemd/system/user@.service.d/sysfs.conf`
+`/etc/hide-hardware-info.d/30_default.conf`
 
 * The MSR kernel module is blacklisted to prevent CPU MSRs from being
 abused to write to arbitrary memory.
@@ -95,8 +96,8 @@ a target for ROP.
 * The vivid kernel module is blacklisted as it's only required for testing
 and has been the cause of multiple vulnerabilities.
 
-* An initramfs hook sets the sysctl values in /etc/sysctl.conf and
-/etc/sysctl.d before init is executed so sysctl hardening is enabled
+* An initramfs hook sets the sysctl values in `/etc/sysctl.conf` and
+`/etc/sysctl.d` before init is executed so sysctl hardening is enabled
 as early as possible.
 
 * The kernel panics on oopses to prevent it from continuing to run a flawed
@@ -105,23 +106,25 @@ process and to deter brute forcing.
 * Restricts the SysRq key so it can only be used for shutdowns and the
 Secure Attention Key.
 
-* Restricts loading line disciplines to CAP_SYS_MODULE.
+* Restricts loading line disciplines to `CAP_SYS_MODULE`.
 
 Improve Entropy Collection
 
-* Load jitterentropy_rng kernel module.
-/usr/lib/modules-load.d/30_security-misc.conf
+* Load `jitterentropy_rng` kernel module.
+`/usr/lib/modules-load.d/30_security-misc.conf`
 
 * Distrusts the CPU for initial entropy at boot as it is not possible to
 audit, may contain weaknesses or a backdoor.
 * https://en.wikipedia.org/wiki/RDRAND#Reception
 * https://twitter.com/pid_eins/status/1149649806056280069
 * For more references, see:
-* /etc/default/grub.d/40_distrust_cpu.cfg
+* `/etc/default/grub.d/40_distrust_cpu.cfg`
+
+* Gathers more entropy during boot if using the linux-hardened kernel patch.
 
 Uncommon network protocols are blacklisted:
 These are rarely used and may have unknown vulnerabilities.
-/etc/modprobe.d/uncommon-network-protocols.conf
+`/etc/modprobe.d/30_security-misc.conf`
 The network protocols that are blacklisted are:
 
 * DCCP - Datagram Congestion Control Protocol
@@ -144,16 +147,17 @@ The network protocols that are blacklisted are:
 
 user restrictions:
 
-* remount /home, /tmp, /dev/shm and /run with nosuid,nodev (default) and
-noexec (opt-in). To disable this, run "sudo touch /etc/remount-disable". To
-opt-in noexec, run "sudo touch /etc/noexec" and reboot (easiest).
-Alternatively file /usr/local/etc/remount-disable or file
-/usr/local/etc/noexec could be used.
-/lib/systemd/system/remount-secure.service
-/usr/lib/security-misc/remount-secure
+* remount `/home`, `/tmp`, `/dev/shm` and `/run` with `nosuid,nodev`
+(default) and `noexec` (opt-in). To disable this, run
+`sudo touch /etc/remount-disable`. To opt-in `noexec`, run
+`sudo touch /etc/noexec` and reboot (easiest).
+Alternatively file `/usr/local/etc/remount-disable` or file
+`/usr/local/etc/noexec` could be used.
+`/lib/systemd/system/remount-secure.service`
+`/usr/lib/security-misc/remount-secure`
 
-* A systemd service mounts /proc with hidepid=2 at boot to prevent users from
-seeing each other's processes.
+* A systemd service mounts `/proc` with `hidepid=2` at boot to prevent users
+from seeing each other's processes.
 
 * The kernel logs are restricted to root only.
 
@@ -165,35 +169,35 @@ restricts access to the root account:
 
 * `su` is restricted to only users within the group `sudo` which prevents
 users from using `su` to gain root access or to switch user accounts.
-/usr/share/pam-configs/wheel-security-misc
+`/usr/share/pam-configs/wheel-security-misc`
 (Which results in a change in file `/etc/pam.d/common-auth`.)
 
 * Add user `root` to group `sudo`. This is required to make above work so
 login as a user in a virtual console is still possible.
-debian/security-misc.postinst
+`debian/security-misc.postinst`
 
 * Abort login for users with locked passwords.
-/usr/lib/security-misc/pam-abort-on-locked-password
+`/usr/lib/security-misc/pam-abort-on-locked-password`
 
 * Logging into the root account from a virtual, serial, whatnot console is
-prevented by shipping an existing and empty /etc/securetty.
-(Deletion of /etc/securetty has a different effect.)
-/etc/securetty.security-misc
+prevented by shipping an existing and empty `/etc/securetty`.
+(Deletion of `/etc/securetty` has a different effect.)
+`/etc/securetty.security-misc`
 
 * Console Lockdown.
 Allow members of group 'console' to use console.
 Everyone else except members of group
 'console-unrestricted' are restricted from using console using ancient,
-unpopular login methods such as using /bin/login over networks, which might
+unpopular login methods such as using `/bin/login` over networks, which might
 be exploitable. (CVE-2001-0797) Using pam_access.
 Not enabled by default in this package since this package does not know which
 users shall be added to group 'console' and would break console.
-/usr/share/pam-configs/console-lockdown-security-misc
-/etc/security/access-security-misc.conf
+`/usr/share/pam-configs/console-lockdown-security-misc`
+`/etc/security/access-security-misc.conf`
 
 Protect Linux user accounts against brute force attacks.
-Lock user accounts after 50 failed login attempts using pam_tally2.
-/usr/share/pam-configs/tally2-security-misc
+Lock user accounts after 50 failed login attempts using `pam_tally2`.
+`/usr/share/pam-configs/tally2-security-misc`
 
 informational output during Linux PAM:
 
@@ -201,25 +205,25 @@ informational output during Linux PAM:
 * Document unlock procedure if Linux user account got locked.
 * Point out, that there is no password feedback for `su`.
 * Explain locked (root) account if locked.
-* /usr/share/pam-configs/tally2-security-misc
-* /usr/lib/security-misc/pam_tally2-info
-* /usr/lib/security-misc/pam-abort-on-locked-password
+* `/usr/share/pam-configs/tally2-security-misc`
+* `/usr/lib/security-misc/pam_tally2-info`
+* `/usr/lib/security-misc/pam-abort-on-locked-password`
 
 access rights restrictions:
 
 * Strong Linux User Account Separation.
 Removes read, write and execute access for others for all users who have
-home folders under folder /home by running for example
+home folders under folder `/home` by running for example
 "chmod o-rwx /home/user"
-during package installation, upgrade or pam mkhomedir. This will be done only
-once per
-folder in folder /home so users who wish to relax file permissions are free to
+during package installation, upgrade or pam `mkhomedir`. This will be done
+only once per folder in folder `/home` so users who wish to relax file
+permissions are free to
 do so. This is to protect previously created files in user home folder which
 were previously created with lax file permissions prior installation of this
 package.
-debian/security-misc.postinst
-/usr/lib/security-misc/permission-lockdown
-/usr/share/pam-configs/mkhomedir-security-misc
+`debian/security-misc.postinst`
+`/usr/lib/security-misc/permission-lockdown`
+`/usr/share/pam-configs/mkhomedir-security-misc`
 
 * SUID / GUID removal and permission hardening.
 A systemd service removed SUID / GUID from non-essential binaries as these are
@@ -227,17 +231,17 @@ often used in privilege escalation attacks.
 It is disabled by default for now during testing and can optionally be enabled
 by running `systemctl enable permission-hardening.service` as root.
 https://forums.whonix.org/t/disable-suid-binaries/7706
-/usr/lib/security-misc/permission-hardening
-/lib/systemd/system/permission-hardening.service
-/etc/permission-hardening.d/30_default.conf
+`/usr/lib/security-misc/permission-hardening`
+`/lib/systemd/system/permission-hardening.service`
+`/etc/permission-hardening.d/30_default.conf`
 
 access rights relaxations:
 
-Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with
-hidepid.
+Redirect calls for `pkexec` to `lxqt-sudo` because `pkexec` is incompatible
+with `hidepid`.
 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040
 https://forums.whonix.org/t/cannot-use-pkexec/8129
-/usr/bin/pkexec.security-misc
+`/usr/bin/pkexec.security-misc`
 
 This package does (not yet) automatically lock the root account password.
 It is not clear that would be sane in such a package.
@@ -248,14 +252,14 @@ https://www.whonix.org/wiki/Root
 https://www.whonix.org/wiki/Dev/Permissions
 https://forums.whonix.org/t/restrict-root-access/7658
 However, a locked root password will break rescue and emergency shell.
-Therefore this package enables passwordless resuce and emergency shell.
-This is the same solution that Debian will likely addapt for Debian
+Therefore this package enables passwordless rescue and emergency shell.
+This is the same solution that Debian will likely adapt for Debian
 installer.
 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211
 Adverse security effects can be prevented by setting up BIOS password
 protection, grub password protection and/or full disk encryption.
-/etc/systemd/system/emergency.service.d/override.conf
-/etc/systemd/system/rescue.service.d/override.conf
+`/etc/systemd/system/emergency.service.d/override.conf`
+`/etc/systemd/system/rescue.service.d/override.conf`
 
 Disables TCP Time Stamps:
 
@@ -272,7 +276,7 @@ also allow one to look for clocks that match an expected value to find the
 public IP used by a user.
 
 Hence, this package disables this feature by shipping the
-/etc/sysctl.d/30_security-misc.conf configuration file.
+`/etc/sysctl.d/30_security-misc.conf` configuration file.
 
 Note that TCP time stamps normally have some usefulness. They are
 needed for:
@@ -290,10 +294,10 @@ of the user connection.
 
 Application specific hardening:
 
-* Enables APT seccomp-BPF sandboxing. /etc/apt/apt.conf.d/40sandbox
+* Enables APT seccomp-BPF sandboxing. `/etc/apt/apt.conf.d/40sandbox`
 * Deactivates previews in Dolphin.
 * Deactivates previews in Nautilus.
-/usr/share/glib-2.0/schemas/30_security-misc.gschema.override
+`/usr/share/glib-2.0/schemas/30_security-misc.gschema.override`
 * Deactivates thumbnails in Thunar.
 * Enables punycode (`network.IDN_show_punycode`) by default in Thunderbird
 to make phising attacks more difficult. Fixing URL not showing real Domain