From d04d4bf0950b60b8e5bf51b2303bbecdbc5fe326 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 25 Feb 2020 02:08:10 -0500 Subject: [PATCH] description --- README.md | 138 ++++++++++++++++++++++++++++-------------------------- 1 file changed, 71 insertions(+), 67 deletions(-) diff --git a/README.md b/README.md index 5b4ff90..4b78da9 100644 --- a/README.md +++ b/README.md @@ -13,13 +13,13 @@ kernel hardening: Netfilter's connection tracking helper module increases kernel attack surface by enabling superfluous functionality such as IRC parsing in the kernel. (!) Hence, this package disables this feature by shipping the -/etc/modprobe.d/30_nf_conntrack_helper_disable.conf configuration file. +`/etc/modprobe.d/30_security-misc.conf` configuration file. -* Kernel symbols in various files in /proc are hidden as they can be +* Kernel symbols in various files in `/proc` are hidden as they can be very useful for kernel exploits. * Kexec is disabled as it can be used to load a malicious kernel. -/etc/sysctl.d/30_security-misc.conf +`/etc/modprobe.d/30_security-misc.conf` * ASLR effectiveness for mmap is increased. @@ -35,7 +35,7 @@ mitigate vulnerabilities such as CVE-2019-14899. * Prevents symlink/hardlink TOCTOU races. * SACK can be disabled as it is commonly exploited and is rarely used by -uncommenting settings in file /etc/sysctl.d/30_security-misc.conf. +uncommenting settings in file `/etc/sysctl.d/30_security-misc.conf`. * Slab merging is disabled as sometimes a slab can be used in a vulnerable way which an attacker can exploit. @@ -54,15 +54,15 @@ KASLR effectiveness. * A systemd service clears System.map on boot as these contain kernel symbols that could be useful to an attacker. -/etc/kernel/postinst.d/30_remove-system-map -/lib/systemd/system/remove-system-map.service -/usr/lib/security-misc/remove-system.map +`/etc/kernel/postinst.d/30_remove-system-map` +`/lib/systemd/system/remove-system-map.service` +`/usr/lib/security-misc/remove-system.map` * Coredumps are disabled as they may contain important information such as encryption keys or passwords. -/etc/security/limits.d/30_security-misc.conf -/etc/sysctl.d/30_security-misc.conf -/lib/systemd/coredump.conf.d/30_security-misc.conf +`/etc/security/limits.d/30_security-misc.conf` +`/etc/sysctl.d/30_security-misc.conf` +`/lib/systemd/coredump.conf.d/30_security-misc.conf` * The thunderbolt and firewire kernel modules are blacklisted as they can be used for DMA (Direct Memory Access) attacks. @@ -72,17 +72,18 @@ used for DMA (Direct Memory Access) attacks. * Bluetooth is blacklisted to reduce attack surface. Bluetooth also has a history of security concerns. https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns +`/etc/modprobe.d/30_security-misc.conf` -* A systemd service restricts /proc/cpuinfo, /proc/bus, /proc/scsi and -/sys to the root user only. This hides a lot of hardware identifiers from -unprivileged users and increases security as /sys exposes a lot of information +* A systemd service restricts `/proc/cpuinfo`, `/proc/bus`, `/proc/scsi` and +`/sys` to the root user only. This hides a lot of hardware identifiers from +unprivileged users and increases security as `/sys` exposes a lot of information that shouldn't be accessible to unprivileged users. As this will break many things, it is disabled by default and can optionally be enabled by running `systemctl enable hide-hardware-info.service` as root. -/usr/lib/security-misc/hide-hardware-info -/lib/systemd/system/hide-hardware-info.service -/lib/systemd/system/user@.service.d/sysfs.conf -/etc/hide-hardware-info.d/30_default.conf +`/usr/lib/security-misc/hide-hardware-info` +`/lib/systemd/system/hide-hardware-info.service` +`/lib/systemd/system/user@.service.d/sysfs.conf` +`/etc/hide-hardware-info.d/30_default.conf` * The MSR kernel module is blacklisted to prevent CPU MSRs from being abused to write to arbitrary memory. @@ -95,8 +96,8 @@ a target for ROP. * The vivid kernel module is blacklisted as it's only required for testing and has been the cause of multiple vulnerabilities. -* An initramfs hook sets the sysctl values in /etc/sysctl.conf and -/etc/sysctl.d before init is executed so sysctl hardening is enabled +* An initramfs hook sets the sysctl values in `/etc/sysctl.conf` and +`/etc/sysctl.d` before init is executed so sysctl hardening is enabled as early as possible. * The kernel panics on oopses to prevent it from continuing to run a flawed @@ -105,23 +106,25 @@ process and to deter brute forcing. * Restricts the SysRq key so it can only be used for shutdowns and the Secure Attention Key. -* Restricts loading line disciplines to CAP_SYS_MODULE. +* Restricts loading line disciplines to `CAP_SYS_MODULE`. Improve Entropy Collection -* Load jitterentropy_rng kernel module. -/usr/lib/modules-load.d/30_security-misc.conf +* Load `jitterentropy_rng` kernel module. +`/usr/lib/modules-load.d/30_security-misc.conf` * Distrusts the CPU for initial entropy at boot as it is not possible to audit, may contain weaknesses or a backdoor. * https://en.wikipedia.org/wiki/RDRAND#Reception * https://twitter.com/pid_eins/status/1149649806056280069 * For more references, see: -* /etc/default/grub.d/40_distrust_cpu.cfg +* `/etc/default/grub.d/40_distrust_cpu.cfg` + +* Gathers more entropy during boot if using the linux-hardened kernel patch. Uncommon network protocols are blacklisted: These are rarely used and may have unknown vulnerabilities. -/etc/modprobe.d/uncommon-network-protocols.conf +`/etc/modprobe.d/30_security-misc.conf` The network protocols that are blacklisted are: * DCCP - Datagram Congestion Control Protocol @@ -144,16 +147,17 @@ The network protocols that are blacklisted are: user restrictions: -* remount /home, /tmp, /dev/shm and /run with nosuid,nodev (default) and -noexec (opt-in). To disable this, run "sudo touch /etc/remount-disable". To -opt-in noexec, run "sudo touch /etc/noexec" and reboot (easiest). -Alternatively file /usr/local/etc/remount-disable or file -/usr/local/etc/noexec could be used. -/lib/systemd/system/remount-secure.service -/usr/lib/security-misc/remount-secure +* remount `/home`, `/tmp`, `/dev/shm` and `/run` with `nosuid,nodev` +(default) and `noexec` (opt-in). To disable this, run +`sudo touch /etc/remount-disable`. To opt-in `noexec`, run +`sudo touch /etc/noexec` and reboot (easiest). +Alternatively file `/usr/local/etc/remount-disable` or file +`/usr/local/etc/noexec` could be used. +`/lib/systemd/system/remount-secure.service` +`/usr/lib/security-misc/remount-secure` -* A systemd service mounts /proc with hidepid=2 at boot to prevent users from -seeing each other's processes. +* A systemd service mounts `/proc` with `hidepid=2` at boot to prevent users +from seeing each other's processes. * The kernel logs are restricted to root only. @@ -165,35 +169,35 @@ restricts access to the root account: * `su` is restricted to only users within the group `sudo` which prevents users from using `su` to gain root access or to switch user accounts. -/usr/share/pam-configs/wheel-security-misc +`/usr/share/pam-configs/wheel-security-misc` (Which results in a change in file `/etc/pam.d/common-auth`.) * Add user `root` to group `sudo`. This is required to make above work so login as a user in a virtual console is still possible. -debian/security-misc.postinst +`debian/security-misc.postinst` * Abort login for users with locked passwords. -/usr/lib/security-misc/pam-abort-on-locked-password +`/usr/lib/security-misc/pam-abort-on-locked-password` * Logging into the root account from a virtual, serial, whatnot console is -prevented by shipping an existing and empty /etc/securetty. -(Deletion of /etc/securetty has a different effect.) -/etc/securetty.security-misc +prevented by shipping an existing and empty `/etc/securetty`. +(Deletion of `/etc/securetty` has a different effect.) +`/etc/securetty.security-misc` * Console Lockdown. Allow members of group 'console' to use console. Everyone else except members of group 'console-unrestricted' are restricted from using console using ancient, -unpopular login methods such as using /bin/login over networks, which might +unpopular login methods such as using `/bin/login` over networks, which might be exploitable. (CVE-2001-0797) Using pam_access. Not enabled by default in this package since this package does not know which users shall be added to group 'console' and would break console. -/usr/share/pam-configs/console-lockdown-security-misc -/etc/security/access-security-misc.conf +`/usr/share/pam-configs/console-lockdown-security-misc` +`/etc/security/access-security-misc.conf` Protect Linux user accounts against brute force attacks. -Lock user accounts after 50 failed login attempts using pam_tally2. -/usr/share/pam-configs/tally2-security-misc +Lock user accounts after 50 failed login attempts using `pam_tally2`. +`/usr/share/pam-configs/tally2-security-misc` informational output during Linux PAM: @@ -201,25 +205,25 @@ informational output during Linux PAM: * Document unlock procedure if Linux user account got locked. * Point out, that there is no password feedback for `su`. * Explain locked (root) account if locked. -* /usr/share/pam-configs/tally2-security-misc -* /usr/lib/security-misc/pam_tally2-info -* /usr/lib/security-misc/pam-abort-on-locked-password +* `/usr/share/pam-configs/tally2-security-misc` +* `/usr/lib/security-misc/pam_tally2-info` +* `/usr/lib/security-misc/pam-abort-on-locked-password` access rights restrictions: * Strong Linux User Account Separation. Removes read, write and execute access for others for all users who have -home folders under folder /home by running for example +home folders under folder `/home` by running for example "chmod o-rwx /home/user" -during package installation, upgrade or pam mkhomedir. This will be done only -once per -folder in folder /home so users who wish to relax file permissions are free to +during package installation, upgrade or pam `mkhomedir`. This will be done +only once per folder in folder `/home` so users who wish to relax file +permissions are free to do so. This is to protect previously created files in user home folder which were previously created with lax file permissions prior installation of this package. -debian/security-misc.postinst -/usr/lib/security-misc/permission-lockdown -/usr/share/pam-configs/mkhomedir-security-misc +`debian/security-misc.postinst` +`/usr/lib/security-misc/permission-lockdown` +`/usr/share/pam-configs/mkhomedir-security-misc` * SUID / GUID removal and permission hardening. A systemd service removed SUID / GUID from non-essential binaries as these are @@ -227,17 +231,17 @@ often used in privilege escalation attacks. It is disabled by default for now during testing and can optionally be enabled by running `systemctl enable permission-hardening.service` as root. https://forums.whonix.org/t/disable-suid-binaries/7706 -/usr/lib/security-misc/permission-hardening -/lib/systemd/system/permission-hardening.service -/etc/permission-hardening.d/30_default.conf +`/usr/lib/security-misc/permission-hardening` +`/lib/systemd/system/permission-hardening.service` +`/etc/permission-hardening.d/30_default.conf` access rights relaxations: -Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with -hidepid. +Redirect calls for `pkexec` to `lxqt-sudo` because `pkexec` is incompatible +with `hidepid`. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040 https://forums.whonix.org/t/cannot-use-pkexec/8129 -/usr/bin/pkexec.security-misc +`/usr/bin/pkexec.security-misc` This package does (not yet) automatically lock the root account password. It is not clear that would be sane in such a package. @@ -248,14 +252,14 @@ https://www.whonix.org/wiki/Root https://www.whonix.org/wiki/Dev/Permissions https://forums.whonix.org/t/restrict-root-access/7658 However, a locked root password will break rescue and emergency shell. -Therefore this package enables passwordless resuce and emergency shell. -This is the same solution that Debian will likely addapt for Debian +Therefore this package enables passwordless rescue and emergency shell. +This is the same solution that Debian will likely adapt for Debian installer. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211 Adverse security effects can be prevented by setting up BIOS password protection, grub password protection and/or full disk encryption. -/etc/systemd/system/emergency.service.d/override.conf -/etc/systemd/system/rescue.service.d/override.conf +`/etc/systemd/system/emergency.service.d/override.conf` +`/etc/systemd/system/rescue.service.d/override.conf` Disables TCP Time Stamps: @@ -272,7 +276,7 @@ also allow one to look for clocks that match an expected value to find the public IP used by a user. Hence, this package disables this feature by shipping the -/etc/sysctl.d/30_security-misc.conf configuration file. +`/etc/sysctl.d/30_security-misc.conf` configuration file. Note that TCP time stamps normally have some usefulness. They are needed for: @@ -290,10 +294,10 @@ of the user connection. Application specific hardening: -* Enables APT seccomp-BPF sandboxing. /etc/apt/apt.conf.d/40sandbox +* Enables APT seccomp-BPF sandboxing. `/etc/apt/apt.conf.d/40sandbox` * Deactivates previews in Dolphin. * Deactivates previews in Nautilus. -/usr/share/glib-2.0/schemas/30_security-misc.gschema.override +`/usr/share/glib-2.0/schemas/30_security-misc.gschema.override` * Deactivates thumbnails in Thunar. * Enables punycode (`network.IDN_show_punycode`) by default in Thunderbird to make phising attacks more difficult. Fixing URL not showing real Domain