mirror of
https://github.com/Kicksecure/security-misc.git
synced 2025-06-08 14:22:42 -04:00
This commit is contained in:
parent
4043d2af3f
commit
d04d4bf095
1 changed files with 71 additions and 67 deletions
138
README.md
|
@ -13,13 +13,13 @@ kernel hardening:
|
||||||
Netfilter's connection tracking helper module increases kernel attack
|
Netfilter's connection tracking helper module increases kernel attack
|
||||||
surface by enabling superfluous functionality such as IRC parsing in
|
surface by enabling superfluous functionality such as IRC parsing in
|
||||||
the kernel. (!) Hence, this package disables this feature by shipping the
|
the kernel. (!) Hence, this package disables this feature by shipping the
|
||||||
/etc/modprobe.d/30_nf_conntrack_helper_disable.conf configuration file.
|
`/etc/modprobe.d/30_security-misc.conf` configuration file.
|
||||||
|
|
||||||
* Kernel symbols in various files in /proc are hidden as they can be
|
* Kernel symbols in various files in `/proc` are hidden as they can be
|
||||||
very useful for kernel exploits.
|
very useful for kernel exploits.
|
||||||
|
|
||||||
* Kexec is disabled as it can be used to load a malicious kernel.
|
* Kexec is disabled as it can be used to load a malicious kernel.
|
||||||
/etc/sysctl.d/30_security-misc.conf
|
`/etc/modprobe.d/30_security-misc.conf`
|
||||||
|
|
||||||
* ASLR effectiveness for mmap is increased.
|
* ASLR effectiveness for mmap is increased.
|
||||||
|
|
||||||
|
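Review bot: the Kexec entry's file reference changes from `/etc/sysctl.d/30_security-misc.conf` to `/etc/modprobe.d/30_security-misc.conf`, in a hunk that otherwise only adds backticks and consolidates the conntrack helper file. Kexec is disabled through the `kernel.kexec_load_disabled` sysctl, not through a modprobe option, so this looks like a copy error from the conntrack line above; keep the sysctl path (with backticks) unless the setting really moved. The conntrack helper consolidation itself is fine, but since `30_nf_conntrack_helper_disable.conf` disappears from the README, confirm the package also removes or transitions the old file on upgrade so both are not left installed.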
@ -35,7 +35,7 @@ mitigate vulnerabilities such as CVE-2019-14899.
|
||||||
* Prevents symlink/hardlink TOCTOU races.
|
* Prevents symlink/hardlink TOCTOU races.
|
||||||
|
|
||||||
* SACK can be disabled as it is commonly exploited and is rarely used by
|
* SACK can be disabled as it is commonly exploited and is rarely used by
|
||||||
uncommenting settings in file /etc/sysctl.d/30_security-misc.conf.
|
uncommenting settings in file `/etc/sysctl.d/30_security-misc.conf`.
|
||||||
|
|
||||||
* Slab merging is disabled as sometimes a slab can be used in a vulnerable
|
* Slab merging is disabled as sometimes a slab can be used in a vulnerable
|
||||||
way which an attacker can exploit.
|
way which an attacker can exploit.
|
||||||
|
@ -54,15 +54,15 @@ KASLR effectiveness.
|
||||||
|
|
||||||
* A systemd service clears System.map on boot as these contain kernel symbols
|
* A systemd service clears System.map on boot as these contain kernel symbols
|
||||||
that could be useful to an attacker.
|
that could be useful to an attacker.
|
||||||
/etc/kernel/postinst.d/30_remove-system-map
|
`/etc/kernel/postinst.d/30_remove-system-map`
|
||||||
/lib/systemd/system/remove-system-map.service
|
`/lib/systemd/system/remove-system-map.service`
|
||||||
/usr/lib/security-misc/remove-system.map
|
`/usr/lib/security-misc/remove-system.map`
|
||||||
|
|
||||||
* Coredumps are disabled as they may contain important information such as
|
* Coredumps are disabled as they may contain important information such as
|
||||||
encryption keys or passwords.
|
encryption keys or passwords.
|
||||||
/etc/security/limits.d/30_security-misc.conf
|
`/etc/security/limits.d/30_security-misc.conf`
|
||||||
/etc/sysctl.d/30_security-misc.conf
|
`/etc/sysctl.d/30_security-misc.conf`
|
||||||
/lib/systemd/coredump.conf.d/30_security-misc.conf
|
`/lib/systemd/coredump.conf.d/30_security-misc.conf`
|
||||||
|
|
||||||
* The thunderbolt and firewire kernel modules are blacklisted as they can be
|
* The thunderbolt and firewire kernel modules are blacklisted as they can be
|
||||||
used for DMA (Direct Memory Access) attacks.
|
used for DMA (Direct Memory Access) attacks.
|
||||||
|
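Review bot: the three paths under the System.map entry use two spellings of the same name: `remove-system-map` for the postinst hook and the unit, but `remove-system.map` (with a dot) for the script in `/usr/lib/security-misc/`. Since this commit touches every one of these lines anyway, verify the script's actual filename and make the three consistent, or state that the dot is intentional. Minor: `System.map` is itself a filename and would take backticks like the paths below it, and "as these contain" does not agree with the singular subject.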
@ -72,17 +72,18 @@ used for DMA (Direct Memory Access) attacks.
|
||||||
* Bluetooth is blacklisted to reduce attack surface. Bluetooth also has
|
* Bluetooth is blacklisted to reduce attack surface. Bluetooth also has
|
||||||
a history of security concerns.
|
a history of security concerns.
|
||||||
https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
|
https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
|
||||||
|
`/etc/modprobe.d/30_security-misc.conf`
|
||||||
|
|
||||||
* A systemd service restricts /proc/cpuinfo, /proc/bus, /proc/scsi and
|
* A systemd service restricts `/proc/cpuinfo`, `/proc/bus`, `/proc/scsi` and
|
||||||
/sys to the root user only. This hides a lot of hardware identifiers from
|
`/sys` to the root user only. This hides a lot of hardware identifiers from
|
||||||
unprivileged users and increases security as /sys exposes a lot of information
|
unprivileged users and increases security as `/sys` exposes a lot of information
|
||||||
that shouldn't be accessible to unprivileged users. As this will break many
|
that shouldn't be accessible to unprivileged users. As this will break many
|
||||||
things, it is disabled by default and can optionally be enabled by running
|
things, it is disabled by default and can optionally be enabled by running
|
||||||
`systemctl enable hide-hardware-info.service` as root.
|
`systemctl enable hide-hardware-info.service` as root.
|
||||||
/usr/lib/security-misc/hide-hardware-info
|
`/usr/lib/security-misc/hide-hardware-info`
|
||||||
/lib/systemd/system/hide-hardware-info.service
|
`/lib/systemd/system/hide-hardware-info.service`
|
||||||
/lib/systemd/system/user@.service.d/sysfs.conf
|
`/lib/systemd/system/user@.service.d/sysfs.conf`
|
||||||
/etc/hide-hardware-info.d/30_default.conf
|
`/etc/hide-hardware-info.d/30_default.conf`
|
||||||
|
|
||||||
* The MSR kernel module is blacklisted to prevent CPU MSRs from being
|
* The MSR kernel module is blacklisted to prevent CPU MSRs from being
|
||||||
abused to write to arbitrary memory.
|
abused to write to arbitrary memory.
|
||||||
|
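Review bot: the Bluetooth entry gains a `/etc/modprobe.d/30_security-misc.conf` reference, but the MSR entry at the end of this hunk (and the thunderbolt/firewire entry in the hunk above) describe the same kind of module blacklist without naming the file. Add the same reference there so a reader can find where each blacklist lives. In the hide-hardware-info entry, "hides a lot of hardware identifiers from unprivileged users and increases security as `/sys` exposes a lot of information that shouldn't be accessible to unprivileged users" says the same thing twice; one statement of what `/sys` exposes is enough.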
@ -95,8 +96,8 @@ a target for ROP.
|
||||||
* The vivid kernel module is blacklisted as it's only required for testing
|
* The vivid kernel module is blacklisted as it's only required for testing
|
||||||
and has been the cause of multiple vulnerabilities.
|
and has been the cause of multiple vulnerabilities.
|
||||||
|
|
||||||
* An initramfs hook sets the sysctl values in /etc/sysctl.conf and
|
* An initramfs hook sets the sysctl values in `/etc/sysctl.conf` and
|
||||||
/etc/sysctl.d before init is executed so sysctl hardening is enabled
|
`/etc/sysctl.d` before init is executed so sysctl hardening is enabled
|
||||||
as early as possible.
|
as early as possible.
|
||||||
|
|
||||||
* The kernel panics on oopses to prevent it from continuing to run a flawed
|
* The kernel panics on oopses to prevent it from continuing to run a flawed
|
||||||
|
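Review bot: the initramfs hook entry is the only one in this region that names no file; every other mechanism in the README points at its unit, script or config path. Add the hook's installed path so the claim "before init is executed" can be checked against the actual hook. The vivid entry could likewise point at the modprobe file it is blacklisted in.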
@ -105,23 +106,25 @@ process and to deter brute forcing.
|
||||||
* Restricts the SysRq key so it can only be used for shutdowns and the
|
* Restricts the SysRq key so it can only be used for shutdowns and the
|
||||||
Secure Attention Key.
|
Secure Attention Key.
|
||||||
|
|
||||||
* Restricts loading line disciplines to CAP_SYS_MODULE.
|
* Restricts loading line disciplines to `CAP_SYS_MODULE`.
|
||||||
|
|
||||||
Improve Entropy Collection
|
Improve Entropy Collection
|
||||||
|
|
||||||
* Load jitterentropy_rng kernel module.
|
* Load `jitterentropy_rng` kernel module.
|
||||||
/usr/lib/modules-load.d/30_security-misc.conf
|
`/usr/lib/modules-load.d/30_security-misc.conf`
|
||||||
|
|
||||||
* Distrusts the CPU for initial entropy at boot as it is not possible to
|
* Distrusts the CPU for initial entropy at boot as it is not possible to
|
||||||
audit, may contain weaknesses or a backdoor.
|
audit, may contain weaknesses or a backdoor.
|
||||||
* https://en.wikipedia.org/wiki/RDRAND#Reception
|
* https://en.wikipedia.org/wiki/RDRAND#Reception
|
||||||
* https://twitter.com/pid_eins/status/1149649806056280069
|
* https://twitter.com/pid_eins/status/1149649806056280069
|
||||||
* For more references, see:
|
* For more references, see:
|
||||||
* /etc/default/grub.d/40_distrust_cpu.cfg
|
* `/etc/default/grub.d/40_distrust_cpu.cfg`
|
||||||
|
|
||||||
|
* Gathers more entropy during boot if using the linux-hardened kernel patch.
|
||||||
|
|
||||||
Uncommon network protocols are blacklisted:
|
Uncommon network protocols are blacklisted:
|
||||||
These are rarely used and may have unknown vulnerabilities.
|
These are rarely used and may have unknown vulnerabilities.
|
||||||
/etc/modprobe.d/uncommon-network-protocols.conf
|
`/etc/modprobe.d/30_security-misc.conf`
|
||||||
The network protocols that are blacklisted are:
|
The network protocols that are blacklisted are:
|
||||||
|
|
||||||
* DCCP - Datagram Congestion Control Protocol
|
* DCCP - Datagram Congestion Control Protocol
|
||||||
|
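Review bot: the new bullet "Gathers more entropy during boot if using the linux-hardened kernel patch" names neither the setting nor the file that enables it, unlike the `jitterentropy_rng` and `40_distrust_cpu.cfg` entries beside it; add the config path and say what the behaviour depends on, since most readers will not be running linux-hardened. The uncommon network protocols file also moves from `/etc/modprobe.d/uncommon-network-protocols.conf` to `/etc/modprobe.d/30_security-misc.conf`, the same consolidation as the conntrack helper file in the first hunk, so the old file needs the same upgrade handling. Grammar: "as it is not possible to audit, may contain weaknesses or a backdoor" needs an "and" before "may".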
@ -144,16 +147,17 @@ The network protocols that are blacklisted are:
|
||||||
|
|
||||||
user restrictions:
|
user restrictions:
|
||||||
|
|
||||||
* remount /home, /tmp, /dev/shm and /run with nosuid,nodev (default) and
|
* remount `/home`, `/tmp`, `/dev/shm` and `/run` with `nosuid,nodev`
|
||||||
noexec (opt-in). To disable this, run "sudo touch /etc/remount-disable". To
|
(default) and `noexec` (opt-in). To disable this, run
|
||||||
opt-in noexec, run "sudo touch /etc/noexec" and reboot (easiest).
|
`sudo touch /etc/remount-disable`. To opt-in `noexec`, run
|
||||||
Alternatively file /usr/local/etc/remount-disable or file
|
`sudo touch /etc/noexec` and reboot (easiest).
|
||||||
/usr/local/etc/noexec could be used.
|
Alternatively file `/usr/local/etc/remount-disable` or file
|
||||||
/lib/systemd/system/remount-secure.service
|
`/usr/local/etc/noexec` could be used.
|
||||||
/usr/lib/security-misc/remount-secure
|
`/lib/systemd/system/remount-secure.service`
|
||||||
|
`/usr/lib/security-misc/remount-secure`
|
||||||
|
|
||||||
* A systemd service mounts /proc with hidepid=2 at boot to prevent users from
|
* A systemd service mounts `/proc` with `hidepid=2` at boot to prevent users
|
||||||
seeing each other's processes.
|
from seeing each other's processes.
|
||||||
|
|
||||||
* The kernel logs are restricted to root only.
|
* The kernel logs are restricted to root only.
|
||||||
|
|
||||||
|
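Review bot: the remount entry now mentions a reboot only for opting in to `noexec`; since the mechanism listed is `remount-secure.service`, say whether `sudo touch /etc/remount-disable` also takes effect only at the next boot, otherwise a reader may expect it to undo the mounts immediately. The hidepid entry is described as a systemd service but names no unit file; add its path as done for remount-secure.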
@ -165,35 +169,35 @@ restricts access to the root account:
|
||||||
|
|
||||||
* `su` is restricted to only users within the group `sudo` which prevents
|
* `su` is restricted to only users within the group `sudo` which prevents
|
||||||
users from using `su` to gain root access or to switch user accounts.
|
users from using `su` to gain root access or to switch user accounts.
|
||||||
/usr/share/pam-configs/wheel-security-misc
|
`/usr/share/pam-configs/wheel-security-misc`
|
||||||
(Which results in a change in file `/etc/pam.d/common-auth`.)
|
(Which results in a change in file `/etc/pam.d/common-auth`.)
|
||||||
|
|
||||||
* Add user `root` to group `sudo`. This is required to make above work so
|
* Add user `root` to group `sudo`. This is required to make above work so
|
||||||
login as a user in a virtual console is still possible.
|
login as a user in a virtual console is still possible.
|
||||||
debian/security-misc.postinst
|
`debian/security-misc.postinst`
|
||||||
|
|
||||||
* Abort login for users with locked passwords.
|
* Abort login for users with locked passwords.
|
||||||
/usr/lib/security-misc/pam-abort-on-locked-password
|
`/usr/lib/security-misc/pam-abort-on-locked-password`
|
||||||
|
|
||||||
* Logging into the root account from a virtual, serial, whatnot console is
|
* Logging into the root account from a virtual, serial, whatnot console is
|
||||||
prevented by shipping an existing and empty /etc/securetty.
|
prevented by shipping an existing and empty `/etc/securetty`.
|
||||||
(Deletion of /etc/securetty has a different effect.)
|
(Deletion of `/etc/securetty` has a different effect.)
|
||||||
/etc/securetty.security-misc
|
`/etc/securetty.security-misc`
|
||||||
|
|
||||||
* Console Lockdown.
|
* Console Lockdown.
|
||||||
Allow members of group 'console' to use console.
|
Allow members of group 'console' to use console.
|
||||||
Everyone else except members of group
|
Everyone else except members of group
|
||||||
'console-unrestricted' are restricted from using console using ancient,
|
'console-unrestricted' are restricted from using console using ancient,
|
||||||
unpopular login methods such as using /bin/login over networks, which might
|
unpopular login methods such as using `/bin/login` over networks, which might
|
||||||
be exploitable. (CVE-2001-0797) Using pam_access.
|
be exploitable. (CVE-2001-0797) Using pam_access.
|
||||||
Not enabled by default in this package since this package does not know which
|
Not enabled by default in this package since this package does not know which
|
||||||
users shall be added to group 'console' and would break console.
|
users shall be added to group 'console' and would break console.
|
||||||
/usr/share/pam-configs/console-lockdown-security-misc
|
`/usr/share/pam-configs/console-lockdown-security-misc`
|
||||||
/etc/security/access-security-misc.conf
|
`/etc/security/access-security-misc.conf`
|
||||||
|
|
||||||
Protect Linux user accounts against brute force attacks.
|
Protect Linux user accounts against brute force attacks.
|
||||||
Lock user accounts after 50 failed login attempts using pam_tally2.
|
Lock user accounts after 50 failed login attempts using `pam_tally2`.
|
||||||
/usr/share/pam-configs/tally2-security-misc
|
`/usr/share/pam-configs/tally2-security-misc`
|
||||||
|
|
||||||
informational output during Linux PAM:
|
informational output during Linux PAM:
|
||||||
|
|
||||||
|
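Review bot: quoting of identifiers is inconsistent after this change: `sudo`, `su`, `/bin/login` and `pam_tally2` get backticks, but 'console' and 'console-unrestricted' keep single quotes. Use backticks for the group names too. Also "Everyone else except members of group 'console-unrestricted' are restricted from using console" needs "is restricted" and "the console", and "Using pam_access." is a sentence fragment; attach it to the preceding sentence ("... which might be exploitable (CVE-2001-0797). This uses `pam_access`.").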
@ -201,25 +205,25 @@ informational output during Linux PAM:
|
||||||
* Document unlock procedure if Linux user account got locked.
|
* Document unlock procedure if Linux user account got locked.
|
||||||
* Point out, that there is no password feedback for `su`.
|
* Point out, that there is no password feedback for `su`.
|
||||||
* Explain locked (root) account if locked.
|
* Explain locked (root) account if locked.
|
||||||
* /usr/share/pam-configs/tally2-security-misc
|
* `/usr/share/pam-configs/tally2-security-misc`
|
||||||
* /usr/lib/security-misc/pam_tally2-info
|
* `/usr/lib/security-misc/pam_tally2-info`
|
||||||
* /usr/lib/security-misc/pam-abort-on-locked-password
|
* `/usr/lib/security-misc/pam-abort-on-locked-password`
|
||||||
|
|
||||||
access rights restrictions:
|
access rights restrictions:
|
||||||
|
|
||||||
* Strong Linux User Account Separation.
|
* Strong Linux User Account Separation.
|
||||||
Removes read, write and execute access for others for all users who have
|
Removes read, write and execute access for others for all users who have
|
||||||
home folders under folder /home by running for example
|
home folders under folder `/home` by running for example
|
||||||
"chmod o-rwx /home/user"
|
"chmod o-rwx /home/user"
|
||||||
during package installation, upgrade or pam mkhomedir. This will be done only
|
during package installation, upgrade or pam `mkhomedir`. This will be done
|
||||||
once per
|
only once per folder in folder `/home` so users who wish to relax file
|
||||||
folder in folder /home so users who wish to relax file permissions are free to
|
permissions are free to
|
||||||
do so. This is to protect previously created files in user home folder which
|
do so. This is to protect previously created files in user home folder which
|
||||||
were previously created with lax file permissions prior installation of this
|
were previously created with lax file permissions prior installation of this
|
||||||
package.
|
package.
|
||||||
debian/security-misc.postinst
|
`debian/security-misc.postinst`
|
||||||
/usr/lib/security-misc/permission-lockdown
|
`/usr/lib/security-misc/permission-lockdown`
|
||||||
/usr/share/pam-configs/mkhomedir-security-misc
|
`/usr/share/pam-configs/mkhomedir-security-misc`
|
||||||
|
|
||||||
* SUID / GUID removal and permission hardening.
|
* SUID / GUID removal and permission hardening.
|
||||||
A systemd service removed SUID / GUID from non-essential binaries as these are
|
A systemd service removed SUID / GUID from non-essential binaries as these are
|
||||||
|
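Review bot: "SUID / GUID" in the heading and in the following sentence should read "SUID / SGID": the set-group-ID bit is SGID, while GUID means a globally unique identifier. "A systemd service removed SUID / GUID" should also be present tense ("removes"), matching the other entries. The example command "chmod o-rwx /home/user" is left in double quotes while the commands in the remount entry were converted to backticks in this same commit; do the same here.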
@ -227,17 +231,17 @@ often used in privilege escalation attacks.
|
||||||
It is disabled by default for now during testing and can optionally be enabled
|
It is disabled by default for now during testing and can optionally be enabled
|
||||||
by running `systemctl enable permission-hardening.service` as root.
|
by running `systemctl enable permission-hardening.service` as root.
|
||||||
https://forums.whonix.org/t/disable-suid-binaries/7706
|
https://forums.whonix.org/t/disable-suid-binaries/7706
|
||||||
/usr/lib/security-misc/permission-hardening
|
`/usr/lib/security-misc/permission-hardening`
|
||||||
/lib/systemd/system/permission-hardening.service
|
`/lib/systemd/system/permission-hardening.service`
|
||||||
/etc/permission-hardening.d/30_default.conf
|
`/etc/permission-hardening.d/30_default.conf`
|
||||||
|
|
||||||
access rights relaxations:
|
access rights relaxations:
|
||||||
|
|
||||||
Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with
|
Redirect calls for `pkexec` to `lxqt-sudo` because `pkexec` is incompatible
|
||||||
hidepid.
|
with `hidepid`.
|
||||||
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040
|
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040
|
||||||
https://forums.whonix.org/t/cannot-use-pkexec/8129
|
https://forums.whonix.org/t/cannot-use-pkexec/8129
|
||||||
/usr/bin/pkexec.security-misc
|
`/usr/bin/pkexec.security-misc`
|
||||||
|
|
||||||
This package does (not yet) automatically lock the root account password.
|
This package does (not yet) automatically lock the root account password.
|
||||||
It is not clear that would be sane in such a package.
|
It is not clear that would be sane in such a package.
|
||||||
|
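Review bot: the pkexec entry says calls are redirected to `lxqt-sudo` but does not say what happens on a system without LXQt; document the behaviour of `/usr/bin/pkexec.security-misc` when `lxqt-sudo` is absent (fail closed, or fall back to the original binary), since a wrapper that fails silently is a usability problem and one that falls back quietly reintroduces the `hidepid` incompatibility the redirect is meant to avoid. Minor: "does (not yet) automatically lock" should be "does not (yet) automatically lock".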
@ -248,14 +252,14 @@ https://www.whonix.org/wiki/Root
|
||||||
https://www.whonix.org/wiki/Dev/Permissions
|
https://www.whonix.org/wiki/Dev/Permissions
|
||||||
https://forums.whonix.org/t/restrict-root-access/7658
|
https://forums.whonix.org/t/restrict-root-access/7658
|
||||||
However, a locked root password will break rescue and emergency shell.
|
However, a locked root password will break rescue and emergency shell.
|
||||||
Therefore this package enables passwordless resuce and emergency shell.
|
Therefore this package enables passwordless rescue and emergency shell.
|
||||||
This is the same solution that Debian will likely addapt for Debian
|
This is the same solution that Debian will likely adapt for Debian
|
||||||
installer.
|
installer.
|
||||||
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211
|
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211
|
||||||
Adverse security effects can be prevented by setting up BIOS password
|
Adverse security effects can be prevented by setting up BIOS password
|
||||||
protection, grub password protection and/or full disk encryption.
|
protection, grub password protection and/or full disk encryption.
|
||||||
/etc/systemd/system/emergency.service.d/override.conf
|
`/etc/systemd/system/emergency.service.d/override.conf`
|
||||||
/etc/systemd/system/rescue.service.d/override.conf
|
`/etc/systemd/system/rescue.service.d/override.conf`
|
||||||
|
|
||||||
Disables TCP Time Stamps:
|
Disables TCP Time Stamps:
|
||||||
|
|
||||||
|
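Review bot: the typo fix "addapt" to "adapt" picks the wrong word; the sentence means Debian will likely adopt this solution for the installer, so it should read "adopt". Since the rescue and emergency override files are now listed with backticks, the sentence about BIOS password, GRUB password and full disk encryption would sit better directly after the one introducing the passwordless shells, so the precondition for enabling them is stated next to the mechanism.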
@ -272,7 +276,7 @@ also allow one to look for clocks that match an expected value to find the
|
||||||
public IP used by a user.
|
public IP used by a user.
|
||||||
|
|
||||||
Hence, this package disables this feature by shipping the
|
Hence, this package disables this feature by shipping the
|
||||||
/etc/sysctl.d/30_security-misc.conf configuration file.
|
`/etc/sysctl.d/30_security-misc.conf` configuration file.
|
||||||
|
|
||||||
Note that TCP time stamps normally have some usefulness. They are
|
Note that TCP time stamps normally have some usefulness. They are
|
||||||
needed for:
|
needed for:
|
||||||
|
@ -290,10 +294,10 @@ of the user connection.
|
||||||
|
|
||||||
Application specific hardening:
|
Application specific hardening:
|
||||||
|
|
||||||
* Enables APT seccomp-BPF sandboxing. /etc/apt/apt.conf.d/40sandbox
|
* Enables APT seccomp-BPF sandboxing. `/etc/apt/apt.conf.d/40sandbox`
|
||||||
* Deactivates previews in Dolphin.
|
* Deactivates previews in Dolphin.
|
||||||
* Deactivates previews in Nautilus.
|
* Deactivates previews in Nautilus.
|
||||||
/usr/share/glib-2.0/schemas/30_security-misc.gschema.override
|
`/usr/share/glib-2.0/schemas/30_security-misc.gschema.override`
|
||||||
* Deactivates thumbnails in Thunar.
|
* Deactivates thumbnails in Thunar.
|
||||||
* Enables punycode (`network.IDN_show_punycode`) by default in Thunderbird
|
* Enables punycode (`network.IDN_show_punycode`) by default in Thunderbird
|
||||||
to make phising attacks more difficult. Fixing URL not showing real Domain
|
to make phising attacks more difficult. Fixing URL not showing real Domain
|
||||||
|
|
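Review bot: "phising" on the Thunderbird line is a typo for "phishing", and this commit already fixes spelling elsewhere (rescue, adapt), so fix it here too. "Fixing URL not showing real Domain" is cut off at the end of the hunk and reads as a fragment; complete or drop it. The Dolphin and Thunar entries name no configuration file while the Nautilus entry points at `30_security-misc.gschema.override`; add the corresponding paths.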