Apply changes from code review

This commit is contained in:
Raja Grewal 2024-07-17 00:31:23 +10:00
parent 1c2afc1f25
commit d1119c38b6
No known key found for this signature in database
GPG Key ID: 92CA473C156B64C4
2 changed files with 8 additions and 4 deletions


@ -16,7 +16,8 @@ configuration file.
Significant hardening is applied by default to a myriad of components within kernel
space, user space, core dumps, and swap space.
- Restrict kernel addresses regardless of user privileges.
- Restrict access to kernel addresses through the us of kernel pointers regardless
of user privileges.
- Restrict access to the kernel logs to `CAP_SYSLOG` as the often contain
sensitive information.
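Review bot: the rewritten bullet has a typo, "through the us of kernel pointers" should read "through the use of kernel pointers". The unchanged context line in the same hunk, "as the often contain sensitive information", has the same kind of slip ("they") and could be corrected in the same pass since the paragraph is already being touched.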
@ -33,7 +34,7 @@ space, user space, core dumps, and swap space.
- Disable `kexec` as it can be used to replace the running kernel.
- Entirely disables the SysRq key so that the Secure Attention Key (SAK)
can no longer be utilised.
can no longer be utilised. See [documentation](https://www.kicksecure.com/wiki/SysRq).
- Provide option to disable unprivileged user namespaces as they can lead to
privilege escalation.
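Review bot: the bullet being edited here is the only one in the list written in the third person ("Entirely disables the SysRq key"); the surrounding bullets use the imperative ("Disable `kexec`", "Provide option to disable"). Since the line is already changing to add the link, consider "Entirely disable the SysRq key so that the Secure Attention Key (SAK) can no longer be utilised. See [documentation](https://www.kicksecure.com/wiki/SysRq)." for consistency.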
@ -50,12 +51,13 @@ space, user space, core dumps, and swap space.
- Prevent hardlink and symlink TOCTOU races in world-writable directories.
- Disallow unintentional writes to attacker-controlled files.
- Disallow unintentional writes to files in world-writable directories unless
they are owned by the directory owner to mitigate some data spoofing attacks.
- Increase the maximum number of memory map areas a process is able to utilise.
- Disable core dump files and prevent their creation. If core dump files are
enabled, they will be nammed based on `core.PID` instead of the default `core`.
enabled, they will be named based on `core.PID` instead of the default `core`.
- Limit the copying of potentially sensitive content in memory to the swap device.
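Review bot: the new bullet "Limit the copying of potentially sensitive content in memory to the swap device." does not name the setting behind it, whereas neighbouring bullets point at the concrete mechanism (`CAP_SYSLOG`, `kexec`, `core.PID`). Naming `vm.swappiness` here lets a reader map the claim to the sysctl entry added in the other file. The wording is also slightly ambiguous (it can be read as "copy to the swap device only"); something like "Reduce how readily potentially sensitive memory contents are written to the swap device (`vm.swappiness`)." says what is meant.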


@ -215,8 +215,10 @@ kernel.core_uses_pid=1
## Limit the copying of memory to the swap device only if absolutely necessary.
## Minimises the likelihood of writing potentially sensitive contents to disk.
## Not reccommmeded to set to zero since this disables periodic write behavior.
##
## https://en.wikipedia.org/wiki/Memory_paging#Linux
## https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Performance_Tuning_Guide/s-memory-tunables.html
##
vm.swappiness=1
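Review bot: the added comment line "Not reccommmeded to set to zero since this disables periodic write behavior." has a typo, "reccommmeded" should be "recommended", and it mixes British spelling ("Minimises" on the line above) with American ("behavior"); pick one for the file. It would also help to spell out what "periodic write behavior" refers to, since a reader of the sysctl file has only this comment to go on when deciding whether to lower the value further.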