Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-04-14 19:32:56 -04:00
Code Issues Packages Projects Releases Wiki Activity

Merge aa0ffff42753f68e67bc92680a22986a5b9ef9e0 into 5e88dfe809a762aeebf62ea2de131cfbdea9ae32

Browse Source
This commit is contained in:
raja-grewal 2025-04-11 02:31:48 +02:00 committed by GitHub
commit d1b30a7f26
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 28 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
README.md
View File

@ -226,6 +226,9 @@ Kernel space:
- Optional - Disable support for all x86 processes and syscalls (when using Linux kernel >= 6.7)
to reduce attack surface.
- Disable EFI persistent storage feature, preventing the kernel from writing crash logs and
other persistent data to the EFI variable store.
Direct memory access:
- Enable strict IOMMU translation to protect against some DMA attacks via the use
@ -400,7 +403,7 @@ Miscellaneous modules:
`/etc/kernel/postinst.d/30_remove-system-map`
`/lib/systemd/system/remove-system-map.service`
`/usr/lib/systemd/system/remove-system-map.service`
`/usr/libexec/security-misc/remove-system.map`
@ -409,9 +412,14 @@ Miscellaneous modules:
`/etc/security/limits.d/30_security-misc.conf`
`/etc/sysctl.d/30_security-misc.conf`
`/usr/lib/sysctl.d/30_security-misc.conf`
`/lib/systemd/coredump.conf.d/30_security-misc.conf`
`/usr/lib/systemd/coredump.conf.d/30_security-misc.conf`
- PStore is disabled as crash logs can contain sensitive system data such as
kernel version, hostname, and users. See:
`/usr/lib/systemd/pstore.conf.d/30_security-misc.conf`
- An initramfs hook sets the sysctl values in `/etc/sysctl.conf` and
`/etc/sysctl.d` before init is executed so sysctl hardening is enabled as

12
etc/default/grub.d/40_kernel_hardening.cfg
View File

@ -223,6 +223,18 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
##
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0"
## Disable EFI persistent storage feature.
## Prevents the kernel from writing crash logs and other persistent data to the EFI variable store.
##
## https://blogs.oracle.com/linux/post/pstore-linux-kernel-persistent-storage-file-system
## https://www.ais.com/understanding-pstore-linux-kernel-persistent-storage-file-system/
## https://lwn.net/Articles/434821/
## https://manpages.debian.org/testing/systemd/systemd-pstore.service.8.en.html
## https://gitlab.tails.boum.org/tails/tails/-/issues/20813
## https://github.com/Kicksecure/security-misc/issues/299
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi_pstore.pstore_disable=1"
## 2. Direct Memory Access:
##
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#dma-attacks

5
usr/lib/systemd/pstore.conf.d/30_security-misc.conf Normal file
View File

@ -0,0 +1,5 @@
## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
[PStore]
Storage=none