mirror of
https://github.com/Kicksecure/security-misc.git
synced 2025-01-15 22:47:08 -05:00
minor
parent a2802f352f
commit d29a616142
@ -109,9 +109,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt"
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX gather_data_sampling=force"
## Enable Register File Data Sampling (RFDS) mitigation on Intel Atom CPUs which
## Enable Register File Data Sampling (RFDS) mitigation on Intel Atom CPUs which
## encompasses E-cores on hybrid architectures.
##
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/reg-file-data-sampling.html
##
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX reg_file_data_sampling=on"
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX reg_file_data_sampling=on"
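Review bot: the two lines that change in this hunk ("## Enable Register File Data Sampling (RFDS) mitigation on Intel Atom CPUs which" and "GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX reg_file_data_sampling=on"") read identically before and after, so the edit is presumably whitespace or line-ending only; the commit message "minor" should say so, because anyone auditing which mitigation parameters changed otherwise has to compare the lines character by character to confirm that none did.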
@ -82,7 +82,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
## Can sometimes potentially indicate and thwart certain kernel exploitation attempts.
## Also cause panics on machine check exceptions.
## Panics may be due to false-positives such as bad drivers.
##
##
## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713
##
## See /usr/libexec/security-misc/panic-on-oops for implementation.
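Review bot: grammar in the panic-on-oops comment block: "## Also cause panics on machine check exceptions." should read "## Also causes panics on machine check exceptions." to agree with the subject of the preceding sentence, and "Can sometimes potentially indicate" stacks two hedges where "Can sometimes indicate" is enough. Since this hunk already touches the block, it is the right place to fix both.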
@ -157,7 +157,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma"
## Do not credit the CPU or bootloader seeds as entropy sources at boot.
## The RDRAND CPU (RNG) instructions are proprietary and closed-source.
## Numerous implementations of RDRAND have a long history of being defective.
## Numerous implementations of RDRAND have a long history of being defective.
## The RNG seed passed by the bootloader could also potentially be tampered.
## Maximising the entropy pool at boot is desirable for all cryptographic operations.
## These settings ensure additional entropy is obtained from other sources to initialise the RNG.
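Review bot: missing preposition in the entropy comment: "## The RNG seed passed by the bootloader could also potentially be tampered." should read "could also be tampered with." Also, "These settings" in the last line refers to parameters that fall outside this hunk's context; naming them in the comment would let the block be read on its own.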
@ -191,10 +191,10 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy"
## Disable the entire IPv6 stack functionality.
## Removes attack surface associated with the IPv6 module.
##
##
## https://www.kernel.org/doc/html/latest/networking/ipv6.html
## https://wiki.archlinux.org/title/IPv6#Disable_IPv6
##
## Enabling makes redundant many network hardening sysctl's in usr/lib/sysctl.d/990-security-misc.conf.
##
#ipv6.disable=1
#ipv6.disable=1
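Review bot: inconsistent path in "## Enabling makes redundant many network hardening sysctl's in usr/lib/sysctl.d/990-security-misc.conf.": it lacks the leading slash that the other paths in this commit use (e.g. /usr/lib/sysctl.d/30_silent-kernel-printk.conf), and "sysctl's" should be "sysctls". Suggest: "## Enabling this makes many network hardening sysctls in /usr/lib/sysctl.d/990-security-misc.conf redundant."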
@ -1,7 +1,7 @@
## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## Remount Secure provides enhanced security via mmount options:
## Remount Secure provides enhanced security via mmount options:
## https://www.kicksecure.com/wiki/Security-misc#Remount_Secure
## Option A (No Security):
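Review bot: typo on the changed line "## Remount Secure provides enhanced security via mmount options:" survives on both sides of the diff; "mmount" should be "mount". Since the line is already being touched, fix it in this commit.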
@ -20,6 +20,6 @@
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=2"
## Option D (Highest Security)
## Re-mount with nodev, nosuid, and noexec for all mount points including /home.
## Re-mount with nodev, nosuid, and noexec for all mount points including /home.
##
#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=3"
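Review bot: heading style: "## Option D (Highest Security)" lacks the trailing colon that "## Option A (No Security):" uses in the same file; make the option headings consistent while this block is being edited.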
@ -26,4 +26,4 @@ GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT quiet"
## For Increased Log Verbosity:
## Adjust (or comment out) the kernel.printk sysctl in /usr/lib/sysctl.d/30_silent-kernel-printk.conf.
## Alternatively, installing the debug-misc package will undo these settings.
## Alternatively, installing the debug-misc package will undo these settings.
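Review bot: "these settings" in "## Alternatively, installing the debug-misc package will undo these settings." is ambiguous in a comment that a reader may land on directly; spell out that it means the quiet kernel parameter set in GRUB_CMDLINE_LINUX_DEFAULT above and the kernel.printk sysctl in /usr/lib/sysctl.d/30_silent-kernel-printk.conf.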