Merge remote-tracking branch 'github-kicksecure/master'

Patrick Schleizer 2024-09-24 20:16:06 -04:00
commit e04f9cd4c1
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
2 changed files with 10 additions and 8 deletions


@ -59,7 +59,7 @@ User space:
enables programs to inspect and modify other active processes. Optional - Disable
usage of `ptrace()` by all processes.
- Maximize the bits of entropy used for mmap ASLR across all architectures.
- Maximize the bits of entropy used for mmap ASLR across all CPU architectures.
- Prevent hardlink and symlink TOCTOU races in world-writable directories.
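Review bot: The reworded summary line still does not say where the "maximum" comes from, so a reader of the summary alone cannot tell whether this is a fixed number or the kernel's build-time limit; the detailed section added in the next part of this change does explain it (`CONFIG_ARCH_MMAP_RND_BITS_MAX` / `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX`). Suggest a short parenthetical here, e.g. "- Maximize the bits of entropy used for mmap ASLR across all CPU architectures (to the maximum the kernel was built with).", so the summary is self-explanatory without jumping to the section below.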
@ -194,6 +194,13 @@ Networking:
- Optional - Disable the entire IPv6 stack to reduce attack surface.
### mmap ASLR
- The bits of entropy used for mmap ASLR for all CPU architectures are maxed
out via `/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of
`CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX`
that the kernel was built with), therefore improving its effectiveness.
## Kernel Self Protection Project (KSPP) Compliance Status
**Summary:**
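Review bot: The new `### mmap ASLR` section lands at the end of the "Networking:" list (the hunk context is "Networking:" and the preceding line is the IPv6 item), while the corresponding summary line lives under "User space:". Consider placing the section next to the other user-space hardening items so the detailed sections follow the same order as the summary. Two smaller documentation points on the same lines: the single bullet under a heading can be plain prose, and "therefore improving its effectiveness" would be more useful as "making the randomised mmap base harder to guess", which is the concrete effect of more entropy bits. It would also help to name which sysctls `/usr/libexec/security-misc/mmap-rnd-bits` writes, since the text only names the kernel config symbols it reads.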
@ -236,13 +243,6 @@ Disables the registration of interpreters for miscellaneous binary formats. Curr
* [security-misc pull request #249](https://github.com/Kicksecure/security-misc/pull/249)
* [security-misc issue #267](https://github.com/Kicksecure/security-misc/issues/267)
### mmap ASLR
- The bits of entropy used for mmap ASLR are maxed out via
`/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of
`CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX`
that the kernel was built with), therefore improving its effectiveness.
### Kernel Modules
#### Kernel Module Signature Verification
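Review bot: This hunk removes the earlier copy of the `### mmap ASLR` section from under "Kernel Self Protection Project (KSPP) Compliance Status", so the only remaining copy is the one added above it; the heading text is unchanged, so an anchor link to `#mmap-aslr` still resolves, now to the new location. If the KSPP compliance section is meant to list every KSPP-tracked setting, a one-line cross-reference here (pointing at the section above) would keep the compliance status complete; otherwise the de-duplication is fine.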


@ -119,6 +119,7 @@ kernel.sysrq=0
## User namespaces aim to improve sandboxing and accessibility for unprivileged users.
## Unprivileged user namespaces pose substantial privilege escalation risks.
## Restricting may lead to breakages in numerous software packages.
## Flatpak requires unprivileged users to create new user namespaces for sandboxing.
## Uncomment the second sysctl to entirely disable user namespaces.
## Disabling entirely will reduce compatibility with some AppArmor profiles.
## Disabling entirely is known to break the UPower systemd service.
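Review bot: The new Flatpak line should say which of the two settings affects it. As placed, between "Restricting may lead to breakages" and "Uncomment the second sysctl to entirely disable user namespaces", a reader cannot tell whether Flatpak is affected by the default restriction or only by disabling user namespaces entirely. The two lines that follow ("Disabling entirely will reduce compatibility ...", "Disabling entirely is known to break ...") use an explicit "Disabling entirely" prefix; suggest the same form for Flatpak if that is what applies, e.g. "## Disabling entirely breaks Flatpak, which needs unprivileged user namespaces for sandboxing.", and move it next to those two lines.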
@ -127,6 +128,7 @@ kernel.sysrq=0
## https://madaidans-insecurities.github.io/linux.html#kernel
## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers
## https://github.com/NixOS/nixpkgs/pull/84522#issuecomment-614640601
## https://github.com/flatpak/flatpak/wiki/User-namespace-requirements
## https://github.com/Kicksecure/security-misc/pull/263
##
## KSPP=partial
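Review bot: Minor style point: the reference block lists sources without indicating which comment line each one backs, and the new Flatpak wiki link is the only entry tied to a single comment line. Either append a short tag, e.g. "## https://github.com/flatpak/flatpak/wiki/User-namespace-requirements (Flatpak line above)", or keep the list as is but make sure the Flatpak comment above names the requirement the link documents; otherwise the addition is fine and keeps the existing one-URL-per-line format.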