From dcf57bebf0d28089045a29477f26ad35d1041392 Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Sat, 29 Jun 2019 22:27:24 +0000
Subject: [PATCH 1/9] Create proc-hidepid.service
---
 lib/systemd/system/proc-hidepid.service | 26 +++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 lib/systemd/system/proc-hidepid.service
diff --git a/lib/systemd/system/proc-hidepid.service b/lib/systemd/system/proc-hidepid.service
new file mode 100644
index 0000000..0b826bb
--- /dev/null
+++ b/lib/systemd/system/proc-hidepid.service
@@ -0,0 +1,26 @@
+[Unit]
+Description=Mounts /proc with hidepid=2
+Requires=local-fs.target
+After=local-fs.target
+
+[Service]
+Type=oneshot
+ExecStart=/bin/mount -o remount,nosuid,nodev,noexec,hidepid=2 /proc
+ProtectSystem=strict
+ProtectHome=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+PrivateTmp=true
+PrivateMounts=true
+PrivateDevices=true
+PrivateNetwork=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+RestrictRealtime=true
+SystemCallArchitectures=native
+RestrictNamespaces=true
+SystemCallFilter=mount munmap access read open close stat fstat lstat mmap mprotect brk rt_sigaction rt_sigprocmask execve readlink getrlimit getuid getgid geteuid getegid statfs prctl arch_prctl set_tid_address newfstatat set_robust_list
+
+[Install]
+WantedBy=multi-user.target
From a2c676ed48782f86e8b58d39f8bec4cd37a47cf5 Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Sat, 29 Jun 2019 22:28:41 +0000
Subject: [PATCH 2/9] Update proc-hidepid.service
---
 lib/systemd/system/proc-hidepid.service | 1 +
 1 file changed, 1 insertion(+)
diff --git a/lib/systemd/system/proc-hidepid.service b/lib/systemd/system/proc-hidepid.service
index 0b826bb..c7feada 100644
--- a/lib/systemd/system/proc-hidepid.service
+++ b/lib/systemd/system/proc-hidepid.service
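Review bot: Whether the remount in `ExecStart=` ever reaches the host's /proc is doubtful, because `PrivateMounts=true` (and, implicitly, `ProtectSystem=`, `ProtectHome=`, `PrivateTmp=`, `PrivateDevices=`, `ProtectKernelTunables=` and `ProtectControlGroups=`) run the unit in its own mount namespace with propagation back to the host turned off; on kernels that treat hidepid as a per-mount option the remount changes only the unit's private copy of /proc, and the unit still exits 0, so nothing would report that the hardening did not apply. If this is relied on, the mount-namespace options should come off the unit, or the option should be set where no sandbox is involved (a `proc.mount` drop-in or the /etc/fstab entry for /proc), and a comment in the unit should record which kernel behaviour was tested. Separately, the hand-written `SystemCallFilter=` allowlist is brittle across glibc and util-linux versions — a missing call such as `openat` or `exit_group` kills `/bin/mount` with SIGSYS at boot — so a systemd set such as `@system-service` with the unwanted groups subtracted is the safer form. A short `# hidepid=2 without gid= also hides processes from non-root monitoring tools; exempt a group here if that matters` above `ExecStart=` would document the trade-off the unit currently leaves implicit.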
@@ -1,5 +1,6 @@
 [Unit]
 Description=Mounts /proc with hidepid=2
+Documentation=https://github.com/Whonix/security-misc
 Requires=local-fs.target
 After=local-fs.target
From 22267c895b15e10c98bae365ef2bef12f95454aa Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Sat, 29 Jun 2019 22:30:41 +0000
Subject: [PATCH 3/9] Update control
---
 debian/control | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/debian/control b/debian/control
index 4a3352f..5ab1eb0 100644
--- a/debian/control
+++ b/debian/control
@@ -109,3 +109,6 @@ Description: enhances misc security settings
  DMA (Direct Memory Access) attacks.
  .
  IOMMU is enabled with a boot parameter to prevent DMA attacks.
+ .
+ A systemd service mounts /proc with hidepid=2 at boot to prevent users from seeing each other's processes.
+ .
From c6b669f1a53bfef08a82994422f9e1b627a937d5 Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Sun, 30 Jun 2019 00:11:13 +0000
Subject: [PATCH 4/9] Create disable-coredumps.conf
---
 lib/systemd/system/coredump.conf.d/disable-coredumps.conf | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 lib/systemd/system/coredump.conf.d/disable-coredumps.conf
diff --git a/lib/systemd/system/coredump.conf.d/disable-coredumps.conf b/lib/systemd/system/coredump.conf.d/disable-coredumps.conf
new file mode 100644
index 0000000..519f838
--- /dev/null
+++ b/lib/systemd/system/coredump.conf.d/disable-coredumps.conf
@@ -0,0 +1,2 @@
+[Coredump]
+Storage=none
From f040081a5998fddd1ea4bc30140e41c405842371 Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Sun, 30 Jun 2019 00:13:52 +0000
Subject: [PATCH 5/9] Prevent setuid processes from creating coredumps.
---
 etc/sysctl.d/suid_dumpable.conf | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 etc/sysctl.d/suid_dumpable.conf
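Review bot: The drop-in is placed under `lib/systemd/system/coredump.conf.d/`, which is a unit-file directory; systemd-coredump reads its configuration from `/etc/systemd/coredump.conf` and the `coredump.conf.d/` directories under `/etc/systemd/`, `/run/systemd/` and `/usr/lib/systemd/` (coredump.conf(5)), so as committed this file is never parsed and `Storage=none` has no effect. Moving it to `etc/systemd/coredump.conf.d/disable-coredumps.conf` fixes that. Note also that `Storage=none` only suppresses writing the core file; systemd-coredump still receives and processes the dump, and coredump.conf(5) names `ProcessSizeMax=0` together with `Storage=none` as the combination that disables all handling except a log entry, so the drop-in should probably carry both keys with a one-line comment explaining why.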
diff --git a/etc/sysctl.d/suid_dumpable.conf b/etc/sysctl.d/suid_dumpable.conf
new file mode 100644
index 0000000..1ed3b79
--- /dev/null
+++ b/etc/sysctl.d/suid_dumpable.conf
@@ -0,0 +1,2 @@
+# Prevent setuid processes from creating coredumps.
+fs.suid_dumpable=0
From 1bf802f8469a4ffc36cccca1ea6fc6f92ea6af8a Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Sun, 30 Jun 2019 00:16:50 +0000
Subject: [PATCH 6/9] Create coredumps.conf
---
 etc/sysctl.d/coredumps.conf | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 etc/sysctl.d/coredumps.conf
diff --git a/etc/sysctl.d/coredumps.conf b/etc/sysctl.d/coredumps.conf
new file mode 100644
index 0000000..9ac4548
--- /dev/null
+++ b/etc/sysctl.d/coredumps.conf
@@ -0,0 +1,3 @@
+# Disables coredumps. This setting may be overwritten by systemd so this may not be useful.
+# security-misc also disables coredumps in other ways.
+kernel.core_pattern=|/bin/false
From 230ef34db45c1c7d980abfd8bd4770ec336ae4bf Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Sun, 30 Jun 2019 00:19:04 +0000
Subject: [PATCH 7/9] Create disable-coredumps.conf
---
 etc/security/limits.d/disable-coredumps.conf | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 etc/security/limits.d/disable-coredumps.conf
diff --git a/etc/security/limits.d/disable-coredumps.conf b/etc/security/limits.d/disable-coredumps.conf
new file mode 100644
index 0000000..ea7c414
--- /dev/null
+++ b/etc/security/limits.d/disable-coredumps.conf
@@ -0,0 +1,2 @@
+# Disable coredumps.
+* hard core 0
From 024a698249392bdc6ebd362a2c978bc0e02bd55f Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Sun, 30 Jun 2019 00:20:38 +0000
Subject: [PATCH 8/9] Update control
---
 debian/control | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/debian/control b/debian/control
index 4a3352f..94bf967 100644
--- a/debian/control
+++ b/debian/control
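Review bot: The comment `# Disables coredumps. This setting may be overwritten by systemd so this may not be useful.` describes the precedence as a matter of luck when it is actually decided by the filename: sysctl.d(5) applies all files in lexicographic order of their basenames regardless of directory, later ones winning, so this file beats systemd's own `50-coredump.conf` only because `coredumps.conf` happens to sort after it. Renaming the file with an explicit numeric prefix above 50 makes that ordering deliberate, and the comment should then say which file it is meant to override rather than that it "may not be useful". A reader would also want a note that `|/bin/false` still makes the kernel spawn a helper for every crash; it discards the dump but does not stop the dump from being generated.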
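Review bot: `* hard core 0` is enforced by pam_limits(8), so it only covers processes started through a PAM session; services started by systemd take their RLIMIT_CORE from `DefaultLimitCORE=` in systemd-system.conf(5) or a per-unit `LimitCORE=` and are not touched by this file, and if I read limits.conf(5) correctly the `*` wildcard also does not apply to root. If the intent is that no process anywhere may dump core, a `DefaultLimitCORE=0` drop-in under `/etc/systemd/system.conf.d/` is needed alongside this one. The comment `# Disable coredumps.` should state the scope, e.g. `# Disable core dumps for PAM login sessions; systemd services are covered separately via DefaultLimitCORE=`.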
@@ -108,4 +108,6 @@ Description: enhances misc security settings
  The thunderbolt and firewire modules are blacklisted as they can be used for
  DMA (Direct Memory Access) attacks.
  .
+ Coredumps are disabled as they may contain important information such as encryption keys or passwords.
+ .
  IOMMU is enabled with a boot parameter to prevent DMA attacks.
From dbfb9e1cdf1e042c8985e2e69b7f5f5f1eaed860 Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Sun, 30 Jun 2019 00:21:46 +0000
Subject: [PATCH 9/9] Update control
---
 debian/control | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/debian/control b/debian/control
index 94bf967..778eb85 100644
--- a/debian/control
+++ b/debian/control
@@ -108,6 +108,6 @@ Description: enhances misc security settings
  The thunderbolt and firewire modules are blacklisted as they can be used for
  DMA (Direct Memory Access) attacks.
  .
- Coredumps are disabled as they may contain important information such as encryption keys or passwords.
- .
  IOMMU is enabled with a boot parameter to prevent DMA attacks.
+ .
+ Coredumps are disabled as they may contain important information such as encryption keys or passwords.