Merge branch 'master' into panic_limits

etc/default/grub.d/40_kernel_hardening.cfg

@@ -188,15 +188,14 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
 ## The default implementation is FineIBT as of Linux kernel 6.2.
 ## The Intel-developed IBT (Indirect Branch Tracking) is only used if supported by the CPU.
 ## kCFI is software-only while FineIBT is a hybrid software/hardware implementation.
-## FineIBT may result in some performance benefits as it only performs checking at destinations.
+## FineIBT may result in some performance benefits as it only performs hash checks at the destinations.
+## kCFI mandates hash validation at the source (which is randomized), making it more difficult to bypass.
 ## FineIBT is considered weaker against attacks that can write arbitrary executables into memory.
-## Upstream hardening work has provided users the ability to disable FineIBT based on requests.
-## Choice of CFI implementation is highly dependent on user threat model as there are pros/cons to both.
-## Do not modify from the default setting if unsure of implications.
 ##
-## https://lore.kernel.org/all/20221027092842.699804264@infradead.org/
+## https://lwn.net/Articles/891976/
 ## https://lore.kernel.org/lkml/202210010918.4918F847C4@keescook/T/#u
 ## https://lore.kernel.org/lkml/202210182217.486CBA50@keescook/T/
+## https://lore.kernel.org/all/20221027092842.699804264@infradead.org/
 ## https://lore.kernel.org/lkml/202407150933.E1871BE@keescook/
 ## https://isopenbsdsecu.re/mitigations/forward_edge_cfi/
 ## https://docs.kernel.org/next/x86/shstk.html
@@ -207,12 +206,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
 ## KSPP=yes
 ## KSPP sets the kernel parameter.
 ##
-## TODO: Debian 13 Trixie
-## Applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness).
-##
-#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX cfi=kcfi"
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX cfi=kcfi"
 
-## Disable support for x86 processes and syscalls.
+## Disable support for all 32-bit x86 processes and syscalls.
 ## Unconditionally disables IA32 emulation to substantially reduce attack surface.
 ##
 ## https://lore.kernel.org/all/20230623111409.3047467-7-nik.borisov@suse.com/
@@ -220,10 +216,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
 ## KSPP=yes
 ## KSPP does not set CONFIG_COMPAT, CONFIG_IA32_EMULATION, CONFIG_X86_X32, CONFIG_X86_X32_ABI, and CONFIG_MODIFY_LDT_SYSCALL.
 ##
-## TODO: Debian 13 Trixie
-## Applicable when using Linux kernel >= 6.7 (retained here for future-proofing and completeness).
-##
-#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0"
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0"
 
 ## Disable EFI persistent storage feature.
 ## Disable Error Record Serialization Table (ERST) support as a form of defense-in-depth.

etc/default/grub.d/41_recovery_restrict.cfg

@@ -7,14 +7,17 @@
 ## KSPP=no: not (currently) compliant with recommendations by the KSPP
 ## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP.
 
-## Disable access to single-user (recovery) mode.
+## Disable access to the GRUB single-user (recovery) mode menu entries.
 ##
 ## https://forums.kicksecure.com/t/remove-linux-recovery-mode-boot-option-from-default-grub-boot-menu/727
 ##
 GRUB_DISABLE_RECOVERY="true"
 
 ## Disable access to Dracut's recovery console.
+## Prevents the emergency shell from starting automatically during boot failures.
 ##
+## https://insinuator.net/2025/07/insecure-boot-injecting-initramfs-from-a-debug-shell/
+## https://serverfault.com/questions/554853/how-can-i-secure-the-dracut-shell
 ## https://forums.kicksecure.com/t/harden-dracut-initramfs-generator-by-disabling-recovery-console/724
 ##
 GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT rd.emergency=halt"

etc/modprobe.d/30_security-misc_blacklist.conf

@@ -27,7 +27,7 @@ blacklist sr_mod
 ## Partial selection of their infrastructure blacklist.
 ## Duplicate and already disabled modules have been omitted.
 ##
-## https://github.com/GrapheneOS/infrastructure/blob/main/modprobe.d/local.conf
+## https://github.com/GrapheneOS/infrastructure/blob/main/etc/modprobe.d/local.conf
 ##
 #blacklist cfg80211
 #blacklist intel_agp

etc/security-misc/emerg-shutdown/30_security_misc.conf

@@ -17,7 +17,7 @@
 ##
 ## The default key sequence triggers a shutdown when Ctrl+Alt+Delete is
 ## pressed, allowing the use of either the left or right Ctrl and Alt keys.
-EMERG_SHUTDOWN_KEYS="KEY_LEFTCTRL|KEY_RIGHTCTRL,KEY_LEFTALT|KEY_RIGHTALT,KEY_DELETE"
+EMERG_SHUTDOWN_KEYS="KEY_LEFTCTRL|KEY_RIGHTCTRL,KEY_LEFTALT|KEY_RIGHTALT,KEY_END"
 
 ## Set the maximum number of seconds shutdown can take. If shutdown gets stuck
 ## for longer than this, the system will forcibly power down.

etc/security/limits.d/30_security-misc.conf

@@ -2,4 +2,6 @@
 ## See the file COPYING for copying conditions.
 
 ## Disable coredumps.
-* hard core 0
+## `-` in the second field sets both hard and soft limits at the same time.
+## See `man 5 limits.conf`.
+* - core 0

etc/ssh/ssh_config.d/30_security-misc.conf

@@ -0,0 +1,22 @@
+## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Don't edit this file, to overwrite any options, edit a file with a higher
+## number that is read later by SSH, such as
+## '/etc/ssh/ssh_config.d/50_user.conf'. If your configuration changes do not
+## need to be system-wide, you may also consider placing overrides in
+## ~/.ssh/config.
+
+## See also:
+## https://www.kicksecure.com/wiki/SSH#Client_Configuration_File
+
+Host *
+  VisualHostKey yes
+  Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+  MACs umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+  KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org
+  ## To force the use of quantum-resistant key exchange algorithms, override
+  ## the above with
+  # KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256
+  HostKeyAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519
+  PubkeyAcceptedAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519

etc/ssh/sshd_config.d/30_security-misc.conf

@@ -0,0 +1,82 @@
+## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Don't edit this file, to overwrite any options, edit a file with a higher
+## number that is read later by SSHD, such as
+## '/etc/ssh/sshd_config.d/50_user.conf'.
+
+## See also:
+## https://www.kicksecure.com/wiki/SSH#Server_Configuration_File
+
+## This is okay because of strict firewall. For an onion-only server, listen
+## on 127.0.0.1.
+ListenAddress 0.0.0.0
+
+## Number of allowed login attempts per connection.
+MaxAuthTries 3
+
+## Require strong ciphers and algorithms.
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostKeyAlgorithms ssh-ed25519
+PubkeyAcceptedAlgorithms ssh-ed25519,sk-ssh-ed25519@openssh.com
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
+MACs umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org
+## To force the use of quantum-resistant key exchange algorithms, override the
+## above with
+# KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256
+
+## Override with 'no' to fully deny root login, or leave this as
+## 'prohibit-password' for denying root password login but still allowing
+## other authentication methods such as public key.
+PermitRootLogin prohibit-password
+
+## Public key authentication is transparent, non-interactive and more secure.
+PasswordAuthentication no
+
+## Change to 'yes' to enable challenge-response passwords (beware issues with
+## some PAM modules and threads)
+KbdInteractiveAuthentication no
+
+## PAM can be used for account and session processing when using
+## ChallengeResponseAuthentication or PasswordAuthentication.
+##
+## Depending on your PAM configuration, PAM authentication via
+## ChallengeResponseAuthentication may bypass the setting of "PermitRootLogin
+## without-password".
+##
+## If you want PAM account and session checks to run without PAM
+## authentication, then enable this but set PasswordAuthentication and
+## ChallengeResponseAuthentication to 'no'.
+##
+## The default upstream is 'no', Debian sets this to 'yes'. If using a locked
+## account, read:
+##   https://www.kicksecure.com/wiki/SSH#SSH_Login_Comparison_Table
+## We set it to 'yes' to work with libpam-tmpdir.
+##   https://www.kicksecure.com/wiki/Dev/Strong_Linux_User_Account_Isolation#libpam-tmpdir
+## Also folders such as '/run/user/1000' will exist thanks to PAM.
+## The absence of that folder can lead to issues (such as with msgcollector).
+UsePAM yes
+
+## Block dangerous forwarding.
+AllowAgentForwarding no
+AllowTcpForwarding no
+X11Forwarding no
+
+## Hide unnecessary login banners.
+PrintMotd no
+#Banner /etc/issue.net
+#Hiding Debian version from SSH banner (obscurity)
+DebianBanner no
+
+## Some options are dangerous but may be required in certain circumstances. As
+## an example, if forwarding is required, selectively allow it with a 'Match'
+## block. Consider a new separate user named 'tunnel' which wants to forward
+## its local port to be available on the server on port 443. Note that a
+## tunnel user doesn't even require a TTY nor a shell, so don't forget to
+## change the 'tunnel' shell to something that prevents login such as
+## '/usr/sbin/nologin'.
+#Match User tunnel
+#  AllowTcpForwarding yes
+#  PermitListen localhost:443
+#  PermitTTY no

etc/thunderbird/pref/40_security-misc.js

@@ -1,59 +0,0 @@
-//#### Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
-//#### See the file COPYING for copying conditions.
-
-//#### meta start
-//#### project Whonix and Kicksecure
-//#### category security and apps
-//#### description https://forums.whonix.org/t/enable-network-idn-show-punycode-by-default-in-thunderbird-to-fix-url-not-showing-real-domain-name-homograph-attack-punycode/8415
-//#### meta end
-
-// https://forums.whonix.org/t/enable-network-idn-show-punycode-by-default-in-thunderbird-to-fix-url-not-showing-real-domain-name-homograph-attack-punycode/8415
-pref("network.IDN_show_punycode", true);
-
-// Disable all and any kind of telemetry by default
-pref("toolkit.telemetry.enabled", false);
-pref("toolkit.telemetry.unified", false);
-pref("toolkit.telemetry.shutdownPingSender.enabled", false);
-pref("toolkit.telemetry.updatePing.enabled", false);
-pref("toolkit.telemetry.archive.enabled", false);
-pref("toolkit.telemetry.bhrPing.enabled", false);
-pref("toolkit.telemetry.firstShutdownPing.enabled", false);
-pref("toolkit.telemetry.newProfilePing.enabled", false);
-pref("toolkit.telemetry.server", ""); // Defense in depth
-pref("toolkit.telemetry.server_owner", ""); // Defense in depth
-pref("datareporting.healthreport.uploadEnabled", false);
-pref("datareporting.policy.dataSubmissionEnabled", false);
-pref("toolkit.telemetry.coverage.opt-out", true); // from Firefox
-pref("toolkit.coverage.opt-out", true); // from Firefox
-
-// Disable implicit outbound traffic
-pref("network.connectivity-service.enabled", false);
-pref("network.prefetch-next", false);
-pref("network.dns.disablePrefetch", true);
-pref("network.predictor.enabled", false);
-
-// No need to explain the problems with javascript
-// If you want javascript, use your browser
-// Thunderbird needs no javascript
-// pref("javascript.enabled", false); // Will break setting up services that require redirecting to their javascripted webpage for login, like gmail etc. So commented out for now.
-
-// Disable scripting when viewing pdf files
-user_pref("pdfjs.enableScripting", false);
-
-// If you want cookies, use your browser
-pref("network.cookie.cookieBehavior", 2);
-
-// Do not send user agent information
-// For email clients, this is more like a relic of the past
-// Completely not necessary and just exposes a lot of information about the client
-// Since v115.0 Thunderbird already minimizes the user agent
-// But we want it gone for good for no information leak at all
-// https://hg.mozilla.org/comm-central/rev/cbbbc8d93cd7
-pref("mailnews.headers.sendUserAgent", false);
-
-// Normally we send emails after marking them with a time stamp
-// That includes our local time zone
-// This option makes our local time zone appear as UTC
-// And rounds the time stamp to the closes minute
-// https://hg.mozilla.org/comm-central/rev/98aa0bf2e719
-pref("mail.sanitize_date_header", true);

etc/usbguard/rules.d/30_security-misc.conf

@@ -0,0 +1,55 @@
+## We allow devices that were plugged in before the daemon starts. Everything
+## is blocked as the default. Following rules apply on top of this.
+
+## Explicitly reject any interface that is not documented and/or defined by
+## USB.org.
+## Note: Most probably superfluous.
+reject with-interface none-of { 00:*:* 01:*:* 02:*:* 03:*:* 05:*:* 06:*:* 07:*:* 08:*:* 09:*:* 0a:*:* 0b:*:* 0d:*:* 0e:*:* 0f:*:* 10:*:* 11:*:* 12:*:* 13:*:* 14:*:* 3c:*:* dc:*:* e0:*:* ef:*:* fe:*:* ff:*:* }
+
+## Allow all mouses and keyboards, in a sense, so the user can conveniently
+## change them without restrating the daemon.
+
+## Allow only one keyboard to be connected
+allow with-interface equals { 03:01:01 } if !allowed-matches(with-interface equals { 03:01:01 })
+## Allow only one mouse to be connected
+allow with-interface equals { 03:01:02 } if !allowed-matches(with-interface equals { 03:01:02 })
+## NOTE: Some HID devices will have an interface of 03:00:00 - these are HID
+## devices that do not support a "boot interface". **These are blocked
+## entirely.** It is very likely that this will cause issues with some mice
+## and keyboards. Also note, all HID devices other than mice and keyboards
+## will be blocked, **including touchscreens.**
+
+## Explicitly reject any device with a mouse/keyboard interface in
+## combination with some other interface.
+## Mice and keyboards should likely never have non-HID interfaces provided
+## alongside them.
+reject with-interface all-of { 03:*:* 00:*:* }
+reject with-interface all-of { 03:*:* 01:*:* }
+reject with-interface all-of { 03:*:* 02:*:* }
+reject with-interface all-of { 03:*:* 05:*:* }
+reject with-interface all-of { 03:*:* 06:*:* }
+reject with-interface all-of { 03:*:* 07:*:* }
+reject with-interface all-of { 03:*:* 08:*:* }
+reject with-interface all-of { 03:*:* 09:*:* }
+reject with-interface all-of { 03:*:* 0a:*:* }
+reject with-interface all-of { 03:*:* 0b:*:* }
+reject with-interface all-of { 03:*:* 0d:*:* }
+reject with-interface all-of { 03:*:* 0e:*:* }
+reject with-interface all-of { 03:*:* 0f:*:* }
+reject with-interface all-of { 03:*:* 10:*:* }
+reject with-interface all-of { 03:*:* 11:*:* }
+reject with-interface all-of { 03:*:* 12:*:* }
+reject with-interface all-of { 03:*:* 13:*:* }
+reject with-interface all-of { 03:*:* 14:*:* }
+reject with-interface all-of { 03:*:* 3c:*:* }
+reject with-interface all-of { 03:*:* dc:*:* }
+reject with-interface all-of { 03:*:* e0:*:* }
+reject with-interface all-of { 03:*:* ef:*:* }
+reject with-interface all-of { 03:*:* fe:*:* }
+reject with-interface all-of { 03:*:* ff:*:* }
+
+## Allow USB mass storage, if and only if the USB device only has the mass
+## storage interface and nothing extra.
+## Suspicious interface combinations with mass storage are blocked.
+allow with-interface equals { 08:*:* }
+