Merge branch 'Kicksecure:master' into docs

README.md

@@ -63,9 +63,8 @@ configuration file and significant hardening is applied to a myriad of component
 
 #### User space
 
-- Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it
-  enables programs to inspect and modify other active processes. Optional - Disable
-  usage of `ptrace()` by all processes.
+- Disable the usage of `ptrace()` by all processes as it enables programs to inspect
+  and modify other active processes.
 
 - Maximize the bits of entropy used for mmap ASLR across all CPU architectures.
 
@@ -126,7 +125,8 @@ configuration file and significant hardening is applied to a myriad of component
 - Disable source routing which allows users to redirect network traffic that
   can result in man-in-the-middle attacks.
 
-- Do not accept IPv6 router advertisements and solicitations.
+- Do not accept IPv6 router advertisements (RAs) and solicitations which can result
+  in both man-in-the-middle and denial-of-service attacks.
 
 - Optional - Disable SACK and DSACK as they have historically been a known
   vector for exploitation.

changelog.upstream

@@ -1,3 +1,72 @@
+commit f5b7aab87ec6640eb1969bb4be05bb5b0ff04a3c
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Sat Oct 18 05:18:55 2025 -0400
+
+    update
+
+commit 806eec423a7a6acb0d5eabc5872c9a5d121a4dc3
+Merge: 6cc1c27f 70fbbc23
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Sat Oct 18 04:44:41 2025 -0400
+
+    Merge remote-tracking branch 'ArrayBolt3/arraybolt3/trixie'
+
+commit 70fbbc230c0c5366b7a09d531012d18b1e88e07b
+Author: Aaron Rainbolt <arraybolt3@ubuntu.com>
+Date:   Fri Oct 17 15:49:42 2025 -0500
+
+    Set USBGuard settings to permit USB hubs and Qubes USB passthrough
+
+commit 3d5e659b78cf2588f95280c13b1ebdf24060fb6f
+Author: Aaron Rainbolt <arraybolt3@ubuntu.com>
+Date:   Wed Oct 15 19:02:48 2025 -0500
+
+    Remove trailing spaces
+
+commit 29639fe69e12ff71ec422a0137b5dbaade9179c3
+Merge: 026d55ac 0c8f2f1b
+Author: Aaron Rainbolt <arraybolt3@ubuntu.com>
+Date:   Wed Oct 15 19:01:08 2025 -0500
+
+    Merge remote-tracking branch 'raja/bad_ipv6_ra' into arraybolt3/trixie
+
+commit 026d55ac410bf747db03c0cf9475b3408bce7f8e
+Author: Aaron Rainbolt <arraybolt3@ubuntu.com>
+Date:   Wed Oct 15 18:30:52 2025 -0500
+
+    Typo fixes
+
+commit 35fce26476b20eda81544f583bd2b2124b8e96b0
+Merge: 4f63af42 23041741
+Author: Aaron Rainbolt <arraybolt3@ubuntu.com>
+Date:   Wed Oct 15 18:18:33 2025 -0500
+
+    Merge remote-tracking branch 'raja/stop_ptrace' into arraybolt3/trixie
+
+commit 4f63af4200de23e2216be6d3e7f1055af02dbc3b
+Author: Aaron Rainbolt <arraybolt3@ubuntu.com>
+Date:   Wed Oct 15 17:53:26 2025 -0500
+
+    Allow listing USB devices via usbguard
+
+commit 23041741715cc5f3d16378d6bb34719ceaa1642c
+Author: raja-grewal <rg_public@proton.me>
+Date:   Sun Oct 12 02:32:45 2025 +0000
+
+    Insert empty new line
+
+commit 7161430a6000c4ff5e15a9a8c9519529655a1444
+Author: raja-grewal <rg_public@proton.me>
+Date:   Sun Oct 12 02:27:48 2025 +0000
+
+    Seperate `ptrace()` disabling into own file
+
+commit 6cc1c27fb376d02adc6c5cddf64b030e2e694711
+Author: Patrick Schleizer <adrelanos@whonix.org>
+Date:   Fri Oct 10 12:08:28 2025 +0000
+
+    bumped changelog version
+
 commit 4d9c3dc357ae92b735cf96f121491f7eed1be9f5
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Fri Oct 10 08:08:10 2025 -0400
@@ -73,6 +142,12 @@ Date:   Mon Oct 6 15:03:31 2025 -0500
 
     Remove unsafe sanitizer compiler flags from emerg-shutdown
 
+commit 0c8f2f1b44049b676251775d64e23651e9225d00
+Author: raja-grewal <rg_public@proton.me>
+Date:   Thu Oct 2 07:05:00 2025 +0000
+
+    Add docs about the risks associated with IPv6 RAs
+
 commit dd961b84272247f4e8f01d3042d8ca256ccf50d2
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Sun Sep 28 21:09:46 2025 +0000
@@ -98,6 +173,12 @@ Date:   Sun Sep 28 14:11:10 2025 -0500
 
     Allow users in the qubes group to access USBGuard IPC
 
+commit 194b8fce4e5a8e9c642171853d7b0491debced55
+Author: raja-grewal <rg_public@proton.me>
+Date:   Sun Sep 28 03:20:24 2025 +0000
+
+    Disable the usage of `ptrace()` by all processes
+
 commit 22c9863493b326d8ec730ecdf721593b836baf99
 Author: Patrick Schleizer <adrelanos@whonix.org>
 Date:   Fri Sep 26 08:40:20 2025 +0000

debian/changelog

@@ -1,3 +1,9 @@
+security-misc (3:48.5-1) unstable; urgency=medium
+
+  * New upstream version (local package).
+
+ -- Patrick Schleizer <adrelanos@whonix.org>  Sat, 18 Oct 2025 09:19:07 +0000
+
 security-misc (3:48.4-1) unstable; urgency=medium
 
   * New upstream version (local package).

debian/security-misc-shared.install

@@ -116,6 +116,7 @@ usr/lib/permission-hardener.d/25_default_whitelist_spice.conf#security-misc-shar
 usr/lib/sysctl.d/30_silent-kernel-printk.conf#security-misc-shared => /usr/lib/sysctl.d/30_silent-kernel-printk.conf
 usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared => /usr/lib/sysctl.d/990-security-misc.conf
 usr/lib/sysctl.d/30_security-misc_kexec-disable.conf#security-misc-shared => /usr/lib/sysctl.d/30_security-misc_kexec-disable.conf
+usr/lib/sysctl.d/30_security-misc_ptrace-disable.conf#security-misc-shared => /usr/lib/sysctl.d/30_security-misc_ptrace-disable.conf
 usr/share/glib-2.0/schemas/30_security-misc.gschema.override#security-misc-shared => /usr/share/glib-2.0/schemas/30_security-misc.gschema.override
 usr/share/doc/security-misc/fstab-vm#security-misc-shared => /usr/share/doc/security-misc/fstab-vm
 usr/share/pam-configs/faillock-preauth-security-misc#security-misc-shared => /usr/share/pam-configs/faillock-preauth-security-misc

etc/usbguard/IPCAccessControl.d/:qubes#security-misc-shared

@@ -1 +1 @@
-Devices=listen
+Devices=listen,list

etc/usbguard/IPCAccessControl.d/:sudo#security-misc-shared

@@ -1 +1 @@
-Devices=listen
+Devices=listen,list

etc/usbguard/rules.d/30_security-misc.conf#security-misc-shared

@@ -66,3 +66,6 @@ reject with-interface one-of { ef:04:* }
 ## Suspicious interface combinations with mass storage are blocked.
 allow with-interface equals { 08:*:* }
 
+## Allow USB hubs, these are likely safe and are required for Qubes OS USB
+## passthrough to work.
+allow with-interface equals { 09:*:* }

usr/lib/sysctl.d/30_security-misc_ptrace-disable.conf#security-misc-shared

@@ -0,0 +1,24 @@
+## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Definitions:
+## KSPP=yes: compliant with recommendations by the KSPP
+## KSPP=partial: partially compliant with recommendations by the KSPP
+## KSPP=no: not (currently) compliant with recommendations by the KSPP
+## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP.
+
+## Disable the usage of the ptrace() system call by all processes.
+## Restrict ptrace() as it enables programs to inspect and modify other active processes.
+## Prevents native code debugging which some programs use as a method to detect tampering.
+## May cause breakages in 'anti-cheat' software and programs running under Proton/WINE.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html#ptrace-scope
+## https://en.wikipedia.org/wiki/Ptrace
+## https://grapheneos.org/features#attack-surface-reduction
+## https://github.com/GrapheneOS/os-issue-tracker/issues/651#issuecomment-917599928
+## https://github.com/netblue30/firejail/issues/2860
+##
+## KSPP=yes
+## KSPP sets the sysctl.
+##
+kernel.yama.ptrace_scope=3

usr/lib/sysctl.d/990-security-misc.conf#security-misc-shared

@@ -241,8 +241,8 @@ kernel.io_uring_disabled=2
 ##
 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace
 
-## Restrict usage of the ptrace() system call to only processes with CAP_SYS_PTRACE.
-## Limit ptrace() as it enables programs to inspect and modify other active processes.
+## Disable the usage of the ptrace() system call by all processes.
+## Restrict ptrace() as it enables programs to inspect and modify other active processes.
 ## Prevents native code debugging which some programs use as a method to detect tampering.
 ## May cause breakages in 'anti-cheat' software and programs running under Proton/WINE.
 ##
@@ -252,13 +252,12 @@ kernel.io_uring_disabled=2
 ## https://github.com/GrapheneOS/os-issue-tracker/issues/651#issuecomment-917599928
 ## https://github.com/netblue30/firejail/issues/2860
 ##
-## KSPP=partial
-## KSPP sets the stricter sysctl kernel.yama.ptrace_scope=3.
+## KSPP=yes
+## KSPP sets the sysctl.
 ##
-## It is possible to harden further by disabling ptrace() for all users, see documentation.
-## https://github.com/Kicksecure/security-misc/pull/242
+## See /usr/lib/sysctl.d/30_security-misc_ptrace-disable.conf for implementation.
 ##
-kernel.yama.ptrace_scope=2
+#kernel.yama.ptrace_scope=3
 
 ## Maximize bits of entropy for improved effectiveness of mmap ASLR.
 ## The maximum number of bits depends on CPU architecture (the ones shown below are for x86).
@@ -529,7 +528,15 @@ net.ipv4.icmp_ignore_bogus_error_responses=1
 net.ipv4.conf.*.accept_source_route=0
 net.ipv6.conf.*.accept_source_route=0
 
-## Do not accept IPv6 router advertisements and solicitations.
+## Do not accept IPv6 router advertisements (RAs) and solicitations.
+## RAs are unsecured and unauthenticated and any device on the local link can send and accept them without verification.
+## Malicious RAs can activate IPv6 connectivity on dormant hosts leading to unauthorized access.
+## Flooding the network with malicious RAs can lead to denial of service attacks.
+## Rogue RAs can lead to interception of all network traffic by setting the attacker's system as the default gateway.
+##
+## https://datatracker.ietf.org/doc/html/rfc6104
+## https://datatracker.ietf.org/doc/html/rfc6105
+## https://archive.conference.hitb.org/hitbsecconf2012kul/materials/D1T2%20-%20Marc%20Heuse%20-%20IPv6%20Insecurity%20Revolutions.pdf
 ##
 net.ipv6.conf.*.accept_ra=0