mirror of
https://github.com/Kicksecure/security-misc.git
synced 2025-08-08 05:42:18 -04:00
minor
This commit is contained in:
Patrick Schleizer
parent
6157e328f4
commit
f7772fb85a
1 changed files with 17 additions and 17 deletions
34
README.md
34
README.md
|
|
@ -16,10 +16,10 @@ configuration file.
|
||||||
Significant hardening is applied by default to a myriad of components within kernel
|
Significant hardening is applied by default to a myriad of components within kernel
|
||||||
space, user space, core dumps, and swap space.
|
space, user space, core dumps, and swap space.
|
||||||
|
|
||||||
- Restrict access to kernel addresses through the us of kernel pointers regardless
|
- Restrict access to kernel addresses through the us of kernel pointers regardless
|
||||||
of user privileges.
|
of user privileges.
|
||||||
|
|
||||||
- Restrict access to the kernel logs to `CAP_SYSLOG` as the often contain
|
- Restrict access to the kernel logs to `CAP_SYSLOG` as the often contain
|
||||||
sensitive information.
|
sensitive information.
|
||||||
|
|
||||||
- Prevent kernel information leaks in the console during boot.
|
- Prevent kernel information leaks in the console during boot.
|
||||||
|
|
@ -46,7 +46,7 @@ space, user space, core dumps, and swap space.
|
||||||
- Disable asynchronous I/O (when using Linux kernel version >= 6.6).
|
- Disable asynchronous I/O (when using Linux kernel version >= 6.6).
|
||||||
|
|
||||||
- Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it
|
- Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it
|
||||||
enables programs to inspect and modify other active processes. Provide the
|
enables programs to inspect and modify other active processes. Provide the
|
||||||
option to also entirely disable the use of `ptrace()` for all processes.
|
option to also entirely disable the use of `ptrace()` for all processes.
|
||||||
|
|
||||||
- Prevent hardlink and symlink TOCTOU races in world-writable directories.
|
- Prevent hardlink and symlink TOCTOU races in world-writable directories.
|
||||||
|
|
@ -67,10 +67,10 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6.
|
||||||
|
|
||||||
- Protect against TCP time-wait assassination hazards.
|
- Protect against TCP time-wait assassination hazards.
|
||||||
|
|
||||||
- Enables reverse path filtering (source validation) of packets received
|
- Enables reverse path filtering (source validation) of packets received
|
||||||
from all interfaces to prevent IP spoofing.
|
from all interfaces to prevent IP spoofing.
|
||||||
|
|
||||||
- Disable ICMP redirect acceptance and redirect sending messages to
|
- Disable ICMP redirect acceptance and redirect sending messages to
|
||||||
prevent man-in-the-middle attacks and minimise information disclosure.
|
prevent man-in-the-middle attacks and minimise information disclosure.
|
||||||
|
|
||||||
- Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks.
|
- Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks.
|
||||||
|
|
@ -87,7 +87,7 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6.
|
||||||
|
|
||||||
- Disable TCP timestamps as it can allow detecting the system time.
|
- Disable TCP timestamps as it can allow detecting the system time.
|
||||||
|
|
||||||
- Provide the option to log of packets with impossible source or destination
|
- Provide the option to log of packets with impossible source or destination
|
||||||
addresses to enable further inspection and analysis.
|
addresses to enable further inspection and analysis.
|
||||||
|
|
||||||
- Provide the option to enable IPv6 Privacy Extensions.
|
- Provide the option to enable IPv6 Privacy Extensions.
|
||||||
|
|
@ -102,20 +102,20 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6.
|
||||||
### Boot parameters
|
### Boot parameters
|
||||||
|
|
||||||
Mitigations for known CPU vulnerabilities are enabled in their strictest form
|
Mitigations for known CPU vulnerabilities are enabled in their strictest form
|
||||||
and simultaneous multithreading (SMT) is disabled. See the
|
and simultaneous multithreading (SMT) is disabled. See the
|
||||||
`/etc/default/grub.d/40_cpu_mitigations.cfg` configuration file.
|
`/etc/default/grub.d/40_cpu_mitigations.cfg` configuration file.
|
||||||
|
|
||||||
Boot parameters relating to kernel hardening, DMA mitigations, and entropy
|
Boot parameters relating to kernel hardening, DMA mitigations, and entropy
|
||||||
generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg`
|
generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg`
|
||||||
configuration file.
|
configuration file.
|
||||||
|
|
||||||
- Disable merging of slabs with similar size which reduces the risk of
|
- Disable merging of slabs with similar size which reduces the risk of
|
||||||
triggering heap overflows and limits influencing slab cache layout.
|
triggering heap overflows and limits influencing slab cache layout.
|
||||||
|
|
||||||
- Enable memory zeroing at both allocation and free time which mitigate some
|
- Enable memory zeroing at both allocation and free time which mitigate some
|
||||||
use-after-free vulnerabilities by erasing sensitive information in memory.
|
use-after-free vulnerabilities by erasing sensitive information in memory.
|
||||||
|
|
||||||
- Enable the kernel page allocator to randomise free lists to limit some data
|
- Enable the kernel page allocator to randomise free lists to limit some data
|
||||||
exfiltration and ROP attacks especially during the early boot process.
|
exfiltration and ROP attacks especially during the early boot process.
|
||||||
|
|
||||||
- Enable kernel page table isolation increase KASLR effectiveness and also
|
- Enable kernel page table isolation increase KASLR effectiveness and also
|
||||||
|
|
@ -124,13 +124,13 @@ configuration file.
|
||||||
- Enables randomisation of the kernel stack offset on syscall entries to harden
|
- Enables randomisation of the kernel stack offset on syscall entries to harden
|
||||||
against memory corruption attacks.
|
against memory corruption attacks.
|
||||||
|
|
||||||
- Disable vsyscalls as they are vulnerable to ROP attacks and have now been
|
- Disable vsyscalls as they are vulnerable to ROP attacks and have now been
|
||||||
replaced by vDSO.
|
replaced by vDSO.
|
||||||
|
|
||||||
- Restrict access to debugfs by not registering the file system since it can
|
- Restrict access to debugfs by not registering the file system since it can
|
||||||
contain sensitive information.
|
contain sensitive information.
|
||||||
|
|
||||||
- Force kernel panics on "oopses" to potentially indicate and thwart certain
|
- Force kernel panics on "oopses" to potentially indicate and thwart certain
|
||||||
kernel exploitation attempts.
|
kernel exploitation attempts.
|
||||||
|
|
||||||
- Provide option to modify machine check exception handler.
|
- Provide option to modify machine check exception handler.
|
||||||
|
|
@ -144,7 +144,7 @@ configuration file.
|
||||||
- Do not credit the CPU or bootloader as entropy sources at boot in order to
|
- Do not credit the CPU or bootloader as entropy sources at boot in order to
|
||||||
maximise the absolute quantity of entropy in the combined pool.
|
maximise the absolute quantity of entropy in the combined pool.
|
||||||
|
|
||||||
- Obtain more entropy at boot from RAM as the runtime memory allocator is
|
- Obtain more entropy at boot from RAM as the runtime memory allocator is
|
||||||
being initialised.
|
being initialised.
|
||||||
|
|
||||||
- Provide option to disable the entire IPv6 stack to reduce attack surface.
|
- Provide option to disable the entire IPv6 stack to reduce attack surface.
|
||||||
|
|
@ -188,8 +188,8 @@ modules from automatically starting.
|
||||||
|
|
||||||
- CD-ROM/DVD: Blacklist modules required for CD-ROM/DVD devices.
|
- CD-ROM/DVD: Blacklist modules required for CD-ROM/DVD devices.
|
||||||
|
|
||||||
- Framebuffer Drivers: Blacklisted as they are well-known to be buggy, cause
|
- Framebuffer Drivers: Blacklisted as they are well-known to be buggy, cause
|
||||||
kernel panics, and are generally only used by legacy devices.
|
kernel panics, and are generally only used by legacy devices.
|
||||||
|
|
||||||
- Miscellaneous: Blacklist an assortment other modules to prevent them from
|
- Miscellaneous: Blacklist an assortment other modules to prevent them from
|
||||||
automatically loading.
|
automatically loading.
|
||||||
|
|
@ -204,7 +204,7 @@ disabling should first be blacklisted for a suitable amount of time.
|
||||||
|
|
||||||
- FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks.
|
- FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks.
|
||||||
|
|
||||||
- GPS: Disable GPS-related modules such as those required for Global Navigation
|
- GPS: Disable GPS-related modules such as those required for Global Navigation
|
||||||
Satellite Systems (GNSS).
|
Satellite Systems (GNSS).
|
||||||
|
|
||||||
- Intel Management Engine (ME): Provides some disabling of the interface between the
|
- Intel Management Engine (ME): Provides some disabling of the interface between the
|
||||||
|
|
@ -305,7 +305,7 @@ See:
|
||||||
`/usr/lib/modules-load.d/30_security-misc.conf` configuration file.
|
`/usr/lib/modules-load.d/30_security-misc.conf` configuration file.
|
||||||
|
|
||||||
- Distrusts the CPU for initial entropy at boot as it is not possible to
|
- Distrusts the CPU for initial entropy at boot as it is not possible to
|
||||||
audit, may contain weaknesses or a backdoor. Similarly, do not credit the
|
audit, may contain weaknesses or a backdoor. Similarly, do not credit the
|
||||||
bootloader seed for initial entropy. For references, see:
|
bootloader seed for initial entropy. For references, see:
|
||||||
`/etc/default/grub.d/40_kernel_hardening.cfg`
|
`/etc/default/grub.d/40_kernel_hardening.cfg`
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue