diff --git a/README.md b/README.md index ac12886..67ce5de 100644 --- a/README.md +++ b/README.md @@ -44,16 +44,15 @@ configuration file and significant hardening is applied to a myriad of component - Restrict kernel profiling and the performance events system to `CAP_PERFMON`. -- Force the kernel to panic on both "oopses", which can potentially indicate and thwart - certain kernel exploitation attempts, and also kernel warnings in the `WARN()` path. +- Force the kernel to immediately panic on both "oopses" (which can potentially indicate + and thwart certain kernel exploitation attempts) and kernel warnings in the `WARN()` path. -- Optional - Force immediate reboot on the occurrence of a single kernel panic and also - (when using Linux kernel >= 6.2) limit the number of allowed panics to one. +- Force immediate system reboot on the occurrence of a single kernel panic, reducing the + risk and impact of both denial of service and cold boot attacks. - Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. -- Disable asynchronous I/O (when using Linux kernel >= 6.6) as `io_uring` has been - the source of numerous kernel exploits. +- Disable asynchronous I/O as `io_uring` has been the source of numerous kernel exploits. #### User space 
@@ -221,12 +220,10 @@ Kernel space: - Disable 32-bit vDSO mappings as they are a legacy compatibility feature. -- Optional - Use kCFI as the default CFI implementation (when using Linux kernel >= 6.2) - since it may be slightly more resilient to attacks that are able to write - arbitrary executables in memory. +- Use kCFI as the default CFI implementation as it is more resilient to attacks that are + able to write arbitrary executables into memory omitting the necessary hash validation. -- Optional - Disable support for all x86 processes and syscalls (when using Linux kernel >= 6.7) - to reduce attack surface. +- Disable support for all 32-bit x86 processes and syscalls to reduce attack surface. - Disable the EFI persistent storage feature which prevents the kernel from writing crash logs and other persistent data to either the UEFI variable storage or ACPI ERST backends. @@ -280,23 +277,15 @@ Completely disables `ptrace()`. Can be enabled easily if needed. * [security-misc pull request #242](https://github.com/Kicksecure/security-misc/pull/242) -2. `sysctl kernel.panic=-1` - -Forces an immediate reboot on kernel panic. This can be enabled, but it may lead to unexpected -system crashes. - -* [security-misc pull request #264](https://github.com/Kicksecure/security-misc/pull/264) -* [security-misc pull request #268](https://github.com/Kicksecure/security-misc/pull/268) - **Non-compliance:** -3. `sysctl user.max_user_namespaces=0` +2. `sysctl user.max_user_namespaces=0` Disables user namespaces entirely. Not recommended due to the potential for widespread breakages. * [security-misc pull request #263](https://github.com/Kicksecure/security-misc/pull/263) -4. `sysctl fs.binfmt_misc.status=0` +3. `sysctl fs.binfmt_misc.status=0` Disables the registration of interpreters for miscellaneous binary formats. Currently not feasible due to compatibility issues with Firefox. 
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 671c28b..513b5c8 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -186,15 +186,14 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0" ## The default implementation is FineIBT as of Linux kernel 6.2. ## The Intel-developed IBT (Indirect Branch Tracking) is only used if supported by the CPU. ## kCFI is software-only while FineIBT is a hybrid software/hardware implementation. -## FineIBT may result in some performance benefits as it only performs checking at destinations. +## FineIBT may result in some performance benefits as it only performs hash checks at the destinations. +## kCFI mandates hash validation at the source (which is randomized), making it more difficult to bypass. ## FineIBT is considered weaker against attacks that can write arbitrary executables into memory. -## Upstream hardening work has provided users the ability to disable FineIBT based on requests. -## Choice of CFI implementation is highly dependent on user threat model as there are pros/cons to both. -## Do not modify from the default setting if unsure of implications. ## -## https://lore.kernel.org/all/20221027092842.699804264@infradead.org/ +## https://lwn.net/Articles/891976/ ## https://lore.kernel.org/lkml/202210010918.4918F847C4@keescook/T/#u ## https://lore.kernel.org/lkml/202210182217.486CBA50@keescook/T/ +## https://lore.kernel.org/all/20221027092842.699804264@infradead.org/ ## https://lore.kernel.org/lkml/202407150933.E1871BE@keescook/ ## https://isopenbsdsecu.re/mitigations/forward_edge_cfi/ ## https://docs.kernel.org/next/x86/shstk.html 
@@ -205,12 +204,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0" ## KSPP=yes ## KSPP sets the kernel parameter. ## -## TODO: Debian 13 Trixie -## Applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness). -## -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX cfi=kcfi" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX cfi=kcfi" -## Disable support for x86 processes and syscalls. +## Disable support for all 32-bit x86 processes and syscalls. ## Unconditionally disables IA32 emulation to substantially reduce attack surface. ## ## https://lore.kernel.org/all/20230623111409.3047467-7-nik.borisov@suse.com/ @@ -218,10 +214,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0" ## KSPP=yes ## KSPP does not set CONFIG_COMPAT, CONFIG_IA32_EMULATION, CONFIG_X86_X32, CONFIG_X86_X32_ABI, and CONFIG_MODIFY_LDT_SYSCALL. ## -## TODO: Debian 13 Trixie -## Applicable when using Linux kernel >= 6.7 (retained here for future-proofing and completeness). -## -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0" ## Disable EFI persistent storage feature. ## Disable Error Record Serialization Table (ERST) support as a form of defense-in-depth. diff --git a/etc/default/grub.d/41_recovery_restrict.cfg b/etc/default/grub.d/41_recovery_restrict.cfg index f54247b..5da19e7 100644 --- a/etc/default/grub.d/41_recovery_restrict.cfg +++ b/etc/default/grub.d/41_recovery_restrict.cfg 
@@ -7,14 +7,17 @@ ## KSPP=no: not (currently) compliant with recommendations by the KSPP ## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. -## Disable access to single-user (recovery) mode. +## Disable access to the GRUB single-user (recovery) mode menu entries. ## ## https://forums.kicksecure.com/t/remove-linux-recovery-mode-boot-option-from-default-grub-boot-menu/727 ## GRUB_DISABLE_RECOVERY="true" ## Disable access to Dracut's recovery console. +## Prevents the emergency shell from starting automatically during boot failures. ## +## https://insinuator.net/2025/07/insecure-boot-injecting-initramfs-from-a-debug-shell/ +## https://serverfault.com/questions/554853/how-can-i-secure-the-dracut-shell ## https://forums.kicksecure.com/t/harden-dracut-initramfs-generator-by-disabling-recovery-console/724 ## GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT rd.emergency=halt" diff --git a/etc/modprobe.d/30_security-misc_blacklist.conf b/etc/modprobe.d/30_security-misc_blacklist.conf index 5ce1edc..936e26a 100644 --- a/etc/modprobe.d/30_security-misc_blacklist.conf +++ b/etc/modprobe.d/30_security-misc_blacklist.conf @@ -27,7 +27,7 @@ blacklist sr_mod ## Partial selection of their infrastructure blacklist. ## Duplicate and already disabled modules have been omitted. ## -## https://github.com/GrapheneOS/infrastructure/blob/main/modprobe.d/local.conf +## https://github.com/GrapheneOS/infrastructure/blob/main/etc/modprobe.d/local.conf ## #blacklist cfg80211 #blacklist intel_agp diff --git a/etc/security/limits.d/30_security-misc.conf b/etc/security/limits.d/30_security-misc.conf index d494b14..52e9d78 100644 --- a/etc/security/limits.d/30_security-misc.conf +++ b/etc/security/limits.d/30_security-misc.conf @@ -2,4 +2,6 @@ ## See the file COPYING for copying conditions. ## Disable coredumps. -* hard core 0 +## `-` in the second field sets both hard and soft limits at the same time. +## See `man 5 limits.conf`. +* - core 0 
diff --git a/etc/ssh/ssh_config.d/30_security-misc.conf b/etc/ssh/ssh_config.d/30_security-misc.conf new file mode 100644 index 0000000..6693f72 --- /dev/null +++ b/etc/ssh/ssh_config.d/30_security-misc.conf @@ -0,0 +1,19 @@ +## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Don't edit this file, to overwrite any options, edit a file with a higher +## number that is read later by SSH, such as +## '/etc/ssh/ssh_config.d/50_user.conf'. If your configuration changes do not +## need to be system-wide, you may also consider placing overrides in +## ~/.ssh/config. + +Host * + VisualHostKey yes + Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr + MACs umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com + KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org + ## To force the use of quantum-resistant key exchange algorithms, override + ## the above with + # KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256 + HostKeyAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519 + PubkeyAcceptedAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519 diff --git a/etc/ssh/sshd_config.d/30_security-misc.conf b/etc/ssh/sshd_config.d/30_security-misc.conf new file mode 100644 index 0000000..5abf9cc --- /dev/null +++ b/etc/ssh/sshd_config.d/30_security-misc.conf 
@@ -0,0 +1,79 @@ +## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Don't edit this file, to overwrite any options, edit a file with a higher +## number that is read later by SSHD, such as +## '/etc/ssh/sshd_config.d/50_user.conf'. + +## This is okay because of strict firewall. For an onion-only server, listen +## on 127.0.0.1. +ListenAddress 0.0.0.0 + +## Number of allowed login attempts per connection. +MaxAuthTries 3 + +## Require strong ciphers and algorithms. +HostKey /etc/ssh/ssh_host_ed25519_key +HostKeyAlgorithms ssh-ed25519 +PubkeyAcceptedAlgorithms ssh-ed25519,sk-ssh-ed25519@openssh.com +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com +MACs umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com +KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org +## To force the use of quantum-resistant key exchange algorithms, override the +## above with +# KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256 + +## Override with 'no' to fully deny root login, or leave this as +## 'prohibit-password' for denying root password login but still allowing +## other authentication methods such as public key. +PermitRootLogin prohibit-password + +## Public key authentication is transparent, non-interactive and more secure. +PasswordAuthentication no + +## Change to 'yes' to enable challenge-response passwords (beware issues with +## some PAM modules and threads) +KbdInteractiveAuthentication no + +## PAM can be used for account and session processing when using +## ChallengeResponseAuthentication or PasswordAuthentication. +## +## Depending on your PAM configuration, PAM authentication via +## ChallengeResponseAuthentication may bypass the setting of "PermitRootLogin +## without-password". 
+## +## If you want PAM account and session checks to run without PAM +## authentication, then enable this but set PasswordAuthentication and +## ChallengeResponseAuthentication to 'no'. +## +## The default upstream is 'no', Debian sets this to 'yes'. If using a locked +## account, read: +## https://www.kicksecure.com/wiki/SSH#SSH_Login_Comparison_Table +## We set it to 'yes' to work with libpam-tmpdir. +## https://www.kicksecure.com/wiki/Dev/Strong_Linux_User_Account_Isolation@libpam-tmpdir +## Also folders such as '/run/user/1000' will exist thanks to PAM. +## The absence of that folder can lead to issues (such as with msgcollector). +UsePAM yes + +## Block dangerous forwarding. +AllowAgentForwarding no +AllowTcpForwarding no +X11Forwarding no + +## Hide unnecessary login banners. +PrintMotd no +#Banner /etc/issue.net +#Hiding Debian version from SSH banner (obscurity) +DebianBanner no + +## Some options are dangerous but may be required in certain circumstances. As +## an example, if forwarding is required, selectively allow it with a 'Match' +## block. Consider a new separate user named 'tunnel' which wants to forward +## its local port to be available on the server on port 443. Note that a +## tunnel user doesn't even require a TTY nor a shell, so don't forget to +## change the 'tunnel' shell to something that prevents login such as +## '/usr/sbin/nologin'. +#Match User tunnel +# AllowTcpForwarding yes +# PermitListen localhost:443 +# PermitTTY no diff --git a/etc/thunderbird/pref/40_security-misc.js b/etc/thunderbird/pref/40_security-misc.js deleted file mode 100644 index 931f9d2..0000000 --- a/etc/thunderbird/pref/40_security-misc.js +++ /dev/null 
@@ -1,59 +0,0 @@ -//#### Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -//#### See the file COPYING for copying conditions. - -//#### meta start -//#### project Whonix and Kicksecure -//#### category security and apps -//#### description https://forums.whonix.org/t/enable-network-idn-show-punycode-by-default-in-thunderbird-to-fix-url-not-showing-real-domain-name-homograph-attack-punycode/8415 -//#### meta end - -// https://forums.whonix.org/t/enable-network-idn-show-punycode-by-default-in-thunderbird-to-fix-url-not-showing-real-domain-name-homograph-attack-punycode/8415 -pref("network.IDN_show_punycode", true); - -// Disable all and any kind of telemetry by default -pref("toolkit.telemetry.enabled", false); -pref("toolkit.telemetry.unified", false); -pref("toolkit.telemetry.shutdownPingSender.enabled", false); -pref("toolkit.telemetry.updatePing.enabled", false); -pref("toolkit.telemetry.archive.enabled", false); -pref("toolkit.telemetry.bhrPing.enabled", false); -pref("toolkit.telemetry.firstShutdownPing.enabled", false); -pref("toolkit.telemetry.newProfilePing.enabled", false); -pref("toolkit.telemetry.server", ""); // Defense in depth -pref("toolkit.telemetry.server_owner", ""); // Defense in depth -pref("datareporting.healthreport.uploadEnabled", false); -pref("datareporting.policy.dataSubmissionEnabled", false); -pref("toolkit.telemetry.coverage.opt-out", true); // from Firefox -pref("toolkit.coverage.opt-out", true); // from Firefox - -// Disable implicit outbound traffic -pref("network.connectivity-service.enabled", false); -pref("network.prefetch-next", false); -pref("network.dns.disablePrefetch", true); -pref("network.predictor.enabled", false); - -// No need to explain the problems with javascript -// If you want javascript, use your browser -// Thunderbird needs no javascript -// pref("javascript.enabled", false); // Will break setting up services that require redirecting to their javascripted webpage for login, like gmail etc. 
So commented out for now. - -// Disable scripting when viewing pdf files -user_pref("pdfjs.enableScripting", false); - -// If you want cookies, use your browser -pref("network.cookie.cookieBehavior", 2); - -// Do not send user agent information -// For email clients, this is more like a relic of the past -// Completely not necessary and just exposes a lot of information about the client -// Since v115.0 Thunderbird already minimizes the user agent -// But we want it gone for good for no information leak at all -// https://hg.mozilla.org/comm-central/rev/cbbbc8d93cd7 -pref("mailnews.headers.sendUserAgent", false); - -// Normally we send emails after marking them with a time stamp -// That includes our local time zone -// This option makes our local time zone appear as UTC -// And rounds the time stamp to the closes minute -// https://hg.mozilla.org/comm-central/rev/98aa0bf2e719 -pref("mail.sanitize_date_header", true); diff --git a/etc/usbguard/rules.d/30_security-misc.conf b/etc/usbguard/rules.d/30_security-misc.conf new file mode 100644 index 0000000..9b63314 --- /dev/null +++ b/etc/usbguard/rules.d/30_security-misc.conf 
@@ -0,0 +1,55 @@ +## We allow devices that were plugged in before the daemon starts. Everything +## is blocked as the default. Following rules apply on top of this. + +## Explicitly reject any interface that is not documented and/or defined by +## USB.org. +## Note: Most probably superfluous. +reject with-interface none-of { 00:*:* 01:*:* 02:*:* 03:*:* 05:*:* 06:*:* 07:*:* 08:*:* 09:*:* 0a:*:* 0b:*:* 0d:*:* 0e:*:* 0f:*:* 10:*:* 11:*:* 12:*:* 13:*:* 14:*:* 3c:*:* dc:*:* e0:*:* ef:*:* fe:*:* ff:*:* } + +## Allow all mouses and keyboards, in a sense, so the user can conveniently +## change them without restrating the daemon. + +## Allow only one keyboard to be connected +allow with-interface equals { 03:01:01 } if !allowed-matches(with-interface equals { 03:01:01 }) +## Allow only one mouse to be connected +allow with-interface equals { 03:01:02 } if !allowed-matches(with-interface equals { 03:01:02 }) +## NOTE: Some HID devices will have an interface of 03:00:00 - these are HID +## devices that do not support a "boot interface". **These are blocked +## entirely.** It is very likely that this will cause issues with some mice +## and keyboards. Also note, all HID devices other than mice and keyboards +## will be blocked, **including touchscreens.** + +## Explicitly reject any device with a mouse/keyboard interface in +## combination with some other interface. +## Mice and keyboards should likely never have non-HID interfaces provided +## alongside them. 
+reject with-interface all-of { 03:*:* 00:*:* } +reject with-interface all-of { 03:*:* 01:*:* } +reject with-interface all-of { 03:*:* 02:*:* } +reject with-interface all-of { 03:*:* 05:*:* } +reject with-interface all-of { 03:*:* 06:*:* } +reject with-interface all-of { 03:*:* 07:*:* } +reject with-interface all-of { 03:*:* 08:*:* } +reject with-interface all-of { 03:*:* 09:*:* } +reject with-interface all-of { 03:*:* 0a:*:* } +reject with-interface all-of { 03:*:* 0b:*:* } +reject with-interface all-of { 03:*:* 0d:*:* } +reject with-interface all-of { 03:*:* 0e:*:* } +reject with-interface all-of { 03:*:* 0f:*:* } +reject with-interface all-of { 03:*:* 10:*:* } +reject with-interface all-of { 03:*:* 11:*:* } +reject with-interface all-of { 03:*:* 12:*:* } +reject with-interface all-of { 03:*:* 13:*:* } +reject with-interface all-of { 03:*:* 14:*:* } +reject with-interface all-of { 03:*:* 3c:*:* } +reject with-interface all-of { 03:*:* dc:*:* } +reject with-interface all-of { 03:*:* e0:*:* } +reject with-interface all-of { 03:*:* ef:*:* } +reject with-interface all-of { 03:*:* fe:*:* } +reject with-interface all-of { 03:*:* ff:*:* } + +## Allow USB mass storage, if and only if the USB device only has the mass +## storage interface and nothing extra. +## Suspicious interface combinations with mass storage are blocked. +allow with-interface equals { 08:*:* } + diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf b/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf index 2b55bd2..7c825e7 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf 
@@ -6,7 +6,7 @@ ## configuration. When security-misc is updated, this file may be overwritten. ## Used for SSH client key management -## https://manpages.debian.org/bookworm/openssh-client/ssh-agent.1.en.html +## https://manpages.debian.org/trixie/openssh-client/ssh-agent.1.en.html ## Debian installs ssh-agent with setgid permissions (2755) and with ## _ssh as the group to help mitigate ptrace attacks that could extract ## private keys from the agent's memory. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index eaa671e..0c44a05 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -164,14 +164,14 @@ kernel.sysrq=0 ## kernel.perf_event_paranoid=3 -## Force the kernel to panic on "oopses" and kernel warnings in the WARN() path. -## Can sometimes potentially indicate and thwart certain kernel exploitation attempts. +## Force the kernel to immediately panic on "oopses" and kernel warnings in the WARN() path. ## Panics may be due to false-positives such as bad drivers. +## Both allowed limits are set to one so that panics occur on the single first instance of either scenario. ## Oopses are serious but non-fatal errors. +## Certain "oopses" can sometimes indicate and thwart potential kernel exploitation attempts. ## Warnings are messages generated by the kernel to indicate unexpected conditions or errors. ## By default, code execution continues regardless of warnings emitted by macros like WARN() and WARN_ON(). ## Note that by forcing kernel panics on oopses and warnings, this exposes the system to targeted denial of service attacks. -## Forcing immediate system reboots on any single kernel panic is an extreme option. ## ## https://en.wikipedia.org/wiki/Kernel_panic#Linux ## https://en.wikipedia.org/wiki/Linux_kernel_oops 
@@ -180,36 +180,40 @@ kernel.perf_event_paranoid=3 ## https://git.sr.ht/~gregkh/presentation-security/tree/3fdaf81a2f8b2c8d64cdb2f529cc714624868aa8/item/security-stuff.pdf ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panisc-on-oops-1-sysctl-for-better-security/7713 ## -## KSPP=partial -## KSPP sets the sysctls, CONFIG_PANIC_ON_OOPS=y, but also requires CONFIG_PANIC_TIMEOUT=-1. +## KSPP=yes +## KSPP sets the sysctls and CONFIG_PANIC_ON_OOPS=y ## ## See /usr/libexec/security-misc/panic-on-oops for implementation. ## -## TODO: Debian 13 Trixie -## The limits are applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness). -## -#kernel.panic=-1 -#kernel.panic_on_oops=1 -#kernel.panic_on_warn=1 #kernel.oops_limit=1 #kernel.warn_limit=1 +## Force immediate system reboots on the occurrence of a single kernel panic. +## Ensures the system does not hang forever if a panic occurs, reducing susceptibility to cold boot attacks. +## Increases resilience and limits impact of denial of service attacks as system automatically restarts. +## Immediate rebooting also prevents persistent information disclosure on panic details that were dumped to screen. +## +## KSPP=yes +## KSPP sets CONFIG_PANIC_TIMEOUT=-1. +## +## See /usr/libexec/security-misc/panic-on-oops for implementation. +## +#kernel.panic=-1 + ## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. ## Can lead to privilege escalation by pushing characters into a controlling TTY. ## Will break out-dated screen readers that continue to rely on this legacy functionality. +## Note this was already disabled by default as of Linux kernel 6.2. ## ## https://lore.kernel.org/lkml/20221228205726.rfevry7ud6gmttg5@begin/T/ ## ## KSPP=yes ## KSPP sets the sysctl and does not set CONFIG_LEGACY_TIOCSTI. ## -## TODO: Debian 13 Trixie -## This is disabled by default when using Linux kernel >= 6.2. 
-## dev.tty.legacy_tiocsti=0 ## Disable asynchronous I/O for all processes. -## Leading cause of numerous kernel exploits. +## Use of io_uring has been the leading cause of numerous kernel exploits. ## Disabling will reduce the read/write performance of storage devices. ## ## https://en.wikipedia.org/wiki/Io_uring#Security @@ -218,9 +222,6 @@ dev.tty.legacy_tiocsti=0 ## https://github.com/moby/moby/pull/46762 ## https://forums.whonix.org/t/io-uring-security-vulnerabilties/16890 ## -## TODO: Debian 13 Trixie -## Applicable when using Linux kernel >= 6.6 (retained here for future-proofing and completeness). -## kernel.io_uring_disabled=2 ## 2. User Space: diff --git a/usr/lib/systemd/system/panic-on-oops.service b/usr/lib/systemd/system/panic-on-oops.service index 6b10ddc..429af3d 100644 --- a/usr/lib/systemd/system/panic-on-oops.service +++ b/usr/lib/systemd/system/panic-on-oops.service @@ -2,7 +2,7 @@ ## See the file COPYING for copying conditions. [Unit] -Description=Sets 'sysctl kernel.panic_on_oops=1' late during the boot process. +Description=Sets 'sysctl' settings relating to kernel panics on both oopses and warnings late during the boot process. Documentation=https://github.com/Kicksecure/security-misc ConditionKernelCommandLine=!panic-on-oops=0 diff --git a/usr/libexec/security-misc/apt-get-update b/usr/libexec/security-misc/apt-get-update deleted file mode 100755 index 9cbfd8e..0000000 --- a/usr/libexec/security-misc/apt-get-update +++ /dev/null 
@@ -1,46 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## TODO: Move this to helper-scripts. - -set -o errexit -set -o nounset -set -o errtrace -set -o pipefail - -command -v start-stop-daemon >/dev/null -command -v timeout >/dev/null -command -v apt-get >/dev/null - -export LC_ALL=C -pidfile="/run/helper-scripts/security-misc-apt-get-update-pid" - -sigterm_trap() { - /usr/libexec/helper-scripts/apt-get-update-kill-helper &>/dev/null - exit 143 -} - -## terminate potential previous invocations. -/usr/libexec/helper-scripts/apt-get-update-kill-helper &>/dev/null - -trap "sigterm_trap" SIGTERM SIGINT - -[[ -v timeout_after ]] || timeout_after="600" -[[ -v kill_after ]] || kill_after="10" - -start-stop-daemon \ - --make-pidfile \ - --pidfile "$pidfile" \ - --exec /usr/bin/timeout \ - --start \ - -- \ - --kill-after="$kill_after" \ - "$timeout_after" \ - apt-get update --error-on=any "$@" & - -lastpid="$!" -wait "$lastpid" - -exit "$?" diff --git a/usr/libexec/security-misc/apt-get-update-sanity-test b/usr/libexec/security-misc/apt-get-update-sanity-test deleted file mode 100755 index 7efac72..0000000 --- a/usr/libexec/security-misc/apt-get-update-sanity-test +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -set -x -set -e -set -o pipefail - -if ! printf '%s\n' "" | wc -l >/dev/null ; then - printf '%s\n' "\ -$0: ERROR: command 'wc' test failed! Do not ignore this! - -'wc' can core dump. Example: -zsh: illegal hardware instruction (core dumped) wc -l -https://github.com/rspamd/rspamd/issues/5137" >&2 - exit 1 -fi - -wc -L "/var/lib/apt/lists/"*InRelease -wc -L "/var/lib/apt/lists/"*InRelease | awk '$1 > 1024 {print; exit 1}' diff --git a/usr/libexec/security-misc/askpass b/usr/libexec/security-misc/askpass index 56ecffc..d428975 100755 --- a/usr/libexec/security-misc/askpass 
+++ b/usr/libexec/security-misc/askpass @@ -7,4 +7,4 @@ set -e title="$0: password required for $(whoami) to perform action as superuser" -zenity --password --title="$title" +yad --password --title="$title" diff --git a/usr/libexec/security-misc/panic-on-oops b/usr/libexec/security-misc/panic-on-oops index 749eb3c..83ceeac 100755 --- a/usr/libexec/security-misc/panic-on-oops +++ b/usr/libexec/security-misc/panic-on-oops @@ -12,12 +12,15 @@ if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then source /usr/libexec/helper-scripts/pre.bsh fi -## Makes the kernel panic on oopses and warnings. This prevents the -## kernel from continuing to run a flawed processes. Many kernel -## exploits will also cause an oops, these settings will make the -## kernel kill the offending processes. -#sysctl kernel.panic=-1 -sysctl kernel.panic_on_oops=1 -sysctl kernel.panic_on_warn=1 -#sysctl kernel.oops_limit=1 -#sysctl kernel.warn_limit=1 +## Makes the kernel immediately panic on both oopses and warnings. +## These settings force a full system crash rather than continuing +## to run after an inconsistent state is triggered by a potentially +## flawed processes. The reasons for the errors could be kernel +## exploit attempts but may also simply be general software bugs. +sysctl kernel.oops_limit=1 +sysctl kernel.warn_limit=1 + +## Makes the system immediately reboot on the occurrence of a single +## kernel panic. This reduces the risk and impact of both denial of +## service and cold boot attacks. +sysctl kernel.panic=-1
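Review bot: in the README hunk at `@@ -44,16 +44,15 @@`, the rewritten bullet "Force immediate system reboot on the occurrence of a single kernel panic" drops the "Optional" qualifier without saying where the setting is applied or how to opt out; since the sysctl file in this same patch keeps `#kernel.panic=-1` commented out and defers to the panic-on-oops service (which is skipped when `panic-on-oops=0` is on the kernel command line), add that pointer to the bullet so readers know the reboot is enforced by the service and can be disabled there.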
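Review bot: in the README hunk at `@@ -221,12 +220,10 @@`, the phrase "able to write arbitrary executables into memory omitting the necessary hash validation" reads as if the attacker omits the validation; reword to match the grub.d comment in this patch, e.g. "…because kCFI validates the hash at the call site rather than at the destination". Also, now that `cfi=kcfi` is enforced rather than optional, keep a one-line note that the choice depends on threat model and can be overridden in a later grub.d file, since the previous "Do not modify from the default setting if unsure" guidance was removed.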
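Review bot: in `40_kernel_hardening.cfg` at `@@ -186,15 +186,14 @@`, the added line "kCFI mandates hash validation at the source (which is randomized)" introduces a claim that none of the listed references is identified as supporting; either cite the specific link that documents the randomization or drop the parenthetical, since the surrounding comparison (source-side check in kCFI versus destination-side check in FineIBT) stands on its own.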
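Review bot: in `40_kernel_hardening.cfg` at `@@ -205,12 +204,9 @@`, `ia32_emulation=0` is now set unconditionally but the comment only says it "substantially reduce[s] attack surface"; state the user-visible consequence (any 32-bit x86 binary, including i386 multiarch packages, will fail to execute) and how to revert it via a higher-numbered grub.d file. The removed "Applicable when using Linux kernel >= 6.2 / >= 6.7" notes also mean those versions are now hard requirements for `cfi=kcfi` and `ia32_emulation=0`; on older kernels the parameters are ignored rather than rejected, so record the floor in the file header or the package's kernel dependency.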
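Review bot: in `30_security-misc.conf` (limits.d) at `@@ -2,4 +2,6 @@`, `* - core 0` now covers both soft and hard limits, which is the right fix; worth adding to the comment that pam_limits only applies to PAM sessions, so daemons started directly by systemd are not covered by this line and need core dumps restricted through their own mechanism.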
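Review bot: in the new `etc/ssh/ssh_config.d/30_security-misc.conf` (`@@ -0,0 +1,19 @@`), the header advice "to overwrite any options, edit a file with a higher number that is read later" is backwards for ssh_config: the client keeps the first obtained value for each option, so a later-read file cannot override this one. Recommend overrides in a lower-numbered file or in `~/.ssh/config` (which is read first). Separately, `HostKeyAlgorithms` and `PubkeyAcceptedAlgorithms` restricted to Ed25519 mean the client refuses servers that only offer RSA/ECDSA host keys and silently never offers non-Ed25519 identities; say so in a comment. Note also that the unsuffixed `sntrup761x25519-sha512` and `mlkem768x25519-sha256` names are only recognised by recent OpenSSH, and an unknown name in `KexAlgorithms` makes the whole config fail to parse, so document the minimum OpenSSH version.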
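Review bot: in the new `etc/ssh/sshd_config.d/30_security-misc.conf` (`@@ -0,0 +1,79 @@`), the same first-value-wins rule applies to sshd_config, so "edit a file with a higher number that is read later" will not override these directives; point users at a lower-numbered file instead. The comments still use the deprecated spellings `ChallengeResponseAuthentication` and "PermitRootLogin without-password" while the directives use `KbdInteractiveAuthentication` and `prohibit-password`; align them. `ListenAddress 0.0.0.0` also drops the default IPv6 listener, which the "okay because of strict firewall" comment should mention explicitly.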
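Review bot: `etc/thunderbird/pref/40_security-misc.js` is deleted outright (`@@ -1,59 +0,0 @@`), removing the punycode display, telemetry, prefetch and user-agent hardening, but nothing in this patch shows a replacement and the README hunks do not mention the removal; state in the commit or README where these preferences now live or why they are dropped.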
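Review bot: in the new `etc/usbguard/rules.d/30_security-misc.conf` (`@@ -0,0 +1,55 @@`), the opening comment "We allow devices that were plugged in before the daemon starts. Everything is blocked as the default" describes daemon settings (present-device policy and implicit policy target) that are not part of this patch; reference the daemon configuration file that sets them so the rules are not misread as self-contained. Also fix "mouses" to "mice" and "restrating" to "restarting", and spell out in the HID note that `allow with-interface equals { 03:01:01 }` requires the device's interface set to be exactly that one interface, so composite keyboards exposing an extra HID interface fall through to the rejects.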
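Review bot: in `990-security-misc.conf` at `@@ -180,36 +180,40 @@`, "KSPP sets the sysctls and CONFIG_PANIC_ON_OOPS=y" is missing its trailing period, and the new reboot block says "See /usr/libexec/security-misc/panic-on-oops for implementation" for `kernel.panic=-1` while the service that runs it is named and conditioned on `panic-on-oops`; mention here that `panic-on-oops=0` on the kernel command line disables the reboot as well, since that is not obvious from the name.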
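Review bot: `usr/libexec/security-misc/apt-get-update` and `apt-get-update-sanity-test` are deleted (`@@ -1,46 +0,0 @@`, `@@ -1,21 +0,0 @@`) and the old "TODO: Move this to helper-scripts" suggests they moved, but the patch shows no replacement and no dependency or caller update; confirm the helper-scripts versions exist and that nothing in this package still invokes these paths.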
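Review bot: in `usr/libexec/security-misc/askpass` at `@@ -7,4 +7,4 @@`, the swap from `zenity --password` to `yad --password` should be verified against the packaged yad, since its password prompt is normally expressed as an entry with hidden text rather than a `--password` switch; with `set -e` an unrecognised option aborts the script and breaks the askpass flow. The package dependency on zenity/yad also needs updating, which this patch does not show.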
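Review bot: in `usr/libexec/security-misc/panic-on-oops` at `@@ -12,12 +12,15 @@`, "a potentially flawed processes" should be "a potentially flawed process". Dropping `panic_on_oops=1`/`panic_on_warn=1` in favour of `oops_limit=1`/`warn_limit=1` is equivalent for the first oops or warning, but it only works on kernels that expose those sysctls; since the version caveats were removed elsewhere in this patch, either keep the old sysctls as a fallback or let the script fail loudly rather than silently when `sysctl` reports an unknown key.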