From 7d31e17fc5a8fe3055568c1a0f541dea064f30a0 Mon Sep 17 00:00:00 2001 From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Fri, 17 Nov 2023 17:02:41 +0000 Subject: [PATCH 01/24] usbguard --- debian/control | 1 + 1 file changed, 1 insertion(+) diff --git a/debian/control b/debian/control index 9a57d45..4c40b96 100644 --- a/debian/control +++ b/debian/control @@ -30,6 +30,7 @@ Depends: adduser, python3, secure-delete, sudo, + usbguard, ${misc:Depends} Replaces: anon-gpg-tweaks, swappiness-lowest, tcp-timestamps-disable Description: Enhances Miscellaneous Security Settings From 7c8b9b294678056d684fd3dc22f012d75da40426 Mon Sep 17 00:00:00 2001 From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Fri, 17 Nov 2023 17:14:01 +0000 Subject: [PATCH 02/24] 30_security-misc.conf --- etc/usbguard/rules.d/30_security-misc.conf | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 etc/usbguard/rules.d/30_security-misc.conf diff --git a/etc/usbguard/rules.d/30_security-misc.conf b/etc/usbguard/rules.d/30_security-misc.conf new file mode 100644 index 0000000..a93e29e --- /dev/null +++ b/etc/usbguard/rules.d/30_security-misc.conf 
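Review bot: Adding `usbguard` to Depends in debian/control (PATCH 01/24) makes the daemon a hard requirement of security-misc, so every install gets it running with whatever policy is shipped, and the rules added in the next patch leave keyboards and mice that are not present when the daemon starts unusable until someone runs `usbguard allow-device`. Consider Recommends instead of Depends, or add a sentence to the package description saying that hot-plugged input devices need manual approval, so a user on a machine without a pre-boot keyboard is not locked out by the upgrade.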
@@ -0,0 +1,18 @@ +## Blacklisting is not the optimal approach to security. Normally all USB devices should be rejected (default) and only the devices you personally know and trust be whitelisted. +## If you can do this, it is recommended to do. For convenience for the majority, we do the following: + +## Allow all USB devices with mass storage interface +allow with-interface equals { 08:*:* } + +## Reject storage devices that also have extra suspicuous interfaces. +## Like a usb storage device that also tries to behave like a keyboard. +## This is a well known type of cyber attack. + +reject with-interface all-of { 08:*:* 03:00:* } +reject with-interface all-of { 08:*:* 03:01:* } +reject with-interface all-of { 08:*:* e0:*:* } +reject with-interface all-of { 08:*:* 0a:*:* } +reject with-interface all-of { 08:*:* 02:*:* } + +## We do not allow anything else. Keyboards, mice, and everything else, they will be rejected. The only exception is, if they were plugged in when the daemon starts. +## If you have your keyboard plugged in before booting, it will be allowed. If you plug after the fact, you have to manually allow the device or do a restart. From 4cae74d610ad37066e8a334019cfa5c82f088a2e Mon Sep 17 00:00:00 2001 From: monsieuremre Date: Sun, 21 Jul 2024 11:19:32 +0200 Subject: [PATCH 03/24] Update 30_security-misc.conf --- etc/usbguard/rules.d/30_security-misc.conf | 58 ++++++++++++++++------ 1 file changed, 43 insertions(+), 15 deletions(-) diff --git a/etc/usbguard/rules.d/30_security-misc.conf b/etc/usbguard/rules.d/30_security-misc.conf index a93e29e..fd2bce9 100644 --- a/etc/usbguard/rules.d/30_security-misc.conf +++ b/etc/usbguard/rules.d/30_security-misc.conf 
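Review bot: The closing comment of the new etc/usbguard/rules.d/30_security-misc.conf ("everything else ... will be rejected") describes behaviour this file does not control: devices that match no rule get the daemon's ImplicitPolicyTarget from usbguard-daemon.conf, which defaults to `block`, and a rules.d file cannot change it. Either ship the daemon setting alongside these rules or change the comment to "blocked"; the word matters because a `reject`ed device is removed and cannot later be permitted with `usbguard allow-device`, while a `block`ed one can, which is what the comment's "you have to manually allow the device" relies on. Also note in the comment that `allow with-interface equals { 08:*:* }` only matches devices whose entire interface set is mass storage, so the five `reject ... all-of` rules below it do not add protection against composite devices (those are already unmatched by the allow) but change their fate from block to reject; make that intent explicit. Typo: "suspicuous".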
@@ -1,18 +1,46 @@ -## Blacklisting is not the optimal approach to security. Normally all USB devices should be rejected (default) and only the devices you personally know and trust be whitelisted. -## If you can do this, it is recommended to do. For convenience for the majority, we do the following: +# We allow those that were plugged in before the daemon starts. Everything is blocked as the default. Following rules apply on top of this. -## Allow all USB devices with mass storage interface +# Explicitly reject any interface that is not documented and/or defined by USB.org +# Note: Most probably superfluous +reject with-interface none-of { 01:*:* 02:*:* 03:*:* 04:*:* 05:*:* 06:*:* 07:*:* 08:*:* 09:*:* 0a:*:* 0b:*:* 0d:*:* 0e:*:* 0f:*:* 10:*:* 11:*:* 12:*:* 13:*:* 14:*:* 3c:*:* dc:*:* e0:*:* ef:*:* fe:*:* ff:*:*} + +### Allow all mouses and keyboards, in a sense, so the user can conveniently change them without restrating the daemon. +### Take extra measures to ensure security + +# Allow only one keyboard to be connected +allow with-interface one-of { 03:00:01 03:01:01 } if !allowed-matches(with-interface one-of { 03:00:01 03:01:01 }) + +# Allow only one mouse to be connected +allow with-interface one-of { 03:00:02 03:01:02 } if !allowed-matches(with-interface one-of { 03:00:02 03:01:02 }) + +# Explicitly reject any device with a mouse/keyboard interface in combination with some other interface +# Mouses and keyboards should only have one interface for all legitimate use cases +reject with-interface all-of { 03:*:* 02:*:* } +reject with-interface all-of { 03:*:* 04:*:* } +reject with-interface all-of { 03:*:* 05:*:* } +reject with-interface all-of { 03:*:* 06:*:* } +reject with-interface all-of { 03:*:* 07:*:* } +reject with-interface all-of { 03:*:* 08:*:* } +reject with-interface all-of { 03:*:* 09:*:* } +reject with-interface all-of { 03:*:* 0a:*:* } +reject with-interface all-of { 03:*:* 0b:*:* } +reject with-interface all-of { 03:*:* 0d:*:* } +reject 
with-interface all-of { 03:*:* 0e:*:* } +reject with-interface all-of { 03:*:* 0f:*:* } +reject with-interface all-of { 03:*:* 10:*:* } +reject with-interface all-of { 03:*:* 11:*:* } +reject with-interface all-of { 03:*:* 12:*:* } +reject with-interface all-of { 03:*:* 13:*:* } +reject with-interface all-of { 03:*:* 14:*:* } +reject with-interface all-of { 03:*:* 3c:*:* } +reject with-interface all-of { 03:*:* dc:*:* } +reject with-interface all-of { 03:*:* e0:*:* } +reject with-interface all-of { 03:*:* ef:*:* } +reject with-interface all-of { 03:*:* fe:*:* } +reject with-interface all-of { 03:*:* ff:*:* } + +# Allow USB mass storage +# If and only if the USB device only has the mass storage interface and nothing extra +# Suspicious interface combinations with mass storage are blocked allow with-interface equals { 08:*:* } -## Reject storage devices that also have extra suspicuous interfaces. -## Like a usb storage device that also tries to behave like a keyboard. -## This is a well known type of cyber attack. - -reject with-interface all-of { 08:*:* 03:00:* } -reject with-interface all-of { 08:*:* 03:01:* } -reject with-interface all-of { 08:*:* e0:*:* } -reject with-interface all-of { 08:*:* 0a:*:* } -reject with-interface all-of { 08:*:* 02:*:* } - -## We do not allow anything else. Keyboards, mice, and everything else, they will be rejected. The only exception is, if they were plugged in when the daemon starts. -## If you have your keyboard plugged in before booting, it will be allowed. If you plug after the fact, you have to manually allow the device or do a restart. From 28ce70644147f637e91bd4941bcbc139d875e5e7 Mon Sep 17 00:00:00 2001 From: nexus$ Date: Fri, 1 Aug 2025 15:03:26 +0000 Subject: [PATCH 04/24] Set soft limit for core dumps to 0 --- etc/security/limits.d/30_security-misc.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/security/limits.d/30_security-misc.conf b/etc/security/limits.d/30_security-misc.conf index d494b14..0f0108f 100644 
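Review bot: Rule order in the PATCH 03/24 rewrite of 30_security-misc.conf defeats the composite-device rejects: usbguard applies the first matching rule, and the keyboard rule `allow with-interface one-of { 03:00:01 03:01:01 } if !allowed-matches(...)` (and the mouse rule) sit above the `reject with-interface all-of { 03:*:* 08:*:* }` family, so a device presenting a keyboard interface next to mass storage, CDC or anything else is allowed whenever no keyboard is currently allowed, which is exactly the case those rejects exist for. Move the whole `reject ... all-of { 03:*:* ... }` block above the two allow rules. Three smaller points: the comment "Mouses and keyboards should only have one interface for all legitimate use cases" does not match what the rules enforce (any number of 03:*:* interfaces is permitted, only 03 combined with another class is rejected, which is the right behaviour since many keyboards expose a second HID interface for media keys), so reword it; "We allow those that were plugged in before the daemon starts" describes PresentDevicePolicy in usbguard-daemon.conf, which this file cannot set, so either ship that setting or reference it; and the `reject with-interface none-of { ... }` rule is annotated "Most probably superfluous", which is a reason to drop it or to say what it catches. Typos: "restrating", "mouses" (mice).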
--- a/etc/security/limits.d/30_security-misc.conf +++ b/etc/security/limits.d/30_security-misc.conf @@ -3,3 +3,4 @@ ## Disable coredumps. * hard core 0 +* soft core 0 From 1f7525722e7027b5c3379460eee5f62669631dee Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 6 Aug 2025 01:48:47 +0000 Subject: [PATCH 05/24] Enable `cfi=kcfi` --- README.md | 5 ++--- etc/default/grub.d/40_kernel_hardening.cfg | 14 +++++--------- 2 files changed, 7 insertions(+), 12 deletions(-) diff --git a/README.md b/README.md index ac12886..ed9c740 100644 --- a/README.md +++ b/README.md @@ -221,9 +221,8 @@ Kernel space: - Disable 32-bit vDSO mappings as they are a legacy compatibility feature. -- Optional - Use kCFI as the default CFI implementation (when using Linux kernel >= 6.2) - since it may be slightly more resilient to attacks that are able to write - arbitrary executables in memory. +- Use kCFI as the default CFI implementation as it is more resilient to attacks that able + to write arbitrary executables into memory omitting the necessary hash validation. - Optional - Disable support for all x86 processes and syscalls (when using Linux kernel >= 6.7) to reduce attack surface. diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 671c28b..685f673 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg 
@@ -186,15 +186,14 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0" ## The default implementation is FineIBT as of Linux kernel 6.2. ## The Intel-developed IBT (Indirect Branch Tracking) is only used if supported by the CPU. ## kCFI is software-only while FineIBT is a hybrid software/hardware implementation. -## FineIBT may result in some performance benefits as it only performs checking at destinations. +## FineIBT may result in some performance benefits as it only performs hash checks at the destinations. +## kCFI mandates hash validation at the source (which is randomized), making it more difficult to bypass. ## FineIBT is considered weaker against attacks that can write arbitrary executables into memory. -## Upstream hardening work has provided users the ability to disable FineIBT based on requests. -## Choice of CFI implementation is highly dependent on user threat model as there are pros/cons to both. -## Do not modify from the default setting if unsure of implications. ## -## https://lore.kernel.org/all/20221027092842.699804264@infradead.org/ +## https://lwn.net/Articles/891976/ ## https://lore.kernel.org/lkml/202210010918.4918F847C4@keescook/T/#u ## https://lore.kernel.org/lkml/202210182217.486CBA50@keescook/T/ +## https://lore.kernel.org/all/20221027092842.699804264@infradead.org/ ## https://lore.kernel.org/lkml/202407150933.E1871BE@keescook/ ## https://isopenbsdsecu.re/mitigations/forward_edge_cfi/ ## https://docs.kernel.org/next/x86/shstk.html @@ -205,10 +204,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0" ## KSPP=yes ## KSPP sets the kernel parameter. ## -## TODO: Debian 13 Trixie -## Applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness). -## -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX cfi=kcfi" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX cfi=kcfi" ## Disable support for x86 processes and syscalls. ## Unconditionally disables IA32 emulation to substantially reduce attack surface. 
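Review bot: Making `GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX cfi=kcfi"` unconditional in 40_kernel_hardening.cfg needs a comment on what happens on a kernel built without kCFI support (the old "Applicable when using Linux kernel >= 6.2" qualifier is deleted and nothing replaces it): there the parameter is not acted on, so the README's new unqualified "Use kCFI as the default CFI implementation" promises more than the package can guarantee; keep a qualifier such as "where the kernel was built with kCFI". In the README hunk, "attacks that able to write" is missing "are" (fixed later in PATCH 13/24; better squashed here). The new sentence "kCFI mandates hash validation at the source (which is randomized)" should say what is randomized or drop the parenthetical; the point being made, that the check happens at the call site rather than at the destination, stands without it.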
From 45d20dd972e6501237d35d1605c81d4e3fde43b1 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 6 Aug 2025 02:35:15 +0000 Subject: [PATCH 06/24] Upgrade sysctls and docs on kernel panics --- README.md | 11 +++++------ usr/lib/sysctl.d/990-security-misc.conf | 25 +++++++++++++++---------- usr/libexec/security-misc/panic-on-oops | 19 +++++++++++-------- 3 files changed, 31 insertions(+), 24 deletions(-) diff --git a/README.md b/README.md index ac12886..b124a7a 100644 --- a/README.md +++ b/README.md @@ -44,11 +44,10 @@ configuration file and significant hardening is applied to a myriad of component - Restrict kernel profiling and the performance events system to `CAP_PERFMON`. -- Force the kernel to panic on both "oopses", which can potentially indicate and thwart - certain kernel exploitation attempts, and also kernel warnings in the `WARN()` path. +- Force the kernel to immediately panic on both "oopses" (which can potentially indicate + and thwart certain kernel exploitation attempts) and kernel warnings in the `WARN()` path. -- Optional - Force immediate reboot on the occurrence of a single kernel panic and also - (when using Linux kernel >= 6.2) limit the number of allowed panics to one. +- Optional - Force immediate reboot on the occurrence of a single kernel panic. - Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. @@ -280,6 +279,8 @@ Completely disables `ptrace()`. Can be enabled easily if needed. * [security-misc pull request #242](https://github.com/Kicksecure/security-misc/pull/242) +**Non-compliance:** + 2. `sysctl kernel.panic=-1` Forces an immediate reboot on kernel panic. This can be enabled, but it may lead to unexpected 
@@ -288,8 +289,6 @@ system crashes. * [security-misc pull request #264](https://github.com/Kicksecure/security-misc/pull/264) * [security-misc pull request #268](https://github.com/Kicksecure/security-misc/pull/268) -**Non-compliance:** - 3. `sysctl user.max_user_namespaces=0` Disables user namespaces entirely. Not recommended due to the potential for widespread breakages. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index eaa671e..139e2e6 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -164,14 +164,14 @@ kernel.sysrq=0 ## kernel.perf_event_paranoid=3 -## Force the kernel to panic on "oopses" and kernel warnings in the WARN() path. -## Can sometimes potentially indicate and thwart certain kernel exploitation attempts. +## Force the kernel to immediately panic on "oopses" and kernel warnings in the WARN() path. ## Panics may be due to false-positives such as bad drivers. +## Both allowed limits are set to one so that panics occur on the single first instance of either scenario. ## Oopses are serious but non-fatal errors. +## Certain "oopses" can sometimes indicate and thwart potential kernel exploitation attempts. ## Warnings are messages generated by the kernel to indicate unexpected conditions or errors. ## By default, code execution continues regardless of warnings emitted by macros like WARN() and WARN_ON(). ## Note that by forcing kernel panics on oopses and warnings, this exposes the system to targeted denial of service attacks. -## Forcing immediate system reboots on any single kernel panic is an extreme option. ## ## https://en.wikipedia.org/wiki/Kernel_panic#Linux ## https://en.wikipedia.org/wiki/Linux_kernel_oops 
@@ -180,20 +180,25 @@ kernel.perf_event_paranoid=3 ## https://git.sr.ht/~gregkh/presentation-security/tree/3fdaf81a2f8b2c8d64cdb2f529cc714624868aa8/item/security-stuff.pdf ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panisc-on-oops-1-sysctl-for-better-security/7713 ## -## KSPP=partial -## KSPP sets the sysctls, CONFIG_PANIC_ON_OOPS=y, but also requires CONFIG_PANIC_TIMEOUT=-1. +## KSPP=yes +## KSPP sets the sysctls and CONFIG_PANIC_ON_OOPS=y ## ## See /usr/libexec/security-misc/panic-on-oops for implementation. ## -## TODO: Debian 13 Trixie -## The limits are applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness). -## #kernel.panic=-1 -#kernel.panic_on_oops=1 -#kernel.panic_on_warn=1 #kernel.oops_limit=1 #kernel.warn_limit=1 +## Force immediate system reboots on the occurrence of a single kernel panic. +## This is an extreme safety option which also creates a large opening for targeted denial of service attacks. +## +## KSPP=no +## KSPP sets CONFIG_PANIC_TIMEOUT=-1. +## +## See /usr/libexec/security-misc/panic-on-oops for implementation. +## +#kernel.panic=-1 + ## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. ## Can lead to privilege escalation by pushing characters into a controlling TTY. ## Will break out-dated screen readers that continue to rely on this legacy functionality. diff --git a/usr/libexec/security-misc/panic-on-oops b/usr/libexec/security-misc/panic-on-oops index 749eb3c..3c45a68 100755 --- a/usr/libexec/security-misc/panic-on-oops +++ b/usr/libexec/security-misc/panic-on-oops 
@@ -12,12 +12,15 @@ if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then source /usr/libexec/helper-scripts/pre.bsh fi -## Makes the kernel panic on oopses and warnings. This prevents the -## kernel from continuing to run a flawed processes. Many kernel -## exploits will also cause an oops, these settings will make the -## kernel kill the offending processes. +## Makes the kernel immediately panic on both oopses and warnings. +## This prevents the kernel from continuing to run a potentially +## flawed processes. Many kernel exploits will also cause an oops, +## these settings will make the kernel kill the offending processes. +sysctl kernel.oops_limit=1 +sysctl kernel.warn_limit=1 + +## Makes the system immediately reboot on the occur occurrence of +## a single kernel panic. This is an extreme safety option which also +## creates a large opening for targeted denial of service attacks. #sysctl kernel.panic=-1 -sysctl kernel.panic_on_oops=1 -sysctl kernel.panic_on_warn=1 -#sysctl kernel.oops_limit=1 -#sysctl kernel.warn_limit=1 + From 498551536c71f1c1ac33f3c1992e18c9277e6618 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 6 Aug 2025 03:12:06 +0000 Subject: [PATCH 07/24] Update docs --- README.md | 6 ++---- etc/default/grub.d/40_kernel_hardening.cfg | 3 --- etc/modprobe.d/30_security-misc_blacklist.conf | 2 +- usr/lib/sysctl.d/990-security-misc.conf | 9 ++------- 4 files changed, 5 insertions(+), 15 deletions(-) diff --git a/README.md b/README.md index ac12886..e853332 100644 --- a/README.md +++ b/README.md @@ -52,8 +52,7 @@ configuration file and significant hardening is applied to a myriad of component - Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. -- Disable asynchronous I/O (when using Linux kernel >= 6.6) as `io_uring` has been - the source of numerous kernel exploits. +- Disable asynchronous I/O as `io_uring` has been the source of numerous kernel exploits. #### User space 
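Review bot: In the PATCH 06/24 hunk to usr/libexec/security-misc/panic-on-oops, replacing `sysctl kernel.panic_on_oops=1` and `sysctl kernel.panic_on_warn=1` with `sysctl kernel.oops_limit=1` and `sysctl kernel.warn_limit=1` silently loses the hardening on any kernel that lacks the limit sysctls: both calls fail and nothing is set, whereas the old pair works everywhere and the new pair is only equivalent where it exists. Keep all four (the older pair is harmless next to the limits) or at least check the exit status. In the sysctl.d hunk, `#kernel.panic=-1` now appears twice, once at the end of the oops block and again in the new "Force immediate system reboots" block; delete the first. Wording: "a potentially flawed processes" should be "potentially flawed processes"; "the occur occurrence" (fixed in PATCH 12/24, better squashed); and "Both allowed limits are set to one so that panics occur on the single first instance of either scenario" reads better as "Both limits are set to 1 so the first oops or warning panics".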
@@ -225,8 +224,7 @@ Kernel space: since it may be slightly more resilient to attacks that are able to write arbitrary executables in memory. -- Optional - Disable support for all x86 processes and syscalls (when using Linux kernel >= 6.7) - to reduce attack surface. +- Optional - Disable support for all x86 processes and syscalls to reduce attack surface. - Disable the EFI persistent storage feature which prevents the kernel from writing crash logs and other persistent data to either the UEFI variable storage or ACPI ERST backends. diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 671c28b..1f3cc7c 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -218,9 +218,6 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0" ## KSPP=yes ## KSPP does not set CONFIG_COMPAT, CONFIG_IA32_EMULATION, CONFIG_X86_X32, CONFIG_X86_X32_ABI, and CONFIG_MODIFY_LDT_SYSCALL. ## -## TODO: Debian 13 Trixie -## Applicable when using Linux kernel >= 6.7 (retained here for future-proofing and completeness). -## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0" ## Disable EFI persistent storage feature. diff --git a/etc/modprobe.d/30_security-misc_blacklist.conf b/etc/modprobe.d/30_security-misc_blacklist.conf index 5ce1edc..936e26a 100644 --- a/etc/modprobe.d/30_security-misc_blacklist.conf +++ b/etc/modprobe.d/30_security-misc_blacklist.conf @@ -27,7 +27,7 @@ blacklist sr_mod ## Partial selection of their infrastructure blacklist. ## Duplicate and already disabled modules have been omitted. ## -## https://github.com/GrapheneOS/infrastructure/blob/main/modprobe.d/local.conf +## https://github.com/GrapheneOS/infrastructure/blob/main/etc/modprobe.d/local.conf ## #blacklist cfg80211 #blacklist intel_agp diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index eaa671e..23dc6ef 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf 
+++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -197,19 +197,17 @@ kernel.perf_event_paranoid=3 ## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. ## Can lead to privilege escalation by pushing characters into a controlling TTY. ## Will break out-dated screen readers that continue to rely on this legacy functionality. +## Note this was already disabled by default as of Linux kernel 6.2. ## ## https://lore.kernel.org/lkml/20221228205726.rfevry7ud6gmttg5@begin/T/ ## ## KSPP=yes ## KSPP sets the sysctl and does not set CONFIG_LEGACY_TIOCSTI. ## -## TODO: Debian 13 Trixie -## This is disabled by default when using Linux kernel >= 6.2. -## dev.tty.legacy_tiocsti=0 ## Disable asynchronous I/O for all processes. -## Leading cause of numerous kernel exploits. +## Use of io_uring has been the leading cause of numerous kernel exploits. ## Disabling will reduce the read/write performance of storage devices. ## ## https://en.wikipedia.org/wiki/Io_uring#Security @@ -218,9 +216,6 @@ dev.tty.legacy_tiocsti=0 ## https://github.com/moby/moby/pull/46762 ## https://forums.whonix.org/t/io-uring-security-vulnerabilties/16890 ## -## TODO: Debian 13 Trixie -## Applicable when using Linux kernel >= 6.6 (retained here for future-proofing and completeness). -## kernel.io_uring_disabled=2 ## 2. User Space: From 86f44063eb753fe1bbdd754ce104670d26aed6ca Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Tue, 5 Aug 2025 22:58:06 -0500 Subject: [PATCH 08/24] Port to Trixie. --- README_generic.md | 2 +- debian/control | 2 +- usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf | 2 +- usr/libexec/security-misc/askpass | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/README_generic.md b/README_generic.md index 787af72..4c05521 100644 --- a/README_generic.md +++ b/README_generic.md 
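Review bot: The README.md hunk of PATCH 07/24 is based on ac12886 and still carries, as context, the "since it may be slightly more resilient to attacks that are able to write arbitrary executables in memory" lines that PATCH 05/24 replaces from the same base, and the 990-security-misc.conf hunk here (from eaa671e) touches the region PATCH 06/24 rewrites from the same base, so one of each pair will not apply cleanly; rebase this patch on top of 05 and 06 before merging. Wording: "Use of io_uring has been the leading cause of numerous kernel exploits" is a strong, unquantified claim; "a recurring source of kernel exploits" says what the links support. The modprobe URL fix (`etc/modprobe.d/local.conf`) is unrelated to the docs cleanup and would be clearer as its own commit.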
@@ -28,7 +28,7 @@ sudo cp ~/derivative.asc /usr/share/keyrings/derivative.asc 3\. Add the derivative repository. ``` -echo "deb [signed-by=/usr/share/keyrings/derivative.asc] https://deb.kicksecure.com bookworm main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list +echo "deb [signed-by=/usr/share/keyrings/derivative.asc] https://deb.kicksecure.com trixie main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list ``` 4\. Update your package lists. diff --git a/debian/control b/debian/control index 6235dad..13143e4 100644 --- a/debian/control +++ b/debian/control @@ -13,7 +13,7 @@ Build-Depends: config-package-dev, Homepage: https://www.kicksecure.com/wiki/Security-misc Vcs-Browser: https://github.com/Kicksecure/security-misc Vcs-Git: https://github.com/Kicksecure/security-misc.git -Standards-Version: 4.6.2 +Standards-Version: 4.7.2 Rules-Requires-Root: no Package: security-misc diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf b/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf index 2b55bd2..7c825e7 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf @@ -6,7 +6,7 @@ ## configuration. When security-misc is updated, this file may be overwritten. ## Used for SSH client key management -## https://manpages.debian.org/bookworm/openssh-client/ssh-agent.1.en.html +## https://manpages.debian.org/trixie/openssh-client/ssh-agent.1.en.html ## Debian installs ssh-agent with setgid permissions (2755) and with ## _ssh as the group to help mitigate ptrace attacks that could extract ## private keys from the agent's memory. diff --git a/usr/libexec/security-misc/askpass b/usr/libexec/security-misc/askpass index 56ecffc..d428975 100755 --- a/usr/libexec/security-misc/askpass +++ b/usr/libexec/security-misc/askpass 
@@ -7,4 +7,4 @@ set -e title="$0: password required for $(whoami) to perform action as superuser" -zenity --password --title="$title" +yad --password --title="$title" From 4166d6d1e60d564be4c3fb2ad530e7a180638e6a Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 6 Aug 2025 15:53:49 +1000 Subject: [PATCH 09/24] Update docs on recovery restrictions --- etc/default/grub.d/41_recovery_restrict.cfg | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/etc/default/grub.d/41_recovery_restrict.cfg b/etc/default/grub.d/41_recovery_restrict.cfg index f54247b..5da19e7 100644 --- a/etc/default/grub.d/41_recovery_restrict.cfg +++ b/etc/default/grub.d/41_recovery_restrict.cfg @@ -7,14 +7,17 @@ ## KSPP=no: not (currently) compliant with recommendations by the KSPP ## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. -## Disable access to single-user (recovery) mode. +## Disable access to the GRUB single-user (recovery) mode menu entries. ## ## https://forums.kicksecure.com/t/remove-linux-recovery-mode-boot-option-from-default-grub-boot-menu/727 ## GRUB_DISABLE_RECOVERY="true" ## Disable access to Dracut's recovery console. +## Prevents the emergency shell from starting automatically during boot failures. ## +## https://insinuator.net/2025/07/insecure-boot-injecting-initramfs-from-a-debug-shell/ +## https://serverfault.com/questions/554853/how-can-i-secure-the-dracut-shell ## https://forums.kicksecure.com/t/harden-dracut-initramfs-generator-by-disabling-recovery-console/724 ## GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT rd.emergency=halt" From 2ada07cf66727ea66283c55c0ba078489b3db94e Mon Sep 17 00:00:00 2001 
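Review bot: The askpass hunk in PATCH 08/24 swaps `zenity --password` for `yad --password`, but the debian/control hunk in the same patch only bumps Standards-Version; unless `yad` is already in Depends or Recommends, askpass on a fresh trixie install fails at the missing command, and with `set -e` that is a hard error for whatever invoked it. Add the dependency (and drop zenity if nothing else uses it) in this commit. The trixie repository line and the manpage URL change look fine.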
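Review bot: The added comment "Prevents the emergency shell from starting automatically during boot failures" in 41_recovery_restrict.cfg is accurate, but the hunk should also state what `rd.emergency=halt` does not cover: it is appended to GRUB_CMDLINE_LINUX_DEFAULT, so it only applies to the normal menu entries, and anyone who can edit the kernel command line at the GRUB prompt can still ask for an initramfs shell with `rd.break` or `rd.shell`, which is the scenario the newly linked insinuator.net article covers. A one-line pointer to GRUB password protection, or to whatever this package relies on for that, would make the scope of the mitigation clear.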
From: Aaron Rainbolt Date: Thu, 7 Aug 2025 22:23:03 -0500 Subject: [PATCH 10/24] Add SSH hardening config --- etc/ssh/ssh_config.d/30_security-misc.conf | 19 +++++ etc/ssh/sshd_config.d/30_security-misc.conf | 79 +++++++++++++++++++++ 2 files changed, 98 insertions(+) create mode 100644 etc/ssh/ssh_config.d/30_security-misc.conf create mode 100644 etc/ssh/sshd_config.d/30_security-misc.conf diff --git a/etc/ssh/ssh_config.d/30_security-misc.conf b/etc/ssh/ssh_config.d/30_security-misc.conf new file mode 100644 index 0000000..6693f72 --- /dev/null +++ b/etc/ssh/ssh_config.d/30_security-misc.conf @@ -0,0 +1,19 @@ +## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Don't edit this file, to overwrite any options, edit a file with a higher +## number that is read later by SSH, such as +## '/etc/ssh/ssh_config.d/50_user.conf'. If your configuration changes do not +## need to be system-wide, you may also consider placing overrides in +## ~/.ssh/config. + +Host * + VisualHostKey yes + Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr + MACs umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com + KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org + ## To force the use of quantum-resistant key exchange algorithms, override + ## the above with + # KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256 + HostKeyAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519 + PubkeyAcceptedAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519 diff --git a/etc/ssh/sshd_config.d/30_security-misc.conf b/etc/ssh/sshd_config.d/30_security-misc.conf new file mode 100644 index 0000000..5abf9cc --- /dev/null +++ b/etc/ssh/sshd_config.d/30_security-misc.conf 
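Review bot: `HostKeyAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519` and `PubkeyAcceptedAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519` under `Host *` in the new ssh_config.d/30_security-misc.conf are a hard compatibility break the file's header does not warn about: the client refuses any server that only has RSA or ECDSA host keys, refuses to offer a user's existing RSA key, and, because the `-cert-v01@openssh.com` forms are absent, breaks SSH certificate authentication for both hosts and users. If the intent is to prefer ed25519 rather than require it, use the `^` prefix (`HostKeyAlgorithms ^sk-ssh-ed25519@openssh.com,ssh-ed25519`) so the remaining defaults stay available, or say in the comment that non-ed25519 hosts need an override in ~/.ssh/config. Also note that every name in `KexAlgorithms`, including the unsuffixed `sntrup761x25519-sha512` and `mlkem768x25519-sha256`, must be known to the installed ssh: an unknown algorithm name in this directive is a fatal configuration error, not something that is skipped, so this file is only safe on the OpenSSH version trixie ships.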
@@ -0,0 +1,79 @@ +## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +## Don't edit this file, to overwrite any options, edit a file with a higher +## number that is read later by SSHD, such as +## '/etc/ssh/sshd_config.d/50_user.conf'. + +## This is okay because of strict firewall. For an onion-only server, listen +## on 127.0.0.1. +ListenAddress 0.0.0.0 + +## Number of allowed login attempts per connection. +MaxAuthTries 3 + +## Require strong ciphers and algorithms. +HostKey /etc/ssh/ssh_host_ed25519_key +HostKeyAlgorithms ssh-ed25519 +PubkeyAcceptedAlgorithms ssh-ed25519,sk-ssh-ed25519@openssh.com +Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com +MACs umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com +KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org +## To force the use of quantum-resistant key exchange algorithms, override the +## above with +# KexAlgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256 + +## Override with 'no' to fully deny root login, or leave this as +## 'prohibit-password' for denying root password login but still allowing +## other authentication methods such as public key. +PermitRootLogin prohibit-password + +## Public key authentication is transparent, non-interactive and more secure. +PasswordAuthentication no + +## Change to 'yes' to enable challenge-response passwords (beware issues with +## some PAM modules and threads) +KbdInteractiveAuthentication no + +## PAM can be used for account and session processing when using +## ChallengeResponseAuthentication or PasswordAuthentication. +## +## Depending on your PAM configuration, PAM authentication via +## ChallengeResponseAuthentication may bypass the setting of "PermitRootLogin +## without-password". 
+## +## If you want PAM account and session checks to run without PAM +## authentication, then enable this but set PasswordAuthentication and +## ChallengeResponseAuthentication to 'no'. +## +## The default upstream is 'no', Debian sets this to 'yes'. If using a locked +## account, read: +## https://www.kicksecure.com/wiki/SSH#SSH_Login_Comparison_Table +## We set it to 'yes' to work with libpam-tmpdir. +## https://www.kicksecure.com/wiki/Dev/Strong_Linux_User_Account_Isolation@libpam-tmpdir +## Also folders such as '/run/user/1000' will exist thanks to PAM. +## The absence of that folder can lead to issues (such as with msgcollector). +UsePAM yes + +## Block dangerous forwarding. +AllowAgentForwarding no +AllowTcpForwarding no +X11Forwarding no + +## Hide unnecessary login banners. +PrintMotd no +#Banner /etc/issue.net +#Hiding Debian version from SSH banner (obscurity) +DebianBanner no + +## Some options are dangerous but may be required in certain circumstances. As +## an example, if forwarding is required, selectively allow it with a 'Match' +## block. Consider a new separate user named 'tunnel' which wants to forward +## its local port to be available on the server on port 443. Note that a +## tunnel user doesn't even require a TTY nor a shell, so don't forget to +## change the 'tunnel' shell to something that prevents login such as +## '/usr/sbin/nologin'. +#Match User tunnel +# AllowTcpForwarding yes +# PermitListen localhost:443 +# PermitTTY no From c33ea7be6d2a82462042cf482a32bf259bf51bd5 Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Sun, 10 Aug 2025 15:23:48 -0500 Subject: [PATCH 11/24] Move security-misc/apt-get-update* to helper-scripts --- usr/libexec/security-misc/apt-get-update | 46 ------------------- .../security-misc/apt-get-update-sanity-test | 21 --------- 2 files changed, 67 deletions(-) delete mode 100755 usr/libexec/security-misc/apt-get-update delete mode 100755 usr/libexec/security-misc/apt-get-update-sanity-test 
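Review bot: `ListenAddress 0.0.0.0` in sshd_config.d/30_security-misc.conf silently removes the IPv6 listener (sshd otherwise listens on both `0.0.0.0` and `::`), which the comment "This is okay because of strict firewall" does not mention; add `ListenAddress ::` or state that IPv4-only is intended. `HostKey /etc/ssh/ssh_host_ed25519_key` in a drop-in also stops sshd loading the RSA and ECDSA host keys it would otherwise use by default, which is a reasonable policy but changes the key presented to clients that pinned an RSA key in known_hosts, so it deserves a sentence. `HostKeyAlgorithms ssh-ed25519` and `PubkeyAcceptedAlgorithms ssh-ed25519,sk-ssh-ed25519@openssh.com` omit the `-cert-v01@openssh.com` forms, so certificate-based host and user authentication is disabled; say so or add them. Minor: the UsePAM comment still refers to `ChallengeResponseAuthentication` and `PermitRootLogin without-password`, the deprecated spellings of the `KbdInteractiveAuthentication` and `prohibit-password` used elsewhere in the file, and the single-`#` "Hiding Debian version" line breaks the file's `##` comment convention.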
diff --git a/usr/libexec/security-misc/apt-get-update b/usr/libexec/security-misc/apt-get-update deleted file mode 100755 index 9cbfd8e..0000000 --- a/usr/libexec/security-misc/apt-get-update +++ /dev/null @@ -1,46 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## TODO: Move this to helper-scripts. - -set -o errexit -set -o nounset -set -o errtrace -set -o pipefail - -command -v start-stop-daemon >/dev/null -command -v timeout >/dev/null -command -v apt-get >/dev/null - -export LC_ALL=C -pidfile="/run/helper-scripts/security-misc-apt-get-update-pid" - -sigterm_trap() { - /usr/libexec/helper-scripts/apt-get-update-kill-helper &>/dev/null - exit 143 -} - -## terminate potential previous invocations. -/usr/libexec/helper-scripts/apt-get-update-kill-helper &>/dev/null - -trap "sigterm_trap" SIGTERM SIGINT - -[[ -v timeout_after ]] || timeout_after="600" -[[ -v kill_after ]] || kill_after="10" - -start-stop-daemon \ - --make-pidfile \ - --pidfile "$pidfile" \ - --exec /usr/bin/timeout \ - --start \ - -- \ - --kill-after="$kill_after" \ - "$timeout_after" \ - apt-get update --error-on=any "$@" & - -lastpid="$!" -wait "$lastpid" - -exit "$?" diff --git a/usr/libexec/security-misc/apt-get-update-sanity-test b/usr/libexec/security-misc/apt-get-update-sanity-test deleted file mode 100755 index 7efac72..0000000 --- a/usr/libexec/security-misc/apt-get-update-sanity-test +++ /dev/null 
@@ -1,21 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -set -x -set -e -set -o pipefail - -if ! printf '%s\n' "" | wc -l >/dev/null ; then - printf '%s\n' "\ -$0: ERROR: command 'wc' test failed! Do not ignore this! - -'wc' can core dump. Example: -zsh: illegal hardware instruction (core dumped) wc -l -https://github.com/rspamd/rspamd/issues/5137" >&2 - exit 1 -fi - -wc -L "/var/lib/apt/lists/"*InRelease -wc -L "/var/lib/apt/lists/"*InRelease | awk '$1 > 1024 {print; exit 1}' From fce86dccb67db0a37601899bf3115bd9f4fa714a Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 13 Aug 2025 10:44:40 +1000 Subject: [PATCH 12/24] Typo --- usr/libexec/security-misc/panic-on-oops | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/usr/libexec/security-misc/panic-on-oops b/usr/libexec/security-misc/panic-on-oops index 3c45a68..b5cb2e8 100755 --- a/usr/libexec/security-misc/panic-on-oops +++ b/usr/libexec/security-misc/panic-on-oops @@ -19,8 +19,7 @@ fi sysctl kernel.oops_limit=1 sysctl kernel.warn_limit=1 -## Makes the system immediately reboot on the occur occurrence of -## a single kernel panic. This is an extreme safety option which also -## creates a large opening for targeted denial of service attacks. +## Makes the system immediately reboot on the occurrence of a single +## kernel panic. This is an extreme safety option which also creates +## a large opening for targeted denial of service attacks. #sysctl kernel.panic=-1 - From 00c660d40dce06d979fc7b9dbf7a6e952a9e51cc Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Fri, 15 Aug 2025 11:29:27 +1000 Subject: [PATCH 13/24] Typo --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index ed9c740..ca0966d 100644 --- a/README.md +++ b/README.md 
@@ -221,8 +221,8 @@ Kernel space: - Disable 32-bit vDSO mappings as they are a legacy compatibility feature. -- Use kCFI as the default CFI implementation as it is more resilient to attacks that able - to write arbitrary executables into memory omitting the necessary hash validation. +- Use kCFI as the default CFI implementation as it is more resilient to attacks that are + able to write arbitrary executables into memory omitting the necessary hash validation. - Optional - Disable support for all x86 processes and syscalls (when using Linux kernel >= 6.7) to reduce attack surface. From 94668b2e93c37a3879968f455575c631f9f8bcac Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Fri, 15 Aug 2025 16:46:35 -0500 Subject: [PATCH 14/24] Set hard and soft limits on core file size at the same time --- etc/security/limits.d/30_security-misc.conf | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/etc/security/limits.d/30_security-misc.conf b/etc/security/limits.d/30_security-misc.conf index 0f0108f..52e9d78 100644 --- a/etc/security/limits.d/30_security-misc.conf +++ b/etc/security/limits.d/30_security-misc.conf @@ -2,5 +2,6 @@ ## See the file COPYING for copying conditions. ## Disable coredumps. -* hard core 0 -* soft core 0 +## `-` in the second field sets both hard and soft limits at the same time. +## See `man 5 limits.conf`. +* - core 0 From 66ec5bda5872bbf51eb480836d3ffb3bb2f934cf Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Fri, 15 Aug 2025 16:51:07 -0500 Subject: [PATCH 15/24] Remove obsolete Thunderbird configuration hardening --- etc/thunderbird/pref/40_security-misc.js | 59 ------------------------ 1 file changed, 59 deletions(-) delete mode 100644 etc/thunderbird/pref/40_security-misc.js diff --git a/etc/thunderbird/pref/40_security-misc.js b/etc/thunderbird/pref/40_security-misc.js deleted file mode 100644 index 931f9d2..0000000 --- a/etc/thunderbird/pref/40_security-misc.js +++ /dev/null 
@@ -1,59 +0,0 @@ -//#### Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC -//#### See the file COPYING for copying conditions. - -//#### meta start -//#### project Whonix and Kicksecure -//#### category security and apps -//#### description https://forums.whonix.org/t/enable-network-idn-show-punycode-by-default-in-thunderbird-to-fix-url-not-showing-real-domain-name-homograph-attack-punycode/8415 -//#### meta end - -// https://forums.whonix.org/t/enable-network-idn-show-punycode-by-default-in-thunderbird-to-fix-url-not-showing-real-domain-name-homograph-attack-punycode/8415 -pref("network.IDN_show_punycode", true); - -// Disable all and any kind of telemetry by default -pref("toolkit.telemetry.enabled", false); -pref("toolkit.telemetry.unified", false); -pref("toolkit.telemetry.shutdownPingSender.enabled", false); -pref("toolkit.telemetry.updatePing.enabled", false); -pref("toolkit.telemetry.archive.enabled", false); -pref("toolkit.telemetry.bhrPing.enabled", false); -pref("toolkit.telemetry.firstShutdownPing.enabled", false); -pref("toolkit.telemetry.newProfilePing.enabled", false); -pref("toolkit.telemetry.server", ""); // Defense in depth -pref("toolkit.telemetry.server_owner", ""); // Defense in depth -pref("datareporting.healthreport.uploadEnabled", false); -pref("datareporting.policy.dataSubmissionEnabled", false); -pref("toolkit.telemetry.coverage.opt-out", true); // from Firefox -pref("toolkit.coverage.opt-out", true); // from Firefox - -// Disable implicit outbound traffic -pref("network.connectivity-service.enabled", false); -pref("network.prefetch-next", false); -pref("network.dns.disablePrefetch", true); -pref("network.predictor.enabled", false); - -// No need to explain the problems with javascript -// If you want javascript, use your browser -// Thunderbird needs no javascript -// pref("javascript.enabled", false); // Will break setting up services that require redirecting to their javascripted webpage for login, like gmail etc. 
So commented out for now. - -// Disable scripting when viewing pdf files -user_pref("pdfjs.enableScripting", false); - -// If you want cookies, use your browser -pref("network.cookie.cookieBehavior", 2); - -// Do not send user agent information -// For email clients, this is more like a relic of the past -// Completely not necessary and just exposes a lot of information about the client -// Since v115.0 Thunderbird already minimizes the user agent -// But we want it gone for good for no information leak at all -// https://hg.mozilla.org/comm-central/rev/cbbbc8d93cd7 -pref("mailnews.headers.sendUserAgent", false); - -// Normally we send emails after marking them with a time stamp -// That includes our local time zone -// This option makes our local time zone appear as UTC -// And rounds the time stamp to the closes minute -// https://hg.mozilla.org/comm-central/rev/98aa0bf2e719 -pref("mail.sanitize_date_header", true); From cba16879eff9d3d998c127e41c38d2067cdf04cc Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Fri, 15 Aug 2025 17:16:42 -0500 Subject: [PATCH 16/24] Polish USBGuard configuration --- debian/control | 1 - etc/usbguard/rules.d/30_security-misc.conf | 43 +++++++++++++--------- 2 files changed, 26 insertions(+), 18 deletions(-) diff --git a/debian/control b/debian/control index 0dd839e..13143e4 100644 --- a/debian/control +++ b/debian/control @@ -32,7 +32,6 @@ Depends: adduser, python3, secure-delete, sudo, - usbguard, ${misc:Depends} Replaces: anon-gpg-tweaks, swappiness-lowest, tcp-timestamps-disable Description: Enhances Miscellaneous Security Settings diff --git a/etc/usbguard/rules.d/30_security-misc.conf b/etc/usbguard/rules.d/30_security-misc.conf index fd2bce9..9b63314 100644 --- a/etc/usbguard/rules.d/30_security-misc.conf +++ b/etc/usbguard/rules.d/30_security-misc.conf 
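Review bot: the commit message calls this Thunderbird hardening obsolete but does not say which of the deleted prefs Thunderbird now applies by default. The deleted file itself only documents that the user-agent minimization landed upstream (`Since v115.0 Thunderbird already minimizes the user agent`), while `network.IDN_show_punycode`, `mail.sanitize_date_header`, `network.cookie.cookieBehavior`, the prefetch/predictor settings and the telemetry block are given no such justification; please list the upstream defaults that cover each of them, or keep the ones that are still non-default.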
@@ -1,22 +1,31 @@ -# We allow those that were plugged in before the daemon starts. Everything is blocked as the default. Following rules apply on top of this. +## We allow devices that were plugged in before the daemon starts. Everything +## is blocked as the default. Following rules apply on top of this. -# Explicitly reject any interface that is not documented and/or defined by USB.org -# Note: Most probably superfluous -reject with-interface none-of { 01:*:* 02:*:* 03:*:* 04:*:* 05:*:* 06:*:* 07:*:* 08:*:* 09:*:* 0a:*:* 0b:*:* 0d:*:* 0e:*:* 0f:*:* 10:*:* 11:*:* 12:*:* 13:*:* 14:*:* 3c:*:* dc:*:* e0:*:* ef:*:* fe:*:* ff:*:*} +## Explicitly reject any interface that is not documented and/or defined by +## USB.org. +## Note: Most probably superfluous. +reject with-interface none-of { 00:*:* 01:*:* 02:*:* 03:*:* 05:*:* 06:*:* 07:*:* 08:*:* 09:*:* 0a:*:* 0b:*:* 0d:*:* 0e:*:* 0f:*:* 10:*:* 11:*:* 12:*:* 13:*:* 14:*:* 3c:*:* dc:*:* e0:*:* ef:*:* fe:*:* ff:*:* } -### Allow all mouses and keyboards, in a sense, so the user can conveniently change them without restrating the daemon. -### Take extra measures to ensure security +## Allow all mouses and keyboards, in a sense, so the user can conveniently +## change them without restrating the daemon. -# Allow only one keyboard to be connected -allow with-interface one-of { 03:00:01 03:01:01 } if !allowed-matches(with-interface one-of { 03:00:01 03:01:01 }) +## Allow only one keyboard to be connected +allow with-interface equals { 03:01:01 } if !allowed-matches(with-interface equals { 03:01:01 }) +## Allow only one mouse to be connected +allow with-interface equals { 03:01:02 } if !allowed-matches(with-interface equals { 03:01:02 }) +## NOTE: Some HID devices will have an interface of 03:00:00 - these are HID +## devices that do not support a "boot interface". **These are blocked +## entirely.** It is very likely that this will cause issues with some mice +## and keyboards. 
Also note, all HID devices other than mice and keyboards +## will be blocked, **including touchscreens.** -# Allow only one mouse to be connected -allow with-interface one-of { 03:00:02 03:01:02 } if !allowed-matches(with-interface one-of { 03:00:02 03:01:02 }) - -# Explicitly reject any device with a mouse/keyboard interface in combination with some other interface -# Mouses and keyboards should only have one interface for all legitimate use cases +## Explicitly reject any device with a mouse/keyboard interface in +## combination with some other interface. +## Mice and keyboards should likely never have non-HID interfaces provided +## alongside them. +reject with-interface all-of { 03:*:* 00:*:* } +reject with-interface all-of { 03:*:* 01:*:* } reject with-interface all-of { 03:*:* 02:*:* } -reject with-interface all-of { 03:*:* 04:*:* } reject with-interface all-of { 03:*:* 05:*:* } reject with-interface all-of { 03:*:* 06:*:* } reject with-interface all-of { 03:*:* 07:*:* } @@ -39,8 +48,8 @@ reject with-interface all-of { 03:*:* ef:*:* } reject with-interface all-of { 03:*:* fe:*:* } reject with-interface all-of { 03:*:* ff:*:* } -# Allow USB mass storage -# If and only if the USB device only has the mass storage interface and nothing extra -# Suspicious interface combinations with mass storage are blocked +## Allow USB mass storage, if and only if the USB device only has the mass +## storage interface and nothing extra. +## Suspicious interface combinations with mass storage are blocked. allow with-interface equals { 08:*:* } From 1f75426f079d6e0aecd8fac22088ad36a7c16398 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sat, 16 Aug 2025 02:20:00 +0000 Subject: [PATCH 17/24] Clarify docs for disabling 32-bit x86 support --- README.md | 2 +- etc/default/grub.d/40_kernel_hardening.cfg | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index e853332..2239824 100644 --- a/README.md +++ b/README.md 
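Review bot: dropping `usbguard,` from Depends in debian/control while this same patch keeps shipping etc/usbguard/rules.d/30_security-misc.conf means the rules file lands on systems with no daemon to read it. If the intent is to make USBGuard opt-in, list it under Recommends or Suggests and say in the README that these rules only take effect once the usbguard package is installed and the daemon is enabled.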
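Review bot: the new `allow with-interface equals { 03:01:01 }` / `{ 03:01:02 }` rules plus the added `reject with-interface all-of { 03:*:* 00:*:* }` and `{ 03:*:* 01:*:* }` lines block more than the added NOTE paragraph admits. `equals` only matches a device whose entire interface set is that single boot-protocol interface, so a keyboard that also exposes a second HID interface (media keys, or a non-boot 03:00:00 interface) no longer matches any allow rule, and the 03+01 reject also covers USB headsets (class 01 is audio) that carry HID volume controls. Because the header says devices present at daemon start stay allowed this is survivable, but the comment should state that only single-interface boot-protocol keyboards and mice are hot-pluggable and name the headset case, and the added comment lines should fix "mouses" and "restrating" to match the "Mice" wording used a few lines below.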
@@ -224,7 +224,7 @@ Kernel space: since it may be slightly more resilient to attacks that are able to write arbitrary executables in memory. -- Optional - Disable support for all x86 processes and syscalls to reduce attack surface. +- Optional - Disable support for all 32-bit x86 processes and syscalls to reduce attack surface. - Disable the EFI persistent storage feature which prevents the kernel from writing crash logs and other persistent data to either the UEFI variable storage or ACPI ERST backends. diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 1f3cc7c..0e6cbfe 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -210,7 +210,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0" ## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX cfi=kcfi" -## Disable support for x86 processes and syscalls. +## Disable support for all 32-bit x86 processes and syscalls. ## Unconditionally disables IA32 emulation to substantially reduce attack surface. ## ## https://lore.kernel.org/all/20230623111409.3047467-7-nik.borisov@suse.com/ From c33f7d04e2cef477b675fbf6c2a91583ba3bf808 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sat, 16 Aug 2025 03:32:48 +0000 Subject: [PATCH 18/24] Remove duplicate comment --- usr/lib/sysctl.d/990-security-misc.conf | 1 - 1 file changed, 1 deletion(-) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 139e2e6..be306df 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -185,7 +185,6 @@ kernel.perf_event_paranoid=3 ## ## See /usr/libexec/security-misc/panic-on-oops for implementation. ## -#kernel.panic=-1 #kernel.oops_limit=1 #kernel.warn_limit=1 From f1de0da69b46f91ea7fd34db601393d23599b3bb Mon Sep 17 00:00:00 2001 
From: raja-grewal Date: Sat, 16 Aug 2025 04:01:12 +0000 Subject: [PATCH 19/24] Clarify description on panics on oopses and warns --- usr/libexec/security-misc/panic-on-oops | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/usr/libexec/security-misc/panic-on-oops b/usr/libexec/security-misc/panic-on-oops index b5cb2e8..1add1ca 100755 --- a/usr/libexec/security-misc/panic-on-oops +++ b/usr/libexec/security-misc/panic-on-oops @@ -13,9 +13,10 @@ if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then fi ## Makes the kernel immediately panic on both oopses and warnings. -## This prevents the kernel from continuing to run a potentially -## flawed processes. Many kernel exploits will also cause an oops, -## these settings will make the kernel kill the offending processes. +## These settings force a full system crash rather than continuing +## to run after an inconsistent state is triggered by a potentially +## flawed processes. The reasons for the errors could be kernel +## exploit attempts but may also simply be general software bugs. sysctl kernel.oops_limit=1 sysctl kernel.warn_limit=1 From 247015bcc6e924e24874d16ed7ad78165ace58a3 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sun, 17 Aug 2025 06:27:44 +0000 Subject: [PATCH 20/24] Set `sysctl kernel.panic=-1` --- README.md | 15 ++++----------- usr/lib/sysctl.d/990-security-misc.conf | 6 ++++-- usr/libexec/security-misc/panic-on-oops | 6 +++--- 3 files changed, 11 insertions(+), 16 deletions(-) diff --git a/README.md b/README.md index b124a7a..425bd0d 100644 --- a/README.md +++ b/README.md 
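Review bot: the rewritten comment in panic-on-oops keeps the number mismatch from the old text, `a potentially flawed processes`; make it `a potentially flawed process`. The new wording is otherwise better because it no longer claims the kernel merely kills the offending process, but since `sysctl kernel.warn_limit=1` follows directly below, the comment should also say that a single WARN() from any driver, not only an exploit attempt, now takes the whole system down; that is the trade-off the reader needs to see next to the setting.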
@@ -47,7 +47,8 @@ configuration file and significant hardening is applied to a myriad of component - Force the kernel to immediately panic on both "oopses" (which can potentially indicate and thwart certain kernel exploitation attempts) and kernel warnings in the `WARN()` path. -- Optional - Force immediate reboot on the occurrence of a single kernel panic. +- Force immediate system reboot on the occurrence of a single kernel panic, reducing the + risk and impact of both denial of service and cold boot attacks. - Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. @@ -281,21 +282,13 @@ Completely disables `ptrace()`. Can be enabled easily if needed. **Non-compliance:** -2. `sysctl kernel.panic=-1` - -Forces an immediate reboot on kernel panic. This can be enabled, but it may lead to unexpected -system crashes. - -* [security-misc pull request #264](https://github.com/Kicksecure/security-misc/pull/264) -* [security-misc pull request #268](https://github.com/Kicksecure/security-misc/pull/268) - -3. `sysctl user.max_user_namespaces=0` +2. `sysctl user.max_user_namespaces=0` Disables user namespaces entirely. Not recommended due to the potential for widespread breakages. * [security-misc pull request #263](https://github.com/Kicksecure/security-misc/pull/263) -4. `sysctl fs.binfmt_misc.status=0` +3. `sysctl fs.binfmt_misc.status=0` Disables the registration of interpreters for miscellaneous binary formats. Currently not feasible due to compatibility issues with Firefox. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index be306df..3c43d8d 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf 
@@ -189,9 +189,11 @@ kernel.perf_event_paranoid=3 #kernel.warn_limit=1 ## Force immediate system reboots on the occurrence of a single kernel panic. -## This is an extreme safety option which also creates a large opening for targeted denial of service attacks. +## Ensures the system does not hang forever if a panic occurs, reducing susceptibility to cold boot attacks. +## Increases resilience and limits impact of denial of service attacks as system automatically restarts. +## Immediate rebooting also prevents persistent information disclosure on panic details that were dumped to screen. ## -## KSPP=no +## KSPP=yes ## KSPP sets CONFIG_PANIC_TIMEOUT=-1. ## ## See /usr/libexec/security-misc/panic-on-oops for implementation. diff --git a/usr/libexec/security-misc/panic-on-oops b/usr/libexec/security-misc/panic-on-oops index 1add1ca..83ceeac 100755 --- a/usr/libexec/security-misc/panic-on-oops +++ b/usr/libexec/security-misc/panic-on-oops @@ -21,6 +21,6 @@ sysctl kernel.oops_limit=1 sysctl kernel.warn_limit=1 ## Makes the system immediately reboot on the occurrence of a single -## kernel panic. This is an extreme safety option which also creates -## a large opening for targeted denial of service attacks. -#sysctl kernel.panic=-1 +## kernel panic. This reduces the risk and impact of both denial of +## service and cold boot attacks. +sysctl kernel.panic=-1 From 6df3e3cde8053d6b2771f510457da774336546bf Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sun, 17 Aug 2025 06:32:11 +0000 Subject: [PATCH 21/24] Update kernel panic service description --- usr/lib/systemd/system/panic-on-oops.service | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/lib/systemd/system/panic-on-oops.service b/usr/lib/systemd/system/panic-on-oops.service index 6b10ddc..429af3d 100644 --- a/usr/lib/systemd/system/panic-on-oops.service +++ b/usr/lib/systemd/system/panic-on-oops.service 
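Review bot: the README hunk removes the **Non-compliance** entry for `sysctl kernel.panic=-1`, and with it the warning that it "may lead to unexpected system crashes" and the links to security-misc pull requests #264 and #268, while the replacement bullet near line 47 states only benefits. Keep one sentence on the downside (every oops or WARN() now ends in an immediate reboot, given the oops_limit/warn_limit bullet just above) and point at the `panic-on-oops=0` kernel command-line opt-out that panic-on-oops.service honours through `ConditionKernelCommandLine=!panic-on-oops=0`, so the PR references and the escape hatch are not lost.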
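Review bot: in the 990-security-misc.conf hunk, changing `## KSPP=no` to `## KSPP=yes` fixes a contradiction with the unchanged next line `## KSPP sets CONFIG_PANIC_TIMEOUT=-1.`, but the three new rationale lines drop the deleted line's denial-of-service point instead of answering it. Automatic reboot limits the impact of an accidental crash, yet an attacker who can repeatedly trigger an oops (and `kernel.oops_limit=1` above turns every oops into a panic) now gets a reboot loop rather than a hung machine; suggest keeping a clause that states this trade-off beside the cold boot and information-disclosure benefits, in this file and in the matching panic-on-oops comment.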
@@ -2,7 +2,7 @@ ## See the file COPYING for copying conditions. [Unit] -Description=Sets 'sysctl kernel.panic_on_oops=1' late during the boot process. +Description=Sets 'sysctl' settings relating to kernel panics on both oopses and warnings late during the boot process. Documentation=https://github.com/Kicksecure/security-misc ConditionKernelCommandLine=!panic-on-oops=0 From e06b78a52225db02415aeafb833160c9ea0280d9 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sun, 17 Aug 2025 07:05:32 +0000 Subject: [PATCH 22/24] Temporarily revert IA32 doc updates --- README.md | 5 +++-- etc/default/grub.d/40_kernel_hardening.cfg | 5 ++++- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 2239824..7f3eead 100644 --- a/README.md +++ b/README.md @@ -224,8 +224,9 @@ Kernel space: since it may be slightly more resilient to attacks that are able to write arbitrary executables in memory. -- Optional - Disable support for all 32-bit x86 processes and syscalls to reduce attack surface. - +- Optional - Disable support for all x86 processes and syscalls (when using Linux kernel >= 6.7) + to reduce attack surface. + - Disable the EFI persistent storage feature which prevents the kernel from writing crash logs and other persistent data to either the UEFI variable storage or ACPI ERST backends. diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 0e6cbfe..671c28b 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -210,7 +210,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0" ## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX cfi=kcfi" -## Disable support for all 32-bit x86 processes and syscalls. +## Disable support for x86 processes and syscalls. ## Unconditionally disables IA32 emulation to substantially reduce attack surface. ## ## https://lore.kernel.org/all/20230623111409.3047467-7-nik.borisov@suse.com/ 
@@ -218,6 +218,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0" ## KSPP=yes ## KSPP does not set CONFIG_COMPAT, CONFIG_IA32_EMULATION, CONFIG_X86_X32, CONFIG_X86_X32_ABI, and CONFIG_MODIFY_LDT_SYSCALL. ## +## TODO: Debian 13 Trixie +## Applicable when using Linux kernel >= 6.7 (retained here for future-proofing and completeness). +## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0" ## Disable EFI persistent storage feature. From 3de9cd5646ad45fe745711b83f79f4d469fc8473 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sun, 17 Aug 2025 07:06:55 +0000 Subject: [PATCH 23/24] Remove whitespace --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 7f3eead..180dfa7 100644 --- a/README.md +++ b/README.md @@ -226,7 +226,7 @@ Kernel space: - Optional - Disable support for all x86 processes and syscalls (when using Linux kernel >= 6.7) to reduce attack surface. - + - Disable the EFI persistent storage feature which prevents the kernel from writing crash logs and other persistent data to either the UEFI variable storage or ACPI ERST backends. From f175d1961e4e028539f5a90c0db1fcd1f760cdba Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sun, 17 Aug 2025 07:08:08 +0000 Subject: [PATCH 24/24] Enable `ia32_emulation=0` --- README.md | 3 +-- etc/default/grub.d/40_kernel_hardening.cfg | 7 ++----- 2 files changed, 3 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index ac12886..6a98c52 100644 --- a/README.md +++ b/README.md 
@@ -225,8 +225,7 @@ Kernel space: since it may be slightly more resilient to attacks that are able to write arbitrary executables in memory. -- Optional - Disable support for all x86 processes and syscalls (when using Linux kernel >= 6.7) - to reduce attack surface. +- Disable support for all 32-bit x86 processes and syscalls to reduce attack surface. - Disable the EFI persistent storage feature which prevents the kernel from writing crash logs and other persistent data to either the UEFI variable storage or ACPI ERST backends. diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 671c28b..5ac2c8c 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -210,7 +210,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0" ## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX cfi=kcfi" -## Disable support for x86 processes and syscalls. +## Disable support for all 32-bit x86 processes and syscalls. ## Unconditionally disables IA32 emulation to substantially reduce attack surface. ## ## https://lore.kernel.org/all/20230623111409.3047467-7-nik.borisov@suse.com/ @@ -218,10 +218,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0" ## KSPP=yes ## KSPP does not set CONFIG_COMPAT, CONFIG_IA32_EMULATION, CONFIG_X86_X32, CONFIG_X86_X32_ABI, and CONFIG_MODIFY_LDT_SYSCALL. ## -## TODO: Debian 13 Trixie -## Applicable when using Linux kernel >= 6.7 (retained here for future-proofing and completeness). -## -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0" ## Disable EFI persistent storage feature. ## Disable Error Record Serialization Table (ERST) support as a form of defense-in-depth.
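Review bot: making `GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0"` unconditional also deletes the `Applicable when using Linux kernel >= 6.7` note that patch 22 had just added; on an older kernel the parameter is not recognised and IA32 emulation stays enabled, so keep the version requirement in the comment and in the README bullet, which now reads as if the hardening always applies. Patches 17, 22, 23 and 24 also revert and re-apply the same two lines in README.md and 40_kernel_hardening.cfg; squash them so the series lands one final state for those files.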