Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2024-10-01 08:25:45 -04:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'github-kicksecure/master'

Browse Source
This commit is contained in:
Patrick Schleizer 2024-08-04 16:20:36 -04:00
commit fa9091869d
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
2 changed files with 4 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
README.md
View File

@ -36,8 +36,8 @@ space, user space, core dumps, and swap space.
- Entirely disable the SysRq key so that the Secure Attention Key (SAK)
can no longer be utilized. See [documentation](https://www.kicksecure.com/wiki/SysRq).
- Provide the option to disable unprivileged user namespaces as they can lead to
substantial privilege escalation.
- Restrict user namespaces to `CAP_SYS_ADMIN` as they can lead to substantial
privilege escalation.
- Restrict kernel profiling and the performance events system to `CAP_PERFMON`.

6
usr/lib/sysctl.d/990-security-misc.conf
View File

@ -92,14 +92,12 @@ kernel.sysrq=0
## Restrict user namespaces to users with CAP_SYS_ADMIN.
## User namespaces aim to improve sandboxing and accessibility for unprivileged users.
## Unprivileged user namespaces pose substantial privilege escalation risks.
## Restricting is known to cause breakages across numerous software packages.
## Restricting may lead to breakages in numerous software packages.
##
## https://madaidans-insecurities.github.io/linux.html#kernel
## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers
##
## Unprivileged user namespaces are currently enabled.
##
#kernel.unprivileged_userns_clone=0
kernel.unprivileged_userns_clone=0
## Restricts kernel profiling to users with CAP_PERFMON.
## The performance events system should not be accessible by unprivileged users.