Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2024-10-01 08:25:45 -04:00
Code Issues Packages Projects Releases Wiki Activity

README.md

Browse Source
This commit is contained in:
monsieuremre 2023-11-04 14:33:35 +00:00 committed by GitHub
parent 97054b2b10
commit fbd9e5d017
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 52 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

59
README.md
View File

@ -42,15 +42,21 @@ arbitrary code execution in kernel mode.
* Prevents unintentional writes to attacker-controlled files.
* Prevents common symlink and hardlink TOCTOU races.
<!--
* Restricts the SysRq key so it can only be used for shutdowns and the
Secure Attention Key.
-->
* Disables SysRq completely.
* The kernel is only allowed to swap if it is absolutely necessary. This
prevents writing potentially sensitive contents of memory to disk.
* TCP timestamps are disabled as it can allow detecting the system time.
* Enforces the logging of martian packets, those with a source address which is blatantly wrong.
* Set coredump file name based on core_pattern value instead of the default of naming it 'core'.
### mmap ASLR
* The bits of entropy used for mmap ASLR are maxed out via
@ -102,6 +108,10 @@ See:
* `/etc/default/grub.d/40_only_allow_signed_modules.cfg`
#### Disables the loading of new modules to the kernel after the fact
A systemd service dynamically sets the kernel parameter ```modules_disabled``` to 1, preventing new modules from being loaded. Since this isn't configured directly within systemctl, it does not break the loading of legitimate and necessary modules for the user, like drivers etc., given they are plugged in on startup.
#### Disables and blacklists kernel modules
Certain kernel modules are disabled and blacklisted by default to reduce attack surface via the
@ -111,9 +121,6 @@ Certain kernel modules are disabled and blacklisted by default to reduce attack
increases kernel attack surface by enabling superfluous functionality
such as IRC parsing in the kernel. Hence, this feature is disabled.
* Bluetooth is disabled to reduce attack surface. Bluetooth has
a lengthy history of security concerns.
* Thunderbolt and numerous FireWire kernel modules are also disabled as they are
often vulnerable to DMA attacks.
@ -199,7 +206,7 @@ this is not needed for `dracut` because `dracut` does that by default, at least
on `systemd` enabled systems. Not researched for non-`systemd` systems by the
author of this part of the readme.
## Network hardening
## Network & Bluetooth hardening
* TCP syncookies are enabled to prevent SYN flood attacks.
@ -216,6 +223,14 @@ dropping RST packets for sockets in the time-wait state.
* Reverse path filtering is enabled to prevent IP spoofing and mitigate
vulnerabilities such as CVE-2019-14899.
* Unlike version 4, IPv6 addresses can provide information not only about the originating network, but also the originating device.
We prevent this from happening by enabling the respective privacy extensions for IPv6.
* In addition, we deny the capability to track the originating device in the network at all, by using randomized MAC addresses per connection per default.
* Bluetooth is left enabled but users are highly discouraged from ever turning it on, due to its history of numerous security vulnurabilities. Unlike the default settings,
we start the system with bluetooth turned off. We also enforce private addresses and strict timeout settings for discoverability and visibility.
## Entropy collection improvements
* The `jitterentropy_rng` kernel module is loaded as early as possible
@ -230,6 +245,11 @@ audit, may contain weaknesses or a backdoor. For references, see:
## Restrictive mount options
A systemd service is triggered on boot to remount all sensitive partitions and directories with significantly more secure hardened mount options.
Since this would require manual tuning for a given specific system, we handle it by creating a very solid configuration file for that very system on package install.
<!--
Not enabled by default yet. In development. Help welcome.
https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/
@ -246,7 +266,7 @@ To disable this, execute `touch /etc/remount-disable` as root.
Alternatively, file `/usr/local/etc/remount-disable` or `/usr/local/etc/noexec`
could be used.
-->
## Root access restrictions
* `su` is restricted to only users within the group `sudo` which prevents
@ -373,6 +393,22 @@ See:
### SUID / SGID removal and permission hardening
#### SUID / SGID removal
A systemd service removes SUID / SGID bits from non-essential binaries as
these are often used in privilege escalation attacks.
#### File permission hardening
Various file permissions are reset with more secure and hardened defaults. These include but are not limited to:
* Limiting ```/home``` and ```/root``` to the root only.
* Limiting crontab to root as well as all the configuration files for cron.
* Limiting the configuration for cups and ssh.
* Protecting the information of sudoers from others.
* Protecting various system relevant files and modules.
<!--
Not enabled by default yet.
A systemd service removes SUID / SGID bits from non-essential binaries as
@ -400,7 +436,7 @@ See:
* `/usr/bin/pkexec.security-misc`
* https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040
* https://forums.whonix.org/t/cannot-use-pkexec/8129
-->
## Application-specific hardening
* Enables "`apt-get --error-on=any`" which makes apt exit non-zero for
@ -410,8 +446,13 @@ See:
* Deactivates previews in Nautilus -
`/usr/share/glib-2.0/schemas/30_security-misc.gschema.override`.
* Deactivates thumbnails in Thunar.
* Displays domain names in punycode (`network.IDN_show_punycode`) in
Thunderbird to prevent IDN homograph attacks (a form of phishing).
* Thunderbird is hardened with the following options:
* Displays domain names in punycode to prevent IDN homograph attacks (a form of phishing).
* Strips email client information for sent email headers.
* Stripts user time information from sent email headers by replacing the originating time zone with UTC and rounding the timestamp to the nearest minute.
* Disables scripting when viewing pdf files.
* Disables implicit outgoing connections.
* Disables all and any kind of telemetry.
* Security and privacy enhancements for gnupg's config file
`/etc/skel/.gnupg/gpg.conf`. See also: