From fa820e897895eda93011a0f2bbd915ffffcb1459 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 12 Oct 2023 10:40:27 -0400 Subject: [PATCH 001/846] refactoring environment variables loading mechanism --- debian/security-misc.links | 2 ++ debian/security-misc.maintscript | 3 +++ etc/X11/Xsession.d/50security-misc | 9 --------- .../50panic_on_oops => profile.d/security-misc.sh} | 5 +++++ 4 files changed, 10 insertions(+), 9 deletions(-) create mode 100644 debian/security-misc.links delete mode 100755 etc/X11/Xsession.d/50security-misc rename etc/{X11/Xsession.d/50panic_on_oops => profile.d/security-misc.sh} (66%) diff --git a/debian/security-misc.links b/debian/security-misc.links new file mode 100644 index 0000000..97e2e5a --- /dev/null +++ b/debian/security-misc.links @@ -0,0 +1,2 @@ +/etc/profile.d/security-misc.sh /etc/zprofile.d/security-misc.sh +/etc/profile.d/security-misc.sh /etc/X11/Xsession.d/security-misc.sh diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript index 4be0d9a..177005f 100644 --- a/debian/security-misc.maintscript +++ b/debian/security-misc.maintscript @@ -40,3 +40,6 @@ rm_conffile /etc/security/limits.d/disable-coredumps.conf ## moved to separate package ram-wipe rm_conffile /etc/default/grub.d/40_cold_boot_attack_defense.cfg + +rm_conffile /etc/X11/Xsession.d/50panic_on_oops +rm_conffile /etc/X11/Xsession.d/50security-misc diff --git a/etc/X11/Xsession.d/50security-misc b/etc/X11/Xsession.d/50security-misc deleted file mode 100755 index 0d8efce..0000000 --- a/etc/X11/Xsession.d/50security-misc +++ /dev/null @@ -1,9 +0,0 @@ -#!/bin/sh - -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -if [ -z "$XDG_CONFIG_DIRS" ]; then - XDG_CONFIG_DIRS=/etc/xdg -fi -export XDG_CONFIG_DIRS=/usr/share/security-misc/:$XDG_CONFIG_DIRS 
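Review bot: Both new `rm_conffile` entries in debian/security-misc.maintscript omit the prior-version argument, so, as far as I recall dpkg-maintscript-helper(1), the removal is attempted on every upgrade instead of once at the version that dropped the files. The existing entries in this file do the same, so the hunk is consistent, but pinning the version that first ships the rename makes the operation a one-off by construction: `rm_conffile /etc/X11/Xsession.d/50panic_on_oops <version-that-ships-this-change>`. Only the tail of the file is visible here, so I cannot see whether earlier entries set a version.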
diff --git a/etc/X11/Xsession.d/50panic_on_oops b/etc/profile.d/security-misc.sh similarity index 66% rename from etc/X11/Xsession.d/50panic_on_oops rename to etc/profile.d/security-misc.sh index 79646cb..51ba00e 100755 --- a/etc/X11/Xsession.d/50panic_on_oops +++ b/etc/profile.d/security-misc.sh @@ -3,6 +3,11 @@ ## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. +if [ -z "$XDG_CONFIG_DIRS" ]; then + XDG_CONFIG_DIRS=/etc/xdg +fi +export XDG_CONFIG_DIRS=/usr/share/security-misc/:$XDG_CONFIG_DIRS + if [ -x /usr/libexec/security-misc/panic-on-oops ]; then sudo --non-interactive /usr/libexec/security-misc/panic-on-oops fi From e96e6aa38e29888a64fa35f85becc1596118a812 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 12 Oct 2023 10:43:40 -0400 Subject: [PATCH 002/846] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 0158fba..5e71580 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit fa820e897895eda93011a0f2bbd915ffffcb1459 +Author: Patrick Schleizer +Date: Thu Oct 12 10:40:27 2023 -0400 + + refactoring environment variables loading mechanism + +commit 358e4226f1b3db32e560e4bbe1c663828eac7059 +Author: Patrick Schleizer +Date: Mon Jul 17 11:48:35 2023 -0400 + + bumped changelog version + commit 81ad786dfcdd416056c6ae8a9d02231bda6fcbde Author: Patrick Schleizer Date: Mon Jul 17 11:19:07 2023 -0400 diff --git a/debian/changelog b/debian/changelog index e289373..b54253a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:29.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 12 Oct 2023 14:43:40 +0000 + security-misc (3:29.4-1) unstable; urgency=medium * New upstream version (local package). From 2d4524108445829d7ac80e828e9a1442cf038a6b Mon Sep 17 00:00:00 2001 
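Review bot: The moved script is now sourced by /etc/profile.d for every login shell and, through the symlinks added in debian/security-misc.links in this same patch, again from Xsession.d and zprofile.d, so the `sudo --non-interactive /usr/libexec/security-misc/panic-on-oops` call runs once per shell start and the new `export XDG_CONFIG_DIRS=/usr/share/security-misc/:$XDG_CONFIG_DIRS` prepends the directory on every sourcing, duplicating it from the second time on. Provided the file is only ever sourced, an exported marker checked at the top avoids both, e.g. `[ -n "${SECURITY_MISC_PROFILE_DONE:-}" ] && return 0` followed by `export SECURITY_MISC_PROFILE_DONE=1` after the work is done (constructed name). Whether the Xsession.d and zprofile.d consumers source rather than execute the file is not visible here and decides whether `return` is safe.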
From: Patrick Schleizer Date: Thu, 12 Oct 2023 11:37:01 -0400 Subject: [PATCH 003/846] avoid duplicate environment variables --- etc/profile.d/security-misc.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/etc/profile.d/security-misc.sh b/etc/profile.d/security-misc.sh index 51ba00e..026a702 100755 --- a/etc/profile.d/security-misc.sh +++ b/etc/profile.d/security-misc.sh @@ -6,7 +6,9 @@ if [ -z "$XDG_CONFIG_DIRS" ]; then XDG_CONFIG_DIRS=/etc/xdg fi -export XDG_CONFIG_DIRS=/usr/share/security-misc/:$XDG_CONFIG_DIRS +if ! echo "$XDG_CONFIG_DIRS" | grep --quiet /usr/share/security-misc/ ; then + export XDG_CONFIG_DIRS=/usr/share/security-misc/:$XDG_CONFIG_DIRS +fi if [ -x /usr/libexec/security-misc/panic-on-oops ]; then sudo --non-interactive /usr/libexec/security-misc/panic-on-oops From 13a4f37e50805a0e51b8f63808e166318e39a074 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 12 Oct 2023 12:51:37 -0400 Subject: [PATCH 004/846] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 5e71580..1355f69 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit 2d4524108445829d7ac80e828e9a1442cf038a6b +Author: Patrick Schleizer +Date: Thu Oct 12 11:37:01 2023 -0400 + + avoid duplicate environment variables + +commit e96e6aa38e29888a64fa35f85becc1596118a812 +Author: Patrick Schleizer +Date: Thu Oct 12 10:43:40 2023 -0400 + + bumped changelog version + commit fa820e897895eda93011a0f2bbd915ffffcb1459 Author: Patrick Schleizer Date: Thu Oct 12 10:40:27 2023 -0400 diff --git a/debian/changelog b/debian/changelog index b54253a..959457b 100644 --- a/debian/changelog +++ b/debian/changelog 
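Review bot: The duplicate check on the new `if` forks `echo` and `grep` for every login shell, and the unquoted pattern is an unanchored regex rather than an exact path element, so it is also satisfied by a value such as `/usr/share/security-misc/foo` and does not distinguish a path that merely contains the directory from one that lists it. A builtin-only, POSIX-sh form that tests for an exact colon-separated element is `case ":${XDG_CONFIG_DIRS}:" in *:/usr/share/security-misc/:*) ;; *) export XDG_CONFIG_DIRS=/usr/share/security-misc/:$XDG_CONFIG_DIRS ;; esac`. If the grep is kept, `grep --quiet --fixed-strings -- /usr/share/security-misc/` at least drops the regex interpretation.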
@@ -1,3 +1,9 @@ +security-misc (3:29.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 12 Oct 2023 16:51:37 +0000 + security-misc (3:29.5-1) unstable; urgency=medium * New upstream version (local package). From 645ee814e4f3dc330dd6fb24ec4fac0e278c4f42 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 13 Oct 2023 15:22:48 -0400 Subject: [PATCH 005/846] fix --- etc/profile.d/security-misc.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/etc/profile.d/security-misc.sh b/etc/profile.d/security-misc.sh index 026a702..351d3ed 100755 --- a/etc/profile.d/security-misc.sh +++ b/etc/profile.d/security-misc.sh @@ -11,5 +11,6 @@ if ! echo "$XDG_CONFIG_DIRS" | grep --quiet /usr/share/security-misc/ ; then fi if [ -x /usr/libexec/security-misc/panic-on-oops ]; then - sudo --non-interactive /usr/libexec/security-misc/panic-on-oops + ## Hide output. Otherwise could confuse Qubes UpdatesProxy. + sudo --non-interactive /usr/libexec/security-misc/panic-on-oops 1>/dev/null 2>/dev/null fi From dd43ab634d9ab0a59234798e1b14ba99099c65c9 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 13 Oct 2023 15:22:58 -0400 Subject: [PATCH 006/846] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 1355f69..5f28217 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit 645ee814e4f3dc330dd6fb24ec4fac0e278c4f42 +Author: Patrick Schleizer +Date: Fri Oct 13 15:22:48 2023 -0400 + + fix + +commit 13a4f37e50805a0e51b8f63808e166318e39a074 +Author: Patrick Schleizer +Date: Thu Oct 12 12:51:37 2023 -0400 + + bumped changelog version + commit 2d4524108445829d7ac80e828e9a1442cf038a6b Author: Patrick Schleizer Date: Thu Oct 12 11:37:01 2023 -0400 diff --git a/debian/changelog b/debian/changelog index 959457b..aff8c31 100644 --- a/debian/changelog 
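Review bot: Redirecting both stdout and stderr of the sudo call to /dev/null also hides the reasons it can fail (missing sudoers rule, helper error), while the new comment justifies silencing stdout only, and the exit status is dropped as well, so a system on which the oops-panic setting is not applied gives no indication at all. Consider keeping stderr, `sudo --non-interactive /usr/libexec/security-misc/panic-on-oops 1>/dev/null`, or, if stderr must also stay out of the session output, forwarding it to the journal with `logger` so the failure is at least recorded. Whether stderr also confuses Qubes UpdatesProxy is not visible here; if it does, saying so in the comment would justify the second redirection.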
+++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:29.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 13 Oct 2023 19:22:58 +0000 + security-misc (3:29.6-1) unstable; urgency=medium * New upstream version (local package). From d543825d85a5d84274c21cd85db6df777948606e Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 21 Oct 2023 12:24:59 -0400 Subject: [PATCH 007/846] comments --- debian/security-misc.links | 2 +- etc/default/grub.d/40_kernel_hardening.cfg | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/debian/security-misc.links b/debian/security-misc.links index 97e2e5a..54eff1b 100644 --- a/debian/security-misc.links +++ b/debian/security-misc.links @@ -1,2 +1,2 @@ /etc/profile.d/security-misc.sh /etc/zprofile.d/security-misc.sh -/etc/profile.d/security-misc.sh /etc/X11/Xsession.d/security-misc.sh +/etc/profile.d/security-misc.sh /etc/X11/Xsession.d/security-misc diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index b673d6d..be7c40c 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -59,6 +59,6 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713 ## Implemented differently: ## /usr/libexec/security-misc/panic-on-oops -## /etc/X11/Xsession.d/50panic_on_oops +## /etc/profile.d/security-misc.sh ## /etc/sudoers.d/security-misc #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX oops=panic" From 43375fa1f4d32f04907edf1297fef737342b49ea Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 21 Oct 2023 12:34:59 -0400 Subject: [PATCH 008/846] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 5f28217..1cae316 100644 
--- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit d543825d85a5d84274c21cd85db6df777948606e +Author: Patrick Schleizer +Date: Sat Oct 21 12:24:59 2023 -0400 + + comments + +commit dd43ab634d9ab0a59234798e1b14ba99099c65c9 +Author: Patrick Schleizer +Date: Fri Oct 13 15:22:58 2023 -0400 + + bumped changelog version + commit 645ee814e4f3dc330dd6fb24ec4fac0e278c4f42 Author: Patrick Schleizer Date: Fri Oct 13 15:22:48 2023 -0400 diff --git a/debian/changelog b/debian/changelog index aff8c31..72ca8d0 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:29.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 21 Oct 2023 16:34:59 +0000 + security-misc (3:29.7-1) unstable; urgency=medium * New upstream version (local package). From ae2c1c5a7a02a5f3f6a8bcd4a90fdc9e3b512e62 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 21 Oct 2023 14:18:50 -0400 Subject: [PATCH 009/846] fix xession environment variable --- debian/security-misc.links | 4 ++-- etc/profile.d/{security-misc.sh => 30_security-misc.sh} | 0 2 files changed, 2 insertions(+), 2 deletions(-) rename etc/profile.d/{security-misc.sh => 30_security-misc.sh} (100%) diff --git a/debian/security-misc.links b/debian/security-misc.links index 54eff1b..308f070 100644 --- a/debian/security-misc.links +++ b/debian/security-misc.links @@ -1,2 +1,2 @@ -/etc/profile.d/security-misc.sh /etc/zprofile.d/security-misc.sh -/etc/profile.d/security-misc.sh /etc/X11/Xsession.d/security-misc +/etc/profile.d/30_security-misc.sh /etc/zprofile.d/30_security-misc.zsh +/etc/profile.d/30_security-misc.sh /etc/X11/Xsession.d/30_security-misc diff --git a/etc/profile.d/security-misc.sh b/etc/profile.d/30_security-misc.sh similarity index 100% rename from etc/profile.d/security-misc.sh rename to etc/profile.d/30_security-misc.sh From ef3f1575733c668f652326cdb4f4fba8c71bf0ed Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Sat, 21 Oct 2023 14:19:24 -0400 Subject: [PATCH 010/846] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 1cae316..b4865b7 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit ae2c1c5a7a02a5f3f6a8bcd4a90fdc9e3b512e62 +Author: Patrick Schleizer +Date: Sat Oct 21 14:18:50 2023 -0400 + + fix xession environment variable + +commit 43375fa1f4d32f04907edf1297fef737342b49ea +Author: Patrick Schleizer +Date: Sat Oct 21 12:34:59 2023 -0400 + + bumped changelog version + commit d543825d85a5d84274c21cd85db6df777948606e Author: Patrick Schleizer Date: Sat Oct 21 12:24:59 2023 -0400 diff --git a/debian/changelog b/debian/changelog index 72ca8d0..caebc24 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:29.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 21 Oct 2023 18:19:24 +0000 + security-misc (3:29.8-1) unstable; urgency=medium * New upstream version (local package). From ac63b0eb3db3d168908459fecd6b3275cce015bc Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 05:41:11 -0400 Subject: [PATCH 011/846] remove duplicate --- lib/systemd/system/remount-secure.service | 1 - 1 file changed, 1 deletion(-) diff --git a/lib/systemd/system/remount-secure.service b/lib/systemd/system/remount-secure.service index 2e08b65..831fc3e 100644 --- a/lib/systemd/system/remount-secure.service +++ b/lib/systemd/system/remount-secure.service @@ -16,7 +16,6 @@ After=qubes-sysinit.service Type=oneshot RemainAfterExit=yes ExecStart=/usr/libexec/security-misc/remount-secure -RemainAfterExit=yes [Install] WantedBy=sysinit.target From 59a5fea25d0b0c39a6e7b3b11f9242ebe5eaa462 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Sun, 22 Oct 2023 05:41:56 -0400 Subject: [PATCH 012/846] documentation --- lib/systemd/system/hide-hardware-info.service | 2 +- lib/systemd/system/permission-hardening.service | 2 +- lib/systemd/system/proc-hidepid.service | 2 +- lib/systemd/system/remount-secure.service | 2 +- lib/systemd/system/remove-system-map.service | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/lib/systemd/system/hide-hardware-info.service b/lib/systemd/system/hide-hardware-info.service index d1e02fd..45c3e90 100644 --- a/lib/systemd/system/hide-hardware-info.service +++ b/lib/systemd/system/hide-hardware-info.service @@ -3,7 +3,7 @@ [Unit] Description=Hide hardware information to unprivileged users -Documentation=https://github.com/Whonix/security-misc +Documentation=https://github.com/Kicksecure/security-misc DefaultDependencies=no Before=sysinit.target Requires=local-fs.target diff --git a/lib/systemd/system/permission-hardening.service b/lib/systemd/system/permission-hardening.service index 4987d02..8e9d81c 100644 --- a/lib/systemd/system/permission-hardening.service +++ b/lib/systemd/system/permission-hardening.service @@ -3,7 +3,7 @@ [Unit] Description=SUID, SGID, Capability and File Permission Hardening -Documentation=https://github.com/Whonix/security-misc +Documentation=https://github.com/Kicksecure/security-misc DefaultDependencies=no Before=sysinit.target diff --git a/lib/systemd/system/proc-hidepid.service b/lib/systemd/system/proc-hidepid.service index 8d4d207..6c989c7 100644 --- a/lib/systemd/system/proc-hidepid.service +++ b/lib/systemd/system/proc-hidepid.service @@ -3,7 +3,7 @@ [Unit] Description=Mounts /proc with hidepid=2 -Documentation=https://github.com/Whonix/security-misc +Documentation=https://github.com/Kicksecure/security-misc DefaultDependencies=no Before=sysinit.target Requires=local-fs.target 
diff --git a/lib/systemd/system/remount-secure.service b/lib/systemd/system/remount-secure.service index 831fc3e..6adfcbc 100644 --- a/lib/systemd/system/remount-secure.service +++ b/lib/systemd/system/remount-secure.service @@ -3,7 +3,7 @@ [Unit] Description=remount /home /tmp /dev/shm /run with nosuid,nodev (default) and noexec (opt-in) -Documentation=https://github.com/Whonix/security-misc +Documentation=https://github.com/Kicksecure/security-misc DefaultDependencies=no Before=sysinit.target diff --git a/lib/systemd/system/remove-system-map.service b/lib/systemd/system/remove-system-map.service index 1675c77..3614f55 100644 --- a/lib/systemd/system/remove-system-map.service +++ b/lib/systemd/system/remove-system-map.service @@ -3,7 +3,7 @@ [Unit] Description=Removes the System.map files -Documentation=https://github.com/Whonix/security-misc +Documentation=https://github.com/Kicksecure/security-misc DefaultDependencies=no Before=sysinit.target Requires=local-fs.target From abc35927345e14bbe4b9f13d205a648ce7a8bd8d Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 06:23:48 -0400 Subject: [PATCH 013/846] remount-secure: stricter error handling --- usr/libexec/security-misc/remount-secure | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/remount-secure b/usr/libexec/security-misc/remount-secure index 57a26ca..5bc6c06 100755 --- a/usr/libexec/security-misc/remount-secure +++ b/usr/libexec/security-misc/remount-secure @@ -10,11 +10,14 @@ set -x set -e +set -o pipefail +set -o nounset if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then ## pre.bsh would `source` the following folders: ## /etc/remount-secure_pre.d/*.conf ## /usr/local/etc/remount-secure_pre.d/*.conf + # shellcheck disable=SC1091 source /usr/libexec/helper-scripts/pre.bsh fi 
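Review bot: Enabling `set -o pipefail` changes the meaning of the existing `if echo "$mount_output" | grep --quiet "$mount_folder "` tests inside remount_secure (they appear as context in the later hunks of this file): `grep --quiet` exits on the first match, the write error that the `## BUG: echo: write error: Broken pipe` comment already records then makes the whole pipeline non-zero, and a folder that is mounted can be treated as not mounted and fall into the `--bind` branch. Removing the producer avoids the race entirely, e.g. `if grep --quiet -- "$mount_folder " <<< "$mount_output"; then`, or a bash pattern test `[[ "$mount_output" == *"$mount_folder "* ]]`. `set -o nounset` looks safe given the `[[ -v ... ]]` defaults added in the next hunk.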
@@ -37,10 +40,15 @@ fi mkdir --parents "/var/run/remount-secure" +[[ -v noexec ]] || noexec="" +[[ -v noexec_maybe ]] || noexec_maybe="" + if [ "$noexec" = "true" ]; then noexec_maybe=",noexec" fi +command -v str_replace >/dev/null + exit_code=0 mount_output="$(mount)" @@ -55,7 +63,7 @@ remount_secure() { ## example status_file_full_path: ## /var/run/remount-secure/_home - ## LANG=C str_replace is provided by package helper-scripts. + ## str_replace is provided by package helper-scripts. mount_folder="$(echo "${status_file_name}" | LANG=C str_replace "_" "/")" ## example mount_folder: ## /home From c069c73109b45fbb8fa230ad4f90f4252db730f2 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 06:29:38 -0400 Subject: [PATCH 014/846] refactoring --- usr/libexec/security-misc/remount-secure | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/libexec/security-misc/remount-secure b/usr/libexec/security-misc/remount-secure index 5bc6c06..1b8318d 100755 --- a/usr/libexec/security-misc/remount-secure +++ b/usr/libexec/security-misc/remount-secure @@ -70,7 +70,7 @@ remount_secure() { mount_line_of_mount_folder="$(echo "$mount_output" | grep "$mount_folder ")" || true - if echo "$mount_line_of_mount_folder" | grep -q "$new_mount_options" ; then + if echo "$mount_line_of_mount_folder" | grep --quiet "$new_mount_options" ; then echo "INFO: $mount_folder has already intended mount options." return 0 fi @@ -81,7 +81,7 @@ remount_secure() { fi ## BUG: echo: write error: Broken pipe - if echo "$mount_output" | grep -q "$mount_folder " ; then + if echo "$mount_output" | grep --quiet "$mount_folder " ; then ## Already mounted. Using remount. echo mount -o "remount,${new_mount_options}" "$mount_folder" mount -o "remount,${new_mount_options}" "$mount_folder" || exit_code=100 From bc768aa196a08218aac0b6ef1c4ca013f2034122 Mon Sep 17 00:00:00 2001 
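Review bot: `command -v str_replace >/dev/null` now aborts the script through `set -e` when the helper is missing, but without any diagnostic, so a failed boot-time unit shows only an exit status in the journal; `command -v str_replace >/dev/null || { echo "ERROR: str_replace (package helper-scripts) not found." >&2; exit 1; }` makes the failure self-explanatory. The `[[ -v noexec ]] || noexec=""` defaults are needed because the branch that reports "Will not remount with noexec" above this hunk leaves `noexec` unset under the new `nounset`; a one-line comment saying so would save the next reader the search.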
From: Patrick Schleizer Date: Sun, 22 Oct 2023 06:31:57 -0400 Subject: [PATCH 015/846] output --- usr/libexec/security-misc/remount-secure | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/usr/libexec/security-misc/remount-secure b/usr/libexec/security-misc/remount-secure index 1b8318d..bc3ba7b 100755 --- a/usr/libexec/security-misc/remount-secure +++ b/usr/libexec/security-misc/remount-secure @@ -21,20 +21,26 @@ if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then source /usr/libexec/helper-scripts/pre.bsh fi +if test -o xtrace ; then + output_command=true +else + output_command=echo +fi + if [ -e /etc/remount-disable ] || [ -e /usr/local/etc/remount-disable ]; then - echo "INFO: file /etc/remount-disable exists. Doing nothing." + $output_command "INFO: file /etc/remount-disable exists. Doing nothing." exit 0 fi if [ -e /etc/exec ] || [ -e /usr/local/etc/exec ]; then noexec=false - echo "INFO: Will remount with exec because file /etc/exec or /usr/local/etc/exec exists." + $output_command "INFO: Will remount with exec because file /etc/exec or /usr/local/etc/exec exists." else if [ -e /etc/noexec ] || [ -e /usr/local/etc/noexec ]; then noexec=true - echo "INFO: Will remount with noexec because file /etc/noexec or /usr/local/etc/noexec exists." + $output_command "INFO: Will remount with noexec because file /etc/noexec or /usr/local/etc/noexec exists." else - echo "INFO: Will not remount with noexec because file /etc/noexec or /usr/local/etc/noexec does not exist." + $output_command "INFO: Will not remount with noexec because file /etc/noexec or /usr/local/etc/noexec does not exist." fi fi 
@@ -71,23 +77,23 @@ remount_secure() { mount_line_of_mount_folder="$(echo "$mount_output" | grep "$mount_folder ")" || true if echo "$mount_line_of_mount_folder" | grep --quiet "$new_mount_options" ; then - echo "INFO: $mount_folder has already intended mount options." + $output_command "INFO: $mount_folder has already intended mount options." return 0 fi if [ -e "$status_file_full_path" ]; then - echo "INFO: $mount_folder already remounted earlier. Not remounting again." + $output_command "INFO: $mount_folder already remounted earlier. Not remounting again." return 0 fi ## BUG: echo: write error: Broken pipe if echo "$mount_output" | grep --quiet "$mount_folder " ; then ## Already mounted. Using remount. - echo mount -o "remount,${new_mount_options}" "$mount_folder" + $output_command mount -o "remount,${new_mount_options}" "$mount_folder" mount -o "remount,${new_mount_options}" "$mount_folder" || exit_code=100 else ## Not yet mounted. Using mount bind. - echo mount -o "$new_mount_options" --bind "$mount_folder" "$mount_folder" + $output_command mount -o "$new_mount_options" --bind "$mount_folder" "$mount_folder" mount -o "$new_mount_options" --bind "$mount_folder" "$mount_folder" || exit_code=101 fi From 6dec5cb1d6b841bc6ea92986d6567902109f5ed0 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 06:32:19 -0400 Subject: [PATCH 016/846] debugging --- usr/libexec/security-misc/remount-secure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/remount-secure b/usr/libexec/security-misc/remount-secure index bc3ba7b..5f14c19 100755 --- a/usr/libexec/security-misc/remount-secure +++ b/usr/libexec/security-misc/remount-secure @@ -8,7 +8,7 @@ ## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707 -set -x +#set -x set -e set -o pipefail set -o nounset From 6f4bf57ff2bc878f03a50d91a5db0afaf897d70e Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer
Date: Sun, 22 Oct 2023 06:48:56 -0400
Subject: [PATCH 017/846] `remount-secure`: add support for `--force`; output
---
 usr/libexec/security-misc/remount-secure | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/usr/libexec/security-misc/remount-secure b/usr/libexec/security-misc/remount-secure
index 5f14c19..4c51ee6 100755
--- a/usr/libexec/security-misc/remount-secure
+++ b/usr/libexec/security-misc/remount-secure
@@ -77,23 +77,28 @@ remount_secure() { mount_line_of_mount_folder="$(echo "$mount_output" | grep "$mount_folder ")" || true if echo "$mount_line_of_mount_folder" | grep --quiet "$new_mount_options" ; then - $output_command "INFO: $mount_folder has already intended mount options." + $output_command "INFO: $mount_folder has already intended mount options. ($new_mount_options)" return 0 fi - if [ -e "$status_file_full_path" ]; then - $output_command "INFO: $mount_folder already remounted earlier. Not remounting again." - return 0 + ## When this package is upgraded, the systemd unit will run again. + ## If the user meanwhile manually relaxed mount options, this should not be undone. + + if [ "${1:-}" == "--force" ]; then + if [ -e "$status_file_full_path" ]; then + $output_command "INFO: $mount_folder already remounted earlier. Not remounting again. Use --force if this is what you want." + return 0 + fi fi ## BUG: echo: write error: Broken pipe if echo "$mount_output" | grep --quiet "$mount_folder " ; then ## Already mounted. Using remount. - $output_command mount -o "remount,${new_mount_options}" "$mount_folder" + $output_command INFO: Executing: mount -o "remount,${new_mount_options}" "$mount_folder" mount -o "remount,${new_mount_options}" "$mount_folder" || exit_code=100 else ## Not yet mounted. Using mount bind. - $output_command mount -o "$new_mount_options" --bind "$mount_folder" "$mount_folder" + $output_command INFO: Executing: mount -o "$new_mount_options" --bind "$mount_folder" "$mount_folder" mount -o "$new_mount_options" --bind "$mount_folder" "$mount_folder" || exit_code=101 fi From ed11c68ac64c1ec4eaa590dbb56734d450c89b04 Mon Sep 17 00:00:00 2001 
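Review bot: The `--force` test is inverted: the early return that honours the status file is now entered only when `--force` was given, so a plain run always remounts (undoing a manually relaxed mount, which the new comment says must not happen) and `--force` is the one case that skips it, while printing "Use --force if this is what you want". The condition should be `if [ "${1:-}" != "--force" ]; then`; since the file already uses `[[ ... ]]`, `[[ "${1:-}" != "--force" ]]` would also avoid the non-POSIX `==` inside `[`. remount_secure starts before this hunk, so how `$1` reaches it is not visible here, though `_home` and friends forward `"$@"`.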
From: Patrick Schleizer Date: Sun, 22 Oct 2023 06:51:52 -0400 Subject: [PATCH 018/846] move remount-secure to /usr/bin/remount-secure to make it easier to manually run --- lib/systemd/system/remount-secure.service | 2 +- usr/{libexec/security-misc => bin}/remount-secure | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename usr/{libexec/security-misc => bin}/remount-secure (100%) diff --git a/lib/systemd/system/remount-secure.service b/lib/systemd/system/remount-secure.service index 6adfcbc..ba6e017 100644 --- a/lib/systemd/system/remount-secure.service +++ b/lib/systemd/system/remount-secure.service @@ -15,7 +15,7 @@ After=qubes-sysinit.service [Service] Type=oneshot RemainAfterExit=yes -ExecStart=/usr/libexec/security-misc/remount-secure +ExecStart=/usr/bin/remount-secure [Install] WantedBy=sysinit.target diff --git a/usr/libexec/security-misc/remount-secure b/usr/bin/remount-secure similarity index 100% rename from usr/libexec/security-misc/remount-secure rename to usr/bin/remount-secure From 27b3ba8bdf2556066a4be02cd1be9a4451a591b2 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 07:06:00 -0400 Subject: [PATCH 019/846] bumped changelog version --- changelog.upstream | 54 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 60 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index b4865b7..f3e844a 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,57 @@ +commit ed11c68ac64c1ec4eaa590dbb56734d450c89b04 +Author: Patrick Schleizer +Date: Sun Oct 22 06:51:52 2023 -0400 + + move remount-secure to /usr/bin/remount-secure to make it easier to manually run + +commit 6f4bf57ff2bc878f03a50d91a5db0afaf897d70e +Author: Patrick Schleizer +Date: Sun Oct 22 06:48:56 2023 -0400 + + `remount-secure`: add support for `--force`; output + +commit 6dec5cb1d6b841bc6ea92986d6567902109f5ed0 +Author: Patrick Schleizer +Date: Sun Oct 22 06:32:19 2023 -0400 + + debugging + +commit bc768aa196a08218aac0b6ef1c4ca013f2034122 +Author: Patrick Schleizer +Date: Sun Oct 22 06:31:57 2023 -0400 + + output + +commit c069c73109b45fbb8fa230ad4f90f4252db730f2 +Author: Patrick Schleizer +Date: Sun Oct 22 06:29:38 2023 -0400 + + refactoring + +commit abc35927345e14bbe4b9f13d205a648ce7a8bd8d +Author: Patrick Schleizer +Date: Sun Oct 22 06:23:48 2023 -0400 + + remount-secure: stricter error handling + +commit 59a5fea25d0b0c39a6e7b3b11f9242ebe5eaa462 +Author: Patrick Schleizer +Date: Sun Oct 22 05:41:56 2023 -0400 + + documentation + +commit ac63b0eb3db3d168908459fecd6b3275cce015bc +Author: Patrick Schleizer +Date: Sun Oct 22 05:41:11 2023 -0400 + + remove duplicate + +commit ef3f1575733c668f652326cdb4f4fba8c71bf0ed +Author: Patrick Schleizer +Date: Sat Oct 21 14:19:24 2023 -0400 + + bumped changelog version + commit ae2c1c5a7a02a5f3f6a8bcd4a90fdc9e3b512e62 Author: Patrick Schleizer Date: Sat Oct 21 14:18:50 2023 -0400 diff --git a/debian/changelog b/debian/changelog index caebc24..dd351a2 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:30.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 11:06:00 +0000 + security-misc (3:29.9-1) unstable; urgency=medium * New upstream version (local package). From e257f2a3806ba7013e8e47005fde1385044bc8d9 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Sun, 22 Oct 2023 07:50:14 -0400 Subject: [PATCH 020/846] remount-secure: no longer use /usr/libexec/helper-scripts/pre.bsh as not simple with dracut --- usr/bin/remount-secure | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 4c51ee6..d76cc8a 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -13,13 +13,13 @@ set -e set -o pipefail set -o nounset -if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then - ## pre.bsh would `source` the following folders: - ## /etc/remount-secure_pre.d/*.conf - ## /usr/local/etc/remount-secure_pre.d/*.conf - # shellcheck disable=SC1091 - source /usr/libexec/helper-scripts/pre.bsh -fi +# if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then +# ## pre.bsh would `source` the following folders: +# ## /etc/remount-secure_pre.d/*.conf +# ## /usr/local/etc/remount-secure_pre.d/*.conf +# # shellcheck disable=SC1091 +# source /usr/libexec/helper-scripts/pre.bsh +# fi if test -o xtrace ; then output_command=true From f0ee470ecd0fc37125165dd6a5cefb47339b14b4 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 07:51:05 -0400 Subject: [PATCH 021/846] comment --- usr/bin/remount-secure | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index d76cc8a..069fc6d 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -13,6 +13,7 @@ set -e set -o pipefail set -o nounset +## Not simple with dracut. # if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then # ## pre.bsh would `source` the following folders: # ## /etc/remount-secure_pre.d/*.conf From e065f85c8809d04a9a4c041dd8b9b81bacd04e24 Mon Sep 17 00:00:00 2001 
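Review bot: Commenting out the pre.bsh block leaves seven lines of dead code where a single note would do, and it silently drops the `/etc/remount-secure_pre.d/*.conf` drop-in mechanism that the block's own comment documents, so an existing local override (for instance one setting `noexec`) stops taking effect with no changelog or journal hint. Prefer deleting the block (git history keeps it) and replacing it with a comment that states the user-visible consequence and the reason, e.g. `## /etc/remount-secure_pre.d/*.conf is no longer sourced: pre.bsh is not available inside the dracut initramfs.` The follow-up `## Not simple with dracut.` line in the next patch gives the reason but not the consequence.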
From: Patrick Schleizer Date: Sun, 22 Oct 2023 08:10:48 -0400 Subject: [PATCH 022/846] add remount-secure dracut module --- .../20remount-secure/module-setup.sh | 30 +++++++++++++++++++ .../20remount-secure/remount-secure.sh | 17 +++++++++++ 2 files changed, 47 insertions(+) create mode 100755 usr/lib/dracut/modules.d/20remount-secure/module-setup.sh create mode 100755 usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh diff --git a/usr/lib/dracut/modules.d/20remount-secure/module-setup.sh b/usr/lib/dracut/modules.d/20remount-secure/module-setup.sh new file mode 100755 index 0000000..ca5c44a --- /dev/null +++ b/usr/lib/dracut/modules.d/20remount-secure/module-setup.sh @@ -0,0 +1,30 @@ +#!/bin/bash + +## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +# called by dracut +check() { + require_binaries str_replace || return 1 + require_binaries mount || return 1 + require_binaries remount-secure || return 1 + return 0 +} + +# called by dracut +depends() { + return 0 +} + +# called by dracut +install() { + inst_multiple str_replace + inst_multiple mount + inst_multiple remount-secure + inst_hook cleanup 90 "$moddir/remount-secure.sh" +} + +# called by dracut +installkernel() { + return 0 +} diff --git a/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh b/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh new file mode 100755 index 0000000..a05614c --- /dev/null +++ b/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh @@ -0,0 +1,17 @@ +#!/bin/sh + +## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +remount_hook() { + local remount_action + remount_action=$(getarg remountsecure) + + if [ ! "$remount_action" = "yes" ]; then + return 0 + fi + + remount-secure +} + +remount_hook From 05e9accf64a3a6bfa24aac7aaa62620f814b05d1 Mon Sep 17 00:00:00 2001 
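Review bot: `check()` and `install()` in module-setup.sh list `str_replace`, `mount` and `remount-secure`, but `remount-secure` itself also runs `grep` and `mkdir` and is a bash script, so the initramfs needs bash, grep and mkdir as well; dracut's base module and dracut-install's shebang resolution may already cover these, but listing them explicitly (`require_binaries bash grep mkdir` and `inst_multiple bash grep mkdir`) makes the module self-describing and robust to a minimal base. If I recall the dracut convention correctly, `check()` returns 255 for "include only when requested" and 1 for "cannot be included"; returning 1 when remount-secure is absent fails the whole initramfs build, which may not be the intent for an optional hardening module.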
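Review bot: The hook in remount-secure.sh is registered at the `cleanup` stage, where, as far as I know, the real root is still mounted under /sysroot, while `remount-secure` operates on absolute paths such as `/home` and `/tmp` and records its status under /var/run, so unless the script is made sysroot-aware it acts on the initramfs's own tree and both the remount and the status files vanish at switch_root. Worth confirming this is intended, or passing a root prefix into the script. Minor style: `if [ ! "$remount_action" = "yes" ]` reads more naturally as `if [ "$remount_action" != "yes" ]`, and `local` is not POSIX sh although dracut's shell provides it.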
From: Patrick Schleizer Date: Sun, 22 Oct 2023 08:12:30 -0400 Subject: [PATCH 023/846] bumped changelog version --- changelog.upstream | 25 +++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 31 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index f3e844a..50d2bcc 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,28 @@ +commit e065f85c8809d04a9a4c041dd8b9b81bacd04e24 +Author: Patrick Schleizer +Date: Sun Oct 22 08:10:48 2023 -0400 + + add remount-secure dracut module + +commit f0ee470ecd0fc37125165dd6a5cefb47339b14b4 +Author: Patrick Schleizer +Date: Sun Oct 22 07:51:05 2023 -0400 + + comment + +commit e257f2a3806ba7013e8e47005fde1385044bc8d9 +Author: Patrick Schleizer +Date: Sun Oct 22 07:50:14 2023 -0400 + + remount-secure: + no longer use /usr/libexec/helper-scripts/pre.bsh as not simple with dracut + +commit 27b3ba8bdf2556066a4be02cd1be9a4451a591b2 +Author: Patrick Schleizer +Date: Sun Oct 22 07:06:00 2023 -0400 + + bumped changelog version + commit ed11c68ac64c1ec4eaa590dbb56734d450c89b04 Author: Patrick Schleizer Date: Sun Oct 22 06:51:52 2023 -0400 diff --git a/debian/changelog b/debian/changelog index dd351a2..f3a04b6 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:30.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 12:12:30 +0000 + security-misc (3:30.0-1) unstable; urgency=medium * New upstream version (local package). From 167683ce763e97838e62950f00313b63d7c968b0 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 08:50:57 -0400 Subject: [PATCH 024/846] code simplification --- usr/bin/remount-secure | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 069fc6d..e7f8273 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure 
@@ -54,8 +54,6 @@ if [ "$noexec" = "true" ]; then noexec_maybe=",noexec" fi -command -v str_replace >/dev/null - exit_code=0 mount_output="$(mount)" @@ -70,11 +68,6 @@ remount_secure() { ## example status_file_full_path: ## /var/run/remount-secure/_home - ## str_replace is provided by package helper-scripts. - mount_folder="$(echo "${status_file_name}" | LANG=C str_replace "_" "/")" - ## example mount_folder: - ## /home - mount_line_of_mount_folder="$(echo "$mount_output" | grep "$mount_folder ")" || true if echo "$mount_line_of_mount_folder" | grep --quiet "$new_mount_options" ; then @@ -107,28 +100,33 @@ remount_secure() { } _home() { + mount_folder="/home" new_mount_options="nosuid,nodev${noexec_maybe}" remount_secure "$@" } _run() { + mount_folder="/run" ## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html new_mount_options="nosuid,nodev${noexec_maybe}" remount_secure "$@" } _dev_shm() { + mount_folder="/dev/shm" new_mount_options="nosuid,nodev${noexec_maybe}" remount_secure "$@" } _tmp() { + mount_folder="/tmp" new_mount_options="nosuid,nodev${noexec_maybe}" remount_secure "$@" } ## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707/25 # _lib() { +# mount_folder="/lib" # ## Not using noexec on /lib. # new_mount_options="nosuid,nodev" # remount_secure "$@" From 90f2b5e11c341c38bb0b11db603ceeba28e14b1c Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 08:51:37 -0400 Subject: [PATCH 025/846] code simplification --- usr/lib/dracut/modules.d/20remount-secure/module-setup.sh | 2 -- 1 file changed, 2 deletions(-) diff --git a/usr/lib/dracut/modules.d/20remount-secure/module-setup.sh b/usr/lib/dracut/modules.d/20remount-secure/module-setup.sh index ca5c44a..5cc2c61 100755 --- a/usr/lib/dracut/modules.d/20remount-secure/module-setup.sh +++ b/usr/lib/dracut/modules.d/20remount-secure/module-setup.sh 
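Review bot: In the second hunk the surviving line `mount_line_of_mount_folder="$(echo "$mount_output" | grep "$mount_folder ")"` matches `$mount_folder` as an unanchored substring, so with `mount_folder="/tmp"` a `mount` line for `/var/tmp` (or, for `/run`, a `/var/run` bind) also matches; when that other line already carries the intended options the next check returns early and `/tmp` itself is never remounted. Anchor the match, e.g. `grep " on $mount_folder type "`, or query the mount point directly with `findmnt --noheadings --output options -- "$mount_folder"`. remount_secure's body starts and ends outside the hunk.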
@@ -5,7 +5,6 @@ # called by dracut check() { - require_binaries str_replace || return 1 require_binaries mount || return 1 require_binaries remount-secure || return 1 return 0 @@ -18,7 +17,6 @@ depends() { # called by dracut install() { - inst_multiple str_replace inst_multiple mount inst_multiple remount-secure inst_hook cleanup 90 "$moddir/remount-secure.sh" From f472ce690ae350085d40cfd5ec46084dc559a51d Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 08:57:35 -0400 Subject: [PATCH 026/846] comments --- debian/security-misc.triggers | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/debian/security-misc.triggers b/debian/security-misc.triggers index 5dc870f..f8f1c77 100644 --- a/debian/security-misc.triggers +++ b/debian/security-misc.triggers @@ -2,14 +2,14 @@ ## See the file COPYING for copying conditions. #### meta start -#### project Whonix +#### project Kicksecure #### category security #### description ## Trigger 'activate-noawait update-initramfs' also works with both, ## initramfs-tools as well as dracut. ## - Activate initramfs hook that sets the sysctl values before init is executed. -## - dracut module 40sdmem-security-misc +## - dracut module 20remount-secure activate-noawait update-initramfs ## LKRG /usr/share/security-misc/lkrg/lkrg-virtualbox From c409e3221e179437ed0b162dde1e72cd116ba795 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 09:36:03 -0400 Subject: [PATCH 027/846] implement remount-secure --- etc/default/grub.d/40_remmount-secure.cfg | 10 +++ usr/bin/remount-secure | 72 ++++++++++--------- .../20remount-secure/remount-secure.sh | 11 ++- 3 files changed, 56 insertions(+), 37 deletions(-) create mode 100644 etc/default/grub.d/40_remmount-secure.cfg diff --git a/etc/default/grub.d/40_remmount-secure.cfg b/etc/default/grub.d/40_remmount-secure.cfg new file mode 100644 index 0000000..29d8718 --- /dev/null +++ b/etc/default/grub.d/40_remmount-secure.cfg 
@@ -0,0 +1,10 @@ +## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## https://www.kicksecure.com/wiki/Security-misc#Remount_Secure + +## Re-mount with nodev, nosuid. +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=1" + +## Re-mount with nodev, nosuid, noexec. +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountnoexec=1" diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index e7f8273..b46daec 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure 
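Review bot: The new conffile is named `40_remmount-secure.cfg` ("remmount" with a doubled m) while every other path in the series uses `remount-secure`; Debian conffile paths are sticky, so renaming it later costs an `rm_conffile` entry in the maintscript, which is cheapest to avoid now. The examples advertise `remountsecure=1` and `remountnoexec=1`, so the hook's parsing of those parameters should accept exactly that spelling; a one-line comment `## Parameters are evaluated by the dracut hook 20remount-secure/remount-secure.sh` would tie the two files together for readers.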
@@ -13,51 +13,52 @@ set -e set -o pipefail set -o nounset -## Not simple with dracut. -# if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then -# ## pre.bsh would `source` the following folders: -# ## /etc/remount-secure_pre.d/*.conf -# ## /usr/local/etc/remount-secure_pre.d/*.conf -# # shellcheck disable=SC1091 -# source /usr/libexec/helper-scripts/pre.bsh -# fi - if test -o xtrace ; then output_command=true else output_command=echo fi -if [ -e /etc/remount-disable ] || [ -e /usr/local/etc/remount-disable ]; then - $output_command "INFO: file /etc/remount-disable exists. Doing nothing." - exit 0 -fi - -if [ -e /etc/exec ] || [ -e /usr/local/etc/exec ]; then - noexec=false - $output_command "INFO: Will remount with exec because file /etc/exec or /usr/local/etc/exec exists." -else - if [ -e /etc/noexec ] || [ -e /usr/local/etc/noexec ]; then - noexec=true - $output_command "INFO: Will remount with noexec because file /etc/noexec or /usr/local/etc/noexec exists." - else - $output_command "INFO: Will not remount with noexec because file /etc/noexec or /usr/local/etc/noexec does not exist." - fi -fi - -mkdir --parents "/var/run/remount-secure" - -[[ -v noexec ]] || noexec="" -[[ -v noexec_maybe ]] || noexec_maybe="" - -if [ "$noexec" = "true" ]; then - noexec_maybe=",noexec" -fi +mkdir --parents "/run/remount-secure" exit_code=0 mount_output="$(mount)" +parse_options() { + ## Thanks to: + ## http://mywiki.wooledge.org/BashFAQ/035 + + while : + do + case ${1:-} in + --remountnoexec) + $output_command "INFO: --remountnoexec" + noexec_maybe=",noexec" + shift + ;; + --force) + $output_command "INFO: --force" + option_force=true + shift + ;; + --) + shift + break + ;; + -*) + echo "unknown option: $1" >&2 + exit 1 + ;; + *) + break + ;; + esac + done + + [[ -v noexec_maybe ]] || noexec_maybe="" +} + remount_secure() { ## ${FUNCNAME[1]} is the name of the calling function. I.e. the function ## which called this function. 
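Review bot: `option_force` is assigned only inside the `--force` arm, and the only default set after the loop is `[[ -v noexec_maybe ]] || noexec_maybe=""`; with `set -o nounset` in effect (top of the hunk), a run without `--force` aborts at the first later `"$option_force"` expansion with an unbound-variable error instead of remounting anything. Add `[[ -v option_force ]] || option_force=""` next to the existing default. The hunk also removes the `/etc/remount-disable`, `/etc/exec` and `/etc/noexec` file switches; a comment above `parse_options()` stating that `--remountnoexec` is now the only way to request noexec, and that there is no longer a file-based kill switch, would save anyone relying on those files a surprise.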
@@ -78,7 +79,7 @@ remount_secure() { ## When this package is upgraded, the systemd unit will run again. ## If the user meanwhile manually relaxed mount options, this should not be undone. - if [ "${1:-}" == "--force" ]; then + if [ "$option_force" == "true" ]; then if [ -e "$status_file_full_path" ]; then $output_command "INFO: $mount_folder already remounted earlier. Not remounting again. Use --force if this is what you want." return 0 @@ -137,6 +138,7 @@ end() { } main() { + parse_options "$@" _home "$@" _run "$@" _dev_shm "$@" diff --git a/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh b/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh index a05614c..bd10974 100755 --- a/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh +++ b/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh @@ -3,15 +3,22 @@ ## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. +## This script is intended to remount specified mount points with more secure +## options based on kernel command line parameters. + remount_hook() { local remount_action remount_action=$(getarg remountsecure) - if [ ! "$remount_action" = "yes" ]; then + if getargbool 1 remountnoexec; then + remount-secure --remountnoexec return 0 fi - remount-secure + if getargbool 1 remountsecure; then + remount-secure + return 0 + fi } remount_hook From 33d97a2560fe4aaab24f90057e825802541a408b Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 09:39:54 -0400 Subject: [PATCH 028/846] improve output of remount-secure dracut module --- .../modules.d/20remount-secure/remount-secure.sh | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh b/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh index bd10974..7e046be 100755 --- a/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh 
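Review bot: The new condition `if [ "$option_force" == "true" ]; then` is inverted: the status-file check that prints "Use --force if this is what you want" now runs only when `--force` was given, while a plain run never consults the status file, so the protection described in the comment just above (not undoing options a user relaxed by hand) is lost. It should read `if [ ! "$option_force" == "true" ]; then` (or `if [ "$option_force" != "true" ]; then`). remount_secure's body starts and ends outside this hunk.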
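Review bot: `getargbool 1 remountnoexec` and `getargbool 1 remountsecure` pass 1 as the default, which dracut's getargbool returns when the parameter is absent from the kernel command line, so on a system that sets neither parameter the first branch is taken and `remount-secure --remountnoexec` runs unconditionally; the commented-out examples in 40_remmount-secure.cfg read as opt-in, so the defaults should presumably be `getargbool 0 remountnoexec` and `getargbool 0 remountsecure` — please confirm the intended default. `remount_action=$(getarg remountsecure)` is no longer read after this change and can be dropped together with its `local`. The same defaults are carried into the next commit's hunk of this file (PATCH 028).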
+++ b/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh @@ -11,14 +11,20 @@ remount_hook() { remount_action=$(getarg remountsecure) if getargbool 1 remountnoexec; then - remount-secure --remountnoexec + if ! remount-secure --remountnoexec ; then + warn "'remount-secure --remountnoexec' failed." + fi return 0 fi if getargbool 1 remountsecure; then - remount-secure + if ! remount-secure ; then + warn "'remount-secure' failed." + fi return 0 fi + + warn "Not using remount-secure." } remount_hook From 84fd41931ce3ba4d6e3785dc8052ee14ce62b80e Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 09:44:17 -0400 Subject: [PATCH 029/846] /var/run -> /run --- usr/bin/remount-secure | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index b46daec..bf3c105 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -65,9 +65,9 @@ remount_secure() { status_file_name="${FUNCNAME[1]}" ## example status_file_name: ## _home - status_file_full_path="/var/run/remount-secure/${status_file_name}" + status_file_full_path="/run/remount-secure/${status_file_name}" ## example status_file_full_path: - ## /var/run/remount-secure/_home + ## /run/remount-secure/_home mount_line_of_mount_folder="$(echo "$mount_output" | grep "$mount_folder ")" || true From 181a6424796b1cafc87a8d74aad197135381a389 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 10:01:38 -0400 Subject: [PATCH 030/846] root check --- usr/bin/remount-secure | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index bf3c105..0279e18 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure 
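Review bot: The context line `remount_action=$(getarg remountsecure)` at the top of the hunk is dead after the previous restructuring and should go, with its `local` declaration on the line above the hunk; remount_hook's opening line is outside the hunk. Because the `remountnoexec` branch returns before `remountsecure` is examined, a command line carrying both parameters silently uses only the noexec variant; a comment `## remountnoexec implies remountsecure, so it is checked first.` would make that precedence deliberate rather than accidental.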
@@ -13,17 +13,22 @@ set -e set -o pipefail set -o nounset -if test -o xtrace ; then - output_command=true -else - output_command=echo -fi +init() { + if test -o xtrace ; then + output_command=true + else + output_command=echo + fi -mkdir --parents "/run/remount-secure" + if [ "$(id -u)" != "0" ]; then + $output_command "ERROR: must be run as root! sudo $0" + exit 1 + fi -exit_code=0 - -mount_output="$(mount)" + mkdir --parents "/run/remount-secure" + exit_code=0 + mount_output="$(mount)" +} parse_options() { ## Thanks to: @@ -138,6 +143,7 @@ end() { } main() { + init "$@" parse_options "$@" _home "$@" _run "$@" From 4f6f45fb3902f6c49d01b5ccb33a4e24804cd02a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 10:01:54 -0400 Subject: [PATCH 031/846] bumped changelog version --- changelog.upstream | 48 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 54 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 50d2bcc..439f2e5 100644 --- a/changelog.upstream +++ b/changelog.upstream 
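Review bot: The root check prints through `$output_command`, which `init()` sets to `true` when xtrace is on, so under `bash -x` the "must be run as root" message is silently dropped, and in the normal case it goes to stdout rather than stderr. Error text should bypass the output switch: `printf '%s\n' "ERROR: must be run as root! sudo $0" >&2` followed by `exit 1`. `id -u` is also a new external dependency of a script that is shipped into the initramfs; since the script is bash, `[ "$EUID" != "0" ]` avoids it, otherwise module-setup.sh needs matching `require_binaries`/`inst_multiple` entries.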
@@ -1,3 +1,51 @@ +commit 181a6424796b1cafc87a8d74aad197135381a389 +Author: Patrick Schleizer +Date: Sun Oct 22 10:01:38 2023 -0400 + + root check + +commit 84fd41931ce3ba4d6e3785dc8052ee14ce62b80e +Author: Patrick Schleizer +Date: Sun Oct 22 09:44:17 2023 -0400 + + /var/run -> /run + +commit 33d97a2560fe4aaab24f90057e825802541a408b +Author: Patrick Schleizer +Date: Sun Oct 22 09:39:54 2023 -0400 + + improve output of remount-secure dracut module + +commit c409e3221e179437ed0b162dde1e72cd116ba795 +Author: Patrick Schleizer +Date: Sun Oct 22 09:36:03 2023 -0400 + + implement remount-secure + +commit f472ce690ae350085d40cfd5ec46084dc559a51d +Author: Patrick Schleizer +Date: Sun Oct 22 08:57:35 2023 -0400 + + comments + +commit 90f2b5e11c341c38bb0b11db603ceeba28e14b1c +Author: Patrick Schleizer +Date: Sun Oct 22 08:51:37 2023 -0400 + + code simplification + +commit 167683ce763e97838e62950f00313b63d7c968b0 +Author: Patrick Schleizer +Date: Sun Oct 22 08:50:57 2023 -0400 + + code simplification + +commit 05e9accf64a3a6bfa24aac7aaa62620f814b05d1 +Author: Patrick Schleizer +Date: Sun Oct 22 08:12:30 2023 -0400 + + bumped changelog version + commit e065f85c8809d04a9a4c041dd8b9b81bacd04e24 Author: Patrick Schleizer Date: Sun Oct 22 08:10:48 2023 -0400 diff --git a/debian/changelog b/debian/changelog index f3a04b6..6d1cbea 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:30.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 14:01:54 +0000 + security-misc (3:30.1-1) unstable; urgency=medium * New upstream version (local package). From bb57b1a289cc64cc5b2ab5518c151df5355a9f29 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 10:10:51 -0400 Subject: [PATCH 032/846] fix --- usr/lib/dracut/modules.d/20remount-secure/module-setup.sh | 4 ++++ 1 file changed, 4 insertions(+) 
diff --git a/usr/lib/dracut/modules.d/20remount-secure/module-setup.sh b/usr/lib/dracut/modules.d/20remount-secure/module-setup.sh index 5cc2c61..2070bd3 100755 --- a/usr/lib/dracut/modules.d/20remount-secure/module-setup.sh +++ b/usr/lib/dracut/modules.d/20remount-secure/module-setup.sh @@ -5,6 +5,8 @@ # called by dracut check() { + require_binaries grep || return 1 + require_binaries id || return 1 require_binaries mount || return 1 require_binaries remount-secure || return 1 return 0 @@ -17,6 +19,8 @@ depends() { # called by dracut install() { + inst_multiple grep + inst_multiple id inst_multiple mount inst_multiple remount-secure inst_hook cleanup 90 "$moddir/remount-secure.sh" From 292a5c3a8a37bc9dd807913bd76826e57e978b67 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 10:11:31 -0400 Subject: [PATCH 033/846] fix --- usr/bin/remount-secure | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 0279e18..cb6c90a 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -62,6 +62,7 @@ parse_options() { done [[ -v noexec_maybe ]] || noexec_maybe="" + [[ -v option_force ]] || option_force="" } remount_secure() { From b81a991731e912fa0f7d4ca59b0531bafb02a25a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 10:15:11 -0400 Subject: [PATCH 034/846] fix --- usr/lib/dracut/modules.d/20remount-secure/module-setup.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr/lib/dracut/modules.d/20remount-secure/module-setup.sh b/usr/lib/dracut/modules.d/20remount-secure/module-setup.sh index 2070bd3..ba127f2 100755 --- a/usr/lib/dracut/modules.d/20remount-secure/module-setup.sh +++ b/usr/lib/dracut/modules.d/20remount-secure/module-setup.sh @@ -5,6 +5,7 @@ # called by dracut check() { + require_binaries touch || return 1 require_binaries grep || return 1 require_binaries id || return 1 require_binaries mount || return 1 
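Review bot: The new `require_binaries`/`inst_multiple` entries cover `grep` and `id`, but remount-secure also calls `mkdir --parents` in `init()` and `touch` on the status file, and is itself `#!/bin/bash`; unless those come from dracut's base module and the shebang interpreter is pulled in by dracut-install, they are missing here as well. Keeping one list shared by `check()` and `install()` (e.g. `inst_multiple bash mkdir touch grep id mount remount-secure`) next to a comment `## Must match every external command used by /usr/bin/remount-secure.` is easier to keep in sync than adding one binary per fix-up commit.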
@@ -19,6 +20,7 @@ depends() { # called by dracut install() { + inst_multiple touch inst_multiple grep inst_multiple id inst_multiple mount From 45ce0ff74d8f42d6a424e0742989008403891f8a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 10:16:43 -0400 Subject: [PATCH 035/846] debugging --- usr/bin/remount-secure | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index cb6c90a..63a7eb4 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -28,6 +28,10 @@ init() { mkdir --parents "/run/remount-secure" exit_code=0 mount_output="$(mount)" + + ## Debugging. + $output_command "INFO: mount_output:" + $output_command "$mount_output" } parse_options() { From 1120d0652ddead556801958973d61502b75f9fc7 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 10:16:53 -0400 Subject: [PATCH 036/846] bumped changelog version --- changelog.upstream | 30 ++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 36 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 439f2e5..f532cdc 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,33 @@ +commit 45ce0ff74d8f42d6a424e0742989008403891f8a +Author: Patrick Schleizer +Date: Sun Oct 22 10:16:43 2023 -0400 + + debugging + +commit b81a991731e912fa0f7d4ca59b0531bafb02a25a +Author: Patrick Schleizer +Date: Sun Oct 22 10:15:11 2023 -0400 + + fix + +commit 292a5c3a8a37bc9dd807913bd76826e57e978b67 +Author: Patrick Schleizer +Date: Sun Oct 22 10:11:31 2023 -0400 + + fix + +commit bb57b1a289cc64cc5b2ab5518c151df5355a9f29 +Author: Patrick Schleizer +Date: Sun Oct 22 10:10:51 2023 -0400 + + fix + +commit 4f6f45fb3902f6c49d01b5ccb33a4e24804cd02a +Author: Patrick Schleizer +Date: Sun Oct 22 10:01:54 2023 -0400 + + bumped changelog version + commit 181a6424796b1cafc87a8d74aad197135381a389 Author: Patrick Schleizer Date: Sun Oct 22 10:01:38 2023 -0400 
diff --git a/debian/changelog b/debian/changelog index 6d1cbea..4663ca4 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:30.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 14:16:53 +0000 + security-misc (3:30.2-1) unstable; urgency=medium * New upstream version (local package). From d5cb7ecec9d10069e2e37a2f88680dff6d3f6eb6 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 10:22:21 -0400 Subject: [PATCH 037/846] use findmnt --- usr/bin/remount-secure | 2 +- usr/lib/dracut/modules.d/20remount-secure/module-setup.sh | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 63a7eb4..2b88822 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -79,7 +79,7 @@ remount_secure() { ## example status_file_full_path: ## /run/remount-secure/_home - mount_line_of_mount_folder="$(echo "$mount_output" | grep "$mount_folder ")" || true + mount_line_of_mount_folder="$(findmnt --noheadings "$mount_folder")" || true if echo "$mount_line_of_mount_folder" | grep --quiet "$new_mount_options" ; then $output_command "INFO: $mount_folder has already intended mount options. ($new_mount_options)" diff --git a/usr/lib/dracut/modules.d/20remount-secure/module-setup.sh b/usr/lib/dracut/modules.d/20remount-secure/module-setup.sh index ba127f2..52b5faa 100755 --- a/usr/lib/dracut/modules.d/20remount-secure/module-setup.sh +++ b/usr/lib/dracut/modules.d/20remount-secure/module-setup.sh @@ -5,6 +5,7 @@ # called by dracut check() { + require_binaries findmnt || return 1 require_binaries touch || return 1 require_binaries grep || return 1 require_binaries id || return 1 @@ -20,6 +21,7 @@ depends() { # called by dracut install() { + inst_multiple findmnt inst_multiple touch inst_multiple grep inst_multiple id From ef69e512bd2e2eba0e292470bfef6336216e2605 Mon Sep 17 00:00:00 2001 
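Review bot: `findmnt --noheadings "$mount_folder"` returns the whole row (target, source, fstype, options) and the following `grep --quiet "$new_mount_options"` still searches that entire row, so a source or fstype column can satisfy the match; restrict the query to `findmnt --noheadings --output options -- "$mount_folder"`. The comparison is in any case a substring match on a comma-joined string, so `nosuid,nodev` is only found when the options are adjacent and in that order (`nodev,nosuid` or `nosuid,noexec,nodev` is treated as not hardened); a per-option check over `${old_mount_options//,/ }` would be exact, and the same applies to the renamed `intended_mount_options` check in PATCH 039. remount_secure's body starts and ends outside this hunk.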
From: Patrick Schleizer Date: Sun, 22 Oct 2023 10:25:57 -0400 Subject: [PATCH 038/846] refactoring --- usr/bin/remount-secure | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 2b88822..326c038 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -79,9 +79,11 @@ remount_secure() { ## example status_file_full_path: ## /run/remount-secure/_home - mount_line_of_mount_folder="$(findmnt --noheadings "$mount_folder")" || true + old_mount_options="$(findmnt --noheadings --output options -- "$mount_folder")" || true + ## example old_mount_options: + ## rw,nosuid,nodev,relatime,discard - if echo "$mount_line_of_mount_folder" | grep --quiet "$new_mount_options" ; then + if echo "$old_mount_options" | grep --quiet "$new_mount_options" ; then $output_command "INFO: $mount_folder has already intended mount options. ($new_mount_options)" return 0 fi From 41077c94fbc1a0c90ee870292fe82e16a70b52f1 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 10:32:24 -0400 Subject: [PATCH 039/846] improve remount-secure --- usr/bin/remount-secure | 32 ++++++++++++++++++++------------ 1 file changed, 20 insertions(+), 12 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 326c038..af638df 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -32,6 +32,7 @@ init() { ## Debugging. $output_command "INFO: mount_output:" $output_command "$mount_output" + $output_command "" } parse_options() { @@ -70,6 +71,8 @@ parse_options() { } remount_secure() { + $output_command "" + ## ${FUNCNAME[1]} is the name of the calling function. I.e. the function ## which called this function. status_file_name="${FUNCNAME[1]}" 
@@ -83,8 +86,10 @@ remount_secure() { ## example old_mount_options: ## rw,nosuid,nodev,relatime,discard - if echo "$old_mount_options" | grep --quiet "$new_mount_options" ; then - $output_command "INFO: $mount_folder has already intended mount options. ($new_mount_options)" + $output_command "INFO: '$mount_folder' old_mount_options: '$old_mount_options'" + + if echo "$old_mount_options" | grep --quiet "$intended_mount_options" ; then + $output_command "INFO: '$mount_folder' has already intended mount options. ($intended_mount_options)" return 0 fi @@ -93,7 +98,7 @@ remount_secure() { if [ "$option_force" == "true" ]; then if [ -e "$status_file_full_path" ]; then - $output_command "INFO: $mount_folder already remounted earlier. Not remounting again. Use --force if this is what you want." + $output_command "INFO: '$mount_folder' already remounted earlier. Not remounting again. Use --force if this is what you want." return 0 fi fi 
@@ -101,39 +106,42 @@ remount_secure() { ## BUG: echo: write error: Broken pipe if echo "$mount_output" | grep --quiet "$mount_folder " ; then ## Already mounted. Using remount. - $output_command INFO: Executing: mount -o "remount,${new_mount_options}" "$mount_folder" - mount -o "remount,${new_mount_options}" "$mount_folder" || exit_code=100 + $output_command INFO: Executing: mount -o "remount,${intended_mount_options}" "$mount_folder" + mount -o "remount,${intended_mount_options}" "$mount_folder" || exit_code=100 else ## Not yet mounted. Using mount bind. - $output_command INFO: Executing: mount -o "$new_mount_options" --bind "$mount_folder" "$mount_folder" - mount -o "$new_mount_options" --bind "$mount_folder" "$mount_folder" || exit_code=101 + $output_command INFO: Executing: mount -o "$intended_mount_options" --bind "$mount_folder" "$mount_folder" + mount -o "$intended_mount_options" --bind "$mount_folder" "$mount_folder" || exit_code=101 fi + new_mount_options="$(findmnt --noheadings --output options -- "$mount_folder")" || true + $output_command "INFO: '$mount_folder' new_mount_options: '$new_mount_options'" + touch "$status_file_full_path" } _home() { mount_folder="/home" - new_mount_options="nosuid,nodev${noexec_maybe}" + intended_mount_options="nosuid,nodev${noexec_maybe}" remount_secure "$@" } _run() { mount_folder="/run" ## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html - new_mount_options="nosuid,nodev${noexec_maybe}" + intended_mount_options="nosuid,nodev${noexec_maybe}" remount_secure "$@" } _dev_shm() { mount_folder="/dev/shm" - new_mount_options="nosuid,nodev${noexec_maybe}" + intended_mount_options="nosuid,nodev${noexec_maybe}" remount_secure "$@" } _tmp() { mount_folder="/tmp" - new_mount_options="nosuid,nodev${noexec_maybe}" + intended_mount_options="nosuid,nodev${noexec_maybe}" remount_secure "$@" } 
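Review bot: After the `mount` call the hunk reads `new_mount_options` back and prints it, but never compares it with `intended_mount_options`; a remount that returns 0 yet does not apply a flag, or a bind whose options were ignored, therefore still reaches `touch "$status_file_full_path"` and records the mount point as hardened, after which the status file suppresses any retry. Verify each intended option in the read-back value and set `exit_code` without writing the status file when one is missing, as sketched below (102 is a constructed code, chosen as the next free one after 100 and 101). remount_secure's body starts outside this hunk.

```shell
  new_mount_options="$(findmnt --noheadings --output options -- "$mount_folder")" || true
  $output_command "INFO: '$mount_folder' new_mount_options: '$new_mount_options'"

  ## Only record success when every intended option is actually in effect.
  for intended_option in ${intended_mount_options//,/ }; do
    case ",${new_mount_options}," in
      *",${intended_option},"*) ;;
      *)
        printf '%s\n' "ERROR: '$mount_folder' is missing mount option '$intended_option' after remount." >&2
        exit_code=102
        return 0
        ;;
    esac
  done

  touch "$status_file_full_path"
```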
@@ -141,7 +149,7 @@ _tmp() { # _lib() { # mount_folder="/lib" # ## Not using noexec on /lib. -# new_mount_options="nosuid,nodev" +# intended_mount_options="nosuid,nodev" # remount_secure "$@" # } From a05bd3dd0e7319807fa7ea523407ec82ce8aa39c Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 10:37:02 -0400 Subject: [PATCH 040/846] /home last because most likely to fail --- usr/bin/remount-secure | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index af638df..6e3f579 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -120,12 +120,6 @@ remount_secure() { touch "$status_file_full_path" } -_home() { - mount_folder="/home" - intended_mount_options="nosuid,nodev${noexec_maybe}" - remount_secure "$@" -} - _run() { mount_folder="/run" ## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html @@ -153,6 +147,12 @@ _tmp() { # remount_secure "$@" # } +_home() { + mount_folder="/home" + intended_mount_options="nosuid,nodev${noexec_maybe}" + remount_secure "$@" +} + end() { exit $exit_code } @@ -160,11 +160,11 @@ end() { main() { init "$@" parse_options "$@" - _home "$@" _run "$@" _dev_shm "$@" _tmp "$@" #_lib "$@" + _home "$@" end "$@" } From fcba70df2e4e6c71fd29852d6f0b20f80e2e2d5e Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 10:38:48 -0400 Subject: [PATCH 041/846] refactoring --- usr/bin/remount-secure | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 6e3f579..fff2cc5 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure 
@@ -106,12 +106,12 @@ remount_secure() { ## BUG: echo: write error: Broken pipe if echo "$mount_output" | grep --quiet "$mount_folder " ; then ## Already mounted. Using remount. - $output_command INFO: Executing: mount -o "remount,${intended_mount_options}" "$mount_folder" - mount -o "remount,${intended_mount_options}" "$mount_folder" || exit_code=100 + $output_command INFO: Executing: mount --options "remount,${intended_mount_options}" "$mount_folder" + mount --options "remount,${intended_mount_options}" "$mount_folder" || exit_code=100 else ## Not yet mounted. Using mount bind. - $output_command INFO: Executing: mount -o "$intended_mount_options" --bind "$mount_folder" "$mount_folder" - mount -o "$intended_mount_options" --bind "$mount_folder" "$mount_folder" || exit_code=101 + $output_command INFO: Executing: mount --options "$intended_mount_options" --bind "$mount_folder" "$mount_folder" + mount --options "$intended_mount_options" --bind "$mount_folder" "$mount_folder" || exit_code=101 fi new_mount_options="$(findmnt --noheadings --output options -- "$mount_folder")" || true From 24d2e26397e8f1e8e350fb60206ab1c5b597cbe6 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 10:40:19 -0400 Subject: [PATCH 042/846] no longer reproducible --- usr/bin/remount-secure | 1 - 1 file changed, 1 deletion(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index fff2cc5..79f42b7 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -103,7 +103,6 @@ remount_secure() { fi fi - ## BUG: echo: write error: Broken pipe if echo "$mount_output" | grep --quiet "$mount_folder " ; then ## Already mounted. Using remount. $output_command INFO: Executing: mount --options "remount,${intended_mount_options}" "$mount_folder" From 3ebe8cf4de5c77f26f93ac40bdc596c0c38451f5 Mon Sep 17 00:00:00 2001 
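Review bot: `mount --options "$intended_mount_options" --bind "$mount_folder" "$mount_folder"` relies on util-linux applying VFS flags in the same call as the bind; as far as I recall, util-linux before the 2.27 series silently ignored options on a one-step bind and required a second `mount --options remount,bind,...`. If older util-linux must be supported, follow the bind with `mount --options "remount,bind,${intended_mount_options}" "$mount_folder" || exit_code=101`; otherwise a comment `## Requires util-linux that applies --options during --bind in one call.` records the assumption. The function starts and ends outside this hunk.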
From: Patrick Schleizer Date: Sun, 22 Oct 2023 10:41:42 -0400 Subject: [PATCH 043/846] refactoring --- usr/bin/remount-secure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 79f42b7..577c2ce 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -103,7 +103,7 @@ remount_secure() { fi fi - if echo "$mount_output" | grep --quiet "$mount_folder " ; then + if findmnt --noheadings "$mount_folder " >/dev/null ; then ## Already mounted. Using remount. $output_command INFO: Executing: mount --options "remount,${intended_mount_options}" "$mount_folder" mount --options "remount,${intended_mount_options}" "$mount_folder" || exit_code=100 From 233fa4625bb60ef65c707d28e7c8a51ef5a1d66e Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 10:49:53 -0400 Subject: [PATCH 044/846] output --- usr/bin/remount-secure | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 577c2ce..e22c69e 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -104,11 +104,11 @@ remount_secure() { fi if findmnt --noheadings "$mount_folder " >/dev/null ; then - ## Already mounted. Using remount. + $output_command "INFO: '$mount_folder' already mounted, therefore using remount." $output_command INFO: Executing: mount --options "remount,${intended_mount_options}" "$mount_folder" mount --options "remount,${intended_mount_options}" "$mount_folder" || exit_code=100 else - ## Not yet mounted. Using mount bind. + $output_command "INFO: '$mount_folder' not yet mounted, therefore using mount bind." $output_command INFO: Executing: mount --options "$intended_mount_options" --bind "$mount_folder" "$mount_folder" mount --options "$intended_mount_options" --bind "$mount_folder" "$mount_folder" || exit_code=101 fi From a423b85f81e0c066271ad7db78902ccddbeabb5a Mon Sep 17 00:00:00 2001 
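Review bot: `findmnt --noheadings "$mount_folder "` keeps the trailing space inside the quotes that the old `grep "$mount_folder "` pattern needed; findmnt now receives the literal path `/home ` (with a space), finds nothing, and the branch always falls through to the bind-mount path even for mount points that are already mounted. Drop the space: `if findmnt --noheadings "$mount_folder" >/dev/null ; then`. The same line is context in PATCH 044's hunk of this file, and the function starts and ends outside both hunks.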
From: Patrick Schleizer Date: Sun, 22 Oct 2023 10:50:30 -0400 Subject: [PATCH 045/846] bumped changelog version --- changelog.upstream | 54 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 60 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index f532cdc..2fb7bde 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,57 @@ +commit 233fa4625bb60ef65c707d28e7c8a51ef5a1d66e +Author: Patrick Schleizer +Date: Sun Oct 22 10:49:53 2023 -0400 + + output + +commit 3ebe8cf4de5c77f26f93ac40bdc596c0c38451f5 +Author: Patrick Schleizer +Date: Sun Oct 22 10:41:42 2023 -0400 + + refactoring + +commit 24d2e26397e8f1e8e350fb60206ab1c5b597cbe6 +Author: Patrick Schleizer +Date: Sun Oct 22 10:40:19 2023 -0400 + + no longer reproducible + +commit fcba70df2e4e6c71fd29852d6f0b20f80e2e2d5e +Author: Patrick Schleizer +Date: Sun Oct 22 10:38:48 2023 -0400 + + refactoring + +commit a05bd3dd0e7319807fa7ea523407ec82ce8aa39c +Author: Patrick Schleizer +Date: Sun Oct 22 10:37:02 2023 -0400 + + /home last because most likely to fail + +commit 41077c94fbc1a0c90ee870292fe82e16a70b52f1 +Author: Patrick Schleizer +Date: Sun Oct 22 10:32:24 2023 -0400 + + improve remount-secure + +commit ef69e512bd2e2eba0e292470bfef6336216e2605 +Author: Patrick Schleizer +Date: Sun Oct 22 10:25:57 2023 -0400 + + refactoring + +commit d5cb7ecec9d10069e2e37a2f88680dff6d3f6eb6 +Author: Patrick Schleizer +Date: Sun Oct 22 10:22:21 2023 -0400 + + use findmnt + +commit 1120d0652ddead556801958973d61502b75f9fc7 +Author: Patrick Schleizer +Date: Sun Oct 22 10:16:53 2023 -0400 + + bumped changelog version + commit 45ce0ff74d8f42d6a424e0742989008403891f8a Author: Patrick Schleizer Date: Sun Oct 22 10:16:43 2023 -0400 diff --git a/debian/changelog b/debian/changelog index 4663ca4..7f00386 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:30.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 14:50:30 +0000 + security-misc (3:30.3-1) unstable; urgency=medium * New upstream version (local package). From 26826e8398c4d3feed07e8e3e095a87bbde9907a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 11:06:34 -0400 Subject: [PATCH 046/846] fix --- usr/bin/remount-secure | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index e22c69e..d1f0569 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -96,7 +96,7 @@ remount_secure() { ## When this package is upgraded, the systemd unit will run again. ## If the user meanwhile manually relaxed mount options, this should not be undone. - if [ "$option_force" == "true" ]; then + if [ ! "$option_force" == "true" ]; then if [ -e "$status_file_full_path" ]; then $output_command "INFO: '$mount_folder' already remounted earlier. Not remounting again. Use --force if this is what you want." return 0 @@ -113,8 +113,8 @@ remount_secure() { mount --options "$intended_mount_options" --bind "$mount_folder" "$mount_folder" || exit_code=101 fi - new_mount_options="$(findmnt --noheadings --output options -- "$mount_folder")" || true - $output_command "INFO: '$mount_folder' new_mount_options: '$new_mount_options'" + new_mount_options="$(findmnt --noheadings "$mount_folder")" || true + $output_command "INFO: $new_mount_options" touch "$status_file_full_path" } From f1da0ce7461fab2eeb421daa886ddd9856c9fd52 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 11:11:10 -0400 Subject: [PATCH 047/846] fix --- usr/bin/remount-secure | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index d1f0569..5c842ad 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure 
@@ -24,14 +24,14 @@ init() { $output_command "ERROR: must be run as root! sudo $0" exit 1 fi + $output_command "START" mkdir --parents "/run/remount-secure" exit_code=0 - mount_output="$(mount)" ## Debugging. - $output_command "INFO: mount_output:" - $output_command "$mount_output" + $output_command "INFO: 'findmnt --list' output at the START." + $output_command "$(findmnt --list)" $output_command "" } @@ -103,7 +103,7 @@ remount_secure() { fi fi - if findmnt --noheadings "$mount_folder " >/dev/null ; then + if findmnt --noheadings "$mount_folder" >/dev/null ; then $output_command "INFO: '$mount_folder' already mounted, therefore using remount." $output_command INFO: Executing: mount --options "remount,${intended_mount_options}" "$mount_folder" mount --options "remount,${intended_mount_options}" "$mount_folder" || exit_code=100 @@ -153,6 +153,9 @@ _home() { } end() { + ## Debugging. + $output_command "INFO: 'findmnt --list' output at the END." + $output_command "$(findmnt --list)" exit $exit_code } From 8eb4607a0e8c3db10f64e4ed5a02e87fd3ee8903 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 11:12:54 -0400 Subject: [PATCH 048/846] improve --- usr/bin/remount-secure | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 5c842ad..d19078b 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -113,8 +113,8 @@ remount_secure() { mount --options "$intended_mount_options" --bind "$mount_folder" "$mount_folder" || exit_code=101 fi - new_mount_options="$(findmnt --noheadings "$mount_folder")" || true - $output_command "INFO: $new_mount_options" + new_mount_options="$(findmnt --noheadings --output options -- "$mount_folder")" || true + $output_command "INFO: '$mount_folder' new_mount_options: $new_mount_options" touch "$status_file_full_path" } From 975a017dec26f671b7869ba4ad94b3a4d2faf999 Mon Sep 17 00:00:00 2001 
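Review bot: In the `@@ -103` hunk the repaired `findmnt --noheadings "$mount_folder" >/dev/null` is what decides between `remount` and `--bind`, but as far as I read findmnt a bare path argument is matched against both the SOURCE and the TARGET column, so the test means "the mount table mentions this path" rather than "this path is a mountpoint"; `findmnt --noheadings --mountpoint -- "$mount_folder" >/dev/null` pins the lookup to the target and also guards against a folder name beginning with a dash. The trailing-space fix itself is correct. The init() hunk dumps the full `findmnt --list` table on every run under a `## Debugging.` label; if that is meant to stay, a comment saying it is intentional log output would help. remount_secure and init begin outside their hunks.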
From: Patrick Schleizer Date: Sun, 22 Oct 2023 11:13:05 -0400 Subject: [PATCH 049/846] bumped changelog version --- changelog.upstream | 24 ++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 30 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 2fb7bde..f63eee0 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,27 @@ +commit 8eb4607a0e8c3db10f64e4ed5a02e87fd3ee8903 +Author: Patrick Schleizer +Date: Sun Oct 22 11:12:54 2023 -0400 + + improve + +commit f1da0ce7461fab2eeb421daa886ddd9856c9fd52 +Author: Patrick Schleizer +Date: Sun Oct 22 11:11:10 2023 -0400 + + fix + +commit 26826e8398c4d3feed07e8e3e095a87bbde9907a +Author: Patrick Schleizer +Date: Sun Oct 22 11:06:34 2023 -0400 + + fix + +commit a423b85f81e0c066271ad7db78902ccddbeabb5a +Author: Patrick Schleizer +Date: Sun Oct 22 10:50:30 2023 -0400 + + bumped changelog version + commit 233fa4625bb60ef65c707d28e7c8a51ef5a1d66e Author: Patrick Schleizer Date: Sun Oct 22 10:49:53 2023 -0400 diff --git a/debian/changelog b/debian/changelog index 7f00386..1ce238e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:30.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 15:13:05 +0000 + security-misc (3:30.4-1) unstable; urgency=medium * New upstream version (local package). From e7d30955e88b0a052e9159c11f4c1e1a47dadb49 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 11:28:08 -0400 Subject: [PATCH 050/846] debugging --- usr/bin/remount-secure | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index d19078b..01b6aec 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure 
@@ -109,6 +109,15 @@ remount_secure() { mount --options "remount,${intended_mount_options}" "$mount_folder" || exit_code=100 else $output_command "INFO: '$mount_folder' not yet mounted, therefore using mount bind." + + ## Debugging. + ls "$mount_folder" /x >/dev/null || true + if test -d "$mount_folder" ; then + $output_command "INFO: '$mount_folder' folder exists: yes" + else + $output_command "INFO: '$mount_folder' folder exists: no" + fi + $output_command INFO: Executing: mount --options "$intended_mount_options" --bind "$mount_folder" "$mount_folder" mount --options "$intended_mount_options" --bind "$mount_folder" "$mount_folder" || exit_code=101 fi From 1696c37251fe6158118ac3a694c2e11439de5c46 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 11:28:18 -0400 Subject: [PATCH 051/846] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index f63eee0..3f83e87 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit e7d30955e88b0a052e9159c11f4c1e1a47dadb49 +Author: Patrick Schleizer +Date: Sun Oct 22 11:28:08 2023 -0400 + + debugging + +commit 975a017dec26f671b7869ba4ad94b3a4d2faf999 +Author: Patrick Schleizer +Date: Sun Oct 22 11:13:05 2023 -0400 + + bumped changelog version + commit 8eb4607a0e8c3db10f64e4ed5a02e87fd3ee8903 Author: Patrick Schleizer Date: Sun Oct 22 11:12:54 2023 -0400 diff --git a/debian/changelog b/debian/changelog index 1ce238e..0e1192d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:30.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 15:28:18 +0000 + security-misc (3:30.5-1) unstable; urgency=medium * New upstream version (local package). From 84ca0ac8a0b6a72a28e030081299b402749b9348 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Sun, 22 Oct 2023 12:54:25 -0400 Subject: [PATCH 052/846] improve remount-secure --- usr/bin/remount-secure | 72 +++++++++++++++---- .../20remount-secure/module-setup.sh | 2 + 2 files changed, 59 insertions(+), 15 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 01b6aec..270a40e 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -6,6 +6,7 @@ ## noexec in /tmp and/or /home can break some malware but also legitimate ## applications. +## https://www.kicksecure.com/wiki/Dev/remount-secure ## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707 #set -x @@ -29,10 +30,26 @@ init() { mkdir --parents "/run/remount-secure" exit_code=0 + ## dracut sets NEWROOT=/sysroot + [[ -v NEWROOT ]] || NEWROOT="" + if [ "$NEWROOT" = "" ]; then + $output_command "INFO: dracut detected: yes - NEWROOT: '$NEWROOT'" + else + $output_command "INFO: dracut detected: yes - NEWROOT: '$NEWROOT'" + fi + ## Debugging. $output_command "INFO: 'findmnt --list' output at the START." $output_command "$(findmnt --list)" $output_command "" + + ## Debugging. + #echo "ls -la /root/" + #ls -la / || true + #echo "ls -la /sysroot/" + #ls -la /sysroot/ || true + #echo "env" + #env || true } parse_options() { 
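Review bot: Both branches of the new NEWROOT check in init() print `dracut detected: yes`, and the branch taken when `NEWROOT` is empty is, per the `## dracut sets NEWROOT=/sysroot` comment, exactly the non-dracut case, so that message is inverted; change the first one to `$output_command "INFO: dracut detected: no - NEWROOT: '$NEWROOT'"`. `[[ -v NEWROOT ]] || NEWROOT=""` is bash-only; the script's shebang is not in the hunk, but `NEWROOT="${NEWROOT-}"` achieves the same default under any POSIX shell. The commented `#ls -la /sysroot/` / `#env || true` block is dead debugging code and should probably not ship. init() starts outside the hunk.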
@@ -103,21 +120,19 @@ remount_secure() { fi fi + if ! test -d "$mount_folder" ; then + $output_command "INFO: '$mount_folder' folder exists: no" + exit_code=102 + return 0 + fi + $output_command "INFO: '$mount_folder' folder exists: yes" + if findmnt --noheadings "$mount_folder" >/dev/null ; then $output_command "INFO: '$mount_folder' already mounted, therefore using remount." $output_command INFO: Executing: mount --options "remount,${intended_mount_options}" "$mount_folder" mount --options "remount,${intended_mount_options}" "$mount_folder" || exit_code=100 else $output_command "INFO: '$mount_folder' not yet mounted, therefore using mount bind." - - ## Debugging. - ls "$mount_folder" /x >/dev/null || true - if test -d "$mount_folder" ; then - $output_command "INFO: '$mount_folder' folder exists: yes" - else - $output_command "INFO: '$mount_folder' folder exists: no" - fi - $output_command INFO: Executing: mount --options "$intended_mount_options" --bind "$mount_folder" "$mount_folder" mount --options "$intended_mount_options" --bind "$mount_folder" "$mount_folder" || exit_code=101 fi 
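Review bot: The new `if ! test -d "$mount_folder"` guard sets `exit_code=102` and returns, which turns a directory that simply does not exist on this install into a non-zero exit for the whole run; `exit_code` is a single global, so a later success never clears it and a later failure silently overwrites it, meaning only the last failing helper is reported. If some of the handled paths may legitimately be absent, log the skip without touching `exit_code`; otherwise document the decision: `## A missing folder is treated as a failure (102) so the caller notices.` Note also that `test -d` follows symlinks, so a symlinked `$mount_folder` passes the check while the mount commands below act on the link target. remount_secure starts and ends outside the hunk.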
@@ -128,35 +143,62 @@ remount_secure() { touch "$status_file_full_path" } -_run() { - mount_folder="/run" +_boot() { + mount_folder="$NEWROOT/boot" ## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html intended_mount_options="nosuid,nodev${noexec_maybe}" remount_secure "$@" } +_run() { + mount_folder="$NEWROOT/run" + ## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html + intended_mount_options="nosuid,nodev${noexec_maybe}" + remount_secure "$@" +} + +## TODO +# _dev() { +# mount_folder="$NEWROOT/dev" +# intended_mount_options="nosuid,${noexec_maybe}" +# remount_secure "$@" +# } + _dev_shm() { - mount_folder="/dev/shm" + mount_folder="$NEWROOT/dev/shm" intended_mount_options="nosuid,nodev${noexec_maybe}" remount_secure "$@" } _tmp() { - mount_folder="/tmp" + mount_folder="$NEWROOT/tmp" + intended_mount_options="nosuid,nodev${noexec_maybe}" + remount_secure "$@" +} + +_var() { + mount_folder="$NEWROOT/var" + ## TODO: nodev? noexec? + intended_mount_options="nosuid" + remount_secure "$@" +} + +_var_tmp() { + mount_folder="$NEWROOT/var/tmp" intended_mount_options="nosuid,nodev${noexec_maybe}" remount_secure "$@" } ## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707/25 # _lib() { -# mount_folder="/lib" +# mount_folder="$NEWROOT/lib" # ## Not using noexec on /lib. # intended_mount_options="nosuid,nodev" # remount_secure "$@" # } _home() { - mount_folder="/home" + mount_folder="$NEWROOT/home" intended_mount_options="nosuid,nodev${noexec_maybe}" remount_secure "$@" } diff --git a/usr/lib/dracut/modules.d/20remount-secure/module-setup.sh b/usr/lib/dracut/modules.d/20remount-secure/module-setup.sh index 52b5faa..c48d08c 100755 --- a/usr/lib/dracut/modules.d/20remount-secure/module-setup.sh +++ b/usr/lib/dracut/modules.d/20remount-secure/module-setup.sh 
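Review bot: Every `mount_folder` in the hunk is now prefixed with `$NEWROOT`, including `/run` and `/dev/shm`, with no comment on which paths are expected to live on the target root and which are initramfs-local; I infer from the dracut wiring that `$NEWROOT/run` and `$NEWROOT/dev/shm` may not be mounted at all during the initramfs phase, in which case the `findmnt` check in remount_secure would fall through to the bind-mount branch. Once the intended split is settled, record it once above `_boot()`, e.g. `## Paths under $NEWROOT are on the target root filesystem; /run and /dev are initramfs mounts.` `_var` is the only helper without `nodev` and carries only `## TODO: nodev? noexec?`; a sentence on what blocks nodev there would save the next reader the same question.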
@@ -9,6 +9,7 @@ check() { require_binaries touch || return 1 require_binaries grep || return 1 require_binaries id || return 1 + require_binaries env || return 1 require_binaries mount || return 1 require_binaries remount-secure || return 1 return 0 @@ -25,6 +26,7 @@ install() { inst_multiple touch inst_multiple grep inst_multiple id + inst_multiple env inst_multiple mount inst_multiple remount-secure inst_hook cleanup 90 "$moddir/remount-secure.sh" From 479ab61a1d0c91d26c2cd200d97b39b2b786e073 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 12:55:20 -0400 Subject: [PATCH 053/846] remove no longer required remount-service systemd unit --- .../system-preset/50-security-misc.preset | 3 --- lib/systemd/system/remount-secure.service | 21 ------------------- 2 files changed, 24 deletions(-) delete mode 100644 lib/systemd/system/remount-secure.service diff --git a/lib/systemd/system-preset/50-security-misc.preset b/lib/systemd/system-preset/50-security-misc.preset index be35459..aee8b99 100644 --- a/lib/systemd/system-preset/50-security-misc.preset +++ b/lib/systemd/system-preset/50-security-misc.preset @@ -7,8 +7,5 @@ disable hide-hardware-info.service ## Disable for now until development finished / tested. disable permission-hardening.service -## Disable for now until development finished / tested. -disable remount-secure.service - ## Disable due to pkexec issues. disable proc-hidepid.service diff --git a/lib/systemd/system/remount-secure.service b/lib/systemd/system/remount-secure.service deleted file mode 100644 index ba6e017..0000000 --- a/lib/systemd/system/remount-secure.service +++ /dev/null 
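Review bot: `require_binaries env || return 1` makes the initramfs build fail when `env` is missing, yet as far as the visible diff shows the only use of `env` in remount-secure is the commented-out `#env || true` debugging line this same commit adds to init(), so the new hard dependency buys nothing at runtime. Either drop both `env` lines from check() and install(), or keep them only together with the debugging block they serve. The same applies to the `inst_multiple env` line in the second hunk.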
@@ -1,21 +0,0 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -[Unit] -Description=remount /home /tmp /dev/shm /run with nosuid,nodev (default) and noexec (opt-in) -Documentation=https://github.com/Kicksecure/security-misc - -DefaultDependencies=no -Before=sysinit.target -Requires=local-fs.target -After=local-fs.target - -After=qubes-sysinit.service - -[Service] -Type=oneshot -RemainAfterExit=yes -ExecStart=/usr/bin/remount-secure - -[Install] -WantedBy=sysinit.target From f70f36e6cfead0038075d715e430e15aedae459f Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 12:55:41 -0400 Subject: [PATCH 054/846] bumped changelog version --- changelog.upstream | 18 ++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 24 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 3f83e87..93e0a91 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,21 @@ +commit 479ab61a1d0c91d26c2cd200d97b39b2b786e073 +Author: Patrick Schleizer +Date: Sun Oct 22 12:55:20 2023 -0400 + + remove no longer required remount-service systemd unit + +commit 84ca0ac8a0b6a72a28e030081299b402749b9348 +Author: Patrick Schleizer +Date: Sun Oct 22 12:54:25 2023 -0400 + + improve remount-secure + +commit 1696c37251fe6158118ac3a694c2e11439de5c46 +Author: Patrick Schleizer +Date: Sun Oct 22 11:28:18 2023 -0400 + + bumped changelog version + commit e7d30955e88b0a052e9159c11f4c1e1a47dadb49 Author: Patrick Schleizer Date: Sun Oct 22 11:28:08 2023 -0400 diff --git a/debian/changelog b/debian/changelog index 0e1192d..b2e0801 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:30.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 16:55:41 +0000 + security-misc (3:30.6-1) unstable; urgency=medium * New upstream version (local package). 
From 28cb53341d48ece9e042caea03e7159b0f93c2ee Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 13:11:44 -0400 Subject: [PATCH 055/846] remount-secure dracut module: improve output --- usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh b/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh index 7e046be..0e85b6a 100755 --- a/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh +++ b/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh @@ -13,7 +13,9 @@ remount_hook() { if getargbool 1 remountnoexec; then if ! remount-secure --remountnoexec ; then warn "'remount-secure --remountnoexec' failed." + return 1 fi + info "'remount-secure --remountnoexec' success." return 0 fi @@ -21,10 +23,12 @@ remount_hook() { if ! remount-secure ; then warn "'remount-secure' failed." fi + info "'remount-secure' success." return 0 fi warn "Not using remount-secure." + return 1 } remount_hook From b0181af099a2bc20a6d8cc20e6e27371ecc50bf1 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 13:12:25 -0400 Subject: [PATCH 056/846] fix --- usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh b/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh index 0e85b6a..57fbf9c 100755 --- a/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh +++ b/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh @@ -22,6 +22,7 @@ remount_hook() { if getargbool 1 remountsecure; then if ! remount-secure ; then warn "'remount-secure' failed." + return 1 fi info "'remount-secure' success." return 0 From 4288e10554f854d6dd9be092ddbf6a62686b1549 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Sun, 22 Oct 2023 13:25:31 -0400 Subject: [PATCH 057/846] fix, rework remount-secure kernel parameters parsing --- etc/default/grub.d/40_remmount-secure.cfg | 2 +- .../modules.d/20remount-secure/remount-secure.sh | 10 ++++++---- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/etc/default/grub.d/40_remmount-secure.cfg b/etc/default/grub.d/40_remmount-secure.cfg index 29d8718..b012d6d 100644 --- a/etc/default/grub.d/40_remmount-secure.cfg +++ b/etc/default/grub.d/40_remmount-secure.cfg @@ -7,4 +7,4 @@ #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=1" ## Re-mount with nodev, nosuid, noexec. -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountnoexec=1" +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=noexec" diff --git a/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh b/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh index 57fbf9c..396ce92 100755 --- a/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh +++ b/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh @@ -7,10 +7,12 @@ ## options based on kernel command line parameters. remount_hook() { - local remount_action - remount_action=$(getarg remountsecure) + local remountsecure_action + ## getarg returns the last parameter only. + ## if /proc/cmdline contains 'remountsecure=0 remountsecure=1 remountsecure=noexec' the last one wins. + remountsecure_action=$(getarg remountsecure) - if getargbool 1 remountnoexec; then + if [ "$remountsecure_action" = "1" ]; then if ! remount-secure --remountnoexec ; then warn "'remount-secure --remountnoexec' failed." return 1 @@ -19,7 +21,7 @@ remount_hook() { return 0 fi - if getargbool 1 remountsecure; then + if [ "$remountsecure_action" = "noexec" ]; then if ! remount-secure ; then warn "'remount-secure' failed." return 1 From 6675a2e93194ea15daeb22bee707cf49563f69fe Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Sun, 22 Oct 2023 13:30:50 -0400 Subject: [PATCH 058/846] fix --- usr/bin/remount-secure | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 270a40e..b135b22 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -157,12 +157,11 @@ _run() { remount_secure "$@" } -## TODO -# _dev() { -# mount_folder="$NEWROOT/dev" -# intended_mount_options="nosuid,${noexec_maybe}" -# remount_secure "$@" -# } +_dev() { + mount_folder="$NEWROOT/dev" + intended_mount_options="nosuid,${noexec_maybe}" + remount_secure "$@" +} _dev_shm() { mount_folder="$NEWROOT/dev/shm" @@ -213,9 +212,13 @@ end() { main() { init "$@" parse_options "$@" + _boot "$@" _run "$@" + _dev "$@" _dev_shm "$@" _tmp "$@" + _var "$@" + _var_tmp "$@" #_lib "$@" _home "$@" end "$@" From e689f38ad0ba9727d482dbab25ea5d88e67a8edf Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 13:31:44 -0400 Subject: [PATCH 059/846] todo --- usr/bin/remount-secure | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index b135b22..fbbc16d 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -209,18 +209,19 @@ end() { exit $exit_code } +## TODO: need to be tested one by one main() { init "$@" parse_options "$@" _boot "$@" - _run "$@" - _dev "$@" - _dev_shm "$@" - _tmp "$@" - _var "$@" - _var_tmp "$@" + #_run "$@" + #_dev "$@" + #_dev_shm "$@" + #_tmp "$@" + #_var "$@" + #_var_tmp "$@" #_lib "$@" - _home "$@" + #_home "$@" end "$@" } From 3c183294cd8a402418eafc1e657c6524be49c487 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 13:31:55 -0400 Subject: [PATCH 060/846] bumped changelog version --- changelog.upstream | 36 ++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 42 insertions(+) 
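Review bot: The newly enabled `_dev` sets `intended_mount_options="nosuid,${noexec_maybe}"`, and since every sibling helper writes `nosuid,nodev${noexec_maybe}` I take `noexec_maybe` to be either empty or to begin with a comma, so `/dev` ends up with `nosuid,` or `nosuid,,noexec`; whether mount tolerates the empty option I cannot tell from here, but `intended_mount_options="nosuid${noexec_maybe}"` avoids the question. Leaving out `nodev` on `/dev` is clearly deliberate and deserves a one-line comment: `## No nodev here: /dev must allow device nodes.` main() in the second hunk starts outside the hunk.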
diff --git a/changelog.upstream b/changelog.upstream index 93e0a91..2cd61c7 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,39 @@ +commit e689f38ad0ba9727d482dbab25ea5d88e67a8edf +Author: Patrick Schleizer +Date: Sun Oct 22 13:31:44 2023 -0400 + + todo + +commit 6675a2e93194ea15daeb22bee707cf49563f69fe +Author: Patrick Schleizer +Date: Sun Oct 22 13:30:50 2023 -0400 + + fix + +commit 4288e10554f854d6dd9be092ddbf6a62686b1549 +Author: Patrick Schleizer +Date: Sun Oct 22 13:25:31 2023 -0400 + + fix, rework remount-secure kernel parameters parsing + +commit b0181af099a2bc20a6d8cc20e6e27371ecc50bf1 +Author: Patrick Schleizer +Date: Sun Oct 22 13:12:25 2023 -0400 + + fix + +commit 28cb53341d48ece9e042caea03e7159b0f93c2ee +Author: Patrick Schleizer +Date: Sun Oct 22 13:11:44 2023 -0400 + + remount-secure dracut module: improve output + +commit f70f36e6cfead0038075d715e430e15aedae459f +Author: Patrick Schleizer +Date: Sun Oct 22 12:55:41 2023 -0400 + + bumped changelog version + commit 479ab61a1d0c91d26c2cd200d97b39b2b786e073 Author: Patrick Schleizer Date: Sun Oct 22 12:55:20 2023 -0400 diff --git a/debian/changelog b/debian/changelog index b2e0801..79b1440 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:30.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 17:31:55 +0000 + security-misc (3:30.7-1) unstable; urgency=medium * New upstream version (local package). From 8a592c2e371de1136d566e707ba56ce89309230a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 13:56:17 -0400 Subject: [PATCH 061/846] fix remountsecure kernel parameter logic --- .../20remount-secure/remount-secure.sh | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh b/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh index 396ce92..ba1bb61 100755 
--- a/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh +++ b/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh @@ -13,16 +13,7 @@ remount_hook() { remountsecure_action=$(getarg remountsecure) if [ "$remountsecure_action" = "1" ]; then - if ! remount-secure --remountnoexec ; then - warn "'remount-secure --remountnoexec' failed." - return 1 - fi - info "'remount-secure --remountnoexec' success." - return 0 - fi - - if [ "$remountsecure_action" = "noexec" ]; then - if ! remount-secure ; then + if ! remount-secure; then warn "'remount-secure' failed." return 1 fi @@ -30,6 +21,15 @@ remount_hook() { return 0 fi + if [ "$remountsecure_action" = "noexec" ]; then + if ! remount-secure --remountnoexec; then + warn "'remount-secure --remountnoexec' failed." + return 1 + fi + info "'remount-secure --remountnoexec' success." + return 0 + fi + warn "Not using remount-secure." return 1 } From 52fa7db0874be85a3db296499ab76f84a5f518db Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 13:57:38 -0400 Subject: [PATCH 062/846] output --- .../modules.d/20remount-secure/remount-secure.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh b/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh index ba1bb61..1a5ae15 100755 --- a/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh +++ b/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh 
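Review bot: After the swap, every value of `remountsecure` other than `1` and `noexec` — including an explicit `remountsecure=0` and the parameter being absent, where `getarg` yields an empty string — falls through to `warn "Not using remount-secure."` and `return 1`, so a system that simply has not opted in reports the hook as failed. Treat the absent/`0` case as a normal no-op (`info` plus `return 0`) and keep the warning and non-zero status for unrecognized values, e.g. `warn "Unknown remountsecure value '$remountsecure_action'."`. remount_hook's `local` declaration and `getarg` call sit outside the second hunk.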
@@ -14,23 +14,23 @@ remount_hook() { if [ "$remountsecure_action" = "1" ]; then if ! remount-secure; then - warn "'remount-secure' failed." + warn "$0: ERROR: 'remount-secure' failed." return 1 fi - info "'remount-secure' success." + info "$0: INFO: 'remount-secure' success." return 0 fi if [ "$remountsecure_action" = "noexec" ]; then if ! remount-secure --remountnoexec; then - warn "'remount-secure --remountnoexec' failed." + warn "$0: ERROR: 'remount-secure --remountnoexec' failed." return 1 fi - info "'remount-secure --remountnoexec' success." + info "$0: INFO: 'remount-secure --remountnoexec' success." return 0 fi - warn "Not using remount-secure." + warn "$0: WARNING: Not using remount-secure." return 1 } From 619f1705e13232680f38bc630f19f2ace32f48ad Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 13:58:55 -0400 Subject: [PATCH 063/846] output --- usr/bin/remount-secure | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index fbbc16d..ea54bad 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -25,7 +25,7 @@ init() { $output_command "ERROR: must be run as root! sudo $0" exit 1 fi - $output_command "START" + $output_command "$0: INFO: START" mkdir --parents "/run/remount-secure" exit_code=0 @@ -206,6 +206,7 @@ end() { ## Debugging. $output_command "INFO: 'findmnt --list' output at the END." $output_command "$(findmnt --list)" + $output_command "$0: INFO: END" exit $exit_code } From 245fad09868c2d84bee66d65ecca32704786919b Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 14:00:06 -0400 Subject: [PATCH 064/846] fix --- usr/bin/remount-secure | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index ea54bad..b4424ae 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure 
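Review bot: The `$0:` prefix added to every warn/info in remount_hook may not name this file: as far as I know dracut sources hook scripts into its own shell, so `$0` would be the sourcing shell's script name and identical for every hook, which defeats the purpose of the tag. A literal prefix such as `remount-secure hook:` in these messages is unambiguous. The same prefix in the remount-secure script itself (the following `@@ -25` hunk) is fine, since that script is executed rather than sourced.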
@@ -189,12 +189,12 @@ _var_tmp() { } ## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707/25 -# _lib() { -# mount_folder="$NEWROOT/lib" -# ## Not using noexec on /lib. -# intended_mount_options="nosuid,nodev" -# remount_secure "$@" -# } +_lib() { + mount_folder="$NEWROOT/lib" + ## Not using noexec on /lib. + intended_mount_options="nosuid,nodev" + remount_secure "$@" +} _home() { mount_folder="$NEWROOT/home" @@ -215,13 +215,20 @@ main() { init "$@" parse_options "$@" _boot "$@" + #_run "$@" + + ## TODO: ? #_dev "$@" + #_dev_shm "$@" #_tmp "$@" #_var "$@" #_var_tmp "$@" + + ## TODO: broken? #_lib "$@" + #_home "$@" end "$@" } From 6198ae317c4d8cbd06d95d5e2a585892f455cab6 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 14:29:02 -0400 Subject: [PATCH 065/846] fix --- usr/bin/remount-secure | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index b4424ae..cf511e4 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure 
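Review bot: The activated `_lib` bind-mounts `$NEWROOT/lib`, but on a merged-/usr Debian layout `/lib` is a symlink to `usr/lib`, so mount resolves it and both the `findmnt` check and the bind mount land on `/usr/lib` — quite possibly the reason behind the `## TODO: broken?` this same commit adds to main(). If the goal is to harden the libraries, target `$NEWROOT/usr/lib` directly and note in the helper that `/lib` is only a symlink; if not, keep the helper commented out rather than defining a function main() never calls. main() starts outside the second hunk.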
@@ -151,45 +151,46 @@ _boot() { } _run() { - mount_folder="$NEWROOT/run" + mount_folder="/run" ## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html intended_mount_options="nosuid,nodev${noexec_maybe}" remount_secure "$@" } _dev() { - mount_folder="$NEWROOT/dev" + mount_folder="/dev" intended_mount_options="nosuid,${noexec_maybe}" remount_secure "$@" } _dev_shm() { - mount_folder="$NEWROOT/dev/shm" + mount_folder="/dev/shm" intended_mount_options="nosuid,nodev${noexec_maybe}" remount_secure "$@" } _tmp() { - mount_folder="$NEWROOT/tmp" + mount_folder="/tmp" intended_mount_options="nosuid,nodev${noexec_maybe}" remount_secure "$@" } _var() { - mount_folder="$NEWROOT/var" + mount_folder="/var" ## TODO: nodev? noexec? intended_mount_options="nosuid" remount_secure "$@" } _var_tmp() { - mount_folder="$NEWROOT/var/tmp" + mount_folder="/var/tmp" intended_mount_options="nosuid,nodev${noexec_maybe}" remount_secure "$@" } ## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707/25 _lib() { + ## TODO: NEWROOT? mount_folder="$NEWROOT/lib" ## Not using noexec on /lib. intended_mount_options="nosuid,nodev" @@ -216,13 +217,15 @@ main() { parse_options "$@" _boot "$@" - #_run "$@" + _run "$@" ## TODO: ? #_dev "$@" - #_dev_shm "$@" - #_tmp "$@" + _dev_shm "$@" + _tmp "$@" + + ## TODO: ? #_var "$@" #_var_tmp "$@" From b29b626b41545fd49b67631820ae40d0fe000f22 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 14:30:28 -0400 Subject: [PATCH 066/846] bumped changelog version --- changelog.upstream | 36 ++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 42 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 2cd61c7..617b65b 100644 --- a/changelog.upstream +++ b/changelog.upstream 
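Review bot: This hunk drops the `$NEWROOT` prefix from `/run`, `/dev`, `/dev/shm`, `/tmp`, `/var` and `/var/tmp` while `_boot`, `_lib` and `_home` keep it, and the only trace of the reasoning is the `## TODO: NEWROOT?` dropped into `_lib`; `/tmp`, `/var` and `/var/tmp` are directories of the root filesystem, so during the dracut phase the unprefixed names would, as far as I can tell, address the initramfs's own directories rather than the system being hardened, whereas `/run` and `/dev` are kernel/initramfs mounts carried over into the root. Please record the rule once, e.g. above `_run()`: `## /run, /dev and /dev/shm are initramfs mounts (no $NEWROOT); all other paths live on the new root.` and prefix the root-filesystem paths accordingly.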
@@ -1,3 +1,39 @@ +commit 6198ae317c4d8cbd06d95d5e2a585892f455cab6 +Author: Patrick Schleizer +Date: Sun Oct 22 14:29:02 2023 -0400 + + fix + +commit 245fad09868c2d84bee66d65ecca32704786919b +Author: Patrick Schleizer +Date: Sun Oct 22 14:00:06 2023 -0400 + + fix + +commit 619f1705e13232680f38bc630f19f2ace32f48ad +Author: Patrick Schleizer +Date: Sun Oct 22 13:58:55 2023 -0400 + + output + +commit 52fa7db0874be85a3db296499ab76f84a5f518db +Author: Patrick Schleizer +Date: Sun Oct 22 13:57:38 2023 -0400 + + output + +commit 8a592c2e371de1136d566e707ba56ce89309230a +Author: Patrick Schleizer +Date: Sun Oct 22 13:56:17 2023 -0400 + + fix remountsecure kernel parameter logic + +commit 3c183294cd8a402418eafc1e657c6524be49c487 +Author: Patrick Schleizer +Date: Sun Oct 22 13:31:55 2023 -0400 + + bumped changelog version + commit e689f38ad0ba9727d482dbab25ea5d88e67a8edf Author: Patrick Schleizer Date: Sun Oct 22 13:31:44 2023 -0400 diff --git a/debian/changelog b/debian/changelog index 79b1440..0bb8875 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:30.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 18:30:28 +0000 + security-misc (3:30.8-1) unstable; urgency=medium * New upstream version (local package). From 7c0ea4324aa1713f365f7352a3e4db1b703d9750 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 14:39:52 -0400 Subject: [PATCH 067/846] fix --- usr/bin/remount-secure | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index cf511e4..fa0ce54 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -227,12 +227,13 @@ main() { ## TODO: ? #_var "$@" - #_var_tmp "$@" + + _var_tmp "$@" ## TODO: broken? #_lib "$@" - #_home "$@" + _home "$@" end "$@" } From c85db586cadbe781704e62405a76e43650046d2c Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Sun, 22 Oct 2023 14:44:58 -0400 Subject: [PATCH 068/846] improve --- usr/bin/remount-secure | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index fa0ce54..d282ad5 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -188,6 +188,18 @@ _var_tmp() { remount_secure "$@" } +_var_log() { + mount_folder="/var/log" + intended_mount_options="nosuid,nodev,noexec" + remount_secure "$@" +} + +_var_log_audit() { + mount_folder="/var/log/audit" + intended_mount_options="nosuid,nodev,noexec" + remount_secure "$@" +} + ## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707/25 _lib() { ## TODO: NEWROOT? @@ -230,6 +242,10 @@ main() { _var_tmp "$@" + ## TODO: ? + #_var_log + #_var_log_audit + ## TODO: broken? #_lib "$@" From 7f03c2b13742e583e426c91ff4e111b6c0e7da43 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 14:45:45 -0400 Subject: [PATCH 069/846] fix --- usr/bin/remount-secure | 23 +++++++++++------------ 1 file changed, 11 insertions(+), 12 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index d282ad5..540a9ce 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -225,32 +225,31 @@ end() { ## TODO: need to be tested one by one main() { - init "$@" + init parse_options "$@" - _boot "$@" - - _run "$@" + _boot + _run ## TODO: ? - #_dev "$@" + #_dev - _dev_shm "$@" - _tmp "$@" + _dev_shm + _tmp ## TODO: ? - #_var "$@" + #_var - _var_tmp "$@" + _var_tmp ## TODO: ? #_var_log #_var_log_audit ## TODO: broken? - #_lib "$@" + #_lib - _home "$@" - end "$@" + _home + end } main "$@" From f44020973897d98fdc21ced748ad64106979829e Mon Sep 17 00:00:00 2001 
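Review bot: `_var_log_audit` remounts `/var/log/audit` as a separate step, but unless `/var/log/audit` is its own filesystem it sits on the mount that `_var_log` has just hardened, so the second pass is redundant and, where the directory does not exist, will hit the `test -d` guard and set `exit_code=102`; a comment stating when a separate audit mount is expected would settle whether the helper is needed. Both new helpers also hard-code `noexec` instead of `${noexec_maybe}` like every other helper; if log directories are meant to be noexec regardless of the opt-in, say so above the assignment: `## Always noexec: nothing under /var/log is ever executed.`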
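Review bot: Dropping `"$@"` from the helper calls in main() leaves each helper's own `remount_secure "$@"` forwarding an empty argument list, so if remount_secure still reads its positional parameters it now sees none, and if it does not, the forwarding inside the helpers is dead and should go as well for consistency. `parse_options "$@"` keeps the arguments, which suggests option parsing is the only consumer — please confirm, then change each helper's last line to plain `remount_secure`. The helpers themselves are outside this hunk.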
From: Patrick Schleizer Date: Sun, 22 Oct 2023 14:46:42 -0400 Subject: [PATCH 070/846] bumped changelog version --- changelog.upstream | 24 ++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 30 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 617b65b..b9bb28c 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,27 @@ +commit 7f03c2b13742e583e426c91ff4e111b6c0e7da43 +Author: Patrick Schleizer +Date: Sun Oct 22 14:45:45 2023 -0400 + + fix + +commit c85db586cadbe781704e62405a76e43650046d2c +Author: Patrick Schleizer +Date: Sun Oct 22 14:44:58 2023 -0400 + + improve + +commit 7c0ea4324aa1713f365f7352a3e4db1b703d9750 +Author: Patrick Schleizer +Date: Sun Oct 22 14:39:52 2023 -0400 + + fix + +commit b29b626b41545fd49b67631820ae40d0fe000f22 +Author: Patrick Schleizer +Date: Sun Oct 22 14:30:28 2023 -0400 + + bumped changelog version + commit 6198ae317c4d8cbd06d95d5e2a585892f455cab6 Author: Patrick Schleizer Date: Sun Oct 22 14:29:02 2023 -0400 diff --git a/debian/changelog b/debian/changelog index 0bb8875..a5be996 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:31.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 18:46:42 +0000 + security-misc (3:30.9-1) unstable; urgency=medium * New upstream version (local package). From eb90d38d8ca6d6292dbb8013bb9bca8ec26f4792 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 15:05:33 -0400 Subject: [PATCH 071/846] fix --- usr/bin/remount-secure | 18 ++++-------------- 1 file changed, 4 insertions(+), 14 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 540a9ce..2d04fd7 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure 
@@ -170,13 +170,13 @@ _dev_shm() { } _tmp() { - mount_folder="/tmp" + mount_folder="$NEWROOT/tmp" intended_mount_options="nosuid,nodev${noexec_maybe}" remount_secure "$@" } _var() { - mount_folder="/var" + mount_folder="$NEWROOT/var" ## TODO: nodev? noexec? intended_mount_options="nosuid" remount_secure "$@" @@ -189,20 +189,13 @@ _var_tmp() { } _var_log() { - mount_folder="/var/log" - intended_mount_options="nosuid,nodev,noexec" - remount_secure "$@" -} - -_var_log_audit() { - mount_folder="/var/log/audit" + mount_folder="$NEWROOT/var/log" intended_mount_options="nosuid,nodev,noexec" remount_secure "$@" } ## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707/25 _lib() { - ## TODO: NEWROOT? mount_folder="$NEWROOT/lib" ## Not using noexec on /lib. intended_mount_options="nosuid,nodev" @@ -240,10 +233,7 @@ main() { #_var _var_tmp - - ## TODO: ? - #_var_log - #_var_log_audit + _var_log ## TODO: broken? #_lib From f3286cf440992661ba85b5c7e41b92ffaca62cf3 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 15:10:21 -0400 Subject: [PATCH 072/846] fix --- usr/bin/remount-secure | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 2d04fd7..282a34a 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -229,8 +229,7 @@ main() { _dev_shm _tmp - ## TODO: ? - #_var + _var _var_tmp _var_log From eec87a0508a6242430a1f0b8ad341f4c3ea43059 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 15:11:26 -0400 Subject: [PATCH 073/846] fix --- usr/bin/remount-secure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 282a34a..ffd24b0 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure 
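Review bot: `_var_tmp` is the one remount helper not given the `$NEWROOT` prefix in this commit while `_tmp`, `_var` and `_var_log` all gain it; its body lies outside the hunk (only the closing brace is shown), but if it still uses a bare `/var/tmp` it would be the single folder that misses the real root under dracut. Dropping `_var_log_audit` is only safe while `/var/log/audit` lives on the same filesystem as `/var/log`; if it is ever a separate mount (some auditd setups do this) it will no longer receive `nosuid,nodev,noexec`. A comment on `_var_log` recording that assumption, e.g. `## /var/log/audit is expected to be on the same filesystem as /var/log.`, would make the intent explicit.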
@@ -194,10 +194,10 @@ _var_log() { remount_secure "$@" } -## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707/25 _lib() { mount_folder="$NEWROOT/lib" ## Not using noexec on /lib. + ## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707/25 intended_mount_options="nosuid,nodev" remount_secure "$@" } From 3731716a497c233127bff3febbe22d5cf088aad8 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 15:14:22 -0400 Subject: [PATCH 074/846] fix --- usr/bin/remount-secure | 6 ------ 1 file changed, 6 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index ffd24b0..489b39d 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -228,15 +228,9 @@ main() { _dev_shm _tmp - _var - _var_tmp _var_log - - ## TODO: broken? - #_lib - _home end } From 9b9e9ce1c0feb4ca854189754c47ca826eef1c32 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 15:27:01 -0400 Subject: [PATCH 075/846] fix --- usr/bin/remount-secure | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 489b39d..9feb123 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -159,7 +159,7 @@ _run() { _dev() { mount_folder="/dev" - intended_mount_options="nosuid,${noexec_maybe}" + intended_mount_options="nosuid,noexec" remount_secure "$@" } @@ -177,8 +177,7 @@ _tmp() { _var() { mount_folder="$NEWROOT/var" - ## TODO: nodev? noexec? - intended_mount_options="nosuid" + intended_mount_options="nosuid,nodev${noexec_maybe}" remount_secure "$@" } 
@@ -216,22 +215,21 @@ end() { exit $exit_code } -## TODO: need to be tested one by one main() { init parse_options "$@" + _boot _run - - ## TODO: ? - #_dev - + _dev _dev_shm _tmp _var - _var_tmp - _var_log + ## /var implies /var/tmp, /var/log and /var/log/audit + #_var_tmp + #_var_log _home + end } From 36f2acb93f65958b27bae030f1d2bd66a278e073 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 15:28:04 -0400 Subject: [PATCH 076/846] bumped changelog version --- changelog.upstream | 36 ++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 42 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index b9bb28c..bae8f0a 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,39 @@ +commit 9b9e9ce1c0feb4ca854189754c47ca826eef1c32 +Author: Patrick Schleizer +Date: Sun Oct 22 15:27:01 2023 -0400 + + fix + +commit 3731716a497c233127bff3febbe22d5cf088aad8 +Author: Patrick Schleizer +Date: Sun Oct 22 15:14:22 2023 -0400 + + fix + +commit eec87a0508a6242430a1f0b8ad341f4c3ea43059 +Author: Patrick Schleizer +Date: Sun Oct 22 15:11:26 2023 -0400 + + fix + +commit f3286cf440992661ba85b5c7e41b92ffaca62cf3 +Author: Patrick Schleizer +Date: Sun Oct 22 15:10:21 2023 -0400 + + fix + +commit eb90d38d8ca6d6292dbb8013bb9bca8ec26f4792 +Author: Patrick Schleizer +Date: Sun Oct 22 15:05:33 2023 -0400 + + fix + +commit f44020973897d98fdc21ced748ad64106979829e +Author: Patrick Schleizer +Date: Sun Oct 22 14:46:42 2023 -0400 + + bumped changelog version + commit 7f03c2b13742e583e426c91ff4e111b6c0e7da43 Author: Patrick Schleizer Date: Sun Oct 22 14:45:45 2023 -0400 diff --git a/debian/changelog b/debian/changelog index a5be996..cc1f8da 100644 --- a/debian/changelog +++ b/debian/changelog 
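Review bot: The comment `## /var implies /var/tmp, /var/log and /var/log/audit` only holds for the options `_var` itself applies: `_var_log` previously set `nosuid,nodev,noexec` unconditionally, whereas `_var` now uses `nosuid,nodev${noexec_maybe}`, so without `--remountnoexec` /var/log loses noexec in this commit. If /var/tmp or /var/log are separate mounts, a remount of /var does not change their flags at all (remount_secure's body is outside the hunk, so how it selects the mount point cannot be checked here). Keeping `_var_log` in the call list, or documenting that the weaker options are intentional, would preserve the earlier hardening.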
@@ -1,3 +1,9 @@ +security-misc (3:31.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 19:28:04 +0000 + security-misc (3:31.0-1) unstable; urgency=medium * New upstream version (local package). From 70cbe4daaa5cd857c49f2f9b9241f24e2867ab5a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 15:33:11 -0400 Subject: [PATCH 077/846] fix --- usr/bin/remount-secure | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 9feb123..0e8f704 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -177,7 +177,9 @@ _tmp() { _var() { mount_folder="$NEWROOT/var" - intended_mount_options="nosuid,nodev${noexec_maybe}" + ## noexec: Not possible. Reason: + ## Debian stores executable maintainer scripts in /var/lib/dpkg/info/ folder. + intended_mount_options="nosuid,nodev" remount_secure "$@" } @@ -225,9 +227,8 @@ main() { _dev_shm _tmp _var - ## /var implies /var/tmp, /var/log and /var/log/audit - #_var_tmp - #_var_log + _var_tmp + _var_log _home end From fa0804b7ae46ecfc1e9e82ca83342c9d456aa9c3 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 15:33:21 -0400 Subject: [PATCH 078/846] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index bae8f0a..e7039a7 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit 70cbe4daaa5cd857c49f2f9b9241f24e2867ab5a +Author: Patrick Schleizer +Date: Sun Oct 22 15:33:11 2023 -0400 + + fix + +commit 36f2acb93f65958b27bae030f1d2bd66a278e073 +Author: Patrick Schleizer +Date: Sun Oct 22 15:28:04 2023 -0400 + + bumped changelog version + commit 9b9e9ce1c0feb4ca854189754c47ca826eef1c32 Author: Patrick Schleizer Date: Sun Oct 22 15:27:01 2023 -0400 
diff --git a/debian/changelog b/debian/changelog index cc1f8da..dc1c831 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:31.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 19:33:21 +0000 + security-misc (3:31.1-1) unstable; urgency=medium * New upstream version (local package). From ce0babce215dc4ec08101cff5e0d25ad6ec87e70 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 15:35:03 -0400 Subject: [PATCH 079/846] comment --- usr/bin/remount-secure | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 0e8f704..5fa177b 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -159,6 +159,8 @@ _run() { _dev() { mount_folder="/dev" + ## /dev should be nosuid,noexec as per: + ## https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1991975 intended_mount_options="nosuid,noexec" remount_secure "$@" } From f80b5fe3767502f6890bdfb7bc32a602c94828d6 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 15:36:16 -0400 Subject: [PATCH 080/846] fix --- usr/bin/remount-secure | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 5fa177b..9f81d30 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -146,7 +146,7 @@ remount_secure() { _boot() { mount_folder="$NEWROOT/boot" ## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html - intended_mount_options="nosuid,nodev${noexec_maybe}" + intended_mount_options="nosuid,nodev,noexec" remount_secure "$@" } 
@@ -199,7 +199,7 @@ _var_log() { _lib() { mount_folder="$NEWROOT/lib" - ## Not using noexec on /lib. + ## Cannot use noexec on /lib as per: ## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707/25 intended_mount_options="nosuid,nodev" remount_secure "$@" From 7112eac3be014938f757e0c0def74bb04dc72d2f Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 15:37:21 -0400 Subject: [PATCH 081/846] output --- usr/bin/remount-secure | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 9f81d30..ab25e33 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -215,6 +215,7 @@ end() { ## Debugging. $output_command "INFO: 'findmnt --list' output at the END." $output_command "$(findmnt --list)" + $output_command "INFO: exit_code: $exit_code" $output_command "$0: INFO: END" exit $exit_code } From a7629b98cf4e7f86bab07c2b75fa712adcd63ee5 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 15:40:49 -0400 Subject: [PATCH 082/846] fix --- usr/bin/remount-secure | 2 +- usr/share/lintian/overrides/security-misc | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index ab25e33..130042c 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -180,7 +180,7 @@ _tmp() { _var() { mount_folder="$NEWROOT/var" ## noexec: Not possible. Reason: - ## Debian stores executable maintainer scripts in /var/lib/dpkg/info/ folder. + ## Debian stores executable maintainer scripts in /var/lib/dpkg/info folder. intended_mount_options="nosuid,nodev" remount_secure "$@" } diff --git a/usr/share/lintian/overrides/security-misc b/usr/share/lintian/overrides/security-misc index b18ab3b..a82ad23 100644 --- a/usr/share/lintian/overrides/security-misc +++ b/usr/share/lintian/overrides/security-misc 
@@ -9,3 +9,6 @@ security-misc: no-manual-page [usr/bin/pkexec.security-misc] ## Non-ideal but still a good solution. security-misc: file-in-unusual-dir [var/cache/security-misc/state-files/placeholder] + +## False-positive. Just a comment mentioning dpkg's folder. +security-misc: uses-dpkg-database-directly [usr/bin/remount-secure] From 316282952f7d2470c89f268beea01b8bac9bb4bb Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 15:40:59 -0400 Subject: [PATCH 083/846] bumped changelog version --- changelog.upstream | 30 ++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 36 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index e7039a7..4244acb 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,33 @@ +commit a7629b98cf4e7f86bab07c2b75fa712adcd63ee5 +Author: Patrick Schleizer +Date: Sun Oct 22 15:40:49 2023 -0400 + + fix + +commit 7112eac3be014938f757e0c0def74bb04dc72d2f +Author: Patrick Schleizer +Date: Sun Oct 22 15:37:21 2023 -0400 + + output + +commit f80b5fe3767502f6890bdfb7bc32a602c94828d6 +Author: Patrick Schleizer +Date: Sun Oct 22 15:36:16 2023 -0400 + + fix + +commit ce0babce215dc4ec08101cff5e0d25ad6ec87e70 +Author: Patrick Schleizer +Date: Sun Oct 22 15:35:03 2023 -0400 + + comment + +commit fa0804b7ae46ecfc1e9e82ca83342c9d456aa9c3 +Author: Patrick Schleizer +Date: Sun Oct 22 15:33:21 2023 -0400 + + bumped changelog version + commit 70cbe4daaa5cd857c49f2f9b9241f24e2867ab5a Author: Patrick Schleizer Date: Sun Oct 22 15:33:11 2023 -0400 diff --git a/debian/changelog b/debian/changelog index dc1c831..36a49b9 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:31.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 19:40:59 +0000 + security-misc (3:31.2-1) unstable; urgency=medium * New upstream version (local package). 
From a88c0a3ad2d83fe72612faf97866e255c5527384 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 15:44:30 -0400 Subject: [PATCH 084/846] fix --- usr/bin/remount-secure | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 130042c..1c1d5b1 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -147,14 +147,14 @@ _boot() { mount_folder="$NEWROOT/boot" ## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html intended_mount_options="nosuid,nodev,noexec" - remount_secure "$@" + remount_secure } _run() { mount_folder="/run" ## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html intended_mount_options="nosuid,nodev${noexec_maybe}" - remount_secure "$@" + remount_secure } _dev() { @@ -162,19 +162,19 @@ _dev() { ## /dev should be nosuid,noexec as per: ## https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1991975 intended_mount_options="nosuid,noexec" - remount_secure "$@" + remount_secure } _dev_shm() { mount_folder="/dev/shm" intended_mount_options="nosuid,nodev${noexec_maybe}" - remount_secure "$@" + remount_secure } _tmp() { mount_folder="$NEWROOT/tmp" intended_mount_options="nosuid,nodev${noexec_maybe}" - remount_secure "$@" + remount_secure } _var() { @@ -182,19 +182,19 @@ _var() { ## noexec: Not possible. Reason: ## Debian stores executable maintainer scripts in /var/lib/dpkg/info folder. intended_mount_options="nosuid,nodev" - remount_secure "$@" + remount_secure } _var_tmp() { mount_folder="/var/tmp" intended_mount_options="nosuid,nodev${noexec_maybe}" - remount_secure "$@" + remount_secure } _var_log() { mount_folder="$NEWROOT/var/log" intended_mount_options="nosuid,nodev,noexec" - remount_secure "$@" + remount_secure } _lib() { 
@@ -202,13 +202,13 @@ _lib() { ## Cannot use noexec on /lib as per: ## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707/25 intended_mount_options="nosuid,nodev" - remount_secure "$@" + remount_secure } _home() { mount_folder="$NEWROOT/home" intended_mount_options="nosuid,nodev${noexec_maybe}" - remount_secure "$@" + remount_secure } end() { From 555d83792df9aa599ae9e0e7c41af49b0601c1c1 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 15:44:47 -0400 Subject: [PATCH 085/846] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 4244acb..baff0ea 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit a88c0a3ad2d83fe72612faf97866e255c5527384 +Author: Patrick Schleizer +Date: Sun Oct 22 15:44:30 2023 -0400 + + fix + +commit 316282952f7d2470c89f268beea01b8bac9bb4bb +Author: Patrick Schleizer +Date: Sun Oct 22 15:40:59 2023 -0400 + + bumped changelog version + commit a7629b98cf4e7f86bab07c2b75fa712adcd63ee5 Author: Patrick Schleizer Date: Sun Oct 22 15:40:49 2023 -0400 diff --git a/debian/changelog b/debian/changelog index 36a49b9..3dda809 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:31.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 19:44:47 +0000 + security-misc (3:31.3-1) unstable; urgency=medium * New upstream version (local package). From 5182d7502b34a95fd751c69c4bc3f01d5f5e02b9 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 16:08:21 -0400 Subject: [PATCH 086/846] improve remount-secure --- usr/bin/remount-secure | 86 +++++++++++++++---- .../20remount-secure/remount-secure.sh | 26 ++---- 2 files changed, 75 insertions(+), 37 deletions(-) 
diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 1c1d5b1..412cebe 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -21,11 +21,12 @@ init() { output_command=echo fi + $output_command "$0: INFO: START" + if [ "$(id -u)" != "0" ]; then $output_command "ERROR: must be run as root! sudo $0" exit 1 fi - $output_command "$0: INFO: START" mkdir --parents "/run/remount-secure" exit_code=0 @@ -33,16 +34,11 @@ init() { ## dracut sets NEWROOT=/sysroot [[ -v NEWROOT ]] || NEWROOT="" if [ "$NEWROOT" = "" ]; then - $output_command "INFO: dracut detected: yes - NEWROOT: '$NEWROOT'" + $output_command "INFO: dracut detected: no" else $output_command "INFO: dracut detected: yes - NEWROOT: '$NEWROOT'" fi - ## Debugging. - $output_command "INFO: 'findmnt --list' output at the START." - $output_command "$(findmnt --list)" - $output_command "" - ## Debugging. #echo "ls -la /root/" #ls -la / || true @@ -59,9 +55,30 @@ parse_options() { while : do case ${1:-} in - --remountnoexec) - $output_command "INFO: --remountnoexec" - noexec_maybe=",noexec" + 0) + $output_command "WARNING: Not using remount-secure." + exit 0 + shift + ;; + 1) + $output_command "INFO: level 1/3 (low)" + most_noexec_maybe="" + home_noexec_maybe="" + parsed=true + shift + ;; + 2) + $output_command "INFO: level 2/3 (medium)" + most_noexec_maybe=",noexec" + home_noexec_maybe="" + parsed=true + shift + ;; + 3) + $output_command "INFO: level 3/3 (high)" + most_noexec_maybe=",noexec" + home_noexec_maybe=",noexec" + parsed=true shift ;; --force) @@ -74,7 +91,7 @@ parse_options() { break ;; -*) - echo "unknown option: $1" >&2 + echo "ERROR: unknown option: $1" >&2 exit 1 ;; *) 
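Review bot: In the new `0)` arm the `shift` after `exit 0` is unreachable and should be dropped, and exiting 0 on a path that prints a WARNING means the caller cannot tell "disabled by configuration" from a completed remount; returning a distinct status, or having the caller check for `0` first, keeps that visible. The three numeric arms repeat the same assignments with only the values changed, so a short header comment on parse_options listing what each level enables, e.g. `## 1: nosuid,nodev; 2: +noexec except /home; 3: +noexec on /home too`, would save readers reconstructing it from the arms. The matched value comes straight from the kernel command line via the dracut hook changed in the same commit, so keeping the arms to an explicit 0–3 whitelist is the right shape.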
@@ -83,8 +100,38 @@ parse_options() { esac done - [[ -v noexec_maybe ]] || noexec_maybe="" [[ -v option_force ]] || option_force="" + [[ -v parsed ]] || parsed=false + [[ -v home_noexec_maybe ]] || home_noexec_maybe="" + [[ -v most_noexec_maybe ]] || most_noexec_maybe="" + + $output_command "INFO: using nosuid,nodev: yes" + + if [ "$home_noexec_maybe" = "" ]; then + $output_command "INFO: using noexec for all: no" + else + $output_command "INFO: using noexec for all: yes" + return 0 + fi + + if [ "$most_noexec_maybe" = "" ]; then + $output_command "INFO: using noexec for most: no" + else + $output_command "INFO: using noexec for most (not all): yes" + return 0 + fi + + if [ "$parsed" = "true" ]; then + return 0 + fi + + $output_command "ERROR: syntax error. use either: +$0 0 +$0 1 +$0 2 +$0 3" + + exit 1 } remount_secure() { @@ -153,7 +200,7 @@ _boot() { _run() { mount_folder="/run" ## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html - intended_mount_options="nosuid,nodev${noexec_maybe}" + intended_mount_options="nosuid,nodev${most_noexec_maybe}" remount_secure } @@ -167,13 +214,13 @@ _dev() { _dev_shm() { mount_folder="/dev/shm" - intended_mount_options="nosuid,nodev${noexec_maybe}" + intended_mount_options="nosuid,nodev${most_noexec_maybe}" remount_secure } _tmp() { mount_folder="$NEWROOT/tmp" - intended_mount_options="nosuid,nodev${noexec_maybe}" + intended_mount_options="nosuid,nodev${most_noexec_maybe}" remount_secure } @@ -187,7 +234,7 @@ _var() { _var_tmp() { mount_folder="/var/tmp" - intended_mount_options="nosuid,nodev${noexec_maybe}" + intended_mount_options="nosuid,nodev${most_noexec_maybe}" remount_secure } @@ -207,7 +254,7 @@ _lib() { _home() { mount_folder="$NEWROOT/home" - intended_mount_options="nosuid,nodev${noexec_maybe}" + intended_mount_options="nosuid,nodev${home_noexec_maybe}" remount_secure } 
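Review bot: The syntax-error branch at the end of parse_options reports through `$output_command` (stdout when that is `echo`) while the `-*)` arm just above it uses `echo "ERROR: …" >&2`; both are fatal, so route the syntax error through `>&2` as well or make `output_command` the single error sink. The message `INFO: using noexec for all: yes` at level 3 overstates the effect: `_var` and `_lib` keep `nosuid,nodev` regardless of level (their bodies are unchanged elsewhere in the file), so `INFO: using noexec for all remountable folders including /home: yes` is more accurate. The `parsed` flag exists only to tell level 1 apart from "no argument", and a comment such as `## level 1 leaves both *_noexec_maybe empty, so record that an argument was seen` would explain why the emptiness checks alone are not enough.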
@@ -224,6 +271,11 @@ main() { init parse_options "$@" + ## Debugging. + $output_command "INFO: 'findmnt --list' output at the START." + $output_command "$(findmnt --list)" + $output_command "" + _boot _run _dev diff --git a/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh b/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh index 1a5ae15..b742dda 100755 --- a/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh +++ b/usr/lib/dracut/modules.d/20remount-secure/remount-secure.sh @@ -9,29 +9,15 @@ remount_hook() { local remountsecure_action ## getarg returns the last parameter only. - ## if /proc/cmdline contains 'remountsecure=0 remountsecure=1 remountsecure=noexec' the last one wins. + ## If /proc/cmdline contains 'remountsecure=0 remountsecure=1' the last one wins. remountsecure_action=$(getarg remountsecure) - if [ "$remountsecure_action" = "1" ]; then - if ! remount-secure; then - warn "$0: ERROR: 'remount-secure' failed." - return 1 - fi - info "$0: INFO: 'remount-secure' success." - return 0 + if ! remount-secure $remountsecure_action; then + warn "$0: ERROR: 'remount-secure $remountsecure_action' failed." + return 1 fi - - if [ "$remountsecure_action" = "noexec" ]; then - if ! remount-secure --remountnoexec; then - warn "$0: ERROR: 'remount-secure --remountnoexec' failed." - return 1 - fi - info "$0: INFO: 'remount-secure --remountnoexec' success." - return 0 - fi - - warn "$0: WARNING: Not using remount-secure." - return 1 + info "$0: INFO: 'remount-secure $remountsecure_action' success." + return 0 } remount_hook From 11382881b56556741fad5f0291ccb57a24e9c617 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 16:12:26 -0400 Subject: [PATCH 087/846] comments --- etc/default/grub.d/40_remmount-secure.cfg | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/etc/default/grub.d/40_remmount-secure.cfg b/etc/default/grub.d/40_remmount-secure.cfg index b012d6d..76e9f45 100644 
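Review bot: When `remountsecure` is absent from the kernel command line, `$remountsecure_action` is empty and the unquoted expansion calls `remount-secure` with no argument, which under the new parse_options is a syntax error with exit 1 rather than the explicit "Not using remount-secure" warning the old hook produced. Guard the empty case before the call: `[ -n "$remountsecure_action" ] || { warn "$0: WARNING: remountsecure= not set, not using remount-secure."; return 1; }`. Once that guard exists the expansion can be quoted, `remount-secure "$remountsecure_action"`, which keeps the value a single argument and silences SC2086.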
--- a/etc/default/grub.d/40_remmount-secure.cfg +++ b/etc/default/grub.d/40_remmount-secure.cfg @@ -3,8 +3,14 @@ ## https://www.kicksecure.com/wiki/Security-misc#Remount_Secure -## Re-mount with nodev, nosuid. -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=1" +## Disable Remount Secure. +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure="0" -## Re-mount with nodev, nosuid, noexec. -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=noexec" +## Re-mount with nodev, nosuid only. +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure="1" + +## Re-mount with nodev, nosuid and most with noexec except for /home. +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure="2" + +## Re-mount with nodev, nosuid and all with noexec including /home. +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure="3" From 9a649ddd091b116c9091f3fa582d411b5186375a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 16:16:40 -0400 Subject: [PATCH 088/846] bumped changelog version --- changelog.upstream | 18 ++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 24 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index baff0ea..cea6f6d 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,21 @@ +commit 11382881b56556741fad5f0291ccb57a24e9c617 +Author: Patrick Schleizer +Date: Sun Oct 22 16:12:26 2023 -0400 + + comments + +commit 5182d7502b34a95fd751c69c4bc3f01d5f5e02b9 +Author: Patrick Schleizer +Date: Sun Oct 22 16:08:21 2023 -0400 + + improve remount-secure + +commit 555d83792df9aa599ae9e0e7c41af49b0601c1c1 +Author: Patrick Schleizer +Date: Sun Oct 22 15:44:47 2023 -0400 + + bumped changelog version + commit a88c0a3ad2d83fe72612faf97866e255c5527384 Author: Patrick Schleizer Date: Sun Oct 22 15:44:30 2023 -0400 diff --git a/debian/changelog b/debian/changelog index 3dda809..566a64c 100644 --- a/debian/changelog +++ b/debian/changelog 
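Review bot: The example lines nest double quotes — `remountsecure="0"` inside an already double-quoted `GRUB_CMDLINE_LINUX="…"` — so the string ends at `remountsecure=` and an unterminated `0"` follows; uncommenting any of the four would break parsing of /etc/default/grub. Write them without the inner quotes, e.g. `#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=2"`, and likewise for 0, 1 and 3.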
@@ -1,3 +1,9 @@ +security-misc (3:31.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 20:16:40 +0000 + security-misc (3:31.4-1) unstable; urgency=medium * New upstream version (local package). From f6d1346e2bde51cd70bc60246c0bfba923c00c3d Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 16:22:08 -0400 Subject: [PATCH 089/846] fix --- etc/default/grub.d/40_remmount-secure.cfg | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/etc/default/grub.d/40_remmount-secure.cfg b/etc/default/grub.d/40_remmount-secure.cfg index 76e9f45..845ca46 100644 --- a/etc/default/grub.d/40_remmount-secure.cfg +++ b/etc/default/grub.d/40_remmount-secure.cfg @@ -4,13 +4,13 @@ ## https://www.kicksecure.com/wiki/Security-misc#Remount_Secure ## Disable Remount Secure. -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure="0" +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=0" ## Re-mount with nodev, nosuid only. -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure="1" +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=1" ## Re-mount with nodev, nosuid and most with noexec except for /home. -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure="2" +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=2" ## Re-mount with nodev, nosuid and all with noexec including /home. -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure="3" +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=3" From a1c3b87fcee07496af4b42e387b46488b58b73a0 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 16:29:08 -0400 Subject: [PATCH 090/846] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index cea6f6d..5c0eb8f 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,15 @@ +commit f6d1346e2bde51cd70bc60246c0bfba923c00c3d +Author: Patrick Schleizer +Date: Sun Oct 22 16:22:08 2023 -0400 + + fix + +commit 9a649ddd091b116c9091f3fa582d411b5186375a +Author: Patrick Schleizer +Date: Sun Oct 22 16:16:40 2023 -0400 + + bumped changelog version + commit 11382881b56556741fad5f0291ccb57a24e9c617 Author: Patrick Schleizer Date: Sun Oct 22 16:12:26 2023 -0400 diff --git a/debian/changelog b/debian/changelog index 566a64c..a555ebd 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:31.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 20:29:08 +0000 + security-misc (3:31.5-1) unstable; urgency=medium * New upstream version (local package). From 0e80acf38d430784fbb779f4f10c81bfe8a3813f Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 16:45:10 -0400 Subject: [PATCH 091/846] fix --- usr/bin/remount-secure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 412cebe..a998c36 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -233,7 +233,7 @@ _var() { } _var_tmp() { - mount_folder="/var/tmp" + mount_folder="$NEWROOT/var/tmp" intended_mount_options="nosuid,nodev${most_noexec_maybe}" remount_secure } From d521662d04892fb6d5477fa4450fb5488892a87a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 16:49:36 -0400 Subject: [PATCH 092/846] comment --- usr/bin/remount-secure | 3 +++ 1 file changed, 3 insertions(+) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index a998c36..152ed26 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure 
@@ -248,6 +248,9 @@ _lib() { mount_folder="$NEWROOT/lib" ## Cannot use noexec on /lib as per: ## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707/25 + ## There are many executables in /lib. To check: + ## sudo find /var/lib -type f -executable + ## sudo find /var/lib -type f -executable ! -type l intended_mount_options="nosuid,nodev" remount_secure } From ee15f749bb4e68350498e52e8505bed43c98cbaf Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 16:54:58 -0400 Subject: [PATCH 093/846] bumped changelog version --- changelog.upstream | 18 ++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 24 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 5c0eb8f..10fb2b9 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,21 @@ +commit d521662d04892fb6d5477fa4450fb5488892a87a +Author: Patrick Schleizer +Date: Sun Oct 22 16:49:36 2023 -0400 + + comment + +commit 0e80acf38d430784fbb779f4f10c81bfe8a3813f +Author: Patrick Schleizer +Date: Sun Oct 22 16:45:10 2023 -0400 + + fix + +commit a1c3b87fcee07496af4b42e387b46488b58b73a0 +Author: Patrick Schleizer +Date: Sun Oct 22 16:29:08 2023 -0400 + + bumped changelog version + commit f6d1346e2bde51cd70bc60246c0bfba923c00c3d Author: Patrick Schleizer Date: Sun Oct 22 16:22:08 2023 -0400 diff --git a/debian/changelog b/debian/changelog index a555ebd..8d23929 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:31.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 20:54:58 +0000 + security-misc (3:31.6-1) unstable; urgency=medium * New upstream version (local package). From e7aafd64d4418d43426b310653861f9024a54255 Mon Sep 17 00:00:00 2001 
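Review bot: The added comment says executables live in /lib but the two `find` commands search `/var/lib`, which is a different folder from the `$NEWROOT/lib` this function remounts; either the path in the commands or the sentence above them is wrong. The second command's `! -type l` is redundant after `-type f`, since a path cannot match both. A corrected comment would be `## There are many executables in /lib. To check:` followed by `## sudo find /lib -type f -executable` (or `/var/lib` if that is what was meant, with the sentence adjusted to match).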
From: Patrick Schleizer Date: Sun, 22 Oct 2023 19:16:12 -0400 Subject: [PATCH 094/846] refactoring --- usr/bin/remount-secure | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 152ed26..102af4f 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -134,6 +134,14 @@ $0 3" exit 1 } +preparation() { + ## Debugging. + $output_command "INFO: 'findmnt --list' output at the START." + $output_command "$(findmnt --list)" + $output_command "" + true +} + remount_secure() { $output_command "" @@ -273,11 +281,7 @@ end() { main() { init parse_options "$@" - - ## Debugging. - $output_command "INFO: 'findmnt --list' output at the START." - $output_command "$(findmnt --list)" - $output_command "" + preparation _boot _run From d2e8a6dad3b94d574cb9c043303160b06893ab97 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 22 Oct 2023 19:21:51 -0400 Subject: [PATCH 095/846] debugging --- usr/bin/remount-secure | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 102af4f..9c5bb55 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -136,9 +136,9 @@ $0 3" preparation() { ## Debugging. - $output_command "INFO: 'findmnt --list' output at the START." - $output_command "$(findmnt --list)" - $output_command "" + #$output_command "INFO: 'findmnt --list' output at the START." + #$output_command "$(findmnt --list)" + #$output_command "" true } @@ -271,8 +271,9 @@ _home() { end() { ## Debugging. - $output_command "INFO: 'findmnt --list' output at the END." - $output_command "$(findmnt --list)" + #$output_command "INFO: 'findmnt --list' output at the END." + #$output_command "$(findmnt --list)" + $output_command "INFO: exit_code: $exit_code" $output_command "$0: INFO: END" exit $exit_code From f3b40f12cb4bad0f2f00d4ba2dec59fb315c0798 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Sun, 22 Oct 2023 19:23:22 -0400 Subject: [PATCH 096/846] bumped changelog version --- changelog.upstream | 18 ++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 24 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 10fb2b9..287788a 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,21 @@ +commit d2e8a6dad3b94d574cb9c043303160b06893ab97 +Author: Patrick Schleizer +Date: Sun Oct 22 19:21:51 2023 -0400 + + debugging + +commit e7aafd64d4418d43426b310653861f9024a54255 +Author: Patrick Schleizer +Date: Sun Oct 22 19:16:12 2023 -0400 + + refactoring + +commit ee15f749bb4e68350498e52e8505bed43c98cbaf +Author: Patrick Schleizer +Date: Sun Oct 22 16:54:58 2023 -0400 + + bumped changelog version + commit d521662d04892fb6d5477fa4450fb5488892a87a Author: Patrick Schleizer Date: Sun Oct 22 16:49:36 2023 -0400 diff --git a/debian/changelog b/debian/changelog index 8d23929..c5fe8ac 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:31.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 22 Oct 2023 23:23:22 +0000 + security-misc (3:31.7-1) unstable; urgency=medium * New upstream version (local package). From f0857fd5608525115bd8a96c2f75368263f6f830 Mon Sep 17 00:00:00 2001 From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Mon, 23 Oct 2023 15:33:05 +0000 Subject: [PATCH 097/846] Fix double mount issue for /var/log and /var/tmp Mounting var with bind and mounting a subdirectory causes /var/tmp and /var/log bind mounted twice each. can be checked with lsblk. When we bind mount var only after having mounted the subdirectories, everything is mounted only one. --- usr/bin/remount-secure | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 9c5bb55..e38e837 100755 --- a/usr/bin/remount-secure 
+++ b/usr/bin/remount-secure @@ -232,14 +232,6 @@ _tmp() { remount_secure } -_var() { - mount_folder="$NEWROOT/var" - ## noexec: Not possible. Reason: - ## Debian stores executable maintainer scripts in /var/lib/dpkg/info folder. - intended_mount_options="nosuid,nodev" - remount_secure -} - _var_tmp() { mount_folder="$NEWROOT/var/tmp" intended_mount_options="nosuid,nodev${most_noexec_maybe}" @@ -252,6 +244,14 @@ _var_log() { remount_secure } +_var() { + mount_folder="$NEWROOT/var" + ## noexec: Not possible. Reason: + ## Debian stores executable maintainer scripts in /var/lib/dpkg/info folder. + intended_mount_options="nosuid,nodev" + remount_secure +} + _lib() { mount_folder="$NEWROOT/lib" ## Cannot use noexec on /lib as per: @@ -289,9 +289,9 @@ main() { _dev _dev_shm _tmp - _var _var_tmp _var_log + _var _home end From 89381fe7abcc2f4418b95c3eb290c975bf6d612c Mon Sep 17 00:00:00 2001 From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Mon, 23 Oct 2023 16:38:23 +0000 Subject: [PATCH 098/846] rename --- etc/sysctl.d/{30_security-misc.conf => security-misc.conf} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename etc/sysctl.d/{30_security-misc.conf => security-misc.conf} (100%) diff --git a/etc/sysctl.d/30_security-misc.conf b/etc/sysctl.d/security-misc.conf similarity index 100% rename from etc/sysctl.d/30_security-misc.conf rename to etc/sysctl.d/security-misc.conf From 9dda6f69a7df792966005f9c6feb057483cd9ea4 Mon Sep 17 00:00:00 2001 From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Mon, 23 Oct 2023 16:38:40 +0000 Subject: [PATCH 099/846] more rename --- .../{30_silent-kernel-printk.conf => silent-kernel-printk.conf} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename etc/sysctl.d/{30_silent-kernel-printk.conf => silent-kernel-printk.conf} (100%) 
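Review bot: The ordering constraint this patch introduces — `_var` must run after `_var_tmp` and `_var_log`, otherwise those subdirectories end up bind-mounted twice — is recorded only in the commit message, not next to the code that depends on it. A comment on the moved call in `main()`, `## _var must stay after _var_tmp and _var_log: bind-mounting /var first mounts those subdirectories twice.`, and the same line inside `_var()` would stop the next reordering from reintroducing the double mount. `main()`'s body starts and ends outside the hunk.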
diff --git a/etc/sysctl.d/30_silent-kernel-printk.conf b/etc/sysctl.d/silent-kernel-printk.conf similarity index 100% rename from etc/sysctl.d/30_silent-kernel-printk.conf rename to etc/sysctl.d/silent-kernel-printk.conf From 1f489719efb37492b9c040ba4e332e8dd70fde1f Mon Sep 17 00:00:00 2001 From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Mon, 23 Oct 2023 16:38:58 +0000 Subject: [PATCH 100/846] rename --- ...y-misc_kexec-disable.conf => security-misc_kexec-disable.conf} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename etc/sysctl.d/{30_security-misc_kexec-disable.conf => security-misc_kexec-disable.conf} (100%) diff --git a/etc/sysctl.d/30_security-misc_kexec-disable.conf b/etc/sysctl.d/security-misc_kexec-disable.conf similarity index 100% rename from etc/sysctl.d/30_security-misc_kexec-disable.conf rename to etc/sysctl.d/security-misc_kexec-disable.conf From 3317332cb431115f81d832ba974181c74427c884 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 24 Oct 2023 05:51:11 -0400 Subject: [PATCH 101/846] bumped changelog version --- changelog.upstream | 30 ++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 36 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 287788a..1da6ca6 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,33 @@ +commit 42c802cd1eca3d2586abde871e4842cdf83490c4 +Merge: f3b40f1 5320c11 +Author: Patrick Schleizer +Date: Tue Oct 24 05:30:15 2023 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 5320c11f3f92b66b7dcab7ca1f67fcba2de5deba +Merge: f3b40f1 f0857fd +Author: Patrick Schleizer +Date: Tue Oct 24 05:22:33 2023 -0400 + + Merge pull request #134 from monsieuremre/patch-1 + + Fix double mount issue for /var/log and /var/tmp + +commit f0857fd5608525115bd8a96c2f75368263f6f830 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Mon Oct 23 15:33:05 2023 +0000 + + Fix double mount issue for /var/log and /var/tmp + + Mounting var with bind and mounting a subdirectory causes /var/tmp and /var/log bind mounted twice each. can be checked with lsblk. When we bind mount var only after having mounted the subdirectories, everything is mounted only one. + +commit f3b40f12cb4bad0f2f00d4ba2dec59fb315c0798 +Author: Patrick Schleizer +Date: Sun Oct 22 19:23:22 2023 -0400 + + bumped changelog version + commit d2e8a6dad3b94d574cb9c043303160b06893ab97 Author: Patrick Schleizer Date: Sun Oct 22 19:21:51 2023 -0400 diff --git a/debian/changelog b/debian/changelog index c5fe8ac..2c14996 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:31.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 24 Oct 2023 09:51:11 +0000 + security-misc (3:31.8-1) unstable; urgency=medium * New upstream version (local package). From ee6716e178806912da08b671ae31504ed2f3ac56 Mon Sep 17 00:00:00 2001 From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Tue, 24 Oct 2023 20:43:10 +0000 Subject: [PATCH 102/846] security-misc.maintscript --- debian/security-misc.maintscript | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript index 177005f..2061445 100644 
--- a/debian/security-misc.maintscript +++ b/debian/security-misc.maintscript @@ -43,3 +43,9 @@ rm_conffile /etc/default/grub.d/40_cold_boot_attack_defense.cfg rm_conffile /etc/X11/Xsession.d/50panic_on_oops rm_conffile /etc/X11/Xsession.d/50security-misc + +## renamed to remove the trailing 30_ for bug fix +rm_conffile /etc/sysctl.d/30_security-misc.conf +rm_conffile /etc/sysctl.d/30_silent-kernel-printk.conf +rm_conffile /etc/sysctl.d/30_security-misc_kexec-disable.conf + From b7c52800f4c16b1573e372089704a68fd47c5906 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 25 Oct 2023 17:28:43 -0400 Subject: [PATCH 103/846] renamed: etc/sysctl.d/30_security-misc.conf -> usr/lib/sysctl.d/30_security-misc.conf renamed: etc/sysctl.d/30_security-misc_kexec-disable.conf -> usr/lib/sysctl.d/30_security-misc_kexec-disable.conf renamed: etc/sysctl.d/30_silent-kernel-printk.conf -> usr/lib/sysctl.d/30_silent-kernel-printk.conf --- {etc => usr/lib}/sysctl.d/30_security-misc.conf | 0 {etc => usr/lib}/sysctl.d/30_security-misc_kexec-disable.conf | 0 {etc => usr/lib}/sysctl.d/30_silent-kernel-printk.conf | 0 3 files changed, 0 insertions(+), 0 deletions(-) rename {etc => usr/lib}/sysctl.d/30_security-misc.conf (100%) rename {etc => usr/lib}/sysctl.d/30_security-misc_kexec-disable.conf (100%) rename {etc => usr/lib}/sysctl.d/30_silent-kernel-printk.conf (100%) diff --git a/etc/sysctl.d/30_security-misc.conf b/usr/lib/sysctl.d/30_security-misc.conf similarity index 100% rename from etc/sysctl.d/30_security-misc.conf rename to usr/lib/sysctl.d/30_security-misc.conf diff --git a/etc/sysctl.d/30_security-misc_kexec-disable.conf b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf similarity index 100% rename from etc/sysctl.d/30_security-misc_kexec-disable.conf rename to usr/lib/sysctl.d/30_security-misc_kexec-disable.conf 
diff --git a/etc/sysctl.d/30_silent-kernel-printk.conf b/usr/lib/sysctl.d/30_silent-kernel-printk.conf similarity index 100% rename from etc/sysctl.d/30_silent-kernel-printk.conf rename to usr/lib/sysctl.d/30_silent-kernel-printk.conf From 6a22351d298e475ecae22bb99249a308b294ff9a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 25 Oct 2023 17:30:07 -0400 Subject: [PATCH 104/846] renamed: usr/lib/sysctl.d/30_security-misc.conf -> usr/lib/sysctl.d/990-security-misc.conf --- .../sysctl.d/{30_security-misc.conf => 990-security-misc.conf} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename usr/lib/sysctl.d/{30_security-misc.conf => 990-security-misc.conf} (100%) diff --git a/usr/lib/sysctl.d/30_security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf similarity index 100% rename from usr/lib/sysctl.d/30_security-misc.conf rename to usr/lib/sysctl.d/990-security-misc.conf From b7e2d49f5f3f49fab2e1c0647f10bda1921e0a80 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 25 Oct 2023 17:41:05 -0400 Subject: [PATCH 105/846] comment --- debian/security-misc.maintscript | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript index 2061445..f1664ee 100644 --- a/debian/security-misc.maintscript +++ b/debian/security-misc.maintscript @@ -44,7 +44,7 @@ rm_conffile /etc/default/grub.d/40_cold_boot_attack_defense.cfg rm_conffile /etc/X11/Xsession.d/50panic_on_oops rm_conffile /etc/X11/Xsession.d/50security-misc -## renamed to remove the trailing 30_ for bug fix +## moved to /usr/lib/sysctl.d rm_conffile /etc/sysctl.d/30_security-misc.conf rm_conffile /etc/sysctl.d/30_silent-kernel-printk.conf rm_conffile /etc/sysctl.d/30_security-misc_kexec-disable.conf From 8557e0963ed6159f7f6c816ad4e009cc7323a760 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Wed, 25 Oct 2023 17:55:37 -0400 Subject: [PATCH 106/846] bumped changelog version --- changelog.upstream | 66 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 +++++ 2 files changed, 72 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 1da6ca6..9532789 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,51 @@ +commit b7e2d49f5f3f49fab2e1c0647f10bda1921e0a80 +Author: Patrick Schleizer +Date: Wed Oct 25 17:41:05 2023 -0400 + + comment + +commit 5d71217e597aa3366658524ec5395c9f76dd527b +Merge: 6a22351 a2f811a +Author: Patrick Schleizer +Date: Wed Oct 25 17:40:13 2023 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 6a22351d298e475ecae22bb99249a308b294ff9a +Author: Patrick Schleizer +Date: Wed Oct 25 17:30:07 2023 -0400 + + renamed: usr/lib/sysctl.d/30_security-misc.conf -> usr/lib/sysctl.d/990-security-misc.conf + +commit b7c52800f4c16b1573e372089704a68fd47c5906 +Author: Patrick Schleizer +Date: Wed Oct 25 17:28:43 2023 -0400 + + renamed: etc/sysctl.d/30_security-misc.conf -> usr/lib/sysctl.d/30_security-misc.conf + renamed: etc/sysctl.d/30_security-misc_kexec-disable.conf -> usr/lib/sysctl.d/30_security-misc_kexec-disable.conf + renamed: etc/sysctl.d/30_silent-kernel-printk.conf -> usr/lib/sysctl.d/30_silent-kernel-printk.conf + +commit a2f811aff0cb4e73c3975093012c223127495707 +Merge: 3317332 ee6716e +Author: Patrick Schleizer +Date: Wed Oct 25 17:26:46 2023 -0400 + + Merge pull request #135 from monsieuremre/kernel-fix + + Kernel hardening fix + +commit ee6716e178806912da08b671ae31504ed2f3ac56 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Tue Oct 24 20:43:10 2023 +0000 + + security-misc.maintscript + +commit 3317332cb431115f81d832ba974181c74427c884 +Author: Patrick Schleizer +Date: Tue Oct 24 05:51:11 2023 -0400 + + bumped changelog version + commit 42c802cd1eca3d2586abde871e4842cdf83490c4 Merge: f3b40f1 5320c11 Author: Patrick Schleizer 
@@ -14,6 +62,24 @@ Date: Tue Oct 24 05:22:33 2023 -0400 Fix double mount issue for /var/log and /var/tmp +commit 1f489719efb37492b9c040ba4e332e8dd70fde1f +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Mon Oct 23 16:38:58 2023 +0000 + + rename + +commit 9dda6f69a7df792966005f9c6feb057483cd9ea4 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Mon Oct 23 16:38:40 2023 +0000 + + more rename + +commit 89381fe7abcc2f4418b95c3eb290c975bf6d612c +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Mon Oct 23 16:38:23 2023 +0000 + + rename + commit f0857fd5608525115bd8a96c2f75368263f6f830 Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Mon Oct 23 15:33:05 2023 +0000 diff --git a/debian/changelog b/debian/changelog index 2c14996..8febf32 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:32.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 25 Oct 2023 21:55:37 +0000 + security-misc (3:31.9-1) unstable; urgency=medium * New upstream version (local package). From e5d989af5ac2899985c48d60311856fb86e0ddeb Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 26 Oct 2023 12:04:13 -0400 Subject: [PATCH 107/846] comment --- usr/lib/sysctl.d/990-security-misc.conf | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 1fcb0ea..718d64b 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf 
@@ -1,6 +1,12 @@ ## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. +## NOTE: +## This file has a weird file name so /usr/lib/sysctl.d/99-protect-links.conf +## is parsed first and /usr/lib/sysctl.d/990-security-misc.conf is parsed +## afterwards. See also: +## https://github.com/Kicksecure/security-misc/pull/135 + ## Disables coredumps. This setting may be overwritten by systemd so this may not be useful. ## security-misc also disables coredumps in other ways. kernel.core_pattern=|/bin/false From 5f4222c1c3d7fa057b31bba7b0b5c2e83c92a7be Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 26 Oct 2023 12:20:48 -0400 Subject: [PATCH 108/846] enable SUID Disabler and Permission Hardener by default https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener https://forums.whonix.org/t/suid-disabler-and-permission-hardener/7706 --- debian/security-misc.postinst | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst index d00d8cf..04410d9 100644 --- a/debian/security-misc.postinst +++ b/debian/security-misc.postinst @@ -15,6 +15,20 @@ true " ##################################################################### " +permission_hardening() { + echo "" + echo "Running SUID Disabler and Permission Hardener... See also:" + echo "https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener" + echo "" + echo "$0: INFO: run: /usr/libexec/security-misc/permission-hardening" + if ! /usr/libexec/security-misc/permission-hardening ; then + echo "$0: ERROR: Permission hardening failed." >&2 + return 0 + fi + echo "$0: INFO: Permission hardening success." + echo "" +} + case "$1" in configure) if [ -d /etc/skel/.gnupg ]; then @@ -45,6 +59,7 @@ esac pam-auth-update --package /usr/libexec/security-misc/permission-lockdown +permission_hardening ## https://phabricator.whonix.org/T377 ## Debian has no update-grub trigger yet: 
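Review bot: `permission_hardening()` converts a failure of `/usr/libexec/security-misc/permission-hardening` into `return 0`, so a system on which the SUID/permission hardening did not apply still finishes package configuration as a success with only a single stderr line to show for it. If continuing is deliberate (never leaving the package unconfigured because of a hardening problem), say so where the status is discarded, e.g. `## Intentionally not failing the maintainer script: a hardening failure must not leave the package unconfigured.`; otherwise `return 1` and let the caller decide. The call added after `/usr/libexec/security-misc/permission-lockdown` sits after `esac`, so it runs for every maintainer-script action and not only on `configure`; that matches the neighbouring `pam-auth-update` line, but a comment would make it clearly deliberate.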
From ca9603af1713ff37392662c9d1b4251052e7b983 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 26 Oct 2023 12:23:48 -0400 Subject: [PATCH 109/846] bumped changelog version --- changelog.upstream | 22 ++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 28 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 9532789..489df89 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,25 @@ +commit 5f4222c1c3d7fa057b31bba7b0b5c2e83c92a7be +Author: Patrick Schleizer +Date: Thu Oct 26 12:20:48 2023 -0400 + + enable SUID Disabler and Permission Hardener by default + + https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener + + https://forums.whonix.org/t/suid-disabler-and-permission-hardener/7706 + +commit e5d989af5ac2899985c48d60311856fb86e0ddeb +Author: Patrick Schleizer +Date: Thu Oct 26 12:04:13 2023 -0400 + + comment + +commit 8557e0963ed6159f7f6c816ad4e009cc7323a760 +Author: Patrick Schleizer +Date: Wed Oct 25 17:55:37 2023 -0400 + + bumped changelog version + commit b7e2d49f5f3f49fab2e1c0647f10bda1921e0a80 Author: Patrick Schleizer Date: Wed Oct 25 17:41:05 2023 -0400 diff --git a/debian/changelog b/debian/changelog index 8febf32..0039b1d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:32.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 26 Oct 2023 16:23:48 +0000 + security-misc (3:32.0-1) unstable; urgency=medium * New upstream version (local package). From 99355c616974d167e3a5424d63cd56b1f64f0eaf Mon Sep 17 00:00:00 2001 From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Thu, 26 Oct 2023 17:45:28 +0000 Subject: [PATCH 110/846] new lines 30_default.conf --- etc/permission-hardening.d/30_default.conf | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) 
diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf index e0d310d..f4cb332 100644 --- a/etc/permission-hardening.d/30_default.conf +++ b/etc/permission-hardening.d/30_default.conf @@ -67,12 +67,32 @@ ###################################################################### /home/ 0755 root root -/home/user/ 0700 user user /root/ 0700 root root /boot/ 0700 root root /etc/permission-hardening.d 0600 root root /usr/local/etc/permission-hardening.d 0600 root root /lib/modules/ 0700 root root +/usr/src 0700 root root +/etc/cups/cupsd.conf 0400 root root +/boot/grub/grub.cfg 0600 root root +/etc/syslog.conf 0600 root root +/etc/crontab 0600 root root +/root/.ssh 0700 root root +/etc/cron.d 0700 root root +/etc/cron.daily 0700 root root +/etc/sudoers.d 0700 root root +/etc/cron.hourly 0700 root root +/etc/cron.weekly 0700 root root +/etc/cron.monthly 0700 root root +/etc/group 0644 root root +/etc/group- 0644 root root +/etc/hosts.allow 0644 root root +/etc/hosts.deny 0644 root root +/etc/issue 0644 root root +/etc/issue.net 0644 root root +/etc/motd 0644 root root +/etc/passwd 0644 root root +/etc/passwd- 0644 root root ###################################################################### # SUID/SGID Removal From d9f10c221a2b6794f0a3c5bcd1c15e2a4f352751 Mon Sep 17 00:00:00 2001 From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Thu, 26 Oct 2023 18:17:50 +0000 Subject: [PATCH 111/846] new permission-lockdown --- usr/libexec/security-misc/permission-lockdown | 45 ++++++++----------- 1 file changed, 19 insertions(+), 26 deletions(-) diff --git a/usr/libexec/security-misc/permission-lockdown b/usr/libexec/security-misc/permission-lockdown index 615bf6c..eab53b0 100755 --- a/usr/libexec/security-misc/permission-lockdown +++ b/usr/libexec/security-misc/permission-lockdown 
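Review bot: Several of the new entries tighten permissions on files that other software reads as a non-root user, without a comment justifying the deviation — `/etc/cups/cupsd.conf 0400 root root` drops the group read that the Debian cups package ships (root:lp 0640, to be confirmed against the package), and `/etc/sudoers.d 0700 root root` changes a directory whose packaged default is, as far as I recall, world-readable. A one-line `## why` above each such entry would let the next reviewer distinguish policy from accident. The list also mixes the trailing-slash directory form used earlier in this file (`/lib/modules/`) with bare paths (`/etc/cron.d`); whether permission-hardening treats the two alike is not visible here, so one form should be used. Dropping `/home/user/ 0700 user user` is only safe if permission-lockdown now covers every home directory, and that script's state at this point of the series is not in this hunk.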
@@ -32,35 +32,28 @@ # /usr/libexec/security-misc/permission-lockdown: user: geoclue | chmod o-rwx "/var/lib/geoclue" home_folder_access_rights_lockdown() { - shopt -s nullglob + # Each users home directory to himself + for user in $(dir /home); do # lists directories only + if [ grep -q "$user" /etc/passwd ]; then # check if user actually exists, and this is not some random directory + if [ -f /var/cache/security-misc/state-files/$user ] + continue # only doing once + fi + touch "/var/cache/security-misc/state-files/$user # so that we know we did this one + dpkg-statoverride --add --update $user $user 0700 /home/$user # home directory of the user itself + find /home/$user -type d | while read directory; # doing this to all directories in the users home + do + chown $user $directory + chmod 700 $directory + done - ## Not using dotglob. - ## touch /var/cache/security-misc/state-files//home/.Trash - ## touch: cannot touch '/var/cache/security-misc/state-files//home/.Trash': No such file or directory - - local folder_name base_name - - for folder_name in /home/* ; do - base_name="$(basename "$folder_name")" - if [ -f "/var/cache/security-misc/state-files/$base_name" ]; then - continue +# not doing it because this sets all files to non executable +# find /home/$user -type f | while read file; # doing this to all files in the users home +# do +# chown $user $file +# chmod 600 $file +# done fi - if [ ! -d "$folder_name" ]; then - continue - fi - if [ "$folder_name" = "/home/" ]; then - continue - fi - mkdir -p /var/cache/security-misc/state-files - echo "$0: chmod o-rwx \"$folder_name\"" - chmod o-rwx "$folder_name" - ## Create a state-file so we do this only once. - ## Therefore a user who will manually undo this, will not get - ## annoyed by this being done over and over again. - touch "/var/cache/security-misc/state-files/$base_name" done - - shopt -u nullglob } home_folder_access_rights_lockdown From 88cd5a905d8aa0f6033ac4ba72903fbad4a90b4b Mon Sep 17 00:00:00 2001 
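Review bot: The rewritten `home_folder_access_rights_lockdown()` does not parse: `if [ grep -q "$user" /etc/passwd ]; then` hands `grep` and its arguments to the `[` builtin instead of running it, `if [ -f /var/cache/security-misc/state-files/$user ]` has no `; then`, and the double quote opened in `touch "/var/cache/security-misc/state-files/$user # so that ...` is never closed. Beyond syntax, a substring match against /etc/passwd is not an existence check (a directory named `ro` matches `root`), and the `find /home/$user -type d | while read directory` loop re-owns every directory below the home to that user and applies `chmod 700` to all of them, which is far broader than the previous `chmod o-rwx` on the top-level directory and will alter directories deliberately owned by someone else. `for user in $(dir /home)` also word-splits on whitespace in names, which the previous `for folder_name in /home/*` under `nullglob` handled. Patches 112–116 in this series repair some of these points; the substring check and the unquoted expansions persist until patch 118.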
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Thu, 26 Oct 2023 19:25:24 +0000 Subject: [PATCH 112/846] strip unnecessary --- usr/libexec/security-misc/permission-lockdown | 15 +-------------- 1 file changed, 1 insertion(+), 14 deletions(-) diff --git a/usr/libexec/security-misc/permission-lockdown b/usr/libexec/security-misc/permission-lockdown index eab53b0..8e807ff 100755 --- a/usr/libexec/security-misc/permission-lockdown +++ b/usr/libexec/security-misc/permission-lockdown @@ -38,21 +38,8 @@ home_folder_access_rights_lockdown() { if [ -f /var/cache/security-misc/state-files/$user ] continue # only doing once fi - touch "/var/cache/security-misc/state-files/$user # so that we know we did this one dpkg-statoverride --add --update $user $user 0700 /home/$user # home directory of the user itself - find /home/$user -type d | while read directory; # doing this to all directories in the users home - do - chown $user $directory - chmod 700 $directory - done - -# not doing it because this sets all files to non executable -# find /home/$user -type f | while read file; # doing this to all files in the users home -# do -# chown $user $file -# chmod 600 $file -# done - fi + touch /var/cache/security-misc/state-files/$user # so that we know we did this one done } From f487752ba1b469eb0b2f85657e2ee0860f58496b Mon Sep 17 00:00:00 2001 From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Thu, 26 Oct 2023 19:30:58 +0000 Subject: [PATCH 113/846] not limiting ourselves. we do not do this not just once. --- usr/libexec/security-misc/permission-lockdown | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/usr/libexec/security-misc/permission-lockdown b/usr/libexec/security-misc/permission-lockdown index 8e807ff..372fc2f 100755 --- a/usr/libexec/security-misc/permission-lockdown +++ b/usr/libexec/security-misc/permission-lockdown 
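Review bot: This hunk removes the `fi` that closed `if [ grep -q "$user" /etc/passwd ]; then` without adding one back, so the function body now reaches `done` with an unclosed `if` and the script fails to parse; `; then` is also still missing after `if [ -f /var/cache/security-misc/state-files/$user ]`. The new `touch /var/cache/security-misc/state-files/$user` has no `mkdir --parents` for the state directory, which the code this rewrite replaced created before touching. Patch 113 restores the `fi`.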
@@ -35,11 +35,9 @@ home_folder_access_rights_lockdown() { # Each users home directory to himself for user in $(dir /home); do # lists directories only if [ grep -q "$user" /etc/passwd ]; then # check if user actually exists, and this is not some random directory - if [ -f /var/cache/security-misc/state-files/$user ] - continue # only doing once - fi dpkg-statoverride --add --update $user $user 0700 /home/$user # home directory of the user itself - touch /var/cache/security-misc/state-files/$user # so that we know we did this one + echo "Permission updated: chmod go-rwx /home/$user" + fi done } From b5ba03247a5b5bb1f4e010130e4a575ad1397117 Mon Sep 17 00:00:00 2001 From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Thu, 26 Oct 2023 19:31:25 +0000 Subject: [PATCH 114/846] readability --- usr/libexec/security-misc/permission-lockdown | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/permission-lockdown b/usr/libexec/security-misc/permission-lockdown index 372fc2f..4449608 100755 --- a/usr/libexec/security-misc/permission-lockdown +++ b/usr/libexec/security-misc/permission-lockdown @@ -34,7 +34,7 @@ home_folder_access_rights_lockdown() { # Each users home directory to himself for user in $(dir /home); do # lists directories only - if [ grep -q "$user" /etc/passwd ]; then # check if user actually exists, and this is not some random directory + if [ grep --quiet "$user" /etc/passwd ]; then # check if user actually exists, and this is not some random directory dpkg-statoverride --add --update $user $user 0700 /home/$user # home directory of the user itself echo "Permission updated: chmod go-rwx /home/$user" fi From 88f396264ca9d072e4e5de4e1acaee54f3b39749 Mon Sep 17 00:00:00 2001 
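Review bot: After these two hunks `if [ grep -q "$user" /etc/passwd ]; then` (then `--quiet`) is still passed to the `[` builtin, which reports too many arguments rather than running grep, so the existence check never executes as intended. The new message `echo "Permission updated: chmod go-rwx /home/$user"` describes a chmod, while the line above runs `dpkg-statoverride --add --update $user $user 0700 /home/$user`, which also sets ownership and registers a persistent override; the message should name what was actually done. As far as I recall `dpkg-statoverride --add` errors out when an override for that path already exists, so a second run on the same host fails unless a state file or `--force` guards it.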
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Thu, 26 Oct 2023 19:35:59 +0000 Subject: [PATCH 115/846] avoiding /etc/passwd --- usr/libexec/security-misc/permission-lockdown | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/permission-lockdown b/usr/libexec/security-misc/permission-lockdown index 4449608..dfe0176 100755 --- a/usr/libexec/security-misc/permission-lockdown +++ b/usr/libexec/security-misc/permission-lockdown @@ -34,7 +34,7 @@ home_folder_access_rights_lockdown() { # Each users home directory to himself for user in $(dir /home); do # lists directories only - if [ grep --quiet "$user" /etc/passwd ]; then # check if user actually exists, and this is not some random directory + if [ $(id --user $user) ]; then # check if user actually exists, and this is not some random directory dpkg-statoverride --add --update $user $user 0700 /home/$user # home directory of the user itself echo "Permission updated: chmod go-rwx /home/$user" fi From 91c445244c47c163e2466f8c4dff710eda20c337 Mon Sep 17 00:00:00 2001 From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Thu, 26 Oct 2023 19:41:07 +0000 Subject: [PATCH 116/846] actually we do it once indeed --- usr/libexec/security-misc/permission-lockdown | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/permission-lockdown b/usr/libexec/security-misc/permission-lockdown index dfe0176..a89e1ec 100755 --- a/usr/libexec/security-misc/permission-lockdown +++ b/usr/libexec/security-misc/permission-lockdown 
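Review bot: `if [ $(id --user $user) ]; then` is now valid shell, but it is unquoted and a failing `id` prints its "no such user" diagnostic to stderr for every stray entry in /home; `if id --user "$user" >/dev/null 2>&1; then` tests the same condition cleanly. The mismatch between `echo "Permission updated: chmod go-rwx /home/$user"` and the `dpkg-statoverride ... 0700` line above it is unchanged.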
@@ -34,9 +34,13 @@ home_folder_access_rights_lockdown() { # Each users home directory to himself for user in $(dir /home); do # lists directories only + if [ -f /var/cache/security-misc/state-files/$user ]; then + continue + fi if [ $(id --user $user) ]; then # check if user actually exists, and this is not some random directory - dpkg-statoverride --add --update $user $user 0700 /home/$user # home directory of the user itself + dpkg-statoverride --add --update $user $user 0700 /home/$user # home directory of the user echo "Permission updated: chmod go-rwx /home/$user" + touch /var/cache/security-misc/state-files/$user # so that we know we did this one fi done } From 1123d23114201988ac3f5f50ab6e74a5307d3d52 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 26 Oct 2023 18:45:07 -0400 Subject: [PATCH 117/846] remount-secure: disable debugging to save space in initrd --- usr/bin/remount-secure | 9 ++++++--- .../modules.d/20remount-secure/module-setup.sh | 14 ++++++++++---- 2 files changed, 16 insertions(+), 7 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index e38e837..a81f43f 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -23,9 +23,12 @@ init() { $output_command "$0: INFO: START" - if [ "$(id -u)" != "0" ]; then - $output_command "ERROR: must be run as root! sudo $0" - exit 1 + ## dracut does not have id. Saving space in initial ramdisk. + if command -v id &>/dev/null ; then + if [ "$(id -u)" != "0" ]; then + $output_command "ERROR: must be run as root! sudo $0" + exit 1 + fi fi mkdir --parents "/run/remount-secure" diff --git a/usr/lib/dracut/modules.d/20remount-secure/module-setup.sh b/usr/lib/dracut/modules.d/20remount-secure/module-setup.sh index c48d08c..ce0a67b 100755 --- a/usr/lib/dracut/modules.d/20remount-secure/module-setup.sh +++ b/usr/lib/dracut/modules.d/20remount-secure/module-setup.sh 
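Review bot: `touch /var/cache/security-misc/state-files/$user` fails when the state directory does not exist, and nothing in the rewritten function creates it — the code this series replaced ran `mkdir -p /var/cache/security-misc/state-files` before the touch. Add `mkdir --parents /var/cache/security-misc/state-files` ahead of the loop (patch 118 later in this series does so). The re-added check should also quote its argument: `if [ -f "/var/cache/security-misc/state-files/$user" ]; then`.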
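Review bot: With the new `if command -v id &>/dev/null` wrapper, a missing `id` silently skips the only privilege check in `init()`, so outside the initramfs a non-root invocation of remount-secure proceeds into the remount sequence and fails later with less clear errors. If the skip is meant only for dracut, say so in the comment, e.g. `## Without id (initramfs) we assume root; the only supported caller there is the dracut hook.`, and consider a fallback on `$EUID` when the script runs under bash. Note `&>/dev/null` is bash syntax; under a POSIX `/bin/sh` it would parse as a background job plus a redirection, so confirm the shebang matches. `init()`'s body continues outside the hunk.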
@@ -5,11 +5,14 @@ # called by dracut check() { + ## For debugging only. + ## Saving space in initial ramdisk. + #require_binaries id || return 1 + #require_binaries env || return 1 + require_binaries findmnt || return 1 require_binaries touch || return 1 require_binaries grep || return 1 - require_binaries id || return 1 - require_binaries env || return 1 require_binaries mount || return 1 require_binaries remount-secure || return 1 return 0 @@ -22,11 +25,14 @@ depends() { # called by dracut install() { + ## For debugging only. + ## Saving space in initial ramdisk. + #inst_multiple id + #inst_multiple env + inst_multiple findmnt inst_multiple touch inst_multiple grep - inst_multiple id - inst_multiple env inst_multiple mount inst_multiple remount-secure inst_hook cleanup 90 "$moddir/remount-secure.sh" From a330a9fd75314931639e7e873adc31c5cc65d555 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 26 Oct 2023 19:20:21 -0400 Subject: [PATCH 118/846] refactor permission-lockdown --- usr/libexec/security-misc/permission-lockdown | 25 +++++++++++++------ 1 file changed, 17 insertions(+), 8 deletions(-) diff --git a/usr/libexec/security-misc/permission-lockdown b/usr/libexec/security-misc/permission-lockdown index a89e1ec..1035450 100755 --- a/usr/libexec/security-misc/permission-lockdown +++ b/usr/libexec/security-misc/permission-lockdown 
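Review bot: `check()` still requires `findmnt` and `install()` still copies it into the initramfs, yet patch 095 earlier in this series commented out every `findmnt --list` call in remount-secure; unless something else in the image uses it, `findmnt` belongs in the same "for debugging only" group as `id` and `env` and would save further space. Keeping parallel commented-out `require_binaries`/`inst_multiple` lines in both functions also duplicates the list; a single shared variable such as `debug_binaries="id env"` (name constructed) consulted by both would keep them in sync.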
@@ -32,16 +32,25 @@ # /usr/libexec/security-misc/permission-lockdown: user: geoclue | chmod o-rwx "/var/lib/geoclue" home_folder_access_rights_lockdown() { - # Each users home directory to himself - for user in $(dir /home); do # lists directories only - if [ -f /var/cache/security-misc/state-files/$user ]; then + mkdir --parents /var/cache/security-misc/state-files + local user + for user in $(dir /home); do ## lists directories only + if [ -f "/var/cache/security-misc/state-files/$user" ]; then continue fi - if [ $(id --user $user) ]; then # check if user actually exists, and this is not some random directory - dpkg-statoverride --add --update $user $user 0700 /home/$user # home directory of the user - echo "Permission updated: chmod go-rwx /home/$user" - touch /var/cache/security-misc/state-files/$user # so that we know we did this one - fi + folder_name="/home/$user" + ## chmod: + ## The 'g' for 'group' is not needed. + ## Debian by default uses USERGROUPS=yes in /etc/adduser.conf. + ## The group which the user is being added to has the same name as the user. + ## If the username is user then the name of the group is also user. + ## Some background information here: + ## https://unix.stackexchange.com/questions/156473/reasons-behind-the-default-groups-and-users-on-linux + ## In short, this is useful for "file sharing". A if user1 wants to share data with user2 the command + ## required to run is sudo addgroup user1 user2. + echo "$0: chmod o-rwx \"$folder_name\"" + chmod o-rwx "$folder_name" + touch "/var/cache/security-misc/state-files/$user" done } From 7cff267002485fd0abca98d12b0024e061f4ba51 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 26 Oct 2023 19:31:14 -0400 Subject: [PATCH 119/846] remove duplicates --- etc/permission-hardening.d/30_default.conf | 2 -- 1 file changed, 2 deletions(-) diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf index f4cb332..bbb08ae 100644 
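Review bot: `folder_name="/home/$user"` is assigned without `local`, so the function now leaks `folder_name` into the caller's scope while `user` is correctly declared local; `local user folder_name` fixes it. `for user in $(dir /home)` still word-splits on whitespace and globs on metacharacters in directory names; iterating `for folder_name in /home/*` under `nullglob`, the form this function had before patch 111, avoids both, and `user="${folder_name##*/}"` recovers the name for the state file. The `id`-based existence check is dropped here, so every entry in /home, including a regular file, gets `chmod o-rwx`; that matches the pre-111 behaviour but deserves a one-line comment, since the intermediate versions tried to restrict it to real users.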
--- a/etc/permission-hardening.d/30_default.conf +++ b/etc/permission-hardening.d/30_default.conf @@ -74,10 +74,8 @@ /lib/modules/ 0700 root root /usr/src 0700 root root /etc/cups/cupsd.conf 0400 root root -/boot/grub/grub.cfg 0600 root root /etc/syslog.conf 0600 root root /etc/crontab 0600 root root -/root/.ssh 0700 root root /etc/cron.d 0700 root root /etc/cron.daily 0700 root root /etc/sudoers.d 0700 root root From 7d576842fb6f3c124db2b6deb5abfc095974a67f Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 26 Oct 2023 20:08:41 -0400 Subject: [PATCH 120/846] bumped changelog version --- changelog.upstream | 98 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 +++ 2 files changed, 104 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 489df89..db21f0d 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,101 @@ +commit 7cff267002485fd0abca98d12b0024e061f4ba51 +Author: Patrick Schleizer +Date: Thu Oct 26 19:31:14 2023 -0400 + + remove duplicates + +commit 928cdb81d43dfd337c82917182d2914d9c9d0915 +Merge: a330a9f 39fed05 +Author: Patrick Schleizer +Date: Thu Oct 26 19:29:55 2023 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 39fed058f4734029b303fac4ea9a1b11f652fab4 +Merge: 92a6ecc 99355c6 +Author: Patrick Schleizer +Date: Thu Oct 26 19:27:41 2023 -0400 + + Merge pull request #140 from monsieuremre/patch-3 + + New lines in default permission config + +commit a330a9fd75314931639e7e873adc31c5cc65d555 +Author: Patrick Schleizer +Date: Thu Oct 26 19:20:21 2023 -0400 + + refactor permission-lockdown + +commit 8bf5ff82be706599f33228ecd6df42be0dc29f39 +Merge: 1123d23 92a6ecc +Author: Patrick Schleizer +Date: Thu Oct 26 19:15:04 2023 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 92a6ecc40a4d3bd4d8f3cec7dd9b1334c72399dc +Merge: ca9603a 91c4452 +Author: Patrick Schleizer +Date: Thu Oct 26 19:13:34 2023 -0400 + + Merge pull request #141 from monsieuremre/patch-4 + + New permission-lockdown + +commit 1123d23114201988ac3f5f50ab6e74a5307d3d52 +Author: Patrick Schleizer +Date: Thu Oct 26 18:45:07 2023 -0400 + + remount-secure: disable debugging to save space in initrd + +commit 91c445244c47c163e2466f8c4dff710eda20c337 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Thu Oct 26 19:41:07 2023 +0000 + + actually we do it once indeed + +commit 88f396264ca9d072e4e5de4e1acaee54f3b39749 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Thu Oct 26 19:35:59 2023 +0000 + + avoiding /etc/passwd + +commit b5ba03247a5b5bb1f4e010130e4a575ad1397117 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Thu Oct 26 19:31:25 2023 +0000 + + readability + +commit f487752ba1b469eb0b2f85657e2ee0860f58496b +Author: monsieuremre 
<130907164+monsieuremre@users.noreply.github.com> +Date: Thu Oct 26 19:30:58 2023 +0000 + + not limiting ourselves. we do not do this not just once. + +commit 88cd5a905d8aa0f6033ac4ba72903fbad4a90b4b +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Thu Oct 26 19:25:24 2023 +0000 + + strip unnecessary + +commit d9f10c221a2b6794f0a3c5bcd1c15e2a4f352751 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Thu Oct 26 18:17:50 2023 +0000 + + new permission-lockdown + +commit 99355c616974d167e3a5424d63cd56b1f64f0eaf +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Thu Oct 26 17:45:28 2023 +0000 + + new lines 30_default.conf + +commit ca9603af1713ff37392662c9d1b4251052e7b983 +Author: Patrick Schleizer +Date: Thu Oct 26 12:23:48 2023 -0400 + + bumped changelog version + commit 5f4222c1c3d7fa057b31bba7b0b5c2e83c92a7be Author: Patrick Schleizer Date: Thu Oct 26 12:20:48 2023 -0400 diff --git a/debian/changelog b/debian/changelog index 0039b1d..11027e3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:32.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 27 Oct 2023 00:08:41 +0000 + security-misc (3:32.1-1) unstable; urgency=medium * New upstream version (local package). From f2c23a28319e359c642da2dde424456a1064763f Mon Sep 17 00:00:00 2001 From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Fri, 27 Oct 2023 10:53:45 +0000 Subject: [PATCH 121/846] ssh config --- etc/permission-hardening.d/30_default.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf index bbb08ae..0396c4b 100644 --- a/etc/permission-hardening.d/30_default.conf +++ b/etc/permission-hardening.d/30_default.conf 
@@ -75,6 +75,7 @@ /usr/src 0700 root root /etc/cups/cupsd.conf 0400 root root /etc/syslog.conf 0600 root root +/etc/ssh/sshd_config 0600 root root /etc/crontab 0600 root root /etc/cron.d 0700 root root /etc/cron.daily 0700 root root From c975c3c0ff7cc5a1e29b651c2db6c27e3f952870 Mon Sep 17 00:00:00 2001 From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Fri, 27 Oct 2023 11:07:53 +0000 Subject: [PATCH 122/846] new lines 990-security-misc.conf added new recommended hardening settings with comments --- usr/lib/sysctl.d/990-security-misc.conf | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 718d64b..547dbeb 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -14,6 +14,14 @@ kernel.core_pattern=|/bin/false ## Restricts the kernel log to root only. kernel.dmesg_restrict=1 +## Does not set coredump name to 'core' which is default. Defense in depth. +kernel.core_uses_pid=1 + +## A martian packet is a one with a source address which is blatantly wrong +## Recommended to keep a log of these to identify these suspicious packets +net.ipv4.conf.all.log_martians=1 +net.ipv4.conf.default.log_martians=1 + ## Don't allow writes to files that we don't own ## in world writable sticky directories, unless ## they are owned by the owner of the directory. From 604d839537c409604ed2c4c88992ea1a31368f6f Mon Sep 17 00:00:00 2001 From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Fri, 27 Oct 2023 12:30:26 +0000 Subject: [PATCH 123/846] 99_ipv6-privacy-extensions.conf --- etc/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 etc/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf 
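Review bot: `/etc/ssh/sshd_config 0600 root root` covers only the main file; current Debian releases ship an `Include /etc/ssh/sshd_config.d/*.conf` directive (OpenSSH 8.2+), so any sshd settings placed in that directory stay world-readable. If the intent is to keep sshd configuration private from unprivileged users, add a matching `/etc/ssh/sshd_config.d 0700 root root` entry (confirm the directory exists on the target release before adding it).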
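Review bot: `kernel.core_uses_pid=1` is a no-op here because the same file already sets `kernel.core_pattern=|/bin/false` a few lines above: `core_uses_pid` only appends `.PID` to a core *file* name and is not consulted when the pattern is a pipe, and the comment `Does not set coredump name to 'core' which is default` describes the opposite of what the knob does. Either drop the line or reword the comment, e.g. `## Only relevant if kernel.core_pattern is ever reset to a file name; appends the PID so cores are not overwritten.`. For the `log_martians` lines, the comment would be more useful noting that the kernel rate-limits these log messages and that both `conf.all` and `conf.default` are needed to cover existing and future interfaces.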
diff --git a/etc/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf b/etc/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf new file mode 100644 index 0000000..b44948d --- /dev/null +++ b/etc/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf @@ -0,0 +1,2 @@ +[Network] +IPv6PrivacyExtensions=kernel From e90f62eaabfeee7483af573ef8e9d015ba1977dc Mon Sep 17 00:00:00 2001 From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Fri, 27 Oct 2023 12:34:15 +0000 Subject: [PATCH 124/846] 99_randomize_mac.conf --- etc/NetworkManager/conf.d/99_randomize_mac.conf | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 etc/NetworkManager/conf.d/99_randomize_mac.conf diff --git a/etc/NetworkManager/conf.d/99_randomize_mac.conf b/etc/NetworkManager/conf.d/99_randomize_mac.conf new file mode 100644 index 0000000..1601800 --- /dev/null +++ b/etc/NetworkManager/conf.d/99_randomize_mac.conf @@ -0,0 +1,6 @@ +[device-mac-randomization] +wifi.scan-rand-mac-address=yes + +[connection-mac-randomization] +ethernet.cloned-mac-address=random +wifi.cloned-mac-address=random From 3d4b04fddc16067ed345074683281e74f41eeadf Mon Sep 17 00:00:00 2001 From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Fri, 27 Oct 2023 12:35:39 +0000 Subject: [PATCH 125/846] 99_ipv6-privacy.conf --- etc/NetworkManager/conf.d/99_ipv6-privacy.conf | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 etc/NetworkManager/conf.d/99_ipv6-privacy.conf diff --git a/etc/NetworkManager/conf.d/99_ipv6-privacy.conf b/etc/NetworkManager/conf.d/99_ipv6-privacy.conf new file mode 100644 index 0000000..a70549a --- /dev/null +++ b/etc/NetworkManager/conf.d/99_ipv6-privacy.conf @@ -0,0 +1,2 @@ +[connection] +ipv6.ip6-privacy=2 From b298d152fc10c66892698d9dcae769a44a32037b Mon Sep 17 00:00:00 2001 
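Review bot: `IPv6PrivacyExtensions=kernel` does not by itself enable temporary addresses: per systemd.network(5), `kernel` leaves the decision to the kernel's `use_tempaddr` sysctl, which is off by default, so unless that sysctl is set elsewhere in this package the drop-in changes nothing. If the file name reflects the intent, use `IPv6PrivacyExtensions=yes` (or `prefer-public`), and add a one-line comment saying which mechanism is meant to be authoritative.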
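Review bot: `ethernet.cloned-mac-address=random` and `wifi.cloned-mac-address=random` assign a new MAC on every activation, which breaks DHCP reservations, captive-portal sessions and MAC-based access lists; NetworkManager's `stable` value gives a per-connection randomized address that persists across reconnects and is the usual privacy/usability middle ground. `wifi.scan-rand-mac-address=yes` is already NetworkManager's default, so a comment stating it is set explicitly for clarity would avoid readers assuming it changes behaviour. A header comment naming the trade-off would help whoever next tunes this file.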
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Fri, 27 Oct 2023 14:32:08 +0000 Subject: [PATCH 126/846] 30_security-misc.conf --- etc/bluetooth/30_security-misc.conf | 30 +++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 etc/bluetooth/30_security-misc.conf diff --git a/etc/bluetooth/30_security-misc.conf b/etc/bluetooth/30_security-misc.conf new file mode 100644 index 0000000..d3410f2 --- /dev/null +++ b/etc/bluetooth/30_security-misc.conf @@ -0,0 +1,30 @@ +[General] +# How long to stay in pairable mode before going back to non-discoverable +# The value is in seconds. Default is 0. +# 0 = disable timer, i.e. stay pairable forever +PairableTimeout = 30 + +# How long to stay in discoverable mode before going back to non-discoverable +# The value is in seconds. Default is 180, i.e. 3 minutes. +# 0 = disable timer, i.e. stay discoverable forever +DiscoverableTimeout = 30 + +# Maximum number of controllers allowed to be exposed to the system. +# Default=0 (unlimited) +MaxControllers=1 + +# How long to keep temporary devices around +# The value is in seconds. Default is 30. +# 0 = disable timer, i.e. never keep temporary devices +TemporaryTimeout = 0 + +[Policy] +# AutoEnable defines option to enable all controllers when they are found. +# This includes adapters present on start as well as adapters that are plugged +# in later on. Defaults to 'true'. +AutoEnable=false + +# network/on: A device will only accept advertising packets from peer +# devices that contain private addresses. It may not be compatible with some +# legacy devices since it requires the use of RPA(s) all the time. +Privacy=network/on From 13b4ddbb627d2279b41d1dcbe5c8ce1ac384b088 Mon Sep 17 00:00:00 2001 
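Review bot: bluetoothd reads its configuration from /etc/bluetooth/main.conf (or the file passed with `-f`); I am not aware of a drop-in directory, so a file named `/etc/bluetooth/30_security-misc.conf` is likely never parsed — verify against the bluez version on the target, because the following commit removes the module blocklist on the assumption that this configuration is in effect. If these settings are meant to apply, they belong in `main.conf`. Key formatting is also mixed (`PairableTimeout = 30` versus `MaxControllers=1`); use one form throughout.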
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Fri, 27 Oct 2023 14:34:21 +0000 Subject: [PATCH 127/846] 30_security-misc.conf --- etc/modprobe.d/30_security-misc.conf | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf index 128ab9c..a01ed81 100644 --- a/etc/modprobe.d/30_security-misc.conf +++ b/etc/modprobe.d/30_security-misc.conf @@ -11,8 +11,11 @@ options nf_conntrack nf_conntrack_helper=0 ## Disable bluetooth to reduce attack surface due to extended history of security vulnerabilities ## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns -install bluetooth /bin/disabled-bluetooth-by-security-misc -install btusb /bin/disabled-bluetooth-by-security-misc +# +## Now replaced by a privacy and security preserving default bluetooth configuration for better usability +# +# install bluetooth /bin/disabled-bluetooth-by-security-misc +# install btusb /bin/disabled-bluetooth-by-security-misc ## Disable thunderbolt and firewire modules to prevent some DMA attacks install thunderbolt /bin/disabled-thunderbolt-by-security-misc From 90a88225a4fde2f09cc14b24f8467bb1ded90c9d Mon Sep 17 00:00:00 2001 From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Fri, 27 Oct 2023 14:38:31 +0000 Subject: [PATCH 128/846] security-misc.maintscript --- debian/security-misc.maintscript | 3 +++ 1 file changed, 3 insertions(+) diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript index f1664ee..50c1252 100644 --- a/debian/security-misc.maintscript +++ b/debian/security-misc.maintscript 
@@ -49,3 +49,6 @@ rm_conffile /etc/sysctl.d/30_security-misc.conf rm_conffile /etc/sysctl.d/30_silent-kernel-printk.conf rm_conffile /etc/sysctl.d/30_security-misc_kexec-disable.conf +## replaced with privacy conscious configurations for bluetooth +## not to hinder day to day usage +rm_conffile /bin/disabled-bluetooth-by-security-misc From fc8e201e84e4c777c087fd113c539ca368fd3a31 Mon Sep 17 00:00:00 2001 From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Fri, 27 Oct 2023 14:49:24 +0000 Subject: [PATCH 129/846] rename --- .../conf.d/{99_randomize_mac.conf => 99_randomize-mac.conf} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename etc/NetworkManager/conf.d/{99_randomize_mac.conf => 99_randomize-mac.conf} (100%) diff --git a/etc/NetworkManager/conf.d/99_randomize_mac.conf b/etc/NetworkManager/conf.d/99_randomize-mac.conf similarity index 100% rename from etc/NetworkManager/conf.d/99_randomize_mac.conf rename to etc/NetworkManager/conf.d/99_randomize-mac.conf From 5ed2a5ce4a24a1a9c3e722a30aa9c6af1dc5d78a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 1 Nov 2023 11:10:36 -0400 Subject: [PATCH 130/846] bumped changelog version --- changelog.upstream | 30 ++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 36 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index db21f0d..92adf11 100644 --- a/changelog.upstream +++ b/changelog.upstream 
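Review bot: `rm_conffile /bin/disabled-bluetooth-by-security-misc` names a path that is not a conffile — dpkg-maintscript-helper's rm_conffile is for files registered in the package's conffiles list (normally under /etc), and this commit does not remove the script from the package itself. I believe the helper will treat the unknown file as a locally modified conffile and rename it to `.dpkg-bak` with a misleading "modified by you" warning — please verify. If the script is no longer referenced by any `install` rule, delete it from the source tree and let dpkg remove it on upgrade instead of listing it here. The two comment lines would read better as one sentence: `## replaced by a privacy-conscious bluetooth configuration so day-to-day usage is not hindered`.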
@@ -1,3 +1,33 @@ +commit bb1161986b6d108c4fc5a16a48cdac55f98ab35d +Merge: 7d57684 b7cddd6 +Author: Patrick Schleizer +Date: Wed Nov 1 10:31:04 2023 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit b7cddd6e552cb5f5139de91ef2aeae6fde691136 +Merge: 7d57684 c975c3c +Author: Patrick Schleizer +Date: Wed Nov 1 10:30:26 2023 -0400 + + Merge pull request #143 from monsieuremre/patch-6 + + new lines 990-security-misc.conf + +commit c975c3c0ff7cc5a1e29b651c2db6c27e3f952870 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Fri Oct 27 11:07:53 2023 +0000 + + new lines 990-security-misc.conf + + added new recommended hardening settings with comments + +commit 7d576842fb6f3c124db2b6deb5abfc095974a67f +Author: Patrick Schleizer +Date: Thu Oct 26 20:08:41 2023 -0400 + + bumped changelog version + commit 7cff267002485fd0abca98d12b0024e061f4ba51 Author: Patrick Schleizer Date: Thu Oct 26 19:31:14 2023 -0400 diff --git a/debian/changelog b/debian/changelog index 11027e3..6e02c44 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:32.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 01 Nov 2023 15:10:36 +0000 + security-misc (3:32.2-1) unstable; urgency=medium * New upstream version (local package). From a768f1f1ebfc29b0c0105f2965a4290f8dfd8e63 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 1 Nov 2023 12:26:21 -0400 Subject: [PATCH 131/846] bumped changelog version --- changelog.upstream | 28 ++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 34 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 92adf11..649843f 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,25 @@ +commit bb14a058520b13e242fea9f3022c439c4677bd1d +Merge: 5ed2a5c 44906e8 +Author: Patrick Schleizer +Date: Wed Nov 1 11:11:54 2023 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 44906e8f398aae6e9565b131b82124e738e2d0d1 +Merge: 5ed2a5c f2c23a2 +Author: Patrick Schleizer +Date: Wed Nov 1 11:11:27 2023 -0400 + + Merge pull request #142 from monsieuremre/patch-5 + + ssh config + +commit 5ed2a5ce4a24a1a9c3e722a30aa9c6af1dc5d78a +Author: Patrick Schleizer +Date: Wed Nov 1 11:10:36 2023 -0400 + + bumped changelog version + commit bb1161986b6d108c4fc5a16a48cdac55f98ab35d Merge: 7d57684 b7cddd6 Author: Patrick Schleizer @@ -22,6 +44,12 @@ Date: Fri Oct 27 11:07:53 2023 +0000 added new recommended hardening settings with comments +commit f2c23a28319e359c642da2dde424456a1064763f +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Fri Oct 27 10:53:45 2023 +0000 + + ssh config + commit 7d576842fb6f3c124db2b6deb5abfc095974a67f Author: Patrick Schleizer Date: Thu Oct 26 20:08:41 2023 -0400 diff --git a/debian/changelog b/debian/changelog index 6e02c44..9064482 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:32.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 01 Nov 2023 16:26:21 +0000 + security-misc (3:32.3-1) unstable; urgency=medium * New upstream version (local package). From 76e684cc0ac0544219d200eeefae1356864fe702 Mon Sep 17 00:00:00 2001 From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Wed, 1 Nov 2023 17:51:27 +0000 Subject: [PATCH 132/846] Update and rename etc/NetworkManager/conf.d/99_ipv6-privacy.conf to usr/lib/NetworkManager/conf.d/99_ipv6-privacy.conf --- {etc => usr/lib}/NetworkManager/conf.d/99_ipv6-privacy.conf | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename {etc => usr/lib}/NetworkManager/conf.d/99_ipv6-privacy.conf (100%) 
diff --git a/etc/NetworkManager/conf.d/99_ipv6-privacy.conf b/usr/lib/NetworkManager/conf.d/99_ipv6-privacy.conf similarity index 100% rename from etc/NetworkManager/conf.d/99_ipv6-privacy.conf rename to usr/lib/NetworkManager/conf.d/99_ipv6-privacy.conf From 1049298e7bfa4ca0e8f02b4086f8aa086d51c725 Mon Sep 17 00:00:00 2001 From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Wed, 1 Nov 2023 17:52:40 +0000 Subject: [PATCH 133/846] Update and rename etc/NetworkManager/conf.d/99_randomize-mac.conf to usr/lib/NetworkManager/conf.d/99_randomize-mac.conf --- {etc => usr/lib}/NetworkManager/conf.d/99_randomize-mac.conf | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename {etc => usr/lib}/NetworkManager/conf.d/99_randomize-mac.conf (100%) diff --git a/etc/NetworkManager/conf.d/99_randomize-mac.conf b/usr/lib/NetworkManager/conf.d/99_randomize-mac.conf similarity index 100% rename from etc/NetworkManager/conf.d/99_randomize-mac.conf rename to usr/lib/NetworkManager/conf.d/99_randomize-mac.conf From 229032d691c614a926cf3cf96b44752364e4e087 Mon Sep 17 00:00:00 2001 From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Wed, 1 Nov 2023 17:54:05 +0000 Subject: [PATCH 134/846] Rename etc/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf to usr/lib/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf --- .../lib}/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename {etc => usr/lib}/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf (100%) diff --git a/etc/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf b/usr/lib/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf similarity index 100% rename from etc/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf rename to usr/lib/systemd/networkd.conf.d/99_ipv6-privacy-extensions.conf From 5a583ca48ce608fee4fe55c1d6948505e83a98d8 Mon Sep 17 00:00:00 2001 
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Thu, 2 Nov 2023 08:30:26 +0000 Subject: [PATCH 135/846] typo in file name --- etc/thunderbird/pref/{40_security-mic.js => 40_security-misc.js} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename etc/thunderbird/pref/{40_security-mic.js => 40_security-misc.js} (100%) diff --git a/etc/thunderbird/pref/40_security-mic.js b/etc/thunderbird/pref/40_security-misc.js similarity index 100% rename from etc/thunderbird/pref/40_security-mic.js rename to etc/thunderbird/pref/40_security-misc.js From 1abac794b564d178df37a385cf0d25bac5842c3c Mon Sep 17 00:00:00 2001 From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Thu, 2 Nov 2023 09:15:20 +0000 Subject: [PATCH 136/846] very secure and private defaults --- etc/thunderbird/pref/40_security-misc.js | 48 ++++++++++++++++++++++++ 1 file changed, 48 insertions(+) diff --git a/etc/thunderbird/pref/40_security-misc.js b/etc/thunderbird/pref/40_security-misc.js index 5d849ea..b0586e8 100644 --- a/etc/thunderbird/pref/40_security-misc.js +++ b/etc/thunderbird/pref/40_security-misc.js 
@@ -9,3 +9,51 @@ // https://forums.whonix.org/t/enable-network-idn-show-punycode-by-default-in-thunderbird-to-fix-url-not-showing-real-domain-name-homograph-attack-punycode/8415 pref("network.IDN_show_punycode", true); + +// Disable all and any kind of telemetry by default +pref("toolkit.telemetry.enabled", false); +pref("toolkit.telemetry.unified", false); +pref("toolkit.telemetry.shutdownPingSender.enabled", false); +pref("toolkit.telemetry.updatePing.enabled", false); +pref("toolkit.telemetry.archive.enabled", false); +pref("toolkit.telemetry.bhrPing.enabled", false); +pref("toolkit.telemetry.firstShutdownPing.enabled", false); +pref("toolkit.telemetry.newProfilePing.enabled", false); +pref("toolkit.telemetry.server", ""); // Defense in depth +pref("toolkit.telemetry.server_owner", ""); // Defense in depth +pref("datareporting.healthreport.uploadEnabled", false); +pref("datareporting.policy.dataSubmissionEnabled", false); +pref("toolkit.telemetry.coverage.opt-out", true); // from Firefox +pref("toolkit.coverage.opt-out", true); // from Firefox + +// Disable implicit outbound traffic +pref("network.connectivity-service.enabled", false); +pref("network.prefetch-next", false); +pref("network.dns.disablePrefetch", true); +pref("network.predictor.enabled", false); + +// No need to explain the problems with javascript +// If you want javascript, use your browser +// Thunderbird needs no javascript +// pref("javascript.enabled", false); // Will break setting up services that require redirecting to their javascripted webpage for login, like gmail etc. So commented out for now. 
+ +// Disable scripting when viewing pdf files +user_pref("pdfjs.enableScripting", false); + +// If you want cookies, use your browser +pref("network.cookie.cookieBehavior", 2); + +// Do not send user agent information +// For email clients, this is more like a relic of the past +// Completely not necessary and just exposes a lot of information about the client +// Since v115.0 Thunderbird already minimizes the user agent +// But we want it gone for good for no information leak at all +// https://hg.mozilla.org/comm-central/rev/cbbbc8d93cd7 +pref("mailnews.headers.sendUserAgent", false); + +// Normally we send emails after marking them with a time stamp +// That includes our local time zone +// This option makes our local time zone appear as UTC +// And rounds the time stamp to the closes minute +// https://hg.mozilla.org/comm-central/rev/98aa0bf2e719 +pref("mail.sanitize_date_header", true); From 3ee4be652b28201ba208757ce5144e51c453ad70 Mon Sep 17 00:00:00 2001 From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Thu, 2 Nov 2023 09:36:58 +0000 Subject: [PATCH 137/846] depend on libpam-tmpdir --- debian/control | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/control b/debian/control index 571050a..7761ab3 100644 --- a/debian/control +++ b/debian/control @@ -15,7 +15,7 @@ Rules-Requires-Root: no Package: security-misc Architecture: all Depends: python3, libglib2.0-bin, libpam-runtime, sudo, adduser, libcap2-bin, - apparmor-profile-dist, helper-scripts, libpam-modules-bin, + apparmor-profile-dist, helper-scripts, libpam-modules-bin, libpam-tmpdir, secure-delete, dmsetup, ${misc:Depends} Replaces: tcp-timestamps-disable, anon-gpg-tweaks, swappiness-lowest Description: Enhances Miscellaneous Security Settings From 3e604618a8ba2531553af4f9af00470bd9629615 Mon Sep 17 00:00:00 2001 
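Review bot: `user_pref("pdfjs.enableScripting", false);` uses the profile-level prefs.js syntax, while every other line in this system-wide file under etc/thunderbird/pref/ uses `pref(...)`; `user_pref` is not defined in that context, so the line will not apply and may stop the rest of the file from being processed (confirm in the error console). Change it to `pref("pdfjs.enableScripting", false);`. Two comment nits: `closes minute` should be `closest minute`, and the `javascript.enabled` rationale is a single very long commented-out line that would read better as a short comment block above the disabled pref.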
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Thu, 2 Nov 2023 10:24:35 +0000 Subject: [PATCH 138/846] harden-module-loading.service --- lib/systemd/system/harden-module-loading.service | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 lib/systemd/system/harden-module-loading.service diff --git a/lib/systemd/system/harden-module-loading.service b/lib/systemd/system/harden-module-loading.service new file mode 100644 index 0000000..fb6f6fe --- /dev/null +++ b/lib/systemd/system/harden-module-loading.service @@ -0,0 +1,13 @@ +[Unit] +Description=Disable the loading of modules to the kernel after startup. This could be malicious. +After=systemd-modules-load.service +# This functionality is implemented with this and not directly in the sysctl config is +# to allow systemd-modules-load.service to load the modules with no problem but +# to disallow anyone else do the same after the system boots up. + +[Service] +Type=oneshot +ExecStart=/usr/libexec/security-misc/disable-kernel-module-loading + +[Install] +WantedBy=sysinit.target From 9f063584c1f96267b04f8f7fe0eee773f9345370 Mon Sep 17 00:00:00 2001 From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Thu, 2 Nov 2023 10:28:41 +0000 Subject: [PATCH 139/846] disable-kernel-module-loading --- usr/libexec/security-misc/disable-kernel-module-loading | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 usr/libexec/security-misc/disable-kernel-module-loading diff --git a/usr/libexec/security-misc/disable-kernel-module-loading b/usr/libexec/security-misc/disable-kernel-module-loading new file mode 100644 index 0000000..47b5f71 --- /dev/null +++ b/usr/libexec/security-misc/disable-kernel-module-loading @@ -0,0 +1,5 @@ +#!/bin/bash + +sysctl -w kernel.modules_disabled=1 + +echo "The loading of new modules to the kernel has been disabled by security-misc" >&2 From 07882f61a8003026a9e4c135a6e18a8fd204060f Mon Sep 17 00:00:00 2001 
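Review bot: the unit is pulled in by `sysinit.target` right after `systemd-modules-load.service`, but udev keeps autoloading drivers well past that point (hotplugged USB storage and network adapters, filesystems mounted later), and `kernel.modules_disabled` cannot be cleared until reboot, so hardware attached after early boot will simply not work. If this is intended, document the trade-off in the existing `#` comment and consider a later anchor such as `WantedBy=multi-user.target`, which still locks the switch before interactive logins. `Description=` should be a short noun phrase (`Description=Disable loading of further kernel modules`), with the "could be malicious" rationale moved into the comment.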
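Review bot: `sysctl -w kernel.modules_disabled=1` runs with no error checking, and the script then prints the "has been disabled" message on stderr whether or not the write succeeded, so the oneshot unit reports success even when the sysctl failed. Add `set -e` after the shebang or write `sysctl -w kernel.modules_disabled=1 || exit 1` before the message, and prefer `printf '%s\n' "..." >&2` over `echo`. The file also has no copyright/licence header, unlike the other scripts in this repository (hedged: only inferred from the rest of the series).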
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Thu, 2 Nov 2023 10:44:19 +0000 Subject: [PATCH 140/846] enable service on install not sure if this would be the right way to do it --- debian/security-misc.postinst | 2 ++ 1 file changed, 2 insertions(+) diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst index 04410d9..3c9bcb2 100644 --- a/debian/security-misc.postinst +++ b/debian/security-misc.postinst @@ -61,6 +61,8 @@ pam-auth-update --package /usr/libexec/security-misc/permission-lockdown permission_hardening +systemctl enable disable-module-loading.service + ## https://phabricator.whonix.org/T377 ## Debian has no update-grub trigger yet: ## https://bugs.debian.org/481542 From ac224b270a3a0945d187202f8cca89af0e71a166 Mon Sep 17 00:00:00 2001 From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Thu, 2 Nov 2023 13:01:55 +0000 Subject: [PATCH 141/846] disable sysrq --- usr/lib/sysctl.d/990-security-misc.conf | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 547dbeb..41f39e2 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -137,11 +137,8 @@ net.ipv4.tcp_timestamps=0 #### meta end -## Only allow the SysRq key to be used for shutdowns and the -## Secure Attention Key (SAK). -## -## https://forums.whonix.org/t/sysrq-magic-sysrq-key/8079/ -kernel.sysrq=132 +## Disable SysRq key +kernel.sysrq=0 ## Restrict loading TTY line disciplines to CAP_SYS_MODULE to prevent ## unprivileged attackers from loading vulnerable line disciplines From cd216095eb8d9387437e653d7764ec765ce42a10 Mon Sep 17 00:00:00 2001 
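Review bot: `systemctl enable disable-module-loading.service` names a unit that does not exist — the unit added in the previous commit is `lib/systemd/system/harden-module-loading.service` — so postinst will fail if it runs under `set -e` (hedged, the top of the script is outside this hunk) and the package will be left unconfigured. Debian packaging normally does not call systemctl from postinst at all; `dh_installsystemd` (or `deb-systemd-helper enable`) generates the enable snippet and handles chroots, masked units and removal. If a direct call is kept, it should at least name the right unit and tolerate a system without systemd: `if [ -d /run/systemd/system ]; then systemctl enable harden-module-loading.service || true; fi`.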
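Review bot: `kernel.sysrq=0` also turns off the Secure Attention Key (bit 4) and the sync/remount/reboot keys (bit 128) that the previous value 132 deliberately kept, and the new comment `## Disable SysRq key` records no reason for the change — the removed forum link was the only rationale in the file. Keep a pointer to the discussion and state the trade-off, e.g. `## Disable SysRq entirely. Previously 132 (SAK + shutdown keys); see https://forums.whonix.org/t/sysrq-magic-sysrq-key/8079/ for the earlier reasoning.`.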
From: Patrick Schleizer Date: Fri, 3 Nov 2023 09:12:24 -0400 Subject: [PATCH 142/846] set default umask to 027 using package libpam-umask https://www.debian.org/doc/manuals/securing-debian-manual/ch04s11.en.html#id-1.5.14.19 https://github.com/Kicksecure/security-misc/pull/151 --- debian/control | 2 +- usr/share/pam-configs/umask-security-misc | 7 +++++++ 2 files changed, 8 insertions(+), 1 deletion(-) create mode 100644 usr/share/pam-configs/umask-security-misc diff --git a/debian/control b/debian/control index 571050a..2e633aa 100644 --- a/debian/control +++ b/debian/control @@ -14,7 +14,7 @@ Rules-Requires-Root: no Package: security-misc Architecture: all -Depends: python3, libglib2.0-bin, libpam-runtime, sudo, adduser, libcap2-bin, +Depends: python3, libglib2.0-bin, libpam-runtime, libpam-umask, sudo, adduser, libcap2-bin, apparmor-profile-dist, helper-scripts, libpam-modules-bin, secure-delete, dmsetup, ${misc:Depends} Replaces: tcp-timestamps-disable, anon-gpg-tweaks, swappiness-lowest diff --git a/usr/share/pam-configs/umask-security-misc b/usr/share/pam-configs/umask-security-misc new file mode 100644 index 0000000..6dfe387 --- /dev/null +++ b/usr/share/pam-configs/umask-security-misc @@ -0,0 +1,7 @@ +Name: Restrict umask to 027 (by package security-misc) +Default: yes +Priority: 100 +Session-Type: Additional +Session-Interactive-Only: yes +Session: + optional pam_umask.so umask=027 From 43bd789c30a562aa60349d019107277a428aece8 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 3 Nov 2023 09:28:08 -0400 Subject: [PATCH 143/846] bumped changelog version --- changelog.upstream | 18 ++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 24 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 649843f..0ba9ff7 100644 --- a/changelog.upstream +++ b/changelog.upstream 
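Review bot: this `Depends:` hunk and the libpam-tmpdir hunk in patch 137 both start from `index 571050a` and edit the same two lines, so one of them will not apply cleanly when the series is merged; rebase one onto the other. The `debian/control` line is also getting long — wrapping after `libpam-umask,` keeps it within the style used by the continuation line below it.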
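Review bot: `Session-Interactive-Only: yes` means `pam_umask.so umask=027` is applied only to interactive sessions, so cron jobs, systemd user services and other non-interactive PAM sessions keep the default umask; if the hardening is meant to be system-wide, that field should be `no` (or omitted) and the decision documented in the commit message. `optional` is appropriate here so a missing module does not break logins, but it also means failures are silent; worth a note for operators who later audit effective umasks.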
@@ -1,3 +1,21 @@ +commit cd216095eb8d9387437e653d7764ec765ce42a10 +Author: Patrick Schleizer +Date: Fri Nov 3 09:12:24 2023 -0400 + + set default umask to 027 + + using package libpam-umask + + https://www.debian.org/doc/manuals/securing-debian-manual/ch04s11.en.html#id-1.5.14.19 + + https://github.com/Kicksecure/security-misc/pull/151 + +commit a768f1f1ebfc29b0c0105f2965a4290f8dfd8e63 +Author: Patrick Schleizer +Date: Wed Nov 1 12:26:21 2023 -0400 + + bumped changelog version + commit bb14a058520b13e242fea9f3022c439c4677bd1d Merge: 5ed2a5c 44906e8 Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index 9064482..62218f6 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:32.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 03 Nov 2023 13:28:08 +0000 + security-misc (3:32.4-1) unstable; urgency=medium * New upstream version (local package). From f8913ceb2e2fdd274011377c41b5d08e7459e4af Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 3 Nov 2023 09:43:44 -0400 Subject: [PATCH 144/846] Revert "set default umask to 027" This reverts commit cd216095eb8d9387437e653d7764ec765ce42a10. --- debian/control | 2 +- usr/share/pam-configs/umask-security-misc | 7 ------- 2 files changed, 1 insertion(+), 8 deletions(-) delete mode 100644 usr/share/pam-configs/umask-security-misc diff --git a/debian/control b/debian/control index 2e633aa..571050a 100644 --- a/debian/control +++ b/debian/control @@ -14,7 +14,7 @@ Rules-Requires-Root: no Package: security-misc Architecture: all -Depends: python3, libglib2.0-bin, libpam-runtime, libpam-umask, sudo, adduser, libcap2-bin, +Depends: python3, libglib2.0-bin, libpam-runtime, sudo, adduser, libcap2-bin, apparmor-profile-dist, helper-scripts, libpam-modules-bin, secure-delete, dmsetup, ${misc:Depends} Replaces: tcp-timestamps-disable, anon-gpg-tweaks, swappiness-lowest 
diff --git a/usr/share/pam-configs/umask-security-misc b/usr/share/pam-configs/umask-security-misc deleted file mode 100644 index 6dfe387..0000000 --- a/usr/share/pam-configs/umask-security-misc +++ /dev/null @@ -1,7 +0,0 @@ -Name: Restrict umask to 027 (by package security-misc) -Default: yes -Priority: 100 -Session-Type: Additional -Session-Interactive-Only: yes -Session: - optional pam_umask.so umask=027 From 07540db90d60b10cbd10881b0024d8e8871330de Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 3 Nov 2023 09:45:12 -0400 Subject: [PATCH 145/846] Revert "Revert "set default umask to 027"" This reverts commit f8913ceb2e2fdd274011377c41b5d08e7459e4af. --- debian/control | 2 +- usr/share/pam-configs/umask-security-misc | 7 +++++++ 2 files changed, 8 insertions(+), 1 deletion(-) create mode 100644 usr/share/pam-configs/umask-security-misc diff --git a/debian/control b/debian/control index 571050a..2e633aa 100644 --- a/debian/control +++ b/debian/control @@ -14,7 +14,7 @@ Rules-Requires-Root: no Package: security-misc Architecture: all -Depends: python3, libglib2.0-bin, libpam-runtime, sudo, adduser, libcap2-bin, +Depends: python3, libglib2.0-bin, libpam-runtime, libpam-umask, sudo, adduser, libcap2-bin, apparmor-profile-dist, helper-scripts, libpam-modules-bin, secure-delete, dmsetup, ${misc:Depends} Replaces: tcp-timestamps-disable, anon-gpg-tweaks, swappiness-lowest diff --git a/usr/share/pam-configs/umask-security-misc b/usr/share/pam-configs/umask-security-misc new file mode 100644 index 0000000..6dfe387 --- /dev/null +++ b/usr/share/pam-configs/umask-security-misc @@ -0,0 +1,7 @@ +Name: Restrict umask to 027 (by package security-misc) +Default: yes +Priority: 100 +Session-Type: Additional +Session-Interactive-Only: yes +Session: + optional pam_umask.so umask=027 From b85d48eb83005da8fd9edc658c71493f407e3670 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Fri, 3 Nov 2023 10:31:59 -0400 Subject: [PATCH 146/846] do not change default umask for root since this causes permission issues in `/etc/` https://github.com/Kicksecure/security-misc/pull/151 --- usr/share/pam-configs/umask-security-misc | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/share/pam-configs/umask-security-misc b/usr/share/pam-configs/umask-security-misc index 6dfe387..6436a56 100644 --- a/usr/share/pam-configs/umask-security-misc +++ b/usr/share/pam-configs/umask-security-misc @@ -4,4 +4,5 @@ Priority: 100 Session-Type: Additional Session-Interactive-Only: yes Session: + [success=1 default=ignore] pam_succeed_if.so uid eq 0 optional pam_umask.so umask=027 From 8326aecdb460fffa450bbf3ec0b051010f87ee2a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 3 Nov 2023 10:33:02 -0400 Subject: [PATCH 147/846] bumped changelog version --- changelog.upstream | 32 ++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 38 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 0ba9ff7..1730ff3 100644 --- a/changelog.upstream +++ b/changelog.upstream 
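Review bot: `pam_succeed_if.so uid eq 0` without `quiet` logs a "requirement not met" message to syslog for every non-root session, since pam_succeed_if reports failed conditions by default; use `[success=1 default=ignore] pam_succeed_if.so quiet uid eq 0`. The `success=1` jump skips exactly one module, so anyone appending another module to this `Session:` stanza must adjust the count; pam-configs profiles have no comment syntax I am aware of, so record that constraint in the commit message or README.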
@@ -1,3 +1,35 @@ +commit b85d48eb83005da8fd9edc658c71493f407e3670 +Author: Patrick Schleizer +Date: Fri Nov 3 10:31:59 2023 -0400 + + do not change default umask for root + + since this causes permission issues in `/etc/` + + https://github.com/Kicksecure/security-misc/pull/151 + +commit 07540db90d60b10cbd10881b0024d8e8871330de +Author: Patrick Schleizer +Date: Fri Nov 3 09:45:12 2023 -0400 + + Revert "Revert "set default umask to 027"" + + This reverts commit f8913ceb2e2fdd274011377c41b5d08e7459e4af. + +commit f8913ceb2e2fdd274011377c41b5d08e7459e4af +Author: Patrick Schleizer +Date: Fri Nov 3 09:43:44 2023 -0400 + + Revert "set default umask to 027" + + This reverts commit cd216095eb8d9387437e653d7764ec765ce42a10. + +commit 43bd789c30a562aa60349d019107277a428aece8 +Author: Patrick Schleizer +Date: Fri Nov 3 09:28:08 2023 -0400 + + bumped changelog version + commit cd216095eb8d9387437e653d7764ec765ce42a10 Author: Patrick Schleizer Date: Fri Nov 3 09:12:24 2023 -0400 diff --git a/debian/changelog b/debian/changelog index 62218f6..17e6553 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:32.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 03 Nov 2023 14:33:02 +0000 + security-misc (3:32.5-1) unstable; urgency=medium * New upstream version (local package). From d71ac03d96c9861513ff56c68aec9090ef5c50bb Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 3 Nov 2023 10:36:15 -0400 Subject: [PATCH 148/846] comment --- usr/libexec/security-misc/permission-lockdown | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr/libexec/security-misc/permission-lockdown b/usr/libexec/security-misc/permission-lockdown index 1035450..973c70d 100755 --- a/usr/libexec/security-misc/permission-lockdown +++ b/usr/libexec/security-misc/permission-lockdown 
@@ -48,6 +48,8 @@ home_folder_access_rights_lockdown() { ## https://unix.stackexchange.com/questions/156473/reasons-behind-the-default-groups-and-users-on-linux ## In short, this is useful for "file sharing". A if user1 wants to share data with user2 the command ## required to run is sudo addgroup user1 user2. + ## See also: user private groups UPGs + ## https://wiki.debian.org/UserPrivateGroups echo "$0: chmod o-rwx \"$folder_name\"" chmod o-rwx "$folder_name" touch "/var/cache/security-misc/state-files/$user" From c33a3d9aadcc4c0ff90f330239eff4b7c905a022 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 3 Nov 2023 10:44:48 -0400 Subject: [PATCH 149/846] readme --- README.md | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/README.md b/README.md index ea335fb..8ca39df 100644 --- a/README.md +++ b/README.md @@ -314,6 +314,8 @@ See: ### Strong user account separation +#### Permission Lockdown + Read, write and execute access for "others" are removed during package installation, upgrade or PAM `mkhomedir` for all users who have home folders in `/home` by running, for example: 
@@ -333,6 +335,30 @@ See: * `/usr/libexec/security-misc/permission-lockdown` * `/usr/share/pam-configs/mkhomedir-security-misc` +#### umask + +Default `umask` is set to `027` for files created by non-root users +such as for example user `user`. + +This is doing using pam module `pam_mkhomedir.so umask=027`. + +This means, files created by non-root users cannot be read by other +non-root users by default. While Permission Lockdown already protects +the `/home` folder, this protects other folders such as `/tmp`. + +`group` read permissions are not removed. +This is unnecessary due to Debian's use of User Private Groups (UPGs). +See also: https://wiki.debian.org/UserPrivateGroups + +Default `umask` is unchanged for root, because then configuration files +created in `/etc` by the system administrator would be unreadable by +"others" and break applications. Examples include `/etc/firefox-esr` and +`/etc/thunderbird`. + +See: + +* `/usr/share/pam-configs/umask-security-misc` + ### SUID / SGID removal and permission hardening Not enabled by default yet. From cdd66ee3762c441843d421a9e6b11a20580ed7ac Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 3 Nov 2023 10:48:46 -0400 Subject: [PATCH 150/846] wrap-and-sort --- debian/control | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) diff --git a/debian/control b/debian/control index 2e633aa..77d5704 100644 --- a/debian/control +++ b/debian/control @@ -5,7 +5,10 @@ Source: security-misc Section: misc Priority: optional Maintainer: Patrick Schleizer -Build-Depends: debhelper (>= 13), debhelper-compat (= 13), config-package-dev, dh-apparmor +Build-Depends: config-package-dev, + debhelper (>= 13), + debhelper-compat (= 13), + dh-apparmor Homepage: https://www.kicksecure.com/wiki/Security-misc Vcs-Browser: https://github.com/Kicksecure/security-misc Vcs-Git: https://github.com/Kicksecure/security-misc.git 
@@ -14,10 +17,20 @@ Rules-Requires-Root: no Package: security-misc Architecture: all -Depends: python3, libglib2.0-bin, libpam-runtime, libpam-umask, sudo, adduser, libcap2-bin, - apparmor-profile-dist, helper-scripts, libpam-modules-bin, - secure-delete, dmsetup, ${misc:Depends} -Replaces: tcp-timestamps-disable, anon-gpg-tweaks, swappiness-lowest +Depends: adduser, + apparmor-profile-dist, + dmsetup, + helper-scripts, + libcap2-bin, + libglib2.0-bin, + libpam-modules-bin, + libpam-runtime, + libpam-umask, + python3, + secure-delete, + sudo, + ${misc:Depends} +Replaces: anon-gpg-tweaks, swappiness-lowest, tcp-timestamps-disable Description: Enhances Miscellaneous Security Settings https://github.com/Kicksecure/security-misc/blob/master/README.md . From ceffd2b3ee453122e66f594ec31dde6ec3bb7187 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 3 Nov 2023 12:06:43 -0400 Subject: [PATCH 151/846] bumped changelog version --- changelog.upstream | 24 ++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 30 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 1730ff3..fcca49d 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,27 @@ +commit cdd66ee3762c441843d421a9e6b11a20580ed7ac +Author: Patrick Schleizer +Date: Fri Nov 3 10:48:46 2023 -0400 + + wrap-and-sort + +commit c33a3d9aadcc4c0ff90f330239eff4b7c905a022 +Author: Patrick Schleizer +Date: Fri Nov 3 10:44:48 2023 -0400 + + readme + +commit d71ac03d96c9861513ff56c68aec9090ef5c50bb +Author: Patrick Schleizer +Date: Fri Nov 3 10:36:15 2023 -0400 + + comment + +commit 8326aecdb460fffa450bbf3ec0b051010f87ee2a +Author: Patrick Schleizer +Date: Fri Nov 3 10:33:02 2023 -0400 + + bumped changelog version + commit b85d48eb83005da8fd9edc658c71493f407e3670 Author: Patrick Schleizer Date: Fri Nov 3 10:31:59 2023 -0400 diff --git a/debian/changelog b/debian/changelog index 17e6553..0405737 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:32.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 03 Nov 2023 16:06:43 +0000 + security-misc (3:32.6-1) unstable; urgency=medium * New upstream version (local package). From 7dc99d54c0358842745ee48c7cc24f589fd63d14 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 3 Nov 2023 12:09:39 -0400 Subject: [PATCH 152/846] fix --- debian/control | 1 - 1 file changed, 1 deletion(-) diff --git a/debian/control b/debian/control index 385ce36..9a57d45 100644 --- a/debian/control +++ b/debian/control @@ -17,7 +17,6 @@ Rules-Requires-Root: no Package: security-misc Architecture: all -Replaces: tcp-timestamps-disable, anon-gpg-tweaks, swappiness-lowest Depends: adduser, apparmor-profile-dist, dmsetup, From 04b210ee88589ef9e6e214d3a5a614780244abc9 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 3 Nov 2023 12:10:48 -0400 Subject: [PATCH 153/846] bumped changelog version --- changelog.upstream | 41 +++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 47 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index fcca49d..c8d0647 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,38 @@ +commit 5e73f78ed9282bf0895b01d44d9c261ea0050cce +Merge: ceffd2b 8e66a41 +Author: Patrick Schleizer +Date: Fri Nov 3 12:10:33 2023 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 8e66a4177868ee7b51dafdb06062b0cb7cbc7415 +Merge: ceffd2b 7dc99d5 +Author: Patrick Schleizer +Date: Fri Nov 3 12:10:00 2023 -0400 + + Merge pull request #147 from monsieuremre/PAM-tmp-files-hardening + + Depend on libpam-tmpdir for very solid extra security + +commit 7dc99d54c0358842745ee48c7cc24f589fd63d14 +Author: Patrick Schleizer +Date: Fri Nov 3 12:09:39 2023 -0400 + + fix + +commit 2a602e78d6ca0f87f11de9a30ae2114468243075 +Merge: 3ee4be6 ceffd2b +Author: Patrick Schleizer +Date: Fri Nov 3 12:08:50 2023 -0400 + + Merge branch 'master' into PAM-tmp-files-hardening + +commit ceffd2b3ee453122e66f594ec31dde6ec3bb7187 +Author: Patrick Schleizer +Date: Fri Nov 3 12:06:43 2023 -0400 + + bumped changelog version + commit cdd66ee3762c441843d421a9e6b11a20580ed7ac Author: Patrick Schleizer Date: Fri Nov 3 10:48:46 2023 -0400 @@ -66,6 +101,12 @@ Date: Fri Nov 3 09:12:24 2023 -0400 https://github.com/Kicksecure/security-misc/pull/151 +commit 3ee4be652b28201ba208757ce5144e51c453ad70 +Author: monsieuremre <130907164+monsieuremre@users.noreply.github.com> +Date: Thu Nov 2 09:36:58 2023 +0000 + + depend on libpam-tmpdir + commit a768f1f1ebfc29b0c0105f2965a4290f8dfd8e63 Author: Patrick Schleizer Date: Wed Nov 1 12:26:21 2023 -0400 diff --git a/debian/changelog b/debian/changelog index 0405737..2eb1001 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:32.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 03 Nov 2023 16:10:48 +0000 + security-misc (3:32.7-1) unstable; urgency=medium * New upstream version (local package). From b6d53f698d0ad21a31da6bf74a44577a0c8869fc Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Fri, 3 Nov 2023 12:17:00 -0400 Subject: [PATCH 154/846] Revert "allow loading unsigned modules due to issues" This reverts commit 661bcd8603425934188cf139f33e20675ff4b765. --- debian/security-misc.maintscript | 3 --- etc/default/grub.d/40_only_allow_signed_modules.cfg | 4 ++++ 2 files changed, 4 insertions(+), 3 deletions(-) create mode 100644 etc/default/grub.d/40_only_allow_signed_modules.cfg diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript index f1664ee..1c4ea5e 100644 --- a/debian/security-misc.maintscript +++ b/debian/security-misc.maintscript @@ -3,9 +3,6 @@ rm_conffile /etc/sudoers.d/umask-security-misc -## https://forums.whonix.org/t/allow-loading-signed-kernel-modules-by-default-disallow-kernel-module-loading-by-default/7880/23 -rm_conffile /etc/default/grub.d/40_only_allow_signed_modules.cfg - ## https://forums.whonix.org/t/sysrq-magic-sysrq-key/8079 rm_conffile /etc/sysctl.d/sysrq.conf diff --git a/etc/default/grub.d/40_only_allow_signed_modules.cfg b/etc/default/grub.d/40_only_allow_signed_modules.cfg new file mode 100644 index 0000000..5441292 --- /dev/null +++ b/etc/default/grub.d/40_only_allow_signed_modules.cfg @@ -0,0 +1,4 @@ +## Requires every module to be signed before being loaded. +## Any module that is unsigned or signed with an invalid key cannot be loaded. +## This makes it harder to load a malicious module. +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX module.sig_enforce=1" From 48adb44c6fd157673cdf7fab3b86ecf7c6b31966 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 3 Nov 2023 12:17:24 -0400 Subject: [PATCH 155/846] bumped changelog version --- changelog.upstream | 14 ++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 20 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index c8d0647..2ff85d2 100644 --- a/changelog.upstream +++ b/changelog.upstream 
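Review bot: The header comment of the new grub drop-in describes what `module.sig_enforce=1` rejects but not the operational consequence: locally built out-of-tree modules (DKMS packages, for example) are unsigned unless a signing key trusted by the kernel has been set up, so they stop loading after the next `update-grub` and reboot. A line such as `## Locally built out-of-tree modules (e.g. DKMS) must be signed with a key in the kernel's trusted keyring or they will fail to load.` would make the trade-off explicit to anyone reading the file. Re-adding the file together with dropping the `rm_conffile` entry also means systems where the conffile was previously removed get it re-created on upgrade, which appears to be the intent of the revert.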
@@ -1,3 +1,17 @@ +commit b6d53f698d0ad21a31da6bf74a44577a0c8869fc +Author: Patrick Schleizer +Date: Fri Nov 3 12:17:00 2023 -0400 + + Revert "allow loading unsigned modules due to issues" + + This reverts commit 661bcd8603425934188cf139f33e20675ff4b765. + +commit 04b210ee88589ef9e6e214d3a5a614780244abc9 +Author: Patrick Schleizer +Date: Fri Nov 3 12:10:48 2023 -0400 + + bumped changelog version + commit 5e73f78ed9282bf0895b01d44d9c261ea0050cce Merge: ceffd2b 8e66a41 Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index 2eb1001..43a26d7 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:32.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 03 Nov 2023 16:17:24 +0000 + security-misc (3:32.8-1) unstable; urgency=medium * New upstream version (local package). From d1b5a3ffd525ec92554ffc9c666f8007c8522aac Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 3 Nov 2023 12:55:34 -0400 Subject: [PATCH 156/846] /usr/sbin/pam-tmpdir-helper exactwhitelist https://github.com/Kicksecure/security-misc/pull/147 --- etc/permission-hardening.d/25_default_whitelist_pam.conf | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 etc/permission-hardening.d/25_default_whitelist_pam.conf diff --git a/etc/permission-hardening.d/25_default_whitelist_pam.conf b/etc/permission-hardening.d/25_default_whitelist_pam.conf new file mode 100644 index 0000000..0c13f5d --- /dev/null +++ b/etc/permission-hardening.d/25_default_whitelist_pam.conf 
@@ -0,0 +1,9 @@ +## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardening.d/20_user.conf" or +## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +## Without this, Xfce fails to start with a dbus-launch error. +/usr/sbin/pam-tmpdir-helper exactwhitelist From 0242c04dc26638dc1250e3f681b46d15459cf8aa Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 3 Nov 2023 14:51:14 -0400 Subject: [PATCH 157/846] port to DKMS drop-in folder undisplace /etc/dkms/framework.conf.security-misc moved to /etc/dkms/framework.conf.d/30_security-misc.conf --- debian/security-misc.displace | 1 - debian/security-misc.undisplace | 1 + .../30_security-misc.conf} | 0 3 files changed, 1 insertion(+), 1 deletion(-) rename etc/dkms/{framework.conf.security-misc => framework.conf.d/30_security-misc.conf} (100%) diff --git a/debian/security-misc.displace b/debian/security-misc.displace index 54c5862..d80a247 100644 --- a/debian/security-misc.displace +++ b/debian/security-misc.displace @@ -3,4 +3,3 @@ /etc/securetty.security-misc /etc/security/faillock.conf.security-misc -/etc/dkms/framework.conf.security-misc diff --git a/debian/security-misc.undisplace b/debian/security-misc.undisplace index 0b23381..4aed27c 100644 --- a/debian/security-misc.undisplace +++ b/debian/security-misc.undisplace @@ -3,3 +3,4 @@ /etc/login.defs.security-misc /usr/bin/pkexec.security-misc +/etc/dkms/framework.conf.security-misc diff --git a/etc/dkms/framework.conf.security-misc b/etc/dkms/framework.conf.d/30_security-misc.conf similarity index 100% rename from etc/dkms/framework.conf.security-misc rename to etc/dkms/framework.conf.d/30_security-misc.conf From 978e3e4abd8f55a877dfe0d6e39b45ee9f58ba6d Mon Sep 17 00:00:00 2001 
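Review bot: The comment above `/usr/sbin/pam-tmpdir-helper exactwhitelist` records only the symptom (Xfce failing with a dbus-launch error), not why the exception is needed; presumably the helper is the setuid program used by `pam_tmpdir.so` and permission-hardening would otherwise strip its SUID bit, which breaks creation of the per-user temporary directory at session start. Stating that, e.g. `## pam-tmpdir-helper is the setuid helper of libpam-tmpdir (pam_tmpdir.so); it must keep its SUID bit or sessions cannot create their private TMPDIR.`, lets a future maintainer judge whether the whitelist entry is still required. Pointing at the libpam-tmpdir dependency introduced in PR #147 would keep the two in sync.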
From: Patrick Schleizer Date: Fri, 3 Nov 2023 14:53:40 -0400 Subject: [PATCH 158/846] readme --- README.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 8ca39df..96cab41 100644 --- a/README.md +++ b/README.md @@ -90,7 +90,17 @@ TLB invalidation so devices will never be able to access stale data contents. * Distrust the 'randomly' generated CPU and bootloader seeds. -### Disables and blacklists kernel modules +### Kernel Modules +#### Kernel Module Signature Verification + +Not yet due to issues: +https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/64 + +See: + +* `/etc/default/grub.d/40_only_allow_signed_modules.cfg` + +#### Disables and blacklists kernel modules Certain kernel modules are disabled and blacklisted by default to reduce attack surface via the `/etc/modprobe.d/30_security-misc.conf` configuration file. From 97054b2b1076d6d428996967304b29620923eff4 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 3 Nov 2023 15:55:17 -0400 Subject: [PATCH 159/846] revert enabling kernel module signature enforcement due to issues https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/63 https://github.com/dell/dkms/issues/359 --- README.md | 4 +++- etc/default/grub.d/40_only_allow_signed_modules.cfg | 6 +++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 96cab41..21ea2fe 100644 --- a/README.md +++ b/README.md 
@@ -94,7 +94,9 @@ TLB invalidation so devices will never be able to access stale data contents. #### Kernel Module Signature Verification Not yet due to issues: -https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/64 + +* https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/64 +* https://github.com/dell/dkms/issues/359 See: diff --git a/etc/default/grub.d/40_only_allow_signed_modules.cfg b/etc/default/grub.d/40_only_allow_signed_modules.cfg index 5441292..5d1a357 100644 --- a/etc/default/grub.d/40_only_allow_signed_modules.cfg +++ b/etc/default/grub.d/40_only_allow_signed_modules.cfg @@ -1,4 +1,8 @@ ## Requires every module to be signed before being loaded. ## Any module that is unsigned or signed with an invalid key cannot be loaded. ## This makes it harder to load a malicious module. -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX module.sig_enforce=1" +## +## Not enabled by default yet due to issues: +## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/61 +## https://github.com/dell/dkms/issues/359 +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX module.sig_enforce=1" From fbd9e5d017c4b00d838e9f225c7748c4b362f023 Mon Sep 17 00:00:00 2001 From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Sat, 4 Nov 2023 14:33:35 +0000 Subject: [PATCH 160/846] README.md --- README.md | 63 +++++++++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 52 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index 21ea2fe..1862005 100644 --- a/README.md +++ b/README.md 
@@ -42,15 +42,21 @@ arbitrary code execution in kernel mode. * Prevents unintentional writes to attacker-controlled files. * Prevents common symlink and hardlink TOCTOU races. - + +* Disables SysRq completely. + * The kernel is only allowed to swap if it is absolutely necessary. This prevents writing potentially sensitive contents of memory to disk. * TCP timestamps are disabled as it can allow detecting the system time. +* Enforces the logging of martian packets, those with a source address which is blatantly wrong. + +* Set coredump file name based on core_pattern value instead of the default of naming it 'core'. + ### mmap ASLR * The bits of entropy used for mmap ASLR are maxed out via @@ -102,6 +108,10 @@ See: * `/etc/default/grub.d/40_only_allow_signed_modules.cfg` +#### Disables the loading of new modules to the kernel after the fact + +A systemd service dynamically sets the kernel parameter ```modules_disabled``` to 1, preventing new modules from being loaded. Since this isn't configured directly within systemctl, it does not break the loading of legitimate and necessary modules for the user, like drivers etc., given they are plugged in on startup. + #### Disables and blacklists kernel modules Certain kernel modules are disabled and blacklisted by default to reduce attack surface via the @@ -111,9 +121,6 @@ Certain kernel modules are disabled and blacklisted by default to reduce attack increases kernel attack surface by enabling superfluous functionality such as IRC parsing in the kernel. Hence, this feature is disabled. -* Bluetooth is disabled to reduce attack surface. Bluetooth has -a lengthy history of security concerns. - * Thunderbolt and numerous FireWire kernel modules are also disabled as they are often vulnerable to DMA attacks. 
@@ -170,7 +177,7 @@ of multiple vulnerabilities so it is disabled. * Incorporates much of [Ubuntu's](https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d?h=ubuntu/disco) default blacklist of modules to be blocked from automatically loading. However, they are still permitted to load. * Blocks automatic loading of the modules needed to use of CD-ROM devices by default. Not completely disabled yet. - + ### Other * A systemd service clears the System.map file on boot as these contain kernel @@ -199,7 +206,7 @@ this is not needed for `dracut` because `dracut` does that by default, at least on `systemd` enabled systems. Not researched for non-`systemd` systems by the author of this part of the readme. -## Network hardening +## Network & Bluetooth hardening * TCP syncookies are enabled to prevent SYN flood attacks. @@ -216,6 +223,14 @@ dropping RST packets for sockets in the time-wait state. * Reverse path filtering is enabled to prevent IP spoofing and mitigate vulnerabilities such as CVE-2019-14899. +* Unlike version 4, IPv6 addresses can provide information not only about the originating network, but also the originating device. + We prevent this from happening by enabling the respective privacy extensions for IPv6. + +* In addition, we deny the capability to track the originating device in the network at all, by using randomized MAC addresses per connection per default. + +* Bluetooth is left enabled but users are highly discouraged from ever turning it on, due to its history of numerous security vulnurabilities. Unlike the default settings, +we start the system with bluetooth turned off. We also enforce private addresses and strict timeout settings for discoverability and visibility. + ## Entropy collection improvements * The `jitterentropy_rng` kernel module is loaded as early as possible 
@@ -230,6 +245,11 @@ audit, may contain weaknesses or a backdoor. For references, see: ## Restrictive mount options +A systemd service is triggered on boot to remount all sensitive partitions and directories with significantly more secure hardened mount options. +Since this would require manual tuning for a given specific system, we handle it by creating a very solid configuration file for that very system on package install. + + ## Root access restrictions * `su` is restricted to only users within the group `sudo` which prevents @@ -373,6 +393,22 @@ See: ### SUID / SGID removal and permission hardening +#### SUID / SGID removal + +A systemd service removes SUID / SGID bits from non-essential binaries as +these are often used in privilege escalation attacks. + +#### File permission hardening + +Various file permissions are reset with more secure and hardened defaults. These include but are not limited to: + +* Limiting ```/home``` and ```/root``` to the root only. +* Limiting crontab to root as well as all the configuration files for cron. +* Limiting the configuration for cups and ssh. +* Protecting the information of sudoers from others. +* Protecting various system relevant files and modules. + + ## Application-specific hardening * Enables "`apt-get --error-on=any`" which makes apt exit non-zero for 
@@ -410,8 +446,13 @@ See: * Deactivates previews in Nautilus - `/usr/share/glib-2.0/schemas/30_security-misc.gschema.override`. * Deactivates thumbnails in Thunar. -* Displays domain names in punycode (`network.IDN_show_punycode`) in -Thunderbird to prevent IDN homograph attacks (a form of phishing). +* Thunderbird is hardened with the following options: + * Displays domain names in punycode to prevent IDN homograph attacks (a form of phishing). + * Strips email client information for sent email headers. + * Stripts user time information from sent email headers by replacing the originating time zone with UTC and rounding the timestamp to the nearest minute. + * Disables scripting when viewing pdf files. + * Disables implicit outgoing connections. + * Disables all and any kind of telemetry. * Security and privacy enhancements for gnupg's config file `/etc/skel/.gnupg/gpg.conf`. See also: From a187d23c4187fd08611e5cba85d09666dfd9f735 Mon Sep 17 00:00:00 2001 From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Sat, 4 Nov 2023 20:56:08 +0000 Subject: [PATCH 161/846] big fix --- lib/systemd/system/harden-module-loading.service | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/systemd/system/harden-module-loading.service b/lib/systemd/system/harden-module-loading.service index fb6f6fe..703658c 100644 --- a/lib/systemd/system/harden-module-loading.service +++ b/lib/systemd/system/harden-module-loading.service @@ -1,6 +1,7 @@ [Unit] Description=Disable the loading of modules to the kernel after startup. This could be malicious. After=systemd-modules-load.service +Before=sysinit.target # This functionality is implemented with this and not directly in the sysctl config is # to allow systemd-modules-load.service to load the modules with no problem but # to disallow anyone else do the same after the system boots up. From 19eceaa8108879ee5477b157fb2175993c487959 Mon Sep 17 00:00:00 2001 
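Review bot: `Before=sysinit.target` in a service that does not set `DefaultDependencies=no` creates an ordering cycle, because systemd implicitly adds `After=sysinit.target` to every service with default dependencies and resolves such cycles by dropping one of the jobs, possibly this unit. Unless the part of the unit outside the hunk already sets it, add `DefaultDependencies=no` to `[Unit]` and keep `After=systemd-modules-load.service` so the modules listed under `/etc/modules-load.d` are loaded first. The `#` comment block should also say that once `kernel.modules_disabled=1` is set, any module needed later (a hot-plugged USB device, a filesystem type not yet in use, `tun` for a VPN) fails to load until reboot, which is the trade-off the README describes. The rest of the unit lies outside the hunk.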
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Sat, 4 Nov 2023 20:56:46 +0000 Subject: [PATCH 162/846] more fix --- usr/libexec/security-misc/disable-kernel-module-loading | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/disable-kernel-module-loading b/usr/libexec/security-misc/disable-kernel-module-loading index 47b5f71..6d4d25d 100644 --- a/usr/libexec/security-misc/disable-kernel-module-loading +++ b/usr/libexec/security-misc/disable-kernel-module-loading @@ -2,4 +2,4 @@ sysctl -w kernel.modules_disabled=1 -echo "The loading of new modules to the kernel has been disabled by security-misc" >&2 +echo "The loading of new modules to the kernel has been disabled by security-misc" From 2e64d89b042227fe5f38bb6d6a859deb4c5183b7 Mon Sep 17 00:00:00 2001 From: monsieuremre <130907164+monsieuremre@users.noreply.github.com> Date: Sat, 4 Nov 2023 21:18:45 +0000 Subject: [PATCH 163/846] undo unnecessary manual activation --- debian/security-misc.postinst | 2 -- 1 file changed, 2 deletions(-) diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst index 3c9bcb2..04410d9 100644 --- a/debian/security-misc.postinst +++ b/debian/security-misc.postinst @@ -61,8 +61,6 @@ pam-auth-update --package /usr/libexec/security-misc/permission-lockdown permission_hardening -systemctl enable disable-module-loading.service - ## https://phabricator.whonix.org/T377 ## Debian has no update-grub trigger yet: ## https://bugs.debian.org/481542 From f6bf69b41fa3e1168c2c49884197770e1a78b888 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 5 Nov 2023 11:31:09 -0500 Subject: [PATCH 164/846] update link --- debian/security-misc.preinst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/security-misc.preinst b/debian/security-misc.preinst index 43f8e2c..82fa257 100644 --- a/debian/security-misc.preinst +++ b/debian/security-misc.preinst 
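Review bot: The echo on the new side announces success whether or not `sysctl -w kernel.modules_disabled=1` on the context line actually succeeded, and nothing in the hunk checks its exit status; `sysctl -w kernel.modules_disabled=1 || { echo "$0: ERROR: failed to set kernel.modules_disabled" >&2; exit 1; }` would surface a failure to systemd instead of logging a misleading message. Dropping `>&2` only moves the message from stderr to stdout, which under systemd lands in the same journal, so the motivation for the change deserves a word in the commit message. A comment that this sysctl is one-way (it cannot be cleared again until reboot) would also help anyone running the script by hand. The shebang and the rest of the script are outside the hunk.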
@@ -100,7 +100,7 @@ sudo_users_check () { echo "sudo adduser user console" >&2 echo "" >&2 echo "$0: ERROR: See also installation instructions:" >&2 - echo "https://www.whonix.org/wiki/security-misc#install" >&2 + echo "https://www.kicksecure.com/wiki/security-misc#install" >&2 if [ "$SECURITY_MISC_INSTALL" = "force" ]; then output_skip_checks "Environment variable SECURITY_MISC_INSTALL is set to 'force'." From dcead44cc6d4272b0966562046f9dab1792845b6 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 5 Nov 2023 11:32:46 -0500 Subject: [PATCH 165/846] output --- debian/security-misc.preinst | 1 + 1 file changed, 1 insertion(+) diff --git a/debian/security-misc.preinst b/debian/security-misc.preinst index 82fa257..dc032b1 100644 --- a/debian/security-misc.preinst +++ b/debian/security-misc.preinst @@ -95,6 +95,7 @@ sudo_users_check () { ## https://forums.whonix.org/t/is-security-misc-suitable-for-hardening-bridges-and-relays/8299/4 echo "$0: ERROR: No user is a member of group 'sudo'. Installation aborted." >&2 echo "$0: ERROR: You probably want to run:" >&2 + echo "$0: NOTE: Replace user 'user' with your actual Linux user account name." >&2 echo "" >&2 echo "sudo adduser user sudo" >&2 echo "sudo adduser user console" >&2 From 93437952b4f64866dfe6067d8caf19415112418d Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 5 Nov 2023 14:41:01 -0500 Subject: [PATCH 166/846] readme --- README.md | 31 +++++++++---------------------- 1 file changed, 9 insertions(+), 22 deletions(-) diff --git a/README.md b/README.md index 1862005..a88b7f3 100644 --- a/README.md +++ b/README.md @@ -47,7 +47,7 @@ arbitrary code execution in kernel mode. Secure Attention Key. --> * Disables SysRq completely. - + * The kernel is only allowed to swap if it is absolutely necessary. This prevents writing potentially sensitive contents of memory to disk. 
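Review bot: The added `$0: NOTE: Replace user 'user' with your actual Linux user account name.` line is printed before the commands it refers to, between `You probably want to run:` and the `sudo adduser user sudo` lines, so the hint reads out of order; moving the echo after the `sudo adduser user console` line keeps it next to the text it explains. The enclosing `sudo_users_check` function starts and ends outside the hunk.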
@@ -177,7 +177,7 @@ of multiple vulnerabilities so it is disabled. * Incorporates much of [Ubuntu's](https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d?h=ubuntu/disco) default blacklist of modules to be blocked from automatically loading. However, they are still permitted to load. * Blocks automatic loading of the modules needed to use of CD-ROM devices by default. Not completely disabled yet. - + ### Other * A systemd service clears the System.map file on boot as these contain kernel @@ -206,7 +206,7 @@ this is not needed for `dracut` because `dracut` does that by default, at least on `systemd` enabled systems. Not researched for non-`systemd` systems by the author of this part of the readme. -## Network & Bluetooth hardening +## Network hardening * TCP syncookies are enabled to prevent SYN flood attacks. 
@@ -225,11 +225,13 @@ vulnerabilities such as CVE-2019-14899. * Unlike version 4, IPv6 addresses can provide information not only about the originating network, but also the originating device. We prevent this from happening by enabling the respective privacy extensions for IPv6. - + * In addition, we deny the capability to track the originating device in the network at all, by using randomized MAC addresses per connection per default. -* Bluetooth is left enabled but users are highly discouraged from ever turning it on, due to its history of numerous security vulnurabilities. Unlike the default settings, -we start the system with bluetooth turned off. We also enforce private addresses and strict timeout settings for discoverability and visibility. +## Network & Bluetooth hardening + +* Not done yet, pending, see: https://github.com/Kicksecure/security-misc/pull/145 + * planned: Bluetooth is left enabled but users are highly discouraged from ever turning it on, due to its history of numerous security vulnerabilities. Unlike the default settings, we start the system with bluetooth turned off. We also enforce private addresses and strict timeout settings for discoverability and visibility. ## Entropy collection improvements @@ -248,25 +250,10 @@ audit, may contain weaknesses or a backdoor. For references, see: A systemd service is triggered on boot to remount all sensitive partitions and directories with significantly more secure hardened mount options. Since this would require manual tuning for a given specific system, we handle it by creating a very solid configuration file for that very system on package install. - ## Root access restrictions * `su` is restricted to only users within the group `sudo` which prevents 
@@ -407,7 +394,7 @@ Various file permissions are reset with more secure and hardened defaults. These * Limiting the configuration for cups and ssh. * Protecting the information of sudoers from others. * Protecting various system relevant files and modules. - + -* Disables SysRq completely. +- Prevents common symlink and hardlink TOCTOU races. ``{=html} -* The kernel is only allowed to swap if it is absolutely necessary. This -prevents writing potentially sensitive contents of memory to disk. +- Disables SysRq completely. -* TCP timestamps are disabled as it can allow detecting the system time. +- The kernel is only allowed to swap if it is absolutely necessary. This + prevents writing potentially sensitive contents of memory to disk. -* Enforces the logging of martian packets, those with a source address which is blatantly wrong. +- TCP timestamps are disabled as it can allow detecting the system time. -* Set coredump file name based on core_pattern value instead of the default of naming it 'core'. +- Enforces the logging of martian packets, those with a source address which + is blatantly wrong. + +- Set coredump file name based on core_pattern value instead of the default of + naming it 'core'. ### mmap ASLR -* The bits of entropy used for mmap ASLR are maxed out via -`/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of -`CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX` that -the kernel was built with), therefore improving its effectiveness. +- The bits of entropy used for mmap ASLR are maxed out via + `/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of + `CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX` + that the kernel was built with), therefore improving its effectiveness. ### Boot parameters Boot parameters are outlined in configuration files located in the `etc/default/grub.d/` directory. 
-* Slab merging is disabled which significantly increases the difficulty of -heap exploitation by preventing overwriting objects from merged caches and -by making it harder to influence slab cache layout. +- Slab merging is disabled which significantly increases the difficulty of + heap exploitation by preventing overwriting objects from merged caches and + by making it harder to influence slab cache layout. -* Memory zeroing at allocation and free time is enabled to mitigate some -use-after-free vulnerabilities and erase sensitive information in memory. +- Memory zeroing at allocation and free time is enabled to mitigate some + use-after-free vulnerabilities and erase sensitive information in memory. -* Page allocator freelist randomization is enabled. +- Page allocator freelist randomization is enabled. -* Kernel Page Table Isolation is enabled to mitigate Meltdown and increase -KASLR effectiveness. +- Kernel Page Table Isolation is enabled to mitigate Meltdown and increase + KASLR effectiveness. -* vsyscalls are disabled as they are obsolete, are at fixed addresses and thus, -are a potential target for ROP. +- vsyscalls are disabled as they are obsolete, are at fixed addresses and + thus, are a potential target for ROP. -* The kernel panics on oopses to thwart certain kernel exploits. +- The kernel panics on oopses to thwart certain kernel exploits. -* Enables randomisation of the kernel stack offset on syscall entries. +- Enables randomisation of the kernel stack offset on syscall entries. -* All mitigations for known CPU vulnerabilities are enabled and SMT is -disabled. +- All mitigations for known CPU vulnerabilities are enabled and SMT is + disabled. -* IOMMU is enabled to prevent DMA attacks along with strict enforcement of IOMMU -TLB invalidation so devices will never be able to access stale data contents. 
+- IOMMU is enabled to prevent DMA attacks along with strict enforcement of + IOMMU TLB invalidation so devices will never be able to access stale data + contents. -* Distrust the 'randomly' generated CPU and bootloader seeds. +- Distrust the 'randomly' generated CPU and bootloader seeds. ### Kernel Modules + #### Kernel Module Signature Verification Not yet due to issues: -* https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/64 -* https://github.com/dell/dkms/issues/359 +- https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/64 +- https://github.com/dell/dkms/issues/359 See: -* `/etc/default/grub.d/40_only_allow_signed_modules.cfg` +- `/etc/default/grub.d/40_only_allow_signed_modules.cfg` #### Disables the loading of new modules to the kernel after the fact Not yet due to issues: -* https://github.com/Kicksecure/security-misc/pull/152 +- https://github.com/Kicksecure/security-misc/pull/152 -A systemd service dynamically sets the kernel parameter ```modules_disabled``` to 1, preventing new modules from being loaded. Since this isn't configured directly within systemctl, it does not break the loading of legitimate and necessary modules for the user, like drivers etc., given they are plugged in on startup. +A systemd service dynamically sets the kernel parameter `modules_disabled` to 1, +preventing new modules from being loaded. Since this isn't configured directly +within systemctl, it does not break the loading of legitimate and necessary +modules for the user, like drivers etc., given they are plugged in on startup. #### Disables and blacklists kernel modules -Certain kernel modules are disabled and blacklisted by default to reduce attack surface via the -`/etc/modprobe.d/30_security-misc.conf` configuration file. 
+Certain kernel modules are disabled and blacklisted by default to reduce attack +surface via the `/etc/modprobe.d/30_security-misc.conf` configuration file. -* Deactivates Netfilter's connection tracking helper - this module -increases kernel attack surface by enabling superfluous functionality -such as IRC parsing in the kernel. Hence, this feature is disabled. +- Deactivates Netfilter's connection tracking helper - this module increases + kernel attack surface by enabling superfluous functionality such as IRC + parsing in the kernel. Hence, this feature is disabled. -* Thunderbolt and numerous FireWire kernel modules are also disabled as they are -often vulnerable to DMA attacks. +- Thunderbolt and numerous FireWire kernel modules are also disabled as they + are often vulnerable to DMA attacks. -* The MSR kernel module is disabled to prevent CPU MSRs from being -abused to write to arbitrary memory. +- The MSR kernel module is disabled to prevent CPU MSRs from being abused to + write to arbitrary memory. -* Uncommon network protocols are blacklisted. This includes: +- Uncommon network protocols are blacklisted. 
This includes: - DCCP - Datagram Congestion Control Protocol +DCCP - Datagram Congestion Control Protocol - SCTP - Stream Control Transmission Protocol +SCTP - Stream Control Transmission Protocol - RDS - Reliable Datagram Sockets +RDS - Reliable Datagram Sockets - TIPC - Transparent Inter-process Communication +TIPC - Transparent Inter-process Communication - HDLC - High-Level Data Link Control +HDLC - High-Level Data Link Control - AX25 - Amateur X.25 +AX25 - Amateur X.25 - NetRom +NetRom - X25 +X25 - ROSE +ROSE - DECnet +DECnet - Econet +Econet - af_802154 - IEEE 802.15.4 +af_802154 - IEEE 802.15.4 - IPX - Internetwork Packet Exchange +IPX - Internetwork Packet Exchange - AppleTalk +AppleTalk - PSNAP - Subnetwork Access Protocol +PSNAP - Subnetwork Access Protocol - p8023 - Novell raw IEEE 802.3 +p8023 - Novell raw IEEE 802.3 - p8022 - IEEE 802.2 +p8022 - IEEE 802.2 - CAN - Controller Area Network +CAN - Controller Area Network - ATM +ATM -* Disables a large array of uncommon file systems and network file systems that reduces the attack surface especially against legacy approaches. +- Disables a large array of uncommon file systems and network file systems + that reduces the attack surface especially against legacy approaches. -* The vivid kernel module is only required for testing and has been the cause -of multiple vulnerabilities so it is disabled. +- The vivid kernel module is only required for testing and has been the cause + of multiple vulnerabilities so it is disabled. -* Provides some disabling of the interface between the [Intel Management Engine (ME)](https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html) and the OS. +- Provides some disabling of the interface between the [Intel Management + Engine (ME)](https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html) + and the OS. 
-* Incorporates much of [Ubuntu's](https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d?h=ubuntu/disco) default blacklist of modules to be blocked from automatically loading. However, they are still permitted to load. +- Incorporates much of + [Ubuntu's](https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d?h=ubuntu/disco) + default blacklist of modules to be blocked from automatically loading. + However, they are still permitted to load. -* Blocks automatic loading of the modules needed to use of CD-ROM devices by default. Not completely disabled yet. +- Blocks automatic loading of the modules needed to use of CD-ROM devices by + default. Not completely disabled yet. ### Other -* A systemd service clears the System.map file on boot as these contain kernel -pointers. The file is completely overwritten with zeroes to ensure it cannot -be recovered. See: +- A systemd service clears the System.map file on boot as these contain kernel + pointers. The file is completely overwritten with zeroes to ensure it cannot + be recovered. See: `/etc/kernel/postinst.d/30_remove-system-map` @@ -194,8 +208,8 @@ be recovered. See: `/usr/libexec/security-misc/remove-system.map` -* Coredumps are disabled as they may contain important information such as -encryption keys or passwords. See: +- Coredumps are disabled as they may contain important information such as + encryption keys or passwords. See: `/etc/security/limits.d/30_security-misc.conf` 
@@ -203,119 +217,128 @@ encryption keys or passwords. See: `/lib/systemd/coredump.conf.d/30_security-misc.conf` -* An initramfs hook sets the sysctl values in `/etc/sysctl.conf` and -`/etc/sysctl.d` before init is executed so sysctl hardening is enabled -as early as possible. This is implemented for `initramfs-tools` only because -this is not needed for `dracut` because `dracut` does that by default, at least -on `systemd` enabled systems. Not researched for non-`systemd` systems by the -author of this part of the readme. +- An initramfs hook sets the sysctl values in `/etc/sysctl.conf` and + `/etc/sysctl.d` before init is executed so sysctl hardening is enabled as + early as possible. This is implemented for `initramfs-tools` only because + this is not needed for `dracut` because `dracut` does that by default, at + least on `systemd` enabled systems. Not researched for non-`systemd` systems + by the author of this part of the readme. ## Network hardening -* TCP syncookies are enabled to prevent SYN flood attacks. +- TCP syncookies are enabled to prevent SYN flood attacks. -* ICMP redirect acceptance, ICMP redirect sending, source routing and -IPv6 router advertisements are disabled to prevent man-in-the-middle attacks. +- ICMP redirect acceptance, ICMP redirect sending, source routing and IPv6 + router advertisements are disabled to prevent man-in-the-middle attacks. -* The kernel is configured to ignore all ICMP requests to avoid Smurf attacks, -make the device more difficult to enumerate on the network and prevent clock -fingerprinting through ICMP timestamps. +- The kernel is configured to ignore all ICMP requests to avoid Smurf attacks, + make the device more difficult to enumerate on the network and prevent clock + fingerprinting through ICMP timestamps. -* RFC1337 is enabled to protect against time-wait assassination attacks by -dropping RST packets for sockets in the time-wait state. 
+- RFC1337 is enabled to protect against time-wait assassination attacks by + dropping RST packets for sockets in the time-wait state. -* Reverse path filtering is enabled to prevent IP spoofing and mitigate -vulnerabilities such as CVE-2019-14899. +- Reverse path filtering is enabled to prevent IP spoofing and mitigate + vulnerabilities such as CVE-2019-14899. -* Unlike version 4, IPv6 addresses can provide information not only about the originating network, but also the originating device. - We prevent this from happening by enabling the respective privacy extensions for IPv6. +- Unlike version 4, IPv6 addresses can provide information not only about the + originating network, but also the originating device. We prevent this from + happening by enabling the respective privacy extensions for IPv6. -* In addition, we deny the capability to track the originating device in the network at all, by using randomized MAC addresses per connection per default. +- In addition, we deny the capability to track the originating device in the + network at all, by using randomized MAC addresses per connection per + default. See: -* `/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf` -* `/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf` -* `/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf` +- `/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf` +- `/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf` +- `/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf` ## Network & Bluetooth hardening -* Bluetooth is 'enabled' for the system. Unlike the usual default behavior, we start -bluetooth turned off on system start and it stays that way unless the user -explicitly chooses to turn bluetooth on. The user is left with the freedom to easily -switch bluetooth on and off the usual way with his own discretion. 
We set significantly -more private defaults for bluetooth connections by enforcing private addresses and -strict timeout settings for discoverability and visibility. That being said, the most -secure and private bluetooth connection might inherently come with risks by its nature -and may be prone to exploits, as it has a history of having new security vulnurabilities -often. So users are recommended to choose not to use bluetooth when given the option. +- Bluetooth is 'enabled' for the system. Unlike the usual default behavior, we + start bluetooth turned off on system start and it stays that way unless the + user explicitly chooses to turn bluetooth on. The user is left with the + freedom to easily switch bluetooth on and off the usual way with his own + discretion. We set significantly more private defaults for bluetooth + connections by enforcing private addresses and strict timeout settings for + discoverability and visibility. That being said, the most secure and private + bluetooth connection might inherently come with risks by its nature and may + be prone to exploits, as it has a history of having new security + vulnurabilities often. So users are recommended to choose not to use + bluetooth when given the option. See: -* `/etc/bluetooth/30_security-misc.conf` -* https://github.com/Kicksecure/security-misc/pull/145 +- `/etc/bluetooth/30_security-misc.conf` +- https://github.com/Kicksecure/security-misc/pull/145 ## Entropy collection improvements -* The `jitterentropy_rng` kernel module is loaded as early as possible -during boot to gather more entropy via the -`/usr/lib/modules-load.d/30_security-misc.conf` configuration file. +- The `jitterentropy_rng` kernel module is loaded as early as possible during + boot to gather more entropy via the + `/usr/lib/modules-load.d/30_security-misc.conf` configuration file. -* Distrusts the CPU for initial entropy at boot as it is not possible to -audit, may contain weaknesses or a backdoor. 
For references, see: -`/etc/default/grub.d/40_distrust_cpu.cfg` +- Distrusts the CPU for initial entropy at boot as it is not possible to + audit, may contain weaknesses or a backdoor. For references, see: + `/etc/default/grub.d/40_distrust_cpu.cfg` -* Gathers more entropy during boot if using the linux-hardened kernel patch. +- Gathers more entropy during boot if using the linux-hardened kernel patch. ## Restrictive mount options -A systemd service is triggered on boot to remount all sensitive partitions and directories with significantly more secure hardened mount options. -Since this would require manual tuning for a given specific system, we handle it by creating a very solid configuration file for that very system on package install. +A systemd service is triggered on boot to remount all sensitive partitions and +directories with significantly more secure hardened mount options. Since this +would require manual tuning for a given specific system, we handle it by +creating a very solid configuration file for that very system on package +install. Not enabled by default yet. In development. Help welcome. -* https://github.com/Kicksecure/security-misc/pull/152 -* https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/ +- https://github.com/Kicksecure/security-misc/pull/152 +- https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/ ## Root access restrictions -* `su` is restricted to only users within the group `sudo` which prevents -users from using `su` to gain root access or to switch user accounts - -`/usr/share/pam-configs/wheel-security-misc` -(which results in a change in file `/etc/pam.d/common-auth`). 
+- `su` is restricted to only users within the group `sudo` which prevents + users from using `su` to gain root access or to switch user accounts - + `/usr/share/pam-configs/wheel-security-misc` (which results in a change in + file `/etc/pam.d/common-auth`). -* Add user `root` to group `sudo`. This is required due to the above restriction so -that logging in from a virtual console is still possible - `debian/security-misc.postinst` +- Add user `root` to group `sudo`. This is required due to the above + restriction so that logging in from a virtual console is still possible - + `debian/security-misc.postinst` -* Abort login for users with locked passwords - -`/usr/libexec/security-misc/pam-abort-on-locked-password`. +- Abort login for users with locked passwords - + `/usr/libexec/security-misc/pam-abort-on-locked-password`. -* Logging into the root account from a virtual, serial, whatnot console is -prevented by shipping an existing and empty `/etc/securetty` file -(deletion of `/etc/securetty` has a different effect). +- Logging into the root account from a virtual, serial, whatnot console is + prevented by shipping an existing and empty `/etc/securetty` file (deletion + of `/etc/securetty` has a different effect). -This package does not yet automatically lock the root account password. It -is not clear if this would be sane in such a package although, it is recommended -to lock and expire the root account. +This package does not yet automatically lock the root account password. It is +not clear if this would be sane in such a package although, it is recommended to +lock and expire the root account. In new Kicksecure builds, root account will be locked by package dist-base-files. 
See: -* https://www.kicksecure.com/wiki/Root -* https://www.kicksecure.com/wiki/Dev/Permissions -* https://forums.whonix.org/t/restrict-root-access/7658 +- https://www.kicksecure.com/wiki/Root +- https://www.kicksecure.com/wiki/Dev/Permissions +- https://forums.whonix.org/t/restrict-root-access/7658 However, a locked root password will break rescue and emergency shell. -Therefore, this package enables passwordless rescue and emergency shell. -This is the same solution that Debian will likely adapt for Debian -installer: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211 +Therefore, this package enables passwordless rescue and emergency shell. This is +the same solution that Debian will likely adapt for Debian installer: +https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211 See: -* `/etc/systemd/system/emergency.service.d/override.conf` -* `/etc/systemd/system/rescue.service.d/override.conf` +- `/etc/systemd/system/emergency.service.d/override.conf` +- `/etc/systemd/system/rescue.service.d/override.conf` Adverse security effects can be prevented by setting up BIOS password protection, GRUB password protection and/or full disk encryption. 
@@ -324,16 +347,16 @@ protection, GRUB password protection and/or full disk encryption. This uses pam_access to allow members of group `console` to use console but restrict everyone else (except members of group `console-unrestricted`) from -using console with ancient, unpopular login methods such as `/bin/login` -over networks as this might be exploitable. (CVE-2001-0797) +using console with ancient, unpopular login methods such as `/bin/login` over +networks as this might be exploitable. (CVE-2001-0797) -This is not enabled by default in this package since this package does not -know which users shall be added to group 'console' and thus, would break console. +This is not enabled by default in this package since this package does not know +which users shall be added to group 'console' and thus, would break console. See: -* `/usr/share/pam-configs/console-lockdown-security-misc` -* `/etc/security/access-security-misc.conf` +- `/usr/share/pam-configs/console-lockdown-security-misc` +- `/etc/security/access-security-misc.conf` ## Brute force attack protection @@ -341,16 +364,16 @@ User accounts are locked after 50 failed login attempts using `pam_faillock`. Informational output during Linux PAM: -* Show failed and remaining password attempts. -* Document unlock procedure if Linux user account got locked. -* Point out that there is no password feedback for `su`. -* Explain locked root account if locked. +- Show failed and remaining password attempts. +- Document unlock procedure if Linux user account got locked. +- Point out that there is no password feedback for `su`. +- Explain locked root account if locked. See: -* `/usr/share/pam-configs/tally2-security-misc` -* `/usr/libexec/security-misc/pam-info` -* `/usr/libexec/security-misc/pam-abort-on-locked-password` +- `/usr/share/pam-configs/tally2-security-misc` +- `/usr/libexec/security-misc/pam-info` +- `/usr/libexec/security-misc/pam-abort-on-locked-password` ## Access rights restrictions 
@@ -359,65 +382,64 @@ See: #### Permission Lockdown Read, write and execute access for "others" are removed during package -installation, upgrade or PAM `mkhomedir` for all users who have home -folders in `/home` by running, for example: +installation, upgrade or PAM `mkhomedir` for all users who have home folders in +`/home` by running, for example: -``` -chmod o-rwx /home/user -``` + chmod o-rwx /home/user -This will be done only once per folder in `/home` so users who wish to -relax file permissions are free to do so. This is to protect files in a -home folder that were previously created with lax file permissions prior -to the installation of this package. +This will be done only once per folder in `/home` so users who wish to relax +file permissions are free to do so. This is to protect files in a home folder +that were previously created with lax file permissions prior to the installation +of this package. See: -* `debian/security-misc.postinst` -* `/usr/libexec/security-misc/permission-lockdown` -* `/usr/share/pam-configs/mkhomedir-security-misc` +- `debian/security-misc.postinst` +- `/usr/libexec/security-misc/permission-lockdown` +- `/usr/share/pam-configs/mkhomedir-security-misc` #### umask -Default `umask` is set to `027` for files created by non-root users -such as for example user `user`. +Default `umask` is set to `027` for files created by non-root users such as for +example user `user`. This is doing using pam module `pam_mkhomedir.so umask=027`. -This means, files created by non-root users cannot be read by other -non-root users by default. While Permission Lockdown already protects -the `/home` folder, this protects other folders such as `/tmp`. +This means, files created by non-root users cannot be read by other non-root +users by default. While Permission Lockdown already protects the `/home` folder, +this protects other folders such as `/tmp`. -`group` read permissions are not removed. 
-This is unnecessary due to Debian's use of User Private Groups (UPGs). -See also: https://wiki.debian.org/UserPrivateGroups +`group` read permissions are not removed. This is unnecessary due to Debian's +use of User Private Groups (UPGs). See also: +https://wiki.debian.org/UserPrivateGroups -Default `umask` is unchanged for root, because then configuration files -created in `/etc` by the system administrator would be unreadable by -"others" and break applications. Examples include `/etc/firefox-esr` and -`/etc/thunderbird`. +Default `umask` is unchanged for root, because then configuration files created +in `/etc` by the system administrator would be unreadable by "others" and break +applications. Examples include `/etc/firefox-esr` and `/etc/thunderbird`. See: -* `/usr/share/pam-configs/umask-security-misc` +- `/usr/share/pam-configs/umask-security-misc` ### SUID / SGID removal and permission hardening #### SUID / SGID removal -A systemd service removes SUID / SGID bits from non-essential binaries as -these are often used in privilege escalation attacks. +A systemd service removes SUID / SGID bits from non-essential binaries as these +are often used in privilege escalation attacks. #### File permission hardening -Various file permissions are reset with more secure and hardened defaults. These include but are not limited to: +Various file permissions are reset with more secure and hardened defaults. These +include but are not limited to: -* Limiting ```/home``` and ```/root``` to the root only. -* Limiting crontab to root as well as all the configuration files for cron. -* Limiting the configuration for cups and ssh. -* Protecting the information of sudoers from others. -* Protecting various system relevant files and modules. +- Limiting `/home` and `/root` to the root only. +- Limiting crontab to root as well as all the configuration files for cron. +- Limiting the configuration for cups and ssh. +- Protecting the information of sudoers from others. 
+- Protecting various system relevant files and modules. +```{=html} +``` ## Application-specific hardening -* Enables "`apt-get --error-on=any`" which makes apt exit non-zero for - transient failures. - `/etc/apt/apt.conf.d/40error-on-any`. -* Enables APT seccomp-BPF sandboxing - `/etc/apt/apt.conf.d/40sandbox`. -* Deactivates previews in Dolphin. -* Deactivates previews in Nautilus - -`/usr/share/glib-2.0/schemas/30_security-misc.gschema.override`. -* Deactivates thumbnails in Thunar. -* Thunderbird is hardened with the following options: - * Displays domain names in punycode to prevent IDN homograph attacks (a form of phishing). - * Strips email client information for sent email headers. - * Stripts user time information from sent email headers by replacing the originating time zone with UTC and rounding the timestamp to the nearest minute. - * Disables scripting when viewing pdf files. - * Disables implicit outgoing connections. - * Disables all and any kind of telemetry. -* Security and privacy enhancements for gnupg's config file -`/etc/skel/.gnupg/gpg.conf`. See also: - * https://raw.github.com/ioerror/torbirdy/master/gpg.conf - * https://github.com/ioerror/torbirdy/pull/11 +- Enables "`apt-get --error-on=any`" which makes apt exit non-zero for + transient failures. - `/etc/apt/apt.conf.d/40error-on-any`. +- Enables APT seccomp-BPF sandboxing - `/etc/apt/apt.conf.d/40sandbox`. +- Deactivates previews in Dolphin. +- Deactivates previews in Nautilus - + `/usr/share/glib-2.0/schemas/30_security-misc.gschema.override`. +- Deactivates thumbnails in Thunar. +- Thunderbird is hardened with the following options: + - Displays domain names in punycode to prevent IDN homograph attacks (a + form of phishing). + - Strips email client information for sent email headers. + - Stripts user time information from sent email headers by replacing the + originating time zone with UTC and rounding the timestamp to the nearest + minute. 
+ - Disables scripting when viewing pdf files. + - Disables implicit outgoing connections. + - Disables all and any kind of telemetry. +- Security and privacy enhancements for gnupg's config file + `/etc/skel/.gnupg/gpg.conf`. See also: + - https://raw.github.com/ioerror/torbirdy/master/gpg.conf + - https://github.com/ioerror/torbirdy/pull/11 ### project scope of application-specific hardening Added in December 2023. -Before sending pull requests to harden arbitrary applications, please note the scope of security-misc is limited to default installed applications in Kicksecure, Whonix. This includes: +Before sending pull requests to harden arbitrary applications, please note the +scope of security-misc is limited to default installed applications in +Kicksecure, Whonix. This includes: -* Thunderbird, VLC Media Player, KeepassXC -* Debian Specific System Components (APT, DPKG) -* System Services (NetworkManager IPv6 privacy options, MAC address randomization) -* Actually used development utilities such as `git`. +- Thunderbird, VLC Media Player, KeepassXC +- Debian Specific System Components (APT, DPKG) +- System Services (NetworkManager IPv6 privacy options, MAC address + randomization) +- Actually used development utilities such as `git`. -It will not be possible to review and merge "1500" settings profiles for arbitrary applications outside of this context. +It will not be possible to review and merge "1500" settings profiles for +arbitrary applications outside of this context. -The main objective of security-misc is to harden Kicksecure and its derivatives, such as Whonix, by implementing robust security settings. It's designed to be compatible with Debian, reflecting a commitment to clean implementation and sound design principles. However, it's important to note that security-misc is a component of Kicksecure, not a substitute for it. The intention isn't to recreate Kicksecure within security-misc. 
Instead, specific security enhancements, like for example recommending a curated list of security-focused default packages (e.g., `libpam-tmpdir`), should be integrated directly into those appropriate areas of Kicksecure (e.g. `kicksecure-meta-packages`). +The main objective of security-misc is to harden Kicksecure and its derivatives, +such as Whonix, by implementing robust security settings. It's designed to be +compatible with Debian, reflecting a commitment to clean implementation and +sound design principles. However, it's important to note that security-misc is a +component of Kicksecure, not a substitute for it. The intention isn't to +recreate Kicksecure within security-misc. Instead, specific security +enhancements, like for example recommending a curated list of security-focused +default packages (e.g., `libpam-tmpdir`), should be integrated directly into +those appropriate areas of Kicksecure (e.g. `kicksecure-meta-packages`). -Discussion: -https://github.com/Kicksecure/security-misc/issues/154 +Discussion: https://github.com/Kicksecure/security-misc/issues/154 ### development philosophy Added in December 2023. -"Maintainability is a key priority [1]. Before modifying settings in the downstream security-misc, it's essential to first engage with upstream developers to propose these changes as defaults. This step should only be bypassed if there's a clear, prior indication from upstream that such changes won't be accepted. Additionally, before implementing any workarounds, consulting with upstream is necessary to future unmaintainable complexity. +"Maintainability is a key priority \[1\]. Before modifying settings in the +downstream security-misc, it's essential to first engage with upstream +developers to propose these changes as defaults. This step should only be +bypassed if there's a clear, prior indication from upstream that such changes +won't be accepted. 
Additionally, before implementing any workarounds, consulting +with upstream is necessary to future unmaintainable complexity. -If debugging features are disabled, pull requests won't be merged until there is a corresponding pull request for the debug-misc package to re-enable these. This is to avoid configuring the system into a corner where it can be no longer debugged. +If debugging features are disabled, pull requests won't be merged until there is +a corresponding pull request for the debug-misc package to re-enable these. This +is to avoid configuring the system into a corner where it can be no longer +debugged. -[1] https://www.kicksecure.com/wiki/Dev/maintainability +\[1\] https://www.kicksecure.com/wiki/Dev/maintainability ## Opt-in hardening Some hardening is opt-in as it causes too much breakage to be enabled by default. -* An optional systemd service mounts `/proc` with `hidepid=2` at boot to -prevent users from seeing another user's processes. This is disabled by -default because it is incompatible with `pkexec`. It can be enabled by -executing `systemctl enable proc-hidepid.service` as root. +- An optional systemd service mounts `/proc` with `hidepid=2` at boot to + prevent users from seeing another user's processes. This is disabled by + default because it is incompatible with `pkexec`. It can be enabled by + executing `systemctl enable proc-hidepid.service` as root. -* A systemd service restricts `/proc/cpuinfo`, `/proc/bus`, `/proc/scsi` and -`/sys` to the root user. This hides a lot of hardware identifiers from -unprivileged users and increases security as `/sys` exposes a lot of -information that shouldn't be accessible to unprivileged users. As this will -break many things, it is disabled by default and can optionally be enabled by -executing `systemctl enable hide-hardware-info.service` as root. +- A systemd service restricts `/proc/cpuinfo`, `/proc/bus`, `/proc/scsi` and + `/sys` to the root user. 
This hides a lot of hardware identifiers from + unprivileged users and increases security as `/sys` exposes a lot of + information that shouldn't be accessible to unprivileged users. As this will + break many things, it is disabled by default and can optionally be enabled + by executing `systemctl enable hide-hardware-info.service` as root. ## miscellaneous -* hardened malloc compatibility for haveged workaround -`/lib/systemd/system/haveged.service.d/30_security-misc.conf` +- hardened malloc compatibility for haveged workaround + `/lib/systemd/system/haveged.service.d/30_security-misc.conf` -* set `dracut` `reproducible=yes` setting +- set `dracut` `reproducible=yes` setting ## legal @@ -528,14 +573,14 @@ https://github.com/Kicksecure/security-misc/pull/167 ## Related -* Linux Kernel Runtime Guard (LKRG) -* tirdad - TCP ISN CPU Information Leak Protection. -* Kicksecure (TM) - a security-hardened Linux Distribution -* And more. -* https://www.kicksecure.com/wiki/Linux_Kernel_Runtime_Guard_LKRG -* https://github.com/Kicksecure/tirdad -* https://www.kicksecure.com -* https://github.com/Kicksecure +- Linux Kernel Runtime Guard (LKRG) +- tirdad - TCP ISN CPU Information Leak Protection. +- Kicksecure (TM) - a security-hardened Linux Distribution +- And more. +- https://www.kicksecure.com/wiki/Linux_Kernel_Runtime_Guard_LKRG +- https://github.com/Kicksecure/tirdad +- https://www.kicksecure.com +- https://github.com/Kicksecure ## Discussion 
@@ -551,20 +596,23 @@ See https://www.kicksecure.com/wiki/Security-misc#install Can be build using standard Debian package build tools such as: -``` -dpkg-buildpackage -b -``` + dpkg-buildpackage -b -See instructions. (Replace `generic-package` with the actual name of this package `security-misc`.) +See instructions. (Replace `generic-package` with the actual name of this +package `security-misc`.) -* **A)** [easy](https://www.kicksecure.com/wiki/Dev/Build_Documentation/generic-package/easy), _OR_ -* **B)** [including verifying software signatures](https://www.kicksecure.com/wiki/Dev/Build_Documentation/generic-package) +- **A)** + [easy](https://www.kicksecure.com/wiki/Dev/Build_Documentation/generic-package/easy), + *OR* +- **B)** [including verifying software + signatures](https://www.kicksecure.com/wiki/Dev/Build_Documentation/generic-package) ## Contact -* [Free Forum Support](https://forums.kicksecure.com) -* [Professional Support](https://www.kicksecure.com/wiki/Professional_Support) +- [Free Forum Support](https://forums.kicksecure.com) +- [Professional Support](https://www.kicksecure.com/wiki/Professional_Support) ## Donate -`security-misc` requires [donations](https://www.kicksecure.com/wiki/Donate) to stay alive! +`security-misc` requires [donations](https://www.kicksecure.com/wiki/Donate) to +stay alive! From 79f398d219b9c4cdf8ea0f9e3135a08fa32659a8 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 25 Dec 2023 08:45:20 -0500 Subject: [PATCH 248/846] formatting --- README.md | 56 +++++++++++++++++++------------------------------------ 1 file changed, 19 insertions(+), 37 deletions(-) diff --git a/README.md b/README.md index 65b89ef..6506a92 100644 --- a/README.md +++ b/README.md 
@@ -140,43 +140,25 @@ surface via the `/etc/modprobe.d/30_security-misc.conf` configuration file. - Uncommon network protocols are blacklisted. This includes: -DCCP - Datagram Congestion Control Protocol - -SCTP - Stream Control Transmission Protocol - -RDS - Reliable Datagram Sockets - -TIPC - Transparent Inter-process Communication - -HDLC - High-Level Data Link Control - -AX25 - Amateur X.25 - -NetRom - -X25 - -ROSE - -DECnet - -Econet - -af_802154 - IEEE 802.15.4 - -IPX - Internetwork Packet Exchange - -AppleTalk - -PSNAP - Subnetwork Access Protocol - -p8023 - Novell raw IEEE 802.3 - -p8022 - IEEE 802.2 - -CAN - Controller Area Network - -ATM + - DCCP - Datagram Congestion Control Protocol + - SCTP - Stream Control Transmission Protocol + - RDS - Reliable Datagram Sockets + - TIPC - Transparent Inter-process Communication + - HDLC - High-Level Data Link Control + - AX25 - Amateur X.25 + - NetRom + - X25 + - ROSE + - DECnet + - Econet + - af_802154 - IEEE 802.15.4 + - IPX - Internetwork Packet Exchange + - AppleTalk + - PSNAP - Subnetwork Access Protocol + - p8023 - Novell raw IEEE 802.3 + - p8022 - IEEE 802.2 + - CAN - Controller Area Network + - ATM - Disables a large array of uncommon file systems and network file systems that reduces the attack surface especially against legacy approaches. From 37b4ab15a823134e616a2a0fe1dda18d5ebfa3c0 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 25 Dec 2023 09:04:10 -0500 Subject: [PATCH 249/846] readme --- README.md | 33 +++++++++++++++++---------------- 1 file changed, 17 insertions(+), 16 deletions(-) diff --git a/README.md b/README.md index 6506a92..a8b8bbf 100644 --- a/README.md +++ b/README.md 
@@ -41,12 +41,11 @@ configuration file. - Prevents unintentional writes to attacker-controlled files. -- Prevents common symlink and hardlink TOCTOU races. ``{=html} +- Prevents common symlink and hardlink TOCTOU races. -- Disables SysRq completely. +- Disables SysRq key completely. + * Therefore Secure Attention Key (SAK) cannot be used. + * https://www.kicksecure.com/wiki/SysRq - The kernel is only allowed to swap if it is absolutely necessary. This prevents writing potentially sensitive contents of memory to disk. @@ -278,7 +277,7 @@ install. Not enabled by default yet. In development. Help welcome. -- https://github.com/Kicksecure/security-misc/pull/152 +- https://github.com/Kicksecure/security-misc/issues/157 - https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/ ## Root access restrictions @@ -421,18 +420,21 @@ include but are not limited to: - Protecting the information of sudoers from others. - Protecting various system relevant files and modules. -```{=html} - -``` + ## Application-specific hardening - Enables "`apt-get --error-on=any`" which makes apt exit non-zero for From 0810c1ce3c9e19c745b8f0d2cd9410353b172779 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 25 Dec 2023 09:10:31 -0500 Subject: [PATCH 250/846] fix bluetooth in readme fixes https://github.com/Kicksecure/security-misc/issues/180 --- README.md | 40 +++++++++++++++++++++++++--------------- 1 file changed, 25 insertions(+), 15 deletions(-) diff --git a/README.md b/README.md index a8b8bbf..48e285e 100644 --- a/README.md +++ b/README.md 
@@ -236,24 +236,34 @@ See: - `/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf` - `/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf` -## Network & Bluetooth hardening +## Bluetooth Hardening -- Bluetooth is 'enabled' for the system. Unlike the usual default behavior, we - start bluetooth turned off on system start and it stays that way unless the - user explicitly chooses to turn bluetooth on. The user is left with the - freedom to easily switch bluetooth on and off the usual way with his own - discretion. We set significantly more private defaults for bluetooth - connections by enforcing private addresses and strict timeout settings for - discoverability and visibility. That being said, the most secure and private - bluetooth connection might inherently come with risks by its nature and may - be prone to exploits, as it has a history of having new security - vulnurabilities often. So users are recommended to choose not to use - bluetooth when given the option. +### Bluetooth Status: Enabled but Defaulted to Off -See: +- **Default Behavior**: Although Bluetooth capability is 'enabled' in the kernel, security-misc deviates from the usual behavior by starting with Bluetooth turned off at system start. This setting remains until the user explicitly opts to activate Bluetooth. -- `/etc/bluetooth/30_security-misc.conf` -- https://github.com/Kicksecure/security-misc/pull/145 +- **User Control**: Users have the freedom to easily switch Bluetooth on and off in the usual way, exercising their own discretion. This can be done via the Bluetooth toggle through the usual way, that is either through GUI settings application or command line commands. + +- **Enhanced Privacy Settings**: We enforce more private defaults for Bluetooth connections. This includes the use of private addresses and strict timeout settings for discoverability and visibility. 
+ +- **Security Considerations**: Despite these measures, it's important to note that Bluetooth technology, by its nature, may still be prone to exploits due to its history of security vulnerabilities. Thus, we recommend users to opt-out of using Bluetooth when possible. + +### Configuration Details + +- See configuration: `/etc/bluetooth/30_security-misc.conf` +- For more information and discussion: [GitHub Pull Request](https://github.com/Kicksecure/security-misc/pull/145) + +### Understanding Bluetooth Terms + +- **Disabling Bluetooth**: This means the absence of the Bluetooth kernel module. When disabled, Bluetooth is non-existent in the system - it cannot be seen, set, configured, or interacted with in any way. + +- **Turning Bluetooth On/Off**: This refers to a software toggle. Normally, on Debian systems, Bluetooth is 'on' when the system boots up. It actively searches for known devices to auto-connect and may be discoverable or visible under certain conditions. Our default ensures that Bluetooth is off on startup. However, it remains 'enabled' in the kernel, meaning the kernel can use the Bluetooth protocol and has the necessary modules. + +### Quick Toggle Guide + +- **Turning Bluetooth On**: Simply click the Bluetooth button in the settings application or on the tray, and switch the toggle. It's a straightforward action that can be completed in less than a second. + +- **Turning Bluetooth Off**: Follow the same procedure as turning it on but switch the toggle to the off position. ## Entropy collection improvements From 269fada14a616c53d7421e88e662f6893eb1fd88 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 25 Dec 2023 09:25:14 -0500 Subject: [PATCH 251/846] combine bind lines https://github.com/Kicksecure/security-misc/issues/157 --- usr/share/doc/security-misc/fstab-vm | 35 +++++++++++----------------- 1 file changed, 13 insertions(+), 22 deletions(-) 
diff --git a/usr/share/doc/security-misc/fstab-vm b/usr/share/doc/security-misc/fstab-vm index 2cae2ad..15c6228 100644 --- a/usr/share/doc/security-misc/fstab-vm +++ b/usr/share/doc/security-misc/fstab-vm @@ -1,41 +1,32 @@ # -/dev/disk/by-uuid/26ada0c0-1165-4098-884d-aafd2220c2c6 / auto defaults,errors=remount-ro 0 1 +/dev/disk/by-uuid/26ada0c0-1165-4098-884d-aafd2220c2c6 / auto defaults,errors=remount-ro 0 1 -proc /proc proc defaults 0 0 +proc /proc proc defaults 0 0 -/dev /dev none bind 0 0 -/dev /dev none remount,nosuid,noexec 0 0 +/dev /dev none bind,remount,nosuid,noexec 0 0 ## noexec optional -/dev/shm /dev/shm tmpfs nosuid,nodev,noexec 0 0 +/dev/shm /dev/shm tmpfs nosuid,nodev,noexec 0 0 -/dev/cdrom /mnt/cdrom0 iso9660 ro,user,noauto 0 0 +/dev/cdrom /mnt/cdrom0 iso9660 ro,user,noauto 0 0 -/boot /boot none bind 0 0 -/boot /boot none remount,nosuid,nodev,noexec 0 0 +/boot /boot none bind,remount,nosuid,nodev,noexec 0 0 -/lib /lib none bind 0 0 -/lib /lib none remount,nosuid,nodev 0 0 +/lib /lib none bind,remount,nosuid,nodev 0 0 ## noexec optional -/tmp /tmp none bind 0 0 -/tmp /tmp none remount,nosuid,nodev,noexec 0 0 +/tmp /tmp none bind,remount,nosuid,nodev,noexec 0 0 -/var /var none bind 0 0 -/var /var none remount,nosuid,nodev 0 0 +/var /var none bind,remount,nosuid,nodev 0 0 ## noexec optional -/var/tmp /var/tmp none bind 0 0 -/var/tmp /var/tmp none remount,nosuid,nodev,noexec 0 0 +/var/tmp /var/tmp none bind,remount,nosuid,nodev,noexec 0 0 -/var/log /var/log none bind 0 0 -/var/log /var/log none remount,nosuid,nodev,noexec 0 0 +/var/log /var/log none bind,remount,nosuid,nodev,noexec 0 0 ## noexec optional -/run /run none bind 0 0 -/run /run none remount,nosuid,nodev,noexec 0 0 +/run /run none bind,remount,nosuid,nodev,noexec 0 0 ## noexec optional -/home /home none bind 0 0 -/home /home none remount,nosuid,nodev,noexec 0 0 +/home /home none bind,remount,nosuid,nodev,noexec 0 0 From b0dd967611c27f5b8e2472bb74a664aead7a229e Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Mon, 25 Dec 2023 09:27:45 -0500 Subject: [PATCH 252/846] usrmerge https://github.com/Kicksecure/security-misc/issues/157 --- usr/bin/remount-secure | 11 ----------- usr/share/doc/security-misc/fstab-vm | 2 -- 2 files changed, 13 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index a81f43f..0a0c38e 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -255,17 +255,6 @@ _var() { remount_secure } -_lib() { - mount_folder="$NEWROOT/lib" - ## Cannot use noexec on /lib as per: - ## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707/25 - ## There are many executables in /lib. To check: - ## sudo find /var/lib -type f -executable - ## sudo find /var/lib -type f -executable ! -type l - intended_mount_options="nosuid,nodev" - remount_secure -} - _home() { mount_folder="$NEWROOT/home" intended_mount_options="nosuid,nodev${home_noexec_maybe}" diff --git a/usr/share/doc/security-misc/fstab-vm b/usr/share/doc/security-misc/fstab-vm index 15c6228..25c9593 100644 --- a/usr/share/doc/security-misc/fstab-vm +++ b/usr/share/doc/security-misc/fstab-vm @@ -13,8 +13,6 @@ proc /proc pr /boot /boot none bind,remount,nosuid,nodev,noexec 0 0 -/lib /lib none bind,remount,nosuid,nodev 0 0 - ## noexec optional /tmp /tmp none bind,remount,nosuid,nodev,noexec 0 0 From 55709b3aa0acd6cad0c9fedb8782c49fbea79689 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 25 Dec 2023 09:30:57 -0500 Subject: [PATCH 253/846] /tmp tmpfs https://github.com/Kicksecure/security-misc/issues/157 --- usr/share/doc/security-misc/fstab-vm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/share/doc/security-misc/fstab-vm b/usr/share/doc/security-misc/fstab-vm index 25c9593..829dd0d 100644 --- a/usr/share/doc/security-misc/fstab-vm +++ b/usr/share/doc/security-misc/fstab-vm 
@@ -14,7 +14,7 @@ proc /proc pr
/boot /boot none bind,remount,nosuid,nodev,noexec 0 0
## noexec optional
-/tmp /tmp none bind,remount,nosuid,nodev,noexec 0 0
+/tmp /tmp tmpfs bind,remount,nosuid,nodev,noexec 0 0
/var /var none bind,remount,nosuid,nodev 0 0
From 00f9ab43947795c1144d797547968c7c149d6f21 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Mon, 25 Dec 2023 09:36:05 -0500
Subject: [PATCH 254/846] /dev devtmpfs
https://github.com/Kicksecure/security-misc/issues/157
---
usr/share/doc/security-misc/fstab-vm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/usr/share/doc/security-misc/fstab-vm b/usr/share/doc/security-misc/fstab-vm
index 829dd0d..e2df094 100644
--- a/usr/share/doc/security-misc/fstab-vm
+++ b/usr/share/doc/security-misc/fstab-vm
@@ -4,7 +4,7 @@
proc /proc proc defaults 0 0
-/dev /dev none bind,remount,nosuid,noexec 0 0
+/dev /dev devtmpfs bind,remount,nosuid,noexec 0 0
## noexec optional
/dev/shm /dev/shm tmpfs nosuid,nodev,noexec 0 0
From 0d9e9780daca563a726470a3a5d6fa8c20487240 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Mon, 25 Dec 2023 09:37:14 -0500
Subject: [PATCH 255/846] formatting
https://github.com/Kicksecure/security-misc/issues/157
---
usr/share/doc/security-misc/fstab-vm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/usr/share/doc/security-misc/fstab-vm b/usr/share/doc/security-misc/fstab-vm
index e2df094..ef56409 100644
--- a/usr/share/doc/security-misc/fstab-vm
+++ b/usr/share/doc/security-misc/fstab-vm
@@ -1,4 +1,4 @@
-#
+#
/dev/disk/by-uuid/26ada0c0-1165-4098-884d-aafd2220c2c6 / auto defaults,errors=remount-ro 0 1
From 2b7aeedb4a543d0a43a35918999338097d13bb16 Mon Sep 17 00:00:00 2001
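Review bot: The `tmpfs` type written on the `/tmp` line and the `devtmpfs` type on the `/dev` line have no effect, because both entries keep `bind,remount` and a bind mount always reuses whatever filesystem already backs the source path; `/tmp` is still the on-disk `/tmp` bound onto itself, not a memory-backed tmpfs that is cleared on reboot, which is what an auditor reading this example will assume. Either keep the type as `none` so the entry says what it does, or turn it into a real tmpfs entry without `bind`, e.g. `tmpfs /tmp tmpfs nosuid,nodev,noexec,size=25% 0 0`, and add a comment that a real tmpfs hides the existing on-disk contents of `/tmp`. The same applies to `/dev`: `/dev /dev devtmpfs bind,...` is a self-bind, so the `devtmpfs` label is cosmetic.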
From: Patrick Schleizer Date: Mon, 25 Dec 2023 09:44:51 -0500 Subject: [PATCH 256/846] mount /dev/cdrom to /mnt/cdrom (instead of /mnt/cdrom0) and nodev,nosuid,noexec as per: https://www.debian.org/doc/manuals/securing-debian-manual/ch04s10.en.html https://github.com/Kicksecure/security-misc/issues/157 --- usr/share/doc/security-misc/fstab-vm | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/usr/share/doc/security-misc/fstab-vm b/usr/share/doc/security-misc/fstab-vm index ef56409..cbd240c 100644 --- a/usr/share/doc/security-misc/fstab-vm +++ b/usr/share/doc/security-misc/fstab-vm @@ -9,7 +9,8 @@ proc /proc pr ## noexec optional /dev/shm /dev/shm tmpfs nosuid,nodev,noexec 0 0 -/dev/cdrom /mnt/cdrom0 iso9660 ro,user,noauto 0 0 +## https://www.debian.org/doc/manuals/securing-debian-manual/ch04s10.en.html +/dev/cdrom /mnt/cdrom iso9660 ro,users,nodev,nosuid,noexec 0 0 /boot /boot none bind,remount,nosuid,nodev,noexec 0 0 From 4aa645f29ff741b6e5cdf629deade1923fdcc234 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 25 Dec 2023 09:46:33 -0500 Subject: [PATCH 257/846] comment https://github.com/Kicksecure/security-misc/issues/157 --- usr/share/doc/security-misc/fstab-vm | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/share/doc/security-misc/fstab-vm b/usr/share/doc/security-misc/fstab-vm index cbd240c..ee704c4 100644 --- a/usr/share/doc/security-misc/fstab-vm +++ b/usr/share/doc/security-misc/fstab-vm @@ -9,6 +9,7 @@ proc /proc pr ## noexec optional /dev/shm /dev/shm tmpfs nosuid,nodev,noexec 0 0 +## nodev,nosuid,noexec as per: ## https://www.debian.org/doc/manuals/securing-debian-manual/ch04s10.en.html /dev/cdrom /mnt/cdrom iso9660 ro,users,nodev,nosuid,noexec 0 0 From 40fd8cb6081512e2bc0ef1a7a1ee17cd317024c2 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Mon, 25 Dec 2023 09:51:09 -0500 Subject: [PATCH 258/846] no `nofail` mount option to avoid breaking the boot of a system unit testing belongs elsewhere https://github.com/Kicksecure/security-misc/issues/157 --- usr/share/doc/security-misc/fstab-vm | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/usr/share/doc/security-misc/fstab-vm b/usr/share/doc/security-misc/fstab-vm index ee704c4..84ab4ad 100644 --- a/usr/share/doc/security-misc/fstab-vm +++ b/usr/share/doc/security-misc/fstab-vm 
@@ -1,32 +1,32 @@
-#
+#
-/dev/disk/by-uuid/26ada0c0-1165-4098-884d-aafd2220c2c6 / auto defaults,errors=remount-ro 0 1
+/dev/disk/by-uuid/26ada0c0-1165-4098-884d-aafd2220c2c6 / auto nofail,defaults,errors=remount-ro 0 1
-proc /proc proc defaults 0 0
+proc /proc proc nofail,defaults 0 0
-/dev /dev devtmpfs bind,remount,nosuid,noexec 0 0
+/dev /dev devtmpfs nofail,bind,remount,nosuid,noexec 0 0
## noexec optional
-/dev/shm /dev/shm tmpfs nosuid,nodev,noexec 0 0
+/dev/shm /dev/shm tmpfs nofail,nosuid,nodev,noexec 0 0
## nodev,nosuid,noexec as per:
## https://www.debian.org/doc/manuals/securing-debian-manual/ch04s10.en.html
-/dev/cdrom /mnt/cdrom iso9660 ro,users,nodev,nosuid,noexec 0 0
+/dev/cdrom /mnt/cdrom iso9660 nofail,ro,users,nodev,nosuid,noexec 0 0
-/boot /boot none bind,remount,nosuid,nodev,noexec 0 0
+/boot /boot none nofail,bind,remount,nosuid,nodev,noexec 0 0
## noexec optional
-/tmp /tmp tmpfs bind,remount,nosuid,nodev,noexec 0 0
+/tmp /tmp tmpfs nofail,bind,remount,nosuid,nodev,noexec 0 0
-/var /var none bind,remount,nosuid,nodev 0 0
+/var /var none nofail,bind,remount,nosuid,nodev 0 0
## noexec optional
-/var/tmp /var/tmp none bind,remount,nosuid,nodev,noexec 0 0
+/var/tmp /var/tmp none nofail,bind,remount,nosuid,nodev,noexec 0 0
-/var/log /var/log none bind,remount,nosuid,nodev,noexec 0 0
+/var/log /var/log none nofail,bind,remount,nosuid,nodev,noexec 0 0
## noexec optional
-/run /run none bind,remount,nosuid,nodev,noexec 0 0
+/run /run none nofail,bind,remount,nosuid,nodev,noexec 0 0
## noexec optional
-/home /home none bind,remount,nosuid,nodev,noexec 0 0
+/home /home none nofail,bind,remount,nosuid,nodev,noexec 0 0
From 9fce67fcd942a7e3e0dd2e874226fcdab5e33ba3 Mon Sep 17 00:00:00 2001
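Review bot: Putting `nofail` on every hardening entry makes the protections fail open: if one of the `bind,remount` lines with `nosuid,nodev,noexec` cannot be applied at boot, the system comes up anyway with that mount point still exec- and suid-capable and nothing tells the operator, which is the wrong default for a file whose purpose is to enforce those options. `nofail` on the root entry (`/ auto nofail,defaults,errors=remount-ro 0 1`) is also meaningless, since boot cannot proceed without the root filesystem. I would keep `nofail` only on genuinely optional media such as the `/dev/cdrom` line, and document a post-boot check like `findmnt -no OPTIONS /home | grep -qw noexec` so a skipped remount is noticed rather than silently tolerated. The subject line reads "no `nofail` mount option" while the hunk adds `nofail` to every line; the message should state which one is intended.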
From: Patrick Schleizer
Date: Mon, 25 Dec 2023 10:28:47 -0500
Subject: [PATCH 259/846] remove superfluous, broken `remount` mount option
https://github.com/Kicksecure/security-misc/issues/157
---
usr/share/doc/security-misc/fstab-vm | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/usr/share/doc/security-misc/fstab-vm b/usr/share/doc/security-misc/fstab-vm
index 84ab4ad..a6b8ba7 100644
--- a/usr/share/doc/security-misc/fstab-vm
+++ b/usr/share/doc/security-misc/fstab-vm
@@ -13,20 +13,20 @@ proc /proc pr
## https://www.debian.org/doc/manuals/securing-debian-manual/ch04s10.en.html
/dev/cdrom /mnt/cdrom iso9660 nofail,ro,users,nodev,nosuid,noexec 0 0
-/boot /boot none nofail,bind,remount,nosuid,nodev,noexec 0 0
+/boot /boot none nofail,bind,nosuid,nodev,noexec 0 0
## noexec optional
-/tmp /tmp tmpfs nofail,bind,remount,nosuid,nodev,noexec 0 0
+/tmp /tmp tmpfs nofail,bind,nosuid,nodev,noexec 0 0
-/var /var none nofail,bind,remount,nosuid,nodev 0 0
+/var /var none nofail,bind,nosuid,nodev 0 0
## noexec optional
-/var/tmp /var/tmp none nofail,bind,remount,nosuid,nodev,noexec 0 0
+/var/tmp /var/tmp none nofail,bind,nosuid,nodev,noexec 0 0
-/var/log /var/log none nofail,bind,remount,nosuid,nodev,noexec 0 0
+/var/log /var/log none nofail,bind,nosuid,nodev,noexec 0 0
## noexec optional
-/run /run none nofail,bind,remount,nosuid,nodev,noexec 0 0
+/run /run none nofail,bind,nosuid,nodev,noexec 0 0
## noexec optional
-/home /home none nofail,bind,remount,nosuid,nodev,noexec 0 0
+/home /home none nofail,bind,nosuid,nodev,noexec 0 0
From 971ff687b1423499c54495a03e5e6fafcbfefb2a Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Mon, 25 Dec 2023 10:30:35 -0500
Subject: [PATCH 260/846] do not mount /dev/cdrom by default
https://github.com/Kicksecure/security-misc/issues/157
---
usr/share/doc/security-misc/fstab-vm | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
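Review bot: The sweep that drops the broken `remount` option starts at file line 13 and so misses the `/dev` entry near the top of the file, which the context of a later patch in this series still shows as `/dev /dev devtmpfs nofail,bind,remount,nosuid,noexec 0 0`; if `remount` is broken for `/boot`, `/tmp` and the others it is broken there too, and that line is the one meant to keep `/dev` `nosuid,noexec`. The same one-line change is needed: `/dev /dev devtmpfs nofail,bind,nosuid,noexec 0 0`. Separately, the `tmpfs` type kept on the `/tmp` bind line is ignored for a bind mount, so in effect it is still `none` and the label misleads anyone auditing the file.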
diff --git a/usr/share/doc/security-misc/fstab-vm b/usr/share/doc/security-misc/fstab-vm index a6b8ba7..81eb612 100644 --- a/usr/share/doc/security-misc/fstab-vm +++ b/usr/share/doc/security-misc/fstab-vm @@ -11,7 +11,9 @@ proc /proc pr ## nodev,nosuid,noexec as per: ## https://www.debian.org/doc/manuals/securing-debian-manual/ch04s10.en.html -/dev/cdrom /mnt/cdrom iso9660 nofail,ro,users,nodev,nosuid,noexec 0 0 +## Commented out by default to prevent warning: +## mount: /mnt/cdrom: mount point does not exist. +#/dev/cdrom /mnt/cdrom iso9660 nofail,ro,users,nodev,nosuid,noexec 0 0 /boot /boot none nofail,bind,nosuid,nodev,noexec 0 0 From c86c83cef760906a0d1c56ee8a8c744b2e07f212 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 25 Dec 2023 10:31:58 -0500 Subject: [PATCH 261/846] formatting https://github.com/Kicksecure/security-misc/issues/157 --- usr/share/doc/security-misc/fstab-vm | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/usr/share/doc/security-misc/fstab-vm b/usr/share/doc/security-misc/fstab-vm index 81eb612..cec3399 100644 --- a/usr/share/doc/security-misc/fstab-vm +++ b/usr/share/doc/security-misc/fstab-vm 
@@ -15,20 +15,20 @@ proc /proc pr ## mount: /mnt/cdrom: mount point does not exist. #/dev/cdrom /mnt/cdrom iso9660 nofail,ro,users,nodev,nosuid,noexec 0 0 -/boot /boot none nofail,bind,nosuid,nodev,noexec 0 0 +/boot /boot none nofail,bind,nosuid,nodev,noexec 0 0 ## noexec optional -/tmp /tmp tmpfs nofail,bind,nosuid,nodev,noexec 0 0 +/tmp /tmp tmpfs nofail,bind,nosuid,nodev,noexec 0 0 -/var /var none nofail,bind,nosuid,nodev 0 0 +/var /var none nofail,bind,nosuid,nodev 0 0 ## noexec optional -/var/tmp /var/tmp none nofail,bind,nosuid,nodev,noexec 0 0 +/var/tmp /var/tmp none nofail,bind,nosuid,nodev,noexec 0 0 -/var/log /var/log none nofail,bind,nosuid,nodev,noexec 0 0 +/var/log /var/log none nofail,bind,nosuid,nodev,noexec 0 0 ## noexec optional -/run /run none nofail,bind,nosuid,nodev,noexec 0 0 +/run /run none nofail,bind,nosuid,nodev,noexec 0 0 ## noexec optional -/home /home none nofail,bind,nosuid,nodev,noexec 0 0 +/home /home none nofail,bind,nosuid,nodev,noexec 0 0 From f64a869bfdd4c746afd206367885851946deb692 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 25 Dec 2023 11:03:22 -0500 Subject: [PATCH 262/846] readme --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 48e285e..4ac4fb6 100644 --- a/README.md +++ b/README.md @@ -512,7 +512,7 @@ component of Kicksecure, not a substitute for it. The intention isn't to recreate Kicksecure within security-misc. Instead, specific security enhancements, like for example recommending a curated list of security-focused default packages (e.g., `libpam-tmpdir`), should be integrated directly into -those appropriate areas of Kicksecure (e.g. `kicksecure-meta-packages`). +those appropriate areas of Kicksecure (e.g.`kicksecure-meta-packages`). Discussion: https://github.com/Kicksecure/security-misc/issues/154 From e15596e7af6fc645dd652c043397baaa91954915 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Mon, 25 Dec 2023 16:28:10 +0000 Subject: [PATCH 263/846] bumped changelog version --- changelog.upstream | 148 +++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++ 2 files changed, 154 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 2cf4a5b..5280bc6 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,151 @@ +commit f64a869bfdd4c746afd206367885851946deb692 +Author: Patrick Schleizer +Date: Mon Dec 25 11:03:22 2023 -0500 + + readme + +commit c86c83cef760906a0d1c56ee8a8c744b2e07f212 +Author: Patrick Schleizer +Date: Mon Dec 25 10:31:58 2023 -0500 + + formatting + + https://github.com/Kicksecure/security-misc/issues/157 + +commit 971ff687b1423499c54495a03e5e6fafcbfefb2a +Author: Patrick Schleizer +Date: Mon Dec 25 10:30:35 2023 -0500 + + do not mount /dev/cdrom by default + + https://github.com/Kicksecure/security-misc/issues/157 + +commit 9fce67fcd942a7e3e0dd2e874226fcdab5e33ba3 +Author: Patrick Schleizer +Date: Mon Dec 25 10:28:47 2023 -0500 + + remove superfluous, broken `remount` mount option + + https://github.com/Kicksecure/security-misc/issues/157 + +commit 40fd8cb6081512e2bc0ef1a7a1ee17cd317024c2 +Author: Patrick Schleizer +Date: Mon Dec 25 09:51:09 2023 -0500 + + no `nofail` mount option to avoid breaking the boot of a system + + unit testing belongs elsewhere + + https://github.com/Kicksecure/security-misc/issues/157 + +commit 4aa645f29ff741b6e5cdf629deade1923fdcc234 +Author: Patrick Schleizer +Date: Mon Dec 25 09:46:33 2023 -0500 + + comment + + https://github.com/Kicksecure/security-misc/issues/157 + +commit 2b7aeedb4a543d0a43a35918999338097d13bb16 +Author: Patrick Schleizer +Date: Mon Dec 25 09:44:51 2023 -0500 + + mount /dev/cdrom to /mnt/cdrom (instead of /mnt/cdrom0) and + nodev,nosuid,noexec + + as per: + https://www.debian.org/doc/manuals/securing-debian-manual/ch04s10.en.html + + https://github.com/Kicksecure/security-misc/issues/157 + +commit 0d9e9780daca563a726470a3a5d6fa8c20487240 +Author: Patrick Schleizer +Date: Mon Dec 25 09:37:14 2023 -0500 + + formatting + + https://github.com/Kicksecure/security-misc/issues/157 + +commit 00f9ab43947795c1144d797547968c7c149d6f21 +Author: Patrick Schleizer +Date: Mon Dec 25 09:36:05 2023 -0500 + + /dev devtmpfs + + https://github.com/Kicksecure/security-misc/issues/157 + +commit 
55709b3aa0acd6cad0c9fedb8782c49fbea79689 +Author: Patrick Schleizer +Date: Mon Dec 25 09:30:57 2023 -0500 + + /tmp tmpfs + + https://github.com/Kicksecure/security-misc/issues/157 + +commit b0dd967611c27f5b8e2472bb74a664aead7a229e +Author: Patrick Schleizer +Date: Mon Dec 25 09:27:45 2023 -0500 + + usrmerge + + https://github.com/Kicksecure/security-misc/issues/157 + +commit 269fada14a616c53d7421e88e662f6893eb1fd88 +Author: Patrick Schleizer +Date: Mon Dec 25 09:25:14 2023 -0500 + + combine bind lines + + https://github.com/Kicksecure/security-misc/issues/157 + +commit 0810c1ce3c9e19c745b8f0d2cd9410353b172779 +Author: Patrick Schleizer +Date: Mon Dec 25 09:10:31 2023 -0500 + + fix bluetooth in readme + + fixes https://github.com/Kicksecure/security-misc/issues/180 + +commit 37b4ab15a823134e616a2a0fe1dda18d5ebfa3c0 +Author: Patrick Schleizer +Date: Mon Dec 25 09:04:10 2023 -0500 + + readme + +commit 79f398d219b9c4cdf8ea0f9e3135a08fa32659a8 +Author: Patrick Schleizer +Date: Mon Dec 25 08:45:20 2023 -0500 + + formatting + +commit c90ada3c398205227d906e2b2108d36d92edcf3c +Author: Patrick Schleizer +Date: Mon Dec 25 08:37:23 2023 -0500 + + pandoc -f markdown -t markdown --wrap=auto --columns=80 README.md -o README.md + +commit 34bf297bd17af2adf59804bd133a00b7dc1942b7 +Author: Patrick Schleizer +Date: Mon Dec 25 08:32:34 2023 -0500 + + formatting + +commit d5fc9f620169b6975c8d3ef685f47e62cb6b9262 +Author: Patrick Schleizer +Date: Mon Dec 25 08:26:03 2023 -0500 + + improve bluetooth in readme + + as suggested by @monsieuremre + + https://github.com/Kicksecure/security-misc/issues/180 + +commit 7fa597deca7ff2b2932a5f5fad56be57bd78b6cf +Author: Patrick Schleizer +Date: Fri Dec 22 16:31:58 2023 +0000 + + bumped changelog version + commit f70a034da2b4b615855504e7080baf1a7e7b461c Author: Patrick Schleizer Date: Fri Dec 22 08:31:58 2023 -0500 diff --git a/debian/changelog b/debian/changelog index 74ad652..a99c2c3 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@
+security-misc (3:34.7-1) unstable; urgency=medium
+
+ * New upstream version (local package).
+
+ -- Patrick Schleizer Mon, 25 Dec 2023 16:28:09 +0000
+
security-misc (3:34.6-1) unstable; urgency=medium
* New upstream version (local package).
From 5b36599c0ce35857239c82459828db1ec4215411 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Fri, 29 Dec 2023 14:57:38 -0500
Subject: [PATCH 264/846] /dev/, /dev/shm, /tmp
https://github.com/Kicksecure/security-misc/issues/157#issuecomment-1869073716
---
usr/share/doc/security-misc/fstab-vm | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/usr/share/doc/security-misc/fstab-vm b/usr/share/doc/security-misc/fstab-vm
index cec3399..e02a087 100644
--- a/usr/share/doc/security-misc/fstab-vm
+++ b/usr/share/doc/security-misc/fstab-vm
@@ -5,9 +5,11 @@
proc /proc proc nofail,defaults 0 0
/dev /dev devtmpfs nofail,bind,remount,nosuid,noexec 0 0
+#udev /dev devtmpfs defaults,nosuid,noexec 0 0
## noexec optional
/dev/shm /dev/shm tmpfs nofail,nosuid,nodev,noexec 0 0
+#tmpfs /dev/shm tmpfs defaults,nosuid,nodev,noexec 0 0
## nodev,nosuid,noexec as per:
## https://www.debian.org/doc/manuals/securing-debian-manual/ch04s10.en.html
@@ -19,6 +21,7 @@ proc /proc pr
## noexec optional
/tmp /tmp tmpfs nofail,bind,nosuid,nodev,noexec 0 0
+#tmpfs /tmp tmpfs defaults,nodev,nosuid,noexec 0 0
/var /var none nofail,bind,nosuid,nodev 0 0
@@ -32,3 +35,6 @@ proc /proc pr
## noexec optional
/home /home none nofail,bind,nosuid,nodev,noexec 0 0
+
+## TODO:
+#/sys
From 94c0e26a082f61f71e89b1fb7386a58166ffa411 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Fri, 29 Dec 2023 20:15:50 +0000
Subject: [PATCH 265/846] bumped changelog version
---
changelog.upstream | 14 ++++++++++++++
debian/changelog | 6 ++++++
2 files changed, 20 insertions(+)
diff --git a/changelog.upstream b/changelog.upstream
index 5280bc6..00f98f1 100644
--- a/changelog.upstream
+++ b/changelog.upstream
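Review bot: The new commented tmpfs entries `#tmpfs /tmp tmpfs defaults,nodev,nosuid,noexec 0 0` and `#tmpfs /dev/shm tmpfs defaults,nosuid,nodev,noexec 0 0` set no `size=` bound, so whoever uncomments them gets the tmpfs default of half of RAM, which any local user can fill from `/tmp` to drive the machine into memory pressure; a hardening example should pin it, e.g. `tmpfs /tmp tmpfs nodev,nosuid,noexec,size=25%,mode=1777 0 0` (`mode=1777` is the tmpfs default, stated here so the sticky bit is visible in the file). Each mount point now has an active bind entry and a commented replacement directly below it with nothing saying they are alternatives, so a reader could enable both; a line such as `## Alternative to the bind entry above: a real tmpfs, contents do not survive reboot.` would make that explicit. The `## TODO: #/sys` placeholder would be more actionable if it named the options intended, presumably `nosuid,nodev,noexec`, and whether a bind or a fresh sysfs mount is meant.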
@@ -1,3 +1,17 @@ +commit 5b36599c0ce35857239c82459828db1ec4215411 +Author: Patrick Schleizer +Date: Fri Dec 29 14:57:38 2023 -0500 + + /dev/, /dev/shm, /tmp + + https://github.com/Kicksecure/security-misc/issues/157#issuecomment-1869073716 + +commit e15596e7af6fc645dd652c043397baaa91954915 +Author: Patrick Schleizer +Date: Mon Dec 25 16:28:10 2023 +0000 + + bumped changelog version + commit f64a869bfdd4c746afd206367885851946deb692 Author: Patrick Schleizer Date: Mon Dec 25 11:03:22 2023 -0500 diff --git a/debian/changelog b/debian/changelog index a99c2c3..5c393ca 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:34.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 29 Dec 2023 20:15:50 +0000 + security-misc (3:34.7-1) unstable; urgency=medium * New upstream version (local package). From f138cf0f78c03e3952801d01d25d5f8065ff1457 Mon Sep 17 00:00:00 2001 From: Ben Grande Date: Tue, 2 Jan 2024 12:17:16 +0100 Subject: [PATCH 266/846] Refactor permission-hardener - Organize comments from default configuration; - Apply and undo changes from a single file controlled by parameters; - Arrays should be evaluated as arrays and not normal variables; - Quote variables; - Brackets around variables; - Standardize test cases to "test" command; - Test against empty or non-empty variables with "-z" and "-n"; - Show a usage message when necessary; - Require root to run the script with informative message; - Permit the user to see the help message without running as root; - Do not create root directories without passing root check; - Use long options for "set" command; --- etc/permission-hardening.d/30_default.conf | 31 +- usr/bin/permission-hardening | 1043 +++++++++++--------- usr/bin/permission-hardening-undo | 136 --- 3 files changed, 615 insertions(+), 595 deletions(-) delete mode 100755 usr/bin/permission-hardening-undo 
diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardening.d/30_default.conf index 8ff51c9..b6e4aeb 100644 --- a/etc/permission-hardening.d/30_default.conf +++ b/etc/permission-hardening.d/30_default.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardening.d/20_user.conf" or @@ -9,10 +9,8 @@ ## ## Syntax: ## [filename] [mode] [owner] [group] [capability] +## [filename] [exactwhitelist|matchwhitelist|disablewhitelist|nosuid] ## -## To remove all SUID/SGID binaries in a directory, you can use the "nosuid" -## argument. - ## TODO: white spaces inside file name untested and probably will not work. ###################################################################### @@ -22,13 +20,9 @@ #whitelists_disable_all=true ###################################################################### -# SUID disablewhitelist +# SUID disables below (or in lexically higher) files: disablewhitelist ###################################################################### -## disablewhitelist disables below (or in lexically higher) files -## exactwhitelist and matchwhitelist. Add these here (discouraged) or better -## in file "/etc/permission-hardening.d/20_user.conf". - ## For example, if you are not using SELinux the following might make sense to ## enable. TODO: research #/utempter/utempter disablewhitelist @@ -37,7 +31,7 @@ #/fusermount disablewhitelist ###################################################################### -# SUID exact match whitelist +# SUID whitelist matches full path: exactwhitelist ###################################################################### ## In case you need to use 'su'. See also: 
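Review bot: The new syntax line `## [filename] [exactwhitelist|matchwhitelist|disablewhitelist|nosuid]` does not list `whitelist`, yet the unchanged example further down in this file, `#/lib/xorg/Xorg.wrap whitelist`, uses exactly that keyword; a user copying that example into `20_user.conf` cannot tell from this file whether `whitelist` is an accepted alias or a line the hardener ignores, and if it is ignored, enabling the example would not exempt the Xorg wrapper and it would lose its SUID bit on the next run. Either add `whitelist` to the syntax line if the script still accepts it, or change the example to `#/lib/xorg/Xorg.wrap exactwhitelist` so the documented keywords and the examples agree. Whether the script accepts `whitelist` is not visible in this hunk, so it should be checked against the parser before picking one of the two fixes.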
@@ -45,10 +39,6 @@
 #/bin/su exactwhitelist
 #/usr/bin/su exactwhitelist
-######################################################################
-# SUID exact match whitelist
-######################################################################
-
 ## https://manpages.debian.org/xserver-xorg-legacy/Xorg.wrap.1.en.html
 ## https://lwn.net/Articles/590315/
 ## http://forums.whonix.org/t/permission-hardening/8655/25
@@ -56,12 +46,12 @@
 #/lib/xorg/Xorg.wrap whitelist
 ######################################################################
-# SUID regex match whitelist
+# SUID whitelist matches in any section of the path: matchwhitelist
 ######################################################################
-######################################################################
-# SUID regex match whitelist
-######################################################################
+## Examples below are already configured:
+#ssh-agent matchwhitelist
+#/lib/openssh matchwhitelist
 ######################################################################
 # Permission Hardening
@@ -95,9 +85,12 @@
 /etc/passwd- 0644 root root
 ######################################################################
-# SUID/SGID Removal
+# SUID/SGID Removal: nosuid
 ######################################################################
+## To remove all SUID/SGID binaries in a directory, you can use the "nosuid"
+## argument.
+##
 ## Remove all SUID/SGID binaries/libraries.
 /bin/ nosuid
diff --git a/usr/bin/permission-hardening b/usr/bin/permission-hardening
index aa95cbf..7673dd7 100755
--- a/usr/bin/permission-hardening
+++ b/usr/bin/permission-hardening
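Review bot: The new matchwhitelist heading in the `@@ -56,12 +46,12 @@` hunk correctly drops the word "regex", but the examples added beneath it do not say that the comparison is an unanchored fixed-string substring match (the script in this commit runs the path through `grep --quiet --fixed-strings`), so a bare name such as `ssh-agent` keeps the SUID/SGID bits on every path containing that string, not only on the intended binary. A one-line caveat after the heading would make the scope of an entry clear, e.g. `## matchwhitelist is a plain substring match (no regex, no anchoring); prefer a full directory prefix such as /lib/openssh over a bare name.`. The added line `## Examples below are already configured:` does not say where those entries live; presumably another file under /etc/permission-hardening.d, and naming it would help users checking what is actually in effect.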
@@ -1,510 +1,673 @@ #!/bin/bash -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## https://forums.whonix.org/t/disable-suid-binaries/7706 ## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707 ## To undo: -## sudo /usr/libexec/security-misc/permission-hardening-undo +## sudo permission-hardening disable -#set -x -set -e -set -o pipefail +set -o errexit -o nounset -o pipefail exit_code=0 - -mkdir --parents /var/lib/permission-hardening/private -mkdir --parents /var/lib/permission-hardening/existing_mode -mkdir --parents /var/lib/permission-hardening/new_mode -dpkg_admindir_parameter_existing_mode="--admindir /var/lib/permission-hardening/existing_mode" -dpkg_admindir_parameter_new_mode="--admindir /var/lib/permission-hardening/new_mode" +store_dir="/var/lib/permission-hardening" +dpkg_admindir_parameter_existing_mode="--admindir ${store_dir}/existing_mode" +dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode" echo_wrapper_ignore() { - echo "run: $@" - "$@" 2>/dev/null || true + echo "run: $*" + "$@" 2>/dev/null || true } echo_wrapper_silent_ignore() { - #echo "run: $@" - "$@" 2>/dev/null || true + #echo "run: $@" + "$@" 2>/dev/null || true } echo_wrapper_audit() { - echo "run: $@" - return_code=0 - "$@" || \ - { \ - return_code="$?" ; \ - exit_code=203 ; \ - echo "ERROR: above command failed with exit code '$return_code'! calling function name: '${FUNCNAME[1]}'" >&2 ; \ - }; + echo "run: $*" + return_code=0 + "$@" || + { + return_code="$?" + exit_code=203 + echo "ERROR: above command failed with exit code '${return_code}'! calling function name: '${FUNCNAME[1]}'" >&2 + } } echo_wrapper_silent_audit() { - #echo "run (debugging): $@" - return_code=0 - "$@" || \ - { \ - return_code="$?" 
; \ - exit_code=204 ; \ - echo "ERROR: above command '$@' failed with exit code '$return_code'! calling function name: '${FUNCNAME[1]}'" >&2 ; \ - }; + #echo "run (debugging): $@" + return_code=0 + "$@" || + { + return_code="$?" + exit_code=204 + echo "ERROR: above command '$*' failed with exit code '${return_code}'! calling function name: '${FUNCNAME[1]}'" >&2 + } +} + +make_store_dir(){ + mkdir --parents "${store_dir}/private" + mkdir --parents "${store_dir}/existing_mode" + mkdir --parents "${store_dir}/new_mode" } sanity_tests() { - echo_wrapper_silent_audit which \ - capsh getcap setcap stat find dpkg-statoverride getent xargs grep 1>/dev/null + echo_wrapper_silent_audit which \ + capsh getcap setcap stat find dpkg-statoverride getent xargs grep 1>/dev/null } add_nosuid_statoverride_entry() { - local fso_to_process - fso_to_process="$fso" - local should_be_counter - should_be_counter="$(find "$fso_to_process" -perm /u=s,g=s | wc -l)" || true - local counter_actual - counter_actual=0 + local fso_to_process + fso_to_process="${fso}" + local should_be_counter + should_be_counter="$(find "${fso_to_process}" -perm /u=s,g=s | wc -l)" || true + local counter_actual + counter_actual=0 - local line - while read -r line; do - true "line: $line" - counter_actual="$(( counter_actual + 1 ))" + local line + while read -r line; do + true "line: ${line}" + counter_actual="$((counter_actual + 1))" + + local arr file_name existing_mode existing_owner existing_group + IFS=" " read -r -a arr <<< "${line}" + file_name="${arr[0]}" + existing_mode="${arr[1]}" + existing_owner="${arr[2]}" + existing_group="${arr[3]}" + + if test "${#arr[@]}" = 0; then + echo "ERROR: arr is empty. line: '${line}'" >&2 + continue + fi + if test -z "${file_name}"; then + echo "ERROR: file_name is empty. line: '${line}'" >&2 + continue + fi + if test -z "${existing_mode}"; then + echo "ERROR: existing_mode is empty. 
line: '${line}'" >&2 + continue + fi + if test -z "${existing_owner}"; then + echo "ERROR: existing_owner is empty. line: '${line}'" >&2 + continue + fi + if test -z "${existing_group}"; then + echo "ERROR: existing_group is empty. line: '${line}'" >&2 + continue + fi + + ## -h file True if file is a symbolic Link. + ## -u file True if file has its set-user-id bit set. + ## -g file True if file has its set-group-id bit set. + + if test -h "${file_name}"; then + ## https://forums.whonix.org/t/disable-suid-binaries/7706/14 + true "skip symlink: ${file_name}" + continue + fi + + if test -d "${file_name}"; then + true "skip directory: ${file_name}" + continue + fi + + local setuid setuid_output setsgid setsgid_output + setuid="" + setuid_output="" + if test -u "${file_name}"; then + setuid=true + setuid_output="set-user-id" + fi + setsgid="" + setsgid_output="" + if test -g "${file_name}"; then + setsgid=true + setsgid_output="set-group-id" + fi + + local setuid_or_setsgid + setuid_or_setsgid="" + if test "${setuid}" = "true" || test "${setsgid}" = "true"; then + setuid_or_setsgid=true + fi + if test -z "${setuid_or_setsgid}"; then + continue + fi + + ## Remove suid / gid and execute permission for 'group' and 'others'. + ## Similar to: chmod og-ugx /path/to/filename + ## Removing execution permission is useful to make binaries such as 'su' + ## fail closed rather than fail open if suid was removed from these. + ## Do not remove read access since no security benefit and easier to + ## manually undo for users. + ## Are there suid or sgid binaries which are still useful if suid / sgid + ## has been removed from these? + new_mode="744" + + local is_exact_whitelisted + is_exact_whitelisted="" + for white_list_entry in ${exact_white_list}; do + if test "${file_name}" = "${white_list_entry}"; then + is_exact_whitelisted="true" + ## Stop looping through the whitelist. 
+ break + fi + done + + local is_match_whitelisted + is_match_whitelisted="" + for matchwhite_list_entry in ${match_white_list}; do + if echo "${file_name}" | grep --quiet --fixed-strings "${matchwhite_list_entry}"; then + is_match_whitelisted="true" + ## Stop looping through the match_white_list. + break + fi + done + + local is_disable_whitelisted + is_disable_whitelisted="" + for disablematch_list_entry in ${disable_white_list:-}; do + if echo "${file_name}" | grep --quiet --fixed-strings "${disablematch_list_entry}"; then + is_disable_whitelisted="true" + ## Stop looping through the disablewhitelist. + break + fi + done + + if test "${whitelists_disable_all:-}" = "true"; then + true "INFO: whitelists_disable_all=true - ${setuid_output} ${setsgid_output} found - file_name: '${file_name}' | existing_mode: '${existing_mode}'" + elif test "${is_disable_whitelisted}" = "true"; then + true "INFO: white list disabled - ${setuid_output} ${setsgid_output} found - file_name: '${file_name}' | existing_mode: '${existing_mode}'" + else + if test "${is_exact_whitelisted}" = "true"; then + true "INFO: SKIP whitelisted - ${setuid_output} ${setsgid_output} found - file_name: '${file_name}' | existing_mode: '${existing_mode}'" + continue + fi + if test "${is_match_whitelisted}" = "true"; then + true "INFO: SKIP matchwhitelisted - ${setuid_output} ${setsgid_output} found - file_name: '${file_name}' | existing_mode: '${existing_mode}' | matchwhite_list_entry: '${matchwhite_list_entry}'" + continue + fi + fi + + echo "INFO: ${setuid_output} ${setsgid_output} found - file_name: '${file_name}' | existing_mode: '${existing_mode}' | new_mode: '${new_mode}'" + + # shellcheck disable=SC2086 + if dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --list "${file_name}" >/dev/null; then + true "OK Existing mode already saved previously. Not saving again." + else + ## Save existing_mode in separate database. + ## Not using --update as not intending to enforce existing_mode. 
+ # shellcheck disable=SC2086 + echo_wrapper_silent_audit dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --add "${existing_owner}" "${existing_group}" "${existing_mode}" "${file_name}" + fi + + ## No need to check "dpkg-statoverride --list" for existing entries. + ## If existing_mode was correct already, we would not have reached this + ## point. Since existing_mode is incorrect, remove from dpkg-statoverride + ## and re-add. + + ## Remove from real database. + echo_wrapper_silent_ignore dpkg-statoverride --remove "${file_name}" + + ## Remove from separate database. + # shellcheck disable=SC2086 + echo_wrapper_silent_ignore dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --remove "${file_name}" + + ## Add to real database and use --update to make changes on disk. + echo_wrapper_audit dpkg-statoverride --add --update "${existing_owner}" "${existing_group}" "${new_mode}" "${file_name}" + + ## Not using --update as this is only for recording. + # shellcheck disable=SC2086 + echo_wrapper_silent_audit dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${existing_owner}" "${existing_group}" "${new_mode}" "${file_name}" + + ## /lib will hit ARG_MAX if using bash 'shopt -s globstar' and '/lib/**'. + ## Using 'find' with '-perm /u=s,g=s' is faster and avoids ARG_MAX. + ## https://forums.whonix.org/t/disable-suid-binaries/7706/17 + done < <(find "${fso_to_process}" -perm /u=s,g=s -print0 | xargs -I{} -0 stat -c "%n %a %U %G" {}) + + ## Sanity test. + if test ! "${should_be_counter}" = "${counter_actual}"; then + echo "INFO: fso_to_process: '${fso_to_process}' | counter_actual : '${counter_actual}'" + echo "INFO: fso_to_process: '${fso_to_process}' | should_be_counter: '${should_be_counter}'" + exit_code=202 + echo "ERROR: counter does not check out." 
>&2 + fi +} + +set_file_perms() { + true "INFO: START parsing config_file: '${config_file}'" + local line + while read -r line || test -n "${line}"; do + if test -z "${line}"; then + continue + fi + + if [[ "${line}" =~ ^# ]]; then + continue + fi + + if [[ "${line}" =~ [0-9a-zA-Z/] ]]; then + true "OK line contains only white listed characters." + else + exit_code=200 + echo "ERROR: cannot parse line with invalid character. line: '${line}'" >&2 + ## Safer to exit with error in this case. + ## https://forums.whonix.org/t/disable-suid-binaries/7706/59 + exit "${exit_code}" + fi + + if test "${line}" = 'whitelists_disable_all=true'; then + whitelists_disable_all=true + echo "INFO: whitelists_disable_all=true - all whitelists disabled." + continue + fi + + #global fso + local mode_from_config owner_from_config group_from_config capability_from_config + if ! read -r fso mode_from_config owner_from_config group_from_config capability_from_config <<<"${line}"; then + exit_code=201 + echo "ERROR: cannot parse. line: '${line}'" >&2 + ## Debugging. + du -hs /tmp || true + echo "test -w /tmp: '$(test -w /tmp)'" >&2 || true + ## Safer to exit with error in this case. + ## https://forums.whonix.org/t/disable-suid-binaries/7706/59 + exit "${exit_code}" + fi + + ## Debugging. 
+ #echo "line: '${line}'" + #echo "fso: '${fso}'" + #echo "mode_from_config: '${mode_from_config}'" + #echo "owner_from_config: '${owner_from_config}'" + + local fso_without_trailing_slash + fso_without_trailing_slash="${fso%/}" + + if test "${mode_from_config}" = "disablewhitelist"; then + ## TODO: test/add white spaces inside file name support + disable_white_list+="${fso} " + continue + fi + + if test "${mode_from_config}" = "exactwhitelist"; then + ## TODO: test/add white spaces inside file name support + exact_white_list+="${fso} " + continue + fi + + if test "${mode_from_config}" = "matchwhitelist"; then + ## TODO: test/add white spaces inside file name support + match_white_list+="${fso} " + continue + fi + + if test ! -e "${fso}"; then + true "INFO: fso: '${fso}' - does not exist. This is likely normal." + continue + fi + + ## Use dpkg-statoverride so permissions are not reset during upgrades. + + if test "${mode_from_config}" = "nosuid"; then + ## If mode_from_config is "nosuid" the config does not set owner and + ## group. Therefore do not enforce owner/group check. + add_nosuid_statoverride_entry + else + local string_length_of_mode_from_config + string_length_of_mode_from_config="${#mode_from_config}" + if test "${string_length_of_mode_from_config}" -gt "4"; then + echo "ERROR: Mode '${mode_from_config}' is invalid!" >&2 + continue + fi + if test "${string_length_of_mode_from_config}" -lt "3"; then + echo "ERROR: Mode '${mode_from_config}' is invalid!" >&2 + continue + fi + + if ! grep --quiet --fixed-strings "${owner_from_config}:" "${store_dir}/private/passwd"; then + echo "ERROR: owner_from_config '${owner_from_config}' does not exist!" >&2 + continue + fi + + if ! grep --quiet --fixed-strings "${group_from_config}:" "${store_dir}/private/group"; then + echo "ERROR: group_from_config '${group_from_config}' does not exist!" 
>&2 + continue + fi + + local mode_for_grep + mode_for_grep="${mode_from_config}" + first_character_of_mode_from_config="${mode_from_config::1}" + if test "${first_character_of_mode_from_config}" = "0"; then + ## Remove leading '0'. + mode_for_grep="${mode_from_config:1}" + fi + + local stat_output + stat_output="" + if ! stat_output="$(stat -c "%n %a %U %G" "${fso_without_trailing_slash}")"; then + echo "ERROR: failed to run 'stat' for fso_without_trailing_slash: '${fso_without_trailing_slash}'!" >&2 + continue + fi local arr file_name existing_mode existing_owner existing_group - arr=($line) + IFS=" " read -r -a arr <<< "${stat_output}" file_name="${arr[0]}" existing_mode="${arr[1]}" existing_owner="${arr[2]}" existing_group="${arr[3]}" - if [ "$arr" = "" ]; then - echo "ERROR: arr is empty. line: '$line'" >&2 - continue + if test "${#arr[@]}" = 0; then + echo "ERROR: arr is empty. stat_output: '${stat_output}' | line: '${line}'" >&2 + continue fi - if [ "$file_name" = "" ]; then - echo "ERROR: file_name is empty. line: '$line'" >&2 - continue + if test -z "${file_name}"; then + echo "ERROR: file_name is empty. stat_output: '${stat_output}' | line: '${line}'" >&2 + continue fi - if [ "$existing_mode" = "" ]; then - echo "ERROR: existing_mode is empty. line: '$line'" >&2 - continue + if test -z "${existing_mode}"; then + echo "ERROR: existing_mode is empty. stat_output: '${stat_output}' | line: '${line}'" >&2 + continue fi - if [ "$existing_owner" = "" ]; then - echo "ERROR: existing_owner is empty. line: '$line'" >&2 - continue + if test -z "${existing_owner}"; then + echo "ERROR: existing_owner is empty. stat_output: '${stat_output}' | line: '${line}'" >&2 + continue fi - if [ "$existing_group" = "" ]; then - echo "ERROR: existing_group is empty. line: '$line'" >&2 - continue + if test -z "${existing_group}"; then + echo "ERROR: ${existing_group} is empty. 
stat_output: '${stat_output}' | line: '${line}'" >&2 + continue fi - ## -h file True if file is a symbolic Link. - ## -u file True if file has its set-user-id bit set. - ## -g file True if file has its set-group-id bit set. + ## Check there is an entry for the fso. + ## + ## example: dpkg-statoverride --list | grep /home + ## output: + ## root root 755 /home + ## + ## dpkg-statoverride does not show leading '0'. + local dpkg_statoverride_list_output="" + local dpkg_statoverride_list_exit_code=0 + dpkg_statoverride_list_output="$(dpkg-statoverride --list "${fso_without_trailing_slash}")" || { + dpkg_statoverride_list_exit_code=$? + true + } - if test -h "$file_name" ; then - ## https://forums.whonix.org/t/disable-suid-binaries/7706/14 - true "skip symlink: $file_name" - continue - fi + if test "${dpkg_statoverride_list_exit_code}" = "0"; then + true "There is an fso entry. Check if owner/group/mode match." + local grep_line + grep_line="${owner_from_config} ${group_from_config} ${mode_for_grep} ${fso_without_trailing_slash}" + if echo "${dpkg_statoverride_list_output}" | grep --quiet --fixed-strings "${grep_line}"; then + true "OK The owner/group/mode matches. No further action required." + else + true "The owner/group/mode do not match, therefore remove and re-add the entry to update it." + ## fso_without_trailing_slash instead of fso to prevent + ## "dpkg-statoverride: warning: stripping trailing /" - if test -d "$file_name" ; then - true "skip directory: $file_name" - continue - fi + # shellcheck disable=SC2086 + if dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --list "${fso_without_trailing_slash}" >/dev/null; then + true "OK Existing mode already saved previously. No need to save again." + else + ## Save existing_mode in separate database. + ## Not using --update as not intending to enforce existing_mode. 
+ # shellcheck disable=SC2086 + echo_wrapper_silent_audit dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --add "${existing_owner}" "${existing_group}" "${existing_mode}" "${fso_without_trailing_slash}" + fi - local setuid setuid_output setsgid setsgid_output - setuid="" - setuid_output="" - if test -u "$file_name" ; then - setuid=true - setuid_output="set-user-id" - fi - setsgid="" - setsgid_output="" - if test -g "$file_name" ; then - setsgid=true - setsgid_output="set-group-id" - fi + # shellcheck disable=SC2086 + echo_wrapper_silent_ignore dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --remove "${fso_without_trailing_slash}" - local setuid_or_setsgid - setuid_or_setsgid="" - if [ "$setuid" = "true" ] || [ "$setsgid" = "true" ]; then - setuid_or_setsgid=true - fi - if [ "$setuid_or_setsgid" = "" ]; then - continue - fi + ## Remove from and add to real database. + echo_wrapper_silent_ignore dpkg-statoverride --remove "${fso_without_trailing_slash}" + echo_wrapper_audit dpkg-statoverride --add --update "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}" - ## Remove suid / gid and execute permission for 'group' and 'others'. - ## Similar to: chmod og-ugx /path/to/filename - ## Removing execution permission is useful to make binaries such as 'su' fail closed rather - ## than fail open if suid was removed from these. - ## Do not remove read access since no security benefit and easier to manually undo for users. - ## Are there suid or sgid binaries which are still useful if suid / sgid has been removed from these? - new_mode="744" - - local is_exact_whitelisted - is_exact_whitelisted="" - for white_list_entry in $exact_white_list ; do - if [ "$file_name" = "$white_list_entry" ]; then - is_exact_whitelisted="true" - ## Stop looping through the whitelist. 
- break - fi - done - - local is_match_whitelisted - is_match_whitelisted="" - for matchwhite_list_entry in $match_white_list ; do - if echo "$file_name" | grep --quiet --fixed-strings "$matchwhite_list_entry" ; then - is_match_whitelisted="true" - ## Stop looping through the match_white_list. - break - fi - done - - local is_disable_whitelisted - is_disable_whitelisted="" - for disablematch_list_entry in $disable_white_list ; do - if echo "$file_name" | grep --quiet --fixed-strings "$disablematch_list_entry" ; then - is_disable_whitelisted="true" - ## Stop looping through the disablewhitelist. - break - fi - done - - if [ "$whitelists_disable_all" = "true" ]; then - true "INFO: whitelists_disable_all=true - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode'" - elif [ "$is_disable_whitelisted" = "true" ]; then - true "INFO: white list disabled - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode'" + ## Save in separate database. + ## Not using --update as this is only for saving. + # shellcheck disable=SC2086 + echo_wrapper_silent_audit dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}" + fi else - if [ "$is_exact_whitelisted" = "true" ]; then - true "INFO: SKIP whitelisted - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode'" - continue - fi - if [ "$is_match_whitelisted" = "true" ]; then - true "INFO: SKIP matchwhitelisted - $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode' | matchwhite_list_entry: '$matchwhite_list_entry'" - continue - fi + true "There is no fso entry. Therefore add one." 
+ + # shellcheck disable=SC2086 + if dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --list "${fso_without_trailing_slash}" >/dev/null; then + true "OK Existing mode already saved previously. No need to save again." + else + ## Save existing_mode in separate database. + ## Not using --update as not intending to enforce existing_mode. + # shellcheck disable=SC2086 + echo_wrapper_silent_audit dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --add "${existing_owner}" "${existing_group}" "${existing_mode}" "${fso_without_trailing_slash}" + fi + + ## Add to real database. + echo_wrapper_audit dpkg-statoverride --add --update "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}" + + ## Save in separate database. + ## Not using --update as this is only for saving. + # shellcheck disable=SC2086 + echo_wrapper_silent_audit dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}" + fi + fi + if test -z "${capability_from_config}"; then + continue + fi + + if test "${capability_from_config}" = "none"; then + ## https://forums.whonix.org/t/disable-suid-binaries/7706/45 + ## sudo setcap -r /bin/ping 2>/dev/null + ## Failed to set capabilities on file '/bin/ping' (No data available) + ## The value of the capability argument is not permitted for a file. Or + ## the file is not a regular (non-symlink) file + ## Therefore use echo_wrapper_ignore. + echo_wrapper_ignore setcap -r "${fso}" + getcap_output="$(getcap "${fso}")" + if test -n "${getcap_output}"; then + exit_code=205 + echo "ERROR: removing capabilities for fso '${fso}' failed!" >&2 + continue + fi + else + if ! capsh --print | grep --fixed-strings "Bounding set" | grep --quiet "${capability_from_config}"; then + echo "ERROR: capability_from_config '${capability_from_config}' does not exist!" 
>&2 + continue fi - echo "INFO: $setuid_output $setsgid_output found - file_name: '$file_name' | existing_mode: '$existing_mode' | new_mode: '$new_mode'" - - if dpkg-statoverride $dpkg_admindir_parameter_existing_mode --list "$file_name" >/dev/null ; then - true "OK Existing mode already saved previously. No need to save again." - else - ## Save existing_mode in separate database. - ## Not using --update as not intending to enforce existing_mode. - echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_existing_mode --add "$existing_owner" "$existing_group" "$existing_mode" "$file_name" - fi - - ## No need to check "dpkg-statoverride --list" for existing entries. - ## If existing_mode was correct already, we would not have reached this point. - ## Since existing_mode is incorrect, remove from dpkg-statoverride and re-add. - - ## Remove from real database. - echo_wrapper_silent_ignore dpkg-statoverride --remove "$file_name" - - ## Remove from separate database. - echo_wrapper_silent_ignore dpkg-statoverride $dpkg_admindir_parameter_new_mode --remove "$file_name" - - ## Add to real database and use --update to make changes on disk. - echo_wrapper_audit dpkg-statoverride --add --update "$existing_owner" "$existing_group" "$new_mode" "$file_name" - - ## Not using --update as this is only for recording. - echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_new_mode --add "$existing_owner" "$existing_group" "$new_mode" "$file_name" - - ## /lib will hit ARG_MAX if using bash 'shopt -s globstar' and '/lib/**'. - ## Using 'find' with '-perm /u=s,g=s' is faster and avoids ARG_MAX. - ## https://forums.whonix.org/t/disable-suid-binaries/7706/17 - done < <( find "$fso_to_process" -perm /u=s,g=s -print0 | xargs -I{} -0 stat -c "%n %a %U %G" {} ) - - ## Sanity test. - if [ ! 
"$should_be_counter" = "$counter_actual" ]; then - echo "INFO: fso_to_process: '$fso_to_process' | counter_actual : '$counter_actual'" - echo "INFO: fso_to_process: '$fso_to_process' | should_be_counter: '$should_be_counter'" - exit_code=202 - echo "ERROR: counter does not check out." >&2 - fi -} - -set_file_perms() { - true "INFO: START parsing config_file: '$config_file'" - local line - while read -r line || [[ -n "${line}" ]]; do - if [ "$line" = "" ]; then - continue - fi - - if [[ "$line" =~ ^# ]]; then - continue - fi - - if [[ "$line" =~ [0-9a-zA-Z/] ]]; then - true "OK line contains only white listed characters." - else - exit_code=200 - echo "ERROR: cannot parse line with invalid character. line: '$line'" >&2 - ## Safer to exit with error in this case. - ## https://forums.whonix.org/t/disable-suid-binaries/7706/59 - exit "$exit_code" - fi - - if [ "$line" = 'whitelists_disable_all=true' ]; then - whitelists_disable_all=true - echo "INFO: whitelists_disable_all=true - all whitelists disabled." - continue - fi - - #global fso - local mode_from_config owner_from_config group_from_config capability_from_config - if ! read -r fso mode_from_config owner_from_config group_from_config capability_from_config <<< "$line" ; then - exit_code=201 - echo "ERROR: cannot parse. line: '$line'" >&2 - ## Debugging. - du -hs /tmp || true - echo "test -w /tmp: '$(test -w /tmp)'" >&2 || true - ## Safer to exit with error in this case. - ## https://forums.whonix.org/t/disable-suid-binaries/7706/59 - exit "$exit_code" - fi - - ## Debugging. 
- #echo "line: '$line'" - #echo "fso: '$fso'" - #echo "mode_from_config: '$mode_from_config'" - #echo "owner_from_config: '$owner_from_config'" - - local fso_without_trailing_slash - fso_without_trailing_slash="${fso%/}" - - if [ "$mode_from_config" = "disablewhitelist" ]; then - ## TODO: test/add white spaces inside file name support - disable_white_list+="$fso " - continue - fi - - if [ "$mode_from_config" = "exactwhitelist" ]; then - ## TODO: test/add white spaces inside file name support - exact_white_list+="$fso " - continue - fi - - if [ "$mode_from_config" = "matchwhitelist" ]; then - ## TODO: test/add white spaces inside file name support - match_white_list+="$fso " - continue - fi - - if [ ! -e "$fso" ]; then - true "INFO: fso: '$fso' - does not exist. This is likely normal." - continue - fi - - ## Use dpkg-statoverride so permissions are not reset during upgrades. - - if [ "$mode_from_config" = "nosuid" ]; then - ## If mode_from_config is "nosuid" the config does not set owner and - ## group. Therefore do not enforce owner/group check. - - add_nosuid_statoverride_entry - else - local string_length_of_mode_from_config - string_length_of_mode_from_config="${#mode_from_config}" - if [ "$string_length_of_mode_from_config" -gt "4" ]; then - echo "ERROR: Mode '$mode_from_config' is invalid!" >&2 - continue - fi - if [ "$string_length_of_mode_from_config" -lt "3" ]; then - echo "ERROR: Mode '$mode_from_config' is invalid!" >&2 - continue - fi - - if ! grep --quiet --fixed-strings "${owner_from_config}:" /var/lib/permission-hardening/private/passwd ; then - echo "ERROR: owner_from_config '$owner_from_config' does not exist!" >&2 - continue - fi - - if ! grep --quiet --fixed-strings "${group_from_config}:" /var/lib/permission-hardening/private/group ; then - echo "ERROR: group_from_config '$group_from_config' does not exist!" 
>&2 - continue - fi - - local mode_for_grep - mode_for_grep="$mode_from_config" - first_character_of_mode_from_config="${mode_from_config::1}" - if [ "$first_character_of_mode_from_config" = "0" ]; then - ## Remove leading '0'. - mode_for_grep="${mode_from_config:1}" - fi - - local stat_output - stat_output="" - if ! stat_output="$(stat -c "%n %a %U %G" "$fso_without_trailing_slash")" ; then - echo "ERROR: failed to run 'stat' for fso_without_trailing_slash: '$fso_without_trailing_slash'!" >&2 - continue - fi - - local arr file_name existing_mode existing_owner existing_group - arr=($stat_output) - file_name="${arr[0]}" - existing_mode="${arr[1]}" - existing_owner="${arr[2]}" - existing_group="${arr[3]}" - - if [ "$arr" = "" ]; then - echo "ERROR: arr is empty. stat_output: '$stat_output' | line: '$line'" >&2 - continue - fi - if [ "$file_name" = "" ]; then - echo "ERROR: file_name is empty. stat_output: '$stat_output' | line: '$line'" >&2 - continue - fi - if [ "$existing_mode" = "" ]; then - echo "ERROR: existing_mode is empty. stat_output: '$stat_output' | line: '$line'" >&2 - continue - fi - if [ "$existing_owner" = "" ]; then - echo "ERROR: existing_owner is empty. stat_output: '$stat_output' | line: '$line'" >&2 - continue - fi - if [ "$existing_group" = "" ]; then - echo "ERROR: $existing_group is empty. stat_output: '$stat_output' | line: '$line'" >&2 - continue - fi - - ## Check there is an entry for the fso. - ## - ## example: dpkg-statoverride --list | grep /home - ## output: - ## root root 755 /home - ## - ## dpkg-statoverride does not show leading '0'. - local dpkg_statoverride_list_output="" - local dpkg_statoverride_list_exit_code=0 - dpkg_statoverride_list_output="$(dpkg-statoverride --list "$fso_without_trailing_slash")" || { dpkg_statoverride_list_exit_code=$? ; true; }; - - if [ "$dpkg_statoverride_list_exit_code" = "0" ]; then - true "There is an fso entry. Check if owner/group/mode match." 
- local grep_line - grep_line="$owner_from_config $group_from_config $mode_for_grep $fso_without_trailing_slash" - if echo "$dpkg_statoverride_list_output" | grep --quiet --fixed-strings "$grep_line" ; then - true "OK The owner/group/mode matches. No further action required." - else - true "The owner/group/mode do not match, therefore remove and re-add the entry to update it." - ## fso_without_trailing_slash instead of fso to prevent - ## "dpkg-statoverride: warning: stripping trailing /" - - if dpkg-statoverride $dpkg_admindir_parameter_existing_mode --list "$fso_without_trailing_slash" >/dev/null ; then - true "OK Existing mode already saved previously. No need to save again." - else - ## Save existing_mode in separate database. - ## Not using --update as not intending to enforce existing_mode. - echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_existing_mode --add "$existing_owner" "$existing_group" "$existing_mode" "$fso_without_trailing_slash" - fi - - echo_wrapper_silent_ignore dpkg-statoverride $dpkg_admindir_parameter_new_mode --remove "$fso_without_trailing_slash" - - ## Remove from and add to real database. - echo_wrapper_silent_ignore dpkg-statoverride --remove "$fso_without_trailing_slash" - echo_wrapper_audit dpkg-statoverride --add --update "$owner_from_config" "$group_from_config" "$mode_from_config" "$fso_without_trailing_slash" - - ## Save in separate database. - ## Not using --update as this is only for saving. - echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_new_mode --add "$owner_from_config" "$group_from_config" "$mode_from_config" "$fso_without_trailing_slash" - fi - else - true "There is no fso entry. Therefore add one." - - if dpkg-statoverride $dpkg_admindir_parameter_existing_mode --list "$fso_without_trailing_slash" >/dev/null ; then - true "OK Existing mode already saved previously. No need to save again." - else - ## Save existing_mode in separate database. 
- ## Not using --update as not intending to enforce existing_mode. - echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_existing_mode --add "$existing_owner" "$existing_group" "$existing_mode" "$fso_without_trailing_slash" - fi - - ## Add to real database. - echo_wrapper_audit dpkg-statoverride --add --update "$owner_from_config" "$group_from_config" "$mode_from_config" "$fso_without_trailing_slash" - - ## Save in separate database. - ## Not using --update as this is only for saving. - echo_wrapper_silent_audit dpkg-statoverride $dpkg_admindir_parameter_new_mode --add "$owner_from_config" "$group_from_config" "$mode_from_config" "$fso_without_trailing_slash" - fi - fi - if [ "$capability_from_config" = "" ]; then - continue - fi - - if [ "$capability_from_config" = "none" ]; then - ## https://forums.whonix.org/t/disable-suid-binaries/7706/45 - # sudo setcap -r /bin/ping 2>/dev/null - # Failed to set capabilities on file '/bin/ping' (No data available) - # The value of the capability argument is not permitted for a file. Or the file is not a regular (non-symlink) file - ## Therefore use echo_wrapper_ignore. - echo_wrapper_ignore setcap -r "$fso" - getcap_output="$(getcap "$fso")" - if [ ! "$getcap_output" = "" ]; then - exit_code=205 - echo "ERROR: removing capabilities for fso '$fso' failed!" >&2 - continue - fi - else - if ! capsh --print | grep --fixed-strings "Bounding set" | grep --quiet "$capability_from_config" ; then - echo "ERROR: capability_from_config '$capability_from_config' does not exist!" 
>&2 - continue - fi - - ## feature request: dpkg-statoverride: support for capabilities - ## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=502580 - echo_wrapper_audit setcap "${capability_from_config}+ep" "$fso" - fi - done < "$config_file" - true "INFO: END parsing config_file: '$config_file'" + ## feature request: dpkg-statoverride: support for capabilities + ## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=502580 + echo_wrapper_audit setcap "${capability_from_config}+ep" "${fso}" + fi + done <"${config_file}" + true "INFO: END parsing config_file: '${config_file}'" } parse_config_folder() { - touch /var/lib/permission-hardening/private/passwd - chmod og-rwx /var/lib/permission-hardening/private/passwd - touch /var/lib/permission-hardening/private/group - chmod og-rwx /var/lib/permission-hardening/private/group + touch "${store_dir}/private/passwd" + chmod og-rwx "${store_dir}/private/passwd" + touch "${store_dir}/private/group" + chmod og-rwx "${store_dir}/private/group" local passwd_file_contents_temp - # Query contents of password and group databases only once and buffer them - # - # If we don't buffer we sometimes get incorrect results when checking for entries using - # 'if getent passwd | grep --quiet '^root:'; ...' since 'grep' exits after the first match in - # this case causing 'getent' to receive SIGPIPE, which then fails the pipeline since - # 'set -o pipefail' is set for this script. + ## Query contents of password and group databases only once and buffer them + ## + ## If we don't buffer we sometimes get incorrect results when checking for + ## entries using 'if getent passwd | grep --quiet '^root:'; ...' since + ## 'grep' exits after the first match in this case causing 'getent' to + ## receive SIGPIPE, which then fails the pipeline since 'set -o pipefail' is + ## set for this script. 
passwd_file_contents_temp=$(getent passwd) - echo "$passwd_file_contents_temp" | tee /var/lib/permission-hardening/private/passwd >/dev/null + echo "${passwd_file_contents_temp}" | tee "${store_dir}/private/passwd" >/dev/null group_file_contents_temp=$(getent group) - echo "$group_file_contents_temp" | tee /var/lib/permission-hardening/private/group >/dev/null + echo "${group_file_contents_temp}" | tee "${store_dir}/private/group" >/dev/null - passwd_file_contents=$(cat /var/lib/permission-hardening/private/passwd) - group_file_contents=$(cat /var/lib/permission-hardening/private/group) + passwd_file_contents="$(cat "${store_dir}/private/passwd")" + group_file_contents="$(cat "${store_dir}/private/group")" shopt -s nullglob - for config_file in /etc/permission-hardening.d/*.conf /usr/local/etc/permission-hardening.d/*.conf; do + for config_file in \ + /etc/permission-hardening.d/*.conf \ + /usr/local/etc/permission-hardening.d/*.conf + do set_file_perms done } -sanity_tests -parse_config_folder +apply() { + check_root + make_store_dir + sanity_tests + parse_config_folder -echo "\ + echo "\ INFO: To compare the current and previous permission modes: -1. Install 'meld' (or similar) for an easier comparison of file changes: - sudo apt install --no-install-recommends meld + Install 'meld' (or preferred diff tool) for comparison of file mode changes: + sudo apt install --no-install-recommends meld -2. Use 'meld' to view the differences: - meld /var/lib/permission-hardening/existing_mode/statoverride /var/lib/permission-hardening/new_mode/statoverride" + Use 'meld' or another diff tool to view the differences: + meld ${store_dir}/existing_mode/statoverride ${store_dir}/new_mode/statoverride" +} -if [ ! 
"$exit_code" = "0" ]; then - echo "ERROR: Will exit with non-zero exit code: '$exit_code'" >&2 +spare() { + check_root + make_store_dir + + remove_file="${1}" + exit_code=0 + dpkg_admindir_parameter_existing_mode="--admindir ${store_dir}/existing_mode" + dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode" + + if test ! -f "${store_dir}/existing_mode/statoverride"; then + return 0 + fi + + local line + while read -r line; do + ## example line: + ## root root 4755 /usr/lib/eject/dmcrypt-get-device + + local owner group mode file_name + if ! read -r owner group mode file_name <<< "${line}"; then + exit_code=201 + echo "ERROR: cannot parse line: ${line}" >&2 + continue + fi + true "owner: '${owner}' group: '${group}' mode: '${mode}' file_name: '${file_name}'" + + if test "${remove_file}" = "all"; then + proceed=true + verbose="" + remove_one=false + else + if test "${remove_file}" = "${file_name}"; then + proceed=true + verbose="--verbose" + remove_one=true + else + proceed=false + verbose="" + fi + fi + + if test "${proceed}" = "false"; then + continue + fi + + if test "${remove_one}" = "true"; then + set -o xtrace + fi + + if test -e "${file_name}"; then + chown ${verbose} "${owner}:${group}" "${file_name}" || exit_code=202 + ## chmod need to be run after chown since chown removes suid. + ## https://unix.stackexchange.com/questions/53665/chown-removes-setuid-bit-bug-or-feature + chmod ${verbose} "${mode}" "${file_name}" || exit_code=203 + else + echo "INFO: file_name: '${file_name}' - does not exist. This is likely normal." 
+ fi + + dpkg-statoverride --remove "${file_name}" &>/dev/null || true + # shellcheck disable=SC2086 + dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --remove "${file_name}" &>/dev/null || true + # shellcheck disable=SC2086 + dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --remove "${file_name}" &>/dev/null || true + + if test "${remove_one}" = "true"; then + set +o xtrace + break + fi + + done < "${store_dir}/existing_mode/statoverride" + + if test ! "${remove_file}" = "all"; then + if test ! "${remove_one}" = "true"; then + echo "INFO: no file removed. + + File '${remove_file}' has not removed from SUID Disabler and Permission Hardener during this invocation of this program. + + Note: This is expected if already done earlier. + + Note: This program expects the full path to the file. Example: + $0 disable /usr/bin/newgrp + + The following syntax will not work: + $0 disable program-name + + The following example will not work: + $0 disable newgrp + + To remove all: + $0 disable all + + This change might not be permanent (because of the permission-hardening.service systemd unit). For full instructions, see: + https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener + + To view list of changed by SUID Disabler and Permission Hardener: + https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#View_List_of_Permissions_Changed_by_SUID_Disabler_and_Permission_Hardener + + For re-enabling any specific SUID binary: + https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#Re-Enable_Specific_SUID_Binaries + + For completely disabling SUID Disabler and Permission Hardener: + https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#Disable_SUID_Disabler_and_Permission_Hardener" + fi + fi +} + +check_root(){ + if test "$(id -u)" != "0"; then + echo "ERROR: Not running as root, aborting." 
+ exit 1 + fi +} + +usage(){ + echo "Usage: ${0##*/} enable + ${0##*/} disable [FILE|all] + +Examples: + ${0##*/} enable + ${0##*/} disable all + ${0##*/} disable /usr/bin/newgrp" >&2 + exit "${1}" +} + +case "${1:-}" in + enable) shift; apply "$@";; + disable) + shift + case "${1:-}" in + "") usage;; + *) spare "${1}";; + esac + ;; + -h|--help) usage 0;; + *) usage 1;; +esac + +if test "${exit_code}" != "0"; then + echo "ERROR: Exiting with non-zero exit code: '${exit_code}'" >&2 fi -exit "$exit_code" +exit "${exit_code}" diff --git a/usr/bin/permission-hardening-undo b/usr/bin/permission-hardening-undo deleted file mode 100755 index ca22500..0000000 --- a/usr/bin/permission-hardening-undo +++ /dev/null 
@@ -1,136 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -#set -x -set -e -set -o pipefail - -if [ "$1" = "all" ]; then - remove_file="all" -elif [ ! "$1" = "" ]; then - remove_file="$1" -else - echo "ERROR: need to give parameter 'all' or a filename. - -examples: - -$0 all - -$0 /usr/bin/newgrp - " >&2 -fi - -exit_code=0 - -dpkg_admindir_parameter_existing_mode="--admindir /var/lib/permission-hardening/existing_mode" -dpkg_admindir_parameter_new_mode="--admindir /var/lib/permission-hardening/new_mode" - -undo_permission_hardening() { - if [ ! -f /var/lib/permission-hardening/existing_mode/statoverride ]; then - return 0 - fi - - local line - - while read -r line; do - ## example line: - ## root root 4755 /usr/lib/eject/dmcrypt-get-device - - local owner group mode file_name - if ! read -r owner group mode file_name <<< "$line" ; then - exit_code=201 - echo "ERROR: cannot parse line: $line" >&2 - continue - fi - true "owner: '$owner' group: '$group' mode: '$mode' file_name: '$file_name'" - - if [ "$remove_file" = "all" ]; then - do_proceed=true - verbose_maybe="" - else - if [ "$remove_file" = "$file_name" ]; then - do_proceed=true - verbose_maybe="--verbose" - remove_one=true - else - do_proceed=false - verbose_maybe="" - fi - fi - - if [ "$do_proceed" = "false" ]; then - continue - fi - - if [ "$remove_one" = "true" ]; then - set -x - fi - - if test -e "$file_name" ; then - chown $verbose_maybe "${owner}:${group}" "$file_name" || exit_code=202 - ## chmod need to be run after chown since chown removes suid. - ## https://unix.stackexchange.com/questions/53665/chown-removes-setuid-bit-bug-or-feature - chmod $verbose_maybe "$mode" "$file_name" || exit_code=203 - else - echo "INFO: file_name: '$file_name' - does not exist. This is likely normal." 
- fi - - dpkg-statoverride --remove "$file_name" &>/dev/null || true - dpkg-statoverride $dpkg_admindir_parameter_existing_mode --remove "$file_name" &>/dev/null || true - dpkg-statoverride $dpkg_admindir_parameter_new_mode --remove "$file_name" &>/dev/null || true - - if [ "$remove_one" = "true" ]; then - set +x - break - fi - - done < "/var/lib/permission-hardening/existing_mode/statoverride" -} - -undo_permission_hardening - -if [ ! "$remove_file" = "all" ]; then - if [ ! "$remove_one" = "true" ]; then - echo "INFO: none removed. - -File '$remove_file' has not removed from SUID Disabler and Permission Hardener during this invocation of this program. - -Note: This is expected if already done earlier. - -Note: This program expects the full path to the file. Example: - -$0 /usr/bin/newgrp - -The following syntax will not work: - -$0 program-name - -The following example will not work: - -$0 newgrp - -To remove all: - -$0 all - -This change might not be permanent (because of the permission-hardening.service systemd unit). For full instructions, see: -https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener - -To view list of changed by SUID Disabler and Permission Hardener: -https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#View_List_of_Permissions_Changed_by_SUID_Disabler_and_Permission_Hardener - -For re-enabling any specific SUID binary: -https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#Re-Enable_Specific_SUID_Binaries - -For completely disabling SUID Disabler and Permission Hardener: -https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#Disable_SUID_Disabler_and_Permission_Hardener" - fi -fi - -if [ ! "$exit_code" = "0" ]; then - echo "ERROR: Will exit with non-zero exit code: '$exit_code'" >&2 -fi - -exit "$exit_code" From abf72c2ee4286ec069f75e66acf05a42f3645c89 Mon Sep 17 00:00:00 2001 
From: Ben Grande Date: Tue, 2 Jan 2024 13:34:29 +0100 Subject: [PATCH 267/846] Rename file permission hardening script Hardener as the script is the agent that is hardening the file permissions. --- README.md | 10 +++++----- debian/security-misc.postinst | 6 +++--- .../25_default_passwd.conf | 4 ++-- .../25_default_sudo.conf | 4 ++-- .../25_default_whitelist_bubblewrap.conf | 4 ++-- .../25_default_whitelist_chromium.conf | 4 ++-- .../25_default_whitelist_dbus.conf | 4 ++-- .../25_default_whitelist_firejail.conf | 4 ++-- .../25_default_whitelist_fuse.conf | 4 ++-- .../25_default_whitelist_hardened_malloc.conf | 4 ++-- .../25_default_whitelist_mount.conf | 4 ++-- .../25_default_whitelist_pam.conf | 4 ++-- .../25_default_whitelist_policykit.conf | 4 ++-- .../25_default_whitelist_qubes.conf | 4 ++-- .../25_default_whitelist_selinux.conf | 4 ++-- .../25_default_whitelist_spice.conf | 4 ++-- .../25_default_whitelist_ssh.conf | 4 ++-- .../25_default_whitelist_sudo.conf | 4 ++-- .../25_default_whitelist_unix_chkpwd.conf | 4 ++-- .../25_default_whitelist_virtualbox.conf | 4 ++-- .../30_default.conf | 8 ++++---- lib/systemd/system-preset/50-security-misc.preset | 2 +- ...n-hardening.service => permission-hardener.service} | 2 +- usr/bin/{permission-hardening => permission-hardener} | 9 ++++----- 24 files changed, 54 insertions(+), 55 deletions(-) rename etc/{permission-hardening.d => permission-hardener.d}/25_default_passwd.conf (80%) rename etc/{permission-hardening.d => permission-hardener.d}/25_default_sudo.conf (89%) rename etc/{permission-hardening.d => permission-hardener.d}/25_default_whitelist_bubblewrap.conf (66%) rename etc/{permission-hardening.d => permission-hardener.d}/25_default_whitelist_chromium.conf (63%) rename etc/{permission-hardening.d => permission-hardener.d}/25_default_whitelist_dbus.conf (64%) rename etc/{permission-hardening.d => permission-hardener.d}/25_default_whitelist_firejail.conf (74%) rename etc/{permission-hardening.d => 
permission-hardener.d}/25_default_whitelist_fuse.conf (72%) rename etc/{permission-hardening.d => permission-hardener.d}/25_default_whitelist_hardened_malloc.conf (68%) rename etc/{permission-hardening.d => permission-hardener.d}/25_default_whitelist_mount.conf (81%) rename etc/{permission-hardening.d => permission-hardener.d}/25_default_whitelist_pam.conf (69%) rename etc/{permission-hardening.d => permission-hardener.d}/25_default_whitelist_policykit.conf (79%) rename etc/{permission-hardening.d => permission-hardener.d}/25_default_whitelist_qubes.conf (81%) rename etc/{permission-hardening.d => permission-hardener.d}/25_default_whitelist_selinux.conf (64%) rename etc/{permission-hardening.d => permission-hardener.d}/25_default_whitelist_spice.conf (65%) rename etc/{permission-hardening.d => permission-hardener.d}/25_default_whitelist_ssh.conf (69%) rename etc/{permission-hardening.d => permission-hardener.d}/25_default_whitelist_sudo.conf (65%) rename etc/{permission-hardening.d => permission-hardener.d}/25_default_whitelist_unix_chkpwd.conf (74%) rename etc/{permission-hardening.d => permission-hardener.d}/25_default_whitelist_virtualbox.conf (77%) rename etc/{permission-hardening.d => permission-hardener.d}/30_default.conf (94%) rename lib/systemd/system/{permission-hardening.service => permission-hardener.service} (93%) rename usr/bin/{permission-hardening => permission-hardener} (99%) diff --git a/README.md b/README.md index 4ac4fb6..a46b30a 100644 --- a/README.md +++ b/README.md 
@@ -430,23 +430,23 @@ include but are not limited to: - Protecting the information of sudoers from others. - Protecting various system relevant files and modules. -##### permission-hardening ##### +##### permission-hardener ##### `permission-hardener` removes SUID / SGID bits from non-essential binaries as these are often used in privilege escalation attacks. It runs at package installation and upgrade time. There is also an optional systemd unit which does the same at boot time that -can be enabled by running `systemctl enable permission-hardening.service` as +can be enabled by running `systemctl enable permission-hardener.service` as root. The hardening at boot time is not the default because this slows down the boot too much. See: -* `/usr/bin/permission-hardening` +* `/usr/bin/permission-hardener` * `debian/security-misc.postinst` -* `/lib/systemd/system/permission-hardening.service` -* `/etc/permission-hardening.d` +* `/lib/systemd/system/permission-hardener.service` +* `/etc/permission-hardener.d` * https://forums.whonix.org/t/disable-suid-binaries/7706 * https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst index 7cd54c2..da358e3 100644 --- a/debian/security-misc.postinst +++ b/debian/security-misc.postinst @@ -20,8 +20,8 @@ permission_hardening() { echo "Running SUID Disabler and Permission Hardener... See also:" echo "https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener" echo "" - echo "$0: INFO: running: permission-hardening" - if ! permission-hardening ; then + echo "$0: INFO: running: permission-hardener" + if ! permission-hardener ; then echo "$0: ERROR: Permission hardening failed." >&2 return 0 fi @@ -59,7 +59,7 @@ esac pam-auth-update --package /usr/libexec/security-misc/permission-lockdown -permission_hardening +permission_hardener ## https://phabricator.whonix.org/T377 ## Debian has no update-grub trigger yet: 
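Review bot: The call renamed to `permission_hardener` in the second postinst hunk no longer matches the function definition, which the first hunk's header still shows as `permission_hardening() {`; the diffstat for this file (3 insertions, 3 deletions, all visible here) suggests the definition was not renamed anywhere else, so the call would resolve to an undefined command. If the maintainer script runs under `set -e` that aborts package configuration; if it does not, the hardening step is silently skipped and only the error message is printed. Either rename the definition to `permission_hardener() {` in the same commit or keep the call as `permission_hardening`. The function body itself begins outside the shown hunks, so this is inferred from the header context rather than from a visible definition line.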
diff --git a/etc/permission-hardening.d/25_default_passwd.conf b/etc/permission-hardener.d/25_default_passwd.conf
similarity index 80%
rename from etc/permission-hardening.d/25_default_passwd.conf
rename to etc/permission-hardener.d/25_default_passwd.conf
index 32fd72e..dcd403f 100644
--- a/etc/permission-hardening.d/25_default_passwd.conf
+++ b/etc/permission-hardener.d/25_default_passwd.conf
@@ -1,8 +1,8 @@
 ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 
-## Please use "/etc/permission-hardening.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## Please use "/etc/permission-hardener.d/20_user.conf" or
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 
 # Keep the `passwd` utility executable to prevent issues with the
diff --git a/etc/permission-hardening.d/25_default_sudo.conf b/etc/permission-hardener.d/25_default_sudo.conf
similarity index 89%
rename from etc/permission-hardening.d/25_default_sudo.conf
rename to etc/permission-hardener.d/25_default_sudo.conf
index 67be9ac..6a1cf21 100644
--- a/etc/permission-hardening.d/25_default_sudo.conf
+++ b/etc/permission-hardener.d/25_default_sudo.conf
@@ -1,8 +1,8 @@
 ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 
-## Please use "/etc/permission-hardening.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## Please use "/etc/permission-hardener.d/20_user.conf" or
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 
 ## https://forums.whonix.org/t/restrict-root-access/7658/116
diff --git a/etc/permission-hardening.d/25_default_whitelist_bubblewrap.conf b/etc/permission-hardener.d/25_default_whitelist_bubblewrap.conf
similarity index 66%
rename from etc/permission-hardening.d/25_default_whitelist_bubblewrap.conf
rename to etc/permission-hardener.d/25_default_whitelist_bubblewrap.conf
index 2ffc8c2..071e724 100644
--- a/etc/permission-hardening.d/25_default_whitelist_bubblewrap.conf
+++ b/etc/permission-hardener.d/25_default_whitelist_bubblewrap.conf
@@ -1,8 +1,8 @@
 ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 
-## Please use "/etc/permission-hardening.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## Please use "/etc/permission-hardener.d/20_user.conf" or
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 
 /usr/bin/bwrap exactwhitelist
diff --git a/etc/permission-hardening.d/25_default_whitelist_chromium.conf b/etc/permission-hardener.d/25_default_whitelist_chromium.conf
similarity index 63%
rename from etc/permission-hardening.d/25_default_whitelist_chromium.conf
rename to etc/permission-hardener.d/25_default_whitelist_chromium.conf
index 5244b2c..db6f8ea 100644
--- a/etc/permission-hardening.d/25_default_whitelist_chromium.conf
+++ b/etc/permission-hardener.d/25_default_whitelist_chromium.conf
@@ -1,8 +1,8 @@
 ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 
-## Please use "/etc/permission-hardening.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## Please use "/etc/permission-hardener.d/20_user.conf" or
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 
 chrome-sandbox matchwhitelist
diff --git a/etc/permission-hardening.d/25_default_whitelist_dbus.conf b/etc/permission-hardener.d/25_default_whitelist_dbus.conf
similarity index 64%
rename from etc/permission-hardening.d/25_default_whitelist_dbus.conf
rename to etc/permission-hardener.d/25_default_whitelist_dbus.conf
index e1325ff..2997915 100644
--- a/etc/permission-hardening.d/25_default_whitelist_dbus.conf
+++ b/etc/permission-hardener.d/25_default_whitelist_dbus.conf
@@ -1,8 +1,8 @@
 ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 
-## Please use "/etc/permission-hardening.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## Please use "/etc/permission-hardener.d/20_user.conf" or
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 
 dbus-daemon-launch-helper matchwhitelist
diff --git a/etc/permission-hardening.d/25_default_whitelist_firejail.conf b/etc/permission-hardener.d/25_default_whitelist_firejail.conf
similarity index 74%
rename from etc/permission-hardening.d/25_default_whitelist_firejail.conf
rename to etc/permission-hardener.d/25_default_whitelist_firejail.conf
index 99608df..a56cb23 100644
--- a/etc/permission-hardening.d/25_default_whitelist_firejail.conf
+++ b/etc/permission-hardener.d/25_default_whitelist_firejail.conf
@@ -1,8 +1,8 @@
 ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 
-## Please use "/etc/permission-hardening.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## Please use "/etc/permission-hardener.d/20_user.conf" or
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 
 ## There is a controversy about firejail but those who choose to install it
diff --git a/etc/permission-hardening.d/25_default_whitelist_fuse.conf b/etc/permission-hardener.d/25_default_whitelist_fuse.conf
similarity index 72%
rename from etc/permission-hardening.d/25_default_whitelist_fuse.conf
rename to etc/permission-hardener.d/25_default_whitelist_fuse.conf
index 1293214..4affc6a 100644
--- a/etc/permission-hardening.d/25_default_whitelist_fuse.conf
+++ b/etc/permission-hardener.d/25_default_whitelist_fuse.conf
@@ -1,8 +1,8 @@
 ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 
-## Please use "/etc/permission-hardening.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## Please use "/etc/permission-hardener.d/20_user.conf" or
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 
 ## required for AppImages such as electrum Bitcoin wallet
diff --git a/etc/permission-hardening.d/25_default_whitelist_hardened_malloc.conf b/etc/permission-hardener.d/25_default_whitelist_hardened_malloc.conf
similarity index 68%
rename from etc/permission-hardening.d/25_default_whitelist_hardened_malloc.conf
rename to etc/permission-hardener.d/25_default_whitelist_hardened_malloc.conf
index 4934ff0..6cc01fe 100644
--- a/etc/permission-hardening.d/25_default_whitelist_hardened_malloc.conf
+++ b/etc/permission-hardener.d/25_default_whitelist_hardened_malloc.conf
@@ -1,8 +1,8 @@
 ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 
-## Please use "/etc/permission-hardening.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## Please use "/etc/permission-hardener.d/20_user.conf" or
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 
 libhardened_malloc.so matchwhitelist
diff --git a/etc/permission-hardening.d/25_default_whitelist_mount.conf b/etc/permission-hardener.d/25_default_whitelist_mount.conf
similarity index 81%
rename from etc/permission-hardening.d/25_default_whitelist_mount.conf
rename to etc/permission-hardener.d/25_default_whitelist_mount.conf
index 1557318..ce7d014 100644
--- a/etc/permission-hardening.d/25_default_whitelist_mount.conf
+++ b/etc/permission-hardener.d/25_default_whitelist_mount.conf
@@ -1,8 +1,8 @@
 ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 
-## Please use "/etc/permission-hardening.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## Please use "/etc/permission-hardener.d/20_user.conf" or
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 
 ## https://forums.whonix.org/t/disable-suid-binaries/7706/61
diff --git a/etc/permission-hardening.d/25_default_whitelist_pam.conf b/etc/permission-hardener.d/25_default_whitelist_pam.conf
similarity index 69%
rename from etc/permission-hardening.d/25_default_whitelist_pam.conf
rename to etc/permission-hardener.d/25_default_whitelist_pam.conf
index bf518ff..7348e0c 100644
--- a/etc/permission-hardening.d/25_default_whitelist_pam.conf
+++ b/etc/permission-hardener.d/25_default_whitelist_pam.conf
@@ -1,8 +1,8 @@
 ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 
-## Please use "/etc/permission-hardening.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## Please use "/etc/permission-hardener.d/20_user.conf" or
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 
 ## Without this, Xfce fails to start with a dbus-launch error.
diff --git a/etc/permission-hardening.d/25_default_whitelist_policykit.conf b/etc/permission-hardener.d/25_default_whitelist_policykit.conf
similarity index 79%
rename from etc/permission-hardening.d/25_default_whitelist_policykit.conf
rename to etc/permission-hardener.d/25_default_whitelist_policykit.conf
index fb4fa86..032c6b2 100644
--- a/etc/permission-hardening.d/25_default_whitelist_policykit.conf
+++ b/etc/permission-hardener.d/25_default_whitelist_policykit.conf
@@ -1,8 +1,8 @@
 ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 
-## Please use "/etc/permission-hardening.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## Please use "/etc/permission-hardener.d/20_user.conf" or
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 
 /usr/bin/pkexec exactwhitelist
diff --git a/etc/permission-hardening.d/25_default_whitelist_qubes.conf b/etc/permission-hardener.d/25_default_whitelist_qubes.conf
similarity index 81%
rename from etc/permission-hardening.d/25_default_whitelist_qubes.conf
rename to etc/permission-hardener.d/25_default_whitelist_qubes.conf
index 7a5c968..ad8592a 100644
--- a/etc/permission-hardening.d/25_default_whitelist_qubes.conf
+++ b/etc/permission-hardener.d/25_default_whitelist_qubes.conf
@@ -1,8 +1,8 @@
 ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 
-## Please use "/etc/permission-hardening.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## Please use "/etc/permission-hardener.d/20_user.conf" or
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 
 ## TODO: research
diff --git a/etc/permission-hardening.d/25_default_whitelist_selinux.conf b/etc/permission-hardener.d/25_default_whitelist_selinux.conf
similarity index 64%
rename from etc/permission-hardening.d/25_default_whitelist_selinux.conf
rename to etc/permission-hardener.d/25_default_whitelist_selinux.conf
index f0464b9..2a5686a 100644
--- a/etc/permission-hardening.d/25_default_whitelist_selinux.conf
+++ b/etc/permission-hardener.d/25_default_whitelist_selinux.conf
@@ -1,8 +1,8 @@
 ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 
-## Please use "/etc/permission-hardening.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## Please use "/etc/permission-hardener.d/20_user.conf" or
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 
 /utempter/utempter matchwhitelist
diff --git a/etc/permission-hardening.d/25_default_whitelist_spice.conf b/etc/permission-hardener.d/25_default_whitelist_spice.conf
similarity index 65%
rename from etc/permission-hardening.d/25_default_whitelist_spice.conf
rename to etc/permission-hardener.d/25_default_whitelist_spice.conf
index 394b173..a8b7f7a 100644
--- a/etc/permission-hardening.d/25_default_whitelist_spice.conf
+++ b/etc/permission-hardener.d/25_default_whitelist_spice.conf
@@ -1,8 +1,8 @@
 ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 
-## Please use "/etc/permission-hardening.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## Please use "/etc/permission-hardener.d/20_user.conf" or
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 
 spice-client-glib-usb-acl-helper matchwhitelist
diff --git a/etc/permission-hardening.d/25_default_whitelist_ssh.conf b/etc/permission-hardener.d/25_default_whitelist_ssh.conf
similarity index 69%
rename from etc/permission-hardening.d/25_default_whitelist_ssh.conf
rename to etc/permission-hardener.d/25_default_whitelist_ssh.conf
index 678b2f6..f7ef445 100644
--- a/etc/permission-hardening.d/25_default_whitelist_ssh.conf
+++ b/etc/permission-hardener.d/25_default_whitelist_ssh.conf
@@ -1,8 +1,8 @@
 ## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 
-## Please use "/etc/permission-hardening.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## Please use "/etc/permission-hardener.d/20_user.conf" or
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 
 ## TODO: research
diff --git a/etc/permission-hardening.d/25_default_whitelist_sudo.conf b/etc/permission-hardener.d/25_default_whitelist_sudo.conf
similarity index 65%
rename from etc/permission-hardening.d/25_default_whitelist_sudo.conf
rename to etc/permission-hardener.d/25_default_whitelist_sudo.conf
index 07051dd..a7b0fd2 100644
--- a/etc/permission-hardening.d/25_default_whitelist_sudo.conf
+++ b/etc/permission-hardener.d/25_default_whitelist_sudo.conf
@@ -1,8 +1,8 @@
 ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 
-## Please use "/etc/permission-hardening.d/20_user.conf" or
-## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom
+## Please use "/etc/permission-hardener.d/20_user.conf" or
+## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.
 
 /usr/bin/sudo exactwhitelist
diff --git a/etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf b/etc/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf similarity index 74% rename from etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf rename to etc/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf index c086dab..dc1fb5a 100644 --- a/etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf +++ b/etc/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf @@ -1,8 +1,8 @@ ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Please use "/etc/permission-hardening.d/20_user.conf" or -## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom ## configuration. When security-misc is updated, this file may be overwritten. ## required for performing password validation from unprivileged user diff --git a/etc/permission-hardening.d/25_default_whitelist_virtualbox.conf b/etc/permission-hardener.d/25_default_whitelist_virtualbox.conf similarity index 77% rename from etc/permission-hardening.d/25_default_whitelist_virtualbox.conf rename to etc/permission-hardener.d/25_default_whitelist_virtualbox.conf index dbd5737..17701d9 100644 --- a/etc/permission-hardening.d/25_default_whitelist_virtualbox.conf +++ b/etc/permission-hardener.d/25_default_whitelist_virtualbox.conf @@ -1,8 +1,8 @@ ## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Please use "/etc/permission-hardening.d/20_user.conf" or -## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom ## configuration. When security-misc is updated, this file may be overwritten. ## TODO: research 
diff --git a/etc/permission-hardening.d/30_default.conf b/etc/permission-hardener.d/30_default.conf similarity index 94% rename from etc/permission-hardening.d/30_default.conf rename to etc/permission-hardener.d/30_default.conf index b6e4aeb..2ba3dee 100644 --- a/etc/permission-hardening.d/30_default.conf +++ b/etc/permission-hardener.d/30_default.conf @@ -1,8 +1,8 @@ ## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Please use "/etc/permission-hardening.d/20_user.conf" or -## "/usr/local/etc/permission-hardening.d/20_user.conf" for your custom +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom ## configuration. When security-misc is updated, this file may be overwritten. ## File permission hardening. @@ -60,8 +60,8 @@ /home/ 0755 root root /root/ 0700 root root /boot/ 0700 root root -/etc/permission-hardening.d 0600 root root -/usr/local/etc/permission-hardening.d 0600 root root +/etc/permission-hardener.d 0600 root root +/usr/local/etc/permission-hardener.d 0600 root root /lib/modules/ 0700 root root /usr/src 0700 root root /etc/cups/cupsd.conf 0400 root root diff --git a/lib/systemd/system-preset/50-security-misc.preset b/lib/systemd/system-preset/50-security-misc.preset index 201369d..a852419 100644 --- a/lib/systemd/system-preset/50-security-misc.preset +++ b/lib/systemd/system-preset/50-security-misc.preset @@ -5,7 +5,7 @@ disable hide-hardware-info.service ## Disable for now until development finished / tested. -disable permission-hardening.service +disable permission-hardener.service ## Disable for now until development finished / tested. ## https://github.com/Kicksecure/security-misc/pull/152 
diff --git a/lib/systemd/system/permission-hardening.service b/lib/systemd/system/permission-hardener.service similarity index 93% rename from lib/systemd/system/permission-hardening.service rename to lib/systemd/system/permission-hardener.service index 9891b72..912e6c7 100644 --- a/lib/systemd/system/permission-hardening.service +++ b/lib/systemd/system/permission-hardener.service @@ -13,7 +13,7 @@ After=local-fs.target [Service] Type=oneshot RemainAfterExit=yes -ExecStart=permission-hardening +ExecStart=permission-hardener [Install] WantedBy=sysinit.target diff --git a/usr/bin/permission-hardening b/usr/bin/permission-hardener similarity index 99% rename from usr/bin/permission-hardening rename to usr/bin/permission-hardener index 7673dd7..d2a7ccc 100755 --- a/usr/bin/permission-hardening +++ b/usr/bin/permission-hardener @@ -6,13 +6,10 @@ ## https://forums.whonix.org/t/disable-suid-binaries/7706 ## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707 -## To undo: -## sudo permission-hardening disable - set -o errexit -o nounset -o pipefail exit_code=0 -store_dir="/var/lib/permission-hardening" +store_dir="/var/lib/permission-hardener" dpkg_admindir_parameter_existing_mode="--admindir ${store_dir}/existing_mode" dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode" @@ -507,6 +504,8 @@ parse_config_folder() { shopt -s nullglob for config_file in \ + /etc/permission-hardener.d/*.conf \ + /usr/local/etc/permission-hardener.d/*.conf \ /etc/permission-hardening.d/*.conf \ /usr/local/etc/permission-hardening.d/*.conf do 
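Review bot: `parse_config_folder` still globs `/etc/permission-hardening.d/*.conf` and `/usr/local/etc/permission-hardening.d/*.conf` after the two new directories, yet the `30_default.conf` hunk in this same series replaces the `0600 root root` entries for those legacy directories instead of adding to them, so a directory that remains a trusted configuration source is no longer kept root-only by the hardener. Keep both pairs in `30_default.conf` for as long as the loop reads the legacy paths: `/etc/permission-hardening.d 0600 root root` and `/usr/local/etc/permission-hardening.d 0600 root root` next to the new `permission-hardener.d` lines. A short comment above the loop, `## legacy directories kept for configs written before the rename; drop once no longer read`, would record why both sets are parsed. If the same file name exists in both an old and a new directory (possible until the package's old conffiles are removed), it is presumably parsed twice — worth confirming that duplicate entries are harmless. The rest of `parse_config_folder` lies outside the hunk.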
@@ -620,7 +619,7 @@ spare() { To remove all: $0 disable all - This change might not be permanent (because of the permission-hardening.service systemd unit). For full instructions, see: + This change might not be permanent (because of the permission-hardener.service systemd unit). For full instructions, see: https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener To view list of changed by SUID Disabler and Permission Hardener: From db0503e71d5c37865cbb0a01cb8fa00af2a4e574 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 2 Jan 2024 14:55:13 +0000 Subject: [PATCH 268/846] bumped changelog version --- changelog.upstream | 30 ++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 36 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 00f98f1..7cd78ce 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,25 @@ +commit a94f2a3f4626a9292660bc7f98a6513f34d0f5b2 +Merge: 94c0e26 8daf97a +Author: Patrick Schleizer +Date: Tue Jan 2 05:30:49 2024 -0500 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 8daf97ab0181a9cbb9e9dec57f1f00270dbb3a50 +Merge: 94c0e26 f055fe5 +Author: Patrick Schleizer +Date: Tue Jan 2 05:29:35 2024 -0500 + + Merge pull request #178 from raja-grewal/io_uring + + Disable asynchronous I/O + +commit 94c0e26a082f61f71e89b1fb7386a58166ffa411 +Author: Patrick Schleizer +Date: Fri Dec 29 20:15:50 2023 +0000 + + bumped changelog version + commit 5b36599c0ce35857239c82459828db1ec4215411 Author: Patrick Schleizer Date: Fri Dec 29 14:57:38 2023 -0500 
@@ -168,6 +190,14 @@ Date: Fri Dec 22 08:31:58 2023 -0500 fixes https://github.com/Kicksecure/security-misc/issues/179 +commit f055fe5da2219b68f46c3c577d79fcfd7e79cfc6 +Author: Raja Grewal +Date: Fri Dec 15 08:33:36 2023 +0000 + + Disable asynchronous I/O + + io_uring creation is disabled for all processes. io_uring_setup always fails with -EPERM. Existing io_uring instances can still be used. + commit 99f2edd4f685cdc9a47b32107125408e12a294c2 Author: Patrick Schleizer Date: Tue Dec 12 16:51:21 2023 +0000 diff --git a/debian/changelog b/debian/changelog index 5c393ca..1a3638c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:34.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 02 Jan 2024 14:55:13 +0000 + security-misc (3:34.8-1) unstable; urgency=medium * New upstream version (local package). From bc02c72018d6458d4c1852dd441287b277421514 Mon Sep 17 00:00:00 2001 From: Ben Grande Date: Tue, 2 Jan 2024 17:08:45 +0100 Subject: [PATCH 269/846] Fix unbound variable - Run messages preceded by INFO; - Comment unknown unused variables; - Remove unnecessary variables; and - Deal with unbound variable due to subshell by writing to a file; --- usr/bin/permission-hardener | 31 ++++++++++++++----------------- 1 file changed, 14 insertions(+), 17 deletions(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index d2a7ccc..2e3fcbc 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -14,17 +14,17 @@ dpkg_admindir_parameter_existing_mode="--admindir ${store_dir}/existing_mode" dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode" echo_wrapper_ignore() { - echo "run: $*" + echo "INFO: run: $*" "$@" 2>/dev/null || true } echo_wrapper_silent_ignore() { - #echo "run: $@" + #echo "INFO: run: $@" "$@" 2>/dev/null || true } echo_wrapper_audit() { - echo "run: $*" + echo "INFO: run: $*" return_code=0 "$@" || { 
@@ -499,8 +499,8 @@ parse_config_folder() { group_file_contents_temp=$(getent group) echo "${group_file_contents_temp}" | tee "${store_dir}/private/group" >/dev/null - passwd_file_contents="$(cat "${store_dir}/private/passwd")" - group_file_contents="$(cat "${store_dir}/private/group")" + #passwd_file_contents="$(cat "${store_dir}/private/passwd")" + #group_file_contents="$(cat "${store_dir}/private/group")" shopt -s nullglob for config_file in \ @@ -555,32 +555,29 @@ spare() { true "owner: '${owner}' group: '${group}' mode: '${mode}' file_name: '${file_name}'" if test "${remove_file}" = "all"; then - proceed=true verbose="" remove_one=false else if test "${remove_file}" = "${file_name}"; then - proceed=true verbose="--verbose" remove_one=true + echo "${remove_one}" | tee "${store_dir}/remove_one" >/dev/null else - proceed=false - verbose="" + echo "false" | tee "${store_dir}/remove_one" >/dev/null + continue fi fi - if test "${proceed}" = "false"; then - continue - fi - if test "${remove_one}" = "true"; then set -o xtrace fi if test -e "${file_name}"; then + # shellcheck disable=SC2086 chown ${verbose} "${owner}:${group}" "${file_name}" || exit_code=202 ## chmod need to be run after chown since chown removes suid. ## https://unix.stackexchange.com/questions/53665/chown-removes-setuid-bit-bug-or-feature + # shellcheck disable=SC2086 chmod ${verbose} "${mode}" "${file_name}" || exit_code=203 else echo "INFO: file_name: '${file_name}' - does not exist. This is likely normal." 
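Review bot: `${store_dir}/remove_one` is rewritten on every iteration of the enclosing loop, so after the matching entry writes `true` each later non-matching entry overwrites it with `false` before `continue`; the check in the `@@ -600` hunk then reports that no file was removed even when one was, unless the match happened to be the last entry. Write the default once before the loop (which begins outside this hunk), `echo "false" | tee "${store_dir}/remove_one" >/dev/null`, keep only the `echo "${remove_one}" | tee …` in the matching branch, and drop the `echo "false" | tee …` from the else branch so a single `continue` remains. The `all` branch never touches the file, which is fine because the later check is skipped for `all`, but when the loop body never runs a stale value from a previous invocation (or a missing file) is otherwise read by that check, which the up-front write also fixes.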
@@ -600,10 +597,10 @@ spare() { done < "${store_dir}/existing_mode/statoverride" if test ! "${remove_file}" = "all"; then - if test ! "${remove_one}" = "true"; then - echo "INFO: no file removed. + if test "$(cat "${store_dir}/remove_one")" = "false"; then + echo "INFO: no file was removed. - File '${remove_file}' has not removed from SUID Disabler and Permission Hardener during this invocation of this program. + File '${remove_file}' has not been removed from SUID Disabler and Permission Hardener during this invocation of this program. Note: This is expected if already done earlier. @@ -657,7 +654,7 @@ case "${1:-}" in disable) shift case "${1:-}" in - "") usage;; + "") usage 1;; *) spare "${1}";; esac ;; From 74afcc9c63ad064f20778ad2870690925c3cee81 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 3 Jan 2024 17:52:23 +1100 Subject: [PATCH 270/846] Clarify validity of disabling io_uring --- usr/lib/sysctl.d/990-security-misc.conf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index f660d54..321f3b8 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -68,6 +68,9 @@ kernel.unprivileged_bpf_disabled=1 net.core.bpf_jit_harden=2 ## Disable asynchronous I/O for all processes. +## Valid only for linux kernel version >= 6.6. +## Command is retained here for future-proofing and completeness. +## https://forums.whonix.org/t/io-uring-security-vulnerabilties/16890/6 kernel.io_uring_disabled=2 #### meta start From e8f8dcd0fb1c23a62974849f55516da9dce5948e Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 4 Jan 2024 02:03:26 +0000 Subject: [PATCH 271/846] bumped changelog version --- changelog.upstream | 28 ++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 34 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 7cd78ce..6d7ee2a 100644 --- a/changelog.upstream +++ b/changelog.upstream 
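Review bot: On kernels older than 6.6, which the new comment itself says lack this key, systemd-sysctl will log an error for this line at every boot; prefixing the key with `-`, i.e. `-kernel.io_uring_disabled=2`, keeps the setting on newer kernels while telling systemd-sysctl not to treat the missing key as an error. The comment block could also state what the value does for the reader who does not follow the forum link, e.g. `## 2: io_uring_setup() fails with -EPERM for all processes; existing io_uring instances keep working.`, which is the wording the changelog entry for this change already uses.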
@@ -1,3 +1,31 @@ +commit 70a86fa994c0a894643e876fc86226ad0443a741 +Merge: db0503e 71060f1 +Author: Patrick Schleizer +Date: Wed Jan 3 05:12:48 2024 -0500 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 71060f1f53ca7a275f10c4b6ab3e6c25585d5440 +Merge: db0503e 74afcc9 +Author: Patrick Schleizer +Date: Wed Jan 3 05:00:41 2024 -0500 + + Merge pull request #182 from raja-grewal/io_uring + + Clarify validity of disabling io_uring + +commit 74afcc9c63ad064f20778ad2870690925c3cee81 +Author: Raja Grewal +Date: Wed Jan 3 17:52:23 2024 +1100 + + Clarify validity of disabling io_uring + +commit db0503e71d5c37865cbb0a01cb8fa00af2a4e574 +Author: Patrick Schleizer +Date: Tue Jan 2 14:55:13 2024 +0000 + + bumped changelog version + commit a94f2a3f4626a9292660bc7f98a6513f34d0f5b2 Merge: 94c0e26 8daf97a Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index 1a3638c..bf047db 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:35.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 04 Jan 2024 02:03:26 +0000 + security-misc (3:34.9-1) unstable; urgency=medium * New upstream version (local package). From 3f1304403fbf04f15dac01963c66f82cd84452d4 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 6 Jan 2024 08:15:31 -0500 Subject: [PATCH 272/846] disable MAC randomization in Network Manager (NM) because it breaks VirtualBox DHCP https://github.com/Kicksecure/security-misc/issues/184 --- usr/lib/NetworkManager/conf.d/80_randomize-mac.conf | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf b/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf index 1601800..428c0e2 100644 --- a/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf +++ b/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf 
@@ -1,6 +1,6 @@ -[device-mac-randomization] -wifi.scan-rand-mac-address=yes +#[device-mac-randomization] +#wifi.scan-rand-mac-address=yes -[connection-mac-randomization] -ethernet.cloned-mac-address=random -wifi.cloned-mac-address=random +#[connection-mac-randomization] +#ethernet.cloned-mac-address=random +#wifi.cloned-mac-address=random From 86f91e3030ef0b08000fc28a3a172e6a47918e4e Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 6 Jan 2024 09:10:45 -0500 Subject: [PATCH 273/846] revert umask 027 by default because broken because this also happens for root while it should not https://github.com/Kicksecure/security-misc/issues/185 --- README.md | 4 +++- usr/share/pam-configs/umask-security-misc | 8 -------- 2 files changed, 3 insertions(+), 9 deletions(-) delete mode 100644 usr/share/pam-configs/umask-security-misc diff --git a/README.md b/README.md index 4ac4fb6..2463c66 100644 --- a/README.md +++ b/README.md @@ -392,7 +392,9 @@ See: #### umask Default `umask` is set to `027` for files created by non-root users such as for -example user `user`. +example user `user`. Broken. Disabled. See: + +* https://github.com/Kicksecure/security-misc/issues/184 This is doing using pam module `pam_mkhomedir.so umask=027`. diff --git a/usr/share/pam-configs/umask-security-misc b/usr/share/pam-configs/umask-security-misc deleted file mode 100644 index 6436a56..0000000 --- a/usr/share/pam-configs/umask-security-misc +++ /dev/null @@ -1,8 +0,0 @@ -Name: Restrict umask to 027 (by package security-misc) -Default: yes -Priority: 100 -Session-Type: Additional -Session-Interactive-Only: yes -Session: - [success=1 default=ignore] pam_succeed_if.so uid eq 0 - optional pam_umask.so umask=027 From df0f9d3267644c4aea87add2dcade86044c496f0 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 6 Jan 2024 09:19:57 -0500 Subject: [PATCH 274/846] README --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 2463c66..86f1a43 100644 
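Review bot: The file now consists only of commented-out keys with nothing in it saying why, so the next reader has to dig through git history to learn the settings were disabled deliberately; add a line such as `## Disabled: breaks VirtualBox DHCP, see https://github.com/Kicksecure/security-misc/issues/184` at the top. The commit message blames DHCP, which presumably involves only the `connection-mac-randomization` keys; `wifi.scan-rand-mac-address=yes` governs the MAC used for Wi-Fi scan probes rather than the address a connection obtains its lease with, so it could likely stay enabled — worth confirming against the issue before dropping that protection as well. The two IPv6 privacy hunks in patches 275 and 276 (`80_ipv6-privacy-extensions.conf`, `80_ipv6-privacy.conf`) have the same gap and would benefit from the same one-line reason comment.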
--- a/README.md +++ b/README.md @@ -287,6 +287,7 @@ install. Not enabled by default yet. In development. Help welcome. +- https://www.kicksecure.com/wiki/Dev/remount-secure - https://github.com/Kicksecure/security-misc/issues/157 - https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/ From 128bb01b35d20e97351dfb53768f35482f9756a2 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 7 Jan 2024 06:36:25 -0500 Subject: [PATCH 275/846] undo IPv6 privacy due to potential server issues https://github.com/Kicksecure/security-misc/issues/184 --- .../systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf b/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf index b44948d..ad1e947 100644 --- a/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf +++ b/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf @@ -1,2 +1,2 @@ -[Network] -IPv6PrivacyExtensions=kernel +#[Network] +#IPv6PrivacyExtensions=kernel From 1199871d7bbc7316a7e5822d77eee0666b55b203 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 7 Jan 2024 06:37:34 -0500 Subject: [PATCH 276/846] undo IPv6 privacy due to potential server issues https://github.com/Kicksecure/security-misc/issues/184 --- usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf b/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf index a70549a..bc2280c 100644 --- a/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf +++ b/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf @@ -1,2 +1,2 @@ -[connection] -ipv6.ip6-privacy=2 +#[connection] +#ipv6.ip6-privacy=2 From dc8d9eece32dec06e63c580c886a240019b3f33e Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Tue, 9 Jan 2024 05:52:49 +0000 Subject: [PATCH 277/846] bumped changelog version --- changelog.upstream | 46 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 52 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 6d7ee2a..61d1e59 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,49 @@ +commit 1199871d7bbc7316a7e5822d77eee0666b55b203 +Author: Patrick Schleizer +Date: Sun Jan 7 06:37:34 2024 -0500 + + undo IPv6 privacy due to potential server issues + + https://github.com/Kicksecure/security-misc/issues/184 + +commit 128bb01b35d20e97351dfb53768f35482f9756a2 +Author: Patrick Schleizer +Date: Sun Jan 7 06:36:25 2024 -0500 + + undo IPv6 privacy due to potential server issues + + https://github.com/Kicksecure/security-misc/issues/184 + +commit df0f9d3267644c4aea87add2dcade86044c496f0 +Author: Patrick Schleizer +Date: Sat Jan 6 09:19:57 2024 -0500 + + README + +commit 86f91e3030ef0b08000fc28a3a172e6a47918e4e +Author: Patrick Schleizer +Date: Sat Jan 6 09:10:45 2024 -0500 + + revert umask 027 by default + + because broken because this also happens for root while it should not + + https://github.com/Kicksecure/security-misc/issues/185 + +commit 3f1304403fbf04f15dac01963c66f82cd84452d4 +Author: Patrick Schleizer +Date: Sat Jan 6 08:15:31 2024 -0500 + + disable MAC randomization in Network Manager (NM) because it breaks VirtualBox DHCP + + https://github.com/Kicksecure/security-misc/issues/184 + +commit e8f8dcd0fb1c23a62974849f55516da9dce5948e +Author: Patrick Schleizer +Date: Thu Jan 4 02:03:26 2024 +0000 + + bumped changelog version + commit 70a86fa994c0a894643e876fc86226ad0443a741 Merge: db0503e 71060f1 Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index bf047db..2624404 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:35.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 09 Jan 2024 05:52:48 +0000 + security-misc (3:35.0-1) unstable; urgency=medium * New upstream version (local package). From a90cd43631216f28a18a1b3f066b9f6ef3301ac4 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 16 Jan 2024 08:32:52 -0500 Subject: [PATCH 278/846] fix postinst for new permission-hardener https://github.com/Kicksecure/security-misc/pull/181 --- debian/security-misc.postinst | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst index da358e3..68ea720 100644 --- a/debian/security-misc.postinst +++ b/debian/security-misc.postinst @@ -20,8 +20,8 @@ permission_hardening() { echo "Running SUID Disabler and Permission Hardener... See also:" echo "https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener" echo "" - echo "$0: INFO: running: permission-hardener" - if ! permission-hardener ; then + echo "$0: INFO: running: permission-hardener enable" + if ! permission-hardener enable ; then echo "$0: ERROR: Permission hardening failed." >&2 return 0 fi @@ -59,7 +59,7 @@ esac pam-auth-update --package /usr/libexec/security-misc/permission-lockdown -permission_hardener +permission_hardening ## https://phabricator.whonix.org/T377 ## Debian has no update-grub trigger yet: From ed7c09fc46b26440439adf748f597da277a3f1e4 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 16 Jan 2024 08:45:13 -0500 Subject: [PATCH 279/846] permission-hardening -> permission-hardener migration mv --verbose /var/lib/permission-hardening /var/lib/permission-hardener https://github.com/Kicksecure/security-misc/pull/181 --- debian/security-misc.postinst | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst index 68ea720..a3fa5f2 100644 --- a/debian/security-misc.postinst 
+++ b/debian/security-misc.postinst @@ -15,6 +15,16 @@ true " ##################################################################### " +permission_hardening_legacy() { + if test -d /var/lib/permission-hardener ; then + return 0 + fi + if ! test -d /var/lib/permission-hardening ; then + return 0 + fi + mv --verbose /var/lib/permission-hardening /var/lib/permission-hardener +} + permission_hardening() { echo "" echo "Running SUID Disabler and Permission Hardener... See also:" @@ -59,6 +69,7 @@ esac pam-auth-update --package /usr/libexec/security-misc/permission-lockdown +permission_hardening_legacy permission_hardening ## https://phabricator.whonix.org/T377 From 4f7973bc5628cdc24f5224bd98858249307635d3 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 16 Jan 2024 08:56:26 -0500 Subject: [PATCH 280/846] comment --- etc/permission-hardener.d/30_default.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/permission-hardener.d/30_default.conf b/etc/permission-hardener.d/30_default.conf index 2ba3dee..0d5ea8a 100644 --- a/etc/permission-hardener.d/30_default.conf +++ b/etc/permission-hardener.d/30_default.conf @@ -41,7 +41,7 @@ ## https://manpages.debian.org/xserver-xorg-legacy/Xorg.wrap.1.en.html ## https://lwn.net/Articles/590315/ -## http://forums.whonix.org/t/permission-hardening/8655/25 +## https://forums.whonix.org/t/suid-disabler-and-permission-hardener/7706/35 #/usr/lib/xorg/Xorg.wrap whitelist #/lib/xorg/Xorg.wrap whitelist From fa53848b5cda135fbb8a3855e8508692084fc7e9 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 16 Jan 2024 13:58:55 +0000 Subject: [PATCH 281/846] bumped changelog version --- changelog.upstream | 76 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++ 2 files changed, 82 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 61d1e59..0e3b363 100644 --- a/changelog.upstream +++ b/changelog.upstream 
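Review bot: `permission_hardening_legacy` returns early when `/var/lib/permission-hardener` already exists, so if the new state directory was created before this postinst runs, the legacy `/var/lib/permission-hardening` — whose `existing_mode/statoverride` is what `disable` reads to restore original modes — is silently left behind and never merged. At minimum log that case, e.g. `echo "$0: INFO: both state directories exist; leaving legacy /var/lib/permission-hardening in place." >&2` before the first `return 0`, so an operator can reconcile them. Whether a failing `mv` aborts the whole postinst depends on the `set` options at the top of the script, which are outside this hunk; decide that explicitly rather than inheriting it, for instance with `mv --verbose … || echo "$0: WARNING: state directory migration failed." >&2` if the install should proceed regardless.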
@@ -1,3 +1,40 @@ +commit 4f7973bc5628cdc24f5224bd98858249307635d3 +Author: Patrick Schleizer +Date: Tue Jan 16 08:56:26 2024 -0500 + + comment + +commit ed7c09fc46b26440439adf748f597da277a3f1e4 +Author: Patrick Schleizer +Date: Tue Jan 16 08:45:13 2024 -0500 + + permission-hardening -> permission-hardener migration + + mv --verbose /var/lib/permission-hardening /var/lib/permission-hardener + + https://github.com/Kicksecure/security-misc/pull/181 + +commit a90cd43631216f28a18a1b3f066b9f6ef3301ac4 +Author: Patrick Schleizer +Date: Tue Jan 16 08:32:52 2024 -0500 + + fix postinst for new permission-hardener + + https://github.com/Kicksecure/security-misc/pull/181 + +commit 862bf6b5ab29917138325023eb3507f5fbd5653c +Merge: dc8d9ee bc02c72 +Author: Patrick Schleizer +Date: Tue Jan 16 08:19:28 2024 -0500 + + Merge remote-tracking branch 'ben-grande/clean' + +commit dc8d9eece32dec06e63c580c886a240019b3f33e +Author: Patrick Schleizer +Date: Tue Jan 9 05:52:49 2024 +0000 + + bumped changelog version + commit 1199871d7bbc7316a7e5822d77eee0666b55b203 Author: Patrick Schleizer Date: Sun Jan 7 06:37:34 2024 -0500 
@@ -66,12 +103,51 @@ Date: Wed Jan 3 17:52:23 2024 +1100 Clarify validity of disabling io_uring +commit bc02c72018d6458d4c1852dd441287b277421514 +Author: Ben Grande +Date: Tue Jan 2 17:08:45 2024 +0100 + + Fix unbound variable + + - Run messages preceded by INFO; + - Comment unknown unused variables; + - Remove unnecessary variables; and + - Deal with unbound variable due to subshell by writing to a file; + commit db0503e71d5c37865cbb0a01cb8fa00af2a4e574 Author: Patrick Schleizer Date: Tue Jan 2 14:55:13 2024 +0000 bumped changelog version +commit abf72c2ee4286ec069f75e66acf05a42f3645c89 +Author: Ben Grande +Date: Tue Jan 2 13:34:29 2024 +0100 + + Rename file permission hardening script + + Hardener as the script is the agent that is hardening the file + permissions. + +commit f138cf0f78c03e3952801d01d25d5f8065ff1457 +Author: Ben Grande +Date: Tue Jan 2 12:17:16 2024 +0100 + + Refactor permission-hardener + + - Organize comments from default configuration; + - Apply and undo changes from a single file controlled by parameters; + - Arrays should be evaluated as arrays and not normal variables; + - Quote variables; + - Brackets around variables; + - Standardize test cases to "test" command; + - Test against empty or non-empty variables with "-z" and "-n"; + - Show a usage message when necessary; + - Require root to run the script with informative message; + - Permit the user to see the help message without running as root; + - Do not create root directories without passing root check; + - Use long options for "set" command; + commit a94f2a3f4626a9292660bc7f98a6513f34d0f5b2 Merge: 94c0e26 8daf97a Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index 2624404..4a87862 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:35.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 16 Jan 2024 13:58:54 +0000 + security-misc (3:35.1-1) unstable; urgency=medium * New upstream version (local package). From 9cafd78fe21baa3c2a36853f57e0638b2facfe5c Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 16 Jan 2024 09:05:09 -0500 Subject: [PATCH 282/846] rm_conffile /etc/permission-hardening.d https://github.com/Kicksecure/security-misc/pull/181 --- debian/security-misc.maintscript | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript index c6ba935..7e44c41 100644 --- a/debian/security-misc.maintscript +++ b/debian/security-misc.maintscript 
@@ -45,3 +45,24 @@ rm_conffile /etc/X11/Xsession.d/50security-misc rm_conffile /etc/sysctl.d/30_security-misc.conf rm_conffile /etc/sysctl.d/30_silent-kernel-printk.conf rm_conffile /etc/sysctl.d/30_security-misc_kexec-disable.conf + +## moved to etc/permission-hardener.d +rm_conffile /etc/permission-hardening.d/25_default_passwd.conf +rm_conffile /etc/permission-hardening.d/25_default_sudo.conf +rm_conffile /etc/permission-hardening.d/25_default_whitelist_bubblewrap.conf +rm_conffile /etc/permission-hardening.d/25_default_whitelist_chromium.conf +rm_conffile /etc/permission-hardening.d/25_default_whitelist_dbus.conf +rm_conffile /etc/permission-hardening.d/25_default_whitelist_firejail.conf +rm_conffile /etc/permission-hardening.d/25_default_whitelist_fuse.conf +rm_conffile /etc/permission-hardening.d/25_default_whitelist_hardened_malloc.conf +rm_conffile /etc/permission-hardening.d/25_default_whitelist_mount.conf +rm_conffile /etc/permission-hardening.d/25_default_whitelist_pam.conf +rm_conffile /etc/permission-hardening.d/25_default_whitelist_policykit.conf +rm_conffile /etc/permission-hardening.d/25_default_whitelist_qubes.conf +rm_conffile /etc/permission-hardening.d/25_default_whitelist_selinux.conf +rm_conffile /etc/permission-hardening.d/25_default_whitelist_spice.conf +rm_conffile /etc/permission-hardening.d/25_default_whitelist_ssh.conf +rm_conffile /etc/permission-hardening.d/25_default_whitelist_sudo.conf +rm_conffile /etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf +rm_conffile /etc/permission-hardening.d/25_default_whitelist_virtualbox.conf +rm_conffile /etc/permission-hardening.d/30_default.conf From 6aa55698ab2a0f3771d28293d7ad14da2763a16f Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Tue, 16 Jan 2024 09:10:59 -0500 Subject: [PATCH 283/846] delete legacy folder /etc/permission-hardening.d if empty https://github.com/Kicksecure/security-misc/pull/181 --- debian/security-misc.postinst | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst index a3fa5f2..5e83b03 100644 --- a/debian/security-misc.postinst +++ b/debian/security-misc.postinst @@ -15,7 +15,7 @@ true " ##################################################################### " -permission_hardening_legacy() { +permission_hardening_legacy_state_files() { if test -d /var/lib/permission-hardener ; then return 0 fi @@ -25,6 +25,13 @@ permission_hardening_legacy() { mv --verbose /var/lib/permission-hardening /var/lib/permission-hardener } +permission_hardening_legacy_config_folder() { + if ! test -d /etc/permission-hardening.d ; then + return 0 + fi + rmdir --verbose --ignore-fail-on-non-empty /etc/permission-hardening.d || true +} + permission_hardening() { echo "" echo "Running SUID Disabler and Permission Hardener... See also:" @@ -69,7 +76,8 @@ esac pam-auth-update --package /usr/libexec/security-misc/permission-lockdown -permission_hardening_legacy +permission_hardening_legacy_state_files + permission_hardening ## https://phabricator.whonix.org/T377 @@ -92,6 +100,8 @@ true "INFO: debhelper beginning here." true "INFO: Done with debhelper." +permission_hardening_legacy_config_folder + true " ##################################################################### ## INFO: END : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@ From 186f6015da7b3314c95c2833032c6fe953a71afd Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 16 Jan 2024 14:14:18 +0000 Subject: [PATCH 284/846] bumped changelog version --- changelog.upstream | 22 ++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 28 insertions(+) 
diff --git a/changelog.upstream b/changelog.upstream index 0e3b363..f930bfe 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,25 @@ +commit 6aa55698ab2a0f3771d28293d7ad14da2763a16f +Author: Patrick Schleizer +Date: Tue Jan 16 09:10:59 2024 -0500 + + delete legacy folder /etc/permission-hardening.d if empty + + https://github.com/Kicksecure/security-misc/pull/181 + +commit 9cafd78fe21baa3c2a36853f57e0638b2facfe5c +Author: Patrick Schleizer +Date: Tue Jan 16 09:05:09 2024 -0500 + + rm_conffile /etc/permission-hardening.d + + https://github.com/Kicksecure/security-misc/pull/181 + +commit fa53848b5cda135fbb8a3855e8508692084fc7e9 +Author: Patrick Schleizer +Date: Tue Jan 16 13:58:55 2024 +0000 + + bumped changelog version + commit 4f7973bc5628cdc24f5224bd98858249307635d3 Author: Patrick Schleizer Date: Tue Jan 16 08:56:26 2024 -0500 diff --git a/debian/changelog b/debian/changelog index 4a87862..ca572b8 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:35.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 16 Jan 2024 14:14:18 +0000 + security-misc (3:35.2-1) unstable; urgency=medium * New upstream version (local package). From 3ba8fe586e1abe133bd41076278f8663aba7e641 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 16 Jan 2024 09:23:54 -0500 Subject: [PATCH 285/846] update permission-hardener.service Which is now only an additional opt-in systemd unit, because permission-hardener is run by default at security-misc package installation time. https://github.com/Kicksecure/security-misc/pull/181 --- lib/systemd/system/permission-hardener.service | 4 ++-- usr/bin/permission-hardener | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/systemd/system/permission-hardener.service b/lib/systemd/system/permission-hardener.service index 912e6c7..94ddd6b 100644 --- a/lib/systemd/system/permission-hardener.service 
+++ b/lib/systemd/system/permission-hardener.service @@ -2,7 +2,7 @@ ## See the file COPYING for copying conditions. [Unit] -Description=SUID, SGID, Capability and File Permission Hardening +Description=Permission Hardener at Boot Time (opt-in in addition to security-misc package installation time hardening) Documentation=https://github.com/Kicksecure/security-misc DefaultDependencies=no @@ -13,7 +13,7 @@ After=local-fs.target [Service] Type=oneshot RemainAfterExit=yes -ExecStart=permission-hardener +ExecStart=permission-hardener enable [Install] WantedBy=sysinit.target diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 2e3fcbc..4831581 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -616,7 +616,7 @@ spare() { To remove all: $0 disable all - This change might not be permanent (because of the permission-hardener.service systemd unit). For full instructions, see: + This change might not be permanent. For full instructions, see: https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener To view list of changed by SUID Disabler and Permission Hardener: From 0d78ecaee37536379ad2f230f45904f57425cb19 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 16 Jan 2024 09:26:21 -0500 Subject: [PATCH 286/846] README --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index fec808e..e47754f 100644 --- a/README.md +++ b/README.md 
@@ -436,8 +436,8 @@ include but are not limited to: ##### permission-hardener ##### `permission-hardener` removes SUID / SGID bits from non-essential binaries as -these are often used in privilege escalation attacks. It runs at package -installation and upgrade time. +these are often used in privilege escalation attacks. It is enabled by default +and applied at security-misc package installation and upgrade time. There is also an optional systemd unit which does the same at boot time that can be enabled by running `systemctl enable permission-hardener.service` as From 66e6371221c3395a0523e30e8ef1a051d3e6cdd0 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 16 Jan 2024 14:26:34 +0000 Subject: [PATCH 287/846] bumped changelog version --- changelog.upstream | 24 ++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 30 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index f930bfe..316c98d 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,27 @@ +commit 0d78ecaee37536379ad2f230f45904f57425cb19 +Author: Patrick Schleizer +Date: Tue Jan 16 09:26:21 2024 -0500 + + README + +commit 3ba8fe586e1abe133bd41076278f8663aba7e641 +Author: Patrick Schleizer +Date: Tue Jan 16 09:23:54 2024 -0500 + + update permission-hardener.service + + Which is now only an additional opt-in systemd unit, + because permission-hardener is run by default at security-misc + package installation time. + + https://github.com/Kicksecure/security-misc/pull/181 + +commit 186f6015da7b3314c95c2833032c6fe953a71afd +Author: Patrick Schleizer +Date: Tue Jan 16 14:14:18 2024 +0000 + + bumped changelog version + commit 6aa55698ab2a0f3771d28293d7ad14da2763a16f Author: Patrick Schleizer Date: Tue Jan 16 09:10:59 2024 -0500 diff --git a/debian/changelog b/debian/changelog index ca572b8..cbf6a0b 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:35.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 16 Jan 2024 14:26:34 +0000 + security-misc (3:35.3-1) unstable; urgency=medium * New upstream version (local package). From 18a06935e0cca3dc090643aad406d861e4583085 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 17 Jan 2024 13:23:20 -0500 Subject: [PATCH 288/846] run permission hardener when new packages are install files to /usr or /opt (basically anywhere) fixes https://github.com/Kicksecure/security-misc/issues/189 --- debian/security-misc.postinst | 6 +++--- debian/security-misc.triggers | 26 +++----------------------- 2 files changed, 6 insertions(+), 26 deletions(-) diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst index 5e83b03..b3aaae8 100644 --- a/debian/security-misc.postinst +++ b/debian/security-misc.postinst @@ -33,17 +33,16 @@ permission_hardening_legacy_config_folder() { } permission_hardening() { - echo "" echo "Running SUID Disabler and Permission Hardener... See also:" echo "https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener" - echo "" echo "$0: INFO: running: permission-hardener enable" + echo "" if ! permission-hardener enable ; then echo "$0: ERROR: Permission hardening failed." >&2 return 0 fi - echo "$0: INFO: Permission hardening success." echo "" + echo "$0: INFO: Permission hardening success." } case "$1" in @@ -64,6 +63,7 @@ case "$1" in echo "INFO: triggered $DPKG_MAINTSCRIPT_PACKAGE: '$DPKG_MAINTSCRIPT_PACKAGE' $DPKG_MAINTSCRIPT_PACKAGE DPKG_MAINTSCRIPT_NAME: '$DPKG_MAINTSCRIPT_NAME' $\@: '$@' 2: '$2'" /usr/share/security-misc/lkrg/lkrg-virtualbox || true /usr/libexec/security-misc/mmap-rnd-bits || true + permission_hardening exit 0 ;; diff --git a/debian/security-misc.triggers b/debian/security-misc.triggers index f8f1c77..bcfd1c5 100644 --- a/debian/security-misc.triggers +++ b/debian/security-misc.triggers 
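Review bot: `permission_hardening` is now called from the `triggered` branch, but it converts failure into success — `return 0` right after the ERROR line — and the branch then does `exit 0`, so when the trigger fires because another package just installed a new set-uid binary and the hardener fails, that binary stays set-uid while dpkg reports the run as clean. The ERROR line goes to stderr in the middle of an apt run that will now print the "Running SUID Disabler" banner for most dpkg runs, so it is easy to miss. Keeping the trigger non-fatal is defensible (a failing trigger would wedge the triggering package), but the choice should be stated at the `return 0`, e.g. `## Deliberately non-fatal: a failing trigger would leave the triggering package half-configured; new files stay unhardened until the next run.`, and the failure should leave a persistent mark (the package already has var/cache/security-misc/state-files) that a later run or boot-time check can report. The `case` statement containing the `triggered` branch starts and ends outside the hunk.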
@@ -1,25 +1,5 @@
-## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP
+## Copyright (C) 2024 - 2024 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 
-#### meta start
-#### project Kicksecure
-#### category security
-#### description
-
-## Trigger 'activate-noawait update-initramfs' also works with both,
-## initramfs-tools as well as dracut.
-## - Activate initramfs hook that sets the sysctl values before init is executed.
-## - dracut module 20remount-secure
-activate-noawait update-initramfs
-
-## LKRG /usr/share/security-misc/lkrg/lkrg-virtualbox
-interest-noawait /usr/bin/vboxmanage
-
-## /usr/libexec/security-misc/mmap-rnd-bits
-## auto generates:
-## /etc/sysctl.d/30_security-misc_aslr-mmap.conf
-## sets:
-## vm.mmap_rnd_bits
-interest-noawait /boot
-
-#### meta end
+interest-await /usr
+interest-await /opt
From 0efee2f50fd38feade7700c2f033cc3d4c200d34 Mon Sep 17 00:00:00 2001
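Review bot: The removed `activate-noawait update-initramfs` entry has no replacement in this commit, so unless update-initramfs is invoked somewhere not visible here, installing or upgrading security-misc no longer rebuilds the initramfs, and changes to the `sysctl-initramfs` hook (or the dracut `20remount-secure` module the old comment names) only take effect at the next kernel update — that hook is what applies the sysctl hardening before init runs. Separately, the new entries use `interest-await` where the old ones were `interest-noawait`; with the await form every package that ships a file under /usr sits in triggers-awaited state until security-misc's postinst has processed the trigger, which dpkg's trigger documentation advises against unless the triggering package needs the result, and a watch on all of /usr is about as broad as a file trigger can be. I would keep the activation line and use the noawait form: `activate-noawait update-initramfs`, `interest-noawait /usr`, `interest-noawait /opt`. Note also that `/boot` is outside both new paths, so the `mmap-rnd-bits` regeneration the old `interest-noawait /boot` entry provided may not fire for kernel image installs whose files are recorded under /boot and /lib rather than /usr.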
From: Patrick Schleizer Date: Wed, 17 Jan 2024 13:39:56 -0500 Subject: [PATCH 289/846] usrmerge fixes https://github.com/Kicksecure/security-misc/issues/190 --- debian/security-misc.install | 1 - etc/initramfs-tools/hooks/sysctl-initramfs | 2 +- etc/modprobe.d/30_security-misc.conf | 102 +++++++++--------- etc/permission-hardener.d/30_default.conf | 20 ++-- .../bin}/disabled-bluetooth-by-security-misc | 0 .../bin}/disabled-cdrom-by-security-misc | 0 .../bin}/disabled-filesys-by-security-misc | 0 .../bin}/disabled-firewire-by-security-misc | 0 .../bin}/disabled-intelme-by-security-misc | 0 .../bin}/disabled-msr-by-security-misc | 0 .../bin}/disabled-netfilesys-by-security-misc | 0 .../bin}/disabled-network-by-security-misc | 0 .../disabled-thunderbolt-by-security-misc | 0 .../bin}/disabled-vivid-by-security-misc | 0 usr/bin/permission-hardener | 2 +- .../coredump.conf.d/30_security-misc.conf | 0 .../system-preset/50-security-misc.preset | 0 .../system/harden-module-loading.service | 0 .../haveged.service.d/30_security-misc.conf | 0 .../systemd/system/hide-hardware-info.service | 0 .../system/permission-hardener.service | 0 .../lib}/systemd/system/proc-hidepid.service | 0 .../systemd/system/remount-secure.service | 0 .../systemd/system/remove-system-map.service | 0 .../lib}/systemd/system/sysinit-post.target | 0 .../systemd/system/user@.service.d/sysfs.conf | 0 .../lkrg/30-lkrg-virtualbox.conf | 4 +- 27 files changed, 65 insertions(+), 66 deletions(-) rename {bin => usr/bin}/disabled-bluetooth-by-security-misc (100%) rename {bin => usr/bin}/disabled-cdrom-by-security-misc (100%) rename {bin => usr/bin}/disabled-filesys-by-security-misc (100%) rename {bin => usr/bin}/disabled-firewire-by-security-misc (100%) rename {bin => usr/bin}/disabled-intelme-by-security-misc (100%) rename {bin => usr/bin}/disabled-msr-by-security-misc (100%) rename {bin => usr/bin}/disabled-netfilesys-by-security-misc (100%) rename {bin => usr/bin}/disabled-network-by-security-misc (100%) 
rename {bin => usr/bin}/disabled-thunderbolt-by-security-misc (100%) rename {bin => usr/bin}/disabled-vivid-by-security-misc (100%) rename {lib => usr/lib}/systemd/coredump.conf.d/30_security-misc.conf (100%) rename {lib => usr/lib}/systemd/system-preset/50-security-misc.preset (100%) rename {lib => usr/lib}/systemd/system/harden-module-loading.service (100%) rename {lib => usr/lib}/systemd/system/haveged.service.d/30_security-misc.conf (100%) rename {lib => usr/lib}/systemd/system/hide-hardware-info.service (100%) rename {lib => usr/lib}/systemd/system/permission-hardener.service (100%) rename {lib => usr/lib}/systemd/system/proc-hidepid.service (100%) rename {lib => usr/lib}/systemd/system/remount-secure.service (100%) rename {lib => usr/lib}/systemd/system/remove-system-map.service (100%) rename {lib => usr/lib}/systemd/system/sysinit-post.target (100%) rename {lib => usr/lib}/systemd/system/user@.service.d/sysfs.conf (100%) diff --git a/debian/security-misc.install b/debian/security-misc.install index 126a525..ea6d791 100644 --- a/debian/security-misc.install +++ b/debian/security-misc.install @@ -5,6 +5,5 @@ bin/* etc/* -lib/* usr/* var/* diff --git a/etc/initramfs-tools/hooks/sysctl-initramfs b/etc/initramfs-tools/hooks/sysctl-initramfs index f1e3589..1a80c8f 100755 --- a/etc/initramfs-tools/hooks/sysctl-initramfs +++ b/etc/initramfs-tools/hooks/sysctl-initramfs @@ -18,4 +18,4 @@ prereqs) esac . /usr/share/initramfs-tools/hook-functions -copy_exec /sbin/sysctl /sbin +copy_exec /usr/sbin/sysctl /usr/sbin diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf index a01ed81..24ee928 100644 --- a/etc/modprobe.d/30_security-misc.conf +++ b/etc/modprobe.d/30_security-misc.conf 
@@ -14,78 +14,78 @@ options nf_conntrack nf_conntrack_helper=0 # ## Now replaced by a privacy and security preserving default bluetooth configuration for better usability # -# install bluetooth /bin/disabled-bluetooth-by-security-misc -# install btusb /bin/disabled-bluetooth-by-security-misc +# install bluetooth /usr/bin/disabled-bluetooth-by-security-misc +# install btusb /usr/bin/disabled-bluetooth-by-security-misc ## Disable thunderbolt and firewire modules to prevent some DMA attacks -install thunderbolt /bin/disabled-thunderbolt-by-security-misc -install firewire-core /bin/disabled-firewire-by-security-misc -install firewire_core /bin/disabled-firewire-by-security-misc -install firewire-ohci /bin/disabled-firewire-by-security-misc -install firewire_ohci /bin/disabled-firewire-by-security-misc -install firewire_sbp2 /bin/disabled-firewire-by-security-misc -install firewire-sbp2 /bin/disabled-firewire-by-security-misc -install ohci1394 /bin/disabled-firewire-by-security-misc -install sbp2 /bin/disabled-firewire-by-security-misc -install dv1394 /bin/disabled-firewire-by-security-misc -install raw1394 /bin/disabled-firewire-by-security-misc -install video1394 /bin/disabled-firewire-by-security-misc +install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc +install firewire-core /usr/bin/disabled-firewire-by-security-misc +install firewire_core /usr/bin/disabled-firewire-by-security-misc +install firewire-ohci /usr/bin/disabled-firewire-by-security-misc +install firewire_ohci /usr/bin/disabled-firewire-by-security-misc +install firewire_sbp2 /usr/bin/disabled-firewire-by-security-misc +install firewire-sbp2 /usr/bin/disabled-firewire-by-security-misc +install ohci1394 /usr/bin/disabled-firewire-by-security-misc +install sbp2 /usr/bin/disabled-firewire-by-security-misc +install dv1394 /usr/bin/disabled-firewire-by-security-misc +install raw1394 /usr/bin/disabled-firewire-by-security-misc +install video1394 /usr/bin/disabled-firewire-by-security-misc ## 
Disable CPU MSRs as they can be abused to write to arbitrary memory. ## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode -install msr /bin/disabled-msr-by-security-misc +install msr /usr/bin/disabled-msr-by-security-misc ## Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties. ## Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these. ## > Debian ships a long list of modules for wide support of devices, filesystems, protocols. Some of these modules have a pretty bad security track record, and some of those are simply not used by most of our users. ## > Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record. -install dccp /bin/disabled-network-by-security-misc -install sctp /bin/disabled-network-by-security-misc -install rds /bin/disabled-network-by-security-misc -install tipc /bin/disabled-network-by-security-misc -install n-hdlc /bin/disabled-network-by-security-misc -install ax25 /bin/disabled-network-by-security-misc -install netrom /bin/disabled-network-by-security-misc -install x25 /bin/disabled-network-by-security-misc -install rose /bin/disabled-network-by-security-misc -install decnet /bin/disabled-network-by-security-misc -install econet /bin/disabled-network-by-security-misc -install af_802154 /bin/disabled-network-by-security-misc -install ipx /bin/disabled-network-by-security-misc -install appletalk /bin/disabled-network-by-security-misc -install psnap /bin/disabled-network-by-security-misc -install p8023 /bin/disabled-network-by-security-misc -install p8022 /bin/disabled-network-by-security-misc -install can /bin/disabled-network-by-security-misc -install atm /bin/disabled-network-by-security-misc +install dccp /usr/bin/disabled-network-by-security-misc +install sctp 
/usr/bin/disabled-network-by-security-misc +install rds /usr/bin/disabled-network-by-security-misc +install tipc /usr/bin/disabled-network-by-security-misc +install n-hdlc /usr/bin/disabled-network-by-security-misc +install ax25 /usr/bin/disabled-network-by-security-misc +install netrom /usr/bin/disabled-network-by-security-misc +install x25 /usr/bin/disabled-network-by-security-misc +install rose /usr/bin/disabled-network-by-security-misc +install decnet /usr/bin/disabled-network-by-security-misc +install econet /usr/bin/disabled-network-by-security-misc +install af_802154 /usr/bin/disabled-network-by-security-misc +install ipx /usr/bin/disabled-network-by-security-misc +install appletalk /usr/bin/disabled-network-by-security-misc +install psnap /usr/bin/disabled-network-by-security-misc +install p8023 /usr/bin/disabled-network-by-security-misc +install p8022 /usr/bin/disabled-network-by-security-misc +install can /usr/bin/disabled-network-by-security-misc +install atm /usr/bin/disabled-network-by-security-misc ## Disable uncommon file systems to reduce attack surface ## HFS and HFS+ are legacy Apple filesystems that may be required depending on the EFI parition format -install cramfs /bin/disabled-filesys-by-security-misc -install freevxfs /bin/disabled-filesys-by-security-misc -install jffs2 /bin/disabled-filesys-by-security-misc -install hfs /bin/disabled-filesys-by-security-misc -install hfsplus /bin/disabled-filesys-by-security-misc -install udf /bin/disabled-filesys-by-security-misc +install cramfs /usr/bin/disabled-filesys-by-security-misc +install freevxfs /usr/bin/disabled-filesys-by-security-misc +install jffs2 /usr/bin/disabled-filesys-by-security-misc +install hfs /usr/bin/disabled-filesys-by-security-misc +install hfsplus /usr/bin/disabled-filesys-by-security-misc +install udf /usr/bin/disabled-filesys-by-security-misc ## Disable uncommon network file systems to reduce attack surface -install cifs /bin/disabled-netfilesys-by-security-misc -install nfs 
/bin/disabled-netfilesys-by-security-misc -install nfsv3 /bin/disabled-netfilesys-by-security-misc -install nfsv4 /bin/disabled-netfilesys-by-security-misc -install ksmbd /bin/disabled-netfilesys-by-security-misc -install gfs2 /bin/disabled-netfilesys-by-security-misc +install cifs /usr/bin/disabled-netfilesys-by-security-misc +install nfs /usr/bin/disabled-netfilesys-by-security-misc +install nfsv3 /usr/bin/disabled-netfilesys-by-security-misc +install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc +install ksmbd /usr/bin/disabled-netfilesys-by-security-misc +install gfs2 /usr/bin/disabled-netfilesys-by-security-misc ## Disables the vivid kernel module as it's only required for testing and has been the cause of multiple vulnerabilities ## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233 ## https://www.openwall.com/lists/oss-security/2019/11/02/1 ## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475 -install vivid /bin/disabled-vivid-by-security-misc +install vivid /usr/bin/disabled-vivid-by-security-misc ## Disable Intel Management Engine (ME) interface with the OS ## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html -install mei /bin/disabled-intelme-by-security-misc -install mei-me /bin/disabled-intelme-by-security-misc +install mei /usr/bin/disabled-intelme-by-security-misc +install mei-me /usr/bin/disabled-intelme-by-security-misc ## Blacklist automatic loading of the Atheros 5K RF MACs madwifi driver ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco 
@@ -143,7 +143,7 @@ blacklist udlfb ## Disable CD-ROM devices ## https://nvd.nist.gov/vuln/detail/CVE-2018-11506 ## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31 -#install cdrom /bin/disabled-cdrom-by-security-misc -#install sr_mod /bin/disabled-cdrom-by-security-misc +#install cdrom /usr/bin/disabled-cdrom-by-security-misc +#install sr_mod /usr/bin/disabled-cdrom-by-security-misc blacklist cdrom blacklist sr_mod diff --git a/etc/permission-hardener.d/30_default.conf b/etc/permission-hardener.d/30_default.conf index 0d5ea8a..f1ec473 100644 --- a/etc/permission-hardener.d/30_default.conf +++ b/etc/permission-hardener.d/30_default.conf @@ -36,14 +36,14 @@ ## In case you need to use 'su'. See also: ## https://www.kicksecure.com/wiki/root#su -#/bin/su exactwhitelist +#/usr/bin/su exactwhitelist #/usr/bin/su exactwhitelist ## https://manpages.debian.org/xserver-xorg-legacy/Xorg.wrap.1.en.html ## https://lwn.net/Articles/590315/ ## https://forums.whonix.org/t/suid-disabler-and-permission-hardener/7706/35 #/usr/lib/xorg/Xorg.wrap whitelist -#/lib/xorg/Xorg.wrap whitelist +#/usr/lib/xorg/Xorg.wrap whitelist ###################################################################### # SUID whitelist matches in any section of the path: matchwhitelist @@ -51,7 +51,7 @@ ## Examples below are already configured: #ssh-agent matchwhitelist -#/lib/openssh matchwhitelist +#/usr/lib/openssh matchwhitelist ###################################################################### # Permission Hardening @@ -62,7 +62,7 @@ /boot/ 0700 root root /etc/permission-hardener.d 0600 root root /usr/local/etc/permission-hardener.d 0600 root root -/lib/modules/ 0700 root root +/usr/lib/modules/ 0700 root root /usr/src 0700 root root /etc/cups/cupsd.conf 0400 root root /etc/syslog.conf 0600 root root 
@@ -93,25 +93,25 @@ ## ## Remove all SUID/SGID binaries/libraries. -/bin/ nosuid +/usr/bin/ nosuid /usr/local/bin/ nosuid /usr/bin/ nosuid /usr/local/usr/bin/ nosuid -/sbin/ nosuid +/usr/sbin/ nosuid /usr/local/sbin/ nosuid /usr/sbin/ nosuid /usr/local/usr/sbin/ nosuid -/lib/ nosuid +/usr/lib/ nosuid /usr/local/lib/ nosuid -/lib32/ nosuid +/usr/lib32/ nosuid /usr/local/lib32/ nosuid -/lib64/ nosuid +/usr/lib64/ nosuid /usr/local/lib64/ nosuid /usr/lib/ nosuid @@ -134,7 +134,7 @@ ## Ping doesn't work with Tor anyway so its capabilities are removed to ## reduce attack surface. ## anon-apps-config does this. -#/bin/ping 0744 root root none +#/usr/bin/ping 0744 root root none ## TODO: research #/usr/lib/x86_64-linux-gnu/gstreamer1.0/grstreamer-1.0/gst-ptp-helper 0744 root root none diff --git a/bin/disabled-bluetooth-by-security-misc b/usr/bin/disabled-bluetooth-by-security-misc similarity index 100% rename from bin/disabled-bluetooth-by-security-misc rename to usr/bin/disabled-bluetooth-by-security-misc diff --git a/bin/disabled-cdrom-by-security-misc b/usr/bin/disabled-cdrom-by-security-misc similarity index 100% rename from bin/disabled-cdrom-by-security-misc rename to usr/bin/disabled-cdrom-by-security-misc diff --git a/bin/disabled-filesys-by-security-misc b/usr/bin/disabled-filesys-by-security-misc similarity index 100% rename from bin/disabled-filesys-by-security-misc rename to usr/bin/disabled-filesys-by-security-misc diff --git a/bin/disabled-firewire-by-security-misc b/usr/bin/disabled-firewire-by-security-misc similarity index 100% rename from bin/disabled-firewire-by-security-misc rename to usr/bin/disabled-firewire-by-security-misc diff --git a/bin/disabled-intelme-by-security-misc b/usr/bin/disabled-intelme-by-security-misc similarity index 100% rename from bin/disabled-intelme-by-security-misc rename to usr/bin/disabled-intelme-by-security-misc 
diff --git a/bin/disabled-msr-by-security-misc b/usr/bin/disabled-msr-by-security-misc similarity index 100% rename from bin/disabled-msr-by-security-misc rename to usr/bin/disabled-msr-by-security-misc diff --git a/bin/disabled-netfilesys-by-security-misc b/usr/bin/disabled-netfilesys-by-security-misc similarity index 100% rename from bin/disabled-netfilesys-by-security-misc rename to usr/bin/disabled-netfilesys-by-security-misc diff --git a/bin/disabled-network-by-security-misc b/usr/bin/disabled-network-by-security-misc similarity index 100% rename from bin/disabled-network-by-security-misc rename to usr/bin/disabled-network-by-security-misc diff --git a/bin/disabled-thunderbolt-by-security-misc b/usr/bin/disabled-thunderbolt-by-security-misc similarity index 100% rename from bin/disabled-thunderbolt-by-security-misc rename to usr/bin/disabled-thunderbolt-by-security-misc diff --git a/bin/disabled-vivid-by-security-misc b/usr/bin/disabled-vivid-by-security-misc similarity index 100% rename from bin/disabled-vivid-by-security-misc rename to usr/bin/disabled-vivid-by-security-misc diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 4831581..2e5df3d 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -221,7 +221,7 @@ add_nosuid_statoverride_entry() { # shellcheck disable=SC2086 echo_wrapper_silent_audit dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${existing_owner}" "${existing_group}" "${new_mode}" "${file_name}" - ## /lib will hit ARG_MAX if using bash 'shopt -s globstar' and '/lib/**'. + ## /usr/lib will hit ARG_MAX if using bash 'shopt -s globstar' and '/usr/lib/**'. ## Using 'find' with '-perm /u=s,g=s' is faster and avoids ARG_MAX. ## https://forums.whonix.org/t/disable-suid-binaries/7706/17 done < <(find "${fso_to_process}" -perm /u=s,g=s -print0 | xargs -I{} -0 stat -c "%n %a %U %G" {}) 
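Review bot: The loop this comment belongs to feeds `stat -c "%n %a %U %G"` output to a reader that, given the four fields, presumably splits on whitespace, so a set-uid file whose name contains a space (or a newline) shifts the mode/owner/group fields and the `dpkg-statoverride --add` call above either fails or records the wrong path — the bit is left in place, which for a SUID disabler is a fail-open case. Since the `find` already uses `-print0`, the cleanest fix is to keep NUL framing through `stat`: `find "${fso_to_process}" -perm /u=s,g=s -print0 | xargs -0 stat --printf '%n\0%a\0%U\0%G\0'` read with `while IFS= read -r -d '' file_name && IFS= read -r -d '' existing_mode && IFS= read -r -d '' existing_owner && IFS= read -r -d '' existing_group; do`. Dropping `-I{}` also lets xargs batch files per `stat` invocation instead of spawning one process per file. The `while` head and the enclosing function `add_nosuid_statoverride_entry` start outside the hunk.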
diff --git a/lib/systemd/coredump.conf.d/30_security-misc.conf b/usr/lib/systemd/coredump.conf.d/30_security-misc.conf similarity index 100% rename from lib/systemd/coredump.conf.d/30_security-misc.conf rename to usr/lib/systemd/coredump.conf.d/30_security-misc.conf diff --git a/lib/systemd/system-preset/50-security-misc.preset b/usr/lib/systemd/system-preset/50-security-misc.preset similarity index 100% rename from lib/systemd/system-preset/50-security-misc.preset rename to usr/lib/systemd/system-preset/50-security-misc.preset diff --git a/lib/systemd/system/harden-module-loading.service b/usr/lib/systemd/system/harden-module-loading.service similarity index 100% rename from lib/systemd/system/harden-module-loading.service rename to usr/lib/systemd/system/harden-module-loading.service diff --git a/lib/systemd/system/haveged.service.d/30_security-misc.conf b/usr/lib/systemd/system/haveged.service.d/30_security-misc.conf similarity index 100% rename from lib/systemd/system/haveged.service.d/30_security-misc.conf rename to usr/lib/systemd/system/haveged.service.d/30_security-misc.conf diff --git a/lib/systemd/system/hide-hardware-info.service b/usr/lib/systemd/system/hide-hardware-info.service similarity index 100% rename from lib/systemd/system/hide-hardware-info.service rename to usr/lib/systemd/system/hide-hardware-info.service diff --git a/lib/systemd/system/permission-hardener.service b/usr/lib/systemd/system/permission-hardener.service similarity index 100% rename from lib/systemd/system/permission-hardener.service rename to usr/lib/systemd/system/permission-hardener.service diff --git a/lib/systemd/system/proc-hidepid.service b/usr/lib/systemd/system/proc-hidepid.service similarity index 100% rename from lib/systemd/system/proc-hidepid.service rename to usr/lib/systemd/system/proc-hidepid.service 
diff --git a/lib/systemd/system/remount-secure.service b/usr/lib/systemd/system/remount-secure.service similarity index 100% rename from lib/systemd/system/remount-secure.service rename to usr/lib/systemd/system/remount-secure.service diff --git a/lib/systemd/system/remove-system-map.service b/usr/lib/systemd/system/remove-system-map.service similarity index 100% rename from lib/systemd/system/remove-system-map.service rename to usr/lib/systemd/system/remove-system-map.service diff --git a/lib/systemd/system/sysinit-post.target b/usr/lib/systemd/system/sysinit-post.target similarity index 100% rename from lib/systemd/system/sysinit-post.target rename to usr/lib/systemd/system/sysinit-post.target diff --git a/lib/systemd/system/user@.service.d/sysfs.conf b/usr/lib/systemd/system/user@.service.d/sysfs.conf similarity index 100% rename from lib/systemd/system/user@.service.d/sysfs.conf rename to usr/lib/systemd/system/user@.service.d/sysfs.conf diff --git a/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf b/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf index 1336b2c..c94e65e 100644 --- a/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf +++ b/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf @@ -15,7 +15,7 @@ ## /etc/sysctl.d/30-lkrg-virtualbox.conf ## by package security-misc, files: ## /usr/share/security-misc/lkrg/lkrg-virtualbox -## /lib/systemd/system/lkrg.service.d/40-virtualbox.conf +## /usr/lib/systemd/system/lkrg.service.d/40-virtualbox.conf ## https://forums.whonix.org/t/linux-kernel-runtime-guard-lkrg-linux-kernel-runtime-integrity-checking-and-exploit-detection/8477/32 ## https://www.openwall.com/lists/lkrg-users/2020/01/24/2 
@@ -24,7 +24,7 @@ ## https://github.com/openwall/lkrg/blob/main/scripts/bootup/lkrg.conf ## https://github.com/openwall/lkrg/blob/main/scripts/bootup/systemd/lkrg.service ## /etc/sysctl.d/30-lkrg-dkms.conf -## /lib/systemd/system/lkrg.service +## /usr/lib/systemd/system/lkrg.service ## https://github.com/openwall/lkrg/issues/82#issuecomment-886188999 lkrg.pcfi_validate = 1 From 011e55e3e52485ccd728b4bb249efbc816f38806 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 17 Jan 2024 13:45:17 -0500 Subject: [PATCH 290/846] remove duplicates after usrmerge https://github.com/Kicksecure/security-misc/issues/190 --- etc/permission-hardener.d/30_default.conf | 7 ------- 1 file changed, 7 deletions(-) diff --git a/etc/permission-hardener.d/30_default.conf b/etc/permission-hardener.d/30_default.conf index f1ec473..5db32b2 100644 --- a/etc/permission-hardener.d/30_default.conf +++ b/etc/permission-hardener.d/30_default.conf @@ -37,13 +37,11 @@ ## In case you need to use 'su'. See also: ## https://www.kicksecure.com/wiki/root#su #/usr/bin/su exactwhitelist -#/usr/bin/su exactwhitelist ## https://manpages.debian.org/xserver-xorg-legacy/Xorg.wrap.1.en.html ## https://lwn.net/Articles/590315/ ## https://forums.whonix.org/t/suid-disabler-and-permission-hardener/7706/35 #/usr/lib/xorg/Xorg.wrap whitelist -#/usr/lib/xorg/Xorg.wrap whitelist ###################################################################### # SUID whitelist matches in any section of the path: matchwhitelist @@ -93,25 +91,20 @@ ## ## Remove all SUID/SGID binaries/libraries. -/usr/bin/ nosuid /usr/local/bin/ nosuid /usr/bin/ nosuid /usr/local/usr/bin/ nosuid -/usr/sbin/ nosuid /usr/local/sbin/ nosuid /usr/sbin/ nosuid /usr/local/usr/sbin/ nosuid -/usr/lib/ nosuid /usr/local/lib/ nosuid -/usr/lib32/ nosuid /usr/local/lib32/ nosuid -/usr/lib64/ nosuid /usr/local/lib64/ nosuid /usr/lib/ nosuid From 071b984a1eaaa8a8ea6a40e4ee36eabcde2d630d Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Wed, 17 Jan 2024 13:49:05 -0500 Subject: [PATCH 291/846] `sort -d` https://github.com/Kicksecure/security-misc/issues/190 --- etc/permission-hardener.d/30_default.conf | 41 +++++++++-------------- 1 file changed, 15 insertions(+), 26 deletions(-) diff --git a/etc/permission-hardener.d/30_default.conf b/etc/permission-hardener.d/30_default.conf index 5db32b2..d35ee5a 100644 --- a/etc/permission-hardener.d/30_default.conf +++ b/etc/permission-hardener.d/30_default.conf @@ -91,34 +91,23 @@ ## ## Remove all SUID/SGID binaries/libraries. -/usr/local/bin/ nosuid - -/usr/bin/ nosuid -/usr/local/usr/bin/ nosuid - -/usr/local/sbin/ nosuid - -/usr/sbin/ nosuid -/usr/local/usr/sbin/ nosuid - -/usr/local/lib/ nosuid - -/usr/local/lib32/ nosuid - -/usr/local/lib64/ nosuid - -/usr/lib/ nosuid -/usr/local/usr/lib/ nosuid - -/usr/lib32/ nosuid -/usr/local/usr/lib32/ nosuid - -/usr/lib64/ nosuid -/usr/local/usr/lib64/ nosuid - -## https://forums.whonix.org/t/suid-disabler-and-permission-hardener/7706/68 /opt/ nosuid +/usr/bin/ nosuid +/usr/lib32/ nosuid +/usr/lib64/ nosuid +/usr/lib/ nosuid +/usr/local/bin/ nosuid +/usr/local/lib32/ nosuid +/usr/local/lib64/ nosuid +/usr/local/lib/ nosuid /usr/local/opt/ nosuid +/usr/local/sbin/ nosuid +/usr/local/usr/bin/ nosuid +/usr/local/usr/lib32/ nosuid +/usr/local/usr/lib64/ nosuid +/usr/local/usr/lib/ nosuid +/usr/local/usr/sbin/ nosuid +/usr/sbin/ nosuid ###################################################################### # Capability Removal From 5a6cd4c2abd243c91575e9477a921aa290c68ba5 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 17 Jan 2024 13:51:30 -0500 Subject: [PATCH 292/846] remove now empty /bin from copying since it is empty after usrmerge https://github.com/Kicksecure/security-misc/issues/190 --- debian/security-misc.install | 1 - 1 file changed, 1 deletion(-) diff --git a/debian/security-misc.install b/debian/security-misc.install index ea6d791..9cea19c 100644 
--- a/debian/security-misc.install +++ b/debian/security-misc.install @@ -3,7 +3,6 @@ ## This file was generated using 'genmkfile debinstfile'. -bin/* etc/* usr/* var/* From 3048e0ac76e4eba1c53b43ba2424157505578cdd Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 17 Jan 2024 13:54:07 -0500 Subject: [PATCH 293/846] usrmerge https://github.com/Kicksecure/security-misc/issues/190 --- usr/share/lintian/overrides/security-misc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/share/lintian/overrides/security-misc b/usr/share/lintian/overrides/security-misc index 7d34486..69081ee 100644 --- a/usr/share/lintian/overrides/security-misc +++ b/usr/share/lintian/overrides/security-misc @@ -14,4 +14,4 @@ security-misc: file-in-unusual-dir [var/cache/security-misc/state-files/placehol security-misc: uses-dpkg-database-directly [usr/bin/remount-secure] ## Special target to make sure this runs as non-parallelized as possible to avoid race conditions. -security-misc: systemd-service-file-refers-to-unusual-wantedby-target sysinit-post.target [lib/systemd/system/remount-secure.service] +security-misc: systemd-service-file-refers-to-unusual-wantedby-target sysinit-post.target [usr/lib/systemd/system/remount-secure.service] From 08619d6a7307b6ab05a3ba7e71ea33b00db20b27 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 17 Jan 2024 13:59:36 -0500 Subject: [PATCH 294/846] minor RPM updates https://github.com/Kicksecure/security-misc/issues/160 --- rpm_spec/security-misc.spec.in | 47 ++-------------------------------- 1 file changed, 2 insertions(+), 45 deletions(-) diff --git a/rpm_spec/security-misc.spec.in b/rpm_spec/security-misc.spec.in index 289cd42..e922b76 100644 --- a/rpm_spec/security-misc.spec.in +++ b/rpm_spec/security-misc.spec.in 
@@ -4,7 +4,7 @@ Release: 1%{?dist} Summary: enhances misc security settings License: AGPL-3+ -URL: https://github.com/Whonix/security-misc +URL: https://github.com/Kicksecure/security-misc Source0: %{name}-%{version}.tar.xz BuildRequires: dpkg-dev 
@@ -13,50 +13,7 @@ Requires: make BuildArch: noarch %description -The following settings are changed: - -deactivates previews in Dolphin; -deactivates previews in Nautilus; -deactivates thumbnails in Thunar; -deactivates TCP timestamps; -deactivates Netfilter's connection tracking helper; - -TCP time stamps (RFC 1323) allow for tracking clock -information with millisecond resolution. This may or may not allow an -attacker to learn information about the system clock at such -a resolution, depending on various issues such as network lag. -This information is available to anyone who monitors the network -somewhere between the attacked system and the destination server. -It may allow an attacker to find out how long a given -system has been running, and to distinguish several -systems running behind NAT and using the same IP address. It might -also allow one to look for clocks that match an expected value to find the -public IP used by a user. - -Hence, this package disables this feature by shipping the -/etc/sysctl.d/tcp_timestamps.conf configuration file. - -Note that TCP time stamps normally have some usefulness. They are -needed for: - -* the TCP protection against wrapped sequence numbers; however, to - trigger a wrap, one needs to send roughly 2^32 packets in one - minute: as said in RFC 1700, "The current recommended default - time to live (TTL) for the Internet Protocol (IP) [45,105] is 64". - So, this probably won't be a practical problem in the context - of Anonymity Distributions. - -* "Round-Trip Time Measurement", which is only useful when the user - manages to saturate their connection. When using Anonymity Distributions, - probably the limiting factor for transmission speed is rarely the capacity - of the user connection. - -Netfilter's connection tracking helper module increases kernel attack -surface by enabling superfluous functionality such as IRC parsing in -the kernel. (!) 
- -Hence, this package disables this feature by shipping the -/etc/sysctl.d/nf_conntrack_helper.conf configuration file. +See README. %prep %setup -q From 314e5b490c6864b745fbf5fd6d9bb2c724d478b8 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 17 Jan 2024 14:03:09 -0500 Subject: [PATCH 295/846] use wildcards instead of outdated, incomplete list https://github.com/Kicksecure/security-misc/issues/160 --- rpm_spec/security-misc.spec.in | 44 +++------------------------------- 1 file changed, 3 insertions(+), 41 deletions(-) diff --git a/rpm_spec/security-misc.spec.in b/rpm_spec/security-misc.spec.in index e922b76..b42625e 100644 --- a/rpm_spec/security-misc.spec.in +++ b/rpm_spec/security-misc.spec.in 
@@ -29,47 +29,9 @@ make %{?_smp_mflags} %files %license debian/copyright -/etc/X11/Xsession.d/50panic_on_oops -/etc/X11/Xsession.d/50security-misc -/etc/apparmor.d/tunables/home.d/security-misc -/etc/apt/apt.conf.d/40sandbox -/etc/default/grub.d/40_enable_iommu.cfg -/etc/default/grub.d/40_kernel_hardening.cfg -/etc/login.defs.security-misc -/etc/modprobe.d/30_nf_conntrack_helper_disable.conf -/etc/modprobe.d/blacklist-dma.conf -/etc/modprobe.d/uncommon-network-protocols.conf -/etc/securetty.security-misc -/etc/security/limits.d/disable-coredumps.conf -/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml -/etc/sudoers.d/security-misc -/etc/sysctl.d/coredumps.conf -/etc/sysctl.d/dmesg_restrict.conf -/etc/sysctl.d/fs_protected.conf -/etc/sysctl.d/harden_bpf.conf -/etc/sysctl.d/kexec.conf -/etc/sysctl.d/kptr_restrict.conf -/etc/sysctl.d/mmap_aslr.conf -/etc/sysctl.d/ptrace_scope.conf -/etc/sysctl.d/suid_dumpable.conf -/etc/sysctl.d/sysrq.conf -/etc/sysctl.d/tcp_hardening.conf -/etc/sysctl.d/tcp_sack.conf -/etc/sysctl.d/tcp_timestamps.conf -/etc/systemd/system/emergency.service.d/override.conf -/etc/systemd/system/rescue.service.d/override.conf -/lib/systemd/coredump.conf.d/disable-coredumps.conf -/lib/systemd/system/proc-hidepid.service -/lib/systemd/system/remove-system-map.service -/usr/libexec/security-misc/apt-get-update -/usr/libexec/security-misc/apt-get-update-sanity-test -/usr/libexec/security-misc/panic-on-oops -/usr/libexec/security-misc/remove-system.map -/usr/share/glib-2.0/schemas/30_security-misc.gschema.override -/usr/share/lintian/overrides/security-misc -/usr/share/pam-configs/usergroups -/usr/share/pam-configs/wheel -/usr/share/security-misc/dolphinrc +/etc/* +/lib/* +/usr/* %changelog @CHANGELOG@ From f0e2a82b558f64611f037424c6f8f12de32737f6 Mon Sep 17 00:00:00 2001 
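Review bot: The replacement `%files` list owns `/etc/*` without any `%config` attribute, so on an RPM upgrade every shipped file under /etc is replaced unconditionally and a locally edited hardening setting is silently overwritten (the per-file list it replaces had the same gap, but the wildcard now also picks up any file added later). State the intended policy explicitly, e.g. `%config(noreplace) /etc/*` if the glob resolves to files only, or one `%config` entry per directory, and record the choice in a comment above `%files`. The `/lib/*` entry sitting next to `/usr/*` is also questionable after the usrmerge commits earlier in this series (the lintian override was moved to usr/lib/systemd/system): on a merged-/usr build host it may resolve to nothing or to the same files as `/usr/*`, which rpmbuild reports as files listed twice, so it is worth checking with a build.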
From: Patrick Schleizer Date: Wed, 17 Jan 2024 19:18:25 +0000 Subject: [PATCH 296/846] bumped changelog version --- changelog.upstream | 74 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++ 2 files changed, 80 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 316c98d..cd78b32 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,77 @@ +commit 314e5b490c6864b745fbf5fd6d9bb2c724d478b8 +Author: Patrick Schleizer +Date: Wed Jan 17 14:03:09 2024 -0500 + + use wildcards + + instead of outdated, incomplete list + + https://github.com/Kicksecure/security-misc/issues/160 + +commit 08619d6a7307b6ab05a3ba7e71ea33b00db20b27 +Author: Patrick Schleizer +Date: Wed Jan 17 13:59:36 2024 -0500 + + minor RPM updates + + https://github.com/Kicksecure/security-misc/issues/160 + +commit 3048e0ac76e4eba1c53b43ba2424157505578cdd +Author: Patrick Schleizer +Date: Wed Jan 17 13:54:07 2024 -0500 + + usrmerge + + https://github.com/Kicksecure/security-misc/issues/190 + +commit 5a6cd4c2abd243c91575e9477a921aa290c68ba5 +Author: Patrick Schleizer +Date: Wed Jan 17 13:51:30 2024 -0500 + + remove now empty /bin from copying since it is empty after usrmerge + + https://github.com/Kicksecure/security-misc/issues/190 + +commit 071b984a1eaaa8a8ea6a40e4ee36eabcde2d630d +Author: Patrick Schleizer +Date: Wed Jan 17 13:49:05 2024 -0500 + + `sort -d` + + https://github.com/Kicksecure/security-misc/issues/190 + +commit 011e55e3e52485ccd728b4bb249efbc816f38806 +Author: Patrick Schleizer +Date: Wed Jan 17 13:45:17 2024 -0500 + + remove duplicates after usrmerge + + https://github.com/Kicksecure/security-misc/issues/190 + +commit 0efee2f50fd38feade7700c2f033cc3d4c200d34 +Author: Patrick Schleizer +Date: Wed Jan 17 13:39:56 2024 -0500 + + usrmerge + + fixes https://github.com/Kicksecure/security-misc/issues/190 + +commit 18a06935e0cca3dc090643aad406d861e4583085 +Author: Patrick Schleizer +Date: Wed Jan 17 13:23:20 2024 -0500 + + run permission hardener when new packages are install files to /usr or /opt + + (basically anywhere) + + fixes https://github.com/Kicksecure/security-misc/issues/189 + +commit 66e6371221c3395a0523e30e8ef1a051d3e6cdd0 +Author: Patrick Schleizer +Date: Tue Jan 16 14:26:34 2024 +0000 + + bumped changelog version + commit 0d78ecaee37536379ad2f230f45904f57425cb19 Author: Patrick Schleizer Date: Tue Jan 16 
09:26:21 2024 -0500 diff --git a/debian/changelog b/debian/changelog index cbf6a0b..fd07f91 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:35.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 17 Jan 2024 19:18:24 +0000 + security-misc (3:35.4-1) unstable; urgency=medium * New upstream version (local package). From 1855fa08b1386b1ea8697767104e7ad0f1521c9c Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 18 Jan 2024 08:54:39 -0500 Subject: [PATCH 297/846] readme --- README_generic.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README_generic.md b/README_generic.md index e5c0e76..787af72 100644 --- a/README_generic.md +++ b/README_generic.md @@ -1,8 +1,8 @@ # Enhances Miscellaneous Security Settings # -https://github.com/Whonix/security-misc/blob/master/README.md +https://github.com/Kicksecure/security-misc/blob/master/README.md -https://www.whonix.org/wiki/Security-misc +https://www.kicksecure.com/wiki/Security-misc Discussion: From 64e41b113cae893d1f27f441f99340389ba8b9b3 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 18 Jan 2024 14:10:51 +0000 Subject: [PATCH 298/846] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index cd78b32..8d8e04a 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit 1855fa08b1386b1ea8697767104e7ad0f1521c9c +Author: Patrick Schleizer +Date: Thu Jan 18 08:54:39 2024 -0500 + + readme + +commit f0e2a82b558f64611f037424c6f8f12de32737f6 +Author: Patrick Schleizer +Date: Wed Jan 17 19:18:25 2024 +0000 + + bumped changelog version + commit 314e5b490c6864b745fbf5fd6d9bb2c724d478b8 Author: Patrick Schleizer Date: Wed Jan 17 14:03:09 2024 -0500 diff --git a/debian/changelog b/debian/changelog index fd07f91..eb6d894 100644 --- a/debian/changelog 
+++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:35.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 18 Jan 2024 14:10:50 +0000 + security-misc (3:35.5-1) unstable; urgency=medium * New upstream version (local package). From 185bfe749787a8c6e93103ae8c6b0751a169e276 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 25 Jan 2024 06:54:36 -0500 Subject: [PATCH 299/846] use `interest-noawait` instead of `interest-await` fixes https://github.com/Kicksecure/security-misc/issues/196 --- debian/security-misc.triggers | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/debian/security-misc.triggers b/debian/security-misc.triggers index bcfd1c5..f425076 100644 --- a/debian/security-misc.triggers +++ b/debian/security-misc.triggers @@ -1,5 +1,6 @@ ## Copyright (C) 2024 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -interest-await /usr -interest-await /opt +## https://github.com/Kicksecure/security-misc/issues/196 +interest-noawait /usr +interest-noawait /opt From 8037ce52f96dcc6f8007c1567daf38ff013352d6 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 25 Jan 2024 13:59:29 +0000 Subject: [PATCH 300/846] bumped changelog version --- changelog.upstream | 14 ++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 20 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 8d8e04a..5f202ec 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,17 @@ +commit 185bfe749787a8c6e93103ae8c6b0751a169e276 +Author: Patrick Schleizer +Date: Thu Jan 25 06:54:36 2024 -0500 + + use `interest-noawait` instead of `interest-await` + + fixes https://github.com/Kicksecure/security-misc/issues/196 + +commit 64e41b113cae893d1f27f441f99340389ba8b9b3 +Author: Patrick Schleizer +Date: Thu Jan 18 14:10:51 2024 +0000 + + bumped changelog version + commit 1855fa08b1386b1ea8697767104e7ad0f1521c9c Author: Patrick Schleizer Date: Thu Jan 18 08:54:39 2024 -0500 diff --git a/debian/changelog b/debian/changelog index eb6d894..9d49344 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:35.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 25 Jan 2024 13:59:29 +0000 + security-misc (3:35.6-1) unstable; urgency=medium * New upstream version (local package). From 4231155efa0970d2456b67cc89c8828b0766cf7f Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Mon, 29 Jan 2024 12:57:48 +0000 Subject: [PATCH 301/846] Add reference for kernel parameters --- etc/default/grub.d/40_cpu_mitigations.cfg | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index 1351206..e92d7cc 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg @@ -4,6 +4,7 @@ ## Enables all known mitigations for CPU vulnerabilities. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html +## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647 ## Enable mitigations for Spectre variant 2 (indirect branch speculation). From 4509a5fc95204080f2855849d22c7e05393455d9 Mon Sep 17 00:00:00 2001 
From: raja-grewal Date: Mon, 29 Jan 2024 12:58:14 +0000 Subject: [PATCH 302/846] Enable known mitigations for CPU vulnerabilities and disable SMT --- etc/default/grub.d/40_cpu_mitigations.cfg | 3 +++ 1 file changed, 3 insertions(+) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index e92d7cc..8bcf7c2 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg @@ -7,6 +7,9 @@ ## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647 +## Enable known mitigations for CPU vulnerabilities and disable SMT. +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt" + ## Enable mitigations for Spectre variant 2 (indirect branch speculation). ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html From 6c54e35027e86ec045102cd1d95f84aa30bc55c9 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Mon, 29 Jan 2024 12:58:51 +0000 Subject: [PATCH 303/846] Enable mitigations for RETBleed vulnerability and disable SMT --- etc/default/grub.d/40_cpu_mitigations.cfg | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index 8bcf7c2..e90579c 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg @@ -63,3 +63,8 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1d_flush=on" ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mmio_stale_data=full,nosmt" + +## Enable mitigations for RETBleed (Arbitrary Speculative Code Execution with +## Return Instructions) vulnerability and disable SMT. +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt" 
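Review bot: `mitigations=auto,nosmt` is appended as an aggregate knob directly above a block of explicit per-vulnerability parameters (`l1d_flush=on`, `mmio_stale_data=full,nosmt`, and the entries the next commits add), and nothing in the file says how the two are meant to interact; the kernel parameter documentation linked in this very hunk treats `mitigations=` as a curated aggregate of the arch-specific options, so a maintainer may reasonably wonder whether the explicit lines are redundant or override it. Suggest extending the new comment: `## Baseline; the explicit per-vulnerability parameters below are kept deliberately (see kernel-parameters.html for how they combine with mitigations=).` The `nosmt` part disables SMT/hyperthreading system-wide, a deliberate performance trade-off that deserves a sentence in the same comment.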
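Review bot: The new RETBleed comment block ends in a bare `##` line where the neighbouring `mmio_stale_data` block carries the kernel hw-vuln reference URL, so it reads as a placeholder that was never filled in. Either drop the dangling `##` or put the corresponding kernel admin-guide reference there (placeholder: `## <kernel.org hw-vuln page for retbleed>`), matching the convention of the sibling entries.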
From 139b10a9aad85018f87bdc4bb227e938f7955235 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Mon, 29 Jan 2024 12:59:13 +0000 Subject: [PATCH 304/846] Control RAS overflow mitigation on AMD Zen CPUs --- etc/default/grub.d/40_cpu_mitigations.cfg | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index e90579c..7c55707 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg @@ -68,3 +68,8 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mmio_stale_data=full,nosmt" ## Return Instructions) vulnerability and disable SMT. ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt" + +## Control RAS overflow mitigation on AMD Zen CPUs. +## +## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_rstack_overflow=safe-ret" From b16c99ab62a902b1f61b9d4fe63273cd614e757c Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Mon, 29 Jan 2024 13:39:40 +0000 Subject: [PATCH 305/846] Remove hardcoded `spec_rstack_overflow` setting --- etc/default/grub.d/40_cpu_mitigations.cfg | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index 7c55707..9bd9fc5 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg @@ -70,6 +70,8 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mmio_stale_data=full,nosmt" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt" ## Control RAS overflow mitigation on AMD Zen CPUs. +## The current default kernel parameter is 'spec_rstack_overflow=safe-ret' +## This default will used until provided sufficient evidence to modify. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_rstack_overflow=safe-ret" + 
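Review bot: The hunk that drops the hardcoded `spec_rstack_overflow=safe-ret` leaves an empty added line where the `GRUB_CMDLINE_LINUX` assignment was, so the file now ends with a comment block followed by a blank line, and the comment's second sentence `This default will used until provided sufficient evidence to modify.` is missing a verb. Suggest `## The kernel default is 'spec_rstack_overflow=safe-ret'; it is left unchanged until there is sufficient evidence to modify it.` and removing the trailing blank line. Keeping the explanation in place is good, since a reader of the preceding commit in this series would otherwise look for the dropped parameter.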
From ad9d913902d7e696f1114da74d84f9cdcb22bc25 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 3 Feb 2024 18:28:27 +0000 Subject: [PATCH 306/846] bumped changelog version --- changelog.upstream | 52 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 58 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 5f202ec..96f74e9 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,55 @@ +commit 02090da08cfd411314ffeeb6df95f73c701f06c6 +Merge: 8037ce5 ba13657 +Author: Patrick Schleizer +Date: Sat Feb 3 12:51:07 2024 -0500 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit ba13657d894f2f30d8deb7c08b85e5fbc1dcea21 +Merge: 8037ce5 b16c99a +Author: Patrick Schleizer +Date: Sat Feb 3 12:50:28 2024 -0500 + + Merge pull request #197 from raja-grewal/mitigations + + Additional Explicit CPU Mitigations + +commit b16c99ab62a902b1f61b9d4fe63273cd614e757c +Author: raja-grewal +Date: Mon Jan 29 13:39:40 2024 +0000 + + Remove hardcoded `spec_rstack_overflow` setting + +commit 139b10a9aad85018f87bdc4bb227e938f7955235 +Author: raja-grewal +Date: Mon Jan 29 12:59:13 2024 +0000 + + Control RAS overflow mitigation on AMD Zen CPUs + +commit 6c54e35027e86ec045102cd1d95f84aa30bc55c9 +Author: raja-grewal +Date: Mon Jan 29 12:58:51 2024 +0000 + + Enable mitigations for RETBleed vulnerability and disable SMT + +commit 4509a5fc95204080f2855849d22c7e05393455d9 +Author: raja-grewal +Date: Mon Jan 29 12:58:14 2024 +0000 + + Enable known mitigations for CPU vulnerabilities and disable SMT + +commit 4231155efa0970d2456b67cc89c8828b0766cf7f +Author: raja-grewal +Date: Mon Jan 29 12:57:48 2024 +0000 + + Add reference for kernel parameters + +commit 8037ce52f96dcc6f8007c1567daf38ff013352d6 +Author: Patrick Schleizer +Date: Thu Jan 25 13:59:29 2024 +0000 + + bumped changelog version + commit 185bfe749787a8c6e93103ae8c6b0751a169e276 Author: Patrick Schleizer Date: Thu Jan 25 06:54:36 2024 -0500 
diff --git a/debian/changelog b/debian/changelog index 9d49344..1b722e7 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:35.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 03 Feb 2024 18:28:26 +0000 + security-misc (3:35.7-1) unstable; urgency=medium * New upstream version (local package). From 38783faf60b85c4e855bf78c87e1c07765776b50 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 22 Feb 2024 05:58:53 -0500 Subject: [PATCH 307/846] add more bind mounts of mount options hardening as suggested in https://github.com/Kicksecure/security-misc/pull/202 --- usr/bin/remount-secure | 76 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 76 insertions(+) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 0a0c38e..65541d6 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -208,6 +208,13 @@ _boot() { remount_secure } +_boot_efi() { + ## TODO: new, test + mount_folder="$NEWROOT/boot/efi" + intended_mount_options="nosuid,nodev,noexec" + remount_secure +} + _run() { mount_folder="/run" ## https://lists.freedesktop.org/archives/systemd-devel/2015-February/028456.html @@ -229,6 +236,13 @@ _dev_shm() { remount_secure } +_sys() { + ## TODO: new, test + mount_folder="/sys" + intended_mount_options="nosuid,nodev,noexec" + remount_secure +} + _tmp() { mount_folder="$NEWROOT/tmp" intended_mount_options="nosuid,nodev${most_noexec_maybe}" 
@@ -255,12 +269,63 @@ _var() { remount_secure } +_usr() { + ## TODO: new, test + mount_folder="$NEWROOT/usr" + intended_mount_options="nodev" + remount_secure +} + _home() { mount_folder="$NEWROOT/home" intended_mount_options="nosuid,nodev${home_noexec_maybe}" remount_secure } +_root() { + ## TODO: new, test + mount_folder="$NEWROOT/root" + intended_mount_options="nosuid,nodev${home_noexec_maybe}" + remount_secure +} + +_srv() { + ## TODO: new, test + mount_folder="$NEWROOT/srv" + intended_mount_options="nosuid,nodev${home_noexec_maybe}" + remount_secure +} + +_media() { + ## TODO: new, test + mount_folder="$NEWROOT/media" + intended_mount_options="nosuid,nodev${home_noexec_maybe}" + remount_secure +} + +_mnt() { + ## TODO: new, test + mount_folder="$NEWROOT/mnt" + intended_mount_options="nosuid,nodev${home_noexec_maybe}" + remount_secure +} + +_opt() { + ## TODO: new, test + mount_folder="$NEWROOT/opt" + intended_mount_options="nosuid,nodev${home_noexec_maybe}" + remount_secure +} + +_etc() { + ## TODO: new, test + ## /etc cannot be noexec because various executables are there. To find, run: + ## sudo find /etc -executable + mount_folder="$NEWROOT/etc" + intended_mount_options="nosuid,nodev" + remount_secure +} + end() { ## Debugging. #$output_command "INFO: 'findmnt --list' output at the END." @@ -277,6 +342,7 @@ main() { preparation _boot + _boot_efi _run _dev _dev_shm @@ -284,9 +350,19 @@ main() { _var_tmp _var_log _var + _usr _home + _root + _srv + _media + _mnt + _opt + _etc end } +## TODO: see also hidepid /usr/lib/systemd/system/proc-hidepid.service +#mount --options defaults,nosuid,nodev,noexec,remount,subset=pid /proc + main "$@" From 7c7b4b24b4959f3ef96ff7ef0b11fa4c0bd48c8e Mon Sep 17 00:00:00 2001 
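Review bot: The new `_media` and `_mnt` functions bind-mount `$NEWROOT/media` and `$NEWROOT/mnt` with `nosuid,nodev`, but mount options belong to a mount, not to a directory: a removable device that udisks or an administrator later mounts at `/media/<user>/<label>` or under `/mnt` is a new mount with its own options and inherits nothing from the bind mount underneath, so this hardening only covers files that live directly on the root filesystem under those directories. That is probably still worth having, but the `## TODO: new, test` markers should give way to a comment saying so, e.g. `## Only covers the directory itself; later child mounts (removable media) need their own options, e.g. via udisks2's mount options configuration.` The same caveat applies to `_boot_efi` if the ESP is mounted later rather than at boot. The following commits in this series already revise the noexec choice for srv/media/mnt/opt, so that is not re-raised here; `main()` and `end()` start outside the hunk.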
From: Patrick Schleizer Date: Thu, 22 Feb 2024 06:01:00 -0500 Subject: [PATCH 308/846] fix home_noexec_maybe -> most_noexec_maybe https://github.com/Kicksecure/security-misc/pull/202 --- usr/bin/remount-secure | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 65541d6..92a68cb 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -292,21 +292,21 @@ _root() { _srv() { ## TODO: new, test mount_folder="$NEWROOT/srv" - intended_mount_options="nosuid,nodev${home_noexec_maybe}" + intended_mount_options="nosuid,nodev${most_noexec_maybe}" remount_secure } _media() { ## TODO: new, test mount_folder="$NEWROOT/media" - intended_mount_options="nosuid,nodev${home_noexec_maybe}" + intended_mount_options="nosuid,nodev${most_noexec_maybe}" remount_secure } _mnt() { ## TODO: new, test mount_folder="$NEWROOT/mnt" - intended_mount_options="nosuid,nodev${home_noexec_maybe}" + intended_mount_options="nosuid,nodev${most_noexec_maybe}" remount_secure } From 1e1613aa93dca1e7fe7f24dbd32028a0cadd21fd Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 22 Feb 2024 06:02:28 -0500 Subject: [PATCH 309/846] allow /opt exec as usually optional binaries are placed there such as firefox https://github.com/Kicksecure/security-misc/pull/202 --- usr/bin/remount-secure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 92a68cb..8927566 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -313,7 +313,7 @@ _mnt() { _opt() { ## TODO: new, test mount_folder="$NEWROOT/opt" - intended_mount_options="nosuid,nodev${home_noexec_maybe}" + intended_mount_options="nosuid,nodev" remount_secure } From c0f98b05b609c7c8ac6f86e123af9e0642d82697 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Thu, 22 Feb 2024 06:03:59 -0500 Subject: [PATCH 310/846] comment https://github.com/Kicksecure/security-misc/pull/202 --- usr/bin/remount-secure | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 8927566..233287c 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -313,6 +313,8 @@ _mnt() { _opt() { ## TODO: new, test mount_folder="$NEWROOT/opt" + ## Allow /opt exec as usually optional binaries are placed there such as Firefox + ## when manually installed from tarball. intended_mount_options="nosuid,nodev" remount_secure } From 44a15cd97da3066e39d2d7df1f456e703036a6e9 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 22 Feb 2024 09:13:56 -0500 Subject: [PATCH 311/846] mount --make-private https://github.com/Kicksecure/security-misc/issues/172 --- usr/bin/remount-secure | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 233287c..38c3e2c 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure 
@@ -187,12 +187,12 @@ remount_secure() { if findmnt --noheadings "$mount_folder" >/dev/null ; then $output_command "INFO: '$mount_folder' already mounted, therefore using remount." - $output_command INFO: Executing: mount --options "remount,${intended_mount_options}" "$mount_folder" - mount --options "remount,${intended_mount_options}" "$mount_folder" || exit_code=100 + $output_command INFO: Executing: mount --make-private --options "remount,${intended_mount_options}" "$mount_folder" + mount --make-private --options "remount,${intended_mount_options}" "$mount_folder" || exit_code=100 else $output_command "INFO: '$mount_folder' not yet mounted, therefore using mount bind." - $output_command INFO: Executing: mount --options "$intended_mount_options" --bind "$mount_folder" "$mount_folder" - mount --options "$intended_mount_options" --bind "$mount_folder" "$mount_folder" || exit_code=101 + $output_command INFO: Executing: mount --make-private --options "$intended_mount_options" --bind "$mount_folder" "$mount_folder" + mount --make-private --options "$intended_mount_options" --bind "$mount_folder" "$mount_folder" || exit_code=101 fi new_mount_options="$(findmnt --noheadings --output options -- "$mount_folder")" || true From 5bdd7b8475bdfde8dbee5318fb43d0c2a236e3b0 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 22 Feb 2024 09:14:52 -0500 Subject: [PATCH 312/846] output --- usr/bin/remount-secure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 38c3e2c..7b2c133 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -196,7 +196,7 @@ remount_secure() { fi new_mount_options="$(findmnt --noheadings --output options -- "$mount_folder")" || true - $output_command "INFO: '$mount_folder' new_mount_options: $new_mount_options" + $output_command "INFO: '$mount_folder' new_mount_options: '$new_mount_options'" touch "$status_file_full_path" } 
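Review bot: `--make-private` is added to both mount invocations without a comment explaining why the propagation type is changed, and it is not a neutral addition: systemd sets the root mount tree to shared propagation by default, so turning `/run`, `/dev`, `/sys`, `/home` and the other targets of this script into private mounts means mounts made under them afterwards no longer propagate into mount namespaces cloned from this one (service sandboxes, containers), and vice versa. If that isolation is the intent of the linked issue, say so next to the command; if the goal was only to keep the remount itself from propagating, note that instead. Suggested comment above the `if findmnt` line: `## --make-private: stop (re)mount propagation for this mount point, see https://github.com/Kicksecure/security-misc/issues/172`. `remount_secure()` starts outside the hunk.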
From f7831db197b2fff33b66eeb44efd749e482315e0 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 22 Feb 2024 09:17:41 -0500 Subject: [PATCH 313/846] do not exit non-zero if folder does not exist --- usr/bin/remount-secure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 7b2c133..1446ac8 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -179,8 +179,8 @@ remount_secure() { fi if ! test -d "$mount_folder" ; then + ## For example /boot/efi does not always exist on all systems. $output_command "INFO: '$mount_folder' folder exists: no" - exit_code=102 return 0 fi $output_command "INFO: '$mount_folder' folder exists: yes" From 6d7cf3c12a8a772fee1cd893d5504767690b3b77 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 22 Feb 2024 09:49:48 -0500 Subject: [PATCH 314/846] output --- usr/bin/remount-secure | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 1446ac8..d30d146 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -333,6 +333,7 @@ end() { #$output_command "INFO: 'findmnt --list' output at the END." #$output_command "$(findmnt --list)" + $output_command "" $output_command "INFO: exit_code: $exit_code" $output_command "$0: INFO: END" exit $exit_code From d148a769b7106831c0b27a7ad63d91ab42257678 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 22 Feb 2024 14:50:05 +0000 Subject: [PATCH 315/846] bumped changelog version --- changelog.upstream | 64 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 +++++ 2 files changed, 70 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 96f74e9..8c91668 100644 --- a/changelog.upstream +++ b/changelog.upstream 
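Review bot: Dropping `exit_code=102` makes a missing target directory a silent success for every caller, not just `/boot/efi`: if `$NEWROOT` is unset or misspelt, or `/tmp`, `/home` or `/dev/shm` are absent for any reason, none of the hardening is applied and the unit still exits 0, so nothing in `systemctl` or in the end summary flags the failed hardening. Keep the non-fatal behaviour only for targets that are genuinely optional, e.g. have `_boot_efi` set `mount_folder_optional=1` before calling `remount_secure` and replace the removed line with `if [ "${mount_folder_optional:-0}" != "1" ]; then exit_code=102; fi`, resetting the flag at the end of `remount_secure`. `remount_secure()` starts outside the hunk.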
@@ -1,3 +1,67 @@ +commit 6d7cf3c12a8a772fee1cd893d5504767690b3b77 +Author: Patrick Schleizer +Date: Thu Feb 22 09:49:48 2024 -0500 + + output + +commit f7831db197b2fff33b66eeb44efd749e482315e0 +Author: Patrick Schleizer +Date: Thu Feb 22 09:17:41 2024 -0500 + + do not exit non-zero if folder does not exist + +commit 5bdd7b8475bdfde8dbee5318fb43d0c2a236e3b0 +Author: Patrick Schleizer +Date: Thu Feb 22 09:14:52 2024 -0500 + + output + +commit 44a15cd97da3066e39d2d7df1f456e703036a6e9 +Author: Patrick Schleizer +Date: Thu Feb 22 09:13:56 2024 -0500 + + mount --make-private + + https://github.com/Kicksecure/security-misc/issues/172 + +commit c0f98b05b609c7c8ac6f86e123af9e0642d82697 +Author: Patrick Schleizer +Date: Thu Feb 22 06:03:59 2024 -0500 + + comment + + https://github.com/Kicksecure/security-misc/pull/202 + +commit 1e1613aa93dca1e7fe7f24dbd32028a0cadd21fd +Author: Patrick Schleizer +Date: Thu Feb 22 06:02:28 2024 -0500 + + allow /opt exec as usually optional binaries are placed there such as firefox + + https://github.com/Kicksecure/security-misc/pull/202 + +commit 7c7b4b24b4959f3ef96ff7ef0b11fa4c0bd48c8e +Author: Patrick Schleizer +Date: Thu Feb 22 06:01:00 2024 -0500 + + fix home_noexec_maybe -> most_noexec_maybe + + https://github.com/Kicksecure/security-misc/pull/202 + +commit 38783faf60b85c4e855bf78c87e1c07765776b50 +Author: Patrick Schleizer +Date: Thu Feb 22 05:58:53 2024 -0500 + + add more bind mounts of mount options hardening + + as suggested in https://github.com/Kicksecure/security-misc/pull/202 + +commit ad9d913902d7e696f1114da74d84f9cdcb22bc25 +Author: Patrick Schleizer +Date: Sat Feb 3 18:28:27 2024 +0000 + + bumped changelog version + commit 02090da08cfd411314ffeeb6df95f73c701f06c6 Merge: 8037ce5 ba13657 Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index 1b722e7..40e0bab 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:35.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 22 Feb 2024 14:50:05 +0000 + security-misc (3:35.8-1) unstable; urgency=medium * New upstream version (local package). From c0924321b84874ae7fc72c59fd58e4c4ae8bc6d9 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 22 Feb 2024 09:52:36 -0500 Subject: [PATCH 316/846] fix systemd unit ExecStart --- usr/lib/systemd/system/remount-secure.service | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/lib/systemd/system/remount-secure.service b/usr/lib/systemd/system/remount-secure.service index b801fe2..575f05e 100644 --- a/usr/lib/systemd/system/remount-secure.service +++ b/usr/lib/systemd/system/remount-secure.service @@ -24,7 +24,7 @@ Requires=sysinit.target [Service] Type=oneshot RemainAfterExit=yes -ExecStart=remount-secure +ExecStart=remount-secure 3 [Install] WantedBy=sysinit-post.target From eb3e0b9292f71a5dba312500508f893779fb1b9c Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 22 Feb 2024 14:52:55 +0000 Subject: [PATCH 317/846] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 8c91668..32cfe10 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit c0924321b84874ae7fc72c59fd58e4c4ae8bc6d9 +Author: Patrick Schleizer +Date: Thu Feb 22 09:52:36 2024 -0500 + + fix systemd unit ExecStart + +commit d148a769b7106831c0b27a7ad63d91ab42257678 +Author: Patrick Schleizer +Date: Thu Feb 22 14:50:05 2024 +0000 + + bumped changelog version + commit 6d7cf3c12a8a772fee1cd893d5504767690b3b77 Author: Patrick Schleizer Date: Thu Feb 22 09:49:48 2024 -0500 diff --git a/debian/changelog b/debian/changelog index 40e0bab..324018a 100644 --- a/debian/changelog +++ b/debian/changelog 
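Review bot: The new `ExecStart=remount-secure 3` passes a bare positional `3` whose meaning is not stated anywhere in the unit, and the unit is exactly where an administrator reading `systemctl cat` will look for it. Add a comment above the line that spells out what the argument selects, e.g. `# '3' = <meaning of the argument as defined in usr/bin/remount-secure>` (placeholder; take the wording from the script's argument handling, which is not visible in this patch).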
@@ -1,3 +1,9 @@ +security-misc (3:36.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 22 Feb 2024 14:52:54 +0000 + security-misc (3:35.9-1) unstable; urgency=medium * New upstream version (local package). From 37a7abdf0c1e6d8179bd09d3c1bd0363e8bc0a96 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 22 Feb 2024 11:07:01 -0500 Subject: [PATCH 318/846] ConditionKernelCommandLine=!remountsecure=0 --- usr/lib/systemd/system/remount-secure.service | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr/lib/systemd/system/remount-secure.service b/usr/lib/systemd/system/remount-secure.service index 575f05e..8797b9c 100644 --- a/usr/lib/systemd/system/remount-secure.service +++ b/usr/lib/systemd/system/remount-secure.service @@ -5,6 +5,8 @@ Description=remount /home /tmp /dev/shm /run with nosuid,nodev (default) and noexec (opt-in) Documentation=https://github.com/Kicksecure/security-misc +ConditionKernelCommandLine=!remountsecure=0 + DefaultDependencies=no Before=sysinit-post.target From 6b73e6c2a9ff1efe211e41e005e4ecaa63731d82 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 22 Feb 2024 16:07:16 +0000 Subject: [PATCH 319/846] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 32cfe10..ce54959 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit 37a7abdf0c1e6d8179bd09d3c1bd0363e8bc0a96 +Author: Patrick Schleizer +Date: Thu Feb 22 11:07:01 2024 -0500 + + ConditionKernelCommandLine=!remountsecure=0 + +commit eb3e0b9292f71a5dba312500508f893779fb1b9c +Author: Patrick Schleizer +Date: Thu Feb 22 14:52:55 2024 +0000 + + bumped changelog version + commit c0924321b84874ae7fc72c59fd58e4c4ae8bc6d9 Author: Patrick Schleizer Date: Thu Feb 22 09:52:36 2024 -0500 diff --git a/debian/changelog b/debian/changelog index 324018a..57d4a88 100644 
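Review bot: `ConditionKernelCommandLine=!remountsecure=0` makes a single boot parameter switch the remount hardening off, and an unmet condition is not reported as a failure: the unit is skipped and only `systemctl status` shows the "Condition check resulted in ... being skipped" line. A comment next to the directive would help operators auditing a boot, e.g. `## Opt-out: booting with remountsecure=0 skips this unit entirely; this is not logged as an error.` The match is against the exact token `remountsecure=0`, so other spellings do not disable the unit; worth stating in the same comment.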
--- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:36.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 22 Feb 2024 16:07:16 +0000 + security-misc (3:36.0-1) unstable; urgency=medium * New upstream version (local package). From 3bc1765dbbd333a1d607ab6962281b4d0a5c4b60 Mon Sep 17 00:00:00 2001 From: Daniel Winzen Date: Wed, 21 Feb 2024 20:37:34 +0100 Subject: [PATCH 320/846] Allow access to /sys/fs for polkit --- usr/libexec/security-misc/hide-hardware-info | 29 ++++++++++++-------- 1 file changed, 17 insertions(+), 12 deletions(-) diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info index b55441f..4ed2aca 100755 --- a/usr/libexec/security-misc/hide-hardware-info +++ b/usr/libexec/security-misc/hide-hardware-info @@ -80,6 +80,23 @@ do fi done +## restrict permissions on everything but +## what is needed +for i in /sys/* /sys/fs/* +do + ## Using '|| true': + ## https://github.com/Kicksecure/security-misc/pull/108 + if [ "${sysfs_whitelist}" = "1" ]; then + chmod o-rwx "${i}" || true + else + chmod og-rwx "${i}" || true + fi +done + +## polkit needs stat access to /sys/fs/cgroup +## to function properly +chmod o+rx /sys /sys/fs + ## on SELinux systems, at least /sys/fs/selinux ## must be visible to unprivileged users, else ## SELinux userspace utilities will not function 
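Review bot: `chmod o+rx /sys /sys/fs` now runs unconditionally after the loop, which re-grants world read/search on both top-level directories even on the configuration where the script earlier did `chmod og-rwx /sys` (the non-whitelist branch, outside this hunk), so the "sysfs whitelist is not enabled" message no longer describes the final state. The comment only mentions polkit; it should state the resulting exposure so the trade-off is reviewable: `## NOTE: this deliberately makes the /sys and /sys/fs directory listings world-readable; the entries themselves stay o-rwx (or og-rwx) from the loop above.` Printing an INFO line when this loosening is applied, as the SELinux branch already does, would keep the log consistent with the actual permissions.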
@@ -88,18 +105,6 @@ if [ -d /sys/fs/selinux ]; then echo "INFO: SELinux detected because folder /sys/fs/selinux exists. See also:" echo "https://www.kicksecure.com/wiki/Security-misc#selinux" if [ "${selinux}" = "1" ]; then - ## restrict permissions on everything but - ## what is needed - for i in /sys/* /sys/fs/* - do - ## Using '|| true': - ## https://github.com/Kicksecure/security-misc/pull/108 - if [ "${sysfs_whitelist}" = "1" ]; then - chmod o-rwx "${i}" || true - else - chmod og-rwx "${i}" || true - fi - done chmod o+rx /sys /sys/fs /sys/fs/selinux echo "INFO: SELinux mode enabled. Restrictions loosened slightly in order to allow userspace utilities to function." else From ef44ecea44ee516b1ba92175eb78b2e8143c4502 Mon Sep 17 00:00:00 2001 From: Daniel Winzen Date: Thu, 22 Feb 2024 16:51:23 +0100 Subject: [PATCH 321/846] Add option to disabe /sys hardening --- etc/hide-hardware-info.d/30_default.conf | 3 + usr/libexec/security-misc/hide-hardware-info | 73 +++++++++++--------- 2 files changed, 43 insertions(+), 33 deletions(-) diff --git a/etc/hide-hardware-info.d/30_default.conf b/etc/hide-hardware-info.d/30_default.conf index df6952e..ffda4de 100644 --- a/etc/hide-hardware-info.d/30_default.conf +++ b/etc/hide-hardware-info.d/30_default.conf @@ -7,6 +7,9 @@ ## Disable the /proc/cpuinfo whitelist. #cpuinfo_whitelist=0 +## Disable /sys hardening. +#sysfs=0 + ## Disable selinux mode. ## https://www.whonix.org/wiki/Security-misc#selinux #selinux=0 diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info index 4ed2aca..810433b 100755 --- a/usr/libexec/security-misc/hide-hardware-info +++ b/usr/libexec/security-misc/hide-hardware-info @@ -8,6 +8,8 @@ set -e sysfs_whitelist=1 cpuinfo_whitelist=1 +sysfs=1 + ## https://www.whonix.org/wiki/Security-misc#selinux selinux=0 
@@ -53,12 +55,14 @@ for i in /proc/cpuinfo /proc/bus /proc/scsi /sys do if [ -e "${i}" ]; then if [ "${i}" = "/sys" ]; then - ## Whitelist for /sys. - if [ "${sysfs_whitelist}" = "1" ]; then - create_whitelist sysfs - else - chmod og-rwx /sys - echo "INFO: The sysfs whitelist is not enabled. Some things may not work properly." + if [ "${sysfs}" = "1" ]; then + ## Whitelist for /sys. + if [ "${sysfs_whitelist}" = "1" ]; then + create_whitelist sysfs + else + chmod og-rwx /sys + echo "INFO: The sysfs whitelist is not enabled. Some things may not work properly." + fi fi elif [ "${i}" = "/proc/cpuinfo" ]; then ## Whitelist for /proc/cpuinfo. 
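Review bot: With `sysfs=0` the `/sys` branch now falls through silently, while every other disabled feature in this loop prints an INFO line, so a log reader cannot distinguish "hardening disabled by configuration" from "hardening ran". Add the missing message to the new gate: `else` / `echo "INFO: /sys hardening is disabled (sysfs=0)."`. The same applies to the second `if [ "${sysfs}" = "1" ]` gate added later in this file (the block holding the /sys/* loop, the polkit loosening and the SELinux detection), which also skips without a trace, including the SELinux detection message. The enclosing `for` loop starts outside this hunk.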
@@ -80,34 +84,37 @@ do fi done -## restrict permissions on everything but -## what is needed -for i in /sys/* /sys/fs/* -do - ## Using '|| true': - ## https://github.com/Kicksecure/security-misc/pull/108 - if [ "${sysfs_whitelist}" = "1" ]; then - chmod o-rwx "${i}" || true - else - chmod og-rwx "${i}" || true - fi -done -## polkit needs stat access to /sys/fs/cgroup -## to function properly -chmod o+rx /sys /sys/fs +if [ "${sysfs}" = "1" ]; then + ## restrict permissions on everything but + ## what is needed + for i in /sys/* /sys/fs/* + do + ## Using '|| true': + ## https://github.com/Kicksecure/security-misc/pull/108 + if [ "${sysfs_whitelist}" = "1" ]; then + chmod o-rwx "${i}" || true + else + chmod og-rwx "${i}" || true + fi + done -## on SELinux systems, at least /sys/fs/selinux -## must be visible to unprivileged users, else -## SELinux userspace utilities will not function -## properly -if [ -d /sys/fs/selinux ]; then - echo "INFO: SELinux detected because folder /sys/fs/selinux exists. See also:" - echo "https://www.kicksecure.com/wiki/Security-misc#selinux" - if [ "${selinux}" = "1" ]; then - chmod o+rx /sys /sys/fs /sys/fs/selinux - echo "INFO: SELinux mode enabled. Restrictions loosened slightly in order to allow userspace utilities to function." - else - echo "INFO: SELinux detected, but SELinux mode is not enabled. Some userspace utilities may not work properly." + ## polkit needs stat access to /sys/fs/cgroup + ## to function properly + chmod o+rx /sys /sys/fs + + ## on SELinux systems, at least /sys/fs/selinux + ## must be visible to unprivileged users, else + ## SELinux userspace utilities will not function + ## properly + if [ -d /sys/fs/selinux ]; then + echo "INFO: SELinux detected because folder /sys/fs/selinux exists. See also:" + echo "https://www.kicksecure.com/wiki/Security-misc#selinux" + if [ "${selinux}" = "1" ]; then + chmod o+rx /sys /sys/fs /sys/fs/selinux + echo "INFO: SELinux mode enabled. 
Restrictions loosened slightly in order to allow userspace utilities to function." + else + echo "INFO: SELinux detected, but SELinux mode is not enabled. Some userspace utilities may not work properly." + fi fi fi From c3dd178b19be8c078ed6a2f46a072bef3d144c06 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 22 Feb 2024 14:57:50 -0500 Subject: [PATCH 322/846] output --- usr/bin/remount-secure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index d30d146..7723918 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -164,7 +164,7 @@ remount_secure() { $output_command "INFO: '$mount_folder' old_mount_options: '$old_mount_options'" if echo "$old_mount_options" | grep --quiet "$intended_mount_options" ; then - $output_command "INFO: '$mount_folder' has already intended mount options. ($intended_mount_options)" + $output_command "INFO: '$mount_folder' has already intended mount options. ('$intended_mount_options')" return 0 fi From a1f898e3b317f49a5bb9507c8b9d3bd3c4e23abf Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 22 Feb 2024 19:58:01 +0000 Subject: [PATCH 323/846] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index ce54959..fb3dcdd 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit c3dd178b19be8c078ed6a2f46a072bef3d144c06 +Author: Patrick Schleizer +Date: Thu Feb 22 14:57:50 2024 -0500 + + output + +commit 6b73e6c2a9ff1efe211e41e005e4ecaa63731d82 +Author: Patrick Schleizer +Date: Thu Feb 22 16:07:16 2024 +0000 + + bumped changelog version + commit 37a7abdf0c1e6d8179bd09d3c1bd0363e8bc0a96 Author: Patrick Schleizer Date: Thu Feb 22 11:07:01 2024 -0500 diff --git a/debian/changelog b/debian/changelog index 57d4a88..6600db3 100644 --- a/debian/changelog +++ b/debian/changelog 
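Review bot: The changed line only touches the INFO text, but the condition it sits under, `echo "$old_mount_options" | grep --quiet "$intended_mount_options"`, treats the option string as a regular expression and as an unanchored substring, so the idempotency check can be confused by a value starting with `-` or containing regex metacharacters, and it passes whenever the intended options appear anywhere in the old options. `grep --quiet --fixed-strings -- "$intended_mount_options"` is the safer form for a literal match. The enclosing function `remount_secure` starts and ends outside this hunk.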
@@ -1,3 +1,9 @@ +security-misc (3:36.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 22 Feb 2024 19:58:00 +0000 + security-misc (3:36.1-1) unstable; urgency=medium * New upstream version (local package). From d13d1aa7ec7e9ac9f1aa87e4b36228bfd3af6eb2 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 22 Feb 2024 15:07:53 -0500 Subject: [PATCH 324/846] comments --- usr/bin/remount-secure | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 7723918..92e3aa8 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure @@ -1,11 +1,28 @@ #!/bin/bash -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. +## features: +## - nodev,nosuid where appropriate +## - optional noexec for most except /home +## - optional noexec for all including /home +## - idempotent (script can be safely re-run) +## - can be run from: +## - systemd +## - dracut +## - manually from command line +## - can safely handle non-existing folders +## - error handling +## - log output: +## - shows each and every command executed +## - shows old mount options prior running remount-secure +## - shows new mount options after running remount-secure + ## noexec in /tmp and/or /home can break some malware but also legitimate ## applications. +## https://www.kicksecure.com/wiki/Noexec ## https://www.kicksecure.com/wiki/Dev/remount-secure ## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707 From 02d6f67741ef93d9ab39e02ac56b27c551a19dca Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 22 Feb 2024 20:08:17 +0000 Subject: [PATCH 325/846] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) 
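Review bot: The new header lists where `remount-secure` can be run from but not how it is invoked: the systemd unit earlier in this series calls it as `remount-secure 3`, and nothing here explains that argument or the other accepted values. A `## usage:` line after the features list, giving the accepted argument values and which of the "optional noexec" bullets each selects, would make the header actionable. The bullet `## - error handling` is too vague to document anything; say what happens when a remount fails (abort vs continue).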
diff --git a/changelog.upstream b/changelog.upstream index fb3dcdd..8d799e8 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit d13d1aa7ec7e9ac9f1aa87e4b36228bfd3af6eb2 +Author: Patrick Schleizer +Date: Thu Feb 22 15:07:53 2024 -0500 + + comments + +commit a1f898e3b317f49a5bb9507c8b9d3bd3c4e23abf +Author: Patrick Schleizer +Date: Thu Feb 22 19:58:01 2024 +0000 + + bumped changelog version + commit c3dd178b19be8c078ed6a2f46a072bef3d144c06 Author: Patrick Schleizer Date: Thu Feb 22 14:57:50 2024 -0500 diff --git a/debian/changelog b/debian/changelog index 6600db3..83cfe4d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:36.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 22 Feb 2024 20:08:17 +0000 + security-misc (3:36.2-1) unstable; urgency=medium * New upstream version (local package). From f2958bbfa5e67ee10380a25d996826233469080a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 26 Feb 2024 07:49:30 -0500 Subject: [PATCH 326/846] comment --- usr/libexec/security-misc/hide-hardware-info | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info index 810433b..2a4a56d 100755 --- a/usr/libexec/security-misc/hide-hardware-info +++ b/usr/libexec/security-misc/hide-hardware-info @@ -10,7 +10,7 @@ cpuinfo_whitelist=1 sysfs=1 -## https://www.whonix.org/wiki/Security-misc#selinux +## https://www.kicksecure.com/wiki/Security-misc#selinux selinux=0 shopt -s nullglob From cf84762a3a84d2be3b9510dddb32bdc433170dfa Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 26 Feb 2024 07:52:41 -0500 Subject: [PATCH 327/846] improve output https://github.com/Kicksecure/security-misc/issues/172 --- usr/libexec/security-misc/hide-hardware-info | 25 +++++++++++++------- 1 file changed, 17 insertions(+), 8 deletions(-) 
diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info index 2a4a56d..48bb3a2 100755 --- a/usr/libexec/security-misc/hide-hardware-info +++ b/usr/libexec/security-misc/hide-hardware-info @@ -5,6 +5,13 @@ set -e +run_cmd() { + echo "INFO: executing: $@" + "$@" +} + +echo "$0: INFO: START" + sysfs_whitelist=1 cpuinfo_whitelist=1 @@ -36,9 +43,9 @@ create_whitelist() { ## Changing the permissions of /sys recursively ## causes errors as the permissions of /sys/kernel/debug ## and /sys/fs/cgroup cannot be changed. - chgrp -fR "${1}" "${whitelist_path}" || true + run_cmd chgrp -fR "${1}" "${whitelist_path}" || true - chmod o-rwx "${whitelist_path}" + run_cmd chmod o-rwx "${whitelist_path}" else echo "ERROR: The ${1} group does not exist, the ${1} whitelist was not created." fi @@ -60,7 +67,7 @@ do if [ "${sysfs_whitelist}" = "1" ]; then create_whitelist sysfs else - chmod og-rwx /sys + run_cmd chmod og-rwx /sys echo "INFO: The sysfs whitelist is not enabled. Some things may not work properly." fi fi @@ -69,7 +76,7 @@ do if [ "${cpuinfo_whitelist}" = "1" ]; then create_whitelist cpuinfo else - chmod og-rwx /proc/cpuinfo + run_cmd chmod og-rwx /proc/cpuinfo echo "INFO: The cpuinfo whitelist is not enabled. Some things may not work properly." fi else @@ -93,15 +100,15 @@ if [ "${sysfs}" = "1" ]; then ## Using '|| true': ## https://github.com/Kicksecure/security-misc/pull/108 if [ "${sysfs_whitelist}" = "1" ]; then - chmod o-rwx "${i}" || true + run_cmd chmod o-rwx "${i}" || true else - chmod og-rwx "${i}" || true + run_cmd chmod og-rwx "${i}" || true fi done ## polkit needs stat access to /sys/fs/cgroup ## to function properly - chmod o+rx /sys /sys/fs + run_cmd chmod o+rx /sys /sys/fs ## on SELinux systems, at least /sys/fs/selinux ## must be visible to unprivileged users, else 
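Review bot: `echo "INFO: executing: $@"` in the new `run_cmd` expands `$@` inside a double-quoted string (ShellCheck SC2145), and because the arguments are joined with spaces the log cannot show where one argument ends, which matters for a helper whose purpose is an audit trail of chmod/chgrp calls. Printing shell-quoted arguments keeps the trace unambiguous: `printf 'INFO: executing:'; printf ' %q' "$@"; printf '\n'` followed by `"$@"`. The same `$@`-in-string pattern is repeated in the later hunk that splits the helper into `run_cmd` and `run_cmd_whitelist`; the two bodies differ only in the label, so one helper taking the label as its first argument would avoid the duplication.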
@@ -111,10 +118,12 @@ if [ "${sysfs}" = "1" ]; then echo "INFO: SELinux detected because folder /sys/fs/selinux exists. See also:" echo "https://www.kicksecure.com/wiki/Security-misc#selinux" if [ "${selinux}" = "1" ]; then - chmod o+rx /sys /sys/fs /sys/fs/selinux + run_cmd chmod o+rx /sys /sys/fs /sys/fs/selinux echo "INFO: SELinux mode enabled. Restrictions loosened slightly in order to allow userspace utilities to function." else echo "INFO: SELinux detected, but SELinux mode is not enabled. Some userspace utilities may not work properly." fi fi fi + +echo "$0: INFO: END" From d8f5376c4f36f5deb734e6dead42a62566d13480 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 26 Feb 2024 07:58:06 -0500 Subject: [PATCH 328/846] improve output https://github.com/Kicksecure/security-misc/issues/172 --- usr/libexec/security-misc/hide-hardware-info | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info index 48bb3a2..46ef9bf 100755 --- a/usr/libexec/security-misc/hide-hardware-info +++ b/usr/libexec/security-misc/hide-hardware-info @@ -80,7 +80,7 @@ do echo "INFO: The cpuinfo whitelist is not enabled. Some things may not work properly." fi else - chmod og-rwx "${i}" + run_cmd chmod og-rwx "${i}" fi else ## /proc/scsi doesn't exist on Debian so errors From 2d1d1b246f3fe061d4f817da5cecf46010839e1d Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 26 Feb 2024 08:07:29 -0500 Subject: [PATCH 329/846] improve output https://github.com/Kicksecure/security-misc/issues/172 --- usr/libexec/security-misc/hide-hardware-info | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info index 46ef9bf..3c1902e 100755 --- a/usr/libexec/security-misc/hide-hardware-info +++ b/usr/libexec/security-misc/hide-hardware-info 
@@ -6,7 +6,12 @@ set -e run_cmd() { - echo "INFO: executing: $@" + echo "INFO: normal executing : $@" + "$@" +} + +run_cmd_whitelist() { + echo "INFO: whitelist executing: $@" "$@" } @@ -43,9 +48,9 @@ create_whitelist() { ## Changing the permissions of /sys recursively ## causes errors as the permissions of /sys/kernel/debug ## and /sys/fs/cgroup cannot be changed. - run_cmd chgrp -fR "${1}" "${whitelist_path}" || true + run_cmd_whitelist chgrp -fR "${1}" "${whitelist_path}" || true - run_cmd chmod o-rwx "${whitelist_path}" + run_cmd_whitelist chmod o-rwx "${whitelist_path}" else echo "ERROR: The ${1} group does not exist, the ${1} whitelist was not created." fi @@ -67,17 +72,16 @@ do if [ "${sysfs_whitelist}" = "1" ]; then create_whitelist sysfs else + echo "INFO: The sysfs whitelist is not enabled. Some things may not work properly. Full sysfs hardening..." run_cmd chmod og-rwx /sys - echo "INFO: The sysfs whitelist is not enabled. Some things may not work properly." fi fi elif [ "${i}" = "/proc/cpuinfo" ]; then - ## Whitelist for /proc/cpuinfo. if [ "${cpuinfo_whitelist}" = "1" ]; then create_whitelist cpuinfo else + echo "INFO: The cpuinfo whitelist is not enabled. Some things may not work properly. Full cpuinfo hardening..." run_cmd chmod og-rwx /proc/cpuinfo - echo "INFO: The cpuinfo whitelist is not enabled. Some things may not work properly." fi else run_cmd chmod og-rwx "${i}" From 808e72f24bf30b3476ab6b87f96eb636632c195c Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 26 Feb 2024 08:11:26 -0500 Subject: [PATCH 330/846] use long options https://github.com/Kicksecure/security-misc/issues/172 --- usr/libexec/security-misc/hide-hardware-info | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info index 3c1902e..d250a6a 100755 --- a/usr/libexec/security-misc/hide-hardware-info +++ b/usr/libexec/security-misc/hide-hardware-info 
@@ -48,7 +48,7 @@ create_whitelist() { ## Changing the permissions of /sys recursively ## causes errors as the permissions of /sys/kernel/debug ## and /sys/fs/cgroup cannot be changed. - run_cmd_whitelist chgrp -fR "${1}" "${whitelist_path}" || true + run_cmd_whitelist chgrp --quiet --recursive "${1}" "${whitelist_path}" || true run_cmd_whitelist chmod o-rwx "${whitelist_path}" else From a5cc1774f2fbf6475e7b56601fbcd84a2a63fed0 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 26 Feb 2024 13:32:44 +0000 Subject: [PATCH 331/846] bumped changelog version --- changelog.upstream | 72 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++ 2 files changed, 78 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 8d799e8..c8ce2af 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,63 @@ +commit 808e72f24bf30b3476ab6b87f96eb636632c195c +Author: Patrick Schleizer +Date: Mon Feb 26 08:11:26 2024 -0500 + + use long options + + https://github.com/Kicksecure/security-misc/issues/172 + +commit 2d1d1b246f3fe061d4f817da5cecf46010839e1d +Author: Patrick Schleizer +Date: Mon Feb 26 08:07:29 2024 -0500 + + improve output + + https://github.com/Kicksecure/security-misc/issues/172 + +commit d8f5376c4f36f5deb734e6dead42a62566d13480 +Author: Patrick Schleizer +Date: Mon Feb 26 07:58:06 2024 -0500 + + improve output + + https://github.com/Kicksecure/security-misc/issues/172 + +commit cf84762a3a84d2be3b9510dddb32bdc433170dfa +Author: Patrick Schleizer +Date: Mon Feb 26 07:52:41 2024 -0500 + + improve output + + https://github.com/Kicksecure/security-misc/issues/172 + +commit f2958bbfa5e67ee10380a25d996826233469080a +Author: Patrick Schleizer +Date: Mon Feb 26 07:49:30 2024 -0500 + + comment + +commit bc8f9edc3197e33e75ea1d691834d9abbdcdefd0 +Merge: 02d6f67 b23d167 +Author: Patrick Schleizer +Date: Mon Feb 26 07:48:19 2024 -0500 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit b23d167342ef242a1e9d4e91b6a4b945e80c3e7e +Merge: 02d6f67 ef44ece +Author: Patrick Schleizer +Date: Mon Feb 26 07:46:02 2024 -0500 + + Merge pull request #204 from DanWin/sysfs-mount + + Make /sys hardening optional and allow access to /sys/fs to make polkit work + +commit 02d6f67741ef93d9ab39e02ac56b27c551a19dca +Author: Patrick Schleizer +Date: Thu Feb 22 20:08:17 2024 +0000 + + bumped changelog version + commit d13d1aa7ec7e9ac9f1aa87e4b36228bfd3af6eb2 Author: Patrick Schleizer Date: Thu Feb 22 15:07:53 2024 -0500 
@@ -16,6 +76,18 @@ Date: Thu Feb 22 14:57:50 2024 -0500 output +commit ef44ecea44ee516b1ba92175eb78b2e8143c4502 +Author: Daniel Winzen +Date: Thu Feb 22 16:51:23 2024 +0100 + + Add option to disabe /sys hardening + +commit 3bc1765dbbd333a1d607ab6962281b4d0a5c4b60 +Author: Daniel Winzen +Date: Wed Feb 21 20:37:34 2024 +0100 + + Allow access to /sys/fs for polkit + commit 6b73e6c2a9ff1efe211e41e005e4ecaa63731d82 Author: Patrick Schleizer Date: Thu Feb 22 16:07:16 2024 +0000 diff --git a/debian/changelog b/debian/changelog index 83cfe4d..f64949b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:36.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 26 Feb 2024 13:32:44 +0000 + security-misc (3:36.3-1) unstable; urgency=medium * New upstream version (local package). From e013070e0bfc43d006e09ae1c5ae3533f7bebc5f Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 4 Mar 2024 06:33:21 -0500 Subject: [PATCH 332/846] newline --- etc/sudoers.d/security-misc | 1 - 1 file changed, 1 deletion(-) diff --git a/etc/sudoers.d/security-misc b/etc/sudoers.d/security-misc index 4256683..fd9b7fc 100644 --- a/etc/sudoers.d/security-misc +++ b/etc/sudoers.d/security-misc @@ -3,4 +3,3 @@ user ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops %sudo ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops - From af6c6971a741c69a584ba3f92dbfed12e40784dc Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 4 Mar 2024 06:33:51 -0500 Subject: [PATCH 333/846] comment --- etc/default/grub.d/40_kernel_hardening.cfg | 2 -- 1 file changed, 2 deletions(-) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index be7c40c..9b7b53b 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg 
@@ -59,6 +59,4 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713 ## Implemented differently: ## /usr/libexec/security-misc/panic-on-oops -## /etc/profile.d/security-misc.sh -## /etc/sudoers.d/security-misc #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX oops=panic" From 6b76373395622bac0e701c6d15c6656658febced Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 4 Mar 2024 06:44:26 -0500 Subject: [PATCH 334/846] fix panic-on-oops started every 10s in Qubes-Whonix by changing from a /etc/profile.d etc. related mechanism to start to a systemd unit file based approach Thanks to @marmarek for the bug report! https://forums.whonix.org/t/panic-on-oops-started-every-10s/19450 --- etc/profile.d/30_security-misc.sh | 5 ----- usr/lib/systemd/system/panic-on-oops.service | 20 ++++++++++++++++++++ 2 files changed, 20 insertions(+), 5 deletions(-) create mode 100644 usr/lib/systemd/system/panic-on-oops.service diff --git a/etc/profile.d/30_security-misc.sh b/etc/profile.d/30_security-misc.sh index 351d3ed..2ab169d 100755 --- a/etc/profile.d/30_security-misc.sh +++ b/etc/profile.d/30_security-misc.sh @@ -9,8 +9,3 @@ fi if ! echo "$XDG_CONFIG_DIRS" | grep --quiet /usr/share/security-misc/ ; then export XDG_CONFIG_DIRS=/usr/share/security-misc/:$XDG_CONFIG_DIRS fi - -if [ -x /usr/libexec/security-misc/panic-on-oops ]; then - ## Hide output. Otherwise could confuse Qubes UpdatesProxy. - sudo --non-interactive /usr/libexec/security-misc/panic-on-oops 1>/dev/null 2>/dev/null -fi diff --git a/usr/lib/systemd/system/panic-on-oops.service b/usr/lib/systemd/system/panic-on-oops.service new file mode 100644 index 0000000..cf13053 --- /dev/null +++ b/usr/lib/systemd/system/panic-on-oops.service 
@@ -0,0 +1,20 @@ +## Copyright (C) 2024 - 2024 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +[Unit] +Description=Sets 'sysctl kernel.panic_on_oops=1' late during the boot process. +Documentation=https://github.com/Kicksecure/security-misc + +ConditionKernelCommandLine=!panic-on-oops=0 + +After=multi-user.target +After=graphical.target +After=getty.target + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/libexec/security-misc/panic-on-oops + +[Install] +WantedBy=multi-user.target From 0f0d9ca2a42cf9fc04e405ae90f3d67bc0794e12 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 4 Mar 2024 11:48:30 +0000 Subject: [PATCH 335/846] bumped changelog version --- changelog.upstream | 30 ++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 36 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index c8ce2af..70aab3e 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,33 @@ +commit 6b76373395622bac0e701c6d15c6656658febced +Author: Patrick Schleizer +Date: Mon Mar 4 06:44:26 2024 -0500 + + fix panic-on-oops started every 10s in Qubes-Whonix + + by changing from a /etc/profile.d etc. related mechanism to start to a systemd unit file based approach + + Thanks to @marmarek for the bug report! + + https://forums.whonix.org/t/panic-on-oops-started-every-10s/19450 + +commit af6c6971a741c69a584ba3f92dbfed12e40784dc +Author: Patrick Schleizer +Date: Mon Mar 4 06:33:51 2024 -0500 + + comment + +commit e013070e0bfc43d006e09ae1c5ae3533f7bebc5f +Author: Patrick Schleizer +Date: Mon Mar 4 06:33:21 2024 -0500 + + newline + +commit a5cc1774f2fbf6475e7b56601fbcd84a2a63fed0 +Author: Patrick Schleizer +Date: Mon Feb 26 13:32:44 2024 +0000 + + bumped changelog version + commit 808e72f24bf30b3476ab6b87f96eb636632c195c Author: Patrick Schleizer Date: Mon Feb 26 08:11:26 2024 -0500 diff --git a/debian/changelog b/debian/changelog index f64949b..22e313b 100644 --- a/debian/changelog 
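Review bot: `After=multi-user.target` together with `WantedBy=multi-user.target` looks like an ordering cycle: a target implicitly orders itself After= the units it Wants= unless the target has DefaultDependencies=no, so this unit would be ordered both before and after multi-user.target, and systemd resolves such cycles by dropping a job; please confirm with `systemd-analyze verify` on the installed unit. `After=graphical.target` has the same problem transitively, since graphical.target is ordered after multi-user.target, so "late in boot" needs an ordering anchor that does not itself pull this unit in. Separately, with the profile.d invocation removed, the `user` and `%sudo` `NOPASSWD` entries for `/usr/libexec/security-misc/panic-on-oops` in `etc/sudoers.d/security-misc` (touched earlier in this series) no longer have a caller; the unit runs the script as root, so those rules are now unused privilege and could be dropped in a follow-up.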
+++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:36.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 04 Mar 2024 11:48:30 +0000 + security-misc (3:36.4-1) unstable; urgency=medium * New upstream version (local package). From a5206bde336c159be065345e7dd5cb86b2b6a27f Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 10 Mar 2024 08:44:53 -0400 Subject: [PATCH 336/846] `proc-hidepid.service` add `gid=proc` This allows users that are a member of the `proc` group to be excluded from `hidepid` protections. https://github.com/Kicksecure/security-misc/issues/208 --- usr/lib/systemd/system/proc-hidepid.service | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/lib/systemd/system/proc-hidepid.service b/usr/lib/systemd/system/proc-hidepid.service index 7acad5b..2ec1858 100644 --- a/usr/lib/systemd/system/proc-hidepid.service +++ b/usr/lib/systemd/system/proc-hidepid.service @@ -12,7 +12,7 @@ After=local-fs.target [Service] Type=oneshot -ExecStart=/bin/mount -o remount,nosuid,nodev,noexec,hidepid=2 /proc +ExecStart=/bin/mount -o remount,nosuid,nodev,noexec,hidepid=2,gid=proc /proc RemainAfterExit=yes [Install] From 57fc487e5e5ffad765f1418236744319cc666871 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 10 Mar 2024 13:19:26 +0000 Subject: [PATCH 337/846] bumped changelog version --- changelog.upstream | 16 ++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 22 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 70aab3e..1fea6fd 100644 --- a/changelog.upstream +++ b/changelog.upstream 
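Review bot: `gid=proc` makes membership in the `proc` group a full exemption from `hidepid=2`, and the unit now depends on that group existing when /proc is remounted — as far as I know mount(8) resolves a `gid=` name through the group database, so a missing group fails the mount and with it the whole hardening unit; this commit does not create the group (a later commit in this series adds `addgroup --system proc` to the preinst). Document both facts in the unit, e.g. `## gid=proc: members of group 'proc' see all processes despite hidepid=2; the group is created by debian/security-misc.preinst and must exist or the remount fails.` Stating that adding a user to `proc` is equivalent to exempting them from process hiding keeps the group from being treated as harmless.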
@@ -1,3 +1,19 @@ +commit a5206bde336c159be065345e7dd5cb86b2b6a27f +Author: Patrick Schleizer +Date: Sun Mar 10 08:44:53 2024 -0400 + + `proc-hidepid.service` add `gid=proc` + + This allows users that are a member of the `proc` group to be excluded from `hidepid` protections. + + https://github.com/Kicksecure/security-misc/issues/208 + +commit 0f0d9ca2a42cf9fc04e405ae90f3d67bc0794e12 +Author: Patrick Schleizer +Date: Mon Mar 4 11:48:30 2024 +0000 + + bumped changelog version + commit 6b76373395622bac0e701c6d15c6656658febced Author: Patrick Schleizer Date: Mon Mar 4 06:44:26 2024 -0500 diff --git a/debian/changelog b/debian/changelog index 22e313b..5cc0bd7 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:36.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 10 Mar 2024 13:19:26 +0000 + security-misc (3:36.5-1) unstable; urgency=medium * New upstream version (local package). From 03ed546cd8992b29855ca1c2748ed988dd3c765d Mon Sep 17 00:00:00 2001 From: wryMitts <158655396+wryMitts@users.noreply.github.com> Date: Sun, 10 Mar 2024 16:55:10 -0400 Subject: [PATCH 338/846] Create proc group on install Fixes https://github.com/Kicksecure/security-misc/issues/210 --- debian/security-misc.preinst | 3 +++ 1 file changed, 3 insertions(+) diff --git a/debian/security-misc.preinst b/debian/security-misc.preinst index dc032b1..4b6a4d7 100644 --- a/debian/security-misc.preinst +++ b/debian/security-misc.preinst @@ -20,6 +20,9 @@ user_groups_modifications() { addgroup --system sysfs addgroup --system cpuinfo + ## /usr/lib/systemd/system/proc-hidepid.service + addgroup --system proc + ## group 'sudo' membership required to use 'su' ## /usr/share/pam-configs/wheel-security-misc adduser root sudo From 357ea5deab85debb9dff5d9e4e80a972954249c8 Mon Sep 17 00:00:00 2001 
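Review bot: The new `addgroup --system proc` runs unconditionally inside `user_groups_modifications()` (whose body starts and ends outside the hunk), so like the neighbouring `addgroup` calls it relies on `addgroup --system` exiting 0 when the system group is already present; as far as I recall it exits non-zero when a non-system group of the same name pre-exists, which under `set -e` would abort the preinst on such a host, so an explicit guard or a comment acknowledging the assumption would help. The comment names only the unit file and not what the group grants; since `gid=proc` exempts its members from `hidepid`, say so: `## members of group 'proc' bypass hidepid; see /usr/lib/systemd/system/proc-hidepid.service`.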
From: Patrick Schleizer Date: Mon, 11 Mar 2024 15:07:50 +0000 Subject: [PATCH 339/846] bumped changelog version --- changelog.upstream | 30 ++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 36 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 1fea6fd..c6f87f7 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,33 @@ +commit 0a018bdebca167d671d8bda81a2b0d929d396945 +Merge: 57fc487 0b81316 +Author: Patrick Schleizer +Date: Mon Mar 11 10:13:57 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 0b8131630041dbd80f1aa61dcedde446208c06f7 +Merge: 57fc487 03ed546 +Author: Patrick Schleizer +Date: Mon Mar 11 10:12:46 2024 -0400 + + Merge pull request #211 from wryMitts/patch-1 + + Create proc group on install + +commit 03ed546cd8992b29855ca1c2748ed988dd3c765d +Author: wryMitts <158655396+wryMitts@users.noreply.github.com> +Date: Sun Mar 10 16:55:10 2024 -0400 + + Create proc group on install + + Fixes https://github.com/Kicksecure/security-misc/issues/210 + +commit 57fc487e5e5ffad765f1418236744319cc666871 +Author: Patrick Schleizer +Date: Sun Mar 10 13:19:26 2024 +0000 + + bumped changelog version + commit a5206bde336c159be065345e7dd5cb86b2b6a27f Author: Patrick Schleizer Date: Sun Mar 10 08:44:53 2024 -0400 diff --git a/debian/changelog b/debian/changelog index 5cc0bd7..a53e7cf 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:36.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 11 Mar 2024 15:07:50 +0000 + security-misc (3:36.6-1) unstable; urgency=medium * New upstream version (local package). From ecaa024f226f4f45ac9d2a4f38bcdb82a6e35a2f Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 18 Mar 2024 11:01:56 -0400 Subject: [PATCH 340/846] lower debugging --- usr/share/security-misc/lkrg/lkrg-virtualbox | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/usr/share/security-misc/lkrg/lkrg-virtualbox b/usr/share/security-misc/lkrg/lkrg-virtualbox index 022d2dc..545a694 100755 --- a/usr/share/security-misc/lkrg/lkrg-virtualbox +++ b/usr/share/security-misc/lkrg/lkrg-virtualbox @@ -3,7 +3,7 @@ ## Copyright (C) 2021 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -set -x +#set -x set -e if ! command -v vboxmanage &>/dev/null ; then From d9ac01ba5c26f9730feb17fe573d447e625e59f8 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 18 Mar 2024 15:10:10 +0000 Subject: [PATCH 341/846] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index c6f87f7..4eced19 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit ecaa024f226f4f45ac9d2a4f38bcdb82a6e35a2f +Author: Patrick Schleizer +Date: Mon Mar 18 11:01:56 2024 -0400 + + lower debugging + +commit 357ea5deab85debb9dff5d9e4e80a972954249c8 +Author: Patrick Schleizer +Date: Mon Mar 11 15:07:50 2024 +0000 + + bumped changelog version + commit 0a018bdebca167d671d8bda81a2b0d929d396945 Merge: 57fc487 0b81316 Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index a53e7cf..8f36f5e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:36.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 18 Mar 2024 15:10:10 +0000 + security-misc (3:36.7-1) unstable; urgency=medium * New upstream version (local package). From 7dba3fb7bebd4fdc7f168df378c2d505971f2c04 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Mon, 1 Apr 2024 02:55:59 -0400 Subject: [PATCH 342/846] no longer disable MSR by default fixes https://github.com/Kicksecure/security-misc/issues/215 --- etc/modprobe.d/30_security-misc.conf | 3 ++- usr/bin/disabled-msr-by-security-misc | 10 ---------- 2 files changed, 2 insertions(+), 11 deletions(-) delete mode 100755 usr/bin/disabled-msr-by-security-misc diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf index 24ee928..8b5af64 100644 --- a/etc/modprobe.d/30_security-misc.conf +++ b/etc/modprobe.d/30_security-misc.conf @@ -33,7 +33,8 @@ install video1394 /usr/bin/disabled-firewire-by-security-misc ## Disable CPU MSRs as they can be abused to write to arbitrary memory. ## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode -install msr /usr/bin/disabled-msr-by-security-misc +## https://github.com/Kicksecure/security-misc/issues/215 +#install msr /usr/bin/disabled-msr-by-security-misc ## Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties. ## Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these. diff --git a/usr/bin/disabled-msr-by-security-misc b/usr/bin/disabled-msr-by-security-misc deleted file mode 100755 index 2c5e6e1..0000000 --- a/usr/bin/disabled-msr-by-security-misc +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Alerts the user that a kernel module failed to load due to it being blacklisted by default. - -echo "$0: ERROR: This CPU MSR kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 - -exit 1 From 7fba04d1485187fe648f3d3ab44cd834b0eb9791 Mon Sep 17 00:00:00 2001 
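Review bot: The commented-out line `#install msr /usr/bin/disabled-msr-by-security-misc` still points at a helper script that this same commit deletes, so an administrator who takes the obvious route of uncommenting it gets a modprobe `install` command that does not exist instead of the documented error message. Either keep the helper, or tell the reader how to re-block the module locally, e.g. `## To block the msr module again, add 'install msr /bin/false' to a file in /etc/modprobe.d/`. The explanatory text above (`## Disable CPU MSRs as they can be abused ...`) now describes a setting that is off by default and should say so, e.g. `## Not applied by default; see issue 215 below.`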
From: Patrick Schleizer Date: Mon, 1 Apr 2024 06:56:45 +0000 Subject: [PATCH 343/846] bumped changelog version --- changelog.upstream | 14 ++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 20 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 4eced19..d5e5794 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,17 @@ +commit 7dba3fb7bebd4fdc7f168df378c2d505971f2c04 +Author: Patrick Schleizer +Date: Mon Apr 1 02:55:59 2024 -0400 + + no longer disable MSR by default + + fixes https://github.com/Kicksecure/security-misc/issues/215 + +commit d9ac01ba5c26f9730feb17fe573d447e625e59f8 +Author: Patrick Schleizer +Date: Mon Mar 18 15:10:10 2024 +0000 + + bumped changelog version + commit ecaa024f226f4f45ac9d2a4f38bcdb82a6e35a2f Author: Patrick Schleizer Date: Mon Mar 18 11:01:56 2024 -0400 diff --git a/debian/changelog b/debian/changelog index 8f36f5e..51b4db5 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:36.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 01 Apr 2024 06:56:44 +0000 + security-misc (3:36.8-1) unstable; urgency=medium * New upstream version (local package). From 493576836c90653f9c3514fcd5b3bf816e56d689 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Fri, 12 Apr 2024 00:17:06 +1000 Subject: [PATCH 344/846] BHI mitigation on Intel CPUs --- etc/default/grub.d/40_cpu_mitigations.cfg | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index 9bd9fc5..667480e 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg 
@@ -75,3 +75,8 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt" ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html +## Enables mitigation of Branch History Injection vulnerabilities on Intel CPUs. +## +## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2bb69f5fc72183e1c62547d900f560d0e9334925 +## TODO: update the above link with better alternative when possible +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_bhi=on" From a9886a3119f9b662b15fc26d28a7fedf316b72c4 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 12 Apr 2024 06:56:39 +0000 Subject: [PATCH 345/846] bumped changelog version --- changelog.upstream | 28 ++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 34 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index d5e5794..5f51674 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,31 @@ +commit 5cbdf3c1262d26ae03b28baee87b1d268329da40 +Merge: 7fba04d ab8b6da +Author: Patrick Schleizer +Date: Fri Apr 12 02:54:17 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit ab8b6da484a90e9a62f8ba515c757aa3758baf48 +Merge: 7fba04d 4935768 +Author: Patrick Schleizer +Date: Fri Apr 12 02:53:08 2024 -0400 + + Merge pull request #216 from raja-grewal/spectre_bhi + + BHI mitigation on Intel CPUs + +commit 493576836c90653f9c3514fcd5b3bf816e56d689 +Author: raja-grewal +Date: Fri Apr 12 00:17:06 2024 +1000 + + BHI mitigation on Intel CPUs + +commit 7fba04d1485187fe648f3d3ab44cd834b0eb9791 +Author: Patrick Schleizer +Date: Mon Apr 1 06:56:45 2024 +0000 + + bumped changelog version + commit 7dba3fb7bebd4fdc7f168df378c2d505971f2c04 Author: Patrick Schleizer Date: Mon Apr 1 02:55:59 2024 -0400 diff --git a/debian/changelog b/debian/changelog index 51b4db5..38a464a 100644 --- a/debian/changelog +++ b/debian/changelog 
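Review bot: `spectre_bhi=on` is a recently added kernel parameter; kernels that predate it silently ignore the unknown option, so on such systems this line adds no protection and nothing warns about it. The comment should state that expectation and how to verify it, e.g. `## Requires a kernel with BHI support; on such kernels /sys/devices/system/cpu/vulnerabilities/spectre_v2 reports the BHI state.` The block also duplicates the reference-and-parameter shape of the existing Spectre v2 entry above, which later commits on this page fold together, so no further code change is needed here.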
@@ -1,3 +1,9 @@ +security-misc (3:37.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 12 Apr 2024 06:56:38 +0000 + security-misc (3:36.9-1) unstable; urgency=medium * New upstream version (local package). From 965c8641fd28e0ee592b50605edb7494fe9c3a28 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 1 May 2024 13:47:02 +1000 Subject: [PATCH 346/846] Update BHI mitigation reference --- etc/default/grub.d/40_cpu_mitigations.cfg | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index 667480e..7940b25 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg @@ -77,6 +77,5 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt" ## Enables mitigation of Branch History Injection vulnerabilities on Intel CPUs. ## -## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2bb69f5fc72183e1c62547d900f560d0e9334925 -## TODO: update the above link with better alternative when possible +## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_bhi=on" From de4f4be94762c9751ea62f744d7d6ede3ef30e88 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 1 May 2024 13:47:40 +1000 Subject: [PATCH 347/846] Merge spectre mitigations --- etc/default/grub.d/40_cpu_mitigations.cfg | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index 7940b25..de9ca82 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg 
@@ -10,10 +10,11 @@ ## Enable known mitigations for CPU vulnerabilities and disable SMT. GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt" -## Enable mitigations for Spectre variant 2 (indirect branch speculation). +## Enable mitigations for both Spectre Variant 2 (indirect branch speculation) +## and Intel branch history injection (BHI) vulnerabilities. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on spectre_bhi=on" ## Disable Speculative Store Bypass. GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on" @@ -74,8 +75,3 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt" ## This default will used until provided sufficient evidence to modify. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html - -## Enables mitigation of Branch History Injection vulnerabilities on Intel CPUs. -## -## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_bhi=on" From 015dcc4212736417a2202ea0e0a92e5c2e58d6a5 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 1 May 2024 13:48:13 +1000 Subject: [PATCH 348/846] Add reference for SSB --- etc/default/grub.d/40_cpu_mitigations.cfg | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index de9ca82..b683200 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg 
@@ -16,7 +16,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt" ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on spectre_bhi=on" -## Disable Speculative Store Bypass. +## Disable Speculative Store Bypass (Spectre Variant 4). +## +## https://www.suse.com/support/kb/doc/?id=000019189 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on" ## Enable mitigations for the L1TF vulnerability through disabling SMT From d89d7e8ef8ee3fd45456e82e8f649f7f28c93e80 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 1 May 2024 13:49:00 +1000 Subject: [PATCH 349/846] Add reference for RETBleed --- etc/default/grub.d/40_cpu_mitigations.cfg | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index b683200..ee6a2df 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg @@ -70,6 +70,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mmio_stale_data=full,nosmt" ## Enable mitigations for RETBleed (Arbitrary Speculative Code Execution with ## Return Instructions) vulnerability and disable SMT. ## +## https://www.suse.com/support/kb/doc/?id=000020693 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt" ## Control RAS overflow mitigation on AMD Zen CPUs. From c002bd62e8584a19e73b3f42673a3f9bafba6a2c Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 1 May 2024 13:49:34 +1000 Subject: [PATCH 350/846] Clarify use of `mitigations=auto` --- etc/default/grub.d/40_cpu_mitigations.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index ee6a2df..49c200e 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg 
@@ -7,7 +7,7 @@ ## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647 -## Enable known mitigations for CPU vulnerabilities and disable SMT. +## Enable a subset of known mitigations for CPU vulnerabilities and disable SMT. GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt" ## Enable mitigations for both Spectre Variant 2 (indirect branch speculation) From 1122b3402c0856a087415d7ba1a313048b7e3eea Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 1 May 2024 13:50:42 +1000 Subject: [PATCH 351/846] GDS mitigation for CPUs --- etc/default/grub.d/40_cpu_mitigations.cfg | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index 49c200e..029db6d 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg @@ -78,3 +78,10 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt" ## This default will used until provided sufficient evidence to modify. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html + +## Mitigates Gather Data Sampling (GDS) vulnerability. +## Note for systems that have not received a suitable microcode update this will +## entirely disable use of the AVX instructions set. +## +## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/gather_data_sampling.html +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX gather_data_sampling=force" From 0c031a29d33d13d9106746d61b87f9d98a80b5cd Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 1 May 2024 13:55:09 +1000 Subject: [PATCH 352/846] RFDS mitigation on Intel Atom CPUs (including E-cores) --- etc/default/grub.d/40_cpu_mitigations.cfg | 6 ++++++ 1 file changed, 6 insertions(+) 
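Review bot: `gather_data_sampling=force` is the strongest setting and the comment rightly warns that AVX is turned off when no mitigating microcode is present, but it leaves out the user-visible consequence — binaries that use AVX without checking the OS-enabled state may then die with SIGILL rather than run slower — and it has a typo (`instructions set`). Suggested wording: `## Without a mitigating microcode update this disables the AVX instruction set; AVX-dependent programs may then fail with SIGILL. Check /sys/devices/system/cpu/vulnerabilities/gather_data_sampling for the resulting state.` The same hunk's `## This default will used until ...` context line is pre-existing but could be fixed while the block is being touched.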
diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index 029db6d..aaefdaf 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg @@ -85,3 +85,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt" ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/gather_data_sampling.html GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX gather_data_sampling=force" + +## Register File Data Sampling (RFDS) mitigation on Intel Atom CPUs which +## encompasses E-cores on hybrid architectures. +## +## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/reg-file-data-sampling.html +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX reg_file_data_sampling=on" From 8f7768ce96e32e3f1ec52118afffc2a44a160976 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sun, 5 May 2024 12:50:39 +0000 Subject: [PATCH 353/846] Add vendor links --- etc/default/grub.d/40_cpu_mitigations.cfg | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index aaefdaf..20f62c1 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg @@ -7,6 +7,12 @@ ## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647 +## Check for potential updates directly from AMD and Intel. +## +## https://www.amd.com/en/resources/product-security.html +## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/advisory-guidance.html +## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/disclosure-documentation.html + ## Enable a subset of known mitigations for CPU vulnerabilities and disable SMT. GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt" 
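Review bot: The comment presents `reg_file_data_sampling=on` as a mitigation "on Intel Atom CPUs", but the parameter is appended unconditionally for every host; as I understand the kernel documentation the mitigation is only activated on CPUs the kernel marks as affected, which is worth stating so nobody adds a CPU check around it: `## Applied unconditionally; the kernel only enables the mitigation on affected CPUs. Verify via /sys/devices/system/cpu/vulnerabilities/reg_file_data_sampling.` The phrase `which encompasses E-cores` also reads better as `including the E-cores of hybrid parts`.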
From 4694268b8f779c1a0a56546dc6d12bf9f23a7cdd Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sun, 5 May 2024 12:52:51 +0000 Subject: [PATCH 354/846] Remove a word --- etc/default/grub.d/40_cpu_mitigations.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index 20f62c1..fd997e4 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg @@ -1,7 +1,7 @@ ## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Enables all known mitigations for CPU vulnerabilities. +## Enables known mitigations for CPU vulnerabilities. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html ## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html From 132b41ae73e9ea72bc3d8aff22ae75fc622758a3 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Thu, 9 May 2024 02:16:50 +0000 Subject: [PATCH 355/846] Revert logging of martians --- usr/lib/sysctl.d/990-security-misc.conf | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 321f3b8..95b44ff 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -81,8 +81,9 @@ kernel.io_uring_disabled=2 ## A martian packet is a one with a source address which is blatantly wrong ## Recommended to keep a log of these to identify these suspicious packets -net.ipv4.conf.all.log_martians=1 -net.ipv4.conf.default.log_martians=1 +## Good for troubleshooting and diagnostics but not necessary by default +#net.ipv4.conf.all.log_martians=1 +#net.ipv4.conf.default.log_martians=1 ## Protects against time-wait assassination. ## It drops RST packets for sockets in the time-wait state. From f3800a4e2b7bef87cc3bd8791f9e7f654f8d782a Mon Sep 17 00:00:00 2001 
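Review bot: The retained line `## Recommended to keep a log of these to identify these suspicious packets` now sits directly above two commented-out settings and contradicts the new `## Good for troubleshooting and diagnostics but not necessary by default`; the block should say one thing, e.g. `## Logging martians helps troubleshooting but is disabled by default because it caused problems in practice.` The same contradiction survives the follow-up hunk further down this page that appends the issue reference to this comment. Because the file lives in /usr/lib/sysctl.d/, the comment could also tell operators who want the logs to set both keys from a drop-in under /etc/sysctl.d/, which takes precedence, instead of editing the packaged file.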
From: raja-grewal Date: Thu, 9 May 2024 02:25:46 +0000 Subject: [PATCH 356/846] Create disabled-gps-by-security-misc --- usr/bin/disabled-gps-by-security-misc | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 usr/bin/disabled-gps-by-security-misc diff --git a/usr/bin/disabled-gps-by-security-misc b/usr/bin/disabled-gps-by-security-misc new file mode 100644 index 0000000..460e39c --- /dev/null +++ b/usr/bin/disabled-gps-by-security-misc @@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Alerts the user that a kernel module failed to load due to it being blacklisted by default. + +echo "$0: ERROR: This GNSS (Global Navigation Satellite System) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 + +exit 1 From 06f13bb766bd84182331aeb1632b917de4b36020 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Thu, 9 May 2024 02:28:53 +0000 Subject: [PATCH 357/846] Disable GPS modules like GNSS --- etc/modprobe.d/30_security-misc.conf | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf index 8b5af64..d993919 100644 --- a/etc/modprobe.d/30_security-misc.conf +++ b/etc/modprobe.d/30_security-misc.conf 
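Review bot: `$@` is expanded inside a double-quoted string (`... | args: $@"`), which ShellCheck flags as SC2145 because the arguments are spliced into the surrounding text in an ill-defined way, and `echo` is used for a message whose tail is supplied by whoever invoked modprobe. Since this script runs as root from a modprobe `install` rule, prefer `printf '%s\n' "$0: ERROR: This GNSS (Global Navigation Satellite System) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $*" >&2`. The file is committed with mode 100644, so modprobe cannot execute it until the mode is corrected (a later commit on this page does the `chmod +x`), and the copyright line says `2019 - 2023` for a file created in 2024.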
@@ -88,6 +88,14 @@ install vivid /usr/bin/disabled-vivid-by-security-misc install mei /usr/bin/disabled-intelme-by-security-misc install mei-me /usr/bin/disabled-intelme-by-security-misc +# Disable GPS modules like GNSS (Global Navigation Satellite System) +install gnss /usr/bin/disabled-gps-by-security-misc +install gnss-mtk /usr/bin/disabled-gps-by-security-misc +install gnss-serial /usr/bin/disabled-gps-by-security-misc +install gnss-sirf /usr/bin/disabled-gps-by-security-misc +install gnss-usb /usr/bin/disabled-gps-by-security-misc +install gnss-ubx /usr/bin/disabled-gps-by-security-misc + ## Blacklist automatic loading of the Atheros 5K RF MACs madwifi driver ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco blacklist ath_pci From 677f75ae8ed64af599f837ced15f34990df498e5 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Thu, 9 May 2024 02:34:02 +0000 Subject: [PATCH 358/846] Disable `firewire-net` module --- etc/modprobe.d/30_security-misc.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf index 8b5af64..5e6c1f6 100644 --- a/etc/modprobe.d/30_security-misc.conf +++ b/etc/modprobe.d/30_security-misc.conf @@ -21,6 +21,7 @@ options nf_conntrack nf_conntrack_helper=0 install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc install firewire-core /usr/bin/disabled-firewire-by-security-misc install firewire_core /usr/bin/disabled-firewire-by-security-misc +install firewire-net /usr/bin/disabled-firewire-by-security-misc install firewire-ohci /usr/bin/disabled-firewire-by-security-misc install firewire_ohci /usr/bin/disabled-firewire-by-security-misc install firewire_sbp2 /usr/bin/disabled-firewire-by-security-misc From 8d01fc2d351285c9c2f810bf5cf10797c9b9eb41 Mon Sep 17 00:00:00 2001 
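Review bot: The new comment `# Disable GPS modules like GNSS (Global Navigation Satellite System)` uses a single `#` where every other comment in this file, including the surrounding `## Blacklist automatic loading ...`, uses `##`, and it inverts the relationship between the terms, since GNSS is the umbrella that GPS belongs to. Suggested line: `## Disable GNSS (Global Navigation Satellite System, e.g. GPS) receiver drivers`. As with the other `install` rules in this file, this only intercepts module loading through modprobe and has no effect on a driver compiled into the kernel, which is worth a one-line reminder if one is not already present above the hunk.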
From: Patrick Schleizer Date: Fri, 10 May 2024 06:48:26 -0400 Subject: [PATCH 359/846] chmod +x --- usr/bin/disabled-gps-by-security-misc | 0 1 file changed, 0 insertions(+), 0 deletions(-) mode change 100644 => 100755 usr/bin/disabled-gps-by-security-misc diff --git a/usr/bin/disabled-gps-by-security-misc b/usr/bin/disabled-gps-by-security-misc old mode 100644 new mode 100755 From 9b589bc3116c8f9d6d574021bcec7b5dec3888b8 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 10 May 2024 06:49:34 -0400 Subject: [PATCH 360/846] comment --- usr/lib/sysctl.d/990-security-misc.conf | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 95b44ff..9f2736e 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -81,7 +81,9 @@ kernel.io_uring_disabled=2 ## A martian packet is a one with a source address which is blatantly wrong ## Recommended to keep a log of these to identify these suspicious packets -## Good for troubleshooting and diagnostics but not necessary by default +## Good for troubleshooting and diagnostics but not necessary by default. +## Caused issue: +## https://github.com/Kicksecure/security-misc/issues/214 #net.ipv4.conf.all.log_martians=1 #net.ipv4.conf.default.log_martians=1 From 5867b1b014f450acdf70c203ffe2f27831f1d9b0 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 10 May 2024 11:20:36 +0000 Subject: [PATCH 361/846] bumped changelog version --- changelog.upstream | 139 +++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++ 2 files changed, 145 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 5f51674..7c04cd0 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,142 @@ +commit 9b589bc3116c8f9d6d574021bcec7b5dec3888b8 +Author: Patrick Schleizer +Date: Fri May 10 06:49:34 2024 -0400 + + comment + +commit 8d01fc2d351285c9c2f810bf5cf10797c9b9eb41 +Author: Patrick Schleizer +Date: Fri May 10 06:48:26 2024 -0400 + + chmod +x + +commit 8a28c1bc38b87bf55f25764c96a0e81e22137232 +Merge: a9886a3 0f1119f +Author: Patrick Schleizer +Date: Fri May 10 06:48:04 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 0f1119f326cd769db8995e8eb54ff35503c70562 +Merge: 547757f 677f75a +Author: Patrick Schleizer +Date: Fri May 10 06:45:57 2024 -0400 + + Merge pull request #221 from raja-grewal/firewire + + Disable Firewire Module + +commit 547757f4514a54437d044656c5e2b6d413a4cc30 +Merge: 7b9fe44 06f13bb +Author: Patrick Schleizer +Date: Fri May 10 06:45:34 2024 -0400 + + Merge pull request #220 from raja-grewal/block_gps + + Block Several GPS-related Modules + +commit 7b9fe44a20f3caf67f386969a5fc7c980e5f0282 +Merge: 62ea4dc 132b41a +Author: Patrick Schleizer +Date: Fri May 10 06:43:43 2024 -0400 + + Merge pull request #219 from raja-grewal/logging_martians + + Revert Logging of Martians + +commit 62ea4dc1768f69bb28a69c20e55c87ae692cc0c8 +Merge: a9886a3 4694268 +Author: Patrick Schleizer +Date: Fri May 10 06:43:15 2024 -0400 + + Merge pull request #218 from raja-grewal/secure_cpu + + More CPU Mitigations and Additional References + +commit 677f75ae8ed64af599f837ced15f34990df498e5 +Author: raja-grewal +Date: Thu May 9 02:34:02 2024 +0000 + + Disable `firewire-net` module + +commit 06f13bb766bd84182331aeb1632b917de4b36020 +Author: raja-grewal +Date: Thu May 9 02:28:53 2024 +0000 + + Disable GPS modules like GNSS + +commit f3800a4e2b7bef87cc3bd8791f9e7f654f8d782a +Author: raja-grewal +Date: Thu May 9 02:25:46 2024 +0000 + + Create disabled-gps-by-security-misc + +commit 132b41ae73e9ea72bc3d8aff22ae75fc622758a3 +Author: raja-grewal +Date: Thu May 9 02:16:50 2024 +0000 + + Revert logging of martians + +commit 
4694268b8f779c1a0a56546dc6d12bf9f23a7cdd +Author: raja-grewal +Date: Sun May 5 12:52:51 2024 +0000 + + Remove a word + +commit 8f7768ce96e32e3f1ec52118afffc2a44a160976 +Author: raja-grewal +Date: Sun May 5 12:50:39 2024 +0000 + + Add vendor links + +commit 0c031a29d33d13d9106746d61b87f9d98a80b5cd +Author: raja-grewal +Date: Wed May 1 13:55:09 2024 +1000 + + RFDS mitigation on Intel Atom CPUs (including E-cores) + +commit 1122b3402c0856a087415d7ba1a313048b7e3eea +Author: raja-grewal +Date: Wed May 1 13:50:42 2024 +1000 + + GDS mitigation for CPUs + +commit c002bd62e8584a19e73b3f42673a3f9bafba6a2c +Author: raja-grewal +Date: Wed May 1 13:49:34 2024 +1000 + + Clarify use of `mitigations=auto` + +commit d89d7e8ef8ee3fd45456e82e8f649f7f28c93e80 +Author: raja-grewal +Date: Wed May 1 13:49:00 2024 +1000 + + Add reference for RETBleed + +commit 015dcc4212736417a2202ea0e0a92e5c2e58d6a5 +Author: raja-grewal +Date: Wed May 1 13:48:13 2024 +1000 + + Add reference for SSB + +commit de4f4be94762c9751ea62f744d7d6ede3ef30e88 +Author: raja-grewal +Date: Wed May 1 13:47:40 2024 +1000 + + Merge spectre mitigations + +commit 965c8641fd28e0ee592b50605edb7494fe9c3a28 +Author: raja-grewal +Date: Wed May 1 13:47:02 2024 +1000 + + Update BHI mitigation reference + +commit a9886a3119f9b662b15fc26d28a7fedf316b72c4 +Author: Patrick Schleizer +Date: Fri Apr 12 06:56:39 2024 +0000 + + bumped changelog version + commit 5cbdf3c1262d26ae03b28baee87b1d268329da40 Merge: 7fba04d ab8b6da Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index 38a464a..d56325f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:37.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 10 May 2024 11:20:36 +0000 + security-misc (3:37.0-1) unstable; urgency=medium * New upstream version (local package). From dddac1dc4015a28fc6b12244809685295272edd1 Mon Sep 17 00:00:00 2001 
From: Raja Grewal
Date: Sat, 11 May 2024 13:15:42 +1000
Subject: [PATCH 362/846] Update README.md
---
 README.md | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index e47754f..c774837 100644
--- a/README.md
+++ b/README.md
@@ -58,6 +58,9 @@ configuration file.
 - Set coredump file name based on core_pattern value instead of the default of naming it 'core'.
+- Will disable `io_uring` interface for performing asynchronous I/O as it has
+ historically been a significant attack surface.
+
 ### mmap ASLR
 - The bits of entropy used for mmap ASLR are maxed out via
@@ -89,7 +92,7 @@ Boot parameters are outlined in configuration files located in the
 - Enables randomisation of the kernel stack offset on syscall entries.
-- All mitigations for known CPU vulnerabilities are enabled and SMT is
+- Mitigations for known CPU vulnerabilities are enabled and SMT is
 disabled.
 - IOMMU is enabled to prevent DMA attacks along with strict enforcement of
@@ -169,6 +172,9 @@ surface via the `/etc/modprobe.d/30_security-misc.conf` configuration file.
 Engine (ME)](https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html) and the OS.
+- Disables several kernel modules responsible for GPS such as GNSS (Global
+ Navigation Satellite System).
+
 - Incorporates much of [Ubuntu's](https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d?h=ubuntu/disco) default blacklist of modules to be blocked from automatically loading.
From 1bb843ec3863696170242c57668d0b3f44f41d7b Mon Sep 17 00:00:00 2001
From: Raja Grewal Date: Sat, 11 May 2024 13:18:36 +1000 Subject: [PATCH 363/846] Update Copyright (C) to 2024 --- COPYING | 2 +- debian/control | 2 +- debian/copyright | 2 +- debian/make-helper-overrides.bsh | 2 +- debian/rules | 2 +- debian/security-misc.displace | 2 +- debian/security-misc.install | 2 +- debian/security-misc.maintscript | 2 +- debian/security-misc.postinst | 2 +- debian/security-misc.postrm | 2 +- debian/security-misc.preinst | 2 +- debian/security-misc.prerm | 2 +- debian/security-misc.undisplace | 2 +- debian/watch | 2 +- etc/apparmor.d/tunables/home.d/security-misc | 2 +- etc/apt/apt.conf.d/40error-on-any | 2 +- etc/apt/apt.conf.d/40sandbox | 2 +- etc/default/grub.d/40_cpu_mitigations.cfg | 2 +- etc/default/grub.d/40_distrust_bootloader.cfg | 2 +- etc/default/grub.d/40_distrust_cpu.cfg | 2 +- etc/default/grub.d/40_enable_iommu.cfg | 2 +- etc/default/grub.d/40_kernel_hardening.cfg | 2 +- etc/default/grub.d/40_remmount-secure.cfg | 2 +- etc/default/grub.d/41_quiet.cfg | 2 +- etc/hide-hardware-info.d/30_default.conf | 2 +- etc/initramfs-tools/hooks/sysctl-initramfs | 2 +- etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs | 2 +- etc/kernel/postinst.d/30_remove-system-map | 2 +- etc/modprobe.d/30_security-misc.conf | 2 +- etc/permission-hardener.d/25_default_passwd.conf | 2 +- etc/permission-hardener.d/25_default_sudo.conf | 2 +- .../25_default_whitelist_bubblewrap.conf | 2 +- etc/permission-hardener.d/25_default_whitelist_chromium.conf | 2 +- etc/permission-hardener.d/25_default_whitelist_dbus.conf | 2 +- etc/permission-hardener.d/25_default_whitelist_firejail.conf | 2 +- etc/permission-hardener.d/25_default_whitelist_fuse.conf | 2 +- .../25_default_whitelist_hardened_malloc.conf | 2 +- etc/permission-hardener.d/25_default_whitelist_mount.conf | 2 +- etc/permission-hardener.d/25_default_whitelist_pam.conf | 2 +- etc/permission-hardener.d/25_default_whitelist_policykit.conf | 2 +- etc/permission-hardener.d/25_default_whitelist_qubes.conf | 2 
+- etc/permission-hardener.d/25_default_whitelist_selinux.conf | 2 +- etc/permission-hardener.d/25_default_whitelist_spice.conf | 2 +- etc/permission-hardener.d/25_default_whitelist_ssh.conf | 2 +- etc/permission-hardener.d/25_default_whitelist_sudo.conf | 2 +- .../25_default_whitelist_unix_chkpwd.conf | 2 +- .../25_default_whitelist_virtualbox.conf | 2 +- etc/profile.d/30_security-misc.sh | 2 +- etc/security/access-security-misc.conf | 2 +- etc/security/limits.d/30_security-misc.conf | 2 +- etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml | 2 +- etc/sudoers.d/pkexec-security-misc | 2 +- etc/sudoers.d/security-misc | 2 +- etc/sudoers.d/xfce-security-misc | 2 +- etc/thunderbird/pref/40_security-misc.js | 2 +- usr/bin/disabled-bluetooth-by-security-misc | 2 +- usr/bin/disabled-cdrom-by-security-misc | 2 +- usr/bin/disabled-filesys-by-security-misc | 2 +- usr/bin/disabled-firewire-by-security-misc | 2 +- usr/bin/disabled-gps-by-security-misc | 2 +- usr/bin/disabled-intelme-by-security-misc | 2 +- usr/bin/disabled-netfilesys-by-security-misc | 2 +- usr/bin/disabled-network-by-security-misc | 2 +- usr/bin/disabled-thunderbolt-by-security-misc | 2 +- usr/bin/disabled-vivid-by-security-misc | 2 +- usr/bin/pkexec.security-misc | 2 +- .../modules.d-disabled/20remount-secure/module-setup.sh | 2 +- .../modules.d-disabled/20remount-secure/remount-secure.sh | 2 +- usr/lib/modules-load.d/30_security-misc.conf | 2 +- usr/lib/sysctl.d/30_security-misc_kexec-disable.conf | 2 +- usr/lib/sysctl.d/30_silent-kernel-printk.conf | 2 +- usr/lib/sysctl.d/990-security-misc.conf | 2 +- usr/lib/systemd/system-preset/50-security-misc.preset | 2 +- .../systemd/system/haveged.service.d/30_security-misc.conf | 2 +- usr/lib/systemd/system/hide-hardware-info.service | 2 +- usr/lib/systemd/system/permission-hardener.service | 2 +- usr/lib/systemd/system/proc-hidepid.service | 2 +- usr/lib/systemd/system/remount-secure.service | 2 +- usr/lib/systemd/system/remove-system-map.service | 2 +- 
usr/libexec/security-misc/apt-get-update | 2 +- usr/libexec/security-misc/apt-get-update-sanity-test | 2 +- usr/libexec/security-misc/askpass | 2 +- usr/libexec/security-misc/echo-path | 2 +- usr/libexec/security-misc/hide-hardware-info | 2 +- usr/libexec/security-misc/mmap-rnd-bits | 4 ++-- usr/libexec/security-misc/pam-abort-on-locked-password | 2 +- usr/libexec/security-misc/pam-info | 2 +- usr/libexec/security-misc/pam_faillock_not_if_x | 2 +- usr/libexec/security-misc/pam_only_if_login | 2 +- usr/libexec/security-misc/panic-on-oops | 2 +- usr/libexec/security-misc/permission-lockdown | 2 +- usr/libexec/security-misc/remove-system.map | 2 +- usr/libexec/security-misc/virusforget | 2 +- usr/share/lintian/overrides/security-misc | 2 +- usr/share/security-misc/dolphinrc | 2 +- usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf | 2 +- usr/share/security-misc/lkrg/lkrg-virtualbox | 2 +- 97 files changed, 98 insertions(+), 98 deletions(-) diff --git a/COPYING b/COPYING index 2a78337..808999e 100644 --- a/COPYING +++ b/COPYING @@ -1,7 +1,7 @@ Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Files: * -Copyright: 2012 - 2023 ENCRYPTED SUPPORT LP +Copyright: 2012 - 2024 ENCRYPTED SUPPORT LP License: AGPL-3+ License: AGPL-3+ diff --git a/debian/control b/debian/control index 77d5704..4909511 100644 --- a/debian/control +++ b/debian/control @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. Source: security-misc diff --git a/debian/copyright b/debian/copyright index 2a78337..808999e 100644 --- a/debian/copyright +++ b/debian/copyright @@ -1,7 +1,7 @@ Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Files: * -Copyright: 2012 - 2023 ENCRYPTED SUPPORT LP +Copyright: 2012 - 2024 ENCRYPTED SUPPORT LP License: AGPL-3+ License: AGPL-3+ 
diff --git a/debian/make-helper-overrides.bsh b/debian/make-helper-overrides.bsh index c43ca87..ca24e42 100755 --- a/debian/make-helper-overrides.bsh +++ b/debian/make-helper-overrides.bsh @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2021 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2021 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/24 diff --git a/debian/rules b/debian/rules index a1570ba..60f46e0 100755 --- a/debian/rules +++ b/debian/rules @@ -1,6 +1,6 @@ #!/usr/bin/make -f -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. #export DH_VERBOSE=1 diff --git a/debian/security-misc.displace b/debian/security-misc.displace index d80a247..29392d5 100644 --- a/debian/security-misc.displace +++ b/debian/security-misc.displace @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. /etc/securetty.security-misc diff --git a/debian/security-misc.install b/debian/security-misc.install index 9cea19c..51e61ce 100644 --- a/debian/security-misc.install +++ b/debian/security-misc.install @@ -1,4 +1,4 @@ -## Copyright (C) 2020 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2020 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## This file was generated using 'genmkfile debinstfile'. diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript index 7e44c41..f64e762 100644 --- a/debian/security-misc.maintscript +++ b/debian/security-misc.maintscript @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. rm_conffile /etc/sudoers.d/umask-security-misc 
diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst index b3aaae8..6dd7738 100644 --- a/debian/security-misc.postinst +++ b/debian/security-misc.postinst @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then diff --git a/debian/security-misc.postrm b/debian/security-misc.postrm index c40721f..d474547 100644 --- a/debian/security-misc.postrm +++ b/debian/security-misc.postrm @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then diff --git a/debian/security-misc.preinst b/debian/security-misc.preinst index 4b6a4d7..f10ff11 100644 --- a/debian/security-misc.preinst +++ b/debian/security-misc.preinst @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then diff --git a/debian/security-misc.prerm b/debian/security-misc.prerm index 78d5f3a..b1f7db3 100644 --- a/debian/security-misc.prerm +++ b/debian/security-misc.prerm @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then diff --git a/debian/security-misc.undisplace b/debian/security-misc.undisplace index 4aed27c..6db9354 100644 --- a/debian/security-misc.undisplace +++ b/debian/security-misc.undisplace @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. /etc/login.defs.security-misc 
diff --git a/debian/watch b/debian/watch index 4a80d35..e38736e 100644 --- a/debian/watch +++ b/debian/watch @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. version=4 diff --git a/etc/apparmor.d/tunables/home.d/security-misc b/etc/apparmor.d/tunables/home.d/security-misc index b1aad3d..92faf91 100644 --- a/etc/apparmor.d/tunables/home.d/security-misc +++ b/etc/apparmor.d/tunables/home.d/security-misc @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. alias /etc/pam.d/common-session -> /etc/pam.d//etc/pam.d/common-session.security-misc, diff --git a/etc/apt/apt.conf.d/40error-on-any b/etc/apt/apt.conf.d/40error-on-any index fbde1db..85de3be 100644 --- a/etc/apt/apt.conf.d/40error-on-any +++ b/etc/apt/apt.conf.d/40error-on-any @@ -1,4 +1,4 @@ -## Copyright (C) 2021 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2021 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Make "sudo apt-get update" exit non-zero for transient failures. diff --git a/etc/apt/apt.conf.d/40sandbox b/etc/apt/apt.conf.d/40sandbox index eb7ef7a..e8025ac 100644 --- a/etc/apt/apt.conf.d/40sandbox +++ b/etc/apt/apt.conf.d/40sandbox @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## https://forums.whonix.org/t/apt-seccomp-bpf-sandboxing/7702 diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index fd997e4..99582ae 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg 
@@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Enables known mitigations for CPU vulnerabilities. diff --git a/etc/default/grub.d/40_distrust_bootloader.cfg b/etc/default/grub.d/40_distrust_bootloader.cfg index 36ce183..eb26262 100644 --- a/etc/default/grub.d/40_distrust_bootloader.cfg +++ b/etc/default/grub.d/40_distrust_bootloader.cfg @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Distrusts the bootloader for initial entropy at boot. diff --git a/etc/default/grub.d/40_distrust_cpu.cfg b/etc/default/grub.d/40_distrust_cpu.cfg index 107b717..5cfaba9 100644 --- a/etc/default/grub.d/40_distrust_cpu.cfg +++ b/etc/default/grub.d/40_distrust_cpu.cfg @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Distrusts the CPU for initial entropy at boot as it is not possible to diff --git a/etc/default/grub.d/40_enable_iommu.cfg b/etc/default/grub.d/40_enable_iommu.cfg index 10a82fd..898e500 100644 --- a/etc/default/grub.d/40_enable_iommu.cfg +++ b/etc/default/grub.d/40_enable_iommu.cfg @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Enables IOMMU to prevent DMA attacks. diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 9b7b53b..4c70928 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg 
@@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. kpkg="linux-image-$(dpkg --print-architecture)" || true diff --git a/etc/default/grub.d/40_remmount-secure.cfg b/etc/default/grub.d/40_remmount-secure.cfg index 845ca46..4bdc3a9 100644 --- a/etc/default/grub.d/40_remmount-secure.cfg +++ b/etc/default/grub.d/40_remmount-secure.cfg @@ -1,4 +1,4 @@ -## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## https://www.kicksecure.com/wiki/Security-misc#Remount_Secure diff --git a/etc/default/grub.d/41_quiet.cfg b/etc/default/grub.d/41_quiet.cfg index b863029..ecb268b 100644 --- a/etc/default/grub.d/41_quiet.cfg +++ b/etc/default/grub.d/41_quiet.cfg @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Prevent kernel info leaks in console during boot. diff --git a/etc/hide-hardware-info.d/30_default.conf b/etc/hide-hardware-info.d/30_default.conf index ffda4de..07e1c7e 100644 --- a/etc/hide-hardware-info.d/30_default.conf +++ b/etc/hide-hardware-info.d/30_default.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Disable the /sys whitelist. diff --git a/etc/initramfs-tools/hooks/sysctl-initramfs b/etc/initramfs-tools/hooks/sysctl-initramfs index 1a80c8f..22ceaf1 100755 --- a/etc/initramfs-tools/hooks/sysctl-initramfs +++ b/etc/initramfs-tools/hooks/sysctl-initramfs @@ -1,6 +1,6 @@ #!/bin/sh -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. set -e 
diff --git a/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs b/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs index d932fc1..88d0162 100755 --- a/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs +++ b/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs @@ -1,6 +1,6 @@ #!/bin/sh -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. PREREQ="" diff --git a/etc/kernel/postinst.d/30_remove-system-map b/etc/kernel/postinst.d/30_remove-system-map index 14ac9b6..f5e3d96 100755 --- a/etc/kernel/postinst.d/30_remove-system-map +++ b/etc/kernel/postinst.d/30_remove-system-map @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. if test -x /usr/libexec/security-misc/remove-system.map ; then diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf index 421c8be..0e4b0f2 100644 --- a/etc/modprobe.d/30_security-misc.conf +++ b/etc/modprobe.d/30_security-misc.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## See the following links for a community discussion and overview regarding the selections diff --git a/etc/permission-hardener.d/25_default_passwd.conf b/etc/permission-hardener.d/25_default_passwd.conf index dcd403f..6313e15 100644 --- a/etc/permission-hardener.d/25_default_passwd.conf +++ b/etc/permission-hardener.d/25_default_passwd.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or 
diff --git a/etc/permission-hardener.d/25_default_sudo.conf b/etc/permission-hardener.d/25_default_sudo.conf index 6a1cf21..ee46b0e 100644 --- a/etc/permission-hardener.d/25_default_sudo.conf +++ b/etc/permission-hardener.d/25_default_sudo.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/etc/permission-hardener.d/25_default_whitelist_bubblewrap.conf b/etc/permission-hardener.d/25_default_whitelist_bubblewrap.conf index 071e724..57ad396 100644 --- a/etc/permission-hardener.d/25_default_whitelist_bubblewrap.conf +++ b/etc/permission-hardener.d/25_default_whitelist_bubblewrap.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/etc/permission-hardener.d/25_default_whitelist_chromium.conf b/etc/permission-hardener.d/25_default_whitelist_chromium.conf index db6f8ea..68f54ed 100644 --- a/etc/permission-hardener.d/25_default_whitelist_chromium.conf +++ b/etc/permission-hardener.d/25_default_whitelist_chromium.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/etc/permission-hardener.d/25_default_whitelist_dbus.conf b/etc/permission-hardener.d/25_default_whitelist_dbus.conf index 2997915..4c185ca 100644 --- a/etc/permission-hardener.d/25_default_whitelist_dbus.conf +++ b/etc/permission-hardener.d/25_default_whitelist_dbus.conf 
@@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/etc/permission-hardener.d/25_default_whitelist_firejail.conf b/etc/permission-hardener.d/25_default_whitelist_firejail.conf index a56cb23..fbece5c 100644 --- a/etc/permission-hardener.d/25_default_whitelist_firejail.conf +++ b/etc/permission-hardener.d/25_default_whitelist_firejail.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/etc/permission-hardener.d/25_default_whitelist_fuse.conf b/etc/permission-hardener.d/25_default_whitelist_fuse.conf index 4affc6a..a8b41b1 100644 --- a/etc/permission-hardener.d/25_default_whitelist_fuse.conf +++ b/etc/permission-hardener.d/25_default_whitelist_fuse.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/etc/permission-hardener.d/25_default_whitelist_hardened_malloc.conf b/etc/permission-hardener.d/25_default_whitelist_hardened_malloc.conf index 6cc01fe..5437436 100644 --- a/etc/permission-hardener.d/25_default_whitelist_hardened_malloc.conf +++ b/etc/permission-hardener.d/25_default_whitelist_hardened_malloc.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/etc/permission-hardener.d/25_default_whitelist_mount.conf b/etc/permission-hardener.d/25_default_whitelist_mount.conf index ce7d014..54b22a6 100644 
--- a/etc/permission-hardener.d/25_default_whitelist_mount.conf +++ b/etc/permission-hardener.d/25_default_whitelist_mount.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/etc/permission-hardener.d/25_default_whitelist_pam.conf b/etc/permission-hardener.d/25_default_whitelist_pam.conf index 7348e0c..f9d8a08 100644 --- a/etc/permission-hardener.d/25_default_whitelist_pam.conf +++ b/etc/permission-hardener.d/25_default_whitelist_pam.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/etc/permission-hardener.d/25_default_whitelist_policykit.conf b/etc/permission-hardener.d/25_default_whitelist_policykit.conf index 032c6b2..227b5fc 100644 --- a/etc/permission-hardener.d/25_default_whitelist_policykit.conf +++ b/etc/permission-hardener.d/25_default_whitelist_policykit.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/etc/permission-hardener.d/25_default_whitelist_qubes.conf b/etc/permission-hardener.d/25_default_whitelist_qubes.conf index ad8592a..ec84733 100644 --- a/etc/permission-hardener.d/25_default_whitelist_qubes.conf +++ b/etc/permission-hardener.d/25_default_whitelist_qubes.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or 
diff --git a/etc/permission-hardener.d/25_default_whitelist_selinux.conf b/etc/permission-hardener.d/25_default_whitelist_selinux.conf index 2a5686a..0259ef1 100644 --- a/etc/permission-hardener.d/25_default_whitelist_selinux.conf +++ b/etc/permission-hardener.d/25_default_whitelist_selinux.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/etc/permission-hardener.d/25_default_whitelist_spice.conf b/etc/permission-hardener.d/25_default_whitelist_spice.conf index a8b7f7a..85e0197 100644 --- a/etc/permission-hardener.d/25_default_whitelist_spice.conf +++ b/etc/permission-hardener.d/25_default_whitelist_spice.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/etc/permission-hardener.d/25_default_whitelist_ssh.conf b/etc/permission-hardener.d/25_default_whitelist_ssh.conf index f7ef445..8d9eba5 100644 --- a/etc/permission-hardener.d/25_default_whitelist_ssh.conf +++ b/etc/permission-hardener.d/25_default_whitelist_ssh.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/etc/permission-hardener.d/25_default_whitelist_sudo.conf b/etc/permission-hardener.d/25_default_whitelist_sudo.conf index a7b0fd2..7003861 100644 --- a/etc/permission-hardener.d/25_default_whitelist_sudo.conf +++ b/etc/permission-hardener.d/25_default_whitelist_sudo.conf 
@@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/etc/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf b/etc/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf index dc1fb5a..5953d85 100644 --- a/etc/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf +++ b/etc/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/etc/permission-hardener.d/25_default_whitelist_virtualbox.conf b/etc/permission-hardener.d/25_default_whitelist_virtualbox.conf index 17701d9..d9c68bc 100644 --- a/etc/permission-hardener.d/25_default_whitelist_virtualbox.conf +++ b/etc/permission-hardener.d/25_default_whitelist_virtualbox.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/etc/profile.d/30_security-misc.sh b/etc/profile.d/30_security-misc.sh index 2ab169d..41aa6ac 100755 --- a/etc/profile.d/30_security-misc.sh +++ b/etc/profile.d/30_security-misc.sh @@ -1,6 +1,6 @@ #!/bin/sh -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. if [ -z "$XDG_CONFIG_DIRS" ]; then diff --git a/etc/security/access-security-misc.conf b/etc/security/access-security-misc.conf index 248335c..a78abd1 100644 --- a/etc/security/access-security-misc.conf +++ b/etc/security/access-security-misc.conf 
@@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## To enable root login, see: diff --git a/etc/security/limits.d/30_security-misc.conf b/etc/security/limits.d/30_security-misc.conf index bbbe31d..91a08a3 100644 --- a/etc/security/limits.d/30_security-misc.conf +++ b/etc/security/limits.d/30_security-misc.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Disable coredumps. diff --git a/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml b/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml index fa9d01d..0f588ae 100644 --- a/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml +++ b/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml @@ -1,6 +1,6 @@ - + diff --git a/etc/sudoers.d/pkexec-security-misc b/etc/sudoers.d/pkexec-security-misc index db5f32f..bd78bde 100644 --- a/etc/sudoers.d/pkexec-security-misc +++ b/etc/sudoers.d/pkexec-security-misc @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## REVIEW: is it ok that users can find out the PATH setting of root? diff --git a/etc/sudoers.d/security-misc b/etc/sudoers.d/security-misc index fd9b7fc..7084b1f 100644 --- a/etc/sudoers.d/security-misc +++ b/etc/sudoers.d/security-misc @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. user ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops diff --git a/etc/sudoers.d/xfce-security-misc b/etc/sudoers.d/xfce-security-misc index be92ce9..3d26d7b 100644 --- a/etc/sudoers.d/xfce-security-misc +++ b/etc/sudoers.d/xfce-security-misc 
@@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## https://forums.whonix.org/t/xfce4-power-manager-xfpm-power-backlight-helper-pkexec-lxsudo-popup/8764 diff --git a/etc/thunderbird/pref/40_security-misc.js b/etc/thunderbird/pref/40_security-misc.js index b0586e8..49df52d 100644 --- a/etc/thunderbird/pref/40_security-misc.js +++ b/etc/thunderbird/pref/40_security-misc.js @@ -1,4 +1,4 @@ -//#### Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +//#### Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP //#### See the file COPYING for copying conditions. //#### meta start diff --git a/usr/bin/disabled-bluetooth-by-security-misc b/usr/bin/disabled-bluetooth-by-security-misc index 55b1e63..8091b45 100755 --- a/usr/bin/disabled-bluetooth-by-security-misc +++ b/usr/bin/disabled-bluetooth-by-security-misc @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. diff --git a/usr/bin/disabled-cdrom-by-security-misc b/usr/bin/disabled-cdrom-by-security-misc index 9efd765..13e4592 100755 --- a/usr/bin/disabled-cdrom-by-security-misc +++ b/usr/bin/disabled-cdrom-by-security-misc @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. diff --git a/usr/bin/disabled-filesys-by-security-misc b/usr/bin/disabled-filesys-by-security-misc index 50dd638..b5b2426 100755 --- a/usr/bin/disabled-filesys-by-security-misc +++ b/usr/bin/disabled-filesys-by-security-misc 
@@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. diff --git a/usr/bin/disabled-firewire-by-security-misc b/usr/bin/disabled-firewire-by-security-misc index ca04ab1..dbcc7ce 100755 --- a/usr/bin/disabled-firewire-by-security-misc +++ b/usr/bin/disabled-firewire-by-security-misc @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. diff --git a/usr/bin/disabled-gps-by-security-misc b/usr/bin/disabled-gps-by-security-misc index 460e39c..90b7076 100755 --- a/usr/bin/disabled-gps-by-security-misc +++ b/usr/bin/disabled-gps-by-security-misc @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. diff --git a/usr/bin/disabled-intelme-by-security-misc b/usr/bin/disabled-intelme-by-security-misc index 108cc81..47bdcb1 100755 --- a/usr/bin/disabled-intelme-by-security-misc +++ b/usr/bin/disabled-intelme-by-security-misc @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. diff --git a/usr/bin/disabled-netfilesys-by-security-misc b/usr/bin/disabled-netfilesys-by-security-misc index 5c15b39..e62f0c0 100755 --- a/usr/bin/disabled-netfilesys-by-security-misc +++ b/usr/bin/disabled-netfilesys-by-security-misc 
@@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. diff --git a/usr/bin/disabled-network-by-security-misc b/usr/bin/disabled-network-by-security-misc index d2ae58c..f00086e 100755 --- a/usr/bin/disabled-network-by-security-misc +++ b/usr/bin/disabled-network-by-security-misc @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. diff --git a/usr/bin/disabled-thunderbolt-by-security-misc b/usr/bin/disabled-thunderbolt-by-security-misc index e086d4a..d153ceb 100755 --- a/usr/bin/disabled-thunderbolt-by-security-misc +++ b/usr/bin/disabled-thunderbolt-by-security-misc @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. diff --git a/usr/bin/disabled-vivid-by-security-misc b/usr/bin/disabled-vivid-by-security-misc index ed1487f..aa7c639 100755 --- a/usr/bin/disabled-vivid-by-security-misc +++ b/usr/bin/disabled-vivid-by-security-misc @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. diff --git a/usr/bin/pkexec.security-misc b/usr/bin/pkexec.security-misc index cb57c9a..be8fddd 100755 --- a/usr/bin/pkexec.security-misc +++ b/usr/bin/pkexec.security-misc 
@@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with diff --git a/usr/lib/dracut/modules.d-disabled/20remount-secure/module-setup.sh b/usr/lib/dracut/modules.d-disabled/20remount-secure/module-setup.sh index ce0a67b..e5a4188 100755 --- a/usr/lib/dracut/modules.d-disabled/20remount-secure/module-setup.sh +++ b/usr/lib/dracut/modules.d-disabled/20remount-secure/module-setup.sh @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. # called by dracut diff --git a/usr/lib/dracut/modules.d-disabled/20remount-secure/remount-secure.sh b/usr/lib/dracut/modules.d-disabled/20remount-secure/remount-secure.sh index b742dda..de44d46 100755 --- a/usr/lib/dracut/modules.d-disabled/20remount-secure/remount-secure.sh +++ b/usr/lib/dracut/modules.d-disabled/20remount-secure/remount-secure.sh @@ -1,6 +1,6 @@ #!/bin/sh -## Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## This script is intended to remount specified mount points with more secure diff --git a/usr/lib/modules-load.d/30_security-misc.conf b/usr/lib/modules-load.d/30_security-misc.conf index 072c9b0..08ee22a 100644 --- a/usr/lib/modules-load.d/30_security-misc.conf +++ b/usr/lib/modules-load.d/30_security-misc.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## https://www.whonix.org/wiki/Dev/Entropy diff --git a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf index 5cca304..bbdf5ea 100644 
--- a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf +++ b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Quote https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html diff --git a/usr/lib/sysctl.d/30_silent-kernel-printk.conf b/usr/lib/sysctl.d/30_silent-kernel-printk.conf index e99f0b5..b76a4b3 100644 --- a/usr/lib/sysctl.d/30_silent-kernel-printk.conf +++ b/usr/lib/sysctl.d/30_silent-kernel-printk.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Prevent kernel info leaks in console during boot. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 9f2736e..371c265 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## NOTE: diff --git a/usr/lib/systemd/system-preset/50-security-misc.preset b/usr/lib/systemd/system-preset/50-security-misc.preset index a852419..37374b3 100644 --- a/usr/lib/systemd/system-preset/50-security-misc.preset +++ b/usr/lib/systemd/system-preset/50-security-misc.preset @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## https://forums.whonix.org/t/restrict-hardware-information-to-root-testers-wanted/8618 diff --git a/usr/lib/systemd/system/haveged.service.d/30_security-misc.conf b/usr/lib/systemd/system/haveged.service.d/30_security-misc.conf index fd79dc8..97d4688 100644 --- a/usr/lib/systemd/system/haveged.service.d/30_security-misc.conf 
+++ b/usr/lib/systemd/system/haveged.service.d/30_security-misc.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2021 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2021 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. [Service] diff --git a/usr/lib/systemd/system/hide-hardware-info.service b/usr/lib/systemd/system/hide-hardware-info.service index 68d7401..6d39335 100644 --- a/usr/lib/systemd/system/hide-hardware-info.service +++ b/usr/lib/systemd/system/hide-hardware-info.service @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. [Unit] diff --git a/usr/lib/systemd/system/permission-hardener.service b/usr/lib/systemd/system/permission-hardener.service index 94ddd6b..99d4c37 100644 --- a/usr/lib/systemd/system/permission-hardener.service +++ b/usr/lib/systemd/system/permission-hardener.service @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. [Unit] diff --git a/usr/lib/systemd/system/proc-hidepid.service b/usr/lib/systemd/system/proc-hidepid.service index 2ec1858..f48211d 100644 --- a/usr/lib/systemd/system/proc-hidepid.service +++ b/usr/lib/systemd/system/proc-hidepid.service @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. [Unit] diff --git a/usr/lib/systemd/system/remount-secure.service b/usr/lib/systemd/system/remount-secure.service index 8797b9c..414bba6 100644 --- a/usr/lib/systemd/system/remount-secure.service +++ b/usr/lib/systemd/system/remount-secure.service @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. [Unit] 
diff --git a/usr/lib/systemd/system/remove-system-map.service b/usr/lib/systemd/system/remove-system-map.service index c6eb17b..51041f2 100644 --- a/usr/lib/systemd/system/remove-system-map.service +++ b/usr/lib/systemd/system/remove-system-map.service @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. [Unit] diff --git a/usr/libexec/security-misc/apt-get-update b/usr/libexec/security-misc/apt-get-update index 39afd9c..9c5dde1 100755 --- a/usr/libexec/security-misc/apt-get-update +++ b/usr/libexec/security-misc/apt-get-update @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. sigterm_trap() { diff --git a/usr/libexec/security-misc/apt-get-update-sanity-test b/usr/libexec/security-misc/apt-get-update-sanity-test index d71e680..a363fae 100755 --- a/usr/libexec/security-misc/apt-get-update-sanity-test +++ b/usr/libexec/security-misc/apt-get-update-sanity-test @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. set -x diff --git a/usr/libexec/security-misc/askpass b/usr/libexec/security-misc/askpass index 73f7d40..c3bb41a 100755 --- a/usr/libexec/security-misc/askpass +++ b/usr/libexec/security-misc/askpass @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. set -e diff --git a/usr/libexec/security-misc/echo-path b/usr/libexec/security-misc/echo-path index 9231d85..4a82272 100755 --- a/usr/libexec/security-misc/echo-path +++ b/usr/libexec/security-misc/echo-path 
@@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. set -e diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info index d250a6a..f6a963b 100755 --- a/usr/libexec/security-misc/hide-hardware-info +++ b/usr/libexec/security-misc/hide-hardware-info @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. set -e diff --git a/usr/libexec/security-misc/mmap-rnd-bits b/usr/libexec/security-misc/mmap-rnd-bits index 17482bf..74078fa 100755 --- a/usr/libexec/security-misc/mmap-rnd-bits +++ b/usr/libexec/security-misc/mmap-rnd-bits @@ -1,6 +1,6 @@ #!/usr/bin/env bash -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## This script enforces the maximum ASLR hardening settings for mmap, given the @@ -56,7 +56,7 @@ fi ## Generate a sysctl.d conf file. SYSCTL="\ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## This file is automatically generated by: diff --git a/usr/libexec/security-misc/pam-abort-on-locked-password b/usr/libexec/security-misc/pam-abort-on-locked-password index 8e2a575..bb1a3ee 100755 --- a/usr/libexec/security-misc/pam-abort-on-locked-password +++ b/usr/libexec/security-misc/pam-abort-on-locked-password @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## This is only a usability feature to avoid needlessly bumping pam_faillock diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index de6a3e0..aa730de 100755 
--- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## To enable debug log, run: diff --git a/usr/libexec/security-misc/pam_faillock_not_if_x b/usr/libexec/security-misc/pam_faillock_not_if_x index 3fcf10f..edfa35d 100755 --- a/usr/libexec/security-misc/pam_faillock_not_if_x +++ b/usr/libexec/security-misc/pam_faillock_not_if_x @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## https://serverfault.com/questions/134471/success-n-control-syntax-in-pam-conf-pam-d-files diff --git a/usr/libexec/security-misc/pam_only_if_login b/usr/libexec/security-misc/pam_only_if_login index 11f56d4..f81592e 100755 --- a/usr/libexec/security-misc/pam_only_if_login +++ b/usr/libexec/security-misc/pam_only_if_login @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## https://serverfault.com/questions/134471/success-n-control-syntax-in-pam-conf-pam-d-files diff --git a/usr/libexec/security-misc/panic-on-oops b/usr/libexec/security-misc/panic-on-oops index 20365df..907ee69 100755 --- a/usr/libexec/security-misc/panic-on-oops +++ b/usr/libexec/security-misc/panic-on-oops @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. set -e diff --git a/usr/libexec/security-misc/permission-lockdown b/usr/libexec/security-misc/permission-lockdown index 973c70d..a5623b2 100755 --- a/usr/libexec/security-misc/permission-lockdown +++ b/usr/libexec/security-misc/permission-lockdown 
@@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## Doing this for all users would create many issues. diff --git a/usr/libexec/security-misc/remove-system.map b/usr/libexec/security-misc/remove-system.map index a541222..5341844 100755 --- a/usr/libexec/security-misc/remove-system.map +++ b/usr/libexec/security-misc/remove-system.map @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then diff --git a/usr/libexec/security-misc/virusforget b/usr/libexec/security-misc/virusforget index 785d026..5a2c5d7 100755 --- a/usr/libexec/security-misc/virusforget +++ b/usr/libexec/security-misc/virusforget @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## VirusForget is inspired by Christopher Laprise. diff --git a/usr/share/lintian/overrides/security-misc b/usr/share/lintian/overrides/security-misc index 69081ee..0a24ab0 100644 --- a/usr/share/lintian/overrides/security-misc +++ b/usr/share/lintian/overrides/security-misc @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## The whole point of the package. diff --git a/usr/share/security-misc/dolphinrc b/usr/share/security-misc/dolphinrc index 0d4b739..682401d 100644 --- a/usr/share/security-misc/dolphinrc +++ b/usr/share/security-misc/dolphinrc @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions [PreviewSettings] 
diff --git a/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf b/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf index c94e65e..e1485b6 100644 --- a/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf +++ b/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2021 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2021 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## LKRG VirtualBox host configuration diff --git a/usr/share/security-misc/lkrg/lkrg-virtualbox b/usr/share/security-misc/lkrg/lkrg-virtualbox index 545a694..3b4a061 100755 --- a/usr/share/security-misc/lkrg/lkrg-virtualbox +++ b/usr/share/security-misc/lkrg/lkrg-virtualbox @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2021 - 2023 ENCRYPTED SUPPORT LP +## Copyright (C) 2021 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. #set -x From 2f716050d17016be6f550a7de8e0c1030e869e8f Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sun, 12 May 2024 01:06:34 +0000 Subject: [PATCH 364/846] Update README.md --- README.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/README.md b/README.md index c774837..d5cc076 100644 --- a/README.md +++ b/README.md @@ -52,9 +52,6 @@ configuration file. - TCP timestamps are disabled as it can allow detecting the system time. -- Enforces the logging of martian packets, those with a source address which - is blatantly wrong. - - Set coredump file name based on core_pattern value instead of the default of naming it 'core'. From bfca98ea89cea0f8604ecca0c8640860320e8e33 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 18 May 2024 20:45:12 +0000 Subject: [PATCH 365/846] bumped changelog version --- changelog.upstream | 40 ++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 46 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 7c04cd0..6be71e2 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,43 @@ +commit eb82884fb2e3d3bb4fa5555d8212146042ba8aa4 +Merge: 5867b1b 12e006e +Author: Patrick Schleizer +Date: Sat May 18 16:42:41 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 12e006ef9cabbbcbe9cb45d9a6631e9a7a47cf3a +Merge: 5867b1b 2f71605 +Author: Patrick Schleizer +Date: Sat May 18 16:30:07 2024 -0400 + + Merge pull request #222 from raja-grewal/text + + Update Readme and Copyright + +commit 2f716050d17016be6f550a7de8e0c1030e869e8f +Author: raja-grewal +Date: Sun May 12 01:06:34 2024 +0000 + + Update README.md + +commit 1bb843ec3863696170242c57668d0b3f44f41d7b +Author: Raja Grewal +Date: Sat May 11 13:18:36 2024 +1000 + + Update Copyright (C) to 2024 + +commit dddac1dc4015a28fc6b12244809685295272edd1 +Author: Raja Grewal +Date: Sat May 11 13:15:42 2024 +1000 + + Update README.md + +commit 5867b1b014f450acdf70c203ffe2f27831f1d9b0 +Author: Patrick Schleizer +Date: Fri May 10 11:20:36 2024 +0000 + + bumped changelog version + commit 9b589bc3116c8f9d6d574021bcec7b5dec3888b8 Author: Patrick Schleizer Date: Fri May 10 06:49:34 2024 -0400 diff --git a/debian/changelog b/debian/changelog index d56325f..fda0e0c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:37.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 18 May 2024 20:45:11 +0000 + security-misc (3:37.1-1) unstable; urgency=medium * New upstream version (local package). From 4efa293f3b76814bc5399a959482d7db6e7431ec Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Tue, 28 May 2024 07:51:06 -0400 Subject: [PATCH 366/846] add `/etc/gitconfig` by default for better `git` security ``` [core] symlinks = false [transfer] fsckobjects = true fsckobjects = true [fetch] fsckobjects = true fsckobjects = true [receive] fsckobjects = true fsckobjects = true ``` + additional suggestions as comments fixes https://github.com/Kicksecure/security-misc/issues/225 --- etc/gitconfig | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 etc/gitconfig diff --git a/etc/gitconfig b/etc/gitconfig new file mode 100644 index 0000000..4c6780f --- /dev/null +++ b/etc/gitconfig 
@@ -0,0 +1,41 @@
+## Copyright (C) 2024 - 2024 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Lines starting with a hash symbol ('#') are comments.
+## https://github.com/Kicksecure/security-misc/issues/225
+
+[core]
+## https://github.com/git/git/security/advisories/GHSA-8prw-h3cq-mghm
+ symlinks = false
+
+## https://forums.whonix.org/t/git-users-enable-fsck-by-default-for-better-security/2066
+[transfer]
+ fsckobjects = true
+ fsckobjects = true
+[fetch]
+ fsckobjects = true
+ fsckobjects = true
+[receive]
+ fsckobjects = true
+ fsckobjects = true
+
+## Generally a good idea but too intrusive to enable by default.
+## Listed here as suggestions what users should put into their ~/.gitconfig
+## file.
+
+## Not enabled by default because it requires essential knowledge about OpenPG
+## and an already existing local signing key. Otherwise would prevent all new
+## commits.
+#[commit]
+# gpgsign = true
+
+## Not enabled by default because it would break the 'git merge' command for
+## unsigned commits and require the '--no-verify-signature' command line
+## option.
+#[merge]
+# verifySignatures = true
+
+## Not enabled by default because it would break for users who are not having
+## an account at the git server and having added a SSH public key.
+#[url "ssh://git@github.com/"]
+# insteadOf = https://github.com/
From bbe64a0b7992610dfef6002271718a2aee115cae Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Tue, 28 May 2024 12:04:53 +0000
Subject: [PATCH 367/846] bumped changelog version
---
changelog.upstream | 47 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 53 insertions(+)
diff --git a/changelog.upstream b/changelog.upstream
index 6be71e2..ee1d78d 100644
--- a/changelog.upstream
+++ b/changelog.upstream
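Review bot: `core.symlinks = false` in a system-wide `/etc/gitconfig` changes checkout behaviour for every repository on the host — paths stored as symbolic links are written out as regular files containing the link target — and the only comment on that line is the advisory URL, so the trade-off is invisible to an administrator wondering why a checkout looks broken. I would add `## Trade-off: symlinks in any repository are checked out as plain files containing the target path; users who need real symlinks can set core.symlinks = true in ~/.gitconfig, which overrides this file.` above `symlinks = false`. The `[fetch]` and `[receive]` `fsckobjects` settings restate what `transfer.fsckobjects` already provides as the fallback when they are unset; keeping them for explicitness is fine, but a one-line comment saying so stops future readers from assuming the three are independent controls. In the commented suggestions, `OpenPG` should read `OpenPGP`, and `suggestions what users should put` / `users who are not having an account` read more naturally as `suggestions for what users should put` / `users who do not have an account`.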
@@ -1,3 +1,50 @@ +commit ae24a97d4d0ffcfb3d1cc92edb61e7ecf4535ee7 +Merge: bfca98e a735857 +Author: Patrick Schleizer +Date: Tue May 28 08:02:21 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit a7358578520294b51e1001199670a0bbeeb43eb1 +Merge: bfca98e 4efa293 +Author: Patrick Schleizer +Date: Tue May 28 07:55:31 2024 -0400 + + Merge pull request #226 from Kicksecure/gitconfig + + add `/etc/gitconfig` by default for better `git` security + +commit 4efa293f3b76814bc5399a959482d7db6e7431ec +Author: Patrick Schleizer +Date: Tue May 28 07:51:06 2024 -0400 + + add `/etc/gitconfig` by default for better `git` security + + ``` + [core] + symlinks = false + + [transfer] + fsckobjects = true + fsckobjects = true + [fetch] + fsckobjects = true + fsckobjects = true + [receive] + fsckobjects = true + fsckobjects = true + ``` + + + additional suggestions as comments + + fixes https://github.com/Kicksecure/security-misc/issues/225 + +commit bfca98ea89cea0f8604ecca0c8640860320e8e33 +Author: Patrick Schleizer +Date: Sat May 18 20:45:12 2024 +0000 + + bumped changelog version + commit eb82884fb2e3d3bb4fa5555d8212146042ba8aa4 Merge: 5867b1b 12e006e Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index fda0e0c..562a2c8 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:37.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 28 May 2024 12:04:52 +0000 + security-misc (3:37.2-1) unstable; urgency=medium * New upstream version (local package). From e0cd9579d64e6d16667832de51f77a3091ef213e Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 1 Jun 2024 13:32:13 -0400 Subject: [PATCH 368/846] remove duplicate `fsckobjects = true` from `/etc/gitconfig` --- etc/gitconfig | 3 --- 1 file changed, 3 deletions(-) diff --git a/etc/gitconfig b/etc/gitconfig index 4c6780f..4955199 100644 --- a/etc/gitconfig +++ b/etc/gitconfig 
@@ -11,13 +11,10 @@ ## https://forums.whonix.org/t/git-users-enable-fsck-by-default-for-better-security/2066 [transfer] fsckobjects = true - fsckobjects = true [fetch] fsckobjects = true - fsckobjects = true [receive] fsckobjects = true - fsckobjects = true ## Generally a good idea but too intrusive to enable by default. ## Listed here as suggestions what users should put into their ~/.gitconfig From 641e98e57714f7d38962bfd12d673500b8114356 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 1 Jun 2024 17:35:04 +0000 Subject: [PATCH 369/846] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index ee1d78d..7d9ccb6 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit e0cd9579d64e6d16667832de51f77a3091ef213e +Author: Patrick Schleizer +Date: Sat Jun 1 13:32:13 2024 -0400 + + remove duplicate `fsckobjects = true` from `/etc/gitconfig` + +commit bbe64a0b7992610dfef6002271718a2aee115cae +Author: Patrick Schleizer +Date: Tue May 28 12:04:53 2024 +0000 + + bumped changelog version + commit ae24a97d4d0ffcfb3d1cc92edb61e7ecf4535ee7 Merge: bfca98e a735857 Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index 562a2c8..f15cd40 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:37.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 01 Jun 2024 17:35:04 +0000 + security-misc (3:37.3-1) unstable; urgency=medium * New upstream version (local package). From c815304026d30f7774f804498d20431ccdf8dc7f Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 1 Jun 2024 14:12:57 -0400 Subject: [PATCH 370/846] readme --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index d5cc076..5c9df4a 100644 --- a/README.md +++ b/README.md 
@@ -55,7 +55,7 @@ configuration file. - Set coredump file name based on core_pattern value instead of the default of naming it 'core'. -- Will disable `io_uring` interface for performing asynchronous I/O as it has +- Will disable `io_uring` interface for performing asynchronous I/O as it has historically been a significant attack surface. ### mmap ASLR @@ -478,6 +478,8 @@ See: - Deactivates previews in Nautilus - `/usr/share/glib-2.0/schemas/30_security-misc.gschema.override`. - Deactivates thumbnails in Thunar. + - rationale: lower attack surface when using the file manager + - https://forums.whonix.org/t/disable-preview-in-file-manager-by-default/18904 - Thunderbird is hardened with the following options: - Displays domain names in punycode to prevent IDN homograph attacks (a form of phishing). From b316352ede379d96cff4813735b93eb59506fe42 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 1 Jun 2024 18:13:08 +0000 Subject: [PATCH 371/846] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 7d9ccb6..ef1375d 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit c815304026d30f7774f804498d20431ccdf8dc7f +Author: Patrick Schleizer +Date: Sat Jun 1 14:12:57 2024 -0400 + + readme + +commit 641e98e57714f7d38962bfd12d673500b8114356 +Author: Patrick Schleizer +Date: Sat Jun 1 17:35:04 2024 +0000 + + bumped changelog version + commit e0cd9579d64e6d16667832de51f77a3091ef213e Author: Patrick Schleizer Date: Sat Jun 1 13:32:13 2024 -0400 diff --git a/debian/changelog b/debian/changelog index f15cd40..be428f2 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:37.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 01 Jun 2024 18:13:08 +0000 + security-misc (3:37.4-1) unstable; urgency=medium * New upstream version (local package). From e1984478662fc51e6eacc989bc6bba0ca1fc07cd Mon Sep 17 00:00:00 2001 From: Ashlen Date: Sat, 8 Jun 2024 22:17:05 -0600 Subject: [PATCH 372/846] fix(etc): delete typo in /etc/apparmor.d tunables /etc/pam.d was present twice in a row ("/etc/pam.d//etc/pam.d") in this file: /etc/apparmor.d/tunables/home.d/security-misc. --- etc/apparmor.d/tunables/home.d/security-misc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/apparmor.d/tunables/home.d/security-misc b/etc/apparmor.d/tunables/home.d/security-misc index 92faf91..5256089 100644 --- a/etc/apparmor.d/tunables/home.d/security-misc +++ b/etc/apparmor.d/tunables/home.d/security-misc @@ -1,7 +1,7 @@ ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -alias /etc/pam.d/common-session -> /etc/pam.d//etc/pam.d/common-session.security-misc, +alias /etc/pam.d/common-session -> /etc/pam.d/common-session.security-misc, alias /etc/pam.d/common-session-noninteractive -> /etc/pam.d/common-session-noninteractive.security-misc, alias /etc/login.defs -> /etc/login.defs.security-misc, alias /etc/securetty -> /etc/securetty.security-misc, From 05c1711b16c96a221c13a011a6666fe6b385ec1e Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 11 Jun 2024 12:56:56 +0000 Subject: [PATCH 373/846] bumped changelog version --- changelog.upstream | 31 +++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 37 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index ef1375d..c63cf13 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,34 @@ +commit e48115588caae8e51bb980ac84b1f0f415ca0d17 +Merge: b316352 cad8d85 +Author: Patrick Schleizer +Date: Tue Jun 11 07:25:47 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit cad8d857556e29544f742fdac8fe82758a4f885c +Merge: b316352 e198447 +Author: Patrick Schleizer +Date: Tue Jun 11 07:25:07 2024 -0400 + + Merge pull request #227 from 3uryd1ce/fix-pam.d-path + + fix(etc): delete typo in /etc/apparmor.d tunables + +commit e1984478662fc51e6eacc989bc6bba0ca1fc07cd +Author: Ashlen +Date: Sat Jun 8 22:17:05 2024 -0600 + + fix(etc): delete typo in /etc/apparmor.d tunables + + /etc/pam.d was present twice in a row ("/etc/pam.d//etc/pam.d") in this + file: /etc/apparmor.d/tunables/home.d/security-misc. + +commit b316352ede379d96cff4813735b93eb59506fe42 +Author: Patrick Schleizer +Date: Sat Jun 1 18:13:08 2024 +0000 + + bumped changelog version + commit c815304026d30f7774f804498d20431ccdf8dc7f Author: Patrick Schleizer Date: Sat Jun 1 14:12:57 2024 -0400 diff --git a/debian/changelog b/debian/changelog index be428f2..0cf310c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:37.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 11 Jun 2024 12:56:56 +0000 + security-misc (3:37.5-1) unstable; urgency=medium * New upstream version (local package). From b7796a5334075d5fa538d7579003fde6287d7e6d Mon Sep 17 00:00:00 2001 From: Ben Grande Date: Thu, 11 Jul 2024 11:04:22 +0200 Subject: [PATCH 374/846] Unify method to find SUID files --- usr/bin/permission-hardener | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 2e5df3d..1d4c868 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener 
@@ -60,10 +60,16 @@ add_nosuid_statoverride_entry() { local fso_to_process fso_to_process="${fso}" local should_be_counter - should_be_counter="$(find "${fso_to_process}" -perm /u=s,g=s | wc -l)" || true + should_be_counter=0 local counter_actual counter_actual=0 + local dummy_line + while read -r dummy_line; do + true "DEBUG: test would evaluate parse" "${dummy_line}" + should_be_counter=$((should_be_counter + 1)) + done < <(find "${fso_to_process}" -perm /u=s,g=s -print0 | xargs -I{} -0 stat -c "%n %a %U %G" {}) + local line while read -r line; do true "line: ${line}" From 275a4ffc1114856cbd9a1cd49701dcb25d87bfb5 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Fri, 12 Jul 2024 02:27:56 +1000 Subject: [PATCH 375/846] Remove redundant disabled modules --- etc/modprobe.d/30_security-misc.conf | 3 --- 1 file changed, 3 deletions(-) diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf index 0e4b0f2..90b2a46 100644 --- a/etc/modprobe.d/30_security-misc.conf +++ b/etc/modprobe.d/30_security-misc.conf @@ -20,11 +20,8 @@ options nf_conntrack nf_conntrack_helper=0 ## Disable thunderbolt and firewire modules to prevent some DMA attacks install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc install firewire-core /usr/bin/disabled-firewire-by-security-misc -install firewire_core /usr/bin/disabled-firewire-by-security-misc install firewire-net /usr/bin/disabled-firewire-by-security-misc install firewire-ohci /usr/bin/disabled-firewire-by-security-misc -install firewire_ohci /usr/bin/disabled-firewire-by-security-misc -install firewire_sbp2 /usr/bin/disabled-firewire-by-security-misc install firewire-sbp2 /usr/bin/disabled-firewire-by-security-misc install ohci1394 /usr/bin/disabled-firewire-by-security-misc install sbp2 /usr/bin/disabled-firewire-by-security-misc From fe20f3240e2f31099bcaa9f9e2045320df810edf Mon Sep 17 00:00:00 2001 
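Review bot: `should_be_counter` is now the number of newline-delimited `stat` records rather than the number of set-uid/set-gid paths `find` returned: a path containing a newline becomes two records and a path that vanishes between `find` and `stat` (or that `stat` cannot read) becomes none, so the expected count matches the second loop only by construction. If the intent is an independent check, count the NUL-delimited stream itself, `while IFS= read -r -d '' dummy_line; do should_be_counter=$((should_be_counter + 1)); done < <(find "${fso_to_process}" -perm /u=s,g=s -print0)`, and leave the `stat` call to the later loop. Independently, `xargs -I{}` forks one `stat` per file; `xargs -0 -r stat -c "%n %a %U %G"` batches the calls and, with `-r`, does not run `stat` at all on an empty list. The enclosing function `add_nosuid_statoverride_entry` starts before this hunk and its second `while` loop continues past it.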
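Review bot: The three removed `firewire_*` lines are redundant only because modprobe treats `-` and `_` in module names as interchangeable, and nothing in the file records that, so a later reader may re-add the underscore spellings. A one-line comment above the block would settle it: `## modprobe treats '-' and '_' in module names as equivalent, so one spelling per module is enough.`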
From: Raja Grewal Date: Fri, 12 Jul 2024 02:28:48 +1000 Subject: [PATCH 376/846] Refactor existing modprobe for clarity --- etc/modprobe.d/30_security-misc.conf | 268 +++++++++++++++------------ 1 file changed, 151 insertions(+), 117 deletions(-) diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf index 90b2a46..af5fd10 100644 --- a/etc/modprobe.d/30_security-misc.conf +++ b/etc/modprobe.d/30_security-misc.conf 
@@ -1,123 +1,34 @@ ## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## See the following links for a community discussion and overview regarding the selections +## See the following links for a community discussion and overview regarding the selections. ## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules -## Disable automatic conntrack helper assignment +## Blacklisting prevents kernel modules from automatically starting. +## Disabling prohibits kernel modules from starting. + +## CD-ROM/DVD: +## Blacklist CD-ROM and DVD modules. +## Do not disable by default for potential future ISO plans. +## https://nvd.nist.gov/vuln/detail/CVE-2018-11506 +## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31 +# +blacklist cdrom +blacklist sr_mod +# +#install cdrom /usr/bin/disabled-cdrom-by-security-misc +#install sr_mod /usr/bin/disabled-cdrom-by-security-misc + +## Connection Tracking: +## Disable automatic conntrack helper assignment. 
## https://phabricator.whonix.org/T486 +# options nf_conntrack nf_conntrack_helper=0 -## Disable bluetooth to reduce attack surface due to extended history of security vulnerabilities -## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns -# -## Now replaced by a privacy and security preserving default bluetooth configuration for better usability -# -# install bluetooth /usr/bin/disabled-bluetooth-by-security-misc -# install btusb /usr/bin/disabled-bluetooth-by-security-misc - -## Disable thunderbolt and firewire modules to prevent some DMA attacks -install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc -install firewire-core /usr/bin/disabled-firewire-by-security-misc -install firewire-net /usr/bin/disabled-firewire-by-security-misc -install firewire-ohci /usr/bin/disabled-firewire-by-security-misc -install firewire-sbp2 /usr/bin/disabled-firewire-by-security-misc -install ohci1394 /usr/bin/disabled-firewire-by-security-misc -install sbp2 /usr/bin/disabled-firewire-by-security-misc -install dv1394 /usr/bin/disabled-firewire-by-security-misc -install raw1394 /usr/bin/disabled-firewire-by-security-misc -install video1394 /usr/bin/disabled-firewire-by-security-misc - -## Disable CPU MSRs as they can be abused to write to arbitrary memory. -## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode -## https://github.com/Kicksecure/security-misc/issues/215 -#install msr /usr/bin/disabled-msr-by-security-misc - -## Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties. -## Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these. -## > Debian ships a long list of modules for wide support of devices, filesystems, protocols. Some of these modules have a pretty bad security track record, and some of those are simply not used by most of our users. 
-## > Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record. -install dccp /usr/bin/disabled-network-by-security-misc -install sctp /usr/bin/disabled-network-by-security-misc -install rds /usr/bin/disabled-network-by-security-misc -install tipc /usr/bin/disabled-network-by-security-misc -install n-hdlc /usr/bin/disabled-network-by-security-misc -install ax25 /usr/bin/disabled-network-by-security-misc -install netrom /usr/bin/disabled-network-by-security-misc -install x25 /usr/bin/disabled-network-by-security-misc -install rose /usr/bin/disabled-network-by-security-misc -install decnet /usr/bin/disabled-network-by-security-misc -install econet /usr/bin/disabled-network-by-security-misc -install af_802154 /usr/bin/disabled-network-by-security-misc -install ipx /usr/bin/disabled-network-by-security-misc -install appletalk /usr/bin/disabled-network-by-security-misc -install psnap /usr/bin/disabled-network-by-security-misc -install p8023 /usr/bin/disabled-network-by-security-misc -install p8022 /usr/bin/disabled-network-by-security-misc -install can /usr/bin/disabled-network-by-security-misc -install atm /usr/bin/disabled-network-by-security-misc - -## Disable uncommon file systems to reduce attack surface -## HFS and HFS+ are legacy Apple filesystems that may be required depending on the EFI parition format -install cramfs /usr/bin/disabled-filesys-by-security-misc -install freevxfs /usr/bin/disabled-filesys-by-security-misc -install jffs2 /usr/bin/disabled-filesys-by-security-misc -install hfs /usr/bin/disabled-filesys-by-security-misc -install hfsplus /usr/bin/disabled-filesys-by-security-misc -install udf /usr/bin/disabled-filesys-by-security-misc - -## Disable uncommon network file systems to reduce attack surface -install cifs /usr/bin/disabled-netfilesys-by-security-misc -install nfs /usr/bin/disabled-netfilesys-by-security-misc -install nfsv3 
/usr/bin/disabled-netfilesys-by-security-misc -install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc -install ksmbd /usr/bin/disabled-netfilesys-by-security-misc -install gfs2 /usr/bin/disabled-netfilesys-by-security-misc - -## Disables the vivid kernel module as it's only required for testing and has been the cause of multiple vulnerabilities -## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233 -## https://www.openwall.com/lists/oss-security/2019/11/02/1 -## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475 -install vivid /usr/bin/disabled-vivid-by-security-misc - -## Disable Intel Management Engine (ME) interface with the OS -## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html -install mei /usr/bin/disabled-intelme-by-security-misc -install mei-me /usr/bin/disabled-intelme-by-security-misc - -# Disable GPS modules like GNSS (Global Navigation Satellite System) -install gnss /usr/bin/disabled-gps-by-security-misc -install gnss-mtk /usr/bin/disabled-gps-by-security-misc -install gnss-serial /usr/bin/disabled-gps-by-security-misc -install gnss-sirf /usr/bin/disabled-gps-by-security-misc -install gnss-usb /usr/bin/disabled-gps-by-security-misc -install gnss-ubx /usr/bin/disabled-gps-by-security-misc - -## Blacklist automatic loading of the Atheros 5K RF MACs madwifi driver -## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco -blacklist ath_pci - -## Blacklist automatic loading of miscellaneous modules -## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco -blacklist evbug -blacklist usbmouse -blacklist usbkbd -blacklist eepro100 -blacklist de4x5 -blacklist eth1394 -blacklist snd_intel8x0m -blacklist snd_aw2 -blacklist prism54 -blacklist bcm43xx -blacklist garmin_gps -blacklist asus_acpi -blacklist snd_pcsp -blacklist pcspkr -blacklist amd76x_edac - -## Blacklist 
automatic loading of framebuffer drivers +## Framebuffer Drivers: ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco +# blacklist aty128fb blacklist atyfb blacklist radeonfb 
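Review bot: The new header comment `## Blacklisting prevents kernel modules from automatically starting.` overstates what `blacklist` does: it only makes modprobe ignore the module's internal aliases, so the module still loads on an explicit `modprobe`, when another module depends on it, or when something requests it by name; only the `install … /usr/bin/disabled-*` form blocks those paths. Suggest `## Blacklisting only stops alias-based autoloading (e.g. by udev); an explicitly requested or dependency-pulled module still loads. Disabling via 'install' also blocks those requests.` The same wording is copied into the new `30_security-misc_blacklist.conf` in a later commit on this page, where the distinction matters more since that file holds only the weaker form.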
@@ -147,10 +58,133 @@ blacklist viafb blacklist vt8623fb blacklist udlfb -## Disable CD-ROM devices -## https://nvd.nist.gov/vuln/detail/CVE-2018-11506 -## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31 -#install cdrom /usr/bin/disabled-cdrom-by-security-misc -#install sr_mod /usr/bin/disabled-cdrom-by-security-misc -blacklist cdrom -blacklist sr_mod +## Miscellaneous: +## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco +## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco +# +blacklist ath_pci +blacklist evbug +blacklist usbmouse +blacklist usbkbd +blacklist eepro100 +blacklist de4x5 +blacklist eth1394 +blacklist snd_intel8x0m +blacklist snd_aw2 +blacklist prism54 +blacklist bcm43xx +blacklist garmin_gps +blacklist asus_acpi +blacklist snd_pcsp +blacklist pcspkr +blacklist amd76x_edac + +## Bluetooth: +## Disable Bluetooth to reduce attack surface due to extended history of security vulnerabilities. +## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns +# +## Now replaced by a privacy and security preserving default Bluetooth configuration for better usability. +# +#install bluetooth /usr/bin/disabled-bluetooth-by-security-misc +#install btusb /usr/bin/disabled-bluetooth-by-security-misc + +## CPU Model-Specific Registers (MSRs): +## Disable CPU MSRs as they can be abused to write to arbitrary memory. +## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode +## https://github.com/Kicksecure/security-misc/issues/215 +# +#install msr /usr/bin/disabled-msr-by-security-misc + +## FireWire (IEEE 1394): +## Disable IEEE 1394 (FireWire/i.LINK/Lynx) modules to prevent some DMA attacks. 
+## https://en.wikipedia.org/wiki/IEEE_1394#Security_issues +# +install firewire-core /usr/bin/disabled-firewire-by-security-misc +install firewire-net /usr/bin/disabled-firewire-by-security-misc +install firewire-ohci /usr/bin/disabled-firewire-by-security-misc +install firewire-sbp2 /usr/bin/disabled-firewire-by-security-misc +install ohci1394 /usr/bin/disabled-firewire-by-security-misc +install sbp2 /usr/bin/disabled-firewire-by-security-misc +install dv1394 /usr/bin/disabled-firewire-by-security-misc +install raw1394 /usr/bin/disabled-firewire-by-security-misc +install video1394 /usr/bin/disabled-firewire-by-security-misc + +## File Systems: +## Disable uncommon file systems to reduce attack surface. +## HFS and HFS+ are legacy Apple filesystems that may be required depending on the EFI partition format. +# +install cramfs /usr/bin/disabled-filesys-by-security-misc +install freevxfs /usr/bin/disabled-filesys-by-security-misc +install jffs2 /usr/bin/disabled-filesys-by-security-misc +install hfs /usr/bin/disabled-filesys-by-security-misc +install hfsplus /usr/bin/disabled-filesys-by-security-misc +install udf /usr/bin/disabled-filesys-by-security-misc + +## Global Positioning Systems: +## Disable GPS-related modules like GNSS (Global Navigation Satellite System). +# +install gnss /usr/bin/disabled-gps-by-security-misc +install gnss-mtk /usr/bin/disabled-gps-by-security-misc +install gnss-serial /usr/bin/disabled-gps-by-security-misc +install gnss-sirf /usr/bin/disabled-gps-by-security-misc +install gnss-usb /usr/bin/disabled-gps-by-security-misc +install gnss-ubx /usr/bin/disabled-gps-by-security-misc + +## Intel Management Engine (ME): +## Partially disable the Intel ME interface with the OS. 
+## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html +# +install mei /usr/bin/disabled-intelme-by-security-misc +install mei-me /usr/bin/disabled-intelme-by-security-misc + +## Network File Systems: +## Disable uncommon network file systems to reduce attack surface. +# +install cifs /usr/bin/disabled-netfilesys-by-security-misc +install nfs /usr/bin/disabled-netfilesys-by-security-misc +install nfsv3 /usr/bin/disabled-netfilesys-by-security-misc +install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc +install ksmbd /usr/bin/disabled-netfilesys-by-security-misc +install gfs2 /usr/bin/disabled-netfilesys-by-security-misc + +## Network Protocols: +## Disables rare and unneeded network protocols that are a common source of unknown vulnerabilities. +## https://tails.boum.org/blueprint/blacklist_modules/ +## https://fedoraproject.org/wiki/Security_Features_Matrix#Blacklist_Rare_Protocols) +## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-rare-network.conf?h=ubuntu/disco +# +install dccp /usr/bin/disabled-network-by-security-misc +install sctp /usr/bin/disabled-network-by-security-misc +install rds /usr/bin/disabled-network-by-security-misc +install tipc /usr/bin/disabled-network-by-security-misc +install n-hdlc /usr/bin/disabled-network-by-security-misc +install ax25 /usr/bin/disabled-network-by-security-misc +install netrom /usr/bin/disabled-network-by-security-misc +install x25 /usr/bin/disabled-network-by-security-misc +install rose /usr/bin/disabled-network-by-security-misc +install decnet /usr/bin/disabled-network-by-security-misc +install econet /usr/bin/disabled-network-by-security-misc +install af_802154 /usr/bin/disabled-network-by-security-misc +install ipx /usr/bin/disabled-network-by-security-misc +install appletalk /usr/bin/disabled-network-by-security-misc +install psnap /usr/bin/disabled-network-by-security-misc +install p8023 /usr/bin/disabled-network-by-security-misc +install p8022 
/usr/bin/disabled-network-by-security-misc +install can /usr/bin/disabled-network-by-security-misc +install atm /usr/bin/disabled-network-by-security-misc + +## Miscellaneous: +# +## Vivid: +## Disables the vivid kernel module since it has been the cause of multiple vulnerabilities. +## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233 +## https://www.openwall.com/lists/oss-security/2019/11/02/1 +## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475 +# +install vivid /usr/bin/disabled-vivid-by-security-misc + +## Thunderbolt: +## Disables Thunderbolt modules to prevent some DMA attacks. +## https://en.wikipedia.org/wiki/Thunderbolt_(interface)#Security_vulnerabilities +# +install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc From fc792ff23234399ed299c3fdc086d47c87d9b4a3 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Fri, 12 Jul 2024 02:29:36 +1000 Subject: [PATCH 377/846] Alphabetically sort existing modprobe --- etc/modprobe.d/30_security-misc.conf | 76 ++++++++++++++-------------- 1 file changed, 38 insertions(+), 38 deletions(-) diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc.conf index af5fd10..a4e8baa 100644 --- a/etc/modprobe.d/30_security-misc.conf +++ b/etc/modprobe.d/30_security-misc.conf @@ -31,7 +31,6 @@ options nf_conntrack nf_conntrack_helper=0 # blacklist aty128fb blacklist atyfb -blacklist radeonfb blacklist cirrusfb blacklist cyber2000fb blacklist cyblafb @@ -45,6 +44,7 @@ blacklist matroxfb_bases blacklist neofb blacklist nvidiafb blacklist pm2fb +blacklist radeonfb blacklist rivafb blacklist s1d13xxxfb blacklist savagefb 
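Review bot: The heading `## Miscellaneous:` appears twice in the rewritten file, once for the blacklist group at the start of this hunk and again just before the `## Vivid:` and `## Thunderbolt:` sections at its end, so a reader scanning headings cannot tell the two groups apart. Since vivid and Thunderbolt already carry their own headings, the second `## Miscellaneous:` (and the bare `#` under it) can simply be dropped, or renamed if a grouping is wanted. The Fedora reference in the Network Protocols block also carries a stray closing parenthesis and should read `## https://fedoraproject.org/wiki/Security_Features_Matrix#Blacklist_Rare_Protocols`, since the link is copied verbatim into the new blacklist and disable files later on this page.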
@@ -63,21 +63,21 @@ blacklist udlfb ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco # blacklist ath_pci -blacklist evbug -blacklist usbmouse -blacklist usbkbd -blacklist eepro100 -blacklist de4x5 -blacklist eth1394 -blacklist snd_intel8x0m -blacklist snd_aw2 -blacklist prism54 -blacklist bcm43xx -blacklist garmin_gps -blacklist asus_acpi -blacklist snd_pcsp -blacklist pcspkr blacklist amd76x_edac +blacklist asus_acpi +blacklist bcm43xx +blacklist eepro100 +blacklist eth1394 +blacklist evbug +blacklist de4x5 +blacklist garmin_gps +blacklist pcspkr +blacklist prism54 +blacklist snd_aw2 +blacklist snd_intel8x0m +blacklist snd_pcsp +blacklist usbkbd +blacklist usbmouse ## Bluetooth: ## Disable Bluetooth to reduce attack surface due to extended history of security vulnerabilities. @@ -99,14 +99,14 @@ blacklist amd76x_edac ## Disable IEEE 1394 (FireWire/i.LINK/Lynx) modules to prevent some DMA attacks. ## https://en.wikipedia.org/wiki/IEEE_1394#Security_issues # +install dv1394 /usr/bin/disabled-firewire-by-security-misc install firewire-core /usr/bin/disabled-firewire-by-security-misc -install firewire-net /usr/bin/disabled-firewire-by-security-misc install firewire-ohci /usr/bin/disabled-firewire-by-security-misc +install firewire-net /usr/bin/disabled-firewire-by-security-misc install firewire-sbp2 /usr/bin/disabled-firewire-by-security-misc install ohci1394 /usr/bin/disabled-firewire-by-security-misc -install sbp2 /usr/bin/disabled-firewire-by-security-misc -install dv1394 /usr/bin/disabled-firewire-by-security-misc install raw1394 /usr/bin/disabled-firewire-by-security-misc +install sbp2 /usr/bin/disabled-firewire-by-security-misc install video1394 /usr/bin/disabled-firewire-by-security-misc ## File Systems: 
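Review bot: Two pairs end up outside the order this commit sets out to impose: in the `-63` hunk `blacklist evbug` is placed before `blacklist de4x5`, and in the `-99` hunk `install firewire-ohci` precedes `install firewire-net`. Swapping each pair (`blacklist de4x5` then `blacklist evbug`; `install firewire-net` then `install firewire-ohci`) makes the lists match the stated ordering, and the `evbug`/`de4x5` pair is otherwise copied as-is into the new `30_security-misc_blacklist.conf` in the following commit. Keeping `blacklist ath_pci` at the head of the Miscellaneous list is defensible because of its separate source link, but a short comment saying so would stop the next sort from moving it.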
@@ -115,9 +115,9 @@ install video1394 /usr/bin/disabled-firewire-by-security-misc # install cramfs /usr/bin/disabled-filesys-by-security-misc install freevxfs /usr/bin/disabled-filesys-by-security-misc -install jffs2 /usr/bin/disabled-filesys-by-security-misc install hfs /usr/bin/disabled-filesys-by-security-misc install hfsplus /usr/bin/disabled-filesys-by-security-misc +install jffs2 /usr/bin/disabled-filesys-by-security-misc install udf /usr/bin/disabled-filesys-by-security-misc ## Global Positioning Systems: @@ -127,8 +127,8 @@ install gnss /usr/bin/disabled-gps-by-security-misc install gnss-mtk /usr/bin/disabled-gps-by-security-misc install gnss-serial /usr/bin/disabled-gps-by-security-misc install gnss-sirf /usr/bin/disabled-gps-by-security-misc -install gnss-usb /usr/bin/disabled-gps-by-security-misc install gnss-ubx /usr/bin/disabled-gps-by-security-misc +install gnss-usb /usr/bin/disabled-gps-by-security-misc ## Intel Management Engine (ME): ## Partially disable the Intel ME interface with the OS. @@ -141,11 +141,11 @@ install mei-me /usr/bin/disabled-intelme-by-security-misc ## Disable uncommon network file systems to reduce attack surface. # install cifs /usr/bin/disabled-netfilesys-by-security-misc +install gfs2 /usr/bin/disabled-netfilesys-by-security-misc +install ksmbd /usr/bin/disabled-netfilesys-by-security-misc install nfs /usr/bin/disabled-netfilesys-by-security-misc install nfsv3 /usr/bin/disabled-netfilesys-by-security-misc install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc -install ksmbd /usr/bin/disabled-netfilesys-by-security-misc -install gfs2 /usr/bin/disabled-netfilesys-by-security-misc ## Network Protocols: ## Disables rare and unneeded network protocols that are a common source of unknown vulnerabilities. 
@@ -153,25 +153,25 @@ install gfs2 /usr/bin/disabled-netfilesys-by-security-misc ## https://fedoraproject.org/wiki/Security_Features_Matrix#Blacklist_Rare_Protocols) ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-rare-network.conf?h=ubuntu/disco # -install dccp /usr/bin/disabled-network-by-security-misc -install sctp /usr/bin/disabled-network-by-security-misc -install rds /usr/bin/disabled-network-by-security-misc -install tipc /usr/bin/disabled-network-by-security-misc -install n-hdlc /usr/bin/disabled-network-by-security-misc -install ax25 /usr/bin/disabled-network-by-security-misc -install netrom /usr/bin/disabled-network-by-security-misc -install x25 /usr/bin/disabled-network-by-security-misc -install rose /usr/bin/disabled-network-by-security-misc -install decnet /usr/bin/disabled-network-by-security-misc -install econet /usr/bin/disabled-network-by-security-misc install af_802154 /usr/bin/disabled-network-by-security-misc -install ipx /usr/bin/disabled-network-by-security-misc install appletalk /usr/bin/disabled-network-by-security-misc -install psnap /usr/bin/disabled-network-by-security-misc -install p8023 /usr/bin/disabled-network-by-security-misc -install p8022 /usr/bin/disabled-network-by-security-misc -install can /usr/bin/disabled-network-by-security-misc install atm /usr/bin/disabled-network-by-security-misc +install ax25 /usr/bin/disabled-network-by-security-misc +install can /usr/bin/disabled-network-by-security-misc +install decnet /usr/bin/disabled-network-by-security-misc +install dccp /usr/bin/disabled-network-by-security-misc +install econet /usr/bin/disabled-network-by-security-misc +install ipx /usr/bin/disabled-network-by-security-misc +install n-hdlc /usr/bin/disabled-network-by-security-misc +install netrom /usr/bin/disabled-network-by-security-misc +install p8022 /usr/bin/disabled-network-by-security-misc +install p8023 /usr/bin/disabled-network-by-security-misc +install psnap 
/usr/bin/disabled-network-by-security-misc +install rds /usr/bin/disabled-network-by-security-misc +install rose /usr/bin/disabled-network-by-security-misc +install sctp /usr/bin/disabled-network-by-security-misc +install tipc /usr/bin/disabled-network-by-security-misc +install x25 /usr/bin/disabled-network-by-security-misc ## Miscellaneous: # From b02230a783941da412be72fb52053db0c6b8010f Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Fri, 12 Jul 2024 02:42:37 +1000 Subject: [PATCH 378/846] Split modprobe into blacklisted and disabled configurations --- README.md | 7 +- debian/security-misc.maintscript | 2 +- .../30_security-misc_blacklist.conf | 80 +++++++++++++++++++ ...isc.conf => 30_security-misc_disable.conf} | 71 ---------------- usr/bin/disabled-bluetooth-by-security-misc | 2 +- usr/bin/disabled-cdrom-by-security-misc | 2 +- usr/bin/disabled-filesys-by-security-misc | 2 +- usr/bin/disabled-firewire-by-security-misc | 2 +- usr/bin/disabled-gps-by-security-misc | 2 +- usr/bin/disabled-intelme-by-security-misc | 2 +- usr/bin/disabled-netfilesys-by-security-misc | 2 +- usr/bin/disabled-network-by-security-misc | 2 +- usr/bin/disabled-thunderbolt-by-security-misc | 2 +- usr/bin/disabled-vivid-by-security-misc | 3 +- 14 files changed, 96 insertions(+), 85 deletions(-) create mode 100644 etc/modprobe.d/30_security-misc_blacklist.conf rename etc/modprobe.d/{30_security-misc.conf => 30_security-misc_disable.conf} (77%) diff --git a/README.md b/README.md index 5c9df4a..7601260 100644 --- a/README.md +++ b/README.md 
@@ -122,10 +122,11 @@ preventing new modules from being loaded. Since this isn't configured directly within systemctl, it does not break the loading of legitimate and necessary modules for the user, like drivers etc., given they are plugged in on startup. -#### Disables and blacklists kernel modules +#### Blacklist and disable kernel modules -Certain kernel modules are disabled and blacklisted by default to reduce attack -surface via the `/etc/modprobe.d/30_security-misc.conf` configuration file. +Certain kernel modules are blacklisted and disabled by default to reduce attack +surface via both the `/etc/modprobe.d/30_security-misc_blacklist.conf` and +`/etc/modprobe.d/30_security-misc_disable.conf` configuration files respectively. - Deactivates Netfilter's connection tracking helper - this module increases kernel attack surface by enabling superfluous functionality such as IRC diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript index f64e762..4279cf2 100644 --- a/debian/security-misc.maintscript +++ b/debian/security-misc.maintscript @@ -24,7 +24,7 @@ rm_conffile /etc/sysctl.d/kexec.conf rm_conffile /etc/sysctl.d/tcp_hardening.conf rm_conffile /etc/sysctl.d/tcp_sack.conf -## merged into 1 file /etc/modprobe.d/30_security-misc.conf +## merged into 2 files /etc/modprobe.d/30_security-misc_blacklist.conf and /etc/modprobe.d/30_security-misc_disable.conf rm_conffile /etc/modprobe.d/uncommon-network-protocols.conf rm_conffile /etc/modprobe.d/blacklist-bluetooth.conf rm_conffile /etc/modprobe.d/vivid.conf diff --git a/etc/modprobe.d/30_security-misc_blacklist.conf b/etc/modprobe.d/30_security-misc_blacklist.conf new file mode 100644 index 0000000..f516fe2 --- /dev/null +++ b/etc/modprobe.d/30_security-misc_blacklist.conf 
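Review bot: Only the comment changes in this file, yet the commit renames the conffile `/etc/modprobe.d/30_security-misc.conf` to `30_security-misc_disable.conf` and the diffstat shows no `rm_conffile` or `mv_conffile` entry for the old path; dpkg then leaves the old file behind as an obsolete conffile on upgrade and modprobe keeps reading it alongside the two new ones. Add `rm_conffile /etc/modprobe.d/30_security-misc.conf` next to the other entries (the file's existing lines omit the version argument, so matching that style works), or `mv_conffile` if local edits should be carried over to the disable file. The `## merged into 2 files …` comment then also describes what the package actually cleans up.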
@@ -0,0 +1,80 @@ +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## See the following links for a community discussion and overview regarding the selections. +## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989 +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules + +## Blacklisting prevents kernel modules from automatically starting. +## Disabling prohibits kernel modules from starting. + +## CD-ROM/DVD: +## Blacklist CD-ROM and DVD modules. +## Do not disable by default for potential future ISO plans. +## https://nvd.nist.gov/vuln/detail/CVE-2018-11506 +## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31 +# +blacklist cdrom +blacklist sr_mod +# +#install cdrom /usr/bin/disabled-cdrom-by-security-misc +#install sr_mod /usr/bin/disabled-cdrom-by-security-misc + +## Conntrack: +## Disable automatic conntrack helper assignment. 
+## https://phabricator.whonix.org/T486 +# +options nf_conntrack nf_conntrack_helper=0 + +## Framebuffer Drivers: +## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco +# +blacklist aty128fb +blacklist atyfb +blacklist cirrusfb +blacklist cyber2000fb +blacklist cyblafb +blacklist gx1fb +blacklist hgafb +blacklist i810fb +blacklist intelfb +blacklist kyrofb +blacklist lxfb +blacklist matroxfb_bases +blacklist neofb +blacklist nvidiafb +blacklist pm2fb +blacklist radeonfb +blacklist rivafb +blacklist s1d13xxxfb +blacklist savagefb +blacklist sisfb +blacklist sstfb +blacklist tdfxfb +blacklist tridentfb +blacklist vesafb +blacklist vfb +blacklist viafb +blacklist vt8623fb +blacklist udlfb + +## Miscellaneous: +## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco +## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco +# +blacklist ath_pci +blacklist amd76x_edac +blacklist asus_acpi +blacklist bcm43xx +blacklist eepro100 +blacklist eth1394 +blacklist evbug +blacklist de4x5 +blacklist garmin_gps +blacklist pcspkr +blacklist prism54 +blacklist snd_aw2 +blacklist snd_intel8x0m +blacklist snd_pcsp +blacklist usbkbd +blacklist usbmouse diff --git a/etc/modprobe.d/30_security-misc.conf b/etc/modprobe.d/30_security-misc_disable.conf similarity index 77% rename from etc/modprobe.d/30_security-misc.conf rename to etc/modprobe.d/30_security-misc_disable.conf index a4e8baa..0a676d1 100644 --- a/etc/modprobe.d/30_security-misc.conf +++ b/etc/modprobe.d/30_security-misc_disable.conf 
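Review bot: `options nf_conntrack nf_conntrack_helper=0` sits in a file whose header describes blacklist entries, and the `## Conntrack:` section still says `Disable …`, so a reader may assume the helper setting is enforced by blacklisting; a comment such as `## Not a blacklist: a module option, kept here so each file stays self-contained.` would make the placement deliberate. To my recollection the `nf_conntrack_helper` module parameter has been removed from recent upstream kernels; if that holds for the target kernel this line is a no-op there, and the automatic-helper behaviour should be confirmed on that kernel rather than assumed from this file. The `evbug`/`de4x5` ordering from the preceding sort commit is also carried over unchanged.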
@@ -8,77 +8,6 @@ ## Blacklisting prevents kernel modules from automatically starting. ## Disabling prohibits kernel modules from starting. -## CD-ROM/DVD: -## Blacklist CD-ROM and DVD modules. -## Do not disable by default for potential future ISO plans. -## https://nvd.nist.gov/vuln/detail/CVE-2018-11506 -## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31 -# -blacklist cdrom -blacklist sr_mod -# -#install cdrom /usr/bin/disabled-cdrom-by-security-misc -#install sr_mod /usr/bin/disabled-cdrom-by-security-misc - -## Connection Tracking: -## Disable automatic conntrack helper assignment. -## https://phabricator.whonix.org/T486 -# -options nf_conntrack nf_conntrack_helper=0 - -## Framebuffer Drivers: -## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco -# -blacklist aty128fb -blacklist atyfb -blacklist cirrusfb -blacklist cyber2000fb -blacklist cyblafb -blacklist gx1fb -blacklist hgafb -blacklist i810fb -blacklist intelfb -blacklist kyrofb -blacklist lxfb -blacklist matroxfb_bases -blacklist neofb -blacklist nvidiafb -blacklist pm2fb -blacklist radeonfb -blacklist rivafb -blacklist s1d13xxxfb -blacklist savagefb -blacklist sisfb -blacklist sstfb -blacklist tdfxfb -blacklist tridentfb -blacklist vesafb -blacklist vfb -blacklist viafb -blacklist vt8623fb -blacklist udlfb - -## Miscellaneous: -## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco -## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco -# -blacklist ath_pci -blacklist amd76x_edac -blacklist asus_acpi -blacklist bcm43xx -blacklist eepro100 -blacklist eth1394 -blacklist evbug -blacklist de4x5 -blacklist garmin_gps -blacklist pcspkr -blacklist prism54 -blacklist snd_aw2 -blacklist snd_intel8x0m -blacklist snd_pcsp -blacklist usbkbd -blacklist usbmouse - ## Bluetooth: ## Disable Bluetooth to reduce attack 
surface due to extended history of security vulnerabilities. ## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns diff --git a/usr/bin/disabled-bluetooth-by-security-misc b/usr/bin/disabled-bluetooth-by-security-misc index 8091b45..7e011e3 100755 --- a/usr/bin/disabled-bluetooth-by-security-misc +++ b/usr/bin/disabled-bluetooth-by-security-misc @@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This bluetooth kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 +echo "$0: ERROR: This bluetooth kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-cdrom-by-security-misc b/usr/bin/disabled-cdrom-by-security-misc index 13e4592..55f4b0c 100755 --- a/usr/bin/disabled-cdrom-by-security-misc +++ b/usr/bin/disabled-cdrom-by-security-misc @@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This CD-ROM kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 +echo "$0: ERROR: This CD-ROM kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-filesys-by-security-misc b/usr/bin/disabled-filesys-by-security-misc index b5b2426..6c7dd5a 100755 --- a/usr/bin/disabled-filesys-by-security-misc +++ b/usr/bin/disabled-filesys-by-security-misc 
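Review bot: In the new echo line `$@` is embedded inside a larger double-quoted string, which splits the message into several words when more than one argument is passed (ShellCheck SC2145); `$*` is the form meant for interpolation, i.e. `... | args: $*" >&2`. The same line pattern is repeated in the cdrom, filesys, firewire, gps, intelme, netfilesys, network, thunderbolt and vivid scripts of this commit, each carrying the configuration path verbatim, and the split `_disable +.conf` in disabled-vivid-by-security-misc shows what ten hand-edited copies cost; a single shared variable for the path, or one script parameterised by module class, would keep it in one place.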
@@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 +echo "$0: ERROR: This file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-firewire-by-security-misc b/usr/bin/disabled-firewire-by-security-misc index dbcc7ce..cbde5d1 100755 --- a/usr/bin/disabled-firewire-by-security-misc +++ b/usr/bin/disabled-firewire-by-security-misc @@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This firewire kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 +echo "$0: ERROR: This firewire kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-gps-by-security-misc b/usr/bin/disabled-gps-by-security-misc index 90b7076..f1a24bf 100755 --- a/usr/bin/disabled-gps-by-security-misc +++ b/usr/bin/disabled-gps-by-security-misc @@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This GNSS (Global Navigation Satellite System) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 +echo "$0: ERROR: This GNSS (Global Navigation Satellite System) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 exit 1 
diff --git a/usr/bin/disabled-intelme-by-security-misc b/usr/bin/disabled-intelme-by-security-misc index 47bdcb1..0913fcf 100755 --- a/usr/bin/disabled-intelme-by-security-misc +++ b/usr/bin/disabled-intelme-by-security-misc @@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This Intel Management Engine (ME) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 +echo "$0: ERROR: This Intel Management Engine (ME) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-netfilesys-by-security-misc b/usr/bin/disabled-netfilesys-by-security-misc index e62f0c0..bbb57a8 100755 --- a/usr/bin/disabled-netfilesys-by-security-misc +++ b/usr/bin/disabled-netfilesys-by-security-misc @@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This network file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 +echo "$0: ERROR: This network file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-network-by-security-misc b/usr/bin/disabled-network-by-security-misc index f00086e..8035522 100755 --- a/usr/bin/disabled-network-by-security-misc +++ b/usr/bin/disabled-network-by-security-misc 
@@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This network protocol kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 +echo "$0: ERROR: This network protocol kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-thunderbolt-by-security-misc b/usr/bin/disabled-thunderbolt-by-security-misc index d153ceb..98f0840 100755 --- a/usr/bin/disabled-thunderbolt-by-security-misc +++ b/usr/bin/disabled-thunderbolt-by-security-misc @@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This thunderbolt kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 +echo "$0: ERROR: This thunderbolt kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-vivid-by-security-misc b/usr/bin/disabled-vivid-by-security-misc index aa7c639..4a9855e 100755 --- a/usr/bin/disabled-vivid-by-security-misc +++ b/usr/bin/disabled-vivid-by-security-misc @@ -5,6 +5,7 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This vivid kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc.conf | args: $@" >&2 +echo "$0: ERROR: This vivid kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable +.conf | args: $@" >&2 exit 1 From f31dc8aebc652b2037c375351fc478d9b5ba4c27 Mon Sep 17 00:00:00 2001 
From: Raja Grewal Date: Fri, 12 Jul 2024 16:21:03 +1000 Subject: [PATCH 379/846] Fix error in error script --- usr/bin/disabled-vivid-by-security-misc | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/usr/bin/disabled-vivid-by-security-misc b/usr/bin/disabled-vivid-by-security-misc index 4a9855e..f2d07b7 100755 --- a/usr/bin/disabled-vivid-by-security-misc +++ b/usr/bin/disabled-vivid-by-security-misc @@ -5,7 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This vivid kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable -.conf | args: $@" >&2 +echo "$0: ERROR: This vivid kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 exit 1 From 41a3bf92fbdac88a1884dee735600cafa35134bf Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Fri, 12 Jul 2024 16:21:41 +1000 Subject: [PATCH 380/846] Sort `30_security-misc_disable.conf` --- etc/modprobe.d/30_security-misc_disable.conf | 24 ++++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf index 0a676d1..c9f5499 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf +++ b/etc/modprobe.d/30_security-misc_disable.conf 
@@ -24,6 +24,17 @@ # #install msr /usr/bin/disabled-msr-by-security-misc +## File Systems: +## Disable uncommon file systems to reduce attack surface. +## HFS and HFS+ are legacy Apple filesystems that may be required depending on the EFI partition format. +# +install cramfs /usr/bin/disabled-filesys-by-security-misc +install freevxfs /usr/bin/disabled-filesys-by-security-misc +install hfs /usr/bin/disabled-filesys-by-security-misc +install hfsplus /usr/bin/disabled-filesys-by-security-misc +install jffs2 /usr/bin/disabled-filesys-by-security-misc +install udf /usr/bin/disabled-filesys-by-security-misc + ## FireWire (IEEE 1394): ## Disable IEEE 1394 (FireWire/i.LINK/Lynx) modules to prevent some DMA attacks. ## https://en.wikipedia.org/wiki/IEEE_1394#Security_issues @@ -38,18 +49,7 @@ install raw1394 /usr/bin/disabled-firewire-by-security-misc install sbp2 /usr/bin/disabled-firewire-by-security-misc install video1394 /usr/bin/disabled-firewire-by-security-misc -## File Systems: -## Disable uncommon file systems to reduce attack surface. -## HFS and HFS+ are legacy Apple filesystems that may be required depending on the EFI partition format. -# -install cramfs /usr/bin/disabled-filesys-by-security-misc -install freevxfs /usr/bin/disabled-filesys-by-security-misc -install hfs /usr/bin/disabled-filesys-by-security-misc -install hfsplus /usr/bin/disabled-filesys-by-security-misc -install jffs2 /usr/bin/disabled-filesys-by-security-misc -install udf /usr/bin/disabled-filesys-by-security-misc - -## Global Positioning Systems: +## Global Positioning Systems (GPS): ## Disable GPS-related modules like GNSS (Global Navigation Satellite System). # install gnss /usr/bin/disabled-gps-by-security-misc From 5f10cc8bcf11654f5e0f97c07e0a7ff198013c1e Mon Sep 17 00:00:00 2001 
From: Raja Grewal Date: Fri, 12 Jul 2024 16:22:10 +1000 Subject: [PATCH 381/846] Update README.md relating to modprobe --- README.md | 72 +++++++++++++++++++++---------------------------------- 1 file changed, 27 insertions(+), 45 deletions(-) diff --git a/README.md b/README.md index 7601260..114b90c 100644 --- a/README.md +++ b/README.md 
@@ -124,62 +124,44 @@ modules for the user, like drivers etc., given they are plugged in on startup. #### Blacklist and disable kernel modules -Certain kernel modules are blacklisted and disabled by default to reduce attack -surface via both the `/etc/modprobe.d/30_security-misc_blacklist.conf` and -`/etc/modprobe.d/30_security-misc_disable.conf` configuration files respectively. +Certain kernel modules are blacklisted by default to reduce attack surface via +`/etc/modprobe.d/30_security-misc_blacklist.conf`. Blacklisting prevents kernel +modules from automatically starting. -- Deactivates Netfilter's connection tracking helper - this module increases - kernel attack surface by enabling superfluous functionality such as IRC - parsing in the kernel. Hence, this feature is disabled. +- CD-ROM/DVD: Blacklist modules required for CD-ROM/DVD devices. -- Thunderbolt and numerous FireWire kernel modules are also disabled as they - are often vulnerable to DMA attacks. +- Conntrack: Deactivates Netfilter's connection tracking helper - this module + increases kernel attack surface by enabling superfluous functionality such + as IRC parsing in the kernel. Hence, this feature is disabled. -- The MSR kernel module is disabled to prevent CPU MSRs from being abused to - write to arbitrary memory. +- Framebuffer Drivers: Blacklisted as they are well-known to be buggy, cause + kernel panics, and are generally only used by legacy devices. -- Uncommon network protocols are blacklisted. This includes: +- Miscellaneous: Blacklist an assortment other modules to prevent them from + automatically loading. 
- - DCCP - Datagram Congestion Control Protocol - - SCTP - Stream Control Transmission Protocol - - RDS - Reliable Datagram Sockets - - TIPC - Transparent Inter-process Communication - - HDLC - High-Level Data Link Control - - AX25 - Amateur X.25 - - NetRom - - X25 - - ROSE - - DECnet - - Econet - - af_802154 - IEEE 802.15.4 - - IPX - Internetwork Packet Exchange - - AppleTalk - - PSNAP - Subnetwork Access Protocol - - p8023 - Novell raw IEEE 802.3 - - p8022 - IEEE 802.2 - - CAN - Controller Area Network - - ATM +Specific kernel modules are entirely disabled to reduce attack surface via +`/etc/modprobe.d/30_security-misc_disable.conf`. Disabling prohibits kernel +modules from starting. This approach should not be considered comprehensive, +rather it is a form of badness enumeration. -- Disables a large array of uncommon file systems and network file systems - that reduces the attack surface especially against legacy approaches. +- File Systems: Disable uncommon and legacy file systems. -- The vivid kernel module is only required for testing and has been the cause - of multiple vulnerabilities so it is disabled. +- FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks. -- Provides some disabling of the interface between the [Intel Management - Engine (ME)](https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html) - and the OS. +- GPS: Disables GPS-related modules responsible systems such as for Global + Navigation Satellite System (GNSS). -- Disables several kernel modules responsible for GPS such as GNSS (Global - Navigation Satellite System). +- Intel Management Engine (ME): Provides some disabling of the interface between the + Intel ME and the OS. -- Incorporates much of - [Ubuntu's](https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d?h=ubuntu/disco) - default blacklist of modules to be blocked from automatically loading. - However, they are still permitted to load. 
+- Network File Systems: Disable uncommon and legacy network file systems. -- Blocks automatic loading of the modules needed to use of CD-ROM devices by - default. Not completely disabled yet. +- Network Protocols: Wide array of uncommon and legacy network protocols are disabled. + +- Miscellaneous: Disable an assortment other modules such as vivid. + +- Thunderbolt: Disabled as they are often vulnerable to DMA attacks. ### Other From 2de3a795990234134be15be90aa55f547c064d92 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sat, 13 Jul 2024 22:41:40 +1000 Subject: [PATCH 382/846] Refactor existing sysctl for clarity --- README.md | 96 +++-- debian/security-misc.maintscript | 2 +- .../30_security-misc_kexec-disable.conf | 9 +- usr/lib/sysctl.d/30_silent-kernel-printk.conf | 4 +- usr/lib/sysctl.d/990-security-misc.conf | 401 ++++++++++++------ 5 files changed, 330 insertions(+), 182 deletions(-) diff --git a/README.md b/README.md index 114b90c..9ed387b 100644 --- a/README.md +++ b/README.md 
@@ -6,57 +6,76 @@ This section is inspired by the Kernel Self Protection Project (KSPP). It implements all recommended Linux kernel settings by the KSPP and many more. - https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project +- https://kspp.github.io/Recommended_Settings ### sysctl -sysctl settings are configured via the `/etc/sysctl.d/30_security-misc.conf` +sysctl settings are configured via the `/usr/lib/sysctl.d/990-security-misc.conf` configuration file. -- A kernel pointer points to a specific location in kernel memory. These can - be very useful in exploiting the kernel so they are restricted to - `CAP_SYSLOG`. +Significant hardening is applied by default to a myriad of components within kernel +space, user space, core dumps, and swap space. -- The kernel logs are restricted to `CAP_SYSLOG` as they can often leak - sensitive information such as kernel pointers. +- Restrict kernel addresses regardless of user privileges. -- The `ptrace()` system call is restricted to `CAP_SYS_PTRACE`. +- Restrict access to the kernel logs to `CAP_SYSLOG` as the often contain + sensitive information. -- eBPF is restricted to `CAP_BPF` (`CAP_SYS_ADMIN` on kernel versions prior to - 5.8) and JIT hardening techniques such as constant blinding are enabled. +- Prevent kernel information leaks in the console during boot. -- Restricts performance events to `CAP_PERFMON` (`CAP_SYS_ADMIN` on kernel - versions prior to 5.8). +- Restrict eBPF access to `CAP_BPF` and enable associated JIT compiler hardening. -- Restricts loading line disciplines to `CAP_SYS_MODULE` to prevent - unprivileged attackers from loading vulnerable line disciplines with the - `TIOCSETD` ioctl which has been abused in a number of exploits before. +- Restrict loading TTY line disciplines to `CAP_SYS_MODULE`. -- Restricts the `userfaultfd()` syscall to `CAP_SYS_PTRACE` as `userfaultfd()` - is often abused to exploit use-after-free flaws. 
+- Restricts the `userfaultfd()` syscall to `CAP_SYS_PTRACE` which reduces the + likelihood of use-after-free exploits. -- Kexec is disabled as it can be used to load a malicious kernel and gain - arbitrary code execution in kernel mode. +- Disable `kexec` as it can be used to replace the running kernel. -- Randomises the addresses for mmap base, heap, stack, and VDSO pages. +- Entirely disables the SysRq key so that the Secure Attention Key (SAK) + can no longer be utilised. -- Prevents unintentional writes to attacker-controlled files. +- Restrict kernel profiling and the performance events system to `CAP_PERFMON`. -- Prevents common symlink and hardlink TOCTOU races. +- Randomise the addresses (ASLR) for mmap base, stack, VDSO pages, and heap. -- Disables SysRq key completely. - * Therefore Secure Attention Key (SAK) cannot be used. - * https://www.kicksecure.com/wiki/SysRq +- Disable asynchronous I/O (when using Linux kernel version >= 6.6). -- The kernel is only allowed to swap if it is absolutely necessary. This - prevents writing potentially sensitive contents of memory to disk. +- Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it + enables programs to inspect and modify other active processes. -- TCP timestamps are disabled as it can allow detecting the system time. +- Prevent hardlink and symlink TOCTOU races in world-writable directories. -- Set coredump file name based on core_pattern value instead of the default of - naming it 'core'. +- Disallow unintentional writes to attacker-controlled files. -- Will disable `io_uring` interface for performing asynchronous I/O as it has - historically been a significant attack surface. +- Increase the maximum number of memory map areas a process is able to utilise. + +- Disable core dump files and prevent their creation. + +- Limit the copying of potentially sensitive content in memory to the swap device. + +Various networking components of the TCP/IP stack are hardened for IPv4/6. 
+ +- Enable TCP SYN cookie protection to assist against SYN flood attacks. + +- Protect against TCP time-wait assassination hazards. + +- Enables reverse path filtering (source validation) of packets received + from all interfaces to prevent IP spoofing. + +- Disable ICMP redirect acceptance and redirect sending messages to + prevent man-in-the-middle attacks and minimise information disclosure. + +- Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks. + +- Ignore bogus ICMP error responses. + +- Disable source routing which allows users redirect network traffic that + can result in man-in-the-middle attacks. + +- Do not accept IPv6 router advertisements and solicitations. + +- Disable TCP timestamps as it can allow detecting the system time. ### mmap ASLR @@ -193,21 +212,6 @@ rather it is a form of badness enumeration. ## Network hardening -- TCP syncookies are enabled to prevent SYN flood attacks. - -- ICMP redirect acceptance, ICMP redirect sending, source routing and IPv6 - router advertisements are disabled to prevent man-in-the-middle attacks. - -- The kernel is configured to ignore all ICMP requests to avoid Smurf attacks, - make the device more difficult to enumerate on the network and prevent clock - fingerprinting through ICMP timestamps. - -- RFC1337 is enabled to protect against time-wait assassination attacks by - dropping RST packets for sockets in the time-wait state. - -- Reverse path filtering is enabled to prevent IP spoofing and mitigate - vulnerabilities such as CVE-2019-14899. - - Unlike version 4, IPv6 addresses can provide information not only about the originating network, but also the originating device. We prevent this from happening by enabling the respective privacy extensions for IPv6. diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript index 4279cf2..8636e0c 100644 --- a/debian/security-misc.maintscript +++ b/debian/security-misc.maintscript 
@@ -10,7 +10,7 @@ rm_conffile /etc/sysctl.d/sysrq.conf rm_conffile /etc/apparmor.d/usr.lib.security-misc.pam_tally2-info rm_conffile /etc/apparmor.d/usr.lib.security-misc.permission-lockdown -## merged into 1 file /etc/sysctl.d/30_security-misc.conf +## merged into 3 files /usr/lib/sysctl.d/30_security-misc_kexec-disable.conf, /usr/lib/sysctl.d/30_silent-kernel-printk.conf, and /usr/lib/sysctl.d/990-security-misc.conf rm_conffile /etc/sysctl.d/fs_protected.conf rm_conffile /etc/sysctl.d/kptr_restrict.conf rm_conffile /etc/sysctl.d/suid_dumpable.conf diff --git a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf index bbdf5ea..ad2f6bd 100644 --- a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf +++ b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf @@ -1,12 +1,11 @@ ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Quote https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html -## -## kexec_load_disabled: -## -## A toggle indicating if the kexec_load syscall has been disabled. This value defaults to 0 (false: kexec_load enabled), but can be set to 1 (true: kexec_load disabled). Once true, kexec can no longer be used, and the toggle cannot be set back to false. This allows a kexec image to be loaded before disabling the syscall, allowing a system to set up (and later use) an image without it being altered. Generally used together with the "modules_disabled" sysctl. ## Disables kexec which can be used to replace the running kernel. +## Useful for live kernel patching without rebooting. +## +## https://en.wikipedia.org/wiki/Kexec +## kernel.kexec_load_disabled=1 ## Why is this in a dedicated config file? diff --git a/usr/lib/sysctl.d/30_silent-kernel-printk.conf b/usr/lib/sysctl.d/30_silent-kernel-printk.conf index b76a4b3..5ac7b6f 100644 --- a/usr/lib/sysctl.d/30_silent-kernel-printk.conf 
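Review bot: The replacement comment drops the one operational property of `kernel.kexec_load_disabled=1` that the removed kernel-documentation quote made explicit: once set to 1 it cannot be set back to 0 until reboot, so the setting has to be applied after any legitimately needed kexec image (for example a kdump crash kernel) has been loaded. The added line `## Useful for live kernel patching without rebooting.` also reads as if kexec were live patching; kexec boots a replacement kernel from the running one (kdump, fast reboot) and is a different mechanism from livepatch. Suggest replacing that line with `## Commonly used for kdump crash kernels and fast reboots; once disabled it cannot be re-enabled until reboot, so load any required kexec image first.`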
+++ b/usr/lib/sysctl.d/30_silent-kernel-printk.conf @@ -1,8 +1,8 @@ ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Prevent kernel info leaks in console during boot. -## https://phabricator.whonix.org/T950 +## Prevent kernel information leaks in the console during boot. +## kernel.printk = 3 3 3 3 ## NOTE: diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 371c265..c1bf3e9 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf 
@@ -2,177 +2,322 @@ ## See the file COPYING for copying conditions. ## NOTE: -## This file has a weird file name so /usr/lib/sysctl.d/99-protect-links.conf -## is parsed first and /usr/lib/sysctl.d/990-security-misc.conf is parsed -## afterwards. See also: +## This file has a strange name so that `/usr/lib/sysctl.d/99-protect-links.conf` is +## first parsed and then followed by `/usr/lib/sysctl.d/990-security-misc.conf`. ## https://github.com/Kicksecure/security-misc/pull/135 -## Restricts the kernel log to root only. -kernel.dmesg_restrict=1 +## This configuration file is split into 5 sections: +## 1. Kernel Space +## 2. User Space +## 3. Core Dumps +## 4. Swap Space +## 5. Networking -## Disables coredumps. This setting may be overwritten by systemd so this may not be useful. -## security-misc also disables coredumps in other ways. -kernel.core_pattern=|/bin/false +## See the documentation below for details on the majority of the selected commands. +## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html +## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/fs.html +## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/net.html +## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/vm.html +## https://www.kernel.org/doc/html/latest//networking/ip-sysctl.html -## Does not set coredump name to 'core' which is default. Defense in depth. -kernel.core_uses_pid=1 - -## Prevent setuid processes from creating coredumps. -fs.suid_dumpable=0 - -## Don't allow writes to files that we don't own -## in world writable sticky directories, unless -## they are owned by the owner of the directory. -fs.protected_fifos=2 -fs.protected_regular=2 - -## Only allow symlinks to be followed when outside of -## a world-writable sticky directory, or when the owner -## of the symlink and follower match, or when the directory -## owner matches the symlink's owner. +## 1. 
Kernel Space: ## -## Prevent hardlinks from being created by users that do not -## have read/write access to the source file. -## -## These prevent many TOCTOU races. -fs.protected_symlinks=1 -fs.protected_hardlinks=1 +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel +## https://wiki.archlinux.org/title/Security#Kernel_hardening -## Hides kernel addresses in various files in /proc. -## Kernel addresses can be very useful in certain exploits. +## Restrict kernel addresses via /proc and other interfaces regardless of user privileges. +## Kernel pointers expose specific locations in kernel memory. ## ## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak +## kernel.kptr_restrict=2 -## Improves ASLR effectiveness for mmap. -## Both explicit sysctl are made redundant due to automation +## Restrict access to the kernel log buffer to CAP_SYSLOG. +## Kernel logs often contain sensitive information such as kernel pointers. +## +kernel.dmesg_restrict=1 + +## Prevent kernel information leaks in the console during boot. +## +## See `/usr/lib/sysctl.d/30_silent-kernel-printk.conf` for implementation. +## +#kernel.printk=3 3 3 3s + +## Restrict eBPF access to CAP_BPF and enable associated JIT compiler hardening. +## +## https://en.wikipedia.org/wiki/EBPF#Security +## +kernel.unprivileged_bpf_disabled=1 +net.core.bpf_jit_harden=2 + +## Restrict loading TTY line disciplines to CAP_SYS_MODULE. +## Prevents unprivileged users loading vulnerable line disciplines with the TIOCSETD ioctl. +## +## https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html +## https://lkml.org/lkml/2019/4/15/890 +## +dev.tty.ldisc_autoload=0 + +## Restrict the userfaultfd() syscall to SYS_CAP_PTRACE. +## Reduces likelihood of use-after-free exploits from heap sprays. 
+## +## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cefdca0a86be517bc390fc4541e3674b8e7803b0 +## https://duasynt.com/blog/linux-kernel-heap-spray +## +vm.unprivileged_userfaultfd=0 + +## Disables kexec which can be used to replace the running kernel. +## Useful for live kernel patching without rebooting. +## +## https://en.wikipedia.org/wiki/Kexec +## +## See `/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf` for implementation. +## +#kernel.kexec_load_disabled=1 + +## Disable the SysRq key to prevent leakage of kernel information. +## The Secure Attention Key (SAK) can no longer be utilised. +## +## https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html +## https://www.kicksecure.com/wiki/SysRq +## https://github.com/xairy/unlockdown +## +kernel.sysrq=0 + +## Restrict user namespaces to CAP_SYS_ADMIN. +## User namespaces aim to improve sandboxing and accessibility for unprivileged users. +## Unprivileged user namespaces pose substantial privilege escalation risks. +## Restricting is well-known to cause breakages across numerous software. +## +## https://madaidans-insecurities.github.io/linux.html#kernel +## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers +## +## Unprivileged user namespaces are currently enabled. +## +#kernel.unprivileged_userns_clone=0 + +## Restricts kernel profiling to CAP_PERFMON. +## The performance events system should not be accessible by unprivileged users. +## +## https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html#unprivileged-users +## https://lore.kernel.org/kernel-hardening/1469630746-32279-1-git-send-email-jeffv@google.com/ +## +kernel.perf_event_paranoid=3 + +## Enable ASLR for mmap base, stack, VDSO pages, and heap. +## Heap randomisation can lead to breakages with legacy applications. 
+## +## https://en.wikipedia.org/wiki/Address_space_layout_randomization#Linux +## +kernel.randomize_va_space=2 + +## Disable asynchronous I/O for all processes. +## +## https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html +## +## Applicable when using Linux kernel >= 6.6 (retained here for future-proofing and completeness). +## +kernel.io_uring_disabled=2 + + +## 2.User Space: +## +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace + +## Restrict usage of the ptrace() system call to only processes with CAP_SYS_PTRACE. +## Limit ptrace() as it enables programs to inspect and modify other active processes. +## This may break some programs running under WINE. +## +## https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html#ptrace-scope +## +kernel.yama.ptrace_scope=2 + +## Maximise bits of entropy for improved effectiveness of mmap ASLR. +## The maximum numbers of bits are dependent on CPU architecture (the ones shown below are for x86). +## Both explicit sysctl are made redundant due to automation. +## Do NOT enable either sysctl - displaying only for clarity. +## ## https://forums.whonix.org/t/automate-mmap-randomisation-to-fix-ppc64el/16514 -## Do NOT enable either - displaying only for clarity +## +## See `/usr/libexec/security-misc/mmap-rnd-bits` for implementation. ## #vm.mmap_rnd_bits=32 #vm.mmap_rnd_compat_bits=16 -## Restricts the use of ptrace to root. This might break some programs running under WINE. -## A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. This can be done by running: +## Prevent hardlink creation by users who do not have read/write/ownership of source file. +## Only allow symlinks to be followed when outside of a world-writable sticky directories. +## Allow symlinks when the owner and follower match or when the directory owner matches the symlink's owner. 
+## Hardens cross privilege boundaries if root process follows a hardlink/symlink belonging to another user. +## This mitigates many hardlink/symlink-based TOCTOU races in world-writable directories like /tmp. ## -## sudo apt-get install libcap2-bin -## sudo setcap cap_sys_ptrace=eip /usr/bin/wineserver -## sudo setcap cap_sys_ptrace=eip /usr/bin/wine-preloader -kernel.yama.ptrace_scope=2 +## https://wiki.archlinux.org/title/Security#File_systems +## https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=/tmp +## https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use#Preventing_TOCTOU +## +fs.protected_hardlinks=1 +fs.protected_symlinks=1 -## Randomize the addresses for mmap base, heap, stack, and VDSO pages -kernel.randomize_va_space=2 +## Disallow writes to files in world-writable sticky directories unless owned by the directory owner. +## Also applies to group writable sticky directories to make data spoofing attacks more difficult. +## Prevents unintentional writes to attacker-controlled files. +## +fs.protected_fifos=2 +fs.protected_regular=2 -## Hardens the BPF JIT compiler and restricts it to root. -kernel.unprivileged_bpf_disabled=1 -net.core.bpf_jit_harden=2 +## Increase the maximum number of memory map areas a process is permitted to utilise. +## Addresses performance, crash, and start-up issues for some memory intensive applications. +## Required to accommodate the very large number of guard pages created by hardened_malloc. +## Kicksecure version 18 will deprecate hardened_malloc and so this sysctl will be applied here instead. +## +## https://archlinux.org/news/increasing-the-default-vmmax_map_count-value/ +## https://github.com/GrapheneOS/hardened_malloc#traditional-linux-based-operating-systems +## https://github.com/Kicksecure/hardened_malloc/blob/master/debian/hardened_malloc.conf +## https://www.kicksecure.com/wiki/Hardened_Malloc#Deprecation_in_Kicksecure +## +vm.max_map_count=1048576 -## Disable asynchronous I/O for all processes. 
-## Valid only for linux kernel version >= 6.6. -## Command is retained here for future-proofing and completeness. -## https://forums.whonix.org/t/io-uring-security-vulnerabilties/16890/6 -kernel.io_uring_disabled=2 -#### meta start -#### project Kicksecure -#### category networking and security -#### description -## TCP/IP stack hardening +## 3. Core Dumps: +## +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps -## A martian packet is a one with a source address which is blatantly wrong -## Recommended to keep a log of these to identify these suspicious packets -## Good for troubleshooting and diagnostics but not necessary by default. -## Caused issue: -## https://github.com/Kicksecure/security-misc/issues/214 -#net.ipv4.conf.all.log_martians=1 -#net.ipv4.conf.default.log_martians=1 +## Disable core dump files by preventing any pattern names. +## This setting may be overwritten by systemd is is not comprehensive. +## Core dumps are also disabled in security-misc via other means. +## +## https://wiki.archlinux.org/title/Core_dump#Disabling_automatic_core_dumps +## +kernel.core_pattern=|/bin/false -## Protects against time-wait assassination. -## It drops RST packets for sockets in the time-wait state. +## Prevent setuid processes or otherwise protected/tainted binaries from creating core dumps. +## Any process which has changed privilege levels or is execute-only will not be dumped. +## +fs.suid_dumpable=0 + +## Set core dump file name to 'core.PID' instead of 'core' as a form of defence-in-depth. +## If core dumps are permitted, only useful if PID listings are hidden from non-root users. +## +kernel.core_uses_pid=1 + + +## 4. Swap Space: +## +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#swap + +## Limit the copying of memory to the swap device only if absolutely necessary. +## Minimises the likelihood of writing potentially sensitive contents to disk. 
+## +## https://en.wikipedia.org/wiki/Memory_paging#Linux +## +vm.swappiness=1 + + +## 5. Networking: +## +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-network +## https://wiki.archlinux.org/title/Sysctl#TCP/IP_stack_hardening + +## Enable TCP SYN cookie protection to assist against SYN flood attacks. +## +## https://en.wikipedia.org/wiki/SYN_flood +## https://cateee.net/lkddb/web-lkddb/SYN_COOKIES.html +## +net.ipv4.tcp_syncookies=1 + +## Protect against TCP time-wait assassination hazards. +## Drops RST packets for sockets in the time-wait state. +## +## https://tools.ietf.org/html/rfc1337 +## net.ipv4.tcp_rfc1337=1 -## Disables ICMP redirect acceptance. +## Enable reverse path filtering (source validation) of packets received from all interfaces. +## Prevents IP spoofing and mitigate vulnerabilities such as CVE-2019-14899. +## +## https://en.wikipedia.org/wiki/IP_address_spoofing +## https://forums.whonix.org/t/enable-reverse-path-filtering/8594 +## https://seclists.org/oss-sec/2019/q4/122 +## +net.ipv4.conf.all.rp_filter=1 +net.ipv4.conf.default.rp_filter=1 + +## Disable ICMP redirect acceptance and redirect sending messages. +## Prevents man-in-the-middle attacks and minimises information disclosure. +## net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.default.accept_redirects=0 net.ipv4.conf.all.secure_redirects=0 net.ipv4.conf.default.secure_redirects=0 net.ipv6.conf.all.accept_redirects=0 net.ipv6.conf.default.accept_redirects=0 - -## Disables ICMP redirect sending. net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_redirects=0 -## Ignores ICMP requests. +## Ignore ICMP echo requests. +## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks. +## +## https://en.wikipedia.org/wiki/Smurf_attack +## net.ipv4.icmp_echo_ignore_all=1 net.ipv6.icmp.echo_ignore_all=1 -## Ignores bogus ICMP error responses +## Ignore bogus ICMP error responses. 
+## Mitigates attacks designed to fill log files with useless error messages. +## net.ipv4.icmp_ignore_bogus_error_responses=1 -## Enables TCP syncookies. -net.ipv4.tcp_syncookies=1 - -## Disable source routing. +## Disable source routing which allows users redirect network traffic. +## Prevents man-in-the-middle attacks in which the traffic is redirected. +## +## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-disable-source-routing +## net.ipv4.conf.all.accept_source_route=0 net.ipv4.conf.default.accept_source_route=0 net.ipv6.conf.all.accept_source_route=0 net.ipv6.conf.default.accept_source_route=0 -## Enable reverse path filtering to prevent IP spoofing and -## mitigate vulnerabilities such as CVE-2019-14899. -## https://forums.whonix.org/t/enable-reverse-path-filtering/8594 -net.ipv4.conf.default.rp_filter=1 -net.ipv4.conf.all.rp_filter=1 - -#### meta end - - -## Previously disabled SACK, DSACK, and FACK. -## https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109 -#net.ipv4.tcp_sack=0 -#net.ipv4.tcp_dsack=0 -#net.ipv4.tcp_fack=0 - - -#### meta start -#### project Kicksecure -#### category networking and security -#### description -## disable IPv4 TCP Timestamps - -net.ipv4.tcp_timestamps=0 - -#### meta end - - -## Disable SysRq key -kernel.sysrq=0 - -## Restrict loading TTY line disciplines to CAP_SYS_MODULE to prevent -## unprivileged attackers from loading vulnerable line disciplines -## with the TIOCSETD ioctl which has been used in exploits before -## such as https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html +## Do not accept IPv6 router advertisements and solicitations. ## -## https://lkml.org/lkml/2019/4/15/890 -dev.tty.ldisc_autoload=0 - -## Restrict the userfaultfd() syscall to root as it can make heap sprays -## easier. 
-## -## https://duasynt.com/blog/linux-kernel-heap-spray -vm.unprivileged_userfaultfd=0 - -## Let the kernel only swap if it is absolutely necessary. -## Better not be set to zero: -## - https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Performance_Tuning_Guide/s-memory-tunables.html -## - https://en.wikipedia.org/wiki/Swappiness -vm.swappiness=1 - -## Disallow kernel profiling by users without CAP_SYS_ADMIN -## https://www.kernel.org/doc/Documentation/sysctl/kernel.txt -kernel.perf_event_paranoid=3 - -## Do not accept router advertisements net.ipv6.conf.all.accept_ra=0 net.ipv6.conf.default.accept_ra=0 + +## Disable SACK, DSACK, and FACK. +## Select acknowledgements (SACKs) are a known common vector of exploitation. +## Duplicate select acknowledgements (DSACKs) are an extension of SACK. +## Forward acknowledgements (FACKs) are a legacy option that will (eventually) be deprecated. +## Disabling can cause severe connectivity issues on networks with high latency or packet loss. +## Enabling on stable high-bandwidth networks can lead to reduced efficiency of TCP connections. +## +## https://datatracker.ietf.org/doc/html/rfc2018 +## https://datatracker.ietf.org/doc/html/rfc2883 +## https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf +## https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md +## https://wiki.archlinux.org/title/Sysctl#TCP_Selective_Acknowledgement +## https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109/5 +## +## SACK and DSACK are currently enabled. +## +#net.ipv4.tcp_sack=0 +#net.ipv4.tcp_dsack=0 +net.ipv4.tcp_fack=0 + +## Disable TCP timestamps to limit system fingerprinting via time. 
+## +## https://forums.whonix.org/t/do-ntp-and-tcp-timestamps-really-leak-your-local-time/7824 +## https://web.archive.org/web/20170201160732/https://mailman.boum.org/pipermail/tails-dev/2013-December/004520.html +## +net.ipv4.tcp_timestamps=0 + +## Previously enabled logging of packets with impossible source or destination addresses. +## Martian and unroutable packets may be used for dangerous purposes. +## Recommended to keep a (kernel dmesg) log of these to identify these suspicious packets +## Good for troubleshooting and diagnostics but not necessary by default. +## Known for causing performance issues especially on systems with multiple interfaces. +## +## https://wiki.archlinux.org/title/Sysctl#TCP_Selective_Acknowledgement +## https://github.com/Kicksecure/security-misc/issues/214 +## +## The logging of martian packets is currently disabled. +## +#net.ipv4.conf.all.log_martians=1 +#net.ipv4.conf.default.log_martians=1 From 98580bb39a495a141e7b40792fd9d232fcf29d23 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sat, 13 Jul 2024 23:29:52 +1000 Subject: [PATCH 383/846] Update modprobe presentation --- .../30_security-misc_blacklist.conf | 14 ++++++--- etc/modprobe.d/30_security-misc_disable.conf | 31 ++++++++++++------- 2 files changed, 28 insertions(+), 17 deletions(-) diff --git a/etc/modprobe.d/30_security-misc_blacklist.conf b/etc/modprobe.d/30_security-misc_blacklist.conf index f516fe2..a4401f6 100644 --- a/etc/modprobe.d/30_security-misc_blacklist.conf +++ b/etc/modprobe.d/30_security-misc_blacklist.conf 
@@ -11,24 +11,27 @@ ## CD-ROM/DVD: ## Blacklist CD-ROM and DVD modules. ## Do not disable by default for potential future ISO plans. +## ## https://nvd.nist.gov/vuln/detail/CVE-2018-11506 ## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31 -# +## blacklist cdrom blacklist sr_mod -# +## #install cdrom /usr/bin/disabled-cdrom-by-security-misc #install sr_mod /usr/bin/disabled-cdrom-by-security-misc ## Conntrack: ## Disable automatic conntrack helper assignment. +## ## https://phabricator.whonix.org/T486 -# +## options nf_conntrack nf_conntrack_helper=0 ## Framebuffer Drivers: +## ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco -# +## blacklist aty128fb blacklist atyfb blacklist cirrusfb @@ -59,9 +62,10 @@ blacklist vt8623fb blacklist udlfb ## Miscellaneous: +## ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco -# +## blacklist ath_pci blacklist amd76x_edac blacklist asus_acpi diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf index c9f5499..f82ccb6 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf +++ b/etc/modprobe.d/30_security-misc_disable.conf 
@@ -10,24 +10,26 @@ ## Bluetooth: ## Disable Bluetooth to reduce attack surface due to extended history of security vulnerabilities. +## ## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns -# +## ## Now replaced by a privacy and security preserving default Bluetooth configuration for better usability. -# +## #install bluetooth /usr/bin/disabled-bluetooth-by-security-misc #install btusb /usr/bin/disabled-bluetooth-by-security-misc ## CPU Model-Specific Registers (MSRs): ## Disable CPU MSRs as they can be abused to write to arbitrary memory. +## ## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode ## https://github.com/Kicksecure/security-misc/issues/215 -# +## #install msr /usr/bin/disabled-msr-by-security-misc ## File Systems: ## Disable uncommon file systems to reduce attack surface. ## HFS and HFS+ are legacy Apple filesystems that may be required depending on the EFI partition format. -# +## install cramfs /usr/bin/disabled-filesys-by-security-misc install freevxfs /usr/bin/disabled-filesys-by-security-misc install hfs /usr/bin/disabled-filesys-by-security-misc @@ -37,8 +39,9 @@ install udf /usr/bin/disabled-filesys-by-security-misc ## FireWire (IEEE 1394): ## Disable IEEE 1394 (FireWire/i.LINK/Lynx) modules to prevent some DMA attacks. +## ## https://en.wikipedia.org/wiki/IEEE_1394#Security_issues -# +## install dv1394 /usr/bin/disabled-firewire-by-security-misc install firewire-core /usr/bin/disabled-firewire-by-security-misc install firewire-ohci /usr/bin/disabled-firewire-by-security-misc @@ -51,7 +54,7 @@ install video1394 /usr/bin/disabled-firewire-by-security-misc ## Global Positioning Systems (GPS): ## Disable GPS-related modules like GNSS (Global Navigation Satellite System). -# +## install gnss /usr/bin/disabled-gps-by-security-misc install gnss-mtk /usr/bin/disabled-gps-by-security-misc install gnss-serial /usr/bin/disabled-gps-by-security-misc 
@@ -61,14 +64,15 @@ install gnss-usb /usr/bin/disabled-gps-by-security-misc ## Intel Management Engine (ME): ## Partially disable the Intel ME interface with the OS. +## ## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html -# +## install mei /usr/bin/disabled-intelme-by-security-misc install mei-me /usr/bin/disabled-intelme-by-security-misc ## Network File Systems: ## Disable uncommon network file systems to reduce attack surface. -# +## install cifs /usr/bin/disabled-netfilesys-by-security-misc install gfs2 /usr/bin/disabled-netfilesys-by-security-misc install ksmbd /usr/bin/disabled-netfilesys-by-security-misc @@ -78,10 +82,11 @@ install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc ## Network Protocols: ## Disables rare and unneeded network protocols that are a common source of unknown vulnerabilities. +## ## https://tails.boum.org/blueprint/blacklist_modules/ ## https://fedoraproject.org/wiki/Security_Features_Matrix#Blacklist_Rare_Protocols) ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-rare-network.conf?h=ubuntu/disco -# +## install af_802154 /usr/bin/disabled-network-by-security-misc install appletalk /usr/bin/disabled-network-by-security-misc install atm /usr/bin/disabled-network-by-security-misc 
@@ -103,17 +108,19 @@ install tipc /usr/bin/disabled-network-by-security-misc install x25 /usr/bin/disabled-network-by-security-misc ## Miscellaneous: -# +## ## Vivid: ## Disables the vivid kernel module since it has been the cause of multiple vulnerabilities. +## ## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233 ## https://www.openwall.com/lists/oss-security/2019/11/02/1 ## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475 -# +## install vivid /usr/bin/disabled-vivid-by-security-misc ## Thunderbolt: ## Disables Thunderbolt modules to prevent some DMA attacks. +## ## https://en.wikipedia.org/wiki/Thunderbolt_(interface)#Security_vulnerabilities -# +## install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc From 8f2ec75f8173b6ab970a5ef213dcf5a3f67aa84a Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sat, 13 Jul 2024 23:30:55 +1000 Subject: [PATCH 384/846] Clarify README.mmd relating to module disabling --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 114b90c..668b793 100644 --- a/README.md +++ b/README.md @@ -143,7 +143,8 @@ modules from automatically starting. Specific kernel modules are entirely disabled to reduce attack surface via `/etc/modprobe.d/30_security-misc_disable.conf`. Disabling prohibits kernel modules from starting. This approach should not be considered comprehensive, -rather it is a form of badness enumeration. +rather it is a form of badness enumeration. Any potential candidates for future +disabling should first be blacklisted for a suitable amount of time. - File Systems: Disable uncommon and legacy file systems. From 9f582665467fd4fdf20c83841305785024bceedf Mon Sep 17 00:00:00 2001 
From: Raja Grewal Date: Sat, 13 Jul 2024 23:32:01 +1000 Subject: [PATCH 385/846] Move nf_conntrack_helper disabling into separate file --- README.md | 8 ++++---- debian/security-misc.maintscript | 2 +- etc/modprobe.d/30_security-misc_blacklist.conf | 7 ------- etc/modprobe.d/30_security-misc_conntrack.conf | 11 +++++++++++ 4 files changed, 16 insertions(+), 12 deletions(-) create mode 100644 etc/modprobe.d/30_security-misc_conntrack.conf diff --git a/README.md b/README.md index 668b793..b5cf7a3 100644 --- a/README.md +++ b/README.md @@ -124,16 +124,16 @@ modules for the user, like drivers etc., given they are plugged in on startup. #### Blacklist and disable kernel modules +Conntrack: Deactivates Netfilter's connection tracking helper module which +increases kernel attack surface by enabling superfluous functionality such +as IRC parsing in the kernel. See `/etc/modprobe.d/30_security-misc_conntrack.conf`. + Certain kernel modules are blacklisted by default to reduce attack surface via `/etc/modprobe.d/30_security-misc_blacklist.conf`. Blacklisting prevents kernel modules from automatically starting. - CD-ROM/DVD: Blacklist modules required for CD-ROM/DVD devices. -- Conntrack: Deactivates Netfilter's connection tracking helper - this module - increases kernel attack surface by enabling superfluous functionality such - as IRC parsing in the kernel. Hence, this feature is disabled. - - Framebuffer Drivers: Blacklisted as they are well-known to be buggy, cause kernel panics, and are generally only used by legacy devices. diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript index 4279cf2..5d115c3 100644 --- a/debian/security-misc.maintscript +++ b/debian/security-misc.maintscript 
@@ -24,7 +24,7 @@ rm_conffile /etc/sysctl.d/kexec.conf
 rm_conffile /etc/sysctl.d/tcp_hardening.conf
 rm_conffile /etc/sysctl.d/tcp_sack.conf
-## merged into 2 files /etc/modprobe.d/30_security-misc_blacklist.conf and /etc/modprobe.d/30_security-misc_disable.conf
+## merged into 3 files /etc/modprobe.d/30_security-misc_blacklist.conf, 30_security-misc_conntrack.conf, and /etc/modprobe.d/30_security-misc_disable.conf
 rm_conffile /etc/modprobe.d/uncommon-network-protocols.conf
 rm_conffile /etc/modprobe.d/blacklist-bluetooth.conf
 rm_conffile /etc/modprobe.d/vivid.conf
diff --git a/etc/modprobe.d/30_security-misc_blacklist.conf b/etc/modprobe.d/30_security-misc_blacklist.conf
index a4401f6..6dce2d2 100644
--- a/etc/modprobe.d/30_security-misc_blacklist.conf
+++ b/etc/modprobe.d/30_security-misc_blacklist.conf
@@ -21,13 +21,6 @@ blacklist sr_mod
 #install cdrom /usr/bin/disabled-cdrom-by-security-misc
 #install sr_mod /usr/bin/disabled-cdrom-by-security-misc
-## Conntrack:
-## Disable automatic conntrack helper assignment.
-##
-## https://phabricator.whonix.org/T486
-##
-options nf_conntrack nf_conntrack_helper=0
-
 ## Framebuffer Drivers:
 ##
 ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco
diff --git a/etc/modprobe.d/30_security-misc_conntrack.conf b/etc/modprobe.d/30_security-misc_conntrack.conf
new file mode 100644
index 0000000..c1a641b
--- /dev/null
+++ b/etc/modprobe.d/30_security-misc_conntrack.conf
@@ -0,0 +1,11 @@
+## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Conntrack:
+## Disable Netfilter's automatic connection tracking helper assignment.
+## Increases kernel attack surface by enabling superfluous functionality such as IRC parsing in the kernel.
+##
+## https://conntrack-tools.netfilter.org/manual.html
+## https://forums.whonix.org/t/disable-conntrack-helper/18917
+##
+options nf_conntrack nf_conntrack_helper=0
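Review bot: The second comment line of the new conntrack file reads as if disabling the helper increases attack surface, when it is the automatic helper assignment that does; suggest `## Automatic helper assignment increases kernel attack surface by enabling superfluous functionality such as IRC parsing in the kernel.` Separately, as far as I recall the nf_conntrack_helper sysctl and module parameter were removed upstream around Linux 6.0, after which helpers must be assigned explicitly by ruleset, so on newer kernels this `options` line is silently ignored apart from a modprobe warning about an unknown parameter. It would help to state in the comment which kernel versions the setting still applies to, so a maintainer does not assume it is enforced everywhere.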
From 5ba5a85ad09b74a29c5ed0e5c265d54d93da9d32 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 13 Jul 2024 15:01:16 +0000 Subject: [PATCH 386/846] bumped changelog version --- changelog.upstream | 80 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++ 2 files changed, 86 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index c63cf13..49f6141 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,83 @@ +commit ad860063aba0443a8ac8b9cf191d008617d6d904 +Merge: f34b9d7 9f58266 +Author: Patrick Schleizer +Date: Sat Jul 13 10:55:45 2024 -0400 + + Merge remote-tracking branch 'raja/modprobe' + +commit 9f582665467fd4fdf20c83841305785024bceedf +Author: Raja Grewal +Date: Sat Jul 13 23:32:01 2024 +1000 + + Move nf_conntrack_helper disabling into separate file + +commit 8f2ec75f8173b6ab970a5ef213dcf5a3f67aa84a +Author: Raja Grewal +Date: Sat Jul 13 23:30:55 2024 +1000 + + Clarify README.mmd relating to module disabling + +commit 98580bb39a495a141e7b40792fd9d232fcf29d23 +Author: Raja Grewal +Date: Sat Jul 13 23:29:52 2024 +1000 + + Update modprobe presentation + +commit f34b9d7c45cd723535eedd3df99896ee7f852388 +Merge: 05c1711 5f10cc8 +Author: Patrick Schleizer +Date: Sat Jul 13 06:14:43 2024 -0400 + + Merge remote-tracking branch 'raja/modules' + +commit 5f10cc8bcf11654f5e0f97c07e0a7ff198013c1e +Author: Raja Grewal +Date: Fri Jul 12 16:22:10 2024 +1000 + + Update README.md relating to modprobe + +commit 41a3bf92fbdac88a1884dee735600cafa35134bf +Author: Raja Grewal +Date: Fri Jul 12 16:21:41 2024 +1000 + + Sort `30_security-misc_disable.conf` + +commit f31dc8aebc652b2037c375351fc478d9b5ba4c27 +Author: Raja Grewal +Date: Fri Jul 12 16:21:03 2024 +1000 + + Fix error in error script + +commit b02230a783941da412be72fb52053db0c6b8010f +Author: Raja Grewal +Date: Fri Jul 12 02:42:37 2024 +1000 + + Split modprobe into blacklisted and disabled configurations + +commit fc792ff23234399ed299c3fdc086d47c87d9b4a3 +Author: Raja Grewal +Date: Fri Jul 12 02:29:36 2024 +1000 + + Alphabetically sort existing modprobe + +commit fe20f3240e2f31099bcaa9f9e2045320df810edf +Author: Raja Grewal +Date: Fri Jul 12 02:28:48 2024 +1000 + + Refactor existing modprobe for clarity + +commit 275a4ffc1114856cbd9a1cd49701dcb25d87bfb5 +Author: Raja Grewal +Date: Fri Jul 12 02:27:56 2024 +1000 + + Remove redundant disabled modules + +commit 05c1711b16c96a221c13a011a6666fe6b385ec1e +Author: 
Patrick Schleizer +Date: Tue Jun 11 12:56:56 2024 +0000 + + bumped changelog version + commit e48115588caae8e51bb980ac84b1f0f415ca0d17 Merge: b316352 cad8d85 Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index 0cf310c..058cddc 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:37.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 13 Jul 2024 15:01:15 +0000 + security-misc (3:37.6-1) unstable; urgency=medium * New upstream version (local package). From 565597c9a282b08697d04204f5eb9c22153e77bd Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sun, 14 Jul 2024 01:21:24 +1000 Subject: [PATCH 387/846] Minor documentation changes and fixes --- .../sysctl.d/30_security-misc_kexec-disable.conf | 13 +++++++------ usr/lib/sysctl.d/30_silent-kernel-printk.conf | 12 ++++-------- usr/lib/sysctl.d/990-security-misc.conf | 14 +++++++------- 3 files changed, 18 insertions(+), 21 deletions(-) diff --git a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf index ad2f6bd..74c0bbf 100644 --- a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf +++ b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf 
@@ -1,15 +1,16 @@
 ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
+## NOTE:
+## Why is this in a dedicated config file?
+## Package ram-wipe requires kexec. However, ram-wipe could not ship a config
+## file /etc/sysctl.d/40_ram-wipe.conf which sets 'kernel.kexec_load_disabled=0'.
+## This is because once systemd-sysctl.service has set 'kernel.kexec_load_disabled=1'
+## it cannot be undone without reboot. This is a upstream Linux security feature.
+
 ## Disables kexec which can be used to replace the running kernel.
 ## Useful for live kernel patching without rebooting.
 ##
 ## https://en.wikipedia.org/wiki/Kexec
 ##
 kernel.kexec_load_disabled=1
-
-## Why is this in a dedicated config file?
-## Package ram-wipe requires kexec. However, ram-wipe could not ship a config
-## file /etc/sysctl.d/40_ram-wipe.conf which sets 'kernel.kexec_load_disabled=0'.
-## This is because once systemd-sysctl.service has set 'kernel.kexec_load_disabled=1'
-## it cannot be undone without reboot. This is a upstream Linux security feature.
diff --git a/usr/lib/sysctl.d/30_silent-kernel-printk.conf b/usr/lib/sysctl.d/30_silent-kernel-printk.conf
index 5ac7b6f..7283bcb 100644
--- a/usr/lib/sysctl.d/30_silent-kernel-printk.conf
+++ b/usr/lib/sysctl.d/30_silent-kernel-printk.conf
@@ -1,14 +1,10 @@
 ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
+## NOTE:
+## For higher verbosity, delete file /etc/default/grub.d/41_quiet.cfg.
+## Alternatively, install the debug-misc package which will undo these settings.
+
 ## Prevent kernel information leaks in the console during boot.
 ##
 kernel.printk = 3 3 3 3
-
-## NOTE:
-## For higher verbosity, the user might also want to delete file
-## /etc/default/grub.d/41_quiet.cfg
-## (or out-comment its settings).
-##
-## Alternatively, the user could consider to install the debug-misc package,
-## which will undo the settings found here.
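Review bot: The relocated NOTE in 30_security-misc_kexec-disable.conf explains why a dedicated file is needed but not how ram-wipe takes advantage of it; presumably ram-wipe ships a same-named file under /etc/sysctl.d/ that masks this one before systemd-sysctl applies it, and saying so explicitly would let the next maintainer see why the file name itself is part of the contract. The closing sentence also carries a typo the move preserved: `## it cannot be undone without reboot. This is an upstream Linux security feature.`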
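Review bot: The rewritten NOTE in 30_silent-kernel-printk.conf points at /etc/default/grub.d/41_quiet.cfg, but the diffstat of PATCH 392/846 later in this series renames that file to etc/default/grub.d/41_quiet_boot.cfg, so this reference goes stale within the same patch set; either update it in that commit or describe the quiet-boot drop-in without hard-coding the name. Minor: `kernel.printk = 3 3 3 3` uses spaces around `=` while the mirrored, commented-out entry in 990-security-misc.conf is written `#kernel.printk=3 3 3 3`; both forms are accepted, but matching them makes the setting easier to grep across the two files.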
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index c1bf3e9..2f47e89 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -2,8 +2,8 @@
 ## See the file COPYING for copying conditions.
 ## NOTE:
-## This file has a strange name so that `/usr/lib/sysctl.d/99-protect-links.conf` is
-## first parsed and then followed by `/usr/lib/sysctl.d/990-security-misc.conf`.
+## This file has a strange name so that /usr/lib/sysctl.d/99-protect-links.conf is
+## first parsed and then followed by /usr/lib/sysctl.d/990-security-misc.conf.
 ## https://github.com/Kicksecure/security-misc/pull/135
 ## This configuration file is split into 5 sections:
@@ -39,9 +39,9 @@ kernel.dmesg_restrict=1
 ## Prevent kernel information leaks in the console during boot.
 ##
-## See `/usr/lib/sysctl.d/30_silent-kernel-printk.conf` for implementation.
+## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation.
 ##
-#kernel.printk=3 3 3 3s
+#kernel.printk=3 3 3 3
 ## Restrict eBPF access to CAP_BPF and enable associated JIT compiler hardening.
 ##
@@ -71,7 +71,7 @@ vm.unprivileged_userfaultfd=0
 ##
 ## https://en.wikipedia.org/wiki/Kexec
 ##
-## See `/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf` for implementation.
+## See /usr/lib/sysctl.d/30_security-misc_kexec-disable.conf for implementation.
 ##
 #kernel.kexec_load_disabled=1
@@ -139,7 +139,7 @@ kernel.yama.ptrace_scope=2
 ##
 ## https://forums.whonix.org/t/automate-mmap-randomisation-to-fix-ppc64el/16514
 ##
-## See `/usr/libexec/security-misc/mmap-rnd-bits` for implementation.
+## See /usr/libexec/security-misc/mmap-rnd-bits for implementation.
 ##
 #vm.mmap_rnd_bits=32
 #vm.mmap_rnd_compat_bits=16
@@ -314,7 +314,7 @@ net.ipv4.tcp_timestamps=0
 ## Good for troubleshooting and diagnostics but not necessary by default.
 ## Known for causing performance issues especially on systems with multiple interfaces.
 ##
-## https://wiki.archlinux.org/title/Sysctl#TCP_Selective_Acknowledgement
+## https://wiki.archlinux.org/title/Sysctl#Log_martian_packets
 ## https://github.com/Kicksecure/security-misc/issues/214
 ##
 ## The logging of martian packets is currently disabled.
From dd1741c4a1cd18f34f69437c00f3a78a9ebd402a Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sun, 14 Jul 2024 13:40:53 +1000 Subject: [PATCH 388/846] Some documentation additions and fixes --- usr/lib/sysctl.d/990-security-misc.conf | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index 2f47e89..322abb8 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -98,6 +98,7 @@ kernel.sysrq=0
 ## Restricts kernel profiling to CAP_PERFMON.
 ## The performance events system should not be accessible by unprivileged users.
+## Other distributions such as Ubuntu and Fedora may permit further restricting.
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html#unprivileged-users
 ## https://lore.kernel.org/kernel-hardening/1469630746-32279-1-git-send-email-jeffv@google.com/
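Review bot: The added line `## Other distributions such as Ubuntu and Fedora may permit further restricting.` in the perf_event_paranoid hunk leaves the reader guessing what "further" means; mainline Linux accepts at most 3, and the stricter value 4, which refuses perf_event_open() to unprivileged users outright, comes from a non-mainline distribution patch that to my knowledge the Debian and Ubuntu kernels carry. Since this package targets Debian-based systems, the comment would be more useful if it named the value and said whether it applies here, e.g. `## Distribution kernels carrying a non-mainline patch also accept 4, which disables perf_event_open() for unprivileged users entirely.`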
@@ -126,9 +127,16 @@ kernel.io_uring_disabled=2
 ## Restrict usage of the ptrace() system call to only processes with CAP_SYS_PTRACE.
 ## Limit ptrace() as it enables programs to inspect and modify other active processes.
-## This may break some programs running under WINE.
+## Prevents native code debugging which some programs use as a method to detect tampering.
+## May cause breakages in 'anti-cheat' software and programs running under Proton/WINE.
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html#ptrace-scope
+## https://en.wikipedia.org/wiki/Ptrace
+## https://grapheneos.org/features#attack-surface-reduction
+## https://github.com/GrapheneOS/os-issue-tracker/issues/651#issuecomment-917599928
+## https://github.com/netblue30/firejail/issues/2860
+##
+## It is possible to harden further by disabling ptrace() for all users, see documentation.
 ##
 kernel.yama.ptrace_scope=2
@@ -301,16 +309,16 @@ net.ipv6.conf.default.accept_ra=0
 #net.ipv4.tcp_dsack=0
 net.ipv4.tcp_fack=0
-## Disable TCP timestamps to limit system fingerprinting via time.
+## Disable TCP timestamps to limit device fingerprinting via system time.
 ##
 ## https://forums.whonix.org/t/do-ntp-and-tcp-timestamps-really-leak-your-local-time/7824
 ## https://web.archive.org/web/20170201160732/https://mailman.boum.org/pipermail/tails-dev/2013-December/004520.html
 ##
 net.ipv4.tcp_timestamps=0
-## Previously enabled logging of packets with impossible source or destination addresses.
+## Enable logging of packets with impossible source or destination addresses.
 ## Martian and unroutable packets may be used for dangerous purposes.
-## Recommended to keep a (kernel dmesg) log of these to identify these suspicious packets
+## Recommended to keep a (kernel dmesg) log of these to identify these suspicious packets.
 ## Good for troubleshooting and diagnostics but not necessary by default.
 ## Known for causing performance issues especially on systems with multiple interfaces.
 ##
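Review bot: `## It is possible to harden further by disabling ptrace() for all users, see documentation.` omits the one caveat an operator must know before trying it: per the Yama document linked two lines above, kernel.yama.ptrace_scope=3 blocks PTRACE_ATTACH and PTRACE_TRACEME for every process, CAP_SYS_PTRACE included, and once set it cannot be changed back without a reboot, which also leaves gdb and strace unusable until then. Suggest `## Setting kernel.yama.ptrace_scope=3 disables ptrace() for all users including root; once set it cannot be lowered without a reboot.` so the irreversibility is stated next to the value, as the kexec file in this package already does for its own one-way sysctl.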
From 2b9e174c9db69f2c30828aae236c631d46255e07 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sun, 14 Jul 2024 16:22:52 +1000 Subject: [PATCH 389/846] Remove empty lines --- usr/lib/sysctl.d/990-security-misc.conf | 4 ---- 1 file changed, 4 deletions(-)
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index 322abb8..5fbe51c 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -120,7 +120,6 @@ kernel.randomize_va_space=2
 ##
 kernel.io_uring_disabled=2
-
 ## 2.User Space:
 ##
 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace
@@ -184,7 +183,6 @@ fs.protected_regular=2
 ##
 vm.max_map_count=1048576
-
 ## 3. Core Dumps:
 ##
 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps
@@ -207,7 +205,6 @@ fs.suid_dumpable=0
 ##
 kernel.core_uses_pid=1
-
 ## 4. Swap Space:
 ##
 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#swap
@@ -219,7 +216,6 @@ kernel.core_uses_pid=1
 ##
 vm.swappiness=1
-
 ## 5. Networking:
 ##
 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-network
From 5cf9afc21563712b851850e2041141807503807c Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sun, 14 Jul 2024 17:05:49 +1000 Subject: [PATCH 390/846] Include optional `sysctl`'s in README.md --- README.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 9ed387b..d49d65f 100644
--- a/README.md
+++ b/README.md
@@ -35,6 +35,9 @@ space, user space, core dumps, and swap space. - Entirely disables the SysRq key so that the Secure Attention Key (SAK) can no longer be utilised. +- Provide option to disable unprivileged user namespaces as they can lead to + privilege escalation. + - Restrict kernel profiling and the performance events system to `CAP_PERFMON`. - Randomise the addresses (ASLR) for mmap base, stack, VDSO pages, and heap.
@@ -42,7 +45,8 @@ space, user space, core dumps, and swap space. - Disable asynchronous I/O (when using Linux kernel version >= 6.6). - Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it - enables programs to inspect and modify other active processes. + enables programs to inspect and modify other active processes. Provide option + to also entirely disable the use of `ptrace()` for all processes. - Prevent hardlink and symlink TOCTOU races in world-writable directories. @@ -75,8 +79,14 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6. - Do not accept IPv6 router advertisements and solicitations. +- Provide option to disable SACK and DSACK as they have historically been a + vector for exploitation. + - Disable TCP timestamps as it can allow detecting the system time. +- Provide option to log of packets with impossible source or destination + addresses to enable inspection and further analysis. + ### mmap ASLR - The bits of entropy used for mmap ASLR are maxed out via From acd60e45d8cbc98ea935c9bf035f2840622ab58d Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sun, 14 Jul 2024 20:07:31 +1000 Subject: [PATCH 391/846] Add comment about enabling core dump files --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index d49d65f..5d9b594 100644 --- a/README.md +++ b/README.md @@ -54,7 +54,8 @@ space, user space, core dumps, and swap space. - Increase the maximum number of memory map areas a process is able to utilise. -- Disable core dump files and prevent their creation. +- Disable core dump files and prevent their creation. If core dump files are + enabled, they will be nammed based on `core.PID` instead of the default `core`. - Limit the copying of potentially sensitive content in memory to the swap device. From a33d4cd099b8cbf569ff35627eeacf3562a4371e Mon Sep 17 00:00:00 2001 
From: Raja Grewal Date: Mon, 15 Jul 2024 01:56:25 +1000 Subject: [PATCH 392/846] Refactor existing kernel parameters for clarity --- README.md | 65 ++++--- etc/default/grub.d/40_cpu_mitigations.cfg | 59 +++--- etc/default/grub.d/40_distrust_bootloader.cfg | 7 - etc/default/grub.d/40_distrust_cpu.cfg | 12 -- etc/default/grub.d/40_enable_iommu.cfg | 17 -- etc/default/grub.d/40_kernel_hardening.cfg | 183 ++++++++++++++---- .../grub.d/40_only_allow_signed_modules.cfg | 8 - ...mount-secure.cfg => 40_remount_secure.cfg} | 15 +- etc/default/grub.d/40_signed_modules.cfg | 25 +++ etc/default/grub.d/41_quiet.cfg | 27 --- etc/default/grub.d/41_quiet_boot.cfg | 21 ++ 11 files changed, 284 insertions(+), 155 deletions(-) delete mode 100644 etc/default/grub.d/40_distrust_bootloader.cfg delete mode 100644 etc/default/grub.d/40_distrust_cpu.cfg delete mode 100644 etc/default/grub.d/40_enable_iommu.cfg delete mode 100644 etc/default/grub.d/40_only_allow_signed_modules.cfg rename etc/default/grub.d/{40_remmount-secure.cfg => 40_remount_secure.cfg} (52%) create mode 100644 etc/default/grub.d/40_signed_modules.cfg delete mode 100644 etc/default/grub.d/41_quiet.cfg create mode 100644 etc/default/grub.d/41_quiet_boot.cfg diff --git a/README.md b/README.md index b5cf7a3..fde0464 100644 --- a/README.md +++ b/README.md 
@@ -67,36 +67,54 @@ configuration file. ### Boot parameters -Boot parameters are outlined in configuration files located in the -`etc/default/grub.d/` directory. +Mitigations for known CPU vulnerabilities are enabled in their strictest form +and simultaneous multithreading (SMT) is disabled. See the +`/etc/default/grub.d/40_cpu_mitigations.cfg` configuration file. -- Slab merging is disabled which significantly increases the difficulty of - heap exploitation by preventing overwriting objects from merged caches and - by making it harder to influence slab cache layout. +Boot parameters relating to kernel hardening, DMA mitigations, and entropy +generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg` +configuration file. -- Memory zeroing at allocation and free time is enabled to mitigate some - use-after-free vulnerabilities and erase sensitive information in memory. +- Disable merging of slabs with similar size which reduces the risk of + triggering heap overflows and limits influencing slab cache layout. -- Page allocator freelist randomization is enabled. +- Provides option to enable sanity checks and red zoning via slab debugging. + Not reccommened due to implicit disabling of kernel pointer hashing. -- Kernel Page Table Isolation is enabled to mitigate Meltdown and increase - KASLR effectiveness. +- Enable Memory zeroing at both allocation and free time which mitigate some + use-after-free vulnerabilities by erasing sensitive information in memory. -- vsyscalls are disabled as they are obsolete, are at fixed addresses and - thus, are a potential target for ROP. +- Enable the kernel page allocator to randomise free lists to limit some data + exfiltration and ROP attacks especially during the early boot process. -- The kernel panics on oopses to thwart certain kernel exploits. +- Enable kernel page table isolation increase KASLR effectiveness and also + mitigate the Meltdown CPU vulnerability. 
-- Enables randomisation of the kernel stack offset on syscall entries. +- Enables randomisation of the kernel stack offset on syscall entries to harden + against memory corruption attacks. -- Mitigations for known CPU vulnerabilities are enabled and SMT is - disabled. +- Disable vsyscalls as they are vulnerable to ROP attacks and have now been + replaced by vDSO. -- IOMMU is enabled to prevent DMA attacks along with strict enforcement of - IOMMU TLB invalidation so devices will never be able to access stale data - contents. +- Restrict access to debugfs by not registering the file system since it can + contain sensitive information. -- Distrust the 'randomly' generated CPU and bootloader seeds. +- Force kernel panics on "oopses" to potentially indicate and thwart certain + kernel exploitation attempts. + +- Provide option to modify machine check exception handler. + +- Enable strict IOMMU translation to protect against DMA attacks and disable + the busmaster bit on all PCI bridges during the early boot process. + +- Do not credit the CPU or bootloader as entropy sources at boot in order to + maximise the absolute quantity of entropy the pool. + +- Obtain more entropy at boot from RAM as the runtime memory allocator is + being initialised. + +Disallow sensitive kernel information leaks in the console during boot. See +the `/etc/default/grub.d/40_quiet_boot.cfg` configuration file. ### Kernel Modules @@ -109,7 +127,7 @@ Not yet due to issues: See: -- `/etc/default/grub.d/40_only_allow_signed_modules.cfg` +- `/etc/default/grub.d/40_signed_modules.cfg` #### Disables the loading of new modules to the kernel after the fact 
@@ -259,8 +277,9 @@ See: `/usr/lib/modules-load.d/30_security-misc.conf` configuration file. - Distrusts the CPU for initial entropy at boot as it is not possible to - audit, may contain weaknesses or a backdoor. For references, see: - `/etc/default/grub.d/40_distrust_cpu.cfg` + audit, may contain weaknesses or a backdoor. Similarly, do not credit the + bootloader seed for initial entropy. For references, see: + `/etc/default/grub.d/40_kernel_hardening.cfg` - Gathers more entropy during boot if using the linux-hardened kernel patch. diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index 99582ae..13d8ffd 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg 
@@ -1,99 +1,114 @@ ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Enables known mitigations for CPU vulnerabilities. -## +## Enable known mitigations for CPU vulnerabilities. ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html ## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647 ## Check for potential updates directly from AMD and Intel. -## ## https://www.amd.com/en/resources/product-security.html ## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/advisory-guidance.html ## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/disclosure-documentation.html ## Enable a subset of known mitigations for CPU vulnerabilities and disable SMT. +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt" +## Disable SMT as it has been the cause of and amplified numerous CPU exploits. +## The only full mitigation of cross-HT attacks is to disable SMT. +## +## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html +## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17 +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force" + ## Enable mitigations for both Spectre Variant 2 (indirect branch speculation) ## and Intel branch history injection (BHI) vulnerabilities. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on spectre_bhi=on" +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_bhi=on" ## Disable Speculative Store Bypass (Spectre Variant 4). 
## ## https://www.suse.com/support/kb/doc/?id=000019189 +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on" ## Enable mitigations for the L1TF vulnerability through disabling SMT ## and L1D flush runtime control. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1tf=full,force" ## Enable mitigations for the MDS vulnerability through clearing buffer cache ## and disabling SMT. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt" -## Patches the TAA vulnerability by disabling TSX and enables mitigations using +## Patches the TAA vulnerability by disabling TSX and enable mitigations using ## TSX Async Abort along with disabling SMT. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off tsx_async_abort=full,nosmt" +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx_async_abort=full,nosmt" ## Mark all huge pages in the EPT as non-executable to mitigate iTLB multihit. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force" -## Enables mitigations for SRBDS to prevent MDS attacks on RDRAND and RDSEED instructions. -## Only mitigated through microcode updates from Intel. +## Mitigations for SRBDS to prevent MDS attacks on RDRAND and RDSEED instructions +## are only possible through microcode updates from Intel. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/special-register-buffer-data-sampling.html ## https://access.redhat.com/solutions/5142691 -## Force disable SMT as it has caused numerous CPU vulnerabilities. -## The only full mitigation of cross-HT attacks is to disable SMT. 
-## -## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html -## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17 -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force" - -## Enables the prctl interface to prevent leaks from L1D on context switches. +## Enable the prctl() interface to prevent leaks from L1D on context switches. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1d_flush.html +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1d_flush=on" -## Mitigates numerous MMIO Stale Data vulnerabilities and disables SMT. +## Mitigate numerous MMIO Stale Data vulnerabilities and disable SMT. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mmio_stale_data=full,nosmt" ## Enable mitigations for RETBleed (Arbitrary Speculative Code Execution with ## Return Instructions) vulnerability and disable SMT. ## ## https://www.suse.com/support/kb/doc/?id=000020693 +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt" ## Control RAS overflow mitigation on AMD Zen CPUs. -## The current default kernel parameter is 'spec_rstack_overflow=safe-ret' -## This default will used until provided sufficient evidence to modify. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html +## +## The default kernel setting will be utilised until provided sufficient evidence to modify. +## +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_rstack_overflow=safe-ret" -## Mitigates Gather Data Sampling (GDS) vulnerability. +## Enable Gather Data Sampling (GDS) mitigation. ## Note for systems that have not received a suitable microcode update this will ## entirely disable use of the AVX instructions set. 
## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/gather_data_sampling.html +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX gather_data_sampling=force" -## Register File Data Sampling (RFDS) mitigation on Intel Atom CPUs which +## Enable Register File Data Sampling (RFDS) mitigation on Intel Atom CPUs which ## encompasses E-cores on hybrid architectures. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/reg-file-data-sampling.html -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX reg_file_data_sampling=on" +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX reg_file_data_sampling=on" \ No newline at end of file diff --git a/etc/default/grub.d/40_distrust_bootloader.cfg b/etc/default/grub.d/40_distrust_bootloader.cfg deleted file mode 100644 index eb26262..0000000 --- a/etc/default/grub.d/40_distrust_bootloader.cfg +++ /dev/null @@ -1,7 +0,0 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Distrusts the bootloader for initial entropy at boot. -## -## https://lkml.org/lkml/2022/6/5/271 -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_bootloader=off" diff --git a/etc/default/grub.d/40_distrust_cpu.cfg b/etc/default/grub.d/40_distrust_cpu.cfg deleted file mode 100644 index 5cfaba9..0000000 --- a/etc/default/grub.d/40_distrust_cpu.cfg +++ /dev/null 
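Review bot: The hunk ends with `\ No newline at end of file` after the `reg_file_data_sampling=on` line, a regression from the previous version; grub.d fragments are sourced and concatenated by `grub-mkconfig`, and an unterminated last line is the classic way for a later appended fragment or a `cat`-based debugging aid to end up on the same line as this assignment. Please keep the file newline-terminated. Separately, several of the options now listed (`spectre_bhi=`, `reg_file_data_sampling=`) are only understood by kernels that carry the 2024 mitigations; on older kernels they are reported as unknown parameters and handed to init's environment, which is harmless but worth a one-line comment such as `## Parameters unknown to the running kernel are ignored and passed to init; older kernels will log them.` so users are not alarmed by the boot warning.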
@@ -1,12 +0,0 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Distrusts the CPU for initial entropy at boot as it is not possible to -## audit, may contain weaknesses or a backdoor. -## -## https://en.wikipedia.org/wiki/RDRAND#Reception -## https://twitter.com/pid_eins/status/1149649806056280069 -## https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html -## https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566 -## https://lkml.org/lkml/2022/6/5/271 -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off" diff --git a/etc/default/grub.d/40_enable_iommu.cfg b/etc/default/grub.d/40_enable_iommu.cfg deleted file mode 100644 index 898e500..0000000 --- a/etc/default/grub.d/40_enable_iommu.cfg +++ /dev/null @@ -1,17 +0,0 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Enables IOMMU to prevent DMA attacks. -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on amd_iommu=force_isolation" - -## Disable the busmaster bit on all PCI bridges during very -## early boot to avoid holes in IOMMU. -## -## https://mjg59.dreamwidth.org/54433.html -## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94 -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma" - -## Enables strict enforcement of IOMMU TLB invalidation so devices will never be able to access stale data contents -## https://github.com/torvalds/linux/blob/master/drivers/iommu/Kconfig#L97 -## Page 11 of https://lenovopress.lenovo.com/lp1467.pdf -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu=force iommu.passthrough=0 iommu.strict=1" diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 4c70928..0129fe9 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg 
+++ b/etc/default/grub.d/40_kernel_hardening.cfg 
@@ -5,58 +5,169 @@ kpkg="linux-image-$(dpkg --print-architecture)" || true kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || true #echo "## kver: $kver" -## Disables the merging of slabs of similar sizes. -## Sometimes a slab can be used in a vulnerable way which an attacker can exploit. +## This configuration file is split into 3 sections: +## 1. Kernel Space +## 2. Direct Memory Access +## 3. Entropy + +## See the documentation below for details on the majority of the selected commands. +## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html +## https://wiki.archlinux.org/title/Kernel_parameters#GRUB + +## 1. Kernel Space: +## +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#boot-parameters + +## Disable merging of slabs with similar size. +## Reduces the risk of triggering heap overflows. +## Prevents overwriting objects from merged caches and limits influencing slab cache layout. +## +## https://www.openwall.com/lists/kernel-hardening/2017/06/19/33 +## https://www.openwall.com/lists/kernel-hardening/2017/06/20/10 +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge" -## Enables sanity checks (F) and redzoning (Z). -## Disabled due to kernel deciding to implicitly disable kernel pointer hashing -## https://github.com/torvalds/linux/commit/792702911f581f7793962fbeb99d5c3a1b28f4c3 +## Enable sanity checks and red zoning of slabs. +## +## https://www.kernel.org/doc/html/latest/mm/slub.html +## https://lore.kernel.org/all/20210601182202.3011020-5-swboyd@chromium.org/T/#u +## +## Disabled as enabling this implicitly disables kernel pointer hashing. +## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZ" -## Zero memory at allocation and free time. -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_alloc=1 init_on_free=1" +## Zero memory at allocation time and free time. +## Fills newly allocated pages, freed pages, and heap objects with zeros. 
+## Mitigates use-after-free exploits by erasing sensitive information in memory. +## +## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6471384af2a6530696fc0203bafe4de41a23c9ef +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_alloc=1" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_free=1" -## Machine check exception handler decides whether the system should panic or not based on the exception that happened. -## https://forums.whonix.org/t/kernel-hardening/7296/494 -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0" - -## Enables Kernel Page Table Isolation which mitigates Meltdown and improves KASLR. -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on" - -## Vsyscalls are obsolete, are at fixed addresses and are a target for ROP. -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none" - -## Enables page allocator freelist randomization. +## Enable the kernel page allocator to randomise free lists. +## During early boot the page allocator has predictable FIFO behaviour for physical pages. +## Limits some data exfiltration and ROP attacks that rely on inferring sensitive data location. +## Also improves performance by optimising memory-side cache utilisation. +## +## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e900a918b0984ec8f2eb150b8477a47b75d17692 +## https://en.wikipedia.org/wiki/Return-oriented_programming#Attacks +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1" -## Enables randomisation of the kernel stack offset on syscall entries (introduced in kernel 5.13). +## Enable kernel page table isolation to harden against kernel ASLR (KASLR) bypasses. +## Mitigates the Meltdown CPU vulnerability. +## +## https://en.wikipedia.org/wiki/Kernel_page-table_isolation +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on" + +## Enable randomisation of the kernel stack offset on syscall entries. +## Hardens against memory corruption attacks due to increased entropy. 
+## Limits attacks relying on deterministic stack addresses or cross-syscall address exposure. +## ## https://lkml.org/lkml/2019/3/18/246 +## https://a13xp0p0v.github.io/2020/02/15/CVE-2019-18683.html +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX randomize_kstack_offset=on" -## Enables kernel lockdown. +## Disable vsyscalls to reduce attack surface as they have been replaced by vDSO. +## Vulnerable to ROP attacks as vsyscalls are located at fixed addresses in memory. ## -## Disabled for now as it enforces module signature verification which breaks -## too many things. -## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880 +## https://lwn.net/Articles/446528/ +## https://en.wikipedia.org/wiki/VDSO ## -#if dpkg --compare-versions "${kver}" ge "5.4"; then -# GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX lockdown=confidentiality" -#fi +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none" -## Gather more entropy during boot. +## Restrict access to debugfs by not registering the file system. +## Deactivated since the file system can contain sensitive information. ## -## Requires linux-hardened kernel patch. -## https://github.com/anthraxx/linux-hardened -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy" - -## Restrict access to debugfs since it can contain a lot of sensitive information. ## https://lkml.org/lkml/2020/7/16/122 -## https://github.com/torvalds/linux/blob/fb1201aececc59990b75ef59fca93ae4aa1e1444/Documentation/admin-guide/kernel-parameters.txt#L835-L848 +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" -## Force the kernel to panic on "oopses" (which may be due to false positives) +## Force the kernel to panic on "oopses". +## Can sometimes potentially indicate and thwart certain kernel exploitation attempts. +## Also cause panics on machine check exceptions. +## Panics may be due to false-positives such as bad drivers. 
+## ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713 -## Implemented differently: -## /usr/libexec/security-misc/panic-on-oops +## +## See /usr/libexec/security-misc/panic-on-oops for implementation. +## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX oops=panic" + +## Modify machine check exception handler. +## Can decide whether the system should panic or not based on the occurrence of an exception. +## +## https://www.kernel.org/doc/html/latest/arch/x86/x86_64/machinecheck.html +## https://www.kernel.org/doc/html/latest/arch/x86/x86_64/boot-options.html#machine-check +## https://forums.whonix.org/t/kernel-hardening/7296/494 +## +## The default kernel setting will be utilised until provided sufficient evidence to modify. +## +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0" + +## 2. Direct Memory Access: +## +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#dma-attacks + +## Enable CPU manufacturer-specific IOMMU drivers to protect against DMA attacks. +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX amd_iommu=force_isolation" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu" + +## Enable and force use of IOMMU translation to protect against DMA attacks. +## Strictly force DMA unmap operations to synchronously invalidate IOMMU hardware TLBs. +## Ensures devices will never be able to access stale data contents. +## +## https://en.wikipedia.org/wiki/Input%E2%80%93output_memory_management_unit +## https://en.wikipedia.org/wiki/DMA_attack +## https://lenovopress.lenovo.com/lp1467.pdf +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu=force" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.passthrough=0" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.strict=1" + +## Disable the busmaster bit on all PCI bridges during the early boot process. +## Patches weak-point in some existing IOMMU implementations. +## May lead to issues such as complete system boot failure on certain devices. 
+## +## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94 +## https://mjg59.dreamwidth.org/54433.html +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma" + +## 3. Entropy: +## +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#rdrand + +## Do not credit the CPU or bootloader seeds as entropy sources at boot. +## The RDRAND CPU (RNG) instructions are proprietary and closed-source. +## Numerous implementations of RDRAND have a long history of being defective. +## The RNG seed passed by the bootloader could also potentially be tampered. +## Maximising the entropy pool at boot is desirable for all cryptographic operations. +## These settings ensure additional entropy is obtained from other sources to initialise the RNG. +## Note that distrusting these (relatively fast) sources of entropy will increase boot time. +## +## https://en.wikipedia.org/wiki/RDRAND#Reception +## https://systemd.io/RANDOM_SEEDS/ +## https://arstechnica.com/gadgets/2019/10/how-a-months-old-amd-microcode-bug-destroyed-my-weekend/ +## https://x.com/pid_eins/status/1149649806056280069 +## https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html +## https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566 +## https://github.com/NixOS/nixpkgs/pull/165355 +## https://lkml.org/lkml/2022/6/5/271 +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_bootloader=off" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off" + +## Obtain more entropy during boot as the runtime memory allocator is being initialised. +## Entropy will be extracted from up to the first 4GB of RAM. +## Requires the linux-hardened kernel patch. 
+## +## https://www.kicksecure.com/wiki/Hardened-kernel#linux-hardened +## https://github.com/anthraxx/linux-hardened/commit/c3e7df1dba1eb8105d6d5143079a6a0ad9e9ebc7 +## https://github.com/anthraxx/linux-hardened/commit/a04458f97fe1f7e95888c77c0165b646375db9c4 +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy" diff --git a/etc/default/grub.d/40_only_allow_signed_modules.cfg b/etc/default/grub.d/40_only_allow_signed_modules.cfg deleted file mode 100644 index 5d1a357..0000000 --- a/etc/default/grub.d/40_only_allow_signed_modules.cfg +++ /dev/null @@ -1,8 +0,0 @@ -## Requires every module to be signed before being loaded. -## Any module that is unsigned or signed with an invalid key cannot be loaded. -## This makes it harder to load a malicious module. -## -## Not enabled by default yet due to issues: -## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/61 -## https://github.com/dell/dkms/issues/359 -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX module.sig_enforce=1" diff --git a/etc/default/grub.d/40_remmount-secure.cfg b/etc/default/grub.d/40_remount_secure.cfg similarity index 52% rename from etc/default/grub.d/40_remmount-secure.cfg rename to etc/default/grub.d/40_remount_secure.cfg index 4bdc3a9..c180456 100644 --- a/etc/default/grub.d/40_remmount-secure.cfg +++ b/etc/default/grub.d/40_remount_secure.cfg 
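Review bot: The DMA section drops the value from the Intel option: the deleted 40_enable_iommu.cfg carried `intel_iommu=on`, but the replacement line is `GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu"`. As far as I can tell the kernel's `intel_iommu=` handler only matches when a value follows the `=`, so on Intel hosts this silently leaves the IOMMU at the kernel's build default (off unless the distribution enables CONFIG_INTEL_IOMMU_DEFAULT_ON), which defeats the `iommu=force`/`iommu.strict=1` lines that follow it. The fix is to restore the value, `GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on"`, ideally with a short comment noting that `iommu=force` does not by itself turn the Intel driver on. The `kpkg`/`kver` preamble at the top of the hunk is unchanged context and keeps its pre-existing quirk of redirecting stderr on a bare assignment rather than inside the substitution.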
@@ -1,16 +1,25 @@ ## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. +## Remount Secure provides enhanced security via mmount options: ## https://www.kicksecure.com/wiki/Security-misc#Remount_Secure +## Option A (No Security): ## Disable Remount Secure. +## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=0" -## Re-mount with nodev, nosuid only. +## Option B (Low Security): +## Re-mount with nodev and nosuid only. +## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=1" -## Re-mount with nodev, nosuid and most with noexec except for /home. +## Option C (Medium Security): +## Re-mount with nodev, nosuid, and noexec for most mount points, excluding /home. +## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=2" -## Re-mount with nodev, nosuid and all with noexec including /home. +## Option D (Highest Security) +## Re-mount with nodev, nosuid, and noexec for all mount points including /home. +## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=3" diff --git a/etc/default/grub.d/40_signed_modules.cfg b/etc/default/grub.d/40_signed_modules.cfg new file mode 100644 index 0000000..9a6a101 --- /dev/null +++ b/etc/default/grub.d/40_signed_modules.cfg 
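Review bot: The new header line has a typo, `## Remount Secure provides enhanced security via mmount options:` should read `mount options`, and the "Option D (Highest Security)" label is missing the colon the other three options carry. More usefully, with all four `remountsecure=` lines commented out the file never says which level the package applies by default; since the options are presented as a menu, a line such as `## If none of the options below is uncommented, the package default applies (see the wiki page above).` would save the reader a trip to the documentation. The severity labels ("No Security", "Low Security") are fine as orientation but might be read as an absolute ranking rather than a description of which mount flags each level adds.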
@@ -0,0 +1,25 @@ +## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Require every kernel module to be signed before being loaded. +## Any module that is unsigned or signed with an invalid key cannot be loaded. +## This prevents all out-of-tree kernel modules unless signed. +## This makes it harder to load a malicious module. +## +## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/61 +## https://github.com/dell/dkms/issues/359 +## +## Not enabled by default yet due to several issues. +## +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX module.sig_enforce=1" + +## Enable kernel lockdown to enforce security boundary between user and kernel space. +## Confidentiality mode enforces module signature verification. +## +## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880 +## +## ## Not enabled by default yet due to several issues. +## +#if dpkg --compare-versions "${kver}" ge "5.4"; then +# GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX lockdown=confidentiality" +#fi diff --git a/etc/default/grub.d/41_quiet.cfg b/etc/default/grub.d/41_quiet.cfg deleted file mode 100644 index ecb268b..0000000 --- a/etc/default/grub.d/41_quiet.cfg +++ /dev/null 
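Review bot: The commented-out lockdown block reads `${kver}`, but nothing in this new file sets it; the variable is defined at the top of 40_kernel_hardening.cfg (visible as context in that file's hunk), so this snippet only works because `grub-mkconfig` sources the grub.d fragments in one shell in sorted order and `40_kernel_hardening.cfg` happens to sort before `40_signed_modules.cfg`. That ordering dependency should be stated, e.g. `## kver is set by 40_kernel_hardening.cfg, which grub-mkconfig sources before this file.`, or the `kpkg`/`kver` lines should be duplicated here so the file is self-contained when someone enables it. The line `## ## Not enabled by default yet due to several issues.` has a doubled comment marker compared with the same sentence in the `module.sig_enforce` block above it.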
@@ -1,27 +0,0 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Prevent kernel info leaks in console during boot. -## https://phabricator.whonix.org/T950 - -## LANG=C str_replace is provided by package helper-scripts. - -## The following command actually removed "quiet" from the kernel command line. -## If verbosity is desired, the user might want to keep this line. -## Remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT because "quiet" must be first. -GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | LANG=C str_replace "quiet" "")" - -## If verbosity is desired, the user might want to out-comment the following line. -GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT quiet loglevel=0" - -## NOTE: -## After editing this file, running: -## sudo update-grub -## is required. -## -## If higher verbosity is desired, the user might also want to delete file -## /etc/sysctl.d/30_silent-kernel-printk.conf -## (or out-comment its settings). -## -## Alternatively, the user could consider to install the debug-misc package, -## which will undo the settings found here. diff --git a/etc/default/grub.d/41_quiet_boot.cfg b/etc/default/grub.d/41_quiet_boot.cfg new file mode 100644 index 0000000..48a38d4 --- /dev/null +++ b/etc/default/grub.d/41_quiet_boot.cfg 
@@ -0,0 +1,21 @@
+## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## NOTE:
+## For higher verbosity, delete file /usr/lib/sysctl.d/30_silent-kernel-printk.conf.
+## Alternatively, install the debug-misc package which will undo theses settings.
+
+## LANG=C str_replace is provided by package helper-scripts.
+
+## The following command actually removed "quiet" from the kernel command line.
+## If verbosity is desired, the user might want to keep this line.
+## Remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT because "quiet" must be first.
+GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | LANG=C str_replace "quiet" "")"
+
+## Prevent sensitive kernel information leaks in the console during boot.
+##
+## https://madaidans-insecurities.github.io/guides/linux-hardening.html#boot-kernel
+## https://wiki.archlinux.org/title/silent_boot
+##
+GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT quiet"
+GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT loglevel=0"
From f550fbe07cafb75112e98268730d1bcc511489e2 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Mon, 15 Jul 2024 01:59:04 +1000
Subject: [PATCH 393/846] Add option to disable the entire IPv6 stack functionality
---
 README.md | 2 ++
 etc/default/grub.d/40_kernel_hardening.cfg | 15 +++++++++++++++
 2 files changed, 17 insertions(+)
diff --git a/README.md b/README.md
index fde0464..a55002e 100644
--- a/README.md
+++ b/README.md
@@ -113,6 +113,8 @@ configuration file.
 - Obtain more entropy at boot from RAM as the runtime memory allocator is being
   initialised.
 
+- Provide option to disable the entire IPv6 stack to reduce attack surface.
+
 Disallow sensitive kernel information leaks in the console during boot. See
 the `/etc/default/grub.d/40_quiet_boot.cfg` configuration file.
 
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg
index 0129fe9..c4575b3 100644
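Review bot: `+GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | LANG=C str_replace "quiet" "")"` silently empties GRUB_CMDLINE_LINUX_DEFAULT when `str_replace` is absent: the command substitution then yields an empty string, every parameter the administrator had in that variable is lost, and only the `quiet` and `loglevel=0` appended below survive. The comment above says the helper is provided by package helper-scripts, but nothing in the file checks for it; guard the line with `if command -v str_replace >/dev/null 2>&1; then … fi` so a missing helper leaves the variable untouched. The comment `+## The following command actually removed "quiet" from the kernel command line.` also reads as past tense where `removes` is meant.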
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@@ -9,6 +9,7 @@ kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || tru
 ## 1. Kernel Space
 ## 2. Direct Memory Access
 ## 3. Entropy
+## 4. Networking
 
 ## See the documentation below for details on the majority of the selected commands.
 ## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
@@ -171,3 +172,17 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off"
 ## https://github.com/anthraxx/linux-hardened/commit/a04458f97fe1f7e95888c77c0165b646375db9c4
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy"
+
+## 4. Networking
+##
+## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-boot-parameters
+
+## Disable the entire IPv6 stack functionality.
+## Removes attack surface associated with the IPv6 module.
+##
+## https://www.kernel.org/doc/html/latest/networking/ipv6.html
+## https://wiki.archlinux.org/title/IPv6#Disable_IPv6
+##
+## Enabling makes redundant many network hardening sysctl's in usr/lib/sysctl.d/990-security-misc.conf.
+##
+#ipv6.disable=1
\ No newline at end of file
From 99038c7a0621f5c9852638c1706c5306b42e6480 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Mon, 15 Jul 2024 02:02:01 +1000
Subject: [PATCH 394/846] Add option to disable support for x86 processes and syscalls in the future
---
 README.md | 3 +++
 etc/default/grub.d/40_kernel_hardening.cfg | 9 +++++++++
 2 files changed, 12 insertions(+)
diff --git a/README.md b/README.md
index a55002e..238e2c1 100644
--- a/README.md
+++ b/README.md
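Review bot: `+#ipv6.disable=1` is not in the form every other option in this file uses, so uncommenting it as the comment invites would not work: this file is sourced by grub-mkconfig, and `ipv6.disable=1` is not a valid shell assignment, so it would be run as a command and fail instead of reaching the kernel command line. Write it as `#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ipv6.disable=1"` to match the surrounding entries; the `#ia32_emulation=0` line added to this same file by the following commit has the identical problem and should get the same treatment. The path in `+## Enabling makes redundant many network hardening sysctl's in usr/lib/sysctl.d/990-security-misc.conf.` is also missing its leading slash, and the hunk leaves the file without a trailing newline.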
@@ -104,6 +104,9 @@ configuration file.
 
 - Provide option to modify machine check exception handler.
 
+- Provide option to disable support for all x86 processes and syscalls to reduce
+  attack surface (when using Linux kernel version >= 6.7).
+
 - Enable strict IOMMU translation to protect against DMA attacks and disable
   the busmaster bit on all PCI bridges during the early boot process.
 
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg
index c4575b3..36cf099 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@@ -109,6 +109,15 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 ##
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0"
 
+## Disable support for x86 processes and syscalls.
+## Unconditionally disables IA32 emulation to substantially reduce attack surface.
+##
+## https://lore.kernel.org/all/20230623111409.3047467-7-nik.borisov@suse.com/
+##
+## Applicable when using Linux kernel >= 6.7 (retained here for future-proofing and completeness).
+##
+#ia32_emulation=0
+
 ## 2. Direct Memory Access:
 ##
 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#dma-attacks
From 48e1ac416314d2c66f3a0d5044a3c51cb6fb4093 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Mon, 15 Jul 2024 02:04:25 +1000
Subject: [PATCH 395/846] Remove the optional `slub_debug` parameter since it is no longer recommended
---
 README.md | 3 ---
 etc/default/grub.d/40_kernel_hardening.cfg | 9 ---------
 2 files changed, 12 deletions(-)
diff --git a/README.md b/README.md
index 238e2c1..f2bf497 100644
--- a/README.md
+++ b/README.md
@@ -78,9 +78,6 @@ configuration file.
 - Disable merging of slabs with similar size which reduces the risk of
   triggering heap overflows and limits influencing slab cache layout.
 
-- Provides option to enable sanity checks and red zoning via slab debugging.
-  Not reccommened due to implicit disabling of kernel pointer hashing.
-
 - Enable Memory zeroing at both allocation and free time which mitigate some
   use-after-free vulnerabilities by erasing sensitive information in memory.
 
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg
index 36cf099..fcc5352 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@@ -28,15 +28,6 @@ kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || tru
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge"
 
-## Enable sanity checks and red zoning of slabs.
-##
-## https://www.kernel.org/doc/html/latest/mm/slub.html
-## https://lore.kernel.org/all/20210601182202.3011020-5-swboyd@chromium.org/T/#u
-##
-## Disabled as enabling this implicitly disables kernel pointer hashing.
-##
-#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZ"
-
 ## Zero memory at allocation time and free time.
 ## Fills newly allocated pages, freed pages, and heap objects with zeros.
 ## Mitigates use-after-free exploits by erasing sensitive information in memory.
From 69c8e849270393537d3e024137bc20a42c848333 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Mon, 15 Jul 2024 14:38:21 +1000
Subject: [PATCH 396/846] Fix typos
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index f2bf497..f53d126 100644
--- a/README.md
+++ b/README.md
@@ -78,7 +78,7 @@ configuration file.
 - Disable merging of slabs with similar size which reduces the risk of
   triggering heap overflows and limits influencing slab cache layout.
 
-- Enable Memory zeroing at both allocation and free time which mitigate some
+- Enable memory zeroing at both allocation and free time which mitigate some
   use-after-free vulnerabilities by erasing sensitive information in memory.
 
 - Enable the kernel page allocator to randomise free lists to limit some data
@@ -108,7 +108,7 @@ configuration file.
   the busmaster bit on all PCI bridges during the early boot process.
 
 - Do not credit the CPU or bootloader as entropy sources at boot in order to
-  maximise the absolute quantity of entropy the pool.
+  maximise the absolute quantity of entropy in the combined pool.
 
 - Obtain more entropy at boot from RAM as the runtime memory allocator is being
   initialised.
From f4d652fa7b5dd350b577521c6bba22c9eb3c13f1 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Mon, 15 Jul 2024 14:39:12 +1000
Subject: [PATCH 397/846] Update presentation of `quiet loglevel=0`
---
 etc/default/grub.d/40_kernel_hardening.cfg | 12 ++++++++++
 etc/default/grub.d/41_quiet_boot.cfg | 26 +++++++++++-----------
 2 files changed, 25 insertions(+), 13 deletions(-)
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg
index fcc5352..0854a4f 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@@ -100,6 +100,18 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 ##
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0"
 
+## Prevent sensitive kernel information leaks in the console during boot.
+## Must be used in combination with the kernel.printk sysctl.
+## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation.
+##
+## https://www.kernel.org/doc/html/next/core-api/printk-basics.html
+## https://wiki.archlinux.org/title/silent_boot
+##
+## See /etc/default/grub.d/41_quiet_boot.cfg for implementation.
+##
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX loglevel=0"
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet"
+
 ## Disable support for x86 processes and syscalls.
 ## Unconditionally disables IA32 emulation to substantially reduce attack surface.
 ##
diff --git a/etc/default/grub.d/41_quiet_boot.cfg b/etc/default/grub.d/41_quiet_boot.cfg
index 48a38d4..c06ac8f 100644
--- a/etc/default/grub.d/41_quiet_boot.cfg
+++ b/etc/default/grub.d/41_quiet_boot.cfg
@@ -1,21 +1,21 @@
 ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 
-## NOTE:
-## For higher verbosity, delete file /usr/lib/sysctl.d/30_silent-kernel-printk.conf.
-## Alternatively, install the debug-misc package which will undo theses settings.
-
-## LANG=C str_replace is provided by package helper-scripts.
-
-## The following command actually removed "quiet" from the kernel command line.
-## If verbosity is desired, the user might want to keep this line.
-## Remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT because "quiet" must be first.
-GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | LANG=C str_replace "quiet" "")"
-
 ## Prevent sensitive kernel information leaks in the console during boot.
+## Must be used in combination with the kernel.printk sysctl.
+## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation.
 ##
-## https://madaidans-insecurities.github.io/guides/linux-hardening.html#boot-kernel
+## https://www.kernel.org/doc/html/next/core-api/printk-basics.html
 ## https://wiki.archlinux.org/title/silent_boot
 ##
-GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT quiet"
+## For easier debugging, these are not applied to the recovery boot option.
+## Switch the pair of commands to universally apply parameters to all boot options.
+##
 GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT loglevel=0"
+GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT quiet"
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX loglevel=0"
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet"
+
+## For Increased Log Verbosity:
+## Comment-out the kernel.printk sysctl in /usr/lib/sysctl.d/30_silent-kernel-printk.conf.
+## Alternatively, install the debug-misc package which will undo theses settingss.
From fbfdb0fa99087e4160979b612db04e63a1d3e3b1 Mon Sep 17 00:00:00 2001
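Review bot: Dropping `-GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | LANG=C str_replace "quiet" "")"` means the file no longer de-duplicates `quiet`, so on a system whose /etc/default/grub already sets it (Debian's stock file typically does) the result becomes `quiet loglevel=0 quiet`. The kernel tolerates a repeated parameter, but the removed comment claimed `quiet` had to come first and the new text records neither why that requirement was dropped nor that duplicates are expected; a line such as `## A repeated "quiet" from /etc/default/grub is harmless; ordering relative to loglevel=0 does not matter.` above the two assignments would capture the decision. The sentence `+## Switch the pair of commands to universally apply parameters to all boot options.` would also be clearer as `## To apply these to every boot entry, including recovery, use the GRUB_CMDLINE_LINUX pair below instead.`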
From: Raja Grewal
Date: Mon, 15 Jul 2024 14:40:03 +1000
Subject: [PATCH 398/846] Update `security-misc.maintscript` relating to grub
---
 debian/security-misc.maintscript | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript
index 5d115c3..78a36fd 100644
--- a/debian/security-misc.maintscript
+++ b/debian/security-misc.maintscript
@@ -66,3 +66,17 @@ rm_conffile /etc/permission-hardening.d/25_default_whitelist_sudo.conf
 rm_conffile /etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf
 rm_conffile /etc/permission-hardening.d/25_default_whitelist_virtualbox.conf
 rm_conffile /etc/permission-hardening.d/30_default.conf
+
+## merged into 1 file /etc/default/grub.d/40_kernel_hardening.cfg
+rm /etc/default/grub.d/40_distrust_bootloader.cfg
+rm /etc/default/grub.d/40_distrust_cpu.cfg
+rm /etc/default/grub.d/40_enable_iommu.cfg
+
+## renamed to /etc/default/grub.d/40_remount_secure.cfg
+rm /etc/default/grub.d/40_remmount-secure.cfg
+
+## renamed to /etc/default/grub.d/40_signed_modules.cfg
+rm /etc/default/grub.d/40_only_allow_signed_modules.cfg
+
+## renamed to /etc/default/grub.d/41_quiet_boot.cfg
+rm /etc/default/grub.d/41_quiet.cfg
From d229e8b04d914803fa66c3a695022cfb2d9b2a25 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Mon, 15 Jul 2024 14:50:29 +1000
Subject: [PATCH 399/846] Fix link
---
 etc/default/grub.d/40_kernel_hardening.cfg | 2 +-
 etc/default/grub.d/41_quiet_boot.cfg | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg
index 0854a4f..eaedccb 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
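Review bot: The six new entries use `rm` (`+rm /etc/default/grub.d/40_distrust_bootloader.cfg` and the lines after it), which is not a dpkg-maintscript-helper command; the helper only understands rm_conffile, mv_conffile, symlink_to_dir and dir_to_symlink, so I expect these lines to be rejected when the maintainer scripts are generated or executed. Every other line in this file uses `rm_conffile`, and these grub.d files live under /etc and are conffiles, so each should read `rm_conffile /etc/default/grub.d/40_distrust_bootloader.cfg` and so on. A plain removal would also discard the .dpkg-bak handling that preserves an administrator's local edits, which is the reason the conffile variant exists.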
@@ -104,7 +104,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 ## Must be used in combination with the kernel.printk sysctl.
 ## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation.
 ##
-## https://www.kernel.org/doc/html/next/core-api/printk-basics.html
+## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html
 ## https://wiki.archlinux.org/title/silent_boot
 ##
 ## See /etc/default/grub.d/41_quiet_boot.cfg for implementation.
diff --git a/etc/default/grub.d/41_quiet_boot.cfg b/etc/default/grub.d/41_quiet_boot.cfg
index c06ac8f..7bccbaa 100644
--- a/etc/default/grub.d/41_quiet_boot.cfg
+++ b/etc/default/grub.d/41_quiet_boot.cfg
@@ -5,7 +5,7 @@
 ## Must be used in combination with the kernel.printk sysctl.
 ## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation.
 ##
-## https://www.kernel.org/doc/html/next/core-api/printk-basics.html
+## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html
 ## https://wiki.archlinux.org/title/silent_boot
 ##
 ## For easier debugging, these are not applied to the recovery boot option.
From c8385d82fbd6ba16ba1f0b4969661474966b74f1 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Mon, 15 Jul 2024 14:57:40 +1000
Subject: [PATCH 400/846] Clarify instructions for increasing log verbosity
---
 etc/default/grub.d/41_quiet_boot.cfg | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/etc/default/grub.d/41_quiet_boot.cfg b/etc/default/grub.d/41_quiet_boot.cfg
index 7bccbaa..c07d874 100644
--- a/etc/default/grub.d/41_quiet_boot.cfg
+++ b/etc/default/grub.d/41_quiet_boot.cfg
@@ -17,5 +17,5 @@ GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT quiet"
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet"
 
 ## For Increased Log Verbosity:
-## Comment-out the kernel.printk sysctl in /usr/lib/sysctl.d/30_silent-kernel-printk.conf.
+## Adjust (or comment out) the kernel.printk sysctl in /usr/lib/sysctl.d/30_silent-kernel-printk.conf.
 ## Alternatively, install the debug-misc package which will undo theses settingss.
From 1c2afc1f253e15d2605d1bef0e323e6e972a2484 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Mon, 15 Jul 2024 15:01:48 +1000
Subject: [PATCH 401/846] Update presentation of the `kernel.printk` sysctl
---
 usr/lib/sysctl.d/30_silent-kernel-printk.conf | 14 +++++++++-----
 usr/lib/sysctl.d/990-security-misc.conf | 4 ++++
 2 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/usr/lib/sysctl.d/30_silent-kernel-printk.conf b/usr/lib/sysctl.d/30_silent-kernel-printk.conf
index 7283bcb..de73876 100644
--- a/usr/lib/sysctl.d/30_silent-kernel-printk.conf
+++ b/usr/lib/sysctl.d/30_silent-kernel-printk.conf
@@ -1,10 +1,14 @@
 ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 
-## NOTE:
-## For higher verbosity, delete file /etc/default/grub.d/41_quiet.cfg.
-## Alternatively, install the debug-misc package which will undo these settings.
-
 ## Prevent kernel information leaks in the console during boot.
+## Must be used in combination with the kernel boot parameters.
+## See /etc/default/grub.d/41_quiet_boot.cfg for implementation.
 ##
-kernel.printk = 3 3 3 3
+## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html
+##
+kernel.printk=3 3 3 3
+
+## For Increased Log Verbosity:
+## Adjust (or comment out) the kernel parameters in /etc/default/grub.d/41_quiet_boot.cfg.
+## Alternatively, installing the debug-misc package will undo these settings.
\ No newline at end of file
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index 5fbe51c..c1316be 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -38,6 +38,10 @@ kernel.kptr_restrict=2
 kernel.dmesg_restrict=1
 
 ## Prevent kernel information leaks in the console during boot.
+## Must be used in combination with the kernel boot parameters.
+## See /etc/default/grub.d/41_quiet_boot.cfg for implementation.
+##
+## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html
 ##
 ## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation.
 ##
From b2657bc61fb15bb89d62f0743a36835c1f0dda8a Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Mon, 15 Jul 2024 15:05:00 +1000
Subject: [PATCH 402/846] Improve docs
---
 README.md | 2 +-
 etc/default/grub.d/41_quiet_boot.cfg | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index f53d126..1a38546 100644
--- a/README.md
+++ b/README.md
@@ -116,7 +116,7 @@ configuration file.
 - Provide option to disable the entire IPv6 stack to reduce attack surface.
 
 Disallow sensitive kernel information leaks in the console during boot. See
-the `/etc/default/grub.d/40_quiet_boot.cfg` configuration file.
+the `/etc/default/grub.d/41_quiet_boot.cfg` configuration file.
 
 ### Kernel Modules
 
diff --git a/etc/default/grub.d/41_quiet_boot.cfg b/etc/default/grub.d/41_quiet_boot.cfg
index c07d874..25d819a 100644
--- a/etc/default/grub.d/41_quiet_boot.cfg
+++ b/etc/default/grub.d/41_quiet_boot.cfg
@@ -18,4 +18,4 @@ GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT quiet"
 
 ## For Increased Log Verbosity:
 ## Adjust (or comment out) the kernel.printk sysctl in /usr/lib/sysctl.d/30_silent-kernel-printk.conf.
-## Alternatively, install the debug-misc package which will undo theses settingss.
+## Alternatively, installing the debug-misc package will undo these settings.
\ No newline at end of file
From e0696d02a234e6f7ab9fb601ffe58e7d953846a2 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Mon, 15 Jul 2024 20:46:04 +1000
Subject: [PATCH 403/846] Update `security-misc.maintscript`
Due to previous splitting IN https://github.com/Kicksecure/security-misc/commit/b02230a783941da412be72fb52053db0c6b8010f.
---
 debian/security-misc.maintscript | 1 +
 1 file changed, 1 insertion(+)
diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript
index 5d115c3..59043e5 100644
--- a/debian/security-misc.maintscript
+++ b/debian/security-misc.maintscript
@@ -31,6 +31,7 @@ rm_conffile /etc/modprobe.d/vivid.conf
 rm_conffile /etc/modprobe.d/blacklist-dma.conf
 rm_conffile /etc/modprobe.d/msr.conf
 rm_conffile /etc/modprobe.d/30_nf_conntrack_helper_disable.conf
+rm_conffile /etc/modprobe.d/30_security-misc.conf
 
 ## renamed to /etc/security/limits.d/30_security-misc.conf
 rm_conffile /etc/security/limits.d/disable-coredumps.conf
From 4476a477a77c98cf4334fbcb866bc8f113f568ac Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Mon, 15 Jul 2024 20:47:07 +1000
Subject: [PATCH 404/846] Provide option to disable more Bluetooth modules
---
 etc/modprobe.d/30_security-misc_disable.conf | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf
index f82ccb6..bd6a181 100644
--- a/etc/modprobe.d/30_security-misc_disable.conf
+++ b/etc/modprobe.d/30_security-misc_disable.conf
@@ -16,7 +16,22 @@
 ## Now replaced by a privacy and security preserving default Bluetooth configuration for better usability.
 ##
 #install bluetooth /usr/bin/disabled-bluetooth-by-security-misc
+#install bluetooth_6lowpan /usr/bin/disabled-bluetooth-by-security-misc
+#install bt3c_cs /usr/bin/disabled-bluetooth-by-security-misc
+#install btbcm /usr/bin/disabled-bluetooth-by-security-misc
+#install btintel /usr/bin/disabled-bluetooth-by-security-misc
+#install btmrvl /usr/bin/disabled-bluetooth-by-security-misc
+#install btmrvl_sdio /usr/bin/disabled-bluetooth-by-security-misc
+#install btmtk /usr/bin/disabled-bluetooth-by-security-misc
+#install btmtksdio /usr/bin/disabled-bluetooth-by-security-misc
+#install btmtkuart /usr/bin/disabled-bluetooth-by-security-misc
+#install btnxpuart /usr/bin/disabled-bluetooth-by-security-misc
+#install btqca /usr/bin/disabled-bluetooth-by-security-misc
+#install btrsi /usr/bin/disabled-bluetooth-by-security-misc
+#install btrtl /usr/bin/disabled-bluetooth-by-security-misc
+#install btsdio /usr/bin/disabled-bluetooth-by-security-misc
 #install btusb /usr/bin/disabled-bluetooth-by-security-misc
+#install virtio_bt /usr/bin/disabled-bluetooth-by-security-misc
 
 ## CPU Model-Specific Registers (MSRs):
 ## Disable CPU MSRs as they can be abused to write to arbitrary memory.
From 99b0ce7948213e7f7adf42ddd7c7beb229374bd4 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Mon, 15 Jul 2024 20:47:56 +1000
Subject: [PATCH 405/846] Disable more file systems
---
 etc/modprobe.d/30_security-misc_disable.conf | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf
index bd6a181..e36f074 100644
--- a/etc/modprobe.d/30_security-misc_disable.conf
+++ b/etc/modprobe.d/30_security-misc_disable.conf
@@ -43,13 +43,15 @@
 
 ## File Systems:
 ## Disable uncommon file systems to reduce attack surface.
-## HFS and HFS+ are legacy Apple filesystems that may be required depending on the EFI partition format.
+## HFS and HFS+ are legacy Apple file systems that may be required depending on the EFI partition format.
 ##
 install cramfs /usr/bin/disabled-filesys-by-security-misc
 install freevxfs /usr/bin/disabled-filesys-by-security-misc
 install hfs /usr/bin/disabled-filesys-by-security-misc
 install hfsplus /usr/bin/disabled-filesys-by-security-misc
 install jffs2 /usr/bin/disabled-filesys-by-security-misc
+install jfs /usr/bin/disabled-filesys-by-security-misc
+install reiserfs /usr/bin/disabled-filesys-by-security-misc
 install udf /usr/bin/disabled-filesys-by-security-misc
 
 ## FireWire (IEEE 1394):
From 82c5a93f7cf2846490120c5262a146a313a5ce47 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Mon, 15 Jul 2024 20:53:07 +1000
Subject: [PATCH 406/846] Disable another GPS module
---
 README.md | 4 ++--
 etc/modprobe.d/30_security-misc_blacklist.conf | 1 -
 etc/modprobe.d/30_security-misc_disable.conf | 1 +
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index b5cf7a3..442c2be 100644
--- a/README.md
+++ b/README.md
@@ -150,8 +150,8 @@ disabling should first be blacklisted for a suitable amount of time.
 
 - FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks.
 
-- GPS: Disables GPS-related modules responsible systems such as for Global
-  Navigation Satellite System (GNSS).
+- GPS: Disable GPS-related modules such as those required for Global Navigation
+  Satellite Systems (GNSS).
 
 - Intel Management Engine (ME): Provides some disabling of the interface between
   the Intel ME and the OS.
diff --git a/etc/modprobe.d/30_security-misc_blacklist.conf b/etc/modprobe.d/30_security-misc_blacklist.conf
index 6dce2d2..c192c3c 100644
--- a/etc/modprobe.d/30_security-misc_blacklist.conf
+++ b/etc/modprobe.d/30_security-misc_blacklist.conf
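Review bot: `+install jfs …` and `+install reiserfs …` are added under a header that only says `## Disable uncommon file systems to reduce attack surface.`, yet unlike cramfs or freevxfs these two can hold a user's existing data volume, and after this change such a mount fails with the helper's error message. The file already documents the one case where a disabled entry may still be needed (the HFS/HFS+ line above), so the same courtesy is warranted here, e.g. `## JFS and ReiserFS are rarely deployed today; re-enable if an existing volume uses them.` placed after the HFS comment. ReiserFS in particular is, as far as I know, marked deprecated upstream, which is worth recording as the reason rather than leaving it implicit.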
@@ -67,7 +67,6 @@ blacklist eepro100
 blacklist eth1394
 blacklist evbug
 blacklist de4x5
-blacklist garmin_gps
 blacklist pcspkr
 blacklist prism54
 blacklist snd_aw2
diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf
index e36f074..40bcf7f 100644
--- a/etc/modprobe.d/30_security-misc_disable.conf
+++ b/etc/modprobe.d/30_security-misc_disable.conf
@@ -72,6 +72,7 @@ install video1394 /usr/bin/disabled-firewire-by-security-misc
 ## Global Positioning Systems (GPS):
 ## Disable GPS-related modules like GNSS (Global Navigation Satellite System).
 ##
+install garmin_gps /usr/bin/disabled-gps-by-security-misc
 install gnss /usr/bin/disabled-gps-by-security-misc
 install gnss-mtk /usr/bin/disabled-gps-by-security-misc
 install gnss-serial /usr/bin/disabled-gps-by-security-misc
From 9e40ff055195b1e8637d1e957c3f8db01f99bbc1 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Mon, 15 Jul 2024 20:54:18 +1000
Subject: [PATCH 407/846] Disable more network file systems
---
 etc/modprobe.d/30_security-misc_disable.conf | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf
index 40bcf7f..423aced 100644
--- a/etc/modprobe.d/30_security-misc_disable.conf
+++ b/etc/modprobe.d/30_security-misc_disable.conf
@@ -91,10 +91,23 @@ install mei-me /usr/bin/disabled-intelme-by-security-misc
 ## Network File Systems:
 ## Disable uncommon network file systems to reduce attack surface.
 ##
-install cifs /usr/bin/disabled-netfilesys-by-security-misc
 install gfs2 /usr/bin/disabled-netfilesys-by-security-misc
 install ksmbd /usr/bin/disabled-netfilesys-by-security-misc
+##
+## Common Internet File System (CIFS):
+##
+install cifs /usr/bin/disabled-netfilesys-by-security-misc
+install cifs_arc4 /usr/bin/disabled-netfilesys-by-security-misc
+install cifs_md4 /usr/bin/disabled-netfilesys-by-security-misc
+##
+## Network File System (NFS):
+##
 install nfs /usr/bin/disabled-netfilesys-by-security-misc
+install nfs_acl /usr/bin/disabled-netfilesys-by-security-misc
+install nfs_layout_nfsv41_files /usr/bin/disabled-netfilesys-by-security-misc
+install nfs_layout_flexfiles /usr/bin/disabled-netfilesys-by-security-misc
+install nfsd /usr/bin/disabled-netfilesys-by-security-misc
+install nfsv2 /usr/bin/disabled-netfilesys-by-security-misc
 install nfsv3 /usr/bin/disabled-netfilesys-by-security-misc
 install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc
 
From 51f7776bc8722752d53fc503b0c79564d8715d4c Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Mon, 15 Jul 2024 20:56:12 +1000
Subject: [PATCH 408/846] Disable more network protocols/drivers
---
 .../30_security-misc_blacklist.conf | 2 -
 etc/modprobe.d/30_security-misc_disable.conf | 57 +++++++++++++++++--
 2 files changed, 51 insertions(+), 8 deletions(-)
diff --git a/etc/modprobe.d/30_security-misc_blacklist.conf b/etc/modprobe.d/30_security-misc_blacklist.conf
index c192c3c..c35af0b 100644
--- a/etc/modprobe.d/30_security-misc_blacklist.conf
+++ b/etc/modprobe.d/30_security-misc_blacklist.conf
@@ -63,8 +63,6 @@ blacklist ath_pci
 blacklist amd76x_edac
 blacklist asus_acpi
 blacklist bcm43xx
-blacklist eepro100
-blacklist eth1394
 blacklist evbug
 blacklist de4x5
 blacklist pcspkr
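Review bot: `install ksmbd /usr/bin/disabled-netfilesys-by-security-misc` is left in the unsectioned list while the hunk introduces a `## Common Internet File System (CIFS):` sub-section directly beneath it; ksmbd is the in-kernel SMB server, so it belongs with `cifs`, `cifs_arc4` and `cifs_md4` under that heading rather than next to gfs2. The new `+install nfsd …` line likewise disables the NFS *server* under a heading that, per `## Disable uncommon network file systems`, reads as client-side; a short `## nfsd is the in-kernel NFS server; hosts exporting shares must re-enable it.` next to it would make the operational impact explicit.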
diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf
index 423aced..9ba5f84 100644
--- a/etc/modprobe.d/30_security-misc_disable.conf
+++ b/etc/modprobe.d/30_security-misc_disable.conf
@@ -115,28 +115,73 @@ install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc
 ## Disables rare and unneeded network protocols that are a common source of unknown vulnerabilities.
 ##
 ## https://tails.boum.org/blueprint/blacklist_modules/
-## https://fedoraproject.org/wiki/Security_Features_Matrix#Blacklist_Rare_Protocols)
+## https://fedoraproject.org/wiki/Security_Features_Matrix#Blacklist_Rare_Protocols
 ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-rare-network.conf?h=ubuntu/disco
 ##
 install af_802154 /usr/bin/disabled-network-by-security-misc
 install appletalk /usr/bin/disabled-network-by-security-misc
-install atm /usr/bin/disabled-network-by-security-misc
 install ax25 /usr/bin/disabled-network-by-security-misc
-install can /usr/bin/disabled-network-by-security-misc
+install brcm80211 /bin/true /usr/bin/disabled-network-by-security-misc
 install decnet /usr/bin/disabled-network-by-security-misc
 install dccp /usr/bin/disabled-network-by-security-misc
 install econet /usr/bin/disabled-network-by-security-misc
+install eepro100 /usr/bin/disabled-network-by-security-misc
+install eth1394 /usr/bin/disabled-network-by-security-misc
 install ipx /usr/bin/disabled-network-by-security-misc
 install n-hdlc /usr/bin/disabled-network-by-security-misc
 install netrom /usr/bin/disabled-network-by-security-misc
 install p8022 /usr/bin/disabled-network-by-security-misc
 install p8023 /usr/bin/disabled-network-by-security-misc
 install psnap /usr/bin/disabled-network-by-security-misc
-install rds /usr/bin/disabled-network-by-security-misc
 install rose /usr/bin/disabled-network-by-security-misc
-install sctp /usr/bin/disabled-network-by-security-misc
-install tipc /usr/bin/disabled-network-by-security-misc
 install x25 /usr/bin/disabled-network-by-security-misc
+##
+## Asynchronous Transfer Mode (ATM):
+##
+install atm /usr/bin/disabled-network-by-security-misc
+install ueagle-atm /usr/bin/disabled-network-by-security-misc
+install usbatm /usr/bin/disabled-network-by-security-misc
+install xusbatm /usr/bin/disabled-network-by-security-misc
+##
+## Controller Area Network (CAN) Protocol:
+##
+install c_can /usr/bin/disabled-network-by-security-misc
+install c_can_pci /usr/bin/disabled-network-by-security-misc
+install c_can_platform /usr/bin/disabled-network-by-security-misc
+install can /usr/bin/disabled-network-by-security-misc
+install can-bcm /usr/bin/disabled-network-by-security-misc
+install can-dev /usr/bin/disabled-network-by-security-misc
+install can-gw /usr/bin/disabled-network-by-security-misc
+install can-isotp /usr/bin/disabled-network-by-security-misc
+install can-raw /usr/bin/disabled-network-by-security-misc
+install can-j1939 /usr/bin/disabled-network-by-security-misc
+install can327 /usr/bin/disabled-network-by-security-misc
+install ifi_canfd /usr/bin/disabled-network-by-security-misc
+install janz-ican3 /usr/bin/disabled-network-by-security-misc
+install m_can /usr/bin/disabled-network-by-security-misc
+install m_can_pci /usr/bin/disabled-network-by-security-misc
+install m_can_platform /usr/bin/disabled-network-by-security-misc
+install phy-can-transceiver /usr/bin/disabled-network-by-security-misc
+install slcan /usr/bin/disabled-network-by-security-misc
+install ucan /usr/bin/disabled-network-by-security-misc
+install vxcan /usr/bin/disabled-network-by-security-misc
+install vcan /usr/bin/disabled-network-by-security-misc
+##
+## Transparent Inter Process Communication (TIPC):
+##
+install tipc /usr/bin/disabled-network-by-security-misc
+install tipc_diag /usr/bin/disabled-network-by-security-misc
+##
+## Reliable Datagram Sockets (RDS):
+##
+install rds /usr/bin/disabled-network-by-security-misc
+install rds_rdma /usr/bin/disabled-network-by-security-misc
+install rds_tcp /usr/bin/disabled-network-by-security-misc
+##
+## Stream Control Transmission Protocol (SCTP):
+##
+install sctp /usr/bin/disabled-network-by-security-misc
+install sctp_diag /usr/bin/disabled-network-by-security-misc
 
 ## Miscellaneous:
 ##
From 96aa63267a6fcee03f252f0791f37b7b6222a7c1 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Mon, 15 Jul 2024 20:57:14 +1000
Subject: [PATCH 409/846] Disable more Thunderbolt modules
---
 etc/modprobe.d/30_security-misc_disable.conf | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf
index 9ba5f84..74ce512 100644
--- a/etc/modprobe.d/30_security-misc_disable.conf
+++ b/etc/modprobe.d/30_security-misc_disable.conf
@@ -199,4 +199,6 @@ install vivid /usr/bin/disabled-vivid-by-security-misc
 ##
 ## https://en.wikipedia.org/wiki/Thunderbolt_(interface)#Security_vulnerabilities
 ##
+install intel-wmi-thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
 install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
+install thunderbolt_net /usr/bin/disabled-thunderbolt-by-security-misc
From c52b1a3fd269ef4f98028dd5eead476abe5d138d Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Mon, 15 Jul 2024 20:58:45 +1000
Subject: [PATCH 410/846] Create `disabled-miscellaneous-by-security-misc`
---
 usr/bin/disabled-miscellaneous-by-security-misc | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100755 usr/bin/disabled-miscellaneous-by-security-misc
diff --git a/usr/bin/disabled-miscellaneous-by-security-misc b/usr/bin/disabled-miscellaneous-by-security-misc
new file mode 100755
index 0000000..2c23909
--- /dev/null
+++ b/usr/bin/disabled-miscellaneous-by-security-misc
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
+
+echo "$0: ERROR: This kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
+
+exit 1
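Review bot: `+install brcm80211 /bin/true /usr/bin/disabled-network-by-security-misc` differs from every other line in the hunk: the install command is `/bin/true` with the helper path merely passed as its argument, so the command exits 0, modprobe treats the load as successful, and the user-facing error from disabled-network-by-security-misc is never printed. Drop the `/bin/true` so it reads `install brcm80211 /usr/bin/disabled-network-by-security-misc`; the `hamradio` and `floppy` entries added under Miscellaneous by a later commit in this series repeat the same pattern and need the same fix. Separately, brcm80211 looks like the name of a driver source directory rather than a loadable module (the modules built from it are, if I recall correctly, brcmfmac and brcmsmac), and the same doubt applies to hamradio, so both are worth checking against `modinfo` before being relied on.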
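Review bot: `+echo "$0: ERROR: … | args: $@" >&2` embeds `$@` inside a larger double-quoted string; in that position it expands to separate words glued to the surrounding text, which is what ShellCheck reports as SC2145, and `$*` is the form that means "all arguments joined into one string". Change the tail of the line to `| args: $*" >&2`. The description `+## Alerts the user that a kernel module failed to load due to it being blacklisted by default.` also says "blacklisted" although this script is wired up through modprobe `install` overrides in 30_security-misc_disable.conf, so `disabled via a modprobe install override` would name the actual mechanism.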
From cb2fb95b81efa2ebb2bd80aeaacad9122f0f073c Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 15 Jul 2024 21:01:36 +1000 Subject: [PATCH 411/846] Disable more miscellaneous drivers --- etc/modprobe.d/30_security-misc_disable.conf | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf index 74ce512..024a0b1 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf +++ b/etc/modprobe.d/30_security-misc_disable.conf @@ -185,6 +185,14 @@ install sctp_diag /usr/bin/disabled-network-by-security-misc ## Miscellaneous: ## +## Amateur Radios: +## +install hamradio /bin/true /usr/bin/disabled-miscellaneous-by-security-misc +## +## Floppy Disks: +## +install floppy /bin/true /usr/bin/disabled-miscellaneous-by-security-misc +## ## Vivid: ## Disables the vivid kernel module since it has been the cause of multiple vulnerabilities. ## From 8219a1e257525d487a49e7b3a6b14c1e180a7b52 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 15 Jul 2024 21:02:10 +1000 Subject: [PATCH 412/846] Update README.md relating to disabled miscellaneous modules --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 442c2be..d99cdaa 100644 --- a/README.md +++ b/README.md @@ -160,7 +160,8 @@ disabling should first be blacklisted for a suitable amount of time. - Network Protocols: Wide array of uncommon and legacy network protocols are disabled. -- Miscellaneous: Disable an assortment other modules such as vivid. +- Miscellaneous: Disable an assortment other modules such as those required + for amateur radio, floppy disks, and vivid. - Thunderbolt: Disabled as they are often vulnerable to DMA attacks. From fda3832eaf293915ab77ce73a0be2caec15e21fa Mon Sep 17 00:00:00 2001 
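Review bot: The two new `install` lines hand modprobe `/bin/true /usr/bin/disabled-miscellaneous-by-security-misc` as the command, so `/bin/true` runs with the script path as an ignored argument and the user alert never executes; the module is silently skipped instead of failing loudly like every other entry in this file. The lines should read `install hamradio /usr/bin/disabled-miscellaneous-by-security-misc` and `install floppy /usr/bin/disabled-miscellaneous-by-security-misc`, which is what the later "Fix script" hunk (patch 416) does. It is also worth confirming with `modinfo hamradio` that this is a loadable module name rather than only a Kconfig group, since an `install` rule for a name no module carries has no effect.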
From: Raja Grewal Date: Mon, 15 Jul 2024 21:08:45 +1000 Subject: [PATCH 413/846] Replace bash file presented for disabling of miscellaneous modules --- debian/security-misc.maintscript | 3 +++ etc/modprobe.d/30_security-misc_disable.conf | 4 ++-- usr/bin/disabled-vivid-by-security-misc | 10 ---------- 3 files changed, 5 insertions(+), 12 deletions(-) delete mode 100755 usr/bin/disabled-vivid-by-security-misc diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript index 59043e5..e046582 100644 --- a/debian/security-misc.maintscript +++ b/debian/security-misc.maintscript @@ -67,3 +67,6 @@ rm_conffile /etc/permission-hardening.d/25_default_whitelist_sudo.conf rm_conffile /etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf rm_conffile /etc/permission-hardening.d/25_default_whitelist_virtualbox.conf rm_conffile /etc/permission-hardening.d/30_default.conf + +## repalced with /usr/bin/disabled-miscellaneous-by-security-misc +rm_conffile /usr/bin/disabled-vivid-by-security-misc \ No newline at end of file diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf index 024a0b1..eda012c 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf +++ b/etc/modprobe.d/30_security-misc_disable.conf @@ -39,7 +39,7 @@ ## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode ## https://github.com/Kicksecure/security-misc/issues/215 ## -#install msr /usr/bin/disabled-msr-by-security-misc +#install msr /usr/bin/disabled-miscellaneous-by-security-misc ## File Systems: ## Disable uncommon file systems to reduce attack surface. 
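Review bot: `rm_conffile` is a dpkg-maintscript-helper command for conffiles, and `/usr/bin/disabled-vivid-by-security-misc` is an ordinary packaged file that dpkg removes on its own once the new package version no longer ships it (the diffstat shows it deleted), so this entry is both unnecessary and the wrong tool; the later "fix" commit (patch 423) on this page removes it again. If a pointer is wanted, keep only the comment, spelled `## replaced with /usr/bin/disabled-miscellaneous-by-security-misc`. The hunk also leaves the file without a trailing newline, as the `\ No newline at end of file` marker records.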
@@ -200,7 +200,7 @@ install floppy /bin/true /usr/bin/disabled-miscellaneous-by-security-misc ## https://www.openwall.com/lists/oss-security/2019/11/02/1 ## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475 ## -install vivid /usr/bin/disabled-vivid-by-security-misc +install vivid /usr/bin/disabled-miscellaneous-by-security-misc ## Thunderbolt: ## Disables Thunderbolt modules to prevent some DMA attacks. diff --git a/usr/bin/disabled-vivid-by-security-misc b/usr/bin/disabled-vivid-by-security-misc deleted file mode 100755 index f2d07b7..0000000 --- a/usr/bin/disabled-vivid-by-security-misc +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Alerts the user that a kernel module failed to load due to it being blacklisted by default. - -echo "$0: ERROR: This vivid kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 - -exit 1 From a8bc1144c32b4b4f20904af5f813da1051fe4c9c Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 15 Jul 2024 21:10:13 +1000 Subject: [PATCH 414/846] Updated wording of error files for disabled modules --- usr/bin/disabled-bluetooth-by-security-misc | 2 +- usr/bin/disabled-cdrom-by-security-misc | 2 +- usr/bin/disabled-firewire-by-security-misc | 2 +- usr/bin/disabled-gps-by-security-misc | 2 +- usr/bin/disabled-thunderbolt-by-security-misc | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/usr/bin/disabled-bluetooth-by-security-misc b/usr/bin/disabled-bluetooth-by-security-misc index 7e011e3..3669fc1 100755 --- a/usr/bin/disabled-bluetooth-by-security-misc +++ b/usr/bin/disabled-bluetooth-by-security-misc 
@@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This bluetooth kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 +echo "$0: ERROR: This Bluetooth kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-cdrom-by-security-misc b/usr/bin/disabled-cdrom-by-security-misc index 55f4b0c..4a7b141 100755 --- a/usr/bin/disabled-cdrom-by-security-misc +++ b/usr/bin/disabled-cdrom-by-security-misc @@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This CD-ROM kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 +echo "$0: ERROR: This CD-ROM/DVD kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-firewire-by-security-misc b/usr/bin/disabled-firewire-by-security-misc index cbde5d1..2abc6bc 100755 --- a/usr/bin/disabled-firewire-by-security-misc +++ b/usr/bin/disabled-firewire-by-security-misc @@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This firewire kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 +echo "$0: ERROR: This FireWire (IEEE 1394) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 exit 1 
diff --git a/usr/bin/disabled-gps-by-security-misc b/usr/bin/disabled-gps-by-security-misc index f1a24bf..d43626e 100755 --- a/usr/bin/disabled-gps-by-security-misc +++ b/usr/bin/disabled-gps-by-security-misc @@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This GNSS (Global Navigation Satellite System) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 +echo "$0: ERROR: This GPS (Global Positioning System) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-thunderbolt-by-security-misc b/usr/bin/disabled-thunderbolt-by-security-misc index 98f0840..dbe89ec 100755 --- a/usr/bin/disabled-thunderbolt-by-security-misc +++ b/usr/bin/disabled-thunderbolt-by-security-misc @@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This thunderbolt kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 +echo "$0: ERROR: This Thunderbolt kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 exit 1 From 382f1e9ec00ab5f012f028fa324d6cf73040c37d Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 15 Jul 2024 21:13:25 +1000 Subject: [PATCH 415/846] Fix error --- debian/security-misc.maintscript | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript index 78a36fd..c5c2569 100644 --- a/debian/security-misc.maintscript +++ b/debian/security-misc.maintscript 
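Review bot: Renaming the message from GNSS to GPS narrows the wording, while the rules that invoke this script target the generic `gnss*` drivers (see the `install gnss-usb /usr/bin/disabled-gps-by-security-misc` context line in the Intel ME hunks below), which cover all satellite navigation systems rather than GPS alone. Keeping the original `This GNSS (Global Navigation Satellite System) kernel module` phrase, or `This GNSS/GPS kernel module`, would match what is actually disabled.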
@@ -68,15 +68,15 @@ rm_conffile /etc/permission-hardening.d/25_default_whitelist_virtualbox.conf rm_conffile /etc/permission-hardening.d/30_default.conf ## merged into 1 file /etc/default/grub.d/40_kernel_hardening.cfg -rm /etc/default/grub.d/40_distrust_bootloader.cfg -rm /etc/default/grub.d/40_distrust_cpu.cfg -rm /etc/default/grub.d/40_enable_iommu.cfg +rm_conffile /etc/default/grub.d/40_distrust_bootloader.cfg +rm_conffile /etc/default/grub.d/40_distrust_cpu.cfg +rm_conffile /etc/default/grub.d/40_enable_iommu.cfg ## renamed to /etc/default/grub.d/40_remount_secure.cfg -rm /etc/default/grub.d/40_remmount-secure.cfg +rm_conffile /etc/default/grub.d/40_remmount-secure.cfg ## renamed to /etc/default/grub.d/40_signed_modules.cfg -rm /etc/default/grub.d/40_only_allow_signed_modules.cfg +rm_conffile /etc/default/grub.d/40_only_allow_signed_modules.cfg ## renamed to /etc/default/grub.d/41_quiet_boot.cfg -rm /etc/default/grub.d/41_quiet.cfg +rm_conffile /etc/default/grub.d/41_quiet.cfg From f2db11269e89d4c945642b661aa9cbe356f89037 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 15 Jul 2024 21:18:32 +1000 Subject: [PATCH 416/846] Fix script --- etc/modprobe.d/30_security-misc_disable.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf index eda012c..d6b5122 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf +++ b/etc/modprobe.d/30_security-misc_disable.conf 
@@ -187,11 +187,11 @@ install sctp_diag /usr/bin/disabled-network-by-security-misc ## ## Amateur Radios: ## -install hamradio /bin/true /usr/bin/disabled-miscellaneous-by-security-misc +install hamradio /usr/bin/disabled-miscellaneous-by-security-misc ## ## Floppy Disks: ## -install floppy /bin/true /usr/bin/disabled-miscellaneous-by-security-misc +install floppy /usr/bin/disabled-miscellaneous-by-security-misc ## ## Vivid: ## Disables the vivid kernel module since it has been the cause of multiple vulnerabilities. From 9300c208e25d936f2c633a0904126566afc1c275 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 15 Jul 2024 21:36:25 +1000 Subject: [PATCH 417/846] Fix script --- etc/modprobe.d/30_security-misc_disable.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf index d6b5122..0158586 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf +++ b/etc/modprobe.d/30_security-misc_disable.conf @@ -121,7 +121,7 @@ install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc install af_802154 /usr/bin/disabled-network-by-security-misc install appletalk /usr/bin/disabled-network-by-security-misc install ax25 /usr/bin/disabled-network-by-security-misc -install brcm80211 /bin/true /usr/bin/disabled-network-by-security-misc +install brcm80211 /usr/bin/disabled-network-by-security-misc install decnet /usr/bin/disabled-network-by-security-misc install dccp /usr/bin/disabled-network-by-security-misc install econet /usr/bin/disabled-network-by-security-misc From 22ba7a7c393a8c9005dfe26aea396815a4d54803 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 15 Jul 2024 22:21:20 +1000 Subject: [PATCH 418/846] Disable more Intel Management Engine (ME) modules --- etc/modprobe.d/30_security-misc_disable.conf | 10 ++++++++++ 1 file changed, 10 insertions(+) 
diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf index f82ccb6..da40ded 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf +++ b/etc/modprobe.d/30_security-misc_disable.conf @@ -68,7 +68,17 @@ install gnss-usb /usr/bin/disabled-gps-by-security-misc ## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html ## install mei /usr/bin/disabled-intelme-by-security-misc +install mei-gsc /usr/bin/disabled-intelme-by-security-misc +install mei_gsc_proxy /usr/bin/disabled-intelme-by-security-misc +install mei_hdcp /usr/bin/disabled-intelme-by-security-misc install mei-me /usr/bin/disabled-intelme-by-security-misc +install mei_phy /usr/bin/disabled-intelme-by-security-misc +install mei_pxp /usr/bin/disabled-intelme-by-security-misc +install mei-txe /usr/bin/disabled-intelme-by-security-misc +install mei-vsc-hw /usr/bin/disabled-intelme-by-security-misc +install mei-vsc /usr/bin/disabled-intelme-by-security-misc +install mei_wdt /usr/bin/disabled-intelme-by-security-misc +install microread_mei /usr/bin/disabled-intelme-by-security-misc ## Network File Systems: ## Disable uncommon network file systems to reduce attack surface. From 61941da37509a4bb809212536b79f461a209f584 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 15 Jul 2024 22:38:09 +1000 Subject: [PATCH 419/846] Create `disabled-intelpmt-by-security-misc` --- usr/bin/disabled-intelpmt-by-security-misc | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100755 usr/bin/disabled-intelpmt-by-security-misc diff --git a/usr/bin/disabled-intelpmt-by-security-misc b/usr/bin/disabled-intelpmt-by-security-misc new file mode 100755 index 0000000..44f04bc --- /dev/null +++ b/usr/bin/disabled-intelpmt-by-security-misc 
@@ -0,0 +1,10 @@ +#!/bin/bash + +## Copyright (C) 2024 - 2024 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Alerts the user that a kernel module failed to load due to it being blacklisted by default. + +echo "$0: ERROR: This Intel Platform Monitoring Technology Telemetry (PMT) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 + +exit 1 From 724435e56ea059183241044a4fc09423187533eb Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 15 Jul 2024 22:38:43 +1000 Subject: [PATCH 420/846] Disable some Intel Platform Monitoring Technology Telemetry (PMT) modules --- README.md | 3 +++ etc/modprobe.d/30_security-misc_disable.conf | 9 +++++++++ 2 files changed, 12 insertions(+) diff --git a/README.md b/README.md index b5cf7a3..d4c965c 100644 --- a/README.md +++ b/README.md @@ -156,6 +156,9 @@ disabling should first be blacklisted for a suitable amount of time. - Intel Management Engine (ME): Provides some disabling of the interface between the Intel ME and the OS. +- Intel Platform Monitoring Technology Telemetry (PMT): Disable some functionality + of the Intel PMT components. + - Network File Systems: Disable uncommon and legacy network file systems. - Network Protocols: Wide array of uncommon and legacy network protocols are disabled. diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf index f82ccb6..9cb1156 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf +++ b/etc/modprobe.d/30_security-misc_disable.conf 
@@ -70,6 +70,15 @@ install gnss-usb /usr/bin/disabled-gps-by-security-misc install mei /usr/bin/disabled-intelme-by-security-misc install mei-me /usr/bin/disabled-intelme-by-security-misc +## Intel Platform Monitoring Technology Telemetry (PMT): +## Disable some functionality of the Intel PMT components. +## +## https://github.com/intel/Intel-PMT +## +install pmt_class /usr/bin/disabled-intelpmt-by-security-misc +install pmt_crashlog /usr/bin/disabled-intelpmt-by-security-misc +install pmt_telemetry /usr/bin/disabled-intelpmt-by-security-misc + ## Network File Systems: ## Disable uncommon network file systems to reduce attack surface. ## From 73f6d4b26f51f0c920fe020677f464c536d75410 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Tue, 16 Jul 2024 01:03:41 +1000 Subject: [PATCH 421/846] Fix transcription error --- etc/default/grub.d/40_kernel_hardening.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index eaedccb..8285744 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -128,7 +128,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## Enable CPU manufacturer-specific IOMMU drivers to protect against DMA attacks. ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX amd_iommu=force_isolation" -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on" ## Enable and force use of IOMMU translation to protect against DMA attacks. ## Strictly force DMA unmap operations to synchronously invalidate IOMMU hardware TLBs. From 94df2e3d244f5e6e8e4320c1f28cc11dba00dd36 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Mon, 15 Jul 2024 12:29:52 -0400 Subject: [PATCH 422/846] further discussion required https://github.com/Kicksecure/security-misc/pull/234#issuecomment-2228909249 --- etc/modprobe.d/30_security-misc_disable.conf | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf index 0158586..97d3840 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf +++ b/etc/modprobe.d/30_security-misc_disable.conf @@ -121,12 +121,12 @@ install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc install af_802154 /usr/bin/disabled-network-by-security-misc install appletalk /usr/bin/disabled-network-by-security-misc install ax25 /usr/bin/disabled-network-by-security-misc -install brcm80211 /usr/bin/disabled-network-by-security-misc +#install brcm80211 /usr/bin/disabled-network-by-security-misc install decnet /usr/bin/disabled-network-by-security-misc install dccp /usr/bin/disabled-network-by-security-misc install econet /usr/bin/disabled-network-by-security-misc -install eepro100 /usr/bin/disabled-network-by-security-misc -install eth1394 /usr/bin/disabled-network-by-security-misc +#install eepro100 /usr/bin/disabled-network-by-security-misc +#install eth1394 /usr/bin/disabled-network-by-security-misc install ipx /usr/bin/disabled-network-by-security-misc install n-hdlc /usr/bin/disabled-network-by-security-misc install netrom /usr/bin/disabled-network-by-security-misc 
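Review bot: The `install` lines commented out here (`brcm80211`, `eepro100`, `eth1394`, and in the next hunk `ueagle-atm`, `usbatm`, `xusbatm`) leave no explanation in the configuration file itself; the rationale exists only in the commit subject's link. An administrator reading `30_security-misc_disable.conf` cannot tell whether these were deliberately left optional or accidentally disabled, so a one-line comment above each group such as `## Disabled pending discussion: https://github.com/Kicksecure/security-misc/pull/234#issuecomment-2228909249` would keep the intent next to the rule.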
@@ -139,9 +139,9 @@ install x25 /usr/bin/disabled-network-by-security-misc ## Asynchronous Transfer Mode (ATM): ## install atm /usr/bin/disabled-network-by-security-misc -install ueagle-atm /usr/bin/disabled-network-by-security-misc -install usbatm /usr/bin/disabled-network-by-security-misc -install xusbatm /usr/bin/disabled-network-by-security-misc +#install ueagle-atm /usr/bin/disabled-network-by-security-misc +#install usbatm /usr/bin/disabled-network-by-security-misc +#install xusbatm /usr/bin/disabled-network-by-security-misc ## ## Controller Area Network (CAN) Protocol: ## From fe0846c8c2bdfc0534850b1e9bf9c4130381def9 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 15 Jul 2024 12:30:38 -0400 Subject: [PATCH 423/846] fix https://github.com/Kicksecure/security-misc/pull/234#discussion_r1678065395 --- debian/security-misc.maintscript | 3 --- 1 file changed, 3 deletions(-) diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript index e046582..59043e5 100644 --- a/debian/security-misc.maintscript +++ b/debian/security-misc.maintscript @@ -67,6 +67,3 @@ rm_conffile /etc/permission-hardening.d/25_default_whitelist_sudo.conf rm_conffile /etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf rm_conffile /etc/permission-hardening.d/25_default_whitelist_virtualbox.conf rm_conffile /etc/permission-hardening.d/30_default.conf - -## repalced with /usr/bin/disabled-miscellaneous-by-security-misc -rm_conffile /usr/bin/disabled-vivid-by-security-misc \ No newline at end of file From fe5c840b79c4aabd5c21a286d3ce1a3ee460812c Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 15 Jul 2024 21:18:55 +0000 Subject: [PATCH 424/846] bumped changelog version --- changelog.upstream | 127 +++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 +++ 2 files changed, 133 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 49f6141..b135da6 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,124 @@ +commit 6e63fc8985b97902dbae2553ded51950168dc222 +Merge: fe0846c b7796a5 +Author: Patrick Schleizer +Date: Mon Jul 15 17:14:25 2024 -0400 + + Merge remote-tracking branch 'ben-grande/fuzz' + +commit fe0846c8c2bdfc0534850b1e9bf9c4130381def9 +Author: Patrick Schleizer +Date: Mon Jul 15 12:30:38 2024 -0400 + + fix + + https://github.com/Kicksecure/security-misc/pull/234#discussion_r1678065395 + +commit 94df2e3d244f5e6e8e4320c1f28cc11dba00dd36 +Author: Patrick Schleizer +Date: Mon Jul 15 12:29:52 2024 -0400 + + further discussion required + + https://github.com/Kicksecure/security-misc/pull/234#issuecomment-2228909249 + +commit 41f0b53dd62d2968a6ff88a6fd907ca42f581847 +Merge: 5ba5a85 9300c20 +Author: Patrick Schleizer +Date: Mon Jul 15 12:28:03 2024 -0400 + + Merge remote-tracking branch 'raja/kernel_modules' + +commit 9300c208e25d936f2c633a0904126566afc1c275 +Author: Raja Grewal +Date: Mon Jul 15 21:36:25 2024 +1000 + + Fix script + +commit f2db11269e89d4c945642b661aa9cbe356f89037 +Author: Raja Grewal +Date: Mon Jul 15 21:18:32 2024 +1000 + + Fix script + +commit a8bc1144c32b4b4f20904af5f813da1051fe4c9c +Author: Raja Grewal +Date: Mon Jul 15 21:10:13 2024 +1000 + + Updated wording of error files for disabled modules + +commit fda3832eaf293915ab77ce73a0be2caec15e21fa +Author: Raja Grewal +Date: Mon Jul 15 21:08:45 2024 +1000 + + Replace bash file presented for disabling of miscellaneous modules + +commit 8219a1e257525d487a49e7b3a6b14c1e180a7b52 +Author: Raja Grewal +Date: Mon Jul 15 21:02:10 2024 +1000 + + Update README.md relating to disabled miscellaneous modules + +commit cb2fb95b81efa2ebb2bd80aeaacad9122f0f073c +Author: Raja Grewal +Date: Mon Jul 15 21:01:36 2024 +1000 + + Disable more miscellaneous drivers + +commit c52b1a3fd269ef4f98028dd5eead476abe5d138d +Author: Raja Grewal +Date: Mon Jul 15 20:58:45 2024 +1000 + + Create `disabled-miscellaneous-by-security-misc` + +commit 96aa63267a6fcee03f252f0791f37b7b6222a7c1 +Author: Raja Grewal +Date: 
Mon Jul 15 20:57:14 2024 +1000 + + Disable more Thunderbolt modules + +commit 51f7776bc8722752d53fc503b0c79564d8715d4c +Author: Raja Grewal +Date: Mon Jul 15 20:56:12 2024 +1000 + + Disable more network protocols/drivers + +commit 9e40ff055195b1e8637d1e957c3f8db01f99bbc1 +Author: Raja Grewal +Date: Mon Jul 15 20:54:18 2024 +1000 + + Disable more network file systems + +commit 82c5a93f7cf2846490120c5262a146a313a5ce47 +Author: Raja Grewal +Date: Mon Jul 15 20:53:07 2024 +1000 + + Disable another GPS module + +commit 99b0ce7948213e7f7adf42ddd7c7beb229374bd4 +Author: Raja Grewal +Date: Mon Jul 15 20:47:56 2024 +1000 + + Disable more file systems + +commit 4476a477a77c98cf4334fbcb866bc8f113f568ac +Author: Raja Grewal +Date: Mon Jul 15 20:47:07 2024 +1000 + + Provide option to disable more Bluetooth modules + +commit e0696d02a234e6f7ab9fb601ffe58e7d953846a2 +Author: Raja Grewal +Date: Mon Jul 15 20:46:04 2024 +1000 + + Update `security-misc.maintscript` + Due to previous splitting IN https://github.com/Kicksecure/security-misc/commit/b02230a783941da412be72fb52053db0c6b8010f. + +commit 5ba5a85ad09b74a29c5ed0e5c265d54d93da9d32 +Author: Patrick Schleizer +Date: Sat Jul 13 15:01:16 2024 +0000 + + bumped changelog version + commit ad860063aba0443a8ac8b9cf191d008617d6d904 Merge: f34b9d7 9f58266 Author: Patrick Schleizer @@ -72,6 +193,12 @@ Date: Fri Jul 12 02:27:56 2024 +1000 Remove redundant disabled modules +commit b7796a5334075d5fa538d7579003fde6287d7e6d +Author: Ben Grande +Date: Thu Jul 11 11:04:22 2024 +0200 + + Unify method to find SUID files + commit 05c1711b16c96a221c13a011a6666fe6b385ec1e Author: Patrick Schleizer Date: Tue Jun 11 12:56:56 2024 +0000 diff --git a/debian/changelog b/debian/changelog index 058cddc..ce06bfd 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:37.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 15 Jul 2024 21:18:54 +0000 + security-misc (3:37.7-1) unstable; urgency=medium * New upstream version (local package). From d1119c38b6ad4193919d4b800de0a3cb014f92c1 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 17 Jul 2024 00:31:23 +1000 Subject: [PATCH 425/846] Apply changes from code review --- README.md | 10 ++++++---- usr/lib/sysctl.d/990-security-misc.conf | 2 ++ 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 5d9b594..14d1a23 100644 --- a/README.md +++ b/README.md @@ -16,7 +16,8 @@ configuration file. Significant hardening is applied by default to a myriad of components within kernel space, user space, core dumps, and swap space. -- Restrict kernel addresses regardless of user privileges. +- Restrict access to kernel addresses through the us of kernel pointers regardless + of user privileges. - Restrict access to the kernel logs to `CAP_SYSLOG` as the often contain sensitive information. @@ -33,7 +34,7 @@ space, user space, core dumps, and swap space. - Disable `kexec` as it can be used to replace the running kernel. - Entirely disables the SysRq key so that the Secure Attention Key (SAK) - can no longer be utilised. + can no longer be utilised. See [documentation](https://www.kicksecure.com/wiki/SysRq). - Provide option to disable unprivileged user namespaces as they can lead to privilege escalation. 
@@ -50,12 +51,13 @@ space, user space, core dumps, and swap space. - Prevent hardlink and symlink TOCTOU races in world-writable directories. -- Disallow unintentional writes to attacker-controlled files. +- Disallow unintentional writes to files in world-writable directories unless + they are owned by the directory owner to mitigate some data spoofing attacks. - Increase the maximum number of memory map areas a process is able to utilise. - Disable core dump files and prevent their creation. If core dump files are - enabled, they will be nammed based on `core.PID` instead of the default `core`. + enabled, they will be named based on `core.PID` instead of the default `core`. - Limit the copying of potentially sensitive content in memory to the swap device. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index c1316be..3c80e23 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -215,8 +215,10 @@ kernel.core_uses_pid=1 ## Limit the copying of memory to the swap device only if absolutely necessary. ## Minimises the likelihood of writing potentially sensitive contents to disk. +## Not reccommmeded to set to zero since this disables periodic write behavior. ## ## https://en.wikipedia.org/wiki/Memory_paging#Linux +## https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Performance_Tuning_Guide/s-memory-tunables.html ## vm.swappiness=1 From 824d9b82e53485eed8eaf24e9815ac07ad0f2406 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 17 Jul 2024 00:36:18 +1000 Subject: [PATCH 426/846] Uncomment redundant disabling of TCP FACK` --- usr/lib/sysctl.d/990-security-misc.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 3c80e23..fd51343 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf 
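Review bot: The added comment `## Not reccommmeded to set to zero since this disables periodic write behavior.` has a typo (`recommended`) and its technical claim does not match what `vm.swappiness` controls: the knob weights reclaim of anonymous pages against page-cache pages, whereas periodic writeback of dirty pages is governed by the `vm.dirty_*` sysctls and continues regardless of swappiness. As the kernel sysctl documentation describes it, a value of zero does not stop writeback; it makes the kernel avoid swapping anonymous memory until free memory is nearly exhausted, which raises the risk of OOM kills under pressure. Suggested wording: `## Not recommended to set to zero since the kernel then avoids swapping anonymous memory until free memory is nearly exhausted, increasing OOM risk.`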
@@ -309,7 +309,7 @@ net.ipv6.conf.default.accept_ra=0 ## #net.ipv4.tcp_sack=0 #net.ipv4.tcp_dsack=0 -net.ipv4.tcp_fack=0 +#net.ipv4.tcp_fack=0 ## Disable TCP timestamps to limit device fingerprinting via system time. ## From 49594ccb223c09d70f00434e5875c9dae1a2360d Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 17 Jul 2024 00:49:25 +1000 Subject: [PATCH 427/846] Partially revert https://github.com/raja-grewal/security-misc/commit/f4d652fa7b5dd350b577521c6bba22c9eb3c13f1 --- etc/default/grub.d/41_quiet_boot.cfg | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/etc/default/grub.d/41_quiet_boot.cfg b/etc/default/grub.d/41_quiet_boot.cfg index 25d819a..4beed93 100644 --- a/etc/default/grub.d/41_quiet_boot.cfg +++ b/etc/default/grub.d/41_quiet_boot.cfg @@ -1,6 +1,14 @@ ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. +## Some default configuration files automatically include the "quiet" parameter. +## Thefore, first remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT since "quiet" must be first. +## LANG=C str_replace is provided by package helper-scripts. +## +## https://github.com/Kicksecure/security-misc/pull/233#issuecomment-2228792461 +## +GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | LANG=C str_replace "quiet" "")" + ## Prevent sensitive kernel information leaks in the console during boot. ## Must be used in combination with the kernel.printk sysctl. ## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation. From d69fe88091c7212a9af86306c797aed40398584b Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 17 Jul 2024 01:08:01 +1000 Subject: [PATCH 428/846] Provide option to disable `uvcvideo` driver --- etc/modprobe.d/30_security-misc_disable.conf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf index 97d3840..9e91697 100644 
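Review bot: The new `GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | LANG=C str_replace "quiet" "")"` line silently empties `GRUB_CMDLINE_LINUX_DEFAULT` whenever `str_replace` is missing or fails, because the command substitution then yields an empty string and every other default parameter is dropped with no error surfaced. The comment states `str_replace` comes from package `helper-scripts`, so either that package must be a hard dependency of this file or the assignment should be wrapped in `if command -v str_replace >/dev/null 2>&1; then … fi`, and `printf '%s'` is preferable to `echo` for feeding an arbitrary value through the pipe. A plain substring replacement of `quiet` would also alter any other parameter containing that text; a whole-word match is safer if such parameters can occur. The added comment misspells `Therefore` as `Thefore`.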
--- a/etc/modprobe.d/30_security-misc_disable.conf +++ b/etc/modprobe.d/30_security-misc_disable.conf @@ -193,6 +193,11 @@ install hamradio /usr/bin/disabled-miscellaneous-by-security-misc ## install floppy /usr/bin/disabled-miscellaneous-by-security-misc ## +## USB Video Device Class: +## Disables USB-based video streaming driver for devices like webcams and digital camcorders. +## +#install uvcvideo /usr/bin/disabled-miscellaneous-by-security-misc +## ## Vivid: ## Disables the vivid kernel module since it has been the cause of multiple vulnerabilities. ## From f317aaebab126bafe3cfaef8159bf0820c392c87 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 17 Jul 2024 01:09:02 +1000 Subject: [PATCH 429/846] Disable two network modules These were previously blacklisted for two years in https://github.com/Kicksecure/security-misc/commit/61ef9bd59f9ff39c140f782ff5b41d0a3c6d97bc. --- etc/modprobe.d/30_security-misc_disable.conf | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf index 9e91697..b6be29e 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf +++ b/etc/modprobe.d/30_security-misc_disable.conf @@ -113,10 +113,12 @@ install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc ## Network Protocols: ## Disables rare and unneeded network protocols that are a common source of unknown vulnerabilities. +## Previously had blacklisted eepro100 and eth1394. ## ## https://tails.boum.org/blueprint/blacklist_modules/ ## https://fedoraproject.org/wiki/Security_Features_Matrix#Blacklist_Rare_Protocols ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-rare-network.conf?h=ubuntu/disco +## https://github.com/Kicksecure/security-misc/pull/234#issuecomment-2230732015 ## install af_802154 /usr/bin/disabled-network-by-security-misc install appletalk /usr/bin/disabled-network-by-security-misc 
@@ -125,8 +127,8 @@ install ax25 /usr/bin/disabled-network-by-security-misc install decnet /usr/bin/disabled-network-by-security-misc install dccp /usr/bin/disabled-network-by-security-misc install econet /usr/bin/disabled-network-by-security-misc -#install eepro100 /usr/bin/disabled-network-by-security-misc -#install eth1394 /usr/bin/disabled-network-by-security-misc +install eepro100 /usr/bin/disabled-network-by-security-misc +install eth1394 /usr/bin/disabled-network-by-security-misc install ipx /usr/bin/disabled-network-by-security-misc install n-hdlc /usr/bin/disabled-network-by-security-misc install netrom /usr/bin/disabled-network-by-security-misc From abafb1945cace774429fefd0c1a037fb2ec3f774 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 17 Jul 2024 13:26:03 +1000 Subject: [PATCH 430/846] Add Intel ME references --- etc/modprobe.d/30_security-misc_disable.conf | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf index da40ded..28f9f3d 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf +++ b/etc/modprobe.d/30_security-misc_disable.conf @@ -64,8 +64,13 @@ install gnss-usb /usr/bin/disabled-gps-by-security-misc ## Intel Management Engine (ME): ## Partially disable the Intel ME interface with the OS. +## ME functionality has increasing become more intertwined with basic system operation. +## Disabling may lead to breakages places such as security, power management, display, and DRM. ## ## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html +## https://en.wikipedia.org/wiki/Intel_Management_Engine#Security_vulnerabilities +## https://www.kicksecure.com/wiki/Out-of-band_Management_Technology#Intel_ME_Disabling_Disadvantages +## https://github.com/Kicksecure/security-misc/pull/236#issuecomment-2229092813 ## install mei /usr/bin/disabled-intelme-by-security-misc install mei-gsc /usr/bin/disabled-intelme-by-security-misc 
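Review bot: The added comment `## Previously had blacklisted eepro100 and eth1394.` reads as history while this very hunk is what turns those entries into active `install` lines; say what a reader needs, e.g. `## eepro100 and eth1394 were blacklisted (not disabled) for two years before being disabled here, see the linked PR comment.` Both names also appear to be legacy device drivers rather than protocols (an old Intel Ethernet driver and IP-over-FireWire, both seemingly long removed from mainline — worth confirming), so they sit oddly under the "Network Protocols" heading; a one-line note saying so would stop a future reader assuming a protocol was meant. Note that an `install` directive only blocks modprobe autoloading; it has no effect on a module built into the kernel.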
@@ -75,8 +80,8 @@ install mei-me /usr/bin/disabled-intelme-by-security-misc install mei_phy /usr/bin/disabled-intelme-by-security-misc install mei_pxp /usr/bin/disabled-intelme-by-security-misc install mei-txe /usr/bin/disabled-intelme-by-security-misc -install mei-vsc-hw /usr/bin/disabled-intelme-by-security-misc install mei-vsc /usr/bin/disabled-intelme-by-security-misc +install mei-vsc-hw /usr/bin/disabled-intelme-by-security-misc install mei_wdt /usr/bin/disabled-intelme-by-security-misc install microread_mei /usr/bin/disabled-intelme-by-security-misc From 81a3715c7c0b73796a62297ebe55e861a46f7686 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 17 Jul 2024 13:32:08 +1000 Subject: [PATCH 431/846] Add info regarding the downsides of disabling SMT --- etc/default/grub.d/40_cpu_mitigations.cfg | 3 +++ 1 file changed, 3 insertions(+) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index 13d8ffd..e303f9f 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg @@ -17,9 +17,12 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt" ## Disable SMT as it has been the cause of and amplified numerous CPU exploits. ## The only full mitigation of cross-HT attacks is to disable SMT. +## Disabling will significantly decrease system performance on multi-threaded tasks. +## To enable SMT, remove this line all other occurrences of "nosmt" in this file. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17 +## https://github.com/anthraxx/linux-hardened/issues/37#issuecomment-619597365 ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force" From 693b47e6235528ab7a9032818cce22fd63a4f5ea Mon Sep 17 00:00:00 2001 
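Review bot: The two added comment lines need a grammar pass: `## ME functionality has increasingly become intertwined with basic system operation.` and `## Disabling may lead to breakage in areas such as security, power management, display, and DRM.` (current text reads "has increasing become" and "breakages places such as"). That second sentence is a strong warning attached to entries this hunk leaves active by default; if breakage of security-relevant functionality is expected, either name which functions depend on mei (the linked PR comment is the source, so hedge accordingly) or make the entries opt-in, which is the convention the README describes for risky disables. The mei-vsc / mei-vsc-hw swap in the second hunk is alphabetical reordering only.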
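Review bot: The new instruction line is missing a conjunction and under-describes what has to change: `## To enable SMT, remove this line and all other occurrences of "nosmt" in this file.` — in this file `nosmt` also appears as a suffix inside `mitigations=auto,nosmt` (visible context above) and `retbleed=auto,nosmt` further down, where the rest of the value must stay. It is also worth stating that `nosmt=force`, per the kernel parameter documentation, cannot be undone through `/sys/devices/system/cpu/smt/control` at runtime, so re-enabling SMT requires `update-grub` and a reboot rather than a sysfs write.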
From: Raja Grewal Date: Wed, 17 Jul 2024 14:58:30 +1000 Subject: [PATCH 432/846] Clarify ICMP redirect acceptance and sending --- usr/lib/sysctl.d/990-security-misc.conf | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index fd51343..3cebc76 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -252,16 +252,22 @@ net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.default.rp_filter=1 ## Disable ICMP redirect acceptance and redirect sending messages. -## Prevents man-in-the-middle attacks and minimises information disclosure. +## Prevents man-in-the-middle attacks and minimises information disclosure. +## +## https://askubuntu.com/questions/118273/what-are-icmp-redirects-and-should-they-be-blocked ## net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.default.accept_redirects=0 -net.ipv4.conf.all.secure_redirects=0 -net.ipv4.conf.default.secure_redirects=0 -net.ipv6.conf.all.accept_redirects=0 -net.ipv6.conf.default.accept_redirects=0 net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_redirects=0 +net.ipv6.conf.all.accept_redirects=0 +net.ipv6.conf.default.accept_redirects=0 + +## Accept ICMP redirect messages only for approved gateways. +## If ICMP redirect messages are permitted, only useful if managing a default gateway list. +## +net.ipv4.conf.all.secure_redirects=0 +net.ipv4.conf.default.secure_redirects=0 ## Ignore ICMP echo requests. ## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks. From a3408990ab439e6edbf8691cf7d65fb16c0d24df Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 17 Jul 2024 15:03:39 +1000 Subject: [PATCH 433/846] Uncomment disabling of already disabled ATM modules --- etc/modprobe.d/30_security-misc_disable.conf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
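Review bot: The new comment above `net.ipv4.conf.*.secure_redirects=0` describes the opposite of the value set: per the kernel's ip-sysctl documentation, `secure_redirects=1` restricts accepted redirects to gateways in the interface's default-gateway list, while `0` removes that restriction and accepts redirects from any source. It is moot here only because `accept_redirects=0` above drops all redirects; anyone who later re-enables accept_redirects inherits the weaker value. Either set `secure_redirects=1` as defense in depth, or keep `0` (the common benchmark convention) and say so: `## No effect while accept_redirects=0; set to 1 to limit redirects to listed gateways if accept_redirects is ever enabled.`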
diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf index b6be29e..e278caa 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf +++ b/etc/modprobe.d/30_security-misc_disable.conf @@ -141,9 +141,9 @@ install x25 /usr/bin/disabled-network-by-security-misc ## Asynchronous Transfer Mode (ATM): ## install atm /usr/bin/disabled-network-by-security-misc -#install ueagle-atm /usr/bin/disabled-network-by-security-misc -#install usbatm /usr/bin/disabled-network-by-security-misc -#install xusbatm /usr/bin/disabled-network-by-security-misc +install ueagle-atm /usr/bin/disabled-network-by-security-misc +install usbatm /usr/bin/disabled-network-by-security-misc +install xusbatm /usr/bin/disabled-network-by-security-misc ## ## Controller Area Network (CAN) Protocol: ## From 39fd125eb0f0c16c8a64933bbd04709287a2686a Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 17 Jul 2024 21:44:44 +1000 Subject: [PATCH 434/846] Provide explanation on the disabling of IPv6 Privacy Extensions --- .../NetworkManager/conf.d/80_ipv6-privacy.conf | 8 ++++++++ .../NetworkManager/conf.d/80_randomize-mac.conf | 8 ++++++++ usr/lib/sysctl.d/990-security-misc.conf | 17 +++++++++++++++++ .../80_ipv6-privacy-extensions.conf | 8 ++++++++ 4 files changed, 41 insertions(+) diff --git a/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf b/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf index bc2280c..0605c37 100644 --- a/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf +++ b/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf @@ -1,2 +1,10 @@ +## MAC randomisation breaks root server and VirtualBox DHCP likely due to IPv6 Privacy Extensions. +## +## https://datatracker.ietf.org/doc/html/rfc4941 +## https://github.com/Kicksecure/security-misc/pull/145 +## https://github.com/Kicksecure/security-misc/issues/184 +## +## The use of IPv6 Privacy Extenstions is currently diasbled due to these breakages. + #[connection] #ipv6.ip6-privacy=2 
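Review bot: The added header has two typos on its last line (`Extenstions`, `diasbled`) and states the causation backwards for this file: the setting kept commented out here is NetworkManager's `ipv6.ip6-privacy=2`, so the comment should say that IPv6 Privacy Extensions were observed to break root-server and VirtualBox DHCP (per the linked issues), not that MAC randomisation breaks them "likely due to" privacy extensions. Suggested: `## IPv6 Privacy Extensions (RFC 4941) were reported to break DHCP on root servers and in VirtualBox (see linked issues); the setting is disabled until the cause is understood.` The same block is pasted verbatim into three other files in this commit, so whichever wording is chosen should be applied to all of them.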
diff --git a/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf b/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf index 428c0e2..04d0312 100644 --- a/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf +++ b/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf @@ -1,3 +1,11 @@ +## MAC randomisation breaks root server and VirtualBox DHCP likely due to IPv6 Privacy Extensions. +## +## https://datatracker.ietf.org/doc/html/rfc4941 +## https://github.com/Kicksecure/security-misc/pull/145 +## https://github.com/Kicksecure/security-misc/issues/184 +## +## The use of IPv6 Privacy Extenstions is currently diasbled due to these breakages. + #[device-mac-randomization] #wifi.scan-rand-mac-address=yes diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 3cebc76..2235dfc 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -337,3 +337,20 @@ net.ipv4.tcp_timestamps=0 ## #net.ipv4.conf.all.log_martians=1 #net.ipv4.conf.default.log_martians=1 + +## Enable IPv6 Privacy Extensions prefer temporary addresses over public addresses. +## The temporary/privacy address is used as the source of all outgoing traffic. +## Must be used in combination with /usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf. +## Must be used in combination with /usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf. +## Should be used with MAC randomisation in /usr/lib/NetworkManager/conf.d/80_randomize-mac.conf. +## +## MAC randomisation breaks root server and VirtualBox DHCP likely due to IPv6 Privacy Extensions. +## +## https://datatracker.ietf.org/doc/html/rfc4941 +## https://github.com/Kicksecure/security-misc/pull/145 +## https://github.com/Kicksecure/security-misc/issues/184 +## +## The use of IPv6 Privacy Extenstions is currently diasbled due to these breakages. +## +#net.ipv6.conf.all.use_tempaddr=2 +#net.ipv6.conf.default.use_tempaddr=2 \ No newline at end of file 
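Review bot: The comment pasted into this file does not match what the file controls: the commented-out key is `wifi.scan-rand-mac-address` (MAC randomisation during Wi-Fi scanning), yet the closing line says `The use of IPv6 Privacy Extenstions is currently diasbled`, which is a different feature in a different file, and "likely due to IPv6 Privacy Extensions" is a guess that should be hedged or dropped. A reader toggling this setting needs to know what it breaks: `## MAC address randomisation is currently disabled because it was reported to break DHCP on root servers and in VirtualBox (see linked issues).` Typos `Extenstions` / `diasbled` as well.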
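Review bot: The first sentence of the new block drops a word and the block conflates two independent features: `## Enable IPv6 Privacy Extensions and prefer temporary addresses over public addresses.` is what `use_tempaddr=2` means per the kernel docs, whereas MAC randomisation is a link-layer setting with no dependency on temporary addresses, so `Should be used with MAC randomisation` needs a stated reason or should go. It is also worth noting why both lines are needed: `all.use_tempaddr` only reaches interfaces that exist when the file is applied, `default.use_tempaddr` covers interfaces created afterwards. The file as committed lacks a trailing newline (`\ No newline at end of file`), which a later commit in this series fixes.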
diff --git a/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf b/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf index ad1e947..e53c635 100644 --- a/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf +++ b/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf @@ -1,2 +1,10 @@ +## MAC randomisation breaks root server and VirtualBox DHCP likely due to IPv6 Privacy Extensions. +## +## https://datatracker.ietf.org/doc/html/rfc4941 +## https://github.com/Kicksecure/security-misc/pull/145 +## https://github.com/Kicksecure/security-misc/issues/184 +## +## The use of IPv6 Privacy Extenstions is currently diasbled due to these breakages. + #[Network] #IPv6PrivacyExtensions=kernel From 25fd532ce62399d5bb42d844ad32b5128eaf748d Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 17 Jul 2024 21:56:40 +1000 Subject: [PATCH 435/846] Update README.md relating to `sysctl`'s --- README.md | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 14d1a23..1a4efa6 100644 --- a/README.md +++ b/README.md @@ -36,8 +36,8 @@ space, user space, core dumps, and swap space. - Entirely disables the SysRq key so that the Secure Attention Key (SAK) can no longer be utilised. See [documentation](https://www.kicksecure.com/wiki/SysRq). -- Provide option to disable unprivileged user namespaces as they can lead to - privilege escalation. +- Provide the option to disable unprivileged user namespaces as they can lead to + substantial privilege escalation. - Restrict kernel profiling and the performance events system to `CAP_PERFMON`. 
@@ -46,8 +46,8 @@ space, user space, core dumps, and swap space. - Disable asynchronous I/O (when using Linux kernel version >= 6.6). - Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it - enables programs to inspect and modify other active processes. Provide option - to also entirely disable the use of `ptrace()` for all processes. + enables programs to inspect and modify other active processes. Provide the + option to also entirely disable the use of `ptrace()` for all processes. - Prevent hardlink and symlink TOCTOU races in world-writable directories. @@ -82,13 +82,15 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6. - Do not accept IPv6 router advertisements and solicitations. -- Provide option to disable SACK and DSACK as they have historically been a - vector for exploitation. +- Provide the option to disable SACK and DSACK as they have historically been + a known vector for exploitation. - Disable TCP timestamps as it can allow detecting the system time. -- Provide option to log of packets with impossible source or destination - addresses to enable inspection and further analysis. +- Provide the option to log of packets with impossible source or destination + addresses to enable further inspection and analysis. + +- Provide the option to enable IPv6 Privacy Extensions. ### mmap ASLR @@ -225,6 +227,12 @@ rather it is a form of badness enumeration. ## Network hardening +Not yet due to issues: + +- https://github.com/Kicksecure/security-misc/pull/145 + +- https://github.com/Kicksecure/security-misc/issues/184 + - Unlike version 4, IPv6 addresses can provide information not only about the originating network, but also the originating device. We prevent this from happening by enabling the respective privacy extensions for IPv6. From 6d6e5473f2778a2a5b1ca7826d0a3a5a63cff08a Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Wed, 17 Jul 2024 08:00:24 -0400 Subject: [PATCH 436/846] minor --- usr/lib/sysctl.d/30_silent-kernel-printk.conf | 2 +- usr/lib/sysctl.d/990-security-misc.conf | 18 +++++++++--------- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/usr/lib/sysctl.d/30_silent-kernel-printk.conf b/usr/lib/sysctl.d/30_silent-kernel-printk.conf index de73876..884a2a6 100644 --- a/usr/lib/sysctl.d/30_silent-kernel-printk.conf +++ b/usr/lib/sysctl.d/30_silent-kernel-printk.conf @@ -11,4 +11,4 @@ kernel.printk=3 3 3 3 ## For Increased Log Verbosity: ## Adjust (or comment out) the kernel parameters in /etc/default/grub.d/41_quiet_boot.cfg. -## Alternatively, installing the debug-misc package will undo these settings. \ No newline at end of file +## Alternatively, installing the debug-misc package will undo these settings. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 3cebc76..67af3c3 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -26,7 +26,7 @@ ## https://wiki.archlinux.org/title/Security#Kernel_hardening ## Restrict kernel addresses via /proc and other interfaces regardless of user privileges. -## Kernel pointers expose specific locations in kernel memory. +## Kernel pointers expose specific locations in kernel memory. ## ## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak ## 
@@ -128,10 +128,10 @@ kernel.io_uring_disabled=2 ## ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace -## Restrict usage of the ptrace() system call to only processes with CAP_SYS_PTRACE. +## Restrict usage of the ptrace() system call to only processes with CAP_SYS_PTRACE. ## Limit ptrace() as it enables programs to inspect and modify other active processes. ## Prevents native code debugging which some programs use as a method to detect tampering. -## May cause breakages in 'anti-cheat' software and programs running under Proton/WINE. +## May cause breakages in 'anti-cheat' software and programs running under Proton/WINE. ## ## https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html#ptrace-scope ## https://en.wikipedia.org/wiki/Ptrace @@ -139,7 +139,7 @@ kernel.io_uring_disabled=2 ## https://github.com/GrapheneOS/os-issue-tracker/issues/651#issuecomment-917599928 ## https://github.com/netblue30/firejail/issues/2860 ## -## It is possible to harden further by disabling ptrace() for all users, see documentation. +## It is possible to harden further by disabling ptrace() for all users, see documentation. ## kernel.yama.ptrace_scope=2 @@ -236,7 +236,7 @@ net.ipv4.tcp_syncookies=1 ## Protect against TCP time-wait assassination hazards. ## Drops RST packets for sockets in the time-wait state. -## +## ## https://tools.ietf.org/html/rfc1337 ## net.ipv4.tcp_rfc1337=1 @@ -282,7 +282,7 @@ net.ipv6.icmp.echo_ignore_all=1 ## net.ipv4.icmp_ignore_bogus_error_responses=1 -## Disable source routing which allows users redirect network traffic. +## Disable source routing which allows users redirect network traffic. ## Prevents man-in-the-middle attacks in which the traffic is redirected. ## ## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-disable-source-routing 
@@ -303,7 +303,7 @@ net.ipv6.conf.default.accept_ra=0 ## Forward acknowledgements (FACKs) are a legacy option that will (eventually) be deprecated. ## Disabling can cause severe connectivity issues on networks with high latency or packet loss. ## Enabling on stable high-bandwidth networks can lead to reduced efficiency of TCP connections. -## +## ## https://datatracker.ietf.org/doc/html/rfc2018 ## https://datatracker.ietf.org/doc/html/rfc2883 ## https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf @@ -329,11 +329,11 @@ net.ipv4.tcp_timestamps=0 ## Recommended to keep a (kernel dmesg) log of these to identify these suspicious packets. ## Good for troubleshooting and diagnostics but not necessary by default. ## Known for causing performance issues especially on systems with multiple interfaces. -## +## ## https://wiki.archlinux.org/title/Sysctl#Log_martian_packets ## https://github.com/Kicksecure/security-misc/issues/214 ## -## The logging of martian packets is currently disabled. +## The logging of martian packets is currently disabled. ## #net.ipv4.conf.all.log_martians=1 #net.ipv4.conf.default.log_martians=1 From 0b873b765e20b06113d808075fa95c8acbb1e0fc Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 17 Jul 2024 08:05:27 -0400 Subject: [PATCH 437/846] minor --- usr/lib/sysctl.d/990-security-misc.conf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 9e132f1..88dab81 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf 
@@ -340,10 +340,10 @@ net.ipv4.tcp_timestamps=0 ## Enable IPv6 Privacy Extensions prefer temporary addresses over public addresses. ## The temporary/privacy address is used as the source of all outgoing traffic. -## Must be used in combination with /usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf. +## Must be used in combination with /usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf. ## Must be used in combination with /usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf. ## Should be used with MAC randomisation in /usr/lib/NetworkManager/conf.d/80_randomize-mac.conf. -## +## ## MAC randomisation breaks root server and VirtualBox DHCP likely due to IPv6 Privacy Extensions. ## ## https://datatracker.ietf.org/doc/html/rfc4941 @@ -353,4 +353,4 @@ net.ipv4.tcp_timestamps=0 ## The use of IPv6 Privacy Extenstions is currently diasbled due to these breakages. ## #net.ipv6.conf.all.use_tempaddr=2 -#net.ipv6.conf.default.use_tempaddr=2 \ No newline at end of file +#net.ipv6.conf.default.use_tempaddr=2 From d29a616142562492db6c45c299f002100e905828 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 17 Jul 2024 08:39:20 -0400 Subject: [PATCH 438/846] minor --- etc/default/grub.d/40_cpu_mitigations.cfg | 4 ++-- etc/default/grub.d/40_kernel_hardening.cfg | 8 ++++---- etc/default/grub.d/40_remount_secure.cfg | 4 ++-- etc/default/grub.d/41_quiet_boot.cfg | 2 +- 4 files changed, 9 insertions(+), 9 deletions(-) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index e303f9f..55b6c17 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg 
@@ -109,9 +109,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt" ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX gather_data_sampling=force" -## Enable Register File Data Sampling (RFDS) mitigation on Intel Atom CPUs which +## Enable Register File Data Sampling (RFDS) mitigation on Intel Atom CPUs which ## encompasses E-cores on hybrid architectures. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/reg-file-data-sampling.html ## -GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX reg_file_data_sampling=on" \ No newline at end of file +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX reg_file_data_sampling=on" diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 8285744..946f2a4 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -82,7 +82,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## Can sometimes potentially indicate and thwart certain kernel exploitation attempts. ## Also cause panics on machine check exceptions. ## Panics may be due to false-positives such as bad drivers. -## +## ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713 ## ## See /usr/libexec/security-misc/panic-on-oops for implementation. @@ -157,7 +157,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma" ## Do not credit the CPU or bootloader seeds as entropy sources at boot. ## The RDRAND CPU (RNG) instructions are proprietary and closed-source. -## Numerous implementations of RDRAND have a long history of being defective. +## Numerous implementations of RDRAND have a long history of being defective. ## The RNG seed passed by the bootloader could also potentially be tampered. ## Maximising the entropy pool at boot is desirable for all cryptographic operations. ## These settings ensure additional entropy is obtained from other sources to initialise the RNG. 
@@ -191,10 +191,10 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy" ## Disable the entire IPv6 stack functionality. ## Removes attack surface associated with the IPv6 module. -## +## ## https://www.kernel.org/doc/html/latest/networking/ipv6.html ## https://wiki.archlinux.org/title/IPv6#Disable_IPv6 ## ## Enabling makes redundant many network hardening sysctl's in usr/lib/sysctl.d/990-security-misc.conf. ## -#ipv6.disable=1 \ No newline at end of file +#ipv6.disable=1 diff --git a/etc/default/grub.d/40_remount_secure.cfg b/etc/default/grub.d/40_remount_secure.cfg index c180456..3427bf1 100644 --- a/etc/default/grub.d/40_remount_secure.cfg +++ b/etc/default/grub.d/40_remount_secure.cfg @@ -1,7 +1,7 @@ ## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Remount Secure provides enhanced security via mmount options: +## Remount Secure provides enhanced security via mmount options: ## https://www.kicksecure.com/wiki/Security-misc#Remount_Secure ## Option A (No Security): @@ -20,6 +20,6 @@ #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=2" ## Option D (Highest Security) -## Re-mount with nodev, nosuid, and noexec for all mount points including /home. +## Re-mount with nodev, nosuid, and noexec for all mount points including /home. ## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=3" diff --git a/etc/default/grub.d/41_quiet_boot.cfg b/etc/default/grub.d/41_quiet_boot.cfg index 4beed93..9a23579 100644 --- a/etc/default/grub.d/41_quiet_boot.cfg +++ b/etc/default/grub.d/41_quiet_boot.cfg @@ -26,4 +26,4 @@ GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT quiet" ## For Increased Log Verbosity: ## Adjust (or comment out) the kernel.printk sysctl in /usr/lib/sysctl.d/30_silent-kernel-printk.conf. -## Alternatively, installing the debug-misc package will undo these settings. \ No newline at end of file +## Alternatively, installing the debug-misc package will undo these settings. 
From 6157e328f40a7f3780208489b1ffecef8e6d738a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 17 Jul 2024 08:52:11 -0400 Subject: [PATCH 439/846] no longer disable Intel ME related kernel modules https://github.com/Kicksecure/security-misc/issues/239 --- etc/modprobe.d/30_security-misc_disable.conf | 24 ++++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf index 8633c62..97a8196 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf +++ b/etc/modprobe.d/30_security-misc_disable.conf 
@@ -90,18 +90,18 @@ install gnss-usb /usr/bin/disabled-gps-by-security-misc ## https://www.kicksecure.com/wiki/Out-of-band_Management_Technology#Intel_ME_Disabling_Disadvantages ## https://github.com/Kicksecure/security-misc/pull/236#issuecomment-2229092813 ## -install mei /usr/bin/disabled-intelme-by-security-misc -install mei-gsc /usr/bin/disabled-intelme-by-security-misc -install mei_gsc_proxy /usr/bin/disabled-intelme-by-security-misc -install mei_hdcp /usr/bin/disabled-intelme-by-security-misc -install mei-me /usr/bin/disabled-intelme-by-security-misc -install mei_phy /usr/bin/disabled-intelme-by-security-misc -install mei_pxp /usr/bin/disabled-intelme-by-security-misc -install mei-txe /usr/bin/disabled-intelme-by-security-misc -install mei-vsc /usr/bin/disabled-intelme-by-security-misc -install mei-vsc-hw /usr/bin/disabled-intelme-by-security-misc -install mei_wdt /usr/bin/disabled-intelme-by-security-misc -install microread_mei /usr/bin/disabled-intelme-by-security-misc +#install mei /usr/bin/disabled-intelme-by-security-misc +#install mei-gsc /usr/bin/disabled-intelme-by-security-misc +#install mei_gsc_proxy /usr/bin/disabled-intelme-by-security-misc +#install mei_hdcp /usr/bin/disabled-intelme-by-security-misc +#install mei-me /usr/bin/disabled-intelme-by-security-misc +#install mei_phy /usr/bin/disabled-intelme-by-security-misc +#install mei_pxp /usr/bin/disabled-intelme-by-security-misc +#install mei-txe /usr/bin/disabled-intelme-by-security-misc +#install mei-vsc /usr/bin/disabled-intelme-by-security-misc +#install mei-vsc-hw /usr/bin/disabled-intelme-by-security-misc +#install mei_wdt /usr/bin/disabled-intelme-by-security-misc +#install microread_mei /usr/bin/disabled-intelme-by-security-misc ## Network File Systems: ## Disable uncommon network file systems to reduce attack surface. From f7772fb85a1fe6d3c0749e5f34fc29111b6a8125 Mon Sep 17 00:00:00 2001 
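Review bot: All twelve `install mei*` lines become commented out while the section header above the hunk ("Partially disable the Intel ME interface with the OS", per context visible in an earlier hunk) and the breakage warning stay as they are, with nothing on the new side saying the entries are now opt-in or why. The sibling sysctl file already uses an explicit status line for this situation (`## The logging of martian packets is currently disabled.`), so add one here, e.g. `## Disabling the Intel ME kernel modules is currently not enabled by default, see: https://github.com/Kicksecure/security-misc/issues/239`, matching the README change in this series. Systems that had these modules blocked will see mei autoload again after upgrading, which deserves a changelog mention if the package keeps one.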
From: Patrick Schleizer Date: Wed, 17 Jul 2024 08:57:35 -0400 Subject: [PATCH 440/846] minor --- README.md | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/README.md b/README.md index bad198e..1978aee 100644 --- a/README.md +++ b/README.md @@ -16,10 +16,10 @@ configuration file. Significant hardening is applied by default to a myriad of components within kernel space, user space, core dumps, and swap space. -- Restrict access to kernel addresses through the us of kernel pointers regardless +- Restrict access to kernel addresses through the us of kernel pointers regardless of user privileges. -- Restrict access to the kernel logs to `CAP_SYSLOG` as the often contain +- Restrict access to the kernel logs to `CAP_SYSLOG` as the often contain sensitive information. - Prevent kernel information leaks in the console during boot. @@ -46,7 +46,7 @@ space, user space, core dumps, and swap space. - Disable asynchronous I/O (when using Linux kernel version >= 6.6). - Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it - enables programs to inspect and modify other active processes. Provide the + enables programs to inspect and modify other active processes. Provide the option to also entirely disable the use of `ptrace()` for all processes. - Prevent hardlink and symlink TOCTOU races in world-writable directories. 
@@ -67,10 +67,10 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6. - Protect against TCP time-wait assassination hazards. -- Enables reverse path filtering (source validation) of packets received +- Enables reverse path filtering (source validation) of packets received from all interfaces to prevent IP spoofing. -- Disable ICMP redirect acceptance and redirect sending messages to +- Disable ICMP redirect acceptance and redirect sending messages to prevent man-in-the-middle attacks and minimise information disclosure. - Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks. @@ -87,7 +87,7 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6. - Disable TCP timestamps as it can allow detecting the system time. -- Provide the option to log of packets with impossible source or destination +- Provide the option to log of packets with impossible source or destination addresses to enable further inspection and analysis. - Provide the option to enable IPv6 Privacy Extensions. 
@@ -102,20 +102,20 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6. ### Boot parameters Mitigations for known CPU vulnerabilities are enabled in their strictest form -and simultaneous multithreading (SMT) is disabled. See the +and simultaneous multithreading (SMT) is disabled. See the `/etc/default/grub.d/40_cpu_mitigations.cfg` configuration file. Boot parameters relating to kernel hardening, DMA mitigations, and entropy generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg` configuration file. -- Disable merging of slabs with similar size which reduces the risk of +- Disable merging of slabs with similar size which reduces the risk of triggering heap overflows and limits influencing slab cache layout. - Enable memory zeroing at both allocation and free time which mitigate some use-after-free vulnerabilities by erasing sensitive information in memory. -- Enable the kernel page allocator to randomise free lists to limit some data +- Enable the kernel page allocator to randomise free lists to limit some data exfiltration and ROP attacks especially during the early boot process. - Enable kernel page table isolation increase KASLR effectiveness and also @@ -124,13 +124,13 @@ configuration file. - Enables randomisation of the kernel stack offset on syscall entries to harden against memory corruption attacks. -- Disable vsyscalls as they are vulnerable to ROP attacks and have now been +- Disable vsyscalls as they are vulnerable to ROP attacks and have now been replaced by vDSO. -- Restrict access to debugfs by not registering the file system since it can +- Restrict access to debugfs by not registering the file system since it can contain sensitive information. -- Force kernel panics on "oopses" to potentially indicate and thwart certain +- Force kernel panics on "oopses" to potentially indicate and thwart certain kernel exploitation attempts. - Provide option to modify machine check exception handler. 
@@ -144,7 +144,7 @@ configuration file.
 - Do not credit the CPU or bootloader as entropy sources at boot in order to
 maximise the absolute quantity of entropy in the combined pool.
-- Obtain more entropy at boot from RAM as the runtime memory allocator is
+- Obtain more entropy at boot from RAM as the runtime memory allocator is
 being initialised.
 - Provide option to disable the entire IPv6 stack to reduce attack surface.
@@ -188,8 +188,8 @@ modules from automatically starting.
 - CD-ROM/DVD: Blacklist modules required for CD-ROM/DVD devices.
-- Framebuffer Drivers: Blacklisted as they are well-known to be buggy, cause
- kernel panics, and are generally only used by legacy devices.
+- Framebuffer Drivers: Blacklisted as they are well-known to be buggy, cause
+ kernel panics, and are generally only used by legacy devices.
 - Miscellaneous: Blacklist an assortment other modules to prevent them from
 automatically loading.
@@ -204,7 +204,7 @@ disabling should first be blacklisted for a suitable amount of time.
 - FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks.
-- GPS: Disable GPS-related modules such as those required for Global Navigation
+- GPS: Disable GPS-related modules such as those required for Global Navigation
 Satellite Systems (GNSS).
 - Intel Management Engine (ME): Provides some disabling of the interface between the
@@ -305,7 +305,7 @@ See: `/usr/lib/modules-load.d/30_security-misc.conf` configuration file.
 - Distrusts the CPU for initial entropy at boot as it is not possible to
- audit, may contain weaknesses or a backdoor. Similarly, do not credit the
+ audit, may contain weaknesses or a backdoor. Similarly, do not credit the
 bootloader seed for initial entropy.
 For references, see: `/etc/default/grub.d/40_kernel_hardening.cfg`
From afe3c25a49940f7f322414c08e8dbd631e696215 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Wed, 17 Jul 2024 08:58:00 -0400
Subject: [PATCH 441/846] update readme
https://github.com/Kicksecure/security-misc/issues/239
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 1978aee..a515c45 100644
--- a/README.md
+++ b/README.md
@@ -207,8 +207,8 @@ disabling should first be blacklisted for a suitable amount of time.
 - GPS: Disable GPS-related modules such as those required for Global Navigation
 Satellite Systems (GNSS).
-- Intel Management Engine (ME): Provides some disabling of the interface between the
- Intel ME and the OS.
+- Not yet enabled: Intel Management Engine (ME): Provides some disabling of the interface between the
+ Intel ME and the OS. See discussion: https://github.com/Kicksecure/security-misc/issues/239
 - Network File Systems: Disable uncommon and legacy network file systems.
From 0da22c20316c8f0f574e0127926506e52ccbc269 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Wed, 17 Jul 2024 09:07:31 -0400
Subject: [PATCH 442/846] minor
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index cb65669..0e5d290 100644
--- a/README.md
+++ b/README.md
@@ -212,7 +212,7 @@ disabling should first be blacklisted for a suitable amount of time.
 - Intel Platform Monitoring Technology Telemetry (PMT): Disable some functionality of the Intel PMT components.
- 
+
 - Network File Systems: Disable uncommon and legacy network file systems.
 - Network Protocols: Wide array of uncommon and legacy network protocols are disabled.
From 1087387b362d5598e44262db07ab0fff9118b064 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Wed, 17 Jul 2024 23:35:25 +1000
Subject: [PATCH 443/846] Remove obsolete `#net.ipv4.tcp_fack=0`
---
 usr/lib/sysctl.d/990-security-misc.conf | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index 88dab81..52e3345 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -297,10 +297,9 @@ net.ipv6.conf.default.accept_source_route=0
 net.ipv6.conf.all.accept_ra=0
 net.ipv6.conf.default.accept_ra=0
-## Disable SACK, DSACK, and FACK.
+## Disable SACK and DSACK.
 ## Select acknowledgements (SACKs) are a known common vector of exploitation.
 ## Duplicate select acknowledgements (DSACKs) are an extension of SACK.
-## Forward acknowledgements (FACKs) are a legacy option that will (eventually) be deprecated.
 ## Disabling can cause severe connectivity issues on networks with high latency or packet loss.
 ## Enabling on stable high-bandwidth networks can lead to reduced efficiency of TCP connections.
 ##
@@ -315,7 +314,6 @@ net.ipv6.conf.default.accept_ra=0
 ##
 #net.ipv4.tcp_sack=0
 #net.ipv4.tcp_dsack=0
-#net.ipv4.tcp_fack=0
 ## Disable TCP timestamps to limit device fingerprinting via system time.
 ##
From 8f3896c3dac13b604e36d4249f976598f271a215 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Wed, 17 Jul 2024 23:44:37 +1000
Subject: [PATCH 444/846] Upgrade hyperlinks to HTTPS
---
 COPYING | 6 +++---
 debian/copyright | 6 +++---
 etc/skel/.gnupg/gpg.conf | 4 ++--
 usr/bin/pkexec.security-misc | 2 +-
 usr/bin/remount-secure | 2 +-
 usr/libexec/security-misc/virusforget | 2 +-
 6 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/COPYING b/COPYING
index 808999e..bf11138 100644
--- a/COPYING
+++ b/COPYING
@@ -8,7 +8,7 @@ License: AGPL-3+
 GNU AFFERO GENERAL PUBLIC LICENSE
 Version 3, 19 November 2007
 .
- Copyright (C) 2007 Free Software Foundation, Inc.
+ Copyright (C) 2007 Free Software Foundation, Inc.
 Everyone is permitted to copy and distribute verbatim copies
 of this license document, but changing it is not allowed.
 .
@@ -650,7 +650,7 @@ License: AGPL-3+
 GNU Affero General Public License for more details.
 .
 You should have received a copy of the GNU Affero General Public License
- along with this program. If not, see .
+ along with this program. If not, see .
 .
 Also add information on how to contact you by electronic and paper mail.
 .
@@ -665,4 +665,4 @@ License: AGPL-3+
 You should also get your employer (if you work as a programmer) or school,
 if any, to sign a "copyright disclaimer" for the program, if necessary.
 For more information on this, and how to apply and follow the GNU AGPL, see
- .
+ .
diff --git a/debian/copyright b/debian/copyright
index 808999e..bf11138 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -8,7 +8,7 @@ License: AGPL-3+
 GNU AFFERO GENERAL PUBLIC LICENSE
 Version 3, 19 November 2007
 .
- Copyright (C) 2007 Free Software Foundation, Inc.
+ Copyright (C) 2007 Free Software Foundation, Inc.
 Everyone is permitted to copy and distribute verbatim copies
 of this license document, but changing it is not allowed.
 .
@@ -650,7 +650,7 @@ License: AGPL-3+
 GNU Affero General Public License for more details.
 .
 You should have received a copy of the GNU Affero General Public License
- along with this program. If not, see .
+ along with this program. If not, see .
 .
 Also add information on how to contact you by electronic and paper mail.
 .
@@ -665,4 +665,4 @@ License: AGPL-3+
 You should also get your employer (if you work as a programmer) or school,
 if any, to sign a "copyright disclaimer" for the program, if necessary.
 For more information on this, and how to apply and follow the GNU AGPL, see
- .
+ .
diff --git a/etc/skel/.gnupg/gpg.conf b/etc/skel/.gnupg/gpg.conf
index f8004fe..f0ed5a4 100644
--- a/etc/skel/.gnupg/gpg.conf
+++ b/etc/skel/.gnupg/gpg.conf
@@ -282,13 +282,13 @@ display-charset utf-8
 ##################################################################
 ##################################################################
-## BEGIN Some suggestions from Debian http://keyring.debian.org/creating-key.html
+## BEGIN Some suggestions from Debian https://keyring.debian.org/creating-key.html
 personal-digest-preferences SHA512
 cert-digest-algo SHA512
 default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
-## END Some suggestions from Debian http://keyring.debian.org/creating-key.html
+## END Some suggestions from Debian https://keyring.debian.org/creating-key.html
 ##################################################################
 ##################################################################
diff --git a/usr/bin/pkexec.security-misc b/usr/bin/pkexec.security-misc
index be8fddd..3739391 100755
--- a/usr/bin/pkexec.security-misc
+++ b/usr/bin/pkexec.security-misc
@@ -34,7 +34,7 @@ switch_user=false
 original_args="$@"
 ## Thanks to:
-## http://mywiki.wooledge.org/BashFAQ/035
+## https://mywiki.wooledge.org/BashFAQ/035
 while :
 do
diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure
index 92e3aa8..14da1fe 100755
--- a/usr/bin/remount-secure
+++ b/usr/bin/remount-secure
@@ -70,7 +70,7 @@ init() {
 parse_options() {
 ## Thanks to:
- ## http://mywiki.wooledge.org/BashFAQ/035
+ ## https://mywiki.wooledge.org/BashFAQ/035
 while :
 do
diff --git a/usr/libexec/security-misc/virusforget b/usr/libexec/security-misc/virusforget
index 5a2c5d7..62b6823 100755
--- a/usr/libexec/security-misc/virusforget
+++ b/usr/libexec/security-misc/virusforget
@@ -29,7 +29,7 @@ root_check() {
 parse_cmd_options() {
 ## Thanks to:
- ## http://mywiki.wooledge.org/BashFAQ/035
+ ## https://mywiki.wooledge.org/BashFAQ/035
 while :
 do
From d0a59617f6b8a90fd5c758699e910af9d7496c98 Mon Sep 17 00:00:00 2001
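Review bot: `original_args="$@"` in the context of the pkexec.security-misc hunk (`@@ -34,7 +34,7 @@`) flattens the positional parameters into one scalar string, so any argument that contains whitespace, or an empty argument, can no longer be reconstructed if the variable is later re-expanded to build the real pkexec invocation. The array form `original_args=("$@")`, consumed as `"${original_args[@]}"`, preserves argument boundaries. This line is hunk context rather than part of the commit's change, and the option-parsing loop that follows `while :` continues outside the hunk, so how the variable is actually consumed cannot be confirmed from here.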
From: Raja Grewal
Date: Thu, 18 Jul 2024 00:13:30 +1000
Subject: [PATCH 445/846] Add missing Copyright (C) statements
---
 debian/security-misc.displace-extension | 3 +++
 debian/security-misc.gconf-defaults | 3 +++
 debian/security-misc.links | 3 +++
 etc/bluetooth/30_security-misc.conf | 3 +++
 etc/dkms/framework.conf.d/30_security-misc.conf | 3 +++
 etc/dracut.conf.d/30-security-misc.conf | 3 +++
 etc/securetty.security-misc | 3 +++
 etc/security/faillock.conf.security-misc | 3 +++
 etc/systemd/system/emergency.service.d/override.conf | 3 +++
 etc/systemd/system/rescue.service.d/override.conf | 3 +++
 usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf | 3 +++
 usr/lib/NetworkManager/conf.d/80_randomize-mac.conf | 3 +++
 usr/lib/systemd/coredump.conf.d/30_security-misc.conf | 3 +++
 .../systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf | 3 +++
 usr/lib/systemd/system/harden-module-loading.service | 3 +++
 usr/lib/systemd/system/sysinit-post.target | 3 +++
 usr/lib/systemd/system/user@.service.d/sysfs.conf | 3 +++
 usr/libexec/security-misc/disable-kernel-module-loading | 3 +++
 usr/share/glib-2.0/schemas/30_security-misc.gschema.override | 3 +++
 19 files changed, 57 insertions(+)
diff --git a/debian/security-misc.displace-extension b/debian/security-misc.displace-extension
index 6ecb033..2959324 100644
--- a/debian/security-misc.displace-extension
+++ b/debian/security-misc.displace-extension
@@ -1 +1,4 @@
+## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
 .security-misc
diff --git a/debian/security-misc.gconf-defaults b/debian/security-misc.gconf-defaults
index 26d57ff..ebfb7f3 100644
--- a/debian/security-misc.gconf-defaults
+++ b/debian/security-misc.gconf-defaults
@@ -1,3 +1,6 @@
+## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
 /apps/nautilus/preview_sound never
 /apps/nautilus/show_icon_text never
 /apps/nautilus/show-image-thumbnails never
diff --git a/debian/security-misc.links b/debian/security-misc.links
index 308f070..467193f 100644
--- a/debian/security-misc.links
+++ b/debian/security-misc.links
@@ -1,2 +1,5 @@
+## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
 /etc/profile.d/30_security-misc.sh /etc/zprofile.d/30_security-misc.zsh
 /etc/profile.d/30_security-misc.sh /etc/X11/Xsession.d/30_security-misc
diff --git a/etc/bluetooth/30_security-misc.conf b/etc/bluetooth/30_security-misc.conf
index d3410f2..0bd3b9f 100644
--- a/etc/bluetooth/30_security-misc.conf
+++ b/etc/bluetooth/30_security-misc.conf
@@ -1,3 +1,6 @@
+## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
 [General]
 # How long to stay in pairable mode before going back to non-discoverable
 # The value is in seconds. Default is 0.
diff --git a/etc/dkms/framework.conf.d/30_security-misc.conf b/etc/dkms/framework.conf.d/30_security-misc.conf
index f9a643d..095e050 100644
--- a/etc/dkms/framework.conf.d/30_security-misc.conf
+++ b/etc/dkms/framework.conf.d/30_security-misc.conf
@@ -1,3 +1,6 @@
+## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
 ## This configuration file modifies the behavior of
 ## DKMS (Dynamic Kernel Module Support) and is sourced
 ## in by DKMS every time it is run.
diff --git a/etc/dracut.conf.d/30-security-misc.conf b/etc/dracut.conf.d/30-security-misc.conf
index 90c7698..4e24799 100644
--- a/etc/dracut.conf.d/30-security-misc.conf
+++ b/etc/dracut.conf.d/30-security-misc.conf
@@ -1,3 +1,6 @@
+## Copyright (C) 2021 - 2024 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
 reproducible=yes
 ## Debugging.
diff --git a/etc/securetty.security-misc b/etc/securetty.security-misc
index ca0d81b..e32ca29 100644
--- a/etc/securetty.security-misc
+++ b/etc/securetty.security-misc
@@ -1,2 +1,5 @@
+## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
 # /etc/securetty: list of terminals on which root is allowed to login.
 # See securetty(5) and login(1).
diff --git a/etc/security/faillock.conf.security-misc b/etc/security/faillock.conf.security-misc
index bb81754..d52c196 100644
--- a/etc/security/faillock.conf.security-misc
+++ b/etc/security/faillock.conf.security-misc
@@ -1,3 +1,6 @@
+## Copyright (C) 2021 - 2024 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
 # Configuration for locking the user after multiple failed
 # authentication attempts.
 #
diff --git a/etc/systemd/system/emergency.service.d/override.conf b/etc/systemd/system/emergency.service.d/override.conf
index b24186a..a7d4469 100644
--- a/etc/systemd/system/emergency.service.d/override.conf
+++ b/etc/systemd/system/emergency.service.d/override.conf
@@ -1,3 +1,6 @@
+## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
 ## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211
 ## https://salsa.debian.org/ah/user-setup/commit/bc5ca2de85ec27845d0b46059cb7cc02bae7b44d
diff --git a/etc/systemd/system/rescue.service.d/override.conf b/etc/systemd/system/rescue.service.d/override.conf
index b24186a..a7d4469 100644
--- a/etc/systemd/system/rescue.service.d/override.conf
+++ b/etc/systemd/system/rescue.service.d/override.conf
@@ -1,3 +1,6 @@
+## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
 ## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211
 ## https://salsa.debian.org/ah/user-setup/commit/bc5ca2de85ec27845d0b46059cb7cc02bae7b44d
diff --git a/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf b/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf
index 0605c37..246eaf2 100644
--- a/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf
+++ b/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf
@@ -1,3 +1,6 @@
+## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
 ## MAC randomisation breaks root server and VirtualBox DHCP likely due to IPv6 Privacy Extensions.
 ##
 ## https://datatracker.ietf.org/doc/html/rfc4941
diff --git a/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf b/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf
index 04d0312..dfeda10 100644
--- a/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf
+++ b/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf
@@ -1,3 +1,6 @@
+## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
 ## MAC randomisation breaks root server and VirtualBox DHCP likely due to IPv6 Privacy Extensions.
 ##
 ## https://datatracker.ietf.org/doc/html/rfc4941
diff --git a/usr/lib/systemd/coredump.conf.d/30_security-misc.conf b/usr/lib/systemd/coredump.conf.d/30_security-misc.conf
index 519f838..2cb1b1a 100644
--- a/usr/lib/systemd/coredump.conf.d/30_security-misc.conf
+++ b/usr/lib/systemd/coredump.conf.d/30_security-misc.conf
@@ -1,2 +1,5 @@
+## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
 [Coredump]
 Storage=none
diff --git a/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf b/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf
index e53c635..5959004 100644
--- a/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf
+++ b/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf
@@ -1,3 +1,6 @@
+## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
 ## MAC randomisation breaks root server and VirtualBox DHCP likely due to IPv6 Privacy Extensions.
 ##
 ## https://datatracker.ietf.org/doc/html/rfc4941
diff --git a/usr/lib/systemd/system/harden-module-loading.service b/usr/lib/systemd/system/harden-module-loading.service
index ed2392c..3394623 100644
--- a/usr/lib/systemd/system/harden-module-loading.service
+++ b/usr/lib/systemd/system/harden-module-loading.service
@@ -1,3 +1,6 @@
+## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
 [Unit]
 Description=Disable the loading of additional modules after systemd-modules-load.service
 Documentation=https://github.com/Kicksecure/security-misc
diff --git a/usr/lib/systemd/system/sysinit-post.target b/usr/lib/systemd/system/sysinit-post.target
index faeb6f9..336133b 100644
--- a/usr/lib/systemd/system/sysinit-post.target
+++ b/usr/lib/systemd/system/sysinit-post.target
@@ -1,3 +1,6 @@
+## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
 [Unit]
 Description=sys-init.target by security-misc
diff --git a/usr/lib/systemd/system/user@.service.d/sysfs.conf b/usr/lib/systemd/system/user@.service.d/sysfs.conf
index e0cf3a7..2c27ce5 100644
--- a/usr/lib/systemd/system/user@.service.d/sysfs.conf
+++ b/usr/lib/systemd/system/user@.service.d/sysfs.conf
@@ -1,2 +1,5 @@
+## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
 [Service]
 SupplementaryGroups=sysfs
diff --git a/usr/libexec/security-misc/disable-kernel-module-loading b/usr/libexec/security-misc/disable-kernel-module-loading
index e2174ac..1916cc0 100644
--- a/usr/libexec/security-misc/disable-kernel-module-loading
+++ b/usr/libexec/security-misc/disable-kernel-module-loading
@@ -1,5 +1,8 @@
 #!/bin/bash
+## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
 set -x
 set -e
diff --git a/usr/share/glib-2.0/schemas/30_security-misc.gschema.override b/usr/share/glib-2.0/schemas/30_security-misc.gschema.override
index 2ee9098..92b5348 100644
--- a/usr/share/glib-2.0/schemas/30_security-misc.gschema.override
+++ b/usr/share/glib-2.0/schemas/30_security-misc.gschema.override
@@ -1,2 +1,5 @@
+## Copyright (C) 2017 - 2024 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
 [org.gnome.nautilus.preferences]
 show-image-thumbnails="never"
From 4afe257a42576158a54a68948440a2b4c043b67c Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Thu, 18 Jul 2024 00:14:13 +1000
Subject: [PATCH 446/846] minor
---
 etc/bluetooth/30_security-misc.conf | 2 +-
 usr/share/security-misc/dolphinrc | 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/etc/bluetooth/30_security-misc.conf b/etc/bluetooth/30_security-misc.conf
index 0bd3b9f..8f45502 100644
--- a/etc/bluetooth/30_security-misc.conf
+++ b/etc/bluetooth/30_security-misc.conf
@@ -19,7 +19,7 @@ MaxControllers=1
 # How long to keep temporary devices around
 # The value is in seconds. Default is 30.
 # 0 = disable timer, i.e. never keep temporary devices
-TemporaryTimeout = 0
+TemporaryTimeout = 0
 [Policy]
 # AutoEnable defines option to enable all controllers when they are found.
diff --git a/usr/share/security-misc/dolphinrc b/usr/share/security-misc/dolphinrc
index 682401d..00e7768 100644
--- a/usr/share/security-misc/dolphinrc
+++ b/usr/share/security-misc/dolphinrc
@@ -3,4 +3,3 @@
 [PreviewSettings]
 Plugins=
-
From 821a416fe39e11ca030c63f25a5220772d80eae5 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Wed, 17 Jul 2024 10:43:16 -0400
Subject: [PATCH 447/846] spelling
---
 README.md | 308 +++++++++++++++++++++++++++---------------------------
 1 file changed, 154 insertions(+), 154 deletions(-)
diff --git a/README.md b/README.md
index 0e5d290..515b259 100644
--- a/README.md
+++ b/README.md
@@ -5,8 +5,8 @@ This section is inspired by the Kernel Self Protection Project (KSPP). It implements all recommended Linux kernel settings by the KSPP and many more.
-- https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project
-- https://kspp.github.io/Recommended_Settings
+- https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project
+- https://kspp.github.io/Recommended_Settings
 ### sysctl
@@ -16,88 +16,88 @@ configuration file.
 Significant hardening is applied by default to a myriad of components within kernel space, user space, core dumps, and swap space.
-- Restrict access to kernel addresses through the us of kernel pointers regardless
- of user privileges.
+- Restrict access to kernel addresses through the use of kernel pointers regardless
+ of user privileges.
-- Restrict access to the kernel logs to `CAP_SYSLOG` as the often contain
- sensitive information.
+- Restrict access to the kernel logs to `CAP_SYSLOG` as they often contain
+ sensitive information.
-- Prevent kernel information leaks in the console during boot.
+- Prevent kernel information leaks in the console during boot.
-- Restrict eBPF access to `CAP_BPF` and enable associated JIT compiler hardening.
+- Restrict eBPF access to `CAP_BPF` and enable associated JIT compiler hardening.
-- Restrict loading TTY line disciplines to `CAP_SYS_MODULE`.
+- Restrict loading TTY line disciplines to `CAP_SYS_MODULE`.
-- Restricts the `userfaultfd()` syscall to `CAP_SYS_PTRACE` which reduces the
- likelihood of use-after-free exploits.
+- Restrict the `userfaultfd()` syscall to `CAP_SYS_PTRACE`, which reduces the
+ likelihood of use-after-free exploits.
-- Disable `kexec` as it can be used to replace the running kernel.
+- Disable `kexec` as it can be used to replace the running kernel.
-- Entirely disables the SysRq key so that the Secure Attention Key (SAK)
- can no longer be utilised. See [documentation](https://www.kicksecure.com/wiki/SysRq).
+- Entirely disable the SysRq key so that the Secure Attention Key (SAK)
+ can no longer be utilized. See [documentation](https://www.kicksecure.com/wiki/SysRq).
-- Provide the option to disable unprivileged user namespaces as they can lead to
- substantial privilege escalation.
+- Provide the option to disable unprivileged user namespaces as they can lead to
+ substantial privilege escalation.
-- Restrict kernel profiling and the performance events system to `CAP_PERFMON`.
+- Restrict kernel profiling and the performance events system to `CAP_PERFMON`.
-- Randomise the addresses (ASLR) for mmap base, stack, VDSO pages, and heap.
+- Randomize the addresses (ASLR) for mmap base, stack, VDSO pages, and heap.
-- Disable asynchronous I/O (when using Linux kernel version >= 6.6).
+- Disable asynchronous I/O (when using Linux kernel version >= 6.6).
-- Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it
- enables programs to inspect and modify other active processes. Provide the
- option to also entirely disable the use of `ptrace()` for all processes.
+- Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it
+ enables programs to inspect and modify other active processes. Provide the
+ option to entirely disable the use of `ptrace()` for all processes.
-- Prevent hardlink and symlink TOCTOU races in world-writable directories.
+- Prevent hardlink and symlink TOCTOU races in world-writable directories.
-- Disallow unintentional writes to files in world-writable directories unless
- they are owned by the directory owner to mitigate some data spoofing attacks.
+- Disallow unintentional writes to files in world-writable directories unless
+ they are owned by the directory owner to mitigate some data spoofing attacks.
-- Increase the maximum number of memory map areas a process is able to utilise.
+- Increase the maximum number of memory map areas a process is able to utilize.
-- Disable core dump files and prevent their creation. If core dump files are
- enabled, they will be named based on `core.PID` instead of the default `core`.
+- Disable core dump files and prevent their creation. If core dump files are
+ enabled, they will be named based on `core.PID` instead of the default `core`.
-- Limit the copying of potentially sensitive content in memory to the swap device.
+- Limit the copying of potentially sensitive content in memory to the swap device.
 Various networking components of the TCP/IP stack are hardened for IPv4/6.
-- Enable TCP SYN cookie protection to assist against SYN flood attacks.
+- Enable TCP SYN cookie protection to assist against SYN flood attacks.
-- Protect against TCP time-wait assassination hazards.
+- Protect against TCP time-wait assassination hazards.
-- Enables reverse path filtering (source validation) of packets received
- from all interfaces to prevent IP spoofing.
+- Enable reverse path filtering (source validation) of packets received
+ from all interfaces to prevent IP spoofing.
-- Disable ICMP redirect acceptance and redirect sending messages to
- prevent man-in-the-middle attacks and minimise information disclosure.
+- Disable ICMP redirect acceptance and redirect sending messages to
+ prevent man-in-the-middle attacks and minimize information disclosure.
-- Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks.
+- Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks.
-- Ignore bogus ICMP error responses.
+- Ignore bogus ICMP error responses.
-- Disable source routing which allows users redirect network traffic that
- can result in man-in-the-middle attacks.
+- Disable source routing which allows users to redirect network traffic that
+ can result in man-in-the-middle attacks.
-- Do not accept IPv6 router advertisements and solicitations.
+- Do not accept IPv6 router advertisements and solicitations.
-- Provide the option to disable SACK and DSACK as they have historically been
- a known vector for exploitation.
+- Provide the option to disable SACK and DSACK as they have historically been
+ a known vector for exploitation.
-- Disable TCP timestamps as it can allow detecting the system time.
+- Disable TCP timestamps as they can allow detecting the system time.
-- Provide the option to log of packets with impossible source or destination
- addresses to enable further inspection and analysis.
+- Provide the option to log packets with impossible source or destination
+ addresses to enable further inspection and analysis.
-- Provide the option to enable IPv6 Privacy Extensions.
+- Provide the option to enable IPv6 Privacy Extensions.
 ### mmap ASLR
-- The bits of entropy used for mmap ASLR are maxed out via
- `/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of
- `CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX`
- that the kernel was built with), therefore improving its effectiveness.
+- The bits of entropy used for mmap ASLR are maxed out via
+ `/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of
+ `CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX`
+ that the kernel was built with), therefore improving its effectiveness.
 ### Boot parameters
@@ -109,45 +109,45 @@ Boot parameters relating to kernel hardening, DMA mitigations, and entropy
 generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg`
 configuration file.
-- Disable merging of slabs with similar size which reduces the risk of
- triggering heap overflows and limits influencing slab cache layout.
+- Disable merging of slabs with similar size, which reduces the risk of
+ triggering heap overflows and limits influencing slab cache layout.
-- Enable memory zeroing at both allocation and free time which mitigate some
- use-after-free vulnerabilities by erasing sensitive information in memory.
+- Enable memory zeroing at both allocation and free time, which mitigates some
+ use-after-free vulnerabilities by erasing sensitive information in memory.
-- Enable the kernel page allocator to randomise free lists to limit some data
- exfiltration and ROP attacks especially during the early boot process.
+- Enable the kernel page allocator to randomize free lists to limit some data
+ exfiltration and ROP attacks, especially during the early boot process.
-- Enable kernel page table isolation increase KASLR effectiveness and also
- mitigate the Meltdown CPU vulnerability.
+- Enable kernel page table isolation to increase KASLR effectiveness and also
+ mitigate the Meltdown CPU vulnerability.
-- Enables randomisation of the kernel stack offset on syscall entries to harden
- against memory corruption attacks.
+- Enable randomization of the kernel stack offset on syscall entries to harden
+ against memory corruption attacks.
-- Disable vsyscalls as they are vulnerable to ROP attacks and have now been
- replaced by vDSO.
+- Disable vsyscalls as they are vulnerable to ROP attacks and have now been
+ replaced by vDSO.
-- Restrict access to debugfs by not registering the file system since it can
- contain sensitive information.
+- Restrict access to debugfs by not registering the file system since it can
+ contain sensitive information.
-- Force kernel panics on "oopses" to potentially indicate and thwart certain
- kernel exploitation attempts.
+- Force kernel panics on "oopses" to potentially indicate and thwart certain
+ kernel exploitation attempts.
-- Provide option to modify machine check exception handler.
+- Provide option to modify machine check exception handler.
-- Provide option to disable support for all x86 processes and syscalls to reduce
- attack surface (when using Linux kernel version >= 6.7).
+- Provide option to disable support for all x86 processes and syscalls to reduce
+ attack surface (when using Linux kernel version >= 6.7).
-- Enable strict IOMMU translation to protect against DMA attacks and disable
- the busmaster bit on all PCI bridges during the early boot process.
+- Enable strict IOMMU translation to protect against DMA attacks and disable
+ the busmaster bit on all PCI bridges during the early boot process.
-- Do not credit the CPU or bootloader as entropy sources at boot in order to
- maximise the absolute quantity of entropy in the combined pool.
+- Do not credit the CPU or bootloader as entropy sources at boot in order to
+ maximize the absolute quantity of entropy in the combined pool.
-- Obtain more entropy at boot from RAM as the runtime memory allocator is
- being initialised.
+- Obtain more entropy at boot from RAM as the runtime memory allocator is
+ being initialized.
-- Provide option to disable the entire IPv6 stack to reduce attack surface.
+- Provide option to disable the entire IPv6 stack to reduce attack surface.
 Disallow sensitive kernel information leaks in the console during boot. See
 the `/etc/default/grub.d/41_quiet_boot.cfg` configuration file.
@@ -156,20 +156,20 @@ the `/etc/default/grub.d/41_quiet_boot.cfg` configuration file.
 #### Kernel Module Signature Verification
-Not yet due to issues:
+Not yet implemented due to issues:
-- https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/64
-- https://github.com/dell/dkms/issues/359
+- https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/64
+- https://github.com/dell/dkms/issues/359
 See:
-- `/etc/default/grub.d/40_signed_modules.cfg`
+- `/etc/default/grub.d/40_signed_modules.cfg`
 #### Disables the loading of new modules to the kernel after the fact
-Not yet due to issues:
+Not yet implemented due to issues:
-- https://github.com/Kicksecure/security-misc/pull/152
+- https://github.com/Kicksecure/security-misc/pull/152
 A systemd service dynamically sets the kernel parameter `modules_disabled` to 1, preventing new modules from being loaded. Since this isn't configured directly
@@ -186,47 +186,47 @@ Certain kernel modules are blacklisted by default to reduce attack surface via `/etc/modprobe.d/30_security-misc_blacklist.conf`. Blacklisting prevents kernel modules from automatically starting. -- CD-ROM/DVD: Blacklist modules required for CD-ROM/DVD devices. +- CD-ROM/DVD: Blacklist modules required for CD-ROM/DVD devices. -- Framebuffer Drivers: Blacklisted as they are well-known to be buggy, cause - kernel panics, and are generally only used by legacy devices. +- Framebuffer Drivers: Blacklisted as they are well-known to be buggy, cause + kernel panics, and are generally only used by legacy devices. -- Miscellaneous: Blacklist an assortment other modules to prevent them from - automatically loading. +- Miscellaneous: Blacklist an assortment of other modules to prevent them from + automatically loading. Specific kernel modules are entirely disabled to reduce attack surface via `/etc/modprobe.d/30_security-misc_disable.conf`. Disabling prohibits kernel -modules from starting. This approach should not be considered comprehensive, -rather it is a form of badness enumeration. Any potential candidates for future +modules from starting. This approach should not be considered comprehensive; +rather, it is a form of badness enumeration. Any potential candidates for future disabling should first be blacklisted for a suitable amount of time. -- File Systems: Disable uncommon and legacy file systems. +- File Systems: Disable uncommon and legacy file systems. -- FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks. +- FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks. -- GPS: Disable GPS-related modules such as those required for Global Navigation - Satellite Systems (GNSS). +- GPS: Disable GPS-related modules such as those required for Global Navigation + Satellite Systems (GNSS). -- Not yet enabled: Intel Management Engine (ME): Provides some disabling of the interface between the - Intel ME and the OS. 
See discussion: https://github.com/Kicksecure/security-misc/issues/239 +- Not yet enabled: Intel Management Engine (ME): Provides some disabling of the interface between the + Intel ME and the OS. See discussion: https://github.com/Kicksecure/security-misc/issues/239 -- Intel Platform Monitoring Technology Telemetry (PMT): Disable some functionality - of the Intel PMT components. +- Intel Platform Monitoring Technology Telemetry (PMT): Disable some functionality + of the Intel PMT components. -- Network File Systems: Disable uncommon and legacy network file systems. +- Network File Systems: Disable uncommon and legacy network file systems. -- Network Protocols: Wide array of uncommon and legacy network protocols are disabled. +- Network Protocols: A wide array of uncommon and legacy network protocols are disabled. -- Miscellaneous: Disable an assortment other modules such as those required - for amateur radio, floppy disks, and vivid. +- Miscellaneous: Disable an assortment of other modules such as those required + for amateur radio, floppy disks, and vivid. -- Thunderbolt: Disabled as they are often vulnerable to DMA attacks. +- Thunderbolt: Disabled as they are often vulnerable to DMA attacks. ### Other -- A systemd service clears the System.map file on boot as these contain kernel - pointers. The file is completely overwritten with zeroes to ensure it cannot - be recovered. See: +- A systemd service clears the System.map file on boot as these contain kernel + pointers. The file is completely overwritten with zeroes to ensure it cannot + be recovered. See: `/etc/kernel/postinst.d/30_remove-system-map` 
@@ -234,8 +234,8 @@ disabling should first be blacklisted for a suitable amount of time. `/usr/libexec/security-misc/remove-system.map` -- Coredumps are disabled as they may contain important information such as - encryption keys or passwords. See: +- Coredumps are disabled as they may contain important information such as + encryption keys or passwords. See: `/etc/security/limits.d/30_security-misc.conf` 
@@ -243,34 +243,34 @@ disabling should first be blacklisted for a suitable amount of time. `/lib/systemd/coredump.conf.d/30_security-misc.conf` -- An initramfs hook sets the sysctl values in `/etc/sysctl.conf` and - `/etc/sysctl.d` before init is executed so sysctl hardening is enabled as - early as possible. This is implemented for `initramfs-tools` only because - this is not needed for `dracut` because `dracut` does that by default, at - least on `systemd` enabled systems. Not researched for non-`systemd` systems - by the author of this part of the readme. +- An initramfs hook sets the sysctl values in `/etc/sysctl.conf` and + `/etc/sysctl.d` before init is executed so sysctl hardening is enabled as + early as possible. This is implemented for `initramfs-tools` only because + this is not needed for `dracut` as `dracut` does that by default, at + least on `systemd` enabled systems. Not researched for non-`systemd` systems + by the author of this part of the readme. ## Network hardening -Not yet due to issues: +Not yet implemented due to issues: -- https://github.com/Kicksecure/security-misc/pull/145 +- https://github.com/Kicksecure/security-misc/pull/145 -- https://github.com/Kicksecure/security-misc/issues/184 +- https://github.com/Kicksecure/security-misc/issues/184 -- Unlike version 4, IPv6 addresses can provide information not only about the - originating network, but also the originating device. We prevent this from - happening by enabling the respective privacy extensions for IPv6. +- Unlike version 4, IPv6 addresses can provide information not only about the + originating network but also the originating device. We prevent this from + happening by enabling the respective privacy extensions for IPv6. -- In addition, we deny the capability to track the originating device in the - network at all, by using randomized MAC addresses per connection per - default. 
+- In addition, we deny the capability to track the originating device in the + network at all, by using randomized MAC addresses per connection by + default. See: -- `/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf` -- `/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf` -- `/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf` +- `/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf` +- `/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf` +- `/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf` ## Bluetooth Hardening @@ -303,16 +303,16 @@ See: ## Entropy collection improvements -- The `jitterentropy_rng` kernel module is loaded as early as possible during - boot to gather more entropy via the - `/usr/lib/modules-load.d/30_security-misc.conf` configuration file. +- The `jitterentropy_rng` kernel module is loaded as early as possible during + boot to gather more entropy via the + `/usr/lib/modules-load.d/30_security-misc.conf` configuration file. -- Distrusts the CPU for initial entropy at boot as it is not possible to - audit, may contain weaknesses or a backdoor. Similarly, do not credit the - bootloader seed for initial entropy. For references, see: - `/etc/default/grub.d/40_kernel_hardening.cfg` +- Distrusts the CPU for initial entropy at boot as it is not possible to + audit, may contain weaknesses or a backdoor. Similarly, do not credit the + bootloader seed for initial entropy. For references, see: + `/etc/default/grub.d/40_kernel_hardening.cfg` -- Gathers more entropy during boot if using the linux-hardened kernel patch. +- Gathers more entropy during boot if using the linux-hardened kernel patch. ## Restrictive mount options 
@@ -320,44 +320,44 @@ A systemd service is triggered on boot to remount all sensitive partitions and directories with significantly more secure hardened mount options. Since this would require manual tuning for a given specific system, we handle it by creating a very solid configuration file for that very system on package -install. +installation. Not enabled by default yet. In development. Help welcome. -- https://www.kicksecure.com/wiki/Dev/remount-secure -- https://github.com/Kicksecure/security-misc/issues/157 -- https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/ +- https://www.kicksecure.com/wiki/Dev/remount-secure +- https://github.com/Kicksecure/security-misc/issues/157 +- https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/ ## Root access restrictions -- `su` is restricted to only users within the group `sudo` which prevents - users from using `su` to gain root access or to switch user accounts - - `/usr/share/pam-configs/wheel-security-misc` (which results in a change in - file `/etc/pam.d/common-auth`). +- `su` is restricted to only users within the group `sudo` which prevents + users from using `su` to gain root access or to switch user accounts - + `/usr/share/pam-configs/wheel-security-misc` (which results in a change in + file `/etc/pam.d/common-auth`). -- Add user `root` to group `sudo`. This is required due to the above - restriction so that logging in from a virtual console is still possible - - `debian/security-misc.postinst` +- Add user `root` to group `sudo`. This is required due to the above + restriction so that logging in from a virtual console is still possible - + `debian/security-misc.postinst` -- Abort login for users with locked passwords - - `/usr/libexec/security-misc/pam-abort-on-locked-password`. 
+- Abort login for users with locked passwords - + `/usr/libexec/security-misc/pam-abort-on-locked-password`. -- Logging into the root account from a virtual, serial, whatnot console is - prevented by shipping an existing and empty `/etc/securetty` file (deletion - of `/etc/securetty` has a different effect). +- Logging into the root account from a virtual, serial, or other console is + prevented by shipping an existing and empty `/etc/securetty` file (deletion + of `/etc/securetty` has a different effect). This package does not yet automatically lock the root account password. It is -not clear if this would be sane in such a package although, it is recommended to +not clear if this would be sane in such a package, although it is recommended to lock and expire the root account. -In new Kicksecure builds, root account will be locked by package +In new Kicksecure builds, the root account will be locked by package dist-base-files. See: -- https://www.kicksecure.com/wiki/Root -- https://www.kicksecure.com/wiki/Dev/Permissions -- https://forums.whonix.org/t/restrict-root-access/7658 +- https://www.kicksecure.com/wiki/Root +- https://www.kicksecure.com/wiki/Dev/Permissions +- https://forums.whonix.org/t/restrict-root-access/7658 However, a locked root password will break rescue and emergency shell. Therefore, this package enables passwordless rescue and emergency shell. This is From 5cec685cf9b0845838f17fba78ac65d6c2e63386 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 17 Jul 2024 10:49:21 -0400 Subject: [PATCH 448/846] spelling --- README.md | 174 +++++++++++++++++++++++++++--------------------------- 1 file changed, 88 insertions(+), 86 deletions(-) diff --git a/README.md b/README.md index 515b259..b6aa965 100644 --- a/README.md +++ b/README.md 
@@ -361,31 +361,31 @@ See: However, a locked root password will break rescue and emergency shell. Therefore, this package enables passwordless rescue and emergency shell. This is -the same solution that Debian will likely adapt for Debian installer: +the same solution that Debian will likely adopt for the Debian installer: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211 See: -- `/etc/systemd/system/emergency.service.d/override.conf` -- `/etc/systemd/system/rescue.service.d/override.conf` +- `/etc/systemd/system/emergency.service.d/override.conf` +- `/etc/systemd/system/rescue.service.d/override.conf` Adverse security effects can be prevented by setting up BIOS password -protection, GRUB password protection and/or full disk encryption. +protection, GRUB password protection, and/or full disk encryption. ## Console lockdown -This uses pam_access to allow members of group `console` to use console but +This uses pam_access to allow members of group `console` to use the console but restrict everyone else (except members of group `console-unrestricted`) from -using console with ancient, unpopular login methods such as `/bin/login` over +using the console with ancient, unpopular login methods such as `/bin/login` over networks as this might be exploitable. (CVE-2001-0797) This is not enabled by default in this package since this package does not know -which users shall be added to group 'console' and thus, would break console. +which users should be added to group 'console' and thus, would break console access. See: -- `/usr/share/pam-configs/console-lockdown-security-misc` -- `/etc/security/access-security-misc.conf` +- `/usr/share/pam-configs/console-lockdown-security-misc` +- `/etc/security/access-security-misc.conf` ## Brute force attack protection 
@@ -393,16 +393,16 @@ User accounts are locked after 50 failed login attempts using `pam_faillock`. Informational output during Linux PAM: -- Show failed and remaining password attempts. -- Document unlock procedure if Linux user account got locked. -- Point out that there is no password feedback for `su`. -- Explain locked root account if locked. +- Show failed and remaining password attempts. +- Document unlock procedure if Linux user account got locked. +- Point out that there is no password feedback for `su`. +- Explain locked root account if locked. See: -- `/usr/share/pam-configs/tally2-security-misc` -- `/usr/libexec/security-misc/pam-info` -- `/usr/libexec/security-misc/pam-abort-on-locked-password` +- `/usr/share/pam-configs/tally2-security-misc` +- `/usr/libexec/security-misc/pam-info` +- `/usr/libexec/security-misc/pam-abort-on-locked-password` ## Access rights restrictions @@ -410,11 +410,13 @@ See: #### Permission Lockdown -Read, write and execute access for "others" are removed during package -installation, upgrade or PAM `mkhomedir` for all users who have home folders in +Read, write, and execute access for "others" are removed during package +installation, upgrade, or PAM `mkhomedir` for all users who have home folders in `/home` by running, for example: - chmod o-rwx /home/user +``` +chmod o-rwx /home/user +``` This will be done only once per folder in `/home` so users who wish to relax file permissions are free to do so. This is to protect files in a home folder 
@@ -423,20 +425,20 @@ of this package. See: -- `debian/security-misc.postinst` -- `/usr/libexec/security-misc/permission-lockdown` -- `/usr/share/pam-configs/mkhomedir-security-misc` +- `debian/security-misc.postinst` +- `/usr/libexec/security-misc/permission-lockdown` +- `/usr/share/pam-configs/mkhomedir-security-misc` #### umask -Default `umask` is set to `027` for files created by non-root users such as for -example user `user`. Broken. Disabled. See: +Default `umask` is set to `027` for files created by non-root users such as +user `user`. Broken. Disabled. See: * https://github.com/Kicksecure/security-misc/issues/184 -This is doing using pam module `pam_mkhomedir.so umask=027`. +This is done using the PAM module `pam_mkhomedir.so umask=027`. -This means, files created by non-root users cannot be read by other non-root +This means files created by non-root users cannot be read by other non-root users by default. While Permission Lockdown already protects the `/home` folder, this protects other folders such as `/tmp`. @@ -444,13 +446,13 @@ this protects other folders such as `/tmp`. use of User Private Groups (UPGs). See also: https://wiki.debian.org/UserPrivateGroups -Default `umask` is unchanged for root, because then configuration files created +Default `umask` is unchanged for root because then configuration files created in `/etc` by the system administrator would be unreadable by "others" and break applications. Examples include `/etc/firefox-esr` and `/etc/thunderbird`. See: -- `/usr/share/pam-configs/umask-security-misc` +- `/usr/share/pam-configs/umask-security-misc` ### SUID / SGID removal and permission hardening 
@@ -464,13 +466,13 @@ are often used in privilege escalation attacks. Various file permissions are reset with more secure and hardened defaults. These include but are not limited to: -- Limiting `/home` and `/root` to the root only. -- Limiting crontab to root as well as all the configuration files for cron. -- Limiting the configuration for cups and ssh. -- Protecting the information of sudoers from others. -- Protecting various system relevant files and modules. +- Limiting `/home` and `/root` to the root only. +- Limiting crontab to root as well as all the configuration files for cron. +- Limiting the configuration for cups and ssh. +- Protecting the information of sudoers from others. +- Protecting various system-relevant files and modules. -##### permission-hardener ##### +##### permission-hardener `permission-hardener` removes SUID / SGID bits from non-essential binaries as these are often used in privilege escalation attacks. It is enabled by default @@ -479,7 +481,7 @@ and applied at security-misc package installation and upgrade time. There is also an optional systemd unit which does the same at boot time that can be enabled by running `systemctl enable permission-hardener.service` as root. The hardening at boot time is not the default because this slows down -the boot too much. +the boot process too much. See: 
@@ -505,43 +507,43 @@ See: ## Application-specific hardening -- Enables "`apt-get --error-on=any`" which makes apt exit non-zero for - transient failures. - `/etc/apt/apt.conf.d/40error-on-any`. -- Enables APT seccomp-BPF sandboxing - `/etc/apt/apt.conf.d/40sandbox`. -- Deactivates previews in Dolphin. -- Deactivates previews in Nautilus - - `/usr/share/glib-2.0/schemas/30_security-misc.gschema.override`. -- Deactivates thumbnails in Thunar. - - rationale: lower attack surface when using the file manager - - https://forums.whonix.org/t/disable-preview-in-file-manager-by-default/18904 -- Thunderbird is hardened with the following options: - - Displays domain names in punycode to prevent IDN homograph attacks (a - form of phishing). - - Strips email client information for sent email headers. - - Stripts user time information from sent email headers by replacing the - originating time zone with UTC and rounding the timestamp to the nearest - minute. - - Disables scripting when viewing pdf files. - - Disables implicit outgoing connections. - - Disables all and any kind of telemetry. -- Security and privacy enhancements for gnupg's config file - `/etc/skel/.gnupg/gpg.conf`. See also: - - https://raw.github.com/ioerror/torbirdy/master/gpg.conf - - https://github.com/ioerror/torbirdy/pull/11 +- Enables "`apt-get --error-on=any`" which makes apt exit non-zero for + transient failures. - `/etc/apt/apt.conf.d/40error-on-any`. +- Enables APT seccomp-BPF sandboxing - `/etc/apt/apt.conf.d/40sandbox`. +- Deactivates previews in Dolphin. +- Deactivates previews in Nautilus - + `/usr/share/glib-2.0/schemas/30_security-misc.gschema.override`. +- Deactivates thumbnails in Thunar. + - Rationale: lower attack surface when using the file manager + - https://forums.whonix.org/t/disable-preview-in-file-manager-by-default/18904 +- Thunderbird is hardened with the following options: + - Displays domain names in punycode to prevent IDN homograph attacks (a + form of phishing). 
+ - Strips email client information from sent email headers. + - Strips user time information from sent email headers by replacing the + originating time zone with UTC and rounding the timestamp to the nearest + minute. + - Disables scripting when viewing PDF files. + - Disables implicit outgoing connections. + - Disables all and any kind of telemetry. +- Security and privacy enhancements for gnupg's config file + `/etc/skel/.gnupg/gpg.conf`. See also: + - https://raw.github.com/ioerror/torbirdy/master/gpg.conf + - https://github.com/ioerror/torbirdy/pull/11 -### project scope of application-specific hardening +### Project scope of application-specific hardening Added in December 2023. Before sending pull requests to harden arbitrary applications, please note the scope of security-misc is limited to default installed applications in -Kicksecure, Whonix. This includes: +Kicksecure and Whonix. This includes: -- Thunderbird, VLC Media Player, KeepassXC -- Debian Specific System Components (APT, DPKG) -- System Services (NetworkManager IPv6 privacy options, MAC address - randomization) -- Actually used development utilities such as `git`. +- Thunderbird, VLC Media Player, KeePassXC +- Debian Specific System Components (APT, DPKG) +- System Services (NetworkManager IPv6 privacy options, MAC address + randomization) +- Actually used development utilities such as `git`. It will not be possible to review and merge "1500" settings profiles for arbitrary applications outside of this context. 
@@ -552,26 +554,26 @@ compatible with Debian, reflecting a commitment to clean implementation and sound design principles. However, it's important to note that security-misc is a component of Kicksecure, not a substitute for it. The intention isn't to recreate Kicksecure within security-misc. Instead, specific security -enhancements, like for example recommending a curated list of security-focused +enhancements, like recommending a curated list of security-focused default packages (e.g., `libpam-tmpdir`), should be integrated directly into -those appropriate areas of Kicksecure (e.g.`kicksecure-meta-packages`). +those appropriate areas of Kicksecure (e.g. `kicksecure-meta-packages`). Discussion: https://github.com/Kicksecure/security-misc/issues/154 -### development philosophy +### Development philosophy Added in December 2023. -"Maintainability is a key priority \[1\]. Before modifying settings in the +Maintainability is a key priority \[1\]. Before modifying settings in the downstream security-misc, it's essential to first engage with upstream developers to propose these changes as defaults. This step should only be bypassed if there's a clear, prior indication from upstream that such changes won't be accepted. Additionally, before implementing any workarounds, consulting -with upstream is necessary to future unmaintainable complexity. +with upstream is necessary to avoid future unmaintainable complexity. If debugging features are disabled, pull requests won't be merged until there is a corresponding pull request for the debug-misc package to re-enable these. This -is to avoid configuring the system into a corner where it can be no longer +is to avoid configuring the system into a corner where it can no longer be debugged. \[1\] https://www.kicksecure.com/wiki/Dev/maintainability 
@@ -581,26 +583,26 @@ debugged. Some hardening is opt-in as it causes too much breakage to be enabled by default. -- An optional systemd service mounts `/proc` with `hidepid=2` at boot to - prevent users from seeing another user's processes. This is disabled by - default because it is incompatible with `pkexec`. It can be enabled by - executing `systemctl enable proc-hidepid.service` as root. +- An optional systemd service mounts `/proc` with `hidepid=2` at boot to + prevent users from seeing another user's processes. This is disabled by + default because it is incompatible with `pkexec`. It can be enabled by + executing `systemctl enable proc-hidepid.service` as root. -- A systemd service restricts `/proc/cpuinfo`, `/proc/bus`, `/proc/scsi` and - `/sys` to the root user. This hides a lot of hardware identifiers from - unprivileged users and increases security as `/sys` exposes a lot of - information that shouldn't be accessible to unprivileged users. As this will - break many things, it is disabled by default and can optionally be enabled - by executing `systemctl enable hide-hardware-info.service` as root. +- A systemd service restricts `/proc/cpuinfo`, `/proc/bus`, `/proc/scsi`, and + `/sys` to the root user. This hides a lot of hardware identifiers from + unprivileged users and increases security as `/sys` exposes a lot of + information that shouldn't be accessible to unprivileged users. As this will + break many things, it is disabled by default and can optionally be enabled + by executing `systemctl enable hide-hardware-info.service` as root. -## miscellaneous +## Miscellaneous -- hardened malloc compatibility for haveged workaround - `/lib/systemd/system/haveged.service.d/30_security-misc.conf` +- Hardened malloc compatibility for haveged workaround + `/lib/systemd/system/haveged.service.d/30_security-misc.conf` -- set `dracut` `reproducible=yes` setting +- Set `dracut` `reproducible=yes` setting -## legal +## Legal `/usr/lib/issue.d/20_security-misc.issue` 
From 24cd70a014b221b25669755b955bc114fe083643 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 17 Jul 2024 10:55:12 -0400 Subject: [PATCH 449/846] spelling --- .../sysctl.d/30_security-misc_kexec-disable.conf | 15 ++++++++------- usr/lib/sysctl.d/30_silent-kernel-printk.conf | 7 ++++--- 2 files changed, 12 insertions(+), 10 deletions(-) diff --git a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf index 74c0bbf..0177c2c 100644 --- a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf +++ b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf @@ -2,15 +2,16 @@ ## See the file COPYING for copying conditions. ## NOTE: -## Why is this in a dedicated config file? -## Package ram-wipe requires kexec. However, ram-wipe could not ship a config -## file /etc/sysctl.d/40_ram-wipe.conf which sets 'kernel.kexec_load_disabled=0'. -## This is because once systemd-sysctl.service has set 'kernel.kexec_load_disabled=1' -## it cannot be undone without reboot. This is a upstream Linux security feature. +## This configuration is in a dedicated file because the ram-wipe package +## requires kexec. However, ram-wipe cannot ship a config file +## /etc/sysctl.d/40_ram-wipe.conf that sets 'kernel.kexec_load_disabled=0'. +## Once systemd-sysctl.service has set 'kernel.kexec_load_disabled=1', +## it cannot be undone without a reboot. This is an upstream Linux security feature. -## Disables kexec which can be used to replace the running kernel. -## Useful for live kernel patching without rebooting. +## Disables kexec, which can be used to replace the running kernel. +## Kexec is useful for live kernel patching without rebooting. ## +## For more information, see: ## https://en.wikipedia.org/wiki/Kexec ## kernel.kexec_load_disabled=1 diff --git a/usr/lib/sysctl.d/30_silent-kernel-printk.conf b/usr/lib/sysctl.d/30_silent-kernel-printk.conf index 884a2a6..0d5e4aa 100644 --- a/usr/lib/sysctl.d/30_silent-kernel-printk.conf 
+++ b/usr/lib/sysctl.d/30_silent-kernel-printk.conf @@ -5,10 +5,11 @@ ## Must be used in combination with the kernel boot parameters. ## See /etc/default/grub.d/41_quiet_boot.cfg for implementation. ## +## For more information, refer to: ## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html ## kernel.printk=3 3 3 3 -## For Increased Log Verbosity: -## Adjust (or comment out) the kernel parameters in /etc/default/grub.d/41_quiet_boot.cfg. -## Alternatively, installing the debug-misc package will undo these settings. +## For increased log verbosity: +## A) Adjust (or comment out) the kernel parameters in /etc/default/grub.d/41_quiet_boot.cfg. Or, +## B) Alternatively, install the debug-misc package to undo these settings. From c8be4ac83c2563798ee35d56200eb8d11a2c32e3 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 17 Jul 2024 10:56:14 -0400 Subject: [PATCH 450/846] comment --- usr/lib/sysctl.d/30_security-misc_kexec-disable.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf index 0177c2c..b61a762 100644 --- a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf +++ b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf @@ -7,6 +7,7 @@ ## /etc/sysctl.d/40_ram-wipe.conf that sets 'kernel.kexec_load_disabled=0'. ## Once systemd-sysctl.service has set 'kernel.kexec_load_disabled=1', ## it cannot be undone without a reboot. This is an upstream Linux security feature. +## Instead, ram-wipe will config-package-dev 'hide' this file. ## Disables kexec, which can be used to replace the running kernel. ## Kexec is useful for live kernel patching without rebooting. From a2e26f441b6f44831c7b1bf3bf9dc2cf6f06e176 Mon Sep 17 00:00:00 2001 
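Review bot: The two rewritten verbosity lines in 30_silent-kernel-printk.conf say the same thing twice: `Or,` at the end of A) and `Alternatively,` at the start of B) are redundant, and a sentence ending in a dangling "Or," reads awkwardly in a config comment. Suggest `## A) Adjust (or comment out) the kernel parameters in /etc/default/grub.d/41_quiet_boot.cfg, or` followed by `## B) install the debug-misc package, which undoes these settings.` The added "For more information, refer to:" line above the printk URL is fine as is.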
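Review bot: The added line `## Instead, ram-wipe will config-package-dev 'hide' this file.` uses the tool name as a verb, which a reader unfamiliar with config-package-dev will stumble over. `## Instead, the ram-wipe package uses config-package-dev to 'hide' this file.` says the same thing plainly. Since hiding removes the whole file, the reader then also loses the NOTE explaining why kexec was disabled here; a short pointer to where ram-wipe documents the trade-off would be worth adding if such a place exists.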
From: Patrick Schleizer Date: Wed, 17 Jul 2024 11:04:03 -0400 Subject: [PATCH 451/846] spelling --- usr/lib/sysctl.d/990-security-misc.conf | 84 ++++++++++++------------- 1 file changed, 42 insertions(+), 42 deletions(-) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 52e3345..60440e5 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -2,18 +2,18 @@ ## See the file COPYING for copying conditions. ## NOTE: -## This file has a strange name so that /usr/lib/sysctl.d/99-protect-links.conf is -## first parsed and then followed by /usr/lib/sysctl.d/990-security-misc.conf. +## This file has a special name to ensure that /usr/lib/sysctl.d/99-protect-links.conf +## is parsed first, followed by /usr/lib/sysctl.d/990-security-misc.conf. ## https://github.com/Kicksecure/security-misc/pull/135 -## This configuration file is split into 5 sections: +## This configuration file is divided into 5 sections: ## 1. Kernel Space ## 2. User Space ## 3. Core Dumps ## 4. Swap Space ## 5. Networking -## See the documentation below for details on the majority of the selected commands. +## For detailed explanations of most of the selected commands, refer to: ## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html ## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/fs.html ## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/net.html 
@@ -25,20 +25,20 @@ ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel ## https://wiki.archlinux.org/title/Security#Kernel_hardening -## Restrict kernel addresses via /proc and other interfaces regardless of user privileges. +## Restrict kernel address visibility via /proc and other interfaces, regardless of user privileges. ## Kernel pointers expose specific locations in kernel memory. ## ## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak ## kernel.kptr_restrict=2 -## Restrict access to the kernel log buffer to CAP_SYSLOG. +## Restrict access to the kernel log buffer to users with CAP_SYSLOG. ## Kernel logs often contain sensitive information such as kernel pointers. ## kernel.dmesg_restrict=1 ## Prevent kernel information leaks in the console during boot. -## Must be used in combination with the kernel boot parameters. +## Must be used in conjunction with kernel boot parameters. ## See /etc/default/grub.d/41_quiet_boot.cfg for implementation. ## ## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html 
@@ -54,23 +54,23 @@ kernel.dmesg_restrict=1 kernel.unprivileged_bpf_disabled=1 net.core.bpf_jit_harden=2 -## Restrict loading TTY line disciplines to CAP_SYS_MODULE. -## Prevents unprivileged users loading vulnerable line disciplines with the TIOCSETD ioctl. +## Restrict loading TTY line disciplines to users with CAP_SYS_MODULE. +## Prevents unprivileged users from loading vulnerable line disciplines with the TIOCSETD ioctl. ## ## https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html ## https://lkml.org/lkml/2019/4/15/890 ## dev.tty.ldisc_autoload=0 -## Restrict the userfaultfd() syscall to SYS_CAP_PTRACE. -## Reduces likelihood of use-after-free exploits from heap sprays. +## Restrict the userfaultfd() syscall to users with SYS_CAP_PTRACE. +## Reduces the likelihood of use-after-free exploits from heap sprays. ## ## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cefdca0a86be517bc390fc4541e3674b8e7803b0 ## https://duasynt.com/blog/linux-kernel-heap-spray ## vm.unprivileged_userfaultfd=0 -## Disables kexec which can be used to replace the running kernel. +## Disables kexec, which can be used to replace the running kernel. ## Useful for live kernel patching without rebooting. ## ## https://en.wikipedia.org/wiki/Kexec @@ -80,7 +80,7 @@ vm.unprivileged_userfaultfd=0 #kernel.kexec_load_disabled=1 ## Disable the SysRq key to prevent leakage of kernel information. -## The Secure Attention Key (SAK) can no longer be utilised. +## The Secure Attention Key (SAK) can no longer be utilized. ## ## https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html ## https://www.kicksecure.com/wiki/SysRq 
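Review bot: `SYS_CAP_PTRACE` in the rewritten userfaultfd comment is not a Linux capability name; the capability that `vm.unprivileged_userfaultfd=0` gates on is CAP_SYS_PTRACE (the kernel's own sysctl/vm document carries the same transposition, which is presumably where it came from), so the line should read `## Restrict the userfaultfd() syscall to users with CAP_SYS_PTRACE.` Worth stating alongside it, hedged because it depends on kernel version, that on recent kernels unprivileged callers can still open a user-mode-only userfaultfd (UFFD_USER_MODE_ONLY), so the setting blocks kernel-mode fault handling rather than the syscall outright. Separately, the "Disables kexec" paragraph at the end of this hunk now describes a setting the following hunk shows commented out (`#kernel.kexec_load_disabled=1`) because it lives in 30_security-misc_kexec-disable.conf; unless the unseen lines 77-79 already say so, a pointer such as `## The setting itself is in /usr/lib/sysctl.d/30_security-misc_kexec-disable.conf; see that file for why.` would stop readers assuming this file disables kexec.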
@@ -88,10 +88,10 @@ vm.unprivileged_userfaultfd=0
 ##
 kernel.sysrq=0
 
-## Restrict user namespaces to CAP_SYS_ADMIN.
+## Restrict user namespaces to users with CAP_SYS_ADMIN.
 ## User namespaces aim to improve sandboxing and accessibility for unprivileged users.
 ## Unprivileged user namespaces pose substantial privilege escalation risks.
-## Restricting is well-known to cause breakages across numerous software.
+## Restricting is known to cause breakages across numerous software packages.
 ##
 ## https://madaidans-insecurities.github.io/linux.html#kernel
 ## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers
@@ -100,7 +100,7 @@ kernel.sysrq=0
 ##
 #kernel.unprivileged_userns_clone=0
 
-## Restricts kernel profiling to CAP_PERFMON.
+## Restricts kernel profiling to users with CAP_PERFMON.
 ## The performance events system should not be accessible by unprivileged users.
 ## Other distributions such as Ubuntu and Fedora may permit further restricting.
 ##
@@ -110,7 +110,7 @@ kernel.sysrq=0
 kernel.perf_event_paranoid=3
 
 ## Enable ASLR for mmap base, stack, VDSO pages, and heap.
-## Heap randomisation can lead to breakages with legacy applications.
+## Heap randomization can lead to breakages with legacy applications.
 ##
 ## https://en.wikipedia.org/wiki/Address_space_layout_randomization#Linux
 ##
@@ -124,7 +124,7 @@ kernel.randomize_va_space=2
 ##
 kernel.io_uring_disabled=2
 
-## 2.User Space:
+## 2. User Space:
 ##
 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace
 
@@ -143,8 +143,8 @@ kernel.io_uring_disabled=2
 ##
 kernel.yama.ptrace_scope=2
 
-## Maximise bits of entropy for improved effectiveness of mmap ASLR.
-## The maximum numbers of bits are dependent on CPU architecture (the ones shown below are for x86).
+## Maximize bits of entropy for improved effectiveness of mmap ASLR.
+## The maximum number of bits depends on CPU architecture (the ones shown below are for x86).
 ## Both explicit sysctl are made redundant due to automation.
 ## Do NOT enable either sysctl - displaying only for clarity.
 ##
@@ -156,9 +156,9 @@ kernel.yama.ptrace_scope=2
 #vm.mmap_rnd_compat_bits=16
 
 ## Prevent hardlink creation by users who do not have read/write/ownership of source file.
-## Only allow symlinks to be followed when outside of a world-writable sticky directories.
+## Only allow symlinks to be followed when outside of world-writable sticky directories.
 ## Allow symlinks when the owner and follower match or when the directory owner matches the symlink's owner.
-## Hardens cross privilege boundaries if root process follows a hardlink/symlink belonging to another user.
+## Hardens cross-privilege boundaries if root process follows a hardlink/symlink belonging to another user.
 ## This mitigates many hardlink/symlink-based TOCTOU races in world-writable directories like /tmp.
 ##
 ## https://wiki.archlinux.org/title/Security#File_systems
@@ -169,16 +169,16 @@ fs.protected_hardlinks=1
 fs.protected_symlinks=1
 
 ## Disallow writes to files in world-writable sticky directories unless owned by the directory owner.
-## Also applies to group writable sticky directories to make data spoofing attacks more difficult.
+## Also applies to group-writable sticky directories to make data spoofing attacks more difficult.
 ## Prevents unintentional writes to attacker-controlled files.
 ##
 fs.protected_fifos=2
 fs.protected_regular=2
 
-## Increase the maximum number of memory map areas a process is permitted to utilise.
-## Addresses performance, crash, and start-up issues for some memory intensive applications.
+## Increase the maximum number of memory map areas a process is permitted to utilize.
+## Addresses performance, crash, and start-up issues for some memory-intensive applications.
 ## Required to accommodate the very large number of guard pages created by hardened_malloc.
-## Kicksecure version 18 will deprecate hardened_malloc and so this sysctl will be applied here instead.
+## Kicksecure version 18 will deprecate hardened_malloc, so this sysctl will be applied here instead.
 ##
 ## https://archlinux.org/news/increasing-the-default-vmmax_map_count-value/
 ## https://github.com/GrapheneOS/hardened_malloc#traditional-linux-based-operating-systems
@@ -192,7 +192,7 @@ vm.max_map_count=1048576
 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps
 
 ## Disable core dump files by preventing any pattern names.
-## This setting may be overwritten by systemd is is not comprehensive.
+## This setting may be overwritten by systemd and is not comprehensive.
 ## Core dumps are also disabled in security-misc via other means.
 ##
 ## https://wiki.archlinux.org/title/Core_dump#Disabling_automatic_core_dumps
@@ -204,7 +204,7 @@ kernel.core_pattern=|/bin/false
 ##
 fs.suid_dumpable=0
 
-## Set core dump file name to 'core.PID' instead of 'core' as a form of defence-in-depth.
+## Set core dump file name to 'core.PID' instead of 'core' as a form of defense-in-depth.
 ## If core dumps are permitted, only useful if PID listings are hidden from non-root users.
 ##
 kernel.core_uses_pid=1
@@ -214,8 +214,8 @@ kernel.core_uses_pid=1
 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#swap
 
 ## Limit the copying of memory to the swap device only if absolutely necessary.
-## Minimises the likelihood of writing potentially sensitive contents to disk.
-## Not reccommmeded to set to zero since this disables periodic write behavior.
+## Minimizes the likelihood of writing potentially sensitive contents to disk.
+## Not recommended to set to zero since this disables periodic write behavior.
 ##
 ## https://en.wikipedia.org/wiki/Memory_paging#Linux
 ## https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Performance_Tuning_Guide/s-memory-tunables.html
@@ -242,7 +242,7 @@ net.ipv4.tcp_syncookies=1
 net.ipv4.tcp_rfc1337=1
 
 ## Enable reverse path filtering (source validation) of packets received from all interfaces.
-## Prevents IP spoofing and mitigate vulnerabilities such as CVE-2019-14899.
+## Prevents IP spoofing and mitigates vulnerabilities such as CVE-2019-14899.
 ##
 ## https://en.wikipedia.org/wiki/IP_address_spoofing
 ## https://forums.whonix.org/t/enable-reverse-path-filtering/8594
@@ -252,7 +252,7 @@ net.ipv4.conf.all.rp_filter=1
 net.ipv4.conf.default.rp_filter=1
 
 ## Disable ICMP redirect acceptance and redirect sending messages.
-## Prevents man-in-the-middle attacks and minimises information disclosure.
+## Prevents man-in-the-middle attacks and minimizes information disclosure.
 ##
 ## https://askubuntu.com/questions/118273/what-are-icmp-redirects-and-should-they-be-blocked
 ##
@@ -282,7 +282,7 @@ net.ipv6.icmp.echo_ignore_all=1
 ##
 net.ipv4.icmp_ignore_bogus_error_responses=1
 
-## Disable source routing which allows users redirect network traffic.
+## Disable source routing which allows users to redirect network traffic.
 ## Prevents man-in-the-middle attacks in which the traffic is redirected.
 ##
 ## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-disable-source-routing
@@ -323,10 +323,10 @@ net.ipv6.conf.default.accept_ra=0
 net.ipv4.tcp_timestamps=0
 
 ## Enable logging of packets with impossible source or destination addresses.
-## Martian and unroutable packets may be used for dangerous purposes.
-## Recommended to keep a (kernel dmesg) log of these to identify these suspicious packets.
-## Good for troubleshooting and diagnostics but not necessary by default.
-## Known for causing performance issues especially on systems with multiple interfaces.
+## Martian and unroutable packets may be used for malicious purposes.
+## Recommended to keep a (kernel dmesg) log of these to identify suspicious packets.
+## Useful for troubleshooting and diagnostics but not necessary by default.
+## Known to cause performance issues, especially on systems with multiple interfaces.
 ##
 ## https://wiki.archlinux.org/title/Sysctl#Log_martian_packets
 ## https://github.com/Kicksecure/security-misc/issues/214
@@ -336,19 +336,19 @@ net.ipv4.tcp_timestamps=0
 #net.ipv4.conf.all.log_martians=1
 #net.ipv4.conf.default.log_martians=1
 
-## Enable IPv6 Privacy Extensions prefer temporary addresses over public addresses.
-## The temporary/privacy address is used as the source of all outgoing traffic.
+## Enable IPv6 Privacy Extensions to prefer temporary addresses over public addresses.
+## The temporary/privacy address is used as the source for all outgoing traffic.
 ## Must be used in combination with /usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf.
 ## Must be used in combination with /usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf.
-## Should be used with MAC randomisation in /usr/lib/NetworkManager/conf.d/80_randomize-mac.conf.
+## Should be used with MAC randomization in /usr/lib/NetworkManager/conf.d/80_randomize-mac.conf.
 ##
-## MAC randomisation breaks root server and VirtualBox DHCP likely due to IPv6 Privacy Extensions.
+## MAC randomization breaks root server and VirtualBox DHCP, likely due to IPv6 Privacy Extensions.
 ##
 ## https://datatracker.ietf.org/doc/html/rfc4941
 ## https://github.com/Kicksecure/security-misc/pull/145
 ## https://github.com/Kicksecure/security-misc/issues/184
 ##
-## The use of IPv6 Privacy Extenstions is currently diasbled due to these breakages.
+## The use of IPv6 Privacy Extensions is currently disabled due to these breakages.
 ##
 #net.ipv6.conf.all.use_tempaddr=2
 #net.ipv6.conf.default.use_tempaddr=2
From b569fc02a4650187e69b62b95439c05ee2611e91 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Wed, 17 Jul 2024 11:38:53 -0400
Subject: [PATCH 452/846] spelling
---
 etc/default/grub.d/41_quiet_boot.cfg | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/etc/default/grub.d/41_quiet_boot.cfg b/etc/default/grub.d/41_quiet_boot.cfg
index 9a23579..4806484 100644
--- a/etc/default/grub.d/41_quiet_boot.cfg
+++ b/etc/default/grub.d/41_quiet_boot.cfg
@@ -2,7 +2,7 @@
 ## See the file COPYING for copying conditions.
 
 ## Some default configuration files automatically include the "quiet" parameter.
-## Thefore, first remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT since "quiet" must be first.
+## Therefore, first remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT since "quiet" must be first.
 ## LANG=C str_replace is provided by package helper-scripts.
 ##
 ## https://github.com/Kicksecure/security-misc/pull/233#issuecomment-2228792461
From 9e976474d5d620be9e4f8d8a97f73c6cc3e64573 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Wed, 17 Jul 2024 11:40:51 -0400
Subject: [PATCH 453/846] spelling
---
 etc/default/grub.d/40_remount_secure.cfg | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/etc/default/grub.d/40_remount_secure.cfg b/etc/default/grub.d/40_remount_secure.cfg
index 3427bf1..db6db11 100644
--- a/etc/default/grub.d/40_remount_secure.cfg
+++ b/etc/default/grub.d/40_remount_secure.cfg
@@ -1,7 +1,7 @@
 ## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 
-## Remount Secure provides enhanced security via mmount options:
+## Remount Secure provides enhanced security via mount options:
 ## https://www.kicksecure.com/wiki/Security-misc#Remount_Secure
 
 ## Option A (No Security):
@@ -19,7 +19,7 @@
 ##
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=2"
 
-## Option D (Highest Security)
+## Option D (Highest Security):
 ## Re-mount with nodev, nosuid, and noexec for all mount points including /home.
 ##
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=3"
From f4da582aa31b869413aef6f4e252b7985e961339 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Wed, 17 Jul 2024 11:44:17 -0400
Subject: [PATCH 454/846] spelling
---
 etc/default/grub.d/40_cpu_mitigations.cfg | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg
index 55b6c17..99eee7d 100644
--- a/etc/default/grub.d/40_cpu_mitigations.cfg
+++ b/etc/default/grub.d/40_cpu_mitigations.cfg
@@ -18,7 +18,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt"
 ## Disable SMT as it has been the cause of and amplified numerous CPU exploits.
 ## The only full mitigation of cross-HT attacks is to disable SMT.
 ## Disabling will significantly decrease system performance on multi-threaded tasks.
-## To enable SMT, remove this line all other occurrences of "nosmt" in this file.
+## To enable SMT, remove this line and all other occurrences of "nosmt" in this file.
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html
 ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17
@@ -54,7 +54,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1tf=full,force"
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt"
 
-## Patches the TAA vulnerability by disabling TSX and enable mitigations using
+## Patches the TAA vulnerability by disabling TSX and enables mitigations using
 ## TSX Async Abort along with disabling SMT.
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html
@@ -97,7 +97,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt"
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html
 ##
-## The default kernel setting will be utilised until provided sufficient evidence to modify.
+## The default kernel setting will be utilized until provided sufficient evidence to modify.
 ##
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_rstack_overflow=safe-ret"
 
From d454f36c63bd653e47353fb1c93107b2d5584fe2 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Wed, 17 Jul 2024 11:52:29 -0400
Subject: [PATCH 455/846] spelling
---
 etc/default/grub.d/40_kernel_hardening.cfg | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg
index 946f2a4..b69dfe0 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@@ -11,7 +11,7 @@ kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || tru
 ## 3. Entropy
 ## 4. Networking
 
-## See the documentation below for details on the majority of the selected commands.
+## See the documentation below for details on the majority of the selected commands:
 ## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
 ## https://wiki.archlinux.org/title/Kernel_parameters#GRUB
 
@@ -37,10 +37,10 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_alloc=1"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_free=1"
 
-## Enable the kernel page allocator to randomise free lists.
-## During early boot the page allocator has predictable FIFO behaviour for physical pages.
+## Enable the kernel page allocator to randomize free lists.
+## During early boot, the page allocator has predictable FIFO behavior for physical pages.
 ## Limits some data exfiltration and ROP attacks that rely on inferring sensitive data location.
-## Also improves performance by optimising memory-side cache utilisation.
+## Also improves performance by optimizing memory-side cache utilization.
 ##
 ## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e900a918b0984ec8f2eb150b8477a47b75d17692
 ## https://en.wikipedia.org/wiki/Return-oriented_programming#Attacks
@@ -54,7 +54,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1"
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on"
 
-## Enable randomisation of the kernel stack offset on syscall entries.
+## Enable randomization of the kernel stack offset on syscall entries.
 ## Hardens against memory corruption attacks due to increased entropy.
 ## Limits attacks relying on deterministic stack addresses or cross-syscall address exposure.
 ##
@@ -96,7 +96,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 ## https://www.kernel.org/doc/html/latest/arch/x86/x86_64/boot-options.html#machine-check
 ## https://forums.whonix.org/t/kernel-hardening/7296/494
 ##
-## The default kernel setting will be utilised until provided sufficient evidence to modify.
+## The default kernel setting will be utilized until provided sufficient evidence to modify.
 ##
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0"
 
@@ -143,7 +143,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.passthrough=0"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.strict=1"
 
 ## Disable the busmaster bit on all PCI bridges during the early boot process.
-## Patches weak-point in some existing IOMMU implementations.
+## Patches weak points in some existing IOMMU implementations.
 ## May lead to issues such as complete system boot failure on certain devices.
 ##
 ## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94
@@ -159,8 +159,8 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma"
 ## The RDRAND CPU (RNG) instructions are proprietary and closed-source.
 ## Numerous implementations of RDRAND have a long history of being defective.
 ## The RNG seed passed by the bootloader could also potentially be tampered.
-## Maximising the entropy pool at boot is desirable for all cryptographic operations.
-## These settings ensure additional entropy is obtained from other sources to initialise the RNG.
+## Maximizing the entropy pool at boot is desirable for all cryptographic operations.
+## These settings ensure additional entropy is obtained from other sources to initialize the RNG.
 ## Note that distrusting these (relatively fast) sources of entropy will increase boot time.
 ##
 ## https://en.wikipedia.org/wiki/RDRAND#Reception
@@ -175,7 +175,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_bootloader=off"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off"
 
-## Obtain more entropy during boot as the runtime memory allocator is being initialised.
+## Obtain more entropy during boot as the runtime memory allocator is being initialized.
 ## Entropy will be extracted from up to the first 4GB of RAM.
 ## Requires the linux-hardened kernel patch.
 ##
From b04828f858fa6d101099773d3156841fd6d33b6f Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Thu, 18 Jul 2024 11:01:41 +1000
Subject: [PATCH 456/846] Disable the usage of `ptrace()` by all processes
---
 README.md | 5 ++---
 usr/lib/sysctl.d/990-security-misc.conf | 6 ++----
 2 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/README.md b/README.md
index b6aa965..cbd2530 100644
--- a/README.md
+++ b/README.md
@@ -45,9 +45,8 @@ space, user space, core dumps, and swap space.
 
 - Disable asynchronous I/O (when using Linux kernel version >= 6.6).
 
-- Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it enables programs to inspect and modify other active processes. Provide the option to entirely disable the use of `ptrace()` for all processes.
+- Disable the usage of `ptrace()` by all processes as it enables programs to inspect and modify other active processes.
 
 - Prevent hardlink and symlink TOCTOU races in world-writable directories.
 
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index 60440e5..1131b77 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -128,7 +128,7 @@ kernel.io_uring_disabled=2
 ##
 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace
 
-## Restrict usage of the ptrace() system call to only processes with CAP_SYS_PTRACE.
+## Disable the usage of ptrace() system calls by all processes.
 ## Limit ptrace() as it enables programs to inspect and modify other active processes.
 ## Prevents native code debugging which some programs use as a method to detect tampering.
 ## May cause breakages in 'anti-cheat' software and programs running under Proton/WINE.
@@ -139,9 +139,7 @@ kernel.io_uring_disabled=2
 ## https://github.com/GrapheneOS/os-issue-tracker/issues/651#issuecomment-917599928
 ## https://github.com/netblue30/firejail/issues/2860
 ##
-## It is possible to harden further by disabling ptrace() for all users, see documentation.
-##
-kernel.yama.ptrace_scope=2
+kernel.yama.ptrace_scope=3
 
 ## Maximize bits of entropy for improved effectiveness of mmap ASLR.
 ## The maximum number of bits depends on CPU architecture (the ones shown below are for x86).
From 6d211faf591608ea6e7f484e8bc69dd567877abf Mon Sep 17 00:00:00 2001
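Review bot: `kernel.yama.ptrace_scope=3` in the last hunk is a one-way setting — once the kernel has applied it the value cannot be lowered again until the next boot — and the comment block above the new line does not say so, nor that at this level even root and CAP_SYS_PTRACE holders lose ptrace attach; the surviving context lines (`## Prevents native code debugging ...`, `## May cause breakages in 'anti-cheat' software ...`) still read as a description of the old scope 2. Suggest adding directly above the key: `## Value 3 blocks ptrace() attach for all processes, including root, and cannot be reverted without a reboot.` The README hunk in this commit would benefit from the same caveat, since an operator who needs a debugger after the fact cannot simply edit the value back at runtime.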
From: Raja Grewal
Date: Thu, 18 Jul 2024 11:04:54 +1000
Subject: [PATCH 457/846] Restrict unprivileged user namespaces
---
 README.md | 4 ++--
 usr/lib/sysctl.d/990-security-misc.conf | 6 ++----
 2 files changed, 4 insertions(+), 6 deletions(-)
diff --git a/README.md b/README.md
index b6aa965..b401517 100644
--- a/README.md
+++ b/README.md
@@ -36,8 +36,8 @@ space, user space, core dumps, and swap space.
 - Entirely disable the SysRq key so that the Secure Attention Key (SAK) can no longer be utilized. See [documentation](https://www.kicksecure.com/wiki/SysRq).
 
-- Provide the option to disable unprivileged user namespaces as they can lead to substantial privilege escalation.
+- Restrict user namespaces to `CAP_SYS_ADMIN` as they can lead to substantial privilege escalation.
 
 - Restrict kernel profiling and the performance events system to `CAP_PERFMON`.
 
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index 60440e5..ccb3dd3 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -91,14 +91,12 @@ kernel.sysrq=0
 ## Restrict user namespaces to users with CAP_SYS_ADMIN.
 ## User namespaces aim to improve sandboxing and accessibility for unprivileged users.
 ## Unprivileged user namespaces pose substantial privilege escalation risks.
-## Restricting is known to cause breakages across numerous software packages.
+## Restricting may lead to breakages in numerous software packages.
 ##
 ## https://madaidans-insecurities.github.io/linux.html#kernel
 ## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers
 ##
-## Unprivileged user namespaces are currently enabled.
-##
-#kernel.unprivileged_userns_clone=0
+kernel.unprivileged_userns_clone=0
 
 ## Restricts kernel profiling to users with CAP_PERFMON.
 ## The performance events system should not be accessible by unprivileged users.
From faa9181a6c0c78b9471c9a4e6bdd3291aec704f6 Mon Sep 17 00:00:00 2001
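Review bot: `kernel.unprivileged_userns_clone` in the last hunk is a Debian/Ubuntu kernel patch rather than a mainline sysctl, so on kernels that lack it the newly uncommented line is silently ignored (sysctl only reports an unknown key) and the restriction the README hunk now states unconditionally does not apply. Suggest a comment above the key, e.g. `## Debian-specific key; has no effect on kernels without the patch.`, and consider noting the mainline `user.max_user_namespaces` limit as the portable alternative. Whether this package only targets Debian-derived kernels is not visible here, so the wording can be adjusted accordingly.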
From: Raja Grewal
Date: Thu, 18 Jul 2024 12:19:27 +1000
Subject: [PATCH 458/846] Typos
---
 README.md | 6 +++---
 debian/security-misc.maintscript | 2 +-
 etc/default/grub.d/40_kernel_hardening.cfg | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/README.md b/README.md
index b6aa965..9e3cbaf 100644
--- a/README.md
+++ b/README.md
@@ -133,9 +133,9 @@ configuration file.
 - Force kernel panics on "oopses" to potentially indicate and thwart certain kernel exploitation attempts.
 
-- Provide option to modify machine check exception handler.
+- Provide the option to modify machine check exception handler.
 
-- Provide option to disable support for all x86 processes and syscalls to reduce
+- Provide the option to disable support for all x86 processes and syscalls to reduce
   attack surface (when using Linux kernel version >= 6.7).
 
 - Enable strict IOMMU translation to protect against DMA attacks and disable
@@ -147,7 +147,7 @@ configuration file.
 - Obtain more entropy at boot from RAM as the runtime memory allocator is being initialized.
 
-- Provide option to disable the entire IPv6 stack to reduce attack surface.
+- Provide the option to disable the entire IPv6 stack to reduce attack surface.
 
 Disallow sensitive kernel information leaks in the console during boot. See the `/etc/default/grub.d/41_quiet_boot.cfg` configuration file.
diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript
index efa72c2..b875fd4 100644
--- a/debian/security-misc.maintscript
+++ b/debian/security-misc.maintscript
@@ -47,7 +47,7 @@ rm_conffile /etc/sysctl.d/30_security-misc.conf
 rm_conffile /etc/sysctl.d/30_silent-kernel-printk.conf
 rm_conffile /etc/sysctl.d/30_security-misc_kexec-disable.conf
 
-## moved to etc/permission-hardener.d
+## moved to /etc/permission-hardener.d
 rm_conffile /etc/permission-hardening.d/25_default_passwd.conf
 rm_conffile /etc/permission-hardening.d/25_default_sudo.conf
 rm_conffile /etc/permission-hardening.d/25_default_whitelist_bubblewrap.conf
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg
index b69dfe0..13ccac6 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@@ -195,6 +195,6 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy"
 ## https://www.kernel.org/doc/html/latest/networking/ipv6.html
 ## https://wiki.archlinux.org/title/IPv6#Disable_IPv6
 ##
-## Enabling makes redundant many network hardening sysctl's in usr/lib/sysctl.d/990-security-misc.conf.
+## Enabling makes redundant many network hardening sysctl's in /usr/lib/sysctl.d/990-security-misc.conf.
 ##
 #ipv6.disable=1
From 9e6facda7017498e8310a9c39403e95e81c5a903 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Thu, 18 Jul 2024 12:21:37 +1000
Subject: [PATCH 459/846] Update module disabling presentation
---
 README.md | 15 ++++++++++++---
 etc/modprobe.d/30_security-misc_disable.conf | 18 ++++++++++--------
 2 files changed, 22 insertions(+), 11 deletions(-)
diff --git a/README.md b/README.md
index 9e3cbaf..6e19e2f 100644
--- a/README.md
+++ b/README.md
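Review bot: The opt-in at the end of the 40_kernel_hardening.cfg hunk is written as a bare `#ipv6.disable=1`, whereas every other setting in this file (see the hunks for this file earlier in the series) appends to `GRUB_CMDLINE_LINUX`; if a user uncomments it as written, the sourced /etc/default/grub.d file will treat `ipv6.disable=1` as a command rather than a kernel parameter and IPv6 stays enabled. Suggest `#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ipv6.disable=1"` so the commented form matches the rest of the file. This is context rather than a line the commit touches, but the comment it fixes points readers at exactly this option, and nothing else in the hunk suggests the value is wrapped elsewhere.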
@@ -200,6 +200,10 @@ modules from starting. This approach should not be considered comprehensive;
 rather, it is a form of badness enumeration. Any potential candidates for future disabling should first be blacklisted for a suitable amount of time.
 
+- Optional - Bluetooth: Disabled to reduce attack surface.
+
+- Optional - CPU MSRs: Disabled as can be abused to write to arbitrary memory.
+
 - File Systems: Disable uncommon and legacy file systems.
 
 - FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks.
@@ -207,21 +211,26 @@ disabling should first be blacklisted for a suitable amount of time.
 - GPS: Disable GPS-related modules such as those required for Global Navigation Satellite Systems (GNSS).
 
-- Not yet enabled: Intel Management Engine (ME): Provides some disabling of the interface between the Intel ME and the OS. See discussion: https://github.com/Kicksecure/security-misc/issues/239
+- Optional - Intel Management Engine (ME): Provides some disabling of the interface between the Intel ME and the OS. May lead to breakages in places such as security, power management, display, and DRM. See discussion: https://github.com/Kicksecure/security-misc/issues/239
 
 - Intel Platform Monitoring Technology Telemetry (PMT): Disable some functionality of the Intel PMT components.
 
 - Network File Systems: Disable uncommon and legacy network file systems.
 
-- Network Protocols: A wide array of uncommon and legacy network protocols are disabled.
+- Network Protocols: A wide array of uncommon and legacy network protocols and drivers are disabled.
 
 - Miscellaneous: Disable an assortment of other modules such as those required for amateur radio, floppy disks, and vivid.
 
 - Thunderbolt: Disabled as they are often vulnerable to DMA attacks.
 
+- Optional - USB Video Device Class: Disables the USB-based video streaming driver for devices like some webcams and digital camcorders.
+
 ### Other
 
 - A systemd service clears the System.map file on boot as these contain kernel
diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf
index 426a0e6..d2408af 100644
--- a/etc/modprobe.d/30_security-misc_disable.conf
+++ b/etc/modprobe.d/30_security-misc_disable.conf
@@ -14,6 +14,7 @@
 ## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
 ##
 ## Now replaced by a privacy and security preserving default Bluetooth configuration for better usability.
+## https://github.com/Kicksecure/security-misc/pull/145
 ##
 #install bluetooth /usr/bin/disabled-bluetooth-by-security-misc
 #install bluetooth_6lowpan /usr/bin/disabled-bluetooth-by-security-misc
@@ -43,7 +44,7 @@
 
 ## File Systems:
 ## Disable uncommon file systems to reduce attack surface.
-## HFS and HFS+ are legacy Apple file systems that may be required depending on the EFI partition format.
+## HFS/HFS+ are legacy Apple file systems that may be required depending on the EFI partition format.
 ##
 install cramfs /usr/bin/disabled-filesys-by-security-misc
 install freevxfs /usr/bin/disabled-filesys-by-security-misc
@@ -82,13 +83,14 @@ install gnss-usb /usr/bin/disabled-gps-by-security-misc
 
 ## Intel Management Engine (ME):
 ## Partially disable the Intel ME interface with the OS.
-## ME functionality has increasing become more intertwined with basic system operation.
-## Disabling may lead to breakages places such as security, power management, display, and DRM.
+## ME functionality has increasing become more intertwined with basic Intel system operation.
+## Disabling may lead to breakages in places such as security, power management, display, and DRM.
 ##
 ## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html
 ## https://en.wikipedia.org/wiki/Intel_Management_Engine#Security_vulnerabilities
 ## https://www.kicksecure.com/wiki/Out-of-band_Management_Technology#Intel_ME_Disabling_Disadvantages
 ## https://github.com/Kicksecure/security-misc/pull/236#issuecomment-2229092813
+## https://github.com/Kicksecure/security-misc/issues/239
 ##
 #install mei /usr/bin/disabled-intelme-by-security-misc
 #install mei-gsc /usr/bin/disabled-intelme-by-security-misc
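Review bot: The rewritten line `+## ME functionality has increasing become more intertwined with basic Intel system operation.` in the third hunk keeps a grammatical slip that the rest of the commit cleans up elsewhere: `increasing` should be `increasingly`. Suggest `## ME functionality has increasingly become more intertwined with basic Intel system operation.`; the added issue link and the first two hunks read fine.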
@@ -219,11 +221,6 @@ install hamradio /usr/bin/disabled-miscellaneous-by-security-misc
 ##
 install floppy /usr/bin/disabled-miscellaneous-by-security-misc
 ##
-## USB Video Device Class:
-## Disables USB-based video streaming driver for devices like webcams and digital camcorders.
-##
-#install uvcvideo /usr/bin/disabled-miscellaneous-by-security-misc
-##
 ## Vivid:
 ## Disables the vivid kernel module since it has been the cause of multiple vulnerabilities.
 ##
@@ -241,3 +238,8 @@ install vivid /usr/bin/disabled-miscellaneous-by-security-misc
 install intel-wmi-thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
 install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
 install thunderbolt_net /usr/bin/disabled-thunderbolt-by-security-misc
+
+## USB Video Device Class:
+## Disables the USB-based video streaming driver for devices like some webcams and digital camcorders.
+##
+#install uvcvideo /usr/bin/disabled-miscellaneous-by-security-misc
From 13cc1f0986033855a399b50442a86a8d8552eb96 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Thu, 18 Jul 2024 12:25:00 +1000
Subject: [PATCH 460/846] Clarify (future) disabling of `io_uring`
---
 README.md | 3 ++-
 usr/lib/sysctl.d/990-security-misc.conf | 8 +++++++-
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 6e19e2f..5cd9fad 100644
--- a/README.md
+++ b/README.md
@@ -43,7 +43,8 @@ space, user space, core dumps, and swap space.
 
 - Randomize the addresses (ASLR) for mmap base, stack, VDSO pages, and heap.
 
-- Disable asynchronous I/O (when using Linux kernel version >= 6.6).
+- Provide the option to disable asynchronous I/O as `io_uring` has been the source of numerous kernel exploits (when using Linux kernel version >= 6.6).
 
 - Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it enables programs to inspect and modify other active processes. Provide the
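Review bot: In the second hunk the re-added `#install uvcvideo /usr/bin/disabled-miscellaneous-by-security-misc` now sits under its own `## USB Video Device Class:` heading but still routes through the miscellaneous stub, whereas every other section visible in this file uses a stub named after its category (`disabled-filesys-`, `disabled-gps-`, `disabled-intelme-`, `disabled-thunderbolt-by-security-misc`). If the stub name is what a user sees when a module load is refused, "miscellaneous" is now misleading for this entry; either point it at a category-named stub or add a one-line comment stating that the reuse is intentional. The line is commented out by default, so this is a consistency point rather than a functional one.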
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index 60440e5..e302047 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -117,12 +117,18 @@ kernel.perf_event_paranoid=3
 kernel.randomize_va_space=2
 
 ## Disable asynchronous I/O for all processes.
+## Leading cause of numerous kernel exploits.
+## Disabling will reduce the read/write performance of storage devices.
 ##
+## https://en.wikipedia.org/wiki/Io_uring#Security
+## https://lwn.net/Articles/902466/
 ## https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html
+## https://github.com/moby/moby/pull/46762
+## https://forums.whonix.org/t/io-uring-security-vulnerabilties/16890
 ##
 ## Applicable when using Linux kernel >= 6.6 (retained here for future-proofing and completeness).
 ##
-kernel.io_uring_disabled=2
+#kernel.io_uring_disabled=2
 
 ## 2. User Space:
 ##
From 95286df50274953326accb615487e21d409b652a Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Thu, 18 Jul 2024 15:28:31 +1000
Subject: [PATCH 461/846] Update README.md regarding secure ICMP redirects
---
 README.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 5cd9fad..29654c4 100644
--- a/README.md
+++ b/README.md
@@ -72,7 +72,8 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6.
   from all interfaces to prevent IP spoofing.
 
 - Disable ICMP redirect acceptance and redirect sending messages to
-  prevent man-in-the-middle attacks and minimize information disclosure.
+  prevent man-in-the-middle attacks and minimize information disclosure. If
+  ICMP redirect messages are permitted, only do so from approved gateways.
 
 - Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks.
 
From 2ccc95f6d44bacd3da97d586542695f33d5faf38 Mon Sep 17 00:00:00 2001
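Review bot: With `kernel.io_uring_disabled=2` now commented out in the first hunk, the heading `## Disable asynchronous I/O for all processes.` and the new `## Leading cause of numerous kernel exploits.` read as if the restriction were active, and nothing in the block says it is currently opt-in or why; this file states that explicitly elsewhere (`## The use of IPv6 Privacy Extensions is currently disabled due to these breakages.`). Suggest a line before the key such as `## Currently not applied by default; uncomment to enforce.` The heading also overstates scope: this sysctl governs io_uring only, not the older `io_setup()`-style AIO interface, so `## Disable io_uring for all processes.` would be more precise. Value 1, which disables io_uring for unprivileged processes while leaving it to CAP_SYS_ADMIN and members of the `kernel.io_uring_group` group, may be worth mentioning as a less disruptive middle ground than 2.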
From: Patrick Schleizer
Date: Thu, 18 Jul 2024 14:05:23 +0000
Subject: [PATCH 462/846] bumped changelog version
---
 changelog.upstream | 412 +++++++++++++++++++++++++++++++++++++++++++++
 debian/changelog | 6 +
 2 files changed, 418 insertions(+)
diff --git a/changelog.upstream b/changelog.upstream
index b135da6..c7b5c05 100644
--- a/changelog.upstream
+++ b/changelog.upstream
@@ -1,3 +1,283 @@ +commit d454f36c63bd653e47353fb1c93107b2d5584fe2 +Author: Patrick Schleizer +Date: Wed Jul 17 11:52:29 2024 -0400 + + spelling + +commit f4da582aa31b869413aef6f4e252b7985e961339 +Author: Patrick Schleizer +Date: Wed Jul 17 11:44:17 2024 -0400 + + spelling + +commit 9e976474d5d620be9e4f8d8a97f73c6cc3e64573 +Author: Patrick Schleizer +Date: Wed Jul 17 11:40:51 2024 -0400 + + spelling + +commit b569fc02a4650187e69b62b95439c05ee2611e91 +Author: Patrick Schleizer +Date: Wed Jul 17 11:38:53 2024 -0400 + + spelling + +commit a2e26f441b6f44831c7b1bf3bf9dc2cf6f06e176 +Author: Patrick Schleizer +Date: Wed Jul 17 11:04:03 2024 -0400 + + spelling + +commit c8be4ac83c2563798ee35d56200eb8d11a2c32e3 +Author: Patrick Schleizer +Date: Wed Jul 17 10:56:14 2024 -0400 + + comment + +commit 24cd70a014b221b25669755b955bc114fe083643 +Author: Patrick Schleizer +Date: Wed Jul 17 10:55:12 2024 -0400 + + spelling + +commit 5cec685cf9b0845838f17fba78ac65d6c2e63386 +Author: Patrick Schleizer +Date: Wed Jul 17 10:49:21 2024 -0400 + + spelling + +commit 821a416fe39e11ca030c63f25a5220772d80eae5 +Author: Patrick Schleizer +Date: Wed Jul 17 10:43:16 2024 -0400 + + spelling + +commit 9a387f95e9346030e2adc3252a45942949561b52 +Merge: fd41acd 4afe257 +Author: Patrick Schleizer +Date: Wed Jul 17 10:32:26 2024 -0400 + + Merge remote-tracking branch 'raja/miscellaneous' + +commit fd41acdc721a6463813bc347cb965b6211fb9447 +Merge: 0da22c2 1087387 +Author: Patrick Schleizer +Date: Wed Jul 17 10:27:31 2024 -0400 + + Merge remote-tracking branch 'raja/fack_off' + +commit 4afe257a42576158a54a68948440a2b4c043b67c +Author: Raja Grewal +Date: Thu Jul 18 00:14:13 2024 +1000 + + minor + +commit d0a59617f6b8a90fd5c758699e910af9d7496c98 +Author: Raja Grewal +Date: Thu Jul 18 00:13:30 2024 +1000 + + Add missing Copyright (C) statements + +commit 8f3896c3dac13b604e36d4249f976598f271a215 +Author: Raja Grewal +Date: Wed Jul 17 23:44:37 2024 +1000 + + Upgrade hyperlinks to HTTPS + +commit 
1087387b362d5598e44262db07ab0fff9118b064 +Author: Raja Grewal +Date: Wed Jul 17 23:35:25 2024 +1000 + + Remove obsolete `#net.ipv4.tcp_fack=0` + +commit 0da22c20316c8f0f574e0127926506e52ccbc269 +Author: Patrick Schleizer +Date: Wed Jul 17 09:07:31 2024 -0400 + + minor + +commit c336b266f61528cce27e1cafac6377370927a787 +Merge: afe3c25 df80385 +Author: Patrick Schleizer +Date: Wed Jul 17 09:06:44 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit df80385289717fee0266436d056c9aedd0fb06af +Merge: afe3c25 724435e +Author: Patrick Schleizer +Date: Wed Jul 17 09:04:18 2024 -0400 + + Merge pull request #237 from raja-grewal/intel_pmt + + Disable some Intel PMT kernel modules + +commit afe3c25a49940f7f322414c08e8dbd631e696215 +Author: Patrick Schleizer +Date: Wed Jul 17 08:58:00 2024 -0400 + + update readme + + https://github.com/Kicksecure/security-misc/issues/239 + +commit f7772fb85a1fe6d3c0749e5f34fc29111b6a8125 +Author: Patrick Schleizer +Date: Wed Jul 17 08:57:35 2024 -0400 + + minor + +commit 6157e328f40a7f3780208489b1ffecef8e6d738a +Author: Patrick Schleizer +Date: Wed Jul 17 08:52:11 2024 -0400 + + no longer disable Intel ME related kernel modules + + https://github.com/Kicksecure/security-misc/issues/239 + +commit daee8b900b3057235aedc17b1231c3c05599140c +Merge: 954ff1b a4ba6e4 +Author: Patrick Schleizer +Date: Wed Jul 17 08:47:55 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit a4ba6e485d94512fdf737b9f66137c3f692c9904 +Merge: 9a75135 abafb19 +Author: Patrick Schleizer +Date: Wed Jul 17 08:46:27 2024 -0400 + + Merge pull request #236 from raja-grewal/intel_me + + Disable more Intel ME kernel modules + +commit 954ff1be41288b5fa2e50d492d92544915f93bb5 +Merge: d29a616 9a75135 +Author: Patrick Schleizer +Date: Wed Jul 17 08:42:52 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 9a75135633ad172f7cbf318e1206865493c28bb4 +Merge: d29a616 a340899 +Author: Patrick Schleizer +Date: 
Wed Jul 17 08:41:43 2024 -0400 + + Merge pull request #238 from raja-grewal/uvcvideo_2 + + Minor additions to `30_security-misc_disable.conf` + +commit d29a616142562492db6c45c299f002100e905828 +Author: Patrick Schleizer +Date: Wed Jul 17 08:39:20 2024 -0400 + + minor + +commit a2802f352fc7021ead0d431c665cc16b2821ae0b +Merge: 0b873b7 81a3715 +Author: Patrick Schleizer +Date: Wed Jul 17 08:38:23 2024 -0400 + + Merge remote-tracking branch 'raja/kargs' + +commit 0b873b765e20b06113d808075fa95c8acbb1e0fc +Author: Patrick Schleizer +Date: Wed Jul 17 08:05:27 2024 -0400 + + minor + +commit 070bb46a08afcd84fb638472c39bd543bad4fb17 +Merge: 6d6e547 25fd532 +Author: Patrick Schleizer +Date: Wed Jul 17 08:02:45 2024 -0400 + + Merge remote-tracking branch 'raja/sysctl' + +commit 6d6e5473f2778a2a5b1ca7826d0a3a5a63cff08a +Author: Patrick Schleizer +Date: Wed Jul 17 08:00:24 2024 -0400 + + minor + +commit cf5f0edbb85589a72ec891e9c3e090f9e81c4fda +Merge: fe5c840 693b47e +Author: Patrick Schleizer +Date: Wed Jul 17 07:59:35 2024 -0400 + + Merge remote-tracking branch 'raja/sysctl' + +commit 25fd532ce62399d5bb42d844ad32b5128eaf748d +Author: Raja Grewal +Date: Wed Jul 17 21:56:40 2024 +1000 + + Update README.md relating to `sysctl`'s + +commit 39fd125eb0f0c16c8a64933bbd04709287a2686a +Author: Raja Grewal +Date: Wed Jul 17 21:44:44 2024 +1000 + + Provide explanation on the disabling of IPv6 Privacy Extensions + +commit a3408990ab439e6edbf8691cf7d65fb16c0d24df +Author: Raja Grewal +Date: Wed Jul 17 15:03:39 2024 +1000 + + Uncomment disabling of already disabled ATM modules + +commit 693b47e6235528ab7a9032818cce22fd63a4f5ea +Author: Raja Grewal +Date: Wed Jul 17 14:58:30 2024 +1000 + + Clarify ICMP redirect acceptance and sending + +commit 81a3715c7c0b73796a62297ebe55e861a46f7686 +Author: Raja Grewal +Date: Wed Jul 17 13:32:08 2024 +1000 + + Add info regarding the downsides of disabling SMT + +commit abafb1945cace774429fefd0c1a037fb2ec3f774 +Author: Raja Grewal +Date: Wed Jul 17 13:26:03 
2024 +1000 + + Add Intel ME references + +commit f317aaebab126bafe3cfaef8159bf0820c392c87 +Author: Raja Grewal +Date: Wed Jul 17 01:09:02 2024 +1000 + + Disable two network modules + These were previously blacklisted for two years in https://github.com/Kicksecure/security-misc/commit/61ef9bd59f9ff39c140f782ff5b41d0a3c6d97bc. + +commit d69fe88091c7212a9af86306c797aed40398584b +Author: Raja Grewal +Date: Wed Jul 17 01:08:01 2024 +1000 + + Provide option to disable `uvcvideo` driver + +commit 49594ccb223c09d70f00434e5875c9dae1a2360d +Author: Raja Grewal +Date: Wed Jul 17 00:49:25 2024 +1000 + + Partially revert https://github.com/raja-grewal/security-misc/commit/f4d652fa7b5dd350b577521c6bba22c9eb3c13f1 + +commit 824d9b82e53485eed8eaf24e9815ac07ad0f2406 +Author: Raja Grewal +Date: Wed Jul 17 00:36:18 2024 +1000 + + Uncomment redundant disabling of TCP FACK` + +commit d1119c38b6ad4193919d4b800de0a3cb014f92c1 +Author: Raja Grewal +Date: Wed Jul 17 00:31:23 2024 +1000 + + Apply changes from code review + +commit fe5c840b79c4aabd5c21a286d3ce1a3ee460812c +Author: Patrick Schleizer +Date: Mon Jul 15 21:18:55 2024 +0000 + + bumped changelog version + commit 6e63fc8985b97902dbae2553ded51950168dc222 Merge: fe0846c b7796a5 Author: Patrick Schleizer 
@@ -28,6 +308,30 @@ Date: Mon Jul 15 12:28:03 2024 -0400 Merge remote-tracking branch 'raja/kernel_modules' +commit 73f6d4b26f51f0c920fe020677f464c536d75410 +Author: Raja Grewal +Date: Tue Jul 16 01:03:41 2024 +1000 + + Fix transcription error + +commit 724435e56ea059183241044a4fc09423187533eb +Author: Raja Grewal +Date: Mon Jul 15 22:38:43 2024 +1000 + + Disable some Intel Platform Monitoring Technology Telemetry (PMT) modules + +commit 61941da37509a4bb809212536b79f461a209f584 +Author: Raja Grewal +Date: Mon Jul 15 22:38:09 2024 +1000 + + Create `disabled-intelpmt-by-security-misc` + +commit 22ba7a7c393a8c9005dfe26aea396815a4d54803 +Author: Raja Grewal +Date: Mon Jul 15 22:21:20 2024 +1000 + + Disable more Intel Management Engine (ME) modules + commit 9300c208e25d936f2c633a0904126566afc1c275 Author: Raja Grewal Date: Mon Jul 15 21:36:25 2024 +1000 @@ -40,6 +344,12 @@ Date: Mon Jul 15 21:18:32 2024 +1000 Fix script +commit 382f1e9ec00ab5f012f028fa324d6cf73040c37d +Author: Raja Grewal +Date: Mon Jul 15 21:13:25 2024 +1000 + + Fix error + commit a8bc1144c32b4b4f20904af5f813da1051fe4c9c Author: Raja Grewal Date: Mon Jul 15 21:10:13 2024 +1000 
@@ -113,6 +423,102 @@ Date: Mon Jul 15 20:46:04 2024 +1000 Update `security-misc.maintscript` Due to previous splitting IN https://github.com/Kicksecure/security-misc/commit/b02230a783941da412be72fb52053db0c6b8010f. +commit b2657bc61fb15bb89d62f0743a36835c1f0dda8a +Author: Raja Grewal +Date: Mon Jul 15 15:05:00 2024 +1000 + + Improve docs + +commit 1c2afc1f253e15d2605d1bef0e323e6e972a2484 +Author: Raja Grewal +Date: Mon Jul 15 15:01:48 2024 +1000 + + Update presentation of the `kernel.printk` sysctl + +commit c8385d82fbd6ba16ba1f0b4969661474966b74f1 +Author: Raja Grewal +Date: Mon Jul 15 14:57:40 2024 +1000 + + Clarify instructions for increasing log verbosity + +commit d229e8b04d914803fa66c3a695022cfb2d9b2a25 +Author: Raja Grewal +Date: Mon Jul 15 14:50:29 2024 +1000 + + Fix link + +commit fbfdb0fa99087e4160979b612db04e63a1d3e3b1 +Author: Raja Grewal +Date: Mon Jul 15 14:40:03 2024 +1000 + + Update `security-misc.maintscript` relating to grub + +commit f4d652fa7b5dd350b577521c6bba22c9eb3c13f1 +Author: Raja Grewal +Date: Mon Jul 15 14:39:12 2024 +1000 + + Update presentation of `quiet loglevel=0` + +commit 69c8e849270393537d3e024137bc20a42c848333 +Author: Raja Grewal +Date: Mon Jul 15 14:38:21 2024 +1000 + + Fix typos + +commit 48e1ac416314d2c66f3a0d5044a3c51cb6fb4093 +Author: Raja Grewal +Date: Mon Jul 15 02:04:25 2024 +1000 + + Remove the optional `slub_debug` parameter since it is no longer recommended + +commit 99038c7a0621f5c9852638c1706c5306b42e6480 +Author: Raja Grewal +Date: Mon Jul 15 02:02:01 2024 +1000 + + Add option to disable support for x86 processes and syscalls in the future + +commit f550fbe07cafb75112e98268730d1bcc511489e2 +Author: Raja Grewal +Date: Mon Jul 15 01:59:04 2024 +1000 + + Add option to disable the entire IPv6 stack functionality + +commit a33d4cd099b8cbf569ff35627eeacf3562a4371e +Author: Raja Grewal +Date: Mon Jul 15 01:56:25 2024 +1000 + + Refactor existing kernel parameters for clarity + +commit 
acd60e45d8cbc98ea935c9bf035f2840622ab58d +Author: Raja Grewal +Date: Sun Jul 14 20:07:31 2024 +1000 + + Add comment about enabling core dump files + +commit 5cf9afc21563712b851850e2041141807503807c +Author: Raja Grewal +Date: Sun Jul 14 17:05:49 2024 +1000 + + Include optional `sysctl`'s in README.md + +commit 2b9e174c9db69f2c30828aae236c631d46255e07 +Author: Raja Grewal +Date: Sun Jul 14 16:22:52 2024 +1000 + + Remove empty lines + +commit dd1741c4a1cd18f34f69437c00f3a78a9ebd402a +Author: Raja Grewal +Date: Sun Jul 14 13:40:53 2024 +1000 + + Some documentation additions and fixes + +commit 565597c9a282b08697d04204f5eb9c22153e77bd +Author: Raja Grewal +Date: Sun Jul 14 01:21:24 2024 +1000 + + Minor documentation changes and fixes + commit 5ba5a85ad09b74a29c5ed0e5c265d54d93da9d32 Author: Patrick Schleizer Date: Sat Jul 13 15:01:16 2024 +0000 @@ -144,6 +550,12 @@ Date: Sat Jul 13 23:29:52 2024 +1000 Update modprobe presentation +commit 2de3a795990234134be15be90aa55f547c064d92 +Author: Raja Grewal +Date: Sat Jul 13 22:41:40 2024 +1000 + + Refactor existing sysctl for clarity + commit f34b9d7c45cd723535eedd3df99896ee7f852388 Merge: 05c1711 5f10cc8 Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index ce06bfd..574f110 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:37.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 18 Jul 2024 14:05:22 +0000 + security-misc (3:37.8-1) unstable; urgency=medium * New upstream version (local package). From 05cf438199ca75f96cf8e67131f4a409b465e7e7 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 18 Jul 2024 10:11:03 -0400 Subject: [PATCH 463/846] no comments / copyright allowed in .displace-extension --- debian/security-misc.displace-extension | 3 --- 1 file changed, 3 deletions(-) diff --git a/debian/security-misc.displace-extension b/debian/security-misc.displace-extension index 2959324..6ecb033 100644 
--- a/debian/security-misc.displace-extension +++ b/debian/security-misc.displace-extension @@ -1,4 +1 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - .security-misc From 61628c2baf58ca2859bc5fc99782985ef0822750 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 18 Jul 2024 14:11:35 +0000 Subject: [PATCH 464/846] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index c7b5c05..cd694ee 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit 05cf438199ca75f96cf8e67131f4a409b465e7e7 +Author: Patrick Schleizer +Date: Thu Jul 18 10:11:03 2024 -0400 + + no comments / copyright allowed in .displace-extension + +commit 2ccc95f6d44bacd3da97d586542695f33d5faf38 +Author: Patrick Schleizer +Date: Thu Jul 18 14:05:23 2024 +0000 + + bumped changelog version + commit d454f36c63bd653e47353fb1c93107b2d5584fe2 Author: Patrick Schleizer Date: Wed Jul 17 11:52:29 2024 -0400 diff --git a/debian/changelog b/debian/changelog index 574f110..934d9fb 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:38.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 18 Jul 2024 14:11:35 +0000 + security-misc (3:37.9-1) unstable; urgency=medium * New upstream version (local package). From 21efacf1b111d9599e72cef23b791cf4961c04c3 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 18 Jul 2024 14:00:28 -0400 Subject: [PATCH 465/846] cleanup duplicate comments which are already in `/etc/dkms/framework.conf` --- .../framework.conf.d/30_security-misc.conf | 42 ------------------- 1 file changed, 42 deletions(-) diff --git a/etc/dkms/framework.conf.d/30_security-misc.conf b/etc/dkms/framework.conf.d/30_security-misc.conf index 095e050..bd0f84e 100644 
--- a/etc/dkms/framework.conf.d/30_security-misc.conf +++ b/etc/dkms/framework.conf.d/30_security-misc.conf @@ -1,48 +1,6 @@ ## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## This configuration file modifies the behavior of -## DKMS (Dynamic Kernel Module Support) and is sourced -## in by DKMS every time it is run. - -## Source Tree Location (default: /usr/src) -# source_tree="/usr/src" - -## DKMS Tree Location (default: /var/lib/dkms) -# dkms_tree="/var/lib/dkms" - -## Install Tree Location (default: /lib/modules) -# install_tree="/lib/modules" - -## tmp Location (default: /tmp) -# tmp_location="/tmp" - -## verbosity setting (verbose will be active if you set it to a non-null value) -# verbose="" - -## symlink kernel modules (will be active if you set it to a non-null value) -## This creates symlinks from the install_tree into the dkms_tree instead of -## copying the modules. This preserves some space on the costs of being less -## safe. -# symlink_modules="" - -## Automatic installation and upgrade for all installed kernels (if set to a -## non-null value) -# autoinstall_all_kernels="" - -## Script to sign modules during build, script is called with kernel version -## and module name -# sign_tool="/etc/dkms/sign_helper.sh" - -### BEGIN modifications by package security-misc ### - -## original: -## https://github.com/dell/dkms/blob/master/dkms_framework.conf - -## DKMS feature request: -## add /etc/dkms/framework.conf.d configuration file drop-in folder -## https://github.com/dell/dkms/issues/116 - ## Lower parallel compilation jobs to 1 if less than 2 GB RAM to avoid freezing ## of virtual machines. ## From a5eed00eba76f83c310f62d000830f38b0e87d21 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 18 Jul 2024 14:02:38 -0400 Subject: [PATCH 466/846] cleanup comments --- etc/dkms/framework.conf.d/30_security-misc.conf | 16 +++------------- 1 file changed, 3 insertions(+), 13 deletions(-) 
diff --git a/etc/dkms/framework.conf.d/30_security-misc.conf b/etc/dkms/framework.conf.d/30_security-misc.conf
index bd0f84e..dda1ce7 100644
--- a/etc/dkms/framework.conf.d/30_security-misc.conf
+++ b/etc/dkms/framework.conf.d/30_security-misc.conf
@@ -1,13 +1,9 @@
 ## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP
 ## See the file COPYING for copying conditions.
 
-## Lower parallel compilation jobs to 1 if less than 2 GB RAM to avoid freezing
-## of virtual machines.
-##
-## This does not necessarily belong into security-misc, however likely
-## security-misc will need to modify /etc/dkms/framework.conf in the future to
-## enable kernel module signing. See below.
-##
+## Lower parallel compilation jobs to 1 if less than 2 GB RAM to avoid freezing of virtual machines.
+## This does not necessarily belong into security-misc.
+## Example here:
 ## https://forums.whonix.org/t/linux-kernel-runtime-guard-lkrg-linux-kernel-runtime-integrity-checking-and-exploit-detection/8477/26
 ENOUGH_RAM="1950"
 total_ram="$(free -m | sed -n -e '/^Mem:/s/^[^0-9]*\([0-9]*\) .*/\1/p')"
@@ -17,9 +13,3 @@ else
    true "INFO: Not enough RAM available. Lowering compilation cores to 1."
    parallel_jobs=1
 fi
-
-## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/58
-## https://github.com/dell/dkms/blob/master/sign_helper.sh
-#sign_tool="/etc/dkms/sign_helper.sh"
-
-### END modifications by package security-misc ###
From cac5bbad99a9c083c5b5f85f07c7368287c64f72 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Thu, 18 Jul 2024 14:04:00 -0400
Subject: [PATCH 467/846] comment
---
 etc/dkms/framework.conf.d/30_security-misc.conf | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/etc/dkms/framework.conf.d/30_security-misc.conf b/etc/dkms/framework.conf.d/30_security-misc.conf
index dda1ce7..abf9a78 100644
--- a/etc/dkms/framework.conf.d/30_security-misc.conf
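Review bot: The rewritten header drops the only stated reason this DKMS tweak ships in security-misc (the removed lines tied it to planned module-signing changes) and leaves `+## This does not necessarily belong into security-misc.` as an unexplained admission; either keep a one-line rationale or point to the tracking discussion, and "belong into" should read "belong in". `+## Example here:` followed by a forum link is vague about the link's role — `## Rationale and origin of this workaround:` says what the reader will find there. The `if`/`else` block whose tail appears in the second hunk starts outside this diff.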
+++ b/etc/dkms/framework.conf.d/30_security-misc.conf @@ -3,8 +3,13 @@ ## Lower parallel compilation jobs to 1 if less than 2 GB RAM to avoid freezing of virtual machines. ## This does not necessarily belong into security-misc. +## ## Example here: ## https://forums.whonix.org/t/linux-kernel-runtime-guard-lkrg-linux-kernel-runtime-integrity-checking-and-exploit-detection/8477/26 +## +## This might no longer be possible in the future. See: +## "Stop handling dkms.conf as a bash/shell script" +## https://github.com/dell/dkms/issues/414 ENOUGH_RAM="1950" total_ram="$(free -m | sed -n -e '/^Mem:/s/^[^0-9]*\([0-9]*\) .*/\1/p')" if [ "$total_ram" -ge "$ENOUGH_RAM" ]; then From 2d11436432d3b2b75f84b05550de06cd77ec6e79 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 18 Jul 2024 18:05:07 +0000 Subject: [PATCH 468/846] bumped changelog version --- changelog.upstream | 24 ++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 30 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index cd694ee..8ba26aa 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,27 @@ +commit cac5bbad99a9c083c5b5f85f07c7368287c64f72 +Author: Patrick Schleizer +Date: Thu Jul 18 14:04:00 2024 -0400 + + comment + +commit a5eed00eba76f83c310f62d000830f38b0e87d21 +Author: Patrick Schleizer +Date: Thu Jul 18 14:02:38 2024 -0400 + + cleanup comments + +commit 21efacf1b111d9599e72cef23b791cf4961c04c3 +Author: Patrick Schleizer +Date: Thu Jul 18 14:00:28 2024 -0400 + + cleanup duplicate comments which are already in `/etc/dkms/framework.conf` + +commit 61628c2baf58ca2859bc5fc99782985ef0822750 +Author: Patrick Schleizer +Date: Thu Jul 18 14:11:35 2024 +0000 + + bumped changelog version + commit 05cf438199ca75f96cf8e67131f4a409b465e7e7 Author: Patrick Schleizer Date: Thu Jul 18 10:11:03 2024 -0400 diff --git a/debian/changelog b/debian/changelog index 934d9fb..d5334b1 100644 --- a/debian/changelog +++ b/debian/changelog 
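Review bot: The new comment `+## "Stop handling dkms.conf as a bash/shell script"` cites an issue about `dkms.conf`, while this file is a `framework.conf.d` drop-in; if the linked issue also covers framework configuration, say so explicitly, otherwise the warning does not apply to the `ENOUGH_RAM`/`total_ram` logic below it. Something like `## If DKMS stops sourcing framework.conf.d files as shell, the RAM check below will no longer work. See:` would make the dependency clear. The `if` that opens on the last context line continues outside this hunk.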
@@ -1,3 +1,9 @@ +security-misc (3:38.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 18 Jul 2024 18:05:06 +0000 + security-misc (3:38.0-1) unstable; urgency=medium * New upstream version (local package). From 06894d1c98e91f43af58cc438559ea76b6a361e3 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Fri, 19 Jul 2024 18:30:42 +1000 Subject: [PATCH 469/846] Typo --- etc/default/grub.d/40_kernel_hardening.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 13ccac6..2bc07b5 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -5,7 +5,7 @@ kpkg="linux-image-$(dpkg --print-architecture)" || true kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || true #echo "## kver: $kver" -## This configuration file is split into 3 sections: +## This configuration file is split into 4 sections: ## 1. Kernel Space ## 2. Direct Memory Access ## 3. Entropy From 9f53a0182b5f6a7cf8228bf19b04661d39c7a2fe Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 19 Jul 2024 07:20:59 -0400 Subject: [PATCH 470/846] undo io_uring related changes as these should be done in a separate pull request (if apprpriate) https://github.com/Kicksecure/security-misc/pull/244#issuecomment-2238889062 --- README.md | 2 +- usr/lib/sysctl.d/990-security-misc.conf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 29654c4..5e029c8 100644 --- a/README.md +++ b/README.md 
@@ -43,7 +43,7 @@ space, user space, core dumps, and swap space.
 
 - Randomize the addresses (ASLR) for mmap base, stack, VDSO pages, and heap.
 
-- Provide the option to disable asynchronous I/O as `io_uring` has been the source
+- Disable asynchronous I/O as `io_uring` has been the source
   of numerous kernel exploits (when using Linux kernel version >= 6.6).
 
 - Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index e302047..7b07033 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -128,7 +128,7 @@ kernel.randomize_va_space=2
 ##
 ## Applicable when using Linux kernel >= 6.6 (retained here for future-proofing and completeness).
 ##
-#kernel.io_uring_disabled=2
+kernel.io_uring_disabled=2
 
 ## 2. User Space:
 ##
From c4965ed838b1df93ddb9e947fb2f0d23fa8ffc17 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Sat, 20 Jul 2024 14:55:10 +1000
Subject: [PATCH 471/846] Disable legacy framebuffer drivers

These were all previously blacklisted for over 2 years.
---
 README.md | 6 ++--
 .../30_security-misc_blacklist.conf | 33 -----------------
 etc/modprobe.d/30_security-misc_disable.conf | 35 +++++++++++++++++++
 usr/bin/disabled-framebuffer-by-security-misc | 10 ++++++
 4 files changed, 48 insertions(+), 36 deletions(-)
 create mode 100755 usr/bin/disabled-framebuffer-by-security-misc

diff --git a/README.md b/README.md
index 5e029c8..3a9c552 100644
--- a/README.md
+++ b/README.md
@@ -190,9 +190,6 @@ modules from automatically starting.
 
 - CD-ROM/DVD: Blacklist modules required for CD-ROM/DVD devices.
 
-- Framebuffer Drivers: Blacklisted as they are well-known to be buggy, cause
-  kernel panics, and are generally only used by legacy devices.
-
 - Miscellaneous: Blacklist an assortment of other modules to prevent them from automatically loading.
 
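Review bot: `+kernel.io_uring_disabled=2` is restored without the comment block above it (outside this hunk) saying what the value means, and readers should know a middle setting exists before they copy this into a system that needs io_uring; add `## 0 = allowed for all processes, 1 = restricted to CAP_SYS_ADMIN and members of kernel.io_uring_group, 2 = disabled entirely.` On kernels older than 6.6 the key is absent and the tool applying this file will typically report it as unknown and carry on; since the existing comment keeps the line for future-proofing, one sentence saying that such a message is expected on older kernels would prevent a false alarm.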
@@ -210,6 +207,9 @@ disabling should first be blacklisted for a suitable amount of time.
 
 - FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks.
 
+- Framebuffer Drivers: Disabled as they are well-known to be buggy, cause
+  kernel panics, and are generally only used by legacy devices.
+
 - GPS: Disable GPS-related modules such as those required for Global Navigation Satellite Systems (GNSS).
 
diff --git a/etc/modprobe.d/30_security-misc_blacklist.conf b/etc/modprobe.d/30_security-misc_blacklist.conf
index c35af0b..4f1b1be 100644
--- a/etc/modprobe.d/30_security-misc_blacklist.conf
+++ b/etc/modprobe.d/30_security-misc_blacklist.conf
@@ -21,39 +21,6 @@ blacklist sr_mod
 #install cdrom /usr/bin/disabled-cdrom-by-security-misc
 #install sr_mod /usr/bin/disabled-cdrom-by-security-misc
 
-## Framebuffer Drivers:
-##
-## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco
-##
-blacklist aty128fb
-blacklist atyfb
-blacklist cirrusfb
-blacklist cyber2000fb
-blacklist cyblafb
-blacklist gx1fb
-blacklist hgafb
-blacklist i810fb
-blacklist intelfb
-blacklist kyrofb
-blacklist lxfb
-blacklist matroxfb_bases
-blacklist neofb
-blacklist nvidiafb
-blacklist pm2fb
-blacklist radeonfb
-blacklist rivafb
-blacklist s1d13xxxfb
-blacklist savagefb
-blacklist sisfb
-blacklist sstfb
-blacklist tdfxfb
-blacklist tridentfb
-blacklist vesafb
-blacklist vfb
-blacklist viafb
-blacklist vt8623fb
-blacklist udlfb
-
 ## Miscellaneous:
 ##
 ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco
diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf
index d2408af..7ce6190 100644
--- a/etc/modprobe.d/30_security-misc_disable.conf
+++ b/etc/modprobe.d/30_security-misc_disable.conf
@@ -70,6 +70,41 @@ install raw1394 /usr/bin/disabled-firewire-by-security-misc
 install sbp2 /usr/bin/disabled-firewire-by-security-misc
 install video1394 /usr/bin/disabled-firewire-by-security-misc
 
+## Framebuffer Drivers:
+## Known to be buggy, cause kernel panics, and are generally only used by legacy devices.
+## These were all previously blacklisted.
+##
+## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco
+##
+install aty128fb /usr/bin/disabled-framebuffer-by-security-misc
+install atyfb /usr/bin/disabled-framebuffer-by-security-misc
+install cirrusfb /usr/bin/disabled-framebuffer-by-security-misc
+install cyber2000fb /usr/bin/disabled-framebuffer-by-security-misc
+install cyblafb /usr/bin/disabled-framebuffer-by-security-misc
+install gx1fb /usr/bin/disabled-framebuffer-by-security-misc
+install hgafb /usr/bin/disabled-framebuffer-by-security-misc
+install i810fb /usr/bin/disabled-framebuffer-by-security-misc
+install intelfb /usr/bin/disabled-framebuffer-by-security-misc
+install kyrofb /usr/bin/disabled-framebuffer-by-security-misc
+install lxfb /usr/bin/disabled-framebuffer-by-security-misc
+install matroxfb_bases /usr/bin/disabled-framebuffer-by-security-misc
+install neofb /usr/bin/disabled-framebuffer-by-security-misc
+install nvidiafb /usr/bin/disabled-framebuffer-by-security-misc
+install pm2fb /usr/bin/disabled-framebuffer-by-security-misc
+install radeonfb /usr/bin/disabled-framebuffer-by-security-misc
+install rivafb /usr/bin/disabled-framebuffer-by-security-misc
+install s1d13xxxfb /usr/bin/disabled-framebuffer-by-security-misc
+install savagefb /usr/bin/disabled-framebuffer-by-security-misc
+install sisfb /usr/bin/disabled-framebuffer-by-security-misc
+install sstfb /usr/bin/disabled-framebuffer-by-security-misc
+install tdfxfb /usr/bin/disabled-framebuffer-by-security-misc
+install tridentfb /usr/bin/disabled-framebuffer-by-security-misc
+install vesafb /usr/bin/disabled-framebuffer-by-security-misc
+install vfb /usr/bin/disabled-framebuffer-by-security-misc
+install viafb /usr/bin/disabled-framebuffer-by-security-misc
+install vt8623fb /usr/bin/disabled-framebuffer-by-security-misc
+install udlfb /usr/bin/disabled-framebuffer-by-security-misc
+
 ## Global Positioning Systems (GPS):
 ## Disable GPS-related modules like GNSS (Global Navigation Satellite System).
 ##
diff --git a/usr/bin/disabled-framebuffer-by-security-misc b/usr/bin/disabled-framebuffer-by-security-misc
new file mode 100755
index 0000000..301f869
--- /dev/null
+++ b/usr/bin/disabled-framebuffer-by-security-misc
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+## Copyright (C) 2024 - 2024 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Alerts the user that a kernel module failed to load due to it being blacklisted by default.
+
+echo "$0: ERROR: This framebuffer driver kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2
+
+exit 1
From 3c720a0715191c858e8d1df9795dddfea5dbdcf1 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Sat, 20 Jul 2024 15:03:21 +1000
Subject: [PATCH 472/846] Disable some legacy drivers

These were all previously blacklisted for over 2 years.
---
 README.md | 3 ++-
 etc/modprobe.d/30_security-misc_blacklist.conf | 6 +-----
 etc/modprobe.d/30_security-misc_disable.conf | 11 +++++++++++
 3 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/README.md b/README.md
index 3a9c552..331a5ce 100644
--- a/README.md
+++ b/README.md
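Review bot: `+install matroxfb_bases /usr/bin/disabled-framebuffer-by-security-misc` appears to carry over a typo from the Ubuntu list it cites: the Matrox framebuffer core module is, as far as I know, `matroxfb_base`, so this line would match no module and disable nothing; please check the name with `modinfo` on a target kernel and, if confirmed, change it to `install matroxfb_base /usr/bin/disabled-framebuffer-by-security-misc`. The block header would also benefit from stating the mechanism's limit so nobody assumes hardware is fully neutralised: `## Note: install directives only intercept modprobe; built-in drivers and modules loaded via insmod are unaffected.` The same module name was present in the list removed from 30_security-misc_blacklist.conf in this commit, so the typo is not new, only moved.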
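Review bot: In `+echo "$0: ERROR: … | args: $@" >&2` the `$@` inside a double-quoted string expands to one word per argument rather than a single string; echo re-joins them so the output is the same here, but `$*` expresses the intent of one log line, i.e. `... | args: $*" >&2`. The header `+## Alerts the user that a kernel module failed to load due to it being blacklisted by default.` describes the old blacklist mechanism, while this script is now invoked from an `install` directive; `disabled` is the accurate word. Both points apply equally to the sibling scripts touched in the following "Typo" commit (disabled-bluetooth-, disabled-cdrom-, disabled-filesys-, disabled-firewire- and disabled-gps-by-security-misc), whose hunks carry the identical comment and `$@`.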
@@ -226,7 +226,8 @@ disabling should first be blacklisted for a suitable amount of time.
   are disabled.
 
 - Miscellaneous: Disable an assortment of other modules such as those required
-  for amateur radio, floppy disks, and vivid.
+  for amateur radio, floppy disks, and vivid. Also disable legacy drivers that
+  have been entirely replaced by newer drivers.
 
 - Thunderbolt: Disabled as they are often vulnerable to DMA attacks.
 
diff --git a/etc/modprobe.d/30_security-misc_blacklist.conf b/etc/modprobe.d/30_security-misc_blacklist.conf
index 4f1b1be..2ef0d1a 100644
--- a/etc/modprobe.d/30_security-misc_blacklist.conf
+++ b/etc/modprobe.d/30_security-misc_blacklist.conf
@@ -26,14 +26,10 @@ blacklist sr_mod
 ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco
 ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco
 ##
-blacklist ath_pci
 blacklist amd76x_edac
-blacklist asus_acpi
-blacklist bcm43xx
+blacklist ath_pci
 blacklist evbug
-blacklist de4x5
 blacklist pcspkr
-blacklist prism54
 blacklist snd_aw2
 blacklist snd_intel8x0m
 blacklist snd_pcsp
diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf
index 7ce6190..c78ba2a 100644
--- a/etc/modprobe.d/30_security-misc_disable.conf
+++ b/etc/modprobe.d/30_security-misc_disable.conf
@@ -256,6 +256,17 @@ install hamradio /usr/bin/disabled-miscellaneous-by-security-misc
 ##
 install floppy /usr/bin/disabled-miscellaneous-by-security-misc
 ##
+## Replaced:
+## These legacy drivers have all been entirely replaced and superseded by newer drivers.
+## These were all previously blacklisted.
+##
+## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco
+##
+install asus_acpi /usr/bin/disabled-miscellaneous-by-security-misc
+install bcm43xx /usr/bin/disabled-miscellaneous-by-security-misc
+install de4x5 /usr/bin/disabled-miscellaneous-by-security-misc
+install prism54 /usr/bin/disabled-miscellaneous-by-security-misc
+##
 ## Vivid:
 ## Disables the vivid kernel module since it has been the cause of multiple vulnerabilities.
 ##
From a189956adc2cf5a1c8311d0e0e9c7cfbc6e4afe3 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Sat, 20 Jul 2024 20:11:09 +1000
Subject: [PATCH 473/846] Typo
---
 usr/bin/disabled-bluetooth-by-security-misc | 2 +-
 usr/bin/disabled-cdrom-by-security-misc | 2 +-
 usr/bin/disabled-filesys-by-security-misc | 2 +-
 usr/bin/disabled-firewire-by-security-misc | 2 +-
 usr/bin/disabled-framebuffer-by-security-misc | 2 +-
 usr/bin/disabled-gps-by-security-misc | 2 +-
 usr/bin/disabled-intelme-by-security-misc | 2 +-
 usr/bin/disabled-intelpmt-by-security-misc | 2 +-
 usr/bin/disabled-miscellaneous-by-security-misc | 2 +-
 usr/bin/disabled-netfilesys-by-security-misc | 2 +-
 usr/bin/disabled-network-by-security-misc | 2 +-
 usr/bin/disabled-thunderbolt-by-security-misc | 2 +-
 12 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/usr/bin/disabled-bluetooth-by-security-misc b/usr/bin/disabled-bluetooth-by-security-misc
index 3669fc1..5b6992d 100755
--- a/usr/bin/disabled-bluetooth-by-security-misc
+++ b/usr/bin/disabled-bluetooth-by-security-misc
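Review bot: `+## These legacy drivers have all been entirely replaced and superseded by newer drivers.` never names the replacements, which is exactly what a user who hits the disabled-miscellaneous message will want to know; as far as I recall the successors are `b43`/`b43legacy` for `bcm43xx`, `p54pci` for `prism54`, `asus-laptop` for `asus_acpi` and `de2104x`/`tulip` for `de4x5` — please confirm and list them in the comment. Some of these modules appear to have been removed from mainline altogether, so the `install` lines are likely no-ops on current kernels; a short `## Several of these no longer exist in current kernels; entries kept for older kernels.` would stop a later reader from "cleaning up" lines that look inert or from expecting a visible effect.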
@@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This Bluetooth kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 +echo "$0: ERROR: This Bluetooth kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf. | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-cdrom-by-security-misc b/usr/bin/disabled-cdrom-by-security-misc index 4a7b141..2bb8e4c 100755 --- a/usr/bin/disabled-cdrom-by-security-misc +++ b/usr/bin/disabled-cdrom-by-security-misc @@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This CD-ROM/DVD kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 +echo "$0: ERROR: This CD-ROM/DVD kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf. | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-filesys-by-security-misc b/usr/bin/disabled-filesys-by-security-misc index 6c7dd5a..fad544b 100755 --- a/usr/bin/disabled-filesys-by-security-misc +++ b/usr/bin/disabled-filesys-by-security-misc @@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 +echo "$0: ERROR: This file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf. | args: $@" >&2 exit 1 
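Review bot: The rewritten `echo` line still embeds `$@` inside a double-quoted string (`... | args: $@"`), which ShellCheck reports as SC2145 because `"$@"` inside a larger word glues the first and last arguments onto the surrounding text; for a single log string the intended expansion is `$*`, i.e. `echo "$0: ERROR: ... 30_security-misc_disable.conf. | args: $*" >&2`. The identical line is repeated in the hunks for the other nine `disabled-*-by-security-misc` scripts in this commit, so one follow-up could fix all twelve. This is separate from the punctuation fix the commit makes.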
diff --git a/usr/bin/disabled-firewire-by-security-misc b/usr/bin/disabled-firewire-by-security-misc index 2abc6bc..a7de567 100755 --- a/usr/bin/disabled-firewire-by-security-misc +++ b/usr/bin/disabled-firewire-by-security-misc @@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This FireWire (IEEE 1394) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 +echo "$0: ERROR: This FireWire (IEEE 1394) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf. | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-framebuffer-by-security-misc b/usr/bin/disabled-framebuffer-by-security-misc index 301f869..dc0c9b8 100755 --- a/usr/bin/disabled-framebuffer-by-security-misc +++ b/usr/bin/disabled-framebuffer-by-security-misc @@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This framebuffer driver kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 +echo "$0: ERROR: This framebuffer driver kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf. | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-gps-by-security-misc b/usr/bin/disabled-gps-by-security-misc index d43626e..1122adc 100755 --- a/usr/bin/disabled-gps-by-security-misc +++ b/usr/bin/disabled-gps-by-security-misc 
@@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This GPS (Global Positioning System) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 +echo "$0: ERROR: This GPS (Global Positioning System) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf. | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-intelme-by-security-misc b/usr/bin/disabled-intelme-by-security-misc index 0913fcf..6eca99b 100755 --- a/usr/bin/disabled-intelme-by-security-misc +++ b/usr/bin/disabled-intelme-by-security-misc @@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This Intel Management Engine (ME) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 +echo "$0: ERROR: This Intel Management Engine (ME) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf. | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-intelpmt-by-security-misc b/usr/bin/disabled-intelpmt-by-security-misc index 44f04bc..3e9139a 100755 --- a/usr/bin/disabled-intelpmt-by-security-misc +++ b/usr/bin/disabled-intelpmt-by-security-misc 
@@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This Intel Platform Monitoring Technology Telemetry (PMT) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 +echo "$0: ERROR: This Intel Platform Monitoring Technology Telemetry (PMT) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf. | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-miscellaneous-by-security-misc b/usr/bin/disabled-miscellaneous-by-security-misc index 2c23909..c75dc6e 100755 --- a/usr/bin/disabled-miscellaneous-by-security-misc +++ b/usr/bin/disabled-miscellaneous-by-security-misc @@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 +echo "$0: ERROR: This kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf. | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-netfilesys-by-security-misc b/usr/bin/disabled-netfilesys-by-security-misc index bbb57a8..60c0c22 100755 --- a/usr/bin/disabled-netfilesys-by-security-misc +++ b/usr/bin/disabled-netfilesys-by-security-misc 
@@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This network file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 +echo "$0: ERROR: This network file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf. | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-network-by-security-misc b/usr/bin/disabled-network-by-security-misc index 8035522..4b35716 100755 --- a/usr/bin/disabled-network-by-security-misc +++ b/usr/bin/disabled-network-by-security-misc @@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This network protocol kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 +echo "$0: ERROR: This network protocol kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf. | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-thunderbolt-by-security-misc b/usr/bin/disabled-thunderbolt-by-security-misc index dbe89ec..03cf804 100755 --- a/usr/bin/disabled-thunderbolt-by-security-misc +++ b/usr/bin/disabled-thunderbolt-by-security-misc @@ -5,6 +5,6 @@ ## Alerts the user that a kernel module failed to load due to it being blacklisted by default. -echo "$0: ERROR: This Thunderbolt kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf | args: $@" >&2 +echo "$0: ERROR: This Thunderbolt kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf. | args: $@" >&2 exit 1 
From f0a478c7c91697988926a73d3a1880dd8caaca68 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 20 Jul 2024 12:57:56 -0400 Subject: [PATCH 474/846] permission hardener: allow postfix postqueue matchwhitelist postdrop matchwhitelist --- .../25_default_whitelist_postfix.conf | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 etc/permission-hardener.d/25_default_whitelist_postfix.conf diff --git a/etc/permission-hardener.d/25_default_whitelist_postfix.conf b/etc/permission-hardener.d/25_default_whitelist_postfix.conf new file mode 100644 index 0000000..d15b564 --- /dev/null +++ b/etc/permission-hardener.d/25_default_whitelist_postfix.conf @@ -0,0 +1,9 @@ +## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## Please use "/etc/permission-hardener.d/20_user.conf" or +## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom +## configuration. When security-misc is updated, this file may be overwritten. + +postqueue matchwhitelist +postdrop matchwhitelist From 04fb00572f2e4c9bdfaaa0f6da8007999daab641 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 20 Jul 2024 17:02:05 +0000 Subject: [PATCH 475/846] bumped changelog version --- changelog.upstream | 62 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 +++++ 2 files changed, 68 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 8ba26aa..6e8633a 100644 --- a/changelog.upstream +++ b/changelog.upstream 
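Review bot: `matchwhitelist` is a substring match rather than a path match — the consumer in `permission-hardener` (visible later in this series) runs `grep --quiet --fixed-strings` with the entry against each file name — so `postqueue matchwhitelist` exempts any setuid/setgid file whose path contains the string `postqueue` anywhere, not only Postfix's own binary, and the same holds for `postdrop`. If the installed paths are stable, `exactwhitelist` entries with the full paths are the tighter exemption; if substring matching is intended, a comment saying so would help the next reader, e.g. `## matchwhitelist matches on any substring of the path; keep entries as specific as possible.`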
@@ -1,3 +1,41 @@ +commit f0a478c7c91697988926a73d3a1880dd8caaca68 +Author: Patrick Schleizer +Date: Sat Jul 20 12:57:56 2024 -0400 + + permission hardener: allow postfix + + postqueue matchwhitelist + postdrop matchwhitelist + +commit 9f53a0182b5f6a7cf8228bf19b04661d39c7a2fe +Author: Patrick Schleizer +Date: Fri Jul 19 07:20:59 2024 -0400 + + undo io_uring related changes + + as these should be done in a separate pull request (if apprpriate) + + https://github.com/Kicksecure/security-misc/pull/244#issuecomment-2238889062 + +commit 8791aecb38a41aa0b0c108505726bc6a1ace903e +Merge: 2d11436 06894d1 +Author: Patrick Schleizer +Date: Fri Jul 19 07:19:09 2024 -0400 + + Merge remote-tracking branch 'raja/fixes' + +commit 06894d1c98e91f43af58cc438559ea76b6a361e3 +Author: Raja Grewal +Date: Fri Jul 19 18:30:42 2024 +1000 + + Typo + +commit 2d11436432d3b2b75f84b05550de06cd77ec6e79 +Author: Patrick Schleizer +Date: Thu Jul 18 18:05:07 2024 +0000 + + bumped changelog version + commit cac5bbad99a9c083c5b5f85f07c7368287c64f72 Author: Patrick Schleizer Date: Thu Jul 18 14:04:00 2024 -0400 @@ -34,6 +72,30 @@ Date: Thu Jul 18 14:05:23 2024 +0000 bumped changelog version +commit 95286df50274953326accb615487e21d409b652a +Author: Raja Grewal +Date: Thu Jul 18 15:28:31 2024 +1000 + + Update README.md regarding secure ICMP redirects + +commit 13cc1f0986033855a399b50442a86a8d8552eb96 +Author: Raja Grewal +Date: Thu Jul 18 12:25:00 2024 +1000 + + Clarify (future) disabling of `io_uring` + +commit 9e6facda7017498e8310a9c39403e95e81c5a903 +Author: Raja Grewal +Date: Thu Jul 18 12:21:37 2024 +1000 + + Update module disabling presentation + +commit faa9181a6c0c78b9471c9a4e6bdd3291aec704f6 +Author: Raja Grewal +Date: Thu Jul 18 12:19:27 2024 +1000 + + Typos + commit d454f36c63bd653e47353fb1c93107b2d5584fe2 Author: Patrick Schleizer Date: Wed Jul 17 11:52:29 2024 -0400 diff --git a/debian/changelog b/debian/changelog index d5334b1..b6b4ff3 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:38.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 20 Jul 2024 17:02:04 +0000 + security-misc (3:38.1-1) unstable; urgency=medium * New upstream version (local package). From 64f8b2eb5870664fca06aa060f2f50af358ced55 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 21 Jul 2024 06:36:22 -0400 Subject: [PATCH 476/846] Revert "no longer disable Intel ME related kernel modules" This reverts commit 6157e328f40a7f3780208489b1ffecef8e6d738a. https://www.kicksecure.com/wiki/Out-of-band_Management_Technology#Intel_ME_Kernel_Modules https://github.com/Kicksecure/security-misc/issues/239 --- etc/modprobe.d/30_security-misc_disable.conf | 24 ++++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf index d2408af..b6cfcbe 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf +++ b/etc/modprobe.d/30_security-misc_disable.conf 
@@ -92,18 +92,18 @@ install gnss-usb /usr/bin/disabled-gps-by-security-misc ## https://github.com/Kicksecure/security-misc/pull/236#issuecomment-2229092813 ## https://github.com/Kicksecure/security-misc/issues/239 ## -#install mei /usr/bin/disabled-intelme-by-security-misc -#install mei-gsc /usr/bin/disabled-intelme-by-security-misc -#install mei_gsc_proxy /usr/bin/disabled-intelme-by-security-misc -#install mei_hdcp /usr/bin/disabled-intelme-by-security-misc -#install mei-me /usr/bin/disabled-intelme-by-security-misc -#install mei_phy /usr/bin/disabled-intelme-by-security-misc -#install mei_pxp /usr/bin/disabled-intelme-by-security-misc -#install mei-txe /usr/bin/disabled-intelme-by-security-misc -#install mei-vsc /usr/bin/disabled-intelme-by-security-misc -#install mei-vsc-hw /usr/bin/disabled-intelme-by-security-misc -#install mei_wdt /usr/bin/disabled-intelme-by-security-misc -#install microread_mei /usr/bin/disabled-intelme-by-security-misc +install mei /usr/bin/disabled-intelme-by-security-misc +install mei-gsc /usr/bin/disabled-intelme-by-security-misc +install mei_gsc_proxy /usr/bin/disabled-intelme-by-security-misc +install mei_hdcp /usr/bin/disabled-intelme-by-security-misc +install mei-me /usr/bin/disabled-intelme-by-security-misc +install mei_phy /usr/bin/disabled-intelme-by-security-misc +install mei_pxp /usr/bin/disabled-intelme-by-security-misc +install mei-txe /usr/bin/disabled-intelme-by-security-misc +install mei-vsc /usr/bin/disabled-intelme-by-security-misc +install mei-vsc-hw /usr/bin/disabled-intelme-by-security-misc +install mei_wdt /usr/bin/disabled-intelme-by-security-misc +install microread_mei /usr/bin/disabled-intelme-by-security-misc ## Intel Platform Monitoring Technology Telemetry (PMT): ## Disable some functionality of the Intel PMT components. From d2563ed92317a029340dbb83f30da008b01325f2 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Sun, 21 Jul 2024 10:40:14 +0000 Subject: [PATCH 477/846] bumped changelog version --- changelog.upstream | 18 ++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 24 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 6e8633a..32ec008 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,21 @@ +commit 64f8b2eb5870664fca06aa060f2f50af358ced55 +Author: Patrick Schleizer +Date: Sun Jul 21 06:36:22 2024 -0400 + + Revert "no longer disable Intel ME related kernel modules" + + This reverts commit 6157e328f40a7f3780208489b1ffecef8e6d738a. + + https://www.kicksecure.com/wiki/Out-of-band_Management_Technology#Intel_ME_Kernel_Modules + + https://github.com/Kicksecure/security-misc/issues/239 + +commit 04fb00572f2e4c9bdfaaa0f6da8007999daab641 +Author: Patrick Schleizer +Date: Sat Jul 20 17:02:05 2024 +0000 + + bumped changelog version + commit f0a478c7c91697988926a73d3a1880dd8caaca68 Author: Patrick Schleizer Date: Sat Jul 20 12:57:56 2024 -0400 diff --git a/debian/changelog b/debian/changelog index b6b4ff3..876e60b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:38.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 21 Jul 2024 10:40:13 +0000 + security-misc (3:38.2-1) unstable; urgency=medium * New upstream version (local package). From d6fc71dba78a9c871015ebdde3bef61943369b47 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 22 Jul 2024 17:26:00 +1000 Subject: [PATCH 478/846] Add option to switch (back) to using kCFI in the future --- README.md | 4 ++++ etc/default/grub.d/40_kernel_hardening.cfg | 19 +++++++++++++++++++ 2 files changed, 23 insertions(+) diff --git a/README.md b/README.md index 5e029c8..7bac0c4 100644 --- a/README.md +++ b/README.md 
@@ -137,6 +137,10 @@ configuration file. - Provide the option to modify machine check exception handler. +- Provide the option to use kCFI as the default CFI implementation as it may be + slightly more resilient to attacks that can construct arbitrary executable + memory contents (when using Linux kernel version >= 6.5). + - Provide the option to disable support for all x86 processes and syscalls to reduce attack surface (when using Linux kernel version >= 6.7). diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 2bc07b5..ef9ed1f 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg 
@@ -112,6 +112,25 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX loglevel=0" #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet" +## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation. +## As of Linux kernel 6.2, FineIBT has been the default implementation. +## Intel-developed IBT (Indirect Branch Tracking) is only used if there support by the CPU. +## kCFI is software-only while FineIBT is a hybrid software/hardware implementation. +## FineIBT may result in performance benefits as it only performs checking at destinations. +## FineIBT is weaker against attacks that can construct arbitrary executable memory contents. +## Choice of this parameter is dependant on user threat model as there are pros/cons to both. +## +## https://docs.kernel.org/next/x86/shstk.html +## https://lore.kernel.org/lkml/202210010918.4918F847C4@keescook/T/#u +## https://lore.kernel.org/lkml/202210182217.486CBA50@keescook/T/ +## https://lore.kernel.org/lkml/202407150933.E1871BE@keescook/ +## https://isopenbsdsecu.re/mitigations/forward_edge_cfi/ +## https://source.android.com/docs/security/test/kcfi +## +## Applicable when using Linux kernel >= 6.5 (retained here for future-proofing and completeness). +## +#cfi=kcfi + ## Disable support for x86 processes and syscalls. ## Unconditionally disables IA32 emulation to substantially reduce attack surface. ## From 9c3566f524f748b9f7c98a36b3f2b1064cdba3ed Mon Sep 17 00:00:00 2001 From: Ben Grande Date: Mon, 22 Jul 2024 16:01:14 +0200 Subject: [PATCH 479/846] Delimit file names with null terminator --- usr/bin/permission-hardener | 55 ++++++++++++++++++------------------- 1 file changed, 26 insertions(+), 29 deletions(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 1d4c868..026e290 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener 
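Review bot: The added `#cfi=kcfi` line, if uncommented as written, assigns a shell variable named `cfi` when this file is sourced by GRUB's config generator and never reaches the kernel command line; every other toggle in this file, including the neighbouring `#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet"`, appends to `GRUB_CMDLINE_LINUX`. It should read `#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX cfi=kcfi"`. The same line is carried over unchanged by the follow-up hunk at `@@ -114,20 +114,25 @@` in commit 481 of this series.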
@@ -65,18 +65,18 @@ add_nosuid_statoverride_entry() { counter_actual=0 local dummy_line - while read -r dummy_line; do + while IFS="" read -r -d "" dummy_line; do true "DEBUG: test would evaluate parse" "${dummy_line}" should_be_counter=$((should_be_counter + 1)) done < <(find "${fso_to_process}" -perm /u=s,g=s -print0 | xargs -I{} -0 stat -c "%n %a %U %G" {}) local line - while read -r line; do + while IFS="" read -r -d "" line; do true "line: ${line}" counter_actual="$((counter_actual + 1))" local arr file_name existing_mode existing_owner existing_group - IFS=" " read -r -a arr <<< "${line}" + read -r -a arr <<< "${line}" file_name="${arr[0]}" existing_mode="${arr[1]}" existing_owner="${arr[2]}" @@ -153,7 +153,7 @@ add_nosuid_statoverride_entry() { local is_exact_whitelisted is_exact_whitelisted="" - for white_list_entry in ${exact_white_list}; do + for white_list_entry in "${exact_white_list[@]:-}"; do if test "${file_name}" = "${white_list_entry}"; then is_exact_whitelisted="true" ## Stop looping through the whitelist. @@ -163,7 +163,7 @@ add_nosuid_statoverride_entry() { local is_match_whitelisted is_match_whitelisted="" - for matchwhite_list_entry in ${match_white_list}; do + for matchwhite_list_entry in "${match_white_list[@]:-}"; do if echo "${file_name}" | grep --quiet --fixed-strings "${matchwhite_list_entry}"; then is_match_whitelisted="true" ## Stop looping through the match_white_list. @@ -173,7 +173,7 @@ add_nosuid_statoverride_entry() { local is_disable_whitelisted is_disable_whitelisted="" - for disablematch_list_entry in ${disable_white_list:-}; do + for disablematch_list_entry in "${disable_white_list[@]:-}"; do if echo "${file_name}" | grep --quiet --fixed-strings "${disablematch_list_entry}"; then is_disable_whitelisted="true" ## Stop looping through the disablewhitelist. 
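Review bot: The loops now read NUL-delimited records (`read -r -d ""`), but the producer on the context line `done < <(find "${fso_to_process}" -perm /u=s,g=s -print0 | xargs -I{} -0 stat -c "%n %a %U %G" {})` still emits newline-terminated lines from `stat -c`, so `read -d ""` never finds a delimiter, returns non-zero at EOF with the whole output in `dummy_line`, and the `while` body never runs: `should_be_counter` stays 0, and if the second loop's producer (outside this hunk) has the same shape, every setuid/setgid file is silently skipped and the later 0 = 0 counter comparison passes. Each record must be NUL-terminated by the producer, e.g. `xargs -I{} -0 stat --printf "%n %a %U %G\0" {}`. The same `read -d ""` change appears in `spare()` at `@@ -548,7 +545,7 @@`, whose producer is likewise outside the hunk and should be checked. Note that `read -r -a arr <<< "${line}"` still splits one record on whitespace, so NUL-delimiting the records does not yet make a path containing a space parse correctly.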
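Review bot: `"${match_white_list[@]:-}"` expands to a single empty word when the array is empty, and the loop body then runs `grep --quiet --fixed-strings ""`, which matches every line, so `is_match_whitelisted` is set to `true` for every file whenever no `matchwhitelist` entry is configured; the hunk at `@@ -173,7 +173,7 @@` has the same shape with `disable_white_list`, which is plausibly empty in a default configuration. The `:-` is presumably there to keep `set -u` happy on older bash; the loops should then skip the placeholder, e.g. `test -n "${matchwhite_list_entry}" || continue` as the first statement of each loop body. The `exactwhitelist` loop at `@@ -153,7 +153,7 @@` only compares for equality and is harmless, but the same guard keeps the three loops consistent. add_nosuid_statoverride_entry's body starts and ends outside these hunks.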
@@ -234,10 +234,9 @@ add_nosuid_statoverride_entry() { ## Sanity test. if test ! "${should_be_counter}" = "${counter_actual}"; then - echo "INFO: fso_to_process: '${fso_to_process}' | counter_actual : '${counter_actual}'" - echo "INFO: fso_to_process: '${fso_to_process}' | should_be_counter: '${should_be_counter}'" + echo "INFO: file system object (parsed/wanted): '${fso_to_process}': (${counter_actual}/${should_be_counter})" + echo "ERROR: expected number of files to be parsed was not met." >&2 exit_code=202 - echo "ERROR: counter does not check out." >&2 fi } @@ -249,7 +248,7 @@ set_file_perms() { continue fi - if [[ "${line}" =~ ^# ]]; then + if [[ "${line}" =~ ^\s*# ]]; then continue fi @@ -291,23 +290,21 @@ set_file_perms() { local fso_without_trailing_slash fso_without_trailing_slash="${fso%/}" - if test "${mode_from_config}" = "disablewhitelist"; then - ## TODO: test/add white spaces inside file name support - disable_white_list+="${fso} " - continue - fi - - if test "${mode_from_config}" = "exactwhitelist"; then - ## TODO: test/add white spaces inside file name support - exact_white_list+="${fso} " - continue - fi - - if test "${mode_from_config}" = "matchwhitelist"; then - ## TODO: test/add white spaces inside file name support - match_white_list+="${fso} " - continue - fi + ## TODO: test/add white spaces inside file name support + case "${mode_from_config}" in + disablewhitelist) + disable_white_list+=("${fso}") + continue + ;; + exactwhitelist) + exact_white_list+=("${fso}") + continue + ;; + matchwhitelist) + match_white_list+=("${fso}") + continue + ;; + esac if test ! -e "${fso}"; then true "INFO: fso: '${fso}' - does not exist. This is likely normal." @@ -358,7 +355,7 @@ set_file_perms() { fi local arr file_name existing_mode existing_owner existing_group - IFS=" " read -r -a arr <<< "${stat_output}" + read -r -a arr <<< "${stat_output}" file_name="${arr[0]}" existing_mode="${arr[1]}" existing_owner="${arr[2]}" 
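Review bot: The comment-skipping test `[[ "${line}" =~ ^\s*# ]]` relies on `\s`, a GNU regcomp extension rather than POSIX ERE; `[[ =~ ]]` delegates to the C library's regex engine, so on a non-glibc system an indented comment line may fail to match and be processed as a configuration entry. `[[ "${line}" =~ ^[[:space:]]*# ]]` is the portable spelling with the same meaning. set_file_perms's body starts and ends outside this hunk.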
@@ -548,7 +545,7 @@ spare() { fi local line - while read -r line; do + while IFS="" read -r -d "" line; do ## example line: ## root root 4755 /usr/lib/eject/dmcrypt-get-device From 7ee1ea2cc7dd62feee3243d64b414130e68d35e9 Mon Sep 17 00:00:00 2001 From: Ben Grande Date: Mon, 22 Jul 2024 17:06:07 +0200 Subject: [PATCH 480/846] Unify functions that evaluate commands --- usr/bin/permission-hardener | 58 +++++++++++++++---------------------- 1 file changed, 24 insertions(+), 34 deletions(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 026e290..1011372 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -14,33 +14,23 @@ dpkg_admindir_parameter_existing_mode="--admindir ${store_dir}/existing_mode" dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode" echo_wrapper_ignore() { - echo "INFO: run: $*" - "$@" 2>/dev/null || true -} - -echo_wrapper_silent_ignore() { - #echo "INFO: run: $@" + if test "${1}" = "verbose"; then + echo "INFO: run: $*" + fi + shift "$@" 2>/dev/null || true } echo_wrapper_audit() { - echo "INFO: run: $*" + if test "${1}" = "verbose"; then + echo "INFO: run: $*" + fi + shift return_code=0 "$@" || { return_code="$?" exit_code=203 - echo "ERROR: above command failed with exit code '${return_code}'! calling function name: '${FUNCNAME[1]}'" >&2 - } -} - -echo_wrapper_silent_audit() { - #echo "run (debugging): $@" - return_code=0 - "$@" || - { - return_code="$?" - exit_code=204 echo "ERROR: above command '$*' failed with exit code '${return_code}'! calling function name: '${FUNCNAME[1]}'" >&2 } } @@ -52,7 +42,7 @@ make_store_dir(){ } sanity_tests() { - echo_wrapper_silent_audit which \ + echo_wrapper_audit silent which \ capsh getcap setcap stat find dpkg-statoverride getent xargs grep 1>/dev/null } 
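Review bot: Both unified wrappers treat `${1}` as a mode word but only test for `verbose`; any other first argument, including a call site that forgets the mode (`echo_wrapper_audit dpkg-statoverride ...`), is shifted away silently and the remainder is executed as the command, with `echo_wrapper_ignore` additionally hiding the resulting error behind `2>/dev/null || true`. A one-line guard at the top of each wrapper, `test "${1}" = "verbose" || test "${1}" = "silent" || { echo "ERROR: ${FUNCNAME[0]}: unknown mode '${1}'" >&2; exit_code=203; return 1; }`, fails loudly instead. Folding `echo_wrapper_silent_audit` into `echo_wrapper_audit` also collapses its separate `exit_code=204` into 203; if anything downstream distinguished those codes, the commit message should say so.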
@@ -205,7 +195,7 @@ add_nosuid_statoverride_entry() { ## Save existing_mode in separate database. ## Not using --update as not intending to enforce existing_mode. # shellcheck disable=SC2086 - echo_wrapper_silent_audit dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --add "${existing_owner}" "${existing_group}" "${existing_mode}" "${file_name}" + echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --add "${existing_owner}" "${existing_group}" "${existing_mode}" "${file_name}" fi ## No need to check "dpkg-statoverride --list" for existing entries. @@ -214,18 +204,18 @@ add_nosuid_statoverride_entry() { ## and re-add. ## Remove from real database. - echo_wrapper_silent_ignore dpkg-statoverride --remove "${file_name}" + echo_wrapper_ignore silent dpkg-statoverride --remove "${file_name}" ## Remove from separate database. # shellcheck disable=SC2086 - echo_wrapper_silent_ignore dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --remove "${file_name}" + echo_wrapper_ignore silent dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --remove "${file_name}" ## Add to real database and use --update to make changes on disk. - echo_wrapper_audit dpkg-statoverride --add --update "${existing_owner}" "${existing_group}" "${new_mode}" "${file_name}" + echo_wrapper_audit verbose dpkg-statoverride --add --update "${existing_owner}" "${existing_group}" "${new_mode}" "${file_name}" ## Not using --update as this is only for recording. # shellcheck disable=SC2086 - echo_wrapper_silent_audit dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${existing_owner}" "${existing_group}" "${new_mode}" "${file_name}" + echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${existing_owner}" "${existing_group}" "${new_mode}" "${file_name}" ## /usr/lib will hit ARG_MAX if using bash 'shopt -s globstar' and '/usr/lib/**'. ## Using 'find' with '-perm /u=s,g=s' is faster and avoids ARG_MAX. 
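Review bot: The rewritten call sites still pass `${dpkg_admindir_parameter_existing_mode}` and `${dpkg_admindir_parameter_new_mode}` unquoted under `# shellcheck disable=SC2086`, because each variable holds two words (`--admindir ${store_dir}/existing_mode`, as defined at the top of the previous hunk), so a `store_dir` containing whitespace would be split into extra arguments. Since this commit already touches every such line (also at `@@ -414,20 +404,20 @@` and `@@ -439,16 +429,16 @@`), defining them as arrays, `dpkg_admindir_parameter_existing_mode=(--admindir "${store_dir}/existing_mode")`, and expanding `"${dpkg_admindir_parameter_existing_mode[@]}"` would let the shellcheck suppressions go. add_nosuid_statoverride_entry's body starts and ends outside these hunks.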
@@ -414,20 +404,20 @@ set_file_perms() { ## Save existing_mode in separate database. ## Not using --update as not intending to enforce existing_mode. # shellcheck disable=SC2086 - echo_wrapper_silent_audit dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --add "${existing_owner}" "${existing_group}" "${existing_mode}" "${fso_without_trailing_slash}" + echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --add "${existing_owner}" "${existing_group}" "${existing_mode}" "${fso_without_trailing_slash}" fi # shellcheck disable=SC2086 - echo_wrapper_silent_ignore dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --remove "${fso_without_trailing_slash}" + echo_wrapper_ignore silent dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --remove "${fso_without_trailing_slash}" ## Remove from and add to real database. - echo_wrapper_silent_ignore dpkg-statoverride --remove "${fso_without_trailing_slash}" - echo_wrapper_audit dpkg-statoverride --add --update "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}" + echo_wrapper_ignore silent dpkg-statoverride --remove "${fso_without_trailing_slash}" + echo_wrapper_audit verbose dpkg-statoverride --add --update "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}" ## Save in separate database. ## Not using --update as this is only for saving. # shellcheck disable=SC2086 - echo_wrapper_silent_audit dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}" + echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}" fi else true "There is no fso entry. Therefore add one." 
@@ -439,16 +429,16 @@ set_file_perms() { ## Save existing_mode in separate database. ## Not using --update as not intending to enforce existing_mode. # shellcheck disable=SC2086 - echo_wrapper_silent_audit dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --add "${existing_owner}" "${existing_group}" "${existing_mode}" "${fso_without_trailing_slash}" + echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --add "${existing_owner}" "${existing_group}" "${existing_mode}" "${fso_without_trailing_slash}" fi ## Add to real database. - echo_wrapper_audit dpkg-statoverride --add --update "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}" + echo_wrapper_audit verbose dpkg-statoverride --add --update "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}" ## Save in separate database. ## Not using --update as this is only for saving. # shellcheck disable=SC2086 - echo_wrapper_silent_audit dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}" + echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}" fi fi if test -z "${capability_from_config}"; then @@ -462,7 +452,7 @@ set_file_perms() { ## The value of the capability argument is not permitted for a file. Or ## the file is not a regular (non-symlink) file ## Therefore use echo_wrapper_ignore. - echo_wrapper_ignore setcap -r "${fso}" + echo_wrapper_ignore verbose setcap -r "${fso}" getcap_output="$(getcap "${fso}")" if test -n "${getcap_output}"; then exit_code=205 
@@ -477,7 +467,7 @@ set_file_perms() { ## feature request: dpkg-statoverride: support for capabilities ## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=502580 - echo_wrapper_audit setcap "${capability_from_config}+ep" "${fso}" + echo_wrapper_audit verbose setcap "${capability_from_config}+ep" "${fso}" fi done <"${config_file}" true "INFO: END parsing config_file: '${config_file}'" From fb494c2ba5b7fd0f864a59896710d9cddf92b458 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Tue, 23 Jul 2024 13:12:13 +1000 Subject: [PATCH 481/846] Update docs relating to the `cfi=kcfi` kernel parameter --- README.md | 6 +++--- etc/default/grub.d/40_kernel_hardening.cfg | 15 ++++++++++----- 2 files changed, 13 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 7bac0c4..71ae57c 100644 --- a/README.md +++ b/README.md @@ -137,9 +137,9 @@ configuration file. - Provide the option to modify machine check exception handler. -- Provide the option to use kCFI as the default CFI implementation as it may be - slightly more resilient to attacks that can construct arbitrary executable - memory contents (when using Linux kernel version >= 6.5). +- Provide the option to use kCFI as the default CFI implementation since it may be + slightly more resilient to attacks that are able to write arbitrary executables + in memory (when using Linux kernel version >= 6.2). - Provide the option to disable support for all x86 processes and syscalls to reduce attack surface (when using Linux kernel version >= 6.7). diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index ef9ed1f..5709f52 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg 
@@ -114,20 +114,25 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation. ## As of Linux kernel 6.2, FineIBT has been the default implementation. -## Intel-developed IBT (Indirect Branch Tracking) is only used if there support by the CPU. +## The Intel-developed IBT (Indirect Branch Tracking) is only used if there support by the CPU. ## kCFI is software-only while FineIBT is a hybrid software/hardware implementation. ## FineIBT may result in performance benefits as it only performs checking at destinations. -## FineIBT is weaker against attacks that can construct arbitrary executable memory contents. -## Choice of this parameter is dependant on user threat model as there are pros/cons to both. +## FineIBT is weaker against attacks that can write arbitrary executable in memory. +## Upstream hardening has given users the ability to disable FineIBT based on requests. +## Choice of CFI implementation is dependent on user threat model as there are pros/cons to both. +## Do not modify this parameter if unsure of implications. ## -## https://docs.kernel.org/next/x86/shstk.html +## https://lore.kernel.org/all/20221027092842.699804264@infradead.org/ ## https://lore.kernel.org/lkml/202210010918.4918F847C4@keescook/T/#u ## https://lore.kernel.org/lkml/202210182217.486CBA50@keescook/T/ ## https://lore.kernel.org/lkml/202407150933.E1871BE@keescook/ ## https://isopenbsdsecu.re/mitigations/forward_edge_cfi/ +## https://docs.kernel.org/next/x86/shstk.html ## https://source.android.com/docs/security/test/kcfi +## https://lpc.events/event/16/contributions/1315/attachments/1067/2169/cfi.pdf +## https://forums.whonix.org/t/kernel-hardening-security-misc/7296/561 ## -## Applicable when using Linux kernel >= 6.5 (retained here for future-proofing and completeness). +## Applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness). ## #cfi=kcfi 
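Review bot: The rewritten line `## The Intel-developed IBT (Indirect Branch Tracking) is only used if there support by the CPU.` keeps the grammatical slip of the line it replaces; since the hunk already touches it, make it `## The Intel-developed IBT (Indirect Branch Tracking) is only used if the CPU supports it.` and likewise `## FineIBT is weaker against attacks that can write arbitrary executable code into memory.` One caveat a user of this file would want next to the version note: as far as I can tell both kCFI and FineIBT exist only in kernels built with Clang and CONFIG_CFI_CLANG, so on a GCC-built distribution kernel `cfi=kcfi` is silently ignored rather than switching anything; please confirm against the linked lore threads and, if so, add `## Only effective on kernels built with CONFIG_CFI_CLANG (Clang); ignored otherwise.` so nobody assumes the mitigation is active after uncommenting it.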
From 06fbcdac1de6f1830d911f05a4f7c14fd522fad4 Mon Sep 17 00:00:00 2001 From: Ben Grande Date: Tue, 23 Jul 2024 09:55:02 +0200 Subject: [PATCH 482/846] Prettify log messages --- usr/bin/permission-hardener | 107 +++++++++++++++++------------------- 1 file changed, 49 insertions(+), 58 deletions(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 1011372..6a78a28 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -31,7 +31,7 @@ echo_wrapper_audit() { { return_code="$?" exit_code=203 - echo "ERROR: above command '$*' failed with exit code '${return_code}'! calling function name: '${FUNCNAME[1]}'" >&2 + echo "ERROR: command '$*' failed with exit code '${return_code}'! calling function name: '${FUNCNAME[1]}'" >&2 } } @@ -56,13 +56,13 @@ add_nosuid_statoverride_entry() { local dummy_line while IFS="" read -r -d "" dummy_line; do - true "DEBUG: test would evaluate parse" "${dummy_line}" + true "DEBUG: test would parse line:" "${dummy_line}" should_be_counter=$((should_be_counter + 1)) done < <(find "${fso_to_process}" -perm /u=s,g=s -print0 | xargs -I{} -0 stat -c "%n %a %U %G" {}) local line while IFS="" read -r -d "" line; do - true "line: ${line}" + true "DEBUG: line: ${line}" counter_actual="$((counter_actual + 1))" local arr file_name existing_mode existing_owner existing_group 
@@ -73,23 +73,23 @@ add_nosuid_statoverride_entry() { existing_group="${arr[3]}" if test "${#arr[@]}" = 0; then - echo "ERROR: arr is empty. line: '${line}'" >&2 + echo "ERROR: line is empty: '${line}'" >&2 continue fi if test -z "${file_name}"; then - echo "ERROR: file_name is empty. line: '${line}'" >&2 + echo "ERROR: file name is empty. line: '${line}'" >&2 continue fi if test -z "${existing_mode}"; then - echo "ERROR: existing_mode is empty. line: '${line}'" >&2 + echo "ERROR: existing mode is empty. line: '${line}'" >&2 continue fi if test -z "${existing_owner}"; then - echo "ERROR: existing_owner is empty. line: '${line}'" >&2 + echo "ERROR: existing owner is empty. line: '${line}'" >&2 continue fi if test -z "${existing_group}"; then - echo "ERROR: existing_group is empty. line: '${line}'" >&2 + echo "ERROR: existing group is empty. line: '${line}'" >&2 continue fi @@ -99,12 +99,12 @@ add_nosuid_statoverride_entry() { if test -h "${file_name}"; then ## https://forums.whonix.org/t/disable-suid-binaries/7706/14 - true "skip symlink: ${file_name}" + true "DEBUG: skip symlink: ${file_name}" continue fi if test -d "${file_name}"; then - true "skip directory: ${file_name}" + true "DEBUG: skip directory: ${file_name}" continue fi 
@@ -171,26 +171,27 @@ add_nosuid_statoverride_entry() { fi done + clean_output="setuid=${setuid_output} setgid=${setsgid_output} existing_mode=${existing_mode} new_mode=${new_mode} file='${file_name}'" if test "${whitelists_disable_all:-}" = "true"; then - true "INFO: whitelists_disable_all=true - ${setuid_output} ${setsgid_output} found - file_name: '${file_name}' | existing_mode: '${existing_mode}'" + echo "INFO: whitelists_disable_all=true ${clean_output}" elif test "${is_disable_whitelisted}" = "true"; then - true "INFO: white list disabled - ${setuid_output} ${setsgid_output} found - file_name: '${file_name}' | existing_mode: '${existing_mode}'" + true "INFO: white list disabled ${clean_output}" else if test "${is_exact_whitelisted}" = "true"; then - true "INFO: SKIP whitelisted - ${setuid_output} ${setsgid_output} found - file_name: '${file_name}' | existing_mode: '${existing_mode}'" + true "INFO: is_exact_whitelisted=true ${clean_output}" continue fi if test "${is_match_whitelisted}" = "true"; then - true "INFO: SKIP matchwhitelisted - ${setuid_output} ${setsgid_output} found - file_name: '${file_name}' | existing_mode: '${existing_mode}' | matchwhite_list_entry: '${matchwhite_list_entry}'" + true "INFO: is_match_whitelisted=true ${clean_output} matchwhite_list_entry: '${matchwhite_list_entry}'" continue fi fi - echo "INFO: ${setuid_output} ${setsgid_output} found - file_name: '${file_name}' | existing_mode: '${existing_mode}' | new_mode: '${new_mode}'" + echo "INFO: ${clean_output}" # shellcheck disable=SC2086 if dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --list "${file_name}" >/dev/null; then - true "OK Existing mode already saved previously. Not saving again." + true "INFO: Existing mode already saved previously. Not saving again." else ## Save existing_mode in separate database. ## Not using --update as not intending to enforce existing_mode. 
@@ -224,14 +225,14 @@ add_nosuid_statoverride_entry() { ## Sanity test. if test ! "${should_be_counter}" = "${counter_actual}"; then - echo "INFO: file system object (parsed/wanted): '${fso_to_process}': (${counter_actual}/${should_be_counter})" + echo "INFO: file (parsed/wanted): '${fso_to_process}': (${counter_actual}/${should_be_counter})" echo "ERROR: expected number of files to be parsed was not met." >&2 exit_code=202 fi } set_file_perms() { - true "INFO: START parsing config_file: '${config_file}'" + true "INFO: START parsing config file: '${config_file}'" local line while read -r line || test -n "${line}"; do if test -z "${line}"; then @@ -243,10 +244,10 @@ set_file_perms() { fi if [[ "${line}" =~ [0-9a-zA-Z/] ]]; then - true "OK line contains only white listed characters." + true "INFO: line contains only white listed characters." else exit_code=200 - echo "ERROR: cannot parse line with invalid character. line: '${line}'" >&2 + echo "ERROR: cannot parse line with invalid character in line: '${line}'" >&2 ## Safer to exit with error in this case. ## https://forums.whonix.org/t/disable-suid-binaries/7706/59 exit "${exit_code}" @@ -254,7 +255,7 @@ set_file_perms() { if test "${line}" = 'whitelists_disable_all=true'; then whitelists_disable_all=true - echo "INFO: whitelists_disable_all=true - all whitelists disabled." + echo "INFO: whitelists_disable_all=true" continue fi @@ -262,7 +263,7 @@ set_file_perms() { local mode_from_config owner_from_config group_from_config capability_from_config if ! read -r fso mode_from_config owner_from_config group_from_config capability_from_config <<<"${line}"; then exit_code=201 - echo "ERROR: cannot parse. line: '${line}'" >&2 + echo "ERROR: cannot parse line: '${line}'" >&2 ## Debugging. du -hs /tmp || true echo "test -w /tmp: '$(test -w /tmp)'" >&2 || true 
@@ -297,7 +298,7 @@ set_file_perms() { esac if test ! -e "${fso}"; then - true "INFO: fso: '${fso}' - does not exist. This is likely normal." + true "INFO: file does not exist: '${fso}'" continue fi @@ -311,21 +312,21 @@ set_file_perms() { local string_length_of_mode_from_config string_length_of_mode_from_config="${#mode_from_config}" if test "${string_length_of_mode_from_config}" -gt "4"; then - echo "ERROR: Mode '${mode_from_config}' is invalid!" >&2 + echo "ERROR: Invalid mode: '${mode_from_config}'" >&2 continue fi if test "${string_length_of_mode_from_config}" -lt "3"; then - echo "ERROR: Mode '${mode_from_config}' is invalid!" >&2 + echo "ERROR: Invalid mode: '${mode_from_config}'" >&2 continue fi if ! grep --quiet --fixed-strings "${owner_from_config}:" "${store_dir}/private/passwd"; then - echo "ERROR: owner_from_config '${owner_from_config}' does not exist!" >&2 + echo "ERROR: owner from config does not exist: '${owner_from_config}'" >&2 continue fi if ! grep --quiet --fixed-strings "${group_from_config}:" "${store_dir}/private/group"; then - echo "ERROR: group_from_config '${group_from_config}' does not exist!" >&2 + echo "ERROR: group from config does not exist: '${group_from_config}'" >&2 continue fi @@ -340,7 +341,7 @@ set_file_perms() { local stat_output stat_output="" if ! stat_output="$(stat -c "%n %a %U %G" "${fso_without_trailing_slash}")"; then - echo "ERROR: failed to run 'stat' for fso_without_trailing_slash: '${fso_without_trailing_slash}'!" >&2 + echo "ERROR: failed to run 'stat' on file: '${fso_without_trailing_slash}'!" >&2 continue fi 
@@ -352,15 +353,15 @@ set_file_perms() { existing_group="${arr[3]}" if test "${#arr[@]}" = 0; then - echo "ERROR: arr is empty. stat_output: '${stat_output}' | line: '${line}'" >&2 + echo "ERROR: line is empty. Stat output: '${stat_output}', line: '${line}'" >&2 continue fi if test -z "${file_name}"; then - echo "ERROR: file_name is empty. stat_output: '${stat_output}' | line: '${line}'" >&2 + echo "ERROR: file name is empty. Stat output: '${stat_output}', line: '${line}'" >&2 continue fi if test -z "${existing_mode}"; then - echo "ERROR: existing_mode is empty. stat_output: '${stat_output}' | line: '${line}'" >&2 + echo "ERROR: existing mode is empty. Stat output: '${stat_output}', line: '${line}'" >&2 continue fi if test -z "${existing_owner}"; then @@ -368,7 +369,7 @@ set_file_perms() { continue fi if test -z "${existing_group}"; then - echo "ERROR: ${existing_group} is empty. stat_output: '${stat_output}' | line: '${line}'" >&2 + echo "ERROR: existing group is empty. Stat output: '${stat_output}', line: '${line}'" >&2 continue fi 
@@ -387,19 +388,19 @@ set_file_perms() { } if test "${dpkg_statoverride_list_exit_code}" = "0"; then - true "There is an fso entry. Check if owner/group/mode match." + true "INFO: There is an fso entry. Check if owner/group/mode matches." local grep_line grep_line="${owner_from_config} ${group_from_config} ${mode_for_grep} ${fso_without_trailing_slash}" if echo "${dpkg_statoverride_list_output}" | grep --quiet --fixed-strings "${grep_line}"; then - true "OK The owner/group/mode matches. No further action required." + true "INFO: The owner/group/mode matches. No further action required." else - true "The owner/group/mode do not match, therefore remove and re-add the entry to update it." + true "INFO: The owner/group/mode does not match, removing and re-adding the entry to update it." ## fso_without_trailing_slash instead of fso to prevent ## "dpkg-statoverride: warning: stripping trailing /" # shellcheck disable=SC2086 if dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --list "${fso_without_trailing_slash}" >/dev/null; then - true "OK Existing mode already saved previously. No need to save again." + true "INFO: Existing mode already saved previously. Not saving again." else ## Save existing_mode in separate database. ## Not using --update as not intending to enforce existing_mode. 
@@ -420,11 +421,11 @@ set_file_perms() { echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}" fi else - true "There is no fso entry. Therefore add one." + true "INFO: There is no fso entry, adding one." # shellcheck disable=SC2086 if dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --list "${fso_without_trailing_slash}" >/dev/null; then - true "OK Existing mode already saved previously. No need to save again." + true "INFO: Existing mode already saved previously. Not saving again." else ## Save existing_mode in separate database. ## Not using --update as not intending to enforce existing_mode. @@ -456,12 +457,12 @@ set_file_perms() { getcap_output="$(getcap "${fso}")" if test -n "${getcap_output}"; then exit_code=205 - echo "ERROR: removing capabilities for fso '${fso}' failed!" >&2 + echo "ERROR: removing capabilities failed. File: '${fso}'" >&2 continue fi else if ! capsh --print | grep --fixed-strings "Bounding set" | grep --quiet "${capability_from_config}"; then - echo "ERROR: capability_from_config '${capability_from_config}' does not exist!" >&2 + echo "ERROR: capability from config does not exist: '${capability_from_config}'" >&2 continue fi @@ -470,7 +471,7 @@ set_file_perms() { echo_wrapper_audit verbose setcap "${capability_from_config}+ep" "${fso}" fi done <"${config_file}" - true "INFO: END parsing config_file: '${config_file}'" + true "INFO: END parsing config file: '${config_file}'" } parse_config_folder() { 
@@ -513,11 +514,8 @@ apply() { parse_config_folder echo "\ -INFO: To compare the current and previous permission modes: - Install 'meld' (or preferred diff tool) for comparison of file mode changes: +INFO: To compare the current and previous permission modes, install 'meld' (or preferred diff tool) for comparison of file mode changes: sudo apt install --no-install-recommends meld - - Use 'meld' or another diff tool to view the differences: meld ${store_dir}/existing_mode/statoverride ${store_dir}/new_mode/statoverride" } @@ -545,7 +543,7 @@ spare() { echo "ERROR: cannot parse line: ${line}" >&2 continue fi - true "owner: '${owner}' group: '${group}' mode: '${mode}' file_name: '${file_name}'" + true "INFO: owner=${owner} group=${group} mode=${mode} file_name='${file_name}'" if test "${remove_file}" = "all"; then verbose="" @@ -573,7 +571,7 @@ spare() { # shellcheck disable=SC2086 chmod ${verbose} "${mode}" "${file_name}" || exit_code=203 else - echo "INFO: file_name: '${file_name}' - does not exist. This is likely normal." + echo "INFO: file doesn't exist: '${file_name}'" fi dpkg-statoverride --remove "${file_name}" &>/dev/null || true 
@@ -593,18 +591,11 @@ spare() { if test "$(cat "${store_dir}/remove_one")" = "false"; then echo "INFO: no file was removed. - File '${remove_file}' has not been removed from SUID Disabler and Permission Hardener during this invocation of this program. + File '${remove_file}' has not been removed from SUID Disabler and Permission Hardener during this invocation. This is expected if already done earlier. - Note: This is expected if already done earlier. - - Note: This program expects the full path to the file. Example: - $0 disable /usr/bin/newgrp - - The following syntax will not work: - $0 disable program-name - - The following example will not work: - $0 disable newgrp + This program expects the full path to the file. Example: + $0 disable /usr/bin/newgrp # absolute path: works + $0 disable newgrp # relative path: does not work To remove all: $0 disable all From aa99de68d307cd88462665424996d9b730ab5087 Mon Sep 17 00:00:00 2001 From: Ben Grande Date: Tue, 23 Jul 2024 18:46:47 +0200 Subject: [PATCH 483/846] Log output with defined levels --- usr/bin/permission-hardener | 140 ++++++++++++++++++++---------------- 1 file changed, 79 insertions(+), 61 deletions(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 6a78a28..9eff886 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener 
@@ -13,25 +13,33 @@ store_dir="/var/lib/permission-hardener" dpkg_admindir_parameter_existing_mode="--admindir ${store_dir}/existing_mode" dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode" +log_level=info +# shellcheck disable=SC1091 +source /usr/libexec/helper-scripts/log_run_die.sh + echo_wrapper_ignore() { if test "${1}" = "verbose"; then - echo "INFO: run: $*" + shift + log info "Run: $*" + else + shift fi - shift "$@" 2>/dev/null || true } echo_wrapper_audit() { if test "${1}" = "verbose"; then - echo "INFO: run: $*" + shift + log info "Run: $*" + else + shift fi - shift return_code=0 "$@" || { return_code="$?" exit_code=203 - echo "ERROR: command '$*' failed with exit code '${return_code}'! calling function name: '${FUNCNAME[1]}'" >&2 + log error "Command '$*' failed with exit code '${return_code}'! calling function name: '${FUNCNAME[1]}'" >&2 } } @@ -55,14 +63,13 @@ add_nosuid_statoverride_entry() { counter_actual=0 local dummy_line - while IFS="" read -r -d "" dummy_line; do - true "DEBUG: test would parse line:" "${dummy_line}" + while IFS="" read -r dummy_line; do + log info "Test would parse line: ${dummy_line}" should_be_counter=$((should_be_counter + 1)) done < <(find "${fso_to_process}" -perm /u=s,g=s -print0 | xargs -I{} -0 stat -c "%n %a %U %G" {}) local line - while IFS="" read -r -d "" line; do - true "DEBUG: line: ${line}" + while IFS="" read -r line; do counter_actual="$((counter_actual + 1))" local arr file_name existing_mode existing_owner existing_group 
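Review bot: `source /usr/libexec/helper-scripts/log_run_die.sh` is unguarded in a script that runs as root and later makes exit decisions; if the helper is missing or unreadable, every subsequent `log` call becomes a "command not found", and whether the run then aborts before hardening anything or continues with no audit output at all depends on `set -e` settings that are outside this hunk. Fail closed explicitly: `if ! source /usr/libexec/helper-scripts/log_run_die.sh; then printf '%s\n' "ERROR: cannot load /usr/libexec/helper-scripts/log_run_die.sh" >&2; exit 1; fi`, and add a comment naming the interface the script now depends on (`## provides: log <level> <message>`). The `>&2` on `log error ... failed with exit code ...` in echo_wrapper_audit is redundant if the helper already routes the error level to stderr and insufficient if it does not (the `log error` calls in the later hunks are not all redirected), so settle on one convention. Style: the `shift` duplicated into both branches of echo_wrapper_ignore and echo_wrapper_audit can stay a single `shift` after the `if`, as the removed lines had it.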
@@ -73,23 +80,23 @@ add_nosuid_statoverride_entry() { existing_group="${arr[3]}" if test "${#arr[@]}" = 0; then - echo "ERROR: line is empty: '${line}'" >&2 + log error "Line is empty: '${line}'" >&2 continue fi if test -z "${file_name}"; then - echo "ERROR: file name is empty. line: '${line}'" >&2 + log error "File name is empty. line: '${line}'" >&2 continue fi if test -z "${existing_mode}"; then - echo "ERROR: existing mode is empty. line: '${line}'" >&2 + log error "Existing mode is empty. line: '${line}'" >&2 continue fi if test -z "${existing_owner}"; then - echo "ERROR: existing owner is empty. line: '${line}'" >&2 + log error "Existing owner is empty. line: '${line}'" >&2 continue fi if test -z "${existing_group}"; then - echo "ERROR: existing group is empty. line: '${line}'" >&2 + log error "Existing group is empty. line: '${line}'" >&2 continue fi @@ -99,12 +106,12 @@ add_nosuid_statoverride_entry() { if test -h "${file_name}"; then ## https://forums.whonix.org/t/disable-suid-binaries/7706/14 - true "DEBUG: skip symlink: ${file_name}" + log info "Skip symlink: ${file_name}" continue fi if test -d "${file_name}"; then - true "DEBUG: skip directory: ${file_name}" + log info "Skip directory: ${file_name}" continue fi @@ -144,6 +151,9 @@ add_nosuid_statoverride_entry() { local is_exact_whitelisted is_exact_whitelisted="" for white_list_entry in "${exact_white_list[@]:-}"; do + if test -z "${white_list_entry}"; then + continue + fi if test "${file_name}" = "${white_list_entry}"; then is_exact_whitelisted="true" ## Stop looping through the whitelist. @@ -154,6 +164,9 @@ add_nosuid_statoverride_entry() { local is_match_whitelisted is_match_whitelisted="" for matchwhite_list_entry in "${match_white_list[@]:-}"; do + if test -z "${matchwhite_list_entry}"; then + continue + fi if echo "${file_name}" | grep --quiet --fixed-strings "${matchwhite_list_entry}"; then is_match_whitelisted="true" ## Stop looping through the match_white_list. 
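Review bot: The added `if test -z "${white_list_entry}"; then continue; fi` guards in the whitelist loops fix a security-relevant failure mode that is not visible at the loop itself: `"${exact_white_list[@]:-}"` expands to one empty element when the array is empty, and an empty pattern handed to `grep --fixed-strings` matches every path, which would have treated every SUID/SGID binary as whitelisted. That deserves a one-line comment above each skip, e.g. `## "${arr[@]:-}" yields a single empty element for an empty array; an empty pattern would match every file.` Since these loops run once per entry per SUID file, the substring test can also be done in-shell without a grep fork and without an entry beginning with `-` being parsed as a grep option: `if [[ "${file_name}" == *"${matchwhite_list_entry}"* ]]; then`. The enclosing function add_nosuid_statoverride_entry starts and ends outside this hunk.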
@@ -164,6 +177,9 @@ add_nosuid_statoverride_entry() { local is_disable_whitelisted is_disable_whitelisted="" for disablematch_list_entry in "${disable_white_list[@]:-}"; do + if test -z "${disablematch_list_entry}"; then + continue + fi if echo "${file_name}" | grep --quiet --fixed-strings "${disablematch_list_entry}"; then is_disable_whitelisted="true" ## Stop looping through the disablewhitelist. @@ -171,27 +187,26 @@ add_nosuid_statoverride_entry() { fi done + clean_output_prefix="Managing (S|G)UID of line:" clean_output="setuid=${setuid_output} setgid=${setsgid_output} existing_mode=${existing_mode} new_mode=${new_mode} file='${file_name}'" if test "${whitelists_disable_all:-}" = "true"; then - echo "INFO: whitelists_disable_all=true ${clean_output}" + log info "${clean_output_prefix} whitelists_disable_all=true ${clean_output}" elif test "${is_disable_whitelisted}" = "true"; then - true "INFO: white list disabled ${clean_output}" + log info "${clean_output_prefix} is_disable_whitelisted=true ${clean_output}" else if test "${is_exact_whitelisted}" = "true"; then - true "INFO: is_exact_whitelisted=true ${clean_output}" + log info "${clean_output_prefix} is_exact_whitelisted=true ${clean_output}" continue fi if test "${is_match_whitelisted}" = "true"; then - true "INFO: is_match_whitelisted=true ${clean_output} matchwhite_list_entry: '${matchwhite_list_entry}'" + log info "${clean_output_prefix} is_match_whitelisted=true matchwhite_list_entry=${matchwhite_list_entry} ${clean_output}" continue fi fi - echo "INFO: ${clean_output}" - # shellcheck disable=SC2086 if dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --list "${file_name}" >/dev/null; then - true "INFO: Existing mode already saved previously. Not saving again." + log info "Existing mode already saved previously. Not saving again." else ## Save existing_mode in separate database. ## Not using --update as not intending to enforce existing_mode. 
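Review bot: Removing `echo "INFO: ${clean_output}"` after the whitelist `fi` drops the only log line for the default path: a file that is neither whitelisted nor covered by a disable entry now proceeds to the statoverride step with no record of its `existing_mode`/`new_mode`, while every whitelisted or disabled case is logged — for a hardening tool that is precisely the audit line a responder wants, unless the verbose wrapper call later in the function (outside this hunk) is meant to stand in for it. Keep it as `log info "${clean_output_prefix} ${clean_output}"` immediately after the closing `fi`. `clean_output_prefix` and `clean_output` are also assigned without `local` in a function of a root-run script, so declare them `local clean_output_prefix clean_output` next to the other locals. The enclosing function starts and ends outside this hunk.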
@@ -225,14 +240,14 @@ add_nosuid_statoverride_entry() { ## Sanity test. if test ! "${should_be_counter}" = "${counter_actual}"; then - echo "INFO: file (parsed/wanted): '${fso_to_process}': (${counter_actual}/${should_be_counter})" - echo "ERROR: expected number of files to be parsed was not met." >&2 + log info "File (parsed/wanted): '${fso_to_process}': (${counter_actual}/${should_be_counter})" + log error "Expected number of files to be parsed was not met." >&2 exit_code=202 fi } set_file_perms() { - true "INFO: START parsing config file: '${config_file}'" + log info "START parsing config file: ${config_file}" local line while read -r line || test -n "${line}"; do if test -z "${line}"; then @@ -243,11 +258,9 @@ set_file_perms() { continue fi - if [[ "${line}" =~ [0-9a-zA-Z/] ]]; then - true "INFO: line contains only white listed characters." - else + if ! [[ "${line}" =~ [0-9a-zA-Z/] ]]; then exit_code=200 - echo "ERROR: cannot parse line with invalid character in line: '${line}'" >&2 + log error "Line contains invalid characters: ${line}" >&2 ## Safer to exit with error in this case. ## https://forums.whonix.org/t/disable-suid-binaries/7706/59 exit "${exit_code}" @@ -255,7 +268,7 @@ set_file_perms() { if test "${line}" = 'whitelists_disable_all=true'; then whitelists_disable_all=true - echo "INFO: whitelists_disable_all=true" + log info "whitelists_disable_all=true" continue fi @@ -263,7 +276,7 @@ set_file_perms() { local mode_from_config owner_from_config group_from_config capability_from_config if ! read -r fso mode_from_config owner_from_config group_from_config capability_from_config <<<"${line}"; then exit_code=201 - echo "ERROR: cannot parse line: '${line}'" >&2 + log error "Cannot parse line: '${line}'" >&2 ## Debugging. du -hs /tmp || true echo "test -w /tmp: '$(test -w /tmp)'" >&2 || true 
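Review bot: The rewritten condition `if ! [[ "${line}" =~ [0-9a-zA-Z/] ]]; then` still only requires that some character of the line be alphanumeric or a slash, so the new message `Line contains invalid characters` (like the "only white listed characters" wording it replaces) describes an allowlist the code does not enforce: a line containing `;`, `$` or backticks passes as long as one letter is present. The fields are subsequently handed to dpkg-statoverride and setcap, so the anchored allowlist the message implies is the check to write, e.g. `if ! [[ "${line}" =~ ^[[:alnum:]/._=+[:space:]-]+$ ]]; then` — verify that set against the shipped .conf files (`whitelists_disable_all=true`, capability names with `_`, paths with `.` and `-`) before landing it, because a miss here reaches `exit "${exit_code}"` and leaves the whole system unhardened. The enclosing function set_file_perms starts and ends outside this hunk.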
@@ -272,6 +285,8 @@ set_file_perms() { exit "${exit_code}" fi + log info "Parsing line: fso=${fso} mode_from_config=${mode_from_config} owner_from_config=${owner_from_config} group_from_config=${group_from_config} capability_from_config=${capability_from_config}" + ## Debugging. #echo "line: '${line}'" #echo "fso: '${fso}'" @@ -282,6 +297,7 @@ set_file_perms() { fso_without_trailing_slash="${fso%/}" ## TODO: test/add white spaces inside file name support + declare -g disable_white_list exact_white_list match_white_list case "${mode_from_config}" in disablewhitelist) disable_white_list+=("${fso}") @@ -298,7 +314,7 @@ set_file_perms() { esac if test ! -e "${fso}"; then - true "INFO: file does not exist: '${fso}'" + log warn "File does not exist: '${fso}'" continue fi @@ -312,21 +328,21 @@ set_file_perms() { local string_length_of_mode_from_config string_length_of_mode_from_config="${#mode_from_config}" if test "${string_length_of_mode_from_config}" -gt "4"; then - echo "ERROR: Invalid mode: '${mode_from_config}'" >&2 + log error "Invalid mode: '${mode_from_config}'" >&2 continue fi if test "${string_length_of_mode_from_config}" -lt "3"; then - echo "ERROR: Invalid mode: '${mode_from_config}'" >&2 + log error "Invalid mode: '${mode_from_config}'" >&2 continue fi if ! grep --quiet --fixed-strings "${owner_from_config}:" "${store_dir}/private/passwd"; then - echo "ERROR: owner from config does not exist: '${owner_from_config}'" >&2 + log error "Owner from config does not exist: '${owner_from_config}'" >&2 continue fi if ! grep --quiet --fixed-strings "${group_from_config}:" "${store_dir}/private/group"; then - echo "ERROR: group from config does not exist: '${group_from_config}'" >&2 + log error "Group from config does not exist: '${group_from_config}'" >&2 continue fi 
@@ -341,7 +357,7 @@ set_file_perms() { local stat_output stat_output="" if ! stat_output="$(stat -c "%n %a %U %G" "${fso_without_trailing_slash}")"; then - echo "ERROR: failed to run 'stat' on file: '${fso_without_trailing_slash}'!" >&2 + log error "Failed to run 'stat' on file: '${fso_without_trailing_slash}'!" >&2 continue fi @@ -353,23 +369,23 @@ set_file_perms() { existing_group="${arr[3]}" if test "${#arr[@]}" = 0; then - echo "ERROR: line is empty. Stat output: '${stat_output}', line: '${line}'" >&2 + log error "Line is empty. Stat output: '${stat_output}', line: '${line}'" >&2 continue fi if test -z "${file_name}"; then - echo "ERROR: file name is empty. Stat output: '${stat_output}', line: '${line}'" >&2 + log error "File name is empty. Stat output: '${stat_output}', line: '${line}'" >&2 continue fi if test -z "${existing_mode}"; then - echo "ERROR: existing mode is empty. Stat output: '${stat_output}', line: '${line}'" >&2 + log error "Existing mode is empty. Stat output: '${stat_output}', line: '${line}'" >&2 continue fi if test -z "${existing_owner}"; then - echo "ERROR: existing_owner is empty. stat_output: '${stat_output}' | line: '${line}'" >&2 + log error "Existing_owner is empty. stat_output: '${stat_output}' | line: '${line}'" >&2 continue fi if test -z "${existing_group}"; then - echo "ERROR: existing group is empty. Stat output: '${stat_output}', line: '${line}'" >&2 + log error "Existing group is empty. Stat output: '${stat_output}', line: '${line}'" >&2 continue fi 
@@ -388,19 +404,18 @@ set_file_perms() { } if test "${dpkg_statoverride_list_exit_code}" = "0"; then - true "INFO: There is an fso entry. Check if owner/group/mode matches." local grep_line grep_line="${owner_from_config} ${group_from_config} ${mode_for_grep} ${fso_without_trailing_slash}" if echo "${dpkg_statoverride_list_output}" | grep --quiet --fixed-strings "${grep_line}"; then - true "INFO: The owner/group/mode matches. No further action required." + log info "The owner/group/mode matches fso entry. No further action required." else - true "INFO: The owner/group/mode does not match, removing and re-adding the entry to update it." + log info "The owner/group/mode does not match fso entry, updating entry." ## fso_without_trailing_slash instead of fso to prevent ## "dpkg-statoverride: warning: stripping trailing /" # shellcheck disable=SC2086 if dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --list "${fso_without_trailing_slash}" >/dev/null; then - true "INFO: Existing mode already saved previously. Not saving again." + log info "Existing mode already saved previously. Not saving again." else ## Save existing_mode in separate database. ## Not using --update as not intending to enforce existing_mode. @@ -421,11 +436,11 @@ set_file_perms() { echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}" fi else - true "INFO: There is no fso entry, adding one." + log info "There is no fso entry, adding one." # shellcheck disable=SC2086 if dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --list "${fso_without_trailing_slash}" >/dev/null; then - true "INFO: Existing mode already saved previously. Not saving again." + log info "Existing mode already saved previously. Not saving again." else ## Save existing_mode in separate database. ## Not using --update as not intending to enforce existing_mode. 
@@ -457,12 +472,12 @@ set_file_perms() { getcap_output="$(getcap "${fso}")" if test -n "${getcap_output}"; then exit_code=205 - echo "ERROR: removing capabilities failed. File: '${fso}'" >&2 + log error "Removing capabilities failed. File: '${fso}'" >&2 continue fi else if ! capsh --print | grep --fixed-strings "Bounding set" | grep --quiet "${capability_from_config}"; then - echo "ERROR: capability from config does not exist: '${capability_from_config}'" >&2 + log error "Capability from config does not exist: '${capability_from_config}'" >&2 continue fi @@ -470,8 +485,9 @@ set_file_perms() { ## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=502580 echo_wrapper_audit verbose setcap "${capability_from_config}+ep" "${fso}" fi + done <"${config_file}" - true "INFO: END parsing config file: '${config_file}'" + log info "END parsing config file: ${config_file}" } parse_config_folder() { @@ -504,6 +520,7 @@ parse_config_folder() { /usr/local/etc/permission-hardening.d/*.conf do set_file_perms + done } @@ -513,8 +530,8 @@ apply() { sanity_tests parse_config_folder - echo "\ -INFO: To compare the current and previous permission modes, install 'meld' (or preferred diff tool) for comparison of file mode changes: + log info "\ +To compare the current and previous permission modes, install 'meld' (or preferred diff tool) for comparison of file mode changes: sudo apt install --no-install-recommends meld meld ${store_dir}/existing_mode/statoverride ${store_dir}/new_mode/statoverride" } 
@@ -529,21 +546,22 @@ spare() { dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode" if test ! -f "${store_dir}/existing_mode/statoverride"; then + true debug "Stat file does not exist, hardening was not applied not applied before" return 0 fi local line - while IFS="" read -r -d "" line; do + while read -r line; do ## example line: ## root root 4755 /usr/lib/eject/dmcrypt-get-device local owner group mode file_name if ! read -r owner group mode file_name <<< "${line}"; then exit_code=201 - echo "ERROR: cannot parse line: ${line}" >&2 + log error "Cannot parse line: ${line}" >&2 continue fi - true "INFO: owner=${owner} group=${group} mode=${mode} file_name='${file_name}'" + log info "Parsing line: owner=${owner} group=${group} mode=${mode} file_name='${file_name}'" if test "${remove_file}" = "all"; then verbose="" @@ -571,7 +589,7 @@ spare() { # shellcheck disable=SC2086 chmod ${verbose} "${mode}" "${file_name}" || exit_code=203 else - echo "INFO: file doesn't exist: '${file_name}'" + log warn "File does not exist: '${file_name}'" fi dpkg-statoverride --remove "${file_name}" &>/dev/null || true @@ -589,7 +607,7 @@ spare() { if test ! "${remove_file}" = "all"; then if test "$(cat "${store_dir}/remove_one")" = "false"; then - echo "INFO: no file was removed. + log info "No file was removed. File '${remove_file}' has not been removed from SUID Disabler and Permission Hardener during this invocation. This is expected if already done earlier. @@ -617,7 +635,7 @@ spare() { check_root(){ if test "$(id -u)" != "0"; then - echo "ERROR: Not running as root, aborting." + log error "Not running as root, aborting." exit 1 fi } @@ -647,7 +665,7 @@ case "${1:-}" in esac if test "${exit_code}" != "0"; then - echo "ERROR: Exiting with non-zero exit code: '${exit_code}'" >&2 + log error "Exiting with non-zero exit code: '${exit_code}'" >&2 fi exit "${exit_code}" From 8be21b6eff40fdd3909ef63468463fc52e8bf45f Mon Sep 17 00:00:00 2001 
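Review bot: `true debug "Stat file does not exist, hardening was not applied not applied before"` in the spare() hunk is a no-op — `true` ignores its arguments, so the message is only visible under `set -x`, and the wording is duplicated. The rest of this patch converts the `true "INFO: ..."` trace lines to `log info`, so this one looks like an oversight; if the sourced helper has a debug level, `log debug "Stat file does not exist, hardening was not applied before."` would actually surface it (patch 486 further down this page rewords the text but keeps `true`). The `>&2` kept on the new `log error` calls is worth confirming against the helper: if `log` already writes errors to stderr the redirections are dead weight, and if it does not, the `log warn`/`log info` calls without it end up on a different stream than the errors. spare() begins and ends outside this hunk.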
From: Ben Grande Date: Tue, 23 Jul 2024 19:36:12 +0200 Subject: [PATCH 484/846] Handle newlines in file names --- usr/bin/permission-hardener | 45 +++++++++++++++++++++---------------- 1 file changed, 26 insertions(+), 19 deletions(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 9eff886..87f4307 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener 
@@ -63,40 +63,47 @@ add_nosuid_statoverride_entry() { counter_actual=0 local dummy_line - while IFS="" read -r dummy_line; do + while IFS="" read -r -d "" dummy_line; do log info "Test would parse line: ${dummy_line}" should_be_counter=$((should_be_counter + 1)) - done < <(find "${fso_to_process}" -perm /u=s,g=s -print0 | xargs -I{} -0 stat -c "%n %a %U %G" {}) + done < <(find "${fso_to_process}" -perm /u=s,g=s -print0) local line - while IFS="" read -r line; do + while IFS="" read -r -d "" line; do counter_actual="$((counter_actual + 1))" local arr file_name existing_mode existing_owner existing_group - read -r -a arr <<< "${line}" - file_name="${arr[0]}" - existing_mode="${arr[1]}" - existing_owner="${arr[2]}" - existing_group="${arr[3]}" + file_name="${line}" + stat_output="$(stat -c "%a %U %G" "${line}")" + read -r -a arr <<< "${stat_output}" + existing_mode="${arr[0]}" + existing_owner="${arr[1]}" + existing_group="${arr[2]}" if test "${#arr[@]}" = 0; then log error "Line is empty: '${line}'" >&2 continue fi if test -z "${file_name}"; then - log error "File name is empty. line: '${line}'" >&2 + log error "File name is empty in line: ${line}" >&2 continue fi if test -z "${existing_mode}"; then - log error "Existing mode is empty. line: '${line}'" >&2 + log error "Existing mode is empty in line: ${line}" >&2 continue fi if test -z "${existing_owner}"; then - log error "Existing owner is empty. line: '${line}'" >&2 + log error "Existing owner is empty in line: ${line}" >&2 continue fi if test -z "${existing_group}"; then - log error "Existing group is empty. line: '${line}'" >&2 + log error "Existing group is empty in line: ${line}" >&2 + continue + fi + + ## dpkg-statoverride: error: path may not contain newlines + if [[ "${file_name}" == *$'\n'* ]]; then + log warn "Skipping file name that contains newlines: ${file_name}" >&2 continue fi 
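Review bot: The new `stat_output="$(stat -c "%a %U %G" "${line}")"` is not checked for failure, so a file that disappears between `find` and `stat` (or cannot be stat'ed) falls through to the field checks and is reported as "Existing mode is empty" rather than as a stat failure; set_file_perms later in this patch already guards its call with `if ! stat_output="$(stat ...)"; then log error ...; continue; fi`, and the same shape here would keep the two loops consistent. The new newline guard is the right call for dpkg-statoverride, but its `continue` means a setuid/setgid file whose name contains a newline is only warned about and keeps its bits; since stripping those bits is the purpose of this script, a comment next to the guard, e.g. `## NOTE: such files keep their (S|G)UID bits; review the warning output.`, would make the residual gap explicit to operators. The loop and function continue outside this hunk.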
@@ -236,7 +243,7 @@ add_nosuid_statoverride_entry() { ## /usr/lib will hit ARG_MAX if using bash 'shopt -s globstar' and '/usr/lib/**'. ## Using 'find' with '-perm /u=s,g=s' is faster and avoids ARG_MAX. ## https://forums.whonix.org/t/disable-suid-binaries/7706/17 - done < <(find "${fso_to_process}" -perm /u=s,g=s -print0 | xargs -I{} -0 stat -c "%n %a %U %G" {}) + done < <(find "${fso_to_process}" -perm /u=s,g=s -print0) ## Sanity test. if test ! "${should_be_counter}" = "${counter_actual}"; then @@ -356,17 +363,17 @@ set_file_perms() { local stat_output stat_output="" - if ! stat_output="$(stat -c "%n %a %U %G" "${fso_without_trailing_slash}")"; then + if ! stat_output="$(stat -c "%a %U %G" "${fso_without_trailing_slash}")"; then log error "Failed to run 'stat' on file: '${fso_without_trailing_slash}'!" >&2 continue fi local arr file_name existing_mode existing_owner existing_group read -r -a arr <<< "${stat_output}" - file_name="${arr[0]}" - existing_mode="${arr[1]}" - existing_owner="${arr[2]}" - existing_group="${arr[3]}" + file_name="${fso_without_trailing_slash}" + existing_mode="${arr[0]}" + existing_owner="${arr[1]}" + existing_group="${arr[2]}" if test "${#arr[@]}" = 0; then log error "Line is empty. Stat output: '${stat_output}', line: '${line}'" >&2 @@ -589,7 +596,7 @@ spare() { # shellcheck disable=SC2086 chmod ${verbose} "${mode}" "${file_name}" || exit_code=203 else - log warn "File does not exist: '${file_name}'" + log warn "File does not exist: ${file_name}" fi dpkg-statoverride --remove "${file_name}" &>/dev/null || true From 88c88187f2909322211cc08598717068ea7cf1d1 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 24 Jul 2024 17:26:50 +1000 Subject: [PATCH 485/846] Re-enable (default) `secure_redirects` for ICMP redirect messages --- README.md | 3 +-- usr/lib/sysctl.d/990-security-misc.conf | 9 +++------ 2 files changed, 4 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 5e029c8..02fd18e 100644 --- a/README.md 
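Review bot: In the set_file_perms hunk the `stat` failure branch directly above the new assignments only logs and `continue`s, so an entry whose file could not be stat'ed is skipped without touching `exit_code`, whereas other failure paths in this file record one (205 for a failed capability removal, 201 for an unparsable line in spare()); assigning a dedicated `exit_code` value before that `continue`, as those paths do, would stop a partially applied hardening run from exiting 0. This matters more now that `file_name` is taken from `fso_without_trailing_slash` instead of the stat output, since a failed stat no longer leaves an obviously empty name to trip the later checks. set_file_perms begins and ends outside this hunk.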
+++ b/README.md @@ -72,8 +72,7 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6. from all interfaces to prevent IP spoofing. - Disable ICMP redirect acceptance and redirect sending messages to - prevent man-in-the-middle attacks and minimize information disclosure. If - ICMP redirect messages are permitted, only do so from approved gateways. + prevent man-in-the-middle attacks and minimize information disclosure. - Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 7b07033..8fe680c 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -260,6 +260,9 @@ net.ipv4.conf.default.rp_filter=1 ## Disable ICMP redirect acceptance and redirect sending messages. ## Prevents man-in-the-middle attacks and minimizes information disclosure. ## +## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-disable-source-routing#sect-Security_Guide-Server_Security-Disable-Source-Routing +## https://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/theconfvariables.html +## https://www.debian.org/doc/manuals/securing-debian-manual/network-secure.en.html ## https://askubuntu.com/questions/118273/what-are-icmp-redirects-and-should-they-be-blocked ## net.ipv4.conf.all.accept_redirects=0 @@ -269,12 +272,6 @@ net.ipv4.conf.default.send_redirects=0 net.ipv6.conf.all.accept_redirects=0 net.ipv6.conf.default.accept_redirects=0 -## Accept ICMP redirect messages only for approved gateways. -## If ICMP redirect messages are permitted, only useful if managing a default gateway list. -## -net.ipv4.conf.all.secure_redirects=0 -net.ipv4.conf.default.secure_redirects=0 - ## Ignore ICMP echo requests. ## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks. ## 
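Review bot: Removing `net.ipv4.conf.all.secure_redirects=0` and its `default` counterpart is safe only because `accept_redirects=0` is set for IPv4 and IPv6 a few lines above — `secure_redirects` is consulted only when redirects are accepted at all, so leaving it at the kernel default changes nothing in the current profile. That dependency is now invisible in the file; a short comment under the `accept_redirects` block, e.g. `## secure_redirects is left at its kernel default; it only applies when accept_redirects is enabled.`, would stop a future edit that re-enables `accept_redirects` from silently changing gateway filtering as well. As this is a `990-` drop-in, the effective value now also depends on any other sysctl.d file that sets the key, which is worth stating in the same comment.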
From 7200e9bd8c793f5ea30c3448fd03fbd38c6292b5 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 24 Jul 2024 09:15:02 -0400 Subject: [PATCH 486/846] output --- usr/bin/permission-hardener | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 87f4307..2800e73 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -553,7 +553,7 @@ spare() { dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode" if test ! -f "${store_dir}/existing_mode/statoverride"; then - true debug "Stat file does not exist, hardening was not applied not applied before" + true "DEBUG: Stat file does not exist, hardening was not applied before." return 0 fi From 1135d34ab334c9b39e51a147dc94df568f982512 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 24 Jul 2024 23:33:36 +1000 Subject: [PATCH 487/846] Reword description of `cfi=kcfi` kerenel parameter --- etc/default/grub.d/40_kernel_hardening.cfg | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 5709f52..9c179b2 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg 
@@ -113,14 +113,14 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet" ## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation. -## As of Linux kernel 6.2, FineIBT has been the default implementation. -## The Intel-developed IBT (Indirect Branch Tracking) is only used if there support by the CPU. +## As of Linux kernel 6.2, FineIBT has been selected to be the default implementation. +## The Intel-developed IBT (Indirect Branch Tracking) is only used if there is support by the CPU. ## kCFI is software-only while FineIBT is a hybrid software/hardware implementation. -## FineIBT may result in performance benefits as it only performs checking at destinations. -## FineIBT is weaker against attacks that can write arbitrary executable in memory. +## FineIBT may result in some performance benefits as it only performs checking at destinations. +## FineIBT is considered weaker against attacks that can write arbitrary executable in memory. ## Upstream hardening has given users the ability to disable FineIBT based on requests. -## Choice of CFI implementation is dependent on user threat model as there are pros/cons to both. -## Do not modify this parameter if unsure of implications. +## Choice of CFI implementation is highly dependent on user threat model as there are pros/cons to both. +## Do not modify from default if unsure of implications. ## ## https://lore.kernel.org/all/20221027092842.699804264@infradead.org/ ## https://lore.kernel.org/lkml/202210010918.4918F847C4@keescook/T/#u From a077ae54ea050af8828813b781738cba24e27624 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 24 Jul 2024 10:56:08 -0400 Subject: [PATCH 488/846] modify call of stat to use NUL delimiter for more robust string parsing --- usr/bin/permission-hardener | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) 
diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 2800e73..36c21f1 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -74,11 +74,14 @@ add_nosuid_statoverride_entry() { local arr file_name existing_mode existing_owner existing_group file_name="${line}" - stat_output="$(stat -c "%a %U %G" "${line}")" - read -r -a arr <<< "${stat_output}" - existing_mode="${arr[0]}" - existing_owner="${arr[1]}" - existing_group="${arr[2]}" + ## Capture the stat output with fields separated by NUL characters. + ## Delimiter at the end to avoid the last field to be interpreted as having a newline. + stat_output=$(stat -c '%n\0%a\0%U\0%G\0%' "${line}") + readarray -d '\0' -t arr <<< "${stat_output}" + file_name_from_stat="${arr[0]}" + existing_mode="${arr[1]}" + existing_owner="${arr[2]}" + existing_group="${arr[3]}" if test "${#arr[@]}" = 0; then log error "Line is empty: '${line}'" >&2 @@ -363,7 +366,7 @@ set_file_perms() { local stat_output stat_output="" - if ! stat_output="$(stat -c "%a %U %G" "${fso_without_trailing_slash}")"; then + if ! stat_output="$(stat -c '%n\0%a\0%U\0%G\0%' "${fso_without_trailing_slash}")"; then log error "Failed to run 'stat' on file: '${fso_without_trailing_slash}'!" >&2 continue fi From 1cbda7998196dc04e83c48526d15f9ad5f11e6c9 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 24 Jul 2024 10:57:13 -0400 Subject: [PATCH 489/846] check first if array is empty before parsing further --- usr/bin/permission-hardener | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 36c21f1..63786d3 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener 
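Review bot: `stat_output=$(stat -c '%n\0%a\0%U\0%G\0%' "${line}")` cannot carry what the format produces — bash discards NUL bytes from command-substitution results, so the fields arrive concatenated — and `readarray -d '\0'` uses only the first character of its argument, a backslash, as the delimiter (NUL would be `-d ''`); as written every field lands in `arr[0]` and the `file_name_from_stat` comparison added in patch 491 would fail for every file. Patch 501 further down this page switches to a printable delimiter but its `readarray -d "${delimiter}"` has the same single-character limitation (it splits on `#`), and patch 505 finally resolves it with a newline substitution. The trailing `%` in both format strings is not a complete directive and its effect on the output should be checked rather than assumed. Both hunks sit inside functions that extend beyond them.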
@@ -77,16 +77,19 @@ add_nosuid_statoverride_entry() { ## Capture the stat output with fields separated by NUL characters. ## Delimiter at the end to avoid the last field to be interpreted as having a newline. stat_output=$(stat -c '%n\0%a\0%U\0%G\0%' "${line}") + readarray -d '\0' -t arr <<< "${stat_output}" - file_name_from_stat="${arr[0]}" - existing_mode="${arr[1]}" - existing_owner="${arr[2]}" - existing_group="${arr[3]}" if test "${#arr[@]}" = 0; then log error "Line is empty: '${line}'" >&2 continue fi + + file_name_from_stat="${arr[0]}" + existing_mode="${arr[1]}" + existing_owner="${arr[2]}" + existing_group="${arr[3]}" + if test -z "${file_name}"; then log error "File name is empty in line: ${line}" >&2 continue From b9dfe70a016e46e1f275918be19890526182cfa2 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 24 Jul 2024 10:58:05 -0400 Subject: [PATCH 490/846] check first if file_name is empty --- usr/bin/permission-hardener | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 63786d3..c2c6129 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -73,7 +73,14 @@ add_nosuid_statoverride_entry() { counter_actual="$((counter_actual + 1))" local arr file_name existing_mode existing_owner existing_group + file_name="${line}" + + if test -z "${file_name}"; then + log error "File name is empty in line: ${line}" >&2 + continue + fi + ## Capture the stat output with fields separated by NUL characters. ## Delimiter at the end to avoid the last field to be interpreted as having a newline. stat_output=$(stat -c '%n\0%a\0%U\0%G\0%' "${line}") @@ -90,10 +97,6 @@ add_nosuid_statoverride_entry() { existing_owner="${arr[2]}" existing_group="${arr[3]}" - if test -z "${file_name}"; then - log error "File name is empty in line: ${line}" >&2 - continue - fi if test -z "${existing_mode}"; then log error "Existing mode is empty in line: ${line}" >&2 continue 
From ced02fb9e03e12c7d51923511e7d6a54b09a6274 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 24 Jul 2024 11:01:24 -0400 Subject: [PATCH 491/846] add sanity test for file_name output from stat --- usr/bin/permission-hardener | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index c2c6129..17d0abe 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -97,6 +97,15 @@ add_nosuid_statoverride_entry() { existing_owner="${arr[2]}" existing_group="${arr[3]}" + if [ ! "$file_name" = "$file_name_from_stat" ]; then + log error "\ +file_name is different from file_name_from_stat: +line: '${line}' +file_name '${file_name}' +file_name_from_stat: '${file_name_from_stat}'" >&2 + continue + fi + if test -z "${existing_mode}"; then log error "Existing mode is empty in line: ${line}" >&2 continue From a6e517736b83c124cf8cec52bac184612a29ad0d Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 24 Jul 2024 11:02:25 -0400 Subject: [PATCH 492/846] local stat_output --- usr/bin/permission-hardener | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 17d0abe..571d176 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -72,7 +72,7 @@ add_nosuid_statoverride_entry() { while IFS="" read -r -d "" line; do counter_actual="$((counter_actual + 1))" - local arr file_name existing_mode existing_owner existing_group + local arr file_name existing_mode existing_owner existing_group stat_output file_name="${line}" From d5366835112cc5fabef7ec46a9c582c08121cb14 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 24 Jul 2024 11:03:28 -0400 Subject: [PATCH 493/846] local clean_output_prefix clean_output --- usr/bin/permission-hardener | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 571d176..978c6a9 100755 
--- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -212,6 +212,7 @@ file_name_from_stat: '${file_name_from_stat}'" >&2 fi done + local clean_output_prefix clean_output clean_output_prefix="Managing (S|G)UID of line:" clean_output="setuid=${setuid_output} setgid=${setsgid_output} existing_mode=${existing_mode} new_mode=${new_mode} file='${file_name}'" if test "${whitelists_disable_all:-}" = "true"; then From 00911df5c1de24960ad6d21b4cd99450f2d08a88 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 24 Jul 2024 11:10:56 -0400 Subject: [PATCH 494/846] modify call of stat to use NUL delimiter for more robust string parsing --- usr/bin/permission-hardener | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 978c6a9..ed42723 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -72,7 +72,7 @@ add_nosuid_statoverride_entry() { while IFS="" read -r -d "" line; do counter_actual="$((counter_actual + 1))" - local arr file_name existing_mode existing_owner existing_group stat_output + local arr file_name file_name_from_stat existing_mode existing_owner existing_group stat_output file_name="${line}" @@ -88,7 +88,7 @@ add_nosuid_statoverride_entry() { readarray -d '\0' -t arr <<< "${stat_output}" if test "${#arr[@]}" = 0; then - log error "Line is empty: '${line}'" >&2 + log error "Line is empty. Stat output: '${stat_output}', line: '${line}'" >&2 continue fi 
@@ -387,12 +387,19 @@ set_file_perms() { continue fi - local arr file_name existing_mode existing_owner existing_group - read -r -a arr <<< "${stat_output}" + local arr file_name file_name_from_stat existing_mode existing_owner existing_group + readarray -d '\0' -t arr <<< "${stat_output}" file_name="${fso_without_trailing_slash}" - existing_mode="${arr[0]}" - existing_owner="${arr[1]}" - existing_group="${arr[2]}" + + if test "${#arr[@]}" = 0; then + log error "Line is empty: '${line}'" >&2 + continue + fi + + file_name_from_stat="${arr[0]}" + existing_mode="${arr[1]}" + existing_owner="${arr[2]}" + existing_group="${arr[3]}" if test "${#arr[@]}" = 0; then log error "Line is empty. Stat output: '${stat_output}', line: '${line}'" >&2 From 9712b5b4e3cff3eac8ef03b5e562ff89d74ef4b8 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 24 Jul 2024 11:12:18 -0400 Subject: [PATCH 495/846] output --- usr/bin/permission-hardener | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index ed42723..0ca91ec 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -392,7 +392,7 @@ set_file_perms() { file_name="${fso_without_trailing_slash}" if test "${#arr[@]}" = 0; then - log error "Line is empty: '${line}'" >&2 + log error "Line is empty. Stat output: '${stat_output}', line: '${line}'" >&2 continue fi @@ -414,7 +414,7 @@ set_file_perms() { continue fi if test -z "${existing_owner}"; then - log error "Existing_owner is empty. stat_output: '${stat_output}' | line: '${line}'" >&2 + log error "Existing_owner is empty. Stat output: '${stat_output}' | line: '${line}'" >&2 continue fi if test -z "${existing_group}"; then From 721392901be384014298f59deb57747b825c8b37 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 24 Jul 2024 11:12:39 -0400 Subject: [PATCH 496/846] remove duplicate test --- usr/bin/permission-hardener | 4 ---- 1 file changed, 4 deletions(-) 
diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 0ca91ec..933cb55 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -401,10 +401,6 @@ set_file_perms() { existing_owner="${arr[2]}" existing_group="${arr[3]}" - if test "${#arr[@]}" = 0; then - log error "Line is empty. Stat output: '${stat_output}', line: '${line}'" >&2 - continue - fi if test -z "${file_name}"; then log error "File name is empty. Stat output: '${stat_output}', line: '${line}'" >&2 continue From c9fd2ceb61ea176c731432f02a9fa40652fbddc8 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 24 Jul 2024 11:13:35 -0400 Subject: [PATCH 497/846] downgrade warning of non-existing files to info to avoid all users by default getting a warning for expected non-existing files --- usr/bin/permission-hardener | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 933cb55..4689973 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -618,7 +618,7 @@ spare() { # shellcheck disable=SC2086 chmod ${verbose} "${mode}" "${file_name}" || exit_code=203 else - log warn "File does not exist: ${file_name}" + log info "File does not exist: ${file_name}" fi dpkg-statoverride --remove "${file_name}" &>/dev/null || true From 151ca659a9f5565744ff57f3b581c8c051def148 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 24 Jul 2024 11:19:15 -0400 Subject: [PATCH 498/846] output --- usr/bin/permission-hardener | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 4689973..3e43dbf 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener 
@@ -64,7 +64,7 @@ add_nosuid_statoverride_entry() { local dummy_line while IFS="" read -r -d "" dummy_line; do - log info "Test would parse line: ${dummy_line}" + log info "Test would parse line: '${dummy_line}'" should_be_counter=$((should_be_counter + 1)) done < <(find "${fso_to_process}" -perm /u=s,g=s -print0) @@ -77,7 +77,7 @@ add_nosuid_statoverride_entry() { file_name="${line}" if test -z "${file_name}"; then - log error "File name is empty in line: ${line}" >&2 + log error "File name is empty in line: '${line}'" >&2 continue fi @@ -107,21 +107,21 @@ file_name_from_stat: '${file_name_from_stat}'" >&2 fi if test -z "${existing_mode}"; then - log error "Existing mode is empty in line: ${line}" >&2 + log error "Existing mode is empty in line: '${line}'" >&2 continue fi if test -z "${existing_owner}"; then - log error "Existing owner is empty in line: ${line}" >&2 + log error "Existing owner is empty in line: '${line}'" >&2 continue fi if test -z "${existing_group}"; then - log error "Existing group is empty in line: ${line}" >&2 + log error "Existing group is empty in line: '${line}'" >&2 continue fi ## dpkg-statoverride: error: path may not contain newlines if [[ "${file_name}" == *$'\n'* ]]; then - log warn "Skipping file name that contains newlines: ${file_name}" >&2 + log warn "Skipping file name that contains newlines: '${file_name}'" >&2 continue fi @@ -131,12 +131,12 @@ file_name_from_stat: '${file_name_from_stat}'" >&2 if test -h "${file_name}"; then ## https://forums.whonix.org/t/disable-suid-binaries/7706/14 - log info "Skip symlink: ${file_name}" + log info "Skip symlink: '${file_name}'" continue fi if test -d "${file_name}"; then - log info "Skip directory: ${file_name}" + log info "Skip directory: '${file_name}'" continue fi 
@@ -214,7 +214,7 @@ file_name_from_stat: '${file_name_from_stat}'" >&2 local clean_output_prefix clean_output clean_output_prefix="Managing (S|G)UID of line:" - clean_output="setuid=${setuid_output} setgid=${setsgid_output} existing_mode=${existing_mode} new_mode=${new_mode} file='${file_name}'" + clean_output="setuid='${setuid_output}' setgid='${setsgid_output}' existing_mode='${existing_mode}' new_mode='${new_mode}' file='${file_name}'" if test "${whitelists_disable_all:-}" = "true"; then log info "${clean_output_prefix} whitelists_disable_all=true ${clean_output}" elif test "${is_disable_whitelisted}" = "true"; then @@ -225,7 +225,7 @@ file_name_from_stat: '${file_name_from_stat}'" >&2 continue fi if test "${is_match_whitelisted}" = "true"; then - log info "${clean_output_prefix} is_match_whitelisted=true matchwhite_list_entry=${matchwhite_list_entry} ${clean_output}" + log info "${clean_output_prefix} is_match_whitelisted=true matchwhite_list_entry='${matchwhite_list_entry}' ${clean_output}" continue fi fi @@ -273,7 +273,7 @@ file_name_from_stat: '${file_name_from_stat}'" >&2 } set_file_perms() { - log info "START parsing config file: ${config_file}" + log info "START parsing config file: '${config_file}'" local line while read -r line || test -n "${line}"; do if test -z "${line}"; then @@ -286,7 +286,7 @@ set_file_perms() { if ! [[ "${line}" =~ [0-9a-zA-Z/] ]]; then exit_code=200 - log error "Line contains invalid characters: ${line}" >&2 + log error "Line contains invalid characters: '${line}'" >&2 ## Safer to exit with error in this case. ## https://forums.whonix.org/t/disable-suid-binaries/7706/59 exit "${exit_code}" 
@@ -311,7 +311,7 @@ set_file_perms() { exit "${exit_code}" fi - log info "Parsing line: fso=${fso} mode_from_config=${mode_from_config} owner_from_config=${owner_from_config} group_from_config=${group_from_config} capability_from_config=${capability_from_config}" + log info "Parsing line: fso='${fso}' mode_from_config='${mode_from_config}' owner_from_config='${owner_from_config}' group_from_config='${group_from_config}' capability_from_config='${capability_from_config}'" ## Debugging. #echo "line: '${line}'" @@ -516,7 +516,7 @@ set_file_perms() { fi done <"${config_file}" - log info "END parsing config file: ${config_file}" + log info "END parsing config file: '${config_file}'" } parse_config_folder() { @@ -587,10 +587,10 @@ spare() { local owner group mode file_name if ! read -r owner group mode file_name <<< "${line}"; then exit_code=201 - log error "Cannot parse line: ${line}" >&2 + log error "Cannot parse line: '${line}'" >&2 continue fi - log info "Parsing line: owner=${owner} group=${group} mode=${mode} file_name='${file_name}'" + log info "Parsing line: owner='${owner}' group='${group}' mode='${mode}' file_name='${file_name}'" if test "${remove_file}" = "all"; then verbose="" @@ -618,7 +618,7 @@ spare() { # shellcheck disable=SC2086 chmod ${verbose} "${mode}" "${file_name}" || exit_code=203 else - log info "File does not exist: ${file_name}" + log info "File does not exist: '${file_name}'" fi dpkg-statoverride --remove "${file_name}" &>/dev/null || true From 3bf1f26c0bb271d63c16b314e4da040abf5b3713 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 24 Jul 2024 11:20:26 -0400 Subject: [PATCH 499/846] downgrade warning of non-existing folders to info to avoid all users by default getting a warning for expected non-existing folders --- usr/bin/permission-hardener | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 3e43dbf..a71e9e6 100755 --- a/usr/bin/permission-hardener 
+++ b/usr/bin/permission-hardener @@ -340,7 +340,7 @@ set_file_perms() { esac if test ! -e "${fso}"; then - log warn "File does not exist: '${fso}'" + log info "File does not exist: '${fso}'" continue fi From 4a5312b3a9419c8b3e07dda2b650d5fbf9a38d34 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 24 Jul 2024 11:27:51 -0400 Subject: [PATCH 500/846] output --- usr/bin/permission-hardener | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index a71e9e6..b66db0f 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -13,14 +13,14 @@ store_dir="/var/lib/permission-hardener" dpkg_admindir_parameter_existing_mode="--admindir ${store_dir}/existing_mode" dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode" -log_level=info +log_level=notice # shellcheck disable=SC1091 source /usr/libexec/helper-scripts/log_run_die.sh echo_wrapper_ignore() { if test "${1}" = "verbose"; then shift - log info "Run: $*" + log notice "Run: $*" else shift fi @@ -30,7 +30,7 @@ echo_wrapper_ignore() { echo_wrapper_audit() { if test "${1}" = "verbose"; then shift - log info "Run: $*" + log notice "Run: $*" else shift fi @@ -559,7 +559,7 @@ apply() { sanity_tests parse_config_folder - log info "\ + log notice "\ To compare the current and previous permission modes, install 'meld' (or preferred diff tool) for comparison of file mode changes: sudo apt install --no-install-recommends meld meld ${store_dir}/existing_mode/statoverride ${store_dir}/new_mode/statoverride" From cda0d26af7c057dab8edf4897f98c2e8f83e3d56 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 24 Jul 2024 11:45:13 -0400 Subject: [PATCH 501/846] cannot use NULL inside a bash variable use custom delimiter instead --- usr/bin/permission-hardener | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) 
diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index b66db0f..0637ed9 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -12,6 +12,7 @@ exit_code=0 store_dir="/var/lib/permission-hardener" dpkg_admindir_parameter_existing_mode="--admindir ${store_dir}/existing_mode" dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode" +delimiter="#permission-hardener-delimiter#" log_level=notice # shellcheck disable=SC1091 @@ -81,11 +82,11 @@ add_nosuid_statoverride_entry() { continue fi - ## Capture the stat output with fields separated by NUL characters. ## Delimiter at the end to avoid the last field to be interpreted as having a newline. - stat_output=$(stat -c '%n\0%a\0%U\0%G\0%' "${line}") + stat_output=$(stat -c "%n${delimiter}%a${delimiter}%U${delimiter}%G${delimiter}%" "${line}") + stat_output_simple=$(stat -c '%n %a %U %G' "${line}") - readarray -d '\0' -t arr <<< "${stat_output}" + readarray -d "${delimiter}" -t arr <<< "${stat_output}" if test "${#arr[@]}" = 0; then log error "Line is empty. Stat output: '${stat_output}', line: '${line}'" >&2 @@ -382,13 +383,13 @@ set_file_perms() { local stat_output stat_output="" - if ! stat_output="$(stat -c '%n\0%a\0%U\0%G\0%' "${fso_without_trailing_slash}")"; then + if ! stat_output=$(stat -c "%n${delimiter}%a${delimiter}%U${delimiter}%G${delimiter}%" "${fso_without_trailing_slash}"); then log error "Failed to run 'stat' on file: '${fso_without_trailing_slash}'!" >&2 continue fi local arr file_name file_name_from_stat existing_mode existing_owner existing_group - readarray -d '\0' -t arr <<< "${stat_output}" + readarray -d "${delimiter}" -t arr <<< "${stat_output}" file_name="${fso_without_trailing_slash}" if test "${#arr[@]}" = 0; then From 6cadc70a96cd709fb7a94abcb14e7dd97c57fdb8 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Wed, 24 Jul 2024 11:47:52 -0400 Subject: [PATCH 502/846] output --- usr/bin/permission-hardener | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 0637ed9..bea2abe 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -411,7 +411,7 @@ set_file_perms() { continue fi if test -z "${existing_owner}"; then - log error "Existing_owner is empty. Stat output: '${stat_output}' | line: '${line}'" >&2 + log error "Existing owner is empty. Stat output: '${stat_output}' | line: '${line}'" >&2 continue fi if test -z "${existing_group}"; then From cc2b335ee692cc04a2c4e298902f3503927b2c50 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 24 Jul 2024 11:48:32 -0400 Subject: [PATCH 503/846] cleanup --- usr/bin/permission-hardener | 1 - 1 file changed, 1 deletion(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index bea2abe..2612b2a 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -84,7 +84,6 @@ add_nosuid_statoverride_entry() { ## Delimiter at the end to avoid the last field to be interpreted as having a newline. stat_output=$(stat -c "%n${delimiter}%a${delimiter}%U${delimiter}%G${delimiter}%" "${line}") - stat_output_simple=$(stat -c '%n %a %U %G' "${line}") readarray -d "${delimiter}" -t arr <<< "${stat_output}" From a16dd8474bf72c2b8c63adc7500140e89d19fedb Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 24 Jul 2024 11:50:30 -0400 Subject: [PATCH 504/846] sanity test --- usr/bin/permission-hardener | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 2612b2a..61090bf 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener 
@@ -99,6 +99,7 @@ add_nosuid_statoverride_entry() { if [ ! "$file_name" = "$file_name_from_stat" ]; then log error "\ +function add_nosuid_statoverride_entry: file_name is different from file_name_from_stat: line: '${line}' file_name '${file_name}' @@ -401,6 +402,16 @@ set_file_perms() { existing_owner="${arr[2]}" existing_group="${arr[3]}" + if [ ! "$file_name" = "$file_name_from_stat" ]; then + log error "\ +function set_file_perms: +file_name is different from file_name_from_stat: +line: '${line}' +file_name '${file_name}' +file_name_from_stat: '${file_name_from_stat}'" >&2 + continue + fi + if test -z "${file_name}"; then log error "File name is empty. Stat output: '${stat_output}', line: '${line}'" >&2 continue From 10c73b326f824f783169383888b9464965a53cbb Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 24 Jul 2024 12:07:26 -0400 Subject: [PATCH 505/846] fix delimiter parsing --- usr/bin/permission-hardener | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 61090bf..b843ad2 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -73,7 +73,7 @@ add_nosuid_statoverride_entry() { while IFS="" read -r -d "" line; do counter_actual="$((counter_actual + 1))" - local arr file_name file_name_from_stat existing_mode existing_owner existing_group stat_output + local arr file_name file_name_from_stat existing_mode existing_owner existing_group stat_output stat_output_newlined file_name="${line}" 
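Review bot: The mismatch check added to set_file_perms runs before the `test -z "${file_name}"` guard that follows it, so if the name can be empty at this point it is reported as a name mismatch (`file_name ''` vs. whatever stat printed) rather than by the empty-name error the next lines exist for; placing the block after the emptiness checks keeps each diagnostic specific. Style: the surrounding checks use `test`, so `if test "${file_name}" != "${file_name_from_stat}"; then` reads consistently and avoids the `[ ! a = b ]` negation. set_file_perms begins and ends outside this hunk.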
@@ -82,10 +82,9 @@ add_nosuid_statoverride_entry() { continue fi - ## Delimiter at the end to avoid the last field to be interpreted as having a newline. - stat_output=$(stat -c "%n${delimiter}%a${delimiter}%U${delimiter}%G${delimiter}%" "${line}") - - readarray -d "${delimiter}" -t arr <<< "${stat_output}" + stat_output=$(stat -c "%n${delimiter}%a${delimiter}%U${delimiter}%G${delimiter}" "${line}") + stat_output_newlined=$(printf '%s\n' "${stat_output//${delimiter}/$'\n'}") + readarray -t arr <<< "${stat_output_newlined}" if test "${#arr[@]}" = 0; then log error "Line is empty. Stat output: '${stat_output}', line: '${line}'" >&2 @@ -381,15 +380,16 @@ set_file_perms() { mode_for_grep="${mode_from_config:1}" fi - local stat_output + local stat_output stat_output_newlined stat_output="" - if ! stat_output=$(stat -c "%n${delimiter}%a${delimiter}%U${delimiter}%G${delimiter}%" "${fso_without_trailing_slash}"); then + if ! stat_output=$(stat -c "%n${delimiter}%a${delimiter}%U${delimiter}%G${delimiter}" "${fso_without_trailing_slash}"); then log error "Failed to run 'stat' on file: '${fso_without_trailing_slash}'!" >&2 continue fi + stat_output_newlined=$(printf '%s\n' "${stat_output//${delimiter}/$'\n'}") local arr file_name file_name_from_stat existing_mode existing_owner existing_group - readarray -d "${delimiter}" -t arr <<< "${stat_output}" + readarray -t arr <<< "${stat_output_newlined}" file_name="${fso_without_trailing_slash}" if test "${#arr[@]}" = 0; then From 4cc1289e89b341e15725d65e405e607ea4784f9f Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 24 Jul 2024 13:30:30 -0400 Subject: [PATCH 506/846] output --- usr/bin/permission-hardener | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index b843ad2..cef71b9 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener 
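Review bot: The reason this parse works where `readarray -d "${delimiter}"` did not deserves a comment next to the substitution, because the next reader will be tempted to revert to the shorter form: `## readarray -d uses only the first character of its argument, so the multi-character delimiter is rewritten to newlines before splitting.` If the trailing `${delimiter}` is also removed from the stat format, the `printf '%s\n'` / command-substitution / here-string round trip collapses to `readarray -t arr <<< "${stat_output//${delimiter}/$'\n'}"` in both places and the `stat_output_newlined` temporaries go away. A file name that itself contains a newline still shifts the fields here, so the file_name vs. file_name_from_stat comparison should stay directly after this parse. Both enclosing functions extend beyond the hunk.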
@@ -160,6 +160,7 @@ file_name_from_stat: '${file_name_from_stat}'" >&2 setuid_or_setsgid=true fi if test -z "${setuid_or_setsgid}"; then + log info "Neither setuid nor setsgid. Skipping. file_name: '${file_name}'" continue fi @@ -177,10 +178,12 @@ file_name_from_stat: '${file_name_from_stat}'" >&2 is_exact_whitelisted="" for white_list_entry in "${exact_white_list[@]:-}"; do if test -z "${white_list_entry}"; then + log info "white_list_entry unset. Skipping. file_name: '${file_name}'" continue fi if test "${file_name}" = "${white_list_entry}"; then is_exact_whitelisted="true" + log info "is_exact_whitelisted=true. Skipping. file_name: '${file_name}'" ## Stop looping through the whitelist. break fi @@ -190,10 +193,12 @@ file_name_from_stat: '${file_name_from_stat}'" >&2 is_match_whitelisted="" for matchwhite_list_entry in "${match_white_list[@]:-}"; do if test -z "${matchwhite_list_entry}"; then + log info "matchwhite_list_entry unset. Skipping. file_name: '${file_name}'" continue fi if echo "${file_name}" | grep --quiet --fixed-strings "${matchwhite_list_entry}"; then is_match_whitelisted="true" + log info "is_match_whitelisted=true. Skipping. file_name: '${file_name}'" ## Stop looping through the match_white_list. break fi @@ -203,10 +208,12 @@ file_name_from_stat: '${file_name_from_stat}'" >&2 is_disable_whitelisted="" for disablematch_list_entry in "${disable_white_list[@]:-}"; do if test -z "${disablematch_list_entry}"; then + log info "disablematch_list_entry unset. Skipping. file_name: '${file_name}'" continue fi if echo "${file_name}" | grep --quiet --fixed-strings "${disablematch_list_entry}"; then is_disable_whitelisted="true" + log info "is_disable_whitelisted=true. Skipping. file_name: '${file_name}'" ## Stop looping through the disablewhitelist. break fi 
@@ -230,6 +237,8 @@ file_name_from_stat: '${file_name_from_stat}'" >&2 fi fi + log notice "${clean_output_prefix} ${clean_output}" + # shellcheck disable=SC2086 if dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --list "${file_name}" >/dev/null; then log info "Existing mode already saved previously. Not saving again." @@ -277,6 +286,7 @@ set_file_perms() { local line while read -r line || test -n "${line}"; do if test -z "${line}"; then + true "DEBUG: line is empty. Skipping." continue fi @@ -498,6 +508,7 @@ file_name_from_stat: '${file_name_from_stat}'" >&2 fi fi if test -z "${capability_from_config}"; then + log info "capability_from_config is empty. Skipping. file_name: '${file_name}'" continue fi From 9231f058911ab9059e91c4c0c1677ef66b5bb666 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 24 Jul 2024 13:31:49 -0400 Subject: [PATCH 507/846] todo --- usr/bin/permission-hardener | 3 +++ 1 file changed, 3 insertions(+) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index cef71b9..1c21df2 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -6,6 +6,9 @@ ## https://forums.whonix.org/t/disable-suid-binaries/7706 ## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707 +## TODO: +## - unduplicate stat_output related source code + set -o errexit -o nounset -o pipefail exit_code=0 From f699eb02a27ef54b9ced5866447b63152984af66 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Thu, 25 Jul 2024 10:11:33 +1000 Subject: [PATCH 508/846] Set `sysctl fs.binfmt_misc.status=0` --- README.md | 3 +++ usr/lib/sysctl.d/990-security-misc.conf | 16 ++++++++++++++++ 2 files changed, 19 insertions(+) diff --git a/README.md b/README.md index 5e029c8..d4dd706 100644 --- a/README.md +++ b/README.md 
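Review bot: The unconditional `log notice "${clean_output_prefix} ${clean_output}"` in the @@ -230 hunk sits right after an if/elif chain that, judging by the context shown in the later "Only print SUID or SGID values" patch, already logs `${clean_output_prefix} … ${clean_output}` per branch, so every SUID/SGID file would now be reported twice, and since `log_level=notice` is the script's default the previously quiet whitelisted cases become visible on every run. If the intent is to surface the final decision at notice level, raise the branch that actually changes a mode rather than adding a second line for all of them. `true "DEBUG: line is empty. Skipping."` in set_file_perms is a no-op; `log info` is what this same patch uses for the equivalent skips elsewhere. add_nosuid_statoverride_entry and set_file_perms both extend beyond these hunks.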
@@ -57,6 +57,9 @@ space, user space, core dumps, and swap space. - Increase the maximum number of memory map areas a process is able to utilize. +- Disallow registering interpreters for various (miscellaneous) binary formats based + on a magic number or their file extension to prevent unintended code execution. + - Disable core dump files and prevent their creation. If core dump files are enabled, they will be named based on `core.PID` instead of the default `core`. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 7b07033..334fb68 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf 
@@ -193,6 +193,22 @@ fs.protected_regular=2 ## vm.max_map_count=1048576 +## Disable the miscellaneous binary format virtual file system to prevent unintended code execution. +## Prevents registering interpreters for various binary formats based on a magic number or their file extension. +## If arbitrary executable file formats are recognised, they will be passed to relevant user space applications. +## These interpreters will run with root permissions when a setuid binary is owned by root. +## Can stop maliciously crafted files with specific file extensions from automatically executing. +## Breaks many scripts that do not have appropriate shebang interpreter directives (#!/bin/...). +## +## https://www.kernel.org/doc/html/latest/admin-guide/binfmt-misc.html +## https://salsa.debian.org/debian/binfmt-support +## https://access.redhat.com/solutions/1985633 +## https://en.wikipedia.org/wiki/Binfmt_misc +## https://security.stackexchange.com/questions/271786/does-allowing-binfmt-misc-significantly-increase-the-attack-surface-for-unprivil +## https://unix.stackexchange.com/questions/439569/what-kinds-of-executable-formats-do-the-files-under-proc-sys-fs-binfmt-misc-al +## +fs.binfmt_misc.status=0 + ## 3. Core Dumps: ## ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps From 3926b91dcf371377d38c747e5c7718ac2fed3c83 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Thu, 25 Jul 2024 10:26:23 +1000 Subject: [PATCH 509/846] Add documentation on `sysctl kernel.panic_on_oops=1` --- README.md | 3 +++ usr/lib/sysctl.d/990-security-misc.conf | 11 +++++++++++ 2 files changed, 14 insertions(+) diff --git a/README.md b/README.md index 5e029c8..e28549f 100644 --- a/README.md +++ b/README.md 
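Review bot: `fs.binfmt_misc.status` only exists while the binfmt_misc pseudo-filesystem is mounted under /proc/sys/fs/binfmt_misc, so on a host where nothing has mounted it when sysctl.d is applied the key is absent, systemd-sysctl logs an error for this line and the setting is not applied; the comment block should state that dependency, and that root can write `1` back at any time, so this is a default rather than a hard control. The justification `## Breaks many scripts that do not have appropriate shebang interpreter directives` looks wrong to me: shebang-less scripts are run via the shell's ENOEXEC fallback, not binfmt_misc; what this actually breaks is whatever is registered through binfmt-support, e.g. qemu-user foreign-architecture binaries and Wine/Mono/Java launchers. `## These interpreters will run with root permissions when a setuid binary is owned by root.` could likewise be sharpened to the real mechanism: a registration made with the `C` flag runs the interpreter with the credentials of the setuid binary, which is the escalation concern.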
@@ -41,6 +41,9 @@ space, user space, core dumps, and swap space. - Restrict kernel profiling and the performance events system to `CAP_PERFMON`. +- Force the kernel to panic on "oopses" that can potentially indicate and thwart + certain kernel exploitation attempts. + - Randomize the addresses (ASLR) for mmap base, stack, VDSO pages, and heap. - Disable asynchronous I/O as `io_uring` has been the source diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 7b07033..b05b3bf 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -109,6 +109,17 @@ kernel.sysrq=0 ## kernel.perf_event_paranoid=3 +## Force the kernel to panic on "oopses". +## Can sometimes potentially indicate and thwart certain kernel exploitation attempts. +## Also cause panics on machine check exceptions. +## Panics may be due to false-positives such as bad drivers. +## +## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713 +## +## See /usr/libexec/security-misc/panic-on-oops for implementation. +## +#kernel.panic_on_oops=1 + ## Enable ASLR for mmap base, stack, VDSO pages, and heap. ## Heap randomization can lead to breakages with legacy applications. ## From ed3336694ce35614ab47db42bce29d3c69d46752 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Thu, 25 Jul 2024 10:28:27 +1000 Subject: [PATCH 510/846] Provide the option to immediately reboot on a kernel panics --- README.md | 3 ++- usr/lib/sysctl.d/990-security-misc.conf | 1 + usr/libexec/security-misc/panic-on-oops | 1 + 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index e28549f..34ea2b2 100644 --- a/README.md +++ b/README.md 
@@ -42,7 +42,8 @@ space, user space, core dumps, and swap space. - Restrict kernel profiling and the performance events system to `CAP_PERFMON`. - Force the kernel to panic on "oopses" that can potentially indicate and thwart - certain kernel exploitation attempts. + certain kernel exploitation attempts. Provide the option to reboot immediately + on a kernel panic. - Randomize the addresses (ASLR) for mmap base, stack, VDSO pages, and heap. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index b05b3bf..7eb1a73 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -119,6 +119,7 @@ kernel.perf_event_paranoid=3 ## See /usr/libexec/security-misc/panic-on-oops for implementation. ## #kernel.panic_on_oops=1 +#kernel.panic=-1 ## Enable ASLR for mmap base, stack, VDSO pages, and heap. ## Heap randomization can lead to breakages with legacy applications. diff --git a/usr/libexec/security-misc/panic-on-oops b/usr/libexec/security-misc/panic-on-oops index 907ee69..2fc25c8 100755 --- a/usr/libexec/security-misc/panic-on-oops +++ b/usr/libexec/security-misc/panic-on-oops @@ -16,3 +16,4 @@ fi ## from continuing to run a flawed processes. Many kernel exploits ## will also cause an oops which this will make the kernel kill. sysctl kernel.panic_on_oops=1 +#sysctl kernel.panic=-1 From 28b25bda3f51c7d5a6ee6d28446cb5f731f452d0 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Thu, 25 Jul 2024 15:51:32 +1000 Subject: [PATCH 511/846] Partial inclusion of GrapheneOS infrastructure blacklist --- .../30_security-misc_blacklist.conf | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/etc/modprobe.d/30_security-misc_blacklist.conf b/etc/modprobe.d/30_security-misc_blacklist.conf index 2ef0d1a..34e1124 100644 --- a/etc/modprobe.d/30_security-misc_blacklist.conf +++ b/etc/modprobe.d/30_security-misc_blacklist.conf 
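Review bot: `#sysctl kernel.panic=-1` is added to panic-on-oops with no explanation of the value or its trade-off, and the matching `#kernel.panic=-1` in 990-security-misc.conf merely inherits the panic_on_oops comment block. Suggested comment for both places: `## kernel.panic=-1 reboots immediately after a panic instead of halting. This removes the window to read the oops on the console and can turn a faulty driver into a reboot loop, so enable it only together with pstore or netconsole if the panic output matters for forensics.` It is also worth noting that kernel.panic applies to every panic, not only oops-triggered ones, which is why it is a separate knob. The panic-on-oops script is shown only partially.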
@@ -23,6 +23,26 @@ blacklist sr_mod ## Miscellaneous: ## +## GrapheneOS: +## Partial selection of their infrastructure blacklist. +## Duplicate and already disabled modules have been omitted. +## +## https://github.com/GrapheneOS/infrastructure/blob/main/modprobe.d/local.conf +## +#blacklist cfg80211 +#blacklist intel_agp +#blacklist ip_tables +blacklist joydev +#blacklist mousedev +#blacklist psmouse +blacklist snd_intel8x0 +#blacklist tls +#blacklist virtio_balloon +#blacklist virtio_console +## +## Ubuntu: +## Already disabled modules have been omitted. +## ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist.conf?h=ubuntu/disco ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco ## From 3b8a3f9b832ee1eee959fbcce8b5eed417d4712e Mon Sep 17 00:00:00 2001 From: Ben Grande Date: Thu, 25 Jul 2024 12:20:16 +0200 Subject: [PATCH 512/846] Unduplicate stat call --- usr/bin/permission-hardener | 187 ++++++++++++++++++------------------ 1 file changed, 91 insertions(+), 96 deletions(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 1c21df2..10fad42 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -6,9 +6,6 @@ ## https://forums.whonix.org/t/disable-suid-binaries/7706 ## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707 -## TODO: -## - unduplicate stat_output related source code - set -o errexit -o nounset -o pipefail exit_code=0 @@ -17,6 +14,7 @@ dpkg_admindir_parameter_existing_mode="--admindir ${store_dir}/existing_mode" dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode" delimiter="#permission-hardener-delimiter#" +# shellcheck disable=SC2034 log_level=notice # shellcheck disable=SC1091 source /usr/libexec/helper-scripts/log_run_die.sh 
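Review bot: `blacklist joydev` and `blacklist snd_intel8x0` only stop alias-based autoloading; the modules still load on an explicit `modprobe` or as a dependency of another module, whereas the package's disable file uses the stronger `install <module> /usr/bin/disabled-…-by-security-misc` form (see the mei entries in 30_security-misc_disable.conf later in this series). If the goal is attack-surface reduction rather than merely avoiding autoload, these two belong there as `install` lines. A one-line reason for keeping the other entries commented out would spare the next reader from re-deriving it, e.g. `## Kept commented out: presumably break Wi-Fi (cfg80211), iptables and VM guests (virtio_*) respectively.`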
@@ -53,6 +51,78 @@ make_store_dir(){ mkdir --parents "${store_dir}/new_mode" } +## Some tools may fail on newlines and even variable assignment to array may +## fail if a variable that will be assigned to an array element contains +## characters that are used as delimiters. +block_newlines(){ + local newline_variable newline_value + newline_variable="${1}" + newline_value="${2}" + ## dpkg-statoverride: error: path may not contain newlines + #if [[ "${newline_value}" == *$'\n'* ]]; then + if [[ "${newline_value}" != "${newline_value//$'\n'/NEWLINE}" ]]; then + log warn "Skipping ${newline_variable} that contains newlines: '${newline_value}'" >&2 + return 1 + fi +} + +output_stat(){ + local file_name + file_name="${1}" + + if test -z "${file_name}"; then + log error "File name is empty. file_name: '${file_name}'" >&2 + return 1 + fi + + block_newlines file "${file_name}" + + declare -a arr + local file_name_from_stat existing_mode existing_owner existing_group stat_output stat_output_newlined + + if ! stat_output="$(stat -c "%a${delimiter}%U${delimiter}%G${delimiter}%n${delimiter}" "${file_name}")"; then + log error "Failed to run 'stat' on file: '${file_name}'!" >&2 + return 1 + fi + + stat_output_newlined="$(printf '%s\n' "${stat_output//${delimiter}/$'\n'}")" + readarray -t arr <<< "${stat_output_newlined}" + + if test "${#arr[@]}" = 0; then + log error "Line is empty. Stat output: '${stat_output}', line: '${line}'" >&2 + return 1 + fi + + existing_mode="${arr[0]}" + existing_owner="${arr[1]}" + existing_group="${arr[2]}" + file_name_from_stat="${arr[3]}" + + if [ ! "$file_name" = "$file_name_from_stat" ]; then + log error "\ +function ${FUNCNAME[1]}: +File name is different from file name received from stat: +File name '${file_name}' +File name from stat: '${file_name_from_stat}'" >&2 + return 1 + fi + + if test -z "${existing_mode}"; then + log error "Existing mode is empty. 
Stat output: '${stat_output}', line: '${line}'" >&2 + return 1 + fi + if test -z "${existing_owner}"; then + log error "Existing owner is empty. Stat output: '${stat_output}' | line: '${line}'" >&2 + return 1 + fi + if test -z "${existing_group}"; then + log error "Existing group is empty. Stat output: '${stat_output}', line: '${line}'" >&2 + return 1 + fi + + (IFS=$'\n'; echo "${arr[*]}") +} + sanity_tests() { echo_wrapper_audit silent which \ capsh getcap setcap stat find dpkg-statoverride getent xargs grep 1>/dev/null 
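Review bot: output_stat refers to `${line}` in four of its error messages, but `line` is neither a parameter nor a local of this function; it is only reachable through bash's dynamic scoping from the callers, and add_nosuid_statoverride_entry now keeps `local line` without ever assigning it, so under `set -o nounset` the first error path would abort the process-substitution subshell with an "unbound variable" message instead of the intended diagnostic. Drop `, line: '${line}'` from these messages (file_name already identifies the entry) or pass the context in as a second argument. `block_newlines file "${file_name}"` relies on errexit to abort the subshell when it returns 1; `block_newlines file "${file_name}" || return 1` makes that explicit and survives being called in a context where errexit is suppressed. The `"${#arr[@]}" = 0` check can never fire after a here-string readarray, which always yields at least one element. The hunk's trailing context belongs to sanity_tests, which extends beyond it.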
@@ -73,60 +143,21 @@ add_nosuid_statoverride_entry() { done < <(find "${fso_to_process}" -perm /u=s,g=s -print0) local line - while IFS="" read -r -d "" line; do - counter_actual="$((counter_actual + 1))" + while IFS="" read -r -d "" file_name; do + counter_actual=$((counter_actual + 1)) - local arr file_name file_name_from_stat existing_mode existing_owner existing_group stat_output stat_output_newlined - - file_name="${line}" - - if test -z "${file_name}"; then - log error "File name is empty in line: '${line}'" >&2 - continue - fi - - stat_output=$(stat -c "%n${delimiter}%a${delimiter}%U${delimiter}%G${delimiter}" "${line}") - stat_output_newlined=$(printf '%s\n' "${stat_output//${delimiter}/$'\n'}") - readarray -t arr <<< "${stat_output_newlined}" + declare -a arr + local existing_mode existing_owner existing_group + readarray -t arr < <(output_stat "${file_name}") + ## Above command creates a subshell that cannot be returned. if test "${#arr[@]}" = 0; then - log error "Line is empty. Stat output: '${stat_output}', line: '${line}'" >&2 continue fi - file_name_from_stat="${arr[0]}" - existing_mode="${arr[1]}" - existing_owner="${arr[2]}" - existing_group="${arr[3]}" - - if [ ! 
"$file_name" = "$file_name_from_stat" ]; then - log error "\ -function add_nosuid_statoverride_entry: -file_name is different from file_name_from_stat: -line: '${line}' -file_name '${file_name}' -file_name_from_stat: '${file_name_from_stat}'" >&2 - continue - fi - - if test -z "${existing_mode}"; then - log error "Existing mode is empty in line: '${line}'" >&2 - continue - fi - if test -z "${existing_owner}"; then - log error "Existing owner is empty in line: '${line}'" >&2 - continue - fi - if test -z "${existing_group}"; then - log error "Existing group is empty in line: '${line}'" >&2 - continue - fi - - ## dpkg-statoverride: error: path may not contain newlines - if [[ "${file_name}" == *$'\n'* ]]; then - log warn "Skipping file name that contains newlines: '${file_name}'" >&2 - continue - fi + existing_mode="${arr[0]}" + existing_owner="${arr[1]}" + existing_group="${arr[2]}" ## -h file True if file is a symbolic Link. ## -u file True if file has its set-user-id bit set. @@ -335,7 +366,6 @@ set_file_perms() { local fso_without_trailing_slash fso_without_trailing_slash="${fso%/}" - ## TODO: test/add white spaces inside file name support declare -g disable_white_list exact_white_list match_white_list case "${mode_from_config}" in disablewhitelist) 
@@ -393,54 +423,19 @@ set_file_perms() { mode_for_grep="${mode_from_config:1}" fi - local stat_output stat_output_newlined - stat_output="" - if ! stat_output=$(stat -c "%n${delimiter}%a${delimiter}%U${delimiter}%G${delimiter}" "${fso_without_trailing_slash}"); then - log error "Failed to run 'stat' on file: '${fso_without_trailing_slash}'!" >&2 - continue - fi - stat_output_newlined=$(printf '%s\n' "${stat_output//${delimiter}/$'\n'}") + declare -a arr + local existing_mode existing_owner existing_group - local arr file_name file_name_from_stat existing_mode existing_owner existing_group - readarray -t arr <<< "${stat_output_newlined}" file_name="${fso_without_trailing_slash}" - + readarray -t arr < <(output_stat "${file_name}") + ## Above command creates a subshell that cannot be returned from. if test "${#arr[@]}" = 0; then - log error "Line is empty. Stat output: '${stat_output}', line: '${line}'" >&2 continue fi - file_name_from_stat="${arr[0]}" - existing_mode="${arr[1]}" - existing_owner="${arr[2]}" - existing_group="${arr[3]}" - - if [ ! "$file_name" = "$file_name_from_stat" ]; then - log error "\ -function set_file_perms: -file_name is different from file_name_from_stat: -line: '${line}' -file_name '${file_name}' -file_name_from_stat: '${file_name_from_stat}'" >&2 - continue - fi - - if test -z "${file_name}"; then - log error "File name is empty. Stat output: '${stat_output}', line: '${line}'" >&2 - continue - fi - if test -z "${existing_mode}"; then - log error "Existing mode is empty. Stat output: '${stat_output}', line: '${line}'" >&2 - continue - fi - if test -z "${existing_owner}"; then - log error "Existing owner is empty. Stat output: '${stat_output}' | line: '${line}'" >&2 - continue - fi - if test -z "${existing_group}"; then - log error "Existing group is empty. 
Stat output: '${stat_output}', line: '${line}'" >&2 - continue - fi + existing_mode="${arr[0]}" + existing_owner="${arr[1]}" + existing_group="${arr[2]}" ## Check there is an entry for the fso. ## @@ -558,9 +553,9 @@ parse_config_folder() { ## 'grep' exits after the first match in this case causing 'getent' to ## receive SIGPIPE, which then fails the pipeline since 'set -o pipefail' is ## set for this script. - passwd_file_contents_temp=$(getent passwd) + passwd_file_contents_temp="$(getent passwd)" echo "${passwd_file_contents_temp}" | tee "${store_dir}/private/passwd" >/dev/null - group_file_contents_temp=$(getent group) + group_file_contents_temp="$(getent group)" echo "${group_file_contents_temp}" | tee "${store_dir}/private/group" >/dev/null #passwd_file_contents="$(cat "${store_dir}/private/passwd")" From 652a06c8e9f841e043cc5b5fb030b149cb70dc85 Mon Sep 17 00:00:00 2001 From: Ben Grande Date: Thu, 25 Jul 2024 12:37:21 +0200 Subject: [PATCH 513/846] Only print SUID or SGID values when set --- usr/bin/permission-hardener | 24 ++++++++++-------------- 1 file changed, 10 insertions(+), 14 deletions(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 10fad42..3196cfa 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener 
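Review bot: `readarray -t arr < <(output_stat "${file_name}")` discards output_stat's exit status, so a failed stat, a name mismatch and a newline-containing path all collapse into the same silent `continue`, and the `return 1` paths in output_stat are effectively unobservable. Capturing the output first keeps the status: `if ! stat_result="$(output_stat "${file_name}")"; then continue; fi` followed by `readarray -t arr <<< "${stat_result}"`, which also lets the caller bump `exit_code` or log the failure instead of skipping quietly. `declare -a arr` is already function-local here, but mixing it with the `local` on the next line reads inconsistently. set_file_perms extends beyond the hunk on both sides.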
@@ -174,27 +174,23 @@ add_nosuid_statoverride_entry() { continue fi - local setuid setuid_output setsgid setsgid_output + local setuid setgid setuid="" - setuid_output="" if test -u "${file_name}"; then setuid=true - setuid_output="set-user-id" fi - setsgid="" - setsgid_output="" + setgid="" if test -g "${file_name}"; then - setsgid=true - setsgid_output="set-group-id" + setgid=true fi - local setuid_or_setsgid - setuid_or_setsgid="" - if test "${setuid}" = "true" || test "${setsgid}" = "true"; then - setuid_or_setsgid=true + local setuid_or_setgid + setuid_or_setgid="" + if test "${setuid}" = "true" || test "${setgid}" = "true"; then + setuid_or_setgid=true fi - if test -z "${setuid_or_setsgid}"; then - log info "Neither setuid nor setsgid. Skipping. file_name: '${file_name}'" + if test -z "${setuid_or_setgid}"; then + log info "Neither setuid nor setgid. Skipping. file_name: '${file_name}'" continue fi @@ -255,7 +251,7 @@ add_nosuid_statoverride_entry() { local clean_output_prefix clean_output clean_output_prefix="Managing (S|G)UID of line:" - clean_output="setuid='${setuid_output}' setgid='${setsgid_output}' existing_mode='${existing_mode}' new_mode='${new_mode}' file='${file_name}'" + clean_output="${setuid:+setuid='true'} ${setgid:+setgid='true'} existing_mode='${existing_mode}' new_mode='${new_mode}' file='${file_name}'" if test "${whitelists_disable_all:-}" = "true"; then log info "${clean_output_prefix} whitelists_disable_all=true ${clean_output}" elif test "${is_disable_whitelisted}" = "true"; then From 4397de0138dac47aee66570fcfe4ef38c8179321 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Fri, 26 Jul 2024 11:30:46 +1000 Subject: [PATCH 514/846] Update description of `cfi=kcfi` kerenel parameter --- etc/default/grub.d/40_kernel_hardening.cfg | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 9c179b2..172c3c8 100644 
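Review bot: `clean_output="${setuid:+setuid='true'} ${setgid:+setgid='true'} existing_mode=…"` leaves one or two stray leading spaces (and a double space) whenever a bit is not set, so the log lines no longer align and a reader grepping for `setuid='` can no longer distinguish "not set" from "not logged". Building the flags as a prefix, e.g. `flags="${setuid:+setuid=true }${setgid:+setgid=true }"` and `clean_output="${flags}existing_mode='${existing_mode}' …"`, keeps the spacing tight; alternatively the old explicit `setuid=''` form was self-describing and could simply be kept. add_nosuid_statoverride_entry extends beyond the hunk.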
--- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -113,14 +113,14 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet" ## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation. -## As of Linux kernel 6.2, FineIBT has been selected to be the default implementation. -## The Intel-developed IBT (Indirect Branch Tracking) is only used if there is support by the CPU. +## The default implementation is FIneIBT as of Linux kernel 6.2. +## The Intel-developed IBT (Indirect Branch Tracking) is only used if supported by the CPU. ## kCFI is software-only while FineIBT is a hybrid software/hardware implementation. ## FineIBT may result in some performance benefits as it only performs checking at destinations. -## FineIBT is considered weaker against attacks that can write arbitrary executable in memory. -## Upstream hardening has given users the ability to disable FineIBT based on requests. +## FineIBT is considered weaker against attacks that can write arbitrary executables into memory. +## Upstream hardening work has provided users the ability to disable FineIBT based on requests. ## Choice of CFI implementation is highly dependent on user threat model as there are pros/cons to both. -## Do not modify from default if unsure of implications. +## Do not modify from the default setting if unsure of implications. ## ## https://lore.kernel.org/all/20221027092842.699804264@infradead.org/ ## https://lore.kernel.org/lkml/202210010918.4918F847C4@keescook/T/#u @@ -132,6 +132,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## https://lpc.events/event/16/contributions/1315/attachments/1067/2169/cfi.pdf ## https://forums.whonix.org/t/kernel-hardening-security-misc/7296/561 ## +## TODO: Debian 13 Trixie ## Applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness). ## #cfi=kcfi 
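Review bot: The rewritten first line introduces a typo: `## The default implementation is FIneIBT as of Linux kernel 6.2.` should read `## The default implementation is FineIBT as of Linux kernel 6.2.` (the name is spelled correctly on the following lines). The new `## TODO: Debian 13 Trixie` marker says nothing about what is to be done; something like `## TODO: revisit once Debian 13 (trixie) ships a >= 6.2 kernel, where this parameter becomes applicable per the note below` captures the intent the next line hints at. The option itself stays commented out, so the whole block is documentation only.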
From f616da7c0690fc0dffc21be59174ed8754ec55fb Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 26 Jul 2024 09:40:59 +0000 Subject: [PATCH 515/846] bumped changelog version --- changelog.upstream | 179 +++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++ 2 files changed, 185 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 32ec008..9095f50 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,182 @@ +commit 9231f058911ab9059e91c4c0c1677ef66b5bb666 +Author: Patrick Schleizer +Date: Wed Jul 24 13:31:49 2024 -0400 + + todo + +commit 4cc1289e89b341e15725d65e405e607ea4784f9f +Author: Patrick Schleizer +Date: Wed Jul 24 13:30:30 2024 -0400 + + output + +commit 10c73b326f824f783169383888b9464965a53cbb +Author: Patrick Schleizer +Date: Wed Jul 24 12:07:26 2024 -0400 + + fix delimiter parsing + +commit a16dd8474bf72c2b8c63adc7500140e89d19fedb +Author: Patrick Schleizer +Date: Wed Jul 24 11:50:30 2024 -0400 + + sanity test + +commit cc2b335ee692cc04a2c4e298902f3503927b2c50 +Author: Patrick Schleizer +Date: Wed Jul 24 11:48:32 2024 -0400 + + cleanup + +commit 6cadc70a96cd709fb7a94abcb14e7dd97c57fdb8 +Author: Patrick Schleizer +Date: Wed Jul 24 11:47:52 2024 -0400 + + output + +commit cda0d26af7c057dab8edf4897f98c2e8f83e3d56 +Author: Patrick Schleizer +Date: Wed Jul 24 11:45:13 2024 -0400 + + cannot use NULL inside a bash variable + + use custom delimiter instead + +commit 4a5312b3a9419c8b3e07dda2b650d5fbf9a38d34 +Author: Patrick Schleizer +Date: Wed Jul 24 11:27:51 2024 -0400 + + output + +commit 3bf1f26c0bb271d63c16b314e4da040abf5b3713 +Author: Patrick Schleizer +Date: Wed Jul 24 11:20:26 2024 -0400 + + downgrade warning of non-existing folders to info + + to avoid all users by default getting a warning for expected non-existing folders + +commit 151ca659a9f5565744ff57f3b581c8c051def148 +Author: Patrick Schleizer +Date: Wed Jul 24 11:19:15 2024 -0400 + + output + +commit c9fd2ceb61ea176c731432f02a9fa40652fbddc8 +Author: Patrick Schleizer +Date: Wed Jul 24 11:13:35 2024 -0400 + + downgrade warning of non-existing files to info + + to avoid all users by default getting a warning for expected non-existing files + +commit 721392901be384014298f59deb57747b825c8b37 +Author: Patrick Schleizer +Date: Wed Jul 24 11:12:39 2024 -0400 + + remove duplicate test + +commit 9712b5b4e3cff3eac8ef03b5e562ff89d74ef4b8 +Author: Patrick Schleizer +Date: Wed Jul 24 11:12:18 
2024 -0400 + + output + +commit 00911df5c1de24960ad6d21b4cd99450f2d08a88 +Author: Patrick Schleizer +Date: Wed Jul 24 11:10:56 2024 -0400 + + modify call of stat to use NUL delimiter + + for more robust string parsing + +commit d5366835112cc5fabef7ec46a9c582c08121cb14 +Author: Patrick Schleizer +Date: Wed Jul 24 11:03:28 2024 -0400 + + local clean_output_prefix clean_output + +commit a6e517736b83c124cf8cec52bac184612a29ad0d +Author: Patrick Schleizer +Date: Wed Jul 24 11:02:25 2024 -0400 + + local stat_output + +commit ced02fb9e03e12c7d51923511e7d6a54b09a6274 +Author: Patrick Schleizer +Date: Wed Jul 24 11:01:24 2024 -0400 + + add sanity test for file_name output from stat + +commit b9dfe70a016e46e1f275918be19890526182cfa2 +Author: Patrick Schleizer +Date: Wed Jul 24 10:58:05 2024 -0400 + + check first if file_name is empty + +commit 1cbda7998196dc04e83c48526d15f9ad5f11e6c9 +Author: Patrick Schleizer +Date: Wed Jul 24 10:57:13 2024 -0400 + + check first if array is empty before parsing further + +commit a077ae54ea050af8828813b781738cba24e27624 +Author: Patrick Schleizer +Date: Wed Jul 24 10:56:08 2024 -0400 + + modify call of stat to use NUL delimiter + + for more robust string parsing + +commit 7200e9bd8c793f5ea30c3448fd03fbd38c6292b5 +Author: Patrick Schleizer +Date: Wed Jul 24 09:15:02 2024 -0400 + + output + +commit 1b6161c2dcd9a0686503c84cda4c9f6a29fe4e02 +Merge: d2563ed 8be21b6 +Author: Patrick Schleizer +Date: Wed Jul 24 09:13:48 2024 -0400 + + Merge remote-tracking branch 'ben-grande/fuzz' + +commit 8be21b6eff40fdd3909ef63468463fc52e8bf45f +Author: Ben Grande +Date: Tue Jul 23 19:36:12 2024 +0200 + + Handle newlines in file names + +commit aa99de68d307cd88462665424996d9b730ab5087 +Author: Ben Grande +Date: Tue Jul 23 18:46:47 2024 +0200 + + Log output with defined levels + +commit 06fbcdac1de6f1830d911f05a4f7c14fd522fad4 +Author: Ben Grande +Date: Tue Jul 23 09:55:02 2024 +0200 + + Prettify log messages + +commit 7ee1ea2cc7dd62feee3243d64b414130e68d35e9 
+Author: Ben Grande +Date: Mon Jul 22 17:06:07 2024 +0200 + + Unify functions that evaluate commands + +commit 9c3566f524f748b9f7c98a36b3f2b1064cdba3ed +Author: Ben Grande +Date: Mon Jul 22 16:01:14 2024 +0200 + + Delimit file names with null terminator + +commit d2563ed92317a029340dbb83f30da008b01325f2 +Author: Patrick Schleizer +Date: Sun Jul 21 10:40:14 2024 +0000 + + bumped changelog version + commit 64f8b2eb5870664fca06aa060f2f50af358ced55 Author: Patrick Schleizer Date: Sun Jul 21 06:36:22 2024 -0400 diff --git a/debian/changelog b/debian/changelog index 876e60b..06a9a4c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:38.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 26 Jul 2024 09:40:58 +0000 + security-misc (3:38.3-1) unstable; urgency=medium * New upstream version (local package). From 9f135231ccdc3f6eba27db2e1794eff23f03fc0f Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 26 Jul 2024 06:43:01 -0400 Subject: [PATCH 516/846] no longer disable Intel ME related kernel modules because that might break firmware updates This reverts commit 64f8b2eb5870664fca06aa060f2f50af358ced55. https://github.com/Kicksecure/security-misc/issues/239 --- etc/modprobe.d/30_security-misc_disable.conf | 24 ++++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf index b6cfcbe..d2408af 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf +++ b/etc/modprobe.d/30_security-misc_disable.conf 
@@ -92,18 +92,18 @@ install gnss-usb /usr/bin/disabled-gps-by-security-misc
 ## https://github.com/Kicksecure/security-misc/pull/236#issuecomment-2229092813
 ## https://github.com/Kicksecure/security-misc/issues/239
 ##
-install mei /usr/bin/disabled-intelme-by-security-misc
-install mei-gsc /usr/bin/disabled-intelme-by-security-misc
-install mei_gsc_proxy /usr/bin/disabled-intelme-by-security-misc
-install mei_hdcp /usr/bin/disabled-intelme-by-security-misc
-install mei-me /usr/bin/disabled-intelme-by-security-misc
-install mei_phy /usr/bin/disabled-intelme-by-security-misc
-install mei_pxp /usr/bin/disabled-intelme-by-security-misc
-install mei-txe /usr/bin/disabled-intelme-by-security-misc
-install mei-vsc /usr/bin/disabled-intelme-by-security-misc
-install mei-vsc-hw /usr/bin/disabled-intelme-by-security-misc
-install mei_wdt /usr/bin/disabled-intelme-by-security-misc
-install microread_mei /usr/bin/disabled-intelme-by-security-misc
+#install mei /usr/bin/disabled-intelme-by-security-misc
+#install mei-gsc /usr/bin/disabled-intelme-by-security-misc
+#install mei_gsc_proxy /usr/bin/disabled-intelme-by-security-misc
+#install mei_hdcp /usr/bin/disabled-intelme-by-security-misc
+#install mei-me /usr/bin/disabled-intelme-by-security-misc
+#install mei_phy /usr/bin/disabled-intelme-by-security-misc
+#install mei_pxp /usr/bin/disabled-intelme-by-security-misc
+#install mei-txe /usr/bin/disabled-intelme-by-security-misc
+#install mei-vsc /usr/bin/disabled-intelme-by-security-misc
+#install mei-vsc-hw /usr/bin/disabled-intelme-by-security-misc
+#install mei_wdt /usr/bin/disabled-intelme-by-security-misc
+#install microread_mei /usr/bin/disabled-intelme-by-security-misc
 
 ## Intel Platform Monitoring Technology Telemetry (PMT):
 ## Disable some functionality of the Intel PMT components.
From 9694cf0cd1a225c68d45814e0f4d6995659a0066 Mon Sep 17 00:00:00 2001
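Review bot: The reason the twelve `install mei…` entries are kept as commented-out lines instead of being deleted is stated only in the commit message, so a reader of the file sees a block of dead configuration under two issue links and has to guess whether it is meant to come back. A one-line comment above the block would carry the rationale into the file, e.g. `## Kept for reference, deliberately disabled: blocking the mei modules can break firmware updates, see issue 239 above.` That also tells the next maintainer that uncommenting the block is a known trade-off rather than an oversight.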
From: Patrick Schleizer Date: Fri, 26 Jul 2024 07:43:59 -0400 Subject: [PATCH 517/846] output --- usr/bin/permission-hardener | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 3196cfa..58f8918 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -112,7 +112,7 @@ File name from stat: '${file_name_from_stat}'" >&2 return 1 fi if test -z "${existing_owner}"; then - log error "Existing owner is empty. Stat output: '${stat_output}' | line: '${line}'" >&2 + log error "Existing owner is empty. Stat output: '${stat_output}', line: '${line}'" >&2 return 1 fi if test -z "${existing_group}"; then From 19f131c7426aaa5199504e75aba180a7771a2520 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 26 Jul 2024 08:07:08 -0400 Subject: [PATCH 518/846] code simplification https://github.com/Kicksecure/security-misc/pull/251 --- usr/bin/permission-hardener | 37 +++++++++++-------------------------- 1 file changed, 11 insertions(+), 26 deletions(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 58f8918..98f4824 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -78,7 +78,7 @@ output_stat(){ block_newlines file "${file_name}" declare -a arr - local file_name_from_stat existing_mode existing_owner existing_group stat_output stat_output_newlined + local file_name_from_stat stat_output stat_output_newlined if ! stat_output="$(stat -c "%a${delimiter}%U${delimiter}%G${delimiter}%n${delimiter}" "${file_name}")"; then log error "Failed to run 'stat' on file: '${file_name}'!" >&2 @@ -119,8 +119,6 @@ File name from stat: '${file_name_from_stat}'" >&2 log error "Existing group is empty. Stat output: '${stat_output}', line: '${line}'" >&2 return 1 fi - - (IFS=$'\n'; echo "${arr[*]}") } sanity_tests() { 
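Review bot: Dropping `existing_mode existing_owner existing_group` from the `local` line in the `@@ -78` hunk of output_stat turns them into shell-global variables that the function sets for its callers, but nothing at the changed line says so, and the function header is outside the hunk. A comment makes the contract visible: `## Intentionally not local: existing_mode, existing_owner and existing_group are set here and read by the caller.` It is also worth stating in that comment that on the early `return 1` paths (visible as context in the `@@ -119` hunk) the three variables keep whatever value the previous call left in them.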
@@ -146,18 +144,11 @@ add_nosuid_statoverride_entry() { while IFS="" read -r -d "" file_name; do counter_actual=$((counter_actual + 1)) - declare -a arr - local existing_mode existing_owner existing_group - - readarray -t arr < <(output_stat "${file_name}") - ## Above command creates a subshell that cannot be returned. - if test "${#arr[@]}" = 0; then - continue - fi - - existing_mode="${arr[0]}" - existing_owner="${arr[1]}" - existing_group="${arr[2]}" + ## sets: + ## exiting_mode + ## existing_owner + ## existing_group + output_stat "${file_name}" ## -h file True if file is a symbolic Link. ## -u file True if file has its set-user-id bit set. @@ -419,19 +410,13 @@ set_file_perms() { mode_for_grep="${mode_from_config:1}" fi - declare -a arr - local existing_mode existing_owner existing_group - file_name="${fso_without_trailing_slash}" - readarray -t arr < <(output_stat "${file_name}") - ## Above command creates a subshell that cannot be returned from. - if test "${#arr[@]}" = 0; then - continue - fi - existing_mode="${arr[0]}" - existing_owner="${arr[1]}" - existing_group="${arr[2]}" + ## sets: + ## exiting_mode + ## existing_owner + ## existing_group + output_stat "${file_name}" ## Check there is an entry for the fso. ## From 95722d6d7902367afb44175263a8628df9ad01b2 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 26 Jul 2024 08:13:33 -0400 Subject: [PATCH 519/846] use long option name --- usr/bin/permission-hardener | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 98f4824..a3b68d2 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener 
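Review bot: The `continue` that skipped a file when output_stat failed is removed in both hunks and replaced by the bare call `output_stat "${file_name}"`; output_stat still returns 1 on its error paths, so under `set -o errexit` a single file it cannot stat now aborts the whole run, and if the caller happens to execute in a context where errexit is suppressed, the loop continues with existing_mode/existing_owner/existing_group still holding the previous file's values. `output_stat "${file_name}" || continue` restores the per-file skip here in add_nosuid_statoverride_entry and again in the `@@ -419` hunk of set_file_perms. The new comments in both hunks also misspell the first variable: `## existing_mode`, not `## exiting_mode`. Both enclosing functions extend beyond their hunks.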
@@ -80,7 +80,7 @@ output_stat(){ declare -a arr local file_name_from_stat stat_output stat_output_newlined - if ! stat_output="$(stat -c "%a${delimiter}%U${delimiter}%G${delimiter}%n${delimiter}" "${file_name}")"; then + if ! stat_output="$(stat --format="%a${delimiter}%U${delimiter}%G${delimiter}%n${delimiter}" "${file_name}")"; then log error "Failed to run 'stat' on file: '${file_name}'!" >&2 return 1 fi From 30f46790a4df7662926fa43d44ac34c3286dd590 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 26 Jul 2024 08:21:21 -0400 Subject: [PATCH 520/846] use end of options whenever possible --- usr/bin/permission-hardener | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index a3b68d2..412f3f2 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -80,7 +80,7 @@ output_stat(){ declare -a arr local file_name_from_stat stat_output stat_output_newlined - if ! stat_output="$(stat --format="%a${delimiter}%U${delimiter}%G${delimiter}%n${delimiter}" "${file_name}")"; then + if ! stat_output="$(stat --format="%a${delimiter}%U${delimiter}%G${delimiter}%n${delimiter}" -- "${file_name}")"; then log error "Failed to run 'stat' on file: '${file_name}'!" >&2 return 1 fi @@ -217,7 +217,7 @@ add_nosuid_statoverride_entry() { log info "matchwhite_list_entry unset. Skipping. file_name: '${file_name}'" continue fi - if echo "${file_name}" | grep --quiet --fixed-strings "${matchwhite_list_entry}"; then + if echo "${file_name}" | grep --quiet --fixed-strings -- "${matchwhite_list_entry}"; then is_match_whitelisted="true" log info "is_match_whitelisted=true. Skipping. file_name: '${file_name}'" ## Stop looping through the match_white_list. 
@@ -232,7 +232,7 @@ add_nosuid_statoverride_entry() { log info "disablematch_list_entry unset. Skipping. file_name: '${file_name}'" continue fi - if echo "${file_name}" | grep --quiet --fixed-strings "${disablematch_list_entry}"; then + if echo "${file_name}" | grep --quiet --fixed-strings -- "${disablematch_list_entry}"; then is_disable_whitelisted="true" log info "is_disable_whitelisted=true. Skipping. file_name: '${file_name}'" ## Stop looping through the disablewhitelist. @@ -392,12 +392,12 @@ set_file_perms() { continue fi - if ! grep --quiet --fixed-strings "${owner_from_config}:" "${store_dir}/private/passwd"; then + if ! grep --quiet --fixed-strings -- "${owner_from_config}:" "${store_dir}/private/passwd"; then log error "Owner from config does not exist: '${owner_from_config}'" >&2 continue fi - if ! grep --quiet --fixed-strings "${group_from_config}:" "${store_dir}/private/group"; then + if ! grep --quiet --fixed-strings -- "${group_from_config}:" "${store_dir}/private/group"; then log error "Group from config does not exist: '${group_from_config}'" >&2 continue fi @@ -435,7 +435,7 @@ set_file_perms() { if test "${dpkg_statoverride_list_exit_code}" = "0"; then local grep_line grep_line="${owner_from_config} ${group_from_config} ${mode_for_grep} ${fso_without_trailing_slash}" - if echo "${dpkg_statoverride_list_output}" | grep --quiet --fixed-strings "${grep_line}"; then + if echo "${dpkg_statoverride_list_output}" | grep --quiet --fixed-strings -- "${grep_line}"; then log info "The owner/group/mode matches fso entry. No further action required." else log info "The owner/group/mode does not match fso entry, updating entry." 
@@ -498,22 +498,22 @@ set_file_perms() { ## The value of the capability argument is not permitted for a file. Or ## the file is not a regular (non-symlink) file ## Therefore use echo_wrapper_ignore. - echo_wrapper_ignore verbose setcap -r "${fso}" - getcap_output="$(getcap "${fso}")" + echo_wrapper_ignore verbose setcap -r -- "${fso}" + getcap_output="$(getcap -- "${fso}")" if test -n "${getcap_output}"; then exit_code=205 log error "Removing capabilities failed. File: '${fso}'" >&2 continue fi else - if ! capsh --print | grep --fixed-strings "Bounding set" | grep --quiet "${capability_from_config}"; then + if ! capsh --print | grep --fixed-strings -- "Bounding set" | grep --quiet -- "${capability_from_config}"; then log error "Capability from config does not exist: '${capability_from_config}'" >&2 continue fi ## feature request: dpkg-statoverride: support for capabilities ## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=502580 - echo_wrapper_audit verbose setcap "${capability_from_config}+ep" "${fso}" + echo_wrapper_audit verbose setcap "${capability_from_config}+ep" -- "${fso}" fi done <"${config_file}" @@ -530,7 +530,7 @@ parse_config_folder() { ## Query contents of password and group databases only once and buffer them ## ## If we don't buffer we sometimes get incorrect results when checking for - ## entries using 'if getent passwd | grep --quiet '^root:'; ...' since + ## entries using 'if getent passwd | grep --quiet -- '^root:'; ...' since ## 'grep' exits after the first match in this case causing 'getent' to ## receive SIGPIPE, which then fails the pipeline since 'set -o pipefail' is ## set for this script. From aac450f80836b03478b9e2632afc5a4519f9b37a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 26 Jul 2024 08:22:04 -0400 Subject: [PATCH 521/846] refactoring --- usr/bin/permission-hardener | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
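Review bot: `setcap` parses its arguments positionally (a capability text followed by a file name) and, as far as I know, does not recognise `--` as an end-of-options marker, so `setcap -r -- "${fso}"` and `setcap "${capability_from_config}+ep" -- "${fso}"` would hand the literal `--` to libcap as a file name or capability string; please verify against the installed libcap before relying on this (the getcap check right after the removal would at least catch the first case, the second runs under echo_wrapper_audit). The capability check in the same hunk still uses the config value as an unanchored regular expression: `grep --quiet -- "${capability_from_config}"` matches any capability whose name merely contains the string, while `grep --quiet --fixed-strings --word-regexp -- "${capability_from_config}"` limits it to a whole capability name in the `Bounding set` line. set_file_perms starts and ends outside this hunk.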
diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 412f3f2..34ba038 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -122,8 +122,8 @@ File name from stat: '${file_name_from_stat}'" >&2 } sanity_tests() { - echo_wrapper_audit silent which \ - capsh getcap setcap stat find dpkg-statoverride getent xargs grep 1>/dev/null + echo_wrapper_audit silent \ + which capsh getcap setcap stat find dpkg-statoverride getent xargs grep 1>/dev/null } add_nosuid_statoverride_entry() { From 6f0551b944cbf83d82f7a1a554c4461bc971520b Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 26 Jul 2024 08:23:54 -0400 Subject: [PATCH 522/846] refactoring --- usr/bin/permission-hardener | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 34ba038..d84fd6e 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -123,7 +123,8 @@ File name from stat: '${file_name_from_stat}'" >&2 sanity_tests() { echo_wrapper_audit silent \ - which capsh getcap setcap stat find dpkg-statoverride getent xargs grep 1>/dev/null + which \ + capsh getcap setcap stat find dpkg-statoverride getent xargs grep 1>/dev/null } add_nosuid_statoverride_entry() { From 2b40ea75e9c3f679fd09ae331a56f294c3ac7607 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 26 Jul 2024 08:24:23 -0400 Subject: [PATCH 523/846] cleanup --- usr/bin/permission-hardener | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index d84fd6e..cb51993 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener 
@@ -124,7 +124,7 @@ File name from stat: '${file_name_from_stat}'" >&2 sanity_tests() { echo_wrapper_audit silent \ which \ - capsh getcap setcap stat find dpkg-statoverride getent xargs grep 1>/dev/null + capsh getcap setcap stat find dpkg-statoverride getent grep 1>/dev/null } add_nosuid_statoverride_entry() { From f2c9c2f5d1b59127b22fae4dd4b8bb7a6f98a485 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 26 Jul 2024 08:26:16 -0400 Subject: [PATCH 524/846] output --- usr/bin/permission-hardener | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index cb51993..a11e6a6 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -89,7 +89,7 @@ output_stat(){ readarray -t arr <<< "${stat_output_newlined}" if test "${#arr[@]}" = 0; then - log error "Line is empty. Stat output: '${stat_output}', line: '${line}'" >&2 + log error "Array is empty. Stat output: '${stat_output}', line: '${line}'" >&2 return 1 fi From 8e40c10c319a76e0256c8f135182b0ca7f532f85 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 26 Jul 2024 08:31:17 -0400 Subject: [PATCH 525/846] comment --- usr/bin/permission-hardener | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index a11e6a6..2e1345b 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -6,6 +6,8 @@ ## https://forums.whonix.org/t/disable-suid-binaries/7706 ## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707 +## dpkg-statoverride does not support end-of-options ("--"). + set -o errexit -o nounset -o pipefail exit_code=0 From d96c0633d431dafd034ae8d1ae0ffbb59c49be4a Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Fri, 26 Jul 2024 08:39:11 -0400 Subject: [PATCH 526/846] more use of end of options --- usr/bin/permission-hardener | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 2e1345b..a7f02f4 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -220,7 +220,7 @@ add_nosuid_statoverride_entry() { log info "matchwhite_list_entry unset. Skipping. file_name: '${file_name}'" continue fi - if echo "${file_name}" | grep --quiet --fixed-strings -- "${matchwhite_list_entry}"; then + if echo -- "${file_name}" | grep --quiet --fixed-strings -- "${matchwhite_list_entry}"; then is_match_whitelisted="true" log info "is_match_whitelisted=true. Skipping. file_name: '${file_name}'" ## Stop looping through the match_white_list. @@ -235,7 +235,7 @@ add_nosuid_statoverride_entry() { log info "disablematch_list_entry unset. Skipping. file_name: '${file_name}'" continue fi - if echo "${file_name}" | grep --quiet --fixed-strings -- "${disablematch_list_entry}"; then + if echo -- "${file_name}" | grep --quiet --fixed-strings -- "${disablematch_list_entry}"; then is_disable_whitelisted="true" log info "is_disable_whitelisted=true. Skipping. file_name: '${file_name}'" ## Stop looping through the disablewhitelist. @@ -339,7 +339,7 @@ set_file_perms() { log error "Cannot parse line: '${line}'" >&2 ## Debugging. du -hs /tmp || true - echo "test -w /tmp: '$(test -w /tmp)'" >&2 || true + echo -- "test -w /tmp: '$(test -w /tmp)'" >&2 || true ## Safer to exit with error in this case. ## https://forums.whonix.org/t/disable-suid-binaries/7706/59 exit "${exit_code}" 
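Review bot: `echo` has no end-of-options marker, so `echo -- "${file_name}"` emits the literal text `-- ` followed by the name; the grep pipelines in the `@@ -220` and `@@ -235` hunks then test a different string than the file name, and the `@@ -538`, `@@ -603` and `@@ -674` hunks on the next line write or print the `-- ` prefix as well (the `remove_one` flag file would contain `-- true` instead of `true`, and the cached passwd/group listings gain a prefixed first line). The plain `echo "${file_name}"` these lines had before, or a printf-based helper, is what the call sites need; a leading `-` in the data cannot be neutralised by `--` here. Each enclosing function extends beyond its hunk.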
@@ -438,7 +438,7 @@ set_file_perms() { if test "${dpkg_statoverride_list_exit_code}" = "0"; then local grep_line grep_line="${owner_from_config} ${group_from_config} ${mode_for_grep} ${fso_without_trailing_slash}" - if echo "${dpkg_statoverride_list_output}" | grep --quiet --fixed-strings -- "${grep_line}"; then + if echo -- "${dpkg_statoverride_list_output}" | grep --quiet --fixed-strings -- "${grep_line}"; then log info "The owner/group/mode matches fso entry. No further action required." else log info "The owner/group/mode does not match fso entry, updating entry." @@ -538,9 +538,9 @@ parse_config_folder() { ## receive SIGPIPE, which then fails the pipeline since 'set -o pipefail' is ## set for this script. passwd_file_contents_temp="$(getent passwd)" - echo "${passwd_file_contents_temp}" | tee "${store_dir}/private/passwd" >/dev/null + echo -- "${passwd_file_contents_temp}" | tee -- "${store_dir}/private/passwd" >/dev/null group_file_contents_temp="$(getent group)" - echo "${group_file_contents_temp}" | tee "${store_dir}/private/group" >/dev/null + echo -- "${group_file_contents_temp}" | tee -- "${store_dir}/private/group" >/dev/null #passwd_file_contents="$(cat "${store_dir}/private/passwd")" #group_file_contents="$(cat "${store_dir}/private/group")" @@ -603,9 +603,9 @@ spare() { if test "${remove_file}" = "${file_name}"; then verbose="--verbose" remove_one=true - echo "${remove_one}" | tee "${store_dir}/remove_one" >/dev/null + echo -- "${remove_one}" | tee -- "${store_dir}/remove_one" >/dev/null else - echo "false" | tee "${store_dir}/remove_one" >/dev/null + echo -- "false" | tee -- "${store_dir}/remove_one" >/dev/null continue fi fi @@ -674,7 +674,7 @@ check_root(){ } usage(){ - echo "Usage: ${0##*/} enable + echo -- "Usage: ${0##*/} enable ${0##*/} disable [FILE|all] Examples: From 05504b9ab251ae6e48b5d28eb5fdcd12d730ea8a Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Fri, 26 Jul 2024 08:40:10 -0400 Subject: [PATCH 527/846] minor --- usr/bin/permission-hardener | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index a7f02f4..c12f13f 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -307,6 +307,7 @@ add_nosuid_statoverride_entry() { set_file_perms() { log info "START parsing config file: '${config_file}'" + local line while read -r line || test -n "${line}"; do if test -z "${line}"; then From d144f68d1a06a1153c4178b2f6ba9643dededbb8 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 26 Jul 2024 08:46:08 -0400 Subject: [PATCH 528/846] output --- usr/bin/permission-hardener | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index c12f13f..72f404f 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -91,7 +91,12 @@ output_stat(){ readarray -t arr <<< "${stat_output_newlined}" if test "${#arr[@]}" = 0; then - log error "Array is empty. Stat output: '${stat_output}', line: '${line}'" >&2 + log error "Array is empty. +File name: '${file_name}' +Stat output: '${stat_output}' +stat_output_newlined: '${stat_output_newlined}' +line: '${line}' +" >&2 return 1 fi @@ -102,10 +107,11 @@ output_stat(){ if [ ! "$file_name" = "$file_name_from_stat" ]; then log error "\ -function ${FUNCNAME[1]}: File name is different from file name received from stat: -File name '${file_name}' -File name from stat: '${file_name_from_stat}'" >&2 +File name: '${file_name}' +File name from stat: '${file_name_from_stat}' +line: '${line}' +" >&2 return 1 fi From 0e661bc688c7222840c9d83fb3ccab6549b3ac11 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 26 Jul 2024 08:49:14 -0400 Subject: [PATCH 529/846] output --- usr/bin/permission-hardener | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
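Review bot: The enlarged error messages in both hunks interpolate `${line}`, which output_stat neither receives as a parameter nor assigns; it depends on the caller's variable. In the visible parts of add_nosuid_statoverride_entry `line` is only declared with `local line` and never assigned, and a bash local declared without a value counts as unset, so under `set -o nounset` the log call itself fails with an unbound-variable error and the intended diagnostic is lost. Writing `line: '${line:-}'` keeps the message robust, or pass the line as a second argument. The second hunk also drops the sentence that said what is wrong; keep one descriptive first line such as `log error "File name from stat differs from the requested file name.` ahead of the values. output_stat extends beyond both hunks.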
diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 72f404f..bdc5233 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -91,7 +91,7 @@ output_stat(){ readarray -t arr <<< "${stat_output_newlined}" if test "${#arr[@]}" = 0; then - log error "Array is empty. + log error "Array length is 0. File name: '${file_name}' Stat output: '${stat_output}' stat_output_newlined: '${stat_output_newlined}' From 82d401a7de58b74448113bed36c8f0cc073c7f82 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 26 Jul 2024 08:52:42 -0400 Subject: [PATCH 530/846] sanity test --- usr/bin/permission-hardener | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index bdc5233..dae1fd1 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -87,7 +87,28 @@ output_stat(){ return 1 fi + if [ "$stat_output" = "" ]; then + log error "stat_output is empty. +File name: '${file_name}' +Stat output: '${stat_output}' +stat_output_newlined: '${stat_output_newlined}' +line: '${line}' +" >&2 + return 1 + fi + stat_output_newlined="$(printf '%s\n' "${stat_output//${delimiter}/$'\n'}")" + + if test "${stat_output_newlined}" = ""; then + log error "stat_output_newlined is empty. +File name: '${file_name}' +Stat output: '${stat_output}' +stat_output_newlined: '${stat_output_newlined}' +line: '${line}' +" >&2 + return 1 + fi + readarray -t arr <<< "${stat_output_newlined}" if test "${#arr[@]}" = 0; then From ee037c01a1208b9247c3ae144fa3faa68657ffdb Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 26 Jul 2024 08:58:44 -0400 Subject: [PATCH 531/846] Skip file names starting with '--', because this would be interpreted by dpkg-statoverride as an option. --- usr/bin/permission-hardener | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index dae1fd1..61298e6 100755 
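Review bot: The first added check prints `${stat_output_newlined}` before that variable is assigned (the assignment comes two lines below), and since `local … stat_output_newlined` declares it without a value, `set -o nounset` turns that log call into an unbound-variable error whenever stat_output is empty, so the diagnostic never appears. Drop that line from the first message or initialise the variable up front, e.g. `local stat_output_newlined=""`. The two checks also mix `[ "$stat_output" = "" ]` with `test "${stat_output_newlined}" = ""`; the surrounding code uses `test`. output_stat extends beyond this hunk.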
--- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -79,6 +79,11 @@ output_stat(){ block_newlines file "${file_name}" + if [[ $file_name == --* ]]; then + log warn "File name starts with '--'. This would be interpreted by dpkg-statoverride as an option. Skipping. file_name: '${file_name}'" >&2 + return 1 + fi + declare -a arr local file_name_from_stat stat_output stat_output_newlined From 7e0f1a87010674c63963b70c87e903cf27b288ef Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 26 Jul 2024 09:08:04 -0400 Subject: [PATCH 532/846] dpkg-statoverride can actually handle '--file-name'. --- usr/bin/permission-hardener | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 61298e6..e643ada 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -79,10 +79,11 @@ output_stat(){ block_newlines file "${file_name}" - if [[ $file_name == --* ]]; then - log warn "File name starts with '--'. This would be interpreted by dpkg-statoverride as an option. Skipping. file_name: '${file_name}'" >&2 - return 1 - fi + ## dpkg-statoverride can acttually handle '--file-name'. +# if [[ $file_name == --* ]]; then +# log warn "File name starts with '--'. This would be interpreted by dpkg-statoverride as an option. Skipping. file_name: '${file_name}'" >&2 +# return 1 +# fi declare -a arr local file_name_from_stat stat_output stat_output_newlined From 794f6a25fa87a9d6d796b07ee06b690ea0badc92 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 26 Jul 2024 09:08:29 -0400 Subject: [PATCH 533/846] comment --- usr/bin/permission-hardener | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index e643ada..1c7a12e 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener 
@@ -79,7 +79,7 @@ output_stat(){ block_newlines file "${file_name}" - ## dpkg-statoverride can acttually handle '--file-name'. + ## dpkg-statoverride can actually handle '--file-name'. # if [[ $file_name == --* ]]; then # log warn "File name starts with '--'. This would be interpreted by dpkg-statoverride as an option. Skipping. file_name: '${file_name}'" >&2 # return 1 From 6bbf176e3b91f842cf4cdeaf8cb1f4c60e159a0c Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 26 Jul 2024 09:33:45 -0400 Subject: [PATCH 534/846] consider end-of-options for `find` --- usr/bin/permission-hardener | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 1c7a12e..6dab5c6 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -174,7 +174,7 @@ add_nosuid_statoverride_entry() { while IFS="" read -r -d "" dummy_line; do log info "Test would parse line: '${dummy_line}'" should_be_counter=$((should_be_counter + 1)) - done < <(find "${fso_to_process}" -perm /u=s,g=s -print0) + done < <(printf -- "${fso_to_process}" | find -files0-from - -perm /u=s,g=s -print0) local line while IFS="" read -r -d "" file_name; do @@ -328,7 +328,7 @@ add_nosuid_statoverride_entry() { ## /usr/lib will hit ARG_MAX if using bash 'shopt -s globstar' and '/usr/lib/**'. ## Using 'find' with '-perm /u=s,g=s' is faster and avoids ARG_MAX. ## https://forums.whonix.org/t/disable-suid-binaries/7706/17 - done < <(find "${fso_to_process}" -perm /u=s,g=s -print0) + done < <(printf -- "${fso_to_process}" | find -files0-from - -perm /u=s,g=s -print0) ## Sanity test. if test ! "${should_be_counter}" = "${counter_actual}"; then From 04d9ca1ebe79cae5cce04b6533285b8d1299d692 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 26 Jul 2024 10:16:20 -0400 Subject: [PATCH 535/846] use `find` with `safe_echo_nonewline` --- usr/bin/permission-hardener | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 6dab5c6..43d3789 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -16,6 +16,7 @@ dpkg_admindir_parameter_existing_mode="--admindir ${store_dir}/existing_mode" dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode" delimiter="#permission-hardener-delimiter#" +source /usr/libexec/helper-scripts/safe_echo.sh # shellcheck disable=SC2034 log_level=notice # shellcheck disable=SC1091 @@ -174,7 +175,7 @@ add_nosuid_statoverride_entry() { while IFS="" read -r -d "" dummy_line; do log info "Test would parse line: '${dummy_line}'" should_be_counter=$((should_be_counter + 1)) - done < <(printf -- "${fso_to_process}" | find -files0-from - -perm /u=s,g=s -print0) + done < <(safe_echo_nonewline "${fso_to_process}" | find -files0-from - -perm /u=s,g=s -print0) local line while IFS="" read -r -d "" file_name; do @@ -328,7 +329,7 @@ add_nosuid_statoverride_entry() { ## /usr/lib will hit ARG_MAX if using bash 'shopt -s globstar' and '/usr/lib/**'. ## Using 'find' with '-perm /u=s,g=s' is faster and avoids ARG_MAX. ## https://forums.whonix.org/t/disable-suid-binaries/7706/17 - done < <(printf -- "${fso_to_process}" | find -files0-from - -perm /u=s,g=s -print0) + done < <(safe_echo_nonewline "${fso_to_process}" | find -files0-from - -perm /u=s,g=s -print0) ## Sanity test. if test ! "${should_be_counter}" = "${counter_actual}"; then From 3b033ceba24e5e14056d54710d782397e5c669df Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 26 Jul 2024 10:17:24 -0400 Subject: [PATCH 536/846] shellcheck --- usr/bin/permission-hardener | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 43d3789..3724f92 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener 
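Review bot: `find -files0-from -` reads NUL-terminated starting points, and the helper's name suggests safe_echo_nonewline prints the path with no terminator at all; I am not certain GNU find accepts an unterminated last entry, so this deserves a check, and `printf '%s\0' "${fso_to_process}"` would both terminate the entry and remove the need to source the helper (the helper's behaviour is not visible here, so treat this as a question). `-files0-from` also exists only in findutils 4.9.0 and later, while sanity_tests only checks that `find` is present; a comment such as `## -files0-from requires findutils >= 4.9.0` at the first use, or a probe in sanity_tests, would make that dependency explicit. The same pipeline appears in the `@@ -328` hunk, and add_nosuid_statoverride_entry extends beyond both hunks.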
@@ -16,6 +16,7 @@ dpkg_admindir_parameter_existing_mode="--admindir ${store_dir}/existing_mode" dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode" delimiter="#permission-hardener-delimiter#" +# shellcheck disable=SC1091 source /usr/libexec/helper-scripts/safe_echo.sh # shellcheck disable=SC2034 log_level=notice From ac41d1cfff8b722248a5ef1dfe38a8c704f04134 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 26 Jul 2024 10:25:59 -0400 Subject: [PATCH 537/846] comment --- usr/bin/permission-hardener | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 3724f92..834aaf5 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -177,6 +177,8 @@ add_nosuid_statoverride_entry() { log info "Test would parse line: '${dummy_line}'" should_be_counter=$((should_be_counter + 1)) done < <(safe_echo_nonewline "${fso_to_process}" | find -files0-from - -perm /u=s,g=s -print0) + ## False positive on SC2185 (find without path argument) #1748 + ## https://github.com/koalaman/shellcheck/issues/1748 local line while IFS="" read -r -d "" file_name; do From 6096ed1109a0d5a62a844552fee500ebe66071c8 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 26 Jul 2024 10:26:43 -0400 Subject: [PATCH 538/846] comment --- usr/bin/permission-hardener | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 834aaf5..2818560 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener 
@@ -179,6 +179,10 @@ add_nosuid_statoverride_entry() { done < <(safe_echo_nonewline "${fso_to_process}" | find -files0-from - -perm /u=s,g=s -print0) ## False positive on SC2185 (find without path argument) #1748 ## https://github.com/koalaman/shellcheck/issues/1748 + ## + ## /usr/lib will hit ARG_MAX if using bash 'shopt -s globstar' and '/usr/lib/**'. + ## Using 'find' with '-perm /u=s,g=s' is faster and avoids ARG_MAX. + ## https://forums.whonix.org/t/disable-suid-binaries/7706/17 local line while IFS="" read -r -d "" file_name; do @@ -328,10 +332,6 @@ add_nosuid_statoverride_entry() { ## Not using --update as this is only for recording. # shellcheck disable=SC2086 echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${existing_owner}" "${existing_group}" "${new_mode}" "${file_name}" - - ## /usr/lib will hit ARG_MAX if using bash 'shopt -s globstar' and '/usr/lib/**'. - ## Using 'find' with '-perm /u=s,g=s' is faster and avoids ARG_MAX. - ## https://forums.whonix.org/t/disable-suid-binaries/7706/17 done < <(safe_echo_nonewline "${fso_to_process}" | find -files0-from - -perm /u=s,g=s -print0) ## Sanity test. From 8ec23ed7128580ed0092df43945ba55e94163a6d Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 26 Jul 2024 10:28:57 -0400 Subject: [PATCH 539/846] echo does not support end-of-options --- usr/bin/permission-hardener | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 2818560..84d1a0d 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener 
@@ -261,7 +261,7 @@ add_nosuid_statoverride_entry() { log info "matchwhite_list_entry unset. Skipping. file_name: '${file_name}'" continue fi - if echo -- "${file_name}" | grep --quiet --fixed-strings -- "${matchwhite_list_entry}"; then + if echo "${file_name}" | grep --quiet --fixed-strings -- "${matchwhite_list_entry}"; then is_match_whitelisted="true" log info "is_match_whitelisted=true. Skipping. file_name: '${file_name}'" ## Stop looping through the match_white_list. @@ -276,7 +276,7 @@ add_nosuid_statoverride_entry() { log info "disablematch_list_entry unset. Skipping. file_name: '${file_name}'" continue fi - if echo -- "${file_name}" | grep --quiet --fixed-strings -- "${disablematch_list_entry}"; then + if echo "${file_name}" | grep --quiet --fixed-strings -- "${disablematch_list_entry}"; then is_disable_whitelisted="true" log info "is_disable_whitelisted=true. Skipping. file_name: '${file_name}'" ## Stop looping through the disablewhitelist. @@ -377,7 +377,7 @@ set_file_perms() { log error "Cannot parse line: '${line}'" >&2 ## Debugging. du -hs /tmp || true - echo -- "test -w /tmp: '$(test -w /tmp)'" >&2 || true + echo "test -w /tmp: '$(test -w /tmp)'" >&2 || true ## Safer to exit with error in this case. ## https://forums.whonix.org/t/disable-suid-binaries/7706/59 exit "${exit_code}" @@ -476,7 +476,7 @@ set_file_perms() { if test "${dpkg_statoverride_list_exit_code}" = "0"; then local grep_line grep_line="${owner_from_config} ${group_from_config} ${mode_for_grep} ${fso_without_trailing_slash}" - if echo -- "${dpkg_statoverride_list_output}" | grep --quiet --fixed-strings -- "${grep_line}"; then + if echo "${dpkg_statoverride_list_output}" | grep --quiet --fixed-strings -- "${grep_line}"; then log info "The owner/group/mode matches fso entry. No further action required." else log info "The owner/group/mode does not match fso entry, updating entry." 
@@ -576,9 +576,9 @@ parse_config_folder() { ## receive SIGPIPE, which then fails the pipeline since 'set -o pipefail' is ## set for this script. passwd_file_contents_temp="$(getent passwd)" - echo -- "${passwd_file_contents_temp}" | tee -- "${store_dir}/private/passwd" >/dev/null + echo "${passwd_file_contents_temp}" | tee -- "${store_dir}/private/passwd" >/dev/null group_file_contents_temp="$(getent group)" - echo -- "${group_file_contents_temp}" | tee -- "${store_dir}/private/group" >/dev/null + echo "${group_file_contents_temp}" | tee -- "${store_dir}/private/group" >/dev/null #passwd_file_contents="$(cat "${store_dir}/private/passwd")" #group_file_contents="$(cat "${store_dir}/private/group")" @@ -641,9 +641,9 @@ spare() { if test "${remove_file}" = "${file_name}"; then verbose="--verbose" remove_one=true - echo -- "${remove_one}" | tee -- "${store_dir}/remove_one" >/dev/null + echo "${remove_one}" | tee -- "${store_dir}/remove_one" >/dev/null else - echo -- "false" | tee -- "${store_dir}/remove_one" >/dev/null + echo "false" | tee -- "${store_dir}/remove_one" >/dev/null continue fi fi @@ -712,7 +712,7 @@ check_root(){ } usage(){ - echo -- "Usage: ${0##*/} enable + echo "Usage: ${0##*/} enable ${0##*/} disable [FILE|all] Examples: From e2ae93a9571f2f0c9077ea61436a540a3be5a894 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 26 Jul 2024 10:30:45 -0400 Subject: [PATCH 540/846] port to safe_echo --- usr/bin/permission-hardener | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 84d1a0d..ad6f9b8 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener 
@@ -261,7 +261,7 @@ add_nosuid_statoverride_entry() { log info "matchwhite_list_entry unset. Skipping. file_name: '${file_name}'" continue fi - if echo "${file_name}" | grep --quiet --fixed-strings -- "${matchwhite_list_entry}"; then + if safe_echo "${file_name}" | grep --quiet --fixed-strings -- "${matchwhite_list_entry}"; then is_match_whitelisted="true" log info "is_match_whitelisted=true. Skipping. file_name: '${file_name}'" ## Stop looping through the match_white_list. @@ -276,7 +276,7 @@ add_nosuid_statoverride_entry() { log info "disablematch_list_entry unset. Skipping. file_name: '${file_name}'" continue fi - if echo "${file_name}" | grep --quiet --fixed-strings -- "${disablematch_list_entry}"; then + if safe_echo "${file_name}" | grep --quiet --fixed-strings -- "${disablematch_list_entry}"; then is_disable_whitelisted="true" log info "is_disable_whitelisted=true. Skipping. file_name: '${file_name}'" ## Stop looping through the disablewhitelist. @@ -377,7 +377,7 @@ set_file_perms() { log error "Cannot parse line: '${line}'" >&2 ## Debugging. du -hs /tmp || true - echo "test -w /tmp: '$(test -w /tmp)'" >&2 || true + safe_echo "test -w /tmp: '$(test -w /tmp)'" >&2 || true ## Safer to exit with error in this case. ## https://forums.whonix.org/t/disable-suid-binaries/7706/59 exit "${exit_code}" @@ -386,10 +386,10 @@ set_file_perms() { log info "Parsing line: fso='${fso}' mode_from_config='${mode_from_config}' owner_from_config='${owner_from_config}' group_from_config='${group_from_config}' capability_from_config='${capability_from_config}'" ## Debugging. - #echo "line: '${line}'" - #echo "fso: '${fso}'" - #echo "mode_from_config: '${mode_from_config}'" - #echo "owner_from_config: '${owner_from_config}'" + #safe_echo "line: '${line}'" + #safe_echo "fso: '${fso}'" + #safe_echo "mode_from_config: '${mode_from_config}'" + #safe_echo "owner_from_config: '${owner_from_config}'" local fso_without_trailing_slash fso_without_trailing_slash="${fso%/}" 
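Review bot: In the -377 hunk, `safe_echo "test -w /tmp: '$(test -w /tmp)'" >&2` can never print anything useful: `test` writes nothing to stdout, so the substitution is always empty and the debug line always reads `test -w /tmp: ''`, with the trailing `|| true` guarding nothing. If the intent is to record whether /tmp is writable before bailing out, capture the result instead: `if test -w /tmp; then safe_echo "test -w /tmp: yes" >&2; else safe_echo "test -w /tmp: no" >&2; fi`. The defect predates this commit, but the line is rewritten here so it is the natural place to fix it. set_file_perms starts before and ends after this hunk.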
@@ -476,7 +476,7 @@ set_file_perms() { if test "${dpkg_statoverride_list_exit_code}" = "0"; then local grep_line grep_line="${owner_from_config} ${group_from_config} ${mode_for_grep} ${fso_without_trailing_slash}" - if echo "${dpkg_statoverride_list_output}" | grep --quiet --fixed-strings -- "${grep_line}"; then + if safe_echo "${dpkg_statoverride_list_output}" | grep --quiet --fixed-strings -- "${grep_line}"; then log info "The owner/group/mode matches fso entry. No further action required." else log info "The owner/group/mode does not match fso entry, updating entry." @@ -576,9 +576,9 @@ parse_config_folder() { ## receive SIGPIPE, which then fails the pipeline since 'set -o pipefail' is ## set for this script. passwd_file_contents_temp="$(getent passwd)" - echo "${passwd_file_contents_temp}" | tee -- "${store_dir}/private/passwd" >/dev/null + safe_echo "${passwd_file_contents_temp}" | tee -- "${store_dir}/private/passwd" >/dev/null group_file_contents_temp="$(getent group)" - echo "${group_file_contents_temp}" | tee -- "${store_dir}/private/group" >/dev/null + safe_echo "${group_file_contents_temp}" | tee -- "${store_dir}/private/group" >/dev/null #passwd_file_contents="$(cat "${store_dir}/private/passwd")" #group_file_contents="$(cat "${store_dir}/private/group")" @@ -641,9 +641,9 @@ spare() { if test "${remove_file}" = "${file_name}"; then verbose="--verbose" remove_one=true - echo "${remove_one}" | tee -- "${store_dir}/remove_one" >/dev/null + safe_echo "${remove_one}" | tee -- "${store_dir}/remove_one" >/dev/null else - echo "false" | tee -- "${store_dir}/remove_one" >/dev/null + safe_echo "false" | tee -- "${store_dir}/remove_one" >/dev/null continue fi fi @@ -712,7 +712,7 @@ check_root(){ } usage(){ - echo "Usage: ${0##*/} enable + safe_echo "Usage: ${0##*/} enable ${0##*/} disable [FILE|all] Examples: From 330cf14eab248d035fa467dba4f7bc3eb92a33bb Mon Sep 17 00:00:00 2001 
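Review bot: The dpkg-statoverride lookup in the -476 hunk is a substring match: `grep --quiet --fixed-strings` without `--line-regexp` means a `grep_line` ending in `/usr/bin/su` also matches an existing override for `/usr/bin/sudo`, so the script can log "No further action required" for a file whose override was never recorded. Given that `grep_line` is built as one `owner group mode path` record, anchoring the whole line is the fix: `if safe_echo "${dpkg_statoverride_list_output}" | grep --quiet --fixed-strings --line-regexp -- "${grep_line}"; then`. That presumes `mode_for_grep` is formatted exactly as dpkg-statoverride prints it, which the hunk does not show — worth confirming before tightening the match. set_file_perms continues outside the hunk.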
From: Patrick Schleizer Date: Fri, 26 Jul 2024 15:40:24 +0000 Subject: [PATCH 541/846] bumped changelog version --- changelog.upstream | 253 +++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++ 2 files changed, 259 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 9095f50..7954835 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,238 @@ +commit 62bb4bc6269a0603c15f1efaad7ca365ea15c9d7 +Merge: 7969e86 886f609 +Author: Patrick Schleizer +Date: Fri Jul 26 11:10:25 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 886f6095dba71d76d5fd98277374417657e0cd31 +Merge: 7969e86 ed33366 +Author: Patrick Schleizer +Date: Fri Jul 26 11:08:30 2024 -0400 + + Merge pull request #250 from raja-grewal/Panik-Kalm + + Add details on "oopes" and kernel panics + +commit 7969e8607160eae0cb5a3adddeec8d07c1d6e097 +Merge: e2ae93a 0318f57 +Author: Patrick Schleizer +Date: Fri Jul 26 11:06:13 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 0318f577ab554ae2ac0f9417b18134723ea2b580 +Merge: e2ae93a 4397de0 +Author: Patrick Schleizer +Date: Fri Jul 26 11:04:29 2024 -0400 + + Merge pull request #246 from raja-grewal/cfi + + Provide the option to change the default CFI implementation in the future + +commit e2ae93a9571f2f0c9077ea61436a540a3be5a894 +Author: Patrick Schleizer +Date: Fri Jul 26 10:30:45 2024 -0400 + + port to safe_echo + +commit 8ec23ed7128580ed0092df43945ba55e94163a6d +Author: Patrick Schleizer +Date: Fri Jul 26 10:28:57 2024 -0400 + + echo does not support end-of-options + +commit 6096ed1109a0d5a62a844552fee500ebe66071c8 +Author: Patrick Schleizer +Date: Fri Jul 26 10:26:43 2024 -0400 + + comment + +commit ac41d1cfff8b722248a5ef1dfe38a8c704f04134 +Author: Patrick Schleizer +Date: Fri Jul 26 10:25:59 2024 -0400 + + comment + +commit 3b033ceba24e5e14056d54710d782397e5c669df +Author: Patrick Schleizer +Date: Fri Jul 26 10:17:24 2024 -0400 + + shellcheck + +commit 04d9ca1ebe79cae5cce04b6533285b8d1299d692 +Author: Patrick Schleizer +Date: Fri Jul 26 10:16:20 2024 -0400 + + use `find` with `safe_echo_nonewline` + +commit 6bbf176e3b91f842cf4cdeaf8cb1f4c60e159a0c +Author: Patrick Schleizer +Date: Fri Jul 26 09:33:45 2024 -0400 + + consider end-of-options for `find` + +commit 794f6a25fa87a9d6d796b07ee06b690ea0badc92 +Author: Patrick Schleizer 
+Date: Fri Jul 26 09:08:29 2024 -0400 + + comment + +commit 7e0f1a87010674c63963b70c87e903cf27b288ef +Author: Patrick Schleizer +Date: Fri Jul 26 09:08:04 2024 -0400 + + dpkg-statoverride can actually handle '--file-name'. + +commit ee037c01a1208b9247c3ae144fa3faa68657ffdb +Author: Patrick Schleizer +Date: Fri Jul 26 08:58:44 2024 -0400 + + Skip file names starting with '--', + + because this would be interpreted by dpkg-statoverride as an option. + +commit 82d401a7de58b74448113bed36c8f0cc073c7f82 +Author: Patrick Schleizer +Date: Fri Jul 26 08:52:42 2024 -0400 + + sanity test + +commit 0e661bc688c7222840c9d83fb3ccab6549b3ac11 +Author: Patrick Schleizer +Date: Fri Jul 26 08:49:14 2024 -0400 + + output + +commit d144f68d1a06a1153c4178b2f6ba9643dededbb8 +Author: Patrick Schleizer +Date: Fri Jul 26 08:46:08 2024 -0400 + + output + +commit 05504b9ab251ae6e48b5d28eb5fdcd12d730ea8a +Author: Patrick Schleizer +Date: Fri Jul 26 08:40:10 2024 -0400 + + minor + +commit d96c0633d431dafd034ae8d1ae0ffbb59c49be4a +Author: Patrick Schleizer +Date: Fri Jul 26 08:39:11 2024 -0400 + + more use of end of options + +commit 8e40c10c319a76e0256c8f135182b0ca7f532f85 +Author: Patrick Schleizer +Date: Fri Jul 26 08:31:17 2024 -0400 + + comment + +commit f2c9c2f5d1b59127b22fae4dd4b8bb7a6f98a485 +Author: Patrick Schleizer +Date: Fri Jul 26 08:26:16 2024 -0400 + + output + +commit 2b40ea75e9c3f679fd09ae331a56f294c3ac7607 +Author: Patrick Schleizer +Date: Fri Jul 26 08:24:23 2024 -0400 + + cleanup + +commit 6f0551b944cbf83d82f7a1a554c4461bc971520b +Author: Patrick Schleizer +Date: Fri Jul 26 08:23:54 2024 -0400 + + refactoring + +commit aac450f80836b03478b9e2632afc5a4519f9b37a +Author: Patrick Schleizer +Date: Fri Jul 26 08:22:04 2024 -0400 + + refactoring + +commit 30f46790a4df7662926fa43d44ac34c3286dd590 +Author: Patrick Schleizer +Date: Fri Jul 26 08:21:21 2024 -0400 + + use end of options whenever possible + +commit 95722d6d7902367afb44175263a8628df9ad01b2 +Author: Patrick Schleizer +Date: 
Fri Jul 26 08:13:33 2024 -0400 + + use long option name + +commit 19f131c7426aaa5199504e75aba180a7771a2520 +Author: Patrick Schleizer +Date: Fri Jul 26 08:07:08 2024 -0400 + + code simplification + + https://github.com/Kicksecure/security-misc/pull/251 + +commit 9694cf0cd1a225c68d45814e0f4d6995659a0066 +Author: Patrick Schleizer +Date: Fri Jul 26 07:43:59 2024 -0400 + + output + +commit bdfe764f9d805b14dca4196e623e81ce95145d9b +Merge: 9f13523 652a06c +Author: Patrick Schleizer +Date: Fri Jul 26 07:19:05 2024 -0400 + + Merge remote-tracking branch 'ben-grande/stat-dedup' + +commit 9f135231ccdc3f6eba27db2e1794eff23f03fc0f +Author: Patrick Schleizer +Date: Fri Jul 26 06:43:01 2024 -0400 + + no longer disable Intel ME related kernel modules + + because that might break firmware updates + + This reverts commit 64f8b2eb5870664fca06aa060f2f50af358ced55. + + https://github.com/Kicksecure/security-misc/issues/239 + +commit f616da7c0690fc0dffc21be59174ed8754ec55fb +Author: Patrick Schleizer +Date: Fri Jul 26 09:40:59 2024 +0000 + + bumped changelog version + +commit 4397de0138dac47aee66570fcfe4ef38c8179321 +Author: Raja Grewal +Date: Fri Jul 26 11:30:46 2024 +1000 + + Update description of `cfi=kcfi` kerenel parameter + +commit 652a06c8e9f841e043cc5b5fb030b149cb70dc85 +Author: Ben Grande +Date: Thu Jul 25 12:37:21 2024 +0200 + + Only print SUID or SGID values when set + +commit 3b8a3f9b832ee1eee959fbcce8b5eed417d4712e +Author: Ben Grande +Date: Thu Jul 25 12:20:16 2024 +0200 + + Unduplicate stat call + +commit ed3336694ce35614ab47db42bce29d3c69d46752 +Author: Raja Grewal +Date: Thu Jul 25 10:28:27 2024 +1000 + + Provide the option to immediately reboot on a kernel panics + +commit 3926b91dcf371377d38c747e5c7718ac2fed3c83 +Author: Raja Grewal +Date: Thu Jul 25 10:26:23 2024 +1000 + + Add documentation on `sysctl kernel.panic_on_oops=1` + commit 9231f058911ab9059e91c4c0c1677ef66b5bb666 Author: Patrick Schleizer Date: Wed Jul 24 13:31:49 2024 -0400 
@@ -128,6 +363,12 @@ Date: Wed Jul 24 10:56:08 2024 -0400 for more robust string parsing +commit 1135d34ab334c9b39e51a147dc94df568f982512 +Author: Raja Grewal +Date: Wed Jul 24 23:33:36 2024 +1000 + + Reword description of `cfi=kcfi` kerenel parameter + commit 7200e9bd8c793f5ea30c3448fd03fbd38c6292b5 Author: Patrick Schleizer Date: Wed Jul 24 09:15:02 2024 -0400 @@ -159,6 +400,12 @@ Date: Tue Jul 23 09:55:02 2024 +0200 Prettify log messages +commit fb494c2ba5b7fd0f864a59896710d9cddf92b458 +Author: Raja Grewal +Date: Tue Jul 23 13:12:13 2024 +1000 + + Update docs relating to the `cfi=kcfi` kernel parameter + commit 7ee1ea2cc7dd62feee3243d64b414130e68d35e9 Author: Ben Grande Date: Mon Jul 22 17:06:07 2024 +0200 @@ -171,6 +418,12 @@ Date: Mon Jul 22 16:01:14 2024 +0200 Delimit file names with null terminator +commit d6fc71dba78a9c871015ebdde3bef61943369b47 +Author: Raja Grewal +Date: Mon Jul 22 17:26:00 2024 +1000 + + Add option to switch (back) to using kCFI in the future + commit d2563ed92317a029340dbb83f30da008b01325f2 Author: Patrick Schleizer Date: Sun Jul 21 10:40:14 2024 +0000 diff --git a/debian/changelog b/debian/changelog index 06a9a4c..6249588 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:38.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 26 Jul 2024 15:40:23 +0000 + security-misc (3:38.4-1) unstable; urgency=medium * New upstream version (local package). From 1c9f33f90606fb930744f1b9afc11caf87626194 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sat, 27 Jul 2024 13:24:08 +1000 Subject: [PATCH 542/846] Revert "Disable the usage of `ptrace()` by all processes" This reverts commit b04828f858fa6d101099773d3156841fd6d33b6f. --- README.md | 5 +++-- usr/lib/sysctl.d/990-security-misc.conf | 6 ++++-- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index cbd2530..b6aa965 100644 --- a/README.md +++ b/README.md 
@@ -45,8 +45,9 @@ space, user space, core dumps, and swap space. - Disable asynchronous I/O (when using Linux kernel version >= 6.6). -- Disable the usage of `ptrace()` by all processes as it enables programs to - inspect and modify other active processes. +- Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it + enables programs to inspect and modify other active processes. Provide the + option to entirely disable the use of `ptrace()` for all processes. - Prevent hardlink and symlink TOCTOU races in world-writable directories. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 1131b77..60440e5 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -128,7 +128,7 @@ kernel.io_uring_disabled=2 ## ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace -## Disable the usage of ptrace() system calls by all processes. +## Restrict usage of the ptrace() system call to only processes with CAP_SYS_PTRACE. ## Limit ptrace() as it enables programs to inspect and modify other active processes. ## Prevents native code debugging which some programs use as a method to detect tampering. ## May cause breakages in 'anti-cheat' software and programs running under Proton/WINE. @@ -139,7 +139,9 @@ kernel.io_uring_disabled=2 ## https://github.com/GrapheneOS/os-issue-tracker/issues/651#issuecomment-917599928 ## https://github.com/netblue30/firejail/issues/2860 ## -kernel.yama.ptrace_scope=3 +## It is possible to harden further by disabling ptrace() for all users, see documentation. +## +kernel.yama.ptrace_scope=2 ## Maximize bits of entropy for improved effectiveness of mmap ASLR. ## The maximum number of bits depends on CPU architecture (the ones shown below are for x86). From 73979d4342dae2017be52d5182bb66fa28be398d Mon Sep 17 00:00:00 2001 
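Review bot: The new comment in the -139 hunk invites readers to "harden further" with value 3 but omits the operational difference that matters most: `kernel.yama.ptrace_scope=3` is a one-way latch — once set, the kernel refuses to lower it until reboot — whereas the `2` chosen here can be relaxed by root at runtime. That caveat is exactly what justifies 2 as the default for a general-purpose package and what an admin needs before following the link. I would add `## Note: value 3 cannot be lowered again at runtime (reboot required), unlike value 2.` directly above the PR link. The README wording in the -45 hunk ("only processes with CAP_SYS_PTRACE") matches value 2, so no change is needed there.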
From: Raja Grewal Date: Sat, 27 Jul 2024 13:28:59 +1000 Subject: [PATCH 543/846] Link to `ptrace()` discussion --- usr/lib/sysctl.d/990-security-misc.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 60440e5..9a95486 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -140,6 +140,7 @@ kernel.io_uring_disabled=2 ## https://github.com/netblue30/firejail/issues/2860 ## ## It is possible to harden further by disabling ptrace() for all users, see documentation. +## https://github.com/Kicksecure/security-misc/pull/242 ## kernel.yama.ptrace_scope=2 From 144545762674e914046bb94100237329320e8ece Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sat, 27 Jul 2024 14:00:30 +1000 Subject: [PATCH 544/846] Show details regarding `secure_redirects` (again) --- README.md | 3 ++- usr/lib/sysctl.d/990-security-misc.conf | 6 ++++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 02fd18e..5e029c8 100644 --- a/README.md +++ b/README.md @@ -72,7 +72,8 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6. from all interfaces to prevent IP spoofing. - Disable ICMP redirect acceptance and redirect sending messages to - prevent man-in-the-middle attacks and minimize information disclosure. + prevent man-in-the-middle attacks and minimize information disclosure. If + ICMP redirect messages are permitted, only do so from approved gateways. - Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 8fe680c..39d0539 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf 
@@ -272,6 +272,12 @@ net.ipv4.conf.default.send_redirects=0 net.ipv6.conf.all.accept_redirects=0 net.ipv6.conf.default.accept_redirects=0 +## Accept ICMP redirect messages only for approved gateways. +## If ICMP redirect messages are permitted, only useful if managing a default gateway list. +## +net.ipv4.conf.all.secure_redirects=1 +net.ipv4.conf.default.secure_redirects=1 + ## Ignore ICMP echo requests. ## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks. ## From e86b2e7f8fcda5727b158579610cb6a0354e89cf Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 27 Jul 2024 12:13:18 -0400 Subject: [PATCH 545/846] output --- debian/security-misc.postinst | 2 -- 1 file changed, 2 deletions(-) diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst index 6dd7738..e232778 100644 --- a/debian/security-misc.postinst +++ b/debian/security-misc.postinst @@ -36,12 +36,10 @@ permission_hardening() { echo "Running SUID Disabler and Permission Hardener... See also:" echo "https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener" echo "$0: INFO: running: permission-hardener enable" - echo "" if ! permission-hardener enable ; then echo "$0: ERROR: Permission hardening failed." >&2 return 0 fi - echo "" echo "$0: INFO: Permission hardening success." } From e60ce50d30c8981f13d8bab1d6ca8b8efb9d8928 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 27 Jul 2024 16:13:35 +0000 Subject: [PATCH 546/846] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 7954835..c6f06d8 100644 --- a/changelog.upstream +++ b/changelog.upstream 
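Review bot: `net.ipv4.conf.*.secure_redirects=1` in this hunk has no effect while `accept_redirects=0` is set a few lines above, and 1 is already the kernel default, so as written it changes nothing on a stock system. Keeping it as defence in depth for anyone who later turns redirects back on is reasonable, but the comment should say so explicitly, e.g. `## No effect while accept_redirects=0 above; kept so that re-enabling redirects only trusts gateways in the default gateway list.`. There is no IPv6 counterpart to secure_redirects, so an admin who re-enables `net.ipv6.conf.*.accept_redirects` gets no equivalent protection — worth one more line here.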
@@ -1,3 +1,15 @@ +commit e86b2e7f8fcda5727b158579610cb6a0354e89cf +Author: Patrick Schleizer +Date: Sat Jul 27 12:13:18 2024 -0400 + + output + +commit 330cf14eab248d035fa467dba4f7bc3eb92a33bb +Author: Patrick Schleizer +Date: Fri Jul 26 15:40:24 2024 +0000 + + bumped changelog version + commit 62bb4bc6269a0603c15f1efaad7ca365ea15c9d7 Merge: 7969e86 886f609 Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index 6249588..07496aa 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:38.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 27 Jul 2024 16:13:34 +0000 + security-misc (3:38.5-1) unstable; urgency=medium * New upstream version (local package). From 9fbee9fc82768c3b436307459d174378ee471335 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sun, 28 Jul 2024 21:57:25 +1000 Subject: [PATCH 547/846] Clarify --- usr/lib/sysctl.d/990-security-misc.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 334fb68..9b350d3 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf 
@@ -195,8 +195,8 @@ vm.max_map_count=1048576 ## Disable the miscellaneous binary format virtual file system to prevent unintended code execution. ## Prevents registering interpreters for various binary formats based on a magic number or their file extension. -## If arbitrary executable file formats are recognised, they will be passed to relevant user space applications. -## These interpreters will run with root permissions when a setuid binary is owned by root. +## Otherwise arbitrary executables with recognized file formats will be passed to relevant user space applications. +## These interpreters will the run with root permissions when a setuid binary is owned by root. ## Can stop maliciously crafted files with specific file extensions from automatically executing. ## Breaks many scripts that do not have appropriate shebang interpreter directives (#!/bin/...). ## From d2d024ebe9a371eaf90b7b72f8a227e5d2e9babe Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sun, 28 Jul 2024 22:03:33 +1000 Subject: [PATCH 548/846] Typo --- usr/lib/sysctl.d/990-security-misc.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 9b350d3..adb80c7 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf 
@@ -196,7 +196,7 @@ vm.max_map_count=1048576 ## Disable the miscellaneous binary format virtual file system to prevent unintended code execution. ## Prevents registering interpreters for various binary formats based on a magic number or their file extension. ## Otherwise arbitrary executables with recognized file formats will be passed to relevant user space applications. -## These interpreters will the run with root permissions when a setuid binary is owned by root. +## These interpreters will thn run with root permissions when a setuid binary is owned by root. ## Can stop maliciously crafted files with specific file extensions from automatically executing. ## Breaks many scripts that do not have appropriate shebang interpreter directives (#!/bin/...). ## From 9cabaa1bd15a0639c87bf2e965755d06ff0a7bb4 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sun, 28 Jul 2024 22:04:30 +1000 Subject: [PATCH 549/846] Typo --- usr/lib/sysctl.d/990-security-misc.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index adb80c7..747ca67 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf 
@@ -196,7 +196,7 @@ vm.max_map_count=1048576 ## Disable the miscellaneous binary format virtual file system to prevent unintended code execution. ## Prevents registering interpreters for various binary formats based on a magic number or their file extension. ## Otherwise arbitrary executables with recognized file formats will be passed to relevant user space applications. -## These interpreters will thn run with root permissions when a setuid binary is owned by root. +## These interpreters will then run with root permissions when a setuid binary is owned by root. ## Can stop maliciously crafted files with specific file extensions from automatically executing. ## Breaks many scripts that do not have appropriate shebang interpreter directives (#!/bin/...). ## From de6f3ea74a5a1408e4351c955ecb7010825364c5 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 28 Jul 2024 20:50:22 +0000 Subject: [PATCH 550/846] bumped changelog version --- changelog.upstream | 42 ++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 48 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index c6f06d8..934cc7d 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,9 +1,45 @@ +commit d036094089e3e3a74df981c50882481273fcb6c0 +Merge: e60ce50 0f86fbd +Author: Patrick Schleizer +Date: Sun Jul 28 15:44:40 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 0f86fbd8ceea3157ee035eb9f4a0ff13024f1bc9 +Merge: e60ce50 73979d4 +Author: Patrick Schleizer +Date: Sun Jul 28 15:43:54 2024 -0400 + + Merge pull request #242 from raja-grewal/ptrace + + Disable the usage of `ptrace()` by all processes + +commit e60ce50d30c8981f13d8bab1d6ca8b8efb9d8928 +Author: Patrick Schleizer +Date: Sat Jul 27 16:13:35 2024 +0000 + + bumped changelog version + commit e86b2e7f8fcda5727b158579610cb6a0354e89cf Author: Patrick Schleizer Date: Sat Jul 27 12:13:18 2024 -0400 output +commit 73979d4342dae2017be52d5182bb66fa28be398d +Author: Raja Grewal +Date: Sat Jul 27 13:28:59 2024 +1000 + + Link to `ptrace()` discussion + +commit 1c9f33f90606fb930744f1b9afc11caf87626194 +Author: Raja Grewal +Date: Sat Jul 27 13:24:08 2024 +1000 + + Revert "Disable the usage of `ptrace()` by all processes" + + This reverts commit b04828f858fa6d101099773d3156841fd6d33b6f. + commit 330cf14eab248d035fa467dba4f7bc3eb92a33bb Author: Patrick Schleizer Date: Fri Jul 26 15:40:24 2024 +0000 @@ -558,6 +594,12 @@ Date: Thu Jul 18 12:19:27 2024 +1000 Typos +commit b04828f858fa6d101099773d3156841fd6d33b6f +Author: Raja Grewal +Date: Thu Jul 18 11:01:41 2024 +1000 + + Disable the usage of `ptrace()` by all processes + commit d454f36c63bd653e47353fb1c93107b2d5584fe2 Author: Patrick Schleizer Date: Wed Jul 17 11:52:29 2024 -0400 diff --git a/debian/changelog b/debian/changelog index 07496aa..5d90f8d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:38.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 28 Jul 2024 20:50:21 +0000 + security-misc (3:38.6-1) unstable; urgency=medium * New upstream version (local package). 
From e53d24fc48b51a21fc182cc59890e97a1d7ac647 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sat, 3 Aug 2024 00:09:42 +1000 Subject: [PATCH 551/846] Add missing GRUB command lines for disabled boot parameters --- etc/default/grub.d/40_kernel_hardening.cfg | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 172c3c8..f36dac0 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -135,7 +135,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## TODO: Debian 13 Trixie ## Applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness). ## -#cfi=kcfi +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX cfi=kcfi" ## Disable support for x86 processes and syscalls. ## Unconditionally disables IA32 emulation to substantially reduce attack surface. @@ -144,7 +144,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## ## Applicable when using Linux kernel >= 6.7 (retained here for future-proofing and completeness). ## -#ia32_emulation=0 +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0" ## 2. Direct Memory Access: ## @@ -222,4 +222,4 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy" ## ## Enabling makes redundant many network hardening sysctl's in /usr/lib/sysctl.d/990-security-misc.conf. ## -#ipv6.disable=1 +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ipv6.disable=1" From f6a16258a116ce5c5f4f6bad9d8ab9b6e1ec6bb7 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sat, 3 Aug 2024 00:11:06 +1000 Subject: [PATCH 552/846] Add references to KSPP --- etc/default/grub.d/40_kernel_hardening.cfg | 1 + usr/lib/sysctl.d/990-security-misc.conf | 1 + 2 files changed, 2 insertions(+) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index f36dac0..b1b3055 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg 
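Review bot: Turning the bare `ipv6.disable=1` into a proper commented `GRUB_CMDLINE_LINUX` line makes it a copy-and-uncomment option, but its comment omits a side effect a practitioner will hit: with IPv6 disabled in the kernel, `/proc/sys/net/ipv6` does not exist, so every `net.ipv6.*` key in 990-security-misc.conf fails to apply and systemd-sysctl logs an error for each at boot (harmless, as far as I can tell, but noisy and alarming). I would add `## If enabled, the net.ipv6.* keys in /usr/lib/sysctl.d/990-security-misc.conf cannot be applied and are logged as errors at boot.` above the line. Prefixing those sysctl keys with `-` (systemd-sysctl's ignore-failure marker) would be the companion change if this option is expected to be used.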
+++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -18,6 +18,7 @@ kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || tru ## 1. Kernel Space: ## ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#boot-parameters +## https://kspp.github.io/Recommended_Settings#kernel-command-line-options ## Disable merging of slabs with similar size. ## Reduces the risk of triggering heap overflows. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 40ab0ff..e795339 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -23,6 +23,7 @@ ## 1. Kernel Space: ## ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel +## https://kspp.github.io/Recommended_Settings#sysctls ## https://wiki.archlinux.org/title/Security#Kernel_hardening ## Restrict kernel address visibility via /proc and other interfaces, regardless of user privileges. From 9099ecce8ae12352f2b739d3d7adf6069488ff49 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sat, 3 Aug 2024 00:12:50 +1000 Subject: [PATCH 553/846] Provide option to enable the kernel Electric-Fence --- README.md | 4 ++++ etc/default/grub.d/40_kernel_hardening.cfg | 9 +++++++++ 2 files changed, 13 insertions(+) diff --git a/README.md b/README.md index b6a6c60..b23f852 100644 --- a/README.md +++ b/README.md @@ -141,6 +141,10 @@ configuration file. - Provide the option to modify machine check exception handler. +- Provide the option to enable the kernel Electric-Fence sampling-based memory + safety error detector which can identify heap out-of-bounds access, use-after-free, + and invalid-free errors. + - Provide the option to use kCFI as the default CFI implementation since it may be slightly more resilient to attacks that are able to write arbitrary executables in memory (when using Linux kernel version >= 6.2). 
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index b1b3055..390f75b 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -113,6 +113,15 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX loglevel=0" #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet" +## Enable the kernel "Electric-Fence" sampling-based memory safety error detector. +## KFENCE detects heap out-of-bounds access, use-after-free, and invalid-free errors. +## Aims to have very low processing overhead at each sampling interval +## Sampling interval is set to occur every 100 milliseconds as per KSPP recommendation. +## +## https://www.kernel.org/doc/html/latest/dev-tools/kfence.html +## +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100" + ## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation. ## The default implementation is FIneIBT as of Linux kernel 6.2. ## The Intel-developed IBT (Indirect Branch Tracking) is only used if supported by the CPU. From 52aeacb4da4a8458b0ffdc1ade4094a178def6f4 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sat, 3 Aug 2024 00:13:38 +1000 Subject: [PATCH 554/846] Provide option to disable 32 bit vDSO mappings --- README.md | 2 ++ etc/default/grub.d/40_kernel_hardening.cfg | 8 ++++++++ 2 files changed, 10 insertions(+) diff --git a/README.md b/README.md index b23f852..457fe0e 100644 --- a/README.md +++ b/README.md @@ -145,6 +145,8 @@ configuration file. safety error detector which can identify heap out-of-bounds access, use-after-free, and invalid-free errors. +- Provide the option to disable 32 bit vDSO mappings. + - Provide the option to use kCFI as the default CFI implementation since it may be slightly more resilient to attacks that are able to write arbitrary executables in memory (when using Linux kernel version >= 6.2). 
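Review bot: The new comment block presents KFENCE as a hardening option, but KFENCE is a sampling detector: it catches the listed errors only for the small fraction of allocations that land on its guard pages and reports them to dmesg; it does not stop the faulting access, so this is diagnostics rather than a mitigation and the block should say so. Two practical points are also missing: the parameter does nothing unless the running kernel was built with CONFIG_KFENCE, and a KFENCE report escalates to a full panic when `panic_on_warn` is active — relevant given this package's panic-on-oops tooling. I would add `## Detection only: sampled errors are reported to dmesg, not blocked. Requires CONFIG_KFENCE; a report becomes a panic if kernel.panic_on_warn=1.` to the block, and finish `Aims to have very low processing overhead at each sampling interval` with a period.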
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 390f75b..d34f0ca 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -122,6 +122,14 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100" +## Disable x86 Virtual Dynamic Shared Object (vDSO) mappings. +## +## https://en.wikipedia.org/wiki/VDSO +## +## The use of 32 bit vDSO mappings is currently enabled. +## +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0" + ## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation. ## The default implementation is FIneIBT as of Linux kernel 6.2. ## The Intel-developed IBT (Indirect Branch Tracking) is only used if supported by the CPU. From ca2179bb6a01e3ebbb1e04e3507cc305f25bca4e Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sat, 3 Aug 2024 00:25:49 +1000 Subject: [PATCH 555/846] Provide the option to disable legacy TIOCSTI operation --- README.md | 3 +++ usr/lib/sysctl.d/990-security-misc.conf | 7 +++++++ 2 files changed, 10 insertions(+) diff --git a/README.md b/README.md index 457fe0e..42fba56 100644 --- a/README.md +++ b/README.md @@ -47,6 +47,9 @@ space, user space, core dumps, and swap space. - Randomize the addresses (ASLR) for mmap base, stack, VDSO pages, and heap. +- Provide the option to disable the use of legacy TIOCSTI operation which can be + used to inject keypresses. + - Disable asynchronous I/O as `io_uring` has been the source of numerous kernel exploits (when using Linux kernel version >= 6.6). diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index e795339..ef550e4 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf 
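Review bot: The comment `Disable x86 Virtual Dynamic Shared Object (vDSO) mappings` overstates what `vdso32=0` does: it removes only the 32-bit (compat) vDSO, while the 64-bit vDSO used by every native process stays mapped. Affected 32-bit processes fall back to the `int 0x80` syscall entry and lose the fast vDSO clock_gettime/gettimeofday path, so this is a performance trade-off for remaining 32-bit userspace, and it is redundant once the commented-out `ia32_emulation=0` option in this file is enabled. I would reword to `## Disable the 32-bit (compat) vDSO mapping; the 64-bit vDSO is unaffected. 32-bit processes then use int 0x80 for syscalls. Redundant when ia32_emulation=0 is set.` and replace the vague `The use of 32 bit vDSO mappings is currently enabled.` with the kernel default, `vdso32=1`.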
@@ -129,6 +129,13 @@ kernel.perf_event_paranoid=3 ## kernel.randomize_va_space=2 +## Disable use of the legacy TIOCSTI operation which can be used to inject keypresses. +## Will break screen readers as can no longer push characters into a controlling TTY. +## +## This is disabled by default when using Linux kernel >= 6.2. +## +#dev.tty.legacy_tiocsti=0 + ## Disable asynchronous I/O for all processes. ## Leading cause of numerous kernel exploits. ## Disabling will reduce the read/write performance of storage devices. From b77d1a2b980ae20158aa628eec67b016282d0a40 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sat, 3 Aug 2024 14:49:48 +1000 Subject: [PATCH 556/846] Revert "Remove the optional `slub_debug` parameter since it is no longer recommended" This reverts commit 48e1ac416314d2c66f3a0d5044a3c51cb6fb4093. --- README.md | 3 +++ etc/default/grub.d/40_kernel_hardening.cfg | 9 +++++++++ 2 files changed, 12 insertions(+) diff --git a/README.md b/README.md index b6a6c60..f9bad76 100644 --- a/README.md +++ b/README.md @@ -118,6 +118,9 @@ configuration file. - Disable merging of slabs with similar size, which reduces the risk of triggering heap overflows and limits influencing slab cache layout. +- Provides option to enable sanity checks and red zoning via slab debugging. + Not reccommened due to implicit disabling of kernel pointer hashing. + - Enable memory zeroing at both allocation and free time, which mitigates some use-after-free vulnerabilities by erasing sensitive information in memory. diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 172c3c8..a9d223e 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg 
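Review bot: The added line `## This is disabled by default when using Linux kernel >= 6.2.` looks inverted: 6.2 is the release that introduced `dev.tty.legacy_tiocsti` (CONFIG_LEGACY_TIOCSTI), the sysctl's default follows that Kconfig symbol, which upstream defaults to enabled as far as I recall, and on older kernels the key does not exist at all, so there is no way to disable TIOCSTI there. Suggest `## The sysctl exists only on Linux kernel >= 6.2 (CONFIG_LEGACY_TIOCSTI); its default follows the kernel config, and older kernels cannot disable TIOCSTI.` The same sentence survives in the hunk of the later `Enable dev.tty.legacy_tiocsti=0` commit on this page, so it should be corrected there as well.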
@@ -28,6 +28,15 @@ kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || tru ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge" +## Enable sanity checks and red zoning of slabs. +## +## https://www.kernel.org/doc/html/latest/mm/slub.html +## https://lore.kernel.org/all/20210601182202.3011020-5-swboyd@chromium.org/T/#u +## +## Disabled as enabling this implicitly disables kernel pointer hashing. +## +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZ" + ## Zero memory at allocation time and free time. ## Fills newly allocated pages, freed pages, and heap objects with zeros. ## Mitigates use-after-free exploits by erasing sensitive information in memory. From 22b6cee80c74aff3d0f9cd36822ae88f8fa8e601 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sat, 3 Aug 2024 15:11:14 +1000 Subject: [PATCH 557/846] Add details about `slub_debug` --- README.md | 4 ++-- etc/default/grub.d/40_kernel_hardening.cfg | 9 +++++++-- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index f9bad76..f3acb5e 100644 --- a/README.md +++ b/README.md @@ -118,8 +118,8 @@ configuration file. - Disable merging of slabs with similar size, which reduces the risk of triggering heap overflows and limits influencing slab cache layout. -- Provides option to enable sanity checks and red zoning via slab debugging. - Not reccommened due to implicit disabling of kernel pointer hashing. +- Provide the option to enable sanity checks and red zoning via slab debugging. + Enabling this feature will implicitly disable kernel pointer hashing. - Enable memory zeroing at both allocation and free time, which mitigates some use-after-free vulnerabilities by erasing sensitive information in memory. diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index a9d223e..0e6dd08 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg 
@@ -28,12 +28,17 @@ kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || tru ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge" -## Enable sanity checks and red zoning of slabs. +## Enable sanity checks and red zoning of slabs via debugging options to detect corruption. +## As a by product of debugging, this will implicitly disabling kernel pointer hashing. +## Enabling will therefore leak exact and all kernel memory addresses to root. +## Has the potential to cause a noticeable performance decrease. ## ## https://www.kernel.org/doc/html/latest/mm/slub.html ## https://lore.kernel.org/all/20210601182202.3011020-5-swboyd@chromium.org/T/#u +## https://gitlab.tails.boum.org/tails/tails/-/issues/19613 ## -## Disabled as enabling this implicitly disables kernel pointer hashing. +## The default kernel setting will be utilized until provided sufficient evidence to modify. +## https://github.com/Kicksecure/security-misc/issues/253 ## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZ" From 6f14d68cdcad3784311e33029eba6906ea0784c2 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sat, 3 Aug 2024 15:12:15 +1000 Subject: [PATCH 558/846] Update legacy name `slub_debug` -> `slab_debug` --- etc/default/grub.d/40_kernel_hardening.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 0e6dd08..2986a54 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg 
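Review bot: The new line `## As a by product of debugging, this will implicitly disabling kernel pointer hashing.` has grammar errors; suggest `## As a by-product of debugging, this implicitly disables kernel pointer hashing.` More substantively, `## Enabling will therefore leak exact and all kernel memory addresses to root.` understates the scope: disabling pointer hashing changes every `%p` format site in the kernel, including pointer output under /proc and /sys, so whether this stays root-only depends on `kernel.dmesg_restrict` and `kernel.kptr_restrict` being set elsewhere in this package, which the comment should state explicitly. The hunk of the later `Enable slab_debug=FZ` commit on this page turns the option on with this comment left in place.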
@@ -40,7 +40,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge" ## The default kernel setting will be utilized until provided sufficient evidence to modify. ## https://github.com/Kicksecure/security-misc/issues/253 ## -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slub_debug=FZ" +#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_debug=FZ" ## Zero memory at allocation time and free time. ## Fills newly allocated pages, freed pages, and heap objects with zeros. From 4f7f82016015f61002ac8f778b61968c572dc7dc Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 5 Aug 2024 14:16:33 +1000 Subject: [PATCH 559/846] Add reference --- usr/lib/sysctl.d/990-security-misc.conf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 39d0539..ba33bae 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -275,6 +275,8 @@ net.ipv6.conf.default.accept_redirects=0 ## Accept ICMP redirect messages only for approved gateways. ## If ICMP redirect messages are permitted, only useful if managing a default gateway list. ## +## https://github.com/Kicksecure/security-misc/pull/248 +## net.ipv4.conf.all.secure_redirects=1 net.ipv4.conf.default.secure_redirects=1 From aa34d86598f5b846b007730104e4c99c59f9984d Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 5 Aug 2024 14:27:17 +1000 Subject: [PATCH 560/846] Enable `slab_debug=FZ` --- README.md | 4 ++-- etc/default/grub.d/40_kernel_hardening.cfg | 4 +--- 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index a187056..3ac2ab4 100644 --- a/README.md +++ b/README.md 
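Review bot: `slab_debug` is only recognised by kernels that include the rename (it landed during 2024; confirm the exact version), and a kernel command-line parameter that is not matched is silently not applied, so on an older distribution kernel this line would quietly do nothing, while newer kernels still accept `slub_debug` as a deprecated alias as far as I know. If the package must support older kernels, `slub_debug=FZ` is the safer spelling; otherwise document the minimum version next to the line: `## slab_debug is the current name; kernels before the rename only understand slub_debug.`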
@@ -121,8 +121,8 @@ configuration file. - Disable merging of slabs with similar size, which reduces the risk of triggering heap overflows and limits influencing slab cache layout. -- Provide the option to enable sanity checks and red zoning via slab debugging. - Enabling this feature will implicitly disable kernel pointer hashing. +- Enable sanity checks and red zoning via slab debugging. This will implicitly + disable kernel pointer hashing, leaking very sensitive information to root. - Enable memory zeroing at both allocation and free time, which mitigates some use-after-free vulnerabilities by erasing sensitive information in memory. diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index fab54cf..44cfbd9 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -37,11 +37,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge" ## https://www.kernel.org/doc/html/latest/mm/slub.html ## https://lore.kernel.org/all/20210601182202.3011020-5-swboyd@chromium.org/T/#u ## https://gitlab.tails.boum.org/tails/tails/-/issues/19613 -## -## The default kernel setting will be utilized until provided sufficient evidence to modify. ## https://github.com/Kicksecure/security-misc/issues/253 ## -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_debug=FZ" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_debug=FZ" ## Zero memory at allocation time and free time. ## Fills newly allocated pages, freed pages, and heap objects with zeros. From c0d140f2211e6490d13e3cd327005027c668905f Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 5 Aug 2024 15:06:34 +1000 Subject: [PATCH 561/846] Enable `dev.tty.legacy_tiocsti=0` --- README.md | 3 +-- usr/lib/sysctl.d/990-security-misc.conf | 10 ++++++---- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index a187056..efe9e32 100644 --- a/README.md +++ b/README.md 
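Review bot: Enabling `GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_debug=FZ"` removes the `## The default kernel setting will be utilized until provided sufficient evidence to modify.` rationale but leaves the issue link with no statement of what was decided, and nothing in the comment block says what `F` and `Z` select. Suggest replacing the deleted line with `## Enabled per the discussion in issue #253; F = sanity checks, Z = red zoning.` Since the context above this hunk says the option has a potential performance cost and now applies to every user by default, a measured figure, or an explicit note that it is unmeasured, belongs in the same comment.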
@@ -47,8 +47,7 @@ space, user space, core dumps, and swap space. - Randomize the addresses (ASLR) for mmap base, stack, VDSO pages, and heap. -- Provide the option to disable the use of legacy TIOCSTI operation which can be - used to inject keypresses. +- Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. - Disable asynchronous I/O as `io_uring` has been the source of numerous kernel exploits (when using Linux kernel version >= 6.6). diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index b68f833..0b46477 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -127,12 +127,14 @@ kernel.perf_event_paranoid=3 ## kernel.randomize_va_space=2 -## Disable use of the legacy TIOCSTI operation which can be used to inject keypresses. -## Will break screen readers as can no longer push characters into a controlling TTY. -## +## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. +## Can lead to privilege escalation by pushing characters into a controlling TTY. +## Will break out-dated screen readers that continue to rely on this legacy functionality. ## This is disabled by default when using Linux kernel >= 6.2. ## -#dev.tty.legacy_tiocsti=0 +## https://lore.kernel.org/lkml/20221228205726.rfevry7ud6gmttg5@begin/T/ +## +dev.tty.legacy_tiocsti=0 ## Disable asynchronous I/O for all processes. ## Leading cause of numerous kernel exploits. From d102ec19972865032f12f90bffe3e592546f0267 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 5 Aug 2024 15:07:56 +1000 Subject: [PATCH 562/846] Enable `kfence.sample_interval=100` --- README.md | 5 ++--- etc/default/grub.d/40_kernel_hardening.cfg | 2 +- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index a187056..16f7df3 100644 --- a/README.md +++ b/README.md 
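Review bot: `dev.tty.legacy_tiocsti=0` is now applied unconditionally, but the key is absent on kernels before 6.2, where `sysctl --system` will report a failure for this line. If the package still targets such kernels, writing it as `-dev.tty.legacy_tiocsti=0` makes sysctl ignore the error for that key alone, as sysctl.conf(5) documents, instead of producing a spurious failure at boot. The `## This is disabled by default when using Linux kernel >= 6.2.` line kept by this hunk is the same questionable claim raised on the earlier hunk that introduced it.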
@@ -147,9 +147,8 @@ configuration file. - Provide the option to modify machine check exception handler. -- Provide the option to enable the kernel Electric-Fence sampling-based memory - safety error detector which can identify heap out-of-bounds access, use-after-free, - and invalid-free errors. +- Enable the kernel Electric-Fence sampling-based memory safety error detector + which can identify heap out-of-bounds access, use-after-free, and invalid-free errors. - Provide the option to disable 32 bit vDSO mappings. diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index fab54cf..bbfee13 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -134,7 +134,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## ## https://www.kernel.org/doc/html/latest/dev-tools/kfence.html ## -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100" ## Disable x86 Virtual Dynamic Shared Object (vDSO) mappings. ## From 8559079312adb4ed92e5f478120b408dfe7a1124 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 5 Aug 2024 15:10:02 +1000 Subject: [PATCH 563/846] Enable `vdso32=0` --- README.md | 2 +- etc/default/grub.d/40_kernel_hardening.cfg | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index a187056..8b12b71 100644 --- a/README.md +++ b/README.md @@ -151,7 +151,7 @@ configuration file. safety error detector which can identify heap out-of-bounds access, use-after-free, and invalid-free errors. -- Provide the option to disable 32 bit vDSO mappings. +- Disable 32-bit vDSO mappings as they are a legacy compatibility feature. - Provide the option to use kCFI as the default CFI implementation since it may be slightly more resilient to attacks that are able to write arbitrary executables 
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index fab54cf..7e92bdb 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -136,13 +136,13 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100" -## Disable x86 Virtual Dynamic Shared Object (vDSO) mappings. +## Disable 32-bit Virtual Dynamic Shared Object (vDSO) mappings. +## Legacy compatibility feature for superseded glibc versions. ## -## https://en.wikipedia.org/wiki/VDSO +## https://lore.kernel.org/lkml/20080409082927.BD59E26F992@magilla.localdomain/T/ +## https://lists.openwall.net/linux-kernel/2014/03/11/3 ## -## The use of 32 bit vDSO mappings is currently enabled. -## -#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0" ## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation. ## The default implementation is FIneIBT as of Linux kernel 6.2. From 89e816dda6c5a00512b276071c4d9fe108ee63b5 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 6 Aug 2024 14:01:39 +0000 Subject: [PATCH 564/846] bumped changelog version --- changelog.upstream | 177 +++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++ 2 files changed, 183 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 934cc7d..81a58c9 100644 --- a/changelog.upstream +++ b/changelog.upstream 
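Review bot: The new rationale `## Legacy compatibility feature for superseded glibc versions.` does not match what the 32-bit vDSO provides: it supplies the fast syscall entry and the vDSO time functions for every 32-bit (compat) process, so with `vdso32=0` all 32-bit binaries fall back to the slower `int $0x80` path, if I recall the x86 behaviour correctly; the linked threads describe implementation history rather than a security rationale. Suggest stating the actual trade-off, e.g. `## 32-bit (compat) processes lose the vDSO fast syscall/time paths and fall back to int 0x80; 64-bit processes are unaffected.`, and naming the benefit the package is after (less kernel-provided code mapped into compat processes). Please confirm the parameter semantics against Documentation/admin-guide/kernel-parameters.txt before merging.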
@@ -1,3 +1,174 @@ +commit 967f9e257b09bc73ddb579292d507f7cb9832643 +Merge: fa90918 a25aaf9 +Author: Patrick Schleizer +Date: Tue Aug 6 09:57:56 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit a25aaf900a12666046278a9fab6933b3d5670679 +Merge: 6bc039a 8559079 +Author: Patrick Schleizer +Date: Tue Aug 6 09:55:20 2024 -0400 + + Merge pull request #260 from raja-grewal/vdso32 + + Enable `vdso32=0` + +commit 6bc039a430289342f06857a52a5f13829d6e50f5 +Merge: ce60d56 d102ec1 +Author: Patrick Schleizer +Date: Tue Aug 6 09:52:56 2024 -0400 + + Merge pull request #259 from raja-grewal/kfence + + Enable `kfence.sample_interval=100` + +commit ce60d5615fe99e41c48d459f562d581a688c295a +Merge: b027842 c0d140f +Author: Patrick Schleizer +Date: Tue Aug 6 09:48:08 2024 -0400 + + Merge pull request #258 from raja-grewal/legacy_tiocsti + + Enable `dev.tty.legacy_tiocsti=0` + +commit b0278428a73cd3d329aaa36626005e0c593331f0 +Merge: fa90918 aa34d86 +Author: Patrick Schleizer +Date: Tue Aug 6 09:39:04 2024 -0400 + + Merge pull request #257 from raja-grewal/slab_debug + + Enable `slab_debug=FZ` + +commit 8559079312adb4ed92e5f478120b408dfe7a1124 +Author: Raja Grewal +Date: Mon Aug 5 15:10:02 2024 +1000 + + Enable `vdso32=0` + +commit d102ec19972865032f12f90bffe3e592546f0267 +Author: Raja Grewal +Date: Mon Aug 5 15:07:56 2024 +1000 + + Enable `kfence.sample_interval=100` + +commit c0d140f2211e6490d13e3cd327005027c668905f +Author: Raja Grewal +Date: Mon Aug 5 15:06:34 2024 +1000 + + Enable `dev.tty.legacy_tiocsti=0` + +commit aa34d86598f5b846b007730104e4c99c59f9984d +Author: Raja Grewal +Date: Mon Aug 5 14:27:17 2024 +1000 + + Enable `slab_debug=FZ` + +commit fa9091869d417c6494840d0cb32623037d70c8be +Merge: 06f0c27 725118c +Author: Patrick Schleizer +Date: Sun Aug 4 16:20:36 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 725118c5759b45118bbd2804492526ea2a7c1a81 +Merge: 6d97408 6d211fa +Author: Patrick Schleizer +Date: Sun Aug 4 
16:19:52 2024 -0400 + + Merge pull request #243 from raja-grewal/namespaces + + Restrict unprivileged user namespaces + +commit 06f0c27128a66c1074f405de3139651519e48204 +Merge: 8abc5ae 6d97408 +Author: Patrick Schleizer +Date: Sun Aug 4 16:15:01 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 6d97408a6d2f002461ae6ca1d647fbf24bf1b99e +Merge: 8abc5ae 6f14d68 +Author: Patrick Schleizer +Date: Sun Aug 4 16:11:46 2024 -0400 + + Merge pull request #255 from raja-grewal/SLUB + + Restore option to enable `slub_debug=FZ` + +commit 8abc5ae8f0f152c68f855f0e8d993880589c5d5c +Merge: de6f3ea eab66da +Author: Patrick Schleizer +Date: Sun Aug 4 16:09:52 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit eab66dad0994e408c1beaade3fdcf2cd1d605b31 +Merge: de6f3ea ca2179b +Author: Patrick Schleizer +Date: Sun Aug 4 16:08:32 2024 -0400 + + Merge pull request #254 from raja-grewal/patch + + Updates to kernel and `sysctl` hardening + +commit 6f14d68cdcad3784311e33029eba6906ea0784c2 +Author: Raja Grewal +Date: Sat Aug 3 15:12:15 2024 +1000 + + Update legacy name `slub_debug` -> `slab_debug` + +commit 22b6cee80c74aff3d0f9cd36822ae88f8fa8e601 +Author: Raja Grewal +Date: Sat Aug 3 15:11:14 2024 +1000 + + Add details about `slub_debug` + +commit b77d1a2b980ae20158aa628eec67b016282d0a40 +Author: Raja Grewal +Date: Sat Aug 3 14:49:48 2024 +1000 + + Revert "Remove the optional `slub_debug` parameter since it is no longer recommended" + + This reverts commit 48e1ac416314d2c66f3a0d5044a3c51cb6fb4093. 
+ +commit ca2179bb6a01e3ebbb1e04e3507cc305f25bca4e +Author: Raja Grewal +Date: Sat Aug 3 00:25:49 2024 +1000 + + Provide the option to disable legacy TIOCSTI operation + +commit 52aeacb4da4a8458b0ffdc1ade4094a178def6f4 +Author: Raja Grewal +Date: Sat Aug 3 00:13:38 2024 +1000 + + Provide option to disable 32 bit vDSO mappings + +commit 9099ecce8ae12352f2b739d3d7adf6069488ff49 +Author: Raja Grewal +Date: Sat Aug 3 00:12:50 2024 +1000 + + Provide option to enable the kernel Electric-Fence + +commit f6a16258a116ce5c5f4f6bad9d8ab9b6e1ec6bb7 +Author: Raja Grewal +Date: Sat Aug 3 00:11:06 2024 +1000 + + Add references to KSPP + +commit e53d24fc48b51a21fc182cc59890e97a1d7ac647 +Author: Raja Grewal +Date: Sat Aug 3 00:09:42 2024 +1000 + + Add missing GRUB command lines for disabled boot parameters + +commit de6f3ea74a5a1408e4351c955ecb7010825364c5 +Author: Patrick Schleizer +Date: Sun Jul 28 20:50:22 2024 +0000 + + bumped changelog version + commit d036094089e3e3a74df981c50882481273fcb6c0 Merge: e60ce50 0f86fbd Author: Patrick Schleizer @@ -594,6 +765,12 @@ Date: Thu Jul 18 12:19:27 2024 +1000 Typos +commit 6d211faf591608ea6e7f484e8bc69dd567877abf +Author: Raja Grewal +Date: Thu Jul 18 11:04:54 2024 +1000 + + Restrict unprivileged user namespaces + commit b04828f858fa6d101099773d3156841fd6d33b6f Author: Raja Grewal Date: Thu Jul 18 11:01:41 2024 +1000 diff --git a/debian/changelog b/debian/changelog index 5d90f8d..50c5315 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:38.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 06 Aug 2024 14:01:38 +0000 + security-misc (3:38.7-1) unstable; urgency=medium * New upstream version (local package). From debd7a7b7ae8b03e04d2c8597bcccf2c79000570 Mon Sep 17 00:00:00 2001 
From: Raja Grewal Date: Wed, 7 Aug 2024 13:33:44 +1000 Subject: [PATCH 565/846] Provide optional `sysctl fs.binfmt_misc.status=0` --- README.md | 5 +++-- usr/lib/sysctl.d/990-security-misc.conf | 5 ++++- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index d4dd706..96f8b14 100644 --- a/README.md +++ b/README.md @@ -57,8 +57,9 @@ space, user space, core dumps, and swap space. - Increase the maximum number of memory map areas a process is able to utilize. -- Disallow registering interpreters for various (miscellaneous) binary formats based - on a magic number or their file extension to prevent unintended code execution. +- Provide the option to disallow registering interpreters for various (miscellaneous) + binary formats based on a magic number or their file extension to prevent + unintended code execution. - Disable core dump files and prevent their creation. If core dump files are enabled, they will be named based on `core.PID` instead of the default `core`. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 747ca67..4de859c 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -206,8 +206,11 @@ vm.max_map_count=1048576 ## https://en.wikipedia.org/wiki/Binfmt_misc ## https://security.stackexchange.com/questions/271786/does-allowing-binfmt-misc-significantly-increase-the-attack-surface-for-unprivil ## https://unix.stackexchange.com/questions/439569/what-kinds-of-executable-formats-do-the-files-under-proc-sys-fs-binfmt-misc-al +## https://github.com/Kicksecure/security-misc/pull/249 ## -fs.binfmt_misc.status=0 +## The default kernel setting will be utilized until provided sufficient evidence to modify. +## +#fs.binfmt_misc.status=0 ## 3. Core Dumps: ## From ec3038c7bc625f6c8eddb753ffe295ff2697a717 Mon Sep 17 00:00:00 2001 
From: Raja Grewal Date: Wed, 7 Aug 2024 13:48:53 +1000 Subject: [PATCH 566/846] Clarify `secure_redirects` --- README.md | 5 ++--- usr/lib/sysctl.d/990-security-misc.conf | 13 +++++-------- 2 files changed, 7 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index 5e029c8..4c31d90 100644 --- a/README.md +++ b/README.md @@ -71,9 +71,8 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6. - Enable reverse path filtering (source validation) of packets received from all interfaces to prevent IP spoofing. -- Disable ICMP redirect acceptance and redirect sending messages to - prevent man-in-the-middle attacks and minimize information disclosure. If - ICMP redirect messages are permitted, only do so from approved gateways. +- Disable ICMP redirect acceptance and redirect sending messages to prevent + man-in-the-middle attacks and minimize information disclosure. - Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index ba33bae..9efb03a 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf 
@@ -259,11 +259,14 @@ net.ipv4.conf.default.rp_filter=1 ## Disable ICMP redirect acceptance and redirect sending messages. ## Prevents man-in-the-middle attacks and minimizes information disclosure. +## If ICMP redirects are permitted, accept messages only through approved gateways (kernel default). +## Approving gateways requires the managing of a default gateway list. ## ## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-disable-source-routing#sect-Security_Guide-Server_Security-Disable-Source-Routing ## https://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/theconfvariables.html ## https://www.debian.org/doc/manuals/securing-debian-manual/network-secure.en.html ## https://askubuntu.com/questions/118273/what-are-icmp-redirects-and-should-they-be-blocked +## https://github.com/Kicksecure/security-misc/pull/248 ## net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.default.accept_redirects=0 @@ -271,14 +274,8 @@ net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_redirects=0 net.ipv6.conf.all.accept_redirects=0 net.ipv6.conf.default.accept_redirects=0 - -## Accept ICMP redirect messages only for approved gateways. -## If ICMP redirect messages are permitted, only useful if managing a default gateway list. -## -## https://github.com/Kicksecure/security-misc/pull/248 -## -net.ipv4.conf.all.secure_redirects=1 -net.ipv4.conf.default.secure_redirects=1 +#net.ipv4.conf.all.secure_redirects=1 +#net.ipv4.conf.default.secure_redirects=1 ## Ignore ICMP echo requests. ## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks. From 50fa721fd54cd696ae90a35bc7df7c8f1eb17a13 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 7 Aug 2024 14:01:49 +1000 Subject: [PATCH 567/846] Update docs regarding Intel module disabling --- README.md | 6 +++--- etc/modprobe.d/30_security-misc_disable.conf | 5 +++-- 2 files changed, 6 insertions(+), 5 deletions(-) 
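Review bot: The added line `## If ICMP redirects are permitted, accept messages only through approved gateways (kernel default).` should also say that `secure_redirects` is only consulted when `accept_redirects` is enabled, so with `net.ipv4.conf.all.accept_redirects=0` set directly below, the now-commented `#net.ipv4.conf.all.secure_redirects=1` lines in the second hunk have no effect either way. Suggest `## secure_redirects is only evaluated when accept_redirects=1; it is left at the kernel default here.` That makes it clear the commented lines are documentation of a fallback, not a weakened setting.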
diff --git a/README.md b/README.md index 331a5ce..0ed55ef 100644 --- a/README.md +++ b/README.md @@ -214,10 +214,10 @@ disabling should first be blacklisted for a suitable amount of time. Satellite Systems (GNSS). - Optional - Intel Management Engine (ME): Provides some disabling of the interface - between the Intel ME and the OS. May lead to breakages in places such as security, - power management, display, and DRM. See discussion: https://github.com/Kicksecure/security-misc/issues/239 + between the Intel ME and the OS. May lead to breakages in places such as firmware + updates, security, power management, display, and DRM. See discussion: https://github.com/Kicksecure/security-misc/issues/239 -- Intel Platform Monitoring Technology Telemetry (PMT): Disable some functionality +- Intel Platform Monitoring Technology (PMT) Telemetry: Disable some functionality of the Intel PMT components. - Network File Systems: Disable uncommon and legacy network file systems. diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf index c78ba2a..d6c5974 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf +++ b/etc/modprobe.d/30_security-misc_disable.conf @@ -119,7 +119,8 @@ install gnss-usb /usr/bin/disabled-gps-by-security-misc ## Intel Management Engine (ME): ## Partially disable the Intel ME interface with the OS. ## ME functionality has increasing become more intertwined with basic Intel system operation. -## Disabling may lead to breakages in places such as security, power management, display, and DRM. +## Disabling may lead to breakages in numerous places without clear debugging/error messages. +## May cause issues with firmware updates, security, power management, display, and DRM. ## ## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html ## https://en.wikipedia.org/wiki/Intel_Management_Engine#Security_vulnerabilities 
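Review bot: The context line `## ME functionality has increasing become more intertwined with basic Intel system operation.` has a typo (`increasingly`), and since this hunk only edits the surrounding comment block it is the natural place to fix it. The new line `## Disabling may lead to breakages in numerous places without clear debugging/error messages.` is a useful warning; it would be more actionable if it said what to look for, e.g. `## Symptoms typically appear as failures in the listed areas with no reference to mei in logs; re-enable the mei_* modules below to rule this out.` The `#install mei_*` lines it refers to sit in the next hunk of this file.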
@@ -140,7 +141,7 @@ install gnss-usb /usr/bin/disabled-gps-by-security-misc #install mei_wdt /usr/bin/disabled-intelme-by-security-misc #install microread_mei /usr/bin/disabled-intelme-by-security-misc -## Intel Platform Monitoring Technology Telemetry (PMT): +## Intel Platform Monitoring Technology (PMT) Telemetry: ## Disable some functionality of the Intel PMT components. ## ## https://github.com/intel/Intel-PMT From e98dc8c4f8af32dd3b10c034477fd2154df189ac Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 7 Aug 2024 14:14:47 +1000 Subject: [PATCH 568/846] Update notifications for disabled kernel modules --- usr/bin/disabled-bluetooth-by-security-misc | 4 ++-- usr/bin/disabled-cdrom-by-security-misc | 4 ++-- usr/bin/disabled-filesys-by-security-misc | 4 ++-- usr/bin/disabled-firewire-by-security-misc | 4 ++-- usr/bin/disabled-framebuffer-by-security-misc | 4 ++-- usr/bin/disabled-gps-by-security-misc | 4 ++-- usr/bin/disabled-intelme-by-security-misc | 4 ++-- usr/bin/disabled-intelpmt-by-security-misc | 4 ++-- usr/bin/disabled-miscellaneous-by-security-misc | 4 ++-- usr/bin/disabled-netfilesys-by-security-misc | 4 ++-- usr/bin/disabled-network-by-security-misc | 4 ++-- usr/bin/disabled-thunderbolt-by-security-misc | 4 ++-- 12 files changed, 24 insertions(+), 24 deletions(-) diff --git a/usr/bin/disabled-bluetooth-by-security-misc b/usr/bin/disabled-bluetooth-by-security-misc index 5b6992d..d576b26 100755 --- a/usr/bin/disabled-bluetooth-by-security-misc +++ b/usr/bin/disabled-bluetooth-by-security-misc 
@@ -3,8 +3,8 @@ ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Alerts the user that a kernel module failed to load due to it being blacklisted by default. +## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. -echo "$0: ERROR: This Bluetooth kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf. | args: $@" >&2 +echo "$0: ALERT: This Bluetooth kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-cdrom-by-security-misc b/usr/bin/disabled-cdrom-by-security-misc index 2bb8e4c..af27e08 100755 --- a/usr/bin/disabled-cdrom-by-security-misc +++ b/usr/bin/disabled-cdrom-by-security-misc @@ -3,8 +3,8 @@ ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Alerts the user that a kernel module failed to load due to it being blacklisted by default. +## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. -echo "$0: ERROR: This CD-ROM/DVD kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf. | args: $@" >&2 +echo "$0: ALERT: This CD-ROM/DVD kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-filesys-by-security-misc b/usr/bin/disabled-filesys-by-security-misc index fad544b..faffe58 100755 --- a/usr/bin/disabled-filesys-by-security-misc +++ b/usr/bin/disabled-filesys-by-security-misc 
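Review bot: `| args: $@"` inside the double-quoted `echo` string is the ShellCheck SC2145 pattern (an array expansion mixed into a string); `echo` happens to print the same text, but `$*` is the intended expansion and avoids a surprise if the line is ever moved to `printf` or an assignment, so the line should end `... for details. | args: $*" >&2`. The same line appears in all twelve `usr/bin/disabled-*-by-security-misc` scripts touched by this commit. Since the twelve scripts differ only in the module description, a single script that receives the description from the `install` lines in /etc/modprobe.d/30_security-misc_disable.conf would remove the duplication, though that is a larger change than this wording update.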
@@ -3,8 +3,8 @@ ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Alerts the user that a kernel module failed to load due to it being blacklisted by default. +## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. -echo "$0: ERROR: This file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf. | args: $@" >&2 +echo "$0: ALERT: This file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-firewire-by-security-misc b/usr/bin/disabled-firewire-by-security-misc index a7de567..4886755 100755 --- a/usr/bin/disabled-firewire-by-security-misc +++ b/usr/bin/disabled-firewire-by-security-misc @@ -3,8 +3,8 @@ ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Alerts the user that a kernel module failed to load due to it being blacklisted by default. +## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. -echo "$0: ERROR: This FireWire (IEEE 1394) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf. | args: $@" >&2 +echo "$0: ALERT: This FireWire (IEEE 1394) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-framebuffer-by-security-misc b/usr/bin/disabled-framebuffer-by-security-misc index dc0c9b8..2933f95 100755 --- a/usr/bin/disabled-framebuffer-by-security-misc +++ b/usr/bin/disabled-framebuffer-by-security-misc 
@@ -3,8 +3,8 @@ ## Copyright (C) 2024 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Alerts the user that a kernel module failed to load due to it being blacklisted by default. +## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. -echo "$0: ERROR: This framebuffer driver kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf. | args: $@" >&2 +echo "$0: ALERT: This framebuffer kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-gps-by-security-misc b/usr/bin/disabled-gps-by-security-misc index 1122adc..51997c1 100755 --- a/usr/bin/disabled-gps-by-security-misc +++ b/usr/bin/disabled-gps-by-security-misc @@ -3,8 +3,8 @@ ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Alerts the user that a kernel module failed to load due to it being blacklisted by default. +## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. -echo "$0: ERROR: This GPS (Global Positioning System) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf. | args: $@" >&2 +echo "$0: ALERT: This Global Positioning System (GPS) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-intelme-by-security-misc b/usr/bin/disabled-intelme-by-security-misc index 6eca99b..dc2bb72 100755 --- a/usr/bin/disabled-intelme-by-security-misc +++ b/usr/bin/disabled-intelme-by-security-misc 
@@ -3,8 +3,8 @@ ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Alerts the user that a kernel module failed to load due to it being blacklisted by default. +## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. -echo "$0: ERROR: This Intel Management Engine (ME) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf. | args: $@" >&2 +echo "$0: ALERT: This Intel Management Engine (ME) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-intelpmt-by-security-misc b/usr/bin/disabled-intelpmt-by-security-misc index 3e9139a..76daa06 100755 --- a/usr/bin/disabled-intelpmt-by-security-misc +++ b/usr/bin/disabled-intelpmt-by-security-misc @@ -3,8 +3,8 @@ ## Copyright (C) 2024 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Alerts the user that a kernel module failed to load due to it being blacklisted by default. +## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. -echo "$0: ERROR: This Intel Platform Monitoring Technology Telemetry (PMT) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf. | args: $@" >&2 +echo "$0: ALERT: This Intel Platform Monitoring Technology (PMT) Telemetry kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-miscellaneous-by-security-misc b/usr/bin/disabled-miscellaneous-by-security-misc index c75dc6e..6eff13c 100755 --- a/usr/bin/disabled-miscellaneous-by-security-misc 
+++ b/usr/bin/disabled-miscellaneous-by-security-misc @@ -3,8 +3,8 @@ ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Alerts the user that a kernel module failed to load due to it being blacklisted by default. +## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. -echo "$0: ERROR: This kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf. | args: $@" >&2 +echo "$0: ALERT: This kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-netfilesys-by-security-misc b/usr/bin/disabled-netfilesys-by-security-misc index 60c0c22..8775acb 100755 --- a/usr/bin/disabled-netfilesys-by-security-misc +++ b/usr/bin/disabled-netfilesys-by-security-misc @@ -3,8 +3,8 @@ ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Alerts the user that a kernel module failed to load due to it being blacklisted by default. +## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. -echo "$0: ERROR: This network file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf. | args: $@" >&2 +echo "$0: ALERT: This network file system kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-network-by-security-misc b/usr/bin/disabled-network-by-security-misc index 4b35716..a6a87db 100755 --- a/usr/bin/disabled-network-by-security-misc +++ b/usr/bin/disabled-network-by-security-misc 
@@ -3,8 +3,8 @@ ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Alerts the user that a kernel module failed to load due to it being blacklisted by default. +## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. -echo "$0: ERROR: This network protocol kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf. | args: $@" >&2 +echo "$0: ALERT: This network protocol kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 exit 1 diff --git a/usr/bin/disabled-thunderbolt-by-security-misc b/usr/bin/disabled-thunderbolt-by-security-misc index 03cf804..5bac656 100755 --- a/usr/bin/disabled-thunderbolt-by-security-misc +++ b/usr/bin/disabled-thunderbolt-by-security-misc @@ -3,8 +3,8 @@ ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Alerts the user that a kernel module failed to load due to it being blacklisted by default. +## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. -echo "$0: ERROR: This Thunderbolt kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf. | args: $@" >&2 +echo "$0: ALERT: This Thunderbolt kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 exit 1 From a5373afc55e789f4657f3d843243e878e4afffa2 Mon Sep 17 00:00:00 2001 
From: Raja Grewal Date: Wed, 7 Aug 2024 14:44:14 +1000 Subject: [PATCH 569/846] Details on disabled `fbdev` kernel modules --- README.md | 2 +- etc/modprobe.d/30_security-misc_disable.conf | 6 ++++-- usr/bin/disabled-framebuffer-by-security-misc | 2 +- 3 files changed, 6 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 0ed55ef..0ed1240 100644 --- a/README.md +++ b/README.md @@ -207,7 +207,7 @@ disabling should first be blacklisted for a suitable amount of time. - FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks. -- Framebuffer Drivers: Disabled as they are well-known to be buggy, cause +- Framebuffer (fbdev): Disabled as drivers are well-known to be buggy, cause kernel panics, and are generally only used by legacy devices. - GPS: Disable GPS-related modules such as those required for Global Navigation diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf index d6c5974..3a72b0e 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf +++ b/etc/modprobe.d/30_security-misc_disable.conf @@ -70,10 +70,12 @@ install raw1394 /usr/bin/disabled-firewire-by-security-misc install sbp2 /usr/bin/disabled-firewire-by-security-misc install video1394 /usr/bin/disabled-firewire-by-security-misc -## Framebuffer Drivers: -## Known to be buggy, cause kernel panics, and are generally only used by legacy devices. +## Framebuffer (fbdev): +## Video drivers are known to be buggy, cause kernel panics, and are generally only used by legacy devices. ## These were all previously blacklisted. ## +## https://docs.kernel.org/fb/index.html +## https://en.wikipedia.org/wiki/Linux_framebuffer ## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco ## install aty128fb /usr/bin/disabled-framebuffer-by-security-misc 
diff --git a/usr/bin/disabled-framebuffer-by-security-misc b/usr/bin/disabled-framebuffer-by-security-misc index 2933f95..681bc40 100755 --- a/usr/bin/disabled-framebuffer-by-security-misc +++ b/usr/bin/disabled-framebuffer-by-security-misc @@ -5,6 +5,6 @@ ## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. -echo "$0: ALERT: This framebuffer kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 +echo "$0: ALERT: This framebuffer (fbdev) kernel module is disabled by package security-misc by default. See the configuration file /etc/modprobe.d/30_security-misc_disable.conf for details. | args: $@" >&2 exit 1 From e5a38fc856c66d2bd6abc35fc08d4f2083ea8e54 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Fri, 9 Aug 2024 13:30:15 +1000 Subject: [PATCH 570/846] Typo --- etc/default/grub.d/40_kernel_hardening.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 33f98fc..b526ee7 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -143,7 +143,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0" ## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation. -## The default implementation is FIneIBT as of Linux kernel 6.2. +## The default implementation is FineIBT as of Linux kernel 6.2. ## The Intel-developed IBT (Indirect Branch Tracking) is only used if supported by the CPU. ## kCFI is software-only while FineIBT is a hybrid software/hardware implementation. ## FineIBT may result in some performance benefits as it only performs checking at destinations. From 0b0683499a6a21e3995a115c377eb19008bc4cd1 Mon Sep 17 00:00:00 2001 
From: Raja Grewal Date: Fri, 9 Aug 2024 13:30:39 +1000 Subject: [PATCH 571/846] Consistent line length formatting --- README.md | 37 +++++++++++++++++++++++++++++-------- 1 file changed, 29 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 3c41728..500833c 100644 --- a/README.md +++ b/README.md 
@@ -305,13 +305,24 @@ See: ### Bluetooth Status: Enabled but Defaulted to Off -- **Default Behavior**: Although Bluetooth capability is 'enabled' in the kernel, security-misc deviates from the usual behavior by starting with Bluetooth turned off at system start. This setting remains until the user explicitly opts to activate Bluetooth. +- **Default Behavior**: Although Bluetooth capability is 'enabled' in the kernel, + security-misc deviates from the usual behavior by starting with Bluetooth + turned off at system start. This setting remains until the user explicitly opts + to activate Bluetooth. -- **User Control**: Users have the freedom to easily switch Bluetooth on and off in the usual way, exercising their own discretion. This can be done via the Bluetooth toggle through the usual way, that is either through GUI settings application or command line commands. +- **User Control**: Users have the freedom to easily switch Bluetooth on and off + in the usual way, exercising their own discretion. This can be done via the + Bluetooth toggle through the usual way, that is either through GUI settings + application or command line commands. -- **Enhanced Privacy Settings**: We enforce more private defaults for Bluetooth connections. This includes the use of private addresses and strict timeout settings for discoverability and visibility. +- **Enhanced Privacy Settings**: We enforce more private defaults for Bluetooth + connections. This includes the use of private addresses and strict timeout + settings for discoverability and visibility. -- **Security Considerations**: Despite these measures, it's important to note that Bluetooth technology, by its nature, may still be prone to exploits due to its history of security vulnerabilities. Thus, we recommend users to opt-out of using Bluetooth when possible. 
+- **Security Considerations**: Despite these measures, it's important to note that + Bluetooth technology, by its nature, may still be prone to exploits due to its + history of security vulnerabilities. Thus, we recommend users to opt-out of + using Bluetooth when possible. ### Configuration Details 
@@ -320,15 +331,25 @@ See: ### Understanding Bluetooth Terms -- **Disabling Bluetooth**: This means the absence of the Bluetooth kernel module. When disabled, Bluetooth is non-existent in the system - it cannot be seen, set, configured, or interacted with in any way. +- **Disabling Bluetooth**: This means the absence of the Bluetooth kernel module. + When disabled, Bluetooth is non-existent in the system - it cannot be seen, set, + configured, or interacted with in any way. -- **Turning Bluetooth On/Off**: This refers to a software toggle. Normally, on Debian systems, Bluetooth is 'on' when the system boots up. It actively searches for known devices to auto-connect and may be discoverable or visible under certain conditions. Our default ensures that Bluetooth is off on startup. However, it remains 'enabled' in the kernel, meaning the kernel can use the Bluetooth protocol and has the necessary modules. +- **Turning Bluetooth On/Off**: This refers to a software toggle. Normally, on + Debian systems, Bluetooth is 'on' when the system boots up. It actively searches + for known devices to auto-connect and may be discoverable or visible under certain + conditions. Our default ensures that Bluetooth is off on startup. However, it + remains 'enabled' in the kernel, meaning the kernel can use the Bluetooth protocol + and has the necessary modules. ### Quick Toggle Guide -- **Turning Bluetooth On**: Simply click the Bluetooth button in the settings application or on the tray, and switch the toggle. It's a straightforward action that can be completed in less than a second. +- **Turning Bluetooth On**: Simply click the Bluetooth button in the settings + application or on the tray, and switch the toggle. It's a straightforward action + that can be completed in less than a second. -- **Turning Bluetooth Off**: Follow the same procedure as turning it on but switch the toggle to the off position. 
+- **Turning Bluetooth Off**: Follow the same procedure as turning it on but switch + the toggle to the off position. ## Entropy collection improvements From d8bcec881f66604e29d6e0c1426635e2ad4979f1 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Fri, 9 Aug 2024 13:33:32 +1000 Subject: [PATCH 572/846] Add some notices for future Debian 13 rebase --- etc/default/grub.d/40_kernel_hardening.cfg | 1 + usr/lib/sysctl.d/990-security-misc.conf | 5 ++++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index b526ee7..b813b48 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -172,6 +172,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0" ## ## https://lore.kernel.org/all/20230623111409.3047467-7-nik.borisov@suse.com/ ## +## TODO: Debian 13 Trixie ## Applicable when using Linux kernel >= 6.7 (retained here for future-proofing and completeness). ## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0" diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 0b46477..1194489 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -130,10 +130,12 @@ kernel.randomize_va_space=2 ## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. ## Can lead to privilege escalation by pushing characters into a controlling TTY. ## Will break out-dated screen readers that continue to rely on this legacy functionality. -## This is disabled by default when using Linux kernel >= 6.2. ## ## https://lore.kernel.org/lkml/20221228205726.rfevry7ud6gmttg5@begin/T/ ## +## TODO: Debian 13 Trixie +## This is disabled by default when using Linux kernel >= 6.2. +## dev.tty.legacy_tiocsti=0 ## Disable asynchronous I/O for all processes. 
@@ -146,6 +148,7 @@ dev.tty.legacy_tiocsti=0 ## https://github.com/moby/moby/pull/46762 ## https://forums.whonix.org/t/io-uring-security-vulnerabilties/16890 ## +## TODO: Debian 13 Trixie ## Applicable when using Linux kernel >= 6.6 (retained here for future-proofing and completeness). ## kernel.io_uring_disabled=2 From 077bc48a26d1d3f5d1f758d7e251edccba64742b Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Fri, 9 Aug 2024 13:35:33 +1000 Subject: [PATCH 573/846] Add reference on `rp_filter` --- usr/lib/sysctl.d/990-security-misc.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 1194489..800e626 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -275,6 +275,7 @@ net.ipv4.tcp_rfc1337=1 ## Prevents IP spoofing and mitigates vulnerabilities such as CVE-2019-14899. ## ## https://en.wikipedia.org/wiki/IP_address_spoofing +## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-reverse_path_forwarding#sect-Security_Guide-Server_Security-Reverse_Path_Forwarding ## https://forums.whonix.org/t/enable-reverse-path-filtering/8594 ## https://seclists.org/oss-sec/2019/q4/122 ## From 15c638acad64cc3dcc7b5c43d9a6be2fa2350654 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Fri, 9 Aug 2024 13:36:47 +1000 Subject: [PATCH 574/846] Add reference on RDRAND --- etc/default/grub.d/40_kernel_hardening.cfg | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index b813b48..8a90108 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg 
@@ -221,6 +221,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma" ## ## https://en.wikipedia.org/wiki/RDRAND#Reception ## https://systemd.io/RANDOM_SEEDS/ +## https://www.kicksecure.com/wiki/Dev/Entropy#RDRAND ## https://arstechnica.com/gadgets/2019/10/how-a-months-old-amd-microcode-bug-destroyed-my-weekend/ ## https://x.com/pid_eins/status/1149649806056280069 ## https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html From 3456f1c1d7725846ec201c28dd693bf9b07bab89 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Fri, 9 Aug 2024 13:39:25 +1000 Subject: [PATCH 575/846] Minor consistency update in README.md --- README.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 500833c..df451f4 100644 --- a/README.md +++ b/README.md @@ -56,6 +56,8 @@ space, user space, core dumps, and swap space. enables programs to inspect and modify other active processes. Provide the option to entirely disable the use of `ptrace()` for all processes. +- Maximize the bits of entropy used for mmap ASLR across all architectures. + - Prevent hardlink and symlink TOCTOU races in world-writable directories. - Disallow unintentional writes to files in world-writable directories unless @@ -146,6 +148,8 @@ configuration file. - Provide the option to modify machine check exception handler. +- Disallow sensitive kernel information leaks in the console during boot. + - Enable the kernel Electric-Fence sampling-based memory safety error detector which can identify heap out-of-bounds access, use-after-free, and invalid-free errors. @@ -169,9 +173,6 @@ configuration file. - Provide the option to disable the entire IPv6 stack to reduce attack surface. -Disallow sensitive kernel information leaks in the console during boot. See -the `/etc/default/grub.d/41_quiet_boot.cfg` configuration file. - ### Kernel Modules #### Kernel Module Signature Verification 
From f8fa89b245d929aee9884937fdcf44a6551df4cf Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Fri, 9 Aug 2024 14:21:59 +1000 Subject: [PATCH 576/846] Add details on `tcp_timestamps` --- usr/lib/sysctl.d/990-security-misc.conf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 800e626..481f463 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -347,9 +347,14 @@ net.ipv6.conf.default.accept_ra=0 #net.ipv4.tcp_dsack=0 ## Disable TCP timestamps to limit device fingerprinting via system time. +## Timestamps allows round-trip time measurement and protection against wrapped sequence numbers. +## Disabling timestamps on very fast links is likely to cause TCP Sequence Numbers to wrap. +## Segments with wrapped numbers will be incorrectly discarded, reducing network performance. ## +## https://datatracker.ietf.org/doc/html/rfc1323 ## https://forums.whonix.org/t/do-ntp-and-tcp-timestamps-really-leak-your-local-time/7824 ## https://web.archive.org/web/20170201160732/https://mailman.boum.org/pipermail/tails-dev/2013-December/004520.html +## https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf ## net.ipv4.tcp_timestamps=0 From 73db68dbf9a1f9ded95a593db36a4960ce06a173 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Fri, 9 Aug 2024 14:27:30 +1000 Subject: [PATCH 577/846] Add details on KFENCE --- etc/default/grub.d/40_kernel_hardening.cfg | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 8a90108..aa55e94 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg 
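Review bot: The new explanatory lines above `net.ipv4.tcp_timestamps=0` are imprecise: sequence numbers wrap on fast links whether or not timestamps are enabled; what disabling timestamps removes is PAWS (RFC 1323, which the hunk itself cites), so old duplicate segments from a wrapped sequence space can no longer be reliably rejected, and round-trip time measurement via the option is lost. Suggest replacing the two lines with `## Disabling timestamps also disables PAWS, so on very fast links old duplicate segments from a wrapped sequence space can no longer be reliably rejected.` and `## This can cause spurious data acceptance or retransmission and reduce throughput.` Since this is a hardening file, it may also be worth mentioning that Linux SYN cookies encode some TCP options in the timestamp value, so under SYN-flood protection those options are lost when timestamps are off — confirm before adding.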
@@ -127,10 +127,13 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## Enable the kernel "Electric-Fence" sampling-based memory safety error detector. ## KFENCE detects heap out-of-bounds access, use-after-free, and invalid-free errors. -## Aims to have very low processing overhead at each sampling interval +## Aims to have very low processing overhead at each sampling interval. ## Sampling interval is set to occur every 100 milliseconds as per KSPP recommendation. ## ## https://www.kernel.org/doc/html/latest/dev-tools/kfence.html +## https://google.github.io/kernel-sanitizers/KFENCE.html +## https://blogs.oracle.com/linux/post/linux-slub-allocator-internals-and-debugging-4 +## https://lwn.net/Articles/835542/ ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100" From 326d82a9beee130956dd817812016a6ee16fccbc Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Thu, 15 Aug 2024 11:46:56 +1000 Subject: [PATCH 578/846] Revert "Provide optional `sysctl fs.binfmt_misc.status=0`" This reverts commit debd7a7b7ae8b03e04d2c8597bcccf2c79000570. --- README.md | 5 ++--- usr/lib/sysctl.d/990-security-misc.conf | 5 +---- 2 files changed, 3 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 96f8b14..d4dd706 100644 --- a/README.md +++ b/README.md @@ -57,9 +57,8 @@ space, user space, core dumps, and swap space. - Increase the maximum number of memory map areas a process is able to utilize. -- Provide the option to disallow registering interpreters for various (miscellaneous) - binary formats based on a magic number or their file extension to prevent - unintended code execution. +- Disallow registering interpreters for various (miscellaneous) binary formats based + on a magic number or their file extension to prevent unintended code execution. - Disable core dump files and prevent their creation. If core dump files are enabled, they will be named based on `core.PID` instead of the default `core`. 
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 4de859c..747ca67 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -206,11 +206,8 @@ vm.max_map_count=1048576 ## https://en.wikipedia.org/wiki/Binfmt_misc ## https://security.stackexchange.com/questions/271786/does-allowing-binfmt-misc-significantly-increase-the-attack-surface-for-unprivil ## https://unix.stackexchange.com/questions/439569/what-kinds-of-executable-formats-do-the-files-under-proc-sys-fs-binfmt-misc-al -## https://github.com/Kicksecure/security-misc/pull/249 ## -## The default kernel setting will be utilized until provided sufficient evidence to modify. -## -#fs.binfmt_misc.status=0 +fs.binfmt_misc.status=0 ## 3. Core Dumps: ## From b552b92401f67d59e12ac6fda2f7fe1c54b0c8a7 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Thu, 15 Aug 2024 11:54:21 +1000 Subject: [PATCH 579/846] Add references on `fs.binfmt_misc.status` --- usr/lib/sysctl.d/990-security-misc.conf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 747ca67..7df6f03 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -206,6 +206,10 @@ vm.max_map_count=1048576 ## https://en.wikipedia.org/wiki/Binfmt_misc ## https://security.stackexchange.com/questions/271786/does-allowing-binfmt-misc-significantly-increase-the-attack-surface-for-unprivil ## https://unix.stackexchange.com/questions/439569/what-kinds-of-executable-formats-do-the-files-under-proc-sys-fs-binfmt-misc-al +## https://github.com/Kicksecure/security-misc/pull/249 +## +## KSPP=yes +## KSPP does not set CONFIG_BINFMT_MISC. ## fs.binfmt_misc.status=0 From 4bc12b07b42def786862b938e3f63c18cf874158 Mon Sep 17 00:00:00 2001 
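Review bot: `fs.binfmt_misc.status` is a file inside the binfmt_misc pseudo-filesystem rather than an ordinary /proc/sys key, so the re-enabled `fs.binfmt_misc.status=0` can only be applied once that filesystem is mounted at /proc/sys/fs/binfmt_misc; if sysctl.d is applied earlier, presumably the tool reports the key as missing and the kernel default (enabled) stays in effect. The comment block above should record that prerequisite, e.g. `## Requires the binfmt_misc filesystem to be mounted at /proc/sys/fs/binfmt_misc when this file is applied; verify boot ordering.` Whether the boot ordering on the supported releases guarantees this is not visible here and should be checked rather than assumed.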
From: Patrick Schleizer Date: Thu, 15 Aug 2024 17:51:18 +0000 Subject: [PATCH 580/846] bumped changelog version --- changelog.upstream | 46 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 52 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 81a58c9..7bab75d 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,31 @@ +commit 9e61e37c17524b57f185b796f2ac19ba193205a8 +Merge: 89e816d dfd1c97 +Author: Patrick Schleizer +Date: Thu Aug 15 13:47:33 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit dfd1c97168249b229495cbd873d4d8493e244663 +Merge: 89e816d ec3038c +Author: Patrick Schleizer +Date: Thu Aug 15 13:46:30 2024 -0400 + + Merge pull request #248 from raja-grewal/secure_redirects + + Re-enable (default) `secure_redirects` for ICMP redirect messages + +commit ec3038c7bc625f6c8eddb753ffe295ff2697a717 +Author: Raja Grewal +Date: Wed Aug 7 13:48:53 2024 +1000 + + Clarify `secure_redirects` + +commit 89e816dda6c5a00512b276071c4d9fe108ee63b5 +Author: Patrick Schleizer +Date: Tue Aug 6 14:01:39 2024 +0000 + + bumped changelog version + commit 967f9e257b09bc73ddb579292d507f7cb9832643 Merge: fa90918 a25aaf9 Author: Patrick Schleizer @@ -65,6 +93,12 @@ Date: Mon Aug 5 14:27:17 2024 +1000 Enable `slab_debug=FZ` +commit 4f7f82016015f61002ac8f778b61968c572dc7dc +Author: Raja Grewal +Date: Mon Aug 5 14:16:33 2024 +1000 + + Add reference + commit fa9091869d417c6494840d0cb32623037d70c8be Merge: 06f0c27 725118c Author: Patrick Schleizer @@ -197,6 +231,12 @@ Date: Sat Jul 27 12:13:18 2024 -0400 output +commit 144545762674e914046bb94100237329320e8ece +Author: Raja Grewal +Date: Sat Jul 27 14:00:30 2024 +1000 + + Show details regarding `secure_redirects` (again) + commit 73979d4342dae2017be52d5182bb66fa28be398d Author: Raja Grewal Date: Sat Jul 27 13:28:59 2024 +1000 
@@ -601,6 +641,12 @@ Date: Wed Jul 24 09:13:48 2024 -0400 Merge remote-tracking branch 'ben-grande/fuzz' +commit 88c88187f2909322211cc08598717068ea7cf1d1 +Author: Raja Grewal +Date: Wed Jul 24 17:26:50 2024 +1000 + + Re-enable (default) `secure_redirects` for ICMP redirect messages + commit 8be21b6eff40fdd3909ef63468463fc52e8bf45f Author: Ben Grande Date: Tue Jul 23 19:36:12 2024 +0200 diff --git a/debian/changelog b/debian/changelog index 50c5315..9f574d5 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:38.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 15 Aug 2024 17:51:18 +0000 + security-misc (3:38.8-1) unstable; urgency=medium * New upstream version (local package). From e3a3207a4447568a17129afe9dde34debc465e21 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Fri, 16 Aug 2024 12:41:36 +1000 Subject: [PATCH 581/846] Clarify DMA hardening --- README.md | 7 +++++-- etc/default/grub.d/40_kernel_hardening.cfg | 12 +++++++----- 2 files changed, 12 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index b1c0a89..e8e3083 100644 --- a/README.md +++ b/README.md @@ -161,8 +161,11 @@ configuration file. - Provide the option to disable support for all x86 processes and syscalls to reduce attack surface (when using Linux kernel version >= 6.7). -- Enable strict IOMMU translation to protect against DMA attacks and disable - the busmaster bit on all PCI bridges during the early boot process. +- Enable strict IOMMU translation to protect against some DMA attacks via the use + of both CPU manufacturer-specific drivers and kernel settings. + +- Clear the busmaster bit on all PCI bridges during the EFI hand-off, which disables + DMA before the IOMMU is configured. May cause boot failure on certain hardware. - Do not credit the CPU or bootloader as entropy sources at boot in order to maximize the absolute quantity of entropy in the combined pool. 
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index aa55e94..b6cc9df 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -184,12 +184,12 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0" ## ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#dma-attacks -## Enable CPU manufacturer-specific IOMMU drivers to protect against DMA attacks. +## Enable CPU manufacturer-specific IOMMU drivers to mitigate some DMA attacks. ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX amd_iommu=force_isolation" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on" -## Enable and force use of IOMMU translation to protect against DMA attacks. +## Enable and force use of IOMMU translation to protect against some DMA attacks. ## Strictly force DMA unmap operations to synchronously invalidate IOMMU hardware TLBs. ## Ensures devices will never be able to access stale data contents. ## @@ -201,9 +201,11 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu=force" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.passthrough=0" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.strict=1" -## Disable the busmaster bit on all PCI bridges during the early boot process. -## Patches weak points in some existing IOMMU implementations. -## May lead to issues such as complete system boot failure on certain devices. +## Clear the busmaster bit on all PCI bridges during the EFI hand-off. +## Terminates all existing DMA transactions prior to the kernel's IOMMU setup. +## Forces third party PCI devices to then re-set their busmaster bit in order to perform DMA. +## Assumes that the motherboard chipset and firmware are not malicious. +## May cause complete boot failure on certain hardware with incompatible firmware. ## ## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94 ## https://mjg59.dreamwidth.org/54433.html 
From 23a77d4973ec20b2aaab6a9c3a9fd8a98034923e Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Fri, 16 Aug 2024 12:46:51 +1000 Subject: [PATCH 582/846] Simplify syntax of some network-related `sysctl`'s --- usr/lib/sysctl.d/990-security-misc.conf | 30 +++++++++---------------- 1 file changed, 10 insertions(+), 20 deletions(-) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 8e49235..f6b49f0 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -275,8 +275,7 @@ net.ipv4.tcp_rfc1337=1 ## https://forums.whonix.org/t/enable-reverse-path-filtering/8594 ## https://seclists.org/oss-sec/2019/q4/122 ## -net.ipv4.conf.all.rp_filter=1 -net.ipv4.conf.default.rp_filter=1 +net.ipv4.conf.*.rp_filter=1 ## Disable ICMP redirect acceptance and redirect sending messages. ## Prevents man-in-the-middle attacks and minimizes information disclosure. @@ -289,14 +288,10 @@ net.ipv4.conf.default.rp_filter=1 ## https://askubuntu.com/questions/118273/what-are-icmp-redirects-and-should-they-be-blocked ## https://github.com/Kicksecure/security-misc/pull/248 ## -net.ipv4.conf.all.accept_redirects=0 -net.ipv4.conf.default.accept_redirects=0 -net.ipv4.conf.all.send_redirects=0 -net.ipv4.conf.default.send_redirects=0 -net.ipv6.conf.all.accept_redirects=0 -net.ipv6.conf.default.accept_redirects=0 -#net.ipv4.conf.all.secure_redirects=1 -#net.ipv4.conf.default.secure_redirects=1 +net.ipv4.conf.*.accept_redirects=0 +net.ipv4.conf.*.send_redirects=0 +net.ipv6.conf.*.accept_redirects=0 +#net.ipv4.conf.*.secure_redirects=1 ## Ignore ICMP echo requests. ## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks. 
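Review bot: Replacing the explicit `all`/`default` keys with `net.ipv4.conf.*.rp_filter=1` changes what is written: the pattern is expanded at apply time to every entry under /proc/sys/net/ipv4/conf/, so it still covers `all` and `default` but additionally writes each interface that exists at that moment, and it depends on the applying tool expanding globs (systemd-sysctl does; older procps `sysctl --system` may treat the key literally — verify on the supported releases). A one-line comment above the first pattern would save the next reader the same investigation: `## The * pattern is expanded by sysctl at apply time and covers all, default and every interface present.` The same applies to the other glob rewrites in this patch (accept_redirects, send_redirects, secure_redirects, accept_source_route, accept_ra, log_martians, use_tempaddr), including the commented-out ones, which inherit the same requirement if they are ever enabled.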
@@ -316,15 +311,12 @@ net.ipv4.icmp_ignore_bogus_error_responses=1
 ##
 ## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-disable-source-routing
 ##
-net.ipv4.conf.all.accept_source_route=0
-net.ipv4.conf.default.accept_source_route=0
-net.ipv6.conf.all.accept_source_route=0
-net.ipv6.conf.default.accept_source_route=0
+net.ipv4.conf.*.accept_source_route=0
+net.ipv6.conf.*.accept_source_route=0
 
 ## Do not accept IPv6 router advertisements and solicitations.
 ##
-net.ipv6.conf.all.accept_ra=0
-net.ipv6.conf.default.accept_ra=0
+net.ipv6.conf.*.accept_ra=0
 
 ## Disable SACK and DSACK.
 ## Select acknowledgements (SACKs) are a known common vector of exploitation.
@@ -362,8 +354,7 @@ net.ipv4.tcp_timestamps=0
 ##
 ## The logging of martian packets is currently disabled.
 ##
-#net.ipv4.conf.all.log_martians=1
-#net.ipv4.conf.default.log_martians=1
+#net.ipv4.conf.*.log_martians=1
 
 ## Enable IPv6 Privacy Extensions to prefer temporary addresses over public addresses.
 ## The temporary/privacy address is used as the source for all outgoing traffic.
@@ -379,5 +370,4 @@ net.ipv4.tcp_timestamps=0
 ##
 ## The use of IPv6 Privacy Extensions is currently disabled due to these breakages.
 ##
-#net.ipv6.conf.all.use_tempaddr=2
-#net.ipv6.conf.default.use_tempaddr=2
+#net.ipv6.conf.*.use_tempaddr=2

From 9212a4e93754a4505be3fcf0ff4b029c073d2f07 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Fri, 16 Aug 2024 13:12:07 +1000
Subject: [PATCH 583/846] Typos

---
 README.md | 4 ++--
 usr/lib/sysctl.d/990-security-misc.conf | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index e8e3083..5d81c69 100644
--- a/README.md
+++ b/README.md
@@ -145,9 +145,9 @@ configuration file. - Force kernel panics on "oopses" to potentially indicate and thwart certain kernel exploitation attempts. -- Provide the option to modify machine check exception handler. +- Provide the option to modify the machine check exception handler. -- Disallow sensitive kernel information leaks in the console during boot. +- Prevent sensitive kernel information leaks in the console during boot. - Enable the kernel Electric-Fence sampling-based memory safety error detector which can identify heap out-of-bounds access, use-after-free, and invalid-free errors. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index b72fa90..a245693 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -349,7 +349,7 @@ net.ipv6.conf.default.accept_ra=0 #net.ipv4.tcp_dsack=0 ## Disable TCP timestamps to limit device fingerprinting via system time. -## Timestamps allows round-trip time measurement and protection against wrapped sequence numbers. +## Timestamps allow round-trip time measurement and protection against wrapped sequence numbers. ## Disabling timestamps on very fast links is likely to cause TCP Sequence Numbers to wrap. ## Segments with wrapped numbers will be incorrectly discarded, reducing network performance. ## From a13298002350a39491a509d15633edb95a2e3edd Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Fri, 16 Aug 2024 13:24:25 +1000 Subject: [PATCH 584/846] Update README.md --- README.md | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/README.md b/README.md index 5d81c69..81f3ca7 100644 --- a/README.md +++ b/README.md 
@@ -42,19 +42,19 @@ space, user space, core dumps, and swap space. - Restrict kernel profiling and the performance events system to `CAP_PERFMON`. - Force the kernel to panic on "oopses" that can potentially indicate and thwart - certain kernel exploitation attempts. Provide the option to reboot immediately - on a kernel panic. + certain kernel exploitation attempts. Optional - Force immediate reboot on the + occurrence of a kernel panic. - Randomize the addresses (ASLR) for mmap base, stack, VDSO pages, and heap. - Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. -- Disable asynchronous I/O as `io_uring` has been the source - of numerous kernel exploits (when using Linux kernel version >= 6.6). +- Disable asynchronous I/O (when using Linux kernel >= 6.6) as `io_uring` has been + the source of numerous kernel exploits. - Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it - enables programs to inspect and modify other active processes. Provide the - option to entirely disable the use of `ptrace()` for all processes. + enables programs to inspect and modify other active processes. Optional - Disable + usage of `ptrace()` by all processes. - Maximize the bits of entropy used for mmap ASLR across all architectures. 
@@ -91,15 +91,15 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6. - Do not accept IPv6 router advertisements and solicitations. -- Provide the option to disable SACK and DSACK as they have historically been - a known vector for exploitation. +- Optional - Disable SACK and DSACK as they have historically been a known + vector for exploitation. - Disable TCP timestamps as they can allow detecting the system time. -- Provide the option to log packets with impossible source or destination - addresses to enable further inspection and analysis. +- Optional - Log packets with impossible source or destination addresses to + enable further inspection and analysis. -- Provide the option to enable IPv6 Privacy Extensions. +- Optional - Enable IPv6 Privacy Extensions. ### mmap ASLR @@ -145,7 +145,7 @@ configuration file. - Force kernel panics on "oopses" to potentially indicate and thwart certain kernel exploitation attempts. -- Provide the option to modify the machine check exception handler. +- Optional - Modify the machine check exception handler. - Prevent sensitive kernel information leaks in the console during boot. 
@@ -154,12 +154,12 @@ configuration file. - Disable 32-bit vDSO mappings as they are a legacy compatibility feature. -- Provide the option to use kCFI as the default CFI implementation since it may be - slightly more resilient to attacks that are able to write arbitrary executables - in memory (when using Linux kernel version >= 6.2). +- Optional - Use kCFI as the default CFI implementation (when using Linux kernel >= 6.2) + since it may be slightly more resilient to attacks that are able to write + arbitrary executables in memory. -- Provide the option to disable support for all x86 processes and syscalls to reduce - attack surface (when using Linux kernel version >= 6.7). +- Optional - Disable support for all x86 processes and syscalls (when using Linux kernel >= 6.7) + to reduce attack surface. - Enable strict IOMMU translation to protect against some DMA attacks via the use of both CPU manufacturer-specific drivers and kernel settings. @@ -173,7 +173,7 @@ configuration file. - Obtain more entropy at boot from RAM as the runtime memory allocator is being initialized. -- Provide the option to disable the entire IPv6 stack to reduce attack surface. +- Optional - Disable the entire IPv6 stack to reduce attack surface. ### Kernel Modules From 84376d23fc17d2ced890ffca0b05d15907d42a6f Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Fri, 16 Aug 2024 13:39:11 +1000 Subject: [PATCH 585/846] Add details on ASLR and move to user space section --- README.md | 4 ++-- usr/lib/sysctl.d/990-security-misc.conf | 16 +++++++++------- 2 files changed, 11 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 81f3ca7..1d869a1 100644 --- a/README.md +++ b/README.md 
@@ -45,8 +45,6 @@ space, user space, core dumps, and swap space. certain kernel exploitation attempts. Optional - Force immediate reboot on the occurrence of a kernel panic. -- Randomize the addresses (ASLR) for mmap base, stack, VDSO pages, and heap. - - Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. - Disable asynchronous I/O (when using Linux kernel >= 6.6) as `io_uring` has been @@ -63,6 +61,8 @@ space, user space, core dumps, and swap space. - Disallow unintentional writes to files in world-writable directories unless they are owned by the directory owner to mitigate some data spoofing attacks. +- Randomize the addresses (ASLR) for mmap base, stack, VDSO pages, and heap. + - Increase the maximum number of memory map areas a process is able to utilize. - Disable core dump files and prevent their creation. If core dump files are diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index a245693..39aa63c 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -120,13 +120,6 @@ kernel.perf_event_paranoid=3 #kernel.panic_on_oops=1 #kernel.panic=-1 -## Enable ASLR for mmap base, stack, VDSO pages, and heap. -## Heap randomization can lead to breakages with legacy applications. -## -## https://en.wikipedia.org/wiki/Address_space_layout_randomization#Linux -## -kernel.randomize_va_space=2 - ## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. ## Can lead to privilege escalation by pushing characters into a controlling TTY. ## Will break out-dated screen readers that continue to rely on this legacy functionality. 
@@ -205,6 +198,15 @@ fs.protected_symlinks=1 fs.protected_fifos=2 fs.protected_regular=2 +## Enable ASLR for mmap base, stack, VDSO pages, and heap. +## Forces shared libraries to be loaded to random addresses +## Start location of PIE-linked binaries is randomized. +## Heap randomization can lead to breakages with legacy applications. +## +## https://en.wikipedia.org/wiki/Address_space_layout_randomization#Linux +## +kernel.randomize_va_space=2 + ## Increase the maximum number of memory map areas a process is permitted to utilize. ## Addresses performance, crash, and start-up issues for some memory-intensive applications. ## Required to accommodate the very large number of guard pages created by hardened_malloc. From cea8e753786d100ebe961ad74a99925e54d47771 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Fri, 16 Aug 2024 14:55:22 +1000 Subject: [PATCH 586/846] Consistent formating --- usr/lib/sysctl.d/30_security-misc_kexec-disable.conf | 3 +-- usr/lib/sysctl.d/30_silent-kernel-printk.conf | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf index b61a762..0400ad1 100644 --- a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf +++ b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf @@ -10,9 +10,8 @@ ## Instead, ram-wipe will config-package-dev 'hide' this file. ## Disables kexec, which can be used to replace the running kernel. -## Kexec is useful for live kernel patching without rebooting. +## Useful for live kernel patching without rebooting. ## -## For more information, see: ## https://en.wikipedia.org/wiki/Kexec ## kernel.kexec_load_disabled=1 diff --git a/usr/lib/sysctl.d/30_silent-kernel-printk.conf b/usr/lib/sysctl.d/30_silent-kernel-printk.conf index 0d5e4aa..f8baa3f 100644 --- a/usr/lib/sysctl.d/30_silent-kernel-printk.conf +++ b/usr/lib/sysctl.d/30_silent-kernel-printk.conf 
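Review bot: The relocated ASLR block's second comment line, `## Forces shared libraries to be loaded to random addresses`, is the only line in the block without a terminating period. Suggest `## Forces shared libraries to be loaded to random addresses.` so it reads like the surrounding lines.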
@@ -2,10 +2,9 @@ ## See the file COPYING for copying conditions. ## Prevent kernel information leaks in the console during boot. -## Must be used in combination with the kernel boot parameters. +## Must be used in conjunction with kernel boot parameters. ## See /etc/default/grub.d/41_quiet_boot.cfg for implementation. ## -## For more information, refer to: ## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html ## kernel.printk=3 3 3 3 From e962153f84c4cb8e13fb0cc25d611ae481c7a0c7 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 16 Aug 2024 08:38:12 +0000 Subject: [PATCH 587/846] bumped changelog version --- changelog.upstream | 241 +++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++ 2 files changed, 247 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 7bab75d..7c57922 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,94 @@ +commit 40b12f5a2a4a40d7033569b11ad4e1c228e7389b +Merge: 12296c6 305467c +Author: Patrick Schleizer +Date: Fri Aug 16 04:30:29 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 305467c652af933bb5aa5a677b10a992a5f19cab +Merge: 12296c6 a5373af +Author: Patrick Schleizer +Date: Fri Aug 16 04:25:43 2024 -0400 + + Merge pull request #245 from raja-grewal/blacklist_to_disable + + Update `/etc/modprobe.d/*` + +commit 12296c68dc0aaa3703e1c36f854a02de8db412fe +Merge: 4bc12b0 036bcea +Author: Patrick Schleizer +Date: Fri Aug 16 04:22:43 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 036bcea4e6757de094fcafdadcf56aaa90729d79 +Merge: ef60c5b 81bf7a8 +Author: Patrick Schleizer +Date: Fri Aug 16 04:20:32 2024 -0400 + + Merge pull request #262 from raja-grewal/docs + + Miscellaneous updates to presentation + +commit 81bf7a8f90098a7107dcb3c783b87a168f5c090f +Merge: cea8e75 ef60c5b +Author: raja-grewal +Date: Fri Aug 16 16:57:01 2024 +1000 + + Merge branch 'Kicksecure:master' into docs + +commit ef60c5b153a521e1cfd522ac471a8ca6dc076d90 +Merge: 4bc12b0 b552b92 +Author: Patrick Schleizer +Date: Fri Aug 16 02:43:57 2024 -0400 + + Merge pull request #249 from raja-grewal/binfmt_misc + + Disallow registering interpreters for miscellaneous binary formats + +commit cea8e753786d100ebe961ad74a99925e54d47771 +Author: Raja Grewal +Date: Fri Aug 16 14:55:22 2024 +1000 + + Consistent formating + +commit 84376d23fc17d2ced890ffca0b05d15907d42a6f +Author: Raja Grewal +Date: Fri Aug 16 13:39:11 2024 +1000 + + Add details on ASLR and move to user space section + +commit a13298002350a39491a509d15633edb95a2e3edd +Author: Raja Grewal +Date: Fri Aug 16 13:24:25 2024 +1000 + + Update README.md + +commit 9212a4e93754a4505be3fcf0ff4b029c073d2f07 +Author: Raja Grewal +Date: Fri Aug 16 13:12:07 2024 +1000 + + Typos + +commit e3a3207a4447568a17129afe9dde34debc465e21 +Author: Raja Grewal +Date: Fri Aug 16 12:41:36 2024 +1000 + + 
Clarify DMA hardening + +commit be9308e490f79a7b7788a744524d1d91cc870726 +Merge: 73db68d 4bc12b0 +Author: raja-grewal +Date: Fri Aug 16 11:45:43 2024 +1000 + + Merge branch 'Kicksecure:master' into docs + +commit 4bc12b07b42def786862b938e3f63c18cf874158 +Author: Patrick Schleizer +Date: Thu Aug 15 17:51:18 2024 +0000 + + bumped changelog version + commit 9e61e37c17524b57f185b796f2ac19ba193205a8 Merge: 89e816d dfd1c97 Author: Patrick Schleizer 
@@ -14,12 +105,98 @@ Date: Thu Aug 15 13:46:30 2024 -0400 Re-enable (default) `secure_redirects` for ICMP redirect messages +commit b552b92401f67d59e12ac6fda2f7fe1c54b0c8a7 +Author: Raja Grewal +Date: Thu Aug 15 11:54:21 2024 +1000 + + Add references on `fs.binfmt_misc.status` + +commit 326d82a9beee130956dd817812016a6ee16fccbc +Author: Raja Grewal +Date: Thu Aug 15 11:46:56 2024 +1000 + + Revert "Provide optional `sysctl fs.binfmt_misc.status=0`" + + This reverts commit debd7a7b7ae8b03e04d2c8597bcccf2c79000570. + +commit 73db68dbf9a1f9ded95a593db36a4960ce06a173 +Author: Raja Grewal +Date: Fri Aug 9 14:27:30 2024 +1000 + + Add details on KFENCE + +commit f8fa89b245d929aee9884937fdcf44a6551df4cf +Author: Raja Grewal +Date: Fri Aug 9 14:21:59 2024 +1000 + + Add details on `tcp_timestamps` + +commit 3456f1c1d7725846ec201c28dd693bf9b07bab89 +Author: Raja Grewal +Date: Fri Aug 9 13:39:25 2024 +1000 + + Minor consistency update in README.md + +commit 15c638acad64cc3dcc7b5c43d9a6be2fa2350654 +Author: Raja Grewal +Date: Fri Aug 9 13:36:47 2024 +1000 + + Add reference on RDRAND + +commit 077bc48a26d1d3f5d1f758d7e251edccba64742b +Author: Raja Grewal +Date: Fri Aug 9 13:35:33 2024 +1000 + + Add reference on `rp_filter` + +commit d8bcec881f66604e29d6e0c1426635e2ad4979f1 +Author: Raja Grewal +Date: Fri Aug 9 13:33:32 2024 +1000 + + Add some notices for future Debian 13 rebase + +commit 0b0683499a6a21e3995a115c377eb19008bc4cd1 +Author: Raja Grewal +Date: Fri Aug 9 13:30:39 2024 +1000 + + Consistent line length formatting + +commit e5a38fc856c66d2bd6abc35fc08d4f2083ea8e54 +Author: Raja Grewal +Date: Fri Aug 9 13:30:15 2024 +1000 + + Typo + +commit a5373afc55e789f4657f3d843243e878e4afffa2 +Author: Raja Grewal +Date: Wed Aug 7 14:44:14 2024 +1000 + + Details on disabled `fbdev` kernel modules + +commit e98dc8c4f8af32dd3b10c034477fd2154df189ac +Author: Raja Grewal +Date: Wed Aug 7 14:14:47 2024 +1000 + + Update notifications for disabled kernel modules + +commit 
50fa721fd54cd696ae90a35bc7df7c8f1eb17a13 +Author: Raja Grewal +Date: Wed Aug 7 14:01:49 2024 +1000 + + Update docs regarding Intel module disabling + commit ec3038c7bc625f6c8eddb753ffe295ff2697a717 Author: Raja Grewal Date: Wed Aug 7 13:48:53 2024 +1000 Clarify `secure_redirects` +commit debd7a7b7ae8b03e04d2c8597bcccf2c79000570 +Author: Raja Grewal +Date: Wed Aug 7 13:33:44 2024 +1000 + + Provide optional `sysctl fs.binfmt_misc.status=0` + commit 89e816dda6c5a00512b276071c4d9fe108ee63b5 Author: Patrick Schleizer Date: Tue Aug 6 14:01:39 2024 +0000 @@ -219,6 +396,24 @@ Date: Sun Jul 28 15:43:54 2024 -0400 Disable the usage of `ptrace()` by all processes +commit 9cabaa1bd15a0639c87bf2e965755d06ff0a7bb4 +Author: Raja Grewal +Date: Sun Jul 28 22:04:30 2024 +1000 + + Typo + +commit d2d024ebe9a371eaf90b7b72f8a227e5d2e9babe +Author: Raja Grewal +Date: Sun Jul 28 22:03:33 2024 +1000 + + Typo + +commit 9fbee9fc82768c3b436307459d174378ee471335 +Author: Raja Grewal +Date: Sun Jul 28 21:57:25 2024 +1000 + + Clarify + commit e60ce50d30c8981f13d8bab1d6ca8b8efb9d8928 Author: Patrick Schleizer Date: Sat Jul 27 16:13:35 2024 +0000 @@ -325,6 +520,13 @@ Date: Fri Jul 26 10:16:20 2024 -0400 use `find` with `safe_echo_nonewline` +commit 20454fb81157f1f962f36d9c37d34f4ac650a1e6 +Merge: 28b25bd 6bbf176 +Author: raja-grewal +Date: Sat Jul 27 00:09:30 2024 +1000 + + Merge branch 'Kicksecure:master' into blacklist_to_disable + commit 6bbf176e3b91f842cf4cdeaf8cb1f4c60e159a0c Author: Patrick Schleizer Date: Fri Jul 26 09:33:45 2024 -0400 @@ -480,6 +682,12 @@ Date: Thu Jul 25 12:20:16 2024 +0200 Unduplicate stat call +commit 28b25bda3f51c7d5a6ee6d28446cb5f731f452d0 +Author: Raja Grewal +Date: Thu Jul 25 15:51:32 2024 +1000 + + Partial inclusion of GrapheneOS infrastructure blacklist + commit ed3336694ce35614ab47db42bce29d3c69d46752 Author: Raja Grewal Date: Thu Jul 25 10:28:27 2024 +1000 
@@ -492,6 +700,12 @@ Date: Thu Jul 25 10:26:23 2024 +1000 Add documentation on `sysctl kernel.panic_on_oops=1` +commit f699eb02a27ef54b9ced5866447b63152984af66 +Author: Raja Grewal +Date: Thu Jul 25 10:11:33 2024 +1000 + + Set `sysctl fs.binfmt_misc.status=0` + commit 9231f058911ab9059e91c4c0c1677ef66b5bb666 Author: Patrick Schleizer Date: Wed Jul 24 13:31:49 2024 -0400 @@ -689,6 +903,13 @@ Date: Mon Jul 22 17:26:00 2024 +1000 Add option to switch (back) to using kCFI in the future +commit f582e543434ba20a2fb7f7300058f7c8a7d62878 +Merge: a189956 d2563ed +Author: raja-grewal +Date: Mon Jul 22 15:12:00 2024 +1000 + + Merge branch 'Kicksecure:master' into blacklist_to_disable + commit d2563ed92317a029340dbb83f30da008b01325f2 Author: Patrick Schleizer Date: Sun Jul 21 10:40:14 2024 +0000 @@ -722,6 +943,26 @@ Date: Sat Jul 20 12:57:56 2024 -0400 postqueue matchwhitelist postdrop matchwhitelist +commit a189956adc2cf5a1c8311d0e0e9c7cfbc6e4afe3 +Author: Raja Grewal +Date: Sat Jul 20 20:11:09 2024 +1000 + + Typo + +commit 3c720a0715191c858e8d1df9795dddfea5dbdcf1 +Author: Raja Grewal +Date: Sat Jul 20 15:03:21 2024 +1000 + + Disable some legacy drivers + These were all previously blacklisted for over 2 years. + +commit c4965ed838b1df93ddb9e947fb2f0d23fa8ffc17 +Author: Raja Grewal +Date: Sat Jul 20 14:55:10 2024 +1000 + + Disable legacy framebuffer drivers + These were all previously blacklisted for over 2 years. + commit 9f53a0182b5f6a7cf8228bf19b04661d39c7a2fe Author: Patrick Schleizer Date: Fri Jul 19 07:20:59 2024 -0400 diff --git a/debian/changelog b/debian/changelog index 9f574d5..2bc634a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:39.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 16 Aug 2024 08:38:11 +0000 + security-misc (3:38.9-1) unstable; urgency=medium * New upstream version (local package). From fae586c3c5e8382ca01c60f810b26d88189a5514 Mon Sep 17 00:00:00 2001 
From: Raja Grewal
Date: Fri, 16 Aug 2024 19:23:48 +1000
Subject: [PATCH 588/846] Patch bug in existing `rp_filter` `sysctl`

---
 usr/lib/sysctl.d/990-security-misc.conf | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index f6b49f0..1e675ca 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -270,12 +270,15 @@ net.ipv4.tcp_rfc1337=1
 
 ## Enable reverse path filtering (source validation) of packets received from all interfaces.
 ## Prevents IP spoofing and mitigates vulnerabilities such as CVE-2019-14899.
+## The second "default" command fixes a bug in the existing kernel implementation.
 ##
 ## https://en.wikipedia.org/wiki/IP_address_spoofing
 ## https://forums.whonix.org/t/enable-reverse-path-filtering/8594
 ## https://seclists.org/oss-sec/2019/q4/122
+## https://github.com/Kicksecure/security-misc/pull/261
 ##
 net.ipv4.conf.*.rp_filter=1
+net.ipv4.conf.default.rp_filter=1
 
 ## Disable ICMP redirect acceptance and redirect sending messages.
 ## Prevents man-in-the-middle attacks and minimizes information disclosure.

From 759aee8150a2d1258d73217c071b25432d47496f Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Fri, 16 Aug 2024 22:54:57 +1000
Subject: [PATCH 589/846] Provide option to disable user namespaces

---
 README.md | 2 +-
 usr/lib/sysctl.d/990-security-misc.conf | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index da9254a..4644c6a 100644
--- a/README.md
+++ b/README.md
@@ -37,7 +37,7 @@ space, user space, core dumps, and swap space.
   can no longer be utilized. See [documentation](https://www.kicksecure.com/wiki/SysRq).
 
 - Restrict user namespaces to `CAP_SYS_ADMIN` as they can lead to substantial
-  privilege escalation.
+  privilege escalation. Optional - Disable all use of user namespaces.
 
 - Restrict kernel profiling and the performance events system to `CAP_PERFMON`.
 
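Review bot: The added comment `## The second "default" command fixes a bug in the existing kernel implementation.` names neither the bug nor its symptom, so a maintainer cannot tell when the explicit `net.ipv4.conf.default.rp_filter=1` line may be dropped again, or whether the root cause is in the kernel or in how the `*` glob is expanded by systemd-sysctl. Suggest replacing it with a sentence that states what was observed without the extra line (which entry kept its old value, and on which kernel and systemd versions); the PR link that follows helps, but the file should explain itself. It is also worth confirming in sysctl.d(5) how an explicit key and a glob matching the same key are ordered, since as I recall the explicit key wins regardless of position, which would make the placement of the new line immaterial and is worth a few words in the comment.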
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index 9836bc2..f576dbc 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -93,11 +93,16 @@ kernel.sysrq=0
 ## User namespaces aim to improve sandboxing and accessibility for unprivileged users.
 ## Unprivileged user namespaces pose substantial privilege escalation risks.
 ## Restricting may lead to breakages in numerous software packages.
+## Uncomment the second sysctl to entirely disable user namespaces.
 ##
 ## https://madaidans-insecurities.github.io/linux.html#kernel
 ## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers
 ##
+## KSPP=partial
+## KSPP sets the stricter sysctl user.max_user_namespaces=0.
+##
 kernel.unprivileged_userns_clone=0
+#user.max_user_namespaces=0
 
 ## Restricts kernel profiling to users with CAP_PERFMON.
 ## The performance events system should not be accessible by unprivileged users.

From 248e094b8e0bbf7892f79ad1c3ec77c7ed00d008 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Sat, 17 Aug 2024 01:06:21 +1000
Subject: [PATCH 590/846] Include KSPP compliance notices

---
 etc/default/grub.d/40_cpu_mitigations.cfg | 6 +++
 etc/default/grub.d/40_kernel_hardening.cfg | 48 +++++++++++++++++++
 etc/default/grub.d/40_signed_modules.cfg | 8 +++-
 .../30_security-misc_kexec-disable.conf | 3 ++
 usr/lib/sysctl.d/990-security-misc.conf | 48 +++++++++++++++++++
 5 files changed, 112 insertions(+), 1 deletion(-)

diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg
index 99eee7d..486b63b 100644
--- a/etc/default/grub.d/40_cpu_mitigations.cfg
+++ b/etc/default/grub.d/40_cpu_mitigations.cfg
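Review bot: The new optional `#user.max_user_namespaces=0` has a much wider blast radius than the `kernel.unprivileged_userns_clone=0` line above it, and the added comment does not say so: as far as I recall the limit applies to every user, root included, so enabling it also stops container runtimes and bubblewrap/flatpak-style sandboxes that the unprivileged-only restriction leaves working. Suggest extending the added line to `## Uncomment the second sysctl to entirely disable user namespaces (all users, root included; breaks container runtimes and namespace-based sandboxes).` The `KSPP=partial` tag is introduced here without any definition of what the tag values mean; a one-line legend near the top of the file would help readers of this and the later KSPP notices.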
@@ -13,6 +13,9 @@
 
 ## Enable a subset of known mitigations for CPU vulnerabilities and disable SMT.
 ##
+## KSPP=yes
+## KSPP sets the kernel parameters.
+##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt"
 
 ## Disable SMT as it has been the cause of and amplified numerous CPU exploits.
@@ -24,6 +27,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt"
 ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17
 ## https://github.com/anthraxx/linux-hardened/issues/37#issuecomment-619597365
 ##
+## KSPP=yes
+## KSPP sets the kernel parameter.
+##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force"
 
 ## Enable mitigations for both Spectre Variant 2 (indirect branch speculation)
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg
index b6cc9df..35472ba 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@@ -27,6 +27,9 @@ kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || tru
 ## https://www.openwall.com/lists/kernel-hardening/2017/06/19/33
 ## https://www.openwall.com/lists/kernel-hardening/2017/06/20/10
 ##
+## KSPP=yes
+## KSPP sets the kernel parameter and does not set CONFIG_SLAB_MERGE_DEFAULT.
+##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge"
 
 ## Enable sanity checks and red zoning of slabs via debugging options to detect corruption.
@@ -39,6 +42,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge"
 ## https://gitlab.tails.boum.org/tails/tails/-/issues/19613
 ## https://github.com/Kicksecure/security-misc/issues/253
 ##
+## KSPP=yes
+## KSPP sets the kernel parameters and CONFIG_SLUB_DEBUG.
+##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_debug=FZ"
 
 ## Zero memory at allocation time and free time.
@@ -47,6 +53,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_debug=FZ"
 ##
 ## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6471384af2a6530696fc0203bafe4de41a23c9ef
 ##
+## KSPP=yes
+## KSPP sets the kernel parameters, CONFIG_INIT_ON_ALLOC_DEFAULT_ON=y, and CONFIG_INIT_ON_FREE_DEFAULT_ON=y.
+##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_alloc=1"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_free=1"
 
@@ -58,6 +67,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX init_on_free=1"
 ## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e900a918b0984ec8f2eb150b8477a47b75d17692
 ## https://en.wikipedia.org/wiki/Return-oriented_programming#Attacks
 ##
+## KSPP=yes
+## KSPP sets the kernel parameter and CONFIG_SHUFFLE_PAGE_ALLOCATOR=y.
+##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1"
 
 ## Enable kernel page table isolation to harden against kernel ASLR (KASLR) bypasses.
@@ -65,6 +77,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_alloc.shuffle=1"
 ##
 ## https://en.wikipedia.org/wiki/Kernel_page-table_isolation
 ##
+## KSPP=yes
+## KSPP sets the kernel parameter and CONFIG_MITIGATION_PAGE_TABLE_ISOLATION=y.
+##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on"
 
 ## Enable randomization of the kernel stack offset on syscall entries.
@@ -74,6 +89,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX pti=on"
 ## https://lkml.org/lkml/2019/3/18/246
 ## https://a13xp0p0v.github.io/2020/02/15/CVE-2019-18683.html
 ##
+## KSPP=yes
+## KSPP sets the kernel parameter and CONFIG_RANDOMIZE_KSTACK_OFFSET_DEFAULT=y.
+##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX randomize_kstack_offset=on"
 
 ## Disable vsyscalls to reduce attack surface as they have been replaced by vDSO.
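Review bot: The PTI notice names `CONFIG_MITIGATION_PAGE_TABLE_ISOLATION=y`, which if I recall correctly is the name only since the 6.9 rename; the kernels this file mostly targets today (the `>= 6.2` and `>= 6.7` TODOs elsewhere in the file imply an older baseline) still spell it `CONFIG_PAGE_TABLE_ISOLATION`, so someone checking a running kernel's config against this comment will not find the symbol. If that rename date checks out, suggest `## KSPP sets the kernel parameter and CONFIG_MITIGATION_PAGE_TABLE_ISOLATION=y (CONFIG_PAGE_TABLE_ISOLATION before Linux 6.9).`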
@@ -82,6 +100,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX randomize_kstack_offset=on"
 ## https://lwn.net/Articles/446528/
 ## https://en.wikipedia.org/wiki/VDSO
 ##
+## KSPP=yes
+## KSPP sets the kernel parameter, CONFIG_LEGACY_VSYSCALL_NONE=y and does not set CONFIG_X86_VSYSCALL_EMULATION.
+##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vsyscall=none"
 
 ## Restrict access to debugfs by not registering the file system.
@@ -98,6 +119,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 ##
 ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713
 ##
+## KSPP=yes
+## KSPP sets CONFIG_PANIC_ON_OOPS=y and CONFIG_PANIC_TIMEOUT=-1.
+##
 ## See /usr/libexec/security-misc/panic-on-oops for implementation.
 ##
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX oops=panic"
@@ -135,6 +159,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 ## https://blogs.oracle.com/linux/post/linux-slub-allocator-internals-and-debugging-4
 ## https://lwn.net/Articles/835542/
 ##
+## KSPP=yes
+## KSPP sets the kernel parameter, CONFIG_KFENCE=y, and CONFIG_KFENCE_SAMPLE_INTERVAL=100.
+##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100"
 
 ## Disable 32-bit Virtual Dynamic Shared Object (vDSO) mappings.
@@ -143,6 +170,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100"
 ## https://lore.kernel.org/lkml/20080409082927.BD59E26F992@magilla.localdomain/T/
 ## https://lists.openwall.net/linux-kernel/2014/03/11/3
 ##
+## KSPP=yes
+## KSPP sets the kernel parameter and does not set CONFIG_COMPAT_VDSO.
+##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
 
 ## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation.
@@ -165,6 +195,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
 ## https://lpc.events/event/16/contributions/1315/attachments/1067/2169/cfi.pdf
 ## https://forums.whonix.org/t/kernel-hardening-security-misc/7296/561
 ##
+## KSPP=yes
+## KSPP sets the kernel parameter.
+##
 ## TODO: Debian 13 Trixie
 ## Applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness).
 ##
@@ -175,6 +208,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
 ##
 ## https://lore.kernel.org/all/20230623111409.3047467-7-nik.borisov@suse.com/
 ##
+## KSPP=yes
+## KSPP does not set CONFIG_COMPAT, CONFIG_IA32_EMULATION, CONFIG_X86_X32, CONFIG_X86_X32_ABI, and CONFIG_MODIFY_LDT_SYSCALL.
+##
 ## TODO: Debian 13 Trixie
 ## Applicable when using Linux kernel >= 6.7 (retained here for future-proofing and completeness).
 ##
@@ -186,6 +222,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
 
 ## Enable CPU manufacturer-specific IOMMU drivers to mitigate some DMA attacks.
 ##
+## KSPP=yes
+## KSPP sets CONFIG_INTEL_IOMMU=y, CONFIG_INTEL_IOMMU_DEFAULT_ON=y, CONFIG_INTEL_IOMMU_SVM=y, CONFIG_AMD_IOMMU=y, and CONFIG_AMD_IOMMU_V2=y.
+##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX amd_iommu=force_isolation"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on"
 
@@ -197,6 +236,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on"
 ## https://en.wikipedia.org/wiki/DMA_attack
 ## https://lenovopress.lenovo.com/lp1467.pdf
 ##
+## KSPP=yes
+## KSPP sets the kernel parameters, CONFIG_IOMMU_SUPPORT=y, CONFIG_IOMMU_DEFAULT_DMA_STRICT=y, and does not set CONFIG_IOMMU_DEFAULT_PASSTHROUGH.
+##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu=force"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.passthrough=0"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.strict=1"
@@ -210,6 +252,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX iommu.strict=1"
 ## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94
 ## https://mjg59.dreamwidth.org/54433.html
 ##
+## KSPP=yes
+## KSPP sets CONFIG_EFI_DISABLE_PCI_DMA=y.
+##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma"
 
 ## 3. Entropy:
@@ -234,6 +279,9 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi=disable_early_pci_dma"
 ## https://github.com/NixOS/nixpkgs/pull/165355
 ## https://lkml.org/lkml/2022/6/5/271
 ##
+## KSPP=yes
+## KSPP sets CONFIG_RANDOM_TRUST_BOOTLOADER=y and CONFIG_RANDOM_TRUST_CPU=y.
+##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_bootloader=off"
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off"
 
diff --git a/etc/default/grub.d/40_signed_modules.cfg b/etc/default/grub.d/40_signed_modules.cfg
index 9a6a101..5e6fce7 100644
--- a/etc/default/grub.d/40_signed_modules.cfg
+++ b/etc/default/grub.d/40_signed_modules.cfg
@@ -9,6 +9,9 @@
 ## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/61
 ## https://github.com/dell/dkms/issues/359
 ##
+## KSPP=yes
+## KSPP sets CONFIG_MODULE_SIG=y, CONFIG_MODULE_SIG_FORCE=y, and CONFIG_MODULE_SIG_ALL=y.
+##
 ## Not enabled by default yet due to several issues.
 ##
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX module.sig_enforce=1"
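Review bot: The entropy notice is the one place where the `KSPP=yes` tag sits next to a description of the opposite setting: it says KSPP sets `CONFIG_RANDOM_TRUST_BOOTLOADER=y` and `CONFIG_RANDOM_TRUST_CPU=y` (trust those sources) while the two parameters it annotates are `random.trust_bootloader=off` and `random.trust_cpu=off`, and nothing in any of these hunks defines what the tag means. From the sysrq notice in the 990-security-misc.conf hunks ("KSPP sets the less strict ...", also tagged yes) the tag seems to mean "this setting meets or exceeds KSPP", but a reader who takes it as "matches KSPP" will read this block as wrong; the Kconfig values quoted here should also be rechecked against the KSPP recommended-settings list, since I am not certain KSPP recommends trusting either source. Suggest defining the tag once per file, near the top, e.g. `## KSPP=yes|partial|no: whether this setting meets or exceeds the KSPP recommended value; the following line states what KSPP itself sets.`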
@@ -18,7 +21,10 @@
 ##
 ## https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880
 ##
-## ## Not enabled by default yet due to several issues.
+## KSPP=yes
+## KSPP sets CONFIG_SECURITY_LOCKDOWN_LSM=y, CONFIG_SECURITY_LOCKDOWN_LSM_EARLY=y, and CONFIG_LOCK_DOWN_KERNEL_FORCE_CONFIDENTIALITY=y.
+##
+## Not enabled by default yet due to several issues.
 ##
 #if dpkg --compare-versions "${kver}" ge "5.4"; then
 # GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX lockdown=confidentiality"
diff --git a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf
index 0400ad1..eb785cc 100644
--- a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf
+++ b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf
@@ -14,4 +14,7 @@
 ##
 ## https://en.wikipedia.org/wiki/Kexec
 ##
+## KSPP=yes
+## KSPP sets the sysctl and does not set CONFIG_KEXEC.
+##
 kernel.kexec_load_disabled=1
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index 9836bc2..3bd7ea1 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -31,11 +31,17 @@
 ##
 ## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
 ##
+## KSPP=yes
+## KSPP sets the sysctl.
+##
 kernel.kptr_restrict=2
 ## Restrict access to the kernel log buffer to users with CAP_SYSLOG.
 ## Kernel logs often contain sensitive information such as kernel pointers.
 ##
+## KSPP=yes
+## KSPP sets the sysctl and CONFIG_SECURITY_DMESG_RESTRICT=y.
+##
 kernel.dmesg_restrict=1
 ## Prevent kernel information leaks in the console during boot.
@@ -52,6 +58,9 @@ kernel.dmesg_restrict=1
 ##
 ## https://en.wikipedia.org/wiki/EBPF#Security
 ##
+## KSPP=yes
+## KSPP sets the sysctls.
+##
 kernel.unprivileged_bpf_disabled=1
 net.core.bpf_jit_harden=2
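Review bot: The `kernel.kexec_load_disabled=1` hunk in 30_security-misc_kexec-disable.conf would benefit from recording that this sysctl is one-way: once it reads 1 it cannot be set back to 0 until the next boot, so anyone experimenting with the setting or relying on loading a crash kernel afterwards needs to know before applying it. A single line above the KSPP annotation would do, e.g. `## Once set to 1, the sysctl cannot be reverted without a reboot.` The same caveat applies to the commented-out copy of this sysctl in 990-security-misc.conf, which points readers at this file for the implementation.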
@@ -61,6 +70,9 @@ net.core.bpf_jit_harden=2
 ## https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html
 ## https://lkml.org/lkml/2019/4/15/890
 ##
+## KSPP=yes
+## KSPP sets the sysctl does not set CONFIG_LDISC_AUTOLOAD.
+##
 dev.tty.ldisc_autoload=0
 ## Restrict the userfaultfd() syscall to users with SYS_CAP_PTRACE.
@@ -69,6 +81,9 @@ dev.tty.ldisc_autoload=0
 ## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cefdca0a86be517bc390fc4541e3674b8e7803b0
 ## https://duasynt.com/blog/linux-kernel-heap-spray
 ##
+## KSPP=yes
+## KSPP sets the sysctl.
+##
 vm.unprivileged_userfaultfd=0
 ## Disables kexec, which can be used to replace the running kernel.
@@ -78,6 +93,9 @@ vm.unprivileged_userfaultfd=0
 ##
 ## See /usr/lib/sysctl.d/30_security-misc_kexec-disable.conf for implementation.
 ##
+## KSPP=yes
+## KSPP sets the sysctl and does not set CONFIG_KEXEC.
+##
 #kernel.kexec_load_disabled=1
 ## Disable the SysRq key to prevent leakage of kernel information.
@@ -87,6 +105,9 @@ vm.unprivileged_userfaultfd=0
 ## https://www.kicksecure.com/wiki/SysRq
 ## https://github.com/xairy/unlockdown
 ##
+## KSPP=yes
+## KSPP sets the less strict CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176.
+##
 kernel.sysrq=0
 ## Restrict user namespaces to users with CAP_SYS_ADMIN.
@@ -106,6 +127,9 @@ kernel.unprivileged_userns_clone=0
 ## https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html#unprivileged-users
 ## https://lore.kernel.org/kernel-hardening/1469630746-32279-1-git-send-email-jeffv@google.com/
 ##
+## KSPP=yes
+## KSPP sets the sysctl.
+##
 kernel.perf_event_paranoid=3
 ## Force the kernel to panic on "oopses".
@@ -115,6 +139,9 @@ kernel.perf_event_paranoid=3
 ##
 ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713
 ##
+## KSPP=yes
+## KSPP sets CONFIG_PANIC_ON_OOPS=y and CONFIG_PANIC_TIMEOUT=-1.
+##
 ## See /usr/libexec/security-misc/panic-on-oops for implementation.
 ##
 #kernel.panic_on_oops=1
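Review bot: In the `dev.tty.ldisc_autoload` hunk the added line `## KSPP sets the sysctl does not set CONFIG_LDISC_AUTOLOAD.` is missing its conjunction and reads as two clauses run together. The sibling annotation for kexec in the same file uses the form `## KSPP sets the sysctl and does not set CONFIG_KEXEC.`, so this line should match it: `## KSPP sets the sysctl and does not set CONFIG_LDISC_AUTOLOAD.`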
@@ -126,6 +153,9 @@ kernel.perf_event_paranoid=3
 ##
 ## https://lore.kernel.org/lkml/20221228205726.rfevry7ud6gmttg5@begin/T/
 ##
+## KSPP=yes
+## KSPP sets the sysctl and does not set CONFIG_LEGACY_TIOCSTI.
+##
 ## TODO: Debian 13 Trixie
 ## This is disabled by default when using Linux kernel >= 6.2.
 ##
@@ -161,6 +191,9 @@ kernel.io_uring_disabled=2
 ## https://github.com/GrapheneOS/os-issue-tracker/issues/651#issuecomment-917599928
 ## https://github.com/netblue30/firejail/issues/2860
 ##
+## KSPP=partial
+## KSPP sets the stricter sysctl kernel.yama.ptrace_scope=3.
+##
 ## It is possible to harden further by disabling ptrace() for all users, see documentation.
 ## https://github.com/Kicksecure/security-misc/pull/242
 ##
@@ -188,6 +221,9 @@ kernel.yama.ptrace_scope=2
 ## https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=/tmp
 ## https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use#Preventing_TOCTOU
 ##
+## KSPP=yes
+## KSPP sets the sysctls.
+##
 fs.protected_hardlinks=1
 fs.protected_symlinks=1
@@ -195,6 +231,9 @@ fs.protected_symlinks=1
 ## Also applies to group-writable sticky directories to make data spoofing attacks more difficult.
 ## Prevents unintentional writes to attacker-controlled files.
 ##
+## KSPP=yes
+## KSPP sets the sysctls.
+##
 fs.protected_fifos=2
 fs.protected_regular=2
@@ -205,6 +244,9 @@ fs.protected_regular=2
 ##
 ## https://en.wikipedia.org/wiki/Address_space_layout_randomization#Linux
 ##
+## KSPP=yes
+## KSPP sets the sysctl.
+##
 kernel.randomize_va_space=2
 ## Increase the maximum number of memory map areas a process is permitted to utilize.
@@ -254,6 +296,9 @@ kernel.core_pattern=|/bin/false
 ## Prevent setuid processes or otherwise protected/tainted binaries from creating core dumps.
 ## Any process which has changed privilege levels or is execute-only will not be dumped.
 ##
+## KSPP=yes
+## KSPP sets the sysctl.
+##
 fs.suid_dumpable=0
 ## Set core dump file name to 'core.PID' instead of 'core' as a form of defense-in-depth.
@@ -284,6 +329,9 @@ vm.swappiness=1
 ## https://en.wikipedia.org/wiki/SYN_flood
 ## https://cateee.net/lkddb/web-lkddb/SYN_COOKIES.html
 ##
+## KSPP=yes
+## KSPP sets CONFIG_SYN_COOKIES=y.
+##
 net.ipv4.tcp_syncookies=1
 ## Protect against TCP time-wait assassination hazards.
From 1f51d4eeb2b0c6e23ce64fb272eecb97e089324d Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Sun, 18 Aug 2024 13:53:11 +1000
Subject: [PATCH 591/846] Add details on user namespaces
---
 usr/lib/sysctl.d/990-security-misc.conf | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index f576dbc..ad049b2 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -94,9 +94,13 @@ kernel.sysrq=0
 ## Unprivileged user namespaces pose substantial privilege escalation risks.
 ## Restricting may lead to breakages in numerous software packages.
 ## Uncomment the second sysctl to entirely disable user namespaces.
+## Disabling entirely will reduce compatibility with some AppArmor profiles.
 ##
+## https://lwn.net/Articles/673597/
 ## https://madaidans-insecurities.github.io/linux.html#kernel
 ## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers
+## https://github.com/NixOS/nixpkgs/pull/84522#issuecomment-614640601
+## https://github.com/Kicksecure/security-misc/pull/263
 ##
 ## KSPP=partial
 ## KSPP sets the stricter sysctl user.max_user_namespaces=0.
From 683110e7f02fa5fc6415354386552640cdb8758b Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Mon, 19 Aug 2024 01:34:14 +1000
Subject: [PATCH 592/846] Correction
---
 README.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index da9254a..1ec228f 100644
--- a/README.md
+++ b/README.md
@@ -3,7 +3,8 @@
 ## Kernel hardening
 This section is inspired by the Kernel Self Protection Project (KSPP). It
-implements all recommended Linux kernel settings by the KSPP and many more.
+attempts to implement all recommended Linux kernel settings by the KSPP and
+many more sources.
 - https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project
 - https://kspp.github.io/Recommended_Settings
From 94dab1b7c503429e2fa91019a0183b2f36c6693f Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Mon, 19 Aug 2024 10:53:05 +1000
Subject: [PATCH 593/846] Partial compliance with the KSPP on kernel panics
---
 etc/default/grub.d/40_kernel_hardening.cfg | 4 ++--
 usr/lib/sysctl.d/990-security-misc.conf | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg
index 35472ba..32f58ac 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@@ -119,8 +119,8 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 ##
 ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713
 ##
-## KSPP=yes
-## KSPP sets CONFIG_PANIC_ON_OOPS=y and CONFIG_PANIC_TIMEOUT=-1.
+## KSPP=partial
+## KSPP sets CONFIG_PANIC_ON_OOPS=y, but also requries CONFIG_PANIC_TIMEOUT=-1.
 ##
 ## See /usr/libexec/security-misc/panic-on-oops for implementation.
 ##
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index 3bd7ea1..e9057dc 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -139,8 +139,8 @@ kernel.perf_event_paranoid=3
 ##
 ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713
 ##
-## KSPP=yes
-## KSPP sets CONFIG_PANIC_ON_OOPS=y and CONFIG_PANIC_TIMEOUT=-1.
+## KSPP=partial
+## KSPP sets CONFIG_PANIC_ON_OOPS=y, but also requries CONFIG_PANIC_TIMEOUT=-1.
 ##
 ## See /usr/libexec/security-misc/panic-on-oops for implementation.
 ##
From e61027a40e2ab82fac3ae4cfd5f91fd0a47f31e5 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Mon, 19 Aug 2024 11:32:20 +1000
Subject: [PATCH 594/846] Set `sysctl vm.mmap_min_addr=65536`
---
 README.md | 3 +++
 usr/lib/sysctl.d/990-security-misc.conf | 14 ++++++++++++++
 2 files changed, 17 insertions(+)
diff --git a/README.md b/README.md
index da9254a..a7a0128 100644
--- a/README.md
+++ b/README.md
@@ -63,6 +63,9 @@ space, user space, core dumps, and swap space.
 - Randomize the addresses (ASLR) for mmap base, stack, VDSO pages, and heap.
+- Raise the minimum address a process can request for memory mapping to 64KB to
+ protect against kernel null pointer dereference vulnerabilities.
+
 - Increase the maximum number of memory map areas a process is able to utilize.
 - Disallow registering interpreters for various (miscellaneous) binary formats based
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index 9836bc2..4a16ad0 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -207,6 +207,20 @@ fs.protected_regular=2
 ##
 kernel.randomize_va_space=2
+## Raise the minimum address a process can request for memory mapping to 64KB as a form of defense-in-depth.
+## Prevents kernel null pointer dereference vulnerabilities which may trigger kernel panics.
+## Protects against local unprivileged users gaining root privileges by mapping data to low memory pages.
+## Some legacy applications may still depend on low virtual memory addresses for proper functionality.
+##
+## https://googleprojectzero.blogspot.com/2023/01/exploiting-null-dereferences-in-linux.html
+## https://access.redhat.com/articles/20484
+## https://wiki.debian.org/mmap_min_addr
+##
+## KSPP=yes
+## KSPP sets CONFIG_DEFAULT_MMAP_MIN_ADDR=65536.
+##
+vm.mmap_min_addr=65536
+
 ## Increase the maximum number of memory map areas a process is permitted to utilize.
 ## Addresses performance, crash, and start-up issues for some memory-intensive applications.
 ## Required to accommodate the very large number of guard pages created by hardened_malloc.
From 56b28e38264fe742b8d694176f1057c15574fc08 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Mon, 19 Aug 2024 11:50:08 +1000
Subject: [PATCH 595/846] Typo
---
 etc/default/grub.d/40_kernel_hardening.cfg | 2 +-
 usr/lib/sysctl.d/990-security-misc.conf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg
index 32f58ac..aaf5be8 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
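Review bot: The added comment `## Prevents kernel null pointer dereference vulnerabilities which may trigger kernel panics.` overstates what `vm.mmap_min_addr=65536` does: it only stops unprivileged processes from mapping the lowest pages, so a kernel NULL dereference still happens but lands on an unmapped page (an oops or panic) instead of on attacker-controlled data. Suggest rewording to `## Mitigates exploitation of kernel null pointer dereference vulnerabilities by keeping the lowest 64KB of address space unmapped; the bug itself still results in a kernel oops/panic.` The next line about local privilege escalation can stay as written. It would also help to mention that processes holding CAP_SYS_RAWIO are exempt from this limit, and that an LSM built with its own minimum (CONFIG_LSM_MMAP_MIN_ADDR) enforces an additional floor — worth confirming against the kernel documentation before adding.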
@@ -120,7 +120,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713
 ##
 ## KSPP=partial
-## KSPP sets CONFIG_PANIC_ON_OOPS=y, but also requries CONFIG_PANIC_TIMEOUT=-1.
+## KSPP sets CONFIG_PANIC_ON_OOPS=y, but also requires CONFIG_PANIC_TIMEOUT=-1.
 ##
 ## See /usr/libexec/security-misc/panic-on-oops for implementation.
 ##
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index e9057dc..f13f193 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -140,7 +140,7 @@ kernel.perf_event_paranoid=3
 ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713
 ##
 ## KSPP=partial
-## KSPP sets CONFIG_PANIC_ON_OOPS=y, but also requries CONFIG_PANIC_TIMEOUT=-1.
+## KSPP sets CONFIG_PANIC_ON_OOPS=y, but also requires CONFIG_PANIC_TIMEOUT=-1.
 ##
 ## See /usr/libexec/security-misc/panic-on-oops for implementation.
 ##
From 18ed77ecc93e9ee759a4990a32edb3dd671b8c26 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Wed, 21 Aug 2024 12:50:14 +1000
Subject: [PATCH 596/846] Refactor modprobe.d to minimise potential future merge conflicts
---
 README.md | 35 ++--
 .../30_security-misc_blacklist.conf | 4 +-
 etc/modprobe.d/30_security-misc_disable.conf | 162 ++++++++++-------
 3 files changed, 113 insertions(+), 88 deletions(-)
diff --git a/README.md b/README.md
index da9254a..4742384 100644
--- a/README.md
+++ b/README.md
@@ -223,17 +223,12 @@ modules from starting. This approach should not be considered comprehensive;
 rather, it is a form of badness enumeration. Any potential candidates for future
 disabling should first be blacklisted for a suitable amount of time.
+Hardware modules:
+
 - Optional - Bluetooth: Disabled to reduce attack surface.
-- Optional - CPU MSRs: Disabled as can be abused to write to arbitrary memory.
-
-- File Systems: Disable uncommon and legacy file systems. - -- FireWire (IEEE 1394): Disabled as they are often vulnerable to DMA attacks.
-- Framebuffer (fbdev): Disabled as drivers are well-known to be buggy, cause
- kernel panics, and are generally only used by legacy devices.
-
 - GPS: Disable GPS-related modules such as those required for Global Navigation Satellite Systems (GNSS).
@@ -244,20 +239,38 @@ disabling should first be blacklisted for a suitable amount of time.
 - Intel Platform Monitoring Technology (PMT) Telemetry: Disable some functionality of the Intel PMT components.
+- Thunderbolt: Disabled as they are often vulnerable to DMA attacks.
+
+File system modules:
+
+- File Systems: Disable uncommon and legacy file systems.
+
 - Network File Systems: Disable uncommon and legacy network file systems.
+Networking modules:
+
 - Network Protocols: A wide array of uncommon and legacy network protocols and drivers are disabled.
-- Miscellaneous: Disable an assortment of other modules such as those required
- for amateur radio, floppy disks, and vivid. Also disable legacy drivers that
- have been entirely replaced by newer drivers.
+Miscellaneous modules:
-- Thunderbolt: Disabled as they are often vulnerable to DMA attacks.
+- Amateur Radios: Disabled to reduce attack surface.
+
+- Optional - CPU MSRs: Disabled as can be abused to write to arbitrary memory.
+
+- Floppy Disks: Disabled to reduce attack surface.
+
+- Framebuffer (fbdev): Disabled as these drivers are well-known to be buggy, cause
+ kernel panics, and are generally only used by legacy devices.
+
+- Replaced Modules: Disabled legacy drivers that have been entirely replaced and
+ superseded by newer drivers.
 - Optional - USB Video Device Class: Disables the USB-based video streaming driver for devices like some webcams and digital camcorders.
+- Vivid: Disabled to reduce attack surface given previous vulnerabilities.
+
 ### Other
 - A systemd service clears the System.map file on boot as these contain kernel
diff --git a/etc/modprobe.d/30_security-misc_blacklist.conf b/etc/modprobe.d/30_security-misc_blacklist.conf
index 34e1124..8386800 100644
--- a/etc/modprobe.d/30_security-misc_blacklist.conf
+++ b/etc/modprobe.d/30_security-misc_blacklist.conf
@@ -22,7 +22,7 @@ blacklist sr_mod
 #install sr_mod /usr/bin/disabled-cdrom-by-security-misc
 ## Miscellaneous:
-##
+
 ## GrapheneOS:
 ## Partial selection of their infrastructure blacklist.
 ## Duplicate and already disabled modules have been omitted.
@@ -39,7 +39,7 @@ blacklist snd_intel8x0
 #blacklist tls
 #blacklist virtio_balloon
 #blacklist virtio_console
-##
+
 ## Ubuntu:
 ## Already disabled modules have been omitted.
 ##
diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf
index 3a72b0e..3df5a51 100644
--- a/etc/modprobe.d/30_security-misc_disable.conf
+++ b/etc/modprobe.d/30_security-misc_disable.conf
@@ -8,6 +8,14 @@
 ## Blacklisting prevents kernel modules from automatically starting.
 ## Disabling prohibits kernel modules from starting.
+## This configuration file is split into 4 sections:
+## 1. Hardware
+## 2. File Systems
+## 3. Networking
+## 4. Miscellaneous
+
+## 1. Hardware:
+
 ## Bluetooth:
 ## Disable Bluetooth to reduce attack surface due to extended history of security vulnerabilities.
 ##
@@ -34,27 +42,6 @@
 #install btusb /usr/bin/disabled-bluetooth-by-security-misc
 #install virtio_bt /usr/bin/disabled-bluetooth-by-security-misc
-## CPU Model-Specific Registers (MSRs):
-## Disable CPU MSRs as they can be abused to write to arbitrary memory.
-##
-## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode
-## https://github.com/Kicksecure/security-misc/issues/215
-##
-#install msr /usr/bin/disabled-miscellaneous-by-security-misc
-
-## File Systems:
-## Disable uncommon file systems to reduce attack surface.
-## HFS/HFS+ are legacy Apple file systems that may be required depending on the EFI partition format.
-##
-install cramfs /usr/bin/disabled-filesys-by-security-misc
-install freevxfs /usr/bin/disabled-filesys-by-security-misc
-install hfs /usr/bin/disabled-filesys-by-security-misc
-install hfsplus /usr/bin/disabled-filesys-by-security-misc
-install jffs2 /usr/bin/disabled-filesys-by-security-misc
-install jfs /usr/bin/disabled-filesys-by-security-misc
-install reiserfs /usr/bin/disabled-filesys-by-security-misc
-install udf /usr/bin/disabled-filesys-by-security-misc
-
 ## FireWire (IEEE 1394):
 ## Disable IEEE 1394 (FireWire/i.LINK/Lynx) modules to prevent some DMA attacks.
 ##
@@ -70,43 +57,6 @@ install raw1394 /usr/bin/disabled-firewire-by-security-misc
 install sbp2 /usr/bin/disabled-firewire-by-security-misc
 install video1394 /usr/bin/disabled-firewire-by-security-misc
-## Framebuffer (fbdev):
-## Video drivers are known to be buggy, cause kernel panics, and are generally only used by legacy devices.
-## These were all previously blacklisted.
-##
-## https://docs.kernel.org/fb/index.html
-## https://en.wikipedia.org/wiki/Linux_framebuffer
-## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco
-##
-install aty128fb /usr/bin/disabled-framebuffer-by-security-misc
-install atyfb /usr/bin/disabled-framebuffer-by-security-misc
-install cirrusfb /usr/bin/disabled-framebuffer-by-security-misc
-install cyber2000fb /usr/bin/disabled-framebuffer-by-security-misc
-install cyblafb /usr/bin/disabled-framebuffer-by-security-misc
-install gx1fb /usr/bin/disabled-framebuffer-by-security-misc
-install hgafb /usr/bin/disabled-framebuffer-by-security-misc
-install i810fb /usr/bin/disabled-framebuffer-by-security-misc
-install intelfb /usr/bin/disabled-framebuffer-by-security-misc
-install kyrofb /usr/bin/disabled-framebuffer-by-security-misc
-install lxfb /usr/bin/disabled-framebuffer-by-security-misc
-install matroxfb_bases /usr/bin/disabled-framebuffer-by-security-misc
-install neofb /usr/bin/disabled-framebuffer-by-security-misc
-install nvidiafb /usr/bin/disabled-framebuffer-by-security-misc
-install pm2fb /usr/bin/disabled-framebuffer-by-security-misc
-install radeonfb /usr/bin/disabled-framebuffer-by-security-misc
-install rivafb /usr/bin/disabled-framebuffer-by-security-misc
-install s1d13xxxfb /usr/bin/disabled-framebuffer-by-security-misc
-install savagefb /usr/bin/disabled-framebuffer-by-security-misc
-install sisfb /usr/bin/disabled-framebuffer-by-security-misc
-install sstfb /usr/bin/disabled-framebuffer-by-security-misc
-install tdfxfb /usr/bin/disabled-framebuffer-by-security-misc
-install tridentfb /usr/bin/disabled-framebuffer-by-security-misc
-install vesafb /usr/bin/disabled-framebuffer-by-security-misc
-install vfb /usr/bin/disabled-framebuffer-by-security-misc
-install viafb /usr/bin/disabled-framebuffer-by-security-misc
-install vt8623fb /usr/bin/disabled-framebuffer-by-security-misc
-install udlfb /usr/bin/disabled-framebuffer-by-security-misc
-
 ## Global Positioning Systems (GPS):
 ## Disable GPS-related modules like GNSS (Global Navigation Satellite System).
 ##
@@ -152,6 +102,30 @@ install pmt_class /usr/bin/disabled-intelpmt-by-security-misc
 install pmt_crashlog /usr/bin/disabled-intelpmt-by-security-misc
 install pmt_telemetry /usr/bin/disabled-intelpmt-by-security-misc
+## Thunderbolt:
+## Disables Thunderbolt modules to prevent some DMA attacks.
+##
+## https://en.wikipedia.org/wiki/Thunderbolt_(interface)#Security_vulnerabilities
+##
+install intel-wmi-thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
+install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
+install thunderbolt_net /usr/bin/disabled-thunderbolt-by-security-misc
+
+## 2. File Systems:
+
+## File Systems:
+## Disable uncommon file systems to reduce attack surface.
+## HFS/HFS+ are legacy Apple file systems that may be required depending on the EFI partition format.
+##
+install cramfs /usr/bin/disabled-filesys-by-security-misc
+install freevxfs /usr/bin/disabled-filesys-by-security-misc
+install hfs /usr/bin/disabled-filesys-by-security-misc
+install hfsplus /usr/bin/disabled-filesys-by-security-misc
+install jffs2 /usr/bin/disabled-filesys-by-security-misc
+install jfs /usr/bin/disabled-filesys-by-security-misc
+install reiserfs /usr/bin/disabled-filesys-by-security-misc
+install udf /usr/bin/disabled-filesys-by-security-misc
+
 ## Network File Systems:
 ## Disable uncommon network file systems to reduce attack surface.
 ##
@@ -175,6 +149,8 @@ install nfsv2 /usr/bin/disabled-netfilesys-by-security-misc
 install nfsv3 /usr/bin/disabled-netfilesys-by-security-misc
 install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc
+## 2. Networking:
+
 ## Network Protocols:
 ## Disables rare and unneeded network protocols that are a common source of unknown vulnerabilities.
 ## Previously had blacklisted eepro100 and eth1394.
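Review bot: The new section header `+## 2. Networking:` reuses the number already given to File Systems in this file. The table of contents this commit adds at the top of 30_security-misc_disable.conf lists `3. Networking` and `4. Miscellaneous`, and the Miscellaneous header later in the same diff is numbered 4, so this line should read `## 3. Networking:`.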
@@ -249,17 +225,62 @@ install rds_tcp /usr/bin/disabled-network-by-security-misc
 install sctp /usr/bin/disabled-network-by-security-misc
 install sctp_diag /usr/bin/disabled-network-by-security-misc
-## Miscellaneous:
-##
+## 4. Miscellaneous:
+
 ## Amateur Radios:
 ##
 install hamradio /usr/bin/disabled-miscellaneous-by-security-misc
+
+## CPU Model-Specific Registers (MSRs):
+## Disable CPU MSRs as they can be abused to write to arbitrary memory.
 ##
+## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode
+## https://github.com/Kicksecure/security-misc/issues/215
+##
+#install msr /usr/bin/disabled-miscellaneous-by-security-misc
+
 ## Floppy Disks:
 ##
 install floppy /usr/bin/disabled-miscellaneous-by-security-misc
+
+## Framebuffer (fbdev):
+## Video drivers are known to be buggy, cause kernel panics, and are generally only used by legacy devices.
+## These were all previously blacklisted.
 ##
-## Replaced:
+## https://docs.kernel.org/fb/index.html
+## https://en.wikipedia.org/wiki/Linux_framebuffer
+## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf?h=ubuntu/disco
+##
+install aty128fb /usr/bin/disabled-framebuffer-by-security-misc
+install atyfb /usr/bin/disabled-framebuffer-by-security-misc
+install cirrusfb /usr/bin/disabled-framebuffer-by-security-misc
+install cyber2000fb /usr/bin/disabled-framebuffer-by-security-misc
+install cyblafb /usr/bin/disabled-framebuffer-by-security-misc
+install gx1fb /usr/bin/disabled-framebuffer-by-security-misc
+install hgafb /usr/bin/disabled-framebuffer-by-security-misc
+install i810fb /usr/bin/disabled-framebuffer-by-security-misc
+install intelfb /usr/bin/disabled-framebuffer-by-security-misc
+install kyrofb /usr/bin/disabled-framebuffer-by-security-misc
+install lxfb /usr/bin/disabled-framebuffer-by-security-misc
+install matroxfb_bases /usr/bin/disabled-framebuffer-by-security-misc
+install neofb 
/usr/bin/disabled-framebuffer-by-security-misc
+install nvidiafb /usr/bin/disabled-framebuffer-by-security-misc
+install pm2fb /usr/bin/disabled-framebuffer-by-security-misc
+install radeonfb /usr/bin/disabled-framebuffer-by-security-misc
+install rivafb /usr/bin/disabled-framebuffer-by-security-misc
+install s1d13xxxfb /usr/bin/disabled-framebuffer-by-security-misc
+install savagefb /usr/bin/disabled-framebuffer-by-security-misc
+install sisfb /usr/bin/disabled-framebuffer-by-security-misc
+install sstfb /usr/bin/disabled-framebuffer-by-security-misc
+install tdfxfb /usr/bin/disabled-framebuffer-by-security-misc
+install tridentfb /usr/bin/disabled-framebuffer-by-security-misc
+install vesafb /usr/bin/disabled-framebuffer-by-security-misc
+install vfb /usr/bin/disabled-framebuffer-by-security-misc
+install viafb /usr/bin/disabled-framebuffer-by-security-misc
+install vt8623fb /usr/bin/disabled-framebuffer-by-security-misc
+install udlfb /usr/bin/disabled-framebuffer-by-security-misc
+
+## Replaced Modules:
 ## These legacy drivers have all been entirely replaced and superseded by newer drivers.
 ## These were all previously blacklisted.
 ##
@@ -269,7 +290,12 @@ install asus_acpi /usr/bin/disabled-miscellaneous-by-security-misc
 install bcm43xx /usr/bin/disabled-miscellaneous-by-security-misc
 install de4x5 /usr/bin/disabled-miscellaneous-by-security-misc
 install prism54 /usr/bin/disabled-miscellaneous-by-security-misc
+
+## USB Video Device Class:
+## Disables the USB-based video streaming driver for devices like some webcams and digital camcorders.
 ##
+#install uvcvideo /usr/bin/disabled-miscellaneous-by-security-misc
+
 ## Vivid:
 ## Disables the vivid kernel module since it has been the cause of multiple vulnerabilities.
 ##
@@ -278,17 +304,3 @@ install prism54 /usr/bin/disabled-miscellaneous-by-security-misc
 ## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475
 ##
 install vivid /usr/bin/disabled-miscellaneous-by-security-misc
-
-## Thunderbolt:
-## Disables Thunderbolt modules to prevent some DMA attacks.
-##
-## https://en.wikipedia.org/wiki/Thunderbolt_(interface)#Security_vulnerabilities
-##
-install intel-wmi-thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
-install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
-install thunderbolt_net /usr/bin/disabled-thunderbolt-by-security-misc
-
-## USB Video Device Class:
-## Disables the USB-based video streaming driver for devices like some webcams and digital camcorders.
-##
-#install uvcvideo /usr/bin/disabled-miscellaneous-by-security-misc
From b87a18d4050bbf2add5cc4920684876a440e65bb Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Wed, 21 Aug 2024 12:51:51 +1000
Subject: [PATCH 597/846] README.md: Organise `sysctl`s
---
 README.md | 25 ++++++++++++++-----------
 1 file changed, 14 insertions(+), 11 deletions(-)
diff --git a/README.md b/README.md
index 4742384..b33ae5f 100644
--- a/README.md
+++ b/README.md
@@ -11,10 +11,9 @@ implements all recommended Linux kernel settings by the KSPP and many more.
 ### sysctl
 sysctl settings are configured via the `/usr/lib/sysctl.d/990-security-misc.conf`
-configuration file.
+configuration file and significant hardening is applied to a myriad of components.
-Significant hardening is applied by default to a myriad of components within kernel
-space, user space, core dumps, and swap space.
+Kernel space:
 - Restrict access to kernel addresses through the use of kernel pointers regardless of user privileges.
@@ -50,6 +49,8 @@ space, user space, core dumps, and swap space.
 - Disable asynchronous I/O (when using Linux kernel >= 6.6) as `io_uring` has been the source of numerous kernel exploits.
+User space:
+
 - Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it enables programs to inspect and modify other active processes. Optional - Disable usage of `ptrace()` by all processes.
@@ -68,12 +69,14 @@ space, user space, core dumps, and swap space.
 - Disallow registering interpreters for various (miscellaneous) binary formats based on a magic number or their file extension to prevent unintended code execution.
+Core dumps:
+
 - Disable core dump files and prevent their creation. If core dump files are enabled, they will be named based on `core.PID` instead of the default `core`.
 - Limit the copying of potentially sensitive content in memory to the swap device.
-Various networking components of the TCP/IP stack are hardened for IPv4/6.
+Networking:
 - Enable TCP SYN cookie protection to assist against SYN flood attacks.
@@ -104,13 +107,6 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6.
 - Optional - Enable IPv6 Privacy Extensions.
-### mmap ASLR
-
-- The bits of entropy used for mmap ASLR are maxed out via
- `/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of
- `CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX`
- that the kernel was built with), therefore improving its effectiveness.
-
 ### Boot parameters
 Mitigations for known CPU vulnerabilities are enabled in their strictest form
@@ -178,6 +174,13 @@ configuration file.
 - Optional - Disable the entire IPv6 stack to reduce attack surface.
+### mmap ASLR
+
+- The bits of entropy used for mmap ASLR are maxed out via
+ `/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of
+ `CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX`
+ that the kernel was built with), therefore improving its effectiveness.
+
 ### Kernel Modules
 #### Kernel Module Signature Verification
From 342caf82b20acc2931563449fafe9a98cbedaba2 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Wed, 21 Aug 2024 12:52:48 +1000
Subject: [PATCH 598/846] README.md: Organise kernel boot parameters
---
 README.md | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/README.md b/README.md
index b33ae5f..65b188c 100644
--- a/README.md
+++ b/README.md
@@ -117,6 +117,8 @@ Boot parameters relating to kernel hardening, DMA mitigations, and entropy generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg` configuration file.
+Kernel space:
+
 - Disable merging of slabs with similar size, which reduces the risk of triggering heap overflows and limits influencing slab cache layout.
@@ -160,18 +162,24 @@ configuration file. - Optional - Disable support for all x86 processes and syscalls (when using Linux kernel >= 6.7) to reduce attack surface. +Direct memory access: + - Enable strict IOMMU translation to protect against some DMA attacks via the use of both CPU manufacturer-specific drivers and kernel settings. - Clear the busmaster bit on all PCI bridges during the EFI hand-off, which disables DMA before the IOMMU is configured. May cause boot failure on certain hardware. +Entropy: + - Do not credit the CPU or bootloader as entropy sources at boot in order to maximize the absolute quantity of entropy in the combined pool. - Obtain more entropy at boot from RAM as the runtime memory allocator is being initialized. +Networking: + - Optional - Disable the entire IPv6 stack to reduce attack surface. ### mmap ASLR From e4909b5e28e16f09de0e548c9221578ebe1190a3 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sun, 25 Aug 2024 12:47:04 +1000 Subject: [PATCH 599/846] Add details on kernel panics --- README.md | 2 +- etc/default/grub.d/40_kernel_hardening.cfg | 3 ++- usr/lib/sysctl.d/990-security-misc.conf | 18 +++++++++++++----- usr/libexec/security-misc/panic-on-oops | 5 ++++- 4 files changed, 20 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 1ec228f..ecbf3ef 100644 --- a/README.md +++ b/README.md @@ -44,7 +44,7 @@ space, user space, core dumps, and swap space. - Force the kernel to panic on "oopses" that can potentially indicate and thwart certain kernel exploitation attempts. Optional - Force immediate reboot on the - occurrence of a kernel panic. + occurrence of a kernel panic and also set panic limit to one (when using Linux kernel >= 6.2). - Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index aaf5be8..c8a7eab 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg 
+++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -114,9 +114,10 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off" ## Force the kernel to panic on "oopses". ## Can sometimes potentially indicate and thwart certain kernel exploitation attempts. -## Also cause panics on machine check exceptions. ## Panics may be due to false-positives such as bad drivers. ## +## https://en.wikipedia.org/wiki/Kernel_panic#Linux +## https://en.wikipedia.org/wiki/Linux_kernel_oops ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713 ## ## KSPP=partial diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index f13f193..e305fa6 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf 
@@ -132,20 +132,28 @@ kernel.unprivileged_userns_clone=0
 ##
 kernel.perf_event_paranoid=3
-## Force the kernel to panic on "oopses".
+## Force the kernel to panic on "oopses" and kernel warnings in the WARN() path.
 ## Can sometimes potentially indicate and thwart certain kernel exploitation attempts.
-## Also cause panics on machine check exceptions.
 ## Panics may be due to false-positives such as bad drivers.
 ##
-## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713
+## https://en.wikipedia.org/wiki/Kernel_panic#Linux
+## https://en.wikipedia.org/wiki/Linux_kernel_oops
+## https://en.wikipedia.org/wiki/Kdump_(Linux)
+## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panisc-on-oops-1-sysctl-for-better-security/7713
 ##
 ## KSPP=partial
-## KSPP sets CONFIG_PANIC_ON_OOPS=y, but also requires CONFIG_PANIC_TIMEOUT=-1.
+## KSPP sets the sysctls, CONFIG_PANIC_ON_OOPS=y, but also requires CONFIG_PANIC_TIMEOUT=-1.
 ##
 ## See /usr/libexec/security-misc/panic-on-oops for implementation.
 ##
-#kernel.panic_on_oops=1
+## TODO: Debian 13 Trixie
+## The limits are applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness).
+##
 #kernel.panic=-1
+kernel.panic_on_oops=1
+#kernel.panic_on_warn=1
+#kernel.oops_limit=1
+#kernel.warn_limit=1
 ## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
 ## Can lead to privilege escalation by pushing characters into a controlling TTY.
diff --git a/usr/libexec/security-misc/panic-on-oops b/usr/libexec/security-misc/panic-on-oops
index 2fc25c8..8d647f1 100755
--- a/usr/libexec/security-misc/panic-on-oops
+++ b/usr/libexec/security-misc/panic-on-oops
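Review bot: The rewritten Whonix forum reference is misspelled on the new side — `+## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panisc-on-oops-1-sysctl-for-better-security/7713` has "panisc" where the removed line had "panic", so the link this hunk replaces now points at a non-existent thread. Separately, `+kernel.panic_on_oops=1` is now applied uncommented at sysctl.d load while the context line `## See /usr/libexec/security-misc/panic-on-oops for implementation.` still defers the same knob to that script; if the script exists so that the panic behaviour is only armed once a session is up (so an oops from a bad driver during boot does not make the machine unbootable), an unconditional boot-time setting defeats that and duplicates the script. Either keep the line commented or state in the comment which of the two is authoritative.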
@@ -15,5 +15,8 @@ fi
 ## Makes the kernel panic on oopses. This prevents the kernel
 ## from continuing to run a flawed processes. Many kernel exploits
 ## will also cause an oops which this will make the kernel kill.
-sysctl kernel.panic_on_oops=1
 #sysctl kernel.panic=-1
+sysctl kernel.panic_on_oops=1
+#sysctl kernel.panic_on_warn=1
+#sysctl kernel.oops_limit=1
+#sysctl kernel.warn_limit=1
From 32de5e7c49d301b62b838ba88550f58b02b6562b Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Sun, 25 Aug 2024 12:57:22 +1000
Subject: [PATCH 600/846] Add details on oopses and warnings
---
 usr/lib/sysctl.d/990-security-misc.conf | 4 +++-
 usr/libexec/security-misc/panic-on-oops | 3 ++-
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index e305fa6..9f79277 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -135,6 +135,8 @@ kernel.perf_event_paranoid=3
 ## Force the kernel to panic on "oopses" and kernel warnings in the WARN() path.
 ## Can sometimes potentially indicate and thwart certain kernel exploitation attempts.
 ## Panics may be due to false-positives such as bad drivers.
+## Oopses are serious but non-fatal errors.
+## Kernel warnings are useful to avoid a when attempting to access the location of a WARN().
 ##
 ## https://en.wikipedia.org/wiki/Kernel_panic#Linux
 ## https://en.wikipedia.org/wiki/Linux_kernel_oops
@@ -150,7 +152,7 @@ kernel.perf_event_paranoid=3
 ## The limits are applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness).
 ##
 #kernel.panic=-1
-kernel.panic_on_oops=1
+#kernel.panic_on_oops=1
 #kernel.panic_on_warn=1
 #kernel.oops_limit=1
 #kernel.warn_limit=1
diff --git a/usr/libexec/security-misc/panic-on-oops b/usr/libexec/security-misc/panic-on-oops
index 8d647f1..caeb950 100755
--- a/usr/libexec/security-misc/panic-on-oops
+++ b/usr/libexec/security-misc/panic-on-oops
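Review bot: The exit status of the re-added `+sysctl kernel.panic_on_oops=1` is discarded, so if the knob is unavailable or `sysctl` is not found this hook silently leaves the system without the protection the comment above promises; unless the script enables `set -e` above this hunk (its top is outside the hunk), `sysctl kernel.panic_on_oops=1 || exit 1` makes the failure visible to whoever invokes it. The commented `+#sysctl kernel.oops_limit=1` and `+#sysctl kernel.warn_limit=1` also deserve a note that they are alternatives to, not additions to, `panic_on_oops`/`panic_on_warn`: per the kernel sysctl documentation the limits only apply when the corresponding `panic_on_*` is unset, and a limit of 1 has the same effect as setting it. Suggested comment: `## oops_limit/warn_limit (kernel >= 6.2) only matter when panic_on_oops/panic_on_warn are 0; a limit of 1 is equivalent to the panic_on_* setting.`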
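Review bot: The added line `+## Kernel warnings are useful to avoid a when attempting to access the location of a WARN().` is garbled (a word is missing after "avoid a") and does not tell the reader what `panic_on_warn` does or costs. Since that setting calls `panic()` in the `WARN()` path, every `WARN()`/`WARN_ON()` hit — including benign ones in drivers — halts the whole system, which is the trade-off the comment should state, e.g. `## Kernel warnings (WARN()) flag unexpected but recoverable conditions; panicking on them stops a potential exploitation attempt early at the cost of availability, since any driver WARN() then halts the machine.`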
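Review bot: Commenting `kernel.panic_on_oops=1` back out here, one commit after it was enabled in this same block, leaves no explanation of why a file whose block is tagged `KSPP=partial` deliberately does not apply the knob; the next cleanup will simply re-enable it. A one-line reason next to `+#kernel.panic_on_oops=1` prevents that, e.g. `## Intentionally commented: applied later by /usr/libexec/security-misc/panic-on-oops rather than at sysctl.d load.` — adjust the wording if the reason is different from the script deferral the surrounding comments suggest.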
@@ -14,7 +14,8 @@ fi ## Makes the kernel panic on oopses. This prevents the kernel ## from continuing to run a flawed processes. Many kernel exploits -## will also cause an oops which this will make the kernel kill. +## will also cause an oops which this will make the kernel kill +## the offending processes. #sysctl kernel.panic=-1 sysctl kernel.panic_on_oops=1 #sysctl kernel.panic_on_warn=1 From af87a84b4f40b2ad9ac05dd9bce837665f239454 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 21 Aug 2024 12:52:48 +1000 Subject: [PATCH 601/846] README.md: Organise kernel boot parameters --- README.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/README.md b/README.md index da9254a..4d5410c 100644 --- a/README.md +++ b/README.md @@ -121,6 +121,8 @@ Boot parameters relating to kernel hardening, DMA mitigations, and entropy generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg` configuration file. +Kernel space: + - Disable merging of slabs with similar size, which reduces the risk of triggering heap overflows and limits influencing slab cache layout. @@ -164,18 +166,24 @@ configuration file. - Optional - Disable support for all x86 processes and syscalls (when using Linux kernel >= 6.7) to reduce attack surface. +Direct memory access: + - Enable strict IOMMU translation to protect against some DMA attacks via the use of both CPU manufacturer-specific drivers and kernel settings. - Clear the busmaster bit on all PCI bridges during the EFI hand-off, which disables DMA before the IOMMU is configured. May cause boot failure on certain hardware. +Entropy: + - Do not credit the CPU or bootloader as entropy sources at boot in order to maximize the absolute quantity of entropy in the combined pool. - Obtain more entropy at boot from RAM as the runtime memory allocator is being initialized. +Networking: + - Optional - Disable the entire IPv6 stack to reduce attack surface. ### Kernel Modules 
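Review bot: The rewritten comment `+## will also cause an oops which this will make the kernel kill` / `+## the offending processes.` describes the kernel's default oops handling rather than the effect of `panic_on_oops=1`: after an oops the kernel already kills the offending task and keeps running, and this sysctl replaces that with a panic of the whole system, which is the actual security property (an exploit that triggers an oops cannot continue in a half-broken kernel). Suggested wording: `## By default the kernel kills the offending task after an oops and keeps running; with panic_on_oops=1 the oops panics the whole system instead, so a kernel exploit that triggers an oops cannot proceed.` The script's earlier lines are outside the hunk.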
From 433b15f985545f531b87d09659bbbb89993b5a67 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 21 Aug 2024 12:51:51 +1000 Subject: [PATCH 602/846] README.md: Organise `sysctl`s --- README.md | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/README.md b/README.md index 4d5410c..cf8d54c 100644 --- a/README.md +++ b/README.md @@ -11,10 +11,9 @@ implements all recommended Linux kernel settings by the KSPP and many more. ### sysctl sysctl settings are configured via the `/usr/lib/sysctl.d/990-security-misc.conf` -configuration file. +configuration file and significant hardening is applied to a myriad of components. -Significant hardening is applied by default to a myriad of components within kernel -space, user space, core dumps, and swap space. +Kernel space: - Restrict access to kernel addresses through the use of kernel pointers regardless of user privileges. @@ -50,6 +49,8 @@ space, user space, core dumps, and swap space. - Disable asynchronous I/O (when using Linux kernel >= 6.6) as `io_uring` has been the source of numerous kernel exploits. +User space: + - Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it enables programs to inspect and modify other active processes. Optional - Disable usage of `ptrace()` by all processes. @@ -68,12 +69,14 @@ space, user space, core dumps, and swap space. - Disallow registering interpreters for various (miscellaneous) binary formats based on a magic number or their file extension to prevent unintended code execution. +Core dumps: + - Disable core dump files and prevent their creation. If core dump files are enabled, they will be named based on `core.PID` instead of the default `core`. - Limit the copying of potentially sensitive content in memory to the swap device. -Various networking components of the TCP/IP stack are hardened for IPv4/6. +Networking: - Enable TCP SYN cookie protection to assist against SYN flood attacks. 
@@ -104,13 +107,6 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6. - Optional - Enable IPv6 Privacy Extensions. -### mmap ASLR - -- The bits of entropy used for mmap ASLR are maxed out via - `/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of - `CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX` - that the kernel was built with), therefore improving its effectiveness. - ### Boot parameters Mitigations for known CPU vulnerabilities are enabled in their strictest form @@ -186,6 +182,13 @@ Networking: - Optional - Disable the entire IPv6 stack to reduce attack surface. +### mmap ASLR + +- The bits of entropy used for mmap ASLR are maxed out via + `/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of + `CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX` + that the kernel was built with), therefore improving its effectiveness. + ### Kernel Modules #### Kernel Module Signature Verification From ae85fd5b4ce6f4716f95332c19b79d3daa8f7220 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 25 Aug 2024 14:33:40 +0000 Subject: [PATCH 603/846] bumped changelog version --- changelog.upstream | 18 ++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 24 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 7c57922..3dd86f4 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,21 @@ +commit 433b15f985545f531b87d09659bbbb89993b5a67 +Author: Raja Grewal +Date: Wed Aug 21 12:51:51 2024 +1000 + + README.md: Organise `sysctl`s + +commit af87a84b4f40b2ad9ac05dd9bce837665f239454 +Author: Raja Grewal +Date: Wed Aug 21 12:52:48 2024 +1000 + + README.md: Organise kernel boot parameters + +commit e962153f84c4cb8e13fb0cc25d611ae481c7a0c7 +Author: Patrick Schleizer +Date: Fri Aug 16 08:38:12 2024 +0000 + + bumped changelog version + commit 40b12f5a2a4a40d7033569b11ad4e1c228e7389b Merge: 12296c6 305467c Author: Patrick Schleizer 
diff --git a/debian/changelog b/debian/changelog index 2bc634a..f86a0c9 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:39.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 25 Aug 2024 14:33:39 +0000 + security-misc (3:39.0-1) unstable; urgency=medium * New upstream version (local package). From cf824ddb248957fd9e542c1a5adc5e90381f684c Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 25 Aug 2024 15:34:55 +0000 Subject: [PATCH 604/846] bumped changelog version --- changelog.upstream | 78 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++ 2 files changed, 84 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 3dd86f4..42493c9 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,39 @@ +commit 500568e322b2e3623fc649209d671c7b9d9fa097 +Merge: 43d13b7 73900b5 +Author: Patrick Schleizer +Date: Sun Aug 25 11:01:58 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 73900b59db37d77bc24bd5088aae3cc760aacc69 +Merge: 43d13b7 1f51d4e +Author: Patrick Schleizer +Date: Sun Aug 25 11:00:51 2024 -0400 + + Merge pull request #263 from raja-grewal/max_user_namespaces + + Provide option to disable user namespaces + +commit 43d13b70f12d2198a800054ce4d1ff901cc474f9 +Merge: 8353764 fae586c +Author: Patrick Schleizer +Date: Sun Aug 25 10:55:52 2024 -0400 + + Merge remote-tracking branch 'raja/syntax' + +commit 835376418d616699023f8e638666f43d34241863 +Merge: ae85fd5 342caf8 +Author: Patrick Schleizer +Date: Sun Aug 25 10:48:25 2024 -0400 + + Merge remote-tracking branch 'raja/mod' + +commit ae85fd5b4ce6f4716f95332c19b79d3daa8f7220 +Author: Patrick Schleizer +Date: Sun Aug 25 14:33:40 2024 +0000 + + bumped changelog version + commit 433b15f985545f531b87d09659bbbb89993b5a67 Author: Raja Grewal Date: Wed Aug 21 12:51:51 2024 +1000 
@@ -10,6 +46,42 @@ Date: Wed Aug 21 12:52:48 2024 +1000 README.md: Organise kernel boot parameters +commit 342caf82b20acc2931563449fafe9a98cbedaba2 +Author: Raja Grewal +Date: Wed Aug 21 12:52:48 2024 +1000 + + README.md: Organise kernel boot parameters + +commit b87a18d4050bbf2add5cc4920684876a440e65bb +Author: Raja Grewal +Date: Wed Aug 21 12:51:51 2024 +1000 + + README.md: Organise `sysctl`s + +commit 18ed77ecc93e9ee759a4990a32edb3dd671b8c26 +Author: Raja Grewal +Date: Wed Aug 21 12:50:14 2024 +1000 + + Refactor modprobe.d to minimise potential future merge conflicts + +commit 1f51d4eeb2b0c6e23ce64fb272eecb97e089324d +Author: Raja Grewal +Date: Sun Aug 18 13:53:11 2024 +1000 + + Add details on user namespaces + +commit 759aee8150a2d1258d73217c071b25432d47496f +Author: Raja Grewal +Date: Fri Aug 16 22:54:57 2024 +1000 + + Provide option to disable user namespaces + +commit fae586c3c5e8382ca01c60f810b26d88189a5514 +Author: Raja Grewal +Date: Fri Aug 16 19:23:48 2024 +1000 + + Patch bug in existing `rp_filter` `sysctl` + commit e962153f84c4cb8e13fb0cc25d611ae481c7a0c7 Author: Patrick Schleizer Date: Fri Aug 16 08:38:12 2024 +0000 @@ -88,6 +160,12 @@ Date: Fri Aug 16 13:12:07 2024 +1000 Typos +commit 23a77d4973ec20b2aaab6a9c3a9fd8a98034923e +Author: Raja Grewal +Date: Fri Aug 16 12:46:51 2024 +1000 + + Simplify syntax of some network-related `sysctl`'s + commit e3a3207a4447568a17129afe9dde34debc465e21 Author: Raja Grewal Date: Fri Aug 16 12:41:36 2024 +1000 diff --git a/debian/changelog b/debian/changelog index f86a0c9..309ed08 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:39.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 25 Aug 2024 15:34:54 +0000 + security-misc (3:39.1-1) unstable; urgency=medium * New upstream version (local package). From ac6602ac3531ae57603e8a9e5ac2ee1652164b23 Mon Sep 17 00:00:00 2001 
From: Raja Grewal Date: Mon, 26 Aug 2024 11:19:20 +1000 Subject: [PATCH 605/846] Add detail on disabling user namespaces breaking UPower --- usr/lib/sysctl.d/990-security-misc.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 484761e..d244a01 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -116,6 +116,7 @@ kernel.sysrq=0 ## Restricting may lead to breakages in numerous software packages. ## Uncomment the second sysctl to entirely disable user namespaces. ## Disabling entirely will reduce compatibility with some AppArmor profiles. +## Disabling entirely is known to break the UPower systemd servince. ## ## https://lwn.net/Articles/673597/ ## https://madaidans-insecurities.github.io/linux.html#kernel From 2841d789bebbd43f855b6ffb92a3a6f017007a72 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 26 Aug 2024 11:21:26 +1000 Subject: [PATCH 606/846] README: Update --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 946e646..7183675 100644 --- a/README.md +++ b/README.md @@ -8,6 +8,7 @@ many more sources. - https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project - https://kspp.github.io/Recommended_Settings +- https://github.com/KSPP/kspp.github.io ### sysctl @@ -75,6 +76,8 @@ Core dumps: - Disable core dump files and prevent their creation. If core dump files are enabled, they will be named based on `core.PID` instead of the default `core`. +Swap space: + - Limit the copying of potentially sensitive content in memory to the swap device. Networking: From 2c356e8b0ef7db56e7b453535c8cb6c83fc2e3c6 Mon Sep 17 00:00:00 2001 
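Review bot: The added caveat has a typo in the service name — `+## Disabling entirely is known to break the UPower systemd servince.` should read `## Disabling entirely is known to break the UPower systemd service.`. Because the preceding context tells the reader to "uncomment the second sysctl" to disable user namespaces entirely, naming that sysctl in the caveat (it sits outside this hunk) would make the breakage note findable by someone grepping for the knob rather than for "UPower".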
From: Raja Grewal Date: Mon, 26 Aug 2024 11:34:12 +1000 Subject: [PATCH 607/846] Add KSPP notice definitions --- etc/default/grub.d/40_cpu_mitigations.cfg | 4 ++++ etc/default/grub.d/40_kernel_hardening.cfg | 4 ++++ etc/default/grub.d/40_remount_secure.cfg | 4 ++++ etc/default/grub.d/40_signed_modules.cfg | 4 ++++ etc/default/grub.d/41_quiet_boot.cfg | 4 ++++ usr/lib/sysctl.d/30_security-misc_kexec-disable.conf | 4 ++++ usr/lib/sysctl.d/30_silent-kernel-printk.conf | 4 ++++ usr/lib/sysctl.d/990-security-misc.conf | 4 ++++ 8 files changed, 32 insertions(+) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index 486b63b..529b626 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg @@ -1,6 +1,10 @@ ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. +## Definitions: +## KSPP=yes: compliant with recommendations by the KSPP +## KSPP=partial: partially compliant with recommendations by the KSPP + ## Enable known mitigations for CPU vulnerabilities. ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html ## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index c8a7eab..49435d9 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -5,6 +5,10 @@ kpkg="linux-image-$(dpkg --print-architecture)" || true kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || true #echo "## kver: $kver" +## Definitions: +## KSPP=yes: compliant with recommendations by the KSPP +## KSPP=partial: partially compliant with recommendations by the KSPP + ## This configuration file is split into 4 sections: ## 1. Kernel Space ## 2. Direct Memory Access 
diff --git a/etc/default/grub.d/40_remount_secure.cfg b/etc/default/grub.d/40_remount_secure.cfg index db6db11..4593820 100644 --- a/etc/default/grub.d/40_remount_secure.cfg +++ b/etc/default/grub.d/40_remount_secure.cfg @@ -1,6 +1,10 @@ ## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. +## Definitions: +## KSPP=yes: compliant with recommendations by the KSPP +## KSPP=partial: partially compliant with recommendations by the KSPP + ## Remount Secure provides enhanced security via mount options: ## https://www.kicksecure.com/wiki/Security-misc#Remount_Secure diff --git a/etc/default/grub.d/40_signed_modules.cfg b/etc/default/grub.d/40_signed_modules.cfg index 5e6fce7..788eeb1 100644 --- a/etc/default/grub.d/40_signed_modules.cfg +++ b/etc/default/grub.d/40_signed_modules.cfg @@ -1,6 +1,10 @@ ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. +## Definitions: +## KSPP=yes: compliant with recommendations by the KSPP +## KSPP=partial: partially compliant with recommendations by the KSPP + ## Require every kernel module to be signed before being loaded. ## Any module that is unsigned or signed with an invalid key cannot be loaded. ## This prevents all out-of-tree kernel modules unless signed. diff --git a/etc/default/grub.d/41_quiet_boot.cfg b/etc/default/grub.d/41_quiet_boot.cfg index 4806484..86c8660 100644 --- a/etc/default/grub.d/41_quiet_boot.cfg +++ b/etc/default/grub.d/41_quiet_boot.cfg 
@@ -1,6 +1,10 @@ ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. +## Definitions: +## KSPP=yes: compliant with recommendations by the KSPP +## KSPP=partial: partially compliant with recommendations by the KSPP + ## Some default configuration files automatically include the "quiet" parameter. ## Therefore, first remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT since "quiet" must be first. ## LANG=C str_replace is provided by package helper-scripts. diff --git a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf index eb785cc..74ab6f5 100644 --- a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf +++ b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf @@ -1,6 +1,10 @@ ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. +## Definitions: +## KSPP=yes: compliant with recommendations by the KSPP +## KSPP=partial: partially compliant with recommendations by the KSPP + ## NOTE: ## This configuration is in a dedicated file because the ram-wipe package ## requires kexec. However, ram-wipe cannot ship a config file diff --git a/usr/lib/sysctl.d/30_silent-kernel-printk.conf b/usr/lib/sysctl.d/30_silent-kernel-printk.conf index f8baa3f..b07fae9 100644 --- a/usr/lib/sysctl.d/30_silent-kernel-printk.conf +++ b/usr/lib/sysctl.d/30_silent-kernel-printk.conf @@ -1,6 +1,10 @@ ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. +## Definitions: +## KSPP=yes: compliant with recommendations by the KSPP +## KSPP=partial: partially compliant with recommendations by the KSPP + ## Prevent kernel information leaks in the console during boot. ## Must be used in conjunction with kernel boot parameters. ## See /etc/default/grub.d/41_quiet_boot.cfg for implementation. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index d244a01..a0bb243 100644 
--- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -6,6 +6,10 @@ ## is parsed first, followed by /usr/lib/sysctl.d/990-security-misc.conf. ## https://github.com/Kicksecure/security-misc/pull/135 +## Definitions: +## KSPP=yes: compliant with recommendations by the KSPP +## KSPP=partial: partially compliant with recommendations by the KSPP + ## This configuration file is divided into 5 sections: ## 1. Kernel Space ## 2. User Space From 9e91c98cc926e7a166458cd78e3c1d1ced23c753 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Mon, 26 Aug 2024 12:40:04 +1000 Subject: [PATCH 608/846] Add details on BPF hardening and split the `sysctl`s --- README.md | 5 ++++- usr/lib/sysctl.d/990-security-misc.conf | 20 +++++++++++++++++--- 2 files changed, 21 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 7183675..8af16ae 100644 --- a/README.md +++ b/README.md @@ -25,7 +25,8 @@ Kernel space: - Prevent kernel information leaks in the console during boot. -- Restrict eBPF access to `CAP_BPF` and enable associated JIT compiler hardening. +- Restrict usage of `bpf()` to `CAP_BPF` to prevent the loading of BPF programs + by unprivileged users. - Restrict loading TTY line disciplines to `CAP_SYS_MODULE`. @@ -82,6 +83,8 @@ Swap space: Networking: +- Enable hardening of the BPF JIT compiler protect against JIT spraying. + - Enable TCP SYN cookie protection to assist against SYN flood attacks. - Protect against TCP time-wait assassination hazards. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index a0bb243..bd74a3a 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf 
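Review bot: The three-line `## Definitions:` block added at the top of this file is copied verbatim into seven other configuration files in the same patch, so any future change to the vocabulary (for instance a value for settings this package applies beyond what the KSPP recommends) has to be made in eight places and will drift. A single canonical definition with a one-line pointer from the other files, e.g. `## KSPP=yes|partial: see definitions in /usr/lib/sysctl.d/990-security-misc.conf`, keeps the tags consistent.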
@@ -58,15 +58,16 @@ kernel.dmesg_restrict=1 ## #kernel.printk=3 3 3 3 -## Restrict eBPF access to CAP_BPF and enable associated JIT compiler hardening. +## Restrict eBPF access to CAP_BPF. +## Disables unprivileged calls to bpf() without recovery. ## ## https://en.wikipedia.org/wiki/EBPF#Security +## https://lwn.net/Articles/660331/ ## ## KSPP=yes -## KSPP sets the sysctls. +## KSPP sets the sysctl. ## kernel.unprivileged_bpf_disabled=1 -net.core.bpf_jit_harden=2 ## Restrict loading TTY line disciplines to users with CAP_SYS_MODULE. ## Prevents unprivileged users from loading vulnerable line disciplines with the TIOCSETD ioctl. @@ -348,6 +349,19 @@ vm.swappiness=1 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-network ## https://wiki.archlinux.org/title/Sysctl#TCP/IP_stack_hardening +## Enable hardening of the BPF JIT compiler for all users. +## Provides some mitigation against JIT spraying. +## +## https://en.wikipedia.org/wiki/JIT_spraying +## https://www.blackhat.com/docs/eu-16/materials/eu-16-Reshetova-Randomization-Can't-Stop-BPF-JIT-Spray-wp.pdf +## https://lwn.net/Articles/686098/ +## https://lwn.net/Articles/525609/ +## +## KSPP=yes +## KSPP sets the sysctl. +## +net.core.bpf_jit_harden=2 + ## Enable TCP SYN cookie protection to assist against SYN flood attacks. ## ## https://en.wikipedia.org/wiki/SYN_flood From f70fe308a9f65873d34de2d1906d825f3a56e272 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 28 Aug 2024 06:49:50 -0400 Subject: [PATCH 609/846] no longer set sysctl `fs.binfmt_misc.status=0` / no longer disallow registering interpreters for miscellaneous binary formats causing file/folder permissions issue `d????????? ? ? ? ? ? .` Firefox no longer starting (probably not not a Firefox issue) https://github.com/Kicksecure/security-misc/issues/267 --- README.md | 3 ++- usr/lib/sysctl.d/990-security-misc.conf | 5 ++++- 2 files changed, 6 insertions(+), 2 deletions(-) 
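Review bot: `+## Disables unprivileged calls to bpf() without recovery.` mirrors the kernel documentation's phrasing but leaves the practical point implicit: value 1 is sticky and cannot be changed back (even to 2) until reboot, whereas value 2 also disables unprivileged `bpf()` but can be reverted via sysctl, so choosing 1 is a deliberate hardening trade-off that the comment should spell out for anyone who later needs to re-enable unprivileged BPF for debugging. Suggested: `## 1 = disabled and cannot be re-enabled until reboot (2 = disabled but revertible via sysctl); 1 is chosen so an attacker with root cannot quietly re-enable it.`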
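Review bot: The new comment above `+net.core.bpf_jit_harden=2` does not explain why 2 rather than 1: value 1 hardens JIT-compiled programs only for unprivileged users, which this file already forbids from calling `bpf()` via `kernel.unprivileged_bpf_disabled=1`, so only value 2 (all users, including privileged loaders) adds protection here, at a JIT performance cost. A line such as `## 2 rather than 1 because unprivileged bpf() is already disabled above; 2 also blinds constants in privileged programs.` records that reasoning. Placing a kernel-wide JIT setting under the networking section is also a little misleading — it lives in the `net.core` namespace for historical reasons only — so a note to that effect would help readers scanning the kernel-space section for it.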
diff --git a/README.md b/README.md index 8af16ae..93403b9 100644 --- a/README.md +++ b/README.md @@ -69,8 +69,9 @@ User space: - Increase the maximum number of memory map areas a process is able to utilize. -- Disallow registering interpreters for various (miscellaneous) binary formats based +- Optional - Disallow registering interpreters for various (miscellaneous) binary formats based on a magic number or their file extension to prevent unintended code execution. + See issue: https://github.com/Kicksecure/security-misc/issues/267 Core dumps: diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index bd74a3a..bbef5bd 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -304,7 +304,10 @@ vm.max_map_count=1048576 ## KSPP=yes ## KSPP does not set CONFIG_BINFMT_MISC. ## -fs.binfmt_misc.status=0 +## This is disabled by default due to file/folder permission issues: +## https://github.com/Kicksecure/security-misc/issues/267 +## +#fs.binfmt_misc.status=0 ## 3. Core Dumps: ## From 9c918eb4313b60dc15aa9fa4474a7977602030c1 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 28 Aug 2024 11:01:37 +0000 Subject: [PATCH 610/846] bumped changelog version --- changelog.upstream | 102 +++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 +++ 2 files changed, 108 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 42493c9..b0c969c 100644 --- a/changelog.upstream +++ b/changelog.upstream 
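Review bot: The `## KSPP=yes` tag two lines above the newly commented `+#fs.binfmt_misc.status=0` now advertises compliance for a setting this file no longer applies, which misleads anyone auditing the configuration by tag. Mark it to match, e.g. `## KSPP=yes (not applied by default, see issue 267 below)`, or move the tag next to the new explanatory comment so the exception is visible where the tag is read. The `KSPP=yes` line itself is context at the top of the hunk rather than new code.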
@@ -1,3 +1,69 @@ +commit f70fe308a9f65873d34de2d1906d825f3a56e272 +Author: Patrick Schleizer +Date: Wed Aug 28 06:49:50 2024 -0400 + + no longer set sysctl `fs.binfmt_misc.status=0` / + no longer disallow registering interpreters for miscellaneous binary formats + + causing file/folder permissions issue `d????????? ? ? ? ? ? .` + + Firefox no longer starting (probably not not a Firefox issue) + + https://github.com/Kicksecure/security-misc/issues/267 + +commit 463aa58f28b6389d0925fed87096b348b652cc16 +Merge: cf824dd 328840c +Author: Patrick Schleizer +Date: Wed Aug 28 06:42:49 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 328840c933a583adc5458aa08c63fb627b31b298 +Merge: cf824dd 9e91c98 +Author: Patrick Schleizer +Date: Wed Aug 28 06:38:57 2024 -0400 + + Merge pull request #264 from raja-grewal/kspp_compliance + + Add KSPP compliance notices to corresponding parameters and `sysctls` + +commit 9e91c98cc926e7a166458cd78e3c1d1ced23c753 +Author: Raja Grewal +Date: Mon Aug 26 12:40:04 2024 +1000 + + Add details on BPF hardening and split the `sysctl`s + +commit 2c356e8b0ef7db56e7b453535c8cb6c83fc2e3c6 +Author: Raja Grewal +Date: Mon Aug 26 11:34:12 2024 +1000 + + Add KSPP notice definitions + +commit 2841d789bebbd43f855b6ffb92a3a6f017007a72 +Author: Raja Grewal +Date: Mon Aug 26 11:21:26 2024 +1000 + + README: Update + +commit ac6602ac3531ae57603e8a9e5ac2ee1652164b23 +Author: Raja Grewal +Date: Mon Aug 26 11:19:20 2024 +1000 + + Add detail on disabling user namespaces breaking UPower + +commit 9dbd200be415c86e7039463c6269fad8395a4373 +Merge: 32de5e7 cf824dd +Author: raja-grewal +Date: Mon Aug 26 11:08:21 2024 +1000 + + Merge branch 'Kicksecure:master' into kspp_compliance + +commit cf824ddb248957fd9e542c1a5adc5e90381f684c +Author: Patrick Schleizer +Date: Sun Aug 25 15:34:55 2024 +0000 + + bumped changelog version + commit 500568e322b2e3623fc649209d671c7b9d9fa097 Merge: 43d13b7 73900b5 Author: Patrick Schleizer 
@@ -46,6 +112,18 @@ Date: Wed Aug 21 12:52:48 2024 +1000 README.md: Organise kernel boot parameters +commit 32de5e7c49d301b62b838ba88550f58b02b6562b +Author: Raja Grewal +Date: Sun Aug 25 12:57:22 2024 +1000 + + Add details on oopses and warnings + +commit e4909b5e28e16f09de0e548c9221578ebe1190a3 +Author: Raja Grewal +Date: Sun Aug 25 12:47:04 2024 +1000 + + Add details on kernel panics + commit 342caf82b20acc2931563449fafe9a98cbedaba2 Author: Raja Grewal Date: Wed Aug 21 12:52:48 2024 +1000 @@ -64,12 +142,36 @@ Date: Wed Aug 21 12:50:14 2024 +1000 Refactor modprobe.d to minimise potential future merge conflicts +commit 56b28e38264fe742b8d694176f1057c15574fc08 +Author: Raja Grewal +Date: Mon Aug 19 11:50:08 2024 +1000 + + Typo + +commit 94dab1b7c503429e2fa91019a0183b2f36c6693f +Author: Raja Grewal +Date: Mon Aug 19 10:53:05 2024 +1000 + + Partial compliance with the KSPP on kernel panics + +commit 683110e7f02fa5fc6415354386552640cdb8758b +Author: Raja Grewal +Date: Mon Aug 19 01:34:14 2024 +1000 + + Correction + commit 1f51d4eeb2b0c6e23ce64fb272eecb97e089324d Author: Raja Grewal Date: Sun Aug 18 13:53:11 2024 +1000 Add details on user namespaces +commit 248e094b8e0bbf7892f79ad1c3ec77c7ed00d008 +Author: Raja Grewal +Date: Sat Aug 17 01:06:21 2024 +1000 + + Include KSPP compliance notices + commit 759aee8150a2d1258d73217c071b25432d47496f Author: Raja Grewal Date: Fri Aug 16 22:54:57 2024 +1000 diff --git a/debian/changelog b/debian/changelog index 309ed08..b9cd9a3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:39.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 28 Aug 2024 11:01:36 +0000 + security-misc (3:39.2-1) unstable; urgency=medium * New upstream version (local package). From 3101035a3fd5fbe87c79e95e51dc2da39fee93d5 Mon Sep 17 00:00:00 2001 
From: Raja Grewal Date: Thu, 29 Aug 2024 01:57:32 +1000 Subject: [PATCH 611/846] Enable `panic_on_warn=1` --- README.md | 7 ++++--- usr/libexec/security-misc/panic-on-oops | 10 +++++----- 2 files changed, 9 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 93403b9..c1f1144 100644 --- a/README.md +++ b/README.md @@ -43,9 +43,10 @@ Kernel space: - Restrict kernel profiling and the performance events system to `CAP_PERFMON`. -- Force the kernel to panic on "oopses" that can potentially indicate and thwart - certain kernel exploitation attempts. Optional - Force immediate reboot on the - occurrence of a kernel panic and also set panic limit to one (when using Linux kernel >= 6.2). +- Force the kernel to panic on both "oopses", which can potentially indicate and thwart + certain kernel exploitation attempts, and also kernel warnings in the `WARN()` path. + Optional - Force immediate reboot on the occurrence of a single kernel panic and also + (when using Linux kernel >= 6.2) limit the number of allowed panics to one. - Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. diff --git a/usr/libexec/security-misc/panic-on-oops b/usr/libexec/security-misc/panic-on-oops index caeb950..73c22d0 100755 --- a/usr/libexec/security-misc/panic-on-oops +++ b/usr/libexec/security-misc/panic-on-oops 
@@ -12,12 +12,12 @@ if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then
 source /usr/libexec/helper-scripts/pre.bsh
 fi
-## Makes the kernel panic on oopses. This prevents the kernel
-## from continuing to run a flawed processes. Many kernel exploits
-## will also cause an oops which this will make the kernel kill
-## the offending processes.
+## Makes the kernel panic on oopses and warnings. This prevents the
+## kernel from continuing to run a flawed processes. Many kernel
+## exploits will also cause an oops, these settings will make the
+## kernel kill the offending processes.
 #sysctl kernel.panic=-1
 sysctl kernel.panic_on_oops=1
-#sysctl kernel.panic_on_warn=1
+sysctl kernel.panic_on_warn=1
 #sysctl kernel.oops_limit=1
 #sysctl kernel.warn_limit=1
From 6294729c8ef24077cd342b4557653806c3aacd34 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Thu, 29 Aug 2024 15:34:24 +1000
Subject: [PATCH 612/846] Follow-up on https://github.com/Kicksecure/security-misc/commit/f70fe308a9f65873d34de2d1906d825f3a56e272
---
 usr/lib/sysctl.d/990-security-misc.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index bbef5bd..cbb03a3 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -301,7 +301,7 @@ vm.max_map_count=1048576
 ## https://unix.stackexchange.com/questions/439569/what-kinds-of-executable-formats-do-the-files-under-proc-sys-fs-binfmt-misc-al
 ## https://github.com/Kicksecure/security-misc/pull/249
 ##
-## KSPP=yes
+## KSPP=no
 ## KSPP does not set CONFIG_BINFMT_MISC.
 ##
 ## This is disabled by default due to file/folder permission issues:
From 59374ce902127e2125addc2ebb57d0d856a63671 Mon Sep 17 00:00:00 2001
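Review bot: Enabling `sysctl kernel.panic_on_warn=1` while `#sysctl kernel.panic=-1` stays commented out changes the failure mode of the whole machine, and the rewritten comment block does not say so: a `WARN()` from any driver or subsystem now triggers a panic, and with kernel.panic left at the kernel default the system halts until it is manually reset rather than rebooting. That is an availability trade-off worth stating next to the setting, because WARN() fires on many non-exploit conditions (driver bugs, hardware quirks); I would add `## NOTE: panic_on_warn turns every WARN() into a panic; unless kernel.panic is set the machine halts until manually reset.` above the sysctl lines, and mention that the commented `kernel.warn_limit=1` (Linux >= 6.2) is the less drastic alternative. The rewritten comment also keeps the grammatical slip `a flawed processes`; `a flawed process` reads correctly. The surrounding script starts outside the hunk, so whether pre.bsh enables strict error handling for the `sysctl` calls cannot be judged from here.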
From: Patrick Schleizer Date: Thu, 29 Aug 2024 09:49:51 +0000 Subject: [PATCH 613/846] bumped changelog version --- changelog.upstream | 28 ++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 34 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index b0c969c..3797cca 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,31 @@ +commit 7e2838ec077b53e41d468d5655290152761c8745 +Merge: 9c918eb 0762794 +Author: Patrick Schleizer +Date: Thu Aug 29 05:06:07 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 0762794ff684049a62b5b92b61177615a5376ad7 +Merge: 9c918eb 6294729 +Author: Patrick Schleizer +Date: Thu Aug 29 04:46:26 2024 -0400 + + Merge pull request #269 from raja-grewal/tidy + + Minor correction + +commit 6294729c8ef24077cd342b4557653806c3aacd34 +Author: Raja Grewal +Date: Thu Aug 29 15:34:24 2024 +1000 + + Follow-up on https://github.com/Kicksecure/security-misc/commit/f70fe308a9f65873d34de2d1906d825f3a56e272 + +commit 9c918eb4313b60dc15aa9fa4474a7977602030c1 +Author: Patrick Schleizer +Date: Wed Aug 28 11:01:37 2024 +0000 + + bumped changelog version + commit f70fe308a9f65873d34de2d1906d825f3a56e272 Author: Patrick Schleizer Date: Wed Aug 28 06:49:50 2024 -0400 diff --git a/debian/changelog b/debian/changelog index b9cd9a3..b07ee8e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:39.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 29 Aug 2024 09:49:51 +0000 + security-misc (3:39.3-1) unstable; urgency=medium * New upstream version (local package). From 7393ba159192fdfc45ef31a3fa60786f899dbf25 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 4 Sep 2024 23:23:24 +1000 Subject: [PATCH 614/846] Typo --- usr/lib/sysctl.d/990-security-misc.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index cbb03a3..3ec3b73 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -121,7 +121,7 @@ kernel.sysrq=0
 ## Restricting may lead to breakages in numerous software packages.
 ## Uncomment the second sysctl to entirely disable user namespaces.
 ## Disabling entirely will reduce compatibility with some AppArmor profiles.
-## Disabling entirely is known to break the UPower systemd servince.
+## Disabling entirely is known to break the UPower systemd service.
 ##
 ## https://lwn.net/Articles/673597/
 ## https://madaidans-insecurities.github.io/linux.html#kernel
From 40fb14c654df94e9bdfb30ae55fc3bc4f0a0aef4 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Wed, 4 Sep 2024 14:13:15 +0000
Subject: [PATCH 615/846] bumped changelog version
---
 changelog.upstream | 65 ++++++++++++++++++++++++++++++++++++++++++++++
 debian/changelog | 6 +++++
 2 files changed, 71 insertions(+)
diff --git a/changelog.upstream b/changelog.upstream
index 3797cca..368d456 100644
--- a/changelog.upstream
+++ b/changelog.upstream
@@ -1,3 +1,56 @@ +commit 5a255d4831470449a26b324a8f16594432bf834b +Merge: d618f9f 563a898 +Author: Patrick Schleizer +Date: Wed Sep 4 10:12:34 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 563a8980133e15e33ac95a631e37ecfff88f6f8f +Merge: 175945e e61027a +Author: Patrick Schleizer +Date: Wed Sep 4 10:11:48 2024 -0400 + + Merge pull request #265 from raja-grewal/mmap_min_addr + + Set `sysctl vm.mmap_min_addr=65536` + +commit d618f9f35b8e8c6eee1e164a6ec300d63b1ee797 +Merge: 59374ce 175945e +Author: Patrick Schleizer +Date: Wed Sep 4 10:07:50 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 175945ec9a28bf1e5b0fa0d2ae2bd6546d6c6172 +Merge: b0a8544 3101035 +Author: Patrick Schleizer +Date: Wed Sep 4 10:05:47 2024 -0400 + + Merge pull request #268 from raja-grewal/panic_on_warn + + Enable `panic_on_warn=1` + +commit b0a8544182f6ff3c8c3f1068176ff5e9e4f557ef +Merge: 59374ce 7393ba1 +Author: Patrick Schleizer +Date: Wed Sep 4 10:04:45 2024 -0400 + + Merge pull request #270 from raja-grewal/typo + + Small typo + +commit 7393ba159192fdfc45ef31a3fa60786f899dbf25 +Author: raja-grewal +Date: Wed Sep 4 23:23:24 2024 +1000 + + Typo + +commit 59374ce902127e2125addc2ebb57d0d856a63671 +Author: Patrick Schleizer +Date: Thu Aug 29 09:49:51 2024 +0000 + + bumped changelog version + commit 7e2838ec077b53e41d468d5655290152761c8745 Merge: 9c918eb 0762794 Author: Patrick Schleizer @@ -20,6 +73,12 @@ Date: Thu Aug 29 15:34:24 2024 +1000 Follow-up on https://github.com/Kicksecure/security-misc/commit/f70fe308a9f65873d34de2d1906d825f3a56e272 +commit 3101035a3fd5fbe87c79e95e51dc2da39fee93d5 +Author: Raja Grewal +Date: Thu Aug 29 01:57:32 2024 +1000 + + Enable `panic_on_warn=1` + commit 9c918eb4313b60dc15aa9fa4474a7977602030c1 Author: Patrick Schleizer Date: Wed Aug 28 11:01:37 2024 +0000 
@@ -176,6 +235,12 @@ Date: Mon Aug 19 11:50:08 2024 +1000 Typo +commit e61027a40e2ab82fac3ae4cfd5f91fd0a47f31e5 +Author: Raja Grewal +Date: Mon Aug 19 11:32:20 2024 +1000 + + Set `sysctl vm.mmap_min_addr=65536` + commit 94dab1b7c503429e2fa91019a0183b2f36c6693f Author: Raja Grewal Date: Mon Aug 19 10:53:05 2024 +1000 diff --git a/debian/changelog b/debian/changelog index b07ee8e..7ccf2ff 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:39.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 04 Sep 2024 14:13:15 +0000 + security-misc (3:39.4-1) unstable; urgency=medium * New upstream version (local package). From e914028be7a48a3bfdf86e09c029011807f080d7 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 5 Sep 2024 06:03:05 -0400 Subject: [PATCH 616/846] add KSPP compliance status to readme based on comment by @raja-grewal https://github.com/Kicksecure/security-misc/issues/256#issuecomment-2330376651 --- README.md | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) diff --git a/README.md b/README.md index b4021d9..6706e8d 100644 --- a/README.md +++ b/README.md 
@@ -194,6 +194,48 @@ Networking: - Optional - Disable the entire IPv6 stack to reduce attack surface. +## Kernel Self Protection Project (KSPP) Compliance Status + +**Summary:*** + +security-misc is in full compliance with KSPP as much as reasonable. In a few exception cases there is only partial compliance or non-compliance. + +* https://kspp.github.io/Recommended_Settings + +**Full compliance:** + +More than 30 kernel boot parameters and more than 30 sysctl settings are fully compliant with recommendations by KSPP. + +**Partial compliance:** + +1. `sysctl kernel.yama.ptrace_scope=3` + +Disable `ptrace()` entirely. Can easily enable. + +* https://github.com/Kicksecure/security-misc/pull/242 + +2. `sysctl kernel.panic=-1` + +Force immediate reboot upon a kernel panic. Can enable but may cause system crashes. + +* https://github.com/Kicksecure/security-misc/pull/264 +* https://github.com/Kicksecure/security-misc/pull/268 + +3. `sysctl user.max_user_namespaces=0` + +Disable user namespaces entirely. Unadvisable due to numerous potential breakages. + +* https://github.com/Kicksecure/security-misc/pull/263 + +**Non-compliance:** + +4. `sysctl fs.binfmt_misc.status=0` + +Disable registering interpreters for miscellaneous binary formats. Currently unadvisable due to breakage with Firefox. + +* https://github.com/Kicksecure/security-misc/pull/249 +* https://github.com/Kicksecure/security-misc/issues/267 + ### mmap ASLR - The bits of entropy used for mmap ASLR are maxed out via From 01908d505a59e7ec37cc3de3e1d49ff35ba127aa Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 5 Sep 2024 07:00:11 -0400 Subject: [PATCH 617/846] readme --- README.md | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index 6706e8d..d746f59 100644 --- a/README.md +++ b/README.md 
@@ -196,45 +196,45 @@ Networking: ## Kernel Self Protection Project (KSPP) Compliance Status -**Summary:*** +**Summary:** -security-misc is in full compliance with KSPP as much as reasonable. In a few exception cases there is only partial compliance or non-compliance. +`security-misc` is in full compliance with KSPP recommendations wherever feasible. However, there are a few cases of partial or non-compliance due to technical limitations. -* https://kspp.github.io/Recommended_Settings +* [KSPP Recommended Settings](https://kspp.github.io/Recommended_Settings) **Full compliance:** -More than 30 kernel boot parameters and more than 30 sysctl settings are fully compliant with recommendations by KSPP. +More than 30 kernel boot parameters and over 30 sysctl settings are fully aligned with KSPP's recommendations. **Partial compliance:** 1. `sysctl kernel.yama.ptrace_scope=3` -Disable `ptrace()` entirely. Can easily enable. +Completely disables `ptrace()`. Can be enabled easily if needed. -* https://github.com/Kicksecure/security-misc/pull/242 +* [security-misc pull request #242](https://github.com/Kicksecure/security-misc/pull/242) 2. `sysctl kernel.panic=-1` -Force immediate reboot upon a kernel panic. Can enable but may cause system crashes. +Forces an immediate reboot on kernel panic. This can be enabled, but it may lead to unexpected system crashes. -* https://github.com/Kicksecure/security-misc/pull/264 -* https://github.com/Kicksecure/security-misc/pull/268 +* [security-misc pull request #264](https://github.com/Kicksecure/security-misc/pull/264) +* [security-misc pull request #268](https://github.com/Kicksecure/security-misc/pull/268) 3. `sysctl user.max_user_namespaces=0` -Disable user namespaces entirely. Unadvisable due to numerous potential breakages. +Disables user namespaces entirely. Not recommended due to the potential for widespread breakages. 
-* https://github.com/Kicksecure/security-misc/pull/263 +* [security-misc pull request #263](https://github.com/Kicksecure/security-misc/pull/263) **Non-compliance:** 4. `sysctl fs.binfmt_misc.status=0` -Disable registering interpreters for miscellaneous binary formats. Currently unadvisable due to breakage with Firefox. +Disables the registration of interpreters for miscellaneous binary formats. Currently not feasible due to compatibility issues with Firefox. -* https://github.com/Kicksecure/security-misc/pull/249 -* https://github.com/Kicksecure/security-misc/issues/267 +* [security-misc pull request #249](https://github.com/Kicksecure/security-misc/pull/249) +* [security-misc issue #267](https://github.com/Kicksecure/security-misc/issues/267) ### mmap ASLR From 1bc694fa124eaeb6e1517d2191a8fd97446872c4 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 8 Sep 2024 17:41:30 +0000 Subject: [PATCH 618/846] bumped changelog version --- changelog.upstream | 20 ++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 26 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 368d456..cab2526 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,23 @@ +commit 01908d505a59e7ec37cc3de3e1d49ff35ba127aa +Author: Patrick Schleizer +Date: Thu Sep 5 07:00:11 2024 -0400 + + readme + +commit e914028be7a48a3bfdf86e09c029011807f080d7 +Author: Patrick Schleizer +Date: Thu Sep 5 06:03:05 2024 -0400 + + add KSPP compliance status to readme based on comment by @raja-grewal + + https://github.com/Kicksecure/security-misc/issues/256#issuecomment-2330376651 + +commit 40fb14c654df94e9bdfb30ae55fc3bc4f0a0aef4 +Author: Patrick Schleizer +Date: Wed Sep 4 14:13:15 2024 +0000 + + bumped changelog version + commit 5a255d4831470449a26b324a8f16594432bf834b Merge: d618f9f 563a898 Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index 7ccf2ff..2de7eac 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@
+security-misc (3:39.6-1) unstable; urgency=medium
+
+ * New upstream version (local package).
+
+ -- Patrick Schleizer Sun, 08 Sep 2024 17:41:30 +0000
+
 security-misc (3:39.5-1) unstable; urgency=medium
 * New upstream version (local package).
From 3280dbd5d562d7f6b50118ac0da36c3285493be6 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Fri, 13 Sep 2024 22:52:47 -0400
Subject: [PATCH 619/846] Fix VirtualBox audio device ICH AC97.
no longer `blacklist snd_intel8x0`
Breaks VirtualBox audio device ICH AC97, which is unfortunately still required by some users.
https://www.kicksecure.com/wiki/Dev/audio
Fixes https://github.com/Kicksecure/security-misc/issues/271
---
 etc/modprobe.d/30_security-misc_blacklist.conf | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/etc/modprobe.d/30_security-misc_blacklist.conf b/etc/modprobe.d/30_security-misc_blacklist.conf
index 8386800..af312b2 100644
--- a/etc/modprobe.d/30_security-misc_blacklist.conf
+++ b/etc/modprobe.d/30_security-misc_blacklist.conf
@@ -35,7 +35,13 @@ blacklist sr_mod
 blacklist joydev
 #blacklist mousedev
 #blacklist psmouse
-blacklist snd_intel8x0
+## TODO: Re-check in Debian trixie
+## In GrapheneOS list, yes, "should" be out-commented here.
+## But not actually out-commented.
+## Breaks VirtualBox audio device ICH AC97, which is unfortunately still required by some users.
+## https://www.kicksecure.com/wiki/Dev/audio
+## https://github.com/Kicksecure/security-misc/issues/271
+#blacklist snd_intel8x0
 #blacklist tls
 #blacklist virtio_balloon
 #blacklist virtio_console
From 18d426f521b2b1369fe68e143dc8a0be064d0dcc Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Sat, 14 Sep 2024 02:56:09 +0000
Subject: [PATCH 620/846] bumped changelog version
---
 changelog.upstream | 19 +++++++++++++++++++
 debian/changelog | 6 ++++++
 2 files changed, 25 insertions(+)
diff --git a/changelog.upstream b/changelog.upstream
index cab2526..bd0c006 100644
--- a/changelog.upstream
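Review bot: The second and third new comment lines in the modprobe.d hunk, `## In GrapheneOS list, yes, "should" be out-commented here.` and `## But not actually out-commented.`, are hard to parse for the next maintainer who has to decide whether to re-enable the blacklist in trixie. If I read the intent correctly, the upstream GrapheneOS list already has this entry commented out and it was left active here by mistake; stating that plainly, e.g. `## The GrapheneOS reference list has this entry commented out; it was erroneously left active here.`, would make the TODO actionable. Since dropping the blacklist lets the legacy snd_intel8x0 driver autoload again on any machine or VM presenting that hardware, it is also worth telling users who do not need ICH AC97 audio how to keep the reduced attack surface, along the lines of `## Systems that do not need ICH AC97 audio can keep "blacklist snd_intel8x0" in a local file under /etc/modprobe.d/.`.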
+++ b/changelog.upstream @@ -1,3 +1,22 @@ +commit 3280dbd5d562d7f6b50118ac0da36c3285493be6 +Author: Patrick Schleizer +Date: Fri Sep 13 22:52:47 2024 -0400 + + Fix VirtualBox audio device ICH AC97. + + no longer `blacklist snd_intel8x0` + + Breaks VirtualBox audio device ICH AC97, which is unfortunately still required by some users. + https://www.kicksecure.com/wiki/Dev/audio + + Fixes https://github.com/Kicksecure/security-misc/issues/271 + +commit 1bc694fa124eaeb6e1517d2191a8fd97446872c4 +Author: Patrick Schleizer +Date: Sun Sep 8 17:41:30 2024 +0000 + + bumped changelog version + commit 01908d505a59e7ec37cc3de3e1d49ff35ba127aa Author: Patrick Schleizer Date: Thu Sep 5 07:00:11 2024 -0400 diff --git a/debian/changelog b/debian/changelog index 2de7eac..1b10682 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:39.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 14 Sep 2024 02:56:08 +0000 + security-misc (3:39.6-1) unstable; urgency=medium * New upstream version (local package). From 769767a96a5de2a8bc05e70ca490d8340b553061 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 25 Sep 2024 09:54:49 +1000 Subject: [PATCH 621/846] Update mmap ASLR docs --- README.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index d746f59..e55a1ec 100644 --- a/README.md +++ b/README.md @@ -59,7 +59,7 @@ User space: enables programs to inspect and modify other active processes. Optional - Disable usage of `ptrace()` by all processes. -- Maximize the bits of entropy used for mmap ASLR across all architectures. +- Maximize the bits of entropy used for mmap ASLR across all CPU architectures. - Prevent hardlink and symlink TOCTOU races in world-writable directories. 
@@ -194,6 +194,13 @@ Networking: - Optional - Disable the entire IPv6 stack to reduce attack surface. +### mmap ASLR + +- The bits of entropy used for mmap ASLR for all CPU architectures are maxed + out via `/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of + `CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX` + that the kernel was built with), therefore improving its effectiveness. + ## Kernel Self Protection Project (KSPP) Compliance Status **Summary:** @@ -236,13 +243,6 @@ Disables the registration of interpreters for miscellaneous binary formats. Curr * [security-misc pull request #249](https://github.com/Kicksecure/security-misc/pull/249) * [security-misc issue #267](https://github.com/Kicksecure/security-misc/issues/267) -### mmap ASLR - -- The bits of entropy used for mmap ASLR are maxed out via - `/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of - `CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX` - that the kernel was built with), therefore improving its effectiveness. - ### Kernel Modules #### Kernel Module Signature Verification From 870ff88605b8167c8882162cc3da005d71ca0cd3 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 25 Sep 2024 10:01:45 +1000 Subject: [PATCH 622/846] Comment on Flatpak requiring unprivileged user namespaces --- usr/lib/sysctl.d/990-security-misc.conf | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 7329e77..e633df1 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf 
@@ -119,6 +119,7 @@ kernel.sysrq=0
 ## User namespaces aim to improve sandboxing and accessibility for unprivileged users.
 ## Unprivileged user namespaces pose substantial privilege escalation risks.
 ## Restricting may lead to breakages in numerous software packages.
+## Flatpak requires unprivileged users to create new user namespaces for sandboxing.
 ## Uncomment the second sysctl to entirely disable user namespaces.
 ## Disabling entirely will reduce compatibility with some AppArmor profiles.
 ## Disabling entirely is known to break the UPower systemd service.
@@ -127,6 +128,7 @@ kernel.sysrq=0
 ## https://madaidans-insecurities.github.io/linux.html#kernel
 ## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers
 ## https://github.com/NixOS/nixpkgs/pull/84522#issuecomment-614640601
+## https://github.com/flatpak/flatpak/wiki/User-namespace-requirements
 ## https://github.com/Kicksecure/security-misc/pull/263
 ##
 ## KSPP=partial
From 5572eb897a10455041df8abec6b6be6de29431a0 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Wed, 25 Sep 2024 01:03:42 +0000
Subject: [PATCH 623/846] bumped changelog version
---
 changelog.upstream | 34 ++++++++++++++++++++++++++++++++++
 debian/changelog | 6 ++++++
 2 files changed, 40 insertions(+)
diff --git a/changelog.upstream b/changelog.upstream
index bd0c006..d4a84ed 100644
--- a/changelog.upstream
+++ b/changelog.upstream
@@ -1,3 +1,37 @@ +commit e04f9cd4c17305d5201aa973c34778e81508734b +Merge: 18d426f 65aa910 +Author: Patrick Schleizer +Date: Tue Sep 24 20:16:06 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 65aa910503c07f708abf20f78be2f519ef58764a +Merge: 18d426f 870ff88 +Author: Patrick Schleizer +Date: Tue Sep 24 20:15:03 2024 -0400 + + Merge pull request #272 from raja-grewal/text + + Documentation update + +commit 870ff88605b8167c8882162cc3da005d71ca0cd3 +Author: raja-grewal +Date: Wed Sep 25 10:01:45 2024 +1000 + + Comment on Flatpak requiring unprivileged user namespaces + +commit 769767a96a5de2a8bc05e70ca490d8340b553061 +Author: raja-grewal +Date: Wed Sep 25 09:54:49 2024 +1000 + + Update mmap ASLR docs + +commit 18d426f521b2b1369fe68e143dc8a0be064d0dcc +Author: Patrick Schleizer +Date: Sat Sep 14 02:56:09 2024 +0000 + + bumped changelog version + commit 3280dbd5d562d7f6b50118ac0da36c3285493be6 Author: Patrick Schleizer Date: Fri Sep 13 22:52:47 2024 -0400 diff --git a/debian/changelog b/debian/changelog index 1b10682..57ee04b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:39.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 25 Sep 2024 01:03:42 +0000 + security-misc (3:39.7-1) unstable; urgency=medium * New upstream version (local package). From 39d063d494cb540f45747f6253ab896200ba03c3 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Thu, 26 Sep 2024 13:09:21 +0000 Subject: [PATCH 624/846] Add KSPP=no definition --- etc/default/grub.d/40_cpu_mitigations.cfg | 1 + etc/default/grub.d/40_kernel_hardening.cfg | 1 + etc/default/grub.d/40_remount_secure.cfg | 1 + etc/default/grub.d/40_signed_modules.cfg | 1 + etc/default/grub.d/41_quiet_boot.cfg | 1 + usr/lib/sysctl.d/30_security-misc_kexec-disable.conf | 1 + usr/lib/sysctl.d/30_silent-kernel-printk.conf | 1 + usr/lib/sysctl.d/990-security-misc.conf | 1 + 8 files changed, 8 insertions(+) 
diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg
index 529b626..5960e14 100644
--- a/etc/default/grub.d/40_cpu_mitigations.cfg
+++ b/etc/default/grub.d/40_cpu_mitigations.cfg
@@ -4,6 +4,7 @@
 ## Definitions:
 ## KSPP=yes: compliant with recommendations by the KSPP
 ## KSPP=partial: partially compliant with recommendations by the KSPP
+## KSPP=no: not (currently) compliant with recommendations by the KSPP
 ## Enable known mitigations for CPU vulnerabilities.
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg
index 49435d9..ad7e61a 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@@ -8,6 +8,7 @@ kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || tru
 ## Definitions:
 ## KSPP=yes: compliant with recommendations by the KSPP
 ## KSPP=partial: partially compliant with recommendations by the KSPP
+## KSPP=no: not (currently) compliant with recommendations by the KSPP
 ## This configuration file is split into 4 sections:
 ## 1. Kernel Space
diff --git a/etc/default/grub.d/40_remount_secure.cfg b/etc/default/grub.d/40_remount_secure.cfg
index 4593820..f92991a 100644
--- a/etc/default/grub.d/40_remount_secure.cfg
+++ b/etc/default/grub.d/40_remount_secure.cfg
@@ -4,6 +4,7 @@
 ## Definitions:
 ## KSPP=yes: compliant with recommendations by the KSPP
 ## KSPP=partial: partially compliant with recommendations by the KSPP
+## KSPP=no: not (currently) compliant with recommendations by the KSPP
 ## Remount Secure provides enhanced security via mount options:
 ## https://www.kicksecure.com/wiki/Security-misc#Remount_Secure
diff --git a/etc/default/grub.d/40_signed_modules.cfg b/etc/default/grub.d/40_signed_modules.cfg
index 788eeb1..b33dceb 100644
--- a/etc/default/grub.d/40_signed_modules.cfg
+++ b/etc/default/grub.d/40_signed_modules.cfg
@@ -4,6 +4,7 @@
 ## Definitions:
 ## KSPP=yes: compliant with recommendations by the KSPP
 ## KSPP=partial: partially compliant with recommendations by the KSPP
+## KSPP=no: not (currently) compliant with recommendations by the KSPP
 ## Require every kernel module to be signed before being loaded.
 ## Any module that is unsigned or signed with an invalid key cannot be loaded.
diff --git a/etc/default/grub.d/41_quiet_boot.cfg b/etc/default/grub.d/41_quiet_boot.cfg
index 86c8660..33b412d 100644
--- a/etc/default/grub.d/41_quiet_boot.cfg
+++ b/etc/default/grub.d/41_quiet_boot.cfg
@@ -4,6 +4,7 @@
 ## Definitions:
 ## KSPP=yes: compliant with recommendations by the KSPP
 ## KSPP=partial: partially compliant with recommendations by the KSPP
+## KSPP=no: not (currently) compliant with recommendations by the KSPP
 ## Some default configuration files automatically include the "quiet" parameter.
 ## Therefore, first remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT since "quiet" must be first.
diff --git a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf
index 74ab6f5..da77fd7 100644
--- a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf
+++ b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf
@@ -4,6 +4,7 @@
 ## Definitions:
 ## KSPP=yes: compliant with recommendations by the KSPP
 ## KSPP=partial: partially compliant with recommendations by the KSPP
+## KSPP=no: not (currently) compliant with recommendations by the KSPP
 ## NOTE:
 ## This configuration is in a dedicated file because the ram-wipe package
diff --git a/usr/lib/sysctl.d/30_silent-kernel-printk.conf b/usr/lib/sysctl.d/30_silent-kernel-printk.conf
index b07fae9..44b0b25 100644
--- a/usr/lib/sysctl.d/30_silent-kernel-printk.conf
+++ b/usr/lib/sysctl.d/30_silent-kernel-printk.conf
@@ -4,6 +4,7 @@ ## Definitions: ## KSPP=yes: compliant with recommendations by the KSPP ## KSPP=partial: partially compliant with recommendations by the KSPP +## KSPP=no: not (currently) compliant with recommendations by the KSPP ## Prevent kernel information leaks in the console during boot. ## Must be used in conjunction with kernel boot parameters. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index e633df1..c404553 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -9,6 +9,7 @@ ## Definitions: ## KSPP=yes: compliant with recommendations by the KSPP ## KSPP=partial: partially compliant with recommendations by the KSPP +## KSPP=no: not (currently) compliant with recommendations by the KSPP ## This configuration file is divided into 5 sections: ## 1. Kernel Space From f3b50a23c976ba4feff34eee721c50f698ecc5bf Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Thu, 26 Sep 2024 13:10:01 +0000 Subject: [PATCH 625/846] Add reference on unprivileged_userns_restriction --- usr/lib/sysctl.d/990-security-misc.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index c404553..eb160ef 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -127,6 +127,7 @@ kernel.sysrq=0 ## ## https://lwn.net/Articles/673597/ ## https://madaidans-insecurities.github.io/linux.html#kernel +## https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction ## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers ## https://github.com/NixOS/nixpkgs/pull/84522#issuecomment-614640601 ## https://github.com/flatpak/flatpak/wiki/User-namespace-requirements From eae38e72f30ff9b9f8d0b8b0b33182a918333e48 Mon Sep 17 00:00:00 2001 
From: raja-grewal Date: Thu, 26 Sep 2024 13:10:36 +0000 Subject: [PATCH 626/846] README.md: Show the current max_map_count --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index e55a1ec..a849c91 100644 --- a/README.md +++ b/README.md @@ -71,7 +71,7 @@ User space: - Raise the minimum address a process can request for memory mapping to 64KB to protect against kernel null pointer dereference vulnerabilities. -- Increase the maximum number of memory map areas a process is able to utilize. +- Increase the maximum number of memory map areas a process is able to utilize to 1,048,576. - Optional - Disallow registering interpreters for various (miscellaneous) binary formats based on a magic number or their file extension to prevent unintended code execution. From ac1378743c7448c9a7e7e02bebcf3270592d42a5 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Mon, 30 Sep 2024 16:56:18 +1000 Subject: [PATCH 627/846] Consistent formatting --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index a849c91..481a6c0 100644 --- a/README.md +++ b/README.md @@ -201,7 +201,7 @@ Networking: `CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX` that the kernel was built with), therefore improving its effectiveness. -## Kernel Self Protection Project (KSPP) Compliance Status +### Kernel Self Protection Project (KSPP) compliance status **Summary:** From f401d94d5e0d0f26e93be55deda440fe565a6b22 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 3 Oct 2024 02:44:06 -0400 Subject: [PATCH 628/846] expand documentation on `kernel.unprivileged_userns_clone=0` sysctl https://github.com/Kicksecure/security-misc/issues/274 --- usr/lib/sysctl.d/990-security-misc.conf | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index e633df1..897ba59 100644 
--- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -119,22 +119,34 @@ kernel.sysrq=0 ## User namespaces aim to improve sandboxing and accessibility for unprivileged users. ## Unprivileged user namespaces pose substantial privilege escalation risks. ## Restricting may lead to breakages in numerous software packages. +## ## Flatpak requires unprivileged users to create new user namespaces for sandboxing. -## Uncomment the second sysctl to entirely disable user namespaces. +## https://github.com/flatpak/flatpak/wiki/User-namespace-requirements +## https://salsa.debian.org/debian/bubblewrap/-/blob/debian/latest/debian/README.Debian +## https://forums.kicksecure.com/t/can-not-run-flatpak-apps-after-kicksecure-update/592 +## ## Disabling entirely will reduce compatibility with some AppArmor profiles. ## Disabling entirely is known to break the UPower systemd service. ## +## Also breaks (some?) AppImages. +## https://forums.kicksecure.com/t/cannot-run-some-appimage-apps-after-kicksecure-upate/594 +## +## Might also break evolution (e-mail client): +## https://forums.kicksecure.com/t/impossible-to-start-evolution-app-since-the-last-update/601 +## ## https://lwn.net/Articles/673597/ ## https://madaidans-insecurities.github.io/linux.html#kernel ## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers ## https://github.com/NixOS/nixpkgs/pull/84522#issuecomment-614640601 ## https://github.com/flatpak/flatpak/wiki/User-namespace-requirements ## https://github.com/Kicksecure/security-misc/pull/263 +## https://github.com/Kicksecure/security-misc/issues/274 ## ## KSPP=partial -## KSPP sets the stricter sysctl user.max_user_namespaces=0. +## KSPP sets sysctls kernel.unprivileged_userns_clone=0 and user.max_user_namespaces=0. ## kernel.unprivileged_userns_clone=0 +## Uncomment the following sysctl to entirely disable user namespaces. #user.max_user_namespaces=0 ## Restricts kernel profiling to users with CAP_PERFMON. 
From 0e3ffa3f11a0049e57803c8f2e75dbb7d8ceb22c Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 3 Oct 2024 02:58:58 -0400 Subject: [PATCH 629/846] no longer set `kernel.unprivileged_userns_clone=0` because it breaks too much fixes https://github.com/Kicksecure/security-misc/issues/274 --- README.md | 12 +++++++----- usr/lib/sysctl.d/990-security-misc.conf | 7 ++++--- 2 files changed, 11 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index e55a1ec..bc43280 100644 --- a/README.md +++ b/README.md @@ -38,8 +38,10 @@ Kernel space: - Entirely disable the SysRq key so that the Secure Attention Key (SAK) can no longer be utilized. See [documentation](https://www.kicksecure.com/wiki/SysRq). -- Restrict user namespaces to `CAP_SYS_ADMIN` as they can lead to substantial - privilege escalation. Optional - Disable all use of user namespaces. +- Optional - Restrict user namespaces to `CAP_SYS_ADMIN` as they can lead to substantial + privilege escalation. + +- Optional - Disable all use of user namespaces. - Restrict kernel profiling and the performance events system to `CAP_PERFMON`. @@ -200,7 +202,7 @@ Networking: out via `/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of `CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX` that the kernel was built with), therefore improving its effectiveness. - + ## Kernel Self Protection Project (KSPP) Compliance Status **Summary:** 
@@ -228,14 +230,14 @@ Forces an immediate reboot on kernel panic. This can be enabled, but it may lead * [security-misc pull request #264](https://github.com/Kicksecure/security-misc/pull/264) * [security-misc pull request #268](https://github.com/Kicksecure/security-misc/pull/268) +**Non-compliance:** + 3. `sysctl user.max_user_namespaces=0` Disables user namespaces entirely. Not recommended due to the potential for widespread breakages. * [security-misc pull request #263](https://github.com/Kicksecure/security-misc/pull/263) -**Non-compliance:** - 4. `sysctl fs.binfmt_misc.status=0` Disables the registration of interpreters for miscellaneous binary formats. Currently not feasible due to compatibility issues with Firefox. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 897ba59..f7763b1 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -142,10 +142,11 @@ kernel.sysrq=0 ## https://github.com/Kicksecure/security-misc/pull/263 ## https://github.com/Kicksecure/security-misc/issues/274 ## -## KSPP=partial -## KSPP sets sysctls kernel.unprivileged_userns_clone=0 and user.max_user_namespaces=0. +## KSPP=no +## KSPP sets user.max_user_namespaces=0 sysctl, a Linux mainline, stricter setting. ## -kernel.unprivileged_userns_clone=0 +## kernel.unprivileged_userns_clone is a Debian specific kernel feature. Not Linux mainline. +#kernel.unprivileged_userns_clone=0 ## Uncomment the following sysctl to entirely disable user namespaces. #user.max_user_namespaces=0 From 8a2d432ffe6d4eb661026b6e7dbf534bb1db971b Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 3 Oct 2024 07:22:23 +0000 Subject: [PATCH 630/846] bumped changelog version --- changelog.upstream | 24 ++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 30 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index d4a84ed..f86e577 100644 --- a/changelog.upstream 
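Review bot: Commenting out `kernel.unprivileged_userns_clone=0` means the package no longer sets this key at all, so a system that already applied the old value keeps it until the next reboot or `sysctl --system` unless something re-applies the tree, while fresh installs fall back to the kernel default; one sentence in the hunk saying so would prevent confusion when users compare running systems. The replacement line `## KSPP sets user.max_user_namespaces=0 sysctl, a Linux mainline, stricter setting.` reads awkwardly; suggest `## KSPP recommends the stricter, Linux mainline sysctl user.max_user_namespaces=0 instead.`. Since unprivileged user namespaces are being re-enabled for compatibility, a pointer to the AppArmor unprivileged_userns_restriction reference that a sibling commit on this page adds to this file would document the remaining mitigation path for readers who still want the restriction.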
+++ b/changelog.upstream @@ -1,3 +1,27 @@ +commit 0e3ffa3f11a0049e57803c8f2e75dbb7d8ceb22c +Author: Patrick Schleizer +Date: Thu Oct 3 02:58:58 2024 -0400 + + no longer set `kernel.unprivileged_userns_clone=0` + + because it breaks too much + + fixes https://github.com/Kicksecure/security-misc/issues/274 + +commit f401d94d5e0d0f26e93be55deda440fe565a6b22 +Author: Patrick Schleizer +Date: Thu Oct 3 02:44:06 2024 -0400 + + expand documentation on `kernel.unprivileged_userns_clone=0` sysctl + + https://github.com/Kicksecure/security-misc/issues/274 + +commit 5572eb897a10455041df8abec6b6be6de29431a0 +Author: Patrick Schleizer +Date: Wed Sep 25 01:03:42 2024 +0000 + + bumped changelog version + commit e04f9cd4c17305d5201aa973c34778e81508734b Merge: 18d426f 65aa910 Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index 57ee04b..dc8edc6 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:39.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 03 Oct 2024 07:22:23 +0000 + security-misc (3:39.8-1) unstable; urgency=medium * New upstream version (local package). From dc470cac1d93656354aeaaac0a6f8cbbd39f9f0f Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sun, 6 Oct 2024 10:46:05 +0000 Subject: [PATCH 631/846] Remmove deprecated link --- README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/README.md b/README.md index 481a6c0..071af7f 100644 --- a/README.md +++ b/README.md @@ -6,7 +6,6 @@ This section is inspired by the Kernel Self Protection Project (KSPP). It attempts to implement all recommended Linux kernel settings by the KSPP and many more sources. -- https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project - https://kspp.github.io/Recommended_Settings - https://github.com/KSPP/kspp.github.io 
@@ -200,7 +199,7 @@ Networking: out via `/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of `CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX` that the kernel was built with), therefore improving its effectiveness. - + ### Kernel Self Protection Project (KSPP) compliance status **Summary:** From 263335f74ea0f050f9c259e20141c3345e7fa789 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 8 Oct 2024 11:24:56 +0000 Subject: [PATCH 632/846] bumped changelog version --- changelog.upstream | 59 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 +++++ 2 files changed, 65 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index f86e577..6209403 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,38 @@ +commit 9169611645d0cd5a308ff48862f351ef5ea5f7e8 +Merge: 8a2d432 8227a3d +Author: Patrick Schleizer +Date: Tue Oct 8 05:54:50 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 8227a3dde2995ceb113164baf49591d52c2b53e1 +Merge: 8a2d432 0c0774f +Author: Patrick Schleizer +Date: Tue Oct 8 05:53:48 2024 -0400 + + Merge pull request #273 from raja-grewal/text_2 + + Documentation update 2 + +commit 0c0774f6c0927ed1cc599f931175985b8f01ec30 +Merge: dc470ca 8a2d432 +Author: raja-grewal +Date: Sun Oct 6 10:48:52 2024 +0000 + + Merge branch 'master' into text_2 + +commit dc470cac1d93656354aeaaac0a6f8cbbd39f9f0f +Author: raja-grewal +Date: Sun Oct 6 10:46:05 2024 +0000 + + Remmove deprecated link + +commit 8a2d432ffe6d4eb661026b6e7dbf534bb1db971b +Author: Patrick Schleizer +Date: Thu Oct 3 07:22:23 2024 +0000 + + bumped changelog version + commit 0e3ffa3f11a0049e57803c8f2e75dbb7d8ceb22c Author: Patrick Schleizer Date: Thu Oct 3 02:58:58 2024 -0400 
@@ -16,6 +51,30 @@ Date: Thu Oct 3 02:44:06 2024 -0400 https://github.com/Kicksecure/security-misc/issues/274 +commit ac1378743c7448c9a7e7e02bebcf3270592d42a5 +Author: raja-grewal +Date: Mon Sep 30 16:56:18 2024 +1000 + + Consistent formatting + +commit eae38e72f30ff9b9f8d0b8b0b33182a918333e48 +Author: raja-grewal +Date: Thu Sep 26 13:10:36 2024 +0000 + + README.md: Show the current max_map_count + +commit f3b50a23c976ba4feff34eee721c50f698ecc5bf +Author: raja-grewal +Date: Thu Sep 26 13:10:01 2024 +0000 + + Add reference on unprivileged_userns_restriction + +commit 39d063d494cb540f45747f6253ab896200ba03c3 +Author: raja-grewal +Date: Thu Sep 26 13:09:21 2024 +0000 + + Add KSPP=no definition + commit 5572eb897a10455041df8abec6b6be6de29431a0 Author: Patrick Schleizer Date: Wed Sep 25 01:03:42 2024 +0000 diff --git a/debian/changelog b/debian/changelog index dc8edc6..c607a93 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:40.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 08 Oct 2024 11:24:55 +0000 + security-misc (3:39.9-1) unstable; urgency=medium * New upstream version (local package). From 09fe46adc956e8c6de232f1093c37cdd30933acd Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Mon, 14 Oct 2024 02:54:30 +0000 Subject: [PATCH 633/846] Clarify KSPP compliance header for the undocumented case --- etc/default/grub.d/40_cpu_mitigations.cfg | 1 + etc/default/grub.d/40_kernel_hardening.cfg | 1 + etc/default/grub.d/40_remount_secure.cfg | 1 + etc/default/grub.d/40_signed_modules.cfg | 1 + etc/default/grub.d/41_quiet_boot.cfg | 1 + usr/lib/sysctl.d/30_security-misc_kexec-disable.conf | 1 + usr/lib/sysctl.d/30_silent-kernel-printk.conf | 1 + usr/lib/sysctl.d/990-security-misc.conf | 1 + 8 files changed, 8 insertions(+) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index 5960e14..e426673 100644 
--- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg @@ -5,6 +5,7 @@ ## KSPP=yes: compliant with recommendations by the KSPP ## KSPP=partial: partially compliant with recommendations by the KSPP ## KSPP=no: not (currently) compliant with recommendations by the KSPP +## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. ## Enable known mitigations for CPU vulnerabilities. ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index ad7e61a..e41dabb 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -9,6 +9,7 @@ kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || tru ## KSPP=yes: compliant with recommendations by the KSPP ## KSPP=partial: partially compliant with recommendations by the KSPP ## KSPP=no: not (currently) compliant with recommendations by the KSPP +## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. ## This configuration file is split into 4 sections: ## 1. Kernel Space diff --git a/etc/default/grub.d/40_remount_secure.cfg b/etc/default/grub.d/40_remount_secure.cfg index f92991a..f06235b 100644 --- a/etc/default/grub.d/40_remount_secure.cfg +++ b/etc/default/grub.d/40_remount_secure.cfg @@ -5,6 +5,7 @@ ## KSPP=yes: compliant with recommendations by the KSPP ## KSPP=partial: partially compliant with recommendations by the KSPP ## KSPP=no: not (currently) compliant with recommendations by the KSPP +## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. ## Remount Secure provides enhanced security via mount options: ## https://www.kicksecure.com/wiki/Security-misc#Remount_Secure 
diff --git a/etc/default/grub.d/40_signed_modules.cfg b/etc/default/grub.d/40_signed_modules.cfg index b33dceb..75cd3bb 100644 --- a/etc/default/grub.d/40_signed_modules.cfg +++ b/etc/default/grub.d/40_signed_modules.cfg @@ -5,6 +5,7 @@ ## KSPP=yes: compliant with recommendations by the KSPP ## KSPP=partial: partially compliant with recommendations by the KSPP ## KSPP=no: not (currently) compliant with recommendations by the KSPP +## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. ## Require every kernel module to be signed before being loaded. ## Any module that is unsigned or signed with an invalid key cannot be loaded. diff --git a/etc/default/grub.d/41_quiet_boot.cfg b/etc/default/grub.d/41_quiet_boot.cfg index 33b412d..9623625 100644 --- a/etc/default/grub.d/41_quiet_boot.cfg +++ b/etc/default/grub.d/41_quiet_boot.cfg @@ -5,6 +5,7 @@ ## KSPP=yes: compliant with recommendations by the KSPP ## KSPP=partial: partially compliant with recommendations by the KSPP ## KSPP=no: not (currently) compliant with recommendations by the KSPP +## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. ## Some default configuration files automatically include the "quiet" parameter. ## Therefore, first remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT since "quiet" must be first. diff --git a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf index da77fd7..5c38e38 100644 --- a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf +++ b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf 
@@ -5,6 +5,7 @@ ## KSPP=yes: compliant with recommendations by the KSPP ## KSPP=partial: partially compliant with recommendations by the KSPP ## KSPP=no: not (currently) compliant with recommendations by the KSPP +## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. ## NOTE: ## This configuration is in a dedicated file because the ram-wipe package diff --git a/usr/lib/sysctl.d/30_silent-kernel-printk.conf b/usr/lib/sysctl.d/30_silent-kernel-printk.conf index 44b0b25..a1fd57e 100644 --- a/usr/lib/sysctl.d/30_silent-kernel-printk.conf +++ b/usr/lib/sysctl.d/30_silent-kernel-printk.conf @@ -5,6 +5,7 @@ ## KSPP=yes: compliant with recommendations by the KSPP ## KSPP=partial: partially compliant with recommendations by the KSPP ## KSPP=no: not (currently) compliant with recommendations by the KSPP +## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. ## Prevent kernel information leaks in the console during boot. ## Must be used in conjunction with kernel boot parameters. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index e4ae584..6009fc4 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -10,6 +10,7 @@ ## KSPP=yes: compliant with recommendations by the KSPP ## KSPP=partial: partially compliant with recommendations by the KSPP ## KSPP=no: not (currently) compliant with recommendations by the KSPP +## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. ## This configuration file is divided into 5 sections: ## 1. Kernel Space From a9f238fe048acfeff49f96c00570acc6ca4c37e8 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Mon, 14 Oct 2024 02:57:31 +0000 Subject: [PATCH 634/846] README.md: Split optional setting to new line --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index c700ba8..a29cc29 100644 
--- a/README.md +++ b/README.md @@ -46,7 +46,8 @@ Kernel space: - Force the kernel to panic on both "oopses", which can potentially indicate and thwart certain kernel exploitation attempts, and also kernel warnings in the `WARN()` path. - Optional - Force immediate reboot on the occurrence of a single kernel panic and also + +- Optional - Force immediate reboot on the occurrence of a single kernel panic and also (when using Linux kernel >= 6.2) limit the number of allowed panics to one. - Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. From eb72163d5707c7673db1f12405d2e04261bd43c8 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Mon, 14 Oct 2024 03:01:15 +0000 Subject: [PATCH 635/846] README.md: Make line lengths consistent --- README.md | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index a29cc29..c23d261 100644 --- a/README.md +++ b/README.md @@ -207,13 +207,15 @@ Networking: **Summary:** -`security-misc` is in full compliance with KSPP recommendations wherever feasible. However, there are a few cases of partial or non-compliance due to technical limitations. +`security-misc` is in full compliance with KSPP recommendations wherever feasible. However, +there are a few cases of partial or non-compliance due to technical limitations. * [KSPP Recommended Settings](https://kspp.github.io/Recommended_Settings) **Full compliance:** -More than 30 kernel boot parameters and over 30 sysctl settings are fully aligned with KSPP's recommendations. +More than 30 kernel boot parameters and over 30 sysctl settings are fully aligned with +the KSPP's recommendations. **Partial compliance:** 
@@ -225,7 +227,8 @@ Completely disables `ptrace()`. Can be enabled easily if needed. 2. `sysctl kernel.panic=-1` -Forces an immediate reboot on kernel panic. This can be enabled, but it may lead to unexpected system crashes. +Forces an immediate reboot on kernel panic. This can be enabled, but it may lead to unexpected +system crashes. * [security-misc pull request #264](https://github.com/Kicksecure/security-misc/pull/264) * [security-misc pull request #268](https://github.com/Kicksecure/security-misc/pull/268) @@ -240,7 +243,8 @@ Disables user namespaces entirely. Not recommended due to the potential for wide 4. `sysctl fs.binfmt_misc.status=0` -Disables the registration of interpreters for miscellaneous binary formats. Currently not feasible due to compatibility issues with Firefox. +Disables the registration of interpreters for miscellaneous binary formats. Currently not +feasible due to compatibility issues with Firefox. * [security-misc pull request #249](https://github.com/Kicksecure/security-misc/pull/249) * [security-misc issue #267](https://github.com/Kicksecure/security-misc/issues/267) From 0cfcdf4f89dc75f2a8e3f8a9e8c69dc3ba3da78a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 16 Oct 2024 10:57:20 +0000 Subject: [PATCH 636/846] bumped changelog version --- changelog.upstream | 40 ++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 46 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 6209403..0d74dbf 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,43 @@ +commit 0adb9b7c0609a51d503b61ab40ae7d8e55635043 +Merge: 263335f e50ad80 +Author: Patrick Schleizer +Date: Wed Oct 16 06:31:09 2024 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit e50ad807c01b5753c67d579126d7b79d38070c0a +Merge: 263335f eb72163 +Author: Patrick Schleizer +Date: Wed Oct 16 06:29:25 2024 -0400 + + Merge pull request #276 from raja-grewal/KSPP_header + + Clarify KSPP compliance header + +commit eb72163d5707c7673db1f12405d2e04261bd43c8 +Author: raja-grewal +Date: Mon Oct 14 03:01:15 2024 +0000 + + README.md: Make line lengths consistent + +commit a9f238fe048acfeff49f96c00570acc6ca4c37e8 +Author: raja-grewal +Date: Mon Oct 14 02:57:31 2024 +0000 + + README.md: Split optional setting to new line + +commit 09fe46adc956e8c6de232f1093c37cdd30933acd +Author: raja-grewal +Date: Mon Oct 14 02:54:30 2024 +0000 + + Clarify KSPP compliance header for the undocumented case + +commit 263335f74ea0f050f9c259e20141c3345e7fa789 +Author: Patrick Schleizer +Date: Tue Oct 8 11:24:56 2024 +0000 + + bumped changelog version + commit 9169611645d0cd5a308ff48862f351ef5ea5f7e8 Merge: 8a2d432 8227a3d Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index c607a93..6931cd6 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:40.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 16 Oct 2024 10:57:20 +0000 + security-misc (3:40.0-1) unstable; urgency=medium * New upstream version (local package). From b6433309fd7d6839cfba89e1197590e1ff62ef58 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 18 Oct 2024 12:45:02 -0400 Subject: [PATCH 637/846] use end-of-options --- .../security-misc/pam-abort-on-locked-password | 4 ++-- usr/libexec/security-misc/pam-info | 14 +++++++------- 2 files changed, 9 insertions(+), 9 deletions(-) 
diff --git a/usr/libexec/security-misc/pam-abort-on-locked-password b/usr/libexec/security-misc/pam-abort-on-locked-password index bb1a3ee..4e02f3c 100755 --- a/usr/libexec/security-misc/pam-abort-on-locked-password +++ b/usr/libexec/security-misc/pam-abort-on-locked-password @@ -7,7 +7,7 @@ ## counter. This is not a security feature. ## https://forums.whonix.org/t/restrict-root-access/7658/1 -passwd_bin="$(type -P "passwd")" +passwd_bin="$(type -P -- "passwd")" if ! test -x "$passwd_bin" ; then echo "\ @@ -17,7 +17,7 @@ See https://www.whonix.org/wiki/SUID_Disabler_and_Permission_Hardener#passwd" >& exit 2 fi -if ! passwd_output="$("$passwd_bin" -S "$PAM_USER" 2>/dev/null)" ; then +if ! passwd_output="$("$passwd_bin" -S -- "$PAM_USER" 2>/dev/null)" ; then echo "$0: ERROR: user \"$PAM_USER\" does not exist." >&2 exit 3 fi diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index aa730de..6f2172c 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info 
@@ -32,22 +32,22 @@ if [ "$PAM_USER" = "" ]; then exit 0 fi -grep_result="$(grep "accessfile=/etc/security/access-security-misc.conf" /etc/pam.d/common-account 2>/dev/null)" +grep_result="$(grep -- "accessfile=/etc/security/access-security-misc.conf" /etc/pam.d/common-account 2>/dev/null)" ## Check if grep matched something. if [ ! "$grep_result" = "" ]; then ## Yes, grep matched. ## Check if not out commented. - if ! echo "$grep_result" | grep -q "#" ; then + if ! echo "$grep_result" | grep --quiet -- "#" ; then ## Not out commented indeed. ## https://forums.whonix.org/t/etc-security-hardening-console-lockdown/8592 - if id --name --groups --zero "$PAM_USER" | grep --quiet --null-data --line-regexp --fixed-strings "console"; then + if id --name --groups --zero -- "$PAM_USER" | grep --quiet --null-data --line-regexp --fixed-strings -- "console"; then console_allowed=true fi - if id --name --groups --zero "$PAM_USER" | grep --quiet --null-data --line-regexp --fixed-strings "console-unrestricted"; then + if id --name --groups --zero -- "$PAM_USER" | grep --quiet --null-data --line-regexp --fixed-strings -- "console-unrestricted"; then console_allowed=true fi @@ -102,7 +102,7 @@ fi ## ## Checking exit code to avoid breaking when read-only disk boot but ## without ro-mode-init or grub-live being used. -if ! pam_faillock_output="$(faillock --user "$PAM_USER")" ; then +if ! pam_faillock_output="$(faillock --user -- "$PAM_USER")" ; then true "$0: faillock non-zero exit code." exit 0 fi @@ -159,7 +159,7 @@ fi deny=3 if test -f /etc/security/faillock.conf ; then - deny_line=$(grep --invert-match "#" /etc/security/faillock.conf | grep "deny =") + deny_line=$(grep --invert-match "#" -- /etc/security/faillock.conf | grep -- "deny =") deny="$(echo "$deny_line" | LANG=C str_replace "=" "" | LANG=C str_replace "deny" "" | LANG=C str_replace " " "")" ## Example: #deny=50 
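Review bot: `faillock --user -- "$PAM_USER"` in the `@@ -102,7` hunk passes an end-of-options marker that faillock does not accept; a later commit on this page removes it again with the comment `## end-of-options ("--") unsupported by faillock.`, and the user-facing recovery command `faillock --reset --user -- $PAM_USER` in the `@@ -181,7` hunk has the same problem, so the instruction shown to a locked-out user would fail in the same way. In the `@@ -159,7` hunk, `grep --invert-match "#" -- /etc/security/faillock.conf` places `--` after the pattern, unlike every other grep call in this commit; `grep --invert-match -- "#" /etc/security/faillock.conf` is the consistent form and is the one that actually protects a pattern beginning with a dash. The `if ! pam_faillock_output=` check sits in the middle of a script whose surrounding lines are outside the hunk.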
@@ -181,7 +181,7 @@ $0: ERROR: Login blocked after $failed_login_counter attempts. To unlock, run the following command as superuser: (If you still have a sudo/root shell somewhere.) -faillock --reset --user $PAM_USER +faillock --reset --user -- $PAM_USER However, most likely unlock procedure is required. First boot into recovery mode at grub boot menu and then run above command. From 690e8dd826d1cb39c0c12c03792781862cc2dd23 Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Sat, 19 Oct 2024 23:49:07 -0500 Subject: [PATCH 638/846] Avoid faillock lock/tally reset on reboot or timeout --- debian/security-misc.postinst | 3 +++ etc/security/faillock.conf.security-misc | 11 +++++++--- usr/libexec/security-misc/pam-info | 5 ++++- ...ty-misc => faillock-preauth-security-misc} | 7 ++----- usr/share/pam-configs/faillock2-security-misc | 8 -------- .../pam-configs/unix-faillock-security-misc | 20 +++++++++++++++++++ 6 files changed, 37 insertions(+), 17 deletions(-) rename usr/share/pam-configs/{faillock-security-misc => faillock-preauth-security-misc} (60%) delete mode 100644 usr/share/pam-configs/faillock2-security-misc create mode 100644 usr/share/pam-configs/unix-faillock-security-misc diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst index e232778..41aa3dc 100644 --- a/debian/security-misc.postinst +++ b/debian/security-misc.postinst @@ -52,6 +52,9 @@ case "$1" in ## /usr/share/glib-2.0/schemas/30_security-misc.gschema.override glib-compile-schemas /usr/share/glib-2.0/schemas || true + + ## state dir for faillock + mkdir -p /var/lib/security-misc/faillock ;; abort-upgrade|abort-remove|abort-deconfigure) diff --git a/etc/security/faillock.conf.security-misc b/etc/security/faillock.conf.security-misc index d52c196..3442279 100644 --- a/etc/security/faillock.conf.security-misc +++ b/etc/security/faillock.conf.security-misc 
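Review bot: `mkdir -p /var/lib/security-misc/faillock` creates the new persistent tally directory with whatever mode the maintainer-script umask yields and sets no ownership, so the permissions of a directory that now holds per-user failed-login records depend on the install environment; `mkdir -p --mode=0755 -- /var/lib/security-misc/faillock` (or an explicit chown/chmod pair, using the stock /run/faillock directory on the target system as the reference) pins it. Because the directory is deliberately persistent, it also needs a counterpart on purge; postrm is not in this diff, so it is unclear whether the tally files are removed when the package is purged. A comment such as `## persistent faillock tally dir; contents must survive reboots (see faillock.conf dir=)` would make the intent clear to the next maintainer.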
@@ -6,7 +6,7 @@ # # The directory where the user files with the failure records are kept. # The default is /var/run/faillock. -# dir = /var/run/faillock +dir = /var/lib/security-misc/faillock # # Will log the user name into the system log if the user is not found. # Enabled if option is present. @@ -38,14 +38,19 @@ deny = 50 # authentication failures must happen for the user account # lock out is n seconds. # The default is 900 (15 minutes). -# fail_interval = 900 +# security-misc note: the interval should be set to infinity if possible, +# however pam_faillock arbitrarily limits this variable to a maximum of 604800 +# seconds (7 days). See +# https://github.com/linux-pam/linux-pam/blob/539816e4a0a277dbb632412be91e482fff9d9d09/modules/pam_faillock/faillock_config.h#L59 +# for details. Therefore we set this to the maximum allowable value of 7 days. +fail_interval = 604800 # # The access will be re-enabled after n seconds after the lock out. # The value 0 has the same meaning as value `never` - the access # will not be re-enabled without resetting the faillock # entries by the `faillock` command. # The default is 600 (10 minutes). -# unlock_time = 600 +unlock_time = never # # Root account can become locked as well as regular accounts. # Enabled if option is present. diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index 6f2172c..50dd9d7 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -21,6 +21,9 @@ true "$0: START PHASE 2" set -o pipefail +## Named constants. +pam_faillock_state_dir="/var/lib/security-misc/faillock" + ## Debugging. who_ami="$(whoami)" true "$0: who_ami: $who_ami" 
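Review bot: `unlock_time = never` together with the persistent `dir` makes every lockout permanent across reboots, which turns the existing `deny = 50` threshold into a standing denial-of-service exposure: any service that can feed failed authentications for a user name into this PAM stack can lock that account until an administrator runs `faillock --reset`, so the hunk should state the recovery procedure and whether root is included (the even_deny_root option described just below the hunk). The comment above `fail_interval = 604800` says the interval should be infinity, but with the 7-day cap failures spaced more than 7 days apart never accumulate toward `deny`; saying that explicitly keeps the persistence guarantee from being overstated. Both points apply to the `@@ -38,14` hunk on this line; the `dir =` hunk above it would benefit from a note that the directory is created by the package's postinst.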
@@ -102,7 +105,7 @@ fi ## ## Checking exit code to avoid breaking when read-only disk boot but ## without ro-mode-init or grub-live being used. -if ! pam_faillock_output="$(faillock --user -- "$PAM_USER")" ; then +if ! pam_faillock_output="$(faillock --dir "$pam_faillock_state_dir" --user "$PAM_USER")" ; then true "$0: faillock non-zero exit code." exit 0 fi diff --git a/usr/share/pam-configs/faillock-security-misc b/usr/share/pam-configs/faillock-preauth-security-misc similarity index 60% rename from usr/share/pam-configs/faillock-security-misc rename to usr/share/pam-configs/faillock-preauth-security-misc index d337690..f72826c 100644 --- a/usr/share/pam-configs/faillock-security-misc +++ b/usr/share/pam-configs/faillock-preauth-security-misc @@ -1,11 +1,8 @@ -Name: lock accounts after 50 failed authentication attempts (part 1) (by package security-misc) +Name: lock accounts after 50 failed authentication attempts (preauth component) (by package security-misc) Default: yes -Priority: 290 +Priority: 1024 Auth-Type: Primary Auth: optional pam_exec.so debug stdout seteuid /usr/libexec/security-misc/pam-info [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_faillock_not_if_x required pam_faillock.so preauth -Account-Type: Primary -Account: - requisite pam_faillock.so diff --git a/usr/share/pam-configs/faillock2-security-misc b/usr/share/pam-configs/faillock2-security-misc deleted file mode 100644 index 7bc5fb7..0000000 --- a/usr/share/pam-configs/faillock2-security-misc +++ /dev/null @@ -1,8 +0,0 @@ -Name: lock accounts after 50 failed authentication attempts (part 2) (by package security-misc) -Default: yes -Priority: 245 -Auth-Type: Primary -Auth: - [success=2 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_faillock_not_if_x - [default=die] pam_faillock.so authfail - sufficient pam_faillock.so authsucc 
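Review bot: Dropping the `Account: requisite pam_faillock.so` stanza from the preauth profile leaves the lock enforced only in the auth phase (`pam_faillock.so preauth`), so a service that runs the account stack without the auth stack — presumably OpenSSH with public-key authentication, which does not call pam_authenticate — would still admit a user whose password tally is locked. If that is intended, the commit message should say so; otherwise keep an `Account-Type: Primary` / `Account: requisite pam_faillock.so` pair in faillock-preauth-security-misc. Raising `Priority` to 1024 only orders this profile ahead of the others and does not by itself disable the stock `unix` profile.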
diff --git a/usr/share/pam-configs/unix-faillock-security-misc b/usr/share/pam-configs/unix-faillock-security-misc
new file mode 100644
index 0000000..876ffa8
--- /dev/null
+++ b/usr/share/pam-configs/unix-faillock-security-misc
@@ -0,0 +1,20 @@
+Name: Unix authentication with faillock (by package security-misc)
+Default: yes
+Priority: 384
+Auth-Type: Primary
+Auth:
+ [success=3 default=ignore] pam_unix.so nullok try_first_pass
+ [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_faillock_not_if_x
+ [default=die] pam_faillock.so authfail
+ requisite pam_deny.so
+ [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_faillock_not_if_x
+ optional pam_faillock.so authsucc
+ required pam_permit.so
+Auth-Initial:
+ [success=3 default=ignore] pam_unix.so nullok
+ [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_faillock_not_if_x
+ [default=die] pam_faillock.so authfail
+ requisite pam_deny.so
+ [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_faillock_not_if_x
+ optional pam_faillock.so authsucc
+ required pam_permit.so
From 5991a23049491dd04c19d9ea80f7d7381dd494a0 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Mon, 21 Oct 2024 05:47:25 -0400
Subject: [PATCH 639/846] comment
---
 usr/libexec/security-misc/pam-info | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info
index 50dd9d7..930679a 100755
--- a/usr/libexec/security-misc/pam-info
+++ b/usr/libexec/security-misc/pam-info
@@ -105,6 +105,8 @@ fi
 ##
 ## Checking exit code to avoid breaking when read-only disk boot but
 ## without ro-mode-init or grub-live being used.
+##
+## end-of-options ("--") unsupported by faillock.
 if ! pam_faillock_output="$(faillock --dir "$pam_faillock_state_dir" --user "$PAM_USER")" ; then
 true "$0: faillock non-zero exit code."
 exit 0
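Review bot: The profile re-implements Debian's stock `unix` profile (`pam_unix.so nullok try_first_pass`) at Priority 384 but has no `Conflicts: unix` line, so unless that profile is disabled elsewhere pam-auth-update keeps both Primary blocks and pam_unix runs twice per login: the `success=3` jump lands on this profile's second pam_faillock_not_if_x line, `required pam_permit.so` does not end the stack, and the stock block follows. Add `Conflicts: unix` after `Default: yes` if this replaces the stock profile; if both are meant to coexist, document the hand-counted `success=3`/`success=1` jumps in the README, since as far as I can tell pam-auth-update rewrites only `success=end`. `nullok` carries over the stock acceptance of empty passwords, which deserves a line in the README for a hardening package (or dropping the option if empty passwords are not wanted).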
From 566cda5e4bc69f54d63d72f1e30703074fdf0ce8 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 21 Oct 2024 05:47:38 -0400 Subject: [PATCH 640/846] output --- usr/libexec/security-misc/pam-info | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index 930679a..32fdeaf 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -186,7 +186,7 @@ $0: ERROR: Login blocked after $failed_login_counter attempts. To unlock, run the following command as superuser: (If you still have a sudo/root shell somewhere.) -faillock --reset --user -- $PAM_USER +faillock --reset --user $PAM_USER However, most likely unlock procedure is required. First boot into recovery mode at grub boot menu and then run above command. From b44e507900defe3db68f31f3e110b1c3e5aa684c Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 23 Oct 2024 09:56:05 +0000 Subject: [PATCH 641/846] bumped changelog version --- changelog.upstream | 37 +++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 43 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 0d74dbf..733892c 100644 --- a/changelog.upstream +++ b/changelog.upstream 
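Review bot: The unlock command shown to the locked-out user, `faillock --reset --user $PAM_USER`, omits the tally directory although pam-info itself queries faillock with `--dir "$pam_faillock_state_dir"` earlier in the file (outside this hunk); on a libpam whose `faillock` tool does not read `dir` from faillock.conf, following the instruction resets the default /var/run/faillock and leaves the account locked. Print `faillock --dir $pam_faillock_state_dir --reset --user $PAM_USER` instead, which is correct on either version, assuming the heredoc is unquoted as the `$failed_login_counter` expansion above suggests. The message block this line sits in starts and ends outside the hunk.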
@@ -1,3 +1,40 @@ +commit 566cda5e4bc69f54d63d72f1e30703074fdf0ce8 +Author: Patrick Schleizer +Date: Mon Oct 21 05:47:38 2024 -0400 + + output + +commit 5991a23049491dd04c19d9ea80f7d7381dd494a0 +Author: Patrick Schleizer +Date: Mon Oct 21 05:47:25 2024 -0400 + + comment + +commit fd34baff8ff17ed572469d9d6d884e6c0d881d20 +Merge: b643330 690e8dd +Author: Patrick Schleizer +Date: Mon Oct 21 05:43:53 2024 -0400 + + Merge remote-tracking branch 'ArrayBolt3/master' + +commit 690e8dd826d1cb39c0c12c03792781862cc2dd23 +Author: Aaron Rainbolt +Date: Sat Oct 19 23:49:07 2024 -0500 + + Avoid faillock lock/tally reset on reboot or timeout + +commit b6433309fd7d6839cfba89e1197590e1ff62ef58 +Author: Patrick Schleizer +Date: Fri Oct 18 12:45:02 2024 -0400 + + use end-of-options + +commit 0cfcdf4f89dc75f2a8e3f8a9e8c69dc3ba3da78a +Author: Patrick Schleizer +Date: Wed Oct 16 10:57:20 2024 +0000 + + bumped changelog version + commit 0adb9b7c0609a51d503b61ab40ae7d8e55635043 Merge: 263335f e50ad80 Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index 6931cd6..6750d26 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:40.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 23 Oct 2024 09:56:05 +0000 + security-misc (3:40.1-1) unstable; urgency=medium * New upstream version (local package). From 6c2e808b9f34900840bd2857fed10d1ffd4cc4c2 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 28 Oct 2024 05:03:20 -0400 Subject: [PATCH 642/846] refactoring --- usr/libexec/security-misc/hide-hardware-info | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info index f6a963b..c61f41b 100755 --- a/usr/libexec/security-misc/hide-hardware-info +++ b/usr/libexec/security-misc/hide-hardware-info 
@@ -28,8 +28,7 @@ selinux=0 shopt -s nullglob ## Allows for disabling the whitelist. -for i in /etc/hide-hardware-info.d/*.conf -do +for i in /etc/hide-hardware-info.d/*.conf ; do bash -n "${i}" source "${i}" done @@ -63,8 +62,7 @@ create_whitelist() { ## and /proc/scsi to the root user only. This hides ## many hardware identifiers from ordinary users ## and increases security. -for i in /proc/cpuinfo /proc/bus /proc/scsi /sys -do +for i in /proc/cpuinfo /proc/bus /proc/scsi /sys ; do if [ -e "${i}" ]; then if [ "${i}" = "/sys" ]; then if [ "${sysfs}" = "1" ]; then @@ -99,8 +97,7 @@ done if [ "${sysfs}" = "1" ]; then ## restrict permissions on everything but ## what is needed - for i in /sys/* /sys/fs/* - do + for i in /sys/* /sys/fs/* ; do ## Using '|| true': ## https://github.com/Kicksecure/security-misc/pull/108 if [ "${sysfs_whitelist}" = "1" ]; then From d00235897d686895a7e2e7da7435832fee008164 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 28 Oct 2024 05:03:59 -0400 Subject: [PATCH 643/846] hide-hardware-info: also parse `/usr/local/etc/hide-hardware-info.d/*.conf` --- usr/libexec/security-misc/hide-hardware-info | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info index c61f41b..40e31c2 100755 --- a/usr/libexec/security-misc/hide-hardware-info +++ b/usr/libexec/security-misc/hide-hardware-info @@ -28,7 +28,7 @@ selinux=0 shopt -s nullglob ## Allows for disabling the whitelist. -for i in /etc/hide-hardware-info.d/*.conf ; do +for i in /usr/local/etc/hide-hardware-info.d/*.conf /etc/hide-hardware-info.d/*.conf ; do bash -n "${i}" source "${i}" done From fdd1f4b7f88efc22bb57c2ad3e83c0c2e8cbb064 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 28 Oct 2024 05:06:05 -0400 Subject: [PATCH 644/846] refactoring --- usr/libexec/security-misc/hide-hardware-info | 27 ++++++++++++-------- 1 file changed, 17 insertions(+), 10 deletions(-) 
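Review bot: `source "${i}"` executes every matching file as root, and the new `/usr/local/etc/hide-hardware-info.d/*.conf` path is on a tree that Debian has traditionally left group-writable for `staff` (/usr/local subdirectories are root:staff 2775), so anyone in that group could plant a snippet that runs with root privileges whenever this script runs. `bash -n` only checks syntax; an ownership and mode check before sourcing, as below, rejects files that are not root-owned or are group/world-writable and logs the skip. The same loop is moved into `parse_configuration` by later hunks in this file (commit fdd1f4b's @@ -17 hunk and commit 0d50615's `local i` hunk), which need the same guard.
```bash
for i in /usr/local/etc/hide-hardware-info.d/*.conf /etc/hide-hardware-info.d/*.conf ; do
  ## 'source' runs the file as root: accept only root-owned files that are
  ## not group- or world-writable (on Debian, /usr/local is staff-writable).
  if [ -n "$(find "${i}" -maxdepth 0 ! -user root -o -perm /022)" ]; then
    echo "$0: WARNING: skipping '${i}': not root-owned or group/world-writable." >&2
    continue
  fi
  bash -n "${i}"
  source "${i}"
done
```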
diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info index 40e31c2..9eaae72 100755 --- a/usr/libexec/security-misc/hide-hardware-info +++ b/usr/libexec/security-misc/hide-hardware-info @@ -17,21 +17,25 @@ run_cmd_whitelist() { echo "$0: INFO: START" -sysfs_whitelist=1 -cpuinfo_whitelist=1 +default_variables_set() { + sysfs_whitelist=1 + cpuinfo_whitelist=1 -sysfs=1 + sysfs=1 -## https://www.kicksecure.com/wiki/Security-misc#selinux -selinux=0 + ## https://www.kicksecure.com/wiki/Security-misc#selinux + selinux=0 +} shopt -s nullglob -## Allows for disabling the whitelist. -for i in /usr/local/etc/hide-hardware-info.d/*.conf /etc/hide-hardware-info.d/*.conf ; do - bash -n "${i}" - source "${i}" -done +parse_configuration() { + ## Allows for disabling the whitelist. + for i in /usr/local/etc/hide-hardware-info.d/*.conf /etc/hide-hardware-info.d/*.conf ; do + bash -n "${i}" + source "${i}" + done +} create_whitelist() { if [ "${1}" = "sysfs" ]; then @@ -55,6 +59,9 @@ create_whitelist() { fi } +default_variables_set +parse_configuration + ## sysfs and debugfs expose a lot of information ## that should not be accessible by an unprivileged ## user which includes hardware info, debug info and From ef0eb5f7a0c5a62c5d26bf6dc534f6aa3decc4b0 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 28 Oct 2024 05:06:26 -0400 Subject: [PATCH 645/846] refactoring --- usr/libexec/security-misc/hide-hardware-info | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info index 9eaae72..2929d83 100755 --- a/usr/libexec/security-misc/hide-hardware-info +++ b/usr/libexec/security-misc/hide-hardware-info @@ -4,6 +4,7 @@ ## See the file COPYING for copying conditions. set -e +shopt -s nullglob run_cmd() { echo "INFO: normal executing : $@" 
@@ -27,8 +28,6 @@ default_variables_set() { selinux=0 } -shopt -s nullglob - parse_configuration() { ## Allows for disabling the whitelist. for i in /usr/local/etc/hide-hardware-info.d/*.conf /etc/hide-hardware-info.d/*.conf ; do From 0d506156587f87a303184f22259ffb57dd92cbc8 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 28 Oct 2024 05:07:00 -0400 Subject: [PATCH 646/846] local --- usr/libexec/security-misc/hide-hardware-info | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info index 2929d83..68ec73c 100755 --- a/usr/libexec/security-misc/hide-hardware-info +++ b/usr/libexec/security-misc/hide-hardware-info @@ -30,6 +30,7 @@ default_variables_set() { parse_configuration() { ## Allows for disabling the whitelist. + local i for i in /usr/local/etc/hide-hardware-info.d/*.conf /etc/hide-hardware-info.d/*.conf ; do bash -n "${i}" source "${i}" From cfe19e31d858d7899f4d95e21117c992d236d328 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 28 Oct 2024 05:09:53 -0400 Subject: [PATCH 647/846] shell options --- usr/libexec/security-misc/hide-hardware-info | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info index 68ec73c..df335bd 100755 --- a/usr/libexec/security-misc/hide-hardware-info +++ b/usr/libexec/security-misc/hide-hardware-info @@ -3,7 +3,10 @@ ## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -set -e +set -o errexit +set -o nounset +set -o errtrace +set -o pipefail shopt -s nullglob run_cmd() { From 71c58442ca6d57cd95b72a76ed87f8c248cdbd98 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 28 Oct 2024 05:10:19 -0400 Subject: [PATCH 648/846] minor --- usr/libexec/security-misc/hide-hardware-info | 2 -- 1 file changed, 2 deletions(-) 
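Review bot: `set -o errtrace` does nothing by itself: it only makes an ERR trap inherited by functions and subshells, and no `trap ... ERR` is visible in the hunk (the rest of the file is outside it), so either the trap it is meant for should be added or the line dropped so the option block states only what is in effect. `set -o nounset` now also governs the `source`d hide-hardware-info.d/*.conf drop-ins, so a snippet that references an unset variable aborts the whole script under errexit before any /proc or /sys permission is tightened — the hardening fails open on a config typo. A comment on the option block saying that drop-ins are evaluated under nounset, or a `set +u`/`set -u` pair around the `source` loop in `parse_configuration`, makes that failure mode an explicit choice.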
diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info index df335bd..ad532b5 100755 --- a/usr/libexec/security-misc/hide-hardware-info +++ b/usr/libexec/security-misc/hide-hardware-info @@ -24,9 +24,7 @@ echo "$0: INFO: START" default_variables_set() { sysfs_whitelist=1 cpuinfo_whitelist=1 - sysfs=1 - ## https://www.kicksecure.com/wiki/Security-misc#selinux selinux=0 } From 3af2684134279ba6f5b18b40986f02a50baa5604 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 30 Oct 2024 09:43:05 +0000 Subject: [PATCH 649/846] bumped changelog version --- changelog.upstream | 48 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 54 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 733892c..4516505 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,51 @@ +commit 71c58442ca6d57cd95b72a76ed87f8c248cdbd98 +Author: Patrick Schleizer +Date: Mon Oct 28 05:10:19 2024 -0400 + + minor + +commit cfe19e31d858d7899f4d95e21117c992d236d328 +Author: Patrick Schleizer +Date: Mon Oct 28 05:09:53 2024 -0400 + + shell options + +commit 0d506156587f87a303184f22259ffb57dd92cbc8 +Author: Patrick Schleizer +Date: Mon Oct 28 05:07:00 2024 -0400 + + local + +commit ef0eb5f7a0c5a62c5d26bf6dc534f6aa3decc4b0 +Author: Patrick Schleizer +Date: Mon Oct 28 05:06:26 2024 -0400 + + refactoring + +commit fdd1f4b7f88efc22bb57c2ad3e83c0c2e8cbb064 +Author: Patrick Schleizer +Date: Mon Oct 28 05:06:05 2024 -0400 + + refactoring + +commit d00235897d686895a7e2e7da7435832fee008164 +Author: Patrick Schleizer +Date: Mon Oct 28 05:03:59 2024 -0400 + + hide-hardware-info: also parse `/usr/local/etc/hide-hardware-info.d/*.conf` + +commit 6c2e808b9f34900840bd2857fed10d1ffd4cc4c2 +Author: Patrick Schleizer +Date: Mon Oct 28 05:03:20 2024 -0400 + + refactoring + +commit b44e507900defe3db68f31f3e110b1c3e5aa684c +Author: Patrick Schleizer +Date: Wed Oct 23 09:56:05 2024 +0000 + + bumped changelog version + commit 566cda5e4bc69f54d63d72f1e30703074fdf0ce8 Author: Patrick Schleizer Date: Mon Oct 21 05:47:38 2024 -0400 diff --git a/debian/changelog b/debian/changelog index 6750d26..ce0a844 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:40.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 30 Oct 2024 09:43:05 +0000 + security-misc (3:40.2-1) unstable; urgency=medium * New upstream version (local package). From a1d1f97955fd9fd3cee77dc04e2eb5e5fa29d243 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Fri, 8 Nov 2024 03:58:23 +0000 Subject: [PATCH 650/846] Provide option to drop gratuitous ARP packets --- README.md | 3 +++ usr/lib/sysctl.d/990-security-misc.conf | 11 +++++++++++ 2 files changed, 14 insertions(+) 
diff --git a/README.md b/README.md index c23d261..3404414 100644 --- a/README.md +++ b/README.md @@ -121,6 +121,9 @@ Networking: - Optional - Enable IPv6 Privacy Extensions. +- Optional - Drop gratuitous ARP packets to prevent ARP cache poisoning + via man-in-the-middle and denial-of-service attacks. + ### Boot parameters Mitigations for known CPU vulnerabilities are enabled in their strictest form diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 6009fc4..2bec703 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -526,3 +526,14 @@ net.ipv4.tcp_timestamps=0 ## The use of IPv6 Privacy Extensions is currently disabled due to these breakages. ## #net.ipv6.conf.*.use_tempaddr=2 + +## Drop gratuitous ARP (Address Resolution Protocol) packets. +## Stops ARP responses sent by a device without being explicitly requested. +## Prevents ARP cache poisoning by rejecting fake ARP entries into a network. +## Prevents man-in-the-middle and denial-of-service attacks. +## May cause breakages when ARP proxies are used in the network. +## +## https://patchwork.ozlabs.org/project/netdev/patch/1428652454-1224-3-git-send-email-johannes@sipsolutions.net/ +## https://www.practicalnetworking.net/series/arp/gratuitous-arp/ +## +#net.ipv4.conf.*.drop_gratuitous_arp=1 From 8107782fa54ec0e21893e6bd4a6baabb71eb864b Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Fri, 8 Nov 2024 15:36:04 +1100 Subject: [PATCH 651/846] Enable `ssbd=force-on` --- etc/default/grub.d/40_cpu_mitigations.cfg | 2 ++ 1 file changed, 2 insertions(+) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index e426673..1b900c0 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg 
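Review bot: The comment block overstates what `drop_gratuitous_arp` provides: the sysctl discards unsolicited ARP replies only, so an attacker who answers genuine ARP requests before the real host can still poison the cache, and `## Prevents man-in-the-middle and denial-of-service attacks.` reads as a guarantee. Soften it to `## Reduces exposure to ARP cache poisoning; does not stop spoofed replies to genuine requests.` so the README entry added in the same commit and the sysctl comment promise the same thing. Leaving the key commented out matches the README's "Optional" wording.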
@@ -47,10 +47,12 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_bhi=on" ## Disable Speculative Store Bypass (Spectre Variant 4). +## Unconditionally enable mitigation for both kernel and userspace. ## ## https://www.suse.com/support/kb/doc/?id=000019189 ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on" +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ssbd=force-on" ## Enable mitigations for the L1TF vulnerability through disabling SMT ## and L1D flush runtime control. From 5bd0a277bf39812c6adf40a7a3ef6390935fa08e Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 10 Nov 2024 06:29:17 -0500 Subject: [PATCH 652/846] fix permission-hardener issue "Removing capabilities failed. File: '/bin/ping'" no longer user end-of-options marker (`--`) for `setcap` since setcap does not support it Fixes https://github.com/QubesOS/qubes-issues/issues/9569 https://forums.whonix.org/t/permission-hardener-error/20719 --- usr/bin/permission-hardener | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index ad6f9b8..e5039c0 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -539,7 +539,12 @@ set_file_perms() { ## The value of the capability argument is not permitted for a file. Or ## the file is not a regular (non-symlink) file ## Therefore use echo_wrapper_ignore. - echo_wrapper_ignore verbose setcap -r -- "${fso}" + ## + ## NOTE: setcap does not support End-of-Options Marker ('--') yet. + ## setcap bug report: + ## setcap Command Does Not Support End-of-Options Marker ('--') + ## https://bugzilla.kernel.org/show_bug.cgi?id=219487 + echo_wrapper_ignore verbose setcap -r "${fso}" getcap_output="$(getcap -- "${fso}")" if test -n "${getcap_output}"; then exit_code=205 From 4c649577f053af12bcd02c20576bf2d8aec1476d Mon Sep 17 00:00:00 2001 
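Review bot: `ssbd=force-on` is, as far as I know, the arm64 kernel parameter for Speculative Store Bypass Disable and is not consumed by the x86 code, where the control is the `spec_store_bypass_disable=on` already on the preceding line; on x86 it is therefore an unknown parameter passed through to init and logged as such rather than extra hardening. The added line `## Unconditionally enable mitigation for both kernel and userspace.` describes the arm64 effect only; `## arm64 only: ssbd=force-on enables SSBD unconditionally for kernel and userspace (x86 uses spec_store_bypass_disable above).` avoids readers assuming an x86 gain.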
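Review bot: Dropping `--` from `setcap -r "${fso}"` reopens option parsing on the path, so a `${fso}` beginning with `-` would be read as a setcap option; the values come from the hardener's configuration parsed outside this hunk (`set_file_perms` starts before it), so whether they are always absolute is not visible here. A comment such as `## ${fso} is always an absolute path here; setcap has no '--' and would read a leading '-' as an option.` records the assumption, or a `case "${fso}" in -*) ... ;; esac` guard enforces it. `getcap -- "${fso}"` on the next line keeps the marker, so confirm that getcap accepts it where setcap does not.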
From: Patrick Schleizer Date: Sun, 10 Nov 2024 11:52:42 +0000 Subject: [PATCH 653/846] bumped changelog version --- changelog.upstream | 41 +++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 47 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 4516505..df7fcb6 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,44 @@ +commit 29b1f1ec5f3a4bf3991fc1b862751c8eb9769ecd +Merge: 5bd0a27 238f32e +Author: Patrick Schleizer +Date: Sun Nov 10 06:32:30 2024 -0500 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 5bd0a277bf39812c6adf40a7a3ef6390935fa08e +Author: Patrick Schleizer +Date: Sun Nov 10 06:29:17 2024 -0500 + + fix permission-hardener issue "Removing capabilities failed. File: '/bin/ping'" + + no longer user end-of-options marker (`--`) for `setcap` + since setcap does not support it + + Fixes https://github.com/QubesOS/qubes-issues/issues/9569 + + https://forums.whonix.org/t/permission-hardener-error/20719 + +commit 238f32e81d835e5b9d3bc43a0654d05efa4c4313 +Merge: 3af2684 8107782 +Author: Patrick Schleizer +Date: Fri Nov 8 07:39:40 2024 -0500 + + Merge pull request #280 from raja-grewal/ssbd + + Enable `ssbd=force-on` + +commit 8107782fa54ec0e21893e6bd4a6baabb71eb864b +Author: raja-grewal +Date: Fri Nov 8 15:36:04 2024 +1100 + + Enable `ssbd=force-on` + +commit 3af2684134279ba6f5b18b40986f02a50baa5604 +Author: Patrick Schleizer +Date: Wed Oct 30 09:43:05 2024 +0000 + + bumped changelog version + commit 71c58442ca6d57cd95b72a76ed87f8c248cdbd98 Author: Patrick Schleizer Date: Mon Oct 28 05:10:19 2024 -0400 diff --git a/debian/changelog b/debian/changelog index ce0a844..6fcb3e3 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:40.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 10 Nov 2024 11:52:42 +0000 + security-misc (3:40.3-1) unstable; urgency=medium * New upstream version (local package). From 29ae5f5980d521f6a4b468f5bf41210f78fdf10a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 11 Nov 2024 05:28:31 -0500 Subject: [PATCH 654/846] fix optional opt-in `harden-module-loading.service` by making `/usr/libexec/security-misc/disable-kernel-module-loading` executable Thanks to @ArrayBolt3 for the bug report! --- usr/libexec/security-misc/disable-kernel-module-loading | 0 1 file changed, 0 insertions(+), 0 deletions(-) mode change 100644 => 100755 usr/libexec/security-misc/disable-kernel-module-loading diff --git a/usr/libexec/security-misc/disable-kernel-module-loading b/usr/libexec/security-misc/disable-kernel-module-loading old mode 100644 new mode 100755 From 862d23cb10b7687084f8e7e207d1e2c9c1ef6751 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 11 Nov 2024 05:36:41 -0500 Subject: [PATCH 655/846] fix `panic-on-oops.service` remove `After=multi-user.target` because already using `WantedBy=multi-user.target` Thanks to @ArrayBolt3 for the bug report! --- usr/lib/systemd/system/panic-on-oops.service | 1 - 1 file changed, 1 deletion(-) diff --git a/usr/lib/systemd/system/panic-on-oops.service b/usr/lib/systemd/system/panic-on-oops.service index cf13053..425ab5c 100644 --- a/usr/lib/systemd/system/panic-on-oops.service +++ b/usr/lib/systemd/system/panic-on-oops.service @@ -7,7 +7,6 @@ Documentation=https://github.com/Kicksecure/security-misc ConditionKernelCommandLine=!panic-on-oops=0 -After=multi-user.target After=graphical.target After=getty.target From ef05b1a160b24d5aa42da9cc15009d94a37cf120 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Mon, 11 Nov 2024 05:40:41 -0500 Subject: [PATCH 656/846] disable legacy matroxfb_base framebuffer driver fix typo matroxfb_bases -> matroxfb_base Thanks to @ArrayBolt3 for the bug report! --- etc/modprobe.d/30_security-misc_disable.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf index 3df5a51..561441a 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf +++ b/etc/modprobe.d/30_security-misc_disable.conf @@ -262,7 +262,7 @@ install i810fb /usr/bin/disabled-framebuffer-by-security-misc install intelfb /usr/bin/disabled-framebuffer-by-security-misc install kyrofb /usr/bin/disabled-framebuffer-by-security-misc install lxfb /usr/bin/disabled-framebuffer-by-security-misc -install matroxfb_bases /usr/bin/disabled-framebuffer-by-security-misc +install matroxfb_base /usr/bin/disabled-framebuffer-by-security-misc install neofb /usr/bin/disabled-framebuffer-by-security-misc install nvidiafb /usr/bin/disabled-framebuffer-by-security-misc install pm2fb /usr/bin/disabled-framebuffer-by-security-misc From 7c06e22c7d11c345428f3ad42ba43805ebc8d810 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 11 Nov 2024 05:43:25 -0500 Subject: [PATCH 657/846] deleted `/usr/bin/pkexec.security-misc` This was not used anymore for anything. In the past, we used to `config-package-dev` `replace` `/usr/bin/pkexec` with `/usr/bin/pkexec.security-misc` for the purpose of: > Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with hidepid. * https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040 * https://forums.whonix.org/t/cannot-use-pkexec/8129 This was a worthwhile effort, interesting approach but ultimately a dead-end. --- usr/bin/pkexec.security-misc | 132 ----------------------------------- 1 file changed, 132 deletions(-) delete mode 100755 usr/bin/pkexec.security-misc 
diff --git a/usr/bin/pkexec.security-misc b/usr/bin/pkexec.security-misc
deleted file mode 100755
index 3739391..0000000
--- a/usr/bin/pkexec.security-misc
+++ /dev/null
@@ -1,132 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with -## hidepid. -## * https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040 -## * https://forums.whonix.org/t/cannot-use-pkexec/8129 - -set -e - -my_real_path="$(realpath "$0")" || true -identifier="$my_real_path wrapper" -exec > >(systemd-cat --identifier="$identifier output by program:") 2>&1 - -log_to_journal() { - echo "$@" | systemd-cat --identifier="$identifier output by wrapper:" || true -} - -log_to_journal "$0 $@" -log_to_journal "DISPLAY: '$DISPLAY'" -my_pstree="$(pstree -p $$)" || true -log_to_journal "my_pstree: '$my_pstree'" - -## If hidepid is not in use, just use pkexec normally. -if ! mount | grep "/proc" | grep "hidepid=2" &>/dev/null ; then - pkexec.security-misc-orig "$@" - exit $? -fi - -switch_user=false - -original_args="$@" - -## Thanks to: -## https://mywiki.wooledge.org/BashFAQ/035 - -while : -do - case $1 in - ## Should show 'pkexec --version' or fail? - --version) - shift - pkexec.security-misc-orig "$original_args" - exit $? - ;; - ## Should show 'pkexec --help' or fail? - --help) - shift - pkexec.security-misc-orig "$original_args" - exit $? - ;; - ## Drop --disable-internal-agent as not needed and breaking both, - ## lxqt-sudo and sudo. - --disable-internal-agent) - shift - ;; - --user) - ## lxqt-sudo does not support "--user". - ## We should not make this wrapper run something as root which - ## is supposed to run under a different user. Try using - ## "sudo -A --user user --set-home" instead. 
- user_pkexec_wrapper="$2" - if [ "$user_pkexec_wrapper" = "" ]; then - shift - else - shift 2 - fi - switch_user=true - maybe_switch_to_user="--user $user_pkexec_wrapper" - ;; - --) - shift - break - ;; - *) - break - ;; - esac -done - -## If there are input files (for example) that follow the options, they -## will remain in the "$@" positional parameters. - -if [ "$PKEXEC_UID" = "" ]; then - if [ ! "$user_pkexec_wrapper" = "" ]; then - PKEXEC_UID="$user_pkexec_wrapper" - elif [ ! "$SUDO_USER" = "" ]; then - PKEXEC_UID="$SUDO_USER" - else - PKEXEC_UID="$(whoami)" - fi -fi -export PKEXEC_UID - -if [[ "$@" = "" ]]; then - ## Call original pkexec in case there are no arguments. - pkexec.security-misc-orig $original_args - exit $? -fi - -exit_code=0 - -## lxqt-sudo does not check /etc/sudoers / /etc/sudoers.d exceptions. -## Therefore use 'sudo -l' to see if there is any already existing sudoers exception. -## Did not work. 'sudo -l' will always exit with exit code '0'. -# if sudo -l --non-interactive $maybe_switch_to_user --set-home PKEXEC_UID="$PKEXEC_UID" "$@" ; then -# log_to_journal "sudoers exception: yes" -# sudo --non-interactive $maybe_switch_to_user --set-home PKEXEC_UID="$PKEXEC_UID" "$@" || { exit_code=$? ; true; }; -# log_to_journal "sudo --user | exit_code: '$exit_code'" -# exit "$exit_code" -# fi -# -# log_to_journal "sudoers exception: no" - -if [ "$switch_user" = "true" ]; then - ## 'sudo --user user' clears environment variables such as PATH. - lxqt-sudo sudo $maybe_switch_to_user --set-home PKEXEC_UID="$PKEXEC_UID" "$@" || { exit_code=$? ; true; }; -else - ## set PATH same as root - ## This is required for gdebi. - ## REVIEW: is it ok that users can find out the PATH setting of root? - ## lxqt-sudo does not clear environment variable PATH. - PATH="$(sudo --non-interactive /usr/libexec/security-misc/echo-path)" - export PATH - lxqt-sudo "$@" || { exit_code=$? ; true; }; -fi - -log_to_journal "exit_code: '$exit_code'" - -exit "$exit_code" 
From 50161f5d79eea2ab796863e4eb30eccc17e0b41d Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 11 Nov 2024 05:48:11 -0500 Subject: [PATCH 658/846] moved /etc/dkms/framework.conf.d/30_security-misc.conf (renamed) to usability-misc --- debian/security-misc.maintscript | 3 +++ .../framework.conf.d/30_security-misc.conf | 20 ------------------- 2 files changed, 3 insertions(+), 20 deletions(-) delete mode 100644 etc/dkms/framework.conf.d/30_security-misc.conf diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript index b875fd4..f6d6a83 100644 --- a/debian/security-misc.maintscript +++ b/debian/security-misc.maintscript @@ -81,3 +81,6 @@ rm_conffile /etc/default/grub.d/40_only_allow_signed_modules.cfg ## renamed to /etc/default/grub.d/41_quiet_boot.cfg rm_conffile /etc/default/grub.d/41_quiet.cfg + +## moved to usability-misc +rm_conffile /etc/dkms/framework.conf.d/30_security-misc.conf diff --git a/etc/dkms/framework.conf.d/30_security-misc.conf b/etc/dkms/framework.conf.d/30_security-misc.conf deleted file mode 100644 index abf9a78..0000000 --- a/etc/dkms/framework.conf.d/30_security-misc.conf +++ /dev/null 
@@ -1,20 +0,0 @@ -## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## Lower parallel compilation jobs to 1 if less than 2 GB RAM to avoid freezing of virtual machines. -## This does not necessarily belong into security-misc. -## -## Example here: -## https://forums.whonix.org/t/linux-kernel-runtime-guard-lkrg-linux-kernel-runtime-integrity-checking-and-exploit-detection/8477/26 -## -## This might no longer be possible in the future. See: -## "Stop handling dkms.conf as a bash/shell script" -## https://github.com/dell/dkms/issues/414 -ENOUGH_RAM="1950" -total_ram="$(free -m | sed -n -e '/^Mem:/s/^[^0-9]*\([0-9]*\) .*/\1/p')" -if [ "$total_ram" -ge "$ENOUGH_RAM" ]; then - true "INFO: Enough RAM available. Not lowering compilation cores." -else - true "INFO: Not enough RAM available. Lowering compilation cores to 1." - parallel_jobs=1 -fi From 65fc0419a84d62e07c61d7e37ef27d144b6b6794 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 11 Nov 2024 11:07:57 +0000 Subject: [PATCH 659/846] bumped changelog version --- changelog.upstream | 57 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 +++++ 2 files changed, 63 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index df7fcb6..40e9b99 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,60 @@ +commit 50161f5d79eea2ab796863e4eb30eccc17e0b41d +Author: Patrick Schleizer +Date: Mon Nov 11 05:48:11 2024 -0500 + + moved /etc/dkms/framework.conf.d/30_security-misc.conf (renamed) to usability-misc + +commit 7c06e22c7d11c345428f3ad42ba43805ebc8d810 +Author: Patrick Schleizer +Date: Mon Nov 11 05:43:25 2024 -0500 + + deleted `/usr/bin/pkexec.security-misc` + + This was not used anymore for anything. In the past, we used to `config-package-dev` `replace` `/usr/bin/pkexec` with `/usr/bin/pkexec.security-misc` for the purpose of: + + > Redirect calls for pkexec to lxqt-sudo because pkexec is incompatible with hidepid. + + * https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040 + * https://forums.whonix.org/t/cannot-use-pkexec/8129 + + This was a worthwhile effort, interesting approach but ultimately a dead-end. + +commit ef05b1a160b24d5aa42da9cc15009d94a37cf120 +Author: Patrick Schleizer +Date: Mon Nov 11 05:40:41 2024 -0500 + + disable legacy matroxfb_base framebuffer driver + + fix typo matroxfb_bases -> matroxfb_base + + Thanks to @ArrayBolt3 for the bug report! + +commit 862d23cb10b7687084f8e7e207d1e2c9c1ef6751 +Author: Patrick Schleizer +Date: Mon Nov 11 05:36:41 2024 -0500 + + fix `panic-on-oops.service` + + remove `After=multi-user.target` because already using `WantedBy=multi-user.target` + + Thanks to @ArrayBolt3 for the bug report! + +commit 29ae5f5980d521f6a4b468f5bf41210f78fdf10a +Author: Patrick Schleizer +Date: Mon Nov 11 05:28:31 2024 -0500 + + fix optional opt-in `harden-module-loading.service` + + by making `/usr/libexec/security-misc/disable-kernel-module-loading` executable + + Thanks to @ArrayBolt3 for the bug report! + +commit 4c649577f053af12bcd02c20576bf2d8aec1476d +Author: Patrick Schleizer +Date: Sun Nov 10 11:52:42 2024 +0000 + + bumped changelog version + commit 29b1f1ec5f3a4bf3991fc1b862751c8eb9769ecd Merge: 5bd0a27 238f32e Author: Patrick Schleizer 
diff --git a/debian/changelog b/debian/changelog index 6fcb3e3..9ce2b90 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:40.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 11 Nov 2024 11:07:57 +0000 + security-misc (3:40.4-1) unstable; urgency=medium * New upstream version (local package). From 8c2e8e69798e5255529ab3dbee6ca07b8b293100 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 12 Nov 2024 01:41:12 -0500 Subject: [PATCH 660/846] deleted no longer used and out-commented `etc/sudoers.d/pkexec-security-misc` leftover --- etc/sudoers.d/pkexec-security-misc | 11 ----------- 1 file changed, 11 deletions(-) delete mode 100644 etc/sudoers.d/pkexec-security-misc diff --git a/etc/sudoers.d/pkexec-security-misc b/etc/sudoers.d/pkexec-security-misc deleted file mode 100644 index bd78bde..0000000 --- a/etc/sudoers.d/pkexec-security-misc +++ /dev/null @@ -1,11 +0,0 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## REVIEW: is it ok that users can find out the PATH setting of root? -#%sudo ALL=NOPASSWD: /usr/libexec/security-misc/echo-path - -## xfpm-power-backlight-helper demands environment variable PKEXEC_UID to be -## set. Would otherwise error out with the following error message: -## "This program must only be run through pkexec" -## REVIEW: Can bad things be done by spoofing PKEXEC_UID? -#Defaults:ALL env_keep += "PKEXEC_UID" From 7987a3914d364e674eb7479b15708c450041af02 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 12 Nov 2024 02:29:42 -0500 Subject: [PATCH 661/846] deleted no longer used and out-commented `/etc/sudoers.d/xfce-security-misc` leftover --- etc/sudoers.d/xfce-security-misc | 19 ------------------- 1 file changed, 19 deletions(-) delete mode 100644 etc/sudoers.d/xfce-security-misc 
diff --git a/etc/sudoers.d/xfce-security-misc b/etc/sudoers.d/xfce-security-misc deleted file mode 100644 index 3d26d7b..0000000 --- a/etc/sudoers.d/xfce-security-misc +++ /dev/null @@ -1,19 +0,0 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## https://forums.whonix.org/t/xfce4-power-manager-xfpm-power-backlight-helper-pkexec-lxsudo-popup/8764 -## /usr/share/polkit-1/actions/org.xfce.power.policy - -## Feel free to out comment this if you are not using xfce4-power-manager or Xfce. - -#%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness [[\:digit\:]] -#%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness [[\:digit\:]][[\:digit\:]] -#%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness [[\:digit\:]][[\:digit\:]][[\:digit\:]] - -#%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness-switch [[\:digit\:]] -#%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness-switch [[\:digit\:]][[\:digit\:]] -#%sudo ALL=NOPASSWD: /usr/sbin/xfpm-power-backlight-helper --set-brightness-switch [[\:digit\:]][[\:digit\:]][[\:digit\:]] - -## XXX: Should we allow this? -#%sudo ALL=NOPASSWD: /usr/sbin/xfce4-pm-helper --suspend -#%sudo ALL=NOPASSWD: /usr/sbin/xfce4-pm-helper --hibernate From 57e1edde23aa3f313ce087e00ebc14d158356d6c Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 12 Nov 2024 09:11:57 +0000 Subject: [PATCH 662/846] bumped changelog version --- changelog.upstream | 18 ++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 24 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 40e9b99..dad0b22 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,21 @@ +commit 7987a3914d364e674eb7479b15708c450041af02 +Author: Patrick Schleizer +Date: Tue Nov 12 02:29:42 2024 -0500 + + deleted no longer used and out-commented `/etc/sudoers.d/xfce-security-misc` leftover + +commit 8c2e8e69798e5255529ab3dbee6ca07b8b293100 +Author: Patrick Schleizer +Date: Tue Nov 12 01:41:12 2024 -0500 + + deleted no longer used and out-commented `etc/sudoers.d/pkexec-security-misc` leftover + +commit 65fc0419a84d62e07c61d7e37ef27d144b6b6794 +Author: Patrick Schleizer +Date: Mon Nov 11 11:07:57 2024 +0000 + + bumped changelog version + commit 50161f5d79eea2ab796863e4eb30eccc17e0b41d Author: Patrick Schleizer Date: Mon Nov 11 05:48:11 2024 -0500 diff --git a/debian/changelog b/debian/changelog index 9ce2b90..534a025 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:40.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 12 Nov 2024 09:11:57 +0000 + security-misc (3:40.5-1) unstable; urgency=medium * New upstream version (local package). From c2aae73ce161811571e4c85609a0b043399c1b65 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 13 Nov 2024 05:38:03 +0000 Subject: [PATCH 663/846] Add reference and move text --- README.md | 6 +++--- usr/lib/sysctl.d/990-security-misc.conf | 23 ++++++++++++----------- 2 files changed, 15 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index 3404414..e167a87 100644 --- a/README.md +++ b/README.md @@ -102,6 +102,9 @@ Networking: - Disable ICMP redirect acceptance and redirect sending messages to prevent man-in-the-middle attacks and minimize information disclosure. +- Optional - Drop gratuitous ARP packets to prevent ARP cache poisoning + via man-in-the-middle and denial-of-service attacks. + - Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks. - Ignore bogus ICMP error responses. 
@@ -121,9 +124,6 @@ Networking: - Optional - Enable IPv6 Privacy Extensions. -- Optional - Drop gratuitous ARP packets to prevent ARP cache poisoning - via man-in-the-middle and denial-of-service attacks. - ### Boot parameters Mitigations for known CPU vulnerabilities are enabled in their strictest form diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 2bec703..054dcbf 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -443,6 +443,18 @@ net.ipv4.conf.*.send_redirects=0 net.ipv6.conf.*.accept_redirects=0 #net.ipv4.conf.*.secure_redirects=1 +## Drop gratuitous ARP (Address Resolution Protocol) packets. +## Stops ARP responses sent by a device without being explicitly requested. +## Prevents ARP cache poisoning by rejecting fake ARP entries into a network. +## Prevents man-in-the-middle and denial-of-service attacks. +## May cause breakages when ARP proxies are used in the network. +## +## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf +## https://patchwork.ozlabs.org/project/netdev/patch/1428652454-1224-3-git-send-email-johannes@sipsolutions.net/ +## https://www.practicalnetworking.net/series/arp/gratuitous-arp/ +## +#net.ipv4.conf.*.drop_gratuitous_arp=1 + ## Ignore ICMP echo requests. ## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks. ## 
@@ -526,14 +538,3 @@ net.ipv4.tcp_timestamps=0 ## The use of IPv6 Privacy Extensions is currently disabled due to these breakages. ## #net.ipv6.conf.*.use_tempaddr=2 - -## Drop gratuitous ARP (Address Resolution Protocol) packets. -## Stops ARP responses sent by a device without being explicitly requested. -## Prevents ARP cache poisoning by rejecting fake ARP entries into a network. -## Prevents man-in-the-middle and denial-of-service attacks. -## May cause breakages when ARP proxies are used in the network. -## -## https://patchwork.ozlabs.org/project/netdev/patch/1428652454-1224-3-git-send-email-johannes@sipsolutions.net/ -## https://www.practicalnetworking.net/series/arp/gratuitous-arp/ -## -#net.ipv4.conf.*.drop_gratuitous_arp=1 From a25d4f8df88908e83e56049204aa625f1196a948 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 13 Nov 2024 05:40:21 +0000 Subject: [PATCH 664/846] Provide option to enable ARP filtering --- README.md | 3 +++ usr/lib/sysctl.d/990-security-misc.conf | 9 +++++++++ 2 files changed, 12 insertions(+) diff --git a/README.md b/README.md index e167a87..baa450d 100644 --- a/README.md +++ b/README.md @@ -102,6 +102,9 @@ Networking: - Disable ICMP redirect acceptance and redirect sending messages to prevent man-in-the-middle attacks and minimize information disclosure. +- Optional - Enable ARP filtering to mitigate some ARP spoofing and ARP + cache poisoning attacks. + - Optional - Drop gratuitous ARP packets to prevent ARP cache poisoning via man-in-the-middle and denial-of-service attacks. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 054dcbf..52d31de 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf 
@@ -443,6 +443,15 @@ net.ipv4.conf.*.send_redirects=0 net.ipv6.conf.*.accept_redirects=0 #net.ipv4.conf.*.secure_redirects=1 +## Enable ARP (Address Resolution Protocol) filtering. +## Prevents the Linux kernel from handling the ARP table globally +## Can mitigate some ARP spoofing and ARP cache poisoning attacks. +## Improper filtering can lead to increased ARP traffic and inadvertently block legitimate ARP requests. +## +## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf +## +#net.ipv4.conf.*.arp_filter=1 + ## Drop gratuitous ARP (Address Resolution Protocol) packets. ## Stops ARP responses sent by a device without being explicitly requested. ## Prevents ARP cache poisoning by rejecting fake ARP entries into a network. From 18aec201bfb0477fee8800ad1388099e11920016 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 13 Nov 2024 05:41:25 +0000 Subject: [PATCH 665/846] Provide option to harden response to ARP requests --- README.md | 3 +++ usr/lib/sysctl.d/990-security-misc.conf | 7 +++++++ 2 files changed, 10 insertions(+) diff --git a/README.md b/README.md index baa450d..ed9e4d7 100644 --- a/README.md +++ b/README.md @@ -105,6 +105,9 @@ Networking: - Optional - Enable ARP filtering to mitigate some ARP spoofing and ARP cache poisoning attacks. +- Optional - Respond to ARP requests only if the target IP address is + on-link, preventing some IP spoofing attacks. + - Optional - Drop gratuitous ARP packets to prevent ARP cache poisoning via man-in-the-middle and denial-of-service attacks. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 52d31de..a2c3198 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf 
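Review bot: The line `## Prevents the Linux kernel from handling the ARP table globally` does not describe what arp_filter=1 does; per the kernel's ip-sysctl documentation (as I recall it) the kernel then answers an ARP request on an interface only if it would route a packet for that target IP out of the same interface, which matters mainly for multi-homed hosts with several interfaces on one subnet. I would replace that line with `## Answer ARP requests on an interface only if the kernel would route a packet for the target IP out of that same interface.` and add the breakage caveat `## Hosts with multiple interfaces on the same subnet need source-based routing for this to work.` As far as I remember, the effective value is the OR of conf/all and the per-interface setting, so enabling it through the `*` glob cannot later be relaxed for a single interface; a one-line note on that would help admins, if confirmed.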
@@ -452,6 +452,13 @@ net.ipv6.conf.*.accept_redirects=0 ## #net.ipv4.conf.*.arp_filter=1 +## Respond to ARP (Address Resolution Protocol) requests only if the target IP address is on-link. +## Reduces IP spoofing attacks by limiting the scope of allowable ARP responses. +## +## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf +## +#net.ipv4.conf.*.arp_ignore=2 + ## Drop gratuitous ARP (Address Resolution Protocol) packets. ## Stops ARP responses sent by a device without being explicitly requested. ## Prevents ARP cache poisoning by rejecting fake ARP entries into a network. From 141b84c40de76988ec78bdccf1c1d67fc4367b3f Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 13 Nov 2024 05:42:56 +0000 Subject: [PATCH 666/846] Provide option to deny sending and receiving shared media redirects --- README.md | 5 ++++- usr/lib/sysctl.d/990-security-misc.conf | 11 +++++++++++ 2 files changed, 15 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index ed9e4d7..50b3cf0 100644 --- a/README.md +++ b/README.md @@ -102,12 +102,15 @@ Networking: - Disable ICMP redirect acceptance and redirect sending messages to prevent man-in-the-middle attacks and minimize information disclosure. +- Optional - Deny sending and receiving shared media redirects to reduce + the risk of IP spoofing attacks. + - Optional - Enable ARP filtering to mitigate some ARP spoofing and ARP cache poisoning attacks. - Optional - Respond to ARP requests only if the target IP address is on-link, preventing some IP spoofing attacks. - + - Optional - Drop gratuitous ARP packets to prevent ARP cache poisoning via man-in-the-middle and denial-of-service attacks. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index a2c3198..c43ca19 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf 
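Review bot: "on-link" understates what arp_ignore=2 does: per the kernel's ip-sysctl documentation (as I recall it) the kernel replies only if the target IP is a local address on the incoming interface and the sender's IP belongs to a subnet configured on that interface, so requests from an off-subnet sender such as a proxy-ARP router or a point-to-point peer go unanswered. I would change the first comment line to `## Reply to ARP requests only if the target IP is configured on the incoming interface and the sender's IP is in that interface's subnet.` and add `## May break proxy-ARP, point-to-point or multiple-subnets-on-one-link setups.` The kernel uses the maximum of conf/all and the per-interface value for arp_ignore, if I remember correctly, so once set via the `*` glob it cannot be lowered for one interface without also lowering `all`; worth stating so nobody spends an afternoon on it.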
@@ -443,6 +443,17 @@ net.ipv4.conf.*.send_redirects=0 net.ipv6.conf.*.accept_redirects=0 #net.ipv4.conf.*.secure_redirects=1 +## Deny sending and receiving RFC1620 shared media redirects. +## Relevant mainly for network interfaces that operate over shared media such as Ethernet hubs. +## Stops the kernel from sending ICMP redirects to specific networks from the connected network. +## This variable overrides the use secure_redirects. +## +## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf +## https://datatracker.ietf.org/doc/html/rfc1620 +## https://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/theconfvariables.html +## +#net.ipv4.conf.*.shared_media=0 + ## Enable ARP (Address Resolution Protocol) filtering. ## Prevents the Linux kernel from handling the ARP table globally ## Can mitigate some ARP spoofing and ARP cache poisoning attacks. From ef95b3f9a5aed9652c541cf4bf05b20011718466 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 14 Nov 2024 14:41:14 -0500 Subject: [PATCH 667/846] Revert "fix `panic-on-oops.service`" This reverts commit 862d23cb10b7687084f8e7e207d1e2c9c1ef6751. --- usr/lib/systemd/system/panic-on-oops.service | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/lib/systemd/system/panic-on-oops.service b/usr/lib/systemd/system/panic-on-oops.service index 425ab5c..cf13053 100644 --- a/usr/lib/systemd/system/panic-on-oops.service +++ b/usr/lib/systemd/system/panic-on-oops.service @@ -7,6 +7,7 @@ Documentation=https://github.com/Kicksecure/security-misc ConditionKernelCommandLine=!panic-on-oops=0 +After=multi-user.target After=graphical.target After=getty.target From 31804e30ecc9c5a1c5a8e1e014d3dcb85cee4f36 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 14 Nov 2024 20:46:26 +0000 Subject: [PATCH 668/846] bumped changelog version --- changelog.upstream | 14 ++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 20 insertions(+) 
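Review bot: `## This variable overrides the use secure_redirects.` has a stray word and inverts the emphasis: as I recall from the kernel's ip-sysctl documentation and net/ipv4/route.c, secure_redirects is only consulted when shared_media is 0, so with the kernel default of 1 the commented-out `#net.ipv4.conf.*.secure_redirects=1` in the context above would be a no-op anyway. I would write `## secure_redirects is only honoured when shared_media=0; with the kernel default of 1 that check is skipped.` The practical value here is defence in depth, since the context already sets `net.ipv4.conf.*.send_redirects=0` and `net.ipv6.conf.*.accept_redirects=0` (and presumably IPv4 accept_redirects=0 above the hunk); saying so keeps readers from expecting a standalone mitigation. The sentence `Stops the kernel from sending ICMP redirects to specific networks from the connected network` is vague enough that I would drop it in favour of the kernel wording.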
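Review bot: The revert re-adds `After=multi-user.target` without recording why, and the reverted commit's own message (visible in changelog.upstream earlier in this series) says the unit is `WantedBy=multi-user.target`; with default dependencies systemd implicitly orders a target after the units it wants, so this can form an ordering cycle that systemd breaks by dropping a job, which would silently leave the panic-on-oops setting unapplied on some boots. Whether the cycle materialises depends on `DefaultDependencies=` and the `[Install]` section, both outside this hunk, so please either document the intended ordering above the line, e.g. `## Ordered after multi-user.target on purpose; checked with systemd-analyze verify`, or pull the unit in from a later target instead. The `After=graphical.target` context line carries the same question.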
diff --git a/changelog.upstream b/changelog.upstream index dad0b22..7782fa4 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,17 @@ +commit ef95b3f9a5aed9652c541cf4bf05b20011718466 +Author: Patrick Schleizer +Date: Thu Nov 14 14:41:14 2024 -0500 + + Revert "fix `panic-on-oops.service`" + + This reverts commit 862d23cb10b7687084f8e7e207d1e2c9c1ef6751. + +commit 57e1edde23aa3f313ce087e00ebc14d158356d6c +Author: Patrick Schleizer +Date: Tue Nov 12 09:11:57 2024 +0000 + + bumped changelog version + commit 7987a3914d364e674eb7479b15708c450041af02 Author: Patrick Schleizer Date: Tue Nov 12 02:29:42 2024 -0500 diff --git a/debian/changelog b/debian/changelog index 534a025..9ca0709 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:40.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 14 Nov 2024 20:46:26 +0000 + security-misc (3:40.6-1) unstable; urgency=medium * New upstream version (local package). From c7e9460b2ae8dcb96196fef69a7e0ed992c1b43b Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 14 Nov 2024 16:31:12 -0500 Subject: [PATCH 669/846] output --- usr/bin/permission-hardener | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index e5039c0..858679c 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -26,7 +26,7 @@ source /usr/libexec/helper-scripts/log_run_die.sh echo_wrapper_ignore() { if test "${1}" = "verbose"; then shift - log notice "Run: $*" + log notice "Executing: $*" else shift fi @@ -36,7 +36,7 @@ echo_wrapper_ignore() { echo_wrapper_audit() { if test "${1}" = "verbose"; then shift - log notice "Run: $*" + log notice "Executing: $*" else shift fi From af43472d0ccdecb1725a200d10aeeb1b8d51f31a Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Thu, 14 Nov 2024 22:24:50 +0000 Subject: [PATCH 670/846] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 7782fa4..2e26fb3 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit c7e9460b2ae8dcb96196fef69a7e0ed992c1b43b +Author: Patrick Schleizer +Date: Thu Nov 14 16:31:12 2024 -0500 + + output + +commit 31804e30ecc9c5a1c5a8e1e014d3dcb85cee4f36 +Author: Patrick Schleizer +Date: Thu Nov 14 20:46:26 2024 +0000 + + bumped changelog version + commit ef95b3f9a5aed9652c541cf4bf05b20011718466 Author: Patrick Schleizer Date: Thu Nov 14 14:41:14 2024 -0500 diff --git a/debian/changelog b/debian/changelog index 9ca0709..1e46db1 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:40.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 14 Nov 2024 22:24:50 +0000 + security-misc (3:40.7-1) unstable; urgency=medium * New upstream version (local package). From d7475e252a64e296913ed8893261e52e72163d55 Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Thu, 21 Nov 2024 20:03:42 -0600 Subject: [PATCH 671/846] Make apt-get-update able to be terminated securely --- usr/libexec/security-misc/apt-get-update | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/usr/libexec/security-misc/apt-get-update b/usr/libexec/security-misc/apt-get-update index 9c5dde1..3086e55 100755 --- a/usr/libexec/security-misc/apt-get-update +++ b/usr/libexec/security-misc/apt-get-update 
@@ -3,6 +3,13 @@ ## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. +write_pid_file() { + safe-rm -rf /tmp/security-misc-apt-get-update-pid; + install -m644 /dev/null /tmp/security-misc-apt-get-update-pid \ + || exit 1 + echo "$$" > /tmp/security-misc-apt-get-update-pid +} + sigterm_trap() { if [ "$lastpid" = "" ]; then exit 143 @@ -21,6 +28,8 @@ trap "sigterm_trap" SIGTERM SIGINT [ -n "$timeout_after" ] || timeout_after="600" [ -n "$kill_after" ] || kill_after="10" +write_pid_file + timeout \ --kill-after="$kill_after" \ "$timeout_after" \ From d32cb8c95b09721e52c4d682a0ddd39d590a4368 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 25 Nov 2024 15:44:00 -0500 Subject: [PATCH 672/846] use TMP, sponge, refactoring --- usr/libexec/security-misc/apt-get-update | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/usr/libexec/security-misc/apt-get-update b/usr/libexec/security-misc/apt-get-update index 3086e55..fecfe4f 100755 --- a/usr/libexec/security-misc/apt-get-update +++ b/usr/libexec/security-misc/apt-get-update @@ -4,10 +4,10 @@ ## See the file COPYING for copying conditions. write_pid_file() { - safe-rm -rf /tmp/security-misc-apt-get-update-pid; - install -m644 /dev/null /tmp/security-misc-apt-get-update-pid \ - || exit 1 - echo "$$" > /tmp/security-misc-apt-get-update-pid + [[ -z "${TMP:-}" ]] && error "TMP is unset" + safe-rm -rf "$TMP/security-misc-apt-get-update-pid"; + install -m644 /dev/null "$TMP/security-misc-apt-get-update-pid" || exit 1 + echo "$$" | sponge -- "$TMP/security-misc-apt-get-update-pid" } sigterm_trap() { From f9b5d7d3f4f2ed8d1baae67d8427f13cf26aee8d Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 25 Nov 2024 15:48:01 -0500 Subject: [PATCH 673/846] use strict shell options --- usr/libexec/security-misc/apt-get-update | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) 
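Review bot: `/tmp/security-misc-apt-get-update-pid` is a fixed name in a world-writable directory, so any local user can pre-create it; `safe-rm -rf` then fails on a file they own (sticky bit), `install` cannot replace it and the script exits 1, which is a reliable local denial of service, and whatever later reads the PID from this file (not visible here) has to trust attacker-influenceable contents. Prefer a directory only this service can write to, such as a `/run/security-misc/` created by the unit or a `mktemp -d` path handed to the terminating side, and document that contract in a comment above write_pid_file. The `-r` in `safe-rm -rf` is unnecessary for a single file path and the trailing `;` on that line is stray.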
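Review bot: `TMP` is not a conventional variable (`TMPDIR` is) and nothing in this hunk shows who sets it; if it is inherited from the invoking environment rather than set by the unit to a private `mktemp -d` directory, the predictable-path problem from the previous hunk simply moves to wherever an attacker-controlled environment points. `error` is also not defined or sourced anywhere visible in this script, so the guard would fail with `error: command not found` rather than a clear message. I would spell out the contract right above the check: `## TMP must point to a directory writable only by this service; it is set by the caller, never taken from a user's environment.` The write_pid_file function ends inside the hunk but its call site is below it.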
diff --git a/usr/libexec/security-misc/apt-get-update b/usr/libexec/security-misc/apt-get-update index fecfe4f..165d96f 100755 --- a/usr/libexec/security-misc/apt-get-update +++ b/usr/libexec/security-misc/apt-get-update @@ -3,6 +3,11 @@ ## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. +set -o errexit +set -o nounset +set -o errtrace +set -o pipefail + write_pid_file() { [[ -z "${TMP:-}" ]] && error "TMP is unset" safe-rm -rf "$TMP/security-misc-apt-get-update-pid"; @@ -25,8 +30,8 @@ sigterm_trap() { trap "sigterm_trap" SIGTERM SIGINT -[ -n "$timeout_after" ] || timeout_after="600" -[ -n "$kill_after" ] || kill_after="10" +[[ -v timeout_after ]] || timeout_after="600" +[[ -v kill_after ]] || kill_after="10" write_pid_file From 98d7c245ee11f16e566422a17543aaed2c155d88 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 25 Nov 2024 15:57:30 -0500 Subject: [PATCH 674/846] "|| exit 1" no longer required thanks to errexit --- usr/libexec/security-misc/apt-get-update | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/apt-get-update b/usr/libexec/security-misc/apt-get-update index 165d96f..b506e44 100755 --- a/usr/libexec/security-misc/apt-get-update +++ b/usr/libexec/security-misc/apt-get-update @@ -11,7 +11,7 @@ set -o pipefail write_pid_file() { [[ -z "${TMP:-}" ]] && error "TMP is unset" safe-rm -rf "$TMP/security-misc-apt-get-update-pid"; - install -m644 /dev/null "$TMP/security-misc-apt-get-update-pid" || exit 1 + install -m644 /dev/null "$TMP/security-misc-apt-get-update-pid" echo "$$" | sponge -- "$TMP/security-misc-apt-get-update-pid" } From 59299a6639fef31565b8f3cef857c9faa331e0f7 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 25 Nov 2024 21:07:42 +0000 Subject: [PATCH 675/846] bumped changelog version --- changelog.upstream | 37 +++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 43 insertions(+) 
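Review bot: With `set -o nounset` the existing trap handler, which tests `[ "$lastpid" = "" ]` (visible in the previous patch's hunk), now aborts with `lastpid: unbound variable` instead of exiting 143 if SIGTERM or SIGINT arrives before `lastpid` is assigned, and that window exists because the trap is installed before write_pid_file and the timeout launch. Change the test to `if [ -z "${lastpid:-}" ]; then` or initialise `lastpid=""` before the `trap` line. `set -o errtrace` has no effect without an ERR trap, and errexit is suppressed inside the `[[ ... ]] && error` list, so the TMP guard still depends on `error` actually exiting. The trap function itself is outside this hunk.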
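Review bot: `[[ -v timeout_after ]]` is not equivalent to the old `[ -n "$timeout_after" ]`: an empty but exported `timeout_after=` now keeps its empty value and the later `timeout "$timeout_after"` call fails instead of defaulting to 600. Use the nounset-safe default form `: "${timeout_after:=600}"` and `: "${kill_after:=10}"`, which restores the old behaviour for empty values. If an empty value is meant to be an error, reject it explicitly rather than letting `timeout` produce the message.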
diff --git a/changelog.upstream b/changelog.upstream index 2e26fb3..4fccc87 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,40 @@ +commit 98d7c245ee11f16e566422a17543aaed2c155d88 +Author: Patrick Schleizer +Date: Mon Nov 25 15:57:30 2024 -0500 + + "|| exit 1" no longer required thanks to errexit + +commit f9b5d7d3f4f2ed8d1baae67d8427f13cf26aee8d +Author: Patrick Schleizer +Date: Mon Nov 25 15:48:01 2024 -0500 + + use strict shell options + +commit d32cb8c95b09721e52c4d682a0ddd39d590a4368 +Author: Patrick Schleizer +Date: Mon Nov 25 15:44:00 2024 -0500 + + use TMP, sponge, refactoring + +commit 62a551cfe39a6a640f32e6e97f3e915aa8673514 +Merge: af43472 d7475e2 +Author: Patrick Schleizer +Date: Mon Nov 25 15:38:01 2024 -0500 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/sudoers' + +commit d7475e252a64e296913ed8893261e52e72163d55 +Author: Aaron Rainbolt +Date: Thu Nov 21 20:03:42 2024 -0600 + + Make apt-get-update able to be terminated securely + +commit af43472d0ccdecb1725a200d10aeeb1b8d51f31a +Author: Patrick Schleizer +Date: Thu Nov 14 22:24:50 2024 +0000 + + bumped changelog version + commit c7e9460b2ae8dcb96196fef69a7e0ed992c1b43b Author: Patrick Schleizer Date: Thu Nov 14 16:31:12 2024 -0500 diff --git a/debian/changelog b/debian/changelog index 1e46db1..15e8b1e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:40.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 25 Nov 2024 21:07:41 +0000 + security-misc (3:40.8-1) unstable; urgency=medium * New upstream version (local package). From 1708a03e1edda821ef091f10c46d32f740511d38 Mon Sep 17 00:00:00 2001 
From: Aaron Rainbolt Date: Thu, 28 Nov 2024 15:20:57 -0600 Subject: [PATCH 676/846] Enable umask hardening --- README.md | 14 +++++++++----- etc/sudoers.d/security-misc | 5 +++++ usr/share/pam-configs/umask-security-misc | 8 ++++++++ 3 files changed, 22 insertions(+), 5 deletions(-) create mode 100644 usr/share/pam-configs/umask-security-misc diff --git a/README.md b/README.md index c23d261..6117830 100644 --- a/README.md +++ b/README.md @@ -46,7 +46,7 @@ Kernel space: - Force the kernel to panic on both "oopses", which can potentially indicate and thwart certain kernel exploitation attempts, and also kernel warnings in the `WARN()` path. - + - Optional - Force immediate reboot on the occurrence of a single kernel panic and also (when using Linux kernel >= 6.2) limit the number of allowed panics to one. @@ -573,9 +573,7 @@ See: #### umask Default `umask` is set to `027` for files created by non-root users such as -user `user`. Broken. Disabled. See: - -* https://github.com/Kicksecure/security-misc/issues/184 +user `user`. This is done using the PAM module `pam_mkhomedir.so umask=027`. @@ -589,7 +587,13 @@ https://wiki.debian.org/UserPrivateGroups Default `umask` is unchanged for root because then configuration files created in `/etc` by the system administrator would be unreadable by "others" and break -applications. Examples include `/etc/firefox-esr` and `/etc/thunderbird`. +applications. Examples include `/etc/firefox-esr` and `/etc/thunderbird`. The +`umask` is also set to 022 via `sudoers` configuration, so that files created +as root are world-readable even when using commands such as `sudo vi +/etc/file` or `sudo -i; touch /etc/file`. + +`umask` is set to 022 rather than 027 when using `sudo`, so that commands such +as `sudo vi /etc/configfile` and `sudo -i; touch /etc/file` See: diff --git a/etc/sudoers.d/security-misc b/etc/sudoers.d/security-misc index 7084b1f..591eede 100644 --- a/etc/sudoers.d/security-misc +++ b/etc/sudoers.d/security-misc 
@@ -3,3 +3,8 @@ user ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops %sudo ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops + +## Use a more open umask when executing commands with sudo +## Can be overridden on a per-user basis using .[z]profile if desirable +Defaults umask_override +Defaults umask=0022 diff --git a/usr/share/pam-configs/umask-security-misc b/usr/share/pam-configs/umask-security-misc new file mode 100644 index 0000000..6436a56 --- /dev/null +++ b/usr/share/pam-configs/umask-security-misc @@ -0,0 +1,8 @@ +Name: Restrict umask to 027 (by package security-misc) +Default: yes +Priority: 100 +Session-Type: Additional +Session-Interactive-Only: yes +Session: + [success=1 default=ignore] pam_succeed_if.so uid eq 0 + optional pam_umask.so umask=027 From 93b51819d4693955936456916188b4118fe68a66 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 6 Dec 2024 09:47:08 -0500 Subject: [PATCH 677/846] permission hardener mount chmod change from `745` to `755` https://github.com/Kicksecure/security-misc/issues/284 --- etc/permission-hardener.d/25_default_whitelist_mount.conf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/etc/permission-hardener.d/25_default_whitelist_mount.conf b/etc/permission-hardener.d/25_default_whitelist_mount.conf index 54b22a6..08965b8 100644 --- a/etc/permission-hardener.d/25_default_whitelist_mount.conf +++ b/etc/permission-hardener.d/25_default_whitelist_mount.conf @@ -13,5 +13,5 @@ ## Remove SUID from 'mount' but keep executable. ## https://forums.whonix.org/t/disable-suid-binaries/7706/61 -/bin/mount 745 root root -/usr/bin/mount 745 root root +/bin/mount 755 root root +/usr/bin/mount 755 root root From 5b88e92e5c4b951e659e1574fc248bd11158dfb2 Mon Sep 17 00:00:00 2001 
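Review bot: `Defaults umask_override` and `Defaults umask=0022` apply to every sudo invocation, including `sudo -u <non-root user>`, so the 027 umask set by the PAM hunk below is silently loosened for commands run as other unprivileged accounts, which is broader than the stated goal of world-readable root-created files in /etc. If sudoers runas defaults are acceptable here, scope both lines to the root target: `Defaults>root umask_override` and `Defaults>root umask=0022`. The comment `Can be overridden on a per-user basis using .[z]profile` only holds for interactive shells started through sudo; a one-shot `sudo cmd` never reads those files, so I would reword it to `## Interactive shells started via sudo may override this in .[z]profile; one-shot commands cannot.`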
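Review bot: As I recall, `pam_succeed_if.so` logs every unmet requirement by default, so with `uid eq 0` every non-root session would log a "requirement not met" line; add `quiet`, i.e. `[success=1 default=ignore] pam_succeed_if.so quiet uid eq 0`. `Session-Interactive-Only: yes` means cron jobs, systemd user sessions and other non-interactive logins keep the default umask, which is a reasonable choice but contradicts the README's unqualified "for files created by non-root users", so that sentence should say interactive logins. pam_umask also honours a `umask=` GECOS field and login.defs, which this module option takes precedence over if I remember correctly; a one-line comment on that precedence would help whoever debugs an unexpected umask.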
From: Patrick Schleizer Date: Fri, 6 Dec 2024 09:48:58 -0500 Subject: [PATCH 678/846] permission hardner: treat `mount` the same way we treat `umount` Thanks to @the-moog for the bug report! fixes https://github.com/Kicksecure/security-misc/issues/284 --- etc/permission-hardener.d/25_default_whitelist_mount.conf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/etc/permission-hardener.d/25_default_whitelist_mount.conf b/etc/permission-hardener.d/25_default_whitelist_mount.conf index 08965b8..c0a4f96 100644 --- a/etc/permission-hardener.d/25_default_whitelist_mount.conf +++ b/etc/permission-hardener.d/25_default_whitelist_mount.conf @@ -10,8 +10,12 @@ ## SUID will be removed below in separate step. /bin/mount exactwhitelist /usr/bin/mount exactwhitelist +/bin/umount exactwhitelist +/usr/bin/umount exactwhitelist ## Remove SUID from 'mount' but keep executable. ## https://forums.whonix.org/t/disable-suid-binaries/7706/61 /bin/mount 755 root root /usr/bin/mount 755 root root +/bin/umount 755 root root +/usr/bin/umount 755 root root From 1ce37d42cd2c132eca8c45ddb04fdb594349d08f Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 7 Dec 2024 04:50:40 -0500 Subject: [PATCH 679/846] . --- usr/share/security-misc/lkrg/lkrg-virtualbox | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/usr/share/security-misc/lkrg/lkrg-virtualbox b/usr/share/security-misc/lkrg/lkrg-virtualbox index 3b4a061..6ab093a 100755 --- a/usr/share/security-misc/lkrg/lkrg-virtualbox +++ b/usr/share/security-misc/lkrg/lkrg-virtualbox @@ -6,8 +6,11 @@ #set -x set -e +## Check if the VirtualBox host software is installed. if ! command -v vboxmanage &>/dev/null ; then + ## VirtualBox host software is not installed. if test -f /etc/sysctl.d/30-lkrg-virtualbox.conf ; then + ## Delete using '--verbose' so user is notified. rm --force --verbose /etc/sysctl.d/30-lkrg-virtualbox.conf fi exit 0 
@@ -21,4 +24,7 @@ if ! test -f /usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf ; then
 exit 0
 fi
+## TODO: check if lkrg is installed.
+
+## Delete using '--verbose' so user is notified.
 cp --verbose /usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf /etc/sysctl.d/30-lkrg-virtualbox.conf
From 7902311c570edd4286ba36f0cb85223d1e909a03 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Sat, 7 Dec 2024 04:54:47 -0500
Subject: [PATCH 680/846] do not create /etc/sysctl.d/30-lkrg-virtualbox.conf if LKRG is not installed
---
 usr/share/security-misc/lkrg/lkrg-virtualbox | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/usr/share/security-misc/lkrg/lkrg-virtualbox b/usr/share/security-misc/lkrg/lkrg-virtualbox
index 6ab093a..3e5edc3 100755
--- a/usr/share/security-misc/lkrg/lkrg-virtualbox
+++ b/usr/share/security-misc/lkrg/lkrg-virtualbox
@@ -6,6 +6,9 @@
 #set -x
 set -e
+## provides function: pkg_installed
+source /usr/libexec/helper-scripts/package_installed_check.bsh
+
 ## Check if the VirtualBox host software is installed.
 if ! command -v vboxmanage &>/dev/null ; then
 ## VirtualBox host software is not installed.
@@ -24,7 +27,9 @@ if ! test -f /usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf ; then
 exit 0
 fi
-## TODO: check if lkrg is installed.
+if ! pkg_installed "lkrg" ; then
+ exit 0
+fi
 ## Delete using '--verbose' so user is notified.
 cp --verbose /usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf /etc/sysctl.d/30-lkrg-virtualbox.conf
From 439fa7f3be74f5eba4b98f73c0bb50fd37e8b0e1 Mon Sep 17 00:00:00 2001
From: Aaron Rainbolt
Date: Sun, 8 Dec 2024 03:21:27 -0600
Subject: [PATCH 681/846] Harden/disable recovery mode options
---
 etc/default/grub.d/41_recovery_restrict.cfg | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 etc/default/grub.d/41_recovery_restrict.cfg
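Review bot: The added comment `## Delete using '--verbose' so user is notified.` sits above a `cp --verbose` that installs the sysctl file, not a deletion, so it reads as a copy of the comment added to the `rm` branch in this commit's first hunk. Replace it with `## Install using '--verbose' so user is notified.`; the same wrong comment survives as context in the next commit's hunk for this file, so fixing it here keeps that one correct too.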
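Review bot: `source /usr/libexec/helper-scripts/package_installed_check.bsh` runs under `set -e` before any other check, so on a system where that helper file is missing the script aborts with a non-zero status instead of taking one of the quiet `exit 0` paths below. If the package that ships the helper is a hard dependency of security-misc this is fine and the comment should say so (`## provides function: pkg_installed (from helper-scripts, a dependency)`); otherwise guard it with `test -r /usr/libexec/helper-scripts/package_installed_check.bsh || exit 0` before sourcing.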
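Review bot: When `pkg_installed "lkrg"` is false the new branch exits without touching an existing `/etc/sysctl.d/30-lkrg-virtualbox.conf`, unlike the vboxmanage-missing branch earlier in the file, which removes the stale file; if LKRG is removed after the file was installed, its sysctl overrides stay in place indefinitely. Mirror that branch: `if ! pkg_installed "lkrg" ; then` / `  rm --force --verbose /etc/sysctl.d/30-lkrg-virtualbox.conf` / `  exit 0` / `fi`. Whether the LKRG-specific sysctls are harmless with the module absent I cannot tell from this hunk, which is one more reason not to leave them behind.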
diff --git a/etc/default/grub.d/41_recovery_restrict.cfg b/etc/default/grub.d/41_recovery_restrict.cfg
new file mode 100644
index 0000000..cfe68b0
--- /dev/null
+++ b/etc/default/grub.d/41_recovery_restrict.cfg
@@ -0,0 +1,16 @@
+## Copyright (C) 2024 - 2024 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Definitions:
+## KSPP=yes: compliant with recommendations by the KSPP
+## KSPP=partial: partially compliant with recommendations by the KSPP
+## KSPP=no: not (currently) compliant with recommendations by the KSPP
+## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP.
+
+## Disable access to single-user mode (i.e. recovery mode).
+## https://forums.kicksecure.com/t/remove-linux-recovery-mode-boot-option-from-default-grub-boot-menu/727
+GRUB_DISABLE_RECOVERY='true'
+
+## Disable access to Dracut's recovery console.
+## https://forums.kicksecure.com/t/harden-dracut-initramfs-generator-by-disabling-recovery-console/724
+GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT rd.shell=0 rd.emergency=halt"
From 518224b8cf9e99a830b584d8d54b5dea2925c8f5 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Tue, 10 Dec 2024 19:17:10 +0000
Subject: [PATCH 682/846] bumped changelog version
---
 changelog.upstream | 18 ++++++++++++++++++
 debian/changelog | 6 ++++++
 2 files changed, 24 insertions(+)
diff --git a/changelog.upstream b/changelog.upstream
index 4fccc87..ab75925 100644
--- a/changelog.upstream
+++ b/changelog.upstream
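Review bot: The dracut restrictions are appended to `GRUB_CMDLINE_LINUX_DEFAULT`, which grub-mkconfig adds only to the normal menu entries, whereas the sibling snippet 40_cpu_mitigations.cfg (visible later in this series) appends to `GRUB_CMDLINE_LINUX`, which also reaches recovery entries; if an administrator re-enables recovery entries with a later-sorted snippet that resets `GRUB_DISABLE_RECOVERY`, those entries boot without `rd.shell=0 rd.emergency=halt`. Consider `GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX rd.shell=0 rd.emergency=halt"` for consistency, or state in the comment why `_DEFAULT` was chosen. It would also help readers to note that `GRUB_DISABLE_RECOVERY` only omits the generated recovery menu entries and that the restriction relies on GRUB's own menu access controls (superusers/password) to hold.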
@@ -1,3 +1,21 @@ +commit 7902311c570edd4286ba36f0cb85223d1e909a03 +Author: Patrick Schleizer +Date: Sat Dec 7 04:54:47 2024 -0500 + + do not create /etc/sysctl.d/30-lkrg-virtualbox.conf if LKRG is not installed + +commit 1ce37d42cd2c132eca8c45ddb04fdb594349d08f +Author: Patrick Schleizer +Date: Sat Dec 7 04:50:40 2024 -0500 + + . + +commit 59299a6639fef31565b8f3cef857c9faa331e0f7 +Author: Patrick Schleizer +Date: Mon Nov 25 21:07:42 2024 +0000 + + bumped changelog version + commit 98d7c245ee11f16e566422a17543aaed2c155d88 Author: Patrick Schleizer Date: Mon Nov 25 15:57:30 2024 -0500 diff --git a/debian/changelog b/debian/changelog index 15e8b1e..b4859e3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:41.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 10 Dec 2024 19:17:10 +0000 + security-misc (3:40.9-1) unstable; urgency=medium * New upstream version (local package). From a9dd592a8b49226f326e90111178aebba3cc144f Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 10 Dec 2024 19:19:10 +0000 Subject: [PATCH 683/846] bumped changelog version --- changelog.upstream | 19 +++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 25 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index ab75925..1e3591c 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,22 @@ +commit 58722324ec0be98c3e44938df8cb60ca9b261210 +Merge: 518224b 439fa7f +Author: Patrick Schleizer +Date: Tue Dec 10 14:18:50 2024 -0500 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/no-recovery-mode' + +commit 518224b8cf9e99a830b584d8d54b5dea2925c8f5 +Author: Patrick Schleizer +Date: Tue Dec 10 19:17:10 2024 +0000 + + bumped changelog version + +commit 439fa7f3be74f5eba4b98f73c0bb50fd37e8b0e1 +Author: Aaron Rainbolt +Date: Sun Dec 8 03:21:27 2024 -0600 + + Harden/disable recovery mode options + commit 7902311c570edd4286ba36f0cb85223d1e909a03 Author: Patrick Schleizer Date: Sat Dec 7 04:54:47 2024 -0500 diff --git a/debian/changelog b/debian/changelog index b4859e3..0b5fc91 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:41.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 10 Dec 2024 19:19:10 +0000 + security-misc (3:41.0-1) unstable; urgency=medium * New upstream version (local package). From c1167968542a62d0677517e11505f6e9222ec378 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Thu, 12 Dec 2024 06:36:47 +0000 Subject: [PATCH 684/846] `arp_ignore`: Add reference to 2024-12-10 Mullvad VPN audit details --- usr/lib/sysctl.d/990-security-misc.conf | 3 +++ 1 file changed, 3 insertions(+) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index c43ca19..93efe26 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf 
@@ -467,6 +467,9 @@ net.ipv6.conf.*.accept_redirects=0 ## Reduces IP spoofing attacks by limiting the scope of allowable ARP responses. ## ## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf +## https://github.com/mullvad/mullvadvpn-app/blob/main/audits/2024-12-10-X41-D-Sec.md#mllvd-cr-24-03-virtual-ip-address-of-tunnel-device-leaks-to-network-adjacent-participant-severity-medium +## https://github.com/mullvad/mullvadvpn-app/pull/7141 +## https://www.x41-dsec.de/static/reports/X41-Mullvad-Audit-Public-Report-2024-12-10.pdf ## #net.ipv4.conf.*.arp_ignore=2 From 4c3ca68453b44074025a1ec9f31451c57344f3cf Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Mon, 9 Dec 2024 12:37:11 -0600 Subject: [PATCH 685/846] Disable unnecessary sudoers exceptions --- etc/sudoers.d/security-misc | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/etc/sudoers.d/security-misc b/etc/sudoers.d/security-misc index 7084b1f..abe4364 100644 --- a/etc/sudoers.d/security-misc +++ b/etc/sudoers.d/security-misc @@ -1,5 +1,6 @@ ## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -user ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops -%sudo ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops +## Neither of these are needed. +#user ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops +#%sudo ALL=NOPASSWD: /usr/libexec/security-misc/panic-on-oops From ca3a73ac13d805515f71f1be7ecedc33d3a1b519 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Tue, 17 Dec 2024 11:37:10 +0000 Subject: [PATCH 686/846] Typo --- usr/lib/sysctl.d/990-security-misc.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 6009fc4..81e40a2 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf 
@@ -281,7 +281,7 @@ fs.protected_fifos=2 fs.protected_regular=2 ## Enable ASLR for mmap base, stack, VDSO pages, and heap. -## Forces shared libraries to be loaded to random addresses +## Forces shared libraries to be loaded to random addresses. ## Start location of PIE-linked binaries is randomized. ## Heap randomization can lead to breakages with legacy applications. ## From 943c421889ce5dfe3869380e4587ca22724f2ce7 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Tue, 17 Dec 2024 11:40:38 +0000 Subject: [PATCH 687/846] Minor refactoring --- etc/default/grub.d/41_recovery_restrict.cfg | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/etc/default/grub.d/41_recovery_restrict.cfg b/etc/default/grub.d/41_recovery_restrict.cfg index cfe68b0..530a728 100644 --- a/etc/default/grub.d/41_recovery_restrict.cfg +++ b/etc/default/grub.d/41_recovery_restrict.cfg @@ -7,10 +7,15 @@ ## KSPP=no: not (currently) compliant with recommendations by the KSPP ## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. -## Disable access to single-user mode (i.e. recovery mode). +## Disable access to single-user (recovery) mode. +## ## https://forums.kicksecure.com/t/remove-linux-recovery-mode-boot-option-from-default-grub-boot-menu/727 -GRUB_DISABLE_RECOVERY='true' +## +GRUB_DISABLE_RECOVERY="true" ## Disable access to Dracut's recovery console. +## ## https://forums.kicksecure.com/t/harden-dracut-initramfs-generator-by-disabling-recovery-console/724 -GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT rd.shell=0 rd.emergency=halt" +## +GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT rd.emergency=halt" +GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT rd.shell=0" \ No newline at end of file From defba1f2450b2c8bbc668bf5f6f6f0d101338cc7 Mon Sep 17 00:00:00 2001 
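Review bot: The rewritten 41_recovery_restrict.cfg now ends without a trailing newline (`\ No newline at end of file` after the `rd.shell=0` assignment), while the version created earlier in this series ended with one; add the newline so the `.cfg` snippets stay uniform and the next edit does not produce a spurious last-line diff. Splitting the options onto two `GRUB_CMDLINE_LINUX_DEFAULT=` lines is fine, but each now carries no comment of its own; a one-line note per option such as `## rd.emergency=halt: halt instead of dropping to the dracut emergency shell` would match the per-parameter style used in the rest of the file.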
From: raja-grewal Date: Tue, 17 Dec 2024 11:42:03 +0000 Subject: [PATCH 688/846] Refactor CPU mitigations --- etc/default/grub.d/40_cpu_mitigations.cfg | 80 ++++++++++++++++------- 1 file changed, 55 insertions(+), 25 deletions(-) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index 1b900c0..c1828dc 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg @@ -17,7 +17,7 @@ ## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/advisory-guidance.html ## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/disclosure-documentation.html -## Enable a subset of known mitigations for CPU vulnerabilities and disable SMT. +## Enable a subset of known mitigations for some CPU vulnerabilities and disable SMT. ## ## KSPP=yes ## KSPP sets the kernel parameters. @@ -27,7 +27,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt" ## Disable SMT as it has been the cause of and amplified numerous CPU exploits. ## The only full mitigation of cross-HT attacks is to disable SMT. ## Disabling will significantly decrease system performance on multi-threaded tasks. -## To enable SMT, remove this line and all other occurrences of "nosmt" in this file. +## Note, this setting will prevent re-enabling SMT via the sysfs interface. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17 
@@ -36,95 +36,125 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt" ## KSPP=yes ## KSPP sets the kernel parameter. ## +## To re-enable SMT: +## - Remove "nosmt=force". +## - Remove all occurrences of ",nosmt" in this file (note the comma ","). +## - Downgrade "l1tf=full,force" protection to "l1tf=flush". +## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force" -## Enable mitigations for both Spectre Variant 2 (indirect branch speculation) -## and Intel branch history injection (BHI) vulnerabilities. +## Spectre Side Channels (BTI and BHI): +## Unconditionally enable mitigation for Spectre Variant 2 (branch target injection). +## Enable mitigation for the Intel branch history injection vulnerability. +## Currently affects both AMD and Intel CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_v2=on" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spectre_bhi=on" -## Disable Speculative Store Bypass (Spectre Variant 4). -## Unconditionally enable mitigation for both kernel and userspace. +## Speculative Store Bypass (SSB): +## Mitigate Spectre Variant 4 by disabling speculative store bypass system-wide. +## Unconditionally enable the mitigation for both kernel and userspace. +## Currently affects both AMD and Intel CPUs. ## +## https://en.wikipedia.org/wiki/Speculative_Store_Bypass ## https://www.suse.com/support/kb/doc/?id=000019189 ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_store_bypass_disable=on" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ssbd=force-on" -## Enable mitigations for the L1TF vulnerability through disabling SMT -## and L1D flush runtime control. +## L1 Terminal Fault (L1TF): +## Mitigate the vulnerability by disabling L1D flush runtime control and SMT. +## Currently affects Intel CPUs. 
## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1tf=full,force" -## Enable mitigations for the MDS vulnerability through clearing buffer cache -## and disabling SMT. +## Microarchitectural Data Sampling (MDS): +## Mitigate the vulnerability by clearing the buffer cache and disabling SMT. +## Currently affects Intel CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mds=full,nosmt" -## Patches the TAA vulnerability by disabling TSX and enables mitigations using -## TSX Async Abort along with disabling SMT. +## TSX Asynchronous Abort (TAA): +## Mitigate the vulnerability by disabling TSX. +## If TSX is enabled, clear CPU buffer rings on transitions and disable SMT. +## Currently affects Intel CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx=off" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx_async_abort=full,nosmt" -## Mark all huge pages in the EPT as non-executable to mitigate iTLB multihit. +## iTLB Multihit: +## Mitigate the vulnerability by marking all huge pages in the EPT as non-executable. +## Currently affects Intel CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force" -## Mitigations for SRBDS to prevent MDS attacks on RDRAND and RDSEED instructions -## are only possible through microcode updates from Intel. +## Special Register Buffer Data Sampling (SRBDS): +## Mitigation of the vulnerability is only possible via microcode updates from Intel. +## Currently affects Intel CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/special-register-buffer-data-sampling.html ## https://access.redhat.com/solutions/5142691 -## Enable the prctl() interface to prevent leaks from L1D on context switches. 
+## L1D Flushing: +## Mitigate leaks from the L1D cache on context switches by enabling the prctl() interface. +## Currently affects Intel CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1d_flush.html ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1d_flush=on" -## Mitigate numerous MMIO Stale Data vulnerabilities and disable SMT. +## MMIO Stale Data: +## Mitigate the vulnerability by appropriately clearing the CPU buffer and disabling SMT. +## Currently affects Intel CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mmio_stale_data=full,nosmt" -## Enable mitigations for RETBleed (Arbitrary Speculative Code Execution with -## Return Instructions) vulnerability and disable SMT. +## Arbitrary Speculative Code Execution with Return Instructions (Retbleed): +## Mitigate the vulnerability through CPU-dependent implementation and disable SMT. +## Currently affects both AMD Zen 1-2 and Intel CPUs. ## +## https://en.wikipedia.org/wiki/Retbleed +## https://comsec.ethz.ch/research/microarch/retbleed/ ## https://www.suse.com/support/kb/doc/?id=000020693 +## https://access.redhat.com/solutions/retbleed ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt" -## Control RAS overflow mitigation on AMD Zen CPUs. +## Speculative Return Stack Overflow (SRSO): +## Mitigate the vulnerability by ensureing all RET instructions speculate to a controlled location. +## Currently affects AMD Zen 1-4 CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html ## ## The default kernel setting will be utilized until provided sufficient evidence to modify. +## Using "spec_rstack_overflow=ipbp" may provide stronger security at a greater performance impact. ## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX spec_rstack_overflow=safe-ret" -## Enable Gather Data Sampling (GDS) mitigation. 
-## Note for systems that have not received a suitable microcode update this will -## entirely disable use of the AVX instructions set. +## Gather Data Sampling (GDS): +## Mitigate the vulnerability either via microcode update or by disabling AVX. +## Note, without a suitable microcode update, this will entirely disable use of the AVX instructions set. +## Currently affects Intel CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/gather_data_sampling.html ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX gather_data_sampling=force" -## Enable Register File Data Sampling (RFDS) mitigation on Intel Atom CPUs which -## encompasses E-cores on hybrid architectures. +## Register File Data Sampling (RFDS): +## Mitigate the vulnerability by appropriately clearing the CPU buffer. +## Currently affects Intel Atom CPUs (which encompasses E-cores on hybrid architectures). ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/reg-file-data-sampling.html ## From 45355aabdc180a6a2fdd4a374c6f7d72f4d36240 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Tue, 17 Dec 2024 11:42:52 +0000 Subject: [PATCH 689/846] Enable `kvm-intel.vmentry_l1d_flush=always` --- etc/default/grub.d/40_cpu_mitigations.cfg | 2 ++ 1 file changed, 2 insertions(+) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index c1828dc..8236c99 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg 
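Review bot: The new comment `## Using "spec_rstack_overflow=ipbp" may provide stronger security at a greater performance impact.` names a value the kernel does not accept; the srso.rst document linked two lines above lists `ibpb` (and `ibpb-vmexit`), so anyone copying the string gets an unrecognised option and the kernel's default behaviour rather than the stronger mode. Change it to `spec_rstack_overflow=ibpb`. The hunk spans most of the file, so the surrounding header and the RFDS assignment at the end lie outside it.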
@@ -66,11 +66,13 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ssbd=force-on"
 ## L1 Terminal Fault (L1TF):
 ## Mitigate the vulnerability by disabling L1D flush runtime control and SMT.
+## If conditional L1D flushing, mitigate the vulnerability for certain KVM hypervisor configurations.
 ## Currently affects Intel CPUs.
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1tf=full,force"
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm-intel.vmentry_l1d_flush=always"
 ## Microarchitectural Data Sampling (MDS):
 ## Mitigate the vulnerability by clearing the buffer cache and disabling SMT.
From 3e96fdd9ccb6268403d6c4f9a061c4a33e6f6dd2 Mon Sep 17 00:00:00 2001
From: raja-grewal
Date: Tue, 17 Dec 2024 11:44:11 +0000
Subject: [PATCH 690/846] Enable `kvm.mitigate_smt_rsb=1`
---
 etc/default/grub.d/40_cpu_mitigations.cfg | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg
index 8236c99..b7984c5 100644
--- a/etc/default/grub.d/40_cpu_mitigations.cfg
+++ b/etc/default/grub.d/40_cpu_mitigations.cfg
@@ -134,6 +134,14 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mmio_stale_data=full,nosmt"
 ##
 GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt"
+## Cross-Thread Return Address Predictions:
+## Mitigate the vulnerability for certain KVM hypervisor configurations.
+## Currently affects AMD Zen 1-2 CPUs.
+##
+## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/cross-thread-rsb.html
+##
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.mitigate_smt_rsb=1"
+
 ## Speculative Return Stack Overflow (SRSO):
 ## Mitigate the vulnerability by ensureing all RET instructions speculate to a controlled location.
 ## Currently affects AMD Zen 1-4 CPUs.
From 0dff2cd28fd769955757cdef1b7f9d637a1180c5 Mon Sep 17 00:00:00 2001
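Review bot: `kvm-intel.vmentry_l1d_flush=always` is redundant beside the `l1tf=full,force` line directly above it: the l1tf document linked in this comment block states that `l1tf=full,force` enforces the `always` flush mode and causes the `kvm-intel.vmentry_l1d_flush` module parameter to be ignored. The added comment `## If conditional L1D flushing, mitigate the vulnerability for certain KVM hypervisor configurations.` therefore describes a state this file never reaches; either drop the line or reword the comment to `## Redundant while l1tf=full,force is set (it enforces 'always'); kept so the flush stays unconditional if l1tf is ever relaxed.`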
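Review bot: `kvm.mitigate_smt_rsb=1` addresses a sibling-thread RSB leak, so with `nosmt=force` set earlier in this file it should have no effect until SMT is re-enabled; keeping it as belt-and-braces is reasonable, but the new comment block should say so, and the `## To re-enable SMT:` checklist near the top of the file should mention that this parameter then becomes active. Suggest appending `## No effect while SMT is disabled via nosmt=force; only becomes active if SMT is re-enabled.` below the `## Currently affects AMD Zen 1-2 CPUs.` line.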
From: raja-grewal Date: Wed, 18 Dec 2024 03:32:35 +0000 Subject: [PATCH 691/846] Minor additions --- etc/default/grub.d/40_cpu_mitigations.cfg | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index b7984c5..fa750b7 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg @@ -8,6 +8,7 @@ ## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. ## Enable known mitigations for CPU vulnerabilities. +## Note, the mitigations for SSB and Retbleed are not currently mentioned in the first link. ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html ## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html ## https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647 @@ -40,6 +41,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mitigations=auto,nosmt" ## - Remove "nosmt=force". ## - Remove all occurrences of ",nosmt" in this file (note the comma ","). ## - Downgrade "l1tf=full,force" protection to "l1tf=flush". +## - Regenerate the dracut initramfs and then reboot system. ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX nosmt=force" @@ -66,7 +68,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ssbd=force-on" ## L1 Terminal Fault (L1TF): ## Mitigate the vulnerability by disabling L1D flush runtime control and SMT. -## If conditional L1D flushing, mitigate the vulnerability for certain KVM hypervisor configurations. +## If L1D flushing is conditional, mitigate the vulnerability for certain KVM hypervisor configurations. ## Currently affects Intel CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html 
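Review bot: The added checklist item `## - Regenerate the dracut initramfs and then reboot system.` names the wrong step for this file: the `GRUB_CMDLINE_LINUX` values around it are consumed by grub-mkconfig, so after editing them the GRUB configuration must be regenerated (`update-grub` on Debian-based systems), while the initramfs is unaffected unless this project embeds the kernel command line there, which is not visible from this hunk. Suggest `## - Regenerate the GRUB configuration (update-grub) and then reboot.`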
@@ -75,7 +77,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1tf=full,force" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm-intel.vmentry_l1d_flush=always" ## Microarchitectural Data Sampling (MDS): -## Mitigate the vulnerability by clearing the buffer cache and disabling SMT. +## Mitigate the vulnerability by clearing the CPU buffer cache and disabling SMT. ## Currently affects Intel CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html @@ -101,7 +103,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX tsx_async_abort=full,nosmt" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force" ## Special Register Buffer Data Sampling (SRBDS): -## Mitigation of the vulnerability is only possible via microcode updates from Intel. +## Mitigation of the vulnerability is only possible via microcode update from Intel. ## Currently affects Intel CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/special-register-buffer-data-sampling.html @@ -115,8 +117,8 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.nx_huge_pages=force" ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX l1d_flush=on" -## MMIO Stale Data: -## Mitigate the vulnerability by appropriately clearing the CPU buffer and disabling SMT. +## Processor MMIO Stale Data: +## Mitigate the vulnerabilities by appropriately clearing the CPU buffer and disabling SMT. ## Currently affects Intel CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html @@ -143,7 +145,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX retbleed=auto,nosmt" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kvm.mitigate_smt_rsb=1" ## Speculative Return Stack Overflow (SRSO): -## Mitigate the vulnerability by ensureing all RET instructions speculate to a controlled location. +## Mitigate the vulnerability by ensuring all RET instructions speculate to a controlled location. ## Currently affects AMD Zen 1-4 CPUs. ## ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html 
From 3749f8ff097551a843e5ed80de52c6770a32e0c6 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 18 Dec 2024 03:36:09 +0000 Subject: [PATCH 692/846] Update presentation on user namespaces --- README.md | 4 +-- usr/lib/sysctl.d/990-security-misc.conf | 43 ++++++++++++------------- 2 files changed, 23 insertions(+), 24 deletions(-) diff --git a/README.md b/README.md index c23d261..d032762 100644 --- a/README.md +++ b/README.md @@ -37,11 +37,11 @@ Kernel space: - Entirely disable the SysRq key so that the Secure Attention Key (SAK) can no longer be utilized. See [documentation](https://www.kicksecure.com/wiki/SysRq). +- Optional - Disable all use of user namespaces. + - Optional - Restrict user namespaces to `CAP_SYS_ADMIN` as they can lead to substantial privilege escalation. -- Optional - Disable all use of user namespaces. - - Restrict kernel profiling and the performance events system to `CAP_PERFMON`. - Force the kernel to panic on both "oopses", which can potentially indicate and thwart diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 81e40a2..10f7a12 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf 
@@ -117,42 +117,41 @@ vm.unprivileged_userfaultfd=0 ## kernel.sysrq=0 -## Restrict user namespaces to users with CAP_SYS_ADMIN. +## Disable user namespaces entirely. ## User namespaces aim to improve sandboxing and accessibility for unprivileged users. -## Unprivileged user namespaces pose substantial privilege escalation risks. -## Restricting may lead to breakages in numerous software packages. -## -## Flatpak requires unprivileged users to create new user namespaces for sandboxing. -## https://github.com/flatpak/flatpak/wiki/User-namespace-requirements -## https://salsa.debian.org/debian/bubblewrap/-/blob/debian/latest/debian/README.Debian -## https://forums.kicksecure.com/t/can-not-run-flatpak-apps-after-kicksecure-update/592 -## ## Disabling entirely will reduce compatibility with some AppArmor profiles. ## Disabling entirely is known to break the UPower systemd service. -## -## Also breaks (some?) AppImages. -## https://forums.kicksecure.com/t/cannot-run-some-appimage-apps-after-kicksecure-upate/594 -## -## Might also break evolution (e-mail client): -## https://forums.kicksecure.com/t/impossible-to-start-evolution-app-since-the-last-update/601 +## Not recommended due to well-known breakages across numerous software packages. ## ## https://lwn.net/Articles/673597/ ## https://madaidans-insecurities.github.io/linux.html#kernel -## https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction ## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers ## https://github.com/NixOS/nixpkgs/pull/84522#issuecomment-614640601 -## https://github.com/flatpak/flatpak/wiki/User-namespace-requirements ## https://github.com/Kicksecure/security-misc/pull/263 -## https://github.com/Kicksecure/security-misc/issues/274 ## ## KSPP=no -## KSPP sets user.max_user_namespaces=0 sysctl, a Linux mainline, stricter setting. +## KSPP sets the sysctl. ## -## kernel.unprivileged_userns_clone is a Debian specific kernel feature. Not Linux mainline. 
-#kernel.unprivileged_userns_clone=0 -## Uncomment the following sysctl to entirely disable user namespaces. #user.max_user_namespaces=0 +## Restrict user namespaces to users with CAP_SYS_ADMIN. +## See the user.max_user_namespaces setting for more details. +## This is a Debian-specific kernel feature, not a Linux mainline setting. +## Unprivileged user namespaces pose substantial privilege escalation risks. +## Flatpak requires unprivileged users to create new user namespaces for sandboxing. +## Restricting is known to cause breakages in some AppImages and the Evolution Email Client. +## Not recommended due to widespread breakages across many software packages. +## +## https://salsa.debian.org/debian/bubblewrap/-/blob/debian/latest/debian/README.Debian +## https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction +## https://github.com/flatpak/flatpak/wiki/User-namespace-requirements +## https://forums.kicksecure.com/t/can-not-run-flatpak-apps-after-kicksecure-update/592 +## https://forums.kicksecure.com/t/cannot-run-some-appimage-apps-after-kicksecure-upate/594 +## https://forums.kicksecure.com/t/impossible-to-start-evolution-app-since-the-last-update/601 +## https://github.com/Kicksecure/security-misc/issues/274 +## +#kernel.unprivileged_userns_clone=0 + ## Restricts kernel profiling to users with CAP_PERFMON. ## The performance events system should not be accessible by unprivileged users. ## Other distributions such as Ubuntu and Fedora may permit further restricting. From 9d69cd1912ab657e7916b38f56b477c2b7abd0a3 Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Wed, 18 Dec 2024 21:34:16 -0600 Subject: [PATCH 693/846] Add sysmaint account lock detection --- usr/libexec/security-misc/pam-info | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index 32fdeaf..adde5bc 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info 
@@ -72,6 +72,14 @@ https://www.kicksecure.com/wiki/root#console fi fi +if [ "$PAM_USER" = 'sysmaint' ]; then + sysmaint_passwd_info="$(passwd -S sysmaint 2>/dev/null)" || true + sysmaint_lock_info="$(cut -d' ' -f2 <<< "${sysmaint_passwd_info}")" + if [ "${sysmaint_lock_info}" = 'L' ]; then + echo "$0: ERROR: Reboot and choose 'PERSISTENT mode SYSMAINT' for system maintenance. See https://www.kicksecure.com/wiki/sysmaint" + fi +fi + ## https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698 ## Does not work (yet) for login, pam_securetty runs before and aborts. From f0c611d9edb5fd7a3e00d13b248c65abda2c9d8a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 19 Dec 2024 00:18:25 -0500 Subject: [PATCH 694/846] comment --- etc/sudoers.d/security-misc | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/sudoers.d/security-misc b/etc/sudoers.d/security-misc index 803ee25..cc700a9 100644 --- a/etc/sudoers.d/security-misc +++ b/etc/sudoers.d/security-misc @@ -7,5 +7,6 @@ ## Use a more open umask when executing commands with sudo ## Can be overridden on a per-user basis using .[z]profile if desirable +## https://www.kicksecure.com/wiki/Dev/Strong_Linux_User_Account_Isolation#umask_hardening Defaults umask_override Defaults umask=0022 From e9a5b14a0db6f071424c19e6f4b006386afb6ab4 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 19 Dec 2024 06:57:42 +0000 Subject: [PATCH 695/846] bumped changelog version --- changelog.upstream | 177 +++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++ 2 files changed, 183 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 1e3591c..fe91377 100644 --- a/changelog.upstream +++ b/changelog.upstream 
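Review bot: `cut -d' ' -f2 <<< "${sysmaint_passwd_info}"` uses a bash here-string while the surrounding code uses POSIX `[ ]` tests; if the script's shebang (outside this hunk) is `/bin/sh`, this line fails at runtime and the lock warning is never shown. A parameter expansion avoids both the bashism and the fork: `sysmaint_lock_info="${sysmaint_passwd_info#* }"` / `sysmaint_lock_info="${sysmaint_lock_info%% *}"`. Note also that `passwd -S sysmaint` reports another account's status only when run as root and the `|| true` hides any such failure, so the check silently does nothing in that case; a comment such as `## passwd -S on another account requires root; on failure the warning is skipped` would make the expectation explicit.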
@@ -1,3 +1,119 @@ +commit 3135a03e21f9e5816097e25aaa7f4a1671f8f87d +Merge: f0c611d c7f7196 +Author: Patrick Schleizer +Date: Thu Dec 19 00:34:56 2024 -0500 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit c7f7196471b07a580c6d4a5d86739215508142cd +Merge: e5b67e0 3749f8f +Author: Patrick Schleizer +Date: Thu Dec 19 00:31:25 2024 -0500 + + Merge pull request #287 from raja-grewal/patch + + Refactor and add two CPU mitigations + +commit f0c611d9edb5fd7a3e00d13b248c65abda2c9d8a +Author: Patrick Schleizer +Date: Thu Dec 19 00:18:25 2024 -0500 + + comment + +commit 4f681be77429984695a1b0f689065051884e7bf7 +Merge: 4c3ca68 4cf5757 +Author: Patrick Schleizer +Date: Thu Dec 19 00:17:44 2024 -0500 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit e5b67e044bb5011dd667879a73a670f2c5f74057 +Merge: 4cf5757 c116796 +Author: Patrick Schleizer +Date: Thu Dec 19 00:15:02 2024 -0500 + + Merge pull request #279 from raja-grewal/arp + + Provide network-related hardening options via `sysctl`'s + +commit 4cf5757575c1257a14331f0169a9d8d163e1326d +Merge: 9d06341 1708a03 +Author: Patrick Schleizer +Date: Thu Dec 19 00:08:56 2024 -0500 + + Merge pull request #282 from ArrayBolt3/arraybolt3/umask + + Enable umask hardening + +commit 3749f8ff097551a843e5ed80de52c6770a32e0c6 +Author: raja-grewal +Date: Wed Dec 18 03:36:09 2024 +0000 + + Update presentation on user namespaces + +commit 0dff2cd28fd769955757cdef1b7f9d637a1180c5 +Author: raja-grewal +Date: Wed Dec 18 03:32:35 2024 +0000 + + Minor additions + +commit 3e96fdd9ccb6268403d6c4f9a061c4a33e6f6dd2 +Author: raja-grewal +Date: Tue Dec 17 11:44:11 2024 +0000 + + Enable `kvm.mitigate_smt_rsb=1` + +commit 45355aabdc180a6a2fdd4a374c6f7d72f4d36240 +Author: raja-grewal +Date: Tue Dec 17 11:42:52 2024 +0000 + + Enable `kvm-intel.vmentry_l1d_flush=always` + +commit defba1f2450b2c8bbc668bf5f6f6f0d101338cc7 +Author: raja-grewal +Date: Tue Dec 17 11:42:03 2024 +0000 + + Refactor CPU mitigations + +commit 
943c421889ce5dfe3869380e4587ca22724f2ce7 +Author: raja-grewal +Date: Tue Dec 17 11:40:38 2024 +0000 + + Minor refactoring + +commit ca3a73ac13d805515f71f1be7ecedc33d3a1b519 +Author: raja-grewal +Date: Tue Dec 17 11:37:10 2024 +0000 + + Typo + +commit 4c3ca68453b44074025a1ec9f31451c57344f3cf +Author: Aaron Rainbolt +Date: Mon Dec 9 12:37:11 2024 -0600 + + Disable unnecessary sudoers exceptions + +commit 9d06341c91b51f9c737fe67457045924323635f0 +Merge: a9dd592 5b88e92 +Author: Patrick Schleizer +Date: Sat Dec 14 15:18:56 2024 -0500 + + Merge pull request #285 from Kicksecure/permission-hardener-mount + + Permission Hardener: treat mount same as umount + +commit c1167968542a62d0677517e11505f6e9222ec378 +Author: raja-grewal +Date: Thu Dec 12 06:36:47 2024 +0000 + + `arp_ignore`: Add reference to 2024-12-10 Mullvad VPN audit details + +commit a9dd592a8b49226f326e90111178aebba3cc144f +Author: Patrick Schleizer +Date: Tue Dec 10 19:19:10 2024 +0000 + + bumped changelog version + commit 58722324ec0be98c3e44938df8cb60ca9b261210 Merge: 518224b 439fa7f Author: Patrick Schleizer @@ -29,6 +145,30 @@ Date: Sat Dec 7 04:50:40 2024 -0500 . +commit 5b88e92e5c4b951e659e1574fc248bd11158dfb2 +Author: Patrick Schleizer +Date: Fri Dec 6 09:48:58 2024 -0500 + + permission hardner: treat `mount` the same way we treat `umount` + + Thanks to @the-moog for the bug report! + + fixes https://github.com/Kicksecure/security-misc/issues/284 + +commit 93b51819d4693955936456916188b4118fe68a66 +Author: Patrick Schleizer +Date: Fri Dec 6 09:47:08 2024 -0500 + + permission hardener mount chmod change from `745` to `755` + + https://github.com/Kicksecure/security-misc/issues/284 + +commit 1708a03e1edda821ef091f10c46d32f740511d38 +Author: Aaron Rainbolt +Date: Thu Nov 28 15:20:57 2024 -0600 + + Enable umask hardening + commit 59299a6639fef31565b8f3cef857c9faa331e0f7 Author: Patrick Schleizer Date: Mon Nov 25 21:07:42 2024 +0000 
@@ -92,6 +232,37 @@ Date: Thu Nov 14 14:41:14 2024 -0500 This reverts commit 862d23cb10b7687084f8e7e207d1e2c9c1ef6751. +commit 412b371e85044962f6620386b767369b9e25d71e +Merge: 141b84c 57e1edd +Author: raja-grewal +Date: Wed Nov 13 16:47:57 2024 +1100 + + Merge branch 'Kicksecure:master' into arp + +commit 141b84c40de76988ec78bdccf1c1d67fc4367b3f +Author: raja-grewal +Date: Wed Nov 13 05:42:56 2024 +0000 + + Provide option to deny sending and receiving shared media redirects + +commit 18aec201bfb0477fee8800ad1388099e11920016 +Author: raja-grewal +Date: Wed Nov 13 05:41:25 2024 +0000 + + Provide option to harden response to ARP requests + +commit a25d4f8df88908e83e56049204aa625f1196a948 +Author: raja-grewal +Date: Wed Nov 13 05:40:21 2024 +0000 + + Provide option to enable ARP filtering + +commit c2aae73ce161811571e4c85609a0b043399c1b65 +Author: raja-grewal +Date: Wed Nov 13 05:38:03 2024 +0000 + + Add reference and move text + commit 57e1edde23aa3f313ce087e00ebc14d158356d6c Author: Patrick Schleizer Date: Tue Nov 12 09:11:57 2024 +0000 @@ -208,6 +379,12 @@ Date: Fri Nov 8 15:36:04 2024 +1100 Enable `ssbd=force-on` +commit a1d1f97955fd9fd3cee77dc04e2eb5e5fa29d243 +Author: raja-grewal +Date: Fri Nov 8 03:58:23 2024 +0000 + + Provide option to drop gratuitous ARP packets + commit 3af2684134279ba6f5b18b40986f02a50baa5604 Author: Patrick Schleizer Date: Wed Oct 30 09:43:05 2024 +0000 diff --git a/debian/changelog b/debian/changelog index 0b5fc91..e3c3c68 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:41.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 19 Dec 2024 06:57:42 +0000 + security-misc (3:41.1-1) unstable; urgency=medium * New upstream version (local package). From daf0a0900b780a9d44d0d9b49b3fca6ddbd20d18 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Thu, 19 Dec 2024 04:39:34 -0500 Subject: [PATCH 696/846] fix apt-get-update for non-English locale https://forums.kicksecure.com/t/systemcheck-reports-warning-debian-package-update-check-result-apt-get-reports-that-packages-can-be-updated-but-system-is-already-fully-upgraded/785 --- usr/libexec/security-misc/apt-get-update | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr/libexec/security-misc/apt-get-update b/usr/libexec/security-misc/apt-get-update index b506e44..3c91ffd 100755 --- a/usr/libexec/security-misc/apt-get-update +++ b/usr/libexec/security-misc/apt-get-update @@ -8,6 +8,8 @@ set -o nounset set -o errtrace set -o pipefail +export LANG=C + write_pid_file() { [[ -z "${TMP:-}" ]] && error "TMP is unset" safe-rm -rf "$TMP/security-misc-apt-get-update-pid"; From 95b535764c8a98b67a71ee1fd57b7f01da464106 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 19 Dec 2024 09:43:26 +0000 Subject: [PATCH 697/846] bumped changelog version --- changelog.upstream | 14 ++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 20 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index fe91377..1153637 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,17 @@ +commit daf0a0900b780a9d44d0d9b49b3fca6ddbd20d18 +Author: Patrick Schleizer +Date: Thu Dec 19 04:39:34 2024 -0500 + + fix apt-get-update for non-English locale + + https://forums.kicksecure.com/t/systemcheck-reports-warning-debian-package-update-check-result-apt-get-reports-that-packages-can-be-updated-but-system-is-already-fully-upgraded/785 + +commit e9a5b14a0db6f071424c19e6f4b006386afb6ab4 +Author: Patrick Schleizer +Date: Thu Dec 19 06:57:42 2024 +0000 + + bumped changelog version + commit 3135a03e21f9e5816097e25aaa7f4a1671f8f87d Merge: f0c611d c7f7196 Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index e3c3c68..a4dcb4d 100644 --- a/debian/changelog +++ b/debian/changelog 
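Review bot: `export LANG=C` does not reliably give untranslated apt output, because `LC_ALL` and `LC_MESSAGES` take precedence over `LANG` when they are set in the caller's environment — a user exporting `LC_ALL=de_DE.UTF-8` still gets localized text and the parsing this commit fixes breaks again. Use `export LC_ALL=C` instead (it overrides every `LC_*` and `LANG`), and say why, e.g. `## Force an untranslated locale so apt output can be parsed; LC_ALL overrides LANG and all LC_* variables.` Placing it after the `set -o` lines is fine, since everything below inherits it.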
@@ -1,3 +1,9 @@ +security-misc (3:41.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 19 Dec 2024 09:43:26 +0000 + security-misc (3:41.2-1) unstable; urgency=medium * New upstream version (local package). From 750367a9066ca2a0ff819b438a92cb1f6c325edb Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Thu, 19 Dec 2024 10:29:56 +0000 Subject: [PATCH 698/846] Set `net.ipv4.conf.*.shared_media=0` --- README.md | 4 ++-- usr/lib/sysctl.d/990-security-misc.conf | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index df12ba2..7f35178 100644 --- a/README.md +++ b/README.md @@ -102,8 +102,8 @@ Networking: - Disable ICMP redirect acceptance and redirect sending messages to prevent man-in-the-middle attacks and minimize information disclosure. -- Optional - Deny sending and receiving shared media redirects to reduce - the risk of IP spoofing attacks. +- Deny sending and receiving shared media redirects to reduce the risk of IP + spoofing attacks. - Optional - Enable ARP filtering to mitigate some ARP spoofing and ARP cache poisoning attacks. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 4cf6bb6..30fe4f6 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -451,7 +451,7 @@ net.ipv6.conf.*.accept_redirects=0 ## https://datatracker.ietf.org/doc/html/rfc1620 ## https://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/theconfvariables.html ## -#net.ipv4.conf.*.shared_media=0 +net.ipv4.conf.*.shared_media=0 ## Enable ARP (Address Resolution Protocol) filtering. ## Prevents the Linux kernel from handling the ARP table globally From af1d06973bdd46af3e39b0bdfda81b950ccac996 Mon Sep 17 00:00:00 2001 
From: raja-grewal Date: Thu, 19 Dec 2024 10:31:43 +0000 Subject: [PATCH 699/846] Set `net.ipv4.conf.*.arp_filter=1` --- README.md | 3 +-- usr/lib/sysctl.d/990-security-misc.conf | 2 +- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index df12ba2..54a793a 100644 --- a/README.md +++ b/README.md @@ -105,8 +105,7 @@ Networking: - Optional - Deny sending and receiving shared media redirects to reduce the risk of IP spoofing attacks. -- Optional - Enable ARP filtering to mitigate some ARP spoofing and ARP - cache poisoning attacks. +- Enable ARP filtering to mitigate some ARP spoofing and ARP cache poisoning attacks. - Optional - Respond to ARP requests only if the target IP address is on-link, preventing some IP spoofing attacks. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 4cf6bb6..fd3ce59 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -460,7 +460,7 @@ net.ipv6.conf.*.accept_redirects=0 ## ## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf ## -#net.ipv4.conf.*.arp_filter=1 +net.ipv4.conf.*.arp_filter=1 ## Respond to ARP (Address Resolution Protocol) requests only if the target IP address is on-link. ## Reduces IP spoofing attacks by limiting the scope of allowable ARP responses. From c37f4efadf8f046168732871172cb66f58eb7c78 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Thu, 19 Dec 2024 10:33:49 +0000 Subject: [PATCH 700/846] Set `net.ipv4.conf.*.arp_ignore=2` --- README.md | 4 ++-- usr/lib/sysctl.d/990-security-misc.conf | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index df12ba2..3eb30d6 100644 --- a/README.md +++ b/README.md 
@@ -108,8 +108,8 @@ Networking: - Optional - Enable ARP filtering to mitigate some ARP spoofing and ARP cache poisoning attacks. -- Optional - Respond to ARP requests only if the target IP address is - on-link, preventing some IP spoofing attacks. +- Respond to ARP requests only if the target IP address is on-link, + preventing some IP spoofing attacks. - Optional - Drop gratuitous ARP packets to prevent ARP cache poisoning via man-in-the-middle and denial-of-service attacks. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 4cf6bb6..fc176d3 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -470,7 +470,7 @@ net.ipv6.conf.*.accept_redirects=0 ## https://github.com/mullvad/mullvadvpn-app/pull/7141 ## https://www.x41-dsec.de/static/reports/X41-Mullvad-Audit-Public-Report-2024-12-10.pdf ## -#net.ipv4.conf.*.arp_ignore=2 +net.ipv4.conf.*.arp_ignore=2 ## Drop gratuitous ARP (Address Resolution Protocol) packets. ## Stops ARP responses sent by a device without being explicitly requested. From 2e6e1701a052ef32711f6c3abaad693a773323f6 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Thu, 19 Dec 2024 10:35:08 +0000 Subject: [PATCH 701/846] Set `net.ipv4.conf.*.drop_gratuitous_arp=1` --- README.md | 4 ++-- usr/lib/sysctl.d/990-security-misc.conf | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index df12ba2..923ee2b 100644 --- a/README.md +++ b/README.md @@ -111,8 +111,8 @@ Networking: - Optional - Respond to ARP requests only if the target IP address is on-link, preventing some IP spoofing attacks. -- Optional - Drop gratuitous ARP packets to prevent ARP cache poisoning - via man-in-the-middle and denial-of-service attacks. +- Drop gratuitous ARP packets to prevent ARP cache poisoning via + man-in-the-middle and denial-of-service attacks. - Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks. 
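Review bot: Enabling `net.ipv4.conf.*.arp_ignore=2` by default changes reachability, not only hardening: value 2 additionally ignores ARP requests whose sender is outside the subnet of the target address on that interface, and setups with an off-subnet on-link default gateway (common with /32 addressing at some hosting providers) then lose their gateway after the next reboot. Value 1 (answer only for addresses configured on the incoming interface) appears to cover the spoofing case described in the README without that subnet restriction, though whether the cited Mullvad fix relies on 2 is not visible here. At minimum the caveat belongs in the comment block above the line, e.g. `## Caveat: value 2 also drops requests from senders outside the target address's subnet; use 1 if an off-subnet (on-link) gateway must resolve this host.`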
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 4cf6bb6..495de4a 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -482,7 +482,7 @@ net.ipv6.conf.*.accept_redirects=0 ## https://patchwork.ozlabs.org/project/netdev/patch/1428652454-1224-3-git-send-email-johannes@sipsolutions.net/ ## https://www.practicalnetworking.net/series/arp/gratuitous-arp/ ## -#net.ipv4.conf.*.drop_gratuitous_arp=1 +net.ipv4.conf.*.drop_gratuitous_arp=1 ## Ignore ICMP echo requests. ## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks. From 175b442d5bb9dfcb4e9b524ec2077e72c74598cc Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 19 Dec 2024 05:56:50 -0500 Subject: [PATCH 702/846] use long option name --- usr/libexec/security-misc/pam-info | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index adde5bc..382e2ac 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -73,7 +73,7 @@ https://www.kicksecure.com/wiki/root#console fi if [ "$PAM_USER" = 'sysmaint' ]; then - sysmaint_passwd_info="$(passwd -S sysmaint 2>/dev/null)" || true + sysmaint_passwd_info="$(passwd --status sysmaint 2>/dev/null)" || true sysmaint_lock_info="$(cut -d' ' -f2 <<< "${sysmaint_passwd_info}")" if [ "${sysmaint_lock_info}" = 'L' ]; then echo "$0: ERROR: Reboot and choose 'PERSISTENT mode SYSMAINT' for system maintenance. See https://www.kicksecure.com/wiki/sysmaint" From 642b4eeedc43e69bb82ea259b52c0946ce638983 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Thu, 19 Dec 2024 21:57:25 +1100 Subject: [PATCH 703/846] Add link to tabular comparison of CPU mitigations --- etc/default/grub.d/40_cpu_mitigations.cfg | 3 +++ 1 file changed, 3 insertions(+) 
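Review bot: With `net.ipv4.conf.*.drop_gratuitous_arp=1` the host no longer learns IP-to-MAC moves that are announced by gratuitous ARP, so after a legitimate move (gateway or peer failing over to another NIC, VRRP/keepalived floating IPs, a live-migrated VM) traffic to that IP keeps going to the stale MAC until the neighbour entry goes stale and is re-resolved. That is the trade-off behind the optional-by-default status this commit removes; whether it is acceptable for the target environment is a product decision, but it should be stated next to the setting, e.g. `## Caveat: IP moves announced via gratuitous ARP are not learned until the stale neighbour entry expires (affects HA failover and live migration).` The surrounding comment block starts outside this hunk.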
diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index fa750b7..d2232b3 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg @@ -18,6 +18,9 @@ ## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/advisory-guidance.html ## https://www.intel.com/content/www/us/en/developer/topic-technology/software-security-guidance/disclosure-documentation.html +## Tabular comparison between the utility and functionality of various mitigations. +## https://forums.whonix.org/t/kernel-hardening-security-misc/7296/587 + ## Enable a subset of known mitigations for some CPU vulnerabilities and disable SMT. ## ## KSPP=yes From 721b100fb64136b7c36c8d43c90c716a1fed42d0 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 19 Dec 2024 10:58:50 +0000 Subject: [PATCH 704/846] bumped changelog version --- changelog.upstream | 25 +++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 31 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 1153637..e5ef237 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,22 @@ +commit 175b442d5bb9dfcb4e9b524ec2077e72c74598cc +Author: Patrick Schleizer +Date: Thu Dec 19 05:56:50 2024 -0500 + + use long option name + +commit c99021bb0c1d5b6bf361cc483449330cdd218ee6 +Merge: 95b5357 9d69cd1 +Author: Patrick Schleizer +Date: Thu Dec 19 05:56:01 2024 -0500 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/sysmaint' + +commit 95b535764c8a98b67a71ee1fd57b7f01da464106 +Author: Patrick Schleizer +Date: Thu Dec 19 09:43:26 2024 +0000 + + bumped changelog version + commit daf0a0900b780a9d44d0d9b49b3fca6ddbd20d18 Author: Patrick Schleizer Date: Thu Dec 19 04:39:34 2024 -0500 
@@ -59,6 +78,12 @@ Date: Thu Dec 19 00:08:56 2024 -0500 Enable umask hardening +commit 9d69cd1912ab657e7916b38f56b477c2b7abd0a3 +Author: Aaron Rainbolt +Date: Wed Dec 18 21:34:16 2024 -0600 + + Add sysmaint account lock detection + commit 3749f8ff097551a843e5ed80de52c6770a32e0c6 Author: raja-grewal Date: Wed Dec 18 03:36:09 2024 +0000 diff --git a/debian/changelog b/debian/changelog index a4dcb4d..944ae91 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:41.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 19 Dec 2024 10:58:50 +0000 + security-misc (3:41.3-1) unstable; urgency=medium * New upstream version (local package). From 6de5d2d0763539d6d0d4b19b501bb316ed3b2c94 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 20 Dec 2024 00:37:44 -0500 Subject: [PATCH 705/846] permission hardener: also parse `/usr/lib/permission-hardener.d/*.conf` folder --- usr/bin/permission-hardener | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 858679c..c88b54f 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -590,6 +590,7 @@ parse_config_folder() { shopt -s nullglob for config_file in \ + /usr/lib/permission-hardener.d/*.conf \ /etc/permission-hardener.d/*.conf \ /usr/local/etc/permission-hardener.d/*.conf \ /etc/permission-hardening.d/*.conf \ From a2c1e8c218117a47ef70dd767d753be5d084adfa Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 20 Dec 2024 00:39:51 -0500 Subject: [PATCH 706/846] clean up old files in `/etc/permission-hardener.d` because will be moved to `/usr/lib/permission-hardener.d` --- debian/security-misc.maintscript | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript index f6d6a83..adce7ef 100644 --- a/debian/security-misc.maintscript +++ b/debian/security-misc.maintscript 
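Review bot: The precedence between the new `/usr/lib/permission-hardener.d` and `/etc/permission-hardener.d` is implied only by list position: files are parsed directory by directory, so `/usr/lib/.../30_default.conf` is read before `/etc/.../10_local.conf`, and a same-named file in `/etc` does not mask its `/usr/lib` counterpart the way systemd-style drop-ins do — both are applied. If a later entry for the same path wins (the parsing code is outside this hunk) this gives `/etc` the last word, which is what an admin override needs; if not, a shipped default cannot be overridden at all, so this deserves a comment above the list, e.g. `## Parsed in this order: packaged /usr/lib defaults first, then admin directories. Same-named files are NOT masked; all matching files are applied.` parse_config_folder begins and ends outside the hunk.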
@@ -68,6 +68,28 @@ rm_conffile /etc/permission-hardening.d/25_default_whitelist_unix_chkpwd.conf rm_conffile /etc/permission-hardening.d/25_default_whitelist_virtualbox.conf rm_conffile /etc/permission-hardening.d/30_default.conf +## moved to /usr/lib/permission-hardener.d +rm_conffile /etc/permission-hardener.d/25_default_passwd.conf +rm_conffile /etc/permission-hardener.d/25_default_sudo.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_bubblewrap.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_chromium.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_dbus.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_firejail.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_fuse.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_hardened_malloc.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_mount.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_pam.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_policykit.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_postfix.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_qubes.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_selinux.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_spice.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_ssh.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_sudo.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf +rm_conffile /etc/permission-hardener.d/25_default_whitelist_virtualbox.conf +rm_conffile /etc/permission-hardener.d/30_default.conf + ## merged into 1 file /etc/default/grub.d/40_kernel_hardening.cfg rm_conffile /etc/default/grub.d/40_distrust_bootloader.cfg rm_conffile /etc/default/grub.d/40_distrust_cpu.cfg From ad6e1f5ad490e12fc5e69b82da5dc1830cc41c96 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Fri, 20 Dec 2024 00:41:06 -0500 Subject: [PATCH 707/846] move from `/etc/permission-hardener.d` to `/usr/lib/permission-hardener.d` --- {etc => usr/lib}/permission-hardener.d/25_default_passwd.conf | 0 {etc => usr/lib}/permission-hardener.d/25_default_sudo.conf | 0 .../permission-hardener.d/25_default_whitelist_bubblewrap.conf | 0 .../lib}/permission-hardener.d/25_default_whitelist_chromium.conf | 0 .../lib}/permission-hardener.d/25_default_whitelist_dbus.conf | 0 .../lib}/permission-hardener.d/25_default_whitelist_firejail.conf | 0 .../lib}/permission-hardener.d/25_default_whitelist_fuse.conf | 0 .../25_default_whitelist_hardened_malloc.conf | 0 .../lib}/permission-hardener.d/25_default_whitelist_mount.conf | 0 .../lib}/permission-hardener.d/25_default_whitelist_pam.conf | 0 .../permission-hardener.d/25_default_whitelist_policykit.conf | 0 .../lib}/permission-hardener.d/25_default_whitelist_postfix.conf | 0 .../lib}/permission-hardener.d/25_default_whitelist_qubes.conf | 0 .../lib}/permission-hardener.d/25_default_whitelist_selinux.conf | 0 .../lib}/permission-hardener.d/25_default_whitelist_spice.conf | 0 .../lib}/permission-hardener.d/25_default_whitelist_ssh.conf | 0 .../lib}/permission-hardener.d/25_default_whitelist_sudo.conf | 0 .../permission-hardener.d/25_default_whitelist_unix_chkpwd.conf | 0 .../permission-hardener.d/25_default_whitelist_virtualbox.conf | 0 {etc => usr/lib}/permission-hardener.d/30_default.conf | 0 20 files changed, 0 insertions(+), 0 deletions(-) rename {etc => usr/lib}/permission-hardener.d/25_default_passwd.conf (100%) rename {etc => usr/lib}/permission-hardener.d/25_default_sudo.conf (100%) rename {etc => usr/lib}/permission-hardener.d/25_default_whitelist_bubblewrap.conf (100%) rename {etc => usr/lib}/permission-hardener.d/25_default_whitelist_chromium.conf (100%) rename {etc => usr/lib}/permission-hardener.d/25_default_whitelist_dbus.conf (100%) rename {etc => 
usr/lib}/permission-hardener.d/25_default_whitelist_firejail.conf (100%) rename {etc => usr/lib}/permission-hardener.d/25_default_whitelist_fuse.conf (100%) rename {etc => usr/lib}/permission-hardener.d/25_default_whitelist_hardened_malloc.conf (100%) rename {etc => usr/lib}/permission-hardener.d/25_default_whitelist_mount.conf (100%) rename {etc => usr/lib}/permission-hardener.d/25_default_whitelist_pam.conf (100%) rename {etc => usr/lib}/permission-hardener.d/25_default_whitelist_policykit.conf (100%) rename {etc => usr/lib}/permission-hardener.d/25_default_whitelist_postfix.conf (100%) rename {etc => usr/lib}/permission-hardener.d/25_default_whitelist_qubes.conf (100%) rename {etc => usr/lib}/permission-hardener.d/25_default_whitelist_selinux.conf (100%) rename {etc => usr/lib}/permission-hardener.d/25_default_whitelist_spice.conf (100%) rename {etc => usr/lib}/permission-hardener.d/25_default_whitelist_ssh.conf (100%) rename {etc => usr/lib}/permission-hardener.d/25_default_whitelist_sudo.conf (100%) rename {etc => usr/lib}/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf (100%) rename {etc => usr/lib}/permission-hardener.d/25_default_whitelist_virtualbox.conf (100%) rename {etc => usr/lib}/permission-hardener.d/30_default.conf (100%) diff --git a/etc/permission-hardener.d/25_default_passwd.conf b/usr/lib/permission-hardener.d/25_default_passwd.conf similarity index 100% rename from etc/permission-hardener.d/25_default_passwd.conf rename to usr/lib/permission-hardener.d/25_default_passwd.conf diff --git a/etc/permission-hardener.d/25_default_sudo.conf b/usr/lib/permission-hardener.d/25_default_sudo.conf similarity index 100% rename from etc/permission-hardener.d/25_default_sudo.conf rename to usr/lib/permission-hardener.d/25_default_sudo.conf 
diff --git a/etc/permission-hardener.d/25_default_whitelist_bubblewrap.conf b/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf similarity index 100% rename from etc/permission-hardener.d/25_default_whitelist_bubblewrap.conf rename to usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf diff --git a/etc/permission-hardener.d/25_default_whitelist_chromium.conf b/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf similarity index 100% rename from etc/permission-hardener.d/25_default_whitelist_chromium.conf rename to usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf diff --git a/etc/permission-hardener.d/25_default_whitelist_dbus.conf b/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf similarity index 100% rename from etc/permission-hardener.d/25_default_whitelist_dbus.conf rename to usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf diff --git a/etc/permission-hardener.d/25_default_whitelist_firejail.conf b/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf similarity index 100% rename from etc/permission-hardener.d/25_default_whitelist_firejail.conf rename to usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf diff --git a/etc/permission-hardener.d/25_default_whitelist_fuse.conf b/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf similarity index 100% rename from etc/permission-hardener.d/25_default_whitelist_fuse.conf rename to usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf diff --git a/etc/permission-hardener.d/25_default_whitelist_hardened_malloc.conf b/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf similarity index 100% rename from etc/permission-hardener.d/25_default_whitelist_hardened_malloc.conf rename to usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf 
diff --git a/etc/permission-hardener.d/25_default_whitelist_mount.conf b/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf similarity index 100% rename from etc/permission-hardener.d/25_default_whitelist_mount.conf rename to usr/lib/permission-hardener.d/25_default_whitelist_mount.conf diff --git a/etc/permission-hardener.d/25_default_whitelist_pam.conf b/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf similarity index 100% rename from etc/permission-hardener.d/25_default_whitelist_pam.conf rename to usr/lib/permission-hardener.d/25_default_whitelist_pam.conf diff --git a/etc/permission-hardener.d/25_default_whitelist_policykit.conf b/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf similarity index 100% rename from etc/permission-hardener.d/25_default_whitelist_policykit.conf rename to usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf diff --git a/etc/permission-hardener.d/25_default_whitelist_postfix.conf b/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf similarity index 100% rename from etc/permission-hardener.d/25_default_whitelist_postfix.conf rename to usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf diff --git a/etc/permission-hardener.d/25_default_whitelist_qubes.conf b/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf similarity index 100% rename from etc/permission-hardener.d/25_default_whitelist_qubes.conf rename to usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf diff --git a/etc/permission-hardener.d/25_default_whitelist_selinux.conf b/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf similarity index 100% rename from etc/permission-hardener.d/25_default_whitelist_selinux.conf rename to usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf 
diff --git a/etc/permission-hardener.d/25_default_whitelist_spice.conf b/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf similarity index 100% rename from etc/permission-hardener.d/25_default_whitelist_spice.conf rename to usr/lib/permission-hardener.d/25_default_whitelist_spice.conf diff --git a/etc/permission-hardener.d/25_default_whitelist_ssh.conf b/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf similarity index 100% rename from etc/permission-hardener.d/25_default_whitelist_ssh.conf rename to usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf diff --git a/etc/permission-hardener.d/25_default_whitelist_sudo.conf b/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf similarity index 100% rename from etc/permission-hardener.d/25_default_whitelist_sudo.conf rename to usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf diff --git a/etc/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf b/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf similarity index 100% rename from etc/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf rename to usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf diff --git a/etc/permission-hardener.d/25_default_whitelist_virtualbox.conf b/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf similarity index 100% rename from etc/permission-hardener.d/25_default_whitelist_virtualbox.conf rename to usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf diff --git a/etc/permission-hardener.d/30_default.conf b/usr/lib/permission-hardener.d/30_default.conf similarity index 100% rename from etc/permission-hardener.d/30_default.conf rename to usr/lib/permission-hardener.d/30_default.conf From cd027b86e710b6f6b8fac6dd0ebcdcd691e86dd3 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Fri, 20 Dec 2024 05:48:48 +0000 Subject: [PATCH 708/846] bumped changelog version --- changelog.upstream | 25 +++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 31 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index e5ef237..7f2d4d9 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,28 @@ +commit ad6e1f5ad490e12fc5e69b82da5dc1830cc41c96 +Author: Patrick Schleizer +Date: Fri Dec 20 00:41:06 2024 -0500 + + move from `/etc/permission-hardener.d` to `/usr/lib/permission-hardener.d` + +commit a2c1e8c218117a47ef70dd767d753be5d084adfa +Author: Patrick Schleizer +Date: Fri Dec 20 00:39:51 2024 -0500 + + clean up old files in `/etc/permission-hardener.d` + because will be moved to `/usr/lib/permission-hardener.d` + +commit 6de5d2d0763539d6d0d4b19b501bb316ed3b2c94 +Author: Patrick Schleizer +Date: Fri Dec 20 00:37:44 2024 -0500 + + permission hardener: also parse `/usr/lib/permission-hardener.d/*.conf` folder + +commit 721b100fb64136b7c36c8d43c90c716a1fed42d0 +Author: Patrick Schleizer +Date: Thu Dec 19 10:58:50 2024 +0000 + + bumped changelog version + commit 175b442d5bb9dfcb4e9b524ec2077e72c74598cc Author: Patrick Schleizer Date: Thu Dec 19 05:56:50 2024 -0500 diff --git a/debian/changelog b/debian/changelog index 944ae91..d2603e0 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:41.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 20 Dec 2024 05:48:48 +0000 + security-misc (3:41.4-1) unstable; urgency=medium * New upstream version (local package). From b21c394ea52401c0d77b6ec396af6a49335f5e0b Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 20 Dec 2024 00:56:20 -0500 Subject: [PATCH 709/846] Trigger permission hardener when new configuration files are being installed. --- debian/security-misc.triggers | 10 ++++++++++ 1 file changed, 10 insertions(+) 
diff --git a/debian/security-misc.triggers b/debian/security-misc.triggers index f425076..ace3c31 100644 --- a/debian/security-misc.triggers +++ b/debian/security-misc.triggers @@ -1,6 +1,16 @@ ## Copyright (C) 2024 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. +## use noawait ## https://github.com/Kicksecure/security-misc/issues/196 + +## Trigger permission hardener when new binaries are being installed. interest-noawait /usr interest-noawait /opt + +## Trigger permission hardener when new configuration files are being installed. +/usr/lib/permission-hardener.d +/etc/permission-hardener.d +/usr/local/etc/permission-hardener.d +/etc/permission-hardening.d +/usr/local/etc/permission-hardening.d From b40bc0a2c9b17b3569918a6839bce1c67af5c9df Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 20 Dec 2024 05:58:24 +0000 Subject: [PATCH 710/846] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 7f2d4d9..370cb7c 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit b21c394ea52401c0d77b6ec396af6a49335f5e0b +Author: Patrick Schleizer +Date: Fri Dec 20 00:56:20 2024 -0500 + + Trigger permission hardener when new configuration files are being installed. + +commit cd027b86e710b6f6b8fac6dd0ebcdcd691e86dd3 +Author: Patrick Schleizer +Date: Fri Dec 20 05:48:48 2024 +0000 + + bumped changelog version + commit ad6e1f5ad490e12fc5e69b82da5dc1830cc41c96 Author: Patrick Schleizer Date: Fri Dec 20 00:41:06 2024 -0500 diff --git a/debian/changelog b/debian/changelog index d2603e0..a3960be 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:41.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 20 Dec 2024 05:58:24 +0000 + security-misc (3:41.5-1) unstable; urgency=medium * New upstream version (local package). From a4c76c617a18a49168e0ffdba2d8b0ae834f2877 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 20 Dec 2024 01:01:13 -0500 Subject: [PATCH 711/846] syntax fix --- debian/security-misc.triggers | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/debian/security-misc.triggers b/debian/security-misc.triggers index ace3c31..2cadd25 100644 --- a/debian/security-misc.triggers +++ b/debian/security-misc.triggers @@ -9,8 +9,8 @@ interest-noawait /usr interest-noawait /opt ## Trigger permission hardener when new configuration files are being installed. -/usr/lib/permission-hardener.d -/etc/permission-hardener.d -/usr/local/etc/permission-hardener.d -/etc/permission-hardening.d -/usr/local/etc/permission-hardening.d +interest-noawait /usr/lib/permission-hardener.d +interest-noawait /etc/permission-hardener.d +interest-noawait /usr/local/etc/permission-hardener.d +interest-noawait /etc/permission-hardening.d +interest-noawait /usr/local/etc/permission-hardening.d From 3c73c0cd3a845d1a484551ff50f59e5f2ef56a68 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 20 Dec 2024 06:01:27 +0000 Subject: [PATCH 712/846] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 370cb7c..643158a 100644 --- a/changelog.upstream +++ b/changelog.upstream 
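Review bot: dpkg file triggers only react to files that a package installs, removes or replaces through dpkg, so the new `interest-noawait /etc/permission-hardener.d` line will not re-run the hardener when an administrator drops or edits a `.conf` there by hand, and since Debian policy forbids packages from shipping files under `/usr/local` the two `/usr/local/etc/...` entries are unlikely ever to fire. If covering local edits is the goal, that needs a separate mechanism (a documented manual `permission-hardener enable` run, or a path-watching unit) rather than more trigger lines. A comment above the block would make the limitation explicit: `## dpkg file triggers only fire for package-managed files; manual edits still require running permission-hardener by hand.`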
@@ -1,3 +1,15 @@ +commit a4c76c617a18a49168e0ffdba2d8b0ae834f2877 +Author: Patrick Schleizer +Date: Fri Dec 20 01:01:13 2024 -0500 + + syntax fix + +commit b40bc0a2c9b17b3569918a6839bce1c67af5c9df +Author: Patrick Schleizer +Date: Fri Dec 20 05:58:24 2024 +0000 + + bumped changelog version + commit b21c394ea52401c0d77b6ec396af6a49335f5e0b Author: Patrick Schleizer Date: Fri Dec 20 00:56:20 2024 -0500 diff --git a/debian/changelog b/debian/changelog index a3960be..c32adbe 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:41.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 20 Dec 2024 06:01:27 +0000 + security-misc (3:41.6-1) unstable; urgency=medium * New upstream version (local package). From 2f3a2bce7756efe75cd8aaf5066b599b4c49bbdc Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Fri, 20 Dec 2024 11:04:22 -0600 Subject: [PATCH 713/846] Add warning about using non-sysmaint accounts in sysmaint mode --- usr/libexec/security-misc/pam-info | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index 382e2ac..3ffad57 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info 
@@ -76,10 +76,17 @@ if [ "$PAM_USER" = 'sysmaint' ]; then sysmaint_passwd_info="$(passwd --status sysmaint 2>/dev/null)" || true sysmaint_lock_info="$(cut -d' ' -f2 <<< "${sysmaint_passwd_info}")" if [ "${sysmaint_lock_info}" = 'L' ]; then - echo "$0: ERROR: Reboot and choose 'PERSISTENT mode SYSMAINT' for system maintenance. See https://www.kicksecure.com/wiki/sysmaint" + echo "$0: ERROR: Reboot and choose 'PERSISTENT mode SYSMAINT' for system maintenance. See https://www.kicksecure.com/wiki/Sysmaint" fi fi +kernel_cmdline="$(cat /proc/cmdline)" + +if [ "$PAM_USER" != 'sysmaint' ] \ + && [[ "${kernel_cmdline}" =~ 'boot-role=sysmaint' ]]; then + echo "$0: WARNING: Reboot and choose 'PERSISTENT mode USER' for normal work. See https://www.kicksecure.com/wiki/Sysmaint" +fi + ## https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698 ## Does not work (yet) for login, pam_securetty runs before and aborts. From aa82202e701167eacb63eac208469844e983ca43 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 24 Dec 2024 05:16:22 +0000 Subject: [PATCH 714/846] bumped changelog version --- changelog.upstream | 19 +++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 25 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 643158a..8c61741 100644 --- a/changelog.upstream +++ b/changelog.upstream 
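Review bot: The `=~ 'boot-role=sysmaint'` test is an unanchored substring match, so any kernel parameter that merely contains that text (for example `xboot-role=sysmaint` or `boot-role=sysmaintenance`) would also raise the warning; matching the whole word is just as short: `[[ " ${kernel_cmdline} " == *' boot-role=sysmaint '* ]]` (the `$(cat ...)` already strips the trailing newline, so the padding spaces work). `cat /proc/cmdline` is also executed for every login, including the `sysmaint` user that the check then ignores; reading it inside the `$PAM_USER != 'sysmaint'` branch avoids the extra process and, if the script runs with errexit, keeps a missing `/proc` (chroot, container) from aborting it, or alternatively use `kernel_cmdline="$(cat /proc/cmdline 2>/dev/null)" || kernel_cmdline=''`. The warning is informational only and does not deny the login; that is presumably intended but deserves a one-line comment next to the `echo`.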
@@ -1,3 +1,22 @@ +commit 27d015d58ebc5e750d9d06f042b761720473941d +Merge: 3c73c0c 2f3a2bc +Author: Patrick Schleizer +Date: Tue Dec 24 00:08:58 2024 -0500 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/sysmaint' + +commit 2f3a2bce7756efe75cd8aaf5066b599b4c49bbdc +Author: Aaron Rainbolt +Date: Fri Dec 20 11:04:22 2024 -0600 + + Add warning about using non-sysmaint accounts in sysmaint mode + +commit 3c73c0cd3a845d1a484551ff50f59e5f2ef56a68 +Author: Patrick Schleizer +Date: Fri Dec 20 06:01:27 2024 +0000 + + bumped changelog version + commit a4c76c617a18a49168e0ffdba2d8b0ae834f2877 Author: Patrick Schleizer Date: Fri Dec 20 01:01:13 2024 -0500 diff --git a/debian/changelog b/debian/changelog index c32adbe..f1c54b6 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:41.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 24 Dec 2024 05:16:21 +0000 + security-misc (3:41.7-1) unstable; urgency=medium * New upstream version (local package). From 6602fb102dedc21300ae4c4519f3d9ef4e668045 Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Tue, 24 Dec 2024 20:52:34 -0600 Subject: [PATCH 715/846] Adjust pam-info messaging for sysmaint mode --- usr/libexec/security-misc/pam-info | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index 3ffad57..085f118 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info 
@@ -84,7 +84,7 @@ kernel_cmdline="$(cat /proc/cmdline)" if [ "$PAM_USER" != 'sysmaint' ] \ && [[ "${kernel_cmdline}" =~ 'boot-role=sysmaint' ]]; then - echo "$0: WARNING: Reboot and choose 'PERSISTENT mode USER' for normal work. See https://www.kicksecure.com/wiki/Sysmaint" + echo "$0: WARNING: Use account 'sysmaint' for system maintenance. See https://www.kicksecure.com/wiki/Sysmaint" fi ## https://forums.whonix.org/t/how-strong-do-linux-user-account-passwords-have-to-be-when-using-full-disk-encryption-fde-too/7698 From 83d386795940099e0835c51f3522aae3d9217dc8 Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Tue, 24 Dec 2024 20:14:57 -0600 Subject: [PATCH 716/846] Refactor permission-hardener to be more idempotent --- debian/security-misc.maintscript | 3 + usr/bin/permission-hardener | 1048 +++++++++-------- usr/bin/permission-hardener-old | 748 ++++++++++++ ....conf => 25_default_whitelist_passwd.conf} | 2 + 4 files changed, 1287 insertions(+), 514 deletions(-) create mode 100755 usr/bin/permission-hardener-old rename usr/lib/permission-hardener.d/{25_default_passwd.conf => 25_default_whitelist_passwd.conf} (91%) diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript index adce7ef..5063263 100644 --- a/debian/security-misc.maintscript +++ b/debian/security-misc.maintscript @@ -106,3 +106,6 @@ rm_conffile /etc/default/grub.d/41_quiet.cfg ## moved to usability-misc rm_conffile /etc/dkms/framework.conf.d/30_security-misc.conf + +## renamed to reflect the fact that this uses a whitelist +rm_conffile /usr/lib/permission-hardener.d/25_default_passwd.conf diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index c88b54f..c8d115b 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener 
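Review bot: `rm_conffile` is meant for files registered as dpkg conffiles, which are normally only those under `/etc`; `/usr/lib/permission-hardener.d/25_default_passwd.conf` is an ordinary packaged file that dpkg removes by itself when the upgraded package no longer ships it, so this entry is at best redundant. Depending on the dpkg-maintscript-helper version, running `rm_conffile` on a non-conffile may leave a `25_default_passwd.conf.dpkg-bak` behind; the hardener's `*.conf` glob would not read it, but it still clutters a directory that is now trigger-watched, so please verify with a test upgrade or drop the line. If the line stays, say why in the comment, e.g. `## not a conffile (lives in /usr/lib); kept only to remove the pre-rename file on upgrade`.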
@@ -10,12 +10,6 @@ set -o errexit -o nounset -o pipefail -exit_code=0 -store_dir="/var/lib/permission-hardener" -dpkg_admindir_parameter_existing_mode="--admindir ${store_dir}/existing_mode" -dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode" -delimiter="#permission-hardener-delimiter#" - # shellcheck disable=SC1091 source /usr/libexec/helper-scripts/safe_echo.sh # shellcheck disable=SC2034 @@ -34,6 +28,7 @@ echo_wrapper_ignore() { } echo_wrapper_audit() { + local return_code if test "${1}" = "verbose"; then shift log notice "Executing: $*" @@ -49,30 +44,23 @@ echo_wrapper_audit() { } } -make_store_dir(){ - mkdir --parents "${store_dir}/private" - mkdir --parents "${store_dir}/existing_mode" - mkdir --parents "${store_dir}/new_mode" -} - ## Some tools may fail on newlines and even variable assignment to array may ## fail if a variable that will be assigned to an array element contains ## characters that are used as delimiters. -block_newlines(){ +block_newlines() { local newline_variable newline_value - newline_variable="${1}" - newline_value="${2}" + newline_variable="${1:-}" + newline_value="${2:-}" ## dpkg-statoverride: error: path may not contain newlines - #if [[ "${newline_value}" == *$'\n'* ]]; then if [[ "${newline_value}" != "${newline_value//$'\n'/NEWLINE}" ]]; then log warn "Skipping ${newline_variable} that contains newlines: '${newline_value}'" >&2 return 1 fi } -output_stat(){ +output_stat() { local file_name - file_name="${1}" + file_name="${1:-}" if test -z "${file_name}"; then log error "File name is empty. file_name: '${file_name}'" >&2 
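Review bot: `${delimiter}` and `${dpkg_admindir_parameter_existing_mode}` are still expanded in later hunks (`stat --format="%a${delimiter}..."` in `output_stat`, the `dpkg-statoverride --add` call in `load_state`), and `exit_code` is still assigned, although their top-level definitions are removed in the first hunk here and the script runs under `set -o nounset`; unless they are re-declared in a part of the file this diff does not show, the first `stat` call aborts with an unbound-variable error. If they were moved, a short comment at the new site such as `## shared by output_stat and load_state; keep defined before any function is called` would make the ordering requirement visible. The `"${1:-}"` defaults added to `block_newlines` and `output_stat` silently turn a missing argument into an empty string, which `output_stat` then reports as an empty file name, so the message there could mention that a caller passed no argument.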
@@ -81,16 +69,10 @@ output_stat(){ block_newlines file "${file_name}" - ## dpkg-statoverride can actually handle '--file-name'. -# if [[ $file_name == --* ]]; then -# log warn "File name starts with '--'. This would be interpreted by dpkg-statoverride as an option. Skipping. file_name: '${file_name}'" >&2 -# return 1 -# fi - declare -a arr local file_name_from_stat stat_output stat_output_newlined - if ! stat_output="$(stat --format="%a${delimiter}%U${delimiter}%G${delimiter}%n${delimiter}" -- "${file_name}")"; then + if ! stat_output="$(stat -L --format="%a${delimiter}%U${delimiter}%G${delimiter}%n${delimiter}" -- "${file_name}")"; then log error "Failed to run 'stat' on file: '${file_name}'!" >&2 return 1 fi @@ -100,7 +82,7 @@ output_stat(){ File name: '${file_name}' Stat output: '${stat_output}' stat_output_newlined: '${stat_output_newlined}' -line: '${line}' +line: '${processed_config_line}' " >&2 return 1 fi @@ -112,7 +94,7 @@ line: '${line}' File name: '${file_name}' Stat output: '${stat_output}' stat_output_newlined: '${stat_output_newlined}' -line: '${line}' +line: '${processed_config_line}' " >&2 return 1 fi @@ -124,7 +106,7 @@ line: '${line}' File name: '${file_name}' Stat output: '${stat_output}' stat_output_newlined: '${stat_output_newlined}' -line: '${line}' +line: '${processed_config_line}' " >&2 return 1 fi 
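Review bot: The error messages in `output_stat` now expand `${processed_config_line}`, a global that is only assigned inside the config-parsing loop of `load_state`; under `set -o nounset`, an `output_stat` failure before any config line has been parsed (empty or absent config files, or a future caller outside `load_state`) would itself die with an unbound-variable error instead of printing the intended diagnostic, so write `${processed_config_line:-}` here or initialise the variable at the top of the script. The new `stat -L` also changes which inode is described when a configured path is itself a symlink: the recorded existing owner, group and mode are the target's, while the path later handed to `dpkg-statoverride` is the symlink; that is probably intended, but a comment such as `## -L: describe the target, symlinks themselves are skipped by the callers` would record the decision. `output_stat` starts and ends outside this hunk.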
@@ -139,456 +121,178 @@ line: '${line}' File name is different from file name received from stat: File name: '${file_name}' File name from stat: '${file_name_from_stat}' -line: '${line}' +line: '${processed_config_line}' " >&2 return 1 fi if test -z "${existing_mode}"; then - log error "Existing mode is empty. Stat output: '${stat_output}', line: '${line}'" >&2 + log error "Existing mode is empty. Stat output: '${stat_output}', line: '${processed_config_line}'" >&2 return 1 fi if test -z "${existing_owner}"; then - log error "Existing owner is empty. Stat output: '${stat_output}', line: '${line}'" >&2 + log error "Existing owner is empty. Stat output: '${stat_output}', line: '${processed_config_line}'" >&2 return 1 fi if test -z "${existing_group}"; then - log error "Existing group is empty. Stat output: '${stat_output}', line: '${line}'" >&2 + log error "Existing group is empty. Stat output: '${stat_output}', line: '${processed_config_line}'" >&2 return 1 fi } -sanity_tests() { - echo_wrapper_audit silent \ - which \ - capsh getcap setcap stat find dpkg-statoverride getent grep 1>/dev/null +print_usage(){ + safe_echo "Usage: ${0##*/} enable + ${0##*/} disable [FILE|all] + +Examples: + ${0##*/} enable + ${0##*/} disable all + ${0##*/} disable /usr/bin/newgrp" >&2 } -add_nosuid_statoverride_entry() { - local fso_to_process - fso_to_process="${fso}" - local should_be_counter - should_be_counter=0 - local counter_actual - counter_actual=0 +## TODO: Validate input before you blindly trust it! 
+add_to_policy() { + local file_name file_mode file_owner file_group updated_entry policy_idx \ + file_capabilities + file_name="${1:-}" + file_mode="${2:-}" + file_owner="${3:-}" + file_group="${4:-}" + file_capabilities="${5:-}" + updated_entry=false - local dummy_line - while IFS="" read -r -d "" dummy_line; do - log info "Test would parse line: '${dummy_line}'" - should_be_counter=$((should_be_counter + 1)) - done < <(safe_echo_nonewline "${fso_to_process}" | find -files0-from - -perm /u=s,g=s -print0) - ## False positive on SC2185 (find without path argument) #1748 - ## https://github.com/koalaman/shellcheck/issues/1748 - ## - ## /usr/lib will hit ARG_MAX if using bash 'shopt -s globstar' and '/usr/lib/**'. - ## Using 'find' with '-perm /u=s,g=s' is faster and avoids ARG_MAX. - ## https://forums.whonix.org/t/disable-suid-binaries/7706/17 + for (( policy_idx=0; policy_idx < ${#policy_file_list[@]}; policy_idx++ )); do + if [ "${policy_file_list[policy_idx]}" = "${file_name}" ]; then + policy_mode_list[policy_idx]="${file_mode}" + policy_user_owner_list[policy_idx]="${file_owner}" + policy_group_owner_list[policy_idx]="${file_group}" + policy_capability_list[policy_idx]="${file_capabilities}" + updated_entry=true + break + fi + done - local line - while IFS="" read -r -d "" file_name; do - counter_actual=$((counter_actual + 1)) + if [ "${updated_entry}" != 'true' ]; then + policy_file_list+=( "${file_name}" ) + policy_mode_list+=( "${file_mode}" ) + policy_user_owner_list+=( "${file_owner}" ) + policy_group_owner_list+=( "${file_group}" ) + policy_capability_list+=( "${file_capabilities}" ) + fi +} + +check_nosuid_whitelist() { + local target_file match_white_list_entry + + target_file="${1:-}" + + ## Handle whitelists, if we're supposed to + if [ "${whitelists_disable_all}" = 'false' ]; then + ## literal matching is intentional here + # shellcheck disable=SC2076 + if ! 
[[ " ${policy_disable_white_list[*]} " =~ " ${target_file} " ]]; then + ## literal matching is intentional here too + # shellcheck disable=SC2076 + if [[ " ${policy_exact_white_list[*]} " =~ " ${target_file} " ]]; then + return 1 + fi + + for match_white_list_entry in "${policy_match_white_list[@]:-}"; do + if safe_echo "${target_file}" \ + | grep --quiet --fixed-strings -- "${match_white_list_entry}"; then + return 1 + fi + done + fi + fi + + return 0 +} + +load_early_nosuid_policy() { + local target_file find_list_item + + target_file="${1:-}" + + # shellcheck disable=SC2185 + while IFS="" read -r -d "" find_list_item; do + check_nosuid_whitelist "${find_list_item}" || continue ## sets: ## exiting_mode ## existing_owner ## existing_group - output_stat "${file_name}" + output_stat "${find_list_item}" ## -h file True if file is a symbolic Link. ## -u file True if file has its set-user-id bit set. ## -g file True if file has its set-group-id bit set. - if test -h "${file_name}"; then + if [ -h "${find_list_item}" ]; then ## https://forums.whonix.org/t/disable-suid-binaries/7706/14 - log info "Skip symlink: '${file_name}'" + log info "Skip symlink: '${find_list_item}'" continue fi - if test -d "${file_name}"; then - log info "Skip directory: '${file_name}'" + if [ -d "${find_list_item}" ]; then + log info "Skip directory: '${find_list_item}'" continue fi - local setuid setgid - setuid="" - if test -u "${file_name}"; then - setuid=true - fi - setgid="" - if test -g "${file_name}"; then - setgid=true - fi + ## Trim off the most significant digit of the mode, this discards S(U|G)ID + ## bits (and the sticky bit too but that doesn't matter on Linux) + ## + ## Actually, the old behavior is better here. 
+ local new_mode + # new_mode="${existing_mode:1}" + new_mode='744' - local setuid_or_setgid - setuid_or_setgid="" - if test "${setuid}" = "true" || test "${setgid}" = "true"; then - setuid_or_setgid=true - fi - if test -z "${setuid_or_setgid}"; then - log info "Neither setuid nor setgid. Skipping. file_name: '${file_name}'" - continue - fi - - ## Remove suid / gid and execute permission for 'group' and 'others'. - ## Similar to: chmod og-ugx /path/to/filename - ## Removing execution permission is useful to make binaries such as 'su' - ## fail closed rather than fail open if suid was removed from these. - ## Do not remove read access since no security benefit and easier to - ## manually undo for users. - ## Are there suid or sgid binaries which are still useful if suid / sgid - ## has been removed from these? - new_mode="744" - - local is_exact_whitelisted - is_exact_whitelisted="" - for white_list_entry in "${exact_white_list[@]:-}"; do - if test -z "${white_list_entry}"; then - log info "white_list_entry unset. Skipping. file_name: '${file_name}'" - continue - fi - if test "${file_name}" = "${white_list_entry}"; then - is_exact_whitelisted="true" - log info "is_exact_whitelisted=true. Skipping. file_name: '${file_name}'" - ## Stop looping through the whitelist. - break - fi - done - - local is_match_whitelisted - is_match_whitelisted="" - for matchwhite_list_entry in "${match_white_list[@]:-}"; do - if test -z "${matchwhite_list_entry}"; then - log info "matchwhite_list_entry unset. Skipping. file_name: '${file_name}'" - continue - fi - if safe_echo "${file_name}" | grep --quiet --fixed-strings -- "${matchwhite_list_entry}"; then - is_match_whitelisted="true" - log info "is_match_whitelisted=true. Skipping. file_name: '${file_name}'" - ## Stop looping through the match_white_list. 
- break - fi - done - - local is_disable_whitelisted - is_disable_whitelisted="" - for disablematch_list_entry in "${disable_white_list[@]:-}"; do - if test -z "${disablematch_list_entry}"; then - log info "disablematch_list_entry unset. Skipping. file_name: '${file_name}'" - continue - fi - if safe_echo "${file_name}" | grep --quiet --fixed-strings -- "${disablematch_list_entry}"; then - is_disable_whitelisted="true" - log info "is_disable_whitelisted=true. Skipping. file_name: '${file_name}'" - ## Stop looping through the disablewhitelist. - break - fi - done - - local clean_output_prefix clean_output - clean_output_prefix="Managing (S|G)UID of line:" - clean_output="${setuid:+setuid='true'} ${setgid:+setgid='true'} existing_mode='${existing_mode}' new_mode='${new_mode}' file='${file_name}'" - if test "${whitelists_disable_all:-}" = "true"; then - log info "${clean_output_prefix} whitelists_disable_all=true ${clean_output}" - elif test "${is_disable_whitelisted}" = "true"; then - log info "${clean_output_prefix} is_disable_whitelisted=true ${clean_output}" - else - if test "${is_exact_whitelisted}" = "true"; then - log info "${clean_output_prefix} is_exact_whitelisted=true ${clean_output}" - continue - fi - if test "${is_match_whitelisted}" = "true"; then - log info "${clean_output_prefix} is_match_whitelisted=true matchwhite_list_entry='${matchwhite_list_entry}' ${clean_output}" - continue - fi - fi - - log notice "${clean_output_prefix} ${clean_output}" - - # shellcheck disable=SC2086 - if dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --list "${file_name}" >/dev/null; then - log info "Existing mode already saved previously. Not saving again." - else - ## Save existing_mode in separate database. - ## Not using --update as not intending to enforce existing_mode. 
- # shellcheck disable=SC2086 - echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --add "${existing_owner}" "${existing_group}" "${existing_mode}" "${file_name}" - fi - - ## No need to check "dpkg-statoverride --list" for existing entries. - ## If existing_mode was correct already, we would not have reached this - ## point. Since existing_mode is incorrect, remove from dpkg-statoverride - ## and re-add. - - ## Remove from real database. - echo_wrapper_ignore silent dpkg-statoverride --remove "${file_name}" - - ## Remove from separate database. - # shellcheck disable=SC2086 - echo_wrapper_ignore silent dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --remove "${file_name}" - - ## Add to real database and use --update to make changes on disk. - echo_wrapper_audit verbose dpkg-statoverride --add --update "${existing_owner}" "${existing_group}" "${new_mode}" "${file_name}" - - ## Not using --update as this is only for recording. - # shellcheck disable=SC2086 - echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${existing_owner}" "${existing_group}" "${new_mode}" "${file_name}" - done < <(safe_echo_nonewline "${fso_to_process}" | find -files0-from - -perm /u=s,g=s -print0) - - ## Sanity test. - if test ! "${should_be_counter}" = "${counter_actual}"; then - log info "File (parsed/wanted): '${fso_to_process}': (${counter_actual}/${should_be_counter})" - log error "Expected number of files to be parsed was not met." 
>&2 - exit_code=202 - fi + add_to_policy "${find_list_item}" "${new_mode}" "${existing_owner}" \ + "${existing_group}" + done < <(safe_echo_nonewline "${target_file}" | find -files0-from - -perm /u=s,g=s -print0) } -set_file_perms() { - log info "START parsing config file: '${config_file}'" +load_late_nosuid_policy() { + local target_file state_idx state_file_item state_user_owner_item \ + state_group_owner_item - local line - while read -r line || test -n "${line}"; do - if test -z "${line}"; then - true "DEBUG: line is empty. Skipping." - continue - fi + target_file="${1:-}" + for (( state_idx=0; state_idx < ${#state_file_list[@]}; state_idx++ )); do + state_file_item="${state_file_list[state_idx]}" + state_user_owner_item="${state_user_owner_list[state_idx]}" + state_group_owner_item="${state_group_owner_list[state_idx]}" + check_nosuid_whitelist "${state_file_item}" || continue - if [[ "${line}" =~ ^\s*# ]]; then - continue - fi - - if ! [[ "${line}" =~ [0-9a-zA-Z/] ]]; then - exit_code=200 - log error "Line contains invalid characters: '${line}'" >&2 - ## Safer to exit with error in this case. - ## https://forums.whonix.org/t/disable-suid-binaries/7706/59 - exit "${exit_code}" - fi - - if test "${line}" = 'whitelists_disable_all=true'; then - whitelists_disable_all=true - log info "whitelists_disable_all=true" - continue - fi - - #global fso - local mode_from_config owner_from_config group_from_config capability_from_config - if ! read -r fso mode_from_config owner_from_config group_from_config capability_from_config <<<"${line}"; then - exit_code=201 - log error "Cannot parse line: '${line}'" >&2 - ## Debugging. - du -hs /tmp || true - safe_echo "test -w /tmp: '$(test -w /tmp)'" >&2 || true - ## Safer to exit with error in this case. 
- ## https://forums.whonix.org/t/disable-suid-binaries/7706/59 - exit "${exit_code}" - fi - - log info "Parsing line: fso='${fso}' mode_from_config='${mode_from_config}' owner_from_config='${owner_from_config}' group_from_config='${group_from_config}' capability_from_config='${capability_from_config}'" - - ## Debugging. - #safe_echo "line: '${line}'" - #safe_echo "fso: '${fso}'" - #safe_echo "mode_from_config: '${mode_from_config}'" - #safe_echo "owner_from_config: '${owner_from_config}'" - - local fso_without_trailing_slash - fso_without_trailing_slash="${fso%/}" - - declare -g disable_white_list exact_white_list match_white_list - case "${mode_from_config}" in - disablewhitelist) - disable_white_list+=("${fso}") - continue - ;; - exactwhitelist) - exact_white_list+=("${fso}") - continue - ;; - matchwhitelist) - match_white_list+=("${fso}") - continue - ;; - esac - - if test ! -e "${fso}"; then - log info "File does not exist: '${fso}'" - continue - fi - - ## Use dpkg-statoverride so permissions are not reset during upgrades. - - if test "${mode_from_config}" = "nosuid"; then - ## If mode_from_config is "nosuid" the config does not set owner and - ## group. Therefore do not enforce owner/group check. - add_nosuid_statoverride_entry - else - local string_length_of_mode_from_config - string_length_of_mode_from_config="${#mode_from_config}" - if test "${string_length_of_mode_from_config}" -gt "4"; then - log error "Invalid mode: '${mode_from_config}'" >&2 - continue - fi - if test "${string_length_of_mode_from_config}" -lt "3"; then - log error "Invalid mode: '${mode_from_config}'" >&2 + if [[ ${state_file_item} == ${target_file}* ]]; then + if [ -h "${state_file_item}" ]; then + ## https://forums.whonix.org/t/disable-suid-binaries/7706/14 + log info "Skip symlink: '${state_file_item}'" continue fi - if ! 
grep --quiet --fixed-strings -- "${owner_from_config}:" "${store_dir}/private/passwd"; then - log error "Owner from config does not exist: '${owner_from_config}'" >&2 + if [ -d "${state_file_item}" ]; then + log info "Skip directory: '${state_file_item}'" continue fi - if ! grep --quiet --fixed-strings -- "${group_from_config}:" "${store_dir}/private/group"; then - log error "Group from config does not exist: '${group_from_config}'" >&2 - continue - fi - - local mode_for_grep - mode_for_grep="${mode_from_config}" - first_character_of_mode_from_config="${mode_from_config::1}" - if test "${first_character_of_mode_from_config}" = "0"; then - ## Remove leading '0'. - mode_for_grep="${mode_from_config:1}" - fi - - file_name="${fso_without_trailing_slash}" - - ## sets: - ## exiting_mode - ## existing_owner - ## existing_group - output_stat "${file_name}" - - ## Check there is an entry for the fso. - ## - ## example: dpkg-statoverride --list | grep /home - ## output: - ## root root 755 /home - ## - ## dpkg-statoverride does not show leading '0'. - local dpkg_statoverride_list_output="" - local dpkg_statoverride_list_exit_code=0 - dpkg_statoverride_list_output="$(dpkg-statoverride --list "${fso_without_trailing_slash}")" || { - dpkg_statoverride_list_exit_code=$? - true - } - - if test "${dpkg_statoverride_list_exit_code}" = "0"; then - local grep_line - grep_line="${owner_from_config} ${group_from_config} ${mode_for_grep} ${fso_without_trailing_slash}" - if safe_echo "${dpkg_statoverride_list_output}" | grep --quiet --fixed-strings -- "${grep_line}"; then - log info "The owner/group/mode matches fso entry. No further action required." - else - log info "The owner/group/mode does not match fso entry, updating entry." 
- ## fso_without_trailing_slash instead of fso to prevent - ## "dpkg-statoverride: warning: stripping trailing /" - - # shellcheck disable=SC2086 - if dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --list "${fso_without_trailing_slash}" >/dev/null; then - log info "Existing mode already saved previously. Not saving again." - else - ## Save existing_mode in separate database. - ## Not using --update as not intending to enforce existing_mode. - # shellcheck disable=SC2086 - echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --add "${existing_owner}" "${existing_group}" "${existing_mode}" "${fso_without_trailing_slash}" - fi - - # shellcheck disable=SC2086 - echo_wrapper_ignore silent dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --remove "${fso_without_trailing_slash}" - - ## Remove from and add to real database. - echo_wrapper_ignore silent dpkg-statoverride --remove "${fso_without_trailing_slash}" - echo_wrapper_audit verbose dpkg-statoverride --add --update "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}" - - ## Save in separate database. - ## Not using --update as this is only for saving. - # shellcheck disable=SC2086 - echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}" - fi - else - log info "There is no fso entry, adding one." - - # shellcheck disable=SC2086 - if dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --list "${fso_without_trailing_slash}" >/dev/null; then - log info "Existing mode already saved previously. Not saving again." - else - ## Save existing_mode in separate database. - ## Not using --update as not intending to enforce existing_mode. 
- # shellcheck disable=SC2086 - echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --add "${existing_owner}" "${existing_group}" "${existing_mode}" "${fso_without_trailing_slash}" - fi - - ## Add to real database. - echo_wrapper_audit verbose dpkg-statoverride --add --update "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}" - - ## Save in separate database. - ## Not using --update as this is only for saving. - # shellcheck disable=SC2086 - echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}" - fi + local new_mode + new_mode='744' + add_to_policy "${state_file_item}" "${new_mode}" \ + "${state_user_owner_item}" "${state_group_owner_item}" fi - if test -z "${capability_from_config}"; then - log info "capability_from_config is empty. Skipping. file_name: '${file_name}'" - continue - fi - - if test "${capability_from_config}" = "none"; then - ## https://forums.whonix.org/t/disable-suid-binaries/7706/45 - ## sudo setcap -r /bin/ping 2>/dev/null - ## Failed to set capabilities on file '/bin/ping' (No data available) - ## The value of the capability argument is not permitted for a file. Or - ## the file is not a regular (non-symlink) file - ## Therefore use echo_wrapper_ignore. - ## - ## NOTE: setcap does not support End-of-Options Marker ('--') yet. - ## setcap bug report: - ## setcap Command Does Not Support End-of-Options Marker ('--') - ## https://bugzilla.kernel.org/show_bug.cgi?id=219487 - echo_wrapper_ignore verbose setcap -r "${fso}" - getcap_output="$(getcap -- "${fso}")" - if test -n "${getcap_output}"; then - exit_code=205 - log error "Removing capabilities failed. File: '${fso}'" >&2 - continue - fi - else - if ! 
capsh --print | grep --fixed-strings -- "Bounding set" | grep --quiet -- "${capability_from_config}"; then - log error "Capability from config does not exist: '${capability_from_config}'" >&2 - continue - fi - - ## feature request: dpkg-statoverride: support for capabilities - ## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=502580 - echo_wrapper_audit verbose setcap "${capability_from_config}+ep" -- "${fso}" - fi - - done <"${config_file}" - log info "END parsing config file: '${config_file}'" + done } -parse_config_folder() { - touch "${store_dir}/private/passwd" - chmod og-rwx "${store_dir}/private/passwd" - touch "${store_dir}/private/group" - chmod og-rwx "${store_dir}/private/group" +load_state() { + ## Config format: + ## path options + ## where options is one of: + ## user_owner group_owner filemode [capability-setting] + ## [nosuid|exactwhitelist|matchwhitelist|disablewhitelist] - local passwd_file_contents_temp - ## Query contents of password and group databases only once and buffer them - ## - ## If we don't buffer we sometimes get incorrect results when checking for - ## entries using 'if getent passwd | grep --quiet -- '^root:'; ...' since - ## 'grep' exits after the first match in this case causing 'getent' to - ## receive SIGPIPE, which then fails the pipeline since 'set -o pipefail' is - ## set for this script. 
- passwd_file_contents_temp="$(getent passwd)" - safe_echo "${passwd_file_contents_temp}" | tee -- "${store_dir}/private/passwd" >/dev/null - group_file_contents_temp="$(getent group)" - safe_echo "${group_file_contents_temp}" | tee -- "${store_dir}/private/group" >/dev/null + local config_file line bit_list file_path policy_nosuid_file_item - #passwd_file_contents="$(cat "${store_dir}/private/passwd")" - #group_file_contents="$(cat "${store_dir}/private/group")" - - shopt -s nullglob + ## Load configuration, deferring whitelist handling until later for config_file in \ /usr/lib/permission-hardener.d/*.conf \ /etc/permission-hardener.d/*.conf \ 
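Review bot: `check_nosuid_whitelist` loops over `"${policy_match_white_list[@]:-}"`, which yields a single empty string whenever no `matchwhitelist` entry is configured, and `grep --quiet --fixed-strings -- ""` matches every input line, so in that case every SUID/SGID candidate is treated as whitelisted and `load_early_nosuid_policy` adds nothing to the policy, a fail-open that the old loop avoided with its `test -z "${matchwhite_list_entry}"` guard. Add `[ -n "${match_white_list_entry}" ] || continue` as the first statement of that `for` loop. The `## TODO: Validate input before you blindly trust it!` above `add_to_policy` is accurate: the old checks on mode length, owner and group existence via getent, and the capability against the `capsh` bounding set are all removed in this hunk, so unless `apply_policy` re-adds them outside this diff a malformed `.conf` line now reaches `dpkg-statoverride --add --update` and `setcap` unvalidated; at minimum `add_to_policy` should reject a mode not matching `^[0-7]{3,4}$` and an owner or group that `getent passwd`/`getent group` does not know. The hunk opens inside `output_stat`, whose start is in the previous hunk.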
@@ -596,97 +300,314 @@ parse_config_folder() { /etc/permission-hardening.d/*.conf \ /usr/local/etc/permission-hardening.d/*.conf do - set_file_perms + if [ ! -f "${config_file}" ]; then + continue + fi + while read -r line; do + if [ -z "${line}" ]; then + true 'DEBUG: line is empty. Skipping.' + continue + fi + if [[ "${line}" =~ ^\s*# ]]; then + continue + fi + if ! [[ "${line}" =~ [0-9a-zA-Z/] ]]; then + exit_code=200 + log error "Line contains invalid characters: '${line}'" >&2 + ## Safer to exit with error in this case. + ## https://forums.whonix.org/t/disable-suid-binaries/7706/59 + exit "${exit_code}" + fi + if [ "${line}" = 'whitelists_disable_all=true' ]; then + whitelists_disable_all=true + log info "whitelists_disable_all=true" + continue + fi + + processed_config_line="${line}" + + IFS=' ' read -r -a bit_list <<< "${line}" + + if (( ${#bit_list[@]} < 2 )) \ + || (( ${#bit_list[@]} > 5 )) \ + || (( ${#bit_list[@]} == 3 )); then + exit_code=200 + log error "Line contains an invalid number of fields: '${line}'" >&2 + exit "${exit_code}" + fi + + # Strip trailing slash if appropriate + bit_list[0]="${bit_list[0]%/}" + file_path="${bit_list[0]}" + + case "${bit_list[1]}" in + 'exactwhitelist') + [ ! -e "${file_path}" ] && continue + policy_exact_white_list+=( "${file_path}" ) + continue + ;; + 'matchwhitelist') + policy_match_white_list+=( "${file_path}" ) + continue + ;; + 'disablewhitelist') + policy_disable_white_list+=( "${file_path}" ) + continue + ;; + 'nosuid') + [ ! -e "${file_path}" ] && continue + policy_nosuid_file_list+=( "${file_path}" ) + ;; + *) + [ ! -e "${file_path}" ] && continue + add_to_policy "${bit_list[@]}" + ;; + esac + done < "${config_file}" + done + + ## We have to handle nosuid files at the end since the whitelist arrays need + ## built first. 
+ for policy_nosuid_file_item in "${policy_nosuid_file_list[@]}"; do + load_early_nosuid_policy "${policy_nosuid_file_item}" + done + + local line bit_list policy_file_item + + ## Load the state file from disk + if [ -f "${state_file}" ]; then + while read -r line; do + read -r -a bit_list <<< "${line}" + if (( ${#bit_list[@]} != 4 )); then + log info "Invalid number of fields in state file line: '${line}'. Skipping." + continue + fi + state_user_owner_list+=( "${bit_list[0]}" ) + state_group_owner_list+=( "${bit_list[1]}" ) + state_mode_list+=( "${bit_list[2]}" ) + state_file_list+=( "${bit_list[3]}" ) + done < "${state_file}" + fi + + ## Find any files in the policy that don't already have a matching file in + ## the state. Add those files to the state, and save them to the state file + ## as well. + for policy_file_item in "${policy_file_list[@]}"; do + # shellcheck disable=SC2076 + if [[ " ${state_file_list[*]} " =~ " ${policy_file_item} " ]]; then + continue + fi + output_stat "${policy_file_item}" + state_file_list+=( "${policy_file_item}" ) + state_user_owner_list+=( "${existing_owner}" ) + state_group_owner_list+=( "${existing_group}" ) + state_mode_list+=( "${existing_mode}" ) + # shellcheck disable=SC2086 + echo_wrapper_audit silent dpkg-statoverride \ + ${dpkg_admindir_parameter_existing_mode} \ + --add "${existing_owner}" "${existing_group}" "${existing_mode}" \ + "${policy_file_item}" + done + + for policy_nosuid_file_item in "${policy_nosuid_file_list[@]}"; do + load_late_nosuid_policy "${policy_nosuid_file_item}" done } -apply() { - check_root - make_store_dir - sanity_tests - parse_config_folder +apply_policy() { + local policy_idx did_state_update state_idx - log notice "\ -To compare the current and previous permission modes, install 'meld' (or preferred diff tool) for comparison of file mode changes: - sudo apt install --no-install-recommends meld - meld ${store_dir}/existing_mode/statoverride ${store_dir}/new_mode/statoverride" + ## Modify the 
in-memory state so that all items that the policy affects match + ## the policy. DO NOT save these changes to the state file! + for (( policy_idx=0; policy_idx < ${#policy_file_list[@]}; policy_idx++ )); do + did_state_update=false + for (( state_idx=0; state_idx < ${#state_file_list[@]}; state_idx++ )); do + if [ "${state_file_list[state_idx]}" = "${policy_file_list[policy_idx]}" ]; then + state_user_owner_list[state_idx]="${policy_user_owner_list[policy_idx]}" + state_group_owner_list[state_idx]="${policy_group_owner_list[policy_idx]}" + state_mode_list[state_idx]="${policy_mode_list[policy_idx]}" + did_state_update=true + break + fi + done + if [ "${did_state_update}" = 'false' ]; then + exit_code=206 + log error "File exists in policy but not in state! File: '${policy_file_list[policy_idx]}'" + exit "${exit_code}" + fi + done } -spare() { - check_root - make_store_dir +commit_policy() { + local policy_idx state_idx state_file_item \ + state_user_owner_item state_group_owner_item \ + state_mode_item orig_main_statoverride_db orig_new_statoverride_db \ + policy_file_item policy_capability_item - remove_file="${1}" - exit_code=0 - dpkg_admindir_parameter_existing_mode="--admindir ${store_dir}/existing_mode" - dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode" + ## Check each file on the filesystem against the state, and update it if the + ## state does not match. Also ensure the consistency of the new_mode database + ## so that people can compare the original permissions of files with the new + ## permissions. + orig_main_statoverride_db="$(dpkg-statoverride --list)" || true + # shellcheck disable=SC2086 + orig_new_statoverride_db="$(dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --list)" || true - if test ! -f "${store_dir}/existing_mode/statoverride"; then - true "DEBUG: Stat file does not exist, hardening was not applied before." 
+ for (( state_idx=0; state_idx < ${#state_file_list[@]}; state_idx++ )); do + state_file_item="${state_file_list[state_idx]}" + state_user_owner_item="${state_user_owner_list[state_idx]}" + state_group_owner_item="${state_group_owner_list[state_idx]}" + state_mode_item="${state_mode_list[state_idx]}" + + ## Get rid of leading zeros, stat doesn't output them due to how we use it. + ## Using BASH_REMATCH is faster than sed. We capture all leading zeros into + ## one group, and the rest of the string into a second group. The second + ## group is the string we want. BASH_REMATCH[0] is the entire string, + ## BASH_REMATCH[1] is the first match that we want to discard, and + ## BASH_REMATCH[2] is the desired second group. + [[ "${state_mode_item}" =~ ^(0*)(.*) ]] || true; + state_mode_item="${BASH_REMATCH[2]}" + + output_stat "${state_file_item}" + + if [ "${existing_owner}" != "${state_user_owner_item}" ] \ + || [ "${existing_group}" != "${state_group_owner_item}" ] \ + || [ "${existing_mode}" != "${state_mode_item}" ]; then + if ! grep --quiet --fixed-strings -- "${state_user_owner_item}:" "${store_dir}/private/passwd"; then + log error "Owner from config does not exist: '${state_user_owner_item}'" >&2 + continue + fi + + if ! 
grep --quiet --fixed-strings -- "${state_group_owner_item}:" "${store_dir}/private/group"; then + log error "Group from config does not exist: '${state_group_owner_item}'" >&2 + continue + fi + # Remove and reapply in main list + if grep --quiet --fixed-strings \ + -- "${state_file_item}" <<< "${orig_main_statoverride_db}"; then + echo_wrapper_ignore silent dpkg-statoverride --remove \ + "${state_file_item}" + fi + echo_wrapper_audit verbose dpkg-statoverride --add --update \ + "${state_user_owner_item}" "${state_group_owner_item}" \ + "${state_mode_item}" "${state_file_item}" + + # Update item in secondary list + if grep --quiet --fixed-strings \ + -- "${state_file_item}" <<< "${orig_new_statoverride_db}"; then + # shellcheck disable=SC2086 + echo_wrapper_ignore silent dpkg-statoverride \ + ${dpkg_admindir_parameter_new_mode} --remove \ + "${state_file_item}" + fi + # shellcheck disable=SC2086 + echo_wrapper_audit verbose dpkg-statoverride \ + ${dpkg_admindir_parameter_new_mode} --add \ + "${state_user_owner_item}" "${state_group_owner_item}" \ + "${state_mode_item}" "${state_file_item}" + fi + done + + ## Apply capability hardening, dpkg-statoverride can't handle this so we have + ## to do this manually + for (( policy_idx=0; policy_idx < ${#policy_file_list[@]}; policy_idx++ )); do + policy_file_item="${policy_file_list[policy_idx]}" + policy_capability_item="${policy_capability_list[policy_idx]}" + if [ -z "${policy_capability_item}" ]; then + continue + fi + + if [ "${policy_capability_item}" = 'none' ]; then + echo_wrapper_ignore verbose setcap -r "${policy_file_item}" + if [ -n "$(getcap -- "${policy_file_item}")" ]; then + exit_code=205 + log error \ + "Removing capabilities failed. File: '${policy_file_item}'" >&2 + continue + fi + else + if ! 
capsh --print \ + | grep --fixed-strings -- "Bounding set" \ + | grep --quiet -- "${policy_capability_item}"; then + log error \ + "Capability from config does not exist: '${policy_capability_item}'" \ + >&2 + continue + fi + + ## feature request: dpkg-statoverride: support for capabilities + ## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=502580 + echo_wrapper_audit verbose setcap "${policy_capability_item}+ep" \ + -- "${policy_file_item}" + fi + done +} + +undo_policy_for_file() { + local undo_file state_idx state_file_item did_undo \ + undo_all verbose orig_main_statoverride_db orig_new_statoverride_db \ + state_user_owner_item state_group_owner_item state_mode_item + + undo_file="${1}" + undo_all=false + verbose='--verbose' + if [ "${undo_file}" = 'all' ]; then + undo_all=true + verbose='' + fi + + if [ ! -f "${state_file}" ]; then + true 'DEBUG: State file does not exist, hardening was not applied before.' return 0 fi - local line - while read -r line; do - ## example line: - ## root root 4755 /usr/lib/eject/dmcrypt-get-device + did_undo=false - local owner group mode file_name - if ! 
read -r owner group mode file_name <<< "${line}"; then - exit_code=201 - log error "Cannot parse line: '${line}'" >&2 - continue + for (( state_idx=0; state_idx < ${#state_file_list[@]}; state_idx++ )); do + state_file_item="${state_file_list[state_idx]}" + if [ "${undo_all}" = 'true' ]; then + undo_file="${state_file_item}" fi - log info "Parsing line: owner='${owner}' group='${group}' mode='${mode}' file_name='${file_name}'" - if test "${remove_file}" = "all"; then - verbose="" - remove_one=false - else - if test "${remove_file}" = "${file_name}"; then - verbose="--verbose" - remove_one=true - safe_echo "${remove_one}" | tee -- "${store_dir}/remove_one" >/dev/null - else - safe_echo "false" | tee -- "${store_dir}/remove_one" >/dev/null - continue + if [ "${state_file_item}" = "${undo_file}" ]; then + orig_main_statoverride_db="$(dpkg-statoverride --list)" || true + # shellcheck disable=SC2086 + orig_new_statoverride_db="$(dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --list)" || true + + if grep --quiet --fixed-strings \ + -- "${undo_file}" <<< "${orig_main_statoverride_db}"; then + echo_wrapper_ignore silent dpkg-statoverride --remove \ + "${undo_file}" fi - fi - if test "${remove_one}" = "true"; then - set -o xtrace - fi + if grep --quiet --fixed-strings \ + -- "${undo_file}" <<< "${orig_new_statoverride_db}"; then + # shellcheck disable=SC2086 + echo_wrapper_ignore silent dpkg-statoverride \ + ${dpkg_admindir_parameter_new_mode} --remove \ + "${undo_file}" + fi - if test -e "${file_name}"; then - # shellcheck disable=SC2086 - chown ${verbose} "${owner}:${group}" "${file_name}" || exit_code=202 - ## chmod need to be run after chown since chown removes suid. 
- ## https://unix.stackexchange.com/questions/53665/chown-removes-setuid-bit-bug-or-feature - # shellcheck disable=SC2086 - chmod ${verbose} "${mode}" "${file_name}" || exit_code=203 - else - log info "File does not exist: '${file_name}'" - fi - - dpkg-statoverride --remove "${file_name}" &>/dev/null || true - # shellcheck disable=SC2086 - dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --remove "${file_name}" &>/dev/null || true - # shellcheck disable=SC2086 - dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --remove "${file_name}" &>/dev/null || true - - if test "${remove_one}" = "true"; then - set +o xtrace + if [ -e "${undo_file}" ]; then + state_user_owner_item="${state_user_owner_list[state_idx]}" + state_group_owner_item="${state_group_owner_list[state_idx]}" + state_mode_item="${state_mode_list[state_idx]}" + chown ${verbose} "${state_user_owner_item}:${state_group_owner_item}" \ + "${undo_file}" || exit_code=202 + ## chmod need to be run after chown since chown removes suid. + chmod ${verbose} "${state_mode_item}" "${undo_file}" || exit_code=203 + else + log info "File does not exist: '${undo_file}'" + fi + did_undo=true break fi + done - done < "${store_dir}/existing_mode/statoverride" + if ! [[ "${did_undo}" = 'false' ]]; then + log info "The specified file is not hardened, leaving unchanged. - if test ! "${remove_file}" = "all"; then - if test "$(cat "${store_dir}/remove_one")" = "false"; then - log info "No file was removed. - - File '${remove_file}' has not been removed from SUID Disabler and Permission Hardener during this invocation. This is expected if already done earlier. + File '${undo_file}' has not been removed from SUID Disabler and Permission Hardener during this invocation. This is expected if no policy was ever applied to the file before. This program expects the full path to the file. Example: $0 disable /usr/bin/newgrp # absolute path: works 
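Review bot: In undo_policy_for_file the `break` after `did_undo=true` now fires in `all` mode as well, because the enclosing test `[ "${state_file_item}" = "${undo_file}" ]` is always true once `undo_file` has been set from the state entry, so `disable all` reverts only the first state entry; guard it with `[ "${undo_all}" = 'true' ] || break`. The closing check `if ! [[ "${did_undo}" = 'false' ]]; then` is inverted: it prints the "not hardened" notice after a successful undo and stays silent when nothing matched, and should read `if [ "${did_undo}" = 'false' ]; then`. In load_state the config loop `while read -r line; do` drops an unterminated last line, which the previous set_file_perms loop handled with `while read -r line || test -n "${line}"; do`. load_state begins before this hunk and undo_policy_for_file closes after it.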
@@ -706,39 +627,138 @@ spare() { For completely disabling SUID Disabler and Permission Hardener: https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#Disable_SUID_Disabler_and_Permission_Hardener" - fi fi } -check_root(){ - if test "$(id -u)" != "0"; then - log error "Not running as root, aborting." - exit 1 - fi +print_columns() { + local format_str bogus_str + format_str='' + for bogus_str in "$@"; do + format_str="${format_str}%s\t" + done + format_str="${format_str}\n" + # Using a dynamically generated format string on purpose. + # shellcheck disable=SC2059 + printf "${format_str}" "$@" } -usage(){ - safe_echo "Usage: ${0##*/} enable - ${0##*/} disable [FILE|all] +print_policy() { + local policy_idx -Examples: - ${0##*/} enable - ${0##*/} disable all - ${0##*/} disable /usr/bin/newgrp" >&2 - exit "${1}" + print_columns 'File' 'User' 'Group' 'Mode' 'Capabilities' + + for (( policy_idx=0; policy_idx < ${#policy_file_list[@]}; policy_idx++ )); do + print_columns \ + "${policy_file_list[policy_idx]}" \ + "${policy_user_owner_list[policy_idx]}" \ + "${policy_group_owner_list[policy_idx]}" \ + "${policy_mode_list[policy_idx]}" \ + "${policy_capability_list[policy_idx]}" + done } +print_state() { + local state_idx + + print_columns 'File' 'User' 'Group' 'Mode' + for (( state_idx=0; state_idx < ${#state_file_list[@]}; state_idx++ )); do + print_columns \ + "${state_file_list[state_idx]}" \ + "${state_user_owner_list[state_idx]}" \ + "${state_group_owner_list[state_idx]}" \ + "${state_mode_list[state_idx]}" + done +} + +## Constants +store_dir="/var/lib/permission-hardener" +state_file="${store_dir}/existing_mode/statoverride" +dpkg_admindir_parameter_existing_mode="--admindir ${store_dir}/existing_mode" +dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode" +delimiter="#permission-hardener-delimiter#" + +## Global variables +policy_file_list=() +policy_user_owner_list=() +policy_group_owner_list=() +policy_mode_list=() 
+policy_capability_list=() +policy_exact_white_list=() +policy_match_white_list=() +policy_disable_white_list=() +policy_nosuid_file_list=() +state_file_list=() +state_user_owner_list=() +state_group_owner_list=() +state_mode_list=() +whitelists_disable_all=false +existing_mode='' +existing_owner='' +existing_group='' +processed_config_line='' +exit_code=0 + +## Setup and sanity checking +if [ "$(id -u)" != '0' ]; then + log error "Not running as root, aborting." + exit 1 +fi + +mkdir --parents "${store_dir}/private" +mkdir --parents "${store_dir}/existing_mode" +mkdir --parents "${store_dir}/new_mode" +touch "${store_dir}/private/passwd" +chmod og-rwx "${store_dir}/private/passwd" +touch "${store_dir}/private/group" +chmod og-rwx "${store_dir}/private/group" +getent passwd | sponge -- "${store_dir}/private/passwd" +getent group | sponge -- "${store_dir}/private/group" + +echo_wrapper_audit silent which capsh getcap setcap stat find \ + dpkg-statoverride getent grep 1>/dev/null + +## Command parsing and execution case "${1:-}" in - enable) shift; apply "$@";; + enable) + shift + load_state + apply_policy + commit_policy + ;; disable) shift case "${1:-}" in - "") usage 1;; - *) spare "${1}";; + "") + print_usage + exit 1 + ;; + *) + load_state + undo_policy_for_file "${1}" + ;; esac ;; - -h|--help) usage 0;; - *) usage 1;; + print-policy) + load_state + print_policy + ;; + print-state) + load_state + print_state + ;; + print-policy-applied-state) + load_state + apply_policy + print_state + ;; + -h|--help) + print_usage + exit 0 + ;; + *) + print_usage + exit 1 + ;; esac if test "${exit_code}" != "0"; then diff --git a/usr/bin/permission-hardener-old b/usr/bin/permission-hardener-old new file mode 100755 index 0000000..c88b54f --- /dev/null +++ b/usr/bin/permission-hardener-old 
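Review bot: The setup block writes the user and group databases with `getent passwd | sponge -- ...` and `getent group | sponge -- ...`, but `sponge` (moreutils) is missing from the tool check on the following lines, and that check runs only after the pipelines that need it, so an absent `sponge` shows up as an opaque pipeline failure (fatal if the new script keeps the `set -o errexit -o pipefail` of the old one) instead of the logged error the check is meant to produce. Add it to the list and move the check ahead of the `getent` lines: `echo_wrapper_audit silent which capsh getcap setcap stat find \` / `dpkg-statoverride getent grep sponge 1>/dev/null`. `command -v` would be preferable to `which` there, since only stdout is discarded and the deprecation notice newer debianutils versions print for `which` would reach the log. The `store_dir`/`state_file`/`dpkg_admindir_*`/`delimiter` block is labelled `## Constants` but none of them is declared `readonly`.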
@@ -0,0 +1,748 @@ +#!/bin/bash + +## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +## https://forums.whonix.org/t/disable-suid-binaries/7706 +## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707 + +## dpkg-statoverride does not support end-of-options ("--"). + +set -o errexit -o nounset -o pipefail + +exit_code=0 +store_dir="/var/lib/permission-hardener" +dpkg_admindir_parameter_existing_mode="--admindir ${store_dir}/existing_mode" +dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode" +delimiter="#permission-hardener-delimiter#" + +# shellcheck disable=SC1091 +source /usr/libexec/helper-scripts/safe_echo.sh +# shellcheck disable=SC2034 +log_level=notice +# shellcheck disable=SC1091 +source /usr/libexec/helper-scripts/log_run_die.sh + +echo_wrapper_ignore() { + if test "${1}" = "verbose"; then + shift + log notice "Executing: $*" + else + shift + fi + "$@" 2>/dev/null || true +} + +echo_wrapper_audit() { + if test "${1}" = "verbose"; then + shift + log notice "Executing: $*" + else + shift + fi + return_code=0 + "$@" || + { + return_code="$?" + exit_code=203 + log error "Command '$*' failed with exit code '${return_code}'! calling function name: '${FUNCNAME[1]}'" >&2 + } +} + +make_store_dir(){ + mkdir --parents "${store_dir}/private" + mkdir --parents "${store_dir}/existing_mode" + mkdir --parents "${store_dir}/new_mode" +} + +## Some tools may fail on newlines and even variable assignment to array may +## fail if a variable that will be assigned to an array element contains +## characters that are used as delimiters. 
+block_newlines(){ + local newline_variable newline_value + newline_variable="${1}" + newline_value="${2}" + ## dpkg-statoverride: error: path may not contain newlines + #if [[ "${newline_value}" == *$'\n'* ]]; then + if [[ "${newline_value}" != "${newline_value//$'\n'/NEWLINE}" ]]; then + log warn "Skipping ${newline_variable} that contains newlines: '${newline_value}'" >&2 + return 1 + fi +} + +output_stat(){ + local file_name + file_name="${1}" + + if test -z "${file_name}"; then + log error "File name is empty. file_name: '${file_name}'" >&2 + return 1 + fi + + block_newlines file "${file_name}" + + ## dpkg-statoverride can actually handle '--file-name'. +# if [[ $file_name == --* ]]; then +# log warn "File name starts with '--'. This would be interpreted by dpkg-statoverride as an option. Skipping. file_name: '${file_name}'" >&2 +# return 1 +# fi + + declare -a arr + local file_name_from_stat stat_output stat_output_newlined + + if ! stat_output="$(stat --format="%a${delimiter}%U${delimiter}%G${delimiter}%n${delimiter}" -- "${file_name}")"; then + log error "Failed to run 'stat' on file: '${file_name}'!" >&2 + return 1 + fi + + if [ "$stat_output" = "" ]; then + log error "stat_output is empty. +File name: '${file_name}' +Stat output: '${stat_output}' +stat_output_newlined: '${stat_output_newlined}' +line: '${line}' +" >&2 + return 1 + fi + + stat_output_newlined="$(printf '%s\n' "${stat_output//${delimiter}/$'\n'}")" + + if test "${stat_output_newlined}" = ""; then + log error "stat_output_newlined is empty. +File name: '${file_name}' +Stat output: '${stat_output}' +stat_output_newlined: '${stat_output_newlined}' +line: '${line}' +" >&2 + return 1 + fi + + readarray -t arr <<< "${stat_output_newlined}" + + if test "${#arr[@]}" = 0; then + log error "Array length is 0. 
+File name: '${file_name}' +Stat output: '${stat_output}' +stat_output_newlined: '${stat_output_newlined}' +line: '${line}' +" >&2 + return 1 + fi + + existing_mode="${arr[0]}" + existing_owner="${arr[1]}" + existing_group="${arr[2]}" + file_name_from_stat="${arr[3]}" + + if [ ! "$file_name" = "$file_name_from_stat" ]; then + log error "\ +File name is different from file name received from stat: +File name: '${file_name}' +File name from stat: '${file_name_from_stat}' +line: '${line}' +" >&2 + return 1 + fi + + if test -z "${existing_mode}"; then + log error "Existing mode is empty. Stat output: '${stat_output}', line: '${line}'" >&2 + return 1 + fi + if test -z "${existing_owner}"; then + log error "Existing owner is empty. Stat output: '${stat_output}', line: '${line}'" >&2 + return 1 + fi + if test -z "${existing_group}"; then + log error "Existing group is empty. Stat output: '${stat_output}', line: '${line}'" >&2 + return 1 + fi +} + +sanity_tests() { + echo_wrapper_audit silent \ + which \ + capsh getcap setcap stat find dpkg-statoverride getent grep 1>/dev/null +} + +add_nosuid_statoverride_entry() { + local fso_to_process + fso_to_process="${fso}" + local should_be_counter + should_be_counter=0 + local counter_actual + counter_actual=0 + + local dummy_line + while IFS="" read -r -d "" dummy_line; do + log info "Test would parse line: '${dummy_line}'" + should_be_counter=$((should_be_counter + 1)) + done < <(safe_echo_nonewline "${fso_to_process}" | find -files0-from - -perm /u=s,g=s -print0) + ## False positive on SC2185 (find without path argument) #1748 + ## https://github.com/koalaman/shellcheck/issues/1748 + ## + ## /usr/lib will hit ARG_MAX if using bash 'shopt -s globstar' and '/usr/lib/**'. + ## Using 'find' with '-perm /u=s,g=s' is faster and avoids ARG_MAX. 
+ ## https://forums.whonix.org/t/disable-suid-binaries/7706/17 + + local line + while IFS="" read -r -d "" file_name; do + counter_actual=$((counter_actual + 1)) + + ## sets: + ## exiting_mode + ## existing_owner + ## existing_group + output_stat "${file_name}" + + ## -h file True if file is a symbolic Link. + ## -u file True if file has its set-user-id bit set. + ## -g file True if file has its set-group-id bit set. + + if test -h "${file_name}"; then + ## https://forums.whonix.org/t/disable-suid-binaries/7706/14 + log info "Skip symlink: '${file_name}'" + continue + fi + + if test -d "${file_name}"; then + log info "Skip directory: '${file_name}'" + continue + fi + + local setuid setgid + setuid="" + if test -u "${file_name}"; then + setuid=true + fi + setgid="" + if test -g "${file_name}"; then + setgid=true + fi + + local setuid_or_setgid + setuid_or_setgid="" + if test "${setuid}" = "true" || test "${setgid}" = "true"; then + setuid_or_setgid=true + fi + if test -z "${setuid_or_setgid}"; then + log info "Neither setuid nor setgid. Skipping. file_name: '${file_name}'" + continue + fi + + ## Remove suid / gid and execute permission for 'group' and 'others'. + ## Similar to: chmod og-ugx /path/to/filename + ## Removing execution permission is useful to make binaries such as 'su' + ## fail closed rather than fail open if suid was removed from these. + ## Do not remove read access since no security benefit and easier to + ## manually undo for users. + ## Are there suid or sgid binaries which are still useful if suid / sgid + ## has been removed from these? + new_mode="744" + + local is_exact_whitelisted + is_exact_whitelisted="" + for white_list_entry in "${exact_white_list[@]:-}"; do + if test -z "${white_list_entry}"; then + log info "white_list_entry unset. Skipping. file_name: '${file_name}'" + continue + fi + if test "${file_name}" = "${white_list_entry}"; then + is_exact_whitelisted="true" + log info "is_exact_whitelisted=true. Skipping. 
file_name: '${file_name}'" + ## Stop looping through the whitelist. + break + fi + done + + local is_match_whitelisted + is_match_whitelisted="" + for matchwhite_list_entry in "${match_white_list[@]:-}"; do + if test -z "${matchwhite_list_entry}"; then + log info "matchwhite_list_entry unset. Skipping. file_name: '${file_name}'" + continue + fi + if safe_echo "${file_name}" | grep --quiet --fixed-strings -- "${matchwhite_list_entry}"; then + is_match_whitelisted="true" + log info "is_match_whitelisted=true. Skipping. file_name: '${file_name}'" + ## Stop looping through the match_white_list. + break + fi + done + + local is_disable_whitelisted + is_disable_whitelisted="" + for disablematch_list_entry in "${disable_white_list[@]:-}"; do + if test -z "${disablematch_list_entry}"; then + log info "disablematch_list_entry unset. Skipping. file_name: '${file_name}'" + continue + fi + if safe_echo "${file_name}" | grep --quiet --fixed-strings -- "${disablematch_list_entry}"; then + is_disable_whitelisted="true" + log info "is_disable_whitelisted=true. Skipping. file_name: '${file_name}'" + ## Stop looping through the disablewhitelist. 
+ break + fi + done + + local clean_output_prefix clean_output + clean_output_prefix="Managing (S|G)UID of line:" + clean_output="${setuid:+setuid='true'} ${setgid:+setgid='true'} existing_mode='${existing_mode}' new_mode='${new_mode}' file='${file_name}'" + if test "${whitelists_disable_all:-}" = "true"; then + log info "${clean_output_prefix} whitelists_disable_all=true ${clean_output}" + elif test "${is_disable_whitelisted}" = "true"; then + log info "${clean_output_prefix} is_disable_whitelisted=true ${clean_output}" + else + if test "${is_exact_whitelisted}" = "true"; then + log info "${clean_output_prefix} is_exact_whitelisted=true ${clean_output}" + continue + fi + if test "${is_match_whitelisted}" = "true"; then + log info "${clean_output_prefix} is_match_whitelisted=true matchwhite_list_entry='${matchwhite_list_entry}' ${clean_output}" + continue + fi + fi + + log notice "${clean_output_prefix} ${clean_output}" + + # shellcheck disable=SC2086 + if dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --list "${file_name}" >/dev/null; then + log info "Existing mode already saved previously. Not saving again." + else + ## Save existing_mode in separate database. + ## Not using --update as not intending to enforce existing_mode. + # shellcheck disable=SC2086 + echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --add "${existing_owner}" "${existing_group}" "${existing_mode}" "${file_name}" + fi + + ## No need to check "dpkg-statoverride --list" for existing entries. + ## If existing_mode was correct already, we would not have reached this + ## point. Since existing_mode is incorrect, remove from dpkg-statoverride + ## and re-add. + + ## Remove from real database. + echo_wrapper_ignore silent dpkg-statoverride --remove "${file_name}" + + ## Remove from separate database. 
+ # shellcheck disable=SC2086 + echo_wrapper_ignore silent dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --remove "${file_name}" + + ## Add to real database and use --update to make changes on disk. + echo_wrapper_audit verbose dpkg-statoverride --add --update "${existing_owner}" "${existing_group}" "${new_mode}" "${file_name}" + + ## Not using --update as this is only for recording. + # shellcheck disable=SC2086 + echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${existing_owner}" "${existing_group}" "${new_mode}" "${file_name}" + done < <(safe_echo_nonewline "${fso_to_process}" | find -files0-from - -perm /u=s,g=s -print0) + + ## Sanity test. + if test ! "${should_be_counter}" = "${counter_actual}"; then + log info "File (parsed/wanted): '${fso_to_process}': (${counter_actual}/${should_be_counter})" + log error "Expected number of files to be parsed was not met." >&2 + exit_code=202 + fi +} + +set_file_perms() { + log info "START parsing config file: '${config_file}'" + + local line + while read -r line || test -n "${line}"; do + if test -z "${line}"; then + true "DEBUG: line is empty. Skipping." + continue + fi + + if [[ "${line}" =~ ^\s*# ]]; then + continue + fi + + if ! [[ "${line}" =~ [0-9a-zA-Z/] ]]; then + exit_code=200 + log error "Line contains invalid characters: '${line}'" >&2 + ## Safer to exit with error in this case. + ## https://forums.whonix.org/t/disable-suid-binaries/7706/59 + exit "${exit_code}" + fi + + if test "${line}" = 'whitelists_disable_all=true'; then + whitelists_disable_all=true + log info "whitelists_disable_all=true" + continue + fi + + #global fso + local mode_from_config owner_from_config group_from_config capability_from_config + if ! read -r fso mode_from_config owner_from_config group_from_config capability_from_config <<<"${line}"; then + exit_code=201 + log error "Cannot parse line: '${line}'" >&2 + ## Debugging. 
+ du -hs /tmp || true + safe_echo "test -w /tmp: '$(test -w /tmp)'" >&2 || true + ## Safer to exit with error in this case. + ## https://forums.whonix.org/t/disable-suid-binaries/7706/59 + exit "${exit_code}" + fi + + log info "Parsing line: fso='${fso}' mode_from_config='${mode_from_config}' owner_from_config='${owner_from_config}' group_from_config='${group_from_config}' capability_from_config='${capability_from_config}'" + + ## Debugging. + #safe_echo "line: '${line}'" + #safe_echo "fso: '${fso}'" + #safe_echo "mode_from_config: '${mode_from_config}'" + #safe_echo "owner_from_config: '${owner_from_config}'" + + local fso_without_trailing_slash + fso_without_trailing_slash="${fso%/}" + + declare -g disable_white_list exact_white_list match_white_list + case "${mode_from_config}" in + disablewhitelist) + disable_white_list+=("${fso}") + continue + ;; + exactwhitelist) + exact_white_list+=("${fso}") + continue + ;; + matchwhitelist) + match_white_list+=("${fso}") + continue + ;; + esac + + if test ! -e "${fso}"; then + log info "File does not exist: '${fso}'" + continue + fi + + ## Use dpkg-statoverride so permissions are not reset during upgrades. + + if test "${mode_from_config}" = "nosuid"; then + ## If mode_from_config is "nosuid" the config does not set owner and + ## group. Therefore do not enforce owner/group check. + add_nosuid_statoverride_entry + else + local string_length_of_mode_from_config + string_length_of_mode_from_config="${#mode_from_config}" + if test "${string_length_of_mode_from_config}" -gt "4"; then + log error "Invalid mode: '${mode_from_config}'" >&2 + continue + fi + if test "${string_length_of_mode_from_config}" -lt "3"; then + log error "Invalid mode: '${mode_from_config}'" >&2 + continue + fi + + if ! grep --quiet --fixed-strings -- "${owner_from_config}:" "${store_dir}/private/passwd"; then + log error "Owner from config does not exist: '${owner_from_config}'" >&2 + continue + fi + + if ! 
grep --quiet --fixed-strings -- "${group_from_config}:" "${store_dir}/private/group"; then + log error "Group from config does not exist: '${group_from_config}'" >&2 + continue + fi + + local mode_for_grep + mode_for_grep="${mode_from_config}" + first_character_of_mode_from_config="${mode_from_config::1}" + if test "${first_character_of_mode_from_config}" = "0"; then + ## Remove leading '0'. + mode_for_grep="${mode_from_config:1}" + fi + + file_name="${fso_without_trailing_slash}" + + ## sets: + ## exiting_mode + ## existing_owner + ## existing_group + output_stat "${file_name}" + + ## Check there is an entry for the fso. + ## + ## example: dpkg-statoverride --list | grep /home + ## output: + ## root root 755 /home + ## + ## dpkg-statoverride does not show leading '0'. + local dpkg_statoverride_list_output="" + local dpkg_statoverride_list_exit_code=0 + dpkg_statoverride_list_output="$(dpkg-statoverride --list "${fso_without_trailing_slash}")" || { + dpkg_statoverride_list_exit_code=$? + true + } + + if test "${dpkg_statoverride_list_exit_code}" = "0"; then + local grep_line + grep_line="${owner_from_config} ${group_from_config} ${mode_for_grep} ${fso_without_trailing_slash}" + if safe_echo "${dpkg_statoverride_list_output}" | grep --quiet --fixed-strings -- "${grep_line}"; then + log info "The owner/group/mode matches fso entry. No further action required." + else + log info "The owner/group/mode does not match fso entry, updating entry." + ## fso_without_trailing_slash instead of fso to prevent + ## "dpkg-statoverride: warning: stripping trailing /" + + # shellcheck disable=SC2086 + if dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --list "${fso_without_trailing_slash}" >/dev/null; then + log info "Existing mode already saved previously. Not saving again." + else + ## Save existing_mode in separate database. + ## Not using --update as not intending to enforce existing_mode. 
+ # shellcheck disable=SC2086 + echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --add "${existing_owner}" "${existing_group}" "${existing_mode}" "${fso_without_trailing_slash}" + fi + + # shellcheck disable=SC2086 + echo_wrapper_ignore silent dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --remove "${fso_without_trailing_slash}" + + ## Remove from and add to real database. + echo_wrapper_ignore silent dpkg-statoverride --remove "${fso_without_trailing_slash}" + echo_wrapper_audit verbose dpkg-statoverride --add --update "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}" + + ## Save in separate database. + ## Not using --update as this is only for saving. + # shellcheck disable=SC2086 + echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}" + fi + else + log info "There is no fso entry, adding one." + + # shellcheck disable=SC2086 + if dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --list "${fso_without_trailing_slash}" >/dev/null; then + log info "Existing mode already saved previously. Not saving again." + else + ## Save existing_mode in separate database. + ## Not using --update as not intending to enforce existing_mode. + # shellcheck disable=SC2086 + echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --add "${existing_owner}" "${existing_group}" "${existing_mode}" "${fso_without_trailing_slash}" + fi + + ## Add to real database. + echo_wrapper_audit verbose dpkg-statoverride --add --update "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}" + + ## Save in separate database. + ## Not using --update as this is only for saving. 
+ # shellcheck disable=SC2086 + echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}" + fi + fi + if test -z "${capability_from_config}"; then + log info "capability_from_config is empty. Skipping. file_name: '${file_name}'" + continue + fi + + if test "${capability_from_config}" = "none"; then + ## https://forums.whonix.org/t/disable-suid-binaries/7706/45 + ## sudo setcap -r /bin/ping 2>/dev/null + ## Failed to set capabilities on file '/bin/ping' (No data available) + ## The value of the capability argument is not permitted for a file. Or + ## the file is not a regular (non-symlink) file + ## Therefore use echo_wrapper_ignore. + ## + ## NOTE: setcap does not support End-of-Options Marker ('--') yet. + ## setcap bug report: + ## setcap Command Does Not Support End-of-Options Marker ('--') + ## https://bugzilla.kernel.org/show_bug.cgi?id=219487 + echo_wrapper_ignore verbose setcap -r "${fso}" + getcap_output="$(getcap -- "${fso}")" + if test -n "${getcap_output}"; then + exit_code=205 + log error "Removing capabilities failed. File: '${fso}'" >&2 + continue + fi + else + if ! 
capsh --print | grep --fixed-strings -- "Bounding set" | grep --quiet -- "${capability_from_config}"; then + log error "Capability from config does not exist: '${capability_from_config}'" >&2 + continue + fi + + ## feature request: dpkg-statoverride: support for capabilities + ## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=502580 + echo_wrapper_audit verbose setcap "${capability_from_config}+ep" -- "${fso}" + fi + + done <"${config_file}" + log info "END parsing config file: '${config_file}'" +} + +parse_config_folder() { + touch "${store_dir}/private/passwd" + chmod og-rwx "${store_dir}/private/passwd" + touch "${store_dir}/private/group" + chmod og-rwx "${store_dir}/private/group" + + local passwd_file_contents_temp + ## Query contents of password and group databases only once and buffer them + ## + ## If we don't buffer we sometimes get incorrect results when checking for + ## entries using 'if getent passwd | grep --quiet -- '^root:'; ...' since + ## 'grep' exits after the first match in this case causing 'getent' to + ## receive SIGPIPE, which then fails the pipeline since 'set -o pipefail' is + ## set for this script. 
+ passwd_file_contents_temp="$(getent passwd)" + safe_echo "${passwd_file_contents_temp}" | tee -- "${store_dir}/private/passwd" >/dev/null + group_file_contents_temp="$(getent group)" + safe_echo "${group_file_contents_temp}" | tee -- "${store_dir}/private/group" >/dev/null + + #passwd_file_contents="$(cat "${store_dir}/private/passwd")" + #group_file_contents="$(cat "${store_dir}/private/group")" + + shopt -s nullglob + for config_file in \ + /usr/lib/permission-hardener.d/*.conf \ + /etc/permission-hardener.d/*.conf \ + /usr/local/etc/permission-hardener.d/*.conf \ + /etc/permission-hardening.d/*.conf \ + /usr/local/etc/permission-hardening.d/*.conf + do + set_file_perms + + done +} + +apply() { + check_root + make_store_dir + sanity_tests + parse_config_folder + + log notice "\ +To compare the current and previous permission modes, install 'meld' (or preferred diff tool) for comparison of file mode changes: + sudo apt install --no-install-recommends meld + meld ${store_dir}/existing_mode/statoverride ${store_dir}/new_mode/statoverride" +} + +spare() { + check_root + make_store_dir + + remove_file="${1}" + exit_code=0 + dpkg_admindir_parameter_existing_mode="--admindir ${store_dir}/existing_mode" + dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode" + + if test ! -f "${store_dir}/existing_mode/statoverride"; then + true "DEBUG: Stat file does not exist, hardening was not applied before." + return 0 + fi + + local line + while read -r line; do + ## example line: + ## root root 4755 /usr/lib/eject/dmcrypt-get-device + + local owner group mode file_name + if ! 
read -r owner group mode file_name <<< "${line}"; then + exit_code=201 + log error "Cannot parse line: '${line}'" >&2 + continue + fi + log info "Parsing line: owner='${owner}' group='${group}' mode='${mode}' file_name='${file_name}'" + + if test "${remove_file}" = "all"; then + verbose="" + remove_one=false + else + if test "${remove_file}" = "${file_name}"; then + verbose="--verbose" + remove_one=true + safe_echo "${remove_one}" | tee -- "${store_dir}/remove_one" >/dev/null + else + safe_echo "false" | tee -- "${store_dir}/remove_one" >/dev/null + continue + fi + fi + + if test "${remove_one}" = "true"; then + set -o xtrace + fi + + if test -e "${file_name}"; then + # shellcheck disable=SC2086 + chown ${verbose} "${owner}:${group}" "${file_name}" || exit_code=202 + ## chmod need to be run after chown since chown removes suid. + ## https://unix.stackexchange.com/questions/53665/chown-removes-setuid-bit-bug-or-feature + # shellcheck disable=SC2086 + chmod ${verbose} "${mode}" "${file_name}" || exit_code=203 + else + log info "File does not exist: '${file_name}'" + fi + + dpkg-statoverride --remove "${file_name}" &>/dev/null || true + # shellcheck disable=SC2086 + dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --remove "${file_name}" &>/dev/null || true + # shellcheck disable=SC2086 + dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --remove "${file_name}" &>/dev/null || true + + if test "${remove_one}" = "true"; then + set +o xtrace + break + fi + + done < "${store_dir}/existing_mode/statoverride" + + if test ! "${remove_file}" = "all"; then + if test "$(cat "${store_dir}/remove_one")" = "false"; then + log info "No file was removed. + + File '${remove_file}' has not been removed from SUID Disabler and Permission Hardener during this invocation. This is expected if already done earlier. + + This program expects the full path to the file. 
Example: + $0 disable /usr/bin/newgrp # absolute path: works + $0 disable newgrp # relative path: does not work + + To remove all: + $0 disable all + + This change might not be permanent. For full instructions, see: + https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener + + To view list of changed by SUID Disabler and Permission Hardener: + https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#View_List_of_Permissions_Changed_by_SUID_Disabler_and_Permission_Hardener + + For re-enabling any specific SUID binary: + https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#Re-Enable_Specific_SUID_Binaries + + For completely disabling SUID Disabler and Permission Hardener: + https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#Disable_SUID_Disabler_and_Permission_Hardener" + fi + fi +} + +check_root(){ + if test "$(id -u)" != "0"; then + log error "Not running as root, aborting." + exit 1 + fi +} + +usage(){ + safe_echo "Usage: ${0##*/} enable + ${0##*/} disable [FILE|all] + +Examples: + ${0##*/} enable + ${0##*/} disable all + ${0##*/} disable /usr/bin/newgrp" >&2 + exit "${1}" +} + +case "${1:-}" in + enable) shift; apply "$@";; + disable) + shift + case "${1:-}" in + "") usage 1;; + *) spare "${1}";; + esac + ;; + -h|--help) usage 0;; + *) usage 1;; +esac + +if test "${exit_code}" != "0"; then + log error "Exiting with non-zero exit code: '${exit_code}'" >&2 +fi + +exit "${exit_code}" diff --git a/usr/lib/permission-hardener.d/25_default_passwd.conf b/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf similarity index 91% rename from usr/lib/permission-hardener.d/25_default_passwd.conf rename to usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf index 6313e15..6c8369c 100644 --- a/usr/lib/permission-hardener.d/25_default_passwd.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf 
@@ -10,5 +10,7 @@ # user logins with `su` and KScreenLocker # # See also: https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#passwd +/usr/bin/passwd exactwhitelist +/bin/passwd exactwhitelist /usr/bin/passwd 0755 root root /bin/passwd 0755 root root From 397b476a822c9f7e41ec911f5d689b67026660ad Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 26 Dec 2024 04:12:02 +0000 Subject: [PATCH 717/846] bumped changelog version --- changelog.upstream | 19 +++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 25 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 8c61741..97f695d 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,22 @@ +commit 66f8c18c65f33676d242b57ebb1d4410876461b3 +Merge: aa82202 6602fb1 +Author: Patrick Schleizer +Date: Wed Dec 25 22:43:04 2024 -0500 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/sysmaint' + +commit 6602fb102dedc21300ae4c4519f3d9ef4e668045 +Author: Aaron Rainbolt +Date: Tue Dec 24 20:52:34 2024 -0600 + + Adjust pam-info messaging for sysmaint mode + +commit aa82202e701167eacb63eac208469844e983ca43 +Author: Patrick Schleizer +Date: Tue Dec 24 05:16:22 2024 +0000 + + bumped changelog version + commit 27d015d58ebc5e750d9d06f042b761720473941d Merge: 3c73c0c 2f3a2bc Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index f1c54b6..09c0cc8 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:41.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 26 Dec 2024 04:12:02 +0000 + security-misc (3:41.8-1) unstable; urgency=medium * New upstream version (local package). From dbcb612517abbf8d162cfb31ba0585c518df8817 Mon Sep 17 00:00:00 2001 
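Review bot: After this change /usr/bin/passwd and /bin/passwd each appear twice with different directives (`exactwhitelist` and `0755 root root`), and nothing in the file says how the two interact. From the loader, the `exactwhitelist` line only adds the path to the exact whitelist consulted during nosuid processing, while the mode line still produces a regular policy entry, so both are needed; a one-line comment above the new lines, `# exactwhitelist exempts the path from nosuid scans; the mode line below still sets the explicit mode`, would keep the next editor from "deduplicating" them.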
From: Aaron Rainbolt Date: Wed, 25 Dec 2024 19:48:28 -0600 Subject: [PATCH 718/846] Polish permission-hardener refactor --- usr/bin/permission-hardener | 302 ++++--- usr/bin/permission-hardener-old | 748 ------------------ .../25_default_whitelist_passwd.conf | 3 +- 3 files changed, 184 insertions(+), 869 deletions(-) delete mode 100755 usr/bin/permission-hardener-old diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index c8d115b..de03c7c 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -1,4 +1,5 @@ #!/bin/bash +# shellcheck disable=SC2076 ## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. 
@@ -8,32 +9,52 @@ ## dpkg-statoverride does not support end-of-options ("--"). +## SC2076 is disabled because ShellCheck seems to think that any use of +## [[ ... =~ ... ]] is supposed to be a regex match. But [[ '...' =~ '...' ]] +## works very well for literal matching, and it is used that way extensively +## throughout this script. + set -o errexit -o nounset -o pipefail -# shellcheck disable=SC1091 -source /usr/libexec/helper-scripts/safe_echo.sh +## Constants # shellcheck disable=SC2034 log_level=notice +store_dir="/var/lib/permission-hardener" +state_file="${store_dir}/existing_mode/statoverride" +dpkg_admindir_parameter_existing_mode="--admindir ${store_dir}/existing_mode" +dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode" +delimiter="#permission-hardener-delimiter#" + +## Library imports +# shellcheck disable=SC1091 +source /usr/libexec/helper-scripts/safe_echo.sh # shellcheck disable=SC1091 source /usr/libexec/helper-scripts/log_run_die.sh +## Functions echo_wrapper_ignore() { - if test "${1}" = "verbose"; then + if [ "${1}" = 'verbose' ]; then shift log notice "Executing: $*" - else + elif [ "${1}" = 'silent' ]; then shift + else + log error "Unrecognized command '${1}'! calling function name: '${FUNCNAME[1]}'" >&2 + return fi "$@" 2>/dev/null || true } echo_wrapper_audit() { local return_code - if test "${1}" = "verbose"; then + if [ "${1}" = 'verbose' ]; then shift log notice "Executing: $*" - else + elif [ "${1}" = 'silent' ]; then shift + else + log error "Unrecognized command '${1}'! calling function name: '${FUNCNAME[1]}'" >&2 + return fi return_code=0 "$@" || 
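Review bot: The new `else` arms in echo_wrapper_ignore and echo_wrapper_audit log an error and then `return` with status 0, leaving `exit_code` untouched, so a caller that passes an unrecognized mode word continues as if the command had run and the script still ends with a zero exit code. To stay consistent with the audit wrapper's own failure path (which records a non-zero `exit_code` rather than returning non-zero, so `errexit` does not abort mid-run), set the same code before returning: `exit_code=203` on the line before each `return`. The message `Unrecognized command '${1}'` names the mode word, not a command; `Unrecognized mode '${1}'` is clearer. echo_wrapper_audit's body continues past the end of the hunk.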
@@ -59,25 +80,34 @@ block_newlines() { } output_stat() { - local file_name + local file_name stat_output stat_output_newlined + declare -a arr file_name="${1:-}" - if test -z "${file_name}"; then + if [ -z "${file_name}" ]; then log error "File name is empty. file_name: '${file_name}'" >&2 return 1 fi block_newlines file "${file_name}" - declare -a arr - local file_name_from_stat stat_output stat_output_newlined + if [ ! -e "${file_name}" ]; then + log info "File does not exist. file_name: '${file_name}'" >&2 + existing_mode='' + existing_owner='' + existing_group='' + file_name_from_stat='' + return 0 + fi - if ! stat_output="$(stat -L --format="%a${delimiter}%U${delimiter}%G${delimiter}%n${delimiter}" -- "${file_name}")"; then + if ! stat_output="$(stat -L \ + --format="%a${delimiter}%U${delimiter}%G${delimiter}%n${delimiter}" \ + -- "${file_name}")"; then log error "Failed to run 'stat' on file: '${file_name}'!" >&2 return 1 fi - if [ "$stat_output" = "" ]; then + if [ "$stat_output" = '' ]; then log error "stat_output is empty. File name: '${file_name}' Stat output: '${stat_output}' @@ -89,7 +119,7 @@ line: '${processed_config_line}' stat_output_newlined="$(printf '%s\n' "${stat_output//${delimiter}/$'\n'}")" - if test "${stat_output_newlined}" = ""; then + if [ "${stat_output_newlined}" = '' ]; then log error "stat_output_newlined is empty. File name: '${file_name}' Stat output: '${stat_output}' @@ -101,7 +131,7 @@ line: '${processed_config_line}' readarray -t arr <<< "${stat_output_newlined}" - if test "${#arr[@]}" = 0; then + if [ "${#arr[@]}" = '0' ]; then log error "Array length is 0. File name: '${file_name}' Stat output: '${stat_output}' @@ -116,7 +146,7 @@ line: '${processed_config_line}' existing_group="${arr[2]}" file_name_from_stat="${arr[3]}" - if [ ! "$file_name" = "$file_name_from_stat" ]; then + if [ "$file_name" != "$file_name_from_stat" ]; then log error "\ File name is different from file name received from stat: File name: '${file_name}' 
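Review bot: output_stat now has a second success path that returns 0 with all four result globals emptied, and nothing at the function states this contract, so any caller that checks only the return status silently gets empty owner/group/mode. Since both the new `[ ! -e ]` test and `stat -L` follow symlinks, a dangling symlink also takes that path and is reported as "does not exist" rather than as a stat failure. Add a header comment above the function, roughly: `## Sets existing_mode, existing_owner, existing_group and file_name_from_stat for "$1". Returns 1 on stat failure; returns 0 with all four emptied when the path does not exist (dangling symlinks included, because -e and stat -L follow links) - callers must test file_name_from_stat.` The hunk's later parts only swap `test` for `[`, which is fine.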
@@ -126,15 +156,15 @@ line: '${processed_config_line}' return 1 fi - if test -z "${existing_mode}"; then + if [ -z "${existing_mode}" ]; then log error "Existing mode is empty. Stat output: '${stat_output}', line: '${processed_config_line}'" >&2 return 1 fi - if test -z "${existing_owner}"; then + if [ -z "${existing_owner}" ]; then log error "Existing owner is empty. Stat output: '${stat_output}', line: '${processed_config_line}'" >&2 return 1 fi - if test -z "${existing_group}"; then + if [ -z "${existing_group}" ]; then log error "Existing group is empty. Stat output: '${stat_output}', line: '${processed_config_line}'" >&2 return 1 fi @@ -143,6 +173,9 @@ line: '${processed_config_line}' print_usage(){ safe_echo "Usage: ${0##*/} enable ${0##*/} disable [FILE|all] + ${0##*/} print-policy + ${0##*/} print-state + ${0##*/} print-policy-applied-state Examples: ${0##*/} enable @@ -150,7 +183,6 @@ Examples: ${0##*/} disable /usr/bin/newgrp" >&2 } -## TODO: Validate input before you blindly trust it! add_to_policy() { local file_name file_mode file_owner file_group updated_entry policy_idx \ file_capabilities 
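Review bot: The `## TODO: Validate input before you blindly trust it!` line above add_to_policy is removed, but no validation of the five fields is visible in this hunk (add_to_policy's body continues past its end). If the validation was added elsewhere in the commit this is fine; otherwise the TODO should stay, or be replaced by a header comment that states the expectation explicitly, e.g. `## Arguments: file_name file_mode file_owner file_group [file_capabilities]; fields are trusted as read from the config, the caller is responsible for validation.` The rest of the hunk (`test` to `[`, three new print-* lines in print_usage) is fine.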
@@ -187,25 +219,23 @@ check_nosuid_whitelist() { target_file="${1:-}" ## Handle whitelists, if we're supposed to - if [ "${whitelists_disable_all}" = 'false' ]; then - ## literal matching is intentional here - # shellcheck disable=SC2076 - if ! [[ " ${policy_disable_white_list[*]} " =~ " ${target_file} " ]]; then - ## literal matching is intentional here too - # shellcheck disable=SC2076 - if [[ " ${policy_exact_white_list[*]} " =~ " ${target_file} " ]]; then - return 1 - fi + [ "${whitelists_disable_all}" = 'true' ] && return 0 - for match_white_list_entry in "${policy_match_white_list[@]:-}"; do - if safe_echo "${target_file}" \ - | grep --quiet --fixed-strings -- "${match_white_list_entry}"; then - return 1 - fi - done - fi + ## literal matching is intentional here + [[ " ${policy_disable_white_list[*]} " =~ " ${target_file} " ]] && return 0 + + ## literal matching is intentional here too + if [[ " ${policy_exact_white_list[*]} " =~ " ${target_file} " ]]; then + return 1 fi + for match_white_list_entry in "${policy_match_white_list[@]:-}"; do + if safe_echo "${target_file}" \ + | grep --quiet --fixed-strings -- "${match_white_list_entry}"; then + return 1 + fi + done + return 0 } @@ -223,11 +253,11 @@ load_early_nosuid_policy() { ## existing_owner ## existing_group output_stat "${find_list_item}" + if [ -z "${file_name_from_stat}" ]; then + continue + fi - ## -h file True if file is a symbolic Link. - ## -u file True if file has its set-user-id bit set. - ## -g file True if file has its set-group-id bit set. - + ## -h file True if file is a symbolic link. if [ -h "${find_list_item}" ]; then ## https://forums.whonix.org/t/disable-suid-binaries/7706/14 log info "Skip symlink: '${find_list_item}'" 
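Review bot: In check_nosuid_whitelist, `for match_white_list_entry in "${policy_match_white_list[@]:-}"` expands to a single empty word when the array is empty, and `grep --quiet --fixed-strings -- ""` matches any input, so with no matchwhitelist entries configured every file would return 1 (whitelisted) and never get nosuid applied. This is carried over from the removed lines rather than introduced here, but the rewrite is the right moment to fix it: add `[ -z "${match_white_list_entry}" ] && continue` as the loop's first statement (or drop the `:-`, which bash 4.4+ no longer needs under `nounset`). A one-line comment above the function giving the return convention, `## Returns 0 when nosuid should be applied to "$1", 1 when the path is whitelisted.`, would make the three early returns easier to read.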
@@ -239,58 +269,107 @@ load_early_nosuid_policy() { continue fi - ## Trim off the most significant digit of the mode, this discards S(U|G)ID - ## bits (and the sticky bit too but that doesn't matter on Linux) - ## - ## Actually, the old behavior is better here. + ## Remove suid / gid and execute permission for 'group' and 'others'. + ## Similar to: chmod og-ugx /path/to/filename + ## Removing execution permission is useful to make binaries such as 'su' + ## fail closed rather than fail open if suid was removed from these. + ## Do not remove read access since no security benefit and easier to + ## manually undo for users. + ## Are there suid or sgid binaries which are still useful if suid / sgid + ## has been removed from these? local new_mode - # new_mode="${existing_mode:1}" new_mode='744' add_to_policy "${find_list_item}" "${new_mode}" "${existing_owner}" \ "${existing_group}" - done < <(safe_echo_nonewline "${target_file}" | find -files0-from - -perm /u=s,g=s -print0) + done < <(safe_echo_nonewline "${target_file}" \ + | find -files0-from - -perm /u=s,g=s -print0) +} + +match_dir() { + local base_str match_str base_arr match_arr base_idx + + base_str="${1}" + match_str="${2}" + [[ "${base_str}" =~ '//' ]] && return 1 + [[ "${match_str}" =~ '//' ]] && return 1 + + IFS='/' read -r -a base_arr <<< "${base_str}" + IFS='/' read -r -a match_arr <<< "${match_str}" + (( ${#base_arr[@]} > ${#match_arr[@]} )) && return 1 + + for (( base_idx=0; base_idx < ${#base_arr[@]}; base_idx++ )); do + if [ "${base_arr[base_idx]}" != "${match_arr[base_idx]}" ]; then + return 1 + fi + done + + return 0 } load_late_nosuid_policy() { local target_file state_idx state_file_item state_user_owner_item \ - state_group_owner_item + state_group_owner_item new_mode target_file="${1:-}" for (( state_idx=0; state_idx < ${#state_file_list[@]}; state_idx++ )); do state_file_item="${state_file_list[state_idx]}" - state_user_owner_item="${state_user_owner_list[state_idx]}" - 
state_group_owner_item="${state_group_owner_list[state_idx]}" check_nosuid_whitelist "${state_file_item}" || continue - if [[ ${state_file_item} == ${target_file}* ]]; then - if [ -h "${state_file_item}" ]; then - ## https://forums.whonix.org/t/disable-suid-binaries/7706/14 - log info "Skip symlink: '${state_file_item}'" - continue - fi + ## If the "target file" matches the start of the state file name, that's + ## a likely match. + match_dir "${target_file}" "${state_file_item}" || continue - if [ -d "${state_file_item}" ]; then - log info "Skip directory: '${state_file_item}'" - continue - fi - - local new_mode - new_mode='744' - add_to_policy "${state_file_item}" "${new_mode}" \ - "${state_user_owner_item}" "${state_group_owner_item}" + if [ -h "${state_file_item}" ]; then + ## https://forums.whonix.org/t/disable-suid-binaries/7706/14 + log info "Skip symlink: '${state_file_item}'" + continue fi + + if [ -d "${state_file_item}" ]; then + log info "Skip directory: '${state_file_item}'" + continue + fi + + state_user_owner_item="${state_user_owner_list[state_idx]}" + state_group_owner_item="${state_group_owner_list[state_idx]}" + new_mode='744' + add_to_policy "${state_file_item}" "${new_mode}" \ + "${state_user_owner_item}" "${state_group_owner_item}" done } +load_state_without_policy() { + local line bit_list + + ## Load the state file from disk + if [ -f "${state_file}" ]; then + while read -r line; do + read -r -a bit_list <<< "${line}" + if (( ${#bit_list[@]} != 4 )); then + log info \ + "Invalid number of fields in state file line: '${line}'. Skipping." 
+ continue + fi + state_user_owner_list+=( "${bit_list[0]}" ) + state_group_owner_list+=( "${bit_list[1]}" ) + state_mode_list+=( "${bit_list[2]}" ) + state_file_list+=( "${bit_list[3]}" ) + done < "${state_file}" + fi +} + load_state() { ## Config format: ## path options ## where options is one of: ## user_owner group_owner filemode [capability-setting] ## [nosuid|exactwhitelist|matchwhitelist|disablewhitelist] + ## + ## Additionally, the special value 'whitelists_disable_all=true' is understood + ## to mean that all whitelisting should be ignored. - local config_file line bit_list file_path policy_nosuid_file_item + local config_file line bit_list policy_nosuid_file_item policy_file_item ## Load configuration, deferring whitelist handling until later for config_file in \ @@ -303,14 +382,17 @@ load_state() { if [ ! -f "${config_file}" ]; then continue fi + while read -r line; do if [ -z "${line}" ]; then true 'DEBUG: line is empty. Skipping.' continue fi + if [[ "${line}" =~ ^\s*# ]]; then continue fi + if ! [[ "${line}" =~ [0-9a-zA-Z/] ]]; then exit_code=200 log error "Line contains invalid characters: '${line}'" >&2 
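Review bot: match_dir returns 0 for every path when `base_str` is empty: the two `//` guards pass, `base_arr` has no elements, so the length check and the component loop never reject anything, and load_late_nosuid_policy passes `target_file="${1:-}"`, so an empty argument would mark every state entry as a match. Add `[ -z "${base_str}" ] && return 1` right after the assignments. A trailing slash on `base_str` yields an empty last component that never matches, which is acceptable only as long as callers keep stripping it the way load_state does; a comment on match_dir stating that inputs are expected without trailing slash would record that. The hunk starts inside load_early_nosuid_policy's loop body, which begins before it.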
@@ -339,28 +421,27 @@ load_state() { # Strip trailing slash if appropriate bit_list[0]="${bit_list[0]%/}" - file_path="${bit_list[0]}" case "${bit_list[1]}" in 'exactwhitelist') - [ ! -e "${file_path}" ] && continue - policy_exact_white_list+=( "${file_path}" ) + [ ! -e "${bit_list[0]}" ] && continue + policy_exact_white_list+=( "${bit_list[0]}" ) continue ;; 'matchwhitelist') - policy_match_white_list+=( "${file_path}" ) + policy_match_white_list+=( "${bit_list[0]}" ) continue ;; 'disablewhitelist') - policy_disable_white_list+=( "${file_path}" ) + policy_disable_white_list+=( "${bit_list[0]}" ) continue ;; 'nosuid') - [ ! -e "${file_path}" ] && continue - policy_nosuid_file_list+=( "${file_path}" ) + [ ! -e "${bit_list[0]}" ] && continue + policy_nosuid_file_list+=( "${bit_list[0]}" ) ;; *) - [ ! -e "${file_path}" ] && continue + [ ! -e "${bit_list[0]}" ] && continue add_to_policy "${bit_list[@]}" ;; esac 
@@ -373,32 +454,19 @@ load_state() { load_early_nosuid_policy "${policy_nosuid_file_item}" done - local line bit_list policy_file_item - - ## Load the state file from disk - if [ -f "${state_file}" ]; then - while read -r line; do - read -r -a bit_list <<< "${line}" - if (( ${#bit_list[@]} != 4 )); then - log info "Invalid number of fields in state file line: '${line}'. Skipping." - continue - fi - state_user_owner_list+=( "${bit_list[0]}" ) - state_group_owner_list+=( "${bit_list[1]}" ) - state_mode_list+=( "${bit_list[2]}" ) - state_file_list+=( "${bit_list[3]}" ) - done < "${state_file}" - fi + load_state_without_policy ## Find any files in the policy that don't already have a matching file in ## the state. Add those files to the state, and save them to the state file ## as well. for policy_file_item in "${policy_file_list[@]}"; do - # shellcheck disable=SC2076 if [[ " ${state_file_list[*]} " =~ " ${policy_file_item} " ]]; then continue fi output_stat "${policy_file_item}" + if [ -z "${file_name_from_stat}" ]; then + continue + fi state_file_list+=( "${policy_file_item}" ) state_user_owner_list+=( "${existing_owner}" ) state_group_owner_list+=( "${existing_group}" ) @@ -410,6 +478,7 @@ load_state() { "${policy_file_item}" done + ## Fix up nosuid policies using state information for policy_nosuid_file_item in "${policy_nosuid_file_list[@]}"; do load_late_nosuid_policy "${policy_nosuid_file_item}" done @@ -433,7 +502,8 @@ apply_policy() { done if [ "${did_state_update}" = 'false' ]; then exit_code=206 - log error "File exists in policy but not in state! File: '${policy_file_list[policy_idx]}'" + log error \ + "File exists in policy but not in state! File: '${policy_file_list[policy_idx]}'" exit "${exit_code}" fi done 
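Review bot: The new `continue` after output_stat in load_state drops a policy file that has vanished since load_state's `-e` test from the state lists but leaves it in `policy_file_list`, and apply_policy (end of this hunk) then exits with 206 "File exists in policy but not in state!" for exactly that entry, if I read the two loops correctly. If skipping such files is the intent, the policy entry should be dropped as well, or apply_policy should log and `continue` instead of `exit`; otherwise the skip here should be an error with a message naming the vanished file. The window is small (file removed between the existence check and the stat), so this is a robustness point rather than a likely failure.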
@@ -469,22 +539,24 @@ commit_policy() { state_mode_item="${BASH_REMATCH[2]}" output_stat "${state_file_item}" + if [ -z "${file_name_from_stat}" ]; then + continue + fi if [ "${existing_owner}" != "${state_user_owner_item}" ] \ || [ "${existing_group}" != "${state_group_owner_item}" ] \ || [ "${existing_mode}" != "${state_mode_item}" ]; then - if ! grep --quiet --fixed-strings -- "${state_user_owner_item}:" "${store_dir}/private/passwd"; then + if ! [[ "${passwd_file_contents}" =~ "${state_user_owner_item}:" ]]; then log error "Owner from config does not exist: '${state_user_owner_item}'" >&2 continue fi - if ! grep --quiet --fixed-strings -- "${state_group_owner_item}:" "${store_dir}/private/group"; then + if ! [[ "${group_file_contents}" =~ "${state_group_owner_item}:" ]]; then log error "Group from config does not exist: '${state_group_owner_item}'" >&2 continue fi - # Remove and reapply in main list - if grep --quiet --fixed-strings \ - -- "${state_file_item}" <<< "${orig_main_statoverride_db}"; then + ## Remove and reapply in main list + if [[ "${orig_main_statoverride_db}" =~ "${state_file_item}" ]]; then echo_wrapper_ignore silent dpkg-statoverride --remove \ "${state_file_item}" fi @@ -492,9 +564,8 @@ commit_policy() { "${state_user_owner_item}" "${state_group_owner_item}" \ "${state_mode_item}" "${state_file_item}" - # Update item in secondary list - if grep --quiet --fixed-strings \ - -- "${state_file_item}" <<< "${orig_new_statoverride_db}"; then + ## Update item in secondary list + if [[ "${orig_new_statoverride_db}" =~ "${state_file_item}" ]]; then # shellcheck disable=SC2086 echo_wrapper_ignore silent dpkg-statoverride \ ${dpkg_admindir_parameter_new_mode} --remove \ 
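Review bot: The `[[ … =~ "…" ]]` replacements keep the unanchored substring semantics of the old `grep --fixed-strings`: `"${passwd_file_contents}" =~ "${state_user_owner_item}:"` succeeds for owner `oot` whenever a `root:` line exists, and `"${orig_main_statoverride_db}" =~ "${state_file_item}"` matches `/usr/bin/su` against the `/usr/bin/sudo` entry. The consequences are bounded (a bogus owner is rejected later by dpkg-statoverride, and the removal is best-effort via echo_wrapper_ignore), but anchoring costs one line each: `[[ $'\n'"${passwd_file_contents}" == *$'\n'"${state_user_owner_item}:"* ]]` for the owner and group checks, and `[[ "${orig_main_statoverride_db}"$'\n' == *" ${state_file_item}"$'\n'* ]]` for the db lookups. The same unanchored db lookups appear in undo_policy_for_file in the next hunk (`@@ -574,14 +645,12 @@`).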
@@ -574,14 +645,12 @@ undo_policy_for_file() { # shellcheck disable=SC2086 orig_new_statoverride_db="$(dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --list)" || true - if grep --quiet --fixed-strings \ - -- "${undo_file}" <<< "${orig_main_statoverride_db}"; then + if [[ "${orig_main_statoverride_db}" =~ "${undo_file}" ]]; then echo_wrapper_ignore silent dpkg-statoverride --remove \ "${undo_file}" fi - if grep --quiet --fixed-strings \ - -- "${undo_file}" <<< "${orig_new_statoverride_db}"; then + if [[ "${orig_new_statoverride_db}" =~ "${undo_file}" ]]; then # shellcheck disable=SC2086 echo_wrapper_ignore silent dpkg-statoverride \ ${dpkg_admindir_parameter_new_mode} --remove \ @@ -594,13 +663,16 @@ undo_policy_for_file() { state_mode_item="${state_mode_list[state_idx]}" chown ${verbose} "${state_user_owner_item}:${state_group_owner_item}" \ "${undo_file}" || exit_code=202 - ## chmod need to be run after chown since chown removes suid. + ## chmod needs to be run after chown since chown removes suid. chmod ${verbose} "${state_mode_item}" "${undo_file}" || exit_code=203 else log info "File does not exist: '${undo_file}'" fi did_undo=true - break + + if [ "${undo_all}" = 'false' ]; then + break + fi fi done @@ -637,7 +709,7 @@ print_columns() { format_str="${format_str}%s\t" done format_str="${format_str}\n" - # Using a dynamically generated format string on purpose. + ## Using a dynamically generated format string on purpose. # shellcheck disable=SC2059 printf "${format_str}" "$@" } @@ -670,13 +742,6 @@ print_state() { done } -## Constants -store_dir="/var/lib/permission-hardener" -state_file="${store_dir}/existing_mode/statoverride" -dpkg_admindir_parameter_existing_mode="--admindir ${store_dir}/existing_mode" -dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode" -delimiter="#permission-hardener-delimiter#" - ## Global variables policy_file_list=() policy_user_owner_list=() 
@@ -696,6 +761,9 @@ existing_mode='' existing_owner='' existing_group='' processed_config_line='' +file_name_from_stat='' +passwd_file_contents="$(getent passwd)" +group_file_contents="$(getent group)" exit_code=0 ## Setup and sanity checking @@ -704,15 +772,8 @@ if [ "$(id -u)" != '0' ]; then exit 1 fi -mkdir --parents "${store_dir}/private" mkdir --parents "${store_dir}/existing_mode" mkdir --parents "${store_dir}/new_mode" -touch "${store_dir}/private/passwd" -chmod og-rwx "${store_dir}/private/passwd" -touch "${store_dir}/private/group" -chmod og-rwx "${store_dir}/private/group" -getent passwd | sponge -- "${store_dir}/private/passwd" -getent group | sponge -- "${store_dir}/private/group" echo_wrapper_audit silent which capsh getcap setcap stat find \ dpkg-statoverride getent grep 1>/dev/null @@ -733,7 +794,7 @@ case "${1:-}" in exit 1 ;; *) - load_state + load_state_without_policy undo_policy_for_file "${1}" ;; esac @@ -761,6 +822,7 @@ case "${1:-}" in ;; esac +## Exit if test "${exit_code}" != "0"; then log error "Exiting with non-zero exit code: '${exit_code}'" >&2 fi diff --git a/usr/bin/permission-hardener-old b/usr/bin/permission-hardener-old deleted file mode 100755 index c88b54f..0000000 --- a/usr/bin/permission-hardener-old +++ /dev/null 
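Review bot: The tool check still goes through `which`, an external non-POSIX program that can itself be absent; `command -v capsh getcap setcap stat find dpkg-statoverride getent grep >/dev/null` is a builtin that returns non-zero for a missing name just the same. Because echo_wrapper_audit only records the failure in `exit_code` (its body is outside this chunk, so this is inferred from the old implementation), the script carries on with missing tools; a hard `command -v … >/dev/null || exit 1` here would fail closed. `passwd_file_contents="$(getent passwd)"` and the group counterpart now run on every invocation, before the root check and for the print-* commands too; that is harmless, but a one-line comment that they replace the former buffered files under `${store_dir}/private` would explain the placement.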
@@ -1,748 +0,0 @@ -#!/bin/bash - -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP -## See the file COPYING for copying conditions. - -## https://forums.whonix.org/t/disable-suid-binaries/7706 -## https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707 - -## dpkg-statoverride does not support end-of-options ("--"). - -set -o errexit -o nounset -o pipefail - -exit_code=0 -store_dir="/var/lib/permission-hardener" -dpkg_admindir_parameter_existing_mode="--admindir ${store_dir}/existing_mode" -dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode" -delimiter="#permission-hardener-delimiter#" - -# shellcheck disable=SC1091 -source /usr/libexec/helper-scripts/safe_echo.sh -# shellcheck disable=SC2034 -log_level=notice -# shellcheck disable=SC1091 -source /usr/libexec/helper-scripts/log_run_die.sh - -echo_wrapper_ignore() { - if test "${1}" = "verbose"; then - shift - log notice "Executing: $*" - else - shift - fi - "$@" 2>/dev/null || true -} - -echo_wrapper_audit() { - if test "${1}" = "verbose"; then - shift - log notice "Executing: $*" - else - shift - fi - return_code=0 - "$@" || - { - return_code="$?" - exit_code=203 - log error "Command '$*' failed with exit code '${return_code}'! calling function name: '${FUNCNAME[1]}'" >&2 - } -} - -make_store_dir(){ - mkdir --parents "${store_dir}/private" - mkdir --parents "${store_dir}/existing_mode" - mkdir --parents "${store_dir}/new_mode" -} - -## Some tools may fail on newlines and even variable assignment to array may -## fail if a variable that will be assigned to an array element contains -## characters that are used as delimiters. 
-block_newlines(){ - local newline_variable newline_value - newline_variable="${1}" - newline_value="${2}" - ## dpkg-statoverride: error: path may not contain newlines - #if [[ "${newline_value}" == *$'\n'* ]]; then - if [[ "${newline_value}" != "${newline_value//$'\n'/NEWLINE}" ]]; then - log warn "Skipping ${newline_variable} that contains newlines: '${newline_value}'" >&2 - return 1 - fi -} - -output_stat(){ - local file_name - file_name="${1}" - - if test -z "${file_name}"; then - log error "File name is empty. file_name: '${file_name}'" >&2 - return 1 - fi - - block_newlines file "${file_name}" - - ## dpkg-statoverride can actually handle '--file-name'. -# if [[ $file_name == --* ]]; then -# log warn "File name starts with '--'. This would be interpreted by dpkg-statoverride as an option. Skipping. file_name: '${file_name}'" >&2 -# return 1 -# fi - - declare -a arr - local file_name_from_stat stat_output stat_output_newlined - - if ! stat_output="$(stat --format="%a${delimiter}%U${delimiter}%G${delimiter}%n${delimiter}" -- "${file_name}")"; then - log error "Failed to run 'stat' on file: '${file_name}'!" >&2 - return 1 - fi - - if [ "$stat_output" = "" ]; then - log error "stat_output is empty. -File name: '${file_name}' -Stat output: '${stat_output}' -stat_output_newlined: '${stat_output_newlined}' -line: '${line}' -" >&2 - return 1 - fi - - stat_output_newlined="$(printf '%s\n' "${stat_output//${delimiter}/$'\n'}")" - - if test "${stat_output_newlined}" = ""; then - log error "stat_output_newlined is empty. -File name: '${file_name}' -Stat output: '${stat_output}' -stat_output_newlined: '${stat_output_newlined}' -line: '${line}' -" >&2 - return 1 - fi - - readarray -t arr <<< "${stat_output_newlined}" - - if test "${#arr[@]}" = 0; then - log error "Array length is 0. 
-File name: '${file_name}' -Stat output: '${stat_output}' -stat_output_newlined: '${stat_output_newlined}' -line: '${line}' -" >&2 - return 1 - fi - - existing_mode="${arr[0]}" - existing_owner="${arr[1]}" - existing_group="${arr[2]}" - file_name_from_stat="${arr[3]}" - - if [ ! "$file_name" = "$file_name_from_stat" ]; then - log error "\ -File name is different from file name received from stat: -File name: '${file_name}' -File name from stat: '${file_name_from_stat}' -line: '${line}' -" >&2 - return 1 - fi - - if test -z "${existing_mode}"; then - log error "Existing mode is empty. Stat output: '${stat_output}', line: '${line}'" >&2 - return 1 - fi - if test -z "${existing_owner}"; then - log error "Existing owner is empty. Stat output: '${stat_output}', line: '${line}'" >&2 - return 1 - fi - if test -z "${existing_group}"; then - log error "Existing group is empty. Stat output: '${stat_output}', line: '${line}'" >&2 - return 1 - fi -} - -sanity_tests() { - echo_wrapper_audit silent \ - which \ - capsh getcap setcap stat find dpkg-statoverride getent grep 1>/dev/null -} - -add_nosuid_statoverride_entry() { - local fso_to_process - fso_to_process="${fso}" - local should_be_counter - should_be_counter=0 - local counter_actual - counter_actual=0 - - local dummy_line - while IFS="" read -r -d "" dummy_line; do - log info "Test would parse line: '${dummy_line}'" - should_be_counter=$((should_be_counter + 1)) - done < <(safe_echo_nonewline "${fso_to_process}" | find -files0-from - -perm /u=s,g=s -print0) - ## False positive on SC2185 (find without path argument) #1748 - ## https://github.com/koalaman/shellcheck/issues/1748 - ## - ## /usr/lib will hit ARG_MAX if using bash 'shopt -s globstar' and '/usr/lib/**'. - ## Using 'find' with '-perm /u=s,g=s' is faster and avoids ARG_MAX. 
- ## https://forums.whonix.org/t/disable-suid-binaries/7706/17 - - local line - while IFS="" read -r -d "" file_name; do - counter_actual=$((counter_actual + 1)) - - ## sets: - ## exiting_mode - ## existing_owner - ## existing_group - output_stat "${file_name}" - - ## -h file True if file is a symbolic Link. - ## -u file True if file has its set-user-id bit set. - ## -g file True if file has its set-group-id bit set. - - if test -h "${file_name}"; then - ## https://forums.whonix.org/t/disable-suid-binaries/7706/14 - log info "Skip symlink: '${file_name}'" - continue - fi - - if test -d "${file_name}"; then - log info "Skip directory: '${file_name}'" - continue - fi - - local setuid setgid - setuid="" - if test -u "${file_name}"; then - setuid=true - fi - setgid="" - if test -g "${file_name}"; then - setgid=true - fi - - local setuid_or_setgid - setuid_or_setgid="" - if test "${setuid}" = "true" || test "${setgid}" = "true"; then - setuid_or_setgid=true - fi - if test -z "${setuid_or_setgid}"; then - log info "Neither setuid nor setgid. Skipping. file_name: '${file_name}'" - continue - fi - - ## Remove suid / gid and execute permission for 'group' and 'others'. - ## Similar to: chmod og-ugx /path/to/filename - ## Removing execution permission is useful to make binaries such as 'su' - ## fail closed rather than fail open if suid was removed from these. - ## Do not remove read access since no security benefit and easier to - ## manually undo for users. - ## Are there suid or sgid binaries which are still useful if suid / sgid - ## has been removed from these? - new_mode="744" - - local is_exact_whitelisted - is_exact_whitelisted="" - for white_list_entry in "${exact_white_list[@]:-}"; do - if test -z "${white_list_entry}"; then - log info "white_list_entry unset. Skipping. file_name: '${file_name}'" - continue - fi - if test "${file_name}" = "${white_list_entry}"; then - is_exact_whitelisted="true" - log info "is_exact_whitelisted=true. Skipping. 
file_name: '${file_name}'" - ## Stop looping through the whitelist. - break - fi - done - - local is_match_whitelisted - is_match_whitelisted="" - for matchwhite_list_entry in "${match_white_list[@]:-}"; do - if test -z "${matchwhite_list_entry}"; then - log info "matchwhite_list_entry unset. Skipping. file_name: '${file_name}'" - continue - fi - if safe_echo "${file_name}" | grep --quiet --fixed-strings -- "${matchwhite_list_entry}"; then - is_match_whitelisted="true" - log info "is_match_whitelisted=true. Skipping. file_name: '${file_name}'" - ## Stop looping through the match_white_list. - break - fi - done - - local is_disable_whitelisted - is_disable_whitelisted="" - for disablematch_list_entry in "${disable_white_list[@]:-}"; do - if test -z "${disablematch_list_entry}"; then - log info "disablematch_list_entry unset. Skipping. file_name: '${file_name}'" - continue - fi - if safe_echo "${file_name}" | grep --quiet --fixed-strings -- "${disablematch_list_entry}"; then - is_disable_whitelisted="true" - log info "is_disable_whitelisted=true. Skipping. file_name: '${file_name}'" - ## Stop looping through the disablewhitelist. 
- break - fi - done - - local clean_output_prefix clean_output - clean_output_prefix="Managing (S|G)UID of line:" - clean_output="${setuid:+setuid='true'} ${setgid:+setgid='true'} existing_mode='${existing_mode}' new_mode='${new_mode}' file='${file_name}'" - if test "${whitelists_disable_all:-}" = "true"; then - log info "${clean_output_prefix} whitelists_disable_all=true ${clean_output}" - elif test "${is_disable_whitelisted}" = "true"; then - log info "${clean_output_prefix} is_disable_whitelisted=true ${clean_output}" - else - if test "${is_exact_whitelisted}" = "true"; then - log info "${clean_output_prefix} is_exact_whitelisted=true ${clean_output}" - continue - fi - if test "${is_match_whitelisted}" = "true"; then - log info "${clean_output_prefix} is_match_whitelisted=true matchwhite_list_entry='${matchwhite_list_entry}' ${clean_output}" - continue - fi - fi - - log notice "${clean_output_prefix} ${clean_output}" - - # shellcheck disable=SC2086 - if dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --list "${file_name}" >/dev/null; then - log info "Existing mode already saved previously. Not saving again." - else - ## Save existing_mode in separate database. - ## Not using --update as not intending to enforce existing_mode. - # shellcheck disable=SC2086 - echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --add "${existing_owner}" "${existing_group}" "${existing_mode}" "${file_name}" - fi - - ## No need to check "dpkg-statoverride --list" for existing entries. - ## If existing_mode was correct already, we would not have reached this - ## point. Since existing_mode is incorrect, remove from dpkg-statoverride - ## and re-add. - - ## Remove from real database. - echo_wrapper_ignore silent dpkg-statoverride --remove "${file_name}" - - ## Remove from separate database. 
- # shellcheck disable=SC2086 - echo_wrapper_ignore silent dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --remove "${file_name}" - - ## Add to real database and use --update to make changes on disk. - echo_wrapper_audit verbose dpkg-statoverride --add --update "${existing_owner}" "${existing_group}" "${new_mode}" "${file_name}" - - ## Not using --update as this is only for recording. - # shellcheck disable=SC2086 - echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${existing_owner}" "${existing_group}" "${new_mode}" "${file_name}" - done < <(safe_echo_nonewline "${fso_to_process}" | find -files0-from - -perm /u=s,g=s -print0) - - ## Sanity test. - if test ! "${should_be_counter}" = "${counter_actual}"; then - log info "File (parsed/wanted): '${fso_to_process}': (${counter_actual}/${should_be_counter})" - log error "Expected number of files to be parsed was not met." >&2 - exit_code=202 - fi -} - -set_file_perms() { - log info "START parsing config file: '${config_file}'" - - local line - while read -r line || test -n "${line}"; do - if test -z "${line}"; then - true "DEBUG: line is empty. Skipping." - continue - fi - - if [[ "${line}" =~ ^\s*# ]]; then - continue - fi - - if ! [[ "${line}" =~ [0-9a-zA-Z/] ]]; then - exit_code=200 - log error "Line contains invalid characters: '${line}'" >&2 - ## Safer to exit with error in this case. - ## https://forums.whonix.org/t/disable-suid-binaries/7706/59 - exit "${exit_code}" - fi - - if test "${line}" = 'whitelists_disable_all=true'; then - whitelists_disable_all=true - log info "whitelists_disable_all=true" - continue - fi - - #global fso - local mode_from_config owner_from_config group_from_config capability_from_config - if ! read -r fso mode_from_config owner_from_config group_from_config capability_from_config <<<"${line}"; then - exit_code=201 - log error "Cannot parse line: '${line}'" >&2 - ## Debugging. 
- du -hs /tmp || true - safe_echo "test -w /tmp: '$(test -w /tmp)'" >&2 || true - ## Safer to exit with error in this case. - ## https://forums.whonix.org/t/disable-suid-binaries/7706/59 - exit "${exit_code}" - fi - - log info "Parsing line: fso='${fso}' mode_from_config='${mode_from_config}' owner_from_config='${owner_from_config}' group_from_config='${group_from_config}' capability_from_config='${capability_from_config}'" - - ## Debugging. - #safe_echo "line: '${line}'" - #safe_echo "fso: '${fso}'" - #safe_echo "mode_from_config: '${mode_from_config}'" - #safe_echo "owner_from_config: '${owner_from_config}'" - - local fso_without_trailing_slash - fso_without_trailing_slash="${fso%/}" - - declare -g disable_white_list exact_white_list match_white_list - case "${mode_from_config}" in - disablewhitelist) - disable_white_list+=("${fso}") - continue - ;; - exactwhitelist) - exact_white_list+=("${fso}") - continue - ;; - matchwhitelist) - match_white_list+=("${fso}") - continue - ;; - esac - - if test ! -e "${fso}"; then - log info "File does not exist: '${fso}'" - continue - fi - - ## Use dpkg-statoverride so permissions are not reset during upgrades. - - if test "${mode_from_config}" = "nosuid"; then - ## If mode_from_config is "nosuid" the config does not set owner and - ## group. Therefore do not enforce owner/group check. - add_nosuid_statoverride_entry - else - local string_length_of_mode_from_config - string_length_of_mode_from_config="${#mode_from_config}" - if test "${string_length_of_mode_from_config}" -gt "4"; then - log error "Invalid mode: '${mode_from_config}'" >&2 - continue - fi - if test "${string_length_of_mode_from_config}" -lt "3"; then - log error "Invalid mode: '${mode_from_config}'" >&2 - continue - fi - - if ! grep --quiet --fixed-strings -- "${owner_from_config}:" "${store_dir}/private/passwd"; then - log error "Owner from config does not exist: '${owner_from_config}'" >&2 - continue - fi - - if ! 
grep --quiet --fixed-strings -- "${group_from_config}:" "${store_dir}/private/group"; then - log error "Group from config does not exist: '${group_from_config}'" >&2 - continue - fi - - local mode_for_grep - mode_for_grep="${mode_from_config}" - first_character_of_mode_from_config="${mode_from_config::1}" - if test "${first_character_of_mode_from_config}" = "0"; then - ## Remove leading '0'. - mode_for_grep="${mode_from_config:1}" - fi - - file_name="${fso_without_trailing_slash}" - - ## sets: - ## exiting_mode - ## existing_owner - ## existing_group - output_stat "${file_name}" - - ## Check there is an entry for the fso. - ## - ## example: dpkg-statoverride --list | grep /home - ## output: - ## root root 755 /home - ## - ## dpkg-statoverride does not show leading '0'. - local dpkg_statoverride_list_output="" - local dpkg_statoverride_list_exit_code=0 - dpkg_statoverride_list_output="$(dpkg-statoverride --list "${fso_without_trailing_slash}")" || { - dpkg_statoverride_list_exit_code=$? - true - } - - if test "${dpkg_statoverride_list_exit_code}" = "0"; then - local grep_line - grep_line="${owner_from_config} ${group_from_config} ${mode_for_grep} ${fso_without_trailing_slash}" - if safe_echo "${dpkg_statoverride_list_output}" | grep --quiet --fixed-strings -- "${grep_line}"; then - log info "The owner/group/mode matches fso entry. No further action required." - else - log info "The owner/group/mode does not match fso entry, updating entry." - ## fso_without_trailing_slash instead of fso to prevent - ## "dpkg-statoverride: warning: stripping trailing /" - - # shellcheck disable=SC2086 - if dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --list "${fso_without_trailing_slash}" >/dev/null; then - log info "Existing mode already saved previously. Not saving again." - else - ## Save existing_mode in separate database. - ## Not using --update as not intending to enforce existing_mode. 
- # shellcheck disable=SC2086 - echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --add "${existing_owner}" "${existing_group}" "${existing_mode}" "${fso_without_trailing_slash}" - fi - - # shellcheck disable=SC2086 - echo_wrapper_ignore silent dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --remove "${fso_without_trailing_slash}" - - ## Remove from and add to real database. - echo_wrapper_ignore silent dpkg-statoverride --remove "${fso_without_trailing_slash}" - echo_wrapper_audit verbose dpkg-statoverride --add --update "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}" - - ## Save in separate database. - ## Not using --update as this is only for saving. - # shellcheck disable=SC2086 - echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}" - fi - else - log info "There is no fso entry, adding one." - - # shellcheck disable=SC2086 - if dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --list "${fso_without_trailing_slash}" >/dev/null; then - log info "Existing mode already saved previously. Not saving again." - else - ## Save existing_mode in separate database. - ## Not using --update as not intending to enforce existing_mode. - # shellcheck disable=SC2086 - echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --add "${existing_owner}" "${existing_group}" "${existing_mode}" "${fso_without_trailing_slash}" - fi - - ## Add to real database. - echo_wrapper_audit verbose dpkg-statoverride --add --update "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}" - - ## Save in separate database. - ## Not using --update as this is only for saving. 
- # shellcheck disable=SC2086 - echo_wrapper_audit silent dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${owner_from_config}" "${group_from_config}" "${mode_from_config}" "${fso_without_trailing_slash}" - fi - fi - if test -z "${capability_from_config}"; then - log info "capability_from_config is empty. Skipping. file_name: '${file_name}'" - continue - fi - - if test "${capability_from_config}" = "none"; then - ## https://forums.whonix.org/t/disable-suid-binaries/7706/45 - ## sudo setcap -r /bin/ping 2>/dev/null - ## Failed to set capabilities on file '/bin/ping' (No data available) - ## The value of the capability argument is not permitted for a file. Or - ## the file is not a regular (non-symlink) file - ## Therefore use echo_wrapper_ignore. - ## - ## NOTE: setcap does not support End-of-Options Marker ('--') yet. - ## setcap bug report: - ## setcap Command Does Not Support End-of-Options Marker ('--') - ## https://bugzilla.kernel.org/show_bug.cgi?id=219487 - echo_wrapper_ignore verbose setcap -r "${fso}" - getcap_output="$(getcap -- "${fso}")" - if test -n "${getcap_output}"; then - exit_code=205 - log error "Removing capabilities failed. File: '${fso}'" >&2 - continue - fi - else - if ! 
capsh --print | grep --fixed-strings -- "Bounding set" | grep --quiet -- "${capability_from_config}"; then - log error "Capability from config does not exist: '${capability_from_config}'" >&2 - continue - fi - - ## feature request: dpkg-statoverride: support for capabilities - ## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=502580 - echo_wrapper_audit verbose setcap "${capability_from_config}+ep" -- "${fso}" - fi - - done <"${config_file}" - log info "END parsing config file: '${config_file}'" -} - -parse_config_folder() { - touch "${store_dir}/private/passwd" - chmod og-rwx "${store_dir}/private/passwd" - touch "${store_dir}/private/group" - chmod og-rwx "${store_dir}/private/group" - - local passwd_file_contents_temp - ## Query contents of password and group databases only once and buffer them - ## - ## If we don't buffer we sometimes get incorrect results when checking for - ## entries using 'if getent passwd | grep --quiet -- '^root:'; ...' since - ## 'grep' exits after the first match in this case causing 'getent' to - ## receive SIGPIPE, which then fails the pipeline since 'set -o pipefail' is - ## set for this script. 
- passwd_file_contents_temp="$(getent passwd)" - safe_echo "${passwd_file_contents_temp}" | tee -- "${store_dir}/private/passwd" >/dev/null - group_file_contents_temp="$(getent group)" - safe_echo "${group_file_contents_temp}" | tee -- "${store_dir}/private/group" >/dev/null - - #passwd_file_contents="$(cat "${store_dir}/private/passwd")" - #group_file_contents="$(cat "${store_dir}/private/group")" - - shopt -s nullglob - for config_file in \ - /usr/lib/permission-hardener.d/*.conf \ - /etc/permission-hardener.d/*.conf \ - /usr/local/etc/permission-hardener.d/*.conf \ - /etc/permission-hardening.d/*.conf \ - /usr/local/etc/permission-hardening.d/*.conf - do - set_file_perms - - done -} - -apply() { - check_root - make_store_dir - sanity_tests - parse_config_folder - - log notice "\ -To compare the current and previous permission modes, install 'meld' (or preferred diff tool) for comparison of file mode changes: - sudo apt install --no-install-recommends meld - meld ${store_dir}/existing_mode/statoverride ${store_dir}/new_mode/statoverride" -} - -spare() { - check_root - make_store_dir - - remove_file="${1}" - exit_code=0 - dpkg_admindir_parameter_existing_mode="--admindir ${store_dir}/existing_mode" - dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode" - - if test ! -f "${store_dir}/existing_mode/statoverride"; then - true "DEBUG: Stat file does not exist, hardening was not applied before." - return 0 - fi - - local line - while read -r line; do - ## example line: - ## root root 4755 /usr/lib/eject/dmcrypt-get-device - - local owner group mode file_name - if ! 
read -r owner group mode file_name <<< "${line}"; then - exit_code=201 - log error "Cannot parse line: '${line}'" >&2 - continue - fi - log info "Parsing line: owner='${owner}' group='${group}' mode='${mode}' file_name='${file_name}'" - - if test "${remove_file}" = "all"; then - verbose="" - remove_one=false - else - if test "${remove_file}" = "${file_name}"; then - verbose="--verbose" - remove_one=true - safe_echo "${remove_one}" | tee -- "${store_dir}/remove_one" >/dev/null - else - safe_echo "false" | tee -- "${store_dir}/remove_one" >/dev/null - continue - fi - fi - - if test "${remove_one}" = "true"; then - set -o xtrace - fi - - if test -e "${file_name}"; then - # shellcheck disable=SC2086 - chown ${verbose} "${owner}:${group}" "${file_name}" || exit_code=202 - ## chmod need to be run after chown since chown removes suid. - ## https://unix.stackexchange.com/questions/53665/chown-removes-setuid-bit-bug-or-feature - # shellcheck disable=SC2086 - chmod ${verbose} "${mode}" "${file_name}" || exit_code=203 - else - log info "File does not exist: '${file_name}'" - fi - - dpkg-statoverride --remove "${file_name}" &>/dev/null || true - # shellcheck disable=SC2086 - dpkg-statoverride ${dpkg_admindir_parameter_existing_mode} --remove "${file_name}" &>/dev/null || true - # shellcheck disable=SC2086 - dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --remove "${file_name}" &>/dev/null || true - - if test "${remove_one}" = "true"; then - set +o xtrace - break - fi - - done < "${store_dir}/existing_mode/statoverride" - - if test ! "${remove_file}" = "all"; then - if test "$(cat "${store_dir}/remove_one")" = "false"; then - log info "No file was removed. - - File '${remove_file}' has not been removed from SUID Disabler and Permission Hardener during this invocation. This is expected if already done earlier. - - This program expects the full path to the file. 
Example: - $0 disable /usr/bin/newgrp # absolute path: works - $0 disable newgrp # relative path: does not work - - To remove all: - $0 disable all - - This change might not be permanent. For full instructions, see: - https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener - - To view list of changed by SUID Disabler and Permission Hardener: - https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#View_List_of_Permissions_Changed_by_SUID_Disabler_and_Permission_Hardener - - For re-enabling any specific SUID binary: - https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#Re-Enable_Specific_SUID_Binaries - - For completely disabling SUID Disabler and Permission Hardener: - https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#Disable_SUID_Disabler_and_Permission_Hardener" - fi - fi -} - -check_root(){ - if test "$(id -u)" != "0"; then - log error "Not running as root, aborting." - exit 1 - fi -} - -usage(){ - safe_echo "Usage: ${0##*/} enable - ${0##*/} disable [FILE|all] - -Examples: - ${0##*/} enable - ${0##*/} disable all - ${0##*/} disable /usr/bin/newgrp" >&2 - exit "${1}" -} - -case "${1:-}" in - enable) shift; apply "$@";; - disable) - shift - case "${1:-}" in - "") usage 1;; - *) spare "${1}";; - esac - ;; - -h|--help) usage 0;; - *) usage 1;; -esac - -if test "${exit_code}" != "0"; then - log error "Exiting with non-zero exit code: '${exit_code}'" >&2 -fi - -exit "${exit_code}" diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf b/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf index 6c8369c..71d2298 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf 
@@ -7,7 +7,8 @@ # Keep the `passwd` utility executable to prevent issues with the # /usr/libexec/security-misc/pam-abort-on-locked-password script blocking -# user logins with `su` and KScreenLocker +# user logins with `su` and KScreenLocker. exactwhitelist is needed to keep +# the nosuid rule on /usr/bin from fighting with these rules. # # See also: https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#passwd /usr/bin/passwd exactwhitelist From 717e6fcfbea38cef9d3e201cf2e2b725e3da2267 Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Mon, 30 Dec 2024 19:23:20 -0600 Subject: [PATCH 719/846] Post-review improvements to permission-hardener --- usr/bin/permission-hardener | 61 ++++++++++++++++++------------------- 1 file changed, 30 insertions(+), 31 deletions(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index de03c7c..bcd8180 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -107,7 +107,7 @@ output_stat() { return 1 fi - if [ "$stat_output" = '' ]; then + if [ -z "$stat_output" ]; then log error "stat_output is empty. File name: '${file_name}' Stat output: '${stat_output}' @@ -119,7 +119,7 @@ line: '${processed_config_line}' stat_output_newlined="$(printf '%s\n' "${stat_output//${delimiter}/$'\n'}")" - if [ "${stat_output_newlined}" = '' ]; then + if [ -z "${stat_output_newlined}" ]; then log error "stat_output_newlined is empty. File name: '${file_name}' Stat output: '${stat_output}' @@ -225,9 +225,7 @@ check_nosuid_whitelist() { [[ " ${policy_disable_white_list[*]} " =~ " ${target_file} " ]] && return 0 ## literal matching is intentional here too - if [[ " ${policy_exact_white_list[*]} " =~ " ${target_file} " ]]; then - return 1 - fi + [[ " ${policy_exact_white_list[*]} " =~ " ${target_file} " ]] && return 1 for match_white_list_entry in "${policy_match_white_list[@]:-}"; do if safe_echo "${target_file}" \ 
@@ -286,6 +284,9 @@ load_early_nosuid_policy() { | find -files0-from - -perm /u=s,g=s -print0) } +## If the "target file" matches the start of the state file name, that's a +## likely match. This is used by load_late_nosuid_policy for detecting info +## about files that need SUID-locked that are in the state. match_dir() { local base_str match_str base_arr match_arr base_idx @@ -316,8 +317,6 @@ load_late_nosuid_policy() { state_file_item="${state_file_list[state_idx]}" check_nosuid_whitelist "${state_file_item}" || continue - ## If the "target file" matches the start of the state file name, that's - ## a likely match. match_dir "${target_file}" "${state_file_item}" || continue if [ -h "${state_file_item}" ]; then @@ -340,21 +339,21 @@ load_late_nosuid_policy() { } load_state_without_policy() { - local line bit_list + local line field_list ## Load the state file from disk if [ -f "${state_file}" ]; then while read -r line; do - read -r -a bit_list <<< "${line}" - if (( ${#bit_list[@]} != 4 )); then + read -r -a field_list <<< "${line}" + if (( ${#field_list[@]} != 4 )); then log info \ "Invalid number of fields in state file line: '${line}'. Skipping." continue fi - state_user_owner_list+=( "${bit_list[0]}" ) - state_group_owner_list+=( "${bit_list[1]}" ) - state_mode_list+=( "${bit_list[2]}" ) - state_file_list+=( "${bit_list[3]}" ) + state_user_owner_list+=( "${field_list[0]}" ) + state_group_owner_list+=( "${field_list[1]}" ) + state_mode_list+=( "${field_list[2]}" ) + state_file_list+=( "${field_list[3]}" ) done < "${state_file}" fi } @@ -369,7 +368,7 @@ load_state() { ## Additionally, the special value 'whitelists_disable_all=true' is understood ## to mean that all whitelisting should be ignored. - local config_file line bit_list policy_nosuid_file_item policy_file_item + local config_file line field_list policy_nosuid_file_item policy_file_item ## Load configuration, deferring whitelist handling until later for config_file in \ 
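Review bot: The relocated comment above `match_dir` reads awkwardly ("files that need SUID-locked that are in the state") and describes the caller rather than the function's contract. Something like `## Returns success when the state file name starts with the "target file" (a likely match). load_late_nosuid_policy uses this to find state entries for files whose SUID bit must stay locked.` says the same thing from the function's point of view. The return convention is inferred from the `|| continue` call site in the following hunk, so confirm it against the body, which is outside this hunk.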
@@ -393,7 +392,7 @@ load_state() { continue fi - if ! [[ "${line}" =~ [0-9a-zA-Z/] ]]; then + if ! [[ "${line}" =~ ^[-0-9a-zA-Z._/[:space:]]*$ ]]; then exit_code=200 log error "Line contains invalid characters: '${line}'" >&2 ## Safer to exit with error in this case. @@ -409,40 +408,40 @@ load_state() { processed_config_line="${line}" - IFS=' ' read -r -a bit_list <<< "${line}" + IFS=' ' read -r -a field_list <<< "${line}" - if (( ${#bit_list[@]} < 2 )) \ - || (( ${#bit_list[@]} > 5 )) \ - || (( ${#bit_list[@]} == 3 )); then + if (( ${#field_list[@]} != 2 )) \ + && (( ${#field_list[@]} != 4 )) \ + && (( ${#field_list[@]} != 5 )); then exit_code=200 log error "Line contains an invalid number of fields: '${line}'" >&2 exit "${exit_code}" fi # Strip trailing slash if appropriate - bit_list[0]="${bit_list[0]%/}" + field_list[0]="${field_list[0]%/}" - case "${bit_list[1]}" in + case "${field_list[1]}" in 'exactwhitelist') - [ ! -e "${bit_list[0]}" ] && continue - policy_exact_white_list+=( "${bit_list[0]}" ) + [ ! -e "${field_list[0]}" ] && continue + policy_exact_white_list+=( "${field_list[0]}" ) continue ;; 'matchwhitelist') - policy_match_white_list+=( "${bit_list[0]}" ) + policy_match_white_list+=( "${field_list[0]}" ) continue ;; 'disablewhitelist') - policy_disable_white_list+=( "${bit_list[0]}" ) + policy_disable_white_list+=( "${field_list[0]}" ) continue ;; 'nosuid') - [ ! -e "${bit_list[0]}" ] && continue - policy_nosuid_file_list+=( "${bit_list[0]}" ) + [ ! -e "${field_list[0]}" ] && continue + policy_nosuid_file_list+=( "${field_list[0]}" ) ;; *) - [ ! -e "${bit_list[0]}" ] && continue - add_to_policy "${bit_list[@]}" + [ ! -e "${field_list[0]}" ] && continue + add_to_policy "${field_list[@]}" ;; esac done < "${config_file}" 
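Review bot: The new character whitelist `^[-0-9a-zA-Z._/[:space:]]*$` rejects `=`, so if the special `whitelists_disable_all=true` line (described in the `load_state` header comment visible in the previous hunk) is still tested after this check, as it was in the old `set_file_perms`, that line now aborts the run with "Line contains invalid characters" instead of disabling whitelists. Either move the equality test for that line ahead of the validation, or add `=` to the class: `if ! [[ "${line}" =~ ^[-0-9a-zA-Z._/=[:space:]]*$ ]]; then`. The lines between this hunk and the next (old 400–408) are not visible, so this needs confirming against them. Tightening from "contains an alphanumeric" to a full-line whitelist is otherwise a good change, since it stops stray shell metacharacters in a config line from reaching the `dpkg-statoverride` and `setcap` arguments.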
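Review bot: A two-field line whose second field is not one of the four keywords (a typo such as `exactwhitelst`) passes the count check, which now accepts exactly 2, 4 or 5 fields, and falls into the `*)` arm, where `add_to_policy "${field_list[@]}"` receives only a path and the misspelt word in the mode position. Unless `add_to_policy` (outside this hunk) validates its argument count, rejecting that case in the default arm, e.g. `(( ${#field_list[@]} == 2 )) && { exit_code=200; log error "Unknown keyword in line: '${line}'" >&2; exit "${exit_code}"; }`, would keep a config typo from being silently treated as a mode. The `${field_list[0]%/}` strip also turns a bare `/` into the empty string, which the `-e` tests then skip without a message; probably irrelevant for real configs, but worth a comment on the "Strip trailing slash" line.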
@@ -661,7 +660,7 @@ undo_policy_for_file() { state_user_owner_item="${state_user_owner_list[state_idx]}" state_group_owner_item="${state_group_owner_list[state_idx]}" state_mode_item="${state_mode_list[state_idx]}" - chown ${verbose} "${state_user_owner_item}:${state_group_owner_item}" \ + chown ${verbose} -- "${state_user_owner_item}:${state_group_owner_item}" \ "${undo_file}" || exit_code=202 ## chmod needs to be run after chown since chown removes suid. chmod ${verbose} "${state_mode_item}" "${undo_file}" || exit_code=203 From 0640964c35b0d977ba718629d4a8791e67700202 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 31 Dec 2024 06:14:29 -0500 Subject: [PATCH 720/846] readme --- README.md | 28 +++++++++++++++------------- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/README.md b/README.md index df12ba2..5a7e36b 100644 --- a/README.md +++ b/README.md 
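Review bot: `--` is added to `chown`, but the `chmod` two lines below still runs as `chmod ${verbose} "${state_mode_item}" "${undo_file}"`, so the same end-of-options concern applies to its path operand; `chmod ${verbose} -- "${state_mode_item}" "${undo_file}"` keeps the two calls consistent. In the old script the mode came from `stat --format=%a`, a numeric mode that never begins with `-`, so placing the marker before it is safe if that is still the source. Both values come from the state file the script itself writes, so the risk is low, but the asymmetry reads like an oversight. undo_policy_for_file starts before and continues after this hunk.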
@@ -584,28 +584,30 @@ See: #### umask -Default `umask` is set to `027` for files created by non-root users such as -user `user`. +The default `umask` is set to `027` for files created by non-root users, such +as the account `user`. This is done using the PAM module `pam_mkhomedir.so umask=027`. -This means files created by non-root users cannot be read by other non-root -users by default. While Permission Lockdown already protects the `/home` folder, -this protects other folders such as `/tmp`. +This configuration ensures that files created by non-root users cannot be read +by other non-root users by default. While Permission Lockdown already protects +the `/home` folder, this setting extends protection to other folders such as +`/tmp`. `group` read permissions are not removed. This is unnecessary due to Debian's use of User Private Groups (UPGs). See also: https://wiki.debian.org/UserPrivateGroups -Default `umask` is unchanged for root because then configuration files created -in `/etc` by the system administrator would be unreadable by "others" and break -applications. Examples include `/etc/firefox-esr` and `/etc/thunderbird`. The -`umask` is also set to 022 via `sudoers` configuration, so that files created -as root are world-readable even when using commands such as `sudo vi -/etc/file` or `sudo -i; touch /etc/file`. +The default `umask` is unchanged for root because configuration files created +in `/etc` by the system administrator would otherwise be unreadable by +"others," potentially breaking applications. Examples include `/etc/firefox-esr` +and `/etc/thunderbird`. Additionally, the `umask` is set to `022` via `sudoers` +configuration, ensuring that files created as root are world-readable, even +when using commands such as `sudo vi /etc/file` or `sudo -i; touch /etc/file`. 
-`umask` is set to 022 rather than 027 when using `sudo`, so that commands such -as `sudo vi /etc/configfile` and `sudo -i; touch /etc/file` +When using `sudo`, the `umask` is set to `022` rather than `027` to ensure +compatibility with commands such as `sudo vi /etc/configfile` and +`sudo -i; touch /etc/file`. See: From bb24bff2965ca31de6337820eafd787a11a44a2b Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 31 Dec 2024 14:09:34 +0000 Subject: [PATCH 721/846] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 97f695d..e706b3b 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit 0640964c35b0d977ba718629d4a8791e67700202 +Author: Patrick Schleizer +Date: Tue Dec 31 06:14:29 2024 -0500 + + readme + +commit 397b476a822c9f7e41ec911f5d689b67026660ad +Author: Patrick Schleizer +Date: Thu Dec 26 04:12:02 2024 +0000 + + bumped changelog version + commit 66f8c18c65f33676d242b57ebb1d4410876461b3 Merge: aa82202 6602fb1 Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index 09c0cc8..ad720d8 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:42.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 31 Dec 2024 14:09:34 +0000 + security-misc (3:41.9-1) unstable; urgency=medium * New upstream version (local package). From 33114f771aaeb4dccb0b465861d1239129deb8b2 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Tue, 31 Dec 2024 13:26:21 -0500 Subject: [PATCH 722/846] copyright --- COPYING | 2 +- debian/copyright | 2 +- debian/make-helper-overrides.bsh | 2 +- debian/rules | 2 +- debian/security-misc.displace | 2 +- debian/security-misc.gconf-defaults | 2 +- debian/security-misc.install | 2 +- debian/security-misc.links | 2 +- debian/security-misc.maintscript | 2 +- debian/security-misc.postinst | 2 +- debian/security-misc.postrm | 2 +- debian/security-misc.preinst | 2 +- debian/security-misc.prerm | 2 +- debian/security-misc.triggers | 2 +- debian/security-misc.undisplace | 2 +- debian/watch | 2 +- etc/apparmor.d/tunables/home.d/security-misc | 2 +- etc/apt/apt.conf.d/40error-on-any | 2 +- etc/apt/apt.conf.d/40sandbox | 2 +- etc/bluetooth/30_security-misc.conf | 2 +- etc/default/grub.d/40_cpu_mitigations.cfg | 2 +- etc/default/grub.d/40_kernel_hardening.cfg | 2 +- etc/default/grub.d/40_remount_secure.cfg | 2 +- etc/default/grub.d/40_signed_modules.cfg | 2 +- etc/default/grub.d/41_quiet_boot.cfg | 2 +- etc/default/grub.d/41_recovery_restrict.cfg | 2 +- etc/dracut.conf.d/30-security-misc.conf | 2 +- etc/gitconfig | 2 +- etc/hide-hardware-info.d/30_default.conf | 2 +- etc/initramfs-tools/hooks/sysctl-initramfs | 2 +- etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs | 2 +- etc/kernel/postinst.d/30_remove-system-map | 2 +- etc/modprobe.d/30_security-misc_blacklist.conf | 2 +- etc/modprobe.d/30_security-misc_conntrack.conf | 2 +- etc/modprobe.d/30_security-misc_disable.conf | 2 +- etc/profile.d/30_security-misc.sh | 2 +- etc/securetty.security-misc | 2 +- etc/security/access-security-misc.conf | 2 +- etc/security/faillock.conf.security-misc | 2 +- etc/security/limits.d/30_security-misc.conf | 2 +- etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml | 2 +- etc/sudoers.d/security-misc | 2 +- etc/systemd/system/emergency.service.d/override.conf | 2 +- etc/systemd/system/rescue.service.d/override.conf | 2 +- 
etc/thunderbird/pref/40_security-misc.js | 2 +- usr/bin/disabled-bluetooth-by-security-misc | 2 +- usr/bin/disabled-cdrom-by-security-misc | 2 +- usr/bin/disabled-filesys-by-security-misc | 2 +- usr/bin/disabled-firewire-by-security-misc | 2 +- usr/bin/disabled-framebuffer-by-security-misc | 2 +- usr/bin/disabled-gps-by-security-misc | 2 +- usr/bin/disabled-intelme-by-security-misc | 2 +- usr/bin/disabled-intelpmt-by-security-misc | 2 +- usr/bin/disabled-miscellaneous-by-security-misc | 2 +- usr/bin/disabled-netfilesys-by-security-misc | 2 +- usr/bin/disabled-network-by-security-misc | 2 +- usr/bin/disabled-thunderbolt-by-security-misc | 2 +- usr/bin/permission-hardener | 2 +- usr/bin/remount-secure | 2 +- usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf | 2 +- usr/lib/NetworkManager/conf.d/80_randomize-mac.conf | 2 +- .../modules.d-disabled/20remount-secure/module-setup.sh | 2 +- .../modules.d-disabled/20remount-secure/remount-secure.sh | 2 +- usr/lib/modules-load.d/30_security-misc.conf | 2 +- usr/lib/permission-hardener.d/25_default_passwd.conf | 2 +- usr/lib/permission-hardener.d/25_default_sudo.conf | 2 +- .../25_default_whitelist_bubblewrap.conf | 2 +- .../permission-hardener.d/25_default_whitelist_chromium.conf | 2 +- usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf | 2 +- .../permission-hardener.d/25_default_whitelist_firejail.conf | 2 +- usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf | 2 +- .../25_default_whitelist_hardened_malloc.conf | 2 +- usr/lib/permission-hardener.d/25_default_whitelist_mount.conf | 2 +- usr/lib/permission-hardener.d/25_default_whitelist_pam.conf | 2 +- .../permission-hardener.d/25_default_whitelist_policykit.conf | 2 +- .../permission-hardener.d/25_default_whitelist_postfix.conf | 2 +- usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf | 2 +- .../permission-hardener.d/25_default_whitelist_selinux.conf | 2 +- usr/lib/permission-hardener.d/25_default_whitelist_spice.conf | 2 +- 
usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf | 2 +- usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf | 2 +- .../25_default_whitelist_unix_chkpwd.conf | 2 +- .../25_default_whitelist_virtualbox.conf | 2 +- usr/lib/permission-hardener.d/30_default.conf | 2 +- usr/lib/sysctl.d/30_security-misc_kexec-disable.conf | 2 +- usr/lib/sysctl.d/30_silent-kernel-printk.conf | 2 +- usr/lib/sysctl.d/990-security-misc.conf | 2 +- usr/lib/systemd/coredump.conf.d/30_security-misc.conf | 2 +- .../systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf | 2 +- usr/lib/systemd/system-preset/50-security-misc.preset | 2 +- usr/lib/systemd/system/harden-module-loading.service | 2 +- .../systemd/system/haveged.service.d/30_security-misc.conf | 2 +- usr/lib/systemd/system/hide-hardware-info.service | 2 +- usr/lib/systemd/system/panic-on-oops.service | 2 +- usr/lib/systemd/system/permission-hardener.service | 2 +- usr/lib/systemd/system/proc-hidepid.service | 2 +- usr/lib/systemd/system/remount-secure.service | 2 +- usr/lib/systemd/system/remove-system-map.service | 2 +- usr/lib/systemd/system/sysinit-post.target | 2 +- usr/lib/systemd/system/user@.service.d/sysfs.conf | 2 +- usr/libexec/security-misc/apt-get-update | 2 +- usr/libexec/security-misc/apt-get-update-sanity-test | 2 +- usr/libexec/security-misc/askpass | 2 +- usr/libexec/security-misc/disable-kernel-module-loading | 2 +- usr/libexec/security-misc/echo-path | 2 +- usr/libexec/security-misc/hide-hardware-info | 2 +- usr/libexec/security-misc/mmap-rnd-bits | 4 ++-- usr/libexec/security-misc/pam-abort-on-locked-password | 2 +- usr/libexec/security-misc/pam-info | 2 +- usr/libexec/security-misc/pam_faillock_not_if_x | 2 +- usr/libexec/security-misc/pam_only_if_login | 2 +- usr/libexec/security-misc/panic-on-oops | 2 +- usr/libexec/security-misc/permission-lockdown | 2 +- usr/libexec/security-misc/remove-system.map | 2 +- usr/libexec/security-misc/virusforget | 2 +- 
usr/share/glib-2.0/schemas/30_security-misc.gschema.override | 2 +- usr/share/lintian/overrides/security-misc | 2 +- usr/share/security-misc/dolphinrc | 2 +- usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf | 2 +- usr/share/security-misc/lkrg/lkrg-virtualbox | 2 +- 120 files changed, 121 insertions(+), 121 deletions(-) diff --git a/COPYING b/COPYING index bf11138..829d909 100644 --- a/COPYING +++ b/COPYING @@ -1,7 +1,7 @@ Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Files: * -Copyright: 2012 - 2024 ENCRYPTED SUPPORT LP +Copyright: 2012 - 2025 ENCRYPTED SUPPORT LLC License: AGPL-3+ License: AGPL-3+ diff --git a/debian/copyright b/debian/copyright index bf11138..829d909 100644 --- a/debian/copyright +++ b/debian/copyright @@ -1,7 +1,7 @@ Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Files: * -Copyright: 2012 - 2024 ENCRYPTED SUPPORT LP +Copyright: 2012 - 2025 ENCRYPTED SUPPORT LLC License: AGPL-3+ License: AGPL-3+ diff --git a/debian/make-helper-overrides.bsh b/debian/make-helper-overrides.bsh index ca24e42..dda635e 100755 --- a/debian/make-helper-overrides.bsh +++ b/debian/make-helper-overrides.bsh @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2021 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2021 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/24 diff --git a/debian/rules b/debian/rules index 60f46e0..ca5e85c 100755 --- a/debian/rules +++ b/debian/rules @@ -1,6 +1,6 @@ #!/usr/bin/make -f -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. #export DH_VERBOSE=1 diff --git a/debian/security-misc.displace b/debian/security-misc.displace index 29392d5..78257f6 100644 --- a/debian/security-misc.displace +++ b/debian/security-misc.displace 
@@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. /etc/securetty.security-misc diff --git a/debian/security-misc.gconf-defaults b/debian/security-misc.gconf-defaults index ebfb7f3..b79536a 100644 --- a/debian/security-misc.gconf-defaults +++ b/debian/security-misc.gconf-defaults @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. /apps/nautilus/preview_sound never diff --git a/debian/security-misc.install b/debian/security-misc.install index 51e61ce..6d5f850 100644 --- a/debian/security-misc.install +++ b/debian/security-misc.install @@ -1,4 +1,4 @@ -## Copyright (C) 2020 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2020 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## This file was generated using 'genmkfile debinstfile'. diff --git a/debian/security-misc.links b/debian/security-misc.links index 467193f..c3369df 100644 --- a/debian/security-misc.links +++ b/debian/security-misc.links @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. /etc/profile.d/30_security-misc.sh /etc/zprofile.d/30_security-misc.zsh diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript index adce7ef..9e990e4 100644 --- a/debian/security-misc.maintscript +++ b/debian/security-misc.maintscript @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. rm_conffile /etc/sudoers.d/umask-security-misc diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst index 41aa3dc..8cbe4d7 100644 --- a/debian/security-misc.postinst +++ b/debian/security-misc.postinst 
@@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then diff --git a/debian/security-misc.postrm b/debian/security-misc.postrm index d474547..13dc588 100644 --- a/debian/security-misc.postrm +++ b/debian/security-misc.postrm @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then diff --git a/debian/security-misc.preinst b/debian/security-misc.preinst index f10ff11..992ff96 100644 --- a/debian/security-misc.preinst +++ b/debian/security-misc.preinst @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then diff --git a/debian/security-misc.prerm b/debian/security-misc.prerm index b1f7db3..1c4cd87 100644 --- a/debian/security-misc.prerm +++ b/debian/security-misc.prerm @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then diff --git a/debian/security-misc.triggers b/debian/security-misc.triggers index 2cadd25..1f4a592 100644 --- a/debian/security-misc.triggers +++ b/debian/security-misc.triggers @@ -1,4 +1,4 @@ -## Copyright (C) 2024 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2024 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## use noawait diff --git a/debian/security-misc.undisplace b/debian/security-misc.undisplace index 6db9354..990101a 100644 --- a/debian/security-misc.undisplace +++ b/debian/security-misc.undisplace 
@@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. /etc/login.defs.security-misc diff --git a/debian/watch b/debian/watch index e38736e..86f015f 100644 --- a/debian/watch +++ b/debian/watch @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. version=4 diff --git a/etc/apparmor.d/tunables/home.d/security-misc b/etc/apparmor.d/tunables/home.d/security-misc index 5256089..d63d5db 100644 --- a/etc/apparmor.d/tunables/home.d/security-misc +++ b/etc/apparmor.d/tunables/home.d/security-misc @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. alias /etc/pam.d/common-session -> /etc/pam.d/common-session.security-misc, diff --git a/etc/apt/apt.conf.d/40error-on-any b/etc/apt/apt.conf.d/40error-on-any index 85de3be..f1be472 100644 --- a/etc/apt/apt.conf.d/40error-on-any +++ b/etc/apt/apt.conf.d/40error-on-any @@ -1,4 +1,4 @@ -## Copyright (C) 2021 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2021 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Make "sudo apt-get update" exit non-zero for transient failures. diff --git a/etc/apt/apt.conf.d/40sandbox b/etc/apt/apt.conf.d/40sandbox index e8025ac..43150ec 100644 --- a/etc/apt/apt.conf.d/40sandbox +++ b/etc/apt/apt.conf.d/40sandbox @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## https://forums.whonix.org/t/apt-seccomp-bpf-sandboxing/7702 diff --git a/etc/bluetooth/30_security-misc.conf b/etc/bluetooth/30_security-misc.conf index 8f45502..91ce2d3 100644 --- a/etc/bluetooth/30_security-misc.conf +++ b/etc/bluetooth/30_security-misc.conf 
@@ -1,4 +1,4 @@ -## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. [General] diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index fa750b7..6194b8f 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Definitions: diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index e41dabb..748bf47 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. kpkg="linux-image-$(dpkg --print-architecture)" || true diff --git a/etc/default/grub.d/40_remount_secure.cfg b/etc/default/grub.d/40_remount_secure.cfg index f06235b..c3cc30a 100644 --- a/etc/default/grub.d/40_remount_secure.cfg +++ b/etc/default/grub.d/40_remount_secure.cfg @@ -1,4 +1,4 @@ -## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Definitions: diff --git a/etc/default/grub.d/40_signed_modules.cfg b/etc/default/grub.d/40_signed_modules.cfg index 75cd3bb..36af7f3 100644 --- a/etc/default/grub.d/40_signed_modules.cfg +++ b/etc/default/grub.d/40_signed_modules.cfg @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Definitions: diff --git a/etc/default/grub.d/41_quiet_boot.cfg b/etc/default/grub.d/41_quiet_boot.cfg index 9623625..96d43cd 100644 
--- a/etc/default/grub.d/41_quiet_boot.cfg +++ b/etc/default/grub.d/41_quiet_boot.cfg @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Definitions: diff --git a/etc/default/grub.d/41_recovery_restrict.cfg b/etc/default/grub.d/41_recovery_restrict.cfg index 530a728..89fe02f 100644 --- a/etc/default/grub.d/41_recovery_restrict.cfg +++ b/etc/default/grub.d/41_recovery_restrict.cfg @@ -1,4 +1,4 @@ -## Copyright (C) 2024 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2024 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Definitions: diff --git a/etc/dracut.conf.d/30-security-misc.conf b/etc/dracut.conf.d/30-security-misc.conf index 4e24799..5b3c7b5 100644 --- a/etc/dracut.conf.d/30-security-misc.conf +++ b/etc/dracut.conf.d/30-security-misc.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2021 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2021 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. reproducible=yes diff --git a/etc/gitconfig b/etc/gitconfig index 4955199..8ce67b4 100644 --- a/etc/gitconfig +++ b/etc/gitconfig @@ -1,4 +1,4 @@ -## Copyright (C) 2024 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2024 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Lines starting with a hash symbol ('#') are comments. diff --git a/etc/hide-hardware-info.d/30_default.conf b/etc/hide-hardware-info.d/30_default.conf index 07e1c7e..7c41eb4 100644 --- a/etc/hide-hardware-info.d/30_default.conf +++ b/etc/hide-hardware-info.d/30_default.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Disable the /sys whitelist. diff --git a/etc/initramfs-tools/hooks/sysctl-initramfs b/etc/initramfs-tools/hooks/sysctl-initramfs index 22ceaf1..022c6af 100755 
--- a/etc/initramfs-tools/hooks/sysctl-initramfs +++ b/etc/initramfs-tools/hooks/sysctl-initramfs @@ -1,6 +1,6 @@ #!/bin/sh -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. set -e diff --git a/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs b/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs index 88d0162..e4792e7 100755 --- a/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs +++ b/etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs @@ -1,6 +1,6 @@ #!/bin/sh -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. PREREQ="" diff --git a/etc/kernel/postinst.d/30_remove-system-map b/etc/kernel/postinst.d/30_remove-system-map index f5e3d96..416c808 100755 --- a/etc/kernel/postinst.d/30_remove-system-map +++ b/etc/kernel/postinst.d/30_remove-system-map @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. if test -x /usr/libexec/security-misc/remove-system.map ; then diff --git a/etc/modprobe.d/30_security-misc_blacklist.conf b/etc/modprobe.d/30_security-misc_blacklist.conf index af312b2..49e4fcb 100644 --- a/etc/modprobe.d/30_security-misc_blacklist.conf +++ b/etc/modprobe.d/30_security-misc_blacklist.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## See the following links for a community discussion and overview regarding the selections. diff --git a/etc/modprobe.d/30_security-misc_conntrack.conf b/etc/modprobe.d/30_security-misc_conntrack.conf index c1a641b..29cbb74 100644 --- a/etc/modprobe.d/30_security-misc_conntrack.conf +++ b/etc/modprobe.d/30_security-misc_conntrack.conf 
@@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Conntrack: diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf index 561441a..c7fc2b6 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf +++ b/etc/modprobe.d/30_security-misc_disable.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## See the following links for a community discussion and overview regarding the selections. diff --git a/etc/profile.d/30_security-misc.sh b/etc/profile.d/30_security-misc.sh index 41aa6ac..c1adb22 100755 --- a/etc/profile.d/30_security-misc.sh +++ b/etc/profile.d/30_security-misc.sh @@ -1,6 +1,6 @@ #!/bin/sh -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. if [ -z "$XDG_CONFIG_DIRS" ]; then diff --git a/etc/securetty.security-misc b/etc/securetty.security-misc index e32ca29..c98d20d 100644 --- a/etc/securetty.security-misc +++ b/etc/securetty.security-misc @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. # /etc/securetty: list of terminals on which root is allowed to login. diff --git a/etc/security/access-security-misc.conf b/etc/security/access-security-misc.conf index a78abd1..c7f002f 100644 --- a/etc/security/access-security-misc.conf +++ b/etc/security/access-security-misc.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## To enable root login, see: 
diff --git a/etc/security/faillock.conf.security-misc b/etc/security/faillock.conf.security-misc index 3442279..4b70cde 100644 --- a/etc/security/faillock.conf.security-misc +++ b/etc/security/faillock.conf.security-misc @@ -1,4 +1,4 @@ -## Copyright (C) 2021 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2021 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. # Configuration for locking the user after multiple failed diff --git a/etc/security/limits.d/30_security-misc.conf b/etc/security/limits.d/30_security-misc.conf index 91a08a3..d494b14 100644 --- a/etc/security/limits.d/30_security-misc.conf +++ b/etc/security/limits.d/30_security-misc.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Disable coredumps. diff --git a/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml b/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml index 0f588ae..dd94349 100644 --- a/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml +++ b/etc/skel/.config/xfce4/xfconf/xfce-perchannel-xml/thunar.xml @@ -1,6 +1,6 @@ - + diff --git a/etc/sudoers.d/security-misc b/etc/sudoers.d/security-misc index cc700a9..1fa2146 100644 --- a/etc/sudoers.d/security-misc +++ b/etc/sudoers.d/security-misc @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Neither of these are needed. diff --git a/etc/systemd/system/emergency.service.d/override.conf b/etc/systemd/system/emergency.service.d/override.conf index a7d4469..42fefd4 100644 --- a/etc/systemd/system/emergency.service.d/override.conf +++ b/etc/systemd/system/emergency.service.d/override.conf 
@@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211 diff --git a/etc/systemd/system/rescue.service.d/override.conf b/etc/systemd/system/rescue.service.d/override.conf index a7d4469..42fefd4 100644 --- a/etc/systemd/system/rescue.service.d/override.conf +++ b/etc/systemd/system/rescue.service.d/override.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211 diff --git a/etc/thunderbird/pref/40_security-misc.js b/etc/thunderbird/pref/40_security-misc.js index 49df52d..931f9d2 100644 --- a/etc/thunderbird/pref/40_security-misc.js +++ b/etc/thunderbird/pref/40_security-misc.js @@ -1,4 +1,4 @@ -//#### Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +//#### Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC //#### See the file COPYING for copying conditions. //#### meta start diff --git a/usr/bin/disabled-bluetooth-by-security-misc b/usr/bin/disabled-bluetooth-by-security-misc index d576b26..0a4c308 100755 --- a/usr/bin/disabled-bluetooth-by-security-misc +++ b/usr/bin/disabled-bluetooth-by-security-misc @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. diff --git a/usr/bin/disabled-cdrom-by-security-misc b/usr/bin/disabled-cdrom-by-security-misc index af27e08..f017e76 100755 --- a/usr/bin/disabled-cdrom-by-security-misc +++ b/usr/bin/disabled-cdrom-by-security-misc 
@@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. diff --git a/usr/bin/disabled-filesys-by-security-misc b/usr/bin/disabled-filesys-by-security-misc index faffe58..f0cf9b4 100755 --- a/usr/bin/disabled-filesys-by-security-misc +++ b/usr/bin/disabled-filesys-by-security-misc @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. diff --git a/usr/bin/disabled-firewire-by-security-misc b/usr/bin/disabled-firewire-by-security-misc index 4886755..c0d035a 100755 --- a/usr/bin/disabled-firewire-by-security-misc +++ b/usr/bin/disabled-firewire-by-security-misc @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. diff --git a/usr/bin/disabled-framebuffer-by-security-misc b/usr/bin/disabled-framebuffer-by-security-misc index 681bc40..c287c21 100755 --- a/usr/bin/disabled-framebuffer-by-security-misc +++ b/usr/bin/disabled-framebuffer-by-security-misc @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2024 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2024 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. diff --git a/usr/bin/disabled-gps-by-security-misc b/usr/bin/disabled-gps-by-security-misc index 51997c1..149249a 100755 --- a/usr/bin/disabled-gps-by-security-misc 
+++ b/usr/bin/disabled-gps-by-security-misc @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. diff --git a/usr/bin/disabled-intelme-by-security-misc b/usr/bin/disabled-intelme-by-security-misc index dc2bb72..094fa29 100755 --- a/usr/bin/disabled-intelme-by-security-misc +++ b/usr/bin/disabled-intelme-by-security-misc @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. diff --git a/usr/bin/disabled-intelpmt-by-security-misc b/usr/bin/disabled-intelpmt-by-security-misc index 76daa06..45a7aa4 100755 --- a/usr/bin/disabled-intelpmt-by-security-misc +++ b/usr/bin/disabled-intelpmt-by-security-misc @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2024 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2024 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. diff --git a/usr/bin/disabled-miscellaneous-by-security-misc b/usr/bin/disabled-miscellaneous-by-security-misc index 6eff13c..5848c6e 100755 --- a/usr/bin/disabled-miscellaneous-by-security-misc +++ b/usr/bin/disabled-miscellaneous-by-security-misc @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. diff --git a/usr/bin/disabled-netfilesys-by-security-misc b/usr/bin/disabled-netfilesys-by-security-misc index 8775acb..ed4e792 100755 
--- a/usr/bin/disabled-netfilesys-by-security-misc +++ b/usr/bin/disabled-netfilesys-by-security-misc @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. diff --git a/usr/bin/disabled-network-by-security-misc b/usr/bin/disabled-network-by-security-misc index a6a87db..f8c3129 100755 --- a/usr/bin/disabled-network-by-security-misc +++ b/usr/bin/disabled-network-by-security-misc @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. diff --git a/usr/bin/disabled-thunderbolt-by-security-misc b/usr/bin/disabled-thunderbolt-by-security-misc index 5bac656..c6d1d71 100755 --- a/usr/bin/disabled-thunderbolt-by-security-misc +++ b/usr/bin/disabled-thunderbolt-by-security-misc @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Alerts user that a kernel module failed to load due to it being explicitly disabled by default. diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index c88b54f..1f19b6e 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## https://forums.whonix.org/t/disable-suid-binaries/7706 diff --git a/usr/bin/remount-secure b/usr/bin/remount-secure index 14da1fe..865867d 100755 --- a/usr/bin/remount-secure +++ b/usr/bin/remount-secure 
@@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## features: diff --git a/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf b/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf index 246eaf2..3d0a483 100644 --- a/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf +++ b/usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## MAC randomisation breaks root server and VirtualBox DHCP likely due to IPv6 Privacy Extensions. diff --git a/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf b/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf index dfeda10..8088591 100644 --- a/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf +++ b/usr/lib/NetworkManager/conf.d/80_randomize-mac.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## MAC randomisation breaks root server and VirtualBox DHCP likely due to IPv6 Privacy Extensions. diff --git a/usr/lib/dracut/modules.d-disabled/20remount-secure/module-setup.sh b/usr/lib/dracut/modules.d-disabled/20remount-secure/module-setup.sh index e5a4188..8917091 100755 --- a/usr/lib/dracut/modules.d-disabled/20remount-secure/module-setup.sh +++ b/usr/lib/dracut/modules.d-disabled/20remount-secure/module-setup.sh @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. # called by dracut diff --git a/usr/lib/dracut/modules.d-disabled/20remount-secure/remount-secure.sh b/usr/lib/dracut/modules.d-disabled/20remount-secure/remount-secure.sh index de44d46..0e0a0c1 100755 
--- a/usr/lib/dracut/modules.d-disabled/20remount-secure/remount-secure.sh +++ b/usr/lib/dracut/modules.d-disabled/20remount-secure/remount-secure.sh @@ -1,6 +1,6 @@ #!/bin/sh -## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## This script is intended to remount specified mount points with more secure diff --git a/usr/lib/modules-load.d/30_security-misc.conf b/usr/lib/modules-load.d/30_security-misc.conf index 08ee22a..2b38546 100644 --- a/usr/lib/modules-load.d/30_security-misc.conf +++ b/usr/lib/modules-load.d/30_security-misc.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## https://www.whonix.org/wiki/Dev/Entropy diff --git a/usr/lib/permission-hardener.d/25_default_passwd.conf b/usr/lib/permission-hardener.d/25_default_passwd.conf index 6313e15..ef4a1d9 100644 --- a/usr/lib/permission-hardener.d/25_default_passwd.conf +++ b/usr/lib/permission-hardener.d/25_default_passwd.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/usr/lib/permission-hardener.d/25_default_sudo.conf b/usr/lib/permission-hardener.d/25_default_sudo.conf index ee46b0e..74aedca 100644 --- a/usr/lib/permission-hardener.d/25_default_sudo.conf +++ b/usr/lib/permission-hardener.d/25_default_sudo.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or 
diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf b/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf index 57ad396..7c44b1a 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf b/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf index 68f54ed..01ea21c 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf b/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf index 4c185ca..d6aadc9 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf b/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf index fbece5c..5b7351f 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf 
@@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf b/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf index a8b41b1..8c5563a 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf b/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf index 5437436..acf20b6 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf b/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf index c0a4f96..bf86ba9 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or 
diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf b/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf index f9d8a08..00ee52d 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf b/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf index 227b5fc..beb7531 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf b/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf index d15b564..5ebdae3 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf b/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf index ec84733..0bd997f 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf 
@@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf b/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf index 0259ef1..fd74488 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf b/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf index 85e0197..df29fec 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf b/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf index 8d9eba5..5511112 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf b/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf index 7003861..a68564d 100644 
--- a/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf b/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf index 5953d85..05d5235 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf b/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf index d9c68bc..621a6b2 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or diff --git a/usr/lib/permission-hardener.d/30_default.conf b/usr/lib/permission-hardener.d/30_default.conf index d35ee5a..27605d9 100644 --- a/usr/lib/permission-hardener.d/30_default.conf +++ b/usr/lib/permission-hardener.d/30_default.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Please use "/etc/permission-hardener.d/20_user.conf" or 
diff --git a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf index 5c38e38..0ef99da 100644 --- a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf +++ b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Definitions: diff --git a/usr/lib/sysctl.d/30_silent-kernel-printk.conf b/usr/lib/sysctl.d/30_silent-kernel-printk.conf index a1fd57e..d8febf9 100644 --- a/usr/lib/sysctl.d/30_silent-kernel-printk.conf +++ b/usr/lib/sysctl.d/30_silent-kernel-printk.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Definitions: diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 4cf6bb6..02cbf4e 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## NOTE: diff --git a/usr/lib/systemd/coredump.conf.d/30_security-misc.conf b/usr/lib/systemd/coredump.conf.d/30_security-misc.conf index 2cb1b1a..2d02bc9 100644 --- a/usr/lib/systemd/coredump.conf.d/30_security-misc.conf +++ b/usr/lib/systemd/coredump.conf.d/30_security-misc.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. [Coredump] diff --git a/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf b/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf index 5959004..5de38c4 100644 --- a/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf 
+++ b/usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## MAC randomisation breaks root server and VirtualBox DHCP likely due to IPv6 Privacy Extensions. diff --git a/usr/lib/systemd/system-preset/50-security-misc.preset b/usr/lib/systemd/system-preset/50-security-misc.preset index 37374b3..1895526 100644 --- a/usr/lib/systemd/system-preset/50-security-misc.preset +++ b/usr/lib/systemd/system-preset/50-security-misc.preset @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## https://forums.whonix.org/t/restrict-hardware-information-to-root-testers-wanted/8618 diff --git a/usr/lib/systemd/system/harden-module-loading.service b/usr/lib/systemd/system/harden-module-loading.service index 3394623..8efea40 100644 --- a/usr/lib/systemd/system/harden-module-loading.service +++ b/usr/lib/systemd/system/harden-module-loading.service @@ -1,4 +1,4 @@ -## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. [Unit] diff --git a/usr/lib/systemd/system/haveged.service.d/30_security-misc.conf b/usr/lib/systemd/system/haveged.service.d/30_security-misc.conf index 97d4688..2981464 100644 --- a/usr/lib/systemd/system/haveged.service.d/30_security-misc.conf +++ b/usr/lib/systemd/system/haveged.service.d/30_security-misc.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2021 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2021 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. [Service] diff --git a/usr/lib/systemd/system/hide-hardware-info.service b/usr/lib/systemd/system/hide-hardware-info.service index 6d39335..659c3f5 100644 --- a/usr/lib/systemd/system/hide-hardware-info.service 
+++ b/usr/lib/systemd/system/hide-hardware-info.service @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. [Unit] diff --git a/usr/lib/systemd/system/panic-on-oops.service b/usr/lib/systemd/system/panic-on-oops.service index cf13053..6b10ddc 100644 --- a/usr/lib/systemd/system/panic-on-oops.service +++ b/usr/lib/systemd/system/panic-on-oops.service @@ -1,4 +1,4 @@ -## Copyright (C) 2024 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2024 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. [Unit] diff --git a/usr/lib/systemd/system/permission-hardener.service b/usr/lib/systemd/system/permission-hardener.service index 99d4c37..109c9fd 100644 --- a/usr/lib/systemd/system/permission-hardener.service +++ b/usr/lib/systemd/system/permission-hardener.service @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. [Unit] diff --git a/usr/lib/systemd/system/proc-hidepid.service b/usr/lib/systemd/system/proc-hidepid.service index f48211d..d7ea4d9 100644 --- a/usr/lib/systemd/system/proc-hidepid.service +++ b/usr/lib/systemd/system/proc-hidepid.service @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. [Unit] diff --git a/usr/lib/systemd/system/remount-secure.service b/usr/lib/systemd/system/remount-secure.service index 414bba6..2489d34 100644 --- a/usr/lib/systemd/system/remount-secure.service +++ b/usr/lib/systemd/system/remount-secure.service @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. [Unit] 
diff --git a/usr/lib/systemd/system/remove-system-map.service b/usr/lib/systemd/system/remove-system-map.service index 51041f2..1e36d61 100644 --- a/usr/lib/systemd/system/remove-system-map.service +++ b/usr/lib/systemd/system/remove-system-map.service @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. [Unit] diff --git a/usr/lib/systemd/system/sysinit-post.target b/usr/lib/systemd/system/sysinit-post.target index 336133b..c00e91e 100644 --- a/usr/lib/systemd/system/sysinit-post.target +++ b/usr/lib/systemd/system/sysinit-post.target @@ -1,4 +1,4 @@ -## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. [Unit] diff --git a/usr/lib/systemd/system/user@.service.d/sysfs.conf b/usr/lib/systemd/system/user@.service.d/sysfs.conf index 2c27ce5..3a9129d 100644 --- a/usr/lib/systemd/system/user@.service.d/sysfs.conf +++ b/usr/lib/systemd/system/user@.service.d/sysfs.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. [Service] diff --git a/usr/libexec/security-misc/apt-get-update b/usr/libexec/security-misc/apt-get-update index 3c91ffd..fc90a5e 100755 --- a/usr/libexec/security-misc/apt-get-update +++ b/usr/libexec/security-misc/apt-get-update @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. set -o errexit diff --git a/usr/libexec/security-misc/apt-get-update-sanity-test b/usr/libexec/security-misc/apt-get-update-sanity-test index a363fae..a5b7709 100755 --- a/usr/libexec/security-misc/apt-get-update-sanity-test +++ b/usr/libexec/security-misc/apt-get-update-sanity-test 
@@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. set -x diff --git a/usr/libexec/security-misc/askpass b/usr/libexec/security-misc/askpass index c3bb41a..56ecffc 100755 --- a/usr/libexec/security-misc/askpass +++ b/usr/libexec/security-misc/askpass @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. set -e diff --git a/usr/libexec/security-misc/disable-kernel-module-loading b/usr/libexec/security-misc/disable-kernel-module-loading index 1916cc0..80d3190 100755 --- a/usr/libexec/security-misc/disable-kernel-module-loading +++ b/usr/libexec/security-misc/disable-kernel-module-loading @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2023 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2023 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. set -x diff --git a/usr/libexec/security-misc/echo-path b/usr/libexec/security-misc/echo-path index 4a82272..3bcc2cd 100755 --- a/usr/libexec/security-misc/echo-path +++ b/usr/libexec/security-misc/echo-path @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. set -e diff --git a/usr/libexec/security-misc/hide-hardware-info b/usr/libexec/security-misc/hide-hardware-info index ad532b5..acf24ef 100755 --- a/usr/libexec/security-misc/hide-hardware-info +++ b/usr/libexec/security-misc/hide-hardware-info @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. set -o errexit diff --git a/usr/libexec/security-misc/mmap-rnd-bits b/usr/libexec/security-misc/mmap-rnd-bits index 74078fa..25745c2 100755 
--- a/usr/libexec/security-misc/mmap-rnd-bits +++ b/usr/libexec/security-misc/mmap-rnd-bits @@ -1,6 +1,6 @@ #!/usr/bin/env bash -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## This script enforces the maximum ASLR hardening settings for mmap, given the @@ -56,7 +56,7 @@ fi ## Generate a sysctl.d conf file. SYSCTL="\ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## This file is automatically generated by: diff --git a/usr/libexec/security-misc/pam-abort-on-locked-password b/usr/libexec/security-misc/pam-abort-on-locked-password index 4e02f3c..52da1c2 100755 --- a/usr/libexec/security-misc/pam-abort-on-locked-password +++ b/usr/libexec/security-misc/pam-abort-on-locked-password @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## This is only a usability feature to avoid needlessly bumping pam_faillock diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index 085f118..d94e413 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## To enable debug log, run: diff --git a/usr/libexec/security-misc/pam_faillock_not_if_x b/usr/libexec/security-misc/pam_faillock_not_if_x index edfa35d..433dca8 100755 --- a/usr/libexec/security-misc/pam_faillock_not_if_x +++ b/usr/libexec/security-misc/pam_faillock_not_if_x 
@@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## https://serverfault.com/questions/134471/success-n-control-syntax-in-pam-conf-pam-d-files diff --git a/usr/libexec/security-misc/pam_only_if_login b/usr/libexec/security-misc/pam_only_if_login index f81592e..568f037 100755 --- a/usr/libexec/security-misc/pam_only_if_login +++ b/usr/libexec/security-misc/pam_only_if_login @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## https://serverfault.com/questions/134471/success-n-control-syntax-in-pam-conf-pam-d-files diff --git a/usr/libexec/security-misc/panic-on-oops b/usr/libexec/security-misc/panic-on-oops index 73c22d0..749eb3c 100755 --- a/usr/libexec/security-misc/panic-on-oops +++ b/usr/libexec/security-misc/panic-on-oops @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. set -e diff --git a/usr/libexec/security-misc/permission-lockdown b/usr/libexec/security-misc/permission-lockdown index a5623b2..31aaee4 100755 --- a/usr/libexec/security-misc/permission-lockdown +++ b/usr/libexec/security-misc/permission-lockdown @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## Doing this for all users would create many issues. diff --git a/usr/libexec/security-misc/remove-system.map b/usr/libexec/security-misc/remove-system.map index 5341844..5b75f6d 100755 --- a/usr/libexec/security-misc/remove-system.map +++ b/usr/libexec/security-misc/remove-system.map 
@@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then diff --git a/usr/libexec/security-misc/virusforget b/usr/libexec/security-misc/virusforget index 62b6823..a5cb3ea 100755 --- a/usr/libexec/security-misc/virusforget +++ b/usr/libexec/security-misc/virusforget @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## VirusForget is inspired by Christopher Laprise. diff --git a/usr/share/glib-2.0/schemas/30_security-misc.gschema.override b/usr/share/glib-2.0/schemas/30_security-misc.gschema.override index 92b5348..2f56805 100644 --- a/usr/share/glib-2.0/schemas/30_security-misc.gschema.override +++ b/usr/share/glib-2.0/schemas/30_security-misc.gschema.override @@ -1,4 +1,4 @@ -## Copyright (C) 2017 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2017 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. [org.gnome.nautilus.preferences] diff --git a/usr/share/lintian/overrides/security-misc b/usr/share/lintian/overrides/security-misc index 0a24ab0..26c3c70 100644 --- a/usr/share/lintian/overrides/security-misc +++ b/usr/share/lintian/overrides/security-misc @@ -1,4 +1,4 @@ -## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## The whole point of the package. diff --git a/usr/share/security-misc/dolphinrc b/usr/share/security-misc/dolphinrc index 00e7768..9028487 100644 --- a/usr/share/security-misc/dolphinrc +++ b/usr/share/security-misc/dolphinrc @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions [PreviewSettings] 
diff --git a/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf b/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf index e1485b6..150e06b 100644 --- a/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf +++ b/usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf @@ -1,4 +1,4 @@ -## Copyright (C) 2021 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2021 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. ## LKRG VirtualBox host configuration diff --git a/usr/share/security-misc/lkrg/lkrg-virtualbox b/usr/share/security-misc/lkrg/lkrg-virtualbox index 3e5edc3..4e1754c 100755 --- a/usr/share/security-misc/lkrg/lkrg-virtualbox +++ b/usr/share/security-misc/lkrg/lkrg-virtualbox @@ -1,6 +1,6 @@ #!/bin/bash -## Copyright (C) 2021 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2021 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. #set -x From 40b23cfad40825eefc3686e562d78250b58bbc82 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 31 Dec 2024 18:42:01 +0000 Subject: [PATCH 723/846] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index e706b3b..69fec66 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit 33114f771aaeb4dccb0b465861d1239129deb8b2 +Author: Patrick Schleizer +Date: Tue Dec 31 13:26:21 2024 -0500 + + copyright + +commit bb24bff2965ca31de6337820eafd787a11a44a2b +Author: Patrick Schleizer +Date: Tue Dec 31 14:09:34 2024 +0000 + + bumped changelog version + commit 0640964c35b0d977ba718629d4a8791e67700202 Author: Patrick Schleizer Date: Tue Dec 31 06:14:29 2024 -0500 diff --git a/debian/changelog b/debian/changelog index ad720d8..9020a37 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:42.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 31 Dec 2024 18:42:01 +0000 + security-misc (3:42.0-1) unstable; urgency=medium * New upstream version (local package). From 93ebf176c5f38bd268e5394e01421e46b9ae7dff Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Thu, 2 Jan 2025 20:41:40 -0500 Subject: [PATCH 724/846] Make the main field count check in permission-hardener a bit more elegant --- usr/bin/permission-hardener | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 3ed62b3..11bdfb9 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -410,13 +410,14 @@ load_state() { IFS=' ' read -r -a field_list <<< "${line}" - if (( ${#field_list[@]} != 2 )) \ - && (( ${#field_list[@]} != 4 )) \ - && (( ${#field_list[@]} != 5 )); then - exit_code=200 - log error "Line contains an invalid number of fields: '${line}'" >&2 - exit "${exit_code}" - fi + case "${#field_list[@]}" in + 2|4|5) true;; + *) + exit_code=200 + log error "Line contains an invalid number of fields: '${line}'" >&2 + exit "${exit_code}" + ;; + esac # Strip trailing slash if appropriate field_list[0]="${field_list[0]%/}" From d4767b75206b46f1a006cd91b00239a7b828fc89 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 6 Jan 2025 04:24:44 -0500 Subject: [PATCH 725/846] fix: apply PAM wheal only to `su` PAM service --- usr/libexec/security-misc/pam_only_if_su | 17 +++++++++++++++++ usr/share/pam-configs/wheel-security-misc | 1 + 2 files changed, 18 insertions(+) create mode 100755 usr/libexec/security-misc/pam_only_if_su diff --git a/usr/libexec/security-misc/pam_only_if_su b/usr/libexec/security-misc/pam_only_if_su new file mode 100755 index 0000000..604510f --- /dev/null +++ b/usr/libexec/security-misc/pam_only_if_su 
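Review bot: The accepted field counts `2|4|5` in the new `case` arm are bare magic numbers; a comment directly above the `case` naming which state-file record layout each count corresponds to would save the next reader a trip to the code that writes the state file. The `true;;` in the `2|4|5)` arm is redundant — an empty arm `2|4|5) ;;` is valid bash and reads as the explicit no-op it is. load_state's body continues outside the hunk on both sides, so whether the individual fields are validated after the count check cannot be seen here.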
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC
+## See the file COPYING for copying conditions.
+
+## Similar to:
+## /usr/libexec/security-misc/pam_only_if_login
+
+set -x
+
+true "PAM_SERVICE: $PAM_SERVICE"
+
+if [ "$PAM_SERVICE" = "su" ]; then
+ exit 1
+else
+ exit 0
+fi
diff --git a/usr/share/pam-configs/wheel-security-misc b/usr/share/pam-configs/wheel-security-misc
index 323ff72..10dcb88 100644
--- a/usr/share/pam-configs/wheel-security-misc
+++ b/usr/share/pam-configs/wheel-security-misc
@@ -3,4 +3,5 @@ Default: yes
 Priority: 280
 Auth-Type: Primary
 Auth:
+ [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_only_if_su
 requisite pam_wheel.so group=sudo debug
From 6e0787957b53a64132b64e2a29bafe3e4b66d178 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Mon, 6 Jan 2025 05:29:40 -0500
Subject: [PATCH 726/846] increase priority of pam wheel so it is checked even before faillock

in case of attemtping to use `su` without being a member of the required group `sudo`, it's useful to abort the PAM stack as early as possible to avoid needlessly propmting for a password to later be rejected tu to lack of group membership
---
 usr/share/pam-configs/wheel-security-misc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/usr/share/pam-configs/wheel-security-misc b/usr/share/pam-configs/wheel-security-misc
index 10dcb88..eb8a9df 100644
--- a/usr/share/pam-configs/wheel-security-misc
+++ b/usr/share/pam-configs/wheel-security-misc
@@ -1,6 +1,6 @@
 Name: group sudo membership required to use su (by package security-misc)
 Default: yes
-Priority: 280
+Priority: 1050
 Auth-Type: Primary
 Auth:
 [success=1 default=ignore] pam_exec.so seteuid quiet /usr/libexec/security-misc/pam_only_if_su
From c6be621968c898f792ef1a450d2e1be5cd6056da Mon Sep 17 00:00:00 2001
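Review bot: pam_only_if_su enables `set -x` unconditionally, and once the pam-configs hunk below wires it into the Primary auth stack it runs for every PAM authentication on the host, not only `su`, so each authentication emits a shell trace (including the `true "PAM_SERVICE: $PAM_SERVICE"` line, which does nothing except feed that trace) on the helper's stderr; where pam_exec delivers that output is not visible here, but tracing belongs behind a debug switch rather than on by default. The exit-status convention is also the reverse of what the script name suggests and is undocumented: exit 1 means "this is su, keep evaluating the stack" and exit 0 means "skip the next module" through the `[success=1 default=ignore]` control line. A header comment would spare the next reader a trip to the PAM config, e.g. `## Exit 1 when PAM_SERVICE is su so that pam_wheel is evaluated next; exit 0 for any other service so that success=1 in wheel-security-misc skips pam_wheel.`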
From: Patrick Schleizer Date: Mon, 6 Jan 2025 10:31:40 +0000 Subject: [PATCH 727/846] bumped changelog version --- changelog.upstream | 21 +++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 27 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 69fec66..3db2650 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,24 @@ +commit 6e0787957b53a64132b64e2a29bafe3e4b66d178 +Author: Patrick Schleizer +Date: Mon Jan 6 05:29:40 2025 -0500 + + increase priority of pam wheel so it is checked even before faillock + + in case of attemtping to use `su` without being a member of the required group `sudo`, it's useful to abort the PAM stack as early as possible to avoid needlessly propmting for a password to later + be rejected tu to lack of group membership + +commit d4767b75206b46f1a006cd91b00239a7b828fc89 +Author: Patrick Schleizer +Date: Mon Jan 6 04:24:44 2025 -0500 + + fix: apply PAM wheal only to `su` PAM service + +commit 40b23cfad40825eefc3686e562d78250b58bbc82 +Author: Patrick Schleizer +Date: Tue Dec 31 18:42:01 2024 +0000 + + bumped changelog version + commit 33114f771aaeb4dccb0b465861d1239129deb8b2 Author: Patrick Schleizer Date: Tue Dec 31 13:26:21 2024 -0500 diff --git a/debian/changelog b/debian/changelog index 9020a37..d6dcbb3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:42.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 06 Jan 2025 10:31:40 +0000 + security-misc (3:42.1-1) unstable; urgency=medium * New upstream version (local package). From 5941195e96880b8beb2a791d3c21f3a4c6d429eb Mon Sep 17 00:00:00 2001 
From: Aaron Rainbolt Date: Tue, 7 Jan 2025 14:10:46 -0600 Subject: [PATCH 728/846] Don't worry about files under /bin anymore, Bookworm uses a merged /usr directory --- usr/lib/permission-hardener.d/25_default_passwd.conf | 1 - usr/lib/permission-hardener.d/25_default_sudo.conf | 1 - .../25_default_whitelist_bubblewrap.conf | 1 - usr/lib/permission-hardener.d/25_default_whitelist_mount.conf | 4 ---- .../permission-hardener.d/25_default_whitelist_policykit.conf | 2 -- usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf | 1 - 6 files changed, 10 deletions(-) diff --git a/usr/lib/permission-hardener.d/25_default_passwd.conf b/usr/lib/permission-hardener.d/25_default_passwd.conf index ef4a1d9..fb34f38 100644 --- a/usr/lib/permission-hardener.d/25_default_passwd.conf +++ b/usr/lib/permission-hardener.d/25_default_passwd.conf @@ -11,4 +11,3 @@ # # See also: https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#passwd /usr/bin/passwd 0755 root root -/bin/passwd 0755 root root diff --git a/usr/lib/permission-hardener.d/25_default_sudo.conf b/usr/lib/permission-hardener.d/25_default_sudo.conf index 74aedca..e575449 100644 --- a/usr/lib/permission-hardener.d/25_default_sudo.conf +++ b/usr/lib/permission-hardener.d/25_default_sudo.conf @@ -17,4 +17,3 @@ ## compromised network-facing daemon (such as web servers, time synchronization daemons, ## etc.) running as its own user from exploiting sudo to escalate privileges. #/usr/bin/sudo 4750 root sudo -#/bin/sudo 4750 root sudo diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf b/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf index 7c44b1a..f1e873f 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf @@ -6,4 +6,3 @@ ## configuration. When security-misc is updated, this file may be overwritten. /usr/bin/bwrap exactwhitelist -/bin/bwrap exactwhitelist 
diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf b/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf index bf86ba9..ac5e9d1 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf @@ -8,14 +8,10 @@ ## https://forums.whonix.org/t/disable-suid-binaries/7706/61 ## Protect from 'chmod -x' (and SUID removal). ## SUID will be removed below in separate step. -/bin/mount exactwhitelist /usr/bin/mount exactwhitelist -/bin/umount exactwhitelist /usr/bin/umount exactwhitelist ## Remove SUID from 'mount' but keep executable. ## https://forums.whonix.org/t/disable-suid-binaries/7706/61 -/bin/mount 755 root root /usr/bin/mount 755 root root -/bin/umount 755 root root /usr/bin/umount 755 root root diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf b/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf index beb7531..8133fab 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf @@ -6,9 +6,7 @@ ## configuration. When security-misc is updated, this file may be overwritten. /usr/bin/pkexec exactwhitelist -/bin/pkexec exactwhitelist /usr/bin/pkexec.security-misc-orig exactwhitelist -/bin/pkexec.security-misc-orig exactwhitelist ## TODO: research ## match both: diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf b/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf index a68564d..ee68aba 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf @@ -6,4 +6,3 @@ ## configuration. When security-misc is updated, this file may be overwritten. /usr/bin/sudo exactwhitelist -/bin/sudo exactwhitelist From 5e3785d76e616f49407e720b37138f35a50fe4fb Mon Sep 17 00:00:00 2001 
From: raja-grewal Date: Wed, 8 Jan 2025 18:35:52 +1100 Subject: [PATCH 729/846] README.md: Remove double space --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 7f35178..3df75fb 100644 --- a/README.md +++ b/README.md @@ -102,7 +102,7 @@ Networking: - Disable ICMP redirect acceptance and redirect sending messages to prevent man-in-the-middle attacks and minimize information disclosure. -- Deny sending and receiving shared media redirects to reduce the risk of IP +- Deny sending and receiving shared media redirects to reduce the risk of IP spoofing attacks. - Optional - Enable ARP filtering to mitigate some ARP spoofing and ARP From 1f8eee47200221e2e38291a31e852e9c222d8c64 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Wed, 8 Jan 2025 18:36:00 +1100 Subject: [PATCH 730/846] Add missing sentence full stop --- usr/lib/sysctl.d/990-security-misc.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index fd3ce59..8a89cb8 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -454,7 +454,7 @@ net.ipv6.conf.*.accept_redirects=0 #net.ipv4.conf.*.shared_media=0 ## Enable ARP (Address Resolution Protocol) filtering. -## Prevents the Linux kernel from handling the ARP table globally +## Prevents the Linux kernel from handling the ARP table globally. ## Can mitigate some ARP spoofing and ARP cache poisoning attacks. ## Improper filtering can lead to increased ARP traffic and inadvertently block legitimate ARP requests. ## From 538b312349a97bcecb12e62519d77840afcd6ca3 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Thu, 9 Jan 2025 15:28:56 +1100 Subject: [PATCH 731/846] Add comment about microcode updates --- etc/default/grub.d/40_cpu_mitigations.cfg | 5 +++++ 1 file changed, 5 insertions(+) 
diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index d2232b3..795cc72 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg @@ -21,6 +21,11 @@ ## Tabular comparison between the utility and functionality of various mitigations. ## https://forums.whonix.org/t/kernel-hardening-security-misc/7296/587 +## For complete protection, users must install the latest relevant security microcode update. +## BIOS/UEFI updates should only be obtained directly from OEMs and/or motherboard manufacturers. +## Note that incorrectly performing system BIOS/UEFI updates can potentially lead to serious functionality issues. +## The parameters below only provide (partial) protection at both the kernel and user space level. + ## Enable a subset of known mitigations for some CPU vulnerabilities and disable SMT. ## ## KSPP=yes From cf435a8fa8e6f795a25ef004cf44a65d461dd32c Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Fri, 10 Jan 2025 13:22:21 +1100 Subject: [PATCH 732/846] README.md: Note importance of microcode updates --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index df12ba2..05685b4 100644 --- a/README.md +++ b/README.md @@ -137,7 +137,9 @@ Networking: Mitigations for known CPU vulnerabilities are enabled in their strictest form and simultaneous multithreading (SMT) is disabled. See the -`/etc/default/grub.d/40_cpu_mitigations.cfg` configuration file. +`/etc/default/grub.d/40_cpu_mitigations.cfg` configuration file. Note, to achieve +complete protection for known CPU vulnerabilities, the latest security microcode +(BIOS/UEFI) updates must also be installed on the system. Boot parameters relating to kernel hardening, DMA mitigations, and entropy generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg` From 482960d056ec8d624f127bfe9b1c69a4c30c7e34 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Fri, 10 Jan 2025 10:21:12 -0500 Subject: [PATCH 733/846] permission-hardener: move to new state folder `/var/lib/permission-hardener-v2` without migration https://github.com/Kicksecure/security-misc/pull/294 --- debian/security-misc.postinst | 11 ----------- usr/bin/permission-hardener | 2 +- 2 files changed, 1 insertion(+), 12 deletions(-) diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst index 8cbe4d7..d62cebc 100644 --- a/debian/security-misc.postinst +++ b/debian/security-misc.postinst @@ -15,16 +15,6 @@ true " ##################################################################### " -permission_hardening_legacy_state_files() { - if test -d /var/lib/permission-hardener ; then - return 0 - fi - if ! test -d /var/lib/permission-hardening ; then - return 0 - fi - mv --verbose /var/lib/permission-hardening /var/lib/permission-hardener -} - permission_hardening_legacy_config_folder() { if ! test -d /etc/permission-hardening.d ; then return 0 @@ -77,7 +67,6 @@ esac pam-auth-update --package /usr/libexec/security-misc/permission-lockdown -permission_hardening_legacy_state_files permission_hardening diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 11bdfb9..b2991e0 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -19,7 +19,7 @@ set -o errexit -o nounset -o pipefail ## Constants # shellcheck disable=SC2034 log_level=notice -store_dir="/var/lib/permission-hardener" +store_dir="/var/lib/permission-hardener-v2" state_file="${store_dir}/existing_mode/statoverride" dpkg_admindir_parameter_existing_mode="--admindir ${store_dir}/existing_mode" dpkg_admindir_parameter_new_mode="--admindir ${store_dir}/new_mode" From 485d9abd1d14e445b48f0fd63290a985b05a5ac7 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Fri, 10 Jan 2025 15:34:21 +0000 Subject: [PATCH 734/846] bumped changelog version --- changelog.upstream | 171 +++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++ 2 files changed, 177 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 3db2650..2d113b6 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,113 @@ +commit c17485baa118e76cc8074ce3e72ac3ac38c577cd +Merge: 482960d e9ef360 +Author: Patrick Schleizer +Date: Fri Jan 10 10:32:26 2025 -0500 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit e9ef3602dd1661de0c0c3781d7e0246720643354 +Merge: 1b33e83 cf435a8 +Author: Patrick Schleizer +Date: Fri Jan 10 10:30:34 2025 -0500 + + Merge pull request #292 from raja-grewal/cpu_table + + Add link to tabular comparison of CPU mitigations + +commit 1b33e83529d652dab4468e0b386e333b3ca4745b +Merge: 486757b 2e6e170 +Author: Patrick Schleizer +Date: Fri Jan 10 10:29:30 2025 -0500 + + Merge pull request #291 from raja-grewal/drop_gratuitous_arp + + Drop gratuitous ARP packets + +commit 486757bfae5e7ecc389b16c49704e742fd267565 +Merge: 17ff249 c37f4ef +Author: Patrick Schleizer +Date: Fri Jan 10 10:29:12 2025 -0500 + + Merge pull request #290 from raja-grewal/arp_ignore + + Respond to ARP requests only if the target IP address is on-link + +commit 17ff24915062736a32d4d54da7163fe34aa70fd3 +Merge: 27d19ba 1f8eee4 +Author: Patrick Schleizer +Date: Fri Jan 10 10:28:48 2025 -0500 + + Merge pull request #289 from raja-grewal/arp_filter + + Enable ARP filtering + +commit 27d19ba568e601c37035a310ae6cdd7d953be286 +Merge: 482960d 5e3785d +Author: Patrick Schleizer +Date: Fri Jan 10 10:28:05 2025 -0500 + + Merge pull request #288 from raja-grewal/shared_media + + Deny sending and receiving shared media redirects + +commit 482960d056ec8d624f127bfe9b1c69a4c30c7e34 +Author: Patrick Schleizer +Date: Fri Jan 10 10:21:12 2025 -0500 + + permission-hardener: move to new state folder `/var/lib/permission-hardener-v2` without migration + + https://github.com/Kicksecure/security-misc/pull/294 + +commit cf435a8fa8e6f795a25ef004cf44a65d461dd32c +Author: raja-grewal +Date: Fri Jan 10 13:22:21 2025 +1100 + + README.md: Note importance of microcode updates + +commit 3a31cc99b34617cdd3c5f8e8950a37158849cb56 +Merge: c4cfb85 5941195 +Author: Patrick Schleizer +Date: Thu Jan 9 
09:30:58 2025 -0500 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/usrmerge' + +commit 538b312349a97bcecb12e62519d77840afcd6ca3 +Author: raja-grewal +Date: Thu Jan 9 15:28:56 2025 +1100 + + Add comment about microcode updates + +commit 1f8eee47200221e2e38291a31e852e9c222d8c64 +Author: raja-grewal +Date: Wed Jan 8 18:36:00 2025 +1100 + + Add missing sentence full stop + +commit 5e3785d76e616f49407e720b37138f35a50fe4fb +Author: raja-grewal +Date: Wed Jan 8 18:35:52 2025 +1100 + + README.md: Remove double space + +commit 5941195e96880b8beb2a791d3c21f3a4c6d429eb +Author: Aaron Rainbolt +Date: Tue Jan 7 14:10:46 2025 -0600 + + Don't worry about files under /bin anymore, Bookworm uses a merged /usr directory + +commit c4cfb8597d1a8631a4cbfa7e88212b798e2bc514 +Merge: c6be621 93ebf17 +Author: Patrick Schleizer +Date: Mon Jan 6 08:43:54 2025 -0500 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/permission-hardener-refactor' + +commit c6be621968c898f792ef1a450d2e1be5cd6056da +Author: Patrick Schleizer +Date: Mon Jan 6 10:31:40 2025 +0000 + + bumped changelog version + commit 6e0787957b53a64132b64e2a29bafe3e4b66d178 Author: Patrick Schleizer Date: Mon Jan 6 05:29:40 2025 -0500 @@ -13,6 +123,19 @@ Date: Mon Jan 6 04:24:44 2025 -0500 fix: apply PAM wheal only to `su` PAM service +commit 93ebf176c5f38bd268e5394e01421e46b9ae7dff +Author: Aaron Rainbolt +Date: Thu Jan 2 20:41:40 2025 -0500 + + Make the main field count check in permission-hardener a bit more elegant + +commit 895c0f541fb34f9ebfee9c7ef79c053d5af4a7cc +Merge: 717e6fc 40b23cf +Author: Aaron Rainbolt +Date: Wed Jan 1 15:04:01 2025 -0600 + + Merge branch 'master' into arraybolt3/permission-hardener-refactor + commit 40b23cfad40825eefc3686e562d78250b58bbc82 Author: Patrick Schleizer Date: Tue Dec 31 18:42:01 2024 +0000 
@@ -37,6 +160,18 @@ Date: Tue Dec 31 06:14:29 2024 -0500 readme +commit 717e6fcfbea38cef9d3e201cf2e2b725e3da2267 +Author: Aaron Rainbolt +Date: Mon Dec 30 19:23:20 2024 -0600 + + Post-review improvements to permission-hardener + +commit dbcb612517abbf8d162cfb31ba0585c518df8817 +Author: Aaron Rainbolt +Date: Wed Dec 25 19:48:28 2024 -0600 + + Polish permission-hardener refactor + commit 397b476a822c9f7e41ec911f5d689b67026660ad Author: Patrick Schleizer Date: Thu Dec 26 04:12:02 2024 +0000 @@ -50,6 +185,12 @@ Date: Wed Dec 25 22:43:04 2024 -0500 Merge remote-tracking branch 'ArrayBolt3/arraybolt3/sysmaint' +commit 83d386795940099e0835c51f3522aae3d9217dc8 +Author: Aaron Rainbolt +Date: Tue Dec 24 20:14:57 2024 -0600 + + Refactor permission-hardener to be more idempotent + commit 6602fb102dedc21300ae4c4519f3d9ef4e668045 Author: Aaron Rainbolt Date: Tue Dec 24 20:52:34 2024 -0600 @@ -130,6 +271,12 @@ Date: Thu Dec 19 10:58:50 2024 +0000 bumped changelog version +commit 642b4eeedc43e69bb82ea259b52c0946ce638983 +Author: raja-grewal +Date: Thu Dec 19 21:57:25 2024 +1100 + + Add link to tabular comparison of CPU mitigations + commit 175b442d5bb9dfcb4e9b524ec2077e72c74598cc Author: Patrick Schleizer Date: Thu Dec 19 05:56:50 2024 -0500 
@@ -143,6 +290,30 @@ Date: Thu Dec 19 05:56:01 2024 -0500 Merge remote-tracking branch 'ArrayBolt3/arraybolt3/sysmaint' +commit 2e6e1701a052ef32711f6c3abaad693a773323f6 +Author: raja-grewal +Date: Thu Dec 19 10:35:08 2024 +0000 + + Set `net.ipv4.conf.*.drop_gratuitous_arp=1` + +commit c37f4efadf8f046168732871172cb66f58eb7c78 +Author: raja-grewal +Date: Thu Dec 19 10:33:49 2024 +0000 + + Set `net.ipv4.conf.*.arp_ignore=2` + +commit af1d06973bdd46af3e39b0bdfda81b950ccac996 +Author: raja-grewal +Date: Thu Dec 19 10:31:43 2024 +0000 + + Set `net.ipv4.conf.*.arp_filter=1` + +commit 750367a9066ca2a0ff819b438a92cb1f6c325edb +Author: raja-grewal +Date: Thu Dec 19 10:29:56 2024 +0000 + + Set `net.ipv4.conf.*.shared_media=0` + commit 95b535764c8a98b67a71ee1fd57b7f01da464106 Author: Patrick Schleizer Date: Thu Dec 19 09:43:26 2024 +0000 diff --git a/debian/changelog b/debian/changelog index d6dcbb3..a861ab5 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:42.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 10 Jan 2025 15:34:20 +0000 + security-misc (3:42.2-1) unstable; urgency=medium * New upstream version (local package). From d6a7cd3e0d1e677c1fa8c1fb3b307cdbe0f45031 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 12 Jan 2025 05:36:16 -0500 Subject: [PATCH 735/846] formatting. use chapter to make allow for deep linking --- README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index a4e391f..a67909a 100644 --- a/README.md +++ b/README.md @@ -14,7 +14,7 @@ many more sources. sysctl settings are configured via the `/usr/lib/sysctl.d/990-security-misc.conf` configuration file and significant hardening is applied to a myriad of components. -Kernel space: +#### Kernel space - Restrict access to kernel addresses through the use of kernel pointers regardless of user privileges. 
@@ -55,7 +55,7 @@ Kernel space: - Disable asynchronous I/O (when using Linux kernel >= 6.6) as `io_uring` has been the source of numerous kernel exploits. -User space: +#### User space - Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it enables programs to inspect and modify other active processes. Optional - Disable @@ -79,16 +79,16 @@ User space: on a magic number or their file extension to prevent unintended code execution. See issue: https://github.com/Kicksecure/security-misc/issues/267 -Core dumps: +#### Core dumps - Disable core dump files and prevent their creation. If core dump files are enabled, they will be named based on `core.PID` instead of the default `core`. -Swap space: +#### Swap space - Limit the copying of potentially sensitive content in memory to the swap device. -Networking: +#### Networking - Enable hardening of the BPF JIT compiler protect against JIT spraying. From b0baa8baa57937358dc988b88adab4858a1d8cae Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 12 Jan 2025 05:38:35 -0500 Subject: [PATCH 736/846] add link --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index a67909a..06f31d9 100644 --- a/README.md +++ b/README.md @@ -132,6 +132,8 @@ configuration file and significant hardening is applied to a myriad of component - Optional - Enable IPv6 Privacy Extensions. +- Documentation: https://www.kicksecure.com/wiki/Networking + ### Boot parameters Mitigations for known CPU vulnerabilities are enabled in their strictest form From de1f31e3df1a0fba0a4c6e41b9b46e076266cfd4 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 12 Jan 2025 11:47:18 +0000 Subject: [PATCH 737/846] bumped changelog version --- changelog.upstream | 20 ++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 26 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 2d113b6..d09f087 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,23 @@ +commit b0baa8baa57937358dc988b88adab4858a1d8cae +Author: Patrick Schleizer +Date: Sun Jan 12 05:38:35 2025 -0500 + + add link + +commit d6a7cd3e0d1e677c1fa8c1fb3b307cdbe0f45031 +Author: Patrick Schleizer +Date: Sun Jan 12 05:36:16 2025 -0500 + + formatting. + + use chapter to make allow for deep linking + +commit 485d9abd1d14e445b48f0fd63290a985b05a5ac7 +Author: Patrick Schleizer +Date: Fri Jan 10 15:34:21 2025 +0000 + + bumped changelog version + commit c17485baa118e76cc8074ce3e72ac3ac38c577cd Merge: 482960d e9ef360 Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index a861ab5..8c72c04 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:42.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 12 Jan 2025 11:47:17 +0000 + security-misc (3:42.3-1) unstable; urgency=medium * New upstream version (local package). From 07786de03953b91310588e0b37b9e150bf1b4736 Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Sun, 12 Jan 2025 19:34:41 -0600 Subject: [PATCH 738/846] Enable smooth migration from permission-hardener-v1 to permission-hardener-v2 --- debian/control | 3 +- debian/po/POTFILES.in | 1 + debian/po/templates.pot | 34 ++++++++++++++++++ debian/security-misc.config | 64 ++++++++++++++++++++++++++++++++++ debian/security-misc.postinst | 62 ++++++++++++++++++++++++++++++-- debian/security-misc.templates | 7 ++++ 6 files changed, 167 insertions(+), 4 deletions(-) create mode 100644 debian/po/POTFILES.in create mode 100644 debian/po/templates.pot create mode 100644 debian/security-misc.config create mode 100644 debian/security-misc.templates diff --git a/debian/control b/debian/control index 4909511..d45f96d 100644 --- a/debian/control +++ b/debian/control 
@@ -8,7 +8,8 @@ Maintainer: Patrick Schleizer Build-Depends: config-package-dev, debhelper (>= 13), debhelper-compat (= 13), - dh-apparmor + dh-apparmor, + po-debconf Homepage: https://www.kicksecure.com/wiki/Security-misc Vcs-Browser: https://github.com/Kicksecure/security-misc Vcs-Git: https://github.com/Kicksecure/security-misc.git diff --git a/debian/po/POTFILES.in b/debian/po/POTFILES.in new file mode 100644 index 0000000..435938f --- /dev/null +++ b/debian/po/POTFILES.in @@ -0,0 +1 @@ +[type: gettext/rfc822deb] security-misc.templates diff --git a/debian/po/templates.pot b/debian/po/templates.pot new file mode 100644 index 0000000..3ebab2d --- /dev/null +++ b/debian/po/templates.pot @@ -0,0 +1,34 @@ +# SOME DESCRIPTIVE TITLE. +# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER +# This file is distributed under the same license as the security-misc package. +# FIRST AUTHOR , YEAR. +# +#, fuzzy +msgid "" +msgstr "" +"Project-Id-Version: security-misc\n" +"Report-Msgid-Bugs-To: security-misc@packages.debian.org\n" +"POT-Creation-Date: 2025-01-12 19:28-0600\n" +"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" +"Last-Translator: FULL NAME \n" +"Language-Team: LANGUAGE \n" +"Language: \n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=CHARSET\n" +"Content-Transfer-Encoding: 8bit\n" + +#. Type: note +#. Description +#: ../security-misc.templates:1001 +msgid "Manual intervention may be required for permission-hardener update" +msgstr "" + +#. Type: note +#. Description +#: ../security-misc.templates:1001 +msgid "" +"permission-hardener is being updated to correct a bug that caused state file " +"corruption. If you installed your own custom permission-hardener " +"configuration, some manual intervention may be required. See https://www." +"kicksecure.com/wiki/Permission-hardener#Fixing_state_files" +msgstr "" diff --git a/debian/security-misc.config b/debian/security-misc.config new file mode 100644 index 0000000..86722de --- /dev/null 
+++ b/debian/security-misc.config 
@@ -0,0 +1,64 @@
+#!/bin/bash
+
+## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC
+## See the file COPYING for copying conditions.
+
+source /usr/share/debconf/confmodule
+
+check_migrate_permission_hardener_state() {
+ local orig_hardening_arr custom_hardening_arr config_file
+ if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" ]; then
+ return 0
+ fi
+ mkdir --parents '/var/lib/security-misc/do_once'
+
+ # TODO: Is there some way to autogenerate this list at runtime?
+ orig_hardening_arr=(
+ '/usr/lib/permission-hardener.d/25_default_sudo.conf'
+ '/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf'
+ '/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf'
+ '/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf'
+ '/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf'
+ '/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf'
+ '/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf'
+ '/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf'
+ '/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf'
+ '/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf'
+ '/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf'
+ '/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf'
+ '/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf'
+ '/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf'
+ '/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf'
+ '/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf'
+ '/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf'
+ '/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf'
+ '/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf'
+ '/usr/lib/permission-hardener.d/20_user-sysmaint-split.conf'
+ '/usr/lib/permission-hardener.d/30_ping.conf'
+ '/usr/lib/permission-hardener.d/30_default.conf'
+ )
+ readarray -t custom_hardening_arr < <(dpkg -V | awk '/permission-hardener.d/{ print $NF }')
+
+ for config_file in \
+ /usr/lib/permission-hardener.d/*.conf \
+ /etc/permission-hardener.d/*.conf \
+ /usr/local/etc/permission-hardener.d/*.conf \
+ /etc/permission-hardening.d/*.conf \
+ /usr/local/etc/permission-hardening.d/*.conf
+ do
+ # shellcheck disable=SC2076
+ if ! [[ " ${orig_hardening_arr[*]} " =~ " ${config_file} " ]]; then
+ custom_hardening_arr+=( "${config_file}" )
+ fi
+ done
+
+ if [ "${#custom_hardening_arr[@]}" != '0' ]; then
+ db_input critical security-misc/alert-on-permission-hardener-v2-upgrade
+ # shellcheck disable=SC2119
+ db_go
+ fi
+
+ touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1"
+}
+
+check_migrate_permission_hardener_state
\ No newline at end of file
diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst
index d62cebc..5866b7b 100644
--- a/debian/security-misc.postinst
+++ b/debian/security-misc.postinst
@@ -7,11 +7,15 @@ if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then
 source /usr/libexec/helper-scripts/pre.bsh
 fi
+## Required since this package uses debconf - this is mandatory even though
+## the postinst itself does not use debconf commands.
+source /usr/share/debconf/confmodule
+
 set -e
 true "
 #####################################################################
-## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@
+## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $*
 #####################################################################
 "
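Review bot: The glob loop in check_migrate_permission_hardener_state counts unmatched patterns as custom files: without `shopt -s nullglob`, a pattern such as `/usr/local/etc/permission-hardening.d/*.conf` that matches nothing stays literal, is not in orig_hardening_arr, and is appended to custom_hardening_arr, so the debconf alert fires on systems that have no custom configuration at all. Adding `shopt -s nullglob` before the `for`, or `[ -e "${config_file}" ] || continue` as the loop body's first statement, fixes this. The hard-coded orig_hardening_arr also omits `/usr/lib/permission-hardener.d/25_default_passwd.conf`, which commit 728 earlier in this series still ships, while listing a `25_default_whitelist_passwd.conf` that no visible hunk touches; unless that file was renamed between those commits, a stock install is flagged as custom for that reason as well. Finally, `dpkg -V` with no package argument verifies every installed package, which is presumably slow at install time; `dpkg -V security-misc` would restrict it if only this package's conffiles are meant to be checked.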
@@ -33,6 +37,55 @@ permission_hardening() {
 echo "$0: INFO: Permission hardening success."
 }
+migrate_permission_hardener_state() {
+ local v2_state_file
+
+ if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" ]; then
+ return 0
+ fi
+ mkdir --parents '/var/lib/security-misc/do_once'
+
+ ## This has to be stored in the postinst rather than installed by the
+ ## package, because permission-hardener *will* change it and we *cannot*
+ ## allow future package updates to overwrite it.
+ v2_state_file="root root 644 /etc/passwd-
+root root 755 /etc/cron.monthly
+root root 755 /etc/sudoers.d
+root shadow 2755 /usr/bin/expiry
+root root 4755 /usr/bin/umount
+root root 4755 /usr/bin/gpasswd
+root root 755 /usr/lib/modules
+root root 644 /etc/issue.net
+root root 644 /etc/group-
+root root 4755 /usr/bin/newgrp
+root root 755 /etc/cron.weekly
+root root 644 /etc/hosts.deny
+root root 4755 /usr/bin/su
+root root 644 /etc/hosts.allow
+root root 700 /root
+root root 755 /etc/cron.daily
+root root 755 /bin/ping
+root root 777 /etc/motd
+root root 755 /boot
+root root 755 /home
+root shadow 2755 /usr/bin/chage
+root root 4755 /usr/bin/chsh
+root root 4755 /usr/bin/passwd
+root root 4755 /usr/bin/chfn
+root root 644 /etc/group
+root root 755 /etc/permission-hardener.d
+root root 644 /etc/passwd
+root root 755 /usr/src
+root root 4755 /usr/bin/mount
+root root 777 /etc/issue
+root root 755 /etc/cron.d"
+
+ ## Not using sponge since moreutils might not be installed at this point.
+ mkdir --parents '/var/lib/permission-hardener-v2/existing_mode'
+ echo "${v2_state_file}" > '/var/lib/permission-hardener-v2/existing_mode/statoverride'
+ touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1"
+}
+
 case "$1" in
 configure)
 if [ -d /etc/skel/.gnupg ]; then
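Review bot: migrate_permission_hardener_state overwrites `/var/lib/permission-hardener-v2/existing_mode/statoverride` unconditionally; its only guard is the new do_once marker, which no installed system has yet. Commit 733 earlier in this series already pointed permission-hardener at `/var/lib/permission-hardener-v2` and the postinst runs permission_hardening on configure, so a host that went through that version presumably has a genuine existing_mode record there, and this function replaces it with the hard-coded template — the very clobbering the comment above v2_state_file says must not happen. A guard before the write such as `if [ -e '/var/lib/permission-hardener-v2/existing_mode/statoverride' ]; then touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1"; return 0; fi` would keep real state. The same concern applies to the call added in the `configure)` arm in the next hunk, which runs on fresh installs as well as upgrades because neither the function nor the call looks at `$2`, so a fresh install gets the template rather than the modes permission-hardener would record itself. The template also still lists `/bin/ping` although commit 728 dropped `/bin` paths from the configs in favour of merged-/usr `/usr/bin` paths; worth confirming the keys match what permission-hardener now looks up.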
@@ -45,13 +98,16 @@ case "$1" in ## state dir for faillock mkdir -p /var/lib/security-misc/faillock + + ## migrate permission_hardener state to v2 if applicable + migrate_permission_hardener_state ;; abort-upgrade|abort-remove|abort-deconfigure) ;; triggered) - echo "INFO: triggered $DPKG_MAINTSCRIPT_PACKAGE: '$DPKG_MAINTSCRIPT_PACKAGE' $DPKG_MAINTSCRIPT_PACKAGE DPKG_MAINTSCRIPT_NAME: '$DPKG_MAINTSCRIPT_NAME' $\@: '$@' 2: '$2'" + echo "INFO: triggered $DPKG_MAINTSCRIPT_PACKAGE: '$DPKG_MAINTSCRIPT_PACKAGE' $DPKG_MAINTSCRIPT_PACKAGE DPKG_MAINTSCRIPT_NAME: '$DPKG_MAINTSCRIPT_NAME' $\*: '$*' 2: '$2'" /usr/share/security-misc/lkrg/lkrg-virtualbox || true /usr/libexec/security-misc/mmap-rnd-bits || true permission_hardening @@ -94,7 +150,7 @@ permission_hardening_legacy_config_folder true " ##################################################################### -## INFO: END : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $@ +## INFO: END : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $* ##################################################################### " diff --git a/debian/security-misc.templates b/debian/security-misc.templates new file mode 100644 index 0000000..53b2ed3 --- /dev/null +++ b/debian/security-misc.templates @@ -0,0 +1,7 @@ +Template: security-misc/alert-on-permission-hardener-v2-upgrade +Type: note +_Description: Manual intervention may be required for permission-hardener update + permission-hardener is being updated to correct a bug that caused state file + corruption. If you installed your own custom permission-hardener configuration, + some manual intervention may be required. See + https://www.kicksecure.com/wiki/Permission-hardener#Fixing_state_files From 5570d3e5b9f97f14c772facff16dc45df66d42e9 Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Sun, 12 Jan 2025 20:40:41 -0600 Subject: [PATCH 739/846] Add a forgotten set -e --- debian/security-misc.config | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/debian/security-misc.config b/debian/security-misc.config index 86722de..3880207 100644 --- a/debian/security-misc.config +++ b/debian/security-misc.config @@ -5,6 +5,8 @@ source /usr/share/debconf/confmodule +set -e + check_migrate_permission_hardener_state() { local orig_hardening_arr custom_hardening_arr config_file if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" ]; then @@ -61,4 +63,4 @@ check_migrate_permission_hardener_state() { touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" } -check_migrate_permission_hardener_state \ No newline at end of file +check_migrate_permission_hardener_state From a9e87e9d308f5e61a2d2054fa038dae6faadad3a Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Sun, 12 Jan 2025 21:13:43 -0600 Subject: [PATCH 740/846] Prevent installation failures when installing non-interactively --- debian/security-misc.config | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/debian/security-misc.config b/debian/security-misc.config index 3880207..29d0992 100644 --- a/debian/security-misc.config +++ b/debian/security-misc.config @@ -55,9 +55,12 @@ check_migrate_permission_hardener_state() { done if [ "${#custom_hardening_arr[@]}" != '0' ]; then - db_input critical security-misc/alert-on-permission-hardener-v2-upgrade + ## db_input will return code 30 if the message won't be displayed, which + ## causes a non-interactive install to error out if you don't use || true + db_input critical security-misc/alert-on-permission-hardener-v2-upgrade || true + ## db_go can return code 30 too in some instances, we don't care here # shellcheck disable=SC2119 - db_go + db_go || true fi touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" From de9ebabd46798ff2afa259907b6a7b976070e7f0 Mon Sep 17 00:00:00 2001 
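Review bot: In the PATCH 740 hunk, `db_input ... || true` combined with the unconditional `touch` of the do_once marker in the trailing context means a non-interactive upgrade (where db_input returns 30 and shows nothing, as the new comment notes) still records the alert as done, so the function's early-return on that marker suppresses the critical note on every later run as well. The people most likely to have custom permission-hardener configs are also the ones running unattended upgrades, so this quietly defeats the purpose of the note. Consider recording whether the question was actually shown, e.g. `if db_input critical security-misc/alert-on-permission-hardener-v2-upgrade; then shown=true; fi`, and only touching the marker when `shown` is set, or at minimum printing the detected custom file list to stderr so it survives in the dpkg/apt log. The enclosing function begins above this hunk.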
From: Aaron Rainbolt Date: Mon, 13 Jan 2025 21:57:10 -0600 Subject: [PATCH 741/846] Fix minor migration bugs, don't run the migration code on new image builds --- debian/make-helper-overrides.bsh | 2 +- debian/security-misc.config | 130 +++++++++++------- debian/security-misc.postinst | 43 +----- ...on-hardener-existing-mode-legacy-hardcoded | 33 +++++ 4 files changed, 122 insertions(+), 86 deletions(-) create mode 100644 usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded diff --git a/debian/make-helper-overrides.bsh b/debian/make-helper-overrides.bsh index dda635e..4804b3e 100755 --- a/debian/make-helper-overrides.bsh +++ b/debian/make-helper-overrides.bsh @@ -4,4 +4,4 @@ ## See the file COPYING for copying conditions. ## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/24 -genmkfile_lintian_post_opts+=" --suppress-tags obsolete-command-in-modprobe.d-file" +genmkfile_lintian_post_opts+=" --suppress-tags obsolete-command-in-modprobe.d-file --suppress-tags no-complete-debconf-translation" diff --git a/debian/security-misc.config b/debian/security-misc.config index 29d0992..8513add 100644 --- a/debian/security-misc.config +++ b/debian/security-misc.config 
@@ -8,61 +8,99 @@ source /usr/share/debconf/confmodule set -e check_migrate_permission_hardener_state() { - local orig_hardening_arr custom_hardening_arr config_file + local orig_hardening_arr custom_hardening_arr config_file custom_config_file if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" ]; then return 0 fi mkdir --parents '/var/lib/security-misc/do_once' - # TODO: Is there some way to autogenerate this list at runtime? - orig_hardening_arr=( - '/usr/lib/permission-hardener.d/25_default_sudo.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf' - '/usr/lib/permission-hardener.d/20_user-sysmaint-split.conf' - '/usr/lib/permission-hardener.d/30_ping.conf' - '/usr/lib/permission-hardener.d/30_default.conf' - ) - readarray -t custom_hardening_arr < <(dpkg -V | awk 
'/permission-hardener.d/{ print $NF }') + if [ -d '/var/lib/permission-hardener' ]; then + orig_hardening_arr=( + '/usr/lib/permission-hardener.d/25_default_passwd.conf' + '/usr/lib/permission-hardener.d/25_default_sudo.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf' + '/usr/lib/permission-hardener.d/20_user-sysmaint-split.conf' + '/usr/lib/permission-hardener.d/30_ping.conf' + '/usr/lib/permission-hardener.d/30_default.conf' + '/etc/permission-hardener.d/25_default_passwd.conf' + '/etc/permission-hardener.d/25_default_sudo.conf' + '/etc/permission-hardener.d/25_default_whitelist_bubblewrap.conf' + '/etc/permission-hardener.d/25_default_whitelist_chromium.conf' + '/etc/permission-hardener.d/25_default_whitelist_dbus.conf' + '/etc/permission-hardener.d/25_default_whitelist_firejail.conf' + 
'/etc/permission-hardener.d/25_default_whitelist_fuse.conf' + '/etc/permission-hardener.d/25_default_whitelist_hardened_malloc.conf' + '/etc/permission-hardener.d/25_default_whitelist_mount.conf' + '/etc/permission-hardener.d/25_default_whitelist_pam.conf' + '/etc/permission-hardener.d/25_default_whitelist_passwd.conf' + '/etc/permission-hardener.d/25_default_whitelist_policykit.conf' + '/etc/permission-hardener.d/25_default_whitelist_postfix.conf' + '/etc/permission-hardener.d/25_default_whitelist_qubes.conf' + '/etc/permission-hardener.d/25_default_whitelist_selinux.conf' + '/etc/permission-hardener.d/25_default_whitelist_spice.conf' + '/etc/permission-hardener.d/25_default_whitelist_ssh.conf' + '/etc/permission-hardener.d/25_default_whitelist_sudo.conf' + '/etc/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf' + '/etc/permission-hardener.d/25_default_whitelist_virtualbox.conf' + '/etc/permission-hardener.d/20_user-sysmaint-split.conf' + '/etc/permission-hardener.d/30_ping.conf' + '/etc/permission-hardener.d/30_default.conf' + ) - for config_file in \ - /usr/lib/permission-hardener.d/*.conf \ - /etc/permission-hardener.d/*.conf \ - /usr/local/etc/permission-hardener.d/*.conf \ - /etc/permission-hardening.d/*.conf \ - /usr/local/etc/permission-hardening.d/*.conf - do - # shellcheck disable=SC2076 - if ! [[ " ${orig_hardening_arr[*]} " =~ " ${config_file} " ]]; then - custom_hardening_arr+=( "${config_file}" ) + readarray -t custom_hardening_arr < <(dpkg -V | awk '/permission-hardener.d/{ print $NF }') + ## If the above `dpkg -V` command doesn't return any permission-hardener + ## related lines, the array will contain no meaningful info, just a single + ## blank element at the start. Set the array to be explicitly empty in + ## this scenario. 
+ if [ -z "${custom_hardening_arr[0]}" ]; then + custom_hardening_arr=() + fi + + for config_file in \ + /usr/lib/permission-hardener.d/*.conf \ + /etc/permission-hardener.d/*.conf \ + /usr/local/etc/permission-hardener.d/*.conf \ + /etc/permission-hardening.d/*.conf \ + /usr/local/etc/permission-hardening.d/*.conf + do + # shellcheck disable=SC2076 + if ! [[ " ${orig_hardening_arr[*]} " =~ " ${config_file} " ]]; then + if [ -f "${config_file}" ]; then + custom_hardening_arr+=( "${config_file}" ) + fi + fi + done + + if [ "${#custom_hardening_arr[@]}" != '0' ]; then + for custom_config_file in "${custom_hardening_arr[@]}"; do + echo "INFO: Possible custom configuration file found: '${custom_config_file}'" + done + ## db_input will return code 30 if the message won't be displayed, which + ## causes a non-interactive install to error out if you don't use || true + db_input critical security-misc/alert-on-permission-hardener-v2-upgrade || true + ## db_go can return code 30 too in some instances, we don't care here + # shellcheck disable=SC2119 + db_go || true fi - done - if [ "${#custom_hardening_arr[@]}" != '0' ]; then - ## db_input will return code 30 if the message won't be displayed, which - ## causes a non-interactive install to error out if you don't use || true - db_input critical security-misc/alert-on-permission-hardener-v2-upgrade || true - ## db_go can return code 30 too in some instances, we don't care here - # shellcheck disable=SC2119 - db_go || true fi - touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" } diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst index 5866b7b..4240d6f 100644 --- a/debian/security-misc.postinst +++ b/debian/security-misc.postinst 
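Review bot: The comment above `if [ -z "${custom_hardening_arr[0]}" ]` says an empty `dpkg -V` result leaves a single blank element, but `readarray -t` on empty input produces a zero-length array in bash, so the condition it guards does not arise; the reset is harmless but the comment will mislead the next maintainer. Suggest rewording it to `## readarray leaves the array empty when dpkg -V reports nothing; the explicit reset below is only a defensive guard.` Two smaller points on the same line: `awk '{ print $NF }'` truncates any reported path containing whitespace, and `dpkg -V` without a package argument verifies every installed package, which can be slow during an upgrade — probably acceptable for a one-off alert, but worth stating in a comment. The function opens and closes within this hunk.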
@@ -38,51 +38,16 @@ permission_hardening() { } migrate_permission_hardener_state() { - local v2_state_file - if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" ]; then return 0 fi mkdir --parents '/var/lib/security-misc/do_once' - ## This has to be stored in the postinst rather than installed by the - ## package, because permission-hardener *will* change it and we *cannot* - ## allow future package updates to overwrite it. - v2_state_file="root root 644 /etc/passwd- -root root 755 /etc/cron.monthly -root root 755 /etc/sudoers.d -root shadow 2755 /usr/bin/expiry -root root 4755 /usr/bin/umount -root root 4755 /usr/bin/gpasswd -root root 755 /usr/lib/modules -root root 644 /etc/issue.net -root root 644 /etc/group- -root root 4755 /usr/bin/newgrp -root root 755 /etc/cron.weekly -root root 644 /etc/hosts.deny -root root 4755 /usr/bin/su -root root 644 /etc/hosts.allow -root root 700 /root -root root 755 /etc/cron.daily -root root 755 /bin/ping -root root 777 /etc/motd -root root 755 /boot -root root 755 /home -root shadow 2755 /usr/bin/chage -root root 4755 /usr/bin/chsh -root root 4755 /usr/bin/passwd -root root 4755 /usr/bin/chfn -root root 644 /etc/group -root root 755 /etc/permission-hardener.d -root root 644 /etc/passwd -root root 755 /usr/src -root root 4755 /usr/bin/mount -root root 777 /etc/issue -root root 755 /etc/cron.d" + if [ -d '/var/lib/permission-hardener' ]; then + mkdir --parents '/var/lib/permission-hardener-v2/existing_mode' + cp '/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded' '/var/lib/permission-hardener-v2/existing_mode/statoverride' + fi - ## Not using sponge since moreutils might not be installed at this point. - mkdir --parents '/var/lib/permission-hardener-v2/existing_mode' - echo "${v2_state_file}" > '/var/lib/permission-hardener-v2/existing_mode/statoverride' touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" } 
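Review bot: The new `cp` overwrites `/var/lib/permission-hardener-v2/existing_mode/statoverride` unconditionally; on a system where the v1 directory is still present but an earlier permission-hardener v2 has already recorded genuinely observed original modes, this replaces that state with the static legacy list, and the do_once marker written right after prevents any later correction. Guard the copy so existing v2 state wins, e.g. `[ -e '/var/lib/permission-hardener-v2/existing_mode/statoverride' ] || cp '/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded' '/var/lib/permission-hardener-v2/existing_mode/statoverride'`, or at least log that an existing file was replaced. Whether such mixed-state systems exist depends on release ordering that is not visible here, so treat this as a cheap defensive check. The function is complete within this hunk.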
diff --git a/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded b/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded
new file mode 100644
index 0000000..e8a4bbe
--- /dev/null
+++ b/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded
@@ -0,0 +1,33 @@
+root root 644 /etc/passwd-
+root root 755 /etc/cron.monthly
+root root 755 /etc/sudoers.d
+root shadow 2755 /usr/bin/expiry
+root root 4755 /usr/bin/umount
+root root 4755 /usr/bin/gpasswd
+root root 755 /usr/lib/modules
+root root 644 /etc/issue.net
+root root 644 /etc/group-
+root root 4755 /usr/bin/newgrp
+root root 755 /etc/cron.weekly
+root root 644 /etc/hosts.deny
+root root 4755 /usr/bin/su
+root root 644 /etc/hosts.allow
+root root 700 /root
+root root 755 /etc/cron.daily
+root root 755 /bin/ping
+root root 777 /etc/motd
+root root 755 /boot
+root root 755 /home
+root shadow 2755 /usr/bin/chage
+root root 4755 /usr/bin/chsh
+root root 4755 /usr/bin/passwd
+root root 4755 /usr/bin/chfn
+root root 644 /etc/group
+root root 755 /etc/permission-hardener.d
+root root 644 /etc/passwd
+root root 755 /usr/src
+root root 4755 /usr/bin/mount
+root root 777 /etc/issue
+root root 755 /etc/cron.d
+root root 4755 /usr/bin/sudo
+root root 4755 /usr/bin/pkexec
From b2a1a0ec9f8db1d84c222e734737b7ed149f6d92 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Tue, 14 Jan 2025 03:17:00 -0500
Subject: [PATCH 742/846] refactoring
---
debian/security-misc.config | 172 ++++++++++++------------
1 file changed, 87 insertions(+), 85 deletions(-)
diff --git a/debian/security-misc.config b/debian/security-misc.config
index 8513add..f08ea97 100644
--- a/debian/security-misc.config
+++ b/debian/security-misc.config
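Review bot: Two seed entries record mode `777` for `/etc/motd` and `/etc/issue`; if permission-hardener v2 ever uses this "existing mode" file to restore a path (for example when an entry is removed from the config), a `chmod 777` on a regular file would leave a root-owned file world-writable, and a chmod that follows a symlink would do the same to its target. On Debian `/etc/motd` is commonly a symlink to `/var/run/motd`, so 777 is probably the link's own mode captured by v1 rather than a real file mode, but nothing in this file lets a reader tell. Before shipping, confirm how v2 handles symlink entries on restore, and since this format has no comment syntax, document the caveat in the postinst that copies the file. The `4755` entries for `/usr/bin/sudo` and `/usr/bin/pkexec` are new relative to the list previously embedded in postinst and should be called out in the commit message.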
@@ -8,99 +8,101 @@ source /usr/share/debconf/confmodule set -e check_migrate_permission_hardener_state() { + if [ -d '/var/lib/permission-hardener' ]; then + return 0 + fi + local orig_hardening_arr custom_hardening_arr config_file custom_config_file if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" ]; then return 0 fi mkdir --parents '/var/lib/security-misc/do_once' - if [ -d '/var/lib/permission-hardener' ]; then - orig_hardening_arr=( - '/usr/lib/permission-hardener.d/25_default_passwd.conf' - '/usr/lib/permission-hardener.d/25_default_sudo.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf' - '/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf' - '/usr/lib/permission-hardener.d/20_user-sysmaint-split.conf' - '/usr/lib/permission-hardener.d/30_ping.conf' - '/usr/lib/permission-hardener.d/30_default.conf' - 
'/etc/permission-hardener.d/25_default_passwd.conf' - '/etc/permission-hardener.d/25_default_sudo.conf' - '/etc/permission-hardener.d/25_default_whitelist_bubblewrap.conf' - '/etc/permission-hardener.d/25_default_whitelist_chromium.conf' - '/etc/permission-hardener.d/25_default_whitelist_dbus.conf' - '/etc/permission-hardener.d/25_default_whitelist_firejail.conf' - '/etc/permission-hardener.d/25_default_whitelist_fuse.conf' - '/etc/permission-hardener.d/25_default_whitelist_hardened_malloc.conf' - '/etc/permission-hardener.d/25_default_whitelist_mount.conf' - '/etc/permission-hardener.d/25_default_whitelist_pam.conf' - '/etc/permission-hardener.d/25_default_whitelist_passwd.conf' - '/etc/permission-hardener.d/25_default_whitelist_policykit.conf' - '/etc/permission-hardener.d/25_default_whitelist_postfix.conf' - '/etc/permission-hardener.d/25_default_whitelist_qubes.conf' - '/etc/permission-hardener.d/25_default_whitelist_selinux.conf' - '/etc/permission-hardener.d/25_default_whitelist_spice.conf' - '/etc/permission-hardener.d/25_default_whitelist_ssh.conf' - '/etc/permission-hardener.d/25_default_whitelist_sudo.conf' - '/etc/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf' - '/etc/permission-hardener.d/25_default_whitelist_virtualbox.conf' - '/etc/permission-hardener.d/20_user-sysmaint-split.conf' - '/etc/permission-hardener.d/30_ping.conf' - '/etc/permission-hardener.d/30_default.conf' - ) - - readarray -t custom_hardening_arr < <(dpkg -V | awk '/permission-hardener.d/{ print $NF }') - ## If the above `dpkg -V` command doesn't return any permission-hardener - ## related lines, the array will contain no meaningful info, just a single - ## blank element at the start. Set the array to be explicitly empty in - ## this scenario. 
- if [ -z "${custom_hardening_arr[0]}" ]; then - custom_hardening_arr=() - fi - - for config_file in \ - /usr/lib/permission-hardener.d/*.conf \ - /etc/permission-hardener.d/*.conf \ - /usr/local/etc/permission-hardener.d/*.conf \ - /etc/permission-hardening.d/*.conf \ - /usr/local/etc/permission-hardening.d/*.conf - do - # shellcheck disable=SC2076 - if ! [[ " ${orig_hardening_arr[*]} " =~ " ${config_file} " ]]; then - if [ -f "${config_file}" ]; then - custom_hardening_arr+=( "${config_file}" ) - fi - fi - done - - if [ "${#custom_hardening_arr[@]}" != '0' ]; then - for custom_config_file in "${custom_hardening_arr[@]}"; do - echo "INFO: Possible custom configuration file found: '${custom_config_file}'" - done - ## db_input will return code 30 if the message won't be displayed, which - ## causes a non-interactive install to error out if you don't use || true - db_input critical security-misc/alert-on-permission-hardener-v2-upgrade || true - ## db_go can return code 30 too in some instances, we don't care here - # shellcheck disable=SC2119 - db_go || true - fi + orig_hardening_arr=( + '/usr/lib/permission-hardener.d/25_default_passwd.conf' + '/usr/lib/permission-hardener.d/25_default_sudo.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_bubblewrap.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_hardened_malloc.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_mount.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf' + 
'/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf' + '/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf' + '/usr/lib/permission-hardener.d/20_user-sysmaint-split.conf' + '/usr/lib/permission-hardener.d/30_ping.conf' + '/usr/lib/permission-hardener.d/30_default.conf' + '/etc/permission-hardener.d/25_default_passwd.conf' + '/etc/permission-hardener.d/25_default_sudo.conf' + '/etc/permission-hardener.d/25_default_whitelist_bubblewrap.conf' + '/etc/permission-hardener.d/25_default_whitelist_chromium.conf' + '/etc/permission-hardener.d/25_default_whitelist_dbus.conf' + '/etc/permission-hardener.d/25_default_whitelist_firejail.conf' + '/etc/permission-hardener.d/25_default_whitelist_fuse.conf' + '/etc/permission-hardener.d/25_default_whitelist_hardened_malloc.conf' + '/etc/permission-hardener.d/25_default_whitelist_mount.conf' + '/etc/permission-hardener.d/25_default_whitelist_pam.conf' + '/etc/permission-hardener.d/25_default_whitelist_passwd.conf' + '/etc/permission-hardener.d/25_default_whitelist_policykit.conf' + '/etc/permission-hardener.d/25_default_whitelist_postfix.conf' + '/etc/permission-hardener.d/25_default_whitelist_qubes.conf' + '/etc/permission-hardener.d/25_default_whitelist_selinux.conf' + '/etc/permission-hardener.d/25_default_whitelist_spice.conf' + '/etc/permission-hardener.d/25_default_whitelist_ssh.conf' + '/etc/permission-hardener.d/25_default_whitelist_sudo.conf' + '/etc/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf' + '/etc/permission-hardener.d/25_default_whitelist_virtualbox.conf' + '/etc/permission-hardener.d/20_user-sysmaint-split.conf' + 
'/etc/permission-hardener.d/30_ping.conf' + '/etc/permission-hardener.d/30_default.conf' + ) + readarray -t custom_hardening_arr < <(dpkg -V | awk '/permission-hardener.d/{ print $NF }') + ## If the above `dpkg -V` command doesn't return any permission-hardener + ## related lines, the array will contain no meaningful info, just a single + ## blank element at the start. Set the array to be explicitly empty in + ## this scenario. + if [ -z "${custom_hardening_arr[0]}" ]; then + custom_hardening_arr=() fi + + for config_file in \ + /usr/lib/permission-hardener.d/*.conf \ + /etc/permission-hardener.d/*.conf \ + /usr/local/etc/permission-hardener.d/*.conf \ + /etc/permission-hardening.d/*.conf \ + /usr/local/etc/permission-hardening.d/*.conf + do + # shellcheck disable=SC2076 + if ! [[ " ${orig_hardening_arr[*]} " =~ " ${config_file} " ]]; then + if [ -f "${config_file}" ]; then + custom_hardening_arr+=( "${config_file}" ) + fi + fi + done + + if [ "${#custom_hardening_arr[@]}" != '0' ]; then + for custom_config_file in "${custom_hardening_arr[@]}"; do + echo "INFO: Possible custom configuration file found: '${custom_config_file}'" + done + ## db_input will return code 30 if the message won't be displayed, which + ## causes a non-interactive install to error out if you don't use || true + db_input critical security-misc/alert-on-permission-hardener-v2-upgrade || true + ## db_go can return code 30 too in some instances, we don't care here + # shellcheck disable=SC2119 + db_go || true + fi + touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" } From b7e7b2767eb957dd1401f5abcff07bfcb47a4c00 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2025 03:18:17 -0500 Subject: [PATCH 743/846] refactoring --- debian/security-misc.postinst | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst index 4240d6f..a2d4e2f 100644 --- a/debian/security-misc.postinst 
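Review bot: The early return added at the top of `check_migrate_permission_hardener_state` tests `[ -d '/var/lib/permission-hardener' ]` and returns when the v1 state directory exists, which is exactly the case the migration alert exists for; the PATCH 741 version ran the scan inside that same `-d` test, and the postinst counterpart in the next commit uses `[ ! -d ... ]`. As written, upgraded systems with v1 state silently skip the custom-config scan and the critical debconf note, while fresh installs run it and then write the do_once marker. The condition should read `if [ ! -d '/var/lib/permission-hardener' ]; then`. The function is complete within this hunk.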
+++ b/debian/security-misc.postinst @@ -38,15 +38,17 @@ permission_hardening() { } migrate_permission_hardener_state() { + if [ ! -d '/var/lib/permission-hardener' ]; then + return 0 + fi + if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" ]; then return 0 fi mkdir --parents '/var/lib/security-misc/do_once' - if [ -d '/var/lib/permission-hardener' ]; then - mkdir --parents '/var/lib/permission-hardener-v2/existing_mode' - cp '/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded' '/var/lib/permission-hardener-v2/existing_mode/statoverride' - fi + mkdir --parents '/var/lib/permission-hardener-v2/existing_mode' + cp '/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded' '/var/lib/permission-hardener-v2/existing_mode/statoverride' touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" } From 420cb3f86f69c4505702a8f38271fb095316cb6f Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2025 03:19:21 -0500 Subject: [PATCH 744/846] refactoring --- debian/security-misc.config | 1 + debian/security-misc.postinst | 1 + 2 files changed, 2 insertions(+) diff --git a/debian/security-misc.config b/debian/security-misc.config index f08ea97..452a506 100644 --- a/debian/security-misc.config +++ b/debian/security-misc.config @@ -8,6 +8,7 @@ source /usr/share/debconf/confmodule set -e check_migrate_permission_hardener_state() { + ## If folder /var/lib/permission-hardener (version 1) does not exist, this migration is unneeded. if [ -d '/var/lib/permission-hardener' ]; then return 0 fi diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst index a2d4e2f..a722cf3 100644 --- a/debian/security-misc.postinst +++ b/debian/security-misc.postinst @@ -38,6 +38,7 @@ permission_hardening() { } migrate_permission_hardener_state() { + ## If folder /var/lib/permission-hardener (version 1) does not exist, this migration is unneeded. if [ ! -d '/var/lib/permission-hardener' ]; then return 0 fi 
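Review bot: In the PATCH 744 security-misc.config hunk, the new comment states the migration is unneeded when `/var/lib/permission-hardener` does not exist, but the line beneath it is `if [ -d '/var/lib/permission-hardener' ]` with no negation, so the comment documents the opposite of what the code does; the postinst hunk in the same commit pairs the identical comment with `if [ ! -d '/var/lib/permission-hardener' ]`. Reconcile them by changing the config check to `if [ ! -d '/var/lib/permission-hardener' ]; then` so both scripts skip only when no v1 state is present. Both functions continue beyond these hunks.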
From 7e7632a55396e10e20a6e9d8d563011694cccc85 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2025 08:24:05 +0000 Subject: [PATCH 745/846] bumped changelog version --- changelog.upstream | 55 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 +++++ 2 files changed, 61 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index d09f087..a93a8d7 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,58 @@ +commit 420cb3f86f69c4505702a8f38271fb095316cb6f +Author: Patrick Schleizer +Date: Tue Jan 14 03:19:21 2025 -0500 + + refactoring + +commit b7e7b2767eb957dd1401f5abcff07bfcb47a4c00 +Author: Patrick Schleizer +Date: Tue Jan 14 03:18:17 2025 -0500 + + refactoring + +commit b2a1a0ec9f8db1d84c222e734737b7ed149f6d92 +Author: Patrick Schleizer +Date: Tue Jan 14 03:17:00 2025 -0500 + + refactoring + +commit 69ae2d9ea0826aa81c70e957bb5a9241a84346ad +Merge: de1f31e de9ebab +Author: Patrick Schleizer +Date: Tue Jan 14 03:15:45 2025 -0500 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/permission-hardener-migrate' + +commit de9ebabd46798ff2afa259907b6a7b976070e7f0 +Author: Aaron Rainbolt +Date: Mon Jan 13 21:57:10 2025 -0600 + + Fix minor migration bugs, don't run the migration code on new image builds + +commit a9e87e9d308f5e61a2d2054fa038dae6faadad3a +Author: Aaron Rainbolt +Date: Sun Jan 12 21:13:43 2025 -0600 + + Prevent installation failures when installing non-interactively + +commit 5570d3e5b9f97f14c772facff16dc45df66d42e9 +Author: Aaron Rainbolt +Date: Sun Jan 12 20:40:41 2025 -0600 + + Add a forgotten set -e + +commit 07786de03953b91310588e0b37b9e150bf1b4736 +Author: Aaron Rainbolt +Date: Sun Jan 12 19:34:41 2025 -0600 + + Enable smooth migration from permission-hardener-v1 to permission-hardener-v2 + +commit de1f31e3df1a0fba0a4c6e41b9b46e076266cfd4 +Author: Patrick Schleizer +Date: Sun Jan 12 11:47:18 2025 +0000 + + bumped changelog version + commit b0baa8baa57937358dc988b88adab4858a1d8cae Author: Patrick Schleizer Date: Sun Jan 12 05:38:35 2025 -0500 diff --git a/debian/changelog b/debian/changelog index 8c72c04..f1aa577 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:42.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 14 Jan 2025 08:24:05 +0000 + security-misc (3:42.4-1) unstable; urgency=medium * New upstream version (local package). 
From 7d44db2cb268c4eb31b50bbd44b87b8001dc068c Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2025 03:49:15 -0500 Subject: [PATCH 746/846] usrmerge --- usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf | 1 - 1 file changed, 1 deletion(-) diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf b/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf index 0bd997f..aca4ca1 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf @@ -14,5 +14,4 @@ ## ## match both: #/usr/lib/qubes/qfile-unpacker whitelist -#/lib/qubes/qfile-unpacker qfile-unpacker matchwhitelist From b198591537a01f5b35c9301ca28a24c70864bcbd Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2025 03:49:42 -0500 Subject: [PATCH 747/846] comment --- usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf b/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf index aca4ca1..f8c85db 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf @@ -8,7 +8,7 @@ ## TODO: research ## https://github.com/QubesOS/qubes-core-agent-linux/blob/master/qubes-rpc/qfile-unpacker.c ## -## Qubes upstream security issue: +## Historic Qubes upstream security issue: ## qfile-unpacker allows unprivileged users in VMs to gain root privileges ## https://github.com/QubesOS/qubes-issues/issues/8633 ## From 1e9940481318d8d7a443b98f0906089759f27a5d Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2025 03:50:16 -0500 Subject: [PATCH 748/846] comment --- usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf | 1 + 1 file changed, 1 insertion(+) 
diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf b/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf index f8c85db..d175670 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf @@ -13,5 +13,6 @@ ## https://github.com/QubesOS/qubes-issues/issues/8633 ## ## match both: +#/usr/bin/qfile-unpacker #/usr/lib/qubes/qfile-unpacker whitelist qfile-unpacker matchwhitelist From fce6a5f8303cd891efd8bbfef861e357dc90e88e Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2025 03:51:43 -0500 Subject: [PATCH 749/846] comment --- .../permission-hardener.d/25_default_whitelist_qubes.conf | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf b/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf index d175670..4fefe4f 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf @@ -13,6 +13,9 @@ ## https://github.com/QubesOS/qubes-issues/issues/8633 ## ## match both: -#/usr/bin/qfile-unpacker -#/usr/lib/qubes/qfile-unpacker whitelist +## - /usr/lib/qubes/qfile-unpacker whitelist +## - Not bit-for-bit identical to /usr/lib/qubes/qfile-unpacker. +## - Stripping SUID from this does *not* break file copying. +## - TODO: further reserach required on its purpose +## - /usr/bin/qfile-unpacker qfile-unpacker matchwhitelist From 0ac85ea9f56abdf621ec1b4f2acf08a2450067ba Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2025 03:54:35 -0500 Subject: [PATCH 750/846] comment --- .../permission-hardener.d/25_default_whitelist_fuse.conf | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf b/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf index 8c5563a..084510c 100644 
--- a/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_fuse.conf @@ -5,6 +5,13 @@ ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom ## configuration. When security-misc is updated, this file may be overwritten. -## required for AppImages such as electrum Bitcoin wallet +## Critical component of FUSE (Filesystem in USErspace) +## +## Used by things such as: +## - AppImages +## - such as electrum Bitcoin wallet +## - Docker +## If not SUID, unprivileged users will be unable to use FUSE any longer. +## ## https://forums.whonix.org/t/disable-suid-binaries/7706/57 /fusermount matchwhitelist From 9f1759ba0ea7ecee87c8777226eb8a56482deeb5 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2025 03:56:55 -0500 Subject: [PATCH 751/846] comment --- .../25_default_whitelist_pam.conf | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf b/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf index 00ee52d..b787e5f 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_pam.conf 
@@ -5,5 +5,18 @@ ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom ## configuration. When security-misc is updated, this file may be overwritten. +## Used by the pam_tmpdir module to create a secure temporary directory for the +## user that is logging in. +## https://manpages.ubuntu.com/manpages/oracular/man8/pam-tmpdir-helper.8.html +## Apparently specific to Debian, there isn't actually any Git repo with this +## code in it, it's just a "floating" package in the Debian archive. Written by +## the same person who maintains the package. Almost certainly cannot be +## disabled without causing serious problems, but may be worth auditing. +## (Worthy of note, it doesn't seem this program takes any user input, but +## relies solely on the calling user's UID and GID, though this could require +## further review.) +## ## Without this, Xfce fails to start with a dbus-launch error. +## +## TODO: audit pam-tmpdir-helper pam-tmpdir-helper matchwhitelist From d89ffcde30f6115c25c1bc807eb30b18c21e2b6e Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2025 04:04:09 -0500 Subject: [PATCH 752/846] comment --- .../25_default_whitelist_policykit.conf | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf b/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf index 8133fab..f8a3919 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf 
@@ -9,7 +9,19 @@ /usr/bin/pkexec.security-misc-orig exactwhitelist ## TODO: research -## match both: -#/usr/lib/policykit-1/polkit-agent-helper-1 matchwhitelist -#/lib/policykit-1/polkit-agent-helper-1 +## TODO: Should be handled in user-sysmaint-split? +## +## Required for PolicyKit (Polkit) to function. +## +## https://polkit-devel.freedesktop.narkive.com/zXO4yEg7/documentation-on-polkit-agent-helper-1-and-suid# +## https://gitlab.freedesktop.org/polkit/polkit/-/issues/168 +## https://cgit.freedesktop.org/polkit/tree/src/polkitagent/polkitagenthelper-pam.c#n93 +## +## Changing permissions here may break more than just normal privilege escalation. +## May be safe to disable for users other than sysmaint similar to what was done with pkexec and sudo, +## however even that might not be safe. +## +## matches both: +## - /usr/lib/policykit-1/polkit-agent-helper-1 +## - /lib/policykit-1/polkit-agent-helper-1 polkit-agent-helper-1 matchwhitelist From 7a5f8b87af7142ce973bd88abf98279ce15559a9 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2025 04:06:44 -0500 Subject: [PATCH 753/846] permission hardener: disable SUID for `ssh-agent`, `ssh-keysign`, `/lib/openssh/*` This might break SSH host-based authentication. --- .../25_default_whitelist_ssh.conf | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf b/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf index 5511112..2d5f786 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf 
@@ -5,7 +5,11 @@ ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom ## configuration. When security-misc is updated, this file may be overwritten. -## TODO: research -ssh-agent matchwhitelist -ssh-keysign matchwhitelist -/lib/openssh matchwhitelist +## Used only for SSH host-based authentication +## https://linux.die.net/man/8/ssh-keysign +## Needed to allow access to the machine's host key for use in the +## authentication process. This is a non-default method of authenticating to +## SSH, and is likely rarely used, thus this should be safe to disable. +#ssh-agent matchwhitelist +#ssh-keysign matchwhitelist +#/lib/openssh matchwhitelist From 466308e4f9ebd496ff54dd9f77881ce10a558802 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2025 04:09:57 -0500 Subject: [PATCH 754/846] permission hardener: disable SUID for `chrome-sandbox` --- .../25_default_whitelist_chromium.conf | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf b/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf index 01ea21c..bdb2b2a 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_chromium.conf 
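Review bot: The new comment justifies disabling the whitelist only for ssh-keysign and host-based authentication, yet the hunk also comments out the `ssh-agent` and `/lib/openssh` entries, which that rationale does not cover. If ssh-agent carries a set-id bit on this distribution, that bit serves a purpose unrelated to host-based authentication, and a matchwhitelist on `/lib/openssh` covers every helper under that directory, so each disabled entry deserves its own one-line reason, e.g. `## ssh-agent: TODO document what (if anything) breaks once its set-id bit is removed`. The commit message's own warning that this might break SSH host-based authentication belongs in the file comment as well, since users only see the file.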
@@ -5,4 +5,13 @@ ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom ## configuration. When security-misc is updated, this file may be overwritten. -chrome-sandbox matchwhitelist +## Chrome/Chromium now uses namespace-based sandboxing rather than a SUID +## sandbox for most use cases, and while the SUID sandbox is still technically +## supported [1], it's also virtually unused [2]. Chromium still works fine +## when it is stripped of its SUID bit and rendered no longer executable, +## and opening `chrome://sandbox` while in this state shows that sandboxing is +## still working perfectly fine. +## +## [1] https://chromium.googlesource.com/chromium/src/+/0e94f26e8/docs/linux_sandboxing.md +## [2] https://chromium.googlesource.com/chromium/src/+/0e94f26e8/docs/linux_suid_sandbox.md +#chrome-sandbox matchwhitelist From 6d282226ef653accf1de32582b999ff31775f60f Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2025 04:12:12 -0500 Subject: [PATCH 755/846] comment --- .../permission-hardener.d/25_default_whitelist_dbus.conf | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf b/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf index d6aadc9..4b455ae 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_dbus.conf @@ -5,4 +5,12 @@ ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom ## configuration. When security-misc is updated, this file may be overwritten. +## Needed for D-Bus system activation to work. +## https://dbus.freedesktop.org/doc/system-activation.txt +## +## May be vital for desktop features to work normally. +## +## Appears to have been designed with security in mind and can only be called +## by root or a user in the `messagebus` group (which currently has one member, +## namely user `messagebus`). dbus-daemon-launch-helper matchwhitelist 
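Review bot: The justification in the new comment rests on Chromium's namespace sandbox being available, which requires unprivileged user namespaces; if this package or the running kernel restricts them (not visible in this hunk), Chromium presumably falls back to the SUID sandbox, and with `chrome-sandbox` stripped of its SUID bit it will refuse to start or have to run with its sandbox disabled. A one-line caveat such as `## NOTE: if unprivileged user namespaces are disabled, Chromium needs the SUID sandbox; re-enable this entry in 20_user.conf in that case.` would tell users what to check for when `chrome://sandbox` reports a problem.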
From eec2e2c8ee621c6ebb152abbfe3951fa0322a0d0 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2025 04:13:39 -0500 Subject: [PATCH 756/846] comment --- .../permission-hardener.d/25_default_whitelist_qubes.conf | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf b/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf index 4fefe4f..40f9b59 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_qubes.conf @@ -12,10 +12,13 @@ ## qfile-unpacker allows unprivileged users in VMs to gain root privileges ## https://github.com/QubesOS/qubes-issues/issues/8633 ## -## match both: +## matches both: ## - /usr/lib/qubes/qfile-unpacker whitelist ## - Not bit-for-bit identical to /usr/lib/qubes/qfile-unpacker. ## - Stripping SUID from this does *not* break file copying. ## - TODO: further reserach required on its purpose ## - /usr/bin/qfile-unpacker +## - Appears to be an integral part of file transfer between qubes, stripping +## SUID from this in an AppVM results in that AppVM being unable to receive +## files any longer. (It can still send files to other qubes though.) qfile-unpacker matchwhitelist From 41cd09933a506d55bab1f8bf101840cf4bbbf028 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2025 09:26:05 +0000 Subject: [PATCH 757/846] bumped changelog version --- changelog.upstream | 74 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++ 2 files changed, 80 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index a93a8d7..bbc805d 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,77 @@ +commit eec2e2c8ee621c6ebb152abbfe3951fa0322a0d0 +Author: Patrick Schleizer +Date: Tue Jan 14 04:13:39 2025 -0500 + + comment + +commit 6d282226ef653accf1de32582b999ff31775f60f +Author: Patrick Schleizer +Date: Tue Jan 14 04:12:12 2025 -0500 + + comment + +commit 466308e4f9ebd496ff54dd9f77881ce10a558802 +Author: Patrick Schleizer +Date: Tue Jan 14 04:09:57 2025 -0500 + + permission hardener: disable SUID for `chrome-sandbox` + +commit 7a5f8b87af7142ce973bd88abf98279ce15559a9 +Author: Patrick Schleizer +Date: Tue Jan 14 04:06:44 2025 -0500 + + permission hardener: disable SUID for `ssh-agent`, `ssh-keysign`, `/lib/openssh/*` + + This might break SSH host-based authentication. + +commit d89ffcde30f6115c25c1bc807eb30b18c21e2b6e +Author: Patrick Schleizer +Date: Tue Jan 14 04:04:09 2025 -0500 + + comment + +commit 9f1759ba0ea7ecee87c8777226eb8a56482deeb5 +Author: Patrick Schleizer +Date: Tue Jan 14 03:56:55 2025 -0500 + + comment + +commit 0ac85ea9f56abdf621ec1b4f2acf08a2450067ba +Author: Patrick Schleizer +Date: Tue Jan 14 03:54:35 2025 -0500 + + comment + +commit fce6a5f8303cd891efd8bbfef861e357dc90e88e +Author: Patrick Schleizer +Date: Tue Jan 14 03:51:43 2025 -0500 + + comment + +commit 1e9940481318d8d7a443b98f0906089759f27a5d +Author: Patrick Schleizer +Date: Tue Jan 14 03:50:16 2025 -0500 + + comment + +commit b198591537a01f5b35c9301ca28a24c70864bcbd +Author: Patrick Schleizer +Date: Tue Jan 14 03:49:42 2025 -0500 + + comment + +commit 7d44db2cb268c4eb31b50bbd44b87b8001dc068c +Author: Patrick Schleizer +Date: Tue Jan 14 03:49:15 2025 -0500 + + usrmerge + +commit 7e7632a55396e10e20a6e9d8d563011694cccc85 +Author: Patrick Schleizer +Date: Tue Jan 14 08:24:05 2025 +0000 + + bumped changelog version + commit 420cb3f86f69c4505702a8f38271fb095316cb6f Author: Patrick Schleizer Date: Tue Jan 14 03:19:21 2025 -0500 diff --git a/debian/changelog b/debian/changelog index f1aa577..a95a613 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:42.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 14 Jan 2025 09:26:05 +0000 + security-misc (3:42.5-1) unstable; urgency=medium * New upstream version (local package). From cdf179f1277bcae3ef681d35aeca6289d55b3a6a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2025 08:53:38 -0500 Subject: [PATCH 758/846] fix --- debian/security-misc.config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/security-misc.config b/debian/security-misc.config index 452a506..55b89a5 100644 --- a/debian/security-misc.config +++ b/debian/security-misc.config @@ -9,7 +9,7 @@ set -e check_migrate_permission_hardener_state() { ## If folder /var/lib/permission-hardener (version 1) does not exist, this migration is unneeded. - if [ -d '/var/lib/permission-hardener' ]; then + if [ ! -d '/var/lib/permission-hardener' ]; then return 0 fi From 0e4dfc59dd9c06dd732affd8ca7f72a1a70a95b0 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2025 13:53:49 +0000 Subject: [PATCH 759/846] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index bbc805d..0c7652b 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit cdf179f1277bcae3ef681d35aeca6289d55b3a6a +Author: Patrick Schleizer +Date: Tue Jan 14 08:53:38 2025 -0500 + + fix + +commit 41cd09933a506d55bab1f8bf101840cf4bbbf028 +Author: Patrick Schleizer +Date: Tue Jan 14 09:26:05 2025 +0000 + + bumped changelog version + commit eec2e2c8ee621c6ebb152abbfe3951fa0322a0d0 Author: Patrick Schleizer Date: Tue Jan 14 04:13:39 2025 -0500 diff --git a/debian/changelog b/debian/changelog index a95a613..64fbdec 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:42.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 14 Jan 2025 13:53:49 +0000 + security-misc (3:42.6-1) unstable; urgency=medium * New upstream version (local package). From a812961beabacca052b4b25b78ecd2c35184d5d5 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2025 09:06:12 -0500 Subject: [PATCH 760/846] verbose --- debian/security-misc.postinst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst index a722cf3..0603717 100644 --- a/debian/security-misc.postinst +++ b/debian/security-misc.postinst @@ -49,7 +49,7 @@ migrate_permission_hardener_state() { mkdir --parents '/var/lib/security-misc/do_once' mkdir --parents '/var/lib/permission-hardener-v2/existing_mode' - cp '/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded' '/var/lib/permission-hardener-v2/existing_mode/statoverride' + cp --verbose '/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded' '/var/lib/permission-hardener-v2/existing_mode/statoverride' touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" } From e60183ec073d278f8d69a5475aa52d75870cd9b0 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2025 09:06:41 -0500 Subject: [PATCH 761/846] output --- debian/security-misc.config | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/security-misc.config b/debian/security-misc.config index 55b89a5..8dbcf2a 100644 --- a/debian/security-misc.config +++ b/debian/security-misc.config 
@@ -94,7 +94,7 @@ check_migrate_permission_hardener_state() { if [ "${#custom_hardening_arr[@]}" != '0' ]; then for custom_config_file in "${custom_hardening_arr[@]}"; do - echo "INFO: Possible custom configuration file found: '${custom_config_file}'" + echo "$0: INFO: Possible custom configuration file found: '${custom_config_file}'" done ## db_input will return code 30 if the message won't be displayed, which ## causes a non-interactive install to error out if you don't use || true From 6a4f9c1bd8c48bb1a711eee077ea7a05646b0598 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2025 14:06:50 +0000 Subject: [PATCH 762/846] bumped changelog version --- changelog.upstream | 18 ++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 24 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 0c7652b..cdf1435 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,21 @@ +commit e60183ec073d278f8d69a5475aa52d75870cd9b0 +Author: Patrick Schleizer +Date: Tue Jan 14 09:06:41 2025 -0500 + + output + +commit a812961beabacca052b4b25b78ecd2c35184d5d5 +Author: Patrick Schleizer +Date: Tue Jan 14 09:06:12 2025 -0500 + + verbose + +commit 0e4dfc59dd9c06dd732affd8ca7f72a1a70a95b0 +Author: Patrick Schleizer +Date: Tue Jan 14 13:53:49 2025 +0000 + + bumped changelog version + commit cdf179f1277bcae3ef681d35aeca6289d55b3a6a Author: Patrick Schleizer Date: Tue Jan 14 08:53:38 2025 -0500 diff --git a/debian/changelog b/debian/changelog index 64fbdec..cfd4f5e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:42.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 14 Jan 2025 14:06:50 +0000 + security-misc (3:42.7-1) unstable; urgency=medium * New upstream version (local package). From 0a2f06b456854f1cec3ff93952edef928ac7a184 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Tue, 14 Jan 2025 09:07:32 -0500 Subject: [PATCH 763/846] use pre.bsh --- debian/security-misc.config | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/debian/security-misc.config b/debian/security-misc.config index 8dbcf2a..6a0e3d4 100644 --- a/debian/security-misc.config +++ b/debian/security-misc.config @@ -3,6 +3,10 @@ ## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. +if [ -f /usr/libexec/helper-scripts/pre.bsh ]; then + source /usr/libexec/helper-scripts/pre.bsh +fi + source /usr/share/debconf/confmodule set -e From 95dd8f419fc7e9832d8ce6f74d35af9b36752f3f Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2025 14:07:50 +0000 Subject: [PATCH 764/846] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index cdf1435..a521ddc 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit 0a2f06b456854f1cec3ff93952edef928ac7a184 +Author: Patrick Schleizer +Date: Tue Jan 14 09:07:32 2025 -0500 + + use pre.bsh + +commit 6a4f9c1bd8c48bb1a711eee077ea7a05646b0598 +Author: Patrick Schleizer +Date: Tue Jan 14 14:06:50 2025 +0000 + + bumped changelog version + commit e60183ec073d278f8d69a5475aa52d75870cd9b0 Author: Patrick Schleizer Date: Tue Jan 14 09:06:41 2025 -0500 diff --git a/debian/changelog b/debian/changelog index cfd4f5e..24400c9 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:42.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 14 Jan 2025 14:07:50 +0000 + security-misc (3:42.8-1) unstable; urgency=medium * New upstream version (local package). From 9bb92e91a8f364a9d9e5d69e907fe8ed8a3c58a2 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer
Date: Tue, 14 Jan 2025 09:16:25 -0500
Subject: [PATCH 765/846] debhelper
---
 debian/security-misc.config | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/debian/security-misc.config b/debian/security-misc.config
index 6a0e3d4..5bb4bc1 100644
--- a/debian/security-misc.config
+++ b/debian/security-misc.config
@@ -11,6 +11,12 @@ source /usr/share/debconf/confmodule
 set -e
+true "
+#####################################################################
+## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $*
+#####################################################################
+"
+
 check_migrate_permission_hardener_state() {
 ## If folder /var/lib/permission-hardener (version 1) does not exist, this migration is unneeded.
 if [ ! -d '/var/lib/permission-hardener' ]; then
@@ -112,3 +118,18 @@ check_migrate_permission_hardener_state() {
 }
 check_migrate_permission_hardener_state
+
+true "INFO: debhelper beginning here."
+
+#DEBHELPER#
+
+true "INFO: Done with debhelper."
+
+true "
+#####################################################################
+## INFO: END : $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $*
+#####################################################################
+"
+
+## Explicitly "exit 0", so eventually trapped errors can be ignored.
+exit 0
From bbc4ad7c2a0827d079ccbb18dce4aaae042a2253 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Tue, 14 Jan 2025 14:16:45 +0000
Subject: [PATCH 766/846] bumped changelog version
---
 changelog.upstream | 12 ++++++++++++
 debian/changelog | 6 ++++++
 2 files changed, 18 insertions(+)
diff --git a/changelog.upstream b/changelog.upstream
index a521ddc..7558518 100644
--- a/changelog.upstream
+++ b/changelog.upstream
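Review bot: The BEGIN/END banners added to debian/security-misc.config expand `$DPKG_MAINTSCRIPT_PACKAGE` and `$DPKG_MAINTSCRIPT_NAME`, but a `.config` script is run by the debconf frontend rather than directly by dpkg, so these are presumably unset here (or inherited as `preinst` when reached from that script) and the banners print empty or misleading fields; a later commit on this page sets them by hand for exactly this reason. Setting `DPKG_MAINTSCRIPT_PACKAGE="security-misc"` and `DPKG_MAINTSCRIPT_NAME="config"` explicitly before the first banner makes the output dependable in this commit. Both hunks are complete within this patch; the body of check_migrate_permission_hardener_state between them is not shown.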
@@ -1,3 +1,15 @@ +commit 9bb92e91a8f364a9d9e5d69e907fe8ed8a3c58a2 +Author: Patrick Schleizer +Date: Tue Jan 14 09:16:25 2025 -0500 + + debhelper + +commit 95dd8f419fc7e9832d8ce6f74d35af9b36752f3f +Author: Patrick Schleizer +Date: Tue Jan 14 14:07:50 2025 +0000 + + bumped changelog version + commit 0a2f06b456854f1cec3ff93952edef928ac7a184 Author: Patrick Schleizer Date: Tue Jan 14 09:07:32 2025 -0500 diff --git a/debian/changelog b/debian/changelog index 24400c9..1ef755a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:43.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 14 Jan 2025 14:16:45 +0000 + security-misc (3:42.9-1) unstable; urgency=medium * New upstream version (local package). From f3c07a2451fd2818daca6bc248cbbcba213516e7 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2025 09:24:06 -0500 Subject: [PATCH 767/846] update link --- debian/security-misc.templates | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/security-misc.templates b/debian/security-misc.templates index 53b2ed3..03e7e7c 100644 --- a/debian/security-misc.templates +++ b/debian/security-misc.templates @@ -4,4 +4,4 @@ _Description: Manual intervention may be required for permission-hardener update permission-hardener is being updated to correct a bug that caused state file corruption. If you installed your own custom permission-hardener configuration, some manual intervention may be required. See - https://www.kicksecure.com/wiki/Permission-hardener#Fixing_state_files + https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#fixing_state_files From c46178dee46f88e8d0007a12a48addc2493faab7 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2025 09:27:37 -0500 Subject: [PATCH 768/846] output --- debian/security-misc.templates | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) 
diff --git a/debian/security-misc.templates b/debian/security-misc.templates index 03e7e7c..6d8a160 100644 --- a/debian/security-misc.templates +++ b/debian/security-misc.templates @@ -1,7 +1,9 @@ Template: security-misc/alert-on-permission-hardener-v2-upgrade Type: note _Description: Manual intervention may be required for permission-hardener update - permission-hardener is being updated to correct a bug that caused state file - corruption. If you installed your own custom permission-hardener configuration, - some manual intervention may be required. See + No panic. Nothing is broken. Just some rare condition has been hit. + permission-hardener is being updated to correct a minor bug that caused + permission-hardener state file corruption. If you installed your own custom + permission-hardener configuration, some manual intervention may be required. + See: https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#fixing_state_files From 876c0b618785fc71d1d399ff7ab649382104a714 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2025 09:29:35 -0500 Subject: [PATCH 769/846] output --- debian/security-misc.templates | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/debian/security-misc.templates b/debian/security-misc.templates index 6d8a160..1b543e7 100644 --- a/debian/security-misc.templates +++ b/debian/security-misc.templates 
@@ -1,9 +1,9 @@ Template: security-misc/alert-on-permission-hardener-v2-upgrade Type: note _Description: Manual intervention may be required for permission-hardener update - No panic. Nothing is broken. Just some rare condition has been hit. - permission-hardener is being updated to correct a minor bug that caused - permission-hardener state file corruption. If you installed your own custom - permission-hardener configuration, some manual intervention may be required. - See: + No need to panic. Nothing is broken. A rare condition has been encountered. + permission-hardener is being updated to fix a minor bug that caused + corruption in the permission-hardener state file. If you installed your own + custom permission-hardener configuration, some manual intervention may be + required. See: https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#fixing_state_files From 86d3db15bf94dc0f4547105e18ef5f26ca124fa8 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2025 09:30:46 -0500 Subject: [PATCH 770/846] output --- debian/security-misc.config | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/debian/security-misc.config b/debian/security-misc.config index 5bb4bc1..71726a4 100644 --- a/debian/security-misc.config +++ b/debian/security-misc.config @@ -11,6 +11,10 @@ source /usr/share/debconf/confmodule set -e +## Not set by DPKG for '.config' script. +DPKG_MAINTSCRIPT_PACKAGE="security-misc" +DPKG_MAINTSCRIPT_NAME="config" + true " ##################################################################### ## INFO: BEGIN: $DPKG_MAINTSCRIPT_PACKAGE $DPKG_MAINTSCRIPT_NAME $* From 659c7037c6956f6d905e55a1ebb13ebe6a273dee Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2025 14:30:58 +0000 Subject: [PATCH 771/846] bumped changelog version --- changelog.upstream | 30 ++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 36 insertions(+) 
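Review bot: The unconditional assignments of `DPKG_MAINTSCRIPT_PACKAGE` and `DPKG_MAINTSCRIPT_NAME` are the right choice over a `${VAR:-default}` fallback, because when the config script is reached through preinst the environment likely already carries `DPKG_MAINTSCRIPT_NAME=preinst`, which a fallback would keep and the banner would then misreport the script; the comment mentions only the unset case. Suggest extending it to `## Not set by DPKG for the '.config' script (and inherited from preinst when invoked from there), so set unconditionally.` The rest of the file is outside the hunk.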
diff --git a/changelog.upstream b/changelog.upstream index 7558518..8c6e970 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,33 @@ +commit 86d3db15bf94dc0f4547105e18ef5f26ca124fa8 +Author: Patrick Schleizer +Date: Tue Jan 14 09:30:46 2025 -0500 + + output + +commit 876c0b618785fc71d1d399ff7ab649382104a714 +Author: Patrick Schleizer +Date: Tue Jan 14 09:29:35 2025 -0500 + + output + +commit c46178dee46f88e8d0007a12a48addc2493faab7 +Author: Patrick Schleizer +Date: Tue Jan 14 09:27:37 2025 -0500 + + output + +commit f3c07a2451fd2818daca6bc248cbbcba213516e7 +Author: Patrick Schleizer +Date: Tue Jan 14 09:24:06 2025 -0500 + + update link + +commit bbc4ad7c2a0827d079ccbb18dce4aaae042a2253 +Author: Patrick Schleizer +Date: Tue Jan 14 14:16:45 2025 +0000 + + bumped changelog version + commit 9bb92e91a8f364a9d9e5d69e907fe8ed8a3c58a2 Author: Patrick Schleizer Date: Tue Jan 14 09:16:25 2025 -0500 diff --git a/debian/changelog b/debian/changelog index 1ef755a..5ee1fef 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:43.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 14 Jan 2025 14:30:58 +0000 + security-misc (3:43.0-1) unstable; urgency=medium * New upstream version (local package). From 709036c79f8efc9fefa9e7709780a75f9f5004d2 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2025 09:31:58 -0500 Subject: [PATCH 772/846] debconf-updatepo --- debian/po/templates.pot | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/debian/po/templates.pot b/debian/po/templates.pot index 3ebab2d..adb123b 100644 --- a/debian/po/templates.pot +++ b/debian/po/templates.pot 
@@ -8,7 +8,7 @@ msgid "" msgstr "" "Project-Id-Version: security-misc\n" "Report-Msgid-Bugs-To: security-misc@packages.debian.org\n" -"POT-Creation-Date: 2025-01-12 19:28-0600\n" +"POT-Creation-Date: 2025-01-14 09:31-0500\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" @@ -27,8 +27,10 @@ msgstr "" #. Description #: ../security-misc.templates:1001 msgid "" -"permission-hardener is being updated to correct a bug that caused state file " -"corruption. If you installed your own custom permission-hardener " -"configuration, some manual intervention may be required. See https://www." -"kicksecure.com/wiki/Permission-hardener#Fixing_state_files" +"No need to panic. Nothing is broken. A rare condition has been encountered. " +"permission-hardener is being updated to fix a minor bug that caused " +"corruption in the permission-hardener state file. If you installed your own " +"custom permission-hardener configuration, some manual intervention may be " +"required. See: https://www.kicksecure.com/wiki/" +"SUID_Disabler_and_Permission_Hardener#fixing_state_files" msgstr "" From a84d3ba732bcbd2fb93ea2bc145a0db0f33f1b77 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 14 Jan 2025 14:32:13 +0000 Subject: [PATCH 773/846] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 8c6e970..b6f420d 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit 709036c79f8efc9fefa9e7709780a75f9f5004d2 +Author: Patrick Schleizer +Date: Tue Jan 14 09:31:58 2025 -0500 + + debconf-updatepo + +commit 659c7037c6956f6d905e55a1ebb13ebe6a273dee +Author: Patrick Schleizer +Date: Tue Jan 14 14:30:58 2025 +0000 + + bumped changelog version + commit 86d3db15bf94dc0f4547105e18ef5f26ca124fa8 Author: Patrick Schleizer Date: Tue Jan 14 09:30:46 2025 -0500 
diff --git a/debian/changelog b/debian/changelog index 5ee1fef..6e782c5 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:43.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 14 Jan 2025 14:32:12 +0000 + security-misc (3:43.1-1) unstable; urgency=medium * New upstream version (local package). From 396372c1295e2a09d596f3e23fccc26794a26f05 Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Tue, 14 Jan 2025 18:50:24 -0600 Subject: [PATCH 774/846] Avoid scanning unnecessary packages for modified permission-hardener config --- debian/security-misc.config | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/debian/security-misc.config b/debian/security-misc.config index 71726a4..95684bc 100644 --- a/debian/security-misc.config +++ b/debian/security-misc.config @@ -22,6 +22,8 @@ true " " check_migrate_permission_hardener_state() { + local modified_pkg_data_str custom_hardening_arr config_file + ## If folder /var/lib/permission-hardener (version 1) does not exist, this migration is unneeded. if [ ! -d '/var/lib/permission-hardener' ]; then return 0 @@ -82,7 +84,10 @@ check_migrate_permission_hardener_state() { '/etc/permission-hardener.d/30_default.conf' ) - readarray -t custom_hardening_arr < <(dpkg -V | awk '/permission-hardener.d/{ print $NF }') + ## This will exit non-zero if some of the packages don't exist, but we + ## don't care. The packages that *are* installed will still be scanned. + modified_pkg_data_str="$(dpkg -V security-misc user-sysmaint-split anon-apps-config)" || true + readarray -t custom_hardening_arr < <(awk '/permission-hardener.d/{ print $NF }' <<< "${modified_pkg_data_str}") ## If the above `dpkg -V` command doesn't return any permission-hardener ## related lines, the array will contain no meaningful info, just a single ## blank element at the start. Set the array to be explicitly empty in 
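Review bot: The `|| true` on the new `dpkg -V` line makes a genuine dpkg failure (locked or unreadable status database, dpkg killed mid-run) indistinguishable from "no modified files": the substitution yields an empty string, `custom_hardening_arr` ends up empty, and the migration proceeds as though no custom configuration existed. Because `dpkg -V` also exits non-zero for the verification mismatches this code is looking for, the exit status alone cannot decide; capturing stderr (to a variable or a `mktemp` file) and treating any text other than the expected "is not installed" messages as a reason to stop would keep the check honest. `check_migrate_permission_hardener_state` starts and ends outside this hunk.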
From a0f81958dfb020d311d86cbd00d4f86f678d8be9 Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Tue, 14 Jan 2025 19:25:15 -0600 Subject: [PATCH 775/846] De-corrupt the new_mode permission-hardener statoverride database too --- debian/security-misc.postinst | 2 ++ ...mission-hardener-new-mode-legacy-hardcoded | 23 +++++++++++++++++++ 2 files changed, 25 insertions(+) create mode 100644 usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst index 0603717..5ee40c6 100644 --- a/debian/security-misc.postinst +++ b/debian/security-misc.postinst @@ -49,7 +49,9 @@ migrate_permission_hardener_state() { mkdir --parents '/var/lib/security-misc/do_once' mkdir --parents '/var/lib/permission-hardener-v2/existing_mode' + mkdir --parents '/var/lib/permission-hardener-v2/new_mode' cp --verbose '/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded' '/var/lib/permission-hardener-v2/existing_mode/statoverride' + cp --verbose '/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded' '/var/lib/permission-hardener-v2/new_mode/statoverride' touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" } diff --git a/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded b/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded new file mode 100644 index 0000000..b8f0cf4 --- /dev/null +++ b/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded 
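Review bot: The added `cp --verbose` replaces `new_mode/statoverride` unconditionally, so any `new_mode` database permission-hardener v2 had already written on this system (for example entries added after the v2 package was installed) is lost, and the corrupted file the commit title refers to is gone before anyone can inspect it. Keeping the previous file alongside the seeded one costs one line before the copy: `[ -e /var/lib/permission-hardener-v2/new_mode/statoverride ] && mv --verbose /var/lib/permission-hardener-v2/new_mode/statoverride /var/lib/permission-hardener-v2/new_mode/statoverride.pre-migration`. The same consideration applies to the `existing_mode` copy on the context line above it. `migrate_permission_hardener_state` starts outside this hunk, so whatever guard makes this a one-time action (the `do_once` touch at the end suggests one) is not visible here.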
@@ -0,0 +1,23 @@ +root root 700 /etc/cron.monthly +root root 700 /etc/sudoers.d +root shadow 744 /usr/bin/expiry +root root 755 /usr/bin/umount +root root 744 /usr/bin/gpasswd +root root 700 /usr/lib/modules +root root 744 /usr/bin/newgrp +root root 700 /etc/cron.weekly +root root 744 /usr/bin/su +root root 700 /etc/cron.daily +root root 644 /etc/motd +root _ssh 744 /usr/bin/ssh-agent +root root 700 /boot +root shadow 744 /usr/bin/chage +root root 744 /usr/lib/openssh/ssh-keysign +root root 744 /usr/bin/chsh +root root 755 /usr/bin/passwd +root root 744 /usr/bin/chfn +root root 600 /etc/permission-hardener.d +root root 700 /usr/src +root root 755 /usr/bin/mount +root root 644 /etc/issue +root root 700 /etc/cron.d From c6f09748f383fdf7c1b07441c73477b3f18d2768 Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Tue, 14 Jan 2025 20:27:53 -0600 Subject: [PATCH 776/846] Handle de-corruption of new_mode a bit better --- debian/security-misc.postinst | 26 ++++++++++++++++--- ...mission-hardener-new-mode-legacy-hardcoded | 1 + 2 files changed, 23 insertions(+), 4 deletions(-) diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst index 5ee40c6..d1f61d1 100644 --- a/debian/security-misc.postinst +++ b/debian/security-misc.postinst @@ -38,6 +38,7 @@ permission_hardening() { } migrate_permission_hardener_state() { + local existing_mode_dir new_mode_dir dpkg_statoverride_list ## If folder /var/lib/permission-hardener (version 1) does not exist, this migration is unneeded. if [ ! -d '/var/lib/permission-hardener' ]; then return 0 
@@ -48,10 +49,27 @@ migrate_permission_hardener_state() { fi mkdir --parents '/var/lib/security-misc/do_once' - mkdir --parents '/var/lib/permission-hardener-v2/existing_mode' - mkdir --parents '/var/lib/permission-hardener-v2/new_mode' - cp --verbose '/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded' '/var/lib/permission-hardener-v2/existing_mode/statoverride' - cp --verbose '/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded' '/var/lib/permission-hardener-v2/new_mode/statoverride' + existing_mode_dir='/var/lib/permission-hardener-v2/existing_mode' + new_mode_dir='/var/lib/permission-hardener-v2/new_mode' + + mkdir --parents "${existing_mode_dir}"; + mkdir --parents "${new_mode_dir}"; + + cp --verbose '/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded' "${existing_mode_dir}/statoverride" + cp --verbose '/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded' "${new_mode_dir}/statoverride" + + dpkg_statoverride_list="$(dpkg-statoverride --admindir "${new_mode_dir}" --list)" + + if [ "$(stat --format '%G' /usr/bin/sudo)" = 'sysmaint' ]; then + if ! [[ "${dpkg_statoverride_list}" =~ '/usr/bin/sudo' ]]; then + dpkg-statoverride --admindir "${new_mode_dir}" --add 'root' 'sysmaint' '4750' '/usr/bin/sudo' + fi + fi + if [ "$(stat --format '%G' /usr/bin/pkexec)" = 'sysmaint' ]; then + if ! [[ "${dpkg_statoverride_list}" =~ '/usr/bin/pkexec' ]]; then + dpkg-statoverride --admindir "${new_mode_dir}" --add 'root' 'sysmaint' '4750' '/usr/bin/pkexec' + fi + fi touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" } diff --git a/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded b/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded index b8f0cf4..142686e 100644 --- a/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded +++ b/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded 
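Review bot: `stat --format '%G' /usr/bin/pkexec` (and the same call for `/usr/bin/sudo`) runs without checking that the file exists; on a system without policykit-1 the command prints a "No such file or directory" error during postinst and the comparison silently evaluates to false. Guarding each check with an existence test removes the noise and states the intent: `if [ -e /usr/bin/pkexec ] && [ "$(stat --format '%G' /usr/bin/pkexec)" = 'sysmaint' ]; then`. Separately, `dpkg-statoverride --list` exits 1 when the database holds no entries, so if this postinst runs under `set -e` (not visible in the hunk) the assignment to `dpkg_statoverride_list` would abort the script should the seeded file ever be empty; appending `|| true` with a comment, or checking the status explicitly, would be safer. The trailing `;` on the two `mkdir --parents` lines is unnecessary.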
@@ -8,6 +8,7 @@ root root 744 /usr/bin/newgrp root root 700 /etc/cron.weekly root root 744 /usr/bin/su root root 700 /etc/cron.daily +root root 755 /bin/ping root root 644 /etc/motd root _ssh 744 /usr/bin/ssh-agent root root 700 /boot From 328f747179ffb2e7705a73bc9a0c5133a17da829 Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Tue, 14 Jan 2025 20:35:28 -0600 Subject: [PATCH 777/846] Restore permission-hardener's notice about how to compare old and new states --- usr/bin/permission-hardener | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index b2991e0..c5527e3 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -612,6 +612,11 @@ commit_policy() { -- "${policy_file_item}" fi done + + log notice "\ +To compare the current and previous permission modes, install 'meld' (or preferred diff tool) for comparison of file mode changes: + sudo apt install --no-install-recommends meld + meld ${store_dir}/existing_mode/statoverride ${store_dir}/new_mode/statoverride" } undo_policy_for_file() { From ca257164105c4f66576024b64c52a42921455d16 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 15 Jan 2025 09:44:48 -0500 Subject: [PATCH 778/846] improve permission hardener migration code --- debian/security-misc.config | 27 +++++++++++++++++++++++---- 1 file changed, 23 insertions(+), 4 deletions(-) mode change 100644 => 100755 debian/security-misc.config diff --git a/debian/security-misc.config b/debian/security-misc.config old mode 100644 new mode 100755 index 95684bc..d8f4506 --- a/debian/security-misc.config +++ b/debian/security-misc.config 
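Review bot: The new entry uses `/bin/ping` while every other path in this seeded database is under `/usr/...`; dpkg-statoverride keys entries on the literal path string, so an entry for `/bin/ping` is not found by a later `--list` or `--remove` that asks about `/usr/bin/ping`, even on a merged-/usr system where both names reach the same file. If the canonical location is `/usr/bin/ping`, the line should read `root root 755 /usr/bin/ping`.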
@@ -22,7 +22,7 @@ true " " check_migrate_permission_hardener_state() { - local modified_pkg_data_str custom_hardening_arr config_file + local pkg_list modified_pkg_data_str custom_hardening_arr config_file ## If folder /var/lib/permission-hardener (version 1) does not exist, this migration is unneeded. if [ ! -d '/var/lib/permission-hardener' ]; then @@ -35,6 +35,8 @@ check_migrate_permission_hardener_state() { fi mkdir --parents '/var/lib/security-misc/do_once' + source /usr/libexec/helper-scripts/package_installed_check.bsh + orig_hardening_arr=( '/usr/lib/permission-hardener.d/25_default_passwd.conf' '/usr/lib/permission-hardener.d/25_default_sudo.conf' @@ -84,11 +86,24 @@ check_migrate_permission_hardener_state() { '/etc/permission-hardener.d/30_default.conf' ) + pkg_list="security-misc" + if pkg_installed user-sysmaint-split ; then + pkg_list+=" user-sysmaint-split" + fi + if pkg_installed anon-apps-config ; then + pkg_list+=" anon-apps-config" + fi + ## This will exit non-zero if some of the packages don't exist, but we ## don't care. The packages that *are* installed will still be scanned. - modified_pkg_data_str="$(dpkg -V security-misc user-sysmaint-split anon-apps-config)" || true + modified_pkg_data_str="$(dpkg --verify $pkg_list)" || true + + ## Example modified_pkg_data_str: + #modified_pkg_data_str='missing /usr/lib/permission-hardener.d/20_user-sysmaint-split.conf' + readarray -t custom_hardening_arr < <(awk '/permission-hardener.d/{ print $NF }' <<< "${modified_pkg_data_str}") - ## If the above `dpkg -V` command doesn't return any permission-hardener + + ## If the above `dpkg --verify` command doesn't return any permission-hardener ## related lines, the array will contain no meaningful info, just a single ## blank element at the start. Set the array to be explicitly empty in ## this scenario. 
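Review bot: `orig_hardening_arr`, assigned a few lines below the changed `local` line (visible as context in the third hunk of this commit), is not in the `local` list while every other array the function uses is, so it leaks into the global scope of the `.config` script. Adding it keeps the scoping consistent: `local pkg_list modified_pkg_data_str orig_hardening_arr custom_hardening_arr config_file`. `check_migrate_permission_hardener_state` continues outside this hunk.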
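Review bot: `source /usr/libexec/helper-scripts/package_installed_check.bsh` introduces a hard runtime dependency on the helper-scripts package into a `.config` script, which debconf runs at preconfigure time before the package's own dependencies are guaranteed to be unpacked; with `set -e` in effect (see the file header in the earlier hunk of debian/security-misc.config) a missing file aborts the whole install rather than just the migration check. Either guard the line, `[ -r /usr/libexec/helper-scripts/package_installed_check.bsh ] || return 0` with a comment stating that the migration check is skipped when the helper is absent, or inline the small `pkg_installed` check so the script is self-contained.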
@@ -113,7 +128,11 @@ check_migrate_permission_hardener_state() { if [ "${#custom_hardening_arr[@]}" != '0' ]; then for custom_config_file in "${custom_hardening_arr[@]}"; do - echo "$0: INFO: Possible custom configuration file found: '${custom_config_file}'" + if ! test -e "${custom_config_file}" ; then + echo "$0: INFO: Possible missing configuration file found: '${custom_config_file}'" + else + echo "$0: INFO: Possible custom configuration file found: '${custom_config_file}'" + fi done ## db_input will return code 30 if the message won't be displayed, which ## causes a non-interactive install to error out if you don't use || true From 597186972e463ce7a0b44662f7656f351ddf1030 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 15 Jan 2025 15:02:44 +0000 Subject: [PATCH 779/846] bumped changelog version --- changelog.upstream | 43 +++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 49 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index b6f420d..78b8576 100644 --- a/changelog.upstream +++ b/changelog.upstream 
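Review bot: `custom_config_file`, the loop variable in this hunk, is not declared `local` in `check_migrate_permission_hardener_state`; the `local` list changed in the first hunk of this commit names `config_file`, which does not appear in the lines shown here, so it looks like the declaration and the loop drifted apart and the loop variable leaks globally. Either rename the loop variable to `config_file` or add `custom_config_file` to the `local` list. The function body continues outside this hunk.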
@@ -1,3 +1,46 @@ +commit ca257164105c4f66576024b64c52a42921455d16 +Author: Patrick Schleizer +Date: Wed Jan 15 09:44:48 2025 -0500 + + improve permission hardener migration code + +commit 2dfd30a44ae332faa50bc4920486cdd9480c7e5d +Merge: a84d3ba 328f747 +Author: Patrick Schleizer +Date: Wed Jan 15 09:33:57 2025 -0500 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/more-permission-hardener' + +commit 328f747179ffb2e7705a73bc9a0c5133a17da829 +Author: Aaron Rainbolt +Date: Tue Jan 14 20:35:28 2025 -0600 + + Restore permission-hardener's notice about how to compare old and new states + +commit c6f09748f383fdf7c1b07441c73477b3f18d2768 +Author: Aaron Rainbolt +Date: Tue Jan 14 20:27:53 2025 -0600 + + Handle de-corruption of new_mode a bit better + +commit a0f81958dfb020d311d86cbd00d4f86f678d8be9 +Author: Aaron Rainbolt +Date: Tue Jan 14 19:25:15 2025 -0600 + + De-corrupt the new_mode permission-hardener statoverride database too + +commit 396372c1295e2a09d596f3e23fccc26794a26f05 +Author: Aaron Rainbolt +Date: Tue Jan 14 18:50:24 2025 -0600 + + Avoid scanning unnecessary packages for modified permission-hardener config + +commit a84d3ba732bcbd2fb93ea2bc145a0db0f33f1b77 +Author: Patrick Schleizer +Date: Tue Jan 14 14:32:13 2025 +0000 + + bumped changelog version + commit 709036c79f8efc9fefa9e7709780a75f9f5004d2 Author: Patrick Schleizer Date: Tue Jan 14 09:31:58 2025 -0500 diff --git a/debian/changelog b/debian/changelog index 6e782c5..5acdf3c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:43.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 15 Jan 2025 15:02:43 +0000 + security-misc (3:43.2-1) unstable; urgency=medium * New upstream version (local package). From bf73f1f2b5e429caaf01bfbcdc7d5d032e3c0efb Mon Sep 17 00:00:00 2001 
From: Aaron Rainbolt Date: Wed, 15 Jan 2025 19:10:41 -0600 Subject: [PATCH 780/846] Avoid impossible-to-satisfy dependency on helper-scripts, improve string handling robustness in postinst --- debian/security-misc.config | 35 +++++++++++++++++++++++++++++------ 1 file changed, 29 insertions(+), 6 deletions(-) diff --git a/debian/security-misc.config b/debian/security-misc.config index d8f4506..07dfcf6 100755 --- a/debian/security-misc.config +++ b/debian/security-misc.config @@ -21,6 +21,31 @@ true " ##################################################################### " +## Copied from helper-scripts/usr/libexec/helper-scripts/package_installed_check.bsh +pkg_installed() { + local package_name dpkg_query_output + local requested_action status error_state + + package_name="$1" + ## Cannot use '&>' because it is a bashism. + dpkg_query_output="$(dpkg-query --show --showformat='${Status}' "$package_name" 2>/dev/null)" || true + ## dpkg_query_output Exampels: + ## install ok half-configured + ## install ok installed + + requested_action=$(echo "$dpkg_query_output" | awk '{print $1}') + status=$(echo "$dpkg_query_output" | awk '{print $2}') + error_state=$(echo "$dpkg_query_output" | awk '{print $3}') + + if [ "$requested_action" = 'install' ]; then + true "$0: INFO: $package_name is installed, ok." + return 0 + fi + + true "$0: INFO: $package_name is not installed, ok." + return 1 +} + check_migrate_permission_hardener_state() { local pkg_list modified_pkg_data_str custom_hardening_arr config_file @@ -35,8 +60,6 @@ check_migrate_permission_hardener_state() { fi mkdir --parents '/var/lib/security-misc/do_once' - source /usr/libexec/helper-scripts/package_installed_check.bsh - orig_hardening_arr=( '/usr/lib/permission-hardener.d/25_default_passwd.conf' '/usr/lib/permission-hardener.d/25_default_sudo.conf' 
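Review bot: In the new `pkg_installed`, `status` and `error_state` are computed but never read, and the test `[ "$requested_action" = 'install' ]` reports a package as installed for any state whose first field is `install` — including `install ok unpacked` and the `install ok half-configured` example in the comment — which is adequate for feeding `dpkg --verify` but misleading if the function is later reused as an "is fully installed" check. Either drop the two unused variables or use them, e.g. `[ "$requested_action" = 'install' ] && [ "$status" = 'ok' ] && [ "$error_state" = 'installed' ]`, and state the chosen semantics in the comment above the function. The comment line `## dpkg_query_output Exampels:` has a typo (`Examples`).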
@@ -86,17 +109,17 @@ check_migrate_permission_hardener_state() { '/etc/permission-hardener.d/30_default.conf' ) - pkg_list="security-misc" + pkg_list=( "security-misc" ) if pkg_installed user-sysmaint-split ; then - pkg_list+=" user-sysmaint-split" + pkg_list+=( "user-sysmaint-split" ) fi if pkg_installed anon-apps-config ; then - pkg_list+=" anon-apps-config" + pkg_list+=( "anon-apps-config" ) fi ## This will exit non-zero if some of the packages don't exist, but we ## don't care. The packages that *are* installed will still be scanned. - modified_pkg_data_str="$(dpkg --verify $pkg_list)" || true + modified_pkg_data_str="$(dpkg --verify "${pkg_list[@]}")" || true ## Example modified_pkg_data_str: #modified_pkg_data_str='missing /usr/lib/permission-hardener.d/20_user-sysmaint-split.conf' From 876d596a071ac916f7d220ee2449358aedba7efe Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 17 Jan 2025 07:55:54 -0500 Subject: [PATCH 781/846] comment --- debian/security-misc.config | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/debian/security-misc.config b/debian/security-misc.config index 07dfcf6..11dd83d 100755 --- a/debian/security-misc.config +++ b/debian/security-misc.config @@ -21,7 +21,10 @@ true " ##################################################################### " -## Copied from helper-scripts/usr/libexec/helper-scripts/package_installed_check.bsh +## Code duplication. +## '.config' scripts are run very early. Even 'Pre-Depends: helper-scripts' would be insufficient. +## Therefore the code is duplicated here. +## Copied from: helper-scripts /usr/libexec/helper-scripts/package_installed_check.bsh pkg_installed() { local package_name dpkg_query_output local requested_action status error_state From 51c7010e8f47ce6e6a28e6267c735e897dcfb053 Mon Sep 17 00:00:00 2001 
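Review bot: The comment `## This will exit non-zero if some of the packages don't exist` is stale after this hunk: `pkg_list` now only holds packages that `pkg_installed` confirmed, so the remaining reason `dpkg --verify` exits non-zero is a verification mismatch, which is exactly the condition being searched for. Rewording it keeps the `|| true` justified for the right reason: `## dpkg --verify exits non-zero whenever any file differs from the package's` / `## manifest, which is the case we are looking for, so the status is ignored.` The function continues outside this hunk.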
From: Patrick Schleizer Date: Fri, 17 Jan 2025 13:35:28 +0000 Subject: [PATCH 782/846] bumped changelog version --- changelog.upstream | 25 +++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 31 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 78b8576..79ae2c7 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,28 @@ +commit 876d596a071ac916f7d220ee2449358aedba7efe +Author: Patrick Schleizer +Date: Fri Jan 17 07:55:54 2025 -0500 + + comment + +commit c9e2f82bd01813682998c775f75bac0841239e5e +Merge: 5971869 bf73f1f +Author: Patrick Schleizer +Date: Fri Jan 17 07:53:59 2025 -0500 + + Merge remote-tracking branch 'ArrayBolt3/master' + +commit bf73f1f2b5e429caaf01bfbcdc7d5d032e3c0efb +Author: Aaron Rainbolt +Date: Wed Jan 15 19:10:41 2025 -0600 + + Avoid impossible-to-satisfy dependency on helper-scripts, improve string handling robustness in postinst + +commit 597186972e463ce7a0b44662f7656f351ddf1030 +Author: Patrick Schleizer +Date: Wed Jan 15 15:02:44 2025 +0000 + + bumped changelog version + commit ca257164105c4f66576024b64c52a42921455d16 Author: Patrick Schleizer Date: Wed Jan 15 09:44:48 2025 -0500 diff --git a/debian/changelog b/debian/changelog index 5acdf3c..18555e8 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:43.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 17 Jan 2025 13:35:27 +0000 + security-misc (3:43.3-1) unstable; urgency=medium * New upstream version (local package). From 1b4d1edfc316f125ff5039bf17897802205750e2 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Mon, 20 Jan 2025 04:29:42 -0500 Subject: [PATCH 783/846] comments --- .../25_default_whitelist_policykit.conf | 6 +++--- .../permission-hardener.d/25_default_whitelist_postfix.conf | 1 + .../permission-hardener.d/25_default_whitelist_selinux.conf | 1 + .../permission-hardener.d/25_default_whitelist_spice.conf | 1 + .../permission-hardener.d/25_default_whitelist_sudo.conf | 1 + 5 files changed, 7 insertions(+), 3 deletions(-) diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf b/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf index f8a3919..de20400 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf @@ -5,12 +5,10 @@ ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom ## configuration. When security-misc is updated, this file may be overwritten. +## user-sysmaint-split hardens this further. /usr/bin/pkexec exactwhitelist /usr/bin/pkexec.security-misc-orig exactwhitelist -## TODO: research -## TODO: Should be handled in user-sysmaint-split? -## ## Required for PolicyKit (Polkit) to function. ## ## https://polkit-devel.freedesktop.narkive.com/zXO4yEg7/documentation-on-polkit-agent-helper-1-and-suid# @@ -24,4 +22,6 @@ ## matches both: ## - /usr/lib/policykit-1/polkit-agent-helper-1 ## - /lib/policykit-1/polkit-agent-helper-1 +## +## user-sysmaint-split hardens this further. polkit-agent-helper-1 matchwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf b/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf index 5ebdae3..bf76069 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf 
@@ -5,5 +5,6 @@ ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom ## configuration. When security-misc is updated, this file may be overwritten. +## TODO: research and document postqueue matchwhitelist postdrop matchwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf b/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf index fd74488..62d3198 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf @@ -5,4 +5,5 @@ ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom ## configuration. When security-misc is updated, this file may be overwritten. +## TODO: research and document /utempter/utempter matchwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf b/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf index df29fec..5b79059 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf @@ -5,4 +5,5 @@ ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom ## configuration. When security-misc is updated, this file may be overwritten. +## TODO: research and document spice-client-glib-usb-acl-helper matchwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf b/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf index ee68aba..e15b265 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf @@ -5,4 +5,5 @@ ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom ## configuration. When security-misc is updated, this file may be overwritten. +## user-sysmaint-split hardens this further. /usr/bin/sudo exactwhitelist From 4e0d5a196ccb8ef3fdf2b67d974f28d02a532f91 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Mon, 20 Jan 2025 04:30:26 -0500 Subject: [PATCH 784/846] delete comment only configuration file (moved to user-sysmaint-split) --- .../25_default_sudo.conf | 19 ------------------- 1 file changed, 19 deletions(-) delete mode 100644 usr/lib/permission-hardener.d/25_default_sudo.conf diff --git a/usr/lib/permission-hardener.d/25_default_sudo.conf b/usr/lib/permission-hardener.d/25_default_sudo.conf deleted file mode 100644 index e575449..0000000 --- a/usr/lib/permission-hardener.d/25_default_sudo.conf +++ /dev/null @@ -1,19 +0,0 @@ -## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC -## See the file COPYING for copying conditions. - -## Please use "/etc/permission-hardener.d/20_user.conf" or -## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom -## configuration. When security-misc is updated, this file may be overwritten. - -## https://forums.whonix.org/t/restrict-root-access/7658/116 -## This restricts the file permissions of the sudo executable so that a vulnerability -## in the program will not be exploitable by any users not in the "sudo" group. sudo -## is a very complex program and is setuid so vulnerabilities in it can allow privilege -## escalation, regardless of other root access restrictions. For example, the following -## buffer overflow vulnerability could have been exploited by any user on the system: -## https://www.openwall.com/lists/oss-security/2021/01/26/3 -## With this restriction, only users explicitly permitted to use sudo by being added to -## the "sudo" group could exploit such vulnerabilities. For example, this would prevent a -## compromised network-facing daemon (such as web servers, time synchronization daemons, -## etc.) running as its own user from exploiting sudo to escalate privileges. -#/usr/bin/sudo 4750 root sudo From 8ff5f3b22125488f64cd384ffbfcbd8f2ecd61a6 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Mon, 20 Jan 2025 10:11:43 +0000 Subject: [PATCH 785/846] bumped changelog version --- changelog.upstream | 18 ++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 24 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 79ae2c7..c803629 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,21 @@ +commit 4e0d5a196ccb8ef3fdf2b67d974f28d02a532f91 +Author: Patrick Schleizer +Date: Mon Jan 20 04:30:26 2025 -0500 + + delete comment only configuration file (moved to user-sysmaint-split) + +commit 1b4d1edfc316f125ff5039bf17897802205750e2 +Author: Patrick Schleizer +Date: Mon Jan 20 04:29:42 2025 -0500 + + comments + +commit 51c7010e8f47ce6e6a28e6267c735e897dcfb053 +Author: Patrick Schleizer +Date: Fri Jan 17 13:35:28 2025 +0000 + + bumped changelog version + commit 876d596a071ac916f7d220ee2449358aedba7efe Author: Patrick Schleizer Date: Fri Jan 17 07:55:54 2025 -0500 diff --git a/debian/changelog b/debian/changelog index 18555e8..8653904 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:43.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 20 Jan 2025 10:11:42 +0000 + security-misc (3:43.4-1) unstable; urgency=medium * New upstream version (local package). From df9d058ed9635b168508ded20277c174a24cf3f5 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 20 Jan 2025 06:28:16 -0500 Subject: [PATCH 786/846] usrmerge --- usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf | 1 - usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf | 2 +- .../permission-hardener.d/25_default_whitelist_unix_chkpwd.conf | 1 - .../permission-hardener.d/25_default_whitelist_virtualbox.conf | 1 - 4 files changed, 1 insertion(+), 4 deletions(-) diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf b/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf index 87f4f1e..e7bc816 100644 
--- a/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_passwd.conf @@ -12,5 +12,4 @@ # # See also: https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#passwd /usr/bin/passwd exactwhitelist -/bin/passwd exactwhitelist /usr/bin/passwd 0755 root root diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf b/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf index 2d5f786..8688dfe 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf @@ -12,4 +12,4 @@ ## SSH, and is likely rarely used, thus this should be safe to disable. #ssh-agent matchwhitelist #ssh-keysign matchwhitelist -#/lib/openssh matchwhitelist +#/usr/lib/openssh matchwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf b/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf index 05d5235..1faf380 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_unix_chkpwd.conf @@ -8,4 +8,3 @@ ## required for performing password validation from unprivileged user ## processes such as KScreenLocker's unlock prompt /usr/sbin/unix_chkpwd exactwhitelist -/sbin/unix_chkpwd exactwhitelist diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf b/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf index 621a6b2..76c2eee 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_virtualbox.conf @@ -7,7 +7,6 @@ ## TODO: research /usr/lib/virtualbox/ matchwhitelist -/lib/virtualbox/ matchwhitelist VirtualBoxVM matchwhitelist VBoxSDL matchwhitelist VBoxNetNAT matchwhitelist From f1b6bff30b1891bfbe870de9edd78fa7dbd66e7c Mon Sep 17 00:00:00 2001 
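Review bot: Dropping the `/bin/passwd` whitelist line here, and likewise `/sbin/unix_chkpwd` and `/lib/virtualbox/` in the other hunks of this commit, assumes every target is merged-/usr; that holds for current Debian releases, but the seeded database in usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded still lists `/bin/ping`, so the tree is not consistently `/usr`-only after this commit. If whitelists are matched against the path as the filesystem scan reports it (not visible here), a system with un-merged directories would lose the passwd and unix_chkpwd exemptions. A one-line comment in this file such as `## Un-merged /bin aliases removed: merged-/usr is assumed.` would record the assumption.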
From: Patrick Schleizer Date: Mon, 20 Jan 2025 11:35:08 +0000 Subject: [PATCH 787/846] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index c803629..3261247 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit df9d058ed9635b168508ded20277c174a24cf3f5 +Author: Patrick Schleizer +Date: Mon Jan 20 06:28:16 2025 -0500 + + usrmerge + +commit 8ff5f3b22125488f64cd384ffbfcbd8f2ecd61a6 +Author: Patrick Schleizer +Date: Mon Jan 20 10:11:43 2025 +0000 + + bumped changelog version + commit 4e0d5a196ccb8ef3fdf2b67d974f28d02a532f91 Author: Patrick Schleizer Date: Mon Jan 20 04:30:26 2025 -0500 diff --git a/debian/changelog b/debian/changelog index 8653904..22d37c6 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:43.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 20 Jan 2025 11:35:08 +0000 + security-misc (3:43.5-1) unstable; urgency=medium * New upstream version (local package). From a97620a2e491cc039adb15af94958f26b39319a2 Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Mon, 20 Jan 2025 22:43:55 -0600 Subject: [PATCH 788/846] Add print-diagnostics command to permission-hardener --- usr/bin/permission-hardener | 176 +++++++++++++++++++++++++++++++----- 1 file changed, 153 insertions(+), 23 deletions(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index c5527e3..165dd2c 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -176,6 +176,7 @@ print_usage(){ ${0##*/} print-policy ${0##*/} print-state ${0##*/} print-policy-applied-state + ${0##*/} print-diagnostics Examples: ${0##*/} enable 
@@ -747,29 +748,113 @@ print_state() { done } -## Global variables -policy_file_list=() -policy_user_owner_list=() -policy_group_owner_list=() -policy_mode_list=() -policy_capability_list=() -policy_exact_white_list=() -policy_match_white_list=() -policy_disable_white_list=() -policy_nosuid_file_list=() -state_file_list=() -state_user_owner_list=() -state_group_owner_list=() -state_mode_list=() -whitelists_disable_all=false -existing_mode='' -existing_owner='' -existing_group='' -processed_config_line='' -file_name_from_stat='' -passwd_file_contents="$(getent passwd)" -group_file_contents="$(getent group)" -exit_code=0 +print_raw_policy_config() { + for config_file in \ + /usr/lib/permission-hardener.d/*.conf \ + /etc/permission-hardener.d/*.conf \ + /usr/local/etc/permission-hardener.d/*.conf \ + /etc/permission-hardening.d/*.conf \ + /usr/local/etc/permission-hardening.d/*.conf + do + if [ ! -f "${config_file}" ]; then + continue + fi + echo "*** begin ${config_file} ***" + cat "${config_file}" + echo "*** end ${config_file} ***" + done +} + +print_raw_state() { + local state_file + for state_file in "${store_dir}/existing_mode/statoverride" \ + "${store_dir}/new_mode/statoverride"; do + echo "*** begin ${state_file} ***" + cat "${state_file}" + echo "*** end ${state_file} ***" + done +} + +print_fs_audit() { + local state_idx + + echo 'Legend:' + echo '... - Warning about an unusual, but not necessarily wrong, condition' + echo '!!! 
- Warning about an unusual and definitely wrong condition' + echo '*** - File permission data, actual state on filesystem is consistent with policy' + echo '^^^ - File permission data, actual state on filesystem is inconsistent with policy' + echo 'vvv - File permissions specified by state, always shown after a ^^^ item' + echo + + for (( state_idx=0; state_idx < ${#state_file_list[@]}; state_idx++ )); do + state_file_item="${state_file_list[state_idx]}" + state_user_owner_item="${state_user_owner_list[state_idx]}" + state_group_owner_item="${state_group_owner_list[state_idx]}" + state_mode_item="${state_mode_list[state_idx]}" + + ## Get rid of leading zeros, stat doesn't output them due to how we use it. + ## Using BASH_REMATCH is faster than sed. We capture all leading zeros into + ## one group, and the rest of the string into a second group. The second + ## group is the string we want. BASH_REMATCH[0] is the entire string, + ## BASH_REMATCH[1] is the first match that we want to discard, and + ## BASH_REMATCH[2] is the desired second group. + [[ "${state_mode_item}" =~ ^(0*)(.*) ]] || true; + state_mode_item="${BASH_REMATCH[2]}" + + output_stat "${state_file_item}" + if [ -z "${file_name_from_stat}" ]; then + echo "... '${state_file_item}' does not exist" + continue + fi + + if [ "${existing_owner}" != "${state_user_owner_item}" ] \ + || [ "${existing_group}" != "${state_group_owner_item}" ] \ + || [ "${existing_mode}" != "${state_mode_item}" ]; then + if ! [[ "${passwd_file_contents}" =~ "${state_user_owner_item}:" ]]; then + echo "!!! Owner from config does not exist: '${state_user_owner_item}'" + continue + fi + + if ! [[ "${group_file_contents}" =~ "${state_group_owner_item}:" ]]; then + echo "!!! 
Group from config does not exist: '${state_group_owner_item}'" + continue + fi + + echo "^^^ ${file_name_from_stat} ${existing_owner}:${existing_group} ${existing_mode}" + echo "vvv ${state_file_item} ${state_user_owner_item}:${state_group_owner_item} ${state_mode_item}" + else + echo "*** ${file_name_from_stat} ${existing_owner}:${existing_group} ${existing_mode}" + fi + done +} + +reset_global_vars() { + ## Global variables + policy_file_list=() + policy_user_owner_list=() + policy_group_owner_list=() + policy_mode_list=() + policy_capability_list=() + policy_exact_white_list=() + policy_match_white_list=() + policy_disable_white_list=() + policy_nosuid_file_list=() + state_file_list=() + state_user_owner_list=() + state_group_owner_list=() + state_mode_list=() + whitelists_disable_all=false + existing_mode='' + existing_owner='' + existing_group='' + processed_config_line='' + file_name_from_stat='' + passwd_file_contents="$(getent passwd)" + group_file_contents="$(getent group)" + exit_code=0 +} + +reset_global_vars ## Setup and sanity checking if [ "$(id -u)" != '0' ]; then 
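Review bot: The owner/group existence checks in print_fs_audit use an unanchored substring match, `[[ "${passwd_file_contents}" =~ "${state_user_owner_item}:" ]]`, so a name that is merely a suffix of an existing account (or that appears in a GECOS or home-directory field followed by a colon) is reported as existing. Anchoring to the start of a passwd line makes the test exact: `if ! [[ "${passwd_file_contents}" =~ (^|$'\n')"${state_user_owner_item}": ]]; then`, and likewise for the group check. Separately, print_raw_state runs `cat` on both statoverride files without the `-f` guard that print_raw_policy_config applies, so a missing state file turns a diagnostics dump into an error; `[ -f "${state_file}" ] || { echo "*** ${state_file} missing ***"; continue; }` would keep the dump going. The trailing context (`## Setup and sanity checking`) belongs to top-level code that continues outside the hunk.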
@@ -817,6 +902,51 @@ case "${1:-}" in apply_policy print_state ;; + print-diagnostics) + echo '=== BEGIN PERMISSION-HARDENER DIAGNOSTICS ===' + + echo '--- BEGIN State without policy ---' + load_state_without_policy + print_state + echo '--- END State without policy ---' + + reset_global_vars + + echo '--- BEGIN Policy without state ---' + load_state + print_policy + echo '--- END Policy without state ---' + + reset_global_vars + + echo '--- BEGIN Policy-applied-state ---' + load_state + apply_policy + print_state + echo '--- END Policy-applied state ---' + + reset_global_vars + + echo '--- BEGIN Master dpkg-statoverride database ---' + dpkg-statoverride --list + echo '--- END Master dpkg-statoverride database ---' + + echo '--- BEGIN Raw policy configuration ---' + print_raw_policy_config + echo '--- END Raw policy configuration ---' + + echo '--- BEGIN Raw state data ---' + print_raw_state + echo '--- END Raw state data ---' + + echo '--- BEGIN Filesystem state audit ---' + load_state + apply_policy + print_fs_audit + echo '--- END Filesystem state audit ---' + + echo '=== END PERMISSION-HARDENER DIAGNOSTICS ===' + ;; -h|--help) print_usage exit 0 From 15d13a8571d1f38b2bc36387f61bce24c86be97b Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Tue, 21 Jan 2025 12:36:04 +0000 Subject: [PATCH 789/846] Add info on DBX updates via the UEFI Revocation List --- README.md | 9 ++++++--- etc/default/grub.d/40_cpu_mitigations.cfg | 7 +++++++ 2 files changed, 13 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 06f31d9..74bfa0f 100644 --- a/README.md +++ b/README.md 
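Review bot: The section markers do not match — `'--- BEGIN Policy-applied-state ---'` is closed by `'--- END Policy-applied state ---'`, which will trip anyone extracting a block from the diagnostics output; change the closing line to `echo '--- END Policy-applied-state ---'`. The "Filesystem state audit" section repeats `load_state` and `apply_policy` after a `reset_global_vars` even though exactly that pair was just run for the previous section; unless apply_policy has side effects the reset is meant to undo, the audit could run on the state already in memory and save a second getent/stat pass. Whether apply_policy writes anything to the dpkg-statoverride admin directories is not visible here; if it does, the usage text should say so, since users will expect `print-diagnostics` to be a read-only dump. The enclosing `case` statement continues outside the hunk.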
@@ -138,9 +138,12 @@ configuration file and significant hardening is applied to a myriad of component Mitigations for known CPU vulnerabilities are enabled in their strictest form and simultaneous multithreading (SMT) is disabled. See the -`/etc/default/grub.d/40_cpu_mitigations.cfg` configuration file. Note, to achieve -complete protection for known CPU vulnerabilities, the latest security microcode -(BIOS/UEFI) updates must also be installed on the system. +`/etc/default/grub.d/40_cpu_mitigations.cfg` configuration file. + +Note, to achieve complete protection for known CPU vulnerabilities, the latest +security microcode (BIOS/UEFI) updates must be installed on the system. Furthermore, +if using Secure Boot, the Secure Boot Forbidden Signature Database (DBX) must be kept +up to date through [UEFI Revocation List](https://uefi.org/revocationlistfile) updates. Boot parameters relating to kernel hardening, DMA mitigations, and entropy generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg` diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index 06bcb88..9b29760 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg 
@@ -26,6 +26,13 @@ ## Note that incorrectly performing system BIOS/UEFI updates can potentially lead to serious functionality issues. ## The parameters below only provide (partial) protection at both the kernel and user space level. +## If using Secure Boot, users must also ensure the Secure Boot Forbidden Signature Database (DBX) is up to date. +## The UEFI Revocation List contains signatures of now revoked firmware and software used in booting systems. +## If using compatible hardware, the database can be updated directly in user space using fwupd. +## Note that incorrectly performing DBX updates can potentially lead to serious functionality issues. +## https://uefi.org/revocationlistfile +## https://github.com/fwupd/fwupd + ## Enable a subset of known mitigations for some CPU vulnerabilities and disable SMT. ## ## KSPP=yes From 4b1e530674146d4d2b62ff4a87fe3add5667403c Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Tue, 21 Jan 2025 12:39:06 +0000 Subject: [PATCH 790/846] README.md: List CPU mitigations --- README.md | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/README.md b/README.md index 74bfa0f..2b4904a 100644 --- a/README.md +++ b/README.md 
@@ -145,6 +145,38 @@ security microcode (BIOS/UEFI) updates must be installed on the system. Furtherm if using Secure Boot, the Secure Boot Forbidden Signature Database (DBX) must be kept up to date through [UEFI Revocation List](https://uefi.org/revocationlistfile) updates. +CPU mitigations: + +- Disable Simultaneous Multithreading (SMT) + +- Spectre Side Channels (BTI and BHI) + +- Speculative Store Bypass (SSB) + +- L1 Terminal Fault (L1TF) + +- Microarchitectural Data Sampling (MDS) + +- TSX Asynchronous Abort (TAA) + +- iTLB Multihit + +- Special Register Buffer Data Sampling (SRBDS) + +- L1D Flushing + +- Processor MMIO Stale Data + +- Arbitrary Speculative Code Execution with Return Instructions (Retbleed) + +- Cross-Thread Return Address Predictions + +- Speculative Return Stack Overflow (SRSO) + +- Gather Data Sampling (GDS) + +- Register File Data Sampling (RFDS) + Boot parameters relating to kernel hardening, DMA mitigations, and entropy generation are outlined in the `/etc/default/grub.d/40_kernel_hardening.cfg` configuration file. From ed767e00b0260d29c18c710efe07d68a9beffb34 Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Tue, 21 Jan 2025 16:41:30 -0600 Subject: [PATCH 791/846] Add some local variable declarations --- usr/bin/permission-hardener | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 165dd2c..58c0797 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -749,6 +749,7 @@ print_state() { } print_raw_policy_config() { + local config_file for config_file in \ /usr/lib/permission-hardener.d/*.conf \ /etc/permission-hardener.d/*.conf \ @@ -776,7 +777,8 @@ print_raw_state() { } print_fs_audit() { - local state_idx + local state_idx state_file_item state_user_owner_item state_group_owner_item \ + state_mode_item echo 'Legend:' echo '... - Warning about an unusual, but not necessarily wrong, condition' 
From 5e60416c864a7d06f635161a185864fc36d5685c Mon Sep 17 00:00:00 2001
From: Aaron Rainbolt
Date: Tue, 21 Jan 2025 21:05:03 -0600
Subject: [PATCH 792/846] Make permission-hardener always apply changes to real files, not symlinks
---
 usr/bin/permission-hardener | 32 ++++++++++++-------
 ...on-hardener-existing-mode-legacy-hardcoded | 4 +--
 ...mission-hardener-new-mode-legacy-hardcoded | 4 +--
 3 files changed, 25 insertions(+), 15 deletions(-)
diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener
index 58c0797..7d5028a 100755
--- a/usr/bin/permission-hardener
+++ b/usr/bin/permission-hardener
@@ -168,6 +168,12 @@ line: '${processed_config_line}'
 log error "Existing group is empty. Stat output: '${stat_output}', line: '${processed_config_line}'" >&2
 return 1
 fi
+
+ ## If a symlink was passed as input, return the original file's path rather
+ ## than the symlink to avoid problems stemming from using the wrong path
+ if [ -h "${file_name_from_stat}" ]; then
+ file_name_from_stat="$(realpath "${file_name_from_stat}")"
+ fi
 }
 print_usage(){
@@ -194,6 +200,10 @@ add_to_policy() {
 file_capabilities="${5:-}"
 updated_entry=false
+ if [ -h "${file_name}" ]; then
+ file_name="$(realpath "${file_name}")" || return 1
+ fi
+
 for (( policy_idx=0; policy_idx < ${#policy_file_list[@]}; policy_idx++ )); do
 if [ "${policy_file_list[policy_idx]}" = "${file_name}" ]; then
 policy_mode_list[policy_idx]="${file_mode}"
@@ -279,7 +289,7 @@ load_early_nosuid_policy() {
 local new_mode
 new_mode='744'
- add_to_policy "${find_list_item}" "${new_mode}" "${existing_owner}" \
+ add_to_policy "${file_name_from_stat}" "${new_mode}" "${existing_owner}" \
 "${existing_group}"
 done < <(safe_echo_nonewline "${target_file}" \
 | find -files0-from - -perm /u=s,g=s -print0)
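Review bot: The new `realpath` call in output_stat has no failure handling, unlike the matching one added to add_to_policy in this same commit, which uses `|| return 1`: if realpath fails, `file_name_from_stat` becomes the empty string and the function still returns success (unless the script runs under `set -e`, which the hunk does not show), and the callers visible elsewhere in this series treat `[ -z "${file_name_from_stat}" ]` as "file does not exist" and skip the entry — so a symlinked setuid binary could quietly escape hardening. Use `file_name_from_stat="$(realpath -- "${file_name_from_stat}")" || return 1`; the `--` also protects against names beginning with a dash. It is worth stating in the comment that `stat -L` already followed the link for mode and owner, so after this change the path and the reported permissions finally refer to the same inode. output_stat's body begins outside the hunk.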
@@ -468,7 +478,7 @@ load_state() { if [ -z "${file_name_from_stat}" ]; then continue fi - state_file_list+=( "${policy_file_item}" ) + state_file_list+=( "${file_name_from_stat}" ) state_user_owner_list+=( "${existing_owner}" ) state_group_owner_list+=( "${existing_group}" ) state_mode_list+=( "${existing_mode}" ) @@ -476,7 +486,7 @@ load_state() { echo_wrapper_audit silent dpkg-statoverride \ ${dpkg_admindir_parameter_existing_mode} \ --add "${existing_owner}" "${existing_group}" "${existing_mode}" \ - "${policy_file_item}" + "${file_name_from_stat}" done ## Fix up nosuid policies using state information @@ -557,26 +567,26 @@ commit_policy() { continue fi ## Remove and reapply in main list - if [[ "${orig_main_statoverride_db}" =~ "${state_file_item}" ]]; then + if [[ "${orig_main_statoverride_db}" =~ "${file_name_from_stat}" ]]; then echo_wrapper_ignore silent dpkg-statoverride --remove \ - "${state_file_item}" + "${file_name_from_stat}" fi echo_wrapper_audit verbose dpkg-statoverride --add --update \ "${state_user_owner_item}" "${state_group_owner_item}" \ - "${state_mode_item}" "${state_file_item}" + "${state_mode_item}" "${file_name_from_stat}" ## Update item in secondary list - if [[ "${orig_new_statoverride_db}" =~ "${state_file_item}" ]]; then + if [[ "${orig_new_statoverride_db}" =~ "${file_name_from_stat}" ]]; then # shellcheck disable=SC2086 echo_wrapper_ignore silent dpkg-statoverride \ ${dpkg_admindir_parameter_new_mode} --remove \ - "${state_file_item}" + "${file_name_from_stat}" fi # shellcheck disable=SC2086 echo_wrapper_audit verbose dpkg-statoverride \ ${dpkg_admindir_parameter_new_mode} --add \ "${state_user_owner_item}" "${state_group_owner_item}" \ - "${state_mode_item}" "${state_file_item}" + "${state_mode_item}" "${file_name_from_stat}" fi done 
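Review bot: The membership tests in commit_policy, `[[ "${orig_main_statoverride_db}" =~ "${file_name_from_stat}" ]]`, match a bare substring of `dpkg-statoverride --list` output, so an existing entry for `/usr/bin/sudo` makes the test succeed for `/usr/bin/su` and triggers a spurious `--remove` (masked only because it goes through echo_wrapper_ignore). Since the list format is `user group mode path`, anchoring on the surrounding whitespace makes it exact: `[[ "${orig_main_statoverride_db}" =~ " ${file_name_from_stat}"($|$'\n') ]]`, for both the main and the new-mode database. The hunk also relies on `file_name_from_stat` having been set by an output_stat call on `state_file_item` earlier in the same loop iteration — that call is outside the hunk, and if any path reaches these lines without it, a stale value from a previous iteration would be written into the statoverride databases. commit_policy starts and ends outside the hunk.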
@@ -805,7 +815,7 @@ print_fs_audit() {
 output_stat "${state_file_item}"
 if [ -z "${file_name_from_stat}" ]; then
- echo "... '${state_file_item}' does not exist"
+ echo "... '${file_name_from_stat}' does not exist"
 continue
 fi
@@ -823,7 +833,7 @@ print_fs_audit() {
 fi
 echo "^^^ ${file_name_from_stat} ${existing_owner}:${existing_group} ${existing_mode}"
- echo "vvv ${state_file_item} ${state_user_owner_item}:${state_group_owner_item} ${state_mode_item}"
+ echo "vvv ${file_name_from_stat} ${state_user_owner_item}:${state_group_owner_item} ${state_mode_item}"
 else
 echo "*** ${file_name_from_stat} ${existing_owner}:${existing_group} ${existing_mode}"
 fi
diff --git a/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded b/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded
index e8a4bbe..7f87a45 100644
--- a/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded
+++ b/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded
@@ -15,7 +15,7 @@ root root 644 /etc/hosts.allow
 root root 700 /root
 root root 755 /etc/cron.daily
 root root 755 /bin/ping
-root root 777 /etc/motd
+root root 777 /etc/motd.kicksecure
 root root 755 /boot
 root root 755 /home
 root shadow 2755 /usr/bin/chage
@@ -27,7 +27,7 @@ root root 755 /etc/permission-hardener.d
 root root 644 /etc/passwd
 root root 755 /usr/src
 root root 4755 /usr/bin/mount
-root root 777 /etc/issue
+root root 777 /etc/issue.kicksecure
 root root 755 /etc/cron.d
 root root 4755 /usr/bin/sudo
 root root 4755 /usr/bin/pkexec
diff --git a/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded b/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded
index 142686e..37f1088 100644
--- a/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded
+++ b/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded
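Review bot: The rewritten message in print_fs_audit, `echo "... '${file_name_from_stat}' does not exist"`, sits inside the branch that has just tested `[ -z "${file_name_from_stat}" ]`, so it always prints `... '' does not exist` and the audit loses the one thing that identifies the missing entry. Keep the state-side name in that message: `echo "... '${state_file_item}' does not exist"`; the `vvv` line in the second hunk is fine, since there `file_name_from_stat` is known to be non-empty. print_fs_audit starts and ends outside these hunks.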
@@ -9,7 +9,7 @@ root root 700 /etc/cron.weekly root root 744 /usr/bin/su root root 700 /etc/cron.daily root root 755 /bin/ping -root root 644 /etc/motd +root root 644 /etc/motd.kicksecure root _ssh 744 /usr/bin/ssh-agent root root 700 /boot root shadow 744 /usr/bin/chage @@ -20,5 +20,5 @@ root root 744 /usr/bin/chfn root root 600 /etc/permission-hardener.d root root 700 /usr/src root root 755 /usr/bin/mount -root root 644 /etc/issue +root root 644 /etc/issue.kicksecure root root 700 /etc/cron.d From 42f34f5a4ccf95d504e28a26aeb0747fef4685ba Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Tue, 21 Jan 2025 21:49:03 -0600 Subject: [PATCH 793/846] Don't handle files with multiple hardlinks --- usr/bin/permission-hardener | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/usr/bin/permission-hardener b/usr/bin/permission-hardener index 7d5028a..9f70834 100755 --- a/usr/bin/permission-hardener +++ b/usr/bin/permission-hardener @@ -80,7 +80,7 @@ block_newlines() { } output_stat() { - local file_name stat_output stat_output_newlined + local file_name stat_output stat_output_newlined hardlink_count declare -a arr file_name="${1:-}" @@ -101,7 +101,7 @@ output_stat() { fi if ! stat_output="$(stat -L \ - --format="%a${delimiter}%U${delimiter}%G${delimiter}%n${delimiter}" \ + --format="%a${delimiter}%U${delimiter}%G${delimiter}%n${delimiter}%h${delimiter}" \ -- "${file_name}")"; then log error "Failed to run 'stat' on file: '${file_name}'!" >&2 return 1 @@ -145,6 +145,7 @@ line: '${processed_config_line}' existing_owner="${arr[1]}" existing_group="${arr[2]}" file_name_from_stat="${arr[3]}" + hardlink_count="${arr[4]}" if [ "$file_name" != "$file_name_from_stat" ]; then log error "\ 
@@ -156,6 +157,22 @@ line: '${processed_config_line}'
 return 1
 fi
+ ## We can't handle files with hardlinks because figuring out all of the files
+ ## in a "hardlink pool" requires scanning the whole filesystem, which would
+ ## result in an unacceptable performance hit for this script. We don't check
+ ## directory hardlinks since directories can't have traditional hardlinks.
+ if [ ! -d "${file_name_from_stat}" ]; then
+ if (( hardlink_count > 1 )); then
+ log error "\
+File has unexpected hardlinks, cannot handle.
+File name: '${file_name}'
+File name from stat: '${file_name_from_stat}'
+line: '${processed_config_line}'
+" >&2
+ return 1
+ fi
+ fi
+
 if [ -z "${existing_mode}" ]; then
 log error "Existing mode is empty. Stat output: '${stat_output}', line: '${processed_config_line}'" >&2
 return 1
 fi
From 80bd314436b99b723359f25e52bbd14683929b56 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Wed, 22 Jan 2025 08:25:14 -0500
Subject: [PATCH 794/846] add `.whonix` files to hardcoded files
---
 .../permission-hardener-existing-mode-legacy-hardcoded | 2 ++
 .../security-misc/permission-hardener-new-mode-legacy-hardcoded | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded b/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded
index 7f87a45..4d7dc17 100644
--- a/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded
+++ b/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded
@@ -16,6 +16,7 @@ root root 700 /root
 root root 755 /etc/cron.daily
 root root 755 /bin/ping
 root root 777 /etc/motd.kicksecure
+root root 777 /etc/motd.whonix
 root root 755 /boot
 root root 755 /home
 root shadow 2755 /usr/bin/chage
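Review bot: Returning 1 from output_stat when `hardlink_count > 1` means that a single extra hardlink to a setuid binary — something a local user could have created before `fs.protected_hardlinks` was enabled, or that a package may legitimately ship — presumably stops the hardener from processing that binary at all, and nothing in the hunk lets the caller tell this case apart from the other `return 1` errors. Mode and ownership are properties of the inode shared by every link, so applying chmod/chown through the policy path still covers all links; the filesystem-scan concern in the comment only affects recording per-path entries in dpkg-statoverride, not applying the mode. Consider keeping the stat result and reporting instead of refusing, e.g. `log error "File has ${hardlink_count} hardlinks, mode applied to the shared inode only: '${file_name_from_stat}'" >&2` without the `return 1`, or at least say in the comment that such a file is left unhardened so it is visible in `print-diagnostics` output. The comment's reason for skipping directories would be clearer as "a directory's link count is 2 plus its subdirectory count, so it would always trip this check". output_stat starts and ends outside the hunk.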
@@ -28,6 +29,7 @@ root root 644 /etc/passwd root root 755 /usr/src root root 4755 /usr/bin/mount root root 777 /etc/issue.kicksecure +root root 777 /etc/issue.whonix root root 755 /etc/cron.d root root 4755 /usr/bin/sudo root root 4755 /usr/bin/pkexec diff --git a/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded b/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded index 37f1088..d1b3a80 100644 --- a/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded +++ b/usr/share/security-misc/permission-hardener-new-mode-legacy-hardcoded @@ -10,6 +10,7 @@ root root 744 /usr/bin/su root root 700 /etc/cron.daily root root 755 /bin/ping root root 644 /etc/motd.kicksecure +root root 644 /etc/motd.whonix root _ssh 744 /usr/bin/ssh-agent root root 700 /boot root shadow 744 /usr/bin/chage @@ -21,4 +22,5 @@ root root 600 /etc/permission-hardener.d root root 700 /usr/src root root 755 /usr/bin/mount root root 644 /etc/issue.kicksecure +root root 644 /etc/issue.whonix root root 700 /etc/cron.d From c8a2483cf6735b29ef9b265cc09b58b00b14b6f0 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 22 Jan 2025 13:52:29 +0000 Subject: [PATCH 795/846] bumped changelog version --- changelog.upstream | 50 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 56 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 3261247..27b686b 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,53 @@ +commit 80bd314436b99b723359f25e52bbd14683929b56 +Author: Patrick Schleizer +Date: Wed Jan 22 08:25:14 2025 -0500 + + add `.whonix` files to hardcoded files + +commit 9b012bdeee03e73de537e7fe65c0bb8d16b38e79 +Merge: 507130a 42f34f5 +Author: Patrick Schleizer +Date: Wed Jan 22 08:23:49 2025 -0500 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/permission-hardener-symlink-fix' + +commit 507130a1cc0592bd4a4b280da7496dade470e637 +Merge: f1b6bff ed767e0 +Author: Patrick Schleizer +Date: Wed Jan 22 08:21:39 2025 -0500 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/permission-hardener-diag' + +commit 42f34f5a4ccf95d504e28a26aeb0747fef4685ba +Author: Aaron Rainbolt +Date: Tue Jan 21 21:49:03 2025 -0600 + + Don't handle files with multiple hardlinks + +commit 5e60416c864a7d06f635161a185864fc36d5685c +Author: Aaron Rainbolt +Date: Tue Jan 21 21:05:03 2025 -0600 + + Make permission-hardener always apply changes to real files, not symlinks + +commit ed767e00b0260d29c18c710efe07d68a9beffb34 +Author: Aaron Rainbolt +Date: Tue Jan 21 16:41:30 2025 -0600 + + Add some local variable declarations + +commit a97620a2e491cc039adb15af94958f26b39319a2 +Author: Aaron Rainbolt +Date: Mon Jan 20 22:43:55 2025 -0600 + + Add print-diagnostics command to permission-hardener + +commit f1b6bff30b1891bfbe870de9edd78fa7dbd66e7c +Author: Patrick Schleizer +Date: Mon Jan 20 11:35:08 2025 +0000 + + bumped changelog version + commit df9d058ed9635b168508ded20277c174a24cf3f5 Author: Patrick Schleizer Date: Mon Jan 20 06:28:16 2025 -0500 diff --git a/debian/changelog b/debian/changelog index 22d37c6..25950d7 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:43.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 22 Jan 2025 13:52:29 +0000 + security-misc (3:43.6-1) unstable; urgency=medium * New upstream version (local package). 
From d5ad29a7324dfbece3185026a3f4c58121c453b6 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 22 Jan 2025 09:04:44 -0500 Subject: [PATCH 796/846] add /usr/lib/polkit-1/polkit-agent-helper-1 to permission hardener hardcoded statoverride file --- .../permission-hardener-existing-mode-legacy-hardcoded | 1 + 1 file changed, 1 insertion(+) diff --git a/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded b/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded index 4d7dc17..d40c552 100644 --- a/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded +++ b/usr/share/security-misc/permission-hardener-existing-mode-legacy-hardcoded @@ -33,3 +33,4 @@ root root 777 /etc/issue.whonix root root 755 /etc/cron.d root root 4755 /usr/bin/sudo root root 4755 /usr/bin/pkexec +root root 4755 /usr/lib/polkit-1/polkit-agent-helper-1 From 3a056c9d9c17ed3968f48ac332cee94f714320c7 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 22 Jan 2025 09:05:50 -0500 Subject: [PATCH 797/846] bump permission hardner migration code version --- debian/security-misc.config | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/debian/security-misc.config b/debian/security-misc.config index 11dd83d..e9b2756 100755 --- a/debian/security-misc.config +++ b/debian/security-misc.config @@ -58,7 +58,7 @@ check_migrate_permission_hardener_state() { fi local orig_hardening_arr custom_hardening_arr config_file custom_config_file - if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" ]; then + if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_2" ]; then return 0 fi mkdir --parents '/var/lib/security-misc/do_once' @@ -168,7 +168,7 @@ check_migrate_permission_hardener_state() { db_go || true fi - touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" + touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_2" } check_migrate_permission_hardener_state 
From f90ffacac3d3c12f62f62106a69cb6caeca69041 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 22 Jan 2025 09:09:56 -0500 Subject: [PATCH 798/846] bump permission hardner migration code version --- debian/security-misc.postinst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst index d1f61d1..ac81a23 100644 --- a/debian/security-misc.postinst +++ b/debian/security-misc.postinst @@ -44,7 +44,7 @@ migrate_permission_hardener_state() { return 0 fi - if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" ]; then + if [ -f "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_2" ]; then return 0 fi mkdir --parents '/var/lib/security-misc/do_once' @@ -71,7 +71,7 @@ migrate_permission_hardener_state() { fi fi - touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_1" + touch "/var/lib/security-misc/do_once/${FUNCNAME[0]}_version_2" } case "$1" in From 3c18734db32b2d19c3a30e282435f083d307d86e Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 22 Jan 2025 14:11:21 +0000 Subject: [PATCH 799/846] bumped changelog version --- changelog.upstream | 24 ++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 30 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 27b686b..1c845f3 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,27 @@ +commit f90ffacac3d3c12f62f62106a69cb6caeca69041 +Author: Patrick Schleizer +Date: Wed Jan 22 09:09:56 2025 -0500 + + bump permission hardner migration code version + +commit 3a056c9d9c17ed3968f48ac332cee94f714320c7 +Author: Patrick Schleizer +Date: Wed Jan 22 09:05:50 2025 -0500 + + bump permission hardner migration code version + +commit d5ad29a7324dfbece3185026a3f4c58121c453b6 +Author: Patrick Schleizer +Date: Wed Jan 22 09:04:44 2025 -0500 + + add /usr/lib/polkit-1/polkit-agent-helper-1 to permission hardener hardcoded statoverride file + +commit c8a2483cf6735b29ef9b265cc09b58b00b14b6f0 +Author: Patrick Schleizer +Date: Wed Jan 22 13:52:29 2025 +0000 + + bumped changelog version + commit 80bd314436b99b723359f25e52bbd14683929b56 Author: Patrick Schleizer Date: Wed Jan 22 08:25:14 2025 -0500 diff --git a/debian/changelog b/debian/changelog index 25950d7..0f49262 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:43.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 22 Jan 2025 14:11:21 +0000 + security-misc (3:43.7-1) unstable; urgency=medium * New upstream version (local package). From b10f5489a3e3317f01339ea34a0e5c7bfb850a01 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 23 Jan 2025 11:12:26 -0500 Subject: [PATCH 800/846] copyright --- debian/control | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/debian/control b/debian/control index d45f96d..fd56b5f 100644 --- a/debian/control +++ b/debian/control @@ -1,4 +1,4 @@ -## Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP +## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. Source: security-misc From 6b4fa1ef0055d36a45d65481129dabfee77027e4 Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Thu, 23 Jan 2025 16:28:58 +0000 Subject: [PATCH 801/846] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 1c845f3..de4ea6c 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit b10f5489a3e3317f01339ea34a0e5c7bfb850a01 +Author: Patrick Schleizer +Date: Thu Jan 23 11:12:26 2025 -0500 + + copyright + +commit 3c18734db32b2d19c3a30e282435f083d307d86e +Author: Patrick Schleizer +Date: Wed Jan 22 14:11:21 2025 +0000 + + bumped changelog version + commit f90ffacac3d3c12f62f62106a69cb6caeca69041 Author: Patrick Schleizer Date: Wed Jan 22 09:09:56 2025 -0500 diff --git a/debian/changelog b/debian/changelog index 0f49262..6ff9c8d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:43.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 23 Jan 2025 16:28:58 +0000 + security-misc (3:43.8-1) unstable; urgency=medium * New upstream version (local package). From 6aaf7082177fe4d02415aac4317cde74665f495c Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 29 Jan 2025 14:36:41 +0000 Subject: [PATCH 802/846] bumped changelog version --- changelog.upstream | 34 ++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 40 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index de4ea6c..7cc6b12 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,25 @@ +commit 10508cb5801c28f8fff306957e867a1626aa6489 +Merge: 6b4fa1e b9dee26 +Author: Patrick Schleizer +Date: Wed Jan 29 09:36:28 2025 -0500 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit b9dee2633128577245763bad41cf3cb6b49751f3 +Merge: 6b4fa1e 4b1e530 +Author: Patrick Schleizer +Date: Wed Jan 29 09:35:50 2025 -0500 + + Merge pull request #296 from raja-grewal/cpu_details + + Hardware-related Documentation + +commit 6b4fa1ef0055d36a45d65481129dabfee77027e4 +Author: Patrick Schleizer +Date: Thu Jan 23 16:28:58 2025 +0000 + + bumped changelog version + commit b10f5489a3e3317f01339ea34a0e5c7bfb850a01 Author: Patrick Schleizer Date: Thu Jan 23 11:12:26 2025 -0500 @@ -72,6 +94,18 @@ Date: Tue Jan 21 16:41:30 2025 -0600 Add some local variable declarations +commit 4b1e530674146d4d2b62ff4a87fe3add5667403c +Author: raja-grewal +Date: Tue Jan 21 12:39:06 2025 +0000 + + README.md: List CPU mitigations + +commit 15d13a8571d1f38b2bc36387f61bce24c86be97b +Author: raja-grewal +Date: Tue Jan 21 12:36:04 2025 +0000 + + Add info on DBX updates via the UEFI Revocation List + commit a97620a2e491cc039adb15af94958f26b39319a2 Author: Aaron Rainbolt Date: Mon Jan 20 22:43:55 2025 -0600 diff --git a/debian/changelog b/debian/changelog index 6ff9c8d..cce4734 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:44.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 29 Jan 2025 14:36:41 +0000 + security-misc (3:43.9-1) unstable; urgency=medium * New upstream version (local package). From 7c150d116d1d1f95e2fb729934906eb4391a389a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 30 Jan 2025 07:45:08 -0500 Subject: [PATCH 803/846] LANG=C str_replace: no longer requires LANG=C, therefore removed --- etc/default/grub.d/41_quiet_boot.cfg | 4 ++-- usr/libexec/security-misc/pam-info | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/etc/default/grub.d/41_quiet_boot.cfg b/etc/default/grub.d/41_quiet_boot.cfg index 96d43cd..7221ac0 100644 --- a/etc/default/grub.d/41_quiet_boot.cfg +++ b/etc/default/grub.d/41_quiet_boot.cfg @@ -9,11 +9,11 @@ ## Some default configuration files automatically include the "quiet" parameter. ## Therefore, first remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT since "quiet" must be first. -## LANG=C str_replace is provided by package helper-scripts. +## str_replace is provided by package helper-scripts. ## ## https://github.com/Kicksecure/security-misc/pull/233#issuecomment-2228792461 ## -GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | LANG=C str_replace "quiet" "")" +GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | str_replace "quiet" "")" ## Prevent sensitive kernel information leaks in the console during boot. ## Must be used in combination with the kernel.printk sysctl. diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index d94e413..240dc1e 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -152,7 +152,7 @@ true "pam_faillock_output_first_line: '$pam_faillock_output_first_line'" ## example pam_faillock_output_first_line: ## user: -user_name="$(echo "$pam_faillock_output_first_line" | LANG=C str_replace ":" "")" +user_name="$(echo "$pam_faillock_output_first_line" | str_replace ":" "")" ## example user_name: ## user ## root @@ -180,7 +180,7 @@ deny=3 if test -f /etc/security/faillock.conf ; then deny_line=$(grep --invert-match "#" -- /etc/security/faillock.conf | grep -- "deny =") - deny="$(echo "$deny_line" | LANG=C str_replace "=" "" | LANG=C str_replace "deny" "" | LANG=C str_replace " " "")" + deny="$(echo "$deny_line" | str_replace "=" "" | str_replace "deny" "" | str_replace " " "")" ## Example: #deny=50 fi From 9f5e522b83ba969112abf6a9fba77c1eff31b14d Mon Sep 17 00:00:00 2001 
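Review bot: The new assignment has no fallback when `str_replace` is unavailable: the command substitution then yields an empty string and, unless the shell that sources this drop-in runs with `set -e`, the assignment still succeeds and every parameter accumulated in GRUB_CMDLINE_LINUX_DEFAULT by earlier drop-ins is silently discarded instead of the "quiet" removal simply being skipped. The comment relies on helper-scripts shipping the helper; a one-line guard keeps the prior value on that path: `command -v str_replace >/dev/null 2>&1 && GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | str_replace "quiet" "")"`. Note also that `str_replace "quiet" ""` removes the substring wherever it occurs, so a parameter whose name merely contains "quiet" would be mangled if one were ever added to the command line.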
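Review bot: `deny` is still not validated after the rewritten pipeline in the `@@ -180` hunk: if /etc/security/faillock.conf contains more than one uncommented line matching "deny =", `deny_line` spans several lines and `deny` becomes a multi-line string, and a line such as `deny = 5 # comment` is dropped entirely by the preceding `grep --invert-match "#"`, so the hard-coded default 3 applies with no indication. Since pam-info appears to be a bash script (it uses here-strings elsewhere), one guard after the assignment keeps later logic on a known integer: `[[ "$deny" =~ ^[0-9]+$ ]] || deny=3`. The `if test -f` block is complete within the hunk; where `deny` is consumed lies outside it.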
From: Patrick Schleizer Date: Thu, 30 Jan 2025 07:53:04 -0500 Subject: [PATCH 804/846] LC_ALL=C --- usr/libexec/security-misc/apt-get-update | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/apt-get-update b/usr/libexec/security-misc/apt-get-update index fc90a5e..729baca 100755 --- a/usr/libexec/security-misc/apt-get-update +++ b/usr/libexec/security-misc/apt-get-update @@ -8,7 +8,7 @@ set -o nounset set -o errtrace set -o pipefail -export LANG=C +export LC_ALL=C write_pid_file() { [[ -z "${TMP:-}" ]] && error "TMP is unset" From c0f2f110146410428fc12815b30aaba67ff16126 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 30 Jan 2025 12:58:48 +0000 Subject: [PATCH 805/846] bumped changelog version --- changelog.upstream | 18 ++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 24 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 7cc6b12..01cd911 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,21 @@ +commit 9f5e522b83ba969112abf6a9fba77c1eff31b14d +Author: Patrick Schleizer +Date: Thu Jan 30 07:53:04 2025 -0500 + + LC_ALL=C + +commit 7c150d116d1d1f95e2fb729934906eb4391a389a +Author: Patrick Schleizer +Date: Thu Jan 30 07:45:08 2025 -0500 + + LANG=C str_replace: no longer requires LANG=C, therefore removed + +commit 6aaf7082177fe4d02415aac4317cde74665f495c +Author: Patrick Schleizer +Date: Wed Jan 29 14:36:41 2025 +0000 + + bumped changelog version + commit 10508cb5801c28f8fff306957e867a1626aa6489 Merge: 6b4fa1e b9dee26 Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index cce4734..4f03643 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:44.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 30 Jan 2025 12:58:48 +0000 + security-misc (3:44.0-1) unstable; urgency=medium * New upstream version (local package). 
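Review bot: The switch from `LANG=C` to `LC_ALL=C` deserves a one-line comment, because the two are not interchangeable and the next reader will not know why the stronger one was chosen: LANG is only a fallback that any LC_* variable in the caller's environment overrides, whereas LC_ALL takes precedence over every LC_* category and LANG. Suggested comment above the export: `## LC_ALL (not LANG) so that no LC_* setting inherited from the caller can change the locale of the commands this script runs.` The surrounding `set -o` lines are context only; the rest of the script is outside the hunk.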
From ac1493fcfc194b8d1a680d7e8bf53a90caa984ac Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 31 Jan 2025 14:33:17 -0500 Subject: [PATCH 806/846] comment --- debian/security-misc.config | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/debian/security-misc.config b/debian/security-misc.config index e9b2756..adaed34 100755 --- a/debian/security-misc.config +++ b/debian/security-misc.config @@ -21,10 +21,11 @@ true " ##################################################################### " -## Code duplication. +## NOTE: Code duplication. +## Copied from: helper-scripts /usr/libexec/helper-scripts/package_installed_check.bsh +## ## '.config' scripts are run very early. Even 'Pre-Depends: helper-scripts' would be insufficient. ## Therefore the code is duplicated here. -## Copied from: helper-scripts /usr/libexec/helper-scripts/package_installed_check.bsh pkg_installed() { local package_name dpkg_query_output local requested_action status error_state From 041caf286b343268e6db69f2957f23c1dd20812a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 31 Jan 2025 14:33:54 -0500 Subject: [PATCH 807/846] update pkg_installed function --- debian/security-misc.config | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/debian/security-misc.config b/debian/security-misc.config index adaed34..e200fb6 100755 --- a/debian/security-misc.config +++ b/debian/security-misc.config 
@@ -33,13 +33,13 @@ pkg_installed() { package_name="$1" ## Cannot use '&>' because it is a bashism. dpkg_query_output="$(dpkg-query --show --showformat='${Status}' "$package_name" 2>/dev/null)" || true - ## dpkg_query_output Exampels: + ## dpkg_query_output Examples: ## install ok half-configured ## install ok installed - requested_action=$(echo "$dpkg_query_output" | awk '{print $1}') - status=$(echo "$dpkg_query_output" | awk '{print $2}') - error_state=$(echo "$dpkg_query_output" | awk '{print $3}') + requested_action=$(printf '%s' "$dpkg_query_output" | awk '{print $1}') + status=$(printf '%s' "$dpkg_query_output" | awk '{print $2}') + error_state=$(printf '%s' "$dpkg_query_output" | awk '{print $3}') if [ "$requested_action" = 'install' ]; then true "$0: INFO: $package_name is installed, ok." From 2a4a228b150e06c7ff796315719d41e825dd8ad3 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 31 Jan 2025 19:38:42 +0000 Subject: [PATCH 808/846] bumped changelog version --- changelog.upstream | 18 ++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 24 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 01cd911..507a461 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,21 @@ +commit 041caf286b343268e6db69f2957f23c1dd20812a +Author: Patrick Schleizer +Date: Fri Jan 31 14:33:54 2025 -0500 + + update pkg_installed function + +commit ac1493fcfc194b8d1a680d7e8bf53a90caa984ac +Author: Patrick Schleizer +Date: Fri Jan 31 14:33:17 2025 -0500 + + comment + +commit c0f2f110146410428fc12815b30aaba67ff16126 +Author: Patrick Schleizer +Date: Thu Jan 30 12:58:48 2025 +0000 + + bumped changelog version + commit 9f5e522b83ba969112abf6a9fba77c1eff31b14d Author: Patrick Schleizer Date: Thu Jan 30 07:53:04 2025 -0500 diff --git a/debian/changelog b/debian/changelog index 4f03643..6f9d2b4 100644 --- a/debian/changelog +++ b/debian/changelog 
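Review bot: The variable names in the three rewritten assignments do not match dpkg's field order: as documented in dpkg-query(1), `${Status}` expands to `<want> <eflag> <status>` (the hunk's own example, `install ok installed`), so `$2` is the error flag and `$3` is the package state, yet the code stores `$2` in `status` and `$3` in `error_state`. Only `requested_action` is tested inside the hunk; if the remainder of `pkg_installed`, which continues outside the hunk, branches on `status` or `error_state`, it is reading the wrong word. Forking `awk` three times for one short string is also avoidable in POSIX sh with a single `read -r requested_action error_state status` fed by a here-document containing `$dpkg_query_output`, which fixes the naming at the same time.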
@@ -1,3 +1,9 @@ +security-misc (3:44.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 31 Jan 2025 19:38:41 +0000 + security-misc (3:44.1-1) unstable; urgency=medium * New upstream version (local package). From ce4b57d1cb179f18c1ac41681626d01054355fe6 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Mon, 3 Feb 2025 00:31:45 +0000 Subject: [PATCH 809/846] Update docs on kernel panics --- usr/lib/sysctl.d/990-security-misc.conf | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index cc04e0c..3b2e38c 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -168,11 +168,16 @@ kernel.perf_event_paranoid=3 ## Can sometimes potentially indicate and thwart certain kernel exploitation attempts. ## Panics may be due to false-positives such as bad drivers. ## Oopses are serious but non-fatal errors. -## Kernel warnings are useful to avoid a when attempting to access the location of a WARN(). +## Warnings are messages generated by the kernel to indicate unexpected conditions or errors. +## By default, code execution continues regardless of warnings emitted by macros like WARN() and WARN_ON(). +## Note that by forcing kernel panics on oopses and warnings, this exposes the system to targeted denial of service attacks. +## Forcing immediate system reboots on any single kernel panic is an extreme option. ## ## https://en.wikipedia.org/wiki/Kernel_panic#Linux ## https://en.wikipedia.org/wiki/Linux_kernel_oops ## https://en.wikipedia.org/wiki/Kdump_(Linux) +## https://lwn.net/Articles/876209/ +## https://git.sr.ht/~gregkh/presentation-security/tree/3fdaf81a2f8b2c8d64cdb2f529cc714624868aa8/item/security-stuff.pdf ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panisc-on-oops-1-sysctl-for-better-security/7713 ## ## KSPP=partial 
From 3e7d1b4e23e1e8ef4ad138dbe4119eee7e72511c Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sun, 9 Feb 2025 23:04:36 +0000 Subject: [PATCH 810/846] bumped changelog version --- changelog.upstream | 28 ++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 34 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 507a461..f9fc56f 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,31 @@ +commit 0615e6e995eb25d8e1bff181ecc49ff51e4029cc +Merge: 2a4a228 4d62ee3 +Author: Patrick Schleizer +Date: Sun Feb 9 18:01:43 2025 -0500 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 4d62ee3ab31bde80eebde265c2513233f10f751a +Merge: 2a4a228 ce4b57d +Author: Patrick Schleizer +Date: Sun Feb 9 18:00:59 2025 -0500 + + Merge pull request #297 from raja-grewal/warn_path + + Update docs on kernel panics + +commit ce4b57d1cb179f18c1ac41681626d01054355fe6 +Author: raja-grewal +Date: Mon Feb 3 00:31:45 2025 +0000 + + Update docs on kernel panics + +commit 2a4a228b150e06c7ff796315719d41e825dd8ad3 +Author: Patrick Schleizer +Date: Fri Jan 31 19:38:42 2025 +0000 + + bumped changelog version + commit 041caf286b343268e6db69f2957f23c1dd20812a Author: Patrick Schleizer Date: Fri Jan 31 14:33:54 2025 -0500 diff --git a/debian/changelog b/debian/changelog index 6f9d2b4..a6a3891 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:44.3-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sun, 09 Feb 2025 23:04:36 +0000 + security-misc (3:44.2-1) unstable; urgency=medium * New upstream version (local package). From cd0ba94ac5e7e8360183ac6f440d941b4067025b Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Mon, 3 Mar 2025 05:57:59 -0500 Subject: [PATCH 811/846] no longer disable `vivid` kernel module by default, because it breaks Qubes Video Companion Thanks to @marmarek for the bug report! https://forums.whonix.org/t/testing-qubes-video-companion-on-whonix/21393 fixes https://github.com/Kicksecure/security-misc/issues/298 --- etc/modprobe.d/30_security-misc_disable.conf | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf index c7fc2b6..e95bd68 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf +++ b/etc/modprobe.d/30_security-misc_disable.conf @@ -303,4 +303,8 @@ install prism54 /usr/bin/disabled-miscellaneous-by-security-misc ## https://www.openwall.com/lists/oss-security/2019/11/02/1 ## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475 ## -install vivid /usr/bin/disabled-miscellaneous-by-security-misc +## No longer disabled by default: +## https://forums.whonix.org/t/testing-qubes-video-companion-on-whonix/21393 +## https://github.com/Kicksecure/security-misc/issues/298 +## +#install vivid /usr/bin/disabled-miscellaneous-by-security-misc From d927fe238cc5369f7fe1632a4173fe4bdf0ffdfb Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 3 Mar 2025 11:00:38 +0000 Subject: [PATCH 812/846] bumped changelog version --- changelog.upstream | 19 +++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 25 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index f9fc56f..cd40cff 100644 --- a/changelog.upstream +++ b/changelog.upstream 
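Review bot: The reference lines kept above the commented-out `install vivid` entry (the oss-security post and the kconfig-hardened-check commit) still read as the rationale for disabling the module, so the block is now contradictory for a reader who does not follow the two new links; a comment should state the residual trade-off and how to opt back in. Suggested text under the "No longer disabled by default" line: `## vivid (the virtual video test driver) stays loadable so that Qubes Video Companion works; administrators who do not need it can restore the install line below in a separate file under /etc/modprobe.d/.` The hunk appears to end at the end of the file, so no later entries are affected.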
@@ -1,3 +1,22 @@ +commit cd0ba94ac5e7e8360183ac6f440d941b4067025b +Author: Patrick Schleizer +Date: Mon Mar 3 05:57:59 2025 -0500 + + no longer disable `vivid` kernel module by default, + because it breaks Qubes Video Companion + + Thanks to @marmarek for the bug report! + + https://forums.whonix.org/t/testing-qubes-video-companion-on-whonix/21393 + + fixes https://github.com/Kicksecure/security-misc/issues/298 + +commit 3e7d1b4e23e1e8ef4ad138dbe4119eee7e72511c +Author: Patrick Schleizer +Date: Sun Feb 9 23:04:36 2025 +0000 + + bumped changelog version + commit 0615e6e995eb25d8e1bff181ecc49ff51e4029cc Merge: 2a4a228 4d62ee3 Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index a6a3891..c6b69a9 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:44.4-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 03 Mar 2025 11:00:37 +0000 + security-misc (3:44.3-1) unstable; urgency=medium * New upstream version (local package). From f643ebc2f923ba4d7231e5aeaf1d91d1a9d1d0df Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sun, 16 Mar 2025 03:28:39 +0000 Subject: [PATCH 813/846] Disable pstore processing by systemd-pstore service --- README.md | 5 +++++ usr/lib/systemd/pstore.conf.d/30_security-misc.conf | 5 +++++ 2 files changed, 10 insertions(+) create mode 100644 usr/lib/systemd/pstore.conf.d/30_security-misc.conf diff --git a/README.md b/README.md index 2b4904a..d47cf1d 100644 --- a/README.md +++ b/README.md 
@@ -413,6 +413,11 @@ Miscellaneous modules: `/lib/systemd/coredump.conf.d/30_security-misc.conf` +- PStore is disabled as crash logs can contain sensitive system data such as + kernel version, hostname, and users. See: + + `/usr/lib/systemd/pstore.conf.d/30_security-misc.conf` + - An initramfs hook sets the sysctl values in `/etc/sysctl.conf` and `/etc/sysctl.d` before init is executed so sysctl hardening is enabled as early as possible. This is implemented for `initramfs-tools` only because diff --git a/usr/lib/systemd/pstore.conf.d/30_security-misc.conf b/usr/lib/systemd/pstore.conf.d/30_security-misc.conf new file mode 100644 index 0000000..9e513c6 --- /dev/null +++ b/usr/lib/systemd/pstore.conf.d/30_security-misc.conf @@ -0,0 +1,5 @@ +## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC +## See the file COPYING for copying conditions. + +[PStore] +Storage=none From df2fc2cf6b0437d23c7641118ebd24d2e3a670ce Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sun, 16 Mar 2025 03:30:04 +0000 Subject: [PATCH 814/846] Set `efi_pstore.pstore_disable=1` --- README.md | 3 +++ etc/default/grub.d/40_kernel_hardening.cfg | 12 ++++++++++++ 2 files changed, 15 insertions(+) diff --git a/README.md b/README.md index d47cf1d..ebcfef5 100644 --- a/README.md +++ b/README.md @@ -226,6 +226,9 @@ Kernel space: - Optional - Disable support for all x86 processes and syscalls (when using Linux kernel >= 6.7) to reduce attack surface. +- Disable EFI persistent storage feature, preventing the kernel from writing crash logs and + other persistent data to the EFI variable store. + Direct memory access: - Enable strict IOMMU translation to protect against some DMA attacks via the use diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index 748bf47..99f2d16 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg 
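Review bot: `Storage=none` only stops systemd-pstore from archiving records; as far as I recall from systemd-pstore.conf(5), with this value the service exits without processing /sys/fs/pstore/ at all, and files there are unlinked only after processing, so any crash records already held by the backend stay in place, including the kernel version, hostname and user data the README entry cites as the motivation. A comment in the new file would make that expectation explicit, e.g. `## Storage=none disables archiving only; records already present in /sys/fs/pstore are not removed by this setting.` The README sentence in the same commit might more precisely say that systemd-pstore processing is disabled rather than that PStore is disabled, since the pstore filesystem itself remains available.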
@@ -223,6 +223,18 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0" ## #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0" +## Disable EFI persistent storage feature. +## Prevents the kernel from writing crash logs and other persistent data to the EFI variable store. +## +## https://blogs.oracle.com/linux/post/pstore-linux-kernel-persistent-storage-file-system +## https://www.ais.com/understanding-pstore-linux-kernel-persistent-storage-file-system/ +## https://lwn.net/Articles/434821/ +## https://manpages.debian.org/testing/systemd/systemd-pstore.service.8.en.html +## https://gitlab.tails.boum.org/tails/tails/-/issues/20813 +## https://github.com/Kicksecure/security-misc/issues/299 +## +GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX efi_pstore.pstore_disable=1" + ## 2. Direct Memory Access: ## ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#dma-attacks From f0d17c7e4134d8a54ce7331c1e9d3ce932278987 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Sun, 16 Mar 2025 03:31:24 +0000 Subject: [PATCH 815/846] README: Fix a few links --- README.md | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index ebcfef5..c51b776 100644 --- a/README.md +++ b/README.md @@ -228,7 +228,7 @@ Kernel space: - Disable EFI persistent storage feature, preventing the kernel from writing crash logs and other persistent data to the EFI variable store. - + Direct memory access: - Enable strict IOMMU translation to protect against some DMA attacks via the use @@ -403,7 +403,7 @@ Miscellaneous modules: `/etc/kernel/postinst.d/30_remove-system-map` -`/lib/systemd/system/remove-system-map.service` +`/usr/lib/systemd/system/remove-system-map.service` `/usr/libexec/security-misc/remove-system.map` 
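Review bot: The comment block could be read as disabling pstore as a whole, but `efi_pstore.pstore_disable=1` only keeps the efi-pstore backend from registering; other pstore backends, such as ACPI ERST where the firmware provides it, still register and can still receive crash records. One added line keeps the scope honest: `## Affects only the efi-pstore backend; other pstore backends (e.g. ACPI ERST) are not disabled by this parameter.` The rest of the kernel-hardening file lies outside the hunk.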
@@ -412,21 +412,20 @@ Miscellaneous modules: `/etc/security/limits.d/30_security-misc.conf` -`/etc/sysctl.d/30_security-misc.conf` +`/usr/lib/sysctl.d/30_security-misc.conf` -`/lib/systemd/coredump.conf.d/30_security-misc.conf` +`/usr/lib/systemd/coredump.conf.d/30_security-misc.conf` - PStore is disabled as crash logs can contain sensitive system data such as kernel version, hostname, and users. See: `/usr/lib/systemd/pstore.conf.d/30_security-misc.conf` -- An initramfs hook sets the sysctl values in `/etc/sysctl.conf` and - `/etc/sysctl.d` before init is executed so sysctl hardening is enabled as - early as possible. This is implemented for `initramfs-tools` only because - this is not needed for `dracut` as `dracut` does that by default, at - least on `systemd` enabled systems. Not researched for non-`systemd` systems - by the author of this part of the readme. +- An initramfs hook sets the sysctl values in `/usr/lib/sysctl.d/` before init + is executed so sysctl hardening is enabled as early as possible. This is + implemented for `initramfs-tools` only because this is not needed for `dracut` + as `dracut` does that by default, at least on `systemd` enabled systems. Not + researched for non-`systemd` systems by the author of this part of the readme. ## Network hardening From 173606891ad0c064a22b4ec0aee772105d8be54a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 8 Apr 2025 06:48:29 -0400 Subject: [PATCH 816/846] output --- usr/libexec/security-misc/pam-info | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index 240dc1e..afd8ac4 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info 
@@ -201,7 +201,7 @@ $0: ERROR: Login blocked after $failed_login_counter attempts. To unlock, run the following command as superuser: (If you still have a sudo/root shell somewhere.) -faillock --reset --user $PAM_USER +faillock --dir $pam_faillock_state_dir --reset --user $PAM_USER However, most likely unlock procedure is required. First boot into recovery mode at grub boot menu and then run above command. From 39f4f5b60739c387f02970018e14f1ae93677e00 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 8 Apr 2025 06:53:08 -0400 Subject: [PATCH 817/846] comments --- debian/security-misc.preinst | 2 +- etc/hide-hardware-info.d/30_default.conf | 2 +- etc/security/access-security-misc.conf | 2 +- usr/lib/modules-load.d/30_security-misc.conf | 2 +- .../permission-hardener.d/25_default_whitelist_firejail.conf | 2 +- usr/libexec/security-misc/pam-abort-on-locked-password | 2 +- usr/libexec/security-misc/pam-info | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/debian/security-misc.preinst b/debian/security-misc.preinst index 992ff96..8e900d0 100644 --- a/debian/security-misc.preinst +++ b/debian/security-misc.preinst @@ -47,7 +47,7 @@ user_groups_modifications() { ## an "empty" /etc/securetty. ## In case a system administrator edits /etc/securetty, there is no need to ## block for this to be still blocked by console lockdown. See also: - ## https://www.whonix.org/wiki/Root#Root_Login + ## https://www.kicksecure.com/wiki/Root#Root_Login adduser root console } diff --git a/etc/hide-hardware-info.d/30_default.conf b/etc/hide-hardware-info.d/30_default.conf index 7c41eb4..d1bc221 100644 --- a/etc/hide-hardware-info.d/30_default.conf +++ b/etc/hide-hardware-info.d/30_default.conf @@ -11,5 +11,5 @@ #sysfs=0 ## Disable selinux mode. -## https://www.whonix.org/wiki/Security-misc#selinux +## https://www.kicksecure.com/wiki/Security-misc#selinux #selinux=0 
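Review bot: The hint shown to the user now interpolates `$pam_faillock_state_dir` unquoted inside message text, so if the variable is empty the rendered command is the broken `faillock --dir  --reset --user ...`, and a path containing spaces renders as a command that fails when pasted; the variable is assigned outside the hunk, so I cannot see whether a non-empty default is guaranteed. If the message is produced by an unquoted here-document or a double-quoted string, adding single quotes around the expansions keeps the pasted command intact while the variables still expand: `faillock --dir '$pam_faillock_state_dir' --reset --user '$PAM_USER'`. The construct emitting this message starts and ends outside the hunk.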
diff --git a/etc/security/access-security-misc.conf b/etc/security/access-security-misc.conf index c7f002f..e8bc2ab 100644 --- a/etc/security/access-security-misc.conf +++ b/etc/security/access-security-misc.conf @@ -2,7 +2,7 @@ ## See the file COPYING for copying conditions. ## To enable root login, see: -## https://www.whonix.org/wiki/Root#Root_Login +## https://www.kicksecure.com/wiki/Root#Root_Login ## Console Lockdown ## https://forums.whonix.org/t/etc-security-hardening/8592 diff --git a/usr/lib/modules-load.d/30_security-misc.conf b/usr/lib/modules-load.d/30_security-misc.conf index 2b38546..6ee13ca 100644 --- a/usr/lib/modules-load.d/30_security-misc.conf +++ b/usr/lib/modules-load.d/30_security-misc.conf @@ -1,7 +1,7 @@ ## Copyright (C) 2019 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. -## https://www.whonix.org/wiki/Dev/Entropy +## https://www.kicksecure.com/wiki/Dev/Entropy ## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927972 ## https://forums.whonix.org/t/jitterentropy-rngd/7204 jitterentropy_rng diff --git a/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf b/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf index 5b7351f..e3441e1 100644 --- a/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf +++ b/usr/lib/permission-hardener.d/25_default_whitelist_firejail.conf @@ -7,5 +7,5 @@ ## There is a controversy about firejail but those who choose to install it ## should be able to use it. -## https://www.whonix.org/wiki/Dev/Firejail#Security +## https://www.kicksecure.com/wiki/Dev/Firejail#Security /usr/bin/firejail exactwhitelist diff --git a/usr/libexec/security-misc/pam-abort-on-locked-password b/usr/libexec/security-misc/pam-abort-on-locked-password index 52da1c2..35c2dd4 100755 --- a/usr/libexec/security-misc/pam-abort-on-locked-password +++ b/usr/libexec/security-misc/pam-abort-on-locked-password 
@@ -12,7 +12,7 @@ passwd_bin="$(type -P -- "passwd")" if ! test -x "$passwd_bin" ; then echo "\ $0: ERROR: passwd_bin \"$passwd_bin\" is not executable. -See https://www.whonix.org/wiki/SUID_Disabler_and_Permission_Hardener#passwd" >&2 +See https://www.kicksecure.com/wiki/SUID_Disabler_and_Permission_Hardener#passwd" >&2 ## Identifiable exit codes in case stdout / stderr is not logged in journal. exit 2 fi diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index afd8ac4..f1e03a2 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -116,7 +116,7 @@ fi ## ## https://askubuntu.com/questions/983183/how-lock-the-unlock-screen-after-wrong-password-attempts ## -## https://www.whonix.org/pipermail/whonix-devel/2019-September/001439.html +## https://web.archive.org/web/20200919221439/https://www.whonix.org/pipermail/whonix-devel/2019-September/001439.html ## ## Checking exit code to avoid breaking when read-only disk boot but ## without ro-mode-init or grub-live being used. From 4d2b2e65468522b1d1beda63b0b16cfa12b1d535 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 8 Apr 2025 14:08:24 +0000 Subject: [PATCH 818/846] bumped changelog version --- changelog.upstream | 18 ++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 24 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index cd40cff..a13f7df 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,21 @@ +commit 39f4f5b60739c387f02970018e14f1ae93677e00 +Author: Patrick Schleizer +Date: Tue Apr 8 06:53:08 2025 -0400 + + comments + +commit 173606891ad0c064a22b4ec0aee772105d8be54a +Author: Patrick Schleizer +Date: Tue Apr 8 06:48:29 2025 -0400 + + output + +commit d927fe238cc5369f7fe1632a4173fe4bdf0ffdfb +Author: Patrick Schleizer +Date: Mon Mar 3 11:00:38 2025 +0000 + + bumped changelog version + commit cd0ba94ac5e7e8360183ac6f440d941b4067025b Author: Patrick Schleizer Date: Mon Mar 3 05:57:59 2025 -0500 diff --git a/debian/changelog b/debian/changelog index c6b69a9..c28da5f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:44.5-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 08 Apr 2025 14:08:24 +0000 + security-misc (3:44.4-1) unstable; urgency=medium * New upstream version (local package). From 163d51f32a1888a52ea78ba32a4e4a2d72aea87d Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Wed, 9 Apr 2025 09:47:52 -0400 Subject: [PATCH 819/846] newline at the end --- etc/default/grub.d/41_recovery_restrict.cfg | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/default/grub.d/41_recovery_restrict.cfg b/etc/default/grub.d/41_recovery_restrict.cfg index 89fe02f..f54247b 100644 --- a/etc/default/grub.d/41_recovery_restrict.cfg +++ b/etc/default/grub.d/41_recovery_restrict.cfg @@ -18,4 +18,4 @@ GRUB_DISABLE_RECOVERY="true" ## https://forums.kicksecure.com/t/harden-dracut-initramfs-generator-by-disabling-recovery-console/724 ## GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT rd.emergency=halt" -GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT rd.shell=0" \ No newline at end of file +GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT rd.shell=0" From da9dd3c3f14103701ad82af775b4fb547f5b3e2e Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Wed, 9 Apr 2025 15:16:00 +0000 Subject: [PATCH 820/846] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index a13f7df..fbd70ba 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit 163d51f32a1888a52ea78ba32a4e4a2d72aea87d +Author: Patrick Schleizer +Date: Wed Apr 9 09:47:52 2025 -0400 + + newline at the end + +commit 4d2b2e65468522b1d1beda63b0b16cfa12b1d535 +Author: Patrick Schleizer +Date: Tue Apr 8 14:08:24 2025 +0000 + + bumped changelog version + commit 39f4f5b60739c387f02970018e14f1ae93677e00 Author: Patrick Schleizer Date: Tue Apr 8 06:53:08 2025 -0400 diff --git a/debian/changelog b/debian/changelog index c28da5f..24991b1 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:44.6-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Wed, 09 Apr 2025 15:15:59 +0000 + security-misc (3:44.5-1) unstable; urgency=medium * New upstream version (local package). From aa0ffff42753f68e67bc92680a22986a5b9ef9e0 Mon Sep 17 00:00:00 2001 From: raja-grewal Date: Thu, 10 Apr 2025 11:49:45 +1000 Subject: [PATCH 821/846] README.md: Revert error --- README.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index c51b776..38cc8e0 100644 --- a/README.md +++ b/README.md 
@@ -421,11 +421,12 @@ Miscellaneous modules: `/usr/lib/systemd/pstore.conf.d/30_security-misc.conf` -- An initramfs hook sets the sysctl values in `/usr/lib/sysctl.d/` before init - is executed so sysctl hardening is enabled as early as possible. This is - implemented for `initramfs-tools` only because this is not needed for `dracut` - as `dracut` does that by default, at least on `systemd` enabled systems. Not - researched for non-`systemd` systems by the author of this part of the readme. +- An initramfs hook sets the sysctl values in `/etc/sysctl.conf` and + `/etc/sysctl.d` before init is executed so sysctl hardening is enabled as + early as possible. This is implemented for `initramfs-tools` only because + this is not needed for `dracut` as `dracut` does that by default, at + least on `systemd` enabled systems. Not researched for non-`systemd` systems + by the author of this part of the readme. ## Network hardening From 74ca63d12c716017d022f5dfc5348ae7b787e220 Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Wed, 9 Apr 2025 21:01:41 -0500 Subject: [PATCH 822/846] Mass-change "PERSISTENCE mode USERNAME" to "PERSISTENCE Mode - USERNAME Session" --- usr/libexec/security-misc/pam-info | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index f1e03a2..a254a94 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info @@ -76,7 +76,7 @@ if [ "$PAM_USER" = 'sysmaint' ]; then sysmaint_passwd_info="$(passwd --status sysmaint 2>/dev/null)" || true sysmaint_lock_info="$(cut -d' ' -f2 <<< "${sysmaint_passwd_info}")" if [ "${sysmaint_lock_info}" = 'L' ]; then - echo "$0: ERROR: Reboot and choose 'PERSISTENT mode SYSMAINT' for system maintenance. See https://www.kicksecure.com/wiki/Sysmaint" + echo "$0: ERROR: Reboot and choose 'PERSISTENT Mode - SYSMAINT Session' for system maintenance. See https://www.kicksecure.com/wiki/Sysmaint" fi fi 
From 5e88dfe809a762aeebf62ea2de131cfbdea9ae32 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Thu, 10 Apr 2025 11:38:17 +0000 Subject: [PATCH 823/846] bumped changelog version --- changelog.upstream | 19 +++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 25 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index fbd70ba..11fb2cf 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,22 @@ +commit c0a18c5a7122fe3c7b52d0e02ca5e8817efb3996 +Merge: da9dd3c 74ca63d +Author: Patrick Schleizer +Date: Thu Apr 10 06:07:55 2025 -0400 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/rename-boot-modes' + +commit 74ca63d12c716017d022f5dfc5348ae7b787e220 +Author: Aaron Rainbolt +Date: Wed Apr 9 21:01:41 2025 -0500 + + Mass-change "PERSISTENCE mode USERNAME" to "PERSISTENCE Mode - USERNAME Session" + +commit da9dd3c3f14103701ad82af775b4fb547f5b3e2e +Author: Patrick Schleizer +Date: Wed Apr 9 15:16:00 2025 +0000 + + bumped changelog version + commit 163d51f32a1888a52ea78ba32a4e4a2d72aea87d Author: Patrick Schleizer Date: Wed Apr 9 09:47:52 2025 -0400 diff --git a/debian/changelog b/debian/changelog index 24991b1..83b5447 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:44.7-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Thu, 10 Apr 2025 11:38:17 +0000 + security-misc (3:44.6-1) unstable; urgency=medium * New upstream version (local package). From 7512aa67572c97267fd176e63ae4862b6d37f8ae Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 15 Apr 2025 20:59:37 +0000 Subject: [PATCH 824/846] bumped changelog version --- changelog.upstream | 46 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 52 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 11fb2cf..fac59a5 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,25 @@ +commit e0e2a9b61c61b34a6fe10782e294d58adff15cfe +Merge: 5e88dfe 9f2836d +Author: Patrick Schleizer +Date: Tue Apr 15 15:27:10 2025 -0400 + + Merge remote-tracking branch 'github-kicksecure/master' + +commit 9f2836d2baae900222cbae74d7a32bcdc69e589f +Merge: 5e88dfe aa0ffff +Author: Patrick Schleizer +Date: Tue Apr 15 15:17:25 2025 -0400 + + Merge pull request #304 from raja-grewal/stop_pstore + + Disable PStore + +commit 5e88dfe809a762aeebf62ea2de131cfbdea9ae32 +Author: Patrick Schleizer +Date: Thu Apr 10 11:38:17 2025 +0000 + + bumped changelog version + commit c0a18c5a7122fe3c7b52d0e02ca5e8817efb3996 Merge: da9dd3c 74ca63d Author: Patrick Schleizer @@ -11,6 +33,12 @@ Date: Wed Apr 9 21:01:41 2025 -0500 Mass-change "PERSISTENCE mode USERNAME" to "PERSISTENCE Mode - USERNAME Session" +commit aa0ffff42753f68e67bc92680a22986a5b9ef9e0 +Author: raja-grewal +Date: Thu Apr 10 11:49:45 2025 +1000 + + README.md: Revert error + commit da9dd3c3f14103701ad82af775b4fb547f5b3e2e Author: Patrick Schleizer Date: Wed Apr 9 15:16:00 2025 +0000 @@ -41,6 +69,24 @@ Date: Tue Apr 8 06:48:29 2025 -0400 output +commit f0d17c7e4134d8a54ce7331c1e9d3ce932278987 +Author: raja-grewal +Date: Sun Mar 16 03:31:24 2025 +0000 + + README: Fix a few links + +commit df2fc2cf6b0437d23c7641118ebd24d2e3a670ce +Author: raja-grewal +Date: Sun Mar 16 03:30:04 2025 +0000 + + Set `efi_pstore.pstore_disable=1` + +commit f643ebc2f923ba4d7231e5aeaf1d91d1a9d1d0df +Author: raja-grewal +Date: Sun Mar 16 03:28:39 2025 +0000 + + Disable pstore processing by systemd-pstore service + commit d927fe238cc5369f7fe1632a4173fe4bdf0ffdfb Author: Patrick Schleizer Date: Mon Mar 3 11:00:38 2025 +0000 diff --git a/debian/changelog b/debian/changelog index 83b5447..b12df22 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:44.8-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Tue, 15 Apr 2025 20:59:37 +0000 + security-misc (3:44.7-1) unstable; urgency=medium * New upstream version (local package). From 5a37790e6bd80ffd4f74d9596523ef72366d35d9 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 19 Apr 2025 12:43:15 -0400 Subject: [PATCH 825/846] cleanup --- usr/libexec/security-misc/apt-get-update | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/apt-get-update b/usr/libexec/security-misc/apt-get-update index 729baca..cb586e9 100755 --- a/usr/libexec/security-misc/apt-get-update +++ b/usr/libexec/security-misc/apt-get-update @@ -12,7 +12,7 @@ export LC_ALL=C write_pid_file() { [[ -z "${TMP:-}" ]] && error "TMP is unset" - safe-rm -rf "$TMP/security-misc-apt-get-update-pid"; + safe-rm -rf "$TMP/security-misc-apt-get-update-pid" install -m644 /dev/null "$TMP/security-misc-apt-get-update-pid" echo "$$" | sponge -- "$TMP/security-misc-apt-get-update-pid" } From 96ff7c8dc67809a3199d0b7f22d9e50483634a9c Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 19 Apr 2025 12:45:06 -0400 Subject: [PATCH 826/846] refactoring --- usr/libexec/security-misc/apt-get-update | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/usr/libexec/security-misc/apt-get-update b/usr/libexec/security-misc/apt-get-update index cb586e9..0e5e8f5 100755 --- a/usr/libexec/security-misc/apt-get-update +++ b/usr/libexec/security-misc/apt-get-update @@ -21,12 +21,9 @@ sigterm_trap() { if [ "$lastpid" = "" ]; then exit 143 fi - ps -p "$lastpid" >/dev/null 2>&1 - if [ ! "$?" = "0" ]; then - ## Already terminated. - exit 143 + if kill -0 -- "$lastpid" &>/dev/null ; then + kill -s sigterm -- "$lastpid" fi - kill -s sigterm "$lastpid" exit 143 } From ce2c9a21a357b3981335336eaf7ac8a6a3bcb052 Mon Sep 17 00:00:00 2001 
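Review bot: The new `kill -0 -- "$lastpid"` probe in sigterm_trap also fails with EPERM when the process is alive but owned by another user, and the branch then exits 143 without sending SIGTERM; the replaced `ps -p` check had the same blind spot, so this is inherited rather than new, but a one-line comment such as `## kill -0 fails both when the PID is gone and when it is not ours; nothing to do in either case.` would save the next reader the trip to the man page. The `[ "$lastpid" = "" ]` guard just above is the only protection against the trap firing after `trap "sigterm_trap" SIGTERM SIGINT` but before `lastpid="$!"` is assigned, and with `set -o nounset` in effect (visible in the later hunks of this file) that comparison itself aborts with an unbound-variable error instead of reaching `exit 143`; `[ "${lastpid:-}" = "" ]` avoids that. The same applies to the inverted form of this block in PATCH 830. sigterm_trap begins before this hunk.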
From: Patrick Schleizer Date: Sat, 19 Apr 2025 12:47:40 -0400 Subject: [PATCH 827/846] /usr/libexec/security-misc/apt-get-update: use `/run/helper-scripts` folder for pid file instead of `$TMP` to avoid permission issues --- usr/libexec/security-misc/apt-get-update | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/usr/libexec/security-misc/apt-get-update b/usr/libexec/security-misc/apt-get-update index 0e5e8f5..6262d00 100755 --- a/usr/libexec/security-misc/apt-get-update +++ b/usr/libexec/security-misc/apt-get-update @@ -11,10 +11,9 @@ set -o pipefail export LC_ALL=C write_pid_file() { - [[ -z "${TMP:-}" ]] && error "TMP is unset" - safe-rm -rf "$TMP/security-misc-apt-get-update-pid" - install -m644 /dev/null "$TMP/security-misc-apt-get-update-pid" - echo "$$" | sponge -- "$TMP/security-misc-apt-get-update-pid" + safe-rm -rf "/run/helper-scripts/security-misc-apt-get-update-pid" + install -m644 /dev/null "/run/helper-scripts/security-misc-apt-get-update-pid" + echo "$$" | sponge -- "/run/helper-scripts/security-misc-apt-get-update-pid" } sigterm_trap() { From 90330a1ec958f82f9322ecc62bcfb7169d641af4 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 19 Apr 2025 12:49:18 -0400 Subject: [PATCH 828/846] refactoring --- usr/libexec/security-misc/apt-get-update | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/libexec/security-misc/apt-get-update b/usr/libexec/security-misc/apt-get-update index 6262d00..27d829e 100755 --- a/usr/libexec/security-misc/apt-get-update +++ b/usr/libexec/security-misc/apt-get-update @@ -11,7 +11,7 @@ set -o pipefail export LC_ALL=C write_pid_file() { - safe-rm -rf "/run/helper-scripts/security-misc-apt-get-update-pid" + safe-rm -r -f -- "/run/helper-scripts/security-misc-apt-get-update-pid" install -m644 /dev/null "/run/helper-scripts/security-misc-apt-get-update-pid" echo "$$" | sponge -- "/run/helper-scripts/security-misc-apt-get-update-pid" } 
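Review bot: `install -m644 /dev/null "/run/helper-scripts/security-misc-apt-get-update-pid"` in write_pid_file fails if `/run/helper-scripts` does not exist yet, and since `/run` is a tmpfs that directory has to be recreated on every boot (by a tmpfiles.d entry or by whatever ships the helper scripts, presumably); under `set -o errexit` the script then dies with only install's own message. `install -D -m644 /dev/null "/run/helper-scripts/security-misc-apt-get-update-pid"` creates the missing parent, or the script could test for the directory first and report a clearer error. Moving from `$TMP` to a fixed path also assumes the directory is root-owned and not writable by other users, and that assumption deserves a comment next to the path, e.g. `## /run/helper-scripts must exist and be writable only by root — TODO confirm who creates it.`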
From 81634930fa13a240b9fff9a878dd84af1dccc6b3 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 19 Apr 2025 12:55:32 -0400 Subject: [PATCH 829/846] refactoring --- usr/libexec/security-misc/apt-get-update | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/usr/libexec/security-misc/apt-get-update b/usr/libexec/security-misc/apt-get-update index 27d829e..d645cf9 100755 --- a/usr/libexec/security-misc/apt-get-update +++ b/usr/libexec/security-misc/apt-get-update @@ -9,11 +9,12 @@ set -o errtrace set -o pipefail export LC_ALL=C +pidfile="/run/helper-scripts/security-misc-apt-get-update-pid" write_pid_file() { - safe-rm -r -f -- "/run/helper-scripts/security-misc-apt-get-update-pid" - install -m644 /dev/null "/run/helper-scripts/security-misc-apt-get-update-pid" - echo "$$" | sponge -- "/run/helper-scripts/security-misc-apt-get-update-pid" + safe-rm -r -f -- "$pidfile" + install -m644 /dev/null "$pidfile" + echo "$$" | sponge -- "$pidfile" } sigterm_trap() { From c4f0e1d16f6999b055b0fa310456870f12a6dbea Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 19 Apr 2025 12:57:14 -0400 Subject: [PATCH 830/846] refactoring --- usr/libexec/security-misc/apt-get-update | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/usr/libexec/security-misc/apt-get-update b/usr/libexec/security-misc/apt-get-update index d645cf9..d5d4da0 100755 --- a/usr/libexec/security-misc/apt-get-update +++ b/usr/libexec/security-misc/apt-get-update @@ -21,9 +21,10 @@ sigterm_trap() { if [ "$lastpid" = "" ]; then exit 143 fi - if kill -0 -- "$lastpid" &>/dev/null ; then - kill -s sigterm -- "$lastpid" + if ! kill -0 -- "$lastpid" &>/dev/null ; then + exit 143 fi + kill -s sigterm -- "$lastpid" exit 143 } From 4799f3ce02e5683dad0fff13f5d7fe0aadb0a0db Mon Sep 17 00:00:00 2001 
From: Patrick Schleizer Date: Sat, 19 Apr 2025 13:17:28 -0400 Subject: [PATCH 831/846] make `/usr/libexec/security-misc/apt-get-update` more reliable --- usr/libexec/security-misc/apt-get-update | 32 ++++++++++-------------- 1 file changed, 13 insertions(+), 19 deletions(-) diff --git a/usr/libexec/security-misc/apt-get-update b/usr/libexec/security-misc/apt-get-update index d5d4da0..e333930 100755 --- a/usr/libexec/security-misc/apt-get-update +++ b/usr/libexec/security-misc/apt-get-update @@ -11,34 +11,28 @@ set -o pipefail export LC_ALL=C pidfile="/run/helper-scripts/security-misc-apt-get-update-pid" -write_pid_file() { - safe-rm -r -f -- "$pidfile" - install -m644 /dev/null "$pidfile" - echo "$$" | sponge -- "$pidfile" -} - sigterm_trap() { - if [ "$lastpid" = "" ]; then - exit 143 - fi - if ! kill -0 -- "$lastpid" &>/dev/null ; then - exit 143 - fi - kill -s sigterm -- "$lastpid" + /usr/libexec/helper-scripts/apt-get-update-kill-helper exit 143 } +## terminate potential previous invocations. +/usr/libexec/helper-scripts/apt-get-update-kill-helper + trap "sigterm_trap" SIGTERM SIGINT [[ -v timeout_after ]] || timeout_after="600" [[ -v kill_after ]] || kill_after="10" -write_pid_file - -timeout \ - --kill-after="$kill_after" \ - "$timeout_after" \ - apt-get update --error-on=any "$@" & +start-stop-daemon \ + --make-pidfile \ + --pidfile "$pidfile" \ + --exec /usr/bin/timeout \ + --start \ + -- \ + --kill-after="$kill_after" \ + "$timeout_after" \ + apt-get update --error-on=any "$@" & lastpid="$!" wait "$lastpid" From a670c0d873eba8d84bde90ebbeecc7aecc22349e Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 19 Apr 2025 13:18:23 -0400 Subject: [PATCH 832/846] comment --- usr/libexec/security-misc/apt-get-update | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr/libexec/security-misc/apt-get-update b/usr/libexec/security-misc/apt-get-update index e333930..63729d3 100755 --- a/usr/libexec/security-misc/apt-get-update 
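Review bot: sigterm_trap no longer uses `$lastpid` at all and relies entirely on `/usr/libexec/helper-scripts/apt-get-update-kill-helper`, which presumably reads `$pidfile`; that file is written by `--make-pidfile` only once start-stop-daemon has started `timeout`, so a SIGTERM or SIGINT landing between `trap "sigterm_trap" SIGTERM SIGINT` and the write, or a helper that cannot find the file, leaves the child running while the script exits 143. Keeping the direct kill as a fallback closes that gap: after the helper call add `[ -n "${lastpid:-}" ] && kill -s sigterm -- "$lastpid" 2>/dev/null || true`. Separately, `--exec /usr/bin/timeout` together with `--pidfile` makes start-stop-daemon refuse to start (exit 1, surfaced only through `wait`) whenever the pidfile names a live process whose executable is `timeout`, which a stale file plus a recycled PID of any other `timeout` invocation satisfies; a comment stating that the preceding kill-helper call is what keeps the pidfile fresh would make that dependency explicit. The hunk ends at `wait "$lastpid"`; anything after it is outside this view.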
+++ b/usr/libexec/security-misc/apt-get-update @@ -3,6 +3,8 @@ ## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. +## TODO: Move this to helper-scripts. + set -o errexit set -o nounset set -o errtrace From 701f4a0e88a32e4c9312fd92b73cef5d4f755f0a Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 19 Apr 2025 13:20:04 -0400 Subject: [PATCH 833/846] output --- usr/libexec/security-misc/apt-get-update | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/libexec/security-misc/apt-get-update b/usr/libexec/security-misc/apt-get-update index 63729d3..03da442 100755 --- a/usr/libexec/security-misc/apt-get-update +++ b/usr/libexec/security-misc/apt-get-update @@ -14,12 +14,12 @@ export LC_ALL=C pidfile="/run/helper-scripts/security-misc-apt-get-update-pid" sigterm_trap() { - /usr/libexec/helper-scripts/apt-get-update-kill-helper + /usr/libexec/helper-scripts/apt-get-update-kill-helper &>/dev/null exit 143 } ## terminate potential previous invocations. -/usr/libexec/helper-scripts/apt-get-update-kill-helper +/usr/libexec/helper-scripts/apt-get-update-kill-helper &>/dev/null trap "sigterm_trap" SIGTERM SIGINT From 4aca622706f33e85832e67650259a7751ba87a72 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 19 Apr 2025 13:23:26 -0400 Subject: [PATCH 834/846] fix --- usr/libexec/security-misc/apt-get-update | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr/libexec/security-misc/apt-get-update b/usr/libexec/security-misc/apt-get-update index 03da442..0cd6401 100755 --- a/usr/libexec/security-misc/apt-get-update +++ b/usr/libexec/security-misc/apt-get-update @@ -10,6 +10,8 @@ set -o nounset set -o errtrace set -o pipefail +command -v start-stop-daemon >/dev/null + export LC_ALL=C pidfile="/run/helper-scripts/security-misc-apt-get-update-pid" From 9948ae114d4c6bbd650022c9985137c0fdea5675 Mon Sep 17 00:00:00 2001 
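Review bot: The `&>/dev/null` added to both `/usr/libexec/helper-scripts/apt-get-update-kill-helper` calls also discards stderr, so if the helper is missing, not executable or fails for any other reason, the top-level call aborts the script under `set -o errexit` with no diagnostic at all, and the call inside sigterm_trap fails silently before `exit 143`. Silence only stdout (`>/dev/null`), or keep the redirect but guard the helper the way the `command -v` checks guard the other tools, e.g. `[ -x /usr/libexec/helper-scripts/apt-get-update-kill-helper ] || { printf '%s\n' "$0: ERROR: apt-get-update-kill-helper missing" >&2; exit 1; }`. A comment saying why the helper's output is unwanted would also help, since the commit subject "output" does not say.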
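Review bot: `command -v start-stop-daemon >/dev/null` relies on `set -o errexit` to abort when the tool is missing, which means the script exits with status 1 and prints nothing; the same holds for the `command -v timeout` and `command -v apt-get` lines added in PATCH 835. A reader also cannot tell from the bare line that it is a dependency check rather than a leftover. Suggest `command -v start-stop-daemon >/dev/null || { printf '%s\n' "$0: ERROR: start-stop-daemon not found" >&2; exit 1; }` for each tool, or at least a `## fail early if a required tool is missing (errexit turns the failed lookup into an exit)` comment above the group.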
From: Patrick Schleizer Date: Sat, 19 Apr 2025 13:24:17 -0400 Subject: [PATCH 835/846] fix --- usr/libexec/security-misc/apt-get-update | 2 ++ 1 file changed, 2 insertions(+) diff --git a/usr/libexec/security-misc/apt-get-update b/usr/libexec/security-misc/apt-get-update index 0cd6401..9cbfd8e 100755 --- a/usr/libexec/security-misc/apt-get-update +++ b/usr/libexec/security-misc/apt-get-update @@ -11,6 +11,8 @@ set -o errtrace set -o pipefail command -v start-stop-daemon >/dev/null +command -v timeout >/dev/null +command -v apt-get >/dev/null export LC_ALL=C pidfile="/run/helper-scripts/security-misc-apt-get-update-pid" From dc7e8579040a96630ab1bbf7b4b901e3e3abe8c7 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Sat, 19 Apr 2025 17:33:56 +0000 Subject: [PATCH 836/846] bumped changelog version --- changelog.upstream | 74 ++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 6 ++++ 2 files changed, 80 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index fac59a5..443ce2d 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,77 @@ +commit 9948ae114d4c6bbd650022c9985137c0fdea5675 +Author: Patrick Schleizer +Date: Sat Apr 19 13:24:17 2025 -0400 + + fix + +commit 4aca622706f33e85832e67650259a7751ba87a72 +Author: Patrick Schleizer +Date: Sat Apr 19 13:23:26 2025 -0400 + + fix + +commit 701f4a0e88a32e4c9312fd92b73cef5d4f755f0a +Author: Patrick Schleizer +Date: Sat Apr 19 13:20:04 2025 -0400 + + output + +commit a670c0d873eba8d84bde90ebbeecc7aecc22349e +Author: Patrick Schleizer +Date: Sat Apr 19 13:18:23 2025 -0400 + + comment + +commit 4799f3ce02e5683dad0fff13f5d7fe0aadb0a0db +Author: Patrick Schleizer +Date: Sat Apr 19 13:17:28 2025 -0400 + + make `/usr/libexec/security-misc/apt-get-update` more reliable + +commit c4f0e1d16f6999b055b0fa310456870f12a6dbea +Author: Patrick Schleizer +Date: Sat Apr 19 12:57:14 2025 -0400 + + refactoring + +commit 81634930fa13a240b9fff9a878dd84af1dccc6b3 +Author: Patrick Schleizer +Date: Sat Apr 19 12:55:32 2025 -0400 + + refactoring + +commit 90330a1ec958f82f9322ecc62bcfb7169d641af4 +Author: Patrick Schleizer +Date: Sat Apr 19 12:49:18 2025 -0400 + + refactoring + +commit ce2c9a21a357b3981335336eaf7ac8a6a3bcb052 +Author: Patrick Schleizer +Date: Sat Apr 19 12:47:40 2025 -0400 + + /usr/libexec/security-misc/apt-get-update: use `/run/helper-scripts` folder for pid file instead of `$TMP` + + to avoid permission issues + +commit 96ff7c8dc67809a3199d0b7f22d9e50483634a9c +Author: Patrick Schleizer +Date: Sat Apr 19 12:45:06 2025 -0400 + + refactoring + +commit 5a37790e6bd80ffd4f74d9596523ef72366d35d9 +Author: Patrick Schleizer +Date: Sat Apr 19 12:43:15 2025 -0400 + + cleanup + +commit 7512aa67572c97267fd176e63ae4862b6d37f8ae +Author: Patrick Schleizer +Date: Tue Apr 15 20:59:37 2025 +0000 + + bumped changelog version + commit e0e2a9b61c61b34a6fe10782e294d58adff15cfe Merge: 5e88dfe 9f2836d Author: Patrick Schleizer diff --git a/debian/changelog b/debian/changelog index b12df22..66ff75b 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +security-misc (3:44.9-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Sat, 19 Apr 2025 17:33:56 +0000 + security-misc (3:44.8-1) unstable; urgency=medium * New upstream version (local package). From efa2967fca36c776d43419dd5bf12696bc61c426 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 21 Apr 2025 04:53:04 -0400 Subject: [PATCH 837/846] comments --- etc/modprobe.d/30_security-misc_disable.conf | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/etc/modprobe.d/30_security-misc_disable.conf b/etc/modprobe.d/30_security-misc_disable.conf index e95bd68..79b5ed6 100644 --- a/etc/modprobe.d/30_security-misc_disable.conf +++ b/etc/modprobe.d/30_security-misc_disable.conf @@ -1,7 +1,7 @@ ## Copyright (C) 2012 - 2025 ENCRYPTED SUPPORT LLC ## See the file COPYING for copying conditions. -## See the following links for a community discussion and overview regarding the selections. +## See the following links for a community discussion and overview regarding the selections: ## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-kernel-modules @@ -17,11 +17,11 @@ ## 1. Hardware: ## Bluetooth: -## Disable Bluetooth to reduce attack surface due to extended history of security vulnerabilities. +## Disable Bluetooth to reduce the attack surface due to its long history of security vulnerabilities. ## ## https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns ## -## Now replaced by a privacy and security preserving default Bluetooth configuration for better usability. +## Now replaced with a privacy- and security-preserving default Bluetooth configuration for better usability. ## https://github.com/Kicksecure/security-misc/pull/145 ## #install bluetooth /usr/bin/disabled-bluetooth-by-security-misc 
@@ -43,7 +43,7 @@ #install virtio_bt /usr/bin/disabled-bluetooth-by-security-misc ## FireWire (IEEE 1394): -## Disable IEEE 1394 (FireWire/i.LINK/Lynx) modules to prevent some DMA attacks. +## Disable IEEE 1394 (FireWire/i.LINK/Lynx) modules to prevent certain DMA attacks. ## ## https://en.wikipedia.org/wiki/IEEE_1394#Security_issues ## @@ -70,9 +70,9 @@ install gnss-usb /usr/bin/disabled-gps-by-security-misc ## Intel Management Engine (ME): ## Partially disable the Intel ME interface with the OS. -## ME functionality has increasing become more intertwined with basic Intel system operation. -## Disabling may lead to breakages in numerous places without clear debugging/error messages. -## May cause issues with firmware updates, security, power management, display, and DRM. +## ME functionality has increasingly become intertwined with basic Intel system operation. +## Disabling it may lead to breakages in various components without clear debugging/error messages. +## It may affect firmware updates, security, power management, display, and DRM. ## ## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html ## https://en.wikipedia.org/wiki/Intel_Management_Engine#Security_vulnerabilities @@ -94,7 +94,7 @@ install gnss-usb /usr/bin/disabled-gps-by-security-misc #install microread_mei /usr/bin/disabled-intelme-by-security-misc ## Intel Platform Monitoring Technology (PMT) Telemetry: -## Disable some functionality of the Intel PMT components. +## Disable certain functionalities of the Intel PMT components. ## ## https://github.com/intel/Intel-PMT ## @@ -103,7 +103,7 @@ install pmt_crashlog /usr/bin/disabled-intelpmt-by-security-misc install pmt_telemetry /usr/bin/disabled-intelpmt-by-security-misc ## Thunderbolt: -## Disables Thunderbolt modules to prevent some DMA attacks. +## Disable Thunderbolt modules to prevent certain DMA attacks. ## ## https://en.wikipedia.org/wiki/Thunderbolt_(interface)#Security_vulnerabilities ## 
From abb0c83619b820b7b66258efa9e141850eaa8b6c Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 21 Apr 2025 04:54:06 -0400 Subject: [PATCH 838/846] comments --- etc/modprobe.d/30_security-misc_conntrack.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/modprobe.d/30_security-misc_conntrack.conf b/etc/modprobe.d/30_security-misc_conntrack.conf index 29cbb74..c3ff5b9 100644 --- a/etc/modprobe.d/30_security-misc_conntrack.conf +++ b/etc/modprobe.d/30_security-misc_conntrack.conf @@ -3,7 +3,7 @@ ## Conntrack: ## Disable Netfilter's automatic connection tracking helper assignment. -## Increases kernel attack surface by enabling superfluous functionality such as IRC parsing in the kernel. +## Increases the kernel attack surface by enabling superfluous functionality such as IRC parsing in the kernel. ## ## https://conntrack-tools.netfilter.org/manual.html ## https://forums.whonix.org/t/disable-conntrack-helper/18917 From 502f5953c734346edc680a0b898b435e6c6f6e27 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 21 Apr 2025 04:55:19 -0400 Subject: [PATCH 839/846] comments --- etc/modprobe.d/30_security-misc_conntrack.conf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/etc/modprobe.d/30_security-misc_conntrack.conf b/etc/modprobe.d/30_security-misc_conntrack.conf index c3ff5b9..7f36327 100644 --- a/etc/modprobe.d/30_security-misc_conntrack.conf +++ b/etc/modprobe.d/30_security-misc_conntrack.conf @@ -3,7 +3,8 @@ ## Conntrack: ## Disable Netfilter's automatic connection tracking helper assignment. -## Increases the kernel attack surface by enabling superfluous functionality such as IRC parsing in the kernel. +## This functionality adds unnecessary features, such as IRC protocol parsing, into the kernel. +## Disabling it reduces the kernel attack surface and improves security. ## ## https://conntrack-tools.netfilter.org/manual.html ## https://forums.whonix.org/t/disable-conntrack-helper/18917 
From 4bf0e3a63667c284d053e5b8517440a884a42441 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 21 Apr 2025 04:57:07 -0400 Subject: [PATCH 840/846] comments --- etc/modprobe.d/30_security-misc_blacklist.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/etc/modprobe.d/30_security-misc_blacklist.conf b/etc/modprobe.d/30_security-misc_blacklist.conf index 49e4fcb..5ce1edc 100644 --- a/etc/modprobe.d/30_security-misc_blacklist.conf +++ b/etc/modprobe.d/30_security-misc_blacklist.conf @@ -10,7 +10,7 @@ ## CD-ROM/DVD: ## Blacklist CD-ROM and DVD modules. -## Do not disable by default for potential future ISO plans. +## Not disabled by default due to potential future ISO plans. ## ## https://nvd.nist.gov/vuln/detail/CVE-2018-11506 ## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31 From e154d0af6dd41e392122fbe3d09219734c5ad588 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Mon, 21 Apr 2025 10:21:54 +0000 Subject: [PATCH 841/846] bumped changelog version --- changelog.upstream | 30 ++++++++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 36 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 443ce2d..60f4eb5 100644 --- a/changelog.upstream +++ b/changelog.upstream 
@@ -1,3 +1,33 @@ +commit 4bf0e3a63667c284d053e5b8517440a884a42441 +Author: Patrick Schleizer +Date: Mon Apr 21 04:57:07 2025 -0400 + + comments + +commit 502f5953c734346edc680a0b898b435e6c6f6e27 +Author: Patrick Schleizer +Date: Mon Apr 21 04:55:19 2025 -0400 + + comments + +commit abb0c83619b820b7b66258efa9e141850eaa8b6c +Author: Patrick Schleizer +Date: Mon Apr 21 04:54:06 2025 -0400 + + comments + +commit efa2967fca36c776d43419dd5bf12696bc61c426 +Author: Patrick Schleizer +Date: Mon Apr 21 04:53:04 2025 -0400 + + comments + +commit dc7e8579040a96630ab1bbf7b4b901e3e3abe8c7 +Author: Patrick Schleizer +Date: Sat Apr 19 17:33:56 2025 +0000 + + bumped changelog version + commit 9948ae114d4c6bbd650022c9985137c0fdea5675 Author: Patrick Schleizer Date: Sat Apr 19 13:24:17 2025 -0400 diff --git a/debian/changelog b/debian/changelog index 66ff75b..ae03aa4 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:45.0-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Mon, 21 Apr 2025 10:21:54 +0000 + security-misc (3:44.9-1) unstable; urgency=medium * New upstream version (local package). From 612f5f92fde236b86928428fd0247c8e971b0460 Mon Sep 17 00:00:00 2001 From: Aaron Rainbolt Date: Thu, 24 Apr 2025 20:01:35 -0500 Subject: [PATCH 842/846] Fix umask for pkexec-run commands --- usr/share/pam-configs/umask-security-misc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/usr/share/pam-configs/umask-security-misc b/usr/share/pam-configs/umask-security-misc index 6436a56..c6c32e6 100644 --- a/usr/share/pam-configs/umask-security-misc +++ b/usr/share/pam-configs/umask-security-misc 
@@ -2,7 +2,8 @@ Name: Restrict umask to 027 (by package security-misc) Default: yes Priority: 100 Session-Type: Additional -Session-Interactive-Only: yes Session: [success=1 default=ignore] pam_succeed_if.so uid eq 0 optional pam_umask.so umask=027 + [success=1 default=ignore] pam_succeed_if.so uid ne 0 + optional pam_umask.so umask=022 From a8f6132bec1a6f4a639d58295b3e50faf5494d98 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 25 Apr 2025 03:11:27 -0400 Subject: [PATCH 843/846] output --- usr/share/pam-configs/umask-security-misc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/share/pam-configs/umask-security-misc b/usr/share/pam-configs/umask-security-misc index c6c32e6..b29e433 100644 --- a/usr/share/pam-configs/umask-security-misc +++ b/usr/share/pam-configs/umask-security-misc @@ -1,4 +1,4 @@ -Name: Restrict umask to 027 (by package security-misc) +Name: Restrict umask to 027 for non-root users (by package security-misc) Default: yes Priority: 100 Session-Type: Additional From ba1012ca8767baf34ed762d80b25b03bb70e6765 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 25 Apr 2025 08:19:35 +0000 Subject: [PATCH 844/846] bumped changelog version --- changelog.upstream | 25 +++++++++++++++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 31 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 60f4eb5..7a4f697 100644 --- a/changelog.upstream +++ b/changelog.upstream 
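Review bot: Dropping `Session-Interactive-Only: yes` applies this profile to every session stack pam-auth-update manages, not just the one pkexec uses, and the new `uid ne 0` / `optional pam_umask.so umask=022` pair now sets an explicit 022 for root where the old profile simply skipped root; presumably that is what makes pkexec-run commands behave, but it also means any non-interactive root session that includes the profile (sudo, cron, service logins, depending on which stacks receive `Additional` session profiles) creates world-readable files by default. If that widening is deliberate, record the reason in the commit message or the profile; if only pkexec needed fixing, a single `optional pam_umask.so umask=027` for all uids would keep the hardening uniform. Note too that each `[success=1 default=ignore]` skips exactly one module, so inserting any line between the four would silently change which umask a given uid ends up with.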
@@ -1,3 +1,28 @@ +commit a8f6132bec1a6f4a639d58295b3e50faf5494d98 +Author: Patrick Schleizer +Date: Fri Apr 25 03:11:27 2025 -0400 + + output + +commit 1d14a9f32435b8131c251e03bff2af5c929bbf49 +Merge: e154d0a 612f5f9 +Author: Patrick Schleizer +Date: Fri Apr 25 02:59:09 2025 -0400 + + Merge remote-tracking branch 'ArrayBolt3/arraybolt3/fix-pkexec-umask' + +commit 612f5f92fde236b86928428fd0247c8e971b0460 +Author: Aaron Rainbolt +Date: Thu Apr 24 20:01:35 2025 -0500 + + Fix umask for pkexec-run commands + +commit e154d0af6dd41e392122fbe3d09219734c5ad588 +Author: Patrick Schleizer +Date: Mon Apr 21 10:21:54 2025 +0000 + + bumped changelog version + commit 4bf0e3a63667c284d053e5b8517440a884a42441 Author: Patrick Schleizer Date: Mon Apr 21 04:57:07 2025 -0400 diff --git a/debian/changelog b/debian/changelog index ae03aa4..26d2607 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:45.1-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 25 Apr 2025 08:19:34 +0000 + security-misc (3:45.0-1) unstable; urgency=medium * New upstream version (local package). From 06e1e44b0039807baa862102b12fc5e199c3ccb3 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 25 Apr 2025 05:51:21 -0400 Subject: [PATCH 845/846] comments --- usr/libexec/security-misc/pam-info | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr/libexec/security-misc/pam-info b/usr/libexec/security-misc/pam-info index a254a94..5f8198a 100755 --- a/usr/libexec/security-misc/pam-info +++ b/usr/libexec/security-misc/pam-info 
@@ -106,12 +106,12 @@ fi # fi # fi -## as user "user" +## under account "user" ## /usr/sbin/faillock -u user ## faillock: Error opening /var/log/tallylog for update: Permission denied ## /usr/sbin/faillock: Authentication error ## -## xscreensaver runs as user "user", therefore pam_faillock cannot function. +## xscreensaver runs under account "user", therefore pam_faillock cannot function. ## xscreensaver has its own failed login counter. ## ## https://askubuntu.com/questions/983183/how-lock-the-unlock-screen-after-wrong-password-attempts From 341dce33fb806ab03822470e6af91604662c22dd Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Fri, 25 Apr 2025 09:54:23 +0000 Subject: [PATCH 846/846] bumped changelog version --- changelog.upstream | 12 ++++++++++++ debian/changelog | 6 ++++++ 2 files changed, 18 insertions(+) diff --git a/changelog.upstream b/changelog.upstream index 7a4f697..d2432d7 100644 --- a/changelog.upstream +++ b/changelog.upstream @@ -1,3 +1,15 @@ +commit 06e1e44b0039807baa862102b12fc5e199c3ccb3 +Author: Patrick Schleizer +Date: Fri Apr 25 05:51:21 2025 -0400 + + comments + +commit ba1012ca8767baf34ed762d80b25b03bb70e6765 +Author: Patrick Schleizer +Date: Fri Apr 25 08:19:35 2025 +0000 + + bumped changelog version + commit a8f6132bec1a6f4a639d58295b3e50faf5494d98 Author: Patrick Schleizer Date: Fri Apr 25 03:11:27 2025 -0400 diff --git a/debian/changelog b/debian/changelog index 26d2607..a0ef4b0 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +security-misc (3:45.2-1) unstable; urgency=medium + + * New upstream version (local package). + + -- Patrick Schleizer Fri, 25 Apr 2025 09:54:23 +0000 + security-misc (3:45.1-1) unstable; urgency=medium * New upstream version (local package).