mirror of
https://github.com/Kicksecure/security-misc.git
synced 2024-12-23 01:23:36 +07:00
parent
18a06935e0
commit
0efee2f50f
1
debian/security-misc.install
vendored
1
debian/security-misc.install
vendored
@ -5,6 +5,5 @@
|
||||
|
||||
bin/*
|
||||
etc/*
|
||||
lib/*
|
||||
usr/*
|
||||
var/*
|
||||
|
@ -18,4 +18,4 @@ prereqs)
|
||||
esac
|
||||
|
||||
. /usr/share/initramfs-tools/hook-functions
|
||||
copy_exec /sbin/sysctl /sbin
|
||||
copy_exec /usr/sbin/sysctl /usr/sbin
|
||||
|
@ -14,78 +14,78 @@ options nf_conntrack nf_conntrack_helper=0
|
||||
#
|
||||
## Now replaced by a privacy and security preserving default bluetooth configuration for better usability
|
||||
#
|
||||
# install bluetooth /bin/disabled-bluetooth-by-security-misc
|
||||
# install btusb /bin/disabled-bluetooth-by-security-misc
|
||||
# install bluetooth /usr/bin/disabled-bluetooth-by-security-misc
|
||||
# install btusb /usr/bin/disabled-bluetooth-by-security-misc
|
||||
|
||||
## Disable thunderbolt and firewire modules to prevent some DMA attacks
|
||||
install thunderbolt /bin/disabled-thunderbolt-by-security-misc
|
||||
install firewire-core /bin/disabled-firewire-by-security-misc
|
||||
install firewire_core /bin/disabled-firewire-by-security-misc
|
||||
install firewire-ohci /bin/disabled-firewire-by-security-misc
|
||||
install firewire_ohci /bin/disabled-firewire-by-security-misc
|
||||
install firewire_sbp2 /bin/disabled-firewire-by-security-misc
|
||||
install firewire-sbp2 /bin/disabled-firewire-by-security-misc
|
||||
install ohci1394 /bin/disabled-firewire-by-security-misc
|
||||
install sbp2 /bin/disabled-firewire-by-security-misc
|
||||
install dv1394 /bin/disabled-firewire-by-security-misc
|
||||
install raw1394 /bin/disabled-firewire-by-security-misc
|
||||
install video1394 /bin/disabled-firewire-by-security-misc
|
||||
install thunderbolt /usr/bin/disabled-thunderbolt-by-security-misc
|
||||
install firewire-core /usr/bin/disabled-firewire-by-security-misc
|
||||
install firewire_core /usr/bin/disabled-firewire-by-security-misc
|
||||
install firewire-ohci /usr/bin/disabled-firewire-by-security-misc
|
||||
install firewire_ohci /usr/bin/disabled-firewire-by-security-misc
|
||||
install firewire_sbp2 /usr/bin/disabled-firewire-by-security-misc
|
||||
install firewire-sbp2 /usr/bin/disabled-firewire-by-security-misc
|
||||
install ohci1394 /usr/bin/disabled-firewire-by-security-misc
|
||||
install sbp2 /usr/bin/disabled-firewire-by-security-misc
|
||||
install dv1394 /usr/bin/disabled-firewire-by-security-misc
|
||||
install raw1394 /usr/bin/disabled-firewire-by-security-misc
|
||||
install video1394 /usr/bin/disabled-firewire-by-security-misc
|
||||
|
||||
## Disable CPU MSRs as they can be abused to write to arbitrary memory.
|
||||
## https://security.stackexchange.com/questions/119712/methods-root-can-use-to-elevate-itself-to-kernel-mode
|
||||
install msr /bin/disabled-msr-by-security-misc
|
||||
install msr /usr/bin/disabled-msr-by-security-misc
|
||||
|
||||
## Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilties.
|
||||
## Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these.
|
||||
## > Debian ships a long list of modules for wide support of devices, filesystems, protocols. Some of these modules have a pretty bad security track record, and some of those are simply not used by most of our users.
|
||||
## > Other distributions like Ubuntu[1] and Fedora[2] already ship a blacklist for various network protocols which aren't much in use by users and have a poor security track record.
|
||||
install dccp /bin/disabled-network-by-security-misc
|
||||
install sctp /bin/disabled-network-by-security-misc
|
||||
install rds /bin/disabled-network-by-security-misc
|
||||
install tipc /bin/disabled-network-by-security-misc
|
||||
install n-hdlc /bin/disabled-network-by-security-misc
|
||||
install ax25 /bin/disabled-network-by-security-misc
|
||||
install netrom /bin/disabled-network-by-security-misc
|
||||
install x25 /bin/disabled-network-by-security-misc
|
||||
install rose /bin/disabled-network-by-security-misc
|
||||
install decnet /bin/disabled-network-by-security-misc
|
||||
install econet /bin/disabled-network-by-security-misc
|
||||
install af_802154 /bin/disabled-network-by-security-misc
|
||||
install ipx /bin/disabled-network-by-security-misc
|
||||
install appletalk /bin/disabled-network-by-security-misc
|
||||
install psnap /bin/disabled-network-by-security-misc
|
||||
install p8023 /bin/disabled-network-by-security-misc
|
||||
install p8022 /bin/disabled-network-by-security-misc
|
||||
install can /bin/disabled-network-by-security-misc
|
||||
install atm /bin/disabled-network-by-security-misc
|
||||
install dccp /usr/bin/disabled-network-by-security-misc
|
||||
install sctp /usr/bin/disabled-network-by-security-misc
|
||||
install rds /usr/bin/disabled-network-by-security-misc
|
||||
install tipc /usr/bin/disabled-network-by-security-misc
|
||||
install n-hdlc /usr/bin/disabled-network-by-security-misc
|
||||
install ax25 /usr/bin/disabled-network-by-security-misc
|
||||
install netrom /usr/bin/disabled-network-by-security-misc
|
||||
install x25 /usr/bin/disabled-network-by-security-misc
|
||||
install rose /usr/bin/disabled-network-by-security-misc
|
||||
install decnet /usr/bin/disabled-network-by-security-misc
|
||||
install econet /usr/bin/disabled-network-by-security-misc
|
||||
install af_802154 /usr/bin/disabled-network-by-security-misc
|
||||
install ipx /usr/bin/disabled-network-by-security-misc
|
||||
install appletalk /usr/bin/disabled-network-by-security-misc
|
||||
install psnap /usr/bin/disabled-network-by-security-misc
|
||||
install p8023 /usr/bin/disabled-network-by-security-misc
|
||||
install p8022 /usr/bin/disabled-network-by-security-misc
|
||||
install can /usr/bin/disabled-network-by-security-misc
|
||||
install atm /usr/bin/disabled-network-by-security-misc
|
||||
|
||||
## Disable uncommon file systems to reduce attack surface
|
||||
## HFS and HFS+ are legacy Apple filesystems that may be required depending on the EFI parition format
|
||||
install cramfs /bin/disabled-filesys-by-security-misc
|
||||
install freevxfs /bin/disabled-filesys-by-security-misc
|
||||
install jffs2 /bin/disabled-filesys-by-security-misc
|
||||
install hfs /bin/disabled-filesys-by-security-misc
|
||||
install hfsplus /bin/disabled-filesys-by-security-misc
|
||||
install udf /bin/disabled-filesys-by-security-misc
|
||||
install cramfs /usr/bin/disabled-filesys-by-security-misc
|
||||
install freevxfs /usr/bin/disabled-filesys-by-security-misc
|
||||
install jffs2 /usr/bin/disabled-filesys-by-security-misc
|
||||
install hfs /usr/bin/disabled-filesys-by-security-misc
|
||||
install hfsplus /usr/bin/disabled-filesys-by-security-misc
|
||||
install udf /usr/bin/disabled-filesys-by-security-misc
|
||||
|
||||
## Disable uncommon network file systems to reduce attack surface
|
||||
install cifs /bin/disabled-netfilesys-by-security-misc
|
||||
install nfs /bin/disabled-netfilesys-by-security-misc
|
||||
install nfsv3 /bin/disabled-netfilesys-by-security-misc
|
||||
install nfsv4 /bin/disabled-netfilesys-by-security-misc
|
||||
install ksmbd /bin/disabled-netfilesys-by-security-misc
|
||||
install gfs2 /bin/disabled-netfilesys-by-security-misc
|
||||
install cifs /usr/bin/disabled-netfilesys-by-security-misc
|
||||
install nfs /usr/bin/disabled-netfilesys-by-security-misc
|
||||
install nfsv3 /usr/bin/disabled-netfilesys-by-security-misc
|
||||
install nfsv4 /usr/bin/disabled-netfilesys-by-security-misc
|
||||
install ksmbd /usr/bin/disabled-netfilesys-by-security-misc
|
||||
install gfs2 /usr/bin/disabled-netfilesys-by-security-misc
|
||||
|
||||
## Disables the vivid kernel module as it's only required for testing and has been the cause of multiple vulnerabilities
|
||||
## https://forums.whonix.org/t/kernel-recompilation-for-better-hardening/7598/233
|
||||
## https://www.openwall.com/lists/oss-security/2019/11/02/1
|
||||
## https://github.com/a13xp0p0v/kconfig-hardened-check/commit/981bd163fa19fccbc5ce5d4182e639d67e484475
|
||||
install vivid /bin/disabled-vivid-by-security-misc
|
||||
install vivid /usr/bin/disabled-vivid-by-security-misc
|
||||
|
||||
## Disable Intel Management Engine (ME) interface with the OS
|
||||
## https://www.kernel.org/doc/html/latest/driver-api/mei/mei.html
|
||||
install mei /bin/disabled-intelme-by-security-misc
|
||||
install mei-me /bin/disabled-intelme-by-security-misc
|
||||
install mei /usr/bin/disabled-intelme-by-security-misc
|
||||
install mei-me /usr/bin/disabled-intelme-by-security-misc
|
||||
|
||||
## Blacklist automatic loading of the Atheros 5K RF MACs madwifi driver
|
||||
## https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-ath_pci.conf?h=ubuntu/disco
|
||||
@ -143,7 +143,7 @@ blacklist udlfb
|
||||
## Disable CD-ROM devices
|
||||
## https://nvd.nist.gov/vuln/detail/CVE-2018-11506
|
||||
## https://forums.whonix.org/t/blacklist-more-kernel-modules-to-reduce-attack-surface/7989/31
|
||||
#install cdrom /bin/disabled-cdrom-by-security-misc
|
||||
#install sr_mod /bin/disabled-cdrom-by-security-misc
|
||||
#install cdrom /usr/bin/disabled-cdrom-by-security-misc
|
||||
#install sr_mod /usr/bin/disabled-cdrom-by-security-misc
|
||||
blacklist cdrom
|
||||
blacklist sr_mod
|
||||
|
@ -36,14 +36,14 @@
|
||||
|
||||
## In case you need to use 'su'. See also:
|
||||
## https://www.kicksecure.com/wiki/root#su
|
||||
#/bin/su exactwhitelist
|
||||
#/usr/bin/su exactwhitelist
|
||||
#/usr/bin/su exactwhitelist
|
||||
|
||||
## https://manpages.debian.org/xserver-xorg-legacy/Xorg.wrap.1.en.html
|
||||
## https://lwn.net/Articles/590315/
|
||||
## https://forums.whonix.org/t/suid-disabler-and-permission-hardener/7706/35
|
||||
#/usr/lib/xorg/Xorg.wrap whitelist
|
||||
#/lib/xorg/Xorg.wrap whitelist
|
||||
#/usr/lib/xorg/Xorg.wrap whitelist
|
||||
|
||||
######################################################################
|
||||
# SUID whitelist matches in any section of the path: matchwhitelist
|
||||
@ -51,7 +51,7 @@
|
||||
|
||||
## Examples below are already configured:
|
||||
#ssh-agent matchwhitelist
|
||||
#/lib/openssh matchwhitelist
|
||||
#/usr/lib/openssh matchwhitelist
|
||||
|
||||
######################################################################
|
||||
# Permission Hardening
|
||||
@ -62,7 +62,7 @@
|
||||
/boot/ 0700 root root
|
||||
/etc/permission-hardener.d 0600 root root
|
||||
/usr/local/etc/permission-hardener.d 0600 root root
|
||||
/lib/modules/ 0700 root root
|
||||
/usr/lib/modules/ 0700 root root
|
||||
/usr/src 0700 root root
|
||||
/etc/cups/cupsd.conf 0400 root root
|
||||
/etc/syslog.conf 0600 root root
|
||||
@ -93,25 +93,25 @@
|
||||
##
|
||||
## Remove all SUID/SGID binaries/libraries.
|
||||
|
||||
/bin/ nosuid
|
||||
/usr/bin/ nosuid
|
||||
/usr/local/bin/ nosuid
|
||||
|
||||
/usr/bin/ nosuid
|
||||
/usr/local/usr/bin/ nosuid
|
||||
|
||||
/sbin/ nosuid
|
||||
/usr/sbin/ nosuid
|
||||
/usr/local/sbin/ nosuid
|
||||
|
||||
/usr/sbin/ nosuid
|
||||
/usr/local/usr/sbin/ nosuid
|
||||
|
||||
/lib/ nosuid
|
||||
/usr/lib/ nosuid
|
||||
/usr/local/lib/ nosuid
|
||||
|
||||
/lib32/ nosuid
|
||||
/usr/lib32/ nosuid
|
||||
/usr/local/lib32/ nosuid
|
||||
|
||||
/lib64/ nosuid
|
||||
/usr/lib64/ nosuid
|
||||
/usr/local/lib64/ nosuid
|
||||
|
||||
/usr/lib/ nosuid
|
||||
@ -134,7 +134,7 @@
|
||||
## Ping doesn't work with Tor anyway so its capabilities are removed to
|
||||
## reduce attack surface.
|
||||
## anon-apps-config does this.
|
||||
#/bin/ping 0744 root root none
|
||||
#/usr/bin/ping 0744 root root none
|
||||
|
||||
## TODO: research
|
||||
#/usr/lib/x86_64-linux-gnu/gstreamer1.0/grstreamer-1.0/gst-ptp-helper 0744 root root none
|
||||
|
@ -221,7 +221,7 @@ add_nosuid_statoverride_entry() {
|
||||
# shellcheck disable=SC2086
|
||||
echo_wrapper_silent_audit dpkg-statoverride ${dpkg_admindir_parameter_new_mode} --add "${existing_owner}" "${existing_group}" "${new_mode}" "${file_name}"
|
||||
|
||||
## /lib will hit ARG_MAX if using bash 'shopt -s globstar' and '/lib/**'.
|
||||
## /usr/lib will hit ARG_MAX if using bash 'shopt -s globstar' and '/usr/lib/**'.
|
||||
## Using 'find' with '-perm /u=s,g=s' is faster and avoids ARG_MAX.
|
||||
## https://forums.whonix.org/t/disable-suid-binaries/7706/17
|
||||
done < <(find "${fso_to_process}" -perm /u=s,g=s -print0 | xargs -I{} -0 stat -c "%n %a %U %G" {})
|
||||
|
@ -15,7 +15,7 @@
|
||||
## /etc/sysctl.d/30-lkrg-virtualbox.conf
|
||||
## by package security-misc, files:
|
||||
## /usr/share/security-misc/lkrg/lkrg-virtualbox
|
||||
## /lib/systemd/system/lkrg.service.d/40-virtualbox.conf
|
||||
## /usr/lib/systemd/system/lkrg.service.d/40-virtualbox.conf
|
||||
|
||||
## https://forums.whonix.org/t/linux-kernel-runtime-guard-lkrg-linux-kernel-runtime-integrity-checking-and-exploit-detection/8477/32
|
||||
## https://www.openwall.com/lists/lkrg-users/2020/01/24/2
|
||||
@ -24,7 +24,7 @@
|
||||
## https://github.com/openwall/lkrg/blob/main/scripts/bootup/lkrg.conf
|
||||
## https://github.com/openwall/lkrg/blob/main/scripts/bootup/systemd/lkrg.service
|
||||
## /etc/sysctl.d/30-lkrg-dkms.conf
|
||||
## /lib/systemd/system/lkrg.service
|
||||
## /usr/lib/systemd/system/lkrg.service
|
||||
|
||||
## https://github.com/openwall/lkrg/issues/82#issuecomment-886188999
|
||||
lkrg.pcfi_validate = 1
|
||||
|
Loading…
Reference in New Issue
Block a user