From 14d13fb03ed627cfb378873ad46f4d3ac795a9f6 Mon Sep 17 00:00:00 2001 From: Patrick Schleizer Date: Tue, 19 Jan 2021 19:41:42 -0500 Subject: [PATCH] readme --- README_generic.md | 333 +--------------------------------------------- 1 file changed, 3 insertions(+), 330 deletions(-) diff --git a/README_generic.md b/README_generic.md index 58e54fd..b046222 100644 --- a/README_generic.md +++ b/README_generic.md @@ -1,335 +1,8 @@ -# enhances misc security settings # +# Enhances Miscellaneous Security Settings # -Inspired by Kernel Self Protection Project (KSPP) +https://github.com/Whonix/security-misc/blob/master/README.md -* Implements most if not all recommended Linux kernel settings (sysctl) and -kernel parameters by KSPP. - -* https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project - -kernel hardening: - -* deactivates Netfilter's connection tracking helper -Netfilter's connection tracking helper module increases kernel attack -surface by enabling superfluous functionality such as IRC parsing in -the kernel. (!) Hence, this package disables this feature by shipping the -`/etc/modprobe.d/30_security-misc.conf` configuration file. - -* Kernel symbols in various files in `/proc` are hidden as they can be -very useful for kernel exploits. - -* Kexec is disabled as it can be used to load a malicious kernel. -`/etc/modprobe.d/30_security-misc.conf` - -* ASLR effectiveness for mmap is increased. - -* The TCP/IP stack is hardened by disabling ICMP redirect acceptance, -ICMP redirect sending and source routing to prevent man-in-the-middle attacks, -ignoring all ICMP requests, enabling TCP syncookies to prevent SYN flood -attacks, enabling RFC1337 to protect against time-wait assassination -attacks and enabling reverse path filtering to prevent IP spoofing and -mitigate vulnerabilities such as CVE-2019-14899. - -* Avoids unintentional writes to attacker-controlled files. - -* Prevents symlink/hardlink TOCTOU races. - -* SACK can be disabled as it is commonly exploited and is rarely used by -uncommenting settings in file `/etc/sysctl.d/30_security-misc.conf`. - -* Slab merging is disabled as sometimes a slab can be used in a vulnerable -way which an attacker can exploit. - -* Sanity checks and redzoning are enabled. - -* Memory zeroing at allocation and free time is enabled. - -* The machine check tolerance level is decreased which makes the kernel panic -on uncorrectable errors in ECC memory that could be exploited. - -* Kernel Page Table Isolation is enabled to mitigate Meltdown and increase -KASLR effectiveness. - -* Enables all mitigations for CPU vulnerabilities and disables SMT. - -* A systemd service clears System.map on boot as these contain kernel symbols -that could be useful to an attacker. -`/etc/kernel/postinst.d/30_remove-system-map` -`/lib/systemd/system/remove-system-map.service` -`/usr/lib/security-misc/remove-system.map` - -* Coredumps are disabled as they may contain important information such as -encryption keys or passwords. -`/etc/security/limits.d/30_security-misc.conf` -`/etc/sysctl.d/30_security-misc.conf` -`/lib/systemd/coredump.conf.d/30_security-misc.conf` - -* The thunderbolt and firewire kernel modules are blacklisted as they can be -used for DMA (Direct Memory Access) attacks. - -* IOMMU is enabled with a boot parameter to prevent DMA attacks. - -* Bluetooth is blacklisted to reduce attack surface. Bluetooth also has -a history of security concerns. -https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns -`/etc/modprobe.d/30_security-misc.conf` - -* A systemd service restricts `/proc/cpuinfo`, `/proc/bus`, `/proc/scsi` and -`/sys` to the root user only. This hides a lot of hardware identifiers from -unprivileged users and increases security as `/sys` exposes a lot of -information that shouldn't be accessible to unprivileged users. As this will -break many things, it is disabled by default and can optionally be enabled by -running `systemctl enable hide-hardware-info.service` as root. -`/usr/lib/security-misc/hide-hardware-info` -`/lib/systemd/system/hide-hardware-info.service` -`/lib/systemd/system/user@.service.d/sysfs.conf` -`/etc/hide-hardware-info.d/30_default.conf` - -* The MSR kernel module is blacklisted to prevent CPU MSRs from being -abused to write to arbitrary memory. - -* Vsyscalls are disabled as they are obsolete, are at fixed addresses and are -a target for ROP. - -* Page allocator freelist randomization is enabled. - -* The vivid kernel module is blacklisted as it's only required for testing -and has been the cause of multiple vulnerabilities. - -* An initramfs hook sets the sysctl values in `/etc/sysctl.conf` and -`/etc/sysctl.d` before init is executed so sysctl hardening is enabled -as early as possible. - -* The kernel panics on oopses to prevent it from continuing to run a flawed -process and to deter brute forcing. - -* Restricts the SysRq key so it can only be used for shutdowns and the -Secure Attention Key. - -* Restricts loading line disciplines to `CAP_SYS_MODULE`. - -* Restricts the `userfaultfd()` syscall to root. - -* Access to debugfs is restricted as it can contain a lot of sensitive -information. - -Improve Entropy Collection - -* Load `jitterentropy_rng` kernel module. -`/usr/lib/modules-load.d/30_security-misc.conf` - -* Distrusts the CPU for initial entropy at boot as it is not possible to -audit, may contain weaknesses or a backdoor. -* https://en.wikipedia.org/wiki/RDRAND#Reception -* https://twitter.com/pid_eins/status/1149649806056280069 -* For more references, see: -* `/etc/default/grub.d/40_distrust_cpu.cfg` - -* Gathers more entropy during boot if using the linux-hardened kernel patch. - -Uncommon network protocols are blacklisted: -These are rarely used and may have unknown vulnerabilities. -`/etc/modprobe.d/30_security-misc.conf` -The network protocols that are blacklisted are: - -* DCCP - Datagram Congestion Control Protocol -* SCTP - Stream Control Transmission Protocol -* RDS - Reliable Datagram Sockets -* TIPC - Transparent Inter-process Communication -* HDLC - High-Level Data Link Control -* AX25 - Amateur X.25 -* NetRom -* X25 -* ROSE -* DECnet -* Econet -* af_802154 - IEEE 802.15.4 -* IPX - Internetwork Packet Exchange -* AppleTalk -* PSNAP - Subnetwork Access Protocol -* p8023 - Novell raw IEEE 802.3 -* p8022 - IEEE 802.2 - -user restrictions: - -* remount `/home`, `/tmp`, `/dev/shm` and `/run` with `nosuid,nodev` -(default) and `noexec` (opt-in). To disable this, run -`sudo touch /etc/remount-disable`. To opt-in `noexec`, run -`sudo touch /etc/noexec` and reboot (easiest). -Alternatively file `/usr/local/etc/remount-disable` or file -`/usr/local/etc/noexec` could be used. -`/lib/systemd/system/remount-secure.service` -`/usr/lib/security-misc/remount-secure` - -* An optional systemd service mounts `/proc` with `hidepid=2` at boot to -prevent users from seeing each other's processes. Not enabled because not -compatible with pkexec. - -* The kernel logs are restricted to root only. - -* The BPF JIT compiler is restricted to the root user and is hardened. - -* The ptrace system call is restricted to the root user only. - -restricts access to the root account: - -* `su` is restricted to only users within the group `sudo` which prevents -users from using `su` to gain root access or to switch user accounts. -`/usr/share/pam-configs/wheel-security-misc` -(Which results in a change in file `/etc/pam.d/common-auth`.) - -* Add user `root` to group `sudo`. This is required to make above work so -login as a user in a virtual console is still possible. -`debian/security-misc.postinst` - -* Abort login for users with locked passwords. -`/usr/lib/security-misc/pam-abort-on-locked-password` - -* Logging into the root account from a virtual, serial, whatnot console is -prevented by shipping an existing and empty `/etc/securetty`. -(Deletion of `/etc/securetty` has a different effect.) -`/etc/securetty.security-misc` - -* Console Lockdown. -Allow members of group 'console' to use console. -Everyone else except members of group -'console-unrestricted' are restricted from using console using ancient, -unpopular login methods such as using `/bin/login` over networks, which might -be exploitable. (CVE-2001-0797) Using pam_access. -Not enabled by default in this package since this package does not know which -users shall be added to group 'console' and would break console. -`/usr/share/pam-configs/console-lockdown-security-misc` -`/etc/security/access-security-misc.conf` - -Protect Linux user accounts against brute force attacks. -Lock user accounts after 50 failed login attempts using `pam_tally2`. -`/usr/share/pam-configs/tally2-security-misc` - -informational output during Linux PAM: - -* Show failed and remaining password attempts. -* Document unlock procedure if Linux user account got locked. -* Point out, that there is no password feedback for `su`. -* Explain locked (root) account if locked. -* `/usr/share/pam-configs/tally2-security-misc` -* `/usr/lib/security-misc/pam_tally2-info` -* `/usr/lib/security-misc/pam-abort-on-locked-password` - -access rights restrictions: - -* Strong Linux User Account Separation. -Removes read, write and execute access for others for all users who have -home folders under folder `/home` by running for example -"chmod o-rwx /home/user" -during package installation, upgrade or pam `mkhomedir`. This will be done -only once per folder in folder `/home` so users who wish to relax file -permissions are free to -do so. This is to protect previously created files in user home folder which -were previously created with lax file permissions prior installation of this -package. -`debian/security-misc.postinst` -`/usr/lib/security-misc/permission-lockdown` -`/usr/share/pam-configs/mkhomedir-security-misc` - -* SUID / GUID removal and permission hardening. -A systemd service removed SUID / GUID from non-essential binaries as these are -often used in privilege escalation attacks. -It is disabled by default for now during testing and can optionally be enabled -by running `systemctl enable permission-hardening.service` as root. -https://forums.whonix.org/t/disable-suid-binaries/7706 -`/usr/lib/security-misc/permission-hardening` -`/lib/systemd/system/permission-hardening.service` -`/etc/permission-hardening.d/30_default.conf` - -access rights relaxations: - -Redirect calls for `pkexec` to `lxqt-sudo` because `pkexec` is incompatible -with `hidepid`. -https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860040 -https://forums.whonix.org/t/cannot-use-pkexec/8129 -`/usr/bin/pkexec.security-misc` - -This package does (not yet) automatically lock the root account password. -It is not clear that would be sane in such a package. -It is recommended to lock and expire the root account. -In new Whonix builds, root account will be locked by package -dist-base-files. -https://www.whonix.org/wiki/Root -https://www.whonix.org/wiki/Dev/Permissions -https://forums.whonix.org/t/restrict-root-access/7658 -However, a locked root password will break rescue and emergency shell. -Therefore this package enables passwordless rescue and emergency shell. -This is the same solution that Debian will likely adapt for Debian -installer. -https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802211 -Adverse security effects can be prevented by setting up BIOS password -protection, grub password protection and/or full disk encryption. -`/etc/systemd/system/emergency.service.d/override.conf` -`/etc/systemd/system/rescue.service.d/override.conf` - -Let the kernel only swap if it is absolutely necessary. -`/etc/sysctl.d/30_security-misc.conf` - -Disables TCP Time Stamps: - -TCP time stamps (RFC 1323) allow for tracking clock -information with millisecond resolution. This may or may not allow an -attacker to learn information about the system clock at such -a resolution, depending on various issues such as network lag. -This information is available to anyone who monitors the network -somewhere between the attacked system and the destination server. -It may allow an attacker to find out how long a given -system has been running, and to distinguish several -systems running behind NAT and using the same IP address. It might -also allow one to look for clocks that match an expected value to find the -public IP used by a user. - -Hence, this package disables this feature by shipping the -`/etc/sysctl.d/30_security-misc.conf` configuration file. - -Note that TCP time stamps normally have some usefulness. They are -needed for: - -* the TCP protection against wrapped sequence numbers; however, to -trigger a wrap, one needs to send roughly 2^32 packets in one -minute: as said in RFC 1700, "The current recommended default -time to live (TTL) for the Internet Protocol (IP) [45,105] is 64". -So, this probably won't be a practical problem in the context -of Anonymity Distributions. -* "Round-Trip Time Measurement", which is only useful when the user -manages to saturate their connection. When using Anonymity Distributions, -probably the limiting factor for transmission speed is rarely the capacity -of the user connection. - -Application specific hardening: - -* Enables APT seccomp-BPF sandboxing. `/etc/apt/apt.conf.d/40sandbox` -* Deactivates previews in Dolphin. -* Deactivates previews in Nautilus. -`/usr/share/glib-2.0/schemas/30_security-misc.gschema.override` -* Deactivates thumbnails in Thunar. -* Enables punycode (`network.IDN_show_punycode`) by default in Thunderbird -to make phishing attacks more difficult. Fixing URL not showing real Domain -Name (Homograph attack). -* Security and privacy enhancements for gnupg's config file -`/etc/skel/.gnupg/gpg.conf`. See also: -https://raw.github.com/ioerror/torbirdy/master/gpg.conf -https://github.com/ioerror/torbirdy/pull/11 - -Want more? Look into these: - -* Linux Kernel Runtime Guard (LKRG) -* tirdad - TCP ISN CPU Information Leak Protection. -* Whonix ™ - Anonymous Operating System -* Kicksecure ™ - A Security-hardened, Non-anonymous Linux Distribution -* SecBrowser ™ - A Security-hardened, Non-anonymous Browser -* And more. -* https://www.whonix.org/wiki/Linux_Kernel_Runtime_Guard_LKRG -* https://github.com/Whonix/tirdad -* https://www.whonix.org -* https://www.whonix.org/wiki/Kicksecure -* https://www.whonix.org/wiki/SecBrowser -* https://github.com/Whonix +https://www.whonix.org/wiki/Security-misc Discussion: