From b26d861dffdbca124322cbfbda99ab71a3142e06 Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Fri, 28 Jun 2019 11:33:48 +0000 Subject: [PATCH 1/2] Update control --- debian/control | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/debian/control b/debian/control index 9c438de..818cb04 100644 --- a/debian/control +++ b/debian/control @@ -23,6 +23,8 @@ Description: enhances misc security settings deactivates thumbnails in Thunar; deactivates TCP timestamps; deactivates Netfilter's connection tracking helper; + implements some kernel hardening; + prevents DMA attacks; . TCP time stamps (RFC 1323) allow for tracking clock information with millisecond resolution. This may or may not allow an @@ -59,7 +61,7 @@ Description: enhances misc security settings the kernel. (!) . Hence, this package disables this feature by shipping the - /etc/sysctl.d/nf_conntrack_helper.conf configuration file. + /etc/modprobe.d/30_nf_conntrack_helper_disable.conf configuration file. . Kernel symbols in /proc/kallsyms are hidden to prevent malware from reading them and using them to learn more about what to attack on your system. @@ -95,3 +97,13 @@ Description: enhances misc security settings . DCCP, SCTP, TIPC and RDS are blacklisted as they are rarely used and may have unknown vulnerabilities. + + The kernel logs are restricted to root only. + + A systemd service clears System.map on boot as these contain kernel symbols that could be useful to an attacker. + + The SysRq key is restricted to only allow shutdowns/reboots. + + The thunderbolt and firewire modules are blacklisted as they can be used for DMA (Direct Memory Access) attacks. + + IOMMU is enabled with a boot parameter to prevent DMA attacks. From 9e9c854d274d7322759a9e5d2c49bcbd60e63e0d Mon Sep 17 00:00:00 2001 
From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Fri, 28 Jun 2019 11:34:35 +0000 Subject: [PATCH 2/2] Update control --- debian/control | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/debian/control b/debian/control index 818cb04..7219c2b 100644 --- a/debian/control +++ b/debian/control @@ -97,13 +97,13 @@ Description: enhances misc security settings . DCCP, SCTP, TIPC and RDS are blacklisted as they are rarely used and may have unknown vulnerabilities. - + . The kernel logs are restricted to root only. - + . A systemd service clears System.map on boot as these contain kernel symbols that could be useful to an attacker. - + . The SysRq key is restricted to only allow shutdowns/reboots. - + . The thunderbolt and firewire modules are blacklisted as they can be used for DMA (Direct Memory Access) attacks. - + . IOMMU is enabled with a boot parameter to prevent DMA attacks.
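Review bot: in the first hunk of patch 1 (@@ -23,6), the two new summary items are weaker than the ones around them: "implements some kernel hardening" does not say which settings are meant, while every neighbouring line names a concrete measure (Thunar thumbnails, TCP timestamps, the conntrack helper), and "prevents DMA attacks" overstates what a module blacklist plus an IOMMU boot parameter can do, since the parameter only has effect on hardware and firmware that actually provide an IOMMU. Suggest listing the hardening items the later paragraphs describe (kernel log restriction, SysRq restriction, System.map clearing) and wording the second line as "mitigates DMA attacks via thunderbolt/firewire".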
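Review bot: in the second hunk of patch 1 (@@ -59,7), the conntrack helper path moves from /etc/sysctl.d/nf_conntrack_helper.conf to /etc/modprobe.d/30_nf_conntrack_helper_disable.conf, which is a change of mechanism (a module option applied when the module loads rather than a sysctl applied at runtime), yet the sentence still only says "configuration file". State which option the file sets so a user can confirm it is in effect, and double-check the name matches the file the package ships, because this description is the user-facing reference for it.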
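Review bot: the third hunk of patch 1 (@@ -95,3) inserts paragraph separators as lines containing only a space, which is invalid inside a debian/control Description field: a continuation line must start with a space followed by text, and an intentionally blank line is written as " ." as the rest of the field already does. Patch 2 corrects exactly this, so squash it into patch 1 so no revision carries a malformed control file. Separately, the new paragraphs are less specific than the existing ones: "The kernel logs are restricted to root only", "The SysRq key is restricted to only allow shutdowns/reboots" and "IOMMU is enabled with a boot parameter" name neither the sysctl, the file nor the parameter involved, whereas the conntrack paragraph gives its path; and "clears System.map on boot as these contain" should read "as it contains" (or name the System.map files being cleared).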
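Review bot: the single hunk of patch 2 (@@ -97,13) only replaces the space-only separator lines from patch 1 with " ." and is the right fix for the Description field syntax, but it should not be a separate commit: fold it into patch 1 so the series is bisectable and the commit message can say what actually changed rather than "Update control" twice. The grammar slip "as these contain kernel symbols" in the System.map paragraph is carried over unchanged and could be fixed in the same squash.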