From 39d063d494cb540f45747f6253ab896200ba03c3 Mon Sep 17 00:00:00 2001
From: raja-grewal
Date: Thu, 26 Sep 2024 13:09:21 +0000
Subject: [PATCH] Add KSPP=no definition

---
 etc/default/grub.d/40_cpu_mitigations.cfg | 1 +
 etc/default/grub.d/40_kernel_hardening.cfg | 1 +
 etc/default/grub.d/40_remount_secure.cfg | 1 +
 etc/default/grub.d/40_signed_modules.cfg | 1 +
 etc/default/grub.d/41_quiet_boot.cfg | 1 +
 usr/lib/sysctl.d/30_security-misc_kexec-disable.conf | 1 +
 usr/lib/sysctl.d/30_silent-kernel-printk.conf | 1 +
 usr/lib/sysctl.d/990-security-misc.conf | 1 +
 8 files changed, 8 insertions(+)

diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg
index 529b626..5960e14 100644
--- a/etc/default/grub.d/40_cpu_mitigations.cfg
+++ b/etc/default/grub.d/40_cpu_mitigations.cfg
@@ -4,6 +4,7 @@
 ## Definitions:
 ## KSPP=yes: compliant with recommendations by the KSPP
 ## KSPP=partial: partially compliant with recommendations by the KSPP
+## KSPP=no: not (currently) compliant with recommendations by the KSPP
 
 ## Enable known mitigations for CPU vulnerabilities.
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg
index 49435d9..ad7e61a 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@@ -8,6 +8,7 @@ kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || tru
 ## Definitions:
 ## KSPP=yes: compliant with recommendations by the KSPP
 ## KSPP=partial: partially compliant with recommendations by the KSPP
+## KSPP=no: not (currently) compliant with recommendations by the KSPP
 
 ## This configuration file is split into 4 sections:
 ## 1. Kernel Space
diff --git a/etc/default/grub.d/40_remount_secure.cfg b/etc/default/grub.d/40_remount_secure.cfg
index 4593820..f92991a 100644
--- a/etc/default/grub.d/40_remount_secure.cfg
+++ b/etc/default/grub.d/40_remount_secure.cfg
@@ -4,6 +4,7 @@
 ## Definitions:
 ## KSPP=yes: compliant with recommendations by the KSPP
 ## KSPP=partial: partially compliant with recommendations by the KSPP
+## KSPP=no: not (currently) compliant with recommendations by the KSPP
 
 ## Remount Secure provides enhanced security via mount options:
 ## https://www.kicksecure.com/wiki/Security-misc#Remount_Secure
diff --git a/etc/default/grub.d/40_signed_modules.cfg b/etc/default/grub.d/40_signed_modules.cfg
index 788eeb1..b33dceb 100644
--- a/etc/default/grub.d/40_signed_modules.cfg
+++ b/etc/default/grub.d/40_signed_modules.cfg
@@ -4,6 +4,7 @@
 ## Definitions:
 ## KSPP=yes: compliant with recommendations by the KSPP
 ## KSPP=partial: partially compliant with recommendations by the KSPP
+## KSPP=no: not (currently) compliant with recommendations by the KSPP
 
 ## Require every kernel module to be signed before being loaded.
 ## Any module that is unsigned or signed with an invalid key cannot be loaded.
diff --git a/etc/default/grub.d/41_quiet_boot.cfg b/etc/default/grub.d/41_quiet_boot.cfg
index 86c8660..33b412d 100644
--- a/etc/default/grub.d/41_quiet_boot.cfg
+++ b/etc/default/grub.d/41_quiet_boot.cfg
@@ -4,6 +4,7 @@
 ## Definitions:
 ## KSPP=yes: compliant with recommendations by the KSPP
 ## KSPP=partial: partially compliant with recommendations by the KSPP
+## KSPP=no: not (currently) compliant with recommendations by the KSPP
 
 ## Some default configuration files automatically include the "quiet" parameter.
 ## Therefore, first remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT since "quiet" must be first.
diff --git a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf
index 74ab6f5..da77fd7 100644
--- a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf
+++ b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf
@@ -4,6 +4,7 @@
 ## Definitions:
 ## KSPP=yes: compliant with recommendations by the KSPP
 ## KSPP=partial: partially compliant with recommendations by the KSPP
+## KSPP=no: not (currently) compliant with recommendations by the KSPP
 
 ## NOTE:
 ## This configuration is in a dedicated file because the ram-wipe package
diff --git a/usr/lib/sysctl.d/30_silent-kernel-printk.conf b/usr/lib/sysctl.d/30_silent-kernel-printk.conf
index b07fae9..44b0b25 100644
--- a/usr/lib/sysctl.d/30_silent-kernel-printk.conf
+++ b/usr/lib/sysctl.d/30_silent-kernel-printk.conf
@@ -4,6 +4,7 @@
 ## Definitions:
 ## KSPP=yes: compliant with recommendations by the KSPP
 ## KSPP=partial: partially compliant with recommendations by the KSPP
+## KSPP=no: not (currently) compliant with recommendations by the KSPP
 
 ## Prevent kernel information leaks in the console during boot.
 ## Must be used in conjunction with kernel boot parameters.
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index e633df1..c404553 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -9,6 +9,7 @@
 ## Definitions:
 ## KSPP=yes: compliant with recommendations by the KSPP
 ## KSPP=partial: partially compliant with recommendations by the KSPP
+## KSPP=no: not (currently) compliant with recommendations by the KSPP
 
 ## This configuration file is divided into 5 sections:
 ## 1. Kernel Space