From 01c839c815b7f8c16c231bbd72da1673ad88fdb7 Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Tue, 25 Jun 2019 19:16:43 +0000 Subject: [PATCH 1/6] Restrict what the SysRq key can do --- etc/sysctl.d/sysrq.conf | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 etc/sysctl.d/sysrq.conf diff --git a/etc/sysctl.d/sysrq.conf b/etc/sysctl.d/sysrq.conf new file mode 100644 index 0000000..266e275 --- /dev/null +++ b/etc/sysctl.d/sysrq.conf @@ -0,0 +1,2 @@ +# Allow only rebooting/shutting down with the SysRq key. +kernel.sysrq=128 From 382e336f69097f3baa7693da6aaf8833b05cf322 Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Tue, 25 Jun 2019 19:20:27 +0000 Subject: [PATCH 2/6] Create remove-system.map --- usr/lib/security-misc/remove-system.map | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 usr/lib/security-misc/remove-system.map diff --git a/usr/lib/security-misc/remove-system.map b/usr/lib/security-misc/remove-system.map new file mode 100644 index 0000000..75edbbe --- /dev/null +++ b/usr/lib/security-misc/remove-system.map @@ -0,0 +1,6 @@ +#!/bin/bash + +# Removes the System.map files as they are only used for debugging or malware. +if [ -f /boot/System.map-* ]; then + rm /boot/System.map-* +fi From 3116a56f1353681fbb97d4e7f92ee069f2577b33 Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Tue, 25 Jun 2019 19:25:32 +0000 Subject: [PATCH 3/6] Create remove-system-map.service --- lib/systemd/system/remove-system-map.service | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 lib/systemd/system/remove-system-map.service diff --git a/lib/systemd/system/remove-system-map.service b/lib/systemd/system/remove-system-map.service new file mode 100644 index 0000000..03720f9 --- /dev/null +++ b/lib/systemd/system/remove-system-map.service @@ -0,0 +1,9 @@ +[Unit] +Description=Removes the System.map files + +[Service] +Type=oneshot +Execstart=/usr/lib/security-misc/remove-system.map + +[Install] +WantedBy=multi-user.target From 8ef0db17e6a9c066b50a021292aab80a7523cbb6 Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Wed, 26 Jun 2019 12:59:45 +0000 Subject: [PATCH 4/6] Use a for loop to detect if System.map exists --- usr/lib/security-misc/remove-system.map | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/usr/lib/security-misc/remove-system.map b/usr/lib/security-misc/remove-system.map index 75edbbe..8e723f9 100644 --- a/usr/lib/security-misc/remove-system.map +++ b/usr/lib/security-misc/remove-system.map @@ -1,6 +1,9 @@ #!/bin/bash # Removes the System.map files as they are only used for debugging or malware. -if [ -f /boot/System.map-* ]; then - rm /boot/System.map-* -fi +for file in /boot/System.map-* +do + if [ -f "${file}" ]; then + rm "${file}" + fi +done From 9392c8deb2657d3ff2c3734fb8bf1863d4e2a2d7 Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Wed, 26 Jun 2019 15:03:54 +0000 Subject: [PATCH 5/6] Update remove-system.map --- usr/lib/security-misc/remove-system.map | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/usr/lib/security-misc/remove-system.map b/usr/lib/security-misc/remove-system.map index 8e723f9..10071f8 100644 --- a/usr/lib/security-misc/remove-system.map +++ b/usr/lib/security-misc/remove-system.map @@ -1,9 +1,14 @@ #!/bin/bash +## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP +## See the file COPYING for copying conditions. + +shopt -s nullglob + # Removes the System.map files as they are only used for debugging or malware. -for file in /boot/System.map-* +for filename in /boot/System.map-* do - if [ -f "${file}" ]; then - rm "${file}" + if [ -f "${filename}" ]; then + rm -f "${filename}" fi done From b8091850082fe1b956d6cff11fc7aa17786e693e Mon Sep 17 00:00:00 2001 From: madaidan <50278627+madaidan@users.noreply.github.com> Date: Thu, 27 Jun 2019 16:09:52 +0000 Subject: [PATCH 6/6] Update remove-system-map.service --- lib/systemd/system/remove-system-map.service | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/systemd/system/remove-system-map.service b/lib/systemd/system/remove-system-map.service index 03720f9..89a028b 100644 --- a/lib/systemd/system/remove-system-map.service +++ b/lib/systemd/system/remove-system-map.service @@ -3,7 +3,7 @@ Description=Removes the System.map files [Service] Type=oneshot -Execstart=/usr/lib/security-misc/remove-system.map +ExecStart=/usr/lib/security-misc/remove-system.map [Install] WantedBy=multi-user.target