From 6a4c493213929b354a3c8d2acf2325473ae63cfd Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Fri, 24 Jan 2020 04:26:36 -0500
Subject: [PATCH] merge the many sysctl config files into 1 and use a name starting with double digits to make it easier to disable settings using a lexically higher config file

---
 debian/security-misc.maintscript | 13 ++++
 etc/sysctl.d/30_security-misc.conf | 114 +++++++++++++++++++++++++++++
 etc/sysctl.d/coredumps.conf | 6 --
 etc/sysctl.d/dmesg_restrict.conf | 5 --
 etc/sysctl.d/fs_protected.conf | 6 --
 etc/sysctl.d/harden_bpf.conf | 6 --
 etc/sysctl.d/kexec.conf | 11 ---
 etc/sysctl.d/kptr_restrict.conf | 8 --
 etc/sysctl.d/mmap_aslr.conf | 6 --
 etc/sysctl.d/ptrace_scope.conf | 10 ---
 etc/sysctl.d/suid_dumpable.conf | 5 --
 etc/sysctl.d/tcp_hardening.conf | 42 ----------
 etc/sysctl.d/tcp_sack.conf | 8 --
 etc/sysctl.d/tcp_timestamps.conf | 12 ---
 14 files changed, 127 insertions(+), 125 deletions(-)
 create mode 100644 etc/sysctl.d/30_security-misc.conf
 delete mode 100644 etc/sysctl.d/coredumps.conf
 delete mode 100644 etc/sysctl.d/dmesg_restrict.conf
 delete mode 100644 etc/sysctl.d/fs_protected.conf
 delete mode 100644 etc/sysctl.d/harden_bpf.conf
 delete mode 100644 etc/sysctl.d/kexec.conf
 delete mode 100644 etc/sysctl.d/kptr_restrict.conf
 delete mode 100644 etc/sysctl.d/mmap_aslr.conf
 delete mode 100644 etc/sysctl.d/ptrace_scope.conf
 delete mode 100644 etc/sysctl.d/suid_dumpable.conf
 delete mode 100644 etc/sysctl.d/tcp_hardening.conf
 delete mode 100644 etc/sysctl.d/tcp_sack.conf
 delete mode 100644 etc/sysctl.d/tcp_timestamps.conf

diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript
index 7441686..2ee7f0f 100644
--- a/debian/security-misc.maintscript
+++ b/debian/security-misc.maintscript
@@ -12,3 +12,16 @@ rm_conffile /etc/sysctl.d/sysrq.conf
 ## https://github.com/Whonix/security-misc/pull/45
 rm_conffile /etc/apparmor.d/usr.lib.security-misc.pam_tally2-info
 rm_conffile /etc/apparmor.d/usr.lib.security-misc.permission-lockdown
+
+rm_conffile /etc/sysctl.d/fs_protected.conf
+rm_conffile /etc/sysctl.d/kptr_restrict.conf
+rm_conffile /etc/sysctl.d/suid_dumpable.conf
+rm_conffile /etc/sysctl.d/harden_bpf.conf
+rm_conffile /etc/sysctl.d/ptrace_scope.conf
+rm_conffile /etc/sysctl.d/tcp_timestamps.conf
+rm_conffile /etc/sysctl.d/mmap_aslr.conf
+rm_conffile /etc/sysctl.d/dmesg_restrict.conf
+rm_conffile /etc/sysctl.d/coredumps.conf
+rm_conffile /etc/sysctl.d/kexec.conf
+rm_conffile /etc/sysctl.d/tcp_hardening.conf
+rm_conffile /etc/sysctl.d/tcp_sack.conf
diff --git a/etc/sysctl.d/30_security-misc.conf b/etc/sysctl.d/30_security-misc.conf
new file mode 100644
index 0000000..ae374de
--- /dev/null
+++ b/etc/sysctl.d/30_security-misc.conf
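Review bot: The twelve new `rm_conffile` lines drop the old per-setting fragments without telling an administrator where their overrides now have to live, and a locally edited copy of, say, `/etc/sysctl.d/ptrace_scope.conf` is kept by dpkg-maintscript-helper as `ptrace_scope.conf.dpkg-bak`, a name that sysctl.d does not read (only `*.conf` is globbed), so a deliberately loosened value silently stops applying after the upgrade while the stricter merged file takes effect. That is the safer direction, but it is an unannounced behaviour change for anyone who relied on editing those files; a comment above the block such as `## merged into /etc/sysctl.d/30_security-misc.conf; local edits to the removed files survive only as *.dpkg-bak and must be re-applied in a lexically later sysctl.d file` plus a changelog entry would make it discoverable. The entries omit the prior-version argument, which matches the existing lines above and only means the check is re-run on every upgrade.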
@@ -0,0 +1,114 @@
+## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Disables coredumps. This setting may be overwritten by systemd so this may not be useful.
+## security-misc also disables coredumps in other ways.
+kernel.core_pattern=|/bin/false
+
+
+## Restricts the kernel log to root only.
+kernel.dmesg_restrict=1
+
+
+## Makes some data spoofing attacks harder.
+fs.protected_fifos=2
+fs.protected_regular=2
+
+
+## Hardens the BPF JIT compiler and restricts it to root.
+kernel.unprivileged_bpf_disabled=1
+net.core.bpf_jit_harden=2
+
+
+## Quote https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html
+##
+## kexec_load_disabled:
+##
+## A toggle indicating if the kexec_load syscall has been disabled. This value defaults to 0 (false: kexec_load enabled), but can be set to 1 (true: kexec_load disabled). Once true, kexec can no longer be used, and the toggle cannot be set back to false. This allows a kexec image to be loaded before disabling the syscall, allowing a system to set up (and later use) an image without it being altered. Generally used together with the "modules_disabled" sysctl.
+
+## Disables kexec which can be used to replace the running kernel.
+kernel.kexec_load_disabled=1
+
+
+## Hides kernel addresses in various files in /proc.
+## Kernel addresses can be very useful in certain exploits.
+##
+## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
+kernel.kptr_restrict=2
+
+
+## Improves ASLR effectiveness for mmap.
+vm.mmap_rnd_bits=32
+vm.mmap_rnd_compat_bits=16
+
+
+## Restricts the use of ptrace to root. This might break some programs running under WINE.
+## A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. This can be done by running:
+##
+## sudo apt-get install libcap2-bin
+## sudo setcap cap_sys_ptrace=eip /usr/bin/wineserver
+## sudo setcap cap_sys_ptrace=eip /usr/bin/wine-preloader
+kernel.yama.ptrace_scope=2
+
+
+## Prevent setuid processes from creating coredumps.
+fs.suid_dumpable=0
+
+
+#### meta start
+#### project Kicksecure
+#### category networking and security
+#### description
+## TCP/IP stack hardening
+
+## Protects against time-wait assassination.
+## It drops RST packets for sockets in the time-wait state.
+net.ipv4.tcp_rfc1337=1
+
+## Disables ICMP redirect acceptance.
+net.ipv4.conf.all.accept_redirects=0
+net.ipv4.conf.default.accept_redirects=0
+net.ipv4.conf.all.secure_redirects=0
+net.ipv4.conf.default.secure_redirects=0
+net.ipv6.conf.all.accept_redirects=0
+net.ipv6.conf.default.accept_redirects=0
+
+## Disables ICMP redirect sending.
+net.ipv4.conf.all.send_redirects=0
+net.ipv4.conf.default.send_redirects=0
+
+## Ignores ICMP requests.
+net.ipv4.icmp_echo_ignore_all=1
+
+## Enables TCP syncookies.
+net.ipv4.tcp_syncookies=1
+
+## Disable source routing.
+net.ipv4.conf.all.accept_source_route=0
+net.ipv4.conf.default.accept_source_route=0
+
+## Enable reverse path filtering to prevent IP spoofing and
+## mitigate vulnerabilities such as CVE-2019-14899.
+## https://forums.whonix.org/t/enable-reverse-path-filtering/8594
+net.ipv4.conf.default.rp_filter=1
+net.ipv4.conf.all.rp_filter=1
+
+#### meta end
+
+
+## Disables SACK as it is commonly exploited and likely not needed.
+## https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109
+#net.ipv4.tcp_sack=0
+#net.ipv4.tcp_dsack=0
+#net.ipv4.tcp_fack=0
+
+
+#### meta start
+#### project Kicksecure
+#### category networking and security
+#### description
+## disable IPv4 TCP Timestamps
+
+net.ipv4.tcp_timestamps=0
+
+#### meta end
diff --git a/etc/sysctl.d/coredumps.conf b/etc/sysctl.d/coredumps.conf
deleted file mode 100644
index 79c2922..0000000
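Review bot: The name `30_security-misc.conf` in the `+++` header sorts before most vendor-shipped sysctl fragments, so the hardening in this hunk can be silently reverted: sysctl.d merges `/etc`, `/run` and `/usr/lib` into one lexically sorted list and the last file to set a key wins, with only an identically named `/etc` file shadowing a `/usr/lib` one. Distributions commonly ship `/usr/lib/sysctl.d/50-*.conf` fragments and Debian's `/etc/sysctl.d/99-sysctl.conf` symlink pulls in `/etc/sysctl.conf`, so values such as `fs.protected_regular=2`, `fs.protected_fifos=2` or `net.ipv4.conf.all.rp_filter=1` may be overwritten by weaker defaults on a real install — confirm with `sysctl --system` or `systemd-analyze cat-config sysctl.d` on a target system. A name that still sorts below an admin's `99-*`/`999-*` override but above vendor files, e.g. `990-security-misc.conf`, keeps the commit's "disable via a lexically later file" goal without losing to distro defaults; whichever number is chosen, the header comment should state the intended precedence, e.g. `## Sorts after vendor sysctl.d fragments; override individual keys from a lexically later file such as /etc/sysctl.d/999-local.conf`. Separately, `## Disables SACK as it is commonly exploited and likely not needed.` introduces three keys that are commented out, so reword it to `## SACK is deliberately left enabled; the settings below are kept for reference only, see:` to avoid readers assuming SACK is off.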
--- a/etc/sysctl.d/coredumps.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
-## See the file COPYING for copying conditions.
-
-## Disables coredumps. This setting may be overwritten by systemd so this may not be useful.
-## security-misc also disables coredumps in other ways.
-kernel.core_pattern=|/bin/false
diff --git a/etc/sysctl.d/dmesg_restrict.conf b/etc/sysctl.d/dmesg_restrict.conf
deleted file mode 100644
index 0883bd3..0000000
--- a/etc/sysctl.d/dmesg_restrict.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
-## See the file COPYING for copying conditions.
-
-## Restricts the kernel log to root only.
-kernel.dmesg_restrict=1
diff --git a/etc/sysctl.d/fs_protected.conf b/etc/sysctl.d/fs_protected.conf
deleted file mode 100644
index 19c3920..0000000
--- a/etc/sysctl.d/fs_protected.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
-## See the file COPYING for copying conditions.
-
-## Makes some data spoofing attacks harder.
-fs.protected_fifos=2
-fs.protected_regular=2
diff --git a/etc/sysctl.d/harden_bpf.conf b/etc/sysctl.d/harden_bpf.conf
deleted file mode 100644
index e1c84b4..0000000
--- a/etc/sysctl.d/harden_bpf.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
-## See the file COPYING for copying conditions.
-
-## Hardens the BPF JIT compiler and restricts it to root.
-kernel.unprivileged_bpf_disabled=1
-net.core.bpf_jit_harden=2
diff --git a/etc/sysctl.d/kexec.conf b/etc/sysctl.d/kexec.conf
deleted file mode 100644
index 6fc9689..0000000
--- a/etc/sysctl.d/kexec.conf
+++ /dev/null
@@ -1,11 +0,0 @@
-## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
-## See the file COPYING for copying conditions.
-
-## Quote https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html
-##
-## kexec_load_disabled:
-##
-## A toggle indicating if the kexec_load syscall has been disabled. This value defaults to 0 (false: kexec_load enabled), but can be set to 1 (true: kexec_load disabled). Once true, kexec can no longer be used, and the toggle cannot be set back to false. This allows a kexec image to be loaded before disabling the syscall, allowing a system to set up (and later use) an image without it being altered. Generally used together with the "modules_disabled" sysctl.
-
-## Disables kexec which can be used to replace the running kernel.
-kernel.kexec_load_disabled=1
diff --git a/etc/sysctl.d/kptr_restrict.conf b/etc/sysctl.d/kptr_restrict.conf
deleted file mode 100644
index 0ea871e..0000000
--- a/etc/sysctl.d/kptr_restrict.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
-## See the file COPYING for copying conditions.
-
-## Hides kernel addresses in various files in /proc.
-## Kernel addresses can be very useful in certain exploits.
-##
-## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
-kernel.kptr_restrict=2
diff --git a/etc/sysctl.d/mmap_aslr.conf b/etc/sysctl.d/mmap_aslr.conf
deleted file mode 100644
index e38151b..0000000
--- a/etc/sysctl.d/mmap_aslr.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
-## See the file COPYING for copying conditions.
-
-## Improves ASLR effectiveness for mmap.
-vm.mmap_rnd_bits=32
-vm.mmap_rnd_compat_bits=16
diff --git a/etc/sysctl.d/ptrace_scope.conf b/etc/sysctl.d/ptrace_scope.conf
deleted file mode 100644
index b48ad18..0000000
--- a/etc/sysctl.d/ptrace_scope.conf
+++ /dev/null
@@ -1,10 +0,0 @@
-## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
-## See the file COPYING for copying conditions.
-
-## Restricts the use of ptrace to root. This might break some programs running under WINE.
-## A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. This can be done by running:
-##
-## sudo apt-get install libcap2-bin
-## sudo setcap cap_sys_ptrace=eip /usr/bin/wineserver
-## sudo setcap cap_sys_ptrace=eip /usr/bin/wine-preloader
-kernel.yama.ptrace_scope=2
diff --git a/etc/sysctl.d/suid_dumpable.conf b/etc/sysctl.d/suid_dumpable.conf
deleted file mode 100644
index 54f19b6..0000000
--- a/etc/sysctl.d/suid_dumpable.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
-## See the file COPYING for copying conditions.
-
-## Prevent setuid processes from creating coredumps.
-fs.suid_dumpable=0
diff --git a/etc/sysctl.d/tcp_hardening.conf b/etc/sysctl.d/tcp_hardening.conf
deleted file mode 100644
index 85b6ddf..0000000
--- a/etc/sysctl.d/tcp_hardening.conf
+++ /dev/null
@@ -1,42 +0,0 @@
-## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
-## See the file COPYING for copying conditions.
-
-#### meta start
-#### project Kicksecure
-#### category networking and security
-#### description
-## TCP/IP stack hardening
-
-## Protects against time-wait assassination.
-## It drops RST packets for sockets in the time-wait state.
-net.ipv4.tcp_rfc1337=1
-
-## Disables ICMP redirect acceptance.
-net.ipv4.conf.all.accept_redirects=0
-net.ipv4.conf.default.accept_redirects=0
-net.ipv4.conf.all.secure_redirects=0
-net.ipv4.conf.default.secure_redirects=0
-net.ipv6.conf.all.accept_redirects=0
-net.ipv6.conf.default.accept_redirects=0
-
-## Disables ICMP redirect sending.
-net.ipv4.conf.all.send_redirects=0
-net.ipv4.conf.default.send_redirects=0
-
-## Ignores ICMP requests.
-net.ipv4.icmp_echo_ignore_all=1
-
-## Enables TCP syncookies.
-net.ipv4.tcp_syncookies=1
-
-## Disable source routing.
-net.ipv4.conf.all.accept_source_route=0
-net.ipv4.conf.default.accept_source_route=0
-
-## Enable reverse path filtering to prevent IP spoofing and
-## mitigate vulnerabilities such as CVE-2019-14899.
-## https://forums.whonix.org/t/enable-reverse-path-filtering/8594
-net.ipv4.conf.default.rp_filter=1
-net.ipv4.conf.all.rp_filter=1
-
-#### meta end
diff --git a/etc/sysctl.d/tcp_sack.conf b/etc/sysctl.d/tcp_sack.conf
deleted file mode 100644
index 4bd07eb..0000000
--- a/etc/sysctl.d/tcp_sack.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
-## See the file COPYING for copying conditions.
-
-## Disables SACK as it is commonly exploited and likely not needed.
-## https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109
-#net.ipv4.tcp_sack=0
-#net.ipv4.tcp_dsack=0
-#net.ipv4.tcp_fack=0
diff --git a/etc/sysctl.d/tcp_timestamps.conf b/etc/sysctl.d/tcp_timestamps.conf
deleted file mode 100644
index a1b874c..0000000
--- a/etc/sysctl.d/tcp_timestamps.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
-## See the file COPYING for copying conditions.
-
-#### meta start
-#### project Kicksecure
-#### category networking and security
-#### description
-## disable IPv4 TCP Timestamps
-
-net.ipv4.tcp_timestamps=0
-
-#### meta end