Merge pull request #273 from raja-grewal/text_2

Documentation update 2
Patrick Schleizer 2024-10-08 05:53:48 -04:00 committed by GitHub
commit 8227a3dde2
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
9 changed files with 11 additions and 3 deletions

View File

@ -6,7 +6,6 @@ This section is inspired by the Kernel Self Protection Project (KSPP). It
attempts to implement all recommended Linux kernel settings by the KSPP and
many more sources.
- https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project
- https://kspp.github.io/Recommended_Settings
- https://github.com/KSPP/kspp.github.io
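Review bot: the hunk header (-6,7 +6,6) shows one line dropped from this reference list, which appears to be the kernsec.org KSPP wiki URL, but neither the surrounding text nor the commit message ("Documentation update 2") says why. If the wiki is superseded by the two kspp.github.io links that remain, a one-line rationale in the commit message would spare future readers the question; if it was dropped because the wiki is no longer maintained, an archived link may still be worth keeping, since the paragraph above continues to credit the KSPP as the source of these settings.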
@ -73,7 +72,7 @@ User space:
- Raise the minimum address a process can request for memory mapping to 64KB to
protect against kernel null pointer dereference vulnerabilities.
- Increase the maximum number of memory map areas a process is able to utilize.
- Increase the maximum number of memory map areas a process is able to utilize to 1,048,576.
- Optional - Disallow registering interpreters for various (miscellaneous) binary formats based
on a magic number or their file extension to prevent unintended code execution.
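Review bot: the rewritten bullet hard-codes 1,048,576 in the README, so the documentation and the value set in the sysctl file can now drift apart silently. Name the corresponding sysctl (vm.max_map_count) in the bullet and write the number in the same form the configuration uses (1048576, or 2^20) so a reader can grep one against the other. The bullet also still says only "Increase" and gives no reason for the change; a half sentence on why a larger limit is wanted, as the 64KB minimum-address bullet above it does, would make the entry self-explanatory.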
@ -203,7 +202,7 @@ Networking:
`CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX`
that the kernel was built with), therefore improving its effectiveness.
## Kernel Self Protection Project (KSPP) Compliance Status
### Kernel Self Protection Project (KSPP) compliance status
**Summary:**
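Review bot: demoting this heading from `##` to `###` nests the compliance status section under whichever `##` heading precedes it (the hunk context is the tail of the settings list, so presumably the settings section); confirm that is the intended outline rather than a top-level section, and update the table of contents if the README has one. The anchor is unaffected, because GitHub lowercases heading slugs, so existing links to `#kernel-self-protection-project-kspp-compliance-status` keep working.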

View File

@ -4,6 +4,7 @@
## Definitions:
## KSPP=yes: compliant with recommendations by the KSPP
## KSPP=partial: partially compliant with recommendations by the KSPP
## KSPP=no: not (currently) compliant with recommendations by the KSPP
## Enable known mitigations for CPU vulnerabilities.
## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html
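Review bot: `KSPP=no: not (currently) compliant` is ambiguous between a deliberate deviation (the project disagrees with the KSPP recommendation, or the setting is enforced elsewhere) and a setting that simply has not been implemented yet; since this legend now goes into every configuration file in the commit, consider either a separate marker for intentional deviations or a convention that every `KSPP=no` tag is followed by a one-line reason. Note too that the three definition lines are copied verbatim into eight files, so any future change to the legend has to be made in all of them.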

View File

@ -8,6 +8,7 @@ kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || tru
## Definitions:
## KSPP=yes: compliant with recommendations by the KSPP
## KSPP=partial: partially compliant with recommendations by the KSPP
## KSPP=no: not (currently) compliant with recommendations by the KSPP
## This configuration file is split into 4 sections:
## 1. Kernel Space

View File

@ -4,6 +4,7 @@
## Definitions:
## KSPP=yes: compliant with recommendations by the KSPP
## KSPP=partial: partially compliant with recommendations by the KSPP
## KSPP=no: not (currently) compliant with recommendations by the KSPP
## Remount Secure provides enhanced security via mount options:
## https://www.kicksecure.com/wiki/Security-misc#Remount_Secure

View File

@ -4,6 +4,7 @@
## Definitions:
## KSPP=yes: compliant with recommendations by the KSPP
## KSPP=partial: partially compliant with recommendations by the KSPP
## KSPP=no: not (currently) compliant with recommendations by the KSPP
## Require every kernel module to be signed before being loaded.
## Any module that is unsigned or signed with an invalid key cannot be loaded.

View File

@ -4,6 +4,7 @@
## Definitions:
## KSPP=yes: compliant with recommendations by the KSPP
## KSPP=partial: partially compliant with recommendations by the KSPP
## KSPP=no: not (currently) compliant with recommendations by the KSPP
## Some default configuration files automatically include the "quiet" parameter.
## Therefore, first remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT since "quiet" must be first.

View File

@ -4,6 +4,7 @@
## Definitions:
## KSPP=yes: compliant with recommendations by the KSPP
## KSPP=partial: partially compliant with recommendations by the KSPP
## KSPP=no: not (currently) compliant with recommendations by the KSPP
## NOTE:
## This configuration is in a dedicated file because the ram-wipe package

View File

@ -4,6 +4,7 @@
## Definitions:
## KSPP=yes: compliant with recommendations by the KSPP
## KSPP=partial: partially compliant with recommendations by the KSPP
## KSPP=no: not (currently) compliant with recommendations by the KSPP
## Prevent kernel information leaks in the console during boot.
## Must be used in conjunction with kernel boot parameters.

View File

@ -9,6 +9,7 @@
## Definitions:
## KSPP=yes: compliant with recommendations by the KSPP
## KSPP=partial: partially compliant with recommendations by the KSPP
## KSPP=no: not (currently) compliant with recommendations by the KSPP
## This configuration file is divided into 5 sections:
## 1. Kernel Space
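Review bot: the preamble here reads "divided into 5 sections" while the other file in this commit with the same kind of preamble says "split into 4 sections"; harmonize the wording so the two files read consistently, and make sure the section count matches the section headings that actually follow in each file.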
@ -136,6 +137,7 @@ kernel.sysrq=0
##
## https://lwn.net/Articles/673597/
## https://madaidans-insecurities.github.io/linux.html#kernel
## https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers
## https://github.com/NixOS/nixpkgs/pull/84522#issuecomment-614640601
## https://github.com/flatpak/flatpak/wiki/User-namespace-requirements
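Review bot: the added AppArmor wiki reference documents a different enforcement mechanism from the rest of this list, namely AppArmor's unprivileged user-namespace restriction rather than a kernel sysctl. A short comment above the URL saying how it relates to the setting this block documents (whether the file relies on it, treats it as an alternative, or cites it only for background) would stop a reader from assuming the sysctl here depends on AppArmor.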