From 39d063d494cb540f45747f6253ab896200ba03c3 Mon Sep 17 00:00:00 2001
From: raja-grewal
Date: Thu, 26 Sep 2024 13:09:21 +0000
Subject: [PATCH 1/5] Add KSPP=no definition

---
 etc/default/grub.d/40_cpu_mitigations.cfg | 1 +
 etc/default/grub.d/40_kernel_hardening.cfg | 1 +
 etc/default/grub.d/40_remount_secure.cfg | 1 +
 etc/default/grub.d/40_signed_modules.cfg | 1 +
 etc/default/grub.d/41_quiet_boot.cfg | 1 +
 usr/lib/sysctl.d/30_security-misc_kexec-disable.conf | 1 +
 usr/lib/sysctl.d/30_silent-kernel-printk.conf | 1 +
 usr/lib/sysctl.d/990-security-misc.conf | 1 +
 8 files changed, 8 insertions(+)

diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg
index 529b626..5960e14 100644
--- a/etc/default/grub.d/40_cpu_mitigations.cfg
+++ b/etc/default/grub.d/40_cpu_mitigations.cfg
@@ -4,6 +4,7 @@
 ## Definitions:
 ## KSPP=yes: compliant with recommendations by the KSPP
 ## KSPP=partial: partially compliant with recommendations by the KSPP
+## KSPP=no: not (currently) compliant with recommendations by the KSPP
 
 ## Enable known mitigations for CPU vulnerabilities.
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg
index 49435d9..ad7e61a 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@@ -8,6 +8,7 @@ kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || tru
 ## Definitions:
 ## KSPP=yes: compliant with recommendations by the KSPP
 ## KSPP=partial: partially compliant with recommendations by the KSPP
+## KSPP=no: not (currently) compliant with recommendations by the KSPP
 
 ## This configuration file is split into 4 sections:
 ## 1. Kernel Space
diff --git a/etc/default/grub.d/40_remount_secure.cfg b/etc/default/grub.d/40_remount_secure.cfg
index 4593820..f92991a 100644
--- a/etc/default/grub.d/40_remount_secure.cfg
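Review bot: The new `KSPP=no` definition on the added line names a compliance status but, unlike `yes` and `partial`, leaves open what a reader should expect at a setting carrying it — whether the deviation is deliberate and where its reason is recorded; `(currently)` hints at a pending change without saying so. No setting tagged `KSPP=no` is visible in this series, so this concerns the legend itself rather than any particular option. Since the identical three-line legend is added verbatim to seven more files in this patch (40_kernel_hardening.cfg, 40_remount_secure.cfg, 40_signed_modules.cfg, 41_quiet_boot.cfg and the three sysctl.d files), the wording is best settled once and applied to all eight; suggest `## KSPP=no: not (currently) compliant with recommendations by the KSPP (rationale given at the affected setting)`.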
+++ b/etc/default/grub.d/40_remount_secure.cfg
@@ -4,6 +4,7 @@
 ## Definitions:
 ## KSPP=yes: compliant with recommendations by the KSPP
 ## KSPP=partial: partially compliant with recommendations by the KSPP
+## KSPP=no: not (currently) compliant with recommendations by the KSPP
 
 ## Remount Secure provides enhanced security via mount options:
 ## https://www.kicksecure.com/wiki/Security-misc#Remount_Secure
diff --git a/etc/default/grub.d/40_signed_modules.cfg b/etc/default/grub.d/40_signed_modules.cfg
index 788eeb1..b33dceb 100644
--- a/etc/default/grub.d/40_signed_modules.cfg
+++ b/etc/default/grub.d/40_signed_modules.cfg
@@ -4,6 +4,7 @@
 ## Definitions:
 ## KSPP=yes: compliant with recommendations by the KSPP
 ## KSPP=partial: partially compliant with recommendations by the KSPP
+## KSPP=no: not (currently) compliant with recommendations by the KSPP
 
 ## Require every kernel module to be signed before being loaded.
 ## Any module that is unsigned or signed with an invalid key cannot be loaded.
diff --git a/etc/default/grub.d/41_quiet_boot.cfg b/etc/default/grub.d/41_quiet_boot.cfg
index 86c8660..33b412d 100644
--- a/etc/default/grub.d/41_quiet_boot.cfg
+++ b/etc/default/grub.d/41_quiet_boot.cfg
@@ -4,6 +4,7 @@
 ## Definitions:
 ## KSPP=yes: compliant with recommendations by the KSPP
 ## KSPP=partial: partially compliant with recommendations by the KSPP
+## KSPP=no: not (currently) compliant with recommendations by the KSPP
 
 ## Some default configuration files automatically include the "quiet" parameter.
 ## Therefore, first remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT since "quiet" must be first.
diff --git a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf
index 74ab6f5..da77fd7 100644
--- a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf
+++ b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf
@@ -4,6 +4,7 @@
 ## Definitions:
 ## KSPP=yes: compliant with recommendations by the KSPP
 ## KSPP=partial: partially compliant with recommendations by the KSPP
+## KSPP=no: not (currently) compliant with recommendations by the KSPP
 
 ## NOTE:
 ## This configuration is in a dedicated file because the ram-wipe package
diff --git a/usr/lib/sysctl.d/30_silent-kernel-printk.conf b/usr/lib/sysctl.d/30_silent-kernel-printk.conf
index b07fae9..44b0b25 100644
--- a/usr/lib/sysctl.d/30_silent-kernel-printk.conf
+++ b/usr/lib/sysctl.d/30_silent-kernel-printk.conf
@@ -4,6 +4,7 @@
 ## Definitions:
 ## KSPP=yes: compliant with recommendations by the KSPP
 ## KSPP=partial: partially compliant with recommendations by the KSPP
+## KSPP=no: not (currently) compliant with recommendations by the KSPP
 
 ## Prevent kernel information leaks in the console during boot.
 ## Must be used in conjunction with kernel boot parameters.
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index e633df1..c404553 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -9,6 +9,7 @@
 ## Definitions:
 ## KSPP=yes: compliant with recommendations by the KSPP
 ## KSPP=partial: partially compliant with recommendations by the KSPP
+## KSPP=no: not (currently) compliant with recommendations by the KSPP
 
 ## This configuration file is divided into 5 sections:
 ## 1. Kernel Space

From f3b50a23c976ba4feff34eee721c50f698ecc5bf Mon Sep 17 00:00:00 2001
From: raja-grewal
Date: Thu, 26 Sep 2024 13:10:01 +0000
Subject: [PATCH 2/5] Add reference on unprivileged_userns_restriction

---
 usr/lib/sysctl.d/990-security-misc.conf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index c404553..eb160ef 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -127,6 +127,7 @@ kernel.sysrq=0
 ##
 ## https://lwn.net/Articles/673597/
 ## https://madaidans-insecurities.github.io/linux.html#kernel
+## https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
 ## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers
 ## https://github.com/NixOS/nixpkgs/pull/84522#issuecomment-614640601
 ## https://github.com/flatpak/flatpak/wiki/User-namespace-requirements

From eae38e72f30ff9b9f8d0b8b0b33182a918333e48 Mon Sep 17 00:00:00 2001
From: raja-grewal
Date: Thu, 26 Sep 2024 13:10:36 +0000
Subject: [PATCH 3/5] README.md: Show the current max_map_count

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index e55a1ec..a849c91 100644
--- a/README.md
+++ b/README.md
@@ -71,7 +71,7 @@ User space:
 - Raise the minimum address a process can request for memory mapping to 64KB to protect against kernel null pointer dereference vulnerabilities.
 
-- Increase the maximum number of memory map areas a process is able to utilize.
+- Increase the maximum number of memory map areas a process is able to utilize to 1,048,576.
 
 - Optional - Disallow registering interpreters for various (miscellaneous) binary formats based on a magic number or their file extension to prevent unintended code execution.

From ac1378743c7448c9a7e7e02bebcf3270592d42a5 Mon Sep 17 00:00:00 2001
From: raja-grewal
Date: Mon, 30 Sep 2024 16:56:18 +1000
Subject: [PATCH 4/5] Consistent formatting

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index a849c91..481a6c0 100644
--- a/README.md
+++ b/README.md
@@ -201,7 +201,7 @@ Networking:
 `CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX`
 that the kernel was built with), therefore improving its effectiveness.
 
-## Kernel Self Protection Project (KSPP) Compliance Status
+### Kernel Self Protection Project (KSPP) compliance status
 
 **Summary:**
 
From dc470cac1d93656354aeaaac0a6f8cbbd39f9f0f Mon Sep 17 00:00:00 2001
From: raja-grewal
Date: Sun, 6 Oct 2024 10:46:05 +0000
Subject: [PATCH 5/5] Remmove deprecated link

---
 README.md | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 481a6c0..071af7f 100644
--- a/README.md
+++ b/README.md
@@ -6,7 +6,6 @@
 This section is inspired by the Kernel Self Protection Project (KSPP). It attempts to implement all recommended Linux kernel settings by the KSPP and many more sources.
-- https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project
 - https://kspp.github.io/Recommended_Settings
 - https://github.com/KSPP/kspp.github.io
@@ -200,7 +199,7 @@ Networking:
 out via `/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of
 `CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX`
 that the kernel was built with), therefore improving its effectiveness.
- 
+
 ### Kernel Self Protection Project (KSPP) compliance status
 
 **Summary:**