From e53d24fc48b51a21fc182cc59890e97a1d7ac647 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Sat, 3 Aug 2024 00:09:42 +1000
Subject: [PATCH 1/5] Add missing GRUB command lines for disabled boot parameters

---
 etc/default/grub.d/40_kernel_hardening.cfg | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg
index 172c3c8..f36dac0 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@@ -135,7 +135,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 ## TODO: Debian 13 Trixie
 ## Applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness).
 ##
-#cfi=kcfi
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX cfi=kcfi"
 
 ## Disable support for x86 processes and syscalls.
 ## Unconditionally disables IA32 emulation to substantially reduce attack surface.
@@ -144,7 +144,7 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 ##
 ## Applicable when using Linux kernel >= 6.7 (retained here for future-proofing and completeness).
 ##
-#ia32_emulation=0
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0"
 
 ## 2. Direct Memory Access:
 ##
@@ -222,4 +222,4 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy"
 ##
 ## Enabling makes redundant many network hardening sysctl's in /usr/lib/sysctl.d/990-security-misc.conf.
 ##
-#ipv6.disable=1
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ipv6.disable=1"

From f6a16258a116ce5c5f4f6bad9d8ab9b6e1ec6bb7 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Sat, 3 Aug 2024 00:11:06 +1000
Subject: [PATCH 2/5] Add references to KSPP

---
 etc/default/grub.d/40_kernel_hardening.cfg | 1 +
 usr/lib/sysctl.d/990-security-misc.conf | 1 +
 2 files changed, 2 insertions(+)

diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg
index f36dac0..b1b3055 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg
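Review bot: The `cfi=kcfi` line in the first hunk (and `ia32_emulation=0` in the second) only does anything on kernels that are both new enough (>= 6.2 and >= 6.7 per the surrounding comments) and built with the matching options; when either is eventually uncommented it should be placed under the kernel-version check this file already derives through `kver` (visible as hunk context in the next patch), because an unrecognised `name=value` parameter on an older kernel is, as far as I know, passed through to init rather than rejected at boot. A line next to the TODO such as `## Gate on kver once enabled so older kernels do not receive an unknown parameter.` would keep that from being forgotten. For `ia32_emulation=0`, if the comment lines between the two hunks do not already say so, the operational cost should be stated plainly: 32-bit executables will not run at all, which is a larger compatibility break than most entries in this file. The third hunk (`ipv6.disable=1`) is a like-for-like fix and needs nothing further.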
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@@ -18,6 +18,7 @@ kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || tru
 ## 1. Kernel Space:
 ##
 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#boot-parameters
+## https://kspp.github.io/Recommended_Settings#kernel-command-line-options
 
 ## Disable merging of slabs with similar size.
 ## Reduces the risk of triggering heap overflows.
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index 40ab0ff..e795339 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -23,6 +23,7 @@
 ## 1. Kernel Space:
 ##
 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
+## https://kspp.github.io/Recommended_Settings#sysctls
 ## https://wiki.archlinux.org/title/Security#Kernel_hardening
 
 ## Restrict kernel address visibility via /proc and other interfaces, regardless of user privileges.

From 9099ecce8ae12352f2b739d3d7adf6069488ff49 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Sat, 3 Aug 2024 00:12:50 +1000
Subject: [PATCH 3/5] Provide option to enable the kernel Electric-Fence

---
 README.md | 4 ++++
 etc/default/grub.d/40_kernel_hardening.cfg | 9 +++++++++
 2 files changed, 13 insertions(+)

diff --git a/README.md b/README.md
index b6a6c60..b23f852 100644
--- a/README.md
+++ b/README.md
@@ -141,6 +141,10 @@ configuration file.
 
 - Provide the option to modify machine check exception handler.
 
+- Provide the option to enable the kernel Electric-Fence sampling-based memory
+ safety error detector which can identify heap out-of-bounds access, use-after-free,
+ and invalid-free errors.
+
 - Provide the option to use kCFI as the default CFI implementation since it may be slightly more resilient to attacks that are able to write arbitrary executables in memory (when using Linux kernel version >= 6.2).
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg
index b1b3055..390f75b 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@@ -113,6 +113,15 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX loglevel=0"
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX quiet"
 
+## Enable the kernel "Electric-Fence" sampling-based memory safety error detector.
+## KFENCE detects heap out-of-bounds access, use-after-free, and invalid-free errors.
+## Aims to have very low processing overhead at each sampling interval
+## Sampling interval is set to occur every 100 milliseconds as per KSPP recommendation.
+##
+## https://www.kernel.org/doc/html/latest/dev-tools/kfence.html
+##
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100"
+
 ## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation.
 ## The default implementation is FIneIBT as of Linux kernel 6.2.
 ## The Intel-developed IBT (Indirect Branch Tracking) is only used if supported by the CPU.

From 52aeacb4da4a8458b0ffdc1ade4094a178def6f4 Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Sat, 3 Aug 2024 00:13:38 +1000
Subject: [PATCH 4/5] Provide option to disable 32 bit vDSO mappings

---
 README.md | 2 ++
 etc/default/grub.d/40_kernel_hardening.cfg | 8 ++++++++
 2 files changed, 10 insertions(+)

diff --git a/README.md b/README.md
index b23f852..457fe0e 100644
--- a/README.md
+++ b/README.md
@@ -145,6 +145,8 @@ configuration file.
 safety error detector which can identify heap out-of-bounds access, use-after-free,
 and invalid-free errors.
 
+- Provide the option to disable 32 bit vDSO mappings.
+
 - Provide the option to use kCFI as the default CFI implementation since it may be slightly more resilient to attacks that are able to write arbitrary executables in memory (when using Linux kernel version >= 6.2).
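Review bot: The comment block above `kfence.sample_interval=100` presents KFENCE alongside the hardening switches in this file, but it is a sampling detector rather than a mitigation: only a small fraction of allocations land in its guarded pool, and a hit is reported to the kernel log and then allowed to proceed, so its value is in surfacing memory-safety bugs, not in stopping exploitation of them. Consider adding `## Detection aid only: faults are reported via the kernel log, not prevented, and only a sample of allocations is covered.` so nobody reads it as protection. The parameter is also silently ignored on kernels built without CONFIG_KFENCE, so a note to that effect (and a "where the kernel supports it" qualifier in the README bullet) would help. Minor: the third added line lacks a terminating full stop (`## Aims to have very low processing overhead at each sampling interval.`).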
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg
index 390f75b..d34f0ca 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@@ -122,6 +122,14 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX debugfs=off"
 ##
 #GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX kfence.sample_interval=100"
 
+## Disable x86 Virtual Dynamic Shared Object (vDSO) mappings.
+##
+## https://en.wikipedia.org/wiki/VDSO
+##
+## The use of 32 bit vDSO mappings is currently enabled.
+##
+#GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX vdso32=0"
+
 ## Switch (back) to using kCFI as the default Control Flow Integrity (CFI) implementation.
 ## The default implementation is FIneIBT as of Linux kernel 6.2.
 ## The Intel-developed IBT (Indirect Branch Tracking) is only used if supported by the CPU.

From ca2179bb6a01e3ebbb1e04e3507cc305f25bca4e Mon Sep 17 00:00:00 2001
From: Raja Grewal
Date: Sat, 3 Aug 2024 00:25:49 +1000
Subject: [PATCH 5/5] Provide the option to disable legacy TIOCSTI operation

---
 README.md | 3 +++
 usr/lib/sysctl.d/990-security-misc.conf | 7 +++++++
 2 files changed, 10 insertions(+)

diff --git a/README.md b/README.md
index 457fe0e..42fba56 100644
--- a/README.md
+++ b/README.md
@@ -47,6 +47,9 @@ space, user space, core dumps, and swap space.
 - Randomize the addresses (ASLR) for mmap base, stack, VDSO pages, and heap.
 
+- Provide the option to disable the use of legacy TIOCSTI operation which can be
+ used to inject keypresses.
+
 - Disable asynchronous I/O as `io_uring` has been the source of numerous kernel exploits (when using Linux kernel version >= 6.6).
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index e795339..ef550e4 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
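Review bot: The first added comment line, `## Disable x86 Virtual Dynamic Shared Object (vDSO) mappings.`, overstates what `vdso32=0` does: only the 32-bit (compat) vDSO is disabled, the 64-bit vDSO used by native processes is untouched, and the commit title and README bullet already say "32 bit". Suggest `## Disable the 32-bit (compat) vDSO mapping; the 64-bit vDSO used by native processes is unaffected.` The line `## The use of 32 bit vDSO mappings is currently enabled.` is ambiguous between the kernel default and the state of this file; if it means the kernel default, something like `## Kernel default: the 32-bit vDSO is mapped.` reads unambiguously. It is also worth noting here that the setting is moot once the `ia32_emulation=0` option further down in this file is in effect, and that the practical impact falls on 32-bit processes only, which keep running but lose the vDSO fast path for calls such as gettimeofday() — I believe that is the documented effect, but confirm against kernel-parameters.txt before writing it in.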
@@ -129,6 +129,13 @@ kernel.perf_event_paranoid=3
 ##
 kernel.randomize_va_space=2
 
+## Disable use of the legacy TIOCSTI operation which can be used to inject keypresses.
+## Will break screen readers as can no longer push characters into a controlling TTY.
+##
+## This is disabled by default when using Linux kernel >= 6.2.
+##
+#dev.tty.legacy_tiocsti=0
+
 ## Disable asynchronous I/O for all processes.
 ## Leading cause of numerous kernel exploits.
 ## Disabling will reduce the read/write performance of storage devices.
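Review bot: `## This is disabled by default when using Linux kernel >= 6.2.` is ambiguous and, read as a statement about the kernel, is likely wrong: the `dev.tty.legacy_tiocsti` sysctl only exists from 6.2 onward, and its initial value follows the build option CONFIG_LEGACY_TIOCSTI (upstream default y), so whether TIOCSTI is already off depends on the distribution's kernel configuration rather than on the version number. Suggest `## The sysctl exists only on Linux kernel >= 6.2; its default follows CONFIG_LEGACY_TIOCSTI, so check the running kernel before relying on it.` Because the key is absent on older kernels, the line should carry sysctl.d's error-tolerant prefix when it is eventually enabled, `-dev.tty.legacy_tiocsti=0`, so that `sysctl --system` does not log an error and stop short on kernels that lack it. Grammar nit on the second line: `## Will break screen readers as they can no longer push characters into a controlling TTY.`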