From 07c6362f1aff2e151c51aa681a79c3ef650baa6d Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Sun, 23 Jun 2019 18:34:45 +0000
Subject: [PATCH 01/10] Blacklist thunderbolt and firewire

---
 etc/modprobe.d/blacklist-dma.conf | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 etc/modprobe.d/blacklist-dma.conf

diff --git a/etc/modprobe.d/blacklist-dma.conf b/etc/modprobe.d/blacklist-dma.conf
new file mode 100644
index 0000000..3e2c7de
--- /dev/null
+++ b/etc/modprobe.d/blacklist-dma.conf
@@ -0,0 +1,3 @@
+# Blacklist thunderbolt and firewire to prevent some DMA attacks.
+blacklist firewire-core
+blacklist thunderbolt

From 641407c8e9c728429ec86e7c89e431896d88e116 Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Sun, 23 Jun 2019 18:38:50 +0000
Subject: [PATCH 02/10] Enable IOMMU

---
 etc/default/grub.d/40_enable_iommu.cfg | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 etc/default/grub.d/40_enable_iommu.cfg

diff --git a/etc/default/grub.d/40_enable_iommu.cfg b/etc/default/grub.d/40_enable_iommu.cfg
new file mode 100644
index 0000000..8e2baff
--- /dev/null
+++ b/etc/default/grub.d/40_enable_iommu.cfg
@@ -0,0 +1,2 @@
+# Enables IOMMU to prevent DMA attacks.
+GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX intel_iommu=on amd_iommu=on"

From 01c839c815b7f8c16c231bbd72da1673ad88fdb7 Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Tue, 25 Jun 2019 19:16:43 +0000
Subject: [PATCH 03/10] Restrict what the SysRq key can do

---
 etc/sysctl.d/sysrq.conf | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 etc/sysctl.d/sysrq.conf

diff --git a/etc/sysctl.d/sysrq.conf b/etc/sysctl.d/sysrq.conf
new file mode 100644
index 0000000..266e275
--- /dev/null
+++ b/etc/sysctl.d/sysrq.conf
@@ -0,0 +1,2 @@
+# Allow only rebooting/shutting down with the SysRq key.
+kernel.sysrq=128

From 382e336f69097f3baa7693da6aaf8833b05cf322 Mon Sep 17 00:00:00 2001
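Review bot: `blacklist` only suppresses alias-based autoloading; modprobe(8) still loads a blacklisted module when it is requested by name or pulled in as a dependency, and firewire-core is a dependency of the firewire-ohci driver that binds the controller, so it can come back that way. The modprobe.d idiom that actually prevents loading is an install override, `install firewire-core /bin/false` and `install thunderbolt /bin/false`. The comment on the first line could then say "Prevent loading of" rather than "Blacklist", so the file's intent matches what the directives enforce.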
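Review bot: `amd_iommu=on` does not appear to be a value the AMD IOMMU driver recognises — the documented ones are `off`, `fullflush` and `force_isolation`, unknown tokens are ignored, and the driver is enabled by default when the firmware exposes an IOMMU — so `intel_iommu=on` is the only token doing work on this line. Either drop the AMD token or note in the comment that it is a no-op, so a reader does not assume AMD systems were unprotected without it. The comment should also state that `/etc/default/grub.d/*.cfg` is read by Debian's grub-mkconfig only, and that the setting takes effect after `update-grub` and a reboot.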
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Tue, 25 Jun 2019 19:20:27 +0000
Subject: [PATCH 04/10] Create remove-system.map

---
 usr/lib/security-misc/remove-system.map | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 usr/lib/security-misc/remove-system.map

diff --git a/usr/lib/security-misc/remove-system.map b/usr/lib/security-misc/remove-system.map
new file mode 100644
index 0000000..75edbbe
--- /dev/null
+++ b/usr/lib/security-misc/remove-system.map
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+# Removes the System.map files as they are only used for debugging or malware.
+if [ -f /boot/System.map-* ]; then
+ rm /boot/System.map-*
+fi

From 3116a56f1353681fbb97d4e7f92ee069f2577b33 Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Tue, 25 Jun 2019 19:25:32 +0000
Subject: [PATCH 05/10] Create remove-system-map.service

---
 lib/systemd/system/remove-system-map.service | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100644 lib/systemd/system/remove-system-map.service

diff --git a/lib/systemd/system/remove-system-map.service b/lib/systemd/system/remove-system-map.service
new file mode 100644
index 0000000..03720f9
--- /dev/null
+++ b/lib/systemd/system/remove-system-map.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=Removes the System.map files
+
+[Service]
+Type=oneshot
+Execstart=/usr/lib/security-misc/remove-system.map
+
+[Install]
+WantedBy=multi-user.target

From 8ef0db17e6a9c066b50a021292aab80a7523cbb6 Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Wed, 26 Jun 2019 12:59:45 +0000
Subject: [PATCH 06/10] Use a for loop to detect if System.map exists

---
 usr/lib/security-misc/remove-system.map | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/usr/lib/security-misc/remove-system.map b/usr/lib/security-misc/remove-system.map
index 75edbbe..8e723f9 100644
--- a/usr/lib/security-misc/remove-system.map
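Review bot: The script is committed with `create mode 100644`, but the unit added in patch 05 runs it directly via `ExecStart=/usr/lib/security-misc/remove-system.map`, and systemd execs that path itself rather than through a shell, so a non-executable file makes the unit fail with a permission error on every boot. Either commit the file as 100755 or invoke the interpreter explicitly in the unit, `ExecStart=/bin/bash /usr/lib/security-misc/remove-system.map`. The glob test on the `if` line is reworked by patches 06 and 07, so I am not raising it here.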
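Review bot: The unit starts the script on every boot even when there is no System.map to delete; a condition in [Unit], `ConditionPathExistsGlob=/boot/System.map-*`, lets systemd skip the start entirely in that case and keeps a no-op unit out of the journal each boot. Type=oneshot without RemainAfterExit= is fine for a single deletion pass, so no change is needed there. The `Execstart` key is corrected in patch 08.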
+++ b/usr/lib/security-misc/remove-system.map
@@ -1,6 +1,9 @@
 #!/bin/bash
 
 # Removes the System.map files as they are only used for debugging or malware.
-if [ -f /boot/System.map-* ]; then
- rm /boot/System.map-*
-fi
+for file in /boot/System.map-*
+do
+ if [ -f "${file}" ]; then
+ rm "${file}"
+ fi
+done

From 9392c8deb2657d3ff2c3734fb8bf1863d4e2a2d7 Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Wed, 26 Jun 2019 15:03:54 +0000
Subject: [PATCH 07/10] Update remove-system.map

---
 usr/lib/security-misc/remove-system.map | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/usr/lib/security-misc/remove-system.map b/usr/lib/security-misc/remove-system.map
index 8e723f9..10071f8 100644
--- a/usr/lib/security-misc/remove-system.map
+++ b/usr/lib/security-misc/remove-system.map
@@ -1,9 +1,14 @@
 #!/bin/bash
 
+## Copyright (C) 2012 - 2018 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+shopt -s nullglob
+
 # Removes the System.map files as they are only used for debugging or malware.
-for file in /boot/System.map-*
+for filename in /boot/System.map-*
 do
- if [ -f "${file}" ]; then
- rm "${file}"
+ if [ -f "$(unknown)" ]; then
+ rm -f "$(unknown)"
 fi
 done

From b8091850082fe1b956d6cff11fc7aa17786e693e Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Thu, 27 Jun 2019 16:09:52 +0000
Subject: [PATCH 08/10] Update remove-system-map.service

---
 lib/systemd/system/remove-system-map.service | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/systemd/system/remove-system-map.service b/lib/systemd/system/remove-system-map.service
index 03720f9..89a028b 100644
--- a/lib/systemd/system/remove-system-map.service
+++ b/lib/systemd/system/remove-system-map.service
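Review bot: The loop variable `filename` is never used — both the `-f` test and the `rm -f` in the patch 07 hunk operate on `"$(unknown)"`, which is a command substitution that runs a command named `unknown` and uses its output, so the matched System.map is no longer what gets removed, and `rm -f` keeps that failure silent. This looks like a mangled `${filename}`; the two lines should read `if [ -f "${filename}" ]; then` and `rm -f -- "${filename}"`. With `shopt -s nullglob` now set, the loop body simply does not run when nothing matches, so the `-f` test only guards against a non-regular-file match and can stay.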
@@ -3,7 +3,7 @@ Description=Removes the System.map files
 
 [Service]
 Type=oneshot
-Execstart=/usr/lib/security-misc/remove-system.map
+ExecStart=/usr/lib/security-misc/remove-system.map
 
 [Install]
 WantedBy=multi-user.target

From c54125270b44140b9ecfe0420205ac685b2a3505 Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Thu, 27 Jun 2019 18:15:57 +0000
Subject: [PATCH 09/10] Create dmesg_restrict.conf

---
 etc/sysctl.d/dmesg_restrict.conf | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 etc/sysctl.d/dmesg_restrict.conf

diff --git a/etc/sysctl.d/dmesg_restrict.conf b/etc/sysctl.d/dmesg_restrict.conf
new file mode 100644
index 0000000..789769d
--- /dev/null
+++ b/etc/sysctl.d/dmesg_restrict.conf
@@ -0,0 +1,2 @@
+# Restricts the kernel log to root only.
+kernel.dmesg_restrict=1

From 3801a53a9e01aafa3783276059a7907f5b20b96e Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Thu, 27 Jun 2019 18:17:58 +0000
Subject: [PATCH 10/10] Update tcp_hardening.conf

---
 etc/sysctl.d/tcp_hardening.conf | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/etc/sysctl.d/tcp_hardening.conf b/etc/sysctl.d/tcp_hardening.conf
index 0cea4be..e192a8b 100644
--- a/etc/sysctl.d/tcp_hardening.conf
+++ b/etc/sysctl.d/tcp_hardening.conf
@@ -15,5 +15,12 @@ net.ipv6.conf.default.accept_redirects=0
 net.ipv4.conf.all.send_redirects=0
 net.ipv4.conf.default.send_redirects=0
 
-# Ignores ICMP requests
+# Ignores ICMP requests.
 net.ipv4.icmp_echo_ignore_all=1
+
+# Enables TCP syncookies.
+net.ipv4.tcp_syncookies=1
+
+# Disable source routing.
+net.ipv4.conf.all.accept_source_route=0
+net.ipv4.conf.default.accept_source_route=0
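Review bot: `kernel.dmesg_restrict=1` only covers the kernel ring buffer; kernel symbol addresses stay readable by unprivileged users through `/proc/kallsyms` unless `kernel.kptr_restrict` is raised too, and that sysctl is what makes deleting `/boot/System.map-*` in patches 04–07 worth anything against a local user. Adding `kernel.kptr_restrict=2` to this file (1 hides pointers from callers without CAP_SYSLOG, 2 hides them unconditionally) closes that gap. The comment could also say "to processes with CAP_SYSLOG" rather than "root only", since that capability, not uid 0, is what the kernel checks.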
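Review bot: The new source-routing lines cover IPv4 only, whereas the redirect settings in the context above are set for both address families; the IPv6 counterparts are `net.ipv6.conf.all.accept_source_route=-1` and `net.ipv6.conf.default.accept_source_route=-1` (for IPv6 the sysctl is signed: a negative value rejects routing headers, while 0 still accepts type 2). As a point of style, the other comments in this file use the third person ("Enables", "Ignores", "Restricts"), so `# Disables source routing.` would match. The file continues outside the hunk.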