From 2de3a795990234134be15be90aa55f547c064d92 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sat, 13 Jul 2024 22:41:40 +1000 Subject: [PATCH 01/10] Refactor existing sysctl for clarity --- README.md | 96 +++-- debian/security-misc.maintscript | 2 +- .../30_security-misc_kexec-disable.conf | 9 +- usr/lib/sysctl.d/30_silent-kernel-printk.conf | 4 +- usr/lib/sysctl.d/990-security-misc.conf | 401 ++++++++++++------ 5 files changed, 330 insertions(+), 182 deletions(-) diff --git a/README.md b/README.md index 114b90c..9ed387b 100644 --- a/README.md +++ b/README.md 
@@ -6,57 +6,76 @@ This section is inspired by the Kernel Self Protection Project (KSPP). It implements all recommended Linux kernel settings by the KSPP and many more. - https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project +- https://kspp.github.io/Recommended_Settings ### sysctl -sysctl settings are configured via the `/etc/sysctl.d/30_security-misc.conf` +sysctl settings are configured via the `/usr/lib/sysctl.d/990-security-misc.conf` configuration file. -- A kernel pointer points to a specific location in kernel memory. These can - be very useful in exploiting the kernel so they are restricted to - `CAP_SYSLOG`. +Significant hardening is applied by default to a myriad of components within kernel +space, user space, core dumps, and swap space. -- The kernel logs are restricted to `CAP_SYSLOG` as they can often leak - sensitive information such as kernel pointers. +- Restrict kernel addresses regardless of user privileges. -- The `ptrace()` system call is restricted to `CAP_SYS_PTRACE`. +- Restrict access to the kernel logs to `CAP_SYSLOG` as the often contain + sensitive information. -- eBPF is restricted to `CAP_BPF` (`CAP_SYS_ADMIN` on kernel versions prior to - 5.8) and JIT hardening techniques such as constant blinding are enabled. +- Prevent kernel information leaks in the console during boot. -- Restricts performance events to `CAP_PERFMON` (`CAP_SYS_ADMIN` on kernel - versions prior to 5.8). +- Restrict eBPF access to `CAP_BPF` and enable associated JIT compiler hardening. -- Restricts loading line disciplines to `CAP_SYS_MODULE` to prevent - unprivileged attackers from loading vulnerable line disciplines with the - `TIOCSETD` ioctl which has been abused in a number of exploits before. +- Restrict loading TTY line disciplines to `CAP_SYS_MODULE`. -- Restricts the `userfaultfd()` syscall to `CAP_SYS_PTRACE` as `userfaultfd()` - is often abused to exploit use-after-free flaws. 
+- Restricts the `userfaultfd()` syscall to `CAP_SYS_PTRACE` which reduces the + likelihood of use-after-free exploits. -- Kexec is disabled as it can be used to load a malicious kernel and gain - arbitrary code execution in kernel mode. +- Disable `kexec` as it can be used to replace the running kernel. -- Randomises the addresses for mmap base, heap, stack, and VDSO pages. +- Entirely disables the SysRq key so that the Secure Attention Key (SAK) + can no longer be utilised. -- Prevents unintentional writes to attacker-controlled files. +- Restrict kernel profiling and the performance events system to `CAP_PERFMON`. -- Prevents common symlink and hardlink TOCTOU races. +- Randomise the addresses (ASLR) for mmap base, stack, VDSO pages, and heap. -- Disables SysRq key completely. - * Therefore Secure Attention Key (SAK) cannot be used. - * https://www.kicksecure.com/wiki/SysRq +- Disable asynchronous I/O (when using Linux kernel version >= 6.6). -- The kernel is only allowed to swap if it is absolutely necessary. This - prevents writing potentially sensitive contents of memory to disk. +- Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it + enables programs to inspect and modify other active processes. -- TCP timestamps are disabled as it can allow detecting the system time. +- Prevent hardlink and symlink TOCTOU races in world-writable directories. -- Set coredump file name based on core_pattern value instead of the default of - naming it 'core'. +- Disallow unintentional writes to attacker-controlled files. -- Will disable `io_uring` interface for performing asynchronous I/O as it has - historically been a significant attack surface. +- Increase the maximum number of memory map areas a process is able to utilise. + +- Disable core dump files and prevent their creation. + +- Limit the copying of potentially sensitive content in memory to the swap device. + +Various networking components of the TCP/IP stack are hardened for IPv4/6. 
+ +- Enable TCP SYN cookie protection to assist against SYN flood attacks. + +- Protect against TCP time-wait assassination hazards. + +- Enables reverse path filtering (source validation) of packets received + from all interfaces to prevent IP spoofing. + +- Disable ICMP redirect acceptance and redirect sending messages to + prevent man-in-the-middle attacks and minimise information disclosure. + +- Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks. + +- Ignore bogus ICMP error responses. + +- Disable source routing which allows users redirect network traffic that + can result in man-in-the-middle attacks. + +- Do not accept IPv6 router advertisements and solicitations. + +- Disable TCP timestamps as it can allow detecting the system time. ### mmap ASLR @@ -193,21 +212,6 @@ rather it is a form of badness enumeration. ## Network hardening -- TCP syncookies are enabled to prevent SYN flood attacks. - -- ICMP redirect acceptance, ICMP redirect sending, source routing and IPv6 - router advertisements are disabled to prevent man-in-the-middle attacks. - -- The kernel is configured to ignore all ICMP requests to avoid Smurf attacks, - make the device more difficult to enumerate on the network and prevent clock - fingerprinting through ICMP timestamps. - -- RFC1337 is enabled to protect against time-wait assassination attacks by - dropping RST packets for sockets in the time-wait state. - -- Reverse path filtering is enabled to prevent IP spoofing and mitigate - vulnerabilities such as CVE-2019-14899. - - Unlike version 4, IPv6 addresses can provide information not only about the originating network, but also the originating device. We prevent this from happening by enabling the respective privacy extensions for IPv6. diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript index 4279cf2..8636e0c 100644 --- a/debian/security-misc.maintscript +++ b/debian/security-misc.maintscript 
@@ -10,7 +10,7 @@ rm_conffile /etc/sysctl.d/sysrq.conf rm_conffile /etc/apparmor.d/usr.lib.security-misc.pam_tally2-info rm_conffile /etc/apparmor.d/usr.lib.security-misc.permission-lockdown -## merged into 1 file /etc/sysctl.d/30_security-misc.conf +## merged into 3 files /usr/lib/sysctl.d/30_security-misc_kexec-disable.conf, /usr/lib/sysctl.d/30_silent-kernel-printk.conf, and /usr/lib/sysctl.d/990-security-misc.conf rm_conffile /etc/sysctl.d/fs_protected.conf rm_conffile /etc/sysctl.d/kptr_restrict.conf rm_conffile /etc/sysctl.d/suid_dumpable.conf diff --git a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf index bbdf5ea..ad2f6bd 100644 --- a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf +++ b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf @@ -1,12 +1,11 @@ ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Quote https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html -## -## kexec_load_disabled: -## -## A toggle indicating if the kexec_load syscall has been disabled. This value defaults to 0 (false: kexec_load enabled), but can be set to 1 (true: kexec_load disabled). Once true, kexec can no longer be used, and the toggle cannot be set back to false. This allows a kexec image to be loaded before disabling the syscall, allowing a system to set up (and later use) an image without it being altered. Generally used together with the "modules_disabled" sysctl. ## Disables kexec which can be used to replace the running kernel. +## Useful for live kernel patching without rebooting. +## +## https://en.wikipedia.org/wiki/Kexec +## kernel.kexec_load_disabled=1 ## Why is this in a dedicated config file? diff --git a/usr/lib/sysctl.d/30_silent-kernel-printk.conf b/usr/lib/sysctl.d/30_silent-kernel-printk.conf index b76a4b3..5ac7b6f 100644 --- a/usr/lib/sysctl.d/30_silent-kernel-printk.conf 
+++ b/usr/lib/sysctl.d/30_silent-kernel-printk.conf @@ -1,8 +1,8 @@ ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Prevent kernel info leaks in console during boot. -## https://phabricator.whonix.org/T950 +## Prevent kernel information leaks in the console during boot. +## kernel.printk = 3 3 3 3 ## NOTE: diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 371c265..c1bf3e9 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf 
@@ -2,177 +2,322 @@ ## See the file COPYING for copying conditions. ## NOTE: -## This file has a weird file name so /usr/lib/sysctl.d/99-protect-links.conf -## is parsed first and /usr/lib/sysctl.d/990-security-misc.conf is parsed -## afterwards. See also: +## This file has a strange name so that `/usr/lib/sysctl.d/99-protect-links.conf` is +## first parsed and then followed by `/usr/lib/sysctl.d/990-security-misc.conf`. ## https://github.com/Kicksecure/security-misc/pull/135 -## Restricts the kernel log to root only. -kernel.dmesg_restrict=1 +## This configuration file is split into 5 sections: +## 1. Kernel Space +## 2. User Space +## 3. Core Dumps +## 4. Swap Space +## 5. Networking -## Disables coredumps. This setting may be overwritten by systemd so this may not be useful. -## security-misc also disables coredumps in other ways. -kernel.core_pattern=|/bin/false +## See the documentation below for details on the majority of the selected commands. +## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html +## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/fs.html +## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/net.html +## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/vm.html +## https://www.kernel.org/doc/html/latest//networking/ip-sysctl.html -## Does not set coredump name to 'core' which is default. Defense in depth. -kernel.core_uses_pid=1 - -## Prevent setuid processes from creating coredumps. -fs.suid_dumpable=0 - -## Don't allow writes to files that we don't own -## in world writable sticky directories, unless -## they are owned by the owner of the directory. -fs.protected_fifos=2 -fs.protected_regular=2 - -## Only allow symlinks to be followed when outside of -## a world-writable sticky directory, or when the owner -## of the symlink and follower match, or when the directory -## owner matches the symlink's owner. +## 1. 
Kernel Space: ## -## Prevent hardlinks from being created by users that do not -## have read/write access to the source file. -## -## These prevent many TOCTOU races. -fs.protected_symlinks=1 -fs.protected_hardlinks=1 +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel +## https://wiki.archlinux.org/title/Security#Kernel_hardening -## Hides kernel addresses in various files in /proc. -## Kernel addresses can be very useful in certain exploits. +## Restrict kernel addresses via /proc and other interfaces regardless of user privileges. +## Kernel pointers expose specific locations in kernel memory. ## ## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak +## kernel.kptr_restrict=2 -## Improves ASLR effectiveness for mmap. -## Both explicit sysctl are made redundant due to automation +## Restrict access to the kernel log buffer to CAP_SYSLOG. +## Kernel logs often contain sensitive information such as kernel pointers. +## +kernel.dmesg_restrict=1 + +## Prevent kernel information leaks in the console during boot. +## +## See `/usr/lib/sysctl.d/30_silent-kernel-printk.conf` for implementation. +## +#kernel.printk=3 3 3 3s + +## Restrict eBPF access to CAP_BPF and enable associated JIT compiler hardening. +## +## https://en.wikipedia.org/wiki/EBPF#Security +## +kernel.unprivileged_bpf_disabled=1 +net.core.bpf_jit_harden=2 + +## Restrict loading TTY line disciplines to CAP_SYS_MODULE. +## Prevents unprivileged users loading vulnerable line disciplines with the TIOCSETD ioctl. +## +## https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html +## https://lkml.org/lkml/2019/4/15/890 +## +dev.tty.ldisc_autoload=0 + +## Restrict the userfaultfd() syscall to SYS_CAP_PTRACE. +## Reduces likelihood of use-after-free exploits from heap sprays. 
+## +## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cefdca0a86be517bc390fc4541e3674b8e7803b0 +## https://duasynt.com/blog/linux-kernel-heap-spray +## +vm.unprivileged_userfaultfd=0 + +## Disables kexec which can be used to replace the running kernel. +## Useful for live kernel patching without rebooting. +## +## https://en.wikipedia.org/wiki/Kexec +## +## See `/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf` for implementation. +## +#kernel.kexec_load_disabled=1 + +## Disable the SysRq key to prevent leakage of kernel information. +## The Secure Attention Key (SAK) can no longer be utilised. +## +## https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html +## https://www.kicksecure.com/wiki/SysRq +## https://github.com/xairy/unlockdown +## +kernel.sysrq=0 + +## Restrict user namespaces to CAP_SYS_ADMIN. +## User namespaces aim to improve sandboxing and accessibility for unprivileged users. +## Unprivileged user namespaces pose substantial privilege escalation risks. +## Restricting is well-known to cause breakages across numerous software. +## +## https://madaidans-insecurities.github.io/linux.html#kernel +## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers +## +## Unprivileged user namespaces are currently enabled. +## +#kernel.unprivileged_userns_clone=0 + +## Restricts kernel profiling to CAP_PERFMON. +## The performance events system should not be accessible by unprivileged users. +## +## https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html#unprivileged-users +## https://lore.kernel.org/kernel-hardening/1469630746-32279-1-git-send-email-jeffv@google.com/ +## +kernel.perf_event_paranoid=3 + +## Enable ASLR for mmap base, stack, VDSO pages, and heap. +## Heap randomisation can lead to breakages with legacy applications. 
+## +## https://en.wikipedia.org/wiki/Address_space_layout_randomization#Linux +## +kernel.randomize_va_space=2 + +## Disable asynchronous I/O for all processes. +## +## https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html +## +## Applicable when using Linux kernel >= 6.6 (retained here for future-proofing and completeness). +## +kernel.io_uring_disabled=2 + + +## 2.User Space: +## +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace + +## Restrict usage of the ptrace() system call to only processes with CAP_SYS_PTRACE. +## Limit ptrace() as it enables programs to inspect and modify other active processes. +## This may break some programs running under WINE. +## +## https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html#ptrace-scope +## +kernel.yama.ptrace_scope=2 + +## Maximise bits of entropy for improved effectiveness of mmap ASLR. +## The maximum numbers of bits are dependent on CPU architecture (the ones shown below are for x86). +## Both explicit sysctl are made redundant due to automation. +## Do NOT enable either sysctl - displaying only for clarity. +## ## https://forums.whonix.org/t/automate-mmap-randomisation-to-fix-ppc64el/16514 -## Do NOT enable either - displaying only for clarity +## +## See `/usr/libexec/security-misc/mmap-rnd-bits` for implementation. ## #vm.mmap_rnd_bits=32 #vm.mmap_rnd_compat_bits=16 -## Restricts the use of ptrace to root. This might break some programs running under WINE. -## A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. This can be done by running: +## Prevent hardlink creation by users who do not have read/write/ownership of source file. +## Only allow symlinks to be followed when outside of a world-writable sticky directories. +## Allow symlinks when the owner and follower match or when the directory owner matches the symlink's owner. 
+## Hardens cross privilege boundaries if root process follows a hardlink/symlink belonging to another user. +## This mitigates many hardlink/symlink-based TOCTOU races in world-writable directories like /tmp. ## -## sudo apt-get install libcap2-bin -## sudo setcap cap_sys_ptrace=eip /usr/bin/wineserver -## sudo setcap cap_sys_ptrace=eip /usr/bin/wine-preloader -kernel.yama.ptrace_scope=2 +## https://wiki.archlinux.org/title/Security#File_systems +## https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=/tmp +## https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use#Preventing_TOCTOU +## +fs.protected_hardlinks=1 +fs.protected_symlinks=1 -## Randomize the addresses for mmap base, heap, stack, and VDSO pages -kernel.randomize_va_space=2 +## Disallow writes to files in world-writable sticky directories unless owned by the directory owner. +## Also applies to group writable sticky directories to make data spoofing attacks more difficult. +## Prevents unintentional writes to attacker-controlled files. +## +fs.protected_fifos=2 +fs.protected_regular=2 -## Hardens the BPF JIT compiler and restricts it to root. -kernel.unprivileged_bpf_disabled=1 -net.core.bpf_jit_harden=2 +## Increase the maximum number of memory map areas a process is permitted to utilise. +## Addresses performance, crash, and start-up issues for some memory intensive applications. +## Required to accommodate the very large number of guard pages created by hardened_malloc. +## Kicksecure version 18 will deprecate hardened_malloc and so this sysctl will be applied here instead. +## +## https://archlinux.org/news/increasing-the-default-vmmax_map_count-value/ +## https://github.com/GrapheneOS/hardened_malloc#traditional-linux-based-operating-systems +## https://github.com/Kicksecure/hardened_malloc/blob/master/debian/hardened_malloc.conf +## https://www.kicksecure.com/wiki/Hardened_Malloc#Deprecation_in_Kicksecure +## +vm.max_map_count=1048576 -## Disable asynchronous I/O for all processes. 
-## Valid only for linux kernel version >= 6.6. -## Command is retained here for future-proofing and completeness. -## https://forums.whonix.org/t/io-uring-security-vulnerabilties/16890/6 -kernel.io_uring_disabled=2 -#### meta start -#### project Kicksecure -#### category networking and security -#### description -## TCP/IP stack hardening +## 3. Core Dumps: +## +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps -## A martian packet is a one with a source address which is blatantly wrong -## Recommended to keep a log of these to identify these suspicious packets -## Good for troubleshooting and diagnostics but not necessary by default. -## Caused issue: -## https://github.com/Kicksecure/security-misc/issues/214 -#net.ipv4.conf.all.log_martians=1 -#net.ipv4.conf.default.log_martians=1 +## Disable core dump files by preventing any pattern names. +## This setting may be overwritten by systemd is is not comprehensive. +## Core dumps are also disabled in security-misc via other means. +## +## https://wiki.archlinux.org/title/Core_dump#Disabling_automatic_core_dumps +## +kernel.core_pattern=|/bin/false -## Protects against time-wait assassination. -## It drops RST packets for sockets in the time-wait state. +## Prevent setuid processes or otherwise protected/tainted binaries from creating core dumps. +## Any process which has changed privilege levels or is execute-only will not be dumped. +## +fs.suid_dumpable=0 + +## Set core dump file name to 'core.PID' instead of 'core' as a form of defence-in-depth. +## If core dumps are permitted, only useful if PID listings are hidden from non-root users. +## +kernel.core_uses_pid=1 + + +## 4. Swap Space: +## +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#swap + +## Limit the copying of memory to the swap device only if absolutely necessary. +## Minimises the likelihood of writing potentially sensitive contents to disk. 
+## +## https://en.wikipedia.org/wiki/Memory_paging#Linux +## +vm.swappiness=1 + + +## 5. Networking: +## +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-network +## https://wiki.archlinux.org/title/Sysctl#TCP/IP_stack_hardening + +## Enable TCP SYN cookie protection to assist against SYN flood attacks. +## +## https://en.wikipedia.org/wiki/SYN_flood +## https://cateee.net/lkddb/web-lkddb/SYN_COOKIES.html +## +net.ipv4.tcp_syncookies=1 + +## Protect against TCP time-wait assassination hazards. +## Drops RST packets for sockets in the time-wait state. +## +## https://tools.ietf.org/html/rfc1337 +## net.ipv4.tcp_rfc1337=1 -## Disables ICMP redirect acceptance. +## Enable reverse path filtering (source validation) of packets received from all interfaces. +## Prevents IP spoofing and mitigate vulnerabilities such as CVE-2019-14899. +## +## https://en.wikipedia.org/wiki/IP_address_spoofing +## https://forums.whonix.org/t/enable-reverse-path-filtering/8594 +## https://seclists.org/oss-sec/2019/q4/122 +## +net.ipv4.conf.all.rp_filter=1 +net.ipv4.conf.default.rp_filter=1 + +## Disable ICMP redirect acceptance and redirect sending messages. +## Prevents man-in-the-middle attacks and minimises information disclosure. +## net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.default.accept_redirects=0 net.ipv4.conf.all.secure_redirects=0 net.ipv4.conf.default.secure_redirects=0 net.ipv6.conf.all.accept_redirects=0 net.ipv6.conf.default.accept_redirects=0 - -## Disables ICMP redirect sending. net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_redirects=0 -## Ignores ICMP requests. +## Ignore ICMP echo requests. +## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks. +## +## https://en.wikipedia.org/wiki/Smurf_attack +## net.ipv4.icmp_echo_ignore_all=1 net.ipv6.icmp.echo_ignore_all=1 -## Ignores bogus ICMP error responses +## Ignore bogus ICMP error responses. 
+## Mitigates attacks designed to fill log files with useless error messages. +## net.ipv4.icmp_ignore_bogus_error_responses=1 -## Enables TCP syncookies. -net.ipv4.tcp_syncookies=1 - -## Disable source routing. +## Disable source routing which allows users redirect network traffic. +## Prevents man-in-the-middle attacks in which the traffic is redirected. +## +## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-disable-source-routing +## net.ipv4.conf.all.accept_source_route=0 net.ipv4.conf.default.accept_source_route=0 net.ipv6.conf.all.accept_source_route=0 net.ipv6.conf.default.accept_source_route=0 -## Enable reverse path filtering to prevent IP spoofing and -## mitigate vulnerabilities such as CVE-2019-14899. -## https://forums.whonix.org/t/enable-reverse-path-filtering/8594 -net.ipv4.conf.default.rp_filter=1 -net.ipv4.conf.all.rp_filter=1 - -#### meta end - - -## Previously disabled SACK, DSACK, and FACK. -## https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109 -#net.ipv4.tcp_sack=0 -#net.ipv4.tcp_dsack=0 -#net.ipv4.tcp_fack=0 - - -#### meta start -#### project Kicksecure -#### category networking and security -#### description -## disable IPv4 TCP Timestamps - -net.ipv4.tcp_timestamps=0 - -#### meta end - - -## Disable SysRq key -kernel.sysrq=0 - -## Restrict loading TTY line disciplines to CAP_SYS_MODULE to prevent -## unprivileged attackers from loading vulnerable line disciplines -## with the TIOCSETD ioctl which has been used in exploits before -## such as https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html +## Do not accept IPv6 router advertisements and solicitations. ## -## https://lkml.org/lkml/2019/4/15/890 -dev.tty.ldisc_autoload=0 - -## Restrict the userfaultfd() syscall to root as it can make heap sprays -## easier. 
-## -## https://duasynt.com/blog/linux-kernel-heap-spray -vm.unprivileged_userfaultfd=0 - -## Let the kernel only swap if it is absolutely necessary. -## Better not be set to zero: -## - https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Performance_Tuning_Guide/s-memory-tunables.html -## - https://en.wikipedia.org/wiki/Swappiness -vm.swappiness=1 - -## Disallow kernel profiling by users without CAP_SYS_ADMIN -## https://www.kernel.org/doc/Documentation/sysctl/kernel.txt -kernel.perf_event_paranoid=3 - -## Do not accept router advertisements net.ipv6.conf.all.accept_ra=0 net.ipv6.conf.default.accept_ra=0 + +## Disable SACK, DSACK, and FACK. +## Select acknowledgements (SACKs) are a known common vector of exploitation. +## Duplicate select acknowledgements (DSACKs) are an extension of SACK. +## Forward acknowledgements (FACKs) are a legacy option that will (eventually) be deprecated. +## Disabling can cause severe connectivity issues on networks with high latency or packet loss. +## Enabling on stable high-bandwidth networks can lead to reduced efficiency of TCP connections. +## +## https://datatracker.ietf.org/doc/html/rfc2018 +## https://datatracker.ietf.org/doc/html/rfc2883 +## https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf +## https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md +## https://wiki.archlinux.org/title/Sysctl#TCP_Selective_Acknowledgement +## https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109/5 +## +## SACK and DSACK are currently enabled. +## +#net.ipv4.tcp_sack=0 +#net.ipv4.tcp_dsack=0 +net.ipv4.tcp_fack=0 + +## Disable TCP timestamps to limit system fingerprinting via time. 
+## +## https://forums.whonix.org/t/do-ntp-and-tcp-timestamps-really-leak-your-local-time/7824 +## https://web.archive.org/web/20170201160732/https://mailman.boum.org/pipermail/tails-dev/2013-December/004520.html +## +net.ipv4.tcp_timestamps=0 + +## Previously enabled logging of packets with impossible source or destination addresses. +## Martian and unroutable packets may be used for dangerous purposes. +## Recommended to keep a (kernel dmesg) log of these to identify these suspicious packets +## Good for troubleshooting and diagnostics but not necessary by default. +## Known for causing performance issues especially on systems with multiple interfaces. +## +## https://wiki.archlinux.org/title/Sysctl#TCP_Selective_Acknowledgement +## https://github.com/Kicksecure/security-misc/issues/214 +## +## The logging of martian packets is currently disabled. +## +#net.ipv4.conf.all.log_martians=1 +#net.ipv4.conf.default.log_martians=1 From 565597c9a282b08697d04204f5eb9c22153e77bd Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sun, 14 Jul 2024 01:21:24 +1000 Subject: [PATCH 02/10] Minor documentation changes and fixes --- .../sysctl.d/30_security-misc_kexec-disable.conf | 13 +++++++------ usr/lib/sysctl.d/30_silent-kernel-printk.conf | 12 ++++-------- usr/lib/sysctl.d/990-security-misc.conf | 14 +++++++------- 3 files changed, 18 insertions(+), 21 deletions(-) diff --git a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf index ad2f6bd..74c0bbf 100644 --- a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf +++ b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf 
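Review bot: typo in the rewritten README sysctl list, where the new bullet restricting kernel logs to `CAP_SYSLOG` says "as the often contain sensitive information" and should read "as they often contain". Two smaller wording points in the same hunk: the `userfaultfd()` bullet still opens with "Restricts" while every neighbouring bullet uses the imperative ("Restrict", "Disable"), and "Disable source routing which allows users redirect network traffic" is missing "to". The bullet "Disable asynchronous I/O (when using Linux kernel version >= 6.6)" is also broader than the setting it describes: `kernel.io_uring_disabled=2` disables io_uring only, other AIO interfaces are untouched, so keep io_uring in the wording as the removed bullet had it.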
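Review bot: the replacement comment in `30_security-misc_kexec-disable.conf`, "Useful for live kernel patching without rebooting.", describes the wrong mechanism. kexec boots a new kernel image from the running one (fast reboots, kdump crash kernels); live kernel patching is a separate feature (livepatch) that does not use kexec. Suggest "Used for fast reboots into a new kernel and for kdump crash kernels." The hunk also drops the quoted upstream text stating that once `kernel.kexec_load_disabled` is set to 1 it cannot be set back to 0; that one-way behaviour is exactly what the retained "Why is this in a dedicated config file?" paragraph relies on, so keep a one-line summary of it next to the setting even if the long quote goes.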
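Review bot: behaviour changes are hidden in a commit titled "Refactor existing sysctl for clarity". In the rewritten `990-security-misc.conf` hunk, `net.ipv4.tcp_fack=0` is now active where the removed block had all three of tcp_sack, tcp_dsack and tcp_fack commented out, and `vm.max_map_count=1048576` is a newly applied setting; split these into their own commits or state them in the commit message. The FACK comment is also out of date: forward acknowledgement was removed from the TCP stack in Linux 4.15 and the `tcp_fack` sysctl is kept only as a no-op, so "a legacy option that will (eventually) be deprecated" should say it has no effect on current kernels. Slips in the same hunk: the userfaultfd comment names `SYS_CAP_PTRACE` instead of `CAP_SYS_PTRACE`; `#kernel.printk=3 3 3 3s` has a stray `s`; the core_pattern comment reads "may be overwritten by systemd is is not comprehensive" (should be "and is not comprehensive"); the `## 2.User Space:` header is missing the space the other four headers have; "Select acknowledgements (SACKs)" should be "Selective"; "allows users redirect network traffic" needs "to"; and the martian-packet reference to the Arch wiki points at the `#TCP_Selective_Acknowledgement` section rather than the martian-logging one. Finally, "Disable asynchronous I/O for all processes." overstates `kernel.io_uring_disabled=2`, which disables io_uring only.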
@@ -1,15 +1,16 @@ ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. +## NOTE: +## Why is this in a dedicated config file? +## Package ram-wipe requires kexec. However, ram-wipe could not ship a config +## file /etc/sysctl.d/40_ram-wipe.conf which sets 'kernel.kexec_load_disabled=0'. +## This is because once systemd-sysctl.service has set 'kernel.kexec_load_disabled=1' +## it cannot be undone without reboot. This is a upstream Linux security feature. + ## Disables kexec which can be used to replace the running kernel. ## Useful for live kernel patching without rebooting. ## ## https://en.wikipedia.org/wiki/Kexec ## kernel.kexec_load_disabled=1 - -## Why is this in a dedicated config file? -## Package ram-wipe requires kexec. However, ram-wipe could not ship a config -## file /etc/sysctl.d/40_ram-wipe.conf which sets 'kernel.kexec_load_disabled=0'. -## This is because once systemd-sysctl.service has set 'kernel.kexec_load_disabled=1' -## it cannot be undone without reboot. This is a upstream Linux security feature. diff --git a/usr/lib/sysctl.d/30_silent-kernel-printk.conf b/usr/lib/sysctl.d/30_silent-kernel-printk.conf index 5ac7b6f..7283bcb 100644 --- a/usr/lib/sysctl.d/30_silent-kernel-printk.conf +++ b/usr/lib/sysctl.d/30_silent-kernel-printk.conf @@ -1,14 +1,10 @@ ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. +## NOTE: +## For higher verbosity, delete file /etc/default/grub.d/41_quiet.cfg. +## Alternatively, install the debug-misc package which will undo these settings. + ## Prevent kernel information leaks in the console during boot. ## kernel.printk = 3 3 3 3 - -## NOTE: -## For higher verbosity, the user might also want to delete file -## /etc/default/grub.d/41_quiet.cfg -## (or out-comment its settings). -## -## Alternatively, the user could consider to install the debug-misc package, -## which will undo the settings found here. 
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index c1bf3e9..2f47e89 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -2,8 +2,8 @@ ## See the file COPYING for copying conditions. ## NOTE: -## This file has a strange name so that `/usr/lib/sysctl.d/99-protect-links.conf` is -## first parsed and then followed by `/usr/lib/sysctl.d/990-security-misc.conf`. +## This file has a strange name so that /usr/lib/sysctl.d/99-protect-links.conf is +## first parsed and then followed by /usr/lib/sysctl.d/990-security-misc.conf. ## https://github.com/Kicksecure/security-misc/pull/135 ## This configuration file is split into 5 sections: @@ -39,9 +39,9 @@ kernel.dmesg_restrict=1 ## Prevent kernel information leaks in the console during boot. ## -## See `/usr/lib/sysctl.d/30_silent-kernel-printk.conf` for implementation. +## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation. ## -#kernel.printk=3 3 3 3s +#kernel.printk=3 3 3 3 ## Restrict eBPF access to CAP_BPF and enable associated JIT compiler hardening. ## @@ -71,7 +71,7 @@ vm.unprivileged_userfaultfd=0 ## ## https://en.wikipedia.org/wiki/Kexec ## -## See `/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf` for implementation. +## See /usr/lib/sysctl.d/30_security-misc_kexec-disable.conf for implementation. ## #kernel.kexec_load_disabled=1 @@ -139,7 +139,7 @@ kernel.yama.ptrace_scope=2 ## ## https://forums.whonix.org/t/automate-mmap-randomisation-to-fix-ppc64el/16514 ## -## See `/usr/libexec/security-misc/mmap-rnd-bits` for implementation. +## See /usr/libexec/security-misc/mmap-rnd-bits for implementation. ## #vm.mmap_rnd_bits=32 #vm.mmap_rnd_compat_bits=16 
@@ -314,7 +314,7 @@ net.ipv4.tcp_timestamps=0 ## Good for troubleshooting and diagnostics but not necessary by default. ## Known for causing performance issues especially on systems with multiple interfaces. ## -## https://wiki.archlinux.org/title/Sysctl#TCP_Selective_Acknowledgement +## https://wiki.archlinux.org/title/Sysctl#Log_martian_packets ## https://github.com/Kicksecure/security-misc/issues/214 ## ## The logging of martian packets is currently disabled. From dd1741c4a1cd18f34f69437c00f3a78a9ebd402a Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sun, 14 Jul 2024 13:40:53 +1000 Subject: [PATCH 03/10] Some documentation additions and fixes --- usr/lib/sysctl.d/990-security-misc.conf | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 2f47e89..322abb8 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -98,6 +98,7 @@ kernel.sysrq=0 ## Restricts kernel profiling to CAP_PERFMON. ## The performance events system should not be accessible by unprivileged users. +## Other distributions such as Ubuntu and Fedora may permit further restricting. ## ## https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html#unprivileged-users ## https://lore.kernel.org/kernel-hardening/1469630746-32279-1-git-send-email-jeffv@google.com/ 
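Review bot: grammar in the NOTE block moved to the top of `30_security-misc_kexec-disable.conf`: "This is a upstream Linux security feature." should read "an upstream". Since the hunk is already relocating these lines, fix it here rather than leaving the typo in place.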
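Review bot: the shortened note in `30_silent-kernel-printk.conf`, "For higher verbosity, delete file /etc/default/grub.d/41_quiet.cfg.", omits that files under /etc/default/grub.d only feed the GRUB configuration generator; deleting one has no effect until `update-grub` is run and the system rebooted, so add that step. The dropped alternative of commenting out the file's settings was also worth keeping, since it avoids deleting a packaged file that the package manager may restore.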
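Review bot: the added line "Other distributions such as Ubuntu and Fedora may permit further restricting." in the perf_event_paranoid block is too vague to act on: it names neither a value nor what it additionally blocks. Upstream documents values only up to 2 (deny kernel profiling without `CAP_PERFMON`), and `kernel.perf_event_paranoid=3` already depends on a downstream kernel patch to mean anything more than 2, so either state the specific value those kernels accept and what it restricts, or drop the sentence.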
@@ -126,9 +127,16 @@ kernel.io_uring_disabled=2 ## Restrict usage of the ptrace() system call to only processes with CAP_SYS_PTRACE. ## Limit ptrace() as it enables programs to inspect and modify other active processes. -## This may break some programs running under WINE. +## Prevents native code debugging which some programs use as a method to detect tampering. +## May cause breakages in 'anti-cheat' software and programs running under Proton/WINE. ## ## https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html#ptrace-scope +## https://en.wikipedia.org/wiki/Ptrace +## https://grapheneos.org/features#attack-surface-reduction +## https://github.com/GrapheneOS/os-issue-tracker/issues/651#issuecomment-917599928 +## https://github.com/netblue30/firejail/issues/2860 +## +## It is possible to harden further by disabling ptrace() for all users, see documentation. ## kernel.yama.ptrace_scope=2 @@ -301,16 +309,16 @@ net.ipv6.conf.default.accept_ra=0 #net.ipv4.tcp_dsack=0 net.ipv4.tcp_fack=0 -## Disable TCP timestamps to limit system fingerprinting via time. +## Disable TCP timestamps to limit device fingerprinting via system time. ## ## https://forums.whonix.org/t/do-ntp-and-tcp-timestamps-really-leak-your-local-time/7824 ## https://web.archive.org/web/20170201160732/https://mailman.boum.org/pipermail/tails-dev/2013-December/004520.html ## net.ipv4.tcp_timestamps=0 -## Previously enabled logging of packets with impossible source or destination addresses. +## Enable logging of packets with impossible source or destination addresses. ## Martian and unroutable packets may be used for dangerous purposes. -## Recommended to keep a (kernel dmesg) log of these to identify these suspicious packets +## Recommended to keep a (kernel dmesg) log of these to identify these suspicious packets. ## Good for troubleshooting and diagnostics but not necessary by default. ## Known for causing performance issues especially on systems with multiple interfaces. ## 
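Review bot: "Prevents native code debugging" in the `@@ -126,9` hunk overstates what scope 2 does: a process holding CAP_SYS_PTRACE (so root) can still attach, which is why `gdb -p` as root keeps working while user-level debuggers and the self-checks of anti-tamper software break; keep the wording of the first line ("restricts ... to CAP_SYS_PTRACE"). The closing "see documentation" has no pointer; give the file or URL, and add the caveat that belongs with it: Yama scope 3 (no attach at all) cannot be lowered again until reboot, so anyone following that advice should first confirm their workload under scope 2.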
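Review bot: the `@@ -301,16` hunk changes the heading to "Enable logging of packets with impossible source or destination addresses." while the unchanged context two lines below still says "The logging of martian packets is currently disabled.", so the block now contradicts itself. Write "Optionally enable logging ..." to match the "Provide option" wording this series adds to README.md, so the heading and the commented-out `log_martians` setting agree. The `tcp_fack=0` context line in this hunk is still active here even though SACK and DSACK are optional; it is handled later in the series, but the two changes belong in the same commit so the intermediate state is not left inconsistent.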
From 2b9e174c9db69f2c30828aae236c631d46255e07 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sun, 14 Jul 2024 16:22:52 +1000 Subject: [PATCH 04/10] Remove empty lines --- usr/lib/sysctl.d/990-security-misc.conf | 4 ---- 1 file changed, 4 deletions(-) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 322abb8..5fbe51c 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -120,7 +120,6 @@ kernel.randomize_va_space=2 ## kernel.io_uring_disabled=2 - ## 2.User Space: ## ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace @@ -184,7 +183,6 @@ fs.protected_regular=2 ## vm.max_map_count=1048576 - ## 3. Core Dumps: ## ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps @@ -207,7 +205,6 @@ fs.suid_dumpable=0 ## kernel.core_uses_pid=1 - ## 4. Swap Space: ## ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#swap @@ -219,7 +216,6 @@ kernel.core_uses_pid=1 ## vm.swappiness=1 - ## 5. Networking: ## ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-network From 5cf9afc21563712b851850e2041141807503807c Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sun, 14 Jul 2024 17:05:49 +1000 Subject: [PATCH 05/10] Include optional `sysctl`'s in README.md --- README.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 9ed387b..d49d65f 100644 --- a/README.md +++ b/README.md @@ -35,6 +35,9 @@ space, user space, core dumps, and swap space. - Entirely disables the SysRq key so that the Secure Attention Key (SAK) can no longer be utilised. +- Provide option to disable unprivileged user namespaces as they can lead to + privilege escalation. + - Restrict kernel profiling and the performance events system to `CAP_PERFMON`. - Randomise the addresses (ASLR) for mmap base, stack, VDSO pages, and heap. 
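Review bot: the `@@ -35,6` README hunk adds "Provide option to disable unprivileged user namespaces" without naming the sysctl the option sets or what it costs; the README should say which setting it is and carry the usual caveat that unprivileged user namespaces are exactly what bubblewrap/Flatpak-style sandboxes and browser sandboxes use to drop privileges, so disabling them removes one kernel attack surface while weakening the sandboxing of those programs. A reader deciding whether to enable the option needs that trade-off stated next to it.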
@@ -42,7 +45,8 @@ space, user space, core dumps, and swap space. - Disable asynchronous I/O (when using Linux kernel version >= 6.6). - Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it - enables programs to inspect and modify other active processes. + enables programs to inspect and modify other active processes. Provide option + to also entirely disable the use of `ptrace()` for all processes. - Prevent hardlink and symlink TOCTOU races in world-writable directories. @@ -75,8 +79,14 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6. - Do not accept IPv6 router advertisements and solicitations. +- Provide option to disable SACK and DSACK as they have historically been a + vector for exploitation. + - Disable TCP timestamps as it can allow detecting the system time. +- Provide option to log of packets with impossible source or destination + addresses to enable inspection and further analysis. + ### mmap ASLR - The bits of entropy used for mmap ASLR are maxed out via From acd60e45d8cbc98ea935c9bf035f2840622ab58d Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sun, 14 Jul 2024 20:07:31 +1000 Subject: [PATCH 06/10] Add comment about enabling core dump files --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index d49d65f..5d9b594 100644 --- a/README.md +++ b/README.md @@ -54,7 +54,8 @@ space, user space, core dumps, and swap space. - Increase the maximum number of memory map areas a process is able to utilise. -- Disable core dump files and prevent their creation. +- Disable core dump files and prevent their creation. If core dump files are + enabled, they will be nammed based on `core.PID` instead of the default `core`. - Limit the copying of potentially sensitive content in memory to the swap device. From 1c2afc1f253e15d2605d1bef0e323e6e972a2484 Mon Sep 17 00:00:00 2001 
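Review bot: in the `@@ -42,7` hunk the context line "Disable asynchronous I/O (when using Linux kernel version >= 6.6)" describes `kernel.io_uring_disabled=2` (visible in the conf hunks of this series), which only disables io_uring; the older `io_setup`/`io_submit` AIO interface stays available, so say "Disable io_uring" and keep "asynchronous I/O" out of it. The added ptrace sentence is fine as written.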
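Review bot: "Provide option to log of packets" in the `@@ -75,8` hunk should read "Provide option to log packets"; and "SACK and DSACK ... have historically been a vector for exploitation" should cite the issue it refers to and state the cost, since with SACK off a single loss makes TCP retransmit everything after it and noticeably slows lossy links. The option deserves the same "not necessary by default" caveat that the conf file already gives martian-packet logging.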
From: Raja Grewal Date: Mon, 15 Jul 2024 15:01:48 +1000 Subject: [PATCH 07/10] Update presentation of the `kernel.printk` sysctl --- usr/lib/sysctl.d/30_silent-kernel-printk.conf | 14 +++++++++----- usr/lib/sysctl.d/990-security-misc.conf | 4 ++++ 2 files changed, 13 insertions(+), 5 deletions(-) diff --git a/usr/lib/sysctl.d/30_silent-kernel-printk.conf b/usr/lib/sysctl.d/30_silent-kernel-printk.conf index 7283bcb..de73876 100644 --- a/usr/lib/sysctl.d/30_silent-kernel-printk.conf +++ b/usr/lib/sysctl.d/30_silent-kernel-printk.conf @@ -1,10 +1,14 @@ ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## NOTE: -## For higher verbosity, delete file /etc/default/grub.d/41_quiet.cfg. -## Alternatively, install the debug-misc package which will undo these settings. - ## Prevent kernel information leaks in the console during boot. +## Must be used in combination with the kernel boot parameters. +## See /etc/default/grub.d/41_quiet_boot.cfg for implementation. ## -kernel.printk = 3 3 3 3 +## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html +## +kernel.printk=3 3 3 3 + +## For Increased Log Verbosity: +## Adjust (or comment out) the kernel parameters in /etc/default/grub.d/41_quiet_boot.cfg. +## Alternatively, installing the debug-misc package will undo these settings. \ No newline at end of file diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 5fbe51c..c1316be 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf 
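Review bot: the rewritten 30_silent-kernel-printk.conf in this hunk ends without a newline ("\ No newline at end of file"); add one, since the last line is a comment and a future append will otherwise be glued onto it. "Must be used in combination with the kernel boot parameters." should also say why, and which: sysctl.d is applied by systemd-sysctl after the kernel has already written its early boot messages to the console, so `kernel.printk` alone cannot silence them and a `loglevel=` or `quiet` entry on the kernel command line (the content of 41_quiet_boot.cfg) is what covers the window before userspace starts. Naming the parameters here saves the reader opening the grub fragment. Dropping the space in `kernel.printk=3 3 3 3` to match the other files is fine.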
@@ -38,6 +38,10 @@ kernel.kptr_restrict=2 kernel.dmesg_restrict=1 ## Prevent kernel information leaks in the console during boot. +## Must be used in combination with the kernel boot parameters. +## See /etc/default/grub.d/41_quiet_boot.cfg for implementation. +## +## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html ## ## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation. ## From d1119c38b6ad4193919d4b800de0a3cb014f92c1 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 17 Jul 2024 00:31:23 +1000 Subject: [PATCH 08/10] Apply changes from code review --- README.md | 10 ++++++---- usr/lib/sysctl.d/990-security-misc.conf | 2 ++ 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 5d9b594..14d1a23 100644 --- a/README.md +++ b/README.md @@ -16,7 +16,8 @@ configuration file. Significant hardening is applied by default to a myriad of components within kernel space, user space, core dumps, and swap space. -- Restrict kernel addresses regardless of user privileges. +- Restrict access to kernel addresses through the us of kernel pointers regardless + of user privileges. - Restrict access to the kernel logs to `CAP_SYSLOG` as the often contain sensitive information. @@ -33,7 +34,7 @@ space, user space, core dumps, and swap space. - Disable `kexec` as it can be used to replace the running kernel. - Entirely disables the SysRq key so that the Secure Attention Key (SAK) - can no longer be utilised. + can no longer be utilised. See [documentation](https://www.kicksecure.com/wiki/SysRq). - Provide option to disable unprivileged user namespaces as they can lead to privilege escalation. 
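Review bot: typo in the `@@ -16,7` README hunk: "through the us of kernel pointers" should be "use", and the neighbouring unchanged line "as the often contain" needs "they". While here, the sentence could say what `kernel.kptr_restrict=2` (visible in the conf hunk above) actually does: kernel addresses in /proc/kallsyms, dmesg and similar interfaces are printed as zeros for every user, root included, which is the concrete meaning of "regardless of user privileges".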
@@ -50,12 +51,13 @@ space, user space, core dumps, and swap space. - Prevent hardlink and symlink TOCTOU races in world-writable directories. -- Disallow unintentional writes to attacker-controlled files. +- Disallow unintentional writes to files in world-writable directories unless + they are owned by the directory owner to mitigate some data spoofing attacks. - Increase the maximum number of memory map areas a process is able to utilise. - Disable core dump files and prevent their creation. If core dump files are - enabled, they will be nammed based on `core.PID` instead of the default `core`. + enabled, they will be named based on `core.PID` instead of the default `core`. - Limit the copying of potentially sensitive content in memory to the swap device. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index c1316be..3c80e23 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -215,8 +215,10 @@ kernel.core_uses_pid=1 ## Limit the copying of memory to the swap device only if absolutely necessary. ## Minimises the likelihood of writing potentially sensitive contents to disk. +## Not reccommmeded to set to zero since this disables periodic write behavior. ## ## https://en.wikipedia.org/wiki/Memory_paging#Linux +## https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Performance_Tuning_Guide/s-memory-tunables.html ## vm.swappiness=1 From 824d9b82e53485eed8eaf24e9815ac07ad0f2406 Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 17 Jul 2024 00:36:18 +1000 Subject: [PATCH 09/10] Uncomment redundant disabling of TCP FACK` --- usr/lib/sysctl.d/990-security-misc.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 3c80e23..fd51343 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf 
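Review bot: the `@@ -215,8` hunk adds "Not reccommmeded to set to zero since this disables periodic write behavior.", which has a typo and gives the wrong reason: `vm.swappiness` has nothing to do with periodic writeback (that is the `vm.dirty_*` family), and 0 does not disable swapping either, it only makes the kernel avoid swapping anonymous pages until free memory reaches the zone high watermark, after which it swaps anyway. The point worth making is that 0 defers reclaim until memory is almost exhausted and can turn a slow degradation into abrupt OOM kills, whereas 1 still lets the kernel swap gradually, which is why 1 is chosen. The linked RHEL 6 guide predates the 3.5 change in how 0 is treated; link the kernel's admin-guide sysctl/vm documentation instead.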
@@ -309,7 +309,7 @@ net.ipv6.conf.default.accept_ra=0 ## #net.ipv4.tcp_sack=0 #net.ipv4.tcp_dsack=0 -net.ipv4.tcp_fack=0 +#net.ipv4.tcp_fack=0 ## Disable TCP timestamps to limit device fingerprinting via system time. ## From 693b47e6235528ab7a9032818cce22fd63a4f5ea Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Wed, 17 Jul 2024 14:58:30 +1000 Subject: [PATCH 10/10] Clarify ICMP redirect acceptance and sending --- usr/lib/sysctl.d/990-security-misc.conf | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index fd51343..3cebc76 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -252,16 +252,22 @@ net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.default.rp_filter=1 ## Disable ICMP redirect acceptance and redirect sending messages. -## Prevents man-in-the-middle attacks and minimises information disclosure. +## Prevents man-in-the-middle attacks and minimises information disclosure. +## +## https://askubuntu.com/questions/118273/what-are-icmp-redirects-and-should-they-be-blocked ## net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.default.accept_redirects=0 -net.ipv4.conf.all.secure_redirects=0 -net.ipv4.conf.default.secure_redirects=0 -net.ipv6.conf.all.accept_redirects=0 -net.ipv6.conf.default.accept_redirects=0 net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_redirects=0 +net.ipv6.conf.all.accept_redirects=0 +net.ipv6.conf.default.accept_redirects=0 + +## Accept ICMP redirect messages only for approved gateways. +## If ICMP redirect messages are permitted, only useful if managing a default gateway list. +## +net.ipv4.conf.all.secure_redirects=0 +net.ipv4.conf.default.secure_redirects=0 ## Ignore ICMP echo requests. ## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks.
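Review bot: the `@@ -309,7` hunk comments out `net.ipv4.tcp_fack=0` with the reason only in the commit message ("redundant"); put it in the file, since an auditor reading the conf sees SACK and DSACK optional and FACK commented out with no explanation. The reason is that the kernel removed FACK in Linux 4.15 and kept `tcp_fack` only as a no-op sysctl for compatibility, so the line does nothing on any kernel this package targets.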
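Review bot: the `@@ -252,16` hunk introduces a contradiction: the new heading "Accept ICMP redirect messages only for approved gateways." describes `secure_redirects=1`, but the lines beneath it set `net.ipv4.conf.{all,default}.secure_redirects=0`, which is the permissive value (the kernel's ip-sysctl documentation: 1 accepts redirects only from gateways in the interface's gateway list, 0 accepts them from any host). With `accept_redirects=0` the knob is moot today, but if a user ever re-enables redirect acceptance this leaves them in the weaker state, so set `secure_redirects=1` (or simply leave the kernel default) as defence in depth. Two smaller points: "Prevents man-in-the-middle attacks" overclaims, "reduces the risk of route manipulation on the local segment" is what disabling redirect acceptance buys; and the "minimises information disclosure." line appears as both `-` and `+`, a whitespace-only change that should be mentioned in the commit message. In the trailing context, "Ignore ICMP echo requests. Prevents clock fingerprinting through ICMP timestamps" is also inaccurate: `icmp_echo_ignore_all` drops only echo requests, while ICMP timestamp requests (type 13) are answered by the kernel regardless, so that claim needs a firewall rule rather than this sysctl.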