Merge pull request #276 from raja-grewal/KSPP_header

Clarify KSPP compliance header
2025-01-05 13:08:04 +07:00 · 2024-10-16 06:29:25 -04:00 · 2024-10-16 06:29:25 -04:00 · e50ad807c0
commit e50ad807c0
parent 263335f74e eb72163d57
9 changed files with 18 additions and 5 deletions
--- a/README.md
+++ b/README.md
@ -46,7 +46,8 @@ Kernel space:

 - Force the kernel to panic on both "oopses", which can potentially indicate and thwart
  certain kernel exploitation attempts, and also kernel warnings in the `WARN()` path.
-  Optional - Force immediate reboot on the occurrence of a single kernel panic and also
+  
+- Optional - Force immediate reboot on the occurrence of a single kernel panic and also
  (when using Linux kernel >= 6.2) limit the number of allowed panics to one.

 - Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
@ -206,13 +207,15 @@ Networking:

 **Summary:**

-`security-misc` is in full compliance with KSPP recommendations wherever feasible. However, there are a few cases of partial or non-compliance due to technical limitations.
+`security-misc` is in full compliance with KSPP recommendations wherever feasible. However,
+there are a few cases of partial or non-compliance due to technical limitations.

 * [KSPP Recommended Settings](https://kspp.github.io/Recommended_Settings)

 **Full compliance:**

-More than 30 kernel boot parameters and over 30 sysctl settings are fully aligned with KSPP's recommendations.
+More than 30 kernel boot parameters and over 30 sysctl settings are fully aligned with
+the KSPP's recommendations.

 **Partial compliance:**

@ -224,7 +227,8 @@ Completely disables `ptrace()`. Can be enabled easily if needed.

 2. `sysctl kernel.panic=-1`

-Forces an immediate reboot on kernel panic. This can be enabled, but it may lead to unexpected system crashes.
+Forces an immediate reboot on kernel panic. This can be enabled, but it may lead to unexpected
+system crashes.

 * [security-misc pull request #264](https://github.com/Kicksecure/security-misc/pull/264)
 * [security-misc pull request #268](https://github.com/Kicksecure/security-misc/pull/268)
@ -239,7 +243,8 @@ Disables user namespaces entirely. Not recommended due to the potential for wide

 4. `sysctl fs.binfmt_misc.status=0`

-Disables the registration of interpreters for miscellaneous binary formats. Currently not feasible due to compatibility issues with Firefox.
+Disables the registration of interpreters for miscellaneous binary formats. Currently not
+feasible due to compatibility issues with Firefox.

 * [security-misc pull request #249](https://github.com/Kicksecure/security-misc/pull/249)
 * [security-misc issue #267](https://github.com/Kicksecure/security-misc/issues/267)
--- a/etc/default/grub.d/40_cpu_mitigations.cfg
+++ b/etc/default/grub.d/40_cpu_mitigations.cfg
@ -5,6 +5,7 @@
 ## KSPP=yes: compliant with recommendations by the KSPP
 ## KSPP=partial: partially compliant with recommendations by the KSPP
 ## KSPP=no: not (currently) compliant with recommendations by the KSPP
+## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP.

 ## Enable known mitigations for CPU vulnerabilities.
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@ -9,6 +9,7 @@ kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || tru
 ## KSPP=yes: compliant with recommendations by the KSPP
 ## KSPP=partial: partially compliant with recommendations by the KSPP
 ## KSPP=no: not (currently) compliant with recommendations by the KSPP
+## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP.

 ## This configuration file is split into 4 sections:
 ## 1. Kernel Space
--- a/etc/default/grub.d/40_remount_secure.cfg
+++ b/etc/default/grub.d/40_remount_secure.cfg
@ -5,6 +5,7 @@
 ## KSPP=yes: compliant with recommendations by the KSPP
 ## KSPP=partial: partially compliant with recommendations by the KSPP
 ## KSPP=no: not (currently) compliant with recommendations by the KSPP
+## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP.

 ## Remount Secure provides enhanced security via mount options:
 ## https://www.kicksecure.com/wiki/Security-misc#Remount_Secure
--- a/etc/default/grub.d/40_signed_modules.cfg
+++ b/etc/default/grub.d/40_signed_modules.cfg
@ -5,6 +5,7 @@
 ## KSPP=yes: compliant with recommendations by the KSPP
 ## KSPP=partial: partially compliant with recommendations by the KSPP
 ## KSPP=no: not (currently) compliant with recommendations by the KSPP
+## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP.

 ## Require every kernel module to be signed before being loaded.
 ## Any module that is unsigned or signed with an invalid key cannot be loaded.
--- a/etc/default/grub.d/41_quiet_boot.cfg
+++ b/etc/default/grub.d/41_quiet_boot.cfg
@ -5,6 +5,7 @@
 ## KSPP=yes: compliant with recommendations by the KSPP
 ## KSPP=partial: partially compliant with recommendations by the KSPP
 ## KSPP=no: not (currently) compliant with recommendations by the KSPP
+## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP.

 ## Some default configuration files automatically include the "quiet" parameter.
 ## Therefore, first remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT since "quiet" must be first.
--- a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf
+++ b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf
@ -5,6 +5,7 @@
 ## KSPP=yes: compliant with recommendations by the KSPP
 ## KSPP=partial: partially compliant with recommendations by the KSPP
 ## KSPP=no: not (currently) compliant with recommendations by the KSPP
+## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP.

 ## NOTE:
 ## This configuration is in a dedicated file because the ram-wipe package
--- a/usr/lib/sysctl.d/30_silent-kernel-printk.conf
+++ b/usr/lib/sysctl.d/30_silent-kernel-printk.conf
@ -5,6 +5,7 @@
 ## KSPP=yes: compliant with recommendations by the KSPP
 ## KSPP=partial: partially compliant with recommendations by the KSPP
 ## KSPP=no: not (currently) compliant with recommendations by the KSPP
+## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP.

 ## Prevent kernel information leaks in the console during boot.
 ## Must be used in conjunction with kernel boot parameters.
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@ -10,6 +10,7 @@
 ## KSPP=yes: compliant with recommendations by the KSPP
 ## KSPP=partial: partially compliant with recommendations by the KSPP
 ## KSPP=no: not (currently) compliant with recommendations by the KSPP
+## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP.

 ## This configuration file is divided into 5 sections:
 ## 1. Kernel Space