diff --git a/README.md b/README.md index c700ba8..c23d261 100644 --- a/README.md +++ b/README.md @@ -46,7 +46,8 @@ Kernel space: - Force the kernel to panic on both "oopses", which can potentially indicate and thwart certain kernel exploitation attempts, and also kernel warnings in the `WARN()` path. - Optional - Force immediate reboot on the occurrence of a single kernel panic and also + +- Optional - Force immediate reboot on the occurrence of a single kernel panic and also (when using Linux kernel >= 6.2) limit the number of allowed panics to one. - Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. @@ -206,13 +207,15 @@ Networking: **Summary:** -`security-misc` is in full compliance with KSPP recommendations wherever feasible. However, there are a few cases of partial or non-compliance due to technical limitations. +`security-misc` is in full compliance with KSPP recommendations wherever feasible. However, +there are a few cases of partial or non-compliance due to technical limitations. * [KSPP Recommended Settings](https://kspp.github.io/Recommended_Settings) **Full compliance:** -More than 30 kernel boot parameters and over 30 sysctl settings are fully aligned with KSPP's recommendations. +More than 30 kernel boot parameters and over 30 sysctl settings are fully aligned with +the KSPP's recommendations. **Partial compliance:** @@ -224,7 +227,8 @@ Completely disables `ptrace()`. Can be enabled easily if needed. 2. `sysctl kernel.panic=-1` -Forces an immediate reboot on kernel panic. This can be enabled, but it may lead to unexpected system crashes. +Forces an immediate reboot on kernel panic. This can be enabled, but it may lead to unexpected +system crashes. * [security-misc pull request #264](https://github.com/Kicksecure/security-misc/pull/264) * [security-misc pull request #268](https://github.com/Kicksecure/security-misc/pull/268) @@ -239,7 +243,8 @@ Disables user namespaces entirely. Not recommended due to the potential for wide 4. `sysctl fs.binfmt_misc.status=0` -Disables the registration of interpreters for miscellaneous binary formats. Currently not feasible due to compatibility issues with Firefox. +Disables the registration of interpreters for miscellaneous binary formats. Currently not +feasible due to compatibility issues with Firefox. * [security-misc pull request #249](https://github.com/Kicksecure/security-misc/pull/249) * [security-misc issue #267](https://github.com/Kicksecure/security-misc/issues/267) diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg index 5960e14..e426673 100644 --- a/etc/default/grub.d/40_cpu_mitigations.cfg +++ b/etc/default/grub.d/40_cpu_mitigations.cfg @@ -5,6 +5,7 @@ ## KSPP=yes: compliant with recommendations by the KSPP ## KSPP=partial: partially compliant with recommendations by the KSPP ## KSPP=no: not (currently) compliant with recommendations by the KSPP +## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. ## Enable known mitigations for CPU vulnerabilities. ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg index ad7e61a..e41dabb 100644 --- a/etc/default/grub.d/40_kernel_hardening.cfg +++ b/etc/default/grub.d/40_kernel_hardening.cfg @@ -9,6 +9,7 @@ kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || tru ## KSPP=yes: compliant with recommendations by the KSPP ## KSPP=partial: partially compliant with recommendations by the KSPP ## KSPP=no: not (currently) compliant with recommendations by the KSPP +## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. ## This configuration file is split into 4 sections: ## 1. Kernel Space diff --git a/etc/default/grub.d/40_remount_secure.cfg b/etc/default/grub.d/40_remount_secure.cfg index f92991a..f06235b 100644 --- a/etc/default/grub.d/40_remount_secure.cfg +++ b/etc/default/grub.d/40_remount_secure.cfg @@ -5,6 +5,7 @@ ## KSPP=yes: compliant with recommendations by the KSPP ## KSPP=partial: partially compliant with recommendations by the KSPP ## KSPP=no: not (currently) compliant with recommendations by the KSPP +## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. ## Remount Secure provides enhanced security via mount options: ## https://www.kicksecure.com/wiki/Security-misc#Remount_Secure diff --git a/etc/default/grub.d/40_signed_modules.cfg b/etc/default/grub.d/40_signed_modules.cfg index b33dceb..75cd3bb 100644 --- a/etc/default/grub.d/40_signed_modules.cfg +++ b/etc/default/grub.d/40_signed_modules.cfg @@ -5,6 +5,7 @@ ## KSPP=yes: compliant with recommendations by the KSPP ## KSPP=partial: partially compliant with recommendations by the KSPP ## KSPP=no: not (currently) compliant with recommendations by the KSPP +## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. ## Require every kernel module to be signed before being loaded. ## Any module that is unsigned or signed with an invalid key cannot be loaded. diff --git a/etc/default/grub.d/41_quiet_boot.cfg b/etc/default/grub.d/41_quiet_boot.cfg index 33b412d..9623625 100644 --- a/etc/default/grub.d/41_quiet_boot.cfg +++ b/etc/default/grub.d/41_quiet_boot.cfg @@ -5,6 +5,7 @@ ## KSPP=yes: compliant with recommendations by the KSPP ## KSPP=partial: partially compliant with recommendations by the KSPP ## KSPP=no: not (currently) compliant with recommendations by the KSPP +## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. ## Some default configuration files automatically include the "quiet" parameter. ## Therefore, first remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT since "quiet" must be first. diff --git a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf index da77fd7..5c38e38 100644 --- a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf +++ b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf @@ -5,6 +5,7 @@ ## KSPP=yes: compliant with recommendations by the KSPP ## KSPP=partial: partially compliant with recommendations by the KSPP ## KSPP=no: not (currently) compliant with recommendations by the KSPP +## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. ## NOTE: ## This configuration is in a dedicated file because the ram-wipe package diff --git a/usr/lib/sysctl.d/30_silent-kernel-printk.conf b/usr/lib/sysctl.d/30_silent-kernel-printk.conf index 44b0b25..a1fd57e 100644 --- a/usr/lib/sysctl.d/30_silent-kernel-printk.conf +++ b/usr/lib/sysctl.d/30_silent-kernel-printk.conf @@ -5,6 +5,7 @@ ## KSPP=yes: compliant with recommendations by the KSPP ## KSPP=partial: partially compliant with recommendations by the KSPP ## KSPP=no: not (currently) compliant with recommendations by the KSPP +## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. ## Prevent kernel information leaks in the console during boot. ## Must be used in conjunction with kernel boot parameters. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index e4ae584..6009fc4 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -10,6 +10,7 @@ ## KSPP=yes: compliant with recommendations by the KSPP ## KSPP=partial: partially compliant with recommendations by the KSPP ## KSPP=no: not (currently) compliant with recommendations by the KSPP +## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP. ## This configuration file is divided into 5 sections: ## 1. Kernel Space