From 09fe46adc956e8c6de232f1093c37cdd30933acd Mon Sep 17 00:00:00 2001
From: raja-grewal
Date: Mon, 14 Oct 2024 02:54:30 +0000
Subject: [PATCH 1/3] Clarify KSPP compliance header for the undocumented case

---
 etc/default/grub.d/40_cpu_mitigations.cfg | 1 +
 etc/default/grub.d/40_kernel_hardening.cfg | 1 +
 etc/default/grub.d/40_remount_secure.cfg | 1 +
 etc/default/grub.d/40_signed_modules.cfg | 1 +
 etc/default/grub.d/41_quiet_boot.cfg | 1 +
 usr/lib/sysctl.d/30_security-misc_kexec-disable.conf | 1 +
 usr/lib/sysctl.d/30_silent-kernel-printk.conf | 1 +
 usr/lib/sysctl.d/990-security-misc.conf | 1 +
 8 files changed, 8 insertions(+)

diff --git a/etc/default/grub.d/40_cpu_mitigations.cfg b/etc/default/grub.d/40_cpu_mitigations.cfg
index 5960e14..e426673 100644
--- a/etc/default/grub.d/40_cpu_mitigations.cfg
+++ b/etc/default/grub.d/40_cpu_mitigations.cfg
@@ -5,6 +5,7 @@
 ## KSPP=yes: compliant with recommendations by the KSPP
 ## KSPP=partial: partially compliant with recommendations by the KSPP
 ## KSPP=no: not (currently) compliant with recommendations by the KSPP
+## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP.
 
 ## Enable known mitigations for CPU vulnerabilities.
 ## https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg
index ad7e61a..e41dabb 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@@ -9,6 +9,7 @@ kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || tru
 ## KSPP=yes: compliant with recommendations by the KSPP
 ## KSPP=partial: partially compliant with recommendations by the KSPP
 ## KSPP=no: not (currently) compliant with recommendations by the KSPP
+## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP.
 
 ## This configuration file is split into 4 sections:
 ## 1. Kernel Space
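Review bot: The legend line added to the header, `## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP.`, is phrased as a statement about the KSPP itself, yet a reader cannot tell from it whether an unmarked setting is genuinely outside the KSPP recommendations or simply has not been assessed against them yet, and those two cases call for different follow-up. Consider wording it as the maintainers' convention rather than as a fact about the KSPP, for example `## Settings without an explicit KSPP compliance notice are not covered by the KSPP recommendations.`, and if not-yet-assessed settings exist, a fourth legend value (constructed example: `KSPP=unknown`) would keep the legend honest. The identical line is added at the same position in 40_kernel_hardening.cfg, 40_remount_secure.cfg, 40_signed_modules.cfg, 41_quiet_boot.cfg, 30_security-misc_kexec-disable.conf, 30_silent-kernel-printk.conf and 990-security-misc.conf, so the legend is now duplicated eight times and any future rewording will have to be applied to all of them together.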
diff --git a/etc/default/grub.d/40_remount_secure.cfg b/etc/default/grub.d/40_remount_secure.cfg
index f92991a..f06235b 100644
--- a/etc/default/grub.d/40_remount_secure.cfg
+++ b/etc/default/grub.d/40_remount_secure.cfg
@@ -5,6 +5,7 @@
 ## KSPP=yes: compliant with recommendations by the KSPP
 ## KSPP=partial: partially compliant with recommendations by the KSPP
 ## KSPP=no: not (currently) compliant with recommendations by the KSPP
+## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP.
 
 ## Remount Secure provides enhanced security via mount options:
 ## https://www.kicksecure.com/wiki/Security-misc#Remount_Secure
diff --git a/etc/default/grub.d/40_signed_modules.cfg b/etc/default/grub.d/40_signed_modules.cfg
index b33dceb..75cd3bb 100644
--- a/etc/default/grub.d/40_signed_modules.cfg
+++ b/etc/default/grub.d/40_signed_modules.cfg
@@ -5,6 +5,7 @@
 ## KSPP=yes: compliant with recommendations by the KSPP
 ## KSPP=partial: partially compliant with recommendations by the KSPP
 ## KSPP=no: not (currently) compliant with recommendations by the KSPP
+## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP.
 
 ## Require every kernel module to be signed before being loaded.
 ## Any module that is unsigned or signed with an invalid key cannot be loaded.
diff --git a/etc/default/grub.d/41_quiet_boot.cfg b/etc/default/grub.d/41_quiet_boot.cfg
index 33b412d..9623625 100644
--- a/etc/default/grub.d/41_quiet_boot.cfg
+++ b/etc/default/grub.d/41_quiet_boot.cfg
@@ -5,6 +5,7 @@
 ## KSPP=yes: compliant with recommendations by the KSPP
 ## KSPP=partial: partially compliant with recommendations by the KSPP
 ## KSPP=no: not (currently) compliant with recommendations by the KSPP
+## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP.
 
 ## Some default configuration files automatically include the "quiet" parameter.
 ## Therefore, first remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT since "quiet" must be first.
diff --git a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf
index da77fd7..5c38e38 100644
--- a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf
+++ b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf
@@ -5,6 +5,7 @@
 ## KSPP=yes: compliant with recommendations by the KSPP
 ## KSPP=partial: partially compliant with recommendations by the KSPP
 ## KSPP=no: not (currently) compliant with recommendations by the KSPP
+## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP.
 
 ## NOTE:
 ## This configuration is in a dedicated file because the ram-wipe package
diff --git a/usr/lib/sysctl.d/30_silent-kernel-printk.conf b/usr/lib/sysctl.d/30_silent-kernel-printk.conf
index 44b0b25..a1fd57e 100644
--- a/usr/lib/sysctl.d/30_silent-kernel-printk.conf
+++ b/usr/lib/sysctl.d/30_silent-kernel-printk.conf
@@ -5,6 +5,7 @@
 ## KSPP=yes: compliant with recommendations by the KSPP
 ## KSPP=partial: partially compliant with recommendations by the KSPP
 ## KSPP=no: not (currently) compliant with recommendations by the KSPP
+## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP.
 
 ## Prevent kernel information leaks in the console during boot.
 ## Must be used in conjunction with kernel boot parameters.
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index e4ae584..6009fc4 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -10,6 +10,7 @@
 ## KSPP=yes: compliant with recommendations by the KSPP
 ## KSPP=partial: partially compliant with recommendations by the KSPP
 ## KSPP=no: not (currently) compliant with recommendations by the KSPP
+## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP.
 
 ## This configuration file is divided into 5 sections:
 ## 1. Kernel Space

From a9f238fe048acfeff49f96c00570acc6ca4c37e8 Mon Sep 17 00:00:00 2001
From: raja-grewal
Date: Mon, 14 Oct 2024 02:57:31 +0000
Subject: [PATCH 2/3] README.md: Split optional setting to new line

---
 README.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index c700ba8..a29cc29 100644
--- a/README.md
+++ b/README.md
@@ -46,7 +46,8 @@ Kernel space: - Force the kernel to panic on both "oopses", which can potentially indicate and thwart certain kernel exploitation attempts, and also kernel warnings in the `WARN()` path. - Optional - Force immediate reboot on the occurrence of a single kernel panic and also + +- Optional - Force immediate reboot on the occurrence of a single kernel panic and also (when using Linux kernel >= 6.2) limit the number of allowed panics to one. - Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.

From eb72163d5707c7673db1f12405d2e04261bd43c8 Mon Sep 17 00:00:00 2001
From: raja-grewal
Date: Mon, 14 Oct 2024 03:01:15 +0000
Subject: [PATCH 3/3] README.md: Make line lengths consistent

---
 README.md | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index a29cc29..c23d261 100644
--- a/README.md
+++ b/README.md
@@ -207,13 +207,15 @@ Networking: **Summary:** -`security-misc` is in full compliance with KSPP recommendations wherever feasible. However, there are a few cases of partial or non-compliance due to technical limitations. +`security-misc` is in full compliance with KSPP recommendations wherever feasible. However, +there are a few cases of partial or non-compliance due to technical limitations. * [KSPP Recommended Settings](https://kspp.github.io/Recommended_Settings) **Full compliance:** -More than 30 kernel boot parameters and over 30 sysctl settings are fully aligned with KSPP's recommendations. +More than 30 kernel boot parameters and over 30 sysctl settings are fully aligned with +the KSPP's recommendations. **Partial compliance:** @@ -225,7 +227,8 @@ Completely disables `ptrace()`. Can be enabled easily if needed. 2. `sysctl kernel.panic=-1` -Forces an immediate reboot on kernel panic. This can be enabled, but it may lead to unexpected system crashes. +Forces an immediate reboot on kernel panic. This can be enabled, but it may lead to unexpected +system crashes. * [security-misc pull request #264](https://github.com/Kicksecure/security-misc/pull/264) * [security-misc pull request #268](https://github.com/Kicksecure/security-misc/pull/268) @@ -240,7 +243,8 @@ Disables user namespaces entirely. Not recommended due to the potential for wide 4. `sysctl fs.binfmt_misc.status=0` -Disables the registration of interpreters for miscellaneous binary formats. Currently not feasible due to compatibility issues with Firefox. +Disables the registration of interpreters for miscellaneous binary formats. Currently not +feasible due to compatibility issues with Firefox. * [security-misc pull request #249](https://github.com/Kicksecure/security-misc/pull/249) * [security-misc issue #267](https://github.com/Kicksecure/security-misc/issues/267)