diff --git a/README.md b/README.md
index fde0464..a55002e 100644
--- a/README.md
+++ b/README.md
@@ -113,6 +113,8 @@ configuration file.
 - Obtain more entropy at boot from RAM as the runtime memory allocator is being initialised.
+- Provide option to disable the entire IPv6 stack to reduce attack surface.
+
 Disallow sensitive kernel information leaks in the console during boot. See the `/etc/default/grub.d/40_quiet_boot.cfg` configuration file.
diff --git a/etc/default/grub.d/40_kernel_hardening.cfg b/etc/default/grub.d/40_kernel_hardening.cfg
index 0129fe9..c4575b3 100644
--- a/etc/default/grub.d/40_kernel_hardening.cfg
+++ b/etc/default/grub.d/40_kernel_hardening.cfg
@@ -9,6 +9,7 @@ kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || tru
 ## 1. Kernel Space
 ## 2. Direct Memory Access
 ## 3. Entropy
+## 4. Networking
 ## See the documentation below for details on the majority of the selected commands.
 ## https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
@@ -171,3 +172,17 @@ GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX random.trust_cpu=off"
 ## https://github.com/anthraxx/linux-hardened/commit/a04458f97fe1f7e95888c77c0165b646375db9c4 ## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX extra_latent_entropy"
+
+## 4. Networking
##
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#kasr-boot-parameters
+
+## Disable the entire IPv6 stack functionality.
## Removes attack surface associated with the IPv6 module.
##
## https://www.kernel.org/doc/html/latest/networking/ipv6.html
## https://wiki.archlinux.org/title/IPv6#Disable_IPv6
##
## Enabling makes redundant many network hardening sysctl's in usr/lib/sysctl.d/990-security-misc.conf.
##
#ipv6.disable=1
\ No newline at end of file
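Review bot: The opt-in line `#ipv6.disable=1` at the end of the last hunk does not follow this file's own convention and would not work if a user uncommented it: every other parameter here is appended through `GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ..."`, as the hunk's own context line for `extra_latent_entropy` shows, and a bare `ipv6.disable=1` in a sourced grub.d snippet is not a valid shell assignment (dots are not allowed in variable names), so grub-mkconfig would try to execute it as a command and fail. It should read `## GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ipv6.disable=1"` so that removing the leading `## ` is all a user has to do. The comment `## Enabling makes redundant many network hardening sysctl's in usr/lib/sysctl.d/990-security-misc.conf.` also understates the effect: with the IPv6 stack disabled the `net.ipv6.*` keys presumably no longer exist under `/proc/sys`, so systemd-sysctl will likely log errors for them rather than silently skip them, which is worth stating, and the path should be written as `/usr/lib/sysctl.d/990-security-misc.conf` like the other absolute paths in this change. The file additionally loses its trailing newline (`\ No newline at end of file`), which should be restored.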