cat /etc/default/grub.d/01_hardening.cfg
# Linux command line options recommended by the KSPP
# https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings#kernel_command_line_options
GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT kaslr pti=on slab_nomerge page_poison=1 slub_debug=FPZ nosmt"
# Other interesting options are:
# - intel_iommu=on (sometimes intel_iommu=on,igfx_off) for enabling the IOMMU
# When done editing the file, rebuild grub configuration with: update-grub
cat /usr/lib/sysctl.d/10-hardening.conf
# sysctl recommended by the KSPP
# https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings#sysctls
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
kernel.kptr_restrict = 1
# Avoid kernel memory address exposures via dmesg.
kernel.dmesg_restrict = 1
# Block non-uid-0 profiling (needs distro patch, otherwise this is the same as "= 2")
kernel.perf_event_paranoid = 3
# Turn off kexec, even if it's built in.
kernel.kexec_load_disabled = 1
# ptrace hardening
# 1: Avoid non-ancestor ptrace access to running processes and their credentials.
# 2: Restrict ptrace access to processes with CAP_SYS_PTRACE
# 3: Completely disable ptrace
kernel.yama.ptrace_scope = 1
# Disable User Namespaces, as it opens up a large attack surface to unprivileged users.
# On Debian kernel.unprivileged_userns_clone is set to 0 by default as well
user.max_user_namespaces = 0
# Turn off unprivileged eBPF access.
kernel.unprivileged_bpf_disabled = 1
# Turn on BPF JIT hardening, if the JIT is enabled.
net.core.bpf_jit_harden = 2
# On x86_64 this adds some bits to userspace ASLR
# vm.mmap_rnd_bits=32
# If all relevant modules have been loaded in the initramfs (by listing them in
# /etc/initramfs-tools/modules and rebuilding the initramfs with update-initramfs),
# one can completely disable module loading with:
# kernel.modules_disabled = 1
# Note that this is a one-way switch: once set to 1 it cannot be cleared until reboot.
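A quick way to see whether a sysctl.d fragment like the one above actually took effect on the running kernel is to parse the file and compare every key with /proc/sys. The script below is an added example written for this thread, not part of security-misc or of the KSPP page; the sample configuration it writes out is constructed for the demo, and `sample_reader` stands in for a hypothetical unhardened host so the first run is reproducible offline. Reading /proc/sys needs no privileges for these keys, so it can be run as a normal user.

```shell
#!/bin/sh
# Added example: audit live sysctl values against a sysctl.d-style file.
# Not part of security-misc; the sample config and sample_reader are constructed.

# Collapse runs of spaces/tabs and trim, so "3 3 3 3" in the config compares
# equal to the tab-separated "3\t3\t3\t3" the kernel prints for kernel.printk.
normalize() {
    printf '%s' "$1" | tr -s ' \t' ' ' | sed 's/^ //; s/ $//'
}

# Read one value from /proc/sys (key a.b.c -> /proc/sys/a/b/c).
read_sysctl() {
    path="/proc/sys/$(printf '%s' "$1" | tr . /)"
    if [ -r "$path" ]; then cat "$path"; else printf 'MISSING'; fi
}

# Stand-in reader describing a hypothetical unhardened host (constructed values).
sample_reader() {
    case "$1" in
        kernel.kptr_restrict)     printf '1\n' ;;
        kernel.dmesg_restrict)    printf '1\n' ;;
        kernel.yama.ptrace_scope) printf '0\n' ;;
        kernel.printk)            printf '4\t4\t1\t7\n' ;;
        *)                        printf 'MISSING\n' ;;
    esac
}

# Emit "key|value" per setting; whole-line comments (# or ;) and blank lines
# are dropped and whitespace around '=' is trimmed, as sysctl(8) does.
parse_sysctl_conf() {
    sed -e 's/^[[:space:]]*[#;].*//' -e '/^[[:space:]]*$/d' "$1" |
    while IFS= read -r line; do
        key=$(printf '%s' "${line%%=*}" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        val=$(printf '%s' "${line#*=}"  | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        printf '%s|%s\n' "$key" "$val"
    done
}

# Print OK/MISMATCH per key. $2 names the reader function (default: /proc/sys).
audit_sysctl() {
    reader="${2:-read_sysctl}"
    parse_sysctl_conf "$1" | while IFS='|' read -r key want; do
        have=$(normalize "$("$reader" "$key")")
        if [ "$have" = "$(normalize "$want")" ]; then
            printf 'OK %s = %s\n' "$key" "$have"
        else
            printf 'MISMATCH %s: want "%s", have "%s"\n' "$key" "$want" "$have"
        fi
    done
}

# Number of settings that differ (handy as a CI exit-status source).
count_mismatches() {
    audit_sysctl "$@" | grep -c '^MISMATCH' || true
}

# Constructed sample: a subset of the KSPP sysctls quoted above.
write_sample_conf() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed sample config, not the real security-misc file
kernel.kptr_restrict = 1
kernel.dmesg_restrict = 1
kernel.yama.ptrace_scope = 1
kernel.printk = 3 3 3 3
EOF
    printf '%s\n' "$f"
}

conf=$(write_sample_conf)
echo "== against the constructed sample host =="
audit_sysctl "$conf" sample_reader
echo "== against this machine's /proc/sys =="
audit_sysctl "$conf"
echo "mismatches on this machine: $(count_mismatches "$conf")"
rm -f "$conf"
```

To audit the real package file, point it at /usr/lib/sysctl.d/10-hardening.conf instead of the constructed sample; a MISSING value means the key does not exist on that kernel (for example a kernel built without Yama has no kernel.yama.ptrace_scope), which is worth distinguishing from a wrong value.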
No, it’s just stuff we’ve already enabled or unneeded things. Some of these options are defaults so I don’t know why they’re in this package.
kaslr
KASLR is enabled by default in Debian and most other distros.
kernel.perf_event_paranoid = 3
This is a default in Debian and requires a kernel patch so we can’t set it in security-misc for other distros since they might not have the patch.
user.max_user_namespaces = 0
Disabling user namespaces entirely will break many sandboxing applications and won’t give any benefit. User namespaces do add a lot of attack surface for privilege escalation but as Debian disables it for unprivileged users by default with a kernel patch, disabling them entirely is pointless.
If all relevant modules have been loaded in the initramfs (by listing them in /etc/initramfs/modules and rebuilding the initramfs with update-initramfs), one can completely disable module loading with:
Should review generally which systemd target pulls services. Some services make much more sense (better security) when run during sysinit target before anything else that might get exploited later on (desktop environment, browser, web servers, etc.)
Quote: Lennart Poettering (systemd developer) said in 2014:
Sorry, but we simply don’t support hidepid= as it is implemented right now in the kernel. We need to be able to get metadata out of /proc for clients. journald needs that, polkit does, our APIs do that, there’s probably a lot more.
hidepid= is a bit naive there.
I’d actually like to support it better, but if we do that I figure we need some kernel changes first. instead of being a kernel-wide setting it should be a per-mount point setting, so that we can turn it on for some services, and turn it off for others, simply by passing different settings to the procfs in their respective mount namespaces.
Anyway, the way it stands now, we cannot support this. Sorry.
That quote is a bit old. Things may or may not be better by now.
During boot, the kernel logs are displayed on the console. As the kernel logs are meant to be restricted to root (kernel.dmesg_restrict=1), this should probably be disabled.
Setting kernel.printk=3 3 3 3 with sysctl configures it so only really important errors will be displayed.
Also whonixcheck needs lockdown wrt log viewing. Allows users to see log on systemd warning/error/cycle messages. Running whonixcheck should require sudo but as much as possible should run unprivileged.
I still see some logs after running that. Changing the kernel.printk sysctl hides more. I can still see some logs even with changing kernel.printk, as it starts displaying logs before systemd-sysctl is executed. The only way around that would be setting kernel.printk in the initramfs, before systemd has started, if it’s even possible.
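One way to apply the printk level before systemd-sysctl runs is an initramfs-tools init-top script: those run after the initramfs has mounted /proc and before the real root file system is switched to, so they precede everything systemd does. What follows is an added example written for this thread, not a file shipped by security-misc or Whonix; the file name printk-quiet and the PRINTK_WANT variable are this example's own choices. apply_printk takes its target path as a parameter so the logic can be exercised on a scratch file without touching a live kernel. Install it executable as /etc/initramfs-tools/scripts/init-top/printk-quiet and run update-initramfs -u. (For the very earliest messages the kernel command line also accepts loglevel=3, which takes effect before any userspace runs at all.)

```shell
#!/bin/sh
# Added example: /etc/initramfs-tools/scripts/init-top/printk-quiet (name assumed).
# Sets kernel.printk from inside the initramfs, before systemd starts.

# initramfs-tools ordering protocol: answer "prereqs" with the scripts we
# depend on (none here); on any other invocation fall through and do the work.
PREREQ=""
prereqs() { echo "$PREREQ"; }
case "$1" in
    prereqs) prereqs; exit 0 ;;
esac

# Fields: console_loglevel default_message_loglevel minimum_console_loglevel
# default_console_loglevel. Console level 3 lets only messages of priority
# 0-2 (emerg, alert, crit) through to the console.
PRINTK_WANT="${PRINTK_WANT:-3 3 3 3}"

# Write the level to a printk control file and confirm it was kept.
# The path is a parameter so the function can be tested on a scratch file.
apply_printk() {
    target="$1"
    if [ ! -w "$target" ]; then
        echo "printk-quiet: $target is not writable" >&2
        return 1
    fi
    printf '%s\n' "$PRINTK_WANT" > "$target" || return 1
    # The kernel reports the fields tab-separated; normalise before comparing.
    have=$(tr -s ' \t' ' ' < "$target" | sed 's/ $//')
    [ "$have" = "$PRINTK_WANT" ]
}

# Only touch the live kernel when really running inside an initramfs-tools
# image (it ships /scripts/functions); a failure must not abort the boot.
if [ -f /scripts/functions ]; then
    . /scripts/functions
    apply_printk /proc/sys/kernel/printk || log_warning_msg "could not set kernel.printk"
fi
```

Keep the sysctl.d entry as well: the initramfs write covers the window before systemd-sysctl, and the sysctl.d file makes the setting visible to anyone auditing the installed configuration.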
During security-misc installation and/or a systemd service.
Looks global.
Logs can still be viewed with sudo dmesg. They were never available to unprivileged users in the first place as Debian sets kernel.dmesg_restrict=1 by default.