If something is not useful on it’s own for security-misc package (?),
add to apparmor-profile-everything package?
Maybe we should invent a package debug (not installed by default)
which ships config snippets which resets to normal debug kernel.yama.ptrace_scope=0, kernel.sysrq=1 and what not?
Only for non-root users. Run strace as root and it works fine.
Setting ptrace_scope to 2 restricts ptrace to root only, setting it to 3 denies access to ptrace entirely.
This would still be useful regardless if apparmor-profile-everything is used.
It would be preferable if it sets ptrace_scope to 2 as that still allows ptrace but only for root. ptrace is really dangerous is it gives malware an easy way to compromise any program in a user’s session. Disabling ptrace_scope wouldn’t be the best.
kernel.sysrq=1 is not the default. Dunno what Debian sets it to though.
A package debug which isn’t installed by default is a tool which must be as useful as possible for me. In past there was a situation where I needed to use strace to debug an application which should not be run as root (GUI application). Installing a debug package and then still needing to fiddle more (relax more settings) seems not useful for me. In Linux Kernel Runtime Guard (LKRG) - Linux Kernel Runtime Integrity Checking and Exploit Detection - #26 by Patrick I experienced a hard to debug issue which required serial console and SysRq. It wasn’t easy to set up a debug environment to gather any useful output. If it’s already hard for me as a developer, than I can only imagine how hard it would be for advanced users or new developers trying to debug something. Therefore there need to be strong development tools. A trigger someone can pull (superroot) sudo apt install debug to have access to unrestricted debugging. To debug something isn’t the most visible, rewarding task anyhow but having roadblocks on the way makes it even less likely someone could be bothered to look.
Could you please also process /etc/sysctl.conf? I personally don’t
like /etc/sysctl.conf file since there is /etc/sysctl.d folder but
this is required for consistency. /etc/sysctl.conf is still used by
many sysadmins and in many security guides.
Should we disable the systemd-sysctl service and apparmor profile in apparmor-profile-everything now?
I don’t know. Does that that work? The less code, the better. I guess
it’s no longer needed since no sysctl would be changed anyhow since
these get applied even already in initial ramdisk? systemd-sysctl trying
to re-enforce already existing settings wouldn’t require any permissions?
On the other hand, is it OK to say apparmor-profile-everything depends
on security-misc? Would that be the case?
At least I’d like to know which module specifically was refused loading.
Instead of install vivid /bin/false I tried install vivid /bin/false vivid. I.e. passing a parameter to /bin/false which would be ignored by /bin/false but useful to see in logs. That didn’t work. LKRG won’t show it.
It was security-misc kernel.core_pattern=|/bin/false
Therefore what do you think about changing /etc/modprobe.d/vivid.conf from
Attackers have exactly as much or as little control over /bin/false too?
The sysctl early loading inspired me. Would it make sense to load some kernel modules more early in initramfs too? initramfs supports force_load.
force_load
adds a module (and its dependencies) to the initramfs image and also
unconditionally loads the module during boot. Also supports passing arguments to
the module by listing them after the module name.
Useful kernel modules come to mind could be jitterentropy_rng and LKRG [1]. Others?
/bin/false already exists and has its permissions correctly set.
I don’t really like the idea of it pointing to an unknown file. What if /bin/false_vivid already exists but with 777 perms? An attacker can write whatever they want there and it will be regularly executed as root.
jitterentropy should be built-in, not a module. We already do that with hardened-kernel though.
LKRG and tirdad should be loaded as early as possible. Preferably, they would also be built-in but that’s not supported (yet?).
/bin/false already exists and has its permissions correctly set.
I don’t really like the idea of it pointing to an unknown file. What if /bin/false_vivid already exists but with 777 perms?
Nothing in /bin does ever exist (without previous system compromise or created by system administrator) that has permissions 777 (i.e. writeable by others than root). Any argument against /bin/false_vivid could also be made against /bin/false.
An attacker can write whatever they want there and it will be regularly executed as root.
jitterentropy should be built-in, not a module. We already do that with hardened-kernel though.
Alright.
However, as long as we’re not using hardened-kernel by default and for non-users of hardened-kernel, does it make sense the load jitterentropy_rng more early?
See also:
jitterentropy_rng is currently only used by the in-kernel DRBG.
What uses the in-kernel DRBG? Asked in above ticket too.
LKRG and tirdad should be loaded as early as possible. Preferably, they would also be built-in but that’s not supported (yet?).
tirdad statically in kernel, asked upstream, link here: