Kernel Hardening - security-misc

Mycobee · May 20, 2024, 2:47am

I wonder how much secure (or less secure) BSD OS’s are…

I suspect any kernel written in a language where memory is managed manually is going to be more susceptible to terrifying exploits. Wonder long term possibility of Rust based OS’s…

Dont have much useful to add…just thoughts

Patrick · May 20, 2024, 1:50pm

If packages.debian.org, kernel.org or another trustworthy source would provide a Debian stable compatible APT repository with stable Linux kernels, that might be an option.

Otherwise this unfortunately is not actionable. Kernel re-compilation (with or without changed (security) settings) is too difficult and maintenance intensive given the current project resources.

Usability / reliability issues are also a risk.

raja · May 27, 2024, 3:10am

github.com/Kicksecure/security-misc

Suggestions for kernel modules blacklisted in /etc/modprobe.d/30_security-misc.conf

opened 09:57PM - 26 May 24 UTC

MikeHorn-git

blacklist amdgpu # Make this optionnal blacklist b43 … # Quite old broadcom wireless driver : https://wireless.wiki.kernel.org/en/users/drivers/b43 blacklist exfat blacklist iwlwifi # Intel wireless driver blacklist mac80211 # Printer support for parallel port blacklist ntfs blacklist nvidia blacklist radeon blacklist usb_storage blacklist uinput # User-level input driver install cfg80211 /bin/true # Wireless Api for a very old broadcom device : https://github.com/torvalds/linux/blob/master/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c install brcm80211 /bin/true # Very old broadcom wireless driver : https://github.com/Broadcom/brcm80211 install dvb_core /bin/true # Core module for DVB devices : https://www.kernel.org/doc/html/v4.9/media/kapi/dtv-core.html install dvb_usb_rtl2832u /bin/true # DVB-T USB devices with RTL2832U chipset install dvb_usb_rtl28xxu /bin/true # DVB-T USB devices with RTL28xx chipset install dvb_usb_v2 /bin/true # Newer DVB USB framework install eepro100 /bin/true # Very old network driver https://github.com/torvalds/linux/blob/master/drivers/net/ethernet/intel/e100.c install eth1394 /bin/true # Very old network driver https://archive.kernel.org/oldwiki/ieee1394.wiki.kernel.org/index.php/Eth1394.html install fddi /bin/true # Fiber Distributed Data Interface : https://github.com/torvalds/linux/blob/master/net/802/fddi.c install floppy /bin/true install hamradio /bin/true # Amateur radio protocol : https://github.com/torvalds/linux/tree/master/drivers/net/hamradio install ib_ipoib /bin/true # InfiniBand over IP install jfs /bin/true # IBM's Journaled File System install joydev /bin/true # Joystick support install lp /bin/true # Printer support for parallel port install parport /bin/true # Parallel port support install pmt_class /bin/true # Platform Monitoring Telemetry (Intel) install pmt_telemetry /bin/true # Platform Monitoring Telemetry (Intel) install ppp_async /bin/true # Point-to-Point Protocol for asynchronous connections install ppp_deflate /bin/true # Compression module for PPP install ppp_generic /bin/true # Generic PPP support install pppoe /bin/true # PPP over Ethernet install pppox /bin/true # PPP over various transports install r820t /bin/true # Rafael Micro R820T tuner install reiserfs /bin/true # ReiserFS filesystem install rtl2830 /bin/true # Realtek RTL2830 DVB-T receiver install rtl2832 /bin/true # Realtek RTL2832 DVB-T receiver install rtl2832_sdr /bin/true # RTL2832-based SDR devices install rtl2838 /bin/true # Realtek RTL2838 DVB-T receiver install rtl8187 /bin/true # Realtek RTL8187 wireless LAN driver install slhc /bin/true # SLIP/PPP compression and decompression install squashfs /bin/true # SquashFS filesystem install tr /bin/true # Token Ring protocol install uvcvideo /bin/true # USB Video Class driver

Patrick · May 28, 2024, 11:55am

github.com/Kicksecure/security-misc

add `/etc/gitconfig` by default for better `git` security

Kicksecure:master ← Kicksecure:gitconfig

opened 11:54AM - 28 May 24 UTC

adrelanos

+41 -0

## Changes ## Mandatory Checklist - [x] Legal agreements accepted. By cont…ributing to this organisation, you acknowledge you have read, understood, and agree to be bound by these these agreements: [Terms of Service](https://www.kicksecure.com/wiki/Terms_of_Service), [Privacy Policy](https://www.kicksecure.com/wiki/Privacy_Policy), [Cookie Policy](https://www.kicksecure.com/wiki/Cookie_Policy), [E-Sign Consent](https://www.kicksecure.com/wiki/E-Sign_Consent), [DMCA](https://www.kicksecure.com/wiki/DMCA), [Imprint](https://www.kicksecure.com/wiki/Imprint) ## Optional Checklist The following items are optional but might be requested in certain cases. - [x] I have tested it locally - [ ] I have reviewed and updated any documentation if relevant - [ ] I am providing new code and test(s) for it Fixes #225