Kernel Hardening - security-misc

Yeah… They are still sore from our discussions about them on Twitter.

1 Like

Twitter seems to be a curse for many of us. :wink:

2 Likes
1 Like

sysctl-initramfs has an issue vs grub-live. In case of booting into live mode, we shouldn’t write to the root image. Maybe this could help:

if grep -qs "boot=live" /proc/cmdline; then

There are also other cases (security-misc is a general package. Don’t just focus on Whonix / Kicksecure) where writing to the root image might be unwanted. It’s not up to the initramfs stage (security-misc / sysctl-initramfs) to know what shall happen with the root image write policy.

/run/initramfs already exists. Therefore the log location /run/initramfs/sysctl-initramfs-error.log would be better since it is ephemeral: in RAM, not on persistent disk. Will implement.

1 Like
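The two decisions from the post above (a grub-live boot must not write to the root image, and the error log belongs in the RAM-backed /run/initramfs), carried through as a complete init-bottom style script. This is an added example, not the security-misc package’s own sysctl-initramfs script: the function names, the persistent fallback path and the wording of the bad-line messages are this example’s assumptions; the boot=live test and the /run/initramfs log name are the ones proposed in the thread.

```shell
#!/bin/sh
## Added example, not the security-misc package's own init-bottom script. It
## shows the two decisions from the thread: a live boot (grub-live passes
## boot=live on the kernel command line) must never write to the root image,
## and the error log therefore belongs in the RAM-backed /run/initramfs.
## Paths are parameters so the functions can be exercised outside initramfs.

## Return 0 when the command line in file $1 (normally /proc/cmdline)
## contains boot=live. -q: no output, -s: silent on a missing file.
is_live_boot() {
    grep -qs 'boot=live' "$1"
}

## Print the path to log sysctl errors to.
##   $1 command line file, $2 RAM-backed directory (normally /run/initramfs),
##   $3 fallback file on the root filesystem (assumed path, see usage).
## The RAM directory wins when it exists; in live mode the persistent fallback
## is never used, so errors are dropped rather than written to the root image.
choose_log_path() {
    if [ -d "$2" ]; then
        echo "$2/sysctl-initramfs-error.log"
    elif is_live_boot "$1"; then
        echo /dev/null
    else
        echo "$3"
    fi
}

## Report lines in $1/*.conf that are not "key = value" pairs, appending each
## to log $2 and printing the total count. A bare token such as the
## "xxxxxxxxxxxx" line from the thread is what sysctl rejects with
## "1 tokens found, 2 needed"; the message format below is this example's own.
validate_sysctl_dir() {
    total=0
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        n=$(awk -v file="$f" '
            /^[[:space:]]*([#;].*)?$/ { next }   # comment or blank line
            # optional "-" prefix (sysctl: ignore errors for this key),
            # a key, "=", and a non-empty value (which may contain spaces)
            !/^[[:space:]]*-?[^=[:space:]]+[[:space:]]*=[[:space:]]*[^[:space:]]/ {
                printf "%s: bad line %d: %s\n", file, NR, $0
            }' "$f" | tee -a "$2" | wc -l)
        total=$((total + n))
    done
    echo "$total"
}

## Entry point as the initramfs would call it. Syntax problems are logged
## first; sysctl -e skips unknown keys and its own errors go to the same log.
run_hook() {
    cmdline="$1"; confdir="$2"; ramdir="$3"; fallback="$4"
    log=$(choose_log_path "$cmdline" "$ramdir" "$fallback")
    validate_sysctl_dir "$confdir" "$log" >/dev/null
    for f in "$confdir"/*.conf; do
        if [ -f "$f" ]; then
            sysctl -e -q -p "$f" 2>>"$log" || true
        fi
    done
}

## Constructed inputs (not real system files) exercising the checks above:
## a live-mode command line, no RAM directory, and a sysctl.d file with two
## bad lines. Prints 2; with the log at /dev/null nothing touches disk.
demo() {
    d=$(mktemp -d)
    printf 'BOOT_IMAGE=/vmlinuz root=/dev/sda1 boot=live quiet\n' > "$d/cmdline"
    printf '%s\n' '## constructed sysctl.d file with two bad lines' \
        'net.ipv4.conf.all.accept_redirects=0' 'xxxxxxxxxxxx' \
        'kernel.printk = 3 4 1 3' 'badkey=' > "$d/30-test.conf"
    log=$(choose_log_path "$d/cmdline" "$d/no-such-dir" "$d/disk.log")
    validate_sysctl_dir "$d" "$log"
}

## Real invocation (root and a sysctl binary required), not run automatically:
## run_hook /proc/cmdline /etc/sysctl.d /run/initramfs /var/log/sysctl-initramfs-error.log
```

Installed under /etc/initramfs-tools/scripts/init-bottom/ as in the thread, the hook would always find /run/initramfs present, so the fallback branch only matters when the same functions are reused outside the initramfs; the live-mode test decides whether that fallback may be used at all.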

Done.

But the error log is weird. Added xxxxxxxxxxxx to some sysctl.d file.

cat /run/initramfs/sysctl-initramfs-error.log

sysctl: bad line 9: 1 tokens found, 2 needed

Looks fine when running sudo sh -x /etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs, but the log is weird when this runs in the initramfs at boot. But I guess good enough.

1 Like

2 posts were split to a new topic: Virtualization Based Hardening Intel VBH

Could you please look into

sudo sysctl -a

And see if there is something else to harden?

ufw doesn't block ICMP - the wiki fix reminded me, perhaps there are some other ICMP-related settings worth flipping? For example, you already have this covered:

## Disables ICMP redirect acceptance.
net.ipv4.conf.all.accept_redirects=0

But perhaps there is more? Even if the Whonix firewall blocks ICMP, that could be interesting in the context of Kicksecure and clearnet-reachable servers.

1 Like

We could maybe reduce some kernel attack surface by disabling a few things but this would all be done with hardened-kernel anyway.

fs.aio-max-nr=0

I think this would disable AIO, which adds a lot of complexity/attack surface to the kernel.

kernel.ftrace_enabled=0

Disables ftrace which adds a lot of potentially dangerous debugging functionality.

fs.binfmt_misc.status=0

Disables binfmt_misc which adds support for custom binary formats.

2 Likes

Shutting it down can destroy performance for async IO applications like databases.

I don’t think we depend on it for build debugging - similar to ptrace’s situation. Should be included in the debug functionality disabling package.

This one might break Java programs and cross compiling builds for other archs with QEMU. You might want to document that in case users show up with mysterious bug reports.

2 Likes

madaidan via Whonix Forum:

fs.binfmt_misc.status=0

Disables binfmt_misc which adds support for custom binary formats.

Not sure anymore but I think I tested that once and it broke XFCE for an unknown reason.

1 Like

I think the performance loss is worth it. Asynchronous I/O in general adds a lot of complexity and attack surface to the kernel. POSIX AIO is especially atrocious.

It’s already disabled in hardened-kernel and I see no issues.

1 Like

Then we need to update debug-misc + documentation at the same time.

Have you tested that? A lot of software uses databases behind the scenes, like MediaWiki and Discourse, and bringing them to a crawl would destroy the use case. Some IM clients use DBs too.

As long as it is documented, at least they will have a clue what needs to be done.

1 Like

What do you think?

1 Like

This one is fine. kernel.perf_event_paranoid=3 requires a kernel patch but some distros (such as Debian) include this by default. If the patch isn’t used then it’ll be the same as setting it to 2.

https://patchwork.kernel.org/patch/9249919/

1 Like
2 Likes

Interesting tool, anything that can be contributed to it?

1 Like

Was posted here: kernel recompilation for better hardening

1 Like

That comment needs an update.

debian bug report: Please reconsider enabling the user namespaces by default

It seems that the next Debian version will have unprivileged user namespaces by default.

Related:

https://forums.whonix.org/t/flathub-as-a-source-of-software/10706/6

1 Like

Related to Linux kernel user namespaces:
The Debian package bubblewrap will set kernel.unprivileged_userns_clone=1 in Debian bullseye and above. bubblewrap will no longer be suid by default.

1 Like