Kernel Hardening - security-misc

Patrick · June 23, 2019, 7:01pm

Please add to security-misc/debian/control at master · Kicksecure/security-misc · GitHub - readme is generated from that (sometimes, on script manual run).

Patrick · June 23, 2019, 7:22pm

madaidan · June 23, 2019, 7:28pm

Is this right?

https://github.com/madaidan/security-misc/blob/patch-8/debian/control

Patrick · June 23, 2019, 7:45pm

Patrick · June 23, 2019, 7:49pm

The text really helped. Well written. Applied a syntax fix on top.

Patrick · June 23, 2019, 8:16pm

A post was split to a new topic: kernel recompilation for better hardening

HulaHoop · June 23, 2019, 10:30pm

There is no ‘on’ option for amd_iommu. Is there some way to check if these settings are valid/recognized without testing them? Maybe someone familiar with the kernel on Debian bug tracker?

madaidan · June 24, 2019, 1:04am

Weird. The Arch Wiki and a few other places say to use amd_iommu=on. Maybe the kernel docs are wrong?

HulaHoop · June 24, 2019, 3:21am

Well I’m not going to argue with Arch documentation

madaidan · June 24, 2019, 5:04pm

The System.map files should be removed. By default, /boot/System.map-* contains kernel symbols which could be useful to an attacker. Setting kernel.kptr_restrict=2 hides these from /proc/kallsyms but an attacker can just look at the System.map files to get the symbols anyway.

These could possibly be purged during the build or at boot with a systemd service.

Tails also removes these.

System.map files are only used for debugging or malware.

It may be useful to disable the SysRq key too. It allows anyone to use certain commands that the kernel will do regardless of what it’s currently doing. It can be disabled with sysctl using kernel.sysrq=0. I am not too sure about this one though.

See QA/Sysrq - Fedora Project Wiki. It doesn’t look too good.

Patrick · September 10, 2019, 4:34pm

35 posts were merged into an existing topic: SysRq (Magic SysRq key)

Patrick · June 25, 2019, 6:07am

Sounds all great!

Could you please add a script to:
https://github.com/Whonix/security-misc/tree/master/usr/lib/security-misc

The deletion logic should be in the script not in a systemd unit file directly. Reason:

can call that script from a systemd unit file, as well as
can call that script from https://github.com/Whonix/whonix-initializer/blob/master/usr/lib/anon-dist/chroot-scripts-post.d/80_cleanup#L416 so it can be done inside chroot too (decreases image size a bit)
I might add “source /usr/lib/helper-scripts/pre.bsh” (if existing) so this can even be controlled by settings drop-in files.

Patrick · June 26, 2019, 11:32am

comment added here:
Remove System.map and restrict the SysRq key. by madaidan · Pull Request #13 · Kicksecure/security-misc · GitHub

madaidan · June 27, 2019, 6:24pm

github.com/Kicksecure/security-misc

Add some hardening for other distributions

Kicksecure:master ← madaidan:patch-10

opened 06:22PM - 27 Jun 19 UTC

madaidan

+10 -1

Debian (and by extension, Whonix) enables these settings by default but other di…stros (that are using security-misc) may not. This also makes sure that some default settings don't get changed after an update. It sets `kernel.dmesg_restrict=1` with sysctl to restrict the kernel log to the root user, enables TCP syncookies to prevent SYN flood attacks and disables [source routing](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-disable-source-routing).

Patrick · June 29, 2019, 10:21am

A post was split to a new topic: lynis - security auditing tool for Unix based systems

Patrick · June 29, 2019, 8:31pm

Back to hidepid.

I would not hold my breath for [feature request] /etc/fstab.d · Issue #790 · util-linux/util-linux · GitHub to materialize. The ticket was not even reopened yet.

Let’s not touch /etc/fstab for stability reasons.

In /etc/fstab.d · Issue #12506 · systemd/systemd · GitHub poettering wrote [sniped by me]:

if I were you I’d just write a generator that looks at /etc/fstab and creates drop-ins for the .mount units systemd-fstab-generator generates that override the Option= line. i.e. let systemd-fstab-generator do its thing as it currently does (meaning: translating fstab into native systemd .mount unit files), but then have your own generator that tweak some of these mount units with additional generated drop-ins as you need.

Can you make head or tail of it?
We don’t have to make it as complicated as having our own generator. Hardcoding the few option we need in drop-in config files would suffice.

Btw there are files in /run/systemd/generator/ which are # Automatically generated by systemd-fstab-generator if that helps.

Alternatively we had:

theory #1:
theory #2:
theory #3:

Could you work on this please?

madaidan · June 29, 2019, 9:21pm

It sounds very complicated and hard to do.

Those seem to be systemd .mount files. I think systemd generates .mount files out of /etc/fstab and uses them to mount the filesystems.

I can try. The past attempts didn’t work though.

madaidan · June 29, 2019, 9:38pm

Mounting /proc with .mount files doesn’t seem possible.

host systemd[1]: proc.mount: Cannot create mount unit for API file system /proc. Refusing.

Theory #1 seems to be the best solution right now. I’ll test it now.

madaidan · June 29, 2019, 9:49pm

Theory #1 works great! Create a systemd service with:

[Unit]
Description=Mounts /proc with hidepid=2
Requires=local-fs.target
After=local-fs.target

[Service]
Type=oneshot
ExecStart=/bin/mount -o remount,nosuid,nodev,noexec,hidepid=2 /proc

[Install]
WantedBy=multi-user.target

I can add systemd sandboxing if needed (likely not).

madaidan · June 29, 2019, 10:31pm