Kernel Hardening - security-misc

Maybe we can parse the mount options to only remount it if it’s already ro?

# Remount rw only if root is currently ro, and remember that so it can be put back.
if mount | grep "${rootmnt}" | grep "ro"; then
  remount="yes"
  mount -o remount,rw "${rootmnt}"
fi
# Apply the sysctl settings, keeping only stderr in a log on the root filesystem.
sysctl -p ${rootmnt}/etc/sysctl.conf >/dev/null 2>${rootmnt}/var/log/sysctl-initramfs-error.log
sysctl -p ${rootmnt}/etc/sysctl.d/*.conf >/dev/null 2>>${rootmnt}/var/log/sysctl-initramfs-error.log
# Restore the read-only state if it was changed above.
if [ "${remount}" = "yes" ]; then
  mount -o remount,ro "${rootmnt}"
fi
# Show the log with the unprivileged_userfaultfd line filtered out.
grep -v "unprivileged_userfaultfd" "${rootmnt}/var/log/sysctl-initramfs-error.log"
Yes, that would be better.

This could go wrong if ro is inside the file path.

What about

mount | grep "${rootmnt}" | grep "(ro,"

?

The ro/rw mount options are always at the start of the bracket and followed by a comma

That’s better. The second should be grep -q to avoid unnecessary console output (confusing for users).

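The parsing problem discussed above, worked through as an added example (this is not code from security-misc or from the pull request). In Debian's initramfs ${rootmnt} is /root, so a bare grep for "ro" matches the path itself; the helper below instead matches the mount point field exactly and reads the option list between the parentheses. The mount output is constructed for the demo, and run_with_rw_root is a hypothetical wrapper showing how the hook would use the check.

```shell
#!/bin/sh
# Added example (not from security-misc): decide whether a mount point is
# read-only by parsing the "(opts)" field of `mount` output instead of
# grepping the whole line.

# Constructed sample of `mount` output (not captured from a real system).
SAMPLE_MOUNT_OUTPUT='proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
/dev/sda1 on /root type ext4 (ro,relatime,errors=remount-ro)
/dev/sdb1 on /root/home type ext4 (rw,relatime)
/dev/sr0 on /media/cdrom type iso9660 (ro)'

# The thread's first attempt: two greps over the whole line. Misfires when the
# mount point contains "ro" (/root, /root/home) or the options contain
# "errors=remount-ro".
naive_is_ro() {
  # $1: mount output, $2: mount point
  printf '%s\n' "$1" | grep "$2" | grep -q "ro"
}

# Print the comma-separated option list for exactly one mount point.
# `mount` prints "DEV on MNT type FSTYPE (OPTS)", so match field 3 exactly
# and cut out what sits between the parentheses.
mount_opts_for() {
  # $1: mount output, $2: mount point
  printf '%s\n' "$1" | awk -v mnt="$2" '
    $2 == "on" && $3 == mnt {
      opts = $0
      sub(/^[^(]*\(/, "", opts)   # drop everything up to the opening paren
      sub(/\).*$/, "", opts)      # drop the closing paren and anything after
      print opts
      exit
    }'
}

# Exit 0 when the mount point is read-only. ro/rw is always the first option,
# so accept "ro" alone or "ro," followed by more options; an unknown mount
# point yields an empty list and counts as not read-only.
is_ro() {
  # $1: mount output, $2: mount point
  case "$(mount_opts_for "$1" "$2")" in
    ro|ro,*) return 0 ;;
    *)       return 1 ;;
  esac
}

# Hypothetical hook wrapper: remount rw only when the root is really ro, run
# the given command, then restore ro. Needs root, so the checks below do not
# call it. Usage in the hook would be:
#   run_with_rw_root "${rootmnt}" sysctl -p "${rootmnt}/etc/sysctl.conf"
run_with_rw_root() {
  # $1: mount point, remaining args: command to run
  mnt=$1; shift
  remount=no
  if is_ro "$(mount)" "$mnt"; then
    remount=yes
    mount -o remount,rw "$mnt"
  fi
  "$@"
  if [ "$remount" = yes ]; then
    mount -o remount,ro "$mnt"
  fi
}
```

The case pattern also accepts a mount shown as "(ro)" with no further options, which the one-liner grep for "(ro," would miss; otherwise the two approaches agree, and the thread's final grep is the compact form of the same idea.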
madaidan via Whonix Forum:

Only remount in sysctl-initramfs if already mounted read-only by madaidan · Pull Request #73 · Kicksecure/security-misc · GitHub

Merged. Fixed. Thanks!

https://community.parrotsec.org/t/linux-security-hardening-ehancement/10672

I don’t think Purism likes me much…

madaidan via Whonix Forum:

I don’t think Purism likes me much…

Skip that one. Many others.

Yeah… They are still sore from our discussions about them on Twitter.

twitter seems to be a curse for many of us. :wink:

sysctl-initramfs has an issue vs grub-live. In case of booting into live mode, we shouldn’t write to the root image. Maybe this could help:

if grep -qs "boot=live" /proc/cmdline; then

There are also other cases (security-misc is a general package. Don’t just focus on Whonix / Kicksecure) where writing to the root image might be unwanted. It’s not up to the initramfs stage (security-misc / sysctl-initramfs) to know what shall happen with the root image write policy.

/run/initramfs already exists. Therefore the log location /run/initramfs/sysctl-initramfs-error.log would be better since it is ephemeral (in RAM, not on persistent disk). Will implement.

Done.

But the error log is weird. Added xxxxxxxxxxxx to some sysctl.d file.

cat /run/initramfs/sysctl-initramfs-error.log

sysctl: bad line 9: 1 tokens found, 2 needed

Looks fine when running sudo sh -x /etc/initramfs-tools/scripts/init-bottom/sysctl-initramfs but weird log when this is done in initramfs at boot. But I guess good enough.

2 posts were split to a new topic: Virtualization Based Hardening Intel VBH

Could you please look into

sudo sysctl -a

And see if there is something else to harden?

ufw doesn't block ICMP - wiki fixation reminded me, perhaps there are some other ICMP related settings worth flipping? For example, you have this already covered:

## Disables ICMP redirect acceptance.
net.ipv4.conf.all.accept_redirects=0

But perhaps there is more? Even if the Whonix firewall blocks ICMP, that could be interesting in the context of Kicksecure and clearnet reachable servers.

We could maybe reduce some kernel attack surface by disabling a few things but this would all be done with hardened-kernel anyway.

fs.aio-max-nr=0

I think this would disable AIO which adds a lot of complexity/attack surface to the kernel.

kernel.ftrace_enabled=0

Disables ftrace which adds a lot of potentially dangerous debugging functionality.

fs.binfmt_misc.status=0

Disables binfmt_misc which adds support for custom binary formats.

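Two things in this thread lend themselves to one pre-boot check, added here as an example that is not part of security-misc: the odd "bad line 9: 1 tokens found, 2 needed" entry in the error log above (a line with no "=" in a sysctl.d fragment; that wording is, as far as I know, busybox's config-file parser, which is what runs sysctl inside the initramfs, whereas the procps sysctl on the booted system words it differently), and the candidate hardening keys just listed, where it helps to know which value a key actually ends up with once every fragment has been applied in glob order. The sample fragments, file names and values are constructed for the demo; the helper names are my own. Keys are looked up in dotted form only (sysctl also accepts "/" as separator).

```shell
#!/bin/sh
# Added example (not from security-misc): flag sysctl.d lines with no '='
# separator and report the effective value of a key after all *.conf files
# are applied in glob order, so a proposed hardening key can be verified
# without touching the root image.

# Constructed sample: three sysctl.d fragments written to a temp dir.
# File names, keys and values are made up for the demo; prints the dir path.
make_sample_sysctl_d() {
  d=$(mktemp -d)
  cat > "$d/10-hardening.conf" <<'EOF'
## Disables ICMP redirect acceptance.
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
kernel.ftrace_enabled=0
EOF
  cat > "$d/20-broken.conf" <<'EOF'
# a stray token with no '=' separator, like the xxxxxxxxxxxx line in the thread
xxxxxxxxxxxx
kernel.kptr_restrict = 2
EOF
  cat > "$d/30-override.conf" <<'EOF'
; later files win, so this overrides 10-hardening.conf
net.ipv4.conf.all.accept_redirects = 1
EOF
  printf '%s\n' "$d"
}

# Trim leading and trailing whitespace from $1.
trim() {
  printf '%s' "$1" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'
}

# Print "FILE: line N: no '=' separator" for each malformed line in one file.
# Blank lines and comments (# or ;) are skipped, as sysctl does.
check_sysctl_file() {
  n=0
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    case "$(trim "$line")" in
      ''|'#'*|';'*) ;;
      *=*) ;;
      *) printf "%s: line %d: no '=' separator\n" "$1" "$n" ;;
    esac
  done < "$1"
}

# Run check_sysctl_file over every *.conf in directory $1 (glob order).
check_sysctl_dir() {
  for f in "$1"/*.conf; do
    [ -e "$f" ] || continue
    check_sysctl_file "$f"
  done
}

# Number of malformed lines under directory $1 (grep -c prints 0 on no match).
count_bad_lines() {
  check_sysctl_dir "$1" | grep -c . || true
}

# Print the value key $2 ends up with after applying every *.conf in $1 in
# glob order (later files override earlier ones); empty if never set.
effective_sysctl_value() {
  val=''
  for f in "$1"/*.conf; do
    [ -e "$f" ] || continue
    while IFS= read -r line || [ -n "$line" ]; do
      entry=$(trim "$line")
      case "$entry" in
        ''|'#'*|';'*) continue ;;
        *=*) ;;
        *) continue ;;
      esac
      [ "$(trim "${entry%%=*}")" = "$2" ] || continue
      val=$(trim "${entry#*=}")
    done < "$f"
  done
  printf '%s\n' "$val"
}
```

Running check_sysctl_dir against ${rootmnt}/etc/sysctl.d from the hook and writing its output next to the sysctl log under /run/initramfs gives a file:line pointer for each bad fragment without any write to persistent disk; effective_sysctl_value is what you would query for fs.aio-max-nr, kernel.ftrace_enabled or fs.binfmt_misc.status to confirm a fragment really sets them.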
Shutting it down can destroy performance for async IO applications like databases.

I don’t think we depend on it for build debugging - similar to ptrace’s situation. Should be included in the debug functionality disabling package.

This one might break Java programs and cross compiling builds for other archs with QEMU. You might want to document that in case users show up with mysterious bug reports.

madaidan via Whonix Forum:

fs.binfmt_misc.status=0

Disables binfmt_misc which adds support for custom binary formats.

Not sure anymore but I think I tested that once and it broke XFCE for an unknown reason.

I think the performance loss is worth it. Asynchronous I/O in general adds a lot of complexity and attack surface to the kernel. POSIX AIO is especially atrocious.

It’s already disabled in hardened-kernel and I see no issues.
