Kernel Hardening

Then we need to update debug-misc + documentation at the same time.

Have you tested that? A lot of software uses databases behind the scenes, like mediawiki and discourse, and bringing them to a crawl would destroy the use case. Some IM clients use DBs too.

As long as it's documented, then at least they will have a clue what needs to be done.

1 Like

What do you think?

1 Like

This one is fine. kernel.perf_event_paranoid=3 requires a kernel patch but some distros (such as Debian) include this by default. If the patch isn’t used then it’ll be the same as setting it to 2.


1 Like

Interesting tool, anything that can be contributed to it?

1 Like

Was posted here: kernel recompilation for better hardening

1 Like

That comment needs an update.

Debian bug report: Please reconsider enabling the user namespaces by default

It seems that the next Debian version will have unpriv user ns by default.



1 Like

Related to Linux kernel user namespaces:
Debian package bubblewrap will set kernel.unprivileged_userns_clone=1 in Debian bullseye and above. bubblewrap will no longer be suid by default.

1 Like
1 Like

Great! Merged!

What do we do with debian/control?

(Used for apt-cache show security-misc, potentially packages.debian.org APT package repository web interface for deb.whonix.org) and README_generic.md?

Simplify debian/control so it doesn’t have to be duplicated? Delete / avoid creation of README_generic.md?

1 Like

I think it should just contain a basic description and a link to the GitHub repository for more detailed information.

1 Like