Kernel Hardening

Then we need to update at same time debug-misc + documentation.

Have you tested that? A number of software uses databases behind the scenes like mediawiki and discourse and bringing them to a crawl would destroy the usecase. Some IM clients use dbs too.

As long as documented then at least they will have a clue what needs to be done.

What do you think?

This one is fine. kernel.perf_event_paranoid=3 requires a kernel patch but some distros (such as Debian) includes this by default. If the patch isn’t used then it’ll be the same as setting it to 2.

https://patchwork.kernel.org/patch/9249919/

Interesting tool, anything that can contributed to it?

Was posted here: kernel recompilation for better hardening

That comment needs an update.

debian bug report: Please reconsider enabling the user namespaces by default

It seems that next debian version will have unpriv user ns by default.

Related:

https://forums.whonix.org/t/flathub-as-a-source-of-software/10706/6

Related to Linux kernel user namespaces:
Debian package bubblewrapwill set kernel.unprivileged_userns_clone=1 in Debian bullseye and above. bubblewrap will be no longer suid by default.

Great! Merged!

What do we do with debian/control?

(Used for apt-cache show security-misc, potentially packages.debian.org APT package repository web interface for deb.whonix.org) and README_generic.md?)

Simplify debian/control so it doesn’t have to be duplicated? Delete / avoid creation of README_generic.md?

I think it should just contain a basic description and a link to the Github repository for more detailed information.