-
Notifications
You must be signed in to change notification settings - Fork 0
/
kicksecure.scm
487 lines (389 loc) · 19.6 KB
/
kicksecure.scm
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
;; Contents extracted from Kicksecure's resources.
(define-module (testament kicksecure)
#:export (kicksecure-delete
%kicksecure-kernel-arguments
%kicksecure-sysctl-rules))
(define (kicksecure-delete name lst)
"Return a newly-created copy of LST with elements or pairs whose
keys `string-prefix?' with NAME removed.
For example:
(kicksecure-delete \"loglevel\"
'(\"quiet\" \"loglevel=0\" \"loglevel=1\"))
=> (\"quiet\")
(kicksecure-delete \"net.ipv6.conf\"
'((\"net.ipv6.conf.all.accept_ra\" . \"0\")
(\"net.ipv6.conf.default.accept_ra\" . \"0\")))
=> ()"
(filter (lambda (item)
(not (cond
((pair? item) (string-prefix? name (car item)))
(else (string-prefix? name item)))))
lst))
;; Source: <https://github.com/Kicksecure/security-misc>
;; Extracted with the following command:
;; cat etc/default/grub.d/* | \
;; sed -E \
;; -e 's@GRUB_CMDLINE_LINUX(_DEFAULT)?=".GRUB_CMDLINE_LINUX(_DEFAULT)? @"@g' \
;; -e 's@(=(on|off|force|1|0)|quiet) @\1" "@g' \
;; -e 's@(.*dpkg.*|.*GRUB_CMDLINE.*)@#\1@g' \
;; -e 's@^#+@;;@g'
(define %kicksecure-kernel-arguments
'(;; Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
;; See the file COPYING for copying conditions.
;; Enables all known mitigations for CPU vulnerabilities.
;;
;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html
;; https://www.kernel.org/doc/html/latest/admin-guide/kernel-parameters.html
;; https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647
;; Enable known mitigations for CPU vulnerabilities and disable SMT.
"mitigations=auto,nosmt"
;; Enable mitigations for Spectre variant 2 (indirect branch speculation).
;;
;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html
"spectre_v2=on"
;; Disable Speculative Store Bypass.
"spec_store_bypass_disable=on"
;; Enable mitigations for the L1TF vulnerability through disabling SMT
;; and L1D flush runtime control.
;;
;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html
"l1tf=full,force"
;; Enable mitigations for the MDS vulnerability through clearing buffer cache
;; and disabling SMT.
;;
;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
"mds=full,nosmt"
;; Patches the TAA vulnerability by disabling TSX and enables mitigations using
;; TSX Async Abort along with disabling SMT.
;;
;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html
"tsx=off" "tsx_async_abort=full,nosmt"
;; Mark all huge pages in the EPT as non-executable to mitigate iTLB multihit.
;;
;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html
"kvm.nx_huge_pages=force"
;; Enables mitigations for SRBDS to prevent MDS attacks on RDRAND and RDSEED instructions.
;; Only mitigated through microcode updates from Intel.
;;
;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/special-register-buffer-data-sampling.html
;; https://access.redhat.com/solutions/5142691
;; Force disable SMT as it has caused numerous CPU vulnerabilities.
;; The only full mitigation of cross-HT attacks is to disable SMT.
;;
;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html
;; https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17
"nosmt=force"
;; Enables the prctl interface to prevent leaks from L1D on context switches.
;;
;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1d_flush.html
"l1d_flush=on"
;; Mitigates numerous MMIO Stale Data vulnerabilities and disables SMT.
;;
;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html
"mmio_stale_data=full,nosmt"
;; Enable mitigations for RETBleed (Arbitrary Speculative Code Execution with
;; Return Instructions) vulnerability and disable SMT.
;;
"retbleed=auto,nosmt"
;; Control RAS overflow mitigation on AMD Zen CPUs.
;; The current default kernel parameter is 'spec_rstack_overflow=safe-ret'
;; This default will used until provided sufficient evidence to modify.
;;
;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/srso.html
;; Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
;; See the file COPYING for copying conditions.
;; Distrusts the bootloader for initial entropy at boot.
;;
;; https://lkml.org/lkml/2022/6/5/271
"random.trust_bootloader=off"
;; Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
;; See the file COPYING for copying conditions.
;; Distrusts the CPU for initial entropy at boot as it is not possible to
;; audit, may contain weaknesses or a backdoor.
;;
;; https://en.wikipedia.org/wiki/RDRAND#Reception
;; https://twitter.com/pid_eins/status/1149649806056280069
;; https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html
;; https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566
;; https://lkml.org/lkml/2022/6/5/271
"random.trust_cpu=off"
;; Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
;; See the file COPYING for copying conditions.
;; Enables IOMMU to prevent DMA attacks.
"intel_iommu=on" "amd_iommu=force_isolation"
;; Disable the busmaster bit on all PCI bridges during very
;; early boot to avoid holes in IOMMU.
;;
;; https://mjg59.dreamwidth.org/54433.html
;; https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94
"efi=disable_early_pci_dma"
;; Enables strict enforcement of IOMMU TLB invalidation so devices will never be able to access stale data contents
;; https://github.com/torvalds/linux/blob/master/drivers/iommu/Kconfig#L97
;; Page 11 of https://lenovopress.lenovo.com/lp1467.pdf
"iommu=force" "iommu.passthrough=0" "iommu.strict=1"
;; Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
;; See the file COPYING for copying conditions.
;;kpkg="linux-image-$(dpkg --print-architecture)" || true
;;kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || true
;;echo "## kver: $kver"
;; Disables the merging of slabs of similar sizes.
;; Sometimes a slab can be used in a vulnerable way which an attacker can exploit.
"slab_nomerge"
;; Enables sanity checks (F) and redzoning (Z).
;; Disabled due to kernel deciding to implicitly disable kernel pointer hashing
;; https://github.com/torvalds/linux/commit/792702911f581f7793962fbeb99d5c3a1b28f4c3
;;"slub_debug=FZ"
;; Zero memory at allocation and free time.
"init_on_alloc=1" "init_on_free=1"
;; Machine check exception handler decides whether the system should panic or not based on the exception that happened.
;; https://forums.whonix.org/t/kernel-hardening/7296/494
;;"mce=0"
;; Enables Kernel Page Table Isolation which mitigates Meltdown and improves KASLR.
"pti=on"
;; Vsyscalls are obsolete, are at fixed addresses and are a target for ROP.
"vsyscall=none"
;; Enables page allocator freelist randomization.
"page_alloc.shuffle=1"
;; Enables randomisation of the kernel stack offset on syscall entries (introduced in kernel 5.13).
;; https://lkml.org/lkml/2019/3/18/246
"randomize_kstack_offset=on"
;; Enables kernel lockdown.
;;
;; Disabled for now as it enforces module signature verification which breaks
;; too many things.
;; https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880
;;
;;if dpkg --compare-versions "${kver}" ge "5.4"; then
;; "lockdown=confidentiality"
;;fi
;; Gather more entropy during boot.
;;
;; Requires linux-hardened kernel patch.
;; https://github.com/anthraxx/linux-hardened
"extra_latent_entropy"
;; Restrict access to debugfs since it can contain a lot of sensitive information.
;; https://lkml.org/lkml/2020/7/16/122
;; https://github.com/torvalds/linux/blob/fb1201aececc59990b75ef59fca93ae4aa1e1444/Documentation/admin-guide/kernel-parameters.txt#L835-L848
"debugfs=off"
;; Force the kernel to panic on "oopses" (which may be due to false positives)
;; https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713
;; Implemented differently:
;; /usr/libexec/security-misc/panic-on-oops
;; /etc/profile.d/security-misc.sh
;; /etc/sudoers.d/security-misc
;;"oops=panic"
;; Requires every module to be signed before being loaded.
;; Any module that is unsigned or signed with an invalid key cannot be loaded.
;; This makes it harder to load a malicious module.
;;
;; Not enabled by default yet due to issues:
;; https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/61
;; https://github.com/dell/dkms/issues/359
;;"module.sig_enforce=1"
;; Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
;; See the file COPYING for copying conditions.
;; https://www.kicksecure.com/wiki/Security-misc#Remount_Secure
;; Disable Remount Secure.
;;"remountsecure=0"
;; Re-mount with nodev, nosuid only.
;;"remountsecure=1"
;; Re-mount with nodev, nosuid and most with noexec except for /home.
;;"remountsecure=2"
;; Re-mount with nodev, nosuid and all with noexec including /home.
;;"remountsecure=3"
;; Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
;; See the file COPYING for copying conditions.
;; Prevent kernel info leaks in console during boot.
;; https://phabricator.whonix.org/T950
;; LANG=C str_replace is provided by package helper-scripts.
;; The following command actually removed "quiet" from the kernel command line.
;; If verbosity is desired, the user might want to keep this line.
;; Remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT because "quiet" must be first.
;;GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | LANG=C str_replace "quiet" "")"
;; If verbosity is desired, the user might want to out-comment the following line.
"quiet" "loglevel=0"
;; NOTE:
;; After editing this file, running:
;; sudo update-grub
;; is required.
;;
;; If higher verbosity is desired, the user might also want to delete file
;; /etc/sysctl.d/30_silent-kernel-printk.conf
;; (or out-comment its settings).
;;
;; Alternatively, the user could consider to install the debug-misc package,
;; which will undo the settings found here.
))
;; Source <https://github.com/Kicksecure/security-misc>>
;; Extracted with the following command:
;; cat usr/lib/sysctl.d/* | \
;; sed -E \
;; -e 's@^([0-9a-z_\.]*) ?= ?(.*)@("\1" . "\2")@g' \
;; -e 's@\|/bin@\|/run/current-system/profile/bin@g' \
;; -e 's@^#+@;;@g'
(define %kicksecure-sysctl-rules
'(;; Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
;; See the file COPYING for copying conditions.
;; Quote https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html
;;
;; kexec_load_disabled:
;;
;; A toggle indicating if the kexec_load syscall has been disabled. This value defaults to 0 (false: kexec_load enabled), but can be set to 1 (true: kexec_load disabled). Once true, kexec can no longer be used, and the toggle cannot be set back to false. This allows a kexec image to be loaded before disabling the syscall, allowing a system to set up (and later use) an image without it being altered. Generally used together with the "modules_disabled" sysctl.
;; Disables kexec which can be used to replace the running kernel.
("kernel.kexec_load_disabled" . "1")
;; Why is this in a dedicated config file?
;; Package ram-wipe requires kexec. However, ram-wipe could not ship a config
;; file /etc/sysctl.d/40_ram-wipe.conf which sets 'kernel.kexec_load_disabled=0'.
;; This is because once systemd-sysctl.service has set 'kernel.kexec_load_disabled=1'
;; it cannot be undone without reboot. This is a upstream Linux security feature.
;; Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
;; See the file COPYING for copying conditions.
;; Prevent kernel info leaks in console during boot.
;; https://phabricator.whonix.org/T950
("kernel.printk" . "3 3 3 3")
;; NOTE:
;; For higher verbosity, the user might also want to delete file
;; /etc/default/grub.d/41_quiet.cfg
;; (or out-comment its settings).
;;
;; Alternatively, the user could consider to install the debug-misc package,
;; which will undo the settings found here.
;; Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
;; See the file COPYING for copying conditions.
;; NOTE:
;; This file has a weird file name so /usr/lib/sysctl.d/99-protect-links.conf
;; is parsed first and /usr/lib/sysctl.d/990-security-misc.conf is parsed
;; afterwards. See also:
;; https://github.com/Kicksecure/security-misc/pull/135
;; Restricts the kernel log to root only.
("kernel.dmesg_restrict" . "1")
;; Disables coredumps. This setting may be overwritten by systemd so this may not be useful.
;; security-misc also disables coredumps in other ways.
("kernel.core_pattern" . "|/run/current-system/profile/bin/false")
;; Does not set coredump name to 'core' which is default. Defense in depth.
("kernel.core_uses_pid" . "1")
;; Prevent setuid processes from creating coredumps.
("fs.suid_dumpable" . "0")
;; Don't allow writes to files that we don't own
;; in world writable sticky directories, unless
;; they are owned by the owner of the directory.
("fs.protected_fifos" . "2")
("fs.protected_regular" . "2")
;; Only allow symlinks to be followed when outside of
;; a world-writable sticky directory, or when the owner
;; of the symlink and follower match, or when the directory
;; owner matches the symlink's owner.
;;
;; Prevent hardlinks from being created by users that do not
;; have read/write access to the source file.
;;
;; These prevent many TOCTOU races.
("fs.protected_symlinks" . "1")
("fs.protected_hardlinks" . "1")
;; Hides kernel addresses in various files in /proc.
;; Kernel addresses can be very useful in certain exploits.
;;
;; https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
("kernel.kptr_restrict" . "2")
;; Improves ASLR effectiveness for mmap.
;; Both explicit sysctl are made redundant due to automation
;; https://forums.whonix.org/t/automate-mmap-randomisation-to-fix-ppc64el/16514
;; Do NOT enable either - displaying only for clarity
;;
;;vm.mmap_rnd_bits=32
;;vm.mmap_rnd_compat_bits=16
;; Restricts the use of ptrace to root. This might break some programs running under WINE.
;; A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. This can be done by running:
;;
;; sudo apt-get install libcap2-bin
;; sudo setcap cap_sys_ptrace=eip /usr/bin/wineserver
;; sudo setcap cap_sys_ptrace=eip /usr/bin/wine-preloader
("kernel.yama.ptrace_scope" . "2")
;; Randomize the addresses for mmap base, heap, stack, and VDSO pages
("kernel.randomize_va_space" . "2")
;; Hardens the BPF JIT compiler and restricts it to root.
("kernel.unprivileged_bpf_disabled" . "1")
("net.core.bpf_jit_harden" . "2")
;; Disable asynchronous I/O for all processes.
;; Valid only for linux kernel version >= 6.6.
;; Command is retained here for future-proofing and completeness.
;; https://forums.whonix.org/t/io-uring-security-vulnerabilties/16890/6
("kernel.io_uring_disabled" . "2")
;; meta start
;; project Kicksecure
;; category networking and security
;; description
;; TCP/IP stack hardening
;; A martian packet is a one with a source address which is blatantly wrong
;; Recommended to keep a log of these to identify these suspicious packets
("net.ipv4.conf.all.log_martians" . "1")
("net.ipv4.conf.default.log_martians" . "1")
;; Protects against time-wait assassination.
;; It drops RST packets for sockets in the time-wait state.
("net.ipv4.tcp_rfc1337" . "1")
;; Disables ICMP redirect acceptance.
("net.ipv4.conf.all.accept_redirects" . "0")
("net.ipv4.conf.default.accept_redirects" . "0")
("net.ipv4.conf.all.secure_redirects" . "0")
("net.ipv4.conf.default.secure_redirects" . "0")
("net.ipv6.conf.all.accept_redirects" . "0")
("net.ipv6.conf.default.accept_redirects" . "0")
;; Disables ICMP redirect sending.
("net.ipv4.conf.all.send_redirects" . "0")
("net.ipv4.conf.default.send_redirects" . "0")
;; Ignores ICMP requests.
("net.ipv4.icmp_echo_ignore_all" . "1")
("net.ipv6.icmp.echo_ignore_all" . "1")
;; Ignores bogus ICMP error responses
("net.ipv4.icmp_ignore_bogus_error_responses" . "1")
;; Enables TCP syncookies.
("net.ipv4.tcp_syncookies" . "1")
;; Disable source routing.
("net.ipv4.conf.all.accept_source_route" . "0")
("net.ipv4.conf.default.accept_source_route" . "0")
("net.ipv6.conf.all.accept_source_route" . "0")
("net.ipv6.conf.default.accept_source_route" . "0")
;; Enable reverse path filtering to prevent IP spoofing and
;; mitigate vulnerabilities such as CVE-2019-14899.
;; https://forums.whonix.org/t/enable-reverse-path-filtering/8594
("net.ipv4.conf.default.rp_filter" . "1")
("net.ipv4.conf.all.rp_filter" . "1")
;; meta end
;; Previously disabled SACK, DSACK, and FACK.
;; https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109
;;net.ipv4.tcp_sack=0
;;net.ipv4.tcp_dsack=0
;;net.ipv4.tcp_fack=0
;; meta start
;; project Kicksecure
;; category networking and security
;; description
;; disable IPv4 TCP Timestamps
("net.ipv4.tcp_timestamps" . "0")
;; meta end
;; Disable SysRq key
("kernel.sysrq" . "0")
;; Restrict loading TTY line disciplines to CAP_SYS_MODULE to prevent
;; unprivileged attackers from loading vulnerable line disciplines
;; with the TIOCSETD ioctl which has been used in exploits before
;; such as https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html
;;
;; https://lkml.org/lkml/2019/4/15/890
("dev.tty.ldisc_autoload" . "0")
;; Restrict the userfaultfd() syscall to root as it can make heap sprays
;; easier.
;;
;; https://duasynt.com/blog/linux-kernel-heap-spray
("vm.unprivileged_userfaultfd" . "0")
;; Let the kernel only swap if it is absolutely necessary.
;; Better not be set to zero:
;; - https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Performance_Tuning_Guide/s-memory-tunables.html
;; - https://en.wikipedia.org/wiki/Swappiness
("vm.swappiness" . "1")
;; Disallow kernel profiling by users without CAP_SYS_ADMIN
;; https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
("kernel.perf_event_paranoid" . "3")
;; Do not accept router advertisements
("net.ipv6.conf.all.accept_ra" . "0")
("net.ipv6.conf.default.accept_ra" . "0")
))