operating-systems: buer: Add kicksecure kernel arguments and sysctl settings
parent
1f5167d9be
commit
57c0fc0644
|
@ -0,0 +1,464 @@
|
|||
;; Contents extracted from Kicksecure's resources.
|
||||
|
||||
(define-module (radix modules kicksecure-configs)
|
||||
#:export (kicksecure-delete
|
||||
%kicksecure-kernel-arguments
|
||||
%kicksecure-sysctl-rules))
|
||||
|
||||
(define (kicksecure-delete name lst)
|
||||
"Return a newly-created copy of LST with elements or pairs whose
|
||||
keys `string-prefix?' with NAME removed.
|
||||
|
||||
For example:
|
||||
(kicksecure-delete \"loglevel\"
|
||||
'(\"quiet\" \"loglevel=0\" \"loglevel=1\"))
|
||||
|
||||
=> (\"quiet\")
|
||||
|
||||
(kicksecure-delete \"net.ipv6.conf\"
|
||||
'((\"net.ipv6.conf.all.accept_ra\" . \"0\")
|
||||
(\"net.ipv6.conf.default.accept_ra\" . \"0\")))
|
||||
|
||||
=> ()"
|
||||
(filter (lambda (item)
|
||||
(not (cond
|
||||
((pair? item) (string-prefix? name (car item)))
|
||||
(else (string-prefix? name item)))))
|
||||
lst))
|
||||
|
||||
|
||||
|
||||
|
||||
;; Source: <https://github.com/Kicksecure/security-misc>
|
||||
;; Extracted with the following command:
|
||||
;; cat etc/default/grub.d/* | \
|
||||
;; sed -E \
|
||||
;; -e 's@GRUB_CMDLINE_LINUX(_DEFAULT)?=".GRUB_CMDLINE_LINUX(_DEFAULT)? @"@g' \
|
||||
;; -e 's@(=(on|off|force|1|0)|quiet) @\1" "@g' \
|
||||
;; -e 's@(.*dpkg.*|.*GRUB_CMDLINE.*)@#\1@g' \
|
||||
;; -e 's@^#+@;;@g'
|
||||
(define %kicksecure-kernel-arguments
|
||||
'(;; Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
;; See the file COPYING for copying conditions.
|
||||
|
||||
;; Enables all known mitigations for CPU vulnerabilities.
|
||||
;;
|
||||
;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html
|
||||
;; https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647
|
||||
|
||||
;; Enable mitigations for Spectre variant 2 (indirect branch speculation).
|
||||
;;
|
||||
;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html
|
||||
"spectre_v2=on"
|
||||
|
||||
;; Disable Speculative Store Bypass.
|
||||
"spec_store_bypass_disable=on"
|
||||
|
||||
;; Enable mitigations for the L1TF vulnerability through disabling SMT
|
||||
;; and L1D flush runtime control.
|
||||
;;
|
||||
;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html
|
||||
"l1tf=full,force"
|
||||
|
||||
;; Enable mitigations for the MDS vulnerability through clearing buffer cache
|
||||
;; and disabling SMT.
|
||||
;;
|
||||
;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
|
||||
"mds=full,nosmt"
|
||||
|
||||
;; Patches the TAA vulnerability by disabling TSX and enables mitigations using
|
||||
;; TSX Async Abort along with disabling SMT.
|
||||
;;
|
||||
;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html
|
||||
"tsx=off" "tsx_async_abort=full,nosmt"
|
||||
|
||||
;; Mark all huge pages in the EPT as non-executable to mitigate iTLB multihit.
|
||||
;;
|
||||
;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html
|
||||
"kvm.nx_huge_pages=force"
|
||||
|
||||
;; Enables mitigations for SRBDS to prevent MDS attacks on RDRAND and RDSEED instructions.
|
||||
;; Only mitigated through microcode updates from Intel.
|
||||
;;
|
||||
;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/special-register-buffer-data-sampling.html
|
||||
;; https://access.redhat.com/solutions/5142691
|
||||
|
||||
;; Force disable SMT as it has caused numerous CPU vulnerabilities.
|
||||
;; The only full mitigation of cross-HT attacks is to disable SMT.
|
||||
;;
|
||||
;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html
|
||||
;; https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17
|
||||
"nosmt=force"
|
||||
|
||||
;; Enables the prctl interface to prevent leaks from L1D on context switches.
|
||||
;;
|
||||
;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1d_flush.html
|
||||
"l1d_flush=on"
|
||||
|
||||
;; Mitigates numerous MMIO Stale Data vulnerabilities and disables SMT.
|
||||
;;
|
||||
;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html
|
||||
"mmio_stale_data=full,nosmt"
|
||||
;; Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
;; See the file COPYING for copying conditions.
|
||||
|
||||
;; Distrusts the bootloader for initial entropy at boot.
|
||||
;;
|
||||
;; https://lkml.org/lkml/2022/6/5/271
|
||||
"random.trust_bootloader=off"
|
||||
;; Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
;; See the file COPYING for copying conditions.
|
||||
|
||||
;; Distrusts the CPU for initial entropy at boot as it is not possible to
|
||||
;; audit, may contain weaknesses or a backdoor.
|
||||
;;
|
||||
;; https://en.wikipedia.org/wiki/RDRAND#Reception
|
||||
;; https://twitter.com/pid_eins/status/1149649806056280069
|
||||
;; https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html
|
||||
;; https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566
|
||||
;; https://lkml.org/lkml/2022/6/5/271
|
||||
"random.trust_cpu=off"
|
||||
;; Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
;; See the file COPYING for copying conditions.
|
||||
|
||||
;; Enables IOMMU to prevent DMA attacks.
|
||||
"intel_iommu=on" "amd_iommu=force_isolation"
|
||||
|
||||
;; Disable the busmaster bit on all PCI bridges during very
|
||||
;; early boot to avoid holes in IOMMU.
|
||||
;;
|
||||
;; https://mjg59.dreamwidth.org/54433.html
|
||||
;; https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94
|
||||
"efi=disable_early_pci_dma"
|
||||
|
||||
;; Enables strict enforcement of IOMMU TLB invalidation so devices will never be able to access stale data contents
|
||||
;; https://github.com/torvalds/linux/blob/master/drivers/iommu/Kconfig#L97
|
||||
;; Page 11 of https://lenovopress.lenovo.com/lp1467.pdf
|
||||
"iommu=force" "iommu.passthrough=0" "iommu.strict=1"
|
||||
;; Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
;; See the file COPYING for copying conditions.
|
||||
|
||||
;;kpkg="linux-image-$(dpkg --print-architecture)" || true
|
||||
;;kver="$(dpkg-query --show --showformat='${Version}' "$kpkg")" 2>/dev/null || true
|
||||
;;echo "## kver: $kver"
|
||||
|
||||
;; Disables the merging of slabs of similar sizes.
|
||||
;; Sometimes a slab can be used in a vulnerable way which an attacker can exploit.
|
||||
"slab_nomerge"
|
||||
|
||||
;; Enables sanity checks (F) and redzoning (Z).
|
||||
;; Disabled due to kernel deciding to implicitly disable kernel pointer hashing
|
||||
;; https://github.com/torvalds/linux/commit/792702911f581f7793962fbeb99d5c3a1b28f4c3
|
||||
;;"slub_debug=FZ"
|
||||
|
||||
;; Zero memory at allocation and free time.
|
||||
"init_on_alloc=1" "init_on_free=1"
|
||||
|
||||
;; Machine check exception handler decides whether the system should panic or not based on the exception that happened.
|
||||
;; https://forums.whonix.org/t/kernel-hardening/7296/494
|
||||
;;"mce=0"
|
||||
|
||||
;; Enables Kernel Page Table Isolation which mitigates Meltdown and improves KASLR.
|
||||
"pti=on"
|
||||
|
||||
;; Vsyscalls are obsolete, are at fixed addresses and are a target for ROP.
|
||||
"vsyscall=none"
|
||||
|
||||
;; Enables page allocator freelist randomization.
|
||||
"page_alloc.shuffle=1"
|
||||
|
||||
;; Enables randomisation of the kernel stack offset on syscall entries (introduced in kernel 5.13).
|
||||
;; https://lkml.org/lkml/2019/3/18/246
|
||||
"randomize_kstack_offset=on"
|
||||
|
||||
;; Enables kernel lockdown.
|
||||
;;
|
||||
;; Disabled for now as it enforces module signature verification which breaks
|
||||
;; too many things.
|
||||
;; https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880
|
||||
;;
|
||||
;;if dpkg --compare-versions "${kver}" ge "5.4"; then
|
||||
;; "lockdown=confidentiality"
|
||||
;;fi
|
||||
|
||||
;; Gather more entropy during boot.
|
||||
;;
|
||||
;; Requires linux-hardened kernel patch.
|
||||
;; https://github.com/anthraxx/linux-hardened
|
||||
"extra_latent_entropy"
|
||||
|
||||
;; Restrict access to debugfs since it can contain a lot of sensitive information.
|
||||
;; https://lkml.org/lkml/2020/7/16/122
|
||||
;; https://github.com/torvalds/linux/blob/fb1201aececc59990b75ef59fca93ae4aa1e1444/Documentation/admin-guide/kernel-parameters.txt#L835-L848
|
||||
"debugfs=off"
|
||||
|
||||
;; Force the kernel to panic on "oopses" (which may be due to false positives)
|
||||
;; https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713
|
||||
;; Implemented differently:
|
||||
;; /usr/libexec/security-misc/panic-on-oops
|
||||
;; /etc/profile.d/security-misc.sh
|
||||
;; /etc/sudoers.d/security-misc
|
||||
;;"oops=panic"
|
||||
;; Requires every module to be signed before being loaded.
|
||||
;; Any module that is unsigned or signed with an invalid key cannot be loaded.
|
||||
;; This makes it harder to load a malicious module.
|
||||
;;
|
||||
;; Not enabled by default yet due to issues:
|
||||
;; https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880/61
|
||||
;; https://github.com/dell/dkms/issues/359
|
||||
;;"module.sig_enforce=1"
|
||||
;; Copyright (C) 2023 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
;; See the file COPYING for copying conditions.
|
||||
|
||||
;; https://www.kicksecure.com/wiki/Security-misc#Remount_Secure
|
||||
|
||||
;; Disable Remount Secure.
|
||||
;;"remountsecure=0"
|
||||
|
||||
;; Re-mount with nodev, nosuid only.
|
||||
;;"remountsecure=1"
|
||||
|
||||
;; Re-mount with nodev, nosuid and most with noexec except for /home.
|
||||
;;"remountsecure=2"
|
||||
|
||||
;; Re-mount with nodev, nosuid and all with noexec including /home.
|
||||
;;"remountsecure=3"
|
||||
;; Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
;; See the file COPYING for copying conditions.
|
||||
|
||||
;; Prevent kernel info leaks in console during boot.
|
||||
;; https://phabricator.whonix.org/T950
|
||||
|
||||
;; LANG=C str_replace is provided by package helper-scripts.
|
||||
|
||||
;; The following command actually removed "quiet" from the kernel command line.
|
||||
;; If verbosity is desired, the user might want to keep this line.
|
||||
;; Remove "quiet" from GRUB_CMDLINE_LINUX_DEFAULT because "quiet" must be first.
|
||||
;;GRUB_CMDLINE_LINUX_DEFAULT="$(echo "$GRUB_CMDLINE_LINUX_DEFAULT" | LANG=C str_replace "quiet" "")"
|
||||
|
||||
;; If verbosity is desired, the user might want to out-comment the following line.
|
||||
"quiet" "loglevel=0"
|
||||
|
||||
;; NOTE:
|
||||
;; After editing this file, running:
|
||||
;; sudo update-grub
|
||||
;; is required.
|
||||
;;
|
||||
;; If higher verbosity is desired, the user might also want to delete file
|
||||
;; /etc/sysctl.d/30_silent-kernel-printk.conf
|
||||
;; (or out-comment its settings).
|
||||
;;
|
||||
;; Alternatively, the user could consider to install the debug-misc package,
|
||||
;; which will undo the settings found here.
|
||||
))
|
||||
|
||||
|
||||
|
||||
|
||||
;; Source <https://github.com/Kicksecure/security-misc>>
|
||||
;; Extracted with the following command:
|
||||
;; cat usr/lib/sysctl.d/* | \
|
||||
;; sed -E \
|
||||
;; -e 's@^([0-9a-z_\.]*) ?= ?(.*)@("\1" . "\2")@g' \
|
||||
;; -e 's@\|/bin@\|/run/current-system/profile/bin@g' \
|
||||
;; -e 's@^#+@;;@g'
|
||||
(define %kicksecure-sysctl-rules
|
||||
'(;; Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
;; See the file COPYING for copying conditions.
|
||||
|
||||
;; Quote https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html
|
||||
;;
|
||||
;; kexec_load_disabled:
|
||||
;;
|
||||
;; A toggle indicating if the kexec_load syscall has been disabled. This value defaults to 0 (false: kexec_load enabled), but can be set to 1 (true: kexec_load disabled). Once true, kexec can no longer be used, and the toggle cannot be set back to false. This allows a kexec image to be loaded before disabling the syscall, allowing a system to set up (and later use) an image without it being altered. Generally used together with the "modules_disabled" sysctl.
|
||||
;; Disables kexec which can be used to replace the running kernel.
|
||||
("kernel.kexec_load_disabled" . "1")
|
||||
|
||||
;; Why is this in a dedicated config file?
|
||||
;; Package ram-wipe requires kexec. However, ram-wipe could not ship a config
|
||||
;; file /etc/sysctl.d/40_ram-wipe.conf which sets 'kernel.kexec_load_disabled=0'.
|
||||
;; This is because once systemd-sysctl.service has set 'kernel.kexec_load_disabled=1'
|
||||
;; it cannot be undone without reboot. This is a upstream Linux security feature.
|
||||
;; Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
;; See the file COPYING for copying conditions.
|
||||
|
||||
;; Prevent kernel info leaks in console during boot.
|
||||
;; https://phabricator.whonix.org/T950
|
||||
("kernel.printk" . "3 3 3 3")
|
||||
|
||||
;; NOTE:
|
||||
;; For higher verbosity, the user might also want to delete file
|
||||
;; /etc/default/grub.d/41_quiet.cfg
|
||||
;; (or out-comment its settings).
|
||||
;;
|
||||
;; Alternatively, the user could consider to install the debug-misc package,
|
||||
;; which will undo the settings found here.
|
||||
;; Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
;; See the file COPYING for copying conditions.
|
||||
|
||||
;; NOTE:
|
||||
;; This file has a weird file name so /usr/lib/sysctl.d/99-protect-links.conf
|
||||
;; is parsed first and /usr/lib/sysctl.d/990-security-misc.conf is parsed
|
||||
;; afterwards. See also:
|
||||
;; https://github.com/Kicksecure/security-misc/pull/135
|
||||
|
||||
;; Restricts the kernel log to root only.
|
||||
("kernel.dmesg_restrict" . "1")
|
||||
|
||||
;; Disables coredumps. This setting may be overwritten by systemd so this may not be useful.
|
||||
;; security-misc also disables coredumps in other ways.
|
||||
("kernel.core_pattern" . "|/run/current-system/profile/bin/false")
|
||||
|
||||
;; Does not set coredump name to 'core' which is default. Defense in depth.
|
||||
("kernel.core_uses_pid" . "1")
|
||||
|
||||
;; Prevent setuid processes from creating coredumps.
|
||||
("fs.suid_dumpable" . "0")
|
||||
|
||||
;; Don't allow writes to files that we don't own
|
||||
;; in world writable sticky directories, unless
|
||||
;; they are owned by the owner of the directory.
|
||||
("fs.protected_fifos" . "2")
|
||||
("fs.protected_regular" . "2")
|
||||
|
||||
;; Only allow symlinks to be followed when outside of
|
||||
;; a world-writable sticky directory, or when the owner
|
||||
;; of the symlink and follower match, or when the directory
|
||||
;; owner matches the symlink's owner.
|
||||
;;
|
||||
;; Prevent hardlinks from being created by users that do not
|
||||
;; have read/write access to the source file.
|
||||
;;
|
||||
;; These prevent many TOCTOU races.
|
||||
("fs.protected_symlinks" . "1")
|
||||
("fs.protected_hardlinks" . "1")
|
||||
|
||||
;; Hides kernel addresses in various files in /proc.
|
||||
;; Kernel addresses can be very useful in certain exploits.
|
||||
;;
|
||||
;; https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
|
||||
("kernel.kptr_restrict" . "2")
|
||||
|
||||
;; Improves ASLR effectiveness for mmap.
|
||||
;; Both explicit sysctl are made redundant due to automation
|
||||
;; https://forums.whonix.org/t/automate-mmap-randomisation-to-fix-ppc64el/16514
|
||||
;; Do NOT enable either - displaying only for clarity
|
||||
;;
|
||||
;;vm.mmap_rnd_bits=32
|
||||
;;vm.mmap_rnd_compat_bits=16
|
||||
|
||||
;; Restricts the use of ptrace to root. This might break some programs running under WINE.
|
||||
;; A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. This can be done by running:
|
||||
;;
|
||||
;; sudo apt-get install libcap2-bin
|
||||
;; sudo setcap cap_sys_ptrace=eip /usr/bin/wineserver
|
||||
;; sudo setcap cap_sys_ptrace=eip /usr/bin/wine-preloader
|
||||
("kernel.yama.ptrace_scope" . "2")
|
||||
|
||||
;; Randomize the addresses for mmap base, heap, stack, and VDSO pages
|
||||
("kernel.randomize_va_space" . "2")
|
||||
|
||||
;; Hardens the BPF JIT compiler and restricts it to root.
|
||||
("kernel.unprivileged_bpf_disabled" . "1")
|
||||
("net.core.bpf_jit_harden" . "2")
|
||||
|
||||
;; meta start
|
||||
;; project Kicksecure
|
||||
;; category networking and security
|
||||
;; description
|
||||
;; TCP/IP stack hardening
|
||||
|
||||
;; A martian packet is a one with a source address which is blatantly wrong
|
||||
;; Recommended to keep a log of these to identify these suspicious packets
|
||||
("net.ipv4.conf.all.log_martians" . "1")
|
||||
("net.ipv4.conf.default.log_martians" . "1")
|
||||
|
||||
;; Protects against time-wait assassination.
|
||||
;; It drops RST packets for sockets in the time-wait state.
|
||||
("net.ipv4.tcp_rfc1337" . "1")
|
||||
|
||||
;; Disables ICMP redirect acceptance.
|
||||
("net.ipv4.conf.all.accept_redirects" . "0")
|
||||
("net.ipv4.conf.default.accept_redirects" . "0")
|
||||
("net.ipv4.conf.all.secure_redirects" . "0")
|
||||
("net.ipv4.conf.default.secure_redirects" . "0")
|
||||
("net.ipv6.conf.all.accept_redirects" . "0")
|
||||
("net.ipv6.conf.default.accept_redirects" . "0")
|
||||
|
||||
;; Disables ICMP redirect sending.
|
||||
("net.ipv4.conf.all.send_redirects" . "0")
|
||||
("net.ipv4.conf.default.send_redirects" . "0")
|
||||
|
||||
;; Ignores ICMP requests.
|
||||
("net.ipv4.icmp_echo_ignore_all" . "1")
|
||||
("net.ipv6.icmp.echo_ignore_all" . "1")
|
||||
|
||||
;; Ignores bogus ICMP error responses
|
||||
("net.ipv4.icmp_ignore_bogus_error_responses" . "1")
|
||||
|
||||
;; Enables TCP syncookies.
|
||||
("net.ipv4.tcp_syncookies" . "1")
|
||||
|
||||
;; Disable source routing.
|
||||
("net.ipv4.conf.all.accept_source_route" . "0")
|
||||
("net.ipv4.conf.default.accept_source_route" . "0")
|
||||
("net.ipv6.conf.all.accept_source_route" . "0")
|
||||
("net.ipv6.conf.default.accept_source_route" . "0")
|
||||
|
||||
;; Enable reverse path filtering to prevent IP spoofing and
|
||||
;; mitigate vulnerabilities such as CVE-2019-14899.
|
||||
;; https://forums.whonix.org/t/enable-reverse-path-filtering/8594
|
||||
("net.ipv4.conf.default.rp_filter" . "1")
|
||||
("net.ipv4.conf.all.rp_filter" . "1")
|
||||
|
||||
;; meta end
|
||||
|
||||
|
||||
;; Previously disabled SACK, DSACK, and FACK.
|
||||
;; https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109
|
||||
;;net.ipv4.tcp_sack=0
|
||||
;;net.ipv4.tcp_dsack=0
|
||||
;;net.ipv4.tcp_fack=0
|
||||
|
||||
|
||||
;; meta start
|
||||
;; project Kicksecure
|
||||
;; category networking and security
|
||||
;; description
|
||||
;; disable IPv4 TCP Timestamps
|
||||
|
||||
("net.ipv4.tcp_timestamps" . "0")
|
||||
|
||||
;; meta end
|
||||
|
||||
|
||||
;; Disable SysRq key
|
||||
("kernel.sysrq" . "0")
|
||||
|
||||
;; Restrict loading TTY line disciplines to CAP_SYS_MODULE to prevent
|
||||
;; unprivileged attackers from loading vulnerable line disciplines
|
||||
;; with the TIOCSETD ioctl which has been used in exploits before
|
||||
;; such as https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html
|
||||
;;
|
||||
;; https://lkml.org/lkml/2019/4/15/890
|
||||
("dev.tty.ldisc_autoload" . "0")
|
||||
|
||||
;; Restrict the userfaultfd() syscall to root as it can make heap sprays
|
||||
;; easier.
|
||||
;;
|
||||
;; https://duasynt.com/blog/linux-kernel-heap-spray
|
||||
("vm.unprivileged_userfaultfd" . "0")
|
||||
|
||||
;; Let the kernel only swap if it is absolutely necessary.
|
||||
;; Better not be set to zero:
|
||||
;; - https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Performance_Tuning_Guide/s-memory-tunables.html
|
||||
;; - https://en.wikipedia.org/wiki/Swappiness
|
||||
("vm.swappiness" . "1")
|
||||
|
||||
;; Disallow kernel profiling by users without CAP_SYS_ADMIN
|
||||
;; https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
|
||||
("kernel.perf_event_paranoid" . "3")
|
||||
|
||||
;; Do not accept router advertisements
|
||||
("net.ipv6.conf.all.accept_ra" . "0")
|
||||
("net.ipv6.conf.default.accept_ra" . "0")))
|
|
@ -57,6 +57,12 @@
|
|||
#|S|# #:use-module ((buer files substitute-keys) #:prefix public-key:)
|
||||
#|T|# #:use-module ((buer files thinkfan) #:prefix file:thinkfan-)
|
||||
|
||||
#|Kicksecure configurations|#
|
||||
#|K|# #:use-module (radix modules kicksecure-configs)
|
||||
|
||||
#|SRFI's|#
|
||||
#:use-module (srfi srfi-1)
|
||||
|
||||
#:export (operating-system))
|
||||
|
||||
(define operating-system
|
||||
|
@ -83,10 +89,10 @@
|
|||
|
||||
(kernel linux-libre-6.7)
|
||||
(kernel-arguments
|
||||
`("modprobe.blacklist=usbmouse,usbkbd,pcspkr"
|
||||
(cons* "modprobe.blacklist=usbmouse,usbkbd,pcspkr"
|
||||
"thinkpad_acpi.fan_control=1"
|
||||
"loglevel=5"
|
||||
"quiet"))
|
||||
(kicksecure-delete %kicksecure-kernel-arguments
|
||||
"debugfs")))
|
||||
|
||||
(file-systems
|
||||
(cons* (file-system
|
||||
|
@ -317,13 +323,21 @@
|
|||
`(("/bin/sh" ,(file-append dash-next "/bin/dash"))
|
||||
("/usr/bin/env" ,(file-append coreutils "/bin/env"))))
|
||||
|
||||
(simple-service 'extra-sysctl-settings sysctl-service-type
|
||||
`(("vm.swappiness" . "180")
|
||||
("vm.watermark_boost_factor" . "0")
|
||||
("vm.watermark_scale_factor" . "125")
|
||||
("vm.page-cluster" . "0")))
|
||||
|
||||
#|Miscellaneous services|#
|
||||
(service urandom-seed-service-type)
|
||||
(service nscd-service-type)
|
||||
(service sysctl-service-type
|
||||
(sysctl-configuration
|
||||
(sysctl (file-append procps "/sbin/sysctl"))
|
||||
(settings `(("fs.protected_hardlinks" . "1")
|
||||
("fs.protected_symlinks" . "1")))))))))
|
||||
(settings (fold kicksecure-delete
|
||||
%kicksecure-sysctl-rules
|
||||
'("net.core.bpf_jit_harden"
|
||||
"kernel.unprivileged_bpf_disabled")))))))))
|
||||
|
||||
operating-system
|
||||
|
|
Loading…
Reference in New Issue