Add contents extracted from Kicksecure's resources.

* rosenthal/utils/kicksecure.scm: New file. (%kicksecure-kernel-arguments,%kicksecure-sysctl-rules): New variables. <https://github.com/kicksecure/security-misc> See also: <https://www.kicksecure.com/wiki/Security-misc>
2025-11-03 19:24:37 +00:00 · 2022-11-25 19:52:50 +08:00 · 2022-11-25 19:52:50 +08:00 · 0dff44354a
commit 0dff44354a
parent 76acf97ec6
1 changed files with 414 additions and 0 deletions
--- a/rosenthal/utils/kicksecure.scm
+++ b/rosenthal/utils/kicksecure.scm
@ -0,0 +1,414 @@
+;; Contents extracted from Kicksecure's resources.
+
+(define-module (rosenthal utils kicksecure)
+  #:export (%kicksecure-kernel-arguments
+            %kicksecure-sysctl-rules))
+
+;; Source: <https://github.com/Kicksecure/security-misc>
+;; Extracted with the following command:
+;; cat etc/default/grub.d/* | sed -e 's/#\+/;;/g' -e 's/GRUB.*DEFAULT /\"/g' -e 's/GRUB.*LINUX /\"/g' -e '/GRUB/d' -e 's/\(\".*[a-z0-9]\)\ \([a-z].*\"\)/\1\"\n\"\2/g' -e '/dpkg/d'
+(define %kicksecure-kernel-arguments
+  '(;; Copyright (C) 2022 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+    ;; See the file COPYING for copying conditions.
+
+    ;; Wiping RAM at shutdown to defeat cold boot attacks.
+    ;;
+    ;; RAM wipe is enabled by default on host operating systems, real hardware.
+    ;; RAM wipe is disabled by in virtual machines (VMs).
+    ;;
+    ;; Most users should not make any modifications to this config file because
+    ;; there is no need for that.
+    ;;
+    ;; User documentation:
+    ;; https://www.kicksecure.com/wiki/Cold_Boot_Attack_Defense
+    ;;
+    ;; Design documentation:
+    ;; https://www.kicksecure.com/wiki/Dev/RAM_Wipe
+
+    ;; RAM wipe is omitted in virtual machines (VMs) by default because it is
+    ;; unclear if that could actually lead to the host operating system using
+    ;; swap. Through use of kernel parameter wiperam=force it is possible to
+    ;; force RAM wipe inside VMs which is useful for testing, development purposes.
+    ;; There is no additional security benefit by the wiperam=force setting
+    ;; for host operating systems.
+    ;;"wiperam=force"
+
+    ;; Kernel parameter wiperam=skip is provided to support disabling RAM wipe
+    ;; at shutdown, which might be useful to speed up shutdown or in case should
+    ;; there ever be issues.
+    ;;"wiperam=skip"
+    ;; Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+    ;; See the file COPYING for copying conditions.
+
+    ;; Enables all known mitigations for CPU vulnerabilities.
+    ;;
+    ;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html
+    ;; https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647
+
+    ;; Enable mitigations for Spectre variant 2 (indirect branch speculation).
+    ;;
+    ;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html
+    "spectre_v2=on"
+
+    ;; Disable Speculative Store Bypass.
+    "spec_store_bypass_disable=on"
+
+    ;; Enable mitigations for the L1TF vulnerability through disabling SMT
+    ;; and L1D flush runtime control.
+    ;;
+    ;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html
+    "l1tf=full,force"
+
+    ;; Enable mitigations for the MDS vulnerability through clearing buffer cache
+    ;; and disabling SMT.
+    ;;
+    ;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
+    "mds=full,nosmt"
+
+    ;; Patches the TAA vulnerability by disabling TSX and enables mitigations using
+    ;; TSX Async Abort along with disabling SMT.
+    ;;
+    ;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html
+    "tsx=off"
+    "tsx_async_abort=full,nosmt"
+
+    ;; Mark all huge pages in the EPT as non-executable to mitigate iTLB multihit.
+    ;;
+    ;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html
+    "kvm.nx_huge_pages=force"
+
+    ;; Enables mitigations for SRBDS to prevent MDS attacks on RDRAND and RDSEED instructions.
+    ;; Only mitigated through microcode updates from Intel.
+    ;;
+    ;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/special-register-buffer-data-sampling.html
+    ;; https://access.redhat.com/solutions/5142691
+
+    ;; Force disable SMT as it has caused numerous CPU vulnerabilities.
+    ;; The only full mitigation of cross-HT attacks is to disable SMT.
+    ;;
+    ;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html
+    ;; https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17
+    "nosmt=force"
+
+    ;; Enables the prctl interface to prevent leaks from L1D on context switches.
+    ;;
+    ;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1d_flush.html
+    "l1d_flush=on"
+
+    ;; Mitigates numerous MMIO Stale Data vulnerabilities and disables SMT.
+    ;;
+    ;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html
+    "mmio_stale_data=full,nosmt"
+    ;; Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+    ;; See the file COPYING for copying conditions.
+
+    ;; Distrusts the bootloader for initial entropy at boot.
+    ;;
+    ;; https://lkml.org/lkml/2022/6/5/271
+    "random.trust_bootloader=off"
+    ;; Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+    ;; See the file COPYING for copying conditions.
+
+    ;; Distrusts the CPU for initial entropy at boot as it is not possible to
+    ;; audit, may contain weaknesses or a backdoor.
+    ;;
+    ;; https://en.wikipedia.org/wiki/RDRAND;;Reception
+    ;; https://twitter.com/pid_eins/status/1149649806056280069
+    ;; https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html
+    ;; https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566
+    ;; https://lkml.org/lkml/2022/6/5/271
+    "random.trust_cpu=off"
+    ;; Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+    ;; See the file COPYING for copying conditions.
+
+    ;; Enables IOMMU to prevent DMA attacks.
+    "intel_iommu=on"
+    "amd_iommu=on"
+
+    ;; Disable the busmaster bit on all PCI bridges during very
+    ;; early boot to avoid holes in IOMMU.
+    ;;
+    ;; https://mjg59.dreamwidth.org/54433.html
+    ;; https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94
+    "efi=disable_early_pci_dma"
+
+    ;; Enables strict enforcement of IOMMU TLB invalidation so devices will never be able to access stale data contents
+    ;; https://github.com/torvalds/linux/blob/master/drivers/iommu/Kconfig;;L97
+    ;; Page 11 of https://lenovopress.lenovo.com/lp1467.pdf
+    "iommu.passthrough=0"
+    "iommu.strict=1"
+    ;; Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+    ;; See the file COPYING for copying conditions.
+
+    ;;echo ";; kver: $kver"
+
+    ;; Disables the merging of slabs of similar sizes.
+    ;; Sometimes a slab can be used in a vulnerable way which an attacker can exploit.
+    "slab_nomerge"
+
+    ;; Enables sanity checks (F) and redzoning (Z).
+    ;; Disabled due to kernel deciding to implicitly disable kernel pointer hashing
+    ;; https://github.com/torvalds/linux/commit/792702911f581f7793962fbeb99d5c3a1b28f4c3
+    ;;"slub_debug=FZ"
+
+    ;; Zero memory at allocation and free time.
+    "init_on_alloc=1"
+    "init_on_free=1"
+
+    ;; Machine check exception handler decides whether the system should panic or not based on the exception that happened.
+    ;; https://forums.whonix.org/t/kernel-hardening/7296/494
+    ;;"mce=0"
+
+    ;; Enables Kernel Page Table Isolation which mitigates Meltdown and improves KASLR.
+    "pti=on"
+
+    ;; Vsyscalls are obsolete, are at fixed addresses and are a target for ROP.
+    "vsyscall=none"
+
+    ;; Enables page allocator freelist randomization.
+    "page_alloc.shuffle=1"
+
+    ;; Enables randomisation of the kernel stack offset on syscall entries (introduced in kernel 5.13).
+    ;; https://lkml.org/lkml/2019/3/18/246
+    "randomize_kstack_offset=on"
+
+    ;; Enables kernel lockdown.
+    ;;
+    ;; Disabled for now as it enforces module signature verification which breaks
+    ;; too many things.
+    ;; https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880
+    ;;
+    ;;  "lockdown=confidentiality"
+    ;;fi
+
+    ;; Gather more entropy during boot.
+    ;;
+    ;; Requires linux-hardened kernel patch.
+    ;; https://github.com/anthraxx/linux-hardened
+    "extra_latent_entropy"
+
+    ;; Restrict access to debugfs since it can contain a lot of sensitive information.
+    ;; https://lkml.org/lkml/2020/7/16/122
+    ;; https://github.com/torvalds/linux/blob/fb1201aececc59990b75ef59fca93ae4aa1e1444/Documentation/admin-guide/kernel-parameters.txt;;L835-L848
+    "debugfs=off"
+
+    ;; Force the kernel to panic on "oopses" (which may be due to false positives)
+    ;; https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713
+    ;; Implemented differently:
+    ;; /usr/libexec/security-misc/panic-on-oops
+    ;; /etc/X11/Xsession.d/50panic_on_oops
+    ;; /etc/sudoers.d/security-misc
+    ;;"oops=panic"
+    ;; Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+    ;; See the file COPYING for copying conditions.
+
+    ;; Prevent kernel info leaks in console during boot.
+    ;; https://phabricator.whonix.org/T950
+
+    ;; LANG=C str_replace is provided by package helper-scripts.
+
+    ;; The following command actually removed "quiet" from the kernel command line.
+    ;; If verbosity is desired, the user might want to keep this line.
+    ;; Remove "quiet" from "because "quiet" must be first.
+
+    ;; If verbosity is desired, the user might want to out-comment the following line.
+    "quiet"
+    "loglevel=0"
+
+    ;; NOTE:
+    ;; After editing this file, running:
+    ;; sudo update-grub
+    ;; is required.
+    ;;
+    ;; If higher verbosity is desired, the user might also want to delete file
+    ;; /etc/sysctl.d/30_silent-kernel-printk.conf
+    ;; (or out-comment its settings).
+    ;;
+    ;; Alternatively, the user could consider to install the debug-misc package,
+    ;; which will undo the settings found here.
+    ))
+
+
+
+;; Source <https://github.com/Kicksecure/security-misc>>
+;; Extracted with the following command:
+;; cat etc/sysctl.d/* | sed -e 's/#\+/;;/g' -e 's/ = /=/g' -e 's/;;\(.*\..*\)=\(.*\)/;; ("\1" . "\2")/g' -e 's/\(.*\..*\)=\(.*\)/("\1" . "\2")/g' -e 's@/bin\|/usr/bin@/run/current-system/profile/bin@g'
+(define %kicksecure-sysctl-rules
+  '(;; Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+    ;; See the file COPYING for copying conditions.
+
+    ;; Disables coredumps. This setting may be overwritten by systemd so this may not be useful.
+    ;; security-misc also disables coredumps in other ways.
+    ("kernel.core_pattern" . "|/run/current-system/profile/bin/false")
+
+    ;; Restricts the kernel log to root only.
+    ("kernel.dmesg_restrict" . "1")
+
+    ;; Don't allow writes to files that we don't own
+    ;; in world writable sticky directories, unless
+    ;; they are owned by the owner of the directory.
+    ("fs.protected_fifos" . "2")
+    ("fs.protected_regular" . "2")
+
+    ;; Only allow symlinks to be followed when outside of
+    ;; a world-writable sticky directory, or when the owner
+    ;; of the symlink and follower match, or when the directory
+    ;; owner matches the symlink's owner.
+    ;;
+    ;; Prevent hardlinks from being created by users that do not
+    ;; have read/write access to the source file.
+    ;;
+    ;; These prevent many TOCTOU races.
+    ("fs.protected_symlinks" . "1")
+    ("fs.protected_hardlinks" . "1")
+
+    ;; Hardens the BPF JIT compiler and restricts it to root.
+    ("kernel.unprivileged_bpf_disabled" . "1")
+    ("net.core.bpf_jit_harden" . "2")
+
+    ;; Quote https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html
+    ;;
+    ;; kexec_load_disabled:
+    ;;
+    ;; A toggle indicating if the kexec_load syscall has been disabled. This value defaults to 0 (false: kexec_load enabled), but can be set to 1 (true: kexec_load disabled). Once true, kexec can no longer be used, and the toggle cannot be set back to false. This allows a kexec image to be loaded before disabling the syscall, allowing a system to set up (and later use) an image without it being altered. Generally used together with the "modules_disabled" sysctl.
+
+    ;; Disables kexec which can be used to replace the running kernel.
+    ("kernel.kexec_load_disabled" . "1")
+
+    ;; Hides kernel addresses in various files in /proc.
+    ;; Kernel addresses can be very useful in certain exploits.
+    ;;
+    ;; https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
+    ("kernel.kptr_restrict" . "2")
+
+    ;; Improves ASLR effectiveness for mmap.
+    ("vm.mmap_rnd_bits" . "32")
+    ("vm.mmap_rnd_compat_bits" . "16")
+
+    ;; Restricts the use of ptrace to root. This might break some programs running under WINE.
+    ;; A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. This can be done by running:
+    ;;
+    ;; sudo apt-get install libcap2-bin
+    ;; sudo setcap cap_sys_ptrace=eip /run/current-system/profile/bin/wineserver
+    ;; sudo setcap cap_sys_ptrace=eip /run/current-system/profile/bin/wine-preloader
+    ("kernel.yama.ptrace_scope" . "2")
+
+    ;; Prevent setuid processes from creating coredumps.
+    ("fs.suid_dumpable" . "0")
+
+    ;; Randomize the addresses for mmap base, heap, stack, and VDSO pages
+    ("kernel.randomize_va_space" . "2")
+
+    ;; meta start
+    ;; project Kicksecure
+    ;; category networking and security
+    ;; description
+    ;; TCP/IP stack hardening
+
+    ;; Protects against time-wait assassination.
+    ;; It drops RST packets for sockets in the time-wait state.
+    ("net.ipv4.tcp_rfc1337" . "1")
+
+    ;; Disables ICMP redirect acceptance.
+    ("net.ipv4.conf.all.accept_redirects" . "0")
+    ("net.ipv4.conf.default.accept_redirects" . "0")
+    ("net.ipv4.conf.all.secure_redirects" . "0")
+    ("net.ipv4.conf.default.secure_redirects" . "0")
+    ("net.ipv6.conf.all.accept_redirects" . "0")
+    ("net.ipv6.conf.default.accept_redirects" . "0")
+
+    ;; Disables ICMP redirect sending.
+    ("net.ipv4.conf.all.send_redirects" . "0")
+    ("net.ipv4.conf.default.send_redirects" . "0")
+
+    ;; Ignores ICMP requests.
+    ("net.ipv4.icmp_echo_ignore_all" . "1")
+    ("net.ipv6.icmp.echo_ignore_all" . "1")
+
+    ;; Ignores bogus ICMP error responses
+    ("net.ipv4.icmp_ignore_bogus_error_responses" . "1")
+
+    ;; Enables TCP syncookies.
+    ("net.ipv4.tcp_syncookies" . "1")
+
+    ;; Disable source routing.
+    ("net.ipv4.conf.all.accept_source_route" . "0")
+    ("net.ipv4.conf.default.accept_source_route" . "0")
+    ("net.ipv6.conf.all.accept_source_route" . "0")
+    ("net.ipv6.conf.default.accept_source_route" . "0")
+
+    ;; Enable reverse path filtering to prevent IP spoofing and
+    ;; mitigate vulnerabilities such as CVE-2019-14899.
+    ;; https://forums.whonix.org/t/enable-reverse-path-filtering/8594
+    ("net.ipv4.conf.default.rp_filter" . "1")
+    ("net.ipv4.conf.all.rp_filter" . "1")
+
+    ;; meta end
+
+
+    ;; Disables SACK as it is commonly exploited and likely not needed.
+    ;; https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109
+    ;; ("net.ipv4.tcp_sack" . "0")
+    ;; ("net.ipv4.tcp_dsack" . "0")
+    ;; ("net.ipv4.tcp_fack" . "0")
+
+
+    ;; meta start
+    ;; project Kicksecure
+    ;; category networking and security
+    ;; description
+    ;; disable IPv4 TCP Timestamps
+
+    ("net.ipv4.tcp_timestamps" . "0")
+
+    ;; meta end
+
+
+    ;; Only allow the SysRq key to be used for shutdowns and the
+    ;; Secure Attention Key (SAK).
+    ;;
+    ;; https://forums.whonix.org/t/sysrq-magic-sysrq-key/8079/
+    ("kernel.sysrq" . "132")
+
+    ;; Restrict loading TTY line disciplines to CAP_SYS_MODULE to prevent
+    ;; unprivileged attackers from loading vulnerable line disciplines
+    ;; with the TIOCSETD ioctl which has been used in exploits before
+    ;; such as https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html
+    ;;
+    ;; https://lkml.org/lkml/2019/4/15/890
+    ("dev.tty.ldisc_autoload" . "0")
+
+    ;; Restrict the userfaultfd() syscall to root as it can make heap sprays
+    ;; easier.
+    ;;
+    ;; https://duasynt.com/blog/linux-kernel-heap-spray
+    ("vm.unprivileged_userfaultfd" . "0")
+
+    ;; Let the kernel only swap if it is absolutely necessary.
+    ;; Better not be set to zero:
+    ;; - https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Performance_Tuning_Guide/s-memory-tunables.html
+    ;; - https://en.wikipedia.org/wiki/Swappiness
+    ("vm.swappiness" . "1")
+
+    ;; Disallow kernel profiling by users without CAP_SYS_ADMIN
+    ;; https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
+    ("kernel.perf_event_paranoid" . "3")
+
+    ;; Do not accept router advertisments
+    ("net.ipv6.conf.all.accept_ra" . "0")
+    ("net.ipv6.conf.default.accept_ra" . "0")
+    ;; Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+    ;; See the file COPYING for copying conditions.
+
+    ;; Prevent kernel info leaks in console during boot.
+    ;; https://phabricator.whonix.org/T950
+    ("kernel.printk" . "3 3 3 3")
+
+    ;; NOTE:
+    ;; For higher verbosity, the user might also want to delete file
+    ;; /etc/default/grub.d/41_quiet.cfg
+    ;; (or out-comment its settings).
+    ;;
+    ;; Alternatively, the user could consider to install the debug-misc package,
+    ;; which will undo the settings found here.
+    ))