seasharp/Rosenthal
1
0
Fork 0
mirror of https://codeberg.org/hako/Rosenthal.git synced 2025-02-02 15:35:24 +00:00
Code Issues Packages Projects Releases Wiki Activity

utils: Remove counter-stop.scm.

Browse Source 
* rosenthal/utils/counter-stop.scm: Delete file.
* rosenthal/utils/kicksecure.scm: Delete file.
This commit is contained in:
Hilton Chain 2023-05-07 16:22:22 +08:00
parent 35a4bc0849
commit 43e374a2dd
No known key found for this signature in database
GPG Key ID: ACC66D09CA528292
2 changed files with 0 additions and 614 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

200
rosenthal/utils/counter-stop.scm
View File

@ -1,200 +0,0 @@
;; SPDX-FileCopyrightText: 2022 Hilton Chain <hako@ultrarare.space>
;;
;; SPDX-License-Identifier: GPL-3.0-or-later
(define-module (rosenthal utils counter-stop)
#:use-module (srfi srfi-1)
#:use-module (guix channels)
#:use-module (guix gexp)
#:use-module (guix packages)
#:use-module (gnu packages)
#:use-module (gnu packages admin)
#:use-module (gnu packages bash)
#:use-module (gnu packages certs)
#:use-module (gnu packages compression)
#:use-module (gnu packages curl)
#:use-module (gnu packages less)
#:use-module (gnu packages linux)
#:use-module (gnu packages nano)
#:use-module (gnu packages nvi)
#:use-module (gnu packages ssh)
#:use-module (gnu packages texinfo)
#:use-module (gnu packages text-editors)
#:use-module (gnu services)
#:use-module (gnu services base)
#:use-module (gnu services networking)
#:use-module (gnu services ssh)
#:use-module (gnu services sysctl)
#:use-module (gnu system)
#:use-module (gnu system accounts)
#:use-module (gnu system file-systems)
#:use-module (gnu system keyboard)
#:use-module (gnu system shadow)
#:use-module (rosenthal utils kicksecure)
#:export (%channel-guix
%channel-nonguix
%channel-rosenthal
%guix-authorized-key-dorphine
%guix-authorized-key-nonguix
normalize-package
%xdg-base-directory-environment-variables
%rosenthal-default-channels
%rosenthal-default-kernel-arguments
%rosenthal-default-keyboard-layout
%rosenthal-base-initrd-modules
%rosenthal-base-file-systems
%rosenthal-base-packages
%rosenthal-base-services))
;; Common procedures and variables shared across my home environment and
;; operating system definitions.
;; Channels
(define %channel-guix
(first %default-channels))
(define %channel-nonguix
(channel
(name 'nonguix)
(url "https://gitlab.com/nonguix/nonguix")
(introduction
(make-channel-introduction
"897c1a470da759236cc11798f4e0a5f7d4d59fbc"
(openpgp-fingerprint
"2A39 3FFF 68F4 EF7A 3D29 12AF 6F51 20A0 22FB B2D5")))))
(define %channel-rosenthal
(channel
(name 'rosenthal)
(url "https://github.com/rakino/rosenthal")
(branch "trunk")
(introduction
(make-channel-introduction
"7677db76330121a901604dfbad19077893865f35"
(openpgp-fingerprint
"13E7 6CD6 E649 C28C 3385 4DF5 5E5A A665 6149 17F7")))))
(define %rosenthal-default-channels
(list %channel-guix
%channel-nonguix
%channel-rosenthal))
;; Keys
;; local
(define %guix-authorized-key-dorphine
(plain-file "dorphine.pub" "
(public-key
(ecc
(curve Ed25519)
(q #BBE816F9D051E8B715F17DA26B674462DF1967AC77A4130CA3306878314B84AC#)))"))
;; https://substitutes.nonguix.org/signing-key.pub
(define %guix-authorized-key-nonguix
(plain-file "nonguix.pub" "
(public-key
(ecc
(curve Ed25519)
(q #C1FD53E5D4CE971933EC50C9F307AE2171A2D3B52C804642A7A35F84F3A4EA98#)))"))
;; Procedures
(define (normalize-package pkg)
(if (package? pkg)
`(,pkg "out")
pkg))
;; Variables
;; Source: <https://wiki.archlinux.org/title/XDG_Base_Directory>
(define %xdg-base-directory-environment-variables
'(;; XDG Cache Home
("LESSHISTFILE" . "$XDG_CACHE_HOME/.lesshst")
;; XDG Config Home
("AWS_CONFIG_FILE" . "$XDG_CONFIG_HOME/aws/config")
("AWS_SHARED_CREDENTIALS_FILE" . "$XDG_CONFIG_HOME/aws/credentials")
("INPUTRC" . "$XDG_CONFIG_HOME/readline/inputrc")
("MBSYNCRC" . "$XDG_CONFIG_HOME/isync/mbsyncrc")
("NPM_CONFIG_USERCONFIG" . "$XDG_CONFIG_HOME/npm/npmrc")
("WAKATIME_HOME" . "$XDG_CONFIG_HOME/wakatime")
("WGETRC" . "$XDG_CONFIG_HOME/wgetrc")
;; XDG Data Home
("CARGO_HOME" . "$XDG_DATA_HOME/cargo")
("GDBHISTFILE" . "$XDG_DATA_HOME/gdb/history")
("GNUPGHOME" . "$XDG_DATA_HOME/gnupg")
("GOPATH" . "$XDG_DATA_HOME/go")
("PASSWORD_STORE_DIR" . "$XDG_DATA_HOME/pass")))
(define %rosenthal-default-kernel-arguments
`(,@(delete "nosmt=force"
%kicksecure-kernel-arguments)
"net.ifnames=0"))
(define %rosenthal-default-keyboard-layout
(keyboard-layout "us" "dvorak"
#:options '("ctrl:nocaps")))
(define %rosenthal-base-initrd-modules
'("btrfs" "xxhash_generic"))
(define %rosenthal-base-file-systems
(cons* (file-system
(device "none")
(mount-point "/tmp")
(type "tmpfs")
(check? #f))
(file-system
(device "none")
(mount-point "/run")
(type "tmpfs")
(needed-for-boot? #t)
(check? #f))
(file-system
(device "none")
(mount-point "/var/run")
(type "tmpfs")
(needed-for-boot? #t)
(check? #f))
(delete %debug-file-system
%base-file-systems)))
(define %rosenthal-base-packages
(let ((to-add (list nss-certs))
(to-remove (list bash-completion
info-reader
mg
nano
nvi
inetutils
isc-dhcp
iw
wireless-tools)))
(append to-add (lset-difference eqv? %base-packages to-remove))))
(define %rosenthal-base-services
(cons* (modify-services %base-services
(sysctl-service-type
config => (sysctl-configuration
(inherit config)
(settings `(,@%kicksecure-sysctl-rules
("net.core.rmem_max" . "2500000")
("net.ipv4.tcp_sack" . "0")
("net.ipv4.tcp_dsack" . "0")
("net.ipv4.tcp_fack" . "0")
("vm.page-cluster" . "0")
("vm.swappiness" . "90")))))
(guix-service-type
config => (guix-configuration
(inherit config)
(substitute-urls
(append %default-substitute-urls
'("https://substitutes.nonguix.org")))
(authorized-keys
(cons* %guix-authorized-key-nonguix
%default-authorized-guix-keys)))))))

414
rosenthal/utils/kicksecure.scm
View File

@ -1,414 +0,0 @@
;; Contents extracted from Kicksecure's resources.
(define-module (rosenthal utils kicksecure)
#:export (%kicksecure-kernel-arguments
%kicksecure-sysctl-rules))
;; Source: <https://github.com/Kicksecure/security-misc>
;; Extracted with the following command:
;; cat etc/default/grub.d/* | sed -e 's/#\+/;;/g' -e 's/GRUB.*DEFAULT /\"/g' -e 's/GRUB.*LINUX /\"/g' -e '/GRUB/d' -e 's/\(\".*[a-z0-9]\)\ \([a-z].*\"\)/\1\"\n\"\2/g' -e '/dpkg/d'
(define %kicksecure-kernel-arguments
'(;; Copyright (C) 2022 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
;; See the file COPYING for copying conditions.
;; Wiping RAM at shutdown to defeat cold boot attacks.
;;
;; RAM wipe is enabled by default on host operating systems, real hardware.
;; RAM wipe is disabled by in virtual machines (VMs).
;;
;; Most users should not make any modifications to this config file because
;; there is no need for that.
;;
;; User documentation:
;; https://www.kicksecure.com/wiki/Cold_Boot_Attack_Defense
;;
;; Design documentation:
;; https://www.kicksecure.com/wiki/Dev/RAM_Wipe
;; RAM wipe is omitted in virtual machines (VMs) by default because it is
;; unclear if that could actually lead to the host operating system using
;; swap. Through use of kernel parameter wiperam=force it is possible to
;; force RAM wipe inside VMs which is useful for testing, development purposes.
;; There is no additional security benefit by the wiperam=force setting
;; for host operating systems.
;;"wiperam=force"
;; Kernel parameter wiperam=skip is provided to support disabling RAM wipe
;; at shutdown, which might be useful to speed up shutdown or in case should
;; there ever be issues.
;;"wiperam=skip"
;; Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
;; See the file COPYING for copying conditions.
;; Enables all known mitigations for CPU vulnerabilities.
;;
;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html
;; https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647
;; Enable mitigations for Spectre variant 2 (indirect branch speculation).
;;
;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html
"spectre_v2=on"
;; Disable Speculative Store Bypass.
"spec_store_bypass_disable=on"
;; Enable mitigations for the L1TF vulnerability through disabling SMT
;; and L1D flush runtime control.
;;
;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html
"l1tf=full,force"
;; Enable mitigations for the MDS vulnerability through clearing buffer cache
;; and disabling SMT.
;;
;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
"mds=full,nosmt"
;; Patches the TAA vulnerability by disabling TSX and enables mitigations using
;; TSX Async Abort along with disabling SMT.
;;
;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html
"tsx=off"
"tsx_async_abort=full,nosmt"
;; Mark all huge pages in the EPT as non-executable to mitigate iTLB multihit.
;;
;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html
"kvm.nx_huge_pages=force"
;; Enables mitigations for SRBDS to prevent MDS attacks on RDRAND and RDSEED instructions.
;; Only mitigated through microcode updates from Intel.
;;
;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/special-register-buffer-data-sampling.html
;; https://access.redhat.com/solutions/5142691
;; Force disable SMT as it has caused numerous CPU vulnerabilities.
;; The only full mitigation of cross-HT attacks is to disable SMT.
;;
;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html
;; https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17
"nosmt=force"
;; Enables the prctl interface to prevent leaks from L1D on context switches.
;;
;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1d_flush.html
"l1d_flush=on"
;; Mitigates numerous MMIO Stale Data vulnerabilities and disables SMT.
;;
;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html
"mmio_stale_data=full,nosmt"
;; Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
;; See the file COPYING for copying conditions.
;; Distrusts the bootloader for initial entropy at boot.
;;
;; https://lkml.org/lkml/2022/6/5/271
"random.trust_bootloader=off"
;; Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
;; See the file COPYING for copying conditions.
;; Distrusts the CPU for initial entropy at boot as it is not possible to
;; audit, may contain weaknesses or a backdoor.
;;
;; https://en.wikipedia.org/wiki/RDRAND;;Reception
;; https://twitter.com/pid_eins/status/1149649806056280069
;; https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html
;; https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566
;; https://lkml.org/lkml/2022/6/5/271
"random.trust_cpu=off"
;; Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
;; See the file COPYING for copying conditions.
;; Enables IOMMU to prevent DMA attacks.
"intel_iommu=on"
"amd_iommu=on"
;; Disable the busmaster bit on all PCI bridges during very
;; early boot to avoid holes in IOMMU.
;;
;; https://mjg59.dreamwidth.org/54433.html
;; https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94
"efi=disable_early_pci_dma"
;; Enables strict enforcement of IOMMU TLB invalidation so devices will never be able to access stale data contents
;; https://github.com/torvalds/linux/blob/master/drivers/iommu/Kconfig;;L97
;; Page 11 of https://lenovopress.lenovo.com/lp1467.pdf
"iommu.passthrough=0"
"iommu.strict=1"
;; Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
;; See the file COPYING for copying conditions.
;;echo ";; kver: $kver"
;; Disables the merging of slabs of similar sizes.
;; Sometimes a slab can be used in a vulnerable way which an attacker can exploit.
"slab_nomerge"
;; Enables sanity checks (F) and redzoning (Z).
;; Disabled due to kernel deciding to implicitly disable kernel pointer hashing
;; https://github.com/torvalds/linux/commit/792702911f581f7793962fbeb99d5c3a1b28f4c3
;;"slub_debug=FZ"
;; Zero memory at allocation and free time.
"init_on_alloc=1"
"init_on_free=1"
;; Machine check exception handler decides whether the system should panic or not based on the exception that happened.
;; https://forums.whonix.org/t/kernel-hardening/7296/494
;;"mce=0"
;; Enables Kernel Page Table Isolation which mitigates Meltdown and improves KASLR.
"pti=on"
;; Vsyscalls are obsolete, are at fixed addresses and are a target for ROP.
"vsyscall=none"
;; Enables page allocator freelist randomization.
"page_alloc.shuffle=1"
;; Enables randomisation of the kernel stack offset on syscall entries (introduced in kernel 5.13).
;; https://lkml.org/lkml/2019/3/18/246
"randomize_kstack_offset=on"
;; Enables kernel lockdown.
;;
;; Disabled for now as it enforces module signature verification which breaks
;; too many things.
;; https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880
;;
;; "lockdown=confidentiality"
;;fi
;; Gather more entropy during boot.
;;
;; Requires linux-hardened kernel patch.
;; https://github.com/anthraxx/linux-hardened
"extra_latent_entropy"
;; Restrict access to debugfs since it can contain a lot of sensitive information.
;; https://lkml.org/lkml/2020/7/16/122
;; https://github.com/torvalds/linux/blob/fb1201aececc59990b75ef59fca93ae4aa1e1444/Documentation/admin-guide/kernel-parameters.txt;;L835-L848
"debugfs=off"
;; Force the kernel to panic on "oopses" (which may be due to false positives)
;; https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713
;; Implemented differently:
;; /usr/libexec/security-misc/panic-on-oops
;; /etc/X11/Xsession.d/50panic_on_oops
;; /etc/sudoers.d/security-misc
;;"oops=panic"
;; Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
;; See the file COPYING for copying conditions.
;; Prevent kernel info leaks in console during boot.
;; https://phabricator.whonix.org/T950
;; LANG=C str_replace is provided by package helper-scripts.
;; The following command actually removed "quiet" from the kernel command line.
;; If verbosity is desired, the user might want to keep this line.
;; Remove "quiet" from "because "quiet" must be first.
;; If verbosity is desired, the user might want to out-comment the following line.
"quiet"
"loglevel=0"
;; NOTE:
;; After editing this file, running:
;; sudo update-grub
;; is required.
;;
;; If higher verbosity is desired, the user might also want to delete file
;; /etc/sysctl.d/30_silent-kernel-printk.conf
;; (or out-comment its settings).
;;
;; Alternatively, the user could consider to install the debug-misc package,
;; which will undo the settings found here.
))
;; Source <https://github.com/Kicksecure/security-misc>>
;; Extracted with the following command:
;; cat etc/sysctl.d/* | sed -e 's/#\+/;;/g' -e 's/ = /=/g' -e 's/;;\(.*\..*\)=\(.*\)/;; ("\1" . "\2")/g' -e 's/\(.*\..*\)=\(.*\)/("\1" . "\2")/g' -e 's@/bin\|/usr/bin@/run/current-system/profile/bin@g'
(define %kicksecure-sysctl-rules
'(;; Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
;; See the file COPYING for copying conditions.
;; Disables coredumps. This setting may be overwritten by systemd so this may not be useful.
;; security-misc also disables coredumps in other ways.
("kernel.core_pattern" . "|/run/current-system/profile/bin/false")
;; Restricts the kernel log to root only.
("kernel.dmesg_restrict" . "1")
;; Don't allow writes to files that we don't own
;; in world writable sticky directories, unless
;; they are owned by the owner of the directory.
("fs.protected_fifos" . "2")
("fs.protected_regular" . "2")
;; Only allow symlinks to be followed when outside of
;; a world-writable sticky directory, or when the owner
;; of the symlink and follower match, or when the directory
;; owner matches the symlink's owner.
;;
;; Prevent hardlinks from being created by users that do not
;; have read/write access to the source file.
;;
;; These prevent many TOCTOU races.
("fs.protected_symlinks" . "1")
("fs.protected_hardlinks" . "1")
;; Hardens the BPF JIT compiler and restricts it to root.
("kernel.unprivileged_bpf_disabled" . "1")
("net.core.bpf_jit_harden" . "2")
;; Quote https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html
;;
;; kexec_load_disabled:
;;
;; A toggle indicating if the kexec_load syscall has been disabled. This value defaults to 0 (false: kexec_load enabled), but can be set to 1 (true: kexec_load disabled). Once true, kexec can no longer be used, and the toggle cannot be set back to false. This allows a kexec image to be loaded before disabling the syscall, allowing a system to set up (and later use) an image without it being altered. Generally used together with the "modules_disabled" sysctl.
;; Disables kexec which can be used to replace the running kernel.
("kernel.kexec_load_disabled" . "1")
;; Hides kernel addresses in various files in /proc.
;; Kernel addresses can be very useful in certain exploits.
;;
;; https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
("kernel.kptr_restrict" . "2")
;; Improves ASLR effectiveness for mmap.
("vm.mmap_rnd_bits" . "32")
("vm.mmap_rnd_compat_bits" . "16")
;; Restricts the use of ptrace to root. This might break some programs running under WINE.
;; A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. This can be done by running:
;;
;; sudo apt-get install libcap2-bin
;; sudo setcap cap_sys_ptrace=eip /run/current-system/profile/bin/wineserver
;; sudo setcap cap_sys_ptrace=eip /run/current-system/profile/bin/wine-preloader
("kernel.yama.ptrace_scope" . "2")
;; Prevent setuid processes from creating coredumps.
("fs.suid_dumpable" . "0")
;; Randomize the addresses for mmap base, heap, stack, and VDSO pages
("kernel.randomize_va_space" . "2")
;; meta start
;; project Kicksecure
;; category networking and security
;; description
;; TCP/IP stack hardening
;; Protects against time-wait assassination.
;; It drops RST packets for sockets in the time-wait state.
("net.ipv4.tcp_rfc1337" . "1")
;; Disables ICMP redirect acceptance.
("net.ipv4.conf.all.accept_redirects" . "0")
("net.ipv4.conf.default.accept_redirects" . "0")
("net.ipv4.conf.all.secure_redirects" . "0")
("net.ipv4.conf.default.secure_redirects" . "0")
("net.ipv6.conf.all.accept_redirects" . "0")
("net.ipv6.conf.default.accept_redirects" . "0")
;; Disables ICMP redirect sending.
("net.ipv4.conf.all.send_redirects" . "0")
("net.ipv4.conf.default.send_redirects" . "0")
;; Ignores ICMP requests.
("net.ipv4.icmp_echo_ignore_all" . "1")
("net.ipv6.icmp.echo_ignore_all" . "1")
;; Ignores bogus ICMP error responses
("net.ipv4.icmp_ignore_bogus_error_responses" . "1")
;; Enables TCP syncookies.
("net.ipv4.tcp_syncookies" . "1")
;; Disable source routing.
("net.ipv4.conf.all.accept_source_route" . "0")
("net.ipv4.conf.default.accept_source_route" . "0")
("net.ipv6.conf.all.accept_source_route" . "0")
("net.ipv6.conf.default.accept_source_route" . "0")
;; Enable reverse path filtering to prevent IP spoofing and
;; mitigate vulnerabilities such as CVE-2019-14899.
;; https://forums.whonix.org/t/enable-reverse-path-filtering/8594
("net.ipv4.conf.default.rp_filter" . "1")
("net.ipv4.conf.all.rp_filter" . "1")
;; meta end
;; Disables SACK as it is commonly exploited and likely not needed.
;; https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109
;; ("net.ipv4.tcp_sack" . "0")
;; ("net.ipv4.tcp_dsack" . "0")
;; ("net.ipv4.tcp_fack" . "0")
;; meta start
;; project Kicksecure
;; category networking and security
;; description
;; disable IPv4 TCP Timestamps
("net.ipv4.tcp_timestamps" . "0")
;; meta end
;; Only allow the SysRq key to be used for shutdowns and the
;; Secure Attention Key (SAK).
;;
;; https://forums.whonix.org/t/sysrq-magic-sysrq-key/8079/
("kernel.sysrq" . "132")
;; Restrict loading TTY line disciplines to CAP_SYS_MODULE to prevent
;; unprivileged attackers from loading vulnerable line disciplines
;; with the TIOCSETD ioctl which has been used in exploits before
;; such as https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html
;;
;; https://lkml.org/lkml/2019/4/15/890
("dev.tty.ldisc_autoload" . "0")
;; Restrict the userfaultfd() syscall to root as it can make heap sprays
;; easier.
;;
;; https://duasynt.com/blog/linux-kernel-heap-spray
("vm.unprivileged_userfaultfd" . "0")
;; Let the kernel only swap if it is absolutely necessary.
;; Better not be set to zero:
;; - https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Performance_Tuning_Guide/s-memory-tunables.html
;; - https://en.wikipedia.org/wiki/Swappiness
("vm.swappiness" . "1")
;; Disallow kernel profiling by users without CAP_SYS_ADMIN
;; https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
("kernel.perf_event_paranoid" . "3")
;; Do not accept router advertisments
("net.ipv6.conf.all.accept_ra" . "0")
("net.ipv6.conf.default.accept_ra" . "0")
;; Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
;; See the file COPYING for copying conditions.
;; Prevent kernel info leaks in console during boot.
;; https://phabricator.whonix.org/T950
("kernel.printk" . "3 3 3 3")
;; NOTE:
;; For higher verbosity, the user might also want to delete file
;; /etc/default/grub.d/41_quiet.cfg
;; (or out-comment its settings).
;;
;; Alternatively, the user could consider to install the debug-misc package,
;; which will undo the settings found here.
))