From 43e374a2dda0a0ece44139d45d1408a6af580dca Mon Sep 17 00:00:00 2001 From: Hilton Chain Date: Sun, 7 May 2023 16:22:22 +0800 Subject: [PATCH] utils: Remove counter-stop.scm. * rosenthal/utils/counter-stop.scm: Delete file. * rosenthal/utils/kicksecure.scm: Delete file. --- rosenthal/utils/counter-stop.scm | 200 --------------- rosenthal/utils/kicksecure.scm | 414 ------------------------------- 2 files changed, 614 deletions(-) delete mode 100644 rosenthal/utils/counter-stop.scm delete mode 100644 rosenthal/utils/kicksecure.scm diff --git a/rosenthal/utils/counter-stop.scm b/rosenthal/utils/counter-stop.scm deleted file mode 100644 index 610d4c4..0000000 --- a/rosenthal/utils/counter-stop.scm +++ /dev/null @@ -1,200 +0,0 @@ -;; SPDX-FileCopyrightText: 2022 Hilton Chain -;; -;; SPDX-License-Identifier: GPL-3.0-or-later - -(define-module (rosenthal utils counter-stop) - #:use-module (srfi srfi-1) - #:use-module (guix channels) - #:use-module (guix gexp) - #:use-module (guix packages) - #:use-module (gnu packages) - #:use-module (gnu packages admin) - #:use-module (gnu packages bash) - #:use-module (gnu packages certs) - #:use-module (gnu packages compression) - #:use-module (gnu packages curl) - #:use-module (gnu packages less) - #:use-module (gnu packages linux) - #:use-module (gnu packages nano) - #:use-module (gnu packages nvi) - #:use-module (gnu packages ssh) - #:use-module (gnu packages texinfo) - #:use-module (gnu packages text-editors) - #:use-module (gnu services) - #:use-module (gnu services base) - #:use-module (gnu services networking) - #:use-module (gnu services ssh) - #:use-module (gnu services sysctl) - #:use-module (gnu system) - #:use-module (gnu system accounts) - #:use-module (gnu system file-systems) - #:use-module (gnu system keyboard) - #:use-module (gnu system shadow) - #:use-module (rosenthal utils kicksecure) - #:export (%channel-guix - %channel-nonguix - %channel-rosenthal - - %guix-authorized-key-dorphine - %guix-authorized-key-nonguix - - normalize-package - - %xdg-base-directory-environment-variables - - %rosenthal-default-channels - %rosenthal-default-kernel-arguments - %rosenthal-default-keyboard-layout - %rosenthal-base-initrd-modules - %rosenthal-base-file-systems - %rosenthal-base-packages - %rosenthal-base-services)) - -;; Common procedures and variables shared across my home environment and -;; operating system definitions. - -;; Channels -(define %channel-guix - (first %default-channels)) - -(define %channel-nonguix - (channel - (name 'nonguix) - (url "https://gitlab.com/nonguix/nonguix") - (introduction - (make-channel-introduction - "897c1a470da759236cc11798f4e0a5f7d4d59fbc" - (openpgp-fingerprint - "2A39 3FFF 68F4 EF7A 3D29 12AF 6F51 20A0 22FB B2D5"))))) - -(define %channel-rosenthal - (channel - (name 'rosenthal) - (url "https://github.com/rakino/rosenthal") - (branch "trunk") - (introduction - (make-channel-introduction - "7677db76330121a901604dfbad19077893865f35" - (openpgp-fingerprint - "13E7 6CD6 E649 C28C 3385 4DF5 5E5A A665 6149 17F7"))))) - -(define %rosenthal-default-channels - (list %channel-guix - %channel-nonguix - %channel-rosenthal)) - -;; Keys -;; local -(define %guix-authorized-key-dorphine - (plain-file "dorphine.pub" " -(public-key - (ecc - (curve Ed25519) - (q #BBE816F9D051E8B715F17DA26B674462DF1967AC77A4130CA3306878314B84AC#)))")) - -;; https://substitutes.nonguix.org/signing-key.pub -(define %guix-authorized-key-nonguix - (plain-file "nonguix.pub" " -(public-key - (ecc - (curve Ed25519) - (q #C1FD53E5D4CE971933EC50C9F307AE2171A2D3B52C804642A7A35F84F3A4EA98#)))")) - -;; Procedures -(define (normalize-package pkg) - (if (package? pkg) - `(,pkg "out") - pkg)) - -;; Variables -;; Source: -(define %xdg-base-directory-environment-variables - '(;; XDG Cache Home - ("LESSHISTFILE" . "$XDG_CACHE_HOME/.lesshst") - - ;; XDG Config Home - ("AWS_CONFIG_FILE" . "$XDG_CONFIG_HOME/aws/config") - ("AWS_SHARED_CREDENTIALS_FILE" . "$XDG_CONFIG_HOME/aws/credentials") - ("INPUTRC" . "$XDG_CONFIG_HOME/readline/inputrc") - ("MBSYNCRC" . "$XDG_CONFIG_HOME/isync/mbsyncrc") - ("NPM_CONFIG_USERCONFIG" . "$XDG_CONFIG_HOME/npm/npmrc") - ("WAKATIME_HOME" . "$XDG_CONFIG_HOME/wakatime") - ("WGETRC" . "$XDG_CONFIG_HOME/wgetrc") - - ;; XDG Data Home - ("CARGO_HOME" . "$XDG_DATA_HOME/cargo") - ("GDBHISTFILE" . "$XDG_DATA_HOME/gdb/history") - ("GNUPGHOME" . "$XDG_DATA_HOME/gnupg") - ("GOPATH" . "$XDG_DATA_HOME/go") - ("PASSWORD_STORE_DIR" . "$XDG_DATA_HOME/pass"))) - -(define %rosenthal-default-kernel-arguments - `(,@(delete "nosmt=force" - %kicksecure-kernel-arguments) - "net.ifnames=0")) - -(define %rosenthal-default-keyboard-layout - (keyboard-layout "us" "dvorak" - #:options '("ctrl:nocaps"))) - -(define %rosenthal-base-initrd-modules - '("btrfs" "xxhash_generic")) - -(define %rosenthal-base-file-systems - (cons* (file-system - (device "none") - (mount-point "/tmp") - (type "tmpfs") - (check? #f)) - - (file-system - (device "none") - (mount-point "/run") - (type "tmpfs") - (needed-for-boot? #t) - (check? #f)) - - (file-system - (device "none") - (mount-point "/var/run") - (type "tmpfs") - (needed-for-boot? #t) - (check? #f)) - - (delete %debug-file-system - %base-file-systems))) - -(define %rosenthal-base-packages - (let ((to-add (list nss-certs)) - (to-remove (list bash-completion - info-reader - mg - nano - nvi - inetutils - isc-dhcp - iw - wireless-tools))) - (append to-add (lset-difference eqv? %base-packages to-remove)))) - -(define %rosenthal-base-services - (cons* (modify-services %base-services - (sysctl-service-type - config => (sysctl-configuration - (inherit config) - (settings `(,@%kicksecure-sysctl-rules - ("net.core.rmem_max" . "2500000") - ("net.ipv4.tcp_sack" . "0") - ("net.ipv4.tcp_dsack" . "0") - ("net.ipv4.tcp_fack" . "0") - ("vm.page-cluster" . "0") - ("vm.swappiness" . "90"))))) - (guix-service-type - config => (guix-configuration - (inherit config) - (substitute-urls - (append %default-substitute-urls - '("https://substitutes.nonguix.org"))) - (authorized-keys - (cons* %guix-authorized-key-nonguix - %default-authorized-guix-keys))))))) diff --git a/rosenthal/utils/kicksecure.scm b/rosenthal/utils/kicksecure.scm deleted file mode 100644 index 604a995..0000000 --- a/rosenthal/utils/kicksecure.scm +++ /dev/null @@ -1,414 +0,0 @@ -;; Contents extracted from Kicksecure's resources. - -(define-module (rosenthal utils kicksecure) - #:export (%kicksecure-kernel-arguments - %kicksecure-sysctl-rules)) - -;; Source: -;; Extracted with the following command: -;; cat etc/default/grub.d/* | sed -e 's/#\+/;;/g' -e 's/GRUB.*DEFAULT /\"/g' -e 's/GRUB.*LINUX /\"/g' -e '/GRUB/d' -e 's/\(\".*[a-z0-9]\)\ \([a-z].*\"\)/\1\"\n\"\2/g' -e '/dpkg/d' -(define %kicksecure-kernel-arguments - '(;; Copyright (C) 2022 - 2022 ENCRYPTED SUPPORT LP - ;; See the file COPYING for copying conditions. - - ;; Wiping RAM at shutdown to defeat cold boot attacks. - ;; - ;; RAM wipe is enabled by default on host operating systems, real hardware. - ;; RAM wipe is disabled by in virtual machines (VMs). - ;; - ;; Most users should not make any modifications to this config file because - ;; there is no need for that. - ;; - ;; User documentation: - ;; https://www.kicksecure.com/wiki/Cold_Boot_Attack_Defense - ;; - ;; Design documentation: - ;; https://www.kicksecure.com/wiki/Dev/RAM_Wipe - - ;; RAM wipe is omitted in virtual machines (VMs) by default because it is - ;; unclear if that could actually lead to the host operating system using - ;; swap. Through use of kernel parameter wiperam=force it is possible to - ;; force RAM wipe inside VMs which is useful for testing, development purposes. - ;; There is no additional security benefit by the wiperam=force setting - ;; for host operating systems. - ;;"wiperam=force" - - ;; Kernel parameter wiperam=skip is provided to support disabling RAM wipe - ;; at shutdown, which might be useful to speed up shutdown or in case should - ;; there ever be issues. - ;;"wiperam=skip" - ;; Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP - ;; See the file COPYING for copying conditions. - - ;; Enables all known mitigations for CPU vulnerabilities. - ;; - ;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html - ;; https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647 - - ;; Enable mitigations for Spectre variant 2 (indirect branch speculation). - ;; - ;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html - "spectre_v2=on" - - ;; Disable Speculative Store Bypass. - "spec_store_bypass_disable=on" - - ;; Enable mitigations for the L1TF vulnerability through disabling SMT - ;; and L1D flush runtime control. - ;; - ;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html - "l1tf=full,force" - - ;; Enable mitigations for the MDS vulnerability through clearing buffer cache - ;; and disabling SMT. - ;; - ;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html - "mds=full,nosmt" - - ;; Patches the TAA vulnerability by disabling TSX and enables mitigations using - ;; TSX Async Abort along with disabling SMT. - ;; - ;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html - "tsx=off" - "tsx_async_abort=full,nosmt" - - ;; Mark all huge pages in the EPT as non-executable to mitigate iTLB multihit. - ;; - ;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html - "kvm.nx_huge_pages=force" - - ;; Enables mitigations for SRBDS to prevent MDS attacks on RDRAND and RDSEED instructions. - ;; Only mitigated through microcode updates from Intel. - ;; - ;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/special-register-buffer-data-sampling.html - ;; https://access.redhat.com/solutions/5142691 - - ;; Force disable SMT as it has caused numerous CPU vulnerabilities. - ;; The only full mitigation of cross-HT attacks is to disable SMT. - ;; - ;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html - ;; https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17 - "nosmt=force" - - ;; Enables the prctl interface to prevent leaks from L1D on context switches. - ;; - ;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1d_flush.html - "l1d_flush=on" - - ;; Mitigates numerous MMIO Stale Data vulnerabilities and disables SMT. - ;; - ;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html - "mmio_stale_data=full,nosmt" - ;; Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP - ;; See the file COPYING for copying conditions. - - ;; Distrusts the bootloader for initial entropy at boot. - ;; - ;; https://lkml.org/lkml/2022/6/5/271 - "random.trust_bootloader=off" - ;; Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP - ;; See the file COPYING for copying conditions. - - ;; Distrusts the CPU for initial entropy at boot as it is not possible to - ;; audit, may contain weaknesses or a backdoor. - ;; - ;; https://en.wikipedia.org/wiki/RDRAND;;Reception - ;; https://twitter.com/pid_eins/status/1149649806056280069 - ;; https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html - ;; https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566 - ;; https://lkml.org/lkml/2022/6/5/271 - "random.trust_cpu=off" - ;; Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP - ;; See the file COPYING for copying conditions. - - ;; Enables IOMMU to prevent DMA attacks. - "intel_iommu=on" - "amd_iommu=on" - - ;; Disable the busmaster bit on all PCI bridges during very - ;; early boot to avoid holes in IOMMU. - ;; - ;; https://mjg59.dreamwidth.org/54433.html - ;; https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94 - "efi=disable_early_pci_dma" - - ;; Enables strict enforcement of IOMMU TLB invalidation so devices will never be able to access stale data contents - ;; https://github.com/torvalds/linux/blob/master/drivers/iommu/Kconfig;;L97 - ;; Page 11 of https://lenovopress.lenovo.com/lp1467.pdf - "iommu.passthrough=0" - "iommu.strict=1" - ;; Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP - ;; See the file COPYING for copying conditions. - - ;;echo ";; kver: $kver" - - ;; Disables the merging of slabs of similar sizes. - ;; Sometimes a slab can be used in a vulnerable way which an attacker can exploit. - "slab_nomerge" - - ;; Enables sanity checks (F) and redzoning (Z). - ;; Disabled due to kernel deciding to implicitly disable kernel pointer hashing - ;; https://github.com/torvalds/linux/commit/792702911f581f7793962fbeb99d5c3a1b28f4c3 - ;;"slub_debug=FZ" - - ;; Zero memory at allocation and free time. - "init_on_alloc=1" - "init_on_free=1" - - ;; Machine check exception handler decides whether the system should panic or not based on the exception that happened. - ;; https://forums.whonix.org/t/kernel-hardening/7296/494 - ;;"mce=0" - - ;; Enables Kernel Page Table Isolation which mitigates Meltdown and improves KASLR. - "pti=on" - - ;; Vsyscalls are obsolete, are at fixed addresses and are a target for ROP. - "vsyscall=none" - - ;; Enables page allocator freelist randomization. - "page_alloc.shuffle=1" - - ;; Enables randomisation of the kernel stack offset on syscall entries (introduced in kernel 5.13). - ;; https://lkml.org/lkml/2019/3/18/246 - "randomize_kstack_offset=on" - - ;; Enables kernel lockdown. - ;; - ;; Disabled for now as it enforces module signature verification which breaks - ;; too many things. - ;; https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880 - ;; - ;; "lockdown=confidentiality" - ;;fi - - ;; Gather more entropy during boot. - ;; - ;; Requires linux-hardened kernel patch. - ;; https://github.com/anthraxx/linux-hardened - "extra_latent_entropy" - - ;; Restrict access to debugfs since it can contain a lot of sensitive information. - ;; https://lkml.org/lkml/2020/7/16/122 - ;; https://github.com/torvalds/linux/blob/fb1201aececc59990b75ef59fca93ae4aa1e1444/Documentation/admin-guide/kernel-parameters.txt;;L835-L848 - "debugfs=off" - - ;; Force the kernel to panic on "oopses" (which may be due to false positives) - ;; https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713 - ;; Implemented differently: - ;; /usr/libexec/security-misc/panic-on-oops - ;; /etc/X11/Xsession.d/50panic_on_oops - ;; /etc/sudoers.d/security-misc - ;;"oops=panic" - ;; Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP - ;; See the file COPYING for copying conditions. - - ;; Prevent kernel info leaks in console during boot. - ;; https://phabricator.whonix.org/T950 - - ;; LANG=C str_replace is provided by package helper-scripts. - - ;; The following command actually removed "quiet" from the kernel command line. - ;; If verbosity is desired, the user might want to keep this line. - ;; Remove "quiet" from "because "quiet" must be first. - - ;; If verbosity is desired, the user might want to out-comment the following line. - "quiet" - "loglevel=0" - - ;; NOTE: - ;; After editing this file, running: - ;; sudo update-grub - ;; is required. - ;; - ;; If higher verbosity is desired, the user might also want to delete file - ;; /etc/sysctl.d/30_silent-kernel-printk.conf - ;; (or out-comment its settings). - ;; - ;; Alternatively, the user could consider to install the debug-misc package, - ;; which will undo the settings found here. - )) - - - -;; Source > -;; Extracted with the following command: -;; cat etc/sysctl.d/* | sed -e 's/#\+/;;/g' -e 's/ = /=/g' -e 's/;;\(.*\..*\)=\(.*\)/;; ("\1" . "\2")/g' -e 's/\(.*\..*\)=\(.*\)/("\1" . "\2")/g' -e 's@/bin\|/usr/bin@/run/current-system/profile/bin@g' -(define %kicksecure-sysctl-rules - '(;; Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP - ;; See the file COPYING for copying conditions. - - ;; Disables coredumps. This setting may be overwritten by systemd so this may not be useful. - ;; security-misc also disables coredumps in other ways. - ("kernel.core_pattern" . "|/run/current-system/profile/bin/false") - - ;; Restricts the kernel log to root only. - ("kernel.dmesg_restrict" . "1") - - ;; Don't allow writes to files that we don't own - ;; in world writable sticky directories, unless - ;; they are owned by the owner of the directory. - ("fs.protected_fifos" . "2") - ("fs.protected_regular" . "2") - - ;; Only allow symlinks to be followed when outside of - ;; a world-writable sticky directory, or when the owner - ;; of the symlink and follower match, or when the directory - ;; owner matches the symlink's owner. - ;; - ;; Prevent hardlinks from being created by users that do not - ;; have read/write access to the source file. - ;; - ;; These prevent many TOCTOU races. - ("fs.protected_symlinks" . "1") - ("fs.protected_hardlinks" . "1") - - ;; Hardens the BPF JIT compiler and restricts it to root. - ("kernel.unprivileged_bpf_disabled" . "1") - ("net.core.bpf_jit_harden" . "2") - - ;; Quote https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html - ;; - ;; kexec_load_disabled: - ;; - ;; A toggle indicating if the kexec_load syscall has been disabled. This value defaults to 0 (false: kexec_load enabled), but can be set to 1 (true: kexec_load disabled). Once true, kexec can no longer be used, and the toggle cannot be set back to false. This allows a kexec image to be loaded before disabling the syscall, allowing a system to set up (and later use) an image without it being altered. Generally used together with the "modules_disabled" sysctl. - - ;; Disables kexec which can be used to replace the running kernel. - ("kernel.kexec_load_disabled" . "1") - - ;; Hides kernel addresses in various files in /proc. - ;; Kernel addresses can be very useful in certain exploits. - ;; - ;; https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak - ("kernel.kptr_restrict" . "2") - - ;; Improves ASLR effectiveness for mmap. - ("vm.mmap_rnd_bits" . "32") - ("vm.mmap_rnd_compat_bits" . "16") - - ;; Restricts the use of ptrace to root. This might break some programs running under WINE. - ;; A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. This can be done by running: - ;; - ;; sudo apt-get install libcap2-bin - ;; sudo setcap cap_sys_ptrace=eip /run/current-system/profile/bin/wineserver - ;; sudo setcap cap_sys_ptrace=eip /run/current-system/profile/bin/wine-preloader - ("kernel.yama.ptrace_scope" . "2") - - ;; Prevent setuid processes from creating coredumps. - ("fs.suid_dumpable" . "0") - - ;; Randomize the addresses for mmap base, heap, stack, and VDSO pages - ("kernel.randomize_va_space" . "2") - - ;; meta start - ;; project Kicksecure - ;; category networking and security - ;; description - ;; TCP/IP stack hardening - - ;; Protects against time-wait assassination. - ;; It drops RST packets for sockets in the time-wait state. - ("net.ipv4.tcp_rfc1337" . "1") - - ;; Disables ICMP redirect acceptance. - ("net.ipv4.conf.all.accept_redirects" . "0") - ("net.ipv4.conf.default.accept_redirects" . "0") - ("net.ipv4.conf.all.secure_redirects" . "0") - ("net.ipv4.conf.default.secure_redirects" . "0") - ("net.ipv6.conf.all.accept_redirects" . "0") - ("net.ipv6.conf.default.accept_redirects" . "0") - - ;; Disables ICMP redirect sending. - ("net.ipv4.conf.all.send_redirects" . "0") - ("net.ipv4.conf.default.send_redirects" . "0") - - ;; Ignores ICMP requests. - ("net.ipv4.icmp_echo_ignore_all" . "1") - ("net.ipv6.icmp.echo_ignore_all" . "1") - - ;; Ignores bogus ICMP error responses - ("net.ipv4.icmp_ignore_bogus_error_responses" . "1") - - ;; Enables TCP syncookies. - ("net.ipv4.tcp_syncookies" . "1") - - ;; Disable source routing. - ("net.ipv4.conf.all.accept_source_route" . "0") - ("net.ipv4.conf.default.accept_source_route" . "0") - ("net.ipv6.conf.all.accept_source_route" . "0") - ("net.ipv6.conf.default.accept_source_route" . "0") - - ;; Enable reverse path filtering to prevent IP spoofing and - ;; mitigate vulnerabilities such as CVE-2019-14899. - ;; https://forums.whonix.org/t/enable-reverse-path-filtering/8594 - ("net.ipv4.conf.default.rp_filter" . "1") - ("net.ipv4.conf.all.rp_filter" . "1") - - ;; meta end - - - ;; Disables SACK as it is commonly exploited and likely not needed. - ;; https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109 - ;; ("net.ipv4.tcp_sack" . "0") - ;; ("net.ipv4.tcp_dsack" . "0") - ;; ("net.ipv4.tcp_fack" . "0") - - - ;; meta start - ;; project Kicksecure - ;; category networking and security - ;; description - ;; disable IPv4 TCP Timestamps - - ("net.ipv4.tcp_timestamps" . "0") - - ;; meta end - - - ;; Only allow the SysRq key to be used for shutdowns and the - ;; Secure Attention Key (SAK). - ;; - ;; https://forums.whonix.org/t/sysrq-magic-sysrq-key/8079/ - ("kernel.sysrq" . "132") - - ;; Restrict loading TTY line disciplines to CAP_SYS_MODULE to prevent - ;; unprivileged attackers from loading vulnerable line disciplines - ;; with the TIOCSETD ioctl which has been used in exploits before - ;; such as https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html - ;; - ;; https://lkml.org/lkml/2019/4/15/890 - ("dev.tty.ldisc_autoload" . "0") - - ;; Restrict the userfaultfd() syscall to root as it can make heap sprays - ;; easier. - ;; - ;; https://duasynt.com/blog/linux-kernel-heap-spray - ("vm.unprivileged_userfaultfd" . "0") - - ;; Let the kernel only swap if it is absolutely necessary. - ;; Better not be set to zero: - ;; - https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Performance_Tuning_Guide/s-memory-tunables.html - ;; - https://en.wikipedia.org/wiki/Swappiness - ("vm.swappiness" . "1") - - ;; Disallow kernel profiling by users without CAP_SYS_ADMIN - ;; https://www.kernel.org/doc/Documentation/sysctl/kernel.txt - ("kernel.perf_event_paranoid" . "3") - - ;; Do not accept router advertisments - ("net.ipv6.conf.all.accept_ra" . "0") - ("net.ipv6.conf.default.accept_ra" . "0") - ;; Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP - ;; See the file COPYING for copying conditions. - - ;; Prevent kernel info leaks in console during boot. - ;; https://phabricator.whonix.org/T950 - ("kernel.printk" . "3 3 3 3") - - ;; NOTE: - ;; For higher verbosity, the user might also want to delete file - ;; /etc/default/grub.d/41_quiet.cfg - ;; (or out-comment its settings). - ;; - ;; Alternatively, the user could consider to install the debug-misc package, - ;; which will undo the settings found here. - ))