seasharp
/
Rosenthal
mirror of https://codeberg.org/hako/Rosenthal.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

utils: Remove counter-stop.scm.

Browse Source 
* rosenthal/utils/counter-stop.scm: Delete file.
* rosenthal/utils/kicksecure.scm: Delete file.
remotes/origin/trunk
Hilton Chain 2 years ago
parent 35a4bc0849
commit 43e374a2dd
No known key found for this signature in database
GPG Key ID: ACC66D09CA528292
2 changed files with 0 additions and 614 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 200
      rosenthal/utils/counter-stop.scm
  2. 414
      rosenthal/utils/kicksecure.scm

200
rosenthal/utils/counter-stop.scm
Unescape View File

@ -1,200 +0,0 @@
;; SPDX-FileCopyrightText: 2022 Hilton Chain <hako@ultrarare.space>
;;
;; SPDX-License-Identifier: GPL-3.0-or-later
(define-module (rosenthal utils counter-stop)
#:use-module (srfi srfi-1)
#:use-module (guix channels)
#:use-module (guix gexp)
#:use-module (guix packages)
#:use-module (gnu packages)
#:use-module (gnu packages admin)
#:use-module (gnu packages bash)
#:use-module (gnu packages certs)
#:use-module (gnu packages compression)
#:use-module (gnu packages curl)
#:use-module (gnu packages less)
#:use-module (gnu packages linux)
#:use-module (gnu packages nano)
#:use-module (gnu packages nvi)
#:use-module (gnu packages ssh)
#:use-module (gnu packages texinfo)
#:use-module (gnu packages text-editors)
#:use-module (gnu services)
#:use-module (gnu services base)
#:use-module (gnu services networking)
#:use-module (gnu services ssh)
#:use-module (gnu services sysctl)
#:use-module (gnu system)
#:use-module (gnu system accounts)
#:use-module (gnu system file-systems)
#:use-module (gnu system keyboard)
#:use-module (gnu system shadow)
#:use-module (rosenthal utils kicksecure)
#:export (%channel-guix
%channel-nonguix
%channel-rosenthal
%guix-authorized-key-dorphine
%guix-authorized-key-nonguix
normalize-package
%xdg-base-directory-environment-variables
%rosenthal-default-channels
%rosenthal-default-kernel-arguments
%rosenthal-default-keyboard-layout
%rosenthal-base-initrd-modules
%rosenthal-base-file-systems
%rosenthal-base-packages
%rosenthal-base-services))
;; Common procedures and variables shared across my home environment and
;; operating system definitions.
;; Channels
(define %channel-guix
(first %default-channels))
(define %channel-nonguix
(channel
(name 'nonguix)
(url "https://gitlab.com/nonguix/nonguix")
(introduction
(make-channel-introduction
"897c1a470da759236cc11798f4e0a5f7d4d59fbc"
(openpgp-fingerprint
"2A39 3FFF 68F4 EF7A 3D29 12AF 6F51 20A0 22FB B2D5")))))
(define %channel-rosenthal
(channel
(name 'rosenthal)
(url "https://github.com/rakino/rosenthal")
(branch "trunk")
(introduction
(make-channel-introduction
"7677db76330121a901604dfbad19077893865f35"
(openpgp-fingerprint
"13E7 6CD6 E649 C28C 3385 4DF5 5E5A A665 6149 17F7")))))
(define %rosenthal-default-channels
(list %channel-guix
%channel-nonguix
%channel-rosenthal))
;; Keys
;; local
(define %guix-authorized-key-dorphine
(plain-file "dorphine.pub" "
(public-key
(ecc
(curve Ed25519)
(q #BBE816F9D051E8B715F17DA26B674462DF1967AC77A4130CA3306878314B84AC#)))"))
;; https://substitutes.nonguix.org/signing-key.pub
(define %guix-authorized-key-nonguix
(plain-file "nonguix.pub" "
(public-key
(ecc
(curve Ed25519)
(q #C1FD53E5D4CE971933EC50C9F307AE2171A2D3B52C804642A7A35F84F3A4EA98#)))"))
;; Procedures
(define (normalize-package pkg)
(if (package? pkg)
`(,pkg "out")
pkg))
;; Variables
;; Source: <https://wiki.archlinux.org/title/XDG_Base_Directory>
(define %xdg-base-directory-environment-variables
'(;; XDG Cache Home
("LESSHISTFILE" . "$XDG_CACHE_HOME/.lesshst")
;; XDG Config Home
("AWS_CONFIG_FILE" . "$XDG_CONFIG_HOME/aws/config")
("AWS_SHARED_CREDENTIALS_FILE" . "$XDG_CONFIG_HOME/aws/credentials")
("INPUTRC" . "$XDG_CONFIG_HOME/readline/inputrc")
("MBSYNCRC" . "$XDG_CONFIG_HOME/isync/mbsyncrc")
("NPM_CONFIG_USERCONFIG" . "$XDG_CONFIG_HOME/npm/npmrc")
("WAKATIME_HOME" . "$XDG_CONFIG_HOME/wakatime")
("WGETRC" . "$XDG_CONFIG_HOME/wgetrc")
;; XDG Data Home
("CARGO_HOME" . "$XDG_DATA_HOME/cargo")
("GDBHISTFILE" . "$XDG_DATA_HOME/gdb/history")
("GNUPGHOME" . "$XDG_DATA_HOME/gnupg")
("GOPATH" . "$XDG_DATA_HOME/go")
("PASSWORD_STORE_DIR" . "$XDG_DATA_HOME/pass")))
(define %rosenthal-default-kernel-arguments
`(,@(delete "nosmt=force"
%kicksecure-kernel-arguments)
"net.ifnames=0"))
(define %rosenthal-default-keyboard-layout
(keyboard-layout "us" "dvorak"
#:options '("ctrl:nocaps")))
(define %rosenthal-base-initrd-modules
'("btrfs" "xxhash_generic"))
(define %rosenthal-base-file-systems
(cons* (file-system
(device "none")
(mount-point "/tmp")
(type "tmpfs")
(check? #f))
(file-system
(device "none")
(mount-point "/run")
(type "tmpfs")
(needed-for-boot? #t)
(check? #f))
(file-system
(device "none")
(mount-point "/var/run")
(type "tmpfs")
(needed-for-boot? #t)
(check? #f))
(delete %debug-file-system
%base-file-systems)))
(define %rosenthal-base-packages
(let ((to-add (list nss-certs))
(to-remove (list bash-completion
info-reader
mg
nano
nvi
inetutils
isc-dhcp
iw
wireless-tools)))
(append to-add (lset-difference eqv? %base-packages to-remove))))
(define %rosenthal-base-services
(cons* (modify-services %base-services
(sysctl-service-type
config => (sysctl-configuration
(inherit config)
(settings `(,@%kicksecure-sysctl-rules
("net.core.rmem_max" . "2500000")
("net.ipv4.tcp_sack" . "0")
("net.ipv4.tcp_dsack" . "0")
("net.ipv4.tcp_fack" . "0")
("vm.page-cluster" . "0")
("vm.swappiness" . "90")))))
(guix-service-type
config => (guix-configuration
(inherit config)
(substitute-urls
(append %default-substitute-urls
'("https://substitutes.nonguix.org")))
(authorized-keys
(cons* %guix-authorized-key-nonguix
%default-authorized-guix-keys)))))))

414
rosenthal/utils/kicksecure.scm
Unescape View File

@ -1,414 +0,0 @@
;; Contents extracted from Kicksecure's resources.
(define-module (rosenthal utils kicksecure)
#:export (%kicksecure-kernel-arguments
%kicksecure-sysctl-rules))
;; Source: <https://github.com/Kicksecure/security-misc>
;; Extracted with the following command:
;; cat etc/default/grub.d/* | sed -e 's/#\+/;;/g' -e 's/GRUB.*DEFAULT /\"/g' -e 's/GRUB.*LINUX /\"/g' -e '/GRUB/d' -e 's/\(\".*[a-z0-9]\)\ \([a-z].*\"\)/\1\"\n\"\2/g' -e '/dpkg/d'
(define %kicksecure-kernel-arguments
'(;; Copyright (C) 2022 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
;; See the file COPYING for copying conditions.
;; Wiping RAM at shutdown to defeat cold boot attacks.
;;
;; RAM wipe is enabled by default on host operating systems, real hardware.
;; RAM wipe is disabled by in virtual machines (VMs).
;;
;; Most users should not make any modifications to this config file because
;; there is no need for that.
;;
;; User documentation:
;; https://www.kicksecure.com/wiki/Cold_Boot_Attack_Defense
;;
;; Design documentation:
;; https://www.kicksecure.com/wiki/Dev/RAM_Wipe
;; RAM wipe is omitted in virtual machines (VMs) by default because it is
;; unclear if that could actually lead to the host operating system using
;; swap. Through use of kernel parameter wiperam=force it is possible to
;; force RAM wipe inside VMs which is useful for testing, development purposes.
;; There is no additional security benefit by the wiperam=force setting
;; for host operating systems.
;;"wiperam=force"
;; Kernel parameter wiperam=skip is provided to support disabling RAM wipe
;; at shutdown, which might be useful to speed up shutdown or in case should
;; there ever be issues.
;;"wiperam=skip"
;; Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
;; See the file COPYING for copying conditions.
;; Enables all known mitigations for CPU vulnerabilities.
;;
;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/index.html
;; https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647
;; Enable mitigations for Spectre variant 2 (indirect branch speculation).
;;
;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html
"spectre_v2=on"
;; Disable Speculative Store Bypass.
"spec_store_bypass_disable=on"
;; Enable mitigations for the L1TF vulnerability through disabling SMT
;; and L1D flush runtime control.
;;
;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html
"l1tf=full,force"
;; Enable mitigations for the MDS vulnerability through clearing buffer cache
;; and disabling SMT.
;;
;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
"mds=full,nosmt"
;; Patches the TAA vulnerability by disabling TSX and enables mitigations using
;; TSX Async Abort along with disabling SMT.
;;
;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html
"tsx=off"
"tsx_async_abort=full,nosmt"
;; Mark all huge pages in the EPT as non-executable to mitigate iTLB multihit.
;;
;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html
"kvm.nx_huge_pages=force"
;; Enables mitigations for SRBDS to prevent MDS attacks on RDRAND and RDSEED instructions.
;; Only mitigated through microcode updates from Intel.
;;
;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/special-register-buffer-data-sampling.html
;; https://access.redhat.com/solutions/5142691
;; Force disable SMT as it has caused numerous CPU vulnerabilities.
;; The only full mitigation of cross-HT attacks is to disable SMT.
;;
;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html
;; https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17
"nosmt=force"
;; Enables the prctl interface to prevent leaks from L1D on context switches.
;;
;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1d_flush.html
"l1d_flush=on"
;; Mitigates numerous MMIO Stale Data vulnerabilities and disables SMT.
;;
;; https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html
"mmio_stale_data=full,nosmt"
;; Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
;; See the file COPYING for copying conditions.
;; Distrusts the bootloader for initial entropy at boot.
;;
;; https://lkml.org/lkml/2022/6/5/271
"random.trust_bootloader=off"
;; Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
;; See the file COPYING for copying conditions.
;; Distrusts the CPU for initial entropy at boot as it is not possible to
;; audit, may contain weaknesses or a backdoor.
;;
;; https://en.wikipedia.org/wiki/RDRAND;;Reception
;; https://twitter.com/pid_eins/status/1149649806056280069
;; https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html
;; https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566
;; https://lkml.org/lkml/2022/6/5/271
"random.trust_cpu=off"
;; Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
;; See the file COPYING for copying conditions.
;; Enables IOMMU to prevent DMA attacks.
"intel_iommu=on"
"amd_iommu=on"
;; Disable the busmaster bit on all PCI bridges during very
;; early boot to avoid holes in IOMMU.
;;
;; https://mjg59.dreamwidth.org/54433.html
;; https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94
"efi=disable_early_pci_dma"
;; Enables strict enforcement of IOMMU TLB invalidation so devices will never be able to access stale data contents
;; https://github.com/torvalds/linux/blob/master/drivers/iommu/Kconfig;;L97
;; Page 11 of https://lenovopress.lenovo.com/lp1467.pdf
"iommu.passthrough=0"
"iommu.strict=1"
;; Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
;; See the file COPYING for copying conditions.
;;echo ";; kver: $kver"
;; Disables the merging of slabs of similar sizes.
;; Sometimes a slab can be used in a vulnerable way which an attacker can exploit.
"slab_nomerge"
;; Enables sanity checks (F) and redzoning (Z).
;; Disabled due to kernel deciding to implicitly disable kernel pointer hashing
;; https://github.com/torvalds/linux/commit/792702911f581f7793962fbeb99d5c3a1b28f4c3
;;"slub_debug=FZ"
;; Zero memory at allocation and free time.
"init_on_alloc=1"
"init_on_free=1"
;; Machine check exception handler decides whether the system should panic or not based on the exception that happened.
;; https://forums.whonix.org/t/kernel-hardening/7296/494
;;"mce=0"
;; Enables Kernel Page Table Isolation which mitigates Meltdown and improves KASLR.
"pti=on"
;; Vsyscalls are obsolete, are at fixed addresses and are a target for ROP.
"vsyscall=none"
;; Enables page allocator freelist randomization.
"page_alloc.shuffle=1"
;; Enables randomisation of the kernel stack offset on syscall entries (introduced in kernel 5.13).
;; https://lkml.org/lkml/2019/3/18/246
"randomize_kstack_offset=on"
;; Enables kernel lockdown.
;;
;; Disabled for now as it enforces module signature verification which breaks
;; too many things.
;; https://forums.whonix.org/t/enforce-kernel-module-software-signature-verification-module-signing-disallow-kernel-module-loading-by-default/7880
;;
;; "lockdown=confidentiality"
;;fi
;; Gather more entropy during boot.
;;
;; Requires linux-hardened kernel patch.
;; https://github.com/anthraxx/linux-hardened
"extra_latent_entropy"
;; Restrict access to debugfs since it can contain a lot of sensitive information.
;; https://lkml.org/lkml/2020/7/16/122
;; https://github.com/torvalds/linux/blob/fb1201aececc59990b75ef59fca93ae4aa1e1444/Documentation/admin-guide/kernel-parameters.txt;;L835-L848
"debugfs=off"
;; Force the kernel to panic on "oopses" (which may be due to false positives)
;; https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713
;; Implemented differently:
;; /usr/libexec/security-misc/panic-on-oops
;; /etc/X11/Xsession.d/50panic_on_oops
;; /etc/sudoers.d/security-misc
;;"oops=panic"
;; Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
;; See the file COPYING for copying conditions.
;; Prevent kernel info leaks in console during boot.
;; https://phabricator.whonix.org/T950
;; LANG=C str_replace is provided by package helper-scripts.
;; The following command actually removed "quiet" from the kernel command line.
;; If verbosity is desired, the user might want to keep this line.
;; Remove "quiet" from "because "quiet" must be first.
;; If verbosity is desired, the user might want to out-comment the following line.
"quiet"
"loglevel=0"
;; NOTE:
;; After editing this file, running:
;; sudo update-grub
;; is required.
;;
;; If higher verbosity is desired, the user might also want to delete file
;; /etc/sysctl.d/30_silent-kernel-printk.conf
;; (or out-comment its settings).
;;
;; Alternatively, the user could consider to install the debug-misc package,
;; which will undo the settings found here.
))
;; Source <https://github.com/Kicksecure/security-misc>>
;; Extracted with the following command:
;; cat etc/sysctl.d/* | sed -e 's/#\+/;;/g' -e 's/ = /=/g' -e 's/;;\(.*\..*\)=\(.*\)/;; ("\1" . "\2")/g' -e 's/\(.*\..*\)=\(.*\)/("\1" . "\2")/g' -e 's@/bin\|/usr/bin@/run/current-system/profile/bin@g'
(define %kicksecure-sysctl-rules
'(;; Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
;; See the file COPYING for copying conditions.
;; Disables coredumps. This setting may be overwritten by systemd so this may not be useful.
;; security-misc also disables coredumps in other ways.
("kernel.core_pattern" . "|/run/current-system/profile/bin/false")
;; Restricts the kernel log to root only.
("kernel.dmesg_restrict" . "1")
;; Don't allow writes to files that we don't own
;; in world writable sticky directories, unless
;; they are owned by the owner of the directory.
("fs.protected_fifos" . "2")
("fs.protected_regular" . "2")
;; Only allow symlinks to be followed when outside of
;; a world-writable sticky directory, or when the owner
;; of the symlink and follower match, or when the directory
;; owner matches the symlink's owner.
;;
;; Prevent hardlinks from being created by users that do not
;; have read/write access to the source file.
;;
;; These prevent many TOCTOU races.
("fs.protected_symlinks" . "1")
("fs.protected_hardlinks" . "1")
;; Hardens the BPF JIT compiler and restricts it to root.
("kernel.unprivileged_bpf_disabled" . "1")
("net.core.bpf_jit_harden" . "2")
;; Quote https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html
;;
;; kexec_load_disabled:
;;
;; A toggle indicating if the kexec_load syscall has been disabled. This value defaults to 0 (false: kexec_load enabled), but can be set to 1 (true: kexec_load disabled). Once true, kexec can no longer be used, and the toggle cannot be set back to false. This allows a kexec image to be loaded before disabling the syscall, allowing a system to set up (and later use) an image without it being altered. Generally used together with the "modules_disabled" sysctl.
;; Disables kexec which can be used to replace the running kernel.
("kernel.kexec_load_disabled" . "1")
;; Hides kernel addresses in various files in /proc.
;; Kernel addresses can be very useful in certain exploits.
;;
;; https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
("kernel.kptr_restrict" . "2")
;; Improves ASLR effectiveness for mmap.
("vm.mmap_rnd_bits" . "32")
("vm.mmap_rnd_compat_bits" . "16")
;; Restricts the use of ptrace to root. This might break some programs running under WINE.
;; A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. This can be done by running:
;;
;; sudo apt-get install libcap2-bin
;; sudo setcap cap_sys_ptrace=eip /run/current-system/profile/bin/wineserver
;; sudo setcap cap_sys_ptrace=eip /run/current-system/profile/bin/wine-preloader
("kernel.yama.ptrace_scope" . "2")
;; Prevent setuid processes from creating coredumps.
("fs.suid_dumpable" . "0")
;; Randomize the addresses for mmap base, heap, stack, and VDSO pages
("kernel.randomize_va_space" . "2")
;; meta start
;; project Kicksecure
;; category networking and security
;; description
;; TCP/IP stack hardening
;; Protects against time-wait assassination.
;; It drops RST packets for sockets in the time-wait state.
("net.ipv4.tcp_rfc1337" . "1")
;; Disables ICMP redirect acceptance.
("net.ipv4.conf.all.accept_redirects" . "0")
("net.ipv4.conf.default.accept_redirects" . "0")
("net.ipv4.conf.all.secure_redirects" . "0")
("net.ipv4.conf.default.secure_redirects" . "0")
("net.ipv6.conf.all.accept_redirects" . "0")
("net.ipv6.conf.default.accept_redirects" . "0")
;; Disables ICMP redirect sending.
("net.ipv4.conf.all.send_redirects" . "0")
("net.ipv4.conf.default.send_redirects" . "0")
;; Ignores ICMP requests.
("net.ipv4.icmp_echo_ignore_all" . "1")
("net.ipv6.icmp.echo_ignore_all" . "1")
;; Ignores bogus ICMP error responses
("net.ipv4.icmp_ignore_bogus_error_responses" . "1")
;; Enables TCP syncookies.
("net.ipv4.tcp_syncookies" . "1")
;; Disable source routing.
("net.ipv4.conf.all.accept_source_route" . "0")
("net.ipv4.conf.default.accept_source_route" . "0")
("net.ipv6.conf.all.accept_source_route" . "0")
("net.ipv6.conf.default.accept_source_route" . "0")
;; Enable reverse path filtering to prevent IP spoofing and
;; mitigate vulnerabilities such as CVE-2019-14899.
;; https://forums.whonix.org/t/enable-reverse-path-filtering/8594
("net.ipv4.conf.default.rp_filter" . "1")
("net.ipv4.conf.all.rp_filter" . "1")
;; meta end
;; Disables SACK as it is commonly exploited and likely not needed.
;; https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109
;; ("net.ipv4.tcp_sack" . "0")
;; ("net.ipv4.tcp_dsack" . "0")
;; ("net.ipv4.tcp_fack" . "0")
;; meta start
;; project Kicksecure
;; category networking and security
;; description
;; disable IPv4 TCP Timestamps
("net.ipv4.tcp_timestamps" . "0")
;; meta end
;; Only allow the SysRq key to be used for shutdowns and the
;; Secure Attention Key (SAK).
;;
;; https://forums.whonix.org/t/sysrq-magic-sysrq-key/8079/
("kernel.sysrq" . "132")
;; Restrict loading TTY line disciplines to CAP_SYS_MODULE to prevent
;; unprivileged attackers from loading vulnerable line disciplines
;; with the TIOCSETD ioctl which has been used in exploits before
;; such as https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html
;;
;; https://lkml.org/lkml/2019/4/15/890
("dev.tty.ldisc_autoload" . "0")
;; Restrict the userfaultfd() syscall to root as it can make heap sprays
;; easier.
;;
;; https://duasynt.com/blog/linux-kernel-heap-spray
("vm.unprivileged_userfaultfd" . "0")
;; Let the kernel only swap if it is absolutely necessary.
;; Better not be set to zero:
;; - https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Performance_Tuning_Guide/s-memory-tunables.html
;; - https://en.wikipedia.org/wiki/Swappiness
("vm.swappiness" . "1")
;; Disallow kernel profiling by users without CAP_SYS_ADMIN
;; https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
("kernel.perf_event_paranoid" . "3")
;; Do not accept router advertisments
("net.ipv6.conf.all.accept_ra" . "0")
("net.ipv6.conf.default.accept_ra" . "0")
;; Copyright (C) 2019 - 2022 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
;; See the file COPYING for copying conditions.
;; Prevent kernel info leaks in console during boot.
;; https://phabricator.whonix.org/T950
("kernel.printk" . "3 3 3 3")
;; NOTE:
;; For higher verbosity, the user might also want to delete file
;; /etc/default/grub.d/41_quiet.cfg
;; (or out-comment its settings).
;;
;; Alternatively, the user could consider to install the debug-misc package,
;; which will undo the settings found here.
))
Write Preview
Loading…
Cancel
Save