security-misc

security-misc copied to clipboard

Consider enabling `panic_on_oom`

13

Context: https://forums.whonix.org/t/screen-locker-in-security-can-we-disable-these-at-least-4-backdoors/8128/14 > As covered in [XScreenSaver Manual](https://www.jwz.org/xscreensaver/man1.html#15), the OOM killer may take out a process like the screen locker even though Magic SysRq is disabled; all that has to...

ArrayBolt3

This pull request re-enables the logging of martian packets Currently a draft PR as per https://github.com/Kicksecure/security-misc/issues/214#issuecomment-3509646182. ## Changes Re-sets `sysctl net.ipv4.conf.*.log_martians=1` setting. ## Mandatory Checklist - [x] Legal agreements accepted....

raja-grewal

Enhance Yama protections with `proc_mem.force_override=ptrace`

2

### `proc_mem.force_override=ptrace` This essentially prevents a process from directly modifying its own memory mappings unless it is privileged. > https://github.com/a13xp0p0v/kernel-hardening-checker/pull/201 > > https://lwn.net/Articles/983169/ > > While kernel.yama.ptrace_scope effectively protects other...

ghost

enable Kernel Lockdown Mode / `lockdown=confidentiality` / `echo confidentiality > /sys/kernel/security/lockdown`

1

Reason why the kernel parameter `lockdown=confidentiality` got disabled in the past: @adrelanos > Have to disable kernel lockdown. Unfortunately. Because that enforces kernel module signature verification. Which we don’t have...

adrelanos

Use `slub_debug=FZ`?

16

https://tails.net/contribute/design/kernel_hardening/ https://gitlab.tails.boum.org/tails/tails/-/issues/19613 https://kspp.github.io/Recommended_Settings slub_debug is not apparently used in Kicksecure (and friends Whonix and QubesOS). Tails and KSPP, however, do recommend using `slub_debug=FZ`, still used in Tails to this day....

cynicsketch