security-misc: Enhance Miscellaneous Security Settings

From Kicksecure
Revision as of 05:27, 27 January 2022 by Nurmagoz (talk | contribs)
Jump to navigation Jump to search

Stable Features

Described herearchive.org iconarchive.today icon.

Testing Features

Reduce Kernel Information Leaks

  • Security Impact: There are many of hardware, kernel, debug information, etc. in /sys, which is especially problematic and has been the cause of many infoleaks such as kernel pointer leaks.
  • Privacy/Anonymity Impact: Details about your hardware can be used for identification.
  • Threat: This information is per Debian (and probably most popular Linux distributions) available to attackers with local code execution privileges which includes,
    • malicious applications collecting such information and submitting it to data collectors,
    • as well as both, compromised non-privileged users and the privileged root user.
  • Non-Threat: This information does not randomly leak to third parties on clean (non-compromised) machines through use of legitimate applications such as the APT package manager.
  • Goal: This information should by default be unavailable to non-privileged users and untrusted root.
  • Solution: Therefore security-misc includes the hide-hardware-info.service systemd unit.
    • Restricts access to /sys, /proc/cpuinfo, /proc/bus, and /proc/scsi to the root user only.
    • This also hides most hardware identifiers.
  • Status: This setting is disabled by default because it might break many applications. Testers-only! Call for testers and forum discussion: Restrict Hardware Information to Root - Testers Wanted!archive.org iconarchive.today icon
  • Enable: It can optionally be enabled by running the following command.
    • Click = Copy Copied to clipboard! sudo systemctl enable hide-hardware-info.service
    • Reboot required.
    • A whitelist that allows specific applications to access /sys and /proc/cpuinfo is enabled by default to maintain basic functionality. [1] For example, this allows the launching of applications like XFCE.
  • Limitations of Solution:
    • Attackers which gained root compromise and/or malicious/compromised whitelisted applications have access to this information.
    • Cannot hide CPUIDarchive.org iconarchive.today icon. [2]
  • Possible Future Enhancements: untrusted root

Whitelisting Applications

To whitelist applications, they must be run under the sysfs group (if allowing access to /sys) and/or the cpuinfo group (if allowing access to /proc/cpuinfo).

Remember that any whitelisted applications add to the attack surface. An attacker can attempt to exploit a vulnerability in the whitelisted application(s) to gain access to hardware information.

addgroup method

For example, to add user user to group cpuinfo, run the following command. (Note, this is weakening protections.)

Click = Copy Copied to clipboard! sudo addgroup user cpuinfo

For example, to add user user to group sysfs, run the following command. (Note, this is weakening protections.)

Click = Copy Copied to clipboard! sudo addgroup user sysfs

Re-login required after changing groups. Easiest: reboot. [3] [4]

For example, after reboot it would be possible to run the cpu-info utility (from Debian package cpuinfo).

Click = Copy Copied to clipboard! cpu-info

systemd

For example, to run a systemd service as the sysfs group, create a drop-in directory and add the following.

Click = Copy Copied to clipboard! [Service] SupplementaryGroups=sysfs

setgid method

To run a specific binary as the sysfs group, the binary must be owned by the sysfs group and be made setgid. To achieve this, change the ownership of the binary by running the following.

Click = Copy Copied to clipboard! sudo chgrp sysfs /path/to/binary

Then make the binary setgid.

Click = Copy Copied to clipboard! sudo chmod g+s /path/to/binary

The binary will now run with the permissions of the sysfs group and have access to /sys.

All of these steps can also be applied to the cpuinfo group.

Disable the Whitelist

In order to reduce the attack surface as much as possible, optionally the whitelist can be disabled entirely.

warning Warning:

Note that this setting will break many applications; for example, the desktop environment will not even start. Do not perform this action unless you understand the implications and can reverse the change.

1. Open file /etc/hide-hardware-info.d/50_user.conf in an editor with root rights.

Kicksecure

See Open File with Root RightsOnion network Logo for detailed instructions on why to use sudoedit for better security and how to use it.

Note: Mousepad (or the chosen text editor) must be closed before running the sudoedit command.

Click = Copy Copied to clipboard! sudoedit /etc/hide-hardware-info.d/50_user.conf

Kicksecure for Qubes

NOTES:

Click = Copy Copied to clipboard! sudoedit /etc/hide-hardware-info.d/50_user.conf

  • After applying this change, shutdown the Template.
  • All App Qubes based on the Template need to be restarted if they were already running.
  • This is a general procedure required for Qubes and unspecific to Kicksecure for Qubes.

Others and Alternatives

  • This is just an example. Other tools could achieve the same goal.
  • If this example does not work for you or if you are not using Kicksecure, please refer to this link.

Click = Copy Copied to clipboard! sudoedit /etc/hide-hardware-info.d/50_user.conf

2. Add.

Click = Copy Copied to clipboard! sysfs_whitelist=0 cpuinfo_whitelist=0

3. Save.

4. Done.

SUID Disabler and Permission Hardener

See SUID Disabler and Permission Hardener.

hidepid

TODO: document

sudo systemctl enable proc-hidepid.service

Experimental Features

Unreleased. (Developers only.) Will flow into other repositories as per usual.

Remount Secure

Feature not ready!

Click = Copy Copied to clipboard! sudo touch /etc/noexec

Installation of security-misc

Whonix / Kicksecure default admin password is: changeme This chapter is only required for users which aren't users of Kicksecure or Kicksecure. That is because security-misc is installed by default in Kicksecure and Kicksecure.

Prerequisites:

Template:Kicksecure Prerequisites

1. Download the Signing Key.

Click = Copy Copied to clipboard! wget https://www.kicksecure.com/keys/derivative.asc

2. Optional: Check the Signing Key for better security.

3. Add Kicksecure signing key.

Click = Copy Copied to clipboard! sudo cp derivative.asc /usr/share/keyrings/derivative.asc

4. Kicksecure APT repository choices.

Optional: See Kicksecure Packages for Debian Hosts and Kicksecure Host Enhancements instead of the next step for more secure and complex options.

5. Add Kicksecure APT repository.

Click = Copy Copied to clipboard! echo "deb [signed-by=/usr/share/keyrings/derivative.asc] https://deb.kicksecure.com trixie main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list

Install security-misc.

Install package(s) security-misc following these instructions

1 Platform specific notice.

2 Update the package lists and upgrade the systemOnion network Logo.

Click = Copy Copied to clipboard! sudo apt update && sudo apt full-upgrade

3 Install the security-misc package(s).

Using apt command line --no-install-recommends optionOnion network Logo is in most cases optional.

Click = Copy Copied to clipboard! sudo apt install --no-install-recommends security-misc

4 Platform specific notice.

  • Kicksecure: No special notice.
  • Kicksecure-Qubes: Shut down Template and restart App Qubes based on it as per Qubes Template ModificationOnion network Logo.

5 Done.

The procedure of installing package(s) security-misc is complete.

selinux

Info COMMUNITY SUPPORT ONLY : THIS WHOLE WIKI PAGE is only supported by the community. Kicksecure developers are very unlikely to provide free support for this content. See Community Support for further information, including implications and possible alternatives.

References

  1. https://gitlab.com/whonix/security-misc/-/blob/master/lib/systemd/system/user@.service.d/sysfs.confarchive.org iconarchive.today icon
  3. No reboot required: Use the execute command as different group ID command line utility sg to execute the cpu-info (from Debian package cpuinfo) application under group cpuinfo. Click = Copy Copied to clipboard! sg cpuinfo cpu-info
  4. Also no reboot required: Click = Copy Copied to clipboard! sudo -u user bash Click = Copy Copied to clipboard! cpu-info Or. Click = Copy Copied to clipboard! sudo -u user cpu-info
Notification image
Your support makes
all the difference!

We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!

Retrieved from "https://www.kicksecure.com/w/index.php?title=Security-misc&oldid=54266"