security-misc: Enhance Miscellaneous Security Settings
Donate
Documentation for package security-misc.
Stable Features[edit]
system map[edit]
TODO: document
- https://forums.whonix.org/t/kernel-hardening/7296/84
- https://forums.whonix.org/t/remove-system-map-cannot-work-lib-modules-is-mounted-read-only/13324
Optional Features[edit]
1. Open security-misc readme.
2. Optional: Read all.
3. Use the browser internal search for Optional - and read.
4. Learn about optional sysctl features.
Note: Look at the file but do not make any changes. This is because changes in any files in /usr folder are overwritten the next time the package which owns that file is updated.
Open file /usr/lib/sysctl.d/990-security-misc.conf in a text editor of your choice as a regular, non-root user.
If you are using a graphical environment, run. mousepad /usr/lib/sysctl.d/990-security-misc.conf
If you are using a terminal, run. nano /usr/lib/sysctl.d/990-security-misc.conf
5. Create a new sysctl configuration file.
Note: This is because this file in /etc folder will remain unmodified by the package manager APT.
Open file /etc/sysctl.d/50_user.conf in an editor with root rights.
Kicksecure
See
Open File with Root Rights
for detailed instructions on why to use sudoedit for better security and how to use it.
sudoedit /etc/sysctl.d/50_user.conf
Kicksecure for Qubes
NOTES:
- When using Kicksecure-Qubes, this needs to be done inside the Template.
sudoedit /etc/sysctl.d/50_user.conf
- After applying this change, shutdown the Template.
- All App Qubes based on the Template need to be restarted if they were already running.
- This is a general procedure required for Qubes and unspecific to Kicksecure for Qubes.
Others and Alternatives
- This is just an example. Other tools could achieve the same goal.
- If this example does not work for you or if you are not using Kicksecure, please refer to this link.
sudoedit /etc/sysctl.d/50_user.conf
6. Paste sysctl settings.
Example:
Note: Do not use these settings without learning what might break by using these settings. There are reasons why these settings are non-default.
kernel.unprivileged_userns_clone=0 user.max_user_namespaces=0 kernel.panic=-1 kernel.panic_on_oops=1 kernel.panic_on_warn=1 kernel.oops_limit=1 kernel.warn_limit=1 fs.binfmt_misc.status=0 net.ipv4.tcp_sack=0 net.ipv4.tcp_dsack=0 net.ipv6.conf.*.use_tempaddr=2
7. Save.
8. Learn about optional kernel parameter features.
Note: Look at the file but do not make any changes.
Open file /etc/default/grub.d/40_kernel_hardening.cfg in a text editor of your choice as a regular, non-root user.
If you are using a graphical environment, run. mousepad /etc/default/grub.d/40_kernel_hardening.cfg
If you are using a terminal, run. nano /etc/default/grub.d/40_kernel_hardening.cfg
9. Create a new GRUB configuration file.
Open file /etc/default/grub.d/50_user.conf in an editor with root rights.
Kicksecure
See
Open File with Root Rights
for detailed instructions on why to use sudoedit for better security and how to use it.
sudoedit /etc/default/grub.d/50_user.conf
Kicksecure for Qubes
NOTES:
- When using Kicksecure-Qubes, this needs to be done inside the Template.
sudoedit /etc/default/grub.d/50_user.conf
- After applying this change, shutdown the Template.
- All App Qubes based on the Template need to be restarted if they were already running.
- This is a general procedure required for Qubes and unspecific to Kicksecure for Qubes.
Others and Alternatives
- This is just an example. Other tools could achieve the same goal.
- If this example does not work for you or if you are not using Kicksecure, please refer to this link.
sudoedit /etc/default/grub.d/50_user.conf
10. Paste kernel parameters.
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX oops=panic" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX cfi=kcfi" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ipv6.disable=1"
11. Save.
12. Update the GRUB configuration.
sudo update-grub
13. Reboot required.
sudo reboot
14. Done.
Appendix:
/usr/lib/sysctl.d/990-security-misc.confon github/etc/default/grub.d/40_kernel_hardening.cfgon github
Testing Features[edit]
Reduce Kernel Information Leaks[edit]
Known to make the Restart and Shut Down buttons dysfunctional in Xfce, and sometimes cause the operating system not to start.
By default, on most if not all (Linux based) operating systems, the Linux kernel makes lots of information available to running programs (and therefore by extension also to Malware). There's an optional feature to reduce such kernel information leaks.
Warning: This is for testers-only!
- Security Impact: There are many of hardware, kernel, debug information, etc. in
/sysand/proc, which is especially problematic and has been the cause of many infoleaks such as kernel pointer leaks. - Security / Privacy Impact: Details about your hardware can aid attacks and can be used for identification.
- Threat: This information is per Debian (and probably most popular Linux distributions) available to attackers with local code execution privileges which includes,
- malicious applications collecting such information and submitting it to data collectors,
- as well as both, compromised non-privileged users and the privileged root user.
- Non-Threat: This information does not randomly leak to third parties on clean (non-compromised) machines through use of legitimate applications such as the APT package manager. Legitimate applications do not request the information from the kernel, let alone leak them to third-parties over the internet.
- Goal: This information should by default be unavailable to non-privileged users and untrusted root.
- Solution: Therefore security-misc includes the
hide-hardware-info.servicesystemd unit.- Restricts access to
/sys,/proc/cpuinfo,/proc/bus, and/proc/scsito the root user only. - This also hides most hardware identifiers.
- Restricts access to
- Status: This setting is disabled by default because it might break many applications. Testers-only! Call for testers and forum discussion: Restrict Hardware Information to Root - Testers Wanted!
- Enable: It can optionally be enabled by running the following command.
- sudo systemctl enable hide-hardware-info.service
- Reboot required.
- A whitelist that allows specific applications to access
/sysand/proc/cpuinfois enabled by default to maintain basic functionality. [1] For example, this allows the launching of applications like Xfce.
- Limitations of Solution:
- root compromise: Attackers which gained root compromise and/or malicious/compromised whitelisted applications have access to this information.
- CPUID: Cannot hide CPUID.
- Testing: See #Testing
- Possible Future Enhancements: untrusted root
Reduce Kernel Information Leaks - Known Issues[edit]
- breaks Xfce shutdown, reboot GUI buttons (but CLI commands for shutdown, reboot are functional) (maybe also fixed in testers repository)
- breaks APT updates and update-torbrowser run from within any Template when hide-hardware-information.service is running inside Qubes sys-whonix (fixed in testers repository)
- browsers:
- Firefox: functional
- Chromium:
- from packages.debian.org: broken, fails with an error popup, because it attempts to read
/proc/cpuinfo. - from flatpak: functional
- from packages.debian.org: broken, fails with an error popup, because it attempts to read
- ISO image to USB writer tools:
- breaks balanaEtcher
Whitelisting Applications[edit]
To whitelist applications, they must be run under the sysfs group (if allowing access to /sys) and/or the cpuinfo group (if allowing access to /proc/cpuinfo).
Remember that any whitelisted applications add to the attack surface. An attacker can attempt to exploit a vulnerability in the whitelisted application(s) to gain access to hardware information.
addgroup method[edit]
1. For example, to add user user to group cpuinfo, run the following command. (Note, this is weakening protections.)
sudo addgroup user cpuinfo
2. For example, to add user user to group sysfs, run the following command. (Note, this is weakening protections.)
sudo addgroup user sysfs
3. Re-login required after changing groups.
sudo reboot
4. Done.
For example, after reboot it would be possible to run the cpu-info utility (from Debian package cpuinfo).
cpu-info
systemd[edit]
For example, to run a systemd service as the sysfs group, create a drop-in directory and add the following.
[Service] SupplementaryGroups=sysfs
setgid method[edit]
To run a specific binary as the sysfs group, the binary must be owned by the sysfs group and be made setgid. To achieve this,
1. change the ownership of the binary by running the following.
sudo chgrp sysfs /path/to/binary
2. Then make the binary setgid.
sudo chmod g+s /path/to/binary
3. Done.
The binary will now run with the permissions of the sysfs group and have access to /sys.
All of these steps can also be applied to the cpuinfo group.
Disable the Whitelist[edit]
In order to reduce the attack surface as much as possible, optionally the whitelist can be disabled entirely.
Warning:
Note that this setting will break many applications; for example, the desktop environment will not even start. Do not perform this action unless you understand the implications and can reverse the change.
1. Open file /etc/hide-hardware-info.d/50_user.conf in an editor with root rights.
Kicksecure
See
Open File with Root Rights
for detailed instructions on why to use sudoedit for better security and how to use it.
sudoedit /etc/hide-hardware-info.d/50_user.conf
Kicksecure for Qubes
NOTES:
- When using Kicksecure-Qubes, this needs to be done inside the Template.
sudoedit /etc/hide-hardware-info.d/50_user.conf
- After applying this change, shutdown the Template.
- All App Qubes based on the Template need to be restarted if they were already running.
- This is a general procedure required for Qubes and unspecific to Kicksecure for Qubes.
Others and Alternatives
- This is just an example. Other tools could achieve the same goal.
- If this example does not work for you or if you are not using Kicksecure, please refer to this link.
sudoedit /etc/hide-hardware-info.d/50_user.conf
2. Add.
sysfs_whitelist=0 cpuinfo_whitelist=0
3. Save.
4. Done.
Testing[edit]
Optional: Users who wish to verify the functionality can perform the instructions in the following box.
1. Install pciutils.
Install package(s) pciutils following these instructions
1 Platform specific notice.
- Kicksecure: No special notice.
- Kicksecure-Qubes: In Template.
2
Update the package lists and upgrade the system
.
sudo apt update && sudo apt full-upgrade
3 Install the pciutils package(s).
Using apt command line
--no-install-recommends option
is in most cases optional.
sudo apt install --no-install-recommends pciutils
4 Platform specific notice.
- Kicksecure: No special notice.
- Kicksecure-Qubes: Shut down Template and restart App Qubes based on it as per
Qubes Template Modification
.
5 Done.
The procedure of installing package(s) pciutils is complete.
2. Run lspci.
lspci
Expected printout:
pcilib: Cannot open /proc/bus/pci lspci: Cannot find any working access method.
3. Attempt to view contents of virtual file /proc/cpuinfo:
cat /proc/cpuinfo
Expected printout:
cat: /proc/cpuinfo: Permission denied
Note: CPUID is still not hidden.
SUID Disabler and Permission Hardener[edit]
See SUID Disabler and Permission Hardener.
hidepid[edit]
TODO: document
Warning: This can break many things such as pkexec. This might cause symptoms similar to the ones mentioned in forum discussion cannot use pkexec.
1. Enable.
sudo systemctl enable proc-hidepid.service
2. Start.
sudo systemctl start proc-hidepid.service
3. Done.
hidepid has been enabled.
4. Testing.
pkexec test command (requires X11, will not work in Wayland):
pkexec mousepad /tmp/testfile
Error message if broken:
Error checking for authorization org.xfce.mousepad: GDBus.Error:org.gtk.GDBus.UnmappedGError.Quark._g_2dfile_2derror_2dquark.Code4: Failed to open file ?/proc/1423/status?: No such file or directory
Hopefully X11 and Wayland compatible.
pkexec nano /tmp/testfile
Install package(s) gparted following these instructions
1 Platform specific notice.
- Kicksecure: No special notice.
- Kicksecure-Qubes: In Template.
2
Update the package lists and upgrade the system
.
sudo apt update && sudo apt full-upgrade
3 Install the gparted package(s).
Using apt command line
--no-install-recommends option
is in most cases optional.
sudo apt install --no-install-recommends gparted
4 Platform specific notice.
- Kicksecure: No special notice.
- Kicksecure-Qubes: Shut down Template and restart App Qubes based on it as per
Qubes Template Modification
.
5 Done.
The procedure of installing package(s) gparted is complete.
gparted
Experimental Features[edit]
Unreleased. (Developers only.) Will flow into other repositories as per usual.
Harden Module Loading[edit]
Warning: Breaks desktop. Might work on servers.
sudo systemctl enable harden-module-loading.service
See also kernel module.
Remount Secure[edit]
Warning: This is for developers-only!
See also:
Design:
- runs at early boot
- no user freedom restriction
- can be disabled
- manual fstab hardening is possible
- broken applications? tb-starter?
The Remount Secure feature is currently not ready for use.
x. Maybe enable dracut module.
The following instructions based on kernel command line modification depend on a dracut module that is currently disabled by default.
/usr/lib/dracut/modules.d-disabled would need to be moved to /usr/lib/dracut/modules.d
sudo mv usr/lib/dracut/modules.d-disabled/20remount-secure /usr/lib/dracut/modules.d/
sudo dracut -f
x. Maybe enable systemd unit.
Do this only if not using the dracut module
sudo systemctl enable remount-secure
sudo systemctl start remount-secure
1. Create a new configuration file.
You'll need to make changes to the kernel boot parameters (see also grub).
Only useful if using the dracut module.
Open file /etc/default/grub.d/50_user.cfg in an editor with root rights.
Kicksecure
See
Open File with Root Rights
for detailed instructions on why to use sudoedit for better security and how to use it.
sudoedit /etc/default/grub.d/50_user.cfg
Kicksecure for Qubes
NOTES:
- When using Kicksecure-Qubes, this needs to be done inside the Template.
sudoedit /etc/default/grub.d/50_user.cfg
- After applying this change, shutdown the Template.
- All App Qubes based on the Template need to be restarted if they were already running.
- This is a general procedure required for Qubes and unspecific to Kicksecure for Qubes.
Others and Alternatives
- This is just an example. Other tools could achieve the same goal.
- If this example does not work for you or if you are not using Kicksecure, please refer to this link.
sudoedit /etc/default/grub.d/50_user.cfg
2. Add the required kernel parameters based on the security level you prefer:
- Option A (No Security): Disable Remount Secure:
- GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=0"
- Option B (Low Security): Re-mount with
nodev,nosuid:- GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=1"
- Option C (Medium Security): Re-mount with
nodev,nosuid,noexecfor most mount points, excluding/home.- GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=2"
- Option D (Highest Security): Re-mount with
nodev,nosuid,noexecfor all mount points including/home.- GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=3"
3. Save the configuration file.
4. Regenerate the grub configuration: sudo update-grub
5. Reboot your system.
A reboot is necessary for the kernel parameter changes to take effect.
6. Completion.
You have successfully enabled the Remount Secure feature.
For more details and developer information, see the following resources: [4]
Installation of security-misc[edit]
This chapter is only required for users which aren't users of Kicksecure or its derivatives (such as Whonix®). That is because security-misc is installed by default in Kicksecure and Kicksecure derivatives.
Prerequisites:
1. Essentials.
The user needs to verify that the following prerequisites are met.
- Debian
bookworminstalled. - A user account such as for example user
userexists. - Calling the user name
useris recommended because then you could copy and paste the commands below and do not need to adjust for another user name.
2. Gain administrative (root) rights. [5]
Becoming root is required because the following commands need to be run with administrative (root) rights as documented below. [6]
- A) Debian: Use
suorsudo suas documented below. - B) Most Qubes users: same as above.
- C) Advanced Qubes users: If using a Debian minimal template or not having the
passwordless-rootpackage installed, see footnote. [7]
Try to come root by running the following command in a terminal.
su
Executing plain su might not be possible depending on how Debian has been installed. [8] In that case, try.
sudo su
3. Install sudo and adduser package.
1. Update the package lists.
apt update
2. Upgrade the system.
apt full-upgrade
3. Install sudo and adduser package.
apt install --no-install-recommends sudo adduser
4. Root rights hardening notice.
Note:
- A) Most users: No special notice.
- B) Advanced users: If the user is intending to lockdown user
userby not granting root rights, see footnote. [9]
5. sudo configuration.
Optional.
Allow user user to run sudo without as password.
Note: Replace user user with your actual user name.
Configuration File Method
Securely create file /etc/sudoers.d/user.conf using visudo.
echo "user ALL=(ALL:ALL) NOPASSWD:ALL" | EDITOR=tee visudo -f /etc/sudoers.d/nopassword >/dev/null
Adduser Method
Add user user to group sudo.
/usr/sbin/adduser user sudo
Reboot required.
/sbin/reboot
Gain administrative rights after reboot. Same as in step 2.
6. Create group console.
/usr/sbin/addgroup --system console
7. Add your Linux account user name to group console. [10]
Note: Replace user user with your actual user name.
/usr/sbin/adduser user console
8. Install console related packages.
This might also result in removal of plymouth, which is good, because it is unsupported. [11]
sudo apt install console-data console-common kbd keyboard-configuration
1. Download the Signing Key.
wget https://www.kicksecure.com/keys/derivative.asc
2. Optional: Check the Signing Key for better security.
3. Add Kicksecure signing key.
sudo cp derivative.asc /usr/share/keyrings/derivative.asc
4. Kicksecure APT repository choices.
Optional: See Kicksecure Packages for Debian Hosts and Kicksecure Host Enhancements instead of the next step for more secure and complex options.
5. Add Kicksecure APT repository.
echo "deb [signed-by=/usr/share/keyrings/derivative.asc] https://deb.kicksecure.com trixie main contrib non-free" | sudo tee /etc/apt/sources.list.d/derivative.list
Install security-misc.
Install package(s) security-misc following these instructions
1 Platform specific notice.
- Kicksecure: No special notice.
- Kicksecure-Qubes: In Template.
2
Update the package lists and upgrade the system
.
sudo apt update && sudo apt full-upgrade
3 Install the security-misc package(s).
Using apt command line
--no-install-recommends option
is in most cases optional.
sudo apt install --no-install-recommends security-misc
4 Platform specific notice.
- Kicksecure: No special notice.
- Kicksecure-Qubes: Shut down Template and restart App Qubes based on it as per
Qubes Template Modification
.
5 Done.
The procedure of installing package(s) security-misc is complete.
selinux[edit]
COMMUNITY SUPPORT ONLY :
THIS wiki CHAPTER only
is only supported by the community. Kicksecure developers are very unlikely to provide free support for this content.
See Community Support for further information, including implications and possible alternatives.
- https://github.com/Kicksecure/security-misc/pull/100
- https://forums.whonix.org/t/restrict-hardware-information-to-root/7329/88
Debugging[edit]
Should security-misc create issues, the most likely causes might be the following two files.
Option A) option would be Kernel Boot Parameter Change.
Option B)
Delete.
sudo mv /etc/default/grub.d/40_cpu_mitigations.cfg ~/
And/or delete.
sudo mv /etc/default/grub.d/40_kernel_hardening.cfg ~/
And.
sudo update-grub
Then reboot.
If that helps, it means that one or another security hardening is causing issues.
References[edit]
- ↑
https://github.com/Kicksecure/security-misc/blob/master/usr/lib/systemd/system/user%40.service.d/sysfs.conf
- ↑
No reboot required: Use the execute command as different group ID command line utility
sgto execute thecpu-info(from Debian packagecpuinfo) application under groupcpuinfo. sg cpuinfo cpu-info - ↑ Also no reboot required: sudo -u user bash cpu-info Or. sudo -u user cpu-info
- ↑
- Forum discussion
- remount-secure script
- remount-secure dracut module
- Dev/remount-secure
- ls -la /var/run/remount-secure
- Forum discussion
- ↑ Use any method to gain administrative (root) rights. Gain root one way or another.
- ↑
When a user is using
suto gain administrative rights, the user is required to use full path to the programsaddgroup,adduser,rebootbecause when usingsuthePATHenvironment variable is not adjusted for use with root rights. Seeecho "$PATH". echo "$PATH" user rightsPATHprintout:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
root rights
PATHprintout:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
By comparison, when using
sudousing /full/path/to/application is not required. - ↑ A root terminal is required to proceed which can be started from Qubes dom0 terminal as per the Qubes upstream documentation. Unspecific to Kicksecure.
- ↑
If a root password has not configured during Debian installation, Debian-Installer might have already set up
sudo. - ↑
The following command
/usr/sbin/adduser user sudogrants root rights to useruser. If the user intents to use useruserwithout root rights for better security, the user should omit running the/usr/sbin/adduser user sudoand instead 1) make sure that another Linux user account such as useradminis a member of Linux user groupsudoand 2) adhere to the following platform specific instructions.- Debian: Use
su. - Kicksecure for Qubes: If not installing the
passwordless-rootpackage and/or when distribution morphing a Debian minimal template into Kicksecure, root terminal is required to proceed which can be started from Qubes dom0 terminal as per the Qubes upstream documentation. Unspecific to Kicksecure.
- Debian: Use
- ↑ Context: Console Lockdown Required for login into a Virtual Consoles which might be handy in context of Recovery.
- ↑
https://forums.kicksecure.com/t/error-plymouth-conflict-in-debian-morphing/641
A secure by default operating system with the latest security research in place.
At
Kicksecure we value freedom and trust, supporting Open Source and Freedom Software
2012-
2024 ENCRYPTED SUPPORT LP
We believe security software like Kicksecure needs to remain Open Source and independent. Would you help sustain and grow the project? Learn more about our 12 year success story and maybe DONATE!