{{Header}} {{#seo: |description=Documentation for package security-misc. |image=Securitymisc.jpg }} {{title|title= security-misc: Enhance Miscellaneous Security Settings }} [[File:Securitymisc.jpg|thumb]] {{intro| Documentation for package security-misc. }} = Stable Features = [https://github.com/{{project_name_short}}/security-misc#enhances-miscellaneous-security-settings Described here]. = system map = TODO: document * https://forums.whonix.org/t/kernel-hardening/7296/84 * https://forums.whonix.org/t/remove-system-map-cannot-work-lib-modules-is-mounted-read-only/13324 = Optional Features = '''1.''' Open [https://github.com/Kicksecure/security-misc security-misc readme]. '''2.''' Optional: Read all. '''3.''' Use the browser internal search for {{CodeSelect|inline=true|code=Optional -}} and read. '''4.''' Learn about optional sysctl features. Note: Look at the file but do not make any changes. This is because changes in any files in /usr folder are overwritten the next time the package which owns that file is updated. {{Open_File|filename= /usr/lib/sysctl.d/990-security-misc.conf }} '''5.''' Create a new sysctl configuration file. Note: This is because this file in /etc folder will remain unmodified by the package manager APT. {{Open with root rights|filename= /etc/sysctl.d/50_user.conf }} '''6.''' Paste sysctl settings. Example: Note: Do not use these settings without learning what might break by using these settings. There are reasons why these settings are non-default. {{CodeSelect|code= kernel.unprivileged_userns_clone=0 user.max_user_namespaces=0 kernel.panic=-1 kernel.panic_on_oops=1 kernel.panic_on_warn=1 kernel.oops_limit=1 kernel.warn_limit=1 fs.binfmt_misc.status=0 net.ipv4.tcp_sack=0 net.ipv4.tcp_dsack=0 net.ipv6.conf.*.use_tempaddr=2 }} '''7.''' Save. '''8.''' Learn about optional kernel parameter features. Note: Look at the file but do not make any changes. {{Open_File|filename= /etc/default/grub.d/40_kernel_hardening.cfg }} '''9.''' Create a new [[GRUB]] configuration file. {{Open with root rights|filename= /etc/default/grub.d/50_user.conf }} '''10.''' Paste kernel parameters. {{CodeSelect|code= GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX oops=panic" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX cfi=kcfi" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ia32_emulation=0" GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX ipv6.disable=1" }} '''11.''' Save. '''12.''' Update the GRUB configuration. {{CodeSelect|code= sudo update-grub }} '''13.''' Reboot required. {{CodeSelect|code= sudo reboot }} '''14.''' Done. Appendix: * [https://github.com/Kicksecure/security-misc/blob/master/usr/lib/sysctl.d/990-security-misc.conf /usr/lib/sysctl.d/990-security-misc.conf on github] * [https://github.com/Kicksecure/security-misc/blob/master/etc/default/grub.d/40_kernel_hardening.cfg /etc/default/grub.d/40_kernel_hardening.cfg on github] = Testing Features = {{Anchor|Restrict Hardware Information to Root}} == Reduce Kernel Information Leaks == {{mbox | type = notice | image = [[File:Ambox_notice.png|40px|alt=Info]] | text = Known to make the Restart and Shut Down buttons dysfunctional in Xfce, and sometimes cause the operating system not to start. }} By default, on most if not all (Linux based) operating systems, the Linux kernel makes lots of information available to running programs (and therefore by extension also to [[Malware]]). There's an optional feature to reduce such kernel information leaks. {{Testers-only}} {{box|text= * Security Impact: There are many of hardware, kernel, debug information, etc. in /sys and /proc, which is especially problematic and has been the cause of many infoleaks such as kernel pointer leaks. * Security / Privacy Impact: Details about your hardware can aid attacks and can be used for identification. * Threat: This information is per Debian (and probably most popular Linux distributions) available to attackers with local code execution privileges which includes, ** malicious applications collecting such information and submitting it to data collectors, ** as well as both, compromised non-privileged users and the privileged root user. * Non-Threat: This information does not randomly leak to third parties on clean (non-compromised) machines through use of legitimate applications such as the APT package manager. Legitimate applications do not request the information from the kernel, let alone leak them to third-parties over the internet. * Goal: This information should by default be unavailable to non-privileged users and [[Dev/boot_modes|untrusted root]]. * Solution: Therefore security-misc includes the hide-hardware-info.service systemd unit. ** Restricts access to /sys, /proc/cpuinfo, /proc/bus, and /proc/scsi to the root user only. ** This also hides most hardware identifiers. * Status: This setting is disabled by default because it might break many applications. Testers-only! Call for testers and forum discussion: [https://forums.whonix.org/t/restrict-hardware-information-to-root-testers-wanted/8618 Restrict Hardware Information to Root - Testers Wanted!] * Enable: It can optionally be enabled by running the following command. ** {{CodeSelect|code= sudo systemctl enable hide-hardware-info.service }} ** Reboot required. ** A whitelist that allows specific applications to access /sys and /proc/cpuinfo is enabled by default to maintain basic functionality. https://github.com/{{project_name_short}}/security-misc/blob/master/usr/lib/systemd/system/user%40.service.d/sysfs.conf For example, this allows the launching of applications like Xfce. * Limitations of Solution: ** root compromise: Attackers which gained root compromise and/or malicious/compromised whitelisted applications have access to this information. ** CPUID: Cannot hide [[CPUID]]. * Testing: See [[#Testing]] * Possible Future Enhancements: [[Dev/boot_modes|untrusted root]] }} === Reduce Kernel Information Leaks - Known Issues === * [https://forums.whonix.org/t/restrict-hardware-information-to-root-testers-wanted/8618/55 breaks Xfce shutdown, reboot GUI buttons] (but CLI commands for shutdown, reboot are functional) (maybe also fixed in testers repository) * [https://forums.whonix.org/t/update-torbrowser-is-currently-broken/18279/7 breaks APT updates and update-torbrowser run from within any Template when hide-hardware-information.service is running inside Qubes sys-whonix] (fixed in testers repository) * browsers: ** Firefox: functional ** Chromium: *** from packages.debian.org: broken, fails with an error popup, because it attempts to read /proc/cpuinfo. *** from flatpak: functional * ISO image to USB writer tools: ** breaks balanaEtcher === Whitelisting Applications === To whitelist applications, they must be run under the sysfs group (if allowing access to /sys) and/or the cpuinfo group (if allowing access to /proc/cpuinfo). Remember that any whitelisted applications add to the attack surface. An attacker can attempt to exploit a vulnerability in the whitelisted application(s) to gain access to hardware information. ==== addgroup method ==== '''1.''' For example, to add user user to group cpuinfo, run the following command. (Note, this is weakening protections.) {{CodeSelect|code= sudo addgroup user cpuinfo }} '''2.''' For example, to add user user to group sysfs, run the following command. (Note, this is weakening protections.) {{CodeSelect|code= sudo addgroup user sysfs }} '''3.''' Re-login required after changing groups. Easiest: reboot. No reboot required: Use the execute command as different group ID command line utility sg to execute the cpu-info (from Debian package cpuinfo) application under group cpuinfo. {{CodeSelect|code= sg cpuinfo cpu-info }} Also no reboot required: {{CodeSelect|code= sudo -u user bash }} {{CodeSelect|code= cpu-info }} Or. {{CodeSelect|code= sudo -u user cpu-info }} {{CodeSelect|code= sudo reboot }} '''4.''' Done. For example, after reboot it would be possible to run the cpu-info utility (from Debian package cpuinfo). {{CodeSelect|code= cpu-info }} ==== systemd ==== For example, to run a systemd service as the sysfs group, create a [[Configuration_Files#Configuration_Drop-In_Folders|drop-in directory]] and add the following. {{CodeSelect|code= [Service] SupplementaryGroups=sysfs }} ==== setgid method ==== To run a specific binary as the sysfs group, the binary must be owned by the sysfs group and be made setgid. To achieve this, '''1.''' change the ownership of the binary by running the following. {{CodeSelect|code= sudo chgrp sysfs /path/to/binary }} '''2.''' Then make the binary setgid. {{CodeSelect|code= sudo chmod g+s /path/to/binary }} '''3.''' Done. The binary will now run with the permissions of the sysfs group and have access to /sys. All of these steps can also be applied to the cpuinfo group. === Disable the Whitelist === In order to reduce the attack surface as much as possible, optionally the whitelist can be disabled entirely. {{mbox | image = [[File:Ambox_warning_pn.svg.png|40px|alt=warning]] | text = '''Warning:''' Note that this setting will break many applications; for example, the desktop environment will not even start. Do not perform this action unless you understand the implications and can reverse the change. }} '''1.''' {{Open with root rights|filename= /etc/hide-hardware-info.d/50_user.conf }} '''2.''' Add. {{CodeSelect|code= sysfs_whitelist=0 cpuinfo_whitelist=0 }} '''3.''' Save. '''4.''' Done. === Testing === Optional: Users who wish to verify the functionality can perform the instructions in the following box. {{box|text= '''1.''' Install pciutils. {{Install Package|package= pciutils }} '''2.''' Run lspci. {{CodeSelect|code= lspci }} Expected printout:
pcilib: Cannot open /proc/bus/pci
lspci: Cannot find any working access method.
'''3.''' Attempt to view contents of virtual file /proc/cpuinfo: {{CodeSelect|code= cat /proc/cpuinfo }} Expected printout:
cat: /proc/cpuinfo: Permission denied
Note: [[CPUID|CPUID is still not hidden]]. }} == SUID Disabler and Permission Hardener == See [[SUID Disabler and Permission Hardener]]. == hidepid == TODO: document Warning: This can break many things such as pkexec. This might cause symptoms similar to the ones mentioned in forum discussion [https://forums.whonix.org/t/cannot-use-pkexec/8129 cannot use pkexec]. '''1.''' Enable. {{CodeSelect|code= sudo systemctl enable proc-hidepid.service }} '''2.''' Start. {{CodeSelect|code= sudo systemctl start proc-hidepid.service }} '''3.''' Done. hidepid has been enabled. '''4.''' Testing. pkexec test command (requires X11, will not work in Wayland): {{CodeSelect|code= pkexec mousepad /tmp/testfile }} Error message if broken:
Error checking for authorization org.xfce.mousepad: GDBus.Error:org.gtk.GDBus.UnmappedGError.Quark._g_2dfile_2derror_2dquark.Code4: Failed to open file ?/proc/1423/status?: No such file or directory
Hopefully X11 and Wayland compatible. {{CodeSelect|code= pkexec nano /tmp/testfile }} {{Install Package|package= gparted }} {{CodeSelect|code= gparted }} = Experimental Features = Unreleased. (Developers only.) Will flow into other repositories as per usual. == Harden Module Loading == Warning: Breaks desktop. Might work on servers. {{CodeSelect|code= sudo systemctl enable harden-module-loading.service }} See also [[kernel module]]. {{anchor|suid}} == Remount Secure == {{Developers-only}} See also: * [[Dev/remount-secure]] * [[noexec|Enhanced Security via Mount Options and Compiler Restrictions]] Design: * runs at early boot * no user freedom restriction * can be disabled * manual fstab hardening is possible * broken applications? tb-starter? The Remount Secure feature is currently not ready for use. '''x.''' Maybe enable dracut module. The following instructions based on kernel command line modification depend on a dracut module that is currently disabled by default. /usr/lib/dracut/modules.d-disabled would need to be moved to /usr/lib/dracut/modules.d {{CodeSelect|code= sudo mv usr/lib/dracut/modules.d-disabled/20remount-secure /usr/lib/dracut/modules.d/ }} {{CodeSelect|code= sudo dracut -f }} '''x.''' Maybe enable systemd unit. Do this only if not using the dracut module {{CodeSelect|code= sudo systemctl enable remount-secure }} {{CodeSelect|code= sudo systemctl start remount-secure }} '''1.''' Create a new configuration file. You'll need to make changes to the kernel boot parameters (see also [[grub]]). Only useful if using the dracut module. {{Open_with_root_rights| filename=/etc/default/grub.d/50_user.cfg }} '''2.''' Add the required kernel parameters based on the security level you prefer: * '''Option A (No Security):''' Disable Remount Secure: ** {{CodeSelect|code= GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=0" }} * '''Option B (Low Security):''' Re-mount with nodev, nosuid: ** {{CodeSelect|code= GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=1" }} * '''Option C (Medium Security):''' Re-mount with nodev, nosuid, noexec for most mount points, excluding /home. ** {{CodeSelect|code= GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=2" }} * '''Option D (Highest Security):''' Re-mount with nodev, nosuid, noexec for all mount points including /home. ** {{CodeSelect|code= GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX remountsecure=3" }} '''3.''' Save the configuration file. '''4.''' Regenerate the grub configuration: {{CodeSelect|code= sudo update-grub }} '''5.''' Reboot your system. A reboot is necessary for the kernel parameter changes to take effect. '''6.''' Completion. You have successfully enabled the Remount Secure feature. For more details and developer information, see the following resources: * [https://forums.whonix.org/t/re-mount-home-and-other-with-noexec-and-nosuid-among-other-useful-mount-options-for-better-security/7707/27 Forum discussion] * [https://github.com/{{project_name_short}}/security-misc/blob/master/usr/bin/remount-secure remount-secure script] * [https://github.com/Kicksecure/security-misc/tree/master/usr/lib/dracut/modules.d-disabled/20remount-secure remount-secure dracut module] * [[Dev/remount-secure]] * {{CodeSelect|code= ls -la /var/run/remount-secure }} {{Anchor|install}} = Installation of security-misc = {{mbox | image = [[File:Ambox_notice.png|40px|alt=Info]] | text = This chapter is only required for users which aren't users of {{project_name_long}} or its derivatives (such as {{Whonix}}). That is because security-misc is installed by default in {{project_name_long}} and {{project_name_long}} derivatives. }} Prerequisites: {{Prerequisites}} {{Box|text= {{Project-APT-Repository-Add Easy}} }} {{Box|text= Install security-misc. {{Install Package|package= security-misc }} }} = selinux = {{Community_Support|scope=chapter}} * https://github.com/{{project_name_short}}/security-misc/pull/100 * https://forums.whonix.org/t/restrict-hardware-information-to-root/7329/88 = References = {{reflist|close=1}} {{Footer}} [[Category:Documentation]]