Instructions, scripts, (meta)packages with purpose of hardening linux installations.
- Shell 92.2%
- Makefile 7.8%
| harder-debian | README: mention running Xorg as root as risk; misc textual tweaks | |
| src/selinux | selinux: provide harder.te policy for compilation and manual installation | |
| tools | modules: provide soft_disable_me as fake module with Management Engine disable command | |
| .editorconfig | README: add some notes on ufw and protection against misuse of web-browser scripting | |
| .gitignore | selinux: provide harder.te policy for compilation and manual installation | |
| .gitmodules | modules: provide soft_disable_me as fake module with Management Engine disable command | |
| Makefile | selinux: provide harder.te policy for compilation and manual installation | |
| README.md | README: mention running Xorg as root as risk; misc textual tweaks | |
This is an experiment and work-in-progress.
Distribution hardening
A (meta)package to facilitate hardening of a Debian installation.
Refer to usr/share/doc/harder/README.md for detailed information.
TODO
lightdmrunsXorgas root, which opens it up to attacks for privilege escalation. Running e.g.startxfce4as user startsXorgas regular user. Systemd-logind already provides necessary access and file-descriptors for access to special devices that other programs should not be able to access.- Bluetooth-hardening:
- Config values; not exact for copy-pasting:
Class 0x000000,DiscoverableTimeout 0,PairableTimeout 0,DebugKeys false,ControllerMode dual,MultiProfile off,JustWorksRepairing never,SecureConnections onlyKernelExperimental false,KeySize 16,ExchangeMTU 517,Channels 1,AutoEnable false,DisablePlugins autopair policy - modules:
btusb(bluetooth,btmtk,btintel,btbcm,btrtl,usbcore),bnep,rfcomm,cmac,ecdh_generic,af_alg,algif_hash,algif_skcipher - Warn/disable/remove bluetooth OBEX support for risks of autonomous/silent activity.
- Warn about bluetooth where certain devices are freely connectable due to "innocence" but can be malicious devices. ("pre-approved" classes/types?, hence also rfkill)
- Mice/keyboards may be able to engage in malicious activity freely.
- Conflict/mask/disable
bluez-obexdbluetooth OBEX support for risk of background meddling. - SELinux provides modules and booleans for managing bluetooth risks.
- References:
- Config values; not exact for copy-pasting:
- Check Kernel hardening checker. (Ref from KSPP.)
- Is there an actual recommended tool for rootkit-detection and/or other file/integrity checking? (
unhide, ...) - Check use of
SUIDbinaries. (Usesetcapto remove need forSUID?) - Notes on LUKS detached header, header detachment, backup + manual clearing (LUKS2 offset property), moving header onto ESP, ESP on separate drive, systemd-boot for simpler, self-contained boot that contains necessary modules for dmcrypt/cryptsetup/LVM/etc. One can migrate to detached header, but it is rather tricky because there needs to be a step-wise migration to a different boot configuration without breaking boot-capability for the operating system.
- Detached header: no encrypted symmetric key that can be exfiltrated and locally brute-forced; not self-contained.
Second verification:
- Loading modules-lists via symlinks to
/usr/lib/harder/modules-load.d/works. What if/usr/lib/harder/modules-load.d/is on a different file-system? - Do we need
usr/lib/harder/modules-load.dfiles prefixed with number to ensure proper ordering? Not likely, it seems modules from various files are loaded arbitrarily anyways. - Needs verification: modules-lists for
wireguardandopenvpn(and its dependencies) are the only modules needed for kernel-based support.