1
0
Fork
You've already forked hardening
0
Instructions, scripts, (meta)packages with purpose of hardening linux installations.
  • Shell 92.2%
  • Makefile 7.8%
2026年06月30日 19:42:14 +02:00
harder-debian README: mention running Xorg as root as risk; misc textual tweaks 2026年06月30日 19:42:14 +02:00
src/selinux selinux: provide harder.te policy for compilation and manual installation 2026年06月01日 22:06:30 +02:00
tools modules: provide soft_disable_me as fake module with Management Engine disable command 2026年05月21日 01:52:52 +02:00
.editorconfig README: add some notes on ufw and protection against misuse of web-browser scripting 2026年06月01日 23:06:19 +02:00
.gitignore selinux: provide harder.te policy for compilation and manual installation 2026年06月01日 22:06:30 +02:00
.gitmodules modules: provide soft_disable_me as fake module with Management Engine disable command 2026年05月21日 01:52:52 +02:00
Makefile selinux: provide harder.te policy for compilation and manual installation 2026年06月01日 22:06:30 +02:00
README.md README: mention running Xorg as root as risk; misc textual tweaks 2026年06月30日 19:42:14 +02:00

This is an experiment and work-in-progress.

Distribution hardening

A (meta)package to facilitate hardening of a Debian installation.

Refer to usr/share/doc/harder/README.md for detailed information.

TODO

  • lightdm runs Xorg as root, which opens it up to attacks for privilege escalation. Running e.g. startxfce4 as user starts Xorg as regular user. Systemd-logind already provides necessary access and file-descriptors for access to special devices that other programs should not be able to access.
  • Bluetooth-hardening:
    • Config values; not exact for copy-pasting: Class 0x000000, DiscoverableTimeout 0, PairableTimeout 0, DebugKeys false, ControllerMode dual, MultiProfile off, JustWorksRepairing never, SecureConnections only KernelExperimental false, KeySize 16, ExchangeMTU 517, Channels 1, AutoEnable false, DisablePlugins autopair policy
    • modules: btusb (bluetooth, btmtk, btintel, btbcm, btrtl, usbcore), bnep, rfcomm, cmac, ecdh_generic, af_alg, algif_hash, algif_skcipher
    • Warn/disable/remove bluetooth OBEX support for risks of autonomous/silent activity.
    • Warn about bluetooth where certain devices are freely connectable due to "innocence" but can be malicious devices. ("pre-approved" classes/types?, hence also rfkill)
    • Mice/keyboards may be able to engage in malicious activity freely.
    • Conflict/mask/disable bluez-obexd bluetooth OBEX support for risk of background meddling.
    • SELinux provides modules and booleans for managing bluetooth risks.
    • References:
  • Check Kernel hardening checker. (Ref from KSPP.)
  • Is there an actual recommended tool for rootkit-detection and/or other file/integrity checking? (unhide, ...)
  • Check use of SUID binaries. (Use setcap to remove need for SUID?)
  • Notes on LUKS detached header, header detachment, backup + manual clearing (LUKS2 offset property), moving header onto ESP, ESP on separate drive, systemd-boot for simpler, self-contained boot that contains necessary modules for dmcrypt/cryptsetup/LVM/etc. One can migrate to detached header, but it is rather tricky because there needs to be a step-wise migration to a different boot configuration without breaking boot-capability for the operating system.
    • Detached header: no encrypted symmetric key that can be exfiltrated and locally brute-forced; not self-contained.

Second verification:

  • Loading modules-lists via symlinks to /usr/lib/harder/modules-load.d/ works. What if /usr/lib/harder/modules-load.d/ is on a different file-system?
  • Do we need usr/lib/harder/modules-load.d files prefixed with number to ensure proper ordering? Not likely, it seems modules from various files are loaded arbitrarily anyways.
  • Needs verification: modules-lists for wireguard and openvpn (and its dependencies) are the only modules needed for kernel-based support.