Cherry pick from Kicksecure security-misc #4
Comments
|
Links of relevance: NetworkManager and systemd-networkd support for IPv6 privacy should be enabled alongside sysctl Legal disclaimer in banner. Doesn't add inherent security but it's just a few bytes of text and doesn't hurt to add; as long as it eventually scares at least one person from trying to hack someone it's worth it. https://github.com/Kicksecure/security-misc/blob/master/usr/lib/systemd/coredump.conf.d/30_security-misc.conf (https://github.com/NixOS/nixpkgs/blob/e2dd4e18cc1c7314e24154331bae07df76eb582f/nixos/modules/system/boot/systemd/coredump.nix tldr; systemd.coredump.enable = false; doesn't actually reconfigure coredump to use Storage=none, so we need to do this manually.) https://github.com/Kicksecure/security-misc/blob/master/usr/bin/remount-secure Other notes: We should probably make overrides for anything labeled "most_noexec_maybe." There's no good reason to have anything executable installed in /root, so an override for that would probably be unnecessary. IPv6 privacy extensions can apparently cause breakage in some very specific environments, an override should be made for that as well. As for the rest of security-misc, the rest of it seems to be relating to experimental scripts and unbreaking various stuff from said experimental scripts. We can entertain those later, but the links already listed here should be easy and effective to implement. |
|
Merged with exceptions for the filesystem hardening to ensure a functioning system. TODO: Overrides for exec on certain mountpoints and removing IPv6 private addresses. |
We already borrow the module blacklist and bluetooth configuration from them. There is a lot more here that could be used right now; used by both Whonix and QubeOS and are generally useful and trustworth.
https://github.com/Kicksecure/security-misc
The text was updated successfully, but these errors were encountered: