File: README.Debian

Package: hardening-runtime 1 (area: main; suite: buster)
Hardening configuration for Debian
==================================

This package contains configuration files with hardening suggestions for the
Debian distribution. At the moment, two types of hardening are included:
kernel command line options (via a grub configuration file) and sysctl settings.

The settings come from the Kernel Self Protection Project recommended settings,
published at
https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings

Kernel command line
-------------------

When the grub bootloader is used, the kernel command line is tuned by adding a
configuration file to /etc/default/grub.d. This file appends the following
options to the kernel command line:

- kaslr: Kernel Address Space Layout Randomization (enabled explicitly; the
  kernel's own default depends on its build configuration)
- pti=on: Force Page Table Isolation even if the processor is considered not
  vulnerable to Meltdown
- slab_nomerge: Disable slab merging (makes heap overflows harder to exploit,
  since objects of different types no longer share one cache)
- page_poison=1: Enable buddy allocator free poisoning (requires a kernel built
  with CONFIG_PAGE_POISONING)
- slub_debug=FPZ: Enable sanity checks (F), poisoning (P) and red zoning (Z) on
  the slub allocator; these cost memory and CPU time
- nosmt: Disable symmetric multithreading (also called hyperthreading); this
  halves the number of logical CPUs on SMT systems

This configuration file can be edited to add or remove command line options
suited to the installation; run update-grub afterwards and reboot for changes
to take effect. File content will be preserved across upgrades.
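The following script is an added example and not part of the hardening-runtime
package. It generates the kind of /etc/default/grub.d drop-in described above
and checks a kernel command line (for example the contents of /proc/cmdline
after a reboot) for the listed options. The drop-in name
"zz-local-hardening.cfg" is an assumption; any *.cfg name in that directory
works.

```sh
#!/bin/sh
# Added example, not part of the hardening-runtime package: generate a
# /etc/default/grub.d drop-in carrying the options listed above and check a
# kernel command line for them. The drop-in name "zz-local-hardening.cfg" is
# an assumption; *.cfg files are sourced in name order after /etc/default/grub.

HARDENING_OPTS="kaslr pti=on slab_nomerge page_poison=1 slub_debug=FPZ nosmt"

# Print the drop-in body. Appending to GRUB_CMDLINE_LINUX_DEFAULT keeps the
# options the installation already had (e.g. "quiet").
grub_dropin() {
    printf 'GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT %s"\n' \
        "$HARDENING_OPTS"
}

# Install the drop-in into a grub.d directory (default: the real one) and, for
# the real one only, regenerate grub.cfg. Needs root for the real location.
install_grub_dropin() {
    dir=${1:-/etc/default/grub.d}
    mkdir -p "$dir"
    grub_dropin > "$dir/zz-local-hardening.cfg"
    if [ "$dir" = /etc/default/grub.d ]; then
        update-grub
    fi
}

# Check a command line string for the expected options. Matching is on whole
# words, so "pti=off" does not satisfy "pti=on". Prints the missing options
# and returns 1 if any are absent, 0 when all are present.
check_cmdline() {
    set -f   # split on whitespace only, no pathname expansion of "*" etc.
    missing=""
    for opt in $HARDENING_OPTS; do
        found=0
        for word in $1; do
            [ "$word" = "$opt" ] && found=1
        done
        [ "$found" -eq 1 ] || missing="$missing $opt"
    done
    set +f
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    return 0
}

# After rebooting into the regenerated grub.cfg, confirm the running kernel
# actually received the options:
#   check_cmdline "$(cat /proc/cmdline)"
```

The check deliberately compares whole words: the kernel takes the last
occurrence of a repeated option, so a later "pti=off" from another drop-in
would silently win, and a substring match would not notice.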

Sysctl
------

Some sysctls interesting for hardening are set using systemd-sysctl(8)
(systemd-sysctl.service) from a configuration file shipped in /usr/lib/sysctl.d.

As described in sysctl.d(5), a file in /etc/sysctl.d/ takes precedence over a
file of the same name in /usr/lib/sysctl.d/. The settings can therefore be
overridden by copying the file into /etc/sysctl.d/ (keeping the same
filename) and editing the copy. The file can also be disabled completely by
creating, in /etc/sysctl.d/, a symlink of the same filename pointing to
/dev/null. Changes take effect at the next boot, or immediately after
"systemctl restart systemd-sysctl.service".
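The following script is an added example and not part of the hardening-runtime
package. It implements the override and mask operations described above, a
resolver that shows which copy of a sysctl.d file systemd-sysctl will actually
use (following the precedence in sysctl.d(5)), and a check of configured versus
live values. This README does not name the package's file, so
"99-hardening.conf" is an assumed placeholder.

```sh
#!/bin/sh
# Added example, not part of the hardening-runtime package. The file name
# "99-hardening.conf" is an assumed placeholder; set PKG_FILE to the real one.

PKG_FILE=${PKG_FILE:-99-hardening.conf}

# Directories systemd-sysctl reads, highest precedence first; the first
# directory containing a given file name wins (see sysctl.d(5)).
SYSCTL_DIRS="/etc/sysctl.d /run/sysctl.d /usr/local/lib/sysctl.d /usr/lib/sysctl.d"

# Override: copy the vendor file into /etc/sysctl.d under the same name, then
# edit the copy. Optional 2nd/3rd arguments point at other directories so the
# function can be exercised without root.
sysctl_override() {
    name=$1 vendor=${2:-/usr/lib/sysctl.d} etc=${3:-/etc/sysctl.d}
    mkdir -p "$etc"
    cp "$vendor/$name" "$etc/$name"
}

# Mask: a symlink to /dev/null in /etc/sysctl.d makes systemd-sysctl skip
# every lower-precedence file of that name.
sysctl_mask() {
    name=$1 etc=${2:-/etc/sysctl.d}
    mkdir -p "$etc"
    ln -sf /dev/null "$etc/$name"
}

# Print the path systemd-sysctl will load for NAME, or "masked". Directories
# may be given as extra arguments (default: SYSCTL_DIRS). Returns 1 if absent.
sysctl_effective_file() {
    name=$1; shift
    [ $# -gt 0 ] || set -- $SYSCTL_DIRS
    for dir in "$@"; do
        f="$dir/$name"
        if [ -L "$f" ] && [ "$(readlink "$f")" = /dev/null ]; then
            echo masked; return 0
        fi
        [ -e "$f" ] && { echo "$f"; return 0; }
    done
    return 1
}

# Normalise a sysctl.d file to "key=value" lines: drop comments and blank
# lines, strip the optional leading "-" (ignore-errors marker) and whitespace.
sysctl_settings() {
    sed -e 's/[#;].*$//' -e '/^[[:space:]]*$/d' \
        -e 's/^[[:space:]]*-\{0,1\}//' \
        -e 's/[[:space:]]*=[[:space:]]*/=/' -e 's/[[:space:]]*$//' "$1"
}

# Compare every key in FILE with the running kernel (sysctl -n). Prints each
# mismatch and returns 1 if there was one, 0 if everything matches.
sysctl_verify() {
    bad=0
    tmp=$(mktemp)
    sysctl_settings "$1" > "$tmp"
    while IFS='=' read -r key want; do
        have=$(sysctl -n "$key" 2>/dev/null | tr '\t' ' ')
        [ -n "$have" ] || have='<unreadable>'
        if [ "$have" != "$want" ]; then
            echo "$key: configured '$want', live '$have'"
            bad=1
        fi
    done < "$tmp"
    rm -f "$tmp"
    return $bad
}
```

Typical use on a real system, as root: sysctl_override "$PKG_FILE", edit
/etc/sysctl.d/$PKG_FILE, restart systemd-sysctl.service, then run
sysctl_verify "$(sysctl_effective_file "$PKG_FILE")" to confirm the kernel
holds the values you configured. "systemd-sysctl --cat-config" shows the
merged view from systemd's side and is a good cross-check of the resolver.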