On 06/10/23 18:31, David A. Wheeler wrote:
> FYI:
>
> I've learned of a "Linux kernel hardening checker":
> https://github.com/a13xp0p0v/kernel-hardening-checker
thanks for this!
> It might be interesting to run & see if there are missing hardening measures that
> should be applied in Tails.
I ran it in a regular Tails, using
sysctl -a > sysctl.txt
kernel-hardening-checker -s sysctl.txt
It gives us 4 suggestions:
- user.max_user_namespaces should be 0. I think we disagree on this.
- dev.tty.legacy_tiocsti should be 0. We don't have this option.
- fs.protected_fifos should be 2 instead of 1. Sounds good.
- kernel.yama.ptrace_scope should be 3 instead of 1. Sounds good.
When it comes to
kernel-hardening-checker -m show_fail -l /proc/cmdline -c /boot/config-6.1.0-12-amd64 | grep cmdline
there are some more cmdline options we could consider using. I haven't
investigated those, though.
bye,
--
boyska
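A small checker in the spirit of the run above, as an added example that is not part of this thread or of kernel-hardening-checker: it parses a saved `sysctl -a` dump and compares the four settings the reply lists, treating a key the running kernel does not expose (dev.tty.legacy_tiocsti here) as "missing" rather than as a failure. The RECOMMENDED table mirrors the reply's suggestions, and the SAMPLE dump is constructed.

```python
import re

# Target values as stated in the reply (assumed here as the policy to check).
# dev.tty.legacy_tiocsti only exists on newer kernels, so a dump may lack it.
RECOMMENDED = {
    "user.max_user_namespaces": 0,
    "dev.tty.legacy_tiocsti": 0,
    "fs.protected_fifos": 2,
    "kernel.yama.ptrace_scope": 3,
}


def parse_sysctl(text):
    """Parse `sysctl -a` output ("key = value" lines) into {key: value-string}."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([\w.\-/]+)\s*=\s*(.*?)\s*$", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def check(settings, recommended=RECOMMENDED):
    """Return {key: status} with status in {'ok', 'fail', 'missing'}."""
    result = {}
    for key, want in recommended.items():
        if key not in settings:
            result[key] = "missing"      # sysctl not present on this kernel
            continue
        try:
            # Multi-valued sysctls are space/tab separated; compare the first field.
            have = int(settings[key].split()[0])
        except (ValueError, IndexError):
            result[key] = "fail"         # non-numeric value: never treat as ok
            continue
        result[key] = "ok" if have == want else "fail"
    return result


# Constructed sample dump; values match what the reply reports for Tails.
SAMPLE = """\
fs.protected_fifos = 1
kernel.yama.ptrace_scope = 1
user.max_user_namespaces = 15000
net.ipv4.ip_forward = 0
"""

if __name__ == "__main__":
    for key, status in check(parse_sysctl(SAMPLE)).items():
        print(f"{status:8} {key}")
```

Run against a real dump with `sysctl -a > sysctl.txt` and `check(parse_sysctl(open("sysctl.txt").read()))`.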