1
0
mirror of https://github.com/PrivSec-dev/privsec.dev synced 2024-12-22 04:41:33 -05:00

Fix more dead links on Desktop Linux Hardening page (#232)

* Fix dead links

Signed-off-by: friendly-rabbit-35 <169707731+friendly-rabbit-35@users.noreply.github.com>

* Remove outdated line about BT

Signed-off-by: friendly-rabbit-35 <169707731+friendly-rabbit-35@users.noreply.github.com>

---------

Signed-off-by: friendly-rabbit-35 <169707731+friendly-rabbit-35@users.noreply.github.com>
This commit is contained in:
friendly-rabbit-35 2024-05-17 23:56:15 +00:00 committed by GitHub
parent 41c314574f
commit 9ef57f03e8
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194

View File

@ -198,7 +198,7 @@ Another option is [Kata Containers](https://katacontainers.io/) which masquerade
If you are using Ubuntu LTS, consider subscribing to [Ubuntu Pro](https://ubuntu.com/pro). Canonical currently allows up to 5 machines with the free subscription.
With Ubuntu Pro, you gain access to the [The Ubuntu Security Guide]([https://discourse.ubuntu.com/t/ubuntu-advantage-client/21788](https://ubuntu.com/security/certifications/docs/usg)), which allows for easy application of the CIS OpenSCAP profile:
With Ubuntu Pro, you gain access to the [The Ubuntu Security Guide](https://ubuntu.com/security/certifications/docs/usg), which allows for easy application of the CIS OpenSCAP profile:
```bash
sudo ua enable usg
@ -285,7 +285,7 @@ _This section extensively references [Madaidan's Linux Hardening Guide](https://
_See ["2.2&nbsp;Sysctl"](https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl) in Madaidan's guide._
Madaidan recommends that you disable [unprivileged user namespaces](https://www.containerlabs.kubedaily.com/LXC/Linux%20Containers/User_namespaces.html) due to the [significant attack surface for privilege escalation](https://madaidans-insecurities.github.io/linux.html#kernel). However, some software such as Podman and LXC relies on unprivileged user namespaces. If you wish to use such software, do not disable `kernel.unprivileged_userns_clone`.
Madaidan recommends that you disable [unprivileged user namespaces](https://github.com/sangam14/CloudNativeLab/blob/master/LXC/Linux%20Containers/User_namespaces.md) due to the [significant attack surface for privilege escalation](https://madaidans-insecurities.github.io/linux.html#kernel). However, some software such as Podman and LXC relies on unprivileged user namespaces. If you wish to use such software, do not disable `kernel.unprivileged_userns_clone`.
If you are using Kicksecure or Whonix, most of this hardening is included by default. If you are using Debian, you should consider [morphing it into Kicksecure](https://www.kicksecure.com/wiki/Debian). On other distributions, you can copy the [configuration files from Kicksecure](https://github.com/Kicksecure/security-misc/tree/master/usr/lib/sysctl.d) into `/etc/sysctl.d/` (but note that these configurations do not disable unprivileged user namespaces).
@ -359,7 +359,6 @@ Once again, Kicksecure includes this hardening by default and provides a config
There are a few things in this config to keep in mind:
- Bluetooth is disabled. Comment out the `install bluetooth` and `install btusb` lines to use Bluetooth.
- Thunderbolt is disabled. Comment out the `install thunderbolt` line to use Thunderbolt devices.
- The `cdrom` and `sr_mod` modules are merely _blacklisted_ (can still be loaded at runtime with `modprobe`). If you have no intention to ever use CD&#8209;ROM devices, they should be _disabled_ by *un*commenting the respective `install` lines. ([More about how this works on the ArchWiki](https://wiki.archlinux.org/title/Kernel_module#Using_files_in_/etc/modprobe.d/_2))
- Apple filesystems are disabled. While generally fine on non&#8209;Apple systems, if you are using an Apple device you **must** check the filesystem of your EFI partition and comment out the relevant `install` line, otherwise your Linux install will not boot. For example, comment out the `install hfsplus` line if your ESP filesystem is HFS+.