1
0
mirror of https://github.com/tommytran732/Fedora-CoreOS-Ignition synced 2024-11-22 17:21:34 -05:00

Additional Mitigations

Signed-off-by: Tommy <contact@tommytran.io>
This commit is contained in:
Tommy 2022-09-12 18:34:28 -04:00
parent c75d4a363a
commit 901bb8af68
No known key found for this signature in database
GPG Key ID: 060B29EB996BD9F2
8 changed files with 76 additions and 168 deletions

File diff suppressed because one or more lines are too long

View File

@ -32,6 +32,8 @@ systemd:
ExecStart=/bin/touch /var/lib/%N.stamp ExecStart=/bin/touch /var/lib/%N.stamp
ExecStart=/usr/bin/sed 's/nullok//g' /etc/pam.d/system-auth ExecStart=/usr/bin/sed 's/nullok//g' /etc/pam.d/system-auth
ExecStart=/usr/bin/curl https://raw.githubusercontent.com/Whonix/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf ExecStart=/usr/bin/curl https://raw.githubusercontent.com/Whonix/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf
ExecStart=/usr/bin/curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf -o /etc/sysctl.d/30_security-misc.conf
ExecStart=/usr/bin/curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf -o /etc/sysctl.d/30_silent-kernel-printk.conf
ExecStart=/usr/bin/curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony.conf ExecStart=/usr/bin/curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony.conf
ExecStart=/bin/systemctl --no-block reboot ExecStart=/bin/systemctl --no-block reboot
@ -140,44 +142,19 @@ kernel_arguments:
- tsx_async_abort=full,nosmt - tsx_async_abort=full,nosmt
- kvm.nx_huge_pages=force - kvm.nx_huge_pages=force
- nosmt=force - nosmt=force
- sysctl.kernel.dmesg_restrict=1 - l1d_flush=on
- sysctl.fs.protected_fifos=2 - mmio_stale_data=full,nosmt
- sysctl.fs.protected_regular=2 - random.trust_bootloader=off
- sysctl.fs.protected_symlinks=1 - random.trust_cpu=off
- sysctl.fs.protected_hardlinks=1 - intel_iommu=on
- sysctl.net.core.bpf_jit_harden=2 - amd_iommu=on
- sysctl.kernel.kexec_load_disabled=1 - iommu.passthrough=0 iommu.strict=1
- sysctl.kernel.kptr_restrict=2 - slab_nomerge
- sysctl.vm.mmap_rnd_bits=32 - init_on_alloc=1
- sysctl.vm.mmap_rnd_compat_bits=16 - init_on_free=1
- sysctl.kernel.yama.ptrace_scope=2 - pti=on
- sysctl.fs.suid_dumpable=0 - vsyscall=none
- sysctl.kernel.randomize_va_space=2 - page_alloc.shuffle=1
- sysctl.net.ipv4.tcp_rfc1337=1 - randomize_kstack_offset=on
- sysctl.net.ipv4.conf.all.accept_redirects=0 - extra_latent_entropy
- sysctl.net.ipv4.conf.default.accept_redirects=0 - debugfs=off
- sysctl.net.ipv4.conf.all.secure_redirects=0
- sysctl.net.ipv4.conf.default.secure_redirects=0
- sysctl.net.ipv6.conf.all.accept_redirects=0
- sysctl.net.ipv6.conf.default.accept_redirects=0
- sysctl.net.ipv4.conf.all.send_redirects=0
- sysctl.net.ipv4.conf.default.send_redirects=0
- sysctl.net.ipv4.icmp_echo_ignore_all=1
- sysctl.net.ipv6.icmp.echo_ignore_all=1
- sysctl.net.ipv4.icmp_ignore_bogus_error_responses=1
- sysctl.net.ipv4.tcp_syncookies=1
- sysctl.net.ipv4.conf.all.accept_source_route=0
- sysctl.net.ipv4.conf.default.accept_source_route=0
- sysctl.net.ipv6.conf.all.accept_source_route=0
- sysctl.net.ipv6.conf.default.accept_source_route=0
- sysctl.net.ipv4.conf.default.rp_filter=1
- sysctl.net.ipv4.conf.all.rp_filter=1
- sysctl.net.ipv4.tcp_timestamps=0
- sysctl.kernel.sysrq=132
- sysctl.dev.tty.ldisc_autoload=0
- sysctl.vm.unprivileged_userfaultfd=0
- sysctl.vm.swappiness=1
- sysctl.kernel.perf_event_paranoid=3
- sysctl.net.ipv6.conf.all.accept_ra=0
- sysctl.net.ipv6.conf.default.accept_ra=0
- sysctl.kernel.printk=4

File diff suppressed because one or more lines are too long

View File

@ -32,6 +32,8 @@ systemd:
ExecStart=/bin/touch /var/lib/%N.stamp ExecStart=/bin/touch /var/lib/%N.stamp
ExecStart=/usr/bin/sed 's/nullok//g' /etc/pam.d/system-auth ExecStart=/usr/bin/sed 's/nullok//g' /etc/pam.d/system-auth
ExecStart=/usr/bin/curl https://raw.githubusercontent.com/Whonix/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf ExecStart=/usr/bin/curl https://raw.githubusercontent.com/Whonix/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf
ExecStart=/usr/bin/curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf -o /etc/sysctl.d/30_security-misc.conf
ExecStart=/usr/bin/curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf -o /etc/sysctl.d/30_silent-kernel-printk.conf
ExecStart=/usr/bin/curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony.conf ExecStart=/usr/bin/curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony.conf
ExecStart=/bin/systemctl --no-block reboot ExecStart=/bin/systemctl --no-block reboot
@ -144,44 +146,19 @@ kernel_arguments:
- tsx_async_abort=full,nosmt - tsx_async_abort=full,nosmt
- kvm.nx_huge_pages=force - kvm.nx_huge_pages=force
- nosmt=force - nosmt=force
- sysctl.kernel.dmesg_restrict=1 - l1d_flush=on
- sysctl.fs.protected_fifos=2 - mmio_stale_data=full,nosmt
- sysctl.fs.protected_regular=2 - random.trust_bootloader=off
- sysctl.fs.protected_symlinks=1 - random.trust_cpu=off
- sysctl.fs.protected_hardlinks=1 - intel_iommu=on
- sysctl.net.core.bpf_jit_harden=2 - amd_iommu=on
- sysctl.kernel.kexec_load_disabled=1 - iommu.passthrough=0 iommu.strict=1
- sysctl.kernel.kptr_restrict=2 - slab_nomerge
- sysctl.vm.mmap_rnd_bits=32 - init_on_alloc=1
- sysctl.vm.mmap_rnd_compat_bits=16 - init_on_free=1
- sysctl.kernel.yama.ptrace_scope=2 - pti=on
- sysctl.fs.suid_dumpable=0 - vsyscall=none
- sysctl.kernel.randomize_va_space=2 - page_alloc.shuffle=1
- sysctl.net.ipv4.tcp_rfc1337=1 - randomize_kstack_offset=on
- sysctl.net.ipv4.conf.all.accept_redirects=0 - extra_latent_entropy
- sysctl.net.ipv4.conf.default.accept_redirects=0 - debugfs=off
- sysctl.net.ipv4.conf.all.secure_redirects=0
- sysctl.net.ipv4.conf.default.secure_redirects=0
- sysctl.net.ipv6.conf.all.accept_redirects=0
- sysctl.net.ipv6.conf.default.accept_redirects=0
- sysctl.net.ipv4.conf.all.send_redirects=0
- sysctl.net.ipv4.conf.default.send_redirects=0
- sysctl.net.ipv4.icmp_echo_ignore_all=1
- sysctl.net.ipv6.icmp.echo_ignore_all=1
- sysctl.net.ipv4.icmp_ignore_bogus_error_responses=1
- sysctl.net.ipv4.tcp_syncookies=1
- sysctl.net.ipv4.conf.all.accept_source_route=0
- sysctl.net.ipv4.conf.default.accept_source_route=0
- sysctl.net.ipv6.conf.all.accept_source_route=0
- sysctl.net.ipv6.conf.default.accept_source_route=0
- sysctl.net.ipv4.conf.default.rp_filter=1
- sysctl.net.ipv4.conf.all.rp_filter=1
- sysctl.net.ipv4.tcp_timestamps=0
- sysctl.kernel.sysrq=132
- sysctl.dev.tty.ldisc_autoload=0
- sysctl.vm.unprivileged_userfaultfd=0
- sysctl.vm.swappiness=1
- sysctl.kernel.perf_event_paranoid=3
- sysctl.net.ipv6.conf.all.accept_ra=0
- sysctl.net.ipv6.conf.default.accept_ra=0
- kernel.printk=4

File diff suppressed because one or more lines are too long

View File

@ -32,6 +32,8 @@ systemd:
ExecStart=/bin/touch /var/lib/%N.stamp ExecStart=/bin/touch /var/lib/%N.stamp
ExecStart=/usr/bin/sed 's/nullok//g' /etc/pam.d/system-auth ExecStart=/usr/bin/sed 's/nullok//g' /etc/pam.d/system-auth
ExecStart=/usr/bin/curl https://raw.githubusercontent.com/Whonix/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf ExecStart=/usr/bin/curl https://raw.githubusercontent.com/Whonix/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf
ExecStart=/usr/bin/curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf -o /etc/sysctl.d/30_security-misc.conf
ExecStart=/usr/bin/curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf -o /etc/sysctl.d/30_silent-kernel-printk.conf
ExecStart=/usr/bin/curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony.conf ExecStart=/usr/bin/curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony.conf
ExecStart=/bin/systemctl --no-block reboot ExecStart=/bin/systemctl --no-block reboot
@ -146,45 +148,20 @@ kernel_arguments:
- tsx_async_abort=full,nosmt - tsx_async_abort=full,nosmt
- kvm.nx_huge_pages=force - kvm.nx_huge_pages=force
- nosmt=force - nosmt=force
- sysctl.kernel.dmesg_restrict=1 - l1d_flush=on
- sysctl.fs.protected_fifos=2 - mmio_stale_data=full,nosmt
- sysctl.fs.protected_regular=2 - random.trust_bootloader=off
- sysctl.fs.protected_symlinks=1 - random.trust_cpu=off
- sysctl.fs.protected_hardlinks=1 - intel_iommu=on
- sysctl.net.core.bpf_jit_harden=2 - amd_iommu=on
- sysctl.kernel.kexec_load_disabled=1 - iommu.passthrough=0 iommu.strict=1
- sysctl.kernel.kptr_restrict=2 - slab_nomerge
- sysctl.vm.mmap_rnd_bits=32 - init_on_alloc=1
- sysctl.vm.mmap_rnd_compat_bits=16 - init_on_free=1
- sysctl.kernel.yama.ptrace_scope=2 - pti=on
- sysctl.fs.suid_dumpable=0 - vsyscall=none
- sysctl.kernel.randomize_va_space=2 - page_alloc.shuffle=1
- sysctl.net.ipv4.tcp_rfc1337=1 - randomize_kstack_offset=on
- sysctl.net.ipv4.conf.all.accept_redirects=0 - extra_latent_entropy
- sysctl.net.ipv4.conf.default.accept_redirects=0 - debugfs=off
- sysctl.net.ipv4.conf.all.secure_redirects=0
- sysctl.net.ipv4.conf.default.secure_redirects=0
- sysctl.net.ipv6.conf.all.accept_redirects=0
- sysctl.net.ipv6.conf.default.accept_redirects=0
- sysctl.net.ipv4.conf.all.send_redirects=0
- sysctl.net.ipv4.conf.default.send_redirects=0
- sysctl.net.ipv4.icmp_echo_ignore_all=1
- sysctl.net.ipv6.icmp.echo_ignore_all=1
- sysctl.net.ipv4.icmp_ignore_bogus_error_responses=1
- sysctl.net.ipv4.tcp_syncookies=1
- sysctl.net.ipv4.conf.all.accept_source_route=0
- sysctl.net.ipv4.conf.default.accept_source_route=0
- sysctl.net.ipv6.conf.all.accept_source_route=0
- sysctl.net.ipv6.conf.default.accept_source_route=0
- sysctl.net.ipv4.conf.default.rp_filter=1
- sysctl.net.ipv4.conf.all.rp_filter=1
- sysctl.net.ipv4.tcp_timestamps=0
- sysctl.kernel.sysrq=132
- sysctl.dev.tty.ldisc_autoload=0
- sysctl.vm.unprivileged_userfaultfd=0
- sysctl.vm.swappiness=1
- sysctl.kernel.perf_event_paranoid=3
- sysctl.net.ipv6.conf.all.accept_ra=0
- sysctl.net.ipv6.conf.default.accept_ra=0
- sysctl.kernel.printk=4

File diff suppressed because one or more lines are too long

View File

@ -32,6 +32,8 @@ systemd:
ExecStart=/bin/touch /var/lib/%N.stamp ExecStart=/bin/touch /var/lib/%N.stamp
ExecStart=/usr/bin/sed 's/nullok//g' /etc/pam.d/system-auth ExecStart=/usr/bin/sed 's/nullok//g' /etc/pam.d/system-auth
ExecStart=/usr/bin/curl https://raw.githubusercontent.com/Whonix/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf ExecStart=/usr/bin/curl https://raw.githubusercontent.com/Whonix/security-misc/master/etc/modprobe.d/30_security-misc.conf -o /etc/modprobe.d/30_security-misc.conf
ExecStart=/usr/bin/curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_security-misc.conf -o /etc/sysctl.d/30_security-misc.conf
ExecStart=/usr/bin/curl https://raw.githubusercontent.com/Kicksecure/security-misc/master/etc/sysctl.d/30_silent-kernel-printk.conf -o /etc/sysctl.d/30_silent-kernel-printk.conf
ExecStart=/usr/bin/curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony.conf ExecStart=/usr/bin/curl https://raw.githubusercontent.com/GrapheneOS/infrastructure/main/chrony.conf -o /etc/chrony.conf
ExecStart=/bin/systemctl --no-block reboot ExecStart=/bin/systemctl --no-block reboot
@ -145,44 +147,19 @@ kernel_arguments:
- tsx_async_abort=full,nosmt - tsx_async_abort=full,nosmt
- kvm.nx_huge_pages=force - kvm.nx_huge_pages=force
- nosmt=force - nosmt=force
- sysctl.kernel.dmesg_restrict=1 - l1d_flush=on
- sysctl.fs.protected_fifos=2 - mmio_stale_data=full,nosmt
- sysctl.fs.protected_regular=2 - random.trust_bootloader=off
- sysctl.fs.protected_symlinks=1 - random.trust_cpu=off
- sysctl.fs.protected_hardlinks=1 - intel_iommu=on
- sysctl.net.core.bpf_jit_harden=2 - amd_iommu=on
- sysctl.kernel.kexec_load_disabled=1 - iommu.passthrough=0 iommu.strict=1
- sysctl.kernel.kptr_restrict=2 - slab_nomerge
- sysctl.vm.mmap_rnd_bits=32 - init_on_alloc=1
- sysctl.vm.mmap_rnd_compat_bits=16 - init_on_free=1
- sysctl.kernel.yama.ptrace_scope=2 - pti=on
- sysctl.fs.suid_dumpable=0 - vsyscall=none
- sysctl.kernel.randomize_va_space=2 - page_alloc.shuffle=1
- sysctl.net.ipv4.tcp_rfc1337=1 - randomize_kstack_offset=on
- sysctl.net.ipv4.conf.all.accept_redirects=0 - extra_latent_entropy
- sysctl.net.ipv4.conf.default.accept_redirects=0 - debugfs=off
- sysctl.net.ipv4.conf.all.secure_redirects=0
- sysctl.net.ipv4.conf.default.secure_redirects=0
- sysctl.net.ipv6.conf.all.accept_redirects=0
- sysctl.net.ipv6.conf.default.accept_redirects=0
- sysctl.net.ipv4.conf.all.send_redirects=0
- sysctl.net.ipv4.conf.default.send_redirects=0
- sysctl.net.ipv4.icmp_echo_ignore_all=1
- sysctl.net.ipv6.icmp.echo_ignore_all=1
- sysctl.net.ipv4.icmp_ignore_bogus_error_responses=1
- sysctl.net.ipv4.tcp_syncookies=1
- sysctl.net.ipv4.conf.all.accept_source_route=0
- sysctl.net.ipv4.conf.default.accept_source_route=0
- sysctl.net.ipv6.conf.all.accept_source_route=0
- sysctl.net.ipv6.conf.default.accept_source_route=0
- sysctl.net.ipv4.conf.default.rp_filter=1
- sysctl.net.ipv4.conf.all.rp_filter=1
- sysctl.net.ipv4.tcp_timestamps=0
- sysctl.kernel.sysrq=132
- sysctl.dev.tty.ldisc_autoload=0
- sysctl.vm.unprivileged_userfaultfd=0
- sysctl.vm.swappiness=1
- sysctl.kernel.perf_event_paranoid=3
- sysctl.net.ipv6.conf.all.accept_ra=0
- sysctl.net.ipv6.conf.default.accept_ra=0
- sysctl.kernel.printk=4