
Bug#919226: hardening



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

[adding the ITP bug on CC]

On Mon, 2019-01-14 at 10:24 -0800, Matt Taggart wrote:
> Hi,
> 
> I just found out about your hardening-runtime package, it's great!
> 
> A while back I created a package with similar intent named lockdown.
> 
> https://gitlab.com/taggart/lockdown

Nice, I didn't know about it, thanks for the pointer.
> 
> (although now there is a linux lockdown https://lwn.net/Articles/750761/
> so I might rename it).

Indeed.
> 
> I've been meaning to get back to working on it, I have some other ideas
> about locking out some old networking protocols and other junk.
> 
> Take a look and tell me what you think, maybe it's interesting to merge
> them? (or at the very least I will add a dependency to pull yours in).

I have to admit I'm not sure I like the whole initscript thing, and prefer the
configuration file approach. Regarding the current features:

kernel.kexec_load_disabled=1 and kernel.unprivileged_bpf_disabled=1 are in
hardening-runtime

kernel.modules_disabled is not. Starting with Buster, unsigned modules won't
load by default, so part of the feature (not loading random kernel modules even
if you have CAP_SYS_ADMIN) will be enabled. For the rest (not loading signed
modules for vulnerable stuff, for example), I think it would make more sense
to load the required modules in the initramfs and set the setting there.

This could be done by a special initramfs hook and adding all the whitelisted
modules to /etc/initramfs-tools/modules, but it has to be done manually.

All in all:

- I don't think it really makes sense to have both lockdown and hardening-
runtime (it doesn't hurt that much, but still, it's duplicate work)
- hardening-runtime supports more stuff (sysctl settings and kernel command
line) than lockdown at the moment

I think it would make more sense to migrate the modules_disabled part to
hardening-runtime and I would happily welcome co-maintainership on this if
you're interested. Obviously that's my opinion and I can understand if you're
reluctant on that :)

Regards,
-- 
Yves-Alexis
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEE8vi34Qgfo83x35gF3rYcyPpXRFsFAlw9pz4ACgkQ3rYcyPpX
RFuhfwf/X9ttM0f9iH/jRL/JanMFpFNN/DZ0ufFjEZIA8xnyBRhc6No3Io+sKxET
zPCnyuV/gzPObd/IXCIYLyKSIpa2mO8U2U1qK4jmJHG89zt0UNDRK3F9gWHx+Nzn
ZlgY6g3FTEhL6thxz0egqob1LxyVkigkqDeiqhrDvE8xeMqhkTs9O3oav7j5zFuK
VLbly1Cea8ki9C0VlIP/73ytt1JqInC7a8k3CoqYKzhJI6mshtqhQvXZ9YJVwSRb
sQchq8xQENqaSI6xYmRsmtTArLS35c8/UvzT9fizwaQ255TB2PY66vdp7mvBleqc
f2oFsJssCP8hhB0uQZmWiDKonzormQ==
=Vud0
-----END PGP SIGNATURE-----


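The message discusses three sysctls (kernel.kexec_load_disabled, kernel.unprivileged_bpf_disabled, kernel.modules_disabled) and the idea of setting modules_disabled from the initramfs once the whitelisted modules have been loaded. The script below is an added example, not code from hardening-runtime or lockdown: it audits those three settings against a hardened baseline, reading from a directory laid out like /proc/sys so it can run against a constructed tree, and it prints an initramfs-tools boot script that locks module loading at the end of the initramfs stage. The script name lock-modules, its placement under scripts/init-bottom, and the demo tree values are assumptions made here.

```shell
#!/bin/sh
# Added example (not part of hardening-runtime or lockdown).
# audit_sysctls ROOT  : check the three settings from the message under ROOT,
#                       which is laid out like /proc/sys (pass /proc/sys on a
#                       live system, or a constructed tree as in the demo).
# emit_lockdown_script: print an initramfs-tools boot script that sets
#                       kernel.modules_disabled=1 after the initramfs has
#                       loaded the modules listed in /etc/initramfs-tools/modules.

# name=minimum hardened value. A higher value is accepted because
# unprivileged_bpf_disabled=2 means "disabled and cannot be re-enabled".
HARDENED="kernel.kexec_load_disabled=1 kernel.unprivileged_bpf_disabled=1 kernel.modules_disabled=1"

# Print the value of dotted sysctl name $2 under root $1; print nothing if absent.
read_sysctl() {
    f="$1/$(printf '%s' "$2" | tr . /)"
    if [ -r "$f" ]; then cat "$f"; fi
}

# Print "<name> ok|WEAK|MISSING <value>" per setting; return 0 only if all are ok.
audit_sysctls() {
    root=$1 bad=0
    for kv in $HARDENED; do
        name=${kv%%=*} want=${kv#*=}
        have=$(read_sysctl "$root" "$name")
        case "$have" in
            '')       echo "$name MISSING -";  bad=$((bad + 1)) ;;
            *[!0-9]*) echo "$name WEAK $have"; bad=$((bad + 1)) ;;
            *) if [ "$have" -ge "$want" ]; then echo "$name ok $have"
               else echo "$name WEAK $have"; bad=$((bad + 1)); fi ;;
        esac
    done
    [ "$bad" -eq 0 ]
}

# Assumed wiring for the approach in the message: install the output as
# /etc/initramfs-tools/scripts/init-bottom/lock-modules (mode 0755), list every
# module the system needs in /etc/initramfs-tools/modules, run update-initramfs -u.
# init-bottom runs after the initramfs has loaded its modules and before the
# switch to the real root, so nothing on the real root can load a module afterwards.
emit_lockdown_script() {
    cat <<'EOF'
#!/bin/sh
# Lock kernel module loading for the rest of this boot (one-way until reboot).
PREREQ=""
prereqs() { echo "$PREREQ"; }
case "$1" in
    prereqs) prereqs; exit 0 ;;
esac
echo 1 > /proc/sys/kernel/modules_disabled
EOF
}

# Constructed demo tree (not a real /proc/sys): kexec and bpf hardened,
# modules_disabled still 0, as a box with hardening-runtime but no initramfs
# lock would look. Prints the tree's path.
build_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/kernel"
    echo 1 > "$d/kernel/kexec_load_disabled"
    echo 2 > "$d/kernel/unprivileged_bpf_disabled"
    echo 0 > "$d/kernel/modules_disabled"
    echo "$d"
}

demo=$(build_demo_tree)
audit_sysctls "$demo" || echo "not fully hardened: modules can still be loaded"
rm -rf "$demo"
```

Caveat for the initramfs approach: once modules_disabled is 1, anything not already loaded (a filesystem, a network driver, a USB class driver) stays unavailable until reboot, so the whitelist in /etc/initramfs-tools/modules has to be complete for the machine, and the audit above only tells you that the lock is in place, not that the whitelist was right.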