feat: apply patches to harden system (part 3)

* feat: blacklist numerous unused kernel modules * feat: include the option to apply additional hardening * feat: apply some hardened sysctl values Everything was taken from here: https://github.com/secureblue/secureblue
c0deplayer · Jan 28, 2024 · 8fb3882 · 8fb3882
1 parent 5122576
commit 8fb3882
Show file tree

Hide file tree

Showing 5 changed files with 152 additions and 27 deletions.
diff --git a/config/files/usr/etc/modprobe.d/blacklist.conf b/config/files/usr/etc/modprobe.d/blacklist.conf
@@ -0,0 +1,53 @@
+install dccp /bin/true
+install sctp /bin/true
+install rds /bin/true
+install tipc /bin/true
+install firewire-core /bin/true
+install firewire_core /bin/true
+install firewire-ohci /bin/true
+install firewire_ohci /bin/true
+install firewire_sbp2 /bin/true
+install firewire-sbp2 /bin/true
+install thunderbolt /bin/true
+install n-hdlc /bin/false
+install ax25 /bin/false
+install netrom /bin/false
+install x25 /bin/false
+install rose /bin/false
+install decnet /bin/false
+install econet /bin/false
+install af_802154 /bin/false
+install ipx /bin/false
+install appletalk /bin/false
+install psnap /bin/false
+install p8023 /bin/false
+install p8022 /bin/false
+install can /bin/false
+install atm /bin/false
+install cramfs /bin/false
+install freevxfs /bin/false
+install jffs2 /bin/false
+install hfs /bin/false
+install hfsplus /bin/false
+install squashfs /bin/false
+install udf /bin/false
+install cifs /bin/true
+install nfs /bin/true
+install nfsv3 /bin/true
+install nfsv4 /bin/true
+install ksmbd /bin/true
+install gfs2 /bin/true
+install vivid /bin/false
+install ohci1394 /bin/false
+install sbp2 /bin/false
+install dv1394 /bin/false
+install raw1394 /bin/false
+install video1394 /bin/false
+install msr /bin/true
+install vivid /bin/false
+
+blacklist tipc
+blacklist dccp
+blacklist sctp
+blacklist rds
+blacklist ath_pci
diff --git a/config/files/usr/etc/sysctl.d/10-kernel.conf b/config/files/usr/etc/sysctl.d/10-kernel.conf
@@ -1,13 +1,13 @@
 # Disable kernel watchdogs
-kernel.watchdog=0
-kernel.nmi_watchdog=0
-kernel.soft_watchdog=0
+kernel.watchdog = 0
+kernel.nmi_watchdog = 0
+kernel.soft_watchdog = 0
 
 # Disable split lock mitigate (prevents certain games performance drop)
-kernel.split_lock_mitigate=0
+kernel.split_lock_mitigate = 0
 
 # Disables kexec which can be used to replace the running kernel.
-kernel.kexec_load_disabled=1
+kernel.kexec_load_disabled = 1
 
 # Disable most kernel logs, but still show the important ones
 kernel.printk = 3 3 3 3
@@ -16,14 +16,21 @@ kernel.printk = 3 3 3 3
 kernel.core_pattern=|/bin/false
 
 # Restricts the use of the ptrace() syscall to root only
-kernel.yama.ptrace_scope=2
+kernel.yama.ptrace_scope = 2
 
 # Restrict the kernel logs to root only
-kernel.dmesg_restrict=1
+kernel.dmesg_restrict = 1
 
 # Hides the kernel symbols in /proc/kallsyms
 # (prevent an attacker from using them to learn more about what to attack on your system)
-kernel.kptr_restrict=2
+kernel.kptr_restrict = 2
 
 # Restricts the BPF JIT compiler to root only
-kernel.unprivileged_bpf_disabled=1
+kernel.unprivileged_bpf_disabled = 1
+
+# Restrct access perf events to root only
+kernel.perf_event_paranoid = 3
+
+fs.suid_dumpable = 0
+fs.protected_regular = 2
+fs.protected_fifos = 2
diff --git a/config/files/usr/etc/sysctl.d/20-memory.conf b/config/files/usr/etc/sysctl.d/20-memory.conf
@@ -1,12 +1,15 @@
 # ZRAM tweaks (PopOS defaults)
-vm.swappiness=180
-vm.watermark_boost_factor=0
-vm.watermark_scale_factor=125
-vm.page-cluster=0
+vm.swappiness = 180
+vm.watermark_boost_factor = 0
+vm.watermark_scale_factor = 125
+vm.page-cluster = 0
 
 # Prevent long file transfer OOM
-vm.dirty_bytes=268435456
-vm.dirty_background_bytes=134217728
+vm.dirty_bytes = 268435456
+vm.dirty_background_bytes = 134217728
 
 # Increase memory maps (SteamOS default)
-vm.max_map_count=2147483642
+vm.max_map_count = 2147483642
+
+# Restrict userfaultfd to CAP_SYS_PTRACE
+vm.unprivileged_userfaultfd = 0
diff --git a/config/files/usr/share/ublue-os/firstboot/yafti.yml b/config/files/usr/share/ublue-os/firstboot/yafti.yml
@@ -2,13 +2,15 @@ title: Welcome to uBlue
 properties:
   mode: "run-on-change"
 screens:
+
   first-screen:
     source: yafti.screen.title
     values:
       title: "Welcome to SilverFlow"
       icon: "/path/to/icon"
       description: |
         Default system apps are installing in the background, but it is safe to use your computer in the meantime.
+        
   applications:
     source: yafti.screen.package
     values:
@@ -74,18 +76,25 @@ screens:
             - Caprine: com.sindresorhus.Caprine
             - Materialgram: io.github.kukuruzka165.materialgram
             - Upscayl: org.upscayl.Upscayl
-  configure-silveflow:
-    source: yafti.screen.package
+
+  can-we-harden-your-kargs:
+    source: yafti.screen.consent
     values:
-      title: Additional SilverFlow configs
-      show_terminal: true
-      package_manager: yafti.plugin.run
-      groups:         
-        Hide GRUB:
-          description: Hides GRUB text output on boot.
-          default: false
-          packages:
-          - Hide GRUB: pkexec ujust configure-grub hide
+      title: Kernel hardening
+      description: |
+        This step will enable additional kernel hardening. Warning: setting disable_early_pci_dma may lead to boot issues. If you encounter them, re-run this without the disable_early_pci_dma variable
+      actions:
+        - run: pkexec ujust set-kargs-hardening append
+
+  can-we-hide-grub:
+    source: yafti.screen.consent
+    values:
+      title: Hide GRUB
+      description: |
+        This step will hide GRUB from the boot process. If you want to access GRUB, hold down the ESC key during boot.
+      actions:
+        - run: pkexec ujust configure-grub hide
+
   final-screen:
     source: yafti.screen.title
     values:

diff --git a/config/files/usr/share/ublue-os/just/60-custom.just b/config/files/usr/share/ublue-os/just/60-custom.just
@@ -11,6 +11,59 @@ install-pdm:
     python3 install-pdm.py --path "${HOMEDIR}/pdm"
     rm install-pdm.py
 
+# Add additional boot parameters for hardening (requires reboot)
+set-kargs-hardening ACTION="prompt":
+    #!/usr/bin/env bash
+    bold=$(tput bold)
+    normal=$(tput sgr0)
+    OPTION={{ ACTION }}
+    if [ "$OPTION" == "prompt" ]; then
+    echo "${bold}Additional boot parameters for hardening${normal}"
+    echo 'GRUB hiding option can be useful for making boot-times faster.'
+    echo 'Press ESC to exit.'
+    OPTION=$(ugum choose "Append" Delete)
+    if [ "${OPTION,,}" == "append" ]; then
+      rpm-ostree kargs \
+        --append-if-missing="init_on_alloc=1" \
+        --append-if-missing="init_on_free=1" \
+        --append-if-missing="slab_nomerge" \
+        --append-if-missing="page_alloc.shuffle=1" \
+        --append-if-missing="randomize_kstack_offset=on" \
+        --append-if-missing="vsyscall=none" \
+        --append-if-missing="debugfs=off" \
+        --append-if-missing="lockdown=confidentiality" \
+        --append-if-missing="random.trust_cpu=off" \
+        --append-if-missing="random.trust_bootloader=off" \
+        --append-if-missing="iommu=force" \
+        --append-if-missing="intel_iommu=on" \
+        --append-if-missing="amd_iommu=force_isolation" \
+        --append-if-missing="iommu.passthrough=0" \
+        --append-if-missing="iommu.strict=1" \
+        --append-if-missing="pti=on" \
+        --append-if-missing="module.sig_enforce=1" \
+        --append-if-missing="mitigations=auto,nosmt"
+    elif [ "${OPTION,,}" == "delete" ]; then
+      rpm-ostree kargs \
+        --delete-if-present="init_on_alloc=1" \
+        --delete-if-present="init_on_free=1" \
+        --delete-if-present="slab_nomerge" \
+        --delete-if-present="page_alloc.shuffle=1" \
+        --delete-if-present="randomize_kstack_offset=on" \
+        --delete-if-present="vsyscall=none" \
+        --delete-if-present="debugfs=off" \
+        --delete-if-present="lockdown=confidentiality" \
+        --delete-if-present="random.trust_cpu=off" \
+        --delete-if-present="random.trust_bootloader=off" \
+        --delete-if-present="iommu=force" \
+        --delete-if-present="intel_iommu=on" \
+        --delete-if-present="amd_iommu=force_isolation" \
+        --delete-if-present="iommu.passthrough=0" \
+        --delete-if-present="iommu.strict=1" \
+        --delete-if-present="pti=on" \
+        --delete-if-present="module.sig_enforce=1" \
+        --delete-if-present="mitigations=auto,nosmt"
+    fi
+
 # Configure GRUB screen with various options
 configure-grub ACTION="prompt":
     #!/usr/bin/env bash