Package: linux-image-amd64
Version: 4.19+104
Severity: important

Hi,

It would be great if Debian included some kernel hardening by default. These 
settings would offer great security benefits and no or very minimal performance 
decrease.

Setting “kernel.kptr_restrict=1” with sysctl makes kernel symbols in 
/proc/kallsyms only accessible to root which can make it more difficult for a 
kernel exploit to resolve addresses/symbols. Setting it to 2 hides the symbols 
regardless of privileges.

Setting “kernel.dmesg_restrict=1” with sysctl restricts access to the kernel 
logs which can give an attacker less information on what they can do.

Setting “kernel.unprivileged_bpf_disabled=1” and “net.core.bpf_jit_harden=2” 
with sysctl hardens the BPF JIT compiler and restricts it to root. It comes 
with a performance drop on systems that use the JIT compiler a lot but this 
should only really affect servers.

Setting “vm.mmap_rnd_bits=32” and “vm.mmap_rnd_compat_bits=16” with sysctl 
improves KASLR effectiveness for mmap. This might break some things but I 
haven't had anything break on me yet.

Adding “slab_nomerge” as a boot parameter may also be useful. slab_nomerge 
disables the merging of slabs of similar sizes. Sometimes a slab can be used in 
a vulnerable way which an attacker can exploit. This may have a slight increase 
in memory usage.

Mounting /proc with hidepid=2 in /etc/fstab will hide other users’ processes 
from unprivileged users. This makes it a lot harder for an attacker to get 
information about other running processes. Some processes (like systemd-logind) 
will break but you can add exceptions for them.

If Debian could include any of these by default then that would be great.

Best Regards.
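
A way to check a running system against the settings proposed in this report, as an added example that is not part of the original message. The function names and the ROOT prefix argument are assumptions made for the example; the values are the ones the report suggests.

```shell
#!/bin/sh
# Added example, not from the bug report: audit the settings the report proposes.
# Values are the ones the message suggests; ROOT is a hypothetical prefix
# (default: the live system) so the check can run against a test tree.
WANTED='kernel.kptr_restrict=1
kernel.dmesg_restrict=1
kernel.unprivileged_bpf_disabled=1
net.core.bpf_jit_harden=2
vm.mmap_rnd_bits=32
vm.mmap_rnd_compat_bits=16'

# check_sysctl ROOT NAME WANT: 0 = matches, 1 = differs, 2 = knob absent
check_sysctl() {
    path="$1/proc/sys/$(printf '%s' "$2" | tr . /)"
    if [ ! -r "$path" ]; then
        echo "SKIP $2 (not present on this kernel)"; return 2
    fi
    have=$(cat "$path")
    # kptr_restrict=2 is the stricter mode described in the report, so accept it
    if [ "$have" = "$3" ] || { [ "$2" = kernel.kptr_restrict ] && [ "$have" = 2 ]; }; then
        echo "OK   $2=$have"; return 0
    fi
    echo "FAIL $2=$have (report suggests $3)"; return 1
}

# audit_hardening [ROOT]: prints one line per item, returns 0 only if nothing failed
audit_hardening() {
    root=${1:-}; fails=0
    for kv in $WANTED; do
        check_sysctl "$root" "${kv%%=*}" "${kv#*=}" || [ $? -eq 2 ] || fails=$((fails + 1))
    done
    # Boot parameter: must appear as its own word on the kernel command line
    if tr ' ' '\n' < "$root/proc/cmdline" | grep -qx slab_nomerge; then
        echo "OK   slab_nomerge"
    else
        echo "FAIL slab_nomerge missing from kernel command line"; fails=$((fails + 1))
    fi
    # /proc mount options; newer kernels report hidepid=2 as hidepid=invisible
    if awk '$2 == "/proc" && $3 == "proc" {print $4}' "$root/proc/mounts" |
        grep -Eq '(^|,)hidepid=(2|invisible)(,|$)'; then
        echo "OK   /proc mounted with hidepid=2"
    else
        echo "FAIL /proc not mounted with hidepid=2"; fails=$((fails + 1))
    fi
    [ "$fails" -eq 0 ]
}
# Usage on a live system: audit_hardening
```

A SKIP line means the sysctl does not exist on that kernel or architecture and is not counted as a failure.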
