On 06/10/23 18:31, David A. Wheeler wrote:
> FYI:
> 
> I've learned of a "Linux kernel hardening checker":
> https://github.com/a13xp0p0v/kernel-hardening-checker

thanks for this!

> It might be interesting to run & see if there are missing hardening measures that
> should be applied in Tails.

I ran it on a regular Tails, using
sysctl -a > sysctl.txt
kernel-hardening-checker -s sysctl.txt
It gives us 4 suggestions:
 - user.max_user_namespaces should be 0. I think we disagree on this.
 - dev.tty.legacy_tiocsti should be 0. We don't have this option.
 - fs.protected_fifos should be 2 instead of 1. Sounds good.
 - kernel.yama.ptrace_scope should be 3 instead of 1. Sounds good.

When it comes to
kernel-hardening-checker -m show_fail -l /proc/cmdline -c /boot/config-6.1.0-12-amd64 | grep cmdline

There are some more cmdline options we could consider using. I haven't investigated those, though.

bye,

--
boyska
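The sysctl part of the procedure above, as an added example that is not part of the thread and not code from Tails or from kernel-hardening-checker: a small POSIX sh script that reads a `sysctl -a` dump, compares it against the four sysctl recommendations quoted in the message, reports each as OK, FAIL or MISSING (a key the running kernel does not expose, as with dev.tty.legacy_tiocsti on the Tails kernel), and emits a sysctl.d fragment for the keys one chooses to apply, with an exclusion list for the recommendation Tails disagrees with. The sample dump is constructed; its user.max_user_namespaces value is a placeholder, not a value reported in the thread.

```shell
#!/bin/sh
# Added example: check a `sysctl -a` dump against the four sysctl
# recommendations from the message and emit a sysctl.d fragment.
# Not Tails code and not part of kernel-hardening-checker.

# Recommendations as "key expected", taken from the checker run quoted
# in the message.
RECOMMENDED='
user.max_user_namespaces 0
dev.tty.legacy_tiocsti 0
fs.protected_fifos 2
kernel.yama.ptrace_scope 3
'

# Print the value of one key from a dump of "key = value" lines
# (first field of the value only; none of the keys above are multi-valued).
# Returns 1 and prints nothing when the kernel does not expose the key.
sysctl_value() {
    dump=$1; key=$2
    val=$(awk -v k="$key" '$1 == k && $2 == "=" { print $3; found = 1 }
                            END { exit !found }' "$dump") || return 1
    printf '%s\n' "$val"
}

# One status line per recommended key: OK, FAIL (current vs recommended)
# or MISSING (key absent from the dump, i.e. not present on that kernel).
check_sysctl_dump() {
    dump=$1
    printf '%s\n' "$RECOMMENDED" | while read -r key expected; do
        [ -n "$key" ] || continue
        if cur=$(sysctl_value "$dump" "$key"); then
            if [ "$cur" = "$expected" ]; then
                printf 'OK      %s = %s\n' "$key" "$cur"
            else
                printf 'FAIL    %s = %s (recommended %s)\n' "$key" "$cur" "$expected"
            fi
        else
            printf 'MISSING %s (recommended %s)\n' "$key" "$expected"
        fi
    done
}

# Number of FAIL lines; usable as a CI gate.
count_failures() {
    check_sysctl_dump "$1" | grep -c '^FAIL' || true
}

# sysctl.d fragment for the keys that FAIL. Keys in the space-separated
# exclusion list (second argument) are skipped, as are keys the kernel
# does not have, so `sysctl --system` will not warn about unknown keys.
sysctl_fragment() {
    dump=$1; exclude=" ${2:-} "
    printf '%s\n' "$RECOMMENDED" | while read -r key expected; do
        [ -n "$key" ] || continue
        case "$exclude" in *" $key "*) continue ;; esac
        cur=$(sysctl_value "$dump" "$key") || continue
        [ "$cur" = "$expected" ] && continue
        # Yama documents ptrace_scope=3 as one-way: it cannot be lowered
        # again without a reboot, so flag it in the generated fragment.
        if [ "$key" = kernel.yama.ptrace_scope ] && [ "$expected" = 3 ]; then
            printf '# cannot be lowered again until reboot\n'
        fi
        printf '%s = %s\n' "$key" "$expected"
    done
}

# Constructed sample dump standing in for `sysctl -a > sysctl.txt` on the
# Tails described in the message (protected_fifos=1, ptrace_scope=1, no
# dev.tty.legacy_tiocsti). The max_user_namespaces value is a placeholder.
SAMPLE_DUMP=$(mktemp)
cat > "$SAMPLE_DUMP" <<'EOF'
fs.protected_fifos = 1
fs.protected_regular = 2
kernel.yama.ptrace_scope = 1
user.max_user_namespaces = 15000
EOF

# Usage on the sample; on a real system replace $SAMPLE_DUMP with the
# file written by `sysctl -a > sysctl.txt`.
check_sysctl_dump "$SAMPLE_DUMP"
echo "failures: $(count_failures "$SAMPLE_DUMP")"
echo '--- sysctl.d fragment (user namespaces left alone) ---'
sysctl_fragment "$SAMPLE_DUMP" user.max_user_namespaces
```

The fragment is meant to be reviewed and dropped into /etc/sysctl.d/ by hand, not applied automatically; in particular the ptrace_scope change should be tried on a test image first, since once Yama is at 3 the only way back is a reboot.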
_______________________________________________
Tails-dev mailing list
Tails-dev@boum.org
https://www.autistici.org/mailman/listinfo/tails-dev
To unsubscribe from this list, send an empty email to 
tails-dev-unsubscr...@boum.org.
