V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m44s

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
2025-07-15 21:10:38 +02:00
parent b49f2a208e
commit 1033c600ad
7 changed files with 806 additions and 363 deletions


@@ -29,7 +29,7 @@ apt:
full_upgrade: true # Whether to upgrade packages after debootstrap. full_upgrade: true # Whether to upgrade packages after debootstrap.
install_recommends: true # Configure APT to not install recommended packages by default. install_recommends: true # Configure APT to not install recommended packages by default.
non_free: true # Optionally install non-free software. non_free: true # Optionally install non-free software.
non_free_firmware: true # Optionally install non-free firmware. non_free_firmware: true # Optionally install non-free firmware. MUST be "true" for microcode updates.
sec: "security.debian.org" # Debian Security Updates Archive. sec: "security.debian.org" # Debian Security Updates Archive.
############################################################################################################################## ##############################################################################################################################
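Review bot: the comment on install_recommends contradicts the value it sits on: `install_recommends: true # Configure APT to not install recommended packages by default.` reads as if true disables Recommends, while for APT true means they are installed. Either reword the comment to describe what true does, or default the key to false if a hardened image is meant to avoid pulling in Recommends. The non_free_firmware comment change is fine, but since microcode now depends on it, consider having the installer fail early (or force the value) when non_free_firmware is false instead of relying on a MUST in a comment.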
@@ -77,7 +77,7 @@ apt:
################################################################################################################################ ################################################################################################################################
# Basic settings # Basic settings
################################################################################################################################ ################################################################################################################################
architecture: "amd64" # MUST be one of "amd64" or "arm64". architecture: "amd64" # MUST be one of "amd64", "intel64" or "arm64".
distribution: "bookworm" # MUST be "bookworm". distribution: "bookworm" # MUST be "bookworm".
debian_suite: "stable" # MUST be "stable". Not supported yet: "testing", "experimental". debian_suite: "stable" # MUST be "stable". Not supported yet: "testing", "experimental".
exit: exit:
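Review bot: `intel64` is not a dpkg or debootstrap architecture name (Debian uses amd64 for both Intel and AMD 64-bit CPUs), so the new allowed value in `architecture: "amd64" # MUST be one of "amd64", "intel64" or "arm64".` only works if the validation code and the debootstrap call map it back to amd64. The installation_microcode function added in this commit does not read this setting at all and detects the vendor from lscpu, so the extra value looks unneeded; consider dropping it from the comment, or documenting where it is consumed.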

docs/man/BOOTPARAMS.md Normal file

@@ -0,0 +1,58 @@
---
gitea: none
include_toc: true
---
# 1. CISS.debian.installer
**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*The CISS Debian Installer provides a fully automated and hardened installation process.*<br>
**Master Version**: 8.00<br>
**Build**: V8.00.000.2025.06.17<br>
# 2. Hardened Kernel Boot Parameters
Below is a curated set of kernel boot parameters optimized for CISS Debian Installer. These parameters enhance security posture,
restrict legacy interfaces, enforce memory initialization, and disable speculative side channels. Each parameter is documented
with a short rationale.
* ``audit=1``: Enable kernel auditing subsystem.
* ``audit_backlog_limit=8192``: Set audit event buffer depth.
* ``cfi=kcfi``: Enable Clang's Control Flow Integrity (if supported by kernel).
* ``debugfs=off``: Disable debugfs mount, prevents access to kernel internals.
* ``efi=disable_early_pci_dma``: Prevent early PCI DMA via EFI.
* ``hardened_usercopy=1``: Harden copy_*_user() functions, mitigate heap/memcpy bugs.
* ``ia32_emulation=0``: Disable 32-bit x86 binary support on 64-bit kernel.
* ``init_on_alloc=1``: Zero-initialize heap memory on allocation.
* ``init_on_free=1``: Zero memory on free to prevent reuse data leaks.
* ``iommu=force``: Enforce use of IOMMU.
* ``iommu.strict=1``: Enable strict IOMMU mode (always remap).
* ``iommu.passthrough=0``: Prevent IOMMU passthrough (forces remapping).
* ``kfence.sample_interval=100``: Enable low-overhead heap-fence sampling.
* ``kvm.nx_huge_pages=force``: Enforce NX-bit for KVM hugepages to prevent code execution.
* ``l1d_flush=on``: Flush L1D cache on VM-entry to mitigate cache side-channels.
* ``lockdown=confidentiality``: Enable kernel lockdown in confidentiality mode.
* ``loglevel=0``: Silence all kernel messages (only EMERG shown).
* ``mitigations=auto,nosmt``: Enable all available speculative mitigations, disable SMT.
* ``mmio_stale_data=full,force,nosmt``: Mitigate MMIO stale data side channel fully.
* ``nosmt=force``: Force disable Simultaneous Multithreading (SMT/HT).
* ``oops=panic``: Trigger kernel panic on oops, ensures halt on fault.
* ``page_alloc.shuffle=1``: Randomize page allocator freelist order.
* ``page_poison=1``: Fill freed pages with poison patterns to detect UAF.
* ``panic=-1``: Prevent automatic reboot after panic.
* ``pti=on``: Enable Page Table Isolation (Meltdown mitigation).
* ``quiet``: Suppress all non-critical kernel messages.
* ``random.trust_bootloader=off``: Do not trust RNG state from bootloader.
* ``random.trust_cpu=off``: Do not trust CPU's RDRAND or RDSEED.
* ``randomize_kstack_offset=on``: Enable randomized kernel stack offset per syscall.
* ``randomize_va_space=2``: Enable full ASLR for mmap and heap.
* ``retbleed=auto,nosmt``: Mitigate Retbleed exploit path via branch prediction.
* ``rodata=on``: Enforce read-only sections for .rodata.
* ``slab_nomerge``: Disable merging of similar slab caches.
* ``vdso32=0``: Disable 32-bit vdso mapping (x86 compatibility).
* ``vsyscall=none``: Disable vsyscall legacy mapping.
---
**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**
<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->
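Review bot: several entries in this parameter list do not match what the installer actually sets, and two descriptions are inaccurate. `mmio_stale_data=full,force,nosmt`, `retbleed=auto,nosmt` and `quiet` are documented here, but the grub script in this commit sets `mmio_stale_data=full,force` and `retbleed=auto` and never adds `quiet`; the document and the script should be generated from, or at least checked against, one list. For `loglevel=0`, the loglevel parameter sets the console log level and only messages with a lower level are printed, so 0 suppresses everything on the console including EMERG; the "only EMERG shown" wording describes loglevel=1. `ia32_emulation=0` exists from kernel 6.7 on and `cfi=kcfi` needs a Clang-built kernel with CONFIG_CFI_CLANG; on the GCC-built 6.1 stock kernel of the bookworm release this installer pins, both are ignored, which is harmless but worth stating in the rationale so readers do not assume they are in effect.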


@@ -0,0 +1,361 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Hardening Grub boot parameter.
# Globals:
# TARGET
# VAR_GRUB_CMDLINE_LINUX
# VAR_SETUP_PATH
# Arguments:
# None
# Returns:
# 0: Successfully executed commands.
#######################################
setup_grub_bootparameter() {
### Install Kernel Hardening-Presets
cp "${VAR_SETUP_PATH}/includes/etc/sysctl.d/99_local.hardened" "${TARGET}/etc/sysctl.d/99_local.hardened"
chmod 0644 "${TARGET}/etc/sysctl.d/99_local.hardened"
### Entropy collection improvements
mkdir -p "${TARGET}/usr/lib/modules-load.d"
cat << EOF >| "${TARGET}/usr/lib/modules-load.d/30_security-misc.conf"
## https://www.whonix.org/wiki/Dev/Entropy
## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927972
## https://forums.whonix.org/t/jitterentropy-rngd/7204
jitterentropy_rng
EOF
chmod 0644 "${TARGET}/usr/lib/modules-load.d/30_security-misc.conf"
grub_extract_current_string
###########################################################################################
# Audit events need to be captured on processes that start up prior to auditd, #
# so that potential malicious activity cannot go undetected. During boot if audit=1, then #
# the backlog will hold 64 records. If more than 64 records are created during boot, #
# auditd records will be lost and potential malicious activity could go undetected #
###########################################################################################
VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} audit=1 audit_backlog_limit=8192"
###########################################################################################
# Distrusts CPU bootloader for initial entropy at boot. #
# Distrusts the CPU for initial entropy at boot, as it is not possible to audit, #
# may contain weaknesses or a backdoor. #
###########################################################################################
# https://en.wikipedia.org/wiki/RDRAND#Reception #
# https://twitter.com/pid_eins/status/1149649806056280069 #
# https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html
# https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566
# https://lkml.org/lkml/2022/6/5/271 #
###########################################################################################
VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} random.trust_cpu=off"
###########################################################################################
# Distrusts the bootloader for initial entropy at boot. #
# https://lkml.org/lkml/2022/6/5/271 #
###########################################################################################
VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} random.trust_bootloader=off"
###########################################################################################
# ASLR (Address Space Layout Randomization) causes central areas of memory to be assigned #
# random addresses each time a program is started. These include: Stack, Heap, Shared #
# libraries (e.g., libc), mmap regions, VDSO/VSyscall. The executable itself (only with #
# PIE binaries). The aim is to make it more difficult for attackers to predict memory #
# addresses, thereby preventing classic exploits that rely on known addresses from #
# succeeding. #
# 0: disabled Fixed memory addresses insecure, testable. #
# 1: Partial ASLR Heap, mmap are randomized, stack only partially randomized. #
# 2: Full ASLR (default) Stack, mmap, heap, VDSO, shared libraries all randomized. #
###########################################################################################
VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} randomize_va_space=2"
###########################################################################################
# Enables IOMMU to prevent DMA attacks. #
# intel_iommu=on amd_iommu=force_isolation iommu=force #
# Multiple IOMMU switches are redundant; iommu=force is usually sufficient. #
# Forces an IOMMU to be initialized and used completely, even if the BIOS or ACPI wanted #
# to disable it. It activates the basic DMA remapping function. However, it does not say #
# anything about how restrictive the mapping strategy is, passthrough, strict, see below #
###########################################################################################
VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} iommu=force"
###########################################################################################
# Enables strict enforcement of IOMMU TLB invalidation, so devices will never be able to #
# access stale data contents. #
# iommu.passthrough=0 #
# Prevents devices from operating in identity-mapped passthrough mode. Without this #
# parameter (or with =1), devices could be passed through without being monitored by the #
# IOMMU in a truly restrictive manner. From a security standpoint, iommu.passthrough=0 is #
# an important step toward DMA isolation for all devices, especially for untrusted PCI(e) #
# devices. #
# iommu.strict=1 #
# Enables Strict Mode for dma-iommu.c (i.e., all DMA transactions are validated #
# synchronously). Without this parameter, the kernel often runs in lazy mode, where #
# mapping caches are used. #
# Performance vs. security: strict=1= more secure, but potentially slower, especially #
# with many small DMA transfers. #
# https://github.com/torvalds/linux/blob/master/drivers/iommu/Kconfig#L97 #
# Page 11 of https://lenovopress.lenovo.com/lp1467.pdf #
###########################################################################################
VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} iommu.passthrough=0 iommu.strict=1"
###########################################################################################
# Disable the busmaster bit on all PCI bridges during very early boot to avoid holes in #
# IOMMU. #
# https://mjg59.dreamwidth.org/54433.html #
# https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94
###########################################################################################
VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} efi=disable_early_pci_dma"
###########################################################################################
# Disables the merging of slabs of similar sizes. #
# Sometimes a slab can be used vulnerably, which an attacker can exploit. #
###########################################################################################
VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} slab_nomerge"
###########################################################################################
# Zero memory at allocation and free time. #
###########################################################################################
VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} init_on_alloc=1 init_on_free=1"
###########################################################################################
# This option randomizes page allocator freelists, improving security by making page #
# allocations less predictable. This also improves performance. #
###########################################################################################
VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} page_alloc.shuffle=1"
###########################################################################################
# When releasing (i.e., free_pages()), all bytes with a marker value (e.g., 0xAA) are #
# overwritten. If later code (accidentally or maliciously) accesses this page, it will #
# most likely crash or produce recognizable artifacts. Only supported if the kernel was #
# built with CONFIG_PAGE_POISONING=y (default on Debian: enabled since Bookworm). #
###########################################################################################
VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} page_poison=1"
###########################################################################################
# Enables Kernel Page Table Isolation, which mitigates Meltdown, improves KASLR. #
###########################################################################################
VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} pti=on"
###########################################################################################
# The setting 'vsyscall' is obsolete, are at fixed addresses and are a target for ROP. #
###########################################################################################
VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} vsyscall=none"
###########################################################################################
# The kernel adds a small random padding offset to the stack pointer with every system #
# call or kernel entry. The starting point for local variables is at a different position #
# within the stack with every call. This makes ROP chains (return-oriented programming) #
# or stack pivoting attacks significantly more difficult. #
###########################################################################################
VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} randomize_kstack_offset=on"
###########################################################################################
# Prevents the debugfsfile system from being made available at boot time. This is a #
# useful hardening measure because debugfs reveals a lot of potentially security-relevant #
# kernel information by default, which can be misused by normal users (and by exploits). #
###########################################################################################
VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} debugfs=off"
###########################################################################################
# Force the kernel to panic on "oopses" (which may be due to false positives). #
# panic=N (e.g., panic=60): Wait N seconds and then reboot. #
# panic=0 No automatic action (System remains stuck in panic state). #
# panic=-1 Also explicitly prevents any automatic reboot. #
###########################################################################################
VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} oops=panic panic=-1"
###########################################################################################
# Enable a subset of known mitigations for CPU vulnerabilities and disable SMT. #
# mitigations=auto Enables all available CPU-specific security measures based on the #
# detected CPU, microcode version, and kernel build configuration, if applicable. #
# 'nosmt' Disables Simultaneous Multithreading (SMT) (e.g., Hyper-Threading on Intel) #
# system-wide to prevent shared cache attacks (SMoTHER, MDS, L1TF, TAA, Snoop-assisted). #
# Why is 'mitigations=auto,nosmt' better than setting everything manually? #
# Automatically adjusted: Depending on CPU family, stepping, microcode. #
# Consistency guaranteed: No contradictions between flags possible #
# (e.g., spec_store_bypass_disable=on vs. nospec_store_bypass_disable=off). #
# Future-proof: Even new kernel features (e.g., bhi=flush or srbds) are automatically #
# activated without having to know about them. #
###########################################################################################
VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} mitigations=auto,nosmt"
###########################################################################################
# If mitigations=auto,nosmt is set, see before, then these flags should not be set #
# individually because they are redundant. Enable mitigations for both Spectre Variant 2 #
# (indirect branch speculation) and Intel branch history injection (BHI) vulnerabilities. #
# https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html #
###########################################################################################
# VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} spectre_v2=on spectre_v2_user=on spectre_bhi=on"
###########################################################################################
# If mitigations=auto,nosmt is set, see before, then these flags should not be set #
# individually because they are redundant. #
# Disable Speculative Store Bypass (Spectre Variant 4). #
# https://www.suse.com/support/kb/doc/?id=000019189 #
###########################################################################################
# VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} spec_store_bypass_disable=on nospec_store_bypass_disable=off"
###########################################################################################
# If mitigations=auto,nosmt is set, see before, then these flags should not be set #
# individually because they are redundant. #
# Enable mitigations for the L1TF vulnerability through disabling SMT and L1D flush #
# runtime control. #
# https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html #
###########################################################################################
# VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} l1tf=full,force"
###########################################################################################
# If mitigations=auto,nosmt is set, see before, then these flags should not be set #
# individually because they are redundant. #
# Enable mitigations for the MDS vulnerability through clearing buffer cache #
# and disabling SMT. #
# https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html #
###########################################################################################
# VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} mds=full,nosmt"
###########################################################################################
# If mitigations=auto,nosmt is set, see before, then these flags should not be set #
# individually because they are redundant. #
# Patches the TAA vulnerability by disabling TSX and enables mitigations using TSX Async #
# Abort along with disabling SMT. #
# https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html #
###########################################################################################
# VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} tsx=off tsx_async_abort=full,nosmt"
###########################################################################################
# Mark all huge pages in the EPT as non-executable to mitigate iTLB multihit. #
# https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html #
###########################################################################################
VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} kvm.nx_huge_pages=force"
###########################################################################################
# Force disable SMT as it has caused numerous CPU vulnerabilities. #
# The only full mitigation of cross-HT attacks is to disable SMT. #
# https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html #
###########################################################################################
VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} nosmt=force"
###########################################################################################
# Enables the prctl interface to prevent leaks from L1D on context switches. #
# https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1d_flush.html #
###########################################################################################
VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} l1d_flush=on"
###########################################################################################
# Mitigates numerous MMIO Stale Data vulnerabilities and disables SMT. #
# mmio_stale_data=off No mitigation (unsafe) #
# mmio_stale_data=full All known measures active #
# mmio_stale_data=full,nosmt Full mitigation + SMT disabling #
# mmio_stale_data=auto Activated depending on CPU/microcode #
# mmio_stale_data=full,force Forces mitigation even on CPUs that are supposedly not #
# affected #
# https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html
###########################################################################################
VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} mmio_stale_data=full,force"
###########################################################################################
# Enable mitigations for RETBleed (Arbitrary Speculative Code Execution with #
# Return Instructions) vulnerability and disable SMT. #
# If 'mitigations=auto,nosmt' is set, the kernel already activates all retbleed-relevant #
# mitigations, provided the CPU is affected; 'retbleed=auto,nosmt' explicitly overrides #
# the internal assessment and forces full protection. If maximum hardening is required, #
# and one does not want to rely on "auto-detection" then it is recommended to additionally#
# set 'retbleed=auto,nosmt' otherwise, 'mitigations=auto,nosmt' is sufficient. #
# https://www.suse.com/support/kb/doc/?id=000020693 #
###########################################################################################
VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} retbleed=auto"
###########################################################################################
# Enables kernel lockdown mode with a focus on confidentiality. The kernel is #
# configured in such a way that even privileged users (such as root) have limited access #
# to kernel data and debug mechanisms. 'confidentiality': Maximum restriction to ensure #
# the security and integrity of the system. This prevents direct access to hardware and #
# debug interfaces, for example. Useful for highly secure environments as it reduces the #
# attack surface to kernel data. However, some applications that require debugging or #
# hardware access may have problems. #
# https://blog.cloudflare.com/de-de/linux-kernel-hardening/ #
# https://www.linux-magazine.com/Issues/2020/239/Lockdown-Mode #
###########################################################################################
VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} lockdown=confidentiality"
###########################################################################################
# Enables 'Read-Only Data Protection', which implements read-only memory areas #
# for kernel data structures. This protects the kernel from certain types of exploit #
# (e.g., buffer overflows). 'on': Forces the corresponding areas to remain read-only. #
# https://www.kernel.org/doc/html/v6.10/admin-guide/kernel-parameters.html #
###########################################################################################
VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} rodata=on"
###########################################################################################
# Kernel Electric-Fence (KFENCE) is a low-overhead sampling-based memory safety #
# error detector. KFENCE detects heap out-of-bounds access, use-after-free, and #
# invalid-free errors. KFENCE is designed to be enabled in production kernels, and has #
# near zero performance overhead. Compared to KASAN, KFENCE trades performance for #
# precision. The main motivation behind KFENCEs design is that with enough total uptime #
# KFENCE will detect bugs in code paths not typically exercised by non-production test #
# workloads. One way to quickly achieve a large enough total uptime is when the tool is #
# deployed across a large fleet of machines. #
# https://docs.kernel.org/dev-tools/kfence.html #
###########################################################################################
VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} kfence.sample_interval=100"
###########################################################################################
# CFI Ensures that only controlled, predefined transitions are possible in the #
# programs' control flow. kcfi (Kernel Control Flow Integrity): Specific implementation of#
# CFI for the Linux kernel that is particularly robust and provides accurate control flow #
# validation. kcfi relies on compiler-based technologies (e.g., LLVM) that insert special #
# checks and instrumentation into the kernel code. #
# https://kspp.github.io/Recommended_Settings#kernel-command-line-options #
###########################################################################################
VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} cfi=kcfi"
###########################################################################################
# Remove additional (32-bit) attack surface, unless you really need them. #
# https://www.kernel.org/doc/html/v6.10/admin-guide/kernel-parameters.html #
# https://kspp.github.io/Recommended_Settings#kernel-command-line-options #
###########################################################################################
VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} ia32_emulation=0"
###########################################################################################
# Removes mapping for 32-bit VDSO (for ia32binaries). On 32-bit processes that rely on #
# VDSO, this causes a fallback to classic syscalls (slower) or errors. On a system #
# without CONFIG_IA32_EMULATION or with ia32_emulation=0, vdso32=0 is effective but #
# redundant. #
###########################################################################################
VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} vdso32=0"
###########################################################################################
# Checks every copy_to_user() / copy_from_user()operation. Prevents kernels from #
# accidentally copying unallocated memory to userspace. Stop exploits that trigger #
# buffer overflows or use-after-free via copy_*_user(), for example. Effect: Detects #
# heap/SLOB abuse, overwrites. Leads to BUG() & stack trace if suspicious access is #
# detected. #
###########################################################################################
VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} hardened_usercopy=1"
###########################################################################################
# Sets the minimum log output of the kernel at boot time to level 0 (= KERN_EMERG). #
###########################################################################################
VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} loglevel=0"
grub_finalize_string
do_in_target "${TARGET}" update-grub
do_log "info" "true" "Setting GRUB kernel parameters: ${VAR_GRUB_CMDLINE_LINUX}"
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
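Review bot: `randomize_va_space=2` in `VAR_GRUB_CMDLINE_LINUX="${VAR_GRUB_CMDLINE_LINUX} randomize_va_space=2"` is not a kernel command-line parameter; ASLR is controlled by the sysctl kernel.randomize_va_space (the boot-time counterpart is norandmaps), and an unrecognised token is simply handed to init. Either drop it (2 is already the default), pass `sysctl.kernel.randomize_va_space=2` on the command line, or put it in the 99_local.hardened sysctl file this function installs. Two smaller points: the retbleed block's own comment recommends `retbleed=auto,nosmt` for maximum hardening while the code sets `retbleed=auto`, and the mmio block sets `full,force` without `nosmt`; with `nosmt=force` already present this is functionally moot, but comment, code and BOOTPARAMS.md should agree. Finally, `do_in_target "${TARGET}" update-grub` runs before the parameters are logged, so a failing update-grub leaves no record of the command line that was attempted; log first, and check its exit status rather than unconditionally returning 0.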


@@ -0,0 +1,55 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Install microcode updates depending on architecture (amd64, arm64, intel64) and environment (Baremetal, VM)
# Globals:
# TARGET
# Arguments:
# None
# Returns:
# 0: Successfully executed commands.
#######################################
installation_microcode() {
declare var_microcode_pkgs=""
declare var_whereiam; var_whereiam=$(virt-what | head -n1)
[[ -z "${var_whereiam}" ]] && var_whereiam="baremetal"
declare var_cpu_vendor; var_cpu_vendor=$(lscpu | awk -F: '/Vendor ID/ {print $2}' | xargs)
case "${var_cpu_vendor}" in
*AuthenticAMD*) var_microcode_pkgs="amd64-microcode" ;;
*GenuineIntel*) var_microcode_pkgs="intel-microcode" ;;
""|*ARM*|*arm*|*) var_microcode_pkgs=""; do_log "info" "true" "ARM or unknown CPU detected skipping microcode install" ;;
esac
###########################################################################################
# Generally, it is best to let the hypervisor handle CPU microcode updates. #
###########################################################################################
if [[ "${var_whereiam}" != "kvm" && -n "${var_microcode_pkgs}" ]]; then
if ! do_in_target "${TARGET}" dpkg -l "${var_microcode_pkgs}" >/dev/null 2>&1; then
do_in_target "${TARGET}" apt-get install -y "${var_microcode_pkgs}"
fi
else
do_log "info" "true" "Skipping microcode install (${var_whereiam}, ${var_microcode_pkgs:-none})"
fi
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
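Review bot: the hypervisor check `if [[ "${var_whereiam}" != "kvm" && -n "${var_microcode_pkgs}" ]]` only skips microcode on kvm, while the comment above says the hypervisor should handle microcode in general; virt-what also reports vmware, xen, hyperv, qemu and others, so either skip whenever virt-what prints anything (`var_whereiam != baremetal`) or list the intended exceptions explicitly. virt-what needs root and can print several lines, so `head -n1` may pick a generic entry; a case over the full output is more robust. The pattern `""|*ARM*|*arm*|*)` is redundant because `*` already matches everything. `dpkg -l` exits 0 for packages that are in the status database but not installed (for example removed with config files left), so the guard can skip a needed install; use `dpkg-query -W -f='${Status}' pkg` and test for "install ok installed", or simply rely on apt-get install being idempotent. The header comment says the choice depends on architecture (amd64, arm64, intel64), but the code only looks at the CPU vendor, which is the better approach; update the comment to match.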


@@ -0,0 +1,328 @@
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
### Version Master V8.03.864.2025.07.15
### https://docs.kernel.org/
### https://github.com/a13xp0p0v/kernel-hardening-checker/
### https://kspp.github.io/
### https://linux-audit.com/tags/kernel/
###########################################################################################
# Warning
# Be careful not to lock yourself out of your system after a reboot due to incorrect
# settings. For example, 'kernel.modules_disabled=1' will generally prevent the network
# stack from being brought up after a reboot, which means NO SSH.
###########################################################################################
##### Linux Kernel #####
### Disable loading new modules. Be careful with using this option!
kernel.modules_disabled=1
### Restricting access to kernel pointers.
kernel.kptr_restrict=2
### Restricting access to kernel logs.
kernel.dmesg_restrict=1
###########################################################################################
# Despite the value of dmesg_restrict, the kernel log will still be displayed in the
# console during boot.
# This option prevents those information leaks.
###########################################################################################
kernel.printk=3 3 3 3
### Restricting eBPF to the CAP_BPF capability
kernel.unprivileged_bpf_disabled=1
net.core.bpf_jit_harden=2
### Restricting loading TTY line disciplines to the CAP_SYS_MODULE capability
dev.tty.ldisc_autoload=0
###########################################################################################
# The userfaultfd() syscall is often abused to exploit use-after-free flaws.
# This sysctl is used to restrict this syscall to the CAP_SYS_PTRACE capability.
###########################################################################################
vm.unprivileged_userfaultfd=0
###########################################################################################
# kexec is a system call that is used to boot another kernel during runtime.
# This functionality can be abused to load a malicious kernel and gain arbitrary code
# execution in kernel mode, so this sysctl disables it.
###########################################################################################
kernel.kexec_load_disabled=1
###########################################################################################
# Prevents unprivileged users from creating their own user namespaces, potentially
# enabling exploits. This is a good additional safeguard.
###########################################################################################
kernel.unprivileged_userns_clone=0
###########################################################################################
# The SysRq key exposes a lot of potentially dangerous debugging functionality to
# unprivileged users. You can set the value to 0 to disable SysRq completely.
###########################################################################################
kernel.sysrq=0
### Randomize memory space.
kernel.randomize_va_space=2
###########################################################################################
# These prevent creating files in potentially attacker-controlled environments, such as
# world-writable directories.
###########################################################################################
fs.protected_fifos=2
fs.protected_regular=2
###########################################################################################
# This only permits symlinks to be followed when outside a world-writable sticky directory,
# when the owner of the symlink and follower match or when the directory owner matches the
# symlink's owner.
###########################################################################################
fs.protected_symlinks=1
fs.protected_hardlinks=1
###########################################################################################
# ptrace is a system call that allows a program to alter and inspect another running
# process, which allows attackers to trivially modify the memory of other running programs.
# 0 - classic ptrace permissions:
# a process can PTRACE_ATTACH to any other process running under the same uid,
# as long as it is dumpable (i.e., did not transition uids,
# start privileged, or have called prctl(PR_SET_DUMPABLE...) already).
# Similarly, PTRACE_TRACEME is unchanged.
#
# 1 - restricted ptrace:
# a process must have a predefined relationship with the inferior it wants to call
# PTRACE_ATTACH on. By default, this relationship is that of only its descendants when the
# above classic criteria is also met. To change the relationship, an inferior can call
# prctl(PR_SET_PTRACER, debugger, ...) to declare an allowed debugger PID to call
# PTRACE_ATTACH on the inferior. Using PTRACE_TRACEME is unchanged.
#
# 2 - admin-only attach:
# only processes with CAP_SYS_PTRACE may use ptrace, either with PTRACE_ATTACH or through
# children calling PTRACE_TRACEME.
#
# 3 - no attach:
# no processes may use ptrace with PTRACE_ATTACH nor via PTRACE_TRACEME. Once set, this
# sysctl value cannot be changed.
###########################################################################################
kernel.yama.ptrace_scope=2
### Use filename based on core_pattern value
kernel.core_uses_pid=1
###########################################################################################
# Performance events add considerable kernel attack surface and have caused abundant
# vulnerabilities. Be careful ! Performance might be affected ! Here turned off by default.
###########################################################################################
#kernel.perf_event_paranoid=2
###########################################################################################
# ASLR is a common exploit mitigation that randomizes the position of critical parts of a
# process in memory. This can make a wide variety of exploits harder to pull off, as they
# first require an information leak. The above settings increase the bits of entropy used
# for mmap ASLR, improving its effectiveness. The values of these sysctls must be set in
# relation to the CPU architecture. The above values are compatible with x86, but other
# architectures may differ.
###########################################################################################
vm.mmap_rnd_bits=32
vm.mmap_rnd_compat_bits=16
###########################################################################################
# In addition to ASLR hardening, one could adjust the behavior for memory overbooking.
# Determines how the kernel provides the available memory for processes:
# - 0 (default): kernel decides heuristically whether memory allocations are allowed.
# - 1: Memory is always allocated, even if it is not physically available; can lead to
# out-of-memory errors.
# - 2: The kernel only allows memory allocations up to the available physical memory + swap
# (safe mode).
#vm.overcommit_memory=2
# Specifies how much of the available physical memory (plus swap) can be made available
# for memory allocations when vm.overcommit_memory=2 is active.
# The value is a percentage.
# 50: Up to 50% of the physical memory can be reserved for memory-intensive applications.
###########################################################################################
#vm.overcommit_ratio=50
###########################################################################################
# Reduces the likelihood of important data remaining unsecured in RAM for too long.
# Specifies the percentage of the total memory that can be filled with changed (dirty) data
# before it is written to the permanent memory (e.g., the hard disk).
# 15: If 15% of the RAM is occupied by dirty pages, a background flush process is triggered
# to write this data.
#vm.dirty_ratio=15
# Specifies the percentage of total memory at which the kernel starts writing dirty pages
# in the background before the dirty_ratio threshold is reached.
# 5: The kernel starts writing data in the background when 5% of RAM is occupied with
# dirty pages.
###########################################################################################
#vm.dirty_background_ratio=5
###########################################################################################
# Similar to core dumps, swapping or paging copies parts of memory to disk, which can
# contain sensitive information. The kernel should be configured to only swap if absolutely
# necessary.
###########################################################################################
#vm.swappiness=1
### This setting minimizes swapping, which is useful for servers.
### However, one could also consider vm.swappiness=0 if enough RAM is available.
# vm.swappiness=0
###########################################################################################
# Process that runs with elevated privileges may still dump their memory even after these
# settings.
###########################################################################################
fs.suid_dumpable=0
kernel.core_pattern= | /bin/false
### Disable User Namespaces, as it opens up a large attack surface to unprivileged users.
#user.max_user_namespaces=0
###########################################################################################
# Reboot after even 1 WARN or BUG/Oops. Adjust for your tolerances. (Since v6.2)
# If you want to set oops_limit greater than one, you will need to disable
# CONFIG_PANIC_ON_OOPS.
###########################################################################################
kernel.warn_limit=1
kernel.oops_limit=1
###########################################################################################
# Disable TIOCSTI, which is used to inject keypresses.
# (This will, however, break screen readers.)
###########################################################################################
dev.tty.legacy_tiocsti=0
###########################################################################################
# IO_uring has yielded some security concerns and vulnerabilities,
# particularly for those sticking to older versions of the Linux kernel.
# There have also been IO_uring integration issues with the Linux security subsystem.
###########################################################################################
#kernel.io_uring_disabled=2
##### Network Stack #####
### Disable IP source routing, we are not a router:
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0
###########################################################################################
# This setting makes your system ignore all ICMP requests to avoid Smurf attacks, make
# the device more difficult to enumerate on the network and prevent clock fingerprinting
# through ICMP timestamps.
###########################################################################################
net.ipv4.icmp_echo_ignore_all=1
### Enable ignoring broadcast request.
net.ipv4.icmp_echo_ignore_broadcasts=1
### This helps protect against SYN flood attacks
net.ipv4.tcp_syncookies=1
###########################################################################################
# This protects against time-wait assassination by dropping RST packets for sockets in
# the time-wait state.
###########################################################################################
net.ipv4.tcp_rfc1337=1
###########################################################################################
# These enable source validation of packets received from all interfaces of the machine.
# This protects against IP spoofing, in which an attacker sends a packet with a fraudulent
# IP address.
###########################################################################################
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
###########################################################################################
# This disables ICMP redirect acceptance and sending to prevent man-in-the-middle attacks
# and minimize information disclosure.
###########################################################################################
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
###########################################################################################
# A martian packet is a packet with a source address, which is obviously wrong -
# nothing could possibly be routed back to that address.
###########################################################################################
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1
###########################################################################################
# Deactivates IP forwarding. This means that the system discards packets that are not
# intended for its own IP addresses. It therefore does not act as a router and does not
# forward data packets between network interfaces.
###########################################################################################
net.ipv4.conf.all.forwarding=0
###########################################################################################
# Disabling RA prevents the system from receiving routing information from potentially
# insecure or compromised routers. This is particularly important for servers that use
# static network configurations and should not dynamically accept new IPv6 routes or
# prefixes. An attacker could otherwise use forged RA messages to change the network route
# and redirect traffic, for example.
###########################################################################################
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0
###########################################################################################
# These parameters relate to secure ICMP redirects. ICMP redirects are messages that a
# router sends to a device to inform it that there is a better route for the data traffic.
# This setting prevents the system from responding to redirects that have been spoofed by
# potential attackers to redirect traffic (e.g., for man-in-the-middle attacks).
###########################################################################################
net.ipv4.conf.all.secure_redirects=1
net.ipv4.conf.default.secure_redirects=1
###########################################################################################
# This setting prevents the disclosure of TCP timestamps that can be used for system
# fingerprinting:
###########################################################################################
net.ipv4.tcp_timestamps=0
###########################################################################################
# To make ARP spoofing attacks more difficult. Defines how the system responds to ARP
# requests.
# - 0 (default): Responds to every request, including IPs configured on other interfaces.
# - 1: Only responds to requests that are specifically intended for the IP of the
# respective interface. Increases security by preventing ARP spoofing attacks, as the
# system does not send unnecessary ARP responses.
###########################################################################################
net.ipv4.conf.all.arp_ignore=1
net.ipv4.conf.default.arp_ignore=1
###########################################################################################
# To minimize attacks on half-open connections.
# Specifies the maximum number of connection requests (SYN packets)
# that can be held in the connection establishment state (SYN_RECV) in the queue.
# 4096: A generous queue to better intercept SYN flood attacks.
# Useful for systems with high network traffic, or if protection against DoS attacks
# needs to be improved:
###########################################################################################
net.ipv4.tcp_max_syn_backlog=4096
###########################################################################################
# Specifies the maximum number of SYN/ACK retries before the connection is aborted:
# 2: The kernel will only send a SYN/ACK twice before dropping the connection.
# Reduces the time and effort wasted on inactive connection requests.
# This improves performance and protects against SYN flood attacks, but could cause
# problems on poor networks.
###########################################################################################
net.ipv4.tcp_synack_retries=2
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
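Review bot: `net.ipv4.conf.all.secure_redirects` and `net.ipv4.conf.default.secure_redirects` are set to `0` in the ICMP-redirect block and then to `1` again in the later "secure ICMP redirects" block; sysctl applies a file top to bottom, so the second assignment wins and the first one (and its comment) is dead. With `accept_redirects=0` on both `all` and `default` the value of `secure_redirects` does not matter, so drop the second block or make the two agree. Further points in this file: `kernel.modules_disabled=1` ships active even though the header warns it can leave the machine without network after a reboot; /etc/sysctl.d is applied by systemd-sysctl early in boot, so every module needed later (netfilter/nftables, filesystems, crypto) must already be loaded or listed in modules-load.d, which argues for shipping it commented out like `kernel.perf_event_paranoid` and `kernel.io_uring_disabled`, or gating it behind an explicit config option. `kernel.warn_limit=1` turns a single WARN_ON in any driver into a reboot, which on a headless server is a self-inflicted DoS; `kernel.oops_limit=1` is the defensible half of that pair. `net.ipv4.conf.all.forwarding=0` has no IPv6 counterpart (`net.ipv6.conf.all.forwarding=0`). `kernel.unprivileged_userns_clone` exists only on kernels carrying Debian's patch; on any other kernel the line just logs an error, and the upstream equivalent is the commented-out `user.max_user_namespaces=0`. Finally, `net.ipv4.icmp_echo_ignore_all=1` breaks ping-based monitoring and `net.ipv4.tcp_timestamps=0` disables PAWS and RTT estimation; both are legitimate choices but should be named as operational trade-offs in the comments next to them.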


@@ -1,361 +0,0 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-02-13; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-ExternalRef: GIT https://cendev.eu/marc.weidner/CISS.2025.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <cendev@coresecret.eu>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.2025.hardened.installer framework.
# SPDX-PackageName: CISS.2025.hardened.installer
# SPDX-Security-Contact: security@coresecret.eu
###########################################################################################
# 3.8.1. Functions - installation - setup grub hardening #
###########################################################################################
# TODO Important insert cryptdevice=UUID=881366ae-61ee-4ee0-893c-0def27c78c9e:cryptroot root=/dev/mapper/vg00-root
# TODO Important insert GRUB_CMDLINE_LINUX_DEFAULT="net.ifnames=0 biosdevname=0 ip=152.53.66.126::152.53.64.1:255.255.252.0:soc:ens3:none"
###########################################################################################
# Hardening Grub boot parameter
# Globals:
# DIR_BAK
# DIR_LOG
# GRUB_CMDLINE_LINUX
# MODULE_ERR
# MODULE_TXT
# PATH_ABS
# TARGET
# arch
# Arguments:
# None
###########################################################################################
3_8_1_functions_installation_setup_grub_bootparameter() {
declare -g -x MODULE_ERR="3_8_1_functions_installation_setup_grub_bootparameter"
declare -g -x MODULE_TXT="Setup GRUB bootparameter"
do_show_header "${MODULE_TXT}"
###########################################################################################
# Remarks: Kernel Hardening Preparation #
###########################################################################################
declare WHEREIAM
WHEREIAM=$(virt-what)
declare TIMESTAMP
TIMESTAMP=$(do_get_timestamp)
# shellcheck disable=SC2129
echo "${TIMESTAMP}" >> "${DIR_LOG}"cpu.log
grep . /sys/devices/system/cpu/vulnerabilities/* >> "${DIR_LOG}"cpu.log
spectre-meltdown-checker --explain >> "${DIR_LOG}"cpu.log
###########################################################################################
# Remarks: Setup Kernel Default- and Hardening-Presets #
###########################################################################################
cp "${PATH_ABS}"/.assets/99_local.hardened "${TARGET}"/etc/sysctl.d/99_local.hardened
chmod 0644 "${TARGET}"/etc/sysctl.d/99_local.hardened
cp "${PATH_ABS}"/.assets/99_local.defaults "${TARGET}"/etc/sysctl.d/99_local.defaults
chmod 0644 "${TARGET}"/etc/sysctl.d/99_local.defaults
###########################################################################################
# Remarks: Entropy collection improvements #
###########################################################################################
if [[ ! -d "${TARGET}"/usr/lib/modules-load.d ]]; then
mkdir -p "${TARGET}"/usr/lib/modules-load.d
fi
touch "${TARGET}"/usr/lib/modules-load.d/30_security-misc.conf
chmod 0644 "${TARGET}"/usr/lib/modules-load.d/30_security-misc.conf
cat << EOF >> "${TARGET}"/usr/lib/modules-load.d/30_security-misc.conf
## https://www.whonix.org/wiki/Dev/Entropy
## https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927972
## https://forums.whonix.org/t/jitterentropy-rngd/7204
jitterentropy_rng
EOF
do_help_grub_extract_current_string
declare -g -x MODULE_ERR="3_8_1_functions_installation_setup_grub_bootparameter"
###########################################################################################
# Remarks: Audit events need to be captured on processes that start up prior to auditd , #
# so that potential malicious activity cannot go undetected. During boot if audit=1, then #
# the backlog will hold 64 records. If more than 64 records are created during boot, #
# auditd records will be lost and potential malicious activity could go undetected #
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} audit=1 audit_backlog_limit=8192"
###########################################################################################
# Remarks: Distrusts CPU bootloader for initial entropy at boot #
# Distrusts the CPU for initial entropy at boot, as it is not possible to audit, #
# may contain weaknesses or a backdoor. #
###########################################################################################
# https://en.wikipedia.org/wiki/RDRAND#Reception
# https://twitter.com/pid_eins/status/1149649806056280069
# https://archive.nytimes.com/www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html
# https://forums.whonix.org/t/entropy-config-random-trust-cpu-yes-or-no-rng-core-default-quality/8566
# https://lkml.org/lkml/2022/6/5/271
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} random.trust_cpu=off"
###########################################################################################
# Distrusts the bootloader for initial entropy at boot. #
# https://lkml.org/lkml/2022/6/5/271 #
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} random.trust_bootloader=off"
###########################################################################################
# Remarks: Enables IOMMU to prevent DMA attacks. #
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} intel_iommu=on amd_iommu=force_isolation"
###########################################################################################
# Remarks: Disable the busmaster bit on all PCI bridges during very early boot to avoid #
# holes in IOMMU. #
# may contain weaknesses or a backdoor. #
###########################################################################################
# https://mjg59.dreamwidth.org/54433.html
# https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=4444f8541dad16fefd9b8807ad1451e806ef1d94
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} efi=disable_early_pci_dma"
###########################################################################################
# Remarks: Enables strict enforcement of IOMMU TLB invalidation so devices will never be #
# able to access stale data contents. #
# https://github.com/torvalds/linux/blob/master/drivers/iommu/Kconfig#L97 #
# Page 11 of https://lenovopress.lenovo.com/lp1467.pdf #
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} iommu=force iommu.passthrough=0 iommu.strict=1"
###########################################################################################
# Remarks: Disables the merging of slabs of similar sizes. #
# Sometimes a slab can be used vulnerably, which an attacker can exploit. #
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} slab_nomerge"
###########################################################################################
# Remarks: Zero memory at allocation and free time. #
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} init_on_alloc=1 init_on_free=1"
###########################################################################################
# Remarks: This option randomizes page allocator freelists, improving security by making #
# page allocations less predictable. This also improves performance. #
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} page_alloc.shuffle=1"
###########################################################################################
# Remarks: Enables Kernel Page Table Isolation, which mitigates Meltdown, improves KASLR #
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} pti=on"
###########################################################################################
# Remarks: vsyscall is obsolete, are at fixed addresses and are a target for ROP. #
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} vsyscall=none"
###########################################################################################
# Remarks: Enables randomization of the kernel stack offset on syscall entries #
# (introduced in kernel 5.13). https://lkml.org/lkml/2019/3/18/246 #
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} randomize_kstack_offset=on"
###########################################################################################
# Remarks: Restrict access to debugfs since it can contain a lot of sensitive information.#
# https://lkml.org/lkml/2020/7/16/122 #
# https://github.com/torvalds/linux/blob/fb1201aececc59990b75ef59fca93ae4aa1e1444/Documentation/admin-guide/kernel-parameters.txt#L835-L848
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} debugfs=off"
###########################################################################################
# Remarks: Force the kernel to panic on "oopses" (which may be due to false positives). #
# Reboot devices immediately if kernel experiences an Oops. #
# https://kspp.github.io/Recommended_Settings #
# https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} oops=panic panic=-1"
###########################################################################################
# Remarks: Enable a subset of known mitigations for CPU vulnerabilities and disable SMT. #
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} mitigations=auto,nosmt"
###########################################################################################
# Remarks: Enable mitigations for both Spectre Variant 2 (indirect branch speculation) #
# and Intel branch history injection (BHI) vulnerabilities. #
# https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/spectre.html #
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} spectre_v2=on spectre_v2_user=on spectre_bhi=on"
###########################################################################################
# Remarks: Disable Speculative Store Bypass (Spectre Variant 4). #
# https://www.suse.com/support/kb/doc/?id=000019189 #
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} spec_store_bypass_disable=on nospec_store_bypass_disable=off"
###########################################################################################
# Remarks: Enable mitigations for the L1TF vulnerability through disabling SMT and L1D #
# flush runtime control. #
# https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1tf.html #
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} l1tf=full,force"
###########################################################################################
# Remarks: Enable mitigations for the MDS vulnerability through clearing buffer cache #
# and disabling SMT. #
# https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html #
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} mds=full,nosmt"
###########################################################################################
# Remarks: Patches the TAA vulnerability by disabling TSX and enables mitigations using #
# TSX Async Abort along with disabling SMT. #
# https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/tsx_async_abort.html #
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} tsx=off tsx_async_abort=full,nosmt"
###########################################################################################
# Remarks: Mark all huge pages in the EPT as non-executable to mitigate iTLB multihit. #
# https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/multihit.html #
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} kvm.nx_huge_pages=force"
###########################################################################################
# Remarks: Force disable SMT as it has caused numerous CPU vulnerabilities. #
# The only full mitigation of cross-HT attacks is to disable SMT. #
# https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/core-scheduling.html #
# https://forums.whonix.org/t/should-all-kernel-patches-for-cpu-bugs-be-unconditionally-enabled-vs-performance-vs-applicability/7647/17
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} nosmt=force"
###########################################################################################
# Remarks: Enables the prctl interface to prevent leaks from L1D on context switches. #
# https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/l1d_flush.html #
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} l1d_flush=on"
###########################################################################################
# Remarks: Mitigates numerous MMIO Stale Data vulnerabilities and disables SMT. #
# https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/processor_mmio_stale_data.html
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} mmio_stale_data=full,nosmt"
###########################################################################################
# Remarks: Enable mitigations for RETBleed (Arbitrary Speculative Code Execution with #
# Return Instructions) vulnerability and disable SMT. #
# https://www.suse.com/support/kb/doc/?id=000020693 #
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} retbleed=auto,nosmt"
###########################################################################################
# Remarks: Enables kernel lockdown mode with a focus on confidentiality. The kernel is #
# configured in such a way that even privileged users (such as root) have limited access #
# to kernel data and debug mechanisms. 'confidentiality': Maximum restriction to ensure #
# the security and integrity of the system. This prevents direct access to hardware and #
# debug interfaces, for example. Useful for highly secure environments as it reduces the #
# attack surface to kernel data. However, some applications that require debugging or #
# hardware access may have problems. #
# https://blog.cloudflare.com/de-de/linux-kernel-hardening/ #
# https://www.linux-magazine.com/Issues/2020/239/Lockdown-Mode #
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} lockdown=confidentiality"
###########################################################################################
# Remarks: Enables 'Read-Only Data Protection', which implements read-only memory areas #
# for kernel data structures. This protects the kernel from certain types of exploit #
# (e.g., buffer overflows). 'on': Forces the corresponding areas to remain read-only. #
# https://www.kernel.org/doc/html/v6.10/admin-guide/kernel-parameters.html #
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} rodata=on"
###########################################################################################
# Remarks: Meaning:Enables initialization or overwriting of released memory so-called #
# 'poisoning' with special values. This helps to detect errors caused by the use of #
# already released memory (Use-After-Free). '1': Enables the function. Good for debugging #
# and security checks, but can slightly affect performance. #
# https://www.kernel.org/doc/html/v6.10/admin-guide/kernel-parameters.html #
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} page_poison=1"
###########################################################################################
# Remarks: Kernel Electric-Fence (KFENCE) is a low-overhead sampling-based memory safety #
# error detector. KFENCE detects heap out-of-bounds access, use-after-free, and #
# invalid-free errors. KFENCE is designed to be enabled in production kernels, and has #
# near zero performance overhead. Compared to KASAN, KFENCE trades performance for #
# precision. The main motivation behind KFENCEs design is that with enough total uptime #
# KFENCE will detect bugs in code paths not typically exercised by non-production test #
# workloads. One way to quickly achieve a large enough total uptime is when the tool is #
# deployed across a large fleet of machines. #
# https://docs.kernel.org/dev-tools/kfence.html #
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} kfence.sample_interval=100"
###########################################################################################
# Remarks: CFI Ensures that only controlled, predefined transitions are possible in the #
# programs' control flow. kcfi (Kernel Control Flow Integrity): Specific implementation of#
# CFI for the Linux kernel that is particularly robust and provides accurate control flow #
# validation. kcfi relies on compiler-based technologies (e.g., LLVM) that insert special #
# checks and instrumentation into the kernel code. #
# https://kspp.github.io/Recommended_Settings#kernel-command-line-options #
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} cfi=kcfi"
###########################################################################################
# Remarks: Remove additional (32-bit) attack surface, unless you really need them. #
# https://www.kernel.org/doc/html/v6.10/admin-guide/kernel-parameters.html #
# https://kspp.github.io/Recommended_Settings#kernel-command-line-options #
###########################################################################################
GRUB_CMDLINE_LINUX="${GRUB_CMDLINE_LINUX} ia32_emulation=0"
do_help_grub_finalize_string
MODULE_ERR="3_8_1_functions_installation_setup_grub_bootparameter"
###########################################################################################
# Remarks: Generally, it is best to let the hypervisor handle CPU microcode updates #
###########################################################################################
case "${arch,,}" in
amd64)
if [[ -f "${TARGET}"/etc/default/amd64-microcode && ${WHEREIAM} != kvm ]]; then
cp -u /etc/default/amd64-microcode "${DIR_BAK}"amd64-microcode.bak
chmod 644 "${DIR_BAK}"amd64-microcode.bak
sed -i "s/#AMD64UCODE_INITRAMFS=auto/AMD64UCODE_INITRAMFS=early/" "${TARGET}"/etc/default/amd64-microcode
fi
if [[ -f "${TARGET}"/etc/modprobe.d/amd64-microcode-blacklist.conf && ${WHEREIAM} != kvm ]]; then
cp -u "${TARGET}"/etc/modprobe.d/amd64-microcode-blacklist.conf "${DIR_BAK}"amd64-microcode-blacklist.conf.bak
chmod 0644 "${DIR_BAK}"amd64-microcode-blacklist.conf.bak
sed -i "s/blacklist microcode/# blacklist microcode/" "${TARGET}"/etc/modprobe.d/amd64-microcode-blacklist.conf
fi
;;
intel64)
if [[ -f "${TARGET}"/etc/default/intel-microcode && ${WHEREIAM} != kvm ]]; then
cp -u "${TARGET}"/etc/default/intel-microcode "${DIR_BAK}"intel-microcode.bak
chmod 0644 "${DIR_BAK}"intel-microcode.bak
sed -i "s/#IUCODE_TOOL_INITRAMFS=auto/IUCODE_TOOL_INITRAMFS=early/" "${TARGET}"/etc/default/intel-microcode
sed -i "s/#IUCODE_TOOL_SCANCPUS=yes/IUCODE_TOOL_SCANCPUS=yes/" "${TARGET}"/etc/default/intel-microcode
fi
if [[ -f "${TARGET}"/etc/modprobe.d/intel-microcode-blacklist.conf && ${WHEREIAM} != kvm ]]; then
cp -u "${TARGET}"/etc/modprobe.d/intel-microcode-blacklist.conf "${DIR_BAK}"intel-microcode-blacklist.conf.bak
chmod 0644 "${DIR_BAK}"intel-microcode-blacklist.conf.bak
sed -i "s/blacklist microcode/# blacklist microcode/" "${TARGET}"/etc/modprobe.d/intel-microcode-blacklist.conf
fi
;;
esac
do_in_target "${TARGET}" update-grub
do_log "info" "false" "GRUB hardening of bootparameters, executed in: '${TARGET}'."
do_show_footer "${MODULE_TXT}"
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh:
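Review bot: in the amd64 branch the backup copies the host's file rather than the target's: `cp -u /etc/default/amd64-microcode "${DIR_BAK}"amd64-microcode.bak`, while the guard on the line above tests `"${TARGET}"/etc/default/amd64-microcode` and the intel64 branch copies from `"${TARGET}"`. If the host lacks that file the `cp` fails, and in any case the backup does not reflect the file that `sed -i` then rewrites; prefix the source with `"${TARGET}"` as in the intel64 branch (and use the same `chmod 0644` spelling). The two blacklist edits, `sed -i "s/blacklist microcode/# blacklist microcode/"`, are not idempotent: on a second run they match the already-commented line and produce `# # blacklist microcode`; anchoring the pattern (`s/^blacklist microcode/# blacklist microcode/`) avoids that. The `case "${arch,,}"` has no `*)` branch, so an unexpected architecture value is silently skipped; a `do_log` in a default branch would make that visible. Minor: the page_poison remark reads "Meaning:Enables" and the KFENCE remark "KFENCEs" (missing apostrophe).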

View File

@@ -10,6 +10,8 @@
# SPDX-PackageName: CISS.2025.hardened.installer # SPDX-PackageName: CISS.2025.hardened.installer
# SPDX-Security-Contact: security@coresecret.eu # SPDX-Security-Contact: security@coresecret.eu
# TODO Important insert cryptdevice=UUID=881366ae-61ee-4ee0-893c-0def27c78c9e:cryptroot root=/dev/mapper/vg00-root
# TODO Important insert GRUB_CMDLINE_LINUX_DEFAULT="net.ifnames=0 biosdevname=0 ip=152.53.66.126::152.53.64.1:255.255.252.0:soc:ens3:none"
########################################################################################### ###########################################################################################
# 3.7.7. Functions - installation - kernel # # 3.7.7. Functions - installation - kernel #
########################################################################################### ###########################################################################################
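Review bot: the two added TODO lines hardcode deployment-specific values into a shared installer source file, namely a concrete LUKS volume UUID and a public static address with gateway, netmask and interface (`ip=152.53.66.126::152.53.64.1:255.255.252.0:soc:ens3:none`); these belong in the YAML configuration the installer already reads, not in a committed comment. Two further problems with the proposed command line: `net.ifnames=0 biosdevname=0` forces legacy `ethX` naming, so the interface `ens3` named in the `ip=` parameter will not exist under that kernel line; and `cryptdevice=` is the mkinitcpio (Arch) encrypt-hook parameter, which Debian's initramfs-tools cryptroot hook does not read, so the unlock at boot needs an `/etc/crypttab` entry in the target instead, with only `root=/dev/mapper/vg00-root` on the command line.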