msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 2m4s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-08-28 12:56:32 +02:00
parent 5e7e498a80
commit 528a55109c
5 changed files with 117 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
.preseed/preseed.yaml
View File

@@ -343,10 +343,22 @@ grub_parameter:
# 'confidentiality': Maximum restriction to ensure the security and integrity of the system. This prevents direct access to
# hardware and debug interfaces, for example. Useful for highly secure environments as it reduces the attack surface to kernel
# data. However, some applications that require debugging or hardware access may have problems.
# Note: Lockdown=confidentiality prevents the kernel reads required for the systemd eBPF program
# (e.g., bpf_probe_read_kernel()), the verifier aborts, Invalid argument, and bpf-restrict-fs cannot load. Functionally, this
# is "only" the failure of the systemd hardening module RestrictFileSystems= (and related BPF filters); the rest boots.
# Therefore, countermeasures without BPF/BTF:
# Strict least-privilege: CapabilityBoundingSet= (remove CAP_SYS_ADMIN), 'NoNewPrivileges=yes', 'SystemCallFilter=~mount',
# 'PrivateMounts=yes', 'ProtectKernelModules=yes'. On the network side: instead of BPF egress, nftables policies at host level
# per unit: BindToDevice=lo or disconnect network NS. File systems: 'ProtectSystem=strict', 'ReadOnlyPaths=',
# 'InaccessiblePaths=', 'ProtectHome=tmpfs|read-only'.
# Otherwise, countermeasures with 'lockdown=integrity':
# 'kernel.unprivileged_bpf_disabled=1', 'net.core.bpf_jit_harden=2', 'kernel.perf_event_paranoid=3', 'kernel.kptr_restrict=2',
# 'kernel.dmesg_restrict=1'. Optional: 'kernel.kexec_load_disabled=1'. One gets BPF hardening (Restrict-FS, Egress filter),
# but minimizes BPF abuse by unprivileged users & JIT hardening.
# https://blog.cloudflare.com/de-de/linux-kernel-hardening/
# https://www.linux-magazine.com/Issues/2020/239/Lockdown-Mode
##############################################################################################################################
- "lockdown=confidentiality"
- "lockdown=integrity"
##############################################################################################################################
# Enables 'Read-Only Data Protection', which implements read-only memory areas for kernel data structures. This protects the