Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
57 lines
3.1 KiB
Markdown
---
gitea: none
include_toc: true
---

# 1. CISS.debian.live.builder

**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br>
**Build**: V8.13.392.2025.11.07<br>

# 2. Hardened Kernel Boot Parameters

Below is a curated set of kernel boot parameters tuned for the CISS Debian Installer. Together they raise the security posture of the live environment: they restrict legacy interfaces, enforce memory initialization, and disable speculative-execution side channels. Each parameter is documented with a short rationale.

* ``audit=1``: Enable the kernel auditing subsystem.
* ``audit_backlog_limit=8192``: Set the audit event buffer depth.
* ``cfi=kcfi``: Enable Clang's Control Flow Integrity (if supported by the kernel).
* ``debugfs=off``: Disable the debugfs mount, preventing access to kernel internals.
* ``efi=disable_early_pci_dma``: Prevent early PCI DMA via EFI.
* ``hardened_usercopy=1``: Harden the copy_*_user() functions to mitigate heap/memcpy bugs.
* ``ia32_emulation=0``: Disable 32-bit x86 binary support on a 64-bit kernel.
* ``init_on_alloc=1``: Zero-initialize heap memory on allocation.
* ``init_on_free=1``: Zero memory on free to prevent data leaks through reuse.
* ``iommu=force``: Enforce use of the IOMMU.
* ``iommu.strict=1``: Enable strict IOMMU mode (always remap).
* ``iommu.passthrough=0``: Prevent IOMMU passthrough (forces remapping).
* ``kfence.sample_interval=100``: Enable low-overhead heap-fence sampling.
* ``kvm.nx_huge_pages=force``: Enforce the NX bit for KVM huge pages to prevent code execution.
* ``l1d_flush=on``: Flush the L1D cache on VM entry to mitigate cache side channels.
* ``lockdown=confidentiality``: Enable kernel lockdown in confidentiality mode.
* ``loglevel=0``: Silence all kernel messages (only EMERG shown).
* ``mitigations=auto,nosmt``: Enable all available speculative-execution mitigations and disable SMT.
* ``mmio_stale_data=full,force,nosmt``: Fully mitigate the MMIO stale data side channel.
* ``nosmt=force``: Force-disable Simultaneous Multithreading (SMT/HT).
* ``oops=panic``: Trigger a kernel panic on oops, ensuring a halt on fault.
* ``page_alloc.shuffle=1``: Randomize the page allocator freelist order.
* ``page_poison=1``: Fill freed pages with poison patterns to detect use-after-free.
* ``panic=-1``: Prevent automatic reboot after panic.
* ``pti=on``: Enable Page Table Isolation (Meltdown mitigation).
* ``random.trust_bootloader=off``: Do not trust RNG state from the bootloader.
* ``random.trust_cpu=off``: Do not trust the CPU's RDRAND or RDSEED.
* ``randomize_kstack_offset=on``: Randomize the kernel stack offset per syscall.
* ``randomize_va_space=2``: Enable full ASLR for mmap and the heap.
* ``retbleed=auto,nosmt``: Mitigate the Retbleed branch-prediction exploit path.
* ``rodata=on``: Enforce read-only .rodata sections.
* ``slab_nomerge``: Disable merging of similar slab caches.
* ``vdso32=0``: Disable the 32-bit vDSO mapping (x86 compatibility).
* ``vsyscall=none``: Disable the legacy vsyscall mapping.

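A parameter set like this only protects the live system if every entry actually reaches the booted kernel; a rebuilt image or an edited boot entry can silently drop one, and a bootloader override such as `mitigations=off` wins over the intended value. The POSIX shell script below is an added example and not part of CISS.debian.live.builder: it audits a kernel command line against the list above, reporting parameters whose key is absent entirely and parameters that are present with a different value. The `CISS_EXPECTED_PARAMS` list is copied from this README; the sample command line is constructed for the example, and on a live system you would pass `"$(cat /proc/cmdline)"` instead.

```shell
#!/bin/sh
# Added example (not part of CISS.debian.live.builder): audit a kernel command
# line against the hardened parameter set documented in this README.
# CISS_EXPECTED_PARAMS is copied from the list above; the sample command line
# further down is constructed for this example.

CISS_EXPECTED_PARAMS='audit=1
audit_backlog_limit=8192
cfi=kcfi
debugfs=off
efi=disable_early_pci_dma
hardened_usercopy=1
ia32_emulation=0
init_on_alloc=1
init_on_free=1
iommu=force
iommu.strict=1
iommu.passthrough=0
kfence.sample_interval=100
kvm.nx_huge_pages=force
l1d_flush=on
lockdown=confidentiality
loglevel=0
mitigations=auto,nosmt
mmio_stale_data=full,force,nosmt
nosmt=force
oops=panic
page_alloc.shuffle=1
page_poison=1
panic=-1
pti=on
random.trust_bootloader=off
random.trust_cpu=off
randomize_kstack_offset=on
randomize_va_space=2
retbleed=auto,nosmt
rodata=on
slab_nomerge
vdso32=0
vsyscall=none'

# Constructed sample: a weakened live-boot command line in which most of the
# hardening is absent and mitigations has been overridden to "off".
CISS_SAMPLE_CMDLINE='BOOT_IMAGE=/live/vmlinuz boot=live quiet audit=1 mitigations=off pti=on slab_nomerge'

# Print each expected parameter whose key (the part before "=", or the whole
# token for bare flags such as slab_nomerge) does not occur on the command
# line given as $1. Word splitting on $1 and on the list is intentional.
ciss_missing_params() {
    for want in $CISS_EXPECTED_PARAMS; do
        wkey=${want%%=*}
        present=0
        for have in $1; do
            if [ "${have%%=*}" = "$wkey" ]; then present=1; break; fi
        done
        if [ "$present" -eq 0 ]; then printf '%s\n' "$want"; fi
    done
}

# Print "have -> want" for each expected parameter whose key is on the command
# line but with a different value; a bootloader override such as
# mitigations=off is caught here rather than reported as missing.
ciss_conflicting_params() {
    for want in $CISS_EXPECTED_PARAMS; do
        wkey=${want%%=*}
        for have in $1; do
            if [ "${have%%=*}" = "$wkey" ] && [ "$have" != "$want" ]; then
                printf '%s -> %s\n' "$have" "$want"
            fi
        done
    done
}

# Verdict: succeed (0) only when nothing is missing and nothing conflicts.
ciss_audit_cmdline() {
    [ -z "$(ciss_missing_params "$1")" ] && [ -z "$(ciss_conflicting_params "$1")" ]
}

# Audit the constructed sample; on a live system use "$(cat /proc/cmdline)".
if ciss_audit_cmdline "$CISS_SAMPLE_CMDLINE"; then
    echo "command line matches the CISS hardened parameter set"
else
    echo "missing parameters:"
    ciss_missing_params "$CISS_SAMPLE_CMDLINE"
    echo "conflicting parameters:"
    ciss_conflicting_params "$CISS_SAMPLE_CMDLINE"
fi
```

The check matches whole tokens by key, so it deliberately ignores unrelated entries such as `boot=live` and only flags the documented keys; run it from a post-boot hook or a CI step of the image build to catch a regressed boot entry before the image ships.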
---

**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**

<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->