From c019c2f02940b709d10a3ca4c79e2b42979c8dad Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Sat, 4 Nov 2023 13:19:06 +0000
Subject: [PATCH 1/9] remount-secure.service
---
lib/systemd/system/remount-secure.service | 12 ++++++++++++
1 file changed, 12 insertions(+)
create mode 100644 lib/systemd/system/remount-secure.service
diff --git a/lib/systemd/system/remount-secure.service b/lib/systemd/system/remount-secure.service
new file mode 100644
index 00000000..6ac007eb
--- /dev/null
+++ b/lib/systemd/system/remount-secure.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Remount partitions with hardened mount options.
+After=sysinit.target
+## so that these services don't fail to start
+Before=systemd-logind.service power-profiles-daemon.service switcheroo-control.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/security-misc/secure-remount
+
+[Install]
+WantedBy=sysinit.target
From 85c450f79f8bbda0f2e67889f20366aedef4e302 Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Sat, 4 Nov 2023 13:22:38 +0000
Subject: [PATCH 2/9] secure-remount
---
usr/libexec/security-misc/secure-remount | 7 +++++++
1 file changed, 7 insertions(+)
create mode 100644 usr/libexec/security-misc/secure-remount
diff --git a/usr/libexec/security-misc/secure-remount b/usr/libexec/security-misc/secure-remount
new file mode 100644
index 00000000..2f79a262
--- /dev/null
+++ b/usr/libexec/security-misc/secure-remount
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+config_file="/usr/lib/security-misc_secure-remount.conf"
+
+mount --fstab $config_file --all
+
+echo "Partitions securely remounted by security-misc" >&2
From 376323531cccb01517baf112e682fdba9375e39d Mon Sep 17 00:00:00 2001
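Review bot: `WantedBy=sysinit.target` without `DefaultDependencies=no` in [Unit] creates an ordering cycle, because a service keeps an implicit After=sysinit.target (the explicit `After=sysinit.target` line only restates it) while a target is ordered after the units it Wants=; systemd resolves such cycles by dropping a job, so the remount can silently be skipped. Early-boot units are meant to declare `DefaultDependencies=no`, `After=local-fs.target` and `Before=sysinit.target` instead. That ordering also makes the hand-maintained `Before=` list of individual services redundant, including the two names patch 6 adds to it, since those services are all ordered after sysinit.target by their own default dependencies. The `## so that these services don't fail to start` comment would then better explain which remount (noexec on /run or /dev, presumably) those services were tripping over, so the constraint can be revisited later.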
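Review bot: The exit status of `mount --fstab $config_file --all` is discarded, so the script's own status is that of the final `echo` and the unit reports success even when one or more remounts failed; the "securely remounted" message is then misleading. Add `set -o errexit -o nounset -o pipefail` after the shebang, or check the call explicitly: `mount --fstab "$config_file" --all || { echo "secure-remount: remount failed" >&2; exit 1; }`. Patch 7's hunk on this file moves the message to stdout but keeps it unconditional, so the same applies there. It is also worth confirming that `mount --all` applies entries whose target is already mounted, since `-a` skips mounted filesystems in the common case; a header comment stating which mode of `mount` this relies on would help. The header should also name where the config comes from, e.g. `## generated by /usr/libexec/security-misc/generate-secure-remount-config`.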
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Sat, 4 Nov 2023 13:24:26 +0000
Subject: [PATCH 3/9] generate remount config on install
---
debian/security-misc.postinst | 2 ++
1 file changed, 2 insertions(+)
diff --git a/debian/security-misc.postinst b/debian/security-misc.postinst
index 04410d95..02034b9a 100644
--- a/debian/security-misc.postinst
+++ b/debian/security-misc.postinst
@@ -61,6 +61,8 @@ pam-auth-update --package /usr/libexec/security-misc/permission-lockdown permission_hardening +/usr/libexec/security-misc/generate-secure-remount-config + ## https://phabricator.whonix.org/T377 ## Debian has no update-grub trigger yet: ## https://bugs.debian.org/481542
From fa61337ed36ef5cf2c60cbed563f5aea7979be24 Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Sat, 4 Nov 2023 13:25:42 +0000
Subject: [PATCH 4/9] generate-secure-remount-config
---
.../generate-secure-remount-config | 67 +++++++++++++++++++
1 file changed, 67 insertions(+)
create mode 100644 usr/libexec/security-misc/generate-secure-remount-config
diff --git a/usr/libexec/security-misc/generate-secure-remount-config b/usr/libexec/security-misc/generate-secure-remount-config
new file mode 100644
index 00000000..7a5a2dae
--- /dev/null
+++ b/usr/libexec/security-misc/generate-secure-remount-config
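Review bot: The config is generated only here, at package install or upgrade time, so a later edit to /etc/fstab (adding a separate /home or /var/log, say) leaves `/usr/lib/security-misc_secure-remount.conf` stale until the package is reconfigured. Running the generator from the unit instead, e.g. `ExecStartPre=/usr/libexec/security-misc/generate-secure-remount-config` in remount-secure.service, keeps the generated file in step with the fstab actually in use at each boot. Whether a failure of the generator aborts the postinst depends on the surrounding script's error handling, which starts and ends outside this hunk; a comment above the call saying what should happen on failure would settle that.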
@@ -0,0 +1,67 @@
+#!/bin/bash
+
+config_file="/usr/lib/security-misc_secure-remount.conf"
+
+if [ -f $config_file ]
+then
+rm $config_file
+fi
+touch $config_file
+chmod u+x $config_file
+
+echo "/ / ext4 defaults,remount 0 2" >> $config_file
+echo "/dev/shm /dev/shm ext4 defaults,nosuid,nodev,noexec,remount 0 2" >> $config_file
+echo "/dev /dev ext4 defaults,nosuid,noexec,remount 0 2" >> $config_file
+echo "/run /run ext4 defaults,nosuid,nodev,noexec,remount 0 2" >> $config_file
+
+if grep --quiet " /boot " /etc/fstab
+then
+echo "/boot /boot ext4 defaults,nosuid,nodev,noexec,remount 0 2" >> $config_file
+else
+echo "/boot /boot ext4 defaults,nosuid,nodev,noexec,bind 0 2" >> $config_file
+fi
+
+if grep --quiet " /boot/efi " /etc/fstab
+then
+echo "/boot/efi /boot/efi ext4 defaults,nosuid,nodev,noexec,remount 0 2" >> $config_file
+fi
+
+if grep --quiet " /home " /etc/fstab
+then
+echo "/home /home ext4 defaults,nosuid,nodev,remount 0 2" >> $config_file
+else
+echo "/home /home ext4 defaults,nosuid,nodev,bind 0 2" >> $config_file
+fi
+
+if grep --quiet " /tmp " /etc/fstab
+then
+echo "/tmp /tmp ext4 defaults,nosuid,nodev,noexec,remount 0 2" >> $config_file
+else
+echo "tmpfs /tmp tmpfs defaults,nosuid,nodev,noexec 0 0" >> $config_file
+fi
+
+if grep --quiet " /var/log/audit " /etc/fstab
+then
+echo "/var/log/audit /log/audit ext4 defaults,nosuid,nodev,noexec,remount 0 2" >> $config_file
+fi
+
+if grep --quiet " /var/tmp " /etc/fstab
+then
+echo "/var/tmp /var/tmp ext4 defaults,nosuid,nodev,noexec,remount 0 2" >> $config_file
+else
+echo "/tmp /var/tmp none defaults,nosuid,nodev,noexec,bind 0 0" >> $config_file
+fi
+
+if grep --quiet " /var/log " /etc/fstab
+then
+echo "/var/log /var/log ext4 defaults,nosuid,nodev,noexec,remount 0 2" >> $config_file
+else
+echo "/var/log /var/log ext4 defaults,nosuid,nodev,noexec,bind 0 2" >> $config_file
+fi
+
+if grep --quiet " /var " /etc/fstab
+then
+echo "/var /var ext4 defaults,nosuid,nodev,remount 0 2" >> $config_file
+else
+echo "/var /var ext4 defaults,nosuid,nodev,bind 0 2" >> $config_file
+fi
From 8ce90bc0904bfc8458a5503148d7bf64d7aeff04 Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Sat, 4 Nov 2023 13:51:04 +0000
Subject: [PATCH 5/9] /boot/efi super duper hardening and file system correction
---
usr/libexec/security-misc/generate-secure-remount-config | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/usr/libexec/security-misc/generate-secure-remount-config b/usr/libexec/security-misc/generate-secure-remount-config
index 7a5a2dae..a302ff1f 100644
--- a/usr/libexec/security-misc/generate-secure-remount-config
+++ b/usr/libexec/security-misc/generate-secure-remount-config
@@ -23,7 +23,7 @@ fi
 
 if grep --quiet " /boot/efi " /etc/fstab
 then
-echo "/boot/efi /boot/efi ext4 defaults,nosuid,nodev,noexec,remount 0 2" >> $config_file
+echo "/boot/efi /boot/efi vfat defaults,nosuid,nodev,noexec,umask=0077,remount 0 2" >> $config_file
 fi
 
 if grep --quiet " /home " /etc/fstab
From 3284b5ade00648d7ef44a407fd66ef415b231c53 Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Sat, 4 Nov 2023 20:41:25 +0000
Subject: [PATCH 6/9] before
---
lib/systemd/system/remount-secure.service | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/systemd/system/remount-secure.service b/lib/systemd/system/remount-secure.service
index 6ac007eb..c829c5fe 100644
--- a/lib/systemd/system/remount-secure.service
+++ b/lib/systemd/system/remount-secure.service
@@ -2,7 +2,7 @@
 Description=Remount partitions with hardened mount options.
 After=sysinit.target
 ## so that these services don't fail to start
-Before=systemd-logind.service power-profiles-daemon.service switcheroo-control.service
+Before=systemd-logind.service power-profiles-daemon.service switcheroo-control.service networking.service dbus.service
 
 [Service]
 Type=oneshot
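Review bot: The `/var/log/audit` entry writes `/log/audit` as its mount target, so `mount --all` would try to remount a path that does not exist; the line should read `/var/log/audit /var/log/audit ext4 defaults,nosuid,nodev,noexec,remount 0 2`. The `grep --quiet " /boot " /etc/fstab` tests are also fragile: fstab fields are commonly tab-separated, which the space-padded pattern misses, and a commented-out entry still matches, so a mount point can be silently skipped or a remount attempted on a directory that is not a mount point. The else-branch for /var/tmp binds it onto /tmp, which the /tmp branch just above may have turned into a tmpfs, so /var/tmp would no longer persist across reboots; if that is intended it deserves a comment. A small helper around `findmnt --fstab` removes the fragile matching and most of the nine near-identical blocks:
```shell
#!/bin/bash
set -o errexit -o nounset -o pipefail

config_file="/usr/lib/security-misc_secure-remount.conf"

## True when /etc/fstab lists the given path as a mount point.
## findmnt parses the file properly (tabs, comments), unlike a plain grep.
in_fstab() {
  findmnt --fstab --noheadings --mountpoint "$1" >/dev/null 2>&1
}

## Emit a hardened remount entry for $1 when it is a mount point in fstab,
## otherwise emit the fallback entry given in $3 (empty = emit nothing).
emit_entry() {
  local mountpoint="$1" options="$2" fallback="${3:-}"
  if in_fstab "$mountpoint"; then
    printf '%s %s ext4 defaults,%s,remount 0 2\n' "$mountpoint" "$mountpoint" "$options"
  elif [ -n "$fallback" ]; then
    printf '%s\n' "$fallback"
  fi
}

# … unchanged: creation of $config_file and the /, /dev/shm, /dev, /run lines …

emit_entry /boot nosuid,nodev,noexec "/boot /boot ext4 defaults,nosuid,nodev,noexec,bind 0 2" >> "$config_file"
emit_entry /boot/efi nosuid,nodev,noexec >> "$config_file"
emit_entry /var/log/audit nosuid,nodev,noexec >> "$config_file"
# … unchanged: the remaining mount points follow the same pattern …
```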
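Review bot: The new `/boot/efi` remount line assumes the ESP is already mounted when the service runs; an fstab entry carrying `noauto` or `x-systemd.automount` would still satisfy the `grep` on the line above, yet the `remount` then fails at boot, and the caller in secure-remount does not check that. Either skip the entry in that case or record the assumption next to the line, e.g. `## assumes /boot/efi is mounted by local-fs.target before remount-secure.service runs`. Tightening to `umask=0077` is a sensible change; the trailing `0 2` pass number appears to be unused by `mount --fstab`, so `0 0` would avoid suggesting an fsck that never happens. The enclosing if-block is fully inside the hunk, but the rest of the script is not.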
From c42e6b279abaf164dcb970c0456b795f755f2b6d Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Sat, 4 Nov 2023 20:42:13 +0000
Subject: [PATCH 7/9] secure-remount
---
usr/libexec/security-misc/secure-remount | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/usr/libexec/security-misc/secure-remount b/usr/libexec/security-misc/secure-remount
index 2f79a262..7b4196c3 100644
--- a/usr/libexec/security-misc/secure-remount
+++ b/usr/libexec/security-misc/secure-remount
@@ -4,4 +4,4 @@ config_file="/usr/lib/security-misc_secure-remount.conf"
 
 mount --fstab $config_file --all
 
-echo "Partitions securely remounted by security-misc" >&2
+echo "Partitions securely remounted by security-misc"
From c0a5fabdaed8f2197f85d0a408969cde830ae6ae Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Sat, 4 Nov 2023 20:45:40 +0000
Subject: [PATCH 8/9] don't force ext4
---
.../generate-secure-remount-config | 30 +++++++++----------
1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/usr/libexec/security-misc/generate-secure-remount-config b/usr/libexec/security-misc/generate-secure-remount-config
index a302ff1f..dedf23de 100644
--- a/usr/libexec/security-misc/generate-secure-remount-config
+++ b/usr/libexec/security-misc/generate-secure-remount-config
@@ -9,16 +9,16 @@ fi
 touch $config_file
 chmod u+x $config_file
 
-echo "/ / ext4 defaults,remount 0 2" >> $config_file
-echo "/dev/shm /dev/shm ext4 defaults,nosuid,nodev,noexec,remount 0 2" >> $config_file
-echo "/dev /dev ext4 defaults,nosuid,noexec,remount 0 2" >> $config_file
-echo "/run /run ext4 defaults,nosuid,nodev,noexec,remount 0 2" >> $config_file
+echo "/ / none defaults,remount 0 2" >> $config_file
+echo "/dev/shm /dev/shm none defaults,nosuid,nodev,noexec,remount 0 2" >> $config_file
+echo "/dev /dev none defaults,nosuid,noexec,remount 0 2" >> $config_file
+echo "/run /run none defaults,nosuid,nodev,noexec,remount 0 2" >> $config_file
 
 if grep --quiet " /boot " /etc/fstab
 then
-echo "/boot /boot ext4 defaults,nosuid,nodev,noexec,remount 0 2" >> $config_file
+echo "/boot /boot none defaults,nosuid,nodev,noexec,remount 0 2" >> $config_file
 else
-echo "/boot /boot ext4 defaults,nosuid,nodev,noexec,bind 0 2" >> $config_file
+echo "/boot /boot none defaults,nosuid,nodev,noexec,bind 0 2" >> $config_file
 fi
 
 if grep --quiet " /boot/efi " /etc/fstab
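Review bot: The `/ / none defaults,remount 0 2` line still carries no restrictive option, so the root entry is a remount with `defaults` only; that adds no hardening, and since `defaults` implies `rw` it could flip a deliberately read-only root back to writable. Either give the line a comment stating why root is listed (e.g. `## / is listed only so that … ; no restrictive options are applied to it`) or drop it. Using `none` for the type is the right choice for remount and bind entries, where the filesystem type is not consulted; a one-line comment above the block saying so would explain the change to the next reader. The same `none` switch is applied to the second hunk of this patch and needs no separate remark.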
@@ -28,40 +28,40 @@ fi
 
 if grep --quiet " /home " /etc/fstab
 then
-echo "/home /home ext4 defaults,nosuid,nodev,remount 0 2" >> $config_file
+echo "/home /home none defaults,nosuid,nodev,remount 0 2" >> $config_file
 else
-echo "/home /home ext4 defaults,nosuid,nodev,bind 0 2" >> $config_file
+echo "/home /home none defaults,nosuid,nodev,bind 0 2" >> $config_file
 fi
 
 if grep --quiet " /tmp " /etc/fstab
 then
-echo "/tmp /tmp ext4 defaults,nosuid,nodev,noexec,remount 0 2" >> $config_file
+echo "/tmp /tmp none defaults,nosuid,nodev,noexec,remount 0 2" >> $config_file
 else
 echo "tmpfs /tmp tmpfs defaults,nosuid,nodev,noexec 0 0" >> $config_file
 fi
 
 if grep --quiet " /var/log/audit " /etc/fstab
 then
-echo "/var/log/audit /log/audit ext4 defaults,nosuid,nodev,noexec,remount 0 2" >> $config_file
+echo "/var/log/audit /log/audit none defaults,nosuid,nodev,noexec,remount 0 2" >> $config_file
 fi
 
 if grep --quiet " /var/tmp " /etc/fstab
 then
-echo "/var/tmp /var/tmp ext4 defaults,nosuid,nodev,noexec,remount 0 2" >> $config_file
+echo "/var/tmp /var/tmp none defaults,nosuid,nodev,noexec,remount 0 2" >> $config_file
 else
 echo "/tmp /var/tmp none defaults,nosuid,nodev,noexec,bind 0 0" >> $config_file
 fi
 
 if grep --quiet " /var/log " /etc/fstab
 then
-echo "/var/log /var/log ext4 defaults,nosuid,nodev,noexec,remount 0 2" >> $config_file
+echo "/var/log /var/log none defaults,nosuid,nodev,noexec,remount 0 2" >> $config_file
 else
-echo "/var/log /var/log ext4 defaults,nosuid,nodev,noexec,bind 0 2" >> $config_file
+echo "/var/log /var/log none defaults,nosuid,nodev,noexec,bind 0 2" >> $config_file
 fi
 
 if grep --quiet " /var " /etc/fstab
 then
-echo "/var /var ext4 defaults,nosuid,nodev,remount 0 2" >> $config_file
+echo "/var /var none defaults,nosuid,nodev,remount 0 2" >> $config_file
 else
-echo "/var /var ext4 defaults,nosuid,nodev,bind 0 2" >> $config_file
+echo "/var /var none defaults,nosuid,nodev,bind 0 2" >> $config_file
 fi
From 99596883578525950eb5aab5f6cedf6057e2ea41 Mon Sep 17 00:00:00 2001
From: monsieuremre <130907164+monsieuremre@users.noreply.github.com>
Date: Sat, 4 Nov 2023 21:02:27 +0000
Subject: [PATCH 9/9] config isnt executable
---
usr/libexec/security-misc/generate-secure-remount-config | 1 -
1 file changed, 1 deletion(-)
diff --git a/usr/libexec/security-misc/generate-secure-remount-config b/usr/libexec/security-misc/generate-secure-remount-config
index dedf23de..a42efc45 100644
--- a/usr/libexec/security-misc/generate-secure-remount-config
+++ b/usr/libexec/security-misc/generate-secure-remount-config
@@ -7,7 +7,6 @@ then
 rm $config_file
 fi
 touch $config_file
-chmod u+x $config_file
 
 echo "/ / none defaults,remount 0 2" >> $config_file
 echo "/dev/shm /dev/shm none defaults,nosuid,nodev,noexec,remount 0 2" >> $config_file
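Review bot: The `rm` / `touch` pair followed by a run of `>>` appends leaves a partially written config if the script is interrupted, and the `mount --all` in secure-remount would apply whatever fragment is on disk at the next boot. Writing to a temporary file beside the target and renaming it into place makes the update atomic: `tmp=$(mktemp "${config_file}.XXXXXX")`, append every entry to `"$tmp"`, then `mv -- "$tmp" "$config_file"`; the if/rm/fi/touch preamble then goes away entirely. Dropping the executable bit is the right fix for a data file; a comment on the `touch` (or the temp-file creation) noting that the file is read only by `mount --fstab` would make that explicit. The if-block starts above this hunk and the rest of the generator is below it.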