Posts

hardening fedora

sudo lynis audit system

Suggestions reported by lynis:

Consider explicitly disabling core dumps in /etc/security/limits.conf:
* hard core 0
* soft core 0

Configure password hashing rounds in /etc/login.defs
When possible, set expiry dates for all password-protected accounts
Configure minimum password age in /etc/login.defs
Configure maximum password age in /etc/login.defs
Default umask in /etc/login.defs could be more strict, like 027
To decrease the impact of a full /var file system, place /var on a separate partition
Disable drivers like USB storage when not used, to prevent unauthorized storage or data theft
Disable drivers like FireWire storage when not used, to prevent unauthorized storage or data theft
Check DNS configuration for the dns domain name
Add the IP name and FQDN to /etc/hosts for proper name resolving
Consider using a tool to automatically apply upgrades
Determine if the protocols dccp, sctp, rds, tipc are really needed on this system
Enable logging to an external logging host
Recent posts

kicksecure driver blocklist

cat /etc/modprobe.d/30_security-misc.conf

options nf_conntrack nf_conntrack_helper=0
install bluetooth /bin/true
install btusb /bin/true
## Disable thunderbolt and firewire modules to prevent some DMA attacks
install thunderbolt /bin/true
install firewire-core /bin/true
install firewire_core /bin/true
install firewire-ohci /bin/true
install firewire_ohci /bin/true
install firewire_sbp2 /bin/true
install firewire-sbp2 /bin/true
install ohci1394 /bin/true
install sbp2 /bin/true
install dv1394 /bin/true
install raw1394 /bin/true
install video1394 /bin/true
## Disable CPU MSRs as they can be abused to write to arbitrary memory.
install msr /bin/true
## Disables unneeded network protocols that will likely not be used as these may have unknown vulnerabilities.
## Credit to Tails (https://tails.boum.org/blueprint/blacklist_modules/) for some of these.
install dccp /bin/true
install sctp /bin/true
install rds /bin/true
install tipc /bin/true
install n-hdlc /bin/true
install ax25 /bin/true
insta

linux-firmware and microcode

To find out which drivers are needed, boot a live ISO with a GUI and check dmesg to see which firmware gets loaded.

For the i915 driver (Intel Ice Lake), see the required latest firmware files at https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/i915
Mine is Ice Lake (icl), so I select icl.

mkdir /lib/firmware/i915
nano fw-i915

Contents of fw-i915:
curl -O https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/plain/i915/icl_dmc_ver1_09.bin
curl -O https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/plain/i915/icl_guc_70.1.1.bin
curl -O https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/plain/i915/icl_huc_9.0.0.bin

chmod +x fw-i915
./fw-i915

Or manually download the files and move them to the /lib/firmware/i915 folder.

For the ath10k driver (QCA9377 wireless card):
https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/ath10k
https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/ath10k/QCA9377/hw1.0
mkdir -p /lib/firmw

fedora minimal rootfs via container image

Container image install

https://admin.fedoraproject.org/mirrormanager/mirrors
https://mirrors.tuna.tsinghua.edu.cn/fedora/releases/38/
https://mirrors.tuna.tsinghua.edu.cn/fedora/releases/38/Container/x86_64/images/
https://ftp.yz.yamagata-u.ac.jp/pub/linux/fedora-projects/fedora/linux/releases/37/Container/x86_64/images/

wget https://ftp.yz.yamagata-u.ac.jp/pub/linux/fedora-projects/fedora/linux/releases/37/Container/x86_64/images/Fedora-Container-Minimal-Base-37-1.7.x86_64.tar.xz
7z x Fedora-Container-Minimal-Base-37-1.7.x86_64.tar.xz
7z x Fedora-Container-Minimal-Base-37-1.7.x86_64.tar
cd 49107e6da2551f27fe73cfa91d821b9a072ea9f66d0e02b55b2fc0c488da9d46/
7z x layer.tar

mkfs.btrfs /dev/nvme0n1p6
mount -o compress=zstd /dev/nvme0n1p6 /mnt

nano chroot.sh
doas mount --bind /dev /mnt/dev
doas mount --bind /sys /mnt/sys
doas mount -t proc proc /mnt/proc
doas chroot /mnt /bin/bash

#chroot layer
cat /mnt/etc/dnf/dnf.conf
# see `man dnf.conf` for defaults and possible option

easy secureboot

intro

Using a signed boot loader means using a boot loader signed with Microsoft's key. There are two known signed boot loaders: PreLoader and shim. Their purpose is to chainload other EFI binaries (usually boot loaders). Since Microsoft would never sign a boot loader that automatically launches any unsigned binary, PreLoader and shim use an allowlist called the Machine Owner Key list, abbreviated MokList. If the SHA256 hash of the binary (PreLoader and shim) or the key the binary is signed with (shim) is in the MokList, they execute it; if not, they launch a key management utility which allows enrolling the hash or key.

The enrollment of the Microsoft 3rd Party UEFI CA certificate needs to be enabled in firmware settings to launch EFI binaries and OpROMs signed with this certificate.

using shim

When run, PreLoader tries to launch loader.efi. Debian kernel and modules are already signed with Debian keys:

/sbin/modinfo snd
sig_id:         PKCS#7
signer:         Debian Secure Boot CA s

debian stable bootstrap

apk add debootstrap arch-install-scripts

Prepare the partition:
doas mkfs.ext4 -O ^has_journal /dev/nvme0n1p3
doas mount /dev/nvme0n1p3 /mnt

Bootstrap using debootstrap (--print-debs lists the packages that would be installed). Available Debian releases are stable, testing and unstable.
debootstrap --variant=minbase stable /mnt http://deb.debian.org/debian/
debootstrap --include=apt,bash,dpkg stable /mnt http://deb.debian.org/debian/

Ubuntu:
sudo debootstrap --arch amd64 jammy /mnt http://np.archive.ubuntu.com/ubuntu/
Add --extractor=ar if you are using an old apt without zstd support to install a new image.

Devuan:
http://deb.devuan.org/merged/dists/
https://git.devuan.org/devuan/debootstrap/src/branch/suites/unstable/scripts/chimaera
doas debootstrap --arch amd64 chimaera /mnt http://deb.devuan.org/merged /usr/share/debootstrap/scripts/Chimaera

Security updates:
nano /etc/apt/sources.list
deb http://deb.devuan.org/merged chimaera main contrib non-free
deb http://deb.devuan.org/merged chimaera-secu