Giters

Kicksecure / security-misc

Kernel Hardening; Protect Linux User Accounts against Brute Force Attacks; Improve Entropy Collection; Strong Linux User Account Separation; Enhances Misc Security Settings - https://www.kicksecure.com/wiki/Security-misc

Home Page:https://www.kicksecure.com/wiki/Impressum

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

test remount-secure script and systemd unit

adrelanos opened this issue · comments

commented

Developer discussion. Not for users since not the in the testers repository yet.

Based suggestions in #202 thanks to @monsieuremre, recently I have improved.

Enabling it should be as simple as:

sudo systemctl enable remount-secure.service

Risks: Breaking the boot.

Unbreaking the boot?

  • A) Booting into recovery mode and disalbing the systemd unit or,
  • B) kernel parameter remountsecure=0

might work.

commented

Once again, I want to give my opinion here. I am not a big fan of bind mounting things. My suggested implementation was, how would it be done if we absolutely wanted bind units. It goes without saying that remounting anything is completely unnecessary and does nothing but add extra overhead and complexity. These can be hardened with drop in files, as I suggested previously. Api file systems can be hardened from the kernel command line, again, a drop-in file. Bind mounting stuff is where we can't use drop in files. Actually, if we wanted, we could. But I already am not a fan of bind mounts. We can create bind units under /usr/lib/systemd, but really, should we be the one to have the var.mount unit? Like someone else might want to own that file, I don't know. My suggestion is, let's do drop in's boot parameters. I don't support bind mounts. But if it is desired, it can be done with either

  • a service such as this (messy)
  • boot parameter, again, fstab lines (preferred)
  • systemd units under /usr/lib (less messy, but still is messy)

For API file systems and real partitions, a service or a hook should not be used. This is not only unnecessary, but introduces overhead.

commented

Seems off-topic since it does not contribute towards the testing of remount-secure script / systemd unit file. Instead replied to it here: #157 (comment)

commented

Actually never mind. Systemd units for everything just works fine. Will create a pull when I find the time. No bash scripting is used, just systemd units that are triggered based on conditions. Actually I am not sure why I haven't thought of this before. This officially covers everything. It is really similar to previous suggestions too, just fills in the missing gaps.