Kicksecure / security-misc

Kernel Hardening; Protect Linux User Accounts against Brute Force Attacks; Improve Entropy Collection; Strong Linux User Account Separation; Enhances Misc Security Settings - https://www.kicksecure.com/wiki/Security-misc
https://www.kicksecure.com/wiki/Impressum

cannot mount options harden separate /home volume? #161

Closed adrelanos closed 12 months ago

adrelanos commented 1 year ago

Like if the user has a separate /home volume, we can't harden it with our custom systemd unit. I think the reason behind this is, systemd dynamically overrides our unit with the unit it auto generates from fstab on startup.

Originally posted by @monsieuremre in https://github.com/Kicksecure/security-misc/issues/157#issuecomment-1793830718

adrelanos commented 1 year ago

Sure?

The dracut based implementation used to harden /home. There does not seem to be anything special with /home.

Otherwise the code would need some debugging. Write the output of findmnt --list to a file or output it to stdout so the systemd journal picks it up.

After the system completed booting, findmnt --list can be run again and the two different outputs can be compared. That would show if the initial mount hardening is failing or if indeed something else later reverts it.
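
The comparison suggested in the comment above, as an added example that is not part of the original thread or of security-misc: it reads two saved `findmnt --list` snapshots and reports whether the hardening options were missing from the start or disappeared later. The option list in `HARDEN_OPTS`, the function names and the sample snapshots are assumptions constructed for illustration.

```shell
# Added example. HARDEN_OPTS is an assumption: the options the unit should apply.
HARDEN_OPTS="nodev nosuid noexec"

# OPTIONS column for TARGET in a saved `findmnt --list` file (last match wins).
mount_opts() { awk -v t="$2" '$1 == t { o = $4 } END { print o }' "$1"; }

# Hardening options absent from TARGET's option string in a snapshot.
missing_opts() {
    opts=$(mount_opts "$1" "$2"); out=""
    for want in $HARDEN_OPTS; do
        case ",$opts," in
            *",$want,"*) ;;
            *) out="${out:+$out }$want" ;;
        esac
    done
    printf '%s\n' "$out"
}

# diagnose EARLY_FILE LATE_FILE TARGET: did hardening fail, or was it reverted?
diagnose() {
    early=$(missing_opts "$1" "$3"); late=$(missing_opts "$2" "$3")
    if [ -z "$(mount_opts "$1" "$3")" ]; then
        echo "not-mounted-early"
    elif [ -n "$early" ]; then
        echo "initial-hardening-failed: $early"
    elif [ -n "$late" ]; then
        echo "reverted-later: $late"
    else
        echo "hardened"
    fi
}

# Constructed sample snapshots (not output from the issue).
SNAP_DIR=$(mktemp -d)
cat > "$SNAP_DIR/early.txt" <<'EOF'
TARGET SOURCE    FSTYPE OPTIONS
/      /dev/sda1 ext4   rw,relatime
/home  /dev/sda2 ext4   rw,nosuid,nodev,noexec,relatime
EOF
cat > "$SNAP_DIR/late.txt" <<'EOF'
TARGET SOURCE    FSTYPE OPTIONS
/      /dev/sda1 ext4   rw,relatime
/home  /dev/sda2 ext4   rw,relatime
EOF
diagnose "$SNAP_DIR/early.txt" "$SNAP_DIR/late.txt" /home
```

The `not-mounted-early` result covers the case where the target is not yet mounted when the first snapshot is taken, which a separate /home volume can produce.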

adrelanos commented 12 months ago

No longer an issue. New plan: https://github.com/Kicksecure/security-misc/issues/157#issuecomment-1840229516