test remount-secure script and systemd unit

Kicksecure / security-misc

Kernel Hardening; Protect Linux User Accounts against Brute Force Attacks; Improve Entropy Collection; Strong Linux User Account Separation; Enhances Misc Security Settings - https://www.kicksecure.com/wiki/Security-misc

https://www.kicksecure.com/wiki/Impressum

Other

505 stars 50 forks source link

test remount-secure script and systemd unit #203

Open adrelanos opened 7 months ago

adrelanos commented 7 months ago

Developer discussion. Not for users since not the in the testers repository yet.

Based suggestions in https://github.com/Kicksecure/security-misc/pull/202 thanks to @monsieuremre, recently I have improved.

systemd unit file: https://github.com/Kicksecure/security-misc/blob/master/usr/lib/systemd/system/remount-secure.service
remount-secure script: https://github.com/Kicksecure/security-misc/blob/master/usr/bin/remount-secure

Enabling it should be as simple as:

sudo systemctl enable remount-secure.service

Risks: Breaking the boot.

Unbreaking the boot?

A) Booting into recovery mode and disalbing the systemd unit or,
B) kernel parameter remountsecure=0

might work.

monsieuremre commented 7 months ago

Once again, I want to give my opinion here. I am not a big fan of bind mounting things. My suggested implementation was, how would it be done if we absolutely wanted bind units. It goes without saying that remounting anything is completely unnecessary and does nothing but add extra overhead and complexity. These can be hardened with drop in files, as I suggested previously. Api file systems can be hardened from the kernel command line, again, a drop-in file. Bind mounting stuff is where we can't use drop in files. Actually, if we wanted, we could. But I already am not a fan of bind mounts. We can create bind units under /usr/lib/systemd, but really, should we be the one to have the var.mount unit? Like someone else might want to own that file, I don't know. My suggestion is, let's do drop in's boot parameters. I don't support bind mounts. But if it is desired, it can be done with either

a service such as this (messy)
boot parameter, again, fstab lines (preferred)
systemd units under /usr/lib (less messy, but still is messy)

For API file systems and real partitions, a service or a hook should not be used. This is not only unnecessary, but introduces overhead.

adrelanos commented 6 months ago

Seems off-topic since it does not contribute towards the testing of remount-secure script / systemd unit file. Instead replied to it here: https://github.com/Kicksecure/security-misc/issues/157#issuecomment-1976364746

monsieuremre commented 6 months ago

Actually never mind. Systemd units for everything just works fine. Will create a pull when I find the time. No bash scripting is used, just systemd units that are triggered based on conditions. Actually I am not sure why I haven't thought of this before. This officially covers everything. It is really similar to previous suggestions too, just fills in the missing gaps.