lockdown
========
WARNING: read notes below about potential system breakage!

This package is intended to be installed on systems in order to limit
the attack surface an attacker might be able to use to compromise and
embed themselves in a system, so that a security hole in an unused
feature can't give an attacker a foothold.
It doesn't aim for perfection, but instead to raise the bar by making
things more difficult for attackers.

What it does:
* disables loading/removing kernel modules after boot
* disables loading a new kernel with kexec
* disables Berkeley packet filter (BPF)

Configure by editing /etc/default/lockdown to enable/disable features
and adjust settings.

kernel modules
--------------
Lock out the ability to load/remove kernel modules after boot. This
prevents an attacker from loading a kernel module for some obscure
subsystem that happens to have a security flaw and then exploiting it.

MODLOCK: enable/disable (default: true)
MODLOCK_DEL: delay, in seconds, before disabling module changes (default: 10)

When enabled, kernel module changes are disabled on boot or when
/usr/sbin/lockdown is run (but not automatically by the package install
or upgrade).

NOTE: once module changes are disabled, any module for your hardware or
a necessary subsystem that wasn't already loaded can't be loaded later,
so that hardware or subsystem won't work. You can resolve this by
telling modprobe to preload the modules (which happens before the
lockout) by adding them to /etc/modules, or by raising MODLOCK_DEL to
give them time to load before loading is disabled. The default delay of
10 seconds is usually enough to cover built-in hardware; for things that
are hotplugged after boot (like USB devices) you will need to preload
the modules.

If you reboot and discover something not working, clear MODLOCK in the
defaults file, save the output of 'lsmod|sort' from the current (locked)
boot, and reboot.

Hint for determining which modules are missing:
* boot with MODLOCK disabled (cleared) and save the result of 'lsmod|sort'
* boot with MODLOCK enabled (true) and save the result of 'lsmod|sort'
* use a diff tool to find the modules present only in the first listing
  and add them to /etc/modules

Some examples:
* SD card readers, external USB drives: usb_storage
* bitmask VPN client:
   ccm
   ctr
   ip6table_filter
   ip6t_REJECT
   iptable_filter
   iptable_nat
   ipt_MASQUERADE
   ipt_REJECT
   xt_nat
   xt_tcpudp
   tun
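The comparison in the hint above, as an added example that is not part of the lockdown package: a small POSIX sh script that takes the two saved 'lsmod|sort' listings and prints the module names to append to /etc/modules, skipping any already listed there. One caveat it handles: in a non-C locale 'sort' may not leave lsmod's "Module" header on the first line, so the header is dropped by name rather than by position. The sample listings and /etc/modules contents are constructed for the example, not taken from any real system.

```shell
#!/bin/sh
# Added example, not part of the lockdown package: work out which modules to
# preload from the two saved 'lsmod|sort' listings. The module name is the
# first column of lsmod. The header line is matched by name ("Module")
# rather than by position, because in a non-C locale 'sort' can move it
# below lines that start with a lowercase letter.

# module_names FILE: print the module names in a saved lsmod listing.
module_names() {
    awk '$1 != "Module" { print $1 }' "$1" | sort -u
}

# missing_modules UNLOCKED LOCKED: modules loaded on the unlocked boot that
# were not loaded on the locked boot. Plain POSIX sh (no process
# substitution), so awk reads the locked listing first and then filters the
# unlocked one against it.
missing_modules() {
    awk '$1 == "Module" { next }
         FNR == NR { locked[$1] = 1; next }
         !($1 in locked) { print $1 }' "$2" "$1" | sort -u
}

# etc_modules_additions UNLOCKED LOCKED ETC_MODULES: the missing modules that
# are not already named in ETC_MODULES (comments and blank lines ignored),
# i.e. the lines to append to /etc/modules.
etc_modules_additions() {
    missing_modules "$1" "$2" | awk -v etc="$3" '
        FILENAME == etc { if ($1 != "" && $1 !~ /^#/) have[$1] = 1; next }
        !($1 in have)' "$3" -
}

# write_samples DIR: constructed sample data standing in for the two saved
# listings and for /etc/modules (not real output from any system). Note the
# header sorted into the middle, as a locale-aware 'sort' would do.
write_samples() {
    cat > "$1/unlocked" <<'EOF'
ccm                    20480  0
ext4                  839680  1
Module                  Size  Used by
tun                    49152  0
usb_storage            77824  0
x_tables               53248  1 xt_tcpudp
xt_tcpudp              16384  2
EOF
    cat > "$1/locked" <<'EOF'
ext4                  839680  1
Module                  Size  Used by
x_tables               53248  1 xt_tcpudp
xt_tcpudp              16384  2
EOF
    cat > "$1/etc_modules" <<'EOF'
# /etc/modules: kernel modules to load at boot time.
tun
EOF
}

dir="$(mktemp -d)"
write_samples "$dir"
echo "missing on the locked boot:"
missing_modules "$dir/unlocked" "$dir/locked"
echo "lines to append to /etc/modules:"
etc_modules_additions "$dir/unlocked" "$dir/locked" "$dir/etc_modules"
rm -rf "$dir"
```

With real data, replace the two sample files with your saved listings and point the third argument at /etc/modules; with the constructed sample the first list is ccm, tun and usb_storage, and only ccm and usb_storage remain after removing the tun line /etc/modules already has.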
KEXEC
-----
kexec lets the running kernel boot directly into another kernel image
without going through the firmware (it is what kdump uses to start the
crash kernel, and what fast reboots use). An attacker with root could
use it to replace the running kernel with one of their own. If you
aren't using this feature it's safest to disable; note that doing so
also disables kdump crash dumps.

KEXECLOCK: enable/disable (default: true)

BPF
---
Berkeley Packet Filter (BPF) has its own syscall for loading programs
into the kernel. The kernel's BPF verifier is supposed to make this
safe, but if you aren't using it then it's safest to disable.
More info at https://lwn.net/Articles/660331/

BPFLOCK: enable/disable (default: true)
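One way to implement the MODLOCK, KEXECLOCK and BPFLOCK settings described in the three sections above, as an added example and not the package's own /usr/sbin/lockdown: the README does not say which kernel interfaces the package uses, so the mapping onto the kernel.kexec_load_disabled, kernel.unprivileged_bpf_disabled and kernel.modules_disabled sysctls is an assumption of this example. All three are one-way (once set to 1 they stay set until the next boot), which is why the module lockout is applied last and only after the MODLOCK_DEL delay. The config file path and the --dry-run/--apply options are also the example's own.

```shell
#!/bin/sh
# Added example: one way to turn /etc/default/lockdown settings into kernel
# sysctls. This is NOT the package's own /usr/sbin/lockdown; the choice of
# sysctls below is an assumption, since the README does not say which kernel
# interfaces the package uses.
#
#   KEXECLOCK -> kernel.kexec_load_disabled=1       (one-way until reboot)
#   BPFLOCK   -> kernel.unprivileged_bpf_disabled=1 (one-way until reboot)
#   MODLOCK   -> kernel.modules_disabled=1          (one-way until reboot)

LOCKDOWN_DEFAULTS="${LOCKDOWN_DEFAULTS:-/etc/default/lockdown}"

# Defaults as documented: everything on, 10 s delay before the module lockout.
MODLOCK=true
MODLOCK_DEL=10
KEXECLOCK=true
BPFLOCK=true

# is_true VALUE: accept the usual spellings found in defaults files.
is_true() {
    case "$1" in
        true|TRUE|True|yes|YES|Yes|on|1) return 0 ;;
        *) return 1 ;;
    esac
}

# lockdown_plan: print the sysctl assignments implied by the current
# settings, one "key=value" per line, without touching the kernel.
lockdown_plan() {
    is_true "$KEXECLOCK" && echo "kernel.kexec_load_disabled=1"
    is_true "$BPFLOCK"   && echo "kernel.unprivileged_bpf_disabled=1"
    # The module lockout goes last: once it is set nothing else can be loaded.
    is_true "$MODLOCK"   && echo "kernel.modules_disabled=1"
    return 0
}

# lockdown_apply: apply the plan with sysctl(8). Sleeps MODLOCK_DEL seconds
# before the module lockout so /etc/modules and early hotplug can finish.
lockdown_apply() {
    [ "$(id -u)" -eq 0 ] || { echo "lockdown: must run as root" >&2; return 1; }
    lockdown_plan | while IFS= read -r kv; do
        case "$kv" in
            kernel.modules_disabled=*) sleep "$MODLOCK_DEL" ;;
        esac
        sysctl -w "$kv"
    done
}

# Let the defaults file override the values above, then show or apply.
[ -r "$LOCKDOWN_DEFAULTS" ] && . "$LOCKDOWN_DEFAULTS"
case "${1:-}" in
    --dry-run) lockdown_plan ;;
    --apply)   lockdown_apply ;;
esac
```

Run it with --dry-run to see which sysctls would be set and --apply (as root) to set them. One caveat on the BPF part: kernel.unprivileged_bpf_disabled only blocks the bpf() syscall for unprivileged users; root can still load BPF programs, so it is narrower than the "disables BPF" wording above.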

TODO/Ideas
----------
* This package could also set modprobe aliases to disable different
  kernel features. This would mostly be redundant with locking out
  modules, but there are probably some cases where it's necessary
  (where a module needs to be loaded but much of its functionality could
  be disabled).
* Additional limits on SysRq (it's already mostly locked down, not sure
  if anything else is needed)
* Set some default resource/user limits
* Lots of other ideas from
  https://www.debian.org/doc/manuals/securing-debian-howto/
  https://wiki.debian.org/Hardening
  https://wiki.ubuntu.com/Security/Features

Matt Taggart <taggart@debian.org>
Started Feb 2017
