lockdown
========
WARNING: read the notes below about potential system breakage!

This package is intended to be installed on systems in order to limit
the exposed surface an attacker might be able to use to compromise and
embed themselves in a system. It doesn't aim for perfection, but instead
to raise the bar by making things more difficult for attackers.

kernel modules
--------------
Initially this just locks out the ability to load kernel modules after
boot. This prevents an attacker from causing a kernel module for some
obscure subsystem that happens to have a security flaw to be loaded so
they can exploit it.

After install, kernel module changes are disabled on boot or when
/usr/sbin/lockdown is run, but not automatically by the package install.

NOTE: when kernel module changes are disabled, if the modules you need
for your hardware or necessary subsystems are not yet loaded, then those
things won't work. You can resolve this by telling modprobe to preload
them (which happens before the lockout; see man modprobe), or by adding
a delay (see below).

Configure by editing /etc/default/lockdown::

  MODLOCK: enable/disable (default: enabled)
  MODLOCK_DEL: delay, in seconds, before disabling module changes (default: 10)
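As an added example (not the lockdown package's own /usr/sbin/lockdown
script), the following POSIX shell script shows how the behaviour described
above can be implemented: it reads MODLOCK and MODLOCK_DEL from
/etc/default/lockdown, waits the configured delay so modprobe can finish
preloading hardware modules, and then flips the kernel.modules_disabled
sysctl. The use of that sysctl, the accepted spellings of the enable value,
the fallback to the defaults on invalid input, and the LOCKDOWN_CONFIG
override are assumptions of this example, not documented package behaviour.

```shell
#!/bin/sh
# Added example, not the lockdown package's /usr/sbin/lockdown script.
# Assumption: the lockout is done with the kernel.modules_disabled sysctl,
# a one-way switch that stays set until the next reboot.

# Assumed config location; override with LOCKDOWN_CONFIG=... for testing.
LOCKDOWN_CONFIG="${LOCKDOWN_CONFIG:-/etc/default/lockdown}"

# Read MODLOCK / MODLOCK_DEL from a config file, applying the README
# defaults (enabled, 10 seconds) when a value is unset or invalid.
# Prints "<enabled|disabled> <delay>" so the decision is checkable as
# an unprivileged user, without touching the kernel.
lockdown_settings() {
    cfg="$1"
    MODLOCK=enabled
    MODLOCK_DEL=10
    if [ -r "$cfg" ]; then
        # shellcheck disable=SC1090
        . "$cfg"
    fi
    # Accepted spellings of "enabled" are an assumption of this example.
    case "$MODLOCK" in
        enabled|yes|1|true) state=enabled ;;
        *) state=disabled ;;
    esac
    # The delay must be a non-negative integer; otherwise use the default.
    case "$MODLOCK_DEL" in
        ''|*[!0-9]*) MODLOCK_DEL=10 ;;
    esac
    printf '%s %s\n' "$state" "$MODLOCK_DEL"
}

# Return 0 if the running kernel already refuses module changes,
# 1 if it does not (or if the sysctl is unavailable on this kernel).
lockdown_modules_locked() {
    [ "$(cat /proc/sys/kernel/modules_disabled 2>/dev/null)" = 1 ]
}

# Apply the lockout: wait MODLOCK_DEL seconds so modprobe/udev can finish
# loading hardware modules, then set the one-way switch. Needs root.
lockdown_apply() {
    set -- $(lockdown_settings "$LOCKDOWN_CONFIG")
    state="$1"
    delay="$2"
    if [ "$state" != enabled ]; then
        echo "lockdown: MODLOCK disabled in $LOCKDOWN_CONFIG, not locking modules" >&2
        return 0
    fi
    if lockdown_modules_locked; then
        echo "lockdown: kernel module changes already disabled" >&2
        return 0
    fi
    sleep "$delay"
    sysctl -w kernel.modules_disabled=1
}

# Only perform the lockout when explicitly asked ("apply"), so the file
# can be sourced or run without arguments to inspect the functions.
if [ "${1:-}" = apply ]; then
    lockdown_apply
fi
```

Run it as root with ``sh lockdown-example.sh apply``. Because
kernel.modules_disabled cannot be cleared once set, check
``cat /proc/sys/kernel/modules_disabled`` and confirm that every module your
hardware needs is already loaded before trying this on a machine you cannot
easily reboot; that is exactly the situation MODLOCK_DEL and modprobe
preloading exist to handle.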

TODO/Ideas
----------
* This package could also set modprobe aliases to disable different
  kernel features. This would mostly be redundant with locking out
  modules, but there are probably some cases where it's necessary
  (a module needs to be loaded but much of its functionality could be
  disabled).

* Additional limits on SysRq (it's already mostly locked down, not sure
  if anything else is needed)
* Set some default resource/user limits
* Lots of other ideas from
  https://www.debian.org/doc/manuals/securing-debian-howto/
  https://wiki.debian.org/Hardening
  https://wiki.ubuntu.com/Security/Features

Matt Taggart <taggart@debian.org>
Started Feb 2017
