in particular, the boot option kaslr no longer exists as kaslr is the
default. however, there is a 'nokaslr' kernel parameter:

nokaslr         [KNL,EARLY]
                When CONFIG_RANDOMIZE_BASE is set, this disables
                kernel and module base offset ASLR (Address Space
                Layout Randomization).

i have 6.10 kernel from backports and its boot options can be found here:
   https://www.kernel.org/doc/html/v6.10/a … tions.html

the 6.10 kernel params can be found here:
   https://www.kernel.org/doc/html/v6.10/a … eters.html

just change the kernel version in the above URLs to what your kernel is
and take a look.

a good, more up-to-date, hardening guide can be found here and here:
   https://wiki.archlinux.org/title/Hardening_Guides
   https://gist.github.com/dante-robinson/ … 87633ff8ca

additionally, page_poison is no longer recommended and should be replaced
with 'init_on_alloc=1 init_on_free=1' and, related to this, change to
slub_debug=ZF instead of slub_debug=FPZ

for reference, my personalised 'hardened' grub command line is:

   ipv6.disable=1 ia32_emulation=0 page_alloc.shuffle=1   \
   pti=on init_on_free=1 slab_nomerge slub_debug=ZF vsyscall=none"

on a practical note, hardening devuan/debian is really hard :-) so not
really worth it. the biggest weakness is the browser, not the kernel.
try to harden firefox (apparmor, firejail, VM) first.

if you are really motivated then checkout the firefox hardening guides
such as arkenfox user.js. this involves a lot of work and is for the paranoid.

if you are really interested in hardening linux then try to make the
system read-only. that's a nice, long-term project. see alpine linux.

cat /usr/share/doc/hardening-runtime/README.Debian

cat /etc/default/grub.d/01_hardening.cfg 
# Linux command line options recommended by the KSPP
# https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings#kernel_command_line_options
GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT kaslr pti=on slab_nomerge page_poison=1 slub_debug=FPZ nosmt"

# Other interesting options are:
# - intel_iommu=on (sometimes intel_iommu=on,igfx_off) for enabing I/OMMU

# When done editing the file, rebuild grub configuration with: update-grub

now must find out why kernel refuses its parameter

# update-grub

Maybe something that is caused by the NVidea driver?

Checked on my system, I do not see such a thing with my AMD graphics.

root@host /proc # cat cmdline 
BOOT_IMAGE=/boot/vmlinuz-6.1.0-26-amd64 root=UUID=...... ro nvidia-drm.modeset=1 quiet kaslr pti=on slab_nomerge page_poison=1 slub_debug=FPZ nosmt
root@host /proc # grep CMDLINE /etc/default/grub
GRUB_CMDLINE_LINUX_DEFAULT="quiet"
GRUB_CMDLINE_LINUX="nvidia-drm.modeset=1"

everything behind

quiet

is not in the grub settings.
Kernel complains because kaslr is unknown to it.

2024-11-01T19:14:44.792356+01:00 host kernel: [    0.013968] Kernel command line: BOOT_IMAGE=/boot/vmlinuz-6.1.0-26-amd64 root=UUID=e26f69aa-878b-46ca-8a16-c90ac9e06e62 ro nvidia-drm.modeset=1 quiet kaslr pti=on slab_nomerge page_poison=1 slub_debug=FPZ nosmt
2024-11-01T19:14:44.792357+01:00 host kernel: [    0.014070] Unknown kernel command line parameters "kaslr BOOT_IMAGE=/boot/vmlinuz-6.1.0-26-amd64 pti=on", will be passed to user space.
2024-11-01T19:14:44.793285+01:00 host kernel: [    3.354434]     kaslr

where do these settings come from and what I have to test and get rid off false entries?