I havent used your list of parameters, i tried some of the tails linux recommended  parameters , not sure exactly which one locked up my computer but the mds=full,nosmt seems to stand out to me, after removing that i had no issues. It definitely a case by case basis, not all intel computers are made the same.

https://tails.boum.org/contribute/desig … hardening/

Tails and Whonix have a much smaller set of security options than what I have proposed. In each specific case, you need to select your own set of security parameters for the Linux kernel. In my case, everything works due to the fact that I have a fairly ancient Intel processor. I am glad that you are interested in this topic, since few people are interested in the information security of their operating system and hardware.

dice wrote:

Thanks for sharing

one should definitely read up on linux kernel parameters. https://www.kernel.org/doc/html/v4.14/a … eters.html

I tried a few of those parameters awhile ago, i think disabling smt caused my rig to lock up.

If you have problems booting with the new Linux kernel parameters, then you can edit the boot parameters in the Grub menu when the bootloader starts. Unfortunately, I cannot check the performance of these parameters on many computers, since I do not have such an opportunity. I only urge specialists, especially in information security, to carefully read the official documentation for the possibility of self-defense of the Linux kernel.

I havent used your list of parameters, i tried some of the tails linux recommended  parameters , not sure exactly which one locked up my computer but the mds=full,nosmt seems to stand out to me, after removing that i had no issues. It definitely a case by case basis, not all intel computers are made the same.

https://tails.boum.org/contribute/desig … hardening/

kmemleak=on kmemleak.stack=on kmemleak.scan=on kmemleak=scan kmemleak=clear 

But, I think, the solution I proposed with these parameters will be correct, based on the logic of this subset of the Linux kernel.

Eaglet wrote:

I am not forcing you to do anything if you have not noticed. A smart person will study the proposal, perhaps with the help of other people, if his knowledge is not enough, and then decide whether he needs it. Don't insult me with your distrust!

I didn't mean to insult you.

When it comes to my computer, I distrust ANYONE who hasn't already earned my trust over time.

Also, I run a web site that has had 22 million visits from all over the world. I study its server logs every day. In all these years, I can't even remember the last time my site received a visitor from Russia (you have since changed your location to USSR) that wasn't malicious and needed to be blocked. So, I am especially suspicious of security advice from anyone who is from Russia.

Sorry, my feelings are based on my own experience, and are not personal against you.

1. I, unlike you, trust only myself. 2. No need to spam and talk off topic. 3. In every country in the world there are different people, both good and bad. 4. This is my last reply to your posts, I will only reply to posts on a technical topic.

ComputerBob wrote:

In order for me to even CONSIDER making these types of changes, the person who wants me to do them has to be someone who has long- established themself as a TRUSTED expert who has a documented history of helping people like me.

I am not forcing you to do anything if you have not noticed. A smart person will study the proposal, perhaps with the help of other people, if his knowledge is not enough, and then decide whether he needs it. Don't insult me with your distrust!

I didn't mean to insult you.

When it comes to my computer, I distrust ANYONE who hasn't already earned my trust over time.

Also, I run a web site that has had 22 million visits from all over the world. I study its server logs every day. In all these years, I can't even remember the last time my site received a visitor from Russia (you have since changed your location to USSR) that wasn't malicious and needed to be blocked. So, I am especially suspicious of security advice from anyone who is from Russia.

Sorry, my feelings are based on my own experience, and are not personal against you.

Thanks for sharing

one should definitely read up on linux kernel parameters. https://www.kernel.org/doc/html/v4.14/a … eters.html

I tried a few of those parameters awhile ago, i think disabling smt caused my rig to lock up.

If you have problems booting with the new Linux kernel parameters, then you can edit the boot parameters in the Grub menu when the bootloader starts. Unfortunately, I cannot check the performance of these parameters on many computers, since I do not have such an opportunity. I only urge specialists, especially in information security, to carefully read the official documentation for the possibility of self-defense of the Linux kernel.

In order for me to even CONSIDER making these types of changes, the person who wants me to do them has to be someone who has long- established themself as a TRUSTED expert who has a documented history of helping people like me.

I am not forcing you to do anything if you have not noticed. A smart person will study the proposal, perhaps with the help of other people, if his knowledge is not enough, and then decide whether he needs it. Don't insult me with your distrust!

one should definitely read up on linux kernel parameters. https://www.kernel.org/doc/html/v4.14/a … eters.html

I tried a few of those parameters awhile ago, i think disabling smt caused my rig to lock up.

I've seen a number of people post these lists of "super secure settings" that the poster allegedly has learned about, but for which they leave little or no description as to what each change does. I can only assume that zero readers try them, since it's just a "trust me this works" list.

For an explanation of each kernel parameter, see the official documentation for the Linux kernel (different versions). You, if you have the necessary qualifications, can check each parameter I have given. I don't think you will argue that the official Linux kernel documentation is lying to you? ;-)

Eaglet wrote:

Smart people learn from their mistakes

Only a fool learns from their own mistakes

You are wrong: you cannot teach a fool, because he is a fool! ;-)

Smart people learn from their mistakes

Only a fool learns from their own mistakes

The hardening-runtime package will apply several of those parameters automatically.
Note that the kernel tuning can be applied via /etc/sysctl.d/ if a bootloader-independent configuration method is required.

1. The hardening-runtime package contains very few security options for the Linux kernel compared to the FULL list of security options that I have provided!

2. The hardening-runtime package contains very few security options for sysctl. I current use over 96 parameters in my sysctl.conf for heavy security hardening my Linux system: for kernel, network & etc.

I can read, study, analyze and apply the written in the documentation in the primary sources for Linux in practice. The Debian Help is very incomplete. As long as sysadmins, information security professionals, and engineers do not read the primary sources of technical information, the security of Linux systems will be threatened by their gullibility. I prefer to protect my systems myself, not using ready-made solutions with a limited (not complete) set of security parameters. My solutions take advantage of all the Linux systems security hardening capabilities that are provided by the Linux kernel, as well as those subsystems that are additionally used to secure Linux systems. Life and bitter practical experience taught me this. Smart people learn from their mistakes, it is impossible to teach fools!