-
Notifications
You must be signed in to change notification settings - Fork 51
/
990-security-misc.conf
178 lines (141 loc) · 5.75 KB
/
990-security-misc.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.
## NOTE:
## This file has a weird file name so /usr/lib/sysctl.d/99-protect-links.conf
## is parsed first and /usr/lib/sysctl.d/990-security-misc.conf is parsed
## afterwards. See also:
## https://github.com/Kicksecure/security-misc/pull/135
## Restricts the kernel log to root only.
kernel.dmesg_restrict=1
## Disables coredumps. This setting may be overwritten by systemd so this may not be useful.
## security-misc also disables coredumps in other ways.
kernel.core_pattern=|/bin/false
## Does not set coredump name to 'core' which is default. Defense in depth.
kernel.core_uses_pid=1
## Prevent setuid processes from creating coredumps.
fs.suid_dumpable=0
## Don't allow writes to files that we don't own
## in world writable sticky directories, unless
## they are owned by the owner of the directory.
fs.protected_fifos=2
fs.protected_regular=2
## Only allow symlinks to be followed when outside of
## a world-writable sticky directory, or when the owner
## of the symlink and follower match, or when the directory
## owner matches the symlink's owner.
##
## Prevent hardlinks from being created by users that do not
## have read/write access to the source file.
##
## These prevent many TOCTOU races.
fs.protected_symlinks=1
fs.protected_hardlinks=1
## Hides kernel addresses in various files in /proc.
## Kernel addresses can be very useful in certain exploits.
##
## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
kernel.kptr_restrict=2
## Improves ASLR effectiveness for mmap.
## Both explicit sysctl are made redundant due to automation
## https://forums.whonix.org/t/automate-mmap-randomisation-to-fix-ppc64el/16514
## Do NOT enable either - displaying only for clarity
##
#vm.mmap_rnd_bits=32
#vm.mmap_rnd_compat_bits=16
## Restricts the use of ptrace to root. This might break some programs running under WINE.
## A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. This can be done by running:
##
## sudo apt-get install libcap2-bin
## sudo setcap cap_sys_ptrace=eip /usr/bin/wineserver
## sudo setcap cap_sys_ptrace=eip /usr/bin/wine-preloader
kernel.yama.ptrace_scope=2
## Randomize the addresses for mmap base, heap, stack, and VDSO pages
kernel.randomize_va_space=2
## Hardens the BPF JIT compiler and restricts it to root.
kernel.unprivileged_bpf_disabled=1
net.core.bpf_jit_harden=2
## Disable asynchronous I/O for all processes.
## Valid only for linux kernel version >= 6.6.
## Command is retained here for future-proofing and completeness.
## https://forums.whonix.org/t/io-uring-security-vulnerabilties/16890/6
kernel.io_uring_disabled=2
#### meta start
#### project Kicksecure
#### category networking and security
#### description
## TCP/IP stack hardening
## A martian packet is a one with a source address which is blatantly wrong
## Recommended to keep a log of these to identify these suspicious packets
## Good for troubleshooting and diagnostics but not necessary by default.
## Caused issue:
## https://github.com/Kicksecure/security-misc/issues/214
#net.ipv4.conf.all.log_martians=1
#net.ipv4.conf.default.log_martians=1
## Protects against time-wait assassination.
## It drops RST packets for sockets in the time-wait state.
net.ipv4.tcp_rfc1337=1
## Disables ICMP redirect acceptance.
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
## Disables ICMP redirect sending.
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
## Ignores ICMP requests.
net.ipv4.icmp_echo_ignore_all=1
net.ipv6.icmp.echo_ignore_all=1
## Ignores bogus ICMP error responses
net.ipv4.icmp_ignore_bogus_error_responses=1
## Enables TCP syncookies.
net.ipv4.tcp_syncookies=1
## Disable source routing.
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0
## Enable reverse path filtering to prevent IP spoofing and
## mitigate vulnerabilities such as CVE-2019-14899.
## https://forums.whonix.org/t/enable-reverse-path-filtering/8594
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1
#### meta end
## Previously disabled SACK, DSACK, and FACK.
## https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109
#net.ipv4.tcp_sack=0
#net.ipv4.tcp_dsack=0
#net.ipv4.tcp_fack=0
#### meta start
#### project Kicksecure
#### category networking and security
#### description
## disable IPv4 TCP Timestamps
net.ipv4.tcp_timestamps=0
#### meta end
## Disable SysRq key
kernel.sysrq=0
## Restrict loading TTY line disciplines to CAP_SYS_MODULE to prevent
## unprivileged attackers from loading vulnerable line disciplines
## with the TIOCSETD ioctl which has been used in exploits before
## such as https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html
##
## https://lkml.org/lkml/2019/4/15/890
dev.tty.ldisc_autoload=0
## Restrict the userfaultfd() syscall to root as it can make heap sprays
## easier.
##
## https://duasynt.com/blog/linux-kernel-heap-spray
vm.unprivileged_userfaultfd=0
## Let the kernel only swap if it is absolutely necessary.
## Better not be set to zero:
## - https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Performance_Tuning_Guide/s-memory-tunables.html
## - https://en.wikipedia.org/wiki/Swappiness
vm.swappiness=1
## Disallow kernel profiling by users without CAP_SYS_ADMIN
## https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
kernel.perf_event_paranoid=3
## Do not accept router advertisements
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0