Kicksecure · adrelanos · May 16, 2019 · May 6, 2019 · May 6, 2019 · May 6, 2019
diff --git a/etc/sysctl.d/fs_protected.conf b/etc/sysctl.d/fs_protected.conf
@@ -0,0 +1,3 @@
+# Makes some data spoofing attacks harder.
+fs.protected_fifos=2
+fs.protected_regular=2
diff --git a/etc/sysctl.d/kexec.conf b/etc/sysctl.d/kexec.conf
@@ -0,0 +1,2 @@
+# Disables kexec which can be used to replace the running kernel 
+kernel.kexec_load_disabled=1
diff --git a/etc/sysctl.d/ptrace_scope.conf b/etc/sysctl.d/ptrace_scope.conf
@@ -0,0 +1,7 @@
+# Restricts the use of ptrace to root. This might break some programs running under WINE.
+# A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. This can be done by running:
+#
+# sudo apt-get install libcap2-bin 
+# sudo setcap cap_sys_ptrace=eip /usr/bin/wineserver
+# sudo setcap cap_sys_ptrace=eip /usr/bin/wine-preloader
+kernel.yama.ptrace_scope=2
diff --git a/etc/sysctl.d/tcp_hardening.conf b/etc/sysctl.d/tcp_hardening.conf
@@ -0,0 +1,19 @@
+## TCP/IP stack hardening 
+
+# Protects against time-wait assassination. It drops RST packets for sockets in the time-wait state.
+net.ipv4.tcp_rfc1337=1
+
+# Disables ICMP redirect acceptance.
+net.ipv4.conf.all.accept_redirects=0
+net.ipv4.conf.default.accept_redirects=0
+net.ipv4.conf.all.secure_redirects=0
+net.ipv4.conf.default.secure_redirects=0
+net.ipv6.conf.all.accept_redirects=0
+net.ipv6.conf.default.accept_redirects=0
+
+# Disables ICMP redirect sending.
+net.ipv4.conf.all.send_redirects=0
+net.ipv4.conf.default.send_redirects=0
+
+# Ignores ICMP requests
+net.ipv4.icmp_echo_ignore_all=1