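## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

## NOTE:
## This file has a special name to ensure that /usr/lib/sysctl.d/99-protect-links.conf
## is parsed first, followed by /usr/lib/sysctl.d/990-security-misc.conf.
## https://github.com/Kicksecure/security-misc/pull/135

## Definitions:
## KSPP=yes: compliant with recommendations by the KSPP
## KSPP=partial: partially compliant with recommendations by the KSPP
## KSPP=no: not (currently) compliant with recommendations by the KSPP
## If there is no explicit KSPP compliance notice, the setting is not mentioned by the KSPP.

## This configuration file is divided into 5 sections:
## 1. Kernel Space
## 2. User Space
## 3. Core Dumps
## 4. Swap Space
## 5. Networking

## For detailed explanations of most of the selected commands, refer to:
## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html
## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/fs.html
## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/net.html
## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/vm.html
## https://www.kernel.org/doc/html/latest//networking/ip-sysctl.html

## 1. Kernel Space:
##
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
## https://kspp.github.io/Recommended_Settings#sysctls
## https://wiki.archlinux.org/title/Security#Kernel_hardening

## Restrict kernel address visibility via /proc and other interfaces, regardless of user privileges.
## Kernel pointers expose specific locations in kernel memory.
##
## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
##
## KSPP=yes
## KSPP sets the sysctl.
##
kernel.kptr_restrict=2

## Restrict access to the kernel log buffer to users with CAP_SYSLOG.
## Kernel logs often contain sensitive information such as kernel pointers.
##
## KSPP=yes
## KSPP sets the sysctl and CONFIG_SECURITY_DMESG_RESTRICT=y.
##
kernel.dmesg_restrict=1

## Prevent kernel information leaks in the console during boot.
## Must be used in conjunction with kernel boot parameters.
## See /etc/default/grub.d/41_quiet_boot.cfg for implementation.
##
## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html
##
## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation.
##
#kernel.printk=3 3 3 3

## Restrict eBPF access to CAP_BPF.
## Disables unprivileged calls to bpf() without recovery: once set to 1 it cannot be reverted at runtime, only by reboot.
##
## https://en.wikipedia.org/wiki/EBPF#Security
## https://lwn.net/Articles/660331/
##
## KSPP=yes
## KSPP sets the sysctl.
##
kernel.unprivileged_bpf_disabled=1

## Restrict loading TTY line disciplines to users with CAP_SYS_MODULE.
## Prevents unprivileged users from loading vulnerable line disciplines with the TIOCSETD ioctl.
##
## https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html
## https://lkml.org/lkml/2019/4/15/890
##
## KSPP=yes
## KSPP sets the sysctl and does not set CONFIG_LDISC_AUTOLOAD.
##
dev.tty.ldisc_autoload=0

## Restrict the userfaultfd() syscall to users with CAP_SYS_PTRACE.
## Reduces the likelihood of use-after-free exploits from heap sprays.
##
## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cefdca0a86be517bc390fc4541e3674b8e7803b0
## https://duasynt.com/blog/linux-kernel-heap-spray
##
## KSPP=yes
## KSPP sets the sysctl.
##
vm.unprivileged_userfaultfd=0

## Disables kexec, which can be used to replace the running kernel.
## kexec is useful for live kernel patching without rebooting.
##
## https://en.wikipedia.org/wiki/Kexec
##
## See /usr/lib/sysctl.d/30_security-misc_kexec-disable.conf for implementation.
##
## KSPP=yes
## KSPP sets the sysctl and does not set CONFIG_KEXEC.
##
#kernel.kexec_load_disabled=1

## Disable the SysRq key to prevent leakage of kernel information.
## The Secure Attention Key (SAK) can no longer be utilized.
##
## https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html
## https://www.kicksecure.com/wiki/SysRq
## https://github.com/xairy/unlockdown
##
## KSPP=yes
## KSPP sets the less strict CONFIG_MAGIC_SYSRQ_DEFAULT_ENABLE=176.
##
kernel.sysrq=0

## Restrict user namespaces to users with CAP_SYS_ADMIN.
## User namespaces aim to improve sandboxing and accessibility for unprivileged users.
## Unprivileged user namespaces pose substantial privilege escalation risks.
## Restricting may lead to breakages in numerous software packages.
##
## Flatpak requires unprivileged users to create new user namespaces for sandboxing.
## https://github.com/flatpak/flatpak/wiki/User-namespace-requirements
## https://salsa.debian.org/debian/bubblewrap/-/blob/debian/latest/debian/README.Debian
## https://forums.kicksecure.com/t/can-not-run-flatpak-apps-after-kicksecure-update/592
##
## Disabling entirely will reduce compatibility with some AppArmor profiles.
## Disabling entirely is known to break the UPower systemd service.
##
## Also breaks (some?) AppImages.
## https://forums.kicksecure.com/t/cannot-run-some-appimage-apps-after-kicksecure-upate/594
##
## Might also break evolution (e-mail client):
## https://forums.kicksecure.com/t/impossible-to-start-evolution-app-since-the-last-update/601
##
## https://lwn.net/Articles/673597/
## https://madaidans-insecurities.github.io/linux.html#kernel
## https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction
## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers
## https://github.com/NixOS/nixpkgs/pull/84522#issuecomment-614640601
## https://github.com/flatpak/flatpak/wiki/User-namespace-requirements
## https://github.com/Kicksecure/security-misc/pull/263
## https://github.com/Kicksecure/security-misc/issues/274
##
## KSPP=no
## KSPP sets the user.max_user_namespaces=0 sysctl, a stricter Linux mainline setting.
##
## kernel.unprivileged_userns_clone is a Debian-specific kernel feature, not Linux mainline.
#kernel.unprivileged_userns_clone=0
## Uncomment the following sysctl to entirely disable user namespaces.
#user.max_user_namespaces=0

## Restricts kernel profiling to users with CAP_PERFMON.
## The performance events system should not be accessible by unprivileged users.
## Other distributions such as Ubuntu and Fedora may permit further restriction.
##
## https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html#unprivileged-users
## https://lore.kernel.org/kernel-hardening/1469630746-32279-1-git-send-email-jeffv@google.com/
##
## KSPP=yes
## KSPP sets the sysctl.
##
kernel.perf_event_paranoid=3

## Force the kernel to panic on "oopses" and kernel warnings in the WARN() path.
## Can sometimes indicate and thwart certain kernel exploitation attempts.
## Panics may be due to false-positives such as bad drivers.
## Oopses are serious but non-fatal errors.
## Kernel warnings are emitted when execution reaches the location of a WARN().
##
## https://en.wikipedia.org/wiki/Kernel_panic#Linux
## https://en.wikipedia.org/wiki/Linux_kernel_oops
## https://en.wikipedia.org/wiki/Kdump_(Linux)
## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panisc-on-oops-1-sysctl-for-better-security/7713
##
## KSPP=partial
## KSPP sets the sysctls, CONFIG_PANIC_ON_OOPS=y, but also requires CONFIG_PANIC_TIMEOUT=-1.
##
## See /usr/libexec/security-misc/panic-on-oops for implementation.
##
## TODO: Debian 13 Trixie
## The limits are applicable when using Linux kernel >= 6.2 (retained here for future-proofing and completeness).
##
#kernel.panic=-1
#kernel.panic_on_oops=1
#kernel.panic_on_warn=1
#kernel.oops_limit=1
#kernel.warn_limit=1

## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
## Can lead to privilege escalation by pushing characters into a controlling TTY.
## Will break outdated screen readers that continue to rely on this legacy functionality.
##
## https://lore.kernel.org/lkml/20221228205726.rfevry7ud6gmttg5@begin/T/
##
## KSPP=yes
## KSPP sets the sysctl and does not set CONFIG_LEGACY_TIOCSTI.
##
## TODO: Debian 13 Trixie
## This is disabled by default when using Linux kernel >= 6.2.
##
## NOTE(review): on kernels that do not expose this key, applying this file logs an error for this
## line; sysctl.d(5) allows a leading "-" on a key to suppress that error. Confirm before changing.
##
dev.tty.legacy_tiocsti=0

## Disable the io_uring asynchronous I/O interface for all processes.
## A leading source of numerous kernel exploits.
## Disabling will reduce the read/write performance of storage devices.
##
## https://en.wikipedia.org/wiki/Io_uring#Security
## https://lwn.net/Articles/902466/
## https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html
## https://github.com/moby/moby/pull/46762
## https://forums.whonix.org/t/io-uring-security-vulnerabilties/16890
##
## TODO: Debian 13 Trixie
## Applicable when using Linux kernel >= 6.6 (retained here for future-proofing and completeness).
##
## NOTE(review): same caveat as dev.tty.legacy_tiocsti above - on older kernels without this key,
## applying this file logs an error for this line.
##
kernel.io_uring_disabled=2

## 2. User Space:
##
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace

## Restrict usage of the ptrace() system call to only processes with CAP_SYS_PTRACE.
## Limit ptrace() as it enables programs to inspect and modify other active processes.
## Prevents native code debugging which some programs use as a method to detect tampering.
## May cause breakages in 'anti-cheat' software and programs running under Proton/WINE.
##
## https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html#ptrace-scope
## https://en.wikipedia.org/wiki/Ptrace
## https://grapheneos.org/features#attack-surface-reduction
## https://github.com/GrapheneOS/os-issue-tracker/issues/651#issuecomment-917599928
## https://github.com/netblue30/firejail/issues/2860
##
## KSPP=partial
## KSPP sets the stricter sysctl kernel.yama.ptrace_scope=3.
##
## It is possible to harden further by disabling ptrace() for all users, see documentation.
## https://github.com/Kicksecure/security-misc/pull/242
##
kernel.yama.ptrace_scope=2

## Maximize bits of entropy for improved effectiveness of mmap ASLR.
## The maximum number of bits depends on CPU architecture (the ones shown below are for x86).
## Both explicit sysctls are made redundant by automation.
## Do NOT enable either sysctl - they are shown only for clarity.
##
## https://forums.whonix.org/t/automate-mmap-randomisation-to-fix-ppc64el/16514
##
## See /usr/libexec/security-misc/mmap-rnd-bits for implementation.
##
#vm.mmap_rnd_bits=32
#vm.mmap_rnd_compat_bits=16

## Prevent hardlink creation by users who do not have read/write/ownership of the source file.
## Only allow symlinks to be followed when outside of world-writable sticky directories.
## Allow symlinks when the owner and follower match or when the directory owner matches the symlink's owner.
## Hardens cross-privilege boundaries if a root process follows a hardlink/symlink belonging to another user.
## This mitigates many hardlink/symlink-based TOCTOU races in world-writable directories like /tmp.
##
## https://wiki.archlinux.org/title/Security#File_systems
## https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=/tmp
## https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use#Preventing_TOCTOU
##
## KSPP=yes
## KSPP sets the sysctls.
##
fs.protected_hardlinks=1
fs.protected_symlinks=1

## Disallow writes to files in world-writable sticky directories unless owned by the directory owner.
## Also applies to group-writable sticky directories to make data spoofing attacks more difficult.
## Prevents unintentional writes to attacker-controlled files.
##
## KSPP=yes
## KSPP sets the sysctls.
##
fs.protected_fifos=2
fs.protected_regular=2

## Enable ASLR for mmap base, stack, VDSO pages, and heap.
## Forces shared libraries to be loaded to random addresses.
## Start location of PIE-linked binaries is randomized.
## Heap randomization can lead to breakages with legacy applications.
##
## https://en.wikipedia.org/wiki/Address_space_layout_randomization#Linux
##
## KSPP=yes
## KSPP sets the sysctl.
##
kernel.randomize_va_space=2

## Raise the minimum address a process can request for memory mapping to 64KB as a form of defense-in-depth.
## Prevents kernel null pointer dereference vulnerabilities which may trigger kernel panics.
## Protects against local unprivileged users gaining root privileges by mapping data to low memory pages.
## Some legacy applications may still depend on low virtual memory addresses for proper functionality.
##
## https://googleprojectzero.blogspot.com/2023/01/exploiting-null-dereferences-in-linux.html
## https://access.redhat.com/articles/20484
## https://wiki.debian.org/mmap_min_addr
##
## KSPP=yes
## KSPP sets CONFIG_DEFAULT_MMAP_MIN_ADDR=65536.
##
vm.mmap_min_addr=65536

## Increase the maximum number of memory map areas a process is permitted to utilize.
## Addresses performance, crash, and start-up issues for some memory-intensive applications.
## Required to accommodate the very large number of guard pages created by hardened_malloc.
## Kicksecure version 18 will deprecate hardened_malloc, so this sysctl will be applied here instead.
##
## https://archlinux.org/news/increasing-the-default-vmmax_map_count-value/
## https://github.com/GrapheneOS/hardened_malloc#traditional-linux-based-operating-systems
## https://github.com/Kicksecure/hardened_malloc/blob/master/debian/hardened_malloc.conf
## https://www.kicksecure.com/wiki/Hardened_Malloc#Deprecation_in_Kicksecure
##
vm.max_map_count=1048576

## Disable the miscellaneous binary format virtual file system to prevent unintended code execution.
## Prevents registering interpreters for various binary formats based on a magic number or their file extension.
## Otherwise arbitrary executables with recognized file formats will be passed to relevant user space applications.
## These interpreters will then run with root permissions when a setuid binary is owned by root.
## Can stop maliciously crafted files with specific file extensions from automatically executing.
## Breaks many scripts that do not have appropriate shebang interpreter directives (#!/bin/...).
##
## https://www.kernel.org/doc/html/latest/admin-guide/binfmt-misc.html
## https://salsa.debian.org/debian/binfmt-support
## https://access.redhat.com/solutions/1985633
## https://en.wikipedia.org/wiki/Binfmt_misc
## https://security.stackexchange.com/questions/271786/does-allowing-binfmt-misc-significantly-increase-the-attack-surface-for-unprivil
## https://unix.stackexchange.com/questions/439569/what-kinds-of-executable-formats-do-the-files-under-proc-sys-fs-binfmt-misc-al
## https://github.com/Kicksecure/security-misc/pull/249
##
## KSPP=no
## KSPP does not set CONFIG_BINFMT_MISC.
##
## This is disabled by default due to file/folder permission issues:
## https://github.com/Kicksecure/security-misc/issues/267
##
#fs.binfmt_misc.status=0

## 3. Core Dumps:
##
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps

## Disable core dump files by piping every core dump to /bin/false, which discards it.
## This setting may be overridden by systemd and is not comprehensive.
## Core dumps are also disabled in security-misc via other means.
##
## https://wiki.archlinux.org/title/Core_dump#Disabling_automatic_core_dumps
##
kernel.core_pattern=|/bin/false

## Prevent setuid processes or otherwise protected/tainted binaries from creating core dumps.
## Any process which has changed privilege levels or is execute-only will not be dumped.
##
## KSPP=yes
## KSPP sets the sysctl.
##
fs.suid_dumpable=0

## Set core dump file name to 'core.PID' instead of 'core' as a form of defense-in-depth.
## If core dumps are permitted, only useful if PID listings are hidden from non-root users.
##
kernel.core_uses_pid=1

## 4. Swap Space:
##
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#swap

## Limit the copying of memory to the swap device only if absolutely necessary.
## Minimizes the likelihood of writing potentially sensitive contents to disk.
## Not recommended to set to zero since this disables periodic write behavior.
##
## https://en.wikipedia.org/wiki/Memory_paging#Linux
## https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Performance_Tuning_Guide/s-memory-tunables.html
##
vm.swappiness=1

## 5. Networking:
##
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-network
## https://wiki.archlinux.org/title/Sysctl#TCP/IP_stack_hardening

## Enable hardening of the BPF JIT compiler for all users.
## Provides some mitigation against JIT spraying.
##
## https://en.wikipedia.org/wiki/JIT_spraying
## https://www.blackhat.com/docs/eu-16/materials/eu-16-Reshetova-Randomization-Can't-Stop-BPF-JIT-Spray-wp.pdf
## https://lwn.net/Articles/686098/
## https://lwn.net/Articles/525609/
##
## KSPP=yes
## KSPP sets the sysctl.
##
net.core.bpf_jit_harden=2

## Enable TCP SYN cookie protection to assist against SYN flood attacks.
##
## https://en.wikipedia.org/wiki/SYN_flood
## https://cateee.net/lkddb/web-lkddb/SYN_COOKIES.html
##
## KSPP=yes
## KSPP sets CONFIG_SYN_COOKIES=y.
##
net.ipv4.tcp_syncookies=1

## Protect against TCP time-wait assassination hazards.
## Drops RST packets for sockets in the time-wait state.
##
## https://tools.ietf.org/html/rfc1337
##
net.ipv4.tcp_rfc1337=1

## Enable reverse path filtering (source validation) of packets received from all interfaces.
## Prevents IP spoofing and mitigates vulnerabilities such as CVE-2019-14899.
## The second "default" entry fixes a bug in the existing kernel implementation.
##
## https://en.wikipedia.org/wiki/IP_address_spoofing
## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-reverse_path_forwarding#sect-Security_Guide-Server_Security-Reverse_Path_Forwarding
## https://forums.whonix.org/t/enable-reverse-path-filtering/8594
## https://seclists.org/oss-sec/2019/q4/122
## https://github.com/Kicksecure/security-misc/pull/261
##
## NOTE(review): value 1 is strict mode; multi-homed hosts with asymmetric routing may need
## the loose mode (2) instead - confirm against the deployment before relaxing.
##
net.ipv4.conf.*.rp_filter=1
net.ipv4.conf.default.rp_filter=1

## Disable ICMP redirect acceptance and redirect sending messages.
## Prevents man-in-the-middle attacks and minimizes information disclosure.
## If ICMP redirects are permitted, accept messages only through approved gateways (kernel default).
## Approving gateways requires managing a default gateway list.
##
## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-disable-source-routing#sect-Security_Guide-Server_Security-Disable-Source-Routing
## https://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/theconfvariables.html
## https://www.debian.org/doc/manuals/securing-debian-manual/network-secure.en.html
## https://askubuntu.com/questions/118273/what-are-icmp-redirects-and-should-they-be-blocked
## https://github.com/Kicksecure/security-misc/pull/248
##
net.ipv4.conf.*.accept_redirects=0
net.ipv4.conf.*.send_redirects=0
net.ipv6.conf.*.accept_redirects=0
#net.ipv4.conf.*.secure_redirects=1

## Enable ARP (Address Resolution Protocol) filtering.
## Prevents the Linux kernel from handling the ARP table globally.
## Can mitigate some ARP spoofing and ARP cache poisoning attacks.
## Improper filtering can lead to increased ARP traffic and inadvertently block legitimate ARP requests.
##
## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
##
#net.ipv4.conf.*.arp_filter=1

## Drop gratuitous ARP (Address Resolution Protocol) packets.
## Stops ARP responses sent by a device without having been explicitly requested.
## Prevents ARP cache poisoning by rejecting fake ARP entries on the network.
## Prevents man-in-the-middle and denial-of-service attacks.
## May cause breakages when ARP proxies are used in the network.
##
## https://cyber.gouv.fr/sites/default/files/document/linux_configuration-en-v2.pdf
## https://patchwork.ozlabs.org/project/netdev/patch/1428652454-1224-3-git-send-email-johannes@sipsolutions.net/
## https://www.practicalnetworking.net/series/arp/gratuitous-arp/
##
#net.ipv4.conf.*.drop_gratuitous_arp=1

## Ignore ICMP echo requests.
## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks.
##
## https://en.wikipedia.org/wiki/Smurf_attack
##
net.ipv4.icmp_echo_ignore_all=1
net.ipv6.icmp.echo_ignore_all=1

## Ignore bogus ICMP error responses.
## Mitigates attacks designed to fill log files with useless error messages.
##
net.ipv4.icmp_ignore_bogus_error_responses=1

## Disable source routing which allows users to redirect network traffic.
## Prevents man-in-the-middle attacks in which the traffic is redirected.
##
## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-disable-source-routing
##
net.ipv4.conf.*.accept_source_route=0
net.ipv6.conf.*.accept_source_route=0

## Do not accept IPv6 router advertisements and solicitations.
##
net.ipv6.conf.*.accept_ra=0

## Disable SACK and DSACK.
## Selective acknowledgements (SACKs) are a known common vector of exploitation.
## Duplicate selective acknowledgements (DSACKs) are an extension of SACK.
## Disabling can cause severe connectivity issues on networks with high latency or packet loss.
## Enabling on stable high-bandwidth networks can lead to reduced efficiency of TCP connections.
##
## https://datatracker.ietf.org/doc/html/rfc2018
## https://datatracker.ietf.org/doc/html/rfc2883
## https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
## https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
## https://wiki.archlinux.org/title/Sysctl#TCP_Selective_Acknowledgement
## https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109/5
##
## SACK and DSACK are currently enabled.
##
#net.ipv4.tcp_sack=0
#net.ipv4.tcp_dsack=0

## Disable TCP timestamps to limit device fingerprinting via system time.
## Timestamps allow round-trip time measurement and protection against wrapped sequence numbers.
## Disabling timestamps on very fast links is likely to cause TCP sequence numbers to wrap.
## Segments with wrapped numbers will be incorrectly discarded, reducing network performance.
##
## https://datatracker.ietf.org/doc/html/rfc1323
## https://forums.whonix.org/t/do-ntp-and-tcp-timestamps-really-leak-your-local-time/7824
## https://web.archive.org/web/20170201160732/https://mailman.boum.org/pipermail/tails-dev/2013-December/004520.html
## https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
##
net.ipv4.tcp_timestamps=0

## Enable logging of packets with impossible source or destination addresses.
## Martian and unroutable packets may be used for malicious purposes.
## Recommended to keep a (kernel dmesg) log of these to identify suspicious packets.
## Useful for troubleshooting and diagnostics but not necessary by default.
## Known to cause performance issues, especially on systems with multiple interfaces.
##
## https://wiki.archlinux.org/title/Sysctl#Log_martian_packets
## https://github.com/Kicksecure/security-misc/issues/214
##
## The logging of martian packets is currently disabled.
##
#net.ipv4.conf.*.log_martians=1

## Enable IPv6 Privacy Extensions to prefer temporary addresses over public addresses.
## The temporary/privacy address is used as the source for all outgoing traffic.
## Must be used in combination with /usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf.
## Must be used in combination with /usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf.
## Should be used with MAC randomization in /usr/lib/NetworkManager/conf.d/80_randomize-mac.conf.
##
## MAC randomization breaks root server and VirtualBox DHCP, likely due to IPv6 Privacy Extensions.
##
## https://datatracker.ietf.org/doc/html/rfc4941
## https://github.com/Kicksecure/security-misc/pull/145
## https://github.com/Kicksecure/security-misc/issues/184
##
## The use of IPv6 Privacy Extensions is currently disabled due to these breakages.
##
#net.ipv6.conf.*.use_tempaddr=2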