shuffle
This commit is contained in:
parent
82bd9138de
commit
2634dbff2b
@ -7,20 +7,18 @@
|
||||
## afterwards. See also:
|
||||
## https://github.com/Kicksecure/security-misc/pull/135
|
||||
|
||||
## Restricts the kernel log to root only.
|
||||
kernel.dmesg_restrict=1
|
||||
|
||||
## Disables coredumps. This setting may be overwritten by systemd so this may not be useful.
|
||||
## security-misc also disables coredumps in other ways.
|
||||
kernel.core_pattern=|/bin/false
|
||||
|
||||
## Restricts the kernel log to root only.
|
||||
kernel.dmesg_restrict=1
|
||||
|
||||
## Does not set coredump name to 'core' which is default. Defense in depth.
|
||||
kernel.core_uses_pid=1
|
||||
|
||||
## A martian packet is a one with a source address which is blatantly wrong
|
||||
## Recommended to keep a log of these to identify these suspicious packets
|
||||
net.ipv4.conf.all.log_martians=1
|
||||
net.ipv4.conf.default.log_martians=1
|
||||
## Prevent setuid processes from creating coredumps.
|
||||
fs.suid_dumpable=0
|
||||
|
||||
## Don't allow writes to files that we don't own
|
||||
## in world writable sticky directories, unless
|
||||
@ -40,10 +38,6 @@ fs.protected_regular=2
|
||||
fs.protected_symlinks=1
|
||||
fs.protected_hardlinks=1
|
||||
|
||||
## Hardens the BPF JIT compiler and restricts it to root.
|
||||
kernel.unprivileged_bpf_disabled=1
|
||||
net.core.bpf_jit_harden=2
|
||||
|
||||
## Hides kernel addresses in various files in /proc.
|
||||
## Kernel addresses can be very useful in certain exploits.
|
||||
##
|
||||
@ -66,18 +60,24 @@ kernel.kptr_restrict=2
|
||||
## sudo setcap cap_sys_ptrace=eip /usr/bin/wine-preloader
|
||||
kernel.yama.ptrace_scope=2
|
||||
|
||||
## Prevent setuid processes from creating coredumps.
|
||||
fs.suid_dumpable=0
|
||||
|
||||
## Randomize the addresses for mmap base, heap, stack, and VDSO pages
|
||||
kernel.randomize_va_space=2
|
||||
|
||||
## Hardens the BPF JIT compiler and restricts it to root.
|
||||
kernel.unprivileged_bpf_disabled=1
|
||||
net.core.bpf_jit_harden=2
|
||||
|
||||
#### meta start
|
||||
#### project Kicksecure
|
||||
#### category networking and security
|
||||
#### description
|
||||
## TCP/IP stack hardening
|
||||
|
||||
## A martian packet is a one with a source address which is blatantly wrong
|
||||
## Recommended to keep a log of these to identify these suspicious packets
|
||||
net.ipv4.conf.all.log_martians=1
|
||||
net.ipv4.conf.default.log_martians=1
|
||||
|
||||
## Protects against time-wait assassination.
|
||||
## It drops RST packets for sockets in the time-wait state.
|
||||
net.ipv4.tcp_rfc1337=1
|
||||
|
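Review bot: The rendered view has dropped the +/- markers, so this page cannot confirm that each relocated key was removed at its old position — kernel.dmesg_restrict, fs.suid_dumpable, net.ipv4.conf.all/default.log_martians, kernel.unprivileged_bpf_disabled and net.core.bpf_jit_harden each appear twice across the three hunks, and sysctl applies a duplicated key silently with the last value winning, so a leftover copy would not surface as an error. Please verify the resulting file sets each of those keys exactly once, e.g. `grep -c '^kernel.dmesg_restrict=' <sysctl-file>` should print 1 (the file path is not visible on this page). The `#### meta start` / `#### project` / `#### category` / `#### description` lines in the last hunk look like a file-header metadata block that now sits mid-file with no `#### meta end` in view; if they are only meant to introduce the network settings, a plain `## TCP/IP stack hardening` heading comment would be clearer, and if they are a remnant of merging two files they should move to the top of the file. The file continues outside these hunks, so the rest of the ordering was not reviewed.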