mirror of
https://github.com/Kicksecure/security-misc.git
synced 2024-12-23 01:13:40 +07:00
Refactor existing sysctl for clarity
This commit is contained in:
parent
f34b9d7c45
commit
2de3a79599
96
README.md
96
README.md
@ -6,57 +6,76 @@ This section is inspired by the Kernel Self Protection Project (KSPP). It
|
||||
implements all recommended Linux kernel settings by the KSPP and many more.
|
||||
|
||||
- https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project
|
||||
- https://kspp.github.io/Recommended_Settings
|
||||
|
||||
### sysctl
|
||||
|
||||
sysctl settings are configured via the `/etc/sysctl.d/30_security-misc.conf`
|
||||
sysctl settings are configured via the `/usr/lib/sysctl.d/990-security-misc.conf`
|
||||
configuration file.
|
||||
|
||||
- A kernel pointer points to a specific location in kernel memory. These can
|
||||
be very useful in exploiting the kernel so they are restricted to
|
||||
`CAP_SYSLOG`.
|
||||
Significant hardening is applied by default to a myriad of components within kernel
|
||||
space, user space, core dumps, and swap space.
|
||||
|
||||
- The kernel logs are restricted to `CAP_SYSLOG` as they can often leak
|
||||
sensitive information such as kernel pointers.
|
||||
- Restrict kernel addresses regardless of user privileges.
|
||||
|
||||
- The `ptrace()` system call is restricted to `CAP_SYS_PTRACE`.
|
||||
- Restrict access to the kernel logs to `CAP_SYSLOG` as the often contain
|
||||
sensitive information.
|
||||
|
||||
- eBPF is restricted to `CAP_BPF` (`CAP_SYS_ADMIN` on kernel versions prior to
|
||||
5.8) and JIT hardening techniques such as constant blinding are enabled.
|
||||
- Prevent kernel information leaks in the console during boot.
|
||||
|
||||
- Restricts performance events to `CAP_PERFMON` (`CAP_SYS_ADMIN` on kernel
|
||||
versions prior to 5.8).
|
||||
- Restrict eBPF access to `CAP_BPF` and enable associated JIT compiler hardening.
|
||||
|
||||
- Restricts loading line disciplines to `CAP_SYS_MODULE` to prevent
|
||||
unprivileged attackers from loading vulnerable line disciplines with the
|
||||
`TIOCSETD` ioctl which has been abused in a number of exploits before.
|
||||
- Restrict loading TTY line disciplines to `CAP_SYS_MODULE`.
|
||||
|
||||
- Restricts the `userfaultfd()` syscall to `CAP_SYS_PTRACE` as `userfaultfd()`
|
||||
is often abused to exploit use-after-free flaws.
|
||||
- Restricts the `userfaultfd()` syscall to `CAP_SYS_PTRACE` which reduces the
|
||||
likelihood of use-after-free exploits.
|
||||
|
||||
- Kexec is disabled as it can be used to load a malicious kernel and gain
|
||||
arbitrary code execution in kernel mode.
|
||||
- Disable `kexec` as it can be used to replace the running kernel.
|
||||
|
||||
- Randomises the addresses for mmap base, heap, stack, and VDSO pages.
|
||||
- Entirely disables the SysRq key so that the Secure Attention Key (SAK)
|
||||
can no longer be utilised.
|
||||
|
||||
- Prevents unintentional writes to attacker-controlled files.
|
||||
- Restrict kernel profiling and the performance events system to `CAP_PERFMON`.
|
||||
|
||||
- Prevents common symlink and hardlink TOCTOU races.
|
||||
- Randomise the addresses (ASLR) for mmap base, stack, VDSO pages, and heap.
|
||||
|
||||
- Disables SysRq key completely.
|
||||
* Therefore Secure Attention Key (SAK) cannot be used.
|
||||
* https://www.kicksecure.com/wiki/SysRq
|
||||
- Disable asynchronous I/O (when using Linux kernel version >= 6.6).
|
||||
|
||||
- The kernel is only allowed to swap if it is absolutely necessary. This
|
||||
prevents writing potentially sensitive contents of memory to disk.
|
||||
- Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it
|
||||
enables programs to inspect and modify other active processes.
|
||||
|
||||
- TCP timestamps are disabled as it can allow detecting the system time.
|
||||
- Prevent hardlink and symlink TOCTOU races in world-writable directories.
|
||||
|
||||
- Set coredump file name based on core_pattern value instead of the default of
|
||||
naming it 'core'.
|
||||
- Disallow unintentional writes to attacker-controlled files.
|
||||
|
||||
- Will disable `io_uring` interface for performing asynchronous I/O as it has
|
||||
historically been a significant attack surface.
|
||||
- Increase the maximum number of memory map areas a process is able to utilise.
|
||||
|
||||
- Disable core dump files and prevent their creation.
|
||||
|
||||
- Limit the copying of potentially sensitive content in memory to the swap device.
|
||||
|
||||
Various networking components of the TCP/IP stack are hardened for IPv4/6.
|
||||
|
||||
- Enable TCP SYN cookie protection to assist against SYN flood attacks.
|
||||
|
||||
- Protect against TCP time-wait assassination hazards.
|
||||
|
||||
- Enables reverse path filtering (source validation) of packets received
|
||||
from all interfaces to prevent IP spoofing.
|
||||
|
||||
- Disable ICMP redirect acceptance and redirect sending messages to
|
||||
prevent man-in-the-middle attacks and minimise information disclosure.
|
||||
|
||||
- Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks.
|
||||
|
||||
- Ignore bogus ICMP error responses.
|
||||
|
||||
- Disable source routing which allows users redirect network traffic that
|
||||
can result in man-in-the-middle attacks.
|
||||
|
||||
- Do not accept IPv6 router advertisements and solicitations.
|
||||
|
||||
- Disable TCP timestamps as it can allow detecting the system time.
|
||||
|
||||
### mmap ASLR
|
||||
|
||||
@ -193,21 +212,6 @@ rather it is a form of badness enumeration.
|
||||
|
||||
## Network hardening
|
||||
|
||||
- TCP syncookies are enabled to prevent SYN flood attacks.
|
||||
|
||||
- ICMP redirect acceptance, ICMP redirect sending, source routing and IPv6
|
||||
router advertisements are disabled to prevent man-in-the-middle attacks.
|
||||
|
||||
- The kernel is configured to ignore all ICMP requests to avoid Smurf attacks,
|
||||
make the device more difficult to enumerate on the network and prevent clock
|
||||
fingerprinting through ICMP timestamps.
|
||||
|
||||
- RFC1337 is enabled to protect against time-wait assassination attacks by
|
||||
dropping RST packets for sockets in the time-wait state.
|
||||
|
||||
- Reverse path filtering is enabled to prevent IP spoofing and mitigate
|
||||
vulnerabilities such as CVE-2019-14899.
|
||||
|
||||
- Unlike version 4, IPv6 addresses can provide information not only about the
|
||||
originating network, but also the originating device. We prevent this from
|
||||
happening by enabling the respective privacy extensions for IPv6.
|
||||
|
2
debian/security-misc.maintscript
vendored
2
debian/security-misc.maintscript
vendored
@ -10,7 +10,7 @@ rm_conffile /etc/sysctl.d/sysrq.conf
|
||||
rm_conffile /etc/apparmor.d/usr.lib.security-misc.pam_tally2-info
|
||||
rm_conffile /etc/apparmor.d/usr.lib.security-misc.permission-lockdown
|
||||
|
||||
## merged into 1 file /etc/sysctl.d/30_security-misc.conf
|
||||
## merged into 3 files /usr/lib/sysctl.d/30_security-misc_kexec-disable.conf, /usr/lib/sysctl.d/30_silent-kernel-printk.conf, and /usr/lib/sysctl.d/990-security-misc.conf
|
||||
rm_conffile /etc/sysctl.d/fs_protected.conf
|
||||
rm_conffile /etc/sysctl.d/kptr_restrict.conf
|
||||
rm_conffile /etc/sysctl.d/suid_dumpable.conf
|
||||
|
@ -1,12 +1,11 @@
|
||||
## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
## Quote https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html
|
||||
##
|
||||
## kexec_load_disabled:
|
||||
##
|
||||
## A toggle indicating if the kexec_load syscall has been disabled. This value defaults to 0 (false: kexec_load enabled), but can be set to 1 (true: kexec_load disabled). Once true, kexec can no longer be used, and the toggle cannot be set back to false. This allows a kexec image to be loaded before disabling the syscall, allowing a system to set up (and later use) an image without it being altered. Generally used together with the "modules_disabled" sysctl.
|
||||
## Disables kexec which can be used to replace the running kernel.
|
||||
## Useful for live kernel patching without rebooting.
|
||||
##
|
||||
## https://en.wikipedia.org/wiki/Kexec
|
||||
##
|
||||
kernel.kexec_load_disabled=1
|
||||
|
||||
## Why is this in a dedicated config file?
|
||||
|
@ -1,8 +1,8 @@
|
||||
## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
## Prevent kernel info leaks in console during boot.
|
||||
## https://phabricator.whonix.org/T950
|
||||
## Prevent kernel information leaks in the console during boot.
|
||||
##
|
||||
kernel.printk = 3 3 3 3
|
||||
|
||||
## NOTE:
|
||||
|
@ -2,177 +2,322 @@
|
||||
## See the file COPYING for copying conditions.
|
||||
|
||||
## NOTE:
|
||||
## This file has a weird file name so /usr/lib/sysctl.d/99-protect-links.conf
|
||||
## is parsed first and /usr/lib/sysctl.d/990-security-misc.conf is parsed
|
||||
## afterwards. See also:
|
||||
## This file has a strange name so that `/usr/lib/sysctl.d/99-protect-links.conf` is
|
||||
## first parsed and then followed by `/usr/lib/sysctl.d/990-security-misc.conf`.
|
||||
## https://github.com/Kicksecure/security-misc/pull/135
|
||||
|
||||
## Restricts the kernel log to root only.
|
||||
kernel.dmesg_restrict=1
|
||||
## This configuration file is split into 5 sections:
|
||||
## 1. Kernel Space
|
||||
## 2. User Space
|
||||
## 3. Core Dumps
|
||||
## 4. Swap Space
|
||||
## 5. Networking
|
||||
|
||||
## Disables coredumps. This setting may be overwritten by systemd so this may not be useful.
|
||||
## security-misc also disables coredumps in other ways.
|
||||
kernel.core_pattern=|/bin/false
|
||||
## See the documentation below for details on the majority of the selected commands.
|
||||
## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html
|
||||
## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/fs.html
|
||||
## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/net.html
|
||||
## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/vm.html
|
||||
## https://www.kernel.org/doc/html/latest//networking/ip-sysctl.html
|
||||
|
||||
## Does not set coredump name to 'core' which is default. Defense in depth.
|
||||
kernel.core_uses_pid=1
|
||||
|
||||
## Prevent setuid processes from creating coredumps.
|
||||
fs.suid_dumpable=0
|
||||
|
||||
## Don't allow writes to files that we don't own
|
||||
## in world writable sticky directories, unless
|
||||
## they are owned by the owner of the directory.
|
||||
fs.protected_fifos=2
|
||||
fs.protected_regular=2
|
||||
|
||||
## Only allow symlinks to be followed when outside of
|
||||
## a world-writable sticky directory, or when the owner
|
||||
## of the symlink and follower match, or when the directory
|
||||
## owner matches the symlink's owner.
|
||||
## 1. Kernel Space:
|
||||
##
|
||||
## Prevent hardlinks from being created by users that do not
|
||||
## have read/write access to the source file.
|
||||
##
|
||||
## These prevent many TOCTOU races.
|
||||
fs.protected_symlinks=1
|
||||
fs.protected_hardlinks=1
|
||||
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
|
||||
## https://wiki.archlinux.org/title/Security#Kernel_hardening
|
||||
|
||||
## Hides kernel addresses in various files in /proc.
|
||||
## Kernel addresses can be very useful in certain exploits.
|
||||
## Restrict kernel addresses via /proc and other interfaces regardless of user privileges.
|
||||
## Kernel pointers expose specific locations in kernel memory.
|
||||
##
|
||||
## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
|
||||
##
|
||||
kernel.kptr_restrict=2
|
||||
|
||||
## Improves ASLR effectiveness for mmap.
|
||||
## Both explicit sysctl are made redundant due to automation
|
||||
## Restrict access to the kernel log buffer to CAP_SYSLOG.
|
||||
## Kernel logs often contain sensitive information such as kernel pointers.
|
||||
##
|
||||
kernel.dmesg_restrict=1
|
||||
|
||||
## Prevent kernel information leaks in the console during boot.
|
||||
##
|
||||
## See `/usr/lib/sysctl.d/30_silent-kernel-printk.conf` for implementation.
|
||||
##
|
||||
#kernel.printk=3 3 3 3s
|
||||
|
||||
## Restrict eBPF access to CAP_BPF and enable associated JIT compiler hardening.
|
||||
##
|
||||
## https://en.wikipedia.org/wiki/EBPF#Security
|
||||
##
|
||||
kernel.unprivileged_bpf_disabled=1
|
||||
net.core.bpf_jit_harden=2
|
||||
|
||||
## Restrict loading TTY line disciplines to CAP_SYS_MODULE.
|
||||
## Prevents unprivileged users loading vulnerable line disciplines with the TIOCSETD ioctl.
|
||||
##
|
||||
## https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html
|
||||
## https://lkml.org/lkml/2019/4/15/890
|
||||
##
|
||||
dev.tty.ldisc_autoload=0
|
||||
|
||||
## Restrict the userfaultfd() syscall to SYS_CAP_PTRACE.
|
||||
## Reduces likelihood of use-after-free exploits from heap sprays.
|
||||
##
|
||||
## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cefdca0a86be517bc390fc4541e3674b8e7803b0
|
||||
## https://duasynt.com/blog/linux-kernel-heap-spray
|
||||
##
|
||||
vm.unprivileged_userfaultfd=0
|
||||
|
||||
## Disables kexec which can be used to replace the running kernel.
|
||||
## Useful for live kernel patching without rebooting.
|
||||
##
|
||||
## https://en.wikipedia.org/wiki/Kexec
|
||||
##
|
||||
## See `/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf` for implementation.
|
||||
##
|
||||
#kernel.kexec_load_disabled=1
|
||||
|
||||
## Disable the SysRq key to prevent leakage of kernel information.
|
||||
## The Secure Attention Key (SAK) can no longer be utilised.
|
||||
##
|
||||
## https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html
|
||||
## https://www.kicksecure.com/wiki/SysRq
|
||||
## https://github.com/xairy/unlockdown
|
||||
##
|
||||
kernel.sysrq=0
|
||||
|
||||
## Restrict user namespaces to CAP_SYS_ADMIN.
|
||||
## User namespaces aim to improve sandboxing and accessibility for unprivileged users.
|
||||
## Unprivileged user namespaces pose substantial privilege escalation risks.
|
||||
## Restricting is well-known to cause breakages across numerous software.
|
||||
##
|
||||
## https://madaidans-insecurities.github.io/linux.html#kernel
|
||||
## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers
|
||||
##
|
||||
## Unprivileged user namespaces are currently enabled.
|
||||
##
|
||||
#kernel.unprivileged_userns_clone=0
|
||||
|
||||
## Restricts kernel profiling to CAP_PERFMON.
|
||||
## The performance events system should not be accessible by unprivileged users.
|
||||
##
|
||||
## https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html#unprivileged-users
|
||||
## https://lore.kernel.org/kernel-hardening/1469630746-32279-1-git-send-email-jeffv@google.com/
|
||||
##
|
||||
kernel.perf_event_paranoid=3
|
||||
|
||||
## Enable ASLR for mmap base, stack, VDSO pages, and heap.
|
||||
## Heap randomisation can lead to breakages with legacy applications.
|
||||
##
|
||||
## https://en.wikipedia.org/wiki/Address_space_layout_randomization#Linux
|
||||
##
|
||||
kernel.randomize_va_space=2
|
||||
|
||||
## Disable asynchronous I/O for all processes.
|
||||
##
|
||||
## https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html
|
||||
##
|
||||
## Applicable when using Linux kernel >= 6.6 (retained here for future-proofing and completeness).
|
||||
##
|
||||
kernel.io_uring_disabled=2
|
||||
|
||||
|
||||
## 2.User Space:
|
||||
##
|
||||
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace
|
||||
|
||||
## Restrict usage of the ptrace() system call to only processes with CAP_SYS_PTRACE.
|
||||
## Limit ptrace() as it enables programs to inspect and modify other active processes.
|
||||
## This may break some programs running under WINE.
|
||||
##
|
||||
## https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html#ptrace-scope
|
||||
##
|
||||
kernel.yama.ptrace_scope=2
|
||||
|
||||
## Maximise bits of entropy for improved effectiveness of mmap ASLR.
|
||||
## The maximum numbers of bits are dependent on CPU architecture (the ones shown below are for x86).
|
||||
## Both explicit sysctl are made redundant due to automation.
|
||||
## Do NOT enable either sysctl - displaying only for clarity.
|
||||
##
|
||||
## https://forums.whonix.org/t/automate-mmap-randomisation-to-fix-ppc64el/16514
|
||||
## Do NOT enable either - displaying only for clarity
|
||||
##
|
||||
## See `/usr/libexec/security-misc/mmap-rnd-bits` for implementation.
|
||||
##
|
||||
#vm.mmap_rnd_bits=32
|
||||
#vm.mmap_rnd_compat_bits=16
|
||||
|
||||
## Restricts the use of ptrace to root. This might break some programs running under WINE.
|
||||
## A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. This can be done by running:
|
||||
## Prevent hardlink creation by users who do not have read/write/ownership of source file.
|
||||
## Only allow symlinks to be followed when outside of a world-writable sticky directories.
|
||||
## Allow symlinks when the owner and follower match or when the directory owner matches the symlink's owner.
|
||||
## Hardens cross privilege boundaries if root process follows a hardlink/symlink belonging to another user.
|
||||
## This mitigates many hardlink/symlink-based TOCTOU races in world-writable directories like /tmp.
|
||||
##
|
||||
## sudo apt-get install libcap2-bin
|
||||
## sudo setcap cap_sys_ptrace=eip /usr/bin/wineserver
|
||||
## sudo setcap cap_sys_ptrace=eip /usr/bin/wine-preloader
|
||||
kernel.yama.ptrace_scope=2
|
||||
## https://wiki.archlinux.org/title/Security#File_systems
|
||||
## https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=/tmp
|
||||
## https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use#Preventing_TOCTOU
|
||||
##
|
||||
fs.protected_hardlinks=1
|
||||
fs.protected_symlinks=1
|
||||
|
||||
## Randomize the addresses for mmap base, heap, stack, and VDSO pages
|
||||
kernel.randomize_va_space=2
|
||||
## Disallow writes to files in world-writable sticky directories unless owned by the directory owner.
|
||||
## Also applies to group writable sticky directories to make data spoofing attacks more difficult.
|
||||
## Prevents unintentional writes to attacker-controlled files.
|
||||
##
|
||||
fs.protected_fifos=2
|
||||
fs.protected_regular=2
|
||||
|
||||
## Hardens the BPF JIT compiler and restricts it to root.
|
||||
kernel.unprivileged_bpf_disabled=1
|
||||
net.core.bpf_jit_harden=2
|
||||
## Increase the maximum number of memory map areas a process is permitted to utilise.
|
||||
## Addresses performance, crash, and start-up issues for some memory intensive applications.
|
||||
## Required to accommodate the very large number of guard pages created by hardened_malloc.
|
||||
## Kicksecure version 18 will deprecate hardened_malloc and so this sysctl will be applied here instead.
|
||||
##
|
||||
## https://archlinux.org/news/increasing-the-default-vmmax_map_count-value/
|
||||
## https://github.com/GrapheneOS/hardened_malloc#traditional-linux-based-operating-systems
|
||||
## https://github.com/Kicksecure/hardened_malloc/blob/master/debian/hardened_malloc.conf
|
||||
## https://www.kicksecure.com/wiki/Hardened_Malloc#Deprecation_in_Kicksecure
|
||||
##
|
||||
vm.max_map_count=1048576
|
||||
|
||||
## Disable asynchronous I/O for all processes.
|
||||
## Valid only for linux kernel version >= 6.6.
|
||||
## Command is retained here for future-proofing and completeness.
|
||||
## https://forums.whonix.org/t/io-uring-security-vulnerabilties/16890/6
|
||||
kernel.io_uring_disabled=2
|
||||
|
||||
#### meta start
|
||||
#### project Kicksecure
|
||||
#### category networking and security
|
||||
#### description
|
||||
## TCP/IP stack hardening
|
||||
## 3. Core Dumps:
|
||||
##
|
||||
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps
|
||||
|
||||
## A martian packet is a one with a source address which is blatantly wrong
|
||||
## Recommended to keep a log of these to identify these suspicious packets
|
||||
## Good for troubleshooting and diagnostics but not necessary by default.
|
||||
## Caused issue:
|
||||
## https://github.com/Kicksecure/security-misc/issues/214
|
||||
#net.ipv4.conf.all.log_martians=1
|
||||
#net.ipv4.conf.default.log_martians=1
|
||||
## Disable core dump files by preventing any pattern names.
|
||||
## This setting may be overwritten by systemd is is not comprehensive.
|
||||
## Core dumps are also disabled in security-misc via other means.
|
||||
##
|
||||
## https://wiki.archlinux.org/title/Core_dump#Disabling_automatic_core_dumps
|
||||
##
|
||||
kernel.core_pattern=|/bin/false
|
||||
|
||||
## Protects against time-wait assassination.
|
||||
## It drops RST packets for sockets in the time-wait state.
|
||||
## Prevent setuid processes or otherwise protected/tainted binaries from creating core dumps.
|
||||
## Any process which has changed privilege levels or is execute-only will not be dumped.
|
||||
##
|
||||
fs.suid_dumpable=0
|
||||
|
||||
## Set core dump file name to 'core.PID' instead of 'core' as a form of defence-in-depth.
|
||||
## If core dumps are permitted, only useful if PID listings are hidden from non-root users.
|
||||
##
|
||||
kernel.core_uses_pid=1
|
||||
|
||||
|
||||
## 4. Swap Space:
|
||||
##
|
||||
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#swap
|
||||
|
||||
## Limit the copying of memory to the swap device only if absolutely necessary.
|
||||
## Minimises the likelihood of writing potentially sensitive contents to disk.
|
||||
##
|
||||
## https://en.wikipedia.org/wiki/Memory_paging#Linux
|
||||
##
|
||||
vm.swappiness=1
|
||||
|
||||
|
||||
## 5. Networking:
|
||||
##
|
||||
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-network
|
||||
## https://wiki.archlinux.org/title/Sysctl#TCP/IP_stack_hardening
|
||||
|
||||
## Enable TCP SYN cookie protection to assist against SYN flood attacks.
|
||||
##
|
||||
## https://en.wikipedia.org/wiki/SYN_flood
|
||||
## https://cateee.net/lkddb/web-lkddb/SYN_COOKIES.html
|
||||
##
|
||||
net.ipv4.tcp_syncookies=1
|
||||
|
||||
## Protect against TCP time-wait assassination hazards.
|
||||
## Drops RST packets for sockets in the time-wait state.
|
||||
##
|
||||
## https://tools.ietf.org/html/rfc1337
|
||||
##
|
||||
net.ipv4.tcp_rfc1337=1
|
||||
|
||||
## Disables ICMP redirect acceptance.
|
||||
## Enable reverse path filtering (source validation) of packets received from all interfaces.
|
||||
## Prevents IP spoofing and mitigate vulnerabilities such as CVE-2019-14899.
|
||||
##
|
||||
## https://en.wikipedia.org/wiki/IP_address_spoofing
|
||||
## https://forums.whonix.org/t/enable-reverse-path-filtering/8594
|
||||
## https://seclists.org/oss-sec/2019/q4/122
|
||||
##
|
||||
net.ipv4.conf.all.rp_filter=1
|
||||
net.ipv4.conf.default.rp_filter=1
|
||||
|
||||
## Disable ICMP redirect acceptance and redirect sending messages.
|
||||
## Prevents man-in-the-middle attacks and minimises information disclosure.
|
||||
##
|
||||
net.ipv4.conf.all.accept_redirects=0
|
||||
net.ipv4.conf.default.accept_redirects=0
|
||||
net.ipv4.conf.all.secure_redirects=0
|
||||
net.ipv4.conf.default.secure_redirects=0
|
||||
net.ipv6.conf.all.accept_redirects=0
|
||||
net.ipv6.conf.default.accept_redirects=0
|
||||
|
||||
## Disables ICMP redirect sending.
|
||||
net.ipv4.conf.all.send_redirects=0
|
||||
net.ipv4.conf.default.send_redirects=0
|
||||
|
||||
## Ignores ICMP requests.
|
||||
## Ignore ICMP echo requests.
|
||||
## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks.
|
||||
##
|
||||
## https://en.wikipedia.org/wiki/Smurf_attack
|
||||
##
|
||||
net.ipv4.icmp_echo_ignore_all=1
|
||||
net.ipv6.icmp.echo_ignore_all=1
|
||||
|
||||
## Ignores bogus ICMP error responses
|
||||
## Ignore bogus ICMP error responses.
|
||||
## Mitigates attacks designed to fill log files with useless error messages.
|
||||
##
|
||||
net.ipv4.icmp_ignore_bogus_error_responses=1
|
||||
|
||||
## Enables TCP syncookies.
|
||||
net.ipv4.tcp_syncookies=1
|
||||
|
||||
## Disable source routing.
|
||||
## Disable source routing which allows users redirect network traffic.
|
||||
## Prevents man-in-the-middle attacks in which the traffic is redirected.
|
||||
##
|
||||
## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-disable-source-routing
|
||||
##
|
||||
net.ipv4.conf.all.accept_source_route=0
|
||||
net.ipv4.conf.default.accept_source_route=0
|
||||
net.ipv6.conf.all.accept_source_route=0
|
||||
net.ipv6.conf.default.accept_source_route=0
|
||||
|
||||
## Enable reverse path filtering to prevent IP spoofing and
|
||||
## mitigate vulnerabilities such as CVE-2019-14899.
|
||||
## https://forums.whonix.org/t/enable-reverse-path-filtering/8594
|
||||
net.ipv4.conf.default.rp_filter=1
|
||||
net.ipv4.conf.all.rp_filter=1
|
||||
|
||||
#### meta end
|
||||
|
||||
|
||||
## Previously disabled SACK, DSACK, and FACK.
|
||||
## https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109
|
||||
#net.ipv4.tcp_sack=0
|
||||
#net.ipv4.tcp_dsack=0
|
||||
#net.ipv4.tcp_fack=0
|
||||
|
||||
|
||||
#### meta start
|
||||
#### project Kicksecure
|
||||
#### category networking and security
|
||||
#### description
|
||||
## disable IPv4 TCP Timestamps
|
||||
|
||||
net.ipv4.tcp_timestamps=0
|
||||
|
||||
#### meta end
|
||||
|
||||
|
||||
## Disable SysRq key
|
||||
kernel.sysrq=0
|
||||
|
||||
## Restrict loading TTY line disciplines to CAP_SYS_MODULE to prevent
|
||||
## unprivileged attackers from loading vulnerable line disciplines
|
||||
## with the TIOCSETD ioctl which has been used in exploits before
|
||||
## such as https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html
|
||||
## Do not accept IPv6 router advertisements and solicitations.
|
||||
##
|
||||
## https://lkml.org/lkml/2019/4/15/890
|
||||
dev.tty.ldisc_autoload=0
|
||||
|
||||
## Restrict the userfaultfd() syscall to root as it can make heap sprays
|
||||
## easier.
|
||||
##
|
||||
## https://duasynt.com/blog/linux-kernel-heap-spray
|
||||
vm.unprivileged_userfaultfd=0
|
||||
|
||||
## Let the kernel only swap if it is absolutely necessary.
|
||||
## Better not be set to zero:
|
||||
## - https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Performance_Tuning_Guide/s-memory-tunables.html
|
||||
## - https://en.wikipedia.org/wiki/Swappiness
|
||||
vm.swappiness=1
|
||||
|
||||
## Disallow kernel profiling by users without CAP_SYS_ADMIN
|
||||
## https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
|
||||
kernel.perf_event_paranoid=3
|
||||
|
||||
## Do not accept router advertisements
|
||||
net.ipv6.conf.all.accept_ra=0
|
||||
net.ipv6.conf.default.accept_ra=0
|
||||
|
||||
## Disable SACK, DSACK, and FACK.
|
||||
## Select acknowledgements (SACKs) are a known common vector of exploitation.
|
||||
## Duplicate select acknowledgements (DSACKs) are an extension of SACK.
|
||||
## Forward acknowledgements (FACKs) are a legacy option that will (eventually) be deprecated.
|
||||
## Disabling can cause severe connectivity issues on networks with high latency or packet loss.
|
||||
## Enabling on stable high-bandwidth networks can lead to reduced efficiency of TCP connections.
|
||||
##
|
||||
## https://datatracker.ietf.org/doc/html/rfc2018
|
||||
## https://datatracker.ietf.org/doc/html/rfc2883
|
||||
## https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
|
||||
## https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
|
||||
## https://wiki.archlinux.org/title/Sysctl#TCP_Selective_Acknowledgement
|
||||
## https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109/5
|
||||
##
|
||||
## SACK and DSACK are currently enabled.
|
||||
##
|
||||
#net.ipv4.tcp_sack=0
|
||||
#net.ipv4.tcp_dsack=0
|
||||
net.ipv4.tcp_fack=0
|
||||
|
||||
## Disable TCP timestamps to limit system fingerprinting via time.
|
||||
##
|
||||
## https://forums.whonix.org/t/do-ntp-and-tcp-timestamps-really-leak-your-local-time/7824
|
||||
## https://web.archive.org/web/20170201160732/https://mailman.boum.org/pipermail/tails-dev/2013-December/004520.html
|
||||
##
|
||||
net.ipv4.tcp_timestamps=0
|
||||
|
||||
## Previously enabled logging of packets with impossible source or destination addresses.
|
||||
## Martian and unroutable packets may be used for dangerous purposes.
|
||||
## Recommended to keep a (kernel dmesg) log of these to identify these suspicious packets
|
||||
## Good for troubleshooting and diagnostics but not necessary by default.
|
||||
## Known for causing performance issues especially on systems with multiple interfaces.
|
||||
##
|
||||
## https://wiki.archlinux.org/title/Sysctl#TCP_Selective_Acknowledgement
|
||||
## https://github.com/Kicksecure/security-misc/issues/214
|
||||
##
|
||||
## The logging of martian packets is currently disabled.
|
||||
##
|
||||
#net.ipv4.conf.all.log_martians=1
|
||||
#net.ipv4.conf.default.log_martians=1
|
||||
|
Loading…
Reference in New Issue
Block a user