merge the many sysctl config files into 1

and use a file name starting with two digits

to make it easier to disable settings using a lexically higher config file
Patrick Schleizer 2020-01-24 04:26:36 -05:00
parent f653b94e77
commit 6a4c493213
GPG Key ID: CB8D50BB77BB3C48
14 changed files with 127 additions and 125 deletions


@ -12,3 +12,16 @@ rm_conffile /etc/sysctl.d/sysrq.conf
## https://github.com/Whonix/security-misc/pull/45
rm_conffile /etc/apparmor.d/usr.lib.security-misc.pam_tally2-info
rm_conffile /etc/apparmor.d/usr.lib.security-misc.permission-lockdown
rm_conffile /etc/sysctl.d/fs_protected.conf
rm_conffile /etc/sysctl.d/kptr_restrict.conf
rm_conffile /etc/sysctl.d/suid_dumpable.conf
rm_conffile /etc/sysctl.d/harden_bpf.conf
rm_conffile /etc/sysctl.d/ptrace_scope.conf
rm_conffile /etc/sysctl.d/tcp_timestamps.conf
rm_conffile /etc/sysctl.d/mmap_aslr.conf
rm_conffile /etc/sysctl.d/dmesg_restrict.conf
rm_conffile /etc/sysctl.d/coredumps.conf
rm_conffile /etc/sysctl.d/kexec.conf
rm_conffile /etc/sysctl.d/tcp_hardening.conf
rm_conffile /etc/sysctl.d/tcp_sack.conf
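Review bot: Each of the new rm_conffile entries (L20–L31) omits the prior-version argument, so dpkg-maintscript-helper evaluates the removal on every upgrade rather than only when upgrading from a version that still shipped the file; this is consistent with the existing sysrq.conf entry above, but the choice deserves a one-line comment. More importantly for a hardening package, rm_conffile keeps a locally modified conffile as `<name>.dpkg-bak` instead of deleting it, and systemd-sysctl only reads `*.conf` from /etc/sysctl.d, so any value an administrator had tuned in one of these thirteen files silently stops being applied after the upgrade. I would add above the block `## Locally modified copies survive as *.dpkg-bak and are no longer read by sysctl; re-apply any overrides in a separate /etc/sysctl.d/*.conf file` and mention the same in the commit message or changelog.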


@ -0,0 +1,114 @@
## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
## Disables coredumps. This setting may be overwritten by systemd so this may not be useful.
## security-misc also disables coredumps in other ways.
kernel.core_pattern=|/bin/false
## Restricts the kernel log to root only.
kernel.dmesg_restrict=1
## Makes some data spoofing attacks harder.
fs.protected_fifos=2
fs.protected_regular=2
## Hardens the BPF JIT compiler and restricts it to root.
kernel.unprivileged_bpf_disabled=1
net.core.bpf_jit_harden=2
## Quote https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html
##
## kexec_load_disabled:
##
## A toggle indicating if the kexec_load syscall has been disabled. This value defaults to 0 (false: kexec_load enabled), but can be set to 1 (true: kexec_load disabled). Once true, kexec can no longer be used, and the toggle cannot be set back to false. This allows a kexec image to be loaded before disabling the syscall, allowing a system to set up (and later use) an image without it being altered. Generally used together with the "modules_disabled" sysctl.
## Disables kexec which can be used to replace the running kernel.
kernel.kexec_load_disabled=1
## Hides kernel addresses in various files in /proc.
## Kernel addresses can be very useful in certain exploits.
##
## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
kernel.kptr_restrict=2
## Improves ASLR effectiveness for mmap.
vm.mmap_rnd_bits=32
vm.mmap_rnd_compat_bits=16
## Restricts the use of ptrace to root. This might break some programs running under WINE.
## A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. This can be done by running:
##
## sudo apt-get install libcap2-bin
## sudo setcap cap_sys_ptrace=eip /usr/bin/wineserver
## sudo setcap cap_sys_ptrace=eip /usr/bin/wine-preloader
kernel.yama.ptrace_scope=2
## Prevent setuid processes from creating coredumps.
fs.suid_dumpable=0
#### meta start
#### project Kicksecure
#### category networking and security
#### description
## TCP/IP stack hardening
## Protects against time-wait assassination.
## It drops RST packets for sockets in the time-wait state.
net.ipv4.tcp_rfc1337=1
## Disables ICMP redirect acceptance.
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
## Disables ICMP redirect sending.
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
## Ignores ICMP requests.
net.ipv4.icmp_echo_ignore_all=1
## Enables TCP syncookies.
net.ipv4.tcp_syncookies=1
## Disable source routing.
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
## Enable reverse path filtering to prevent IP spoofing and
## mitigate vulnerabilities such as CVE-2019-14899.
## https://forums.whonix.org/t/enable-reverse-path-filtering/8594
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1
#### meta end
## Disables SACK as it is commonly exploited and likely not needed.
## https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109
#net.ipv4.tcp_sack=0
#net.ipv4.tcp_dsack=0
#net.ipv4.tcp_fack=0
#### meta start
#### project Kicksecure
#### category networking and security
#### description
## disable IPv4 TCP Timestamps
net.ipv4.tcp_timestamps=0
#### meta end
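Review bot: The two `#### meta start` … `#### meta end` blocks (L73–L103 and L109–L115) were per-file metadata and now sit in the middle of one merged file, so each `#### description` line describes only a fragment rather than the file; if the tooling that consumes these markers expects a single block per file, they should be consolidated into one block at the top whose description covers all of the settings. The SACK section is also misleading as written: the heading says `## Disables SACK as it is commonly exploited and likely not needed.` while the three settings under it are commented out, so a reader cannot tell whether leaving them off is deliberate or unfinished — state which, e.g. `## Intentionally left commented out; see the forum thread above for the current decision.` Finally, `vm.mmap_rnd_bits=32` is, as far as I know, the maximum only on x86_64; the accepted range is architecture-dependent and an out-of-range value is rejected when applied, so a comment such as `## 32 is the x86_64 maximum; other architectures accept a different range` would spare the next reader a surprise on other hardware.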


@ -1,6 +0,0 @@
## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
## Disables coredumps. This setting may be overwritten by systemd so this may not be useful.
## security-misc also disables coredumps in other ways.
kernel.core_pattern=|/bin/false


@ -1,5 +0,0 @@
## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
## Restricts the kernel log to root only.
kernel.dmesg_restrict=1


@ -1,6 +0,0 @@
## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
## Makes some data spoofing attacks harder.
fs.protected_fifos=2
fs.protected_regular=2


@ -1,6 +0,0 @@
## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
## Hardens the BPF JIT compiler and restricts it to root.
kernel.unprivileged_bpf_disabled=1
net.core.bpf_jit_harden=2


@ -1,11 +0,0 @@
## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
## Quote https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html
##
## kexec_load_disabled:
##
## A toggle indicating if the kexec_load syscall has been disabled. This value defaults to 0 (false: kexec_load enabled), but can be set to 1 (true: kexec_load disabled). Once true, kexec can no longer be used, and the toggle cannot be set back to false. This allows a kexec image to be loaded before disabling the syscall, allowing a system to set up (and later use) an image without it being altered. Generally used together with the "modules_disabled" sysctl.
## Disables kexec which can be used to replace the running kernel.
kernel.kexec_load_disabled=1


@ -1,8 +0,0 @@
## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
## Hides kernel addresses in various files in /proc.
## Kernel addresses can be very useful in certain exploits.
##
## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
kernel.kptr_restrict=2


@ -1,6 +0,0 @@
## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
## Improves ASLR effectiveness for mmap.
vm.mmap_rnd_bits=32
vm.mmap_rnd_compat_bits=16


@ -1,10 +0,0 @@
## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
## Restricts the use of ptrace to root. This might break some programs running under WINE.
## A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. This can be done by running:
##
## sudo apt-get install libcap2-bin
## sudo setcap cap_sys_ptrace=eip /usr/bin/wineserver
## sudo setcap cap_sys_ptrace=eip /usr/bin/wine-preloader
kernel.yama.ptrace_scope=2


@ -1,5 +0,0 @@
## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
## Prevent setuid processes from creating coredumps.
fs.suid_dumpable=0


@ -1,42 +0,0 @@
## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
#### meta start
#### project Kicksecure
#### category networking and security
#### description
## TCP/IP stack hardening
## Protects against time-wait assassination.
## It drops RST packets for sockets in the time-wait state.
net.ipv4.tcp_rfc1337=1
## Disables ICMP redirect acceptance.
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
## Disables ICMP redirect sending.
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
## Ignores ICMP requests.
net.ipv4.icmp_echo_ignore_all=1
## Enables TCP syncookies.
net.ipv4.tcp_syncookies=1
## Disable source routing.
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
## Enable reverse path filtering to prevent IP spoofing and
## mitigate vulnerabilities such as CVE-2019-14899.
## https://forums.whonix.org/t/enable-reverse-path-filtering/8594
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1
#### meta end


@ -1,8 +0,0 @@
## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
## Disables SACK as it is commonly exploited and likely not needed.
## https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109
#net.ipv4.tcp_sack=0
#net.ipv4.tcp_dsack=0
#net.ipv4.tcp_fack=0


@ -1,12 +0,0 @@
## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
## See the file COPYING for copying conditions.
#### meta start
#### project Kicksecure
#### category networking and security
#### description
## disable IPv4 TCP Timestamps
net.ipv4.tcp_timestamps=0
#### meta end