mirror of
https://github.com/Kicksecure/security-misc.git
synced 2024-12-23 01:23:36 +07:00
Add details on ASLR and move to user space section
parent a132980023
commit 84376d23fc
@ -45,8 +45,6 @@ space, user space, core dumps, and swap space.
certain kernel exploitation attempts. Optional - Force immediate reboot on the
occurrence of a kernel panic.
- Randomize the addresses (ASLR) for mmap base, stack, VDSO pages, and heap.
- Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
- Disable asynchronous I/O (when using Linux kernel >= 6.6) as `io_uring` has been
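Review bot: removing the ASLR bullet from this list is only correct if it reappears elsewhere, and the next hunk adds the identical line to the user-space list, so nothing is lost from the README. The relocation is apt: kernel.randomize_va_space randomizes the layout of user processes, not the kernel's own image (that is KASLR, a separate boot-time mechanism), so the item did not belong in the kernel-space section.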
@ -63,6 +61,8 @@ space, user space, core dumps, and swap space.
- Disallow unintentional writes to files in world-writable directories unless
they are owned by the directory owner to mitigate some data spoofing attacks.
- Randomize the addresses (ASLR) for mmap base, stack, VDSO pages, and heap.
- Increase the maximum number of memory map areas a process is able to utilize.
- Disable core dump files and prevent their creation. If core dump files are
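Review bot: the moved bullet still reads as a bare feature claim; consider stating its scope, since randomize_va_space only randomizes the stack, mmap regions, the heap and the base of position-independent (PIE) executables, while a binary not built as PIE keeps its fixed load address. The sysctl comment added in the last hunk already makes the PIE point, so one clause here would keep README and config consistent.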
@ -120,13 +120,6 @@ kernel.perf_event_paranoid=3
#kernel.panic_on_oops=1
#kernel.panic=-1
## Enable ASLR for mmap base, stack, VDSO pages, and heap.
## Heap randomization can lead to breakages with legacy applications.
##
## https://en.wikipedia.org/wiki/Address_space_layout_randomization#Linux
##
kernel.randomize_va_space=2
## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
## Can lead to privilege escalation by pushing characters into a controlling TTY.
## Will break out-dated screen readers that continue to rely on this legacy functionality.
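Review bot: this deletes the whole randomize_va_space block, key included, so the file's effective setting now rests entirely on the copy re-added later in the same file. The header counts bear that out (7 lines removed here, 9 added in the hunk below), and with both hunks applied exactly one kernel.randomize_va_space key remains, which is what you want: sysctl applies the last occurrence of a duplicated key, so a leftover copy would be silently overridden rather than flagged.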
@ -205,6 +198,15 @@ fs.protected_symlinks=1
fs.protected_fifos=2
fs.protected_regular=2
## Enable ASLR for mmap base, stack, VDSO pages, and heap.
## Forces shared libraries to be loaded to random addresses
## Start location of PIE-linked binaries is randomized.
## Heap randomization can lead to breakages with legacy applications.
##
## https://en.wikipedia.org/wiki/Address_space_layout_randomization#Linux
##
kernel.randomize_va_space=2
## Increase the maximum number of memory map areas a process is permitted to utilize.
## Addresses performance, crash, and start-up issues for some memory-intensive applications.
## Required to accommodate the very large number of guard pages created by hardened_malloc.
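Review bot: the two new comment lines need a small tightening: "Forces shared libraries to be loaded to random addresses" should read "at random addresses" and end with a period like the lines around it, and the PIE sentence is clearer with its converse stated, that executables not built as PIE still load at a fixed address, which bounds the protection this setting gives. Two further facts are worth recording in the comment block: value 2 is already the kernel's default unless the kernel was built with CONFIG_COMPAT_BRK, so this line documents rather than changes behaviour on most distributions, and value 1 is the documented fallback that keeps everything except heap randomization if the legacy-application breakage mentioned here is actually hit.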