mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2024-12-23 01:13:40 +07:00
Code Issues Packages Projects Releases Wiki Activity

Add details on BPF hardening and split the sysctls

Browse Source
This commit is contained in:
Raja Grewal 2024-08-26 12:40:04 +10:00
parent 2c356e8b0e
commit 9e91c98cc9
No known key found for this signature in database
GPG Key ID: 92CA473C156B64C4
2 changed files with 21 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
README.md
View File

@ -25,7 +25,8 @@ Kernel space:
- Prevent kernel information leaks in the console during boot.
- Restrict eBPF access to `CAP_BPF` and enable associated JIT compiler hardening.
- Restrict usage of `bpf()` to `CAP_BPF` to prevent the loading of BPF programs
by unprivileged users.
- Restrict loading TTY line disciplines to `CAP_SYS_MODULE`.
@ -82,6 +83,8 @@ Swap space:
Networking:
- Enable hardening of the BPF JIT compiler protect against JIT spraying.
- Enable TCP SYN cookie protection to assist against SYN flood attacks.
- Protect against TCP time-wait assassination hazards.

20
usr/lib/sysctl.d/990-security-misc.conf
View File

@ -58,15 +58,16 @@ kernel.dmesg_restrict=1
##
#kernel.printk=3 3 3 3
## Restrict eBPF access to CAP_BPF and enable associated JIT compiler hardening.
## Restrict eBPF access to CAP_BPF.
## Disables unprivileged calls to bpf() without recovery.
##
## https://en.wikipedia.org/wiki/EBPF#Security
## https://lwn.net/Articles/660331/
##
## KSPP=yes
## KSPP sets the sysctls.
## KSPP sets the sysctl.
##
kernel.unprivileged_bpf_disabled=1
net.core.bpf_jit_harden=2
## Restrict loading TTY line disciplines to users with CAP_SYS_MODULE.
## Prevents unprivileged users from loading vulnerable line disciplines with the TIOCSETD ioctl.
@ -348,6 +349,19 @@ vm.swappiness=1
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-network
## https://wiki.archlinux.org/title/Sysctl#TCP/IP_stack_hardening
## Enable hardening of the BPF JIT compiler for all users.
## Provides some mitigation against JIT spraying.
##
## https://en.wikipedia.org/wiki/JIT_spraying
## https://www.blackhat.com/docs/eu-16/materials/eu-16-Reshetova-Randomization-Can't-Stop-BPF-JIT-Spray-wp.pdf
## https://lwn.net/Articles/686098/
## https://lwn.net/Articles/525609/
##
## KSPP=yes
## KSPP sets the sysctl.
##
net.core.bpf_jit_harden=2
## Enable TCP SYN cookie protection to assist against SYN flood attacks.
##
## https://en.wikipedia.org/wiki/SYN_flood