diff --git a/README.md b/README.md index d99cdaa..52c4e0e 100644 --- a/README.md +++ b/README.md 
@@ -6,57 +6,89 @@ This section is inspired by the Kernel Self Protection Project (KSPP). It implements all recommended Linux kernel settings by the KSPP and many more. - https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project +- https://kspp.github.io/Recommended_Settings ### sysctl -sysctl settings are configured via the `/etc/sysctl.d/30_security-misc.conf` +sysctl settings are configured via the `/usr/lib/sysctl.d/990-security-misc.conf` configuration file. -- A kernel pointer points to a specific location in kernel memory. These can - be very useful in exploiting the kernel so they are restricted to - `CAP_SYSLOG`. +Significant hardening is applied by default to a myriad of components within kernel +space, user space, core dumps, and swap space. -- The kernel logs are restricted to `CAP_SYSLOG` as they can often leak - sensitive information such as kernel pointers. +- Restrict access to kernel addresses through the us of kernel pointers regardless + of user privileges. -- The `ptrace()` system call is restricted to `CAP_SYS_PTRACE`. +- Restrict access to the kernel logs to `CAP_SYSLOG` as the often contain + sensitive information. -- eBPF is restricted to `CAP_BPF` (`CAP_SYS_ADMIN` on kernel versions prior to - 5.8) and JIT hardening techniques such as constant blinding are enabled. +- Prevent kernel information leaks in the console during boot. -- Restricts performance events to `CAP_PERFMON` (`CAP_SYS_ADMIN` on kernel - versions prior to 5.8). +- Restrict eBPF access to `CAP_BPF` and enable associated JIT compiler hardening. -- Restricts loading line disciplines to `CAP_SYS_MODULE` to prevent - unprivileged attackers from loading vulnerable line disciplines with the - `TIOCSETD` ioctl which has been abused in a number of exploits before. +- Restrict loading TTY line disciplines to `CAP_SYS_MODULE`. -- Restricts the `userfaultfd()` syscall to `CAP_SYS_PTRACE` as `userfaultfd()` - is often abused to exploit use-after-free flaws. 
+- Restricts the `userfaultfd()` syscall to `CAP_SYS_PTRACE` which reduces the + likelihood of use-after-free exploits. -- Kexec is disabled as it can be used to load a malicious kernel and gain - arbitrary code execution in kernel mode. +- Disable `kexec` as it can be used to replace the running kernel. -- Randomises the addresses for mmap base, heap, stack, and VDSO pages. +- Entirely disables the SysRq key so that the Secure Attention Key (SAK) + can no longer be utilised. See [documentation](https://www.kicksecure.com/wiki/SysRq). -- Prevents unintentional writes to attacker-controlled files. +- Provide option to disable unprivileged user namespaces as they can lead to + privilege escalation. -- Prevents common symlink and hardlink TOCTOU races. +- Restrict kernel profiling and the performance events system to `CAP_PERFMON`. -- Disables SysRq key completely. - * Therefore Secure Attention Key (SAK) cannot be used. - * https://www.kicksecure.com/wiki/SysRq +- Randomise the addresses (ASLR) for mmap base, stack, VDSO pages, and heap. -- The kernel is only allowed to swap if it is absolutely necessary. This - prevents writing potentially sensitive contents of memory to disk. +- Disable asynchronous I/O (when using Linux kernel version >= 6.6). -- TCP timestamps are disabled as it can allow detecting the system time. +- Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it + enables programs to inspect and modify other active processes. Provide option + to also entirely disable the use of `ptrace()` for all processes. -- Set coredump file name based on core_pattern value instead of the default of - naming it 'core'. +- Prevent hardlink and symlink TOCTOU races in world-writable directories. -- Will disable `io_uring` interface for performing asynchronous I/O as it has - historically been a significant attack surface. 
+- Disallow unintentional writes to files in world-writable directories unless + they are owned by the directory owner to mitigate some data spoofing attacks. + +- Increase the maximum number of memory map areas a process is able to utilise. + +- Disable core dump files and prevent their creation. If core dump files are + enabled, they will be named based on `core.PID` instead of the default `core`. + +- Limit the copying of potentially sensitive content in memory to the swap device. + +Various networking components of the TCP/IP stack are hardened for IPv4/6. + +- Enable TCP SYN cookie protection to assist against SYN flood attacks. + +- Protect against TCP time-wait assassination hazards. + +- Enables reverse path filtering (source validation) of packets received + from all interfaces to prevent IP spoofing. + +- Disable ICMP redirect acceptance and redirect sending messages to + prevent man-in-the-middle attacks and minimise information disclosure. + +- Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks. + +- Ignore bogus ICMP error responses. + +- Disable source routing which allows users redirect network traffic that + can result in man-in-the-middle attacks. + +- Do not accept IPv6 router advertisements and solicitations. + +- Provide option to disable SACK and DSACK as they have historically been a + vector for exploitation. + +- Disable TCP timestamps as it can allow detecting the system time. + +- Provide option to log of packets with impossible source or destination + addresses to enable inspection and further analysis. ### mmap ASLR 
@@ -195,21 +227,6 @@ disabling should first be blacklisted for a suitable amount of time. ## Network hardening -- TCP syncookies are enabled to prevent SYN flood attacks. - -- ICMP redirect acceptance, ICMP redirect sending, source routing and IPv6 - router advertisements are disabled to prevent man-in-the-middle attacks. - -- The kernel is configured to ignore all ICMP requests to avoid Smurf attacks, - make the device more difficult to enumerate on the network and prevent clock - fingerprinting through ICMP timestamps. - -- RFC1337 is enabled to protect against time-wait assassination attacks by - dropping RST packets for sockets in the time-wait state. - -- Reverse path filtering is enabled to prevent IP spoofing and mitigate - vulnerabilities such as CVE-2019-14899. - - Unlike version 4, IPv6 addresses can provide information not only about the originating network, but also the originating device. We prevent this from happening by enabling the respective privacy extensions for IPv6. diff --git a/debian/security-misc.maintscript b/debian/security-misc.maintscript index 59043e5..aa00d07 100644 --- a/debian/security-misc.maintscript +++ b/debian/security-misc.maintscript @@ -10,7 +10,7 @@ rm_conffile /etc/sysctl.d/sysrq.conf rm_conffile /etc/apparmor.d/usr.lib.security-misc.pam_tally2-info rm_conffile /etc/apparmor.d/usr.lib.security-misc.permission-lockdown -## merged into 1 file /etc/sysctl.d/30_security-misc.conf +## merged into 3 files /usr/lib/sysctl.d/30_security-misc_kexec-disable.conf, /usr/lib/sysctl.d/30_silent-kernel-printk.conf, and /usr/lib/sysctl.d/990-security-misc.conf rm_conffile /etc/sysctl.d/fs_protected.conf rm_conffile /etc/sysctl.d/kptr_restrict.conf rm_conffile /etc/sysctl.d/suid_dumpable.conf diff --git a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf index bbdf5ea..74c0bbf 100644 --- a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf 
+++ b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf @@ -1,16 +1,16 @@ ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Quote https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html -## -## kexec_load_disabled: -## -## A toggle indicating if the kexec_load syscall has been disabled. This value defaults to 0 (false: kexec_load enabled), but can be set to 1 (true: kexec_load disabled). Once true, kexec can no longer be used, and the toggle cannot be set back to false. This allows a kexec image to be loaded before disabling the syscall, allowing a system to set up (and later use) an image without it being altered. Generally used together with the "modules_disabled" sysctl. -## Disables kexec which can be used to replace the running kernel. -kernel.kexec_load_disabled=1 - +## NOTE: ## Why is this in a dedicated config file? ## Package ram-wipe requires kexec. However, ram-wipe could not ship a config ## file /etc/sysctl.d/40_ram-wipe.conf which sets 'kernel.kexec_load_disabled=0'. ## This is because once systemd-sysctl.service has set 'kernel.kexec_load_disabled=1' ## it cannot be undone without reboot. This is a upstream Linux security feature. + +## Disables kexec which can be used to replace the running kernel. +## Useful for live kernel patching without rebooting. +## +## https://en.wikipedia.org/wiki/Kexec +## +kernel.kexec_load_disabled=1 diff --git a/usr/lib/sysctl.d/30_silent-kernel-printk.conf b/usr/lib/sysctl.d/30_silent-kernel-printk.conf index b76a4b3..de73876 100644 --- a/usr/lib/sysctl.d/30_silent-kernel-printk.conf +++ b/usr/lib/sysctl.d/30_silent-kernel-printk.conf 
@@ -1,14 +1,14 @@ ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. -## Prevent kernel info leaks in console during boot. -## https://phabricator.whonix.org/T950 -kernel.printk = 3 3 3 3 - -## NOTE: -## For higher verbosity, the user might also want to delete file -## /etc/default/grub.d/41_quiet.cfg -## (or out-comment its settings). +## Prevent kernel information leaks in the console during boot. +## Must be used in combination with the kernel boot parameters. +## See /etc/default/grub.d/41_quiet_boot.cfg for implementation. ## -## Alternatively, the user could consider to install the debug-misc package, -## which will undo the settings found here. +## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html +## +kernel.printk=3 3 3 3 + +## For Increased Log Verbosity: +## Adjust (or comment out) the kernel parameters in /etc/default/grub.d/41_quiet_boot.cfg. +## Alternatively, installing the debug-misc package will undo these settings. \ No newline at end of file diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 371c265..3cebc76 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf 
@@ -2,177 +2,338 @@ ## See the file COPYING for copying conditions. ## NOTE: -## This file has a weird file name so /usr/lib/sysctl.d/99-protect-links.conf -## is parsed first and /usr/lib/sysctl.d/990-security-misc.conf is parsed -## afterwards. See also: +## This file has a strange name so that /usr/lib/sysctl.d/99-protect-links.conf is +## first parsed and then followed by /usr/lib/sysctl.d/990-security-misc.conf. ## https://github.com/Kicksecure/security-misc/pull/135 -## Restricts the kernel log to root only. -kernel.dmesg_restrict=1 +## This configuration file is split into 5 sections: +## 1. Kernel Space +## 2. User Space +## 3. Core Dumps +## 4. Swap Space +## 5. Networking -## Disables coredumps. This setting may be overwritten by systemd so this may not be useful. -## security-misc also disables coredumps in other ways. -kernel.core_pattern=|/bin/false +## See the documentation below for details on the majority of the selected commands. +## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html +## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/fs.html +## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/net.html +## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/vm.html +## https://www.kernel.org/doc/html/latest//networking/ip-sysctl.html -## Does not set coredump name to 'core' which is default. Defense in depth. -kernel.core_uses_pid=1 - -## Prevent setuid processes from creating coredumps. -fs.suid_dumpable=0 - -## Don't allow writes to files that we don't own -## in world writable sticky directories, unless -## they are owned by the owner of the directory. -fs.protected_fifos=2 -fs.protected_regular=2 - -## Only allow symlinks to be followed when outside of -## a world-writable sticky directory, or when the owner -## of the symlink and follower match, or when the directory -## owner matches the symlink's owner. +## 1. 
Kernel Space: ## -## Prevent hardlinks from being created by users that do not -## have read/write access to the source file. -## -## These prevent many TOCTOU races. -fs.protected_symlinks=1 -fs.protected_hardlinks=1 +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel +## https://wiki.archlinux.org/title/Security#Kernel_hardening -## Hides kernel addresses in various files in /proc. -## Kernel addresses can be very useful in certain exploits. +## Restrict kernel addresses via /proc and other interfaces regardless of user privileges. +## Kernel pointers expose specific locations in kernel memory. ## ## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak +## kernel.kptr_restrict=2 -## Improves ASLR effectiveness for mmap. -## Both explicit sysctl are made redundant due to automation +## Restrict access to the kernel log buffer to CAP_SYSLOG. +## Kernel logs often contain sensitive information such as kernel pointers. +## +kernel.dmesg_restrict=1 + +## Prevent kernel information leaks in the console during boot. +## Must be used in combination with the kernel boot parameters. +## See /etc/default/grub.d/41_quiet_boot.cfg for implementation. +## +## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html +## +## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation. +## +#kernel.printk=3 3 3 3 + +## Restrict eBPF access to CAP_BPF and enable associated JIT compiler hardening. +## +## https://en.wikipedia.org/wiki/EBPF#Security +## +kernel.unprivileged_bpf_disabled=1 +net.core.bpf_jit_harden=2 + +## Restrict loading TTY line disciplines to CAP_SYS_MODULE. +## Prevents unprivileged users loading vulnerable line disciplines with the TIOCSETD ioctl. +## +## https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html +## https://lkml.org/lkml/2019/4/15/890 +## +dev.tty.ldisc_autoload=0 + +## Restrict the userfaultfd() syscall to SYS_CAP_PTRACE. 
+## Reduces likelihood of use-after-free exploits from heap sprays. +## +## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cefdca0a86be517bc390fc4541e3674b8e7803b0 +## https://duasynt.com/blog/linux-kernel-heap-spray +## +vm.unprivileged_userfaultfd=0 + +## Disables kexec which can be used to replace the running kernel. +## Useful for live kernel patching without rebooting. +## +## https://en.wikipedia.org/wiki/Kexec +## +## See /usr/lib/sysctl.d/30_security-misc_kexec-disable.conf for implementation. +## +#kernel.kexec_load_disabled=1 + +## Disable the SysRq key to prevent leakage of kernel information. +## The Secure Attention Key (SAK) can no longer be utilised. +## +## https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html +## https://www.kicksecure.com/wiki/SysRq +## https://github.com/xairy/unlockdown +## +kernel.sysrq=0 + +## Restrict user namespaces to CAP_SYS_ADMIN. +## User namespaces aim to improve sandboxing and accessibility for unprivileged users. +## Unprivileged user namespaces pose substantial privilege escalation risks. +## Restricting is well-known to cause breakages across numerous software. +## +## https://madaidans-insecurities.github.io/linux.html#kernel +## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers +## +## Unprivileged user namespaces are currently enabled. +## +#kernel.unprivileged_userns_clone=0 + +## Restricts kernel profiling to CAP_PERFMON. +## The performance events system should not be accessible by unprivileged users. +## Other distributions such as Ubuntu and Fedora may permit further restricting. +## +## https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html#unprivileged-users +## https://lore.kernel.org/kernel-hardening/1469630746-32279-1-git-send-email-jeffv@google.com/ +## +kernel.perf_event_paranoid=3 + +## Enable ASLR for mmap base, stack, VDSO pages, and heap. +## Heap randomisation can lead to breakages with legacy applications. 
+## +## https://en.wikipedia.org/wiki/Address_space_layout_randomization#Linux +## +kernel.randomize_va_space=2 + +## Disable asynchronous I/O for all processes. +## +## https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html +## +## Applicable when using Linux kernel >= 6.6 (retained here for future-proofing and completeness). +## +kernel.io_uring_disabled=2 + +## 2.User Space: +## +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace + +## Restrict usage of the ptrace() system call to only processes with CAP_SYS_PTRACE. +## Limit ptrace() as it enables programs to inspect and modify other active processes. +## Prevents native code debugging which some programs use as a method to detect tampering. +## May cause breakages in 'anti-cheat' software and programs running under Proton/WINE. +## +## https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html#ptrace-scope +## https://en.wikipedia.org/wiki/Ptrace +## https://grapheneos.org/features#attack-surface-reduction +## https://github.com/GrapheneOS/os-issue-tracker/issues/651#issuecomment-917599928 +## https://github.com/netblue30/firejail/issues/2860 +## +## It is possible to harden further by disabling ptrace() for all users, see documentation. +## +kernel.yama.ptrace_scope=2 + +## Maximise bits of entropy for improved effectiveness of mmap ASLR. +## The maximum numbers of bits are dependent on CPU architecture (the ones shown below are for x86). +## Both explicit sysctl are made redundant due to automation. +## Do NOT enable either sysctl - displaying only for clarity. +## ## https://forums.whonix.org/t/automate-mmap-randomisation-to-fix-ppc64el/16514 -## Do NOT enable either - displaying only for clarity +## +## See /usr/libexec/security-misc/mmap-rnd-bits for implementation. ## #vm.mmap_rnd_bits=32 #vm.mmap_rnd_compat_bits=16 -## Restricts the use of ptrace to root. This might break some programs running under WINE. 
-## A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. This can be done by running: +## Prevent hardlink creation by users who do not have read/write/ownership of source file. +## Only allow symlinks to be followed when outside of a world-writable sticky directories. +## Allow symlinks when the owner and follower match or when the directory owner matches the symlink's owner. +## Hardens cross privilege boundaries if root process follows a hardlink/symlink belonging to another user. +## This mitigates many hardlink/symlink-based TOCTOU races in world-writable directories like /tmp. ## -## sudo apt-get install libcap2-bin -## sudo setcap cap_sys_ptrace=eip /usr/bin/wineserver -## sudo setcap cap_sys_ptrace=eip /usr/bin/wine-preloader -kernel.yama.ptrace_scope=2 +## https://wiki.archlinux.org/title/Security#File_systems +## https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=/tmp +## https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use#Preventing_TOCTOU +## +fs.protected_hardlinks=1 +fs.protected_symlinks=1 -## Randomize the addresses for mmap base, heap, stack, and VDSO pages -kernel.randomize_va_space=2 +## Disallow writes to files in world-writable sticky directories unless owned by the directory owner. +## Also applies to group writable sticky directories to make data spoofing attacks more difficult. +## Prevents unintentional writes to attacker-controlled files. +## +fs.protected_fifos=2 +fs.protected_regular=2 -## Hardens the BPF JIT compiler and restricts it to root. -kernel.unprivileged_bpf_disabled=1 -net.core.bpf_jit_harden=2 +## Increase the maximum number of memory map areas a process is permitted to utilise. +## Addresses performance, crash, and start-up issues for some memory intensive applications. +## Required to accommodate the very large number of guard pages created by hardened_malloc. +## Kicksecure version 18 will deprecate hardened_malloc and so this sysctl will be applied here instead. 
+## +## https://archlinux.org/news/increasing-the-default-vmmax_map_count-value/ +## https://github.com/GrapheneOS/hardened_malloc#traditional-linux-based-operating-systems +## https://github.com/Kicksecure/hardened_malloc/blob/master/debian/hardened_malloc.conf +## https://www.kicksecure.com/wiki/Hardened_Malloc#Deprecation_in_Kicksecure +## +vm.max_map_count=1048576 -## Disable asynchronous I/O for all processes. -## Valid only for linux kernel version >= 6.6. -## Command is retained here for future-proofing and completeness. -## https://forums.whonix.org/t/io-uring-security-vulnerabilties/16890/6 -kernel.io_uring_disabled=2 +## 3. Core Dumps: +## +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps -#### meta start -#### project Kicksecure -#### category networking and security -#### description -## TCP/IP stack hardening +## Disable core dump files by preventing any pattern names. +## This setting may be overwritten by systemd is is not comprehensive. +## Core dumps are also disabled in security-misc via other means. +## +## https://wiki.archlinux.org/title/Core_dump#Disabling_automatic_core_dumps +## +kernel.core_pattern=|/bin/false -## A martian packet is a one with a source address which is blatantly wrong -## Recommended to keep a log of these to identify these suspicious packets -## Good for troubleshooting and diagnostics but not necessary by default. -## Caused issue: -## https://github.com/Kicksecure/security-misc/issues/214 -#net.ipv4.conf.all.log_martians=1 -#net.ipv4.conf.default.log_martians=1 +## Prevent setuid processes or otherwise protected/tainted binaries from creating core dumps. +## Any process which has changed privilege levels or is execute-only will not be dumped. +## +fs.suid_dumpable=0 -## Protects against time-wait assassination. -## It drops RST packets for sockets in the time-wait state. +## Set core dump file name to 'core.PID' instead of 'core' as a form of defence-in-depth. 
+## If core dumps are permitted, only useful if PID listings are hidden from non-root users. +## +kernel.core_uses_pid=1 + +## 4. Swap Space: +## +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#swap + +## Limit the copying of memory to the swap device only if absolutely necessary. +## Minimises the likelihood of writing potentially sensitive contents to disk. +## Not reccommmeded to set to zero since this disables periodic write behavior. +## +## https://en.wikipedia.org/wiki/Memory_paging#Linux +## https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Performance_Tuning_Guide/s-memory-tunables.html +## +vm.swappiness=1 + +## 5. Networking: +## +## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-network +## https://wiki.archlinux.org/title/Sysctl#TCP/IP_stack_hardening + +## Enable TCP SYN cookie protection to assist against SYN flood attacks. +## +## https://en.wikipedia.org/wiki/SYN_flood +## https://cateee.net/lkddb/web-lkddb/SYN_COOKIES.html +## +net.ipv4.tcp_syncookies=1 + +## Protect against TCP time-wait assassination hazards. +## Drops RST packets for sockets in the time-wait state. +## +## https://tools.ietf.org/html/rfc1337 +## net.ipv4.tcp_rfc1337=1 -## Disables ICMP redirect acceptance. +## Enable reverse path filtering (source validation) of packets received from all interfaces. +## Prevents IP spoofing and mitigate vulnerabilities such as CVE-2019-14899. +## +## https://en.wikipedia.org/wiki/IP_address_spoofing +## https://forums.whonix.org/t/enable-reverse-path-filtering/8594 +## https://seclists.org/oss-sec/2019/q4/122 +## +net.ipv4.conf.all.rp_filter=1 +net.ipv4.conf.default.rp_filter=1 + +## Disable ICMP redirect acceptance and redirect sending messages. +## Prevents man-in-the-middle attacks and minimises information disclosure. 
+## +## https://askubuntu.com/questions/118273/what-are-icmp-redirects-and-should-they-be-blocked +## net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.default.accept_redirects=0 -net.ipv4.conf.all.secure_redirects=0 -net.ipv4.conf.default.secure_redirects=0 +net.ipv4.conf.all.send_redirects=0 +net.ipv4.conf.default.send_redirects=0 net.ipv6.conf.all.accept_redirects=0 net.ipv6.conf.default.accept_redirects=0 -## Disables ICMP redirect sending. -net.ipv4.conf.all.send_redirects=0 -net.ipv4.conf.default.send_redirects=0 +## Accept ICMP redirect messages only for approved gateways. +## If ICMP redirect messages are permitted, only useful if managing a default gateway list. +## +net.ipv4.conf.all.secure_redirects=0 +net.ipv4.conf.default.secure_redirects=0 -## Ignores ICMP requests. +## Ignore ICMP echo requests. +## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks. +## +## https://en.wikipedia.org/wiki/Smurf_attack +## net.ipv4.icmp_echo_ignore_all=1 net.ipv6.icmp.echo_ignore_all=1 -## Ignores bogus ICMP error responses +## Ignore bogus ICMP error responses. +## Mitigates attacks designed to fill log files with useless error messages. +## net.ipv4.icmp_ignore_bogus_error_responses=1 -## Enables TCP syncookies. -net.ipv4.tcp_syncookies=1 - -## Disable source routing. +## Disable source routing which allows users redirect network traffic. +## Prevents man-in-the-middle attacks in which the traffic is redirected. +## +## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-disable-source-routing +## net.ipv4.conf.all.accept_source_route=0 net.ipv4.conf.default.accept_source_route=0 net.ipv6.conf.all.accept_source_route=0 net.ipv6.conf.default.accept_source_route=0 -## Enable reverse path filtering to prevent IP spoofing and -## mitigate vulnerabilities such as CVE-2019-14899. 
-## https://forums.whonix.org/t/enable-reverse-path-filtering/8594 -net.ipv4.conf.default.rp_filter=1 -net.ipv4.conf.all.rp_filter=1 +## Do not accept IPv6 router advertisements and solicitations. +## +net.ipv6.conf.all.accept_ra=0 +net.ipv6.conf.default.accept_ra=0 -#### meta end - - -## Previously disabled SACK, DSACK, and FACK. -## https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109 +## Disable SACK, DSACK, and FACK. +## Select acknowledgements (SACKs) are a known common vector of exploitation. +## Duplicate select acknowledgements (DSACKs) are an extension of SACK. +## Forward acknowledgements (FACKs) are a legacy option that will (eventually) be deprecated. +## Disabling can cause severe connectivity issues on networks with high latency or packet loss. +## Enabling on stable high-bandwidth networks can lead to reduced efficiency of TCP connections. +## +## https://datatracker.ietf.org/doc/html/rfc2018 +## https://datatracker.ietf.org/doc/html/rfc2883 +## https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf +## https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md +## https://wiki.archlinux.org/title/Sysctl#TCP_Selective_Acknowledgement +## https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109/5 +## +## SACK and DSACK are currently enabled. +## #net.ipv4.tcp_sack=0 #net.ipv4.tcp_dsack=0 #net.ipv4.tcp_fack=0 - -#### meta start -#### project Kicksecure -#### category networking and security -#### description -## disable IPv4 TCP Timestamps - +## Disable TCP timestamps to limit device fingerprinting via system time. 
+## +## https://forums.whonix.org/t/do-ntp-and-tcp-timestamps-really-leak-your-local-time/7824 +## https://web.archive.org/web/20170201160732/https://mailman.boum.org/pipermail/tails-dev/2013-December/004520.html +## net.ipv4.tcp_timestamps=0 -#### meta end - - -## Disable SysRq key -kernel.sysrq=0 - -## Restrict loading TTY line disciplines to CAP_SYS_MODULE to prevent -## unprivileged attackers from loading vulnerable line disciplines -## with the TIOCSETD ioctl which has been used in exploits before -## such as https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html +## Enable logging of packets with impossible source or destination addresses. +## Martian and unroutable packets may be used for dangerous purposes. +## Recommended to keep a (kernel dmesg) log of these to identify these suspicious packets. +## Good for troubleshooting and diagnostics but not necessary by default. +## Known for causing performance issues especially on systems with multiple interfaces. +## +## https://wiki.archlinux.org/title/Sysctl#Log_martian_packets +## https://github.com/Kicksecure/security-misc/issues/214 ## -## https://lkml.org/lkml/2019/4/15/890 -dev.tty.ldisc_autoload=0 - -## Restrict the userfaultfd() syscall to root as it can make heap sprays -## easier. +## The logging of martian packets is currently disabled. ## -## https://duasynt.com/blog/linux-kernel-heap-spray -vm.unprivileged_userfaultfd=0 - -## Let the kernel only swap if it is absolutely necessary. 
-## Better not be set to zero: -## - https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Performance_Tuning_Guide/s-memory-tunables.html -## - https://en.wikipedia.org/wiki/Swappiness -vm.swappiness=1 - -## Disallow kernel profiling by users without CAP_SYS_ADMIN -## https://www.kernel.org/doc/Documentation/sysctl/kernel.txt -kernel.perf_event_paranoid=3 - -## Do not accept router advertisements -net.ipv6.conf.all.accept_ra=0 -net.ipv6.conf.default.accept_ra=0 +#net.ipv4.conf.all.log_martians=1 +#net.ipv4.conf.default.log_martians=1
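Review bot: In the README hunk at `@@ -6,57 +6,89 @@`, the bullet "Disable asynchronous I/O (when using Linux kernel version >= 6.6)" overstates what `kernel.io_uring_disabled=2` does: only the io_uring interface is disabled, POSIX AIO and libaio are untouched, so keep the wording of the removed line ("disable `io_uring` interface") rather than "asynchronous I/O". The same hunk has several typos: "through the us of kernel pointers" should be "use", "as the often contain" should be "as they often contain", "allows users redirect network traffic" needs "to redirect", and "Provide option to log of packets" should drop "of". The list also mixes imperative ("Restrict eBPF access ...") with third person ("Restricts the `userfaultfd()` syscall ...", "Entirely disables the SysRq key ...", "Enables reverse path filtering ..."); pick one form for all bullets.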
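Review bot: In the README hunk at `@@ -195,21 +227,6 @@`, removing every sysctl-based bullet leaves "## Network hardening" with only the IPv6 privacy extensions paragraph, and the CVE-2019-14899 reference for reverse path filtering now survives only as a comment inside `990-security-misc.conf`. Add a one-line pointer from this section to the "sysctl" section above so a reader looking for the TCP/IP stack settings still finds them, and consider keeping the CVE mention in the README bullet for reverse path filtering.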
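Review bot: In the `30_security-misc_kexec-disable.conf` hunk, the new comment "Useful for live kernel patching without rebooting." sits directly under "Disables kexec which can be used to replace the running kernel." and reads as if disabling kexec is what enables live patching; reword so it is clear that kexec itself is the mechanism, for example "kexec is also used to boot into a new kernel without a firmware reboot, which is why this setting is kept in its own file (see NOTE above)." The removed kernel.org quote carried the detail that the toggle cannot be set back to 0 before reboot; the surviving NOTE still states this, but keep the `https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html` link next to the Wikipedia one so the authoritative description stays reachable.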
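Review bot: In the `30_silent-kernel-printk.conf` hunk, the file now ends without a trailing newline (the diff shows "\ No newline at end of file"); add one. The comments also change the referenced file from `/etc/default/grub.d/41_quiet.cfg` to `/etc/default/grub.d/41_quiet_boot.cfg`, and the same new path is repeated in `990-security-misc.conf`; confirm the file shipped by the package actually carries the new name, otherwise both comments point at a file that does not exist. Minor: "For Increased Log Verbosity:" should not be title-cased.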
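Review bot: In the `990-security-misc.conf` hunk, the comment above `net.ipv4.conf.all.secure_redirects=0` ("Accept ICMP redirect messages only for approved gateways.") describes the value 1, not 0: per ip-sysctl, `secure_redirects=1` restricts accepted redirects to gateways in the interface's current gateway list, and 0 removes that restriction. With `accept_redirects=0` the setting has no effect either way, so either set `secure_redirects=1` as defence in depth or fix the comment to say it is disabled and why. Also in this hunk: the `kernel.perf_event_paranoid=3` comment ("Other distributions such as Ubuntu and Fedora may permit further restricting.") has it backwards, value 3 is the extra level added by the Debian/Ubuntu kernel patch and mainline stops at 2, so say that on an unpatched kernel 3 behaves as 2; `kernel.io_uring_disabled=2` will make systemd-sysctl log an error on kernels before 6.6, which the sysctl.d `-` key prefix (ignore failures to set) would silence, and the comment "Disable asynchronous I/O for all processes" should name io_uring specifically; `kernel.unprivileged_userns_clone` is likewise a Debian-specific sysctl and the comment should say so for anyone uncommenting it on another kernel; `net.ipv4.tcp_fack` is already documented in ip-sysctl as a legacy option with no effect, not one that "will (eventually) be deprecated". Typos: "SYS_CAP_PTRACE" should be "CAP_SYS_PTRACE", "may be overwritten by systemd is is not comprehensive" should read "and is not comprehensive", "reccommmeded" should be "recommended", "2.User Space" is missing a space, "Select acknowledgements (SACKs)" should be "Selective acknowledgements", and "allows users redirect network traffic" needs "to redirect".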