Merge remote-tracking branch 'raja/sysctl'

Patrick Schleizer 2024-07-17 07:59:35 -04:00
commit cf5f0edbb8
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
5 changed files with 368 additions and 190 deletions

README.md

@ -6,57 +6,89 @@ This section is inspired by the Kernel Self Protection Project (KSPP). It
implements all recommended Linux kernel settings by the KSPP and many more. implements all recommended Linux kernel settings by the KSPP and many more.
- https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project - https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project
- https://kspp.github.io/Recommended_Settings
### sysctl ### sysctl
sysctl settings are configured via the `/etc/sysctl.d/30_security-misc.conf` sysctl settings are configured via the `/usr/lib/sysctl.d/990-security-misc.conf`
configuration file. configuration file.
- A kernel pointer points to a specific location in kernel memory. These can Significant hardening is applied by default to a myriad of components within kernel
be very useful in exploiting the kernel so they are restricted to space, user space, core dumps, and swap space.
`CAP_SYSLOG`.
- The kernel logs are restricted to `CAP_SYSLOG` as they can often leak - Restrict access to kernel addresses through the us of kernel pointers regardless
sensitive information such as kernel pointers. of user privileges.
- The `ptrace()` system call is restricted to `CAP_SYS_PTRACE`. - Restrict access to the kernel logs to `CAP_SYSLOG` as the often contain
sensitive information.
- eBPF is restricted to `CAP_BPF` (`CAP_SYS_ADMIN` on kernel versions prior to - Prevent kernel information leaks in the console during boot.
5.8) and JIT hardening techniques such as constant blinding are enabled.
- Restricts performance events to `CAP_PERFMON` (`CAP_SYS_ADMIN` on kernel - Restrict eBPF access to `CAP_BPF` and enable associated JIT compiler hardening.
versions prior to 5.8).
- Restricts loading line disciplines to `CAP_SYS_MODULE` to prevent - Restrict loading TTY line disciplines to `CAP_SYS_MODULE`.
unprivileged attackers from loading vulnerable line disciplines with the
`TIOCSETD` ioctl which has been abused in a number of exploits before.
- Restricts the `userfaultfd()` syscall to `CAP_SYS_PTRACE` as `userfaultfd()` - Restricts the `userfaultfd()` syscall to `CAP_SYS_PTRACE` which reduces the
is often abused to exploit use-after-free flaws. likelihood of use-after-free exploits.
- Kexec is disabled as it can be used to load a malicious kernel and gain - Disable `kexec` as it can be used to replace the running kernel.
arbitrary code execution in kernel mode.
- Randomises the addresses for mmap base, heap, stack, and VDSO pages. - Entirely disables the SysRq key so that the Secure Attention Key (SAK)
can no longer be utilised. See [documentation](https://www.kicksecure.com/wiki/SysRq).
- Prevents unintentional writes to attacker-controlled files. - Provide option to disable unprivileged user namespaces as they can lead to
privilege escalation.
- Prevents common symlink and hardlink TOCTOU races. - Restrict kernel profiling and the performance events system to `CAP_PERFMON`.
- Disables SysRq key completely. - Randomise the addresses (ASLR) for mmap base, stack, VDSO pages, and heap.
* Therefore Secure Attention Key (SAK) cannot be used.
* https://www.kicksecure.com/wiki/SysRq
- The kernel is only allowed to swap if it is absolutely necessary. This - Disable asynchronous I/O (when using Linux kernel version >= 6.6).
prevents writing potentially sensitive contents of memory to disk.
- TCP timestamps are disabled as it can allow detecting the system time. - Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it
enables programs to inspect and modify other active processes. Provide option
to also entirely disable the use of `ptrace()` for all processes.
- Set coredump file name based on core_pattern value instead of the default of - Prevent hardlink and symlink TOCTOU races in world-writable directories.
naming it 'core'.
- Will disable `io_uring` interface for performing asynchronous I/O as it has - Disallow unintentional writes to files in world-writable directories unless
historically been a significant attack surface. they are owned by the directory owner to mitigate some data spoofing attacks.
- Increase the maximum number of memory map areas a process is able to utilise.
- Disable core dump files and prevent their creation. If core dump files are
enabled, they will be named based on `core.PID` instead of the default `core`.
- Limit the copying of potentially sensitive content in memory to the swap device.
Various networking components of the TCP/IP stack are hardened for IPv4/6.
- Enable TCP SYN cookie protection to assist against SYN flood attacks.
- Protect against TCP time-wait assassination hazards.
- Enables reverse path filtering (source validation) of packets received
from all interfaces to prevent IP spoofing.
- Disable ICMP redirect acceptance and redirect sending messages to
prevent man-in-the-middle attacks and minimise information disclosure.
- Ignore ICMP echo requests to prevent clock fingerprinting and Smurf attacks.
- Ignore bogus ICMP error responses.
- Disable source routing which allows users redirect network traffic that
can result in man-in-the-middle attacks.
- Do not accept IPv6 router advertisements and solicitations.
- Provide option to disable SACK and DSACK as they have historically been a
vector for exploitation.
- Disable TCP timestamps as it can allow detecting the system time.
- Provide option to log of packets with impossible source or destination
addresses to enable inspection and further analysis.
### mmap ASLR ### mmap ASLR
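Review bot: the new bullet "Disable asynchronous I/O (when using Linux kernel version >= 6.6)" overstates what `kernel.io_uring_disabled` does; it disables only the `io_uring` interface, while POSIX/libaio asynchronous I/O keeps working, so the wording of the removed bullet ("disable `io_uring` interface for performing asynchronous I/O") is the accurate one and should be kept. The new text also carries several typos worth fixing before merge: "through the us of kernel pointers" (use), "as the often contain" (they), "which allows users redirect network traffic" (to redirect), "Provide option to log of packets" (to log packets); and "Restricts the `userfaultfd()` syscall" is the one bullet not in the imperative mood used by the rest of the list.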
@ -195,21 +227,6 @@ disabling should first be blacklisted for a suitable amount of time.
## Network hardening ## Network hardening
- TCP syncookies are enabled to prevent SYN flood attacks.
- ICMP redirect acceptance, ICMP redirect sending, source routing and IPv6
router advertisements are disabled to prevent man-in-the-middle attacks.
- The kernel is configured to ignore all ICMP requests to avoid Smurf attacks,
make the device more difficult to enumerate on the network and prevent clock
fingerprinting through ICMP timestamps.
- RFC1337 is enabled to protect against time-wait assassination attacks by
dropping RST packets for sockets in the time-wait state.
- Reverse path filtering is enabled to prevent IP spoofing and mitigate
vulnerabilities such as CVE-2019-14899.
- Unlike version 4, IPv6 addresses can provide information not only about the - Unlike version 4, IPv6 addresses can provide information not only about the
originating network, but also the originating device. We prevent this from originating network, but also the originating device. We prevent this from
happening by enabling the respective privacy extensions for IPv6. happening by enabling the respective privacy extensions for IPv6.
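Review bot: the reverse path filtering bullet removed here was the only place the README cited CVE-2019-14899, and the replacement bullet in the sysctl section above says only "to prevent IP spoofing"; consider keeping the CVE reference in the README (the conf file still carries it) or adding a one-line pointer from this now single-bullet "Network hardening" section to the sysctl section, so readers looking for the networking rationale are not left with just the IPv6 privacy extensions bullet.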


@ -10,7 +10,7 @@ rm_conffile /etc/sysctl.d/sysrq.conf
rm_conffile /etc/apparmor.d/usr.lib.security-misc.pam_tally2-info rm_conffile /etc/apparmor.d/usr.lib.security-misc.pam_tally2-info
rm_conffile /etc/apparmor.d/usr.lib.security-misc.permission-lockdown rm_conffile /etc/apparmor.d/usr.lib.security-misc.permission-lockdown
## merged into 1 file /etc/sysctl.d/30_security-misc.conf ## merged into 3 files /usr/lib/sysctl.d/30_security-misc_kexec-disable.conf, /usr/lib/sysctl.d/30_silent-kernel-printk.conf, and /usr/lib/sysctl.d/990-security-misc.conf
rm_conffile /etc/sysctl.d/fs_protected.conf rm_conffile /etc/sysctl.d/fs_protected.conf
rm_conffile /etc/sysctl.d/kptr_restrict.conf rm_conffile /etc/sysctl.d/kptr_restrict.conf
rm_conffile /etc/sysctl.d/suid_dumpable.conf rm_conffile /etc/sysctl.d/suid_dumpable.conf
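Review bot: the updated comment now names three target files (30_security-misc_kexec-disable.conf, 30_silent-kernel-printk.conf and 990-security-misc.conf) while the rm_conffile entries beneath it are unchanged, so please confirm that every old /etc/sysctl.d/ file whose contents moved into those three (the hunk header shows sysrq.conf is already handled above) has an rm_conffile line; the comment itself is also long enough to be worth wrapping across two or three `##` lines like the rest of the file.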


@ -1,16 +1,16 @@
## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org> ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions. ## See the file COPYING for copying conditions.
## Quote https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html ## NOTE:
##
## kexec_load_disabled:
##
## A toggle indicating if the kexec_load syscall has been disabled. This value defaults to 0 (false: kexec_load enabled), but can be set to 1 (true: kexec_load disabled). Once true, kexec can no longer be used, and the toggle cannot be set back to false. This allows a kexec image to be loaded before disabling the syscall, allowing a system to set up (and later use) an image without it being altered. Generally used together with the "modules_disabled" sysctl.
## Disables kexec which can be used to replace the running kernel.
kernel.kexec_load_disabled=1
## Why is this in a dedicated config file? ## Why is this in a dedicated config file?
## Package ram-wipe requires kexec. However, ram-wipe could not ship a config ## Package ram-wipe requires kexec. However, ram-wipe could not ship a config
## file /etc/sysctl.d/40_ram-wipe.conf which sets 'kernel.kexec_load_disabled=0'. ## file /etc/sysctl.d/40_ram-wipe.conf which sets 'kernel.kexec_load_disabled=0'.
## This is because once systemd-sysctl.service has set 'kernel.kexec_load_disabled=1' ## This is because once systemd-sysctl.service has set 'kernel.kexec_load_disabled=1'
## it cannot be undone without reboot. This is a upstream Linux security feature. ## it cannot be undone without reboot. This is a upstream Linux security feature.
## Disables kexec which can be used to replace the running kernel.
## Useful for live kernel patching without rebooting.
##
## https://en.wikipedia.org/wiki/Kexec
##
kernel.kexec_load_disabled=1
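Review bot: the new comment "Useful for live kernel patching without rebooting" is misleading placed directly above `kernel.kexec_load_disabled=1`; it reads as if the setting enables live patching, and kexec is not live patching (that is livepatch/kpatch) but a way to boot a replacement kernel from the running one without going through firmware and bootloader. Suggest "kexec allows booting a new kernel directly from the running kernel" or similar. Dropping the upstream documentation quote is fine since the "cannot be undone without reboot" explanation is kept, but that sentence should then stay adjacent to the setting rather than only in the "Why is this in a dedicated config file?" block.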


@ -1,14 +1,14 @@
## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org> ## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
## See the file COPYING for copying conditions. ## See the file COPYING for copying conditions.
## Prevent kernel info leaks in console during boot. ## Prevent kernel information leaks in the console during boot.
## https://phabricator.whonix.org/T950 ## Must be used in combination with the kernel boot parameters.
kernel.printk = 3 3 3 3 ## See /etc/default/grub.d/41_quiet_boot.cfg for implementation.
## NOTE:
## For higher verbosity, the user might also want to delete file
## /etc/default/grub.d/41_quiet.cfg
## (or out-comment its settings).
## ##
## Alternatively, the user could consider to install the debug-misc package, ## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html
## which will undo the settings found here. ##
kernel.printk=3 3 3 3
## For Increased Log Verbosity:
## Adjust (or comment out) the kernel parameters in /etc/default/grub.d/41_quiet_boot.cfg.
## Alternatively, installing the debug-misc package will undo these settings.
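Review bot: the pointer changes from /etc/default/grub.d/41_quiet.cfg to /etc/default/grub.d/41_quiet_boot.cfg in both the "See ... for implementation" line and the verbosity note; please confirm the file the package actually ships is named 41_quiet_boot.cfg (a rename in this commit would be outside the five changed files), otherwise both references break. Minor: "For Increased Log Verbosity:" uses title case where the rest of the comments use sentence case.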


@ -2,177 +2,338 @@
## See the file COPYING for copying conditions. ## See the file COPYING for copying conditions.
## NOTE: ## NOTE:
## This file has a weird file name so /usr/lib/sysctl.d/99-protect-links.conf ## This file has a strange name so that /usr/lib/sysctl.d/99-protect-links.conf is
## is parsed first and /usr/lib/sysctl.d/990-security-misc.conf is parsed ## first parsed and then followed by /usr/lib/sysctl.d/990-security-misc.conf.
## afterwards. See also:
## https://github.com/Kicksecure/security-misc/pull/135 ## https://github.com/Kicksecure/security-misc/pull/135
## Restricts the kernel log to root only. ## This configuration file is split into 5 sections:
kernel.dmesg_restrict=1 ## 1. Kernel Space
## 2. User Space
## 3. Core Dumps
## 4. Swap Space
## 5. Networking
## Disables coredumps. This setting may be overwritten by systemd so this may not be useful. ## See the documentation below for details on the majority of the selected commands.
## security-misc also disables coredumps in other ways. ## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html
kernel.core_pattern=|/bin/false ## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/fs.html
## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/net.html
## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/vm.html
## https://www.kernel.org/doc/html/latest//networking/ip-sysctl.html
## Does not set coredump name to 'core' which is default. Defense in depth. ## 1. Kernel Space:
kernel.core_uses_pid=1
## Prevent setuid processes from creating coredumps.
fs.suid_dumpable=0
## Don't allow writes to files that we don't own
## in world writable sticky directories, unless
## they are owned by the owner of the directory.
fs.protected_fifos=2
fs.protected_regular=2
## Only allow symlinks to be followed when outside of
## a world-writable sticky directory, or when the owner
## of the symlink and follower match, or when the directory
## owner matches the symlink's owner.
## ##
## Prevent hardlinks from being created by users that do not ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
## have read/write access to the source file. ## https://wiki.archlinux.org/title/Security#Kernel_hardening
##
## These prevent many TOCTOU races.
fs.protected_symlinks=1
fs.protected_hardlinks=1
## Hides kernel addresses in various files in /proc. ## Restrict kernel addresses via /proc and other interfaces regardless of user privileges.
## Kernel addresses can be very useful in certain exploits. ## Kernel pointers expose specific locations in kernel memory.
## ##
## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak ## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
##
kernel.kptr_restrict=2 kernel.kptr_restrict=2
## Improves ASLR effectiveness for mmap. ## Restrict access to the kernel log buffer to CAP_SYSLOG.
## Both explicit sysctl are made redundant due to automation ## Kernel logs often contain sensitive information such as kernel pointers.
##
kernel.dmesg_restrict=1
## Prevent kernel information leaks in the console during boot.
## Must be used in combination with the kernel boot parameters.
## See /etc/default/grub.d/41_quiet_boot.cfg for implementation.
##
## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html
##
## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation.
##
#kernel.printk=3 3 3 3
## Restrict eBPF access to CAP_BPF and enable associated JIT compiler hardening.
##
## https://en.wikipedia.org/wiki/EBPF#Security
##
kernel.unprivileged_bpf_disabled=1
net.core.bpf_jit_harden=2
## Restrict loading TTY line disciplines to CAP_SYS_MODULE.
## Prevents unprivileged users loading vulnerable line disciplines with the TIOCSETD ioctl.
##
## https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html
## https://lkml.org/lkml/2019/4/15/890
##
dev.tty.ldisc_autoload=0
## Restrict the userfaultfd() syscall to SYS_CAP_PTRACE.
## Reduces likelihood of use-after-free exploits from heap sprays.
##
## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cefdca0a86be517bc390fc4541e3674b8e7803b0
## https://duasynt.com/blog/linux-kernel-heap-spray
##
vm.unprivileged_userfaultfd=0
## Disables kexec which can be used to replace the running kernel.
## Useful for live kernel patching without rebooting.
##
## https://en.wikipedia.org/wiki/Kexec
##
## See /usr/lib/sysctl.d/30_security-misc_kexec-disable.conf for implementation.
##
#kernel.kexec_load_disabled=1
## Disable the SysRq key to prevent leakage of kernel information.
## The Secure Attention Key (SAK) can no longer be utilised.
##
## https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html
## https://www.kicksecure.com/wiki/SysRq
## https://github.com/xairy/unlockdown
##
kernel.sysrq=0
## Restrict user namespaces to CAP_SYS_ADMIN.
## User namespaces aim to improve sandboxing and accessibility for unprivileged users.
## Unprivileged user namespaces pose substantial privilege escalation risks.
## Restricting is well-known to cause breakages across numerous software.
##
## https://madaidans-insecurities.github.io/linux.html#kernel
## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers
##
## Unprivileged user namespaces are currently enabled.
##
#kernel.unprivileged_userns_clone=0
## Restricts kernel profiling to CAP_PERFMON.
## The performance events system should not be accessible by unprivileged users.
## Other distributions such as Ubuntu and Fedora may permit further restricting.
##
## https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html#unprivileged-users
## https://lore.kernel.org/kernel-hardening/1469630746-32279-1-git-send-email-jeffv@google.com/
##
kernel.perf_event_paranoid=3
## Enable ASLR for mmap base, stack, VDSO pages, and heap.
## Heap randomisation can lead to breakages with legacy applications.
##
## https://en.wikipedia.org/wiki/Address_space_layout_randomization#Linux
##
kernel.randomize_va_space=2
## Disable asynchronous I/O for all processes.
##
## https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html
##
## Applicable when using Linux kernel >= 6.6 (retained here for future-proofing and completeness).
##
kernel.io_uring_disabled=2
## 2.User Space:
##
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace
## Restrict usage of the ptrace() system call to only processes with CAP_SYS_PTRACE.
## Limit ptrace() as it enables programs to inspect and modify other active processes.
## Prevents native code debugging which some programs use as a method to detect tampering.
## May cause breakages in 'anti-cheat' software and programs running under Proton/WINE.
##
## https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html#ptrace-scope
## https://en.wikipedia.org/wiki/Ptrace
## https://grapheneos.org/features#attack-surface-reduction
## https://github.com/GrapheneOS/os-issue-tracker/issues/651#issuecomment-917599928
## https://github.com/netblue30/firejail/issues/2860
##
## It is possible to harden further by disabling ptrace() for all users, see documentation.
##
kernel.yama.ptrace_scope=2
## Maximise bits of entropy for improved effectiveness of mmap ASLR.
## The maximum numbers of bits are dependent on CPU architecture (the ones shown below are for x86).
## Both explicit sysctl are made redundant due to automation.
## Do NOT enable either sysctl - displaying only for clarity.
##
## https://forums.whonix.org/t/automate-mmap-randomisation-to-fix-ppc64el/16514 ## https://forums.whonix.org/t/automate-mmap-randomisation-to-fix-ppc64el/16514
## Do NOT enable either - displaying only for clarity ##
## See /usr/libexec/security-misc/mmap-rnd-bits for implementation.
## ##
#vm.mmap_rnd_bits=32 #vm.mmap_rnd_bits=32
#vm.mmap_rnd_compat_bits=16 #vm.mmap_rnd_compat_bits=16
## Restricts the use of ptrace to root. This might break some programs running under WINE. ## Prevent hardlink creation by users who do not have read/write/ownership of source file.
## A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. This can be done by running: ## Only allow symlinks to be followed when outside of a world-writable sticky directories.
## Allow symlinks when the owner and follower match or when the directory owner matches the symlink's owner.
## Hardens cross privilege boundaries if root process follows a hardlink/symlink belonging to another user.
## This mitigates many hardlink/symlink-based TOCTOU races in world-writable directories like /tmp.
## ##
## sudo apt-get install libcap2-bin ## https://wiki.archlinux.org/title/Security#File_systems
## sudo setcap cap_sys_ptrace=eip /usr/bin/wineserver ## https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=/tmp
## sudo setcap cap_sys_ptrace=eip /usr/bin/wine-preloader ## https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use#Preventing_TOCTOU
kernel.yama.ptrace_scope=2 ##
fs.protected_hardlinks=1
fs.protected_symlinks=1
## Randomize the addresses for mmap base, heap, stack, and VDSO pages ## Disallow writes to files in world-writable sticky directories unless owned by the directory owner.
kernel.randomize_va_space=2 ## Also applies to group writable sticky directories to make data spoofing attacks more difficult.
## Prevents unintentional writes to attacker-controlled files.
##
fs.protected_fifos=2
fs.protected_regular=2
## Hardens the BPF JIT compiler and restricts it to root. ## Increase the maximum number of memory map areas a process is permitted to utilise.
kernel.unprivileged_bpf_disabled=1 ## Addresses performance, crash, and start-up issues for some memory intensive applications.
net.core.bpf_jit_harden=2 ## Required to accommodate the very large number of guard pages created by hardened_malloc.
## Kicksecure version 18 will deprecate hardened_malloc and so this sysctl will be applied here instead.
##
## https://archlinux.org/news/increasing-the-default-vmmax_map_count-value/
## https://github.com/GrapheneOS/hardened_malloc#traditional-linux-based-operating-systems
## https://github.com/Kicksecure/hardened_malloc/blob/master/debian/hardened_malloc.conf
## https://www.kicksecure.com/wiki/Hardened_Malloc#Deprecation_in_Kicksecure
##
vm.max_map_count=1048576
## Disable asynchronous I/O for all processes. ## 3. Core Dumps:
## Valid only for linux kernel version >= 6.6. ##
## Command is retained here for future-proofing and completeness. ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps
## https://forums.whonix.org/t/io-uring-security-vulnerabilties/16890/6
kernel.io_uring_disabled=2
#### meta start ## Disable core dump files by preventing any pattern names.
#### project Kicksecure ## This setting may be overwritten by systemd is is not comprehensive.
#### category networking and security ## Core dumps are also disabled in security-misc via other means.
#### description ##
## TCP/IP stack hardening ## https://wiki.archlinux.org/title/Core_dump#Disabling_automatic_core_dumps
##
kernel.core_pattern=|/bin/false
## A martian packet is a one with a source address which is blatantly wrong ## Prevent setuid processes or otherwise protected/tainted binaries from creating core dumps.
## Recommended to keep a log of these to identify these suspicious packets ## Any process which has changed privilege levels or is execute-only will not be dumped.
## Good for troubleshooting and diagnostics but not necessary by default. ##
## Caused issue: fs.suid_dumpable=0
## https://github.com/Kicksecure/security-misc/issues/214
#net.ipv4.conf.all.log_martians=1
#net.ipv4.conf.default.log_martians=1
## Protects against time-wait assassination. ## Set core dump file name to 'core.PID' instead of 'core' as a form of defence-in-depth.
## It drops RST packets for sockets in the time-wait state. ## If core dumps are permitted, only useful if PID listings are hidden from non-root users.
##
kernel.core_uses_pid=1
## 4. Swap Space:
##
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#swap
## Limit the copying of memory to the swap device only if absolutely necessary.
## Minimises the likelihood of writing potentially sensitive contents to disk.
## Not reccommmeded to set to zero since this disables periodic write behavior.
##
## https://en.wikipedia.org/wiki/Memory_paging#Linux
## https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Performance_Tuning_Guide/s-memory-tunables.html
##
vm.swappiness=1
## 5. Networking:
##
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-network
## https://wiki.archlinux.org/title/Sysctl#TCP/IP_stack_hardening
## Enable TCP SYN cookie protection to assist against SYN flood attacks.
##
## https://en.wikipedia.org/wiki/SYN_flood
## https://cateee.net/lkddb/web-lkddb/SYN_COOKIES.html
##
net.ipv4.tcp_syncookies=1
## Protect against TCP time-wait assassination hazards.
## Drops RST packets for sockets in the time-wait state.
##
## https://tools.ietf.org/html/rfc1337
##
net.ipv4.tcp_rfc1337=1 net.ipv4.tcp_rfc1337=1
## Disables ICMP redirect acceptance. ## Enable reverse path filtering (source validation) of packets received from all interfaces.
## Prevents IP spoofing and mitigate vulnerabilities such as CVE-2019-14899.
##
## https://en.wikipedia.org/wiki/IP_address_spoofing
## https://forums.whonix.org/t/enable-reverse-path-filtering/8594
## https://seclists.org/oss-sec/2019/q4/122
##
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
## Disable ICMP redirect acceptance and redirect sending messages.
## Prevents man-in-the-middle attacks and minimises information disclosure.
##
## https://askubuntu.com/questions/118273/what-are-icmp-redirects-and-should-they-be-blocked
##
net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0 net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0 net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.secure_redirects=0 net.ipv4.conf.default.send_redirects=0
net.ipv6.conf.all.accept_redirects=0 net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0 net.ipv6.conf.default.accept_redirects=0
## Disables ICMP redirect sending. ## Accept ICMP redirect messages only for approved gateways.
net.ipv4.conf.all.send_redirects=0 ## If ICMP redirect messages are permitted, only useful if managing a default gateway list.
net.ipv4.conf.default.send_redirects=0 ##
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
## Ignores ICMP requests. ## Ignore ICMP echo requests.
## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks.
##
## https://en.wikipedia.org/wiki/Smurf_attack
##
net.ipv4.icmp_echo_ignore_all=1 net.ipv4.icmp_echo_ignore_all=1
net.ipv6.icmp.echo_ignore_all=1 net.ipv6.icmp.echo_ignore_all=1
## Ignores bogus ICMP error responses ## Ignore bogus ICMP error responses.
## Mitigates attacks designed to fill log files with useless error messages.
##
net.ipv4.icmp_ignore_bogus_error_responses=1 net.ipv4.icmp_ignore_bogus_error_responses=1
## Enables TCP syncookies. ## Disable source routing which allows users redirect network traffic.
net.ipv4.tcp_syncookies=1 ## Prevents man-in-the-middle attacks in which the traffic is redirected.
##
## Disable source routing. ## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-disable-source-routing
##
net.ipv4.conf.all.accept_source_route=0 net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0 net.ipv4.conf.default.accept_source_route=0
net.ipv6.conf.all.accept_source_route=0 net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0 net.ipv6.conf.default.accept_source_route=0
## Enable reverse path filtering to prevent IP spoofing and ## Do not accept IPv6 router advertisements and solicitations.
## mitigate vulnerabilities such as CVE-2019-14899. ##
## https://forums.whonix.org/t/enable-reverse-path-filtering/8594 net.ipv6.conf.all.accept_ra=0
net.ipv4.conf.default.rp_filter=1 net.ipv6.conf.default.accept_ra=0
net.ipv4.conf.all.rp_filter=1
#### meta end ## Disable SACK, DSACK, and FACK.
## Select acknowledgements (SACKs) are a known common vector of exploitation.
## Duplicate select acknowledgements (DSACKs) are an extension of SACK.
## Previously disabled SACK, DSACK, and FACK. ## Forward acknowledgements (FACKs) are a legacy option that will (eventually) be deprecated.
## https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109 ## Disabling can cause severe connectivity issues on networks with high latency or packet loss.
## Enabling on stable high-bandwidth networks can lead to reduced efficiency of TCP connections.
##
## https://datatracker.ietf.org/doc/html/rfc2018
## https://datatracker.ietf.org/doc/html/rfc2883
## https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
## https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
## https://wiki.archlinux.org/title/Sysctl#TCP_Selective_Acknowledgement
## https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109/5
##
## SACK and DSACK are currently enabled.
##
#net.ipv4.tcp_sack=0 #net.ipv4.tcp_sack=0
#net.ipv4.tcp_dsack=0 #net.ipv4.tcp_dsack=0
#net.ipv4.tcp_fack=0 #net.ipv4.tcp_fack=0
## Disable TCP timestamps to limit device fingerprinting via system time.
#### meta start ##
#### project Kicksecure ## https://forums.whonix.org/t/do-ntp-and-tcp-timestamps-really-leak-your-local-time/7824
#### category networking and security ## https://web.archive.org/web/20170201160732/https://mailman.boum.org/pipermail/tails-dev/2013-December/004520.html
#### description ##
## disable IPv4 TCP Timestamps
net.ipv4.tcp_timestamps=0 net.ipv4.tcp_timestamps=0
#### meta end ## Enable logging of packets with impossible source or destination addresses.
## Martian and unroutable packets may be used for dangerous purposes.
## Recommended to keep a (kernel dmesg) log of these to identify these suspicious packets.
## Disable SysRq key ## Good for troubleshooting and diagnostics but not necessary by default.
kernel.sysrq=0 ## Known for causing performance issues especially on systems with multiple interfaces.
##
## Restrict loading TTY line disciplines to CAP_SYS_MODULE to prevent ## https://wiki.archlinux.org/title/Sysctl#Log_martian_packets
## unprivileged attackers from loading vulnerable line disciplines ## https://github.com/Kicksecure/security-misc/issues/214
## with the TIOCSETD ioctl which has been used in exploits before
## such as https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html
## ##
## https://lkml.org/lkml/2019/4/15/890 ## The logging of martian packets is currently disabled.
dev.tty.ldisc_autoload=0
## Restrict the userfaultfd() syscall to root as it can make heap sprays
## easier.
## ##
## https://duasynt.com/blog/linux-kernel-heap-spray #net.ipv4.conf.all.log_martians=1
vm.unprivileged_userfaultfd=0 #net.ipv4.conf.default.log_martians=1
## Let the kernel only swap if it is absolutely necessary.
## Better not be set to zero:
## - https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Performance_Tuning_Guide/s-memory-tunables.html
## - https://en.wikipedia.org/wiki/Swappiness
vm.swappiness=1
## Disallow kernel profiling by users without CAP_SYS_ADMIN
## https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
kernel.perf_event_paranoid=3
## Do not accept router advertisements
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0
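Review bot: the comment above `net.ipv4.conf.all.secure_redirects=0` ("Accept ICMP redirect messages only for approved gateways") describes the behaviour of secure_redirects=1, not the 0 being set here; with accept_redirects=0 the value is moot, but the comment should say that the gateway-list check is being switched off (or the two secure_redirects lines should be dropped) rather than implying it is enabled. Smaller fixes in the same hunk: "SYS_CAP_PTRACE" in the userfaultfd() comment should be "CAP_SYS_PTRACE" (the README and the Yama section use the correct name); "## 2.User Space:" is missing a space; "Not reccommmeded" should be "Not recommended"; and "This setting may be overwritten by systemd is is not comprehensive" should read "and is not comprehensive".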