diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index 2f47e89..322abb8 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -98,6 +98,7 @@ kernel.sysrq=0
 ## Restricts kernel profiling to CAP_PERFMON.
 ## The performance events system should not be accessible by unprivileged users.
+## Other distributions such as Ubuntu and Fedora may permit further restricting.
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html#unprivileged-users
 ## https://lore.kernel.org/kernel-hardening/1469630746-32279-1-git-send-email-jeffv@google.com/
@@ -126,9 +127,16 @@ kernel.io_uring_disabled=2
 ## Restrict usage of the ptrace() system call to only processes with CAP_SYS_PTRACE.
 ## Limit ptrace() as it enables programs to inspect and modify other active processes.
-## This may break some programs running under WINE.
+## Prevents native code debugging which some programs use as a method to detect tampering.
+## May cause breakages in 'anti-cheat' software and programs running under Proton/WINE.
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html#ptrace-scope
+## https://en.wikipedia.org/wiki/Ptrace
+## https://grapheneos.org/features#attack-surface-reduction
+## https://github.com/GrapheneOS/os-issue-tracker/issues/651#issuecomment-917599928
+## https://github.com/netblue30/firejail/issues/2860
+##
+## It is possible to harden further by disabling ptrace() for all users, see documentation.
 ##
 kernel.yama.ptrace_scope=2
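Review bot: The added line "Other distributions such as Ubuntu and Fedora may permit further restricting" names distributions but not the setting, so a reader cannot tell what to check on their kernel; the linked lore thread is the out-of-tree patch that introduced perf_event_paranoid=3, which is what "further restricting" appears to refer to. I would state that explicitly, e.g. `## Some distribution kernels carry an out-of-tree patch adding perf_event_paranoid=3, which denies perf_event_open() to unprivileged users entirely; as far as I can tell upstream kernels treat any value above 2 the same as 2, so the higher value is safe to set but only effective where the patch is present.` I am not aware of Fedora carrying that patch, so that name is worth verifying before it is published. The actual `kernel.perf_event_paranoid=` assignment is outside this hunk, so I cannot see which value the file currently sets.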
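Review bot: The rewritten ptrace_scope comment describes the impact only in terms of anti-cheat and Proton/WINE, but the linked Yama documentation states that scope 2 also blocks PTRACE_TRACEME, so an unprivileged user can no longer run gdb, strace or ltrace on their own processes; that is the breakage most users will hit first and it should be documented, e.g. `## Also blocks PTRACE_TRACEME, so debugging/tracing tools (gdb, strace, ltrace) only work with CAP_SYS_PTRACE.` The sentence "Prevents native code debugging which some programs use as a method to detect tampering" also reads backwards: the programs in question ptrace themselves to detect a debugger, and scope 2 stops that self-attach, so I would reword it to say that. The closing "see documentation" is vague where it matters; the linked Yama page gives the stronger setting as scope 3 and notes it is irreversible, so I would write `## kernel.yama.ptrace_scope=3 disables ptrace() for every process and, once set, cannot be changed until reboot.`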
@@ -301,16 +309,16 @@ net.ipv6.conf.default.accept_ra=0
 #net.ipv4.tcp_dsack=0
 net.ipv4.tcp_fack=0
-## Disable TCP timestamps to limit system fingerprinting via time.
+## Disable TCP timestamps to limit device fingerprinting via system time.
 ##
 ## https://forums.whonix.org/t/do-ntp-and-tcp-timestamps-really-leak-your-local-time/7824
 ## https://web.archive.org/web/20170201160732/https://mailman.boum.org/pipermail/tails-dev/2013-December/004520.html
 ##
 net.ipv4.tcp_timestamps=0
-## Previously enabled logging of packets with impossible source or destination addresses.
+## Enable logging of packets with impossible source or destination addresses.
 ## Martian and unroutable packets may be used for dangerous purposes.
-## Recommended to keep a (kernel dmesg) log of these to identify these suspicious packets
+## Recommended to keep a (kernel dmesg) log of these to identify these suspicious packets.
 ## Good for troubleshooting and diagnostics but not necessary by default.
 ## Known for causing performance issues especially on systems with multiple interfaces.
 ##