diff --git a/README.md b/README.md index 5e029c8..d4dd706 100644 --- a/README.md +++ b/README.md @@ -57,6 +57,9 @@ space, user space, core dumps, and swap space. - Increase the maximum number of memory map areas a process is able to utilize. +- Disallow registering interpreters for various (miscellaneous) binary formats based + on a magic number or their file extension to prevent unintended code execution. + - Disable core dump files and prevent their creation. If core dump files are enabled, they will be named based on `core.PID` instead of the default `core`. diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf index 7b07033..334fb68 100644 --- a/usr/lib/sysctl.d/990-security-misc.conf +++ b/usr/lib/sysctl.d/990-security-misc.conf @@ -193,6 +193,22 @@ fs.protected_regular=2 ## vm.max_map_count=1048576 +## Disable the miscellaneous binary format virtual file system to prevent unintended code execution. +## Prevents registering interpreters for various binary formats based on a magic number or their file extension. +## If arbitrary executable file formats are recognised, they will be passed to relevant user space applications. +## These interpreters will run with root permissions when a setuid binary is owned by root. +## Can stop maliciously crafted files with specific file extensions from automatically executing. +## Breaks many scripts that do not have appropriate shebang interpreter directives (#!/bin/...). +## +## https://www.kernel.org/doc/html/latest/admin-guide/binfmt-misc.html +## https://salsa.debian.org/debian/binfmt-support +## https://access.redhat.com/solutions/1985633 +## https://en.wikipedia.org/wiki/Binfmt_misc +## https://security.stackexchange.com/questions/271786/does-allowing-binfmt-misc-significantly-increase-the-attack-surface-for-unprivil +## https://unix.stackexchange.com/questions/439569/what-kinds-of-executable-formats-do-the-files-under-proc-sys-fs-binfmt-misc-al +## +fs.binfmt_misc.status=0 + ## 3. Core Dumps: ## ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps