2023-03-30 02:08:47 -04:00
|
|
|
## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
|
2020-01-24 04:26:36 -05:00
|
|
|
## See the file COPYING for copying conditions.
|
|
|
|
|
2023-10-26 12:04:13 -04:00
|
|
|
## NOTE:
|
|
|
|
## This file has a weird file name so /usr/lib/sysctl.d/99-protect-links.conf
|
|
|
|
## is parsed first and /usr/lib/sysctl.d/990-security-misc.conf is parsed
|
|
|
|
## afterwards. See also:
|
|
|
|
## https://github.com/Kicksecure/security-misc/pull/135
|
|
|
|
|
2020-01-24 04:26:36 -05:00
|
|
|
## Disables coredumps. This setting may be overwritten by systemd so this may not be useful.
|
|
|
|
## security-misc also disables coredumps in other ways.
|
|
|
|
kernel.core_pattern=|/bin/false
|
|
|
|
|
|
|
|
## Restricts the kernel log to root only.
|
|
|
|
kernel.dmesg_restrict=1
|
|
|
|
|
2020-02-12 13:03:23 -05:00
|
|
|
## Don't allow writes to files that we don't own
|
|
|
|
## in world writable sticky directories, unless
|
|
|
|
## they are owned by the owner of the directory.
|
2020-01-24 04:26:36 -05:00
|
|
|
fs.protected_fifos=2
|
|
|
|
fs.protected_regular=2
|
|
|
|
|
2020-02-12 13:03:23 -05:00
|
|
|
## Only allow symlinks to be followed when outside of
|
|
|
|
## a world-writable sticky directory, or when the owner
|
|
|
|
## of the symlink and follower match, or when the directory
|
|
|
|
## owner matches the symlink's owner.
|
|
|
|
##
|
|
|
|
## Prevent hardlinks from being created by users that do not
|
|
|
|
## have read/write access to the source file.
|
|
|
|
##
|
|
|
|
## These prevent many TOCTOU races.
|
|
|
|
fs.protected_symlinks=1
|
|
|
|
fs.protected_hardlinks=1
|
2020-01-24 04:26:36 -05:00
|
|
|
|
|
|
|
## Hardens the BPF JIT compiler and restricts it to root.
|
|
|
|
kernel.unprivileged_bpf_disabled=1
|
|
|
|
net.core.bpf_jit_harden=2
|
|
|
|
|
|
|
|
## Hides kernel addresses in various files in /proc.
|
|
|
|
## Kernel addresses can be very useful in certain exploits.
|
|
|
|
##
|
|
|
|
## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
|
|
|
|
kernel.kptr_restrict=2
|
|
|
|
|
2023-05-15 12:11:44 -04:00
|
|
|
## Improves ASLR effectiveness for mmap.
|
|
|
|
## Both explicit sysctl are made redundant due to automation
|
|
|
|
## https://forums.whonix.org/t/automate-mmap-randomisation-to-fix-ppc64el/16514
|
|
|
|
## Do NOT enable either - displaying only for clarity
|
|
|
|
##
|
|
|
|
#vm.mmap_rnd_bits=32
|
|
|
|
#vm.mmap_rnd_compat_bits=16
|
|
|
|
|
2020-01-24 04:26:36 -05:00
|
|
|
## Restricts the use of ptrace to root. This might break some programs running under WINE.
|
|
|
|
## A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. This can be done by running:
|
|
|
|
##
|
|
|
|
## sudo apt-get install libcap2-bin
|
|
|
|
## sudo setcap cap_sys_ptrace=eip /usr/bin/wineserver
|
|
|
|
## sudo setcap cap_sys_ptrace=eip /usr/bin/wine-preloader
|
|
|
|
kernel.yama.ptrace_scope=2
|
|
|
|
|
|
|
|
## Prevent setuid processes from creating coredumps.
|
|
|
|
fs.suid_dumpable=0
|
|
|
|
|
2022-07-12 14:28:03 -04:00
|
|
|
## Randomize the addresses for mmap base, heap, stack, and VDSO pages
|
|
|
|
kernel.randomize_va_space=2
|
2020-01-24 04:26:36 -05:00
|
|
|
|
|
|
|
#### meta start
|
|
|
|
#### project Kicksecure
|
|
|
|
#### category networking and security
|
|
|
|
#### description
|
|
|
|
## TCP/IP stack hardening
|
|
|
|
|
|
|
|
## Protects against time-wait assassination.
|
|
|
|
## It drops RST packets for sockets in the time-wait state.
|
|
|
|
net.ipv4.tcp_rfc1337=1
|
|
|
|
|
|
|
|
## Disables ICMP redirect acceptance.
|
|
|
|
net.ipv4.conf.all.accept_redirects=0
|
|
|
|
net.ipv4.conf.default.accept_redirects=0
|
|
|
|
net.ipv4.conf.all.secure_redirects=0
|
|
|
|
net.ipv4.conf.default.secure_redirects=0
|
|
|
|
net.ipv6.conf.all.accept_redirects=0
|
|
|
|
net.ipv6.conf.default.accept_redirects=0
|
|
|
|
|
|
|
|
## Disables ICMP redirect sending.
|
|
|
|
net.ipv4.conf.all.send_redirects=0
|
|
|
|
net.ipv4.conf.default.send_redirects=0
|
|
|
|
|
|
|
|
## Ignores ICMP requests.
|
|
|
|
net.ipv4.icmp_echo_ignore_all=1
|
2022-07-18 10:37:31 -04:00
|
|
|
net.ipv6.icmp.echo_ignore_all=1
|
2020-01-24 04:26:36 -05:00
|
|
|
|
2022-07-12 14:29:42 -04:00
|
|
|
## Ignores bogus ICMP error responses
|
|
|
|
net.ipv4.icmp_ignore_bogus_error_responses=1
|
|
|
|
|
2020-01-24 04:26:36 -05:00
|
|
|
## Enables TCP syncookies.
|
|
|
|
net.ipv4.tcp_syncookies=1
|
|
|
|
|
|
|
|
## Disable source routing.
|
|
|
|
net.ipv4.conf.all.accept_source_route=0
|
|
|
|
net.ipv4.conf.default.accept_source_route=0
|
2020-09-18 18:36:30 -04:00
|
|
|
net.ipv6.conf.all.accept_source_route=0
|
|
|
|
net.ipv6.conf.default.accept_source_route=0
|
2020-01-24 04:26:36 -05:00
|
|
|
|
|
|
|
## Enable reverse path filtering to prevent IP spoofing and
|
|
|
|
## mitigate vulnerabilities such as CVE-2019-14899.
|
|
|
|
## https://forums.whonix.org/t/enable-reverse-path-filtering/8594
|
|
|
|
net.ipv4.conf.default.rp_filter=1
|
|
|
|
net.ipv4.conf.all.rp_filter=1
|
|
|
|
|
|
|
|
#### meta end
|
|
|
|
|
|
|
|
|
2023-03-30 04:17:43 -04:00
|
|
|
## Previously disabled SACK, DSACK, and FACK.
|
2020-01-24 04:26:36 -05:00
|
|
|
## https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109
|
|
|
|
#net.ipv4.tcp_sack=0
|
|
|
|
#net.ipv4.tcp_dsack=0
|
|
|
|
#net.ipv4.tcp_fack=0
|
|
|
|
|
|
|
|
|
|
|
|
#### meta start
|
|
|
|
#### project Kicksecure
|
|
|
|
#### category networking and security
|
|
|
|
#### description
|
|
|
|
## disable IPv4 TCP Timestamps
|
|
|
|
|
|
|
|
net.ipv4.tcp_timestamps=0
|
|
|
|
|
|
|
|
#### meta end
|
2020-02-14 13:17:20 -05:00
|
|
|
|
2020-02-15 05:41:52 -05:00
|
|
|
|
2020-02-14 13:17:20 -05:00
|
|
|
## Only allow the SysRq key to be used for shutdowns and the
|
|
|
|
## Secure Attention Key (SAK).
|
|
|
|
##
|
|
|
|
## https://forums.whonix.org/t/sysrq-magic-sysrq-key/8079/
|
|
|
|
kernel.sysrq=132
|
2020-02-15 05:41:52 -05:00
|
|
|
|
2020-02-15 12:30:21 -05:00
|
|
|
## Restrict loading TTY line disciplines to CAP_SYS_MODULE to prevent
|
2020-02-14 12:50:19 -05:00
|
|
|
## unprivileged attackers from loading vulnerable line disciplines
|
2020-02-15 12:30:21 -05:00
|
|
|
## with the TIOCSETD ioctl which has been used in exploits before
|
|
|
|
## such as https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html
|
|
|
|
##
|
|
|
|
## https://lkml.org/lkml/2019/4/15/890
|
2020-02-14 12:50:19 -05:00
|
|
|
dev.tty.ldisc_autoload=0
|
2020-02-24 13:23:15 -05:00
|
|
|
|
|
|
|
## Restrict the userfaultfd() syscall to root as it can make heap sprays
|
|
|
|
## easier.
|
|
|
|
##
|
|
|
|
## https://duasynt.com/blog/linux-kernel-heap-spray
|
2020-03-08 13:49:49 -04:00
|
|
|
vm.unprivileged_userfaultfd=0
|
2020-04-08 17:04:02 -04:00
|
|
|
|
|
|
|
## Let the kernel only swap if it is absolutely necessary.
|
|
|
|
## Better not be set to zero:
|
|
|
|
## - https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Performance_Tuning_Guide/s-memory-tunables.html
|
|
|
|
## - https://en.wikipedia.org/wiki/Swappiness
|
|
|
|
vm.swappiness=1
|
2020-09-18 18:29:04 -04:00
|
|
|
|
|
|
|
## Disallow kernel profiling by users without CAP_SYS_ADMIN
|
|
|
|
## https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
|
|
|
|
kernel.perf_event_paranoid=3
|
2020-09-18 18:36:30 -04:00
|
|
|
|
|
|
|
# Do not accept router advertisments
|
|
|
|
net.ipv6.conf.all.accept_ra=0
|
|
|
|
net.ipv6.conf.default.accept_ra=0
|