This commit is contained in:
Patrick Schleizer 2020-01-24 11:55:38 -05:00
parent f4c54881ac
commit 07dcb32fc2
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48

View File

@ -19,7 +19,7 @@ the kernel. (!) Hence, this package disables this feature by shipping the
very useful for kernel exploits.
* Kexec is disabled as it can be used to load a malicious kernel.
/etc/sysctl.d/security-misc.conf
/etc/sysctl.d/30_security-misc.conf
* ASLR effectiveness for mmap is increased.
@ -33,7 +33,7 @@ mitigate vulnerabilities such as CVE-2019-14899.
* Some data spoofing attacks are made harder.
* SACK can be disabled as it is commonly exploited and is rarely used by
uncommenting settings in file /etc/sysctl.d/security-misc.conf.
uncommenting settings in file /etc/sysctl.d/30_security-misc.conf.
* Slab merging is disabled as sometimes a slab can be used in a vulnerable
way which an attacker can exploit.
@ -62,7 +62,7 @@ that could be useful to an attacker.
* Coredumps are disabled as they may contain important information such as
encryption keys or passwords.
/etc/security/limits.d/30_security-misc.conf
/etc/sysctl.d/security-misc.conf
/etc/sysctl.d/30_security-misc.conf
/lib/systemd/coredump.conf.d/30_security-misc.conf
* The thunderbolt and firewire kernel modules are blacklisted as they can be
@ -268,7 +268,7 @@ also allow one to look for clocks that match an expected value to find the
public IP used by a user.
Hence, this package disables this feature by shipping the
/etc/sysctl.d/security-misc.conf configuration file.
/etc/sysctl.d/30_security-misc.conf configuration file.
Note that TCP time stamps normally have some usefulness. They are
needed for: