Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-01-01 06:36:14 -05:00
Code Issues Packages Projects Releases Wiki Activity

Update README.md relating to sysctl's

Browse Source
This commit is contained in:
Raja Grewal 2024-07-17 21:56:40 +10:00
parent 39fd125eb0
commit 25fd532ce6
No known key found for this signature in database
GPG Key ID: 92CA473C156B64C4
1 changed files with 16 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
README.md
View File

@ -36,8 +36,8 @@ space, user space, core dumps, and swap space.
- Entirely disables the SysRq key so that the Secure Attention Key (SAK) - Entirely disables the SysRq key so that the Secure Attention Key (SAK)
can no longer be utilised. See [documentation](https://www.kicksecure.com/wiki/SysRq). can no longer be utilised. See [documentation](https://www.kicksecure.com/wiki/SysRq).
- Provide option to disable unprivileged user namespaces as they can lead to - Provide the option to disable unprivileged user namespaces as they can lead to
privilege escalation. substantial privilege escalation.
- Restrict kernel profiling and the performance events system to `CAP_PERFMON`. - Restrict kernel profiling and the performance events system to `CAP_PERFMON`.
@ -46,8 +46,8 @@ space, user space, core dumps, and swap space.
- Disable asynchronous I/O (when using Linux kernel version >= 6.6). - Disable asynchronous I/O (when using Linux kernel version >= 6.6).
- Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it - Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it
enables programs to inspect and modify other active processes. Provide option enables programs to inspect and modify other active processes. Provide the
to also entirely disable the use of `ptrace()` for all processes. option to also entirely disable the use of `ptrace()` for all processes.
- Prevent hardlink and symlink TOCTOU races in world-writable directories. - Prevent hardlink and symlink TOCTOU races in world-writable directories.
@ -82,13 +82,15 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6.
- Do not accept IPv6 router advertisements and solicitations. - Do not accept IPv6 router advertisements and solicitations.
- Provide option to disable SACK and DSACK as they have historically been a - Provide the option to disable SACK and DSACK as they have historically been
vector for exploitation. a known vector for exploitation.
- Disable TCP timestamps as it can allow detecting the system time. - Disable TCP timestamps as it can allow detecting the system time.
- Provide option to log of packets with impossible source or destination - Provide the option to log of packets with impossible source or destination
addresses to enable inspection and further analysis. addresses to enable further inspection and analysis.
- Provide the option to enable IPv6 Privacy Extensions.
### mmap ASLR ### mmap ASLR
@ -225,6 +227,12 @@ rather it is a form of badness enumeration.
## Network hardening ## Network hardening
Not yet due to issues:
- https://github.com/Kicksecure/security-misc/pull/145
- https://github.com/Kicksecure/security-misc/issues/184
- Unlike version 4, IPv6 addresses can provide information not only about the - Unlike version 4, IPv6 addresses can provide information not only about the
originating network, but also the originating device. We prevent this from originating network, but also the originating device. We prevent this from
happening by enabling the respective privacy extensions for IPv6. happening by enabling the respective privacy extensions for IPv6.