This commit is contained in:
Patrick Schleizer 2023-12-04 10:36:21 -05:00
parent 82bd9138de
commit 2634dbff2b
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48


@ -7,20 +7,18 @@
## afterwards. See also:
## https://github.com/Kicksecure/security-misc/pull/135
## Restricts the kernel log to root only.
kernel.dmesg_restrict=1
## Disables coredumps. This setting may be overwritten by systemd so this may not be useful.
## security-misc also disables coredumps in other ways.
kernel.core_pattern=|/bin/false
## Restricts the kernel log to root only.
kernel.dmesg_restrict=1
## Does not set coredump name to 'core' which is default. Defense in depth.
kernel.core_uses_pid=1
## A martian packet is a one with a source address which is blatantly wrong
## Recommended to keep a log of these to identify these suspicious packets
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1
## Prevent setuid processes from creating coredumps.
fs.suid_dumpable=0
## Don't allow writes to files that we don't own
## in world writable sticky directories, unless
@ -40,10 +38,6 @@ fs.protected_regular=2
fs.protected_symlinks=1
fs.protected_hardlinks=1
## Hardens the BPF JIT compiler and restricts it to root.
kernel.unprivileged_bpf_disabled=1
net.core.bpf_jit_harden=2
## Hides kernel addresses in various files in /proc.
## Kernel addresses can be very useful in certain exploits.
##
@ -66,18 +60,24 @@ kernel.kptr_restrict=2
## sudo setcap cap_sys_ptrace=eip /usr/bin/wine-preloader
kernel.yama.ptrace_scope=2
## Prevent setuid processes from creating coredumps.
fs.suid_dumpable=0
## Randomize the addresses for mmap base, heap, stack, and VDSO pages
kernel.randomize_va_space=2
## Hardens the BPF JIT compiler and restricts it to root.
kernel.unprivileged_bpf_disabled=1
net.core.bpf_jit_harden=2
#### meta start
#### project Kicksecure
#### category networking and security
#### description
## TCP/IP stack hardening
## A martian packet is a one with a source address which is blatantly wrong
## Recommended to keep a log of these to identify these suspicious packets
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1
## Protects against time-wait assassination.
## It drops RST packets for sockets in the time-wait state.
net.ipv4.tcp_rfc1337=1