Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-06-20 08:34:09 -04:00
Code Issues Projects Releases Packages Wiki Activity

shuffle

Browse source
This commit is contained in:
Patrick Schleizer 2023-12-04 10:36:21 -05:00
parent 82bd9138de
commit 2634dbff2b
No known key found for this signature in database
GPG key ID: CB8D50BB77BB3C48
1 changed files with 14 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

28
usr/lib/sysctl.d/990-security-misc.conf
View file

@ -7,20 +7,18 @@
## afterwards. See also: ## afterwards. See also:
## https://github.com/Kicksecure/security-misc/pull/135 ## https://github.com/Kicksecure/security-misc/pull/135
## Restricts the kernel log to root only.
kernel.dmesg_restrict=1
## Disables coredumps. This setting may be overwritten by systemd so this may not be useful. ## Disables coredumps. This setting may be overwritten by systemd so this may not be useful.
## security-misc also disables coredumps in other ways. ## security-misc also disables coredumps in other ways.
kernel.core_pattern=|/bin/false kernel.core_pattern=|/bin/false
## Restricts the kernel log to root only.
kernel.dmesg_restrict=1
## Does not set coredump name to 'core' which is default. Defense in depth. ## Does not set coredump name to 'core' which is default. Defense in depth.
kernel.core_uses_pid=1 kernel.core_uses_pid=1
## A martian packet is a one with a source address which is blatantly wrong ## Prevent setuid processes from creating coredumps.
## Recommended to keep a log of these to identify these suspicious packets fs.suid_dumpable=0
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1
## Don't allow writes to files that we don't own ## Don't allow writes to files that we don't own
## in world writable sticky directories, unless ## in world writable sticky directories, unless
@ -40,10 +38,6 @@ fs.protected_regular=2
fs.protected_symlinks=1 fs.protected_symlinks=1
fs.protected_hardlinks=1 fs.protected_hardlinks=1
## Hardens the BPF JIT compiler and restricts it to root.
kernel.unprivileged_bpf_disabled=1
net.core.bpf_jit_harden=2
## Hides kernel addresses in various files in /proc. ## Hides kernel addresses in various files in /proc.
## Kernel addresses can be very useful in certain exploits. ## Kernel addresses can be very useful in certain exploits.
## ##
@ -66,18 +60,24 @@ kernel.kptr_restrict=2
## sudo setcap cap_sys_ptrace=eip /usr/bin/wine-preloader ## sudo setcap cap_sys_ptrace=eip /usr/bin/wine-preloader
kernel.yama.ptrace_scope=2 kernel.yama.ptrace_scope=2
## Prevent setuid processes from creating coredumps.
fs.suid_dumpable=0
## Randomize the addresses for mmap base, heap, stack, and VDSO pages ## Randomize the addresses for mmap base, heap, stack, and VDSO pages
kernel.randomize_va_space=2 kernel.randomize_va_space=2
## Hardens the BPF JIT compiler and restricts it to root.
kernel.unprivileged_bpf_disabled=1
net.core.bpf_jit_harden=2
#### meta start #### meta start
#### project Kicksecure #### project Kicksecure
#### category networking and security #### category networking and security
#### description #### description
## TCP/IP stack hardening ## TCP/IP stack hardening
## A martian packet is a one with a source address which is blatantly wrong
## Recommended to keep a log of these to identify these suspicious packets
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1
## Protects against time-wait assassination. ## Protects against time-wait assassination.
## It drops RST packets for sockets in the time-wait state. ## It drops RST packets for sockets in the time-wait state.
net.ipv4.tcp_rfc1337=1 net.ipv4.tcp_rfc1337=1