Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2024-10-01 08:25:45 -04:00
Code Issues Packages Projects Releases Wiki Activity

README.md: Organise sysctls

Browse Source
This commit is contained in:
Raja Grewal 2024-08-21 12:51:51 +10:00 committed by Patrick Schleizer
parent af87a84b4f
commit 433b15f985
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48
1 changed files with 14 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
README.md
View File

@ -11,10 +11,9 @@ implements all recommended Linux kernel settings by the KSPP and many more.
### sysctl
sysctl settings are configured via the `/usr/lib/sysctl.d/990-security-misc.conf`
configuration file.
configuration file and significant hardening is applied to a myriad of components.
Significant hardening is applied by default to a myriad of components within kernel
space, user space, core dumps, and swap space.
Kernel space:
- Restrict access to kernel addresses through the use of kernel pointers regardless
of user privileges.
@ -50,6 +49,8 @@ space, user space, core dumps, and swap space.
- Disable asynchronous I/O (when using Linux kernel >= 6.6) as `io_uring` has been
the source of numerous kernel exploits.
User space:
- Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it
enables programs to inspect and modify other active processes. Optional - Disable
usage of `ptrace()` by all processes.
@ -68,12 +69,14 @@ space, user space, core dumps, and swap space.
- Disallow registering interpreters for various (miscellaneous) binary formats based
on a magic number or their file extension to prevent unintended code execution.
Core dumps:
- Disable core dump files and prevent their creation. If core dump files are
enabled, they will be named based on `core.PID` instead of the default `core`.
- Limit the copying of potentially sensitive content in memory to the swap device.
Various networking components of the TCP/IP stack are hardened for IPv4/6.
Networking:
- Enable TCP SYN cookie protection to assist against SYN flood attacks.
@ -104,13 +107,6 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6.
- Optional - Enable IPv6 Privacy Extensions.
### mmap ASLR
- The bits of entropy used for mmap ASLR are maxed out via
`/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of
`CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX`
that the kernel was built with), therefore improving its effectiveness.
### Boot parameters
Mitigations for known CPU vulnerabilities are enabled in their strictest form
@ -186,6 +182,13 @@ Networking:
- Optional - Disable the entire IPv6 stack to reduce attack surface.
### mmap ASLR
- The bits of entropy used for mmap ASLR are maxed out via
`/usr/libexec/security-misc/mmap-rnd-bits` (set to the values of
`CONFIG_ARCH_MMAP_RND_BITS_MAX` and `CONFIG_ARCH_MMAP_RND_COMPAT_BITS_MAX`
that the kernel was built with), therefore improving its effectiveness.
### Kernel Modules
#### Kernel Module Signature Verification