mirror of
https://github.com/Kicksecure/security-misc.git
synced 2024-10-01 08:25:45 -04:00
commit
5177444d62
11
etc/default/grub.d/40_kernel_hardening.cfg
Normal file
11
etc/default/grub.d/40_kernel_hardening.cfg
Normal file
@ -0,0 +1,11 @@
|
||||
# Disables the merging of slabs of similar sizes. Sometimes a slab can be used in a vulnerable way which an attacker can exploit.
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_nomerge"
|
||||
|
||||
# Enables sanity checks (F), redzoning (Z) and poisoning (P).
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX slab_debug=FZP"
|
||||
|
||||
# Wipes free memory so it can't leak in various ways and prevents some use-after-free vulnerabilites.
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX page_poison=1"
|
||||
|
||||
# Makes the kernel panic on uncorrectable errors in ECC memory that an attacker could exploit.
|
||||
GRUB_CMDLINE_LINUX="$GRUB_CMDLINE_LINUX mce=0"
|
3
etc/sysctl.d/harden_bpf.conf
Normal file
3
etc/sysctl.d/harden_bpf.conf
Normal file
@ -0,0 +1,3 @@
|
||||
# Hardens the BPF JIT compiler and restricts it to root.
|
||||
kernel.unprivileged_bpf_disabled=1
|
||||
net.core.bpf_jit_harden=2
|
2
etc/sysctl.d/kptr_restrict.conf
Normal file
2
etc/sysctl.d/kptr_restrict.conf
Normal file
@ -0,0 +1,2 @@
|
||||
# Hides kernel symbols in /proc/kallsyms
|
||||
kernel.kptr_restrict=2
|
3
etc/sysctl.d/mmap_aslr.conf
Normal file
3
etc/sysctl.d/mmap_aslr.conf
Normal file
@ -0,0 +1,3 @@
|
||||
# Improves KASLR effectiveness for mmap.
|
||||
vm.mmap_rnd_bits=32
|
||||
vm.mmap_rnd_compat_bits=16
|
Loading…
Reference in New Issue
Block a user