From 5cf9afc21563712b851850e2041141807503807c Mon Sep 17 00:00:00 2001 From: Raja Grewal Date: Sun, 14 Jul 2024 17:05:49 +1000 Subject: [PATCH] Include optional `sysctl`'s in README.md --- README.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 9ed387b..d49d65f 100644 --- a/README.md +++ b/README.md @@ -35,6 +35,9 @@ space, user space, core dumps, and swap space. - Entirely disables the SysRq key so that the Secure Attention Key (SAK) can no longer be utilised. +- Provide option to disable unprivileged user namespaces as they can lead to + privilege escalation. + - Restrict kernel profiling and the performance events system to `CAP_PERFMON`. - Randomise the addresses (ASLR) for mmap base, stack, VDSO pages, and heap. @@ -42,7 +45,8 @@ space, user space, core dumps, and swap space. - Disable asynchronous I/O (when using Linux kernel version >= 6.6). - Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it - enables programs to inspect and modify other active processes. + enables programs to inspect and modify other active processes. Provide option + to also entirely disable the use of `ptrace()` for all processes. - Prevent hardlink and symlink TOCTOU races in world-writable directories. @@ -75,8 +79,14 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6. - Do not accept IPv6 router advertisements and solicitations. +- Provide option to disable SACK and DSACK as they have historically been a + vector for exploitation. + - Disable TCP timestamps as it can allow detecting the system time. +- Provide option to log of packets with impossible source or destination + addresses to enable inspection and further analysis. + ### mmap ASLR - The bits of entropy used for mmap ASLR are maxed out via