Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-01-04 00:00:51 -05:00
Code Issues Packages Projects Releases Wiki Activity

Include optional sysctl's in README.md

Browse Source
This commit is contained in:
Raja Grewal 2024-07-14 17:05:49 +10:00
parent 2b9e174c9d
commit 5cf9afc215
No known key found for this signature in database
GPG Key ID: 92CA473C156B64C4
1 changed files with 11 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
README.md
View File

@ -35,6 +35,9 @@ space, user space, core dumps, and swap space.
- Entirely disables the SysRq key so that the Secure Attention Key (SAK) - Entirely disables the SysRq key so that the Secure Attention Key (SAK)
can no longer be utilised. can no longer be utilised.
- Provide option to disable unprivileged user namespaces as they can lead to
privilege escalation.
- Restrict kernel profiling and the performance events system to `CAP_PERFMON`. - Restrict kernel profiling and the performance events system to `CAP_PERFMON`.
- Randomise the addresses (ASLR) for mmap base, stack, VDSO pages, and heap. - Randomise the addresses (ASLR) for mmap base, stack, VDSO pages, and heap.
@ -42,7 +45,8 @@ space, user space, core dumps, and swap space.
- Disable asynchronous I/O (when using Linux kernel version >= 6.6). - Disable asynchronous I/O (when using Linux kernel version >= 6.6).
- Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it - Restrict usage of `ptrace()` to only processes with `CAP_SYS_PTRACE` as it
enables programs to inspect and modify other active processes. enables programs to inspect and modify other active processes. Provide option
to also entirely disable the use of `ptrace()` for all processes.
- Prevent hardlink and symlink TOCTOU races in world-writable directories. - Prevent hardlink and symlink TOCTOU races in world-writable directories.
@ -75,8 +79,14 @@ Various networking components of the TCP/IP stack are hardened for IPv4/6.
- Do not accept IPv6 router advertisements and solicitations. - Do not accept IPv6 router advertisements and solicitations.
- Provide option to disable SACK and DSACK as they have historically been a
vector for exploitation.
- Disable TCP timestamps as it can allow detecting the system time. - Disable TCP timestamps as it can allow detecting the system time.
- Provide option to log of packets with impossible source or destination
addresses to enable inspection and further analysis.
### mmap ASLR ### mmap ASLR
- The bits of entropy used for mmap ASLR are maxed out via - The bits of entropy used for mmap ASLR are maxed out via