From 60c044a9d669dd816ff473f19e19b87f87cc9008 Mon Sep 17 00:00:00 2001
From: Patrick Schleizer
Date: Mon, 7 Oct 2019 05:30:56 +0000
Subject: [PATCH] copyright / comments
---
 etc/sysctl.d/coredumps.conf | 7 +++++--
 etc/sysctl.d/dmesg_restrict.conf | 5 ++++-
 etc/sysctl.d/fs_protected.conf | 5 ++++-
 etc/sysctl.d/harden_bpf.conf | 5 ++++-
 etc/sysctl.d/kexec.conf | 3 +++
 etc/sysctl.d/kptr_restrict.conf | 5 ++++-
 etc/sysctl.d/mmap_aslr.conf | 5 ++++-
 etc/sysctl.d/ptrace_scope.conf | 15 +++++++++------
 etc/sysctl.d/suid_dumpable.conf | 5 ++++-
 etc/sysctl.d/tcp_hardening.conf | 23 ++++++++++++++++-------
 etc/sysctl.d/tcp_sack.conf | 3 +++
 etc/sysctl.d/tcp_timestamps.conf | 10 ++++++++++
 12 files changed, 70 insertions(+), 21 deletions(-)
diff --git a/etc/sysctl.d/coredumps.conf b/etc/sysctl.d/coredumps.conf
index 9ac4548..79c2922 100644
--- a/etc/sysctl.d/coredumps.conf
+++ b/etc/sysctl.d/coredumps.conf
@@ -1,3 +1,6 @@
-# Disables coredumps. This setting may be overwritten by systemd so this may not be useful.
-# security-misc also disables coredumps in other ways.
+## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Disables coredumps. This setting may be overwritten by systemd so this may not be useful.
+## security-misc also disables coredumps in other ways.
 kernel.core_pattern=|/bin/false
diff --git a/etc/sysctl.d/dmesg_restrict.conf b/etc/sysctl.d/dmesg_restrict.conf
index 789769d..0883bd3 100644
--- a/etc/sysctl.d/dmesg_restrict.conf
+++ b/etc/sysctl.d/dmesg_restrict.conf
@@ -1,2 +1,5 @@
-# Restricts the kernel log to root only.
+## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Restricts the kernel log to root only.
 kernel.dmesg_restrict=1
diff --git a/etc/sysctl.d/fs_protected.conf b/etc/sysctl.d/fs_protected.conf
index 4e4117b..19c3920 100644
--- a/etc/sysctl.d/fs_protected.conf
+++ b/etc/sysctl.d/fs_protected.conf
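Review bot: The comment reproduced on the new side of coredumps.conf says the setting "may be overwritten by systemd" but not why, so the next maintainer cannot judge whether `kernel.core_pattern=|/bin/false` is ever in effect. The likely cause is ordering: systemd ships `/usr/lib/sysctl.d/50-coredump.conf` setting the same key, and whether `coredumps.conf` or that file is applied last depends on which applier runs (systemd-sysctl sorts all files by name globally, procps' `sysctl --system` walks directories in a fixed order) — please confirm on the target distribution. A fix that works under both rules is to ship this file as `/etc/sysctl.d/50-coredump.conf`, since a same-named file in /etc masks the vendor copy; failing that, document the conflict explicitly, e.g. `## systemd's 50-coredump.conf sets kernel.core_pattern too; which file wins depends on sysctl.d ordering.`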
@@ -1,3 +1,6 @@
-# Makes some data spoofing attacks harder.
+## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Makes some data spoofing attacks harder.
 fs.protected_fifos=2
 fs.protected_regular=2
diff --git a/etc/sysctl.d/harden_bpf.conf b/etc/sysctl.d/harden_bpf.conf
index a039bfd..e1c84b4 100644
--- a/etc/sysctl.d/harden_bpf.conf
+++ b/etc/sysctl.d/harden_bpf.conf
@@ -1,3 +1,6 @@
-# Hardens the BPF JIT compiler and restricts it to root.
+## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Hardens the BPF JIT compiler and restricts it to root.
 kernel.unprivileged_bpf_disabled=1
 net.core.bpf_jit_harden=2
diff --git a/etc/sysctl.d/kexec.conf b/etc/sysctl.d/kexec.conf
index a863ab5..6fc9689 100644
--- a/etc/sysctl.d/kexec.conf
+++ b/etc/sysctl.d/kexec.conf
@@ -1,3 +1,6 @@
+## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
 ## Quote https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html
 ##
 ## kexec_load_disabled:
diff --git a/etc/sysctl.d/kptr_restrict.conf b/etc/sysctl.d/kptr_restrict.conf
index f1bbc0e..a363063 100644
--- a/etc/sysctl.d/kptr_restrict.conf
+++ b/etc/sysctl.d/kptr_restrict.conf
@@ -1,2 +1,5 @@
-# Hides kernel symbols in /proc/kallsyms
+## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Hides kernel symbols in /proc/kallsyms
 kernel.kptr_restrict=2
diff --git a/etc/sysctl.d/mmap_aslr.conf b/etc/sysctl.d/mmap_aslr.conf
index 4bcdbeb..8275391 100644
--- a/etc/sysctl.d/mmap_aslr.conf
+++ b/etc/sysctl.d/mmap_aslr.conf
@@ -1,3 +1,6 @@
-# Improves KASLR effectiveness for mmap.
+## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Improves KASLR effectiveness for mmap.
 vm.mmap_rnd_bits=32
 vm.mmap_rnd_compat_bits=16
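Review bot: The comment `## Makes some data spoofing attacks harder.` kept on the new side of fs_protected.conf does not say what the two keys restrict, so an operator debugging a failing application cannot recognise these controls as the cause. A concrete line would be `## Refuse O_CREAT opens of FIFOs (protected_fifos) and regular files (protected_regular) in world-writable sticky directories when the file is owned by someone else; value 2 extends this to group-writable sticky directories.` These keys exist only from Linux 4.19, so the comment could also note that sysctl reports an error on older kernels. I cannot see from this hunk whether `fs.protected_symlinks` and `fs.protected_hardlinks` are enforced by another file in the package; if not, they belong alongside these two.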
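Review bot: The comment `## Hardens the BPF JIT compiler and restricts it to root.` on the new side of harden_bpf.conf understates `kernel.unprivileged_bpf_disabled=1`: it blocks the bpf() syscall for any caller without CAP_SYS_ADMIN, not just JIT use, and once written to 1 it cannot be set back to 0 without a reboot. That one-way behaviour is worth stating so nobody expects to toggle it at runtime for debugging. Suggested wording: `## unprivileged_bpf_disabled=1 blocks bpf() for callers without CAP_SYS_ADMIN and is irreversible until reboot; bpf_jit_harden=2 enables JIT constant blinding for all users, privileged ones included, at some performance cost.`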
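Review bot: `## Hides kernel symbols in /proc/kallsyms` on the new side of kptr_restrict.conf describes value 1; the file sets value 2, which replaces every %pK-formatted kernel pointer with zeros for all readers, root included, and that covers more than kallsyms (for example /proc/modules and some kernel log lines). Operators who expect root to still resolve addresses for crash triage should be told. Suggested wording: `## kptr_restrict=2: kernel pointers printed via %pK (e.g. /proc/kallsyms, /proc/modules) are shown as zeros for all users, including root.`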
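Review bot: The comment `## Improves KASLR effectiveness for mmap.` kept on the new side of mmap_aslr.conf mislabels the feature: `vm.mmap_rnd_bits` and `vm.mmap_rnd_compat_bits` raise the entropy of user-space mmap base randomisation (ASLR), and have nothing to do with kernel address space randomisation (KASLR). Suggested wording: `## Raise user-space mmap ASLR entropy to the architecture maximum (32 bits for 64-bit processes, 16 for 32-bit compat processes on x86_64).` The valid range is architecture-specific, so on a kernel whose maximum is below 32 the write is rejected and the default stays in force; if this package is built for anything other than x86_64, that caveat belongs in the comment too.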
diff --git a/etc/sysctl.d/ptrace_scope.conf b/etc/sysctl.d/ptrace_scope.conf
index f0bc04d..b48ad18 100644
--- a/etc/sysctl.d/ptrace_scope.conf
+++ b/etc/sysctl.d/ptrace_scope.conf
@@ -1,7 +1,10 @@
-# Restricts the use of ptrace to root. This might break some programs running under WINE.
-# A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. This can be done by running:
-#
-# sudo apt-get install libcap2-bin
-# sudo setcap cap_sys_ptrace=eip /usr/bin/wineserver
-# sudo setcap cap_sys_ptrace=eip /usr/bin/wine-preloader
+## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Restricts the use of ptrace to root. This might break some programs running under WINE.
+## A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. This can be done by running:
+##
+## sudo apt-get install libcap2-bin
+## sudo setcap cap_sys_ptrace=eip /usr/bin/wineserver
+## sudo setcap cap_sys_ptrace=eip /usr/bin/wine-preloader
 kernel.yama.ptrace_scope=2
diff --git a/etc/sysctl.d/suid_dumpable.conf b/etc/sysctl.d/suid_dumpable.conf
index 1ed3b79..54f19b6 100644
--- a/etc/sysctl.d/suid_dumpable.conf
+++ b/etc/sysctl.d/suid_dumpable.conf
@@ -1,2 +1,5 @@
-# Prevent setuid processes from creating coredumps.
+## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+## Prevent setuid processes from creating coredumps.
 fs.suid_dumpable=0
diff --git a/etc/sysctl.d/tcp_hardening.conf b/etc/sysctl.d/tcp_hardening.conf
index e192a8b..1376f18 100644
--- a/etc/sysctl.d/tcp_hardening.conf
+++ b/etc/sysctl.d/tcp_hardening.conf
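Review bot: The WINE workaround reproduced on the new side of ptrace_scope.conf (`setcap cap_sys_ptrace=eip` on wineserver and wine-preloader) needs a warning, because a file capability is not scoped to the user's own processes: a binary carrying CAP_SYS_PTRACE satisfies both the Yama scope-2 check and the kernel's uid check, so on default settings it can attach to any dumpable process, including those of other users and root, which largely undoes this hardening for anyone able to make those binaries run attacker-controlled code. Suggested addition: `## Warning: setcap grants CAP_SYS_PTRACE to every run of the binary and lets it attach to any dumpable process, not only the user's own; prefer running WINE without this workaround.` The first comment line could also say that value 2 admits holders of CAP_SYS_PTRACE rather than literally "root".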
@@ -1,9 +1,16 @@
-## TCP/IP stack hardening
+## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
 
-# Protects against time-wait assassination. It drops RST packets for sockets in the time-wait state.
+#### meta start
+#### project Whonix
+#### category networking and security
+#### description TCP/IP stack hardening
+
+## Protects against time-wait assassination.
+## It drops RST packets for sockets in the time-wait state.
 net.ipv4.tcp_rfc1337=1
 
-# Disables ICMP redirect acceptance.
+## Disables ICMP redirect acceptance.
 net.ipv4.conf.all.accept_redirects=0
 net.ipv4.conf.default.accept_redirects=0
 net.ipv4.conf.all.secure_redirects=0
@@ -11,16 +18,18 @@ net.ipv4.conf.default.secure_redirects=0
 net.ipv6.conf.all.accept_redirects=0
 net.ipv6.conf.default.accept_redirects=0
 
-# Disables ICMP redirect sending.
+## Disables ICMP redirect sending.
 net.ipv4.conf.all.send_redirects=0
 net.ipv4.conf.default.send_redirects=0
 
-# Ignores ICMP requests.
+## Ignores ICMP requests.
 net.ipv4.icmp_echo_ignore_all=1
 
-# Enables TCP syncookies.
+## Enables TCP syncookies.
 net.ipv4.tcp_syncookies=1
 
-# Disable source routing.
+## Disable source routing.
 net.ipv4.conf.all.accept_source_route=0
 net.ipv4.conf.default.accept_source_route=0
+
+#### meta end
diff --git a/etc/sysctl.d/tcp_sack.conf b/etc/sysctl.d/tcp_sack.conf
index 970d56d..4bd07eb 100644
--- a/etc/sysctl.d/tcp_sack.conf
+++ b/etc/sysctl.d/tcp_sack.conf
@@ -1,3 +1,6 @@
+## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
 ## Disables SACK as it is commonly exploited and likely not needed.
 ## https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109
 #net.ipv4.tcp_sack=0
diff --git a/etc/sysctl.d/tcp_timestamps.conf b/etc/sysctl.d/tcp_timestamps.conf
index f47b8d3..98ba7e9 100644
--- a/etc/sysctl.d/tcp_timestamps.conf
+++ b/etc/sysctl.d/tcp_timestamps.conf
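Review bot: `## Ignores ICMP requests.` on the new side of the second tcp_hardening.conf hunk claims more than `net.ipv4.icmp_echo_ignore_all=1` delivers: it drops only ICMP echo requests (ping), and only for IPv4; other ICMP types and ICMPv6 echo are still answered. Suggested wording: `## Ignore ICMPv4 echo requests (ping); other ICMP types and ICMPv6 echo are unaffected.` The source-routing block at the end of the hunk also covers only the IPv4 keys, whereas the redirect block above it handles both families; if IPv6 source routing is meant to be rejected too, the IPv6 `accept_source_route` keys need lines of their own (note their value scale differs from the IPv4 ones, see ip-sysctl). Whether `rp_filter` is set elsewhere in the package is not visible from this hunk.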
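Review bot: After this change the only effective content of tcp_sack.conf is comments, because the setting line stays commented out (`#net.ipv4.tcp_sack=0`), yet the header `## Disables SACK as it is commonly exploited and likely not needed.` reads as though SACK is disabled. If leaving SACK enabled is the decision reached in the linked thread, say so, e.g. `## SACK is intentionally left enabled (see linked discussion); uncomment the line below to disable it.` Otherwise an auditor reading the package will credit it with a control that is not in force.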
@@ -1 +1,11 @@
+## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP
+## See the file COPYING for copying conditions.
+
+#### meta start
+#### project Whonix
+#### category networking and security
+#### description disable IPv4 TCP Timestamps
+
 net.ipv4.tcp_timestamps=0
+
+#### meta end
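Review bot: The new meta line `#### description disable IPv4 TCP Timestamps` in tcp_timestamps.conf is narrower than the effect of `net.ipv4.tcp_timestamps=0`: the net.ipv4.tcp_* sysctls configure the shared TCP implementation, so timestamps are disabled for IPv6 connections as well. Suggested wording: `#### description disable TCP Timestamps (IPv4 and IPv6)`. The file also records no trade-off, although turning timestamps off removes PAWS protection against wrapped sequence numbers on fast paths and the per-segment RTT measurement; a line such as `## Disabling timestamps also disables PAWS and RTTM; accepted here presumably to avoid uptime/clock fingerprinting — confirm the rationale.` would let a future maintainer weigh re-enabling it.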