copyright / comments

etc/sysctl.d/coredumps.conf

@@ -1,3 +1,6 @@
-# Disables coredumps. This setting may be overwritten by systemd so this may not be useful.
-# security-misc also disables coredumps in other ways.
+## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+## Disables coredumps. This setting may be overwritten by systemd so this may not be useful.
+## security-misc also disables coredumps in other ways.
 kernel.core_pattern=|/bin/false

etc/sysctl.d/dmesg_restrict.conf

@@ -1,2 +1,5 @@
-# Restricts the kernel log to root only.
+## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+## Restricts the kernel log to root only.
 kernel.dmesg_restrict=1

etc/sysctl.d/fs_protected.conf

@@ -1,3 +1,6 @@
-# Makes some data spoofing attacks harder.
+## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+## Makes some data spoofing attacks harder.
 fs.protected_fifos=2
 fs.protected_regular=2

etc/sysctl.d/harden_bpf.conf

@@ -1,3 +1,6 @@
-# Hardens the BPF JIT compiler and restricts it to root.
+## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+## Hardens the BPF JIT compiler and restricts it to root.
 kernel.unprivileged_bpf_disabled=1
 net.core.bpf_jit_harden=2

etc/sysctl.d/kexec.conf

@@ -1,3 +1,6 @@
+## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
 ## Quote https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html
 ##
 ## kexec_load_disabled:

etc/sysctl.d/kptr_restrict.conf

@@ -1,2 +1,5 @@
-# Hides kernel symbols in /proc/kallsyms
+## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+## Hides kernel symbols in /proc/kallsyms
 kernel.kptr_restrict=2

etc/sysctl.d/mmap_aslr.conf

@@ -1,3 +1,6 @@
-# Improves KASLR effectiveness for mmap.
+## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+## Improves KASLR effectiveness for mmap.
 vm.mmap_rnd_bits=32
 vm.mmap_rnd_compat_bits=16

etc/sysctl.d/ptrace_scope.conf

@@ -1,7 +1,10 @@
-# Restricts the use of ptrace to root. This might break some programs running under WINE.
-# A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. This can be done by running:
-#
-# sudo apt-get install libcap2-bin 
-# sudo setcap cap_sys_ptrace=eip /usr/bin/wineserver
-# sudo setcap cap_sys_ptrace=eip /usr/bin/wine-preloader
+## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+## Restricts the use of ptrace to root. This might break some programs running under WINE.
+## A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. This can be done by running:
+##
+## sudo apt-get install libcap2-bin
+## sudo setcap cap_sys_ptrace=eip /usr/bin/wineserver
+## sudo setcap cap_sys_ptrace=eip /usr/bin/wine-preloader
 kernel.yama.ptrace_scope=2

etc/sysctl.d/suid_dumpable.conf

@@ -1,2 +1,5 @@
-# Prevent setuid processes from creating coredumps.
+## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+## Prevent setuid processes from creating coredumps.
 fs.suid_dumpable=0

etc/sysctl.d/tcp_hardening.conf

@@ -1,9 +1,16 @@
-## TCP/IP stack hardening 
+## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
 
-# Protects against time-wait assassination. It drops RST packets for sockets in the time-wait state.
+#### meta start
+#### project Whonix
+#### category networking and security
+#### description TCP/IP stack hardening
+
+## Protects against time-wait assassination.
+## It drops RST packets for sockets in the time-wait state.
 net.ipv4.tcp_rfc1337=1
 
-# Disables ICMP redirect acceptance.
+## Disables ICMP redirect acceptance.
 net.ipv4.conf.all.accept_redirects=0
 net.ipv4.conf.default.accept_redirects=0
 net.ipv4.conf.all.secure_redirects=0
@@ -11,16 +18,18 @@ net.ipv4.conf.default.secure_redirects=0
 net.ipv6.conf.all.accept_redirects=0
 net.ipv6.conf.default.accept_redirects=0
 
-# Disables ICMP redirect sending.
+## Disables ICMP redirect sending.
 net.ipv4.conf.all.send_redirects=0
 net.ipv4.conf.default.send_redirects=0
 
-# Ignores ICMP requests.
+## Ignores ICMP requests.
 net.ipv4.icmp_echo_ignore_all=1
 
-# Enables TCP syncookies.
+## Enables TCP syncookies.
 net.ipv4.tcp_syncookies=1
 
-# Disable source routing.
+## Disable source routing.
 net.ipv4.conf.all.accept_source_route=0
 net.ipv4.conf.default.accept_source_route=0
+
+#### meta end

etc/sysctl.d/tcp_sack.conf

@@ -1,3 +1,6 @@
+## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
 ## Disables SACK as it is commonly exploited and likely not needed.
 ## https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109
 #net.ipv4.tcp_sack=0

etc/sysctl.d/tcp_timestamps.conf

@@ -1 +1,11 @@
+## Copyright (C) 2019 - 2019 ENCRYPTED SUPPORT LP <adrelanos@riseup.net>
+## See the file COPYING for copying conditions.
+
+#### meta start
+#### project Whonix
+#### category networking and security
+#### description disable IPv4 TCP Timestamps
+
 net.ipv4.tcp_timestamps=0
+
+#### meta end