diff --git a/usr/lib/sysctl.d/30_silent-kernel-printk.conf b/usr/lib/sysctl.d/30_silent-kernel-printk.conf
index de73876..884a2a6 100644
--- a/usr/lib/sysctl.d/30_silent-kernel-printk.conf
+++ b/usr/lib/sysctl.d/30_silent-kernel-printk.conf
@@ -11,4 +11,4 @@ kernel.printk=3 3 3 3
 ## For Increased Log Verbosity:
 ## Adjust (or comment out) the kernel parameters in /etc/default/grub.d/41_quiet_boot.cfg.
-## Alternatively, installing the debug-misc package will undo these settings.
\ No newline at end of file
+## Alternatively, installing the debug-misc package will undo these settings.
diff --git a/usr/lib/sysctl.d/990-security-misc.conf b/usr/lib/sysctl.d/990-security-misc.conf
index 3cebc76..67af3c3 100644
--- a/usr/lib/sysctl.d/990-security-misc.conf
+++ b/usr/lib/sysctl.d/990-security-misc.conf
@@ -26,7 +26,7 @@
 ## https://wiki.archlinux.org/title/Security#Kernel_hardening
 ## Restrict kernel addresses via /proc and other interfaces regardless of user privileges.
-## Kernel pointers expose specific locations in kernel memory.
+## Kernel pointers expose specific locations in kernel memory.
 ##
 ## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
 ##
@@ -128,10 +128,10 @@ kernel.io_uring_disabled=2
 ##
 ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace
-## Restrict usage of the ptrace() system call to only processes with CAP_SYS_PTRACE.
+## Restrict usage of the ptrace() system call to only processes with CAP_SYS_PTRACE.
 ## Limit ptrace() as it enables programs to inspect and modify other active processes.
 ## Prevents native code debugging which some programs use as a method to detect tampering.
-## May cause breakages in 'anti-cheat' software and programs running under Proton/WINE.
+## May cause breakages in 'anti-cheat' software and programs running under Proton/WINE.
 ##
 ## https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html#ptrace-scope
 ## https://en.wikipedia.org/wiki/Ptrace
@@ -139,7 +139,7 @@ kernel.io_uring_disabled=2
 ## https://github.com/GrapheneOS/os-issue-tracker/issues/651#issuecomment-917599928
 ## https://github.com/netblue30/firejail/issues/2860
 ##
-## It is possible to harden further by disabling ptrace() for all users, see documentation.
+## It is possible to harden further by disabling ptrace() for all users, see documentation.
 ##
 kernel.yama.ptrace_scope=2
@@ -236,7 +236,7 @@ net.ipv4.tcp_syncookies=1
 ## Protect against TCP time-wait assassination hazards.
 ## Drops RST packets for sockets in the time-wait state.
-##
+##
 ## https://tools.ietf.org/html/rfc1337
 ##
 net.ipv4.tcp_rfc1337=1
@@ -282,7 +282,7 @@ net.ipv6.icmp.echo_ignore_all=1
 ##
 net.ipv4.icmp_ignore_bogus_error_responses=1
-## Disable source routing which allows users redirect network traffic.
+## Disable source routing which allows users redirect network traffic.
 ## Prevents man-in-the-middle attacks in which the traffic is redirected.
 ##
 ## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-disable-source-routing
@@ -303,7 +303,7 @@ net.ipv6.conf.default.accept_ra=0
 ## Forward acknowledgements (FACKs) are a legacy option that will (eventually) be deprecated.
 ## Disabling can cause severe connectivity issues on networks with high latency or packet loss.
 ## Enabling on stable high-bandwidth networks can lead to reduced efficiency of TCP connections.
-##
+##
 ## https://datatracker.ietf.org/doc/html/rfc2018
 ## https://datatracker.ietf.org/doc/html/rfc2883
 ## https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
@@ -329,11 +329,11 @@ net.ipv4.tcp_timestamps=0
 ## Recommended to keep a (kernel dmesg) log of these to identify these suspicious packets.
 ## Good for troubleshooting and diagnostics but not necessary by default.
 ## Known for causing performance issues especially on systems with multiple interfaces.
-##
+##
 ## https://wiki.archlinux.org/title/Sysctl#Log_martian_packets
 ## https://github.com/Kicksecure/security-misc/issues/214
 ##
-## The logging of martian packets is currently disabled.
+## The logging of martian packets is currently disabled.
 ##
 #net.ipv4.conf.all.log_martians=1
 #net.ipv4.conf.default.log_martians=1