Merge pull request #6 from madaidan/patch-2

Even more kernel hardening
This commit is contained in:
Patrick Schleizer 2019-05-16 19:52:52 +00:00 committed by GitHub
commit 7d7b899dd1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 31 additions and 0 deletions

View File

@ -0,0 +1,3 @@
# Makes some data spoofing attacks harder.
fs.protected_fifos=2
fs.protected_regular=2

2
etc/sysctl.d/kexec.conf Normal file
View File

@ -0,0 +1,2 @@
# Disables kexec which can be used to replace the running kernel
kernel.kexec_load_disabled=1

View File

@ -0,0 +1,7 @@
# Restricts the use of ptrace to root. This might break some programs running under WINE.
# A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. This can be done by running:
#
# sudo apt-get install libcap2-bin
# sudo setcap cap_sys_ptrace=eip /usr/bin/wineserver
# sudo setcap cap_sys_ptrace=eip /usr/bin/wine-preloader
kernel.yama.ptrace_scope=2

View File

@ -0,0 +1,19 @@
## TCP/IP stack hardening
# Protects against time-wait assassination. It drops RST packets for sockets in the time-wait state.
net.ipv4.tcp_rfc1337=1
# Disables ICMP redirect acceptance.
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
# Disables ICMP redirect sending.
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
# Ignores ICMP requests
net.ipv4.icmp_echo_ignore_all=1