mirror of
https://github.com/Kicksecure/security-misc.git
synced 2024-12-23 23:59:22 -05:00
commit
7d7b899dd1
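--- a/etc/sysctl.d/fs_protected.conf
+++ b/etc/sysctl.d/fs_protected.conf
@@ -0,0 +1,3 @@
+# Makes some data spoofing attacks harder.
+fs.protected_fifos=2
+fs.protected_regular=2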
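Review bot: The only comment in the new file, "Makes some data spoofing attacks harder.", does not say what the two keys cover or what the value 2 means. Per the kernel sysctl documentation, they refuse O_CREAT opens of FIFOs and regular files the caller does not own in world-writable sticky directories, and 2 extends that to group-writable sticky directories. I would replace the comment with `# Refuses O_CREAT opens of FIFOs/regular files not owned by the caller in world-writable (1) and also group-writable (2) sticky directories such as /tmp.` Both keys were introduced in Linux 4.19, so a second line, `# Requires Linux >= 4.19; older kernels report these keys as unknown.`, would save a maintainer from chasing the resulting sysctl error.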
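--- a/etc/sysctl.d/kexec.conf
+++ b/etc/sysctl.d/kexec.conf
@@ -0,0 +1,2 @@
+# Disables kexec which can be used to replace the running kernel
+kernel.kexec_load_disabled=1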
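Review bot: The comment above `kernel.kexec_load_disabled=1` should state that the toggle is one-way: once it is set to 1 the kernel does not allow it to be set back to 0 until the next boot. It also leaves an already-loaded image in place, so a kdump crash kernel has to be loaded before this file is applied or crash dumps will silently stop working. Suggested wording: `# Disables kexec, which can be used to replace the running kernel. One-way until reboot; kdump must load its crash kernel before this is applied.`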
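--- a/etc/sysctl.d/ptrace_scope.conf
+++ b/etc/sysctl.d/ptrace_scope.conf
@@ -0,0 +1,7 @@
+# Restricts the use of ptrace to root. This might break some programs running under WINE.
+# A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. This can be done by running:
+#
+# sudo apt-get install libcap2-bin
+# sudo setcap cap_sys_ptrace=eip /usr/bin/wineserver
+# sudo setcap cap_sys_ptrace=eip /usr/bin/wine-preloader
+kernel.yama.ptrace_scope=2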
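Review bot: The WINE workaround documented in the comment grants `cap_sys_ptrace=eip` as a file capability without stating what it costs. A process holding CAP_SYS_PTRACE is exempt from the Yama restriction and from the usual same-user ptrace checks, so the two binaries are no longer confined to tracing WINE's own processes. The comment should carry that caveat, for example `# NOTE: this exempts wineserver and wine-preloader from the restriction for every process on the system; apply it only if that trade-off is acceptable.` The first line would also be more accurate as `# Restricts ptrace attach to processes with CAP_SYS_PTRACE.`, with a mention that unprivileged gdb/strace attach stops working too.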
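--- a/etc/sysctl.d/tcp_hardening.conf
+++ b/etc/sysctl.d/tcp_hardening.conf
@@ -0,0 +1,19 @@
+## TCP/IP stack hardening
+
+# Protects against time-wait assassination. It drops RST packets for sockets in the time-wait state.
+net.ipv4.tcp_rfc1337=1
+
+# Disables ICMP redirect acceptance.
+net.ipv4.conf.all.accept_redirects=0
+net.ipv4.conf.default.accept_redirects=0
+net.ipv4.conf.all.secure_redirects=0
+net.ipv4.conf.default.secure_redirects=0
+net.ipv6.conf.all.accept_redirects=0
+net.ipv6.conf.default.accept_redirects=0
+
+# Disables ICMP redirect sending.
+net.ipv4.conf.all.send_redirects=0
+net.ipv4.conf.default.send_redirects=0
+
+# Ignores ICMP requests
+net.ipv4.icmp_echo_ignore_all=1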
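Review bot: The last comment, "# Ignores ICMP requests", overstates what `net.ipv4.icmp_echo_ignore_all=1` does: the key drops ICMP echo requests (ping) only, and only for IPv4. I would write `# Ignores ICMPv4 echo requests (ping). Breaks ping-based reachability checks; IPv6 echo is not affected by this key.` so nobody assumes the host is silent on IPv6 or that other ICMP types are filtered. Separately, the `conf.default.*` redirect keys only seed interfaces created after the file is loaded, so a short comment that already-existing interfaces keep their own per-interface values may be worth adding above the redirect block.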