diff --git a/etc/sysctl.d/fs_protected.conf b/etc/sysctl.d/fs_protected.conf
new file mode 100644
index 0000000..4e4117b
--- /dev/null
+++ b/etc/sysctl.d/fs_protected.conf
@@ -0,0 +1,3 @@
+# Makes some data spoofing attacks harder.
+fs.protected_fifos=2
+fs.protected_regular=2
diff --git a/etc/sysctl.d/kexec.conf b/etc/sysctl.d/kexec.conf
new file mode 100644
index 0000000..cfe590a
--- /dev/null
+++ b/etc/sysctl.d/kexec.conf
@@ -0,0 +1,2 @@
+# Disables kexec which can be used to replace the running kernel
+kernel.kexec_load_disabled=1
diff --git a/etc/sysctl.d/ptrace_scope.conf b/etc/sysctl.d/ptrace_scope.conf
new file mode 100644
index 0000000..f0bc04d
--- /dev/null
+++ b/etc/sysctl.d/ptrace_scope.conf
@@ -0,0 +1,7 @@
+# Restricts the use of ptrace to root. This might break some programs running under WINE.
+# A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. This can be done by running:
+#
+# sudo apt-get install libcap2-bin
+# sudo setcap cap_sys_ptrace=eip /usr/bin/wineserver
+# sudo setcap cap_sys_ptrace=eip /usr/bin/wine-preloader
+kernel.yama.ptrace_scope=2
diff --git a/etc/sysctl.d/tcp_hardening.conf b/etc/sysctl.d/tcp_hardening.conf
new file mode 100644
index 0000000..0cea4be
--- /dev/null
+++ b/etc/sysctl.d/tcp_hardening.conf
@@ -0,0 +1,19 @@
+## TCP/IP stack hardening
+
+# Protects against time-wait assassination. It drops RST packets for sockets in the time-wait state.
+net.ipv4.tcp_rfc1337=1
+
+# Disables ICMP redirect acceptance.
+net.ipv4.conf.all.accept_redirects=0
+net.ipv4.conf.default.accept_redirects=0
+net.ipv4.conf.all.secure_redirects=0
+net.ipv4.conf.default.secure_redirects=0
+net.ipv6.conf.all.accept_redirects=0
+net.ipv6.conf.default.accept_redirects=0
+
+# Disables ICMP redirect sending.
+net.ipv4.conf.all.send_redirects=0
+net.ipv4.conf.default.send_redirects=0
+
+# Ignores ICMP requests
+net.ipv4.icmp_echo_ignore_all=1
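Review bot: The comment on the first added line of fs_protected.conf does not tell an operator what is actually restricted: `fs.protected_fifos` and `fs.protected_regular` only govern O_CREAT opens of FIFOs and regular files that sit in world-writable sticky directories (such as /tmp) and are owned by neither the opener nor the directory owner, and value 2 extends that to group-writable sticky directories. Suggest `# In world-writable sticky dirs (e.g. /tmp), refuse O_CREAT opens of FIFOs/regular files not owned by the opener or the dir owner; 2 = also group-writable sticky dirs. Defeats pre-created-file spoofing.`. The drop-in also leaves out the companion keys `fs.protected_symlinks=1` and `fs.protected_hardlinks=1`; most distributions enable them by default, but a file dedicated to the fs.protected_* family should set them explicitly rather than rely on the distro default. Both added keys are only present on reasonably recent kernels (4.19 or later, as far as I recall), and on older kernels the sysctl loader will report an error for this file, which is worth a one-line comment.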
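Review bot: The comment in kexec.conf should record that `kernel.kexec_load_disabled` is a one-way latch: once set to 1 it cannot be reset to 0 on the running kernel, so an operator who hits a side effect cannot undo it with `sysctl -w` and needs a reboot. The side effect worth stating is kdump, which loads its crash kernel through the same kexec syscalls; if kdump is in use, the crash kernel must be loaded before this drop-in is applied at boot, otherwise kdump setup fails. Suggest `# One-way latch: cannot be cleared without a reboot. Also blocks loading a kdump crash kernel once set.`.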
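Review bot: The setcap workaround quoted in ptrace_scope.conf largely undoes the hardening for every user who can execute those two binaries: a file capability of `cap_sys_ptrace=eip` gives CAP_SYS_PTRACE to the resulting process regardless of who runs it, and CAP_SYS_PTRACE is exactly what `ptrace_scope=2` checks for, so such a process can effectively attach to processes of other users too, not merely other WINE processes. The comment should state this trade-off, and also that file capabilities live in the binary's extended attributes and are lost whenever a package upgrade replaces the file. The first line's "to root" is imprecise as well — the check is for CAP_SYS_PTRACE, not uid 0 — and the setting breaks unprivileged debugger attach (`gdb -p`, `strace -p`) in general, not only WINE. Suggest `# 2 = only processes with CAP_SYS_PTRACE may ptrace (breaks unprivileged gdb/strace attach and some WINE programs).` for the first line and, above the setcap commands, `# WARNING: this grants CAP_SYS_PTRACE to anyone running these binaries and is lost on package upgrade.`.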
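Review bot: `net.ipv4.icmp_echo_ignore_all=1` on the last line of tcp_hardening.conf silences IPv4 echo requests only; on a dual-stack host the IPv6 stack keeps answering pings (the counterpart is `net.ipv6.icmp.echo_ignore_all`, on kernels that have it), so the setting is inconsistent and mostly costs ping-based monitoring and diagnostics rather than hiding a host that remains reachable on any open port. Suggest either dropping it or documenting the trade-off: `# Drops IPv4 echo requests only; breaks ping-based monitoring and does not hide the host. IPv6 needs net.ipv6.icmp.echo_ignore_all.`. The header promises TCP/IP stack hardening but no anti-spoofing keys are set: `net.ipv4.conf.all.rp_filter`/`net.ipv4.conf.default.rp_filter`, `accept_source_route=0` for both address families, `net.ipv4.tcp_syncookies=1` and `net.ipv4.icmp_ignore_bogus_error_responses=1` are the usual companions, and if their omission is deliberate a comment should say so. The two `secure_redirects=0` lines are redundant once `accept_redirects=0` is set (secure_redirects only filters redirects that would otherwise be accepted); harmless, but a short comment would prevent a reader from assuming they add protection.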