From 4216299ee847da0bdf4c714451a70b69f5881d8c Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Mon, 6 May 2019 15:42:55 +0000
Subject: [PATCH 1/6] Create kexec.conf

---
 etc/sysctl.d/kexec.conf | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 etc/sysctl.d/kexec.conf

diff --git a/etc/sysctl.d/kexec.conf b/etc/sysctl.d/kexec.conf
new file mode 100644
index 0000000..cfe590a
--- /dev/null
+++ b/etc/sysctl.d/kexec.conf
@@ -0,0 +1,2 @@
+# Disables kexec which can be used to replace the running kernel
+kernel.kexec_load_disabled=1

From 2923fc96ef9ee96a3149c8b2f781402c65e106b9 Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Mon, 6 May 2019 15:45:53 +0000
Subject: [PATCH 2/6] Create tcp_hardening.conf

---
 etc/sysctl.d/tcp_hardening.conf | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 etc/sysctl.d/tcp_hardening.conf

diff --git a/etc/sysctl.d/tcp_hardening.conf b/etc/sysctl.d/tcp_hardening.conf
new file mode 100644
index 0000000..dcc8afb
--- /dev/null
+++ b/etc/sysctl.d/tcp_hardening.conf
@@ -0,0 +1,23 @@
+## TCP/IP stack hardening
+
+# Protects against time-wait assassination. It drops RST packets for sockets in the time-wait state.
+net.ipv4.tcp_rfc1337=1
+
+# Enables source validation of packets and protects against IP spoofing methods.
+net.ipv4.conf.default.rp_filter=1
+net.ipv4.conf.all.rp_filter=1
+
+# Disables ICMP redirect acceptance.
+net.ipv4.conf.all.accept_redirects=0
+net.ipv4.conf.default.accept_redirects=0
+net.ipv4.conf.all.secure_redirects=0
+net.ipv4.conf.default.secure_redirects=0
+net.ipv6.conf.all.accept_redirects=0
+net.ipv6.conf.default.accept_redirects=0
+
+# Disables ICMP redirect sending.
+net.ipv4.conf.all.send_redirects=0
+net.ipv4.conf.default.send_redirects=0
+
+# Ignores ICMP requests
+net.ipv4.icmp_echo_ignore_all=1

From 0296e51e06d94cea598fcad3bdbfa165e519a47b Mon Sep 17 00:00:00 2001
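Review bot: `kernel.kexec_load_disabled=1` is a one-way latch: once the kernel has seen the value 1 it cannot be reset to 0 until the next boot, and since it rejects every later kexec_load()/kexec_file_load() it also stops kdump from loading a crash kernel after systemd-sysctl has applied this file. Neither consequence is visible from the one-line comment, so a reader may try to toggle it back or wonder why kdump silently stops working. I would extend the comment with `# One-way: cannot be reset to 0 until reboot. Also prevents kdump from loading a crash kernel after this is applied.`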
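Review bot: `net.ipv4.icmp_echo_ignore_all=1` is the one setting in this file with a real operational cost and little security return: it breaks ping-based monitoring and reachability checks, and it has no IPv6 counterpart here, so a dual-stack host still answers echo requests over IPv6 (`net.ipv6.icmp.echo_ignore_all` is the matching key if it is kept). Under a `## TCP/IP stack hardening` heading the TCP knob a reader would expect, `net.ipv4.tcp_syncookies=1`, is missing and would fit next to `net.ipv4.tcp_rfc1337=1`. The `# Disables ...` comments state what is set but not why; one clause each would help, e.g. `# ICMP redirects let a peer change this host's routing; ignore them on every interface.`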
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Mon, 6 May 2019 15:46:37 +0000
Subject: [PATCH 3/6] Create ptrace_scope.conf

---
 etc/sysctl.d/ptrace_scope.conf | 2 ++
 1 file changed, 2 insertions(+)
 create mode 100644 etc/sysctl.d/ptrace_scope.conf

diff --git a/etc/sysctl.d/ptrace_scope.conf b/etc/sysctl.d/ptrace_scope.conf
new file mode 100644
index 0000000..649c12e
--- /dev/null
+++ b/etc/sysctl.d/ptrace_scope.conf
@@ -0,0 +1,2 @@
+# Restricts the use of ptrace to root.
+kernel.yama.ptrace_scope=2

From a4852ad6c8260c68d9c1024e09a9487a8e2e1f61 Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Mon, 6 May 2019 20:37:53 +0000
Subject: [PATCH 4/6] Create fs_protected.conf

---
 etc/sysctl.d/fs_protected.conf | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 etc/sysctl.d/fs_protected.conf

diff --git a/etc/sysctl.d/fs_protected.conf b/etc/sysctl.d/fs_protected.conf
new file mode 100644
index 0000000..4e4117b
--- /dev/null
+++ b/etc/sysctl.d/fs_protected.conf
@@ -0,0 +1,3 @@
+# Makes some data spoofing attacks harder.
+fs.protected_fifos=2
+fs.protected_regular=2

From e6794721bd181f8884cd3817b5ae3c6c58747ae7 Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Thu, 16 May 2019 16:29:20 +0000
Subject: [PATCH 5/6] Update ptrace_scope.conf

---
 etc/sysctl.d/ptrace_scope.conf | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/etc/sysctl.d/ptrace_scope.conf b/etc/sysctl.d/ptrace_scope.conf
index 649c12e..f0bc04d 100644
--- a/etc/sysctl.d/ptrace_scope.conf
+++ b/etc/sysctl.d/ptrace_scope.conf
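Review bot: `kernel.yama.ptrace_scope` exists only when the Yama LSM is built into and enabled on the running kernel; on a kernel without it systemd-sysctl reports this key as missing when it applies the file, so the file should state that it requires Yama. The comment `# Restricts the use of ptrace to root.` is also imprecise: scope 2 means only processes holding CAP_SYS_PTRACE may ptrace, and it blocks both attaching to and launching a process under a debugger or tracer even for the user's own processes, whereas scope 1 only prevents attaching to non-descendants. I would write `# Requires the Yama LSM. 2 = only CAP_SYS_PTRACE may use ptrace (debugger/strace of your own processes will fail); use 1 for the common restricted mode.`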
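Review bot: `fs.protected_fifos` and `fs.protected_regular` were introduced in Linux 4.19, so on older kernels systemd-sysctl reports both keys as unknown; the file should name the kernel version it needs. The comment `# Makes some data spoofing attacks harder.` does not say what actually changes: with value 2 the kernel refuses an O_CREAT open of an existing FIFO or regular file in a world- or group-writable sticky directory such as /tmp unless the file is owned by the opener or by the directory owner, which is what closes the pre-placed-file race on shared temp directories. The sibling knobs `fs.protected_symlinks=1` and `fs.protected_hardlinks=1` cover links in the same directory class and belong in this file rather than being left to the distribution default.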
@@ -1,2 +1,7 @@
-# Restricts the use of ptrace to root.
+# Restricts the use of ptrace to root. This might break some programs running under WINE.
+# A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. This can be done by running:
+#
+# sudo apt-get install libcap2-bin
+# sudo setcap cap_sys_ptrace=eip /usr/bin/wineserver
+# sudo setcap cap_sys_ptrace=eip /usr/bin/wine-preloader
 kernel.yama.ptrace_scope=2

From b814f338b803ae33380551919b00144bb63a53b8 Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Thu, 16 May 2019 16:33:03 +0000
Subject: [PATCH 6/6] Update tcp_hardening.conf

---
 etc/sysctl.d/tcp_hardening.conf | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/etc/sysctl.d/tcp_hardening.conf b/etc/sysctl.d/tcp_hardening.conf
index dcc8afb..0cea4be 100644
--- a/etc/sysctl.d/tcp_hardening.conf
+++ b/etc/sysctl.d/tcp_hardening.conf
@@ -3,10 +3,6 @@
 # Protects against time-wait assassination. It drops RST packets for sockets in the time-wait state.
 net.ipv4.tcp_rfc1337=1
 
-# Enables source validation of packets and protects against IP spoofing methods.
-net.ipv4.conf.default.rp_filter=1
-net.ipv4.conf.all.rp_filter=1
-
 # Disables ICMP redirect acceptance.
 net.ipv4.conf.all.accept_redirects=0
 net.ipv4.conf.default.accept_redirects=0
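Review bot: The recommended `setcap cap_sys_ptrace=eip` on wineserver and wine-preloader grants those binaries, and therefore any program launched through Wine, the right to ptrace every process on the system, which is a wider grant than the restriction this file imposes; the comment presents it as a cost-free workaround and should state the tradeoff, e.g. `# NOTE: this gives Wine system-wide ptrace rights; ptrace_scope=1 is the safer choice if Wine is needed.` File capabilities are also lost when the package is reinstalled or upgraded, so the two setcap lines have to be repeated, and `/usr/bin/wineserver` / `/usr/bin/wine-preloader` are distribution-specific paths that do not hold everywhere. I believe a file capability on wine-preloader also makes the dynamic loader run it in secure-execution mode, which ignores LD_LIBRARY_PATH and may break Wine's own library lookup; that is worth confirming before the comment recommends it.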
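Review bot: Dropping `rp_filter` altogether removes the only source-address validation in this file, and the commit does not say why; if strict mode (1) was removed because it broke asymmetric or multi-homed routing, loose mode keeps the anti-spoofing check while accepting any source reachable through some interface: `net.ipv4.conf.all.rp_filter=2` and `net.ipv4.conf.default.rp_filter=2`. The effective value per interface is the maximum of `all` and the interface's own setting, so `all` governs existing interfaces and `default` only seeds ones created later. Whichever value is chosen, the reason for the change belongs in the commit message or in a comment next to the key.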