Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2024-10-01 08:25:45 -04:00
Code Issues Packages Projects Releases Wiki Activity

Add details on ASLR and move to user space section

Browse Source
This commit is contained in:
Raja Grewal 2024-08-16 13:39:11 +10:00
parent a132980023
commit 84376d23fc
No known key found for this signature in database
GPG Key ID: 92CA473C156B64C4
2 changed files with 11 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
README.md
View File

@ -45,8 +45,6 @@ space, user space, core dumps, and swap space.
certain kernel exploitation attempts. Optional - Force immediate reboot on the
occurrence of a kernel panic.
- Randomize the addresses (ASLR) for mmap base, stack, VDSO pages, and heap.
- Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
- Disable asynchronous I/O (when using Linux kernel >= 6.6) as `io_uring` has been
@ -63,6 +61,8 @@ space, user space, core dumps, and swap space.
- Disallow unintentional writes to files in world-writable directories unless
they are owned by the directory owner to mitigate some data spoofing attacks.
- Randomize the addresses (ASLR) for mmap base, stack, VDSO pages, and heap.
- Increase the maximum number of memory map areas a process is able to utilize.
- Disable core dump files and prevent their creation. If core dump files are

16
usr/lib/sysctl.d/990-security-misc.conf
View File

@ -120,13 +120,6 @@ kernel.perf_event_paranoid=3
#kernel.panic_on_oops=1
#kernel.panic=-1
## Enable ASLR for mmap base, stack, VDSO pages, and heap.
## Heap randomization can lead to breakages with legacy applications.
##
## https://en.wikipedia.org/wiki/Address_space_layout_randomization#Linux
##
kernel.randomize_va_space=2
## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses.
## Can lead to privilege escalation by pushing characters into a controlling TTY.
## Will break out-dated screen readers that continue to rely on this legacy functionality.
@ -205,6 +198,15 @@ fs.protected_symlinks=1
fs.protected_fifos=2
fs.protected_regular=2
## Enable ASLR for mmap base, stack, VDSO pages, and heap.
## Forces shared libraries to be loaded to random addresses
## Start location of PIE-linked binaries is randomized.
## Heap randomization can lead to breakages with legacy applications.
##
## https://en.wikipedia.org/wiki/Address_space_layout_randomization#Linux
##
kernel.randomize_va_space=2
## Increase the maximum number of memory map areas a process is permitted to utilize.
## Addresses performance, crash, and start-up issues for some memory-intensive applications.
## Required to accommodate the very large number of guard pages created by hardened_malloc.