mirror of
https://github.com/Kicksecure/security-misc.git
synced 2025-08-05 10:44:17 -04:00
Merge branch 'Kicksecure:master' into kspp_compliance
This commit is contained in:
raja-grewal
GitHub
commit
9dbd200be4
6 changed files with 265 additions and 119 deletions
|
|
@ -114,11 +114,20 @@ kernel.sysrq=0
|
|||
## User namespaces aim to improve sandboxing and accessibility for unprivileged users.
|
||||
## Unprivileged user namespaces pose substantial privilege escalation risks.
|
||||
## Restricting may lead to breakages in numerous software packages.
|
||||
## Uncomment the second sysctl to entirely disable user namespaces.
|
||||
## Disabling entirely will reduce compatibility with some AppArmor profiles.
|
||||
##
|
||||
## https://lwn.net/Articles/673597/
|
||||
## https://madaidans-insecurities.github.io/linux.html#kernel
|
||||
## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers
|
||||
## https://github.com/NixOS/nixpkgs/pull/84522#issuecomment-614640601
|
||||
## https://github.com/Kicksecure/security-misc/pull/263
|
||||
##
|
||||
## KSPP=partial
|
||||
## KSPP sets the stricter sysctl user.max_user_namespaces=0.
|
||||
##
|
||||
kernel.unprivileged_userns_clone=0
|
||||
#user.max_user_namespaces=0
|
||||
|
||||
## Restricts kernel profiling to users with CAP_PERFMON.
|
||||
## The performance events system should not be accessible by unprivileged users.
|
||||
|
|
@ -353,13 +362,15 @@ net.ipv4.tcp_rfc1337=1
|
|||
|
||||
## Enable reverse path filtering (source validation) of packets received from all interfaces.
|
||||
## Prevents IP spoofing and mitigates vulnerabilities such as CVE-2019-14899.
|
||||
## The second "default" command fixes a bug in the existing kernel implementation.
|
||||
##
|
||||
## https://en.wikipedia.org/wiki/IP_address_spoofing
|
||||
## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-reverse_path_forwarding#sect-Security_Guide-Server_Security-Reverse_Path_Forwarding
|
||||
## https://forums.whonix.org/t/enable-reverse-path-filtering/8594
|
||||
## https://seclists.org/oss-sec/2019/q4/122
|
||||
## https://github.com/Kicksecure/security-misc/pull/261
|
||||
##
|
||||
net.ipv4.conf.all.rp_filter=1
|
||||
net.ipv4.conf.*.rp_filter=1
|
||||
net.ipv4.conf.default.rp_filter=1
|
||||
|
||||
## Disable ICMP redirect acceptance and redirect sending messages.
|
||||
|
|
@ -373,14 +384,10 @@ net.ipv4.conf.default.rp_filter=1
|
|||
## https://askubuntu.com/questions/118273/what-are-icmp-redirects-and-should-they-be-blocked
|
||||
## https://github.com/Kicksecure/security-misc/pull/248
|
||||
##
|
||||
net.ipv4.conf.all.accept_redirects=0
|
||||
net.ipv4.conf.default.accept_redirects=0
|
||||
net.ipv4.conf.all.send_redirects=0
|
||||
net.ipv4.conf.default.send_redirects=0
|
||||
net.ipv6.conf.all.accept_redirects=0
|
||||
net.ipv6.conf.default.accept_redirects=0
|
||||
#net.ipv4.conf.all.secure_redirects=1
|
||||
#net.ipv4.conf.default.secure_redirects=1
|
||||
net.ipv4.conf.*.accept_redirects=0
|
||||
net.ipv4.conf.*.send_redirects=0
|
||||
net.ipv6.conf.*.accept_redirects=0
|
||||
#net.ipv4.conf.*.secure_redirects=1
|
||||
|
||||
## Ignore ICMP echo requests.
|
||||
## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks.
|
||||
|
|
@ -400,15 +407,12 @@ net.ipv4.icmp_ignore_bogus_error_responses=1
|
|||
##
|
||||
## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-disable-source-routing
|
||||
##
|
||||
net.ipv4.conf.all.accept_source_route=0
|
||||
net.ipv4.conf.default.accept_source_route=0
|
||||
net.ipv6.conf.all.accept_source_route=0
|
||||
net.ipv6.conf.default.accept_source_route=0
|
||||
net.ipv4.conf.*.accept_source_route=0
|
||||
net.ipv6.conf.*.accept_source_route=0
|
||||
|
||||
## Do not accept IPv6 router advertisements and solicitations.
|
||||
##
|
||||
net.ipv6.conf.all.accept_ra=0
|
||||
net.ipv6.conf.default.accept_ra=0
|
||||
net.ipv6.conf.*.accept_ra=0
|
||||
|
||||
## Disable SACK and DSACK.
|
||||
## Select acknowledgements (SACKs) are a known common vector of exploitation.
|
||||
|
|
@ -451,8 +455,7 @@ net.ipv4.tcp_timestamps=0
|
|||
##
|
||||
## The logging of martian packets is currently disabled.
|
||||
##
|
||||
#net.ipv4.conf.all.log_martians=1
|
||||
#net.ipv4.conf.default.log_martians=1
|
||||
#net.ipv4.conf.*.log_martians=1
|
||||
|
||||
## Enable IPv6 Privacy Extensions to prefer temporary addresses over public addresses.
|
||||
## The temporary/privacy address is used as the source for all outgoing traffic.
|
||||
|
|
@ -468,5 +471,4 @@ net.ipv4.tcp_timestamps=0
|
|||
##
|
||||
## The use of IPv6 Privacy Extensions is currently disabled due to these breakages.
|
||||
##
|
||||
#net.ipv6.conf.all.use_tempaddr=2
|
||||
#net.ipv6.conf.default.use_tempaddr=2
|
||||
#net.ipv6.conf.*.use_tempaddr=2
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue