Add details on BPF hardening and split the sysctls

Raja Grewal 2024-08-26 12:40:04 +10:00
parent 2c356e8b0e
commit 9e91c98cc9
GPG key ID: 92CA473C156B64C4
2 changed files with 21 additions and 4 deletions

@ -25,7 +25,8 @@ Kernel space:
- Prevent kernel information leaks in the console during boot. - Prevent kernel information leaks in the console during boot.
- Restrict eBPF access to `CAP_BPF` and enable associated JIT compiler hardening. - Restrict usage of `bpf()` to `CAP_BPF` to prevent the loading of BPF programs
by unprivileged users.
- Restrict loading TTY line disciplines to `CAP_SYS_MODULE`. - Restrict loading TTY line disciplines to `CAP_SYS_MODULE`.
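Review bot: the reworded bullet "Restrict usage of `bpf()` to `CAP_BPF`" slightly overstates what `kernel.unprivileged_bpf_disabled=1` does: the kernel's `bpf_capable()` check still accepts `CAP_SYS_ADMIN` as well as `CAP_BPF`, and `CAP_BPF` only exists since Linux 5.8, so older kernels fall back to `CAP_SYS_ADMIN` alone. Suggest "Restrict usage of `bpf()` to `CAP_BPF` (or `CAP_SYS_ADMIN`) to prevent the loading of BPF programs by unprivileged users." so the README matches the sysctl's actual behaviour.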
@ -82,6 +83,8 @@ Swap space:
Networking: Networking:
- Enable hardening of the BPF JIT compiler protect against JIT spraying.
- Enable TCP SYN cookie protection to assist against SYN flood attacks. - Enable TCP SYN cookie protection to assist against SYN flood attacks.
- Protect against TCP time-wait assassination hazards. - Protect against TCP time-wait assassination hazards.
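Review bot: grammar in the new Networking bullet: "Enable hardening of the BPF JIT compiler protect against JIT spraying." is missing "to" before "protect". Suggest "Enable hardening of the BPF JIT compiler to protect against JIT spraying.", which also matches the wording of the corresponding sysctl comment.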

@ -58,15 +58,16 @@ kernel.dmesg_restrict=1
## ##
#kernel.printk=3 3 3 3 #kernel.printk=3 3 3 3
## Restrict eBPF access to CAP_BPF and enable associated JIT compiler hardening. ## Restrict eBPF access to CAP_BPF.
## Disables unprivileged calls to bpf() without recovery.
## ##
## https://en.wikipedia.org/wiki/EBPF#Security ## https://en.wikipedia.org/wiki/EBPF#Security
## https://lwn.net/Articles/660331/
## ##
## KSPP=yes ## KSPP=yes
## KSPP sets the sysctls. ## KSPP sets the sysctl.
## ##
kernel.unprivileged_bpf_disabled=1 kernel.unprivileged_bpf_disabled=1
net.core.bpf_jit_harden=2
## Restrict loading TTY line disciplines to users with CAP_SYS_MODULE. ## Restrict loading TTY line disciplines to users with CAP_SYS_MODULE.
## Prevents unprivileged users from loading vulnerable line disciplines with the TIOCSETD ioctl. ## Prevents unprivileged users from loading vulnerable line disciplines with the TIOCSETD ioctl.
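Review bot: the new comment line "## Disables unprivileged calls to bpf() without recovery." should spell out what "without recovery" means for an operator reading this file: a value of 1 cannot be changed back at runtime (only a reboot clears it), whereas a value of 2 also disables unprivileged `bpf()` but can be reset to 0 by a privileged user. Since this file deliberately picks the irreversible 1, a sentence such as "## A value of 1 is permanent until reboot; use 2 if the restriction must remain reversible." would make the trade-off explicit. The split of the JIT-hardening references out of this block is correct, since `kernel.unprivileged_bpf_disabled` has nothing to do with the JIT.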
@ -348,6 +349,19 @@ vm.swappiness=1
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-network ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-network
## https://wiki.archlinux.org/title/Sysctl#TCP/IP_stack_hardening ## https://wiki.archlinux.org/title/Sysctl#TCP/IP_stack_hardening
## Enable hardening of the BPF JIT compiler for all users.
## Provides some mitigation against JIT spraying.
##
## https://en.wikipedia.org/wiki/JIT_spraying
## https://www.blackhat.com/docs/eu-16/materials/eu-16-Reshetova-Randomization-Can't-Stop-BPF-JIT-Spray-wp.pdf
## https://lwn.net/Articles/686098/
## https://lwn.net/Articles/525609/
##
## KSPP=yes
## KSPP sets the sysctl.
##
net.core.bpf_jit_harden=2
## Enable TCP SYN cookie protection to assist against SYN flood attacks. ## Enable TCP SYN cookie protection to assist against SYN flood attacks.
## ##
## https://en.wikipedia.org/wiki/SYN_flood ## https://en.wikipedia.org/wiki/SYN_flood
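Review bot: the new `net.core.bpf_jit_harden=2` block should state its dependency on the JIT being active: the sysctl only matters when the kernel is built with `CONFIG_BPF_JIT` and `net.core.bpf_jit_enable` is 1 (on kernels built with `CONFIG_BPF_JIT_ALWAYS_ON` the JIT is permanently on, which is where hardening matters most). It would also help to document the value semantics the comment "for all users" alludes to, i.e. 0 = off, 1 = harden programs loaded by unprivileged users only, 2 = harden all programs, and to note the known trade-offs of constant blinding: a performance cost on JIT-compiled programs and the fact that enabling hardening disables the `bpf_jit_kallsyms` export, so JIT-compiled BPF programs no longer appear in `/proc/kallsyms` for profiling and tracing. Suggested lines: "## Values: 0 = off, 1 = unprivileged users only, 2 = all users." and "## Only effective when net.core.bpf_jit_enable=1; trades performance and bpf_jit_kallsyms for mitigation."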