This commit is contained in:
Patrick Schleizer 2024-07-17 11:04:03 -04:00
parent c8be4ac83c
commit a2e26f441b
No known key found for this signature in database
GPG Key ID: CB8D50BB77BB3C48

View File

@ -2,18 +2,18 @@
## See the file COPYING for copying conditions.
## NOTE:
## This file has a strange name so that /usr/lib/sysctl.d/99-protect-links.conf is
## first parsed and then followed by /usr/lib/sysctl.d/990-security-misc.conf.
## This file has a special name to ensure that /usr/lib/sysctl.d/99-protect-links.conf
## is parsed first, followed by /usr/lib/sysctl.d/990-security-misc.conf.
## https://github.com/Kicksecure/security-misc/pull/135
## This configuration file is split into 5 sections:
## This configuration file is divided into 5 sections:
## 1. Kernel Space
## 2. User Space
## 3. Core Dumps
## 4. Swap Space
## 5. Networking
## See the documentation below for details on the majority of the selected commands.
## For detailed explanations of most of the selected commands, refer to:
## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html
## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/fs.html
## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/net.html
@ -25,20 +25,20 @@
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
## https://wiki.archlinux.org/title/Security#Kernel_hardening
## Restrict kernel addresses via /proc and other interfaces regardless of user privileges.
## Restrict kernel address visibility via /proc and other interfaces, regardless of user privileges.
## Kernel pointers expose specific locations in kernel memory.
##
## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
##
kernel.kptr_restrict=2
## Restrict access to the kernel log buffer to CAP_SYSLOG.
## Restrict access to the kernel log buffer to users with CAP_SYSLOG.
## Kernel logs often contain sensitive information such as kernel pointers.
##
kernel.dmesg_restrict=1
## Prevent kernel information leaks in the console during boot.
## Must be used in combination with the kernel boot parameters.
## Must be used in conjunction with kernel boot parameters.
## See /etc/default/grub.d/41_quiet_boot.cfg for implementation.
##
## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html
@ -54,23 +54,23 @@ kernel.dmesg_restrict=1
kernel.unprivileged_bpf_disabled=1
net.core.bpf_jit_harden=2
## Restrict loading TTY line disciplines to CAP_SYS_MODULE.
## Prevents unprivileged users loading vulnerable line disciplines with the TIOCSETD ioctl.
## Restrict loading TTY line disciplines to users with CAP_SYS_MODULE.
## Prevents unprivileged users from loading vulnerable line disciplines with the TIOCSETD ioctl.
##
## https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html
## https://lkml.org/lkml/2019/4/15/890
##
dev.tty.ldisc_autoload=0
## Restrict the userfaultfd() syscall to SYS_CAP_PTRACE.
## Reduces likelihood of use-after-free exploits from heap sprays.
## Restrict the userfaultfd() syscall to users with SYS_CAP_PTRACE.
## Reduces the likelihood of use-after-free exploits from heap sprays.
##
## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cefdca0a86be517bc390fc4541e3674b8e7803b0
## https://duasynt.com/blog/linux-kernel-heap-spray
##
vm.unprivileged_userfaultfd=0
## Disables kexec which can be used to replace the running kernel.
## Disables kexec, which can be used to replace the running kernel.
## Useful for live kernel patching without rebooting.
##
## https://en.wikipedia.org/wiki/Kexec
@ -80,7 +80,7 @@ vm.unprivileged_userfaultfd=0
#kernel.kexec_load_disabled=1
## Disable the SysRq key to prevent leakage of kernel information.
## The Secure Attention Key (SAK) can no longer be utilised.
## The Secure Attention Key (SAK) can no longer be utilized.
##
## https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html
## https://www.kicksecure.com/wiki/SysRq
@ -88,10 +88,10 @@ vm.unprivileged_userfaultfd=0
##
kernel.sysrq=0
## Restrict user namespaces to CAP_SYS_ADMIN.
## Restrict user namespaces to users with CAP_SYS_ADMIN.
## User namespaces aim to improve sandboxing and accessibility for unprivileged users.
## Unprivileged user namespaces pose substantial privilege escalation risks.
## Restricting is well-known to cause breakages across numerous software.
## Restricting is known to cause breakages across numerous software packages.
##
## https://madaidans-insecurities.github.io/linux.html#kernel
## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers
@ -100,7 +100,7 @@ kernel.sysrq=0
##
#kernel.unprivileged_userns_clone=0
## Restricts kernel profiling to CAP_PERFMON.
## Restricts kernel profiling to users with CAP_PERFMON.
## The performance events system should not be accessible by unprivileged users.
## Other distributions such as Ubuntu and Fedora may permit further restricting.
##
@ -110,7 +110,7 @@ kernel.sysrq=0
kernel.perf_event_paranoid=3
## Enable ASLR for mmap base, stack, VDSO pages, and heap.
## Heap randomisation can lead to breakages with legacy applications.
## Heap randomization can lead to breakages with legacy applications.
##
## https://en.wikipedia.org/wiki/Address_space_layout_randomization#Linux
##
@ -124,7 +124,7 @@ kernel.randomize_va_space=2
##
kernel.io_uring_disabled=2
## 2.User Space:
## 2. User Space:
##
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace
@ -143,8 +143,8 @@ kernel.io_uring_disabled=2
##
kernel.yama.ptrace_scope=2
## Maximise bits of entropy for improved effectiveness of mmap ASLR.
## The maximum numbers of bits are dependent on CPU architecture (the ones shown below are for x86).
## Maximize bits of entropy for improved effectiveness of mmap ASLR.
## The maximum number of bits depends on CPU architecture (the ones shown below are for x86).
## Both explicit sysctl are made redundant due to automation.
## Do NOT enable either sysctl - displaying only for clarity.
##
@ -156,9 +156,9 @@ kernel.yama.ptrace_scope=2
#vm.mmap_rnd_compat_bits=16
## Prevent hardlink creation by users who do not have read/write/ownership of source file.
## Only allow symlinks to be followed when outside of a world-writable sticky directories.
## Only allow symlinks to be followed when outside of world-writable sticky directories.
## Allow symlinks when the owner and follower match or when the directory owner matches the symlink's owner.
## Hardens cross privilege boundaries if root process follows a hardlink/symlink belonging to another user.
## Hardens cross-privilege boundaries if root process follows a hardlink/symlink belonging to another user.
## This mitigates many hardlink/symlink-based TOCTOU races in world-writable directories like /tmp.
##
## https://wiki.archlinux.org/title/Security#File_systems
@ -169,16 +169,16 @@ fs.protected_hardlinks=1
fs.protected_symlinks=1
## Disallow writes to files in world-writable sticky directories unless owned by the directory owner.
## Also applies to group writable sticky directories to make data spoofing attacks more difficult.
## Also applies to group-writable sticky directories to make data spoofing attacks more difficult.
## Prevents unintentional writes to attacker-controlled files.
##
fs.protected_fifos=2
fs.protected_regular=2
## Increase the maximum number of memory map areas a process is permitted to utilise.
## Addresses performance, crash, and start-up issues for some memory intensive applications.
## Increase the maximum number of memory map areas a process is permitted to utilize.
## Addresses performance, crash, and start-up issues for some memory-intensive applications.
## Required to accommodate the very large number of guard pages created by hardened_malloc.
## Kicksecure version 18 will deprecate hardened_malloc and so this sysctl will be applied here instead.
## Kicksecure version 18 will deprecate hardened_malloc, so this sysctl will be applied here instead.
##
## https://archlinux.org/news/increasing-the-default-vmmax_map_count-value/
## https://github.com/GrapheneOS/hardened_malloc#traditional-linux-based-operating-systems
@ -192,7 +192,7 @@ vm.max_map_count=1048576
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps
## Disable core dump files by preventing any pattern names.
## This setting may be overwritten by systemd is is not comprehensive.
## This setting may be overwritten by systemd and is not comprehensive.
## Core dumps are also disabled in security-misc via other means.
##
## https://wiki.archlinux.org/title/Core_dump#Disabling_automatic_core_dumps
@ -204,7 +204,7 @@ kernel.core_pattern=|/bin/false
##
fs.suid_dumpable=0
## Set core dump file name to 'core.PID' instead of 'core' as a form of defence-in-depth.
## Set core dump file name to 'core.PID' instead of 'core' as a form of defense-in-depth.
## If core dumps are permitted, only useful if PID listings are hidden from non-root users.
##
kernel.core_uses_pid=1
@ -214,8 +214,8 @@ kernel.core_uses_pid=1
## https://madaidans-insecurities.github.io/guides/linux-hardening.html#swap
## Limit the copying of memory to the swap device only if absolutely necessary.
## Minimises the likelihood of writing potentially sensitive contents to disk.
## Not reccommmeded to set to zero since this disables periodic write behavior.
## Minimizes the likelihood of writing potentially sensitive contents to disk.
## Not recommended to set to zero since this disables periodic write behavior.
##
## https://en.wikipedia.org/wiki/Memory_paging#Linux
## https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Performance_Tuning_Guide/s-memory-tunables.html
@ -242,7 +242,7 @@ net.ipv4.tcp_syncookies=1
net.ipv4.tcp_rfc1337=1
## Enable reverse path filtering (source validation) of packets received from all interfaces.
## Prevents IP spoofing and mitigate vulnerabilities such as CVE-2019-14899.
## Prevents IP spoofing and mitigates vulnerabilities such as CVE-2019-14899.
##
## https://en.wikipedia.org/wiki/IP_address_spoofing
## https://forums.whonix.org/t/enable-reverse-path-filtering/8594
@ -252,7 +252,7 @@ net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
## Disable ICMP redirect acceptance and redirect sending messages.
## Prevents man-in-the-middle attacks and minimises information disclosure.
## Prevents man-in-the-middle attacks and minimizes information disclosure.
##
## https://askubuntu.com/questions/118273/what-are-icmp-redirects-and-should-they-be-blocked
##
@ -282,7 +282,7 @@ net.ipv6.icmp.echo_ignore_all=1
##
net.ipv4.icmp_ignore_bogus_error_responses=1
## Disable source routing which allows users redirect network traffic.
## Disable source routing which allows users to redirect network traffic.
## Prevents man-in-the-middle attacks in which the traffic is redirected.
##
## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-disable-source-routing
@ -323,10 +323,10 @@ net.ipv6.conf.default.accept_ra=0
net.ipv4.tcp_timestamps=0
## Enable logging of packets with impossible source or destination addresses.
## Martian and unroutable packets may be used for dangerous purposes.
## Recommended to keep a (kernel dmesg) log of these to identify these suspicious packets.
## Good for troubleshooting and diagnostics but not necessary by default.
## Known for causing performance issues especially on systems with multiple interfaces.
## Martian and unroutable packets may be used for malicious purposes.
## Recommended to keep a (kernel dmesg) log of these to identify suspicious packets.
## Useful for troubleshooting and diagnostics but not necessary by default.
## Known to cause performance issues, especially on systems with multiple interfaces.
##
## https://wiki.archlinux.org/title/Sysctl#Log_martian_packets
## https://github.com/Kicksecure/security-misc/issues/214
@ -336,19 +336,19 @@ net.ipv4.tcp_timestamps=0
#net.ipv4.conf.all.log_martians=1
#net.ipv4.conf.default.log_martians=1
## Enable IPv6 Privacy Extensions prefer temporary addresses over public addresses.
## The temporary/privacy address is used as the source of all outgoing traffic.
## Enable IPv6 Privacy Extensions to prefer temporary addresses over public addresses.
## The temporary/privacy address is used as the source for all outgoing traffic.
## Must be used in combination with /usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf.
## Must be used in combination with /usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf.
## Should be used with MAC randomisation in /usr/lib/NetworkManager/conf.d/80_randomize-mac.conf.
## Should be used with MAC randomization in /usr/lib/NetworkManager/conf.d/80_randomize-mac.conf.
##
## MAC randomisation breaks root server and VirtualBox DHCP likely due to IPv6 Privacy Extensions.
## MAC randomization breaks root server and VirtualBox DHCP, likely due to IPv6 Privacy Extensions.
##
## https://datatracker.ietf.org/doc/html/rfc4941
## https://github.com/Kicksecure/security-misc/pull/145
## https://github.com/Kicksecure/security-misc/issues/184
##
## The use of IPv6 Privacy Extenstions is currently diasbled due to these breakages.
## The use of IPv6 Privacy Extensions is currently disabled due to these breakages.
##
#net.ipv6.conf.all.use_tempaddr=2
#net.ipv6.conf.default.use_tempaddr=2