Merge pull request #57 from madaidan/sysctl

Prevent symlink/hardlink TOCTOU races
Patrick Schleizer 2020-02-13 18:40:58 +00:00 committed by GitHub
commit ad6b766886
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 17 additions and 9 deletions

debian/control vendored

@ -48,7 +48,9 @@ Description: enhances misc security settings
attacks and enabling reverse path filtering to prevent IP spoofing and attacks and enabling reverse path filtering to prevent IP spoofing and
mitigate vulnerabilities such as CVE-2019-14899. mitigate vulnerabilities such as CVE-2019-14899.
. .
* Some data spoofing attacks are made harder. * Avoids unintentional writes to attacker-controlled files.
.
* Prevents symlink/hardlink TOCTOU races.
. .
* SACK can be disabled as it is commonly exploited and is rarely used by * SACK can be disabled as it is commonly exploited and is rarely used by
uncommenting settings in file /etc/sysctl.d/30_security-misc.conf. uncommenting settings in file /etc/sysctl.d/30_security-misc.conf.


@ -5,21 +5,31 @@
## security-misc also disables coredumps in other ways. ## security-misc also disables coredumps in other ways.
kernel.core_pattern=|/bin/false kernel.core_pattern=|/bin/false
## Restricts the kernel log to root only. ## Restricts the kernel log to root only.
kernel.dmesg_restrict=1 kernel.dmesg_restrict=1
## Don't allow writes to files that we don't own
## Makes some data spoofing attacks harder. ## in world writable sticky directories, unless
## they are owned by the owner of the directory.
fs.protected_fifos=2 fs.protected_fifos=2
fs.protected_regular=2 fs.protected_regular=2
## Only allow symlinks to be followed when outside of
## a world-writable sticky directory, or when the owner
## of the symlink and follower match, or when the directory
## owner matches the symlink's owner.
##
## Prevent hardlinks from being created by users that do not
## have read/write access to the source file.
##
## These prevent many TOCTOU races.
fs.protected_symlinks=1
fs.protected_hardlinks=1
## Hardens the BPF JIT compiler and restricts it to root. ## Hardens the BPF JIT compiler and restricts it to root.
kernel.unprivileged_bpf_disabled=1 kernel.unprivileged_bpf_disabled=1
net.core.bpf_jit_harden=2 net.core.bpf_jit_harden=2
## Quote https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html ## Quote https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html
## ##
## kexec_load_disabled: ## kexec_load_disabled:
@ -29,19 +39,16 @@ net.core.bpf_jit_harden=2
## Disables kexec which can be used to replace the running kernel. ## Disables kexec which can be used to replace the running kernel.
kernel.kexec_load_disabled=1 kernel.kexec_load_disabled=1
## Hides kernel addresses in various files in /proc. ## Hides kernel addresses in various files in /proc.
## Kernel addresses can be very useful in certain exploits. ## Kernel addresses can be very useful in certain exploits.
## ##
## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak ## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
kernel.kptr_restrict=2 kernel.kptr_restrict=2
## Improves ASLR effectiveness for mmap. ## Improves ASLR effectiveness for mmap.
vm.mmap_rnd_bits=32 vm.mmap_rnd_bits=32
vm.mmap_rnd_compat_bits=16 vm.mmap_rnd_compat_bits=16
## Restricts the use of ptrace to root. This might break some programs running under WINE. ## Restricts the use of ptrace to root. This might break some programs running under WINE.
## A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. This can be done by running: ## A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. This can be done by running:
## ##
@ -50,7 +57,6 @@ vm.mmap_rnd_compat_bits=16
## sudo setcap cap_sys_ptrace=eip /usr/bin/wine-preloader ## sudo setcap cap_sys_ptrace=eip /usr/bin/wine-preloader
kernel.yama.ptrace_scope=2 kernel.yama.ptrace_scope=2
## Prevent setuid processes from creating coredumps. ## Prevent setuid processes from creating coredumps.
fs.suid_dumpable=0 fs.suid_dumpable=0
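Review bot: The new `fs.protected_symlinks=1` / `fs.protected_hardlinks=1` lines, together with the `fs.protected_regular=2` / `fs.protected_fifos=2` they sit next to, can be silently overridden by later-sorting sysctl.d fragments: sysctl.d(5) applies all fragments from /usr/lib and /etc in lexicographic order of basename, and the package description in this same commit names this file 30_security-misc.conf, so anything named 50-* or higher wins. If the target system's systemd installs /usr/lib/sysctl.d/50-default.conf (systemd 241 and later set fs.protected_regular and fs.protected_fifos to 1 there), the stricter value 2 set here would be reduced to 1 at boot — worth confirming on a booted host with `sysctl fs.protected_regular fs.protected_fifos` rather than assuming the file's values are effective. Either rename the fragment so it sorts after distribution defaults, or at minimum document the ordering caveat in the file, e.g. `## NOTE: sysctl.d fragments sorting after this file (e.g. systemd's 50-default.conf) override these values; verify with sysctl -a.` The hardlink comment is accurate as far as it goes; it could also state the exact kernel rule so readers do not read "read/write access" loosely: `## (kernel rule: the caller must own the file or have both read and write permission on it)`.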