From 944fed3c459dd55820cb1eca68f86816bdf8469f Mon Sep 17 00:00:00 2001
From: flawedworld <38294951+flawedworld@users.noreply.github.com>
Date: Fri, 18 Sep 2020 23:29:04 +0100
Subject: [PATCH 1/2] Disallow kernel profiling by users without CAP_SYS_ADMIN

It's the default on a lot of stuff, but still nice to have.
---
 etc/sysctl.d/30_security-misc.conf | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/etc/sysctl.d/30_security-misc.conf b/etc/sysctl.d/30_security-misc.conf
index 18902ef..cb53834 100644
--- a/etc/sysctl.d/30_security-misc.conf
+++ b/etc/sysctl.d/30_security-misc.conf
@@ -145,3 +145,7 @@ vm.unprivileged_userfaultfd=0
 ## - https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Performance_Tuning_Guide/s-memory-tunables.html
 ## - https://en.wikipedia.org/wiki/Swappiness
 vm.swappiness=1
+
+## Disallow kernel profiling by users without CAP_SYS_ADMIN
+## https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
+kernel.perf_event_paranoid=3
From 8f7727e823a86a1826686d5c95d0070721c7acba Mon Sep 17 00:00:00 2001
From: flawedworld <38294951+flawedworld@users.noreply.github.com>
Date: Fri, 18 Sep 2020 23:36:30 +0100
Subject: [PATCH 2/2] Add some IPv6 options

---
 etc/sysctl.d/30_security-misc.conf | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/etc/sysctl.d/30_security-misc.conf b/etc/sysctl.d/30_security-misc.conf
index cb53834..e7b7706 100644
--- a/etc/sysctl.d/30_security-misc.conf
+++ b/etc/sysctl.d/30_security-misc.conf
@@ -82,6 +82,8 @@ net.ipv6.conf.default.accept_redirects=0
 ## Disables ICMP redirect sending.
 net.ipv4.conf.all.send_redirects=0
 net.ipv4.conf.default.send_redirects=0
+net.ipv6.conf.all.accept_redirects=0
+net.ipv6.conf.default.accept_redirects=0
 
 ## Ignores ICMP requests.
 net.ipv4.icmp_echo_ignore_all=1
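Review bot: The value 3 for kernel.perf_event_paranoid is not defined by the mainline documentation the new comment links to, which only describes levels -1 through 2; on a kernel without the Debian/Ubuntu/Android patch that adds level 3, a value above 2 behaves like 2 (unprivileged users may still profile their own user-space processes), while on patched kernels 3 also blocks that. The comment should say which behaviour the hardening relies on, e.g. `## 3 disables all unprivileged perf_event_open() on Debian/Ubuntu-patched kernels; mainline treats values above 2 as 2.` Since kernels from 5.8 also honour CAP_PERFMON for this check, the heading would be more accurate as `## Disallow kernel profiling by users without CAP_PERFMON/CAP_SYS_ADMIN` — confirm against the target kernel version.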
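Review bot: The two added net.ipv6.conf.*.accept_redirects=0 lines duplicate settings the file already contains: the hunk header's context shows `net.ipv6.conf.default.accept_redirects=0` immediately preceding this hunk, so these keys are now set twice in the same file. They are also placed under the `## Disables ICMP redirect sending.` heading although they control acceptance rather than sending, and Linux exposes no IPv6 send_redirects sysctl that would belong there. I would drop both added lines; if the intent is to keep the IPv6 acceptance setting next to its IPv4 counterpart, move the existing lines instead of repeating them.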
@@ -92,6 +94,8 @@ net.ipv4.tcp_syncookies=1
 ## Disable source routing.
 net.ipv4.conf.all.accept_source_route=0
 net.ipv4.conf.default.accept_source_route=0
+net.ipv6.conf.all.accept_source_route=0
+net.ipv6.conf.default.accept_source_route=0
 
 ## Enable reverse path filtering to prevent IP spoofing and
 ## mitigate vulnerabilities such as CVE-2019-14899.
@@ -149,3 +153,8 @@ vm.swappiness=1
 ## Disallow kernel profiling by users without CAP_SYS_ADMIN
 ## https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
 kernel.perf_event_paranoid=3
+
+# Do not accept router advertisments
+net.ipv6.conf.all.accept_ra=0
+net.ipv6.conf.default.accept_ra=0
+
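Review bot: For IPv6, 0 is not the "reject" value of accept_source_route: the kernel's ip-sysctl documentation describes values `>= 0` as accepting routing header type 2 and `< 0` as not accepting routing headers, with 0 being the default, so the two new lines restate the default rather than mirroring the IPv4 lines above them. If the goal is to reject source-routed packets as the `## Disable source routing.` heading says, the lines should be `net.ipv6.conf.all.accept_source_route=-1` and `net.ipv6.conf.default.accept_source_route=-1`. Either way a comment is warranted, e.g. `## IPv6: -1 rejects all routing headers; 0 (the default) still accepts type 2 (Mobile IPv6).`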
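Review bot: accept_ra=0 disables SLAAC and RA-learned default routes, so a host on a network that configures IPv6 via router advertisements loses IPv6 connectivity entirely, and neither the one-line comment nor the commit message mentions that trade-off. The comment should state it and how to opt back in, e.g. `## Disables SLAAC/RA-based IPv6 autoconfiguration; set to 1 (2 when forwarding is enabled) if this host relies on router advertisements.` Two style points on the same lines: the rest of the file uses `##` for comments while this one uses a single `#`, "advertisments" should be "advertisements", and the trailing empty `+` line adds a blank line at end of file. It also appears that for several IPv6 knobs the `conf.all` value is not pushed to interfaces that already exist when sysctl runs, so `default` covers only later-created interfaces — confirm on the target kernel whether a per-interface entry is needed.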