mirror of https://github.com/Kicksecure/security-misc.git (synced 2024-12-27 07:59:31 -05:00)
commit b0b73db3c8
@ -386,10 +386,6 @@ https://github.com/ioerror/torbirdy/pull/11
Some hardening is opt-in as it causes too much breakage to be enabled by
default.

* TCP SACK can be disabled as it is commonly exploited and is rarely used by
uncommenting settings in the `/etc/sysctl.d/30_security-misc.conf`
configuration file.

* An optional systemd service mounts `/proc` with `hidepid=2` at boot to
prevent users from seeing another user's processes. This is disabled by
default because it is incompatible with `pkexec`. It can be enabled by
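Review bot: the TCP SACK bullet attaches "by uncommenting settings in ..." to the wrong verb, so it reads as if SACK "is rarely used by uncommenting settings"; since this hunk already reworks the opt-in section, suggest `* TCP SACK can be disabled by uncommenting settings in the` / `` `/etc/sysctl.d/30_security-misc.conf` configuration file, as it is `` / `commonly exploited and rarely used.` Separately, the hunk header records a net loss of four lines (10 -> 6) in this section, but the rendered view carries no +/- markers, so it is not visible here which bullet was dropped; the README should still tell users where the mmap randomisation setting is now handled if that is the text that went, and the commit message should name the removed bullet.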
@ -36,6 +36,14 @@ net.core.bpf_jit_harden=2
## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
kernel.kptr_restrict=2

## Improves ASLR effectiveness for mmap.
## Both explicit sysctl are made redundant due to automation
## https://forums.whonix.org/t/automate-mmap-randomisation-to-fix-ppc64el/16514
## Do NOT enable either - displaying only for clarity
##
#vm.mmap_rnd_bits=32
#vm.mmap_rnd_compat_bits=16

## Restricts the use of ptrace to root. This might break some programs running under WINE.
## A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. This can be done by running:
##
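Review bot: the new comment block documents two sysctls (`vm.mmap_rnd_bits`, `vm.mmap_rnd_compat_bits`) that this file deliberately does not set, but it only says they are "made redundant due to automation" and links a forum thread; a maintainer reading the sysctl file cannot tell which component applies them now, so name it in the comment (for example `## set at boot by <script or service name>`, placeholder to be filled in) rather than relying on the URL alone. The thread title ("automate-mmap-randomisation-to-fix-ppc64el") indicates the motivation is architecture-dependent: the kernel clamps these sysctls to a per-architecture range, so a fixed `vm.mmap_rnd_bits=32` is rejected on architectures whose maximum is lower, and saying so in the comment guards against someone later uncommenting the values to get "stronger ASLR". Minor wording: "Both explicit sysctl are made redundant" -> "Both explicit sysctls are made redundant", and "Do NOT enable either" is clearer as "Do NOT uncomment either", since the lines are already commented out.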