renamed: etc/sysctl.d/30_security-misc.conf -> usr/lib/sysctl.d/30_security-misc.conf

renamed: etc/sysctl.d/30_security-misc_kexec-disable.conf -> usr/lib/sysctl.d/30_security-misc_kexec-disable.conf renamed: etc/sysctl.d/30_silent-kernel-printk.conf -> usr/lib/sysctl.d/30_silent-kernel-printk.conf
2025-05-09 01:15:04 -04:00 · 2023-10-25 17:28:43 -04:00 · 2023-10-25 17:28:43 -04:00 · b7c52800f4
commit b7c52800f4
parent 3317332cb4
3 changed files with 0 additions and 0 deletions
--- a/usr/lib/sysctl.d/30_security-misc.conf
+++ b/usr/lib/sysctl.d/30_security-misc.conf
@ -0,0 +1,158 @@
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Disables coredumps. This setting may be overwritten by systemd so this may not be useful.
+## security-misc also disables coredumps in other ways.
+kernel.core_pattern=|/bin/false
+
+## Restricts the kernel log to root only.
+kernel.dmesg_restrict=1
+
+## Don't allow writes to files that we don't own
+## in world writable sticky directories, unless
+## they are owned by the owner of the directory.
+fs.protected_fifos=2
+fs.protected_regular=2
+
+## Only allow symlinks to be followed when outside of
+## a world-writable sticky directory, or when the owner
+## of the symlink and follower match, or when the directory
+## owner matches the symlink's owner.
+##
+## Prevent hardlinks from being created by users that do not
+## have read/write access to the source file.
+##
+## These prevent many TOCTOU races.
+fs.protected_symlinks=1
+fs.protected_hardlinks=1
+
+## Hardens the BPF JIT compiler and restricts it to root.
+kernel.unprivileged_bpf_disabled=1
+net.core.bpf_jit_harden=2
+
+## Hides kernel addresses in various files in /proc.
+## Kernel addresses can be very useful in certain exploits.
+##
+## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
+kernel.kptr_restrict=2
+
+## Improves ASLR effectiveness for mmap.
+## Both explicit sysctl are made redundant due to automation
+## https://forums.whonix.org/t/automate-mmap-randomisation-to-fix-ppc64el/16514
+## Do NOT enable either - displaying only for clarity
+##
+#vm.mmap_rnd_bits=32
+#vm.mmap_rnd_compat_bits=16
+
+## Restricts the use of ptrace to root. This might break some programs running under WINE.
+## A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. This can be done by running:
+##
+## sudo apt-get install libcap2-bin
+## sudo setcap cap_sys_ptrace=eip /usr/bin/wineserver
+## sudo setcap cap_sys_ptrace=eip /usr/bin/wine-preloader
+kernel.yama.ptrace_scope=2
+
+## Prevent setuid processes from creating coredumps.
+fs.suid_dumpable=0
+
+## Randomize the addresses for mmap base, heap, stack, and VDSO pages
+kernel.randomize_va_space=2
+
+#### meta start
+#### project Kicksecure
+#### category networking and security
+#### description
+## TCP/IP stack hardening
+
+## Protects against time-wait assassination.
+## It drops RST packets for sockets in the time-wait state.
+net.ipv4.tcp_rfc1337=1
+
+## Disables ICMP redirect acceptance.
+net.ipv4.conf.all.accept_redirects=0
+net.ipv4.conf.default.accept_redirects=0
+net.ipv4.conf.all.secure_redirects=0
+net.ipv4.conf.default.secure_redirects=0
+net.ipv6.conf.all.accept_redirects=0
+net.ipv6.conf.default.accept_redirects=0
+
+## Disables ICMP redirect sending.
+net.ipv4.conf.all.send_redirects=0
+net.ipv4.conf.default.send_redirects=0
+
+## Ignores ICMP requests.
+net.ipv4.icmp_echo_ignore_all=1
+net.ipv6.icmp.echo_ignore_all=1
+
+## Ignores bogus ICMP error responses
+net.ipv4.icmp_ignore_bogus_error_responses=1
+
+## Enables TCP syncookies.
+net.ipv4.tcp_syncookies=1
+
+## Disable source routing.
+net.ipv4.conf.all.accept_source_route=0
+net.ipv4.conf.default.accept_source_route=0
+net.ipv6.conf.all.accept_source_route=0
+net.ipv6.conf.default.accept_source_route=0
+
+## Enable reverse path filtering to prevent IP spoofing and
+## mitigate vulnerabilities such as CVE-2019-14899.
+## https://forums.whonix.org/t/enable-reverse-path-filtering/8594
+net.ipv4.conf.default.rp_filter=1
+net.ipv4.conf.all.rp_filter=1
+
+#### meta end
+
+
+## Previously disabled SACK, DSACK, and FACK.
+## https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109
+#net.ipv4.tcp_sack=0
+#net.ipv4.tcp_dsack=0
+#net.ipv4.tcp_fack=0
+
+
+#### meta start
+#### project Kicksecure
+#### category networking and security
+#### description
+## disable IPv4 TCP Timestamps
+
+net.ipv4.tcp_timestamps=0
+
+#### meta end
+
+
+## Only allow the SysRq key to be used for shutdowns and the
+## Secure Attention Key (SAK).
+##
+## https://forums.whonix.org/t/sysrq-magic-sysrq-key/8079/
+kernel.sysrq=132
+
+## Restrict loading TTY line disciplines to CAP_SYS_MODULE to prevent
+## unprivileged attackers from loading vulnerable line disciplines
+## with the TIOCSETD ioctl which has been used in exploits before
+## such as https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html
+##
+## https://lkml.org/lkml/2019/4/15/890
+dev.tty.ldisc_autoload=0
+
+## Restrict the userfaultfd() syscall to root as it can make heap sprays
+## easier.
+##
+## https://duasynt.com/blog/linux-kernel-heap-spray
+vm.unprivileged_userfaultfd=0
+
+## Let the kernel only swap if it is absolutely necessary.
+## Better not be set to zero:
+## - https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Performance_Tuning_Guide/s-memory-tunables.html
+## - https://en.wikipedia.org/wiki/Swappiness
+vm.swappiness=1
+
+## Disallow kernel profiling by users without CAP_SYS_ADMIN
+## https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
+kernel.perf_event_paranoid=3
+
+# Do not accept router advertisments
+net.ipv6.conf.all.accept_ra=0
+net.ipv6.conf.default.accept_ra=0
--- a/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf
+++ b/usr/lib/sysctl.d/30_security-misc_kexec-disable.conf
@ -0,0 +1,16 @@
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Quote https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html
+##
+## kexec_load_disabled:
+##
+## A toggle indicating if the kexec_load syscall has been disabled. This value defaults to 0 (false: kexec_load enabled), but can be set to 1 (true: kexec_load disabled). Once true, kexec can no longer be used, and the toggle cannot be set back to false. This allows a kexec image to be loaded before disabling the syscall, allowing a system to set up (and later use) an image without it being altered. Generally used together with the "modules_disabled" sysctl.
+## Disables kexec which can be used to replace the running kernel.
+kernel.kexec_load_disabled=1
+
+## Why is this in a dedicated config file?
+## Package ram-wipe requires kexec. However, ram-wipe could not ship a config
+## file /etc/sysctl.d/40_ram-wipe.conf which sets 'kernel.kexec_load_disabled=0'.
+## This is because once systemd-sysctl.service has set 'kernel.kexec_load_disabled=1'
+## it cannot be undone without reboot. This is a upstream Linux security feature.
--- a/usr/lib/sysctl.d/30_silent-kernel-printk.conf
+++ b/usr/lib/sysctl.d/30_silent-kernel-printk.conf
@ -0,0 +1,14 @@
+## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Prevent kernel info leaks in console during boot.
+## https://phabricator.whonix.org/T950
+kernel.printk = 3 3 3 3
+
+## NOTE:
+## For higher verbosity, the user might also want to delete file
+## /etc/default/grub.d/41_quiet.cfg
+## (or out-comment its settings).
+##
+## Alternatively, the user could consider to install the debug-misc package,
+## which will undo the settings found here.