Some documentation additions and fixes

Raja Grewal 2024-07-14 13:40:53 +10:00
parent 565597c9a2
commit dd1741c4a1
No known key found for this signature in database
GPG Key ID: 92CA473C156B64C4

@ -98,6 +98,7 @@ kernel.sysrq=0
## Restricts kernel profiling to CAP_PERFMON.
## The performance events system should not be accessible by unprivileged users.
## Other distributions such as Ubuntu and Fedora may permit further restricting.
##
## https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html#unprivileged-users
## https://lore.kernel.org/kernel-hardening/1469630746-32279-1-git-send-email-jeffv@google.com/
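Review bot: The added line "## Other distributions such as Ubuntu and Fedora may permit further restricting." does not say what the further restriction is or how it would be set. Name the value or mechanism meant and state whether it applies to this configuration; as written a reader cannot act on it, and the sysctl line it describes is not next to it to give a hint.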
@ -126,9 +127,16 @@ kernel.io_uring_disabled=2
## Restrict usage of the ptrace() system call to only processes with CAP_SYS_PTRACE.
## Limit ptrace() as it enables programs to inspect and modify other active processes.
## This may break some programs running under WINE.
## Prevents native code debugging which some programs use as a method to detect tampering.
## May cause breakages in 'anti-cheat' software and programs running under Proton/WINE.
##
## https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html#ptrace-scope
## https://en.wikipedia.org/wiki/Ptrace
## https://grapheneos.org/features#attack-surface-reduction
## https://github.com/GrapheneOS/os-issue-tracker/issues/651#issuecomment-917599928
## https://github.com/netblue30/firejail/issues/2860
##
## It is possible to harden further by disabling ptrace() for all users, see documentation.
##
kernel.yama.ptrace_scope=2
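Review bot: The closing note "It is possible to harden further by disabling ptrace() for all users, see documentation." does not say which documentation or which value of kernel.yama.ptrace_scope it refers to. Point at the Yama ptrace-scope link already listed above, or state the value directly, so the comment is self-contained next to the setting. Separately, "Prevents native code debugging which some programs use as a method to detect tampering." can be read as debugging being the thing that is prevented or as the thing programs rely on; splitting it into one sentence for the effect and one for the breakage would remove the ambiguity.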
@ -301,16 +309,16 @@ net.ipv6.conf.default.accept_ra=0
#net.ipv4.tcp_dsack=0
net.ipv4.tcp_fack=0
## Disable TCP timestamps to limit system fingerprinting via time.
## Disable TCP timestamps to limit device fingerprinting via system time.
##
## https://forums.whonix.org/t/do-ntp-and-tcp-timestamps-really-leak-your-local-time/7824
## https://web.archive.org/web/20170201160732/https://mailman.boum.org/pipermail/tails-dev/2013-December/004520.html
##
net.ipv4.tcp_timestamps=0
## Previously enabled logging of packets with impossible source or destination addresses.
## Enable logging of packets with impossible source or destination addresses.
## Martian and unroutable packets may be used for dangerous purposes.
## Recommended to keep a (kernel dmesg) log of these to identify these suspicious packets
## Recommended to keep a (kernel dmesg) log of these to identify these suspicious packets.
## Good for troubleshooting and diagnostics but not necessary by default.
## Known for causing performance issues especially on systems with multiple interfaces.
##
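Review bot: Changing "Previously enabled logging of packets ..." to "Enable logging of packets ..." makes the comment read as if the setting is turned on, while the lines below it still say "not necessary by default" and "Known for causing performance issues". The sysctl line itself is outside this hunk, so please confirm the wording matches its state; if logging stays off, something like "Optionally enable logging ..." or keeping the note that it was previously enabled would avoid the contradiction. The repeated "these" in "log of these to identify these suspicious packets" could be cleaned up in the same pass.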