mirror of
https://github.com/Kicksecure/security-misc.git
synced 2025-01-15 20:37:08 -05:00
Some documentation additions and fixes
This commit is contained in:
parent
565597c9a2
commit
dd1741c4a1
@ -98,6 +98,7 @@ kernel.sysrq=0
|
|||||||
|
|
||||||
## Restricts kernel profiling to CAP_PERFMON.
|
## Restricts kernel profiling to CAP_PERFMON.
|
||||||
## The performance events system should not be accessible by unprivileged users.
|
## The performance events system should not be accessible by unprivileged users.
|
||||||
|
## Other distributions such as Ubuntu and Fedora may permit further restricting.
|
||||||
##
|
##
|
||||||
## https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html#unprivileged-users
|
## https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html#unprivileged-users
|
||||||
## https://lore.kernel.org/kernel-hardening/1469630746-32279-1-git-send-email-jeffv@google.com/
|
## https://lore.kernel.org/kernel-hardening/1469630746-32279-1-git-send-email-jeffv@google.com/
|
||||||
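Review bot: the added line "Other distributions such as Ubuntu and Fedora may permit further restricting." does not say what is being restricted further, by which setting, or to what value, so a reader cannot act on it or compare it with the value set below; either name the setting and the value those distributions use (or the reference that documents it), or drop the sentence. Minor grammar: "further restricting" should read "further restriction".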
@ -126,9 +127,16 @@ kernel.io_uring_disabled=2
|
|||||||
|
|
||||||
## Restrict usage of the ptrace() system call to only processes with CAP_SYS_PTRACE.
|
## Restrict usage of the ptrace() system call to only processes with CAP_SYS_PTRACE.
|
||||||
## Limit ptrace() as it enables programs to inspect and modify other active processes.
|
## Limit ptrace() as it enables programs to inspect and modify other active processes.
|
||||||
## This may break some programs running under WINE.
|
## Prevents native code debugging which some programs use as a method to detect tampering.
|
||||||
|
## May cause breakages in 'anti-cheat' software and programs running under Proton/WINE.
|
||||||
##
|
##
|
||||||
## https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html#ptrace-scope
|
## https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html#ptrace-scope
|
||||||
|
## https://en.wikipedia.org/wiki/Ptrace
|
||||||
|
## https://grapheneos.org/features#attack-surface-reduction
|
||||||
|
## https://github.com/GrapheneOS/os-issue-tracker/issues/651#issuecomment-917599928
|
||||||
|
## https://github.com/netblue30/firejail/issues/2860
|
||||||
|
##
|
||||||
|
## It is possible to harden further by disabling ptrace() for all users, see documentation.
|
||||||
##
|
##
|
||||||
kernel.yama.ptrace_scope=2
|
kernel.yama.ptrace_scope=2
|
||||||
|
|
||||||
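Review bot: the replacement line "Prevents native code debugging which some programs use as a method to detect tampering." overstates the effect: the line above restricts ptrace() to CAP_SYS_PTRACE holders rather than removing it, so "Prevents unprivileged native-code debugging, which some programs use to detect tampering." would be accurate (and the comma before "which" is needed). The closing "It is possible to harden further by disabling ptrace() for all users, see documentation." should say which documentation; the Yama "#ptrace-scope" link already in this block is the natural reference, and stating the value that achieves it would let the reader apply it without guessing.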
@ -301,16 +309,16 @@ net.ipv6.conf.default.accept_ra=0
|
|||||||
#net.ipv4.tcp_dsack=0
|
#net.ipv4.tcp_dsack=0
|
||||||
net.ipv4.tcp_fack=0
|
net.ipv4.tcp_fack=0
|
||||||
|
|
||||||
## Disable TCP timestamps to limit system fingerprinting via time.
|
## Disable TCP timestamps to limit device fingerprinting via system time.
|
||||||
##
|
##
|
||||||
## https://forums.whonix.org/t/do-ntp-and-tcp-timestamps-really-leak-your-local-time/7824
|
## https://forums.whonix.org/t/do-ntp-and-tcp-timestamps-really-leak-your-local-time/7824
|
||||||
## https://web.archive.org/web/20170201160732/https://mailman.boum.org/pipermail/tails-dev/2013-December/004520.html
|
## https://web.archive.org/web/20170201160732/https://mailman.boum.org/pipermail/tails-dev/2013-December/004520.html
|
||||||
##
|
##
|
||||||
net.ipv4.tcp_timestamps=0
|
net.ipv4.tcp_timestamps=0
|
||||||
|
|
||||||
## Previously enabled logging of packets with impossible source or destination addresses.
|
## Enable logging of packets with impossible source or destination addresses.
|
||||||
## Martian and unroutable packets may be used for dangerous purposes.
|
## Martian and unroutable packets may be used for dangerous purposes.
|
||||||
## Recommended to keep a (kernel dmesg) log of these to identify these suspicious packets
|
## Recommended to keep a (kernel dmesg) log of these to identify these suspicious packets.
|
||||||
## Good for troubleshooting and diagnostics but not necessary by default.
|
## Good for troubleshooting and diagnostics but not necessary by default.
|
||||||
## Known for causing performance issues especially on systems with multiple interfaces.
|
## Known for causing performance issues especially on systems with multiple interfaces.
|
||||||
##
|
##
|
||||||
|
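Review bot: changing "Previously enabled logging of packets ..." to the imperative "Enable logging of packets ..." reads as an instruction, yet the same block ends by calling the logging "not necessary by default" and "known for causing performance issues", and the hunk shows no setting being turned on; keep the wording descriptive (for example "Logging of packets with impossible source or destination addresses (disabled by default, see below).") so the comment does not contradict its own conclusion. The timestamps rewording ("limit device fingerprinting via system time") is clearer than the old line and fine as is.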