## Copyright (C) 2019 - 2023 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## NOTE: ## This file has a weird file name so /usr/lib/sysctl.d/99-protect-links.conf ## is parsed first and /usr/lib/sysctl.d/990-security-misc.conf is parsed ## afterwards. See also: ## https://github.com/Kicksecure/security-misc/pull/135 ## Restricts the kernel log to root only. kernel.dmesg_restrict=1 ## Disables coredumps. This setting may be overwritten by systemd so this may not be useful. ## security-misc also disables coredumps in other ways. kernel.core_pattern=|/bin/false ## Does not set coredump name to 'core' which is default. Defense in depth. kernel.core_uses_pid=1 ## Prevent setuid processes from creating coredumps. fs.suid_dumpable=0 ## Don't allow writes to files that we don't own ## in world writable sticky directories, unless ## they are owned by the owner of the directory. fs.protected_fifos=2 fs.protected_regular=2 ## Only allow symlinks to be followed when outside of ## a world-writable sticky directory, or when the owner ## of the symlink and follower match, or when the directory ## owner matches the symlink's owner. ## ## Prevent hardlinks from being created by users that do not ## have read/write access to the source file. ## ## These prevent many TOCTOU races. fs.protected_symlinks=1 fs.protected_hardlinks=1 ## Hides kernel addresses in various files in /proc. ## Kernel addresses can be very useful in certain exploits. ## ## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak kernel.kptr_restrict=2 ## Improves ASLR effectiveness for mmap. ## Both explicit sysctl are made redundant due to automation ## https://forums.whonix.org/t/automate-mmap-randomisation-to-fix-ppc64el/16514 ## Do NOT enable either - displaying only for clarity ## #vm.mmap_rnd_bits=32 #vm.mmap_rnd_compat_bits=16 ## Restricts the use of ptrace to root. This might break some programs running under WINE. ## A workaround for WINE would be to give the wineserver and wine-preloader ptrace capabilities. This can be done by running: ## ## sudo apt-get install libcap2-bin ## sudo setcap cap_sys_ptrace=eip /usr/bin/wineserver ## sudo setcap cap_sys_ptrace=eip /usr/bin/wine-preloader kernel.yama.ptrace_scope=2 ## Randomize the addresses for mmap base, heap, stack, and VDSO pages kernel.randomize_va_space=2 ## Hardens the BPF JIT compiler and restricts it to root. kernel.unprivileged_bpf_disabled=1 net.core.bpf_jit_harden=2 ## Disable asynchronous I/O for all processes. ## Valid only for linux kernel version >= 6.6. ## Command is retained here for future-proofing and completeness. ## https://forums.whonix.org/t/io-uring-security-vulnerabilties/16890/6 kernel.io_uring_disabled=2 #### meta start #### project Kicksecure #### category networking and security #### description ## TCP/IP stack hardening ## A martian packet is a one with a source address which is blatantly wrong ## Recommended to keep a log of these to identify these suspicious packets net.ipv4.conf.all.log_martians=1 net.ipv4.conf.default.log_martians=1 ## Protects against time-wait assassination. ## It drops RST packets for sockets in the time-wait state. net.ipv4.tcp_rfc1337=1 ## Disables ICMP redirect acceptance. net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.default.accept_redirects=0 net.ipv4.conf.all.secure_redirects=0 net.ipv4.conf.default.secure_redirects=0 net.ipv6.conf.all.accept_redirects=0 net.ipv6.conf.default.accept_redirects=0 ## Disables ICMP redirect sending. net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_redirects=0 ## Ignores ICMP requests. net.ipv4.icmp_echo_ignore_all=1 net.ipv6.icmp.echo_ignore_all=1 ## Ignores bogus ICMP error responses net.ipv4.icmp_ignore_bogus_error_responses=1 ## Enables TCP syncookies. net.ipv4.tcp_syncookies=1 ## Disable source routing. net.ipv4.conf.all.accept_source_route=0 net.ipv4.conf.default.accept_source_route=0 net.ipv6.conf.all.accept_source_route=0 net.ipv6.conf.default.accept_source_route=0 ## Enable reverse path filtering to prevent IP spoofing and ## mitigate vulnerabilities such as CVE-2019-14899. ## https://forums.whonix.org/t/enable-reverse-path-filtering/8594 net.ipv4.conf.default.rp_filter=1 net.ipv4.conf.all.rp_filter=1 #### meta end ## Previously disabled SACK, DSACK, and FACK. ## https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109 #net.ipv4.tcp_sack=0 #net.ipv4.tcp_dsack=0 #net.ipv4.tcp_fack=0 #### meta start #### project Kicksecure #### category networking and security #### description ## disable IPv4 TCP Timestamps net.ipv4.tcp_timestamps=0 #### meta end ## Disable SysRq key kernel.sysrq=0 ## Restrict loading TTY line disciplines to CAP_SYS_MODULE to prevent ## unprivileged attackers from loading vulnerable line disciplines ## with the TIOCSETD ioctl which has been used in exploits before ## such as https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html ## ## https://lkml.org/lkml/2019/4/15/890 dev.tty.ldisc_autoload=0 ## Restrict the userfaultfd() syscall to root as it can make heap sprays ## easier. ## ## https://duasynt.com/blog/linux-kernel-heap-spray vm.unprivileged_userfaultfd=0 ## Let the kernel only swap if it is absolutely necessary. ## Better not be set to zero: ## - https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Performance_Tuning_Guide/s-memory-tunables.html ## - https://en.wikipedia.org/wiki/Swappiness vm.swappiness=1 ## Disallow kernel profiling by users without CAP_SYS_ADMIN ## https://www.kernel.org/doc/Documentation/sysctl/kernel.txt kernel.perf_event_paranoid=3 ## Do not accept router advertisements net.ipv6.conf.all.accept_ra=0 net.ipv6.conf.default.accept_ra=0