## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## NOTE: ## This file has a special name to ensure that /usr/lib/sysctl.d/99-protect-links.conf ## is parsed first, followed by /usr/lib/sysctl.d/990-security-misc.conf. ## https://github.com/Kicksecure/security-misc/pull/135 ## This configuration file is divided into 5 sections: ## 1. Kernel Space ## 2. User Space ## 3. Core Dumps ## 4. Swap Space ## 5. Networking ## For detailed explanations of most of the selected commands, refer to: ## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html ## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/fs.html ## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/net.html ## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/vm.html ## https://www.kernel.org/doc/html/latest//networking/ip-sysctl.html ## 1. Kernel Space: ## ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel ## https://kspp.github.io/Recommended_Settings#sysctls ## https://wiki.archlinux.org/title/Security#Kernel_hardening ## Restrict kernel address visibility via /proc and other interfaces, regardless of user privileges. ## Kernel pointers expose specific locations in kernel memory. ## ## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak ## kernel.kptr_restrict=2 ## Restrict access to the kernel log buffer to users with CAP_SYSLOG. ## Kernel logs often contain sensitive information such as kernel pointers. ## kernel.dmesg_restrict=1 ## Prevent kernel information leaks in the console during boot. ## Must be used in conjunction with kernel boot parameters. ## See /etc/default/grub.d/41_quiet_boot.cfg for implementation. ## ## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html ## ## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation. ## #kernel.printk=3 3 3 3 ## Restrict eBPF access to CAP_BPF and enable associated JIT compiler hardening. ## ## https://en.wikipedia.org/wiki/EBPF#Security ## kernel.unprivileged_bpf_disabled=1 net.core.bpf_jit_harden=2 ## Restrict loading TTY line disciplines to users with CAP_SYS_MODULE. ## Prevents unprivileged users from loading vulnerable line disciplines with the TIOCSETD ioctl. ## ## https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html ## https://lkml.org/lkml/2019/4/15/890 ## dev.tty.ldisc_autoload=0 ## Restrict the userfaultfd() syscall to users with SYS_CAP_PTRACE. ## Reduces the likelihood of use-after-free exploits from heap sprays. ## ## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cefdca0a86be517bc390fc4541e3674b8e7803b0 ## https://duasynt.com/blog/linux-kernel-heap-spray ## vm.unprivileged_userfaultfd=0 ## Disables kexec, which can be used to replace the running kernel. ## Useful for live kernel patching without rebooting. ## ## https://en.wikipedia.org/wiki/Kexec ## ## See /usr/lib/sysctl.d/30_security-misc_kexec-disable.conf for implementation. ## #kernel.kexec_load_disabled=1 ## Disable the SysRq key to prevent leakage of kernel information. ## The Secure Attention Key (SAK) can no longer be utilized. ## ## https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html ## https://www.kicksecure.com/wiki/SysRq ## https://github.com/xairy/unlockdown ## kernel.sysrq=0 ## Restrict user namespaces to users with CAP_SYS_ADMIN. ## User namespaces aim to improve sandboxing and accessibility for unprivileged users. ## Unprivileged user namespaces pose substantial privilege escalation risks. ## Restricting may lead to breakages in numerous software packages. ## Uncomment the second sysctl to entirely disable user namespaces. ## Disabling entirely will reduce compatibility with some AppArmor profiles. ## ## https://lwn.net/Articles/673597/ ## https://madaidans-insecurities.github.io/linux.html#kernel ## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers ## https://github.com/NixOS/nixpkgs/pull/84522#issuecomment-614640601 ## https://github.com/Kicksecure/security-misc/pull/263 ## ## KSPP=partial ## KSPP sets the stricter sysctl user.max_user_namespaces=0. ## kernel.unprivileged_userns_clone=0 #user.max_user_namespaces=0 ## Restricts kernel profiling to users with CAP_PERFMON. ## The performance events system should not be accessible by unprivileged users. ## Other distributions such as Ubuntu and Fedora may permit further restricting. ## ## https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html#unprivileged-users ## https://lore.kernel.org/kernel-hardening/1469630746-32279-1-git-send-email-jeffv@google.com/ ## kernel.perf_event_paranoid=3 ## Force the kernel to panic on "oopses". ## Can sometimes potentially indicate and thwart certain kernel exploitation attempts. ## Also cause panics on machine check exceptions. ## Panics may be due to false-positives such as bad drivers. ## ## https://forums.whonix.org/t/set-oops-panic-kernel-parameter-or-kernel-panic-on-oops-1-sysctl-for-better-security/7713 ## ## See /usr/libexec/security-misc/panic-on-oops for implementation. ## #kernel.panic_on_oops=1 #kernel.panic=-1 ## Disable the use of legacy TIOCSTI operations which can be used to inject keypresses. ## Can lead to privilege escalation by pushing characters into a controlling TTY. ## Will break out-dated screen readers that continue to rely on this legacy functionality. ## ## https://lore.kernel.org/lkml/20221228205726.rfevry7ud6gmttg5@begin/T/ ## ## TODO: Debian 13 Trixie ## This is disabled by default when using Linux kernel >= 6.2. ## dev.tty.legacy_tiocsti=0 ## Disable asynchronous I/O for all processes. ## Leading cause of numerous kernel exploits. ## Disabling will reduce the read/write performance of storage devices. ## ## https://en.wikipedia.org/wiki/Io_uring#Security ## https://lwn.net/Articles/902466/ ## https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html ## https://github.com/moby/moby/pull/46762 ## https://forums.whonix.org/t/io-uring-security-vulnerabilties/16890 ## ## TODO: Debian 13 Trixie ## Applicable when using Linux kernel >= 6.6 (retained here for future-proofing and completeness). ## kernel.io_uring_disabled=2 ## 2. User Space: ## ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace ## Restrict usage of the ptrace() system call to only processes with CAP_SYS_PTRACE. ## Limit ptrace() as it enables programs to inspect and modify other active processes. ## Prevents native code debugging which some programs use as a method to detect tampering. ## May cause breakages in 'anti-cheat' software and programs running under Proton/WINE. ## ## https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html#ptrace-scope ## https://en.wikipedia.org/wiki/Ptrace ## https://grapheneos.org/features#attack-surface-reduction ## https://github.com/GrapheneOS/os-issue-tracker/issues/651#issuecomment-917599928 ## https://github.com/netblue30/firejail/issues/2860 ## ## It is possible to harden further by disabling ptrace() for all users, see documentation. ## https://github.com/Kicksecure/security-misc/pull/242 ## kernel.yama.ptrace_scope=2 ## Maximize bits of entropy for improved effectiveness of mmap ASLR. ## The maximum number of bits depends on CPU architecture (the ones shown below are for x86). ## Both explicit sysctl are made redundant due to automation. ## Do NOT enable either sysctl - displaying only for clarity. ## ## https://forums.whonix.org/t/automate-mmap-randomisation-to-fix-ppc64el/16514 ## ## See /usr/libexec/security-misc/mmap-rnd-bits for implementation. ## #vm.mmap_rnd_bits=32 #vm.mmap_rnd_compat_bits=16 ## Prevent hardlink creation by users who do not have read/write/ownership of source file. ## Only allow symlinks to be followed when outside of world-writable sticky directories. ## Allow symlinks when the owner and follower match or when the directory owner matches the symlink's owner. ## Hardens cross-privilege boundaries if root process follows a hardlink/symlink belonging to another user. ## This mitigates many hardlink/symlink-based TOCTOU races in world-writable directories like /tmp. ## ## https://wiki.archlinux.org/title/Security#File_systems ## https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=/tmp ## https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use#Preventing_TOCTOU ## fs.protected_hardlinks=1 fs.protected_symlinks=1 ## Disallow writes to files in world-writable sticky directories unless owned by the directory owner. ## Also applies to group-writable sticky directories to make data spoofing attacks more difficult. ## Prevents unintentional writes to attacker-controlled files. ## fs.protected_fifos=2 fs.protected_regular=2 ## Enable ASLR for mmap base, stack, VDSO pages, and heap. ## Forces shared libraries to be loaded to random addresses ## Start location of PIE-linked binaries is randomized. ## Heap randomization can lead to breakages with legacy applications. ## ## https://en.wikipedia.org/wiki/Address_space_layout_randomization#Linux ## kernel.randomize_va_space=2 ## Increase the maximum number of memory map areas a process is permitted to utilize. ## Addresses performance, crash, and start-up issues for some memory-intensive applications. ## Required to accommodate the very large number of guard pages created by hardened_malloc. ## Kicksecure version 18 will deprecate hardened_malloc, so this sysctl will be applied here instead. ## ## https://archlinux.org/news/increasing-the-default-vmmax_map_count-value/ ## https://github.com/GrapheneOS/hardened_malloc#traditional-linux-based-operating-systems ## https://github.com/Kicksecure/hardened_malloc/blob/master/debian/hardened_malloc.conf ## https://www.kicksecure.com/wiki/Hardened_Malloc#Deprecation_in_Kicksecure ## vm.max_map_count=1048576 ## Disable the miscellaneous binary format virtual file system to prevent unintended code execution. ## Prevents registering interpreters for various binary formats based on a magic number or their file extension. ## Otherwise arbitrary executables with recognized file formats will be passed to relevant user space applications. ## These interpreters will then run with root permissions when a setuid binary is owned by root. ## Can stop maliciously crafted files with specific file extensions from automatically executing. ## Breaks many scripts that do not have appropriate shebang interpreter directives (#!/bin/...). ## ## https://www.kernel.org/doc/html/latest/admin-guide/binfmt-misc.html ## https://salsa.debian.org/debian/binfmt-support ## https://access.redhat.com/solutions/1985633 ## https://en.wikipedia.org/wiki/Binfmt_misc ## https://security.stackexchange.com/questions/271786/does-allowing-binfmt-misc-significantly-increase-the-attack-surface-for-unprivil ## https://unix.stackexchange.com/questions/439569/what-kinds-of-executable-formats-do-the-files-under-proc-sys-fs-binfmt-misc-al ## https://github.com/Kicksecure/security-misc/pull/249 ## ## KSPP=yes ## KSPP does not set CONFIG_BINFMT_MISC. ## fs.binfmt_misc.status=0 ## 3. Core Dumps: ## ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps ## Disable core dump files by preventing any pattern names. ## This setting may be overwritten by systemd and is not comprehensive. ## Core dumps are also disabled in security-misc via other means. ## ## https://wiki.archlinux.org/title/Core_dump#Disabling_automatic_core_dumps ## kernel.core_pattern=|/bin/false ## Prevent setuid processes or otherwise protected/tainted binaries from creating core dumps. ## Any process which has changed privilege levels or is execute-only will not be dumped. ## fs.suid_dumpable=0 ## Set core dump file name to 'core.PID' instead of 'core' as a form of defense-in-depth. ## If core dumps are permitted, only useful if PID listings are hidden from non-root users. ## kernel.core_uses_pid=1 ## 4. Swap Space: ## ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#swap ## Limit the copying of memory to the swap device only if absolutely necessary. ## Minimizes the likelihood of writing potentially sensitive contents to disk. ## Not recommended to set to zero since this disables periodic write behavior. ## ## https://en.wikipedia.org/wiki/Memory_paging#Linux ## https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Performance_Tuning_Guide/s-memory-tunables.html ## vm.swappiness=1 ## 5. Networking: ## ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-network ## https://wiki.archlinux.org/title/Sysctl#TCP/IP_stack_hardening ## Enable TCP SYN cookie protection to assist against SYN flood attacks. ## ## https://en.wikipedia.org/wiki/SYN_flood ## https://cateee.net/lkddb/web-lkddb/SYN_COOKIES.html ## net.ipv4.tcp_syncookies=1 ## Protect against TCP time-wait assassination hazards. ## Drops RST packets for sockets in the time-wait state. ## ## https://tools.ietf.org/html/rfc1337 ## net.ipv4.tcp_rfc1337=1 ## Enable reverse path filtering (source validation) of packets received from all interfaces. ## Prevents IP spoofing and mitigates vulnerabilities such as CVE-2019-14899. ## The second "default" command fixes a bug in the existing kernel implementation. ## ## https://en.wikipedia.org/wiki/IP_address_spoofing ## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-reverse_path_forwarding#sect-Security_Guide-Server_Security-Reverse_Path_Forwarding ## https://forums.whonix.org/t/enable-reverse-path-filtering/8594 ## https://seclists.org/oss-sec/2019/q4/122 ## https://github.com/Kicksecure/security-misc/pull/261 ## net.ipv4.conf.*.rp_filter=1 net.ipv4.conf.default.rp_filter=1 ## Disable ICMP redirect acceptance and redirect sending messages. ## Prevents man-in-the-middle attacks and minimizes information disclosure. ## If ICMP redirects are permitted, accept messages only through approved gateways (kernel default). ## Approving gateways requires the managing of a default gateway list. ## ## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-disable-source-routing#sect-Security_Guide-Server_Security-Disable-Source-Routing ## https://www.frozentux.net/ipsysctl-tutorial/chunkyhtml/theconfvariables.html ## https://www.debian.org/doc/manuals/securing-debian-manual/network-secure.en.html ## https://askubuntu.com/questions/118273/what-are-icmp-redirects-and-should-they-be-blocked ## https://github.com/Kicksecure/security-misc/pull/248 ## net.ipv4.conf.*.accept_redirects=0 net.ipv4.conf.*.send_redirects=0 net.ipv6.conf.*.accept_redirects=0 #net.ipv4.conf.*.secure_redirects=1 ## Ignore ICMP echo requests. ## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks. ## ## https://en.wikipedia.org/wiki/Smurf_attack ## net.ipv4.icmp_echo_ignore_all=1 net.ipv6.icmp.echo_ignore_all=1 ## Ignore bogus ICMP error responses. ## Mitigates attacks designed to fill log files with useless error messages. ## net.ipv4.icmp_ignore_bogus_error_responses=1 ## Disable source routing which allows users to redirect network traffic. ## Prevents man-in-the-middle attacks in which the traffic is redirected. ## ## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-disable-source-routing ## net.ipv4.conf.*.accept_source_route=0 net.ipv6.conf.*.accept_source_route=0 ## Do not accept IPv6 router advertisements and solicitations. ## net.ipv6.conf.*.accept_ra=0 ## Disable SACK and DSACK. ## Select acknowledgements (SACKs) are a known common vector of exploitation. ## Duplicate select acknowledgements (DSACKs) are an extension of SACK. ## Disabling can cause severe connectivity issues on networks with high latency or packet loss. ## Enabling on stable high-bandwidth networks can lead to reduced efficiency of TCP connections. ## ## https://datatracker.ietf.org/doc/html/rfc2018 ## https://datatracker.ietf.org/doc/html/rfc2883 ## https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf ## https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md ## https://wiki.archlinux.org/title/Sysctl#TCP_Selective_Acknowledgement ## https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109/5 ## ## SACK and DSACK are currently enabled. ## #net.ipv4.tcp_sack=0 #net.ipv4.tcp_dsack=0 ## Disable TCP timestamps to limit device fingerprinting via system time. ## Timestamps allow round-trip time measurement and protection against wrapped sequence numbers. ## Disabling timestamps on very fast links is likely to cause TCP Sequence Numbers to wrap. ## Segments with wrapped numbers will be incorrectly discarded, reducing network performance. ## ## https://datatracker.ietf.org/doc/html/rfc1323 ## https://forums.whonix.org/t/do-ntp-and-tcp-timestamps-really-leak-your-local-time/7824 ## https://web.archive.org/web/20170201160732/https://mailman.boum.org/pipermail/tails-dev/2013-December/004520.html ## https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf ## net.ipv4.tcp_timestamps=0 ## Enable logging of packets with impossible source or destination addresses. ## Martian and unroutable packets may be used for malicious purposes. ## Recommended to keep a (kernel dmesg) log of these to identify suspicious packets. ## Useful for troubleshooting and diagnostics but not necessary by default. ## Known to cause performance issues, especially on systems with multiple interfaces. ## ## https://wiki.archlinux.org/title/Sysctl#Log_martian_packets ## https://github.com/Kicksecure/security-misc/issues/214 ## ## The logging of martian packets is currently disabled. ## #net.ipv4.conf.*.log_martians=1 ## Enable IPv6 Privacy Extensions to prefer temporary addresses over public addresses. ## The temporary/privacy address is used as the source for all outgoing traffic. ## Must be used in combination with /usr/lib/systemd/networkd.conf.d/80_ipv6-privacy-extensions.conf. ## Must be used in combination with /usr/lib/NetworkManager/conf.d/80_ipv6-privacy.conf. ## Should be used with MAC randomization in /usr/lib/NetworkManager/conf.d/80_randomize-mac.conf. ## ## MAC randomization breaks root server and VirtualBox DHCP, likely due to IPv6 Privacy Extensions. ## ## https://datatracker.ietf.org/doc/html/rfc4941 ## https://github.com/Kicksecure/security-misc/pull/145 ## https://github.com/Kicksecure/security-misc/issues/184 ## ## The use of IPv6 Privacy Extensions is currently disabled due to these breakages. ## #net.ipv6.conf.*.use_tempaddr=2