## Copyright (C) 2019 - 2024 ENCRYPTED SUPPORT LP ## See the file COPYING for copying conditions. ## NOTE: ## This file has a strange name so that /usr/lib/sysctl.d/99-protect-links.conf is ## first parsed and then followed by /usr/lib/sysctl.d/990-security-misc.conf. ## https://github.com/Kicksecure/security-misc/pull/135 ## This configuration file is split into 5 sections: ## 1. Kernel Space ## 2. User Space ## 3. Core Dumps ## 4. Swap Space ## 5. Networking ## See the documentation below for details on the majority of the selected commands. ## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html ## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/fs.html ## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/net.html ## https://www.kernel.org/doc/html/latest/admin-guide/sysctl/vm.html ## https://www.kernel.org/doc/html/latest//networking/ip-sysctl.html ## 1. Kernel Space: ## ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel ## https://wiki.archlinux.org/title/Security#Kernel_hardening ## Restrict kernel addresses via /proc and other interfaces regardless of user privileges. ## Kernel pointers expose specific locations in kernel memory. ## ## https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak ## kernel.kptr_restrict=2 ## Restrict access to the kernel log buffer to CAP_SYSLOG. ## Kernel logs often contain sensitive information such as kernel pointers. ## kernel.dmesg_restrict=1 ## Prevent kernel information leaks in the console during boot. ## Must be used in combination with the kernel boot parameters. ## See /etc/default/grub.d/41_quiet_boot.cfg for implementation. ## ## https://www.kernel.org/doc/html/latest/core-api/printk-basics.html ## ## See /usr/lib/sysctl.d/30_silent-kernel-printk.conf for implementation. ## #kernel.printk=3 3 3 3 ## Restrict eBPF access to CAP_BPF and enable associated JIT compiler hardening. ## ## https://en.wikipedia.org/wiki/EBPF#Security ## kernel.unprivileged_bpf_disabled=1 net.core.bpf_jit_harden=2 ## Restrict loading TTY line disciplines to CAP_SYS_MODULE. ## Prevents unprivileged users loading vulnerable line disciplines with the TIOCSETD ioctl. ## ## https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html ## https://lkml.org/lkml/2019/4/15/890 ## dev.tty.ldisc_autoload=0 ## Restrict the userfaultfd() syscall to SYS_CAP_PTRACE. ## Reduces likelihood of use-after-free exploits from heap sprays. ## ## https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cefdca0a86be517bc390fc4541e3674b8e7803b0 ## https://duasynt.com/blog/linux-kernel-heap-spray ## vm.unprivileged_userfaultfd=0 ## Disables kexec which can be used to replace the running kernel. ## Useful for live kernel patching without rebooting. ## ## https://en.wikipedia.org/wiki/Kexec ## ## See /usr/lib/sysctl.d/30_security-misc_kexec-disable.conf for implementation. ## #kernel.kexec_load_disabled=1 ## Disable the SysRq key to prevent leakage of kernel information. ## The Secure Attention Key (SAK) can no longer be utilised. ## ## https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html ## https://www.kicksecure.com/wiki/SysRq ## https://github.com/xairy/unlockdown ## kernel.sysrq=0 ## Restrict user namespaces to CAP_SYS_ADMIN. ## User namespaces aim to improve sandboxing and accessibility for unprivileged users. ## Unprivileged user namespaces pose substantial privilege escalation risks. ## Restricting is well-known to cause breakages across numerous software. ## ## https://madaidans-insecurities.github.io/linux.html#kernel ## https://github.com/a13xp0p0v/kernel-hardening-checker#questions-and-answers ## ## Unprivileged user namespaces are currently enabled. ## #kernel.unprivileged_userns_clone=0 ## Restricts kernel profiling to CAP_PERFMON. ## The performance events system should not be accessible by unprivileged users. ## Other distributions such as Ubuntu and Fedora may permit further restricting. ## ## https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html#unprivileged-users ## https://lore.kernel.org/kernel-hardening/1469630746-32279-1-git-send-email-jeffv@google.com/ ## kernel.perf_event_paranoid=3 ## Enable ASLR for mmap base, stack, VDSO pages, and heap. ## Heap randomisation can lead to breakages with legacy applications. ## ## https://en.wikipedia.org/wiki/Address_space_layout_randomization#Linux ## kernel.randomize_va_space=2 ## Disable asynchronous I/O for all processes. ## ## https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html ## ## Applicable when using Linux kernel >= 6.6 (retained here for future-proofing and completeness). ## kernel.io_uring_disabled=2 ## 2.User Space: ## ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace ## Restrict usage of the ptrace() system call to only processes with CAP_SYS_PTRACE. ## Limit ptrace() as it enables programs to inspect and modify other active processes. ## Prevents native code debugging which some programs use as a method to detect tampering. ## May cause breakages in 'anti-cheat' software and programs running under Proton/WINE. ## ## https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html#ptrace-scope ## https://en.wikipedia.org/wiki/Ptrace ## https://grapheneos.org/features#attack-surface-reduction ## https://github.com/GrapheneOS/os-issue-tracker/issues/651#issuecomment-917599928 ## https://github.com/netblue30/firejail/issues/2860 ## ## It is possible to harden further by disabling ptrace() for all users, see documentation. ## kernel.yama.ptrace_scope=2 ## Maximise bits of entropy for improved effectiveness of mmap ASLR. ## The maximum numbers of bits are dependent on CPU architecture (the ones shown below are for x86). ## Both explicit sysctl are made redundant due to automation. ## Do NOT enable either sysctl - displaying only for clarity. ## ## https://forums.whonix.org/t/automate-mmap-randomisation-to-fix-ppc64el/16514 ## ## See /usr/libexec/security-misc/mmap-rnd-bits for implementation. ## #vm.mmap_rnd_bits=32 #vm.mmap_rnd_compat_bits=16 ## Prevent hardlink creation by users who do not have read/write/ownership of source file. ## Only allow symlinks to be followed when outside of a world-writable sticky directories. ## Allow symlinks when the owner and follower match or when the directory owner matches the symlink's owner. ## Hardens cross privilege boundaries if root process follows a hardlink/symlink belonging to another user. ## This mitigates many hardlink/symlink-based TOCTOU races in world-writable directories like /tmp. ## ## https://wiki.archlinux.org/title/Security#File_systems ## https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=/tmp ## https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use#Preventing_TOCTOU ## fs.protected_hardlinks=1 fs.protected_symlinks=1 ## Disallow writes to files in world-writable sticky directories unless owned by the directory owner. ## Also applies to group writable sticky directories to make data spoofing attacks more difficult. ## Prevents unintentional writes to attacker-controlled files. ## fs.protected_fifos=2 fs.protected_regular=2 ## Increase the maximum number of memory map areas a process is permitted to utilise. ## Addresses performance, crash, and start-up issues for some memory intensive applications. ## Required to accommodate the very large number of guard pages created by hardened_malloc. ## Kicksecure version 18 will deprecate hardened_malloc and so this sysctl will be applied here instead. ## ## https://archlinux.org/news/increasing-the-default-vmmax_map_count-value/ ## https://github.com/GrapheneOS/hardened_malloc#traditional-linux-based-operating-systems ## https://github.com/Kicksecure/hardened_malloc/blob/master/debian/hardened_malloc.conf ## https://www.kicksecure.com/wiki/Hardened_Malloc#Deprecation_in_Kicksecure ## vm.max_map_count=1048576 ## 3. Core Dumps: ## ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps ## Disable core dump files by preventing any pattern names. ## This setting may be overwritten by systemd is is not comprehensive. ## Core dumps are also disabled in security-misc via other means. ## ## https://wiki.archlinux.org/title/Core_dump#Disabling_automatic_core_dumps ## kernel.core_pattern=|/bin/false ## Prevent setuid processes or otherwise protected/tainted binaries from creating core dumps. ## Any process which has changed privilege levels or is execute-only will not be dumped. ## fs.suid_dumpable=0 ## Set core dump file name to 'core.PID' instead of 'core' as a form of defence-in-depth. ## If core dumps are permitted, only useful if PID listings are hidden from non-root users. ## kernel.core_uses_pid=1 ## 4. Swap Space: ## ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#swap ## Limit the copying of memory to the swap device only if absolutely necessary. ## Minimises the likelihood of writing potentially sensitive contents to disk. ## Not reccommmeded to set to zero since this disables periodic write behavior. ## ## https://en.wikipedia.org/wiki/Memory_paging#Linux ## https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Performance_Tuning_Guide/s-memory-tunables.html ## vm.swappiness=1 ## 5. Networking: ## ## https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-network ## https://wiki.archlinux.org/title/Sysctl#TCP/IP_stack_hardening ## Enable TCP SYN cookie protection to assist against SYN flood attacks. ## ## https://en.wikipedia.org/wiki/SYN_flood ## https://cateee.net/lkddb/web-lkddb/SYN_COOKIES.html ## net.ipv4.tcp_syncookies=1 ## Protect against TCP time-wait assassination hazards. ## Drops RST packets for sockets in the time-wait state. ## ## https://tools.ietf.org/html/rfc1337 ## net.ipv4.tcp_rfc1337=1 ## Enable reverse path filtering (source validation) of packets received from all interfaces. ## Prevents IP spoofing and mitigate vulnerabilities such as CVE-2019-14899. ## ## https://en.wikipedia.org/wiki/IP_address_spoofing ## https://forums.whonix.org/t/enable-reverse-path-filtering/8594 ## https://seclists.org/oss-sec/2019/q4/122 ## net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.default.rp_filter=1 ## Disable ICMP redirect acceptance and redirect sending messages. ## Prevents man-in-the-middle attacks and minimises information disclosure. ## net.ipv4.conf.all.accept_redirects=0 net.ipv4.conf.default.accept_redirects=0 net.ipv4.conf.all.secure_redirects=0 net.ipv4.conf.default.secure_redirects=0 net.ipv6.conf.all.accept_redirects=0 net.ipv6.conf.default.accept_redirects=0 net.ipv4.conf.all.send_redirects=0 net.ipv4.conf.default.send_redirects=0 ## Ignore ICMP echo requests. ## Prevents clock fingerprinting through ICMP timestamps and Smurf attacks. ## ## https://en.wikipedia.org/wiki/Smurf_attack ## net.ipv4.icmp_echo_ignore_all=1 net.ipv6.icmp.echo_ignore_all=1 ## Ignore bogus ICMP error responses. ## Mitigates attacks designed to fill log files with useless error messages. ## net.ipv4.icmp_ignore_bogus_error_responses=1 ## Disable source routing which allows users redirect network traffic. ## Prevents man-in-the-middle attacks in which the traffic is redirected. ## ## https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-server_security-disable-source-routing ## net.ipv4.conf.all.accept_source_route=0 net.ipv4.conf.default.accept_source_route=0 net.ipv6.conf.all.accept_source_route=0 net.ipv6.conf.default.accept_source_route=0 ## Do not accept IPv6 router advertisements and solicitations. ## net.ipv6.conf.all.accept_ra=0 net.ipv6.conf.default.accept_ra=0 ## Disable SACK, DSACK, and FACK. ## Select acknowledgements (SACKs) are a known common vector of exploitation. ## Duplicate select acknowledgements (DSACKs) are an extension of SACK. ## Forward acknowledgements (FACKs) are a legacy option that will (eventually) be deprecated. ## Disabling can cause severe connectivity issues on networks with high latency or packet loss. ## Enabling on stable high-bandwidth networks can lead to reduced efficiency of TCP connections. ## ## https://datatracker.ietf.org/doc/html/rfc2018 ## https://datatracker.ietf.org/doc/html/rfc2883 ## https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf ## https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md ## https://wiki.archlinux.org/title/Sysctl#TCP_Selective_Acknowledgement ## https://forums.whonix.org/t/disabling-tcp-sack-dsack-fack/8109/5 ## ## SACK and DSACK are currently enabled. ## #net.ipv4.tcp_sack=0 #net.ipv4.tcp_dsack=0 net.ipv4.tcp_fack=0 ## Disable TCP timestamps to limit device fingerprinting via system time. ## ## https://forums.whonix.org/t/do-ntp-and-tcp-timestamps-really-leak-your-local-time/7824 ## https://web.archive.org/web/20170201160732/https://mailman.boum.org/pipermail/tails-dev/2013-December/004520.html ## net.ipv4.tcp_timestamps=0 ## Enable logging of packets with impossible source or destination addresses. ## Martian and unroutable packets may be used for dangerous purposes. ## Recommended to keep a (kernel dmesg) log of these to identify these suspicious packets. ## Good for troubleshooting and diagnostics but not necessary by default. ## Known for causing performance issues especially on systems with multiple interfaces. ## ## https://wiki.archlinux.org/title/Sysctl#Log_martian_packets ## https://github.com/Kicksecure/security-misc/issues/214 ## ## The logging of martian packets is currently disabled. ## #net.ipv4.conf.all.log_martians=1 #net.ipv4.conf.default.log_martians=1