-
Notifications
You must be signed in to change notification settings - Fork 9
/
sysctl.conf.new
77 lines (64 loc) · 3.18 KB
/
sysctl.conf.new
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
kernel.core_uses_pid = 1
# use address space randomization
#
# -plus-
#
# Randomizing heap placement makes heap exploits harder, but it
# also breaks ancient binaries (including anything libc5 based).
#
kernel.randomize_va_space = 2
# "Any process which has changed privilege levels or is execute only will not be dumped"
fs.suid_dumpable = 0
# "symlinks are permitted to be followed only":
# * "when outside a sticky world-writable directory"
# * "when the uid of the symlink and follower match"
# * "when the directory owner matches the symlink's owner"
fs.protected_symlinks = 1
# "hardlinks cannot be created by users if they do not already own the source file, or do not have read/write access to it"
fs.protected_hardlinks = 1
# https://www.kernel.org/doc/html/latest/admin-guide/sysctl/fs.html#protected-fifos
fs.protected_fifos = 2
# https://www.kernel.org/doc/html/latest/admin-guide/sysctl/fs.html#protected-regular
fs.protected_regular = 2
# got the idea from:
# https://secure.wikimedia.org/wikibooks/en/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options#Larger_entropy_pools
#kernel.random.poolsize = 8192
# disallow modifying the LDT (Local Descriptor Table)... "can sometimes be abused to exploit some weaknesses of the architecture, opening new vulnerabilities"
sys.kernel.modify_ldt = 0
# 0 - disable sysrq completely
# 4 - enable control of keyboard (SAK, unraw)
#
# links:
# - http://www.debian.org/doc/manuals/securing-debian-howto/ch4.en.html#s-restrict-sysrq
# - http://tldp.org/HOWTO/Remote-Serial-Console-HOWTO/security-sysrq.html
# - kernel.org/doc/Documentation/sysrq.txt
# - en.wikipedia.org/wiki/Magic_SysRq_key
kernel.sysrq = 4
# see Restrict unprivileged access to the kernel syslog (CONFIG_SECURITY_DMESG_RESTRICT) in kernel
kernel.dmesg_restrict = 1
# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
kernel.kptr_restrict = 2
kernel.ctrl-alt-del = 0
# TODO: shared_media?!?
# https://tools.ietf.org/html/rfc1620
# https://www.cert.fi/haavoittuvuudet/2013/haavoittuvuus-2013-071.html
# https://www.kernel.org/doc/html/v5.7/admin-guide/perf-security.html#perf-events-perf-unprivileged-users
# https://www.kernel.org/doc/html/v5.7/admin-guide/sysctl/kernel.html#perf-event-paranoid
kernel.perf_event_paranoid = 2
# https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings#sysctls
# Turn off kexec, even if it's built in.
kernel.kexec_load_disabled = 1
# https://www.kernel.org/doc/Documentation/security/Yama.txt
# 0 - classic ptrace permissions
# 1 - restricted ptrace
# 2 - admin-only attach
# 3 - no attach
# Avoid non-ancestor ptrace access to running processes and their credentials.
kernel.yama.ptrace_scope = 3
# Disable User Namespaces, as it opens up a large attack surface to unprivileged users.
# https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html#linux-user-namespaces
# https://www.openwall.com/lists/oss-security/2022/01/29/1
#user.max_user_namespaces = 0
# https://www.kernel.org/doc/html/latest/admin-guide/sysctl/kernel.html#unprivileged-bpf-disabled
# https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html#linux-unprivileged-bpf
kernel.unprivileged_bpf_disabled = 1