diff options
| author | Topi Miettinen <toiwoton@gmail.com> | 2020-05-23 19:49:13 +0300 |
|---|---|---|
| committer | Topi Miettinen <toiwoton@gmail.com> | 2020-05-23 19:55:12 +0300 |
| commit | c76a4ca1a6dc9e5d52141861709470ad72254b69 (patch) | |
| tree | 0beb7aa30aabf18dd9fd34c7be101b166bd484da /default.prf | |
| parent | 96659e61eb73c91089b4d3b1e05078eef9a62d64 (diff) | |
[KRNL-6000] Check more sysctls
Add checks for sysctls recommended by CLIP OS (vanilla kernel sysctls
only):
https://docs.clip-os.org/clipos/kernel.html#sysctl-security-tuning
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Diffstat (limited to 'default.prf')
| -rw-r--r-- | default.prf | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/default.prf b/default.prf index 6ff3eac2..e5635147 100644 --- a/default.prf +++ b/default.prf @@ -182,7 +182,9 @@ config-data=sysctl;security.bsd.unprivileged_read_msgbuf;0;1;Unprivileged proces # Kernel config-data=sysctl;fs.suid_dumpable;0;1;Restrict core dumps;sysctl -a;url:https;//www.kernel.org/doc/Documentation/sysctl/fs.txt;category:security; +config-data=sysctl;fs.protected_fifos;2;1;Restrict FIFO special device creation behavior;sysctl -a;url:https;//www.kernel.org/doc/Documentation/sysctl/fs.txt;category:security; config-data=sysctl;fs.protected_hardlinks;1;1;Restrict hardlink creation behavior;sysctl -a;url:https;//www.kernel.org/doc/Documentation/sysctl/fs.txt;category:security; +config-data=sysctl;fs.protected_regular;2;1;Restrict regular files creation behavior;sysctl -a;url:https;//www.kernel.org/doc/Documentation/sysctl/fs.txt;category:security; config-data=sysctl;fs.protected_symlinks;1;1;Restrict symlink following behavior;sysctl -a;url:https;//www.kernel.org/doc/Documentation/sysctl/fs.txt;category:security; #config-data=sysctl;kern.randompid=2345;Randomize PID numbers with a specific modulus;sysctl -a;-;category:security; config-data=sysctl;kern.sugid_coredump;0;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security; @@ -194,13 +196,17 @@ config-data=sysctl;kernel.exec-shield-randomize;1;1;No description;sysctl -a;url config-data=sysctl;kernel.exec-shield;1;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security; config-data=sysctl;kernel.kptr_restrict;2;1;Restrict access to kernel symbols;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security; config-data=sysctl;kernel.maps_protect;1;1;Restrict access to /proc/[pid]/maps;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security; +config-data=sysctl;kernel.modules_disabled;1;1;Restrict module loading once this sysctl value is loaded;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security; +config-data=sysctl;kernel.perf_event_paranoid;3;1;Restrict unprivileged access to the perf_event_open() system call.;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security; config-data=sysctl;kernel.randomize_va_space;2;1;Randomize of memory address locations (ASLR);sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security; config-data=sysctl;kernel.suid_dumpable;0;1;Restrict core dumps;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security; config-data=sysctl;kernel.sysrq;0;1;Disable magic SysRQ;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security; +config-data=sysctl;kernel.unprivileged_bpf_disabled;1;1;Restrict BPF for unprivileged users;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security; config-data=sysctl;kernel.use-nx;0;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security; config-data=sysctl;kernel.yama.ptrace_scope;1|2|3;1;Disable process tracing for everyone;-;category:security; # Network +config-data=sysctl;net.core.bpf_jit_harden;2;1;Hardened BPF JIT compilation;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security; config-data=sysctl;net.inet.ip.linklocal.in.allowbadttl;0; config-data=sysctl;net.inet.tcp.always_keepalive;0;1;Disable TCP keep alive detection for dead peers as the keepalive can be spoofed;-;category:security; #config-data=sysctl;net.inet.tcp.fast_finwait2_recycle;1;1;Recycle FIN/WAIT states more quickly (DoS mitigation step, with risk of false RST);-;category:security; @@ -250,6 +256,7 @@ config-data=sysctl;net.ipv6.conf.default.accept_redirects;0;1;Disable/Ignore ICM config-data=sysctl;net.ipv6.conf.default.accept_source_route;0;1;Disable IP source routing;-;category:security; # Other +config-data=sysctl;dev.tty.ldisc_autoload;0;1;Disable loading of TTY line disciplines;-;category:security; config-data=sysctl;hw.kbd.keymap_restrict_change;4;1;Disable changing the keymap by non-privileged users;-;category:security; #sysctl;kern.securelevel;1^2^3;1;FreeBSD security level; #security.jail.jailed; 0 |