From 2cc3adf7acf0ff95e8696ed7ed848958d8a7243c Mon Sep 17 00:00:00 2001
From: Michael Boelen
Date: Wed, 5 Oct 2016 09:50:34 +0200
Subject: Added new sysctl values

---
 default.prf | 51 +++++++++++++++++++++++++++++++++++----------------
 1 file changed, 35 insertions(+), 16 deletions(-)

(limited to 'default.prf')

diff --git a/default.prf b/default.prf
index 473de2a0..397f1bb5 100644
--- a/default.prf
+++ b/default.prf
@@ -166,33 +166,52 @@ plugin=users
 # - Solution field (url:URL, text:TEXT, or -)
 # Processes
-config-data=sysctl;security.bsd.see_other_gids;0;1;Disable display of processes of other groups;sysctl -a;-;category:security;
-config-data=sysctl;security.bsd.see_other_uids;0;1;Disable display of processes of other users;sysctl -a;-;category:security;
+config-data=sysctl;security.bsd.see_other_gids;0;1;Groups only see their own processes;sysctl -a;-;category:security;
+config-data=sysctl;security.bsd.see_other_uids;0;1;Users only see their own processes;sysctl -a;-;category:security;
+config-data=sysctl;security.bsd.stack_guard_page;1;1;Enable stack smashing protection (SSP)/ProPolice to defend against possible buffer overflows;-;category:security;
+config-data=sysctl;security.bsd.unprivileged_proc_debug;0;1;Unprivileged processes can not use process debugging;sysctl -a;-;category:security;
+config-data=sysctl;security.bsd.unprivileged_read_msgbuf;0;1;Unprivileged processes can not read the kernel message buffer;sysctl -a;-;category:security;
 # Kernel
-config-data=sysctl;kern.sugid_coredump;0;1;XXX;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
-config-data=sysctl;kernel.suid_dumpable;0;1;Restrict core dumps;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
-config-data=sysctl;kernel.core_setuid_ok;0;1;XXX;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
-config-data=sysctl;kernel.core_uses_pid;1;1;XXX;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
-config-data=sysctl;kernel.ctrl-alt-del;0;1;XXX;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
-config-data=sysctl;kernel.exec-shield-randomize;1;1;XXX;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
-config-data=sysctl;kernel.exec-shield;1;1;XXX;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+#config-data=sysctl;kern.randompid=2345;Randomize PID numbers with a specific modulus;sysctl -a;-;category:security;
+config-data=sysctl;kern.sugid_coredump;0;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.core_setuid_ok;0;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.core_uses_pid;1;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.ctrl-alt-del;0;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.exec-shield-randomize;1;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.exec-shield;1;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
 config-data=sysctl;kernel.kptr_restrict;2;1;Restrict access to kernel symbols;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
 config-data=sysctl;kernel.maps_protect;1;1;Restrict access to /proc/[pid]/maps;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
 config-data=sysctl;kernel.randomize_va_space;2;1;Randomize of memory address locations (ASLR);sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.suid_dumpable;0;1;Restrict core dumps;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
 config-data=sysctl;kernel.sysrq;0;1;Disable magic SysRQ;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
-config-data=sysctl;kernel.use-nx;0;1;XXX;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
+config-data=sysctl;kernel.use-nx;0;1;No description;sysctl -a;url:https;//kernel.org/doc/Documentation/sysctl/kernel.txt;category:security;
 # Network
+config-data=sysctl;net.inet.ip.linklocal.in.allowbadttl;0;
+config-data=sysctl;net.inet.tcp.always_keepalive;0;1;Disable TCP keep alive detection for dead peers as the keepalive can be spoofed;-;category:security;
+#config-data=sysctl;net.inet.tcp.fast_finwait2_recycle;1;1;Recycle FIN/WAIT states more quickly (DoS mitigation step, with risk of false RST);-;category:security;
+config-data=sysctl;net.inet.tcp.nolocaltimewait;1;1;Remove the TIME_WAIT state for loopback interface;-;category:security;
+config-data=sysctl;net.inet.tcp.path_mtu_discovery;0;1;Disable MTU discovery as many hosts drop the ICMP type 3 packets;-;category:security;
 config-data=sysctl;net.inet.icmp.bmcastecho;0;1;Ignore ICMP packets directed to broadcast address;-;category:security;
+config-data=sysctl;net.inet.tcp.icmp_may_rst;0;1;ICMP may not send RST to avoid spoofed ICMP/UDP floods;-;category:security;
+config-data=sysctl;net.inet.icmp.drop_redirect;1;1Do not allow redirected ICMP packets;-;category:security;
 config-data=sysctl;net.inet.icmp.rediraccept;0;1;Disable incoming ICMP redirect routing redirects;-;category:security;
+config-data=sysctl;net.inet.icmp.timestamp;0;1;Disable timestamps;-;category:security;
 config-data=sysctl;net.inet.ip.accept_sourceroute;0;1;Disable IP source routing;-;category:security;
+config-data=sysctl;net.inet.ip.check_interface;1;1;Verify that a packet arrived on the right interface;-;category:security;
+config-data=sysctl;net.inet.ip.forwarding;0;1;Do not allow forwarding of traffic;-;category:security;
+config-data=sysctl;net.inet.ip.process_options;0;1;Ignore any IP options in the incoming packets;-;category:security;
+config-data=sysctl;net.inet.ip.random_id;1;1;Use a random IP id to each packet leaving the system;-;category:security;
 config-data=sysctl;net.inet.ip.redirect;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
 config-data=sysctl;net.inet.ip.sourceroute;0;1;Disable IP source routing;-;category:security;
 config-data=sysctl;net.inet.ip6.redirect;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
-config-data=sysctl;net.inet.tcp.blackhole;2;1;Do not sent RST but drop traffic;-;category:security;
-config-data=sysctl;net.inet.udp.blackhole;1;1;Do not sent RST but drop traffic;-;category:security;
+config-data=sysctl;net.inet.tcp.blackhole;2;1;Do not sent RST but drop traffic when delivered to closed TCP port;-;category:security;
+config-data=sysctl;net.inet.tcp.drop_synfin;1;1;SYN/FIN packets will be dropped on initial connection;-;category:security;
+config-data=sysctl;net.inet.udp.blackhole;1;1;Do not sent RST but drop traffic when delivered to closed UDP port;-;category:security;
 config-data=sysctl;net.inet6.icmp6.rediraccept;0;1;Disable incoming ICMP redirect routing redirects;-;category:security;
+config-data=sysctl;net.inet6.ip6.forwarding;0;1;Do not allow forwarding of traffic;-;category:security;
+config-data=sysctl;net.inet6.ip6.fw.enable;1;1;Enable filtering;-;category:security;
 config-data=sysctl;net.inet6.ip6.redirect;0;1;Disable sending ICMP redirect routing redirects;-;category:security;
 config-data=sysctl;net.ipv4.conf.all.accept_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
 config-data=sysctl;net.ipv4.conf.all.accept_source_route;0;1;Disable IP source routing;-;category:security;
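Review bot: Two of the added Network entries do not follow the `sysctl;KEY;VALUE;FLAG;DESCRIPTION;...;CATEGORY` field layout used by every neighbouring line, so a reader that splits on `;` will assign their fields to the wrong positions: `net.inet.ip.linklocal.in.allowbadttl;0;` stops after the value, and `net.inet.icmp.drop_redirect;1;1Do not allow ...` lacks the separator between the flag and the description. The second is a one-character fix, `config-data=sysctl;net.inet.icmp.drop_redirect;1;1;Do not allow redirected ICMP packets;-;category:security;`; the first needs its flag, description, solution and category filled in, or should be commented out until it is. Less critically, the new `security.bsd.stack_guard_page` line omits the `sysctl -a` field that the other four `security.bsd.*` entries in this group carry, and `No description` merely renames the `XXX` placeholder on the kernel.* lines, so the text shown for those checks is still not a description. The field layout is taken from the hunk's context lines; the profile reader itself is not visible here, so the exact effect of a short line is inferred.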
@@ -217,7 +236,8 @@ config-data=sysctl;net.ipv6.conf.all.accept_source_route;0;1;Disable IP source r
 config-data=sysctl;net.ipv6.conf.default.accept_redirects;0;1;Disable/Ignore ICMP routing redirects;-;category:security;
 config-data=sysctl;net.ipv6.conf.default.accept_source_route;0;1;Disable IP source routing;-;category:security;
-[security]
+# Other
+config-data=sysctl;hw.kbd.keymap_restrict_change;4;1;Disable changing the keymap by non-privileged users;-;category:security;
 #sysctl;kern.securelevel;1^2^3;1;FreeBSD security level;
 #security.jail.jailed; 0
 #security.jail.jail_max_af_ips; 255
@@ -232,10 +252,9 @@ config-data=sysctl;net.ipv6.conf.default.accept_source_route;0;1;Disable IP sour
 #security.bsd.unprivileged_proc_debug; 1
 #security.bsd.conservative_signals; 1
 #security.bsd.unprivileged_read_msgbuf; 1
-#security.bsd.hardlink_check_gid; 0
-#security.bsd.hardlink_check_uid; 0
 #security.bsd.unprivileged_get_quota; 0
-#sysctl;kern.randompid;1234;1;Increase the next PID with an amount close to the given value;sysctl -a;-;category:security;
+config-data=sysctl;security.bsd.hardlink_check_gid;1;1;Unprivileged processes are not allowed to create hard links to files which are owned by other groups;-;category:security;
+config-data=sysctl;security.bsd.hardlink_check_uid;1;1;Unprivileged processes are not allowed to create hard links to files which are owned by other users;-;category:security;
 #################################################################################
-- 
cgit v1.2.3
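Review bot: The commented scratch list still carries `#security.bsd.unprivileged_proc_debug; 1` and `#security.bsd.unprivileged_read_msgbuf; 1` even though both keys became active `config-data` entries (expected value 0) in the Processes group earlier in this patch, whereas the `hardlink_check_*` scratch lines were removed when their active entries were added; dropping the two leftovers the same way avoids keeping contradictory values for one key in the file. The two new `hardlink_check_*` entries also use the shorter `...;DESCRIPTION;-;category:security;` layout while the `security.bsd.*` entries in the Processes group include a `sysctl -a` field before the solution, so the two groups have different field counts; which layout the profile reader expects cannot be seen from this hunk.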