Core OS Index

2.2.2. Sysctl

Sysctl references Arch TCP/IP stack hardening, Cyberciti Nginx Hardning, Cyberciti Security Hardening, Grsecurity and PaX Configuration.

Since kernels on c9-ports have PaX and grsecurity, /etc/sysctl.conf can have follow values;

        #
        # /etc/sysctl.conf: configuration for system variables, see sysctl.conf(5)
        #

        kernel.printk = 7 1 1 4
        kernel.randomize_va_space = 2
        # Shared Memory
        #kernel.shmmax = 500000000
        # Total allocated file handlers that can be allocated
        # fs.file-nr=
        vm.mmap_min_addr=65536
        # Allow for more PIDs (to reduce rollover problems); may break some programs 32768
        kernel.pid_max = 65536

        #
        # Memory Protections
        #

        #  If you say Y here, all ioperm and iopl calls will return an error.
        #  Ioperm and iopl can be used to modify the running kernel.
        #  Unfortunately, some programs need this access to operate properly,
        #  the most notable of which are XFree86 and hwclock.  hwclock can be
        #  remedied by having RTC support in the kernel, so real-time
        #  clock support is enabled if this option is enabled, to ensure
        #  that hwclock operates correctly.
        #
        #  If you're using XFree86 or a version of Xorg from 2012 or earlier,
        #  you may not be able to boot into a graphical environment with this
        #  option enabled.  In this case, you should use the RBAC system instead.
        kernel.grsecurity.disable_priv_io = 1

        #  If you say Y here, attempts to bruteforce exploits against forking
        #  daemons such as apache or sshd, as well as against suid/sgid binaries
        #  will be deterred.  When a child of a forking daemon is killed by PaX
        #  or crashes due to an illegal instruction or other suspicious signal,
        #  the parent process will be delayed 30 seconds upon every subsequent
        #  fork until the administrator is able to assess the situation and
        #  restart the daemon.
        #  In the suid/sgid case, the attempt is logged, the user has all their
        #  existing instances of the suid/sgid binary terminated and will
        #  be unable to execute any suid/sgid binaries for 15 minutes.
        #
        #  It is recommended that you also enable signal logging in the auditing
        #  section so that logs are generated when a process triggers a suspicious
        #  signal.
        #  If the sysctl option is enabled, a sysctl option with name
        #  "deter_bruteforce" is created.
        kernel.grsecurity.deter_bruteforce = 1

        #
        # Filesystem Protections
        #

        # Optimization for port usefor LBs
        # Increase system file descriptor limit
        fs.file-max = 65535

        #  If you say Y here, /tmp race exploits will be prevented, since users
        #  will no longer be able to follow symlinks owned by other users in
        #  world-writable +t directories (e.g. /tmp), unless the owner of th
#!/bin/sh
# Start a Linux container containing the mu/ directory.
# Useful on non-Linux platforms.
# Run it from the top-level mu/ directory.

docker run -it --name mu -v `pwd`:/mu abyssos/abyss:dev

# On the first startup, you'll need to run the following commands:
#   apk add git nano libcxx-dev
#   cd /mu

# Leaving this container will stop it.
# Restart it with:
#   docker start mu
#
# Now you can connect to it anytime with:
#   docker exec -it mu sh
#   cd /mu
#
# Quite slow, though. Docker has to run a VM on other platforms.
generated by cgit-pink 1.4.1-2-gfad0 (git 2.36.2.497.gbbea4dcf42) at 2024-07-08 23:15:39 +0000
n sockets that were bound outside of a chroot. It is recommended # that you say Y here. If the sysctl option is enabled, a sysctl option # with name "chroot_deny_unix" is created. kernel.grsecurity.chroot_deny_unix = 1 # If you say Y here, the current working directory of all newly-chrooted # applications will be set to the the root directory of the chroot. # The man page on chroot(2) states: # Note that usually chhroot does not change the current working # directory, so that `.' can be outside the tree rooted at # `/'. In particular, the super-user can escape from a # `chroot jail' by doing `mkdir foo; chroot foo; cd ..'. # # It is recommended that you say Y here, since it's not known to break # any software. If the sysctl option is enabled, a sysctl option with # name "chroot_enforce_chdir" is created. kernel.grsecurity.chroot_enforce_chdir = 1 # If you say Y here, processes inside a chroot will not be able to # kill, send signals with fcntl, ptrace, capget, getpgid, setpgid, # getsid, or view any process outside of the chroot. If the sysctl # option is enabled, a sysctl option with name "chroot_findtask" is # created. kernel.grsecurity.chroot_findtask = 1 # If you say Y here, processes inside a chroot will not be able to raise # the priority of processes in the chroot, or alter the priority of # processes outside the chroot. This provides more security than simply # removing CAP_SYS_NICE from the process' capability set. If the # sysctl option is enabled, a sysctl option with name "chroot_restrict_nice" # is created. kernel.grsecurity.chroot_restrict_nice = 1 # # Kernel Auditing # # If you say Y here, the exec and chdir logging features will only operate # on a group you specify. This option is recommended if you only want to # watch certain users instead of having a large amount of logs from the # entire system. If the sysctl option is enabled, a sysctl option with # name "audit_group" is created. kernel.grsecurity.audit_group = 1 # If you say Y here, the exec and chdir logging features will only operate # on a group you specify. This option is recommended if you only want to # watch certain users instead of having a large amount of logs from the # entire system. If the sysctl option is enabled, a sysctl option with # name "audit_group" is created. kernel.grsecurity.audit_gid = 99 # If you say Y here, all execve() calls will be logged (since the # other exec*() calls are frontends to execve(), all execution # will be logged). Useful for shell-servers that like to keep track # of their users. If the sysctl option is enabled, a sysctl option with # name "exec_logging" is created. # WARNING: This option when enabled will produce a LOT of logs, especially # on an active system. kernel.grsecurity.exec_logging = 0 # If you say Y here, all attempts to overstep resource limits will # be logged with the resource name, the requested size, and the current # limit. It is highly recommended that you say Y here. If the sysctl # option is enabled, a sysctl option with name "resource_logging" is # created. If the RBAC system is enabled, the sysctl value is ignored. kernel.grsecurity.resource_logging = 1 # If you say Y here, all executions inside a chroot jail will be logged # to syslog. This can cause a large amount of logs if certain # applications (eg. djb's daemontools) are installed on the system, and # is therefore left as an option. If the sysctl option is enabled, a # sysctl option with name "chroot_execlog" is created. kernel.grsecurity.chroot_execlog = 0 # If you say Y here, all attempts to attach to a process via ptrace # will be logged. If the sysctl option is enabled, a sysctl option # with name "audit_ptrace" is created. #kernel.grsecurity.audit_ptrace = 1 # If you say Y here, all attempts to attach to a process via ptrace # will be logged. If the sysctl option is enabled, a sysctl option # with name "audit_ptrace" is created. kernel.grsecurity.audit_chdir = 0 # If you say Y here, all mounts and unmounts will be logged. If the # sysctl option is enabled, a sysctl option with name "audit_mount" is # created. kernel.grsecurity.audit_mount = 1 # If you say Y here, certain important signals will be logged, such as # SIGSEGV, which will as a result inform you of when a error in a program # occurred, which in some cases could mean a possible exploit attempt. # If the sysctl option is enabled, a sysctl option with name # "signal_logging" is created. kernel.grsecurity.signal_logging = 1 # If you say Y here, all failed fork() attempts will be logged. # This could suggest a fork bomb, or someone attempting to overstep # their process limit. If the sysctl option is enabled, a sysctl option # with name "forkfail_logging" is created. kernel.grsecurity.forkfail_logging = 1 # If you say Y here, any changes of the system clock will be logged. # If the sysctl option is enabled, a sysctl option with name # "timechange_logging" is created. kernel.grsecurity.timechange_logging = 1 # if you say Y here, calls to mmap() and mprotect() with explicit # usage of PROT_WRITE and PROT_EXEC together will be logged when # denied by the PAX_MPROTECT feature. This feature will also # log other problematic scenarios that can occur when PAX_MPROTECT # is enabled on a binary, like textrels and PT_GNU_STACK. If the # sysctl option is enabled, a sysctl option with name "rwxmap_logging" # is created. kernel.grsecurity.rwxmap_logging = 1 # # Executable Protections # # if you say Y here, non-root users will not be able to use dmesg(8) # to view the contents of the kernel's circular log buffer. # The kernel's log buffer often contains kernel addresses and other # identifying information useful to an attacker in fingerprinting a # system for a targeted exploit. # If the sysctl option is enabled, a sysctl option with name "dmesg" is # created. kernel.grsecurity.dmesg = 1 # Hide symbol addresses in /proc/kallsyms kernel.kptr_restrict = 2 # If you say Y here, TTY sniffers and other malicious monitoring # programs implemented through ptrace will be defeated. If you # have been using the RBAC system, this option has already been # enabled for several years for all users, with the ability to make # fine-grained exceptions. # # This option only affects the ability of non-root users to ptrace # processes that are not a descendent of the ptracing process. # This means that strace ./binary and gdb ./binary will still work, # but attaching to arbitrary processes will not. If the sysctl # option is enabled, a sysctl option with name "harden_ptrace" is # created. kernel.grsecurity.harden_ptrace = 1 # If you say Y here, unprivileged users will not be able to ptrace unreadable # binaries. This option is useful in environments that # remove the read bits (e.g. file mode 4711) from suid binaries to # prevent infoleaking of their contents. This option adds # consistency to the use of that file mode, as the binary could normally # be read out when run without privileges while ptracing. # # If the sysctl option is enabled, a sysctl option with name "ptrace_readexec" # is created. kernel.grsecurity.ptrace_readexec = 1 # If you say Y here, a change from a root uid to a non-root uid # in a multithreaded application will cause the resulting uids, # gids, supplementary groups, and capabilities in that thread # to be propagated to the other threads of the process. In most # cases this is unnecessary, as glibc will emulate this behavior # on behalf of the application. Other libcs do not act in the # same way, allowing the other threads of the process to continue # running with root privileges. If the sysctl option is enabled, # a sysctl option with name "consistent_setxid" is created. kernel.grsecurity.consistent_setxid = 1 # If you say Y here, access to overly-permissive IPC objects (shared # memory, message queues, and semaphores) will be denied for processes # given the following criteria beyond normal permission checks: # 1) If the IPC object is world-accessible and the euid doesn't match # that of the creator or current uid for the IPC object # 2) If the IPC object is group-accessible and the egid doesn't # match that of the creator or current gid for the IPC object # It's a common error to grant too much permission to these objects, # with impact ranging from denial of service and information leaking to # privilege escalation. This feature was developed in response to # research by Tim Brown: # http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/ # who found hundreds of such insecure usages. Processes with # CAP_IPC_OWNER are still permitted to access these IPC objects. # If the sysctl option is enabled, a sysctl option with name # "harden_ipc" is created. kernel.grsecurity.harden_ipc = 1 # If you say Y here, you will be able to choose a gid to add to the # supplementary groups of users you want to mark as "untrusted." # These users will not be able to execute any files that are not in # root-owned directories writable only by root. If the sysctl option # is enabled, a sysctl option with name "tpe" is created. kernel.grsecurity.tpe = 1 kernel.grsecurity.tpe_gid = 100 # If you say Y here, the group you specify in the TPE configuration will # decide what group TPE restrictions will be *disabled* for. This # option is useful if you want TPE restrictions to be applied to most # users on the system. If the sysctl option is enabled, a sysctl option # with name "tpe_invert" is created. Unlike other sysctl options, this # entry will default to on for backward-compatibility. kernel.grsecurity.tpe_invert = 1 # If you say Y here, all non-root users will be covered under # a weaker TPE restriction. This is separate from, and in addition to, # the main TPE options that you have selected elsewhere. Thus, if a # "trusted" GID is chosen, this restriction applies to even that GID. # Under this restriction, all non-root users will only be allowed to # execute files in directories they own that are not group or # world-writable, or in directories owned by root and writable only by # root. If the sysctl option is enabled, a sysctl option with name # "tpe_restrict_all" is created. kernel.grsecurity.tpe_restrict_all = 1 kernel.grsecurity.harden_tty = 1 # # Network Protections # # Increase Linux auto tuning TCP buffer limits # min, default, and max number of bytes to use # set max to at least 4MB, or higher if you use very high BDP paths # Tcp Windows etc net.core.rmem_max = 8388608 net.core.wmem_max = 8388608 net.core.netdev_max_backlog = 5000 net.ipv4.tcp_window_scaling = 1 # Both ports linux-blob and linux-libre don't build with ipv6 # Disable ipv6 net.ipv6.conf.all.disable_ipv6 = 1 net.ipv6.conf.default.disable_ipv6 = 1 net.ipv6.conf.lo.disable_ipv6 = 1 # Tuen IPv6 #net.ipv6.conf.default.router_solicitations = 0 #net.ipv6.conf.default.accept_ra_rtr_pref = 0 #net.ipv6.conf.default.accept_ra_pinfo = 0 #net.ipv6.conf.default.accept_ra_defrtr = 0 #net.ipv6.conf.default.autoconf = 0 #net.ipv6.conf.default.dad_transmits = 0 #net.ipv6.conf.default.max_addresses = 0 # Avoid a smurf attack, ping scanning net.ipv4.icmp_echo_ignore_broadcasts = 1 # Turn on protection for bad icmp error messages net.ipv4.icmp_ignore_bogus_error_responses = 1 # Turn on syncookies for SYN flood attack protection net.ipv4.tcp_syncookies = 1 ## protect against tcp time-wait assassination hazards ## drop RST packets for sockets in the time-wait state ## (not widely supported outside of linux, but conforms to RFC) net.ipv4.tcp_rfc1337 = 1 ## tcp timestamps ## + protect against wrapping sequence numbers (at gigabit speeds) ## + round trip time calculation implemented in TCP ## - causes extra overhead and allows uptime detection by scanners like nmap ## enable @ gigabit speeds net.ipv4.tcp_timestamps = 0 #net.ipv4.tcp_timestamps = 1 # Turn on and log spoofed, source routed, and redirect packets net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.default.log_martians = 1 ## ignore echo broadcast requests to prevent being part of smurf attacks (default) net.ipv4.icmp_echo_ignore_broadcasts = 1 ## sets the kernels reverse path filtering mechanism to value 1(on) ## will do source validation of the packet's recieved from all the interfaces on the machine ## protects from attackers that are using ip spoofing methods to do harm net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1 #net.ipv6.conf.default.rp_filter = 1 #net.ipv6.conf.all.rp_filter = 1 # Make sure no one can alter the routing tables # Act as a router, necessary for Access Point net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0 # No source routed packets here # Discard packets with source routes, ip spoofing net.ipv4.conf.all.accept_source_route = 0 net.ipv4.conf.default.accept_source_route = 0 net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0 net.ipv4.ip_forward = 0 # Increase system IP port limits net.ipv4.ip_local_port_range = 2000 65000 # Increase TCP max buffer size setable using setsockopt() net.ipv4.tcp_rmem = 4096 87380 8388608 net.ipv4.tcp_wmem = 4096 87380 8388608 # Disable proxy_arp net.ipv4.conf.default.proxy_arp = 0 net.ipv4.conf.all.proxy_arp = 0 # Disable bootp_relay net.ipv4.conf.default.bootp_relay = 0 net.ipv4.conf.all.bootp_relay = 0 # Decrease TCP fin timeout net.ipv4.tcp_fin_timeout = 30 # Decrease TCP keep alive time net.ipv4.tcp_keepalive_time = 1800 # Sen SynAck retries to 3 net.ipv4.tcp_synack_retries = 3 # If you say Y here, neither TCP resets nor ICMP # destination-unreachable packets will be sent in response to packets # sent to ports for which no associated listening process exists. # This feature supports both IPV4 and IPV6 and exempts the # loopback interface from blackholing. Enabling this feature # makes a host more resilient to DoS attacks and reduces network # visibility against scanners. # # The blackhole feature as-implemented is equivalent to the FreeBSD # blackhole feature, as it prevents RST responses to all packets, not # just SYNs. Under most application behavior this causes no # problems, but applications (like haproxy) may not close certain # connections in a way that cleanly terminates them on the remote # end, leaving the remote host in LAST_ACK state. Because of this # side-effect and to prevent intentional LAST_ACK DoSes, this # feature also adds automatic mitigation against such attacks. # The mitigation drastically reduces the amount of time a socket # can spend in LAST_ACK state. If you're using haproxy and not # all servers it connects to have this option enabled, consider # disabling this feature on the haproxy host. # # If the sysctl option is enabled, two sysctl options with names # "ip_blackhole" and "lastack_retries" will be created. # While "ip_blackhole" takes the standard zero/non-zero on/off # toggle, "lastack_retries" uses the same kinds of values as # "tcp_retries1" and "tcp_retries2". The default value of 4 # prevents a socket from lasting more than 45 seconds in LAST_ACK # state. kernel.grsecurity.ip_blackhole = 1 kernel.grsecurity.lastack_retries = 4 # If you say Y here, you will be able to choose a GID of whose users will # be unable to connect to other hosts from your machine or run server # applications from your machine. If the sysctl option is enabled, a # sysctl option with name "socket_all" is created. kernel.grsecurity.socket_all = 1 # Here you can choose the GID to disable socket access for. Remember to # add the users you want socket access disabled for to the GID # specified here. If the sysctl option is enabled, a sysctl option # with name "socket_all_gid" is created. kernel.grsecurity.socket_all_gid = 200 # If you say Y here, you will be able to choose a GID of whose users will # be unable to connect to other hosts from your machine, but will be # able to run servers. If this option is enabled, all users in the group # you specify will have to use passive mode when initiating ftp transfers # from the shell on your machine. If the sysctl option is enabled, a # sysctl option with name "socket_client" is created. kernel.grsecurity.socket_client = 1 # Here you can choose the GID to disable client socket access for. # Remember to add the users you want client socket access disabled for to # the GID specified here. If the sysctl option is enabled, a sysctl # option with name "socket_client_gid" is created. kernel.grsecurity.socket_client_gid = 201 # If you say Y here, you will be able to choose a GID of whose users will # be unable to connect to other hosts from your machine, but will be # able to run servers. If this option is enabled, all users in the group # you specify will have to use passive mode when initiating ftp transfers # from the shell on your machine. If the sysctl option is enabled, a # sysctl option with name "socket_client" is created. kernel.grsecurity.socket_server = 1 # Here you can choose the GID to disable server socket access for. # Remember to add the users you want server socket access disabled for to # the GID specified here. If the sysctl option is enabled, a sysctl # option with name "socket_server_gid" is created. kernel.grsecurity.socket_server_gid = 99 # # Physical Protections # # If you say Y here, a new sysctl option with name "deny_new_usb" # will be created. Setting its value to 1 will prevent any new # USB devices from being recognized by the OS. Any attempted USB # device insertion will be logged. This option is intended to be # used against custom USB devices designed to exploit vulnerabilities # in various USB device drivers. # # For greatest effectiveness, this sysctl should be set after any # relevant init scripts. This option is safe to enable in distros # as each user can choose whether or not to toggle the sysctl. kernel.grsecurity.deny_new_usb = 0 # # Restrict grsec sysctl changes after this was set # kernel.grsecurity.grsec_lock = 0 # End of file Core OS Index

This is part of the c9 Manual. Copyright (C) 2017 c9 team. See the file Gnu Free Documentation License for copying conditions.