path: root/core/linux.html



 <!DOCTYPE html>
<html dir="ltr" lang="en">
    <head>
        <meta charset='utf-8'>
        <title>2.1. Kernel Linux</title>
    </head>
    <body>

        <a href="index.html">Core OS Index</a>
        <h1 id="kernel">2.1. Kernel Linux</h1>

        <p>Linux is a monolith kernel, a big one ! Visit
        <a href="http://www.fsfla.org/ikiwiki/selibre/linux-libre/">Linux Libre</a>
        and
        <a href="https://www.kernel.org/">Linux Non-Libre</a> pages for more links
        and information.</p>

        <h2 id="#linuxlibre">2.1.1. Port Linux Libre</h2>

        <p>Default crux configuration can be obtained from iso, this port depends
        on dracut and grub but is not required to install them. To build and install
        this port using prt-get;</p>

        <pre>
        $ prt-get depinst linux-libre
        </pre>

        <h2 id="kinstall">2.1.2. Manual Install</h2>

        <p>Download Linux Source from
        <a href="http://linux-libre.fsfla.org/pub/linux-libre/releases/">linux libre</a>,
        or using the port system;</p>

        <p>Crux iso comes with config that is more generic than used on linux-libre
        port, crux default is a good starting point to personalize according to your
        needs (build default, detect modules needed);</p>

        <pre>
        $ mkdir ~/kernel
        $ cd ~/kernel
        $ cp /usr/ports/distfiles/linux-libre-4.9.11-gnu.tar.xz .
        $ tar xf linux-libre-4.9.11-gnu.tar.xz
        $ cd linux-4.9.11/
        </pre>

        <p><a href="grsecurity.net">Grsecurity</a> patch for
        <a href="https://grsecurity.net/test/grsecurity-3.1-4.9.9-201702122044.patch">4.9.11</a>.
        Gcc <a href="https://github.com/graysky2/kernel_gcc_patch/">graysky2</a> kernel_gcc_patch (<a href="https://github.com/graysky2/kernel_gcc_patch/archive/master.zip">master.zip</a>)
        that adds more cpu options (FLAGS native).
        Check <a href="ports/linux-libre/Pkgfile">Pkgfile</a> for instructions and
        more patches used on linux-libre port. Read patching your kernel with
        <a href="https://en.wikibooks.org/wiki/Grsecurity/Configuring_and_Installing_grsecurity#Patching_Your_Kernel_with_grsecurity">gresecurity</a>.</p>

        <p>Configure kernel according to your current kernel
        hardware support;</p>

        <pre>
        $ make localmodconfig
        </pre>

        <p>This will disable all unloaded modules,
        you can use localyesconfig mark all loaded
        to be built in the kernel. To get information
        about your hardware, for example information
        about which graphic module (driver) is in use
        as root run;</p>

        <pre>
        # lspci -nnk | grep -i vga -A3 | grep 'in use'
        Kernel driver in use: i915
        </pre>

        <p>Before start compiling check configuration;</p>

        <pre>
        $ make nconfig
        </pre>

        <pre>
        $ make -j $(nproc) bzImage modules
        $ sudo make modules_install
        $ sudo cp arch/x86/boot/bzImage /boot/vmlinuz-4.9.11-gnu
        $ sudo cp System.map /boot/System.map-4.9.11-gnu
        </pre>

        <p>Create dracut initramfs;</p>

        <pre>
        $sudo dracut --fstab /boot/initramfs-4.9.11-gnu.img 4.9.11-gnu
        </pre>

        <p>Update grub;</p>

        <pre>
        # grub-mkconfig -o /boot/grub/grub.cfg
        </pre>

        <h2 id="kuninstall">2.1.3. Manual Remove</h2>

        <pre>
        $ sudo rm -r /lib/modules/4.9.11-gnu
        $ sudo rm /boot/vmlinuz-4.9.11-gnu
        $ sudo rm /boot/System.map-4.9.11-gnu
        </pre>

        <h2 id="sysctl">2.1.4. Sysctl</h2>

        <p>Sysctl references
        <a href="https://wiki.archlinux.org/index.php/sysctl#TCP.2FIP_stack_hardening">Arch TCP/IP stack hardening</a>,
        <a href="http://www.cyberciti.biz/tips/linux-unix-bsd-nginx-webserver-security.html">Cyberciti Nginx Hardning</a>,
        <a href="http://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening/">Cyberciti Security Hardening</a>,
        <a href="https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options">Grsecurity and PaX Configuration</a>.</p>

        <p>Since kernels on c9-ports have <a href="pax.grsecurity.net">PaX</a>
        and <a href="http://grsecurity.net/announce.php">grsecurity</a>,
        <a href="conf/sysctl.conf">/etc/sysctl.conf</a> can have follow
        values;</p>

        <pre>
        #
        # /etc/sysctl.conf: configuration for system variables, see sysctl.conf(5)
        #

        kernel.printk = 15 1 1 4
        kernel.randomize_va_space = 1
        kernel.shmmax = 500000000
        # Allow for more PIDs (to reduce rollover problems); may break some programs 32768
        kernel.pid_max = 65536

        #
        # Memory Protections
        #

        #  If you say Y here, all ioperm and iopl calls will return an error.
        #  Ioperm and iopl can be used to modify the running kernel.
        #  Unfortunately, some programs need this access to operate properly,
        #  the most notable of which are XFree86 and hwclock.  hwclock can be
        #  remedied by having RTC support in the kernel, so real-time
        #  clock support is enabled if this option is enabled, to ensure
        #  that hwclock operates correctly.
        #
        #  If you're using XFree86 or a version of Xorg from 2012 or earlier,
        #  you may not be able to boot into a graphical environment with this
        #  option enabled.  In this case, you should use the RBAC system instead.
        #kernel.grsecurity.disable_priv_io = 1
        kernel.grsecurity.disable_priv_io = 0

        #  If you say Y here, attempts to bruteforce exploits against forking
        #  daemons such as apache or sshd, as well as against suid/sgid binaries
        #  will be deterred.  When a child of a forking daemon is killed by PaX
        #  or crashes due to an illegal instruction or other suspicious signal,
        #  the parent process will be delayed 30 seconds upon every subsequent
        #  fork until the administrator is able to assess the situation and
        #  restart the daemon.
        #  In the suid/sgid case, the attempt is logged, the user has all their
        #  existing instances of the suid/sgid binary terminated and will
        #  be unable to execute any suid/sgid binaries for 15 minutes.
        #
        #  It is recommended that you also enable signal logging in the auditing
        #  section so that logs are generated when a process triggers a suspicious
        #  signal.
        #  If the sysctl option is enabled, a sysctl option with name
        #  "deter_bruteforce" is created.
        #kernel.grsecurity.deter_bruteforce = 1

        #
        # Filesystem Protections
        #

        # Optimization for port usefor LBs
        # Increase system file descriptor limit
        fs.file-max = 65535

        #  If you say Y here, /tmp race exploits will be prevented, since users
        #  will no longer be able to follow symlinks owned by other users in
        #  world-writable +t directories (e.g. /tmp), unless the owner of the
        #  symlink is the owner of the directory. users will also not be
        #  able to hardlink to files they do not own.  If the sysctl option is
        #  enabled, a sysctl option with name "linking_restrictions" is created.
        kernel.grsecurity.linking_restrictions = 1


        #  Apache's SymlinksIfOwnerMatch option has an inherent race condition
        #  that prevents it from being used as a security feature.  As Apache
        #  verifies the symlink by performing a stat() against the target of
        #  the symlink before it is followed, an attacker can setup a symlink
        #  to point to a same-owned file, then replace the symlink with one
        #  that targets another user's file just after Apache "validates" the
        #  symlink -- a classic TOCTOU race.  If you say Y here, a complete,
        #  race-free replacement for Apache's "SymlinksIfOwnerMatch" option
        #  will be in place for the group you specify. If the sysctl option
        #  is enabled, a sysctl option with name "enforce_symlinksifowner" is
        #  created.
        #kernel.grsecurity.enforce_symlinksifowner = 1
        #kernel.grsecurity.symlinkown_gid = 33

        #  if you say Y here, users will not be able to write to FIFOs they don't
        #  own in world-writable +t directories (e.g. /tmp), unless the owner of
        #  the FIFO is the same owner of the directory it's held in.  If the sysctl
        #  option is enabled, a sysctl option with name "fifo_restrictions" is
        #  created.
        #kernel.grsecurity.fifo_restrictions = 1

        #  If you say Y here, a sysctl option with name "romount_protect" will
        #  be created.  By setting this option to 1 at runtime, filesystems
        #  will be protected in the following ways:
        #  * No new writable mounts will be allowed
        #  * Existing read-only mounts won't be able to be remounted read/write
        #  * Write operations will be denied on all block devices
        #  This option acts independently of grsec_lock: once it is set to 1,
        #  it cannot be turned off.  Therefore, please be mindful of the resulting
        #  behavior if this option is enabled in an init script on a read-only
        #  filesystem.
        #  Also be aware that as with other root-focused features, GRKERNSEC_KMEM
        #  and GRKERNSEC_IO should be enabled and module loading disabled via
        #  config or at runtime.
        #  This feature is mainly intended for secure embedded systems.
        #kernel.grsecurity.romount_protect = 0

        #  if you say Y here, the capabilities on all processes within a
        #  chroot jail will be lowered to stop module insertion, raw i/o,
        #  system and net admin tasks, rebooting the system, modifying immutable
        #  files, modifying IPC owned by another, and changing the system time.
        #  This is left an option because it can break some apps.  Disable this
        #  if your chrooted apps are having problems performing those kinds of
        #  tasks.  If the sysctl option is enabled, a sysctl option with
        #  name "chroot_caps" is created.
        kernel.grsecurity.chroot_caps = 1

        #kernel.grsecurity.chroot_deny_bad_rename = 1

        #  If you say Y here, processes inside a chroot will not be able to chmod
        #  or fchmod files to make them have suid or sgid bits.  This protects
        #  against another published method of breaking a chroot.  If the sysctl
        #  option is enabled, a sysctl option with name "chroot_deny_chmod" is
        #  created.
        kernel.grsecurity.chroot_deny_chmod     = 1

        #  If you say Y here, processes inside a chroot will not be able to chroot
        #  again outside the chroot.  This is a widely used method of breaking
        #  out of a chroot jail and should not be allowed.  If the sysctl
        #  option is enabled, a sysctl option with name
        #  "chroot_deny_chroot" is created.
        kernel.grsecurity.chroot_deny_chroot    = 1

        #  If you say Y here, a well-known method of breaking chroots by fchdir'ing
        #  to a file descriptor of the chrooting process that points to a directory
        #  outside the filesystem will be stopped.  If the sysctl option
        #  is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
        kernel.grsecurity.chroot_deny_fchdir = 1

        #  If you say Y here, processes inside a chroot will not be allowed to
        #  mknod.  The problem with using mknod inside a chroot is that it
        #  would allow an attacker to create a device entry that is the same
        #  as one on the physical root of your system, which could range from
        #  anything from the console device to a device for your harddrive (which
        #  they could then use to wipe the drive or steal data).  It is recommended
        #  that you say Y here, unless you run into software incompatibilities.
        #  If the sysctl option is enabled, a sysctl option with name
        #  "chroot_deny_mknod" is created.
        kernel.grsecurity.chroot_deny_mknod = 1

        #  If you say Y here, processes inside a chroot will not be able to
        #  mount or remount filesystems.  If the sysctl option is enabled, a
        #  sysctl option with name "chroot_deny_mount" is created.
        kernel.grsecurity.chroot_deny_mount = 1

        #  If you say Y here, processes inside a chroot will not be able to use
        #  a function called pivot_root() that was introduced in Linux 2.3.41.  It
        #  works similar to chroot in that it changes the root filesystem.  This
        #  function could be misused in a chrooted process to attempt to break out
        #  of the chroot, and therefore should not be allowed.  If the sysctl
        #  option is enabled, a sysctl option with name "chroot_deny_pivot" is
        #  created.
        kernel.grsecurity.chroot_deny_pivot     = 1

        #  If you say Y here, processes inside a chroot will not be able to attach
        #  to shared memory segments that were created outside of the chroot jail.
        #  It is recommended that you say Y here.  If the sysctl option is enabled,
        #  a sysctl option with name "chroot_deny_shmat" is created.
        kernel.grsecurity.chroot_deny_shmat = 1

        #  If you say Y here, an attacker in a chroot will not be able to
        #  write to sysctl entries, either by sysctl(2) or through a /proc
        #  interface.  It is strongly recommended that you say Y here. If the
        #  sysctl option is enabled, a sysctl option with name
        #  "chroot_deny_sysctl" is created.
        kernel.grsecurity.chroot_deny_sysctl = 1

        #  If you say Y here, processes inside a chroot will not be able to
        #  connect to abstract (meaning not belonging to a filesystem) Unix
        #  domain sockets that were bound outside of a chroot.  It is recommended
        #  that you say Y here.  If the sysctl option is enabled, a sysctl option
        #  with name "chroot_deny_unix" is created.
        kernel.grsecurity.chroot_deny_unix = 1

        #  If you say Y here, the current working directory of all newly-chrooted
        #  applications will be set to the the root directory of the chroot.
        #  The man page on chroot(2) states:
        #  Note that usually chhroot does not change  the  current  working
        #  directory,  so  that `.' can be outside the tree rooted at
        #  `/'.  In particular, the  super-user  can  escape  from  a
        #  `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
        #
        #  It is recommended that you say Y here, since it's not known to break
        #  any software.  If the sysctl option is enabled, a sysctl option with
        #  name "chroot_enforce_chdir" is created.
        kernel.grsecurity.chroot_enforce_chdir  = 1

        #  If you say Y here, processes inside a chroot will not be able to
        #  kill, send signals with fcntl, ptrace, capget, getpgid, setpgid,
        #  getsid, or view any process outside of the chroot.  If the sysctl
        #  option is enabled, a sysctl option with name "chroot_findtask" is
        #  created.
        kernel.grsecurity.chroot_findtask = 1

        #  If you say Y here, processes inside a chroot will not be able to raise
        #  the priority of processes in the chroot, or alter the priority of
        #  processes outside the chroot.  This provides more security than simply
        #  removing CAP_SYS_NICE from the process' capability set.  If the
        #  sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
        #  is created.
        kernel.grsecurity.chroot_restrict_nice = 1

        #
        # Kernel Auditing
        #

        #  If you say Y here, the exec and chdir logging features will only operate
        #  on a group you specify.  This option is recommended if you only want to
        #  watch certain users instead of having a large amount of logs from the
        #  entire system.  If the sysctl option is enabled, a sysctl option with
        #  name "audit_group" is created.
        kernel.grsecurity.audit_group = 0

        #  If you say Y here, the exec and chdir logging features will only operate
        #  on a group you specify.  This option is recommended if you only want to
        #  watch certain users instead of having a large amount of logs from the
        #  entire system.  If the sysctl option is enabled, a sysctl option with
        #  name "audit_group" is created.
        #kernel.grsecurity.audit_gid = 201

        #  If you say Y here, all execve() calls will be logged (since the
        #  other exec*() calls are frontends to execve(), all execution
        #  will be logged).  Useful for shell-servers that like to keep track
        #  of their users.  If the sysctl option is enabled, a sysctl option with
        #  name "exec_logging" is created.
        #  WARNING: This option when enabled will produce a LOT of logs, especially
        #  on an active system.
        kernel.grsecurity.exec_logging = 0

        #  If you say Y here, all attempts to overstep resource limits will
        #  be logged with the resource name, the requested size, and the current
        #  limit.  It is highly recommended that you say Y here.  If the sysctl
        #  option is enabled, a sysctl option with name "resource_logging" is
        #  created.  If the RBAC system is enabled, the sysctl value is ignored.
        #kernel.grsecurity.resource_logging = 1

        #  If you say Y here, all executions inside a chroot jail will be logged
        #  to syslog.  This can cause a large amount of logs if certain
        #  applications (eg. djb's daemontools) are installed on the system, and
        #  is therefore left as an option.  If the sysctl option is enabled, a
        #  sysctl option with name "chroot_execlog" is created.
        kernel.grsecurity.chroot_execlog = 0

        #  If you say Y here, all attempts to attach to a process via ptrace
        #  will be logged.  If the sysctl option is enabled, a sysctl option
        #  with name "audit_ptrace" is created.
        #kernel.grsecurity.audit_ptrace = 1
        kernel.grsecurity.audit_ptrace = 0

        #  If you say Y here, all attempts to attach to a process via ptrace
        #  will be logged.  If the sysctl option is enabled, a sysctl option
        #  with name "audit_ptrace" is created.
        kernel.grsecurity.audit_chdir = 0

        #  If you say Y here, all mounts and unmounts will be logged.  If the
        #  sysctl option is enabled, a sysctl option with name "audit_mount" is
        #  created.
        #kernel.grsecurity.audit_mount = 1
        kernel.grsecurity.audit_mount = 0

        #  If you say Y here, certain important signals will be logged, such as
        #  SIGSEGV, which will as a result inform you of when a error in a program
        #  occurred, which in some cases could mean a possible exploit attempt.
        #  If the sysctl option is enabled, a sysctl option with name
        #  "signal_logging" is created.
        kernel.grsecurity.signal_logging = 0

        #  If you say Y here, all failed fork() attempts will be logged.
        #  This could suggest a fork bomb, or someone attempting to overstep
        #  their process limit.  If the sysctl option is enabled, a sysctl option
        #  with name "forkfail_logging" is created.
        #kernel.grsecurity.forkfail_logging = 1
        kernel.grsecurity.forkfail_logging = 0

        #  If you say Y here, any changes of the system clock will be logged.
        #  If the sysctl option is enabled, a sysctl option with name
        #  "timechange_logging" is created.
        #kernel.grsecurity.timechange_logging = 1

        #  if you say Y here, calls to mmap() and mprotect() with explicit
        #  usage of PROT_WRITE and PROT_EXEC together will be logged when
        #  denied by the PAX_MPROTECT feature.  This feature will also
        #  log other problematic scenarios that can occur when PAX_MPROTECT
        #  is enabled on a binary, like textrels and PT_GNU_STACK.  If the
        #  sysctl option is enabled, a sysctl option with name "rwxmap_logging"
        #  is created.
        #kernel.grsecurity.rwxmap_logging = 1

        #
        # Executable Protections
        #


        #  if you say Y here, non-root users will not be able to use dmesg(8)
        #  to view the contents of the kernel's circular log buffer.
        #  The kernel's log buffer often contains kernel addresses and other
        #  identifying information useful to an attacker in fingerprinting a
        #  system for a targeted exploit.
        #  If the sysctl option is enabled, a sysctl option with name "dmesg" is
        #  created.
        kernel.grsecurity.dmesg = 1

        # Hide symbol addresses in /proc/kallsyms
        kernel.kptr_restrict = 1

        #  If you say Y here, TTY sniffers and other malicious monitoring
        #  programs implemented through ptrace will be defeated.  If you
        #  have been using the RBAC system, this option has already been
        #  enabled for several years for all users, with the ability to make
        #  fine-grained exceptions.
        #
        #  This option only affects the ability of non-root users to ptrace
        #  processes that are not a descendent of the ptracing process.
        #  This means that strace ./binary and gdb ./binary will still work,
        #  but attaching to arbitrary processes will not.  If the sysctl
        #  option is enabled, a sysctl option with name "harden_ptrace" is
        #  created.
        kernel.grsecurity.harden_ptrace = 1

        #  If you say Y here, unprivileged users will not be able to ptrace unreadable
        #  binaries.  This option is useful in environments that
        #  remove the read bits (e.g. file mode 4711) from suid binaries to
        #  prevent infoleaking of their contents.  This option adds
        #  consistency to the use of that file mode, as the binary could normally
        #  be read out when run without privileges while ptracing.
        #
        #  If the sysctl option is enabled, a sysctl option with name "ptrace_readexec"
        #  is created.
        kernel.grsecurity.ptrace_readexec = 1

        #  If you say Y here, a change from a root uid to a non-root uid
        #  in a multithreaded application will cause the resulting uids,
        #  gids, supplementary groups, and capabilities in that thread
        #  to be propagated to the other threads of the process.  In most
        #  cases this is unnecessary, as glibc will emulate this behavior
        #  on behalf of the application.  Other libcs do not act in the
        #  same way, allowing the other threads of the process to continue
        #  running with root privileges.  If the sysctl option is enabled,
        #  a sysctl option with name "consistent_setxid" is created.
        #kernel.grsecurity.consistent_setxid = 1

        #  If you say Y here, access to overly-permissive IPC objects (shared
        #  memory, message queues, and semaphores) will be denied for processes
        #  given the following criteria beyond normal permission checks:
        #  1) If the IPC object is world-accessible and the euid doesn't match
        #     that of the creator or current uid for the IPC object
        #  2) If the IPC object is group-accessible and the egid doesn't
        #     match that of the creator or current gid for the IPC object
        #  It's a common error to grant too much permission to these objects,
        #  with impact ranging from denial of service and information leaking to
        #  privilege escalation.  This feature was developed in response to
        #  research by Tim Brown:
        #  http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/
        #  who found hundreds of such insecure usages.  Processes with
        #  CAP_IPC_OWNER are still permitted to access these IPC objects.
        #  If the sysctl option is enabled, a sysctl option with name
        #  "harden_ipc" is created.
        kernel.grsecurity.harden_ipc = 1

        #  If you say Y here, you will be able to choose a gid to add to the
        #  supplementary groups of users you want to mark as "untrusted."
        #  These users will not be able to execute any files that are not in
        #  root-owned directories writable only by root.  If the sysctl option
        #  is enabled, a sysctl option with name "tpe" is created.
        kernel.grsecurity.tpe = 1
        kernel.grsecurity.tpe_gid = 101

        #  If you say Y here, the group you specify in the TPE configuration will
        #  decide what group TPE restrictions will be *disabled* for.  This
        #  option is useful if you want TPE restrictions to be applied to most
        #  users on the system.  If the sysctl option is enabled, a sysctl option
        #  with name "tpe_invert" is created.  Unlike other sysctl options, this
        #  entry will default to on for backward-compatibility.
        kernel.grsecurity.tpe_invert = 1

        #  If you say Y here, all non-root users will be covered under
        #  a weaker TPE restriction.  This is separate from, and in addition to,
        #  the main TPE options that you have selected elsewhere.  Thus, if a
        #  "trusted" GID is chosen, this restriction applies to even that GID.
        #  Under this restriction, all non-root users will only be allowed to
        #  execute files in directories they own that are not group or
        #  world-writable, or in directories owned by root and writable only by
        #  root.  If the sysctl option is enabled, a sysctl option with name
        #  "tpe_restrict_all" is created.
        kernel.grsecurity.tpe_restrict_all = 0


        #kernel.grsecurity.harden_tty = 1
        #
        # Network Protections
        #

        # Increase Linux auto tuning TCP buffer limits
        # min, default, and max number of bytes to use
        # set max to at least 4MB, or higher if you use very high BDP paths
        # Tcp Windows etc
        net.core.rmem_max = 8388608
        net.core.wmem_max = 8388608
        net.core.netdev_max_backlog = 5000
        net.ipv4.tcp_window_scaling = 1

        # Both ports linux-blob and linux-libre don't build with ipv6
        # Disable ipv6
        net.ipv6.conf.all.disable_ipv6 = 1
        net.ipv6.conf.default.disable_ipv6 = 1
        net.ipv6.conf.lo.disable_ipv6 = 1

        # Tuen IPv6
        #net.ipv6.conf.default.router_solicitations = 0
        #net.ipv6.conf.default.accept_ra_rtr_pref = 0
        #net.ipv6.conf.default.accept_ra_pinfo = 0
        #net.ipv6.conf.default.accept_ra_defrtr = 0
        #net.ipv6.conf.default.autoconf = 0
        #net.ipv6.conf.default.dad_transmits = 0
        #net.ipv6.conf.default.max_addresses = 0

        # Avoid a smurf attack
        net.ipv4.icmp_echo_ignore_broadcasts = 1

        # Turn on protection for bad icmp error messages
        net.ipv4.icmp_ignore_bogus_error_responses = 1

        # Turn on syncookies for SYN flood attack protection
        net.ipv4.tcp_syncookies = 1

        ## protect against tcp time-wait assassination hazards
        ## drop RST packets for sockets in the time-wait state
        ## (not widely supported outside of linux, but conforms to RFC)
        net.ipv4.tcp_rfc1337 = 1

        ## tcp timestamps
        ## + protect against wrapping sequence numbers (at gigabit speeds)
        ## + round trip time calculation implemented in TCP
        ## - causes extra overhead and allows uptime detection by scanners like nmap
        ## enable @ gigabit speeds
        net.ipv4.tcp_timestamps = 0
        #net.ipv4.tcp_timestamps = 1

        # Turn on and log spoofed, source routed, and redirect packets
        net.ipv4.conf.all.log_martians = 1
        net.ipv4.conf.default.log_martians = 1

        ## ignore echo broadcast requests to prevent being part of smurf attacks (default)
        net.ipv4.icmp_echo_ignore_broadcasts = 1

        # No source routed packets here
        net.ipv4.conf.all.accept_source_route = 0
        net.ipv4.conf.default.accept_source_route = 0

        ## sets the kernels reverse path filtering mechanism to value 1(on)
        ## will do source validation of the packet's recieved from all the interfaces on the machine
        ## protects from attackers that are using ip spoofing methods to do harm
        net.ipv4.conf.all.rp_filter = 1
        net.ipv4.conf.default.rp_filter = 1
        #net.ipv6.conf.default.rp_filter = 1
        #net.ipv6.conf.all.rp_filter = 1

        # Make sure no one can alter the routing tables
        net.ipv4.conf.all.accept_redirects = 0
        net.ipv4.conf.default.accept_redirects = 0
        net.ipv4.conf.all.secure_redirects = 0
        net.ipv4.conf.default.secure_redirects = 0

        # Act as a router, necessary for Access Point
        net.ipv4.ip_forward = 1
        net.ipv4.conf.all.send_redirects = 1
        net.ipv4.conf.default.send_redirects = 1

        # Increase system IP port limits
        net.ipv4.ip_local_port_range = 2000 65000

        # Increase TCP max buffer size setable using setsockopt()
        net.ipv4.tcp_rmem = 4096 87380 8388608
        net.ipv4.tcp_wmem = 4096 87380 8388608


        #  If you say Y here, neither TCP resets nor ICMP
        #  destination-unreachable packets will be sent in response to packets
        #  sent to ports for which no associated listening process exists.
        #  This feature supports both IPV4 and IPV6 and exempts the
        #  loopback interface from blackholing.  Enabling this feature
        #  makes a host more resilient to DoS attacks and reduces network
        #  visibility against scanners.
        #
        #  The blackhole feature as-implemented is equivalent to the FreeBSD
        #  blackhole feature, as it prevents RST responses to all packets, not
        #  just SYNs.  Under most application behavior this causes no
        #  problems, but applications (like haproxy) may not close certain
        #  connections in a way that cleanly terminates them on the remote
        #  end, leaving the remote host in LAST_ACK state.  Because of this
        #  side-effect and to prevent intentional LAST_ACK DoSes, this
        #  feature also adds automatic mitigation against such attacks.
        #  The mitigation drastically reduces the amount of time a socket
        #  can spend in LAST_ACK state.  If you're using haproxy and not
        #  all servers it connects to have this option enabled, consider
        #  disabling this feature on the haproxy host.
        #
        #  If the sysctl option is enabled, two sysctl options with names
        #  "ip_blackhole" and "lastack_retries" will be created.
        #  While "ip_blackhole" takes the standard zero/non-zero on/off
        #  toggle, "lastack_retries" uses the same kinds of values as
        #  "tcp_retries1" and "tcp_retries2".  The default value of 4
        #  prevents a socket from lasting more than 45 seconds in LAST_ACK
        #  state.
        #kernel.grsecurity.ip_blackhole = 1
        #kernel.grsecurity.lastack_retries = 4

        #  If you say Y here, you will be able to choose a GID of whose users will
        #  be unable to connect to other hosts from your machine or run server
        #  applications from your machine.  If the sysctl option is enabled, a
        #  sysctl option with name "socket_all" is created.
        #kernel.grsecurity.socket_all = 1

        #  Here you can choose the GID to disable socket access for. Remember to
        #  add the users you want socket access disabled for to the GID
        #  specified here.  If the sysctl option is enabled, a sysctl option
        #  with name "socket_all_gid" is created.
        #kernel.grsecurity.socket_all_gid = 202

        #  If you say Y here, you will be able to choose a GID of whose users will
        #  be unable to connect to other hosts from your machine, but will be
        #  able to run servers.  If this option is enabled, all users in the group
        #  you specify will have to use passive mode when initiating ftp transfers
        #  from the shell on your machine.  If the sysctl option is enabled, a
        #  sysctl option with name "socket_client" is created.
        #kernel.grsecurity.socket_client = 1

        #  Here you can choose the GID to disable client socket access for.
        #  Remember to add the users you want client socket access disabled for to
        #  the GID specified here.  If the sysctl option is enabled, a sysctl
        #  option with name "socket_client_gid" is created.
        #kernel.grsecurity.socket_client_gid = 203

        #  If you say Y here, you will be able to choose a GID of whose users will
        #  be unable to connect to other hosts from your machine, but will be
        #  able to run servers.  If this option is enabled, all users in the group
        #  you specify will have to use passive mode when initiating ftp transfers
        #  from the shell on your machine.  If the sysctl option is enabled, a
        #  sysctl option with name "socket_client" is created.
        #kernel.grsecurity.socket_server = 1

        #  Here you can choose the GID to disable server socket access for.
        #  Remember to add the users you want server socket access disabled for to
        #  the GID specified here.  If the sysctl option is enabled, a sysctl
        #  option with name "socket_server_gid" is created.
        #kernel.grsecurity.socket_server_gid = 204

        #
        # Physical Protections
        #

        #  If you say Y here, a new sysctl option with name "deny_new_usb"
        #  will be created.  Setting its value to 1 will prevent any new
        #  USB devices from being recognized by the OS.  Any attempted USB
        #  device insertion will be logged.  This option is intended to be
        #  used against custom USB devices designed to exploit vulnerabilities
        #  in various USB device drivers.
        #
        #  For greatest effectiveness, this sysctl should be set after any
        #  relevant init scripts.  This option is safe to enable in distros
        #  as each user can choose whether or not to toggle the sysctl.
        #kernel.grsecurity.deny_new_usb = 0

        #
        # Restrict grsec sysctl changes after this was set
        #
        #kernel.grsecurity.grsec_lock = 1


        # End of file
        </pre>


        <a href="index.html">Core OS Index</a>
        <p>This is part of the c9-doc Manual.
Copyright (C) 2017
c9 team.
See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
for copying conditions.</p>

    </body>
</html>
 <!DOCTYPE html>
<html dir="ltr" lang="en">
    <head>
        <meta charset='utf-8'>
        <title>2.1. Kernel Linux</title>
    </head>
    <body>

        <a href="index.html">Core OS Index</a>
        <h1 id="kernel">2.1. Kernel Linux</h1>

        <p>Linux is a monolith kernel, a big one ! Visit
        <a href="http://www.fsfla.org/ikiwiki/selibre/linux-libre/">Linux Libre</a>
        and
        <a href="https://www.kernel.org/">Linux Non-Libre</a> pages for more links
        and information.</p>

        <h2 id="#linuxlibre">2.1.1. Port Linux Libre</h2>

        <p>Default crux configuration can be obtained from iso, this port depends
        on dracut and grub but is not required to install them. To build and install
        this port using prt-get;</p>

        <pre>
        $ prt-get depinst linux-libre
        </pre>

        <h2 id="kinstall">2.1.2. Manual Install</h2>

        <p>Download Linux Source from
        <a href="http://linux-libre.fsfla.org/pub/linux-libre/releases/">linux libre</a>,
        or using the port system;</p>

        <p>Crux iso comes with config that is more generic than used on linux-libre
        port, crux default is a good starting point to personalize according to your
        needs (build default, detect modules needed);</p>

        <pre>
        $ mkdir ~/kernel
        $ cd ~/kernel
        $ cp /usr/ports/distfiles/linux-libre-4.9.11-gnu.tar.xz .
        $ tar xf linux-libre-4.9.11-gnu.tar.xz
        $ cd linux-4.9.11/
        </pre>

        <p><a href="grsecurity.net">Grsecurity</a> patch for
        <a href="https://grsecurity.net/test/grsecurity-3.1-4.9.9-201702122044.patch">4.9.11</a>.
        Gcc <a href="https://github.com/graysky2/kernel_gcc_patch/">graysky2</a> kernel_gcc_patch (<a href="https://github.com/graysky2/kernel_gcc_patch/archive/master.zip">master.zip</a>)
        that adds more cpu options (FLAGS native).
        Check <a href="ports/linux-libre/Pkgfile">Pkgfile</a> for instructions and
        more patches used on linux-libre port. Read patching your kernel with
        <a href="https://en.wikibooks.org/wiki/Grsecurity/Configuring_and_Installing_grsecurity#Patching_Your_Kernel_with_grsecurity">gresecurity</a>.</p>

        <p>Configure kernel according to your current kernel
        hardware support;</p>

        <pre>
        $ make localmodconfig
        </pre>

        <p>This will disable all unloaded modules,
        you can use localyesconfig mark all loaded
        to be built in the kernel. To get information
        about your hardware, for example information
        about which graphic module (driver) is in use
        as root run;</p>

        <pre>
        # lspci -nnk | grep -i vga -A3 | grep 'in use'
        Kernel driver in use: i915
        </pre>

        <p>Before start compiling check configuration;</p>

        <pre>
        $ make nconfig
        </pre>

        <pre>
        $ make -j $(nproc) bzImage modules
        $ sudo make modules_install
        $ sudo cp arch/x86/boot/bzImage /boot/vmlinuz-4.9.11-gnu
        $ sudo cp System.map /boot/System.map-4.9.11-gnu
        </pre>

        <p>Create dracut initramfs;</p>

        <pre>
        $sudo dracut --fstab /boot/initramfs-4.9.11-gnu.img 4.9.11-gnu
        </pre>

        <p>Update grub;</p>

        <pre>
        # grub-mkconfig -o /boot/grub/grub.cfg
        </pre>

        <h2 id="kuninstall">2.1.3. Manual Remove</h2>

        <pre>
        $ sudo rm -r /lib/modules/4.9.11-gnu
        $ sudo rm /boot/vmlinuz-4.9.11-gnu
        $ sudo rm /boot/System.map-4.9.11-gnu
        </pre>

        <h2 id="sysctl">2.1.4. Sysctl</h2>

        <p>Sysctl references
        <a href="https://wiki.archlinux.org/index.php/sysctl#TCP.2FIP_stack_hardening">Arch TCP/IP stack hardening</a>,
        <a href="http://www.cyberciti.biz/tips/linux-unix-bsd-nginx-webserver-security.html">Cyberciti Nginx Hardning</a>,
        <a href="http://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening/">Cyberciti Security Hardening</a>,
        <a href="https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options">Grsecurity and PaX Configuration</a>.</p>

        <p>Since kernels on c9-ports have <a href="pax.grsecurity.net">PaX</a>
        and <a href="http://grsecurity.net/announce.php">grsecurity</a>,
        <a href="conf/sysctl.conf">/etc/sysctl.conf</a> can have follow
        values;</p>

        <pre>
        #
        # /etc/sysctl.conf: configuration for system variables, see sysctl.conf(5)
        #

        kernel.printk = 15 1 1 4
        kernel.randomize_va_space = 1
        kernel.shmmax = 500000000
        # Allow for more PIDs (to reduce rollover problems); may break some programs 32768
        kernel.pid_max = 65536

        #
        # Memory Protections
        #

        #  If you say Y here, all ioperm and iopl calls will return an error.
        #  Ioperm and iopl can be used to modify the running kernel.
        #  Unfortunately, some programs need this access to operate properly,
        #  the most notable of which are XFree86 and hwclock.  hwclock can be
        #  remedied by having RTC support in the kernel, so real-time
        #  clock support is enabled if this option is enabled, to ensure
        #  that hwclock operates correctly.
        #
        #  If you're using XFree86 or a version of Xorg from 2012 or earlier,
        #  you may not be able to boot into a graphical environment with this
        #  option enabled.  In this case, you should use the RBAC system instead.
        #kernel.grsecurity.disable_priv_io = 1
        kernel.grsecurity.disable_priv_io = 0

        #  If you say Y here, attempts to bruteforce exploits against forking
        #  daemons such as apache or sshd, as well as against suid/sgid binaries
        #  will be deterred.  When a child of a forking daemon is killed by PaX
        #  or crashes due to an illegal instruction or other suspicious signal,
        #  the parent process will be delayed 30 seconds upon every subsequent
        #  fork until the administrator is able to assess the situation and
        #  restart the daemon.
        #  In the suid/sgid case, the attempt is logged, the user has all their
        #  existing instances of the suid/sgid binary terminated and will
        #  be unable to execute any suid/sgid binaries for 15 minutes.
        #
        #  It is recommended that you also enable signal logging in the auditing
        #  section so that logs are generated when a process triggers a suspicious
        #  signal.
        #  If the sysctl option is enabled, a sysctl option with name
        #  "deter_bruteforce" is created.
        #kernel.grsecurity.deter_bruteforce = 1

        #
        # Filesystem Protections
        #

        # Optimization for port usefor LBs
        # Increase system file descriptor limit
        fs.file-max = 65535

        #  If you say Y here, /tmp race exploits will be prevented, since users
        #  will no longer be able to follow symlinks owned by other users in
        #  world-writable +t directories (e.g. /tmp), unless the owner of the
        #  symlink is the owner of the directory. users will also not be
        #  able to hardlink to files they do not own.  If the sysctl option is
        #  enabled, a sysctl option with name "linking_restrictions" is created.
        kernel.grsecurity.linking_restrictions = 1


        #  Apache's SymlinksIfOwnerMatch option has an inherent race condition
        #  that prevents it from being used as a security feature.  As Apache
        #  verifies the symlink by performing a stat() against the target of
        #  the symlink before it is followed, an attacker can setup a symlink
        #  to point to a same-owned file, then replace the symlink with one
        #  that targets another user's file just after Apache "validates" the
        #  symlink -- a classic TOCTOU race.  If you say Y here, a complete,
        #  race-free replacement for Apache's "SymlinksIfOwnerMatch" option
        #  will be in place for the group you specify. If the sysctl option
        #  is enabled, a sysctl option with name "enforce_symlinksifowner" is
        #  created.
        #kernel.grsecurity.enforce_symlinksifowner = 1
        #kernel.grsecurity.symlinkown_gid = 33

        #  if you say Y here, users will not be able to write to FIFOs they don't
        #  own in world-writable +t directories (e.g. /tmp), unless the owner of
        #  the FIFO is the same owner of the directory it's held in.  If the sysctl
        #  option is enabled, a sysctl option with name "fifo_restrictions" is
        #  created.
        #kernel.grsecurity.fifo_restrictions = 1

        #  If you say Y here, a sysctl option with name "romount_protect" will
        #  be created.  By setting this option to 1 at runtime, filesystems
        #  will be protected in the following ways:
        #  * No new writable mounts will be allowed
        #  * Existing read-only mounts won't be able to be remounted read/write
        #  * Write operations will be denied on all block devices
        #  This option acts independently of grsec_lock: once it is set to 1,
        #  it cannot be turned off.  Therefore, please be mindful of the resulting
        #  behavior if this option is enabled in an init script on a read-only
        #  filesystem.
        #  Also be aware that as with other root-focused features, GRKERNSEC_KMEM
        #  and GRKERNSEC_IO should be enabled and module loading disabled via
        #  config or at runtime.
        #  This feature is mainly intended for secure embedded systems.
        #kernel.grsecurity.romount_protect = 0

        #  if you say Y here, the capabilities on all processes within a
        #  chroot jail will be lowered to stop module insertion, raw i/o,
        #  system and net admin tasks, rebooting the system, modifying immutable
        #  files, modifying IPC owned by another, and changing the system time.
        #  This is left an option because it can break some apps.  Disable this
        #  if your chrooted apps are having problems performing those kinds of
        #  tasks.  If the sysctl option is enabled, a sysctl option with
        #  name "chroot_caps" is created.
        kernel.grsecurity.chroot_caps = 1

        #kernel.grsecurity.chroot_deny_bad_rename = 1

        #  If you say Y here, processes inside a chroot will not be able to chmod
        #  or fchmod files to make them have suid or sgid bits.  This protects
        #  against another published method of breaking a chroot.  If the sysctl
        #  option is enabled, a sysctl option with name "chroot_deny_chmod" is
        #  created.
        kernel.grsecurity.chroot_deny_chmod     = 1

        #  If you say Y here, processes inside a chroot will not be able to chroot
        #  again outside the chroot.  This is a widely used method of breaking
        #  out of a chroot jail and should not be allowed.  If the sysctl
        #  option is enabled, a sysctl option with name
        #  "chroot_deny_chroot" is created.
        kernel.grsecurity.chroot_deny_chroot    = 1

        #  If you say Y here, a well-known method of breaking chroots by fchdir'ing
        #  to a file descriptor of the chrooting process that points to a directory
        #  outside the filesystem will be stopped.  If the sysctl option
        #  is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
        kernel.grsecurity.chroot_deny_fchdir = 1

        #  If you say Y here, processes inside a chroot will not be allowed to
        #  mknod.  The problem with using mknod inside a chroot is that it
        #  would allow an attacker to create a device entry that is the same
        #  as one on the physical root of your system, which could range from
        #  anything from the console device to a device for your harddrive (which
        #  they could then use to wipe the drive or steal data).  It is recommended
        #  that you say Y here, unless you run into software incompatibilities.
        #  If the sysctl option is enabled, a sysctl option with name
        #  "chroot_deny_mknod" is created.
        kernel.grsecurity.chroot_deny_mknod = 1

        #  If you say Y here, processes inside a chroot will not be able to
        #  mount or remount filesystems.  If the sysctl option is enabled, a
        #  sysctl option with name "chroot_deny_mount" is created.
        kernel.grsecurity.chroot_deny_mount = 1

        #  If you say Y here, processes inside a chroot will not be able to use
        #  a function called pivot_root() that was introduced in Linux 2.3.41.  It
        #  works similar to chroot in that it changes the root filesystem.  This
        #  function could be misused in a chrooted process to attempt to break out
        #  of the chroot, and therefore should not be allowed.  If the sysctl
        #  option is enabled, a sysctl option with name "chroot_deny_pivot" is
        #  created.
        kernel.grsecurity.chroot_deny_pivot     = 1

        #  If you say Y here, processes inside a chroot will not be able to attach
        #  to shared memory segments that were created outside of the chroot jail.
        #  It is recommended that you say Y here.  If the sysctl option is enabled,
        #  a sysctl option with name "chroot_deny_shmat" is created.
        kernel.grsecurity.chroot_deny_shmat = 1

        #  If you say Y here, an attacker in a chroot will not be able to
        #  write to sysctl entries, either by sysctl(2) or through a /proc
        #  interface.  It is strongly recommended that you say Y here. If the
        #  sysctl option is enabled, a sysctl option with name
        #  "chroot_deny_sysctl" is created.
        kernel.grsecurity.chroot_deny_sysctl = 1

        #  If you say Y here, processes inside a chroot will not be able to
        #  connect to abstract (meaning not belonging to a filesystem) Unix
        #  domain sockets that were bound outside of a chroot.  It is recommended
        #  that you say Y here.  If the sysctl option is enabled, a sysctl option
        #  with name "chroot_deny_unix" is created.
        kernel.grsecurity.chroot_deny_unix = 1

        #  If you say Y here, the current working directory of all newly-chrooted
        #  applications will be set to the the root directory of the chroot.
        #  The man page on chroot(2) states:
        #  Note that usually chhroot does not change  the  current  working
        #  directory,  so  that `.' can be outside the tree rooted at
        #  `/'.  In particular, the  super-user  can  escape  from  a
        #  `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
        #
        #  It is recommended that you say Y here, since it's not known to break
        #  any software.  If the sysctl option is enabled, a sysctl option with
        #  name "chroot_enforce_chdir" is created.
        kernel.grsecurity.chroot_enforce_chdir  = 1

        #  If you say Y here, processes inside a chroot will not be able to
        #  kill, send signals with fcntl, ptrace, capget, getpgid, setpgid,
        #  getsid, or view any process outside of the chroot.  If the sysctl
        #  option is enabled, a sysctl option with name "chroot_findtask" is
        #  created.
        kernel.grsecurity.chroot_findtask = 1

        #  If you say Y here, processes inside a chroot will not be able to raise
        #  the priority of processes in the chroot, or alter the priority of
        #  processes outside the chroot.  This provides more security than simply
        #  removing CAP_SYS_NICE from the process' capability set.  If the
        #  sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
        #  is created.
        kernel.grsecurity.chroot_restrict_nice = 1

        #
        # Kernel Auditing
        #

        #  If you say Y here, the exec and chdir logging features will only operate
        #  on a group you specify.  This option is recommended if you only want to
        #  watch certain users instead of having a large amount of logs from the
        #  entire system.  If the sysctl option is enabled, a sysctl option with
        #  name "audit_group" is created.
        kernel.grsecurity.audit_group = 0

        #  If you say Y here, the exec and chdir logging features will only operate
        #  on a group you specify.  This option is recommended if you only want to
        #  watch certain users instead of having a large amount of logs from the
        #  entire system.  If the sysctl option is enabled, a sysctl option with
        #  name "audit_group" is created.
        #kernel.grsecurity.audit_gid = 201

        #  If you say Y here, all execve() calls will be logged (since the
        #  other exec*() calls are frontends to execve(), all execution
        #  will be logged).  Useful for shell-servers that like to keep track
        #  of their users.  If the sysctl option is enabled, a sysctl option with
        #  name "exec_logging" is created.
        #  WARNING: This option when enabled will produce a LOT of logs, especially
        #  on an active system.
        kernel.grsecurity.exec_logging = 0

        #  If you say Y here, all attempts to overstep resource limits will
        #  be logged with the resource name, the requested size, and the current
        #  limit.  It is highly recommended that you say Y here.  If the sysctl
        #  option is enabled, a sysctl option with name "resource_logging" is
        #  created.  If the RBAC system is enabled, the sysctl value is ignored.
        #kernel.grsecurity.resource_logging = 1

        #  If you say Y here, all executions inside a chroot jail will be logged
        #  to syslog.  This can cause a large amount of logs if certain
        #  applications (eg. djb's daemontools) are installed on the system, and
        #  is therefore left as an option.  If the sysctl option is enabled, a
        #  sysctl option with name "chroot_execlog" is created.
        kernel.grsecurity.chroot_execlog = 0

        #  If you say Y here, all attempts to attach to a process via ptrace
        #  will be logged.  If the sysctl option is enabled, a sysctl option
        #  with name "audit_ptrace" is created.
        #kernel.grsecurity.audit_ptrace = 1
        kernel.grsecurity.audit_ptrace = 0

        #  If you say Y here, all attempts to attach to a process via ptrace
        #  will be logged.  If the sysctl option is enabled, a sysctl option
        #  with name "audit_ptrace" is created.
        kernel.grsecurity.audit_chdir = 0

        #  If you say Y here, all mounts and unmounts will be logged.  If the
        #  sysctl option is enabled, a sysctl option with name "audit_mount" is
        #  created.
        #kernel.grsecurity.audit_mount = 1
        kernel.grsecurity.audit_mount = 0

        #  If you say Y here, certain important signals will be logged, such as
        #  SIGSEGV, which will as a result inform you of when a error in a program
        #  occurred, which in some cases could mean a possible exploit attempt.
        #  If the sysctl option is enabled, a sysctl option with name
        #  "signal_logging" is created.
        kernel.grsecurity.signal_logging = 0

        #  If you say Y here, all failed fork() attempts will be logged.
        #  This could suggest a fork bomb, or someone attempting to overstep
        #  their process limit.  If the sysctl option is enabled, a sysctl option
        #  with name "forkfail_logging" is created.
        #kernel.grsecurity.forkfail_logging = 1
        kernel.grsecurity.forkfail_logging = 0

        #  If you say Y here, any changes of the system clock will be logged.
        #  If the sysctl option is enabled, a sysctl option with name
        #  "timechange_logging" is created.
        #kernel.grsecurity.timechange_logging = 1

        #  if you say Y here, calls to mmap() and mprotect() with explicit
        #  usage of PROT_WRITE and PROT_EXEC together will be logged when
        #  denied by the PAX_MPROTECT feature.  This feature will also
        #  log other problematic scenarios that can occur when PAX_MPROTECT
        #  is enabled on a binary, like textrels and PT_GNU_STACK.  If the
        #  sysctl option is enabled, a sysctl option with name "rwxmap_logging"
        #  is created.
        #kernel.grsecurity.rwxmap_logging = 1

        #
        # Executable Protections
        #


        #  if you say Y here, non-root users will not be able to use dmesg(8)
        #  to view the contents of the kernel's circular log buffer.
        #  The kernel's log buffer often contains kernel addresses and other
        #  identifying information useful to an attacker in fingerprinting a
        #  system for a targeted exploit.
        #  If the sysctl option is enabled, a sysctl option with name "dmesg" is
        #  created.
        kernel.grsecurity.dmesg = 1

        # Hide symbol addresses in /proc/kallsyms
        kernel.kptr_restrict = 1

        #  If you say Y here, TTY sniffers and other malicious monitoring
        #  programs implemented through ptrace will be defeated.  If you
        #  have been using the RBAC system, this option has already been
        #  enabled for several years for all users, with the ability to make
        #  fine-grained exceptions.
        #
        #  This option only affects the ability of non-root users to ptrace
        #  processes that are not a descendent of the ptracing process.
        #  This means that strace ./binary and gdb ./binary will still work,
        #  but attaching to arbitrary processes will not.  If the sysctl
        #  option is enabled, a sysctl option with name "harden_ptrace" is
        #  created.
        kernel.grsecurity.harden_ptrace = 1

        #  If you say Y here, unprivileged users will not be able to ptrace unreadable
        #  binaries.  This option is useful in environments that
        #  remove the read bits (e.g. file mode 4711) from suid binaries to
        #  prevent infoleaking of their contents.  This option adds
        #  consistency to the use of that file mode, as the binary could normally
        #  be read out when run without privileges while ptracing.
        #
        #  If the sysctl option is enabled, a sysctl option with name "ptrace_readexec"
        #  is created.
        kernel.grsecurity.ptrace_readexec = 1

        #  If you say Y here, a change from a root uid to a non-root uid
        #  in a multithreaded application will cause the resulting uids,
        #  gids, supplementary groups, and capabilities in that thread
        #  to be propagated to the other threads of the process.  In most
        #  cases this is unnecessary, as glibc will emulate this behavior
        #  on behalf of the application.  Other libcs do not act in the
        #  same way, allowing the other threads of the process to continue
        #  running with root privileges.  If the sysctl option is enabled,
        #  a sysctl option with name "consistent_setxid" is created.
        #kernel.grsecurity.consistent_setxid = 1

        #  If you say Y here, access to overly-permissive IPC objects (shared
        #  memory, message queues, and semaphores) will be denied for processes
        #  given the following criteria beyond normal permission checks:
        #  1) If the IPC object is world-accessible and the euid doesn't match
        #     that of the creator or current uid for the IPC object
        #  2) If the IPC object is group-accessible and the egid doesn't
        #     match that of the creator or current gid for the IPC object
        #  It's a common error to grant too much permission to these objects,
        #  with impact ranging from denial of service and information leaking to
        #  privilege escalation.  This feature was developed in response to
        #  research by Tim Brown:
        #  http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/
        #  who found hundreds of such insecure usages.  Processes with
        #  CAP_IPC_OWNER are still permitted to access these IPC objects.
        #  If the sysctl option is enabled, a sysctl option with name
        #  "harden_ipc" is created.
        kernel.grsecurity.harden_ipc = 1

        #  If you say Y here, you will be able to choose a gid to add to the
        #  supplementary groups of users you want to mark as "untrusted."
        #  These users will not be able to execute any files that are not in
        #  root-owned directories writable only by root.  If the sysctl option
        #  is enabled, a sysctl option with name "tpe" is created.
        kernel.grsecurity.tpe = 1
        kernel.grsecurity.tpe_gid = 101

        #  If you say Y here, the group you specify in the TPE configuration will
        #  decide what group TPE restrictions will be *disabled* for.  This
        #  option is useful if you want TPE restrictions to be applied to most
        #  users on the system.  If the sysctl option is enabled, a sysctl option
        #  with name "tpe_invert" is created.  Unlike other sysctl options, this
        #  entry will default to on for backward-compatibility.
        kernel.grsecurity.tpe_invert = 1

        #  If you say Y here, all non-root users will be covered under
        #  a weaker TPE restriction.  This is separate from, and in addition to,
        #  the main TPE options that you have selected elsewhere.  Thus, if a
        #  "trusted" GID is chosen, this restriction applies to even that GID.
        #  Under this restriction, all non-root users will only be allowed to
        #  execute files in directories they own that are not group or
        #  world-writable, or in directories owned by root and writable only by
        #  root.  If the sysctl option is enabled, a sysctl option with name
        #  "tpe_restrict_all" is created.
        kernel.grsecurity.tpe_restrict_all = 0


        #kernel.grsecurity.harden_tty = 1
        #
        # Network Protections
        #

        # Increase Linux auto tuning TCP buffer limits
        # min, default, and max number of bytes to use
        # set max to at least 4MB, or higher if you use very high BDP paths
        # Tcp Windows etc
        net.core.rmem_max = 8388608
        net.core.wmem_max = 8388608
        net.core.netdev_max_backlog = 5000
        net.ipv4.tcp_window_scaling = 1

        # Both ports linux-blob and linux-libre don't build with ipv6
        # Disable ipv6
        net.ipv6.conf.all.disable_ipv6 = 1
        net.ipv6.conf.default.disable_ipv6 = 1
        net.ipv6.conf.lo.disable_ipv6 = 1

        # Tuen IPv6
        #net.ipv6.conf.default.router_solicitations = 0
        #net.ipv6.conf.default.accept_ra_rtr_pref = 0
        #net.ipv6.conf.default.accept_ra_pinfo = 0
        #net.ipv6.conf.default.accept_ra_defrtr = 0
        #net.ipv6.conf.default.autoconf = 0
        #net.ipv6.conf.default.dad_transmits = 0
        #net.ipv6.conf.default.max_addresses = 0

        # Avoid a smurf attack
        net.ipv4.icmp_echo_ignore_broadcasts = 1

        # Turn on protection for bad icmp error messages
        net.ipv4.icmp_ignore_bogus_error_responses = 1

        # Turn on syncookies for SYN flood attack protection
        net.ipv4.tcp_syncookies = 1

        ## protect against tcp time-wait assassination hazards
        ## drop RST packets for sockets in the time-wait state
        ## (not widely supported outside of linux, but conforms to RFC)
        net.ipv4.tcp_rfc1337 = 1

        ## tcp timestamps
        ## + protect against wrapping sequence numbers (at gigabit speeds)
        ## + round trip time calculation implemented in TCP
        ## - causes extra overhead and allows uptime detection by scanners like nmap
        ## enable @ gigabit speeds
        net.ipv4.tcp_timestamps = 0
        #net.ipv4.tcp_timestamps = 1

        # Turn on and log spoofed, source routed, and redirect packets
        net.ipv4.conf.all.log_martians = 1
        net.ipv4.conf.default.log_martians = 1

        ## ignore echo broadcast requests to prevent being part of smurf attacks (default)
        net.ipv4.icmp_echo_ignore_broadcasts = 1

        # No source routed packets here
        net.ipv4.conf.all.accept_source_route = 0
        net.ipv4.conf.default.accept_source_route = 0

        ## sets the kernels reverse path filtering mechanism to value 1(on)
        ## will do source validation of the packet's recieved from all the interfaces on the machine
        ## protects from attackers that are using ip spoofing methods to do harm
        net.ipv4.conf.all.rp_filter = 1
        net.ipv4.conf.default.rp_filter = 1
        #net.ipv6.conf.default.rp_filter = 1
        #net.ipv6.conf.all.rp_filter = 1

        # Make sure no one can alter the routing tables
        net.ipv4.conf.all.accept_redirects = 0
        net.ipv4.conf.default.accept_redirects = 0
        net.ipv4.conf.all.secure_redirects = 0
        net.ipv4.conf.default.secure_redirects = 0

        # Act as a router, necessary for Access Point
        net.ipv4.ip_forward = 1
        net.ipv4.conf.all.send_redirects = 1
        net.ipv4.conf.default.send_redirects = 1

        # Increase system IP port limits
        net.ipv4.ip_local_port_range = 2000 65000

        # Increase TCP max buffer size setable using setsockopt()
        net.ipv4.tcp_rmem = 4096 87380 8388608
        net.ipv4.tcp_wmem = 4096 87380 8388608


        #  If you say Y here, neither TCP resets nor ICMP
        #  destination-unreachable packets will be sent in response to packets
        #  sent to ports for which no associated listening process exists.
        #  This feature supports both IPV4 and IPV6 and exempts the
        #  loopback interface from blackholing.  Enabling this feature
        #  makes a host more resilient to DoS attacks and reduces network
        #  visibility against scanners.
        #
        #  The blackhole feature as-implemented is equivalent to the FreeBSD
        #  blackhole feature, as it prevents RST responses to all packets, not
        #  just SYNs.  Under most application behavior this causes no
        #  problems, but applications (like haproxy) may not close certain
        #  connections in a way that cleanly terminates them on the remote
        #  end, leaving the remote host in LAST_ACK state.  Because of this
        #  side-effect and to prevent intentional LAST_ACK DoSes, this
        #  feature also adds automatic mitigation against such attacks.
        #  The mitigation drastically reduces the amount of time a socket
        #  can spend in LAST_ACK state.  If you're using haproxy and not
        #  all servers it connects to have this option enabled, consider
        #  disabling this feature on the haproxy host.
        #
        #  If the sysctl option is enabled, two sysctl options with names
        #  "ip_blackhole" and "lastack_retries" will be created.
        #  While "ip_blackhole" takes the standard zero/non-zero on/off
        #  toggle, "lastack_retries" uses the same kinds of values as
        #  "tcp_retries1" and "tcp_retries2".  The default value of 4
        #  prevents a socket from lasting more than 45 seconds in LAST_ACK
        #  state.
        #kernel.grsecurity.ip_blackhole = 1
        #kernel.grsecurity.lastack_retries = 4

        #  If you say Y here, you will be able to choose a GID of whose users will
        #  be unable to connect to other hosts from your machine or run server
        #  applications from your machine.  If the sysctl option is enabled, a
        #  sysctl option with name "socket_all" is created.
        #kernel.grsecurity.socket_all = 1

        #  Here you can choose the GID to disable socket access for. Remember to
        #  add the users you want socket access disabled for to the GID
        #  specified here.  If the sysctl option is enabled, a sysctl option
        #  with name "socket_all_gid" is created.
        #kernel.grsecurity.socket_all_gid = 202

        #  If you say Y here, you will be able to choose a GID of whose users will
        #  be unable to connect to other hosts from your machine, but will be
        #  able to run servers.  If this option is enabled, all users in the group
        #  you specify will have to use passive mode when initiating ftp transfers
        #  from the shell on your machine.  If the sysctl option is enabled, a
        #  sysctl option with name "socket_client" is created.
        #kernel.grsecurity.socket_client = 1

        #  Here you can choose the GID to disable client socket access for.
        #  Remember to add the users you want client socket access disabled for to
        #  the GID specified here.  If the sysctl option is enabled, a sysctl
        #  option with name "socket_client_gid" is created.
        #kernel.grsecurity.socket_client_gid = 203

        #  If you say Y here, you will be able to choose a GID of whose users will
        #  be unable to connect to other hosts from your machine, but will be
        #  able to run servers.  If this option is enabled, all users in the group
        #  you specify will have to use passive mode when initiating ftp transfers
        #  from the shell on your machine.  If the sysctl option is enabled, a
        #  sysctl option with name "socket_client" is created.
        #kernel.grsecurity.socket_server = 1

        #  Here you can choose the GID to disable server socket access for.
        #  Remember to add the users you want server socket access disabled for to
        #  the GID specified here.  If the sysctl option is enabled, a sysctl
        #  option with name "socket_server_gid" is created.
        #kernel.grsecurity.socket_server_gid = 204

        #
        # Physical Protections
        #

        #  If you say Y here, a new sysctl option with name "deny_new_usb"
        #  will be created.  Setting its value to 1 will prevent any new
        #  USB devices from being recognized by the OS.  Any attempted USB
        #  device insertion will be logged.  This option is intended to be
        #  used against custom USB devices designed to exploit vulnerabilities
        #  in various USB device drivers.
        #
        #  For greatest effectiveness, this sysctl should be set after any
        #  relevant init scripts.  This option is safe to enable in distros
        #  as each user can choose whether or not to toggle the sysctl.
        #kernel.grsecurity.deny_new_usb = 0

        #
        # Restrict grsec sysctl changes after this was set
        #
        #kernel.grsecurity.grsec_lock = 1


        # End of file
        </pre>


        <a href="index.html">Core OS Index</a>
        <p>This is part of the c9-doc Manual.
Copyright (C) 2017
c9 team.
See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
for copying conditions.</p>

    </body>
</html>