about summary refs log blame commit diff stats
path: root/core/sysctl.html
blob: d06afdef6d654a906fc32107c1a71d8626c68c04 (plain) (tree)
1
2
3
4
5
6
7
8
9
10



                              
                                    




                                              
                                          






                                                                                                                                                      
                                                                                   

































                                                                                          
                                             
































                                                                                  
                                                  












                                                                              

                                                     





                                                                                   
                                               














                                                                                  
                                              


















































































































                                                                                     
                                         





                                                                                   
                                        


























                                                                                   
                                           





















                                                                                  






























                                                                                
                                


































                                                                                       
                                               
















                                                                                                       
                                        






                                                                              
                                       


































































































































































                                                                                                    
                                        




                                                                                
                                              












                                                                                  
                                                 








































                                                                                  

                                                         
                  




                                                                                            
<!DOCTYPE html>
<html dir="ltr" lang="en">
    <head>
        <meta charset='utf-8'>
        <title>2.2.2. Sysctl</title>
    </head>
    <body>

        <a href="index.html">Core OS Index</a>

        <h1 id="sysctl">2.2.2. Sysctl</h1>

        <p>Sysctl references
        <a href="https://wiki.archlinux.org/index.php/sysctl#TCP.2FIP_stack_hardening">Arch TCP/IP stack hardening</a>,
        <a href="http://www.cyberciti.biz/tips/linux-unix-bsd-nginx-webserver-security.html">Cyberciti Nginx Hardning</a>,
        <a href="http://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening/">Cyberciti Security Hardening</a>,
        <a href="https://en.wikibooks.org/wiki/Grsecurity/Appendix/Grsecurity_and_PaX_Configuration_Options">Grsecurity and PaX Configuration</a>.</p>

        <p>Since kernels on machine-ports have <a href="pax.grsecurity.net">PaX</a>
        and <a href="http://grsecurity.net/announce.php">grsecurity</a>,
        <a href="conf/sysctl.conf">/etc/sysctl.conf</a> can have follow
        values;</p>

        <pre>
        #
        # /etc/sysctl.conf: configuration for system variables, see sysctl.conf(5)
        #

        kernel.printk = 7 1 1 4
        kernel.randomize_va_space = 2
        # Shared Memory
        #kernel.shmmax = 500000000
        # Total allocated file handlers that can be allocated
        # fs.file-nr=
        vm.mmap_min_addr=65536
        # Allow for more PIDs (to reduce rollover problems); may break some programs 32768
        kernel.pid_max = 65536

        #
        # Memory Protections
        #

        #  If you say Y here, all ioperm and iopl calls will return an error.
        #  Ioperm and iopl can be used to modify the running kernel.
        #  Unfortunately, some programs need this access to operate properly,
        #  the most notable of which are XFree86 and hwclock.  hwclock can be
        #  remedied by having RTC support in the kernel, so real-time
        #  clock support is enabled if this option is enabled, to ensure
        #  that hwclock operates correctly.
        #
        #  If you're using XFree86 or a version of Xorg from 2012 or earlier,
        #  you may not be able to boot into a graphical environment with this
        #  option enabled.  In this case, you should use the RBAC system instead.
        kernel.grsecurity.disable_priv_io = 1

        #  If you say Y here, attempts to bruteforce exploits against forking
        #  daemons such as apache or sshd, as well as against suid/sgid binaries
        #  will be deterred.  When a child of a forking daemon is killed by PaX
        #  or crashes due to an illegal instruction or other suspicious signal,
        #  the parent process will be delayed 30 seconds upon every subsequent
        #  fork until the administrator is able to assess the situation and
        #  restart the daemon.
        #  In the suid/sgid case, the attempt is logged, the user has all their
        #  existing instances of the suid/sgid binary terminated and will
        #  be unable to execute any suid/sgid binaries for 15 minutes.
        #
        #  It is recommended that you also enable signal logging in the auditing
        #  section so that logs are generated when a process triggers a suspicious
        #  signal.
        #  If the sysctl option is enabled, a sysctl option with name
        #  "deter_bruteforce" is created.
        kernel.grsecurity.deter_bruteforce = 1

        #
        # Filesystem Protections
        #

        # Optimization for port usefor LBs
        # Increase system file descriptor limit
        fs.file-max = 65535

        #  If you say Y here, /tmp race exploits will be prevented, since users
        #  will no longer be able to follow symlinks owned by other users in
        #  world-writable +t directories (e.g. /tmp), unless the owner of the
        #  symlink is the owner of the directory. users will also not be
        #  able to hardlink to files they do not own.  If the sysctl option is
        #  enabled, a sysctl option with name "linking_restrictions" is created.
        kernel.grsecurity.linking_restrictions = 1


        #  Apache's SymlinksIfOwnerMatch option has an inherent race condition
        #  that prevents it from being used as a security feature.  As Apache
        #  verifies the symlink by performing a stat() against the target of
        #  the symlink before it is followed, an attacker can setup a symlink
        #  to point to a same-owned file, then replace the symlink with one
        #  that targets another user's file just after Apache "validates" the
        #  symlink -- a classic TOCTOU race.  If you say Y here, a complete,
        #  race-free replacement for Apache's "SymlinksIfOwnerMatch" option
        #  will be in place for the group you specify. If the sysctl option
        #  is enabled, a sysctl option with name "enforce_symlinksifowner" is
        #  created.
        kernel.grsecurity.enforce_symlinksifowner = 1
        kernel.grsecurity.symlinkown_gid = 15

        #  if you say Y here, users will not be able to write to FIFOs they don't
        #  own in world-writable +t directories (e.g. /tmp), unless the owner of
        #  the FIFO is the same owner of the directory it's held in.  If the sysctl
        #  option is enabled, a sysctl option with name "fifo_restrictions" is
        #  created.
        kernel.grsecurity.fifo_restrictions = 1

        #  If you say Y here, a sysctl option with name "romount_protect" will
        #  be created.  By setting this option to 1 at runtime, filesystems
        #  will be protected in the following ways:
        #  * No new writable mounts will be allowed
        #  * Existing read-only mounts won't be able to be remounted read/write
        #  * Write operations will be denied on all block devices
        #  This option acts independently of grsec_lock: once it is set to 1,
        #  it cannot be turned off.  Therefore, please be mindful of the resulting
        #  behavior if this option is enabled in an init script on a read-only
        #  filesystem.
        #  Also be aware that as with other root-focused features, GRKERNSEC_KMEM
        #  and GRKERNSEC_IO should be enabled and module loading disabled via
        #  config or at runtime.
        #  This feature is mainly intended for secure embedded systems.
        #kernel.grsecurity.romount_protect = 1

        #  if you say Y here, the capabilities on all processes within a
        #  chroot jail will be lowered to stop module insertion, raw i/o,
        #  system and net admin tasks, rebooting the system, modifying immutable
        #  files, modifying IPC owned by another, and changing the system time.
        #  This is left an option because it can break some apps.  Disable this
        #  if your chrooted apps are having problems performing those kinds of
        #  tasks.  If the sysctl option is enabled, a sysctl option with
        #  name "chroot_caps" is created.
        kernel.grsecurity.chroot_caps = 1

        #kernel.grsecurity.chroot_deny_bad_rename = 1

        #  If you say Y here, processes inside a chroot will not be able to chmod
        #  or fchmod files to make them have suid or sgid bits.  This protects
        #  against another published method of breaking a chroot.  If the sysctl
        #  option is enabled, a sysctl option with name "chroot_deny_chmod" is
        #  created.
        kernel.grsecurity.chroot_deny_chmod = 1

        #  If you say Y here, processes inside a chroot will not be able to chroot
        #  again outside the chroot.  This is a widely used method of breaking
        #  out of a chroot jail and should not be allowed.  If the sysctl
        #  option is enabled, a sysctl option with name
        #  "chroot_deny_chroot" is created.
        kernel.grsecurity.chroot_deny_chroot = 1

        #  If you say Y here, a well-known method of breaking chroots by fchdir'ing
        #  to a file descriptor of the chrooting process that points to a directory
        #  outside the filesystem will be stopped.  If the sysctl option
        #  is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
        kernel.grsecurity.chroot_deny_fchdir = 1

        #  If you say Y here, processes inside a chroot will not be allowed to
        #  mknod.  The problem with using mknod inside a chroot is that it
        #  would allow an attacker to create a device entry that is the same
        #  as one on the physical root of your system, which could range from
        #  anything from the console device to a device for your harddrive (which
        #  they could then use to wipe the drive or steal data).  It is recommended
        #  that you say Y here, unless you run into software incompatibilities.
        #  If the sysctl option is enabled, a sysctl option with name
        #  "chroot_deny_mknod" is created.
        kernel.grsecurity.chroot_deny_mknod = 1

        #  If you say Y here, processes inside a chroot will not be able to
        #  mount or remount filesystems.  If the sysctl option is enabled, a
        #  sysctl option with name "chroot_deny_mount" is created.
        kernel.grsecurity.chroot_deny_mount = 1

        #  If you say Y here, processes inside a chroot will not be able to use
        #  a function called pivot_root() that was introduced in Linux 2.3.41.  It
        #  works similar to chroot in that it changes the root filesystem.  This
        #  function could be misused in a chrooted process to attempt to break out
        #  of the chroot, and therefore should not be allowed.  If the sysctl
        #  option is enabled, a sysctl option with name "chroot_deny_pivot" is
        #  created.
        kernel.grsecurity.chroot_deny_pivot     = 1

        #  If you say Y here, processes inside a chroot will not be able to attach
        #  to shared memory segments that were created outside of the chroot jail.
        #  It is recommended that you say Y here.  If the sysctl option is enabled,
        #  a sysctl option with name "chroot_deny_shmat" is created.
        kernel.grsecurity.chroot_deny_shmat = 1

        #  If you say Y here, an attacker in a chroot will not be able to
        #  write to sysctl entries, either by sysctl(2) or through a /proc
        #  interface.  It is strongly recommended that you say Y here. If the
        #  sysctl option is enabled, a sysctl option with name
        #  "chroot_deny_sysctl" is created.
        kernel.grsecurity.chroot_deny_sysctl = 1

        #  If you say Y here, processes inside a chroot will not be able to
        #  connect to abstract (meaning not belonging to a filesystem) Unix
        #  domain sockets that were bound outside of a chroot.  It is recommended
        #  that you say Y here.  If the sysctl option is enabled, a sysctl option
        #  with name "chroot_deny_unix" is created.
        kernel.grsecurity.chroot_deny_unix = 1

        #  If you say Y here, the current working directory of all newly-chrooted
        #  applications will be set to the the root directory of the chroot.
        #  The man page on chroot(2) states:
        #  Note that usually chhroot does not change  the  current  working
        #  directory,  so  that `.' can be outside the tree rooted at
        #  `/'.  In particular, the  super-user  can  escape  from  a
        #  `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
        #
        #  It is recommended that you say Y here, since it's not known to break
        #  any software.  If the sysctl option is enabled, a sysctl option with
        #  name "chroot_enforce_chdir" is created.
        kernel.grsecurity.chroot_enforce_chdir  = 1

        #  If you say Y here, processes inside a chroot will not be able to
        #  kill, send signals with fcntl, ptrace, capget, getpgid, setpgid,
        #  getsid, or view any process outside of the chroot.  If the sysctl
        #  option is enabled, a sysctl option with name "chroot_findtask" is
        #  created.
        kernel.grsecurity.chroot_findtask = 1

        #  If you say Y here, processes inside a chroot will not be able to raise
        #  the priority of processes in the chroot, or alter the priority of
        #  processes outside the chroot.  This provides more security than simply
        #  removing CAP_SYS_NICE from the process' capability set.  If the
        #  sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
        #  is created.
        kernel.grsecurity.chroot_restrict_nice = 1

        #
        # Kernel Auditing
        #

        #  If you say Y here, the exec and chdir logging features will only operate
        #  on a group you specify.  This option is recommended if you only want to
        #  watch certain users instead of having a large amount of logs from the
        #  entire system.  If the sysctl option is enabled, a sysctl option with
        #  name "audit_group" is created.
        kernel.grsecurity.audit_group = 1

        #  If you say Y here, the exec and chdir logging features will only operate
        #  on a group you specify.  This option is recommended if you only want to
        #  watch certain users instead of having a large amount of logs from the
        #  entire system.  If the sysctl option is enabled, a sysctl option with
        #  name "audit_group" is created.
        kernel.grsecurity.audit_gid = 99

        #  If you say Y here, all execve() calls will be logged (since the
        #  other exec*() calls are frontends to execve(), all execution
        #  will be logged).  Useful for shell-servers that like to keep track
        #  of their users.  If the sysctl option is enabled, a sysctl option with
        #  name "exec_logging" is created.
        #  WARNING: This option when enabled will produce a LOT of logs, especially
        #  on an active system.
        kernel.grsecurity.exec_logging = 0

        #  If you say Y here, all attempts to overstep resource limits will
        #  be logged with the resource name, the requested size, and the current
        #  limit.  It is highly recommended that you say Y here.  If the sysctl
        #  option is enabled, a sysctl option with name "resource_logging" is
        #  created.  If the RBAC system is enabled, the sysctl value is ignored.
        kernel.grsecurity.resource_logging = 1

        #  If you say Y here, all executions inside a chroot jail will be logged
        #  to syslog.  This can cause a large amount of logs if certain
        #  applications (eg. djb's daemontools) are installed on the system, and
        #  is therefore left as an option.  If the sysctl option is enabled, a
        #  sysctl option with name "chroot_execlog" is created.
        kernel.grsecurity.chroot_execlog = 0

        #  If you say Y here, all attempts to attach to a process via ptrace
        #  will be logged.  If the sysctl option is enabled, a sysctl option
        #  with name "audit_ptrace" is created.
        #kernel.grsecurity.audit_ptrace = 1

        #  If you say Y here, all attempts to attach to a process via ptrace
        #  will be logged.  If the sysctl option is enabled, a sysctl option
        #  with name "audit_ptrace" is created.
        kernel.grsecurity.audit_chdir = 0

        #  If you say Y here, all mounts and unmounts will be logged.  If the
        #  sysctl option is enabled, a sysctl option with name "audit_mount" is
        #  created.
        kernel.grsecurity.audit_mount = 1

        #  If you say Y here, certain important signals will be logged, such as
        #  SIGSEGV, which will as a result inform you of when a error in a program
        #  occurred, which in some cases could mean a possible exploit attempt.
        #  If the sysctl option is enabled, a sysctl option with name
        #  "signal_logging" is created.
        kernel.grsecurity.signal_logging = 1

        #  If you say Y here, all failed fork() attempts will be logged.
        #  This could suggest a fork bomb, or someone attempting to overstep
        #  their process limit.  If the sysctl option is enabled, a sysctl option
        #  with name "forkfail_logging" is created.
        kernel.grsecurity.forkfail_logging = 1

        #  If you say Y here, any changes of the system clock will be logged.
        #  If the sysctl option is enabled, a sysctl option with name
        #  "timechange_logging" is created.
        kernel.grsecurity.timechange_logging = 1

        #  if you say Y here, calls to mmap() and mprotect() with explicit
        #  usage of PROT_WRITE and PROT_EXEC together will be logged when
        #  denied by the PAX_MPROTECT feature.  This feature will also
        #  log other problematic scenarios that can occur when PAX_MPROTECT
        #  is enabled on a binary, like textrels and PT_GNU_STACK.  If the
        #  sysctl option is enabled, a sysctl option with name "rwxmap_logging"
        #  is created.
        kernel.grsecurity.rwxmap_logging = 1

        #
        # Executable Protections
        #


        #  if you say Y here, non-root users will not be able to use dmesg(8)
        #  to view the contents of the kernel's circular log buffer.
        #  The kernel's log buffer often contains kernel addresses and other
        #  identifying information useful to an attacker in fingerprinting a
        #  system for a targeted exploit.
        #  If the sysctl option is enabled, a sysctl option with name "dmesg" is
        #  created.
        kernel.grsecurity.dmesg = 1

        # Hide symbol addresses in /proc/kallsyms
        kernel.kptr_restrict = 2

        #  If you say Y here, TTY sniffers and other malicious monitoring
        #  programs implemented through ptrace will be defeated.  If you
        #  have been using the RBAC system, this option has already been
        #  enabled for several years for all users, with the ability to make
        #  fine-grained exceptions.
        #
        #  This option only affects the ability of non-root users to ptrace
        #  processes that are not a descendent of the ptracing process.
        #  This means that strace ./binary and gdb ./binary will still work,
        #  but attaching to arbitrary processes will not.  If the sysctl
        #  option is enabled, a sysctl option with name "harden_ptrace" is
        #  created.
        kernel.grsecurity.harden_ptrace = 1

        #  If you say Y here, unprivileged users will not be able to ptrace unreadable
        #  binaries.  This option is useful in environments that
        #  remove the read bits (e.g. file mode 4711) from suid binaries to
        #  prevent infoleaking of their contents.  This option adds
        #  consistency to the use of that file mode, as the binary could normally
        #  be read out when run without privileges while ptracing.
        #
        #  If the sysctl option is enabled, a sysctl option with name "ptrace_readexec"
        #  is created.
        kernel.grsecurity.ptrace_readexec = 1

        #  If you say Y here, a change from a root uid to a non-root uid
        #  in a multithreaded application will cause the resulting uids,
        #  gids, supplementary groups, and capabilities in that thread
        #  to be propagated to the other threads of the process.  In most
        #  cases this is unnecessary, as glibc will emulate this behavior
        #  on behalf of the application.  Other libcs do not act in the
        #  same way, allowing the other threads of the process to continue
        #  running with root privileges.  If the sysctl option is enabled,
        #  a sysctl option with name "consistent_setxid" is created.
        kernel.grsecurity.consistent_setxid = 1

        #  If you say Y here, access to overly-permissive IPC objects (shared
        #  memory, message queues, and semaphores) will be denied for processes
        #  given the following criteria beyond normal permission checks:
        #  1) If the IPC object is world-accessible and the euid doesn't match
        #     that of the creator or current uid for the IPC object
        #  2) If the IPC object is group-accessible and the egid doesn't
        #     match that of the creator or current gid for the IPC object
        #  It's a common error to grant too much permission to these objects,
        #  with impact ranging from denial of service and information leaking to
        #  privilege escalation.  This feature was developed in response to
        #  research by Tim Brown:
        #  http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/
        #  who found hundreds of such insecure usages.  Processes with
        #  CAP_IPC_OWNER are still permitted to access these IPC objects.
        #  If the sysctl option is enabled, a sysctl option with name
        #  "harden_ipc" is created.
        kernel.grsecurity.harden_ipc = 1

        #  If you say Y here, you will be able to choose a gid to add to the
        #  supplementary groups of users you want to mark as "untrusted."
        #  These users will not be able to execute any files that are not in
        #  root-owned directories writable only by root.  If the sysctl option
        #  is enabled, a sysctl option with name "tpe" is created.
        kernel.grsecurity.tpe = 1
        kernel.grsecurity.tpe_gid = 100

        #  If you say Y here, the group you specify in the TPE configuration will
        #  decide what group TPE restrictions will be *disabled* for.  This
        #  option is useful if you want TPE restrictions to be applied to most
        #  users on the system.  If the sysctl option is enabled, a sysctl option
        #  with name "tpe_invert" is created.  Unlike other sysctl options, this
        #  entry will default to on for backward-compatibility.
        kernel.grsecurity.tpe_invert = 1

        #  If you say Y here, all non-root users will be covered under
        #  a weaker TPE restriction.  This is separate from, and in addition to,
        #  the main TPE options that you have selected elsewhere.  Thus, if a
        #  "trusted" GID is chosen, this restriction applies to even that GID.
        #  Under this restriction, all non-root users will only be allowed to
        #  execute files in directories they own that are not group or
        #  world-writable, or in directories owned by root and writable only by
        #  root.  If the sysctl option is enabled, a sysctl option with name
        #  "tpe_restrict_all" is created.
        kernel.grsecurity.tpe_restrict_all = 1


        kernel.grsecurity.harden_tty = 1

        #
        # Network Protections
        #

        # Increase Linux auto tuning TCP buffer limits
        # min, default, and max number of bytes to use
        # set max to at least 4MB, or higher if you use very high BDP paths
        # Tcp Windows etc
        net.core.rmem_max = 8388608
        net.core.wmem_max = 8388608
        net.core.netdev_max_backlog = 5000
        net.ipv4.tcp_window_scaling = 1

        # Both ports linux-blob and linux-libre don't build with ipv6
        # Disable ipv6
        net.ipv6.conf.all.disable_ipv6 = 1
        net.ipv6.conf.default.disable_ipv6 = 1
        net.ipv6.conf.lo.disable_ipv6 = 1

        # Tuen IPv6
        #net.ipv6.conf.default.router_solicitations = 0
        #net.ipv6.conf.default.accept_ra_rtr_pref = 0
        #net.ipv6.conf.default.accept_ra_pinfo = 0
        #net.ipv6.conf.default.accept_ra_defrtr = 0
        #net.ipv6.conf.default.autoconf = 0
        #net.ipv6.conf.default.dad_transmits = 0
        #net.ipv6.conf.default.max_addresses = 0

        # Avoid a smurf attack, ping scanning
        net.ipv4.icmp_echo_ignore_broadcasts = 1

        # Turn on protection for bad icmp error messages
        net.ipv4.icmp_ignore_bogus_error_responses = 1

        # Turn on syncookies for SYN flood attack protection
        net.ipv4.tcp_syncookies = 1

        ## protect against tcp time-wait assassination hazards
        ## drop RST packets for sockets in the time-wait state
        ## (not widely supported outside of linux, but conforms to RFC)
        net.ipv4.tcp_rfc1337 = 1

        ## tcp timestamps
        ## + protect against wrapping sequence numbers (at gigabit speeds)
        ## + round trip time calculation implemented in TCP
        ## - causes extra overhead and allows uptime detection by scanners like nmap
        ## enable @ gigabit speeds
        net.ipv4.tcp_timestamps = 0
        #net.ipv4.tcp_timestamps = 1

        # Turn on and log spoofed, source routed, and redirect packets
        net.ipv4.conf.all.log_martians = 1
        net.ipv4.conf.default.log_martians = 1

        ## ignore echo broadcast requests to prevent being part of smurf attacks (default)
        net.ipv4.icmp_echo_ignore_broadcasts = 1

        ## sets the kernels reverse path filtering mechanism to value 1(on)
        ## will do source validation of the packet's recieved from all the interfaces on the machine
        ## protects from attackers that are using ip spoofing methods to do harm
        net.ipv4.conf.all.rp_filter = 1
        net.ipv4.conf.default.rp_filter = 1
        #net.ipv6.conf.default.rp_filter = 1
        #net.ipv6.conf.all.rp_filter = 1


        # Make sure no one can alter the routing tables
        # Act as a router, necessary for Access Point
        net.ipv4.conf.all.accept_redirects = 0
        net.ipv4.conf.default.accept_redirects = 0
        net.ipv4.conf.all.secure_redirects = 0
        net.ipv4.conf.default.secure_redirects = 0
        # No source routed packets here
        # Discard packets with source routes, ip spoofing
        net.ipv4.conf.all.accept_source_route = 0
        net.ipv4.conf.default.accept_source_route = 0


        net.ipv4.conf.all.send_redirects = 0
        net.ipv4.conf.default.send_redirects = 0

        net.ipv4.ip_forward = 0

        # Increase system IP port limits
        net.ipv4.ip_local_port_range = 2000 65000

        # Increase TCP max buffer size setable using setsockopt()
        net.ipv4.tcp_rmem = 4096 87380 8388608
        net.ipv4.tcp_wmem = 4096 87380 8388608

        # Disable proxy_arp
        net.ipv4.conf.default.proxy_arp = 0
        net.ipv4.conf.all.proxy_arp = 0

        # Disable bootp_relay
        net.ipv4.conf.default.bootp_relay = 0
        net.ipv4.conf.all.bootp_relay = 0

        # Decrease TCP fin timeout
        net.ipv4.tcp_fin_timeout = 30
        # Decrease TCP keep alive time
        net.ipv4.tcp_keepalive_time = 1800
        # Sen SynAck retries to 3
        net.ipv4.tcp_synack_retries = 3

        #  If you say Y here, neither TCP resets nor ICMP
        #  destination-unreachable packets will be sent in response to packets
        #  sent to ports for which no associated listening process exists.
        #  This feature supports both IPV4 and IPV6 and exempts the
        #  loopback interface from blackholing.  Enabling this feature
        #  makes a host more resilient to DoS attacks and reduces network
        #  visibility against scanners.
        #
        #  The blackhole feature as-implemented is equivalent to the FreeBSD
        #  blackhole feature, as it prevents RST responses to all packets, not
        #  just SYNs.  Under most application behavior this causes no
        #  problems, but applications (like haproxy) may not close certain
        #  connections in a way that cleanly terminates them on the remote
        #  end, leaving the remote host in LAST_ACK state.  Because of this
        #  side-effect and to prevent intentional LAST_ACK DoSes, this
        #  feature also adds automatic mitigation against such attacks.
        #  The mitigation drastically reduces the amount of time a socket
        #  can spend in LAST_ACK state.  If you're using haproxy and not
        #  all servers it connects to have this option enabled, consider
        #  disabling this feature on the haproxy host.
        #
        #  If the sysctl option is enabled, two sysctl options with names
        #  "ip_blackhole" and "lastack_retries" will be created.
        #  While "ip_blackhole" takes the standard zero/non-zero on/off
        #  toggle, "lastack_retries" uses the same kinds of values as
        #  "tcp_retries1" and "tcp_retries2".  The default value of 4
        #  prevents a socket from lasting more than 45 seconds in LAST_ACK
        #  state.
        kernel.grsecurity.ip_blackhole = 1
        kernel.grsecurity.lastack_retries = 4

        #  If you say Y here, you will be able to choose a GID of whose users will
        #  be unable to connect to other hosts from your machine or run server
        #  applications from your machine.  If the sysctl option is enabled, a
        #  sysctl option with name "socket_all" is created.
        kernel.grsecurity.socket_all = 1

        #  Here you can choose the GID to disable socket access for. Remember to
        #  add the users you want socket access disabled for to the GID
        #  specified here.  If the sysctl option is enabled, a sysctl option
        #  with name "socket_all_gid" is created.
        kernel.grsecurity.socket_all_gid = 200

        #  If you say Y here, you will be able to choose a GID of whose users will
        #  be unable to connect to other hosts from your machine, but will be
        #  able to run servers.  If this option is enabled, all users in the group
        #  you specify will have to use passive mode when initiating ftp transfers
        #  from the shell on your machine.  If the sysctl option is enabled, a
        #  sysctl option with name "socket_client" is created.
        kernel.grsecurity.socket_client = 1

        #  Here you can choose the GID to disable client socket access for.
        #  Remember to add the users you want client socket access disabled for to
        #  the GID specified here.  If the sysctl option is enabled, a sysctl
        #  option with name "socket_client_gid" is created.
        kernel.grsecurity.socket_client_gid = 201

        #  If you say Y here, you will be able to choose a GID of whose users will
        #  be unable to connect to other hosts from your machine, but will be
        #  able to run servers.  If this option is enabled, all users in the group
        #  you specify will have to use passive mode when initiating ftp transfers
        #  from the shell on your machine.  If the sysctl option is enabled, a
        #  sysctl option with name "socket_client" is created.
        kernel.grsecurity.socket_server = 1

        #  Here you can choose the GID to disable server socket access for.
        #  Remember to add the users you want server socket access disabled for to
        #  the GID specified here.  If the sysctl option is enabled, a sysctl
        #  option with name "socket_server_gid" is created.
        kernel.grsecurity.socket_server_gid = 99

        #
        # Physical Protections
        #

        #  If you say Y here, a new sysctl option with name "deny_new_usb"
        #  will be created.  Setting its value to 1 will prevent any new
        #  USB devices from being recognized by the OS.  Any attempted USB
        #  device insertion will be logged.  This option is intended to be
        #  used against custom USB devices designed to exploit vulnerabilities
        #  in various USB device drivers.
        #
        #  For greatest effectiveness, this sysctl should be set after any
        #  relevant init scripts.  This option is safe to enable in distros
        #  as each user can choose whether or not to toggle the sysctl.
        kernel.grsecurity.deny_new_usb = 0

        #
        # Restrict grsec sysctl changes after this was set
        #
        kernel.grsecurity.grsec_lock = 0

        # End of file
        </pre>


        <a href="index.html">Core OS Index</a>
        <p>This is part of the Hive System Documentation.
        Copyright (C) 2018
        Hive Team.
        See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
        for copying conditions.</p>

    </body>
</html>