diff options
Diffstat (limited to 'core/conf/sysctl.conf')
| -rw-r--r-- | core/conf/sysctl.conf | 463 |
1 files changed, 3 insertions, 460 deletions
diff --git a/core/conf/sysctl.conf b/core/conf/sysctl.conf index 4606791..771112a 100644 --- a/core/conf/sysctl.conf +++ b/core/conf/sysctl.conf @@ -3,51 +3,19 @@ # kernel.printk = 7 1 1 4 + kernel.randomize_va_space = 2 + # Shared Memory #kernel.shmmax = 500000000 # Total allocated file handlers that can be allocated # fs.file-nr= vm.mmap_min_addr=65536 + # Allow for more PIDs (to reduce rollover problems); may break some programs 32768 kernel.pid_max = 65536 # -# Memory Protections -# - -# If you say Y here, all ioperm and iopl calls will return an error. -# Ioperm and iopl can be used to modify the running kernel. -# Unfortunately, some programs need this access to operate properly, -# the most notable of which are XFree86 and hwclock. hwclock can be -# remedied by having RTC support in the kernel, so real-time -# clock support is enabled if this option is enabled, to ensure -# that hwclock operates correctly. -# -# If you're using XFree86 or a version of Xorg from 2012 or earlier, -# you may not be able to boot into a graphical environment with this -# option enabled. In this case, you should use the RBAC system instead. -kernel.grsecurity.disable_priv_io = 1 - -# If you say Y here, attempts to bruteforce exploits against forking -# daemons such as apache or sshd, as well as against suid/sgid binaries -# will be deterred. When a child of a forking daemon is killed by PaX -# or crashes due to an illegal instruction or other suspicious signal, -# the parent process will be delayed 30 seconds upon every subsequent -# fork until the administrator is able to assess the situation and -# restart the daemon. -# In the suid/sgid case, the attempt is logged, the user has all their -# existing instances of the suid/sgid binary terminated and will -# be unable to execute any suid/sgid binaries for 15 minutes. -# -# It is recommended that you also enable signal logging in the auditing -# section so that logs are generated when a process triggers a suspicious -# signal. -# If the sysctl option is enabled, a sysctl option with name -# "deter_bruteforce" is created. -kernel.grsecurity.deter_bruteforce = 1 - -# # Filesystem Protections # @@ -55,341 +23,9 @@ kernel.grsecurity.deter_bruteforce = 1 # Increase system file descriptor limit fs.file-max = 65535 -# If you say Y here, /tmp race exploits will be prevented, since users -# will no longer be able to follow symlinks owned by other users in -# world-writable +t directories (e.g. /tmp), unless the owner of the -# symlink is the owner of the directory. users will also not be -# able to hardlink to files they do not own. If the sysctl option is -# enabled, a sysctl option with name "linking_restrictions" is created. -kernel.grsecurity.linking_restrictions = 1 - - -# Apache's SymlinksIfOwnerMatch option has an inherent race condition -# that prevents it from being used as a security feature. As Apache -# verifies the symlink by performing a stat() against the target of -# the symlink before it is followed, an attacker can setup a symlink -# to point to a same-owned file, then replace the symlink with one -# that targets another user's file just after Apache "validates" the -# symlink -- a classic TOCTOU race. If you say Y here, a complete, -# race-free replacement for Apache's "SymlinksIfOwnerMatch" option -# will be in place for the group you specify. If the sysctl option -# is enabled, a sysctl option with name "enforce_symlinksifowner" is -# created. -kernel.grsecurity.enforce_symlinksifowner = 1 -kernel.grsecurity.symlinkown_gid = 15 - -# if you say Y here, users will not be able to write to FIFOs they don't -# own in world-writable +t directories (e.g. /tmp), unless the owner of -# the FIFO is the same owner of the directory it's held in. If the sysctl -# option is enabled, a sysctl option with name "fifo_restrictions" is -# created. -kernel.grsecurity.fifo_restrictions = 1 - -# If you say Y here, a sysctl option with name "romount_protect" will -# be created. By setting this option to 1 at runtime, filesystems -# will be protected in the following ways: -# * No new writable mounts will be allowed -# * Existing read-only mounts won't be able to be remounted read/write -# * Write operations will be denied on all block devices -# This option acts independently of grsec_lock: once it is set to 1, -# it cannot be turned off. Therefore, please be mindful of the resulting -# behavior if this option is enabled in an init script on a read-only -# filesystem. -# Also be aware that as with other root-focused features, GRKERNSEC_KMEM -# and GRKERNSEC_IO should be enabled and module loading disabled via -# config or at runtime. -# This feature is mainly intended for secure embedded systems. -#kernel.grsecurity.romount_protect = 1 - -# if you say Y here, the capabilities on all processes within a -# chroot jail will be lowered to stop module insertion, raw i/o, -# system and net admin tasks, rebooting the system, modifying immutable -# files, modifying IPC owned by another, and changing the system time. -# This is left an option because it can break some apps. Disable this -# if your chrooted apps are having problems performing those kinds of -# tasks. If the sysctl option is enabled, a sysctl option with -# name "chroot_caps" is created. -kernel.grsecurity.chroot_caps = 1 - -#kernel.grsecurity.chroot_deny_bad_rename = 1 - -# If you say Y here, processes inside a chroot will not be able to chmod -# or fchmod files to make them have suid or sgid bits. This protects -# against another published method of breaking a chroot. If the sysctl -# option is enabled, a sysctl option with name "chroot_deny_chmod" is -# created. -kernel.grsecurity.chroot_deny_chmod = 1 - -# If you say Y here, processes inside a chroot will not be able to chroot -# again outside the chroot. This is a widely used method of breaking -# out of a chroot jail and should not be allowed. If the sysctl -# option is enabled, a sysctl option with name -# "chroot_deny_chroot" is created. -kernel.grsecurity.chroot_deny_chroot = 1 - -# If you say Y here, a well-known method of breaking chroots by fchdir'ing -# to a file descriptor of the chrooting process that points to a directory -# outside the filesystem will be stopped. If the sysctl option -# is enabled, a sysctl option with name "chroot_deny_fchdir" is created. -kernel.grsecurity.chroot_deny_fchdir = 1 - -# If you say Y here, processes inside a chroot will not be allowed to -# mknod. The problem with using mknod inside a chroot is that it -# would allow an attacker to create a device entry that is the same -# as one on the physical root of your system, which could range from -# anything from the console device to a device for your harddrive (which -# they could then use to wipe the drive or steal data). It is recommended -# that you say Y here, unless you run into software incompatibilities. -# If the sysctl option is enabled, a sysctl option with name -# "chroot_deny_mknod" is created. -kernel.grsecurity.chroot_deny_mknod = 1 - -# If you say Y here, processes inside a chroot will not be able to -# mount or remount filesystems. If the sysctl option is enabled, a -# sysctl option with name "chroot_deny_mount" is created. -kernel.grsecurity.chroot_deny_mount = 1 - -# If you say Y here, processes inside a chroot will not be able to use -# a function called pivot_root() that was introduced in Linux 2.3.41. It -# works similar to chroot in that it changes the root filesystem. This -# function could be misused in a chrooted process to attempt to break out -# of the chroot, and therefore should not be allowed. If the sysctl -# option is enabled, a sysctl option with name "chroot_deny_pivot" is -# created. -kernel.grsecurity.chroot_deny_pivot = 1 - -# If you say Y here, processes inside a chroot will not be able to attach -# to shared memory segments that were created outside of the chroot jail. -# It is recommended that you say Y here. If the sysctl option is enabled, -# a sysctl option with name "chroot_deny_shmat" is created. -kernel.grsecurity.chroot_deny_shmat = 1 - -# If you say Y here, an attacker in a chroot will not be able to -# write to sysctl entries, either by sysctl(2) or through a /proc -# interface. It is strongly recommended that you say Y here. If the -# sysctl option is enabled, a sysctl option with name -# "chroot_deny_sysctl" is created. -kernel.grsecurity.chroot_deny_sysctl = 1 - -# If you say Y here, processes inside a chroot will not be able to -# connect to abstract (meaning not belonging to a filesystem) Unix -# domain sockets that were bound outside of a chroot. It is recommended -# that you say Y here. If the sysctl option is enabled, a sysctl option -# with name "chroot_deny_unix" is created. -kernel.grsecurity.chroot_deny_unix = 1 - -# If you say Y here, the current working directory of all newly-chrooted -# applications will be set to the the root directory of the chroot. -# The man page on chroot(2) states: -# Note that usually chhroot does not change the current working -# directory, so that `.' can be outside the tree rooted at -# `/'. In particular, the super-user can escape from a -# `chroot jail' by doing `mkdir foo; chroot foo; cd ..'. -# -# It is recommended that you say Y here, since it's not known to break -# any software. If the sysctl option is enabled, a sysctl option with -# name "chroot_enforce_chdir" is created. -kernel.grsecurity.chroot_enforce_chdir = 1 - -# If you say Y here, processes inside a chroot will not be able to -# kill, send signals with fcntl, ptrace, capget, getpgid, setpgid, -# getsid, or view any process outside of the chroot. If the sysctl -# option is enabled, a sysctl option with name "chroot_findtask" is -# created. -kernel.grsecurity.chroot_findtask = 1 - -# If you say Y here, processes inside a chroot will not be able to raise -# the priority of processes in the chroot, or alter the priority of -# processes outside the chroot. This provides more security than simply -# removing CAP_SYS_NICE from the process' capability set. If the -# sysctl option is enabled, a sysctl option with name "chroot_restrict_nice" -# is created. -kernel.grsecurity.chroot_restrict_nice = 1 - -# -# Kernel Auditing -# - -# If you say Y here, the exec and chdir logging features will only operate -# on a group you specify. This option is recommended if you only want to -# watch certain users instead of having a large amount of logs from the -# entire system. If the sysctl option is enabled, a sysctl option with -# name "audit_group" is created. -kernel.grsecurity.audit_group = 1 - -# If you say Y here, the exec and chdir logging features will only operate -# on a group you specify. This option is recommended if you only want to -# watch certain users instead of having a large amount of logs from the -# entire system. If the sysctl option is enabled, a sysctl option with -# name "audit_group" is created. -kernel.grsecurity.audit_gid = 99 - -# If you say Y here, all execve() calls will be logged (since the -# other exec*() calls are frontends to execve(), all execution -# will be logged). Useful for shell-servers that like to keep track -# of their users. If the sysctl option is enabled, a sysctl option with -# name "exec_logging" is created. -# WARNING: This option when enabled will produce a LOT of logs, especially -# on an active system. -kernel.grsecurity.exec_logging = 0 - -# If you say Y here, all attempts to overstep resource limits will -# be logged with the resource name, the requested size, and the current -# limit. It is highly recommended that you say Y here. If the sysctl -# option is enabled, a sysctl option with name "resource_logging" is -# created. If the RBAC system is enabled, the sysctl value is ignored. -kernel.grsecurity.resource_logging = 1 - -# If you say Y here, all executions inside a chroot jail will be logged -# to syslog. This can cause a large amount of logs if certain -# applications (eg. djb's daemontools) are installed on the system, and -# is therefore left as an option. If the sysctl option is enabled, a -# sysctl option with name "chroot_execlog" is created. -kernel.grsecurity.chroot_execlog = 0 - -# If you say Y here, all attempts to attach to a process via ptrace -# will be logged. If the sysctl option is enabled, a sysctl option -# with name "audit_ptrace" is created. -#kernel.grsecurity.audit_ptrace = 1 - -# If you say Y here, all attempts to attach to a process via ptrace -# will be logged. If the sysctl option is enabled, a sysctl option -# with name "audit_ptrace" is created. -kernel.grsecurity.audit_chdir = 0 - -# If you say Y here, all mounts and unmounts will be logged. If the -# sysctl option is enabled, a sysctl option with name "audit_mount" is -# created. -kernel.grsecurity.audit_mount = 1 - -# If you say Y here, certain important signals will be logged, such as -# SIGSEGV, which will as a result inform you of when a error in a program -# occurred, which in some cases could mean a possible exploit attempt. -# If the sysctl option is enabled, a sysctl option with name -# "signal_logging" is created. -kernel.grsecurity.signal_logging = 1 - -# If you say Y here, all failed fork() attempts will be logged. -# This could suggest a fork bomb, or someone attempting to overstep -# their process limit. If the sysctl option is enabled, a sysctl option -# with name "forkfail_logging" is created. -kernel.grsecurity.forkfail_logging = 1 - -# If you say Y here, any changes of the system clock will be logged. -# If the sysctl option is enabled, a sysctl option with name -# "timechange_logging" is created. -kernel.grsecurity.timechange_logging = 1 - -# if you say Y here, calls to mmap() and mprotect() with explicit -# usage of PROT_WRITE and PROT_EXEC together will be logged when -# denied by the PAX_MPROTECT feature. This feature will also -# log other problematic scenarios that can occur when PAX_MPROTECT -# is enabled on a binary, like textrels and PT_GNU_STACK. If the -# sysctl option is enabled, a sysctl option with name "rwxmap_logging" -# is created. -kernel.grsecurity.rwxmap_logging = 1 - -# -# Executable Protections -# - - -# if you say Y here, non-root users will not be able to use dmesg(8) -# to view the contents of the kernel's circular log buffer. -# The kernel's log buffer often contains kernel addresses and other -# identifying information useful to an attacker in fingerprinting a -# system for a targeted exploit. -# If the sysctl option is enabled, a sysctl option with name "dmesg" is -# created. -kernel.grsecurity.dmesg = 1 - # Hide symbol addresses in /proc/kallsyms kernel.kptr_restrict = 2 -# If you say Y here, TTY sniffers and other malicious monitoring -# programs implemented through ptrace will be defeated. If you -# have been using the RBAC system, this option has already been -# enabled for several years for all users, with the ability to make -# fine-grained exceptions. -# -# This option only affects the ability of non-root users to ptrace -# processes that are not a descendent of the ptracing process. -# This means that strace ./binary and gdb ./binary will still work, -# but attaching to arbitrary processes will not. If the sysctl -# option is enabled, a sysctl option with name "harden_ptrace" is -# created. -kernel.grsecurity.harden_ptrace = 1 - -# If you say Y here, unprivileged users will not be able to ptrace unreadable -# binaries. This option is useful in environments that -# remove the read bits (e.g. file mode 4711) from suid binaries to -# prevent infoleaking of their contents. This option adds -# consistency to the use of that file mode, as the binary could normally -# be read out when run without privileges while ptracing. -# -# If the sysctl option is enabled, a sysctl option with name "ptrace_readexec" -# is created. -kernel.grsecurity.ptrace_readexec = 1 - -# If you say Y here, a change from a root uid to a non-root uid -# in a multithreaded application will cause the resulting uids, -# gids, supplementary groups, and capabilities in that thread -# to be propagated to the other threads of the process. In most -# cases this is unnecessary, as glibc will emulate this behavior -# on behalf of the application. Other libcs do not act in the -# same way, allowing the other threads of the process to continue -# running with root privileges. If the sysctl option is enabled, -# a sysctl option with name "consistent_setxid" is created. -kernel.grsecurity.consistent_setxid = 1 - -# If you say Y here, access to overly-permissive IPC objects (shared -# memory, message queues, and semaphores) will be denied for processes -# given the following criteria beyond normal permission checks: -# 1) If the IPC object is world-accessible and the euid doesn't match -# that of the creator or current uid for the IPC object -# 2) If the IPC object is group-accessible and the egid doesn't -# match that of the creator or current gid for the IPC object -# It's a common error to grant too much permission to these objects, -# with impact ranging from denial of service and information leaking to -# privilege escalation. This feature was developed in response to -# research by Tim Brown: -# http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/ -# who found hundreds of such insecure usages. Processes with -# CAP_IPC_OWNER are still permitted to access these IPC objects. -# If the sysctl option is enabled, a sysctl option with name -# "harden_ipc" is created. -kernel.grsecurity.harden_ipc = 1 - -# If you say Y here, you will be able to choose a gid to add to the -# supplementary groups of users you want to mark as "untrusted." -# These users will not be able to execute any files that are not in -# root-owned directories writable only by root. If the sysctl option -# is enabled, a sysctl option with name "tpe" is created. -kernel.grsecurity.tpe = 1 -kernel.grsecurity.tpe_gid = 100 - -# If you say Y here, the group you specify in the TPE configuration will -# decide what group TPE restrictions will be *disabled* for. This -# option is useful if you want TPE restrictions to be applied to most -# users on the system. If the sysctl option is enabled, a sysctl option -# with name "tpe_invert" is created. Unlike other sysctl options, this -# entry will default to on for backward-compatibility. -kernel.grsecurity.tpe_invert = 0 - -# If you say Y here, all non-root users will be covered under -# a weaker TPE restriction. This is separate from, and in addition to, -# the main TPE options that you have selected elsewhere. Thus, if a -# "trusted" GID is chosen, this restriction applies to even that GID. -# Under this restriction, all non-root users will only be allowed to -# execute files in directories they own that are not group or -# world-writable, or in directories owned by root and writable only by -# root. If the sysctl option is enabled, a sysctl option with name -# "tpe_restrict_all" is created. -kernel.grsecurity.tpe_restrict_all = 1 - - -kernel.grsecurity.harden_tty = 1 - # # Network Protections # @@ -455,7 +91,6 @@ net.ipv4.conf.default.rp_filter = 1 #net.ipv6.conf.default.rp_filter = 1 #net.ipv6.conf.all.rp_filter = 1 - # Make sure no one can alter the routing tables # Act as a router, necessary for Access Point net.ipv4.conf.all.accept_redirects = 0 @@ -495,96 +130,4 @@ net.ipv4.tcp_keepalive_time = 1800 # Sen SynAck retries to 3 net.ipv4.tcp_synack_retries = 3 -# If you say Y here, neither TCP resets nor ICMP -# destination-unreachable packets will be sent in response to packets -# sent to ports for which no associated listening process exists. -# This feature supports both IPV4 and IPV6 and exempts the -# loopback interface from blackholing. Enabling this feature -# makes a host more resilient to DoS attacks and reduces network -# visibility against scanners. -# -# The blackhole feature as-implemented is equivalent to the FreeBSD -# blackhole feature, as it prevents RST responses to all packets, not -# just SYNs. Under most application behavior this causes no -# problems, but applications (like haproxy) may not close certain -# connections in a way that cleanly terminates them on the remote -# end, leaving the remote host in LAST_ACK state. Because of this -# side-effect and to prevent intentional LAST_ACK DoSes, this -# feature also adds automatic mitigation against such attacks. -# The mitigation drastically reduces the amount of time a socket -# can spend in LAST_ACK state. If you're using haproxy and not -# all servers it connects to have this option enabled, consider -# disabling this feature on the haproxy host. -# -# If the sysctl option is enabled, two sysctl options with names -# "ip_blackhole" and "lastack_retries" will be created. -# While "ip_blackhole" takes the standard zero/non-zero on/off -# toggle, "lastack_retries" uses the same kinds of values as -# "tcp_retries1" and "tcp_retries2". The default value of 4 -# prevents a socket from lasting more than 45 seconds in LAST_ACK -# state. -kernel.grsecurity.ip_blackhole = 1 -kernel.grsecurity.lastack_retries = 4 - -# If you say Y here, you will be able to choose a GID of whose users will -# be unable to connect to other hosts from your machine or run server -# applications from your machine. If the sysctl option is enabled, a -# sysctl option with name "socket_all" is created. -kernel.grsecurity.socket_all = 1 - -# Here you can choose the GID to disable socket access for. Remember to -# add the users you want socket access disabled for to the GID -# specified here. If the sysctl option is enabled, a sysctl option -# with name "socket_all_gid" is created. -kernel.grsecurity.socket_all_gid = 200 - -# If you say Y here, you will be able to choose a GID of whose users will -# be unable to connect to other hosts from your machine, but will be -# able to run servers. If this option is enabled, all users in the group -# you specify will have to use passive mode when initiating ftp transfers -# from the shell on your machine. If the sysctl option is enabled, a -# sysctl option with name "socket_client" is created. -kernel.grsecurity.socket_client = 1 - -# Here you can choose the GID to disable client socket access for. -# Remember to add the users you want client socket access disabled for to -# the GID specified here. If the sysctl option is enabled, a sysctl -# option with name "socket_client_gid" is created. -kernel.grsecurity.socket_client_gid = 201 - -# If you say Y here, you will be able to choose a GID of whose users will -# be unable to connect to other hosts from your machine, but will be -# able to run servers. If this option is enabled, all users in the group -# you specify will have to use passive mode when initiating ftp transfers -# from the shell on your machine. If the sysctl option is enabled, a -# sysctl option with name "socket_client" is created. -kernel.grsecurity.socket_server = 1 - -# Here you can choose the GID to disable server socket access for. -# Remember to add the users you want server socket access disabled for to -# the GID specified here. If the sysctl option is enabled, a sysctl -# option with name "socket_server_gid" is created. -kernel.grsecurity.socket_server_gid = 99 - -# -# Physical Protections -# - -# If you say Y here, a new sysctl option with name "deny_new_usb" -# will be created. Setting its value to 1 will prevent any new -# USB devices from being recognized by the OS. Any attempted USB -# device insertion will be logged. This option is intended to be -# used against custom USB devices designed to exploit vulnerabilities -# in various USB device drivers. -# -# For greatest effectiveness, this sysctl should be set after any -# relevant init scripts. This option is safe to enable in distros -# as each user can choose whether or not to toggle the sysctl. -kernel.grsecurity.deny_new_usb = 0 - -# -# Restrict grsec sysctl changes after this was set -# -kernel.grsecurity.grsec_lock = 0 - # End of file |