about summary refs log tree commit diff stats
path: root/core/conf/sysctl.conf
diff options
context:
space:
mode:
Diffstat (limited to 'core/conf/sysctl.conf')
-rw-r--r--core/conf/sysctl.conf463
1 files changed, 3 insertions, 460 deletions
diff --git a/core/conf/sysctl.conf b/core/conf/sysctl.conf
index 4606791..771112a 100644
--- a/core/conf/sysctl.conf
+++ b/core/conf/sysctl.conf
@@ -3,51 +3,19 @@
 #
 
 kernel.printk = 7 1 1 4
+
 kernel.randomize_va_space = 2
+
 # Shared Memory
 #kernel.shmmax = 500000000
 # Total allocated file handlers that can be allocated
 # fs.file-nr=
 vm.mmap_min_addr=65536
+
 # Allow for more PIDs (to reduce rollover problems); may break some programs 32768
 kernel.pid_max = 65536
 
 #
-# Memory Protections
-#
-
-#  If you say Y here, all ioperm and iopl calls will return an error.
-#  Ioperm and iopl can be used to modify the running kernel.
-#  Unfortunately, some programs need this access to operate properly,
-#  the most notable of which are XFree86 and hwclock.  hwclock can be
-#  remedied by having RTC support in the kernel, so real-time 
-#  clock support is enabled if this option is enabled, to ensure 
-#  that hwclock operates correctly.
-#  
-#  If you're using XFree86 or a version of Xorg from 2012 or earlier,
-#  you may not be able to boot into a graphical environment with this
-#  option enabled.  In this case, you should use the RBAC system instead.
-kernel.grsecurity.disable_priv_io = 1
-
-#  If you say Y here, attempts to bruteforce exploits against forking
-#  daemons such as apache or sshd, as well as against suid/sgid binaries
-#  will be deterred.  When a child of a forking daemon is killed by PaX
-#  or crashes due to an illegal instruction or other suspicious signal,
-#  the parent process will be delayed 30 seconds upon every subsequent
-#  fork until the administrator is able to assess the situation and
-#  restart the daemon.
-#  In the suid/sgid case, the attempt is logged, the user has all their
-#  existing instances of the suid/sgid binary terminated and will
-#  be unable to execute any suid/sgid binaries for 15 minutes.
-#  
-#  It is recommended that you also enable signal logging in the auditing
-#  section so that logs are generated when a process triggers a suspicious
-#  signal.
-#  If the sysctl option is enabled, a sysctl option with name
-#  "deter_bruteforce" is created.
-kernel.grsecurity.deter_bruteforce = 1
-
-#
 # Filesystem Protections
 #
 
@@ -55,341 +23,9 @@ kernel.grsecurity.deter_bruteforce = 1
 # Increase system file descriptor limit
 fs.file-max = 65535
 
-#  If you say Y here, /tmp race exploits will be prevented, since users
-#  will no longer be able to follow symlinks owned by other users in
-#  world-writable +t directories (e.g. /tmp), unless the owner of the
-#  symlink is the owner of the directory. users will also not be
-#  able to hardlink to files they do not own.  If the sysctl option is
-#  enabled, a sysctl option with name "linking_restrictions" is created.
-kernel.grsecurity.linking_restrictions = 1
-
-
-#  Apache's SymlinksIfOwnerMatch option has an inherent race condition
-#  that prevents it from being used as a security feature.  As Apache
-#  verifies the symlink by performing a stat() against the target of
-#  the symlink before it is followed, an attacker can setup a symlink
-#  to point to a same-owned file, then replace the symlink with one
-#  that targets another user's file just after Apache "validates" the
-#  symlink -- a classic TOCTOU race.  If you say Y here, a complete,
-#  race-free replacement for Apache's "SymlinksIfOwnerMatch" option
-#  will be in place for the group you specify. If the sysctl option
-#  is enabled, a sysctl option with name "enforce_symlinksifowner" is
-#  created.
-kernel.grsecurity.enforce_symlinksifowner = 1
-kernel.grsecurity.symlinkown_gid = 15
-
-#  if you say Y here, users will not be able to write to FIFOs they don't
-#  own in world-writable +t directories (e.g. /tmp), unless the owner of
-#  the FIFO is the same owner of the directory it's held in.  If the sysctl
-#  option is enabled, a sysctl option with name "fifo_restrictions" is
-#  created.
-kernel.grsecurity.fifo_restrictions = 1
-
-#  If you say Y here, a sysctl option with name "romount_protect" will
-#  be created.  By setting this option to 1 at runtime, filesystems
-#  will be protected in the following ways:
-#  * No new writable mounts will be allowed
-#  * Existing read-only mounts won't be able to be remounted read/write
-#  * Write operations will be denied on all block devices
-#  This option acts independently of grsec_lock: once it is set to 1,
-#  it cannot be turned off.  Therefore, please be mindful of the resulting
-#  behavior if this option is enabled in an init script on a read-only
-#  filesystem.
-#  Also be aware that as with other root-focused features, GRKERNSEC_KMEM
-#  and GRKERNSEC_IO should be enabled and module loading disabled via
-#  config or at runtime.
-#  This feature is mainly intended for secure embedded systems.
-#kernel.grsecurity.romount_protect = 1
-
-#  if you say Y here, the capabilities on all processes within a
-#  chroot jail will be lowered to stop module insertion, raw i/o,
-#  system and net admin tasks, rebooting the system, modifying immutable
-#  files, modifying IPC owned by another, and changing the system time.
-#  This is left an option because it can break some apps.  Disable this
-#  if your chrooted apps are having problems performing those kinds of
-#  tasks.  If the sysctl option is enabled, a sysctl option with
-#  name "chroot_caps" is created.
-kernel.grsecurity.chroot_caps = 1
-
-#kernel.grsecurity.chroot_deny_bad_rename = 1
-
-#  If you say Y here, processes inside a chroot will not be able to chmod
-#  or fchmod files to make them have suid or sgid bits.  This protects
-#  against another published method of breaking a chroot.  If the sysctl
-#  option is enabled, a sysctl option with name "chroot_deny_chmod" is
-#  created.
-kernel.grsecurity.chroot_deny_chmod = 1
-
-#  If you say Y here, processes inside a chroot will not be able to chroot
-#  again outside the chroot.  This is a widely used method of breaking
-#  out of a chroot jail and should not be allowed.  If the sysctl 
-#  option is enabled, a sysctl option with name 
-#  "chroot_deny_chroot" is created.
-kernel.grsecurity.chroot_deny_chroot = 1
-
-#  If you say Y here, a well-known method of breaking chroots by fchdir'ing
-#  to a file descriptor of the chrooting process that points to a directory
-#  outside the filesystem will be stopped.  If the sysctl option
-#  is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
-kernel.grsecurity.chroot_deny_fchdir = 1
-
-#  If you say Y here, processes inside a chroot will not be allowed to
-#  mknod.  The problem with using mknod inside a chroot is that it
-#  would allow an attacker to create a device entry that is the same
-#  as one on the physical root of your system, which could range from
-#  anything from the console device to a device for your harddrive (which
-#  they could then use to wipe the drive or steal data).  It is recommended
-#  that you say Y here, unless you run into software incompatibilities.
-#  If the sysctl option is enabled, a sysctl option with name
-#  "chroot_deny_mknod" is created.
-kernel.grsecurity.chroot_deny_mknod = 1
-
-#  If you say Y here, processes inside a chroot will not be able to
-#  mount or remount filesystems.  If the sysctl option is enabled, a
-#  sysctl option with name "chroot_deny_mount" is created.
-kernel.grsecurity.chroot_deny_mount = 1
-
-#  If you say Y here, processes inside a chroot will not be able to use
-#  a function called pivot_root() that was introduced in Linux 2.3.41.  It
-#  works similar to chroot in that it changes the root filesystem.  This
-#  function could be misused in a chrooted process to attempt to break out
-#  of the chroot, and therefore should not be allowed.  If the sysctl
-#  option is enabled, a sysctl option with name "chroot_deny_pivot" is
-#  created.
-kernel.grsecurity.chroot_deny_pivot     = 1
-
-#  If you say Y here, processes inside a chroot will not be able to attach
-#  to shared memory segments that were created outside of the chroot jail.
-#  It is recommended that you say Y here.  If the sysctl option is enabled,
-#  a sysctl option with name "chroot_deny_shmat" is created.
-kernel.grsecurity.chroot_deny_shmat = 1
-
-#  If you say Y here, an attacker in a chroot will not be able to
-#  write to sysctl entries, either by sysctl(2) or through a /proc
-#  interface.  It is strongly recommended that you say Y here. If the
-#  sysctl option is enabled, a sysctl option with name
-#  "chroot_deny_sysctl" is created.
-kernel.grsecurity.chroot_deny_sysctl = 1
-
-#  If you say Y here, processes inside a chroot will not be able to
-#  connect to abstract (meaning not belonging to a filesystem) Unix
-#  domain sockets that were bound outside of a chroot.  It is recommended
-#  that you say Y here.  If the sysctl option is enabled, a sysctl option
-#  with name "chroot_deny_unix" is created.
-kernel.grsecurity.chroot_deny_unix = 1
-
-#  If you say Y here, the current working directory of all newly-chrooted
-#  applications will be set to the the root directory of the chroot.
-#  The man page on chroot(2) states:
-#  Note that usually chhroot does not change  the  current  working
-#  directory,  so  that `.' can be outside the tree rooted at
-#  `/'.  In particular, the  super-user  can  escape  from  a
-#  `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
-#  
-#  It is recommended that you say Y here, since it's not known to break
-#  any software.  If the sysctl option is enabled, a sysctl option with
-#  name "chroot_enforce_chdir" is created.
-kernel.grsecurity.chroot_enforce_chdir  = 1
-
-#  If you say Y here, processes inside a chroot will not be able to
-#  kill, send signals with fcntl, ptrace, capget, getpgid, setpgid, 
-#  getsid, or view any process outside of the chroot.  If the sysctl
-#  option is enabled, a sysctl option with name "chroot_findtask" is
-#  created.
-kernel.grsecurity.chroot_findtask = 1
-
-#  If you say Y here, processes inside a chroot will not be able to raise
-#  the priority of processes in the chroot, or alter the priority of
-#  processes outside the chroot.  This provides more security than simply
-#  removing CAP_SYS_NICE from the process' capability set.  If the
-#  sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
-#  is created.
-kernel.grsecurity.chroot_restrict_nice = 1
-
-#
-# Kernel Auditing
-#
-
-#  If you say Y here, the exec and chdir logging features will only operate
-#  on a group you specify.  This option is recommended if you only want to
-#  watch certain users instead of having a large amount of logs from the
-#  entire system.  If the sysctl option is enabled, a sysctl option with
-#  name "audit_group" is created.
-kernel.grsecurity.audit_group = 1
-
-#  If you say Y here, the exec and chdir logging features will only operate
-#  on a group you specify.  This option is recommended if you only want to
-#  watch certain users instead of having a large amount of logs from the
-#  entire system.  If the sysctl option is enabled, a sysctl option with
-#  name "audit_group" is created.
-kernel.grsecurity.audit_gid = 99
-
-#  If you say Y here, all execve() calls will be logged (since the
-#  other exec*() calls are frontends to execve(), all execution
-#  will be logged).  Useful for shell-servers that like to keep track
-#  of their users.  If the sysctl option is enabled, a sysctl option with
-#  name "exec_logging" is created.
-#  WARNING: This option when enabled will produce a LOT of logs, especially
-#  on an active system.
-kernel.grsecurity.exec_logging = 0				
-
-#  If you say Y here, all attempts to overstep resource limits will
-#  be logged with the resource name, the requested size, and the current
-#  limit.  It is highly recommended that you say Y here.  If the sysctl
-#  option is enabled, a sysctl option with name "resource_logging" is
-#  created.  If the RBAC system is enabled, the sysctl value is ignored.
-kernel.grsecurity.resource_logging = 1
-
-#  If you say Y here, all executions inside a chroot jail will be logged
-#  to syslog.  This can cause a large amount of logs if certain
-#  applications (eg. djb's daemontools) are installed on the system, and
-#  is therefore left as an option.  If the sysctl option is enabled, a
-#  sysctl option with name "chroot_execlog" is created.
-kernel.grsecurity.chroot_execlog = 0	
-
-#  If you say Y here, all attempts to attach to a process via ptrace
-#  will be logged.  If the sysctl option is enabled, a sysctl option
-#  with name "audit_ptrace" is created.
-#kernel.grsecurity.audit_ptrace = 1
-
-#  If you say Y here, all attempts to attach to a process via ptrace
-#  will be logged.  If the sysctl option is enabled, a sysctl option
-#  with name "audit_ptrace" is created.
-kernel.grsecurity.audit_chdir = 0
-
-#  If you say Y here, all mounts and unmounts will be logged.  If the
-#  sysctl option is enabled, a sysctl option with name "audit_mount" is
-#  created.
-kernel.grsecurity.audit_mount = 1
-
-#  If you say Y here, certain important signals will be logged, such as
-#  SIGSEGV, which will as a result inform you of when a error in a program
-#  occurred, which in some cases could mean a possible exploit attempt.
-#  If the sysctl option is enabled, a sysctl option with name
-#  "signal_logging" is created.
-kernel.grsecurity.signal_logging = 1
-
-#  If you say Y here, all failed fork() attempts will be logged.
-#  This could suggest a fork bomb, or someone attempting to overstep
-#  their process limit.  If the sysctl option is enabled, a sysctl option
-#  with name "forkfail_logging" is created.
-kernel.grsecurity.forkfail_logging = 1
-
-#  If you say Y here, any changes of the system clock will be logged.
-#  If the sysctl option is enabled, a sysctl option with name
-#  "timechange_logging" is created.
-kernel.grsecurity.timechange_logging = 1
-
-#  if you say Y here, calls to mmap() and mprotect() with explicit
-#  usage of PROT_WRITE and PROT_EXEC together will be logged when
-#  denied by the PAX_MPROTECT feature.  This feature will also
-#  log other problematic scenarios that can occur when PAX_MPROTECT
-#  is enabled on a binary, like textrels and PT_GNU_STACK.  If the 
-#  sysctl option is enabled, a sysctl option with name "rwxmap_logging"
-#  is created.
-kernel.grsecurity.rwxmap_logging = 1
-
-#
-# Executable Protections
-#
-
-
-#  if you say Y here, non-root users will not be able to use dmesg(8)
-#  to view the contents of the kernel's circular log buffer.
-#  The kernel's log buffer often contains kernel addresses and other
-#  identifying information useful to an attacker in fingerprinting a
-#  system for a targeted exploit.
-#  If the sysctl option is enabled, a sysctl option with name "dmesg" is
-#  created.
-kernel.grsecurity.dmesg = 1
-
 # Hide symbol addresses in /proc/kallsyms
 kernel.kptr_restrict = 2
 
-#  If you say Y here, TTY sniffers and other malicious monitoring
-#  programs implemented through ptrace will be defeated.  If you
-#  have been using the RBAC system, this option has already been
-#  enabled for several years for all users, with the ability to make
-#  fine-grained exceptions.
-#  
-#  This option only affects the ability of non-root users to ptrace
-#  processes that are not a descendent of the ptracing process.
-#  This means that strace ./binary and gdb ./binary will still work,
-#  but attaching to arbitrary processes will not.  If the sysctl
-#  option is enabled, a sysctl option with name "harden_ptrace" is
-#  created.
-kernel.grsecurity.harden_ptrace = 1
-
-#  If you say Y here, unprivileged users will not be able to ptrace unreadable
-#  binaries.  This option is useful in environments that
-#  remove the read bits (e.g. file mode 4711) from suid binaries to
-#  prevent infoleaking of their contents.  This option adds
-#  consistency to the use of that file mode, as the binary could normally
-#  be read out when run without privileges while ptracing.
-#  
-#  If the sysctl option is enabled, a sysctl option with name "ptrace_readexec"
-#  is created.
-kernel.grsecurity.ptrace_readexec = 1
-
-#  If you say Y here, a change from a root uid to a non-root uid
-#  in a multithreaded application will cause the resulting uids,
-#  gids, supplementary groups, and capabilities in that thread
-#  to be propagated to the other threads of the process.  In most
-#  cases this is unnecessary, as glibc will emulate this behavior
-#  on behalf of the application.  Other libcs do not act in the
-#  same way, allowing the other threads of the process to continue
-#  running with root privileges.  If the sysctl option is enabled,
-#  a sysctl option with name "consistent_setxid" is created.
-kernel.grsecurity.consistent_setxid = 1
-
-#  If you say Y here, access to overly-permissive IPC objects (shared
-#  memory, message queues, and semaphores) will be denied for processes
-#  given the following criteria beyond normal permission checks:
-#  1) If the IPC object is world-accessible and the euid doesn't match
-#     that of the creator or current uid for the IPC object
-#  2) If the IPC object is group-accessible and the egid doesn't
-#     match that of the creator or current gid for the IPC object
-#  It's a common error to grant too much permission to these objects,
-#  with impact ranging from denial of service and information leaking to
-#  privilege escalation.  This feature was developed in response to
-#  research by Tim Brown:
-#  http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/
-#  who found hundreds of such insecure usages.  Processes with
-#  CAP_IPC_OWNER are still permitted to access these IPC objects.
-#  If the sysctl option is enabled, a sysctl option with name
-#  "harden_ipc" is created.
-kernel.grsecurity.harden_ipc = 1
-
-#  If you say Y here, you will be able to choose a gid to add to the
-#  supplementary groups of users you want to mark as "untrusted."
-#  These users will not be able to execute any files that are not in
-#  root-owned directories writable only by root.  If the sysctl option
-#  is enabled, a sysctl option with name "tpe" is created.
-kernel.grsecurity.tpe = 1
-kernel.grsecurity.tpe_gid = 100
-
-#  If you say Y here, the group you specify in the TPE configuration will
-#  decide what group TPE restrictions will be *disabled* for.  This
-#  option is useful if you want TPE restrictions to be applied to most
-#  users on the system.  If the sysctl option is enabled, a sysctl option
-#  with name "tpe_invert" is created.  Unlike other sysctl options, this
-#  entry will default to on for backward-compatibility.
-kernel.grsecurity.tpe_invert = 0
-
-#  If you say Y here, all non-root users will be covered under
-#  a weaker TPE restriction.  This is separate from, and in addition to,
-#  the main TPE options that you have selected elsewhere.  Thus, if a
-#  "trusted" GID is chosen, this restriction applies to even that GID.
-#  Under this restriction, all non-root users will only be allowed to
-#  execute files in directories they own that are not group or
-#  world-writable, or in directories owned by root and writable only by
-#  root.  If the sysctl option is enabled, a sysctl option with name
-#  "tpe_restrict_all" is created.
-kernel.grsecurity.tpe_restrict_all = 1
-
-
-kernel.grsecurity.harden_tty = 1
-
 #
 # Network Protections
 #
@@ -455,7 +91,6 @@ net.ipv4.conf.default.rp_filter = 1
 #net.ipv6.conf.default.rp_filter = 1
 #net.ipv6.conf.all.rp_filter = 1
 
-
 # Make sure no one can alter the routing tables
 # Act as a router, necessary for Access Point
 net.ipv4.conf.all.accept_redirects = 0
@@ -495,96 +130,4 @@ net.ipv4.tcp_keepalive_time = 1800
 # Sen SynAck retries to 3
 net.ipv4.tcp_synack_retries = 3
 
-#  If you say Y here, neither TCP resets nor ICMP
-#  destination-unreachable packets will be sent in response to packets
-#  sent to ports for which no associated listening process exists.
-#  This feature supports both IPV4 and IPV6 and exempts the 
-#  loopback interface from blackholing.  Enabling this feature 
-#  makes a host more resilient to DoS attacks and reduces network
-#  visibility against scanners.
-#  
-#  The blackhole feature as-implemented is equivalent to the FreeBSD
-#  blackhole feature, as it prevents RST responses to all packets, not
-#  just SYNs.  Under most application behavior this causes no
-#  problems, but applications (like haproxy) may not close certain
-#  connections in a way that cleanly terminates them on the remote
-#  end, leaving the remote host in LAST_ACK state.  Because of this
-#  side-effect and to prevent intentional LAST_ACK DoSes, this
-#  feature also adds automatic mitigation against such attacks.
-#  The mitigation drastically reduces the amount of time a socket
-#  can spend in LAST_ACK state.  If you're using haproxy and not
-#  all servers it connects to have this option enabled, consider
-#  disabling this feature on the haproxy host.
-#  
-#  If the sysctl option is enabled, two sysctl options with names
-#  "ip_blackhole" and "lastack_retries" will be created.
-#  While "ip_blackhole" takes the standard zero/non-zero on/off
-#  toggle, "lastack_retries" uses the same kinds of values as
-#  "tcp_retries1" and "tcp_retries2".  The default value of 4
-#  prevents a socket from lasting more than 45 seconds in LAST_ACK
-#  state.
-kernel.grsecurity.ip_blackhole = 1
-kernel.grsecurity.lastack_retries = 4
-
-#  If you say Y here, you will be able to choose a GID of whose users will
-#  be unable to connect to other hosts from your machine or run server
-#  applications from your machine.  If the sysctl option is enabled, a
-#  sysctl option with name "socket_all" is created.
-kernel.grsecurity.socket_all = 1
-
-#  Here you can choose the GID to disable socket access for. Remember to
-#  add the users you want socket access disabled for to the GID
-#  specified here.  If the sysctl option is enabled, a sysctl option
-#  with name "socket_all_gid" is created.
-kernel.grsecurity.socket_all_gid = 200
-
-#  If you say Y here, you will be able to choose a GID of whose users will
-#  be unable to connect to other hosts from your machine, but will be
-#  able to run servers.  If this option is enabled, all users in the group
-#  you specify will have to use passive mode when initiating ftp transfers
-#  from the shell on your machine.  If the sysctl option is enabled, a
-#  sysctl option with name "socket_client" is created.
-kernel.grsecurity.socket_client = 1
-
-#  Here you can choose the GID to disable client socket access for.
-#  Remember to add the users you want client socket access disabled for to
-#  the GID specified here.  If the sysctl option is enabled, a sysctl
-#  option with name "socket_client_gid" is created.
-kernel.grsecurity.socket_client_gid = 201
-
-#  If you say Y here, you will be able to choose a GID of whose users will
-#  be unable to connect to other hosts from your machine, but will be
-#  able to run servers.  If this option is enabled, all users in the group
-#  you specify will have to use passive mode when initiating ftp transfers
-#  from the shell on your machine.  If the sysctl option is enabled, a
-#  sysctl option with name "socket_client" is created.
-kernel.grsecurity.socket_server = 1
-
-#  Here you can choose the GID to disable server socket access for.
-#  Remember to add the users you want server socket access disabled for to
-#  the GID specified here.  If the sysctl option is enabled, a sysctl
-#  option with name "socket_server_gid" is created.
-kernel.grsecurity.socket_server_gid = 99
-
-#
-# Physical Protections
-#
-
-#  If you say Y here, a new sysctl option with name "deny_new_usb"
-#  will be created.  Setting its value to 1 will prevent any new
-#  USB devices from being recognized by the OS.  Any attempted USB
-#  device insertion will be logged.  This option is intended to be
-#  used against custom USB devices designed to exploit vulnerabilities
-#  in various USB device drivers.
-#  
-#  For greatest effectiveness, this sysctl should be set after any
-#  relevant init scripts.  This option is safe to enable in distros
-#  as each user can choose whether or not to toggle the sysctl.
-kernel.grsecurity.deny_new_usb = 0
-
-#
-# Restrict grsec sysctl changes after this was set
-#
-kernel.grsecurity.grsec_lock = 0
-
 # End of file