From d26a4e12deafade205d37a9fda748a6b78dfdb6a Mon Sep 17 00:00:00 2001 From: Silvino Silva Date: Sat, 25 Feb 2017 18:40:03 +0000 Subject: overall revesion --- core/conf/sysctl.conf | 148 ++++++++++++++++++++++++++++---------------------- 1 file changed, 82 insertions(+), 66 deletions(-) (limited to 'core/conf/sysctl.conf') diff --git a/core/conf/sysctl.conf b/core/conf/sysctl.conf index b60d3e6..d17c0c6 100644 --- a/core/conf/sysctl.conf +++ b/core/conf/sysctl.conf @@ -2,9 +2,13 @@ # /etc/sysctl.conf: configuration for system variables, see sysctl.conf(5) # -kernel.printk = 15 1 1 4 -kernel.randomize_va_space = 1 -kernel.shmmax = 500000000 +kernel.printk = 7 1 1 4 +kernel.randomize_va_space = 2 +# Shared Memory +#kernel.shmmax = 500000000 +# Total allocated file handlers that can be allocated +# fs.file-nr= +vm.mmap_min_addr=65536 # Allow for more PIDs (to reduce rollover problems); may break some programs 32768 kernel.pid_max = 65536 @@ -16,14 +20,13 @@ kernel.pid_max = 65536 # Ioperm and iopl can be used to modify the running kernel. # Unfortunately, some programs need this access to operate properly, # the most notable of which are XFree86 and hwclock. hwclock can be -# remedied by having RTC support in the kernel, so real-time -# clock support is enabled if this option is enabled, to ensure +# remedied by having RTC support in the kernel, so real-time +# clock support is enabled if this option is enabled, to ensure # that hwclock operates correctly. -# +# # If you're using XFree86 or a version of Xorg from 2012 or earlier, # you may not be able to boot into a graphical environment with this # option enabled. In this case, you should use the RBAC system instead. -#kernel.grsecurity.disable_priv_io = 1 kernel.grsecurity.disable_priv_io = 0 # If you say Y here, attempts to bruteforce exploits against forking @@ -36,13 +39,13 @@ kernel.grsecurity.disable_priv_io = 0 # In the suid/sgid case, the attempt is logged, the user has all their # existing instances of the suid/sgid binary terminated and will # be unable to execute any suid/sgid binaries for 15 minutes. -# +# # It is recommended that you also enable signal logging in the auditing # section so that logs are generated when a process triggers a suspicious # signal. # If the sysctl option is enabled, a sysctl option with name # "deter_bruteforce" is created. -#kernel.grsecurity.deter_bruteforce = 1 +kernel.grsecurity.deter_bruteforce = 1 # # Filesystem Protections @@ -58,7 +61,7 @@ fs.file-max = 65535 # symlink is the owner of the directory. users will also not be # able to hardlink to files they do not own. If the sysctl option is # enabled, a sysctl option with name "linking_restrictions" is created. -kernel.grsecurity.linking_restrictions = 1 +kernel.grsecurity.linking_restrictions = 0 # Apache's SymlinksIfOwnerMatch option has an inherent race condition @@ -72,7 +75,7 @@ kernel.grsecurity.linking_restrictions = 1 # will be in place for the group you specify. If the sysctl option # is enabled, a sysctl option with name "enforce_symlinksifowner" is # created. -#kernel.grsecurity.enforce_symlinksifowner = 1 +kernel.grsecurity.enforce_symlinksifowner = 0 #kernel.grsecurity.symlinkown_gid = 33 # if you say Y here, users will not be able to write to FIFOs they don't @@ -80,7 +83,7 @@ kernel.grsecurity.linking_restrictions = 1 # the FIFO is the same owner of the directory it's held in. If the sysctl # option is enabled, a sysctl option with name "fifo_restrictions" is # created. -#kernel.grsecurity.fifo_restrictions = 1 +kernel.grsecurity.fifo_restrictions = 0 # If you say Y here, a sysctl option with name "romount_protect" will # be created. By setting this option to 1 at runtime, filesystems @@ -115,14 +118,14 @@ kernel.grsecurity.chroot_caps = 1 # against another published method of breaking a chroot. If the sysctl # option is enabled, a sysctl option with name "chroot_deny_chmod" is # created. -kernel.grsecurity.chroot_deny_chmod = 1 +kernel.grsecurity.chroot_deny_chmod = 1 # If you say Y here, processes inside a chroot will not be able to chroot # again outside the chroot. This is a widely used method of breaking -# out of a chroot jail and should not be allowed. If the sysctl -# option is enabled, a sysctl option with name +# out of a chroot jail and should not be allowed. If the sysctl +# option is enabled, a sysctl option with name # "chroot_deny_chroot" is created. -kernel.grsecurity.chroot_deny_chroot = 1 +kernel.grsecurity.chroot_deny_chroot = 1 # If you say Y here, a well-known method of breaking chroots by fchdir'ing # to a file descriptor of the chrooting process that points to a directory @@ -182,14 +185,14 @@ kernel.grsecurity.chroot_deny_unix = 1 # directory, so that `.' can be outside the tree rooted at # `/'. In particular, the super-user can escape from a # `chroot jail' by doing `mkdir foo; chroot foo; cd ..'. -# +# # It is recommended that you say Y here, since it's not known to break # any software. If the sysctl option is enabled, a sysctl option with # name "chroot_enforce_chdir" is created. kernel.grsecurity.chroot_enforce_chdir = 1 # If you say Y here, processes inside a chroot will not be able to -# kill, send signals with fcntl, ptrace, capget, getpgid, setpgid, +# kill, send signals with fcntl, ptrace, capget, getpgid, setpgid, # getsid, or view any process outside of the chroot. If the sysctl # option is enabled, a sysctl option with name "chroot_findtask" is # created. @@ -212,7 +215,7 @@ kernel.grsecurity.chroot_restrict_nice = 1 # watch certain users instead of having a large amount of logs from the # entire system. If the sysctl option is enabled, a sysctl option with # name "audit_group" is created. -kernel.grsecurity.audit_group = 0 +kernel.grsecurity.audit_group = 0 # If you say Y here, the exec and chdir logging features will only operate # on a group you specify. This option is recommended if you only want to @@ -228,67 +231,64 @@ kernel.grsecurity.audit_group = 0 # name "exec_logging" is created. # WARNING: This option when enabled will produce a LOT of logs, especially # on an active system. -kernel.grsecurity.exec_logging = 0 +kernel.grsecurity.exec_logging = 0 # If you say Y here, all attempts to overstep resource limits will # be logged with the resource name, the requested size, and the current # limit. It is highly recommended that you say Y here. If the sysctl # option is enabled, a sysctl option with name "resource_logging" is # created. If the RBAC system is enabled, the sysctl value is ignored. -#kernel.grsecurity.resource_logging = 1 -kernel.grsecurity.resource_logging = 0 +kernel.grsecurity.resource_logging = 1 # If you say Y here, all executions inside a chroot jail will be logged # to syslog. This can cause a large amount of logs if certain # applications (eg. djb's daemontools) are installed on the system, and # is therefore left as an option. If the sysctl option is enabled, a # sysctl option with name "chroot_execlog" is created. -kernel.grsecurity.chroot_execlog = 0 +kernel.grsecurity.chroot_execlog = 0 # If you say Y here, all attempts to attach to a process via ptrace # will be logged. If the sysctl option is enabled, a sysctl option # with name "audit_ptrace" is created. -#kernel.grsecurity.audit_ptrace = 1 -kernel.grsecurity.audit_ptrace = 0 +kernel.grsecurity.audit_ptrace = 1 # If you say Y here, all attempts to attach to a process via ptrace # will be logged. If the sysctl option is enabled, a sysctl option # with name "audit_ptrace" is created. -kernel.grsecurity.audit_chdir = 0 +kernel.grsecurity.audit_chdir = 0 # If you say Y here, all mounts and unmounts will be logged. If the # sysctl option is enabled, a sysctl option with name "audit_mount" is # created. -#kernel.grsecurity.audit_mount = 1 -kernel.grsecurity.audit_mount = 0 +kernel.grsecurity.audit_mount = 1 # If you say Y here, certain important signals will be logged, such as # SIGSEGV, which will as a result inform you of when a error in a program # occurred, which in some cases could mean a possible exploit attempt. # If the sysctl option is enabled, a sysctl option with name # "signal_logging" is created. -kernel.grsecurity.signal_logging = 0 +kernel.grsecurity.signal_logging = 1 # If you say Y here, all failed fork() attempts will be logged. # This could suggest a fork bomb, or someone attempting to overstep # their process limit. If the sysctl option is enabled, a sysctl option # with name "forkfail_logging" is created. #kernel.grsecurity.forkfail_logging = 1 -kernel.grsecurity.forkfail_logging = 0 +kernel.grsecurity.forkfail_logging = 1 # If you say Y here, any changes of the system clock will be logged. # If the sysctl option is enabled, a sysctl option with name # "timechange_logging" is created. -#kernel.grsecurity.timechange_logging = 1 +kernel.grsecurity.timechange_logging = 1 # if you say Y here, calls to mmap() and mprotect() with explicit # usage of PROT_WRITE and PROT_EXEC together will be logged when # denied by the PAX_MPROTECT feature. This feature will also # log other problematic scenarios that can occur when PAX_MPROTECT -# is enabled on a binary, like textrels and PT_GNU_STACK. If the +# is enabled on a binary, like textrels and PT_GNU_STACK. If the # sysctl option is enabled, a sysctl option with name "rwxmap_logging" # is created. -#kernel.grsecurity.rwxmap_logging = 1 +kernel.grsecurity.rwxmap_logging = 1 # # Executable Protections @@ -305,14 +305,14 @@ kernel.grsecurity.forkfail_logging = 0 kernel.grsecurity.dmesg = 1 # Hide symbol addresses in /proc/kallsyms -kernel.kptr_restrict = 1 +#kernel.kptr_restrict = 2 # If you say Y here, TTY sniffers and other malicious monitoring # programs implemented through ptrace will be defeated. If you # have been using the RBAC system, this option has already been # enabled for several years for all users, with the ability to make # fine-grained exceptions. -# +# # This option only affects the ability of non-root users to ptrace # processes that are not a descendent of the ptracing process. # This means that strace ./binary and gdb ./binary will still work, @@ -327,7 +327,7 @@ kernel.grsecurity.harden_ptrace = 1 # prevent infoleaking of their contents. This option adds # consistency to the use of that file mode, as the binary could normally # be read out when run without privileges while ptracing. -# +# # If the sysctl option is enabled, a sysctl option with name "ptrace_readexec" # is created. kernel.grsecurity.ptrace_readexec = 1 @@ -341,7 +341,7 @@ kernel.grsecurity.ptrace_readexec = 1 # same way, allowing the other threads of the process to continue # running with root privileges. If the sysctl option is enabled, # a sysctl option with name "consistent_setxid" is created. -#kernel.grsecurity.consistent_setxid = 1 +kernel.grsecurity.consistent_setxid = 0 # If you say Y here, access to overly-permissive IPC objects (shared # memory, message queues, and semaphores) will be denied for processes @@ -359,7 +359,7 @@ kernel.grsecurity.ptrace_readexec = 1 # CAP_IPC_OWNER are still permitted to access these IPC objects. # If the sysctl option is enabled, a sysctl option with name # "harden_ipc" is created. -kernel.grsecurity.harden_ipc = 1 +kernel.grsecurity.harden_ipc = 0 # If you say Y here, you will be able to choose a gid to add to the # supplementary groups of users you want to mark as "untrusted." @@ -367,7 +367,7 @@ kernel.grsecurity.harden_ipc = 1 # root-owned directories writable only by root. If the sysctl option # is enabled, a sysctl option with name "tpe" is created. kernel.grsecurity.tpe = 1 -kernel.grsecurity.tpe_gid = 101 +kernel.grsecurity.tpe_gid = 4 # If you say Y here, the group you specify in the TPE configuration will # decide what group TPE restrictions will be *disabled* for. This @@ -386,10 +386,11 @@ kernel.grsecurity.tpe_invert = 1 # world-writable, or in directories owned by root and writable only by # root. If the sysctl option is enabled, a sysctl option with name # "tpe_restrict_all" is created. -kernel.grsecurity.tpe_restrict_all = 0 +kernel.grsecurity.tpe_restrict_all = 1 + +kernel.grsecurity.harden_tty = 1 -#kernel.grsecurity.harden_tty = 1 # # Network Protections # @@ -418,7 +419,7 @@ net.ipv6.conf.lo.disable_ipv6 = 1 #net.ipv6.conf.default.dad_transmits = 0 #net.ipv6.conf.default.max_addresses = 0 -# Avoid a smurf attack +# Avoid a smurf attack, ping scanning net.ipv4.icmp_echo_ignore_broadcasts = 1 # Turn on protection for bad icmp error messages @@ -447,10 +448,6 @@ net.ipv4.conf.default.log_martians = 1 ## ignore echo broadcast requests to prevent being part of smurf attacks (default) net.ipv4.icmp_echo_ignore_broadcasts = 1 -# No source routed packets here -net.ipv4.conf.all.accept_source_route = 0 -net.ipv4.conf.default.accept_source_route = 0 - ## sets the kernels reverse path filtering mechanism to value 1(on) ## will do source validation of the packet's recieved from all the interfaces on the machine ## protects from attackers that are using ip spoofing methods to do harm @@ -459,16 +456,23 @@ net.ipv4.conf.default.rp_filter = 1 #net.ipv6.conf.default.rp_filter = 1 #net.ipv6.conf.all.rp_filter = 1 + # Make sure no one can alter the routing tables +# Act as a router, necessary for Access Point net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv4.conf.all.secure_redirects = 0 net.ipv4.conf.default.secure_redirects = 0 +# No source routed packets here +# Discard packets with source routes, ip spoofing +net.ipv4.conf.all.accept_source_route = 0 +net.ipv4.conf.default.accept_source_route = 0 -# Act as a router, necessary for Access Point -net.ipv4.ip_forward = 1 -net.ipv4.conf.all.send_redirects = 1 -net.ipv4.conf.default.send_redirects = 1 + +net.ipv4.conf.all.send_redirects = 0 +net.ipv4.conf.default.send_redirects = 0 + +net.ipv4.ip_forward = 0 # Increase system IP port limits net.ipv4.ip_local_port_range = 2000 65000 @@ -477,15 +481,29 @@ net.ipv4.ip_local_port_range = 2000 65000 net.ipv4.tcp_rmem = 4096 87380 8388608 net.ipv4.tcp_wmem = 4096 87380 8388608 +# Disable proxy_arp +net.ipv4.conf.default.proxy_arp = 0 +net.ipv4.conf.all.proxy_arp = 0 + +# Disable bootp_relay +net.ipv4.conf.default.bootp_relay = 0 +net.ipv4.conf.all.bootp_relay = 0 + +# Decrease TCP fin timeout +net.ipv4.tcp_fin_timeout = 30 +# Decrease TCP keep alive time +net.ipv4.tcp_keepalive_time = 1800 +# Sen SynAck retries to 3 +net.ipv4.tcp_synack_retries = 3 # If you say Y here, neither TCP resets nor ICMP # destination-unreachable packets will be sent in response to packets # sent to ports for which no associated listening process exists. -# This feature supports both IPV4 and IPV6 and exempts the -# loopback interface from blackholing. Enabling this feature +# This feature supports both IPV4 and IPV6 and exempts the +# loopback interface from blackholing. Enabling this feature # makes a host more resilient to DoS attacks and reduces network # visibility against scanners. -# +# # The blackhole feature as-implemented is equivalent to the FreeBSD # blackhole feature, as it prevents RST responses to all packets, not # just SYNs. Under most application behavior this causes no @@ -498,7 +516,7 @@ net.ipv4.tcp_wmem = 4096 87380 8388608 # can spend in LAST_ACK state. If you're using haproxy and not # all servers it connects to have this option enabled, consider # disabling this feature on the haproxy host. -# +# # If the sysctl option is enabled, two sysctl options with names # "ip_blackhole" and "lastack_retries" will be created. # While "ip_blackhole" takes the standard zero/non-zero on/off @@ -506,14 +524,14 @@ net.ipv4.tcp_wmem = 4096 87380 8388608 # "tcp_retries1" and "tcp_retries2". The default value of 4 # prevents a socket from lasting more than 45 seconds in LAST_ACK # state. -#kernel.grsecurity.ip_blackhole = 1 -#kernel.grsecurity.lastack_retries = 4 +kernel.grsecurity.ip_blackhole = 1 +kernel.grsecurity.lastack_retries = 4 # If you say Y here, you will be able to choose a GID of whose users will # be unable to connect to other hosts from your machine or run server # applications from your machine. If the sysctl option is enabled, a # sysctl option with name "socket_all" is created. -#kernel.grsecurity.socket_all = 1 +kernel.grsecurity.socket_all = 0 # Here you can choose the GID to disable socket access for. Remember to # add the users you want socket access disabled for to the GID @@ -527,13 +545,13 @@ net.ipv4.tcp_wmem = 4096 87380 8388608 # you specify will have to use passive mode when initiating ftp transfers # from the shell on your machine. If the sysctl option is enabled, a # sysctl option with name "socket_client" is created. -#kernel.grsecurity.socket_client = 1 +kernel.grsecurity.socket_client = 1 # Here you can choose the GID to disable client socket access for. # Remember to add the users you want client socket access disabled for to # the GID specified here. If the sysctl option is enabled, a sysctl # option with name "socket_client_gid" is created. -#kernel.grsecurity.socket_client_gid = 203 +kernel.grsecurity.socket_client_gid = 15 # If you say Y here, you will be able to choose a GID of whose users will # be unable to connect to other hosts from your machine, but will be @@ -541,13 +559,13 @@ net.ipv4.tcp_wmem = 4096 87380 8388608 # you specify will have to use passive mode when initiating ftp transfers # from the shell on your machine. If the sysctl option is enabled, a # sysctl option with name "socket_client" is created. -#kernel.grsecurity.socket_server = 1 +kernel.grsecurity.socket_server = 1 # Here you can choose the GID to disable server socket access for. # Remember to add the users you want server socket access disabled for to # the GID specified here. If the sysctl option is enabled, a sysctl # option with name "socket_server_gid" is created. -#kernel.grsecurity.socket_server_gid = 204 +kernel.grsecurity.socket_server_gid = 99 # # Physical Protections @@ -559,17 +577,15 @@ net.ipv4.tcp_wmem = 4096 87380 8388608 # device insertion will be logged. This option is intended to be # used against custom USB devices designed to exploit vulnerabilities # in various USB device drivers. -# +# # For greatest effectiveness, this sysctl should be set after any # relevant init scripts. This option is safe to enable in distros # as each user can choose whether or not to toggle the sysctl. -#kernel.grsecurity.deny_new_usb = 0 +kernel.grsecurity.deny_new_usb = 0 # # Restrict grsec sysctl changes after this was set # -#kernel.grsecurity.grsec_lock = 1 - - +kernel.grsecurity.grsec_lock = 0 # End of file -- cgit 1.4.1-2-gfad0