From 44ee76746ec6f23f3e67602770e4a04ab8471e95 Mon Sep 17 00:00:00 2001 From: Silvino Date: Sun, 9 Jun 2019 02:19:01 +0100 Subject: core index re-ordering and tools storage revision --- core/sysctl.html | 481 ++----------------------------------------------------- 1 file changed, 12 insertions(+), 469 deletions(-) (limited to 'core/sysctl.html') diff --git a/core/sysctl.html b/core/sysctl.html index d06afde..a5af197 100644 --- a/core/sysctl.html +++ b/core/sysctl.html @@ -2,24 +2,18 @@ - 2.2.2. Sysctl + 2.6.2. Sysctl Core OS Index -

2.2.2. Sysctl

+

2.6.2. Sysctl

Sysctl references Arch TCP/IP stack hardening, Cyberciti Nginx Hardning, - Cyberciti Security Hardening, - Grsecurity and PaX Configuration.

- -

Since kernels on machine-ports have PaX - and grsecurity, - /etc/sysctl.conf can have follow - values;

+ Cyberciti Security Hardening.

         #
@@ -27,50 +21,18 @@
         #
 
         kernel.printk = 7 1 1 4
+
         kernel.randomize_va_space = 2
+
         # Shared Memory
         #kernel.shmmax = 500000000
         # Total allocated file handlers that can be allocated
         # fs.file-nr=
         vm.mmap_min_addr=65536
+
         # Allow for more PIDs (to reduce rollover problems); may break some programs 32768
         kernel.pid_max = 65536
 
-        #
-        # Memory Protections
-        #
-
-        #  If you say Y here, all ioperm and iopl calls will return an error.
-        #  Ioperm and iopl can be used to modify the running kernel.
-        #  Unfortunately, some programs need this access to operate properly,
-        #  the most notable of which are XFree86 and hwclock.  hwclock can be
-        #  remedied by having RTC support in the kernel, so real-time
-        #  clock support is enabled if this option is enabled, to ensure
-        #  that hwclock operates correctly.
-        #
-        #  If you're using XFree86 or a version of Xorg from 2012 or earlier,
-        #  you may not be able to boot into a graphical environment with this
-        #  option enabled.  In this case, you should use the RBAC system instead.
-        kernel.grsecurity.disable_priv_io = 1
-
-        #  If you say Y here, attempts to bruteforce exploits against forking
-        #  daemons such as apache or sshd, as well as against suid/sgid binaries
-        #  will be deterred.  When a child of a forking daemon is killed by PaX
-        #  or crashes due to an illegal instruction or other suspicious signal,
-        #  the parent process will be delayed 30 seconds upon every subsequent
-        #  fork until the administrator is able to assess the situation and
-        #  restart the daemon.
-        #  In the suid/sgid case, the attempt is logged, the user has all their
-        #  existing instances of the suid/sgid binary terminated and will
-        #  be unable to execute any suid/sgid binaries for 15 minutes.
-        #
-        #  It is recommended that you also enable signal logging in the auditing
-        #  section so that logs are generated when a process triggers a suspicious
-        #  signal.
-        #  If the sysctl option is enabled, a sysctl option with name
-        #  "deter_bruteforce" is created.
-        kernel.grsecurity.deter_bruteforce = 1
-
         #
         # Filesystem Protections
         #
@@ -79,341 +41,9 @@
         # Increase system file descriptor limit
         fs.file-max = 65535
 
-        #  If you say Y here, /tmp race exploits will be prevented, since users
-        #  will no longer be able to follow symlinks owned by other users in
-        #  world-writable +t directories (e.g. /tmp), unless the owner of the
-        #  symlink is the owner of the directory. users will also not be
-        #  able to hardlink to files they do not own.  If the sysctl option is
-        #  enabled, a sysctl option with name "linking_restrictions" is created.
-        kernel.grsecurity.linking_restrictions = 1
-
-
-        #  Apache's SymlinksIfOwnerMatch option has an inherent race condition
-        #  that prevents it from being used as a security feature.  As Apache
-        #  verifies the symlink by performing a stat() against the target of
-        #  the symlink before it is followed, an attacker can setup a symlink
-        #  to point to a same-owned file, then replace the symlink with one
-        #  that targets another user's file just after Apache "validates" the
-        #  symlink -- a classic TOCTOU race.  If you say Y here, a complete,
-        #  race-free replacement for Apache's "SymlinksIfOwnerMatch" option
-        #  will be in place for the group you specify. If the sysctl option
-        #  is enabled, a sysctl option with name "enforce_symlinksifowner" is
-        #  created.
-        kernel.grsecurity.enforce_symlinksifowner = 1
-        kernel.grsecurity.symlinkown_gid = 15
-
-        #  if you say Y here, users will not be able to write to FIFOs they don't
-        #  own in world-writable +t directories (e.g. /tmp), unless the owner of
-        #  the FIFO is the same owner of the directory it's held in.  If the sysctl
-        #  option is enabled, a sysctl option with name "fifo_restrictions" is
-        #  created.
-        kernel.grsecurity.fifo_restrictions = 1
-
-        #  If you say Y here, a sysctl option with name "romount_protect" will
-        #  be created.  By setting this option to 1 at runtime, filesystems
-        #  will be protected in the following ways:
-        #  * No new writable mounts will be allowed
-        #  * Existing read-only mounts won't be able to be remounted read/write
-        #  * Write operations will be denied on all block devices
-        #  This option acts independently of grsec_lock: once it is set to 1,
-        #  it cannot be turned off.  Therefore, please be mindful of the resulting
-        #  behavior if this option is enabled in an init script on a read-only
-        #  filesystem.
-        #  Also be aware that as with other root-focused features, GRKERNSEC_KMEM
-        #  and GRKERNSEC_IO should be enabled and module loading disabled via
-        #  config or at runtime.
-        #  This feature is mainly intended for secure embedded systems.
-        #kernel.grsecurity.romount_protect = 1
-
-        #  if you say Y here, the capabilities on all processes within a
-        #  chroot jail will be lowered to stop module insertion, raw i/o,
-        #  system and net admin tasks, rebooting the system, modifying immutable
-        #  files, modifying IPC owned by another, and changing the system time.
-        #  This is left an option because it can break some apps.  Disable this
-        #  if your chrooted apps are having problems performing those kinds of
-        #  tasks.  If the sysctl option is enabled, a sysctl option with
-        #  name "chroot_caps" is created.
-        kernel.grsecurity.chroot_caps = 1
-
-        #kernel.grsecurity.chroot_deny_bad_rename = 1
-
-        #  If you say Y here, processes inside a chroot will not be able to chmod
-        #  or fchmod files to make them have suid or sgid bits.  This protects
-        #  against another published method of breaking a chroot.  If the sysctl
-        #  option is enabled, a sysctl option with name "chroot_deny_chmod" is
-        #  created.
-        kernel.grsecurity.chroot_deny_chmod = 1
-
-        #  If you say Y here, processes inside a chroot will not be able to chroot
-        #  again outside the chroot.  This is a widely used method of breaking
-        #  out of a chroot jail and should not be allowed.  If the sysctl
-        #  option is enabled, a sysctl option with name
-        #  "chroot_deny_chroot" is created.
-        kernel.grsecurity.chroot_deny_chroot = 1
-
-        #  If you say Y here, a well-known method of breaking chroots by fchdir'ing
-        #  to a file descriptor of the chrooting process that points to a directory
-        #  outside the filesystem will be stopped.  If the sysctl option
-        #  is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
-        kernel.grsecurity.chroot_deny_fchdir = 1
-
-        #  If you say Y here, processes inside a chroot will not be allowed to
-        #  mknod.  The problem with using mknod inside a chroot is that it
-        #  would allow an attacker to create a device entry that is the same
-        #  as one on the physical root of your system, which could range from
-        #  anything from the console device to a device for your harddrive (which
-        #  they could then use to wipe the drive or steal data).  It is recommended
-        #  that you say Y here, unless you run into software incompatibilities.
-        #  If the sysctl option is enabled, a sysctl option with name
-        #  "chroot_deny_mknod" is created.
-        kernel.grsecurity.chroot_deny_mknod = 1
-
-        #  If you say Y here, processes inside a chroot will not be able to
-        #  mount or remount filesystems.  If the sysctl option is enabled, a
-        #  sysctl option with name "chroot_deny_mount" is created.
-        kernel.grsecurity.chroot_deny_mount = 1
-
-        #  If you say Y here, processes inside a chroot will not be able to use
-        #  a function called pivot_root() that was introduced in Linux 2.3.41.  It
-        #  works similar to chroot in that it changes the root filesystem.  This
-        #  function could be misused in a chrooted process to attempt to break out
-        #  of the chroot, and therefore should not be allowed.  If the sysctl
-        #  option is enabled, a sysctl option with name "chroot_deny_pivot" is
-        #  created.
-        kernel.grsecurity.chroot_deny_pivot     = 1
-
-        #  If you say Y here, processes inside a chroot will not be able to attach
-        #  to shared memory segments that were created outside of the chroot jail.
-        #  It is recommended that you say Y here.  If the sysctl option is enabled,
-        #  a sysctl option with name "chroot_deny_shmat" is created.
-        kernel.grsecurity.chroot_deny_shmat = 1
-
-        #  If you say Y here, an attacker in a chroot will not be able to
-        #  write to sysctl entries, either by sysctl(2) or through a /proc
-        #  interface.  It is strongly recommended that you say Y here. If the
-        #  sysctl option is enabled, a sysctl option with name
-        #  "chroot_deny_sysctl" is created.
-        kernel.grsecurity.chroot_deny_sysctl = 1
-
-        #  If you say Y here, processes inside a chroot will not be able to
-        #  connect to abstract (meaning not belonging to a filesystem) Unix
-        #  domain sockets that were bound outside of a chroot.  It is recommended
-        #  that you say Y here.  If the sysctl option is enabled, a sysctl option
-        #  with name "chroot_deny_unix" is created.
-        kernel.grsecurity.chroot_deny_unix = 1
-
-        #  If you say Y here, the current working directory of all newly-chrooted
-        #  applications will be set to the the root directory of the chroot.
-        #  The man page on chroot(2) states:
-        #  Note that usually chhroot does not change  the  current  working
-        #  directory,  so  that `.' can be outside the tree rooted at
-        #  `/'.  In particular, the  super-user  can  escape  from  a
-        #  `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
-        #
-        #  It is recommended that you say Y here, since it's not known to break
-        #  any software.  If the sysctl option is enabled, a sysctl option with
-        #  name "chroot_enforce_chdir" is created.
-        kernel.grsecurity.chroot_enforce_chdir  = 1
-
-        #  If you say Y here, processes inside a chroot will not be able to
-        #  kill, send signals with fcntl, ptrace, capget, getpgid, setpgid,
-        #  getsid, or view any process outside of the chroot.  If the sysctl
-        #  option is enabled, a sysctl option with name "chroot_findtask" is
-        #  created.
-        kernel.grsecurity.chroot_findtask = 1
-
-        #  If you say Y here, processes inside a chroot will not be able to raise
-        #  the priority of processes in the chroot, or alter the priority of
-        #  processes outside the chroot.  This provides more security than simply
-        #  removing CAP_SYS_NICE from the process' capability set.  If the
-        #  sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
-        #  is created.
-        kernel.grsecurity.chroot_restrict_nice = 1
-
-        #
-        # Kernel Auditing
-        #
-
-        #  If you say Y here, the exec and chdir logging features will only operate
-        #  on a group you specify.  This option is recommended if you only want to
-        #  watch certain users instead of having a large amount of logs from the
-        #  entire system.  If the sysctl option is enabled, a sysctl option with
-        #  name "audit_group" is created.
-        kernel.grsecurity.audit_group = 1
-
-        #  If you say Y here, the exec and chdir logging features will only operate
-        #  on a group you specify.  This option is recommended if you only want to
-        #  watch certain users instead of having a large amount of logs from the
-        #  entire system.  If the sysctl option is enabled, a sysctl option with
-        #  name "audit_group" is created.
-        kernel.grsecurity.audit_gid = 99
-
-        #  If you say Y here, all execve() calls will be logged (since the
-        #  other exec*() calls are frontends to execve(), all execution
-        #  will be logged).  Useful for shell-servers that like to keep track
-        #  of their users.  If the sysctl option is enabled, a sysctl option with
-        #  name "exec_logging" is created.
-        #  WARNING: This option when enabled will produce a LOT of logs, especially
-        #  on an active system.
-        kernel.grsecurity.exec_logging = 0
-
-        #  If you say Y here, all attempts to overstep resource limits will
-        #  be logged with the resource name, the requested size, and the current
-        #  limit.  It is highly recommended that you say Y here.  If the sysctl
-        #  option is enabled, a sysctl option with name "resource_logging" is
-        #  created.  If the RBAC system is enabled, the sysctl value is ignored.
-        kernel.grsecurity.resource_logging = 1
-
-        #  If you say Y here, all executions inside a chroot jail will be logged
-        #  to syslog.  This can cause a large amount of logs if certain
-        #  applications (eg. djb's daemontools) are installed on the system, and
-        #  is therefore left as an option.  If the sysctl option is enabled, a
-        #  sysctl option with name "chroot_execlog" is created.
-        kernel.grsecurity.chroot_execlog = 0
-
-        #  If you say Y here, all attempts to attach to a process via ptrace
-        #  will be logged.  If the sysctl option is enabled, a sysctl option
-        #  with name "audit_ptrace" is created.
-        #kernel.grsecurity.audit_ptrace = 1
-
-        #  If you say Y here, all attempts to attach to a process via ptrace
-        #  will be logged.  If the sysctl option is enabled, a sysctl option
-        #  with name "audit_ptrace" is created.
-        kernel.grsecurity.audit_chdir = 0
-
-        #  If you say Y here, all mounts and unmounts will be logged.  If the
-        #  sysctl option is enabled, a sysctl option with name "audit_mount" is
-        #  created.
-        kernel.grsecurity.audit_mount = 1
-
-        #  If you say Y here, certain important signals will be logged, such as
-        #  SIGSEGV, which will as a result inform you of when a error in a program
-        #  occurred, which in some cases could mean a possible exploit attempt.
-        #  If the sysctl option is enabled, a sysctl option with name
-        #  "signal_logging" is created.
-        kernel.grsecurity.signal_logging = 1
-
-        #  If you say Y here, all failed fork() attempts will be logged.
-        #  This could suggest a fork bomb, or someone attempting to overstep
-        #  their process limit.  If the sysctl option is enabled, a sysctl option
-        #  with name "forkfail_logging" is created.
-        kernel.grsecurity.forkfail_logging = 1
-
-        #  If you say Y here, any changes of the system clock will be logged.
-        #  If the sysctl option is enabled, a sysctl option with name
-        #  "timechange_logging" is created.
-        kernel.grsecurity.timechange_logging = 1
-
-        #  if you say Y here, calls to mmap() and mprotect() with explicit
-        #  usage of PROT_WRITE and PROT_EXEC together will be logged when
-        #  denied by the PAX_MPROTECT feature.  This feature will also
-        #  log other problematic scenarios that can occur when PAX_MPROTECT
-        #  is enabled on a binary, like textrels and PT_GNU_STACK.  If the
-        #  sysctl option is enabled, a sysctl option with name "rwxmap_logging"
-        #  is created.
-        kernel.grsecurity.rwxmap_logging = 1
-
-        #
-        # Executable Protections
-        #
-
-
-        #  if you say Y here, non-root users will not be able to use dmesg(8)
-        #  to view the contents of the kernel's circular log buffer.
-        #  The kernel's log buffer often contains kernel addresses and other
-        #  identifying information useful to an attacker in fingerprinting a
-        #  system for a targeted exploit.
-        #  If the sysctl option is enabled, a sysctl option with name "dmesg" is
-        #  created.
-        kernel.grsecurity.dmesg = 1
-
         # Hide symbol addresses in /proc/kallsyms
         kernel.kptr_restrict = 2
 
-        #  If you say Y here, TTY sniffers and other malicious monitoring
-        #  programs implemented through ptrace will be defeated.  If you
-        #  have been using the RBAC system, this option has already been
-        #  enabled for several years for all users, with the ability to make
-        #  fine-grained exceptions.
-        #
-        #  This option only affects the ability of non-root users to ptrace
-        #  processes that are not a descendent of the ptracing process.
-        #  This means that strace ./binary and gdb ./binary will still work,
-        #  but attaching to arbitrary processes will not.  If the sysctl
-        #  option is enabled, a sysctl option with name "harden_ptrace" is
-        #  created.
-        kernel.grsecurity.harden_ptrace = 1
-
-        #  If you say Y here, unprivileged users will not be able to ptrace unreadable
-        #  binaries.  This option is useful in environments that
-        #  remove the read bits (e.g. file mode 4711) from suid binaries to
-        #  prevent infoleaking of their contents.  This option adds
-        #  consistency to the use of that file mode, as the binary could normally
-        #  be read out when run without privileges while ptracing.
-        #
-        #  If the sysctl option is enabled, a sysctl option with name "ptrace_readexec"
-        #  is created.
-        kernel.grsecurity.ptrace_readexec = 1
-
-        #  If you say Y here, a change from a root uid to a non-root uid
-        #  in a multithreaded application will cause the resulting uids,
-        #  gids, supplementary groups, and capabilities in that thread
-        #  to be propagated to the other threads of the process.  In most
-        #  cases this is unnecessary, as glibc will emulate this behavior
-        #  on behalf of the application.  Other libcs do not act in the
-        #  same way, allowing the other threads of the process to continue
-        #  running with root privileges.  If the sysctl option is enabled,
-        #  a sysctl option with name "consistent_setxid" is created.
-        kernel.grsecurity.consistent_setxid = 1
-
-        #  If you say Y here, access to overly-permissive IPC objects (shared
-        #  memory, message queues, and semaphores) will be denied for processes
-        #  given the following criteria beyond normal permission checks:
-        #  1) If the IPC object is world-accessible and the euid doesn't match
-        #     that of the creator or current uid for the IPC object
-        #  2) If the IPC object is group-accessible and the egid doesn't
-        #     match that of the creator or current gid for the IPC object
-        #  It's a common error to grant too much permission to these objects,
-        #  with impact ranging from denial of service and information leaking to
-        #  privilege escalation.  This feature was developed in response to
-        #  research by Tim Brown:
-        #  http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/
-        #  who found hundreds of such insecure usages.  Processes with
-        #  CAP_IPC_OWNER are still permitted to access these IPC objects.
-        #  If the sysctl option is enabled, a sysctl option with name
-        #  "harden_ipc" is created.
-        kernel.grsecurity.harden_ipc = 1
-
-        #  If you say Y here, you will be able to choose a gid to add to the
-        #  supplementary groups of users you want to mark as "untrusted."
-        #  These users will not be able to execute any files that are not in
-        #  root-owned directories writable only by root.  If the sysctl option
-        #  is enabled, a sysctl option with name "tpe" is created.
-        kernel.grsecurity.tpe = 1
-        kernel.grsecurity.tpe_gid = 100
-
-        #  If you say Y here, the group you specify in the TPE configuration will
-        #  decide what group TPE restrictions will be *disabled* for.  This
-        #  option is useful if you want TPE restrictions to be applied to most
-        #  users on the system.  If the sysctl option is enabled, a sysctl option
-        #  with name "tpe_invert" is created.  Unlike other sysctl options, this
-        #  entry will default to on for backward-compatibility.
-        kernel.grsecurity.tpe_invert = 1
-
-        #  If you say Y here, all non-root users will be covered under
-        #  a weaker TPE restriction.  This is separate from, and in addition to,
-        #  the main TPE options that you have selected elsewhere.  Thus, if a
-        #  "trusted" GID is chosen, this restriction applies to even that GID.
-        #  Under this restriction, all non-root users will only be allowed to
-        #  execute files in directories they own that are not group or
-        #  world-writable, or in directories owned by root and writable only by
-        #  root.  If the sysctl option is enabled, a sysctl option with name
-        #  "tpe_restrict_all" is created.
-        kernel.grsecurity.tpe_restrict_all = 1
-
-
-        kernel.grsecurity.harden_tty = 1
-
         #
         # Network Protections
         #
@@ -519,105 +149,18 @@
         # Sen SynAck retries to 3
         net.ipv4.tcp_synack_retries = 3
 
-        #  If you say Y here, neither TCP resets nor ICMP
-        #  destination-unreachable packets will be sent in response to packets
-        #  sent to ports for which no associated listening process exists.
-        #  This feature supports both IPV4 and IPV6 and exempts the
-        #  loopback interface from blackholing.  Enabling this feature
-        #  makes a host more resilient to DoS attacks and reduces network
-        #  visibility against scanners.
-        #
-        #  The blackhole feature as-implemented is equivalent to the FreeBSD
-        #  blackhole feature, as it prevents RST responses to all packets, not
-        #  just SYNs.  Under most application behavior this causes no
-        #  problems, but applications (like haproxy) may not close certain
-        #  connections in a way that cleanly terminates them on the remote
-        #  end, leaving the remote host in LAST_ACK state.  Because of this
-        #  side-effect and to prevent intentional LAST_ACK DoSes, this
-        #  feature also adds automatic mitigation against such attacks.
-        #  The mitigation drastically reduces the amount of time a socket
-        #  can spend in LAST_ACK state.  If you're using haproxy and not
-        #  all servers it connects to have this option enabled, consider
-        #  disabling this feature on the haproxy host.
-        #
-        #  If the sysctl option is enabled, two sysctl options with names
-        #  "ip_blackhole" and "lastack_retries" will be created.
-        #  While "ip_blackhole" takes the standard zero/non-zero on/off
-        #  toggle, "lastack_retries" uses the same kinds of values as
-        #  "tcp_retries1" and "tcp_retries2".  The default value of 4
-        #  prevents a socket from lasting more than 45 seconds in LAST_ACK
-        #  state.
-        kernel.grsecurity.ip_blackhole = 1
-        kernel.grsecurity.lastack_retries = 4
-
-        #  If you say Y here, you will be able to choose a GID of whose users will
-        #  be unable to connect to other hosts from your machine or run server
-        #  applications from your machine.  If the sysctl option is enabled, a
-        #  sysctl option with name "socket_all" is created.
-        kernel.grsecurity.socket_all = 1
-
-        #  Here you can choose the GID to disable socket access for. Remember to
-        #  add the users you want socket access disabled for to the GID
-        #  specified here.  If the sysctl option is enabled, a sysctl option
-        #  with name "socket_all_gid" is created.
-        kernel.grsecurity.socket_all_gid = 200
-
-        #  If you say Y here, you will be able to choose a GID of whose users will
-        #  be unable to connect to other hosts from your machine, but will be
-        #  able to run servers.  If this option is enabled, all users in the group
-        #  you specify will have to use passive mode when initiating ftp transfers
-        #  from the shell on your machine.  If the sysctl option is enabled, a
-        #  sysctl option with name "socket_client" is created.
-        kernel.grsecurity.socket_client = 1
-
-        #  Here you can choose the GID to disable client socket access for.
-        #  Remember to add the users you want client socket access disabled for to
-        #  the GID specified here.  If the sysctl option is enabled, a sysctl
-        #  option with name "socket_client_gid" is created.
-        kernel.grsecurity.socket_client_gid = 201
-
-        #  If you say Y here, you will be able to choose a GID of whose users will
-        #  be unable to connect to other hosts from your machine, but will be
-        #  able to run servers.  If this option is enabled, all users in the group
-        #  you specify will have to use passive mode when initiating ftp transfers
-        #  from the shell on your machine.  If the sysctl option is enabled, a
-        #  sysctl option with name "socket_client" is created.
-        kernel.grsecurity.socket_server = 1
-
-        #  Here you can choose the GID to disable server socket access for.
-        #  Remember to add the users you want server socket access disabled for to
-        #  the GID specified here.  If the sysctl option is enabled, a sysctl
-        #  option with name "socket_server_gid" is created.
-        kernel.grsecurity.socket_server_gid = 99
-
-        #
-        # Physical Protections
-        #
-
-        #  If you say Y here, a new sysctl option with name "deny_new_usb"
-        #  will be created.  Setting its value to 1 will prevent any new
-        #  USB devices from being recognized by the OS.  Any attempted USB
-        #  device insertion will be logged.  This option is intended to be
-        #  used against custom USB devices designed to exploit vulnerabilities
-        #  in various USB device drivers.
-        #
-        #  For greatest effectiveness, this sysctl should be set after any
-        #  relevant init scripts.  This option is safe to enable in distros
-        #  as each user can choose whether or not to toggle the sysctl.
-        kernel.grsecurity.deny_new_usb = 0
-
-        #
-        # Restrict grsec sysctl changes after this was set
-        #
-        kernel.grsecurity.grsec_lock = 0
-
         # End of file
+

Reload sysctl settings;

+ + 
+        # sysctl --system
+
Core OS Index

This is part of the Hive System Documentation. - Copyright (C) 2018 + Copyright (C) 2019 Hive Team. See the file Gnu Free Documentation License for copying conditions.

-- cgit 1.4.1-2-gfad0 From 951a8a84411da6b71cee11d8c9feb993b984acf5 Mon Sep 17 00:00:00 2001 From: Silvino Date: Sun, 16 Jun 2019 05:03:49 +0100 Subject: apparmor and hardening revision --- core/apparmor.html | 31 +++++++++++++- core/hardening.html | 118 +++++++++++++++++++++++++++++++++++++++++++++------- core/sysctl.html | 5 +++ tools/irssi.html | 42 ++++++++++++++++--- tools/x.html | 60 +------------------------- 5 files changed, 176 insertions(+), 80 deletions(-) (limited to 'core/sysctl.html') diff --git a/core/apparmor.html b/core/apparmor.html index 0052a68..8b7a30c 100644 --- a/core/apparmor.html +++ b/core/apparmor.html @@ -109,6 +109,35 @@

Create profile with audit

+

Tools use log as a source to build profiles, it is + necessary to disable log rate limit;

+ + 
+        # sysctl -w kernel.printk_ratelimit=0
+
+ +

Start aa-genprof;

+ + 
+        $ sudo aa-genprof /usr/bin/lynx
+
+ +

Execute application with all common application options + and parts;

+ +

After initial automatic configuration enable profile in + complain mode. Use aa-logprof when rules need to be adapted.

+ + 
+        # aa-logprof
+
+ +

Once profile rules become well defined enable profile in + enforce mode with aa-enforce;

+ +

Monitor logs with aa-notify; + +

Create profile manually

To create a new profile, let's say for lynx, @@ -136,8 +165,6 @@ } - - Core OS Index

This is part of the Hive System Documentation. Copyright (C) 2019 diff --git a/core/hardening.html b/core/hardening.html index 8e9788f..d94cda6 100644 --- a/core/hardening.html +++ b/core/hardening.html @@ -10,15 +10,16 @@

2.6. Hardening

-

2.6.0.1 System configuration

+

2.6.0.2 System security

File systems
Check fstab and current mount options. Mount filesystems in read only, only strict necessary in rw.
Sys
Check kernel settings with sysctl.
+
kernel.yama.ptrace_scope breaks gdb, strace, perf trace and reptyr.
Iptables
-
Check if iptables rules are loaded and are correctly logging.
+
Check if iptables rules are loaded and are correctly logging.(firewald works as API to iptables).
Apparmor
Check if apparmor is active and enforcing policies.
Samhain
@@ -27,31 +28,120 @@
Build ports using hardened toolchain settings.
-

System security

         $ sudo prt-get depinst checksec
-
-
User / Pam
-
Normal user is not part of wheel group - or have administration rights.
-
Disable su.
-
Processes
-
Check processes running as root
-
Check processes users premissions
+

2.6.0.1 System configuration

+ +

1.1 - Users groups, passwords and sudo.

+ +

Check "normal" users groups, make sure they are not admin or wheel group; ps -U root -u root u, ps axl | awk '$7 != 0 && $10 !~ "Z"', process permission; ps -o gid,rdig,supgid -p "$pid"

+ +

Maintain, secure with hash, and enforce secure passwords with pam-cracklib.

+ + +

1.2 - Linux PAM

+ +

Cat /etc/pam.d/system-auth. Check pam modules, test on virtual machine, user can lockout during tests.

+ +

Check files (processes) set uid and set gid;

+ + 
+        # find / -perm -4000 >> /root/setuid_files
+        # find / -perm 2000 >> /root/setguid_files
+
+ +

To setuid (4744);

+ + 
+        # chmod u+s filename
+
+ +

To remove (0664) from su and Xorg (user must be part of input and video for xorg to run);

+ + 
+        # chmod u-s /usr/bin/su
+        # chmod u-s /usr/bin/X
+
+ +

To set gid (2744)

+ 
+        # chmod g+s filename
+
+

To remove (0774);

+ 
+        # chmod g-s filename
+
+ +

Check files (processes); getfacl filename.

+ , disable admins and root from sshd.

+ +

1.3. Capabilities

+ +

Check capabilities;

+ 
+        # getcap filename
+
+ +
1.9 - Limit number of processes.
+
1.10 - Lock user after 3 failed loggins.
+
1.8 - Block host ip based on iptable and services + abuse.
+

1.4 Sudo

+ +

Check sudo, sudoers and sudo replay.

+ +

Don't run editor as root, instead run sudoedit filename or sudo --edit filename. Editor can be set as a environment variable;

+ + 
+        $ export SUDO_EDITOR=vim
+
+ +

Set rvim as default on sudo config;

+ + 
+        # visudo
+
+        Defaults editor=/usr/bin/rvim
+
+ +

Once sudo is correctly configured, disable root login;

+ + 
+        # passwd --lock root
+
+ +

1.5 Auditd

+ + 
+        $ prt-get depinst audit
+
+ +

Example audit when file /etc/passwd get modified;

+ + 
+        $ auditctl -w /etc/passwd -p wa -k passwd_changes
+
+ +

Audit when a module get's loaded;

+ + 
+        # auditctl -w /sbin/insmod -p x -k module_insertion
+
+

2.6.0.2 Lynis

         $ sudo prt-get depinst lynis
-

Lynis gives a view of system overall configuration, without changing - default profile it runs irrelevant tests. Create a lynis profile by - coping default one and run lynis;

+

Lynis gives a view of system overall configuration, + without changing default profile it runs irrelevant tests. + Create a lynis profile by coping default one and run lynis;

         $ sudo cp /etc/lynis/default.prf /etc/lynis/custom.prf
diff --git a/core/sysctl.html b/core/sysctl.html
index a5af197..afee463 100644
--- a/core/sysctl.html
+++ b/core/sysctl.html
@@ -33,6 +33,9 @@
         # Allow for more PIDs (to reduce rollover problems); may break some programs 32768
         kernel.pid_max = 65536
 
+        #Yama LSM by default
+        kernel.yama.ptrace_scope = 1
+
         #
         # Filesystem Protections
         #
@@ -48,6 +51,8 @@
         # Network Protections
         #
 
+        net.core.bpf_jit_enable = 0
+
         # Increase Linux auto tuning TCP buffer limits
         # min, default, and max number of bytes to use
         # set max to at least 4MB, or higher if you use very high BDP paths
diff --git a/tools/irssi.html b/tools/irssi.html
index d4fcc0d..dbb1372 100644
--- a/tools/irssi.html
+++ b/tools/irssi.html
@@ -1,9 +1,39 @@
+
+
+    
+        
+        Irssi
+    
+    
 
-   Start up irssi, then:
-   /connect irc.freenode.net
-   /nick MyIRCNick
-   /SERVER ADD -auto -network freenode irc.freenode.net 6667 
+        Tools Index
+
+        
Irssi

+
+        
Default configuration file is at /usr/etc/irssi.conf;

+
+        
+        $ mkdir .irssi
+        $ cp /usr/etc/irssi.conf .irssi/config
+        

+
+        
Start up irssi, then:

+
+        
+        /connect irc.freenode.net
+        /nick MyIRCNick
+        /SERVER ADD -auto -network freenode irc.freenode.net 6667 <password>
+        /CHANNEL ADD -auto #crux freenode
+        

 
-      (you may have to shutdown and restart irssi at this point for it to
          recognize the network name "freenode" in the next step)
-         /CHANNEL ADD -auto #crux freenode
+
+        Tools Index
+        

+        This is part of the Hive System Documentation.
+        Copyright (C) 2019
+        Hive Team.
+        See the file Gnu Free Documentation License
+        for copying conditions.

+    
+
diff --git a/tools/x.html b/tools/x.html
index c693062..3efaf7a 100644
--- a/tools/x.html
+++ b/tools/x.html
@@ -17,34 +17,7 @@
         
Xorg

 
         
-        $ sudo prt-get depinst xorg-server \
-             xorg-xinit \
-             xorg-xrdb \
-             xorg-xdpyinfo \
-             xorg-xauth \
-             xorg-xmodmap \
-             xorg-xrandr \
-             xorg-xgamma \
-             xorg-xf86-input-evdev \
-             xorg-xf86-input-synaptics \
-             xsel \
-             xkeyboard-config
-        

-
-        
Fonts

-
-        
-        $ sudo prt-get depinst xorg-font-util \
-             xorg-font-alias \
-             xorg-font-dejavu-ttf \
-             xorg-font-cursor-misc \
-             xorg-font-misc-misc \
-             console-font-terminus \
-             xorg-font-terminus \
-             xorg-font-mutt-misc
-
-        $ prt-get search xorg-font-bitstream | xargs sudo prt-get depinst
-        $ prt-get search xorg-font-bh | xargs sudo prt-get depinst
+        $ prt-get depinst meta-desktop
         

 
 
@@ -53,35 +26,6 @@
         $ prt-get depinst otf-sourcecode
-

Utilities

- - 
-        $ sudo prt-get depinst \
-            alsa-utils \
-            libdrm \
-            mesa3d \
-            ffmpeg \
-            gstreamer \
-            gstreamer-vaapi \
-            gst-plugins-base \
-            gst-plugins-good \
-            gst-plugins-bad \
-            gst-plugins-ugly \
-            cmus \
-            dmenu \
-            st \
-            gparted \
-            gimp \
-            libreoffice \
-            ca-certificates \
-	    linux-pam \
-	    gstreamer \
-	    libgd \
-            icu \
-	    syndaemon \
-	    firefox
-
-

Window Managers

@@ -92,7 +36,7 @@
 	 	mate
-

Configure

+

Configure

Local xinitrc

-- cgit 1.4.1-2-gfad0