From 0e7880313b3a3e016c0d2e287802cc6ddff9edd1 Mon Sep 17 00:00:00 2001 From: Silvino Silva Date: Mon, 20 Feb 2017 09:06:21 +0000 Subject: core revision --- core/conf/fstab | 13 +- core/conf/pkgmk.conf | 4 +- core/conf/prt-get.conf | 4 +- core/conf/rc.d/wlan | 7 +- core/conf/sysctl.conf | 538 ++++++++++++++-- core/configure.html | 45 +- core/dash.html | 2 +- core/exim.html | 2 +- core/index.html | 38 +- core/linux.html | 676 +++++++++++++++++++-- core/network.html | 141 +---- core/package.html | 18 +- core/ports.html | 16 +- core/ports/linux-blob/.footprint | 107 ++-- core/ports/linux-blob/.md5sum | 10 +- core/ports/linux-blob/Pkgfile | 11 +- core/ports/linux-blob/config-c9 | 49 +- core/ports/linux-blob/port-blob-grsecurity.patch | 8 +- core/ports/linux-blob/port-blob-make.patch | 2 +- core/ports/linux-libre/.footprint | 107 ++-- core/ports/linux-libre/.md5sum | 10 +- core/ports/linux-libre/Pkgfile | 10 +- core/ports/linux-libre/config-c9 | 49 +- core/ports/linux-libre/port-libre-grsecurity.patch | 4 +- core/ports/linux-libre/port-libre-make.patch | 2 +- core/reboot.html | 106 +--- 26 files changed, 1417 insertions(+), 562 deletions(-) (limited to 'core') diff --git a/core/conf/fstab b/core/conf/fstab index da3c9dd..d3fc878 100644 --- a/core/conf/fstab +++ b/core/conf/fstab @@ -13,9 +13,20 @@ #/dev/cdrom /cdrom iso9660 ro,user,noauto,unhide 0 0 #/dev/dvd /dvd udf ro,user,noauto,unhide 0 0 #/dev/floppy/0 /floppy vfat user,noauto,unhide 0 0 -devpts /dev/pts devpts noexec,nosuid,gid=tty,mode=0620 0 0 #tmp /tmp tmpfs defaults 0 0 #shm /dev/shm tmpfs defaults 0 0 #usb /proc/bus/usb usbfs defaults 0 0 # End of file +#/dev/sda3 on / type ext4 (rw,relatime,data=ordered) +#UUID=3bab76f8-e714-45f1-8e30-04cc8a09c3d1 / ext4 ro,relatime,data=ordered 0 1 +/dev/sda3 / ext4 defaults,noatime,ro 0 1 +devpts /dev/pts devpts noexec,nosuid,gid=tty,mode=0620 0 0 +UUID=3b408790-65e1-4638-9591-7ba61f266913 /boot ext4 defaults,ro,noatime 0 0 +UUID=962D-0DE1 /boot/efi vfat ro,noauto,umask=0077 0 0 +UUID=f2336a56-fbe6-444c-bdbf-f0e6c209c237 /var ext4 defaults,nodev,noexec,nosuid,errors=remount-ro 0 0 +UUID=20bd3948-0877-4192-af52-ad87d6f96db0 /usr ext4 defaults,ro,nodev,errors=remount-ro 0 0 +UUID=66c083d6-b8f2-4a98-ae55-9412f98cc089 /usr/ports ext4 defaults,ro,nodev,errors=remount-ro 0 0 +pkgmk /usr/ports/work tmpfs size=30G,gid=101,uid=100,defaults 0 0 +UUID=36e9e1d5-8356-451e-a301-81098b9a15ea /srv ext4 defaults,nodev,errors=remount-ro 0 0 +UUID=cd15196a-69f1-4fb4-9730-a384c62add91 /home ext4 defaults,nodev,nosuid,errors=remount-ro 0 0 diff --git a/core/conf/pkgmk.conf b/core/conf/pkgmk.conf index 3533ba7..4ef372e 100644 --- a/core/conf/pkgmk.conf +++ b/core/conf/pkgmk.conf @@ -2,7 +2,7 @@ # /etc/pkgmk.conf: pkgmk(8) configuration # -export CFLAGS="-O2 -march=x86-64" +export CFLAGS="-O2 -march=native -mtune=native" export CXXFLAGS="${CFLAGS}" export MAKEFLAGS="-j4" @@ -22,7 +22,7 @@ case ${PKGMK_ARCH} in ;; esac -PKGMK_SOURCE_MIRRORS=(http://crux.nu/distfiles/) +#PKGMK_SOURCE_MIRRORS=(http://crux.nu/distfiles/) PKGMK_SOURCE_DIR="/usr/ports/distfiles" PKGMK_PACKAGE_DIR="/usr/ports/packages" PKGMK_WORK_DIR="/usr/ports/work/$name" diff --git a/core/conf/prt-get.conf b/core/conf/prt-get.conf index f6b6d16..0504d3e 100644 --- a/core/conf/prt-get.conf +++ b/core/conf/prt-get.conf @@ -38,7 +38,7 @@ logfile /usr/ports/pkgbuild/%n-%v-%r.log readme verbose # (verbose|compact|disabled) ### prefer higher versions in sysup / diff -preferhigher no # (yes|no) +#preferhigher yes # (yes|no) ### use regexp search # useregex no # (yes|no) @@ -51,7 +51,7 @@ runscripts yes # (no|yes) ### EXPERT SECTION ### ### alternative commands -makecommand sudo -H -u pkgmk fakeroot pkgmk +makecommand sudo -H -u pkgmk -g pkgmk fakeroot pkgmk addcommand sudo pkgadd removecommand sudo pkgrm runscriptcommand sudo sh diff --git a/core/conf/rc.d/wlan b/core/conf/rc.d/wlan index 8800148..86910bc 100755 --- a/core/conf/rc.d/wlan +++ b/core/conf/rc.d/wlan @@ -15,7 +15,6 @@ PID_WIFI=/var/run/wpa_supplicant.pid OPTS_DHCP="--waitip -h $(/bin/hostname) -z $DEV" OPTS_WIFI="-B -P $PID_WIFI -D nl80211,wext -c /etc/wpa_supplicant.conf -i $DEV" - print_status() { $SSD --status --pidfile $2 case $? in @@ -35,7 +34,13 @@ case $1 in stop) ( $SSD --stop --retry 10 --pidfile $PID_DHCP $SSD --stop --retry 10 --pidfile $PID_WIFI ) + RETVAL=$? + /sbin/ip route del default dev ${DEV} + /sbin/ip route flush dev ${DEV} + /sbin/ip link set ${DEV} down + /sbin/ip addr flush dev ${DEV} + ;; restart) $0 stop diff --git a/core/conf/sysctl.conf b/core/conf/sysctl.conf index b419628..b60d3e6 100644 --- a/core/conf/sysctl.conf +++ b/core/conf/sysctl.conf @@ -3,20 +3,420 @@ # kernel.printk = 15 1 1 4 +kernel.randomize_va_space = 1 +kernel.shmmax = 500000000 +# Allow for more PIDs (to reduce rollover problems); may break some programs 32768 +kernel.pid_max = 65536 + +# +# Memory Protections +# + +# If you say Y here, all ioperm and iopl calls will return an error. +# Ioperm and iopl can be used to modify the running kernel. +# Unfortunately, some programs need this access to operate properly, +# the most notable of which are XFree86 and hwclock. hwclock can be +# remedied by having RTC support in the kernel, so real-time +# clock support is enabled if this option is enabled, to ensure +# that hwclock operates correctly. +# +# If you're using XFree86 or a version of Xorg from 2012 or earlier, +# you may not be able to boot into a graphical environment with this +# option enabled. In this case, you should use the RBAC system instead. +#kernel.grsecurity.disable_priv_io = 1 +kernel.grsecurity.disable_priv_io = 0 + +# If you say Y here, attempts to bruteforce exploits against forking +# daemons such as apache or sshd, as well as against suid/sgid binaries +# will be deterred. When a child of a forking daemon is killed by PaX +# or crashes due to an illegal instruction or other suspicious signal, +# the parent process will be delayed 30 seconds upon every subsequent +# fork until the administrator is able to assess the situation and +# restart the daemon. +# In the suid/sgid case, the attempt is logged, the user has all their +# existing instances of the suid/sgid binary terminated and will +# be unable to execute any suid/sgid binaries for 15 minutes. +# +# It is recommended that you also enable signal logging in the auditing +# section so that logs are generated when a process triggers a suspicious +# signal. +# If the sysctl option is enabled, a sysctl option with name +# "deter_bruteforce" is created. +#kernel.grsecurity.deter_bruteforce = 1 + +# +# Filesystem Protections +# + +# Optimization for port usefor LBs +# Increase system file descriptor limit +fs.file-max = 65535 + +# If you say Y here, /tmp race exploits will be prevented, since users +# will no longer be able to follow symlinks owned by other users in +# world-writable +t directories (e.g. /tmp), unless the owner of the +# symlink is the owner of the directory. users will also not be +# able to hardlink to files they do not own. If the sysctl option is +# enabled, a sysctl option with name "linking_restrictions" is created. +kernel.grsecurity.linking_restrictions = 1 + + +# Apache's SymlinksIfOwnerMatch option has an inherent race condition +# that prevents it from being used as a security feature. As Apache +# verifies the symlink by performing a stat() against the target of +# the symlink before it is followed, an attacker can setup a symlink +# to point to a same-owned file, then replace the symlink with one +# that targets another user's file just after Apache "validates" the +# symlink -- a classic TOCTOU race. If you say Y here, a complete, +# race-free replacement for Apache's "SymlinksIfOwnerMatch" option +# will be in place for the group you specify. If the sysctl option +# is enabled, a sysctl option with name "enforce_symlinksifowner" is +# created. +#kernel.grsecurity.enforce_symlinksifowner = 1 +#kernel.grsecurity.symlinkown_gid = 33 + +# if you say Y here, users will not be able to write to FIFOs they don't +# own in world-writable +t directories (e.g. /tmp), unless the owner of +# the FIFO is the same owner of the directory it's held in. If the sysctl +# option is enabled, a sysctl option with name "fifo_restrictions" is +# created. +#kernel.grsecurity.fifo_restrictions = 1 + +# If you say Y here, a sysctl option with name "romount_protect" will +# be created. By setting this option to 1 at runtime, filesystems +# will be protected in the following ways: +# * No new writable mounts will be allowed +# * Existing read-only mounts won't be able to be remounted read/write +# * Write operations will be denied on all block devices +# This option acts independently of grsec_lock: once it is set to 1, +# it cannot be turned off. Therefore, please be mindful of the resulting +# behavior if this option is enabled in an init script on a read-only +# filesystem. +# Also be aware that as with other root-focused features, GRKERNSEC_KMEM +# and GRKERNSEC_IO should be enabled and module loading disabled via +# config or at runtime. +# This feature is mainly intended for secure embedded systems. +#kernel.grsecurity.romount_protect = 0 + +# if you say Y here, the capabilities on all processes within a +# chroot jail will be lowered to stop module insertion, raw i/o, +# system and net admin tasks, rebooting the system, modifying immutable +# files, modifying IPC owned by another, and changing the system time. +# This is left an option because it can break some apps. Disable this +# if your chrooted apps are having problems performing those kinds of +# tasks. If the sysctl option is enabled, a sysctl option with +# name "chroot_caps" is created. +kernel.grsecurity.chroot_caps = 1 + +#kernel.grsecurity.chroot_deny_bad_rename = 1 + +# If you say Y here, processes inside a chroot will not be able to chmod +# or fchmod files to make them have suid or sgid bits. This protects +# against another published method of breaking a chroot. If the sysctl +# option is enabled, a sysctl option with name "chroot_deny_chmod" is +# created. +kernel.grsecurity.chroot_deny_chmod = 1 + +# If you say Y here, processes inside a chroot will not be able to chroot +# again outside the chroot. This is a widely used method of breaking +# out of a chroot jail and should not be allowed. If the sysctl +# option is enabled, a sysctl option with name +# "chroot_deny_chroot" is created. +kernel.grsecurity.chroot_deny_chroot = 1 + +# If you say Y here, a well-known method of breaking chroots by fchdir'ing +# to a file descriptor of the chrooting process that points to a directory +# outside the filesystem will be stopped. If the sysctl option +# is enabled, a sysctl option with name "chroot_deny_fchdir" is created. +kernel.grsecurity.chroot_deny_fchdir = 1 + +# If you say Y here, processes inside a chroot will not be allowed to +# mknod. The problem with using mknod inside a chroot is that it +# would allow an attacker to create a device entry that is the same +# as one on the physical root of your system, which could range from +# anything from the console device to a device for your harddrive (which +# they could then use to wipe the drive or steal data). It is recommended +# that you say Y here, unless you run into software incompatibilities. +# If the sysctl option is enabled, a sysctl option with name +# "chroot_deny_mknod" is created. +kernel.grsecurity.chroot_deny_mknod = 1 + +# If you say Y here, processes inside a chroot will not be able to +# mount or remount filesystems. If the sysctl option is enabled, a +# sysctl option with name "chroot_deny_mount" is created. +kernel.grsecurity.chroot_deny_mount = 1 + +# If you say Y here, processes inside a chroot will not be able to use +# a function called pivot_root() that was introduced in Linux 2.3.41. It +# works similar to chroot in that it changes the root filesystem. This +# function could be misused in a chrooted process to attempt to break out +# of the chroot, and therefore should not be allowed. If the sysctl +# option is enabled, a sysctl option with name "chroot_deny_pivot" is +# created. +kernel.grsecurity.chroot_deny_pivot = 1 + +# If you say Y here, processes inside a chroot will not be able to attach +# to shared memory segments that were created outside of the chroot jail. +# It is recommended that you say Y here. If the sysctl option is enabled, +# a sysctl option with name "chroot_deny_shmat" is created. +kernel.grsecurity.chroot_deny_shmat = 1 + +# If you say Y here, an attacker in a chroot will not be able to +# write to sysctl entries, either by sysctl(2) or through a /proc +# interface. It is strongly recommended that you say Y here. If the +# sysctl option is enabled, a sysctl option with name +# "chroot_deny_sysctl" is created. +kernel.grsecurity.chroot_deny_sysctl = 1 + +# If you say Y here, processes inside a chroot will not be able to +# connect to abstract (meaning not belonging to a filesystem) Unix +# domain sockets that were bound outside of a chroot. It is recommended +# that you say Y here. If the sysctl option is enabled, a sysctl option +# with name "chroot_deny_unix" is created. +kernel.grsecurity.chroot_deny_unix = 1 + +# If you say Y here, the current working directory of all newly-chrooted +# applications will be set to the the root directory of the chroot. +# The man page on chroot(2) states: +# Note that usually chhroot does not change the current working +# directory, so that `.' can be outside the tree rooted at +# `/'. In particular, the super-user can escape from a +# `chroot jail' by doing `mkdir foo; chroot foo; cd ..'. +# +# It is recommended that you say Y here, since it's not known to break +# any software. If the sysctl option is enabled, a sysctl option with +# name "chroot_enforce_chdir" is created. +kernel.grsecurity.chroot_enforce_chdir = 1 + +# If you say Y here, processes inside a chroot will not be able to +# kill, send signals with fcntl, ptrace, capget, getpgid, setpgid, +# getsid, or view any process outside of the chroot. If the sysctl +# option is enabled, a sysctl option with name "chroot_findtask" is +# created. +kernel.grsecurity.chroot_findtask = 1 + +# If you say Y here, processes inside a chroot will not be able to raise +# the priority of processes in the chroot, or alter the priority of +# processes outside the chroot. This provides more security than simply +# removing CAP_SYS_NICE from the process' capability set. If the +# sysctl option is enabled, a sysctl option with name "chroot_restrict_nice" +# is created. +kernel.grsecurity.chroot_restrict_nice = 1 + +# +# Kernel Auditing +# + +# If you say Y here, the exec and chdir logging features will only operate +# on a group you specify. This option is recommended if you only want to +# watch certain users instead of having a large amount of logs from the +# entire system. If the sysctl option is enabled, a sysctl option with +# name "audit_group" is created. +kernel.grsecurity.audit_group = 0 + +# If you say Y here, the exec and chdir logging features will only operate +# on a group you specify. This option is recommended if you only want to +# watch certain users instead of having a large amount of logs from the +# entire system. If the sysctl option is enabled, a sysctl option with +# name "audit_group" is created. +#kernel.grsecurity.audit_gid = 201 + +# If you say Y here, all execve() calls will be logged (since the +# other exec*() calls are frontends to execve(), all execution +# will be logged). Useful for shell-servers that like to keep track +# of their users. If the sysctl option is enabled, a sysctl option with +# name "exec_logging" is created. +# WARNING: This option when enabled will produce a LOT of logs, especially +# on an active system. +kernel.grsecurity.exec_logging = 0 + +# If you say Y here, all attempts to overstep resource limits will +# be logged with the resource name, the requested size, and the current +# limit. It is highly recommended that you say Y here. If the sysctl +# option is enabled, a sysctl option with name "resource_logging" is +# created. If the RBAC system is enabled, the sysctl value is ignored. +#kernel.grsecurity.resource_logging = 1 +kernel.grsecurity.resource_logging = 0 + +# If you say Y here, all executions inside a chroot jail will be logged +# to syslog. This can cause a large amount of logs if certain +# applications (eg. djb's daemontools) are installed on the system, and +# is therefore left as an option. If the sysctl option is enabled, a +# sysctl option with name "chroot_execlog" is created. +kernel.grsecurity.chroot_execlog = 0 + +# If you say Y here, all attempts to attach to a process via ptrace +# will be logged. If the sysctl option is enabled, a sysctl option +# with name "audit_ptrace" is created. +#kernel.grsecurity.audit_ptrace = 1 +kernel.grsecurity.audit_ptrace = 0 + +# If you say Y here, all attempts to attach to a process via ptrace +# will be logged. If the sysctl option is enabled, a sysctl option +# with name "audit_ptrace" is created. +kernel.grsecurity.audit_chdir = 0 + +# If you say Y here, all mounts and unmounts will be logged. If the +# sysctl option is enabled, a sysctl option with name "audit_mount" is +# created. +#kernel.grsecurity.audit_mount = 1 +kernel.grsecurity.audit_mount = 0 + +# If you say Y here, certain important signals will be logged, such as +# SIGSEGV, which will as a result inform you of when a error in a program +# occurred, which in some cases could mean a possible exploit attempt. +# If the sysctl option is enabled, a sysctl option with name +# "signal_logging" is created. +kernel.grsecurity.signal_logging = 0 + +# If you say Y here, all failed fork() attempts will be logged. +# This could suggest a fork bomb, or someone attempting to overstep +# their process limit. If the sysctl option is enabled, a sysctl option +# with name "forkfail_logging" is created. +#kernel.grsecurity.forkfail_logging = 1 +kernel.grsecurity.forkfail_logging = 0 + +# If you say Y here, any changes of the system clock will be logged. +# If the sysctl option is enabled, a sysctl option with name +# "timechange_logging" is created. +#kernel.grsecurity.timechange_logging = 1 + +# if you say Y here, calls to mmap() and mprotect() with explicit +# usage of PROT_WRITE and PROT_EXEC together will be logged when +# denied by the PAX_MPROTECT feature. This feature will also +# log other problematic scenarios that can occur when PAX_MPROTECT +# is enabled on a binary, like textrels and PT_GNU_STACK. If the +# sysctl option is enabled, a sysctl option with name "rwxmap_logging" +# is created. +#kernel.grsecurity.rwxmap_logging = 1 + +# +# Executable Protections +# + +# if you say Y here, non-root users will not be able to use dmesg(8) +# to view the contents of the kernel's circular log buffer. +# The kernel's log buffer often contains kernel addresses and other +# identifying information useful to an attacker in fingerprinting a +# system for a targeted exploit. +# If the sysctl option is enabled, a sysctl option with name "dmesg" is +# created. +kernel.grsecurity.dmesg = 1 + +# Hide symbol addresses in /proc/kallsyms +kernel.kptr_restrict = 1 + +# If you say Y here, TTY sniffers and other malicious monitoring +# programs implemented through ptrace will be defeated. If you +# have been using the RBAC system, this option has already been +# enabled for several years for all users, with the ability to make +# fine-grained exceptions. +# +# This option only affects the ability of non-root users to ptrace +# processes that are not a descendent of the ptracing process. +# This means that strace ./binary and gdb ./binary will still work, +# but attaching to arbitrary processes will not. If the sysctl +# option is enabled, a sysctl option with name "harden_ptrace" is +# created. +kernel.grsecurity.harden_ptrace = 1 + +# If you say Y here, unprivileged users will not be able to ptrace unreadable +# binaries. This option is useful in environments that +# remove the read bits (e.g. file mode 4711) from suid binaries to +# prevent infoleaking of their contents. This option adds +# consistency to the use of that file mode, as the binary could normally +# be read out when run without privileges while ptracing. +# +# If the sysctl option is enabled, a sysctl option with name "ptrace_readexec" +# is created. +kernel.grsecurity.ptrace_readexec = 1 + +# If you say Y here, a change from a root uid to a non-root uid +# in a multithreaded application will cause the resulting uids, +# gids, supplementary groups, and capabilities in that thread +# to be propagated to the other threads of the process. In most +# cases this is unnecessary, as glibc will emulate this behavior +# on behalf of the application. Other libcs do not act in the +# same way, allowing the other threads of the process to continue +# running with root privileges. If the sysctl option is enabled, +# a sysctl option with name "consistent_setxid" is created. +#kernel.grsecurity.consistent_setxid = 1 + +# If you say Y here, access to overly-permissive IPC objects (shared +# memory, message queues, and semaphores) will be denied for processes +# given the following criteria beyond normal permission checks: +# 1) If the IPC object is world-accessible and the euid doesn't match +# that of the creator or current uid for the IPC object +# 2) If the IPC object is group-accessible and the egid doesn't +# match that of the creator or current gid for the IPC object +# It's a common error to grant too much permission to these objects, +# with impact ranging from denial of service and information leaking to +# privilege escalation. This feature was developed in response to +# research by Tim Brown: +# http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/ +# who found hundreds of such insecure usages. Processes with +# CAP_IPC_OWNER are still permitted to access these IPC objects. +# If the sysctl option is enabled, a sysctl option with name +# "harden_ipc" is created. +kernel.grsecurity.harden_ipc = 1 + +# If you say Y here, you will be able to choose a gid to add to the +# supplementary groups of users you want to mark as "untrusted." +# These users will not be able to execute any files that are not in +# root-owned directories writable only by root. If the sysctl option +# is enabled, a sysctl option with name "tpe" is created. +kernel.grsecurity.tpe = 1 +kernel.grsecurity.tpe_gid = 101 + +# If you say Y here, the group you specify in the TPE configuration will +# decide what group TPE restrictions will be *disabled* for. This +# option is useful if you want TPE restrictions to be applied to most +# users on the system. If the sysctl option is enabled, a sysctl option +# with name "tpe_invert" is created. Unlike other sysctl options, this +# entry will default to on for backward-compatibility. +kernel.grsecurity.tpe_invert = 1 + +# If you say Y here, all non-root users will be covered under +# a weaker TPE restriction. This is separate from, and in addition to, +# the main TPE options that you have selected elsewhere. Thus, if a +# "trusted" GID is chosen, this restriction applies to even that GID. +# Under this restriction, all non-root users will only be allowed to +# execute files in directories they own that are not group or +# world-writable, or in directories owned by root and writable only by +# root. If the sysctl option is enabled, a sysctl option with name +# "tpe_restrict_all" is created. +kernel.grsecurity.tpe_restrict_all = 0 + + +#kernel.grsecurity.harden_tty = 1 +# +# Network Protections +# + +# Increase Linux auto tuning TCP buffer limits +# min, default, and max number of bytes to use +# set max to at least 4MB, or higher if you use very high BDP paths +# Tcp Windows etc +net.core.rmem_max = 8388608 +net.core.wmem_max = 8388608 +net.core.netdev_max_backlog = 5000 +net.ipv4.tcp_window_scaling = 1 + +# Both ports linux-blob and linux-libre don't build with ipv6 # Disable ipv6 net.ipv6.conf.all.disable_ipv6 = 1 net.ipv6.conf.default.disable_ipv6 = 1 net.ipv6.conf.lo.disable_ipv6 = 1 # Tuen IPv6 -net.ipv6.conf.default.router_solicitations = 0 -net.ipv6.conf.default.accept_ra_rtr_pref = 0 -net.ipv6.conf.default.accept_ra_pinfo = 0 -net.ipv6.conf.default.accept_ra_defrtr = 0 -net.ipv6.conf.default.autoconf = 0 -net.ipv6.conf.default.dad_transmits = 0 -net.ipv6.conf.default.max_addresses = 0 +#net.ipv6.conf.default.router_solicitations = 0 +#net.ipv6.conf.default.accept_ra_rtr_pref = 0 +#net.ipv6.conf.default.accept_ra_pinfo = 0 +#net.ipv6.conf.default.accept_ra_defrtr = 0 +#net.ipv6.conf.default.autoconf = 0 +#net.ipv6.conf.default.dad_transmits = 0 +#net.ipv6.conf.default.max_addresses = 0 # Avoid a smurf attack net.ipv4.icmp_echo_ignore_broadcasts = 1 @@ -56,8 +456,8 @@ net.ipv4.conf.default.accept_source_route = 0 ## protects from attackers that are using ip spoofing methods to do harm net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.default.rp_filter = 1 -net.ipv6.conf.default.rp_filter = 1 -net.ipv6.conf.all.rp_filter = 1 +#net.ipv6.conf.default.rp_filter = 1 +#net.ipv6.conf.all.rp_filter = 1 # Make sure no one can alter the routing tables net.ipv4.conf.all.accept_redirects = 0 @@ -70,18 +470,6 @@ net.ipv4.ip_forward = 1 net.ipv4.conf.all.send_redirects = 1 net.ipv4.conf.default.send_redirects = 1 -kernel.shmmax = 500000000 -# Turn on execshild -kernel.exec-shield = 1 -kernel.randomize_va_space = 1 - -# Optimization for port usefor LBs -# Increase system file descriptor limit -fs.file-max = 65535 - -# Allow for more PIDs (to reduce rollover problems); may break some programs 32768 -kernel.pid_max = 65536 - # Increase system IP port limits net.ipv4.ip_local_port_range = 2000 65000 @@ -89,25 +477,99 @@ net.ipv4.ip_local_port_range = 2000 65000 net.ipv4.tcp_rmem = 4096 87380 8388608 net.ipv4.tcp_wmem = 4096 87380 8388608 -# Increase Linux auto tuning TCP buffer limits -# min, default, and max number of bytes to use -# set max to at least 4MB, or higher if you use very high BDP paths -# Tcp Windows etc -net.core.rmem_max = 8388608 -net.core.wmem_max = 8388608 -net.core.netdev_max_backlog = 5000 -net.ipv4.tcp_window_scaling = 1 -# Grsecurity stuff +# If you say Y here, neither TCP resets nor ICMP +# destination-unreachable packets will be sent in response to packets +# sent to ports for which no associated listening process exists. +# This feature supports both IPV4 and IPV6 and exempts the +# loopback interface from blackholing. Enabling this feature +# makes a host more resilient to DoS attacks and reduces network +# visibility against scanners. +# +# The blackhole feature as-implemented is equivalent to the FreeBSD +# blackhole feature, as it prevents RST responses to all packets, not +# just SYNs. Under most application behavior this causes no +# problems, but applications (like haproxy) may not close certain +# connections in a way that cleanly terminates them on the remote +# end, leaving the remote host in LAST_ACK state. Because of this +# side-effect and to prevent intentional LAST_ACK DoSes, this +# feature also adds automatic mitigation against such attacks. +# The mitigation drastically reduces the amount of time a socket +# can spend in LAST_ACK state. If you're using haproxy and not +# all servers it connects to have this option enabled, consider +# disabling this feature on the haproxy host. +# +# If the sysctl option is enabled, two sysctl options with names +# "ip_blackhole" and "lastack_retries" will be created. +# While "ip_blackhole" takes the standard zero/non-zero on/off +# toggle, "lastack_retries" uses the same kinds of values as +# "tcp_retries1" and "tcp_retries2". The default value of 4 +# prevents a socket from lasting more than 45 seconds in LAST_ACK +# state. +#kernel.grsecurity.ip_blackhole = 1 +#kernel.grsecurity.lastack_retries = 4 + +# If you say Y here, you will be able to choose a GID of whose users will +# be unable to connect to other hosts from your machine or run server +# applications from your machine. If the sysctl option is enabled, a +# sysctl option with name "socket_all" is created. +#kernel.grsecurity.socket_all = 1 + +# Here you can choose the GID to disable socket access for. Remember to +# add the users you want socket access disabled for to the GID +# specified here. If the sysctl option is enabled, a sysctl option +# with name "socket_all_gid" is created. +#kernel.grsecurity.socket_all_gid = 202 + +# If you say Y here, you will be able to choose a GID of whose users will +# be unable to connect to other hosts from your machine, but will be +# able to run servers. If this option is enabled, all users in the group +# you specify will have to use passive mode when initiating ftp transfers +# from the shell on your machine. If the sysctl option is enabled, a +# sysctl option with name "socket_client" is created. +#kernel.grsecurity.socket_client = 1 + +# Here you can choose the GID to disable client socket access for. +# Remember to add the users you want client socket access disabled for to +# the GID specified here. If the sysctl option is enabled, a sysctl +# option with name "socket_client_gid" is created. +#kernel.grsecurity.socket_client_gid = 203 + +# If you say Y here, you will be able to choose a GID of whose users will +# be unable to connect to other hosts from your machine, but will be +# able to run servers. If this option is enabled, all users in the group +# you specify will have to use passive mode when initiating ftp transfers +# from the shell on your machine. If the sysctl option is enabled, a +# sysctl option with name "socket_client" is created. +#kernel.grsecurity.socket_server = 1 + +# Here you can choose the GID to disable server socket access for. +# Remember to add the users you want server socket access disabled for to +# the GID specified here. If the sysctl option is enabled, a sysctl +# option with name "socket_server_gid" is created. +#kernel.grsecurity.socket_server_gid = 204 + +# +# Physical Protections +# + +# If you say Y here, a new sysctl option with name "deny_new_usb" +# will be created. Setting its value to 1 will prevent any new +# USB devices from being recognized by the OS. Any attempted USB +# device insertion will be logged. This option is intended to be +# used against custom USB devices designed to exploit vulnerabilities +# in various USB device drivers. +# +# For greatest effectiveness, this sysctl should be set after any +# relevant init scripts. This option is safe to enable in distros +# as each user can choose whether or not to toggle the sysctl. +#kernel.grsecurity.deny_new_usb = 0 + +# +# Restrict grsec sysctl changes after this was set +# +#kernel.grsecurity.grsec_lock = 1 -# cant chroot to outside chroot used to break chroot -kernel.grsecurity.chroot_deny_chroot = 1 -# function related to filesystems used to exploit -kernel.grsecurity.chroot_deny_pivot = 1 -# enforce current directory to chroot -kernel.grsecurity.chroot_enforce_chdir = 1 -# cant chmod inside chroot used to break chroot -kernel.grsecurity.chroot_deny_chmod = 0 # End of file diff --git a/core/configure.html b/core/configure.html index ffcb0f7..1ca655f 100644 --- a/core/configure.html +++ b/core/configure.html @@ -215,7 +215,7 @@ target partition, blkid list all while vol_id --uuid /dev/sdb1 returns only uuid. Add all block ids to the end of file - /etc/fstab + /etc/fstab; 

@@ -223,27 +223,40 @@

Read Securing mount points, - and edit /etc/fstab according to your disk layout.

+ and edit /etc/fstab according to your disk layout. Blocks with uuid will later be created at lvm

         #
         # /etc/fstab: static file system information
         #
         # <file system>        <dir>     <type>    <options>                        <dump> <pass>
-        /dev/sda4 on / type ext4 (rw,relatime,data=ordered)
-        /dev/sda3 on /boot type ext4 (rw,relatime,data=ordered)
-        /dev/sda2 on /boot/efi type vfat (rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro)
-        /dev/sda5 on /var type ext4 (rw,relatime,data=ordered)
-        /dev/sda6 on /usr type ext4 (rw,relatime,data=ordered)
-        /dev/sda8 on /home type ext4 (rw,relatime,data=ordered)
-
-        devtmpfs on /dev type devtmpfs (rw,nosuid,noatime,size=8192k,nr_inodes=16384,mode=755)
-        devpts on /dev/pts type devpts (rw,relatime,mode=600)
-        shm on /dev/shm type tmpfs (rw,relatime)
-        proc on /proc type proc (rw,relatime)
-        sysfs on /sys type sysfs (rw,relatime)
-
-        pkgmk                                           /usr/ports/work tmpfs size=30G,gid=102,uid=101,defaults 0    0
+
+        #/dev/#EXT4FS_ROOT#    /         ext4      defaults                         0      1
+        #/dev/#BTRFS_ROOT#     /         btrfs     defaults                         0      0
+        #/dev/#XFS_ROOT#       /         xfs       defaults                         0      0
+        #/dev/#SWAP#           swap      swap      defaults                         0      0
+        #/dev/#EXT4FS_HOME#    /home     ext4      defaults                         0      2
+        #/dev/#BTRFS_HOME#     /home     btrfs     defaults                         0      0
+        #/dev/#XFS_HOME#       /home     xfs       defaults                         0      0
+        #/dev/cdrom            /cdrom    iso9660   ro,user,noauto,unhide            0      0
+        #/dev/dvd              /dvd      udf       ro,user,noauto,unhide            0      0
+        #/dev/floppy/0         /floppy   vfat      user,noauto,unhide               0      0
+        #tmp                   /tmp      tmpfs     defaults                         0      0
+        #shm                   /dev/shm  tmpfs     defaults                         0      0
+        #usb                   /proc/bus/usb usbfs defaults                         0      0
+
+        /dev/sda3               / 		ext4	defaults,noatime,ro				0	1
+        devpts                  /dev/pts	devpts	noexec,nosuid,gid=tty,mode=0620			0	0
+        /dev/sda2               /boot	ext4	defaults,ro,noatime     		  		0	0
+        /dev/sda1               /boot/efi	vfat	ro,noauto,umask=0077      			0	0
+        /dev/sda4               /var		ext4	defaults,nodev,noexec,nosuid,errors=remount-ro  0	0
+        /dev/sda5               /usr		ext4	defaults,ro,nodev,errors=remount-ro		0	0
+
+        UUID=66c083d6-b8f2-4a98-ae55-9412f98cc089  /usr/ports	ext4	        defaults,ro,nodev,errors=remount-ro     0	0
+        pkgmk                                      /usr/ports/work tmpfs        size=30G,gid=101,uid=100,defaults       0       0
+        UUID=36e9e1d5-8356-451e-a301-81098b9a15ea  /srv		ext4	        defaults,nodev,errors=remount-ro	0	0
+        UUID=cd15196a-69f1-4fb4-9730-a384c62add91  /home        ext4            defaults,nodev,nosuid,errors=remount-ro	0	0
+
         # End of file
diff --git a/core/dash.html b/core/dash.html index 18045e5..ed6dbab 100644 --- a/core/dash.html +++ b/core/dash.html @@ -20,7 +20,7 @@ Core OS Index

This is part of the c9 Manual. - Copyright (C) 2016 + Copyright (C) 2017 c9 team. See the file Gnu Free Documentation License for copying conditions.

diff --git a/core/exim.html b/core/exim.html index c4b3c95..c1fd494 100644 --- a/core/exim.html +++ b/core/exim.html @@ -216,7 +216,7 @@ Core OS Index

This is part of the c9 Manual. - Copyright (C) 2016 + Copyright (C) 2017 c9 team. See the file Gnu Free Documentation License for copying conditions.

diff --git a/core/index.html b/core/index.html index bc8dad5..abff93d 100644 --- a/core/index.html +++ b/core/index.html @@ -59,8 +59,7 @@
  • 1.4. Prepare for reboot @@ -70,32 +69,33 @@

    2. System Administration