Linux-Setup-Scripts/etc/sysctl.d/99-workstation.conf


# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
dev.tty.ldisc_autoload = 0

# https://access.redhat.com/solutions/1985633
# Seems dangerous.
# Roseta need this though, so if you use it change it to 1.
fs.binfmt_misc.status = 0

# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace
# Enable fs.protected sysctls.
fs.protected_regular = 2
fs.protected_fifos = 2
fs.protected_symlinks = 1
fs.protected_hardlinks = 1

# https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps
# Disable coredumps.
# For additional safety, disable coredumps using ulimit and systemd too.
kernel.core_pattern=|/bin/false
fs.suid_dumpable = 0

# Restrict dmesg to CAP_SYS_LOG.
# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
kernel.dmesg_restrict = 1

# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
# https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
# Restrict access to /proc.
kernel.kptr_restrict = 2

# Not needed, I don't do livepatching and reboot regularly.
# On a workstation, this shouldn't be used at all. Don't live patch, just reboot.
kernel.kexec_load_disabled = 1

# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
# Basically, restrict eBPF to CAP_BPF.
kernel.unprivileged_bpf_disabled = 1
net.core.bpf_jit_harden = 2

# Needed for Flatpak and Bubblewrap.
kernel.unprivileged_userns_clone = 1

# Disable ptrace. Not needed on workstations.
kernel.yama.ptrace_scope = 3

# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
# Restrict performance events from unprivileged users as much as possible.
# We are using 4 here, since Ubuntu supports such a level.
# Official Linux kernel documentation only says >= so it probably will work.
kernel.perf_event_paranoid = 4

# https://github.com/containerd/containerd/issues/9048
# Disable io_uring, a very sus feature.
kernel_io_uring_disable = 2

# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
# Disable sysrq.
kernel.sysrq = 0

# https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2020-09-03/finding/V-217911
# Not running a router here, so no redirects.
net.ipv4.conf.*.send_redirects = 0
net.ipv4.conf.*.accept_redirects = 0
net.ipv6.conf.*.accept_redirects = 0

# Check if the source of the IP address is reachable through the same interface it came in
# Basic IP spoofing mitigation.
net.ipv4.conf.*.rp_filter = 1

# Do not respond to ICMP.
net.ipv4.icmp_echo_ignore_all = 1
net.ipv6.icmp.echo_ignore_all = 1

# Ignore Bogus ICMP responses.
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Enable IP Forwarding.
# Needed for VM networking and whatnot.
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1

# https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2016-06-05/finding/V-38537
# Ignore bogus icmp response.
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Protection against time-wait assasination attacks.
net.ipv4.tcp_rfc1337 = 1

# Enable SYN cookies.
# Basic SYN flood mitigation.
net.ipv4.tcp_syncookies = 1 

# https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
# Make sure TCP timestamp is enabled.
net.ipv4.tcp_timestamps = 1

# https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
# Disable TCP SACK.
# We have good networking :)
net.ipv4.tcp_sack = 0

# No SACK, therefore no Duplicated SACK.
net.ipv4.tcp_dsack = 0

# Improve ALSR effectiveness for mmap.
vm.mmap_rnd_bits = 32
vm.mmap_rnd_compat_bits = 16

# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
# Restrict userfaultfd to CAP_SYS_PTRACE.
# https://bugs.archlinux.org/task/62780
# Interestingly enough, Arch does not even have userfaultfd in their kernel, so it is
# probably not used in the real world at all.
vm.unprivileged_userfaultfd = 0
Use custom sysctl Signed-off-by: Tommy <contact@tommytran.io> 2024-06-04 06:36:34 -04:00
			`# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl`
			`dev.tty.ldisc_autoload = 0`

			`# https://access.redhat.com/solutions/1985633`
Update workstation sysctl 2024-06-06 00:06:33 -04:00			`# Seems dangerous.`
Consistency fix for comments Signed-off-by: Tommy <contact@tommytran.io> 2024-06-07 01:44:25 -04:00			`# Roseta need this though, so if you use it change it to 1.`
Use custom sysctl Signed-off-by: Tommy <contact@tommytran.io> 2024-06-04 06:36:34 -04:00			`fs.binfmt_misc.status = 0`

			`# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace`
Consistency fix for comments Signed-off-by: Tommy <contact@tommytran.io> 2024-06-07 01:44:25 -04:00			`# Enable fs.protected sysctls.`
Use custom sysctl Signed-off-by: Tommy <contact@tommytran.io> 2024-06-04 06:36:34 -04:00			`fs.protected_regular = 2`
			`fs.protected_fifos = 2`
			`fs.protected_symlinks = 1`
			`fs.protected_hardlinks = 1`

			`# https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps`
Update workstation sysctl 2024-06-06 00:06:33 -04:00			`# Disable coredumps.`
Use custom sysctl Signed-off-by: Tommy <contact@tommytran.io> 2024-06-04 06:36:34 -04:00			`# For additional safety, disable coredumps using ulimit and systemd too.`
			`kernel.core_pattern=\|/bin/false`
			`fs.suid_dumpable = 0`

Consistency fix for comments Signed-off-by: Tommy <contact@tommytran.io> 2024-06-07 01:44:25 -04:00			`# Restrict dmesg to CAP_SYS_LOG.`
Use custom sysctl Signed-off-by: Tommy <contact@tommytran.io> 2024-06-04 06:36:34 -04:00			`# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt`
			`kernel.dmesg_restrict = 1`

			`# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt`
			`# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel`
			`# https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak`
Consistency fix for comments Signed-off-by: Tommy <contact@tommytran.io> 2024-06-07 01:44:25 -04:00			`# Restrict access to /proc.`
Use custom sysctl Signed-off-by: Tommy <contact@tommytran.io> 2024-06-04 06:36:34 -04:00			`kernel.kptr_restrict = 2`

			`# Not needed, I don't do livepatching and reboot regularly.`
			`# On a workstation, this shouldn't be used at all. Don't live patch, just reboot.`
			`kernel.kexec_load_disabled = 1`

			`# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl`
			`# Basically, restrict eBPF to CAP_BPF.`
			`kernel.unprivileged_bpf_disabled = 1`
			`net.core.bpf_jit_harden = 2`

Consistency fix for comments Signed-off-by: Tommy <contact@tommytran.io> 2024-06-07 01:44:25 -04:00			`# Needed for Flatpak and Bubblewrap.`
Use custom sysctl Signed-off-by: Tommy <contact@tommytran.io> 2024-06-04 06:36:34 -04:00			`kernel.unprivileged_userns_clone = 1`

			`# Disable ptrace. Not needed on workstations.`
			`kernel.yama.ptrace_scope = 3`

			`# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl`
			`# Restrict performance events from unprivileged users as much as possible.`
			`# We are using 4 here, since Ubuntu supports such a level.`
			`# Official Linux kernel documentation only says >= so it probably will work.`
			`kernel.perf_event_paranoid = 4`

			`# https://github.com/containerd/containerd/issues/9048`
			`# Disable io_uring, a very sus feature.`
			`kernel_io_uring_disable = 2`

Disable sysrq Signed-off-by: Tommy <contact@tommytran.io> 2024-06-04 06:50:00 -04:00			`# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel`
Consistency fix for comments Signed-off-by: Tommy <contact@tommytran.io> 2024-06-07 01:44:25 -04:00			`# Disable sysrq.`
Disable sysrq Signed-off-by: Tommy <contact@tommytran.io> 2024-06-04 06:50:00 -04:00			`kernel.sysrq = 0`

Use custom sysctl Signed-off-by: Tommy <contact@tommytran.io> 2024-06-04 06:36:34 -04:00			`# https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2020-09-03/finding/V-217911`
Consistency fix for comments Signed-off-by: Tommy <contact@tommytran.io> 2024-06-07 01:44:25 -04:00			`# Not running a router here, so no redirects.`
Use custom sysctl Signed-off-by: Tommy <contact@tommytran.io> 2024-06-04 06:36:34 -04:00			`net.ipv4.conf.*.send_redirects = 0`
			`net.ipv4.conf.*.accept_redirects = 0`
			`net.ipv6.conf.*.accept_redirects = 0`

			`# Check if the source of the IP address is reachable through the same interface it came in`
Consistency fix for comments Signed-off-by: Tommy <contact@tommytran.io> 2024-06-07 01:44:25 -04:00			`# Basic IP spoofing mitigation.`
Disable sysrq Signed-off-by: Tommy <contact@tommytran.io> 2024-06-04 06:50:00 -04:00			`net.ipv4.conf.*.rp_filter = 1`
Use custom sysctl Signed-off-by: Tommy <contact@tommytran.io> 2024-06-04 06:36:34 -04:00
Consistency fix for comments Signed-off-by: Tommy <contact@tommytran.io> 2024-06-07 01:44:25 -04:00			`# Do not respond to ICMP.`
Disable sysrq Signed-off-by: Tommy <contact@tommytran.io> 2024-06-04 06:50:00 -04:00			`net.ipv4.icmp_echo_ignore_all = 1`
			`net.ipv6.icmp.echo_ignore_all = 1`
Use custom sysctl Signed-off-by: Tommy <contact@tommytran.io> 2024-06-04 06:36:34 -04:00
Consistency fix for comments Signed-off-by: Tommy <contact@tommytran.io> 2024-06-07 01:44:25 -04:00			`# Ignore Bogus ICMP responses.`
Ignore Bogus ICMP responses 2024-06-06 17:03:28 -04:00			`net.ipv4.icmp_ignore_bogus_error_responses = 1`

Consistency fix for comments Signed-off-by: Tommy <contact@tommytran.io> 2024-06-07 01:44:25 -04:00			`# Enable IP Forwarding.`
Use custom sysctl Signed-off-by: Tommy <contact@tommytran.io> 2024-06-04 06:36:34 -04:00			`# Needed for VM networking and whatnot.`
			`net.ipv4.ip_forward = 1`
			`net.ipv6.conf.all.forwarding = 1`

			`# https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2016-06-05/finding/V-38537`
Consistency fix for comments Signed-off-by: Tommy <contact@tommytran.io> 2024-06-07 01:44:25 -04:00			`# Ignore bogus icmp response.`
Use custom sysctl Signed-off-by: Tommy <contact@tommytran.io> 2024-06-04 06:36:34 -04:00			`net.ipv4.icmp_ignore_bogus_error_responses = 1`

Consistency fix for comments Signed-off-by: Tommy <contact@tommytran.io> 2024-06-07 01:44:25 -04:00			`# Protection against time-wait assasination attacks.`
Use custom sysctl Signed-off-by: Tommy <contact@tommytran.io> 2024-06-04 06:36:34 -04:00			`net.ipv4.tcp_rfc1337 = 1`

Consistency fix for comments Signed-off-by: Tommy <contact@tommytran.io> 2024-06-07 01:44:25 -04:00			`# Enable SYN cookies.`
			`# Basic SYN flood mitigation.`
Use custom sysctl Signed-off-by: Tommy <contact@tommytran.io> 2024-06-04 06:36:34 -04:00			`net.ipv4.tcp_syncookies = 1`

			`# https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf`
Consistency fix for comments Signed-off-by: Tommy <contact@tommytran.io> 2024-06-07 01:44:25 -04:00			`# Make sure TCP timestamp is enabled.`
Use custom sysctl Signed-off-by: Tommy <contact@tommytran.io> 2024-06-04 06:36:34 -04:00			`net.ipv4.tcp_timestamps = 1`

			`# https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf`
Consistency fix for comments Signed-off-by: Tommy <contact@tommytran.io> 2024-06-07 01:44:25 -04:00			`# Disable TCP SACK.`
Use custom sysctl Signed-off-by: Tommy <contact@tommytran.io> 2024-06-04 06:36:34 -04:00			`# We have good networking :)`
			`net.ipv4.tcp_sack = 0`

Consistency fix for comments Signed-off-by: Tommy <contact@tommytran.io> 2024-06-07 01:44:25 -04:00			`# No SACK, therefore no Duplicated SACK.`
Use custom sysctl Signed-off-by: Tommy <contact@tommytran.io> 2024-06-04 06:36:34 -04:00			`net.ipv4.tcp_dsack = 0`

Consistency fix for comments Signed-off-by: Tommy <contact@tommytran.io> 2024-06-07 01:44:25 -04:00			`# Improve ALSR effectiveness for mmap.`
Use custom sysctl Signed-off-by: Tommy <contact@tommytran.io> 2024-06-04 06:36:34 -04:00			`vm.mmap_rnd_bits = 32`
			`vm.mmap_rnd_compat_bits = 16`

			`# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel`
Consistency fix for comments Signed-off-by: Tommy <contact@tommytran.io> 2024-06-07 01:44:25 -04:00			`# Restrict userfaultfd to CAP_SYS_PTRACE.`
Use custom sysctl Signed-off-by: Tommy <contact@tommytran.io> 2024-06-04 06:36:34 -04:00			`# https://bugs.archlinux.org/task/62780`
			`# Interestingly enough, Arch does not even have userfaultfd in their kernel, so it is`
			`# probably not used in the real world at all.`
			`vm.unprivileged_userfaultfd = 0`