diff --git a/etc/sysctl.d/99-server.conf b/etc/sysctl.d/99-server.conf index 73de4ae..db3c51a 100644 --- a/etc/sysctl.d/99-server.conf +++ b/etc/sysctl.d/99-server.conf @@ -3,30 +3,30 @@ dev.tty.ldisc_autoload = 0 # https://access.redhat.com/solutions/1985633 -# Seems dangerous +# Seems dangerous. fs.binfmt_misc.status = 0 # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace -# Enable fs.protected sysctls +# Enable fs.protected sysctls. fs.protected_regular = 2 fs.protected_fifos = 2 fs.protected_symlinks = 1 fs.protected_hardlinks = 1 # https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps -# Disable coredumps +# Disable coredumps. # For additional safety, disable coredumps using ulimit and systemd too. kernel.core_pattern=|/bin/false fs.suid_dumpable = 0 -# Restrict dmesg to CAP_SYS_LOG +# Restrict dmesg to CAP_SYS_LOG. # https://www.kernel.org/doc/Documentation/sysctl/kernel.txt kernel.dmesg_restrict = 1 # https://www.kernel.org/doc/Documentation/sysctl/kernel.txt # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel # https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak -# Restrict access to /proc +# Restrict access to /proc. kernel.kptr_restrict = 2 # Not needed, I don't do livepatching and reboot regularly. @@ -38,10 +38,10 @@ kernel.kexec_load_disabled = 1 kernel.unprivileged_bpf_disabled = 1 net.core.bpf_jit_harden = 2 -# Docker running as root do not require unpriv user ns, which is dangerous, so we disabe it +# Docker running as root do not require unpriv user ns, which is dangerous, so we disabe it. kernel.unprivileged_userns_clone = 0 -# Needed for gVisor, which is used on almost all of my servers +# Needed for gVisor, which is used on almost all of my servers. kernel.yama.ptrace_scope = 1 # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl 
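Review bot: The reworded comment `# Restrict access to /proc.` above `kernel.kptr_restrict = 2` misdescribes the knob: kptr_restrict only controls whether kernel addresses printed through %pK (for example in /proc/kallsyms and dmesg) are shown, it does not restrict /proc in general, and the value 2 hides them even from root. Suggested wording: `# Hide kernel pointers (%pK output, e.g. /proc/kallsyms) from all users, including root.` Separately, `kernel.core_pattern=|/bin/false` in the same hunk is the only line written without spaces around `=`; since the rest of the file uses `key = value`, `kernel.core_pattern = |/bin/false` would match.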
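Review bot: `kernel.unprivileged_userns_clone = 0`, the line under the reworded Docker comment, is a knob carried by the Debian/Ubuntu (and linux-hardened) kernel patches rather than a mainline sysctl; on a kernel without that patch the key does not exist, sysctl reports it as unknown, and unprivileged user namespaces stay enabled, which silently defeats the stated intent. If these servers may run a non-Debian kernel, `user.max_user_namespaces = 0` is the mainline way to get the same effect, but it also blocks namespace creation by root, so confirm it does not conflict with the gVisor use mentioned a few lines below before switching. The reworded comment also keeps the typo `disabe`; suggested wording: `# Docker running as root does not require unprivileged user namespaces, which are dangerous, so we disable them.`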
@@ -57,60 +57,60 @@ kernel.perf_event_paranoid = 4 kernel_io_uring_disable = 2 # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel -# Disable sysrq +# Disable sysrq. kernel.sysrq = 0 # https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2020-09-03/finding/V-217911 -# Not running a router here, so no redirects +# Not running a router here, so no redirects. net.ipv4.conf.*.send_redirects = 0 net.ipv4.conf.*.accept_redirects = 0 net.ipv6.conf.*.accept_redirects = 0 -# Check if the source of the IP address is reachable through the same interface it came in -# Basic IP spoofing mitigation +# Check if the source of the IP address is reachable through the same interface it came in. +# Basic IP spoofing mitigation. net.ipv4.conf.*.rp_filter = 1 # Respond to ICMP net.ipv4.icmp_echo_ignore_all = 0 net.ipv6.icmp.echo_ignore_all = 0 -# Ignore Bogus ICMP responses +# Ignore Bogus ICMP responses. net.ipv4.icmp_ignore_bogus_error_responses = 1 -# Enable IP Forwarding +# Enable IP Forwarding. # Almost all of my servers run Docker anyways, and Docker absolutely requires this. net.ipv4.ip_forward = 1 net.ipv6.conf.all.forwarding = 1 # https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2016-06-05/finding/V-38537 -# Ignore bogus icmp response +# Ignore bogus icmp response. net.ipv4.icmp_ignore_bogus_error_responses = 1 -# Protection against time-wait assasination attacks +# Protection against time-wait assasination attacks. net.ipv4.tcp_rfc1337 = 1 -# Enable SYN cookies -# Basic SYN flood mitigation +# Enable SYN cookies. +# Basic SYN flood mitigation. net.ipv4.tcp_syncookies = 1 # https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf -# Make sure TCP timestamp is enabled +# Make sure TCP timestamp is enabled. net.ipv4.tcp_timestamps = 1 # https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf -# Disable TCP SACK +# Disable TCP SACK. 
# We have good networking :) net.ipv4.tcp_sack = 0 -# No SACK, therefore no Duplicated SACK +# No SACK, therefore no Duplicated SACK. net.ipv4.tcp_dsack = 0 -# Improve ALSR effectiveness for mmap +# Improve ALSR effectiveness for mmap. vm.mmap_rnd_bits = 32 vm.mmap_rnd_compat_bits = 16 # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel -# Restrict userfaultfd to CAP_SYS_PTRACE +# Restrict userfaultfd to CAP_SYS_PTRACE. # https://bugs.archlinux.org/task/62780 # Interestingly enough, Arch does not even have userfaultfd in their kernel, so it is # probably not used in the real world at all. diff --git a/etc/sysctl.d/99-workstation.conf b/etc/sysctl.d/99-workstation.conf index 2dcc795..cbf4530 100644 --- a/etc/sysctl.d/99-workstation.conf +++ b/etc/sysctl.d/99-workstation.conf @@ -4,11 +4,11 @@ dev.tty.ldisc_autoload = 0 # https://access.redhat.com/solutions/1985633 # Seems dangerous. -# Roseta need this though, so if you use it change it to 1 +# Roseta need this though, so if you use it change it to 1. fs.binfmt_misc.status = 0 # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace -# Enable fs.protected sysctls +# Enable fs.protected sysctls. fs.protected_regular = 2 fs.protected_fifos = 2 fs.protected_symlinks = 1 @@ -20,14 +20,14 @@ fs.protected_hardlinks = 1 kernel.core_pattern=|/bin/false fs.suid_dumpable = 0 -# Restrict dmesg to CAP_SYS_LOG +# Restrict dmesg to CAP_SYS_LOG. # https://www.kernel.org/doc/Documentation/sysctl/kernel.txt kernel.dmesg_restrict = 1 # https://www.kernel.org/doc/Documentation/sysctl/kernel.txt # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel # https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak -# Restrict access to /proc +# Restrict access to /proc. kernel.kptr_restrict = 2 # Not needed, I don't do livepatching and reboot regularly. 
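Review bot: `kernel_io_uring_disable = 2`, the first context line of this hunk, is not a valid sysctl key, so the io_uring restriction never takes effect: sysctl reports the key as unknown and io_uring remains available to unprivileged processes. The mainline knob, present since Linux 6.6, is `kernel.io_uring_disabled = 2`; on an older kernel there is no sysctl for this and the line should be removed rather than left as a misleading no-op. systemd-sysctl should log the failure and continue with the remaining keys, but that error is easy to miss on a server, so it is worth checking `sysctl kernel.io_uring_disabled` after applying. This hunk also sets `net.ipv4.icmp_ignore_bogus_error_responses = 1` twice (once under the madaidans reference, once under the STIG reference); harmless, but collapsing it to one line avoids a parser-dependent duplicate.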
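Review bot: The reworded comment `# Restrict access to /proc.` above `kernel.kptr_restrict = 2` in the workstation file has the same inaccuracy as in the server file: kptr_restrict only hides kernel addresses printed through %pK (for example /proc/kallsyms and dmesg), and 2 hides them from root as well; it does not restrict /proc. Suggested wording: `# Hide kernel pointers (%pK output, e.g. /proc/kallsyms) from all users, including root.` The earlier hunk's reworded line `# Roseta need this though...` also still misspells Rosetta; suggested: `# Rosetta needs this though, so if you use it change it to 1.`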
@@ -39,7 +39,7 @@ kernel.kexec_load_disabled = 1 kernel.unprivileged_bpf_disabled = 1 net.core.bpf_jit_harden = 2 -# Needed for Flatpak and Bubblewrap +# Needed for Flatpak and Bubblewrap. kernel.unprivileged_userns_clone = 1 # Disable ptrace. Not needed on workstations. 
@@ -56,60 +56,60 @@ kernel.perf_event_paranoid = 4 kernel_io_uring_disable = 2 # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel -# Disable sysrq +# Disable sysrq. kernel.sysrq = 0 # https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2020-09-03/finding/V-217911 -# Not running a router here, so no redirects +# Not running a router here, so no redirects. net.ipv4.conf.*.send_redirects = 0 net.ipv4.conf.*.accept_redirects = 0 net.ipv6.conf.*.accept_redirects = 0 # Check if the source of the IP address is reachable through the same interface it came in -# Basic IP spoofing mitigation +# Basic IP spoofing mitigation. net.ipv4.conf.*.rp_filter = 1 -# Do not respond to ICMP +# Do not respond to ICMP. net.ipv4.icmp_echo_ignore_all = 1 net.ipv6.icmp.echo_ignore_all = 1 -# Ignore Bogus ICMP responses +# Ignore Bogus ICMP responses. net.ipv4.icmp_ignore_bogus_error_responses = 1 -# Enable IP Forwarding +# Enable IP Forwarding. # Needed for VM networking and whatnot. net.ipv4.ip_forward = 1 net.ipv6.conf.all.forwarding = 1 # https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2016-06-05/finding/V-38537 -# Ignore bogus icmp response +# Ignore bogus icmp response. net.ipv4.icmp_ignore_bogus_error_responses = 1 -# Protection against time-wait assasination attacks +# Protection against time-wait assasination attacks. net.ipv4.tcp_rfc1337 = 1 -# Enable SYN cookies -# Basic SYN flood mitigation +# Enable SYN cookies. +# Basic SYN flood mitigation. net.ipv4.tcp_syncookies = 1 # https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf -# Make sure TCP timestamp is enabled +# Make sure TCP timestamp is enabled. net.ipv4.tcp_timestamps = 1 # https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf -# Disable TCP SACK +# Disable TCP SACK. 
# We have good networking :) net.ipv4.tcp_sack = 0 -# No SACK, therefore no Duplicated SACK +# No SACK, therefore no Duplicated SACK. net.ipv4.tcp_dsack = 0 -# Improve ALSR effectiveness for mmap +# Improve ALSR effectiveness for mmap. vm.mmap_rnd_bits = 32 vm.mmap_rnd_compat_bits = 16 # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel -# Restrict userfaultfd to CAP_SYS_PTRACE +# Restrict userfaultfd to CAP_SYS_PTRACE. # https://bugs.archlinux.org/task/62780 # Interestingly enough, Arch does not even have userfaultfd in their kernel, so it is # probably not used in the real world at all.
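Review bot: `kernel_io_uring_disable = 2` at the top of this hunk has the same problem as in the server file: it is not a valid sysctl key, so sysctl rejects it and io_uring stays enabled for unprivileged users on this workstation. On Linux 6.6 or later the correct line is `kernel.io_uring_disabled = 2`; on an older kernel the setting does not exist and the line should be dropped. `net.ipv4.icmp_ignore_bogus_error_responses = 1` is again present twice in the hunk and can be collapsed to one occurrence.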