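# Workstation kernel hardening sysctls.
# Read by sysctl(8) / systemd-sysctl (see sysctl.d(5)): one "key = value" per line,
# "#" full-line comments only, no sections.
# Glob patterns in key names (net.ipv4.conf.*.…) need a sysctl implementation
# that supports them; older procps versions may reject those lines.
# Some keys are "sticky" (cannot be lowered again until reboot) or exist only on
# newer or distribution-patched kernels; those cases are noted next to the key.
# A key the running kernel does not have is reported as unknown and skipped,
# the remaining keys are still applied.

# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
dev.tty.ldisc_autoload = 0

# https://access.redhat.com/solutions/1985633
# Seems dangerous.
# Rosetta needs this though, so if you use it change it to 1.
fs.binfmt_misc.status = 0

# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace
# Enable fs.protected sysctls.
fs.protected_regular = 2
fs.protected_fifos = 2
fs.protected_symlinks = 1
fs.protected_hardlinks = 1

# https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps
# Disable coredumps.
# For additional safety, disable coredumps using ulimit and systemd too.
# core_pattern pipes every core file into /bin/false, which discards it.
kernel.core_pattern = |/bin/false
fs.suid_dumpable = 0

# Restrict dmesg to CAP_SYS_LOG.
# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
kernel.dmesg_restrict = 1

# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
# https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
# Hide kernel pointers (e.g. in /proc/kallsyms) from all users, including root.
kernel.kptr_restrict = 2

# Not needed, I don't do livepatching and reboot regularly.
# On a workstation, this shouldn't be used at all. Don't live patch, just reboot.
# Note: kexec is also what kdump crash kernels and kexec-based reboots use, and
# once set to 1 this cannot be cleared again until the next reboot.
kernel.kexec_load_disabled = 1

# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
# Basically, restrict eBPF to CAP_BPF.
# 1 is permanent until reboot; 2 would allow re-enabling at runtime.
kernel.unprivileged_bpf_disabled = 1
net.core.bpf_jit_harden = 2

# Needed for Flatpak and Bubblewrap.
# This key only exists on Debian/Ubuntu-patched kernels; on other kernels sysctl
# reports it as unknown (harmless, but noisy).
kernel.unprivileged_userns_clone = 1

# Disable ptrace. Not needed on workstations.
# 3 means no process may ptrace-attach at all (debuggers and strace stop
# working), and once set it cannot be lowered until reboot. Requires the Yama LSM.
kernel.yama.ptrace_scope = 3

# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
# Restrict performance events from unprivileged users as much as possible.
# We are using 4 here, since Ubuntu supports such a level.
# Official Linux kernel documentation only says >= so it probably will work.
kernel.perf_event_paranoid = 4

# Disable io_uring.
# https://docs.kernel.org/admin-guide/sysctl/kernel.html#io-uring-disabled
# https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html
# Note that this will make using Proxmox extremely annoying though, so you might wanna comment this out
# on a Proxmox node.
# The key was added in Linux 6.6; older kernels report it as unknown.
kernel.io_uring_disabled = 2

# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
# Disable sysrq.
kernel.sysrq = 0

# https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2020-09-03/finding/V-217911
# Not running a router here, so no redirects.
# The glob covers the "all" and "default" entries as well as every existing interface.
net.ipv4.conf.*.send_redirects = 0
net.ipv4.conf.*.accept_redirects = 0
net.ipv6.conf.*.accept_redirects = 0

# Check if the source IP address is reachable through the same interface it came in on.
# Basic IP spoofing mitigation.
net.ipv4.conf.*.rp_filter = 1

# Do not respond to ICMP echo requests (ping). Other ICMP types are unaffected.
net.ipv4.icmp_echo_ignore_all = 1
net.ipv6.icmp.echo_ignore_all = 1

# https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2016-06-05/finding/V-38537
# Ignore bogus ICMP error responses.
# (Previously listed twice in this file; sysctl applies the last one, so only one copy is kept.)
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Enable IP Forwarding.
# Needed for VM networking and whatnot.
# Note: with IPv6 forwarding enabled the host stops accepting router
# advertisements unless accept_ra is raised to 2, so a SLAAC-configured uplink
# can lose its address. Raise accept_ra for that interface if you rely on SLAAC.
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1

# Protection against time-wait assassination attacks.
net.ipv4.tcp_rfc1337 = 1

# Enable SYN cookies.
# Basic SYN flood mitigation.
net.ipv4.tcp_syncookies = 1

# https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
# Make sure TCP timestamp is enabled.
net.ipv4.tcp_timestamps = 1

# https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
# Disable TCP SACK.
# We have good networking :)
net.ipv4.tcp_sack = 0
# No SACK, therefore no Duplicated SACK.
net.ipv4.tcp_dsack = 0

# Improve ASLR effectiveness for mmap.
# 32 is the x86_64 maximum; the allowed range is architecture-specific and an
# out-of-range value is rejected, leaving the default in place.
vm.mmap_rnd_bits = 32
vm.mmap_rnd_compat_bits = 16

# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
# Restrict userfaultfd to CAP_SYS_PTRACE.
# https://bugs.archlinux.org/task/62780
# Interestingly enough, Arch does not even have userfaultfd in their kernel, so it is
# probably not used in the real world at all.
vm.unprivileged_userfaultfd = 0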