mirror of
https://github.com/optim-enterprises-bv/secureblue.git
synced 2025-11-06 05:17:45 +00:00
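# Kernel hardening settings in sysctl.d format (key = value, one per line).
# Reload with `sysctl --system` and verify single keys with `sysctl <key>`.
# A key that does not exist on the running kernel is reported as an error and
# is NOT applied, so check the output after every change.

# --- Network: anti-spoofing -------------------------------------------------

# Reverse-path filtering in strict mode (1): drop packets whose source address
# is not reachable via the interface they arrived on. The kernel uses the
# maximum of the "all" and per-interface values.
# NOTE(review): strict mode can drop legitimate traffic on multihomed hosts or
# with asymmetric routing; confirm before deploying on such systems.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# --- Network: ICMP redirects ------------------------------------------------

# Do not accept ICMP redirects (IPv4 and IPv6), including "secure" redirects
# from listed default gateways, so a peer cannot rewrite this host's routes.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# Do not send ICMP redirects. Sending stays enabled for an interface if EITHER
# the "all" or the per-interface value is 1, so "default" must be cleared too;
# otherwise interfaces created later inherit 1 and keep sending redirects.
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# --- Network: logging -------------------------------------------------------

# Log packets with impossible source addresses ("martians") to the kernel log.
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# --- Kernel attack-surface reduction ----------------------------------------

# Harden the BPF JIT for all users (2), not only unprivileged ones (1).
net.core.bpf_jit_harden = 2

# Yama: 3 = no process may attach with ptrace. This value cannot be lowered
# again without a reboot, and it breaks debuggers such as gdb and strace -p.
kernel.yama.ptrace_scope = 3

# Disable unprivileged bpf(). Value 1 is one-way until reboot.
kernel.unprivileged_bpf_disabled = 1

# Disable all magic SysRq key functions.
kernel.sysrq = 0

# Restrict perf_event_open().
# NOTE(review): level 3 is only distinct from 2 on kernels carrying the
# out-of-tree restriction patch; confirm the running kernel honours it.
kernel.perf_event_paranoid = 3

# Hide kernel pointers printed with %pK from all users, including root.
kernel.kptr_restrict = 2

# Require CAP_SYSLOG to read the kernel log (dmesg).
kernel.dmesg_restrict = 1

# Never core-dump processes that changed privilege (setuid etc.).
fs.suid_dumpable = 0

# Refuse O_CREAT opens of regular files / FIFOs not owned by the caller in
# world-writable sticky directories; 2 extends this to group-writable ones.
fs.protected_regular = 2
fs.protected_fifos = 2

# Do not auto-load TTY line-discipline modules for unprivileged users.
dev.tty.ldisc_autoload = 0

# --- Memory -----------------------------------------------------------------

# Swap only when necessary (less process memory written to swap).
vm.swappiness = 1

# Unprivileged userfaultfd may handle user-mode faults only; handling
# kernel-mode faults requires CAP_SYS_PTRACE.
vm.unprivileged_userfaultfd = 0

# --- Information leaks ------------------------------------------------------

# Prevent kernel info leaks on the console during boot.
# Fields: console, default-message, minimum-console, default-console loglevel.
# https://phabricator.whonix.org/T950
kernel.printk = 3 3 3 3

# --- Kernel replacement and core dumps --------------------------------------

# Disable kexec, which can be used to replace the running kernel.
# One-way: cannot be re-enabled without a reboot.
kernel.kexec_load_disabled = 1

# Disable core dumps by piping them to a program that discards its input.
# NOTE(review): another sysctl.d file that sorts later (for example one shipped
# with a coredump handler) can override this; verify the effective value.
kernel.core_pattern = |/bin/false

# --- io_uring ---------------------------------------------------------------

# Disable io_uring for all processes (2).
# The key lives under kernel.*; a bare "io_uring_disabled" does not resolve to
# any /proc/sys entry and is silently left unapplied apart from a load error.
# https://lore.kernel.org/lkml/20230629132711.1712536-1-matteorizzo@google.com/T/
# https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html
kernel.io_uring_disabled = 2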