From 340f2a55de4ae99bc07a75e4b1829530067a0fc1 Mon Sep 17 00:00:00 2001
From: shenzhui007 <12231252@bjtu.edu.cn>
Date: Mon, 6 Jun 2022 12:58:49 +0800
Subject: [PATCH 1/3] Update sysctl.conf
update according to https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
---
 sysctl.conf | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/sysctl.conf b/sysctl.conf
index a661e09..3969fd5 100644
--- a/sysctl.conf
+++ b/sysctl.conf
@@ -288,3 +288,10 @@ net.ipv6.conf.all.accept_source_route = 0
 #net.ipv6.icmp.echo_ignore_all = 1
 #net.ipv6.icmp.echo_ignore_anycast = 1
 #net.ipv6.icmp.echo_ignore_multicast = 1
+
+
+# prevent unprivileged attackers from loading vulnerable line disciplines with the TIOCSETD ioctl
+dev.tty.ldisc_autoload = 0
+
+# disable syscall to the CAP_SYS_PTRACE capability
+vm.unprivileged_userfaultfd = 0
From 871c697809dc140738ea9540c6cd0fb921056520 Mon Sep 17 00:00:00 2001
From: Samuel FORESTIER
Date: Sat, 2 Jul 2022 10:19:10 +0200
Subject: [PATCH 2/3] Improved consistency by adding spaces around '=' for `vm.mmap_rnd_*`
---
 sysctl.conf | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/sysctl.conf b/sysctl.conf
index a661e09..f548ade 100644
--- a/sysctl.conf
+++ b/sysctl.conf
@@ -110,9 +110,9 @@ fs.inotify.max_user_watches = 524288
 # do not allow mmap in lower addresses
 vm.mmap_min_addr = 65536
 
-# improve mmap ASLR effectness
-vm.mmap_rnd_bits=32
-vm.mmap_rnd_compat_bits=16
+# improve mmap ASLR effectiveness
+vm.mmap_rnd_bits = 32
+vm.mmap_rnd_compat_bits = 16
 
 ########## Networking ##########
 
From fa1f91a45e85e7bd090271ceef9260338fea4b03 Mon Sep 17 00:00:00 2001
From: k4yt3x
Date: Thu, 4 Aug 2022 16:22:59 +0000
Subject: [PATCH 3/3] moved ldisc_autoload and unprivileged_userfaultfd; updated comments
---
 sysctl.conf | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/sysctl.conf b/sysctl.conf
index 3969fd5..7ef7083 100644
--- a/sysctl.conf
+++ b/sysctl.conf
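Review bot: Both keys added at the end of the `@@ -288,3 +288,10 @@` hunk exist only on recent kernels — `dev.tty.ldisc_autoload` appeared in Linux 5.1 and `vm.unprivileged_userfaultfd` in 5.2 — and `sysctl -p` reports an error for every key the running kernel does not expose, which neither comment mentions. A one-line caveat above each setting would spare users of older kernels the surprise, e.g. `# requires Linux >= 5.1; sysctl reports an error for this key on older kernels` above `dev.tty.ldisc_autoload = 0` and `# requires Linux >= 5.2` above `vm.unprivileged_userfaultfd = 0`. As far as I recall the kernel's own default for `vm.unprivileged_userfaultfd` became 0 in 5.11, so the second setting mainly matters on 5.2–5.10; worth confirming and noting. Patch 3/3 moves both lines in its `@@ -69,6 +71,9 @@` and `@@ -114,6 +119,10 @@` hunks without adding this, so the same applies there.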
@@ -2,12 +2,14 @@
 # Author: K4YT3X
 # Contributor: IceCodeNew
 # Contributor: HorlogeSkynet
+# Contributor: shenzhui007
+# Contributor: HorlogeSkynet
 # Date Created: October 5, 2020
-# Last Updated: October 15, 2021
+# Last Updated: August 4, 2022
 # Licensed under the GNU General Public License Version 3 (GNU GPL v3),
 # available at: https://www.gnu.org/licenses/gpl-3.0.txt
-# (C) 2020-2021 K4YT3X
+# (C) 2020-2022 K4YT3X
 # Multiple sources have been consulted while writing this configuration
 # file (e.g., nixCraft's sysctl.conf). Sources are not cited since this
@@ -69,6 +71,9 @@ kernel.perf_event_paranoid = 3
 kernel.perf_cpu_time_max_percent = 1
 kernel.perf_event_max_sample_rate = 1
 
+# prevent unprivileged attackers from loading vulnerable line disciplines with the TIOCSETD ioctl
+dev.tty.ldisc_autoload = 0
+
 ########## File System ##########
 
 # disallow core dumping by SUID/SGID programs
@@ -114,6 +119,10 @@ vm.mmap_min_addr = 65536
 vm.mmap_rnd_bits=32
 vm.mmap_rnd_compat_bits=16
 
+# prevent unprivileged users from accessing userfaultfd
+# restricts syscall to the privileged users or the CAP_SYS_PTRACE capability
+vm.unprivileged_userfaultfd = 0
+
 ########## Networking ##########
 
 # increase the maximum length of processor input queues
@@ -288,10 +297,3 @@ net.ipv6.conf.all.accept_source_route = 0
 #net.ipv6.icmp.echo_ignore_all = 1
 #net.ipv6.icmp.echo_ignore_anycast = 1
 #net.ipv6.icmp.echo_ignore_multicast = 1
-
-
-# prevent unprivileged attackers from loading vulnerable line disciplines with the TIOCSETD ioctl
-dev.tty.ldisc_autoload = 0
-
-# disable syscall to the CAP_SYS_PTRACE capability
-vm.unprivileged_userfaultfd = 0
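Review bot: The added `+# Contributor: HorlogeSkynet` line in the `@@ -2,12 +2,14 @@` hunk duplicates the context line `# Contributor: HorlogeSkynet` two lines above it, so the header now credits the same handle twice. Only `# Contributor: shenzhui007` is genuinely new here; the second added line should be dropped, or, if it was meant to credit the author of patch 2/3 under a different name, carry that name instead.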
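Review bot: The `@@ -114,6 +119,10 @@` hunk is based on the tree after patch 1/3, not after patch 2/3: the patch's `index 3969fd5..7ef7083` line names patch 1's blob as parent (patch 2/3 produces f548ade), and the context lines still read `vm.mmap_rnd_bits=32` and `vm.mmap_rnd_compat_bits=16`, the spelling patch 2/3 replaces. Applied in series order with `git am`, this hunk's context no longer matches and patch 3/3 fails to apply, which silently defeats the series as published. Rebasing patch 3/3 onto f548ade so the context reads `vm.mmap_rnd_bits = 32` and `vm.mmap_rnd_compat_bits = 16` (with the index line updated accordingly) makes the three patches apply in order.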