# kernel-hardening.conf - kernel hardening sysctls in sysctl.conf(5) format:
# one "key = value" per line, "#" full-line comments, no sections.
# A key the running kernel does not expose is rejected when the file is applied,
# so the notes below name the kernel version or build dependency of each knob.

# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
# 2 = %pK pointers are printed as zeros for every caller, including CAP_SYSLOG holders.
kernel.kptr_restrict = 2

# Avoid kernel memory address exposures via dmesg.
# 1 = reading the kernel log buffer requires CAP_SYSLOG.
kernel.dmesg_restrict = 1

# Improve KASLR effectiveness for mmap.
# The accepted range is architecture-specific (on x86_64, 32 is the maximum for
# mmap_rnd_bits and 16 for mmap_rnd_compat_bits); a value outside the range is
# refused with EINVAL, so confirm the limits for every target architecture.
# NOTE(review): mmap_rnd_compat_bits only exists on kernels built with a 32-bit
# compat ABI - verify the key is present on each target before relying on it.
vm.mmap_rnd_bits = 32
vm.mmap_rnd_compat_bits = 16

# Turn on hard- and symlink protection
# Symlinks in world-writable sticky directories are followed only when the
# follower owns the symlink or the directory owner owns the symlink; hardlinks
# can only be created to files the caller owns or has read and write access to.
fs.protected_symlinks = 1
fs.protected_hardlinks = 1

# Don't allow writes to files and FIFOs that we don't own in world writable sticky
# directories, unless they are owned by the owner of the directory.
# 2 = the same restriction is also applied in group-writable sticky directories.
# Both keys require Linux 4.19 or newer.
fs.protected_fifos = 2
fs.protected_regular = 2

# Include PID in file names of generated core dumps
# Has no effect when kernel.core_pattern already contains %p.
kernel.core_uses_pid = 1

# Block non-uid-0 profiling
# NOTE(review): mainline kernels document the values -1..2 and treat 3 like 2,
# which still lets unprivileged users profile their own user-space processes.
# Only kernels carrying the Debian/Android perf_event_paranoid=3 patch disable
# perf entirely for non-root - confirm the IPFire kernel includes it before
# relying on this comment.
kernel.perf_event_paranoid = 3

# Restrict loading TTY line disciplines to CAP_SYS_MODULE to prevent unprivileged attackers
# from loading vulnerable line disciplines with the TIOCSETD ioctl.
# Available since Linux 5.1.
dev.tty.ldisc_autoload = 0