setup: Port sysctl hardening settings from IPFire 2.x

author Peter Müller <peter.mueller@ipfire.org>

Fri, 15 Sep 2023 12:41:42 +0000 (14:41 +0200)

committer Peter Müller <peter.mueller@ipfire.org>

Sat, 16 Sep 2023 11:47:41 +0000 (13:47 +0200)
author Peter Müller <peter.mueller@ipfire.org>
Fri, 15 Sep 2023 12:41:42 +0000 (14:41 +0200)
committer Peter Müller <peter.mueller@ipfire.org>
Sat, 16 Sep 2023 11:47:41 +0000 (13:47 +0200)
diff --git a/setup/sysctl/kernel-hardening.conf b/setup/sysctl/kernel-hardening.conf

index d92485d619c87efb4d59dc3afbfe1fa7a7922d58..6f782e0b1f6506855c27cb9e3a15e4da1a241105 100644 (file)
--- a/setup/sysctl/kernel-hardening.conf
+++ b/setup/sysctl/kernel-hardening.conf
@@ -11,3 +11,18 @@ vm.mmap_rnd_compat_bits = 16
  # Turn on hard- and symlink protection
  fs.protected_symlinks = 1
  fs.protected_hardlinks = 1
+
+# Don't allow writes to files and FIFOs that we don't own in world writable sticky
+# directories, unless they are owned by the owner of the directory.
+fs.protected_fifos = 2
+fs.protected_regular = 2
+
+# Include PID in file names of generated core dumps
+kernel.core_uses_pid = 1
+
+# Block non-uid-0 profiling
+kernel.perf_event_paranoid = 3
+
+# Restrict loading TTY line disciplines to CAP_SYS_MODULE to prevent unprivileged attackers
+# from loading vulnerable line disciplines with the TIOCSETD ioctl.
+dev.tty.ldisc_autoload = 0
author	Peter Müller <peter.mueller@ipfire.org>
	Fri, 15 Sep 2023 12:41:42 +0000 (14:41 +0200)
committer	Peter Müller <peter.mueller@ipfire.org>
	Sat, 16 Sep 2023 11:47:41 +0000 (13:47 +0200)