[ipfire-3.x.git] / setup / sysctl / kernel-hardening.conf

# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
kernel.kptr_restrict = 2

# Avoid kernel memory address exposures via dmesg.
kernel.dmesg_restrict = 1

# Improve KASLR effectiveness for mmap.
vm.mmap_rnd_bits = 32
vm.mmap_rnd_compat_bits = 16

# Turn on hard- and symlink protection
fs.protected_symlinks = 1
fs.protected_hardlinks = 1
Commit	Line	Data
5c62e473	1	# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
7403755a	2	kernel.kptr_restrict = 2
5c62e473 PM	3
	4	# Avoid kernel memory address exposures via dmesg.
	5	kernel.dmesg_restrict = 1
	6
78d3aeab PM	7	# Improve KASLR effectiveness for mmap.
	8	vm.mmap_rnd_bits = 32
	9	vm.mmap_rnd_compat_bits = 16
5d673af2 PM	10
	11	# Turn on hard- and symlink protection
	12	fs.protected_symlinks = 1
	13	fs.protected_hardlinks = 1