sysctl on mkirby.org

Uncategorized

The following is from my /etc/sysctl.conf with the documentation inline.
Some of the settings are default, but I like to reiterate these with comments so that I know why these are set.

# http://lwn.net/Articles/420403/
# kernel pointers using %pK are printed as 0’s regardless of privileges
# Add the %pK printk format specifier and the /proc/sys/kernel/kptr_restrict sysctl.
# The %pK format specifier is designed to hide exposed kernel pointers,
# specifically via /proc interfaces.  Exposing these pointers provides an
# easy target for kernel write vulnerabilities, since they reveal the
# locations of writable structures containing easily triggerable function
# pointers.  The behavior of %pK depends on the kptr_restrict sysctl.
kernel.kptr_restrict = 2

# http://lwn.net/Articles/414813/
# only users with CAP_SYS_ADMIN can read the kernel syslog via dmesg
kernel.dmesg_restrict = 1
#Enable ExecShield protection.  This is set by default.
kernel.exec-shield = 1

# Address Space Layout Randomization (ASLR). This is set to ‘1’ by default.
# ASLR involves randomly arranging the positions of key data areas of a program, including the base of the executable and the positions of the stack, heap, and libraries, in a process’s address space.
# Options are:
# 0 – disable ASLR
# 1 – Conservative address space randomization. Code start register will be randomized. (This is the default)
# 2 – Full address space randomization. Contains the feature of value 1 in addition brk area is randomized.
kernel.randomize_va_space = 2

# Disable source routes and redirects.
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

# Ignore all ICMP ECHO and TIMESTAMP requests sent to it via broadcast/multicast
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Prevent against the common syn flood attack
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 2

# Enable source validation by reversed path, as specified in RFC1812
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# This is just a server, so disable redirects.
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Deny SRR
net.ipv4.conf.all.accept_source_route = 0

# This is a server, not a router. Disable IP forwarding. (disabled by default)
net.ipv4.ip_forward = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename
# Useful for debugging multi-threaded applications
kernel.core_uses_pid = 1

net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1
net.ipv4.tcp_timestamps=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0