linux_hardening_guide:sysctl

Differences

linux_hardening_guide:sysctl [2025/05/31 14:40] – created peter
linux_hardening_guide:sysctl [2025/05/31 15:19] (current) peter
Line 33: Line 33:
 ---- ----
  
-====== Recommended sysctl settings to change ======+====== Recommended sysctl settings to change for Kernel self-protection ======
  
-===== kernel.kptr_restrict=2 =====+<code bash> 
 +kernel.kptr_restrict=2 
 +</code>
  
 A kernel pointer points to a specific location in kernel memory. A kernel pointer points to a specific location in kernel memory.
 +
   * These can be very useful in exploiting the kernel, but kernel pointers are not hidden by default — it is easy to uncover them by, for example, reading the contents of /proc/kallsyms.   * These can be very useful in exploiting the kernel, but kernel pointers are not hidden by default — it is easy to uncover them by, for example, reading the contents of /proc/kallsyms.
   * This setting aims to mitigate kernel pointer leaks.   * This setting aims to mitigate kernel pointer leaks.
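Review bot: the kernel.kptr_restrict=2 block no longer says how to confirm the setting took effect, and the only observable the text names is /proc/kallsyms; add that after `sysctl -w kernel.kptr_restrict=2`, `head -n 3 /proc/kallsyms` should show all-zero addresses for every user, root included, whereas the value 1 only hides them from processes without CAP_SYSLOG. Replacing the `===== ... =====` headings with `<code bash>` blocks is a style choice, but it removes the per-setting section anchors, so other pages that linked to `#kernel_kptr_restrict_2` will no longer land on the setting.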
Line 44: Line 47:
 ---- ----
  
-===== kernel.dmesg_restrict=1 =====+<code bash> 
 +kernel.dmesg_restrict=1 
 +</code> 
 + 
 +[[https://en.wikipedia.org/wiki/Dmesg|dmesg]] is the kernel log.
  
-dmesg is the kernel log. 
   * It exposes a large amount of useful kernel debugging information, but this can often leak sensitive information, such as kernel pointers.   * It exposes a large amount of useful kernel debugging information, but this can often leak sensitive information, such as kernel pointers.
   * Changing the above sysctl restricts the kernel log to the CAP_SYSLOG capability.   * Changing the above sysctl restricts the kernel log to the CAP_SYSLOG capability.
 +
 +<WRAP info>
 +**NOTE:**  Capabilities:
 +
 +  * In the Linux kernel, "root privileges" are split up into various different capabilities.
 +  * This is helpful in applying the principle of least privilege — instead of giving a process total root privileges, you can grant them only a specific subset instead.
 +  * For example, if a program simply needs to set your system time, then it only needs CAP_SYS_TIME rather than total root.
 +  * This could limit the potential damage that can be done; however, you must still be cautious with granting capabilities, as many of them can be abused to gain full root privileges anyway.
 +
 +</WRAP>
  
 ---- ----
  
-===== kernel.printk=3 3 3 3 =====+<code bash> 
 +kernel.printk=3 3 3 3 
 +</code>
  
 Despite the value of dmesg_restrict, the kernel log will still be displayed in the console during boot. Despite the value of dmesg_restrict, the kernel log will still be displayed in the console during boot.
 +
   * Malware that is able to record the screen during boot may be able to abuse this to gain higher privileges.   * Malware that is able to record the screen during boot may be able to abuse this to gain higher privileges.
   * This option prevents those information leaks.   * This option prevents those information leaks.
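Review bot: the kernel.printk=3 3 3 3 paragraph says the setting prevents the kernel log from being displayed on the console during boot, but a sysctl is applied from userspace (systemd-sysctl or the distribution's sysctl init script) after the kernel has already printed its early messages, so it only silences output from that point on. To suppress the early-boot console output the paragraph describes, the page should also recommend the `loglevel=3` (or `quiet`) kernel command-line parameter and keep the sysctl for runtime. The new capabilities note is a useful addition; its last bullet would be stronger if it named the capabilities that are effectively root-equivalent (CAP_SYS_ADMIN, CAP_SYS_MODULE, CAP_SYS_PTRACE and CAP_DAC_OVERRIDE among them), since the same note is referenced by the dmesg_restrict, ldisc_autoload and userfaultfd sections below.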
Line 61: Line 80:
 ---- ----
  
-===== kernel.unprivileged_bpf_disabled=1 =====+<code bash> 
 +kernel.unprivileged_bpf_disabled=1 
 +net.core.bpf_jit_harden=
 +</code>
  
 eBPF exposes quite large attack surface eBPF exposes quite large attack surface
   * As such, it must be restricted.   * As such, it must be restricted.
-  * These sysctls restrict eBPF to the CAP_BPF capability (CAP_SYS_ADMIN on kernel versions prior to 5.8) and enable JIT hardening techniques, such as constant blinding. +  * These sysctls restrict eBPF to the CAP_BPF capability (CAP_SYS_ADMIN on kernel versions prior to 5.8) and enable JIT hardening techniques, such as [[https://github.com/torvalds/linux/blob/9e4b0d55d84a66dbfede56890501dc96e696059c/include/linux/filter.h#L1039-L1070|constant blinding]].
  
 ---- ----
  
-===== net.core.bpf_jit_harden=2 =====+<code bash> 
 +dev.tty.ldisc_autoload=
 +</code>
  
-Same reason as for **kernel.unprivileged_bpf_disabled=1**.+This [[https://lkml.org/lkml/2019/4/15/890|restricts loading TTY line disciplines]] to the CAP_SYS_MODULE capability to prevent unprivileged attackers from loading vulnerable line disciplines with the TIOCSETD ioctl, which has been [[https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html|abused in a number of exploits before]].
  
-eBPF exposes quite large attack surface +---- 
-  As such, it must be restricted+ 
-  * These sysctls restrict eBPF to the CAP_BPF capability (CAP_SYS_ADMIN on kernel versions prior to 5.8) and enable JIT hardening techniques, such as constant blinding+<code bash> 
 +vm.unprivileged_userfaultfd=0 
 +</code> 
 + 
 +The **[[https://man7.org/linux/man-pages/man2/userfaultfd.2.html|userfaultfd()]]** syscall is often abused to exploit use-after-free flaws. 
 + 
 +  * Due to this, this sysctl is used to restrict this syscall to the CAP_SYS_PTRACE capability.
  
 ---- ----
  
-===== dev.tty.ldisc_autoload=0 =====+<code bash> 
 +kernel.kexec_load_disabled=
 +</code>
  
-This restricts loading TTY line disciplines to the CAP_SYS_MODULE capability to prevent unprivileged attackers from loading vulnerable line disciplines with the TIOCSETD ioctl, which has been abused in number of exploits before.+[[https://en.wikipedia.org/wiki/Kexec|kexec]] is a system call that is used to boot another kernel during runtime. 
 + 
 +  * This functionality can be abused to load malicious kernel and gain arbitrary code execution in kernel mode, so this sysctl disables it.
  
 ---- ----
  
-===== vm.unprivileged_userfaultfd=0 =====+<code bash> 
 +kernel.sysrq=
 +</code>
  
-The **userfaultfd()** syscall is often abused to exploit use-after-free flaws.+The [[https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html|SysRq key]] exposes a lot of potentially dangerous debugging functionality to unprivileged users. 
 +  Contrary to common assumptions, SysRq is not only an issue for physical attacks, as it can also be [[https://github.com/xairy/unlockdown|triggered remotely]]. 
 +    The value of this sysctl makes it so that a user can only use the [[https://www.kernel.org/doc/Documentation/SAK.txt|secure attention key]], which will be necessary for accessing root securely. 
 +  Alternatively, you can simply set the value to 0 to disable SysRq completely.
  
-  * Due to this, this sysctl is used to restrict this syscall to the CAP_SYS_PTRACE capability.+---- 
 + 
 +<code bash> 
 +kernel.unprivileged_userns_clone=0 
 +</code> 
 + 
 +User namespaces are a feature in the kernel which aim to improve sandboxing and make it easily accessible for unprivileged users. 
 + 
 +  * However, this feature exposes significant kernel attack surface for privilege escalationso this sysctl restricts the usage of user namespaces to the CAP_SYS_ADMIN capability. 
 +  * For unprivileged sandboxing, it is instead recommended to use a setuid binary with little attack surface to minimise the potential for privilege escalation. 
 +  * This topic is covered further in the sandboxing section. 
 + 
 +<WRAP info> 
 +**NOTE:**  This sysctl only exists on certain Linux distributions, as it requires a kernel patch. 
 + 
 +  * If your kernel does not include this patch, you can alternatively disable user namespaces completely (including for root) by setting **user.max_user_namespaces=0**. 
 + 
 +</WRAP>
  
 ---- ----
  
-===== kernel.kexec_load_disabled=1 =====+<code bash> 
 +kernel.perf_event_paranoid=
 +</code>
  
-kexec is system call that is used to boot another kernel during runtime+[[https://lore.kernel.org/kernel-hardening/1469630746-32279-1-git-send-email-jeffv@google.com/|Performance events add considerable kernel attack surface and have caused abundant vulnerabilities]]. 
-  * This functionality can be abused to load a malicious kernel and gain arbitrary code execution in kernel modeso this sysctl disables it.+ 
 +This sysctl restricts all usage of performance events to the CAP_PERFMON capability (CAP_SYS_ADMIN on kernel versions prior to 5.8). 
 + 
 +<WRAP info> 
 +**NOTE:**  This sysctl also requires kernel patch that is only available on certain distributions. 
 + 
 +  * Otherwise, this setting is equivalent to **[[https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html#unprivileged-users|kernel.perf_event_paranoid=2]]**which only restricts a subset of this functionality 
 + 
 +</WRAP>
  
 ---- ----
  
-===== kernel.sysrq======+====== Recommended sysctl settings to change for Networks ======
  
-The SysRq key exposes a lot of potentially dangerous debugging functionality to unprivileged users+<code bash> 
-  * Contrary to common assumptions, SysRq is not only an issue for physical attacks, as it can also be triggered remotely. +net.ipv4.tcp_syncookies=1 
-    * The value of this sysctl makes it so that user can only use the secure attention key, which will be necessary for accessing root securely. +</code> 
-  * Alternatively, you can simply set the value to to disable SysRq completely.+ 
 +This helps protect against [[https://en.wikipedia.org/wiki/SYN_flood|SYN flood attacks]]which are form of denial-of-service attackin which an attacker sends a large amount of bogus SYN requests in an attempt to consume enough resources to make the system unresponsive to legitimate traffic
  
 ---- ----
  
-===== kernel.unprivileged_userns_clone=0 =====+<code bash> 
 +net.ipv4.tcp_rfc1337=
 +</code>
  
 +This protects against [[https://tools.ietf.org/html/rfc1337|time-wait assassination]] by dropping RST packets for sockets in the time-wait state. 
 +
 +----
 +
 +<code bash>
 +net.ipv4.conf.all.rp_filter=1
 +net.ipv4.conf.default.rp_filter=1
 +</code>
 +
 +These enable source validation of packets received from all interfaces of the machine.
 +
 +  * This protects against [[https://en.wikipedia.org/wiki/IP_address_spoofing|IP spoofing]], in which an attacker sends a packet with a fraudulent IP address.
 +
 +----
 +
 +<code bash>
 +net.ipv4.conf.all.accept_redirects=0
 +net.ipv4.conf.default.accept_redirects=0
 +net.ipv4.conf.all.secure_redirects=0
 +net.ipv4.conf.default.secure_redirects=0
 +net.ipv6.conf.all.accept_redirects=0
 +net.ipv6.conf.default.accept_redirects=0
 +net.ipv4.conf.all.send_redirects=0
 +net.ipv4.conf.default.send_redirects=0
 +</code>
 +
 +These disable ICMP redirect acceptance and sending to prevent [[https://askubuntu.com/questions/118273/what-are-icmp-redirects-and-should-they-be-blocked|man-in-the-middle attacks]] and minimize information disclosure.
 +
 +----
 +
 +<code bash>
 +net.ipv4.icmp_echo_ignore_all=1
 +</code>
 +
 +This setting makes your system ignore all ICMP requests to avoid Smurf attacks, make the device more difficult to enumerate on the network and prevent clock fingerprinting through ICMP timestamps. 
 +
 +----
 +
 +<code bash>
 +net.ipv4.conf.all.accept_source_route=0
 +net.ipv4.conf.default.accept_source_route=0
 +net.ipv6.conf.all.accept_source_route=0
 +net.ipv6.conf.default.accept_source_route=0
 +</code>
 +
 +Source routing is a mechanism that allows users to redirect network traffic.
 +
 +  * As this can be used to perform man-in-the-middle attacks in which the traffic is redirected for nefarious purposes, the above settings disable this functionality. 
 +
 +----
 +
 +<code bash>
 +net.ipv6.conf.all.accept_ra=0
 +net.ipv6.conf.default.accept_ra=0
 +</code>
 +
 +Malicious IPv6 router advertisements can result in a man-in-the-middle attack, so they should be disabled.
 +
 +----
 +
 +<code bash>
 +net.ipv4.tcp_sack=0
 +net.ipv4.tcp_dsack=0
 +net.ipv4.tcp_fack=0
 +</code>
 +
 +This disables TCP SACK.
 +
 +  * SACK is commonly exploited and unnecessary in many circumstances, so it should be disabled if it is not required.
 +
 +----
 +
 +====== Recommended sysctl settings to change for User Space ======
 +
 +<code bash>
 +kernel.yama.ptrace_scope=2
 +</code>
 +
 +[[https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html|ptrace is a system call that allows a program to alter and inspect another running process]], which allows attackers to trivially modify the memory of other running programs.
 +
 +  * This restricts usage of ptrace to only processes with the CAP_SYS_PTRACE capability.
 +  * Alternatively, set the sysctl to 3 to disable ptrace entirely. 
 +
 +----
 +
 +<code bash>
 +vm.mmap_rnd_bits=32
 +vm.mmap_rnd_compat_bits=16
 +</code>
 +
 +[[https://en.wikipedia.org/wiki/Address_space_layout_randomization|ASLR]] is a common exploit mitigation which randomises the position of critical parts of a process in memory. This can make a wide variety of exploits harder to pull off, as they first require an information leak. The above settings increase the bits of entropy used for mmap ASLR, improving its effectiveness.
 +
 +The values of these sysctls must be set in relation to the CPU architecture. The above values are compatible with x86, but other architectures may differ. 
 +
 +----
 +
 +<code bash>
 +fs.protected_symlinks=1
 +fs.protected_hardlinks=1
 +</code>
 +
 +This only permits symlinks to be followed when outside of a world-writable sticky directory, when the owner of the symlink and follower match or when the directory owner matches the symlink's owner.
 +
 +  * This also prevents hardlinks from being created by users that do not have read/write access to the source file.
 +  * Both of these prevent many common [[https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use|TOCTOU races]].
 +
 +----
 +
 +<code bash>
 +fs.protected_fifos=2
 +fs.protected_regular=2
 +</code>
 +
 +[[https://github.com/torvalds/linux/commit/30aba6656f61ed44cba445a3c0d38b296fa9e8f5|These prevent creating files in potentially attacker-controlled environments]], such as world-writable directories, to make data spoofing attacks more difficult.
 +
 +----
  
  
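Review bot: several of the new `<code bash>` blocks in this hunk lost their values: `net.core.bpf_jit_harden=`, `dev.tty.ldisc_autoload=`, `kernel.kexec_load_disabled=`, `kernel.sysrq=`, `kernel.perf_event_paranoid=` and `net.ipv4.tcp_rfc1337=` end in a bare `=`, so a reader copying the block has nothing to apply. The removed headings still show what they were (`net.core.bpf_jit_harden=2`, `dev.tty.ldisc_autoload=0`, `kernel.kexec_load_disabled=1`), the SysRq text ("only use the secure attention key") corresponds to `kernel.sysrq=4`, the time-wait assassination paragraph needs `net.ipv4.tcp_rfc1337=1`, and the perf_event_paranoid block should state the patched value explicitly rather than leaving only the `=2` fallback in the note. A few settings also need the caveat a reader will hit: `net.ipv4.icmp_echo_ignore_all=1` makes the host invisible to legitimate ping-based monitoring as well as to attackers; `net.ipv4.tcp_sack=0` (with dsack and fack) costs throughput on lossy links, so "if it is not required" should say what that means in practice; `kernel.yama.ptrace_scope=3` cannot be lowered again without a reboot, which the "alternatively" bullet should mention; and `vm.mmap_rnd_bits`/`vm.mmap_rnd_compat_bits` are rejected with EINVAL above the architecture maximum, so "compatible with x86" should read x86_64, where 32 and 16 are the maxima (32-bit x86 tops out at 16). The user-namespace section should likewise say what `user.max_user_namespaces=0` breaks (unprivileged containers and any sandbox that relies on user namespaces), since the sandboxing section it defers to is the only place a reader would learn that.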
Line 124: Line 309:
 ... ...
 ... ...
-# Network Security+# Network Security.
 net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.all.send_redirects = 0
 net.ipv4.conf.default.send_redirects = 0 net.ipv4.conf.default.send_redirects = 0
Line 144: Line 329:
 net.ipv4.tcp_syn_retries = 5 net.ipv4.tcp_syn_retries = 5
  
-# IPv6 Security (if enabled)+# IPv6 Security (if enabled).
 net.ipv6.conf.all.accept_redirects = 0 net.ipv6.conf.all.accept_redirects = 0
 net.ipv6.conf.default.accept_redirects = 0 net.ipv6.conf.default.accept_redirects = 0
Line 150: Line 335:
 net.ipv6.conf.default.accept_source_route = 0 net.ipv6.conf.default.accept_source_route = 0
  
-# Process Security+# Process Security.
 kernel.randomize_va_space = 2 kernel.randomize_va_space = 2
 kernel.kptr_restrict = 2 kernel.kptr_restrict = 2
Line 161: Line 346:
  
  
-# File System Security+# File System Security.
 fs.protected_hardlinks = 1 fs.protected_hardlinks = 1
 fs.protected_symlinks = 1 fs.protected_symlinks = 1
Line 168: Line 353:
 fs.protected_regular = 2 fs.protected_regular = 2
  
-# Additional Security Measures +# Additional Security Measures. 
-dev.tty.ldisc_autoload = 0+#dev.tty.ldisc_autoload = 0
 #kernel.modules_disabled = 1 #kernel.modules_disabled = 1
 kernel.core_uses_pid = 1 kernel.core_uses_pid = 1
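Review bot: `dev.tty.ldisc_autoload = 0` is commented out here (`#dev.tty.ldisc_autoload = 0`) while the section above recommends setting it, so the consolidated file no longer matches the guide; either uncomment it or add a comment saying why it is optional, as the file already implicitly does for `#kernel.modules_disabled = 1`, which is reasonable to leave off because it is one-way and blocks all module loading once set.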
linux_hardening_guide/sysctl.1748702438.txt.gz · Last modified: 2025/05/31 14:40 by peter
