linux_hardening_guide:sysctl

Differences

This shows you the differences between two versions of the page.

linux_hardening_guide:sysctl [2025/05/31 14:54] peterlinux_hardening_guide:sysctl [2025/05/31 15:19] (current) peter
Line 35: Line 35:
 ====== Recommended sysctl settings to change for Kernel self-protection ====== ====== Recommended sysctl settings to change for Kernel self-protection ======
  
-===== kernel.kptr_restrict=2 =====+<code bash> 
 +kernel.kptr_restrict=2 
 +</code>
  
 A kernel pointer points to a specific location in kernel memory. A kernel pointer points to a specific location in kernel memory.
 +
   * These can be very useful in exploiting the kernel, but kernel pointers are not hidden by default — it is easy to uncover them by, for example, reading the contents of /proc/kallsyms.   * These can be very useful in exploiting the kernel, but kernel pointers are not hidden by default — it is easy to uncover them by, for example, reading the contents of /proc/kallsyms.
   * This setting aims to mitigate kernel pointer leaks.   * This setting aims to mitigate kernel pointer leaks.
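Review bot: the description still does not say why the block recommends the value 2 rather than 1, and that is the one thing a reader copying this line needs to know: with kptr_restrict=1 the kernel still prints real %pK addresses to readers holding CAP_SYSLOG, while 2 prints them as zeros for everyone, root included. The first bullet names /proc/kallsyms as the leak vector, which is exactly the interface this sysctl censors, so saying "which this setting zeroes" there would tie the example to the setting.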
Line 44: Line 47:
 ---- ----
  
-===== kernel.dmesg_restrict=1 =====+<code bash> 
 +kernel.dmesg_restrict=1 
 +</code> 
 + 
 +[[https://en.wikipedia.org/wiki/Dmesg|dmesg]] is the kernel log.
  
-dmesg is the kernel log. 
   * It exposes a large amount of useful kernel debugging information, but this can often leak sensitive information, such as kernel pointers.   * It exposes a large amount of useful kernel debugging information, but this can often leak sensitive information, such as kernel pointers.
   * Changing the above sysctl restricts the kernel log to the CAP_SYSLOG capability.   * Changing the above sysctl restricts the kernel log to the CAP_SYSLOG capability.
 +
 +<WRAP info>
 +**NOTE:**  Capabilities:
 +
 +  * In the Linux kernel, "root privileges" are split up into various different capabilities.
 +  * This is helpful in applying the principle of least privilege — instead of giving a process total root privileges, you can grant them only a specific subset instead.
 +  * For example, if a program simply needs to set your system time, then it only needs CAP_SYS_TIME rather than total root.
 +  * This could limit the potential damage that can be done; however, you must still be cautious with granting capabilities, as many of them can be abused to gain full root privileges anyway.
 +
 +</WRAP>
  
 ---- ----
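Review bot: the new capabilities NOTE box sits right under the CAP_SYSLOG sentence but never mentions CAP_SYSLOG; using it as the worked example in the third bullet ("a log reader that only needs dmesg needs CAP_SYSLOG, not root") would make the box explain the setting it is attached to instead of reading as a generic aside. Minor style: there is a stray blank line before </WRAP> and a double space after **NOTE:**.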
Line 66: Line 82:
 <code bash> <code bash>
 kernel.unprivileged_bpf_disabled=1 kernel.unprivileged_bpf_disabled=1
 +net.core.bpf_jit_harden=2
 </code> </code>
  
 eBPF exposes quite large attack surface eBPF exposes quite large attack surface
   * As such, it must be restricted.   * As such, it must be restricted.
-  * These sysctls restrict eBPF to the CAP_BPF capability (CAP_SYS_ADMIN on kernel versions prior to 5.8) and enable JIT hardening techniques, such as constant blinding. +  * These sysctls restrict eBPF to the CAP_BPF capability (CAP_SYS_ADMIN on kernel versions prior to 5.8) and enable JIT hardening techniques, such as [[https://github.com/torvalds/linux/blob/9e4b0d55d84a66dbfede56890501dc96e696059c/include/linux/filter.h#L1039-L1070|constant blinding]].
  
 ---- ----
  
-===== net.core.bpf_jit_harden=2 =====+<code bash> 
 +dev.tty.ldisc_autoload=
 +</code>
  
-Same reason as for **kernel.unprivileged_bpf_disabled=1**. +This [[https://lkml.org/lkml/2019/4/15/890|restricts loading TTY line disciplines]] to the CAP_SYS_MODULE capability to prevent unprivileged attackers from loading vulnerable line disciplines with the TIOCSETD ioctlwhich has been [[https://a13xp0p0v.github.io/2017/03/24/CVE-2017-2636.html|abused in a number of exploits before]].
- +
-eBPF exposes quite large attack surface +
-  * As such, it must be restricted. +
-  * These sysctls restrict eBPF to the CAP_BPF capability (CAP_SYS_ADMIN on kernel versions prior to 5.8) and enable JIT hardening techniquessuch as constant blinding+
  
 ---- ----
  
-===== dev.tty.ldisc_autoload=0 ===== +<code bash> 
- +vm.unprivileged_userfaultfd=0 
-This restricts loading TTY line disciplines to the CAP_SYS_MODULE capability to prevent unprivileged attackers from loading vulnerable line disciplines with the TIOCSETD ioctl, which has been abused in a number of exploits before. +</code>
- +
----- +
- +
-===== vm.unprivileged_userfaultfd=0 =====+
  
-The **userfaultfd()** syscall is often abused to exploit use-after-free flaws.+The **[[https://man7.org/linux/man-pages/man2/userfaultfd.2.html|userfaultfd()]]** syscall is often abused to exploit use-after-free flaws.
  
   * Due to this, this sysctl is used to restrict this syscall to the CAP_SYS_PTRACE capability.   * Due to this, this sysctl is used to restrict this syscall to the CAP_SYS_PTRACE capability.
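Review bot: the value was lost when the heading was converted into a code block: the old heading read "dev.tty.ldisc_autoload=0" but the new block reads "dev.tty.ldisc_autoload=" with nothing after the "=", so anyone pasting it into sysctl.conf gets an invalid line and the line discipline autoload restriction is never applied. Restore the 0. The sentence under it also lost its comma and space in the edit: "TIOCSETD ioctlwhich has been" should read "TIOCSETD ioctl, which has been". Folding net.core.bpf_jit_harden=2 into the unprivileged_bpf_disabled block and dropping the duplicated eBPF paragraph is the right cleanup; while you are in that block, the unchanged context line "eBPF exposes quite large attack surface" wants "quite a large attack surface".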
Line 98: Line 109:
 ---- ----
  
-===== kernel.kexec_load_disabled=1 =====+<code bash> 
 +kernel.kexec_load_disabled=1 
 +</code> 
 + 
 +[[https://en.wikipedia.org/wiki/Kexec|kexec]] is a system call that is used to boot another kernel during runtime.
  
-kexec is a system call that is used to boot another kernel during runtime. 
   * This functionality can be abused to load a malicious kernel and gain arbitrary code execution in kernel mode, so this sysctl disables it.   * This functionality can be abused to load a malicious kernel and gain arbitrary code execution in kernel mode, so this sysctl disables it.
  
 ---- ----
  
-===== kernel.sysrq=4 =====+<code bash> 
 +kernel.sysrq=4 
 +</code>
  
-The SysRq key exposes a lot of potentially dangerous debugging functionality to unprivileged users. +The [[https://www.kernel.org/doc/html/latest/admin-guide/sysrq.html|SysRq key]] exposes a lot of potentially dangerous debugging functionality to unprivileged users. 
-  * Contrary to common assumptions, SysRq is not only an issue for physical attacks, as it can also be triggered remotely. +  * Contrary to common assumptions, SysRq is not only an issue for physical attacks, as it can also be [[https://github.com/xairy/unlockdown|triggered remotely]]
-    * The value of this sysctl makes it so that a user can only use the secure attention key, which will be necessary for accessing root securely.+    * The value of this sysctl makes it so that a user can only use the [[https://www.kernel.org/doc/Documentation/SAK.txt|secure attention key]], which will be necessary for accessing root securely.
   * Alternatively, you can simply set the value to 0 to disable SysRq completely.   * Alternatively, you can simply set the value to 0 to disable SysRq completely.
  
 ---- ----
  
-===== kernel.unprivileged_userns_clone=0 =====+<code bash> 
 +kernel.unprivileged_userns_clone=0 
 +</code>
  
 User namespaces are a feature in the kernel which aim to improve sandboxing and make it easily accessible for unprivileged users. User namespaces are a feature in the kernel which aim to improve sandboxing and make it easily accessible for unprivileged users.
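Review bot: kernel.kexec_load_disabled=1 is a one-way switch: once written, the kernel refuses to set it back to 0 until the next boot, and the description should say so, because a reader testing the guide on a live machine will otherwise expect to undo it. Also, the new "triggered remotely" link replaced the original sentence's trailing period, so that bullet now ends without punctuation while the sibling bullets keep theirs.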
Line 131: Line 149:
 ---- ----
  
-===== kernel.perf_event_paranoid=3 =====+<code bash> 
 +kernel.perf_event_paranoid=3 
 +</code>
  
-Performance events add considerable kernel attack surface and have caused abundant vulnerabilities.+[[https://lore.kernel.org/kernel-hardening/1469630746-32279-1-git-send-email-jeffv@google.com/|Performance events add considerable kernel attack surface and have caused abundant vulnerabilities]].
  
 This sysctl restricts all usage of performance events to the CAP_PERFMON capability (CAP_SYS_ADMIN on kernel versions prior to 5.8). This sysctl restricts all usage of performance events to the CAP_PERFMON capability (CAP_SYS_ADMIN on kernel versions prior to 5.8).
Line 140: Line 160:
 **NOTE:**  This sysctl also requires a kernel patch that is only available on certain distributions. **NOTE:**  This sysctl also requires a kernel patch that is only available on certain distributions.
  
-  * Otherwise, this setting is equivalent to **kernel.perf_event_paranoid=2**, which only restricts a subset of this functionality. +  * Otherwise, this setting is equivalent to **[[https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html#unprivileged-users|kernel.perf_event_paranoid=2]]**, which only restricts a subset of this functionality. 
  
 </WRAP> </WRAP>
Line 148: Line 168:
 ====== Recommended sysctl settings to change for Networks ====== ====== Recommended sysctl settings to change for Networks ======
  
-===== net.ipv4.tcp_syncookies=1 =====+<code bash> 
 +net.ipv4.tcp_syncookies=1 
 +</code>
  
-This helps protect against SYN flood attacks, which are a form of denial-of-service attack, in which an attacker sends a large amount of bogus SYN requests in an attempt to consume enough resources to make the system unresponsive to legitimate traffic. +This helps protect against [[https://en.wikipedia.org/wiki/SYN_flood|SYN flood attacks]], which are a form of denial-of-service attack, in which an attacker sends a large amount of bogus SYN requests in an attempt to consume enough resources to make the system unresponsive to legitimate traffic. 
  
 ---- ----
  
-===== net.ipv4.tcp_rfc1337=1 =====+<code bash> 
 +net.ipv4.tcp_rfc1337=1 
 +</code>
  
-This protects against time-wait assassination by dropping RST packets for sockets in the time-wait state. +This protects against [[https://tools.ietf.org/html/rfc1337|time-wait assassination]] by dropping RST packets for sockets in the time-wait state. 
  
 ---- ----
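Review bot: the tcp_syncookies sentence should say when the mechanism actually engages, since the value matters: with the recommended 1, cookies are only sent once a listening socket's SYN backlog overflows, so normal connections are untouched, whereas 2 sends them unconditionally and drops the extended TCP options (SACK, window scaling) for every connection. One clause after "legitimate traffic" would cover it.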
Line 165: Line 189:
 </code> </code>
  
-These enable source validation of packets received from all interfaces of the machine. This protects against IP spoofing, in which an attacker sends a packet with a fraudulent IP address. +These enable source validation of packets received from all interfaces of the machine. 
 + 
 +  * This protects against [[https://en.wikipedia.org/wiki/IP_address_spoofing|IP spoofing]], in which an attacker sends a packet with a fraudulent IP address. 
 + 
 +---- 
 + 
 +<code bash> 
 +net.ipv4.conf.all.accept_redirects=0 
 +net.ipv4.conf.default.accept_redirects=0 
 +net.ipv4.conf.all.secure_redirects=0 
 +net.ipv4.conf.default.secure_redirects=0 
 +net.ipv6.conf.all.accept_redirects=0 
 +net.ipv6.conf.default.accept_redirects=0 
 +net.ipv4.conf.all.send_redirects=0 
 +net.ipv4.conf.default.send_redirects=0 
 +</code> 
 + 
 +These disable ICMP redirect acceptance and sending to prevent [[https://askubuntu.com/questions/118273/what-are-icmp-redirects-and-should-they-be-blocked|man-in-the-middle attacks]] and minimize information disclosure. 
 + 
 +---- 
 + 
 +<code bash> 
 +net.ipv4.icmp_echo_ignore_all=1 
 +</code> 
 + 
 +This setting makes your system ignore all ICMP requests to avoid Smurf attacks, make the device more difficult to enumerate on the network and prevent clock fingerprinting through ICMP timestamps.  
 + 
 +---- 
 + 
 +<code bash> 
 +net.ipv4.conf.all.accept_source_route=0 
 +net.ipv4.conf.default.accept_source_route=0 
 +net.ipv6.conf.all.accept_source_route=0 
 +net.ipv6.conf.default.accept_source_route=0 
 +</code> 
 + 
 +Source routing is a mechanism that allows users to redirect network traffic. 
 + 
 +  * As this can be used to perform man-in-the-middle attacks in which the traffic is redirected for nefarious purposes, the above settings disable this functionality.  
 + 
 +---- 
 + 
 +<code bash> 
 +net.ipv6.conf.all.accept_ra=0 
 +net.ipv6.conf.default.accept_ra=0 
 +</code> 
 + 
 +Malicious IPv6 router advertisements can result in a man-in-the-middle attack, so they should be disabled. 
 + 
 +---- 
 + 
 +<code bash> 
 +net.ipv4.tcp_sack=0 
 +net.ipv4.tcp_dsack=0 
 +net.ipv4.tcp_fack=0 
 +</code> 
 + 
 +This disables TCP SACK. 
 + 
 +  * SACK is commonly exploited and unnecessary in many circumstances, so it should be disabled if it is not required. 
 + 
 +---- 
 + 
 +====== Recommended sysctl settings to change for User Space ====== 
 + 
 +<code bash> 
 +kernel.yama.ptrace_scope=2 
 +</code> 
 + 
 +[[https://www.kernel.org/doc/html/latest/admin-guide/LSM/Yama.html|ptrace is a system call that allows a program to alter and inspect another running process]], which allows attackers to trivially modify the memory of other running programs. 
 + 
 +  * This restricts usage of ptrace to only processes with the CAP_SYS_PTRACE capability. 
 +  * Alternatively, set the sysctl to 3 to disable ptrace entirely.  
 + 
 +---- 
 + 
 +<code bash> 
 +vm.mmap_rnd_bits=32 
 +vm.mmap_rnd_compat_bits=16 
 +</code> 
 + 
 +[[https://en.wikipedia.org/wiki/Address_space_layout_randomization|ASLR]] is a common exploit mitigation which randomises the position of critical parts of a process in memory. This can make a wide variety of exploits harder to pull off, as they first require an information leak. The above settings increase the bits of entropy used for mmap ASLR, improving its effectiveness. 
 + 
 +The values of these sysctls must be set in relation to the CPU architecture. The above values are compatible with x86, but other architectures may differ.  
 + 
 +---- 
 + 
 +<code bash> 
 +fs.protected_symlinks=1 
 +fs.protected_hardlinks=1 
 +</code> 
 + 
 +This only permits symlinks to be followed when outside of a world-writable sticky directory, when the owner of the symlink and follower match or when the directory owner matches the symlink's owner. 
 + 
 +  * This also prevents hardlinks from being created by users that do not have read/write access to the source file. 
 +  * Both of these prevent many common [[https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use|TOCTOU races]]. 
 + 
 +---- 
 + 
 +<code bash> 
 +fs.protected_fifos=2 
 +fs.protected_regular=2 
 +</code> 
 + 
 +[[https://github.com/torvalds/linux/commit/30aba6656f61ed44cba445a3c0d38b296fa9e8f5|These prevent creating files in potentially attacker-controlled environments]], such as world-writable directories, to make data spoofing attacks more difficult. 
 + 
 +---- 
 + 
 + 
  
 ---- ----
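Review bot: the net.ipv4.icmp_echo_ignore_all paragraph claims the setting prevents "clock fingerprinting through ICMP timestamps", but this sysctl gates only the ICMP echo handler; timestamp requests (ICMP type 13) are handled by a separate path that this sysctl does not touch, so that clause should be dropped or reworded to say a firewall rule is needed for type 13. Three other points in this block: kernel.yama.ptrace_scope=3 is sticky (once written it cannot be lowered without a reboot), which the "Alternatively, set the sysctl to 3" bullet should warn about; disabling SACK with net.ipv4.tcp_sack=0 costs real throughput on lossy links, and "commonly exploited" deserves a reference like the other claims on the page; and vm.mmap_rnd_bits=32 is only valid on x86_64 (the 32-bit x86 maximum is 16), so "compatible with x86" should read "compatible with x86_64". Style: the added text ends with an empty line followed by a second "----" rule, leaving a doubled separator at the end of the section.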
linux_hardening_guide/sysctl.1748703240.txt.gz · Last modified: 2025/05/31 14:54 by peter
