# Avoid swap / disk write and bomb all data in RAM. This is what Whonix and Tails do.
vm.swappiness=1
vm.vfs_cache_pressure=0
vm.dirty_background_ratio=100
vm.dirty_ratio=100

# Increase mmap ASLR randomization to the maximum supported value.
vm.mmap_rnd_bits=32
vm.mmap_rnd_compat_bits=16

# The following two sysctls help mitigate TOCTOU vulnerabilities by preventing users from creating symbolic or hard links to files they do not own or have read/write access to.
fs.protected_fifos=2
fs.protected_regular=2

# Hide exposed kernel pointers, specifically via /proc interfaces. Exposing these pointers provides an easy target for kernel write vulnerabilities.
kernel.kptr_restrict=2

# Prevents unprivileged users from reading the syslog.
kernel.dmesg_restrict=1

# Enable the ptrace scope restriction provided by the Yama LSM. When you update your system, you need to lower the value to 1.
kernel.yama.ptrace_scope=1

# This restricts loading TTY line disciplines to the CAP_SYS_MODULE capability to prevent unprivileged attackers from loading vulnerable line disciplines with the TIOCSETD ioctl, which has been abused in a number of exploits before.
dev.tty.ldisc_autoload=0

# Userfaultfd can be misused to make it easier to exploit existing use-after-free (and similar) bugs that might otherwise only make a short window or race condition available.
vm.unprivileged_userfaultfd=0

# kexec is a system call that is used to boot another kernel during runtime. This functionality can be abused to load a malicious kernel and gain arbitrary code execution in kernel mode, so this sysctl disables it.
kernel.kexec_load_disabled=1

# The SysRq key exposes a lot of potentially dangerous debugging functionality to unprivileged users. Contrary to common assumptions, SysRq is not only an issue for physical attacks as it can also be triggered remotely.
kernel.sysrq=0

# So the idea is, if there are core dumps and a regular user can read them, they might find out privileged information.
# If the program is dumped while it had privileged information in memory, and the user can read the dump, they might find out that privileged information.
fs.suid_dumpable=0
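A baseline like the one above is only useful if you can confirm it is actually in effect after a reboot, a kernel upgrade or a distribution update that ships its own sysctl drop-ins. The following audit script is an added example, not part of the original post: it parses the posted key=value list (the values are the post's own), maps each key to its /proc/sys path the way sysctl(8) does, and reports every setting that differs from the baseline or whose key is absent (for instance kernel.yama.ptrace_scope when the Yama LSM is not enabled). The `read_live_value` reader and the `audit` function names are this example's own choices, and the sample "live" values in the usage section are constructed for an offline run.

```python
"""Audit running kernel sysctl values against a hardening baseline."""
import os
from collections import namedtuple

# Hardening baseline exactly as posted above (comments stripped).
BASELINE = """
vm.swappiness=1
vm.vfs_cache_pressure=0
vm.dirty_background_ratio=100
vm.dirty_ratio=100
vm.mmap_rnd_bits=32
vm.mmap_rnd_compat_bits=16
fs.protected_fifos=2
fs.protected_regular=2
kernel.kptr_restrict=2
kernel.dmesg_restrict=1
kernel.yama.ptrace_scope=1
dev.tty.ldisc_autoload=0
vm.unprivileged_userfaultfd=0
kernel.kexec_load_disabled=1
kernel.sysrq=0
fs.suid_dumpable=0
"""

Finding = namedtuple("Finding", "key expected actual ok")


def parse_sysctl_conf(text):
    """Parse sysctl.conf syntax: '#' and ';' comments, blank lines, 'key = value'."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if "=" not in line:
            raise ValueError("malformed sysctl line: %r" % raw)
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def proc_path(key):
    """Map a sysctl key to its /proc/sys entry.

    Like sysctl(8), a key written with '/' separators is taken literally, so
    keys whose last component itself contains a dot (e.g. a VLAN interface
    such as net.ipv4.conf.eth0/0.1.rp_filter) can be expressed unambiguously.
    """
    if "/" in key:
        return "/proc/sys/" + key
    return "/proc/sys/" + key.replace(".", "/")


def read_live_value(key):
    """Return the current kernel value for key, or None if the key is absent."""
    path = proc_path(key)
    if not os.path.exists(path):
        return None
    with open(path) as fh:
        return fh.read()


def _normalize(value):
    # /proc/sys entries may hold several whitespace-separated fields and a
    # trailing newline; compare on the canonical single-spaced form.
    return " ".join(str(value).split())


def audit(baseline, reader=read_live_value):
    """Compare each baseline key with the live value returned by reader(key)."""
    findings = []
    for key, expected in baseline.items():
        actual = reader(key)
        ok = actual is not None and _normalize(actual) == _normalize(expected)
        findings.append(Finding(key, expected, None if actual is None else _normalize(actual), ok))
    return findings


def report(findings):
    """Human-readable summary; returns the number of failing keys."""
    bad = [f for f in findings if not f.ok]
    for f in bad:
        state = "MISSING" if f.actual is None else "got %s" % f.actual
        print("FAIL %-32s expected %-4s %s" % (f.key, f.expected, state))
    print("%d of %d settings match the baseline" % (len(findings) - len(bad), len(findings)))
    return len(bad)


if __name__ == "__main__":
    # Constructed sample run: pretend the kernel still has SysRq on and no Yama.
    sample_live = dict(parse_sysctl_conf(BASELINE))
    sample_live["kernel.sysrq"] = "1"
    del sample_live["kernel.yama.ptrace_scope"]
    report(audit(parse_sysctl_conf(BASELINE), reader=sample_live.get))
    # On a real host drop the reader argument to read /proc/sys directly:
    #   report(audit(parse_sysctl_conf(BASELINE)))
```

Run it as root or as an unprivileged user; /proc/sys is world-readable for these keys, so the audit does not need privileges, only changing the values does. A non-zero return from `report` is a convenient exit status for a boot-time or cron check.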