diff --git a/Recommended_Settings.md b/Recommended_Settings.md
index 5a515af..1a0a951 100644
--- a/Recommended_Settings.md
+++ b/Recommended_Settings.md
@@ -415,7 +415,6 @@ CONFIG_CPU_SW_DOMAIN_PAN=y
 # Dangerous; old interfaces and needless additional attack surface.
 # CONFIG_OABI_COMPAT is not set
 ```
-
 # kernel command line options
 ```
@@ -465,6 +464,30 @@ mitigations=auto,nosmt
 # Another way to enable KFENCE (see CONFIG_KFENCE_SAMPLE_INTERVAL).
 kfence.sample_interval=100
+
+# Kernel features that allow userland to modify the running kernel and to extract confidential information from It are disabled. This disables hibernation.
+lockdown=confidentiality
+
+# Enable Spectre v2 mitigations to protect against speculative execution attacks.
+spectre_v2=on
+
+# Enable Spectre BHI mitigations to protect against Branch History Injection attacks.
+spectre_bhi=on
+
+# Disable Speculative Store Bypass to mitigate speculative execution vulnerabilities.
+spec_store_bypass_disable=on
+
+# Enable KVM huge page NX bit enforcement for stronger memory protections.
+kvm.nx_huge_pages=force
+
+# Disable debug filesystem to reduce kernel attack surface.
+debugfs=off
+
+# Set kernel log level to 0 to prevent information leaks via console output.
+loglevel=0
+
+# Disable early PCI DMA in EFI to prevent unauthorized DMA access before IOMMU setup.
+efi=disable_early_pci_dma
 ```
 ## x86_64
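Review bot: The comment above `lockdown=confidentiality` understates what the option does: confidentiality mode includes everything integrity mode blocks, so besides hibernation it refuses unsigned module loading, /dev/mem and /dev/port access, kexec of unsigned images, and the BPF, perf and kprobe uses that read kernel memory, and a reader adopting it should see that cost up front. I would reword it to `# Lock down the kernel: blocks unsigned modules, /dev/mem, kexec of unsigned images, hibernation and BPF/perf reads of kernel memory (confidentiality implies integrity).` The same line has "from It" for "from it". The `loglevel=0` comment could also say that this only silences the console; the messages remain in the ring buffer, so it relies on `kernel.dmesg_restrict` (added in the sysctl hunk below) to keep them from unprivileged users.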
@@ -479,8 +502,25 @@ vdso32=0
 # Disable FineIBT since it is weaker than pure KCFI.
 cfi=kcfi
-```
+# Disable 32-bit emulation to reduce syscall attack surface.
+ia32_emulation=0
+
+# Disable Transactional Synchronization Extensions to mitigate associated vulnerabilities.
+tsx=off
+
+# Enable L1 Data Cache flushing to mitigate L1 Terminal Fault (L1TF) vulnerabilities.
+l1d_flush=on
+
+# Mitigate speculative return stack overflow with safe return handling.
+spec_rstack_overflow=safe-ret
+
+# Force Gather Data Sampling (GDS) mitigations to protect against data sampling attacks.
+gather_data_sampling=force
+
+# Enable Register File Data Sampling (RFDS) mitigations to protect against data sampling attacks.
+reg_file_data_sampling=on
+```
 # sysctls
 ```
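Review bot: `gather_data_sampling=force` is stronger than its comment suggests: on affected Intel CPUs without the microcode fix, force makes the kernel disable AVX altogether, which is a real functional cost and belongs next to the value. Suggested comment: `# Force the GDS mitigation; on CPUs without the microcode fix this disables AVX entirely.` Two smaller points: `# Disable 32-bit emulation…` follows `cfi=kcfi` directly, breaking the one-blank-line-between-entries layout used everywhere else, and `ia32_emulation=0` is only honoured by recent kernels built with CONFIG_IA32_EMULATION, which the comment should mention so older kernels that ignore it are not assumed to be protected.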
@@ -543,4 +583,95 @@ fs.protected_regular = 2
 # Make sure the default process dumpability is set (processes that changed privileges aren't dumpable).
 fs.suid_dumpable = 0
+
+# Disable io_uring to prevent potential exploitation of its complex functionality.
+kernel.io_uring_disabled = 2
+
+# Improve ALSR effectiveness for mmap.
+vm.mmap_rnd_bits = 32
+vm.mmap_rnd_compat_bits = 16
+
+# Disable core dumps
+kernel.core_pattern = |/bin/false
+
+# Configures the kernel to prefer keeping memory in RAM over swapping to disk. Reduces the attack surface minimizing disk I/O, which could be exploited to leak sensitive data.
+vm.swappiness=1
+
+# Enable TCP SYN cookies to mitigate SYN flood attacks by avoiding resource exhaustion.
+net.ipv4.tcp_syncookies=1
+
+# Enable TCP time-wait assassination protections as per RFC 1337 to reduce risks from stale connections.
+net.ipv4.tcp_rfc1337=1
+
+# Ignore ICMP broadcast echo requests to prevent amplification attacks.
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+
+# Ignore bogus ICMP error responses to prevent potential exploitation via crafted packets.
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+
+# Ignore all ICMP echo requests on IPv4 to reduce exposure to network probing.
+net.ipv4.icmp_echo_ignore_all=1
+
+# Ignore all ICMP echo requests on IPv6 to reduce exposure to network probing.
+net.ipv6.icmp.echo_ignore_all=1
+
+# Disable TCP timestamps to prevent information leaks that could aid in network reconnaissance.
+net.ipv4.tcp_timestamps=0
+
+# Enable IP spoofing protection, turn on source route verification
+net.ipv4.conf.all.rp_filter = 1
+net.ipv4.conf.default.rp_filter = 1
+
+# Disable ICMP Redirect Acceptance
+net.ipv4.conf.*.send_redirects = 0
+net.ipv4.conf.*.accept_redirects = 0
+net.ipv6.conf.*.accept_redirects = 0
+
+# Disable source routing for IPv4 and IPv6 to prevent packet routing attacks.
+net.ipv4.conf.*.accept_source_route = 0
+net.ipv6.conf.*.accept_source_route = 0
+
+# Enable ipv6 privacy extension
+net.ipv6.conf.all.use_tempaddr=2
+net.ipv6.conf.default.use_tempaddr=2
+
+# Avoid kernel memory address exposures via dmesg (this value can also be set by CONFIG_SECURITY_DMESG_RESTRICT).
+kernel.dmesg_restrict = 1
+
+# Disable the binary format miscellaneous interface to prevent loading of untrusted binary formats.
+fs.binfmt_misc.status = 0
+
+# Disable POSIX corner cases with creating regular files unless the directory owner matches. Check your workloads!
+fs.protected_regular = 2
+
+# Disable POSIX corner cases with creating fifos unless the directory owner matches. Check your workloads!
+fs.protected_fifos = 2
+
+# Prevent kernel info leaks in console during boot
+kernel.scan = 3 3 3 3
+
+# Disables kexec which can be used to replace the running kernel.
+kernel.kexec_load_disabled = 1
+
+# Allows reuse of TIME_WAIT sockets for new outgoing connections, reducing resource exhaustion from DoS attacks
+net.ipv4.tcp_tw_reuse=1
+
+# Limits orphaned TCP sockets to prevent memory exhaustion from unattached sockets
+net.ipv4.tcp_max_orphans=16384
+net.ipv4.tcp_orphan_retries=0
+
+# Disables bootp relay to prevent the system from acting as a BOOTP relay agent.
+net.ipv4.conf.all.bootp_relay=0
+
+# Disables IPv4 forwarding, preventing the system from routing packets between interfaces.
+net.ipv4.conf.all.forwarding=0
+
+# Disables proxy ARP, preventing the system from responding to ARP requests on behalf of other hosts.
+net.ipv4.conf.all.proxy_arp=0
+
+# Limits the number of orphaned TCP sockets to prevent memory exhaustion from unattached sockets.
+net.ipv4.tcp_max_orphans=16384
+
+# Immediately closes orphaned sockets.
+net.ipv4.tcp_orphan_retries=0
 ```
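Review bot: `kernel.scan = 3 3 3 3` is not a sysctl key; the one that takes four log levels and matches the comment above it is `kernel.printk`, so the line should read `kernel.printk = 3 3 3 3`. The hunk also adds `net.ipv4.tcp_max_orphans=16384` and `net.ipv4.tcp_orphan_retries=0` twice and re-adds `fs.protected_regular = 2`, which already exists just above the hunk (it is the hunk header's context line); a strict loader rejects duplicate keys and others let the last value win silently, so keep one copy of each. The comment `# Immediately closes orphaned sockets.` is misleading as well: from the kernel's tcp_orphan_retries() handling as I read it, a value of 0 falls back to the default retry count while the peer is still reachable, so either drop the line or describe its real effect. Smaller points: "ALSR" should be "ASLR", the hunk mixes `key = value` with `key=value` spacing, and the `net.ipv4.conf.*.` glob keys only work with a sysctl loader that supports patterns (systemd-sysctl does), which the section should state.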