file directory location fix
This commit is contained in:
mustard
parent
7bac3636b1
commit
b9d10d2258
5 changed files with 0 additions and 0 deletions
|
|
@ -0,0 +1,114 @@
|
|||
# unused network protocols
|
||||
install dccp /bin/false
|
||||
install sctp /bin/false
|
||||
install rds /bin/false
|
||||
install tipc /bin/false
|
||||
install n-hdlc /bin/false
|
||||
install ax25 /bin/false
|
||||
install netrom /bin/false
|
||||
install x25 /bin/false
|
||||
install rose /bin/false
|
||||
install decnet /bin/false
|
||||
install econet /bin/false
|
||||
install af_802154 /bin/false
|
||||
install ipx /bin/false
|
||||
install appletalk /bin/false
|
||||
install psnap /bin/false
|
||||
install p8023 /bin/false
|
||||
install p8022 /bin/false
|
||||
install can /bin/false
|
||||
install atm /bin/false
|
||||
|
||||
# firewire and thunderbolt
|
||||
install firewire-core /bin/false
|
||||
install firewire_core /bin/false
|
||||
install firewire-ohci /bin/false
|
||||
install firewire_ohci /bin/false
|
||||
install firewire_sbp2 /bin/false
|
||||
install firewire-sbp2 /bin/false
|
||||
install firewire-net /bin/false
|
||||
install thunderbolt /bin/false
|
||||
install ohci1394 /bin/false
|
||||
install sbp2 /bin/false
|
||||
install dv1394 /bin/false
|
||||
install raw1394 /bin/false
|
||||
install video1394 /bin/false
|
||||
|
||||
# unused filesystems
|
||||
install cramfs /bin/false
|
||||
install freevxfs /bin/false
|
||||
install jffs2 /bin/false
|
||||
install hfs /bin/false
|
||||
install hfsplus /bin/false
|
||||
install squashfs /bin/false
|
||||
install udf /bin/false
|
||||
install cifs /bin/false
|
||||
install nfs /bin/false
|
||||
install nfsv3 /bin/false
|
||||
install nfsv4 /bin/false
|
||||
install ksmbd /bin/false
|
||||
install gfs2 /bin/false
|
||||
install reiserfs /bin/false
|
||||
install kafs /bin/false
|
||||
install orangefs /bin/false
|
||||
install 9p /bin/false
|
||||
install adfs /bin/false
|
||||
install affs /bin/false
|
||||
install afs /bin/false
|
||||
install befs /bin/false
|
||||
install ceph /bin/false
|
||||
install coda /bin/false
|
||||
install ecryptfs /bin/false
|
||||
install erofs /bin/false
|
||||
install jfs /bin/false
|
||||
install minix /bin/false
|
||||
install netfs /bin/false
|
||||
install nilfs2 /bin/false
|
||||
install ocfs2 /bin/false
|
||||
install romfs /bin/false
|
||||
install ubifs /bin/false
|
||||
install zonefs /bin/false
|
||||
install sysv /bin/false
|
||||
install ufs /bin/false
|
||||
|
||||
# disable vivid
|
||||
install vivid /bin/false
|
||||
|
||||
# disable GNSS
|
||||
install gnss /bin/false
|
||||
install gnss-mtk /bin/false
|
||||
install gnss-serial /bin/false
|
||||
install gnss-sirf /bin/false
|
||||
install gnss-usb /bin/false
|
||||
install gnss-ubx /bin/false
|
||||
|
||||
# https://en.wikipedia.org/wiki/Bluetooth#History_of_security_concerns
|
||||
install bluetooth /bin/false
|
||||
install btusb /bin/false
|
||||
|
||||
# blacklist ath_pci
|
||||
blacklist ath_pci
|
||||
|
||||
# blacklist cdrom
|
||||
blacklist cdrom
|
||||
blacklist sr_mod
|
||||
|
||||
# blacklist framebuffer drivers
|
||||
# source, ubuntu: https://git.launchpad.net/ubuntu/+source/kmod/tree/debian/modprobe.d/blacklist-framebuffer.conf
|
||||
blacklist cyber2000fb
|
||||
blacklist cyblafb
|
||||
blacklist gx1fb
|
||||
blacklist hgafb
|
||||
blacklist kyrofb
|
||||
blacklist lxfb
|
||||
blacklist matroxfb_base
|
||||
blacklist neofb
|
||||
blacklist nvidiafb
|
||||
blacklist pm2fb
|
||||
blacklist s1d13xxxfb
|
||||
blacklist sisfb
|
||||
blacklist tdfxfb
|
||||
blacklist vesafb
|
||||
blacklist vfb
|
||||
blacklist vt8623fb
|
||||
blacklist udlfb
|
||||
|
|
@ -0,0 +1,2 @@
|
|||
GSSAPIAuthentication no
|
||||
VerifyHostKeyDNS yes
|
||||
|
|
@ -0,0 +1,119 @@
|
|||
|
||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
|
||||
dev.tty.ldisc_autoload = 0
|
||||
|
||||
# https://access.redhat.com/solutions/1985633
|
||||
# Seems dangerous.
|
||||
# Roseta need this though, so if you use it change it to 1.
|
||||
fs.binfmt_misc.status = 0
|
||||
|
||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace
|
||||
# Enable fs.protected sysctls.
|
||||
fs.protected_regular = 2
|
||||
fs.protected_fifos = 2
|
||||
fs.protected_symlinks = 1
|
||||
fs.protected_hardlinks = 1
|
||||
|
||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps
|
||||
# Disable coredumps.
|
||||
# For additional safety, disable coredumps using ulimit and systemd too.
|
||||
kernel.core_pattern=|/bin/false
|
||||
fs.suid_dumpable = 0
|
||||
|
||||
# Restrict dmesg to CAP_SYS_LOG.
|
||||
# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
|
||||
kernel.dmesg_restrict = 1
|
||||
|
||||
# https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
|
||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
|
||||
# https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
|
||||
# Restrict access to /proc.
|
||||
kernel.kptr_restrict = 2
|
||||
|
||||
# Not needed, I don't do livepatching and reboot regularly.
|
||||
# On a workstation, this shouldn't be used at all. Don't live patch, just reboot.
|
||||
kernel.kexec_load_disabled = 1
|
||||
|
||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
|
||||
# Basically, restrict eBPF to CAP_BPF.
|
||||
kernel.unprivileged_bpf_disabled = 1
|
||||
net.core.bpf_jit_harden = 2
|
||||
|
||||
# Needed for Flatpak and Bubblewrap.
|
||||
kernel.unprivileged_userns_clone = 1
|
||||
|
||||
# Disable ptrace. Not needed on workstations.
|
||||
kernel.yama.ptrace_scope = 3
|
||||
|
||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
|
||||
# Restrict performance events from unprivileged users as much as possible.
|
||||
# We are using 4 here, since Ubuntu supports such a level.
|
||||
# Official Linux kernel documentation only says >= so it probably will work.
|
||||
kernel.perf_event_paranoid = 4
|
||||
|
||||
# Disable io_uring
|
||||
# https://docs.kernel.org/admin-guide/sysctl/kernel.html#io-uring-disabled
|
||||
# https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html
|
||||
# Note that this will make using Proxmox extremely annoying though, so you might wanna comment this out
|
||||
# on a Proxmox node.
|
||||
kernel.io_uring_disabled = 2
|
||||
|
||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
|
||||
# Disable sysrq.
|
||||
kernel.sysrq = 0
|
||||
|
||||
# https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2020-09-03/finding/V-217911
|
||||
# Not running a router here, so no redirects.
|
||||
net.ipv4.conf.*.send_redirects = 0
|
||||
net.ipv4.conf.*.accept_redirects = 0
|
||||
net.ipv6.conf.*.accept_redirects = 0
|
||||
|
||||
# Check if the source of the IP address is reachable through the same interface it came in
|
||||
# Basic IP spoofing mitigation.
|
||||
net.ipv4.conf.*.rp_filter = 1
|
||||
|
||||
# Do not respond to ICMP.
|
||||
net.ipv4.icmp_echo_ignore_all = 1
|
||||
net.ipv6.icmp.echo_ignore_all = 1
|
||||
|
||||
# Ignore Bogus ICMP responses.
|
||||
net.ipv4.icmp_ignore_bogus_error_responses = 1
|
||||
|
||||
# Enable IP Forwarding.
|
||||
# Needed for VM networking and whatnot.
|
||||
net.ipv4.ip_forward = 1
|
||||
net.ipv6.conf.all.forwarding = 1
|
||||
|
||||
# https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2016-06-05/finding/V-38537
|
||||
# Ignore bogus icmp response.
|
||||
net.ipv4.icmp_ignore_bogus_error_responses = 1
|
||||
|
||||
# Protection against time-wait assasination attacks.
|
||||
net.ipv4.tcp_rfc1337 = 1
|
||||
|
||||
# Enable SYN cookies.
|
||||
# Basic SYN flood mitigation.
|
||||
net.ipv4.tcp_syncookies = 1
|
||||
|
||||
# https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
|
||||
# Make sure TCP timestamp is enabled.
|
||||
net.ipv4.tcp_timestamps = 1
|
||||
|
||||
# https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
|
||||
# Disable TCP SACK.
|
||||
# We have good networking :)
|
||||
net.ipv4.tcp_sack = 0
|
||||
|
||||
# No SACK, therefore no Duplicated SACK.
|
||||
net.ipv4.tcp_dsack = 0
|
||||
|
||||
# Improve ALSR effectiveness for mmap.
|
||||
vm.mmap_rnd_bits = 32
|
||||
vm.mmap_rnd_compat_bits = 16
|
||||
|
||||
# https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
|
||||
# Restrict userfaultfd to CAP_SYS_PTRACE.
|
||||
# https://bugs.archlinux.org/task/62780
|
||||
# Interestingly enough, Arch does not even have userfaultfd in their kernel, so it is
|
||||
# probably not used in the real world at all.
|
||||
vm.unprivileged_userfaultfd = 0
|
||||
|
|
@ -0,0 +1,28 @@
|
|||
[Service]
|
||||
# Hardening
|
||||
CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT
|
||||
LockPersonality=true
|
||||
MemoryDenyWriteExecute=true
|
||||
#PrivateDevices=true #breaks tun usage
|
||||
#ProtectProc=invisible
|
||||
PrivateTmp=yes
|
||||
ProtectClock=true
|
||||
ProtectControlGroups=true
|
||||
ProtectHome=read-only
|
||||
ProtectKernelLogs=true
|
||||
#ProtectKernelModules=true
|
||||
#ProtectSystem=strict
|
||||
#ReadOnlyPaths=/etc/NetworkManager
|
||||
ReadOnlyPaths=-/home
|
||||
#ReadWritePaths=-/etc/NetworkManager/system-connections
|
||||
ReadWritePaths=-/etc/sysconfig/network-scripts
|
||||
ReadWritePaths=/var/lib/NetworkManager
|
||||
ReadWritePaths=-/var/run/NetworkManager
|
||||
ReadWritePaths=-/run/NetworkManager
|
||||
RemoveIPC=true
|
||||
RestrictNamespaces=true
|
||||
RestrictRealtime=true
|
||||
RestrictSUIDSGID=true
|
||||
SystemCallArchitectures=native
|
||||
SystemCallFilter=@system-service
|
||||
UMask=0077
|
||||
|
|
@ -0,0 +1,2 @@
|
|||
[preferred]
|
||||
default=gtk;
|
||||
Loading…
Add table
Add a link
Reference in a new issue