|
2 | 2 | # Author: K4YT3X
|
3 | 3 | # Contributor: IceCodeNew
|
4 | 4 | # Contributor: HorlogeSkynet
|
| 5 | +# Contributor: shenzhui007 |
| 6 | +# Contributor: HorlogeSkynet |
5 | 7 | # Date Created: October 5, 2020
|
6 |
| -# Last Updated: October 15, 2021 |
| 8 | +# Last Updated: August 4, 2022 |
7 | 9 |
|
8 | 10 | # Licensed under the GNU General Public License Version 3 (GNU GPL v3),
|
9 | 11 | # available at: https://www.gnu.org/licenses/gpl-3.0.txt
|
10 |
| -# (C) 2020-2021 K4YT3X |
| 12 | +# (C) 2020-2022 K4YT3X |
11 | 13 |
|
12 | 14 | # Multiple sources have been consulted while writing this configuration
|
13 | 15 | # file (e.g., nixCraft's sysctl.conf). Sources are not cited since this
|
@@ -69,6 +71,9 @@ kernel.perf_event_paranoid = 3
|
69 | 71 | kernel.perf_cpu_time_max_percent = 1
|
70 | 72 | kernel.perf_event_max_sample_rate = 1
|
71 | 73 |
|
| 74 | +# prevent unprivileged attackers from loading vulnerable line disciplines with the TIOCSETD ioctl |
| 75 | +dev.tty.ldisc_autoload = 0 |
| 76 | + |
72 | 77 | ########## File System ##########
|
73 | 78 |
|
74 | 79 | # disallow core dumping by SUID/SGID programs
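Review bot: `dev.tty.ldisc_autoload` (new side 75) only exists on kernels 5.1 and later, and a plain `key = value` line makes sysctl report an error for an unknown key on older kernels; if this file is meant to be applied broadly, `-dev.tty.ldisc_autoload = 0` keeps the setting while ignoring that error. The comment above it should also state the operational cost a practitioner needs to know before enabling it: with autoload off, only a process holding CAP_SYS_MODULE can trigger loading of a line-discipline module, so unprivileged use of e.g. PPP or SLIP that relied on autoloading stops working. Suggested second comment line: `# kernel >= 5.1; afterwards only CAP_SYS_MODULE can trigger line-discipline module loading (unprivileged ppp/slip use may break)`.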
|
@@ -110,9 +115,13 @@ fs.inotify.max_user_watches = 524288
|
110 | 115 | # do not allow mmap in lower addresses
|
111 | 116 | vm.mmap_min_addr = 65536
|
112 | 117 |
|
113 |
| -# improve mmap ASLR effectness |
114 |
| -vm.mmap_rnd_bits=32 |
115 |
| -vm.mmap_rnd_compat_bits=16 |
| 118 | +# improve mmap ASLR effectiveness |
| 119 | +vm.mmap_rnd_bits = 32 |
| 120 | +vm.mmap_rnd_compat_bits = 16 |
| 121 | + |
| 122 | +# prevent unprivileged users from accessing userfaultfd |
| 123 | +# restricts syscall to the privileged users or the CAP_SYS_PTRACE capability |
| 124 | +vm.unprivileged_userfaultfd = 0 |
116 | 125 |
|
117 | 126 | ########## Networking ##########
|
118 | 127 |
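Review bot: The comment on new side 123 ("restricts syscall to the privileged users or the CAP_SYS_PTRACE capability") overstates what `vm.unprivileged_userfaultfd = 0` does on current kernels. That wording matches 5.2–5.10; since 5.11 a value of 0 still lets unprivileged users create a userfaultfd as long as they pass `UFFD_USER_MODE_ONLY`, and only handling of kernel-mode faults stays gated on CAP_SYS_PTRACE, which is the part that matters for the use-after-free race-widening technique this setting targets. Suggested replacement for that line: `# with 0, unprivileged users may only create userfaultfds with UFFD_USER_MODE_ONLY (kernel >= 5.11); kernel-mode fault handling needs CAP_SYS_PTRACE`. As with the other new keys, the sysctl appeared in 5.2, so a `-` prefix avoids an error on older kernels; `vm.mmap_rnd_bits = 32` is likewise the x86_64 maximum and the accepted range is architecture-dependent, so a short comment saying so would help anyone reusing this file on arm64.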
|
|