A few corrections
This commit is contained in:
parent
e8b4e853bc
commit
560497604a
1 changed files with 6 additions and 3 deletions
|
@ -36,7 +36,7 @@ You can check the status of apparmor using `apparmor-utils`:
|
||||||
There are a lot of kernel settings which can be passed to the command line to make a system more secure. [Madaidans-insecurities page](https://madaidans-insecurities.github.io/guides/linux-hardening.html#kernel) describes each of their function and how they improve security of the system so lets add them to `/etc/kernel-hooks/secureboot.conf`:
|
There are a lot of kernel settings which can be passed to the command line to make a system more secure. [Madaidans-insecurities page](https://madaidans-insecurities.github.io/guides/linux-hardening.html#kernel) describes each of their function and how they improve security of the system so lets add them to `/etc/kernel-hooks/secureboot.conf`:
|
||||||
|
|
||||||
```
|
```
|
||||||
cmdline="... slab_nomerge init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on randomize_kstack_offset=on vsyscall=none debugfs=off module.sig_enforce=1 lockdown=confidentiality mce=0 loglevel=0 iommu=force spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full mds=full l1ft=flush"
|
cmdline="... slab_nomerge init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on randomize_kstack_offset=on vsyscall=none debugfs=off module.sig_enforce=1 lockdown=confidentiality mce=0 loglevel=0 iommu=force spectre_v2=on spec_store_bypass_disable=on tsx=off tsx_async_abort=full mds=full l1ft=flush ipv6.disable=1"
|
||||||
```
|
```
|
||||||
|
|
||||||
After reconfiguring `kernel-hooks` try to reboot and it should boot. Although there are more options that might make the system more secure, these come with a big performance hit most of the time so these settings should do for now.
|
After reconfiguring `kernel-hooks` try to reboot and it should boot. Although there are more options that might make the system more secure, these come with a big performance hit most of the time so these settings should do for now.
|
||||||
|
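Review bot: the `l1ft=flush` token on the `cmdline=` line is misspelled in both the old and the new version of the line; the kernel parameter for the L1 Terminal Fault mitigation is `l1tf=flush`, so as written the setting is ignored by the kernel and reported as an unknown parameter at boot. Fix the spelling in this same line while adding `ipv6.disable=1`. Separately, `ipv6.disable=1` is a functional change rather than a hardening knob: it removes IPv6 from the system entirely and breaks connectivity on IPv6-only or dual-stack networks, so the paragraph ending "these settings should do for now" should say that this one is optional and what it costs, or the option should be dropped in favour of IPv6-specific sysctls in the sysctl section below.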
@ -55,7 +55,6 @@ kernel.printk=3 3 3 3
|
||||||
kernel.unprivileged_bpf_disabled=1
|
kernel.unprivileged_bpf_disabled=1
|
||||||
net.core.bpf_jit_harden=2
|
net.core.bpf_jit_harden=2
|
||||||
dev.tty.ldisc_autoload=0
|
dev.tty.ldisc_autoload=0
|
||||||
vm.unprivileged_userfaultfd=0
|
|
||||||
kernel.kexec_load_disabled=1
|
kernel.kexec_load_disabled=1
|
||||||
kernel.sysrq=0
|
kernel.sysrq=0
|
||||||
kernel.perf_event_paranoid=3
|
kernel.perf_event_paranoid=3
|
||||||
|
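Review bot: dropping `vm.unprivileged_userfaultfd=0` is not explained anywhere in this change. That sysctl keeps unprivileged processes from creating userfaultfd objects, which are a standard tool for widening race windows in kernel exploits, so removing it weakens the list. If it was removed because a program on the system needs userfaultfd or because the running kernel does not expose the key, say so in a comment next to the surrounding `kernel.*` lines (or keep the line and note that it needs a kernel that has the sysctl) rather than silently deleting it.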
@ -84,7 +83,7 @@ net.ipv4.tcp_sack=0
|
||||||
net.ipv4.tcp_dsack=0
|
net.ipv4.tcp_dsack=0
|
||||||
net.ipv4.tcp_fack=0
|
net.ipv4.tcp_fack=0
|
||||||
|
|
||||||
# User space
|
## User space
|
||||||
kernel.yama.ptrace_scope=2
|
kernel.yama.ptrace_scope=2
|
||||||
vm.mmap_rnd_bits=32
|
vm.mmap_rnd_bits=32
|
||||||
vm.mmap_rnd_compat_bits=16
|
vm.mmap_rnd_compat_bits=16
|
||||||
|
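Review bot: changing `# User space` to `## User space` has no effect on sysctl, which treats any line starting with `#` as a comment, so this is purely a readability change inside the fenced config; make sure the other section comments in the same file follow the same `##` convention so the file stays consistent. While touching this section it is worth a comment that `vm.mmap_rnd_bits=32` and `vm.mmap_rnd_compat_bits=16` are the x86_64 ceilings and the valid range is architecture-dependent (sysctl rejects values outside the range the kernel was built with), and that `kernel.yama.ptrace_scope=2` blocks ptrace for everyone without CAP_SYS_PTRACE, which stops normal users from attaching gdb or strace to their own processes.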
@ -92,6 +91,10 @@ fs.protected_symlinks=1
|
||||||
fs.protected_hardlinks=1
|
fs.protected_hardlinks=1
|
||||||
fs.protected_fifos=2
|
fs.protected_fifos=2
|
||||||
fs.protected_regular=2
|
fs.protected_regular=2
|
||||||
|
|
||||||
|
## For hardened_malloc
|
||||||
|
vm.max_map_count=1048576
|
||||||
|
|
||||||
```
|
```
|
||||||
|
|
||||||
This list is still incomplete.
|
This list is still incomplete.
|
||||||
|
|
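Review bot: the new `## For hardened_malloc` block adds `vm.max_map_count=1048576`, which is the value hardened_malloc's README recommends, but nothing on this page says hardened_malloc is installed or preloaded; state that the setting is only needed when hardened_malloc is used system-wide (it creates far more mappings than glibc's allocator) and is otherwise harmless but unexplained. Also, the added blank lines leave a double blank before the closing fence; one is enough.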