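# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-05-05; WEIDNER, Marc S.;
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.live.builder.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.;
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.live.builder
# SPDX-Security-Contact: security@coresecret.eu
# Version Master V8.13.256.2025.10.21
### https://docs.kernel.org/
### https://github.com/a13xp0p0v/kernel-hardening-checker/
### https://kspp.github.io/
### https://linux-audit.com/tags/kernel/
###########################################################################################
# Warning
# Be careful not to lock yourself out of your system after a reboot due to incorrect
# settings. For example, 'kernel.modules_disabled=1' will generally prevent the network
# stack from being brought up after a reboot, which means NO SSH.
#
# Several keys in this file are one-way switches that cannot be reverted until the next
# reboot: kernel.modules_disabled, kernel.unprivileged_bpf_disabled=1,
# kernel.kexec_load_disabled and kernel.yama.ptrace_scope=3. Test on a disposable system.
#
# Format: sysctl.conf(5). One 'key=value' per line, '#' starts a full-line comment; keys are
# applied in file order. A key the running kernel does not provide (Debian-specific keys,
# or keys newer than the kernel) is reported as unknown and skipped; the remaining keys are
# still applied.
###########################################################################################

##### Linux Kernel #####

### Disable loading new modules. Be careful with using this option!
### One-way: cannot be set back to 0 until reboot. Every module the system needs (network
### drivers, filesystems, netfilter, ...) must already be loaded when this file is applied.
kernel.modules_disabled=1

### Restrict access to kernel pointers (2: %pK pointers are hidden from everyone).
kernel.kptr_restrict=2

### Restrict access to the kernel log (1: dmesg requires CAP_SYSLOG).
kernel.dmesg_restrict=1

###########################################################################################
# Despite the value of dmesg_restrict, the kernel log will still be displayed in the
# console during boot.
# This option prevents those information leaks: with console_loglevel=3 only messages of
# severity KERN_ERR and above reach the console.
###########################################################################################
kernel.printk=3 3 3 3

### Restrict eBPF to the CAP_BPF capability.
### 1 is one-way (cannot be reverted until reboot); 2 has the same effect but can be set
### back to 0 at runtime.
kernel.unprivileged_bpf_disabled=1

### Harden the BPF JIT (2: constant blinding for all users, privileged ones included).
net.core.bpf_jit_harden=2

### Restrict loading TTY line disciplines to the CAP_SYS_MODULE capability.
dev.tty.ldisc_autoload=0

###########################################################################################
# The userfaultfd() syscall is often abused to exploit use-after-free flaws.
# This sysctl is used to restrict this syscall to the CAP_SYS_PTRACE capability.
###########################################################################################
vm.unprivileged_userfaultfd=0

###########################################################################################
# kexec is a system call that is used to boot another kernel during runtime.
# This functionality can be abused to load a malicious kernel and gain arbitrary code
# execution in kernel mode, so this sysctl disables it.
# One-way: once set to 1 it cannot be cleared until reboot.
###########################################################################################
kernel.kexec_load_disabled=1

###########################################################################################
# Prevents unprivileged users from creating their own user namespaces, potentially
# enabling exploits. This is a good additional safeguard.
# NOTE: this key is provided by the Debian/Ubuntu kernel patch set, not by mainline; on a
# mainline kernel it is reported as unknown. The mainline alternative is
# user.max_user_namespaces (see below).
###########################################################################################
kernel.unprivileged_userns_clone=0

###########################################################################################
# The SysRq key exposes a lot of potentially dangerous debugging functionality to
# unprivileged users. You can set the value to 0 to disable SysRq completely.
###########################################################################################
kernel.sysrq=0

### Randomize memory space (2: stack, mmap base, VDSO and brk).
kernel.randomize_va_space=2

###########################################################################################
# These prevent creating files in potentially attacker-controlled environments, such as
# world-writable directories (2: also covers group-writable sticky directories).
###########################################################################################
fs.protected_fifos=2
fs.protected_regular=2

###########################################################################################
# This only permits symlinks to be followed when outside a world-writable sticky directory,
# when the owner of the symlink and follower match or when the directory owner matches the
# symlink's owner.
###########################################################################################
fs.protected_symlinks=1
fs.protected_hardlinks=1

###########################################################################################
# ptrace is a system call that allows a program to alter and inspect another running
# process, which allows attackers to trivially modify the memory of other running programs.
#
# 0 - classic ptrace permissions:
#     a process can PTRACE_ATTACH to any other process running under the same uid,
#     as long as it is dumpable (i.e., did not transition uids,
#     start privileged, or have called prctl(PR_SET_DUMPABLE...) already).
#     Similarly, PTRACE_TRACEME is unchanged.
#
# 1 - restricted ptrace:
#     a process must have a predefined relationship with the inferior it wants to call
#     PTRACE_ATTACH on. By default, this relationship is that of only its descendants when
#     the above classic criteria is also met. To change the relationship, an inferior can
#     call prctl(PR_SET_PTRACER, debugger, ...) to declare an allowed debugger PID to call
#     PTRACE_ATTACH on the inferior. Using PTRACE_TRACEME is unchanged.
#
# 2 - admin-only attach:
#     only processes with CAP_SYS_PTRACE may use ptrace, either with PTRACE_ATTACH or
#     through children calling PTRACE_TRACEME.
#
# 3 - no attach:
#     no processes may use ptrace with PTRACE_ATTACH nor via PTRACE_TRACEME. Once set, this
#     sysctl value cannot be changed.
###########################################################################################
kernel.yama.ptrace_scope=2

### Append the PID to the core file name when core_pattern names a file without %p.
### Has no effect while core_pattern is a pipe (as configured below); kept so that a
### file-based core_pattern still gets a PID suffix.
kernel.core_uses_pid=1

###########################################################################################
# Performance events add considerable kernel attack surface and have caused abundant
# vulnerabilities. Be careful ! Performance might be affected ! Here turned off by default.
# 2 (the mainline default) blocks unprivileged access to kernel profiling; some
# distribution kernels accept 3 to block unprivileged perf entirely - check what the
# running kernel accepts before relying on it.
###########################################################################################
#kernel.perf_event_paranoid=2

###########################################################################################
# ASLR is a common exploit mitigation that randomizes the position of critical parts of a
# process in memory. This can make a wide variety of exploits harder to pull off, as they
# first require an information leak. The settings below increase the bits of entropy used
# for mmap ASLR, improving its effectiveness. The values of these sysctls must be set in
# relation to the CPU architecture. The values below are the x86-64 maxima; other
# architectures (and 32-bit x86) have lower maxima, and a value above the architecture
# maximum is rejected, leaving the kernel default in place.
###########################################################################################
vm.mmap_rnd_bits=32
vm.mmap_rnd_compat_bits=16

###########################################################################################
# In addition to ASLR hardening, one could adjust the behavior for memory overbooking.
# Determines how the kernel provides the available memory for processes:
# - 0 (default): kernel decides heuristically whether memory allocations are allowed.
# - 1: Memory is always allocated, even if it is not physically available; can lead to
#      out-of-memory errors.
# - 2: The kernel only allows memory allocations up to the available physical memory + swap
#      (safe mode).
#vm.overcommit_memory=2
#
# Specifies how much of the available physical memory (plus swap) can be made available
# for memory allocations when vm.overcommit_memory=2 is active.
# The value is a percentage.
# 50: Up to 50% of the physical memory can be reserved for memory-intensive applications.
###########################################################################################
#vm.overcommit_ratio=50

###########################################################################################
# Reduces the likelihood of important data remaining unsecured in RAM for too long.
# Specifies the percentage of the total memory that can be filled with changed (dirty) data
# before it is written to the permanent memory (e.g., the hard disk).
# 15: If 15% of the RAM is occupied by dirty pages, a background flush process is triggered
#     to write this data.
#vm.dirty_ratio=15
#
# Specifies the percentage of total memory at which the kernel starts writing dirty pages
# in the background before the dirty_ratio threshold is reached.
# 5: The kernel starts writing data in the background when 5% of RAM is occupied with
#    dirty pages.
###########################################################################################
#vm.dirty_background_ratio=5

###########################################################################################
# Similar to core dumps, swapping or paging copies parts of memory to disk, which can
# contain sensitive information. The kernel should be configured to only swap if absolutely
# necessary.
###########################################################################################
#vm.swappiness=1
### This setting minimizes swapping, which is useful for servers.
### However, one could also consider vm.swappiness=0 if enough RAM is available.
#vm.swappiness=0

###########################################################################################
# Processes that run with elevated privileges may still dump their memory even after these
# settings.
# fs.suid_dumpable=0 stops set-uid / privileged processes from dumping core;
# kernel.core_pattern pipes every remaining core dump into /bin/false, i.e. discards it
# (a leading '|' makes the kernel execute the program instead of writing a file).
###########################################################################################
fs.suid_dumpable=0
kernel.core_pattern=|/bin/false

### Disable User Namespaces, as it opens up a large attack surface to unprivileged users.
### Mainline counterpart of kernel.unprivileged_userns_clone. 0 forbids creating user
### namespaces for everyone, root included, which breaks container runtimes and sandboxes
### (flatpak, podman, systemd PrivateUsers=) that rely on them.
#user.max_user_namespaces=0

###########################################################################################
# Reboot after even 1 WARN or BUG/Oops. Adjust for your tolerances. (Since v6.2)
# If you want to set oops_limit greater than one, you will need to disable
# CONFIG_PANIC_ON_OOPS.
# A limit of 1 turns any single recoverable WARN() into a reboot; on multi-tenant hosts
# that is a denial-of-service lever for anyone able to trigger a warning.
###########################################################################################
kernel.warn_limit=1
kernel.oops_limit=1

###########################################################################################
# Disable TIOCSTI, which is used to inject keypresses. (Since v6.2)
# (This will, however, break screen readers.)
###########################################################################################
dev.tty.legacy_tiocsti=0

###########################################################################################
# IO_uring has yielded some security concerns and vulnerabilities,
# particularly for those sticking to older versions of the Linux kernel.
# There have also been IO_uring integration issues with the Linux security subsystem.
# (Since v6.6) 1: restrict io_uring to CAP_SYS_ADMIN or members of kernel.io_uring_group;
# 2: disable io_uring for everyone.
###########################################################################################
#kernel.io_uring_disabled=2

##### Network Stack #####

### Disable IP source routing, we are not a router:
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0

###########################################################################################
# This setting makes your system ignore all ICMP echo requests to avoid Smurf attacks and
# make the device more difficult to enumerate on the network.
# NOTE: only ICMP echo is covered. ICMP timestamp requests (type 13) are still answered
# by the kernel, so clock fingerprinting has to be blocked in the packet filter.
# Ping-based liveness monitoring of this host stops working.
###########################################################################################
net.ipv4.icmp_echo_ignore_all=1

### Enable ignoring broadcast request.
net.ipv4.icmp_echo_ignore_broadcasts=1

### This helps protect against SYN flood attacks
net.ipv4.tcp_syncookies=1

###########################################################################################
# This protects against time-wait assassination by dropping RST packets for sockets in
# the time-wait state.
###########################################################################################
net.ipv4.tcp_rfc1337=1

###########################################################################################
# These enable source validation of packets received from all interfaces of the machine.
# This protects against IP spoofing, in which an attacker sends a packet with a fraudulent
# IP address.
# 1 is strict mode: the reply route must leave via the receiving interface. Hosts with
# asymmetric routing (multi-homed, policy routing) need loose mode (2) instead.
###########################################################################################
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1

###########################################################################################
# This disables ICMP redirect acceptance and sending to prevent man-in-the-middle attacks
# and minimize information disclosure.
###########################################################################################
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0

###########################################################################################
# A martian packet is a packet with a source address, which is obviously wrong -
# nothing could possibly be routed back to that address.
###########################################################################################
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1

###########################################################################################
# Deactivates IP forwarding. This means that the system discards packets that are not
# intended for its own IP addresses. It therefore does not act as a router and does not
# forward data packets between network interfaces.
# Set for IPv4 and IPv6 and for both existing ('all') and future ('default') interfaces;
# net.ipv4.conf.all.forwarding is the same switch as net.ipv4.ip_forward.
###########################################################################################
net.ipv4.conf.all.forwarding=0
net.ipv4.conf.default.forwarding=0
net.ipv6.conf.all.forwarding=0
net.ipv6.conf.default.forwarding=0

###########################################################################################
# Disabling RA prevents the system from receiving routing information from potentially
# insecure or compromised routers. This is particularly important for servers that use
# static network configurations and should not dynamically accept new IPv6 routes or
# prefixes. An attacker could otherwise use forged RA messages to change the network route
# and redirect traffic, for example.
# With RA disabled, IPv6 addresses and the default route must be configured statically
# (SLAAC no longer works).
###########################################################################################
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0

###########################################################################################
# This setting prevents the disclosure of TCP timestamps that can be used for system
# fingerprinting. Trade-off: timestamps are also what PAWS (protection against wrapped
# sequence numbers) and round-trip-time measurement rely on, so this reduces protection
# and throughput on high-bandwidth links.
###########################################################################################
net.ipv4.tcp_timestamps=0

###########################################################################################
# To make ARP spoofing attacks more difficult. Defines how the system responds to ARP
# requests.
# - 0 (default): Responds to every request, including IPs configured on other interfaces.
# - 1: Only responds to requests that are specifically intended for the IP of the
#      respective interface. Increases security by preventing ARP spoofing attacks, as the
#      system does not send unnecessary ARP responses.
###########################################################################################
net.ipv4.conf.all.arp_ignore=1
net.ipv4.conf.default.arp_ignore=1

###########################################################################################
# To minimize attacks on half-open connections.
# Specifies the maximum number of connection requests (SYN packets)
# that can be held in the connection establishment state (SYN_RECV) in the queue.
# 4096: A generous queue to better intercept SYN flood attacks.
# Useful for systems with high network traffic, or if protection against DoS attacks
# needs to be improved:
###########################################################################################
net.ipv4.tcp_max_syn_backlog=4096

###########################################################################################
# Specifies the maximum number of SYN/ACK retries before the connection is aborted:
# 2: The kernel will only send a SYN/ACK twice before dropping the connection.
# Reduces the time and effort wasted on inactive connection requests.
# This improves performance and protects against SYN flood attacks, but could cause
# problems on poor networks.
###########################################################################################
net.ipv4.tcp_synack_retries=2

# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sysctl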