Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
---
gitea: none
include_toc: true
-----------------

# 1. CISS.debian.live.builder

**Centurion Intelligence Consulting Agency Information Security Standard**<br>
*Debian Live Build Generator for hardened live environment and CISS Debian Installer*<br>
**Master Version**: 8.13<br>
**Build**: V8.13.768.2025.12.06<br>

# 2. ``90-ciss-local.hardened``

The configuration fragment ``90-ciss-local.hardened`` defines the local kernel and network hardening baseline that CISS systems
apply via the Linux ``sysctl`` mechanism. It is written as a conventional ``sysctl.d`` drop-in and is meant to be consumed by early
userspace tooling such as ``systemd-sysctl``, which imports the settings into ``/proc/sys`` during boot.

At a high level, the file does not contain executable shell logic. It consists exclusively of documented key–value assignments
in the sysctl namespace plus a number of commented candidates that serve as a catalogue of optional hardening toggles.
The numeric prefix ``90-`` places it late in the ``sysctl.d`` processing order, so its values override both distribution defaults
and any earlier CISS baseline fragments. Error handling and reporting are delegated to the standard sysctl loader: unknown or
unsupported keys are rejected and logged, but the configuration itself does not implement any conditional fallback paths.

The first block targets kernel-level attack surface and introspection capabilities. By setting ``kernel.modules_disabled=1``
the configuration irrevocably closes the in-kernel module loader once the sysctl is applied, which prevents any further ``insmod``
or ``modprobe`` operations and thereby cuts off an entire class of kernel code injection vectors. The embedded warning comments
point out that this implies a very rigid boot pipeline: any device drivers, filesystems, or network stack components that are
not built in or preloaded before this switch is flipped will simply never appear, which would otherwise lead to a dead network
stack and loss of remote access. Additional restrictions such as ``kernel.unprivileged_bpf_disabled=1``, ``net.core.bpf_jit_harden=2``,
``dev.tty.ldisc_autoload=0``, ``vm.unprivileged_userfaultfd=0``, ``kernel.kexec_load_disabled=1`` and ``kernel.unprivileged_userns_clone=0``
collectively neutralize typical exploitation primitives. They disable unprivileged BPF program loading, force the BPF JIT into
its hardened mode, prevent automatic loading of TTY line discipline modules, restrict ``userfaultfd`` to privileged callers,
shut off in-kernel kexec, and forbid unprivileged user namespace creation. Taken together, these choices assume a server or
appliance workload that does not need container-style unprivileged namespaces, local kexec reseating, or dynamic TTY plumbing
and is willing to trade flexibility for a markedly smaller attack surface.

A second cluster tightens diagnostic visibility and process inspection. The settings ``kernel.kptr_restrict=2`` and
``kernel.dmesg_restrict=1`` remove kernel pointer values and log contents from unprivileged users, while ``kernel.printk=3 3 3 3``
drastically reduces what is emitted on the console during and after boot. TTY injection via the historical TIOCSTI ioctl is
disabled with ``dev.tty.legacy_tiocsti=0``, which the comments correctly note may break some screen readers but eliminates a
convenient path to smuggle keystrokes into another session. Process debugging is gated using the Yama LSM control
``kernel.yama.ptrace_scope=2``, which only permits ``ptrace`` attach operations from processes that hold ``CAP_SYS_PTRACE``;
unprivileged users can no longer freely attach debuggers to sibling processes. This aligns the system strongly towards a
production profile in which on-host debugging is effectively a privileged maintenance activity rather than a normal user
capability.

Crash handling and memory layout are hardened in a deliberate, multi-step fashion. Classic process core dumps are effectively
disabled by ``fs.suid_dumpable=0`` and ``kernel.core_pattern=|/bin/false``, so even privileged processes do not leave crash images
lying around on persistent storage. ``kernel.core_uses_pid=1`` is kept consistent with this policy but has no practical effect
once the core pattern is redirected into ``false``. The mapping base randomization knobs ``kernel.randomize_va_space=2``,
``vm.mmap_rnd_bits=32`` and ``vm.mmap_rnd_compat_bits=16`` increase address space layout randomization for both native and compat
processes, raising the entropy available for exploit mitigation. The comments explicitly point out that the chosen bit widths
are tuned for x86-type architectures, and that other CPU families may require different values, so the configuration implicitly
assumes a modern x86_64 kernel that implements these sysctls. The pair ``kernel.warn_limit=1`` and ``kernel.oops_limit=1``
introduces an extremely low tolerance for kernel anomalies: in combination with a build that enables ``CONFIG_PANIC_ON_OOPS``,
which the commentary references, even a single WARN, BUG, or oops will trigger a reboot cycle rather than allow the kernel to
limp along in a potentially corrupted state.

Filesystem-related sysctls are used to close off classes of symlink and hardlink-based attacks against privileged processes. The
combination of ``fs.protected_symlinks=1``, ``fs.protected_hardlinks=1``, ``fs.protected_fifos=2`` and ``fs.protected_regular=2``
changes how the kernel follows symbolic links, creates hardlinks, and opens FIFOs and regular files in world-writable sticky
directories. Access is constrained so that following such references across user boundaries or into attacker-controlled
locations is significantly more difficult. This is particularly relevant for services that operate within shared directories
such as ``/tmp`` and that historically have been exploitable through TOCTOU race conditions on links.

The networking section establishes a host profile that behaves explicitly as an end system, not as a router, and that is hostile
to in-band reconfiguration from the network. Source routing is disabled for both IPv4 and IPv6 through
``net.ipv4.conf.*.accept_source_route=0`` and ``net.ipv6.conf.*.accept_source_route=0``. Redirects are neither accepted nor sent,
using the cluster ``net.ipv4.conf.*.accept_redirects=0``, ``net.ipv4.conf.*.secure_redirects=0``, ``net.ipv6.conf.*.accept_redirects=0``,
and ``net.ipv4.conf.*.send_redirects=0``. Reverse path filtering is enabled with ``net.ipv4.conf.all.rp_filter=1`` and
``net.ipv4.conf.default.rp_filter=1``, which offers a basic defense against address spoofing. Logging of martian packets is
activated by ``net.ipv4.conf.*.log_martians=1``, so the system will record traffic with obviously bogus source addresses. IP
forwarding is forcibly disabled via ``net.ipv4.conf.all.forwarding=0``, reinforcing the assumption that these machines are not
supposed to forward traffic between interfaces.

On the IPv6 side, router advertisements are turned off by ``net.ipv6.conf.all.accept_ra=0`` and ``net.ipv6.conf.default.accept_ra=0``,
which means that global IPv6 addressing and routing information must be configured statically or via a trusted configuration
mechanism. ARP resilience is improved by setting ``net.ipv4.conf.all.arp_ignore=1`` and ``net.ipv4.conf.default.arp_ignore=1``, so
the kernel only replies to ARP requests whose target IP address is configured on the receiving interface; this shrinks the surface
for ARP spoofing and gratuitous replies. ICMP behavior is made highly conservative: ``net.ipv4.icmp_echo_ignore_all=1`` and
``net.ipv4.icmp_echo_ignore_broadcasts=1`` effectively suppress echo replies entirely and ignore directed broadcasts, which
hinders network scanning and mitigates certain amplification attacks at the cost of losing simple ``ping`` diagnostics.

Transport-level settings are focused on resilience against SYN flood type denial of service and fingerprinting noise. The switch
``net.ipv4.tcp_syncookies=1`` activates SYN cookies, ``net.ipv4.tcp_rfc1337=1`` instructs the kernel to protect against time-wait
assassination, and ``net.ipv4.tcp_max_syn_backlog=4096`` enlarges the queue for half-open connections, so the system can sustain
more parallel handshake attempts before dropping them. ``net.ipv4.tcp_synack_retries=2`` reduces the number of retransmissions for
SYN-ACK packets, which shortens the time wasted on unreachable peers and malicious scanners but can marginally penalize very
lossy networks. Finally, ``net.ipv4.tcp_timestamps=0`` disables TCP timestamps, which otherwise leak information about host uptime
and clock behavior and can be abused for subtle fingerprinting.

Beyond the active values, the module also documents several tunables that are intentionally left commented out. These include
sysctls for io_uring disablement, performance event restrictions, memory overcommit policy, dirty page ratios, and swap
aggressiveness. Their presence turns the file into a compact reference of hardened defaults that the CISS ecosystem considers
defensible, while still leaving room for operator-specific adjustments when hardware constraints or workload characteristics
demand different trade-offs.

In terms of preconditions, the configuration assumes a Linux kernel new enough to understand the modern hardening knobs it
targets, and a deployment model where almost all required modules and capabilities are either built into the kernel or loaded
before sysctl application. It does not itself coordinate with the live boot or initramfs stages: instead, it defines the
steady-state behavior of a system that has already pivoted into its real root filesystem. Within the overall
**CISS.debian.live.builder** architecture, ``90-ciss-local.hardened`` therefore functions as the final, host-level enforcement layer
that aligns runtime behavior with the hardened kernel command line and build-time options defined elsewhere in the project,
closing off residual dynamic features and network behaviors that would otherwise remain available after boot.
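
As an added illustration that is not part of the CISS project, the following Python audit parses a fragment in the ``sysctl.d``
syntax described above (``#``/``;`` comments, ``key = value`` lines, the ``-`` prefix that tells the loader to ignore apply errors,
``*`` wildcards in keys) and compares that baseline against a ``/proc/sys`` tree, reporting drifted values and knobs the running
kernel does not expose at all. The key excerpt and the ``/proc/sys`` snapshot in ``demo()`` are constructed for the example; on a
booted system the same ``audit`` function is pointed at the real ``/proc/sys``.

```python
import glob
import os
import tempfile
from pathlib import Path

# Constructed excerpt of the keys 90-ciss-local.hardened sets (not the project's file).
FRAGMENT = """\
kernel.modules_disabled = 1
kernel.kptr_restrict = 2
kernel.printk = 3 3 3 3
kernel.core_pattern = |/bin/false
net.ipv4.conf.*.accept_redirects = 0
-kernel.unprivileged_userns_clone = 0
"""

def parse_fragment(text):
    """sysctl.d syntax: '#'/';' comments, 'key = value', '-' prefix = ignore apply errors."""
    settings = {}
    for line in map(str.strip, text.splitlines()):
        key, sep, value = line.partition("=")
        if sep and line[0] not in "#;":
            settings[key.strip().lstrip("-").replace("/", ".")] = value.strip()
    return settings

def audit(settings, proc_sys_root):
    """List (key, expected, actual) for baseline keys that are absent or differ live."""
    drift = []
    for key, expected in settings.items():
        paths = sorted(glob.glob(os.path.join(proc_sys_root, *key.split("."))))
        if not paths:  # kernel does not expose the knob (too old, or feature not built in)
            drift.append((key, expected, None))
        for p in paths:  # a '*' key expands to one entry per interface, as sysctl does
            actual = Path(p).read_text().split()  # '3\t3\t3\t3' compares equal to '3 3 3 3'
            if actual != expected.split():
                live_key = os.path.relpath(p, proc_sys_root).replace(os.sep, ".")
                drift.append((live_key, expected, " ".join(actual)))
    return drift

def demo():
    """Constructed /proc/sys snapshot that deviates from the baseline in four places."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        live = {"kernel/modules_disabled": "1\n", "kernel/kptr_restrict": "1\n",
                "kernel/printk": "3\t3\t3\t3\n", "kernel/core_pattern": "core\n",
                "net/ipv4/conf/all/accept_redirects": "0\n",
                "net/ipv4/conf/eth0/accept_redirects": "1\n"}
        for rel, value in live.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(value)
        return audit(parse_fragment(FRAGMENT), root)  # real use: audit(..., "/proc/sys")
```

Because a ``*`` key is expanded per interface, the report names the concrete interface (here ``eth0``) whose value diverges
rather than the wildcard, which is what an operator needs when a late-plugged interface missed the ``default`` setting.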

---

**[no tracking | no logging | no advertising | no profiling | no bullshit](https://coresecret.eu/)**

<!-- vim: set number et ts=2 sw=2 sts=2 ai tw=128 ft=markdown -->