/etc/sysctl.d (Manjaro OpenRC vs Ubuntu Maté continued)

Since it is another topic, I created another post.
(That's for @artoo & @eugen-b ;-))

I have another suggestion: I noticed that the sysctl config in /etc/sysctl.d was better in Ubuntu MATE.
I then added the conf files from Ubuntu to my system.

I suggest adding them to the default config if it is relevant (I mean they may already be set as defaults in the kernel compile parameters, which I don't know).

Added files:

  • 10-kernel-hardening.conf
  • 10-link-restrictions.conf
  • 10-network-security.conf
  • 10-zeropage.conf

content:

[root sysctl.d]$for i in *; do echo -n "========="; echo "$i:"; cat $i; done

=========    100-manjaro.conf:
# https://archived.forum.manjaro.org/t/encrypted-swap-partition-system-freeze/6993
#vm.swappiness = 1
vm.swappiness = 60

# Enable the SysRq key
kernel.sysrq = 1

=========    10-kernel-hardening.conf:
# These settings are specific to hardening the kernel itself from attack
# from userspace, rather than protecting userspace from other malicious
# userspace things.
#
#
# When an attacker is trying to exploit the local kernel, it is often
# helpful to be able to examine where in memory the kernel, modules,
# and data structures live. As such, kernel addresses should be treated
# as sensitive information.
#
# Many files and interfaces contain these addresses (e.g. /proc/kallsyms,
# /proc/modules, etc), and this setting can censor the addresses. A value
# of "0" allows all users to see the kernel addresses. A value of "1"
# limits visibility to the root user, and "2" blocks even the root user.
kernel.kptr_restrict = 1

=========    10-link-restrictions.conf:
# These settings eliminate an entire class of security vulnerability:
# time-of-check-time-of-use cross-privilege attacks using guessable
# filenames (generally seen as "/tmp file race" vulnerabilities).
fs.protected_hardlinks = 1
fs.protected_symlinks = 1

=========    10-network-security.conf:

# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks.
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1

# Turn on SYN-flood protections.  Starting with 2.6.26, there is no loss
# of TCP functionality/features under normal conditions.  When flood
# protections kick in under high unanswered-SYN load, the system
# should remain more stable, with a trade off of some loss of TCP
# functionality/features (e.g. TCP Window scaling).
net.ipv4.tcp_syncookies=1

=========    10-zeropage.conf:
# Protect the zero page of memory from userspace mmap to prevent kernel
# NULL-dereference attacks against potential future kernel security
# vulnerabilities.  (Added in kernel 2.6.23.)
#
# While this default is built into the Ubuntu kernel, there is no way to
# restore the kernel default if the value is changed during runtime; for
# example via package removal (e.g. wine, dosemu).  Therefore, this value
# is reset to the secure default each time the sysctl values are loaded.
vm.mmap_min_addr = 65536

=========    99-sysctl.conf:
kernel.sysrq=1
fs.inotify.max_user_watches = 524288
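A small POSIX sh audit helper, added here as an example (it is not code from the thread, nor from Manjaro or Ubuntu), that parses sysctl.d fragments like the ones above and reports every key whose live /proc/sys value differs from the last value a fragment sets; the function names, the SYSCTL_ROOT override and the constructed sample tree are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): check that the running kernel actually
# carries the values the sysctl.d fragments ask for. Function names and the
# constructed sample tree are this example's own.

# Emit "key value" lines from sysctl.d-style files: drops comment (#, ;) and
# blank lines and accepts both "key=value" and "key = value".
parse_sysctl_conf() {
    grep -h -v -e '^[[:space:]]*[#;]' -e '^[[:space:]]*$' "$@" \
      | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
            -e 's/[[:space:]]*=[[:space:]]*/ /'
}

# Live value of key "a.b.c" is the file $SYSCTL_ROOT/a/b/c (default /proc/sys);
# whitespace is squeezed because multi-value keys are tab separated there.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"
current_value() {
    path="$SYSCTL_ROOT/$(printf '%s' "$1" | tr . /)"
    if [ -r "$path" ]; then tr -s '[:space:]' ' ' < "$path" | sed 's/ $//'
    else echo '<unset>'; fi
}

# Print one "MISMATCH key: want X, have Y" line per deviation. Files are taken
# in name order and the last assignment of a key wins, mirroring how the
# fragments (10-*.conf, 100-manjaro.conf, 99-sysctl.conf) layer on each other.
audit_sysctl_dir() {
    for f in "$1"/*.conf; do parse_sysctl_conf "$f"; done \
      | awk '{ k=$1; $1=""; sub(/^ /, ""); want[k]=$0 }
             END { for (k in want) print k, want[k] }' \
      | while read -r key want; do
            have=$(current_value "$key")
            [ "$have" = "$want" ] || printf 'MISMATCH %s: want %s, have %s\n' "$key" "$want" "$have"
        done
}

# Constructed demo: a fake /proc/sys where kptr_restrict was left at 0, plus a
# constructed later fragment (50-constructed.conf) that lowers mmap_min_addr.
demo_audit() {
    t=$(mktemp -d); mkdir -p "$t/sysctl.d" "$t/proc/kernel" "$t/proc/fs" "$t/proc/vm"
    printf 'kernel.kptr_restrict = 1\n' > "$t/sysctl.d/10-kernel-hardening.conf"
    printf '# hardlink/symlink races\nfs.protected_hardlinks = 1\nfs.protected_symlinks=1\n' \
        > "$t/sysctl.d/10-link-restrictions.conf"
    printf 'vm.mmap_min_addr = 65536\n' > "$t/sysctl.d/10-zeropage.conf"
    printf 'vm.mmap_min_addr = 4096\n' > "$t/sysctl.d/50-constructed.conf"
    echo 0 > "$t/proc/kernel/kptr_restrict"; echo 1 > "$t/proc/fs/protected_hardlinks"
    echo 1 > "$t/proc/fs/protected_symlinks"; echo 4096 > "$t/proc/vm/mmap_min_addr"
    ( SYSCTL_ROOT="$t/proc"; audit_sysctl_dir "$t/sysctl.d" ) | sort
    rm -rf "$t"
}
```

In the demo only kernel.kptr_restrict is reported, because the later fragment legitimately lowered vm.mmap_min_addr in the layered config; the audit therefore detects drift from the configured state, and a fragment that weakens a protection is something to catch by reviewing the fragments themselves.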

I will add a reference to the other topic

Which files exactly are from Ubuntu?

All the above. There are other files which I found less relevant.

The full list in Ubuntu (not the content):

10-console-messages.conf
10-ipv6-privacy.conf
10-kernel-hardening.conf
10-link-restrictions.conf
10-magic-sysrq.conf
10-network-security.conf
10-ptrace.conf
10-zeropage.conf
99-sysctl.conf
