ok so i am very paranoid if you wanna call me that and im very big on security ive done a LOT of research or at least as much as i can find i have sysctl.conf and 99-sysctl.conf set up but i am wondering are all my commands or configs safe and if not which ones and why tell me what you think. thank you
I have no idea what sysctl is about, nor what you are trying to achieve, but I did a
man sysctl.conf
and it says
DESCRIPTION
sysctl.conf is a simple file containing sysctl values to be read in and set by sysctl. The syntax is simply as
follows:
# comment
; comment
token = value
Note that blank lines are ignored, and whitespace before and after a token or value is ignored, although a value
can contain whitespace within. Lines which begin with a # or ; are considered comments and ignored.
Thus it seems that a construct like
hard core = 0
is the same as
hard core=0
(IMHO not using a strict way of coding style is an invitation to human errors and thus of insecurity)
but you have also things like
hard core 0
which does not conform to the description in the man page.
Hi
Just a quick check on a few items, for example;
sysctl -a |grep fs.suid_dumpable
fs.suid_dumpable = 0
sysctl -a |grep kernel.randomize_va_space
kernel.randomize_va_space = 2
For the ASLR setting, the default 2 should be fine… the suid one is already set to 0…the default?
I would suggest going through your list and see what are the defaults (what exist and what don’t) and post that back so can probably offer more advice.
In plain words, sysctl.conf is a time honored way to execute commands on bootup that modify default processor settings, in this case networking.
The advantage of doing this is that you can avoid re-compiling the kernel with different settings.
In the following paper I wrote long ago,
I described how to inspect values and set by command line using both /proc and sysctl commands, then placing them in the /etc/sysctl.conf file, with the purposes of setting the TCP/IP Congestion Control algorithm and enlarging and optimizing Networking related values, increasing capacity.
I see a number of your listed commands simply reset the existing default value, there’s no harm in doing that but makes your list unnecessarily long.
The above doc also includes a number of checks you can make to verify default settings are set properly, some like ASLR as considered important and relatively recent.
A number of settings should of course be applied using common sense…
Historically a great many machines have been over locked down to where the machines became non-functional… In my early days experimenting with bastille, I destroyed a good number of machines before I decided its policies were generally capable of being too restrictive and broke machines.
In the same way, consider for instance your setting to deny echoes (ICMP), although it’s a common sense way of trying to make your machine invisible to unauthorized scanning, it can also mean preventing your own maintenance and monitoring from working.
Security is typically more complex than the average person understands…
There are often no black and white answers, every setting requires that you understand the consequences both good and bad.
If you’re looking for a “set and forget” security solution, those generally don’t exist, security is best done as an ongoing process to update and review as technology evolves.
Hi
If you install cnf, then it will help you find which package(s) to install
cnf cnf
Program 'cnf' is present in package 'command-not-found', which is installed on your system.
Absolute path to 'cnf' is '/usr/bin/cnf'. Please check your $PATH variable to see whether it contains the mentioned path.
cnf sysctl
Program 'sysctl' is present in package 'procps', which is installed on your system.
Absolute path to 'sysctl' is '/usr/sbin/sysctl', so running it may require superuser privileges (eg. root).
zypper in command-not-found procps
