sysctl.conf and 99-sysctl.comf secure or not?

ok so i am very paranoid if you wanna call me that and im very big on security ive done a LOT of research or at least as much as i can find i have sysctl.conf and 99-sysctl.conf set up but i am wondering are all my commands or configs safe and if not which ones and why tell me what you think. thank you :slight_smile:

net.inet.tcp.rfc1323=1
net.inet.icmp.timestamp=0
vm.swappiness=0
kernel.randomize_va_space = 3
fs.suid_dumpable = 0
hard core 0
hard core = 0
kernel.exec-shield = 3
kernel.execshield = 3
net.ipv4.ip_forward = 0
net.ipv4.icmp_ignore_bogus_error_responses 1
net.ipv4.tcp_timestamps = 0
net.ipv4.conf.all.log_martians = 0
net.ipv6.conf.all.forwarding = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.all.send_redirects = 0
kernel.panic=10
fs.protected_hardlinks=1
fs.protected_symlinks=1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_synack_retries = 5
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1 
net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.default.max_addresses = 1
swapoff -a

thats whats in both sysctrl.conf files

I have no idea what sysctl is about, nor what you are trying to achieve, but I did a

man sysctl.conf

and it says

DESCRIPTION
sysctl.conf is a simple file containing sysctl values to be read in and set by sysctl. The syntax is simply as
follows:

          # comment
          ; comment
          token = value
   Note that blank lines are ignored, and whitespace before and after a token or value is ignored, although  a  value
   can contain whitespace within.  Lines which begin with a # or ; are considered comments and ignored.

Thus it seems that a construct like

hard core = 0

is the same as

hard core=0

(IMHO not using a strict way of coding style is an invitation to human errors and thus of insecurity)
but you have also things like

hard core 0

which does not conform to the description in the man page.

so since hardcore=0 is not in the man pages should i not use it or change it to 1? isent it more secure to have it on 0 to my understanding?

I am only talking about the strange things I see in your syntax. Not about the meaning of those parameters and their values of which I have no idea.

Hi
Just a quick check on a few items, for example;


sysctl -a |grep fs.suid_dumpable
fs.suid_dumpable = 0

sysctl -a |grep kernel.randomize_va_space
kernel.randomize_va_space = 2

For the ASLR setting, the default 2 should be fine… the suid one is already set to 0…the default?

I would suggest going through your list and see what are the defaults (what exist and what don’t) and post that back so can probably offer more advice.

In plain words, sysctl.conf is a time honored way to execute commands on bootup that modify default processor settings, in this case networking.
The advantage of doing this is that you can avoid re-compiling the kernel with different settings.

In the following paper I wrote long ago,
I described how to inspect values and set by command line using both /proc and sysctl commands, then placing them in the /etc/sysctl.conf file, with the purposes of setting the TCP/IP Congestion Control algorithm and enlarging and optimizing Networking related values, increasing capacity.

https://sites.google.com/site/4techsecrets/optimize-and-fix-your-network-connection/tcp-buffer-re-sizing/viewinng

TSU

The following is the SUSE 12 security hardening doc

https://www.suse.com/documentation/sles-12/book_hardening/data/sec_sec_prot_general_kernel.html

I see a number of your listed commands simply reset the existing default value, there’s no harm in doing that but makes your list unnecessarily long.
The above doc also includes a number of checks you can make to verify default settings are set properly, some like ASLR as considered important and relatively recent.

A number of settings should of course be applied using common sense…
Historically a great many machines have been over locked down to where the machines became non-functional… In my early days experimenting with bastille, I destroyed a good number of machines before I decided its policies were generally capable of being too restrictive and broke machines.
In the same way, consider for instance your setting to deny echoes (ICMP), although it’s a common sense way of trying to make your machine invisible to unauthorized scanning, it can also mean preventing your own maintenance and monitoring from working.

Security is typically more complex than the average person understands…
There are often no black and white answers, every setting requires that you understand the consequences both good and bad.
If you’re looking for a “set and forget” security solution, those generally don’t exist, security is best done as an ongoing process to update and review as technology evolves.

TSU

when i do

sysctl -a |grep fs.suid_dumpable
sysctl: command not found


i get command not found?

Hi
If you install cnf, then it will help you find which package(s) to install :wink:


cnf cnf
                     
Program 'cnf' is present in package 'command-not-found', which is installed on your system.

Absolute path to 'cnf' is '/usr/bin/cnf'. Please check your $PATH variable to see whether it contains the mentioned path.

cnf sysctl
                        
Program 'sysctl' is present in package 'procps', which is installed on your system.

Absolute path to 'sysctl' is '/usr/sbin/sysctl', so running it may require superuser privileges (eg. root).

zypper in command-not-found procps

See the SUSE 12 reference I posted.
Your result just means that there isn’t a default setting configured.

TSU