Home Explore Help
Sign In
patron
/
FreeBSD
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

hardened sysctls

David Marec 10 months ago
parent
44cdde731d
commit
c5f015df6e
1 changed files with 35 additions and 0 deletions
Split View Show Diff Stats
  1. 35 0
      hardened.sysctl

+ 35 - 0
hardened.sysctl
View File 

@@ -0,0 +1,35 @@
 
+kern.elf32.allow_wx=0              # disallow pages to be mapped writable and executable, enforce W^X memory mapping policy for 32 bit user processes (default 1, enabled/allow needed for chrome, libreoffice and go apps)
 
+kern.elf64.allow_wx=0              # disallow pages to be mapped writable and executable, enforce W^X memory mapping policy for 64 bit user processes (default 1, enabled/allow needed for chrome, libreoffice and go apps)
 
+kern.ipc.shm_use_phys=1            # lock shared memory into RAM and prevent it from being paged out to swap (default 0, disabled)
 
+kern.msgbuf_show_timestamp=1       # display timestamp in msgbuf (default 0)
 
+kern.randompid=1                   # calculate PIDs by the modulus of an integer, set to one(1) to auto random (default 0)
 
+net.bpf.optimize_writers=1         # bpf is write-only unless program explicitly specifies the read filter (default 0)
 
+net.inet.icmp.drop_redirect=1      # no redirected ICMP packets (default 0)
 
+net.inet.ip.check_interface=1      # verify packet arrives on correct interface (default 0)
 
+net.inet.ip.portrange.first=32768  # use ports 32768 to portrange.last for outgoing connections (default 10000)
 
+net.inet.ip.portrange.randomcps=9999 # use random port allocation if less than this many ports per second are allocated (default 10)
 
+net.inet.ip.portrange.randomtime=1 # seconds to use sequental port allocation before switching back to random (default 45 secs)
 
+net.inet.ip.random_id=1            # assign a random IP id to each packet leaving the system (default 0)
 
+net.inet.ip.redirect=0             # do not send IP redirects (default 1)
 
+net.inet6.ip6.redirect=0           # do not send IPv6 redirects (default 1)
 
+net.inet.tcp.blackhole=2           # drop tcp packets destined for closed ports (default 0)
 
+net.inet.tcp.drop_synfin=1         # SYN/FIN packets get dropped on initial connection (default 0)
 
+net.inet.tcp.fast_finwait2_recycle=1 # recycle FIN/WAIT states quickly, helps against DoS, but may cause false RST (default 0)
 
+net.inet.tcp.fastopen.client_enable=0 # disable TCP Fast Open client side, enforce three way TCP handshake (default 1, enabled)
 
+net.inet.tcp.fastopen.server_enable=0 # disable TCP Fast Open server side, enforce three way TCP handshake (default 0)
 
+net.inet.tcp.finwait2_timeout=1000 # TCP FIN_WAIT_2 timeout waiting for client FIN packet before state close (default 60000, 60 sec)
 
+net.inet.tcp.icmp_may_rst=0        # icmp may not send RST to avoid spoofed icmp/udp floods (default 1)
 
+net.inet.tcp.keepcnt=2             # amount of tcp keep alive probe failures before socket is forced closed (default 8)
 
+net.inet.tcp.keepidle=62000        # time before starting tcp keep alive probes on an idle, TCP connection (default 7200000, 7200 secs)
 
+net.inet.tcp.keepinit=5000         # tcp keep alive client reply timeout (default 75000, 75 secs)
 
+net.inet.tcp.msl=2500              # Maximum Segment Lifetime, time the connection spends in TIME_WAIT state (default 30000, 2*MSL = 60 sec)
 
+net.inet.tcp.path_mtu_discovery=0  # disable for mtu=1500 as most paths drop ICMP type 3 packets, but keep enabled for mtu=9000 (default 1)
 
+net.inet.udp.blackhole=1           # drop udp packets destined for closed sockets (default 0)
 
+net.inet.udp.recvspace=1048576     # UDP receive space, HTTP/3 webserver, "netstat -sn -p udp" and increase if full socket buffers (default 42080)
 
+security.bsd.hardlink_check_gid=1  # unprivileged processes may not create hard links to files owned by other groups, DISABLE for mailman (default 0)
 
+security.bsd.hardlink_check_uid=1  # unprivileged processes may not create hard links to files owned by other users,  DISABLE for mailman (default 0)
 
+security.bsd.see_other_gids=0      # groups only see their own processes. root can see all (default 1)
 
+security.bsd.see_other_uids=0      # users only see their own processes. root can see all (default 1)
 
+security.bsd.stack_guard_page=1    # insert a stack guard page ahead of growable segments, stack smashing protection (SSP) (default 0)
 
+security.bsd.unprivileged_proc_debug=0 # unprivileged processes may not use process debugging (default 1)
 
+security.bsd.unprivileged_read_msgbuf=0 # unprivileged processes may not read the kernel message buffer (default 1)