
  1. kern.elf32.allow_wx=0 # disallow pages to be mapped writable and executable, enforce W^X memory mapping policy for 32 bit user processes (default 1, enabled/allow needed for chrome, libreoffice and go apps)
  2. kern.elf64.allow_wx=0 # disallow pages to be mapped writable and executable, enforce W^X memory mapping policy for 64 bit user processes (default 1, enabled/allow needed for chrome, libreoffice and go apps)
  3. kern.ipc.shm_use_phys=1 # lock shared memory into RAM and prevent it from being paged out to swap (default 0, disabled)
  4. kern.msgbuf_show_timestamp=1 # display timestamp in msgbuf (default 0)
  5. kern.randompid=1 # calculate PIDs by the modulus of an integer, set to one(1) to auto random (default 0)
  6. net.bpf.optimize_writers=1 # bpf is write-only unless program explicitly specifies the read filter (default 0)
  7. net.inet.icmp.drop_redirect=1 # no redirected ICMP packets (default 0)
  8. net.inet.ip.check_interface=1 # verify packet arrives on correct interface (default 0)
  9. net.inet.ip.portrange.first=32768 # use ports 32768 to portrange.last for outgoing connections (default 10000)
  10. net.inet.ip.portrange.randomcps=9999 # use random port allocation if less than this many ports per second are allocated (default 10)
  11. net.inet.ip.portrange.randomtime=1 # seconds to use sequental port allocation before switching back to random (default 45 secs)
  12. net.inet.ip.random_id=1 # assign a random IP id to each packet leaving the system (default 0)
  13. net.inet.ip.redirect=0 # do not send IP redirects (default 1)
  14. net.inet6.ip6.redirect=0 # do not send IPv6 redirects (default 1)
  15. net.inet.tcp.blackhole=2 # drop tcp packets destined for closed ports (default 0)
  16. net.inet.tcp.drop_synfin=1 # SYN/FIN packets get dropped on initial connection (default 0)
  17. net.inet.tcp.fast_finwait2_recycle=1 # recycle FIN/WAIT states quickly, helps against DoS, but may cause false RST (default 0)
  18. net.inet.tcp.fastopen.client_enable=0 # disable TCP Fast Open client side, enforce three way TCP handshake (default 1, enabled)
  19. net.inet.tcp.fastopen.server_enable=0 # disable TCP Fast Open server side, enforce three way TCP handshake (default 0)
  20. net.inet.tcp.finwait2_timeout=1000 # TCP FIN_WAIT_2 timeout waiting for client FIN packet before state close (default 60000, 60 sec)
  21. net.inet.tcp.icmp_may_rst=0 # icmp may not send RST to avoid spoofed icmp/udp floods (default 1)
  22. net.inet.tcp.keepcnt=2 # amount of tcp keep alive probe failures before socket is forced closed (default 8)
  23. net.inet.tcp.keepidle=62000 # time before starting tcp keep alive probes on an idle, TCP connection (default 7200000, 7200 secs)
  24. net.inet.tcp.keepinit=5000 # tcp keep alive client reply timeout (default 75000, 75 secs)
  25. net.inet.tcp.msl=2500 # Maximum Segment Lifetime, time the connection spends in TIME_WAIT state (default 30000, 2*MSL = 60 sec)
  26. net.inet.tcp.path_mtu_discovery=0 # disable for mtu=1500 as most paths drop ICMP type 3 packets, but keep enabled for mtu=9000 (default 1)
  27. net.inet.udp.blackhole=1 # drop udp packets destined for closed sockets (default 0)
  28. net.inet.udp.recvspace=1048576 # UDP receive space, HTTP/3 webserver, "netstat -sn -p udp" and increase if full socket buffers (default 42080)
  29. security.bsd.hardlink_check_gid=1 # unprivileged processes may not create hard links to files owned by other groups, DISABLE for mailman (default 0)
  30. security.bsd.hardlink_check_uid=1 # unprivileged processes may not create hard links to files owned by other users, DISABLE for mailman (default 0)
  31. security.bsd.see_other_gids=0 # groups only see their own processes. root can see all (default 1)
  32. security.bsd.see_other_uids=0 # users only see their own processes. root can see all (default 1)
  33. security.bsd.stack_guard_page=1 # insert a stack guard page ahead of growable segments, stack smashing protection (SSP) (default 0)
  34. security.bsd.unprivileged_proc_debug=0 # unprivileged processes may not use process debugging (default 1)
  35. security.bsd.unprivileged_read_msgbuf=0 # unprivileged processes may not read the kernel message buffer (default 1)