On 1/3/20 3:46 PM, Rich Freeman wrote: > If OpenRC contains a vulnerability wouldn't it make more sense to set > this as part of OpenRC, Indeed.
Furthermore there's a nifty page https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings which yields for me to this /etc/sysctl.d/local.conf : # Restrict potential illegal access via links # fs.protected_hardlinks = 1 fs.protected_symlinks = 1 # # https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project#CONFIGs # # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). kernel.kptr_restrict = 1 # Avoid kernel memory address exposures via dmesg. kernel.dmesg_restrict = 1 # Block non-uid-0 profiling (needs distro patch, otherwise this is the same as "= 2") kernel.perf_event_paranoid = 3 # Turn off kexec, even if it's built in. kernel.kexec_load_disabled = 1 # Avoid non-ancestor ptrace access to running processes and their credentials. kernel.yama.ptrace_scope = 1 # Disable User Namespaces, as it opens up a large attack surface to unprivileged users. user.max_user_namespaces = 0 # Turn off unprivileged eBPF access. kernel.unprivileged_bpf_disabled = 1 # Turn on BPF JIT hardening, if the JIT is enabled. net.core.bpf_jit_harden = 2 -- Toralf PGP 23217DA7 9B888F45
signature.asc
Description: OpenPGP digital signature
