Sysctl.conf

2024-06-12T21:01:43Z

Gresskar: Added some security options

{{DISPLAYTITLE:sysctl.conf}}sysctl.conf is the configuration file at <code>/etc/sysctl.conf</code> for [https://linux.die.net/man/8/sysctl sysctl] and is used to configure kernel parameters at boot time. You can load the configuration file with {{Cmd|sysctl -p}} or simply with a reboot.
This article is not an exhaustive list but covers some of the main points. You may, of course, wish to change some settings to suite your environment. The config examples are well commented so should provide all the information you need. If further information is required on anything, please make a note in this page or in the 'discussion' area.
Some of the options shown in the below examples may already be as default in your release. Check with <pre>sysctl -a|grep <somestring></pre>
Lines beginning with a hash '#' are comments and are thus not read until the # is removed.

= IPv6 =
Although IPv6 is [[Configure Networking|configured]] in <code>/etc/network/interfaces</code> more advanced options are configured in <code>/etc/sysctl.conf</code>:
<pre>
####Turn off IPv6 Routing####
## if not functioning as a router, there is no need
## to accept redirects or source routes
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_source_route = 0
## Number of Router Solicitations to send until assuming no routers are present.
## This is a host and not router
net.ipv6.conf.default.router_solicitations = 2

## Router advertisements can cause the system to assign a global
## unicast address to an interface
## Turn on/off below (default is 1, on)
#net.ipv6.conf.default.autoconf = 0
## How many global unicast IPv6 addresses can be assigned to each interface?
#net.ipv6.conf.all.max-addresses = 1
#net.ipv6.conf.default.max_addresses = 1

##Force IPv6 off
#net.ipv6.conf.all.disable_ipv6 = 1
#net.ipv6.conf.default.disable_ipv6 = 1
#net.ipv6.conf.lo.disable_ipv6 = 1
#net.ipv6.conf.eth0.disable_ipv6 = 1
</pre>

= General networking and performance =
Do not enable (uncomment) any of this unless you know what you are doing!! Be prepared to perform thorough testing and potentially break stuff!

<pre>
### Disable routing
## send redirects (not a router, disable it)
net.ipv4.conf.all.send_redirects = 0

## log martian packets
#net.ipv4.conf.all.log_martians = 1

### Memory and buffer changes. See https://wwwx.cs.unc.edu/~sparkst/howto/network_tuning.php {{Dead link}} for more information.
## Increase maximum amount of memory allocated to shm
#kernel.shmmax = 1073741824
## Improve file system performance
#vm.bdflush = 100 1200 128 512 15 5000 500 1884 2
## This will increase the amount of memory available for socket input/output queues
#net.ipv4.tcp_rmem = 4096 87380 524288
#net.core.rmem_max = 1048576
#net.core.rmem_default = 524288
#net.ipv4.tcp_wmem = 4096 65536 524288
#net.core.wmem_max = 1048576
#net.core.wmem_default = 524288
#net.core.optmem_max = 25165824

## Increase system file descriptor limit
fs.file-max = 65535

## Allow for more PID's
kernel.pid_max = 65536

## Swapping too much or not enough? Disks spinning up when you'd
## rather they didn't? Tweak these.
#vm.vfs_cache_pressure = 100
#vm.laptop_mode = 0
#vm.swappiness = 60

## Set small dirty bytes values (overcomes random short system freezes)
## If you uncomment the below, it is set to 4MB
#vm.dirty_background_bytes = 4194304
#vm.dirty_bytes = 4194304

## reuse/recycle time-wait sockets (this is often needed on busy servers)
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1

## Controls the number of syn retries (default is 6)
#net.ipv4.tcp_syn_retries = 3
## Controls the number of tcp syn-ack retries (default is 5)
#net.ipv4.tcp_synack_retries = 3

## Change the time default value for tcp_fin_timeout connection
## (i.e. time to hold socket in FIN-WAIT-2 if it was closed by us)
## Default is 60 seconds
#net.ipv4.tcp_fin_timeout = 15
## Decrease the time default value for tcp_keepalive_time connection
## (i.e. how often to send TCP keepalive message)
## Default is 2 hours!
#net.ipv4.tcp_keepalive_time = 360
## Turn on tcp_window_scaling
#net.ipv4.tcp_window_scaling = 1
## Turn on the tcp_sack
#net.ipv4.tcp_sack = 1
## tcp_fack should be on because of sack
#net.ipv4.tcp_fack = 1

## Set the port range used for outgoing connections
#net.ipv4.ip_local_port_range = 1200 65000

## the number of packets to queue on input when they arrive faster
## than they can be processed by the kernel (the socket queue)
#net.core.netdev_max_backlog = 3000

## Maximum number of remembered connection requests which have not
## received an ack from connecting client. Increases in proportion
## to available memory. Set it manually below
#net.ipv4.tcp_max_syn_backlog = 1000

#Don't penalize programs for using split locks. Marginally speeds up the steam and Google Chrome flatpaks.
kernel.split_lock_mitigate = 0
</pre>

= Security =

<pre>
## Disable magic-sysrq key
kernel.sysrq = 0

## Restrict dmesg access to root
kernel.dmesg_restrict = 1

## optionally, ignore all echo requests
## this is NOT recommended, as it ignores echo requests on localhost as well
#net.ipv4.icmp_echo_ignore_all = 1

## Don't expose kernel memory addresses in procfs
kernel.kptr_restrict = 2

## Restrict access to kernel performance events
kernel.perf_event_paranoid = 2

## Restrict unprivileged access to eBPF
kernel.unprivileged_bpf_disabled = 1

## Enable JIT hardening techniques for eBPF
net.core.bpf_jit_harden = 2

## Disable core dumps
kernel.core_pattern=|/bin/false

## Restrict access to the ptrace() syscall
## a value of 3 disables ptrace() entirely
kernel.yama.ptrace_scope = 2

## Increase bits of entropy for ASLR
## these values are compatible with x86, but other archs may differ
vm.mmap_rnd_bits = 32
vm.mmap_rnd_compat_bits = 16

# Heavily restrict writing to FIFOs; they must be owned, not in sticky dirs...
fs.protected_fifos = 2
# don't allow O_CREAT open on regular files that we don't own in world/group writable sticky directories,
# unless they are owned by the owner of the directory.
fs.protected_regular = 2
</pre>

[[Category:Networking]]

AppArmor

2024-06-12T20:47:20Z

Gresskar: Added Audit as a dependency when generating AppArmor profiles with the aa-* commands

{{TOC right}}

AppArmor is a kernel security module that restricts individual programs' capabilities. This can allow administrators to prevent programs accessing system resources in malicious ways according to per-applications specifications. AppArmor works by following profiles, which dictate what each application is and is not allowed to do.

== Installation ==

{{Cmd|# apk add {{Pkg|apparmor}}}}

 

You should also install <code>apparmor-utils</code> if you want to use the <code>aa</code> command to interact with AppArmor.

{{Cmd|# apk add {{Pkg|apparmor-utils}}}}

 

==Setup==

Run the command {{Cmd|# cat /sys/kernel/security/lsm}} to see what linux security modules are currently setup.

 

=== With SYSLINUX ===

Use a text editor of your choice (preferably a TUI based one since some GUI setups don't work with privilege escalation, unless you use sudo -e) to edit <pre>/boot/extlinux.conf</pre> such that the <code>'''APPEND'''</code> line ends with the following:

<pre>
lsm=landlock,yama,apparmor
</pre>

Note that because you're including lsm in this .conf file you are overriding the default lsm. Thus, you should include any lsm that you saw previously running in the above cat command. Additionally, lsm initializes these modules in order, so their position is important in regards to major/minor modules. Ensure that apparmor is placed first among major modules. Note for convenience that yama, capability, and landlock, which come with Alpine Linux, are not major modules, and apparmor can be placed after them. The module called capability is automatically included and does not need to be written in.

=== With GRUB ===

Add the following at the end of the value for key <code>'''GRUB_CMDLINE_LINUX_DEFAULT'''</code> to <code>/etc/default/grub</code>:

<pre>
apparmor=1 security=apparmor
</pre>

Then apply with:

{{Cmd|# grub-mkconfig -o /boot/grub/grub.cfg}}

 

== Running ==

Next, start AppArmor and tell [[OpenRC]] to start it on boot.

{{Cmd|# rc-service apparmor start}}

{{Cmd|# rc-update add apparmor boot}}

You can check if AppArmor is running with the command <code>aa-enabled</code>

{{Cmd|# aa-enabled}}

== Configuration ==

AppArmor works using rules established in profiles. A set of pre-made profiles is available for ease of use:

{{Cmd|# apk add {{Pkg|apparmor-profiles}}}}

Reboot following installation

=== Enabling Extra Profiles ===

Extra profiles reside in {{Path|/usr/share/apparmor/extra-profiles/}}. In order to enable to profile, it needs to be copied to {{Path|/etc/apparmor.d/}}:

If you want to enable the profile for <code>usr.bin.chromium-browser</code>, for example:

{{Cmd|# cp /usr/share/apparmor/extra-profiles/usr.bin.chromium-browser /etc/apparmor.d/}}

This will ''install'' the profile, it then needs to be set to '''complain''' or '''enforce''' mode:

{{Cmd|# aa-complain /etc/apparmor.d/usr.bin.chromium-browser}}

{{Note|Use <code>aa-enforce</code> to set it to enforce mode, '''but beware that this could break functionality'''.}}

=== Creating additional profiles ===

The profiles provided by the apparmor-profiles package are just a starter. You can create your own profiles, but first you must install and start <code>audit</code>

{{Cmd|# apk add {{Pkg|audit}}}}

{{Cmd|# rc-service auditd start}}

{{Cmd|# rc-update add auditd}}

 

Now you can generate your own profiles with

{{Cmd|# aa-easyprof /path/to/binary}}

or

{{Cmd|# aa-genprof /path/to/binary}}

 

Note that for this to work you'll probably need to set a more verbose [https://linuxconfig.org/introduction-to-the-linux-kernel-log-levels kernel log level]. For improved security, set it back to a higher level afterwards.

== Use ==

View AppArmor's report:

{{Cmd|# aa-status}}

This details how many and what profiles are in use as well as relevant findings, such as how many profiles are in complain mode or in kill mode.

== Troubleshooting ==

If you notice a bunch of AppArmor errors on boot, try running <code>aa-status</code> and <code>aa-enabled</code> in the terminal. If the output mentions AppArmor being disabled at boot, re-open your <code>/boot/extlinux.conf</code> file and make sure the '''APPEND''' line still ends with <code>lsm=landlock,yama,apparmor</code>

== See Also ==

* [https://wiki.apparmor.net/ AppArmor Wiki]
* [https://wiki.debian.org/AppArmor/HowToUse Debian Wiki: How to use AppArmor]
* [https://wiki.archlinux.org/title/AppArmor AppArmor entry on ArchWiki]

[[Category:Security]]
[[Category:Kernel]]

Alpine Linux - User contributions [en]

Sysctl.conf

AppArmor