Re: sysctl.conf
Hi.

On Sun, 27 Oct 2013 11:25:15 +0400 Dmitrii Kashin wrote:
> Sysctl is used in order to give the kernel some default parameters to work
> with. The most common cases to use it:
> - to allow packet redirection
> - to enable/disable IPv6 support
> - to change console behavior and printk output.
> ..and so on, so on...
>
> Do you really need some of this?

Don't forget restricting mmap from userspace to kernelspace (such mmap
led to NULL-pointer dereferences in the kernel in the past) with
vm.mmap_min_addr. Or restricting the privileges of the perf kernel
subsystem (local privilege escalation to root) with
kernel.perf_event_paranoid. Or bringing some sanity into the virtual
memory kernel subsystem with vm.swappiness and vm.dirty_bytes.

The user may need some of this.

Reco

-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20131027114024.f47ab436c3e54f16314e8...@gmail.com
Re: sysctl.conf
Roland RoLaNd writes:

> that's the thing, i'm reading up on sysctl and don't have the
> necessary knowledge to know what to "expect" at the moment.

You have to know what you will get in the end. In my opinion it is
strongly recommended. You could begin with something easier, for
example configuring your shell or text editor.

Sysctl is used in order to give the kernel some default parameters to work
with. The most common cases to use it:
- to allow packet redirection
- to enable/disable IPv6 support
- to change console behavior and printk output.
..and so on, so on...

Do you really need some of this?
Re: sysctl.conf
Roland RoLaNd writes:

> All,
> I'm reading up on how to harden Debian. I just checked /etc/sysctl.conf
> and noticed that everything is commented out. Does that mean they're
> running as defaults, or that none of what exists in this file is
> implemented?

All of the options in the default configuration files *are* implemented.
Some lines are commented out because they provide users with
functionality that is not a common configuration, but is very often
needed.
Re: sysctl.conf
On Sat, Oct 26, 2013 at 7:58 PM, Ralf Mardorf wrote:
> On Sat, 2013-10-26 at 21:37 +0200, Roland RoLaNd wrote:
>>
>> I'm reading up on how to harden Debian.
>> I just checked /etc/sysctl.conf and noticed that everything is
>> commented out.
>> Does that mean they're running as defaults, or that none of what
>> exists in this file is implemented?
>
> What do you expect?
>
> I'm using another distro that switched.
>
> ls /etc/sysctl*
> /etc/sysctl.conf.pacnew /etc/sysctl.conf.pacsave
>
> /etc/sysctl.d:
>
> blah
>
> To my surprise, there were unusual settings in /etc/sysctl.conf; I
> dropped them during the transition.
>
> What exactly should be not commented out by default?
>
> For the distro I'm using there only is
>
> net.ipv4.tcp_syncookies = 1
> net.ipv4.ip_forward = 0
> net.ipv6.conf.all.forwarding = 0
>
> by default. I had much more in my /etc/sysctl.conf, caused by whatever
> package, but not by me, and after I dropped those settings, nothing evil
> happened.

You might want to check "/usr/lib/sysctl.d/" on your "other distro." :)

Debian has "/lib/modprobe.d" so "/lib/sysctl.d" might follow one day...

Archive: http://lists.debian.org/CAOdo=swib75_kotqan97trttewc4wry_hx0e2w5kyxm69o1...@mail.gmail.com
Re: sysctl.conf
On Sat, Oct 26, 2013 at 7:37 PM, Roland RoLaNd wrote:
>
> I'm reading up on how to harden Debian.
> I just checked /etc/sysctl.conf and noticed that everything is commented
> out.
> Does that mean they're running as defaults, or that none of what exists
> in this file is implemented?

The commented-out settings are values that are set more or less often,
but they're commented out and unset. You can check what values are set
with "sysctl -a".

Archive: http://lists.debian.org/CAOdo=swep51uzwaypxwprh0yqehvk66xsgkz1owyhkntzud...@mail.gmail.com
RE: sysctl.conf
That's the thing: I'm reading up on sysctl and don't have the necessary
knowledge to know what to "expect" at the moment. Though some did
actually intrigue me, such as:

19 #net.ipv4.conf.default.rp_filter=1
20 #net.ipv4.conf.all.rp_filter=1

43 # Do not accept ICMP redirects (prevent MITM attacks)
44 #net.ipv4.conf.all.accept_redirects = 0
45 #net.ipv6.conf.all.accept_redirects = 0

> Subject: Re: sysctl.conf
> From: ralf.mard...@alice-dsl.net
> To: debian-user@lists.debian.org
> Date: Sat, 26 Oct 2013 21:58:59 +0200
>
> On Sat, 2013-10-26 at 21:37 +0200, Roland RoLaNd wrote:
> > All,
> >
> > I'm reading up on how to harden Debian.
> > I just checked /etc/sysctl.conf and noticed that everything is
> > commented out.
> > Does that mean they're running as defaults, or that none of what
> > exists in this file is implemented?
>
> What do you expect?
>
> I'm using another distro that switched.
>
> ls /etc/sysctl*
> /etc/sysctl.conf.pacnew /etc/sysctl.conf.pacsave
>
> /etc/sysctl.d:
>
> blah
>
> To my surprise, there were unusual settings in /etc/sysctl.conf; I
> dropped them during the transition.
>
> What exactly should be not commented out by default?
>
> For the distro I'm using there only is
>
> net.ipv4.tcp_syncookies = 1
> net.ipv4.ip_forward = 0
> net.ipv6.conf.all.forwarding = 0
>
> by default. I had much more in my /etc/sysctl.conf, caused by whatever
> package, but not by me, and after I dropped those settings, nothing evil
> happened.
>
> So again, what should be enabled by this file?
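The question running through this thread is whether a commented-out line in /etc/sysctl.conf does anything (it does not; sysctl --load skips it) and how to tell what the kernel actually has. The script below is an added example written for this page, not code from the thread, from Debian or from procps. It parses a constructed sysctl.conf fragment the way sysctl --load reads it, prints only the active lines, and compares each against the running kernel by reading /proc/sys directly, which is what "sysctl -a" and "sysctl -n KEY" do underneath. The fragment mixes the rp_filter and accept_redirects lines Roland quoted with the keys Reco listed (vm.mmap_min_addr, kernel.perf_event_paranoid); the values 65536 and 2 are illustrative choices for the example, not Debian's shipped defaults. The key-to-path rule (whichever of "." or "/" appears first is the separator, the other is literal) follows sysctl(8)'s handling of interface names such as eth0.100. Live comparison only works on Linux; elsewhere every key reports as missing.

```shell
#!/bin/sh
# Added example (not from the debian-user thread, Debian or procps):
# parse a sysctl.conf-style file, list the lines that are actually active,
# and compare them with the running kernel via /proc/sys.

# Constructed sample in /etc/sysctl.conf syntax.  The two rp_filter lines are
# commented out exactly as in the file Roland quoted, so they are NOT applied;
# the remaining lines are active.  A leading "-" tells sysctl --load to ignore
# errors for that key (e.g. where IPv6 is compiled out), per sysctl.conf(5).
# Values (65536, 2) are illustrative choices, not Debian defaults.
SAMPLE_SYSCTL_CONF='
# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1

net.ipv4.tcp_syncookies = 1
net.ipv4.ip_forward = 0
-net.ipv6.conf.all.forwarding = 0
# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
# Keep the low end of the address space unmappable from userspace
vm.mmap_min_addr = 65536
# Restrict perf_event_open() for unprivileged users
kernel.perf_event_paranoid = 2
'

# Write the sample to a temporary file and print its path.
write_sample_conf() {
    f=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_SYSCTL_CONF" > "$f"
    printf '%s\n' "$f"
}

# Print "key=value" for every active line of FILE: lines starting with "#" or
# ";" and blank lines are dropped, a leading "-" is stripped, and whitespace
# around "=" is removed.  Commented-out lines never reach the kernel.
sysctl_active_settings() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e '/^[#;]/d' -e '/^$/d' \
        -e 's/^-//' \
        -e 's/[[:space:]]*=[[:space:]]*/=/' "$1"
}

# Map a key to its /proc/sys path.  Whichever of "." or "/" appears first in
# the key is the separator and the other is literal, so both
# net.ipv4.conf.eth0/100.rp_filter and net/ipv4/conf/eth0.100/rp_filter
# resolve to /proc/sys/net/ipv4/conf/eth0.100/rp_filter.
sysctl_key_to_path() {
    key=$1
    before_slash=${key%%/*}
    before_dot=${key%%.*}
    if [ ${#before_slash} -lt ${#before_dot} ]; then
        printf '/proc/sys/%s\n' "$key"                       # "/" came first
    else
        printf '/proc/sys/%s\n' "$(printf '%s' "$key" | tr './' '/.')"
    fi
}

# Compare one key against the running kernel.
# Returns 0 if equal, 1 if different, 2 if the key does not exist here
# (module not loaded, feature compiled out, or not a Linux host at all).
sysctl_check() {
    path=$(sysctl_key_to_path "$1")
    [ -r "$path" ] || return 2
    have=$(cat "$path" 2>/dev/null) || return 2
    [ "$have" = "$2" ]
}

# Report every active setting in FILE as ok / DRIFT / missing.
# Returns 1 if anything drifted, 0 otherwise.
sysctl_audit() {
    drift=0
    tmp=$(mktemp) || return 2
    sysctl_active_settings "$1" > "$tmp"
    while IFS= read -r line; do
        key=${line%%=*}
        want=${line#*=}
        sysctl_check "$key" "$want"
        case $? in
            0) printf 'ok       %s = %s\n' "$key" "$want" ;;
            1) printf 'DRIFT    %s = %s (kernel has %s)\n' "$key" "$want" \
                   "$(cat "$(sysctl_key_to_path "$key")")"
               drift=1 ;;
            *) printf 'missing  %s (no such key on this kernel)\n' "$key" ;;
        esac
    done < "$tmp"
    rm -f "$tmp"
    return $drift
}

conf=$(write_sample_conf)
echo "Active settings in the sample (commented lines are not applied):"
sysctl_active_settings "$conf"
echo
echo "Compared with the running kernel:"
sysctl_audit "$conf" || echo "At least one active setting differs from the running kernel."
rm -f "$conf"
```

Run against Debian's stock /etc/sysctl.conf, sysctl_active_settings prints nothing, which is the direct answer to the original question: every line is a comment, so the file applies no settings and the kernel runs with its built-in defaults (or whatever /etc/sysctl.d/ and the package drop-ins set). After uncommenting a line, "sysctl -p" applies it and the audit should flip from DRIFT to ok.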
Re: sysctl.conf
On Sat, 2013-10-26 at 21:37 +0200, Roland RoLaNd wrote:
> All,
>
>
> I'm reading up on how to harden Debian.
> I just checked /etc/sysctl.conf and noticed that everything is
> commented out.
> Does that mean they're running as defaults, or that none of what
> exists in this file is implemented?

What do you expect?

I'm using another distro that switched.

ls /etc/sysctl*
/etc/sysctl.conf.pacnew /etc/sysctl.conf.pacsave

/etc/sysctl.d:

blah

To my surprise, there were unusual settings in /etc/sysctl.conf; I
dropped them during the transition.

What exactly should be not commented out by default?

For the distro I'm using there only is

net.ipv4.tcp_syncookies = 1
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0

by default. I had much more in my /etc/sysctl.conf, caused by whatever
package, but not by me, and after I dropped those settings, nothing evil
happened.

So again, what should be enabled by this file?

Archive: http://lists.debian.org/1382817539.656.269.camel@archlinux