Kernel Parameters

Hardening the Security of Kernel Parameters

Description

Kernel parameters (sysctl settings) control the run-time behaviour of the kernel: how the network stack treats incoming packets, what it forwards or answers, and what unprivileged processes are allowed to see or do. They are exposed under /proc/sys and can be read and written with the sysctl command, or set persistently in /etc/sysctl.conf and in /etc/sysctl.d/*.conf. Tightening the parameters below removes avoidable attack surface without changing the workload; for example, the network options stop the host from answering broadcast pings, honouring ICMP redirects, or forwarding packets it has no business forwarding.

Implementation

  1. Write the hardening items in Table 1 to the /etc/sysctl.conf file (or to a drop-in file under /etc/sysctl.d/, which is read the same way at boot).

    NOTE:
    Record each item as one "key = value" pair per line, for example:

    net.ipv4.icmp_echo_ignore_broadcasts = 1  
    net.ipv4.conf.all.rp_filter = 1  
    net.ipv4.conf.default.rp_filter = 1  
    

    Table 1 Policies for hardening the security of kernel parameters

    The conf.all entries apply to all existing interfaces and the matching conf.default entries are the template for interfaces created later, so each pair is set together.

    | Item | Description | Suggestion | Configured as Suggested |
    |---|---|---|---|
    | net.ipv4.icmp_echo_ignore_broadcasts | Whether the host answers ICMP echo requests sent to broadcast or multicast addresses. Ignoring them stops the host from being used as an amplifier in smurf-style floods. They are ignored according to the hardening policy. | 1 | Yes |
    | net.ipv4.conf.all.rp_filter | Reverse path filtering: a packet is dropped if a reply to its source address would not leave through the interface on which it arrived (strict mode). This blocks most source-address spoofing but breaks asymmetric routing; multi-homed hosts that need asymmetric paths should use 2 (loose mode) instead. Strict mode is enabled according to the hardening policy. | 1 | Yes |
    | net.ipv4.conf.default.rp_filter | Same as net.ipv4.conf.all.rp_filter, for interfaces created later. | 1 | Yes |
    | net.ipv4.ip_forward | Whether the kernel forwards IPv4 packets between interfaces, that is, acts as a router. A host that is not a router has no reason to relay packets for other machines, so forwarding is disabled according to the hardening policy. Container runtimes and virtualization hosts need it enabled and usually turn it on themselves. | 0 | Yes |
    | net.ipv4.conf.all.accept_source_route | Whether source-routed packets are accepted. Source routing lets the sender dictate the path a packet takes and the path its reply follows, which can be used to reach hosts behind filters or to make spoofed replies return to the attacker. It is disabled according to the hardening policy. | 0 | Yes |
    | net.ipv4.conf.default.accept_source_route | Same as net.ipv4.conf.all.accept_source_route, for interfaces created later. | 0 | Yes |
    | net.ipv4.conf.all.accept_redirects | Whether ICMP redirect messages are accepted. Accepting them lets any host on the local network rewrite this host's routes and put itself in the middle of its traffic, so they are ignored according to the hardening policy. | 0 | Yes |
    | net.ipv4.conf.default.accept_redirects | Same as net.ipv4.conf.all.accept_redirects, for interfaces created later. | 0 | Yes |
    | net.ipv6.conf.all.accept_redirects | The IPv6 equivalent of net.ipv4.conf.all.accept_redirects. | 0 | Yes |
    | net.ipv6.conf.default.accept_redirects | Same as net.ipv6.conf.all.accept_redirects, for interfaces created later. | 0 | Yes |
    | net.ipv4.conf.all.send_redirects | Whether this host sends ICMP redirect messages to other hosts. Only a router has a reason to do so, and a non-router sending redirects leaks routing information, so it is disabled according to the hardening policy. | 0 | Yes |
    | net.ipv4.conf.default.send_redirects | Same as net.ipv4.conf.all.send_redirects, for interfaces created later. | 0 | Yes |
    | net.ipv4.icmp_ignore_bogus_error_responses | Do not log bogus ICMP error responses (for example the replies some non-compliant routers send to broadcast frames). This keeps junk out of the kernel log and saves disk space. It is enabled according to the hardening policy. | 1 | Yes |
    | net.ipv4.tcp_syncookies | A SYN flood is a DoS attack that fills the queue of half-open connections so that legitimate connection attempts are refused. With SYN cookies the kernel can keep accepting connections after the queue overflows without storing per-connection state. TCP SYN cookie protection is enabled according to the hardening policy. | 1 | Yes |
    | kernel.dmesg_restrict | Restricts reading the kernel log (dmesg) to privileged processes (CAP_SYSLOG), so unprivileged users cannot harvest kernel addresses, hardware details and error messages that help in building exploits. Only the administrator can view the messages. | 1 | Yes |
    | kernel.sched_autogroup_enabled | Whether the scheduler automatically groups tasks by session and schedules the groups against each other. When enabled, scheduling groups compete for CPU time and the threads in a group share the time allocated to that group. It is disabled according to the hardening policy. | 0 | No |
    | kernel.sysrq | Disables the magic SysRq key. NOTE: You are advised to disable it so that anyone with console access cannot pass commands (reboot, kill all processes, dump memory) directly to the kernel. | 0 | Yes |
    | net.ipv4.conf.all.secure_redirects | When set to 1, ICMP redirects are honoured only if they come from a gateway in the interface's default gateway list. Setting it to 0 removes that exception, so together with accept_redirects = 0 no redirect is honoured at all. It is set to 0 according to the hardening policy. | 0 | Yes |
    | net.ipv4.conf.default.secure_redirects | Same as net.ipv4.conf.all.secure_redirects, for interfaces created later. | 0 | Yes |

  2. Run the following command to load the kernel parameters set in the sysctl.conf file:

    sysctl -p /etc/sysctl.conf
    
    The values take effect immediately and are applied again at boot. If a parameter does not exist on the running kernel (for example the net.ipv6 entries on a system with IPv6 disabled), sysctl reports an error for that line and continues with the remaining ones, so read its output to see which lines were not applied.
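    The two steps above as one script, added here as an example and not part of the original page or of openEuler's own tooling. It writes the Table 1 items to a sysctl drop-in, loads every sysctl file the way systemd-sysctl does at boot, and then audits the running values under /proc/sys against the expected ones, reporting a mismatch or a parameter that the running kernel does not have. The drop-in path /etc/sysctl.d/99-hardening.conf and the PROC_SYS override (used to audit a copy of /proc/sys) are this example's own assumptions.

```shell
#!/bin/sh
# Added example: write, load and audit the Table 1 hardening items.
# "apply" must run as root; "audit" works as any user.
# Assumptions: HARDENING_CONF and PROC_SYS below are this example's own choices.

HARDENING_CONF="${HARDENING_CONF:-/etc/sysctl.d/99-hardening.conf}"
PROC_SYS="${PROC_SYS:-/proc/sys}"

# The Table 1 suggestions, one "key = value" per line.
hardening_items() {
    cat <<'EOF'
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
kernel.dmesg_restrict = 1
kernel.sched_autogroup_enabled = 0
kernel.sysrq = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
EOF
}

# Map a sysctl key to its file: net.ipv4.ip_forward -> $PROC_SYS/net/ipv4/ip_forward
sysctl_path() {
    printf '%s/%s\n' "$PROC_SYS" "$(printf '%s' "$1" | tr . /)"
}

# Strip surrounding whitespace and collapse inner runs (multi-value sysctls use tabs).
trim() {
    printf '%s' "$1" | tr -s ' \t' ' ' | sed 's/^ //;s/ $//'
}

# Read "key = value" lines on stdin and compare each with the running kernel.
# Prints one line per key; the exit status is 1 if anything is missing or differs.
audit_sysctl() {
    rc=0
    while IFS='=' read -r key want; do
        key=$(trim "$key"); want=$(trim "$want")
        case "$key" in ''|'#'*|';'*) continue ;; esac   # blank and comment lines
        path=$(sysctl_path "$key")
        if [ ! -f "$path" ]; then
            printf 'MISSING  %s (no %s on this kernel)\n' "$key" "$path"
            rc=1
            continue
        fi
        have=$(trim "$(cat "$path")")
        if [ "$have" = "$want" ]; then
            printf 'OK       %s = %s\n' "$key" "$have"
        else
            printf 'MISMATCH %s: running=%s expected=%s\n' "$key" "$have" "$want"
            rc=1
        fi
    done
    return "$rc"
}

# Overwrite the drop-in and load all sysctl files (/etc/sysctl.d/*.conf, /etc/sysctl.conf).
apply_hardening() {
    hardening_items > "$HARDENING_CONF"
    sysctl --system
}

case "${1:-}" in
    apply) apply_hardening && hardening_items | audit_sysctl ;;
    audit) hardening_items | audit_sysctl ;;
esac
```

    Running the script with `audit` after a reboot is the quickest way to confirm the drop-in survived and was not overridden by a later file in /etc/sysctl.d/; a MISSING line for a net.ipv6 key means IPv6 is disabled on that kernel and the entry can be dropped rather than fixed.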

Other Security Suggestions

  • net.ipv4.icmp_echo_ignore_all: ignores all ICMP echo requests.

    For security purposes, you are advised to enable this item. The default value is 0. Set the value to 1 to enable it.

    Once enabled, the host drops every incoming ICMP echo request, so it can no longer be pinged; this also breaks monitoring and reachability checks that rely on ping. Decide whether to enable it based on your actual networking conditions.

  • net.ipv4.conf.all.log_martians/net.ipv4.conf.default.log_martians: logs martian packets, that is, packets whose source or destination address is impossible on the interface that received them: spoofed, source-routed and redirected packets, and packets rejected by rp_filter.

    For security purposes, you are advised to enable these items. The default value is 0. Set the value to 1 to enable them.

    Once enabled, each such packet produces a kernel log entry. Under a flood this is noisy: the kernel rate-limits the messages, and a large volume pushes older entries out of the fixed-size kernel ring buffer. Decide whether to enable it based on your actual usage scenario.

  • net.ipv4.tcp_timestamps: disables TCP timestamps.

    For security purposes, you are advised to disable TCP timestamps: the timestamp clock carried in every segment lets a remote party estimate the host's uptime and recognise it across address changes. The default value is 1. Set the value to 0 to disable them. Kernels 4.10 and later apply a random per-connection offset to the timestamp, which already defeats uptime estimation, so on such kernels the gain from disabling is small.

    Once disabled, the kernel loses the timestamp-based round-trip time measurement used for retransmission timeouts, as well as PAWS (protection against wrapped sequence numbers) on high-bandwidth connections. Decide whether to disable it based on your actual usage scenario.

  • net.ipv4.tcp_max_syn_backlog: limits the number of half-open connections (in the SYN_RECV state) queued for a listening socket.

    When the queue is full, further SYN packets are dropped (or, if net.ipv4.tcp_syncookies is enabled, answered with SYN cookies instead), which bounds the memory a SYN flood can consume. The default is scaled to available memory; size it for your expected connection rate rather than raising it blindly.
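    The logging caveat under log_martians above, handled by aggregation: an added example (not from the page) of a POSIX shell/awk function that reads kernel log lines and counts martian-source reports per interface and source address, so a flood becomes one line with a count that can feed an alert or a block rule. It keys on the kernel's "martian source <dst> from <src>, on dev <if>" warning, in which the offending source address is the one after "from"; the log lines are constructed for this example.

```shell
#!/bin/sh
# Added example: summarise log_martians output by interface and source address.
# Only "martian source" lines are counted; the "ll header:" lines that follow each
# one and the "martian destination" variant are skipped.

# Constructed sample of what "journalctl -k" or /var/log/messages might contain.
sample_kernel_log() {
    cat <<'EOF'
Mar 10 08:01:12 host kernel: IPv4: martian source 10.0.0.5 from 192.168.1.7, on dev eth0
Mar 10 08:01:12 host kernel: ll header: 00000000: ff ff ff ff ff ff 52 54 00 12 34 56 08 00
Mar 10 08:01:13 host kernel: IPv4: martian source 10.0.0.5 from 192.168.1.7, on dev eth0
Mar 10 08:01:14 host kernel: IPv4: martian source 10.0.0.5 from 127.0.0.1, on dev eth0
Mar 10 08:01:15 host kernel: IPv4: martian source 10.0.0.9 from 192.168.1.7, on dev eth1
Mar 10 08:01:16 host kernel: IPv4: martian destination 224.0.0.251 from 10.0.0.3, dev eth0
EOF
}

# Read kernel log lines on stdin; print "count dev src", highest count first.
summarize_martians() {
    awk '
        /martian source/ {
            # The word after "from" is the offending source (with a trailing comma),
            # the word after "dev" is the receiving interface.
            for (i = 1; i <= NF; i++) {
                if ($i == "from") { src = $(i + 1); sub(/,$/, "", src) }
                if ($i == "dev")  { dev = $(i + 1) }
            }
            count[dev " " src]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Print "dev src" for every pair seen more than $1 times: candidates for a block rule.
martian_sources_over() {
    summarize_martians | awk -v t="$1" '$1 > t { print $2, $3 }'
}

case "${1:-}" in
    demo) sample_kernel_log | summarize_martians ;;
esac
```

    Piping `journalctl -k --since -1h` into summarize_martians gives the hourly picture; a source that keeps appearing on an interface where it cannot legitimately exist (a private or loopback address arriving on an external interface) is either an upstream misconfiguration or a spoofing attempt, and either way belongs in a firewall drop rule rather than in the log.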
