Kernel parameters for hardening

/etc/security/limits.conf

Concept

https://wiki.archlinux.org/index.php/Limits.conf

/etc/security/limits.conf allows setting resource limits for users logged in via PAM. This is a useful way of preventing, for example, fork-bombs from using up all system resources.

Note: The file does not affect system services. For systemd services the files /etc/systemd/system.conf, /etc/systemd/user.conf, and /etc/systemd/<systemd_unit>/override.conf control the limit. See the systemd-system.conf(5) man page for details.

Config sample

https://linux.die.net/man/5/limits.conf

* soft nofile 160000

The syntax of the lines is as follows:

<domain> <type> <item> <value>

Note: The domain * does not include the root user; root must be listed explicitly.

domain

username, group, uid, gid, uid range, gid range, etc.

type

  • hard: limits set by the superuser and enforced by the kernel.
  • soft: limits the user can raise or lower, up to the ceiling set by the corresponding hard limit.

item

  • nofile: maximum number of open files.
  • nproc: maximum number of processes.
  • stack: maximum stack size (KB).
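
As an added example (not code from the page or the linked man page), a small Python checker that parses limits.conf lines against the <domain> <type> <item> <value> syntax above and reports items limited for * but not for root, since * never covers root. The sample file content is constructed here:

```python
"""Audit limits.conf entries: validate syntax and flag wildcard limits
that leave root uncovered (added example, constructed sample input)."""
import re

ITEMS = {"core", "data", "fsize", "memlock", "nofile", "rss", "stack", "cpu",
         "nproc", "as", "maxlogins", "maxsyslogins", "priority", "locks",
         "sigpending", "msgqueue", "nice", "rtprio"}
TYPES = {"hard", "soft", "-"}          # "-" sets both hard and soft
NO_LIMIT = {"unlimited", "infinity", "-1"}

# Constructed sample: '*' limits nofile, but no line names root.
SAMPLE = """\
# /etc/security/limits.conf (constructed sample)
*        soft    nofile   160000
*        hard    nofile   200000
@devs    hard    nproc    4096
bob      soft    stack    16384
bogus    soft    nofiles  10
"""

def parse_limits(text):
    """Return (entries, errors): entries as dicts, malformed lines as
    (line number, reason) tuples. Comments and blank lines are skipped."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4:
            errors.append((lineno, "expected 4 fields"))
            continue
        domain, ltype, item, value = fields
        if ltype not in TYPES:
            errors.append((lineno, f"unknown type {ltype}"))
        elif item not in ITEMS:
            errors.append((lineno, f"unknown item {item}"))
        elif value not in NO_LIMIT and not re.fullmatch(r"-?\d+", value):
            errors.append((lineno, f"bad value {value}"))
        else:
            entries.append({"domain": domain, "type": ltype,
                            "item": item, "value": value})
    return entries, errors

def root_gaps(entries):
    """Items limited for '*' with no explicit root line: these limits
    silently do not apply to the superuser."""
    wildcard = {e["item"] for e in entries if e["domain"] == "*"}
    rooted = {e["item"] for e in entries if e["domain"] == "root"}
    return sorted(wildcard - rooted)

if __name__ == "__main__":
    ents, errs = parse_limits(SAMPLE)
    print("errors:", errs)
    print("items not covering root:", root_gaps(ents))
```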

/etc/security/access.conf

https://linux.die.net/man/5/access.conf

The /etc/security/access.conf file specifies (user/group, host), (user/group, network/netmask) or (user/group, tty) combinations for which a login will be either accepted or refused.

Each line of the login access control table has three fields separated by a “:” character (colon):

permission:users/groups:origins

  • permission: + (access granted) or - (access denied).
  • users/groups: a list of login or group names; the ALL and EXCEPT keywords can be used.
  • origins: tty, IP address, domain, ALL, EXCEPT, etc.

sysctl

Concept

sysctl is not systemctl. The "system" in sysctl refers to the Linux kernel: the sysctl command reads and changes kernel parameters, which we can use for hardening.

https://linux.die.net/man/8/sysctl

In many Linux distributions the default configuration file is /etc/sysctl.conf.

Once you have edited the config file, apply (reload) it with the following command:

sysctl -p /etc/sysctl.conf

For hardening configurations, here is a good sample:

https://www.cyberciti.biz/faq/linux-kernel-etcsysctl-conf-security-hardening/

/etc/modules

http://manpages.ubuntu.com/manpages/focal/man5/modules.5.html

The /etc/modules file contains the names of kernel modules that are to be loaded at boot time, one per line.

nf_conntrack

To be written…

lsmod command

Shows currently loaded modules.