diff options
| author | hugbubby <hugbubby@protonmail.com> | 2018-05-21 02:56:03 -0700 |
|---|---|---|
| committer | Natanael Copa <ncopa@alpinelinux.org> | 2018-06-06 17:49:51 +0000 |
| commit | 27b5767a9ebe609e84659eed250365c0a9bbbf71 (patch) | |
| tree | 18ac21cd042f347939a01e584489d8a32c251d7b | |
| parent | 30ada7ffb6dae9e62026afbc3a54013fc67c4f40 (diff) | |
| download | alpine_aports-27b5767a9ebe609e84659eed250365c0a9bbbf71.tar.bz2 alpine_aports-27b5767a9ebe609e84659eed250365c0a9bbbf71.tar.xz alpine_aports-27b5767a9ebe609e84659eed250365c0a9bbbf71.zip | |
main/alpine-baselayout: sysctl security changes.
| -rw-r--r-- | main/alpine-baselayout/APKBUILD | 38 |
1 files changed, 36 insertions, 2 deletions
diff --git a/main/alpine-baselayout/APKBUILD b/main/alpine-baselayout/APKBUILD index 87229ccf70..2e1a8673a2 100644 --- a/main/alpine-baselayout/APKBUILD +++ b/main/alpine-baselayout/APKBUILD | |||
| @@ -1,8 +1,8 @@ | |||
| 1 | # Contributor: Sören Tempel <soeren+alpine@soeren-tempel.net> | 1 | # Contributor: Sören Tempel <soeren+alpine@soeren-tempel.net> |
| 2 | # Maintainer: Natanael Copa <ncopa@alpinelinux.org> | 2 | # Maintainer: Natanael Copa <ncopa@alpinelinux.org> |
| 3 | pkgname=alpine-baselayout | 3 | pkgname=alpine-baselayout |
| 4 | pkgver=3.0.5 | 4 | pkgver=3.0.6 |
| 5 | pkgrel=3 | 5 | pkgrel=0 |
| 6 | pkgdesc="Alpine base dir structure and init scripts" | 6 | pkgdesc="Alpine base dir structure and init scripts" |
| 7 | url="https://git.alpinelinux.org/cgit/aports/tree/main/alpine-baselayout" | 7 | url="https://git.alpinelinux.org/cgit/aports/tree/main/alpine-baselayout" |
| 8 | arch="all" | 8 | arch="all" |
| @@ -145,11 +145,45 @@ package() { | |||
| 145 | # content of this file will override /etc/sysctl.d/* | 145 | # content of this file will override /etc/sysctl.d/* |
| 146 | EOF | 146 | EOF |
| 147 | cat > "$pkgdir"/etc/sysctl.d/00-alpine.conf <<-EOF | 147 | cat > "$pkgdir"/etc/sysctl.d/00-alpine.conf <<-EOF |
| 148 | # Prevents SYN DOS attacks. Applies to ipv6 as well, despite name. | ||
| 148 | net.ipv4.tcp_syncookies = 1 | 149 | net.ipv4.tcp_syncookies = 1 |
| 150 | |||
| 151 | # Prevents ip spoofing. | ||
| 149 | net.ipv4.conf.default.rp_filter = 1 | 152 | net.ipv4.conf.default.rp_filter = 1 |
| 150 | net.ipv4.conf.all.rp_filter = 1 | 153 | net.ipv4.conf.all.rp_filter = 1 |
| 154 | |||
| 155 | # Only groups within this id range can use ping. | ||
| 151 | net.ipv4.ping_group_range=999 59999 | 156 | net.ipv4.ping_group_range=999 59999 |
| 157 | |||
| 158 | # Redirects can potentially be used to maliciously alter hosts | ||
| 159 | # routing tables. | ||
| 160 | net.ipv4.conf.all.accept_redirects = 0 | ||
| 161 | net.ipv4.conf.all.secure_redirects = 1 | ||
| 162 | net.ipv6.conf.all.accept_redirects = 0 | ||
| 163 | net.ipv6.conf.all.secure_redirects = 1 | ||
| 164 | |||
| 165 | # The source routing feature includes some known vulnerabilities. | ||
| 166 | net.ipv4.conf.all.accept_source_route = 0 | ||
| 167 | net.ipv6.conf.all.accept_source-route = 0 | ||
| 168 | |||
| 169 | # See RFC 1337 | ||
| 170 | net.ipv4.tcp_rfc1337 = 1 | ||
| 171 | |||
| 172 | ## Enable IPv6 Privacy Extensions (see RFC4941 and RFC3041) | ||
| 173 | net.ipv6.conf.default.use_tempaddr = 2 | ||
| 174 | net.ipv6.conf.all.use_tempaddr = 2 | ||
| 175 | |||
| 176 | # Restarts computer after 120 seconds after kernel panic | ||
| 152 | kernel.panic = 120 | 177 | kernel.panic = 120 |
| 178 | |||
| 179 | ## Disable magic-sysrq key | ||
| 180 | kernel.sysrq = 0 | ||
| 181 | |||
| 182 | # Users should not be able to create soft or hard links to files | ||
| 183 | # which they do not own. This mitigates several privilege | ||
| 184 | # escalation vulnerabilities. | ||
| 185 | fs.protected_hardlinks = 1 | ||
| 186 | fs.protected_symlinks = 1 | ||
| 153 | EOF | 187 | EOF |
| 154 | cat > "$pkgdir"/etc/fstab <<-EOF | 188 | cat > "$pkgdir"/etc/fstab <<-EOF |
| 155 | /dev/cdrom /media/cdrom iso9660 noauto,ro 0 0 | 189 | /dev/cdrom /media/cdrom iso9660 noauto,ro 0 0 |