author | hugbubby <hugbubby@protonmail.com> | 2018-05-21 02:56:03 -0700 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2018-06-06 17:49:51 +0000 |
commit | 27b5767a9ebe609e84659eed250365c0a9bbbf71 (patch) | |
tree | 18ac21cd042f347939a01e584489d8a32c251d7b | |
parent | 30ada7ffb6dae9e62026afbc3a54013fc67c4f40 (diff) | |
main/alpine-baselayout: sysctl security changes.
-rw-r--r-- | main/alpine-baselayout/APKBUILD | 38 |
1 files changed, 36 insertions, 2 deletions
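--- a/main/alpine-baselayout/APKBUILD
+++ b/main/alpine-baselayout/APKBUILD
@@ -1,8 +1,8 @@
 # Contributor: Sören Tempel <soeren+alpine@soeren-tempel.net>
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=alpine-baselayout
-pkgver=3.0.5
-pkgrel=3
+pkgver=3.0.6
+pkgrel=0
 pkgdesc="Alpine base dir structure and init scripts"
 url="https://git.alpinelinux.org/cgit/aports/tree/main/alpine-baselayout"
 arch="all"
@@ -145,11 +145,45 @@ package() {
 # content of this file will override /etc/sysctl.d/*
 EOF
 cat > "$pkgdir"/etc/sysctl.d/00-alpine.conf <<-EOF
+# Prevents SYN DOS attacks. Applies to ipv6 as well, despite name.
 net.ipv4.tcp_syncookies = 1
+
+# Prevents ip spoofing.
 net.ipv4.conf.default.rp_filter = 1
 net.ipv4.conf.all.rp_filter = 1
+
+# Only groups within this id range can use ping.
 net.ipv4.ping_group_range=999 59999
+
+# Redirects can potentially be used to maliciously alter hosts
+# routing tables.
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.all.secure_redirects = 1
+net.ipv6.conf.all.accept_redirects = 0
+net.ipv6.conf.all.secure_redirects = 1
+
+# The source routing feature includes some known vulnerabilities.
+net.ipv4.conf.all.accept_source_route = 0
+net.ipv6.conf.all.accept_source-route = 0
+
+# See RFC 1337
+net.ipv4.tcp_rfc1337 = 1
+
+## Enable IPv6 Privacy Extensions (see RFC4941 and RFC3041)
+net.ipv6.conf.default.use_tempaddr = 2
+net.ipv6.conf.all.use_tempaddr = 2
+
+# Restarts computer after 120 seconds after kernel panic
 kernel.panic = 120
+
+## Disable magic-sysrq key
+kernel.sysrq = 0
+
+# Users should not be able to create soft or hard links to files
+# which they do not own. This mitigates several privilege
+# escalation vulnerabilities.
+fs.protected_hardlinks = 1
+fs.protected_symlinks = 1
 EOF
 cat > "$pkgdir"/etc/fstab <<-EOF
 /dev/cdrom /media/cdrom iso9660 noauto,ro 0 0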
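Review bot: `net.ipv6.conf.all.accept_source-route = 0` in the new 00-alpine.conf heredoc misspells the key (hyphen instead of underscore), so no such sysctl entry exists and that line will be reported as an error rather than disabling IPv6 source routing; it should read `net.ipv6.conf.all.accept_source_route = 0`. As far as I know the kernel only exposes `secure_redirects` under `net.ipv4.conf.*`, so `net.ipv6.conf.all.secure_redirects = 1` is likely to fail the same way and is worth checking against the ip-sysctl documentation and dropping if it does not exist. The redirect and source-route settings are also written only for `conf.all`, unlike rp_filter which sets both `default` and `all`; adding matching `net.ipv4.conf.default.*` and `net.ipv6.conf.default.*` lines would keep the block consistent and cover interfaces configured after the file is applied. Whether an invalid key stops the remaining entries from being applied depends on the sysctl implementation that loads this file, which is outside the hunk, as is the rest of the enclosing package() function.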