authorhugbubby <hugbubby@protonmail.com>2018-05-21 02:56:03 -0700
committerNatanael Copa <ncopa@alpinelinux.org>2018-06-06 17:49:51 +0000
commit27b5767a9ebe609e84659eed250365c0a9bbbf71 (patch)
tree18ac21cd042f347939a01e584489d8a32c251d7b
parent30ada7ffb6dae9e62026afbc3a54013fc67c4f40 (diff)
downloadaports-27b5767a9ebe609e84659eed250365c0a9bbbf71.tar.bz2
aports-27b5767a9ebe609e84659eed250365c0a9bbbf71.tar.xz
main/alpine-baselayout: sysctl security changes.
-rw-r--r--main/alpine-baselayout/APKBUILD38
1 files changed, 36 insertions, 2 deletions
diff --git a/main/alpine-baselayout/APKBUILD b/main/alpine-baselayout/APKBUILD
index 87229ccf70..2e1a8673a2 100644
--- a/main/alpine-baselayout/APKBUILD
+++ b/main/alpine-baselayout/APKBUILD
@@ -1,8 +1,8 @@
# Contributor: Sören Tempel <soeren+alpine@soeren-tempel.net>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=alpine-baselayout
-pkgver=3.0.5
-pkgrel=3
+pkgver=3.0.6
+pkgrel=0
pkgdesc="Alpine base dir structure and init scripts"
url="https://git.alpinelinux.org/cgit/aports/tree/main/alpine-baselayout"
arch="all"
@@ -145,11 +145,45 @@ package() {
# content of this file will override /etc/sysctl.d/*
EOF
cat > "$pkgdir"/etc/sysctl.d/00-alpine.conf <<-EOF
+ # Prevents SYN DOS attacks. Applies to ipv6 as well, despite name.
net.ipv4.tcp_syncookies = 1
+
+ # Prevents ip spoofing.
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
+
+ # Only groups within this id range can use ping.
net.ipv4.ping_group_range=999 59999
+
+ # Redirects can potentially be used to maliciously alter hosts
+ # routing tables.
+ net.ipv4.conf.all.accept_redirects = 0
+ net.ipv4.conf.all.secure_redirects = 1
+ net.ipv6.conf.all.accept_redirects = 0
+ net.ipv6.conf.all.secure_redirects = 1
+
+ # The source routing feature includes some known vulnerabilities.
+ net.ipv4.conf.all.accept_source_route = 0
+ net.ipv6.conf.all.accept_source-route = 0
+
+ # See RFC 1337
+ net.ipv4.tcp_rfc1337 = 1
+
+ ## Enable IPv6 Privacy Extensions (see RFC4941 and RFC3041)
+ net.ipv6.conf.default.use_tempaddr = 2
+ net.ipv6.conf.all.use_tempaddr = 2
+
+ # Restarts computer after 120 seconds after kernel panic
kernel.panic = 120
+
+ ## Disable magic-sysrq key
+ kernel.sysrq = 0
+
+ # Users should not be able to create soft or hard links to files
+ # which they do not own. This mitigates several privilege
+ # escalation vulnerabilities.
+ fs.protected_hardlinks = 1
+ fs.protected_symlinks = 1
EOF
cat > "$pkgdir"/etc/fstab <<-EOF
/dev/cdrom /media/cdrom iso9660 noauto,ro 0 0
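Review bot: The key on the `net.ipv6.conf.all.accept_source-route = 0` line uses a hyphen where the kernel's sysctl name has an underscore, so that entry cannot be applied and IPv6 source routing stays at the kernel default; it should read `net.ipv6.conf.all.accept_source_route = 0`. Likewise `net.ipv6.conf.all.secure_redirects = 1` names a key that exists only under the IPv4 tree (there is no secure_redirects in /proc/sys/net/ipv6/conf), so that line will only produce an error when the file is loaded and should be dropped. For accept_redirects and accept_source_route the hunk sets only the `all` variant, while for IPv4 the kernel documents the effective value as a combination of the `all` and per-interface settings; adding the matching `net.ipv4.conf.default.accept_redirects = 0` and `net.ipv4.conf.default.accept_source_route = 0` lines (mirroring what the file already does for rp_filter) would make the hardening also cover interfaces brought up after boot. The enclosing package() function and the surrounding heredoc pattern start before and continue after this hunk.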