https://unix-esoterica.com/tags/hardening/ Recent content in Hardening on UNIX Esoterica Hugo en Tue, 29 Apr 2025 08:41:24 +0200 https://unix-esoterica.com/posts/sysctl-hardening/ Tue, 29 Apr 2025 08:41:24 +0200 https://unix-esoterica.com/posts/sysctl-hardening/ <p>/etc/sysctl.conf - hardening</p> <p>Official OpenBSD Documentation</p> <p>sysctl(8) manpage - <a href="https://man.openbsd.org/sysctl.8" rel="noopener noreferrer" target="_blank">https://man.openbsd.org/sysctl.8</a> </p> <p>sysctl.conf(5) manpage - <a href="https://man.openbsd.org/sysctl.conf.5" rel="noopener noreferrer" target="_blank">https://man.openbsd.org/sysctl.conf.5</a> </p> <p>malloc(3) manpage - <a href="https://man.openbsd.org/free" rel="noopener noreferrer" target="_blank">https://man.openbsd.org/free</a> </p> <table> <thead> <tr> <th style="text-align: left">Sysctl Parameter</th> <th style="text-align: left">Description</th> </tr> </thead> <tbody> <tr> <td style="text-align: left"><code>ddb.panic=0</code></td> <td style="text-align: left">Reboot on a panic, instead of dropping into the debugger.</td> </tr> <tr> <td style="text-align: left"><code>ddb.console=0</code></td> <td style="text-align: left">Prevent entry into the kernel debugger.</td> </tr> <tr> <td style="text-align: left"><code>net.inet.ip.forwarding=0</code></td> <td style="text-align: left">Prevent inet4 forwarding for standalone workstations ( unless needed ).</td> </tr> <tr> <td style="text-align: left"><code>machdep.allowaperature=0</code></td> <td style="text-align: left">For systems that don&rsquo;t run X.</td> </tr> <tr> <td style="text-align: left"><code>vm.malloc_conf=CFGU</code></td> <td style="text-align: left">Individual arguments explained below.</td> </tr> <tr> <td style="text-align: left">C ( Cache disabled )</td> <td style="text-align: left">Reduces the chance that sensitive data ( like passwords, keys, etc ) remains in memory after being freed.</td> </tr> <tr> <td style="text-align: left">F ( Free junking )</td> <td style="text-align: left">Easier to detect user-after-free bugs ( access to freed memory ), and prevents old data from leaking if memory is later misused.</td> </tr> <tr> <td style="text-align: left">G ( Guard pages )</td> <td style="text-align: left">Helps catch buffer overflows immediately by causing a segmentation fault when memory writes go past their bounds.</td> </tr> <tr> <td style="text-align: left">U ( Use junking )</td> <td style="text-align: left">Helps catch bugs where programs wrongly assume newly allocated memory.</td> </tr> </tbody> </table> <h3 id="server-example---etcsysctlconf">Server Example - /etc/sysctl.conf</h3> <pre tabindex="0"><code>ddb.panic=0 ddb.console=0 vm.malloc_conf=CFGU net.inet.ip.forwarding=0 machdep.allowaperature=0 </code></pre><h3 id="firewall-example---etcsysctlconf">Firewall Example - /etc/sysctl.conf</h3> <pre tabindex="0"><code>ddb.panic=0 ddb.console=0 vm.malloc_conf=CFGU net.inet.ip.forwarding=1 machdep.allowaperature=0 </code></pre><h3 id="workstation-example---etcsysctlconf">Workstation Example - /etc/sysctl.conf</h3> <pre tabindex="0"><code>ddb.panic=1 ddb.console=1 vm.malloc_conf=CFGU net.inet.ip.forwarding=0 machdep.allowaperature=1 </code></pre><p>Thanks to the author of the following page for teaching me about the malloc stuff:</p>