Sysctl Server Hardening - Help and Advice



  • I am using Fedora 26 Server edition.

    I found some Server Security guidelines by RedHat. I plan on following them if it makes sense.

    I don't know what the (sysctl) defaults are, if this stuff needs to be done, or what they mean (until I look them up individually).
    I don't know if I even need to worry about this.

    Can someone shed some light on this, and/or explain this a little more?

    Here's a sample of some sysctl rules I was applying to my VPS via SaltStack, and what I'm referring to above:

    net.ipv4.icmp_echo_ignore_broadcasts:
      sysctl.present:
        - value: 1
    
    net.ipv4.icmp_ignore_bogus_error_responses:
      sysctl.present:
        - value: 1
    
    net.ipv4.tcp_syncookies:
      sysctl.present:
        - value: 1
    
    net.ipv4.conf.all.log_martians:
      sysctl.present:
        - value: 1
    
    net.ipv4.conf.default.log_martians:
      sysctl.present:
        - value: 1
    
    net.ipv4.conf.all.accept_source_route:
      sysctl.present:
        - value: 0
    
    net.ipv4.conf.default.accept_source_route:
      sysctl.present:
        - value: 0
    
    net.ipv4.conf.all.rp_filter:
      sysctl.present:
        - value: 1
    
    net.ipv4.conf.default.rp_filter:
      sysctl.present:
        - value: 1
    
    net.ipv4.conf.all.accept_redirects:
      sysctl.present:
        - value: 0
    
    net.ipv4.conf.default.accept_redirects:
      sysctl.present:
        - value: 0
    
    net.ipv4.conf.all.secure_redirects:
      sysctl.present:
        - value: 0
    
    net.ipv4.conf.default.secure_redirects:
      sysctl.present:
        - value: 0
    
    net.ipv4.ip_forward:
      sysctl.present:
        - value: 0
    
    net.ipv4.conf.all.send_redirects:
      sysctl.present:
        - value: 0
    
    net.ipv4.conf.default.send_redirects:
      sysctl.present:
        - value: 0
    


  • I use SCAP for this. Set up a host and install SCAP. It gives you hardening rules from common servers up to DISA STIG levels. You can pick and choose what you want to enforce. It has rules and the reasons for enforcing the rules. Some of the sysctl stuff is paranoid, but some is good. Most don't cause any issues with anything so it doesn't hurt to enable them.

    I'm surprised to not see kernel.randomize_va_space on there. That's a useful one that randomizes virtual address space.



  • @stacksofplates said in Sysctl Server Hardening - Help and Advice:

    I use SCAP for this. Set up a host and install SCAP. It gives you hardening rules from common servers up to DISA STIG levels. You can pick and choose what you want to enforce. It has rules and the reasons for enforcing the rules. Some of the sysctl stuff is paranoid, but some is good. Most don't cause any issues with anything so it doesn't hurt to enable them.

    I'm surprised to not see kernel.randomize_va_space on there. That's a useful one that randomizes virtual address space.

    I'm not at all familiar with this stuff specifically. I did a quick search that led me here: https://linux-audit.com/linux-aslr-and-kernelrandomize_va_space-setting/

    According to that, I suppose the default setting is okay, although I couldn't tell you what the default setting is on Fedora 26 (that article says 2; how do I check?).



  • @stacksofplates said in Sysctl Server Hardening - Help and Advice:

    I use SCAP for this. Set up a host and install SCAP. It gives you hardening rules from common servers up to DISA STIG levels.

    I've not used SCAP before. A quick search led me to https://www.open-scap.org/download/.

    Any tips on usage and configurations?



  • @tim_g said in Sysctl Server Hardening - Help and Advice:

    @stacksofplates said in Sysctl Server Hardening - Help and Advice:

    I use SCAP for this. Set up a host and install SCAP. It gives you hardening rules from common servers up to DISA STIG levels. You can pick and choose what you want to enforce. It has rules and the reasons for enforcing the rules. Some of the sysctl stuff is paranoid, but some is good. Most don't cause any issues with anything so it doesn't hurt to enable them.

    I'm surprised to not see kernel.randomize_va_space on there. That's a useful one that randomizes virtual address space.

    I'm not at all familiar with this stuff specifically. I did a quick search that led me here: https://linux-audit.com/linux-aslr-and-kernelrandomize_va_space-setting/

    According to that, I suppose the default setting is okay, although I couldn't tell you what the default setting is on Fedora 26 (that article says 2; how do I check?).

    You want to set it at 2. I don’t think it’s on my default unless it is in Fedora.



  • @tim_g said in Sysctl Server Hardening - Help and Advice:

    @stacksofplates said in Sysctl Server Hardening - Help and Advice:

    I use SCAP for this. Set up a host and install SCAP. It gives you hardening rules from common servers up to DISA STIG levels.

    I've not used SCAP before. A quick search led me to https://www.open-scap.org/download/.

    Any tips on usage and configurations?

    That’s the site. Just install it from the repos along with SCAP Workbench. Workbench makes it a lot easier to see stuff. Then you will get a nice HTML report with all of the remediations that you can fix.



  • If you use KVM you can also scan VMs without the agent on them. It will spin up a temporary VM and attach the disk read only and scan it.



  • Strictly sysctl speaking, here's what I've got so far:

    kernel.randomize_va_space:
      sysctl.present:
        - value: 2
    
    fs.protected_hardlinks:
      sysctl.present:
        - value: 1
    
    fs.protected_symlinks:
      sysctl.present:
        - value: 1
    
    net.ipv4.icmp_echo_ignore_broadcasts:
      sysctl.present:
        - value: 1
    
    net.ipv4.icmp_ignore_bogus_error_responses:
      sysctl.present:
        - value: 1
    
    net.ipv4.tcp_syncookies:
      sysctl.present:
        - value: 1
    
    net.ipv4.conf.all.log_martians:
      sysctl.present:
        - value: 1
    
    net.ipv4.conf.default.log_martians:
      sysctl.present:
        - value: 1
    
    net.ipv4.conf.all.accept_source_route:
      sysctl.present:
        - value: 0
    
    net.ipv4.conf.default.accept_source_route:
      sysctl.present:
        - value: 0
    
    net.ipv4.conf.all.rp_filter:
      sysctl.present:
        - value: 1
    
    net.ipv4.conf.default.rp_filter:
      sysctl.present:
        - value: 1
    
    net.ipv4.conf.all.accept_redirects:
      sysctl.present:
        - value: 0
    
    net.ipv4.conf.default.accept_redirects:
      sysctl.present:
        - value: 0
    
    net.ipv4.conf.all.secure_redirects:
      sysctl.present:
        - value: 0
    
    net.ipv4.conf.default.secure_redirects:
      sysctl.present:
        - value: 0
    
    net.ipv4.ip_forward:
      sysctl.present:
        - value: 0
    
    net.ipv4.conf.all.send_redirects:
      sysctl.present:
        - value: 0
    
    net.ipv4.conf.default.send_redirects:
      sysctl.present:
        - value: 0
    
    net.ipv4.conf.all.forwarding:
      sysctl.present:
        - value: 0
    
    net.ipv6.conf.all.forwarding:
      sysctl.present:
        - value: 0
    
    net.ipv4.conf.all.mc_forwarding:
      sysctl.present:
        - value: 0
    
    net.ipv6.conf.all.mc_forwarding:
      sysctl.present:
        - value: 0
    
    net.ipv6.conf.all.accept_source_route:
      sysctl.present:
        - value: 0
    
    net.ipv6.conf.default.accept_source_route:
      sysctl.present:
        - value: 0
    
    net.ipv6.conf.all.accept_redirects:
      sysctl.present:
        - value: 0
    
    net.ipv6.conf.default.accept_redirects:
      sysctl.present:
        - value: 0
    

    I know some of it may be redundant, as in they may already be set that way by default. My thinking is that, should they be changed somehow, this will set them straight again.

    Is this a bad way of thinking or simply not needed?

    Are there any others that are a good idea, or generally a best practice, to include?
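    Since the thread asks how to check a running value and the last post wants settings put straight if they ever change, here is a POSIX shell drift audit for the keys listed above. It is an added example, not code from any of the posts or from SaltStack/OpenSCAP; SYSCTL_ROOT is an assumed override so the check can be exercised against a constructed directory tree instead of the live /proc/sys.

```shell
# Drift audit for the sysctl values collected in this thread. Added example,
# not code from any of the posts or from SaltStack/OpenSCAP. SYSCTL_ROOT is an
# assumed override so the check can run against a constructed directory tree
# instead of the live /proc/sys.

# Desired state, "key value" per line (subset of the SaltStack list above).
SYSCTL_BASELINE='kernel.randomize_va_space 2
fs.protected_hardlinks 1
fs.protected_symlinks 1
net.ipv4.tcp_syncookies 1
net.ipv4.icmp_echo_ignore_broadcasts 1
net.ipv4.icmp_ignore_bogus_error_responses 1
net.ipv4.conf.all.log_martians 1
net.ipv4.conf.all.rp_filter 1
net.ipv4.conf.all.accept_source_route 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.all.secure_redirects 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.ip_forward 0
net.ipv6.conf.all.accept_redirects 0'

# Read one key from the procfs tree: net.ipv4.ip_forward -> net/ipv4/ip_forward.
# Fails (status 1) when the key does not exist, e.g. net.ipv6.* with IPv6 off.
# Only plain dotted keys are handled; an interface name containing a dot would
# need the slash form that sysctl(8) also accepts.
sysctl_get() {
    _p="${SYSCTL_ROOT:-/proc/sys}/$(printf '%s' "$1" | tr . /)"
    [ -r "$_p" ] && tr -d '[:space:]' < "$_p"
}

# Print one line per key that is missing or differs from the baseline and
# return 1 if anything drifted; silent with status 0 when the baseline holds.
sysctl_audit() {
    _rc=0
    while read -r _key _want; do
        [ -n "$_key" ] || continue
        if ! _have=$(sysctl_get "$_key"); then
            echo "MISSING $_key (want $_want)"; _rc=1
        elif [ "$_have" != "$_want" ]; then
            echo "DRIFT $_key want=$_want have=$_have"; _rc=1
        fi
    done <<EOF
$SYSCTL_BASELINE
EOF
    return $_rc
}

# On the host itself (reading /proc/sys needs no root):
#   sysctl_audit || echo "baseline not satisfied"
```

    For the single-key check asked about above, `sysctl -n kernel.randomize_va_space` prints the live value (2 means full randomization, as the linked article describes); the audit above does the same comparison for the whole list and is cheap enough to run from cron alongside the Salt state.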