An XCCDF Group - A logical subset of the XCCDF Benchmark
kernel.core_pattern
$ sudo sysctl -w kernel.core_pattern="|/bin/false"
/etc/sysctl.d
kernel.core_pattern = |/bin/false
kernel.core_uses_pid
$ sudo sysctl -w kernel.core_uses_pid=0
kernel.core_uses_pid = 0
kernel.dmesg_restrict
$ sudo sysctl -w kernel.dmesg_restrict=1
kernel.dmesg_restrict = 1
kernel.kexec_load_disabled
$ sudo sysctl -w kernel.kexec_load_disabled=1
kernel.kexec_load_disabled = 1
kernel.modules_disabled
$ sudo sysctl -w kernel.modules_disabled=1
kernel.modules_disabled = 1
kernel.panic_on_oops
$ sudo sysctl -w kernel.panic_on_oops=1
kernel.panic_on_oops = 1
kernel.perf_cpu_time_max_percent
$ sudo sysctl -w kernel.perf_cpu_time_max_percent=1
kernel.perf_cpu_time_max_percent = 1
kernel.perf_event_max_sample_rate
$ sudo sysctl -w kernel.perf_event_max_sample_rate=1
kernel.perf_event_max_sample_rate = 1
kernel.perf_event_paranoid
$ sudo sysctl -w kernel.perf_event_paranoid=2
kernel.perf_event_paranoid = 2
kernel.pid_max
$ sudo sysctl -w kernel.pid_max=65536
kernel.pid_max = 65536
kernel.sysrq
$ sudo sysctl -w kernel.sysrq=0
kernel.sysrq = 0
kernel.unprivileged_bpf_disabled
$ sudo sysctl -w kernel.unprivileged_bpf_disabled=1
kernel.unprivileged_bpf_disabled = 1
kernel.yama.ptrace_scope
$ sudo sysctl -w kernel.yama.ptrace_scope=1
kernel.yama.ptrace_scope = 1
net.core.bpf_jit_harden
$ sudo sysctl -w net.core.bpf_jit_harden=2
net.core.bpf_jit_harden = 2
user.max_user_namespaces
$ sudo sysctl -w user.max_user_namespaces=0
user.max_user_namespaces = 0
vm.mmap_min_addr
$ sudo sysctl -w vm.mmap_min_addr=65536
vm.mmap_min_addr = 65536
/etc/security/limits.conf
/etc/security/limits.d/
limits.conf
sysctl
fs.suid_dumpable
systemd-coredump.socket
systemd-coredump@.service
ProcessSizeMax
[Coredump]
/etc/systemd/coredump.conf
Storage
none
* hard core 0
$ sudo sysctl -w fs.suid_dumpable=0
fs.suid_dumpable = 0
kernel.exec-shield
kernel.randomize_va_space
kernel.kptr_restrict
$ sudo sysctl -w kernel.kptr_restrict=<kptr_restrict value>
kernel.kptr_restrict = <kptr_restrict value>
$ sudo sysctl -w kernel.randomize_va_space=2
kernel.randomize_va_space = 2
/etc/default/grub
slub_debug
page_poison=1
GRUB_CMDLINE_LINUX="... page_poison=1 ..."
# grubby --update-kernel=ALL --args="page_poison=1"
slub_debug=<slub_debug options>
GRUB_CMDLINE_LINUX="... slub_debug=<slub_debug options> ..."
# grubby --update-kernel=ALL --args="slub_debug=<slub_debug options>"