Commit 27b5767a authored by hugbubby's avatar hugbubby Committed by Natanael Copa

main/alpine-baselayout: sysctl security changes.

parent 30ada7ff
# Contributor: Sören Tempel <soeren+alpine@soeren-tempel.net>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=alpine-baselayout
pkgver=3.0.5
pkgrel=3
pkgver=3.0.6
pkgrel=0
pkgdesc="Alpine base dir structure and init scripts"
url="https://git.alpinelinux.org/cgit/aports/tree/main/alpine-baselayout"
arch="all"
......@@ -145,11 +145,45 @@ package() {
# content of this file will override /etc/sysctl.d/*
EOF
cat > "$pkgdir"/etc/sysctl.d/00-alpine.conf <<-EOF
# Prevents SYN DOS attacks. Applies to ipv6 as well, despite name.
net.ipv4.tcp_syncookies = 1
# Prevents ip spoofing.
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
# Only groups within this id range can use ping.
net.ipv4.ping_group_range=999 59999
# Redirects can potentially be used to maliciously alter hosts
# routing tables.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 1
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.all.secure_redirects = 1
# The source routing feature includes some known vulnerabilities.
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_source-route = 0
# See RFC 1337
net.ipv4.tcp_rfc1337 = 1
## Enable IPv6 Privacy Extensions (see RFC4941 and RFC3041)
net.ipv6.conf.default.use_tempaddr = 2
net.ipv6.conf.all.use_tempaddr = 2
# Restarts computer after 120 seconds after kernel panic
kernel.panic = 120
## Disable magic-sysrq key
kernel.sysrq = 0
# Users should not be able to create soft or hard links to files
# which they do not own. This mitigates several privilege
# escalation vulnerabilities.
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
EOF
cat > "$pkgdir"/etc/fstab <<-EOF
/dev/cdrom /media/cdrom iso9660 noauto,ro 0 0
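Review bot: `net.ipv6.conf.all.accept_source-route = 0` (the line right after the IPv4 source-route entry) has a hyphen where the kernel key uses an underscore (`accept_source_route`), so that key is never applied, sysctl reports an error on every boot, and IPv6 source routing stays at the kernel default. Two lines earlier, `net.ipv6.conf.all.secure_redirects = 1` names a knob that exists only under net.ipv4 (there is no secure_redirects under net.ipv6.conf), so it fails the same way and should be dropped. The redirect and source-route keys are also only set on `conf.all`, but for IPv4 accept_redirects on a non-forwarding host the kernel ORs the `all` and per-interface values, and interfaces created after boot take their value from `conf.default`, so `conf.all` alone does not actually disable redirects; the `conf.default.*` counterparts should be set alongside, as the file already does for rp_filter and use_tempaddr. The package() function continues outside the hunk.
```shell
# Redirects can potentially be used to maliciously alter hosts
# routing tables.
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 1
net.ipv4.conf.all.secure_redirects = 1
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
# The source routing feature includes some known vulnerabilities.
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
# … unchanged: remaining sysctl entries, EOF and the fstab heredoc …
```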