Home / server / Questions / 474693
In Process
Tiffany Walker
Asked: 2013-02-02 13:52:56 +0800 CST

/dev/shm & /proc hardening

  • 772

I've seen mention of securing /dev/shm and /proc and I was wondering how you do that and what it consists of doing? I assume this involves /etc/sysctl.conf editing of some kind right.

Like these?

kernel.exec-shield = 1
kernel.randomize_va_space = 1
linux

2 Answers

  1. The process I use, based on the CIS Linux Security Benchmark, is to modify /etc/fstab to restrict device creation, execution and suid privs on the /dev/shm mount.

    shmfs        /dev/shm         tmpfs   nodev,nosuid,noexec        0 0

    For the sysctl settings, simply adding some of these to /etc/sysctl.conf works. Run sysctl -p to activate.

    # CIS benchmarks
fs.suid_dumpable = 0
kernel.exec-shield = 1
kernel.randomize_va_space = 2
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
    • 11

  2. ewwhite has already mentioned the CIS Linux Security Benchmark recommendations, I would also like to add another security guideline worth mentioning - Guide to the Secure Configuration of Red Hat Enterprise Linux 5 by the NSA. In addition to adding nodev,nosuid,noexec options for /dev/shm, the recommendations for kernel parameters which affect networking are mentioned in section 2.5.1 -

    Host only

    net.ipv4.ip forward = 0
net.ipv4.conf.all.send redirects = 0
net.ipv4.conf.default.send redirects = 0

    Host and Router

     net.ipv4.conf.all.accept_source_route = 0
 net.ipv4.conf.all.accept_redirects = 0
 net.ipv4.conf.all.secure_redirects = 0
 net.ipv4.conf.all.log_martians = 1
 net.ipv4.conf.default.accept_source_route = 0
 net.ipv4.conf.default.accept_redirects = 0
 net.ipv4.conf.default.secure_redirects = 0
 net.ipv4.icmp_echo_ignore_broadcasts = 1
 net.ipv4.icmp_ignore_bogus_error_messages = 1
 net.ipv4.tcp_syncookies = 1
 net.ipv4.conf.all.rp_filter = 1
 net.ipv4.conf.default.rp_filter = 1
    • 6