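#!/usr/bin/env python3
"""Catalogue of sysctl hardening records: one CVE mitigation, then CIS best practice.

Each record is a plain dict with the keys ``from`` ("cve" or "cis"), ``id``,
``description``, ``flag`` (the sysctl key), ``value`` (the expected setting)
and ``level``. Only the CVE record additionally carries ``affectedSystem``;
consumers should read that key with ``.get`` rather than ``[]``.
"""


def _cis(description: str, flag: str, value: int) -> dict:
    """Build one CIS best-practice record.

    Args:
        description: Human-readable purpose of the setting (emitted verbatim).
        flag: The sysctl key to check or set.
        value: The recommended value for ``flag``.

    Returns:
        A record dict in the common schema; CIS records have an empty ``id``
        and, as in the original data, a fixed ``level`` of "medium".
    """
    return {
        "from": "cis",
        "id": "",
        "description": description,
        "flag": flag,
        "value": value,
        "level": "medium",
    }


def sysctl() -> list:
    """Return the hardening records, CVE mitigation first, then CIS entries in order.

    Returns:
        A list of record dicts (see the module docstring for the schema).
    """
    # Named `entries` rather than `sysctl` so the local does not shadow the function.
    entries: list = []

    #####
    # CVE
    #####
    # https://access.redhat.com/security/sysctl/sysctl-2023-0179
    # kernel.unprivileged_userns_clone is a distribution-specific sysctl
    # (Debian/Ubuntu kernel patch); it is absent on upstream and most other
    # kernels, so a checker consuming this record must tolerate a missing key.
    # Disabling unprivileged user namespaces only narrows who can reach the
    # netfilter code path; it is a mitigation, not the fix — the fix is a
    # patched kernel. `affectedSystem` is the author's own record of the
    # Debian buster kernel this entry was written against.
    entries.append(
        {
            "from": "cve",
            "id": "cve-2023-0179",
            "description": "A buffer overflow vulnerability was be found in Linux system. An hacker can allow privilege escalation through Netfilter subsystem",
            "flag": "kernel.unprivileged_userns_clone",
            "value": 0,
            "level": "medium",
            # Plain dict (the original's surrounding parentheses added nothing).
            "affectedSystem": {
                "linux": "Debian",
                "release": "buster",
                "kernel": "4.19.249-2",
            },
        }
    )

    #####
    # Best practice from CIS
    #####
    entries.extend(
        [
            # net.ipv4.conf.all.forwarding and net.ipv4.ip_forward (below) drive
            # the same control; both are kept because the author listed both.
            _cis("Disable IPv4 forwarding", "net.ipv4.conf.all.forwarding", 0),
            _cis("Disable ICMP redirects IPv4", "net.ipv4.conf.all.accept_redirects", 0),
            _cis(
                "Disable Accepting Source Routed packets IPv4 for all interfaces",
                "net.ipv4.conf.all.accept_source_route",
                0,
            ),
            _cis(
                "Disable Accepting Source Routed packets IPv4 for default interface",
                "net.ipv4.conf.default.accept_source_route",
                0,
            ),
            _cis(
                "Disable ICMP Secure redirects IPv4 for all interfaces",
                "net.ipv4.conf.all.secure_redirects",
                0,
            ),
            _cis(
                "Disable ICMP Secure redirects IPv4 for default interface",
                "net.ipv4.conf.default.secure_redirects",
                0,
            ),
            _cis(
                "Enable Log martian packets IPv4 for all interfaces",
                "net.ipv4.conf.all.log_martians",
                1,
            ),
            _cis(
                "Enable Log martian packets IPv4 for default interface",
                "net.ipv4.conf.default.log_martians",
                1,
            ),
            # https://lwn.net/Articles/277146/
            _cis("Enable TCP syn cookies IPv4", "net.ipv4.tcp_syncookies", 1),
            _cis("Disable IPv4 forwarding on all interfaces", "net.ipv4.ip_forward", 0),
            _cis(
                "Disable IPv4 send redirects on all interfaces",
                "net.ipv4.conf.all.send_redirects",
                0,
            ),
            _cis(
                "Disable IPv4 send redirects on default interface",
                "net.ipv4.conf.default.send_redirects",
                0,
            ),
            _cis(
                "Enable IPv4 reverse path filtering on all interfaces",
                "net.ipv4.conf.all.rp_filter",
                1,
            ),
            _cis(
                "Enable IPv4 reverse path filtering on default interface",
                "net.ipv4.conf.default.rp_filter",
                1,
            ),
            # For IPv6
            # NOTE(review): "IPvi6" is a typo in the emitted description; kept
            # verbatim so consumers that match on the text are unaffected.
            _cis("Disable IPvi6 forwarding", "net.ipv6.conf.all.forwarding", 0),
            _cis("Disable ICMP redirects IPv6", "net.ipv6.conf.all.accept_redirects", 0),
            _cis(
                "Disable ICMP redirects IPv6 for default interface",
                "net.ipv6.conf.default.accept_redirects",
                0,
            ),
            # https://datatracker.ietf.org/doc/html/rfc4861
            _cis(
                "Disable Route Advertisements for IPv6 for all interfaces",
                "net.ipv6.conf.all.accept_ra",
                0,
            ),
            _cis(
                "Disable Route Advertisements for IPv6 for default interface",
                "net.ipv6.conf.default.accept_ra",
                0,
            ),
            _cis(
                "Disable Accepting Source Routed for IPv6 for all interfaces",
                "net.ipv6.conf.all.accept_source_route",
                0,
            ),
            _cis(
                "Disable Accepting Source Routed for IPv6 for default interface",
                "net.ipv6.conf.default.accept_source_route",
                0,
            ),
            _cis(
                "Disable ICMP Secure redirects IPv6 for all interfaces",
                "net.ipv6.conf.all.secure_redirects",
                0,
            ),
            _cis(
                "Disable ICMP Secure redirects IPv6 for default interface",
                "net.ipv6.conf.default.secure_redirects",
                0,
            ),
        ]
    )
    return entries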