#!/usr/bin/env python3
# Define the entry point that returns the list of sysctl checks
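def _entry(source, flag, value, description, entry_id="", level="medium",
           affected_system=None):
    """Build one sysctl check record.

    Args:
        source: Origin of the recommendation, ``"cve"`` or ``"cis"``.
        flag: Fully qualified sysctl key, e.g. ``net.ipv4.ip_forward``.
        value: Value the key is expected to hold on a hardened host.
        description: Human-readable explanation shown to the operator.
        entry_id: Advisory identifier; empty string for CIS benchmark items.
        level: Severity label; every current entry uses ``"medium"``.
        affected_system: Optional dict describing the platform the advisory
            was written against. The key is omitted from the record when
            ``None`` so CIS records keep their original shape.

    Returns:
        A dict with keys ``from``, ``id``, ``description``, ``flag``,
        ``value``, ``level`` (and ``affectedSystem`` when supplied), in
        that insertion order.
    """
    record = {
        "from": source,
        "id": entry_id,
        "description": description,
        "flag": flag,
        "value": value,
        "level": level,
    }
    if affected_system is not None:
        record["affectedSystem"] = affected_system
    return record


def sysctl() -> list:
    """Return the catalogue of sysctl hardening checks, one dict per key.

    The first record is a CVE-driven mitigation; the remaining records are
    CIS benchmark recommendations for IPv4 and IPv6. Record order and key
    order match the original hand-written list, so consumers that index
    into the list or serialise it see the same layout.

    Returns:
        A list of dicts as produced by ``_entry``. Only the CVE record
        carries an ``affectedSystem`` key; consumers should use
        ``record.get("affectedSystem")`` rather than indexing it.
    """
    entries = [
        # https://access.redhat.com/security/sysctl/sysctl-2023-0179
        #####
        # CVE
        #####
        # NOTE(review): kernel.unprivileged_userns_clone is a knob carried by
        # Debian/Ubuntu kernels rather than upstream Linux; on a kernel that
        # lacks it the key is simply absent. Confirm the consumer treats an
        # absent key as a finding instead of as "mitigated".
        _entry(
            "cve",
            "kernel.unprivileged_userns_clone",
            0,
            "A buffer overflow vulnerability was found in the Linux kernel. "
            "An attacker can achieve privilege escalation through the "
            "Netfilter subsystem",
            entry_id="cve-2023-0179",
            affected_system={
                "linux": "Debian",
                "release": "buster",
                "kernel": "4.19.249-2",
            },
        ),
    ]

    #####
    # Best practice from CIS
    #####
    # (flag, expected value, description) - expanded into records below.
    cis_ipv4 = [
        ("net.ipv4.conf.all.forwarding", 0, "Disable IPv4 forwarding"),
        ("net.ipv4.conf.all.accept_redirects", 0, "Disable ICMP redirects IPv4"),
        ("net.ipv4.conf.all.accept_source_route", 0,
         "Disable Accepting Source Routed packets IPv4 for all interfaces"),
        ("net.ipv4.conf.default.accept_source_route", 0,
         "Disable Accepting Source Routed packets IPv4 for default interface"),
        ("net.ipv4.conf.all.secure_redirects", 0,
         "Disable ICMP Secure redirects IPv4 for all interfaces"),
        ("net.ipv4.conf.default.secure_redirects", 0,
         "Disable ICMP Secure redirects IPv4 for default interface"),
        ("net.ipv4.conf.all.log_martians", 1,
         "Enable Log martian packets IPv4 for all interfaces"),
        ("net.ipv4.conf.default.log_martians", 1,
         "Enable Log martian packets IPv4 for default interface"),
        # https://lwn.net/Articles/277146/
        ("net.ipv4.tcp_syncookies", 1, "Enable TCP syn cookies IPv4"),
        # Kept alongside net.ipv4.conf.all.forwarding above: both keys are
        # listed so an audit reports whichever one the operator inspects.
        ("net.ipv4.ip_forward", 0, "Disable IPv4 forwarding on all interfaces"),
        ("net.ipv4.conf.all.send_redirects", 0,
         "Disable IPv4 send redirects on all interfaces"),
        ("net.ipv4.conf.default.send_redirects", 0,
         "Disable IPv4 send redirects on default interface"),
        ("net.ipv4.conf.all.rp_filter", 1,
         "Enable IPv4 reverse path filtering on all interfaces"),
        ("net.ipv4.conf.default.rp_filter", 1,
         "Enable IPv4 reverse path filtering on default interface"),
    ]

    # For IPv6
    cis_ipv6 = [
        ("net.ipv6.conf.all.forwarding", 0, "Disable IPv6 forwarding"),
        ("net.ipv6.conf.all.accept_redirects", 0, "Disable ICMP redirects IPv6"),
        ("net.ipv6.conf.default.accept_redirects", 0,
         "Disable ICMP redirects IPv6 for default interface"),
        # https://datatracker.ietf.org/doc/html/rfc4861
        ("net.ipv6.conf.all.accept_ra", 0,
         "Disable Route Advertisements for IPv6 for all interfaces"),
        ("net.ipv6.conf.default.accept_ra", 0,
         "Disable Route Advertisements for IPv6 for default interface"),
        ("net.ipv6.conf.all.accept_source_route", 0,
         "Disable Accepting Source Routed for IPv6 for all interfaces"),
        ("net.ipv6.conf.default.accept_source_route", 0,
         "Disable Accepting Source Routed for IPv6 for default interface"),
        # NOTE(review): secure_redirects is documented under net.ipv4.conf.*;
        # confirm the two IPv6 keys below exist on the target kernel before
        # treating a missing value as a finding.
        ("net.ipv6.conf.all.secure_redirects", 0,
         "Disable ICMP Secure redirects IPv6 for all interfaces"),
        ("net.ipv6.conf.default.secure_redirects", 0,
         "Disable ICMP Secure redirects IPv6 for default interface"),
    ]

    entries.extend(
        _entry("cis", flag, value, text)
        for flag, value, text in cis_ipv4 + cis_ipv6
    )
    return entries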