Bug#572712: use hardened sysctl net.* settings per default

To: Craig Small <csmall@debian.org>, Christoph Anton Mitterer <calestyo@scientia.net>, 572712@bugs.debian.org
Subject: Bug#572712: use hardened sysctl net.* settings per default
From: Moritz Muehlenhoff <jmm@inutil.org>
Date: Sun, 30 May 2010 19:29:58 +0200
Message-id: <[🔎] 20100530172958.GA3779@galadriel.inutil.org>
Reply-to: Moritz Muehlenhoff <jmm@inutil.org>, 572712@bugs.debian.org
In-reply-to: <20100306231111.GB9908@enc.com.au>
References: <1267820749.4491.72.camel@fermat.scientia.net> <20100306231111.GB9908@enc.com.au>

On Sun, Mar 07, 2010 at 10:11:11AM +1100, Craig Small wrote:
> On Fri, Mar 05, 2010 at 09:25:49PM +0100, Christoph Anton Mitterer wrote:
> > I think it would be a good idea to use at least the settings blow per
> > default:
> You're asking in the wrong place then.  To change the default behaviour
> of the kernel, you need to apply this bug to the kernel, not procps.
> 
> sysctl.conf is for suggested things that are off by default. Or perhaps
> more correctly can be changed but by default are not changed.

If you want to modify kernel defaults you'll need to discuss the
specific options with upstream, we won't differ in the Debian kernel
configuration.

For now I'd suggest to address Christoph's proposed changes through
the harden package. It appears to be designed for exactly this
purpose. Christoph, what do you think?

Cheers,
        Moritz

Reply to:

Follow-Ups:
- Bug#572712: use hardened sysctl net.* settings per default
  - From: Christoph Anton Mitterer <calestyo@scientia.net>

Prev by Date: Bug#502362: kernel 2.6.26 x86_64: some ioctls not mapped from 32bit userland
Next by Date: Bug#534964: Including memory cgroup support disabled by default
Previous by thread: Bug#463606: More Virtual PC results
Next by thread: Bug#572712: use hardened sysctl net.* settings per default
Index(es):
- Date
- Thread