Set the runtime value for fs.suid_dumpable (as root):
sysctl -q -n -w fs.suid_dumpable=0
If fs.suid_dumpable is present in /etc/sysctl.conf, change its value to "0"; otherwise, add "fs.suid_dumpable = 0" to /etc/sysctl.conf:
# Persist the setting: rewrite an existing fs.suid_dumpable line, or append one if absent
if grep --silent '^fs.suid_dumpable' /etc/sysctl.conf ; then
    sed -i 's/^fs.suid_dumpable.*/fs.suid_dumpable = 0/g' /etc/sysctl.conf
else
    echo "" >> /etc/sysctl.conf
    echo "# Set fs.suid_dumpable to 0 per security requirements" >> /etc/sysctl.conf
    echo "fs.suid_dumpable = 0" >> /etc/sysctl.conf
fi
Buffer Overflow Protection
This section helps mitigate buffer overflow (BOF) attacks.
The kernel.exec-shield setting helps prevent stack smashing / BOF.
Enable on the running kernel: sysctl -w kernel.exec-shield=1
Add to /etc/sysctl.conf:
kernel.exec-shield = 1
Check / Enable ASLR
Set the runtime value for kernel.randomize_va_space:
sysctl -q -n -w kernel.randomize_va_space=2
Add kernel.randomize_va_space = 2 to /etc/sysctl.conf if it does not already exist.
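Covering both the fs.suid_dumpable snippet above and the ASLR setting here, this is an added example (not from the original guide) that generalises the "replace or append" logic into reusable POSIX sh helpers, adds an audit of the live value via /proc/sys and a check for the CPU nx flag. The function names, the "set per security baseline" comment text and the scratch-directory demo are mine; the FILE and ROOT arguments are assumptions that let the helpers run against a constructed copy rather than the real /etc/sysctl.conf and /proc.

```shell
#!/bin/sh
# Added example (not part of the original guide): idempotent helpers that pin a
# sysctl key in a sysctl.conf-style file, read the live value via /proc/sys and
# check for the CPU nx flag. FILE/ROOT arguments allow a scratch copy to be used.

# ensure_sysctl_setting FILE KEY VALUE
# Rewrites an existing "KEY = ..." line (even one commented out with '#') so the
# file keeps exactly one active definition, or appends the line if KEY is absent.
ensure_sysctl_setting() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || : > "$file"
    re=$(printf '%s' "$key" | sed 's/\./\\./g')   # dots must match literally
    if grep -Eq "^[#[:space:]]*${re}[[:space:]]*=" "$file"; then
        sed -i -E "s|^[#[:space:]]*${re}[[:space:]]*=.*|${key} = ${value}|" "$file"
    else
        printf '\n# %s set per security baseline\n%s = %s\n' "$key" "$key" "$value" >> "$file"
    fi
}

# read_sysctl KEY [ROOT]: live kernel value read from ROOT (default /proc/sys),
# so it works without the sysctl binary; fails if the key does not exist.
read_sysctl() {
    path="${2:-/proc/sys}/$(printf '%s' "$1" | tr . /)"
    [ -r "$path" ] && tr -d '[:space:]' < "$path"
}

# audit_sysctl KEY EXPECTED [ROOT]: returns 0 when the live value matches.
audit_sysctl() {
    actual=$(read_sysctl "$1" "$3") || actual="<missing>"
    if [ "$actual" = "$2" ]; then echo "OK   $1 = $actual"; return 0; fi
    echo "FAIL $1 = $actual (expected $2)"; return 1
}

# cpu_has_nx [CPUINFO]: 0 when the nx (XD) flag is advertised by the CPU.
cpu_has_nx() { grep -qw nx "${1:-/proc/cpuinfo}"; }

# Constructed demo on a scratch directory; run as: sh hardening.sh demo
demo() {
    tmp=$(mktemp -d)
    printf '#fs.suid_dumpable = 1\nkernel.exec-shield = 0\n' > "$tmp/sysctl.conf"
    for kv in fs.suid_dumpable=0 kernel.randomize_va_space=2 kernel.exec-shield=1; do
        ensure_sysctl_setting "$tmp/sysctl.conf" "${kv%=*}" "${kv#*=}"
    done
    cat "$tmp/sysctl.conf"
    audit_sysctl fs.suid_dumpable 0 || :            # live kernel, may report FAIL
    audit_sysctl kernel.randomize_va_space 2 || :
    cpu_has_nx && echo "nx flag present" || echo "nx flag absent"
    rm -rf "$tmp"
}
case ${1:-} in demo) demo ;; esac
```

The audit reports "<missing>" for keys the running kernel does not expose (kernel.exec-shield on current kernels, for instance), which is itself worth recording in a hardening report.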
Enable XD or NX Support on x86 Systems
Recent processors in the x86 family support the ability to prevent code execution on a per memory page basis. Generically and on AMD processors, this ability is called No Execute (NX), while on Intel processors it is called Execute Disable (XD). This ability can help prevent exploitation of buffer overflow vulnerabilities and should be activated whenever possible. Extra steps must be taken to ensure that this protection is enabled, particularly on 32-bit x86 systems. Other processors, such as Itanium and POWER, have included such support since inception and the standard kernel for those platforms supports the feature.
Check the BIOS and ensure XD/NX is enabled; this is not relevant for VMs.
Disable SSH Support for .rhosts Files
SSH can emulate the behavior of the obsolete rsh command in allowing users to enable insecure access to their accounts via .rhosts files.
To ensure this behavior is disabled, add or correct the following line in /etc/ssh/sshd_config:
IgnoreRhosts yes