Harden sysctl.conf by Sparrow checks (link: wp.me)
Posted by melezhik@programming.dev to Linux@programming.dev · edited, 23 hours ago · 7 comments
melezhik@programming.dev (OP) · 1 day ago:
sorry, could you please elaborate on “shouldn’t copy” ? thanks

nesc@lemmy.cafe · 1 day ago:
For example if you blindly apply this and forget, you may encounter problems with ipv6 or with your vpn. So it really depends on your use case and not hardening in general.

melezhik@programming.dev (OP) · edited, 1 day ago:
fair enough, however the intention is to show how one could create rules on Sparrow/Raku, not to show rules … Maybe I should have mentioned that …

for example, this is a more interesting example: evaluation of net.ipv4.tcp_synack_retries

```
regexp: ^^ "net.ipv4.tcp_synack_retries" \s* "=" \s* (\d+) \s* $$

generator: <<RAKU
!raku
if matched().elems {
  # first (and only) capture group: the numeric value after "="
  my $v = capture()[0];
  say "note: net.ipv4.tcp_synack_retries={$v}";
  if $v >= 3 && $v <= 5 {
    say "assert: 1 net.ipv4.tcp_synack_retries in [3..5] range"
  } else {
    say "assert: 0 net.ipv4.tcp_synack_retries in [3..5] range"
  }
} else {
  say "note: net.ipv4.tcp_synack_retries setting not found"
}
RAKU
```
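As an added example (not code from the thread, and not Sparrow's own API), the same range check re-implemented in plain Python so it can be run and tested offline: it parses a constructed sysctl.conf fragment, honours sysctl's rule that a later assignment of the same key overrides an earlier one, and emits the same note/assert lines the Sparrow generator above prints. The helper names and the sample file are assumptions made here.

```python
import re

# Constructed sysctl.conf fragment (not from the thread). The key appears twice
# so the checker has to honour last-assignment-wins, as sysctl itself does.
SAMPLE_CONF = """\
# /etc/sysctl.conf (constructed example)
net.ipv4.tcp_synack_retries = 2
net.ipv4.ip_forward = 0
net.ipv4.tcp_synack_retries=4   # this later line overrides the one above
"""


def effective_values(conf_text):
    """Parse sysctl.conf text into {key: value}; later assignments win."""
    values = {}
    for raw in conf_text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # strip comments
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        values[key] = value
    return values


def check_range(conf_text, key, lo, hi):
    """Mirror the Sparrow rule: note the effective value, then assert 1/0 for
    the [lo..hi] range. Returns (ok, report_lines); ok is None when the key
    is absent, False when the value is not an integer or is out of range."""
    value = effective_values(conf_text).get(key)
    if value is None:
        return None, [f"note: {key} setting not found"]
    report = [f"note: {key}={value}"]
    if not re.fullmatch(r"\d+", value):
        return False, report + [f"assert: 0 {key} is an integer"]
    ok = lo <= int(value) <= hi
    return ok, report + [f"assert: {int(ok)} {key} in [{lo}..{hi}] range"]


if __name__ == "__main__":
    for line in check_range(SAMPLE_CONF, "net.ipv4.tcp_synack_retries", 3, 5)[1]:
        print(line)
```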