6
Harden sysctl.conf by Sparrow checks (wp.me)
submitted 11 months ago* (last edited 11 months ago) by melezhik@programming.dev to c/linux@programming.dev
7 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[-] nesc@lemmy.cafe 7 points 11 months ago* (last edited 11 months ago)

You definitely shouldn't copy and paste things like this.

[-] melezhik@programming.dev 2 points 11 months ago

sorry, could you please elaborate on "shouldn’t copy" ? thanks

[-] nesc@lemmy.cafe 4 points 11 months ago

For example if you blindly apply this and forget, you may encounter problems with ipv6 or with your vpn. So it's really depends on your use case and not hardening in general.

[-] melezhik@programming.dev 2 points 11 months ago* (last edited 11 months ago)

fair enough, however the intention is to show how one could create rules on Sparrow/Raku, not to show rules ... Maybe I should have mentioned that ...

for example this is more interesting example evaluation of net.ipv4.tcp_synack_retries"

regexp: ^^ "net.ipv4.tcp_synack_retries" \s* "=" \s* (\d+) \s* $$

generator: <<RAKU
!raku
if matched().elems {
  my $v = capture()[];
  say "note: net.ipv4.tcp_synack_retries={$v}";
  if $v >= 3 && $v <= 5 {
     say "assert: 1 net.ipv4.tcp_synack_retries in [3..5] range"
  } else {
     say "assert: 0 net.ipv4.tcp_synack_retries in [3..5] range"
  }
} else {
  say "note: net.ipv4.tcp_synack_retries setting not found"
}
RAKU
[-] melezhik@programming.dev 1 points 11 months ago* (last edited 11 months ago)

you are seemed to have edited your initial reply - "it should be sysctl.conf not syslog.conf " - anyway thanks for that, now it's fixed, this was just overlook typo

this post was submitted on 04 Feb 2025
6 points (80.0% liked)

Linux

10864 readers
738 users here now

A community for everything relating to the GNU/Linux operating system (except the memes!)

Also, check out:

Original icon base courtesy of lewing@isc.tamu.edu and The GIMP

founded 2 years ago
MODERATORS
Ategon@programming.dev
anzo@programming.dev
dwraf_of_ignorance@programming.dev