/dev/shm & /proc hardening
Solution 1:
The process I use, based on the CIS Linux Security Benchmark, is to modify /etc/fstab to restrict device creation, execution and suid privs on the /dev/shm mount.

shmfs /dev/shm tmpfs nodev,nosuid,noexec 0 0

For the sysctl settings, simply adding some of these to /etc/sysctl.conf works. Run sysctl -p to activate.
# CIS benchmarks
fs.suid_dumpable = 0
kernel.exec-shield = 1
kernel.randomize_va_space = 2
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
Solution 2:
ewwhite has already mentioned the CIS Linux Security Benchmark recommendations; I would also like to add another security guideline worth mentioning: Guide to the Secure Configuration of Red Hat Enterprise Linux 5 by the NSA. In addition to adding nodev,nosuid,noexec options for /dev/shm, the recommendations for kernel parameters which affect networking are mentioned in section 2.5.1:
Host only
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
Host and Router
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_messages = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
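Setting the fstab line and sysctl.conf entries is only half the job; a host can drift (a package re-mounts /dev/shm, a later sysctl.conf.d fragment overrides a key). The script below is an added audit helper, not code from either answer: it checks a /proc/mounts-style listing for nodev,nosuid,noexec on /dev/shm and compares "sysctl -a" output against the values recommended in both answers above. The sample inputs are constructed, and the expected-value table is taken from the two answers rather than from either benchmark document directly.

```shell
#!/bin/sh
# Added audit helper, not part of either answer above. Checks (1) that /dev/shm
# carries nodev,nosuid,noexec and (2) that sysctl keys match the values the two
# answers recommend. Inputs are passed as text so it can be run against the
# constructed samples below or against a live host.

# Constructed sample in /proc/mounts format: /dev/shm mounted with the
# recommended options.
SAMPLE_MOUNTS='tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0'

# Constructed sample in "sysctl -a" format: two keys drifted from the
# recommended values (fs.suid_dumpable and net.ipv4.tcp_syncookies).
SAMPLE_SYSCTL='fs.suid_dumpable = 1
kernel.randomize_va_space = 2
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.tcp_syncookies = 0
net.ipv4.conf.all.rp_filter = 1'

# shm_missing_opts MOUNTS_TEXT
# Prints the recommended /dev/shm options that are absent (empty = all present).
# If /dev/shm is not mounted at all, every option is reported as missing.
shm_missing_opts() {
    opts=$(printf '%s\n' "$1" | awk '$2 == "/dev/shm" { print $4; exit }')
    missing=""
    for want in nodev nosuid noexec; do
        case ",$opts," in
            *,"$want",*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    printf '%s\n' "${missing# }"
}

# sysctl_drift SYSCTL_TEXT
# Prints one "key expected actual" line per key whose value differs from the
# recommendation. Keys absent from the input are not reported.
sysctl_drift() {
    printf '%s\n' "$1" | awk '
        BEGIN {
            want["fs.suid_dumpable"] = 0
            want["kernel.randomize_va_space"] = 2
            want["net.ipv4.conf.all.send_redirects"] = 0
            want["net.ipv4.conf.default.send_redirects"] = 0
            want["net.ipv4.ip_forward"] = 0
            want["net.ipv4.conf.all.accept_source_route"] = 0
            want["net.ipv4.conf.all.accept_redirects"] = 0
            want["net.ipv4.conf.all.log_martians"] = 1
            want["net.ipv4.icmp_echo_ignore_broadcasts"] = 1
            want["net.ipv4.tcp_syncookies"] = 1
            want["net.ipv4.conf.all.rp_filter"] = 1
            want["net.ipv4.conf.default.rp_filter"] = 1
        }
        # "sysctl -a" prints "key = value"; compare the first value field only
        NF >= 3 && $2 == "=" && ($1 in want) && $3 != want[$1] {
            print $1, want[$1], $3
        }'
}

# Run against the constructed samples. On a live host use:
#   shm_missing_opts "$(cat /proc/mounts)"
#   sysctl_drift "$(sysctl -a 2>/dev/null)"
echo "missing /dev/shm options: [$(shm_missing_opts "$SAMPLE_MOUNTS")]"
echo "sysctl drift (key expected actual):"
sysctl_drift "$SAMPLE_SYSCTL"
```

The mount check reads the live mount table rather than /etc/fstab on purpose: fstab says what should happen at boot, /proc/mounts says what is true now. Likewise the sysctl check compares running kernel values, so it catches a sysctl.conf that was edited but never applied with sysctl -p.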