I don't know how to open GOS ROM or any Android ROM .IMG files, but I want to take a look at default GrapheneOS SysCTL.conf (Linux Kernel configuration) file and suggest some tweaks (if they aren't already there).

You can view the kernel configuration in the kernel source trees. Most of it is set via the kernel build configuration. A small portion of configuration can be set at runtime via sysctl or sysfs interfaces. You can see the sysctl and most sysfs configuration via the init scripts in system/core and the device-specific scripts in the device repositories. Trying to give us suggestions based on copying suggestions from content elsewhere will not be helpful.

GrapheneOS is an OS, not a ROM. Please don't refer to it that way. It's incorrect and not used by the project.


The fact that I wasn't able to find a SysCTL.conf file with tweaks for whichever GOS device demonstrates my ignorance and lack of expertise, but I just can't help myself and not post common tweaks applied to SysCTL.conf files in routers for improved security and performance. I hope GOS either plans to include them or already includes them:

IPv4 Redirection and IP Anti-spoofing

net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.all.shared_media=0
net.ipv4.conf.all.rp_filter=1 (excellent for IP spoofing resistance, but NordVPN protocol requires value to be either 0 or 2 to work correctly with NordVPN's NordLynx WireGuard protocol)

ARP and ARP Anti-Spoofing

net.ipv4.conf.all.arp_announce=2 (or 1)
net.ipv4.conf.all.arp_filter=1 (or 2)
net.ipv4.conf.all.arp_ignore=2 (or 1)
net.ipv4.conf.all.drop_gratuitous_arp=1
net.ipv4.conf.all.proxy_arp=0

ICMP

net.ipv4.icmp_echo_ignore_all=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.icmp_ignore_bogus_error_responses=1
net.ipv4.icmp_ratelimit=1
net.ipv4.icmp_ratemask=88089

Multicast

net.ipv4.conf.default.drop_unicast_in_l2_multicast=1
net.ipv4.igmp_link_local_mcast_reports=0

IPSec (WiFi Calling)

net.ipv4.conf.all.disable_policy=1 (can be used for a toggle to fully disable IPSec WiFi calling)
net.ipv4.conf.all.disable_xfrm=1 (can be used for a toggle to fully disable IPSec WiFi calling)

Generic

fs.file-max=395955
fs.protected_hardlinks=1
fs.protected_symlinks=1
kernel.dmesg_restrict=1
kernel.kptr_restrict=1
kernel.panic=0
kernel.panic_on_oops=0
kernel.randomize_va_space=2
kernel.sysrq=0
net.core.default_qdisc=fq_codel

Other

net.ipv4.ip_forward_use_pmtu=0
net.ipv4.ip_local_port_range=1024 65534
net.ipv4.ip_no_pmtu_disc=2
net.ipv4.tcp_challenge_ack_limit=999999999
net.ipv4.tcp_dsack=0
net.ipv4.tcp_ecn=2
net.ipv4.tcp_ecn_fallback=1
net.ipv4.tcp_fack=0
net.ipv4.tcp_fastopen=3
net.ipv4.tcp_frto=0
net.ipv4.conf.all.ignore_routes_with_linkdown=1
net.ipv4.conf.all.log_martians=1
net.ipv4.tcp_moderate_rcvbuf=1
net.ipv4.tcp_mtu_probing=0
net.ipv4.tcp_no_metrics_save=1
net.ipv4.tcp_retries1=3
net.ipv4.tcp_retries2=8
net.ipv4.tcp_rfc1337=1
net.ipv4.tcp_sack=0
net.ipv4.tcp_slow_start_after_idle=0
net.ipv4.tcp_syn_retries=3
net.ipv4.tcp_synack_retries=2
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_timestamps=0
net.ipv4.tcp_tw_reuse=1
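Before proposing a list like the one above, it is worth checking which entries already match the running kernel (the reply below notes that many of them are defaults). The script here is an added example, not part of this post or of GrapheneOS: it parses the thread's "key=value (comment)" format, reads the live values from /proc/sys on a Linux host (for example via adb shell on a device), and reports which entries are already set, differ, or do not exist on that kernel. The PROPOSED text is a constructed sample.

```python
import re
from pathlib import Path

# Constructed sample in the same "key=value (comment)" style as the post above.
PROPOSED = """
net.ipv4.conf.all.rp_filter=1 (excellent for IP spoofing resistance)
net.ipv4.conf.all.arp_ignore=2 (or 1)
kernel.kptr_restrict=1
net.ipv4.tcp_sack=0
net.ipv4.ip_local_port_range=1024 65534
"""

# key = value, optionally followed by a parenthesised free-text note.
LINE_RE = re.compile(r"^\s*([\w.]+)\s*=\s*([^(#]+?)\s*(?:\((.*)\))?\s*$")


def parse_tweaks(text):
    """Return {key: (value, note)}; blank lines and unparseable lines are skipped."""
    out = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out[m.group(1)] = (m.group(2), m.group(3) or "")
    return out


def read_proc_sys(key, root="/proc/sys"):
    """Read the live value of a sysctl key from /proc/sys; None if the key is absent."""
    path = Path(root, *key.split("."))
    try:
        return " ".join(path.read_text().split())
    except OSError:
        return None


def audit(proposed, current):
    """Classify each proposed key as 'same', 'differs' or 'missing' on this kernel."""
    report = {}
    for key, (value, _note) in proposed.items():
        cur = current.get(key)
        if cur is None:
            report[key] = "missing"
        elif " ".join(cur.split()) == " ".join(value.split()):
            report[key] = "same"
        else:
            report[key] = "differs"
    return report


def audit_live(text):
    """Parse a tweak list and compare it against the running kernel."""
    proposed = parse_tweaks(text)
    return audit(proposed, {k: read_proc_sys(k) for k in proposed})


if __name__ == "__main__":
    for key, status in audit_live(PROPOSED).items():
        print(f"{status:8} {key}")
```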

    OpenSource-Ghost Many of these are misguided, obsolete or have no connection to security. For example, rp_filter only works for IPv4 and it should be done via netfilter (iptables/nftables) or eBPF instead to cover both IPv4 and IPv6 in the same way. The reason it's not implemented for IPv6 is because it's a deprecated approach that's not removed for compatibility reasons.

    Breaking IPSec is not an appropriate way to disable Wi-Fi calling. IPSec isn't only used for Wi-Fi calling.

    Extremely strange to be disabling saving TCP metrics, TCP timestamps and SACK if your goal is improving performance when what you are doing is crippling it.

    Many of these are also setting things to their default value.

    It's really hard to tell without deeper knowledge. There isn't much a non-expert can do except research each parameter and find things like:
    SACK Panic Attack - CVE-2019-11477, CVE-2019-11478 & CVE-2019-11479 - https://www.suse.com/support/kb/doc/?id=000019472

    TCP Timestamps granting information about systems - https://raxis.com/blog/2018/06/04/goodies-for-hoodies-tcp-timestamps/

    TCP Timestamps grant the hacker insight into a given system's operational state, and how we use that information is limited only by our imagination. But to dismiss their presence as a low severity security finding just to be remediated is inappropriate, and it may do more harm than good.


      OpenSource-Ghost "There was once a bad bug in SACK processing" does not imply "disable SACK processing everywhere forever".

      "PAWS might leak uptime on some systems" does not imply "always disable PAWS everywhere".

      Something many people can do is to read Bruce Schneier's book Secrets & Lies. It is very old and parts are quite outdated. But a lot of the ideas about how to think about security are still valid, and the book is accessible to lots of people.

      What about introducing Snort or Suricata into GOS? Suricata is open-source and optimized at this point.