kernel.yama.ptrace_scope:
Great, but it might break some programs running under WINE. Please add this to the comments so we can answer user support tickets.
net.ipv4.conf.all.rp_filter=1:
Please remove. Whonix is not configured to act as a router so this setting is unnecessary. It could also break VPN traffic.
All seem to be enabled by default, enabled by security-misc, not available anymore, useless or counter-productive. Most options are just performance tuning.
Also, unrelated but does Whonix disable core dumps? One of the options there reminded me of them.
Netflix CVEs published for TCP stack DDoS. It’s mitigated by tweaking a couple of sysctl settings:
Offtopic, but interesting fact mentioned in a thread discussing this. IMHO we shouldn’t fix what ain’t broke but it makes an interesting point.
It is much preferred to use “iptables -I INPUT” instead of “iptables -A INPUT”. Depending on the rules in your chain, -A could possibly cause much CPU load if the rule is heavily processed.
At HN it is suggested to use “-t raw -I PREROUTING”, which could be of benefit especially with heavy traffic.
I doubt most people would set up a VPN over Tor, so disabling this might not be much of a problem.
SACK seems to be commonly exploited. Disabling it may prevent many other bugs and not just the ones found recently and may reduce potential attack surface. The way it seems to me is, SACK is fundamentally flawed and not necessary in most use cases.
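The review points above (the ptrace_scope/WINE caveat, removing rp_filter on a non-router, disabling SACK against the Netflix TCP CVEs, and the core-dump question) can be turned into a small config audit. This is an added example, not Whonix's or security-misc's code; the sysctl.conf fragment it reads is constructed, and the kernel defaults it assumes for absent keys are net.ipv4.tcp_sack=1 and fs.suid_dumpable=0.

```python
"""Audit a sysctl.conf fragment against the points raised in this thread."""
from typing import Dict, List, Tuple

# Constructed sample; it deliberately leaves rp_filter and SACK on so the audit fires.
SAMPLE_CONF = """\
# hardening fragment (constructed example)
kernel.yama.ptrace_scope = 2
net.ipv4.conf.all.rp_filter=1
net/ipv4/tcp_sack = 1
-fs.suid_dumpable = 0
"""


def parse_sysctl_conf(text: str) -> Dict[str, str]:
    """Parse sysctl.conf syntax: '#'/';' lines are comments, '/' and '.' both separate
    key components, and a leading '-' (ignore errors) is not part of the key."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lstrip("-").replace("/", ".")] = value.strip()
    return settings


Finding = Tuple[str, str]  # (sysctl key, reviewer note)


def audit(settings: Dict[str, str]) -> List[Finding]:
    """Apply the thread's review comments to the parsed settings."""
    findings: List[Finding] = []
    scope = settings.get("kernel.yama.ptrace_scope")
    if scope is not None and scope != "0":
        findings.append(("kernel.yama.ptrace_scope",
                         "restricts ptrace; may break some programs under WINE, note it in the comments"))
    for key in ("net.ipv4.conf.all.rp_filter", "net.ipv4.conf.default.rp_filter"):
        if settings.get(key, "0") != "0":
            findings.append((key, "reverse-path filtering only matters on a router and can break VPN traffic"))
    if settings.get("net.ipv4.tcp_sack", "1") != "0":  # absent key means the kernel default (SACK on)
        findings.append(("net.ipv4.tcp_sack", "SACK still enabled; set to 0 to mitigate the Netflix TCP CVEs"))
    if settings.get("fs.suid_dumpable", "0") != "0":  # absent key means the kernel default (0)
        findings.append(("fs.suid_dumpable", "setuid core dumps enabled; process ulimits are a separate knob"))
    return findings


if __name__ == "__main__":
    for key, note in audit(parse_sysctl_conf(SAMPLE_CONF)):
        print(f"{key}: {note}")
```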