xoxys.kernel/templates/etc/sysctl.d/99-local.conf.j2

107 lines
3.1 KiB
Plaintext
Raw Normal View History

2019-11-03 23:22:18 +00:00
#jinja2: lstrip_blocks: True
{{ ansible_managed | comment }}
# Buffer Overflow Protection
kernel.exec-shield = 1
kernel.randomize_va_space = 2
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
2022-09-13 19:45:54 +00:00
# Command is trapped and sent to the init program to handle a graceful restart
kernel.ctrl-alt-del = 0
# Prevents unprivileged users from being able to use eBPF
kernel.unprivileged_bpf_disabled = 1
# Restricts loading TTY line disciplines to the CAP_SYS_MODULE capability
dev.tty.ldisc_autoload = 0
# Disallow opening FIFOs or regular files not owned by the user in world-writable directories
fs.protected_fifos = 2
fs.protected_regular = 2
# Disallow following not owned by the user in world-writable directories
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
# Restrict eBPF to the CAP_BPF/CAP_SYS_ADMIN capability
net.core.bpf_jit_harden = 2
# Disable Bootstrap protocol, as it is superseded by DHCP
net.ipv4.conf.all.bootp_relay = 0
# Disable forwarding of multicast packets on all interfaces
net.ipv4.conf.all.mc_forwarding = 0
# Disable the ARP proxy on all interfaces
net.ipv4.conf.all.proxy_arp = 0
2019-11-03 23:22:18 +00:00
# Avoid a smurf attack
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Turn on protection for bad icmp error messages
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Turn on syncookies for SYN flood attack protection
net.ipv4.tcp_syncookies = 1
# Turn on and log spoofed, source routed, and redirect packets
net.ipv4.conf.all.log_martians = 1
2022-09-19 14:15:10 +00:00
net.ipv4.conf.default.accept_source_route = 0
2019-11-03 23:22:18 +00:00
# No source routed packets here
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Turn on reverse path filtering
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Make sure no one can alter the routing tables
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
# Don't act as a router
net.ipv4.ip_forward = {{ kernel_ipv4_forwarding_enabled | bool | ternary(1, 0, 0) }}
2019-11-03 23:22:18 +00:00
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Make sure spoofed packets get logged
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# Turn off the tcp_timestamps
net.ipv4.tcp_timestamps = 0
2022-09-13 19:45:54 +00:00
{% if not kernel_ipv6_enabled | bool %}
2019-11-03 23:22:18 +00:00
# Disable IPv6 for all interfaces
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
2022-09-13 19:45:54 +00:00
{% else %}
2019-11-03 23:22:18 +00:00
2022-09-19 14:15:10 +00:00
# Disable router advertisements
net.ipv6.conf.default.accept_ra = 0
net.ipv6.conf.all.accept_ra = 0
2019-11-03 23:22:18 +00:00
# Disable ICMP routing redirects
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
2022-09-13 19:45:54 +00:00
# Disable forwarding of IPv6 source-routed packets
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
2022-09-19 14:15:10 +00:00
# Disable forwarding of IPv6
net.ipv6.conf.all.forwarding = {{ kernel_ipv6_forwarding_enabled | bool | ternary(1, 0, 0) }}
2022-09-13 19:45:54 +00:00
{% endif %}
{% if kernel_namespace_support_enabled | bool %}
2019-11-03 23:22:18 +00:00
user.max_user_namespaces = 15076
{% endif %}
{% if kernel_ipv4_ping_group_range is defined %}
net.ipv4.ping_group_range={{ kernel_ipv4_ping_group_range }}
{% endif %}