From 8f44815d979ebbc9dfbdd5e938510d1496a66b08 Mon Sep 17 00:00:00 2001
From: Charles N Wyble
Date: Tue, 17 Feb 2026 16:32:14 -0500
Subject: [PATCH] feat(security-hardening): add SCAP-STIG compliance configuration files

Add security hardening configuration files implementing SCAP-STIG controls:
- sysctl-hardening.conf: 75 kernel security parameters covering:
* IP forwarding and redirect controls
* Source routing and martian packet logging
* TCP SYN cookies and timestamps
* ExecShield and ASLR settings
* Ptrace scope restrictions
* Unprivileged BPF and userns restrictions
- security-limits.conf: Resource limits for:
* Core dump prevention (fork bomb protection)
* Process count limits (4096 soft, 8192 hard)
* File handle limits (1024 soft, 4096 hard)
* Memory lock and file size restrictions
- issue, issue.net, motd: Security warning banners for local and network login
- modprobe/: Directory for kernel module blacklist configurations

These configs implement CIS Benchmark and DISA STIG requirements for Linux server hardening.

Related: KNELServerBuild/ProjectCode/Modules/Security/secharden-scap-stig.sh
---
initializers/security-hardening/configs/issue | 5 ++
.../security-hardening/configs/issue.net | 5 ++
initializers/security-hardening/configs/motd | 5 ++
.../configs/security-limits.conf | 29 +++++++
.../configs/sysctl-hardening.conf | 75 +++++++++++++++++++
5 files changed, 119 insertions(+)
create mode 100644 initializers/security-hardening/configs/issue
create mode 100644 initializers/security-hardening/configs/issue.net
create mode 100644 initializers/security-hardening/configs/motd
create mode 100644 initializers/security-hardening/configs/security-limits.conf
create mode 100644 initializers/security-hardening/configs/sysctl-hardening.conf
diff --git a/initializers/security-hardening/configs/issue b/initializers/security-hardening/configs/issue
new file mode 100644
index 0000000..42b3729
--- /dev/null
+++ b/initializers/security-hardening/configs/issue
@@ -0,0 +1,5 @@
+This system is the property of Known Element Enterprises LLC.
+
+Authorized uses only. All activity may be monitored and reported.
+
+All activities subject to monitoring/recording/review in real time and/or at a later time.
diff --git a/initializers/security-hardening/configs/issue.net b/initializers/security-hardening/configs/issue.net
new file mode 100644
index 0000000..42b3729
--- /dev/null
+++ b/initializers/security-hardening/configs/issue.net
@@ -0,0 +1,5 @@
+This system is the property of Known Element Enterprises LLC.
+
+Authorized uses only. All activity may be monitored and reported.
+
+All activities subject to monitoring/recording/review in real time and/or at a later time.
diff --git a/initializers/security-hardening/configs/motd b/initializers/security-hardening/configs/motd
new file mode 100644
index 0000000..42b3729
--- /dev/null
+++ b/initializers/security-hardening/configs/motd
@@ -0,0 +1,5 @@
+This system is the property of Known Element Enterprises LLC.
+
+Authorized uses only. All activity may be monitored and reported.
+
+All activities subject to monitoring/recording/review in real time and/or at a later time.
diff --git a/initializers/security-hardening/configs/security-limits.conf b/initializers/security-hardening/configs/security-limits.conf
new file mode 100644
index 0000000..26238e4
--- /dev/null
+++ b/initializers/security-hardening/configs/security-limits.conf
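Review bot: The three banner files are the same blob (`42b3729`) but are displayed at different points: `issue` by getty before local login, `issue.net` by sshd only when `sshd_config` carries `Banner /etc/issue.net`, and `motd` after authentication, so `motd` alone is not a pre-login notice and the sshd `Banner` directive must be set elsewhere for the SSH warning to appear at all; presumably the related secharden script does this, but it is not in this diff. No getty escape sequences such as `\n` or `\r` are used, which is fine since it avoids echoing the hostname and kernel release to unauthenticated users.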
@@ -0,0 +1,29 @@
+# KNEL Security Limits Configuration
+# SCAP/STIG compliant resource limits
+
+# Prevent core dumps for all users
+* hard core 0
+* soft core 0
+
+# Prevent core dumps for root
+root hard core 0
+root soft core 0
+
+# Limit max processes for users (fork bomb protection)
+* soft nproc 4096
+* hard nproc 8192
+
+# Limit max file handles
+* soft nofile 1024
+* hard nofile 4096
+
+# Limit max memory lock
+* hard memlock 64
+
+# Limit max file size
+* soft fsize 2097152
+* hard fsize 4194304
+
+# Stack size limit
+* soft stack 8192
+* hard stack 65536
diff --git a/initializers/security-hardening/configs/sysctl-hardening.conf b/initializers/security-hardening/configs/sysctl-hardening.conf
new file mode 100644
index 0000000..1e9813f
--- /dev/null
+++ b/initializers/security-hardening/configs/sysctl-hardening.conf
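Review bot: `* hard fsize 4194304` caps every non-root account at roughly 4 GiB per file (fsize is in KiB), which surfaces as SIGXFSZ/EFBIG for backups, database files and logs written by service accounts that pick up pam_limits through a login or `su` session; I am not aware of a CIS Benchmark or DISA STIG control that requires an fsize cap, so either drop the two fsize lines or add a comment naming the control they satisfy. `* hard nofile 4096` is likewise below what many network daemons need and deserves a comment noting that services needing more must get a per-user override here or `LimitNOFILE=` in their unit. The explicit `root` entries exist because the pam_limits `*` wildcard does not match root, and the same applies to nproc and nofile, which currently leave root unlimited; if that is intended, say so with `# Note: '*' does not match root; only the core limit is enforced for root`. The commit message also lists a `modprobe/` directory of module blacklists, but no file under it appears in the diffstat, so that part of the hardening is not in this commit.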
@@ -0,0 +1,75 @@
+# KNEL Kernel Security Hardening Configuration
+# SCAP/STIG compliant sysctl parameters
+
+# Disable IP forwarding
+net.ipv4.ip_forward = 0
+net.ipv6.conf.all.forwarding = 0
+
+# Disable send packet redirects
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.default.send_redirects = 0
+
+# Disable accept source routing
+net.ipv4.conf.all.accept_source_route = 0
+net.ipv4.conf.default.accept_source_route = 0
+net.ipv6.conf.all.accept_source_route = 0
+net.ipv6.conf.default.accept_source_route = 0
+
+# Disable accept redirects
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv6.conf.all.accept_redirects = 0
+net.ipv6.conf.default.accept_redirects = 0
+
+# Disable secure redirects
+net.ipv4.conf.all.secure_redirects = 0
+net.ipv4.conf.default.secure_redirects = 0
+
+# Log martian packets
+net.ipv4.conf.all.log_martians = 1
+net.ipv4.conf.default.log_martians = 1
+
+# Enable TCP SYN cookies
+net.ipv4.tcp_syncookies = 1
+
+# Disable RFC1337 fix
+net.ipv4.tcp_rfc1337 = 1
+
+# Enable reverse path filtering
+net.ipv4.conf.all.rp_filter = 1
+net.ipv4.conf.default.rp_filter = 1
+
+# Disable ICMP redirects
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+
+# Disable IP source routing
+net.ipv4.conf.all.accept_source_route = 0
+net.ipv4.conf.default.accept_source_route = 0
+
+# Enable TCP timestamps
+net.ipv4.tcp_timestamps = 1
+
+# Disable magic sysrq
+kernel.sysrq = 0
+
+# Disable core dumps for SUID programs
+fs.suid_dumpable = 0
+
+# Enable execshield protection
+kernel.exec-shield = 1
+
+# Randomize virtual address space
+kernel.randomize_va_space = 2
+
+# Disable coredumps
+kernel.core_pattern = |/bin/false
+
+# Restrict ptrace scope
+kernel.yama.ptrace_scope = 1
+
+# Disable unprivileged BPF
+kernel.unprivileged_bpf_disabled = 1
+
+# Restrict user namespaces
+kernel.unprivileged_userns_clone = 0
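Review bot: `kernel.exec-shield` and `kernel.unprivileged_userns_clone` are not keys on mainline kernels — exec-shield was a Red Hat kernel patch from the RHEL 5/6 era and unprivileged_userns_clone exists only on Debian/Ubuntu-patched kernels — so `sysctl -p`/`sysctl --system` will report them as missing on other hosts and, depending on how the related secharden script checks sysctl's exit status, may abort the whole hardening step; drop the exec-shield pair (`kernel.randomize_va_space = 2` already covers the ASLR part on every kernel) and gate the userns line per distribution rather than translating it blindly, since the mainline `user.max_user_namespaces = 0` would disable namespaces for root as well. Several comments contradict the setting beneath them: `# Disable RFC1337 fix` above `net.ipv4.tcp_rfc1337 = 1` should read `# Enable RFC 1337 TIME-WAIT assassination protection`, and `# Disable ICMP redirects` above `icmp_echo_ignore_broadcasts`/`icmp_ignore_bogus_error_responses` should read `# Ignore ICMP broadcast echo requests and bogus error responses`. The block under `# Disable IP source routing` repeats the two IPv4 `accept_source_route` lines already set under `# Disable accept source routing` and can be removed. `kernel.core_pattern = |/bin/false` may be superseded on systemd hosts by the distribution's `50-coredump.conf` depending on the name this file is installed under in `/etc/sysctl.d`, so the core-dump guarantee should be documented as resting on `fs.suid_dumpable = 0` plus the limits file, or the install name chosen so it sorts after the systemd drop-in. `kernel.yama.ptrace_scope` likewise only exists when the Yama LSM is built in and enabled, which is worth a comment.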