feat(security-hardening): add SCAP-STIG compliance configuration files

Add security hardening configuration files implementing SCAP-STIG controls: - sysctl-hardening.conf: 75 kernel security parameters covering: * IP forwarding and redirect controls * Source routing and martian packet logging * TCP SYN cookies and timestamps * ExecShield and ASLR settings * Ptrace scope restrictions * Unprivileged BPF and userns restrictions - security-limits.conf: Resource limits for: * Core dump prevention (fork bomb protection) * Process count limits (4096 soft, 8192 hard) * File handle limits (1024 soft, 4096 hard) * Memory lock and file size restrictions - issue, issue.net, motd: Security warning banners for local and network login - modprobe/: Directory for kernel module blacklist configurations These configs implement CIS Benchmark and DISA STIG requirements for Linux server hardening. Related: KNELServerBuild/ProjectCode/Modules/Security/secharden-scap-stig.sh
2026-02-17 16:32:14 -05:00
parent 429454ebc9
commit 8f44815d97
5 changed files with 119 additions and 0 deletions
--- a/initializers/security-hardening/configs/security-limits.conf
+++ b/initializers/security-hardening/configs/security-limits.conf
@@ -0,0 +1,29 @@
+# KNEL Security Limits Configuration
+# SCAP/STIG compliant resource limits
+
+# Prevent core dumps for all users
+* hard core 0
+* soft core 0
+
+# Prevent core dumps for root
+root hard core 0
+root soft core 0
+
+# Limit max processes for users (fork bomb protection)
+* soft nproc 4096
+* hard nproc 8192
+
+# Limit max file handles
+* soft nofile 1024
+* hard nofile 4096
+
+# Limit max memory lock
+* hard memlock 64
+
+# Limit max file size
+* soft fsize 2097152
+* hard fsize 4194304
+
+# Stack size limit
+* soft stack 8192
+* hard stack 65536