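# KNEL Kernel Security Hardening Configuration
# SCAP/STIG compliant sysctl parameters
#
# Format: sysctl.conf(5) -- one "key = value" per line, '#' full-line comments,
# no sections. A leading '-' on a key tells sysctl to ignore a failure for
# that single line; it is used below only for keys that do not exist on every
# kernel/distribution, so a stale key cannot make the whole run report an error.
# Apply with `sysctl --system` (or `sysctl -p <this file>`) and re-check with
# `sysctl <key>`; a key that is rejected never reaches the running kernel.

# --- IP forwarding: this host is not a router ---
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.default.forwarding = 0

# --- ICMP redirects: never send them, never accept them (including
# "secure" redirects from the default gateway) ---
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

# --- Source routing: reject source-routed packets on IPv4 and IPv6 ---
# (the IPv4 keys were listed twice in the original file; consolidated here
# so the effective value is unambiguous)
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# --- Reverse path filtering ---
# 1 = strict: drop packets whose source address is not routable back through
# the receiving interface. Use 2 (loose) only on asymmetrically routed hosts.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# --- Log packets with impossible (martian) source addresses ---
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# --- ICMP: ignore broadcast echo requests (smurf-style amplification) and
# malformed ICMP error responses (keeps the log free of that noise) ---
# (the original comment called this "Disable ICMP redirects"; redirects are
# handled by the accept_redirects/send_redirects keys above)
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

# --- TCP ---
# SYN cookies: keep accepting connections when the SYN backlog is flooded
net.ipv4.tcp_syncookies = 1
# RFC 1337 TIME-WAIT assassination protection. 1 = ENABLED (the original
# comment read "Disable RFC1337 fix", which contradicted the value 1).
net.ipv4.tcp_rfc1337 = 1
# TCP timestamps stay enabled: required for PAWS and better RTT estimation
net.ipv4.tcp_timestamps = 1

# --- Kernel ---
# Magic SysRq fully disabled (0); a bitmask value can allow selected functions
kernel.sysrq = 0
# Never write core dumps for set-uid/set-gid programs
fs.suid_dumpable = 0
# Pipe every core dump into /bin/false so nothing is written to disk
kernel.core_pattern = |/bin/false
# Full ASLR: randomise stack, mmap base, VDSO and brk
kernel.randomize_va_space = 2
# Yama: a process may only be ptraced by an ancestor (or with CAP_SYS_PTRACE).
# NOTE: the key is only present when the Yama LSM is built in and enabled.
kernel.yama.ptrace_scope = 1
# Unprivileged use of bpf() off (1 = disabled, root may re-enable at runtime)
kernel.unprivileged_bpf_disabled = 1
# Legacy: kernel.exec-shield exists only on RHEL 5-era kernels. On current
# kernels the '-' prefix keeps sysctl from failing on "No such file or
# directory"; NX protection is provided by the hardware NX bit and
# randomize_va_space above.
-kernel.exec-shield = 1
# Debian/Ubuntu-specific knob (not in the upstream kernel); the '-' prefix
# lets other distributions skip it instead of reporting an error.
-kernel.unprivileged_userns_clone = 0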