KNEL/KNELConfigMgmt-FetchApply
1
0
Fork 0
Code Pull Requests Actions Packages Releases Activity
Files
main
KNELConfigMgmt-FetchApply/initializers/security-hardening/configs/sysctl-hardening.conf
Charles N Wyble 8f44815d97 feat(security-hardening): add SCAP-STIG compliance configuration files 
Add security hardening configuration files implementing SCAP-STIG
controls:

- sysctl-hardening.conf: 75 kernel security parameters covering:
  * IP forwarding and redirect controls
  * Source routing and martian packet logging
  * TCP SYN cookies and timestamps
  * ExecShield and ASLR settings
  * Ptrace scope restrictions
  * Unprivileged BPF and userns restrictions

- security-limits.conf: Resource limits for:
  * Core dump prevention (fork bomb protection)
  * Process count limits (4096 soft, 8192 hard)
  * File handle limits (1024 soft, 4096 hard)
  * Memory lock and file size restrictions

- issue, issue.net, motd: Security warning banners for local
  and network login

- modprobe/: Directory for kernel module blacklist configurations

These configs implement CIS Benchmark and DISA STIG requirements
for Linux server hardening.

Related: KNELServerBuild/ProjectCode/Modules/Security/secharden-scap-stig.sh
2026-02-17 16:32:14 -05:00

76 lines
1.8 KiB
Plaintext
Raw Permalink Blame History

# KNEL Kernel Security Hardening Configuration
# SCAP/STIG compliant sysctl parameters
# Disable IP forwarding
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
# Disable send packet redirects
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Disable accept source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Disable accept redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Disable secure redirects
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
# Log martian packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# Enable TCP SYN cookies
net.ipv4.tcp_syncookies = 1
# Disable RFC1337 fix
net.ipv4.tcp_rfc1337 = 1
# Enable reverse path filtering
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Disable ICMP redirects
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Disable IP source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Enable TCP timestamps
net.ipv4.tcp_timestamps = 1
# Disable magic sysrq
kernel.sysrq = 0
# Disable core dumps for SUID programs
fs.suid_dumpable = 0
# Enable execshield protection
kernel.exec-shield = 1
# Randomize virtual address space
kernel.randomize_va_space = 2
# Disable coredumps
kernel.core_pattern = |/bin/false
# Restrict ptrace scope
kernel.yama.ptrace_scope = 1
# Disable unprivileged BPF
kernel.unprivileged_bpf_disabled = 1
# Restrict user namespaces
kernel.unprivileged_userns_clone = 0
View Git Blame Copy Permalink