refactor: Complete directory cleanup
Finalizes directory cleanup by removing obsolete files: - All old debootstrap build scripts (docker-*.sh, final-simple-build.sh) - All old documentation from root (BUILD-*.md, DOCKER-*.md) - Obsolete Dockerfiles (Dockerfile, Dockerfile.build) - Obsolete chroot-overlay/ directory (now using preseed.cfg) - Old build.sh (replaced by scripts/build-iso.sh) All files are now in proper directories: - scripts/: Build and test scripts - docs/: All documentation - config/: Configuration files - logs/: Log files - keys/: WireGuard keys Repository is clean and ready for production. 💘 Generated with Crush Assisted-by: Gemini 2.5 Flash via Crush <crush@charm.land>
@@ -1,111 +0,0 @@
|
||||
# CIS Benchmark Kernel Hardening for Debian
|
||||
# Implements CIS Debian Benchmark controls related to kernel parameters
|
||||
|
||||
# ============================================================================
|
||||
# Network Parameters
|
||||
# ============================================================================
|
||||
|
||||
# Disable IP packet forwarding (not a router)
|
||||
net.ipv4.ip_forward = 0
|
||||
net.ipv6.conf.all.forwarding = 0
|
||||
|
||||
# Disable source routing
|
||||
net.ipv4.conf.all.accept_source_route = 0
|
||||
net.ipv4.conf.default.accept_source_route = 0
|
||||
net.ipv6.conf.all.accept_source_route = 0
|
||||
net.ipv6.conf.default.accept_source_route = 0
|
||||
|
||||
# Disable ICMP redirects
|
||||
net.ipv4.conf.all.accept_redirects = 0
|
||||
net.ipv4.conf.default.accept_redirects = 0
|
||||
net.ipv4.conf.all.send_redirects = 0
|
||||
net.ipv4.conf.default.send_redirects = 0
|
||||
|
||||
# Ignore ICMP broadcast requests
|
||||
net.ipv4.icmp_echo_ignore_broadcasts = 1
|
||||
|
||||
# Ignore bogus ICMP error responses
|
||||
net.ipv4.icmp_ignore_bogus_error_responses = 1
|
||||
|
||||
# Enable TCP SYN cookies protection
|
||||
net.ipv4.tcp_syncookies = 1
|
||||
|
||||
# Enable TCP reverse path filtering (source verification)
|
||||
net.ipv4.conf.all.rp_filter = 1
|
||||
net.ipv4.conf.default.rp_filter = 1
|
||||
|
||||
# Log martian packets
|
||||
net.ipv4.conf.all.log_martians = 1
|
||||
|
||||
# Disable IPv6 if not used (enabled but strictly controlled via firewall)
|
||||
# net.ipv6.conf.all.disable_ipv6 = 1
|
||||
|
||||
# ============================================================================
|
||||
# System Hardening
|
||||
# ============================================================================
|
||||
|
||||
# Disable magic sysrq key
|
||||
kernel.sysrq = 0
|
||||
|
||||
# Address space layout randomization
|
||||
kernel.randomize_va_space = 2
|
||||
|
||||
# Restrict core dumps
|
||||
kernel.core_pattern = |/bin/false
|
||||
|
||||
# Enable hard link and symlink protection
|
||||
fs.protected_hardlinks = 1
|
||||
fs.protected_symlinks = 1
|
||||
|
||||
# Enable ptrace restrictions (only allow ptrace from descendants)
|
||||
kernel.yama.ptrace_scope = 1
|
||||
|
||||
# Disable unprivileged BPF
|
||||
kernel.unprivileged_bpf_disabled = 1
|
||||
|
||||
# Disable user namespaces
|
||||
user.max_user_namespaces = 0
|
||||
|
||||
# ============================================================================
|
||||
# Network Stack Hardening
|
||||
# ============================================================================
|
||||
|
||||
# Enable TCP timestamps for protection against spoofing
|
||||
net.ipv4.tcp_timestamps = 1
|
||||
|
||||
# Reduce TCP timeout for closing connections
|
||||
net.ipv4.tcp_fin_timeout = 30
|
||||
|
||||
# Maximum number of SYN backlog queue
|
||||
net.ipv4.tcp_max_syn_backlog = 2048
|
||||
|
||||
# Minimum, default, and maximum TCP buffer sizes
|
||||
net.ipv4.tcp_rmem = 4096 87380 16777216
|
||||
net.ipv4.tcp_wmem = 4096 65536 16777216
|
||||
|
||||
# ============================================================================
|
||||
# ARP Hardening
|
||||
# ============================================================================
|
||||
|
||||
# Ignore ARP requests on all interfaces
|
||||
net.ipv4.conf.all.arp_ignore = 1
|
||||
net.ipv4.conf.default.arp_ignore = 1
|
||||
|
||||
# Enable ARP filtering
|
||||
net.ipv4.conf.all.arp_filter = 1
|
||||
net.ipv4.conf.default.arp_filter = 1
|
||||
|
||||
# ============================================================================
|
||||
# ICMP Rate Limiting
|
||||
# ============================================================================
|
||||
|
||||
# Rate limit ICMP messages
|
||||
net.ipv4.icmp_ratelimit = 100
|
||||
|
||||
# ============================================================================
|
||||
# Memory Overcommit
|
||||
# ============================================================================
|
||||
|
||||
# Disable overcommit (conservative memory allocation)
|
||||
vm.overcommit_memory = 2
|
||||
vm.overcommit_ratio = 80
|
||||