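# CIS Benchmark Kernel Hardening for Debian
# Implements CIS Debian Benchmark controls related to kernel parameters.
#
# Format: sysctl(8) configuration -- one "key = value" per line, "#" starts a
# full-line comment, no sections. Applied at boot by systemd-sysctl (or with
# "sysctl --system"). Files under /etc/sysctl.d are applied in lexical order
# and later files win, so give this file a high numeric prefix if other
# drop-ins must not override it.
#
# Entries marked "not a CIS control" are extra hardening/tuning; each carries
# a note on what it may break.

# ============================================================================
# Network Parameters
# ============================================================================

# Disable IP packet forwarding (this host is not a router)
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0

# Do not accept source-routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# Do not accept ICMP redirects (IPv4 and IPv6) and do not send them.
# "secure" redirects (those from gateways already in the routing table) are
# refused as well, as the benchmark requires.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Ignore ICMP echo requests sent to broadcast/multicast addresses (smurf)
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Ignore bogus ICMP error responses (also avoids log flooding)
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Enable TCP SYN cookies (SYN-flood mitigation once the backlog is full)
net.ipv4.tcp_syncookies = 1

# Reverse path filtering, 1 = strict (RFC 3704): drop packets whose source
# address would not be routed back via the interface they arrived on.
# Use 2 (loose) on hosts with asymmetric routing or multiple uplinks.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Log packets with impossible (martian) source addresses, on existing and
# future interfaces. Kernel rate-limits these messages, but they can still be
# noisy on misconfigured networks.
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# IPv6 stays enabled and is controlled via the firewall. Uncomment only if
# IPv6 is genuinely unused; the IPv6 keys above then have no effect.
# net.ipv6.conf.all.disable_ipv6 = 1

# ============================================================================
# System Hardening
# ============================================================================

# Disable the magic SysRq key (console-triggered reboot/dump/kill)
kernel.sysrq = 0

# Full address space layout randomization (2 = stack, mmap and brk)
kernel.randomize_va_space = 2

# Core dumps: pipe them to /bin/false so nothing is written to disk, and
# additionally forbid dumps from set-uid / privileged processes
# (fs.suid_dumpable = 0 is the benchmark control).
kernel.core_pattern = |/bin/false
fs.suid_dumpable = 0

# Refuse to follow symlinks and to create hard links across ownership
# boundaries in world-writable sticky directories such as /tmp
# (mitigates temp-file TOCTOU attacks)
fs.protected_hardlinks = 1
fs.protected_symlinks = 1

# Yama: a process may ptrace only its descendants (1). Attaching a debugger
# to a running process then needs CAP_SYS_PTRACE or a temporary relaxation.
# Requires the Yama LSM, which Debian kernels enable by default.
kernel.yama.ptrace_scope = 1

# Disable unprivileged BPF program loading.
# NOTE: value 1 is one-way -- it cannot be reverted without a reboot
# (value 2 applies the same restriction but can be changed back).
kernel.unprivileged_bpf_disabled = 1

# Disable creation of new user namespaces (not a CIS control). This blocks
# all users, root included, and breaks rootless containers, Flatpak and
# browser sandboxes, and systemd units using PrivateUsers=. On such hosts
# raise the limit or drop this line; Debian kernels also offer
# kernel.unprivileged_userns_clone to restrict only unprivileged users.
user.max_user_namespaces = 0

# ============================================================================
# Network Stack Tuning (not CIS controls)
# ============================================================================

# TCP timestamps (RFC 7323): needed for PAWS protection against wrapped
# sequence numbers and for SYN cookies to preserve TCP options. They expose
# a per-host clock (uptime estimation); recent kernels randomise the offset
# per connection, which limits that leak.
net.ipv4.tcp_timestamps = 1

# Seconds to hold an orphaned socket in FIN-WAIT-2 (kernel default 60)
net.ipv4.tcp_fin_timeout = 30

# Size of the SYN backlog (half-open connections); SYN cookies engage when
# this fills
net.ipv4.tcp_max_syn_backlog = 2048

# TCP receive/send buffer sizes in bytes: min default max
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216

# ============================================================================
# ARP Hardening
# ============================================================================

# arp_ignore = 1: answer an ARP request only if the target IP is configured
# on the interface the request arrived on (this does NOT ignore all ARP).
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.default.arp_ignore = 1

# arp_filter = 1: only the interface the kernel would use to reach the
# requester replies, so a multi-homed host does not answer for every
# interface's address on every link.
net.ipv4.conf.all.arp_filter = 1
net.ipv4.conf.default.arp_filter = 1

# ============================================================================
# ICMP Rate Limiting
# ============================================================================

# Minimum interval in milliseconds between rate-limited ICMP replies
# (types selected by net.ipv4.icmp_ratemask).
# NOTE: the kernel default is 1000; 100 allows ten times MORE ICMP than the
# default, so raise this value if the intent is to tighten the limit.
net.ipv4.icmp_ratelimit = 100

# ============================================================================
# Memory Overcommit
# ============================================================================

# overcommit_memory = 2: never overcommit; allocations beyond
# swap + overcommit_ratio percent of RAM fail with ENOMEM (not a CIS
# control). Programs that reserve large virtual ranges (JVMs, Redis, some
# databases) may fail to start -- use 0 on such hosts.
vm.overcommit_memory = 2
vm.overcommit_ratio = 80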