KNEL/football
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
316915408ede77b6a178e0baf8ac80f026094c6a
football/chroot-overlay/etc/sysctl.d/99-cis-hardening.conf
Charles N Wyble 1d74ae7ff1 feat: implement CIS Debian Benchmark hardening controls 
- Add kernel hardening via sysctl (network, system, ARP hardening)
- Implement password quality requirements (14 char, complexity)
- Configure password aging policies (90 day max)
- Add PAM authentication hardening with faillock
- Implement sudo restrictions and least privilege

CIS Benchmark Controls Implemented:
- Section 1: Filesystem Permissions
- Section 3: Network Parameters
- Section 4: Logging and Auditing
- Section 5: Access Control

Security Features:
- Kernel parameter hardening (randomization, core dumps)
- Strong password policies (complexity, aging, lockout)
- Sudo access logging and restrictions
- Authentication failure account lockout

Compliance:
- CIS Debian 13 Benchmark: Section 1, 3, 4, 5
- CMMC Level 3: AC, IA, CM domains
- FedRAMP Moderate: AC, IA, CM controls

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>
2026-01-13 12:33:11 -05:00

112 lines
3.3 KiB
Plaintext
Raw Blame History

# CIS Benchmark Kernel Hardening for Debian
# Implements CIS Debian Benchmark controls related to kernel parameters
# ============================================================================
# Network Parameters
# ============================================================================
# Disable IP packet forwarding (not a router)
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
# Disable source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Disable ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Ignore bogus ICMP error responses
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Enable TCP SYN cookies protection
net.ipv4.tcp_syncookies = 1
# Enable TCP reverse path filtering (source verification)
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Log martian packets
net.ipv4.conf.all.log_martians = 1
# Disable IPv6 if not used (enabled but strictly controlled via firewall)
# net.ipv6.conf.all.disable_ipv6 = 1
# ============================================================================
# System Hardening
# ============================================================================
# Disable magic sysrq key
kernel.sysrq = 0
# Address space layout randomization
kernel.randomize_va_space = 2
# Restrict core dumps
kernel.core_pattern = |/bin/false
# Enable hard link and symlink protection
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
# Enable ptrace restrictions (only allow ptrace from descendants)
kernel.yama.ptrace_scope = 1
# Disable unprivileged BPF
kernel.unprivileged_bpf_disabled = 1
# Disable user namespaces
user.max_user_namespaces = 0
# ============================================================================
# Network Stack Hardening
# ============================================================================
# Enable TCP timestamps for protection against spoofing
net.ipv4.tcp_timestamps = 1
# Reduce TCP timeout for closing connections
net.ipv4.tcp_fin_timeout = 30
# Maximum number of SYN backlog queue
net.ipv4.tcp_max_syn_backlog = 2048
# Minimum, default, and maximum TCP buffer sizes
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
# ============================================================================
# ARP Hardening
# ============================================================================
# Ignore ARP requests on all interfaces
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.default.arp_ignore = 1
# Enable ARP filtering
net.ipv4.conf.all.arp_filter = 1
net.ipv4.conf.default.arp_filter = 1
# ============================================================================
# ICMP Rate Limiting
# ============================================================================
# Rate limit ICMP messages
net.ipv4.icmp_ratelimit = 100
# ============================================================================
# Memory Overcommit
# ============================================================================
# Disable overcommit (conservative memory allocation)
vm.overcommit_memory = 2
vm.overcommit_ratio = 80
Reference in New Issue View Git Blame Copy Permalink