Volt CLI: source-available under AGPSL v5.0

Complete infrastructure platform CLI:
- Container runtime (systemd-nspawn)
- VoltVisor VMs (Neutron Stardust / QEMU)
- Stellarium CAS (content-addressed storage)
- ORAS Registry
- GitOps integration
- Landlock LSM security
- Compose orchestration
- Mesh networking

Copyright (c) Armored Gates LLC. All rights reserved.
Licensed under AGPSL v5.0

configs/sysctl/90-armored-hardening.conf

@@ -0,0 +1,226 @@
+# Armored Linux - Kernel Hardening Configuration
+# Applied via sysctl at boot and during provisioning
+# These settings provide defense-in-depth for container isolation
+
+# ===================================
+# Kernel Hardening
+# ===================================
+
+# Restrict access to kernel logs (prevent information leakage)
+kernel.dmesg_restrict = 1
+
+# Restrict access to kernel pointers in /proc
+kernel.kptr_restrict = 2
+
+# Disable kernel profiling by unprivileged users
+kernel.perf_event_paranoid = 3
+
+# Restrict loading of TTY line disciplines
+dev.tty.ldisc_autoload = 0
+
+# Enable kernel address space layout randomization
+kernel.randomize_va_space = 2
+
+# Restrict ptrace to parent-child relationships only
+kernel.yama.ptrace_scope = 1
+
+# Disable core dumps for setuid programs
+fs.suid_dumpable = 0
+
+# Enable ExecShield (if available)
+kernel.exec-shield = 1
+
+# Restrict BPF (Berkeley Packet Filter) to privileged users only
+kernel.unprivileged_bpf_disabled = 1
+
+# Harden BPF JIT compiler against attacks
+net.core.bpf_jit_harden = 2
+
+# Restrict kernel module loading (if using signed modules)
+# kernel.modules_disabled = 1  # Uncomment to prevent module loading after boot
+
+# Restrict userfaultfd to privileged processes (prevents some exploits)
+vm.unprivileged_userfaultfd = 0
+
+# ===================================
+# Memory Management
+# ===================================
+
+# Restrict mmap to reasonable ranges
+vm.mmap_min_addr = 65536
+
+# Overcommit memory handling (be more conservative)
+vm.overcommit_memory = 1
+vm.overcommit_ratio = 50
+
+# Panic on out-of-memory instead of killing random processes
+vm.panic_on_oom = 0
+
+# ===================================
+# Network Security
+# ===================================
+
+# Disable IPv4 forwarding (unless this is a router)
+net.ipv4.ip_forward = 0
+
+# Disable IPv6 forwarding (unless this is a router)
+net.ipv6.conf.all.forwarding = 0
+
+# Enable TCP SYN cookies (DDoS protection)
+net.ipv4.tcp_syncookies = 1
+
+# Disable ICMP redirect acceptance
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv6.conf.all.accept_redirects = 0
+net.ipv6.conf.default.accept_redirects = 0
+
+# Disable source routing
+net.ipv4.conf.all.accept_source_route = 0
+net.ipv4.conf.default.accept_source_route = 0
+net.ipv6.conf.all.accept_source_route = 0
+net.ipv6.conf.default.accept_source_route = 0
+
+# Enable reverse path filtering (prevent IP spoofing)
+net.ipv4.conf.all.rp_filter = 1
+net.ipv4.conf.default.rp_filter = 1
+
+# Log martian packets
+net.ipv4.conf.all.log_martians = 1
+net.ipv4.conf.default.log_martians = 1
+
+# Ignore ICMP echo requests (ping)
+net.ipv4.icmp_echo_ignore_all = 0
+
+# Ignore ICMP broadcast requests
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+
+# Ignore bogus ICMP error responses
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+
+# Enable TCP timestamps for better performance
+net.ipv4.tcp_timestamps = 1
+
+# ===================================
+# Container Isolation (Voltainer Security)
+# ===================================
+
+# These settings enhance security for systemd-nspawn containers
+# Voltainer uses systemd-nspawn as the container runtime, which benefits from
+# strict namespace isolation and seccomp filtering
+
+# Restrict access to /proc/<pid>/net for containers
+kernel.perf_event_paranoid = 3
+
+# Limit number of user namespaces (0 = unlimited, use with caution)
+# user.max_user_namespaces = 10000
+
+# Restrict unprivileged user namespaces (some distros require this for containers)
+# Note: systemd-nspawn typically runs as root, so this affects other containerization
+# kernel.unprivileged_userns_clone = 1
+
+# Namespace restrictions for container isolation
+# These help prevent container escape and privilege escalation
+# kernel.yama.ptrace_scope already set above (value 1)
+
+# Enable strict seccomp filtering support
+# Voltainer applies seccomp filters defined in container manifests
+# No additional sysctl needed - enabled by kernel config
+
+# ===================================
+# File System Security
+# ===================================
+
+# Protected hardlinks (prevent hardlink exploits)
+fs.protected_hardlinks = 1
+
+# Protected symlinks (prevent symlink exploits)
+fs.protected_symlinks = 1
+
+# Protected fifos
+fs.protected_fifos = 2
+
+# Protected regular files
+fs.protected_regular = 2
+
+# ===================================
+# IPC Restrictions
+# ===================================
+
+# Maximum number of message queues
+kernel.msgmnb = 65536
+kernel.msgmax = 65536
+
+# Maximum shared memory segment size
+kernel.shmmax = 68719476736
+kernel.shmall = 4294967296
+
+# ===================================
+# Security Modules
+# ===================================
+
+# AppArmor/SELinux enforcement (if using)
+# These are typically managed by the security module itself
+
+# ===================================
+# System Limits
+# ===================================
+
+# Maximum number of open files
+fs.file-max = 2097152
+
+# Maximum number of inotify watches (for monitoring)
+fs.inotify.max_user_watches = 524288
+fs.inotify.max_user_instances = 512
+
+# Maximum number of PIDs
+kernel.pid_max = 4194304
+
+# ===================================
+# Logging and Auditing
+# ===================================
+
+# Keep kernel logs for debugging (but restrict access)
+kernel.printk = 3 3 3 3
+
+# ===================================
+# Performance Tuning (Container-Aware)
+# ===================================
+
+# Connection tracking for containers
+net.netfilter.nf_conntrack_max = 262144
+
+# TCP keepalive settings
+net.ipv4.tcp_keepalive_time = 600
+net.ipv4.tcp_keepalive_intvl = 60
+net.ipv4.tcp_keepalive_probes = 3
+
+# TCP buffer sizes (optimized for container networking)
+net.core.rmem_max = 16777216
+net.core.wmem_max = 16777216
+net.ipv4.tcp_rmem = 4096 87380 16777216
+net.ipv4.tcp_wmem = 4096 65536 16777216
+
+# Maximum connection backlog
+net.core.somaxconn = 32768
+net.core.netdev_max_backlog = 5000
+
+# ===================================
+# Panic Behavior
+# ===================================
+
+# Reboot after kernel panic (10 seconds)
+kernel.panic = 10
+kernel.panic_on_oops = 1
+
+# ===================================
+# Notes
+# ===================================
+# This configuration provides a secure baseline for Armored Linux nodes.
+# Some settings may need adjustment based on:
+# - Container workload requirements
+# - Network topology
+# - Hardware capabilities
+# - Specific security compliance requirements
+#
+# DevNodes may override some settings via detect-node-type.sh for debugging.