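# Armored Linux - Kernel Hardening Configuration
# Applied via sysctl at boot and during provisioning
# These settings provide defense-in-depth for container isolation
#
# Syntax notes (sysctl.conf / sysctl.d):
# - one "key = value" per line; full-line "#" comments only (no trailing comments)
# - a key prefixed with "-" is applied best-effort: if the kernel lacks it (or the
#   backing module is not loaded yet) the error is ignored instead of aborting
#   the rest of the file. Used below for keys that are kernel- or distro-specific.
# - each key appears exactly once; later duplicates would silently win.

# ===================================
# Kernel Hardening
# ===================================

# Restrict access to kernel logs (prevent information leakage)
kernel.dmesg_restrict = 1

# Restrict access to kernel pointers in /proc
kernel.kptr_restrict = 2

# Disable kernel profiling by unprivileged users
# 3 (deny all unprivileged perf_event_open) is honored on Debian/Ubuntu-patched
# kernels; on mainline kernels any value above 2 behaves like 2.
kernel.perf_event_paranoid = 3

# Restrict loading of TTY line disciplines (key absent on older kernels)
-dev.tty.ldisc_autoload = 0

# Enable kernel address space layout randomization
kernel.randomize_va_space = 2

# Restrict ptrace to descendants only (CAP_SYS_PTRACE still bypasses)
kernel.yama.ptrace_scope = 1

# Disable core dumps for setuid programs
fs.suid_dumpable = 0

# Enable ExecShield (if available)
# Red Hat-specific key from the RHEL 5/6 era; it does not exist on mainline
# kernels, so it is applied best-effort to avoid a failed sysctl run.
-kernel.exec-shield = 1

# Restrict BPF (Berkeley Packet Filter) to privileged users only
kernel.unprivileged_bpf_disabled = 1

# Harden BPF JIT compiler against attacks (2 = for all users, not just unprivileged)
net.core.bpf_jit_harden = 2

# Restrict kernel module loading (if using signed modules)
# Uncomment to prevent module loading after boot. This is one-way until reboot,
# so every module the node needs (including nf_conntrack, see below) must be
# loaded before sysctl applies it.
# kernel.modules_disabled = 1

# Restrict userfaultfd to privileged processes (prevents some exploits)
# Key exists on Linux 5.2+; applied best-effort on older kernels.
-vm.unprivileged_userfaultfd = 0

# ===================================
# Memory Management
# ===================================

# Restrict mmap to reasonable ranges
vm.mmap_min_addr = 65536

# Overcommit memory handling
# 0 = heuristic (kernel default), 1 = always overcommit, 2 = strict accounting.
# Mode 1 is kept here for fork-heavy / memory-reserving container workloads.
# overcommit_ratio is only consulted in mode 2.
vm.overcommit_memory = 1
vm.overcommit_ratio = 50

# Out-of-memory behaviour
# 0 = let the OOM killer pick a process (keeps the node up); 1 or 2 would panic
# the whole node (and with kernel.panic below, reboot it) on OOM.
vm.panic_on_oom = 0

# ===================================
# Network Security
# ===================================

# Disable IPv4 forwarding (unless this is a router)
# Note: veth/bridged container networking usually needs forwarding on the host;
# confirm against the Voltainer network setup before relying on 0 here.
net.ipv4.ip_forward = 0

# Disable IPv6 forwarding (unless this is a router)
net.ipv6.conf.all.forwarding = 0

# Enable TCP SYN cookies (DDoS protection)
net.ipv4.tcp_syncookies = 1

# Disable ICMP redirect acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# Disable source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# Enable reverse path filtering (prevent IP spoofing)
# 1 = strict; use 2 (loose) if the node has asymmetric routing across interfaces
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Log martian packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# ICMP echo requests (ping): 0 = answer them, 1 = drop them
net.ipv4.icmp_echo_ignore_all = 0

# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Ignore bogus ICMP error responses
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Enable TCP timestamps (needed for PAWS and window scaling on fast links)
net.ipv4.tcp_timestamps = 1

# ===================================
# Container Isolation (Voltainer Security)
# ===================================
# These settings enhance security for systemd-nspawn containers
# Voltainer uses systemd-nspawn as the container runtime, which benefits from
# strict namespace isolation and seccomp filtering

# Perf restrictions: kernel.perf_event_paranoid is set once in the
# Kernel Hardening section above (a second assignment here was removed).

# Limit number of user namespaces (0 = unlimited, use with caution)
# user.max_user_namespaces = 10000

# Restrict unprivileged user namespaces (some distros require this for containers)
# Note: systemd-nspawn typically runs as root, so this affects other containerization
# Debian/Ubuntu-specific key; it does not exist on mainline kernels.
# kernel.unprivileged_userns_clone = 1

# Namespace restrictions for container isolation
# These help prevent container escape and privilege escalation
# kernel.yama.ptrace_scope already set above (value 1)

# Enable strict seccomp filtering support
# Voltainer applies seccomp filters defined in container manifests
# No additional sysctl needed - enabled by kernel config

# ===================================
# File System Security
# ===================================

# Protected hardlinks (prevent hardlink exploits)
fs.protected_hardlinks = 1

# Protected symlinks (prevent symlink exploits)
fs.protected_symlinks = 1

# Protected fifos (Linux 4.19+; applied best-effort on older kernels)
-fs.protected_fifos = 2

# Protected regular files (Linux 4.19+; applied best-effort on older kernels)
-fs.protected_regular = 2

# ===================================
# IPC Restrictions
# ===================================

# Maximum bytes per message queue (msgmnb) and maximum single message size (msgmax)
kernel.msgmnb = 65536
kernel.msgmax = 65536

# Maximum size of a single shared memory segment, in bytes
kernel.shmmax = 68719476736
# Maximum total shared memory, in pages
kernel.shmall = 4294967296

# ===================================
# Security Modules
# ===================================

# AppArmor/SELinux enforcement (if using)
# These are typically managed by the security module itself

# ===================================
# System Limits
# ===================================

# Maximum number of open files
fs.file-max = 2097152

# Maximum number of inotify watches (for monitoring)
fs.inotify.max_user_watches = 524288
fs.inotify.max_user_instances = 512

# Maximum number of PIDs
kernel.pid_max = 4194304

# ===================================
# Logging and Auditing
# ===================================

# Console log level, not log retention: the four fields are
# console_loglevel default_message_loglevel minimum_console_loglevel default_console_loglevel.
# 3 = only errors and worse reach the console; everything is still in the
# kernel ring buffer, whose access is restricted by kernel.dmesg_restrict above.
kernel.printk = 3 3 3 3

# ===================================
# Performance Tuning (Container-Aware)
# ===================================

# Connection tracking for containers
# Only exists once the nf_conntrack module is loaded; applied best-effort so an
# early boot run does not fail the whole file.
-net.netfilter.nf_conntrack_max = 262144

# TCP keepalive settings (seconds)
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_intvl = 60
net.ipv4.tcp_keepalive_probes = 3

# TCP buffer sizes (optimized for container networking)
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216

# Maximum connection backlog
net.core.somaxconn = 32768
net.core.netdev_max_backlog = 5000

# ===================================
# Panic Behavior
# ===================================

# Reboot after kernel panic (10 seconds)
kernel.panic = 10
# Treat an oops as a panic (so the reboot above applies)
kernel.panic_on_oops = 1

# ===================================
# Notes
# ===================================
# This configuration provides a secure baseline for Armored Linux nodes.
# Some settings may need adjustment based on:
# - Container workload requirements
# - Network topology
# - Hardware capabilities
# - Specific security compliance requirements
#
# DevNodes may override some settings via detect-node-type.sh for debugging.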