Complete infrastructure platform CLI: - Container runtime (systemd-nspawn) - VoltVisor VMs (Neutron Stardust / QEMU) - Stellarium CAS (content-addressed storage) - ORAS Registry - GitOps integration - Landlock LSM security - Compose orchestration - Mesh networking Copyright (c) Armored Gates LLC. All rights reserved. Licensed under AGPSL v5.0
# Armored Linux - Kernel Hardening Configuration
# Applied via sysctl at boot and during provisioning.
# These settings provide defense-in-depth for container isolation.

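# ===================================
# Kernel Hardening
# ===================================

# Reading the kernel log ring buffer requires CAP_SYSLOG
# (keeps kernel addresses and driver details away from unprivileged users)
kernel.dmesg_restrict = 1

# Kernel pointers in /proc and printk output are shown as zeros for everyone,
# including root (1 would still reveal them to CAP_SYSLOG holders)
kernel.kptr_restrict = 2

# No perf_event_open() for unprivileged users.
# 3 is honoured by Debian/Ubuntu/Android kernels; mainline treats it as 2.
kernel.perf_event_paranoid = 3

# Do not auto-load TTY line discipline modules on demand
dev.tty.ldisc_autoload = 0

# Full ASLR: randomize stack, mmap base, VDSO and heap (brk)
kernel.randomize_va_space = 2

# Yama: a process may only ptrace its own descendants.
# CAP_SYS_PTRACE is exempt; 2 = admin only, 3 = no attach (not resettable).
kernel.yama.ptrace_scope = 1

# Never write core dumps for setuid or otherwise protected processes
fs.suid_dumpable = 0

# ExecShield exists only on legacy Red Hat kernels; the key is absent on
# mainline. The leading "-" tells sysctl to ignore the error for this line
# instead of reporting a failure at every boot.
-kernel.exec-shield = 1

# Disable the bpf() syscall for unprivileged users.
# 1 cannot be undone until reboot; 2 would allow re-enabling at runtime.
kernel.unprivileged_bpf_disabled = 1

# JIT hardening (constant blinding) for all users, including root
net.core.bpf_jit_harden = 2

# Forbid loading kernel modules after boot.
# Uncomment only once every required module is loaded or built in before
# this file is applied; the setting cannot be reverted without a reboot.
# kernel.modules_disabled = 1

# userfaultfd() only for processes with CAP_SYS_PTRACE
# (commonly abused to widen kernel race windows)
vm.unprivileged_userfaultfd = 0
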
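# ===================================
# Memory Management
# ===================================

# Lowest address userspace may mmap (64 KiB). Blocks exploitation of kernel
# NULL-pointer dereferences via a user mapping at address 0.
vm.mmap_min_addr = 65536

# Overcommit policy: 0 = heuristic (kernel default), 1 = always allow,
# 2 = strict accounting.
# NOTE(review): mode 1 is the *least* conservative option. It is presumably
# chosen so fork()-heavy container workloads do not fail on large address
# spaces; confirm this is intended, or use 2 for strict accounting.
vm.overcommit_memory = 1

# Percentage of physical RAM (plus swap) that forms the commit limit.
# Only consulted when vm.overcommit_memory = 2; ignored in mode 1.
vm.overcommit_ratio = 50

# 0 = run the OOM killer on out-of-memory (kernel default); 1 = panic instead.
# Kept at 0: with kernel.panic set in this file, 1 would turn every OOM
# into a node reboot.
vm.panic_on_oom = 0
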
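# ===================================
# Network Security
# ===================================

# IPv4/IPv6 forwarding off (this node is not a router).
# NOTE(review): container veth/NAT and mesh overlays need forwarding on.
# Confirm the network service enables it (per interface or globally) after
# this file is applied, or set it to 1 here.
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0

# SYN cookies: keep accepting connections when the SYN backlog overflows
net.ipv4.tcp_syncookies = 1

# Do not accept ICMP redirects (a redirect can steer traffic to a rogue gateway)
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# Do not send ICMP redirects either: with forwarding off there is no reason
# to, and they leak routing information
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Do not honour source-routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# Strict reverse-path filtering: drop packets whose source address is not
# routable back through the interface they arrived on (anti-spoofing).
# NOTE(review): strict mode (1) drops legitimate traffic on asymmetric or
# multi-homed mesh paths; loose mode (2) may be required on such nodes.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Log packets with impossible source addresses ("martians")
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# ICMP echo (ping): 0 = respond, 1 = ignore all echo requests.
# Responses are kept on (presumably for reachability monitoring);
# set 1 to make the node silent.
net.ipv4.icmp_echo_ignore_all = 0

# Ignore echo requests sent to broadcast/multicast addresses
# (smurf-amplification mitigation)
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Do not log ICMP errors that violate RFC 1122 (avoids log flooding)
net.ipv4.icmp_ignore_bogus_error_responses = 1

# TCP timestamps (RFC 7323): required for PAWS and RTT estimation
net.ipv4.tcp_timestamps = 1
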
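# ===================================
# Container Isolation (Voltainer Security)
# ===================================

# These settings enhance security for systemd-nspawn containers.
# Voltainer uses systemd-nspawn as the container runtime, which benefits from
# strict namespace isolation and seccomp filtering.

# perf access from containers is already restricted by
# kernel.perf_event_paranoid = 3 in the Kernel Hardening section.
# The key is deliberately not repeated here: duplicate keys make the
# effective value depend on file order, and perf_event_paranoid has no
# bearing on /proc/<pid>/net visibility.

# Cap the number of user namespaces that can be created.
# 0 disables user namespace creation entirely (it does NOT mean unlimited).
# user.max_user_namespaces = 10000

# Debian/Ubuntu-specific key (absent on mainline kernels):
# 1 = unprivileged processes may create user namespaces, 0 = privileged only.
# Some distributions ship 0, and rootless container tooling needs 1.
# systemd-nspawn typically runs as root, so this mainly affects other
# containerization on the node. Leave commented unless the distro has the key.
# kernel.unprivileged_userns_clone = 1

# ptrace scoping (container escape / privilege escalation resistance):
# kernel.yama.ptrace_scope is already set to 1 in the Kernel Hardening section.

# seccomp: Voltainer applies the filters defined in container manifests.
# No sysctl is involved - filter support comes from the kernel build
# (CONFIG_SECCOMP_FILTER).
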
# ===================================
# File System Security
# ===================================

# Hard links may only be created to files the caller owns or can read and
# write (blocks linking to files the caller could not otherwise access)
fs.protected_hardlinks = 1

# Symlinks in world-writable sticky directories (e.g. /tmp) are followed
# only when the follower owns the link or the directory owner matches the
# link owner
fs.protected_symlinks = 1

# O_CREAT opens of FIFOs / regular files that already exist in a sticky
# directory are refused unless the file is owned by the opener or the
# directory owner; 2 extends this to group-writable sticky directories
fs.protected_fifos = 2
fs.protected_regular = 2

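# ===================================
# IPC Restrictions
# ===================================

# System V message queues: msgmnb = maximum bytes queued in one queue,
# msgmax = maximum size of a single message. (The number of queues is
# governed by kernel.msgmni, which is not set here.)
kernel.msgmnb = 65536
kernel.msgmax = 65536

# System V shared memory: shmmax = largest single segment in bytes (64 GiB),
# shmall = total shared memory in pages (4294967296 pages = 16 TiB at 4 KiB)
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
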
# ===================================
# Security Modules
# ===================================

# AppArmor/SELinux enforcement (if in use) is managed by the security
# module's own tooling and policy; no sysctl keys are set here.

# ===================================
# System Limits
# ===================================

# System-wide ceiling on open file handles
fs.file-max = 2097152

# inotify limits for file-change monitoring: watches and instances per user
fs.inotify.max_user_watches = 524288
fs.inotify.max_user_instances = 512

# Largest PID value (2^22, the 64-bit maximum); presumably raised so dense
# container hosts do not exhaust the PID space
kernel.pid_max = 4194304

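# ===================================
# Logging and Auditing
# ===================================

# Console log levels, in order: console_loglevel default_message_loglevel
# minimum_console_loglevel default_console_loglevel.
# 3 means only KERN_ERR and worse reach the console. This does not affect
# retention: the full ring buffer is still kept for dmesg/journald, and
# read access to it is gated by kernel.dmesg_restrict above.
kernel.printk = 3 3 3 3
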
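# ===================================
# Performance Tuning (Container-Aware)
# ===================================

# Connection-tracking table size for container/NAT traffic.
# The key only exists once the nf_conntrack module is loaded; the leading "-"
# makes sysctl ignore a missing key instead of reporting an error at boot.
# NOTE(review): if conntrack is loaded later, this value is simply not
# applied - confirm the module is loaded before sysctl runs.
-net.netfilter.nf_conntrack_max = 262144

# TCP keepalive: start probing after 600 s idle, probe every 60 s, give up
# after 3 failed probes (about 12 minutes to detect a dead peer)
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_intvl = 60
net.ipv4.tcp_keepalive_probes = 3

# Socket buffer ceilings in bytes: rmem/wmem max = 16 MiB;
# tcp_rmem / tcp_wmem are "min default max"
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216

# Upper bound for listen() backlogs, and the per-CPU ingress packet queue
net.core.somaxconn = 32768
net.core.netdev_max_backlog = 5000
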
# ===================================
# Panic Behavior
# ===================================

# After a panic, wait 10 seconds and reboot rather than hang indefinitely
kernel.panic = 10

# Treat an oops as a panic: a kernel that has hit a bug is not trusted to
# keep running, so together with kernel.panic the node reboots
kernel.panic_on_oops = 1

# ===================================
# Notes
# ===================================
# This configuration provides a secure baseline for Armored Linux nodes.
# Some settings may need adjustment depending on:
# - Container workload requirements
# - Network topology
# - Hardware capabilities
# - Specific security compliance requirements
#
# DevNodes may override some settings via detect-node-type.sh for debugging.