Karl Clinger 81ad0b597c Volt CLI: source-available under AGPSL v5.0
Complete infrastructure platform CLI:
- Container runtime (systemd-nspawn)
- VoltVisor VMs (Neutron Stardust / QEMU)
- Stellarium CAS (content-addressed storage)
- ORAS Registry
- GitOps integration
- Landlock LSM security
- Compose orchestration
- Mesh networking

Copyright (c) Armored Gates LLC. All rights reserved.
Licensed under AGPSL v5.0
2026-03-21 00:31:12 -05:00


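# Armored Linux - Kernel Hardening Configuration
# Applied via sysctl at boot and during provisioning
# These settings provide defense-in-depth for container isolation
#
# Format: sysctl.conf(5) / sysctl.d(5). Use full-line "#" comments only:
# sysctl(8) and systemd-sysctl do not strip trailing comments, so a line like
# "key = 1 # note" tries to write the value "1 # note" and fails.
# A leading "-" marks a key as optional: a missing key is not reported as an
# error. It is used below for keys that are not in mainline kernels or that
# only exist once a module is loaded.
# ===================================
# Kernel Hardening
# ===================================
# Restrict access to kernel logs (prevent information leakage)
kernel.dmesg_restrict = 1
# Restrict access to kernel pointers in /proc (2 = hidden even from root)
kernel.kptr_restrict = 2
# Disable kernel profiling by unprivileged users
# Mainline documents >= 2 as "no unprivileged kernel profiling"; 3 is the
# stricter Debian/Android extension and is accepted by mainline as >= 2.
kernel.perf_event_paranoid = 3
# Restrict loading of TTY line disciplines
dev.tty.ldisc_autoload = 0
# Enable kernel address space layout randomization (2 = also randomize brk)
kernel.randomize_va_space = 2
# Restrict ptrace to descendants only (Yama mode 1; CAP_SYS_PTRACE is still honoured)
kernel.yama.ptrace_scope = 1
# Disable core dumps for setuid programs
fs.suid_dumpable = 0
# Enable ExecShield (if available)
# ExecShield is a Red Hat/Fedora-era patch and does not exist in mainline
# kernels; without the "-" prefix this line makes every sysctl run report an
# error on non-patched kernels.
-kernel.exec-shield = 1
# Restrict BPF (Berkeley Packet Filter) to privileged users only
# 1 is permanent until reboot (it cannot be set back to 0); 2 applies the same
# restriction but can be reverted at runtime. 1 matches the hardening intent.
kernel.unprivileged_bpf_disabled = 1
# Harden BPF JIT compiler against attacks (2 = for all users, not just unprivileged)
net.core.bpf_jit_harden = 2
# Restrict kernel module loading (if using signed modules)
# Uncomment to prevent module loading after boot. This is irreversible until
# reboot and also blocks on-demand loading (filesystems, netfilter, device
# drivers), so every required module must already be loaded when it applies.
# kernel.modules_disabled = 1
# Restrict userfaultfd to privileged processes (prevents some exploits)
vm.unprivileged_userfaultfd = 0
# ===================================
# Memory Management
# ===================================
# Lowest address a process may mmap (blocks NULL-page mappings)
vm.mmap_min_addr = 65536
# Overcommit memory handling
# NOTE: 1 means "always overcommit" (never refuse an allocation), which is the
# permissive setting rather than a conservative one; 0 is the kernel's
# heuristic default and 2 is strict accounting. Kept at 1 so container
# workloads are not broken; change deliberately.
vm.overcommit_memory = 1
# Only consulted when vm.overcommit_memory = 2 (strict mode); inert at 1
vm.overcommit_ratio = 50
# 0 = do NOT panic on out-of-memory; the OOM killer terminates a process
# instead. 1 would panic the node, which with kernel.panic = 10 below means an
# automatic reboot on memory exhaustion.
vm.panic_on_oom = 0
# ===================================
# Network Security
# ===================================
# Disable IPv4 forwarding (unless this is a router)
# NOTE: hosts that give containers NAT or bridged veth networking need
# forwarding on the host; confirm against the node's network setup before
# relying on this value.
net.ipv4.ip_forward = 0
# Disable IPv6 forwarding (unless this is a router)
net.ipv6.conf.all.forwarding = 0
# Enable TCP SYN cookies (SYN-flood protection)
net.ipv4.tcp_syncookies = 1
# Disable ICMP redirect acceptance
# "all" covers existing interfaces, "default" covers interfaces created later
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Disable source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Enable reverse path filtering (prevent IP spoofing)
# 1 = strict mode. The kernel uses the higher of the all/<iface> values, so
# every interface ends up strict; strict mode drops legitimate traffic on
# hosts with asymmetric routing - use 2 (loose) there.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Log martian packets (source addresses impossible on the receiving interface)
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# ICMP echo requests (ping): 0 = answer them; set to 1 to drop all pings
net.ipv4.icmp_echo_ignore_all = 0
# Ignore ICMP echo requests sent to broadcast addresses (smurf mitigation)
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Ignore bogus ICMP error responses
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Enable TCP timestamps (kernel default; needed for PAWS and RTT estimation)
net.ipv4.tcp_timestamps = 1
# ===================================
# Container Isolation (Voltainer Security)
# ===================================
# These settings enhance security for systemd-nspawn containers
# Voltainer uses systemd-nspawn as the container runtime, which benefits from
# strict namespace isolation and seccomp filtering
# kernel.perf_event_paranoid is already set above (value 3). It was previously
# repeated here under an unrelated comment; duplicates are last-wins, so the
# effective value is unchanged by removing the repeat.
# Limit number of user namespaces per user namespace
# NOTE: this is a maximum - 0 disables creation of user namespaces entirely,
# it does not mean "unlimited".
# user.max_user_namespaces = 10000
# Restrict unprivileged user namespaces (some distros require this for containers)
# kernel.unprivileged_userns_clone is a Debian/Ubuntu-patched sysctl that does
# not exist on mainline kernels; if enabled, prefix it with "-" on a mixed fleet.
# Note: systemd-nspawn typically runs as root, so this affects other containerization
# kernel.unprivileged_userns_clone = 1
# Namespace restrictions for container isolation
# These help prevent container escape and privilege escalation
# kernel.yama.ptrace_scope already set above (value 1)
# Enable strict seccomp filtering support
# Voltainer applies seccomp filters defined in container manifests
# No additional sysctl needed - enabled by kernel config
# ===================================
# File System Security
# ===================================
# Protected hardlinks (prevent hardlink exploits)
fs.protected_hardlinks = 1
# Protected symlinks (prevent symlink exploits)
fs.protected_symlinks = 1
# Protected fifos (2 = also in group-writable sticky directories)
fs.protected_fifos = 2
# Protected regular files (2 = also in group-writable sticky directories)
fs.protected_regular = 2
# ===================================
# IPC Limits
# ===================================
# SysV message queues: max bytes per queue (msgmnb), max single message size (msgmax)
kernel.msgmnb = 65536
kernel.msgmax = 65536
# Shared memory: max single segment size in bytes (shmmax), total limit in pages (shmall)
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
# ===================================
# Security Modules
# ===================================
# AppArmor/SELinux enforcement (if using)
# These are typically managed by the security module itself
# ===================================
# System Limits
# ===================================
# Maximum number of open files (system-wide)
fs.file-max = 2097152
# Maximum number of inotify watches and instances per user (for monitoring)
fs.inotify.max_user_watches = 524288
fs.inotify.max_user_instances = 512
# Maximum number of PIDs
kernel.pid_max = 4194304
# ===================================
# Logging and Auditing
# ===================================
# Console log levels: console, default message, minimum console, default console
# 3 = only errors and above reach the console; every message still lands in
# the ring buffer (dmesg), whose access is restricted by kernel.dmesg_restrict
kernel.printk = 3 3 3 3
# ===================================
# Performance Tuning (Container-Aware)
# ===================================
# Connection tracking for containers
# net.netfilter.* keys only exist once the nf_conntrack module is loaded,
# which at boot may be after sysctl runs; "-" makes the line optional so a
# missing key is not an error. Load the module earlier (modules-load.d) if the
# value must be guaranteed from boot.
-net.netfilter.nf_conntrack_max = 262144
# TCP keepalive settings (seconds idle before probing, probe interval, probe count)
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_intvl = 60
net.ipv4.tcp_keepalive_probes = 3
# TCP buffer sizes (optimized for container networking)
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
# Maximum connection backlog
net.core.somaxconn = 32768
net.core.netdev_max_backlog = 5000
# ===================================
# Panic Behavior
# ===================================
# Reboot 10 seconds after a kernel panic
kernel.panic = 10
# Turn every oops into a panic: combined with the above, an oops reboots the
# node instead of continuing in a possibly corrupted state
kernel.panic_on_oops = 1
# ===================================
# Notes
# ===================================
# This configuration provides a secure baseline for Armored Linux nodes.
# Some settings may need adjustment based on:
# - Container workload requirements
# - Network topology
# - Hardware capabilities
# - Specific security compliance requirements
#
# DevNodes may override some settings via detect-node-type.sh for debugging.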