From 6f04d0e9df6270bff228f947a461fe531cc60356 Mon Sep 17 00:00:00 2001
From: Lorenzo Tucci
Date: Fri, 20 Aug 2021 14:48:51 +0200
Subject: [PATCH 1/8] feat: add emacs.service for Emacs server
---
emacs/emacs.service | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
create mode 100644 emacs/emacs.service
diff --git a/emacs/emacs.service b/emacs/emacs.service
new file mode 100644
index 0000000..3bb60db
--- /dev/null
+++ b/emacs/emacs.service
@@ -0,0 +1,18 @@
+# Emacs server unit service for systemd (start emacs as a server)
+# This file is meant to be placed into your .config/systemd/user/ folder
+# and started + enabled with systemctl enable emacs --user --now
+# It is advised to add an alias for emacs to run it as client
+# ex. for the terminal version: alias emacs='emacsclient -t'
+[Unit]
+Description=Emacs text editor
+Documentation=info:emacs man:emacs(1) https://gnu.org/software/emacs/
+
+[Service]
+Type=forking
+ExecStart=/usr/bin/emacs --daemon
+ExecStop=/usr/bin/emacsclient --eval "(kill-emacs)"
+Environment=SSH_AUTH_SOCK=%t/keyring/ssh
+Restart=on-failure
+
+[Install]
+WantedBy=default.target
From 36e0b962ac316fd043fa90d8d13fc4a5e18918f3 Mon Sep 17 00:00:00 2001
From: Lorenzo Tucci
Date: Sun, 22 Aug 2021 22:13:37 +0200
Subject: [PATCH 2/8] feat: add sshd_config, sysctl.conf, lynis custom
---
lynis/etc/lynis/custom.prf | 13 +++++++++++
ssh/etc/ssh/sshd_config | 21 ++++++++++++++++++
systcl/etc/sysctl.conf | 45 ++++++++++++++++++++++++++++++++++++++
3 files changed, 79 insertions(+)
create mode 100644 lynis/etc/lynis/custom.prf
create mode 100644 ssh/etc/ssh/sshd_config
create mode 100644 systcl/etc/sysctl.conf
diff --git a/lynis/etc/lynis/custom.prf b/lynis/etc/lynis/custom.prf
new file mode 100644
index 0000000..38d246e
--- /dev/null
+++ b/lynis/etc/lynis/custom.prf
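Review bot: `Environment=SSH_AUTH_SOCK=%t/keyring/ssh` unconditionally overrides whatever agent socket the user session already exports, so on a host without gnome-keyring (plain ssh-agent, or a forwarded agent) Emacs sees a dangling path and any ssh or git use from inside Emacs silently loses agent access; it belongs in a per-machine drop-in rather than in the shared unit. `Type=forking` with `--daemon` relies on the daemon's own fork to signal readiness; the unit that newer Emacs releases ship themselves uses `Type=notify` with `ExecStart=/usr/bin/emacs --fg-daemon`, which lets systemd supervise the real process and is worth adopting where the installed Emacs supports it. A one-line comment above the `Environment=` line naming the keyring it assumes would make the dependency explicit.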
@@ -0,0 +1,13 @@
+# Disable some tests that are not useful in cloud-based servers
+skip-test=AUTH-9286
+skip-test=PRNT-2307
+skip-test=USB-1000
+skip-test=STRG-1846
+skip-test=PRNT-2308
+skip-test=FILE-6310
+skip-test=SSH-7408:tcpkeepalive
+skip-test=SSH-7408:allowtcpforwarding
+skip-test=SSH-7408:compression
+skip-test=SSH-7408:port
+skip-test=BANN-7126
+skip-test=BANN-7130
diff --git a/ssh/etc/ssh/sshd_config b/ssh/etc/ssh/sshd_config
new file mode 100644
index 0000000..c13c440
--- /dev/null
+++ b/ssh/etc/ssh/sshd_config
@@ -0,0 +1,21 @@
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+SyslogFacility AUTHPRIV
+
+AllowGroups sshlogin
+
+PermitRootLogin WITHOUT-PASSWORD
+PubkeyAuthentication yes
+AuthorizedKeysFile .ssh/authorized_keys
+IgnoreRhosts yes
+PasswordAuthentication no
+ChallengeResponseAuthentication no
+GSSAPIAuthentication no
+UsePAM yes
+X11Forwarding no
+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
+AcceptEnv XMODIFIERS
diff --git a/systcl/etc/sysctl.conf b/systcl/etc/sysctl.conf
new file mode 100644
index 0000000..0729e28
--- /dev/null
+++ b/systcl/etc/sysctl.conf
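Review bot: Each `skip-test=` line in custom.prf is a standing audit exception, but only the header comment gives a reason, so a later reader cannot tell whether a given skip is still justified once the host's role changes. Add the reason per line or per group, e.g. `# reason: <why this check does not apply on these hosts>` above each cluster, and keep the ids sorted so duplicates stand out. The same applies to the custom.prf hunks in patches 5 and 6 of this series, which add further ids without a reason.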
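Review bot: `PermitRootLogin WITHOUT-PASSWORD` uses the deprecated alias; OpenSSH 7.0 and later spell it `PermitRootLogin prohibit-password`, and since logins are already confined with `AllowGroups sshlogin`, `PermitRootLogin no` is the stronger choice wherever administrators have sudo, so that a leaked root key alone is not enough. Nothing here sets `Ciphers`, `KexAlgorithms` or `MACs`, so the accepted set is whatever the distribution's OpenSSH build defaults to; pin them explicitly if the host must not negotiate legacy algorithms. `LoginGraceTime` is also left at its default, which together with `MaxAuthTries` (added in patch 4) bounds how long an unauthenticated connection can occupy a slot.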
@@ -0,0 +1,45 @@
+# Hardened sysctl conf
+
+fs.protected_regular = 2
+fs.protected_fifos = 2
+fs.protected_hardlinks = 1
+fs.protected_symlinks = 1
+fs.suid_dumpable = 0
+
+kernel.core_uses_pid = 1
+kernel.ctrl-alt-del = 0
+kernel.dmesg_restrict = 1
+kernel.kptr_restrict = 2
+kernel.randomize_va_space = 2
+kernel.sysrq = 0
+kernel.unprivileged_bpf_disabled = 1
+
+
+net.core.bpf_jit_harden = 2
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.all.accept_source_route = 0
+net.ipv4.conf.all.bootp_relay = 0
+net.ipv4.conf.all.forwarding = 0
+net.ipv4.conf.all.log_martians = 1
+net.ipv4.conf.all.mc_forwarding = 0
+net.ipv4.conf.all.proxy_arp = 0
+net.ipv4.conf.all.rp_filter = 0
+net.ipv4.conf.all.send_redirects = 0
+
+net.ipv4.conf.default.accept_redirects = 0
+net.ipv4.conf.default.accept_source_route = 0
+net.ipv4.conf.default.log_martians = 1
+
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+net.ipv4.tcp_syncookies = 1
+net.ipv4.tcp_timestamps = 1
+
+
+net.ipv6.conf.all.accept_redirects = 0
+net.ipv6.conf.all.accept_source_route = 0
+
+net.ipv6.conf.default.accept_redirects = 0
+net.ipv6.conf.default.accept_source_route = 0
+
+vm.swappiness = 15
From 164bc16e95aaa062ecb258dfd5b6f1f37cc8760b Mon Sep 17 00:00:00 2001
From: Lorenzo Tucci
Date: Mon, 23 Aug 2021 14:50:54 +0200
Subject: [PATCH 3/8] feat: add modprobe.d
---
modprobe/etc/modprobe.d/disable-ipv6.conf | 1 +
modprobe/etc/modprobe.d/disable-rare-protocols.conf | 4 ++++
2 files changed, 5 insertions(+)
create mode 100644 modprobe/etc/modprobe.d/disable-ipv6.conf
create mode 100644 modprobe/etc/modprobe.d/disable-rare-protocols.conf
diff --git a/modprobe/etc/modprobe.d/disable-ipv6.conf b/modprobe/etc/modprobe.d/disable-ipv6.conf
new file mode 100644
index 0000000..84b10fc
--- /dev/null
+++ b/modprobe/etc/modprobe.d/disable-ipv6.conf
@@ -0,0 +1 @@
+install ipv6 /bin/true
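Review bot: `net.ipv4.conf.all.rp_filter = 0` disables reverse-path filtering, which contradicts the "Hardened" header and the `log_martians = 1` lines that depend on it; patch 7 of this series flips it to 1, so squashing that fix into this commit would avoid a revision where the hardened file ships with RPF off. On multi-homed or cloud hosts with asymmetric routing, loose mode (`net.ipv4.conf.all.rp_filter = 2`) is usually the safer value than strict mode. `net.ipv4.conf.default.rp_filter` and `net.ipv4.conf.default.send_redirects` are also absent at this point, so interfaces created after boot keep the kernel defaults. A one-line comment per section (fs, kernel, net, vm) stating the intent would help later reviewers, and `vm.swappiness` is a tuning knob rather than a hardening one and could say so.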
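Review bot: `install ipv6 /bin/true` most likely has no effect on the Ubuntu and Rocky kernels this repository targets, because IPv6 is compiled into those kernels rather than built as a loadable module (confirm by checking for `net/ipv6/ipv6.ko` under `/lib/modules/$(uname -r)`); the controls that actually work are the `ipv6.disable=1` kernel parameter and the `disable_ipv6` sysctls that later patches in this series add. `/bin/true` also makes `modprobe ipv6` report success without loading anything, which hides the override from an operator; patch 7 moves the other modprobe.d files to `/bin/false` but leaves this one. A header such as `# no-op when IPv6 is built in; the real switches are grub and sysctl.conf` would stop readers from treating this file as the effective control.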
diff --git a/modprobe/etc/modprobe.d/disable-rare-protocols.conf b/modprobe/etc/modprobe.d/disable-rare-protocols.conf new file mode 100644 index 0000000..92966bd --- /dev/null +++ b/modprobe/etc/modprobe.d/disable-rare-protocols.conf @@ -0,0 +1,4 @@ +install dccp /bin/true +install sctp /bin/true +install rds /bin/true +install tipc /bin/true From a3d00bd2383bc00ca4d83d0efd0dd77a89ea7813 Mon Sep 17 00:00:00 2001 From: Lorenzo Tucci Date: Mon, 23 Aug 2021 15:28:11 +0200 Subject: [PATCH 4/8] fix: change sshd_config --- ssh/etc/ssh/sshd_config | 6 ++++++ {systcl => sysctl}/etc/sysctl.conf | 0 2 files changed, 6 insertions(+) rename {systcl => sysctl}/etc/sysctl.conf (100%) diff --git a/ssh/etc/ssh/sshd_config b/ssh/etc/ssh/sshd_config index c13c440..842db0f 100644 --- a/ssh/etc/ssh/sshd_config +++ b/ssh/etc/ssh/sshd_config @@ -10,12 +10,18 @@ PermitRootLogin WITHOUT-PASSWORD PubkeyAuthentication yes AuthorizedKeysFile .ssh/authorized_keys IgnoreRhosts yes +MaxSessions 4 +MaxAuthTries 4 +ClientAliveCountMax 2 +LogLevel VERBOSE PasswordAuthentication no ChallengeResponseAuthentication no GSSAPIAuthentication no UsePAM yes +PrintMotd no X11Forwarding no AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE AcceptEnv XMODIFIERS +Subsystem sftp /usr/lib/openssh/sftp-server diff --git a/systcl/etc/sysctl.conf b/sysctl/etc/sysctl.conf similarity index 100% rename from systcl/etc/sysctl.conf rename to sysctl/etc/sysctl.conf From 3ed5844553e766af3a8e6df70ff882c79342a153 Mon Sep 17 00:00:00 2001 From: Lorenzo Tucci Date: Mon, 23 Aug 2021 20:05:42 +0200 Subject: [PATCH 5/8] feat: add rc.local, update lynis --- lynis/etc/lynis/custom.prf | 15 +++++++++++++-- rc.local/etc/rc.local | 9 +++++++++ sysctl/etc/sysctl.conf | 4 ++++ 3 files changed, 26 insertions(+), 2 deletions(-) create mode 100644 rc.local/etc/rc.local 
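Review bot: `ClientAliveCountMax 2` does nothing on its own because `ClientAliveInterval` is left at its default of 0, which disables the keep-alive probes entirely; pair it with e.g. `ClientAliveInterval 300` so that dead or idle sessions are actually torn down. `Subsystem sftp /usr/lib/openssh/sftp-server` is the Debian/Ubuntu path; on Rocky Linux, which patch 7 also targets, the binary lives under `/usr/libexec/openssh/`, and `Subsystem sftp internal-sftp` works on both without a path. `LogLevel VERBOSE` is a good addition since it records the fingerprint of the key used for each login, which incident response relies on. The hunk covers only part of sshd_config.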
diff --git a/lynis/etc/lynis/custom.prf b/lynis/etc/lynis/custom.prf index 38d246e..c367c83 100644 --- a/lynis/etc/lynis/custom.prf +++ b/lynis/etc/lynis/custom.prf @@ -5,9 +5,20 @@ skip-test=USB-1000 skip-test=STRG-1846 skip-test=PRNT-2308 skip-test=FILE-6310 +skip-test=BOOT-5122 +skip-test=BOOT-5260 +skip-test=BOOT-5260 + +# Disable /etc/issue checking +skip-test=BANN-7126 +skip-test=BANN-7130 + +# Disable some SSH feature checks that we intend to keep skip-test=SSH-7408:tcpkeepalive skip-test=SSH-7408:allowtcpforwarding skip-test=SSH-7408:compression skip-test=SSH-7408:port -skip-test=BANN-7126 -skip-test=BANN-7130 + +# Old packages +skip-test=CUST-0810 +skip-test=CUST-0285 diff --git a/rc.local/etc/rc.local b/rc.local/etc/rc.local new file mode 100644 index 0000000..6f8eb97 --- /dev/null +++ b/rc.local/etc/rc.local @@ -0,0 +1,9 @@ +#!/bin/bash +# /etc/rc.local + +# file needed to correctly load kernel parameters at boot time +# on Ubuntu (ex. to disable ipv6) without modifying grub +/etc/sysctl.d +/etc/init.d/procps restart + +exit 0 diff --git a/sysctl/etc/sysctl.conf b/sysctl/etc/sysctl.conf index 0729e28..bd29550 100644 --- a/sysctl/etc/sysctl.conf +++ b/sysctl/etc/sysctl.conf @@ -35,6 +35,10 @@ net.ipv4.icmp_ignore_bogus_error_responses = 1 net.ipv4.tcp_syncookies = 1 net.ipv4.tcp_timestamps = 1 +# Uncomment do disable ipv6 +#net.ipv6.conf.all.disable_ipv6=1 +#net.ipv6.conf.default.disable_ipv6=1 +#net.ipv6.conf.lo.disable_ipv6=1 net.ipv6.conf.all.accept_redirects = 0 net.ipv6.conf.all.accept_source_route = 0 From 31ff66c2d2577c9e42a49b8d55817cce669822f1 Mon Sep 17 00:00:00 2001 From: Lorenzo Tucci Date: Mon, 23 Aug 2021 21:44:13 +0200 Subject: [PATCH 6/8] feat: add security/limits.conf, update lynis, close #2 --- lynis/etc/lynis/custom.prf | 4 +- security/etc/security/limits.conf | 62 +++++++++++++++++++++++++++++++ 2 files changed, 65 insertions(+), 1 deletion(-) create mode 100644 security/etc/security/limits.conf 
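Review bot: The bare line `/etc/sysctl.d` in rc.local tries to execute a directory and fails with "Is a directory" on every boot; because the script has no `set -e` it falls through to `/etc/init.d/procps restart`, which is what re-applies the sysctl files on Ubuntu, so the intended effect is reached only by accident and not at all on Rocky. Replace both lines with `sysctl --system`, which reads /etc/sysctl.conf and /etc/sysctl.d/*.conf on either distribution. The header comment should also state that the file must be executable and that `rc-local.service` has to be enabled on systemd hosts, and that rc.local runs late in boot, so network sysctls applied here are not yet in force while earlier units start.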
diff --git a/lynis/etc/lynis/custom.prf b/lynis/etc/lynis/custom.prf index c367c83..7dfa2ce 100644 --- a/lynis/etc/lynis/custom.prf +++ b/lynis/etc/lynis/custom.prf @@ -3,11 +3,13 @@ skip-test=AUTH-9286 skip-test=PRNT-2307 skip-test=USB-1000 skip-test=STRG-1846 +skip-test=STRG-1840 skip-test=PRNT-2308 skip-test=FILE-6310 skip-test=BOOT-5122 skip-test=BOOT-5260 -skip-test=BOOT-5260 +skip-test=KRNL-5788 +skip-test=AUTH-9308 # Disable /etc/issue checking skip-test=BANN-7126 diff --git a/security/etc/security/limits.conf b/security/etc/security/limits.conf new file mode 100644 index 0000000..06db731 --- /dev/null +++ b/security/etc/security/limits.conf 
@@ -0,0 +1,62 @@ +# /etc/security/limits.conf +# +#This file sets the resource limits for the users logged in via PAM. +#It does not affect resource limits of the system services. +# +#Also note that configuration files in /etc/security/limits.d directory, +#which are read in alphabetical order, override the settings in this +#file in case the domain is the same or more specific. +#That means for example that setting a limit for wildcard domain here +#can be overriden with a wildcard setting in a config file in the +#subdirectory, but a user specific setting here can be overriden only +#with a user specific setting in the subdirectory. +# +#Each line describes a limit for a user in the form: +# +# +# +#Where: +# can be: +# - a user name +# - a group name, with @group syntax +# - the wildcard *, for default entry +# - the wildcard %, can be also used with %group syntax, +# for maxlogin limit +# +# can have the two values: +# - "soft" for enforcing the soft limits +# - "hard" for enforcing hard limits +# +# can be one of the following: +# - core - limits the core file size (KB) +# - data - max data size (KB) +# - fsize - maximum filesize (KB) +# - memlock - max locked-in-memory address space (KB) +# - nofile - max number of open file descriptors +# - rss - max resident set size (KB) +# - stack - max stack size (KB) +# - cpu - max CPU time (MIN) +# - nproc - max number of processes +# - as - address space limit (KB) +# - maxlogins - max number of logins for this user +# - maxsyslogins - max number of logins on the system +# - priority - the priority to run user process with +# - locks - max number of file locks the user can hold +# - sigpending - max number of pending signals +# - msgqueue - max memory used by POSIX message queues (bytes) +# - nice - max nice priority allowed to raise to values: [-20, 19] +# - rtprio - max realtime priority +# +# +# + +* soft core 0 +* hard core 0 +#* hard rss 10000 +#@student hard nproc 20 +#@faculty soft nproc 20 +#@faculty hard 
nproc 50 +#ftp hard nproc 0 +#@student - maxlogins 4 + +# End of file From dddf1a381c7034db91b412499f796cf97cfe1ce7 Mon Sep 17 00:00:00 2001 From: Lorenzo Tucci Date: Thu, 26 Aug 2021 22:32:11 +0200 Subject: [PATCH 7/8] feat: add pam.d restricting su binary, add more modules to be disabled, add grub commandline options for security --- grub/grub | 5 ++ .../disable-network-filesystems.conf | 6 ++ .../modprobe.d/disable-rare-filesystems.conf | 7 +++ .../modprobe.d/disable-rare-protocols.conf | 23 ++++++-- modprobe/etc/modprobe.d/disable-vivid.conf | 1 + pam/etc/pam.d/rocky-linux/su | 13 ++++ pam/etc/pam.d/rocky-linux/su-l | 7 +++ pam/etc/pam.d/ubuntu/su | 59 +++++++++++++++++++ pam/etc/pam.d/ubuntu/su-l | 7 +++ sysctl/etc/sysctl.conf | 19 +++++- 10 files changed, 142 insertions(+), 5 deletions(-) create mode 100644 grub/grub create mode 100644 modprobe/etc/modprobe.d/disable-network-filesystems.conf create mode 100644 modprobe/etc/modprobe.d/disable-rare-filesystems.conf create mode 100644 modprobe/etc/modprobe.d/disable-vivid.conf create mode 100644 pam/etc/pam.d/rocky-linux/su create mode 100644 pam/etc/pam.d/rocky-linux/su-l create mode 100644 pam/etc/pam.d/ubuntu/su create mode 100644 pam/etc/pam.d/ubuntu/su-l diff --git a/grub/grub b/grub/grub new file mode 100644 index 0000000..fc4b202 --- /dev/null +++ b/grub/grub @@ -0,0 +1,5 @@ +# These rules are not meant to be copied and pasted as there will +# likely be other options enabled on your machine. +# Instead add them to the already existing ones in your /etc/default/grub +# remove ipv6 disable at the end if needed +GRUB_CMDLINE_LINUX="slab_nomerge slub_debug=FZ init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on vsyscall=none debugfs=off oops=panic module.sig_enforce=1 lockdown=confidentiality mce=0 quiet loglevel=0 ipv6.disable=1" diff --git a/modprobe/etc/modprobe.d/disable-network-filesystems.conf b/modprobe/etc/modprobe.d/disable-network-filesystems.conf new file mode 100644 index 0000000..c9032a8 
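Review bot: `* soft core 0` and `* hard core 0` do not apply to root: pam_limits(8) states that group and default (`*`) entries are never applied to the root user, so a `root hard core 0` line is needed for the same effect there. The file's own header says it does not cover system services; on systemd hosts those are governed by `DefaultLimitCORE=` in /etc/systemd/system.conf and by systemd-coredump's storage setting, and the `fs.suid_dumpable = 0` sysctl in this series only covers processes that changed privilege, so service core dumps remain possible unless one of those is set. A comment above the two `*` lines pointing at those other controls would keep the policy discoverable.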
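Review bot: `quiet loglevel=0` suppresses every console message, including the oops text that `oops=panic` then acts on, so an incident responder gets a rebooted host with no trace of the cause; `loglevel=3` keeps the hardening intent while leaving the panic reason visible, and the kernel log should be forwarded off-host since the in-memory buffer does not survive the panic. `debugfs=off` needs kernel 5.10 or later and `lockdown=confidentiality` needs a kernel built with the lockdown LSM; on older kernels both are silently ignored, so the comment should name the minimum kernel version rather than implying the line is portable. `slub_debug=FZ` turns on allocator sanity checks and redzoning that carry a measurable performance cost, which is worth stating so operators can decide per host. The same line reappears unchanged in patch 8, whose comment changes do not cover these points.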
--- /dev/null
+++ b/modprobe/etc/modprobe.d/disable-network-filesystems.conf
@@ -0,0 +1,6 @@
+# Disable only if not used
+install cifs /bin/true
+install nfs /bin/true
+install nfsv3 /bin/true
+install nfsv4 /bin/true
+install gfs2 /bin/true
diff --git a/modprobe/etc/modprobe.d/disable-rare-filesystems.conf b/modprobe/etc/modprobe.d/disable-rare-filesystems.conf
new file mode 100644
index 0000000..10016ee
--- /dev/null
+++ b/modprobe/etc/modprobe.d/disable-rare-filesystems.conf
@@ -0,0 +1,7 @@
+install cramfs /bin/false
+install freevxfs /bin/false
+install jffs2 /bin/false
+install hfs /bin/false
+install hfsplus /bin/false
+install squashfs /bin/false
+install udf /bin/false
diff --git a/modprobe/etc/modprobe.d/disable-rare-protocols.conf b/modprobe/etc/modprobe.d/disable-rare-protocols.conf
index 92966bd..5610011 100644
--- a/modprobe/etc/modprobe.d/disable-rare-protocols.conf
+++ b/modprobe/etc/modprobe.d/disable-rare-protocols.conf
@@ -1,4 +1,19 @@
-install dccp /bin/true
-install sctp /bin/true
-install rds /bin/true
-install tipc /bin/true
+install dccp /bin/false
+install sctp /bin/false
+install rds /bin/false
+install tipc /bin/false
+install n-hdlc /bin/false
+install ax25 /bin/false
+install netrom /bin/false
+install x25 /bin/false
+install rose /bin/false
+install decnet /bin/false
+install econet /bin/false
+install af_802154 /bin/false
+install ipx /bin/false
+install appletalk /bin/false
+install psnap /bin/false
+install p8023 /bin/false
+install p8022 /bin/false
+install can /bin/false
+install atm /bin/false
diff --git a/modprobe/etc/modprobe.d/disable-vivid.conf b/modprobe/etc/modprobe.d/disable-vivid.conf
new file mode 100644
index 0000000..79dd0ff
--- /dev/null
+++ b/modprobe/etc/modprobe.d/disable-vivid.conf
@@ -0,0 +1 @@
+install vivid /bin/false
diff --git a/pam/etc/pam.d/rocky-linux/su b/pam/etc/pam.d/rocky-linux/su
new file mode 100644
index 0000000..c870601
--- /dev/null
+++ b/pam/etc/pam.d/rocky-linux/su
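Review bot: disable-network-filesystems.conf uses `/bin/true` while the two other modprobe.d files introduced in this same commit use `/bin/false`; with `/bin/true`, a `modprobe nfs` or a mount that triggers auto-loading returns success without the module present, so a misconfigured host fails later with an unrelated error instead of at the modprobe call. Use `/bin/false` consistently and pair each `install` line with a matching `blacklist <module>` line so alias-based auto-loading is blocked as well. An `install` override does not touch a module that is already loaded or built into the kernel, so these files only take effect after `modprobe -r` or a reboot, which the header comment should say. In disable-rare-filesystems.conf, `install squashfs /bin/false` will break snap packages on Ubuntu, so that line deserves the same "only if not used" caveat the network-filesystems file carries.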
@@ -0,0 +1,13 @@
+#%PAM-1.0
+auth required pam_env.so
+auth sufficient pam_rootok.so
+# Uncomment the following line to require a user to be in the "wheel" group.
+auth required pam_wheel.so use_uid
+auth substack system-auth
+auth include postlogin
+account sufficient pam_succeed_if.so uid = 0 use_uid quiet
+account include system-auth
+password include system-auth
+session include system-auth
+session include postlogin
+session optional pam_xauth.so
diff --git a/pam/etc/pam.d/rocky-linux/su-l b/pam/etc/pam.d/rocky-linux/su-l
new file mode 100644
index 0000000..b44e266
--- /dev/null
+++ b/pam/etc/pam.d/rocky-linux/su-l
@@ -0,0 +1,7 @@
+#%PAM-1.0
+auth include su
+account include su
+password include su
+session optional pam_keyinit.so force revoke
+session include su
+auth required pam_wheel.so use_uid
diff --git a/pam/etc/pam.d/ubuntu/su b/pam/etc/pam.d/ubuntu/su
new file mode 100644
index 0000000..e7edba4
--- /dev/null
+++ b/pam/etc/pam.d/ubuntu/su
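Review bot: The comment `# Uncomment the following line to require a user to be in the "wheel" group.` is stale now that the `auth required pam_wheel.so use_uid` line below it is active; reword it to state the policy, e.g. `# su is restricted to members of "wheel"; use_uid checks the invoking uid, not the tty login.` Because the line sits after `auth sufficient pam_rootok.so`, root itself remains exempt, which the Ubuntu variant's comment explains and this file should too. Before deploying, confirm that the administrator account is in `wheel`, since otherwise the only path to root is a direct root login, which the sshd_config in this series limits to key-based logins.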
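Review bot: The trailing `auth required pam_wheel.so use_uid` in rocky-linux/su-l is redundant: `auth include su` already pulls in the same required pam_wheel line from the `su` file in this commit, so the check runs twice for non-root callers and, because `include` flattens the stack, not at all for root once `pam_rootok.so` succeeds. Placing an `auth` line after the `session` lines also breaks the usual type grouping and is easy to overlook on review. Keep the restriction in `su` only, or add a comment on this line saying the duplication is deliberate. The same applies to ubuntu/su-l in this commit.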
@@ -0,0 +1,59 @@
+#
+# The PAM configuration file for the Shadow `su' service
+#
+
+# This allows root to su without passwords (normal operation)
+auth sufficient pam_rootok.so
+
+# Uncomment this to force users to be a member of group root
+# before they can use `su'. You can also add "group=foo"
+# to the end of this line if you want to use a group other
+# than the default "root" (but this may have side effect of
+# denying "root" user, unless she's a member of "foo" or explicitly
+# permitted earlier by e.g. "sufficient pam_rootok.so").
+# (Replaces the `SU_WHEEL_ONLY' option from login.defs)
+ auth required pam_wheel.so
+
+# Uncomment this if you want wheel members to be able to
+# su without a password.
+# auth sufficient pam_wheel.so trust
+
+# Uncomment this if you want members of a specific group to not
+# be allowed to use su at all.
+# auth required pam_wheel.so deny group=nosu
+
+# Uncomment and edit /etc/security/time.conf if you need to set
+# time restrainst on su usage.
+# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
+# as well as /etc/porttime)
+# account requisite pam_time.so
+
+# This module parses environment configuration file(s)
+# and also allows you to use an extended config
+# file /etc/security/pam_env.conf.
+#
+# parsing /etc/environment needs "readenv=1"
+session required pam_env.so readenv=1
+# locale variables are also kept into /etc/default/locale in etch
+# reading this file *in addition to /etc/environment* does not hurt
+session required pam_env.so readenv=1 envfile=/etc/default/locale
+
+# Defines the MAIL environment variable
+# However, userdel also needs MAIL_DIR and MAIL_FILE variables
+# in /etc/login.defs to make sure that removing a user
+# also removes the user's mail spool file.
+# See comments in /etc/login.defs
+#
+# "nopen" stands to avoid reporting new mail when su'ing to another user
+session optional pam_mail.so nopen
+
+# Sets up user limits according to /etc/security/limits.conf
+# (Replaces the use of /etc/limits in old login)
+session required pam_limits.so
+
+# The standard Unix authentication modules, used with
+# NIS (man nsswitch) as well as normal /etc/passwd and
+# /etc/shadow entries.
+@include common-auth
+@include common-account
+@include common-session
diff --git a/pam/etc/pam.d/ubuntu/su-l b/pam/etc/pam.d/ubuntu/su-l
new file mode 100644
index 0000000..eb23e9e
--- /dev/null
+++ b/pam/etc/pam.d/ubuntu/su-l
@@ -0,0 +1,7 @@
+#%PAM-1.0
+auth include su
+account include su
+password include su
+session optional pam_keyinit.so force revoke
+session include su
+auth required pam_wheel.so
diff --git a/sysctl/etc/sysctl.conf b/sysctl/etc/sysctl.conf
index bd29550..2350204 100644
--- a/sysctl/etc/sysctl.conf
+++ b/sysctl/etc/sysctl.conf
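Review bot: The active line in ubuntu/su appears as ` auth required pam_wheel.so` with leading whitespace left over from deleting the `#`, and the comment block above it still opens with "Uncomment this to force users…", so a reader cannot see at a glance that the restriction is in force; trim the indent and reword the comment to describe the policy. On Ubuntu there is no `wheel` group, so pam_wheel falls back to the GID 0 group `root`, which means only users explicitly added to group root may su and the `sudo` administrators are locked out unless the line becomes `auth required pam_wheel.so use_uid group=sudo`; whichever is intended should be stated in the comment. The rocky-linux variant passes `use_uid` and this one does not; without it pam_wheel identifies the caller from the terminal's login session rather than the real uid, which is unreliable in sessions without a controlling tty, so the two files should agree.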
@@ -23,18 +23,35 @@ net.ipv4.conf.all.forwarding = 0 net.ipv4.conf.all.log_martians = 1 net.ipv4.conf.all.mc_forwarding = 0 net.ipv4.conf.all.proxy_arp = 0 -net.ipv4.conf.all.rp_filter = 0 +net.ipv4.conf.all.rp_filter = 1 net.ipv4.conf.all.send_redirects = 0 +net.ipv4.conf.all.secure_redirects=0 +net.ipv4.tcp_rfc1337=1 +net.ipv4.tcp_sack=0 +net.ipv4.tcp_dsack=0 +net.ipv4.tcp_fack=0 net.ipv4.conf.default.accept_redirects = 0 net.ipv4.conf.default.accept_source_route = 0 net.ipv4.conf.default.log_martians = 1 +net.ipv4.conf.default.rp_filter=1 +net.ipv4.conf.default.send_redirects=0 +net.ipv4.conf.default.secure_redirects=0 net.ipv4.icmp_echo_ignore_broadcasts = 1 net.ipv4.icmp_ignore_bogus_error_responses = 1 net.ipv4.tcp_syncookies = 1 net.ipv4.tcp_timestamps = 1 +dev.tty.ldisc_autoload=0 +vm.unprivileged_userfaultfd=0 +kernel.kexec_load_disabled=1 +kernel.perf_event_paranoid=2 +kernel.yama.ptrace_scope=2 + +vm.mmap_rnd_bits=32 +vm.mmap_rnd_compat_bits=16 + # Uncomment do disable ipv6 #net.ipv6.conf.all.disable_ipv6=1 #net.ipv6.conf.default.disable_ipv6=1 From a70c5cdc4f32e174c4694acdd51400eff699c971 Mon Sep 17 00:00:00 2001 From: Lorenzo Tucci Date: Sun, 5 Sep 2021 09:39:23 +0200 Subject: [PATCH 8/8] fix: give warning for some grub options --- grub/grub | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/grub/grub b/grub/grub index fc4b202..31c7f16 100644 --- a/grub/grub +++ b/grub/grub 
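Review bot: The new lines use `key=value` while the rest of the file uses `key = value`; sysctl accepts both, but the mixed style makes the file harder to diff and grep, so follow the existing spacing. `net.ipv4.tcp_sack=0`, `net.ipv4.tcp_dsack=0` and `net.ipv4.tcp_fack=0` disable selective acknowledgement, which was only ever a temporary workaround for a 2019 kernel bug that has long been patched; on a server with any packet loss they cost real throughput for no current security benefit, so either drop them or record the reason next to them. `vm.mmap_rnd_bits=32` is the x86_64 maximum and is rejected with EINVAL (reported by `sysctl --system`) on architectures with a lower ceiling, so a comment should mark it as arch-specific. `kernel.yama.ptrace_scope=2` and `kernel.kexec_load_disabled=1` are sound hardening choices but the first breaks non-root debuggers and the second cannot be undone without a reboot, which belongs in a comment. The hunk covers only part of sysctl.conf.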
@@ -1,5 +1,9 @@ # These rules are not meant to be copied and pasted as there will # likely be other options enabled on your machine. # Instead add them to the already existing ones in your /etc/default/grub -# remove ipv6 disable at the end if needed +# +# NOTE: remove ipv6 disable at the end if needed +# NOTE: remove module.sig_enforce=1 and lockdown=confidentiality on some systems to enable loading +# of wireguard module + GRUB_CMDLINE_LINUX="slab_nomerge slub_debug=FZ init_on_alloc=1 init_on_free=1 page_alloc.shuffle=1 pti=on vsyscall=none debugfs=off oops=panic module.sig_enforce=1 lockdown=confidentiality mce=0 quiet loglevel=0 ipv6.disable=1"