Merge remote-tracking branch 'github/master'

etc/modprobe.d/30_security-misc.conf

@@ -44,6 +44,14 @@ install appletalk /bin/false
 install psnap /bin/false
 install p8023 /bin/false
 install p8022 /bin/false
+install can /bin/false
+install atm /bin/false
+
+# Disable uncommon filesystems to reduce attack surface
+install cramfs /bin/false
+install vfat /bin/false
+install squashfs /bin/false
+install udf /bin/false
 
 ## Blacklists the vivid kernel module as it's only required for
 ## testing and has been the cause of multiple vulnerabilities.

etc/sysctl.d/30_security-misc.conf

@@ -82,6 +82,8 @@ net.ipv6.conf.default.accept_redirects=0
 ## Disables ICMP redirect sending.
 net.ipv4.conf.all.send_redirects=0
 net.ipv4.conf.default.send_redirects=0
+net.ipv6.conf.all.accept_redirects=0
+net.ipv6.conf.default.accept_redirects=0
 
 ## Ignores ICMP requests.
 net.ipv4.icmp_echo_ignore_all=1
@@ -92,6 +94,8 @@ net.ipv4.tcp_syncookies=1
 ## Disable source routing.
 net.ipv4.conf.all.accept_source_route=0
 net.ipv4.conf.default.accept_source_route=0
+net.ipv6.conf.all.accept_source_route=0
+net.ipv6.conf.default.accept_source_route=0
 
 ## Enable reverse path filtering to prevent IP spoofing and
 ## mitigate vulnerabilities such as CVE-2019-14899.
@@ -145,3 +149,12 @@ vm.unprivileged_userfaultfd=0
 ## - https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Performance_Tuning_Guide/s-memory-tunables.html
 ## - https://en.wikipedia.org/wiki/Swappiness
 vm.swappiness=1
+
+## Disallow kernel profiling by users without CAP_SYS_ADMIN
+## https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
+kernel.perf_event_paranoid=3
+
+# Do not accept router advertisments
+net.ipv6.conf.all.accept_ra=0
+net.ipv6.conf.default.accept_ra=0
+