Merge pull request #76 from flawedworld/patch-2

Add IPv6 sysctl options and enforce kernel.perf_event_paranoid=3
This commit is contained in:
Patrick Schleizer 2020-09-28 14:23:42 +00:00 committed by GitHub
commit ae90107e6d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -82,6 +82,8 @@ net.ipv6.conf.default.accept_redirects=0
## Disables ICMP redirect sending.
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0
## Ignores ICMP requests.
net.ipv4.icmp_echo_ignore_all=1
@ -92,6 +94,8 @@ net.ipv4.tcp_syncookies=1
## Disable source routing.
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0
## Enable reverse path filtering to prevent IP spoofing and
## mitigate vulnerabilities such as CVE-2019-14899.
@ -145,3 +149,12 @@ vm.unprivileged_userfaultfd=0
## - https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Performance_Tuning_Guide/s-memory-tunables.html
## - https://en.wikipedia.org/wiki/Swappiness
vm.swappiness=1
## Disallow kernel profiling by users without CAP_SYS_ADMIN
## https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
kernel.perf_event_paranoid=3
# Do not accept router advertisments
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.accept_ra=0