kernel hardening + sync skel on start

system_files/usr/etc/sysctl.d/55-hardening.conf

@@ -0,0 +1,157 @@
+# Copyright 2025 The Secureblue Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software distributed under the License is
+# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and limitations under the License.
+
+# https://docs.kernel.org/networking/ip-sysctl.html
+net.ipv4.tcp_syncookies = 1
+
+# https://docs.kernel.org/networking/ip-sysctl.html
+# https://datatracker.ietf.org/doc/html/rfc1337
+net.ipv4.tcp_rfc1337 = 1
+
+# https://docs.kernel.org/networking/ip-sysctl.html
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+
+# https://docs.kernel.org/networking/ip-sysctl.html
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+
+# https://docs.kernel.org/networking/ip-sysctl.html
+net.ipv4.icmp_echo_ignore_all = 1
+net.ipv6.icmp.echo_ignore_all = 1
+
+# https://docs.kernel.org/networking/ip-sysctl.html
+net.ipv4.tcp_timestamps = 0
+
+# Enable IP spoofing protection, turn on source route verification
+# https://docs.kernel.org/networking/ip-sysctl.html
+net.ipv4.conf.all.rp_filter = 1
+net.ipv4.conf.default.rp_filter = 1
+
+# Disable ICMP Redirect Acceptance
+# https://docs.kernel.org/networking/ip-sysctl.html
+net.ipv4.conf.*.send_redirects = 0
+net.ipv4.conf.*.accept_redirects = 0
+net.ipv6.conf.*.accept_redirects = 0
+
+# https://docs.kernel.org/networking/ip-sysctl.html
+net.ipv4.conf.*.shared_media = 0
+
+# https://docs.kernel.org/networking/ip-sysctl.html
+net.ipv4.conf.*.arp_filter = 1
+
+# https://docs.kernel.org/networking/ip-sysctl.html
+net.ipv4.conf.*.arp_ignore = 2
+
+# https://docs.kernel.org/networking/ip-sysctl.html
+net.ipv4.conf.all.drop_gratuitous_arp = 1
+
+# https://docs.kernel.org/networking/ip-sysctl.html
+net.ipv4.conf.*.accept_source_route = 0
+net.ipv6.conf.*.accept_source_route = 0
+net.ipv4.tcp_sack=0
+net.ipv4.tcp_dsack=0
+
+# Enable ipv6 privacy extension
+# https://docs.kernel.org/networking/ip-sysctl.html
+net.ipv6.conf.all.use_tempaddr = 2
+net.ipv6.conf.default.use_tempaddr = 2
+
+# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
+# https://docs.kernel.org/networking/ip-sysctl.html
+net.ipv4.conf.all.log_martians = 1
+net.ipv4.conf.default.log_martians = 1
+
+# https://docs.kernel.org/admin-guide/sysctl/net.html#bpf-jit-harden
+net.core.bpf_jit_harden = 2
+
+# https://docs.kernel.org/admin-guide/sysctl/kernel.html#unprivileged-bpf-disabled
+kernel.unprivileged_bpf_disabled = 1
+
+# https://docs.kernel.org/admin-guide/sysrq.html
+kernel.sysrq = 0
+
+# https://docs.kernel.org/admin-guide/sysctl/kernel.html#perf-event-paranoid
+kernel.perf_event_paranoid = 3
+
+# https://docs.kernel.org/admin-guide/sysctl/kernel.html#kptr-restrict
+kernel.kptr_restrict = 2
+
+# https://docs.kernel.org/admin-guide/sysctl/kernel.html#dmesg-restrict
+kernel.dmesg_restrict = 1
+
+# https://docs.kernel.org/admin-guide/sysctl/kernel.html#oops-limit
+kernel.oops_limit=100
+
+# https://docs.kernel.org/admin-guide/sysctl/kernel.html#warn-limit
+kernel.warn_limit=100
+
+# https://docs.kernel.org/admin-guide/sysctl/kernel.html#panic
+kernel.panic=-1
+
+# https://docs.kernel.org/admin-guide/binfmt-misc.html
+fs.binfmt_misc.status = 0
+
+# https://docs.kernel.org/admin-guide/sysctl/fs.html#suid-dumpable
+fs.suid_dumpable = 0
+
+# https://docs.kernel.org/admin-guide/sysctl/fs.html#protected-regular
+fs.protected_regular = 2
+
+# https://docs.kernel.org/admin-guide/sysctl/fs.html#protected-fifos
+fs.protected_fifos = 2
+
+# https://docs.kernel.org/admin-guide/sysctl/fs.html#protected-hardlinks
+# Default in Fedora, including for runtime audit
+fs.protected_hardlinks = 1
+
+# https://docs.kernel.org/admin-guide/sysctl/fs.html#protected-symlinks
+# Default in Fedora, including for runtime audit
+fs.protected_symlinks = 1
+
+# https://lkml.org/lkml/2019/4/15/890
+dev.tty.ldisc_autoload = 0
+
+# Restrict userfaultfd to CAP_SYS_PTRACE
+# https://docs.kernel.org/admin-guide/sysctl/vm.html#unprivileged-userfaultfd
+vm.unprivileged_userfaultfd = 0
+
+# Prevent kernel info leaks in console during boot.
+# https://docs.kernel.org/admin-guide/sysctl/kernel.html#printk
+kernel.printk = 3 3 3 3
+
+# Disables kexec which can be used to replace the running kernel.
+# https://docs.kernel.org/admin-guide/sysctl/kernel.html#kexec-load-disabled
+kernel.kexec_load_disabled = 1
+
+# Disable core dump
+# https://docs.kernel.org/admin-guide/sysctl/kernel.html#core-pattern
+kernel.core_pattern = |/bin/false
+
+# Disable io_uring
+# https://lore.kernel.org/lkml/20230629132711.1712536-1-matteorizzo@google.com/T/
+# https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html
+# https://docs.kernel.org/admin-guide/sysctl/kernel.html#io-uring-disabled
+kernel.io_uring_disabled = 2
+
+# Improve ALSR effectiveness for mmap.
+# https://docs.kernel.org/admin-guide/sysctl/vm.html#mmap-rnd-bits
+vm.mmap_rnd_bits = 32
+vm.mmap_rnd_compat_bits = 16
+
+# https://docs.kernel.org/admin-guide/sysctl/kernel.html#randomize-va-space
+# Default in Fedora, including for runtime audit
+kernel.randomize_va_space = 2
+
+# https://docs.kernel.org/admin-guide/sysctl/vm.html#mmap-min-addr
+# https://docs.kernel.org/admin-guide/sysctl/vm.html#max-map-count
+# Default in Fedora, including for runtime audit
+vm.mmap_min_addr = 65536
+vm.max_map_count = 1048576

system_files/usr/etc/sysctl.d/98-network.conf

@@ -0,0 +1,45 @@
+net.ipv4.neigh.default.gc_thresh3 = 2048
+net.ipv4.neigh.default.gc_thresh2 = 1024
+net.ipv4.neigh.default.gc_thresh1 = 32
+net.ipv4.neigh.default.gc_interval = 30
+net.ipv4.neigh.default.proxy_qlen = 96
+net.ipv4.neigh.default.unres_qlen = 6
+
+net.ipv4.tcp_rmem = "8192 87380 16777216"
+net.ipv4.tcp_wmem = "8192 65536 16777216"
+
+net.ipv4.tcp_max_orphans = 16384
+net.ipv4.tcp_orphan_retries = 0
+
+net.ipv4.tcp_no_metrics_save = 1
+net.ipv4.tcp_moderate_rcvbuf = 1
+net.ipv4.tcp_window_scaling = 1
+
+net.ipv4.tcp_fastopen = 3
+net.ipv4.tcp_slow_start_after_idle = 0
+
+net.ipv4.tcp_syncookies = 1
+
+net.ipv4.tcp_tw_reuse=1
+net.ipv4.tcp_rfc1337=1
+net.ipv4.tcp_max_tw_buckets=1440000
+net.ipv4.conf.default.rp_filter=1
+net.ipv4.conf.all.rp_filter=1
+net.ipv4.tcp_ecn=1
+
+net.ipv4.conf.all.accept_redirects=0
+net.ipv4.conf.default.accept_redirects=0
+net.ipv4.conf.all.secure_redirects=0
+net.ipv4.conf.default.secure_redirects=0
+net.ipv4.conf.all.send_redirects=0
+net.ipv4.conf.default.send_redirects=0
+net.ipv4.icmp_echo_ignore_all=1
+net.ipv4.route.flush=1
+
+net.ipv6.conf.all.accept_redirects=0
+net.ipv6.conf.all.disable_ipv6=1
+net.ipv6.conf.default.accept_redirects=0
+net.ipv6.conf.default.disable_ipv6=1
+net.ipv6.route.flush=1
+
+net.unix.max_dgram_qlen=50

system_files/usr/etc/systemd/user/eve-skel-sync.service

@@ -0,0 +1,30 @@
+[Unit]
+Description=Eve Skeleton Directory Sync Service
+Documentation=man:rsync(1)
+After=graphical-session.target
+Wants=graphical-session.target
+PartOf=graphical-session.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+
+# Execute the skeleton sync script
+ExecStart=/usr/bin/eve-skel-sync
+
+# Restart policy
+Restart=on-failure
+RestartSec=5
+TimeoutStartSec=30
+
+# Logging
+StandardOutput=journal
+StandardError=journal
+SyslogIdentifier=eve-skel-sync
+
+# Security settings
+PrivateTmp=true
+NoNewPrivileges=true
+
+[Install]
+WantedBy=default.target