# Copyright 2025 The Secureblue Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software distributed under the License is
# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and limitations under the License.

# Kernel hardening sysctls in sysctl.d(5) form: one "key = value" per line,
# '#' full-line comments only, no sections. Keys containing '*' are glob
# patterns and need a loader that expands them (systemd-sysctl(8) does);
# confirm the loader if this file is deployed outside its usual image.
# Some keys below are one-way until reboot or only exist on newer kernels;
# both cases are noted at the key. When a key is absent on the running
# kernel, loaders typically log the failure and apply the remaining keys,
# so an audit should compare the live values, not just this file.

# ---- TCP ---------------------------------------------------------------------

# Send SYN cookies once the SYN backlog overflows, so a SYN flood cannot
# exhaust the listen queue.
# https://docs.kernel.org/networking/ip-sysctl.html
net.ipv4.tcp_syncookies = 1

# Drop RST segments received in TIME-WAIT (RFC 1337 "TIME-WAIT assassination").
# https://docs.kernel.org/networking/ip-sysctl.html
# https://datatracker.ietf.org/doc/html/rfc1337
net.ipv4.tcp_rfc1337 = 1

# Disable TCP timestamps so the timestamp clock cannot be used to infer host
# uptime remotely. Trade-off: PAWS sequence-wrap protection and timestamp-based
# RTT measurement are lost.
# https://docs.kernel.org/networking/ip-sysctl.html
net.ipv4.tcp_timestamps = 0

# Disable selective ACK and duplicate-SACK processing, removing that option
# parsing from the exposed TCP surface. Cost: slower loss recovery on lossy
# paths.
# https://docs.kernel.org/networking/ip-sysctl.html
net.ipv4.tcp_sack = 0
net.ipv4.tcp_dsack = 0

# ---- ICMP --------------------------------------------------------------------

# Ignore echo requests sent to broadcast/multicast addresses (smurf
# amplification).
# https://docs.kernel.org/networking/ip-sysctl.html
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Do not log malformed ICMP error responses from misbehaving routers
# (avoids log flooding).
# https://docs.kernel.org/networking/ip-sysctl.html
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Ignore all ICMP echo requests: the host will not answer ping. Reachability
# monitoring that relies on ping must use another probe.
# https://docs.kernel.org/networking/ip-sysctl.html
net.ipv4.icmp_echo_ignore_all = 1
net.ipv6.icmp.echo_ignore_all = 1

# ---- Routing / redirects / source routing ------------------------------------

# Strict reverse-path filtering (RFC 3704): drop a packet when the route back
# to its source would not leave via the interface it arrived on. Both 'all'
# and 'default' are set because the kernel uses the max of conf/all and the
# per-interface value, and 'default' seeds interfaces created later.
# https://docs.kernel.org/networking/ip-sysctl.html
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Neither send nor accept ICMP redirects (a redirect can steer traffic through
# an attacker-chosen gateway). The '*' glob covers 'all', 'default' and every
# existing interface, which matters because send_redirects is enabled if
# either conf/all or the interface enables it.
# https://docs.kernel.org/networking/ip-sysctl.html
net.ipv4.conf.*.send_redirects = 0
net.ipv4.conf.*.accept_redirects = 0
net.ipv6.conf.*.accept_redirects = 0

# Disable RFC 1620 shared-media redirects. shared_media overrides
# secure_redirects, so clearing it lets the secure_redirects gateway check apply.
# https://docs.kernel.org/networking/ip-sysctl.html
net.ipv4.conf.*.shared_media = 0

# Do not accept source-routed packets (IPv4 SRR option, IPv6 routing header);
# the sender could otherwise dictate the forwarding path.
# https://docs.kernel.org/networking/ip-sysctl.html
net.ipv4.conf.*.accept_source_route = 0
net.ipv6.conf.*.accept_source_route = 0

# ---- ARP ---------------------------------------------------------------------

# Answer ARP only on the interface the kernel would use to reach the sender,
# instead of on any interface that owns the target address.
# https://docs.kernel.org/networking/ip-sysctl.html
net.ipv4.conf.*.arp_filter = 1

# 2: reply only if the target address is configured on the incoming interface
# and the sender is in the same subnet on that interface.
# https://docs.kernel.org/networking/ip-sysctl.html
net.ipv4.conf.*.arp_ignore = 2

# Drop gratuitous ARP frames (limits ARP-cache poisoning from unsolicited
# replies).
# NOTE(review): only conf/all is set here, unlike the other ARP keys which use
# the '*' glob; confirm that is intentional for interfaces created later.
# https://docs.kernel.org/networking/ip-sysctl.html
net.ipv4.conf.all.drop_gratuitous_arp = 1

# ---- IPv6 privacy ------------------------------------------------------------

# RFC 4941 privacy extensions: generate temporary addresses and prefer them
# for outgoing connections, so the MAC-derived address is not exposed.
# https://docs.kernel.org/networking/ip-sysctl.html
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2

# ---- Logging -----------------------------------------------------------------

# Log packets with impossible ("martian") source addresses, including those
# rejected by rp_filter, and source-routed / redirect packets. 'default' is
# set so later-created interfaces inherit the setting.
# https://docs.kernel.org/networking/ip-sysctl.html
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# ---- BPF / tracing / kernel info exposure ------------------------------------

# Constant blinding for JIT-compiled BPF programs for all users, including
# privileged ones (2). Costs some JIT performance.
# https://docs.kernel.org/admin-guide/sysctl/net.html#bpf-jit-harden
net.core.bpf_jit_harden = 2

# Disable bpf(2) for unprivileged users. 1 is one-way: it cannot be re-enabled
# until reboot (2 would be the revocable form).
# https://docs.kernel.org/admin-guide/sysctl/kernel.html#unprivileged-bpf-disabled
kernel.unprivileged_bpf_disabled = 1

# Disable the magic SysRq key entirely.
# https://docs.kernel.org/admin-guide/sysrq.html
kernel.sysrq = 0

# Restrict unprivileged perf_event_open(). On mainline kernels any value above
# 2 behaves like 2 (no kernel profiling or raw tracepoints for unprivileged
# users); some distribution kernels define 3 as "no unprivileged perf at all".
# https://docs.kernel.org/admin-guide/sysctl/kernel.html#perf-event-paranoid
kernel.perf_event_paranoid = 3

# Print %pK kernel pointers as zeros for everyone, including root
# (e.g. in /proc/kallsyms), to hide kernel layout.
# https://docs.kernel.org/admin-guide/sysctl/kernel.html#kptr-restrict
kernel.kptr_restrict = 2

# Reading the kernel log requires CAP_SYSLOG.
# https://docs.kernel.org/admin-guide/sysctl/kernel.html#dmesg-restrict
kernel.dmesg_restrict = 1

# Prevent kernel info leaks on the console during boot. The four fields are
# console_loglevel, default_message_loglevel, minimum_console_loglevel and
# default_console_loglevel; console_loglevel 3 lets only emergency, alert and
# critical messages reach the console.
# https://docs.kernel.org/admin-guide/sysctl/kernel.html#printk
kernel.printk = 3 3 3 3

# ---- Crash behaviour ---------------------------------------------------------

# Panic after 100 oopses / 100 WARN()s, so a repeatedly triggered kernel bug
# (a common exploitation primitive) halts the system instead of continuing.
# Both keys exist only on newer kernels; older kernels lack them.
# https://docs.kernel.org/admin-guide/sysctl/kernel.html#oops-limit
kernel.oops_limit = 100
# https://docs.kernel.org/admin-guide/sysctl/kernel.html#warn-limit
kernel.warn_limit = 100

# Negative value: reboot immediately on panic rather than hanging.
# https://docs.kernel.org/admin-guide/sysctl/kernel.html#panic
kernel.panic = -1

# ---- Filesystem --------------------------------------------------------------

# Disable all registered binfmt_misc interpreters. The key only exists while
# binfmt_misc is mounted under /proc/sys/fs/binfmt_misc.
# https://docs.kernel.org/admin-guide/binfmt-misc.html
fs.binfmt_misc.status = 0

# No core dumps from set-id or otherwise protected processes.
# https://docs.kernel.org/admin-guide/sysctl/fs.html#suid-dumpable
fs.suid_dumpable = 0

# Refuse O_CREAT opens of existing regular files / FIFOs in world-writable
# and (2) group-writable sticky directories unless the file is owned by the
# opener or the directory owner (blocks /tmp-style squatting).
# https://docs.kernel.org/admin-guide/sysctl/fs.html#protected-regular
fs.protected_regular = 2
# https://docs.kernel.org/admin-guide/sysctl/fs.html#protected-fifos
fs.protected_fifos = 2

# Restrict hardlink creation to files the user owns or can read and write.
# https://docs.kernel.org/admin-guide/sysctl/fs.html#protected-hardlinks
# Default in Fedora, including for runtime audit
fs.protected_hardlinks = 1

# Do not follow symlinks in world-writable sticky directories unless the link
# owner matches the follower or the directory owner.
# https://docs.kernel.org/admin-guide/sysctl/fs.html#protected-symlinks
# Default in Fedora, including for runtime audit
fs.protected_symlinks = 1

# ---- Misc kernel attack surface ----------------------------------------------

# Do not autoload TTY line-discipline modules on unprivileged TIOCSETD;
# loading them requires CAP_SYS_MODULE instead.
# https://lkml.org/lkml/2019/4/15/890
dev.tty.ldisc_autoload = 0

# Restrict userfaultfd to CAP_SYS_PTRACE
# https://docs.kernel.org/admin-guide/sysctl/vm.html#unprivileged-userfaultfd
vm.unprivileged_userfaultfd = 0

# Disables kexec, which can be used to replace the running kernel. One-way:
# once set it cannot be cleared until reboot.
# https://docs.kernel.org/admin-guide/sysctl/kernel.html#kexec-load-disabled
kernel.kexec_load_disabled = 1

# Disable core dumps by piping them to /bin/false, which discards them
# (complements fs.suid_dumpable above).
# https://docs.kernel.org/admin-guide/sysctl/kernel.html#core-pattern
kernel.core_pattern = |/bin/false

# Disable io_uring for every process (1 would still allow CAP_SYS_ADMIN and
# members of io_uring_group). The key exists only on newer kernels.
# https://lore.kernel.org/lkml/20230629132711.1712536-1-matteorizzo@google.com/T/
# https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html
# https://docs.kernel.org/admin-guide/sysctl/kernel.html#io-uring-disabled
kernel.io_uring_disabled = 2

# ---- Memory layout / ASLR ----------------------------------------------------

# Improve ASLR effectiveness for mmap by using the maximum randomisation bits.
# 32 / 16 are the x86_64 maxima; the valid range is architecture-specific and
# an out-of-range value is rejected, so confirm per target architecture.
# https://docs.kernel.org/admin-guide/sysctl/vm.html#mmap-rnd-bits
vm.mmap_rnd_bits = 32
vm.mmap_rnd_compat_bits = 16

# Full ASLR: randomise stack, mmap base, VDSO and heap (brk).
# https://docs.kernel.org/admin-guide/sysctl/kernel.html#randomize-va-space
# Default in Fedora, including for runtime audit
kernel.randomize_va_space = 2

# Lowest address user space may map (mitigates NULL-pointer-dereference
# exploitation), and a raised ceiling on VMAs per process (kernel default
# is 65530).
# https://docs.kernel.org/admin-guide/sysctl/vm.html#mmap-min-addr
# https://docs.kernel.org/admin-guide/sysctl/vm.html#max-map-count
# Default in Fedora, including for runtime audit
vm.mmap_min_addr = 65536
vm.max_map_count = 1048576