X-Git-Url: https://gerrit.akraino.org/r/gitweb?a=blobdiff_plain;f=deploy%2Fcluster%2Fresources%2Fharden_os.sh;h=89ff36357611c1baeecabb427e68c38023589971;hb=refs%2Fchanges%2F04%2F4804%2F1;hp=8af18935e4b56545bee3afb6735c3e6a602111f0;hpb=7f5b95aaf15bca22ac6506ac5e1b5db0d0437222;p=icn.git
diff --git a/deploy/cluster/resources/harden_os.sh b/deploy/cluster/resources/harden_os.sh
index 8af1893..89ff363 100644
--- a/deploy/cluster/resources/harden_os.sh
+++ b/deploy/cluster/resources/harden_os.sh
@@ -117,13 +117,32 @@ replace_or_append '^\s*AllowGroups\s+' 'AllowGroups root sudo' /etc/ssh/sshd_con
 # Restart SSH
 systemctl restart ssh
 
+# Disabling Apport is necessary to prevent it from overriding
+# fs.suid_dumpable in sysctl conf below
+replace_or_append '^enabled=' 'enabled=0' /etc/default/apport
+
+# The fs.protected_fifos setting below in 99-zzz-icn.conf does not
+# stick on reboot. The setting in /usr/lib takes precendence, but per
+# the sysctl.d manpage, a file with the same name in /etc will
+# override /usr/lib.
+#
+# Reference:
+# https://groups.google.com/g/linux.debian.bugs.dist/c/cYMr7EXCcWY?pli=1
+sed -e 's/fs.protected_fifos = .*/fs.protected_fifos = 2/' /usr/lib/sysctl.d/protect-links.conf > /etc/sysctl.d/protect-links.conf
+
 # Check sysctl key pairs in scan profile
 cat </etc/sysctl.d/99-zzz-icn.conf
+dev.tty.ldisc_autoload = 0
+fs.protected_fifos = 2
 fs.suid_dumpable = 0
 kernel.core_uses_pid = 1
 kernel.dmesg_restrict = 1
 kernel.kptr_restrict = 2
+# TODO module loading required by accelerator drivers
+# kernel.modules_disabled = 1
 kernel.sysrq = 0
+kernel.unprivileged_bpf_disabled = 1
+net.core.bpf_jit_harden = 2
 net.ipv4.conf.all.accept_redirects = 0
 # TODO forwarding required by k8s
 # net.ipv4.conf.all.forwarding = 0
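Review bot: The `sed … > /etc/sysctl.d/protect-links.conf` line creates the target through the shell redirection before sed ever runs, so if /usr/lib/sysctl.d/protect-links.conf is missing or unreadable on the host the result is an empty /etc/sysctl.d/protect-links.conf — and by the precedence rule the comment itself cites, that empty file masks the whole /usr/lib file, silently dropping whatever other protected_* keys it carries along with the one being changed. Guard the source and write through a temp file so a failure leaves nothing behind: `src=/usr/lib/sysctl.d/protect-links.conf`, `[ -r "$src" ] || { echo "harden_os: missing $src" >&2; exit 1; }`, then `sed -e 's/^fs\.protected_fifos = .*/fs.protected_fifos = 2/' "$src" > /etc/sysctl.d/protect-links.conf.tmp && mv /etc/sysctl.d/protect-links.conf.tmp /etc/sysctl.d/protect-links.conf`. Anchoring and escaping the pattern (`^fs\.protected_fifos`) also keeps it from rewriting a commented-out copy of the key or a longer key that happens to contain the same characters. The heredoc this hunk extends continues into the next hunk.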
@@ -134,6 +153,8 @@ net.ipv4.conf.default.accept_redirects = 0
 net.ipv4.conf.default.accept_source_route = 0
 net.ipv4.conf.default.log_martians = 1
 net.ipv6.conf.all.accept_redirects = 0
+# TODO forwarding required by k8s
+net.ipv6.conf.all.forwarding = 1
 net.ipv6.conf.default.accept_redirects = 0
 EOF
 sysctl --system
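Review bot: `net.ipv6.conf.all.forwarding = 1` actively turns IPv6 forwarding on from a hardening script, whereas the matching IPv4 line earlier in this heredoc is only commented out and the default is left alone; the comment copied from it (`# TODO forwarding required by k8s`) does not explain the asymmetry. Enabling forwarding also changes how the kernel treats router advertisements — with the default `accept_ra = 1` a forwarding host stops accepting RAs, so an interface configured by SLAAC can lose its address and default route on the next renewal unless `accept_ra = 2` is set for it. Either drop the line to match the IPv4 treatment (if the CNI manages it, as the TODO suggests), or keep it and expand the comment, e.g. `# IPv6 forwarding is set (not just left unset) because k8s/CNI needs it; interfaces using SLAAC also need net.ipv6.conf.<if>.accept_ra = 2`. The heredoc this hunk closes begins in the previous hunk.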