path: root/float/roles/float-base/templates/sysctl.conf.j2

### Generically useful settings

# Enable reboots on kernel panic
kernel.panic=10
kernel.panic_on_oops=1

# Stop low-level messages from cluttering the console.
kernel.printk=3 4 1 3

# Increase the port range available for client connections.
net.ipv4.ip_local_port_range=20000 65535

### Server-oriented settings

# Decrease the time closed connections spend in the FIN state.
# We want this number to be low so that connection slots are
# freed quickly.
net.ipv4.tcp_fin_timeout=30

# Reduce slightly the TCP keepalive parameters, so that dead
# connections are expired quickly and do not use resources.
net.ipv4.tcp_keepalive_time=1800
net.ipv4.tcp_keepalive_intvl=30
net.ipv4.tcp_keepalive_probes=5

# Keep more SYNs in queue to improve handling of connection bursts.
net.ipv4.tcp_max_syn_backlog=8192
net.ipv4.tcp_synack_retries=2
net.ipv4.tcp_syn_retries=2

# Make TCP sizes quite bigger than the default.
net.core.rmem_max=8738000
net.core.wmem_max=6553600
net.ipv4.tcp_rmem=8192 873800 8738000
net.ipv4.tcp_wmem=4096 655360 6553600

# Increase the max number of connection requests queued on a single socket.
net.core.somaxconn=4000
net.core.netdev_max_backlog=4000

# Required by Elasticsearch and other JVM-based Docker images.
vm.max_map_count=262144

# Conntrack limits.
net.netfilter.nf_conntrack_max={{ nf_conntrack_max }}

### Miscellaneous hardening settings

# Restrict core dumps for SUID binaries.
fs.suid_dumpable=0

# Disable source routed packet acceptance.
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv6.conf.all.accept_source_route=0
net.ipv6.conf.default.accept_source_route=0

# Do not accept ICMP redirects.
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0

# Do not send ICMP redirects.
net.ipv4.conf.all.send_redirects=0

# Enable bad ICMP error message protection.
net.ipv4.icmp_ignore_bogus_error_responses=1

# Enable RFC-recommended source route validation.
net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1

# Prevent the automatic loading of line disciplines
# https://lore.kernel.org/patchwork/patch/1034150
dev.tty.ldisc_autoload=0

# Additional protections for fifos, hardlinks, regular files, and symlinks
# https://patchwork.kernel.org/patch/10244781
# slightly tightened up from the systemd default values of "1" for each
fs.protected_fifos=2
fs.protected_hardlinks=1
fs.protected_regular=2
fs.protected_symlinks=1

{% if not disable_restricted_sysctl %}
# Disable the kexec system call (can be used to replace the running kernel)
# https://lwn.net/Articles/580269
# (linux-hardened default)
kernel.kexec_load_disabled=1
{% endif %}

# Impose restrictions on exposing kernel pointers
# https://lwn.net/Articles/420403
# (linux-hardened default)
kernel.kptr_restrict=2

# Restrict use of the performance events system by unprivileged users
# https://lwn.net/Articles/696216
# (linux-hardened default)
kernel.perf_event_paranoid=3

# Disable the "magic sysrq key" functionality
# https://security.stackexchange.com/questions/138658
# https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1861238
kernel.sysrq=0

{% if not disable_restricted_sysctl %}
# Harden the BPF JIT compiler and restrict unprivileged use of BPF
# https://www.zerodayinitiative.com/advisories/ZDI-20-350
# https://lwn.net/Articles/660331
# (linux-hardened default)
net.core.bpf_jit_harden=2
kernel.unprivileged_bpf_disabled=1
{% endif %}

{% if not disable_restricted_sysctl %}
# Disable unprivileged user namespaces
# https://lwn.net/Articles/673597
# (linux-hardened default)
kernel.unprivileged_userns_clone=0
{% endif %}

# Enable yama ptrace restrictions
# https://www.kernel.org/doc/Documentation/security/Yama.txt
# (linux-hardened default)
# set to "3" if the use of ptrace is not needed
kernel.yama.ptrace_scope=1