secureblue/files/system/usr/etc/sysctl.d/hardening.conf

# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Disable ICMP Redirect Acceptance
net.ipv4.conf.*.send_redirects = 0
net.ipv4.conf.*.accept_redirects = 0
net.ipv6.conf.*.accept_redirects = 0

# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

net.core.bpf_jit_harden = 2
kernel.yama.ptrace_scope = 3
kernel.unprivileged_bpf_disabled = 1
kernel.sysrq = 0
kernel.perf_event_paranoid = 3
kernel.kptr_restrict = 2
kernel.dmesg_restrict = 1
fs.binfmt_misc.status = 0
fs.suid_dumpable = 0
fs.protected_regular = 2
fs.protected_fifos = 2
dev.tty.ldisc_autoload = 0

# Restrict userfaultfd to CAP_SYS_PTRACE
vm.unprivileged_userfaultfd = 0

## Prevent kernel info leaks in console during boot.
## https://phabricator.whonix.org/T950
kernel.printk = 3 3 3 3

## Disables kexec which can be used to replace the running kernel.
kernel.kexec_load_disabled = 1

## Disable core dump
kernel.core_pattern = |/bin/false

## Disable io_uring
## https://lore.kernel.org/lkml/20230629132711.1712536-1-matteorizzo@google.com/T/
## https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html
kernel.io_uring_disabled = 2

# Improve ALSR effectiveness for mmap.
vm.mmap_rnd_bits = 32
vm.mmap_rnd_compat_bits = 16