59 lines
2.2 KiB
Text
59 lines
2.2 KiB
Text
|
# Don't let non-root users get addresses of kernel symbols
|
|||
|
|
kernel.kptr_restrict=1
|
|||
|
|
|
|||
|
|
# Disable kexec to disallow replacing the running kernel.
|
|||
|
|
kernel.kexec_load_disabled=1
|
|||
|
|
|
|||
|
|
# Only let root ptrace processes, for security reasons.
|
|||
|
|
# Perhaps I'll need to disable this again for devtools & debugging
|
|||
|
|
kernel.yama.ptrace_scope=2
|
|||
|
|
|
|||
|
|
# IPv6 Privacy Extensions (RFC 4941)
|
|||
|
|
# ---
|
|||
|
|
# IPv6 typically uses a device's MAC address when choosing an IPv6 address
|
|||
|
|
# to use in autoconfiguration. Privacy extensions allow using a randomly
|
|||
|
|
# generated IPv6 address, which increases privacy.
|
|||
|
|
#
|
|||
|
|
# Acceptable values:
|
|||
|
|
# 0 - don’t use privacy extensions.
|
|||
|
|
# 1 - generate privacy addresses
|
|||
|
|
# 2 - prefer privacy addresses and use them over the normal addresses.
|
|||
|
|
net.ipv6.conf.all.use_tempaddr=2
|
|||
|
|
net.ipv6.conf.default.use_tempaddr=2
|
|||
|
|
|
|||
|
|
# The magic SysRq key enables certain keyboard combinations to be
|
|||
|
|
# interpreted by the kernel to help with debugging. The kernel will respond
|
|||
|
|
# to these keys regardless of the current running applications.
|
|||
|
|
#
|
|||
|
|
# In general, the magic SysRq key is not needed for the average Ubuntu
|
|||
|
|
# system, and having it enabled by default can lead to security issues on
|
|||
|
|
# the console such as being able to dump memory or to kill arbitrary
|
|||
|
|
# processes including the running screen lock.
|
|||
|
|
#
|
|||
|
|
# Here is the list of possible values:
|
|||
|
|
# 0 - disable sysrq completely
|
|||
|
|
# 1 - enable all functions of sysrq
|
|||
|
|
# >1 - enable certain functions by adding up the following values:
|
|||
|
|
# 2 - enable control of console logging level
|
|||
|
|
# 4 - enable control of keyboard (SAK, unraw)
|
|||
|
|
# 8 - enable debugging dumps of processes etc.
|
|||
|
|
# 16 - enable sync command
|
|||
|
|
# 32 - enable remount read-only
|
|||
|
|
# 64 - enable signalling of processes (term, kill, oom-kill)
|
|||
|
|
# 128 - allow reboot/poweroff
|
|||
|
|
# 256 - allow nicing of all RT tasks
|
|||
|
|
#
|
|||
|
|
# For example, to enable both control of console logging level and
|
|||
|
|
# debugging dumps of processes: kernel.sysrq = 10
|
|||
|
|
#
|
|||
|
|
# 128 + 32 + 16
|
|||
|
|
kernel.sysrq=176
|
|||
|
|
|
|||
|
|
# Disable NMI watchdog (powertop recommendation)
|
|||
|
|
kernel.nmi_watchdog=0
|
|||
|
|
# Increase writeback time (default's 500, powertop recommendation)
|
|||
|
|
vm.dirty_writeback_centisecs=1500
|
|||
|
|
|
|||
|
|
# Quiet
|
|||
|
|
kernel.printk = 3 3 3 3
|