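# sysctl.conf(5) drop-in: kernel hardening, IPv6 privacy and power tweaks.
# One `key=value` per line; `#` starts a full-line comment. Re-apply after
# editing with `sysctl --system` (or `sysctl -p <this file>`).

# Don't let non-root users get addresses of kernel symbols.
# 1 = %pK pointers (e.g. in /proc/kallsyms) read as zeros unless the reader
#     has CAP_SYSLOG; 2 = hidden from everyone, including root.
# Related knob, not set here: kernel.dmesg_restrict controls who may read
# the kernel ring buffer at all.
kernel.kptr_restrict=1

# Disable kexec to disallow replacing the running kernel.
# NOTE: one-way switch — once set to 1 it cannot be cleared until reboot,
# and it also stops a kdump crash kernel from being loaded after boot.
kernel.kexec_load_disabled=1

# Only let root (CAP_SYS_PTRACE) ptrace processes, for security reasons.
# Scope 2 blocks both PTRACE_ATTACH and PTRACE_TRACEME for unprivileged
# users, so gdb/strace even on your own processes needs sudo. Unlike
# scope 3, scope 2 can be lowered again at runtime.
# Perhaps I'll need to disable this again for devtools & debugging.
kernel.yama.ptrace_scope=2

# IPv6 Privacy Extensions (RFC 4941)
# ---
# IPv6 typically uses a device's MAC address when choosing an IPv6 address
# to use in autoconfiguration (SLAAC), which makes the host trackable
# across networks. Privacy extensions allow using a randomly generated,
# periodically rotated IPv6 address instead, which increases privacy.
#
# Acceptable values:
#   0 - don't use privacy extensions.
#   1 - generate privacy addresses
#   2 - prefer privacy addresses and use them over the normal addresses.
#
# `default` covers interfaces created after this is applied. Whether `all`
# reaches interfaces that are already up varies by knob; verify with
# `sysctl net.ipv6.conf.<iface>.use_tempaddr` after applying.
net.ipv6.conf.all.use_tempaddr=2
net.ipv6.conf.default.use_tempaddr=2

# The magic SysRq key enables certain keyboard combinations to be
# interpreted by the kernel to help with debugging. The kernel will respond
# to these keys regardless of the current running applications.
#
# In general, the magic SysRq key is not needed for the average Ubuntu
# system, and having it enabled by default can lead to security issues on
# the console such as being able to dump memory or to kill arbitrary
# processes including the running screen lock.
#
# Here is the list of possible values:
#   0 - disable sysrq completely
#   1 - enable all functions of sysrq
#  >1 - enable certain functions by adding up the following values:
#         2 - enable control of console logging level
#         4 - enable control of keyboard (SAK, unraw)
#         8 - enable debugging dumps of processes etc.
#        16 - enable sync command
#        32 - enable remount read-only
#        64 - enable signalling of processes (term, kill, oom-kill)
#       128 - allow reboot/poweroff
#       256 - allow nicing of all RT tasks
#
# For example, to enable both control of console logging level and
# debugging dumps of processes: kernel.sysrq=10
#
# 128 + 32 + 16 = 176: sync, remount read-only and reboot/poweroff only.
# This deliberately leaves out 8 (process dumps) and 64 (signalling), the
# bits that would let someone at the console kill the screen locker.
# Anyone with physical keyboard access can still force a sync/remount/
# reboot (Alt+SysRq+S, U, B); drop 128 as well if a forced reboot into
# other media is part of your threat model.
kernel.sysrq=176

# Disable NMI watchdog (powertop recommendation).
# Trade-off: this also turns off the hard-lockup detector, so a CPU stuck
# with interrupts disabled will no longer be reported.
kernel.nmi_watchdog=0

# Increase writeback interval (default is 500; powertop recommendation).
# Units are centiseconds: 1500 = 15 s between flushes of dirty pages.
# A longer interval means more buffered data is lost on a sudden power cut.
vm.dirty_writeback_centisecs=1500

# Quiet console. The four fields are: console_loglevel,
# default_message_loglevel, minimum_console_loglevel, default_console_loglevel.
# console_loglevel=3 prints only messages with priority below 3 (emerg,
# alert, crit) to the console; everything is still recorded in dmesg.
kernel.printk=3 3 3 3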