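# sysctl(8) settings: kernel hardening, IPv6 privacy extensions, SysRq,
# and a few power-management tweaks. One key=value per line, '#' starts a
# full-line comment (sysctl does not support trailing comments).

# Don't let non-root users get addresses of kernel symbols.
# 1 = %pK pointers are hidden from users without CAP_SYSLOG;
# 2 = hidden from everyone, including root.
kernel.kptr_restrict=1

# Disable kexec to disallow replacing the running kernel.
# NOTE: this is one-way. Once set to 1 it cannot be cleared again until the
# next reboot, so a runtime "sysctl -w" back to 0 will fail.
kernel.kexec_load_disabled=1

# Only let processes with CAP_SYS_PTRACE attach to other processes.
# Requires the Yama LSM to be enabled. Values: 0 = classic ptrace,
# 1 = restricted (descendants only), 2 = admin-only, 3 = no attach at all
# (3 is one-way and cannot be lowered again without a reboot).
# Perhaps needs to be disabled for devtools & debugging.
kernel.yama.ptrace_scope=2

# IPv6 Privacy Extensions (RFC 4941)
# ---
# IPv6 typically uses a device's MAC address when choosing an IPv6 address
# to use in autoconfiguration. Privacy extensions allow using a randomly
# generated IPv6 address, which increases privacy.
#
# Acceptable values:
# 0 - don't use privacy extensions.
# 1 - generate privacy addresses
# 2 - prefer privacy addresses and use them over the normal addresses.
#
# "all" applies to interfaces that already exist, "default" to interfaces
# created later; set both so hot-plugged interfaces get the same policy.
net.ipv6.conf.all.use_tempaddr=2
net.ipv6.conf.default.use_tempaddr=2

# The magic SysRq key enables certain keyboard combinations to be
# interpreted by the kernel to help with debugging. The kernel will respond
# to these keys regardless of the current running applications.
#
# In general, the magic SysRq key is not needed for the average Ubuntu
# system, and having it enabled by default can lead to security issues on
# the console such as being able to dump memory or to kill arbitrary
# processes including the running screen lock.
#
# Here is the list of possible values:
# 0 - disable sysrq completely
# 1 - enable all functions of sysrq
# >1 - enable certain functions by adding up the following values:
# 2 - enable control of console logging level
# 4 - enable control of keyboard (SAK, unraw)
# 8 - enable debugging dumps of processes etc.
# 16 - enable sync command
# 32 - enable remount read-only
# 64 - enable signalling of processes (term, kill, oom-kill)
# 128 - allow reboot/poweroff
# 256 - allow nicing of all RT tasks
#
# For example, to enable both control of console logging level and
# debugging dumps of processes: kernel.sysrq = 10
#
# 128 (reboot/poweroff) + 32 (remount read-only) + 16 (sync) = 176.
# This keeps the "safe shutdown" combinations but leaves process dumps
# and signalling disabled.
kernel.sysrq=176

# Disable NMI watchdog (powertop recommendation).
# NOTE: the NMI watchdog is the hard-lockup detector; with it off, a CPU
# stuck with interrupts disabled will no longer be reported.
kernel.nmi_watchdog=0

# Increase writeback interval (default is 500, powertop recommendation).
# Unit is centiseconds: 1500 = 15 seconds. Dirty pages stay in RAM longer
# before being flushed, so more unsynced data is lost on a crash or power
# loss.
vm.dirty_writeback_centisecs=1500

# Quiet console. The four fields are:
# console_loglevel default_message_loglevel minimum_console_loglevel
# default_console_loglevel. With console_loglevel=3 only kernel messages
# below level 3 (emergency, alert, critical) are printed to the console;
# everything else still goes to the ring buffer (dmesg / journal).
kernel.printk=3 3 3 3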