# release-sysctl.conf - kernel runtime tunables for the Bottlerocket release image.
# One "key = value" per line, applied by sysctl at boot; '#' starts a full-line comment.
# NOTE(review): a later file in the sysctl.d ordering can override any key below -
# confirm nothing downstream re-opens a hardening setting before relying on this file.
## AL2 defaults ##
# Wait 10 seconds and then reboot
kernel.panic = 10
# Controls the kernel's behaviour when an oops or BUG is encountered
# (1 = treat an oops as a panic; together with kernel.panic above a kernel
# fault becomes a reboot instead of continuing in an undefined state).
kernel.panic_on_oops = 1
# Allow neighbor cache entries to expire even when the cache is not full
net.ipv4.neigh.default.gc_thresh1 = 0
net.ipv6.neigh.default.gc_thresh1 = 0
# Avoid neighbor table contention in large subnets
# (gc_thresh2 = soft limit, gc_thresh3 = hard limit on cached ARP/NDP entries).
net.ipv4.neigh.default.gc_thresh2 = 15360
net.ipv6.neigh.default.gc_thresh2 = 15360
net.ipv4.neigh.default.gc_thresh3 = 16384
net.ipv6.neigh.default.gc_thresh3 = 16384
# Increasing to account for skb structure growth since the 3.4.x kernel series
# (min / default / max send buffer in bytes).
net.ipv4.tcp_wmem = 4096 20480 4194304
# Bumped the default TTL to 255 (maximum)
net.ipv4.ip_default_ttl = 255
## Bottlerocket settings ##
# Enable IPv4 forwarding for container networking.
# NOTE(review): only conf.all is set here, not conf.default; presumably the
# CNI/runtime handles per-interface state for interfaces created later - confirm.
net.ipv4.conf.all.forwarding = 1
# Enable IPv6 forwarding for container networking.
# NOTE(review): per kernel docs, an IPv6 host that forwards stops honouring router
# advertisements unless accept_ra is 2; confirm the network stack sets that if SLAAC is needed.
net.ipv6.conf.all.forwarding = 1
# This is generally considered a safe ephemeral port range
# (this is also the kernel's built-in default range).
net.ipv4.ip_local_port_range = 32768 60999
# Connection tracking to prevent dropped connections
# (sized for many concurrent container flows; generic_timeout is for non-TCP/UDP/ICMP protocols).
# NOTE(review): these keys only exist once nf_conntrack is loaded - confirm
# module load order, otherwise the lines are skipped with an error at apply time.
net.netfilter.nf_conntrack_max = 1048576
net.netfilter.nf_conntrack_generic_timeout = 120
# Enable loose mode for reverse path filter
# (2 = loose mode, and only on the loopback interface).
# NOTE(review): nothing here sets conf.all/conf.default rp_filter; if anti-spoofing
# RPF on real interfaces is expected, confirm it is configured elsewhere.
net.ipv4.conf.lo.rp_filter = 2
## Kernel hardening settings
## Settings & descriptions sourced from the KSPP wiki, see
## https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings#sysctls
## NOTE(review): this is a subset of the KSPP sysctl list. Not set in this file:
## fs.protected_{symlinks,hardlinks,fifos,regular}, kernel.kexec_load_disabled,
## kernel.perf_event_paranoid, kernel.sysrq, vm.unprivileged_userfaultfd and the
## net.ipv4 redirect / source-route controls (relevant on a forwarding host).
## They may be kernel build-time defaults or set in another file - confirm before
## treating the KSPP baseline as fully applied.
# Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
# (1 = hide unless the reader has CAP_SYSLOG; KSPP's recommended value.)
kernel.kptr_restrict = 1
# Avoid kernel memory address exposures via dmesg.
# (1 = reading the kernel log requires CAP_SYSLOG.)
kernel.dmesg_restrict = 1
# Avoid non-ancestor ptrace access to running processes and their credentials.
# (1 = only a descendant, or a process granted via PR_SET_PTRACER, may be traced.)
# NOTE(review): this key exists only when the Yama LSM is built in and enabled - confirm.
kernel.yama.ptrace_scope = 1
# Disable User Namespaces, as it opens up a large attack surface to unprivileged users.
# NOTE(review): this also blocks rootless / userns-based container tooling on the host;
# presumably intentional for this image.
user.max_user_namespaces = 0
# Turn off unprivileged eBPF access.
# NOTE(review): per kernel docs, 1 is a one-way switch until reboot (2 would allow
# re-enabling at runtime); 1 is the stricter choice and appears intentional.
kernel.unprivileged_bpf_disabled = 1
# Turn on BPF JIT hardening, if the JIT is enabled.
# (2 = constant blinding for all users, privileged included; has a JIT performance cost.)
net.core.bpf_jit_harden = 2
# Increase inotify limits to allow for a greater number of containers
# (per-user limits on inotify instances and watches).
fs.inotify.max_user_instances = 8192
fs.inotify.max_user_watches = 524288
# Increase virtual memory to allow for larger workloads
# (maximum number of memory map areas a single process may have).
vm.max_map_count = 524288