path: root/dot_claude
author: sommerfeld <sommerfeld@sommerfeld.dev> 2026-05-29 11:18:11 +0100
committer: sommerfeld <sommerfeld@sommerfeld.dev> 2026-05-29 11:18:11 +0100
commit: 75e84558ea71f14adbaa1a461cd5f6e8793b0470 (patch)
tree: 23419e4c9612752b3610cb1936f19b019a71375b /dot_claude
parent: 368f2aa6a09d7314b169f87e2a1466ed5a301a77 (diff)
feat(sysctl): kernel info-disclosure + ICMP/IPv6 RA hardening
Adds standard KSPP-style sysctl hardening that does not interfere with the existing dev workflow:
- kptr_restrict=2, unprivileged_bpf_disabled=1, bpf_jit_harden=2
- kexec_load_disabled=1 (no kexec in use)
- fs.suid_dumpable=0
- ICMP broadcast/bogus-error ignores
- tcp_timestamps=0 (BBR+cake do not need RFC1323 timestamps)
- IPv6 RA disabled at kernel layer (systemd-networkd is authoritative)
- explicit tcp_syncookies=1

Drops 'kernel.yama.ptrace_scope = 0' so the kernel default 1 (parent only) applies. Debugging own builds via 'gdb ./a.out', 'lldb -- ./bin', 'rust-gdb' still works; only attach-by-PID now needs sudo, accepted trade-off.

Intentionally kept dev-permissive: kernel.sysrq=1, kernel.dmesg_restrict=0, kernel.perf_event_paranoid=-1
Diffstat (limited to 'dot_claude'): 0 files changed, 0 insertions, 0 deletions
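Added example, not part of the dotfiles repo or this commit: a POSIX sh audit that checks a sysctl.d-style file against the values the commit message names and flags a surviving 'kernel.yama.ptrace_scope = 0' line. The full key names (e.g. net.core.bpf_jit_harden) are assumed from the message's short forms, and the sample file is constructed.

```shell
# Added example (not from the dotfiles repo): audit a sysctl.d-style file against
# the values this commit sets, catching a leftover 'ptrace_scope = 0' or a missing
# key before 'sysctl --system' applies it. Full key names assumed from the message.
BASELINE='kernel.kptr_restrict 2
kernel.unprivileged_bpf_disabled 1
net.core.bpf_jit_harden 2
kernel.kexec_load_disabled 1
fs.suid_dumpable 0
net.ipv4.tcp_timestamps 0
net.ipv4.tcp_syncookies 1'
# Dropped rather than set: must not be pinned to the old value; absent is right.
FORBIDDEN='kernel.yama.ptrace_scope 0'
# Constructed sample: old ptrace_scope=0 survived, kexec_load_disabled missing.
SAMPLE='# 99-hardening.conf (constructed sample)
kernel.kptr_restrict = 2
kernel.unprivileged_bpf_disabled = 1
net/core/bpf_jit_harden = 2
fs.suid_dumpable = 0
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_syncookies = 1   # explicit
kernel.yama.ptrace_scope = 0'
write_sample() { printf '%s\n' "$SAMPLE" > "$1"; }
# lookup_key FILE KEY: last value assigned to KEY ('' if absent), honouring
# comments, '/' key syntax and last-assignment-wins as sysctl(8) does.
lookup_key() {
    awk -v k="$2" -F= '
        /^[ \t]*[#;]/ || index($0, "=") == 0 { next }
        { name = $1; gsub(/^[ \t]+|[ \t]+$/, "", name); gsub("/", ".", name)
          if (name != k) next
          v = $2; sub(/[#;].*/, "", v); gsub(/[ \t]/, "", v); last = v }
        END { print last }' "$1"
}
# audit_sysctl_file FILE: one finding per line on stdout (empty when clean).
audit_sysctl_file() {
    printf '%s\n' "$BASELINE" | while read -r key want; do
        have=$(lookup_key "$1" "$key")
        if [ -z "$have" ]; then printf 'MISSING %s (want %s)\n' "$key" "$want"
        elif [ "$have" != "$want" ]; then printf 'MISMATCH %s = %s (want %s)\n' "$key" "$have" "$want"
        fi
    done
    printf '%s\n' "$FORBIDDEN" | while read -r key bad; do
        if [ "$(lookup_key "$1" "$key")" = "$bad" ]; then
            printf 'FORBIDDEN %s = %s (drop it; kernel default applies)\n' "$key" "$bad"
        fi
    done
}
check_hardening() {  # exit 0 when FILE matches the baseline, 1 with findings
    out=$(audit_sysctl_file "$1"); [ -z "$out" ] && return 0
    printf '%s\n' "$out"; return 1
}
```

Run `check_hardening /etc/sysctl.d/99-hardening.conf` against the real file; on the constructed sample it reports the missing kexec key and the surviving ptrace_scope=0 line and exits 1.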