diff --git a/Docker-Compose.yml b/Docker-Compose.yml
index 5abdfad..1ed4e7b 100644
--- a/Docker-Compose.yml
+++ b/Docker-Compose.yml
@@ -136,22 +136,70 @@ storage:
 target: /dev/null
 kernel_arguments:
 should_exist:
+ - spectre_v2=on
+ - spec_store_bypass_disable=on
+ - l1tf=full,force
+ - mds=full,nosmt
+ - tsx=off
+ - tsx_async_abort=full,nosmt
 - kvm.nx_huge_pages=force
+ - nosmt=force
+ - l1d_flush=on
+ - mmio_stale_data=full,nosmt
+ - random.trust_bootloader=off
 - random.trust_cpu=off
- - kernel.dmesg_restrict=1
- - fs.protected_fifos=2
- - fs.protected_regular=2
- - fs.protected_symlinks=1
- - fs.protected_hardlinks=1
- - net.core.bpf_jit_harden=2
- - kernel.kexec_load_disabled=1
- - kernel.kptr_restrict=2
- - vm.mmap_rnd_bits=32
- - vm.mmap_rnd_compat_bits=16
- - kernel.yama.ptrace_scope=2
- - fs.suid_dumpable=0
- - net.ipv4.tcp_rfc1337=1
- - kernel.perf_event_paranoid=3
- - kernel.randomize_va_space=2
- - net.ipv4.icmp_ignore_bogus_error_responses=1
- - net.ipv4.conf.all.log_martians=1
+ - intel_iommu=on
+ - amd_iommu=on
+ - efi=disable_early_pci_dma
+ - iommu.passthrough=0 i
+ - iommu.strict=1
+ - slab_nomerge
+ - init_on_alloc=1
+ - init_on_free=1
+ - pti=on
+ - vsyscall=none
+ - page_alloc.shuffle=1
+ - randomize_kstack_offset=on
+ - extra_latent_entropy
+ - debugfs=off
+ - sysctl.kernel.core_pattern=|/bin/false
+ - sysctl.kernel.dmesg_restrict=1
+ - sysctl.fs.protected_fifos=2
+ - sysctl.fs.protected_regular=2
+ - sysctl.fs.protected_symlinks=1
+ - sysctl.fs.protected_hardlinks=1
+ - sysctl.net.core.bpf_jit_harden=2
+ - sysctl.kernel.kexec_load_disabled=1
+ - sysctl.kernel.kptr_restrict=2
+ - sysctl.vm.mmap_rnd_bits=32
+ - sysctl.vm.mmap_rnd_compat_bits=16
+ - sysctl.kernel.yama.ptrace_scope=3
+ - sysctl.fs.suid_dumpable=0
+ - sysctl.kernel.randomize_va_space=2
+ - sysctl.net.ipv4.tcp_rfc1337=1
+ - sysctl.net.ipv4.conf.all.accept_redirects=0
+ - sysctl.net.ipv4.conf.default.accept_redirects=0
+ - sysctl.net.ipv4.conf.all.secure_redirects=0
+ - sysctl.net.ipv4.conf.default.secure_redirects=0
+ - sysctl.net.ipv6.conf.all.accept_redirects=0
+ - sysctl.net.ipv6.conf.default.accept_redirects=0
+ - sysctl.net.ipv4.conf.all.send_redirects=0
+ - sysctl.net.ipv4.conf.default.send_redirects=0
+ - sysctl.net.ipv4.icmp_echo_ignore_all=1
+ - sysctl.net.ipv6.icmp.echo_ignore_all=1
+ - sysctl.net.ipv4.icmp_ignore_bogus_error_responses=1
+ - sysctl.net.ipv4.tcp_syncookies=1
+ - sysctl.net.ipv4.conf.all.accept_source_route=0
+ - sysctl.net.ipv4.conf.default.accept_source_route=0
+ - sysctl.net.ipv6.conf.all.accept_source_route=0
+ - sysctl.net.ipv6.conf.default.accept_source_route=0
+ - sysctl.net.ipv4.conf.default.rp_filter=1
+ - sysctl.net.ipv4.conf.all.rp_filter=1
+ - sysctl.net.ipv4.tcp_timestamps=0
+ - sysctl.kernel.sysrq=132
+ - sysctl.dev.tty.ldisc_autoload=0
+ - sysctl.vm.unprivileged_userfaultfd=0
+ - sysctl.vm.swappiness=1
+ - sysctl.kernel.perf_event_paranoid=3
+ - sysctl.net.ipv6.conf.all.accept_ra=0
+ - sysctl.net.ipv6.conf.default.accept_ra=0
diff --git a/Generic.yml b/Generic.yml
index 7b21ce9..ec656cc 100644
--- a/Generic.yml
+++ b/Generic.yml
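Review bot: The new entry `iommu.passthrough=0 i` has a stray trailing `i`; every `should_exist` item is emitted onto the kernel command line, so the space splits it into `iommu.passthrough=0` plus a bare token `i`, which is not a kernel parameter and is presumably handed to init as a positional argument — it looks like a copy-paste typo and should read `- iommu.passthrough=0`. Separately, `net.ipv4.conf.all.log_martians=1` is removed but, unlike every one of its neighbours, is not re-added under the new `sysctl.` prefix, so the only line that logged packets with spoofed or unroutable source addresses disappears silently. If that is not intended, add `- sysctl.net.ipv4.conf.all.log_martians=1` and `- sysctl.net.ipv4.conf.default.log_martians=1` next to the `rp_filter` entries, which they complement. Indentation of the list is not recoverable from this collapsed hunk, so whether the new items sit at the same level as the kept `kvm.nx_huge_pages=force` line should be checked in the file itself.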
@@ -154,22 +154,71 @@ storage:
 target: /dev/null
 kernel_arguments:
 should_exist:
+ - spectre_v2=on
+ - spec_store_bypass_disable=on
+ - l1tf=full,force
+ - mds=full,nosmt
+ - tsx=off
+ - tsx_async_abort=full,nosmt
 - kvm.nx_huge_pages=force
+ - nosmt=force
+ - l1d_flush=on
+ - mmio_stale_data=full,nosmt
+ - random.trust_bootloader=off
 - random.trust_cpu=off
- - kernel.dmesg_restrict=1
- - fs.protected_fifos=2
- - fs.protected_regular=2
- - fs.protected_symlinks=1
- - fs.protected_hardlinks=1
- - net.core.bpf_jit_harden=2
- - kernel.kexec_load_disabled=1
- - kernel.kptr_restrict=2
- - vm.mmap_rnd_bits=32
- - vm.mmap_rnd_compat_bits=16
- - kernel.yama.ptrace_scope=2
- - fs.suid_dumpable=0
- - net.ipv4.tcp_rfc1337=1
- - kernel.perf_event_paranoid=3
- - kernel.randomize_va_space=2
- - net.ipv4.icmp_ignore_bogus_error_responses=1
- - net.ipv4.conf.all.log_martians=1
+ - intel_iommu=on
+ - amd_iommu=on
+ - efi=disable_early_pci_dma
+ - iommu.passthrough=0 i
+ - iommu.strict=1
+ - slab_nomerge
+ - init_on_alloc=1
+ - init_on_free=1
+ - pti=on
+ - vsyscall=none
+ - page_alloc.shuffle=1
+ - randomize_kstack_offset=on
+ - extra_latent_entropy
+ - debugfs=off
+ - sysctl.kernel.core_pattern=|/bin/false
+ - sysctl.kernel.dmesg_restrict=1
+ - sysctl.fs.protected_fifos=2
+ - sysctl.fs.protected_regular=2
+ - sysctl.fs.protected_symlinks=1
+ - sysctl.fs.protected_hardlinks=1
+ - sysctl.net.core.bpf_jit_harden=2
+ - sysctl.kernel.kexec_load_disabled=1
+ - sysctl.kernel.kptr_restrict=2
+ - sysctl.vm.mmap_rnd_bits=32
+ - sysctl.vm.mmap_rnd_compat_bits=16
+ - sysctl.kernel.yama.ptrace_scope=3
+ - sysctl.fs.suid_dumpable=0
+ - sysctl.kernel.randomize_va_space=2
+ - sysctl.net.ipv4.tcp_rfc1337=1
+ - sysctl.net.ipv4.conf.all.accept_redirects=0
+ - sysctl.net.ipv4.conf.default.accept_redirects=0
+ - sysctl.net.ipv4.conf.all.secure_redirects=0
+ - sysctl.net.ipv4.conf.default.secure_redirects=0
+ - sysctl.net.ipv6.conf.all.accept_redirects=0
+ - sysctl.net.ipv6.conf.default.accept_redirects=0
+ - sysctl.net.ipv4.conf.all.send_redirects=0
+ - sysctl.net.ipv4.conf.default.send_redirects=0
+ - sysctl.net.ipv4.icmp_echo_ignore_all=1
+ - sysctl.net.ipv6.icmp.echo_ignore_all=1
+ - sysctl.net.ipv4.icmp_ignore_bogus_error_responses=1
+ - sysctl.net.ipv4.tcp_syncookies=1
+ - sysctl.net.ipv4.conf.all.accept_source_route=0
+ - sysctl.net.ipv4.conf.default.accept_source_route=0
+ - sysctl.net.ipv6.conf.all.accept_source_route=0
+ - sysctl.net.ipv6.conf.default.accept_source_route=0
+ - sysctl.net.ipv4.conf.default.rp_filter=1
+ - sysctl.net.ipv4.conf.all.rp_filter=1
+ - sysctl.net.ipv4.tcp_timestamps=0
+ - sysctl.kernel.sysrq=132
+ - sysctl.dev.tty.ldisc_autoload=0
+ - sysctl.vm.unprivileged_userfaultfd=0
+ - sysctl.vm.swappiness=1
+ - sysctl.kernel.perf_event_paranoid=3
+ - sysctl.net.ipv6.conf.all.accept_ra=0
+ - sysctl.net.ipv6.conf.default.accept_ra=0
+
diff --git a/GitLab.yml b/GitLab.yml
index 10ad3d4..7ba2f58 100644
--- a/GitLab.yml
+++ b/GitLab.yml
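Review bot: `sysctl.kernel.yama.ptrace_scope=3` replaces the previous `2` without comment, and 3 is the one latched value: once the kernel applies it at boot it refuses any attempt to lower it until the next reboot, so `strace`, `gdb`, and any container tooling that needs PTRACE_ATTACH is off for the whole uptime, not just until an admin relaxes it. If that is the intent, record it above the line, e.g. `# ptrace_scope=3 is irreversible until reboot; no ptrace at all on this host`, otherwise keep `2`. The same hunk also carries `iommu.passthrough=0 i`, where the trailing ` i` looks like a typo that will become a separate bare token on the command line; it should be `- iommu.passthrough=0`. `sysctl.kernel.perf_event_paranoid=3` is presumably carried over from the old list, but on unpatched upstream kernels values above 2 behave like 2 (3 is a Debian/Ubuntu-specific level), so confirm the target kernel honours it. Finally, this file alone gains a trailing whitespace-only line (the last `+`), which yamllint will flag and the other three files do not have.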
@@ -156,22 +156,70 @@ storage:
 target: /dev/null
 kernel_arguments:
 should_exist:
+ - spectre_v2=on
+ - spec_store_bypass_disable=on
+ - l1tf=full,force
+ - mds=full,nosmt
+ - tsx=off
+ - tsx_async_abort=full,nosmt
 - kvm.nx_huge_pages=force
+ - nosmt=force
+ - l1d_flush=on
+ - mmio_stale_data=full,nosmt
+ - random.trust_bootloader=off
 - random.trust_cpu=off
- - kernel.dmesg_restrict=1
- - fs.protected_fifos=2
- - fs.protected_regular=2
- - fs.protected_symlinks=1
- - fs.protected_hardlinks=1
- - net.core.bpf_jit_harden=2
- - kernel.kexec_load_disabled=1
- - kernel.kptr_restrict=2
- - vm.mmap_rnd_bits=32
- - vm.mmap_rnd_compat_bits=16
- - kernel.yama.ptrace_scope=2
- - fs.suid_dumpable=0
- - net.ipv4.tcp_rfc1337=1
- - kernel.perf_event_paranoid=3
- - kernel.randomize_va_space=2
- - net.ipv4.icmp_ignore_bogus_error_responses=1
- - net.ipv4.conf.all.log_martians=1
+ - intel_iommu=on
+ - amd_iommu=on
+ - efi=disable_early_pci_dma
+ - iommu.passthrough=0 i
+ - iommu.strict=1
+ - slab_nomerge
+ - init_on_alloc=1
+ - init_on_free=1
+ - pti=on
+ - vsyscall=none
+ - page_alloc.shuffle=1
+ - randomize_kstack_offset=on
+ - extra_latent_entropy
+ - debugfs=off
+ - sysctl.kernel.core_pattern=|/bin/false
+ - sysctl.kernel.dmesg_restrict=1
+ - sysctl.fs.protected_fifos=2
+ - sysctl.fs.protected_regular=2
+ - sysctl.fs.protected_symlinks=1
+ - sysctl.fs.protected_hardlinks=1
+ - sysctl.net.core.bpf_jit_harden=2
+ - sysctl.kernel.kexec_load_disabled=1
+ - sysctl.kernel.kptr_restrict=2
+ - sysctl.vm.mmap_rnd_bits=32
+ - sysctl.vm.mmap_rnd_compat_bits=16
+ - sysctl.kernel.yama.ptrace_scope=3
+ - sysctl.fs.suid_dumpable=0
+ - sysctl.kernel.randomize_va_space=2
+ - sysctl.net.ipv4.tcp_rfc1337=1
+ - sysctl.net.ipv4.conf.all.accept_redirects=0
+ - sysctl.net.ipv4.conf.default.accept_redirects=0
+ - sysctl.net.ipv4.conf.all.secure_redirects=0
+ - sysctl.net.ipv4.conf.default.secure_redirects=0
+ - sysctl.net.ipv6.conf.all.accept_redirects=0
+ - sysctl.net.ipv6.conf.default.accept_redirects=0
+ - sysctl.net.ipv4.conf.all.send_redirects=0
+ - sysctl.net.ipv4.conf.default.send_redirects=0
+ - sysctl.net.ipv4.icmp_echo_ignore_all=1
+ - sysctl.net.ipv6.icmp.echo_ignore_all=1
+ - sysctl.net.ipv4.icmp_ignore_bogus_error_responses=1
+ - sysctl.net.ipv4.tcp_syncookies=1
+ - sysctl.net.ipv4.conf.all.accept_source_route=0
+ - sysctl.net.ipv4.conf.default.accept_source_route=0
+ - sysctl.net.ipv6.conf.all.accept_source_route=0
+ - sysctl.net.ipv6.conf.default.accept_source_route=0
+ - sysctl.net.ipv4.conf.default.rp_filter=1
+ - sysctl.net.ipv4.conf.all.rp_filter=1
+ - sysctl.net.ipv4.tcp_timestamps=0
+ - sysctl.kernel.sysrq=132
+ - sysctl.dev.tty.ldisc_autoload=0
+ - sysctl.vm.unprivileged_userfaultfd=0
+ - sysctl.vm.swappiness=1
+ - sysctl.kernel.perf_event_paranoid=3
+ - sysctl.net.ipv6.conf.all.accept_ra=0
+ - sysctl.net.ipv6.conf.default.accept_ra=0
diff --git a/OnlyOffice.yml b/OnlyOffice.yml
index 5e55348..5a8d7a1 100644
--- a/OnlyOffice.yml
+++ b/OnlyOffice.yml
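Review bot: Moving the whole sysctl set onto the kernel command line under the `sysctl.` prefix changes what is actually enforced versus what is merely checked: the kernel applies these during late init and, for any sysctl that does not exist at that point (kernels before 5.8, Yama or userfaultfd not built in, IPv6 as a module), it only logs a failure to dmesg and continues, while `should_exist` verifies that the string is present on the command line, not that the value took effect. Entries such as `sysctl.kernel.core_pattern=|/bin/false` and `sysctl.kernel.sysrq=132` are also commonly set again later by systemd-sysctl from `/usr/lib/sysctl.d` drop-ins (coredump and default files), which would override the boot-time value; whether that happens on this image should be confirmed. A post-boot check that compares `sysctl -n` for each key against the intended value, or a short comment stating that this was verified, would close the gap. The hunk also contains `iommu.passthrough=0 i`; the trailing ` i` appears to be a typo and should be dropped so the line reads `- iommu.passthrough=0`. Note that `nosmt=force` together with the `,nosmt` mitigation flags halves the logical CPU count on SMT hardware, which is a sizing consideration for a GitLab host.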
@@ -155,22 +155,70 @@ storage:
 target: /dev/null
 kernel_arguments:
 should_exist:
+ - spectre_v2=on
+ - spec_store_bypass_disable=on
+ - l1tf=full,force
+ - mds=full,nosmt
+ - tsx=off
+ - tsx_async_abort=full,nosmt
 - kvm.nx_huge_pages=force
+ - nosmt=force
+ - l1d_flush=on
+ - mmio_stale_data=full,nosmt
+ - random.trust_bootloader=off
 - random.trust_cpu=off
- - kernel.dmesg_restrict=1
- - fs.protected_fifos=2
- - fs.protected_regular=2
- - fs.protected_symlinks=1
- - fs.protected_hardlinks=1
- - net.core.bpf_jit_harden=2
- - kernel.kexec_load_disabled=1
- - kernel.kptr_restrict=2
- - vm.mmap_rnd_bits=32
- - vm.mmap_rnd_compat_bits=16
- - kernel.yama.ptrace_scope=2
- - fs.suid_dumpable=0
- - net.ipv4.tcp_rfc1337=1
- - kernel.perf_event_paranoid=3
- - kernel.randomize_va_space=2
- - net.ipv4.icmp_ignore_bogus_error_responses=1
- - net.ipv4.conf.all.log_martians=1
+ - intel_iommu=on
+ - amd_iommu=on
+ - efi=disable_early_pci_dma
+ - iommu.passthrough=0 i
+ - iommu.strict=1
+ - slab_nomerge
+ - init_on_alloc=1
+ - init_on_free=1
+ - pti=on
+ - vsyscall=none
+ - page_alloc.shuffle=1
+ - randomize_kstack_offset=on
+ - extra_latent_entropy
+ - debugfs=off
+ - sysctl.kernel.core_pattern=|/bin/false
+ - sysctl.kernel.dmesg_restrict=1
+ - sysctl.fs.protected_fifos=2
+ - sysctl.fs.protected_regular=2
+ - sysctl.fs.protected_symlinks=1
+ - sysctl.fs.protected_hardlinks=1
+ - sysctl.net.core.bpf_jit_harden=2
+ - sysctl.kernel.kexec_load_disabled=1
+ - sysctl.kernel.kptr_restrict=2
+ - sysctl.vm.mmap_rnd_bits=32
+ - sysctl.vm.mmap_rnd_compat_bits=16
+ - sysctl.kernel.yama.ptrace_scope=3
+ - sysctl.fs.suid_dumpable=0
+ - sysctl.kernel.randomize_va_space=2
+ - sysctl.net.ipv4.tcp_rfc1337=1
+ - sysctl.net.ipv4.conf.all.accept_redirects=0
+ - sysctl.net.ipv4.conf.default.accept_redirects=0
+ - sysctl.net.ipv4.conf.all.secure_redirects=0
+ - sysctl.net.ipv4.conf.default.secure_redirects=0
+ - sysctl.net.ipv6.conf.all.accept_redirects=0
+ - sysctl.net.ipv6.conf.default.accept_redirects=0
+ - sysctl.net.ipv4.conf.all.send_redirects=0
+ - sysctl.net.ipv4.conf.default.send_redirects=0
+ - sysctl.net.ipv4.icmp_echo_ignore_all=1
+ - sysctl.net.ipv6.icmp.echo_ignore_all=1
+ - sysctl.net.ipv4.icmp_ignore_bogus_error_responses=1
+ - sysctl.net.ipv4.tcp_syncookies=1
+ - sysctl.net.ipv4.conf.all.accept_source_route=0
+ - sysctl.net.ipv4.conf.default.accept_source_route=0
+ - sysctl.net.ipv6.conf.all.accept_source_route=0
+ - sysctl.net.ipv6.conf.default.accept_source_route=0
+ - sysctl.net.ipv4.conf.default.rp_filter=1
+ - sysctl.net.ipv4.conf.all.rp_filter=1
+ - sysctl.net.ipv4.tcp_timestamps=0
+ - sysctl.kernel.sysrq=132
+ - sysctl.dev.tty.ldisc_autoload=0
+ - sysctl.vm.unprivileged_userfaultfd=0
+ - sysctl.vm.swappiness=1
+ - sysctl.kernel.perf_event_paranoid=3
+ - sysctl.net.ipv6.conf.all.accept_ra=0
+ - sysctl.net.ipv6.conf.default.accept_ra=0
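Review bot: The new network block trades availability for hardening in several places that deserve a comment or a deliberate choice: `sysctl.net.ipv4.tcp_timestamps=0` removes PAWS protection against wrapped sequence numbers and degrades RTT estimation, which is a weaker position than the fingerprinting it hides, so keep it at the default unless that trade-off is intended. `sysctl.net.ipv4.icmp_echo_ignore_all=1` and `sysctl.net.ipv6.icmp.echo_ignore_all=1` make the host unpingable, so any external ping-based uptime or health monitoring of this OnlyOffice host will report it down, and `sysctl.net.ipv6.conf.all.accept_ra=0` / `...default.accept_ra=0` disable SLAAC, which presumably breaks IPv6 on a network that relies on router advertisements rather than static addressing. Strict `rp_filter=1` on `all` and `default` can also drop legitimately asymmetric traffic on a multi-homed container host, where `2` (loose) is the usual compromise. Independently of the policy choices, `iommu.passthrough=0 i` carries a stray trailing ` i` that would become a separate bare token on the command line; it should read `- iommu.passthrough=0`.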