
Fix Kargs

Signed-off-by: Tommy <contact@tommytran.io>
Tommy 2022-09-04 22:51:57 -04:00
parent a3491e4774
commit 2ce2af2b83
No known key found for this signature in database
GPG Key ID: 060B29EB996BD9F2
4 changed files with 261 additions and 68 deletions


@ -136,22 +136,70 @@ storage:
target: /dev/null
kernel_arguments:
should_exist:
- spectre_v2=on
- spec_store_bypass_disable=on
- l1tf=full,force
- mds=full,nosmt
- tsx=off
- tsx_async_abort=full,nosmt
- kvm.nx_huge_pages=force
- nosmt=force
- l1d_flush=on
- mmio_stale_data=full,nosmt
- random.trust_bootloader=off
- random.trust_cpu=off
- kernel.dmesg_restrict=1
- fs.protected_fifos=2
- fs.protected_regular=2
- fs.protected_symlinks=1
- fs.protected_hardlinks=1
- net.core.bpf_jit_harden=2
- kernel.kexec_load_disabled=1
- kernel.kptr_restrict=2
- vm.mmap_rnd_bits=32
- vm.mmap_rnd_compat_bits=16
- kernel.yama.ptrace_scope=2
- fs.suid_dumpable=0
- net.ipv4.tcp_rfc1337=1
- kernel.perf_event_paranoid=3
- kernel.randomize_va_space=2
- net.ipv4.icmp_ignore_bogus_error_responses=1
- net.ipv4.conf.all.log_martians=1
- intel_iommu=on
- amd_iommu=on
- efi=disable_early_pci_dma
- iommu.passthrough=0 i
- iommu.strict=1
- slab_nomerge
- init_on_alloc=1
- init_on_free=1
- pti=on
- vsyscall=none
- page_alloc.shuffle=1
- randomize_kstack_offset=on
- extra_latent_entropy
- debugfs=off
- sysctl.kernel.core_pattern=|/bin/false
- sysctl.kernel.dmesg_restrict=1
- sysctl.fs.protected_fifos=2
- sysctl.fs.protected_regular=2
- sysctl.fs.protected_symlinks=1
- sysctl.fs.protected_hardlinks=1
- sysctl.net.core.bpf_jit_harden=2
- sysctl.kernel.kexec_load_disabled=1
- sysctl.kernel.kptr_restrict=2
- sysctl.vm.mmap_rnd_bits=32
- sysctl.vm.mmap_rnd_compat_bits=16
- sysctl.kernel.yama.ptrace_scope=3
- sysctl.fs.suid_dumpable=0
- sysctl.kernel.randomize_va_space=2
- sysctl.net.ipv4.tcp_rfc1337=1
- sysctl.net.ipv4.conf.all.accept_redirects=0
- sysctl.net.ipv4.conf.default.accept_redirects=0
- sysctl.net.ipv4.conf.all.secure_redirects=0
- sysctl.net.ipv4.conf.default.secure_redirects=0
- sysctl.net.ipv6.conf.all.accept_redirects=0
- sysctl.net.ipv6.conf.default.accept_redirects=0
- sysctl.net.ipv4.conf.all.send_redirects=0
- sysctl.net.ipv4.conf.default.send_redirects=0
- sysctl.net.ipv4.icmp_echo_ignore_all=1
- sysctl.net.ipv6.icmp.echo_ignore_all=1
- sysctl.net.ipv4.icmp_ignore_bogus_error_responses=1
- sysctl.net.ipv4.tcp_syncookies=1
- sysctl.net.ipv4.conf.all.accept_source_route=0
- sysctl.net.ipv4.conf.default.accept_source_route=0
- sysctl.net.ipv6.conf.all.accept_source_route=0
- sysctl.net.ipv6.conf.default.accept_source_route=0
- sysctl.net.ipv4.conf.default.rp_filter=1
- sysctl.net.ipv4.conf.all.rp_filter=1
- sysctl.net.ipv4.tcp_timestamps=0
- sysctl.kernel.sysrq=132
- sysctl.dev.tty.ldisc_autoload=0
- sysctl.vm.unprivileged_userfaultfd=0
- sysctl.vm.swappiness=1
- sysctl.kernel.perf_event_paranoid=3
- sysctl.net.ipv6.conf.all.accept_ra=0
- sysctl.net.ipv6.conf.default.accept_ra=0
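Review bot: The entry `- iommu.passthrough=0 i` on the new side carries a stray trailing ` i`, which the kernel will receive as a separate, meaningless command-line token; it should read `- iommu.passthrough=0`. The same line appears in the other three file sections of this commit (the hunks at -154, -156 and -155), so the fix applies to each of them. Separately, the move from the bare `kernel.yama.ptrace_scope=2` to `sysctl.kernel.yama.ptrace_scope=3` also raises the value, and Yama documents scope 3 as one that cannot be lowered again without a reboot, so a short comment in the config stating that this is intentional would help the next reader. The file names are not visible on this page, so I am assuming the four sections are the same `kernel_arguments` block in parallel Butane configs.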


@ -154,22 +154,71 @@ storage:
target: /dev/null
kernel_arguments:
should_exist:
- spectre_v2=on
- spec_store_bypass_disable=on
- l1tf=full,force
- mds=full,nosmt
- tsx=off
- tsx_async_abort=full,nosmt
- kvm.nx_huge_pages=force
- nosmt=force
- l1d_flush=on
- mmio_stale_data=full,nosmt
- random.trust_bootloader=off
- random.trust_cpu=off
- kernel.dmesg_restrict=1
- fs.protected_fifos=2
- fs.protected_regular=2
- fs.protected_symlinks=1
- fs.protected_hardlinks=1
- net.core.bpf_jit_harden=2
- kernel.kexec_load_disabled=1
- kernel.kptr_restrict=2
- vm.mmap_rnd_bits=32
- vm.mmap_rnd_compat_bits=16
- kernel.yama.ptrace_scope=2
- fs.suid_dumpable=0
- net.ipv4.tcp_rfc1337=1
- kernel.perf_event_paranoid=3
- kernel.randomize_va_space=2
- net.ipv4.icmp_ignore_bogus_error_responses=1
- net.ipv4.conf.all.log_martians=1
- intel_iommu=on
- amd_iommu=on
- efi=disable_early_pci_dma
- iommu.passthrough=0 i
- iommu.strict=1
- slab_nomerge
- init_on_alloc=1
- init_on_free=1
- pti=on
- vsyscall=none
- page_alloc.shuffle=1
- randomize_kstack_offset=on
- extra_latent_entropy
- debugfs=off
- sysctl.kernel.core_pattern=|/bin/false
- sysctl.kernel.dmesg_restrict=1
- sysctl.fs.protected_fifos=2
- sysctl.fs.protected_regular=2
- sysctl.fs.protected_symlinks=1
- sysctl.fs.protected_hardlinks=1
- sysctl.net.core.bpf_jit_harden=2
- sysctl.kernel.kexec_load_disabled=1
- sysctl.kernel.kptr_restrict=2
- sysctl.vm.mmap_rnd_bits=32
- sysctl.vm.mmap_rnd_compat_bits=16
- sysctl.kernel.yama.ptrace_scope=3
- sysctl.fs.suid_dumpable=0
- sysctl.kernel.randomize_va_space=2
- sysctl.net.ipv4.tcp_rfc1337=1
- sysctl.net.ipv4.conf.all.accept_redirects=0
- sysctl.net.ipv4.conf.default.accept_redirects=0
- sysctl.net.ipv4.conf.all.secure_redirects=0
- sysctl.net.ipv4.conf.default.secure_redirects=0
- sysctl.net.ipv6.conf.all.accept_redirects=0
- sysctl.net.ipv6.conf.default.accept_redirects=0
- sysctl.net.ipv4.conf.all.send_redirects=0
- sysctl.net.ipv4.conf.default.send_redirects=0
- sysctl.net.ipv4.icmp_echo_ignore_all=1
- sysctl.net.ipv6.icmp.echo_ignore_all=1
- sysctl.net.ipv4.icmp_ignore_bogus_error_responses=1
- sysctl.net.ipv4.tcp_syncookies=1
- sysctl.net.ipv4.conf.all.accept_source_route=0
- sysctl.net.ipv4.conf.default.accept_source_route=0
- sysctl.net.ipv6.conf.all.accept_source_route=0
- sysctl.net.ipv6.conf.default.accept_source_route=0
- sysctl.net.ipv4.conf.default.rp_filter=1
- sysctl.net.ipv4.conf.all.rp_filter=1
- sysctl.net.ipv4.tcp_timestamps=0
- sysctl.kernel.sysrq=132
- sysctl.dev.tty.ldisc_autoload=0
- sysctl.vm.unprivileged_userfaultfd=0
- sysctl.vm.swappiness=1
- sysctl.kernel.perf_event_paranoid=3
- sysctl.net.ipv6.conf.all.accept_ra=0
- sysctl.net.ipv6.conf.default.accept_ra=0


@ -156,22 +156,70 @@ storage:
target: /dev/null
kernel_arguments:
should_exist:
- spectre_v2=on
- spec_store_bypass_disable=on
- l1tf=full,force
- mds=full,nosmt
- tsx=off
- tsx_async_abort=full,nosmt
- kvm.nx_huge_pages=force
- nosmt=force
- l1d_flush=on
- mmio_stale_data=full,nosmt
- random.trust_bootloader=off
- random.trust_cpu=off
- kernel.dmesg_restrict=1
- fs.protected_fifos=2
- fs.protected_regular=2
- fs.protected_symlinks=1
- fs.protected_hardlinks=1
- net.core.bpf_jit_harden=2
- kernel.kexec_load_disabled=1
- kernel.kptr_restrict=2
- vm.mmap_rnd_bits=32
- vm.mmap_rnd_compat_bits=16
- kernel.yama.ptrace_scope=2
- fs.suid_dumpable=0
- net.ipv4.tcp_rfc1337=1
- kernel.perf_event_paranoid=3
- kernel.randomize_va_space=2
- net.ipv4.icmp_ignore_bogus_error_responses=1
- net.ipv4.conf.all.log_martians=1
- intel_iommu=on
- amd_iommu=on
- efi=disable_early_pci_dma
- iommu.passthrough=0 i
- iommu.strict=1
- slab_nomerge
- init_on_alloc=1
- init_on_free=1
- pti=on
- vsyscall=none
- page_alloc.shuffle=1
- randomize_kstack_offset=on
- extra_latent_entropy
- debugfs=off
- sysctl.kernel.core_pattern=|/bin/false
- sysctl.kernel.dmesg_restrict=1
- sysctl.fs.protected_fifos=2
- sysctl.fs.protected_regular=2
- sysctl.fs.protected_symlinks=1
- sysctl.fs.protected_hardlinks=1
- sysctl.net.core.bpf_jit_harden=2
- sysctl.kernel.kexec_load_disabled=1
- sysctl.kernel.kptr_restrict=2
- sysctl.vm.mmap_rnd_bits=32
- sysctl.vm.mmap_rnd_compat_bits=16
- sysctl.kernel.yama.ptrace_scope=3
- sysctl.fs.suid_dumpable=0
- sysctl.kernel.randomize_va_space=2
- sysctl.net.ipv4.tcp_rfc1337=1
- sysctl.net.ipv4.conf.all.accept_redirects=0
- sysctl.net.ipv4.conf.default.accept_redirects=0
- sysctl.net.ipv4.conf.all.secure_redirects=0
- sysctl.net.ipv4.conf.default.secure_redirects=0
- sysctl.net.ipv6.conf.all.accept_redirects=0
- sysctl.net.ipv6.conf.default.accept_redirects=0
- sysctl.net.ipv4.conf.all.send_redirects=0
- sysctl.net.ipv4.conf.default.send_redirects=0
- sysctl.net.ipv4.icmp_echo_ignore_all=1
- sysctl.net.ipv6.icmp.echo_ignore_all=1
- sysctl.net.ipv4.icmp_ignore_bogus_error_responses=1
- sysctl.net.ipv4.tcp_syncookies=1
- sysctl.net.ipv4.conf.all.accept_source_route=0
- sysctl.net.ipv4.conf.default.accept_source_route=0
- sysctl.net.ipv6.conf.all.accept_source_route=0
- sysctl.net.ipv6.conf.default.accept_source_route=0
- sysctl.net.ipv4.conf.default.rp_filter=1
- sysctl.net.ipv4.conf.all.rp_filter=1
- sysctl.net.ipv4.tcp_timestamps=0
- sysctl.kernel.sysrq=132
- sysctl.dev.tty.ldisc_autoload=0
- sysctl.vm.unprivileged_userfaultfd=0
- sysctl.vm.swappiness=1
- sysctl.kernel.perf_event_paranoid=3
- sysctl.net.ipv6.conf.all.accept_ra=0
- sysctl.net.ipv6.conf.default.accept_ra=0


@ -155,22 +155,70 @@ storage:
target: /dev/null
kernel_arguments:
should_exist:
- spectre_v2=on
- spec_store_bypass_disable=on
- l1tf=full,force
- mds=full,nosmt
- tsx=off
- tsx_async_abort=full,nosmt
- kvm.nx_huge_pages=force
- nosmt=force
- l1d_flush=on
- mmio_stale_data=full,nosmt
- random.trust_bootloader=off
- random.trust_cpu=off
- kernel.dmesg_restrict=1
- fs.protected_fifos=2
- fs.protected_regular=2
- fs.protected_symlinks=1
- fs.protected_hardlinks=1
- net.core.bpf_jit_harden=2
- kernel.kexec_load_disabled=1
- kernel.kptr_restrict=2
- vm.mmap_rnd_bits=32
- vm.mmap_rnd_compat_bits=16
- kernel.yama.ptrace_scope=2
- fs.suid_dumpable=0
- net.ipv4.tcp_rfc1337=1
- kernel.perf_event_paranoid=3
- kernel.randomize_va_space=2
- net.ipv4.icmp_ignore_bogus_error_responses=1
- net.ipv4.conf.all.log_martians=1
- intel_iommu=on
- amd_iommu=on
- efi=disable_early_pci_dma
- iommu.passthrough=0 i
- iommu.strict=1
- slab_nomerge
- init_on_alloc=1
- init_on_free=1
- pti=on
- vsyscall=none
- page_alloc.shuffle=1
- randomize_kstack_offset=on
- extra_latent_entropy
- debugfs=off
- sysctl.kernel.core_pattern=|/bin/false
- sysctl.kernel.dmesg_restrict=1
- sysctl.fs.protected_fifos=2
- sysctl.fs.protected_regular=2
- sysctl.fs.protected_symlinks=1
- sysctl.fs.protected_hardlinks=1
- sysctl.net.core.bpf_jit_harden=2
- sysctl.kernel.kexec_load_disabled=1
- sysctl.kernel.kptr_restrict=2
- sysctl.vm.mmap_rnd_bits=32
- sysctl.vm.mmap_rnd_compat_bits=16
- sysctl.kernel.yama.ptrace_scope=3
- sysctl.fs.suid_dumpable=0
- sysctl.kernel.randomize_va_space=2
- sysctl.net.ipv4.tcp_rfc1337=1
- sysctl.net.ipv4.conf.all.accept_redirects=0
- sysctl.net.ipv4.conf.default.accept_redirects=0
- sysctl.net.ipv4.conf.all.secure_redirects=0
- sysctl.net.ipv4.conf.default.secure_redirects=0
- sysctl.net.ipv6.conf.all.accept_redirects=0
- sysctl.net.ipv6.conf.default.accept_redirects=0
- sysctl.net.ipv4.conf.all.send_redirects=0
- sysctl.net.ipv4.conf.default.send_redirects=0
- sysctl.net.ipv4.icmp_echo_ignore_all=1
- sysctl.net.ipv6.icmp.echo_ignore_all=1
- sysctl.net.ipv4.icmp_ignore_bogus_error_responses=1
- sysctl.net.ipv4.tcp_syncookies=1
- sysctl.net.ipv4.conf.all.accept_source_route=0
- sysctl.net.ipv4.conf.default.accept_source_route=0
- sysctl.net.ipv6.conf.all.accept_source_route=0
- sysctl.net.ipv6.conf.default.accept_source_route=0
- sysctl.net.ipv4.conf.default.rp_filter=1
- sysctl.net.ipv4.conf.all.rp_filter=1
- sysctl.net.ipv4.tcp_timestamps=0
- sysctl.kernel.sysrq=132
- sysctl.dev.tty.ldisc_autoload=0
- sysctl.vm.unprivileged_userfaultfd=0
- sysctl.vm.swappiness=1
- sysctl.kernel.perf_event_paranoid=3
- sysctl.net.ipv6.conf.all.accept_ra=0
- sysctl.net.ipv6.conf.default.accept_ra=0