Consistency fix for comments

Signed-off-by: Tommy <contact@tommytran.io>

etc/sysctl.d/99-server.conf

@@ -3,30 +3,30 @@
 dev.tty.ldisc_autoload = 0
 
 # https://access.redhat.com/solutions/1985633
-# Seems dangerous
+# Seems dangerous.
 fs.binfmt_misc.status = 0
 
 # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace
-# Enable fs.protected sysctls
+# Enable fs.protected sysctls.
 fs.protected_regular = 2
 fs.protected_fifos = 2
 fs.protected_symlinks = 1
 fs.protected_hardlinks = 1
 
 # https://madaidans-insecurities.github.io/guides/linux-hardening.html#core-dumps
-# Disable coredumps
+# Disable coredumps.
 # For additional safety, disable coredumps using ulimit and systemd too.
 kernel.core_pattern=|/bin/false
 fs.suid_dumpable = 0
 
-# Restrict dmesg to CAP_SYS_LOG
+# Restrict dmesg to CAP_SYS_LOG.
 # https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
 kernel.dmesg_restrict = 1
 
 # https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
 # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
 # https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
-# Restrict access to /proc
+# Restrict access to /proc.
 kernel.kptr_restrict = 2
 
 # Not needed, I don't do livepatching and reboot regularly.
@@ -38,10 +38,10 @@ kernel.kexec_load_disabled = 1
 kernel.unprivileged_bpf_disabled = 1
 net.core.bpf_jit_harden = 2
 
-# Docker running as root do not require unpriv user ns, which is dangerous, so we disabe it
+# Docker running as root do not require unpriv user ns, which is dangerous, so we disabe it.
 kernel.unprivileged_userns_clone = 0
 
-# Needed for gVisor, which is used on almost all of my servers
+# Needed for gVisor, which is used on almost all of my servers.
 kernel.yama.ptrace_scope = 1
 
 # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
@@ -57,60 +57,60 @@ kernel.perf_event_paranoid = 4
 kernel_io_uring_disable = 2
 
 # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
-# Disable sysrq
+# Disable sysrq.
 kernel.sysrq = 0
 
 # https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2020-09-03/finding/V-217911
-# Not running a router here, so no redirects
+# Not running a router here, so no redirects.
 net.ipv4.conf.*.send_redirects = 0
 net.ipv4.conf.*.accept_redirects = 0
 net.ipv6.conf.*.accept_redirects = 0
 
-# Check if the source of the IP address is reachable through the same interface it came in
+# Check if the source of the IP address is reachable through the same interface it came in.
-# Basic IP spoofing mitigation
+# Basic IP spoofing mitigation.
 net.ipv4.conf.*.rp_filter = 1
 
 # Respond to ICMP
 net.ipv4.icmp_echo_ignore_all = 0
 net.ipv6.icmp.echo_ignore_all = 0
 
-# Ignore Bogus ICMP responses
+# Ignore Bogus ICMP responses.
 net.ipv4.icmp_ignore_bogus_error_responses = 1
 
-# Enable IP Forwarding
+# Enable IP Forwarding.
 # Almost all of my servers run Docker anyways, and Docker absolutely requires this.
 net.ipv4.ip_forward = 1
 net.ipv6.conf.all.forwarding = 1
 
 # https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2016-06-05/finding/V-38537
-# Ignore bogus icmp response
+# Ignore bogus icmp response.
 net.ipv4.icmp_ignore_bogus_error_responses = 1
 
-# Protection against time-wait assasination attacks
+# Protection against time-wait assasination attacks.
 net.ipv4.tcp_rfc1337 = 1
 
-# Enable SYN cookies
+# Enable SYN cookies.
-# Basic SYN flood mitigation
+# Basic SYN flood mitigation.
 net.ipv4.tcp_syncookies = 1 
 
 # https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
-# Make sure TCP timestamp is enabled
+# Make sure TCP timestamp is enabled.
 net.ipv4.tcp_timestamps = 1
 
 # https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
-# Disable TCP SACK
+# Disable TCP SACK.
 # We have good networking :)
 net.ipv4.tcp_sack = 0
 
-# No SACK, therefore no Duplicated SACK
+# No SACK, therefore no Duplicated SACK.
 net.ipv4.tcp_dsack = 0
 
-# Improve ALSR effectiveness for mmap
+# Improve ALSR effectiveness for mmap.
 vm.mmap_rnd_bits = 32
 vm.mmap_rnd_compat_bits = 16
 
 # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
-# Restrict userfaultfd to CAP_SYS_PTRACE
+# Restrict userfaultfd to CAP_SYS_PTRACE.
 # https://bugs.archlinux.org/task/62780
 # Interestingly enough, Arch does not even have userfaultfd in their kernel, so it is
 # probably not used in the real world at all.

etc/sysctl.d/99-workstation.conf

@@ -4,11 +4,11 @@ dev.tty.ldisc_autoload = 0
 
 # https://access.redhat.com/solutions/1985633
 # Seems dangerous.
-# Roseta need this though, so if you use it change it to 1
+# Roseta need this though, so if you use it change it to 1.
 fs.binfmt_misc.status = 0
 
 # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-userspace
-# Enable fs.protected sysctls
+# Enable fs.protected sysctls.
 fs.protected_regular = 2
 fs.protected_fifos = 2
 fs.protected_symlinks = 1
@@ -20,14 +20,14 @@ fs.protected_hardlinks = 1
 kernel.core_pattern=|/bin/false
 fs.suid_dumpable = 0
 
-# Restrict dmesg to CAP_SYS_LOG
+# Restrict dmesg to CAP_SYS_LOG.
 # https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
 kernel.dmesg_restrict = 1
 
 # https://www.kernel.org/doc/Documentation/sysctl/kernel.txt
 # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
 # https://kernsec.org/wiki/index.php/Bug_Classes/Kernel_pointer_leak
-# Restrict access to /proc
+# Restrict access to /proc.
 kernel.kptr_restrict = 2
 
 # Not needed, I don't do livepatching and reboot regularly.
@@ -39,7 +39,7 @@ kernel.kexec_load_disabled = 1
 kernel.unprivileged_bpf_disabled = 1
 net.core.bpf_jit_harden = 2
 
-# Needed for Flatpak and Bubblewrap
+# Needed for Flatpak and Bubblewrap.
 kernel.unprivileged_userns_clone = 1
 
 # Disable ptrace. Not needed on workstations.
@@ -56,60 +56,60 @@ kernel.perf_event_paranoid = 4
 kernel_io_uring_disable = 2
 
 # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
-# Disable sysrq
+# Disable sysrq.
 kernel.sysrq = 0
 
 # https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2020-09-03/finding/V-217911
-# Not running a router here, so no redirects
+# Not running a router here, so no redirects.
 net.ipv4.conf.*.send_redirects = 0
 net.ipv4.conf.*.accept_redirects = 0
 net.ipv6.conf.*.accept_redirects = 0
 
 # Check if the source of the IP address is reachable through the same interface it came in
-# Basic IP spoofing mitigation
+# Basic IP spoofing mitigation.
 net.ipv4.conf.*.rp_filter = 1
 
-# Do not respond to ICMP
+# Do not respond to ICMP.
 net.ipv4.icmp_echo_ignore_all = 1
 net.ipv6.icmp.echo_ignore_all = 1
 
-# Ignore Bogus ICMP responses
+# Ignore Bogus ICMP responses.
 net.ipv4.icmp_ignore_bogus_error_responses = 1
 
-# Enable IP Forwarding
+# Enable IP Forwarding.
 # Needed for VM networking and whatnot.
 net.ipv4.ip_forward = 1
 net.ipv6.conf.all.forwarding = 1
 
 # https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2016-06-05/finding/V-38537
-# Ignore bogus icmp response
+# Ignore bogus icmp response.
 net.ipv4.icmp_ignore_bogus_error_responses = 1
 
-# Protection against time-wait assasination attacks
+# Protection against time-wait assasination attacks.
 net.ipv4.tcp_rfc1337 = 1
 
-# Enable SYN cookies
+# Enable SYN cookies.
-# Basic SYN flood mitigation
+# Basic SYN flood mitigation.
 net.ipv4.tcp_syncookies = 1 
 
 # https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
-# Make sure TCP timestamp is enabled
+# Make sure TCP timestamp is enabled.
 net.ipv4.tcp_timestamps = 1
 
 # https://access.redhat.com/sites/default/files/attachments/20150325_network_performance_tuning.pdf
-# Disable TCP SACK
+# Disable TCP SACK.
 # We have good networking :)
 net.ipv4.tcp_sack = 0
 
-# No SACK, therefore no Duplicated SACK
+# No SACK, therefore no Duplicated SACK.
 net.ipv4.tcp_dsack = 0
 
-# Improve ALSR effectiveness for mmap
+# Improve ALSR effectiveness for mmap.
 vm.mmap_rnd_bits = 32
 vm.mmap_rnd_compat_bits = 16
 
 # https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl-kernel
-# Restrict userfaultfd to CAP_SYS_PTRACE
+# Restrict userfaultfd to CAP_SYS_PTRACE.
 # https://bugs.archlinux.org/task/62780
 # Interestingly enough, Arch does not even have userfaultfd in their kernel, so it is
 # probably not used in the real world at all.