From b9404f13ca882e381a3c1b0797b761ce7638e273 Mon Sep 17 00:00:00 2001
From: Simon Rettberg
Date: Thu, 23 May 2013 20:14:53 +0200
Subject: Remove ldap in initial nsswitch conf, will be added after udev started up Update to systemd 204 Remove some systemd services that don't make sense in our setup Add own sysctl defaults
---
 .../systemd/data/usr/lib/sysctl.d/50-default.conf | 39 ++++++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 remote/modules/systemd/data/usr/lib/sysctl.d/50-default.conf
(limited to 'remote/modules/systemd/data/usr/lib')
diff --git a/remote/modules/systemd/data/usr/lib/sysctl.d/50-default.conf b/remote/modules/systemd/data/usr/lib/sysctl.d/50-default.conf
new file mode 100644
index 00000000..6ece04ce
--- /dev/null
+++ b/remote/modules/systemd/data/usr/lib/sysctl.d/50-default.conf
@@ -0,0 +1,39 @@
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+# See sysctl.d(5) and core(5) for for details.
+
+# System Request functionality of the kernel (SYNC)
+kernel.sysrq = 1
+
+# Append the PID to the core filename
+kernel.core_uses_pid = 1
+
+# Source route verification
+net.ipv4.conf.all.rp_filter = 1
+# Do not accept source routing
+net.ipv4.conf.all.accept_source_route = 0
+# protection from the SYN flood attack
+net.ipv4.tcp_syncookies = 1
+# timestamps add a little overhead but are recommended for gbit links
+net.ipv4.tcp_timestamps = 1
+# ignore echo broadcast requests to prevent being part of smurf attacks
+net.ipv4.icmp_echo_ignore_broadcasts = 1
+# ignore bogus icmp errors
+net.ipv4.icmp_ignore_bogus_error_responses = 1
+# send redirects (not a router, disable it)
+net.ipv4.conf.all.send_redirects = 0
+# ICMP routing redirects (only secure)
+net.ipv4.conf.all.accept_redirects = 0
+net.ipv4.conf.all.secure_redirects = 1
+
+# Enable hard and soft link protection
+fs.protected_hardlinks = 1
+fs.protected_symlinks = 1
+
+# A little extra security for local exploits
+kernel.kptr_restrict = 1
--
cgit v1.2.3-55-g7522
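Review bot: `net.ipv4.conf.all.accept_redirects = 0` and `net.ipv4.conf.all.send_redirects = 0` near the end of the hunk do not by themselves disable ICMP redirects on a host with forwarding off, because for these two keys the kernel treats the setting as enabled when either the `all` or the per-interface value is true, and new interfaces take their per-interface value from `net.ipv4.conf.default.*`; the file should also set `net.ipv4.conf.default.accept_redirects = 0` and `net.ipv4.conf.default.send_redirects = 0`. `kernel.sysrq = 1` enables every SysRq function, not only the sync key that the comment "(SYNC)" suggests; if only sync is intended the bitmask value is `kernel.sysrq = 16`. The hunk sets no `net.ipv6.conf.*` counterparts, so the redirect and source-route hardening presumably does not apply to IPv6 unless it is configured elsewhere. Minor: "for for details" in the header comment is a doubled word.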