Compliance: A lot of stuff

2025-08-11 01:56:37 -04:00 · 2025-08-11 01:56:37 -04:00 · 071ae80aa7
commit 071ae80aa7
parent 21decf798b
7 changed files with 680 additions and 20 deletions
--- a/build/build-image.sh
+++ b/build/build-image.sh
@ -78,11 +78,6 @@ mkdir -p "$DISTPATH"/usr/share/halogenos
 mkdir -p "$DISTPATH"/usr/share/halogenos/keys
 mkdir -p "$DISTPATH"/usr/share/halogenos/bin
 # Fix directory locations
 for dir in bin sbin etc lib; do
    mv "$DISTPATH"/"$dir" "$DISTPATH"/usr/"$dir"
 done
 cp -r /build/include-image/* "$DISTPATH"/
 echo "IMAGE_VERSION=$VERSION" >> "$DISTPATH"/usr/lib/os-release
@ -126,19 +121,12 @@ rm "$DISTPATH"/usr/etc/gentoo-release
 rm -rf "$DISTPATH"/usr/lib/gentoo
 # Create images dir and img files
-mkdir -p /build/images
+mkdir -p /build/images/"$VERSION"
-cp "$DISTPATH"/usr/share/halogenos/release.meta /build/images/
+cp "$DISTPATH"/usr/share/halogenos/release.meta /build/images/"$VERSION"
-dd if=/dev/zero of=/build/images/usr.img bs=1 count=0 seek=2G
+mksquashfs "$DISTPATH" /build/images/"$VERSION"/sys.sfs
-mkfs.btrfs /build/images/usr.img
+SYSHASH=$(sha512sum /build/images/"$VERSION"/sys.sfs)
-dd if=/dev/zero of=/build/images/verity.img bs=1 count=0 seek=2000M 
+echo "$SYSHASH" > /build/images/"$VERSION"/sys.sfs.sha512
-# Install squashfs filesystem onto usr img
+# Build kernel UKI with syshash embedded
 mkdir -p /mnt/usr
 mount /build/images/usr.img /mnt/usr
 mksquashfs "$DISTPATH" /mnt/usr/usr.sfs
 sync /mnt/usr/usr.sfs
 umount /mnt/usr
-# Build verity
+tar -czf "$VERSION".tar.gz /build/images/"$VERSION"
 tar -czf "$VERSION".tar.gz /build/images/ 
--- a/build/include-host/etc/portage/sets/halogenos-host
+++ b/build/include-host/etc/portage/sets/halogenos-host
@ -1,5 +1,4 @@
 =dev-build/cmake-3.31.7-r1::gentoo
 app-portage/gentoolkit
 sys-apps/busybox
 sys-fs/btrfs-progs
 sys-fs/squashfs-tools
--- a/build/include-image/usr/etc/login.defs
+++ b/build/include-image/usr/etc/login.defs
@ -0,0 +1,499 @@
 #
 # /etc/login.defs - Configuration control definitions for the shadow package.
 #
 #	$Id$
 #
 #
 # Delay in seconds before being allowed another attempt after a login failure
 # Note: When PAM is used, some modules may enforce a minimum delay (e.g.
 #       pam_unix(8) enforces a 2s delay)
 #
 FAIL_DELAY		3
 #
 # Enable logging and display of /var/log/faillog login(1) failure info.
 #
 # NOTE: This setting should be configured via /etc/pam.d/ and not in this file.
 #FAILLOG_ENAB		yes
 #
 # Enable display of unknown usernames when login(1) failures are recorded.
 #
 LOG_UNKFAIL_ENAB	no
 #
 # Enable logging of successful logins
 #
 LOG_OK_LOGINS		no
 #
 # Enable logging and display of /var/log/lastlog login(1) time info.
 #
 # NOTE: This setting should be configured via /etc/pam.d/ and not in this file.
 #LASTLOG_ENAB		yes
 #
 # Limit the highest user ID number for which the lastlog entries should
 # be updated.
 #
 # No LASTLOG_UID_MAX means that there is no user ID limit for writing
 # lastlog entries.
 #
 #LASTLOG_UID_MAX
 #
 # Enable checking and display of mailbox status upon login.
 #
 # Disable if the shell startup files already check for mail
 # ("mailx -e" or equivalent).
 #
 # NOTE: This setting should be configured via /etc/pam.d/ and not in this file.
 #MAIL_CHECK_ENAB		yes
 #
 # Enable additional checks upon password changes.
 #
 # NOTE: This setting should be configured via /etc/pam.d/ and not in this file.
 #OBSCURE_CHECKS_ENAB	yes
 #
 # Enable checking of time restrictions specified in /etc/porttime.
 #
 # NOTE: This setting should be configured via /etc/pam.d/ and not in this file.
 #PORTTIME_CHECKS_ENAB	yes
 #
 # Enable setting of ulimit, umask, and niceness from passwd(5) gecos field.
 #
 # NOTE: This setting should be configured via /etc/pam.d/ and not in this file.
 #QUOTAS_ENAB		yes
 #
 # Enable "syslog" logging of su(1) activity - in addition to sulog file logging.
 # SYSLOG_SG_ENAB does the same for newgrp(1) and sg(1).
 #
 SYSLOG_SU_ENAB		yes
 SYSLOG_SG_ENAB		yes
 #
 # If defined, either full pathname of a file containing device names or
 # a ":" delimited list of device names.  Root logins will be allowed only
 # from these devices.
 #
 # NOTE: This setting should be configured via /etc/pam.d/ and not in this file.
 #CONSOLE		/etc/securetty
 # NOTE: This setting should be configured via /etc/pam.d/ and not in this file.
 #CONSOLE	console:tty01:tty02:tty03:tty04
 #
 # If defined, all su(1) activity is logged to this file.
 #
 #SULOG_FILE	/var/log/sulog
 #
 # If defined, ":" delimited list of "message of the day" files to
 # be displayed upon login.
 #
 # NOTE: This setting should be configured via /etc/pam.d/ and not in this file.
 #MOTD_FILE	/etc/motd
 # NOTE: This setting should be configured via /etc/pam.d/ and not in this file.
 #MOTD_FILE	/etc/motd:/usr/lib/news/news-motd
 #
 # If defined, this file will be output before each login(1) prompt.
 #
 #ISSUE_FILE	/etc/issue
 #
 # If defined, file which maps tty line to TERM environment parameter.
 # Each line of the file is in a format similar to "vt100  tty01".
 #
 #TTYTYPE_FILE	/etc/ttytype
 #
 # If defined, login(1) failures will be logged here in a utmp format.
 # last(1), when invoked as lastb(1), will read /var/log/btmp, so...
 #
 # NOTE: This setting should be configured via /etc/pam.d/ and not in this file.
 #FTMP_FILE	/var/log/btmp
 #
 # If defined, name of file whose presence will inhibit non-root
 # logins.  The content of this file should be a message indicating
 # why logins are inhibited.
 #
 # NOTE: This setting should be configured via /etc/pam.d/ and not in this file.
 #NOLOGINS_FILE	/etc/nologin
 #
 # If defined, the command name to display when running "su -".  For
 # example, if this is defined as "su" then ps(1) will display the
 # command as "-su".  If not defined, then ps(1) will display the
 # name of the shell actually being run, e.g. something like "-sh".
 #
 SU_NAME		su
 #
 # *REQUIRED*
 #   Directory where mailboxes reside, _or_ name of file, relative to the
 #   home directory.  If you _do_ define both, MAIL_DIR takes precedence.
 #
 MAIL_DIR	/var/spool/mail
 #MAIL_FILE	.mail
 #
 # If defined, file which inhibits all the usual chatter during the login
 # sequence.  If a full pathname, then hushed mode will be enabled if the
 # user's name or shell are found in the file.  If not a full pathname, then
 # hushed mode will be enabled if the file exists in the user's home directory.
 #
 HUSHLOGIN_FILE	.hushlogin
 #HUSHLOGIN_FILE	/etc/hushlogins
 #
 # If defined, either a TZ environment parameter spec or the
 # fully-rooted pathname of a file containing such a spec.
 #
 #ENV_TZ		TZ=CST6CDT
 #ENV_TZ		/etc/tzname
 #
 # If defined, an HZ environment parameter spec.
 #
 # for Linux/x86
 # NOTE: This setting should be configured via /etc/pam.d/ and not in this file.
 #ENV_HZ		HZ=100
 # For Linux/Alpha...
 # NOTE: This setting should be configured via /etc/pam.d/ and not in this file.
 #ENV_HZ		HZ=1024
 #
 # *REQUIRED*  The default PATH settings, for superuser and normal users.
 #
 # (they are minimal, add the rest in the shell startup files)
 ENV_SUPATH	PATH=/sbin:/bin:/usr/sbin:/usr/bin
 ENV_PATH	PATH=/bin:/usr/bin
 #
 # Terminal permissions
 #
 #	TTYGROUP	Login tty will be assigned this group ownership.
 #	TTYPERM		Login tty will be set to this permission.
 #
 # If you have a write(1) program which is "setgid" to a special group
 # which owns the terminals, define TTYGROUP as the number of such group
 # and TTYPERM as 0620.  Otherwise leave TTYGROUP commented out and
 # set TTYPERM to either 622 or 600.
 #
 TTYGROUP	tty
 TTYPERM		0600
 #
 # Login configuration initializations:
 #
 #	ERASECHAR	Terminal ERASE character ('\010' = backspace).
 #	KILLCHAR	Terminal KILL character ('\025' = CTRL/U).
 #	ULIMIT		Default "ulimit" value.
 #
 # The ERASECHAR and KILLCHAR are used only on System V machines.
 # The ULIMIT is used only if the system supports it.
 # (now it works with setrlimit too; ulimit is in 512-byte units)
 #
 # Prefix these values with "0" to get octal, "0x" to get hexadecimal.
 #
 ERASECHAR	0177
 KILLCHAR	025
 #ULIMIT		2097152
 # Default initial "umask" value used by login(1) on non-PAM enabled systems.
 # Default "umask" value for pam_umask(8) on PAM enabled systems.
 # UMASK is also used by useradd(8) and newusers(8) to set the mode for new
 # home directories if HOME_MODE is not set.
 # 022 is the default value, but 027, or even 077, could be considered
 # for increased privacy. There is no One True Answer here: each sysadmin
 # must make up their mind.
 UMASK		027
 # HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
 # home directories.
 # If HOME_MODE is not set, the value of UMASK is used to create the mode.
 #HOME_MODE	0700
 #
 # Password aging controls:
 #
 #	PASS_MAX_DAYS	Maximum number of days a password may be used.
 #	PASS_MIN_DAYS	Minimum number of days allowed between password changes.
 #	PASS_MIN_LEN	Minimum acceptable password length.
 #	PASS_WARN_AGE	Number of days warning given before a password expires.
 #
 PASS_MAX_DAYS	99999
 PASS_MIN_DAYS	0
 # NOTE: This setting should be configured via /etc/pam.d/ and not in this file.
 #PASS_MIN_LEN	5
 PASS_WARN_AGE	7
 #
 # If "yes", the user must be listed as a member of the first gid 0 group
 # in /etc/group (called "root" on most Linux systems) to be able to "su"
 # to uid 0 accounts.  If the group doesn't exist or is empty, no one
 # will be able to "su" to uid 0.
 #
 # NOTE: This setting should be configured via /etc/pam.d/ and not in this file.
 #SU_WHEEL_ONLY	no
 #
 # If compiled with cracklib support, sets the path to the dictionaries
 #
 # NOTE: This setting should be configured via /etc/pam.d/ and not in this file.
 #CRACKLIB_DICTPATH	/var/cache/cracklib/cracklib_dict
 #
 # Min/max values for automatic uid selection in useradd(8)
 #
 UID_MIN			 1000
 UID_MAX			60000
 # System accounts
 SYS_UID_MIN		  101
 SYS_UID_MAX		  999
 # Extra per user uids
 SUB_UID_MIN		   100000
 SUB_UID_MAX		600100000
 SUB_UID_COUNT		    65536
 #
 # Min/max values for automatic gid selection in groupadd(8)
 #
 GID_MIN			 1000
 GID_MAX			60000
 # System accounts
 SYS_GID_MIN		  101
 SYS_GID_MAX		  999
 # Extra per user group ids
 SUB_GID_MIN		   100000
 SUB_GID_MAX		600100000
 SUB_GID_COUNT		    65536
 #
 # Max number of login(1) retries if password is bad
 #
 LOGIN_RETRIES		5
 #
 # Max time in seconds for login(1)
 #
 LOGIN_TIMEOUT		60
 #
 # Maximum number of attempts to change password if rejected (too easy)
 #
 # NOTE: This setting should be configured via /etc/pam.d/ and not in this file.
 #PASS_CHANGE_TRIES	5
 #
 # Warn about weak passwords (but still allow them) if you are root.
 #
 # NOTE: This setting should be configured via /etc/pam.d/ and not in this file.
 #PASS_ALWAYS_WARN	yes
 #
 # Number of significant characters in the password for crypt().
 # Default is 8, don't change unless your crypt() is better.
 # Ignored if MD5_CRYPT_ENAB set to "yes".
 #
 #PASS_MAX_LEN		8
 #
 # Require password before chfn(1)/chsh(1) can make any changes.
 #
 # NOTE: This setting should be configured via /etc/pam.d/ and not in this file.
 #CHFN_AUTH		yes
 #
 # Which fields may be changed by regular users using chfn(1) - use
 # any combination of letters "frwh" (full name, room number, work
 # phone, home phone).  If not defined, no changes are allowed.
 # For backward compatibility, "yes" = "rwh" and "no" = "frwh".
 #
 CHFN_RESTRICT		rwh
 #
 # Password prompt (%s will be replaced by user name).
 #
 # XXX - it doesn't work correctly yet, for now leave it commented out
 # to use the default which is just "Password: ".
 #LOGIN_STRING		"%s's Password: "
 #
 # Only works if compiled with MD5_CRYPT defined:
 # If set to "yes", new passwords will be encrypted using the MD5-based
 # algorithm compatible with the one used by recent releases of FreeBSD.
 # It supports passwords of unlimited length and longer salt strings.
 # Set to "no" if you need to copy encrypted passwords to other systems
 # which don't understand the new algorithm.  Default is "no".
 #
 # Note: If you use PAM, it is recommended to use a value consistent with
 # the PAM modules configuration.
 #
 # This variable is deprecated. You should use ENCRYPT_METHOD instead.
 #
 #MD5_CRYPT_ENAB	no
 #
 # Only works if compiled with ENCRYPTMETHOD_SELECT defined:
 # If set to MD5, MD5-based algorithm will be used for encrypting password
 # If set to SHA256, SHA256-based algorithm will be used for encrypting password
 # If set to SHA512, SHA512-based algorithm will be used for encrypting password
 # If set to BCRYPT, BCRYPT-based algorithm will be used for encrypting password
 # If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password
 # If set to DES, DES-based algorithm will be used for encrypting password (default)
 # MD5 and DES should not be used for new hashes, see crypt(5) for recommendations.
 # Overrides the MD5_CRYPT_ENAB option
 #
 # Note: If you use PAM, it is recommended to use a value consistent with
 # the PAM modules configuration.
 #
 ENCRYPT_METHOD SHA512
 #
 # Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
 #
 # Define the number of SHA rounds.
 # With a lot of rounds, it is more difficult to brute-force the password.
 # However, more CPU resources will be needed to authenticate users if
 # this value is increased.
 #
 # If not specified, the libc will choose the default number of rounds (5000),
 # which is orders of magnitude too low for modern hardware.
 # The values must be within the 1000-999999999 range.
 # If only one of the MIN or MAX values is set, then this value will be used.
 # If MIN > MAX, the highest value will be used.
 #
 #SHA_CRYPT_MIN_ROUNDS 5000
 #SHA_CRYPT_MAX_ROUNDS 5000
 #
 # Only works if ENCRYPT_METHOD is set to BCRYPT.
 #
 # Define the number of BCRYPT rounds.
 # With a lot of rounds, it is more difficult to brute-force the password.
 # However, more CPU resources will be needed to authenticate users if
 # this value is increased.
 #
 # If not specified, 13 rounds will be attempted.
 # If only one of the MIN or MAX values is set, then this value will be used.
 # If MIN > MAX, the highest value will be used.
 #
 #BCRYPT_MIN_ROUNDS 13
 #BCRYPT_MAX_ROUNDS 13
 #
 # Only works if ENCRYPT_METHOD is set to YESCRYPT.
 #
 # Define the YESCRYPT cost factor.
 # With a higher cost factor, it is more difficult to brute-force the password.
 # However, more CPU time and more memory will be needed to authenticate users
 # if this value is increased.
 #
 # If not specified, a cost factor of 5 will be used.
 # The value must be within the 1-11 range.
 #
 #YESCRYPT_COST_FACTOR 5
 #
 # List of groups to add to the user's supplementary group set
 # when logging in from the console (as determined by the CONSOLE
 # setting).  Default is none.
 #
 # Use with caution - it is possible for users to gain permanent
 # access to these groups, even when not logged in from the console.
 # How to do it is left as an exercise for the reader...
 #
 #CONSOLE_GROUPS		floppy:audio:cdrom
 #
 # Should login be allowed if we can't cd to the home directory?
 # Default is no.
 #
 DEFAULT_HOME	yes
 #
 # The pwck(8) utility emits a warning for any system account with a home
 # directory that does not exist.  Some system accounts intentionally do
 # not have a home directory.  Such accounts may have this string as
 # their home directory in /etc/passwd to avoid a spurious warning.
 #
 NONEXISTENT	/nonexistent
 #
 # If this file exists and is readable, login environment will be
 # read from it.  Every line should be in the form name=value.
 #
 # NOTE: This setting should be configured via /etc/pam.d/ and not in this file.
 #ENVIRON_FILE	/etc/environment
 #
 # If defined, this command is run when removing a user.
 # It should remove any at/cron/print jobs etc. owned by
 # the user to be removed (passed as the first argument).
 #
 #USERDEL_CMD	/usr/sbin/userdel_local
 #
 # Enable setting of the umask group bits to be the same as owner bits
 # (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is
 # the same as gid, and username is the same as the primary group name.
 #
 # This also enables userdel(8) to remove user groups if no members exist.
 #
 USERGROUPS_ENAB yes
 #
 # If set to a non-zero number, the shadow utilities will make sure that
 # groups never have more than this number of users on one line.
 # This permits to support split groups (groups split into multiple lines,
 # with the same group ID, to avoid limitation of the line length in the
 # group file).
 #
 # 0 is the default value and disables this feature.
 #
 #MAX_MEMBERS_PER_GROUP	0
 #
 # If useradd(8) should create home directories for users by default (non
 # system users only).
 # This option is overridden with the -M or -m flags on the useradd(8)
 # command-line.
 #
 CREATE_HOME yes
 #
 # Force use shadow, even if shadow passwd & shadow group files are
 # missing.
 #
 #FORCE_SHADOW    yes
 #
 # Allow newuidmap and newgidmap when running under an alternative
 # primary group.
 #
 #GRANT_AUX_GROUP_SUBIDS yes
 #
 # Prevents an empty password field to be interpreted as "no authentication
 # required".
 # Set to "yes" to prevent for all accounts
 # Set to "superuser" to prevent for UID 0 / root (default)
 # Set to "no" to not prevent for any account (dangerous, historical default)
 PREVENT_NO_AUTH superuser
 #
 # Select the HMAC cryptography algorithm.
 # Used in pam_timestamp module to calculate the keyed-hash message
 # authentication code.
 #
 # Note: It is recommended to check hmac(3) to see the possible algorithms
 # that are available in your system.
 #
 #HMAC_CRYPTO_ALGO SHA512
--- a/build/include-image/usr/etc/modprobe.d/filesystem_blacklist.conf
+++ b/build/include-image/usr/etc/modprobe.d/filesystem_blacklist.conf
@ -0,0 +1,41 @@
 # This file is derived from recommendations made by the Center for Internet 
 # Security (CIS) Debian Linux 12 benchmark, v1.1.0.
 # 1.1.1 Configure Filesystem Kernel Modules
 # 1.1.1.1 Ensure cramfs kernel module is not available
 install cramfs /bin/false
 blacklist cramfs
 # 1.1.1.2 Ensure freexvs kernel module is not available
 install freevxfs /bin/false
 blacklist freevxfs
 # 1.1.1.3 Ensure hfs kernel module is not available
 install hfs /bin/false
 blacklist hfs
 # 1.1.1.4 Ensure hfsplus kernel module is not available
 install hfsplus /bin/false
 blacklist hfsplus
 # 1.1.1.5 Ensure jffs2 kernel module is not available
 install jffs2 /bin/false
 blacklist jffs2
 # 1.1.1.8 Ensure udf kernel module is not available
 install udf /bin/false
 blacklist udf
 # 1.1.1.10 Ensure unused filesystems kernel modules are not available
 install afs /bin/false
 blacklist afs
 install ceph /bin/false
 blacklist ceph
 install cifs /bin/false
 blacklist cifs
 install fscache /bin/false
 blacklist fscache
 install gfs2 /bin/false
 blacklist gfs2
--- a/build/include-image/usr/etc/modprobe.d/network_blacklist.conf
+++ b/build/include-image/usr/etc/modprobe.d/network_blacklist.conf
@ -0,0 +1,21 @@
 # This file is derived from recommendations made by the Center for Internet 
 # Security (CIS) Debian Linux 12 benchmark, v1.1.0.
 # 3.2 Configure Network Kernel Modules
 # 3.2.1 Ensure dccp kernel module is not available
 install dccp /bin/false
 blacklist dccp
 # 3.2.2 Ensure tipc kernel module is not available
 install ticp /bin/false
 blacklist ticp
 # 3.2.3 Ensure rds kernel module is not available
 install rds /bin/false
 blacklist rds
 # 3.2.4 Ensure sctp kernel module is not available
 install sctp /bin/false
 blacklist sctp
--- a/build/include-image/usr/etc/security/faillock.conf
+++ b/build/include-image/usr/etc/security/faillock.conf
@ -0,0 +1,62 @@
 # Configuration for locking the user after multiple failed
 # authentication attempts.
 #
 # The directory where the user files with the failure records are kept.
 # The default is /var/run/faillock.
 # dir = /var/run/faillock
 #
 # Will log the user name into the system log if the user is not found.
 # Enabled if option is present.
 # audit
 #
 # Don't print informative messages.
 # Enabled if option is present.
 # silent
 #
 # Don't log informative messages via syslog.
 # Enabled if option is present.
 # no_log_info
 #
 # Only track failed user authentications attempts for local users
 # in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users.
 # The `faillock` command will also no longer track user failed
 # authentication attempts. Enabling this option will prevent a
 # double-lockout scenario where a user is locked out locally and
 # in the centralized mechanism.
 # Enabled if option is present.
 # local_users_only
 #
 # Deny access if the number of consecutive authentication failures
 # for this user during the recent interval exceeds n tries.
 # The default is 3.
 # deny = 3
 #
 # The length of the interval during which the consecutive
 # authentication failures must happen for the user account
 # lock out is <replaceable>n</replaceable> seconds.
 # The default is 900 (15 minutes).
 # fail_interval = 900
 #
 # The access will be re-enabled after n seconds after the lock out.
 # The value 0 has the same meaning as value `never` - the access
 # will not be re-enabled without resetting the faillock
 # entries by the `faillock` command.
 # The default is 600 (10 minutes).
 unlock_time = 900
 #
 # Root account can become locked as well as regular accounts.
 # Enabled if option is present.
 even_deny_root
 #
 # This option implies the `even_deny_root` option.
 # Allow access after n seconds to root account after the
 # account is locked. In case the option is not specified
 # the value is the same as of the `unlock_time` option.
 root_unlock_time = 0
 #
 # If a group name is specified with this option, members
 # of the group will be handled by this module the same as
 # the root account (the options `even_deny_root>` and
 # `root_unlock_time` will apply to them.
 # By default, the option is not set.
 # admin_group = <admin_group_name>
--- a/build/include-image/usr/etc/sysctl.d/network.conf
+++ b/build/include-image/usr/etc/sysctl.d/network.conf
@ -0,0 +1,50 @@
 # This file is derived from recommendations made by the Center for Internet 
 # Security (CIS) Debian Linux 12 benchmark, v1.1.0.
 # 3.3 Configure Network Kernel Parameters
 # 3.3.1 Ensure ip forwarding is disabled
 net.ipv4.ip_forward = 0
 net.ipv6.conf.all.forward = 0
 # 3.3.3 Ensure packet redirect sending is disabled
 net.ipv4.conf.all.send_redirects = 0
 net.ipv4.conf.default.send_redirects = 0
 # 3.3.3 Ensure bogus icmp responses are ignored
 net.ipv4.icmp_ignore_bogus_error_responses = 1
 # 3.3.4 Ensure broadcast icmp requests are ignored
 net.ipv4.icmp_echo_ignore_broadcasts = 1
 # 3.3.5 Ensure icmp redirects are not accepted
 net.ipv4.conf.all.accept_redirects = 0
 net.ipv4.conf.default.accept_redirects = 0
 net.ipv6.conf.all.accept_redirects = 0
 net.ipv6.conf.default.accept_redirects = 0
 # 3.3.6 Ensure secure icmp redirects are not accepted
 net.ipv4.conf.all.secure_redirects = 0
 net.ipv4.conf.default.secure_redirects = 0
 # 3.3.7 Ensure reverse path filtering is enabled
 net.ipv4.conf.all.rp_filter = 1
 net.ipv4.conf.default.rp_filter = 1
 # 3.3.8 Ensure source routed packets are not accepted
 net.ipv4.conf.all.accept_source_route = 0
 net.ipv4.conf.default.accept_source_route = 0
 net.ipv6.conf.all.accept_source_route = 0
 net.ipv6.conf.default.accept_source_route = 0
 # 3.3.9 Ensure suspicious packets are logged
 net.ipv4.conf.all.log_martians = 1
 net.ipv4.conf.default.log_martians = 1
 # 3.3.10 Ensure tcp syn cookies is enabled
 net.ipv4.tcp_syncookies = 1
 # 3.3.11 Ensure ipv6 router advertisements are not accepted
 net.ipv6.conf.all.accept_ra = 0
 net.ipv6.conf.default.accept_ra = 0