added recommendations from ANSSI (perf subsystem + vm low addr mapping)

> https://www.ssi.gouv.fr/uploads/2016/01/linux_configuration-fr-v1.2.pdf#section.6.2
2025-12-18 02:06:37 +00:00 · 2021-06-06 14:08:57 +02:00 · 2021-06-06 14:08:57 +02:00 · 4eba426270
commit 4eba426270
parent f426457a6b
1 changed files with 8 additions and 0 deletions
--- a/sysctl.conf
+++ b/sysctl.conf
@ -63,6 +63,11 @@ kernel.pid_max = 4194304
 # reboot machine after kernel panic
 #kernel.panic = 10

+# restrict perf subsystem usage
+kernel.perf_event_paranoid = 2
+kernel.perf_event_max_sample_rate = 1
+kernel.perf_cpu_time_max_percent = 1
+
 ########## File System ##########

 # disallow core dumping by SUID/SGID programs
@ -101,6 +106,9 @@ fs.inotify.max_user_watches = 524288

 ########## Virtualization ##########

+# do not allow mmap in lower addresses
+vm.mmap_min_addr = 65536
+
 # improve mmap ASLR effectness
 vm.mmap_rnd_bits=32
 vm.mmap_rnd_compat_bits=16