Apply more kernel hardening
At the moment we have a hardening role which applies a few things; this can be extended with:
- Set lockdown in kernel command line (requires setting GRUB_CMDLINE_LINUX_DEFAULT="rootflags=compress=lzo,lsm=lockdown,yama" in /etc/default/grub)
- Set module.sig_enforce=1 for boxes (verify that no machines use external modules like virtualbox)
- Set net.core.bpf_jit_harden=2 (any impact for us, @anthraxx?)
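
A read-only check that a host could run once the three settings above are applied, added here as an example and not part of the original issue or the project's hardening role: it reads the running kernel's lockdown mode, `sig_enforce` and `bpf_jit_harden`, and lists loaded modules tainted as out-of-tree or unsigned. The function names and the `ROOT` prefix are assumptions made for this example, as is accepting either `integrity` or `confidentiality` as a passing lockdown mode.

```shell
#!/bin/sh
# Read-only audit of the three settings from the issue (added example).
# ROOT is a hypothetical prefix so the checks can run against a copied or
# constructed /proc and /sys tree; leave it empty on a live machine.
ROOT="${ROOT:-}"

# Active lockdown mode is the bracketed word: "none [integrity] confidentiality".
lockdown_mode() {
    f="$ROOT/sys/kernel/security/lockdown"
    [ -r "$f" ] || { echo "unavailable"; return 0; }
    sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$f"
}

# "Y" once module.sig_enforce=1 is in effect, "N" otherwise.
sig_enforce() {
    f="$ROOT/sys/module/module/parameters/sig_enforce"
    [ -r "$f" ] && cat "$f" || echo "unavailable"
}

# 2 = JIT hardening for all users, 1 = unprivileged users only, 0 = off.
bpf_jit_harden() {
    f="$ROOT/proc/sys/net/core/bpf_jit_harden"
    [ -r "$f" ] && cat "$f" || echo "unavailable"
}

# Loaded modules whose taint field (last column of /proc/modules) contains
# O (out-of-tree) or E (unsigned): review these before enforcing signatures.
external_modules() {
    f="$ROOT/proc/modules"
    [ -r "$f" ] || return 0
    awk '$NF ~ /^\(.*[OE].*\)$/ { print $1 }' "$f"
}

# Prints one line per finding; returns non-zero if anything needs attention.
audit() {
    rc=0
    mode=$(lockdown_mode); sig=$(sig_enforce); jit=$(bpf_jit_harden); ext=$(external_modules)
    case "$mode" in integrity|confidentiality) ;; *) echo "FAIL lockdown=$mode"; rc=1 ;; esac
    [ "$sig" = "Y" ] || { echo "FAIL sig_enforce=$sig"; rc=1; }
    [ "$jit" = "2" ] || { echo "FAIL bpf_jit_harden=$jit"; rc=1; }
    [ -z "$ext" ] || { echo "REVIEW out-of-tree/unsigned modules:" $ext; rc=1; }
    return $rc
}

if [ "${1:-}" = "--audit" ]; then audit; fi
```

Run with `--audit` on the host; the exit status is non-zero when any setting is missing or a module needs review.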