review secureblue sysctl

[adrelanos]

• https://github.com/secureblue/secureblue/blob/live/files/system/etc/sysctl.d/hardening.conf
• https://github.com/secureblue/secureblue/blob/a6b58f042b0e9e9036a6d68a5b202eed96a1a892/files/system/etc/sysctl.d/hardening.conf

[raja-grewal]

They do not include any settings that are not already included in our settings, however, they do enable certain settings that we for a variety of reasons keep disabled.

The discrepancies are:

1. net.ipv6.conf.*.use_tempaddr=2: We keep the IPv6 privacy extensions disabled due to breakages.
2. net.ipv4.conf.*.log_martians=1: We keep the logging of these packets optional.
3. fs.binfmt_misc.status=0: We keep this enabled due to current file/folder permissions issue.

Furthermore, we can also review their kernel arguments:

• https://github.com/secureblue/secureblue/blob/live/files/justfiles/kargs.just
• https://github.com/secureblue/secureblue/blob/7315361e537327d3a11b73e367b713275e80077e/files/justfiles/kargs.just
• https://github.com/secureblue/secureblue/blob/live/docs/KARGS.md
• https://github.com/secureblue/secureblue/blob/7315361e537327d3a11b73e367b713275e80077e/docs/KARGS.md

Across all these there are only minor explainable discrepancies:

1. lockdown=confidentiality and module.sig_enforce=1: We do not enable these due to compatibility issues.
2. ia32_emulation=0: We can not currently enable this as it is only applicable when using Linux kernel >= 6.7.
3. kvm-intel.vmentry_l1d_flush=always: We do not include this, however according kernel docs, this parameter is redundant if using l1tf=full,force (which we enable by default).