# set mmap_min_addr to 4096 to mitigate
# Linux NULL-pointer dereference exploits
- site::sysctl { 'mmap_min_addr':
+ base::sysctl { 'mmap_min_addr':
ensure => absent
}
- site::sysctl { 'perf_event_paranoid':
+ base::sysctl { 'perf_event_paranoid':
key => 'kernel.perf_event_paranoid',
value => '2',
}
- site::sysctl { 'puppet-vfs_cache_pressure':
+ base::sysctl { 'puppet-vfs_cache_pressure':
key => 'vm.vfs_cache_pressure',
value => '10',
}
# https://www.decadent.org.uk/ben/blog/bpf-security-issues-in-debian.html
- site::sysctl { 'unprivileged_bpf_disabled':
+ base::sysctl { 'unprivileged_bpf_disabled':
key => 'kernel.unprivileged_bpf_disabled',
value => '1',
}
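Review bot: The comment above the first resource says mmap_min_addr is set to 4096, but the resource it describes is declared with `ensure => absent`, which presumably removes the managed setting rather than setting it. If so, the effective value is whatever the kernel or distribution default is, and the comment should say that, for example `# mmap_min_addr is no longer managed here; the kernel/distribution default applies`. That resource also passes no `key`, unlike the other three. It is worth confirming that base::sysctl handles a title-only `ensure => absent` the same way site::sysctl did, because the definition of base::sysctl is not visible in this diff.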