## AL2 defaults ## # Wait 10 seconds and then reboot kernel.panic = 10 # Controls the kernel's behaviour when an oops or BUG is encountered kernel.panic_on_oops = 1 # Allow neighbor cache entries to expire even when the cache is not full net.ipv4.neigh.default.gc_thresh1 = 0 net.ipv6.neigh.default.gc_thresh1 = 0 # Avoid neighbor table contention in large subnets net.ipv4.neigh.default.gc_thresh2 = 15360 net.ipv6.neigh.default.gc_thresh2 = 15360 net.ipv4.neigh.default.gc_thresh3 = 16384 net.ipv6.neigh.default.gc_thresh3 = 16384 # Increasing to account for skb structure growth since the 3.4.x kernel series net.ipv4.tcp_wmem = 4096 20480 4194304 # Bumped the default TTL to 255 (maximum) net.ipv4.ip_default_ttl = 255 ## Bottlerocket settings ## # Enable IPv4 forwarding for container networking. net.ipv4.conf.all.forwarding = 1 # Enable IPv6 forwarding for container networking. net.ipv6.conf.all.forwarding = 1 # This is generally considered a safe ephemeral port range net.ipv4.ip_local_port_range = 32768 60999 # Connection tracking to prevent dropped connections net.netfilter.nf_conntrack_max = 1048576 net.netfilter.nf_conntrack_generic_timeout = 120 # Enable loose mode for reverse path filter net.ipv4.conf.lo.rp_filter = 2 ## Kernel hardening settings ## Settings & descriptions sourced from the KSPP wiki, see ## https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings#sysctls # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). kernel.kptr_restrict = 1 # Avoid kernel memory address exposures via dmesg. kernel.dmesg_restrict = 1 # Avoid non-ancestor ptrace access to running processes and their credentials. kernel.yama.ptrace_scope = 1 # Disable User Namespaces, as it opens up a large attack surface to unprivileged users. user.max_user_namespaces = 0 # Turn off unprivileged eBPF access. kernel.unprivileged_bpf_disabled = 1 # Turn on BPF JIT hardening, if the JIT is enabled. net.core.bpf_jit_harden = 2 # Increase inotify limits to allow for a greater number of containers fs.inotify.max_user_instances = 8192 fs.inotify.max_user_watches = 524288 # Increase virtual memory to allow for larger workloads vm.max_map_count = 524288