# Hardening profile definition. The tool and parser that consume this file are
# not visible here.
# NOTE(review): confirm the parser accepts '#' full-line comments before merging.
# Profile identifier.
name = hardened
# Other profiles pulled in by name. Their contents are not shown in this file,
# so a setting below may duplicate or conflict with one of them (for example
# bpf-hardened alongside the BPF sysctls in [sysctl]).
# TODO confirm which side takes precedence when both set the same key.
include = perf-hardened, namespaces-hardened, kexec-hardened, kernel-alerts-hardened, line-disciplines-hardened, bpf-hardened

# Runtime kernel parameters. After applying, read each key back with
# `sysctl <key>`: a write the running kernel rejects or does not know can
# otherwise leave the host less hardened than this file suggests.
[sysctl]
# 2 = constant blinding in the BPF JIT for all users, not only unprivileged ones.
net.core.bpf_jit_harden = 2
# 1 = bpf() restricted to privileged callers. This value is one-way: it cannot
# be lowered again until reboot.
kernel.unprivileged_bpf_disabled = 1
# Kernel log readable only with CAP_SYSLOG; limits address and driver-state leaks.
kernel.dmesg_restrict = 1
# 0 = unprivileged processes cannot use userfaultfd to handle kernel-mode faults.
vm.unprivileged_userfaultfd = 0
# Lowest address a process may map; keeps the NULL page region unmappable.
vm.mmap_min_addr = 65536
# Symlinks in sticky world-writable directories are followed only when the
# link owner matches the follower or the directory owner.
fs.protected_symlinks = 1
# Hardlinks may only be created to files the caller owns or can read and write.
fs.protected_hardlinks = 1
# 2 = no O_CREAT open of another user's regular file in world-writable or
# group-writable sticky directories.
fs.protected_regular = 2
# 0 = no core dumps from setuid or otherwise privilege-changing processes.
fs.suid_dumpable = 0
# Bits of mmap base randomization. 32 is the x86_64 maximum; the accepted range
# depends on architecture and kernel config, and out-of-range writes are
# rejected, so this line can fail on other targets.
# NOTE(review): vm.mmap_rnd_compat_bits (32-bit processes) is not set in this
# section - confirm it is covered elsewhere if compat binaries are in use.
vm.mmap_rnd_bits = 32
# One-way switch: once 1, modules can be neither loaded nor unloaded until reboot.
# NOTE(review): if this is applied before every required driver or filesystem
# module is loaded, later loads fail - confirm at which point in boot the
# profile is applied.
kernel.modules_disabled = 1
# 2 = full ASLR: stack, mmap base, VDSO and heap (brk) are randomized.
kernel.randomize_va_space = 2
# 2 = io_uring instance creation is refused for every process, privileged or not.
# Needs a kernel that has this sysctl (Linux 6.6 or later); software that
# depends on io_uring must have a fallback path.
kernel.io_uring_disabled = 2
# Same rule as fs.protected_regular, applied to FIFOs.
fs.protected_fifos = 2
# 2 = kernel pointers printed with %pK are zeroed for all readers, including root.
kernel.kptr_restrict = 2

# Kernel boot parameters.
# NOTE(review): presumably each entry is emitted onto the kernel command line
# and only takes effect after the bootloader config is regenerated and the
# host is rebooted - confirm. /proc/cmdline shows what the running kernel
# actually received.
[grub]
# Writes through /proc/<pid>/mem never override mapping permissions.
# NOTE(review): only recent kernels know this parameter; on older ones it has
# no effect - confirm the target kernel version.
proc_mem.force_override = never
# Kernel default: CPU vulnerability mitigations on, SMT left enabled.
# NOTE(review): `auto,nosmt` is the stricter setting where cross-thread leaks
# are in the threat model - confirm `auto` is the intended trade-off.
mitigations = auto
# Zero-fill page and slab allocations at allocation time.
init_on_alloc = 1
# Zero-fill page and slab memory when it is freed; has a measurable
# performance cost.
init_on_free = 1
# Randomize the kernel stack offset on each syscall entry (needs arch support).
randomize_kstack_offset = 1
# Disable Intel TSX (x86 only).
tsx = off
# Force kernel page-table isolation on (x86_64).
pti = on
# debugfs is not made available at all, which also removes debugging and
# tracing interfaces that live there.
debugfs = off
# No vsyscall page (x86_64); very old binaries that still call it will crash.
vsyscall = none
# Bare flag with no value: do not merge slab caches of similar size.
# NOTE(review): relies on the parser accepting a key without '=' - confirm.
slab_nomerge
