Lock down kernel on buster

daradib · daradib · commit 68c4e0b9b79b · 2020-07-23T23:24:41.000-04:00
Disable some kernel features: module loading after boot, kexec,
Berkeley Packet Filter (BPF).

Also install cloud kernel image on VMs which removes some hardware
support. Benefits: slightly faster boot and reduced attack surface.
diff --git a/modules/ocf/manifests/packages.pp b/modules/ocf/manifests/packages.pp
@@ -11,6 +11,7 @@
   include ocf::packages::git
   include ocf::packages::grub
   include ocf::packages::helm
+  include ocf::packages::kernel
   include ocf::packages::ldapvi
   include ocf::packages::ntp
   include ocf::packages::postfix
diff --git a/modules/ocf/manifests/packages/kernel.pp b/modules/ocf/manifests/packages/kernel.pp
@@ -0,0 +1,19 @@
+class ocf::packages::kernel {
+  if $::lsbdistcodename != 'stretch' {
+    # Disable some kernel features: module loading after boot, kexec,
+    # Berkeley Packet Filter (BPF).
+    package { 'lockdown': }
+
+    if $::is_virtual {
+      # Install cloud kernel image which removes some hardware support.
+      # Benefits: slightly faster boot and reduced attack surface.
+      package{ "linux-image-cloud-${::architecture}": }
+
+      # Remove existing kernel meta-package. The actual kernel is its
+      # dependency which should be autoremoved.
+      package{ "linux-image-${::architecture}":
+        ensure => purged,
+      }
+    }
+  }
+}
