
Add charmhelpers.contrib.hardening and calls to install, config-changed, upgrade-charm and update-status hooks. Also add new config option to allow one or more hardening modules to be applied at runtime. Change-Id: Icf48829e010d35d7d7a4ccd547eae6a8c511c04e
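###############################################################################
# WARNING: This configuration file is maintained by Juju. Local changes may
# be overwritten.
###############################################################################
# /etc/modules: kernel modules to load at boot time.
#
# This file contains the names of kernel modules that should be loaded
# at boot time, one per line. Lines beginning with "#" are ignored.
# Parameters can be specified after the module name.
#
# Every module named below is requested at boot whether or not the host uses
# it. Review the list per deployment and remove entries that are not needed,
# so that unused kernel code is not kept resident.

# Arch
# ----
#
# Modules for certain builds; contains support modules and some CPU-specific
# optimizations. The arch and cpuVendor values come from the template context.
# When cpuVendor is neither "intel" nor "amd", no vendor-specific module is
# listed and only the generic kvm entry below remains.

{% if arch == "x86_64" -%}
# Optimize for x86_64 cryptographic features
twofish-x86_64-3way
twofish-x86_64
aes-x86_64
salsa20-x86_64
blowfish-x86_64
{% endif -%}

{% if cpuVendor == "intel" -%}
# Intel-specific optimizations
ghash-clmulni-intel
aesni-intel
kvm-intel
{% endif -%}

{% if cpuVendor == "amd" -%}
# AMD-specific optimizations
kvm-amd
{% endif -%}

# Generic KVM module, listed for every architecture and CPU vendor.
kvm


# Crypto
# ------

# Some core modules which comprise strong cryptography.
# Note: lzo and zlib are compression modules, not ciphers or hashes.
blowfish_common
blowfish_generic
ctr
cts
lrw
lzo
rmd160
rmd256
rmd320
serpent
sha512_generic
twofish_common
twofish_generic
xts
zlib


# Drivers
# -------

# Basics
lp
rtc
loop

# Filesystems
ext2
btrfs

{% if desktop_enable -%}
# Desktop
# Input and sound drivers; rendered only when desktop_enable is truthy.
psmouse
snd
snd_ac97_codec
snd_intel8x0
snd_page_alloc
snd_pcm
snd_timer
soundcore
usbhid
{% endif -%}

# Lib
# ---
xz


# Net
# ---

# All modules needed for netfilter rules (i.e. iptables, ebtables).
ip_tables
x_tables
iptable_filter
iptable_nat

# Targets
ipt_LOG
ipt_REJECT

# Modules
xt_connlimit
xt_tcpudp
xt_recent
xt_limit
xt_conntrack
nf_conntrack
nf_conntrack_ipv4
nf_defrag_ipv4
xt_state
nf_nat

# Addons
# NOTE(review): xt_pknock appears to ship with xtables-addons rather than the
# mainline kernel; confirm the package is installed, otherwise this entry
# fails to load at boot.
xt_pknock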