Replace common sysctl conf script with /etc/sysctl.d/ overlay (/etc/sysctl.conf does not exist in trixie)

JedMeister · JedMeister · commit 371a7b79a08f · 2025-10-12T23:52:17.000Z
diff --git a/overlays/turnkey.d/sysctl-hardening/etc/sysctl.d/00-quiet-console.conf b/overlays/turnkey.d/sysctl-hardening/etc/sysctl.d/00-quiet-console.conf
@@ -1,4 +1,4 @@
-#!/bin/bash -e
+# Config provided by TurnKey
 
 # KERN_EMERG    0  system is unusable
 # KERN_ALERT    1  action must be taken immediately
@@ -11,10 +11,5 @@
 
 # suppress low-level messages on the console
 # console default_message minimum_console default_console
-sed -i "s|#kernel.printk\(.*\)|kernel.printk = 1 4 1 7|" /etc/sysctl.conf
 
-cat >> /etc/sysctl.conf << EOF
-# Disable TCP timestamps
-net.ipv4.tcp_timestamps = 0
-#
-EOF
+kernel.printk = 1 4 1 7
diff --git a/overlays/turnkey.d/sysctl-hardening/etc/sysctl.d/10-hardening-turnkey.conf b/overlays/turnkey.d/sysctl-hardening/etc/sysctl.d/10-hardening-turnkey.conf
@@ -1,21 +1,21 @@
+# System Hardening config provided by TurnKey
 #
-# /etc/sysctl.d/10-hardening.conf - Configuration file
-# for hardening system variables as recommended by Lynis.
+# hardened system variables as recommended by Lynis
+# - https://cisofy.com/lynis/
 #
-# Settings can be overridden in /etc/sysctl.conf.
-# See /etc/sysctl.d/ for additional system variables.
-# See sysctl.conf (5) for information.
+# For more info see:
+# - sysctl.conf (5) (i.e. 'man sysctl.conf')
+# - https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt
 #
-##############################################################3
+##############################################################
 # Harden kernel recommendations by Lynis
 fs.suid_dumpable = 0
 kernel.core_uses_pid = 1
 kernel.dmesg_restrict = 1
 kernel.kptr_restrict = 2
 kernel.sysrq = 0
 
-
-##############################################################3
+##############################################################
 # Functions previously found in netbase
 #
 
@@ -67,6 +67,6 @@ net.ipv6.conf.all.accept_source_route = 0
 net.ipv4.conf.all.log_martians = 1
 net.ipv4.conf.default.log_martians = 1
 #
-# Disable TCP timestamps
-net.ipv4.tcp_timestamps = 0
-#
+# Explcitly enable tcp_timestamps (should be default)
+# - kernel now adds a random offset for each connection so safe to enable
+net.ipv4.tcp_timestamps = 1
