freedomofpress / securedrop-workstation

Qubes-based SecureDrop Journalist Workstation environment for submission handling
GNU Affero General Public License v3.0
137 stars, 41 forks

sysctl configuration hardening #678

Open eloquence opened 3 years ago

eloquence commented 3 years ago

Identified as a medium finding in the December 2020 Workstation audit (TOB-SDW-025, medium severity): our kernel runtime parameters are not adequately configured.

| Parameter | Current value | Recommended value | Rationale |
|---|---|---|---|
| kernel.grsecurity.grsec_lock | 0 | 1 | Make grsecurity sysctl values immutable at runtime |
| kernel.grsecurity.deny_new_usb | 0 | 1 | If the VM does not need USB, consider setting to 1 |
| kernel.kptr_restrict | 1 | 2 | |
| fs.protected_fifos | 0 | 1 or 2 | |
| fs.protected_regular | 0 | 1 or 2 | |
| kernel.pid_max | 32768 | | Increase the limit to decrease the likelihood of a PID-reuse scenario |

They also recommend disabling BPF in the Linux kernel if it is not required by any running application.

[Based on internal issue originally filed by @emkll]
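As an added example (not code from securedrop-workstation or from the Trail of Bits audit), the following POSIX shell snippet checks sysctl values against the table above and renders a `sysctl.d` drop-in with the recommended settings. Things it assumes that the table does not state: a `kernel.pid_max` target of 4194304 (the usual ceiling on 64-bit kernels), `kernel.unprivileged_bpf_disabled = 1` as the sysctl for the BPF recommendation (it only blocks unprivileged callers; fully removing BPF is a kernel build option), and a leading `-` on the grsecurity keys so `sysctl` and `systemd-sysctl` skip them on a kernel that does not have them. The function names (`check_sysctl`, `audit_live`, `render_sysctl_conf`) are mine.

```shell
#!/bin/sh
# Added example, not part of securedrop-workstation.
# check_sysctl NAME VALUE prints ok, weak or unknown, judged against the
# recommended values in the TOB-SDW-025 table.
check_sysctl() {
  name=$1
  value=$2
  case "$name" in
    kernel.grsecurity.grsec_lock|kernel.grsecurity.deny_new_usb)
      # Recommended 1; these keys exist only on a grsecurity kernel.
      [ "$value" -eq 1 ] 2>/dev/null && echo ok || echo weak ;;
    kernel.kptr_restrict)
      # 2 hides kernel pointers (e.g. in /proc/kallsyms) even from root.
      [ "$value" -ge 2 ] 2>/dev/null && echo ok || echo weak ;;
    fs.protected_fifos|fs.protected_regular)
      # 1 or 2 both satisfy the recommendation; 2 is the stricter mode.
      [ "$value" -ge 1 ] 2>/dev/null && echo ok || echo weak ;;
    kernel.pid_max)
      # Anything above the current 32768 widens the PID space.
      [ "$value" -gt 32768 ] 2>/dev/null && echo ok || echo weak ;;
    *)
      echo unknown ;;
  esac
}

# audit_live reads the non-grsecurity keys straight from /proc/sys, so it
# works in a VM without the sysctl binary; returns 1 if any key is weak.
audit_live() {
  rc=0
  for name in kernel.kptr_restrict fs.protected_fifos fs.protected_regular kernel.pid_max; do
    path="/proc/sys/$(printf '%s' "$name" | tr . /)"
    if [ -r "$path" ]; then
      value=$(cat "$path")
      status=$(check_sysctl "$name" "$value")
    else
      value='-'
      status=absent
    fi
    printf '%-24s %-8s %s\n' "$name" "$value" "$status"
    [ "$status" = ok ] || rc=1
  done
  return "$rc"
}

# render_sysctl_conf prints a sysctl.d drop-in. Assumed values (mine, not the
# audit's): pid_max=4194304 and kernel.unprivileged_bpf_disabled=1.
# grsec_lock is written last: once it is 1, the other kernel.grsecurity.*
# values can no longer be changed at runtime.
render_sysctl_conf() {
  cat <<'EOF'
kernel.kptr_restrict = 2
fs.protected_fifos = 2
fs.protected_regular = 2
kernel.pid_max = 4194304
kernel.unprivileged_bpf_disabled = 1
# leading "-" tells sysctl to ignore these keys on a non-grsecurity kernel
-kernel.grsecurity.deny_new_usb = 1
-kernel.grsecurity.grsec_lock = 1
EOF
}
```

Usage: source the file and run `audit_live` in the VM to see which keys are still at their weak values, or `render_sysctl_conf > /etc/sysctl.d/99-hardening.conf` followed by `sysctl --system` to apply. Leave `deny_new_usb` out of the drop-in for any VM that does need USB access (in Qubes, `sys-usb`).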

eloquence commented 3 years ago

The next workstation & server kernel releases may be a good opportunity to evaluate these changes.

rocodes commented 5 months ago

backlog pruning: