I understand this may be out of the scope of cerowrt right now since we're trying to get closer to a stable release and its primary focus is on reducing buffer bloat, but as we get closer to a distribution I do have some security suggestions for consideration in the future.
sysctl.conf network hardening:
Source address verification to protect against IP spoofing:
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1
Enable RFC 1337 to protect against time-wait assassination hazards:
net.ipv4.tcp_rfc1337 = 1
I think only Linux hosts seem to support this so far, but since it's part of the RFC standard I don't see why this shouldn't be enabled by default. More information:
http://tools.ietf.org/html/rfc1337
Other information: "This boolean enables a fix for 'time-wait assassination hazards in tcp', described in RFC 1337. If enabled, this causes the kernel to drop RST packets for sockets in the time-wait state. Default: 0"
net.ipv6.conf.all.use_tempaddr = 2
net.ipv6.conf.default.use_tempaddr = 2
TLDR version: "IPv6 typically uses a device's MAC address when choosing an IPv6 address to use in autoconfiguration. Privacy extensions allow using a randomly generated IPv6 address, which increases privacy"
Ubuntu enables this by default (and probably other distros too).
Symlink Protection:
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
"A long-standing class of security issues is the symlink-based ToCToU race, most commonly seen in world-writable directories like /tmp/. The common method of exploitation of this flaw is crossing privilege boundaries when following a given symlink (i.e. a root user follows a symlink belonging to another user)."
Not entirely sure how this would affect cerowrt, or if it's even important at all with our current filesystem layout, but worth looking into.
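
An added example, not part of the original post: a POSIX shell check that reads a sysctl.conf-style file and reports which of the settings listed above are missing or set to a different value, accepting both the `key=value` and `key = value` spellings used in the post. The names `WANTED`, `conf_value` and `audit_conf` and the sample file contents are constructed for illustration.

```shell
# Settings proposed in the post, normalised to key=value (one per line).
WANTED='net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.tcp_rfc1337=1
net.ipv6.conf.all.use_tempaddr=2
net.ipv6.conf.default.use_tempaddr=2
fs.protected_hardlinks=1
fs.protected_symlinks=1'

# conf_value FILE KEY: print the last value assigned to KEY in FILE.
# Lines are applied in order, so a later assignment overrides an earlier one.
conf_value() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        {
            eq = index($0, "=")
            if (eq == 0) next                       # not an assignment
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)          # trim key
            gsub(/^[ \t]+|[ \t]+$/, "", v)          # trim value
            if (k == key) { val = v; found = 1 }
        }
        END { if (found) print val; else exit 1 }
    ' "$1"
}

# audit_conf FILE: one report line per setting; returns 1 if any is missing or differs.
audit_conf() {
    rc=0
    for pair in $WANTED; do
        key=${pair%%=*}; want=${pair#*=}
        if have=$(conf_value "$1" "$key"); then
            if [ "$have" = "$want" ]; then
                echo "OK       $key=$have"
            else
                echo "MISMATCH $key=$have (want $want)"; rc=1
            fi
        else
            echo "MISSING  $key (want $want)"; rc=1
        fi
    done
    return $rc
}

# Constructed sample input (not taken from a real router).
sample=$(mktemp)
printf '%s\n' '# constructed' 'net.ipv4.conf.all.rp_filter = 0' 'net.ipv4.tcp_rfc1337 = 1' > "$sample"
audit_conf "$sample" || echo "some settings need attention"
rm -f "$sample"
```

This checks only what a configuration file would set; the values actually in effect on a running system are under /proc/sys.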