fix(cis): remove deprecated sshd options and update hardening values

2026-02-20 20:17:52 +01:00
parent a2993212ca
commit 524356cf8d
6 changed files with 9 additions and 4 deletions
--- a/roles/cis/tasks/sysctl.yml
+++ b/roles/cis/tasks/sysctl.yml
@@ -5,9 +5,12 @@
    mode: "0644"
    content: |
      ## CIS Sysctl configurations
+      fs.suid_dumpable=0
+      kernel.dmesg_restrict=1
      kernel.yama.ptrace_scope=1
      kernel.randomize_va_space=2
      # Network
+      # Disable forwarding; override in inventory for routers/containers
      net.ipv4.ip_forward=0
      net.ipv4.tcp_syncookies=1
      net.ipv4.icmp_echo_ignore_broadcasts=1
@@ -24,6 +27,7 @@
      net.ipv4.conf.default.send_redirects=0
      net.ipv4.conf.default.accept_redirects=0
      net.ipv6.conf.all.accept_redirects=0
+      # Disable IPv6; override in inventory if IPv6 is needed
      net.ipv6.conf.all.disable_ipv6=1
      net.ipv6.conf.default.accept_redirects=0
      net.ipv6.conf.default.disable_ipv6=1