From 9e3688ae2b335d37e910068a3a8f529f497f28b3 Mon Sep 17 00:00:00 2001
From: Sandwich
Date: Sat, 21 Feb 2026 01:18:52 +0100
Subject: [PATCH] fix(cis): strengthen kernel module blacklist and sysctl hardening

---
 roles/cis/tasks/modules.yml | 3 +++
 roles/cis/tasks/sysctl.yml | 7 ++++++-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/roles/cis/tasks/modules.yml b/roles/cis/tasks/modules.yml
index aec8f38..06fbde2 100644
--- a/roles/cis/tasks/modules.yml
+++ b/roles/cis/tasks/modules.yml
@@ -13,6 +13,9 @@
 - sctp
 - rds
 - tipc
+ - firewire-core
+ - firewire-sbp2
+ - thunderbolt
 cis_modules_squashfs: "{{ [] if os in ['ubuntu', 'ubuntu-lts'] else ['squashfs'] }}"
 cis_modules_all: "{{ cis_modules_base + cis_modules_squashfs }}"
 ansible.builtin.copy:
diff --git a/roles/cis/tasks/sysctl.yml b/roles/cis/tasks/sysctl.yml
index f5d0d8c..daa838a 100644
--- a/roles/cis/tasks/sysctl.yml
+++ b/roles/cis/tasks/sysctl.yml
@@ -7,7 +7,10 @@
 ## CIS Sysctl configurations
 fs.suid_dumpable=0
 kernel.dmesg_restrict=1
- kernel.yama.ptrace_scope=1
+ kernel.kptr_restrict=2
+ kernel.perf_event_paranoid=3
+ kernel.unprivileged_bpf_disabled=1
+ kernel.yama.ptrace_scope=2
 kernel.randomize_va_space=2
 # Network
 # Disable forwarding; override in inventory for routers/containers
@@ -21,6 +24,8 @@
 net.ipv4.conf.all.send_redirects=0
 net.ipv4.conf.all.accept_redirects=0
 net.ipv4.conf.all.accept_source_route=0
+ net.ipv4.conf.all.arp_ignore=1
+ net.ipv4.conf.all.arp_announce=2
 net.ipv4.conf.default.log_martians=1
 net.ipv4.conf.default.rp_filter=1
 net.ipv4.conf.default.secure_redirects=0
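Review bot: Whether the three new entries (firewire-core, firewire-sbp2, thunderbolt) actually stop these modules from loading depends on how the `ansible.builtin.copy` task renders `cis_modules_all`, which is outside the hunk: a plain `blacklist <name>` line only suppresses autoload and still lets the module arrive by explicit name or as a dependency (firewire-ohci pulling in firewire-core), whereas the CIS remediation form is `install <name> /bin/false` alongside `blacklist`. Please confirm the rendered modprobe.d content uses the `install` form, or the firewire additions are mostly cosmetic. thunderbolt is also the driver behind USB4 docks on current laptops, so a short comment on the new entries would save the next operator a surprise, e.g. `# DMA-capable external buses; override the module list in inventory for hosts that need docks`. The enclosing task starts and ends outside the hunk.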
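Review bot: Raising `kernel.yama.ptrace_scope` from 1 to 2 limits ptrace attach to processes holding CAP_SYS_PTRACE, which breaks same-user gdb/strace attach and some crash-reporting agents, yet the new line carries no override hint while the forwarding line three lines below has one; suggest `# ptrace_scope=2: admin-only attach; override in inventory for dev/debug hosts`. `kernel.unprivileged_bpf_disabled=1` is a one-way switch (it cannot be lowered again until reboot; value 2 is the re-enableable variant), so a later inventory override will silently not take effect on a running host, which deserves a comment on that line. `kernel.perf_event_paranoid=3` is, as far as I know, only distinct from 2 on kernels carrying the Debian/Ubuntu perf hardening patch and behaves like 2 on mainline, so a note that the value is distribution-dependent would help. The content block this hunk edits continues outside the hunk.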
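Review bot: The new `arp_ignore` and `arp_announce` lines are set only under `net.ipv4.conf.all`, while every other knob in this hunk is paired with a `net.ipv4.conf.default` twin; for these two that is sufficient because the kernel uses the maximum of the `all` and per-interface values, but without a comment the asymmetry reads like an omission, e.g. `# arp_*: kernel takes max(all, iface), no default.* twin needed`. `arp_ignore=1` also stops the host answering ARP for addresses configured on a different interface (VIPs on lo, some multi-homed layouts), so an override hint in the style of the forwarding comment earlier in this file would help: `# override in inventory for hosts that must answer ARP for addresses on other interfaces`. The content block continues outside the hunk.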