fix(cis): strengthen kernel module blacklist and sysctl hardening

roles/cis/tasks/modules.yml

@@ -13,6 +13,9 @@
       - sctp
       - rds
       - tipc
+      - firewire-core
+      - firewire-sbp2
+      - thunderbolt
     cis_modules_squashfs: "{{ [] if os in ['ubuntu', 'ubuntu-lts'] else ['squashfs'] }}"
     cis_modules_all: "{{ cis_modules_base + cis_modules_squashfs }}"
   ansible.builtin.copy:

roles/cis/tasks/sysctl.yml

@@ -7,7 +7,10 @@
       ## CIS Sysctl configurations
       fs.suid_dumpable=0
       kernel.dmesg_restrict=1
-      kernel.yama.ptrace_scope=1
+      kernel.kptr_restrict=2
+      kernel.perf_event_paranoid=3
+      kernel.unprivileged_bpf_disabled=1
+      kernel.yama.ptrace_scope=2
       kernel.randomize_va_space=2
       # Network
       # Disable forwarding; override in inventory for routers/containers
@@ -21,6 +24,8 @@
       net.ipv4.conf.all.send_redirects=0
       net.ipv4.conf.all.accept_redirects=0
       net.ipv4.conf.all.accept_source_route=0
+      net.ipv4.conf.all.arp_ignore=1
+      net.ipv4.conf.all.arp_announce=2
       net.ipv4.conf.default.log_martians=1
       net.ipv4.conf.default.rp_filter=1
       net.ipv4.conf.default.secure_redirects=0