fix(cis): strengthen kernel module blacklist and sysctl hardening

2026-02-21 01:18:52 +01:00
parent dea01cc8a0
commit 9e3688ae2b
2 changed files with 9 additions and 1 deletions
--- a/roles/cis/tasks/sysctl.yml
+++ b/roles/cis/tasks/sysctl.yml
@@ -7,7 +7,10 @@
      ## CIS Sysctl configurations
      fs.suid_dumpable=0
      kernel.dmesg_restrict=1
-      kernel.yama.ptrace_scope=1
+      kernel.kptr_restrict=2
+      kernel.perf_event_paranoid=3
+      kernel.unprivileged_bpf_disabled=1
+      kernel.yama.ptrace_scope=2
      kernel.randomize_va_space=2
      # Network
      # Disable forwarding; override in inventory for routers/containers
@@ -21,6 +24,8 @@
      net.ipv4.conf.all.send_redirects=0
      net.ipv4.conf.all.accept_redirects=0
      net.ipv4.conf.all.accept_source_route=0
+      net.ipv4.conf.all.arp_ignore=1
+      net.ipv4.conf.all.arp_announce=2
      net.ipv4.conf.default.log_martians=1
      net.ipv4.conf.default.rp_filter=1
      net.ipv4.conf.default.secure_redirects=0