fix(cis): strengthen kernel module blacklist and sysctl hardening
This commit is contained in:
@@ -13,6 +13,9 @@
|
|||||||
- sctp
|
- sctp
|
||||||
- rds
|
- rds
|
||||||
- tipc
|
- tipc
|
||||||
|
- firewire-core
|
||||||
|
- firewire-sbp2
|
||||||
|
- thunderbolt
|
||||||
cis_modules_squashfs: "{{ [] if os in ['ubuntu', 'ubuntu-lts'] else ['squashfs'] }}"
|
cis_modules_squashfs: "{{ [] if os in ['ubuntu', 'ubuntu-lts'] else ['squashfs'] }}"
|
||||||
cis_modules_all: "{{ cis_modules_base + cis_modules_squashfs }}"
|
cis_modules_all: "{{ cis_modules_base + cis_modules_squashfs }}"
|
||||||
ansible.builtin.copy:
|
ansible.builtin.copy:
|
||||||
|
|||||||
@@ -7,7 +7,10 @@
|
|||||||
## CIS Sysctl configurations
|
## CIS Sysctl configurations
|
||||||
fs.suid_dumpable=0
|
fs.suid_dumpable=0
|
||||||
kernel.dmesg_restrict=1
|
kernel.dmesg_restrict=1
|
||||||
kernel.yama.ptrace_scope=1
|
kernel.kptr_restrict=2
|
||||||
|
kernel.perf_event_paranoid=3
|
||||||
|
kernel.unprivileged_bpf_disabled=1
|
||||||
|
kernel.yama.ptrace_scope=2
|
||||||
kernel.randomize_va_space=2
|
kernel.randomize_va_space=2
|
||||||
# Network
|
# Network
|
||||||
# Disable forwarding; override in inventory for routers/containers
|
# Disable forwarding; override in inventory for routers/containers
|
||||||
@@ -21,6 +24,8 @@
|
|||||||
net.ipv4.conf.all.send_redirects=0
|
net.ipv4.conf.all.send_redirects=0
|
||||||
net.ipv4.conf.all.accept_redirects=0
|
net.ipv4.conf.all.accept_redirects=0
|
||||||
net.ipv4.conf.all.accept_source_route=0
|
net.ipv4.conf.all.accept_source_route=0
|
||||||
|
net.ipv4.conf.all.arp_ignore=1
|
||||||
|
net.ipv4.conf.all.arp_announce=2
|
||||||
net.ipv4.conf.default.log_martians=1
|
net.ipv4.conf.default.log_martians=1
|
||||||
net.ipv4.conf.default.rp_filter=1
|
net.ipv4.conf.default.rp_filter=1
|
||||||
net.ipv4.conf.default.secure_redirects=0
|
net.ipv4.conf.default.secure_redirects=0
|
||||||
|
|||||||
Reference in New Issue
Block a user