CIS role split and permission safety

roles/cis/tasks/sysctl.yml

@@ -0,0 +1,30 @@
+---
+- name: Create a consolidated sysctl configuration file
+  ansible.builtin.copy:
+    dest: /mnt/etc/sysctl.d/10-cis.conf
+    mode: "0644"
+    content: |
+      ## CIS Sysctl configurations
+      kernel.yama.ptrace_scope=1
+      kernel.randomize_va_space=2
+      # Network
+      net.ipv4.ip_forward=0
+      net.ipv4.tcp_syncookies=1
+      net.ipv4.icmp_echo_ignore_broadcasts=1
+      net.ipv4.icmp_ignore_bogus_error_responses=1
+      net.ipv4.conf.all.log_martians = 1
+      net.ipv4.conf.all.rp_filter = 1
+      net.ipv4.conf.all.secure_redirects = 0
+      net.ipv4.conf.all.send_redirects = 0
+      net.ipv4.conf.all.accept_redirects = 0
+      net.ipv4.conf.all.accept_source_route=0
+      net.ipv4.conf.default.log_martians = 1
+      net.ipv4.conf.default.rp_filter = 1
+      net.ipv4.conf.default.secure_redirects = 0
+      net.ipv4.conf.default.send_redirects = 0
+      net.ipv4.conf.default.accept_redirects = 0
+      net.ipv6.conf.all.accept_redirects = 0
+      net.ipv6.conf.all.disable_ipv6 = 1
+      net.ipv6.conf.default.accept_redirects = 0
+      net.ipv6.conf.default.disable_ipv6 = 1
+      net.ipv6.conf.lo.disable_ipv6 = 1