refactor(cis): extract hardcoded values to cis_defaults and add _normalize.yml

2026-02-21 01:26:31 +01:00
parent bef15af69f
commit f74ec325ea
8 changed files with 99 additions and 79 deletions
--- a/roles/cis/tasks/sysctl.yml
+++ b/roles/cis/tasks/sysctl.yml
@@ -5,35 +5,6 @@
    mode: "0644"
    content: |
      ## CIS Sysctl configurations
-      fs.suid_dumpable=0
-      kernel.dmesg_restrict=1
-      kernel.kptr_restrict=2
-      kernel.perf_event_paranoid=3
-      kernel.unprivileged_bpf_disabled=1
-      kernel.yama.ptrace_scope=2
-      kernel.randomize_va_space=2
-      # Network
-      # Disable forwarding; override in inventory for routers/containers
-      net.ipv4.ip_forward=0
-      net.ipv4.tcp_syncookies=1
-      net.ipv4.icmp_echo_ignore_broadcasts=1
-      net.ipv4.icmp_ignore_bogus_error_responses=1
-      net.ipv4.conf.all.log_martians=1
-      net.ipv4.conf.all.rp_filter=1
-      net.ipv4.conf.all.secure_redirects=0
-      net.ipv4.conf.all.send_redirects=0
-      net.ipv4.conf.all.accept_redirects=0
-      net.ipv4.conf.all.accept_source_route=0
-      net.ipv4.conf.all.arp_ignore=1
-      net.ipv4.conf.all.arp_announce=2
-      net.ipv4.conf.default.log_martians=1
-      net.ipv4.conf.default.rp_filter=1
-      net.ipv4.conf.default.secure_redirects=0
-      net.ipv4.conf.default.send_redirects=0
-      net.ipv4.conf.default.accept_redirects=0
-      net.ipv6.conf.all.accept_redirects=0
-      # Disable IPv6; override in inventory if IPv6 is needed
-      net.ipv6.conf.all.disable_ipv6=1
-      net.ipv6.conf.default.accept_redirects=0
-      net.ipv6.conf.default.disable_ipv6=1
-      net.ipv6.conf.lo.disable_ipv6=1
+      {% for key, value in cis_cfg.sysctl | dictsort %}
+      {{ key }}={{ value }}
+      {% endfor %}