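---
# Writes the CIS sysctl settings from cis_cfg.sysctl into the target root
# (which appears to be mounted at /mnt) as one /etc/sysctl.d drop-in.
# Gated on the sysctl_hardening rule; ipv6_disable is handled separately below.
- name: Create a consolidated sysctl configuration file
  when: cis_effective_rules.sysctl_hardening | default(false)
  vars:
    # ipv6_disable is a separate rule: when it is off, drop the disable_ipv6 keys
    # but keep the rest of cis_cfg.sysctl. 'search' is a regex test; the pattern
    # has no metacharacters, so it matches the literal substring in the key.
    _cis_sysctl: >-
      {{ cis_cfg.sysctl
         if (cis_effective_rules.ipv6_disable | default(false))
         else (cis_cfg.sysctl | dict2items | rejectattr('key', 'search', 'disable_ipv6') | items2dict) }}
  ansible.builtin.copy:
    # 99- so CIS wins: sysctl.d files are applied in basename order and the later
    # one applies last, so a 10- name loses to vendor
    # /usr/lib/sysctl.d/10-default-yama-scope.conf, which reset
    # kernel.yama.ptrace_scope back to 0.
    dest: /mnt/etc/sysctl.d/99-cis.conf
    # Pin ownership instead of inheriting it from whoever runs the play: anyone
    # who can edit a sysctl.d drop-in can undo the hardening at the next boot,
    # so the file must be root-owned and writable only by root (0644).
    owner: root
    group: root
    mode: "0644"
    # dictsort gives a stable key order, so repeated runs render identical
    # content and the task stays idempotent (no spurious "changed").
    content: |
      ## CIS Sysctl configurations
      {% for key, value in _cis_sysctl | dictsort %}
      {{ key }}={{ value }}
      {% endfor %}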