move sysctls to debian specific vars (#524)
* fix ansible-lint issue https://github.com/ansible-community/ansible-lint/issues/1795 Signed-off-by: rndmh3ro <github@gumpri.ch> * move 2 sysctls to debian specific Signed-off-by: rndmh3ro <github@gumpri.ch> * fix ansible-lint issue https://github.com/ansible-community/ansible-lint/issues/1795 Signed-off-by: rndmh3ro <github@gumpri.ch> * add arch linux sysctls * simplify sysctl settings Signed-off-by: rndmh3ro <github@gumpri.ch> * move overwrite to the bottom to let it actually overwrite something Signed-off-by: rndmh3ro <github@gumpri.ch> * fix typo Signed-off-by: rndmh3ro <github@gumpri.ch>
This commit is contained in:
parent
798f4b9a99
commit
2ba40b0891
6 changed files with 26 additions and 24 deletions
2
.github/workflows/ansible-lint.yml
|
@ -30,6 +30,8 @@ jobs:
|
|||
# override-deps: |
|
||||
# ansible==2.9
|
||||
# ansible-lint==4.2.0
|
||||
override-deps: |
|
||||
rich>=9.5.1,<11.0.0
|
||||
# [optional]
|
||||
# Arguments to be passed to the ansible-lint
|
||||
|
||||
|
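Review bot: The new `override-deps` pin carries no explanation in the workflow itself; the commit message says it works around ansible-community/ansible-lint#1795, but a reader of the YAML only sees an unexplained upper bound on rich with no hint of when it can go. Add a comment above the added line so the pin gets revisited once the upstream fix lands: `# Temporary: pin rich below 11 to work around ansible-community/ansible-lint#1795; drop once the action no longer needs it`. The older commented-out `override-deps` example (`# ansible==2.9`, `# ansible-lint==4.2.0`) now sits directly above a live override, which reads as a second, disabled copy of the same key; consider removing it or labelling it as an example.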
|
|
@ -69,7 +69,7 @@ sysctl_config:
|
|||
# filenames (generally seen as "/tmp file race" vulnerabilities).
|
||||
fs.protected_hardlinks: 1
|
||||
fs.protected_symlinks: 1
|
||||
|
||||
|
||||
# For more info on the following settings see: https://www.kernel.org/doc/html/latest/admin-guide/sysctl/fs.html
|
||||
# Restrict FIFO special device creation behavior
|
||||
fs.protected_fifos: 1
|
||||
|
@ -288,14 +288,6 @@ sysctl_config:
|
|||
vm.mmap_rnd_bits: 32
|
||||
vm.mmap_rnd_compat_bits: 16
|
||||
|
||||
# Disable unprivileged users from loading eBPF programs into the kernel.
|
||||
# One of mitigations against CVE-2021-33909. | Tail-2
|
||||
kernel.unprivileged_bpf_disabled: 1
|
||||
|
||||
# Reduce attack surface by disabling unprivileged user namespaces.
|
||||
# Mitigates CVE-2021-33909 and other exploits.
|
||||
kernel.unprivileged_userns_clone: 0
|
||||
|
||||
# Do not delete the following line or otherwise the playbook will fail
|
||||
# at task 'create a combined sysctl-dict if overwrites are defined'
|
||||
sysctl_overwrite:
|
||||
|
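Review bot: Removing `kernel.unprivileged_bpf_disabled: 1` from the generic `sysctl_config` drops it from every platform that is not given a `sysctl_custom_config` in this commit — the diffstat lists six files and only the Debian and Arch vars re-add the key, so RHEL/Fedora/SUSE-style hosts appear to lose the setting unless a vars file outside this diff still carries it. Unlike `kernel.unprivileged_userns_clone`, which only exists on kernels carrying the Debian/hardened patch, `unprivileged_bpf_disabled` is a mainline sysctl and belongs in the generic dict; I would keep `kernel.unprivileged_bpf_disabled: 1` here with its comment and move only the userns key into the distro files. Separately, `sysctl_overwrite:` with no value parses as null and the merge below only works because the filter apparently tolerates that; `sysctl_overwrite: {}` states the intent explicitly and makes the "Do not delete" warning less fragile.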
|
|
@ -43,6 +43,17 @@
|
|||
|
||||
- name: Change sysctls
|
||||
block:
|
||||
- name: Create a combined sysctl-dict if os-dependent sysctls are defined
|
||||
set_fact:
|
||||
sysctl_config: '{{ sysctl_config | combine(sysctl_custom_config) }}'
|
||||
when: sysctl_custom_config | default()
|
||||
|
||||
# sysctl_rhel_config is kept for backwards-compatibility. use sysctl_custom_config instead
|
||||
- name: Create a combined sysctl-dict if os-dependent sysctls are defined
|
||||
set_fact:
|
||||
sysctl_config: '{{ sysctl_config | combine(sysctl_rhel_config) }}'
|
||||
when: sysctl_rhel_config | default()
|
||||
|
||||
- name: Create a combined sysctl-dict if overwrites are defined
|
||||
set_fact:
|
||||
sysctl_config: '{{ sysctl_config | combine(sysctl_overwrite) }}'
|
||||
|
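Review bot: The overwrite merge at the end of the chain is the only `set_fact` in the block without a guard, so it depends on `vars/main.yml` always carrying a `sysctl_overwrite:` key — exactly the coupling the "Do not delete the following line" comment in the vars hunk above has to warn about. Using `sysctl_config: '{{ sysctl_config | combine(sysctl_overwrite | default({})) }}'` removes that dependency and keeps the step safe if the key is ever dropped or set to null. The two preceding tasks both carry the name "Create a combined sysctl-dict if os-dependent sysctls are defined", which makes run output ambiguous; name the second one after `sysctl_rhel_config` (e.g. "... if legacy sysctl_rhel_config is defined"). The `block:` opened at the top of this hunk closes outside it — its `when:` is in the next hunk.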
@ -57,17 +68,6 @@
|
|||
reload: true
|
||||
ignoreerrors: true
|
||||
with_dict: '{{ sysctl_config }}'
|
||||
|
||||
- name: Change various sysctl-settings on Amazon Linux, look at the sysctl-vars file for documentation
|
||||
sysctl:
|
||||
name: '{{ item.key }}'
|
||||
value: '{{ item.value }}'
|
||||
state: present
|
||||
reload: true
|
||||
ignoreerrors: true
|
||||
with_dict: '{{ sysctl_rhel_config }}'
|
||||
when: ansible_facts.distribution == 'Amazon'
|
||||
|
||||
when: ansible_virtualization_type not in ['docker', 'lxc', 'openvz']
|
||||
|
||||
- name: Apply ufw defaults
|
||||
|
|
|
@ -45,8 +45,4 @@ auditd_package: 'audit'
|
|||
# system accounts that do not get their login disabled and pasword changed
|
||||
os_always_ignore_users: ['root', 'sync', 'shutdown', 'halt', 'ec2-user']
|
||||
|
||||
sysctl_rhel_config:
|
||||
# ExecShield protection against buffer overflows
|
||||
kernel.exec-shield: 1
|
||||
|
||||
hidepid_option: '2' # allowed values: 0, 1, 2
|
||||
|
|
|
@ -33,3 +33,9 @@ modprobe_package: 'kmod'
|
|||
auditd_package: 'audit'
|
||||
|
||||
hidepid_option: '2' # allowed values: 0, 1, 2
|
||||
|
||||
sysctl_custom_config:
|
||||
# Mitigation of vulnerability CVE-2021-33909
|
||||
kernel.unprivileged_userns_clone: 0
|
||||
# Mitigation of vulnerability CVE-2021-33910
|
||||
kernel.unprivileged_bpf_disabled: 1
|
||||
|
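Review bot: `kernel.unprivileged_userns_clone` is, as far as I know, a sysctl provided by the Debian/Ubuntu and linux-hardened kernel patches rather than by mainline, so on a stock Arch kernel the key very likely does not exist; because the sysctl task runs with `ignoreerrors: true` (context visible in the tasks hunk above), a missing key is skipped silently and this line gives a false sense of coverage. Either confirm the key exists on the Arch kernels this role targets, or document the assumption next to it: `# Only effective on kernels carrying the unprivileged_userns_clone patch (e.g. linux-hardened); silently skipped elsewhere`. Mainline's equivalent knob is `user.max_user_namespaces: 0`, which would be the portable choice, though it blocks user-namespace creation for privileged users as well and so is a blunter instrument.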
|
|
@ -43,3 +43,9 @@ tally2_path: '/usr/share/pam-configs/tally2'
|
|||
passwdqc_path: '/usr/share/pam-configs/passwdqc'
|
||||
|
||||
hidepid_option: '2' # allowed values: 0, 1, 2
|
||||
|
||||
sysctl_custom_config:
|
||||
# Mitigation of vulnerability CVE-2021-33909
|
||||
kernel.unprivileged_userns_clone: 0
|
||||
# Mitigation of vulnerability CVE-2021-33910
|
||||
kernel.unprivileged_bpf_disabled: 1
|
||||
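Review bot: The comment on `kernel.unprivileged_bpf_disabled` cites CVE-2021-33910, while the line it replaces in the generic vars (deleted in the vars/main.yml hunk above) credited the same key to CVE-2021-33909 as one of several mitigations, so the two descriptions now disagree. As far as I recall, CVE-2021-33910 is the systemd stack-exhaustion issue published alongside the kernel bug and is not addressed by any sysctl, so the new attribution looks wrong. Suggest restoring the original reasoning and the broader rationale: `# Disable unprivileged eBPF program loading; one of the mitigations against CVE-2021-33909 and a general attack-surface reduction`. The identical comment is added in the Arch vars hunk and should be kept in sync.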
|
|