add more sysctl settings, allow overwriting

.kitchen.yml

@@ -22,8 +22,6 @@ provisioner:
   http_proxy: <%= ENV['http_proxy'] || nil %>
   https_proxy: <%= ENV['https_proxy'] || nil %>
   playbook: default.yml
-  ansible_extra_flags:
-    - "--skip-tags=sysctl"
 
 platforms:
 - name: centos6-ansible-latest

.travis.yml

@@ -55,10 +55,10 @@ script:
   # Run container in detached state.
   - 'docker run --detach --volume="${PWD}":/etc/ansible/roles/ansible-os-hardening:ro ${run_opts} rndmh3ro/docker-${distro}-ansible:${version} "${init}" > "${container_id}"'
 
-  # Test role.
+   # Test role.
   - 'docker exec "$(cat ${container_id})" ansible-playbook /etc/ansible/roles/ansible-os-hardening/default.yml --skip-tags "sysctl"'
 
-  # Verify role
+   # Verify role
   - 'inspec exec https://github.com/dev-sec/linux-baseline/ -t docker://$(cat ${container_id}) --controls=os-01 os-02 os-03 os-04 os-05 os-06 os-07 package-01 package-02 package-03 package-04 package-05 package-06'
 
 notifications:

README.md

@@ -78,59 +78,17 @@ We remove the following packages:
 
 
 ## Changing sysctl variables
-
-If you want to overwrite sysctl-variables, you have to overwrite the *whole* dict, or else only the single overwritten will be actually used.
-So for example if you want to change the IPv4 traffic forwarding variable to `1`, you must pass the whole dict like this:
++If you want to overwrite sysctl-variables, you can use the `sysctl_overwrite` variable (in older versions you had to overwrite the whole `sysctl_dict`).
++So for example if you want to change the IPv4 traffic forwarding variable to `1`, do it like this:
 
 ```
     - hosts: localhost
       roles:
         - dev-sec.os-hardening
       vars:
-        sysctl_config:
+        sysctl_overwrite:
           # Disable IPv4 traffic forwarding.
           net.ipv4.ip_forward: 1
-
-          # Disable IPv6 traffic forwarding.
-          net.ipv6.conf.all.forwarding: 0
-
-          # ignore RAs on Ipv6.
-          net.ipv6.conf.all.accept_ra: 0
-          net.ipv6.conf.default.accept_ra: 0
-
-          # Enable RFC-recommended source validation feature.
-          net.ipv4.conf.all.rp_filter: 1
-          net.ipv4.conf.default.rp_filter: 1
-
-          # Reduce the surface on SMURF attacks.
-          # Make sure to ignore ECHO broadcasts, which are only required in broad network analysis.
-          net.ipv4.icmp_echo_ignore_broadcasts: 1
-
-          # There is no reason to accept bogus error responses from ICMP, so ignore them instead.
-          net.ipv4.icmp_ignore_bogus_error_responses: 1
-
-          # Limit the amount of traffic the system uses for ICMP.
-          net.ipv4.icmp_ratelimit: 100
-
-          # Adjust the ICMP ratelimit to include ping, dst unreachable,
-          # source quench, ime exceed, param problem, timestamp reply, information reply
-          net.ipv4.icmp_ratemask: 88089
-
-          # Disable IPv6
-          net.ipv6.conf.all.disable_ipv6: 1
-
-          # Protect against wrapping sequence numbers at gigabit speeds
-          net.ipv4.tcp_timestamps: 0
-
-          # Define restriction level for announcing the local source IP
-          net.ipv4.conf.all.arp_ignore: 1
-
-          # Define mode for sending replies in response to
-          # received ARP requests that resolve local target IP addresses
-          net.ipv4.conf.all.arp_announce: 2
-
-          # RFC 1337 fix F1
-          net.ipv4.tcp_rfc1337: 1
 ```
 
 Alternatively you can change Ansible's [hash-behaviour](https://docs.ansible.com/ansible/intro_configuration.html#hash-behaviour) to `merge`, then you only have to overwrite the single hash you need to. But please be aware that changing the hash-behaviour changes it for all your playbooks and is not recommended by Ansible.

default.yml

@@ -13,8 +13,47 @@
     os_auth_allow_homeless: true
     os_security_suid_sgid_blacklist: ['/bin/umount']
     os_security_suid_sgid_whitelist: ['/usr/bin/rlogin']
+    sysctl_config:
+      net.ipv4.ip_forward: 0
+      net.ipv6.conf.all.forwarding: 0
+      net.ipv6.conf.all.accept_ra: 0
+      net.ipv6.conf.default.accept_ra: 0
+      net.ipv4.conf.all.rp_filter: 1
+      net.ipv4.conf.default.rp_filter: 1
+      net.ipv4.icmp_echo_ignore_broadcasts: 1
+      net.ipv4.icmp_ignore_bogus_error_responses: 1
+      net.ipv4.icmp_ratelimit: 100
+      net.ipv4.icmp_ratemask: 88089
+      net.ipv6.conf.all.disable_ipv6: 1
+      net.ipv4.conf.all.arp_ignore: 1
+      net.ipv4.conf.all.arp_announce: 2
+      net.ipv4.conf.all.shared_media: 1
+      net.ipv4.conf.default.shared_media: 1
+      net.ipv4.conf.all.accept_source_route: 0
+      net.ipv4.conf.default.accept_source_route: 0
+      net.ipv4.conf.default.accept_redirects: 0
+      net.ipv4.conf.all.accept_redirects: 0
+      net.ipv4.conf.all.secure_redirects: 0
+      net.ipv4.conf.default.secure_redirects: 0
+      net.ipv6.conf.default.accept_redirects: 0
+      net.ipv6.conf.all.accept_redirects: 0
+      net.ipv4.conf.all.send_redirects: 0
+      net.ipv4.conf.default.send_redirects: 0
+      net.ipv4.conf.all.log_martians: 1
+      net.ipv6.conf.default.router_solicitations: 0
+      net.ipv6.conf.default.accept_ra_rtr_pref: 0
+      net.ipv6.conf.default.accept_ra_pinfo: 0
+      net.ipv6.conf.default.accept_ra_defrtr: 0
+      net.ipv6.conf.default.autoconf: 0
+      net.ipv6.conf.default.dad_transmits: 0
+      net.ipv6.conf.default.max_addresses: 1
+      kernel.sysrq: 0
+      fs.suid_dumpable: 0
+      kernel.randomize_va_space: 2
+
 
 - name: wrapper playbook for kitchen testing "ansible-os-hardening"
   hosts: localhost
   roles:
     - ansible-os-hardening
+

defaults/main.yml

@@ -58,10 +58,6 @@ ufw_default_application_policy: 'SKIP'
 ufw_manage_builtins: 'no'
 ufw_ipt_modules: 'nf_conntrack_ftp nf_nat_ftp nf_conntrack_netbios_ns'
 
-# CAUTION
-# If you want to overwrite sysctl-variables,
-# you have to overwrite the *whole* dict, or else only the single overwritten will be actually used.
-
 sysctl_config:
   # Disable IPv4 traffic forwarding.
   net.ipv4.ip_forward: 0
@@ -107,9 +103,73 @@ sysctl_config:
   # RFC 1337 fix F1
   net.ipv4.tcp_rfc1337: 1
 
-# CAUTION
-# If you want to overwrite sysctl-variables,
-# you have to overwrite the *whole* dict, or else only the single overwritten will be actually used.
+  # Send(router) or accept(host) RFC1620 shared media redirects
+  net.ipv4.conf.all.shared_media: 1
+  net.ipv4.conf.default.shared_media: 1
+
+  # Accepting source route can lead to malicious networking behavior,
+  # so disable it if not needed.
+  net.ipv4.conf.all.accept_source_route: 0
+  net.ipv4.conf.default.accept_source_route: 0
+
+  # Accepting redirects can lead to malicious networking behavior, so disable
+  # it if not needed.
+  net.ipv4.conf.default.accept_redirects: 0
+  net.ipv4.conf.all.accept_redirects: 0
+  net.ipv4.conf.all.secure_redirects: 0
+  net.ipv4.conf.default.secure_redirects: 0
+  net.ipv6.conf.default.accept_redirects: 0
+  net.ipv6.conf.all.accept_redirects: 0
+
+  # For non-routers: don't send redirects, these settings are 0
+  net.ipv4.conf.all.send_redirects: 0
+  net.ipv4.conf.default.send_redirects: 0
+
+  # log martian packets
+  net.ipv4.conf.all.log_martians: 1
+
+  # ipv6 config
+  # NSA 2.5.3.2.5 Limit Network-Transmitted Configuration
+  net.ipv6.conf.default.router_solicitations: 0
+  net.ipv6.conf.default.accept_ra_rtr_pref: 0
+  net.ipv6.conf.default.accept_ra_pinfo: 0
+  net.ipv6.conf.default.accept_ra_defrtr: 0
+  net.ipv6.conf.default.autoconf: 0
+  net.ipv6.conf.default.dad_transmits: 0
+  net.ipv6.conf.default.max_addresses: 1
+
+  # This settings controls how the kernel behaves towards module changes at
+  # runtime. Setting to 1 will disable module loading at runtime.
+  # Setting it to 0 is actually never supported.
+  # kernel.modules_disabled: 1
+
+  # Magic Sysrq should be disabled, but can also be set to a safe value if so
+  # desired for physical machines. It can allow a safe reboot if the system hangs
+  # and is a 'cleaner' alternative to hitting the reset button.
+  # The following values are permitted:
+  # * **0**   - disable sysrq
+  # * **1**   - enable sysrq completely
+  # * **>1**  - bitmask of enabled sysrq functions:
+  # * **2**   - control of console logging level
+  # * **4**   - control of keyboard (SAK, unraw)
+  # * **8**   - debugging dumps of processes etc.
+  # * **16**  - sync command
+  # * **32**  - remount read-only
+  # * **64**  - signalling of processes (term, kill, oom-kill)
+  # * **128** - reboot/poweroff
+  # * **256** - nicing of all RT tasks
+  kernel.sysrq: 0
+
+  # Prevent core dumps with SUID. These are usually only
+  # needed by developers and may contain sensitive information.
+  fs.suid_dumpable: 0
+
+  # Virtual memory regions protection
+  kernel.randomize_va_space: 2
+
+# Do not delete the following line or otherwise the playbook will fail
+# at task "create a combined sysctl-dict if overwrites are defined"
+sysctl_overwrite:
 
 sysctl_rhel_config:
   # ExecShield protection against buffer overflows

tasks/sysctl.yml

@@ -19,6 +19,10 @@
   command: 'update-initramfs -u'
   when: initramfs.changed
 
+- name: create a combined sysctl-dict if overwrites are defined
+  set_fact: sysctl_config="{{ sysctl_config | combine(sysctl_overwrite) }}"
+  when: sysctl_overwrite | default(omit)
+
 - name: Change various sysctl-settings, look at the sysctl-vars file for documentation
   sysctl:
     name: '{{ item.key }}'