Add CVE-2021-33909 mitigations (#466)

* Add CVE-2021-33909 mitigations

kernel.unprivileged_bpf_disabled: 1
kernel.unprivileged_userns_clone: 0

The first one is also used by Tails.

Signed-off-by: Paweł Krawczyk <616047+kravietz@users.noreply.github.com>

* Clean up whitespaces

Signed-off-by: Paweł Krawczyk <616047+kravietz@users.noreply.github.com>
Paweł Krawczyk 2021-07-22 14:32:41 +00:00 committed by GitHub
parent 327b1a84c8
commit 66bd1f0aec
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

@ -282,6 +282,14 @@ sysctl_config:
vm.mmap_rnd_bits: 32
vm.mmap_rnd_compat_bits: 16
# Disable unprivileged users from loading eBPF programs into the kernel.
# One of mitigations against CVE-2021-33909. | Tail-2
kernel.unprivileged_bpf_disabled: 1
# Reduce attack surface by disabling unprivileged user namespaces.
# Mitigates CVE-2021-33909 and other exploits.
kernel.unprivileged_userns_clone: 0
# Do not delete the following line or otherwise the playbook will fail
# at task 'create a combined sysctl-dict if overwrites are defined'
sysctl_overwrite:
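Review bot: `kernel.unprivileged_userns_clone` is a distribution-specific key (it is carried in Debian and Ubuntu kernel patches and is not an upstream sysctl), so on hosts whose kernel does not expose it the sysctl apply will fail unless the task tolerates missing keys; guard the entry per distribution or document that limitation next to it. Separately, the comment `# One of mitigations against CVE-2021-33909. | Tail-2` carries a stray `| Tail-2` that reads as a garbled reference; the commit message says the setting is also used by Tails, so spell that out, e.g. `# One of the mitigations against CVE-2021-33909; also set by Tails.`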