mirror of
https://github.com/dev-sec/ansible-collection-hardening
synced 2024-09-20 05:11:53 +00:00
Add CVE-2021-33909 mitigations (#466)
* Add CVE-2021-33909 mitigations

  kernel.unprivileged_bpf_disabled: 1
  kernel.unprivileged_userns_clone: 0

  The first one is also used by Tails.

  Signed-off-by: Paweł Krawczyk <616047+kravietz@users.noreply.github.com>

* Clean up whitespaces

  Signed-off-by: Paweł Krawczyk <616047+kravietz@users.noreply.github.com>
This commit is contained in:
parent
327b1a84c8
commit
66bd1f0aec
1 changed files with 8 additions and 0 deletions
@ -282,6 +282,14 @@ sysctl_config:
vm.mmap_rnd_bits: 32
vm.mmap_rnd_compat_bits: 16
# Disable unprivileged users from loading eBPF programs into the kernel.
# One of mitigations against CVE-2021-33909. | Tail-2
kernel.unprivileged_bpf_disabled: 1
# Reduce attack surface by disabling unprivileged user namespaces.
# Mitigates CVE-2021-33909 and other exploits.
kernel.unprivileged_userns_clone: 0
# Do not delete the following line or otherwise the playbook will fail
# at task 'create a combined sysctl-dict if overwrites are defined'
sysctl_overwrite:
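Review bot: `kernel.unprivileged_userns_clone` is not a mainline sysctl; it exists only on kernels carrying the Debian/Ubuntu (and linux-hardened) patch, so applying it unconditionally in the default `sysctl_config` will make the sysctl task fail on RHEL, Fedora, SUSE and other mainline-based kernels unless the role already tolerates unknown keys. Either guard the key by distribution or document that users of other distributions must override it. Two further points on the same hunk: `kernel.unprivileged_bpf_disabled: 1` is one-way until reboot (once set to 1 it cannot be cleared at runtime), which is worth stating in the comment so operators are not surprised; and both comments should make clear that these settings only remove the unprivileged trigger path used by the public CVE-2021-33909 exploit, not the underlying seq_file overflow, so a patched kernel is still required. Finally, the comment `# One of mitigations against CVE-2021-33909. | Tail-2` ends with a stray `| Tail-2` fragment that looks like an editing leftover (the commit message says "Tails"); it should be removed or spelled out.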