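#jinja2: lstrip_blocks: True
{{ ansible_managed | comment }}

# Kernel hardening sysctl settings, rendered from an Ansible template.
# sysctl applies entries in file order and the last assignment of a key wins,
# so every key below is set exactly once (the previous version set
# kernel.kptr_restrict, net.ipv4.conf.default.accept_source_route and
# net.ipv4.conf.all.log_martians twice).

# Buffer overflow protection
# kernel.exec-shield exists only on older Red Hat kernels; on kernels without
# it, sysctl reports an error for this line when the file is loaded. Gate or
# drop it on targets where the key is absent.
kernel.exec-shield = 1
# 2 = full address space randomisation (stack, mmap, VDSO and brk)
kernel.randomize_va_space = 2

# Restrict access to kernel pointers in the proc filesystem.
# 2 hides them from all users including root. The previous version set this
# key to 1 and later to 2; 2 was the effective value and is kept here.
kernel.kptr_restrict = 2

# Disable the System Request debugging functionality of the kernel.
# This also removes the emergency sync/reboot key sequences for console operators.
kernel.sysrq = 0

# Restrict unprivileged access to the kernel syslog (dmesg)
kernel.dmesg_restrict = 1

# Limit scope for ptrace: 2 = only processes with CAP_SYS_PTRACE may attach.
# This breaks unprivileged debugging and profiling tools (e.g. gdb attach).
kernel.yama.ptrace_scope = 2

# Ignore ICMP echo requests sent to broadcast addresses (smurf attack)
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Do not log bogus ICMP error responses from RFC 1122-violating routers
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Turn on SYN cookies for SYN flood attack protection
net.ipv4.tcp_syncookies = 1

# Do not accept source-routed packets
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Same for IPv6: a no-op while IPv6 is disabled below, protective if it is re-enabled
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0

# Reverse path filtering: 1 = strict. Strict mode drops legitimate traffic on
# multi-homed hosts with asymmetric routing; use 2 (loose) on such hosts.
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Ignore ICMP redirects so remote hosts cannot alter the routing table
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

# Don't act as a router
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Log packets with impossible (spoofed) source addresses
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# Turn off TCP timestamps. This hides host uptime from remote probes, but it
# also disables PAWS and reduces throughput on high-bandwidth links; confirm
# the trade-off is intended before keeping this.
net.ipv4.tcp_timestamps = 0

# Disable IPv6 on all interfaces
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1

# Ignore ICMPv6 redirects (defence in depth in case IPv6 is re-enabled)
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

{% if kernel_namespace_support_enabled %}
# Cap the number of user namespaces; 0 would disable creation of new
# user namespaces entirely.
user.max_user_namespaces = 15076
{% endif %}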