improve default kernel hardening

defaults/main.yml

@@ -4,6 +4,10 @@ kernel_disable_modules:
 
 kernel_blacklist_modules:
   - firewire-core
+  - dccp
+  - sctp
+  - tipc
+  - rds
 
 # @var kernel_ipv4_ping_group_range: $ "_unset"
 # @var kernel_ipv4_ping_group_range:example: $ "0 2000000"
@@ -13,3 +17,5 @@ kernel_coredump_enabled: True
 kernel_cgroup_v2_enabled: False
 
 kernel_grub_rebuild_force: False
+
+kernel_ipv6_enabled: False

templates/etc/sysctl.d/dump.conf.j2

@@ -1,3 +1,6 @@
 {{ ansible_managed | comment }}
-# disable core dumps for setuid programs
+# Controls whether core dumps will append the PID to the core filename
+kernel.core_uses_pid = 1
+
+# Disable core dumps for setuid programs
 fs.suid_dumpable = 0

templates/etc/sysctl.d/local.conf.j2

@@ -4,9 +4,6 @@
 kernel.exec-shield = 1
 kernel.randomize_va_space = 2
 
-# Restricting access to kernel pointers in the proc filesystem
-kernel.kptr_restrict = 1
-
 # Controls the System Request debugging functionality of the kernel
 kernel.sysrq = 0
 
@@ -19,6 +16,41 @@ kernel.kptr_restrict = 2
 # Limit scope for ptrace
 kernel.yama.ptrace_scope = 2
 
+# Command is trapped and sent to the init program to handle a graceful restart
+kernel.ctrl-alt-del = 0
+
+# Disable loading new modules
+kernel.modules_disabled = 1
+
+# Disable access to performance events by users without CAP_SYS_ADMIN
+kernel.perf_event_paranoid = 3
+
+# Prevents unprivileged users from being able to use eBPF
+kernel.unprivileged_bpf_disabled = 1
+
+# Restricts loading TTY line disciplines to the CAP_SYS_MODULE capability
+dev.tty.ldisc_autoload = 0
+
+# Disallow opening FIFOs or regular files not owned by the user in world-writable directories
+fs.protected_fifos = 2
+fs.protected_regular = 2
+
+# Disallow following not owned by the user in world-writable directories
+fs.protected_hardlinks = 1
+fs.protected_symlinks = 1
+
+# Restrict eBPF to the CAP_BPF/CAP_SYS_ADMIN capability
+net.core.bpf_jit_harden = 2
+
+# Disable Bootstrap protocol, as it is superseded by DHCP
+net.ipv4.conf.all.bootp_relay = 0
+
+# Disable forwarding of multicast packets on all interfaces
+net.ipv4.conf.all.mc_forwarding = 0
+
+# Disable the ARP proxy on all interfaces
+net.ipv4.conf.all.proxy_arp = 0
+
 # Avoid a smurf attack
 net.ipv4.icmp_echo_ignore_broadcasts = 1
 
@@ -30,7 +62,6 @@ net.ipv4.tcp_syncookies = 1
 
 # Turn on and log spoofed, source routed, and redirect packets
 net.ipv4.conf.all.log_martians = 1
-net.ipv4.conf.default.accept_source_route = 0
 
 # No source routed packets here
 net.ipv4.conf.all.accept_source_route = 0
@@ -57,14 +88,21 @@ net.ipv4.conf.default.log_martians = 1
 
 # Turn off the tcp_timestamps
 net.ipv4.tcp_timestamps = 0
+{% if not kernel_ipv6_enabled | bool %}
 
 # Disable IPv6 for all interfaces
 net.ipv6.conf.all.disable_ipv6 = 1
 net.ipv6.conf.default.disable_ipv6 = 1
+{% else %}
 
 # Disable ICMP routing redirects
 net.ipv6.conf.all.accept_redirects = 0
 net.ipv6.conf.default.accept_redirects = 0
+
+# Disable forwarding of IPv6 source-routed packets
+net.ipv6.conf.all.accept_source_route = 0
+net.ipv6.conf.default.accept_source_route = 0
+{% endif %}
 {% if kernel_namespace_support_enabled | bool %}
 
 user.max_user_namespaces = 15076