From 8a824622bc4ea8885b5f301dc404454e4349ae2f Mon Sep 17 00:00:00 2001 From: Robert Kaussow Date: Tue, 13 Sep 2022 21:45:54 +0200 Subject: [PATCH] improve default kernel hardening --- defaults/main.yml | 6 ++++ templates/etc/sysctl.d/dump.conf.j2 | 5 ++- templates/etc/sysctl.d/local.conf.j2 | 46 +++++++++++++++++++++++++--- 3 files changed, 52 insertions(+), 5 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index e83432f..c4b96f5 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -4,6 +4,10 @@ kernel_disable_modules: kernel_blacklist_modules: - firewire-core + - dccp + - sctp + - tipc + - rds # @var kernel_ipv4_ping_group_range: $ "_unset" # @var kernel_ipv4_ping_group_range:example: $ "0 2000000" @@ -13,3 +17,5 @@ kernel_coredump_enabled: True kernel_cgroup_v2_enabled: False kernel_grub_rebuild_force: False + +kernel_ipv6_enabled: False diff --git a/templates/etc/sysctl.d/dump.conf.j2 b/templates/etc/sysctl.d/dump.conf.j2 index 5ba6c5a..bdf623b 100644 --- a/templates/etc/sysctl.d/dump.conf.j2 +++ b/templates/etc/sysctl.d/dump.conf.j2 @@ -1,3 +1,6 @@ {{ ansible_managed | comment }} -# disable core dumps for setuid programs +# Controls whether core dumps will append the PID to the core filename +kernel.core_uses_pid = 1 + +# Disable core dumps for setuid programs fs.suid_dumpable = 0 diff --git a/templates/etc/sysctl.d/local.conf.j2 b/templates/etc/sysctl.d/local.conf.j2 index 8369788..d9b55ec 100644 --- a/templates/etc/sysctl.d/local.conf.j2 +++ b/templates/etc/sysctl.d/local.conf.j2 @@ -4,9 +4,6 @@ kernel.exec-shield = 1 kernel.randomize_va_space = 2 -# Restricting access to kernel pointers in the proc filesystem -kernel.kptr_restrict = 1 - # Controls the System Request debugging functionality of the kernel kernel.sysrq = 0 
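Review bot: Adding dccp, sctp, tipc and rds to `kernel_blacklist_modules` only stops alias-based autoload (for example from `socket()`), not an explicit `modprobe sctp`, and the benchmarks that call for disabling these protocols expect an `install <module> /bin/false` entry for exactly that reason. The hunk's context shows a separate `kernel_disable_modules` list; if that list is what writes the `install` directives (not visible here), these four protocols belong there or in both lists, with a comment such as `# unused network protocols: blacklist only prevents autoload, use kernel_disable_modules for a hard disable` so operators understand the split. It is also worth documenting that sctp is required by some workloads (SCTP-based services, telecom stacks), so hosts that need it must override this default.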
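Review bot: `kernel_ipv6_enabled: False` is undocumented even though it changes what the sysctl template renders, and the neighbouring `kernel_ipv4_ping_group_range` shows the file already carries `# @var` annotations for operator-facing knobs. The default keeps the previous unconditional behaviour, which is fine, but dual-stack hosts will silently lose IPv6 unless this is stated, so I would add above the line `# False (default) disables IPv6 on every interface via net.ipv6.conf.*.disable_ipv6; True keeps IPv6 and renders the IPv6 redirect/source-route hardening instead`, in the same annotation style as the `# @var` lines if the doc tooling requires it.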
@@ -19,6 +16,41 @@ kernel.kptr_restrict = 2 # Limit scope for ptrace kernel.yama.ptrace_scope = 2 +# Command is trapped and sent to the init program to handle a graceful restart +kernel.ctrl-alt-del = 0 + +# Disable loading new modules +kernel.modules_disabled = 1 + +# Disable access to performance events by users without CAP_SYS_ADMIN +kernel.perf_event_paranoid = 3 + +# Prevents unprivileged users from being able to use eBPF +kernel.unprivileged_bpf_disabled = 1 + +# Restricts loading TTY line disciplines to the CAP_SYS_MODULE capability +dev.tty.ldisc_autoload = 0 + +# Disallow opening FIFOs or regular files not owned by the user in world-writable directories +fs.protected_fifos = 2 +fs.protected_regular = 2 + +# Disallow following not owned by the user in world-writable directories +fs.protected_hardlinks = 1 +fs.protected_symlinks = 1 + +# Restrict eBPF to the CAP_BPF/CAP_SYS_ADMIN capability +net.core.bpf_jit_harden = 2 + +# Disable Bootstrap protocol, as it is superseded by DHCP +net.ipv4.conf.all.bootp_relay = 0 + +# Disable forwarding of multicast packets on all interfaces +net.ipv4.conf.all.mc_forwarding = 0 + +# Disable the ARP proxy on all interfaces +net.ipv4.conf.all.proxy_arp = 0 + # Avoid a smurf attack net.ipv4.icmp_echo_ignore_broadcasts = 1 @@ -30,7 +62,6 @@ net.ipv4.tcp_syncookies = 1 # Turn on and log spoofed, source routed, and redirect packets net.ipv4.conf.all.log_martians = 1 -net.ipv4.conf.default.accept_source_route = 0 # No source routed packets here net.ipv4.conf.all.accept_source_route = 0 
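Review bot: `kernel.modules_disabled = 1` is applied unconditionally from a sysctl.d drop-in, and it is a one-way switch: once systemd-sysctl at boot or the role's sysctl reload mid-play sets it, nothing can load a module until reboot — not the remaining keys in this file if their module is not yet loaded, not on-demand loaders such as nf_conntrack or br_netfilter, and not any later task in the same run. I would gate it on a role variable that defaults to off and document the reboot semantics next to it: `{% if kernel_modules_disabled | bool %}` / `kernel.modules_disabled = 1` / `{% endif %}`. `net.ipv4.conf.all.mc_forwarding` is, as far as I know, exposed read-only on mainline kernels (its value is driven by the multicast routing daemon via setsockopt), so `sysctl --system` will log a permission error for that key; verify on a target and drop the line if so. Two comments mislead: `net.core.bpf_jit_harden = 2` does not restrict who may use eBPF (that is what `kernel.unprivileged_bpf_disabled` above does), it enables JIT constant blinding for every program, so `# Enable JIT hardening (constant blinding) for all eBPF programs, including privileged ones`; and the hardlinks/symlinks comment lost its object, e.g. `# Restrict creating hardlinks to files the user does not own, and following symlinks in world-writable sticky directories`.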
@@ -57,14 +88,21 @@ net.ipv4.conf.default.log_martians = 1 # Turn off the tcp_timestamps net.ipv4.tcp_timestamps = 0 +{% if not kernel_ipv6_enabled | bool %} # Disable IPv6 for all interfaces net.ipv6.conf.all.disable_ipv6 = 1 net.ipv6.conf.default.disable_ipv6 = 1 +{% else %} # Disable ICMP routing redirects net.ipv6.conf.all.accept_redirects = 0 net.ipv6.conf.default.accept_redirects = 0 + +# Disable forwarding of IPv6 source-routed packets +net.ipv6.conf.all.accept_source_route = 0 +net.ipv6.conf.default.accept_source_route = 0 +{% endif %} {% if kernel_namespace_support_enabled | bool %} user.max_user_namespaces = 15076