improve default kernel hardening
Some checks failed
continuous-integration/drone/push Build is failing

This commit is contained in:
Robert Kaussow 2022-09-13 21:45:54 +02:00
parent 9c528ecc81
commit 8a824622bc
Signed by: xoxys
GPG Key ID: 4E692A2EAECC03C0
3 changed files with 52 additions and 5 deletions

View File

@ -4,6 +4,10 @@ kernel_disable_modules:
kernel_blacklist_modules:
- firewire-core
- dccp
- sctp
- tipc
- rds
# @var kernel_ipv4_ping_group_range: $ "_unset"
# @var kernel_ipv4_ping_group_range:example: $ "0 2000000"
@ -13,3 +17,5 @@ kernel_coredump_enabled: True
kernel_cgroup_v2_enabled: False
kernel_grub_rebuild_force: False
kernel_ipv6_enabled: False

View File

@ -1,3 +1,6 @@
{{ ansible_managed | comment }}
# disable core dumps for setuid programs
# Controls whether core dumps will append the PID to the core filename
kernel.core_uses_pid = 1
# Disable core dumps for setuid programs
fs.suid_dumpable = 0

View File

@ -4,9 +4,6 @@
kernel.exec-shield = 1
kernel.randomize_va_space = 2
# Restricting access to kernel pointers in the proc filesystem
kernel.kptr_restrict = 1
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
@ -19,6 +16,41 @@ kernel.kptr_restrict = 2
# Limit scope for ptrace
kernel.yama.ptrace_scope = 2
# Command is trapped and sent to the init program to handle a graceful restart
kernel.ctrl-alt-del = 0
# Disable loading new modules
kernel.modules_disabled = 1
# Disable access to performance events by users without CAP_SYS_ADMIN
kernel.perf_event_paranoid = 3
# Prevents unprivileged users from being able to use eBPF
kernel.unprivileged_bpf_disabled = 1
# Restricts loading TTY line disciplines to the CAP_SYS_MODULE capability
dev.tty.ldisc_autoload = 0
# Disallow opening FIFOs or regular files not owned by the user in world-writable directories
fs.protected_fifos = 2
fs.protected_regular = 2
# Disallow following not owned by the user in world-writable directories
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
# Restrict eBPF to the CAP_BPF/CAP_SYS_ADMIN capability
net.core.bpf_jit_harden = 2
# Disable Bootstrap protocol, as it is superseded by DHCP
net.ipv4.conf.all.bootp_relay = 0
# Disable forwarding of multicast packets on all interfaces
net.ipv4.conf.all.mc_forwarding = 0
# Disable the ARP proxy on all interfaces
net.ipv4.conf.all.proxy_arp = 0
# Avoid a smurf attack
net.ipv4.icmp_echo_ignore_broadcasts = 1
@ -30,7 +62,6 @@ net.ipv4.tcp_syncookies = 1
# Turn on and log spoofed, source routed, and redirect packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
# No source routed packets here
net.ipv4.conf.all.accept_source_route = 0
@ -57,14 +88,21 @@ net.ipv4.conf.default.log_martians = 1
# Turn off the tcp_timestamps
net.ipv4.tcp_timestamps = 0
{% if not kernel_ipv6_enabled | bool %}
# Disable IPv6 for all interfaces
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
{% else %}
# Disable ICMP routing redirects
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Disable forwarding of IPv6 source-routed packets
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
{% endif %}
{% if kernel_namespace_support_enabled | bool %}
user.max_user_namespaces = 15076