fix: disable and blacklist modules from kernel_disable_modules
This commit is contained in:
parent
8a824622bc
commit
ca27e64ad4
@ -1,14 +1,14 @@
|
|||||||
---
|
---
|
||||||
kernel_disable_modules:
|
kernel_disable_modules:
|
||||||
- usb-storage
|
- usb-storage
|
||||||
|
|
||||||
kernel_blacklist_modules:
|
|
||||||
- firewire-core
|
- firewire-core
|
||||||
- dccp
|
- dccp
|
||||||
- sctp
|
- sctp
|
||||||
- tipc
|
- tipc
|
||||||
- rds
|
- rds
|
||||||
|
|
||||||
|
kernel_blacklist_modules: []
|
||||||
|
|
||||||
# @var kernel_ipv4_ping_group_range: $ "_unset"
|
# @var kernel_ipv4_ping_group_range: $ "_unset"
|
||||||
# @var kernel_ipv4_ping_group_range:example: $ "0 2000000"
|
# @var kernel_ipv4_ping_group_range:example: $ "0 2000000"
|
||||||
|
|
||||||
|
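Review bot: The new defaults give `kernel_disable_modules` and `kernel_blacklist_modules` different effects (from the template in this commit, a disabled module gets both an `install … /bin/true` override and a `blacklist` entry, a blacklisted module only the `blacklist` entry), but nothing in this file says so, and the `# @var` annotations visible at the end of the hunk only cover `kernel_ipv4_ping_group_range`. Following that convention, I would add `# @var kernel_disable_modules:description: Modules that must never load; rendered as an "install <module> /bin/true" override plus a "blacklist" entry.` and `# @var kernel_blacklist_modules:description: Modules excluded from automatic loading only; an explicit modprobe can still load them.` Note also that moving firewire-core, dccp, sctp, tipc and rds into the disable list changes the default for existing deployments (they now receive the install override as well), which seems intended but is worth a line in the commit message.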
@ -1,10 +1,11 @@
|
|||||||
#jinja2: lstrip_blocks: True
|
#jinja2: lstrip_blocks: True
|
||||||
{{ ansible_managed | comment }}
|
{{ ansible_managed | comment }}
|
||||||
|
|
||||||
{% for module in kernel_disable_modules %}
|
{% for module in kernel_disable_modules %}
|
||||||
install {{ module }} /bin/true
|
install {{ module }} /bin/true
|
||||||
|
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
{% for module in kernel_blacklist_modules %}
|
{% if (kernel_blacklist_modules + kernel_disable_modules) | length > 0 %}
|
||||||
|
|
||||||
|
{% for module in (kernel_blacklist_modules + kernel_disable_modules) %}
|
||||||
blacklist {{ module }}
|
blacklist {{ module }}
|
||||||
{% endfor %}
|
{% endfor %}
|
||||||
|
{% endif %}
|
||||||
|
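Review bot: A module listed in both variables now produces `blacklist <module>` twice, because the new loop iterates the plain concatenation; appending `| unique` avoids the duplicate line, `{% for module in (kernel_blacklist_modules + kernel_disable_modules) | unique %}`. The added `{% if (…) | length > 0 %}` guard is redundant as written, since a for loop over an empty list already renders nothing, so it and its `{% endif %}` can go — unless the guard is there to suppress a stray blank line, in which case a short comment stating that would keep the next reader from removing it. The `+` also assumes both variables are lists; the `[]` default set in the vars file keeps that true, but an override that sets either to a string would fail inside the template with a type error rather than a clear message.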
@ -19,9 +19,6 @@ kernel.yama.ptrace_scope = 2
|
|||||||
# Command is trapped and sent to the init program to handle a graceful restart
|
# Command is trapped and sent to the init program to handle a graceful restart
|
||||||
kernel.ctrl-alt-del = 0
|
kernel.ctrl-alt-del = 0
|
||||||
|
|
||||||
# Disable loading new modules
|
|
||||||
kernel.modules_disabled = 1
|
|
||||||
|
|
||||||
# Disable access to performance events by users without CAP_SYS_ADMIN
|
# Disable access to performance events by users without CAP_SYS_ADMIN
|
||||||
kernel.perf_event_paranoid = 3
|
kernel.perf_event_paranoid = 3
|
||||||
|
|
||||||
|
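Review bot: Dropping `kernel.modules_disabled = 1` from the sysctl template is a hardening regression that the commit title does not mention: after this change nothing in the visible hunks stops module loading on a running system, because the `install … /bin/true` and `blacklist` entries added in the modprobe template only govern modprobe's automatic loading. If the removal is deliberate — that sysctl is a one-way switch until reboot and would also block modules the role's own tasks load later — I would keep the two lines (the `# Disable loading new modules` comment and the sysctl entry) behind a role variable with a documented default instead of deleting them, so operators who relied on it can opt back in; the variable name would need to follow the role's `kernel_*` naming (for example `kernel_modules_disabled`, a suggested name). Either way the commit message should state that this setting is no longer applied.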