Compare commits
No commits in common. "main" and "docs" have entirely different histories.
|
@ -1,11 +0,0 @@
|
|||
# ---> Ansible
|
||||
*.retry
|
||||
plugins
|
||||
library
|
||||
|
||||
# ---> Python
|
||||
# Byte-compiled / optimized / DLL files
|
||||
__pycache__/
|
||||
*.py[cod]
|
||||
*$py.class
|
||||
|
15
.later.yml
15
.later.yml
|
@ -1,15 +0,0 @@
|
|||
---
|
||||
ansible:
|
||||
custom_modules:
|
||||
- iptables_raw
|
||||
- openssl_pkcs12
|
||||
- proxmox_kvm
|
||||
- ucr
|
||||
- corenetworks_dns
|
||||
- corenetworks_token
|
||||
|
||||
rules:
|
||||
exclude_files:
|
||||
- "LICENSE*"
|
||||
- "**/*.md"
|
||||
- "**/*.ini"
|
|
@ -1,7 +0,0 @@
|
|||
---
|
||||
default: True
|
||||
MD013: False
|
||||
MD041: False
|
||||
MD024: False
|
||||
MD004:
|
||||
style: dash
|
|
@ -1 +0,0 @@
|
|||
LICENSE
|
|
@ -1,47 +0,0 @@
|
|||
---
|
||||
when:
|
||||
- event: [pull_request]
|
||||
- event: [push, manual]
|
||||
branch:
|
||||
- ${CI_REPO_DEFAULT_BRANCH}
|
||||
|
||||
steps:
|
||||
- name: generate
|
||||
image: quay.io/thegeeklab/ansible-doctor
|
||||
environment:
|
||||
ANSIBLE_DOCTOR_EXCLUDE_FILES: molecule/
|
||||
ANSIBLE_DOCTOR_FORCE_OVERWRITE: "true"
|
||||
ANSIBLE_DOCTOR_LOG_LEVEL: INFO
|
||||
ANSIBLE_DOCTOR_ROLE_NAME: ${CI_REPO_NAME}
|
||||
ANSIBLE_DOCTOR_TEMPLATE: readme
|
||||
|
||||
- name: format
|
||||
image: quay.io/thegeeklab/alpine-tools
|
||||
commands:
|
||||
- prettier -w README.md
|
||||
|
||||
- name: diff
|
||||
image: quay.io/thegeeklab/alpine-tools
|
||||
commands:
|
||||
- git diff --color=always README.md
|
||||
|
||||
- name: publish
|
||||
image: quay.io/thegeeklab/wp-git-action
|
||||
settings:
|
||||
action:
|
||||
- commit
|
||||
- push
|
||||
author_email: ci-bot@rknet.org
|
||||
author_name: ci-bot
|
||||
branch: main
|
||||
message: "[skip ci] automated docs update"
|
||||
netrc_machine: gitea.rknet.org
|
||||
netrc_password:
|
||||
from_secret: gitea_token
|
||||
when:
|
||||
- event: [push, manual]
|
||||
branch:
|
||||
- ${CI_REPO_DEFAULT_BRANCH}
|
||||
|
||||
depends_on:
|
||||
- test
|
|
@ -1,30 +0,0 @@
|
|||
---
|
||||
when:
|
||||
- event: [pull_request, tag]
|
||||
- event: [push, manual]
|
||||
branch:
|
||||
- ${CI_REPO_DEFAULT_BRANCH}
|
||||
|
||||
steps:
|
||||
- name: ansible-later
|
||||
image: quay.io/thegeeklab/ansible-later:4
|
||||
commands:
|
||||
- ansible-later
|
||||
environment:
|
||||
FORCE_COLOR: "1"
|
||||
|
||||
- name: python-format
|
||||
image: docker.io/python:3.12
|
||||
commands:
|
||||
- pip install -qq ruff
|
||||
- ruff format --check --diff .
|
||||
environment:
|
||||
PY_COLORS: "1"
|
||||
|
||||
- name: python-lint
|
||||
image: docker.io/python:3.12
|
||||
commands:
|
||||
- pip install -qq ruff
|
||||
- ruff .
|
||||
environment:
|
||||
PY_COLORS: "1"
|
|
@ -1,26 +0,0 @@
|
|||
---
|
||||
when:
|
||||
- event: [tag]
|
||||
- event: [push, manual]
|
||||
branch:
|
||||
- ${CI_REPO_DEFAULT_BRANCH}
|
||||
|
||||
runs_on: [success, failure]
|
||||
|
||||
steps:
|
||||
- name: matrix
|
||||
image: quay.io/thegeeklab/wp-matrix
|
||||
settings:
|
||||
homeserver:
|
||||
from_secret: matrix_homeserver
|
||||
password:
|
||||
from_secret: matrix_password
|
||||
roomid:
|
||||
from_secret: matrix_roomid
|
||||
username:
|
||||
from_secret: matrix_username
|
||||
when:
|
||||
- status: [success, failure]
|
||||
|
||||
depends_on:
|
||||
- docs
|
|
@ -1,25 +0,0 @@
|
|||
---
|
||||
when:
|
||||
- event: [pull_request, tag]
|
||||
- event: [push, manual]
|
||||
branch:
|
||||
- ${CI_REPO_DEFAULT_BRANCH}
|
||||
|
||||
variables:
|
||||
- &molecule_base
|
||||
image: quay.io/thegeeklab/molecule:6
|
||||
group: molecule
|
||||
secrets:
|
||||
- source: molecule_hcloud_token
|
||||
target: HCLOUD_TOKEN
|
||||
environment:
|
||||
PY_COLORS: "1"
|
||||
|
||||
steps:
|
||||
- name: molecule-default
|
||||
<<: *molecule_base
|
||||
commands:
|
||||
- molecule test -s default
|
||||
|
||||
depends_on:
|
||||
- lint
|
21
LICENSE
21
LICENSE
|
@ -1,21 +0,0 @@
|
|||
MIT License
|
||||
|
||||
Copyright (c) 2022 Robert Kaussow <mail@thegeeklab.de>
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
of this software and associated documentation files (the "Software"), to deal
|
||||
in the Software without restriction, including without limitation the rights
|
||||
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
copies of the Software, and to permit persons to whom the Software is furnished
|
||||
to do so, subject to the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice (including the next
|
||||
paragraph) shall be included in all copies or substantial portions of the
|
||||
Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
|
||||
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS
|
||||
OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
|
||||
WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF
|
||||
OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
|
@ -1,11 +1,15 @@
|
|||
# xoxys.kernel
|
||||
---
|
||||
title: kernel
|
||||
type: docs
|
||||
---
|
||||
|
||||
[![Build Status](https://ci.rknet.org/api/badges/ansible/xoxys.kernel/status.svg)](https://ci.rknet.org/repos/ansible/xoxys.kernel)
|
||||
[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg?label=license)](https://gitea.rknet.org/ansible/xoxys.kernel/src/branch/main/LICENSE)
|
||||
[![Source Code](https://img.shields.io/badge/gitea-source%20code-blue?logo=gitea&logoColor=white)](https://gitea.rknet.org/ansible/xoxys.kernel)
|
||||
[![Build Status](https://img.shields.io/drone/build/ansible/xoxys.kernel?logo=drone&server=https%3A%2F%2Fdrone.rknet.org)](https://drone.rknet.org/ansible/xoxys.kernel)
|
||||
[![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](https://gitea.rknet.org/ansible/xoxys.kernel/src/branch/main/LICENSE)
|
||||
|
||||
Configure kernel parameters and coredump settings.
|
||||
|
||||
## Table of content
|
||||
<!--more-->
|
||||
|
||||
- [Requirements](#requirements)
|
||||
- [Default Variables](#default-variables)
|
||||
|
@ -18,16 +22,13 @@ Configure kernel parameters and coredump settings.
|
|||
- [kernel_ipv6_enabled](#kernel_ipv6_enabled)
|
||||
- [kernel_ipv6_forwarding_enabled](#kernel_ipv6_forwarding_enabled)
|
||||
- [kernel_namespace_support_enabled](#kernel_namespace_support_enabled)
|
||||
- [kernel_printk](#kernel_printk)
|
||||
- [Dependencies](#dependencies)
|
||||
- [License](#license)
|
||||
- [Author](#author)
|
||||
|
||||
---
|
||||
|
||||
## Requirements
|
||||
|
||||
- Minimum Ansible version: `2.10`
|
||||
- Minimum Ansible version: `2.1`
|
||||
|
||||
## Default Variables
|
||||
|
||||
|
@ -131,22 +132,8 @@ kernel_ipv6_forwarding_enabled: false
|
|||
kernel_namespace_support_enabled: false
|
||||
```
|
||||
|
||||
### kernel_printk
|
||||
|
||||
#### Default value
|
||||
|
||||
```YAML
|
||||
kernel_printk: 4 4 1 7
|
||||
```
|
||||
|
||||
## Dependencies
|
||||
|
||||
None.
|
||||
|
||||
## License
|
||||
|
||||
MIT
|
||||
|
||||
## Author
|
||||
|
||||
[Robert Kaussow](https://gitea.rknet.org/xoxys)
|
|
@ -1,37 +0,0 @@
|
|||
---
|
||||
kernel_disable_modules:
|
||||
- usb-storage
|
||||
- firewire-core
|
||||
- dccp
|
||||
- sctp
|
||||
- tipc
|
||||
- rds
|
||||
- bluetooth
|
||||
- cramfs
|
||||
- squashfs
|
||||
- udf
|
||||
|
||||
kernel_blacklist_modules: []
|
||||
|
||||
kernel_custom_config: []
|
||||
# @var kernel_custom_config:example: >
|
||||
# kernel_custom_config:
|
||||
# - file: 90-example
|
||||
# content:
|
||||
# - name: vm.panic_on_oom
|
||||
# value: 0
|
||||
# - name: vm.overcommit_memory
|
||||
# value: 1
|
||||
# @end
|
||||
|
||||
kernel_namespace_support_enabled: False
|
||||
kernel_coredump_enabled: True
|
||||
|
||||
# @var kernel_ipv4_ping_group_range: $ "_unset"
|
||||
# @var kernel_ipv4_ping_group_range:example: $ "0 2000000"
|
||||
kernel_ipv4_forwarding_enabled: False
|
||||
|
||||
kernel_ipv6_enabled: False
|
||||
kernel_ipv6_forwarding_enabled: False
|
||||
|
||||
kernel_printk: "4 4 1 7"
|
|
@ -1,9 +0,0 @@
|
|||
---
|
||||
- name: Reload kernel configuration
|
||||
ansible.builtin.command: "sysctl --system"
|
||||
listen: __kernel_reload
|
||||
|
||||
- name: Reboot server
|
||||
ansible.builtin.reboot:
|
||||
reboot_timeout: 600
|
||||
listen: __kernel_server_restart
|
|
@ -0,0 +1,132 @@
|
|||
---
|
||||
title: kernel
|
||||
type: docs
|
||||
---
|
||||
|
||||
[![Source Code](https://img.shields.io/badge/gitea-source%20code-blue?logo=gitea&logoColor=white)](https://gitea.rknet.org/ansible/xoxys.kernel) [![Build Status](https://img.shields.io/drone/build/ansible/xoxys.kernel?logo=drone&server=https%3A%2F%2Fdrone.rknet.org)](https://drone.rknet.org/ansible/xoxys.kernel) [![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](https://gitea.rknet.org/ansible/xoxys.kernel/src/branch/main/LICENSE)
|
||||
|
||||
Configure kernel parameters and coredump settings.
|
||||
|
||||
<!--more-->
|
||||
|
||||
- [Default Variables](#default-variables)
|
||||
- [kernel_blacklist_modules](#kernel_blacklist_modules)
|
||||
- [kernel_coredump_enabled](#kernel_coredump_enabled)
|
||||
- [kernel_custom_config](#kernel_custom_config)
|
||||
- [kernel_disable_modules](#kernel_disable_modules)
|
||||
- [kernel_ipv4_forwarding_enabled](#kernel_ipv4_forwarding_enabled)
|
||||
- [kernel_ipv4_ping_group_range](#kernel_ipv4_ping_group_range)
|
||||
- [kernel_ipv6_enabled](#kernel_ipv6_enabled)
|
||||
- [kernel_ipv6_forwarding_enabled](#kernel_ipv6_forwarding_enabled)
|
||||
- [kernel_namespace_support_enabled](#kernel_namespace_support_enabled)
|
||||
- [Dependencies](#dependencies)
|
||||
|
||||
---
|
||||
|
||||
## Default Variables
|
||||
|
||||
### kernel_blacklist_modules
|
||||
|
||||
#### Default value
|
||||
|
||||
```YAML
|
||||
kernel_blacklist_modules: []
|
||||
```
|
||||
|
||||
### kernel_coredump_enabled
|
||||
|
||||
#### Default value
|
||||
|
||||
```YAML
|
||||
kernel_coredump_enabled: true
|
||||
```
|
||||
|
||||
### kernel_custom_config
|
||||
|
||||
#### Default value
|
||||
|
||||
```YAML
|
||||
kernel_custom_config: []
|
||||
```
|
||||
|
||||
#### Example usage
|
||||
|
||||
```YAML
|
||||
kernel_custom_config:
|
||||
- file: 90-example
|
||||
content:
|
||||
- name: vm.panic_on_oom
|
||||
value: 0
|
||||
- name: vm.overcommit_memory
|
||||
value: 1
|
||||
```
|
||||
|
||||
### kernel_disable_modules
|
||||
|
||||
#### Default value
|
||||
|
||||
```YAML
|
||||
kernel_disable_modules:
|
||||
- usb-storage
|
||||
- firewire-core
|
||||
- dccp
|
||||
- sctp
|
||||
- tipc
|
||||
- rds
|
||||
- bluetooth
|
||||
- cramfs
|
||||
- squashfs
|
||||
- udf
|
||||
```
|
||||
|
||||
### kernel_ipv4_forwarding_enabled
|
||||
|
||||
#### Default value
|
||||
|
||||
```YAML
|
||||
kernel_ipv4_forwarding_enabled: false
|
||||
```
|
||||
|
||||
### kernel_ipv4_ping_group_range
|
||||
|
||||
#### Default value
|
||||
|
||||
```YAML
|
||||
kernel_ipv4_ping_group_range: _unset
|
||||
```
|
||||
|
||||
#### Example usage
|
||||
|
||||
```YAML
|
||||
kernel_ipv4_ping_group_range: 0 2000000
|
||||
```
|
||||
|
||||
### kernel_ipv6_enabled
|
||||
|
||||
#### Default value
|
||||
|
||||
```YAML
|
||||
kernel_ipv6_enabled: false
|
||||
```
|
||||
|
||||
### kernel_ipv6_forwarding_enabled
|
||||
|
||||
#### Default value
|
||||
|
||||
```YAML
|
||||
kernel_ipv6_forwarding_enabled: false
|
||||
```
|
||||
|
||||
### kernel_namespace_support_enabled
|
||||
|
||||
#### Default value
|
||||
|
||||
```YAML
|
||||
kernel_namespace_support_enabled: false
|
||||
```
|
||||
|
||||
|
||||
|
||||
## Dependencies
|
||||
|
||||
None.
|
|
@ -1,25 +0,0 @@
|
|||
---
|
||||
galaxy_info:
|
||||
# @meta author:value: [Robert Kaussow](https://gitea.rknet.org/xoxys)
|
||||
author: Robert Kaussow <mail@thegeeklab.de>
|
||||
namespace: xoxys
|
||||
role_name: kernel
|
||||
# @meta description: >
|
||||
# [![Build Status](https://ci.rknet.org/api/badges/ansible/xoxys.kernel/status.svg)](https://ci.rknet.org/repos/ansible/xoxys.kernel)
|
||||
# [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg?label=license)](https://gitea.rknet.org/ansible/xoxys.kernel/src/branch/main/LICENSE)
|
||||
#
|
||||
# Configure kernel parameters and coredump settings.
|
||||
# @end
|
||||
description: Configure kernel parameters and coredump settings
|
||||
license: MIT
|
||||
min_ansible_version: "2.10"
|
||||
platforms:
|
||||
- name: EL
|
||||
versions:
|
||||
- "9"
|
||||
galaxy_tags:
|
||||
- kernel
|
||||
- security
|
||||
dependencies: []
|
||||
collections:
|
||||
- community.general
|
|
@ -1,15 +0,0 @@
|
|||
---
|
||||
- name: Converge
|
||||
hosts: all
|
||||
vars:
|
||||
kernel_coredump_enabled: False
|
||||
kernel_ipv6_enabled: True
|
||||
kernel_custom_config:
|
||||
- file: 90-example
|
||||
content:
|
||||
- name: vm.panic_on_oom
|
||||
value: 0
|
||||
- name: vm.overcommit_memory
|
||||
value: 1
|
||||
roles:
|
||||
- role: xoxys.kernel
|
|
@ -1,17 +0,0 @@
|
|||
---
|
||||
driver:
|
||||
name: molecule_hetznercloud
|
||||
dependency:
|
||||
name: galaxy
|
||||
options:
|
||||
role-file: molecule/requirements.yml
|
||||
requirements-file: molecule/requirements.yml
|
||||
platforms:
|
||||
- name: "rocky9-kernel"
|
||||
server_type: "cx11"
|
||||
image: "rocky-9"
|
||||
provisioner:
|
||||
name: ansible
|
||||
log: False
|
||||
verifier:
|
||||
name: testinfra
|
|
@ -1,11 +0,0 @@
|
|||
---
|
||||
- name: Prepare
|
||||
hosts: all
|
||||
gather_facts: False
|
||||
tasks:
|
||||
- name: Bootstrap Python for Ansible
|
||||
ansible.builtin.raw: |
|
||||
command -v python3 python ||
|
||||
((test -e /usr/bin/apt && (apt -y update && apt install -y python-minimal)) ||
|
||||
echo "Warning: Python not boostrapped due to unknown platform.")
|
||||
changed_when: False
|
|
@ -1,47 +0,0 @@
|
|||
import os
|
||||
|
||||
import pytest
|
||||
import testinfra.utils.ansible_runner
|
||||
|
||||
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
|
||||
os.environ["MOLECULE_INVENTORY_FILE"]
|
||||
).get_hosts("all")
|
||||
|
||||
|
||||
def test_sysctl_file(host):
|
||||
sysctl = host.file("/etc/sysctl.d/99-local.conf")
|
||||
|
||||
assert sysctl.exists
|
||||
assert sysctl.user == "root"
|
||||
assert sysctl.group == "root"
|
||||
assert sysctl.mode == 0o644
|
||||
|
||||
|
||||
@pytest.mark.parametrize(
|
||||
"name,value",
|
||||
[
|
||||
("net.ipv4.ip_forward", 0),
|
||||
("net.ipv6.conf.all.forwarding", 0),
|
||||
("vm.panic_on_oom", 0),
|
||||
("vm.overcommit_memory", 1),
|
||||
],
|
||||
)
|
||||
def test_sysctl_values(host, name, value):
|
||||
assert host.sysctl(name) == value
|
||||
|
||||
|
||||
def test_modprobe_file(host):
|
||||
modprobe = host.file("/etc/modprobe.d/custom.conf")
|
||||
|
||||
assert modprobe.exists
|
||||
assert modprobe.user == "root"
|
||||
assert modprobe.group == "root"
|
||||
assert modprobe.mode == 0o644
|
||||
assert modprobe.contains("install usb-storage /bin/true")
|
||||
assert modprobe.contains("blacklist firewire-core")
|
||||
|
||||
|
||||
def test_coredump_config(host):
|
||||
assert host.file("/etc/sysctl.d/99-dump.conf").exists
|
||||
assert host.file("/etc/security/limits.d/dump.conf").exists
|
||||
assert host.file("/etc/profile.d/dump.sh").exists
|
|
@ -1,4 +0,0 @@
|
|||
---
|
||||
collections: []
|
||||
|
||||
roles: []
|
|
@ -1,17 +0,0 @@
|
|||
[tool.ruff]
|
||||
exclude = [".git", "__pycache__"]
|
||||
|
||||
line-length = 99
|
||||
indent-width = 4
|
||||
|
||||
[tool.ruff.lint]
|
||||
ignore = ["W191", "E111", "E114", "E117", "S101", "S105"]
|
||||
select = ["F", "E", "I", "W", "S"]
|
||||
|
||||
[tool.ruff.format]
|
||||
quote-style = "double"
|
||||
indent-style = "space"
|
||||
line-ending = "lf"
|
||||
|
||||
[tool.pytest.ini_options]
|
||||
filterwarnings = ["ignore::FutureWarning", "ignore::DeprecationWarning"]
|
|
@ -1,33 +0,0 @@
|
|||
---
|
||||
- name: Disable core dump for setuid programs
|
||||
ansible.builtin.template:
|
||||
src: etc/sysctl.d/99-dump.conf.j2
|
||||
dest: /etc/sysctl.d/99-dump.conf
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
notify: __kernel_reload
|
||||
|
||||
- name: Disable core dump for all users
|
||||
ansible.builtin.template:
|
||||
src: etc/security/limits.d/dump.conf.j2
|
||||
dest: /etc/security/limits.d/dump.conf
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
|
||||
- name: Disable core dump via soft limits
|
||||
ansible.builtin.template:
|
||||
src: etc/profile.d/dump.sh.j2
|
||||
dest: /etc/profile.d/dump.sh
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
|
||||
- name: Disable core dump via systemd
|
||||
ansible.builtin.template:
|
||||
src: etc/systemd/coredump.conf.j2
|
||||
dest: /etc/systemd/coredump.conf
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
|
@ -1,30 +0,0 @@
|
|||
---
|
||||
- name: Set default kernel hardening parameters
|
||||
ansible.builtin.template:
|
||||
src: etc/sysctl.d/99-local.conf.j2
|
||||
dest: /etc/sysctl.d/99-local.conf
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
notify: __kernel_reload
|
||||
|
||||
- name: Deploy custom kernel configurations
|
||||
ansible.builtin.template:
|
||||
src: etc/sysctl.d/xx-custom.conf.j2
|
||||
dest: "/etc/sysctl.d/{{ item.file }}.conf"
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
loop: "{{ kernel_custom_config }}"
|
||||
loop_control:
|
||||
label: "{{ item.file }}"
|
||||
notify: __kernel_reload
|
||||
|
||||
- name: Deploy custom modprobe
|
||||
ansible.builtin.template:
|
||||
src: etc/modprobe.d/custom.conf.j2
|
||||
dest: /etc/modprobe.d/custom.conf
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0644"
|
||||
notify: __kernel_reload
|
|
@ -1,5 +0,0 @@
|
|||
---
|
||||
- ansible.builtin.include_tasks: kernel.yml
|
||||
- ansible.builtin.include_tasks: coredump.yml
|
||||
when: not (kernel_coredump_enabled | bool)
|
||||
- ansible.builtin.include_tasks: post.yml
|
|
@ -1,3 +0,0 @@
|
|||
---
|
||||
- name: Flush handlers to enforce sysctl reload
|
||||
ansible.builtin.meta: flush_handlers
|
|
@ -1,11 +0,0 @@
|
|||
#jinja2: lstrip_blocks: True
|
||||
{{ ansible_managed | comment }}
|
||||
{% for module in kernel_disable_modules %}
|
||||
install {{ module }} /bin/true
|
||||
{% endfor %}
|
||||
{% if (kernel_blacklist_modules + kernel_disable_modules) | length > 0 %}
|
||||
|
||||
{% for module in (kernel_blacklist_modules + kernel_disable_modules) %}
|
||||
blacklist {{ module }}
|
||||
{% endfor %}
|
||||
{% endif %}
|
|
@ -1,3 +0,0 @@
|
|||
{{ ansible_managed | comment}}
|
||||
# Disable core dumps via soft limits for all users
|
||||
ulimit -S -c 0 > /dev/null 2>&1
|
|
@ -1,3 +0,0 @@
|
|||
{{ ansible_managed | comment }}
|
||||
# Prevent core dumps for all users
|
||||
* hard core 0
|
|
@ -1,10 +0,0 @@
|
|||
#jinja2: lstrip_blocks: True
|
||||
{{ ansible_managed | comment }}
|
||||
# Controls whether core dumps will append the PID to the core filename
|
||||
kernel.core_uses_pid = 1
|
||||
|
||||
# Disable storing core dumps
|
||||
kernel.core_pattern = |/bin/false
|
||||
|
||||
# Disable core dumps for setuid programs
|
||||
fs.suid_dumpable = 0
|
|
@ -1,106 +0,0 @@
|
|||
#jinja2: lstrip_blocks: True
|
||||
{{ ansible_managed | comment }}
|
||||
# Buffer Overflow Protection
|
||||
kernel.exec-shield = 1
|
||||
kernel.randomize_va_space = 2
|
||||
|
||||
# Controls the System Request debugging functionality of the kernel
|
||||
kernel.sysrq = 0
|
||||
|
||||
# Command is trapped and sent to the init program to handle a graceful restart
|
||||
kernel.ctrl-alt-del = 0
|
||||
|
||||
# Prevents unprivileged users from being able to use eBPF
|
||||
kernel.unprivileged_bpf_disabled = 1
|
||||
|
||||
# Restricts loading TTY line disciplines to the CAP_SYS_MODULE capability
|
||||
dev.tty.ldisc_autoload = 0
|
||||
|
||||
# Disallow opening FIFOs or regular files not owned by the user in world-writable directories
|
||||
fs.protected_fifos = 2
|
||||
fs.protected_regular = 2
|
||||
|
||||
# Disallow following not owned by the user in world-writable directories
|
||||
fs.protected_hardlinks = 1
|
||||
fs.protected_symlinks = 1
|
||||
|
||||
# Restrict eBPF to the CAP_BPF/CAP_SYS_ADMIN capability
|
||||
net.core.bpf_jit_harden = 2
|
||||
|
||||
# Disable Bootstrap protocol, as it is superseded by DHCP
|
||||
net.ipv4.conf.all.bootp_relay = 0
|
||||
|
||||
# Disable the ARP proxy on all interfaces
|
||||
net.ipv4.conf.all.proxy_arp = 0
|
||||
|
||||
# Avoid a smurf attack
|
||||
net.ipv4.icmp_echo_ignore_broadcasts = 1
|
||||
|
||||
# Turn on protection for bad icmp error messages
|
||||
net.ipv4.icmp_ignore_bogus_error_responses = 1
|
||||
|
||||
# Turn on syncookies for SYN flood attack protection
|
||||
net.ipv4.tcp_syncookies = 1
|
||||
|
||||
# Turn on and log spoofed, source routed, and redirect packets
|
||||
net.ipv4.conf.all.log_martians = 1
|
||||
net.ipv4.conf.default.accept_source_route = 0
|
||||
|
||||
# No source routed packets here
|
||||
net.ipv4.conf.all.accept_source_route = 0
|
||||
net.ipv4.conf.default.accept_source_route = 0
|
||||
|
||||
# Turn on reverse path filtering
|
||||
net.ipv4.conf.all.rp_filter = 1
|
||||
net.ipv4.conf.default.rp_filter = 1
|
||||
|
||||
# Make sure no one can alter the routing tables
|
||||
net.ipv4.conf.all.accept_redirects = 0
|
||||
net.ipv4.conf.default.accept_redirects = 0
|
||||
net.ipv4.conf.all.secure_redirects = 0
|
||||
net.ipv4.conf.default.secure_redirects = 0
|
||||
|
||||
# Don't act as a router
|
||||
net.ipv4.ip_forward = {{ kernel_ipv4_forwarding_enabled | bool | ternary(1, 0, 0) }}
|
||||
net.ipv4.conf.all.send_redirects = 0
|
||||
net.ipv4.conf.default.send_redirects = 0
|
||||
|
||||
# Make sure spoofed packets get logged
|
||||
net.ipv4.conf.all.log_martians = 1
|
||||
net.ipv4.conf.default.log_martians = 1
|
||||
|
||||
# Turn off the tcp_timestamps
|
||||
net.ipv4.tcp_timestamps = 0
|
||||
{% if not kernel_ipv6_enabled | bool %}
|
||||
|
||||
# Disable IPv6 for all interfaces
|
||||
net.ipv6.conf.all.disable_ipv6 = 1
|
||||
net.ipv6.conf.default.disable_ipv6 = 1
|
||||
{% else %}
|
||||
|
||||
# Disable router advertisements
|
||||
net.ipv6.conf.default.accept_ra = 0
|
||||
net.ipv6.conf.all.accept_ra = 0
|
||||
|
||||
# Disable ICMP routing redirects
|
||||
net.ipv6.conf.all.accept_redirects = 0
|
||||
net.ipv6.conf.default.accept_redirects = 0
|
||||
|
||||
# Disable forwarding of IPv6 source-routed packets
|
||||
net.ipv6.conf.all.accept_source_route = 0
|
||||
net.ipv6.conf.default.accept_source_route = 0
|
||||
|
||||
# Disable forwarding of IPv6
|
||||
net.ipv6.conf.all.forwarding = {{ kernel_ipv6_forwarding_enabled | bool | ternary(1, 0, 0) }}
|
||||
{% endif %}
|
||||
{% if kernel_namespace_support_enabled | bool %}
|
||||
|
||||
user.max_user_namespaces = 15076
|
||||
{% endif %}
|
||||
{% if kernel_ipv4_ping_group_range is defined %}
|
||||
|
||||
net.ipv4.ping_group_range={{ kernel_ipv4_ping_group_range }}
|
||||
{% endif %}
|
||||
|
||||
# Kernel message logging
|
||||
kernel.printk = {{ kernel_printk }}
|
|
@ -1,5 +0,0 @@
|
|||
#jinja2: lstrip_blocks: True
|
||||
{{ ansible_managed | comment }}
|
||||
{% for option in item.content %}
|
||||
{{ option.name }} = {{ option.value }}
|
||||
{% endfor %}
|
|
@ -1,7 +0,0 @@
|
|||
#jinja2: lstrip_blocks: True
|
||||
{{ ansible_managed | comment }}
|
||||
[Coredump]
|
||||
{% if not kernel_coredump_enabled | bool %}
|
||||
Storage=none
|
||||
ProcessSizeMax=0
|
||||
{% endif %}
|
Loading…
Reference in New Issue