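#jinja2: lstrip_blocks: True
{{ ansible_managed | comment }}

# Kernel hardening sysctl settings rendered by Ansible.
# Format: one "key = value" per line, '#' full-line comments only.
# Template variables:
#   kernel_ipv6_enabled              - bool; when false, IPv6 is disabled on all interfaces
#   kernel_namespace_support_enabled - bool; when true, a user namespace limit is applied
#   kernel_ipv4_ping_group_range     - optional "min max" GID range allowed to open ICMP echo sockets
# Several keys below only exist on newer kernels (or on vendor-patched ones);
# apply with an error-tolerant mode (e.g. sysctl --system / -e) if older kernels are in scope.

# Buffer Overflow Protection
# NOTE: kernel.exec-shield exists only on legacy Red Hat patched kernels; mainline
# kernels have no such key and a strict apply reports it as unknown.
kernel.exec-shield = 1
kernel.randomize_va_space = 2

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Restrict unprivileged access to kernel syslog
kernel.dmesg_restrict = 1

# Restrict kernel address exposing
kernel.kptr_restrict = 2

# Limit scope for ptrace (requires the Yama LSM to be built in and active)
kernel.yama.ptrace_scope = 2

# Command is trapped and sent to the init program to handle a graceful restart
kernel.ctrl-alt-del = 0

# Disable loading new modules
# NOTE: one-way until reboot; every module the system needs (filesystems,
# netfilter, device drivers) must already be loaded before this is applied.
kernel.modules_disabled = 1

# Disable access to performance events by users without CAP_SYS_ADMIN
# (values above 2 are only distinguished by some distribution kernels;
# mainline treats 3 like 2)
kernel.perf_event_paranoid = 3

# Prevents unprivileged users from being able to use eBPF
# NOTE: value 1 cannot be reverted without a reboot.
kernel.unprivileged_bpf_disabled = 1

# Restricts loading TTY line disciplines to the CAP_SYS_MODULE capability
dev.tty.ldisc_autoload = 0

# Disallow opening FIFOs or regular files not owned by the user in world-writable sticky directories
fs.protected_fifos = 2
fs.protected_regular = 2

# Disallow creating hardlinks to files the user does not own, and disallow
# following symlinks in world-writable sticky directories unless the symlink
# owner matches the follower or the directory owner
fs.protected_hardlinks = 1
fs.protected_symlinks = 1

# Enable BPF JIT hardening (constant blinding) for all BPF programs,
# including those loaded by privileged users
net.core.bpf_jit_harden = 2

# Disable Bootstrap protocol relaying, as it is superseded by DHCP
net.ipv4.conf.all.bootp_relay = 0

# Disable forwarding of multicast packets on all interfaces
# NOTE: this key is read-only on current kernels (it reflects whether a
# multicast routing daemon is active); expect a write error there.
net.ipv4.conf.all.mc_forwarding = 0

# Disable the ARP proxy on all interfaces
net.ipv4.conf.all.proxy_arp = 0

# Avoid a smurf attack
net.ipv4.icmp_echo_ignore_broadcasts = 1

# Turn on protection for bad icmp error messages
net.ipv4.icmp_ignore_bogus_error_responses = 1

# Turn on syncookies for SYN flood attack protection
net.ipv4.tcp_syncookies = 1

# Log spoofed, source routed, and redirect packets (martians)
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

# No source routed packets here
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0

# Turn on reverse path filtering
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

# Make sure no one can alter the routing tables
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

# Don't act as a router
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

# Turn off the tcp_timestamps
# NOTE: this also disables PAWS and RTT measurement; reconsider on
# high-bandwidth links where sequence-number wraparound is a concern.
net.ipv4.tcp_timestamps = 0

{% if not kernel_ipv6_enabled | bool %}
# Disable IPv6 for all interfaces
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
{% else %}
# Disable ICMP routing redirects
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0

# Disable forwarding of IPv6 source-routed packets
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
{% endif %}

{% if kernel_namespace_support_enabled | bool %}
# Upper bound on user namespaces (containers, sandboxes) per user
user.max_user_namespaces = 15076
{% endif %}

{% if kernel_ipv4_ping_group_range is defined %}
# "min max" GID range permitted to open unprivileged ICMP echo sockets
net.ipv4.ping_group_range = {{ kernel_ipv4_ping_group_range }}
{% endif %}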