-
Notifications
You must be signed in to change notification settings - Fork 739
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #20 from hardening-io/sysctl_restyle
Change sysctl-task. Fix #18
- Loading branch information
Showing
2 changed files
with
139 additions
and
144 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,146 +1,25 @@ | ||
| --- | ||
| - name: Disable IPv4 traffic forwarding. | ||
| sysctl: name='net.ipv4.ip_forward' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes | ||
| when: not os_network_forwarding | ||
|
|
||
| - name: Enable IPv4 traffic forwarding again, but only if required. | ||
| sysctl: name='net.ipv4.ip_forward' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes | ||
| when: os_network_forwarding | ||
|
|
||
| - name: Disable IPv6 traffic forwarding. | ||
| sysctl: name='net.ipv6.conf.all.forwarding' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes | ||
| when: not (os_network_forwarding and os_network_ipv6_enable) | ||
|
|
||
| - name: Enable IPv6 traffic forwarding again, but only if required. | ||
| sysctl: name='net.ipv6.conf.all.forwarding' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes | ||
| when: os_network_forwarding and os_network_ipv6_enable | ||
|
|
||
| - name: ignore RAs on Ipv6 | ||
| sysctl: name='net.ipv6.conf.all.accept_ra' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes | ||
|
|
||
| - name: ignore RAs on Ipv6 | ||
| sysctl: name='net.ipv6.conf.default.accept_ra' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes | ||
|
|
||
| - name: Enable RFC-recommended source validation feature. | ||
| sysctl: name='net.ipv4.conf.all.rp_filter' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes | ||
|
|
||
| - name: Enable RFC-recommended source validation feature. | ||
| sysctl: name='net.ipv4.conf.default.rp_filter' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes | ||
|
|
||
| - name: Reduce the surface on SMURF attacks. Make sure to ignore ECHO broadcasts, which are only required in broad network analysis. | ||
| sysctl: name='net.ipv4.icmp_echo_ignore_broadcasts' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes | ||
|
|
||
| - name: There is no reason to accept bogus error responses from ICMP, so ignore them instead. | ||
| sysctl: name='net.ipv4.icmp_ignore_bogus_error_responses' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes | ||
|
|
||
| - name: Limit the amount of traffic the system uses for ICMP. | ||
| sysctl: name='net.ipv4.icmp_ratelimit' value=100 sysctl_set=yes state=present reload=yes ignoreerrors=yes | ||
|
|
||
| - name: Adjust the ICMP ratelimit to include ping, dst unreachable, source quench, ime exceed, param problem, timestamp reply, information reply | ||
| sysctl: name='net.ipv4.icmp_ratemask' value=88089 sysctl_set=yes state=present reload=yes ignoreerrors=yes | ||
|
|
||
| - name: Disable IPv6 | ||
| sysctl: name='net.ipv6.conf.all.disable_ipv6' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes | ||
| when: not os_network_ipv6_enable | ||
|
|
||
| - name: Enable IPv6 as it is needed. | ||
| sysctl: name='net.ipv6.conf.all.disable_ipv6' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes | ||
| when: os_network_ipv6_enable | ||
|
|
||
| - name: Protect against wrapping sequence numbers at gigabit speeds | ||
| sysctl: name='net.ipv4.tcp_timestamps' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes | ||
|
|
||
| - name: Define restriction level for announcing the local source IP | ||
| sysctl: name='net.ipv4.conf.all.arp_ignore' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes | ||
| when: not os_network_arp_restricted | ||
|
|
||
| - name: Define restriction level for announcing the local source IP | ||
| sysctl: name='net.ipv4.conf.all.arp_ignore' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes | ||
| when: os_network_arp_restricted | ||
|
|
||
| - name: Define mode for sending replies in response to received ARP requests that resolve local target IP addresses | ||
| sysctl: name='net.ipv4.conf.all.arp_announce' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes | ||
| when: not os_network_arp_restricted | ||
|
|
||
| - name: Define mode for sending replies in response to received ARP requests that resolve local target IP addresses | ||
| sysctl: name='net.ipv4.conf.all.arp_announce' value=2 sysctl_set=yes state=present reload=yes ignoreerrors=yes | ||
| when: os_network_arp_restricted | ||
|
|
||
| - name: RFC 1337 fix F1 | ||
| sysctl: name='net.ipv4.tcp_rfc1337' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes | ||
|
|
||
| - name: Syncookies is used to prevent SYN-flooding attacks. | ||
| sysctl: name='net.ipv4.tcp_syncookies' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes | ||
|
|
||
| - sysctl: name='net.ipv4.conf.all.shared_media' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes | ||
| - sysctl: name='net.ipv4.conf.default.shared_media' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes | ||
|
|
||
| - name: Accepting source route can lead to malicious networking behavior, so disable it if not needed. | ||
| sysctl: name='net.ipv4.conf.all.accept_source_route' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes | ||
|
|
||
| - name: Accepting source route can lead to malicious networking behavior, so disable it if not needed. | ||
| sysctl: name='net.ipv4.conf.default.accept_source_route' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes | ||
|
|
||
| # Accepting redirects can lead to malicious networking behavior, so disable | ||
| # it if not needed. | ||
| - sysctl: name='net.ipv4.conf.default.accept_redirects' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes | ||
| - sysctl: name='net.ipv4.conf.all.accept_redirects' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes | ||
| - sysctl: name='net.ipv4.conf.all.secure_redirects' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes | ||
| - sysctl: name='net.ipv4.conf.default.secure_redirects' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes | ||
| - sysctl: name='net.ipv6.conf.default.accept_redirects' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes | ||
| - sysctl: name='net.ipv6.conf.all.accept_redirects' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes | ||
|
|
||
| # For non-routers: don't send redirects, these settings are 0 | ||
| - sysctl: name='net.ipv4.conf.all.send_redirects' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes | ||
| - sysctl: name='net.ipv4.conf.all.send_redirects' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes | ||
|
|
||
| - name: log martian packets | ||
| sysctl: name='net.ipv4.conf.all.log_martians' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes | ||
|
|
||
| # ipv6 config | ||
| # NSA 2.5.3.2.5 Limit Network-Transmitted Configuration | ||
| - sysctl: name='net.ipv6.conf.default.router_solicitations' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes | ||
| - sysctl: name='net.ipv6.conf.default.accept_ra_rtr_pref' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes | ||
| - sysctl: name='net.ipv6.conf.default.accept_ra_pinfo' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes | ||
| - sysctl: name='net.ipv6.conf.default.accept_ra_defrtr' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes | ||
| - sysctl: name='net.ipv6.conf.default.autoconf' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes | ||
| - sysctl: name='net.ipv6.conf.default.dad_transmits' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes | ||
| - sysctl: name='net.ipv6.conf.default.max_addresses' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes | ||
|
|
||
|
|
||
| # This settings controls how the kernel behaves towards module changes at | ||
| # runtime. Setting to 1 will disable module loading at runtime. | ||
| # Setting it to 0 is actually never supported. | ||
| - name: This settings controls how the kernel behaves towards module changes at runtime. | ||
| sysctl: name='kernel.modules_disabled' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes | ||
| when: not os_security_kernel_enable_module_loading | ||
|
|
||
| # Magic Sysrq should be disabled, but can also be set to a safe value if so | ||
| # desired for physical machines. It can allow a safe reboot if the system hangs | ||
| # and is a 'cleaner' alternative to hitting the reset button. | ||
| # The following values are permitted: | ||
| # | ||
| # * **0** - disable sysrq | ||
| # * **1** - enable sysrq completely | ||
| # * **>1** - bitmask of enabled sysrq functions: | ||
| # * **2** - control of console logging level | ||
| # * **4** - control of keyboard (SAK, unraw) | ||
| # * **8** - debugging dumps of processes etc. | ||
| # * **16** - sync command | ||
| # * **32** - remount read-only | ||
| # * **64** - signalling of processes (term, kill, oom-kill) | ||
| # * **128** - reboot/poweroff | ||
| # * **256** - nicing of all RT tasks | ||
| - sysctl: name='kernel.sysrq' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes | ||
| when: not os_security_kernel_enable_sysrq | ||
|
|
||
| - sysctl: name='kernel.sysrq' value='{{ os_security_kernel_secure_sysrq }}' sysctl_set=yes state=present reload=yes ignoreerrors=yes | ||
| when: os_security_kernel_enable_sysrq | ||
|
|
||
| - name: Prevent core dumps with SUID. These are usually only needed by developers and may contain sensitive information. | ||
| sysctl: name='fs.suid_dumpable' value=0 sysctl_set=yes state=present reload=yes ignoreerrors=yes | ||
|
|
||
| - name: # Prevent core dumps with SUID. These are usually only needed by developers and may contain sensitive information. | ||
| sysctl: name='fs.suid_dumpable' value=1 sysctl_set=yes state=present reload=yes ignoreerrors=yes | ||
| when: os_security_kernel_enable_core_dump | ||
|
|
||
| - name: include sysctl variables | ||
| include_vars: sysctl.yml | ||
|
|
||
| - name: Change various sysctl-settings, look at the sysctl-vars file for documentation | ||
| sysctl: | ||
| name: '{{ item.key }}' | ||
| value: '{{ item.value }}' | ||
| sysctl_set: yes | ||
| state: present | ||
| reload: yes | ||
| ignoreerrors: yes | ||
| with_dict: sysctl_config | ||
|
|
||
| - name: Change various sysctl-settings on rhel-hosts, look at the sysctl-vars file for documentation | ||
| sysctl: | ||
| name: '{{ item.key }}' | ||
| value: '{{ item.value }}' | ||
| sysctl_set: yes | ||
| state: present | ||
| reload: yes | ||
| ignoreerrors: yes | ||
| with_dict: sysctl_rhel_config | ||
| when: ansible_distribution == 'RedHat' or ansible_distribution == 'Fedora' or ansible_distribution == 'CentOS' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,116 @@ | ||
| sysctl_config: | ||
| # Disable IPv4 traffic forwarding. | ||
| net.ipv4.ip_forward: 0 | ||
|
|
||
| # Disable IPv6 traffic forwarding. | ||
| net.ipv6.conf.all.forwarding: 0 | ||
|
|
||
| # ignore RAs on Ipv6. | ||
| net.ipv6.conf.all.accept_ra: 0 | ||
| net.ipv6.conf.default.accept_ra: 0 | ||
|
|
||
| # Enable RFC-recommended source validation feature. | ||
| net.ipv4.conf.all.rp_filter: 1 | ||
| net.ipv4.conf.default.rp_filter: 1 | ||
|
|
||
| # Reduce the surface on SMURF attacks. | ||
| # Make sure to ignore ECHO broadcasts, which are only required in broad network analysis. | ||
| net.ipv4.icmp_echo_ignore_broadcasts: 1 | ||
|
|
||
| # There is no reason to accept bogus error responses from ICMP, so ignore them instead. | ||
| net.ipv4.icmp_ignore_bogus_error_responses: 1 | ||
|
|
||
| # Limit the amount of traffic the system uses for ICMP. | ||
| net.ipv4.icmp_ratelimit: 100 | ||
|
|
||
| # Adjust the ICMP ratelimit to include ping, dst unreachable, | ||
| # source quench, ime exceed, param problem, timestamp reply, information reply | ||
| net.ipv4.icmp_ratemask: 88089 | ||
|
|
||
| # Disable IPv6 | ||
| net.ipv6.conf.all.disable_ipv6: 1 | ||
|
|
||
| # Protect against wrapping sequence numbers at gigabit speeds | ||
| net.ipv4.tcp_timestamps: 0 | ||
|
|
||
| # Define restriction level for announcing the local source IP | ||
| net.ipv4.conf.all.arp_ignore: 1 | ||
|
|
||
| # Define mode for sending replies in response to | ||
| # received ARP requests that resolve local target IP addresses | ||
| net.ipv4.conf.all.arp_announce: 1 | ||
|
|
||
| # RFC 1337 fix F1 | ||
| net.ipv4.tcp_rfc1337: 1 | ||
|
|
||
| # Syncookies is used to prevent SYN-flooding attacks. | ||
| net.ipv4.tcp_syncookies: 1 | ||
|
|
||
| # Send(router) or accept(host) RFC1620 shared media redirects | ||
| net.ipv4.conf.all.shared_media: 1 | ||
| net.ipv4.conf.default.shared_media: 1 | ||
|
|
||
| # Accepting source route can lead to malicious networking behavior, | ||
| # so disable it if not needed. | ||
| net.ipv4.conf.all.accept_source_route: 0 | ||
|
|
||
| # Accepting redirects can lead to malicious networking behavior, so disable | ||
| # it if not needed. | ||
| net.ipv4.conf.default.accept_redirects: 0 | ||
| net.ipv4.conf.all.accept_redirects: 0 | ||
| net.ipv4.conf.all.secure_redirects: 0 | ||
| net.ipv4.conf.default.secure_redirects: 0 | ||
| net.ipv6.conf.default.accept_redirects: 0 | ||
| net.ipv6.conf.all.accept_redirects: 0 | ||
|
|
||
| # For non-routers: don't send redirects, these settings are 0 | ||
| net.ipv4.conf.all.send_redirects: 0 | ||
| net.ipv4.conf.default.send_redirects: 0 | ||
|
|
||
| # log martian packets | ||
| net.ipv4.conf.all.log_martians: 0 | ||
|
|
||
| # ipv6 config | ||
| # NSA 2.5.3.2.5 Limit Network-Transmitted Configuration | ||
| net.ipv6.conf.default.router_solicitations: 0 | ||
| net.ipv6.conf.default.accept_ra_rtr_pref: 0 | ||
| net.ipv6.conf.default.accept_ra_pinfo: 0 | ||
| net.ipv6.conf.default.accept_ra_defrtr: 0 | ||
| net.ipv6.conf.default.autoconf: 0 | ||
| net.ipv6.conf.default.dad_transmits: 0 | ||
| net.ipv6.conf.default.max_addresses: 1 | ||
|
|
||
| # This settings controls how the kernel behaves towards module changes at | ||
| # runtime. Setting to 1 will disable module loading at runtime. | ||
| # Setting it to 0 is actually never supported. | ||
| kernel.modules_disabled: 1 | ||
|
|
||
| # Magic Sysrq should be disabled, but can also be set to a safe value if so | ||
| # desired for physical machines. It can allow a safe reboot if the system hangs | ||
| # and is a 'cleaner' alternative to hitting the reset button. | ||
| # The following values are permitted: | ||
| # * **0** - disable sysrq | ||
| # * **1** - enable sysrq completely | ||
| # * **>1** - bitmask of enabled sysrq functions: | ||
| # * **2** - control of console logging level | ||
| # * **4** - control of keyboard (SAK, unraw) | ||
| # * **8** - debugging dumps of processes etc. | ||
| # * **16** - sync command | ||
| # * **32** - remount read-only | ||
| # * **64** - signalling of processes (term, kill, oom-kill) | ||
| # * **128** - reboot/poweroff | ||
| # * **256** - nicing of all RT tasks | ||
| kernel.sysrq: 0 | ||
|
|
||
| # Prevent core dumps with SUID. These are usually only | ||
| # needed by developers and may contain sensitive information. | ||
| fs.suid_dumpable: 0 | ||
|
|
||
| # Virtual memory regions protection | ||
| kernel.randomize_va_space: 2 | ||
|
|
||
| sysctl_rhel_config: | ||
| # ExecShield protection against buffer overflows | ||
| kernel.exec-shield: 1 | ||
|
|
||
|
|