# Install the sysctl drop-in that restricts access to the kernel ring buffer
# (the drop-in's contents are not visible here; the file name suggests
# kernel.dmesg_restrict). The file is only copied; it is presumably loaded by
# the "apply sysctl settings" handler, defined elsewhere, so no reboot is needed.
- name: Set restricted access to kernel logs
  copy:
    src: 50-dmesg-restrict.conf
    dest: /etc/sysctl.d/50-dmesg-restrict.conf
    owner: root
    group: root
    mode: "0644"
  notify:
    - apply sysctl settings
# Install the sysctl drop-in that limits ptrace to CAP_SYS_PTRACE (the drop-in's
# contents are not visible here; the name suggests kernel.yama.ptrace_scope).
# NOTE(review): that key only exists when the Yama LSM is active — confirm on
# the target kernels, otherwise applying the drop-in logs an unknown-key error.
# Build servers are excluded, presumably because build/debug tooling such as
# gdb or strace has to attach to non-child processes — confirm with the owners.
- name: Set ptrace scope, restrict ptrace to CAP_SYS_PTRACE
  copy:
    src: 50-ptrace-restrict.conf
    dest: /etc/sysctl.d/50-ptrace-restrict.conf
    owner: root
    group: root
    mode: "0644"
  when: "'buildservers' not in group_names"
  notify:
    - apply sysctl settings
# Install the sysctl drop-in that hides kernel pointers in /proc (e.g.
# /proc/kallsyms); the drop-in's contents are not visible here, the file name
# suggests kernel.kptr_restrict. Loaded via the shared sysctl handler.
- name: Set restricted access to kernel pointers in proc fs
  copy:
    src: 50-kptr-restrict.conf
    dest: /etc/sysctl.d/50-kptr-restrict.conf
    owner: root
    group: root
    mode: "0644"
  notify:
    - apply sysctl settings
# Install the sysctl drop-in for BPF JIT hardening (constant blinding for all
# users, per the task name; the drop-in's contents are not visible here, the
# file name suggests net.core.bpf_jit_harden). Applied by the sysctl handler.
- name: Enable JIT hardening for all users
  copy:
    src: 50-bpf_jit_harden.conf
    dest: /etc/sysctl.d/50-bpf_jit_harden.conf
    owner: root
    group: root
    mode: "0644"
  notify:
    - apply sysctl settings
# Install the sysctl drop-in that disables the bpf() syscall for unprivileged
# users (file name suggests kernel.unprivileged_bpf_disabled; contents not
# visible here). NOTE(review): with value 1 the kernel refuses to re-enable it
# until reboot, value 2 keeps it changeable — check which one the drop-in uses.
- name: Disable unprivileged bpf
  copy:
    src: 50-unprivileged_bpf_disabled.conf
    dest: /etc/sysctl.d/50-unprivileged_bpf_disabled.conf
    owner: root
    group: root
    mode: "0644"
  notify:
    - apply sysctl settings
# Install the sysctl drop-in that disables unprivileged user namespaces (file
# name suggests kernel.unprivileged_userns_clone; contents not visible here).
# NOTE(review): that key is a Debian/Ubuntu kernel patch, not upstream; on
# other kernels it is absent and applying the drop-in logs an error — confirm
# the target kernels. Unlike the ptrace task there is no exclusion here, so
# rootless containers and bubblewrap-style sandboxes stop working on all hosts.
- name: Disable unprivileged userns
  copy:
    src: 50-unprivileged_userns_clone.conf
    dest: /etc/sysctl.d/50-unprivileged_userns_clone.conf
    owner: root
    group: root
    mode: "0644"
  notify:
    - apply sysctl settings
# Install the sysctl drop-in that disables kexec_load (file name suggests
# kernel.kexec_load_disabled; contents not visible here). Once set to 1 the
# kernel does not allow it to be cleared again until reboot, and kdump /
# kexec-based fast reboots stop working — intended, but worth knowing.
- name: Disable kexec load
  copy:
    src: 50-kexec_load_disabled.conf
    dest: /etc/sysctl.d/50-kexec_load_disabled.conf
    owner: root
    group: root
    mode: "0644"
  notify:
    - apply sysctl settings
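# Kernel lockdown is not a sysctl: this drop-in goes to /etc/tmpfiles.d and is
# processed by systemd-tmpfiles, normally only at boot (the drop-in's contents
# are not visible here; presumably a `w` line for /sys/kernel/security/lockdown).
# The "apply sysctl settings" handler used by the sysctl tasks does not read
# tmpfiles.d, so notifying it never applied this file; instead the result is
# registered and a second task applies the entry right away.
- name: Set kernel lockdown to restricted
  copy:
    src: 50-lockdown.conf
    dest: /etc/tmpfiles.d/50-kernel-lockdown.conf
    owner: root
    group: root
    mode: "0644"
  # Only hcloud hosts get lockdown; keep this condition in sync with the apply task.
  when: "'hcloud' in group_names"
  register: lockdown_conf

# Apply only the file we just changed, without waiting for the next boot.
# NOTE(review): lockdown can only be raised at runtime, never lowered; writing
# a level the kernel is already at (or above) fails with EPERM, so this task
# fails loudly in that case instead of silently doing nothing — confirm the
# drop-in's level against the hosts' boot configuration.
- name: Apply kernel lockdown tmpfiles entry
  command: systemd-tmpfiles --create /etc/tmpfiles.d/50-kernel-lockdown.conf
  when: "'hcloud' in group_names and lockdown_conf is changed"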