mirror of
https://gitlab.archlinux.org/archlinux/infrastructure.git
synced 2024-05-18 23:06:04 +02:00
26f289b72b
ansible-lint 6.5.0 complains about:
name: All names should start with an
uppercase letter. (name[casing])
42 lines
1.6 KiB
YAML
42 lines
1.6 KiB
YAML
- name: Set restricted access to kernel logs
|
|
copy: src=50-dmesg-restrict.conf dest=/etc/sysctl.d/50-dmesg-restrict.conf owner=root group=root mode=0644
|
|
notify:
|
|
- apply sysctl settings
|
|
|
|
- name: Set ptrace scope, restrict ptrace to CAP_SYS_PTRACE
|
|
copy: src=50-ptrace-restrict.conf dest=/etc/sysctl.d/50-ptrace-restrict.conf owner=root group=root mode=0644
|
|
when: "'buildservers' not in group_names"
|
|
notify:
|
|
- apply sysctl settings
|
|
|
|
- name: Set restricted access to kernel pointers in proc fs
|
|
copy: src=50-kptr-restrict.conf dest=/etc/sysctl.d/50-kptr-restrict.conf owner=root group=root mode=0644
|
|
notify:
|
|
- apply sysctl settings
|
|
|
|
- name: Enable JIT hardening for all users
|
|
copy: src=50-bpf_jit_harden.conf dest=/etc/sysctl.d/50-bpf_jit_harden.conf owner=root group=root mode=0644
|
|
notify:
|
|
- apply sysctl settings
|
|
|
|
- name: Disable unprivileged bpf
|
|
copy: src=50-unprivileged_bpf_disabled.conf dest=/etc/sysctl.d/50-unprivileged_bpf_disabled.conf owner=root group=root mode=0644
|
|
notify:
|
|
- apply sysctl settings
|
|
|
|
- name: Disable unprivileged userns
|
|
copy: src=50-unprivileged_userns_clone.conf dest=/etc/sysctl.d/50-unprivileged_userns_clone.conf owner=root group=root mode=0644
|
|
notify:
|
|
- apply sysctl settings
|
|
|
|
- name: Disable kexec load
|
|
copy: src=50-kexec_load_disabled.conf dest=/etc/sysctl.d/50-kexec_load_disabled.conf owner=root group=root mode=0644
|
|
notify:
|
|
- apply sysctl settings
|
|
|
|
- name: Set kernel lockdown to restricted
|
|
copy: src=50-lockdown.conf dest=/etc/tmpfiles.d/50-kernel-lockdown.conf owner=root group=root mode=0644
|
|
when: "'hcloud' in group_names"
|
|
notify:
|
|
- apply sysctl settings
|