kernel: further default sysctl hardening
- unprivileged bpf: we do not need this on our infra, we can assume bpf() calls will happen with CAP_SYS_ADMIN if required.
- unprivileged userns: we do not need this on our infra for any of our services or similar. Reduce attack surface by a huge margin including most recent CVE-2020-14386.
- kptr restrict: we already check for CAP_SYSLOG and real ids but we really do not require any specific kernel pointers to be logged. Setting this to 2 instead to blank out all kernel pointers to protect against info leak.
- kexec: disable kexec as we never want to kexec our running servers into something else. Setting this sysctl disables kexec even if it is compiled into the kernel.
- bpf jit harden: harden BPF JIT compiler to mitigate JIT spraying, at the sacrifice of a bit of performance for all users including privileged.
parent 0d995b0108
commit b2ba187738
roles/hardening/files/50-bpf_jit_harden.conf (new file)
@ -0,0 +1 @@
net.core.bpf_jit_harden = 2
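Review bot: net.core.bpf_jit_harden = 2 applies constant blinding to JIT-compiled programs for privileged callers as well, so root-run BPF tooling pays the cost too; since kernel.unprivileged_bpf_disabled = 1 lands in the same commit, value 1 (unprivileged only) would cover nobody, so 2 is the consistent choice, but the file carries no comment explaining that. Consider a leading `# 2 = harden for all users; 1 would be a no-op with unprivileged bpf disabled` so the next reader does not "optimise" it back to 1. The knob only has an effect while the JIT is enabled (net.core.bpf_jit_enable), which is worth stating in the same comment.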
roles/hardening/files/50-kexec_load_disabled.conf (new file)
@ -0,0 +1 @@
kernel.kexec_load_disabled = 1
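Review bot: kernel.kexec_load_disabled is a one-way switch: once it reads 1 the kernel refuses to set it back to 0 until reboot, and it blocks both kexec_load and kexec_file_load, so a crash kernel (kdump) can no longer be loaded after the sysctl is applied. The commit message says kexec is never wanted, but nothing here verifies that no host in the fleet boots with crashkernel= and a kdump service; add a comment to the file stating the irreversibility, and if kdump is used anywhere, guard the task with `when:` or make sure the crash kernel is loaded before sysctl settings are applied.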
@ -1 +1 @@
kernel.kptr_restrict = 1
kernel.kptr_restrict = 2
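Review bot: moving kernel.kptr_restrict from 1 to 2 hides %pK addresses from every reader, including processes with CAP_SYSLOG, which the commit message accepts, but the effect is wider than log lines: /proc/kallsyms shows zeroed addresses for everyone, so perf and other tools that resolve kernel symbols from it stop working on these hosts. Worth a comment in the file and a check that no profiling or monitoring on the fleet depends on kallsyms before this is rolled out.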
roles/hardening/files/50-unprivileged_bpf_disabled.conf (new file)
@ -0,0 +1 @@
kernel.unprivileged_bpf_disabled = 1
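Review bot: kernel.unprivileged_bpf_disabled = 1 is also one-way: the kernel rejects setting it back to 0 at runtime, so removing this file and re-running the handler does not revert it until the next reboot (newer kernels added value 2 as the revertable variant). A comment in the file and a mention in the task name would save someone a confused debugging session. The scope matches what the commit message claims: only the bpf() syscall is gated, classic socket filters attached via setsockopt are not affected.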
roles/hardening/files/50-unprivileged_userns_clone.conf (new file)
@ -0,0 +1 @@
kernel.unprivileged_userns_clone = 0
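Review bot: kernel.unprivileged_userns_clone is not an upstream sysctl; it exists on Debian and Ubuntu kernels (and a few other distro kernels carrying that patch), so on a host running a stock kernel this file yields an unknown-key error from sysctl --system and, depending on how the "apply sysctl settings" handler is written, may fail the play. Either guard the task with a `when:` on the distribution, as the lockdown task in this role already does for its hosts, or use the upstream equivalent `user.max_user_namespaces = 0`, which blocks user namespace creation for root as well, so check that nothing on the hosts relies on it.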
@ -15,6 +15,26 @@
notify:
- apply sysctl settings
- name: enable JIT hardening for all users
copy: src=50-bpf_jit_harden.conf dest=/etc/sysctl.d/50-bpf_jit_harden.conf owner=root group=root mode=0644
notify:
- apply sysctl settings
- name: disable unprivileged bpf
copy: src=50-unprivileged_bpf_disabled.conf dest=/etc/sysctl.d/50-unprivileged_bpf_disabled.conf owner=root group=root mode=0644
notify:
- apply sysctl settings
- name: disable unprivileged userns
copy: src=50-unprivileged_userns_clone.conf dest=/etc/sysctl.d/50-unprivileged_userns_clone.conf owner=root group=root mode=0644
notify:
- apply sysctl settings
- name: disable kexec load
copy: src=50-kexec_load_disabled.conf dest=/etc/sysctl.d/50-kexec_load_disabled.conf owner=root group=root mode=0644
notify:
- apply sysctl settings
- name: set kernel lockdown to restricted
copy: src=50-lockdown.conf dest=/etc/tmpfiles.d/50-kernel-lockdown.conf owner=root group=root mode=0644
when: "'hcloud' in group_names"
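Review bot: the four new tasks are identical apart from the file name, so one `copy` task with `loop:` over the four names and a single `notify` would be shorter and harder to get out of sync; and "disable unprivileged userns" is the one task here that needs a `when:` guard like the lockdown task below it, since kernel.unprivileged_userns_clone only exists on distro kernels that carry that patch and an unknown key can fail the sysctl handler on other hosts. The `key=value` inline form of `copy:` is the legacy syntax; the YAML mapping form is the documented one and reads better with four arguments.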