kernel: further default sysctl hardening

- unprivileged bpf: we do not need this on our infra, we can assume bpf() calls will happen with CAP_SYS_ADMIN if required. - unprivileged userns: we do not need this on our infra for none of our services or similar. Reduce attack surface by a huge margin including most recent CVE-2020-14386. - kptr restrict: we already check for CAP_SYSLOG and real ids but we really do not require any specific kernel pointers to be logged. Settings this to 2 instead to blank out all kernel pointers to protect against info leak. - kexec: disable kexec as we do never want to kexec our running servers into something else. Settings this sysctl disables kexec even if its compiled into the kernel. - bpf jit harden: harden BPF JIT compiler to mitigate JIT spraying for the sacrifices off a bit performance for all users including privileged.
2020-09-07 18:13:03 +02:00 · 2020-09-07 18:13:03 +02:00 · b2ba187738
parent 0d995b0108
commit b2ba187738
6 changed files with 25 additions and 1 deletions
--- a/roles/hardening/files/50-bpf_jit_harden.conf
+++ b/roles/hardening/files/50-bpf_jit_harden.conf
@ -0,0 +1 @@
+net.core.bpf_jit_harden = 2
--- a/roles/hardening/files/50-kexec_load_disabled.conf
+++ b/roles/hardening/files/50-kexec_load_disabled.conf
@ -0,0 +1 @@
+kernel.kexec_load_disabled = 1
--- a/roles/hardening/files/50-kptr-restrict.conf
+++ b/roles/hardening/files/50-kptr-restrict.conf
@ -1 +1 @@
-kernel.kptr_restrict = 1
+kernel.kptr_restrict = 2
--- a/roles/hardening/files/50-unprivileged_bpf_disabled.conf
+++ b/roles/hardening/files/50-unprivileged_bpf_disabled.conf
@ -0,0 +1 @@
+kernel.unprivileged_bpf_disabled = 1
--- a/roles/hardening/files/50-unprivileged_userns_clone.conf
+++ b/roles/hardening/files/50-unprivileged_userns_clone.conf
@ -0,0 +1 @@
+kernel.unprivileged_userns_clone = 0
--- a/roles/hardening/tasks/main.yml
+++ b/roles/hardening/tasks/main.yml
@ -15,6 +15,26 @@
  notify:
    - apply sysctl settings

+- name: enable JIT hardening for all users
+  copy: src=50-bpf_jit_harden.conf dest=/etc/sysctl.d/50-bpf_jit_harden.conf owner=root group=root mode=0644
+  notify:
+    - apply sysctl settings
+
+- name: disable unprivileged bpf
+  copy: src=50-unprivileged_bpf_disabled.conf dest=/etc/sysctl.d/50-unprivileged_bpf_disabled.conf owner=root group=root mode=0644
+  notify:
+    - apply sysctl settings
+
+- name: disable unprivileged userns
+  copy: src=50-unprivileged_userns_clone.conf dest=/etc/sysctl.d/50-unprivileged_userns_clone.conf owner=root group=root mode=0644
+  notify:
+    - apply sysctl settings
+
+- name: disable kexec load
+  copy: src=50-kexec_load_disabled.conf dest=/etc/sysctl.d/50-kexec_load_disabled.conf owner=root group=root mode=0644
+  notify:
+    - apply sysctl settings
+
 - name: set kernel lockdown to restricted
  copy: src=50-lockdown.conf dest=/etc/tmpfiles.d/50-kernel-lockdown.conf owner=root group=root mode=0644
  when: "'hcloud' in group_names"