diff --git a/playbooks/all-hosts-basic.yml b/playbooks/all-hosts-basic.yml
index 71f3e005d546e97aeb3b8f95b5a15f80dec46e87..b9e820dda57211382221c8f87ba1eb15ad5f4369 100644
--- a/playbooks/all-hosts-basic.yml
+++ b/playbooks/all-hosts-basic.yml
@@ -13,3 +13,4 @@
     - { role: root_ssh, tags: ['root_ssh'] }
     - { role: borg-client, tags: ["borg"], when: "'borg-clients' in group_names" }
     - { role: zabbix-agent, tags: ["zabbix", "zabbix-agent"], when: "'unmanaged' not in group_names" }
+    - { role: hardening }
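Review bot: The new `hardening` entry on the last line of the hunk is the only role in this list without a `tags` key, so a run limited with `--tags` can never select it and `--skip-tags` cannot exclude it; for consistency with the neighbouring entries I would write `- { role: hardening, tags: ['hardening'] }`. The enclosing `roles:` list begins outside the hunk, so I cannot see whether earlier entries carry a `when:` guard this role should share; the zabbix-agent entry just above excludes `unmanaged` hosts, and it is worth deciding deliberately whether the sysctl hardening should apply there too.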
diff --git a/roles/hardening/files/50-dmesg-restrict.conf b/roles/hardening/files/50-dmesg-restrict.conf
new file mode 100644
index 0000000000000000000000000000000000000000..fd707af75fc37c2290213558f714b9c165a1c9b6
--- /dev/null
+++ b/roles/hardening/files/50-dmesg-restrict.conf
@@ -0,0 +1 @@
+kernel.dmesg_restrict = 1
diff --git a/roles/hardening/files/50-kptr-restrict.conf b/roles/hardening/files/50-kptr-restrict.conf
new file mode 100644
index 0000000000000000000000000000000000000000..4b49bb01ab89d3bd005fd91a77c4017eb76eb2b1
--- /dev/null
+++ b/roles/hardening/files/50-kptr-restrict.conf
@@ -0,0 +1 @@
+kernel.kptr_restrict = 1
diff --git a/roles/hardening/files/50-ptrace-restrict.conf b/roles/hardening/files/50-ptrace-restrict.conf
new file mode 100644
index 0000000000000000000000000000000000000000..7d1299309d062d08553bf4506215849c2050deb9
--- /dev/null
+++ b/roles/hardening/files/50-ptrace-restrict.conf
@@ -0,0 +1 @@
+kernel.yama.ptrace_scope = 2
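Review bot: `kernel.yama.ptrace_scope` only exists when the kernel has the Yama LSM built in and enabled; on a host without it, the role's `sysctl --system` handler will report this key as missing, and whether that fails the play depends on the exit status sysctl returns, which I have not verified here. Either guard the task that installs this file on the presence of `/proc/sys/kernel/yama`, or accept that error in the handler. Value 2 means only processes holding CAP_SYS_PTRACE may attach, so unprivileged users lose gdb/strace on their own processes; that matches the task name, but it deserves a comment in this file, e.g. `# 2 = attach requires CAP_SYS_PTRACE (1 would still allow a process to trace its descendants)`.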
diff --git a/roles/hardening/handlers/main.yml b/roles/hardening/handlers/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..16f770ce327e8522443e3fb4520ad6508591056b
--- /dev/null
+++ b/roles/hardening/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+
+- name: apply sysctl settings
+  command: sysctl --system
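Review bot: `command: sysctl --system` re-applies every file under /etc/sysctl.d and the other sysctl search paths, not only the three this role drops, and as a `command` task it always reports `changed` and fails the play if sysctl exits nonzero for any key in any of those files. The `sysctl` module would cover both halves, persisting to a file and loading it, which makes the copy+notify pair unnecessary, e.g. `sysctl: name=kernel.dmesg_restrict value=1 sysctl_file=/etc/sysctl.d/50-dmesg-restrict.conf reload=yes`. If the handler stays as a command, consider at least `changed_when: false` so the play output reflects the real state change.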
diff --git a/roles/hardening/tasks/main.yml b/roles/hardening/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..d3b01991831757c833e8390dd15ec8dc4c4f2fa8
--- /dev/null
+++ b/roles/hardening/tasks/main.yml
@@ -0,0 +1,16 @@
+---
+
+- name: set restricted access to kernel logs
+  copy: src=50-dmesg-restrict.conf dest=/etc/sysctl.d/50-dmesg-restrict.conf
+  notify:
+    - apply sysctl settings
+
+- name: set ptrace scope, restrict ptrace to CAP_SYS_PTRACE
+  copy: src=50-ptrace-restrict.conf dest=/etc/sysctl.d/50-ptrace-restrict.conf
+  notify:
+    - apply sysctl settings
+
+- name: set restricted access to kernel pointers in proc fs
+  copy: src=50-kptr-restrict.conf dest=/etc/sysctl.d/50-kptr-restrict.conf
+  notify:
+    - apply sysctl settings
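Review bot: The three `copy:` tasks use the `key=value` shorthand and set no `owner`/`group`/`mode`, so the permissions of the files written to /etc/sysctl.d depend on the remote umask rather than being pinned; native YAML arguments with an explicit `mode: '0644'` read better and are what ansible-lint expects. Note also that because the reload runs only as a handler, a host where the file is already present with the right content but a differing runtime value (say after a manual `sysctl -w`) is never corrected; the `sysctl` module sets and persists in one step. The first task rewritten below; the other two follow the same shape.
```yaml
- name: set restricted access to kernel logs
  copy:
    src: 50-dmesg-restrict.conf
    dest: /etc/sysctl.d/50-dmesg-restrict.conf
    owner: root
    group: root
    mode: '0644'
  notify:
    - apply sysctl settings

# … unchanged: ptrace and kptr tasks, same shape …
```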