From 0e344d4b7da0cee057321ab4089497f28c8e7167 Mon Sep 17 00:00:00 2001
From: Jelle van der Waa <jelle@vdwaa.nl>
Date: Mon, 6 May 2019 19:28:29 +0200
Subject: [PATCH] roles: add a hardening role for sysctl hardening options

Add sysctl hardening options which disallow perf/viewing kernel symbols
and dmesg for non-admin users as they contain valuable information for
attackers.
---
 playbooks/all-hosts-basic.yml                 |  1 +
 roles/hardening/files/50-dmesg-restrict.conf  |  1 +
 roles/hardening/files/50-kptr-restrict.conf   |  1 +
 roles/hardening/files/50-ptrace-restrict.conf |  1 +
 roles/hardening/handlers/main.yml             |  4 ++++
 roles/hardening/tasks/main.yml                | 16 ++++++++++++++++
 6 files changed, 24 insertions(+)
 create mode 100644 roles/hardening/files/50-dmesg-restrict.conf
 create mode 100644 roles/hardening/files/50-kptr-restrict.conf
 create mode 100644 roles/hardening/files/50-ptrace-restrict.conf
 create mode 100644 roles/hardening/handlers/main.yml
 create mode 100644 roles/hardening/tasks/main.yml

diff --git a/playbooks/all-hosts-basic.yml b/playbooks/all-hosts-basic.yml
index 71f3e005d..b9e820dda 100644
--- a/playbooks/all-hosts-basic.yml
+++ b/playbooks/all-hosts-basic.yml
@@ -13,3 +13,4 @@
     - { role: root_ssh, tags: ['root_ssh'] }
     - { role: borg-client, tags: ["borg"], when: "'borg-clients' in group_names" }
     - { role: zabbix-agent, tags: ["zabbix", "zabbix-agent"], when: "'unmanaged' not in group_names" }
+    - { role: hardening }
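Review bot: The new `hardening` entry is the only role in this list without `tags`, so a run limited with `--tags` or `--skip-tags` cannot select or exclude it the way the `root_ssh`, `borg` and `zabbix` entries allow; make it `- { role: hardening, tags: ['hardening'] }` to match the surrounding lines. It also carries no `when`, so it applies to every host in the play, including the `unmanaged` group the zabbix entry deliberately excludes; if that is intended, a short comment above the line saying so would save the next reader the question. The play header and the rest of the role list are outside the hunk.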
diff --git a/roles/hardening/files/50-dmesg-restrict.conf b/roles/hardening/files/50-dmesg-restrict.conf
new file mode 100644
index 000000000..fd707af75
--- /dev/null
+++ b/roles/hardening/files/50-dmesg-restrict.conf
@@ -0,0 +1 @@
+kernel.dmesg_restrict = 1
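Review bot: The drop-in gives the value with no explanation of what it restricts or why, and the same applies to 50-kptr-restrict.conf and 50-ptrace-restrict.conf; sysctl.d files accept `#` comment lines, so a one-line header keeps the intent next to the setting for whoever audits /etc/sysctl.d later, long after the commit message is out of sight. For this file something like `# dmesg(8) and /dev/kmsg readable only by users with CAP_SYSLOG; kernel log lines leak addresses and module names useful to an attacker` would do. The file name prefix 50- is fine, but note that distribution drop-ins with a higher number would silently override these values.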
diff --git a/roles/hardening/files/50-kptr-restrict.conf b/roles/hardening/files/50-kptr-restrict.conf
new file mode 100644
index 000000000..4b49bb01a
--- /dev/null
+++ b/roles/hardening/files/50-kptr-restrict.conf
@@ -0,0 +1 @@
+kernel.kptr_restrict = 1
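Review bot: The commit message says the role disallows perf for non-admin users, but none of the three drop-ins sets `kernel.perf_event_paranoid`; `kernel.kptr_restrict` only blanks kernel addresses (the %pK pointers shown in /proc/kallsyms and kernel output) for unprivileged readers and does nothing about perf itself. If perf restriction is intended, it needs its own drop-in, e.g. a 50-perf-restrict.conf with `kernel.perf_event_paranoid = 2`, which on mainline kernels limits unprivileged users to their own user-space events; otherwise the commit message should drop the word perf. Value 1 here still shows addresses to root, which matches the "non-admin users" wording; if no administrator needs symbol addresses on these hosts, value 2 hides them from everyone and is the stricter choice, so a `#` comment recording which trade-off was made would help.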
diff --git a/roles/hardening/files/50-ptrace-restrict.conf b/roles/hardening/files/50-ptrace-restrict.conf
new file mode 100644
index 000000000..7d1299309
--- /dev/null
+++ b/roles/hardening/files/50-ptrace-restrict.conf
@@ -0,0 +1 @@
+kernel.yama.ptrace_scope = 2
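Review bot: `kernel.yama.ptrace_scope = 2` is not mentioned in the commit message, which only covers perf, kernel symbols and dmesg, and it is the most disruptive of the three settings: with scope 2 an unprivileged user can no longer attach `gdb -p` or `strace -p` to their own processes, only holders of CAP_SYS_PTRACE can. The key also exists only when the Yama LSM is built into and enabled in the running kernel; on other kernels the reload in the handler will report an unknown key for this file. Both points belong in the commit message and in a `#` comment in the file, e.g. `# Yama: ptrace only with CAP_SYS_PTRACE (scope 2); use 1 if users must debug their own processes`, so the choice between scope 1 and 2 is a documented decision rather than an accident.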
diff --git a/roles/hardening/handlers/main.yml b/roles/hardening/handlers/main.yml
new file mode 100644
index 000000000..16f770ce3
--- /dev/null
+++ b/roles/hardening/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+
+- name: apply sysctl settings
+  command: sysctl --system
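Review bot: `command: sysctl --system` re-applies every drop-in on the host, not only the three this role ships, and reports changed each time it is triggered; neither is wrong for a handler, but the reload also surfaces any key the running kernel lacks, and `kernel.yama.ptrace_scope` is such a key on kernels without Yama, so on those hosts the handler ends with a non-zero exit from sysctl and, depending on the procps version, a failed play. Either guard the ptrace drop-in on the presence of /proc/sys/kernel/yama or decide explicitly whether unknown keys are tolerated (procps accepts `sysctl -e --system` for that, at the cost of hiding the missing setting); in both cases note the choice in a comment above the handler. The Ansible `sysctl` module, which writes the key into a chosen `sysctl_file` and can reload it, would make the whole role idempotent without a `command` handler, but that is a larger change than this commit needs.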
diff --git a/roles/hardening/tasks/main.yml b/roles/hardening/tasks/main.yml
new file mode 100644
index 000000000..d3b019918
--- /dev/null
+++ b/roles/hardening/tasks/main.yml
@@ -0,0 +1,16 @@
+---
+
+- name: set restricted access to kernel logs
+  copy: src=50-dmesg-restrict.conf dest=/etc/sysctl.d/50-dmesg-restrict.conf
+  notify:
+    - apply sysctl settings
+
+- name: set ptrace scope, restrict ptrace to CAP_SYS_PTRACE
+  copy: src=50-ptrace-restrict.conf dest=/etc/sysctl.d/50-ptrace-restrict.conf
+  notify:
+    - apply sysctl settings
+
+- name: set restricted access to kernel pointers in proc fs
+  copy: src=50-kptr-restrict.conf dest=/etc/sysctl.d/50-kptr-restrict.conf
+  notify:
+    - apply sysctl settings
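Review bot: None of the three `copy` tasks pins `owner`, `group` or `mode` for the files written under /etc/sysctl.d, so the permissions of the drop-ins depend on the remote umask when the file is new and are left untouched when it already exists; a hardening role should set them explicitly. The three tasks differ only in the file name, so one task looping over the names is easier to keep in sync with the `files/` directory and with the handler, and it avoids the mix of key=value shorthand on the `copy` lines with YAML lists for `notify`. The task names are currently the only place the settings are explained, so if they are merged the explanation should move into a `#` comment above the task or into each drop-in; the loop below is in the order the hunk lists the tasks, which does not matter for the handler since it runs once.
```yaml
- name: install sysctl hardening drop-ins
  copy:
    src: "{{ item }}"
    dest: "/etc/sysctl.d/{{ item }}"
    owner: root
    group: root
    mode: '0644'
  loop:
    - 50-dmesg-restrict.conf
    - 50-ptrace-restrict.conf
    - 50-kptr-restrict.conf
  notify:
    - apply sysctl settings
```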
-- 
GitLab