Fix duplicate sysctl config

Signed-off-by: tekicat <tekicat@amibee.com> Signed-off-by: gk <ganesh.jayachandran@revolut.com> Signed-off-by: Tekicat <tekicat@amibee.com>
dev-sec · Nov 25, 2021 · db6e22c · db6e22c
1 parent b67a28b
commit db6e22c
Showing 1 changed file with 6 additions and 10 deletions.
diff --git a/roles/os_hardening/defaults/main.yml b/roles/os_hardening/defaults/main.yml
@@ -69,6 +69,12 @@ sysctl_config:
   # filenames (generally seen as "/tmp file race" vulnerabilities).
   fs.protected_hardlinks: 1
   fs.protected_symlinks: 1
+
+  # For more info on the following settings see: https://www.kernel.org/doc/html/latest/admin-guide/sysctl/fs.html
+  # Restrict FIFO special device creation behavior
+  fs.protected_fifos: 1
+  # Restrict regular files creation behavior
+  fs.protected_regular: 2
 
   # Prevent core dumps with SUID. These are usually only
   # needed by developers and may contain sensitive information. | sysctl-31
@@ -290,16 +296,6 @@ sysctl_config:
   # Mitigates CVE-2021-33909 and other exploits.
   kernel.unprivileged_userns_clone: 0
 
-  # For more info on the following settings see: https://www.kernel.org/doc/html/latest/admin-guide/sysctl/fs.html
-  # Restrict FIFO special device creation behavior
-  fs.protected_fifos: 1
-  # Restrict hardlink creation behavior
-  fs.protected_hardlinks: 1
-  # Restrict regular files creation behavior
-  fs.protected_regular: 2
-  # Restrict symlink following behavior
-  fs.protected_symlinks: 1
-
 # Do not delete the following line or otherwise the playbook will fail
 # at task 'create a combined sysctl-dict if overwrites are defined'
 sysctl_overwrite: