Add CVE-2021-33909 mitigations (dev-sec#466)

* Add CVE-2021-33909 mitigations kernel.unprivileged_bpf_disabled: 1 kernel.unprivileged_userns_clone: 0 The first one is also used by Tails. Signed-off-by: Paweł Krawczyk <616047+kravietz@users.noreply.github.com> * Clean up whitespaces Signed-off-by: Paweł Krawczyk <616047+kravietz@users.noreply.github.com>
divialth · Jul 22, 2021 · c802c08 · c802c08
1 parent 53e5c40
commit c802c08
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/roles/os_hardening/defaults/main.yml b/roles/os_hardening/defaults/main.yml
@@ -282,6 +282,14 @@ sysctl_config:
   vm.mmap_rnd_bits: 32
   vm.mmap_rnd_compat_bits: 16
 
+  # Disable unprivileged users from loading eBPF programs into the kernel.
+  # One of mitigations against CVE-2021-33909. | Tail-2
+  kernel.unprivileged_bpf_disabled: 1
+
+  # Reduce attack surface by disabling unprivileged user namespaces.
+  # Mitigates CVE-2021-33909 and other exploits.
+  kernel.unprivileged_userns_clone: 0
+
 # Do not delete the following line or otherwise the playbook will fail
 # at task 'create a combined sysctl-dict if overwrites are defined'
 sysctl_overwrite: