Merge pull request dev-sec#494 from dev-sec/sysctl-34

implement sysctl-34 - link protection settings
divialth · Oct 24, 2021 · e088a93 · e088a93
2 parents e60c035 + bea8e92
commit e088a93
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/roles/os_hardening/defaults/main.yml b/roles/os_hardening/defaults/main.yml
@@ -290,6 +290,16 @@ sysctl_config:
   # Mitigates CVE-2021-33909 and other exploits.
   kernel.unprivileged_userns_clone: 0
 
+  # For more info on the following settings see: https://www.kernel.org/doc/html/latest/admin-guide/sysctl/fs.html
+  # Restrict FIFO special device creation behavior
+  fs.protected_fifos: 1
+  # Restrict hardlink creation behavior
+  fs.protected_hardlinks: 1
+  # Restrict regular files creation behavior
+  fs.protected_regular: 2
+  # Restrict symlink following behavior
+  fs.protected_symlinks: 1
+
 # Do not delete the following line or otherwise the playbook will fail
 # at task 'create a combined sysctl-dict if overwrites are defined'
 sysctl_overwrite: