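---
# CIS-Compliant Sysctl Parameters
#
# Every task below applies the value immediately (sysctl_set) and persists it
# through ansible.posix.sysctl, reloading sysctl afterwards.
# NOTE(review): the module's default persistence file is used; confirm on the
# target hosts that no later-loaded sysctl drop-in overrides these values.

# CIS 3.1.1 - Disable IP forwarding (unless VPN server needs it)
# DEVIATION: this host is a VPN server, so forwarding is deliberately left
# enabled ('1'). The task name states that so audit logs are not misleading.
# Set ip_forward_enabled: false to apply the CIS-recommended value ('0').
- name: Configure IPv4 forwarding (enabled for VPN server, CIS 3.1.1 deviation)
  ansible.posix.sysctl:
    name: net.ipv4.ip_forward
    value: "{{ '1' if (ip_forward_enabled | default(true)) else '0' }}"
    state: present
    sysctl_set: true
    reload: true

# CIS 3.1.2 - Disable packet redirect sending
- name: Disable send packet redirects
  ansible.posix.sysctl:
    name: "{{ item }}"
    value: '0'
    state: present
    sysctl_set: true
    reload: true
  loop:
    - net.ipv4.conf.all.send_redirects
    - net.ipv4.conf.default.send_redirects

# CIS 3.2.1 - Do not accept source routed packets
- name: Disable source routed packets
  ansible.posix.sysctl:
    name: "{{ item }}"
    value: '0'
    state: present
    sysctl_set: true
    reload: true
  loop:
    - net.ipv4.conf.all.accept_source_route
    - net.ipv4.conf.default.accept_source_route
    - net.ipv6.conf.all.accept_source_route
    - net.ipv6.conf.default.accept_source_route

# CIS 3.2.2 - Do not accept ICMP redirects
- name: Disable ICMP redirects
  ansible.posix.sysctl:
    name: "{{ item }}"
    value: '0'
    state: present
    sysctl_set: true
    reload: true
  loop:
    - net.ipv4.conf.all.accept_redirects
    - net.ipv4.conf.default.accept_redirects
    - net.ipv6.conf.all.accept_redirects
    - net.ipv6.conf.default.accept_redirects

# CIS 3.2.3 - Do not accept secure ICMP redirects
- name: Disable secure ICMP redirects
  ansible.posix.sysctl:
    name: "{{ item }}"
    value: '0'
    state: present
    sysctl_set: true
    reload: true
  loop:
    - net.ipv4.conf.all.secure_redirects
    - net.ipv4.conf.default.secure_redirects

# CIS 3.2.4 - Log suspicious packets
# Martian logging goes to the kernel log; make sure it is shipped to the
# central log collector so the entries are actually reviewed.
- name: Enable suspicious packet logging
  ansible.posix.sysctl:
    name: "{{ item }}"
    value: '1'
    state: present
    sysctl_set: true
    reload: true
  loop:
    - net.ipv4.conf.all.log_martians
    - net.ipv4.conf.default.log_martians

# CIS 3.2.5 - Ignore broadcast ICMP requests
- name: Ignore ICMP broadcast requests
  ansible.posix.sysctl:
    name: net.ipv4.icmp_echo_ignore_broadcasts
    value: '1'
    state: present
    sysctl_set: true
    reload: true

# CIS 3.2.6 - Ignore bogus ICMP responses
- name: Ignore bogus ICMP error responses
  ansible.posix.sysctl:
    name: net.ipv4.icmp_ignore_bogus_error_responses
    value: '1'
    state: present
    sysctl_set: true
    reload: true

# CIS 3.2.7 - Enable reverse path filtering
# NOTE(review): value '1' is strict mode. On a forwarding host (see the
# ip_forward task above) strict rp_filter can drop legitimately
# asymmetric-routed traffic; confirm the VPN return path is symmetric, or the
# VPN will silently lose packets.
- name: Enable reverse path filtering
  ansible.posix.sysctl:
    name: "{{ item }}"
    value: '1'
    state: present
    sysctl_set: true
    reload: true
  loop:
    - net.ipv4.conf.all.rp_filter
    - net.ipv4.conf.default.rp_filter

# CIS 3.2.8 - Enable TCP SYN cookies
- name: Enable TCP SYN cookies
  ansible.posix.sysctl:
    name: net.ipv4.tcp_syncookies
    value: '1'
    state: present
    sysctl_set: true
    reload: true

# CIS 3.2.9 - Do not accept IPv6 router advertisements
- name: Disable IPv6 router advertisements
  ansible.posix.sysctl:
    name: "{{ item }}"
    value: '0'
    state: present
    sysctl_set: true
    reload: true
  loop:
    - net.ipv6.conf.all.accept_ra
    - net.ipv6.conf.default.accept_ra

# Additional hardening
# Opt-in only: runs when the inventory/playbook sets disable_ipv6: true.
# The IPv6 tasks above are still applied and remain harmless when IPv6 is off.
- name: Disable IPv6 (if not used)
  ansible.posix.sysctl:
    name: "{{ item }}"
    value: '1'
    state: present
    sysctl_set: true
    reload: true
  loop:
    - net.ipv6.conf.all.disable_ipv6
    - net.ipv6.conf.default.disable_ipv6
  when: disable_ipv6 | default(false)

# CIS 1.5.2 - Enable ASLR
# '2' randomises the stack, mmap base, VDSO and the brk area (full ASLR).
- name: Enable address space layout randomization
  ansible.posix.sysctl:
    name: kernel.randomize_va_space
    value: '2'
    state: present
    sysctl_set: true
    reload: true

# CIS 1.5.1 - Restrict core dumps
# '0' prevents set-uid / set-gid processes from dumping core, so a crash of a
# privileged binary cannot leak its memory to an unprivileged user.
- name: Restrict core dumps
  ansible.posix.sysctl:
    name: fs.suid_dumpable
    value: '0'
    state: present
    sysctl_set: true
    reload: true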