diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index ea3ba02..e44fa80 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -23,7 +23,9 @@ - include: sshd.yml tags: sshd +# containers identify as virtualization hosts, which makes this tricky, because we have actual Debian VM hosts! - name: Reconfigure /etc/sysctl.conf + when: ansible_virtualization_role != 'host' template: src=sysctl_{{ ansible_distribution }}.j2 dest=/etc/sysctl.conf owner=root group=root mode=0644 notify: - reload sysctl diff --git a/roles/common/templates/sysctl_Debian.j2 b/roles/common/templates/sysctl_Debian.j2 new file mode 100644 index 0000000..d42147a --- /dev/null +++ b/roles/common/templates/sysctl_Debian.j2 @@ -0,0 +1,114 @@ +# +# /etc/sysctl.conf - Configuration file for setting system variables +# See /etc/sysctl.d/ for additional system variables +# See sysctl.conf (5) for information. +# + +#kernel.domainname = example.com + +# Uncomment the following to stop low-level messages on console +#kernel.printk = 3 4 1 3 + +##############################################################3 +# Functions previously found in netbase +# + +# Uncomment the next two lines to enable Spoof protection (reverse-path filter) +# Turn on Source Address Verification in all interfaces to +# prevent some spoofing attacks +#net.ipv4.conf.default.rp_filter=1 +#net.ipv4.conf.all.rp_filter=1 + +# Uncomment the next line to enable TCP/IP SYN cookies +# See http://lwn.net/Articles/277146/ +# Note: This may impact IPv6 TCP sessions too +#net.ipv4.tcp_syncookies=1 + +# Uncomment the next line to enable packet forwarding for IPv4 +#net.ipv4.ip_forward=1 + +# Uncomment the next line to enable packet forwarding for IPv6 +# Enabling this option disables Stateless Address Autoconfiguration +# based on Router Advertisements for this host +#net.ipv6.conf.all.forwarding=1 + + +################################################################### +# Additional settings - these settings can improve the network +# security of the host and prevent against some network attacks +# including spoofing attacks and man in the middle attacks through +# redirection. Some network environments, however, require that these +# settings are disabled so review and enable them as needed. +# +# Do not accept ICMP redirects (prevent MITM attacks) +#net.ipv4.conf.all.accept_redirects = 0 +#net.ipv6.conf.all.accept_redirects = 0 +# _or_ +# Accept ICMP redirects only for gateways listed in our default +# gateway list (enabled by default) +# net.ipv4.conf.all.secure_redirects = 1 +# +# Do not send ICMP redirects (we are not a router) +#net.ipv4.conf.all.send_redirects = 0 +# +# Do not accept IP source route packets (we are not a router) +#net.ipv4.conf.all.accept_source_route = 0 +#net.ipv6.conf.all.accept_source_route = 0 +# +# Log Martian Packets +#net.ipv4.conf.all.log_martians = 1 +# + +# CIS Benchmark Adjustments +# See: https://github.com/alanorth/securekickstarts +kernel.randomize_va_space = 2 +net.ipv4.ip_forward = 0 +net.ipv4.conf.all.send_redirects = 0 +net.ipv4.conf.default.send_redirects = 0 +net.ipv4.conf.all.accept_source_route = 0 +net.ipv4.conf.default.accept_source_route = 0 +net.ipv4.conf.all.accept_redirects = 0 +net.ipv4.conf.default.accept_redirects = 0 +net.ipv4.conf.all.secure_redirects = 0 +net.ipv4.conf.default.secure_redirects = 0 +net.ipv4.conf.all.log_martians = 1 +net.ipv4.conf.default.log_martians = 1 +net.ipv4.icmp_echo_ignore_broadcasts = 1 +net.ipv4.icmp_ignore_bogus_error_responses = 1 +net.ipv4.conf.all.rp_filter = 1 +net.ipv4.conf.default.rp_filter = 1 +net.ipv4.tcp_syncookies = 1 + +# TCP stuff +# See: http://fasterdata.es.net/host-tuning/linux/ +# increase TCP max buffer size settable using setsockopt() +net.core.rmem_max = 16777216 +net.core.wmem_max = 16777216 +# increase Linux autotuning TCP buffer limit +net.ipv4.tcp_rmem = 4096 87380 16777216 +net.ipv4.tcp_wmem = 4096 65536 16777216 +# increase the length of the processor input queue +net.core.netdev_max_backlog = 30000 +{# kernels after 2.6.32 don't have buggy cubic #} +{% if ansible_kernel < "2.6.33" %} +# recommended default congestion control is htcp +net.ipv4.tcp_congestion_control=htcp +{% endif %} +# recommended for hosts with jumbo frames enabled +#net.ipv4.tcp_mtu_probing=1 + +{# disable iptables on bridge interfaces on VM hosts #} +{% if ansible_virtualization_role == "host" %} +net.bridge.bridge-nf-call-ip6tables = 0 +net.bridge.bridge-nf-call-iptables = 0 +net.bridge.bridge-nf-call-arptables = 0 +{% endif %} + +{% if 'web' in group_names %} +# increase quadruplets (src ip, src port, dest ip, dest port) +# see: http://vincent.bernat.im/en/blog/2014-tcp-time-wait-state-linux.html +net.ipv4.ip_local_port_range = 10240 65535 +# recommended for web servers, especially if running SPDY +# see: http://www.chromium.org/spdy/spdy-best-practices +net.ipv4.tcp_slow_start_after_idle = 0 +{% endif %}