Added references and stuff from ANSSI-BP-028

pyllyukko · Jan 29, 2025 · 64bd82b · 64bd82b
1 parent 503b1f2
commit 64bd82b
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 1 deletion.
diff --git a/files/sysctl.d/network.conf.new b/files/sysctl.d/network.conf.new
@@ -6,10 +6,12 @@ net.ipv4.conf.all.rp_filter = 1
 net.ipv4.conf.all.accept_source_route = 0
 net.ipv4.conf.all.accept_redirects = 0
 net.ipv4.conf.all.secure_redirects = 0
+net.ipv4.conf.all.shared_media = 0
 net.ipv4.conf.default.rp_filter = 1
 net.ipv4.conf.default.accept_source_route = 0
 net.ipv4.conf.default.accept_redirects = 0
 net.ipv4.conf.default.secure_redirects = 0
+net.ipv4.conf.default.shared_media = 0
 net.ipv4.icmp_echo_ignore_broadcasts = 1
 
 # Following 3 lines added by CISecurity Benchmark sec 4.2
@@ -48,3 +50,26 @@ net.ipv4.tcp_timestamps = 0
 
 # https://www.kernel.org/doc/html/latest/admin-guide/sysctl/net.html#bpf-jit-harden
 net.core.bpf_jit_harden = 2
+
+# ANSSI-BP-028 R12 - IPv4 configuration options
+# Consider as invalid the packets received from outside whose source
+# is the 127/8 network.
+net.ipv4.conf.all.accept_local = 0
+# RFC 1337
+net.ipv4.tcp_rfc1337 = 1
+# Refuse the routing of packets whose source or destination address is that
+# of the local loopback. This prohibits the transmission of packets with
+# source network 127/8.
+net.ipv4.conf.all.route_localnet = 0
+# Respond to ARP requests only if the source and destination addresses are on
+# the same network and come from the same interface on which the packet was received.
+# Note that the configuration of this option is to be studied according to the
+# use case.
+net.ipv4.conf.all.arp_ignore = 2
+# https://tools.ietf.org/html/rfc5227
+# Ignore gratuitous ARP requests. This configuration is
+# effective against ARP poisoning attacks but only applicable
+# in association with one or more controlled ARP proxies.
+# This option can be problematic on networks with devices
+# in a high availability setup (VRRP, etc.).
+#net.ipv4.conf.all.drop_gratuitous_arp = 1
diff --git a/tasks/filesystem-sudoers.yml b/tasks/filesystem-sudoers.yml
@@ -12,7 +12,7 @@
   with_items:
     - sudoers.d
     - sudoers
-# ANSSI BP-028 R38 - Creating a group dedicated to the use of sudo
+# ANSSI-BP-028 R38 - Creating a group dedicated to the use of sudo
 - name: Set file permissions/ownership for sudo
   ansible.builtin.file:
     path: /usr/bin/sudo

diff --git a/tasks/kernel.yml b/tasks/kernel.yml
@@ -6,6 +6,9 @@
     owner: root
     group: root
     mode: '0750'
+# ANSSI-BP-028 R9  - Configuring the kernel options
+# ANSSI-BP-028 R12 - IPv4 configuration options
+# ANSSI-BP-028 R14 - File system configuration options
 - name: Create harden.conf sysctl settings file
   become: true
   ansible.builtin.copy:
@@ -14,6 +17,7 @@
     owner: root
     group: root
     mode: '0600'
+    backup: true
   with_items:
     - sysctl
     - network