2d407a5399
This patch adds the basic scaffolding for developer-contributed hardening standards that are outside the scope of the Security Technical Implementation Guide (STIG). Deployers have the option to deploy these hardening standards as well. Change-Id: I33175ffd36a75d27e5ac6c13aaf1584e5fdf23dd
1.3 KiB
Additional hardening configurations
Although the Security Technical Implementation Guide (STIG) contains a very comprehensive set of security configurations, some ansible-hardening contributors want to add extra security configurations to the role. The contrib portion of the ansible-hardening role is designed to implement those configurations as an optional set of tasks.
The contrib hardening configurations are disabled by default, but they can be enabled by setting the following Ansible variable:
security_contrib_enabled: yesThe individual tasks are controlled by Ansible variables in
defaults/main.yml that begin with
security_contrib_.
Kernel
C-00001 - Disable IPv6
Some systems do not require IPv6 connectivity and the presence of link local IPv6 addresses can present an additional attack surface for lateral movement. Deployers can set the following variable to disable IPv6 on all network interfaces:
security_contrib_disable_ipv6: yesWarning
Deployers should test this change in a test environment before applying it in a production deployment. Applying this change to a production system that relies on IPv6 connectivity will cause unexpected downtime.