2d407a5399
This patch adds the basic scaffolding for developer-contributed hardening standards that are outside the scope of the Security Technical Implementation Guide (STIG). Deployers have the option to deploy these hardening standards as well. Change-Id: I33175ffd36a75d27e5ac6c13aaf1584e5fdf23dd
40 lines
1.3 KiB
ReStructuredText
40 lines
1.3 KiB
ReStructuredText
Additional hardening configurations
|
|
===================================
|
|
|
|
Although the Security Technical Implementation Guide (STIG) contains a very
|
|
comprehensive set of security configurations, some ansible-hardening
|
|
contributors want to add extra security configurations to the role. The
|
|
*contrib* portion of the ansible-hardening role is designed to implement those
|
|
configurations as an optional set of tasks.
|
|
|
|
The *contrib* hardening configurations are disabled by default, but they can
|
|
be enabled by setting the following Ansible variable:
|
|
|
|
.. code-block:: yaml
|
|
|
|
security_contrib_enabled: yes
|
|
|
|
The individual tasks are controlled by Ansible variables in
|
|
``defaults/main.yml`` that begin with ``security_contrib_``.
|
|
|
|
Kernel
|
|
------
|
|
|
|
C-00001 - Disable IPv6
|
|
~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
Some systems do not require IPv6 connectivity and the presence of link local
|
|
IPv6 addresses can present an additional attack surface for lateral movement.
|
|
Deployers can set the following variable to disable IPv6 on all network
|
|
interfaces:
|
|
|
|
.. code-block:: yaml
|
|
|
|
security_contrib_disable_ipv6: yes
|
|
|
|
.. warning::
|
|
|
|
Deployers should test this change in a test environment before applying it
|
|
in a production deployment. Applying this change to a production system
|
|
that relies on IPv6 connectivity will cause unexpected downtime.
|