Strictly SYSCTL speaking, here's what I got so far:
kernel.randomize_va_space:
sysctl.present:
- value: 2
fs.protected_hardlinks:
sysctl.present:
- value: 1
fs.protected_symlinks:
sysctl.present:
- value: 1
net.ipv4.icmp_echo_ignore_broadcasts:
sysctl.present:
- value: 1
net.ipv4.icmp_ignore_bogus_error_responses:
sysctl.present:
- value: 1
net.ipv4.tcp_syncookies:
sysctl.present:
- value: 1
net.ipv4.conf.all.log_martians:
sysctl.present:
- value: 1
net.ipv4.conf.default.log_martians:
sysctl.present:
- value: 1
net.ipv4.conf.all.accept_source_route:
sysctl.present:
- value: 0
net.ipv4.conf.default.accept_source_route:
sysctl.present:
- value: 0
net.ipv4.conf.all.rp_filter:
sysctl.present:
- value: 1
net.ipv4.conf.default.rp_filter:
sysctl.present:
- value: 1
net.ipv4.conf.all.accept_redirects:
sysctl.present:
- value: 0
net.ipv4.conf.default.accept_redirects:
sysctl.present:
- value: 0
net.ipv4.conf.all.secure_redirects:
sysctl.present:
- value: 0
net.ipv4.conf.default.secure_redirects:
sysctl.present:
- value: 0
net.ipv4.ip_forward:
sysctl.present:
- value: 0
net.ipv4.conf.all.send_redirects:
sysctl.present:
- value: 0
net.ipv4.conf.default.send_redirects:
sysctl.present:
- value: 0
net.ipv4.conf.all.forwarding:
sysctl.present:
- value: 0
net.ipv6.conf.all.forwarding:
sysctl.present:
- value: 0
net.ipv4.conf.all.mc_forwarding:
sysctl.present:
- value: 0
net.ipv6.conf.all.mc_forwarding:
sysctl.present:
- value: 0
net.ipv6.conf.all.accept_source_route:
sysctl.present:
- value: 0
net.ipv6.conf.default.accept_source_route:
sysctl.present:
- value: 0
net.ipv6.conf.all.accept_redirects:
sysctl.present:
- value: 0
net.ipv6.conf.default.accept_redirects:
sysctl.present:
- value: 0
I know some of it may be redundant, as in they already may be set as such by default. My thinking is that should they become changed somehow, this will set it straight again.
Is this a bad way of thinking or simply not needed?
Are there any others a good idea or generally a best practice to include?