Configure Network Kernel Parameters

tasks/amazon_linux.yaml

@@ -0,0 +1,3 @@
+---
+- name: Amazon Linux 2 | Configure network kernel parameters 
+  include_tasks: configure_network_kernel_parameters_al2.yaml

tasks/configure_network_kernel_parameters_al2.yaml

@@ -0,0 +1,37 @@
+---
+# Check whether IPv6 is enabled
+- name: "Check IPv6 enablement status"
+  ansible.builtin.shell: cat /sys/module/ipv6/parameters/disable
+  register: ipv6_disabled
+  changed_when: false
+  failed_when: false
+  become: true
+
+# Persist kernel network parameters to sysctl config files
+- name: "Persist sysctl parameters to configuration files"
+  ansible.builtin.lineinfile:
+    path: "{{ item.file }}"
+    create: yes
+    line: "{{ item.name }} = {{ item.value }}"
+    state: present
+  loop: "{{ sysctl_params }}"
+  loop_control:
+    label: "{{ item.name }}"
+  become: true
+
+# Apply settings to the running kernel (IPv6 only if enabled)
+- name: "Apply sysctl parameters at runtime"
+  ansible.builtin.shell: |
+    echo "Applying {{ item.name }} = {{ item.value }}"
+    sysctl -w {{ item.name }}={{ item.value }}
+    if [[ "{{ item.name }}" == net.ipv4.* ]]; then
+      sysctl -w net.ipv4.route.flush=1
+    elif [[ "{{ item.name }}" == net.ipv6.* && -f /sys/module/ipv6/parameters/disable && "$(cat /sys/module/ipv6/parameters/disable)" = "0" ]]; then
+      sysctl -w net.ipv6.route.flush=1
+    fi
+  loop: "{{ sysctl_params }}"
+  loop_control:
+    label: "{{ item.name }}"
+  when: not (item.name is search("ipv6") and ipv6_disabled.stdout is defined and ipv6_disabled.stdout.strip() != "0")
+  become: true
+

tasks/main.yaml

@@ -2,15 +2,18 @@
 - name: Include CIS Stage Specific vars
   include_vars: cis-{{ cis_Stage }}.yaml
 
-- name: Debian realted Specification
+- name: Debian related Specification
   include_tasks: configure_Debian.yaml
   when:
     ansible_os_family == 'Debian'
 
-- name: Centos realted Specification
+- name: CentOS related Specification
   include_tasks: configure_RedHat.yaml
-  when:
-    ansible_os_family == 'RedHat'
+  when: ansible_os_family == 'RedHat' and ansible_distribution != 'Amazon'
+
+- name: Amazon Linux 2 related Specification
+  include_tasks: amazon_linux.yaml
+  when: ansible_distribution == 'Amazon'
 
 # - name: Special purpose services
 #   include_tasks: services.yaml
@@ -35,3 +38,4 @@
 
 # - name: Ensure dccp and sctp is disabled
 #   include_tasks: network_protocol_and_unusedFilesystem.yaml
+

vars/main.yml

@@ -88,3 +88,30 @@ os_services_name: ['avahi-daemon', 'slapd', 'named', 'cups', 'telnet', 'discard-
 # aide cronjob configuration
 minute_aide_cronjob: '0'
 hour_aide_cronjob: '5'
+
+#Configure Network Kernel Parameters
+sysctl_params:
+  - { name: "net.ipv4.ip_forward", value: "0", file: "/etc/sysctl.d/60-netipv4_sysctl.conf" }
+  - { name: "net.ipv6.conf.all.forwarding", value: "0", file: "/etc/sysctl.d/60-netipv6_sysctl.conf" }
+  - { name: "net.ipv4.conf.all.send_redirects", value: "0", file: "/etc/sysctl.d/60-netipv4_sysctl.conf" }
+  - { name: "net.ipv4.conf.default.send_redirects", value: "0", file: "/etc/sysctl.d/60-netipv4_sysctl.conf" }
+  - { name: "net.ipv4.icmp_ignore_bogus_error_responses", value: "1", file: "/etc/sysctl.d/60-netipv4_sysctl.conf" }
+  - { name: "net.ipv4.icmp_echo_ignore_broadcasts", value: "1", file: "/etc/sysctl.d/60-netipv4_sysctl.conf" }
+  - { name: "net.ipv4.conf.all.accept_redirects", value: "0", file: "/etc/sysctl.d/60-netipv4_sysctl.conf" }
+  - { name: "net.ipv4.conf.default.accept_redirects", value: "0", file: "/etc/sysctl.d/60-netipv4_sysctl.conf" }
+  - { name: "net.ipv6.conf.all.accept_redirects", value: "0", file: "/etc/sysctl.d/60-netipv6_sysctl.conf" }
+  - { name: "net.ipv6.conf.default.accept_redirects", value: "0", file: "/etc/sysctl.d/60-netipv6_sysctl.conf" }
+  - { name: "net.ipv4.conf.all.secure_redirects", value: "0", file: "/etc/sysctl.d/60-netipv4_sysctl.conf" }
+  - { name: "net.ipv4.conf.default.secure_redirects", value: "0", file: "/etc/sysctl.d/60-netipv4_sysctl.conf" }
+  - { name: "net.ipv4.conf.all.rp_filter", value: "1", file: "/etc/sysctl.d/60-netipv4_sysctl.conf" }
+  - { name: "net.ipv4.conf.default.rp_filter", value: "1", file: "/etc/sysctl.d/60-netipv4_sysctl.conf" }
+  - { name: "net.ipv4.conf.all.accept_source_route", value: "0", file: "/etc/sysctl.d/60-netipv4_sysctl.conf" }
+  - { name: "net.ipv4.conf.default.accept_source_route", value: "0", file: "/etc/sysctl.d/60-netipv4_sysctl.conf" }
+  - { name: "net.ipv6.conf.all.accept_source_route", value: "0", file: "/etc/sysctl.d/60-netipv6_sysctl.conf" }
+  - { name: "net.ipv6.conf.default.accept_source_route", value: "0", file: "/etc/sysctl.d/60-netipv6_sysctl.conf" }
+  - { name: "net.ipv4.conf.all.log_martians", value: "1", file: "/etc/sysctl.d/60-netipv4_sysctl.conf" }
+  - { name: "net.ipv4.conf.default.log_martians", value: "1", file: "/etc/sysctl.d/60-netipv4_sysctl.conf" }
+  - { name: "net.ipv4.tcp_syncookies", value: "1", file: "/etc/sysctl.d/60-netipv4_sysctl.conf" }
+  - { name: "net.ipv6.conf.all.accept_ra", value: "0", file: "/etc/sysctl.d/60-netipv6_sysctl.conf" }
+  - { name: "net.ipv6.conf.default.accept_ra", value: "0", file: "/etc/sysctl.d/60-netipv6_sysctl.conf" }
+