Add CVE-2021-33909 mitigations (#466)

* Add CVE-2021-33909 mitigations

kernel.unprivileged_bpf_disabled: 1
kernel.unprivileged_userns_clone: 0

The first one is also used by Tails.

Signed-off-by: Paweł Krawczyk <[email protected]>

* Clean up whitespaces

Signed-off-by: Paweł Krawczyk <[email protected]>

Author: kravietz

roles/os_hardening/defaults/main.yml

@@ -282,6 +282,14 @@ sysctl_config:
   vm.mmap_rnd_bits: 32
   vm.mmap_rnd_compat_bits: 16
 
+  # Disable unprivileged users from loading eBPF programs into the kernel.
+  # One of mitigations against CVE-2021-33909. | Tail-2
+  kernel.unprivileged_bpf_disabled: 1
+
+  # Reduce attack surface by disabling unprivileged user namespaces.
+  # Mitigates CVE-2021-33909 and other exploits.
+  kernel.unprivileged_userns_clone: 0
+
 # Do not delete the following line or otherwise the playbook will fail
 # at task 'create a combined sysctl-dict if overwrites are defined'
 sysctl_overwrite: