X-Git-Url: https://gerrit.akraino.org/r/gitweb?p=ta%2Finfra-ansible.git;a=blobdiff_plain;f=roles%2Fops-hardening%2Ftasks%2Fmain.yaml;h=fdf6512a635c7e7edc89e29d4acbfe54e8515ce9;hp=1ce68f25c0bd855307545a1d126b77831e4655e0;hb=refs%2Fheads%2Fmaster;hpb=f6eb1207cbd3c94bef9e0572556f4abf3d18de79
diff --git a/roles/ops-hardening/tasks/main.yaml b/roles/ops-hardening/tasks/main.yaml
index 1ce68f2..fdf6512 100644
--- a/roles/ops-hardening/tasks/main.yaml
+++ b/roles/ops-hardening/tasks/main.yaml
@@ -76,7 +76,7 @@
 lineinfile:
 path: /etc/login.defs
 regexp: '^SHA_CRYPT_MIN_ROUNDS[\s]*[0-9]*$'
- line: 'SHA_CRYPT_MIN_ROUNDS 5000'
+ line: 'SHA_CRYPT_MIN_ROUNDS 10000'
 
 - name: "Set maximum number of password hash rounds"
 lineinfile:
@@ -230,6 +230,14 @@
 when:
 - item.stat.exists == true
 
+- name: Limit access to the assembler binary
+ file:
+ path: "/usr/bin/as"
+ state: file
+ mode: "0700"
+ owner: root
+ group: root
+
 #
 # Disable direct root login
 #
@@ -273,8 +281,7 @@
 state: absent
 regexp: '^tcp6.*'
 
-- name: Disable automatic ipv6 configuration
- when: ansible_default_ipv6|length > 0
+- name: Disable automatic ipv6 configuration and routing
 sysctl:
 name: "{{ item.name }}"
 value: "{{ item.value }}"
@@ -282,12 +289,13 @@
 reload: yes
 with_items:
 - { name: 'net.ipv6.conf.all.accept_source_route', value: 0 }
+ - { name: 'net.ipv6.conf.default.accept_source_route', value: 0 }
 - { name: 'net.ipv6.conf.all.accept_ra', value: 0 }
 - { name: 'net.ipv6.conf.default.accept_ra', value: 0 }
 - { name: 'net.ipv6.conf.all.accept_redirects', value: 0 }
 - { name: 'net.ipv6.conf.default.accept_redirects', value: 0 }
- - { name: 'net.ipv6.conf.default.accept_source_route', value: 0 }
 - { name: 'net.ipv6.conf.all.forwarding', value: 0 }
+ - { name: 'net.ipv6.conf.default.forwarding', value: 0 }
 
 #
 # Configure kernel parameters
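Review bot: Raising SHA_CRYPT_MIN_ROUNDS to 10000 on the changed `line:` only affects hashes computed after the change; passwords already stored in /etc/shadow keep their current round count until they are next changed, so the task should not be read as re-hardening existing accounts. The companion "Set maximum number of password hash rounds" task whose header is the last context line of this hunk is set outside the hunk, and its value should be checked to stay at or above 10000 so the two settings remain consistent. A short comment above the task would make both points explicit, e.g. `# Applies to newly set passwords only; keep SHA_CRYPT_MAX_ROUNDS >= this value`.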
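Review bot: The new "Limit access to the assembler binary" task uses `state: file`, which does not create the path and makes the file module fail when /usr/bin/as is absent, so the whole role aborts on hosts where binutils is not installed. The preceding context lines show the role already guards a similar case with `when: - item.stat.exists == true`; the same pattern fits here, as sketched below. Separately, and to be confirmed against the target distribution, a package upgrade of binutils may restore the default mode of the binary, so this control is probably worth re-applying on each run rather than treating as one-off.
```yaml
- name: Check whether the assembler binary is present
  stat:
    path: "/usr/bin/as"
  register: as_binary

- name: Limit access to the assembler binary
  file:
    # … unchanged: path, state, mode, owner, group …
  when: as_binary.stat.exists
```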
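Review bot: Dropping the `when: ansible_default_ipv6|length > 0` guard on the renamed "Disable automatic ipv6 configuration and routing" task leaves nothing that skips the sysctl calls on hosts where IPv6 is disabled in the kernel (for example via `ipv6.disable=1`), and on such hosts the `net.ipv6.conf.*` keys do not exist under /proc/sys, so the sysctl module fails instead of being a no-op; the removed fact-based guard presumably avoided that, although it also skipped hosts with IPv6 enabled but unrouted, which is the case the commit appears to want to cover. A guard on the presence of the sysctl tree would keep the wider coverage without the failure mode, for instance a `stat` of `/proc/sys/net/ipv6/conf/all` registered as `ipv6_sysctl` followed by `when: ipv6_sysctl.stat.exists` on this task. The task body continues in the following hunk (`reload`, `with_items`), which inherits the same concern.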