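{#
  sysctl settings rendered by the CIS remediation playbook.

  Each block is emitted only when its rhel9cis_rule_<id> toggle is true.
  The IPv6 counterparts of 3.1.1, 3.2.1 and 3.2.2 are emitted only when
  rhel9cis_ipv6_required is also true. A host with a live IPv6 stack and
  that variable set to false therefore gets no IPv6 forwarding,
  source-route or redirect hardening from this file.

  Writing the file does not change the running kernel. The values apply
  once the file is loaded (e.g. `sysctl --system`) or at the next boot.
#}
# Setting added via ansible CIS remediation playbook

{% if rhel9cis_rule_1_6_1 %}
# Filesystem sysctl
# CIS 1.6.1
# No core dumps for processes that changed privilege level (setuid etc.).
fs.suid_dumpable = 0

{% endif %}
{% if rhel9cis_rule_1_6_2 %}
# Kernel sysctl
# CIS 1.6.2
# Full address-space layout randomisation (stack, mmap, VDSO and heap).
kernel.randomize_va_space = 2

{% endif %}
# Network sysctl
{% if rhel9cis_rule_3_1_1 %}
# CIS 3.1.1
# Host is not a router: do not forward packets between interfaces.
net.ipv4.ip_forward = 0
{# The outer block already checks the rule toggle; only IPv6 is tested here. #}
{% if rhel9cis_ipv6_required %}
net.ipv6.conf.all.forwarding = 0
{% endif %}

{% endif %}
{% if rhel9cis_rule_3_1_2 %}
# CIS 3.1.2
# Host is not a router: never send ICMP redirects.
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0

{% endif %}
{% if rhel9cis_rule_3_2_1 %}
# CIS 3.2.1
# Drop source-routed packets (sender-chosen path through the network).
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
{% if rhel9cis_ipv6_required %}
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
{% endif %}

{% endif %}
{% if rhel9cis_rule_3_2_2 %}
# CIS 3.2.2
# Ignore ICMP redirects so a remote party cannot rewrite the routing table.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
{% if rhel9cis_ipv6_required %}
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
{% endif %}

{% endif %}
{% if rhel9cis_rule_3_2_3 %}
# CIS 3.2.3
# Also ignore ICMP redirects that claim to come from a known gateway.
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0

{% endif %}
{% if rhel9cis_rule_3_2_4 %}
# CIS 3.2.4
# Log packets with impossible source addresses (martians).
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1

{% endif %}
{% if rhel9cis_rule_3_2_5 %}
# CIS 3.2.5
# Do not answer ICMP echo sent to broadcast/multicast addresses.
net.ipv4.icmp_echo_ignore_broadcasts = 1

{% endif %}
{% if rhel9cis_rule_3_2_6 %}
# CIS 3.2.6
# Do not log bogus ICMP error responses.
net.ipv4.icmp_ignore_bogus_error_responses = 1

{% endif %}
{% if rhel9cis_rule_3_2_7 %}
# CIS 3.2.7
# Strict reverse-path filtering: drop packets whose source is not reachable
# through the interface they arrived on.
{#
  The kernel validates each interface with the larger of conf/all and
  conf/<interface>. "default" alone seeds only interfaces created later, so
  "all" is set as well to cover interfaces that already exist.
#}
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1

{% endif %}
{% if rhel9cis_rule_3_2_8 %}
# CIS 3.2.8
# Fall back to SYN cookies when the SYN backlog overflows.
net.ipv4.tcp_syncookies = 1

{% endif %}
{% if rhel9cis_rule_3_2_9 %}
# CIS 3.2.9
# Ignore IPv6 router advertisements.
{#
  NOTE(review): unlike the other IPv6 settings in this file, this block is
  not gated on rhel9cis_ipv6_required. It is kept unconditional so router
  advertisements stay refused whenever the rule is enabled. Confirm this is
  intended: the net.ipv6.* keys are presumably absent when the IPv6 stack is
  disabled at boot, and loading the file would then report errors for them.
#}
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0
{% endif %}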