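---
# Kernel hardening via sysctl
# Applied permanently via /etc/sysctl.d/99-hardening.conf (the path can be
# overridden with harden_sysctl_file). Every value is quoted so the YAML parser
# never retypes "0"/"1" into booleans or integers before ansible.posix.sysctl
# compares them with the live kernel value.
#
# Not set by this baseline; candidates for a follow-up review:
#   net.ipv4.conf.all.accept_source_route, net.ipv4.conf.all.log_martians,
#   kernel.randomize_va_space, fs.protected_symlinks, fs.protected_hardlinks

- name: Apply kernel hardening parameters
  ansible.posix.sysctl:
    name: "{{ item.name }}"
    value: "{{ item.value }}"
    state: present
    sysctl_file: "{{ harden_sysctl_file | default('/etc/sysctl.d/99-hardening.conf') }}"
    # sysctl_set also corrects a live value that drifted while the file already
    # matched; reload re-applies the whole file after any change to it.
    sysctl_set: true
    reload: true
  loop_control:
    label: "{{ item.name }}={{ item.value }}"
  loop:
    # ── Network: IP spoofing protection ─────────────────────────────────────
    - { name: net.ipv4.conf.all.rp_filter, value: "1" }
    - { name: net.ipv4.conf.default.rp_filter, value: "1" }

    # ── Network: Ignore ICMP redirects ──────────────────────────────────────
    - { name: net.ipv4.conf.all.accept_redirects, value: "0" }
    - { name: net.ipv4.conf.default.accept_redirects, value: "0" }
    - { name: net.ipv4.conf.all.send_redirects, value: "0" }
    - { name: net.ipv4.conf.default.send_redirects, value: "0" }
    - { name: net.ipv6.conf.all.accept_redirects, value: "0" }
    - { name: net.ipv6.conf.default.accept_redirects, value: "0" }

    # ── Network: Ignore broadcast pings ─────────────────────────────────────
    - { name: net.ipv4.icmp_echo_ignore_broadcasts, value: "1" }

    # ── Network: Ignore bogus error responses ───────────────────────────────
    - { name: net.ipv4.icmp_ignore_bogus_error_responses, value: "1" }

    # ── Network: SYN flood protection ───────────────────────────────────────
    - { name: net.ipv4.tcp_syncookies, value: "1" }
    - { name: net.ipv4.tcp_max_syn_backlog, value: "2048" }
    - { name: net.ipv4.tcp_synack_retries, value: "2" }
    - { name: net.ipv4.tcp_syn_retries, value: "5" }

    # ── Kernel: Restrict dmesg to root ──────────────────────────────────────
    - { name: kernel.dmesg_restrict, value: "1" }

    # ── Kernel: Hide kernel pointers ────────────────────────────────────────
    - { name: kernel.kptr_restrict, value: "2" }

    # ── Kernel: Disable SysRq ───────────────────────────────────────────────
    - { name: kernel.sysrq, value: "0" }

    # ── Memory: Disable core dumps for suid programs ────────────────────────
    - { name: fs.suid_dumpable, value: "0" }

# Disabling IPv6 is a site decision rather than a hardening default, so it is
# kept in its own task. The historical behaviour (IPv6 disabled) is preserved
# unless harden_disable_ipv6 is explicitly set to false.
- name: Disable IPv6 when not needed (harden_disable_ipv6)
  ansible.posix.sysctl:
    name: "{{ item.name }}"
    value: "{{ item.value }}"
    state: present
    sysctl_file: "{{ harden_sysctl_file | default('/etc/sysctl.d/99-hardening.conf') }}"
    sysctl_set: true
    reload: true
  loop_control:
    label: "{{ item.name }}={{ item.value }}"
  loop:
    - { name: net.ipv6.conf.all.disable_ipv6, value: "1" }
    - { name: net.ipv6.conf.default.disable_ipv6, value: "1" }
    - { name: net.ipv6.conf.lo.disable_ipv6, value: "1" }
  when: harden_disable_ipv6 | default(true) | bool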