fix 安全加固允许ip_forward

2019-06-05 20:41:09 +08:00 · 2019-06-05 20:41:09 +08:00 · e0392acef0
parent d0a481cd09
commit e0392acef0
2 changed files with 7 additions and 8 deletions
--- a/roles/clean/tasks/clean_lb.yml
+++ b/roles/clean/tasks/clean_lb.yml
@ -1,11 +1,10 @@
 # to clean 'lb' service
 - block:
-  - name: stop keepalived service
-    shell: systemctl disable keepalived && systemctl stop keepalived
-    ignore_errors: true
-
-  - name: stop haproxy service
-    shell: systemctl disable haproxy && systemctl stop haproxy
+  - name: rm service keepalived and haproxy
+    service: name={{ item }} state=stopped enabled=no
+    with_items:
+    - keepalived
+    - haproxy
    ignore_errors: true

  - name: remove files and dirs
--- a/roles/os-harden/os-harden.yml
+++ b/roles/os-harden/os-harden.yml
@ -7,8 +7,8 @@
    os_security_suid_sgid_whitelist: ['/usr/bin/rlogin']
    os_filesystem_whitelist: ['vfat']
    sysctl_config:
-      net.ipv4.ip_forward: 0
-      net.ipv6.conf.all.forwarding: 0
+      net.ipv4.ip_forward: 1
+      net.ipv6.conf.all.forwarding: 1
      net.ipv6.conf.all.accept_ra: 0
      net.ipv6.conf.default.accept_ra: 0
      net.ipv4.conf.all.rp_filter: 1