Feature coredump (#513)
* restructure limits-tasks * disable coredumps in tests * use notify-task for systemd-reload Signed-off-by: rndmh3ro <github@gumpri.ch> * add notify to another task Signed-off-by: rndmh3ro <github@gumpri.ch> * rm obsolete task and rename handler Signed-off-by: rndmh3ro <github@gumpri.ch>
This commit is contained in:
parent
945d00fd91
commit
8f22ce788c
3 changed files with 18 additions and 20 deletions
|
@ -16,7 +16,7 @@
|
|||
name: os_hardening
|
||||
vars:
|
||||
os_security_users_allow: change_user
|
||||
os_security_kernel_enable_core_dump: true
|
||||
os_security_kernel_enable_core_dump: false
|
||||
os_security_suid_sgid_remove_from_unknown: true
|
||||
os_auth_pam_passwdqc_enable: false
|
||||
os_auth_lockout_time: 15
|
||||
|
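Review bot: With `os_security_kernel_enable_core_dump` flipped to `false` in this scenario's vars, the molecule run now exercises only the `disable coredumps` branch of the limits tasks; the `enable coredumps` branch reorganised in the same commit (removal of `/etc/systemd/coredump.conf.d` and `10.hardcore.conf`, plus its `notify: Reload systemd`) is left untested unless another scenario not visible here sets the variable to `true`. If this was the only scenario forcing `true`, keeping one with `os_security_kernel_enable_core_dump: true` would keep the removal path and its handler notification under CI. A short comment on the line, e.g. `# default hardening path; the enable branch is covered in <scenario>`, would make the intended coverage split explicit.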
|
|
@ -7,3 +7,7 @@
|
|||
cmd: 'service auditd restart' # rhel: see: https://access.redhat.com/solutions/2664811
|
||||
warn: false # sadly 'service' module fails in that case also by using 'use: service'
|
||||
when: molecule_yml is not defined # restarting auditd in a container does not work
|
||||
|
||||
- name: Reload systemd
|
||||
systemd:
|
||||
daemon_reload: yes
|
||||
|
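Review bot: The new `Reload systemd` handler spells its argument `daemon_reload: yes`; `yes` is a YAML 1.1 truthy that yamllint's `truthy` rule flags and Ansible style prefers `true`/`false`, so it should read `daemon_reload: true`. The handler itself carries no `when: ansible_service_mgr == "systemd"` guard, so it depends on every task that notifies it being guarded for systemd, which is not something the handler file can check. A one-line comment stating that contract would help the next person adding a `notify`, e.g. `# only notify from tasks guarded by ansible_service_mgr == "systemd"`.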
|
|
@ -1,5 +1,6 @@
|
|||
---
|
||||
- block:
|
||||
- name: disable coredumps
|
||||
block:
|
||||
- name: Create limits.d-directory if it does not exist | sysctl-31a, sysctl-31b
|
||||
file:
|
||||
path: '/etc/security/limits.d'
|
||||
|
@ -27,15 +28,6 @@
|
|||
modification_time: preserve
|
||||
access_time: preserve
|
||||
|
||||
when: not os_security_kernel_enable_core_dump | bool
|
||||
|
||||
- name: Remove 10.hardcore.conf config file
|
||||
file:
|
||||
path: /etc/security/limits.d/10.hardcore.conf
|
||||
state: absent
|
||||
when: os_security_kernel_enable_core_dump | bool
|
||||
|
||||
- block:
|
||||
- name: create coredump.conf.d-directory if it does not exist
|
||||
file:
|
||||
path: '/etc/systemd/coredump.conf.d'
|
||||
|
@ -43,6 +35,7 @@
|
|||
group: root
|
||||
mode: 0755
|
||||
state: directory
|
||||
when: ansible_service_mgr == "systemd"
|
||||
|
||||
- name: create custom.conf for disabling coredumps
|
||||
template:
|
||||
|
@ -51,21 +44,22 @@
|
|||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
|
||||
- name: Reload daemon
|
||||
systemd:
|
||||
daemon_reload: yes
|
||||
when: ansible_service_mgr == "systemd"
|
||||
notify: Reload systemd
|
||||
|
||||
when: not os_security_kernel_enable_core_dump | bool
|
||||
|
||||
- block:
|
||||
- name: enable coredumps
|
||||
block:
|
||||
- name: Remove coredump.conf.d directory with files
|
||||
file:
|
||||
path: /etc/systemd/coredump.conf.d
|
||||
state: absent
|
||||
when: ansible_service_mgr == "systemd"
|
||||
notify: Reload systemd
|
||||
|
||||
- name: Reload daemon
|
||||
systemd:
|
||||
daemon_reload: yes
|
||||
|
||||
- name: Remove 10.hardcore.conf config file
|
||||
file:
|
||||
path: /etc/security/limits.d/10.hardcore.conf
|
||||
state: absent
|
||||
when: os_security_kernel_enable_core_dump | bool
|
||||
|
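Review bot: The template task that writes `/etc/systemd/coredump.conf.d/custom.conf` now ends with `notify: Reload systemd`, but a `daemon_reload` re-reads unit files, not `coredump.conf`; as far as the systemd documentation goes, systemd-coredump is launched per crash via the kernel core_pattern and reads its configuration at that point, so the drop-in should take effect without any reload — worth confirming on a target and either dropping the notification or documenting why it is kept, e.g. `# daemon-reload is not what applies coredump.conf.d; kept for parity with the enable branch`. The same applies to the `notify` added to the `Remove coredump.conf.d directory with files` task. That task, which appears to be pre-existing, also removes the whole `/etc/systemd/coredump.conf.d` directory with `state: absent`, discarding any administrator drop-ins placed there besides `custom.conf`; narrowing `path` to `/etc/systemd/coredump.conf.d/custom.conf` would undo only what the role created. The enclosing `disable coredumps` and `enable coredumps` blocks and their `when: … os_security_kernel_enable_core_dump | bool` conditions span several hunks, so the block nesting cannot be fully verified from this view.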
|