Feature coredump (#513)

* restructure limits-tasks

* disable coredumps in tests

* use notify-task for systemd-reload

Signed-off-by: rndmh3ro <[email protected]>

* add notify to another task

Signed-off-by: rndmh3ro <[email protected]>

* rm obsolete task and rename handler

Signed-off-by: rndmh3ro <[email protected]>

Author: rndmh3ro

molecule/os_hardening/converge.yml

@@ -16,7 +16,7 @@
         name: os_hardening
   vars:
     os_security_users_allow: change_user
-    os_security_kernel_enable_core_dump: true
+    os_security_kernel_enable_core_dump: false
     os_security_suid_sgid_remove_from_unknown: true
     os_auth_pam_passwdqc_enable: false
     os_auth_lockout_time: 15

roles/os_hardening/handlers/main.yml

@@ -7,3 +7,7 @@
     cmd: 'service auditd restart'  # rhel: see: https://access.redhat.com/solutions/2664811
     warn: false  # sadly 'service' module fails in that case also by using 'use: service'
   when: molecule_yml is not defined  # restarting auditd in a container does not work
+
+- name: Reload systemd
+  systemd:
+    daemon_reload: yes

roles/os_hardening/tasks/limits.yml

@@ -1,5 +1,6 @@
 ---
-- block:
+- name: disable coredumps
+  block:
   - name: Create limits.d-directory if it does not exist | sysctl-31a, sysctl-31b
     file:
       path: '/etc/security/limits.d'
@@ -27,22 +28,14 @@
       modification_time: preserve
       access_time: preserve
 
-  when: not os_security_kernel_enable_core_dump | bool
-
-- name: Remove 10.hardcore.conf config file
-  file:
-    path: /etc/security/limits.d/10.hardcore.conf
-    state: absent
-  when: os_security_kernel_enable_core_dump | bool
-
-- block:
   - name: create coredump.conf.d-directory if it does not exist
     file:
       path: '/etc/systemd/coredump.conf.d'
       owner: root
       group: root
       mode: 0755
       state: directory
+    when: ansible_service_mgr == "systemd"
 
   - name: create custom.conf for disabling coredumps
     template:
@@ -51,21 +44,22 @@
       owner: root
       group: root
       mode: 0644
-
-  - name: Reload daemon
-    systemd:
-      daemon_reload: yes
+    when: ansible_service_mgr == "systemd"
+    notify: Reload systemd
 
   when: not os_security_kernel_enable_core_dump | bool
 
-- block:
+- name: enable coredumps
+  block:
   - name: Remove coredump.conf.d directory with files
     file:
       path: /etc/systemd/coredump.conf.d
       state: absent
+    when: ansible_service_mgr == "systemd"
+    notify: Reload systemd
 
-  - name: Reload daemon
-    systemd:
-      daemon_reload: yes
-
+  - name: Remove 10.hardcore.conf config file
+    file:
+      path: /etc/security/limits.d/10.hardcore.conf
+      state: absent
   when: os_security_kernel_enable_core_dump | bool