
Commit c310e15

Merge pull request #146 from martinbydefault/master
Removal of core dump hardening configuration if core dumps are allowed
2 parents 24fd32b + 9eb4550 commit c310e15


3 files changed

+37
-18
lines changed


tasks/limits.yml

Lines changed: 30 additions & 14 deletions
@@ -1,19 +1,35 @@
11
---
22

3-
- name: create limits.d-directory if it does not exist | sysctl-31a, sysctl-31b
3+
- block:
4+
- name: create limits.d-directory if it does not exist | sysctl-31a, sysctl-31b
5+
file:
6+
path: '/etc/security/limits.d'
7+
owner: 'root'
8+
group: 'root'
9+
mode: '0755'
10+
state: 'directory'
11+
12+
- name: create aditional limits config file -> 10.hardcore.conf | sysctl-31a, sysctl-31b
13+
pam_limits:
14+
dest: '/etc/security/limits.d/10.hardcore.conf'
15+
domain: '*'
16+
limit_type: hard
17+
limit_item: core
18+
value: 0
19+
comment: Prevent core dumps for all users. These are usually only needed by developers and may contain sensitive information
20+
21+
- name: set 10.hardcore.conf perms to 0400 and root ownership
22+
file:
23+
path: /etc/security/limits.d/10.hardcore.conf
24+
owner: 'root'
25+
group: 'root'
26+
mode: '0440'
27+
28+
when: 'not os_security_kernel_enable_core_dump'
29+
30+
- name: remove 10.hardcore.conf config file
431
file:
5-
path: '/etc/security/limits.d'
6-
owner: 'root'
7-
group: 'root'
8-
mode: '0755'
9-
state: 'directory'
10-
when: 'os_security_kernel_enable_core_dump'
32+
path: /etc/security/limits.d/10.hardcore.conf
33+
state: absent
1134

12-
- name: create sane limits.conf | sysctl-31a, sysctl-31b
13-
template:
14-
src: 'limits.conf.j2'
15-
dest: '/etc/security/limits.d/10.hardcore.conf'
16-
owner: 'root'
17-
group: 'root'
18-
mode: '0440'
1935
when: 'os_security_kernel_enable_core_dump'
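Review bot: The new `pam_limits` task writes to `/etc/security/limits.d/10.hardcore.conf`, but nothing in the block creates that file first, and the `pam_limits` module (in the Ansible releases I know) refuses to run when `dest` does not exist, so a first run on a fresh host would fail before the follow-up `file` task ever applies the 0440 mode — confirm against the Ansible version the role targets. I would pre-create the file with its final ownership and mode, which also closes the umask-dependent window between the `pam_limits` write and the later chmod and makes that third task redundant. Two smaller points in the same hunk: the task name says `0400` while `mode: '0440'` is what is applied, and the `comment:` line promises to prevent core dumps "for all users" although a `*` wildcard entry in pam_limits is not applied to root and PAM session limits do not reach systemd-started units at all, so unless the rest of the role covers those paths the wording should be narrowed, e.g. `comment: Hard core limit 0 for PAM sessions (not applied to root or systemd units); pair with fs.suid_dumpable and DefaultLimitCORE`.
```yaml
- block:
    # … unchanged: create limits.d-directory task …

    - name: create 10.hardcore.conf with final ownership and mode so pam_limits can edit it
      copy:
        content: ''
        dest: '/etc/security/limits.d/10.hardcore.conf'
        owner: 'root'
        group: 'root'
        mode: '0440'
        force: false

    # … unchanged: pam_limits task; the separate "set 10.hardcore.conf perms" task can be dropped …
  when: 'not os_security_kernel_enable_core_dump'
```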

tasks/profile.yml

Lines changed: 7 additions & 1 deletion
@@ -1,9 +1,15 @@
11
---
2-
- name: create profile.conf
2+
- name: add pinerolo_profile.sh to profile.d
33
template:
44
src: 'profile.conf.j2'
55
dest: '/etc/profile.d/pinerolo_profile.sh'
66
owner: 'root'
77
group: 'root'
88
mode: '0750'
99
when: not os_security_kernel_enable_core_dump
10+
11+
- name: remove pinerolo_profile.sh from profile.d
12+
file:
13+
path: /etc/profile.d/pinerolo_profile.sh
14+
state: absent
15+
when: os_security_kernel_enable_core_dump
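Review bot: The `mode: '0750'` on the `/etc/profile.d/pinerolo_profile.sh` template task (a context line this commit keeps) leaves the script root:root with no world-read bit, and the stock `/etc/profile` on Debian and Red Hat families only sources `profile.d/*.sh` entries that pass an `[ -r "$i" ]` test, so for every non-root login the file is skipped silently and whatever core-dump limit the template sets (assumed from the role and the `os_security_kernel_enable_core_dump` gate — I cannot see `profile.conf.j2`) never takes effect; root is the only user able to read it. The fix is one line, `mode: '0644'` — a sourced script needs no execute bit — plus a task comment such as `# must be world-readable: /etc/profile skips unreadable profile.d entries`. The new removal task itself looks correct and idempotent.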

templates/limits.conf.j2

Lines changed: 0 additions & 3 deletions
This file was deleted.
