kubeasz/roles/os-harden/tasks/limits.yml

37 lines
1.1 KiB
YAML
Raw Normal View History

---
- block:
- name: create limits.d-directory if it does not exist | sysctl-31a, sysctl-31b
file:
path: '/etc/security/limits.d'
owner: 'root'
group: 'root'
mode: '0755'
state: 'directory'
2018-09-17 23:23:56 +08:00
2021-01-19 23:35:31 +08:00
- name: create additional limits config file -> 10.hardcore.conf | sysctl-31a, sysctl-31b
pam_limits:
dest: '/etc/security/limits.d/10.hardcore.conf'
domain: '*'
limit_type: hard
limit_item: core
2021-01-19 23:35:31 +08:00
value: '0'
comment: Prevent core dumps for all users. These are usually not needed and may contain sensitive information
2018-09-17 23:23:56 +08:00
- name: set 10.hardcore.conf perms to 0400 and root ownership
file:
path: /etc/security/limits.d/10.hardcore.conf
owner: 'root'
group: 'root'
mode: '0440'
2021-01-19 23:35:31 +08:00
state: touch
modification_time: preserve
access_time: preserve
2018-09-17 23:23:56 +08:00
2021-01-19 23:35:31 +08:00
when: not os_security_kernel_enable_core_dump | bool
- name: remove 10.hardcore.conf config file
file:
path: /etc/security/limits.d/10.hardcore.conf
state: absent
2021-01-19 23:35:31 +08:00
when: os_security_kernel_enable_core_dump | bool