diff --git a/handlers/main.yml b/handlers/main.yml
index 57bb7a5..f9144f4 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -49,3 +49,8 @@
 ansible.builtin.systemd:
 name: systemd-journald
 state: restarted
+
+- name: reload systemd daemon
+ ansible.builtin.systemd:
+ daemon_reload: yes
+ become: true
diff --git a/tasks/amazon_linux.yaml b/tasks/amazon_linux.yaml
new file mode 100644
index 0000000..fa5f97e
--- /dev/null
+++ b/tasks/amazon_linux.yaml
@@ -0,0 +1,3 @@
+---
+- name: Amazon Linux 2 | Configure Additional Process handling
+ include_tasks: configure_additional_process_handling_al2.yaml
diff --git a/tasks/configure_additional_process_handling_al2.yaml b/tasks/configure_additional_process_handling_al2.yaml
new file mode 100644
index 0000000..37932e2
--- /dev/null
+++ b/tasks/configure_additional_process_handling_al2.yaml
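Review bot: `daemon_reload: yes` in the new handler is a YAML 1.1 truthy that yamllint flags, and the same handler already writes `become: true`; `daemon_reload: true` keeps the two consistent. As far as I can tell, /etc/systemd/coredump.conf is read by systemd-coredump each time it is invoked for a crash rather than by the manager, so a daemon-reload is not what makes the notifying blockinfile change take effect — the handler is harmless, but the notify suggests an activation step that is not really happening. A comment on the handler such as `# daemon-reload re-reads unit files; coredump.conf is read per crash and needs no reload` would stop a later maintainer from relying on it for that purpose.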
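Review bot: The include in the new amazon_linux.yaml uses the short module name while the file it pulls in uses fully-qualified `ansible.builtin.*` names throughout; `ansible.builtin.include_tasks: configure_additional_process_handling_al2.yaml` keeps the two new files consistent and avoids relying on the short-name resolution. A one-line header would also help, because this file is the only thing main.yaml runs for Amazon hosts: `# Amazon Linux entry point: only the additional process-hardening tasks are included here.`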
@@ -0,0 +1,38 @@
+---
+# Kernel hardening parameters
+- name: "Configure kernel hardening parameters"
+ ansible.builtin.sysctl:
+ name: "{{ item.name }}"
+ value: "{{ item.value }}"
+ state: present
+ sysctl_set: true
+ reload: yes
+ sysctl_file: /etc/sysctl.d/60-kernel_sysctl.conf
+ loop: "{{ kernel_hardening_params }}"
+ loop_control:
+ label: "{{ item.desc }}"
+ become: true
+
+# Core dump restrictions
+# Check existing coredump configuration for ProcessSizeMax and Storage directives
+- name: "Check existing coredump configuration"
+ ansible.builtin.shell: |
+ grep -Pi -- '^\h*(ProcessSizeMax|Storage)\b' /etc/systemd/coredump.conf 2>/dev/null || true
+ register: coredump_check
+ changed_when: false
+ failed_when: false
+ become: true
+
+# Configure core dump restrictions only if not already set
+- name: "Configure core dump restrictions (only if missing or incorrect)"
+ ansible.builtin.blockinfile:
+ path: /etc/systemd/coredump.conf
+ create: yes
+ block: "{{ coredump_config_block }}"
+ when: >
+ ('ProcessSizeMax=0' not in coredump_check.stdout) or
+ ('Storage=none' not in coredump_check.stdout)
+ notify:
+ - reload systemd daemon
+ become: true
+
diff --git a/tasks/main.yaml b/tasks/main.yaml
index 01a0df0..a032800 100644
--- a/tasks/main.yaml
+++ b/tasks/main.yaml
@@ -2,15 +2,18 @@
 - name: Include CIS Stage Specific vars
 include_vars: cis-{{ cis_Stage }}.yaml
-- name: Debian realted Specification
+- name: Debian related Specification
 include_tasks: configure_Debian.yaml
 when: ansible_os_family == 'Debian'
-- name: Centos realted Specification
+- name: CentOS related Specification
 include_tasks: configure_RedHat.yaml
- when:
- ansible_os_family == 'RedHat'
+ when: ansible_os_family == 'RedHat' and ansible_distribution != 'Amazon'
+
+- name: Amazon Linux 2 related Specification
+ include_tasks: amazon_linux.yaml
+ when: ansible_distribution == 'Amazon'
 # - name: Special purpose services
 # include_tasks: services.yaml
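Review bot: The core-dump restriction only edits /etc/systemd/coredump.conf, which has no effect unless systemd-coredump is the kernel's core_pattern handler; on a host where core_pattern is still `core` or an abrt hook (plausible on Amazon Linux 2 with its older systemd — verify on a target), core files of setuid and ordinary processes remain fully enabled after this play. The kernel-level controls that hold regardless of the handler — `fs.suid_dumpable = 0` via sysctl and a `* hard core 0` limit — are missing from this file and from kernel_hardening_params. The grep-and-`when` guard in front of the blockinfile task also adds little: blockinfile is already idempotent through its marker lines, and the exact-substring tests (`'Storage=none' not in ...`) miss legitimate spellings such as `Storage = none`, so the block is appended again on such hosts; I would drop the shell task and let blockinfile own the stanza. The tasks below add the two kernel-level controls next to the existing ones.
```yaml
# Kernel-level core dump restrictions; these apply whether or not
# systemd-coredump is the core_pattern handler.
- name: "Disable core dumps for setuid programs"
  ansible.builtin.sysctl:
    name: fs.suid_dumpable
    value: "0"
    state: present
    sysctl_set: true
    reload: true
    sysctl_file: /etc/sysctl.d/60-kernel_sysctl.conf
  become: true

- name: "Set hard core dump limit to 0 for all users"
  ansible.builtin.lineinfile:
    path: /etc/security/limits.d/50-core.conf
    create: true
    mode: "0644"
    regexp: '^\*\s+hard\s+core\s+'
    line: "* hard core 0"
  become: true

# … unchanged: systemd-coredump check and blockinfile tasks …
```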
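Review bot: The new `and ansible_distribution != 'Amazon'` on the RedHat include means Amazon Linux hosts (os_family RedHat) now skip configure_RedHat.yaml entirely and run only the process-hardening include, so every other control in that file stops applying to them; unless that is intended, the Amazon include should be additive — keep `when: ansible_os_family == 'RedHat'` unchanged and let the new `Amazon Linux 2 related Specification` task run after it. If the split is deliberate, a comment on the RedHat task stating why Amazon is excluded would stop the next reader from "fixing" it. Note also that `ansible_distribution == 'Amazon'` matches Amazon Linux 2023 as well as AL2 while the task and file names say AL2; `and ansible_distribution_major_version == '2'` would match the name if that restriction is wanted.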
@@ -35,3 +38,4 @@
 # - name: Ensure dccp and sctp is disabled
 # include_tasks: network_protocol_and_unusedFilesystem.yaml
+
diff --git a/vars/main.yml b/vars/main.yml
index 790b629..2115e88 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -88,3 +88,14 @@ os_services_name: ['avahi-daemon', 'slapd', 'named', 'cups', 'telnet', 'discard-
 # aide cronjob configuration
 minute_aide_cronjob: '0'
 hour_aide_cronjob: '5'
+
+#Configure Additional Process Hardening
+kernel_hardening_params:
+ - { name: "kernel.randomize_va_space", value: "2", desc: "Ensure ASLR is enabled" }
+ - { name: "kernel.yama.ptrace_scope", value: "1", desc: "Restrict ptrace_scope" }
+
+coredump_config_block: |
+ [Coredump]
+ ProcessSizeMax=0
+ Storage=none
+
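Review bot: `kernel.yama.ptrace_scope` only exists when the Yama LSM is built into the running kernel; if it is absent on a target, the sysctl loop that consumes kernel_hardening_params fails hard rather than skipping, so either confirm Yama on every Amazon Linux kernel in scope or flag the entry so the consumer can guard it, e.g. `# requires CONFIG_SECURITY_YAMA; the sysctl task fails if /proc/sys/kernel/yama is absent` next to that item. The new header `#Configure Additional Process Hardening` also lacks the space after `#` that the neighbouring `# aide cronjob configuration` comment uses (`# Configure Additional Process Hardening`).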