OT-OSM · prince03batra · Oct 9, 2025 · Nov 3, 2025 · Nov 5, 2025 · Nov 6, 2025
diff --git a/handlers/main.yml b/handlers/main.yml
@@ -49,3 +49,8 @@
   ansible.builtin.systemd:
     name: systemd-journald
     state: restarted
+
+- name: reload systemd daemon
+  ansible.builtin.systemd:
+    daemon_reload: yes
+  become: true
diff --git a/tasks/amazon_linux.yaml b/tasks/amazon_linux.yaml
@@ -0,0 +1,3 @@
+---
+- name: Amazon Linux 2 | Configure Additional Process handling
+  include_tasks: configure_additional_process_handling_al2.yaml
diff --git a/tasks/configure_additional_process_handling_al2.yaml b/tasks/configure_additional_process_handling_al2.yaml
@@ -0,0 +1,38 @@
+---
+# Kernel hardening parameters
+- name: "Configure kernel hardening parameters"
+  ansible.builtin.sysctl:
+    name: "{{ item.name }}"
+    value: "{{ item.value }}"
+    state: present
+    sysctl_set: true
+    reload: yes
+    sysctl_file: /etc/sysctl.d/60-kernel_sysctl.conf
+  loop: "{{ kernel_hardening_params }}"
+  loop_control:
+    label: "{{ item.desc }}"
+  become: true
+
+# Core dump restrictions
+# Check existing coredump configuration for ProcessSizeMax and Storage directives
+- name: "Check existing coredump configuration"
+  ansible.builtin.shell: |
+    grep -Pi -- '^\h*(ProcessSizeMax|Storage)\b' /etc/systemd/coredump.conf 2>/dev/null || true
+  register: coredump_check
+  changed_when: false
+  failed_when: false
+  become: true
+
+# Configure core dump restrictions only if not already set
+- name: "Configure core dump restrictions (only if missing or incorrect)"
+  ansible.builtin.blockinfile:
+    path: /etc/systemd/coredump.conf
+    create: yes
+    block: "{{ coredump_config_block }}"
+  when: >
+    ('ProcessSizeMax=0' not in coredump_check.stdout) or
+    ('Storage=none' not in coredump_check.stdout)
+  notify:
+    - reload systemd daemon
+  become: true
+
diff --git a/tasks/main.yaml b/tasks/main.yaml
@@ -2,15 +2,18 @@
 - name: Include CIS Stage Specific vars
   include_vars: cis-{{ cis_Stage }}.yaml
 
-- name: Debian realted Specification
+- name: Debian related Specification
   include_tasks: configure_Debian.yaml
   when:
     ansible_os_family == 'Debian'
 
-- name: Centos realted Specification
+- name: CentOS related Specification
   include_tasks: configure_RedHat.yaml
-  when:
-    ansible_os_family == 'RedHat'
+  when: ansible_os_family == 'RedHat' and ansible_distribution != 'Amazon'
+
+- name: Amazon Linux 2 related Specification
+  include_tasks: amazon_linux.yaml
+  when: ansible_distribution == 'Amazon'
 
 # - name: Special purpose services
 #   include_tasks: services.yaml
@@ -35,3 +38,4 @@
 
 # - name: Ensure dccp and sctp is disabled
 #   include_tasks: network_protocol_and_unusedFilesystem.yaml
+
diff --git a/vars/main.yml b/vars/main.yml
@@ -88,3 +88,14 @@ os_services_name: ['avahi-daemon', 'slapd', 'named', 'cups', 'telnet', 'discard-
 # aide cronjob configuration
 minute_aide_cronjob: '0'
 hour_aide_cronjob: '5'
+
+#Configure Additional Process Hardening
+kernel_hardening_params:
+  - { name: "kernel.randomize_va_space", value: "2", desc: "Ensure ASLR is enabled" }
+  - { name: "kernel.yama.ptrace_scope", value: "1", desc: "Restrict ptrace_scope" }
+
+coredump_config_block: |
+  [Coredump]
+  ProcessSizeMax=0
+  Storage=none
+