From 50605b1476206e0a01b9072ce3afa61bc0d353a1 Mon Sep 17 00:00:00 2001
From: Prince Batra
Date: Thu, 9 Oct 2025 09:48:50 +0000
Subject: [PATCH] Configure Additional Process Hardening
---
 handlers/main.yml | 4 +++
 tasks/amazon_linux.yaml | 3 ++
 ...igure_additional_process_handling_al2.yaml | 29 +++++++++++++++++++
 tasks/main.yaml | 18 +++++++-----
 4 files changed, 46 insertions(+), 8 deletions(-)
 create mode 100644 tasks/amazon_linux.yaml
 create mode 100644 tasks/configure_additional_process_handling_al2.yaml
diff --git a/handlers/main.yml b/handlers/main.yml
index 57bb7a5..b4fd0cb 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -49,3 +49,7 @@
 ansible.builtin.systemd:
 name: systemd-journald
 state: restarted
+
+- name: reload systemd reexec
+ ansible.builtin.command: systemctl daemon-reexec
+ become: true
diff --git a/tasks/amazon_linux.yaml b/tasks/amazon_linux.yaml
new file mode 100644
index 0000000..fa5f97e
--- /dev/null
+++ b/tasks/amazon_linux.yaml
@@ -0,0 +1,3 @@
+---
+- name: Amazon Linux 2 | Configure Additional Process handling
+ include_tasks: configure_additional_process_handling_al2.yaml
diff --git a/tasks/configure_additional_process_handling_al2.yaml b/tasks/configure_additional_process_handling_al2.yaml
new file mode 100644
index 0000000..869746f
--- /dev/null
+++ b/tasks/configure_additional_process_handling_al2.yaml
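Review bot: The new `reload systemd reexec` handler shells out through `ansible.builtin.command`, so it reports `changed` on every run and bypasses the module the sibling handler just above it already uses; `ansible.builtin.systemd` exposes the same operation natively, e.g. `- name: reload systemd reexec` / `  ansible.builtin.systemd:` / `    daemon_reexec: true` (keep `become: true`). Re-executing PID 1 is also a heavier operation than a plain daemon reload; if the only notifier is the coredump.conf change in tasks/configure_additional_process_handling_al2.yaml, confirm a re-exec is actually required, since systemd-coredump appears to read its configuration on each invocation rather than through PID 1.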
@@ -0,0 +1,29 @@
+---
+# Kernel hardening parameters
+- name: "Configure kernel hardening parameters"
+ ansible.builtin.sysctl:
+ name: "{{ item.name }}"
+ value: "{{ item.value }}"
+ state: present
+ sysctl_set: true
+ reload: yes
+ sysctl_file: /etc/sysctl.d/60-kernel_sysctl.conf
+ loop:
+ - { name: "kernel.randomize_va_space", value: "2", desc: "Ensure ASLR is enabled" }
+ - { name: "kernel.yama.ptrace_scope", value: "1", desc: "Restrict ptrace_scope" }
+ loop_control:
+ label: "{{ item.desc }}"
+
+# Core dump restrictions
+- name: "Configure core dump restrictions"
+ ansible.builtin.blockinfile:
+ path: /etc/systemd/coredump.conf
+ create: yes
+ block: "{{ item.block }}"
+ loop:
+ - { block: "[Coredump]\nProcessSizeMax=0", desc: "Disable core dump backtraces" }
+ - { block: "[Coredump]\nStorage=none", desc: "Disable core dump storage" }
+ loop_control:
+ label: "{{ item.desc }}"
+ notify:
+ - reload systemd reexec
diff --git a/tasks/main.yaml b/tasks/main.yaml
index 01a0df0..3de0b85 100644
--- a/tasks/main.yaml
+++ b/tasks/main.yaml
@@ -1,16 +1,18 @@
 ---
-- name: Include CIS Stage Specific vars
- include_vars: cis-{{ cis_Stage }}.yaml
-
-- name: Debian realted Specification
- include_tasks: configure_Debian.yaml
+- name: Ubuntu related Specification
+ include_tasks: ubuntu.yaml
 when: ansible_os_family == 'Debian'
-- name: Centos realted Specification
- include_tasks: configure_RedHat.yaml
+- name: CentOS related Specification
+ include_tasks: centos.yaml
+ when:
+ ansible_os_family == 'RedHat' and ansible_distribution != 'Amazon'
+
+- name: Amazon Linux 2 related Specification
+ include_tasks: amazon_linux.yaml
 when:
- ansible_os_family == 'RedHat'
+ ansible_distribution == 'Amazon'
 # - name: Special purpose services
 # include_tasks: services.yaml
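Review bot: The two `loop` items of the "Configure core dump restrictions" blockinfile task write to the same `path` without a `marker`, so both iterations use the default `# {mark} ANSIBLE MANAGED BLOCK` markers and the second item (`Storage=none`) replaces the block the first one wrote; `ProcessSizeMax=0` never survives in /etc/systemd/coredump.conf, and the task is not idempotent across runs. Either give each item a distinct `marker`, or, simpler, drop the loop and write both settings in one `|` block scalar as below, which also removes the `\n` escapes. While here, `reload: yes` and `create: yes` are YAML 1.1 truthy spellings; write `true` to match `sysctl_set: true` in the same file. systemd-coredump appears to read coredump.conf each time it is invoked, so the `reload systemd reexec` notification is probably unnecessary — confirm before removing it.
```yaml
# … unchanged: kernel hardening sysctl task …

# Core dump restrictions
- name: "Configure core dump restrictions"
  ansible.builtin.blockinfile:
    path: /etc/systemd/coredump.conf
    create: true
    block: |
      [Coredump]
      ProcessSizeMax=0
      Storage=none
  # … unchanged: notify …
```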
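Review bot: The new `when: ansible_distribution == 'Amazon'` on the Amazon Linux include (and the matching `!= 'Amazon'` exclusion on the CentOS include) selects every Amazon Linux release, while the task name and amazon_linux.yaml are written for Amazon Linux 2 specifically; Amazon Linux 2023 hosts report the same distribution name, as far as I know, and would take this branch too. If only AL2 is intended, tighten it to `ansible_distribution == 'Amazon' and ansible_distribution_major_version == '2'` and decide explicitly which branch, if any, AL2023 should take. The Ubuntu include is likewise keyed on `ansible_os_family == 'Debian'`, so plain Debian hosts will run ubuntu.yaml; if that is deliberate, a short comment saying so would prevent the next reader from "fixing" it.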