From 893c8a343b4428678ef51b9112e43b761f4440b9 Mon Sep 17 00:00:00 2001
From: danielkubat
Date: Sat, 12 Dec 2020 02:52:30 +0100
Subject: [PATCH] Use pam_limits module to set limits

---
 ansible/playbooks/tasks/harden.yml | 14 +++++++-------
 ansible/playbooks/vars/RedHat.yml  |  4 ++++
 2 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/ansible/playbooks/tasks/harden.yml b/ansible/playbooks/tasks/harden.yml
index 9056875..e42bfff 100644
--- a/ansible/playbooks/tasks/harden.yml
+++ b/ansible/playbooks/tasks/harden.yml
@@ -20,14 +20,14 @@
         - harden
         - kernel
 
-    - name: security limits
-      copy:
+    - name: Security limits
+      pam_limits:
         dest: "/etc/security/limits.d/cis.conf"
-        owner: root
-        group: root
-        mode: '0644'
-        content: |
-          * hard core 0
+        domain: "{{ item.domain }}"
+        limit_type: "{{ item.limit_type }}"
+        limit_item: "{{ item.limit_item }}"
+        value: "{{ item.value }}"
+      with_items: "{{ limits }}"
       tags:
         - harden
 
diff --git a/ansible/playbooks/vars/RedHat.yml b/ansible/playbooks/vars/RedHat.yml
index cd42896..68a2eb8 100644
--- a/ansible/playbooks/vars/RedHat.yml
+++ b/ansible/playbooks/vars/RedHat.yml
@@ -17,6 +17,10 @@ remove_packages:
   - rsh
   - lftp
 
+# security limits
+limits:
+  - { domain: '*', limit_type: hard, limit_item: core, value: 0 }
+
 # sysctl settings
 sysctl_config:
   net.ipv4.ip_forward: 0
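Review bot: Replacing the `copy` task with `pam_limits` drops the explicit `owner: root`, `group: root`, `mode: '0644'` on `/etc/security/limits.d/cis.conf`, so when the file does not yet exist its permissions are whatever the module's create path and the controller's umask yield rather than a pinned value; consider keeping a `file:` task (or `ansible.builtin.file` with `state: touch`, `mode: '0644'`, `owner: root`, `group: root`) before the new task, since limits.d files are read by PAM during every login. The new task also iterates `"{{ limits }}"`, which is only defined in vars/RedHat.yml in this patch, so on any host where that vars file is not loaded the task fails with an undefined variable; `with_items: "{{ limits | default([]) }}"` keeps the hardening play usable there. Unlike the old `content: |`, `pam_limits` only adds or changes matching lines and never removes stale entries, which is worth noting in the task name or a comment, e.g. `# pam_limits merges lines; it does not purge entries removed from the limits list`. Depending on the Ansible version in use, `pam_limits` may need the `community.general.pam_limits` FQCN.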
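Review bot: The new `limits` entry is written in flow style while the rest of this vars file (`remove_packages`, `sysctl_config`) is block style; for consistency and cleaner diffs when more limits are added, write it as `- domain: '*'` / `limit_type: hard` / `limit_item: core` / `value: 0` on separate lines (the `'*'` quoting is correct and must stay, since a bare `*` is parsed as a YAML alias). `* hard core 0` alone does not fully cover CIS 1.5.1 "Ensure core dumps are restricted", which also expects `fs.suid_dumpable = 0` in sysctl; the visible `sysctl_config` only shows `net.ipv4.ip_forward`, so if `fs.suid_dumpable: 0` is not present further down, add it.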