V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>

func/cdi_4400_hardening/4460_hardening_memory.sh

@@ -12,6 +12,29 @@
 
 guard_sourcing
 
+#######################################
+# NOTE:
+#   According to the manual pages of limits.conf(5) and pam_limits(8),
+#   entries in '/etc/security/limits.conf' or drop-ins under
+#   '/etc/security/limits.d/' are NOT applied automatically by the system.
+#   The actual enforcement of these ulimit(2) constraints — including
+#   '* soft core 0' and '* hard core 0' to disable kernel core dumps —
+#   requires that the PAM module 'pam_limits.so' is invoked in the
+#   'session' stack of the respective service (e.g., via
+#   '/etc/pam.d/common-session' and
+#   '/etc/pam.d/common-session-noninteractive').
+#
+#   Without 'pam_limits.so' present in these PAM configuration files,
+#   the configured limits remain ineffective for PAM-based logins
+#   (SSH, local TTY, sudo, su, cron, etc.).
+#   Services launched by systemd bypass PAM and must have 'LimitCORE=0'
+#   or 'DefaultLimitCORE=0' set in their unit or in system.conf.d(5).
+#
+# References:
+#   - man 5 limits.conf
+#   - man 8 pam_limits
+#######################################
+
 #######################################
 # Hardening memory dump via:
 #   '/etc/systemd/coredump.conf.d/disable.conf'
@@ -161,6 +184,6 @@ guard_pam_limits() {
 
   (( var_changed )) && do_log "info" "file_only" "4460() Activated pam_limits.so: (common-session[*])"
 
-  return 0
+  guard_dir && return 0
 }
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh