dreadnode · l50 · Apr 23, 2026 · Apr 22, 2026 · Apr 22, 2026 · Apr 22, 2026
@@ -1,6 +1,11 @@
 #!/bin/bash
-# Launch ares orchestrator with environment variables
-# Placeholders are substituted by the calling task via envsubst/sed
+# Launch ares orchestrator in its own systemd transient unit so it (and any
+# tool subprocesses it spawns) gets its own cgroup, separate from
+# amazon-ssm-agent.service. Otherwise everything launched by SSM
+# RunShellScript inherits SSM's cgroup and competes with it for memory —
+# resulting in CONSTRAINT_MEMCG OOM-kills regardless of OOMScoreAdjust.
+set -euo pipefail
+
 export ARES_REDIS_URL=redis://127.0.0.1:6379
 export RUST_LOG=info
 export ARES_OPERATION_ID='__ARES_PAYLOAD__'
@@ -25,13 +30,54 @@ if [ -n "$_blue_model" ] && [ "$_blue_model" = "${_blue_model#__}" ]; then
 fi
 export ARES_DEPLOYMENT='__ARES_DEPLOYMENT__'
 export ARES_CONFIG=/etc/ares/config.yaml
+export ARES_MAX_CONCURRENT_TASKS=16
 _otel_endpoint='__OTEL_TRACES_ENDPOINT__'
 if [ -n "$_otel_endpoint" ] && [ "$_otel_endpoint" = "${_otel_endpoint#__}" ]; then
   export OTEL_EXPORTER_OTLP_TRACES_ENDPOINT="$_otel_endpoint"
   export OTEL_EXPORTER_OTLP_PROTOCOL='http/protobuf'
   export OTEL_RESOURCE_ATTRIBUTES='deployment.environment=staging,attack.team=red'
 fi
+
+mkdir -p /var/log/ares
+
+# Stop any prior orchestrator (transient unit or stray nohup process).
+systemctl stop ares-orchestrator.service 2>/dev/null || true
+systemctl reset-failed ares-orchestrator.service 2>/dev/null || true
 pkill -f 'ares orchestrator' 2>/dev/null || true
 sleep 1
-nohup /usr/local/bin/ares orchestrator >/var/log/ares/orchestrator.log 2>&1 &
-echo "Orchestrator started (PID: $!)"
+
+# Spawn as a transient systemd service in system-ares.slice. --setenv=NAME
+# (no value) inherits from current environment, preserving quoting that
+# would otherwise be mangled by EnvironmentFile parsing of JSON payloads.
+exec systemd-run \
+  --unit=ares-orchestrator.service \
+  --slice=system-ares.slice \
+  --description="Ares Orchestrator (transient)" \
+  --collect \
+  --setenv=ARES_REDIS_URL \
+  --setenv=RUST_LOG \
+  --setenv=ARES_OPERATION_ID \
+  --setenv=OPENAI_API_KEY \
+  --setenv=ANTHROPIC_API_KEY \
+  --setenv=DREADNODE_API_KEY \
+  --setenv=DREADNODE_SERVER_URL \
+  --setenv=DREADNODE_ORGANIZATION \
+  --setenv=DREADNODE_WORKSPACE \
+  --setenv=DREADNODE_PROJECT \
+  --setenv=GRAFANA_SERVICE_ACCOUNT_TOKEN \
+  --setenv=GRAFANA_URL \
+  --setenv=ARES_LLM_MODEL \
+  --setenv=ARES_TOOL_DISPATCH \
+  --setenv=ARES_BLUE_ENABLED \
+  --setenv=ARES_BLUE_LLM_MODEL \
+  --setenv=ARES_DEPLOYMENT \
+  --setenv=ARES_CONFIG \
+  --setenv=ARES_MAX_CONCURRENT_TASKS \
+  --setenv=OTEL_EXPORTER_OTLP_TRACES_ENDPOINT \
+  --setenv=OTEL_EXPORTER_OTLP_PROTOCOL \
+  --setenv=OTEL_RESOURCE_ATTRIBUTES \
+  --property=StandardOutput=append:/var/log/ares/orchestrator.log \
+  --property=StandardError=append:/var/log/ares/orchestrator.log \
+  --property=OOMScoreAdjust=-500 \
+  --property=TasksMax=4096 \
+  /usr/local/bin/ares orchestrator
@@ -21,6 +21,14 @@ fi
 echo "=== Creating directories ==="
 mkdir -p /var/log/ares /etc/ares
 
+echo "=== Removing legacy ares-worker@ unit (renamed in PR #226) ==="
+if [ -f /etc/systemd/system/ares-worker@.service ]; then
+	for role in recon credential_access cracker acl privesc lateral coercion; do
+		systemctl disable --now "ares-worker@${role}.service" 2>/dev/null || true
+	done
+	rm -f /etc/systemd/system/ares-worker@.service
+fi
+
 echo "=== Creating systemd worker template unit ==="
 cat >/etc/systemd/system/ares@.service <<'UNIT_EOF'
 [Unit]
@@ -42,9 +50,18 @@ RestartSec=5
 StandardOutput=append:/var/log/ares/%i.log
 StandardError=append:/var/log/ares/%i.log
 
+# Contain child processes (netexec, hashcat, nmap, etc.) within this cgroup.
+# Without these limits, runaway tool processes can OOM the entire system and
+# take down the SSM agent (see: Apr 2026 incident).
+Delegate=yes
+MemoryHigh=2G
+MemoryMax=3G
+TasksMax=256
+
 [Install]
 WantedBy=multi-user.target
 UNIT_EOF
+systemctl daemon-reload
 
 echo "=== Installing cracking tools ==="
 if ! command -v hashcat >/dev/null 2>&1 || ! command -v john >/dev/null 2>&1; then

@@ -738,6 +738,7 @@ tasks:
       BLUE_ENABLED: '{{.BLUE_ENABLED | default "0"}}'
       BLUE_LLM_MODEL: '{{.BLUE_LLM_MODEL | default ""}}'
       EC2_DEPLOYMENT: '{{.EC2_DEPLOYMENT | default "alpha-operator-range"}}'
+      STRATEGY: '{{.STRATEGY | default "comprehensive"}}'
       RESOLVED_TARGETS:
         sh: |
           TARGET="{{.TARGET}}"
@@ -867,7 +868,7 @@ tasks:
           # Build JSON payload for ARES_OPERATION_ID
           TARGET_IPS_JSON=$(echo "{{.RESOLVED_TARGETS}}" | tr ',' '\n' | sed 's/^/"/;s/$/"/' | paste -sd, - | sed 's/^/[/;s/$/]/')
 
-          ORCH_PAYLOAD="{\"operation_id\":\"{{.OPERATION_ID_COMPUTED}}\",\"target_domain\":\"{{.DOMAIN}}\",\"target_ips\":${TARGET_IPS_JSON},\"model\":\"{{.MODEL}}\"}"
+          ORCH_PAYLOAD="{\"operation_id\":\"{{.OPERATION_ID_COMPUTED}}\",\"target_domain\":\"{{.DOMAIN}}\",\"target_ips\":${TARGET_IPS_JSON},\"model\":\"{{.MODEL}}\",\"strategy\":\"{{.STRATEGY}}\"}"
 
           # Build orchestrator launch script from template
           ORCH_SCRIPT=$(mktemp)

@@ -18,6 +18,8 @@ Install and configure AWS SSM Agent
 | -------- | ---- | ------- | ----------- |
 | `aws_ssm_agent_temp_dir` | str | <code>/tmp/ssm_install</code> | No description |
 | `aws_ssm_agent_aws_region` | str | <code>us-east-1</code> | No description |
+| `aws_ssm_agent_oom_protect` | bool | <code>True</code> | No description |
+| `aws_ssm_agent_memory_max` | str | <code>512M</code> | No description |
 
 ### Role Variables (main.yml)
 
@@ -42,6 +44,8 @@ Install and configure AWS SSM Agent
 - **Create temporary directory for SSM installation** (ansible.builtin.file) - Conditional
 - **Download SSM agent** (ansible.builtin.get_url) - Conditional
 - **Install SSM agent (Debian/Ubuntu)** (ansible.builtin.apt) - Conditional
+- **Create SSM agent systemd override directory** (ansible.builtin.file) - Conditional
+- **Deploy SSM agent OOM protection override** (ansible.builtin.template) - Conditional
 - **Reload systemd** (ansible.builtin.systemd) - Conditional
 - **Enable and start SSM agent** (ansible.builtin.systemd) - Conditional
 - **Refresh snap SSM agent** (ansible.builtin.command) - Conditional

@@ -2,3 +2,8 @@
 # General settings
 aws_ssm_agent_temp_dir: "/tmp/ssm_install"
 aws_ssm_agent_aws_region: "us-east-1"
+
+# OOM protection — cap SSM agent memory and lower its OOM score so the kernel
+# kills worker tool processes (netexec, hashcat, nmap) instead of SSM.
+aws_ssm_agent_oom_protect: true
+aws_ssm_agent_memory_max: "512M"
@@ -68,6 +68,28 @@
     - aws_ssm_agent_snap_check.rc != 0
     - aws_ssm_agent_dpkg_check.rc != 0
 
+- name: Create SSM agent systemd override directory
+  ansible.builtin.file:
+    path: /etc/systemd/system/amazon-ssm-agent.service.d
+    state: directory
+    mode: '0755'
+  become: true
+  when:
+    - aws_ssm_agent_snap_check.rc != 0
+    - aws_ssm_agent_oom_protect | default(true)
+
+- name: Deploy SSM agent OOM protection override
+  ansible.builtin.template:
+    src: ssm-oom-protect.conf.j2
+    dest: /etc/systemd/system/amazon-ssm-agent.service.d/oom-protect.conf
+    mode: '0644'
+  become: true
+  when:
+    - aws_ssm_agent_snap_check.rc != 0
+    - aws_ssm_agent_oom_protect | default(true)
+  notify:
+    - Restart ssm_agent (Linux)
+
 - name: Reload systemd
   ansible.builtin.systemd:
     daemon_reload: true

@@ -0,0 +1,7 @@
+# Protect SSM agent from the OOM killer.
+# Ares workers spawn many tool subprocesses (netexec, hashcat, nmap) that can
+# exhaust memory. Without this override, the OOM killer targets the SSM agent's
+# cgroup and kills it, making the instance unreachable.
+[Service]
+OOMScoreAdjust=-900
+MemoryMax={{ aws_ssm_agent_memory_max }}
@@ -194,6 +194,7 @@ Install and configure privilege escalation tools for Ares agents
 - **Clone SCMUACBypass from GitHub** (ansible.builtin.git) - Conditional
 - **Clone noPac from GitHub** (ansible.builtin.git) - Conditional
 - **Create virtual environment for noPac** (ansible.builtin.command) - Conditional
+- **Install setuptools in noPac venv (provides pkg_resources)** (ansible.builtin.pip) - Conditional
 - **Install noPac dependencies in venv** (ansible.builtin.pip) - Conditional
 - **Create wrapper script for noPac** (ansible.builtin.copy) - Conditional
 - **Clone PrintNightmare from GitHub** (ansible.builtin.git) - Conditional

@@ -297,6 +297,14 @@
     creates: "{{ privesc_tools_nopac_install_dir }}/venv"
   when: privesc_tools_install_nopac
 
+- name: Install setuptools in noPac venv (provides pkg_resources)
+  ansible.builtin.pip:
+    # setuptools 81 dropped pkg_resources; impacket 0.9.24 still imports it.
+    name: "setuptools<81"
+    virtualenv: "{{ privesc_tools_nopac_install_dir }}/venv"
+  become: true
+  when: privesc_tools_install_nopac
+
 - name: Install noPac dependencies in venv
   ansible.builtin.pip:
     requirements: "{{ privesc_tools_nopac_install_dir }}/requirements.txt"

@@ -24,6 +24,9 @@ Redis server for Ares worker message broker
 | `redis_ares_worker_binary` | str | <code>/usr/local/bin/ares</code> | No description |
 | `redis_ares_log_dir` | str | <code>/var/log/ares</code> | No description |
 | `redis_ares_config_dir` | str | <code>/etc/ares</code> | No description |
+| `redis_ares_worker_memory_high` | str | <code>2G</code> | No description |
+| `redis_ares_worker_memory_max` | str | <code>3G</code> | No description |
+| `redis_ares_worker_tasks_max` | int | <code>256</code> | No description |
 | `redis_verify_install` | bool | <code>False</code> | No description |
 
 ## Tasks

@@ -11,5 +11,13 @@ redis_ares_worker_binary: "/usr/local/bin/ares"
 redis_ares_log_dir: "/var/log/ares"
 redis_ares_config_dir: "/etc/ares"
 
+# Worker cgroup resource limits (per-role instance).
+# Workers spawn tool subprocesses (netexec, hashcat, nmap) that inherit the
+# service cgroup. Without limits these can exhaust system memory and OOM-kill
+# unrelated services like the SSM agent.
+redis_ares_worker_memory_high: "2G"
+redis_ares_worker_memory_max: "3G"
+redis_ares_worker_tasks_max: 256
+
 # Verification
 redis_verify_install: false
@@ -15,5 +15,13 @@ RestartSec=5
 StandardOutput=append:{{ redis_ares_log_dir }}/%i.log
 StandardError=append:{{ redis_ares_log_dir }}/%i.log
 
+# Contain child processes (netexec, hashcat, nmap, etc.) within this cgroup.
+# Without these limits, runaway tool processes can OOM the entire system and
+# take down the SSM agent (see: Apr 2026 incident).
+Delegate=yes
+MemoryHigh={{ redis_ares_worker_memory_high }}
+MemoryMax={{ redis_ares_worker_memory_max }}
+TasksMax={{ redis_ares_worker_tasks_max }}
+
 [Install]
 WantedBy=multi-user.target