Disable acquiring, saving, and processing core dumps

An XCCDF Rule

Description

The systemd-coredump.socket unit is a socket activation of the systemd-coredump@.service which processes core dumps. By masking the unit, core dump processing is disabled.

Rationale

A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.

ID: xccdf_org.ssgproject.content_rule_service_systemd-coredump_disabled
Severity: Medium
References: CCI-000366

SC-7(10)

FMT_SMF_EXT.1

SRG-OS-000480-GPOS-00227
Updated: over 1 year ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-53-SC-7(10)
  - disable_strategy  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_systemd-coredump_disabled

- name: Disable acquiring, saving, and processing core dumps - Collect systemd Socket
    Units Present in the System
  ansible.builtin.command:
    cmd: systemctl -q list-unit-files --type socket
  register: result_systemd_unit_files
  changed_when: false
  when: '"kernel" in ansible_facts.packages'
  tags:
  - NIST-800-53-SC-7(10)
  - disable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_systemd-coredump_disabled

- name: Disable acquiring, saving, and processing core dumps - Ensure systemd-coredump.socket
    is Masked
  ansible.builtin.systemd:
    name: systemd-coredump.socket
    state: stopped
    enabled: false
    masked: true
  when:
  - '"kernel" in ansible_facts.packages'
  - result_systemd_unit_files.stdout_lines is search("systemd-coredump.socket")
  tags:
  - NIST-800-53-SC-7(10)
  - disable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_systemd-coredump_disabled

# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel; then

SOCKET_NAME="systemd-coredump.socket"
SYSTEMCTL_EXEC='/usr/bin/systemctl'
if "$SYSTEMCTL_EXEC" -q list-unit-files --type socket | grep -q "$SOCKET_NAME"; then
    "$SYSTEMCTL_EXEC" stop "$SOCKET_NAME"
    "$SYSTEMCTL_EXEC" mask "$SOCKET_NAME"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Disable acquiring, saving, and processing core dumps

Description

Rationale

Remediation - Ansible

Remediation - Shell Script