Disable Core Dumps for All Users

An XCCDF Rule

Description

To disable core dumps for all users, add the following line to /etc/security/limits.conf, or to a file within the /etc/security/limits.d/ directory:

*     hard   core    0

Rationale

A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers trying to debug problems.

ID: xccdf_org.ssgproject.content_rule_disable_users_coredumps
Severity: Medium
References: 1 12 13 15 16 2 7 8

APO13.01 BAI04.04 DSS01.03 DSS03.05 DSS05.07

CCI-000366

SR 6.2 SR 7.1 SR 7.2

A.12.1.3 A.17.2.1

CM-6 SC-7(10)

DE.CM-1 PR.DS-4

SRG-OS-000480-GPOS-00227

RHEL-08-010673

CCE-81038-2

3.3 3.3.1 3.3.1.1

SV-230313r1017124_rule
Updated: about 1 month ago

Remediation Templates

# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then
SECURITY_LIMITS_FILE="/etc/security/limits.conf"

if grep -qE '^\s*\*\s+hard\s+core' $SECURITY_LIMITS_FILE; then
        sed -ri 's/(hard\s+core\s+)[[:digit:]]+/\1 0/' $SECURITY_LIMITS_FILEelse
        echo "*     hard   core    0" >> $SECURITY_LIMITS_FILE
fi

if ls /etc/security/limits.d/*.conf > /dev/null; then
        sed -ri '/^\s*\*\s+hard\s+core/d' /etc/security/limits.d/*.conf
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-81038-2
  - DISA-STIG-RHEL-08-010673  - NIST-800-53-CM-6
  - NIST-800-53-SC-7(10)
  - PCI-DSSv4-3.3
  - PCI-DSSv4-3.3.1
  - PCI-DSSv4-3.3.1.1
  - disable_users_coredumps
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
- name: Disable core dumps with limits
  lineinfile:
    dest: /etc/security/limits.conf
    regexp: ^[^#].*core
    line: '*        hard       core      0'
    create: true
  when: '"pam" in ansible_facts.packages'
  tags:
  - CCE-81038-2
  - DISA-STIG-RHEL-08-010673
  - NIST-800-53-CM-6
  - NIST-800-53-SC-7(10)
  - PCI-DSSv4-3.3
  - PCI-DSSv4-3.3.1
  - PCI-DSSv4-3.3.1.1
  - disable_users_coredumps
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
      version: 3.1.0    storage:
      files:
      - contents:
          source: data:,%2A%20%20%20%20%20hard%20%20%20core%20%20%20%200
        mode: 0644
        path: /etc/security/limits.d/75-disable_users_coredumps.conf
        overwrite: true

Disable Core Dumps for All Users

Description

Rationale

Remediation Templates

A Shell Script

An Ansible Snippet

A Kubernetes Patch