Disable core dump backtraces

An XCCDF Rule

Description

The ProcessSizeMax option in [Coredump] section of /etc/systemd/coredump.conf specifies the maximum size in bytes of a core which will be processed. Core dumps exceeding this size may be stored, but the backtrace will not be generated.

warning alert: Warning

If the /etc/systemd/coredump.conf file does not already contain the [Coredump] section, the value will not be configured correctly.

Rationale

A core dump includes a memory image taken at the time the operating system terminates an application. The memory image could contain sensitive data and is generally useful only for developers or system operators trying to debug problems. Enabling core dumps on production systems is not recommended, however there may be overriding operational requirements to enable advanced debuging. Permitting temporary enablement of core dumps during such situations should be reviewed through local needs and policy.

ID: xccdf_org.ssgproject.content_rule_coredump_disable_backtraces
Severity: Medium
References: CCI-000366

CM-6

FMT_SMF_EXT.1

Req-3.2

SRG-OS-000480-GPOS-00227

1.6.1

CCE-92209-6

3.3.1
Updated: about 1 year ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-92209-6
  - NIST-800-53-CM-6  - PCI-DSS-Req-3.2
  - PCI-DSSv4-3.3.1
  - coredump_disable_backtraces
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: 'Disable core dump backtraces: Make sure Coredump section exist in remediation
    file'
  ansible.builtin.lineinfile:
    path: /etc/systemd/coredump.conf.d/oscap-autoremedy.conf
    line: '[Coredump]'
    create: true
  when: '"systemd" in ansible_facts.packages'
  tags:
  - CCE-92209-6
  - NIST-800-53-CM-6
  - PCI-DSS-Req-3.2
  - PCI-DSSv4-3.3.1
  - coredump_disable_backtraces
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Disable core dump backtraces
  block:

  - name: Check for duplicate values
    lineinfile:
      path: /etc/systemd/coredump.conf.d/oscap-autoremedy.conf
      create: true
      regexp: ^\s*ProcessSizeMax\s*=\s*
      state: absent
    check_mode: true
    changed_when: false
    register: dupes

  - name: Deduplicate values from /etc/systemd/coredump.conf.d/oscap-autoremedy.conf
    lineinfile:
      path: /etc/systemd/coredump.conf.d/oscap-autoremedy.conf
      create: true
      regexp: ^\s*ProcessSizeMax\s*=\s*
      state: absent
    when: dupes.found is defined and dupes.found > 1

  - name: Insert correct line to /etc/systemd/coredump.conf.d/oscap-autoremedy.conf
    lineinfile:
      path: /etc/systemd/coredump.conf.d/oscap-autoremedy.conf
      create: true
      regexp: ^\s*ProcessSizeMax\s*=\s*
      line: ProcessSizeMax=0
      state: present
      insertafter: '[Coredump]'
  when: '"systemd" in ansible_facts.packages'
  tags:
  - CCE-92209-6
  - NIST-800-53-CM-6
  - PCI-DSS-Req-3.2
  - PCI-DSSv4-3.3.1
  - coredump_disable_backtraces
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

# Remediation is applicable only in certain platforms
if rpm --quiet -q systemd; then

mkdir -p /etc/systemd/coredump.conf.d/
if [ ! -f "/etc/systemd/coredump.conf.d/oscap-autoremedy.conf" ]; then
   echo "[Coredump]" > "/etc/systemd/coredump.conf.d/oscap-autoremedy.conf"fi
if [ -e "/etc/systemd/coredump.conf.d/oscap-autoremedy.conf" ] ; then
    
    LC_ALL=C sed -i "/^\s*ProcessSizeMax\s*=\s*/Id" "/etc/systemd/coredump.conf.d/oscap-autoremedy.conf"
else
    touch "/etc/systemd/coredump.conf.d/oscap-autoremedy.conf"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/systemd/coredump.conf.d/oscap-autoremedy.conf"

cp "/etc/systemd/coredump.conf.d/oscap-autoremedy.conf" "/etc/systemd/coredump.conf.d/oscap-autoremedy.conf.bak"
# Insert at the end of the file
printf '%s\n' "ProcessSizeMax=0" >> "/etc/systemd/coredump.conf.d/oscap-autoremedy.conf"
# Clean up after ourselves.
rm "/etc/systemd/coredump.conf.d/oscap-autoremedy.conf.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Disable core dump backtraces

Description

Rationale

Remediation - Ansible

Remediation - Shell Script