Ensure core dumps are restricted task (1.6.4) missing changes needed in /etc/security/limits.conf #31

Closed
jrbeilke opened this issue Apr 9, 2021 · 1 comment · Fixed by #34

jrbeilke commented Apr 9, 2021

Seems the SCORED | 1.6.4 | PATCH | Ensure core dumps are restricted task is only partially complete, setting fs.suid_dumpable for sysctl, but missing the changes needed in /etc/security/limits.conf

These are the full remediation steps per the CIS benchmark for core dumps:

Remediation:
Add the following line to /etc/security/limits.conf or a /etc/security/limits.d/* file:
* hard core 0

Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file:
fs.suid_dumpable = 0

Run the following command to set the active kernel parameter:
# sysctl -w fs.suid_dumpable=0

If systemd-coredump is installed:
edit /etc/systemd/coredump.conf and add/modify the following lines:

Storage=none
ProcessSizeMax=0

Run the command:
systemctl daemon-reload

jrbeilke commented Apr 9, 2021

Here's an example using lineinfile to update /etc/security/limits.conf accordingly:

- name: "SCORED | 1.6.4 | PATCH | Ensure core dumps are restricted"
  lineinfile:
      state: present
      dest: /etc/security/limits.conf
      # \* matches the literal wildcard domain, including a commented-out entry
      regexp: '^#?\*.*core'
      line: '*                hard    core            0'
      insertbefore: '^# End of file'
  when:
      - ubtu18cis_rule_1_6_4
  tags:
      - level1-server
      - level1-workstation
      - scored
      - patch
      - rule_1.6.4
      - coredump
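
An added example (not part of the issue thread or the project's role): a Python check of the settings listed in the quoted CIS remediation, run on constructed file contents, showing that setting only the sysctl value leaves the limits.conf item failing. Function names and sample contents are assumptions; accepting type `-` (soft and hard together) and requiring every active wildcard entry to be 0 are this example's choices.

```python
# Constructed sample file contents (not taken from a real host).
STOCK_LIMITS = "#*               soft    core            0\n# End of file\n"
FIXED_LIMITS = "*                hard    core            0\n# End of file\n"
SYSCTL = "# hardening\nfs.suid_dumpable = 0\n"
COREDUMP = "[Coredump]\n#Storage=external\nStorage=none\nProcessSizeMax=0\n"


def limits_restrict_core(text):
    """True if at least one active '*' hard (or '-') core entry exists and all are 0."""
    values = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments, split columns
        if (len(fields) == 4 and fields[0] == "*"
                and fields[1] in ("hard", "-") and fields[2] == "core"):
            values.append(fields[3])
    return bool(values) and all(v == "0" for v in values)


def last_setting(text, key):
    """Last active 'key = value' in a sysctl.d or coredump.conf style file."""
    value = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue  # blank line, comment, or section header
        name, _, val = line.partition("=")
        if name.strip() == key:
            value = val.strip()
    return value


def audit(limits, sysctl, coredump=None):
    """Map each remediation item to pass/fail; coredump=None means not installed."""
    result = {
        "limits_hard_core_0": limits_restrict_core(limits),
        "sysctl_suid_dumpable_0": last_setting(sysctl, "fs.suid_dumpable") == "0",
    }
    if coredump is not None:
        result["coredump_storage_none"] = last_setting(coredump, "Storage") == "none"
        result["coredump_process_size_max_0"] = (
            last_setting(coredump, "ProcessSizeMax") == "0")
    return result


if __name__ == "__main__":
    print("sysctl only:", audit(STOCK_LIMITS, SYSCTL))
    print("full remediation:", audit(FIXED_LIMITS, SYSCTL, COREDUMP))
```

On a real host the three arguments would be the concatenated contents of the limits, sysctl and coredump configuration files named in the remediation text.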

georgenalen added a commit that referenced this issue Apr 9, 2021
Signed-off-by: George Nalen <georgen@mindpointgroup.com>
This was referenced Apr 12, 2021
@georgenalen georgenalen linked a pull request Apr 14, 2021 that will close this issue
uk-bolly pushed a commit that referenced this issue Sep 20, 2023
Signed-off-by: George Nalen <georgen@mindpointgroup.com>