Disable storing core dumps.

fedora/profiles/ospp.profile

@@ -48,6 +48,9 @@ selections:
     - sysctl_kernel_unprivileged_bpf_disabled
     - sysctl_net_core_bpf_jit_harden
     - sysctl_kernel_core_pattern
+    - coredump_disable_storage
+    - coredump_disable_backtraces
+    - service_systemd-coredump_disabled
     - dconf_db_up_to_date
     - dconf_gnome_screensaver_idle_activation_enabled
     - dconf_gnome_screensaver_idle_delay

linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/ansible/shared.yml

@@ -0,0 +1,11 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+{{{
+ansible_coredump_config_set(
+   parameter="ProcessSizeMax",
+   value="0"
+)
+}}}

linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/bash/shared.sh

@@ -0,0 +1,9 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+. /usr/share/scap-security-guide/remediation_functions
+include_lineinfile
+
+coredump_config_set ProcessSizeMax 0

linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/oval/shared.xml

@@ -0,0 +1,7 @@
+{{{
+oval_coredump_config_set(
+    parameter="ProcessSizeMax",
+    value="0",
+    missing_parameter_pass=false
+    )
+}}}

linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/rule.yml

@@ -0,0 +1,38 @@
+documentation_complete: true
+
+title: 'Disable core dump backtraces'
+
+description: |-
+    The <tt>ProcessSizeMax</tt> option in <tt>[Coredump]</tt> section
+    of <tt>/etc/systemd/coredump.conf</tt>
+    specifies the maximum size in bytes of a core which will be processed.
+    Core dumps exceeding this size may be stored, but the backtrace will not
+    be generated.
+
+rationale: |-
+    A core dump includes a memory image taken at the time the operating system
+    terminates an application. The memory image could contain sensitive data
+    and is generally useful only for developers trying to debug problems.
+
+severity: unknown
+
+identifiers:
+    cce@rhel8: 82251-0
+
+references:
+    ospp: FMT_SMF_EXT.1
+
+ocil_clause: ProcessSizeMax is not set to zero
+
+ocil: |-
+    To verify that logging core dump backtraces is disabled, run the
+    following command:
+    <pre>$ grep ProcessSizeMax /etc/systemd/coredump.conf</pre>
+    The output should be:
+    <pre>ProcessSizeMax=0</pre>
+
+warnings:
+    - general: |-
+        If the <tt>/etc/systemd/coredump.conf</tt> file
+        does not already contain the <tt>[Coredump]</tt> section,
+        the value will not be configured correctly.

linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/ansible/shared.yml

@@ -0,0 +1,11 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+{{{
+ansible_coredump_config_set(
+   parameter="Storage",
+   value="none"
+)
+}}}

linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/bash/shared.sh

@@ -0,0 +1,9 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+. /usr/share/scap-security-guide/remediation_functions
+include_lineinfile
+
+coredump_config_set Storage none

linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/oval/shared.xml

@@ -0,0 +1,7 @@
+{{{
+oval_coredump_config_set(
+    parameter="Storage",
+    value="none",
+    missing_parameter_pass=false
+    )
+}}}

linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/rule.yml

@@ -0,0 +1,35 @@
+documentation_complete: true
+
+title: 'Disable storing core dump'
+
+description: |-
+    The <tt>Storage</tt> option in <tt>[Coredump]</tt> section
+    of <tt>/etc/systemd/coredump.conf</tt>
+    can be set to <tt>none</tt> to disable storing core dumps permanently.
+
+rationale: |-
+    A core dump includes a memory image taken at the time the operating system
+    terminates an application. The memory image could contain sensitive data
+    and is generally useful only for developers trying to debug problems.
+
+severity: unknown
+
+identifiers:
+    cce@rhel8: 82252-8
+
+references:
+    ospp: FMT_SMF_EXT.1
+
+ocil_clause: Storage is not set to none
+
+ocil: |-
+    To verify that storing core dumps are disabled, run the following command:
+    <pre>$ grep Storage /etc/systemd/coredump.conf</pre>
+    The output should be:
+    <pre>Storage=none</pre>
+
+warnings:
+    - general: |-
+        If the <tt>/etc/systemd/coredump.conf</tt> file
+        does not already contain the <tt>[Coredump]</tt> section,
+        the value will not be configured correctly.

linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml

@@ -0,0 +1,35 @@
+documentation_complete: true
+
+prodtype: rhel8,fedora,ol8
+
+title: 'Disable acquiring, saving, and processing core dumps'
+
+description: |-
+    The <tt>systemd-coredump.socket</tt> unit is a socket activation of
+    the <tt>systemd-coredump@.service</tt> which processes core dumps.
+    By masking the unit, core dump processing is disabled.
+
+rationale: |-
+    A core dump includes a memory image taken at the time the operating system
+    terminates an application. The memory image could contain sensitive data
+    and is generally useful only for developers trying to debug problems.
+
+severity: unknown
+
+identifiers:
+    cce@rhel8: 82881-4
+
+references:
+    ospp: FMT_SMF_EXT.1
+
+ocil_clause: unit systemd-coredump.socket is not masked or running
+
+ocil: |-
+    To verify that acquiring, saving, and processing core dumps is disabled, run the
+    following command:
+    <pre>$ systemctl status systemd-coredump.socket</pre>
+    The output should be similar to:
+    <pre>● systemd-coredump.socket
+       Loaded: masked (Reason: Unit systemd-coredump.socket is masked.)
+       Active: inactive (dead) ...
+    </pre>

ol8/profiles/ospp.profile

@@ -47,6 +47,9 @@ selections:
     - sysctl_kernel_unprivileged_bpf_disabled
     - sysctl_net_core_bpf_jit_harden
     - sysctl_kernel_core_pattern
+    - coredump_disable_storage
+    - coredump_disable_backtraces
+    - service_systemd-coredump_disabled
     - dconf_db_up_to_date
     - dconf_gnome_screensaver_idle_activation_enabled
     - dconf_gnome_screensaver_idle_delay

rhel8/profiles/ospp.profile

@@ -896,9 +896,9 @@ selections:
 
     ## Disable storing core dumps
     - sysctl_kernel_core_pattern
-    #sed -i "/^#Storage/s/#Storage=external/Storage=none/" /etc/systemd/coredump.conf
-    #sed -i "/^#ProcessSize/s/#ProcessSizeMax=2G/ProcessSizeMax=0/" /etc/systemd/coredump.conf
-    #systemctl mask systemd-coredump.socket
+    - coredump_disable_storage
+    - coredump_disable_backtraces
+    - service_systemd-coredump_disabled
     #systemctl mask kdump.service
 
     #################################################################

rhel8/templates/csv/services_disabled.csv

@@ -2,3 +2,4 @@
 sshd,openssh-server,
 sssd,,
 debug-shell,systemd,
+systemd-coredump,systemd,

shared/bash_remediation_functions/include_lineinfile.sh

@@ -156,3 +156,10 @@ function auditd_config_set() {
 
     set_config_file "/etc/audit/auditd.conf" "$parameter" "$value" "true" "" "" "true" " = " "\s*=\s*"
 }
+
+function coredump_config_set() {
+    local parameter="$1"
+    local value="$2"
+
+    set_config_file "/etc/systemd/coredump.conf" "$parameter" "$value" "false" "" "" "true" "=" "\s*=\s*"
+}

shared/macros-ansible.jinja

@@ -173,3 +173,14 @@
 {{%- macro ansible_auditd_set(msg='', parameter='', value='') %}}
 {{{ ansible_set_config_file(msg, "/etc/audit/auditd.conf", parameter=parameter, value=value, create="yes", separator=" = ", separator_regex="\s*=\s*") }}}
 {{%- endmacro %}}
+
+{{#
+  High level macro to set a parameter in /etc/systemd/coredump.conf.
+  Parameters:
+  - msg: the name for the Ansible task
+  - parameter: parameter to be set in the configuration file
+  - value: value of the parameter
+#}}
+{{%- macro ansible_coredump_config_set(msg='', parameter='', value='') %}}
+{{{ ansible_set_config_file(msg, "/etc/systemd/coredump.conf", parameter=parameter, value=value, create="no", separator="=", separator_regex="\s*=\s*") }}}
+{{%- endmacro %}}

shared/macros-oval.jinja

@@ -238,6 +238,20 @@
 {{{ oval_check_config_file("/etc/audit/auditd.conf", prefix_regex="^\s*(?i)", parameter=parameter, separator_regex='(?-i)\s*=\s*', value="(?i)"+value+"(?-i)", missing_parameter_pass=missing_parameter_pass, application="auditd", multi_value=multi_value, missing_config_file_fail=missing_config_file_fail) }}}
 {{%- endmacro %}}
 
+{{#
+  High level macro to set a parameter in /etc/systemd/coredump.conf.
+  This function can take five parameters:
+    - parameter (String): The parameter to be checked in the configuration file.
+    - value (String): The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values).
+    - missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
+    - multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
+    - missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system.
+
+#}}
+{{%- macro oval_coredump_config_set(parameter='', value='', missing_parameter_pass=false, multi_value=false, missing_config_file_fail=false) %}}
+{{{ oval_check_config_file("/etc/systemd/coredump.conf", prefix_regex="^\s*(?i)", parameter=parameter, separator_regex='(?-i)\s*=\s*', value="(?i)"+value+"(?-i)", missing_parameter_pass=missing_parameter_pass, application="systemd-coredump", multi_value=multi_value, missing_config_file_fail=missing_config_file_fail, section="Coredump") }}}
+{{%- endmacro %}}
+
 {{#
   High level macro to check if a particular combination of parameter and value in the grub configuration file is set.
   This macro can take five parameters:

shared/references/cce-redhat-avail.txt

@@ -66,8 +66,6 @@ CCE-82246-0
 CCE-82247-8
 CCE-82248-6
 CCE-82250-2
-CCE-82251-0
-CCE-82252-8
 CCE-82253-6
 CCE-82254-4
 CCE-82255-1
@@ -689,7 +687,6 @@ CCE-82877-2
 CCE-82878-0
 CCE-82879-8
 CCE-82880-6
-CCE-82881-4
 CCE-82882-2
 CCE-82883-0
 CCE-82884-8

tests/data/group_system/group_permissions/group_restrictions/group_coredumps/rule_coredump_disable_backtraces/coredumps_processsizemax_0.pass.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+echo ProcessSizeMax=0 >> /etc/systemd/coredump.conf

tests/data/group_system/group_permissions/group_restrictions/group_coredumps/rule_coredump_disable_backtraces/coredumps_processsizemax_default.fail.sh

@@ -0,0 +1,2 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp

tests/data/group_system/group_permissions/group_restrictions/group_coredumps/rule_coredump_disable_backtraces/coredumps_processsizemax_nonzero.fail.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+echo ProcessSizeMax=2G >> /etc/systemd/coredump.conf

tests/data/group_system/group_permissions/group_restrictions/group_coredumps/rule_coredump_disable_storage/coredumps_storage_default.fail.sh

@@ -0,0 +1,2 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp

tests/data/group_system/group_permissions/group_restrictions/group_coredumps/rule_coredump_disable_storage/coredumps_storage_none.pass.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+echo Storage=none >> /etc/systemd/coredump.conf

tests/data/group_system/group_permissions/group_restrictions/group_coredumps/rule_coredump_disable_storage/coredumps_storage_persistent.fail.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+echo Storage=persistent >> /etc/systemd/coredump.conf