| author | zshi <zshi@redhat.com> | 2017-03-28 14:18:52 +0800 |
|---|---|---|
| committer | zshi <zshi@redhat.com> | 2017-03-28 14:18:52 +0800 |
| commit | 4483378fec94ab3af9ad12e66bc6bc8697a673c6 (patch) | |
| tree | 189c8f369d66db290d6a72115f7ad214e2646601 /puppet/services | |
| parent | 0e76a20cae6008ae5cf13e7a1d87de154f6e0c40 (diff) | |
Disable core dump for setuid programs
The core dump of a setuid program is more likely
to contain sensitive data, as the program itself
runs with greater privileges than the user who
initiated execution of the program. Disabling the
ability for any setuid program to write a core
file decreases the risk of unauthorized access of
such data.
This change sets core dump for setuid programs
to '0'.
Change-Id: Ib05d993c1bb59b59c784e438f805733f636c743d
Signed-off-by: zshi <zshi@redhat.com>
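As an added example (not code from this commit or from the tripleo-heat-templates project), a small drift check that reads the sysctl keys declared in a kernel.yaml-style fragment and compares them with the values a host reports, so the hardening the commit describes can be verified after deployment. The YAML fragment and the host snapshot below are constructed; the kernel.pid_max entry is included only to show how a `{get_param: ...}` value is skipped.

```python
"""Compare sysctl values declared in a TripleO-style kernel.yaml block
with the values a host actually runs (read from /proc/sys)."""
import re
from pathlib import Path

# Constructed fragment mirroring the two-level shape of kernel.yaml:
#   <sysctl.key>:
#     value: <literal or {get_param: ...}>
KERNEL_YAML = """\
    kernel.dmesg_restrict:
      value: 1
    fs.suid_dumpable:
      value: 0
    kernel.pid_max:
      value: {get_param: KernelPidMax}
"""

def parse_sysctl_block(text):
    """Return {sysctl_key: value} for literal values. Entries whose value is
    a Heat intrinsic such as {get_param: ...} are skipped: they cannot be
    resolved without the template parameters."""
    wanted, key = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*([a-z0-9_.]+):\s*$", line)
        if m:                       # a sysctl key line, e.g. fs.suid_dumpable:
            key = m.group(1)
            continue
        m = re.match(r"\s*value:\s*(.+?)\s*$", line)
        if m and key is not None and not m.group(1).startswith("{"):
            wanted[key] = m.group(1)
        key = None
    return wanted

def read_live(key, root=Path("/proc/sys")):
    """Read the running value of a sysctl key (dots map to path separators)."""
    return root.joinpath(*key.split(".")).read_text().strip()

def drift(wanted, live_lookup):
    """Return {key: (expected, actual)} for every key whose live value differs."""
    return {k: (v, live_lookup(k)) for k, v in wanted.items()
            if live_lookup(k) != v}

# Constructed host snapshot: something on the host has raised suid_dumpable.
LIVE_SNAPSHOT = {"kernel.dmesg_restrict": "1", "fs.suid_dumpable": "2"}

if __name__ == "__main__":
    # Replace LIVE_SNAPSHOT.__getitem__ with read_live to audit a real host.
    for k, (exp, act) in drift(parse_sysctl_block(KERNEL_YAML),
                               LIVE_SNAPSHOT.__getitem__).items():
        print(f"DRIFT {k}: template={exp} host={act}")
```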
Diffstat (limited to 'puppet/services')
-rw-r--r-- | puppet/services/kernel.yaml | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/puppet/services/kernel.yaml b/puppet/services/kernel.yaml index ee4c771f..bc4380a5 100644 --- a/puppet/services/kernel.yaml +++ b/puppet/services/kernel.yaml @@ -58,5 +58,7 @@ outputs: value: {get_param: KernelPidMax} kernel.dmesg_restrict: value: 1 + fs.suid_dumpable: + value: 0 step_config: | include ::tripleo::profile::base::kernel |
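Review bot: the new `fs.suid_dumpable:` / `value: 0` entry carries none of the rationale given in the commit message, unlike a reader of the template would expect next to a hardening knob; add a short YAML comment above the key (for example `# setuid cores are likely to hold privileged memory; never write them`) so the intent survives in the file, and since this value is applied through the same `::tripleo::profile::base::kernel` include as `kernel.dmesg_restrict`, it is worth confirming during review that nothing applied later on the host sets the key back to a non-zero value.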