author zshi <zshi@redhat.com> 2017-03-28 14:18:52 +0800
committer zshi <zshi@redhat.com> 2017-03-28 14:18:52 +0800
commit 4483378fec94ab3af9ad12e66bc6bc8697a673c6 (patch)
tree 189c8f369d66db290d6a72115f7ad214e2646601 /puppet/services
parent 0e76a20cae6008ae5cf13e7a1d87de154f6e0c40 (diff)
Disable core dump for setuid programs
The core dump of a setuid program is more likely to contain sensitive data, as the program itself runs with greater privileges than the user who initiated execution of the program. Disabling the ability for any setuid program to write a core file decreases the risk of unauthorized access to such data. This change sets core dump for setuid programs to '0'.

Change-Id: Ib05d993c1bb59b59c784e438f805733f636c743d
Signed-off-by: zshi <zshi@redhat.com>
Diffstat (limited to 'puppet/services')
-rw-r--r-- puppet/services/kernel.yaml 2
1 file changed, 2 insertions, 0 deletions
diff --git a/puppet/services/kernel.yaml b/puppet/services/kernel.yaml
index ee4c771f..bc4380a5 100644
--- a/puppet/services/kernel.yaml
+++ b/puppet/services/kernel.yaml
@@ -58,5 +58,7 @@ outputs:
value: {get_param: KernelPidMax}
kernel.dmesg_restrict:
value: 1
+ fs.suid_dumpable:
+ value: 0
step_config: |
include ::tripleo::profile::base::kernel
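Review bot: the commit message should say that 0 is already the kernel's default for `fs.suid_dumpable`, so this hunk pins the hardened value rather than changing behaviour on a stock node; the value it matters for is any host where a debugging or crash-reporting tool has raised the setting to 1 or 2, which the kernel profile's sysctl run will now revert. Worth also stating that, like `kernel.dmesg_restrict: 1` directly above it, this only takes effect once the profile is applied (via `include ::tripleo::profile::base::kernel` in `step_config`), so existing deployments need the profile re-run to receive it.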