summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--puppet/services/kernel.yaml2
-rw-r--r--releasenotes/notes/disable-core-dump-for-setuid-programs-e83a2a5da908b9c3.yaml12
2 files changed, 14 insertions, 0 deletions
diff --git a/puppet/services/kernel.yaml b/puppet/services/kernel.yaml
index ee4c771f..bc4380a5 100644
--- a/puppet/services/kernel.yaml
+++ b/puppet/services/kernel.yaml
@@ -58,5 +58,7 @@ outputs:
value: {get_param: KernelPidMax}
kernel.dmesg_restrict:
value: 1
+ fs.suid_dumpable:
+ value: 0
step_config: |
include ::tripleo::profile::base::kernel
diff --git a/releasenotes/notes/disable-core-dump-for-setuid-programs-e83a2a5da908b9c3.yaml b/releasenotes/notes/disable-core-dump-for-setuid-programs-e83a2a5da908b9c3.yaml
new file mode 100644
index 00000000..3168a549
--- /dev/null
+++ b/releasenotes/notes/disable-core-dump-for-setuid-programs-e83a2a5da908b9c3.yaml
@@ -0,0 +1,12 @@
+---
+upgrade:
+ - |
+ The fs.suid_dumpable kernel parameter is now explicitly set to 0 to prevent
+ exposing sensitive data through core dumps of processes with elevated
+ permissions. Deployments that set or depend on non-zero values for
+ fs.suid_dumpable may be affected by upgrading.
+security:
+ - |
+ Explicitly disable core dump for setuid programs by setting
+ fs.suid_dumpable = 0, this will descrease the risk of unauthorized access
+ of core dump file generated by setuid program.