diff options
| -rw-r--r-- | puppet/services/kernel.yaml | 2 | ||||
| -rw-r--r-- | releasenotes/notes/disable-core-dump-for-setuid-programs-e83a2a5da908b9c3.yaml | 12 |
2 files changed, 14 insertions, 0 deletions
diff --git a/puppet/services/kernel.yaml b/puppet/services/kernel.yaml index ee4c771f..bc4380a5 100644 --- a/puppet/services/kernel.yaml +++ b/puppet/services/kernel.yaml @@ -58,5 +58,7 @@ outputs: value: {get_param: KernelPidMax} kernel.dmesg_restrict: value: 1 + fs.suid_dumpable: + value: 0 step_config: | include ::tripleo::profile::base::kernel diff --git a/releasenotes/notes/disable-core-dump-for-setuid-programs-e83a2a5da908b9c3.yaml b/releasenotes/notes/disable-core-dump-for-setuid-programs-e83a2a5da908b9c3.yaml new file mode 100644 index 00000000..3168a549 --- /dev/null +++ b/releasenotes/notes/disable-core-dump-for-setuid-programs-e83a2a5da908b9c3.yaml @@ -0,0 +1,12 @@ +--- +upgrade: + - | + The fs.suid_dumpable kernel parameter is now explicitly set to 0 to prevent + exposing sensitive data through core dumps of processes with elevated + permissions. Deployments that set or depend on non-zero values for + fs.suid_dumpable may be affected by upgrading. +security: + - | + Explicitly disable core dump for setuid programs by setting + fs.suid_dumpable = 0, this will descrease the risk of unauthorized access + of core dump file generated by setuid program. |