From 4483378fec94ab3af9ad12e66bc6bc8697a673c6 Mon Sep 17 00:00:00 2001
From: zshi
Date: Tue, 28 Mar 2017 14:18:52 +0800
Subject: Disable core dump for setuid programs

The core dump of a setuid program is more likely to contain sensitive data, as the program itself runs with greater privileges than the user who initiated execution of the program. Disabling the ability for any setuid program to write a core file decreases the risk of unauthorized access of such data. This change sets core dump for setuid programs to '0'.

Change-Id: Ib05d993c1bb59b59c784e438f805733f636c743d
Signed-off-by: zshi
---
 puppet/services/kernel.yaml | 2 ++
 ...sable-core-dump-for-setuid-programs-e83a2a5da908b9c3.yaml | 12 ++++++++++++
 2 files changed, 14 insertions(+)
 create mode 100644 releasenotes/notes/disable-core-dump-for-setuid-programs-e83a2a5da908b9c3.yaml
diff --git a/puppet/services/kernel.yaml b/puppet/services/kernel.yaml
index ee4c771f..bc4380a5 100644
--- a/puppet/services/kernel.yaml
+++ b/puppet/services/kernel.yaml
@@ -58,5 +58,7 @@ outputs:
 value: {get_param: KernelPidMax}
 kernel.dmesg_restrict:
 value: 1
+ fs.suid_dumpable:
+ value: 0
 step_config: |
 include ::tripleo::profile::base::kernel
diff --git a/releasenotes/notes/disable-core-dump-for-setuid-programs-e83a2a5da908b9c3.yaml b/releasenotes/notes/disable-core-dump-for-setuid-programs-e83a2a5da908b9c3.yaml
new file mode 100644
index 00000000..3168a549
--- /dev/null
+++ b/releasenotes/notes/disable-core-dump-for-setuid-programs-e83a2a5da908b9c3.yaml
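Review bot: The new `fs.suid_dumpable` entry in puppet/services/kernel.yaml has no comment saying what the value 0 covers and what it leaves alone. The sysctl only governs processes that changed credentials or whose binary is not readable; ordinary core dumps are still controlled by RLIMIT_CORE and `kernel.core_pattern`, so the setting does not disable core files in general. I would add a comment above the key such as `# 0: never dump processes that changed credentials; other core dumps still follow RLIMIT_CORE / kernel.core_pattern`. The value is also fixed in the template, unlike `kernel.pid_max` just above, which reads `KernelPidMax`; a deployment that relies on a non-zero value with a piped core handler appears to have no parameter to override it, although the rest of the `outputs` section is outside the hunk.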
@@ -0,0 +1,12 @@
+---
+upgrade:
+ - |
+ The fs.suid_dumpable kernel parameter is now explicitly set to 0 to prevent
+ exposing sensitive data through core dumps of processes with elevated
+ permissions. Deployments that set or depend on non-zero values for
+ fs.suid_dumpable may be affected by upgrading.
+security:
+ - |
+ Explicitly disable core dump for setuid programs by setting
+ fs.suid_dumpable = 0, this will descrease the risk of unauthorized access
+ of core dump file generated by setuid program.
--
cgit 1.2.3-korg