Profile Applicability:
• Level 1
Description:
Core dumps store the memory state of a process after a crash, which can contain sensitive information such as passwords, encryption keys, and other private data. Disabling core dump storage prevents this potentially sensitive data from being written to disk.
Rationale:
Disabling core dump storage reduces the risk of sensitive information leakage and limits the exposure of critical data in case of system or application crashes.
Impact:
Pros:
• Protects sensitive data from being written to disk.
• Reduces the risk of information disclosure via core dump files.
Cons:
• Limits post-crash debugging capabilities.
• May hinder forensic analysis during troubleshooting.
Default Value:
Core dump storage may be enabled by default depending on system configuration.
Pre-requisites:
Root or sudo privileges to modify system core dump settings.
Remediation:
Test Plan:
Using Linux command line:
1. Check if core dumps are currently enabled:
sysctl kernel.core_pattern
2. Verify systemd-coredump storage settings (if applicable):
systemctl status systemd-coredump
3. Confirm that core dumps are not stored on disk.
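The three checks above as a POSIX sh audit, added here as an example and not taken from the benchmark. The evaluation functions take the sysctl output and the contents of /etc/systemd/coredump.conf as strings, so the logic can be exercised on captured values; run_live_audit reads the running system only when CORE_AUDIT_LIVE=1 is set. Function names and that variable are my own.

```shell
#!/bin/sh
# Added example (not part of the benchmark): offline evaluation of the
# Test Plan checks. Inputs are strings so the logic can be run on captured
# values; run_live_audit reads the running system.

# Strip an optional "kernel.core_pattern = " prefix so either `sysctl -n`
# output or full `sysctl` output can be passed in.
pattern_value() {
    printf '%s' "$1" | sed 's/^kernel\.core_pattern[[:space:]]*=[[:space:]]*//'
}

# 0 when the pattern discards dumps (the value step 1 of the Implementation
# Plan sets).
core_pattern_discards() {
    case "$(pattern_value "$1")" in
        "|/bin/false"|"|/bin/true") return 0 ;;
        *) return 1 ;;
    esac
}

# 0 when the kernel pipes dumps to systemd-coredump; then coredump.conf
# decides whether anything is written to disk.
core_pattern_uses_systemd() {
    case "$(pattern_value "$1")" in
        "|"*systemd-coredump*) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 when the coredump.conf text in $1 sets Storage=none under [Coredump].
# Commented lines are ignored and the last effective value wins; an absent
# key means systemd's default (external), i.e. dumps are stored.
coredump_storage_is_none() {
    storage=$(printf '%s\n' "$1" | awk '
        /^[ \t]*[#;]/ { next }
        /^\[/ { insec = ($0 == "[Coredump]"); next }
        insec && /^[ \t]*Storage[ \t]*=/ {
            sub(/^[ \t]*Storage[ \t]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); last = $0
        }
        END { print last }')
    [ "$storage" = "none" ]
}

# Overall verdict for step 3: 0 when no dump can reach disk.
# $1 = kernel.core_pattern value, $2 = contents of /etc/systemd/coredump.conf
core_dumps_not_stored() {
    if core_pattern_discards "$1"; then
        return 0
    elif core_pattern_uses_systemd "$1"; then
        coredump_storage_is_none "$2"
    else
        return 1    # a plain path pattern such as core.%p writes a file
    fi
}

# Read-only check of the live system; set CORE_AUDIT_LIVE=1 to run it.
run_live_audit() {
    pattern=$(sysctl -n kernel.core_pattern)
    conf=""
    if [ -r /etc/systemd/coredump.conf ]; then
        conf=$(cat /etc/systemd/coredump.conf)
    fi
    if core_dumps_not_stored "$pattern" "$conf"; then
        echo "PASS: core dumps are not stored (kernel.core_pattern=$pattern)"
    else
        echo "FAIL: core dumps may be written to disk (kernel.core_pattern=$pattern)"
        return 1
    fi
}

if [ "${CORE_AUDIT_LIVE:-0}" = "1" ]; then
    run_live_audit
fi
```

A pattern that pipes to systemd-coredump is treated as conditional on Storage=none, which is why step 2 of the Test Plan matters. Drop-ins under /etc/systemd/coredump.conf.d/ are not read here and would need to be concatenated onto the main file before evaluation.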
Implementation Plan:
Using Linux command line:
1. Disable core dump storage by setting the core pattern to |/bin/false or |/bin/true:
sysctl -w kernel.core_pattern="|/bin/false"
2. Make the change persistent by adding to /etc/sysctl.conf or /etc/sysctl.d/99-disable-coredump.conf:
kernel.core_pattern = |/bin/false
3. Disable systemd-coredump storage if used: edit /etc/systemd/coredump.conf and set:
Storage=none
4. Restart systemd-coredump service:
Backout Plan:
Using Linux command line:
- Re-enable core dump storage by restoring the previous kernel.core_pattern, for example:
sysctl -w kernel.core_pattern=/core/core.%e.%p.%h.%t
- Revert the changes in /etc/sysctl.conf or the systemd-coredump configuration.
- Restart the systemd-coredump service if applicable.
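The Implementation Plan and the Backout Plan above as one script, added here as an example rather than taken from the benchmark. The file edits take their paths as parameters so they can be exercised in a scratch directory; apply_live wires them to the real paths and runs only when CORE_DUMP_APPLY=1 is set. Function names, that variable, the record file /root/core_pattern.previous and the systemd-coredump.socket unit used for the restart step (the page names no restart command) are my assumptions.

```shell
#!/bin/sh
# Added example (not part of the benchmark): the Implementation Plan as
# functions with file paths as parameters, plus the record/restore pair the
# Backout Plan needs. apply_live wires them to the real paths.

# Step 2: persistent sysctl drop-in. $1 = drop-in path.
write_sysctl_dropin() {
    printf 'kernel.core_pattern = |/bin/false\n' > "$1"
}

# Step 3: set Storage=none in a coredump.conf. $1 = conf path.
# Replaces any Storage= line (commented or not) in [Coredump], adds the
# section or key if missing, leaves other sections alone, and is idempotent.
# Writes back via cat so the file's owner and mode are preserved.
set_coredump_storage_none() {
    conf=$1
    [ -f "$conf" ] || : > "$conf"
    grep -q '^\[Coredump\]' "$conf" || printf '\n[Coredump]\n' >> "$conf"
    tmp=$(mktemp)
    awk '
        /^\[/ {
            if (insec && !done) { print "Storage=none"; done = 1 }
            insec = ($0 == "[Coredump]")
        }
        insec && /^[ \t]*[#;]?[ \t]*Storage[ \t]*=/ {
            if (!done) { print "Storage=none"; done = 1 }
            next
        }
        { print }
        END { if (!done) print "Storage=none" }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# Backout support: save the current pattern before changing it, and
# restore it afterwards. $1 = record file; $2 = drop-in to remove.
save_core_pattern() {
    sysctl -n kernel.core_pattern > "$1"
}
restore_core_pattern() {
    sysctl -w "kernel.core_pattern=$(cat "$1")" && rm -f "$2"
}

# Steps 1-4 against the real system (root required). The record path and
# the systemd-coredump.socket unit name are assumptions, not from the page.
apply_live() {
    save_core_pattern /root/core_pattern.previous
    sysctl -w 'kernel.core_pattern=|/bin/false'
    write_sysctl_dropin /etc/sysctl.d/99-disable-coredump.conf
    set_coredump_storage_none /etc/systemd/coredump.conf
    systemctl restart systemd-coredump.socket
}

if [ "${CORE_DUMP_APPLY:-0}" = "1" ]; then
    apply_live
fi
```

Backing out is restore_core_pattern /root/core_pattern.previous /etc/sysctl.d/99-disable-coredump.conf followed by reverting Storage= in coredump.conf by hand, which matches the Backout Plan above.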
References:
CIS Amazon Linux 2 Benchmark v3.0.0
Linux kernel core dump configuration
systemd-coredump Documentation