V-38675: Restrict core dumps

Change-Id: I33541ce7f53997fc552e38135d3caca286ebdbb7
Major Hayden 2015-10-09 15:21:39 -05:00
parent 15159ff146
commit a3ff0589d2
3 changed files with 23 additions and 0 deletions

@ -206,3 +206,8 @@ postfix_inet_interfaces: localhost # V-38622
# variable to 'yes'. See the documentation for V-38546 before making this # variable to 'yes'. See the documentation for V-38546 before making this
# change. # change.
disable_ipv6: no # V-38546 disable_ipv6: no # V-38546
## Core dumps
# V-38675 requires disabling core dumps for all users unless absolutely
# necessary. Set this variable to 'no' to skip this change.
disable_core_dumps: yes # V-38675

@ -0,0 +1,8 @@
Ubuntu doesn't restrict core dumps by default, but the STIG requires that core
dumps are disabled for all users unless absolutely necessary.
To opt-out of this change, set the following Ansible variable to ``no``:
.. code-block:: yaml
disable_core_dumps: no
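Review bot: The new documentation does not say what the role actually changes, so an operator cannot verify or undo it. Name the file and line the task manages (`/etc/security/limits.d/V-38675-coredump.conf`, `* hard core 0`), and state that the task only adds the line: switching the variable to `no` on a host where the role already ran leaves the limit in place until that file is removed.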

@ -109,6 +109,16 @@
- cat3 - cat3
- V-38624 - V-38624
- name: V-38675 - Process core dump must be disabled
lineinfile:
dest: /etc/security/limits.d/V-38675-coredump.conf
line: "* hard core 0"
create: yes
when: disable_core_dumps is defined
tags:
- cat3
- V-38675
- name: V-38684 - Maximum simultaneous logins per user - name: V-38684 - Maximum simultaneous logins per user
lineinfile: lineinfile:
dest: /etc/security/limits.d/V-38684-maxlogins.conf dest: /etc/security/limits.d/V-38684-maxlogins.conf
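Review bot: The condition `when: disable_core_dumps is defined` on the new V-38675 task checks only that the variable exists, not its value, so the documented opt-out of `disable_core_dumps: no` still writes `* hard core 0`, because the defaults file always defines the variable. Test the value instead, for example `when: disable_core_dumps | bool`, so that `no` skips the task as the defaults comment and the docs promise.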