4.1 Restrict Core Dumps - apport

Information

A core dump is the memory of an executable program. It is generally used to determine
why a program aborted. It can also be used to glean confidential information from a core
file. The system provides the ability to set a soft limit for core dumps, but this can be
overridden by the user.

*Rationale*

Setting a hard limit on core dumps prevents users from overriding the soft variable. If core
dumps are required, consider setting limits for user groups (see limits.conf(5)). In
addition, setting the fs.suid_dumpable variable to 0 will prevent setuid programs from
dumping core. The apport service if active will override the fs.suid_dumpable variable
setting and automatically create core dump reports. The whoopsie service monitors apport
core dump reports and transmits them to Canonical.

Solution

Add the following line to the /etc/security/limits.conf file.* hard core 0Add the following line to the /etc/sysctl.conf file.
fs.suid_dumpable = 0Uninstall the apport and whoopsie packages or comment out any start lines in
/etc/init/apport.conf and /etc/init/whoopsie.conf files-#start on runlevel [2345]

See Also

https://workbench.cisecurity.org/files/91

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-7b., CSCv6|9.1

Plugin: Unix

Control ID: 487e35ce7a5044c2e5903adbc590c7efb6e8d58abaa35ee5b71e40b8cc4e14cd