
1.5.4 Ensure core dumps are restricted

Audit

Run the following commands and verify output matches:

# grep -Es '^(\*|\s).*hard.*core.*(\s+#.*)?$' /etc/security/limits.conf /etc/security/limits.d/*
* hard core 0

# sysctl fs.suid_dumpable
fs.suid_dumpable = 0

# grep "fs.suid_dumpable" /etc/sysctl.conf /etc/sysctl.d/*
fs.suid_dumpable = 0

Run the following command to check if systemd-coredump is installed:

# systemctl is-enabled coredump.service

If enabled, masked, or disabled is returned, systemd-coredump is installed.

Remediation

Add the following line to /etc/security/limits.conf or a /etc/security/limits.d/* file:

* hard core 0

Set the following parameter in /etc/sysctl.conf or a /etc/sysctl.d/* file:

fs.suid_dumpable = 0

Run the following command to set the active kernel parameter:

# sysctl -w fs.suid_dumpable=0

If systemd-coredump is installed, edit /etc/systemd/coredump.conf and add or modify the following lines:

Storage=none
ProcessSizeMax=0

Run the command:

systemctl daemon-reload
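The following is an added shell helper, not part of the benchmark text, that applies the Audit section's three file-based checks to explicit paths, so it can be pointed at the real files after the remediation above or, as here, at constructed samples. Its patterns are stricter than the benchmark's grep: only a line that actually sets the restricted value counts, so a stray `* hard core unlimited` is reported as a failure instead of being matched.

```shell
#!/bin/sh
# Added audit helper (not from the benchmark). Each check takes the file(s) to
# inspect as arguments, e.g. /etc/security/limits.conf /etc/security/limits.d/*,
# /etc/sysctl.conf /etc/sysctl.d/*, and /etc/systemd/coredump.conf.

# 0 if any listed limits file contains "* hard core 0" (trailing comment allowed).
limits_core_restricted() {
    grep -Eqs '^\*[[:space:]]+hard[[:space:]]+core[[:space:]]+0[[:space:]]*(#.*)?$' "$@"
}

# 0 if any listed sysctl file sets fs.suid_dumpable = 0.
sysctl_conf_restricted() {
    grep -Eqs '^[[:space:]]*fs\.suid_dumpable[[:space:]]*=[[:space:]]*0[[:space:]]*(#.*)?$' "$@"
}

# 0 if the given coredump.conf sets both Storage=none and ProcessSizeMax=0.
coredump_conf_restricted() {
    grep -Eqs '^[[:space:]]*Storage[[:space:]]*=[[:space:]]*none[[:space:]]*$' "$1" &&
    grep -Eqs '^[[:space:]]*ProcessSizeMax[[:space:]]*=[[:space:]]*0[[:space:]]*$' "$1"
}

# report NAME CMD ARGS...: prints PASS/FAIL for one check and returns its status.
report() {
    name="$1"; shift
    if "$@"; then echo "PASS $name"; return 0; else echo "FAIL $name"; return 1; fi
}

# audit_core_dump_files LIMITS_FILE SYSCTL_FILE COREDUMP_FILE
# Runs all three checks; the return value is the number of failed checks.
audit_core_dump_files() {
    failed=0
    report "limits: * hard core 0" limits_core_restricted "$1" || failed=$((failed + 1))
    report "sysctl: fs.suid_dumpable = 0" sysctl_conf_restricted "$2" || failed=$((failed + 1))
    report "coredump.conf: Storage=none, ProcessSizeMax=0" coredump_conf_restricted "$3" || failed=$((failed + 1))
    return "$failed"
}

# Constructed sample files standing in for the real system files; the sample
# coredump.conf still stores dumps externally, so that check is expected to fail.
demo_dir=$(mktemp -d)
printf '# constructed sample\n* hard core 0\n' > "$demo_dir/limits.conf"
printf 'fs.suid_dumpable = 0\n' > "$demo_dir/sysctl.conf"
printf '[Coredump]\nStorage=external\nProcessSizeMax=0\n' > "$demo_dir/coredump.conf"
rc=0
audit_core_dump_files "$demo_dir/limits.conf" "$demo_dir/sysctl.conf" "$demo_dir/coredump.conf" || rc=$?
echo "failed checks: $rc"
rm -rf "$demo_dir"
```

The file checks cover the persistent configuration only; the running kernel value is still confirmed with `sysctl fs.suid_dumpable` as in the Audit section.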