Merge pull request #17 from madaidan/patch-13

Disable coredumps
2024-10-01 08:25:45 -04:00 · 2019-06-30 08:10:28 +00:00 · 2019-06-30 08:10:28 +00:00 · ec78a3e42e
commit ec78a3e42e
parent 9525ff87c6 67de5247c8
5 changed files with 11 additions and 0 deletions
--- a/debian/control
+++ b/debian/control
@ -110,5 +110,7 @@ Description: enhances misc security settings
 .
 IOMMU is enabled with a boot parameter to prevent DMA attacks.
 .
+ Coredumps are disabled as they may contain important information such as encryption keys or passwords.
+ .
 A systemd service mounts /proc with hidepid=2 at boot to prevent users from seeing each other's processes.
 .
--- a/etc/security/limits.d/disable-coredumps.conf
+++ b/etc/security/limits.d/disable-coredumps.conf
@ -0,0 +1,2 @@
+# Disable coredumps.
+* hard core 0
--- a/etc/sysctl.d/coredumps.conf
+++ b/etc/sysctl.d/coredumps.conf
@ -0,0 +1,3 @@
+# Disables coredumps. This setting may be overwritten by systemd so this may not be useful.
+# security-misc also disables coredumps in other ways.
+kernel.core_pattern=|/bin/false
--- a/etc/sysctl.d/suid_dumpable.conf
+++ b/etc/sysctl.d/suid_dumpable.conf
@ -0,0 +1,2 @@
+# Prevent setuid processes from creating coredumps.
+fs.suid_dumpable=0
--- a/lib/systemd/system/coredump.conf.d/disable-coredumps.conf
+++ b/lib/systemd/system/coredump.conf.d/disable-coredumps.conf
@ -0,0 +1,2 @@
+[Coredump]
+Storage=none