Kicksecure / security-misc

Kernel Hardening; Protect Linux User Accounts against Brute Force Attacks; Improve Entropy Collection; Strong Linux User Account Separation; Enhances Misc Security Settings - https://www.kicksecure.com/wiki/Security-misc

systemd-coredump #174

Open adrelanos opened 11 months ago

adrelanos commented 11 months ago

In response to

How to even re-enable coredumps as of now? Is this implemented in debug-misc?

I don't want to configure us into a corner and then when somebody asks how to re-enable functionality, nobody knows the answer and it's a major effort to re-enable it.

Maybe not worth disabling coredumps anyhow.

Why not use systemd-coredump from packages.debian.org instead? See this short and nice article on how to use that: https://documentation.suse.com/sles/15-SP2/html/SLES-all/cha-tuning-systemd-coredump.html

Seems pretty sanely implemented at first sight. Core dumps are to be found in this folder: /var/lib/systemd/coredump/

We could leave coredumps enabled by default, harden the permissions of that folder to read access only by root using permission-hardener (if that is possible without breaking systemd-coredump) and then call it a day.

See also /usr/lib/sysctl.d/50-coredump.conf after installing the systemd-coredump package.

cat /usr/lib/sysctl.d/50-coredump.conf | grep --invert-match "#"

kernel.core_pattern=|/lib/systemd/systemd-coredump %P %u %g %s %t 9223372036854775808 %h
kernel.core_pipe_limit=16
fs.suid_dumpable=2

https://www.freedesktop.org/software/systemd/man/latest/systemd-coredump.html
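
An added example (not part of the issue thread or of security-misc) of the checks the comment above implies: it parses sysctl.d-style text for the `kernel.core_pattern` and `fs.suid_dumpable` settings quoted there and tests whether a directory is closed to group and other. The function names are hypothetical, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example (not security-misc code); stat -c assumes GNU coreutils.

# Print the last uncommented value of key $1 from sysctl.d text on stdin.
sysctl_value() {
    awk -v key="$1" '
        /^[ \t]*[#;]/ || !/[=]/ { next }
        { k = $0; sub(/[=].*/, "", k); gsub(/[ \t]/, "", k) }
        k == key { val = $0; sub(/^[^=]*[=][ \t]*/, "", val) }
        END { print val }'
}

# Audit sysctl.d text on stdin: 0 only if dumps go to systemd-coredump and
# setuid dumps are either suppressed or readable by root only.
audit_coredump_conf() {
    conf=$(cat); rc=0
    case $(printf '%s\n' "$conf" | sysctl_value kernel.core_pattern) in
        "|"*/systemd-coredump" "*) echo "ok: core_pattern pipes to systemd-coredump" ;;
        "") echo "warn: kernel.core_pattern is not set here"; rc=1 ;;
        *) echo "warn: dumps bypass systemd-coredump"; rc=1 ;;
    esac
    case $(printf '%s\n' "$conf" | sysctl_value fs.suid_dumpable) in
        2) echo "ok: fs.suid_dumpable=2 (setuid dumps readable by root only)" ;;
        0) echo "ok: fs.suid_dumpable=0 (setuid processes are not dumped)" ;;
        *) echo "warn: fs.suid_dumpable is 1 (debug) or not pinned here"; rc=1 ;;
    esac
    return $rc
}

# 0 if directory $1 is owned by uid $2 (default 0, root) with no group/other
# access, the state proposed above for /var/lib/systemd/coredump/.
dir_owner_only() {
    info=$(stat -c '%a %u' "$1") || return 2
    case ${info% *} in
        *00|0) ;;
        *) echo "warn: $1 mode ${info% *} allows group/other access"; return 1 ;;
    esac
    [ "${info#* }" = "${2:-0}" ] || { echo "warn: $1 owned by uid ${info#* }"; return 1; }
    echo "ok: $1 mode ${info% *}, uid ${info#* }"
}

# Audit a given file and directory, or else the settings quoted above.
if [ $# -gt 0 ]; then
    audit_coredump_conf < "$1" && dir_owner_only "${2:-/var/lib/systemd/coredump}"
else
    printf '%s\n' 'kernel.core_pattern=|/lib/systemd/systemd-coredump %P %u %g %s %t 9223372036854775808 %h' \
        'kernel.core_pipe_limit=16' 'fs.suid_dumpable=2' | audit_coredump_conf
fi
```

Run with a sysctl.d file and, optionally, a directory as arguments; with no arguments it audits the three settings quoted in the comment.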

monsieuremre commented 11 months ago

Consider closing due to the original request being closed.

adrelanos commented 11 months ago

This ticket, as in the original description, is still planned.

Depends: systemd-coredump would be done in kicksecure-meta-package, not in security-misc.