diff --git a/fedora/profiles/ospp.profile b/fedora/profiles/ospp.profile
index 12792903d36a..1d31d2f402f1 100644
--- a/fedora/profiles/ospp.profile
+++ b/fedora/profiles/ospp.profile
@@ -48,6 +48,9 @@ selections:
 - sysctl_kernel_unprivileged_bpf_disabled
 - sysctl_net_core_bpf_jit_harden
 - sysctl_kernel_core_pattern
+ - coredump_disable_storage
+ - coredump_disable_backtraces
+ - service_systemd-coredump_disabled
 - dconf_db_up_to_date
 - dconf_gnome_screensaver_idle_activation_enabled
 - dconf_gnome_screensaver_idle_delay
diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/ansible/shared.yml b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/ansible/shared.yml
new file mode 100644
index 000000000000..6eefadfa9de9
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/ansible/shared.yml
@@ -0,0 +1,11 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+{{{
+ansible_coredump_config_set(
+ parameter="ProcessSizeMax",
+ value="0"
+)
+}}}
diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/bash/shared.sh b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/bash/shared.sh
new file mode 100644
index 000000000000..5c168d9f411f
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/bash/shared.sh
@@ -0,0 +1,9 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+. /usr/share/scap-security-guide/remediation_functions
+include_lineinfile
+
+coredump_config_set ProcessSizeMax 0 
diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/oval/shared.xml b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/oval/shared.xml
new file mode 100644
index 000000000000..64d2d0088fbc
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/oval/shared.xml
@@ -0,0 +1,7 @@
+{{{
+oval_coredump_config_set(
+ parameter="ProcessSizeMax",
+ value="0",
+ missing_parameter_pass=false
+ )
+}}}
diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/rule.yml
new file mode 100644
index 000000000000..d472f40a33cb
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/rule.yml
@@ -0,0 +1,38 @@
+documentation_complete: true
+
+title: 'Disable core dump backtraces'
+
+description: |-
+ The ProcessSizeMax option in [Coredump] section
+ of /etc/systemd/coredump.conf
+ specifies the maximum size in bytes of a core which will be processed.
+ Core dumps exceeding this size may be stored, but the backtrace will not
+ be generated.
+
+rationale: |-
+ A core dump includes a memory image taken at the time the operating system
+ terminates an application. The memory image could contain sensitive data
+ and is generally useful only for developers trying to debug problems.
+
+severity: unknown
+
+identifiers:
+ cce@rhel8: 82251-0
+
+references:
+ ospp: FMT_SMF_EXT.1
+
+ocil_clause: ProcessSizeMax is not set to zero
+
+ocil: |-
+ To verify that logging core dump backtraces is disabled, run the
+ following command:
+
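Review bot: The OVAL in coredump_disable_backtraces/oval/shared.xml sets missing_parameter_pass=false but leaves missing_config_file_fail at the macro default of false, so per the macro's own documentation an absent /etc/systemd/coredump.conf is not treated as a failure. The sed lines removed from rhel8/profiles/ospp.profile show that the built-in defaults in that situation are ProcessSizeMax=2G and Storage=external, which are exactly the states this rule is meant to exclude. Passing `missing_config_file_fail=true` alongside `missing_parameter_pass=false` makes the check pass only when the file exists and carries the value; coredump_disable_storage/oval/shared.xml has the same gap. If the missing-file case is deliberately left to another rule, a one-line comment in the OVAL saying so would stop the next reader from raising this again.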
$ grep ProcessSizeMax /etc/systemd/coredump.conf
+ The output should be: +
ProcessSizeMax=0
+
+warnings:
+ - general: |-
+ If the /etc/systemd/coredump.conf file
+ does not already contain the [Coredump] section,
+ the value will not be configured correctly.
diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/ansible/shared.yml b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/ansible/shared.yml
new file mode 100644
index 000000000000..658bc0d1d875
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/ansible/shared.yml
@@ -0,0 +1,11 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+{{{
+ansible_coredump_config_set(
+ parameter="Storage",
+ value="none"
+)
+}}}
diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/bash/shared.sh b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/bash/shared.sh
new file mode 100644
index 000000000000..63d7cbd3b8d7
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/bash/shared.sh
@@ -0,0 +1,9 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+. /usr/share/scap-security-guide/remediation_functions
+include_lineinfile
+
+coredump_config_set Storage none
diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/oval/shared.xml b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/oval/shared.xml
new file mode 100644
index 000000000000..bc10e3a6f0c3
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/oval/shared.xml
@@ -0,0 +1,7 @@
+{{{
+oval_coredump_config_set(
+ parameter="Storage",
+ value="none",
+ missing_parameter_pass=false
+ )
+}}} 
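Review bot: The ocil command in coredump_disable_backtraces/rule.yml, `grep ProcessSizeMax /etc/systemd/coredump.conf`, also matches commented-out lines, and the sed expression removed from rhel8/profiles/ospp.profile shows the shipped file carries `#ProcessSizeMax=2G`, so on a correctly remediated system the output is two lines rather than the single `ProcessSizeMax=0` the text promises. Anchoring the pattern to active lines, `$ grep '^\s*ProcessSizeMax' /etc/systemd/coredump.conf`, matches what the OVAL macro checks with its `^\s*` prefix regex. The ocil in coredump_disable_storage/rule.yml has the same problem with the shipped `#Storage=external` line.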
diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/rule.yml
new file mode 100644
index 000000000000..b353bcbf3e04
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/rule.yml
@@ -0,0 +1,35 @@
+documentation_complete: true
+
+title: 'Disable storing core dump'
+
+description: |-
+ The Storage option in [Coredump] section
+ of /etc/systemd/coredump.conf
+ can be set to none to disable storing core dumps permanently.
+
+rationale: |-
+ A core dump includes a memory image taken at the time the operating system
+ terminates an application. The memory image could contain sensitive data
+ and is generally useful only for developers trying to debug problems.
+
+severity: unknown
+
+identifiers:
+ cce@rhel8: 82252-8
+
+references:
+ ospp: FMT_SMF_EXT.1
+
+ocil_clause: Storage is not set to none
+
+ocil: |-
+ To verify that storing core dumps are disabled, run the following command:
+
$ grep Storage /etc/systemd/coredump.conf
+ The output should be: +
Storage=none
+
+warnings:
+ - general: |-
+ If the /etc/systemd/coredump.conf file
+ does not already contain the [Coredump] section,
+ the value will not be configured correctly.
diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml
new file mode 100644
index 000000000000..029cf6c8a8f8
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml
@@ -0,0 +1,35 @@
+documentation_complete: true
+
+prodtype: rhel8,fedora,ol8
+
+title: 'Disable acquiring, saving, and processing core dumps'
+
+description: |-
+ The systemd-coredump.socket unit is a socket activation of
+ the systemd-coredump@.service which processes core dumps.
+ By masking the unit, core dump processing is disabled.
+
+rationale: |-
+ A core dump includes a memory image taken at the time the operating system
+ terminates an application. The memory image could contain sensitive data
+ and is generally useful only for developers trying to debug problems.
+
+severity: unknown
+
+identifiers:
+ cce@rhel8: 82881-4
+
+references:
+ ospp: FMT_SMF_EXT.1
+
+ocil_clause: unit systemd-coredump.socket is not masked or running
+
+ocil: |-
+ To verify that acquiring, saving, and processing core dumps is disabled, run the
+ following command:
+
$ systemctl status systemd-coredump.socket
+ The output should be similar to: +
● systemd-coredump.socket
+       Loaded: masked (Reason: Unit systemd-coredump.socket is masked.)
+       Active: inactive (dead) ...
+    
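Review bot: The description says the control is masking `systemd-coredump.socket`, but the only check and fix for this rule comes from the row `systemd-coredump,systemd,` added to rhel8/templates/csv/services_disabled.csv, and the description itself names the service as the templated `systemd-coredump@.service`, so there is no plain `systemd-coredump.service` for a service-disabled check to evaluate; please confirm the services_disabled template (outside this diff) also covers the `.socket` unit, otherwise the generated OVAL may pass or error on a unit that does not exist. prodtype lists rhel8, fedora and ol8 while only the rhel8 CSV gains a row; if fedora and ol8 have their own services_disabled.csv they need the same entry or the rule selected in their ospp profiles has no content. The ocil_clause `unit systemd-coredump.socket is not masked or running` can be read as passing an unmasked but stopped socket; `unit systemd-coredump.socket is not masked` states what the ocil output below actually demonstrates.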
diff --git a/ol8/profiles/ospp.profile b/ol8/profiles/ospp.profile
index ee32e1295b2c..3f45731c4eda 100644
--- a/ol8/profiles/ospp.profile
+++ b/ol8/profiles/ospp.profile
@@ -47,6 +47,9 @@ selections:
 - sysctl_kernel_unprivileged_bpf_disabled
 - sysctl_net_core_bpf_jit_harden
 - sysctl_kernel_core_pattern
+ - coredump_disable_storage
+ - coredump_disable_backtraces
+ - service_systemd-coredump_disabled
 - dconf_db_up_to_date
 - dconf_gnome_screensaver_idle_activation_enabled
 - dconf_gnome_screensaver_idle_delay
diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile
index 112d9fc42daa..fc3f88b71fc1 100644
--- a/rhel8/profiles/ospp.profile
+++ b/rhel8/profiles/ospp.profile
@@ -896,9 +896,9 @@ selections:
 ## Disable storing core dumps
 - sysctl_kernel_core_pattern
- #sed -i "/^#Storage/s/#Storage=external/Storage=none/" /etc/systemd/coredump.conf
- #sed -i "/^#ProcessSize/s/#ProcessSizeMax=2G/ProcessSizeMax=0/" /etc/systemd/coredump.conf
- #systemctl mask systemd-coredump.socket
+ - coredump_disable_storage
+ - coredump_disable_backtraces
+ - service_systemd-coredump_disabled
 #systemctl mask kdump.service
 #################################################################
diff --git a/rhel8/templates/csv/services_disabled.csv b/rhel8/templates/csv/services_disabled.csv
index 8b72f2fbfc70..ec0c142bf6b7 100644
--- a/rhel8/templates/csv/services_disabled.csv
+++ b/rhel8/templates/csv/services_disabled.csv
@@ -2,3 +2,4 @@ sshd,openssh-server,
 sssd,,
 debug-shell,systemd,
+systemd-coredump,systemd,
diff --git a/shared/bash_remediation_functions/include_lineinfile.sh b/shared/bash_remediation_functions/include_lineinfile.sh
index be1de3ad9341..5c3a3040ea5d 100644
--- a/shared/bash_remediation_functions/include_lineinfile.sh
+++ b/shared/bash_remediation_functions/include_lineinfile.sh 
@@ -156,3 +156,10 @@ function auditd_config_set() {
 set_config_file "/etc/audit/auditd.conf" "$parameter" "$value" "true" "" "" "true" " = " "\s*=\s*"
 }
+
+function coredump_config_set() {
+ local parameter="$1"
+ local value="$2"
+
+ set_config_file "/etc/systemd/coredump.conf" "$parameter" "$value" "false" "" "" "true" "=" "\s*=\s*"
+}
diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja
index 42e74ca5759a..4af64682a8f0 100644
--- a/shared/macros-ansible.jinja
+++ b/shared/macros-ansible.jinja
@@ -173,3 +173,14 @@
 {{%- macro ansible_auditd_set(msg='', parameter='', value='') %}}
 {{{ ansible_set_config_file(msg, "/etc/audit/auditd.conf", parameter=parameter, value=value, create="yes", separator=" = ", separator_regex="\s*=\s*") }}}
 {{%- endmacro %}}
+
+{{#
+ High level macro to set a parameter in /etc/systemd/coredump.conf.
+ Parameters:
+ - msg: the name for the Ansible task
+ - parameter: parameter to be set in the configuration file
+ - value: value of the parameter
+#}}
+{{%- macro ansible_coredump_config_set(msg='', parameter='', value='') %}}
+{{{ ansible_set_config_file(msg, "/etc/systemd/coredump.conf", parameter=parameter, value=value, create="no", separator="=", separator_regex="\s*=\s*") }}}
+{{%- endmacro %}}
diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja
index 3a876358be64..0b35727c14d3 100644
--- a/shared/macros-oval.jinja
+++ b/shared/macros-oval.jinja 
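Review bot: coredump_config_set hands the key to set_config_file without checking that /etc/systemd/coredump.conf contains a `[Coredump]` section, whereas the matching OVAL macro added in shared/macros-oval.jinja passes `section="Coredump"`, so on a file without that header the remediation reports success while the check presumably keeps failing; the new rule.yml warnings describe this, but nothing in the fix enforces it. A one-line guard before the set_config_file call closes the gap, assuming set_config_file appends a missing key at the end of the file (its body is outside this hunk): `grep -q '^\s*\[Coredump\]' /etc/systemd/coredump.conf || printf '[Coredump]\n' >> /etc/systemd/coredump.conf`. The ansible_coredump_config_set macro in the same commit has the same gap and would need an equivalent task. A header comment on the function would also help, noting that create is passed as `"false"`, so a missing coredump.conf is left untouched rather than created, unlike auditd_config_set directly above it.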
@@ -238,6 +238,20 @@
 {{{ oval_check_config_file("/etc/audit/auditd.conf", prefix_regex="^\s*(?i)", parameter=parameter, separator_regex='(?-i)\s*=\s*', value="(?i)"+value+"(?-i)", missing_parameter_pass=missing_parameter_pass, application="auditd", multi_value=multi_value, missing_config_file_fail=missing_config_file_fail) }}}
 {{%- endmacro %}}
+{{#
+ High level macro to set a parameter in /etc/systemd/coredump.conf.
+ This function can take five parameters:
+ - parameter (String): The parameter to be checked in the configuration file.
+ - value (String): The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values).
+ - missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied).
+ - multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values.
+ - missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system.
+
+#}}
+{{%- macro oval_coredump_config_set(parameter='', value='', missing_parameter_pass=false, multi_value=false, missing_config_file_fail=false) %}}
+{{{ oval_check_config_file("/etc/systemd/coredump.conf", prefix_regex="^\s*(?i)", parameter=parameter, separator_regex='(?-i)\s*=\s*', value="(?i)"+value+"(?-i)", missing_parameter_pass=missing_parameter_pass, application="systemd-coredump", multi_value=multi_value, missing_config_file_fail=missing_config_file_fail, section="Coredump") }}}
+{{%- endmacro %}}
+
 {{#
 High level macro to check if a particular combination of parameter and value in the grub configuration file is set.
 This macro can take five parameters:
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 92d5d9325130..f582dae58f89 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt 
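Review bot: The doc comment on oval_coredump_config_set opens with `High level macro to set a parameter in /etc/systemd/coredump.conf.`, copied from the Ansible macro, but an OVAL macro only checks; `High level macro to check a parameter in /etc/systemd/coredump.conf.` describes what it does. The `section="Coredump"` argument is the one thing that distinguishes this macro from oval_auditd_config_set directly above it, and it is presumably why a value written outside that section does not satisfy the check, so it deserves a sentence in the comment such as `The parameter must appear under the [Coredump] section; a matching line outside it does not pass.`. Since the value is wrapped in `(?i)` the check is case-insensitive for `none` and `0`, which is worth stating for authors who later add rules with case-sensitive values.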
@@ -66,8 +66,6 @@ CCE-82246-0
 CCE-82247-8
 CCE-82248-6
 CCE-82250-2
-CCE-82251-0
-CCE-82252-8
 CCE-82253-6
 CCE-82254-4
 CCE-82255-1
@@ -689,7 +687,6 @@ CCE-82877-2
 CCE-82878-0
 CCE-82879-8
 CCE-82880-6
-CCE-82881-4
 CCE-82882-2
 CCE-82883-0
 CCE-82884-8
diff --git a/tests/data/group_system/group_permissions/group_restrictions/group_coredumps/rule_coredump_disable_backtraces/coredumps_processsizemax_0.pass.sh b/tests/data/group_system/group_permissions/group_restrictions/group_coredumps/rule_coredump_disable_backtraces/coredumps_processsizemax_0.pass.sh
new file mode 100644
index 000000000000..a53b199954c2
--- /dev/null
+++ b/tests/data/group_system/group_permissions/group_restrictions/group_coredumps/rule_coredump_disable_backtraces/coredumps_processsizemax_0.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+echo ProcessSizeMax=0 >> /etc/systemd/coredump.conf
diff --git a/tests/data/group_system/group_permissions/group_restrictions/group_coredumps/rule_coredump_disable_backtraces/coredumps_processsizemax_default.fail.sh b/tests/data/group_system/group_permissions/group_restrictions/group_coredumps/rule_coredump_disable_backtraces/coredumps_processsizemax_default.fail.sh
new file mode 100644
index 000000000000..75a4b2f9f8b8
--- /dev/null
+++ b/tests/data/group_system/group_permissions/group_restrictions/group_coredumps/rule_coredump_disable_backtraces/coredumps_processsizemax_default.fail.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp
diff --git a/tests/data/group_system/group_permissions/group_restrictions/group_coredumps/rule_coredump_disable_backtraces/coredumps_processsizemax_nonzero.fail.sh b/tests/data/group_system/group_permissions/group_restrictions/group_coredumps/rule_coredump_disable_backtraces/coredumps_processsizemax_nonzero.fail.sh
new file mode 100644
index 000000000000..042d49c3622a
--- /dev/null 
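Review bot: coredumps_processsizemax_0.pass.sh appends `ProcessSizeMax=0` to the end of the file and silently relies on the shipped coredump.conf already holding the `[Coredump]` header that the OVAL macro's `section="Coredump"` requires; that assumption is not stated in the scenario and will break quietly if a base image ships an empty or stripped file. Two extra scenarios would pin the section semantics explicitly: a fail case with the key present but placed before or outside `[Coredump]`, and a pass case that writes `[Coredump]` to a fresh file before the key. The same applies to coredumps_storage_none.pass.sh for the storage rule.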
+++ b/tests/data/group_system/group_permissions/group_restrictions/group_coredumps/rule_coredump_disable_backtraces/coredumps_processsizemax_nonzero.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+echo ProcessSizeMax=2G >> /etc/systemd/coredump.conf
diff --git a/tests/data/group_system/group_permissions/group_restrictions/group_coredumps/rule_coredump_disable_storage/coredumps_storage_default.fail.sh b/tests/data/group_system/group_permissions/group_restrictions/group_coredumps/rule_coredump_disable_storage/coredumps_storage_default.fail.sh
new file mode 100644
index 000000000000..75a4b2f9f8b8
--- /dev/null
+++ b/tests/data/group_system/group_permissions/group_restrictions/group_coredumps/rule_coredump_disable_storage/coredumps_storage_default.fail.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp
diff --git a/tests/data/group_system/group_permissions/group_restrictions/group_coredumps/rule_coredump_disable_storage/coredumps_storage_none.pass.sh b/tests/data/group_system/group_permissions/group_restrictions/group_coredumps/rule_coredump_disable_storage/coredumps_storage_none.pass.sh
new file mode 100644
index 000000000000..08dc803e528d
--- /dev/null
+++ b/tests/data/group_system/group_permissions/group_restrictions/group_coredumps/rule_coredump_disable_storage/coredumps_storage_none.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+echo Storage=none >> /etc/systemd/coredump.conf
diff --git a/tests/data/group_system/group_permissions/group_restrictions/group_coredumps/rule_coredump_disable_storage/coredumps_storage_persistent.fail.sh b/tests/data/group_system/group_permissions/group_restrictions/group_coredumps/rule_coredump_disable_storage/coredumps_storage_persistent.fail.sh
new file mode 100644
index 000000000000..8ebcf7a8bb7a
--- /dev/null 
+++ b/tests/data/group_system/group_permissions/group_restrictions/group_coredumps/rule_coredump_disable_storage/coredumps_storage_persistent.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+echo Storage=persistent >> /etc/systemd/coredump.conf