From 3bec75419714986c5a67ec1d25abb26c356ca488 Mon Sep 17 00:00:00 2001 
From: Jan Pazdziora Date: Wed, 24 Jul 2019 16:19:09 +0200 Subject: [PATCH 1/3] Disable storing core dumps. --- fedora/profiles/ospp.profile | 2 ++ .../ansible/shared.yml | 11 +++++++ .../bash/shared.sh | 9 ++++++ .../oval/shared.xml | 7 +++++ .../coredump_disable_backtraces/rule.yml | 31 +++++++++++++++++++ .../ansible/shared.yml | 11 +++++++ .../coredump_disable_storage/bash/shared.sh | 9 ++++++ .../coredump_disable_storage/oval/shared.xml | 7 +++++ .../coredump_disable_storage/rule.yml | 28 +++++++++++++++++ ol8/profiles/ospp.profile | 2 ++ rhel8/profiles/ospp.profile | 4 +-- .../include_lineinfile.sh | 7 +++++ shared/macros-ansible.jinja | 11 +++++++ shared/macros-oval.jinja | 14 +++++++++ shared/references/cce-redhat-avail.txt | 2 -- .../coredumps_processsizemax_0.pass.sh | 4 +++ .../coredumps_processsizemax_default.fail.sh | 2 ++ .../coredumps_processsizemax_nonzero.fail.sh | 4 +++ .../coredumps_storage_default.fail.sh | 2 ++ .../coredumps_storage_none.pass.sh | 4 +++ .../coredumps_storage_persistent.fail.sh | 4 +++ 21 files changed, 171 insertions(+), 4 deletions(-) create mode 100644 linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/ansible/shared.yml create mode 100644 linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/bash/shared.sh create mode 100644 linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/oval/shared.xml create mode 100644 linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/rule.yml create mode 100644 linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/ansible/shared.yml create mode 100644 linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/bash/shared.sh create mode 100644 linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/oval/shared.xml create mode 100644 
linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/rule.yml create mode 100644 tests/data/group_system/group_permissions/group_restrictions/group_coredumps/rule_coredump_disable_backtraces/coredumps_processsizemax_0.pass.sh create mode 100644 tests/data/group_system/group_permissions/group_restrictions/group_coredumps/rule_coredump_disable_backtraces/coredumps_processsizemax_default.fail.sh create mode 100644 tests/data/group_system/group_permissions/group_restrictions/group_coredumps/rule_coredump_disable_backtraces/coredumps_processsizemax_nonzero.fail.sh create mode 100644 tests/data/group_system/group_permissions/group_restrictions/group_coredumps/rule_coredump_disable_storage/coredumps_storage_default.fail.sh create mode 100644 tests/data/group_system/group_permissions/group_restrictions/group_coredumps/rule_coredump_disable_storage/coredumps_storage_none.pass.sh create mode 100644 tests/data/group_system/group_permissions/group_restrictions/group_coredumps/rule_coredump_disable_storage/coredumps_storage_persistent.fail.sh diff --git a/fedora/profiles/ospp.profile b/fedora/profiles/ospp.profile index 12792903d36a..390a92297bfc 100644 --- a/fedora/profiles/ospp.profile +++ b/fedora/profiles/ospp.profile @@ -48,6 +48,8 @@ selections: - sysctl_kernel_unprivileged_bpf_disabled - sysctl_net_core_bpf_jit_harden - sysctl_kernel_core_pattern + - coredump_disable_storage + - coredump_disable_backtraces - dconf_db_up_to_date - dconf_gnome_screensaver_idle_activation_enabled - dconf_gnome_screensaver_idle_delay diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/ansible/shared.yml b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/ansible/shared.yml new file mode 100644 index 000000000000..6eefadfa9de9 --- /dev/null +++ b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/ansible/shared.yml 
@@ -0,0 +1,11 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+{{{
+ansible_coredump_config_set(
+ parameter="ProcessSizeMax",
+ value="0"
+)
+}}}
diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/bash/shared.sh b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/bash/shared.sh
new file mode 100644
index 000000000000..5c168d9f411f
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/bash/shared.sh
@@ -0,0 +1,9 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+. /usr/share/scap-security-guide/remediation_functions
+include_lineinfile
+
+coredump_config_set ProcessSizeMax 0
diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/oval/shared.xml b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/oval/shared.xml
new file mode 100644
index 000000000000..64d2d0088fbc
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/oval/shared.xml
@@ -0,0 +1,7 @@
+{{{
+oval_coredump_config_set(
+ parameter="ProcessSizeMax",
+ value="0",
+ missing_parameter_pass=false
+ )
+}}}
diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/rule.yml
new file mode 100644
index 000000000000..ec26c5d41978
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/rule.yml
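Review bot: Both OVAL calls in this file and the matching `Storage` call in coredump_disable_storage/oval/shared.xml pass `missing_parameter_pass=false` but leave `missing_config_file_fail` at the macro's default of false. When /etc/systemd/coredump.conf is absent, systemd falls back to the defaults the removed sed lines in rhel8/profiles/ospp.profile show (`#Storage=external`, `#ProcessSizeMax=2G`), so a missing file is a non-compliant state rather than a neutral one. If the macro's missing-file handling does what its doc comment in shared/macros-oval.jinja describes, passing `missing_parameter_pass=false, missing_config_file_fail=true` in both calls makes that failure explicit instead of relying on the parameter lookup simply finding nothing.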
@@ -0,0 +1,31 @@ +documentation_complete: true + +title: 'Disable core dump backtraces' + +description: |- + The ProcessSizeMax option in /etc/systemd/coredump.conf + specifies the maximum size in bytes of a core which will be processed. + Core dumps exceeding this size may be stored, but the backtrace will not + be generated. + +rationale: |- + A core dump includes a memory image taken at the time the operating system + terminates an application. The memory image could contain sensitive data + and is generally useful only for developers trying to debug problems. + +severity: unknown + +identifiers: + cce@rhel8: 82251-0 + +references: + ospp: FMT_SMF_EXT.1 + +ocil_clause: ProcessSizeMax is not set to zero + +ocil: |- + To verify that logging core dump backtraces is disabled, run the + following command: +
$ grep ProcessSizeMax /etc/systemd/coredump.conf
+ The output should be: +
ProcessSizeMax=0
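Review bot: The ocil step `$ grep ProcessSizeMax /etc/systemd/coredump.conf` also prints the commented default `#ProcessSizeMax=2G` that the stock file ships with (visible in the sed lines removed from rhel8/profiles/ospp.profile), so the stated expected output `ProcessSizeMax=0` will rarely be the only line an auditor sees; `grep Storage` in coredump_disable_storage/rule.yml has the same problem with `#Storage=external`. Anchoring the pattern to the start of the line, `$ grep '^[[:space:]]*ProcessSizeMax' /etc/systemd/coredump.conf`, matches what the OVAL check (prefix `^\s*`) actually evaluates. The OVAL match is also case-insensitive while grep is not, so the ocil text should say that a differently cased spelling of the key still counts.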
diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/ansible/shared.yml b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/ansible/shared.yml
new file mode 100644
index 000000000000..658bc0d1d875
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/ansible/shared.yml
@@ -0,0 +1,11 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+{{{
+ansible_coredump_config_set(
+ parameter="Storage",
+ value="none"
+)
+}}}
diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/bash/shared.sh b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/bash/shared.sh
new file mode 100644
index 000000000000..63d7cbd3b8d7
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/bash/shared.sh
@@ -0,0 +1,9 @@
+# platform = multi_platform_all
+# reboot = false
+# strategy = restrict
+# complexity = low
+# disruption = low
+. /usr/share/scap-security-guide/remediation_functions
+include_lineinfile
+
+coredump_config_set Storage none
diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/oval/shared.xml b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/oval/shared.xml
new file mode 100644
index 000000000000..bc10e3a6f0c3
--- /dev/null
+++ b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/oval/shared.xml
@@ -0,0 +1,7 @@
+{{{
+oval_coredump_config_set(
+ parameter="Storage",
+ value="none",
+ missing_parameter_pass=false
+ )
+}}}
diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/rule.yml
new file mode 100644
index 000000000000..f57511c1a0c0
--- /dev/null +++ b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/rule.yml @@ -0,0 +1,28 @@ +documentation_complete: true + +title: 'Disable storing core dump' + +description: |- + The Storage option in /etc/systemd/coredump.conf + can be set to none to disable storing core dumps permanently. + +rationale: |- + A core dump includes a memory image taken at the time the operating system + terminates an application. The memory image could contain sensitive data + and is generally useful only for developers trying to debug problems. + +severity: unknown + +identifiers: + cce@rhel8: 82252-8 + +references: + ospp: FMT_SMF_EXT.1 + +ocil_clause: Storage is not set to none + +ocil: |- + To verify that storing core dumps are disabled, run the following command: +
$ grep Storage /etc/systemd/coredump.conf
+ The output should be: +
Storage=none
diff --git a/ol8/profiles/ospp.profile b/ol8/profiles/ospp.profile index ee32e1295b2c..877c34a81615 100644 --- a/ol8/profiles/ospp.profile +++ b/ol8/profiles/ospp.profile @@ -47,6 +47,8 @@ selections: - sysctl_kernel_unprivileged_bpf_disabled - sysctl_net_core_bpf_jit_harden - sysctl_kernel_core_pattern + - coredump_disable_storage + - coredump_disable_backtraces - dconf_db_up_to_date - dconf_gnome_screensaver_idle_activation_enabled - dconf_gnome_screensaver_idle_delay diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile index 112d9fc42daa..522242a776a9 100644 --- a/rhel8/profiles/ospp.profile +++ b/rhel8/profiles/ospp.profile @@ -896,8 +896,8 @@ selections: ## Disable storing core dumps - sysctl_kernel_core_pattern - #sed -i "/^#Storage/s/#Storage=external/Storage=none/" /etc/systemd/coredump.conf - #sed -i "/^#ProcessSize/s/#ProcessSizeMax=2G/ProcessSizeMax=0/" /etc/systemd/coredump.conf + - coredump_disable_storage + - coredump_disable_backtraces #systemctl mask systemd-coredump.socket #systemctl mask kdump.service diff --git a/shared/bash_remediation_functions/include_lineinfile.sh b/shared/bash_remediation_functions/include_lineinfile.sh index be1de3ad9341..25be274ddd3d 100644 --- a/shared/bash_remediation_functions/include_lineinfile.sh +++ b/shared/bash_remediation_functions/include_lineinfile.sh @@ -156,3 +156,10 @@ function auditd_config_set() { set_config_file "/etc/audit/auditd.conf" "$parameter" "$value" "true" "" "" "true" " = " "\s*=\s*" } + +function coredump_config_set() { + local parameter="$1" + local value="$2" + + set_config_file "/etc/systemd/coredump.conf" "$parameter" "$value" "true" "" "" "true" "=" "\s*=\s*" +} diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja index 42e74ca5759a..ad9cfc210923 100644 --- a/shared/macros-ansible.jinja +++ b/shared/macros-ansible.jinja 
@@ -173,3 +173,14 @@ {{%- macro ansible_auditd_set(msg='', parameter='', value='') %}} {{{ ansible_set_config_file(msg, "/etc/audit/auditd.conf", parameter=parameter, value=value, create="yes", separator=" = ", separator_regex="\s*=\s*") }}} {{%- endmacro %}} + +{{# + High level macro to set a parameter in /etc/systemd/coredump.conf. + Parameters: + - msg: the name for the Ansible task + - parameter: parameter to be set in the configuration file + - value: value of the parameter +#}} +{{%- macro ansible_coredump_config_set(msg='', parameter='', value='') %}} +{{{ ansible_set_config_file(msg, "/etc/systemd/coredump.conf", parameter=parameter, value=value, create="yes", separator="=", separator_regex="\s*=\s*") }}} +{{%- endmacro %}} diff --git a/shared/macros-oval.jinja b/shared/macros-oval.jinja index 3a876358be64..0b35727c14d3 100644 --- a/shared/macros-oval.jinja +++ b/shared/macros-oval.jinja 
@@ -238,6 +238,20 @@ {{{ oval_check_config_file("/etc/audit/auditd.conf", prefix_regex="^\s*(?i)", parameter=parameter, separator_regex='(?-i)\s*=\s*', value="(?i)"+value+"(?-i)", missing_parameter_pass=missing_parameter_pass, application="auditd", multi_value=multi_value, missing_config_file_fail=missing_config_file_fail) }}} {{%- endmacro %}} +{{# + High level macro to set a parameter in /etc/systemd/coredump.conf. + This function can take five parameters: + - parameter (String): The parameter to be checked in the configuration file. + - value (String): The value to be checked. This can also be a regular expression (e.g: value1|value2 can match both values). + - missing_parameter_pass (boolean): If set, the check will also pass if the parameter is not present in the configuration file (default is applied). + - multi_value (boolean): If set, it means that the parameter can accept multiple values and the expected value must be present in the current list of values. + - missing_config_file_fail (boolean): If set, the check will fail if the configuration is not existent in the system. + +#}} +{{%- macro oval_coredump_config_set(parameter='', value='', missing_parameter_pass=false, multi_value=false, missing_config_file_fail=false) %}} +{{{ oval_check_config_file("/etc/systemd/coredump.conf", prefix_regex="^\s*(?i)", parameter=parameter, separator_regex='(?-i)\s*=\s*', value="(?i)"+value+"(?-i)", missing_parameter_pass=missing_parameter_pass, application="systemd-coredump", multi_value=multi_value, missing_config_file_fail=missing_config_file_fail, section="Coredump") }}} +{{%- endmacro %}} + {{# High level macro to check if a particular combination of parameter and value in the grub configuration file is set. This macro can take five parameters: diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt index 92d5d9325130..8e84a467db94 100644 --- a/shared/references/cce-redhat-avail.txt +++ b/shared/references/cce-redhat-avail.txt 
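Review bot: The doc comment on `oval_coredump_config_set` says "High level macro to set a parameter", but the macro only checks — it expands to `oval_check_config_file` and writes nothing. Say `High level macro to check a parameter in /etc/systemd/coredump.conf.` so that this macro, the bash `coredump_config_set` and `ansible_coredump_config_set` are not read as three spellings of the same operation. The comment should also state that this macro passes `section="Coredump"`, so a correct `key=value` line outside that section does not satisfy the check, whereas the bash and Ansible remediations added in this series are not section-aware.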
@@ -66,8 +66,6 @@ CCE-82246-0 CCE-82247-8 CCE-82248-6 CCE-82250-2 -CCE-82251-0 -CCE-82252-8 CCE-82253-6 CCE-82254-4 CCE-82255-1 diff --git a/tests/data/group_system/group_permissions/group_restrictions/group_coredumps/rule_coredump_disable_backtraces/coredumps_processsizemax_0.pass.sh b/tests/data/group_system/group_permissions/group_restrictions/group_coredumps/rule_coredump_disable_backtraces/coredumps_processsizemax_0.pass.sh new file mode 100644 index 000000000000..a53b199954c2 --- /dev/null +++ b/tests/data/group_system/group_permissions/group_restrictions/group_coredumps/rule_coredump_disable_backtraces/coredumps_processsizemax_0.pass.sh @@ -0,0 +1,4 @@ +#!/bin/bash +# profiles = xccdf_org.ssgproject.content_profile_ospp + +echo ProcessSizeMax=0 >> /etc/systemd/coredump.conf diff --git a/tests/data/group_system/group_permissions/group_restrictions/group_coredumps/rule_coredump_disable_backtraces/coredumps_processsizemax_default.fail.sh b/tests/data/group_system/group_permissions/group_restrictions/group_coredumps/rule_coredump_disable_backtraces/coredumps_processsizemax_default.fail.sh new file mode 100644 index 000000000000..75a4b2f9f8b8 --- /dev/null +++ b/tests/data/group_system/group_permissions/group_restrictions/group_coredumps/rule_coredump_disable_backtraces/coredumps_processsizemax_default.fail.sh @@ -0,0 +1,2 @@ +#!/bin/bash +# profiles = xccdf_org.ssgproject.content_profile_ospp diff --git a/tests/data/group_system/group_permissions/group_restrictions/group_coredumps/rule_coredump_disable_backtraces/coredumps_processsizemax_nonzero.fail.sh b/tests/data/group_system/group_permissions/group_restrictions/group_coredumps/rule_coredump_disable_backtraces/coredumps_processsizemax_nonzero.fail.sh new file mode 100644 index 000000000000..042d49c3622a --- /dev/null +++ b/tests/data/group_system/group_permissions/group_restrictions/group_coredumps/rule_coredump_disable_backtraces/coredumps_processsizemax_nonzero.fail.sh 
@@ -0,0 +1,4 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+echo ProcessSizeMax=2G >> /etc/systemd/coredump.conf
diff --git a/tests/data/group_system/group_permissions/group_restrictions/group_coredumps/rule_coredump_disable_storage/coredumps_storage_default.fail.sh b/tests/data/group_system/group_permissions/group_restrictions/group_coredumps/rule_coredump_disable_storage/coredumps_storage_default.fail.sh
new file mode 100644
index 000000000000..75a4b2f9f8b8
--- /dev/null
+++ b/tests/data/group_system/group_permissions/group_restrictions/group_coredumps/rule_coredump_disable_storage/coredumps_storage_default.fail.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp
diff --git a/tests/data/group_system/group_permissions/group_restrictions/group_coredumps/rule_coredump_disable_storage/coredumps_storage_none.pass.sh b/tests/data/group_system/group_permissions/group_restrictions/group_coredumps/rule_coredump_disable_storage/coredumps_storage_none.pass.sh
new file mode 100644
index 000000000000..08dc803e528d
--- /dev/null
+++ b/tests/data/group_system/group_permissions/group_restrictions/group_coredumps/rule_coredump_disable_storage/coredumps_storage_none.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+# profiles = xccdf_org.ssgproject.content_profile_ospp
+
+echo Storage=none >> /etc/systemd/coredump.conf
diff --git a/tests/data/group_system/group_permissions/group_restrictions/group_coredumps/rule_coredump_disable_storage/coredumps_storage_persistent.fail.sh b/tests/data/group_system/group_permissions/group_restrictions/group_coredumps/rule_coredump_disable_storage/coredumps_storage_persistent.fail.sh
new file mode 100644
index 000000000000..8ebcf7a8bb7a
--- /dev/null
+++ b/tests/data/group_system/group_permissions/group_restrictions/group_coredumps/rule_coredump_disable_storage/coredumps_storage_persistent.fail.sh
@@ -0,0 +1,4 @@ +#!/bin/bash +# profiles = xccdf_org.ssgproject.content_profile_ospp + +echo Storage=persistent >> /etc/systemd/coredump.conf From a0ad45d4af70e20a8e9cb8f5cb3c90b0966fe5e9 Mon Sep 17 00:00:00 2001 From: Jan Pazdziora Date: Thu, 25 Jul 2019 15:58:07 +0200 Subject: [PATCH 2/3] Disable acquiring, saving, and processing core dumps. --- fedora/profiles/ospp.profile | 1 + .../rule.yml | 35 +++++++++++++++++++ ol8/profiles/ospp.profile | 1 + rhel8/profiles/ospp.profile | 2 +- rhel8/templates/csv/services_disabled.csv | 1 + shared/references/cce-redhat-avail.txt | 1 - 6 files changed, 39 insertions(+), 2 deletions(-) create mode 100644 linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml diff --git a/fedora/profiles/ospp.profile b/fedora/profiles/ospp.profile index 390a92297bfc..1d31d2f402f1 100644 --- a/fedora/profiles/ospp.profile +++ b/fedora/profiles/ospp.profile @@ -50,6 +50,7 @@ selections: - sysctl_kernel_core_pattern - coredump_disable_storage - coredump_disable_backtraces + - service_systemd-coredump_disabled - dconf_db_up_to_date - dconf_gnome_screensaver_idle_activation_enabled - dconf_gnome_screensaver_idle_delay diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml new file mode 100644 index 000000000000..029cf6c8a8f8 --- /dev/null +++ b/linux_os/guide/system/permissions/restrictions/coredumps/service_systemd-coredump_disabled/rule.yml 
@@ -0,0 +1,35 @@ +documentation_complete: true + +prodtype: rhel8,fedora,ol8 + +title: 'Disable acquiring, saving, and processing core dumps' + +description: |- + The systemd-coredump.socket unit is a socket activation of + the systemd-coredump@.service which processes core dumps. + By masking the unit, core dump processing is disabled. + +rationale: |- + A core dump includes a memory image taken at the time the operating system + terminates an application. The memory image could contain sensitive data + and is generally useful only for developers trying to debug problems. + +severity: unknown + +identifiers: + cce@rhel8: 82881-4 + +references: + ospp: FMT_SMF_EXT.1 + +ocil_clause: unit systemd-coredump.socket is not masked or running + +ocil: |- + To verify that acquiring, saving, and processing core dumps is disabled, run the + following command: +
$ systemctl status systemd-coredump.socket
+ The output should be similar to: +
● systemd-coredump.socket
+       Loaded: masked (Reason: Unit systemd-coredump.socket is masked.)
+       Active: inactive (dead) ...
+    
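Review bot: `ocil_clause: unit systemd-coredump.socket is not masked or running` reads as if "running" were part of the desired state; the clause names the failing condition, so `ocil_clause: unit systemd-coredump.socket is not masked or is running` says what is meant. The `prodtype: rhel8,fedora,ol8` line also promises the rule for fedora and ol8, yet this commit only adds the `systemd-coredump,systemd,` row to rhel8/templates/csv/services_disabled.csv; if those products generate their service checks from their own csv files, the rule selected in fedora/profiles/ospp.profile and ol8/profiles/ospp.profile would have no check or remediation behind it.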
diff --git a/ol8/profiles/ospp.profile b/ol8/profiles/ospp.profile index 877c34a81615..3f45731c4eda 100644 --- a/ol8/profiles/ospp.profile +++ b/ol8/profiles/ospp.profile @@ -49,6 +49,7 @@ selections: - sysctl_kernel_core_pattern - coredump_disable_storage - coredump_disable_backtraces + - service_systemd-coredump_disabled - dconf_db_up_to_date - dconf_gnome_screensaver_idle_activation_enabled - dconf_gnome_screensaver_idle_delay diff --git a/rhel8/profiles/ospp.profile b/rhel8/profiles/ospp.profile index 522242a776a9..fc3f88b71fc1 100644 --- a/rhel8/profiles/ospp.profile +++ b/rhel8/profiles/ospp.profile @@ -898,7 +898,7 @@ selections: - sysctl_kernel_core_pattern - coredump_disable_storage - coredump_disable_backtraces - #systemctl mask systemd-coredump.socket + - service_systemd-coredump_disabled #systemctl mask kdump.service ################################################################# diff --git a/rhel8/templates/csv/services_disabled.csv b/rhel8/templates/csv/services_disabled.csv index 8b72f2fbfc70..ec0c142bf6b7 100644 --- a/rhel8/templates/csv/services_disabled.csv +++ b/rhel8/templates/csv/services_disabled.csv @@ -2,3 +2,4 @@ sshd,openssh-server, sssd,, debug-shell,systemd, +systemd-coredump,systemd, diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt index 8e84a467db94..f582dae58f89 100644 --- a/shared/references/cce-redhat-avail.txt +++ b/shared/references/cce-redhat-avail.txt @@ -687,7 +687,6 @@ CCE-82877-2 CCE-82878-0 CCE-82879-8 CCE-82880-6 -CCE-82881-4 CCE-82882-2 CCE-82883-0 CCE-82884-8 From bb59ff9b628c70e6369e74a10f455213c7852681 Mon Sep 17 00:00:00 2001 
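Review bot: The new row `systemd-coredump,systemd,` hands the service_disabled template the bare unit name `systemd-coredump`, while the rule description says the unit to mask is `systemd-coredump.socket` and the service behind it is the instance template `systemd-coredump@.service`. Unless the template also emits a check and a mask for the `.socket` unit (not visible in this series), the generated OVAL may be looking for a `systemd-coredump.service` that does not exist, and the check would not verify what the OCIL text describes. Worth confirming against the template output before relying on this rule for OSPP.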
From: Jan Pazdziora Date: Fri, 26 Jul 2019 10:38:52 +0200 Subject: [PATCH 3/3] Be conservative about missing [Coredump] section. --- .../coredumps/coredump_disable_backtraces/rule.yml | 9 ++++++++- .../coredumps/coredump_disable_storage/rule.yml | 9 ++++++++- shared/bash_remediation_functions/include_lineinfile.sh | 2 +- shared/macros-ansible.jinja | 2 +- 4 files changed, 18 insertions(+), 4 deletions(-) diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/rule.yml index ec26c5d41978..d472f40a33cb 100644 --- a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_backtraces/rule.yml @@ -3,7 +3,8 @@ documentation_complete: true title: 'Disable core dump backtraces' description: |- - The ProcessSizeMax option in /etc/systemd/coredump.conf + The ProcessSizeMax option in [Coredump] section + of /etc/systemd/coredump.conf specifies the maximum size in bytes of a core which will be processed. Core dumps exceeding this size may be stored, but the backtrace will not be generated. @@ -29,3 +30,9 @@ ocil: |-
$ grep ProcessSizeMax /etc/systemd/coredump.conf
The output should be:
ProcessSizeMax=0
+ +warnings: + - general: |- + If the /etc/systemd/coredump.conf file + does not already contain the [Coredump] section, + the value will not be configured correctly. diff --git a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/rule.yml b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/rule.yml index f57511c1a0c0..b353bcbf3e04 100644 --- a/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/rule.yml +++ b/linux_os/guide/system/permissions/restrictions/coredumps/coredump_disable_storage/rule.yml @@ -3,7 +3,8 @@ documentation_complete: true title: 'Disable storing core dump' description: |- - The Storage option in /etc/systemd/coredump.conf + The Storage option in [Coredump] section + of /etc/systemd/coredump.conf can be set to none to disable storing core dumps permanently. rationale: |- @@ -26,3 +27,9 @@ ocil: |-
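Review bot: The new warning covers a missing `[Coredump]` section but not the other case this patch introduces: with the create flag flipped to `"false"` in `coredump_config_set` and `create="no"` in `ansible_coredump_config_set`, an absent /etc/systemd/coredump.conf is left untouched by remediation while the OVAL check (called with `missing_parameter_pass=false`) presumably still fails. The identical warning in coredump_disable_storage/rule.yml has the same gap. Adding a sentence such as `If the file does not exist, the remediation will not create it; create it with a [Coredump] section first.` tells the operator what to do rather than leaving a remediation that, as far as this hunk shows, makes no change without saying so.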
$ grep Storage /etc/systemd/coredump.conf
The output should be:
Storage=none
+ +warnings: + - general: |- + If the /etc/systemd/coredump.conf file + does not already contain the [Coredump] section, + the value will not be configured correctly. diff --git a/shared/bash_remediation_functions/include_lineinfile.sh b/shared/bash_remediation_functions/include_lineinfile.sh index 25be274ddd3d..5c3a3040ea5d 100644 --- a/shared/bash_remediation_functions/include_lineinfile.sh +++ b/shared/bash_remediation_functions/include_lineinfile.sh @@ -161,5 +161,5 @@ function coredump_config_set() { local parameter="$1" local value="$2" - set_config_file "/etc/systemd/coredump.conf" "$parameter" "$value" "true" "" "" "true" "=" "\s*=\s*" + set_config_file "/etc/systemd/coredump.conf" "$parameter" "$value" "false" "" "" "true" "=" "\s*=\s*" } diff --git a/shared/macros-ansible.jinja b/shared/macros-ansible.jinja index ad9cfc210923..4af64682a8f0 100644 --- a/shared/macros-ansible.jinja +++ b/shared/macros-ansible.jinja @@ -182,5 +182,5 @@ - value: value of the parameter #}} {{%- macro ansible_coredump_config_set(msg='', parameter='', value='') %}} -{{{ ansible_set_config_file(msg, "/etc/systemd/coredump.conf", parameter=parameter, value=value, create="yes", separator="=", separator_regex="\s*=\s*") }}} +{{{ ansible_set_config_file(msg, "/etc/systemd/coredump.conf", parameter=parameter, value=value, create="no", separator="=", separator_regex="\s*=\s*") }}} {{%- endmacro %}}