From 8489d3cc883f673d8a11290346fe93e4a860d85f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Sachse?= <Joerg.Sachse@slub-dresden.de> Date: Fri, 21 Jan 2022 08:03:29 +0100 Subject: [PATCH] feat: disable kdump as per DoD STIG V-72057 --- tasks/configure_kdump.yml | 13 +++++++++++++ tasks/main.yml | 2 ++ 2 files changed, 15 insertions(+) create mode 100644 tasks/configure_kdump.yml diff --git a/tasks/configure_kdump.yml b/tasks/configure_kdump.yml new file mode 100644 index 0000000..f48e4c9 --- /dev/null +++ b/tasks/configure_kdump.yml @@ -0,0 +1,13 @@ +--- +# find the documentation of US Department of Defense (DoD) Security Technical +# Implementation Guide (STIG) V-72057 at +# https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2017-07-08/finding/V-72057 +# Quote: +# "Kernel core dumps may contain the full contents of system memory at the time +# of the crash. Kernel core dumps may consume a considerable amount of disk +# space and may result in denial of service by exhausting the available space +# on the target file system partition." +- name: disable kdump as per DoD STIG V-72057 + systemd: + name: "kdump.service" + state: disabled diff --git a/tasks/main.yml b/tasks/main.yml index 93bdbb1..809ee19 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -37,6 +37,8 @@ tags: [iptables] - import_tasks: configure_selinux.yml tags: [selinux] +- import_tasks: "configure_kdump.yml" + tags: [security, kdump] ### ROSETTA TASKS -- GitLab