From 8489d3cc883f673d8a11290346fe93e4a860d85f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Sachse?= <Joerg.Sachse@slub-dresden.de>
Date: Fri, 21 Jan 2022 08:03:29 +0100
Subject: [PATCH] feat: disable kdump as per DoD STIG V-72057

---
 tasks/configure_kdump.yml | 13 +++++++++++++
 tasks/main.yml            |  2 ++
 2 files changed, 15 insertions(+)
 create mode 100644 tasks/configure_kdump.yml

diff --git a/tasks/configure_kdump.yml b/tasks/configure_kdump.yml
new file mode 100644
index 0000000..f48e4c9
--- /dev/null
+++ b/tasks/configure_kdump.yml
@@ -0,0 +1,13 @@
+---
+# find the documentation of US Department of Defense (DoD) Security Technical
+# Implementation Guide (STIG) V-72057 at
+# https://www.stigviewer.com/stig/red_hat_enterprise_linux_7/2017-07-08/finding/V-72057
+# Quote:
+# "Kernel core dumps may contain the full contents of system memory at the time
+# of the crash. Kernel core dumps may consume a considerable amount of disk
+# space and may result in denial of service by exhausting the available space
+# on the target file system partition."
+- name: disable kdump as per DoD STIG V-72057
+  systemd:
+    name: "kdump.service"
+    state: disabled
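Review bot: `state: disabled` on the last line of the new task is not a value the `systemd` module accepts for `state` (it takes `started`, `stopped`, `restarted` or `reloaded`), so the task will most likely fail argument validation rather than disable kdump. Boot-time enablement is controlled by the separate `enabled` parameter. Replace that line with `enabled: false` and `state: stopped`, so the unit is both kept from starting at boot and stopped on an already running host. If the role can run on hosts where kdump is not installed, the task would presumably fail on the missing unit, so a guard on the unit's presence is worth considering.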
diff --git a/tasks/main.yml b/tasks/main.yml
index 93bdbb1..809ee19 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -37,6 +37,8 @@
   tags: [iptables]
 - import_tasks: configure_selinux.yml
   tags: [selinux]
+- import_tasks: "configure_kdump.yml"
+  tags: [security, kdump]
 
 ### ROSETTA TASKS
 
-- 
GitLab