From c6b669f1a53bfef08a82994422f9e1b627a937d5 Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Sun, 30 Jun 2019 00:11:13 +0000
Subject: [PATCH 1/6] Create disable-coredumps.conf
---
lib/systemd/system/coredump.conf.d/disable-coredumps.conf | 2 ++
1 file changed, 2 insertions(+)
create mode 100644 lib/systemd/system/coredump.conf.d/disable-coredumps.conf
diff --git a/lib/systemd/system/coredump.conf.d/disable-coredumps.conf b/lib/systemd/system/coredump.conf.d/disable-coredumps.conf
new file mode 100644
index 0000000..519f838
--- /dev/null
+++ b/lib/systemd/system/coredump.conf.d/disable-coredumps.conf
@@ -0,0 +1,2 @@
+[Coredump]
+Storage=none
From f040081a5998fddd1ea4bc30140e41c405842371 Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Sun, 30 Jun 2019 00:13:52 +0000
Subject: [PATCH 2/6] Prevent setuid processes from creating coredumps.
---
etc/sysctl.d/suid_dumpable.conf | 2 ++
1 file changed, 2 insertions(+)
create mode 100644 etc/sysctl.d/suid_dumpable.conf
diff --git a/etc/sysctl.d/suid_dumpable.conf b/etc/sysctl.d/suid_dumpable.conf
new file mode 100644
index 0000000..1ed3b79
--- /dev/null
+++ b/etc/sysctl.d/suid_dumpable.conf
@@ -0,0 +1,2 @@
+# Prevent setuid processes from creating coredumps.
+fs.suid_dumpable=0
From 1bf802f8469a4ffc36cccca1ea6fc6f92ea6af8a Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Sun, 30 Jun 2019 00:16:50 +0000
Subject: [PATCH 3/6] Create coredumps.conf
---
etc/sysctl.d/coredumps.conf | 3 +++
1 file changed, 3 insertions(+)
create mode 100644 etc/sysctl.d/coredumps.conf
diff --git a/etc/sysctl.d/coredumps.conf b/etc/sysctl.d/coredumps.conf
new file mode 100644
index 0000000..9ac4548
--- /dev/null
+++ b/etc/sysctl.d/coredumps.conf
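Review bot: The drop-in in patch 1 is created under `lib/systemd/system/coredump.conf.d/`, which is a unit-file directory. systemd-coredump reads its drop-ins from a `coredump.conf.d` directory directly under `/etc/systemd`, `/run/systemd` or `/usr/lib/systemd`, so `Storage=none` at this path is most likely never read. Moving the file to `lib/systemd/coredump.conf.d/disable-coredumps.conf` should put it on the documented search path. The file would also benefit from a comment such as `# Storage=none: crashes are still handed to systemd-coredump and may be logged, but the core itself is not kept.`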
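Review bot: The comment above `fs.suid_dumpable=0` in etc/sysctl.d/suid_dumpable.conf does not say that 0 is already the kernel default, so a reader cannot tell that the file exists to pin the value against other drop-ins that raise it. I would word it as `# Pin the kernel default (0): processes that changed privilege level or are execute-only never dump core.` Since sysctl.d files are applied in lexical filename order, a later-sorting file could still override this, which is worth stating next to the setting.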
@@ -0,0 +1,3 @@
+# Disables coredumps. This setting may be overwritten by systemd so this may not be useful.
+# security-misc also disables coredumps in other ways.
+kernel.core_pattern=|/bin/false
From 230ef34db45c1c7d980abfd8bd4770ec336ae4bf Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Sun, 30 Jun 2019 00:19:04 +0000
Subject: [PATCH 4/6] Create disable-coredumps.conf
---
etc/security/limits.d/disable-coredumps.conf | 2 ++
1 file changed, 2 insertions(+)
create mode 100644 etc/security/limits.d/disable-coredumps.conf
diff --git a/etc/security/limits.d/disable-coredumps.conf b/etc/security/limits.d/disable-coredumps.conf
new file mode 100644
index 0000000..ea7c414
--- /dev/null
+++ b/etc/security/limits.d/disable-coredumps.conf
@@ -0,0 +1,2 @@
+# Disable coredumps.
+* hard core 0
From 024a698249392bdc6ebd362a2c978bc0e02bd55f Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Sun, 30 Jun 2019 00:20:38 +0000
Subject: [PATCH 5/6] Update control
---
debian/control | 2 ++
1 file changed, 2 insertions(+)
diff --git a/debian/control b/debian/control
index 4a3352f..94bf967 100644
--- a/debian/control
+++ b/debian/control
@@ -108,4 +108,6 @@ Description: enhances misc security settings The thunderbolt and firewire modules are blacklisted as they can be used for DMA (Direct Memory Access) attacks. . + Coredumps are disabled as they may contain important information such as encryption keys or passwords. + . IOMMU is enabled with a boot parameter to prevent DMA attacks.
From dbfb9e1cdf1e042c8985e2e69b7f5f5f1eaed860 Mon Sep 17 00:00:00 2001
From: madaidan <50278627+madaidan@users.noreply.github.com>
Date: Sun, 30 Jun 2019 00:21:46 +0000
Subject: [PATCH 6/6] Update control
---
debian/control | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/debian/control b/debian/control
index 94bf967..778eb85 100644
--- a/debian/control
+++ b/debian/control
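Review bot: The comment in etc/sysctl.d/coredumps.conf leaves open whether `kernel.core_pattern=|/bin/false` actually takes effect, which is the one thing a reader of this file needs to know. sysctl.d files are applied in lexical filename order across all directories, so the outcome is decided by the file name; a numeric prefix would make the intended ordering explicit. When this value wins, cores are piped to `/bin/false` and systemd-coredump is never invoked, so the `Storage=none` drop-in from patch 1 only matters if the pattern is later reset. Suggested comment: `# Pipe core dumps to /bin/false so they are discarded; holds only while no later-sorting sysctl.d file sets kernel.core_pattern.`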
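Review bot: `* hard core 0` in etc/security/limits.d/disable-coredumps.conf does not cover root, because pam_limits does not apply wildcard entries to the root user; a second line `root hard core 0` is needed to include it. The limit is also only applied to sessions that pass through PAM, so services started directly by systemd are presumably unaffected by this file. The comment should say this, for example `# Core size limit 0 for PAM login sessions; one layer only, see the sysctl.d settings for the rest.`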
@@ -108,6 +108,6 @@ Description: enhances misc security settings The thunderbolt and firewire modules are blacklisted as they can be used for DMA (Direct Memory Access) attacks. . - Coredumps are disabled as they may contain important information such as encryption keys or passwords. - . IOMMU is enabled with a boot parameter to prevent DMA attacks. + . + Coredumps are disabled as they may contain important information such as encryption keys or passwords.