security-misc
systemd-coredump
In response to
- https://github.com/Kicksecure/security-misc/pull/151
How to even re-enable coredumps as of now? Is this implemented in debug-misc?
I don't want to configure us into a corner and then when somebody asks how to re-enable functionality, nobody knows the answer and it's a major effort to re-enable it.
Maybe not worth disabling coredumps anyhow.
Why not use systemd-coredump from packages.debian.org instead? See this short and nice article on how to use that: https://documentation.suse.com/sles/15-SP2/html/SLES-all/cha-tuning-systemd-coredump.html
Seems pretty sanely implemented at first sight. Core dumps are to be found in this folder:
/var/lib/systemd/coredump/
We could leave coredumps enabled by default, harden the permissions of that folder to read access only by root using permission-hardener (if that is possible without breaking systemd-coredump) and then call it a day.
See also /usr/lib/sysctl.d/50-coredump.conf after installing the systemd-coredump package.
cat /usr/lib/sysctl.d/50-coredump.conf | grep --invert-match "#"
kernel.core_pattern=|/lib/systemd/systemd-coredump %P %u %g %s %t 9223372036854775808 %h
kernel.core_pipe_limit=16
fs.suid_dumpable=2
https://www.freedesktop.org/software/systemd/man/latest/systemd-coredump.html
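An added example, not part of the issue or of security-misc: a read-only audit of the setup proposed above, checking the sysctl drop-in values quoted in the post and whether the dump directory is closed to group and other. The function names are hypothetical; the paths in the usage comment are the ones given on the page.

```shell
#!/bin/sh
# Added example: read-only audit of a systemd-coredump setup (hypothetical names).

# Effective value of a key in a sysctl.d-style file (comments skipped, last wins).
sysctl_conf_value() {  # $1 = file, $2 = key
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }
        {
            pos = index($0, "="); if (pos == 0) next
            k = substr($0, 1, pos - 1); v = substr($0, pos + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# True when core_pattern pipes dumps to a systemd-coredump binary.
core_pattern_is_piped() {  # $1 = core_pattern value
    case "$1" in
        "|"*/systemd-coredump" "*) return 0 ;;
        *) return 1 ;;
    esac
}

# True when the directory grants no permission bits to group or other.
dir_is_owner_only() {  # $1 = directory
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

audit_coredump() {  # $1 = sysctl drop-in, $2 = coredump directory
    rc=0
    pattern=$(sysctl_conf_value "$1" kernel.core_pattern)
    dumpable=$(sysctl_conf_value "$1" fs.suid_dumpable)
    if ! core_pattern_is_piped "$pattern"; then
        echo "WARN: core_pattern is not piped to systemd-coredump: '$pattern'"; rc=1
    fi
    # Mode 1 is the kernel's debug setting; dumps get no access protection.
    if [ "$dumpable" = 1 ]; then
        echo "WARN: fs.suid_dumpable=1"; rc=1
    fi
    if ! dir_is_owner_only "$2"; then
        echo "WARN: $2 is accessible to group or other"; rc=1
    fi
    return "$rc"
}

# e.g. sh audit.sh /usr/lib/sysctl.d/50-coredump.conf /var/lib/systemd/coredump
if [ "$#" -eq 2 ]; then audit_coredump "$1" "$2"; fi
```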
Consider closing due to the original request being closed.
This ticket as in original description is still planned.
Depends: systemd-coredump would be done in kicksecure-meta-package, not in security-misc.