From a3ff0589d2f4e0ecb6e92a4056e9128c050521f8 Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Fri, 9 Oct 2015 15:21:39 -0500
Subject: [PATCH] V-38675: Restrict core dumps

Change-Id: I33541ce7f53997fc552e38135d3caca286ebdbb7
---
 defaults/main.yml | 5 +++++
 doc/source/developer-notes/V-38675.rst | 8 ++++++++
 tasks/misc.yml | 10 ++++++++++
 3 files changed, 23 insertions(+)
 create mode 100644 doc/source/developer-notes/V-38675.rst

diff --git a/defaults/main.yml b/defaults/main.yml
index 8ca7a29e..549d7771 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -206,3 +206,8 @@ postfix_inet_interfaces: localhost # V-38622
 # variable to 'yes'. See the documentation for V-38546 before making this
 # change.
 disable_ipv6: no # V-38546
+
+## Core dumps
+# V-38675 requires disabling core dumps for all users unless absolutely
+# necessary. Set this variable to 'no' to skip this change.
+disable_core_dumps: yes # V-38675
diff --git a/doc/source/developer-notes/V-38675.rst b/doc/source/developer-notes/V-38675.rst
new file mode 100644
index 00000000..cfa86435
--- /dev/null
+++ b/doc/source/developer-notes/V-38675.rst
@@ -0,0 +1,8 @@
+Ubuntu doesn't restrict core dumps by default, but the STIG requires that core
+dumps are disabled for all users unless absolutely necessary.
+
+To opt-out of this change, set the following Ansible variable to ``no``:
+
+.. code-block:: yaml
+
+ disable_core_dumps: no
diff --git a/tasks/misc.yml b/tasks/misc.yml
index 06e6f749..62eb04f4 100644
--- a/tasks/misc.yml
+++ b/tasks/misc.yml
@@ -109,6 +109,16 @@
 - cat3
 - V-38624
 
+- name: V-38675 - Process core dump must be disabled
+ lineinfile:
+ dest: /etc/security/limits.d/V-38675-coredump.conf
+ line: "* hard core 0"
+ create: yes
+ when: disable_core_dumps is defined
+ tags:
+ - cat3
+ - V-38675
+
 - name: V-38684 - Maximum simultaneous logins per user
 lineinfile:
 dest: /etc/security/limits.d/V-38684-maxlogins.conf
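Review bot: The guard `when: disable_core_dumps is defined` on the new V-38675 task never lets anyone opt out, because defaults/main.yml now defines the variable as `yes` on every run and the documented opt-out (`disable_core_dumps: no`, stated both in that defaults comment and in the new V-38675.rst) still leaves it defined; the task should test the value instead, `when: disable_core_dumps | bool`. Separately, a `* hard core 0` entry in limits.d is presumably only enforced for sessions that pass through pam_limits, so daemons started directly by init and setuid programs (governed by the `fs.suid_dumpable` sysctl) are likely not covered, and a reviewer checking the STIG item may want that gap noted in the task's name or in V-38675.rst. A minor style point: `create: true` is the canonical boolean form yamllint's truthy rule expects, though `yes` matches the `yes`/`no` convention the defaults file already uses.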