Disable kdump [+Docs]

This patch disables the kdump service. Documentation is included. Implements: blueprint security-rhel7-stig Change-Id: I5b90eb2755beca3496863bfc7e8cfb5d88d8c786
2016-12-05 14:15:41 -06:00 · 2016-12-05 14:15:41 -06:00 · 21454affbf
commit 21454affbf
parent 4e8bf6705f
3 changed files with 34 additions and 3 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -610,3 +610,5 @@ security_disallow_icmp_redirects: yes                        # RHEL-07-040410 /
 security_disallow_ip_forwarding: no                          # RHEL-07-040730
 # Disable USB storage support.
 security_rhel7_disable_usb_storage: yes                      # RHEL-07-020160
+# Disable kdump.
+security_disable_kdump: yes                                  # RHEL-07-021230
--- a/doc/metadata/rhel7/RHEL-07-021230.rst
+++ b/doc/metadata/rhel7/RHEL-07-021230.rst
@ -1,7 +1,12 @@
 ---
 id: RHEL-07-021230
-status: not implemented
-tag: misc
+status: implemented
+tag: kernel
 ---

-This STIG requirement is not yet implemented.
+The ``kdump`` service is disabled if it exists on the system. Deployers can opt
+out of this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_disable_kdump: no
--- a/tasks/rhel7stig/kernel.yml
+++ b/tasks/rhel7stig/kernel.yml
@ -43,3 +43,27 @@
    - RHEL-07-040421
    - RHEL-07-040730
    - RHEL-07-040860
+
+- name: Check kdump service
+  command: systemctl status kdump
+  register: kdump_service_check
+  failed_when: kdump_service_check.rc not in [0,3]
+  changed_when: False
+  check_mode: no
+  tags:
+    - kernel
+    - medium
+    - RHEL-07-021230
+
+- name: RHEL-07-021230 - Kernel core dumps must be disabled unless needed.
+  service:
+    name: kdump
+    state: stopped
+    enabled: no
+  when:
+    - kdump_service_check.rc != 3
+    - security_disable_kdump
+  tags:
+    - kernel
+    - medium
+    - RHEL-07-021230