From 21454affbf8a65e595af688afc0744568002650d Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Mon, 5 Dec 2016 14:15:41 -0600
Subject: [PATCH] Disable kdump [+Docs]

This patch disables the kdump service. Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: I5b90eb2755beca3496863bfc7e8cfb5d88d8c786
---
 defaults/main.yml | 2 ++
 doc/metadata/rhel7/RHEL-07-021230.rst | 11 ++++++++---
 tasks/rhel7stig/kernel.yml | 24 ++++++++++++++++++++++++
 3 files changed, 34 insertions(+), 3 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 3fd78a83..df29124e 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -610,3 +610,5 @@ security_disallow_icmp_redirects: yes # RHEL-07-040410 /
 security_disallow_ip_forwarding: no # RHEL-07-040730
 # Disable USB storage support.
 security_rhel7_disable_usb_storage: yes # RHEL-07-020160
+# Disable kdump.
+security_disable_kdump: yes # RHEL-07-021230
diff --git a/doc/metadata/rhel7/RHEL-07-021230.rst b/doc/metadata/rhel7/RHEL-07-021230.rst
index 08e9c191..e9e6e424 100644
--- a/doc/metadata/rhel7/RHEL-07-021230.rst
+++ b/doc/metadata/rhel7/RHEL-07-021230.rst
@@ -1,7 +1,12 @@
 ---
 id: RHEL-07-021230
-status: not implemented
-tag: misc
+status: implemented
+tag: kernel
 ---
 
-This STIG requirement is not yet implemented.
+The ``kdump`` service is disabled if it exists on the system. Deployers can opt
+out of this change by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+   security_disable_kdump: no
diff --git a/tasks/rhel7stig/kernel.yml b/tasks/rhel7stig/kernel.yml
index a3f7c732..f19e1bf9 100644
--- a/tasks/rhel7stig/kernel.yml
+++ b/tasks/rhel7stig/kernel.yml
@@ -43,3 +43,27 @@
     - RHEL-07-040421
     - RHEL-07-040730
     - RHEL-07-040860
+
+- name: Check kdump service
+  command: systemctl status kdump
+  register: kdump_service_check
+  failed_when: kdump_service_check.rc not in [0,3]
+  changed_when: False
+  check_mode: no
+  tags:
+    - kernel
+    - medium
+    - RHEL-07-021230
+
+- name: RHEL-07-021230 - Kernel core dumps must be disabled unless needed.
+  service:
+    name: kdump
+    state: stopped
+    enabled: no
+  when:
+    - kdump_service_check.rc != 3
+    - security_disable_kdump
+  tags:
+    - kernel
+    - medium
+    - RHEL-07-021230
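Review bot: The `service` task is skipped whenever the check exits 3, but `systemctl status` also exits 3 for a unit that is installed and merely inactive, so a kdump that is stopped yet still enabled is never set to `enabled: no` and will come back on the next boot; the `kdump_service_check.rc != 3` gate conflates "unit absent" with "unit not running". The check task will also fail the play on any exit code outside `[0,3]` — 1 or 2 for a dead service with a stale pid or lock file, and, on newer systemd releases, 4 for an unknown unit — which is worth confirming against the target RHEL 7 systemd. Gating on the presence of the unit rather than on the exit code avoids both problems, e.g. `command: systemctl list-unit-files kdump.service` with `failed_when: false` on the check, and `when: "'kdump.service' in kdump_service_check.stdout"` on the disable task (keeping the `security_disable_kdump` condition). The check task could also carry `when: security_disable_kdump` so nothing runs when deployers opt out, and `changed_when: False`, `check_mode: no` and `enabled: no` mix truthy spellings — `false` throughout satisfies yamllint's `truthy` rule. The three context lines at the top are the tag list of a task whose definition starts outside the hunk.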