Disable Automatic Bug Reporting Tool (abrtd)

Classification:

compliance

Description

The Automatic Bug Reporting Tool (abrtd) daemon collects and reports crash data when an application crash is detected. Using a variety of plugins, abrtd can email crash reports to system administrators, log crash reports to files, or forward crash reports to a centralized issue tracking system such as RHTSupport.

The abrtd service can be disabled with the following command:

$ sudo systemctl disable abrtd.service

Rationale

Mishandling crash data could expose sensitive information about vulnerabilities in software executing on the system, as well as sensitive information from within a process’s address space or registers.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'abrtd.service'
"$SYSTEMCTL_EXEC" disable 'abrtd.service'
# Disable socket activation if we have a unit file for it
"$SYSTEMCTL_EXEC" list-unit-files | grep -q '^abrtd.socket\>' && "$SYSTEMCTL_EXEC" disable 'abrtd.socket'
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'abrtd.service'
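
To confirm the remediation took effect, the following audit check (an added example, not part of the original rule or its project) reads the state of abrtd.service and abrtd.socket and treats a 'failed' unit as non-compliant, matching the reset-failed comment above. The function names unit_state_ok, check_unit and audit_abrtd are hypothetical, and the script assumes a systemd that reports a missing unit as inactive.

```shell
#!/bin/sh
# Added example: audit that abrtd stays off. Function names are hypothetical.
# Override SYSTEMCTL_EXEC to point at a different systemctl binary.
SYSTEMCTL_EXEC="${SYSTEMCTL_EXEC:-/usr/bin/systemctl}"

# unit_state_ok ENABLED_STATE ACTIVE_STATE
# ENABLED_STATE is the output of `systemctl is-enabled`, ACTIVE_STATE the
# output of `systemctl is-active`. Returns 0 only when the unit will not
# start at boot and is cleanly stopped.
unit_state_ok() {
    case "$1" in
        disabled|masked) ;;   # unit file present, will not be started at boot
        ""|not-found) ;;      # no unit file installed (e.g. no abrtd.socket)
        *) return 1 ;;        # enabled, static, indirect, ... can still start
    esac
    # 'failed' is rejected on purpose: it means the unit ran and crashed,
    # and `systemctl reset-failed` has not been applied yet.
    [ "$2" = "inactive" ]
}

# check_unit UNIT: query systemd and print a PASS/FAIL line for UNIT.
check_unit() {
    # Both queries exit non-zero for disabled/inactive units, so the exit
    # status is ignored and only the printed state is evaluated.
    enabled=$("$SYSTEMCTL_EXEC" is-enabled "$1" 2>/dev/null) || true
    active=$("$SYSTEMCTL_EXEC" is-active "$1" 2>/dev/null) || true
    if unit_state_ok "$enabled" "$active"; then
        echo "PASS $1 enabled=${enabled:-absent} active=$active"
    else
        echo "FAIL $1 enabled=${enabled:-absent} active=${active:-none}"
        return 1
    fi
}

# audit_abrtd: 0 = both units compliant, 1 = a unit failed the check,
# 2 = systemctl is not available, so nothing could be verified.
audit_abrtd() {
    command -v "$SYSTEMCTL_EXEC" >/dev/null 2>&1 || {
        echo "systemctl not found: $SYSTEMCTL_EXEC" >&2
        return 2
    }
    rc=0
    for unit in abrtd.service abrtd.socket; do
        check_unit "$unit" || rc=1
    done
    return "$rc"
}
```

Source the file and call audit_abrtd; an exit status of 0 means both units passed.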

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Disable service abrtd
  service:
    name: "{{item}}"
    enabled: "no"
    state: "stopped"
  register: service_result
  failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
  with_items:
    - abrtd
  tags:
    - service_abrtd_disabled
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(8)
    - NIST-800-53-CM-7

- name: Disable socket of service abrtd if applicable
  service:
    name: "{{item}}"
    enabled: "no"
    state: "stopped"
  register: socket_result
  failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
  with_items:
    - abrtd.socket
  tags:
    - service_abrtd_disabled
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-AC-17(8)
    - NIST-800-53-CM-7