Disable Core Dumps for SUID programs

$ sudo sysctl -w fs.suid_dumpable=0

fs.suid_dumpable = 0

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Comment out any occurrences of fs.suid\_dumpable from /etc/sysctl.d/\*.conf files

for f in /etc/sysctl.d/\*.conf /run/sysctl.d/\*.conf /usr/local/lib/sysctl.d/\*.conf /usr/lib/sysctl.d/\*.conf; do

 matching\_list=$(grep -P '^(?!#).\*[\s]\*fs.suid\_dumpable.\*$' $f | uniq )
 if ! test -z "$matching\_list"; then
 while IFS= read -r entry; do
 escaped\_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
 # comment out "fs.suid\_dumpable" matches to preserve user data
 sed -i "s/^${escaped\_entry}$/# &/g" $f
 done <<< "$matching\_list"
 fi
done

#
# Set sysctl config file which to save the desired value
#

SYSCONFIG\_FILE="/etc/sysctl.conf"


#
# Set runtime for fs.suid\_dumpable
#
/sbin/sysctl -q -n -w fs.suid\_dumpable="0"

#
# If fs.suid\_dumpable present in /etc/sysctl.conf, change value to "0"
# else, add "fs.suid\_dumpable = 0" to /etc/sysctl.conf
#

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped\_key=$(sed 's/[\^=\$,;+]\*//g' <<< "^fs.suid\_dumpable")

# shellcheck disable=SC2059
printf -v formatted\_output "%s = %s" "$stripped\_key" "0"

# If the key exists, change it. Otherwise, add it to the config\_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC\_ALL=C grep -q -m 1 -i -e "^fs.suid\_dumpable\\>" "${SYSCONFIG\_FILE}"; then
 escaped\_formatted\_output=$(sed -e 's|/|\\/|g' <<< "$formatted\_output")
 LC\_ALL=C sed -i --follow-symlinks "s/^fs.suid\_dumpable\\>.\*/$escaped\_formatted\_output/gi" "${SYSCONFIG\_FILE}"
else
 if [[ -s "${SYSCONFIG\_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG\_FILE}" || true)" ]]; then
 LC\_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG\_FILE}"
 fi
 printf '%s\n' "$formatted\_output" >> "${SYSCONFIG\_FILE}"
fi

else
 >&2 echo 'Remediation is not applicable, nothing was done'
fi

- name: List /etc/sysctl.d/\*.conf files
 find:
 paths:
 - /etc/sysctl.d/
 - /run/sysctl.d/
 - /usr/local/lib/sysctl.d/
 - /usr/lib/sysctl.d/
 contains: ^[\s]\*fs.suid\_dumpable.\*$
 patterns: '\*.conf'
 file\_type: any
 register: find\_sysctl\_d
 when: ansible\_virtualization\_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - NIST-800-53-SI-11(a)
 - NIST-800-53-SI-11(b)
 - PCI-DSSv4-3.3.1.1
 - PCI-DSSv4-3.3.1.2
 - PCI-DSSv4-3.3.1.3
 - disable\_strategy
 - low\_complexity
 - medium\_disruption
 - medium\_severity
 - reboot\_required
 - sysctl\_fs\_suid\_dumpable

- name: Comment out any occurrences of fs.suid\_dumpable from config files
 replace:
 path: '{{ item.path }}'
 regexp: ^[\s]\*fs.suid\_dumpable
 replace: '#fs.suid\_dumpable'
 loop: '{{ find\_sysctl\_d.files }}'
 when: ansible\_virtualization\_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - NIST-800-53-SI-11(a)
 - NIST-800-53-SI-11(b)
 - PCI-DSSv4-3.3.1.1
 - PCI-DSSv4-3.3.1.2
 - PCI-DSSv4-3.3.1.3
 - disable\_strategy
 - low\_complexity
 - medium\_disruption
 - medium\_severity
 - reboot\_required
 - sysctl\_fs\_suid\_dumpable

- name: Ensure sysctl fs.suid\_dumpable is set to 0
 sysctl:
 name: fs.suid\_dumpable
 value: '0'
 sysctl\_file: /etc/sysctl.conf
 state: present
 reload: true
 when: ansible\_virtualization\_type not in ["docker", "lxc", "openvz", "podman", "container"]
 tags:
 - NIST-800-53-SI-11(a)
 - NIST-800-53-SI-11(b)
 - PCI-DSSv4-3.3.1.1
 - PCI-DSSv4-3.3.1.2
 - PCI-DSSv4-3.3.1.3
 - disable\_strategy
 - low\_complexity
 - medium\_disruption
 - medium\_severity
 - reboot\_required
 - sysctl\_fs\_suid\_dumpable