File: rule.yml

scap-security-guide 0.1.76-1
# Flag read by the content build system; its exact effect is not visible in
# this file.
documentation_complete: true

# Pick the service unit name per product. Products whose name contains
# 'ubuntu' get 'kdump-tools'; every other product gets 'kdump'.
# `product` comes from the templating context, not from this file.
# The resulting kdump_service variable is reused by the description, the
# OCIL/fixtext macros and the template vars further down.
{{% if 'ubuntu' in product -%}}
{{% set kdump_service = 'kdump-tools' -%}}
{{% else -%}}
{{% set kdump_service = 'kdump' -%}}
{{% endif -%}}

# Human-readable rule title.
# NOTE(review): the title hard-codes "(kdump)" even on products where
# kdump_service resolves to 'kdump-tools'.
title: 'Disable KDump Kernel Crash Analyzer (kdump)'

# What the service does, followed by the output of the
# describe_service_disable macro (defined elsewhere) for the resolved
# service name. The <tt> tags are part of the emitted text.
description: |-
    The <tt>{{{ kdump_service }}}</tt> service provides a kernel crash dump analyzer. It uses the <tt>kexec</tt>
    system call to boot a secondary kernel ("capture" kernel) following a system
    crash, which can load information from the crashed kernel for analysis.
    {{{ describe_service_disable(service=kdump_service) }}}

# Why the rule exists. Two concerns are stated: a dump may hold the full
# contents of system memory, and dumps can fill the target partition.
# NOTE(review): the text leaves the confidentiality consequence implicit
# (memory captured at crash time can include credentials or key material);
# consider saying so explicitly. The last sentence scopes the exception to
# kernel development or testing systems.
rationale: |-
    Kernel core dumps may contain the full contents of system memory at the
    time of the crash. Kernel core dumps consume a considerable amount of disk
    space and may result in denial of service by exhausting the available space
    on the target file system partition. Unless the system is used for kernel
    development or testing, there is little need to run the kdump service.

# Severity assigned to a failed check of this rule.
severity: medium

# CCE identifiers, one per product, selected by the cce@PRODUCT key suffix.
# Only rhel8, rhel9, rhel10, sle12, sle15 and slmicro5 have an entry here;
# no CCE is listed for the ol or ubuntu products that appear under the
# stigid@ keys in the references section of this file.
identifiers:
    cce@rhel8: CCE-80878-2
    cce@rhel9: CCE-84232-8
    cce@rhel10: CCE-88407-2
    cce@sle12: CCE-83105-7
    cce@sle15: CCE-85638-5
    cce@slmicro5: CCE-93773-0

# Cross-references from this rule to external control catalogues.
# Each value is a single scalar holding a comma-separated list with no
# spaces after the commas; entries appear in string order rather than numeric
# order (for example 11,12,14,15,3,8,9).
# Keys with an @PRODUCT suffix (stigid@...) apply to that product only.
# STIG ids are listed for ol7, ol8, rhel8, sle12, sle15, ubuntu2004 and
# ubuntu2204; the other products named under identifiers have none here.
references:
    cis-csc: 11,12,14,15,3,8,9
    cobit5: APO13.01,BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS01.04,DSS05.02,DSS05.03,DSS05.05,DSS06.06
    disa: CCI-000366
    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3),164.308(a)(4),164.310(b),164.310(c),164.312(a),164.312(e)
    isa-62443-2009: 4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3
    # The only quoted value in this mapping; its entries contain spaces.
    isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 3.1,SR 3.5,SR 3.8,SR 4.1,SR 4.3,SR 5.1,SR 5.2,SR 5.3,SR 7.1,SR 7.6'
    iso27001-2013: A.11.2.6,A.12.1.2,A.12.5.1,A.12.6.2,A.13.1.1,A.13.2.1,A.14.1.3,A.14.2.2,A.14.2.3,A.14.2.4,A.6.2.1,A.6.2.2,A.9.1.2
    nist: CM-7(a),CM-7(b),CM-6(a)
    nist-csf: PR.AC-3,PR.IP-1,PR.PT-3,PR.PT-4
    ospp: FMT_SMF_EXT.1.1
    srg: SRG-OS-000269-GPOS-00103,SRG-OS-000480-GPOS-00227
    stigid@ol7: OL07-00-021300
    stigid@ol8: OL08-00-010670
    stigid@rhel8: RHEL-08-010670
    stigid@sle12: SLES-12-010840
    stigid@sle15: SLES-15-040190
    stigid@ubuntu2004: UBTU-20-010413
    stigid@ubuntu2204: UBTU-22-213015

# Manual-audit text. All four fields below are produced by macros defined
# elsewhere in the project and are given the resolved service name, so the
# wording follows the 'kdump' / 'kdump-tools' choice made at the top of the
# file. ocil_clause and ocil pass the name as the keyword argument service=.
ocil_clause: |-
    {{{ ocil_clause_service_disabled(service=kdump_service) }}}

ocil: |-
    {{{ ocil_service_disabled(service=kdump_service) }}}

# fixtext and srg_requirement pass the service name positionally.
# NOTE(review): both values are single-quoted around macro output, and the
# macros are rendered to text before the YAML is parsed. An apostrophe in the
# rendered text would end the quoted scalar early; confirm the macro wording
# or use a block scalar as ocil does.
fixtext: '{{{ fixtext_service_disabled(kdump_service) }}}'

srg_requirement: '{{{ srg_requirement_service_disabled(kdump_service) }}}'

# Applicability condition for the rule. system_with_kernel is defined
# elsewhere; presumably it limits the rule to systems that run their own
# kernel. TODO confirm against the platform definition.
platform: system_with_kernel

# Check and remediation content is generated from the shared service_disabled
# template instead of being written by hand in this rule.
template:
    name: service_disabled
    vars:
        # Follows the per-product choice made at the top of the file.
        servicename: "{{{ kdump_service }}}"
        # Fixed for every product, unlike servicename. How the template uses
        # the package name is not visible here.
        # NOTE(review): on products where the service is 'kdump-tools',
        # confirm that kexec-tools is the package that ships that unit;
        # a mismatch could make the generated check report on the wrong
        # package.
        packagename: kexec-tools