systemd-coredump

[adrelanos]

In response to

• Add more hardening options to the default profile in etc #151

How to even re-enable coredumps as of now?
Is this implemented in debug-misc?

I don't want to configure us into a corner and then when somebody asks how to re-enable functionality, nobody knows the answer and it's a major effort to re-enable it.

Maybe not worth disabling coredumps anyhow.

Why not use systemd-coredump from packages.debian.org instead?
See this short and nice article on how to use that:
https://documentation.suse.com/sles/15-SP2/html/SLES-all/cha-tuning-systemd-coredump.html

Seems pretty sanely implemented at first sight. Core dumps are to be found in this folder:
/var/lib/systemd/coredump/

We could leave coredumps enabled by default, harden the permissions of that folder to read access only by root using permission-hardener (if that is possible without breaking systemd-coredump) and then call it a day.

See also /usr/lib/sysctl.d/50-coredump.conf after installing the systemd-coredump package.

cat /usr/lib/sysctl.d/50-coredump.conf | grep --invert-match "#"

kernel.core_pattern=|/lib/systemd/systemd-coredump %P %u %g %s %t 9223372036854775808 %h
kernel.core_pipe_limit=16
fs.suid_dumpable=2

---

https://www.freedesktop.org/software/systemd/man/latest/systemd-coredump.html

[monsieuremre]

Consider closing due to the original request being closed.

[adrelanos]

This ticket as in original description is still planned.

Depends: systemd-coredump would be done in kicksecure-meta-package, not in security-misc.