{"description": "The <tt>kdump-tools</tt> service provides a kernel crash dump analyzer. It uses the <tt>kexec</tt>\nsystem call to boot a secondary kernel (\"capture\" kernel) following a system\ncrash, which can load information from the crashed kernel for analysis.\n\nThe <code>kdump-tools</code> service can be disabled with the following command:\n<pre>$ sudo systemctl mask --now kdump-tools.service</pre>", "rationale": "Kernel core dumps may contain the full contents of system memory at the\ntime of the crash. Kernel core dumps consume a considerable amount of disk\nspace and may result in denial of service by exhausting the available space\non the target file system partition. Unless the system is used for kernel\ndevelopment or testing, there is little need to run the kdump service.", "severity": "medium", "references": {"cis-csc": ["11", "12", "14", "15", "3", "8", "9"], "cobit5": ["APO13.01", "BAI10.01", "BAI10.02", "BAI10.03", "BAI10.05", "DSS01.04", "DSS05.02", "DSS05.03", "DSS05.05", "DSS06.06"], "hipaa": ["164.308(a)(1)(ii)(D)", "164.308(a)(3)", "164.308(a)(4)", "164.310(b)", "164.310(c)", "164.312(a)", "164.312(e)"], "isa-62443-2009": ["4.3.3.5.1", "4.3.3.5.2", "4.3.3.5.3", "4.3.3.5.4", "4.3.3.5.5", "4.3.3.5.6", "4.3.3.5.7", "4.3.3.5.8", "4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9", "4.3.3.7.1", "4.3.3.7.2", "4.3.3.7.3", "4.3.3.7.4", "4.3.4.3.2", "4.3.4.3.3"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.11", "SR 1.12", "SR 1.13", "SR 1.2", "SR 1.3", "SR 1.4", "SR 1.5", "SR 1.6", "SR 1.7", "SR 1.8", "SR 1.9", "SR 2.1", "SR 2.2", "SR 2.3", "SR 2.4", "SR 2.5", "SR 2.6", "SR 2.7", "SR 3.1", "SR 3.5", "SR 3.8", "SR 4.1", "SR 4.3", "SR 5.1", "SR 5.2", "SR 5.3", "SR 7.1", "SR 7.6"], "iso27001-2013": ["A.11.2.6", "A.12.1.2", "A.12.5.1", "A.12.6.2", "A.13.1.1", "A.13.2.1", "A.14.1.3", "A.14.2.2", "A.14.2.3", "A.14.2.4", "A.6.2.1", "A.6.2.2", "A.9.1.2"], "nist": ["CM-7(a)", "CM-7(b)", "CM-6(a)"], "nist-csf": ["PR.AC-3", "PR.IP-1", "PR.PT-3", "PR.PT-4"], "ospp": ["FMT_SMF_EXT.1.1"], "srg": ["SRG-OS-000269-GPOS-00103", "SRG-OS-000480-GPOS-00227"], "stigid": ["UBTU-22-213015"], "stigref": ["SV-260473r1044782_rule"]}, "control_references": {"stigid": ["UBTU-22-213015"]}, "components": [], "identifiers": {}, "ocil_clause": "the \"kdump-tools\" is loaded and not masked", "ocil": "To check that the <code>kdump-tools</code> service is disabled in system boot configuration,\nrun the following command:\n<pre>$ sudo systemctl is-enabled <code>kdump-tools</code></pre>\nOutput should indicate the <code>kdump-tools</code> service has either not been installed,\nor has been disabled at all runlevels, as shown in the example below:\n<pre>$ sudo systemctl is-enabled <code>kdump-tools</code><br/> disabled</pre>\n\nRun the following command to verify <code>kdump-tools</code> is not active (i.e. not running) through current runtime configuration:\n<pre>$ sudo systemctl is-active kdump-tools</pre>\n\nIf the service is not running the command will return the following output:\n<pre>inactive</pre>\n\nThe service will also be masked, to check that the <code>kdump-tools</code> is masked, run the following command:\n<pre>$ sudo systemctl show <code>kdump-tools</code> | grep \"LoadState\\|UnitFileState\"</pre>\n\nIf the service is masked the command will return the following outputs:\n\n<pre>LoadState=masked</pre>\n\n<pre>UnitFileState=masked</pre>", "oval_external_content": null, "fixtext": "To disable the kdump-tools service run the following command:\n$ sudo systemctl disable --now kdump-tools\n$ sudo systemctl mask --now kdump-tools", "checktext": "", "vuldiscussion": "", "srg_requirement": "The Ubuntu 22.04 service kdump-tools must be disabled.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "The kdump service on Ubuntu 22.04 must be disabled.", "vuldiscussion": "Kernel core dumps may contain the full contents of system memory at the time of the crash. Kernel core dumps consume a considerable amount of disk space and may result in denial of service by exhausting the available space on the target file system partition. Unless the system is used for kernel development or testing, there is little need to run the kdump service.", "checktext": "Verify that the kdump service is disabled in system boot configuration with the following command:\n\n$ sudo systemctl is-enabled  kdump\n\ndisabled\n\nVerify that the kdump service is not active (i.e., not running) through current runtime configuration with the following command:\n\n$ sudo systemctl is-active kdump\n\nmasked\n\nVerify that the kdump service is masked with the following command:\n\n$ sudo systemctl show  kdump  | grep \"LoadState\\|UnitFileState\"\n\nLoadState=masked\nUnitFileState=masked\n\nIf the \"kdump\" service is loaded or active, and is not masked, this is a finding.", "fixtext": "Disable and mask the kdump service on Ubuntu 22.04.\n\nTo disable the kdump service run the following command:\n\n$ sudo systemctl disable --now kdump\n\nTo mask the kdump service run the following command:\n\n$ sudo systemctl mask --now kdump"}}, "platform": "system_with_kernel", "platforms": ["system_with_kernel"], "sce_metadata": {"check-import": "stdout", "platform": ["multi_platform_all"], "environment": "any", "filename": "service_kdump_disabled.sh", "relative_path": "ubuntu2204/checks/sce/service_kdump_disabled.sh"}, "inherited_platforms": [], "cpe_platform_names": ["system_with_kernel"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Disable KDump Kernel Crash Analyzer (kdump)", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/base/service_kdump_disabled/rule.yml", "template": {"name": "service_disabled", "vars": {"servicename": "kdump-tools", "packagename": "kexec-tools"}, "backends": {}}}