
Disable Core Dump Backtraces and Why

Ben Balkin
Published on: December 16, 2024

What is a core dump backtrace

A core dump is a snapshot of a program's state at the moment it crashes. It contains the program's memory (variables, heap and stack data, and other program data) together with the contents of the processor registers at the time of the crash.

A backtrace is generated when a program crashes. It shows the sequence of function calls that led to the crash (the call stack), tracing the path the program took to reach the error and pointing to the function or line of code responsible for the failure.

A backtrace is typically part of the information recovered from a core dump. Tools like gdb (the GNU Project Debugger) are used to extract this information from the core dump and analyse it. The rest of this article explains why core dump backtraces should be disabled and how to do it.

The purpose of core dumps and backtraces 

The information gathered during a core dump and backtrace is essential for debugging, providing developers with a complete picture of a program’s environment at the point of failure. 

By examining each line in the backtrace, developers can see the line number and details for each call in the stack trace. This can then be used to understand what went wrong and how to fix it. 

Why ensure core dump and backtrace are disabled 

Disabling core dumps and backtraces is important for securing a system. Core dumps may contain sensitive data, such as passwords, tokens, or encryption keys, that were in memory at the time of the crash. If core dumps are left enabled on a production server, an attacker who can read these files could extract that sensitive data from them, or study a program's inner workings to find vulnerabilities.

Keeping this data off the disk prevents attackers from accessing sensitive information and from learning how to exploit the system.

To get a backtrace from a core dump

To get a backtrace from a core dump follow these instructions.

How to disable core dump backtraces

Create or edit the file /etc/systemd/coredump.conf, or a file ending in .conf in the /etc/systemd/coredump.conf.d directory.

Edit or add the following line in the [Coredump] section:

ProcessSizeMax=0

Example:

#!/usr/bin/env bash

{
  # Create the drop-in directory if it does not exist yet
  [ ! -d /etc/systemd/coredump.conf.d/ ] && mkdir /etc/systemd/coredump.conf.d/

  # If the drop-in file already has a [Coredump] section, append the setting to it;
  # otherwise create the section together with the setting
  if grep -Psq -- '^\h*\[Coredump\]' /etc/systemd/coredump.conf.d/60-coredump.conf; then
    printf '%s\n' "ProcessSizeMax=0" >> /etc/systemd/coredump.conf.d/60-coredump.conf
  else
    printf '%s\n' "[Coredump]" "ProcessSizeMax=0" >> /etc/systemd/coredump.conf.d/60-coredump.conf
  fi
}

To understand more about backtraces and core dumps see here.

Default value 

ProcessSizeMax=2G
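As an added audit check (not part of the original article or of any benchmark script), the following shell function works out the effective ProcessSizeMax the way systemd-coredump resolves it: the main coredump.conf is read first, then the drop-ins in coredump.conf.d in lexical filename order, and the last assignment inside a [Coredump] section wins, falling back to the 2G default when nothing sets it. The configuration root is a parameter so the check can be run against a constructed sample tree instead of the live /etc/systemd.

```shell
# Print the effective ProcessSizeMax for systemd-coredump.
# $1: configuration root (assumed default: /etc/systemd).
effective_process_size_max() {
  root="${1:-/etc/systemd}"
  value="2G"   # systemd-coredump's built-in default when no file sets the key
  for f in "$root/coredump.conf" "$root"/coredump.conf.d/*.conf; do
    [ -f "$f" ] || continue
    # Only keys inside a [Coredump] section count; comments are ignored and
    # the last assignment in the file is kept.
    v=$(awk -F= '
      /^[[:space:]]*[#;]/ { next }
      /^[[:space:]]*\[/ { sec = $0; gsub(/[[:space:]]/, "", sec); next }
      sec == "[Coredump]" && $1 ~ /^[[:space:]]*ProcessSizeMax[[:space:]]*$/ {
        val = $2; gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
        if (val != "") last = val
      }
      END { if (last != "") print last }' "$f")
    if [ -n "$v" ]; then
      value="$v"   # a later file overrides earlier ones
    fi
  done
  printf '%s\n' "$value"
}

# Succeeds (exit 0) only when core dump processing is disabled (ProcessSizeMax=0).
core_dump_backtraces_disabled() {
  [ "$(effective_process_size_max "$1")" = "0" ]
}
```

Running core_dump_backtraces_disabled with no argument audits the live system; a non-zero exit status means the setting is still at its default or has been overridden by a later drop-in.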

MITRE ATT&CK Mappings

Techniques / Subtechniques – T1005, T1005.000

Tactics – TA0007

Mitigations – M1057

Server hardening 

As with disabling core dumps, server hardening aims to reduce vulnerabilities and limit potential attack vectors to protect sensitive information. Server hardening improves server performance and reliability by disabling unnecessary services and resources, making the server more efficient. Additionally, server hardening aids in regulatory compliance, supports effective monitoring, and simplifies maintenance, creating a more stable and secure environment.
