Restrict Access to Kernel Message Buffer
An XCCDF Rule
Description
To set the runtime status of the kernel.dmesg_restrict
kernel parameter, run the following command:
$ sudo sysctl -w kernel.dmesg_restrict=1To make sure that the setting is persistent, add the following line to a file in the directory
/etc/sysctl.d
: kernel.dmesg_restrict = 1
Rationale
Unprivileged access to the kernel syslog can expose sensitive kernel address information.
- ID
- xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict
- Severity
- Low
- References
- Updated
Remediation - Ansible
- name: List /etc/sysctl.d/*.conf files
find:
paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of kernel.dmesg_restrict from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do