Restrict Access to Kernel Message Buffer

An XCCDF Rule

Description

To set the runtime status of the kernel.dmesg_restrict kernel parameter, run the following command:

$ sudo sysctl -w kernel.dmesg_restrict=1

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

kernel.dmesg_restrict = 1

Rationale

Unprivileged access to the kernel syslog can expose sensitive kernel address information.

ID: xccdf_org.ssgproject.content_rule_sysctl_kernel_dmesg_restrict
Severity: Low
References: BP28(R23)

3.1.5

CCI-001090 CCI-001314

164.308(a)(1)(ii)(D) 164.308(a)(3) 164.308(a)(4) 164.310(b) 164.310(c) 164.312(a) 164.312(e)

SI-11(a) SI-11(b)

SRG-OS-000132-GPOS-00067 SRG-OS-000138-GPOS-00069

SRG-APP-000243-CTR-000600

CCE-82499-5
Updated: about 1 year ago

---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:      version: 3.1.0
    storage:
      files:
      - contents:
          source: data:,kernel.dmesg_restrict%3D1%0A
        mode: 0644
        path: /etc/sysctl.d/75-sysctl_kernel_dmesg_restrict.conf
        overwrite: true

Restrict Access to Kernel Message Buffer

Description

Rationale

Remediation - Kubernetes Patch