Restrict unprivileged access to the kernel syslog

An XCCDF Rule

Details
Profiles
Prose

Description

Enforce restrictions on unprivileged users reading the kernel syslog via dmesg(8). The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_SECURITY_DMESG_RESTRICT, run the following command: grep CONFIG_SECURITY_DMESG_RESTRICT /boot/config-* For each kernel installed, a line with value "y" should be returned.

warning alert: Warning

There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.

Rationale

Prevents unprivileged users from retrieving kernel addresses with dmesg.

ID: xccdf_org.ssgproject.content_rule_kernel_config_security_dmesg_restrict
Severity: Medium
References: BP28(R15)
Updated: 8 months ago