Disallow magic SysRq key

An XCCDF Rule

Description

To set the runtime status of the kernel.sysrq kernel parameter, run the following command:

$ sudo sysctl -w kernel.sysrq=0

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

kernel.sysrq = 0

Rationale

The Magic SysRq key allows sending certain commands directly to the running kernel. It can dump various system and process information, potentially revealing sensitive information. It can also reboot or shutdown the machine, disturbing its availability.

ID: xccdf_org.ssgproject.content_rule_sysctl_kernel_sysrq
Severity: Medium
References: CCE-91571-0

R9
Updated: 5 days ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-91571-0
  - disable_strategy  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_kernel_sysrq

- name: List /etc/sysctl.d/*.conf files
  find:
    paths:
    - /run/sysctl.d/
    - /etc/sysctl.d/
    - /usr/local/lib/sysctl.d/
    - /lib/sysctl.d/
    contains: ^[\s]*kernel.sysrq.*$
    patterns: '*.conf'
    file_type: any
  register: find_sysctl_d
  when: '"kernel-default" in ansible_facts.packages'
  tags:
  - CCE-91571-0
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_kernel_sysrq

- name: Comment out any occurrences of kernel.sysrq from config files
  replace:
    path: '{{ item.path }}'
    regexp: ^[\s]*kernel.sysrq
    replace: '#kernel.sysrq'
  loop: '{{ find_sysctl_d.files }}'
  when: '"kernel-default" in ansible_facts.packages'
  tags:
  - CCE-91571-0
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_kernel_sysrq

- name: Comment out any occurrences of kernel.sysrq from /etc/sysctl.conf
  replace:
    path: /etc/sysctl.conf
    regexp: ^[\s]*kernel.sysrq
    replace: '#kernel.sysrq'
  when: '"kernel-default" in ansible_facts.packages'
  tags:
  - CCE-91571-0
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_kernel_sysrq

- name: Ensure sysctl kernel.sysrq is set to 0
  sysctl:
    name: kernel.sysrq
    value: '0'
    sysctl_file: /etc/sysctl.d/kernel_sysrq.conf
    state: present
    reload: true
  when: '"kernel-default" in ansible_facts.packages'
  tags:
  - CCE-91571-0
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_kernel_sysrq

# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default; then

# Comment out any occurrences of kernel.sysrq from /etc/sysctl.d/*.conf files

for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do

  # skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
  if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi

  matching_list=$(grep -P '^(?!#).*[\s]*kernel.sysrq.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
      # comment out "kernel.sysrq" matches to preserve user data
      sed -i --follow-symlinks "s/^${escaped_entry}$/# &/g" $f
    done <<< "$matching_list"
  fi
done

#
# Set sysctl config file which to save the desired value
#

SYSCONFIG_FILE='/etc/sysctl.d/kernel_sysrq.conf'


#
# Set runtime for kernel.sysrq
#
/sbin/sysctl -q -n -w kernel.sysrq="0"

#
# If kernel.sysrq present in /etc/sysctl.conf, change value to "0"
#	else, add "kernel.sysrq = 0" to /etc/sysctl.conf
#

sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.sysrq")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "0"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^kernel.sysrq\\>" "${SYSCONFIG_FILE}"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    LC_ALL=C sed -i --follow-symlinks "s/^kernel.sysrq\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
    if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
        LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
    fi
    cce="CCE-91571-0"
    printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
    printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Disallow magic SysRq key

Description

Rationale

Remediation - Ansible

Remediation - Shell Script