Information
kernel.dmesg_restrict can be used to configure the Linux kernel to prevent unprivileged users from accessing information in the kernel's log buffer.
More information about the kernel parameter configuration files, their location, and load preference is available in the section overview.
Restricting access to the kernel message buffer limits it to root only. This prevents attackers from gaining additional system information as a non-privileged user.
Solution
- Run the following command to comment out kernel.dmesg_restrict lines returned by the audit procedure that are not kernel.dmesg_restrict = 1:
# sed -ri '/^\s*kernel.dmesg_restrict\s*=\s*0/s/^/#/g' "path/to/file/in/audit/filename"
Example:
# sed -ri '/^\s*kernel.dmesg_restrict\s*=\s*0/s/^/#/g' /etc/sysctl.d/99-sysctl.conf
- Create or edit a file in the /etc/sysctl.d/ directory ending in .conf and edit or add the following line:
kernel.dmesg_restrict = 1
Example:
# [ ! -d "/etc/sysctl.d/" ] && mkdir -p /etc/sysctl.d/
# printf '%s\n' "" "kernel.dmesg_restrict = 1" >> /etc/sysctl.d/60-kernel_sysctl.conf
- Run the following command to load all system configuration files:
# sysctl --system
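The three steps above, combined into one script as an added example (this is not part of the audit page; the function names, the SYSCTL_DIR override and the --apply switch are choices made here). It uses the page's sed and printf commands, and adds a check that reports which kernel.dmesg_restrict value is effective after all *.conf files in one drop-in directory are read in sorted order, on the assumption that a later uncommented assignment overrides an earlier one, as it does when sysctl --system processes the files sequentially. GNU sed is assumed for -r and -i.

```shell
#!/bin/sh
# Added example, not the audit page's own code: remediate and verify
# kernel.dmesg_restrict in a sysctl drop-in directory. SYSCTL_DIR defaults
# to /etc/sysctl.d; pointing it at a scratch directory leaves /etc untouched.

# Comment out every uncommented "kernel.dmesg_restrict = 0" line in a file
# (same sed expression as the remediation step; GNU sed assumed).
disable_zero_setting() {
    file="$1"
    [ -f "$file" ] || return 0
    sed -ri '/^\s*kernel.dmesg_restrict\s*=\s*0/s/^/#/g' "$file"
}

# Append the hardened setting to a drop-in file, creating the directory if needed
# (same printf as the remediation step; the file name is the page's example).
write_hardened_setting() {
    dir="$1"
    [ -d "$dir" ] || mkdir -p "$dir"
    printf '%s\n' "" "kernel.dmesg_restrict = 1" >> "$dir/60-kernel_sysctl.conf"
}

# Report the value that wins after every *.conf file in the directory is read in
# sorted order: the last uncommented assignment is the effective one. Assumption:
# a single directory is inspected, mirroring how sysctl --system walks files in
# sorted order; prints "unset" when no uncommented assignment exists.
effective_setting() {
    dir="$1"
    value=""
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        v=$(sed -n 's/^\s*kernel\.dmesg_restrict\s*=\s*\([01]\)\s*$/\1/p' "$f" | tail -n 1)
        [ -n "$v" ] && value="$v"
    done
    printf '%s\n' "${value:-unset}"
}

# Current runtime value straight from procfs (readable by any user).
runtime_setting() {
    cat /proc/sys/kernel/dmesg_restrict 2>/dev/null || printf 'unreadable\n'
}

# Usage (as root): sh harden_dmesg.sh --apply
# Without --apply nothing on the system is modified.
if [ "${1:-}" = "--apply" ]; then
    dir="${SYSCTL_DIR:-/etc/sysctl.d}"
    for f in "$dir"/*.conf /etc/sysctl.conf; do
        disable_zero_setting "$f"
    done
    write_hardened_setting "$dir"
    sysctl --system >/dev/null
    printf 'configured: %s, runtime: %s\n' "$(effective_setting "$dir")" "$(runtime_setting)"
fi
```

Run it with --apply only after reviewing which files the audit reported; effective_setting alone can be pointed at a copy of the drop-in directory to confirm that no uncommented "= 0" line still outranks the "= 1" entry before the settings are loaded.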
Impact:
Changing dmesg_restrict to 1 restricts access to the kernel message buffer to users that have the CAP_SYSLOG capability.
Item Details
Category: SYSTEM AND COMMUNICATIONS PROTECTION
References: 800-53|SC-2, 800-53|SC-4, CCI|CCI-001082, CCI|CCI-001090, CSCv7|14.6, Rule-ID|SV-230269r1017087_rule, Rule-ID|SV-248579r958524_rule, Rule-ID|SV-255921r958524_rule, Rule-ID|SV-257797r958514_rule, Rule-ID|SV-260472r958524_rule, Rule-ID|SV-269425r1050308_rule, Rule-ID|SV-270749r1067179_rule, Rule-ID|SV-271745r1091947_rule
Control ID: ef57c7a665d30be9b4c6195c8d8ea1f2c9a913ac902ae22dcbd21d2ae2475f95