# LOW L2: Sysctl dmesg_restrict P4

## Overview
This remediation restricts access to kernel ring buffer messages (dmesg) to privileged users only, preventing information disclosure about kernel internals.
## Settings

| Setting | Value | Description |
|---|---|---|
| kernel.dmesg_restrict | 1 | Restrict kernel log access to privileged users |
## Implementation

```yaml
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  name: 75-sysctl-low
  labels:
    machineconfiguration.openshift.io/role: master
spec:
  config:
    ignition:
      version: 3.2.0
    storage:
      files:
        - path: /etc/sysctl.d/75-dmesg-restrict.conf
          mode: 0644
          overwrite: true
          contents:
            inline: |
              # Restrict dmesg access to root
              kernel.dmesg_restrict = 1
```
## Compliance Checks Remediated

| Check | Profile | Docs |
|---|---|---|
| rhcos4-e8-worker-sysctl-kernel-dmesg-restrict | E8 | 📖 |
| rhcos4-e8-master-sysctl-kernel-dmesg-restrict | E8 | 📖 |
## Source Remediation Files
- low/rhcos4-e8-worker-sysctl-kernel-dmesg-restrict.yaml
- low/rhcos4-e8-master-sysctl-kernel-dmesg-restrict.yaml
## Verification

After applying, verify the sysctl setting on each node:

```shell
oc debug node/<node-name> -- chroot /host sysctl kernel.dmesg_restrict
# Expected: kernel.dmesg_restrict = 1
```
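The single-node check above can be extended into a fleet audit that also catches drift between the live sysctl value and the file the MachineConfig persists (a node whose running value is 1 but whose file is missing will lose the setting on reboot). This is an added example, not one of the remediation files; it assumes `oc` cluster access and uses the config path from the MachineConfig above.

```shell
#!/bin/sh
# Added example (not part of the remediation): audit kernel.dmesg_restrict on
# every node, comparing the live sysctl value with the persisted config file.
CONF=/etc/sysctl.d/75-dmesg-restrict.conf   # path written by the MachineConfig

# parse_sysctl_value: pull the value out of text containing a line such as
# "kernel.dmesg_restrict = 1" (comment lines are ignored); prints "missing"
# when no such line is present (e.g. the file does not exist).
parse_sysctl_value() {
  val=$(printf '%s\n' "$1" \
    | sed -n 's/^[[:space:]]*kernel\.dmesg_restrict[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' \
    | head -n 1)
  if [ -n "$val" ]; then printf '%s' "$val"; else printf 'missing'; fi
}

# classify_node: $1 = live value, $2 = persisted value from the config file.
classify_node() {
  case "$1:$2" in
    1:1)           echo compliant ;;
    0:1|missing:1) echo pending-reboot ;;  # file written, sysctl not yet applied
    1:*)           echo unpersisted ;;     # set by hand; will not survive reboot
    *)             echo noncompliant ;;
  esac
}

# audit_node: run both checks on one node via oc debug (needs cluster access).
audit_node() {
  node=$1
  live=$(oc debug "node/$node" -- chroot /host sysctl kernel.dmesg_restrict 2>/dev/null)
  persisted=$(oc debug "node/$node" -- chroot /host cat "$CONF" 2>/dev/null)
  printf '%s %s\n' "$node" \
    "$(classify_node "$(parse_sysctl_value "$live")" "$(parse_sysctl_value "$persisted")")"
}

# audit_cluster: iterate over every node; anything other than "compliant"
# needs attention (pending-reboot clears once the MCO has rebooted the node).
audit_cluster() {
  for n in $(oc get nodes -o jsonpath='{.items[*].metadata.name}'); do
    audit_node "$n"
  done
}

# Invoke as: sh audit-dmesg-restrict.sh run
if [ "${1:-}" = "run" ]; then audit_cluster; fi
```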
## Security Impact
Restricting dmesg access prevents:
- Information disclosure about kernel modules
- Leaking kernel addresses useful for exploitation
- Exposure of hardware configuration details
- Reconnaissance by unprivileged users
### When dmesg_restrict = 0

Unprivileged users can run:

```shell
dmesg
```

and see kernel messages including:

- Loaded modules
- Hardware detection
- Kernel addresses (useful for ASLR bypass)

### When dmesg_restrict = 1

Only processes holding CAP_SYSLOG (root by default) can read the kernel log via dmesg.