LOW L2: Sysctl dmesg_restrict P4

🟡 Pending 📦 Compare Branch

Overview

This remediation restricts access to kernel ring buffer messages (dmesg) to privileged users only, preventing information disclosure about kernel internals.

Settings

Setting	Value	Description
`kernel.dmesg_restrict`	`1`	Restrict kernel log access to privileged users

Implementation

apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
  name: 75-sysctl-low
  labels:
    machineconfiguration.openshift.io/role: master
spec:
  config:
    ignition:
      version: 3.2.0
    storage:
      files:
        - path: /etc/sysctl.d/75-dmesg-restrict.conf
          mode: 0644
          overwrite: true
          contents:
            inline: |
              # Restrict dmesg access to root
              kernel.dmesg_restrict = 1

Compliance Checks Remediated

Check	Profile	Docs
`rhcos4-e8-worker-sysctl-kernel-dmesg-restrict`	E8	📖
`rhcos4-e8-master-sysctl-kernel-dmesg-restrict`	E8	📖

Source Remediation Files

low/rhcos4-e8-worker-sysctl-kernel-dmesg-restrict.yaml
low/rhcos4-e8-master-sysctl-kernel-dmesg-restrict.yaml

Verification

After applying, verify the sysctl setting:

oc debug node/<node-name> -- chroot /host sysctl kernel.dmesg_restrict
# Expected: kernel.dmesg_restrict = 1

Security Impact

Restricting dmesg access prevents:

Information disclosure about kernel modules
Leaking kernel addresses useful for exploitation
Exposure of hardware configuration details
Reconnaissance by unprivileged users

When dmesg_restrict = 0

Unprivileged users can run:

dmesg

And see kernel messages including:

Loaded modules
Hardware detection
Kernel addresses (useful for ASLR bypass)

When dmesg_restrict = 1

Only root (CAP_SYSLOG) can access kernel logs via dmesg.

← L1 All Groups