MEDIUM M23: Kernel Sysctl Extended P3
Overview
Additional kernel hardening parameters beyond M2. Disables kexec (prevents replacing the running kernel at runtime), restricts perf_event access for unprivileged users, and sets the core dump pattern (kernel.core_pattern) so that core dumps are piped to /bin/false and discarded instead of being written to disk.
Profile: NIST 800-53 Moderate (rhcos4-moderate)
Compliance Checks
| Check | Description |
|---|---|
| kernel.kexec_load_disabled=1 | Disable kexec kernel loading |
| kernel.perf_event_paranoid=2 | Restrict perf_event to root only |
| kernel.core_pattern=\|/bin/false | Disable core dump processing |
Verification
```shell
oc debug node/<node> -- chroot /host sysctl kernel.kexec_load_disabled kernel.perf_event_paranoid kernel.core_pattern
```
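The verification command above only prints the current values; the operator still has to compare them against the table by eye. The following POSIX shell script is an added example (not part of this page or of the compliance profile it describes) that parses `sysctl` output in its `key = value` form, compares each M23 key against the expected hardened value, and exits non-zero on any drift or missing key. The two sample outputs are constructed here for offline testing; the function names `audit_sysctl_output`, `audit_sysctl_stdin` and `find_value` are this example's own.

```shell
#!/bin/sh
# Added example: audit the three M23 sysctl keys from `sysctl` output.
# Not part of the original page; function names are this example's own.

# Expected values, one "key value" pair per line, taken from the M23 table.
# A single space separates key and value because core_pattern's value
# contains '|', which would be awkward as a separator itself.
M23_EXPECTED="kernel.kexec_load_disabled 1
kernel.perf_event_paranoid 2
kernel.core_pattern |/bin/false"

# find_value KEY TEXT
# Prints the value of KEY from TEXT, where TEXT holds lines "key = value"
# as sysctl prints them. Lines that do not start with "KEY = " (for example
# the "Starting pod/..." chatter from oc debug) are ignored.
find_value() {
    printf '%s\n' "$2" | while IFS= read -r line; do
        case $line in
            "$1 = "*) printf '%s\n' "${line#"$1 = "}" ;;
        esac
    done
}

# audit_sysctl_output TEXT
# Prints PASS/FAIL/MISSING per key and returns 0 only if every key is
# present with the expected value.
audit_sysctl_output() {
    audit_rc=0
    while IFS=' ' read -r key expected; do
        [ -n "$key" ] || continue
        actual=$(find_value "$key" "$1")
        if [ -z "$actual" ]; then
            printf 'MISSING %s (expected %s)\n' "$key" "$expected"
            audit_rc=1
        elif [ "$actual" = "$expected" ]; then
            printf 'PASS    %s = %s\n' "$key" "$actual"
        else
            printf 'FAIL    %s = %s (expected %s)\n' "$key" "$actual" "$expected"
            audit_rc=1
        fi
    done <<EOF
$M23_EXPECTED
EOF
    return $audit_rc
}

# audit_sysctl_stdin: same check, reading the sysctl output from stdin so it
# can be placed at the end of a pipeline.
audit_sysctl_stdin() {
    audit_sysctl_output "$(cat)"
}

# Constructed sample output, as sysctl would print it on a compliant node.
SAMPLE_COMPLIANT='kernel.kexec_load_disabled = 1
kernel.perf_event_paranoid = 2
kernel.core_pattern = |/bin/false'

# Constructed sample from a node that has drifted: kexec re-enabled and
# core dumps written to disk again under the default "core" pattern.
SAMPLE_DRIFTED='kernel.kexec_load_disabled = 0
kernel.perf_event_paranoid = 2
kernel.core_pattern = core'

# Demonstration against the constructed samples; the drifted sample is
# guarded so the script itself does not abort when run under `set -e`.
echo "== compliant node =="
audit_sysctl_output "$SAMPLE_COMPLIANT"
echo "== drifted node =="
audit_sysctl_output "$SAMPLE_DRIFTED" || echo "M23 drift detected"
```

Against a live cluster the check is the page's verification command with the parser appended: `oc debug node/<node> -- chroot /host sysctl kernel.kexec_load_disabled kernel.perf_event_paranoid kernel.core_pattern | audit_sysctl_stdin`. Because the parser matches only lines beginning with an expected key, the pod start/teardown messages that `oc debug` emits are ignored, and an exit status of 1 can drive a CI or monitoring alert directly.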