Restrict Access to Kernel Message Buffer

Unprivileged access to the kernel syslog can expose sensitive kernel address information. Change-Id: If40f1b883dfde6c7870bf9c463753d037867c9e2 Signed-off-by: zshi <zshi@redhat.com>
2017-03-20 16:12:32 +08:00 · 2017-03-20 16:12:32 +08:00 · 51c91597fb
commit 51c91597fb
parent e0bd63c826
2 changed files with 13 additions and 0 deletions
--- a/puppet/services/kernel.yaml
+++ b/puppet/services/kernel.yaml
@ -56,5 +56,7 @@ outputs:
            value: 10000
          kernel.pid_max:
            value: {get_param: KernelPidMax}
+          kernel.dmesg_restrict:
+            value: 1
      step_config: |
        include ::tripleo::profile::base::kernel
--- a/releasenotes/notes/restrict-access-to-kernel-message-buffer-809160674b92a073.yaml
+++ b/releasenotes/notes/restrict-access-to-kernel-message-buffer-809160674b92a073.yaml
@ -0,0 +1,11 @@
+---
+upgrade:
+  - |
+    The kernel.dmesg_restrict is now set to 1 to prevent exposure of sensitive
+    kernel address information with unprivileged access. Deployments that set
+    or depend on values other than 1 for kernel.dmesg_restrict may be affected
+    by upgrading.
+security:
+  - |
+    Kernel syslog contains sensitive kernel address information, setting
+    kernel.dmesg_restrict to avoid unprivileged access to this information.