Merge "Restrict Access to Kernel Message Buffer"

author: Jenkins <jenkins@review.openstack.org> 2017-03-28 05:58:06 +0000
committer: Gerrit Code Review <review@openstack.org> 2017-03-28 05:58:06 +0000
commit: 0e76a20cae6008ae5cf13e7a1d87de154f6e0c40 (patch)
tree: 49f8ac1f546f77770e1b627a2359f9a80caed023
parent: f1c452fcf672b2543a06576cf55c8eb9e8f2061f (diff)
parent: 51c91597fbad0155b8cab62c8d12cbc01d44ed74 (diff)
2 files changed, 13 insertions, 0 deletions
diff --git a/puppet/services/kernel.yaml b/puppet/services/kernel.yaml
index fec455d1..ee4c771f 100644
--- a/puppet/services/kernel.yaml
+++ b/puppet/services/kernel.yaml
@@ -56,5 +56,7 @@ outputs:
             value: 10000
           kernel.pid_max:
             value: {get_param: KernelPidMax}
+          kernel.dmesg_restrict:
+            value: 1
       step_config: |
         include ::tripleo::profile::base::kernel
diff --git a/releasenotes/notes/restrict-access-to-kernel-message-buffer-809160674b92a073.yaml b/releasenotes/notes/restrict-access-to-kernel-message-buffer-809160674b92a073.yaml
new file mode 100644
index 00000000..c24e8921
--- /dev/null
+++ b/releasenotes/notes/restrict-access-to-kernel-message-buffer-809160674b92a073.yaml
@@ -0,0 +1,11 @@
+---
+upgrade:
+  - |
+    The kernel.dmesg_restrict is now set to 1 to prevent exposure of sensitive
+    kernel address information with unprivileged access. Deployments that set
+    or depend on values other than 1 for kernel.dmesg_restrict may be affected
+    by upgrading.
+security:
+  - |
+    Kernel syslog contains sensitive kernel address information, setting
+    kernel.dmesg_restrict to avoid unprivileged access to this information.
author	Jenkins <jenkins@review.openstack.org>	2017-03-28 05:58:06 +0000
committer	Gerrit Code Review <review@openstack.org>	2017-03-28 05:58:06 +0000
commit	0e76a20cae6008ae5cf13e7a1d87de154f6e0c40 (patch)
tree	49f8ac1f546f77770e1b627a2359f9a80caed023
parent	f1c452fcf672b2543a06576cf55c8eb9e8f2061f (diff)
parent	51c91597fbad0155b8cab62c8d12cbc01d44ed74 (diff)