From 51c91597fbad0155b8cab62c8d12cbc01d44ed74 Mon Sep 17 00:00:00 2001 From: zshi Date: Mon, 20 Mar 2017 16:12:32 +0800 Subject: Restrict Access to Kernel Message Buffer Unprivileged access to the kernel syslog can expose sensitive kernel address information. Change-Id: If40f1b883dfde6c7870bf9c463753d037867c9e2 Signed-off-by: zshi --- puppet/services/kernel.yaml | 2 ++ ...rict-access-to-kernel-message-buffer-809160674b92a073.yaml | 11 +++++++++++ 2 files changed, 13 insertions(+) create mode 100644 releasenotes/notes/restrict-access-to-kernel-message-buffer-809160674b92a073.yaml diff --git a/puppet/services/kernel.yaml b/puppet/services/kernel.yaml index fec455d1..ee4c771f 100644 --- a/puppet/services/kernel.yaml +++ b/puppet/services/kernel.yaml @@ -56,5 +56,7 @@ outputs: value: 10000 kernel.pid_max: value: {get_param: KernelPidMax} + kernel.dmesg_restrict: + value: 1 step_config: | include ::tripleo::profile::base::kernel diff --git a/releasenotes/notes/restrict-access-to-kernel-message-buffer-809160674b92a073.yaml b/releasenotes/notes/restrict-access-to-kernel-message-buffer-809160674b92a073.yaml new file mode 100644 index 00000000..c24e8921 --- /dev/null +++ b/releasenotes/notes/restrict-access-to-kernel-message-buffer-809160674b92a073.yaml @@ -0,0 +1,11 @@ +--- +upgrade: + - | + The kernel.dmesg_restrict is now set to 1 to prevent exposure of sensitive + kernel address information with unprivileged access. Deployments that set + or depend on values other than 1 for kernel.dmesg_restrict may be affected + by upgrading. +security: + - | + Kernel syslog contains sensitive kernel address information, setting + kernel.dmesg_restrict to avoid unprivileged access to this information. -- cgit 1.2.3-korg