1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
|
documentation_complete: true
title: 'Restrict Access to Kernel Message Buffer'
description: '{{{ describe_sysctl_option_value(sysctl="kernel.dmesg_restrict", value="1") }}}'
rationale: |-
Unprivileged access to the kernel syslog can expose sensitive kernel
address information.
severity: low
identifiers:
cce@rhcos4: CCE-82499-5
cce@rhel8: CCE-80913-7
cce@rhel9: CCE-83952-2
cce@rhel10: CCE-89000-4
cce@sle12: CCE-91565-2
cce@sle15: CCE-91448-1
cce@slmicro5: CCE-93625-2
cce@slmicro6: CCE-94683-0
references:
cui: 3.1.5
hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3),164.308(a)(4),164.310(b),164.310(c),164.312(a),164.312(e)
nist: SI-11(a),SI-11(b)
ospp: FMT_SMF_EXT.1
srg: SRG-OS-000132-GPOS-00067,SRG-OS-000138-GPOS-00069,SRG-APP-000243-CTR-000600
stigid@ol7: OL07-00-010375
stigid@ol8: OL08-00-010375
stigid@sle12: SLES-12-010375
stigid@sle15: SLES-15-010375
{{{ complete_ocil_entry_sysctl_option_value(sysctl="kernel.dmesg_restrict", value="1") }}}
fixtext: |-
Configure {{{ full_name }}} to restrict access to the dmesg bus.
{{{ fixtext_sysctl("kernel.dmesg_restrict", "1") | indent(4) }}}
srg_requirement: '{{{ full_name }}} must restrict access to the kernel message buffer.'
platform: system_with_kernel
template:
name: sysctl
vars:
sysctlvar: kernel.dmesg_restrict
sysctlval: '1'
datatype: int
|
