Check: UBTU-24-600140
Canonical Ubuntu 24.04 LTS STIG:
UBTU-24-600140
(in version v1 r1)
Title
Ubuntu 24.04 LTS must restrict access to the kernel message buffer. (Cat III impact)
Discussion
Setting kernel.dmesg_restrict to 1 limits reading of the kernel message buffer (dmesg(1), the read actions of syslog(2) and /dev/kmsg) to root, or more precisely to processes holding CAP_SYSLOG. With the value 0, any local user can read it. Restricting it prevents a nonprivileged user from harvesting system information the kernel logs, such as hardware and driver details, module loads and fault addresses from other users' crashing processes, that would aid further attacks.
Check Content
Verify Ubuntu 24.04 LTS is configured to restrict access to the kernel message buffer with the following command:

$ sysctl kernel.dmesg_restrict
kernel.dmesg_restrict = 1

If "kernel.dmesg_restrict" is not set to "1" or is missing, this is a finding.

The command above reports only the running kernel's value. Verify that no persistent configuration sets the parameter back to "0", which would re-enable unprivileged dmesg access at the next reload or reboot:

$ sudo grep -r kernel.dmesg_restrict /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null
/etc/sysctl.d/10-kernel-hardening.conf:kernel.dmesg_restrict = 1

The grep also matches commented-out lines, which do not count. If any instance of "kernel.dmesg_restrict" is uncommented and set to "0", or if conflicting results are returned, this is a finding.
Fix Text
Configure Ubuntu 24.04 LTS to restrict access to the kernel message buffer. Set the required kernel parameter by adding or modifying the following line in /etc/sysctl.conf or in a config file in the /etc/sysctl.d/ directory:

kernel.dmesg_restrict = 1

Remove any configurations that conflict with the above from the following locations:

/run/sysctl.d/
/etc/sysctl.d/
/usr/local/lib/sysctl.d/
/usr/lib/sysctl.d/
/lib/sysctl.d/
/etc/sysctl.conf

Conflicting entries must be removed rather than merely overridden: "sysctl --system" applies the last value it reads, and the check above treats any remaining "0" or any mix of values as a finding regardless of which one wins. Reload settings from all system configuration files with the following command:

$ sudo sysctl --system
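The check and fix above, scripted as one auditable procedure. This is an added example written for this page, not part of the STIG or of Ubuntu's own tooling. Two things in it are assumptions of the example rather than of the STIG: the drop-in file name /etc/sysctl.d/99-stig-dmesg-restrict.conf that the fix writes, and the ROOT variable, which defaults to the live system but lets the same functions run against a staged directory tree. The demonstration at the bottom builds a constructed tree containing a conflict (one file sets 1, another sets 0), shows the finding, applies the fix and shows the pass. The script is stricter than the check text in one respect, stated in a comment: having no persisted setting at all is reported as a finding, not a pass.

```shell
#!/bin/sh
# Added example, not from the STIG: audit and remediate kernel.dmesg_restrict as
# UBTU-24-600140's check and fix text describe. Assumptions of this example:
# the fix writes $DROPIN, and ROOT (empty = live system) prefixes every path so
# the same code can be exercised on a staged tree.
ROOT=${ROOT:-}
DROPIN=/etc/sysctl.d/99-stig-dmesg-restrict.conf

# Run "$@" with the STIG's search list appended. The globs are unquoted on
# purpose; unmatched patterns are dropped by the -f tests in the callers.
with_stig_sysctl_files() {
    "$@" $ROOT/run/sysctl.d/* $ROOT/etc/sysctl.d/* $ROOT/usr/local/lib/sysctl.d/* \
         $ROOT/usr/lib/sysctl.d/* $ROOT/lib/sysctl.d/* $ROOT/etc/sysctl.conf
}

# Print "file:value" for every uncommented kernel.dmesg_restrict assignment in
# the given files ("key=value" or "key = value"; '#' and ';' start comments).
dmesg_restrict_settings() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        sed -n -e 's/[#;].*//' \
               -e 's/^[[:space:]]*kernel\.dmesg_restrict[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$f" |
            while IFS= read -r v; do printf '%s:%s\n' "$f" "$v"; done
    done
}

# Read "file:value" lines and return the verdict the check text implies:
# 0 pass (every value is 1), 1 finding (a non-1 value, or conflicting values),
# 2 nothing persisted at all. The check text is silent on case 2; this example
# treats it as a finding because the live value then rests on a default, not policy.
evaluate_settings() {
    awk -F: '
        { seen[$NF] = 1; if ($NF != "1") bad = 1 }
        END {
            n = 0; for (v in seen) n++
            if (n == 0) { print "no persistent kernel.dmesg_restrict setting"; exit 2 }
            if (n > 1)  { print "finding: conflicting kernel.dmesg_restrict values"; exit 1 }
            if (bad)    { print "finding: kernel.dmesg_restrict is not 1"; exit 1 }
            print "pass: kernel.dmesg_restrict = 1 in every config file"; exit 0
        }'
}

# Persisted-config verdict for ROOT (exit code as above).
persisted_verdict() { with_stig_sysctl_files dmesg_restrict_settings | evaluate_settings; }

# The running kernel's value, i.e. what "sysctl kernel.dmesg_restrict" prints.
live_dmesg_restrict() { cat /proc/sys/kernel/dmesg_restrict 2>/dev/null || echo unknown; }

# Full check: live value is 1 AND the persisted configuration passes. 0 = compliant.
ubtu_24_600140_check() {
    live=$(live_dmesg_restrict)
    echo "kernel.dmesg_restrict (live) = $live"
    persisted_verdict; rc=$?
    [ "$live" = 1 ] && [ "$rc" -eq 0 ]
}

# Comment out (rather than delete, so the change stays reviewable) every
# kernel.dmesg_restrict line whose value is not exactly 1, except in $DROPIN.
disable_conflicts() {
    for f in "$@"; do
        [ -f "$f" ] && [ "$f" != "$ROOT$DROPIN" ] || continue
        sed -i -E '/^[[:space:]]*kernel\.dmesg_restrict[[:space:]]*=/{
            /=[[:space:]]*1[[:space:]]*([#;].*)?$/! s/^/# UBTU-24-600140: /
        }' "$f"
    done
}

# Fix text: persist the value, neutralise conflicts, reload. Needs root when ROOT is empty.
ubtu_24_600140_fix() {
    mkdir -p "$ROOT/etc/sysctl.d"
    printf 'kernel.dmesg_restrict = 1\n' > "$ROOT$DROPIN"
    with_stig_sysctl_files disable_conflicts
    if [ -z "$ROOT" ]; then sysctl --system; fi
}

# Demonstration on a constructed tree (these sample files are made up for the
# example): one file enables the restriction, another disables it.
demo() {
    ROOT=$(mktemp -d)
    mkdir -p "$ROOT/etc/sysctl.d" "$ROOT/usr/lib/sysctl.d"
    printf 'kernel.dmesg_restrict = 1\n' > "$ROOT/etc/sysctl.d/10-kernel-hardening.conf"
    printf '# kernel.dmesg_restrict = 1\nkernel.dmesg_restrict=0 ; debugging\n' \
        > "$ROOT/usr/lib/sysctl.d/50-debug.conf"
    echo "before fix:"; persisted_verdict
    ubtu_24_600140_fix
    echo "after fix:";  persisted_verdict
    rm -rf "$ROOT"; ROOT=
}

case "${1:-demo}" in
    check) ubtu_24_600140_check ;;
    fix)   ubtu_24_600140_fix ;;
    *)     demo ;;
esac
```

Run it with no argument for the staged demonstration, with "check" on a real host to get an exit status usable from a compliance pipeline, and with "fix" as root to remediate. The parser strips '#' and ';' comments before matching, so it honours the check text's "uncommented" qualifier where a bare grep does not, and the verdict is computed from all files together, which is what makes "conflicting results" detectable.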
Additional Identifiers
Rule ID: SV-270749r1067179_rule
Vulnerability ID: V-270749
Group Title: SRG-OS-000138-GPOS-00069
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001090 | Prevent unauthorized and unintended information transfer via shared system resources. |
Controls
Number | Title |
---|---|
SC-4 | Information in Shared Resources |