On Aug 17, Matthew Ruffell <matthew.ruff...@canonical.com> wrote: > I propose that we restrict access to dmesg to users in group 'adm' like so: > > 1) CONFIG_SECURITY_DMESG_RESTRICT=y in the kernel. Which is already the default for Debian.
> 2) Following changes to /bin/dmesg permissions in package 'util-linux' > - Ownership changes to root:adm > - Permissions changed to 0750 (-rwxr-x---) > - Add cap_syslog capability to binary. Looks good to me. > 3) Add a commented out '# kernel.dmesg_restrict = 0' to > /etc/sysctl.d/10-kernel-hardening.conf Debian does not have this file, so I am not sure if it should be introduced just for this. And what would be the point of setting kernel.dmesg_restrict=0 al long as dmesg is still not world-executable? -- ciao, Marco
signature.asc
Description: PGP signature
