OpenShift must restrict access to the kernel buffer.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-257552 | SRG-APP-000243-CTR-000600 | CNTR-OS-000600 | SV-257552r961149_rule | 2024-12-06 | 2 |
| Description |
|---|
| Restricting access to the kernel buffer in OpenShift is crucial for preventing unauthorized access, protecting system stability, mitigating kernel-level attacks, preventing information leakage, and adhering to the principle of least privilege. It enhances the security posture of the platform and helps maintain the confidentiality, integrity, and availability of critical system resources. |
| ℹ️ Check |
|---|
| Verify the Red Hat Enterprise Linux CoreOS (RHCOS) is configured to restrict access to the kernel message buffer. Check the status of the kernel.dmesg_restrict kernel parameter by executing the following: for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; sysctl kernel.dmesg_restrict' 2>/dev/null; done If "kernel.dmesg_restrict" is not set to "1" or is missing, this is a finding. |
| ✔️ Fix |
|---|
| Apply the machine config to restrict access to the kernel message buffer by executing the following: for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do echo "apiVersion: machineconfiguration.openshift.io/v1 kind: MachineConfig metadata: name: 75-sysctl-kernel-dmesg-restrict-$mcpool labels: machineconfiguration.openshift.io/role: $mcpool spec: config: ignition: version: 3.1.0 storage: files: - contents: source: data:,kernel.dmesg_restrict%3D1%0A mode: 0644 path: /etc/sysctl.d/75-sysctl_kernel_dmesg_restrict.conf overwrite: true " | oc apply -f - done |