[PATCH] hide kernel addresses in /proc against privileged users

[PATCH] hide kernel addresses in /proc against privileged users

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 850 bytes --]

In order to make local privilege escalation more harder, hide
kernel addresses in various /proc files against users with
root (or similar) permissions, too.

Common system hardening tools such as lynis recommend this.

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 setup/sysctl/kernel-hardening.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/setup/sysctl/kernel-hardening.conf b/setup/sysctl/kernel-hardening.conf
index 6751bbef6..9bb6e9f45 100644
--- a/setup/sysctl/kernel-hardening.conf
+++ b/setup/sysctl/kernel-hardening.conf
@@ -1,5 +1,5 @@
 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
-kernel.kptr_restrict = 1
+kernel.kptr_restrict = 2
 
 # Avoid kernel memory address exposures via dmesg.
 kernel.dmesg_restrict = 1
-- 
2.16.4

Re: [PATCH] hide kernel addresses in /proc against privileged users

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 1061 bytes --]

Hello,

Please increment the release number of this package.

Best,
-Michael

> On 20 Jan 2019, at 17:03, Peter Müller <peter.mueller(a)link38.eu> wrote:
> 
> In order to make local privilege escalation more harder, hide
> kernel addresses in various /proc files against users with
> root (or similar) permissions, too.
> 
> Common system hardening tools such as lynis recommend this.
> 
> Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
> ---
> setup/sysctl/kernel-hardening.conf | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/setup/sysctl/kernel-hardening.conf b/setup/sysctl/kernel-hardening.conf
> index 6751bbef6..9bb6e9f45 100644
> --- a/setup/sysctl/kernel-hardening.conf
> +++ b/setup/sysctl/kernel-hardening.conf
> @@ -1,5 +1,5 @@
> # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
> -kernel.kptr_restrict = 1
> +kernel.kptr_restrict = 2
> 
> # Avoid kernel memory address exposures via dmesg.
> kernel.dmesg_restrict = 1
> -- 
> 2.16.4

[PATCH v2] hide kernel addresses in /proc against privileged users

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 1255 bytes --]

In order to make local privilege escalation more harder, hide
kernel addresses in various /proc files against users with
root (or similar) permissions, too.

Common system hardening tools such as lynis recommend this.

The second version of this patch also increments the package number.

Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 setup/setup.nm                     | 2 +-
 setup/sysctl/kernel-hardening.conf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/setup/setup.nm b/setup/setup.nm
index e79fff10d..0bb936ccb 100644
--- a/setup/setup.nm
+++ b/setup/setup.nm
@@ -5,7 +5,7 @@
 
 name       = setup
 version    = 3.0
-release    = 11
+release    = 12
 arch       = noarch
 
 groups     = Base Build System/Base
diff --git a/setup/sysctl/kernel-hardening.conf b/setup/sysctl/kernel-hardening.conf
index 6751bbef6..9bb6e9f45 100644
--- a/setup/sysctl/kernel-hardening.conf
+++ b/setup/sysctl/kernel-hardening.conf
@@ -1,5 +1,5 @@
 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
-kernel.kptr_restrict = 1
+kernel.kptr_restrict = 2
 
 # Avoid kernel memory address exposures via dmesg.
 kernel.dmesg_restrict = 1
-- 
2.16.4