In order to make local privilege escalation harder, hide kernel addresses in various /proc files from users with root (or similar) permissions, too.
Common system hardening tools such as lynis recommend this.
Signed-off-by: Peter Müller peter.mueller@ipfire.org
---
 setup/sysctl/kernel-hardening.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/setup/sysctl/kernel-hardening.conf b/setup/sysctl/kernel-hardening.conf index 6751bbef6..9bb6e9f45 100644 --- a/setup/sysctl/kernel-hardening.conf +++ b/setup/sysctl/kernel-hardening.conf @@ -1,5 +1,5 @@ # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). -kernel.kptr_restrict = 1 +kernel.kptr_restrict = 2
# Avoid kernel memory address exposures via dmesg. kernel.dmesg_restrict = 1
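Review bot: the comment above the changed line, "Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).", was written for the old value 1 and is not updated to reflect what 2 does: with kernel.kptr_restrict = 2 the %pK-formatted addresses are printed as zeros for every reader, including root holding CAP_SYSLOG, which is exactly the point of the commit message. Please say so in the comment, and note the operational cost, since anything run as root on the firewall that needs real addresses from /proc/kallsyms or /proc/modules (perf, oops and crash triage) will now see zeros. Suggested wording: "# Hide kernel addresses in /proc files (kallsyms, modules, etc) from everyone, root included; kernel debugging tools that need them will see zeros."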
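A quick way to verify the behaviour the commit message describes after the new sysctl is loaded, as an added example that is not part of the IPFire patch: /proc/kallsyms lines have the form "address type name", and with kernel.kptr_restrict = 2 the address field is all zeros even when read as root. The kallsyms_hidden function below checks that every address on its input is zeroed; the sample lines are constructed for illustration, not captured from a real host, and check_live only inspects the running kernel if /proc/kallsyms is readable.

```shell
#!/bin/sh
# Added example, not part of the IPFire patch. Checks whether kernel
# addresses in /proc/kallsyms are hidden, as kernel.kptr_restrict = 2 intends.

# kallsyms_hidden: read /proc/kallsyms-formatted lines on stdin.
# Returns 0 when every address (field 1) is all zeros, 1 if any real
# address is exposed. Note that a few symbols legitimately live at
# address 0 (e.g. fixed_percpu_data on x86_64), so "all zeros" is the
# only reliable sign of hiding; a single non-zero address is a leak.
kallsyms_hidden() {
    awk '$1 !~ /^0+$/ { leaked++ } END { exit (leaked > 0) }'
}

# Constructed sample input (not from a real machine): what an unprivileged
# user sees with kptr_restrict = 1, or root sees with kptr_restrict = 0.
SAMPLE_VISIBLE='ffffffff81000000 T _text
ffffffff81000100 t do_one_initcall
0000000000000000 A fixed_percpu_data'

# Constructed sample input: what every user, root included, sees with
# kptr_restrict = 2.
SAMPLE_HIDDEN='0000000000000000 T _text
0000000000000000 t do_one_initcall
0000000000000000 A fixed_percpu_data'

# check_live: report the state of the running kernel, if we can read it.
check_live() {
    [ -r /proc/kallsyms ] || { echo "no readable /proc/kallsyms here"; return 0; }
    restrict=$(cat /proc/sys/kernel/kptr_restrict 2>/dev/null || echo '?')
    if kallsyms_hidden < /proc/kallsyms; then
        echo "kptr_restrict=$restrict: addresses hidden for uid $(id -u)"
    else
        echo "kptr_restrict=$restrict: addresses VISIBLE for uid $(id -u)"
    fi
}

check_live
```

Run it once as an unprivileged user and once as root after `sysctl -p` on the new file: with kptr_restrict = 1 only the root run reports addresses visible, with kptr_restrict = 2 both runs report them hidden.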