[git.ipfire.org] IPFire 3.x development tree branch, master, updated. 7403755a939d9315b9b0185229c9cd0110df9fb6
This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 3.x development tree".
The branch, master has been updated via 7403755a939d9315b9b0185229c9cd0110df9fb6 (commit) from 8ef817a80a1faa7bf6fb3e53d50a76cd9b847f91 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log ----------------------------------------------------------------- commit 7403755a939d9315b9b0185229c9cd0110df9fb6 Author: Peter Müller peter.mueller@link38.eu Date: Mon Jan 21 21:43:26 2019 +0100
hide kernel addresses in /proc against privileged users
In order to make local privilege escalation more harder, hide kernel addresses in various /proc files against users with root (or similar) permissions, too.
Common system hardening tools such as lynis recommend this.
Signed-off-by: Peter Müller peter.mueller@ipfire.org Signed-off-by: Michael Tremer michael.tremer@ipfire.org
-----------------------------------------------------------------------
Summary of changes: setup/setup.nm | 2 +- setup/sysctl/kernel-hardening.conf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
Difference in files: diff --git a/setup/setup.nm b/setup/setup.nm index e79fff10d..0bb936ccb 100644 --- a/setup/setup.nm +++ b/setup/setup.nm @@ -5,7 +5,7 @@
name = setup version = 3.0 -release = 11 +release = 12 arch = noarch
groups = Base Build System/Base diff --git a/setup/sysctl/kernel-hardening.conf b/setup/sysctl/kernel-hardening.conf index 6751bbef6..9bb6e9f45 100644 --- a/setup/sysctl/kernel-hardening.conf +++ b/setup/sysctl/kernel-hardening.conf @@ -1,5 +1,5 @@ # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc). -kernel.kptr_restrict = 1 +kernel.kptr_restrict = 2
# Avoid kernel memory address exposures via dmesg. kernel.dmesg_restrict = 1
hooks/post-receive -- IPFire 3.x development tree
-
Michael Tremer