diff mbox series

[v2] hide kernel addresses in /proc against privileged users

Message ID cb91cffd-10e2-c075-ec92-90fa8290eb71@link38.eu
State Accepted
Commit 7403755a939d9315b9b0185229c9cd0110df9fb6
Headers
Series [v2] hide kernel addresses in /proc against privileged users |

Commit Message

Peter Müller 22 Jan 2019, 7:43 a.m. UTC 
In order to make local privilege escalation more harder, hide
kernel addresses in various /proc files against users with
root (or similar) permissions, too.

Common system hardening tools such as lynis recommend this.

The second version of this patch also increments the package number.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
 setup/setup.nm                     | 2 +-
 setup/sysctl/kernel-hardening.conf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff mbox series

Patch

diff --git a/setup/setup.nm b/setup/setup.nm
index e79fff10d..0bb936ccb 100644
--- a/setup/setup.nm
+++ b/setup/setup.nm
@@ -5,7 +5,7 @@ 
 
 name       = setup
 version    = 3.0
-release    = 11
+release    = 12
 arch       = noarch
 
 groups     = Base Build System/Base
diff --git a/setup/sysctl/kernel-hardening.conf b/setup/sysctl/kernel-hardening.conf
index 6751bbef6..9bb6e9f45 100644
--- a/setup/sysctl/kernel-hardening.conf
+++ b/setup/sysctl/kernel-hardening.conf
@@ -1,5 +1,5 @@ 
 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
-kernel.kptr_restrict = 1
+kernel.kptr_restrict = 2
 
 # Avoid kernel memory address exposures via dmesg.
 kernel.dmesg_restrict = 1