UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Ubuntu operating system must restrict access to the kernel message buffer.


Overview

Finding ID Version Rule ID IA Controls Severity
V-255913 UBTU-20-010401 SV-255913r880908_rule Low
Description
Restricting access to the kernel message buffer limits access only to root. This prevents attackers from gaining additional system information as a nonprivileged user.
STIG Date
Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide 2023-09-08

Details

Check Text ( C-59590r880906_chk )
Verify the operating system is configured to restrict access to the kernel message buffer with the following commands:

$ sudo sysctl kernel.dmesg_restrict
kernel.dmesg_restrict = 1

If "kernel.dmesg_restrict" is not set to "1" or is missing, this is a finding.

Check that the configuration files are present to enable this kernel parameter:

$ sudo grep -r kernel.dmesg_restrict /run/sysctl.d/* /etc/sysctl.d/* /usr/local/lib/sysctl.d/* /usr/lib/sysctl.d/* /lib/sysctl.d/* /etc/sysctl.conf 2> /dev/null
/etc/sysctl.conf:kernel.dmesg_restrict = 1
/etc/sysctl.d/99-sysctl.conf:kernel.dmesg_restrict = 1

If "kernel.dmesg_restrict" is not set to "1", is missing or commented out, this is a finding.

If conflicting results are returned, this is a finding.
Fix Text (F-59533r880907_fix)
Configure the operating system to restrict access to the kernel message buffer.

Set the system to the required kernel parameter by adding or modifying the following line in /etc/sysctl.conf or a config file in the /etc/sysctl.d/ directory:

kernel.dmesg_restrict = 1

Remove any configurations that conflict with the above from the following locations:
/run/sysctl.d/
/etc/sysctl.d/
/usr/local/lib/sysctl.d/
/usr/lib/sysctl.d/
/lib/sysctl.d/
/etc/sysctl.conf

Reload settings from all system configuration files with the following command:

$ sudo sysctl --system