hide kernel addresses in /proc against privileged users

In order to make local privilege escalation more harder, hide
kernel addresses in various /proc files against users with
root (or similar) permissions, too.

Common system hardening tools such as lynis recommend this.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

diff --git a/setup/setup.nm b/setup/setup.nm
index e79fff10d87a1578d70754f3a1143dfcb9b6dde6..0bb936ccbaee95b0a21f4b1c4b99ca90eca62f0e 100644 (file)
--- a/setup/setup.nm
+++ b/setup/setup.nm
@@ -5,7 +5,7 @@
 
 name       = setup
 version    = 3.0
-release    = 11
+release    = 12
 arch       = noarch
 
 groups     = Base Build System/Base

diff --git a/setup/sysctl/kernel-hardening.conf b/setup/sysctl/kernel-hardening.conf
index 6751bbef65f1b6cf11a6818d48d2659e9219817a..9bb6e9f45d10d33a324c405b71ab6a74c20396cf 100644 (file)
--- a/setup/sysctl/kernel-hardening.conf
+++ b/setup/sysctl/kernel-hardening.conf
@@ -1,5 +1,5 @@
 # Try to keep kernel address exposures out of various /proc files (kallsyms, modules, etc).
-kernel.kptr_restrict = 1
+kernel.kptr_restrict = 2
 
 # Avoid kernel memory address exposures via dmesg.
 kernel.dmesg_restrict = 1