On Mon, 2020-08-17 at 15:50 +1200, Matthew Ruffell wrote:
> I propose that we restrict access to dmesg to users in group 'adm' like so:
> 
> 1) CONFIG_SECURITY_DMESG_RESTRICT=y in the kernel.
> 2) Following changes to /bin/dmesg permissions in package 'util-linux'
>     - Ownership changes to root:adm
>     - Permissions changed to 0750 (-rwxr-x---)
>     - Add cap_syslog capability to binary.
> 3) Add a commented out '# kernel.dmesg_restrict = 0' to
>    /etc/sysctl.d/10-kernel-hardening.conf

That grants additional rights to the `adm` group that it did not have
before, for example to clear the dmesg buffer:

$ dmesg --clear

works after adding `cap_syslog` to the dmesg binary whereas it did not
work before.

Ansgar
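
Added example (not part of the original message, and not kernel or util-linux code): a simplified C model of the kernel's syslog permission check, showing why an `adm` member gains the ability to clear the buffer once /bin/dmesg carries `cap_syslog`. Assumptions: dmesg_restrict was 0 before the proposal, the file capability is effective at exec, and `caller_has_cap_syslog` is a hypothetical helper; other capabilities and LSM hooks are left out.

```c
/* Simplified model of the kernel's syslog permission check (added example). */
#include <stdbool.h>
#include <stdio.h>

/* Action numbers as defined by the syslog(2) interface. */
enum { SYSLOG_ACTION_READ_ALL = 3, SYSLOG_ACTION_CLEAR = 5,
       SYSLOG_ACTION_SIZE_BUFFER = 10 };

/* With dmesg_restrict=0 only "read all" and "buffer size" are open to
 * everyone; every other action always needs CAP_SYSLOG. */
static bool action_restricted(int action, bool dmesg_restrict)
{
    if (dmesg_restrict)
        return true;
    return action != SYSLOG_ACTION_READ_ALL &&
           action != SYSLOG_ACTION_SIZE_BUFFER;
}

static bool syslog_allowed(int action, bool dmesg_restrict, bool cap_syslog)
{
    return !action_restricted(action, dmesg_restrict) || cap_syslog;
}

/* Hypothetical helper: does an unprivileged caller running /bin/dmesg hold
 * CAP_SYSLOG? Under the proposal (root:adm, 0750, cap_syslog file
 * capability) any 'adm' member who can execute the binary does. */
static bool caller_has_cap_syslog(bool in_adm, bool proposal_applied)
{
    return proposal_applied && in_adm;
}

int main(void)
{
    const struct { const char *name; int action; } acts[] = {
        { "read (dmesg)", SYSLOG_ACTION_READ_ALL },
        { "clear (dmesg --clear)", SYSLOG_ACTION_CLEAR },
    };
    for (int proposal = 0; proposal <= 1; proposal++) {
        for (unsigned i = 0; i < 2; i++) {
            /* Assumption: the proposal also switches dmesg_restrict to 1. */
            bool ok = syslog_allowed(acts[i].action, proposal,
                                     caller_has_cap_syslog(true, proposal));
            printf("%-6s adm user, %-22s: %s\n", proposal ? "after" : "before",
                   acts[i].name, ok ? "allowed" : "EPERM");
        }
    }
    return 0;
}
```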
