OpenShift must restrict access to the kernel buffer.

STIG ID: CNTR-OS-000600  |  SRG: SRG-APP-000243-CTR-000600 |  Severity: medium |  CCI: CCI-001090 |  Vulnerability Id: V-257552 | 

Vulnerability Discussion

Restricting access to the kernel buffer in OpenShift is crucial for preventing unauthorized access, protecting system stability, mitigating kernel-level attacks, preventing information leakage, and adhering to the principle of least privilege. It enhances the security posture of the platform and helps maintain the confidentiality, integrity, and availability of critical system resources.

Check

Verify the Red Hat Enterprise Linux CoreOS (RHCOS) is configured to restrict access to the kernel message buffer.

Check the status of the kernel.dmesg_restrict kernel parameter by executing the following:

for node in $(oc get node -oname); do oc debug $node -- chroot /host /bin/bash -c 'echo -n "$HOSTNAME "; sysctl kernel.dmesg_restrict' 2>/dev/null; done

If "kernel.dmesg_restrict" is not set to "1" or is missing, this is a finding.

Fix

Apply the machine config to restrict access to the kernel message buffer by executing the following:

for mcpool in $(oc get mcp -oname | sed "s:.*/::" ); do
echo "apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
metadata:
name: 75-sysctl-kernel-dmesg-restrict-$mcpool
labels:
machineconfiguration.openshift.io/role: $mcpool
spec:
config:
ignition:
version: 3.1.0
storage:
files:
- contents:
source: data:,kernel.dmesg_restrict%3D1%0A
mode: 0644
path: /etc/sysctl.d/75-sysctl_kernel_dmesg_restrict.conf
overwrite: true
" | oc apply -f -
done