ProtectKernelLogs setting

The property ProtectKernelLogs is a systemd unit setting used for sandboxing. It is available since systemd 244.

Purpose: define if service may read or write to the kernel log ring buffer

Background

The Linux kernel exposes its kernel log ring buffer to userspace via /dev/kmsg and /proc/kmsg.

When this setting is defined as yes, the capability CAP_SYS_MODULE will be removed from the capability bounding set. This means that all processes in the unit will no longer have access to the kernel log ring buffer.

Generic advice

For most common services access to the kernel log ring buffer is not need, therefore safe to disable (ProtectKernelLogs=yes).

Values

This setting expects a boolean (yes or no).

no: access to kernel log ring buffer allowed - default
yes: access to kernel log ring buffer will be denied

Example to show the current value of ProtectKernelLogs for the dmesg service:

systemctl show --property=ProtectKernelLogs dmesg.service

Related hardening profiles

The systemd unit setting ProtectKernelLogs is used in the following hardening profiles.

Nginx hardening profile

Feedback

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution!