ProtectKernelLogs setting
This article has last been updated at .
The property ProtectKernelLogs is a systemd unit setting used for sandboxing. It is available since systemd 244.
Purpose: define if service may read or write to the kernel log ring buffer
New to securing and tuning systemd services? Start with the how to harden a systemd service unit article to learn tuning step-by-step, including the usage of relevant tools.
Background
The Linux kernel exposes its kernel log ring buffer to userspace via /dev/kmsg and /proc/kmsg .
When this setting is defined as yes, the capability CAP_SYS_MODULE will be removed from the capability bounding set. This means that all processes in the unit will no longer have access to the kernel log ring buffer.
Generic advice
For most common services access to the kernel log ring buffer is not need, therefore safe to disable (ProtectKernelLogs=yes).
Values
Systemd unit setting ProtectKernelLogs expects a boolean (yes/no or true/false).
| Value | Intended action | Available since systemd version |
|---|---|---|
| no | access to kernel log ring buffer allowed - default | |
| yes | access to kernel log ring buffer will be denied |
Example to show the current value of ProtectKernelLogs for the ssh service:
systemctl show --property=ProtectKernelLogs ssh.serviceRelated hardening profiles
The systemd unit setting ProtectKernelLogs is used in the following systemd hardening profiles. These hardening profiles help improving security of common Linux services and usually require minimal tuning.
