ProtectKernelLogs setting

The property ProtectKernelLogs is a systemd unit setting used for sandboxing. It is available since systemd 244.

Purpose: define if service may read or write to the kernel log ring buffer

Background

The Linux kernel exposes its kernel log ring buffer to userspace via /dev/kmsg and /proc/kmsg .

When this setting is defined as yes, the capability CAP_SYS_MODULE will be removed from the capability bounding set. This means that all processes in the unit will no longer have access to the kernel log ring buffer.

Generic advice

For most common services access to the kernel log ring buffer is not need, therefore safe to disable (ProtectKernelLogs=yes).

Values

Systemd unit setting ProtectKernelLogs expects a boolean (yes/no or true/false).

Values for systemd unit setting ProtectKernelLogs
Value	Intended action	Available since
no	access to kernel log ring buffer allowed - default
yes	access to kernel log ring buffer will be denied

Example to show the current value of ProtectKernelLogs for the ssh service:

systemctl show --property=ProtectKernelLogs ssh.service

Related hardening profiles

The systemd unit setting ProtectKernelLogs is used in the following hardening profiles.

Like to learn more? Here is a list of articles within the same category or having similar tags.

Feedback

This article has been written by our Linux security expert Michael Boelen. With focus on creating high-quality articles and relevant examples, he wants to improve the field of Linux security. No more web full of copy-pasted blog posts.

Discovered outdated information or have a question? Share your thoughts. Thanks for your contribution!