Kernel Log
ProtectKernelLogs setting
Summary
Restrict whether the processes of a systemd unit can read from or write to the kernel log ring buffer with the unit setting ProtectKernelLogs=.
Background
The Linux kernel exposes its log ring buffer to userspace via the device node /dev/kmsg, the file /proc/kmsg and the syslog(2) system call (the one dmesg(1) uses; not to be confused with the libc syslog(3) API, which writes to the userspace logger).
When this setting is set to yes, access to the kernel log ring buffer is denied to all processes in the unit: the capability CAP_SYSLOG is removed from the unit's capability bounding set, a system call filter blocks syslog(2), and /dev/kmsg and /proc/kmsg are made inaccessible. Dropping CAP_SYSLOG alone would not be enough, because where kernel.dmesg_restrict is 0 (the upstream kernel default) an unprivileged process may still read the buffer; the device-node and system-call restrictions close that path. The setting is recommended for most services; leave it off only for services that legitimately need the kernel log, such as a log collector that ships dmesg output.
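The following is an added example (not from the original page or from the systemd project): it writes the drop-in that enables the setting for a hypothetical foo.service, then checks from the inside the way a service could, by decoding the CapBnd line of /proc/<pid>/status and reporting whether CAP_SYSLOG (capability number 34) is still in the bounding set. DEMO_ROOT stands in for /etc so the script runs unprivileged, and the two status excerpts are constructed: a full bounding set on a kernel with 41 capabilities, and the same set with bit 34 cleared.

```shell
#!/bin/sh
# Added example, not from the original page: enable ProtectKernelLogs=yes via a
# drop-in, then verify that CAP_SYSLOG (number 34 in <linux/capability.h>) is
# gone from the capability bounding set as printed in /proc/<pid>/status.
set -u

CAP_SYSLOG=34

# cap_in_mask HEXMASK CAPNUM: succeed if bit CAPNUM is set in a Cap* mask such
# as "000001ffffffffff". Works one hex digit at a time, so it does not depend
# on the shell's arithmetic width.
cap_in_mask() {
    mask=$1; cap=$2
    nibble_from_right=$((cap / 4))
    bit_in_nibble=$((cap % 4))
    pos=$(( ${#mask} - nibble_from_right ))   # 1-based position for cut(1)
    [ "$pos" -ge 1 ] || return 1               # mask shorter than the bit: not set
    digit=$(printf '%s' "$mask" | cut -c "$pos")
    case $digit in
        [0-9]) value=$digit ;;
        a|A) value=10 ;; b|B) value=11 ;; c|C) value=12 ;;
        d|D) value=13 ;; e|E) value=14 ;; f|F) value=15 ;;
        *) return 1 ;;
    esac
    [ $(( (value >> bit_in_nibble) & 1 )) -eq 1 ]
}

# capbnd_from_status STATUSFILE: print the hex CapBnd value of a status file.
capbnd_from_status() {
    awk '$1 == "CapBnd:" { print $2; exit }' "$1"
}

# kernel_log_verdict STATUSFILE: "allowed" if CAP_SYSLOG is still in CapBnd,
# "denied" once ProtectKernelLogs=yes has removed it.
kernel_log_verdict() {
    if cap_in_mask "$(capbnd_from_status "$1")" "$CAP_SYSLOG"; then
        echo allowed
    else
        echo denied
    fi
}

# The drop-in that enables the setting. DEMO_ROOT (hypothetical) stands in for
# /etc so this runs without root; on a real system use: systemctl edit foo.service
DEMO_ROOT=$(mktemp -d)
mkdir -p "$DEMO_ROOT/systemd/system/foo.service.d"
cat > "$DEMO_ROOT/systemd/system/foo.service.d/10-kmsg.conf" <<'EOF'
[Service]
# Deny /dev/kmsg, /proc/kmsg and syslog(2); drops CAP_SYSLOG from the bounding set
ProtectKernelLogs=yes
EOF

# Constructed excerpts of /proc/<pid>/status: the full bounding set of a kernel
# with 41 capabilities (bits 0-40), and the same set with bit 34 cleared.
printf 'Name:\tfoo\nCapBnd:\t000001ffffffffff\n' > "$DEMO_ROOT/status.before"
printf 'Name:\tfoo\nCapBnd:\t000001fbffffffff\n' > "$DEMO_ROOT/status.after"

echo "before ProtectKernelLogs=yes: $(kernel_log_verdict "$DEMO_ROOT/status.before")"
echo "after  ProtectKernelLogs=yes: $(kernel_log_verdict "$DEMO_ROOT/status.after")"
# Inside a running unit the same check is: kernel_log_verdict /proc/self/status
```

From outside the unit, `systemctl show -p ProtectKernelLogs foo.service` shows whether the setting is in effect and `systemd-analyze security foo.service` lists it among the sandboxing checks; the in-process check above is useful when you want the service itself to refuse to start if its sandbox is weaker than expected.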