Restricting Access to Kernel Ring Buffer Messages

The kernel uses a ring buffer to surface messages for troubleshooting purposes, and these messages can be viewed by running the dmesg command.

Threat actors can use the information in those messages to find ways to exploit the system, so it's considered good security practice to ensure that only users with root permissions can read them with the dmesg command.

To check whether access is restricted, run the following command:

sudo sysctl kernel.dmesg_restrict

If the value returned is 1, then access is already restricted.

If the value returned isn't 1, or the value is missing entirely, then you can restrict access by setting the value in a configuration file that's stored in the /etc/sysctl.d/ directory. The file name must end in .conf, because files without that suffix are ignored when settings are loaded at boot. For example, the following command creates the /etc/sysctl.d/dmesg-restrict.conf configuration file:

echo kernel.dmesg_restrict = 1 | sudo tee /etc/sysctl.d/dmesg-restrict.conf

To apply the change without restarting the system, run the following command:

sudo sysctl -p /etc/sysctl.d/dmesg-restrict.conf
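
The following script is an added example, not part of the original page. It audits both the value the running kernel enforces and the value a sysctl.d directory will set at the next boot. The function names and optional path arguments are illustrative, and it assumes a single directory whose *.conf files are applied in lexical order, with the last assignment winning.

```shell
#!/bin/sh
# Added example: audit kernel.dmesg_restrict at runtime and on disk.
# Function names and path arguments are illustrative assumptions.

# Print the value currently enforced by the running kernel.
# $1: optional path to the procfs entry (lets the check run against a test file).
runtime_dmesg_restrict() {
    cat "${1:-/proc/sys/kernel/dmesg_restrict}" 2>/dev/null
}

# Print the value a sysctl.d directory would set at boot (empty if none).
# Only *.conf files are read, in lexical order; the last assignment wins.
# $1: optional directory, defaults to /etc/sysctl.d.
persisted_dmesg_restrict() {
    dir=${1:-/etc/sysctl.d}
    value=
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        # Match the key with optional spaces around '='. Commented-out
        # lines do not match because the key must start the line.
        v=$(sed -n \
            's/^[[:space:]]*kernel\.dmesg_restrict[[:space:]]*=[[:space:]]*\([^[:space:]]*\)[[:space:]]*$/\1/p' \
            "$f" | tail -n 1)
        if [ -n "$v" ]; then
            value=$v
        fi
    done
    printf '%s\n' "$value"
}

# Report both values. Exit status is 0 only when the running kernel
# and the persisted configuration both say 1.
# $1: optional sysctl.d directory, $2: optional procfs entry path.
audit_dmesg_restrict() {
    run=$(runtime_dmesg_restrict "$2")
    disk=$(persisted_dmesg_restrict "$1")
    echo "runtime=${run:-unset} persisted=${disk:-unset}"
    [ "$run" = 1 ] && [ "$disk" = 1 ]
}

# Usage: audit_dmesg_restrict || echo "dmesg access is not fully restricted"
```

A result of runtime=1 with persisted=unset or persisted=0 means the restriction is active now but will be lost at the next reboot.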