tier1.jp released logcheck ignore database v0.11 for Debian GNU/Linux stretch and buster.
We've noticed that settings which allow logcheck to send its summary mails to normal users which is used daily, can cause a security issue which leaks restricted dmesg information.
- Processes running under those users can virtually
see dmesg, which could provide important
information for attackers via those processes.
- Debian Linux Kernel does not allow dmesg for normal users (CONFIG_SECURITY_DMESG_RESTRICT=y # kernel.dmesg_restrict=1).
user$ dmesg dmesg: read kernel buffer failed: Operation not permitted
- Both Debian and our logcheck ignore database
did not suppress those dmesg outputs enough.
- /var/mail/USER can contain dmesg output.
- We've started to add suppression rules for those
important dmesg information, such as
address range, port numbers, etc.
- We've just started and it is not enough now.
- It only covers very partial amd64 machine outputs.
Please update our ignore database ASAP, if you are using.
- Do not add daily normal users into logcheck recipient lists.
- At least who does developments tasks.
- Restrict web access.
- Never execute anything from the Internet directly.
- Use browser tracking protections as much as possible.
- Create special (but normal) user  to receive those logcheck summary mails.
|||who does nothing but to read summary mails.|
The tar file is available at the software page.