CISOfy / lynis

Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional.
https://cisofy.com/lynis/
GNU General Public License v3.0

Allow SAK in KRNL-6000 test #87

Closed pyllyukko closed 8 years ago

pyllyukko commented 9 years ago

Currently Lynis complains if the kernel.sysrq sysctl value is not 0. Most of the stuff provided by magic sysrq functionality can indeed decrease security, but there is at least one feature that increases security and that is the secure attention key (SAK) feature.

I think Lynis should allow if SAK is enabled through kernel.sysrq.

ghost commented 8 years ago

What is the added value of having a sysrq feature like SAK in case it enables the possibility to kill all processes (except 1)? ;-)

Look at the Caution[1] section. It is not recommended to use this feature for security reasons. For desktops, feel free. ;-)

References: [1] https://www.debian.org/doc/manuals/debian-reference/ch09.en.html#_alt_sysrq_key

pyllyukko commented 8 years ago

I was referring to only the k functionality, which you can use to kill fake login screens.

mboelen commented 8 years ago

The KRNL-6000 test is a "container" test for boolean values. While the SAK feature is definitely interesting, I think the use-case for this is barely used. If one knows about this function, they can change the related sysctl value in their (custom) profile. So the default looks good as it is.

Thanks for reporting this insight!

Closing reason: default value will do for most users. For those using it, they can change their profile (instead of the test).
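
Added example (not part of the thread and not Lynis code): the thread turns on the fact that kernel.sysrq is a bitmask, so SAK can be enabled without the process-signalling functions. The sketch below decodes a value and tells "SAK only" apart from broader settings; the bit meanings follow the kernel's Documentation/admin-guide/sysrq.rst, and the function names and sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Lynis code. Bit meanings follow the kernel's
# Documentation/admin-guide/sysrq.rst; function names are hypothetical.

# Print the function groups a kernel.sysrq value enables, one per line.
sysrq_decode() {
    v=$1
    case $v in ''|*[!0-9]*) echo "invalid"; return 2 ;; esac
    if [ "$v" -eq 0 ]; then echo "disabled"; return 0; fi
    if [ "$v" -eq 1 ]; then echo "all functions"; return 0; fi
    for pair in "2:console loglevel" "4:keyboard (SAK, unraw)" \
                "8:debug dumps" "16:sync" "32:remount read-only" \
                "64:signal processes (term, kill, oom-kill)" \
                "128:reboot/poweroff" "256:nice RT tasks"; do
        bit=${pair%%:*}
        if [ $(( $v & $bit )) -ne 0 ]; then echo "${pair#*:}"; fi
    done
}

# Classify a value for an audit: off, sak-only, or broad.
sysrq_classify() {
    v=$1
    case $v in ''|*[!0-9]*) echo "invalid"; return 2 ;; esac
    if [ "$v" -eq 0 ]; then
        echo "off"
    elif [ "$v" -ne 1 ] && [ $(( $v & ~5 )) -eq 0 ]; then
        # Only the keyboard-control bit (4) is set; bit 1 has no meaning
        # of its own unless the whole value is exactly 1.
        echo "sak-only"
    else
        echo "broad"
    fi
}

# Constructed sample values, not read from a live system.
for sample in 0 1 4 68 176; do
    printf '%s -> %s\n' "$sample" "$(sysrq_classify "$sample")"
done
```

The mask only restricts SysRq invoked from the keyboard; writes to /proc/sysrq-trigger by a privileged user are not limited by it.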