First look at Lynis: opinions on hw.kbd.keymap_restrict_change?

[Toolforger]

Hi all,

I'm working through the Lynis results on a fresh FreeBSD install and need info about the likely background of this:
KRNL-6000 Disable changing the keymap by non-privileged users: hw.kbd.keymap_restrict_change
Default value: 0 (no restrictions on keyboard reconfiguration)
Preferred value: 4 (don't allow any keyboard reconfiguration except for root)

I am seeing a buffer overflow CVE for FreeBSD 10 and before, and restricting keyboard reconfiguration eliminates the thread.
Is that the only reason why Lynis is reporting this, or are there other factors I should consider?

On a side note, I don't see hw.kbd.keymap_restrict_change documented on the sysctl manpages; where are such settings documented?

 

[SirDice]

I am seeing a buffer overflow CVE for FreeBSD 10 and before,

https://www.freebsd.org/security/advisories/FreeBSD-SA-16:18.atkbd.asc

That was fixed ages ago.

and restricting keyboard reconfiguration eliminates the thread.

No, that was a workaround that could mitigate the issue until you were able to apply the security patch.

 

[eldaemon]

A user on freebsd-hackers wrote up a sysctl patch that prevents users from overwriting the small handful of globally changeable sysctls. I can attach it if you like. I don't think it's good behavior by default.

 

[Toolforger]

Heh. I know the CVE is, like, from the Stone Age and no more relevant.
The question is: Are there other reasons to follow that Lynis advice?

 

[T-Daemon]

On a side note, I don't see hw.kbd.keymap_restrict_change documented on the sysctl manpages; where are such settings documented?

System source, see in /usr/src/tools/tools/sysdoc/tunables.mdoc.