From e90380edf10495438ba932c9ad92a6764d4bb59a Mon Sep 17 00:00:00 2001 From: Arnaldo Garcia Rincon Date: Mon, 9 Aug 2021 22:01:55 +0000 Subject: [PATCH] docs: fix kernel lockdown documentation This fixes the kernel lockdown's documentation, since the default values changed in newer variants Signed-off-by: Arnaldo Garcia Rincon --- README.md | 2 +- SECURITY_GUIDANCE.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index baedad9eaa1..f0b0b387fdc 100644 --- a/README.md +++ b/README.md @@ -476,7 +476,7 @@ Here are the metrics settings: #### Kernel settings * `settings.kernel.lockdown`: This allows further restrictions on what the Linux kernel will allow, for example preventing the loading of unsigned modules. - May be set to "none" (the default), "integrity", or "confidentiality". + May be set to "none" (the default in older [variants](variants/), up through aws-k8s-1.19), "integrity" (the default for newer [variants](variants/)), or "confidentiality". **Important note:** this setting cannot be lowered (toward 'none') at runtime. You must reboot for a change to a lower level to take effect. * `settings.kernel.sysctl`: Key/value pairs representing Linux kernel parameters. diff --git a/SECURITY_GUIDANCE.md b/SECURITY_GUIDANCE.md index 8aedf55368f..b68b7df3851 100644 --- a/SECURITY_GUIDANCE.md +++ b/SECURITY_GUIDANCE.md 
@@ -116,7 +116,7 @@ Modifications to the running kernel could bypass or subvert these mechanisms. Bottlerocket enables the Lockdown security module and offers settings to choose from one of three modes. The first mode, "none", effectively disables the protection. -This is the default in older [variants](variants/) of Bottlerocket, for compatibility with existing deployments. +This is the default in older [variants](variants/) of Bottlerocket up through aws-k8s-1.19, for compatibility with existing deployments. The second mode, "integrity", blocks most ways to overwrite the kernel's memory and modify its code. This is the default in newer variants.
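Review bot: In the README hunk, the new "up through aws-k8s-1.19" boundary only tells aws-k8s readers which default they get; the sentence links to [variants](variants/) twice but never says which of the other variants in that directory now default to "integrity", so a reader on a non-aws-k8s variant cannot determine their default from this line. Suggest either naming the variants (or first versions) that switched to "integrity", or pointing to a single per-variant table and linking `variants/` once. It would also help to move the "**Important note:** this setting cannot be lowered (toward 'none') at runtime" sentence directly after the new default text, since with "integrity" as the default that reboot requirement now applies to anyone who needs "none" on a newer variant.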
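Review bot: The SECURITY_GUIDANCE.md hunk adds the same aws-k8s-1.19 cutoff that the README hunk adds, so the two documents now carry a duplicated version boundary that will have to be updated in lockstep; consider stating the cutoff in one place and linking to it from the other. More importantly, the surrounding text says "none" was kept "for compatibility with existing deployments", but the hunk does not spell out the consequence for those deployments: an existing cluster moving past aws-k8s-1.19 picks up "integrity" by default, which per the README blocks loading of unsigned modules, and returning to "none" requires setting `settings.kernel.lockdown` and rebooting. Suggest adding one sentence to that effect right after the changed line so the upgrade impact is visible in the security guidance itself.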