# First look at Lynis: opinions on hw.kbd.keymap_restrict_change?



## Toolforger (Nov 8, 2020)

Hi all,

I'm working through the Lynis results on a fresh FreeBSD install and need info about the likely background of this:
KRNL-6000 Disable changing the keymap by non-privileged users: hw.kbd.keymap_restrict_change
Default value: 0 (no restrictions on keyboard reconfiguration)
Preferred value: 4 (don't allow any keyboard reconfiguration except for root)

I am seeing a buffer overflow CVE for FreeBSD 10 and before, and restricting keyboard reconfiguration eliminates the threat.
Is that the only reason why Lynis is reporting this, or are there other factors I should consider?

On a side note, I don't see hw.kbd.keymap_restrict_change documented on the sysctl manpages; where are such settings documented?


----------



## SirDice (Nov 9, 2020)

Toolforger said:

> I am seeing a buffer overflow CVE for FreeBSD 10 and before,

https://www.freebsd.org/security/advisories/FreeBSD-SA-16:18.atkbd.asc


That was fixed ages ago.



Toolforger said:


> and restricting keyboard reconfiguration eliminates the threat.


No, that was a workaround that could mitigate the issue until you were able to apply the security patch.


----------



## eldaemon (Nov 9, 2020)

A user on freebsd-hackers wrote up a sysctl patch that prevents users from overwriting the small handful of globally changeable sysctls. I can attach it if you like. I don't think it's good behavior by default.


----------



## Toolforger (Nov 9, 2020)

Heh. I know the CVE is, like, from the Stone Age and no more relevant.
The question is: Are there _other_ reasons to follow that Lynis advice?


----------



## T-Daemon (Nov 9, 2020)

Toolforger said:


> On a side note, I don't see hw.kbd.keymap_restrict_change documented on the sysctl manpages; where are such settings documented?


System source, see in /usr/src/tools/tools/sysdoc/tunables.mdoc.


----------

