← Back to Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide

V-282677

CAT II (Medium)

TOSS 5 must enable hardening for the Berkeley Packet Filter (BPF) just-in-time (JIT) compiler.

Rule ID

SV-282677r1201330_rule

STIG

Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000366

Discussion

When hardened, the extended BPF JIT compiler will randomize any kernel addresses in the BPF programs and maps and will not expose the JIT addresses in "/proc/kallsyms".

Check Content

Verify TOSS 5 enables hardening for the BPF JIT with the following commands:

$ sudo sysctl net.core.bpf_jit_harden

net.core.bpf_jit_harden = 2

If the returned line does not have a value of "2", or a line is not returned, this is a finding.

Check that the configuration files are present to enable this kernel parameter.

$ sudo /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' | grep -F net.core.bpf_jit_harden | tail -1
net.core.bpf_jit_harden = 2

If the network parameter "net.core.bpf_jit_harden" is not equal to "2" or nothing is returned, this is a finding.

Fix Text

Configure TOSS 5 to enable hardening for the BPF JIT compiler by adding the following line to a file, in the "/etc/sysctl.d" directory:

net.core.bpf_jit_harden = 2

Reload the system configuration files for the changes to take effect.

$ sudo sysctl --system