STIGhubSTIGhub
STIGsRMF ControlsCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • RMF Controls
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 3 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Red Hat Enterprise Linux 10 Security Technical Implementation Guide

V-281337

CAT II (Medium)

RHEL 10 must enable hardening for the Berkeley Packet Filter (BPF) just-in-time compiler.

Rule ID

SV-281337r1167161_rule

STIG

Red Hat Enterprise Linux 10 Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-002824

Discussion

When hardened, the extended BPF just-in-time (JIT) compiler will randomize any kernel addresses in the BPF programs and maps, and will not expose the JIT addresses in "/proc/kallsyms".

Check Content

Verify RHEL 10 enables hardening for the BPF JIT compiler.

Check the status of the "net.core.bpf_jit_harden" parameter with the following command:

$ sudo sysctl net.core.bpf_jit_harden
net.core.bpf_jit_harden = 2

If "net.core.bpf_jit_harden" is not equal to "2" or is missing, this is a finding.

Fix Text

Configure RHEL 10 to enable hardening for the BPF JIT compiler.

Create the drop-in file if it does not already exist:

$ sudo vi /etc/sysctl.d/99-net_core-bpf_jit_harden.conf

Add the following line to the file:

net.core.bpf_jit_harden = 2

Reload settings from all system configuration files with the following command:

$ sudo sysctl --system