1.5.3 Ensure address space layout randomization (ASLR) is enabled

Information

Address space layout randomization (ASLR) is an exploit mitigation technique which randomly arranges the address space of key data areas of a process (stack, heap, shared libraries, VDSO and, for position-independent executables, the program image itself). On Linux the behaviour is controlled by the kernel.randomize_va_space sysctl: 0 disables randomization, 1 randomizes the stack, mmap base, VDSO and shared libraries, and 2 additionally randomizes the heap (brk) base.

Rationale:

Randomly placing virtual memory regions makes memory-corruption exploits harder to write: an attacker who must jump to a known address (return-to-libc, ROP gadgets, shellcode on the stack) has to first leak an address or guess it, because the layout changes on every execution. ASLR does not prevent the underlying memory-safety bug; it raises the cost of turning the bug into code execution, and it only covers the main executable when the binary is built as PIE.

Solution

Run the following script to set:

kernel.randomize_va_space=2

#!/usr/bin/env bash

{
   l_output="" l_output2=""
   l_parlist="kernel.randomize_va_space=2"
   l_searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf $([ -f /etc/default/ufw ] && awk -F= '/^\s*IPT_SYSCTL=/ {print $2}' /etc/default/ufw)"
   l_kpfile="/etc/sysctl.d/60-kernel_sysctl.conf"
   KPF()
   {
      # Comment out incorrect parameter(s) in kernel parameter file(s):
      # every file that assigns the parameter to anything other than the wanted value
      l_fafile="$(grep -s -- "^\s*$l_kpname" $l_searchloc | grep -Pv -- "\h*=\h*$l_kpvalue\b\h*" | awk -F: '{print $1}')"
      for l_bkpf in $l_fafile; do
         echo -e "\n - Commenting out \"$l_kpname\" in \"$l_bkpf\""
         sed -ri "/$l_kpname/s/^/# /" "$l_bkpf"
      done
      # Set correct parameter in a kernel parameter file (only if no file already has it)
      if ! grep -Pslq -- "^\h*$l_kpname\h*=\h*$l_kpvalue\b\h*(#.*)?$" $l_searchloc; then
         echo -e "\n - Setting \"$l_kpname\" to \"$l_kpvalue\" in \"$l_kpfile\""
         echo "$l_kpname = $l_kpvalue" >> "$l_kpfile"
      fi
      # Set correct parameter in active kernel parameters
      l_krp="$(sysctl "$l_kpname" | awk -F= '{print $2}' | xargs)"
      if [ "$l_krp" != "$l_kpvalue" ]; then
         echo -e "\n - Updating \"$l_kpname\" to \"$l_kpvalue\" in the active kernel parameters"
         sysctl -w "$l_kpname=$l_kpvalue"
         # A routing-table flush (net.ipv4.route.flush=1 / net.ipv6.route.flush=1) is only
         # meaningful for net.* parameters; for kernel.* it would just produce an error
         if [[ "$l_kpname" == net.* ]]; then
            sysctl -w "$(awk -F'.' '{print $1"."$2".route.flush=1"}' <<< "$l_kpname")"
         fi
      fi
   }
   for l_kpe in $l_parlist; do
      l_kpname="$(awk -F= '{print $1}' <<< "$l_kpe")"
      l_kpvalue="$(awk -F= '{print $2}' <<< "$l_kpe")"
      KPF
   done
}
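To verify the control rather than only enforce it, the following audit helper reports every sysctl configuration file that assigns kernel.randomize_va_space a value other than 2 (the lines the remediation script would comment out) and compares the value the running kernel actually uses, read from /proc. This is an added example written for this page, not part of the CIS remediation script or the benchmark's own audit procedure; the function names, the --run flag and the use of /proc/sys/kernel/randomize_va_space are choices made here, and systemd-sysctl's directory precedence is deliberately not modelled.

```shell
#!/usr/bin/env bash
# Added audit helper for this control (not CIS code).

# Matches an active (uncommented) assignment of the parameter, whatever the value.
ASLR_RE='^[[:space:]]*kernel\.randomize_va_space[[:space:]]*='

# aslr_audit_files EXPECTED FILE...
# Prints "file: line" for every active assignment whose value is not EXPECTED.
# A trailing "# comment" after the value is accepted. Returns 0 when no such
# line exists in any readable file, 1 otherwise.
aslr_audit_files() {
    local expected="$1" bad=0 f hits
    shift
    for f in "$@"; do
        [ -r "$f" ] || continue          # unmatched globs / missing files are skipped
        # Keep assignments, drop those that set exactly EXPECTED (followed by
        # whitespace, a comment or end of line, so "22" is not accepted as "2").
        hits="$(grep -E "$ASLR_RE" "$f" \
            | grep -Ev "${ASLR_RE}[[:space:]]*${expected}([[:space:]]|#|$)")" || true
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits" | awk -v f="$f" '{print f ": " $0}'
            bad=1
        fi
    done
    return "$bad"
}

# aslr_audit_running EXPECTED
# Compares the live kernel value with EXPECTED.
# Returns 0 if equal, 1 if different, 2 if the value cannot be read (non-Linux).
aslr_audit_running() {
    local expected="$1" cur
    cur="$(cat /proc/sys/kernel/randomize_va_space 2>/dev/null)" || return 2
    [ "$cur" = "$expected" ]
}

# Run the audit against the same locations the remediation script searches:
#   bash aslr_audit.sh --run
if [ "${1:-}" = "--run" ]; then
    rc=0
    echo "== configuration files with a value other than 2 =="
    aslr_audit_files 2 /run/sysctl.d/*.conf /etc/sysctl.d/*.conf \
        /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf \
        /lib/sysctl.d/*.conf /etc/sysctl.conf || rc=1
    echo "== running kernel =="
    if aslr_audit_running 2; then
        echo "kernel.randomize_va_space = 2 (compliant)"
    else
        echo "kernel.randomize_va_space is not 2 (or unreadable)"
        rc=1
    fi
    exit "$rc"
fi
```

A non-zero exit from --run means either a persistent file carries a weaker value that would win at boot, or the live value has drifted (for example after a manual sysctl -w), which is the case the remediation's final block corrects.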

Default Value:

kernel.randomize_va_space = 2

See Also

https://workbench.cisecurity.org/files/4226

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-16, CSCv7|8.3

Plugin: Unix

Control ID: a99cef37a2b4ce767147967860ede3a9a0bf0aa87b4bffbd7e69ddeda9c84b01