Information
kernel.kptr_restrict sets whether restrictions are placed on exposing kernel addresses via /proc and other interfaces.
- kptr_restrict = 0 - The address is hashed before printing (equivalent to %p).
- kptr_restrict = 1 - Kernel pointers printed using the %pK format specifier will be replaced with 0s unless the reader holds CAP_SYSLOG.
- kptr_restrict = 2 - Kernel pointers printed using %pK will be replaced with 0s regardless of the caller's privileges.
More information about the kernel parameter configuration files, their location, and load preference is available in the section overview.
Masking the kernel symbols in /proc/kallsyms makes it harder for an attacker to use them to learn where kernel code and data reside and so what to attack on your system.
Solution
- Run the following command to comment out kernel.kptr_restrict lines returned by the audit procedure that are not kernel.kptr_restrict = 2 or kernel.kptr_restrict = 1 (the regex address must be enclosed in slashes, as in the example below):
# sed -ri '/^\s*kernel.kptr_restrict\s*=\s*(0|[3-9])/s/^/#/g' "path/to/file/in/audit/filename"
Example:
# sed -ri '/^\s*kernel.kptr_restrict\s*=\s*(0|[3-9])/s/^/#/g' /etc/sysctl.d/99-sysctl.conf
- Create or edit a file in the /etc/sysctl.d/ directory ending in .conf and edit or add the following line:
kernel.kptr_restrict = {N}
Example:
# [ ! -d "/etc/sysctl.d/" ] && mkdir -p /etc/sysctl.d/
# printf '%s\n' "" "kernel.kptr_restrict = 2" >> /etc/sysctl.d/60-kernel_sysctl.conf
Note: The example uses kernel.kptr_restrict = 2, but the value may be set to 1 or 2.
- Run the following command to load all system configuration files:
# sysctl --system
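The audit and remediation steps above, combined into one script as an added example (this is not part of the benchmark text). It applies the same pattern the benchmark uses to comment out non-compliant lines, appends a compliant setting to 60-kernel_sysctl.conf (the file name from the example above) only when no compliant line remains, and reports the value that would win after sysctl --system, which reads *.conf files in lexical order with the last assignment taking effect. It assumes GNU sed (for -i and -E) and takes the directory from the SYSCTL_DIR environment variable (an assumption of this script); when that is unset it builds a constructed temporary directory so it can be exercised without touching /etc.

```shell
#!/bin/sh
# Added example, not benchmark text: audit and remediate kernel.kptr_restrict
# in a sysctl.d-style directory. Assumes GNU sed. [[:space:]] is used in place
# of the benchmark's \s so the patterns are POSIX-portable.

# Print non-compliant kernel.kptr_restrict lines (value 0 or 3-9) in every
# *.conf file under $1, prefixed with the file name. Returns 1 if any found.
audit_kptr_dir() {
    dir="$1"
    found=0
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        if grep -Eq '^[[:space:]]*kernel\.kptr_restrict[[:space:]]*=[[:space:]]*(0|[3-9])' "$f"; then
            grep -En '^[[:space:]]*kernel\.kptr_restrict[[:space:]]*=[[:space:]]*(0|[3-9])' "$f" | sed "s|^|$f:|"
            found=1
        fi
    done
    return $found
}

# Print the value sysctl --system would apply from the files under $1:
# files are read in lexical order and the last uncommented assignment wins.
# Prints "unset" if no file sets the parameter.
effective_kptr_value() {
    val="unset"
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        v=$(sed -n -E 's/^[[:space:]]*kernel\.kptr_restrict[[:space:]]*=[[:space:]]*([0-9]+)[[:space:]]*$/\1/p' "$f" | tail -n 1)
        [ -n "$v" ] && val="$v"
    done
    printf '%s\n' "$val"
}

# Comment out non-compliant lines in every *.conf under $1 (same sed pattern
# as the benchmark remediation), then append "kernel.kptr_restrict = $2" to
# 60-kernel_sysctl.conf if no compliant (1 or 2) setting remains in effect.
remediate_kptr_dir() {
    dir="$1"
    want="$2"
    mkdir -p "$dir"
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        sed -i -E '/^[[:space:]]*kernel\.kptr_restrict[[:space:]]*=[[:space:]]*(0|[3-9])/s/^/#/' "$f"
    done
    case "$(effective_kptr_value "$dir")" in
        1|2) ;;
        *) printf '%s\n' "" "kernel.kptr_restrict = $want" >> "$dir/60-kernel_sysctl.conf" ;;
    esac
}

# Constructed sample directory (not real system files): one file disables the
# restriction, another carries an unrelated setting. Prints the directory path.
make_sample_dir() {
    d=$(mktemp -d)
    printf '%s\n' "kernel.kptr_restrict = 0" "net.ipv4.ip_forward = 0" > "$d/99-sysctl.conf"
    printf '%s\n' "fs.suid_dumpable = 0" > "$d/10-misc.conf"
    printf '%s\n' "$d"
}

# Stand-alone run: use SYSCTL_DIR if given (assumed variable), otherwise the
# constructed sample. On a real host follow with: sysctl --system, then
# sysctl kernel.kptr_restrict to confirm the running value.
if [ -z "${SYSCTL_DIR:-}" ]; then
    SYSCTL_DIR=$(make_sample_dir)
fi
audit_kptr_dir "$SYSCTL_DIR" || echo "non-compliant lines found in $SYSCTL_DIR; remediating"
remediate_kptr_dir "$SYSCTL_DIR" 2
echo "effective kernel.kptr_restrict from $SYSCTL_DIR: $(effective_kptr_value "$SYSCTL_DIR")"
```

Setting the value in a file only takes effect after sysctl --system (or a reboot); the effective_kptr_value function reports what the files say, not what the running kernel has, so a verification step on a live host should still read the current value back with sysctl.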