1.5.8 Ensure kernel.kptr_restrict is configured

Information

kernel.kptr_restrict sets whether restrictions are placed on exposing kernel addresses via /proc and other interfaces.

- kptr_restrict = 0 - The address is hashed before printing (equivalent to %p).
- kptr_restrict = 1 - Kernel pointers printed using the %pK format specifier are replaced with 0's.
- kptr_restrict = 2 - Kernel pointers printed using %pK are replaced with 0's regardless of privileges.

More information about the kernel parameter configuration files, their location, and load preference is available in the section overview.

Masking the kernel symbol addresses exposed in /proc/kallsyms reduces an attacker's ability to use them to learn about the running kernel's layout and what to target on your system.

Solution

- Review all files being used by systemd-sysctl and comment out or remove all kernel.kptr_restrict lines that are not kernel.kptr_restrict=1 or kernel.kptr_restrict=2.

Example script:

#!/usr/bin/env bash

{
   l_option="kernel.kptr_restrict" l_value="(1|2)"
   l_grep="${l_option//./(\.|\/)}" a_files=()
   l_systemdsysctl="$(readlink -e /lib/systemd/systemd-sysctl \
      || readlink -e /usr/lib/systemd/systemd-sysctl)"
   l_ufw_file="$([ -f /etc/default/ufw ] && \
      awk -F= '/^\s*IPT_SYSCTL=/ {print $2}' /etc/default/ufw)"
   [ -f "$(readlink -e "$l_ufw_file")" ] && \
      a_files+=("$l_ufw_file"); a_files+=("/etc/sysctl.conf")
   while IFS= read -r l_fname; do
      l_file="$(readlink -e "${l_fname//# /}")"
      [ -n "$l_file" ] && ! grep -Psiq -- '(^|\h+)'"$l_file"'\b' \
         <<< "${a_files[*]}" && a_files+=("$l_file")
   done < <("$l_systemdsysctl" --cat-config | tac | \
      grep -Pios '^\h*#\h*\/[^#\n\r\h]+\.conf\b')
   for l_file in "${a_files[@]}"; do
      grep -Pios '\h*'"$l_grep"'\h*=\h*\H+\b' "$l_file" \
         | grep -Pivq '^\h*'"$l_grep"'\h*=\h*'"$l_value"'\b' && \
         sed -ri '/^\s*'"$l_grep"'\s*=\s*(0|[3-9]|[1-9][0-9]+)/s/^/# /' "$l_file"
   done
}
- Create or edit a file in the /etc/sysctl.d/ directory ending in .conf and edit or add the following line:

kernel.kptr_restrict = {N}

Example:

# [ ! -d "/etc/sysctl.d/" ] && mkdir -p /etc/sysctl.d/
# printf '%s\n' "" "kernel.kptr_restrict = 2" >> /etc/sysctl.d/60-kernel_sysctl.conf

Note: The example uses kernel.kptr_restrict = 2, but the value may be set to 1 or 2.

- Run the following command to load all system configuration files:

# sysctl --system
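The remediation above depends on which assignment sysctl --system applies last, and on catching the key in either its dotted (kernel.kptr_restrict) or procfs (kernel/kptr_restrict) spelling. The following audit helper is an added example, not the benchmark's or Tenable's own script: it resolves the value that a set of configuration files will persist, in load order, and checks it against the accepted values 1 and 2. The file names and contents it builds (50-default.conf, 60-kernel_sysctl.conf) are constructed for the demo; the read of /proc/sys/kernel/kptr_restrict is read-only and skipped where /proc is unavailable.

```shell
#!/usr/bin/env bash
# Added audit helper, not the benchmark's own script. It resolves the
# kernel.kptr_restrict value that the persisted sysctl configuration will apply
# (the last assignment across the files, in load order, wins) and checks it
# against the accepted values 1 and 2. All file names below are constructed.

# Return 0 when a kptr_restrict value is compliant (1 or 2), 1 otherwise.
kptr_value_ok() {
    case "$1" in
        1|2) return 0 ;;
        *)   return 1 ;;
    esac
}

# Print the effective persisted value from the given config files. Pass them in
# the order sysctl --system applies them, so a later assignment overrides an
# earlier one. Both "kernel.kptr_restrict" and "kernel/kptr_restrict" spellings
# are recognised; comments (# or ;) and surrounding whitespace are ignored.
# Prints nothing when no assignment is found.
persisted_kptr_value() {
    [ "$#" -gt 0 ] || return 1
    awk -F= '
        /^[[:space:]]*[#;]/ { next }      # comment line
        NF < 2              { next }      # not a key=value line
        {
            key = $1; gsub(/[[:space:]]/, "", key)
            gsub("/", ".", key)           # kernel/kptr_restrict -> kernel.kptr_restrict
            if (key == "kernel.kptr_restrict") {
                val = $2
                sub(/[#;].*/, "", val)    # drop a trailing comment
                gsub(/[[:space:]]/, "", val)
                last = val                # later lines and later files win
            }
        }
        END { if (last != "") print last }
    ' "$@"
}

# Audit verdict for a set of config files: returns 0 = compliant, 1 = not.
kptr_audit() {
    v="$(persisted_kptr_value "$@")"
    if kptr_value_ok "$v"; then
        printf 'PASS: persisted kernel.kptr_restrict = %s\n' "$v"
        return 0
    fi
    printf 'FAIL: persisted kernel.kptr_restrict = "%s" (expected 1 or 2)\n' "$v"
    return 1
}

# Build two constructed sysctl.d-style files in a temp dir and print its path:
# 50-default.conf sets 0, and 60-kernel_sysctl.conf later overrides it with 2.
make_demo_fixture() {
    d="$(mktemp -d)"
    printf '%s\n' '# constructed: a distribution default' \
        'kernel.kptr_restrict = 0' > "$d/50-default.conf"
    printf '%s\n' '; constructed: hardening drop-in, key in procfs spelling' \
        'kernel/kptr_restrict = 2   # hardened' > "$d/60-kernel_sysctl.conf"
    printf '%s\n' "$d"
}

# Stand-alone demo: audit the fixture, then show the running kernel's value
# when /proc is readable (read-only; nothing on the host is changed).
demo_dir="$(make_demo_fixture)"
kptr_audit "$demo_dir/50-default.conf" "$demo_dir/60-kernel_sysctl.conf"
if [ -r /proc/sys/kernel/kptr_restrict ]; then
    printf 'running kernel: kernel.kptr_restrict = %s\n' \
        "$(cat /proc/sys/kernel/kptr_restrict)"
fi
rm -rf "$demo_dir"
```

On a real host, feed kptr_audit the files in the order systemd-sysctl --cat-config lists them (the benchmark script above derives that order the same way); a PASS on the persisted value that disagrees with /proc/sys/kernel/kptr_restrict means the setting has not yet been loaded with sysctl --system or was changed at runtime.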

See Also

https://workbench.cisecurity.org/benchmarks/24932

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CCI|CCI-000366, CSCv7|4.8, CSCv7|9.2, Rule-ID|SV-230547r1017309_rule, Rule-ID|SV-234861r958928_rule, Rule-ID|SV-248891r991589_rule, Rule-ID|SV-257800r1044851_rule, Rule-ID|SV-269423r1050306_rule, Rule-ID|SV-271747r1091953_rule

Plugin: Unix

Control ID: 74cde2ab12b1c96daed4648911643b24cf487766fd1c79e0329a7bd14bb919b7