Detections
Analytics

1.34 RHEL-09-213075

Information

RHEL 9 must disable access to network bpf system call from nonprivileged processes.

GROUP ID: V-257810
RULE ID: SV-257810r1044869

Loading and accessing the packet filters programs and maps using the bpf() system call has the potential of revealing sensitive information about the kernel state.

Satisfies: SRG-OS-000132-GPOS-00067, SRG-OS-000480-GPOS-00227

Solution

Configure the currently loaded kernel parameter to the secure setting:

$ sudo sysctl -w kernel.unprivileged_bpf_disabled=1

Configure RHEL 9 to prevent privilege escalation through the kernel by disabling access to the bpf syscall by adding the following line to a file in the "/etc/sysctl.d" directory:

kernel.unprivileged_bpf_disabled = 1

The system configuration files must be reloaded for the changes to take effect. To reload the contents of the files, run the following command:

$ sysctl --system

See Also

https://workbench.cisecurity.org/benchmarks/22008

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-2, CAT|II, CCI|CCI-001082, Rule-ID|SV-257810r1044869_rule, STIG-ID|RHEL-09-213075, Vuln-ID|V-257810

Plugin: Unix

Control ID: 61933038c4dfa0a120c65bb03c72bb92632fec7e0dc789bb71dfe0bfaf931e9e