Detections
Analytics

1.5.8 Ensure kernel.randomize_va_space is configured

Information

Address space layout randomization (ASLR) is an exploit mitigation technique which randomly arranges the address space of key data areas of a process.

Randomly placing virtual memory regions will make it difficult to write memory page exploits as the memory placement will be consistently shifting.

Solution

- Review all files being used by systemd sysctl and comment out or remove all kernel.randomize_va_space lines that are not kernel.randomize_va_space=2.

Example script:

#!/usr/bin/env bash

{
 l_option="kernel.randomize_va_space" l_value="2"
 l_grep="${l_option//./(\\.|\\/)}" a_files=()
 l_systemdsysctl="$(readlink -e /lib/systemd/systemd-sysctl \
 || readlink -e /usr/lib/systemd/systemd-sysctl)"
 l_ufw_file="$([ -f /etc/default/ufw ] && \
 awk -F= '/^\s*IPT_SYSCTL=/ {print $2}' /etc/default/ufw)"
 [ -f "$(readlink -e "$l_ufw_file")" ] && \
 a_files+=("$l_ufw_file"); a_files+=("/etc/sysctl.conf")
 while IFS= read -r l_fname; do
 l_file="$(readlink -e "${l_fname//# /}")"
 [ -n "$l_file" ] && ! grep -Psiq -- '(^|\h+)'"$l_file"'\b' \
 <<< "${a_files[*]}" && a_files+=("$l_file")
 done < <("$l_systemdsysctl" --cat-config | tac | \
 grep -Pio -- '^\h*#\h*\/[^#\n\r\h]+\.conf\b')
 for l_file in "${a_files[@]}"; do
 grep -Poi -- '\h*'"$l_grep"'\h*=\h*\H+\b' "$l_file" \
 | grep -Pivq -- '^\h*'"$l_grep"'\h*=\h*'"$l_value"'\b' && \
 sed -ri '/^\s*'"$l_grep"'\s*=\s*([01]|[3-9]|1[0-9]+)/s/^/# /' "$l_file"
 done
}
 - Create or edit a file in the /etc/sysctl.d/ directory ending in .conf and edit or add the following line:

kernel.randomize_va_space = 2

Example:

# [ ! -d "/etc/sysctl.d/" ] && mkdir -p /etc/sysctl.d/
# printf '%s\n' "" "kernel.randomize_va_space = 2" >> /etc/sysctl.d/60-kernel_sysctl.conf

Note: If the UFW file was the first file listed in the audit, the entry will be commented out as part of the first step, however updating Uncomplicated Firewall (UFW) may update this change. In this case the updated entry will supersede the entry being created as part of this step.

 - Run the following command to load all system configuration filles:

# sysctl --system

See Also

https://workbench.cisecurity.org/benchmarks/24009

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-16, CCI|CCI-002824, CSCv7|8.3, Rule-ID|SV-230280r1017093_rule, Rule-ID|SV-234862r958928_rule, Rule-ID|SV-248594r958928_rule, Rule-ID|SV-257809r1044866_rule, Rule-ID|SV-260474r958928_rule, Rule-ID|SV-269452r1050335_rule, Rule-ID|SV-270772r1066805_rule, Rule-ID|SV-271761r1091995_rule, STIG-ID|ALMA-09-044900, STIG-ID|RHEL-08-010430, STIG-ID|RHEL-09-213070, STIG-ID|SLES-15-010550, STIG-ID|UBTU-22-213020, STIG-ID|UBTU-24-700310

Plugin: Unix

Control ID: 31be6b11a967ba4b5ad0d32f4654aab7255d8376550dbd14829a666d01b73e0a