1.5.3 Ensure address space layout randomization (ASLR) is enabled

Information

Address space layout randomization (ASLR) is an exploit mitigation technique which randomly arranges the address space of key data areas of a process.

Randomly placing the virtual memory regions of each new process makes memory-corruption exploits harder to write reliably, because the addresses an attacker would need to target change from one execution to the next.

Solution

Run the following script to set:

- kernel.randomize_va_space=2

#!/usr/bin/env bash

{
    l_output="" l_output2=""
    l_parlist="kernel.randomize_va_space=2"
    l_searchloc="/run/sysctl.d/*.conf /etc/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf $([ -f /etc/default/ufw ] && awk -F= '/^\s*IPT_SYSCTL=/ {print $2}' /etc/default/ufw)"
    l_kpfile="/etc/sysctl.d/60-kernel_sysctl.conf"
    KPF()
    {
        # comment out incorrect parameter(s) in kernel parameter file(s)
        l_fafile="$(grep -s -- "^\s*$l_kpname" $l_searchloc | grep -Pv -- "\h*=\h*$l_kpvalue\b\h*" | awk -F: '{print $1}')"
        for l_bkpf in $l_fafile; do
            echo -e "\n - Commenting out \"$l_kpname\" in \"$l_bkpf\""
            sed -ri "/$l_kpname/s/^/# /" "$l_bkpf"
        done
        # Set correct parameter in a kernel parameter file
        if ! grep -Pslq -- "^\h*$l_kpname\h*=\h*$l_kpvalue\b\h*(#.*)?$" $l_searchloc; then
            echo -e "\n - Setting \"$l_kpname\" to \"$l_kpvalue\" in \"$l_kpfile\""
            echo "$l_kpname = $l_kpvalue" >> "$l_kpfile"
        fi
        # Set correct parameter in active kernel parameters
        l_krp="$(sysctl "$l_kpname" | awk -F= '{print $2}' | xargs)"
        if [ "$l_krp" != "$l_kpvalue" ]; then
            echo -e "\n - Updating \"$l_kpname\" to \"$l_kpvalue\" in the active kernel parameters"
            sysctl -w "$l_kpname=$l_kpvalue"
            # A route flush only exists for net.ipv4/net.ipv6 parameters; skip it
            # for kernel.* so sysctl does not report a nonexistent key
            if [[ "$l_kpname" =~ ^net\.ipv[46]\. ]]; then
                sysctl -w "$(awk -F'.' '{print $1"."$2".route.flush=1"}' <<< "$l_kpname")"
            fi
        fi
    }
    for l_kpe in $l_parlist; do
        l_kpname="$(awk -F= '{print $1}' <<< "$l_kpe")"
        l_kpvalue="$(awk -F= '{print $2}' <<< "$l_kpe")"
        KPF
    done
}
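An added audit counterpart to the remediation script (not part of the CIS or Tenable content): it reports the last value an ordered list of sysctl files assigns to kernel.randomize_va_space, ignoring the "# "-commented lines the remediation leaves behind, and compares it with the running kernel's value. The function names, and the fallback file list in the stand-alone section, are assumptions; which file wins at boot depends on whether procps sysctl or systemd-sysctl loads them, so pass the files in the order your system applies them.

```bash
#!/usr/bin/env bash
# Added audit helper (assumption: the caller supplies files in load order).

# Print the last value assigned to $1 across the files $2..; return 1 if none
# sets it. Lines commented out with "# " (as the remediation script does) and
# trailing "# ..." comments are ignored, so "name = value # note" still matches.
persisted_sysctl_value() {
    local l_kpname="$1" l_value="" l_file l_line
    local l_re="^[[:space:]]*${l_kpname//./[.]}[[:space:]]*=[[:space:]]*([^[:space:]#]+)"
    shift
    for l_file in "$@"; do
        [ -f "$l_file" ] || continue
        while IFS= read -r l_line || [ -n "$l_line" ]; do
            # Later assignments override earlier ones, as sysctl applies them
            if [[ "$l_line" =~ $l_re ]]; then
                l_value="${BASH_REMATCH[1]}"
            fi
        done < "$l_file"
    done
    [ -n "$l_value" ] && printf '%s\n' "$l_value"
}

# Compare persisted ($1) and active ($2) values with the benchmark value 2.
# Prints PASS or FAIL; returns 0 on PASS, 1 otherwise.
aslr_audit() {
    local l_persisted="$1" l_active="$2" l_want="2"
    if [ "$l_persisted" = "$l_want" ] && [ "$l_active" = "$l_want" ]; then
        echo "PASS: kernel.randomize_va_space is $l_want on disk and in the running kernel"
        return 0
    fi
    echo "FAIL: persisted='${l_persisted:-unset}' active='${l_active:-unset}' expected='$l_want'"
    return 1
}

# Stand-alone use on a live host; the file list here is an assumption and
# should follow the order your sysctl loader applies them.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    l_rc=0
    l_cfg="$(persisted_sysctl_value kernel.randomize_va_space /etc/sysctl.d/*.conf /etc/sysctl.conf)"
    l_act="$(cat /proc/sys/kernel/randomize_va_space 2>/dev/null)"
    aslr_audit "$l_cfg" "$l_act" || l_rc=$?
fi
```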

See Also

https://workbench.cisecurity.org/files/4230

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-16, CSCv7|8.3

Plugin: Unix

Control ID: ebbe62dee556426df2f754e2e4095ee2480a5664d7392392fbd1bea7e08d3847