Title

Amazon Linux 2023 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. (Cat II impact)

Discussion

ASLR makes it more difficult for an attacker to predict the location of attack code they have introduced into a process' address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code to repurpose it using return oriented programming (ROP) techniques.

Check Content

Verify Amazon Linux 2023 is implementing ASLR with the following command: $ sysctl kernel.randomize_va_space kernel.randomize_va_space = 2 Check that the configuration files are present to enable this kernel parameter. Verify the configuration of the kernel.kptr_restrict kernel parameter with the following command: $ sudo /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' | grep -F kernel.randomize_va_space | tail -1 kernel.randomize_va_space = 2 If "kernel.randomize_va_space" is not set to "2" or is missing, this is a finding.

Fix Text

Configure Amazon Linux 2023 to enable ASLR to enhance memory protection. Enable ASLR by setting the kernel parameter with the following command: echo 2 | sudo tee /proc/sys/kernel/randomize_va_space Add or edit the following line in a system configuration file in the "/etc/sysctl.d/" directory: kernel.randomize_va_space = 2 Reload settings from all system configuration files with the following command: $ sudo sysctl --system

Additional Identifiers

Rule ID: SV-274006r1120006_rule

Vulnerability ID: V-274006

Group Title: SRG-OS-000433-GPOS-00193

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.