Title

RHEL 9 must enable hardening for the Berkeley Packet Filter just-in-time compiler. (Cat II impact)

Discussion

When hardened, the extended Berkeley Packet Filter (BPF) just-in-time (JIT) compiler will randomize any kernel addresses in the BPF programs and maps, and will not expose the JIT addresses in "/proc/kallsyms".

Check Content

Verify RHEL 9 enables hardening for the BPF JIT with the following commands: $ sudo sysctl net.core.bpf_jit_harden net.core.bpf_jit_harden = 2 If the returned line does not have a value of "2", or a line is not returned, this is a finding. Check that the configuration files are present to enable this kernel parameter. $ sudo /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' | grep -F net.core.bpf_jit_harden | tail -1 net.core.bpf_jit_harden = 2 If the network parameter "net.core.bpf_jit_harden" is not equal to "2" or nothing is returned, this is a finding.

Fix Text

Configure RHEL 9 to enable hardening for the BPF JIT compiler by adding the following line to a file, in the "/etc/sysctl.d" directory: net.core.bpf_jit_harden = 2 The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: $ sudo sysctl --system

Additional Identifiers

Rule ID: SV-257942r925813_rule

Vulnerability ID: V-257942

Group Title: SRG-OS-000480-GPOS-00227

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.