Disable Access to Network bpf() Syscall From Unprivileged Processes
An XCCDF Rule
Description
To prevent unprivileged processes from using the bpf()
syscall
the kernel.unprivileged_bpf_disabled
kernel parameter must
be set to 1
or 2
.
Writing 1
to this entry will disable unprivileged calls to bpf()
; once
disabled, calling bpf()
without CAP_SYS_ADMIN
or CAP_BPF
will return -EPERM
.
Once set to 1
, this can't be cleared from the running kernel anymore.
To set the runtime status of the kernel.unprivileged_bpf_disabled
kernel parameter,
run the following command:
$ sudo sysctl -w kernel.unprivileged_bpf_disabled=1To make sure that the setting is persistent, add the following line to a file in the directory
/etc/sysctl.d
:
kernel.unprivileged_bpf_disabled = 1Writing
2
to this entry will also disable unprivileged calls to bpf()
,
however, an admin can still change this setting later on, if needed, by
writing 0
or 1
to this entry.
To set the runtime status of the kernel.unprivileged_bpf_disabled
kernel parameter,
run the following command:
$ sudo sysctl -w kernel.unprivileged_bpf_disabled=2To make sure that the setting is persistent, add the following line to a file in the directory
/etc/sysctl.d
:
kernel.unprivileged_bpf_disabled = 2
Rationale
Loading and accessing the packet filters programs and maps using the bpf() syscall has the potential of revealing sensitive information about the kernel state.
- ID
- xccdf_org.ssgproject.content_rule_sysctl_kernel_unprivileged_bpf_disabled_accept_default
- Severity
- Medium
- Updated
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of kernel.unprivileged_bpf_disabled from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do
Remediation - Ansible
- name: List /etc/sysctl.d/*.conf files
find:
paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/