RHEL 9 must enable hardening for the Berkeley Packet Filter just-in-time compiler.
An XCCDF Rule
Description
<VulnDiscussion>When hardened, the extended Berkeley Packet Filter (BPF) just-in-time (JIT) compiler will randomize any kernel addresses in the BPF programs and maps, and will not expose the JIT addresses in "/proc/kallsyms".</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-257942r925813_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Configure RHEL 9 to enable hardening for the BPF JIT compiler by adding the following line to a file, in the "/etc/sysctl.d" directory:
net.core.bpf_jit_harden = 2
The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: