The Photon operating system must enable hardlink access control protection in the kernel.

An XCCDF Rule

Description

<VulnDiscussion>By enabling the fs.protected_hardlinks kernel parameter, users can no longer create soft or hard links to files they do not own. Disallowing such hardlinks mitigate vulnerabilities based on insecure file system accessed by privileged programs, avoiding an exploitation vector exploiting unsafe use of open() or creat().</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-258903r933770_rule
Severity: Medium
References: CCI-000366
Updated: 8 months ago

Navigate to and open:

/etc/sysctl.d/zz-stig-hardening.conf

Add or update the following line:
fs.protected_hardlinks = 1

At the command line, run the following command to load the new configuration:

# /sbin/sysctl --load /etc/sysctl.d/zz-stig-hardening.conf

Note: If the file zz-stig-hardening.conf does not exist, it must be created.

The Photon operating system must enable hardlink access control protection in the kernel.

Description

Remediation - Manual Procedure