RHEL 9 must enable hardening for the Berkeley Packet Filter just-in-time compiler.

An XCCDF Rule

Description

<VulnDiscussion>When hardened, the extended Berkeley Packet Filter (BPF) just-in-time (JIT) compiler will randomize any kernel addresses in the BPF programs and maps, and will not expose the JIT addresses in "/proc/kallsyms".</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-257942r991589_rule
Severity: Medium
References: CCI-000366
Updated: 17 days ago

Configure RHEL 9 to enable hardening for the BPF JIT compiler by adding the following line to a file, in the "/etc/sysctl.d" directory:

net.core.bpf_jit_harden = 2

The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:
$ sudo sysctl --system

RHEL 9 must enable hardening for the Berkeley Packet Filter just-in-time compiler.

Description

Remediation - Manual Procedure