TOSS must disable access to network bpf syscall from unprivileged processes.
An XCCDF Rule
Description
<VulnDiscussion>It is detrimental for operating systems to provide, or install by default, functionality exceeding requirements or mission objectives. These unnecessary capabilities or services are often overlooked and therefore may remain unsecured. They increase the risk to the platform by providing additional attack vectors.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-253113r991589_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Configure TOSS to prevent privilege escalation thru the kernel by disabling access to the bpf syscall by adding the following line to a file in the "/etc/sysctl.d" directory:
kernel.unprivileged_bpf_disabled = 1
The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command: