Harden common str/mem functions against buffer overflows

An XCCDF Rule

Details
Profiles
Prose

Description

Detect overflows of buffers in common string and memory functions where the compiler can determine and validate the buffer sizes. This configuration is available from kernel 4.13, but may be available if backported by distros. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_FORTIFY_SOURCE, run the following command: grep CONFIG_FORTIFY_SOURCE /boot/config-* For each kernel installed, a line with value "y" should be returned.

warning alert: Warning

There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.

Rationale

This features helps reduce likelihood of memory corruption of kernel structures.

ID: xccdf_org.ssgproject.content_rule_kernel_config_fortify_source
Severity: Medium
References: BP28(R15)
Updated: about 1 year ago