AlmaLinux OS 9 must enable hardening for the Berkeley Packet Filter (BPF) just-in-time (JIT) compiler.

An XCCDF Rule

Details
Profiles

Description

When hardened, the extended BPF JIT compiler will randomize any kernel addresses in the BPF programs and maps, and will not expose the JIT addresses in "/proc/kallsyms".

ID: SV-269273r1050155_rule
Version: ALMA-09-021800
Severity: Medium
References: CCI-000366
Updated: about 2 months ago

Remediation Templates

Configure AlmaLinux OS 9 to enable hardening for the BPF JIT compiler.

Create a numbered *.conf file in /etc/sysctl.d/ with the following content:

net.core.bpf_jit_harden = 2
The system configuration files must be reloaded for the changes to take effect. To reload the contents of the files, run the following command:

$ sysctl –system

AlmaLinux OS 9 must enable hardening for the Berkeley Packet Filter (BPF) just-in-time (JIT) compiler.

Description

Remediation Templates

A Manual Procedure