
Verify Permissions on System.map Files

An XCCDF Rule

Description

The System.map files are symbol map files generated during the compilation of the Linux kernel. They contain the mapping between kernel symbols and their corresponding memory addresses. In general, there is no need for non-root users to read these files. To properly set the permissions of /boot/System.map*, run the command:

$ sudo chmod 0600 /boot/System.map*

Rationale

The purpose of System.map files is primarily for debugging and profiling the kernel. Unrestricted access to these files might disclose information useful to attackers and malicious software, leading to more sophisticated exploitation.

ID
xccdf_org.ssgproject.content_rule_file_permissions_systemmap
Severity
Low

Remediation - Ansible

- name: Find /boot/ file(s)
  command: find -H /boot/ -maxdepth 1 -perm /u+xs,g+xwrs,o+xwrt -type f -regextype posix-extended -regex "^.*System\.map.*$"
  register: files_found
  changed_when: false
  failed_when: false
# Strip the same bits from every file the find task listed
- name: Set permissions for /boot/ file(s)
  file:
    path: '{{ item }}'
    mode: u-xs,g-xwrs,o-xwrt
    state: file
  with_items: '{{ files_found.stdout_lines }}'

Remediation - Shell Script

# Remove execute, setuid/setgid, sticky and group/other read-write bits from every System.map file directly under /boot (follows symlinks)
find -L /boot/ -maxdepth 1 -perm /u+xs,g+xwrs,o+xwrt -type f -regextype posix-extended -regex '^.*System\.map.*$' -exec chmod u-xs,g-xwrs,o-xwrt {} \;
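The description sets the mode with chmod 0600, and both remediations select files with the same find predicate: -perm /u+xs,g+xwrs,o+xwrt matches a file when any of the listed bits is set, so a 0644 System.map is selected while a 0600 one is not. The audit script below is an added example and is not part of the SSG rule or its remediation content. It turns that predicate into a check that reports System.map files still carrying excess bits, and exercises it on constructed empty placeholder files in a temporary directory rather than a real /boot. It assumes GNU find (for -regextype and -printf), as the remediations above do.

```shell
#!/bin/sh
# Added audit helper, not part of the SSG rule or its remediation content.
# Assumes GNU find (-regextype, -printf), as the remediations above do.

# List System.map files directly under $1 (default /boot) that still carry
# any of the bits the rule strips. -perm /MODE matches when ANY listed bit is
# set, so 0644 is reported (g+r, o+r) while 0600 is not. Prints "mode path"
# per offender and returns 1 if any were found, 0 if the directory is clean.
check_systemmap_perms() {
    dir="${1:-/boot}"
    found=$(find -L "$dir" -maxdepth 1 -perm /u+xs,g+xwrs,o+xwrt -type f \
                 -regextype posix-extended -regex '^.*System\.map.*$' \
                 -printf '%m %p\n')
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Build a constructed sample directory standing in for /boot: one
# world-readable System.map (should be flagged), one already at 0600
# (should pass), and an unrelated 0644 file the regex must ignore.
# The files are empty placeholders, not real kernel symbol maps.
make_sample_boot() {
    d=$(mktemp -d)
    : > "$d/System.map-6.1.0-sample"
    chmod 0644 "$d/System.map-6.1.0-sample"
    : > "$d/System.map-6.2.0-sample"
    chmod 0600 "$d/System.map-6.2.0-sample"
    : > "$d/vmlinuz-sample"
    chmod 0644 "$d/vmlinuz-sample"
    printf '%s\n' "$d"
}

# Demonstration on the constructed sample (run: sh audit_systemmap.sh).
sample=$(make_sample_boot)
if check_systemmap_perms "$sample"; then
    echo "OK: no System.map file in $sample grants excess permissions"
else
    echo "FAIL: fix with: chmod u-xs,g-xwrs,o-xwrt <file>  (or chmod 0600)"
fi
rm -rf "$sample"
```

Running check_systemmap_perms with no argument audits the real /boot; a non-zero exit with one "mode path" line per offender is what a compliance scanner would flag, and applying the remediation's chmod to those paths makes the check return 0.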