Disable Access to Network bpf() Syscall From Unprivileged Processes
An XCCDF Rule
Description
To set the runtime status of the kernel.unprivileged_bpf_disabled
kernel parameter, run the following command:
$ sudo sysctl -w kernel.unprivileged_bpf_disabled=1To make sure that the setting is persistent, add the following line to a file in the directory
/etc/sysctl.d
: kernel.unprivileged_bpf_disabled = 1
Rationale
Loading and accessing the packet filters programs and maps using the bpf() syscall has the potential of revealing sensitive information about the kernel state.
- ID
- xccdf_org.ssgproject.content_rule_sysctl_kernel_unprivileged_bpf_disabled
- Severity
- Medium
- References
- Updated
Remediation - Ansible
- name: List /etc/sysctl.d/*.conf files
find:
paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of kernel.unprivileged_bpf_disabled from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do