Enable Randomized Layout of Virtual Address Space
An XCCDF Rule
Description
To set the runtime status of the kernel.randomize_va_space kernel parameter, run the following command:
$ sudo sysctl -w kernel.randomize_va_space=2
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.randomize_va_space = 2
Rationale
Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques.
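Added audit script for the check above (not part of this rule's SCAP content or its remediations): it reports the value the kernel is using now from /proc/sys and the value a sysctl.d-style directory would persist at boot, applying sysctl's rule that files are read in lexical order and later assignments override earlier ones. The function names, the audit() entry point and the --audit flag are this example's own.

```shell
# Added audit script: reports the running value of kernel.randomize_va_space
# and the value that /etc/sysctl.d would persist at boot. Function names and
# the --audit flag are this example's own, not part of the SCAP content.
PARAM="kernel.randomize_va_space"

# Value the kernel is using right now (empty if /proc is unavailable).
runtime_value() {
    cat /proc/sys/kernel/randomize_va_space 2>/dev/null || true
}

# Value a sysctl.d-style directory would persist. sysctl(8) reads *.conf in
# lexical order and later assignments win, so the last match is reported.
# Keys may be written with '/' instead of '.', which is normalized here.
persisted_value() {
    dir="$1"; val=""
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        while IFS= read -r line || [ -n "$line" ]; do
            case "$line" in \#*|\;*|"") continue ;; esac
            key=$(printf '%s' "$line" | cut -d= -f1 | tr -d ' \t' | tr '/' '.')
            [ "$key" = "$PARAM" ] && val=$(printf '%s' "$line" | cut -d= -f2- | tr -d ' \t')
        done < "$f"
    done
    printf '%s' "$val"
}

# Map a value to a pass/fail verdict using the kernel's meaning of each level.
describe_value() {
    case "$1" in
        2) echo "pass: full ASLR (stack, mmap base, VDSO and brk heap randomized)" ;;
        1) echo "fail: partial ASLR (brk heap not randomized)" ;;
        0) echo "fail: ASLR disabled" ;;
        "") echo "fail: not set" ;;
        *) echo "fail: unexpected value '$1'" ;;
    esac
}

# Print both verdicts; exit status 0 only when runtime and persisted are both 2.
audit() {
    dir="${1:-/etc/sysctl.d}"
    rt=$(runtime_value); pv=$(persisted_value "$dir")
    echo "runtime   $PARAM=$rt -> $(describe_value "$rt")"
    echo "persisted ($dir) $PARAM=$pv -> $(describe_value "$pv")"
    [ "$rt" = "2" ] && [ "$pv" = "2" ]
}

if [ "${1:-}" = "--audit" ]; then audit "${2:-}"; fi
```

Run it as `sh audit.sh --audit` (optionally with a different directory as the second argument) to get both verdicts and a non-zero exit status on any failure.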
- ID
- xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space
- Severity
- Medium
- References
-
CIP-002-5 R1.1
CIP-002-5 R1.2
CIP-003-8 R5.1.1
CIP-003-8 R5.3
CIP-004-6 4.1
CIP-004-6 4.2
CIP-004-6 R2.2.3
CIP-004-6 R2.2.4
CIP-004-6 R2.3
CIP-004-6 R4
CIP-005-6 R1
CIP-005-6 R1.1
CIP-005-6 R1.2
CIP-007-3 R3
CIP-007-3 R3.1
CIP-007-3 R5.1
CIP-007-3 R5.1.2
CIP-007-3 R5.1.3
CIP-007-3 R5.2.1
CIP-007-3 R5.2.3
CIP-007-3 R8.4
CIP-009-6 R.1.1
CIP-009-6 R4
- Updated
Remediation - Kubernetes Patch
---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition: