Enable Randomized Layout of Virtual Address Space
An XCCDF Rule
Description
To set the runtime status of the kernel.randomize_va_space
kernel parameter, run the following command:
$ sudo sysctl -w kernel.randomize_va_space=2To make sure that the setting is persistent, add the following line to a file in the directory
/etc/sysctl.d
: kernel.randomize_va_space = 2
Rationale
Address space layout randomization (ASLR) makes it more difficult for an attacker to predict the location of attack code they have introduced into a process's address space during an attempt at exploitation. Additionally, ASLR makes it more difficult for an attacker to know the location of existing code in order to re-purpose it using return oriented programming (ROP) techniques.
- ID
- xccdf_org.ssgproject.content_rule_sysctl_kernel_randomize_va_space
- Severity
- Medium
- References
-
CIP-002-5 R1.1
CIP-002-5 R1.2
CIP-003-8 R5.1.1
CIP-003-8 R5.3
CIP-004-6 4.1
CIP-004-6 4.2
CIP-004-6 R2.2.3
CIP-004-6 R2.2.4
CIP-004-6 R2.3
CIP-004-6 R4
CIP-005-6 R1
CIP-005-6 R1.1
CIP-005-6 R1.2
CIP-007-3 R3
CIP-007-3 R3.1
CIP-007-3 R5.1
CIP-007-3 R5.1.2
CIP-007-3 R5.1.3
CIP-007-3 R5.2.1
CIP-007-3 R5.2.3
CIP-007-3 R8.4
CIP-009-6 R.1.1
CIP-009-6 R4
- Updated
Remediation - Kubernetes Patch
---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
config:
ignition:
Remediation - Ansible
- name: List /etc/sysctl.d/*.conf files
find:
paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of kernel.randomize_va_space from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do