Restrict Exposed Kernel Pointer Addresses Access
An XCCDF Rule
Description
To set the runtime status of the kernel.kptr_restrict
kernel parameter, run the following command:
$ sudo sysctl -w kernel.kptr_restrict=To make sure that the setting is persistent, add the following line to a file in the directory
/etc/sysctl.d
: kernel.kptr_restrict =
Rationale
Exposing kernel pointers (through procfs or seq_printf()
) exposes kernel
writeable structures which may contain functions pointers. If a write vulnerability
occurs in the kernel, allowing write access to any of this structure, the kernel can
be compromised. This option disallow any program without the CAP_SYSLOG capability
to get the addresses of kernel pointers by replacing them with 0.
- ID
- xccdf_org.ssgproject.content_rule_sysctl_kernel_kptr_restrict
- Severity
- Medium
- References
-
CIP-002-5 R1.1
CIP-002-5 R1.2
CIP-003-8 R5.1.1
CIP-003-8 R5.3
CIP-004-6 4.1
CIP-004-6 4.2
CIP-004-6 R2.2.3
CIP-004-6 R2.2.4
CIP-004-6 R2.3
CIP-004-6 R4
CIP-005-6 R1
CIP-005-6 R1.1
CIP-005-6 R1.2
CIP-007-3 R3
CIP-007-3 R3.1
CIP-007-3 R5.1
CIP-007-3 R5.1.2
CIP-007-3 R5.1.3
CIP-007-3 R5.2.1
CIP-007-3 R5.2.3
CIP-007-3 R8.4
CIP-009-6 R.1.1
CIP-009-6 R4
- Updated
Remediation - Kubernetes Patch
---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
config:
ignition:
Remediation - Ansible
- name: List /etc/sysctl.d/*.conf files
find:
paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of kernel.kptr_restrict from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do