
Enable use of Berkeley Packet Filter with seccomp

An XCCDF Rule

Description

Enable tasks to build secure computing environments defined in terms of Berkeley Packet Filter programs which implement task-defined system call filtering policies. The configuration that was used to build the kernel is available at /boot/config-*. To check the configuration value for CONFIG_SECCOMP_FILTER, run the following command:

grep CONFIG_SECCOMP_FILTER /boot/config-*

For each kernel installed, a line with value "y" should be returned.
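As an added example that is not part of the SSG rule content, the following POSIX shell check applies the grep above to every installed kernel's config file and fails if any of them lacks CONFIG_SECCOMP_FILTER=y. The config files it is run against here are constructed samples; the directory argument is an assumption so the check can be pointed at a test directory instead of /boot.

```shell
#!/bin/sh
# Added example: audit CONFIG_SECCOMP_FILTER across all installed kernels.
# Not part of the SSG rule; the directory argument is an assumption so the
# function can be exercised against constructed sample files.

# Return 0 only if every "$dir"/config-* file sets CONFIG_SECCOMP_FILTER=y.
# One PASS/FAIL line is printed per config file.
check_seccomp_filter() {
    dir="${1:-/boot}"
    status=0
    found=0
    for cfg in "$dir"/config-*; do
        [ -f "$cfg" ] || continue
        found=1
        # Anchor the pattern: a bare "CONFIG_SECCOMP_FILTER" grep would also
        # match a commented "# CONFIG_SECCOMP_FILTER is not set" line.
        if grep -q '^CONFIG_SECCOMP_FILTER=y$' "$cfg"; then
            echo "PASS $cfg"
        else
            echo "FAIL $cfg"
            status=1
        fi
    done
    # No config files at all means nothing could be verified: treat as FAIL.
    [ "$found" -eq 1 ] || status=1
    return "$status"
}

# Constructed sample: a directory with a single compliant kernel config.
make_good_sample() {
    d="$(mktemp -d)"
    printf 'CONFIG_SECCOMP=y\nCONFIG_SECCOMP_FILTER=y\n' > "$d/config-6.1.0-a"
    echo "$d"
}

# Constructed sample: one compliant and one non-compliant kernel config,
# the second using the "is not set" form Kconfig writes for disabled options.
make_mixed_sample() {
    d="$(mktemp -d)"
    printf 'CONFIG_SECCOMP=y\nCONFIG_SECCOMP_FILTER=y\n' > "$d/config-6.1.0-a"
    printf 'CONFIG_SECCOMP=y\n# CONFIG_SECCOMP_FILTER is not set\n' > "$d/config-6.1.0-b"
    echo "$d"
}

# Usage on a live system: check_seccomp_filter /boot
```

The check exits non-zero if any installed kernel was built without the option, which is the condition this rule flags and which, as the warning below notes, can only be fixed by rebuilding the kernel.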

Warning

There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.

Rationale

Use of BPF filters allows for expressive filtering of system calls using a filter program language with a long history of being exposed to userland.

ID
xccdf_org.ssgproject.content_rule_kernel_config_seccomp_filter
Severity
Medium