Disable compatibility with brk()

An XCCDF Rule

Details
Profiles
Prose

Description

Enabling compatiliby with brk() allows legacy binaries to run (i.e. those linked against libc5). But this compatibility comes at the cost of not being able to randomize the heap placement (ASLR). Unless legacy binaries need to run on the system, set CONFIG_COMPAT_BRK to "n". The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_COMPAT_BRK, run the following command: grep CONFIG_COMPAT_BRK /boot/config-* Configs with value 'n' are not explicitly set in the file, so either commented lines or no lines should be returned.

warning alert: Warning

There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.

Rationale

Enabling compatibility with brk() disables support for ASLR.

ID: xccdf_org.ssgproject.content_rule_kernel_config_compat_brk
Severity: Medium
References: BP28(R17)
Updated: about 1 year ago