Disable mutable hooks

An XCCDF Rule

Details
Profiles
Prose

Description

Ensure kernel structures associated with LSMs are always mapped as read-only after system boot. The configuration that was used to build kernel is available at /boot/config-*. To check the configuration value for CONFIG_SECURITY_WRITABLE_HOOKS, run the following command: grep CONFIG_SECURITY_WRITABLE_HOOKS /boot/config-* Configs with value 'n' are not explicitly set in the file, so either commented lines or no lines should be returned.

warning alert: Warning

There is no remediation for this besides re-compiling the kernel with the appropriate value for the config.

Rationale

If CONFIG_SECURITY_WRITABLE_HOOKS is enabled, then hooks can be loaded at runtime and being able to manipulate hooks is a way to bypass all LSMs.

ID: xccdf_org.ssgproject.content_rule_kernel_config_security_writable_hooks
Severity: Medium
References: BP28(R20)
Updated: 8 months ago