To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
kernel.perf_event_max_sample_rate = 1
Rationale
The kernel.perf_event_max_sample_rate parameter configures the maximum
frequency at which the Perf system collects samples. It is expressed in
samples per second. Restricting use of the Perf system decreases the risk
of potential availability problems.
# Populates ansible_facts.packages; the remaining tasks of this remediation
# test that fact for the "kernel-default" package before changing anything.
- name: Gather the package facts
  tags:
    - CCE-91259-2
    - disable_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required
    - sysctl_kernel_perf_event_max_sample_rate
  package_facts:
    manager: auto
# Finds every *.conf drop-in, in all four sysctl.d directories, that contains
# a line starting (after optional whitespace) with the key. The result is
# registered as find_sysctl_d for the task that comments those lines out.
- name: List /etc/sysctl.d/*.conf files
  when: '"kernel-default" in ansible_facts.packages'
  find:
    paths:
      - /run/sysctl.d/
      - /etc/sysctl.d/
      - /usr/local/lib/sysctl.d/
      - /lib/sysctl.d/
    patterns: '*.conf'
    file_type: any
    # The dots in the key are regex wildcards here, not literal dots.
    contains: '^[\s]*kernel.perf_event_max_sample_rate.*$'
  register: find_sysctl_d
  tags:
    - CCE-91259-2
    - disable_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required
    - sysctl_kernel_perf_event_max_sample_rate
# Neutralises existing settings of the key in the drop-in files found earlier
# by prefixing them with "#". The lines are commented out rather than removed,
# so the previous value stays visible in the file.
- name: Comment out any occurrences of kernel.perf_event_max_sample_rate from config files
  when: '"kernel-default" in ansible_facts.packages'
  loop: '{{ find_sysctl_d.files }}'
  replace:
    path: '{{ item.path }}'
    # Leading whitespace before the key is consumed by the match and dropped.
    regexp: '^[\s]*kernel.perf_event_max_sample_rate'
    replace: '#kernel.perf_event_max_sample_rate'
  tags:
    - CCE-91259-2
    - disable_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required
    - sysctl_kernel_perf_event_max_sample_rate
# Same neutralisation as for the drop-in directories, applied to the main
# /etc/sysctl.conf file: any active line for the key is turned into a comment.
- name: Comment out any occurrences of kernel.perf_event_max_sample_rate from /etc/sysctl.conf
  when: '"kernel-default" in ansible_facts.packages'
  replace:
    path: /etc/sysctl.conf
    regexp: '^[\s]*kernel.perf_event_max_sample_rate'
    replace: '#kernel.perf_event_max_sample_rate'
  tags:
    - CCE-91259-2
    - disable_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required
    - sysctl_kernel_perf_event_max_sample_rate
# Writes the hardened value into a dedicated drop-in file and, because of
# reload: true, asks the sysctl module to reload the settings afterwards.
- name: Ensure sysctl kernel.perf_event_max_sample_rate is set to 1
  when: '"kernel-default" in ansible_facts.packages'
  sysctl:
    name: kernel.perf_event_max_sample_rate
    value: '1'
    state: present
    reload: true
    sysctl_file: /etc/sysctl.d/kernel_perf_event_max_sample_rate.conf
  tags:
    - CCE-91259-2
    - disable_strategy
    - low_complexity
    - medium_disruption
    - medium_severity
    - reboot_required
    - sysctl_kernel_perf_event_max_sample_rate
Remediation - Shell Script
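# Remediation is applicable only in certain platforms
#
# Sets kernel.perf_event_max_sample_rate to 1 at runtime and persistently:
#   1. comments out active entries for the key in the sysctl.d directories,
#   2. applies the value to the running kernel,
#   3. removes the key from /etc/sysctl.conf,
#   4. writes "kernel.perf_event_max_sample_rate = 1" to a dedicated drop-in.
# Must run as root. Does nothing unless the kernel-default package is installed.
if rpm --quiet -q kernel-default; then

  # Key managed by this remediation. It was previously referenced below
  # without ever being assigned, which turned the /etc/sysctl.conf clean-up
  # pattern into "/^/d" and deleted every line of that file.
  # The dots are left unescaped in the patterns: as regex wildcards they also
  # match the "kernel/perf_event_max_sample_rate" spelling of the key.
  SYSCONFIG_VAR='kernel.perf_event_max_sample_rate'

  # Comment out any occurrences of kernel.perf_event_max_sample_rate from /etc/sysctl.d/*.conf files
  # NOTE(review): the glob also matches the drop-in written at the end of this
  # script, so a re-run comments out the earlier entry and appends a new one.
  for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do
    # A glob without matches is left as the literal pattern; skip it (and
    # anything else that is not an existing regular file) instead of handing
    # a bogus path to grep and sed.
    [[ -f "$f" ]] || continue

    # skip systemd-sysctl symlink (/etc/sysctl.d/99-sysctl.conf -> /etc/sysctl.conf)
    if [[ "$(readlink -f "$f")" == "/etc/sysctl.conf" ]]; then continue; fi

    # Only rewrite files that carry an active (not "#"-prefixed) entry.
    if grep -q -P '^(?!#).*kernel.perf_event_max_sample_rate' "$f"; then
      # comment out "kernel.perf_event_max_sample_rate" matches to preserve user data
      # A fixed pattern is used here; the matched line is never fed back to
      # sed as a regular expression, so metacharacters in it cannot break
      # or widen the substitution.
      sed -i --follow-symlinks '/^#/!s/^.*kernel.perf_event_max_sample_rate.*$/# &/' "$f"
    fi
  done

  #
  # Set sysctl config file which to save the desired value
  #
  SYSCONFIG_FILE='/etc/sysctl.d/kernel_perf_event_max_sample_rate.conf'

  #
  # Set runtime for kernel.perf_event_max_sample_rate
  #
  /sbin/sysctl -q -n -w kernel.perf_event_max_sample_rate="1"

  #
  # Remove the key from /etc/sysctl.conf so that only the drop-in file below
  # defines it. The pattern is anchored to the key name and a word boundary;
  # it must never be allowed to collapse to an empty expression.
  #
  if [[ -f /etc/sysctl.conf ]]; then
    sed -i "/^[[:space:]]*${SYSCONFIG_VAR}\\>/d" /etc/sysctl.conf
  fi

  # Strip any search characters in the key arg so that the key can be replaced without
  # adding any search characters to the config file.
  stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.perf_event_max_sample_rate")

  # shellcheck disable=SC2059
  printf -v formatted_output "%s = %s" "$stripped_key" "1"

  # If the key exists in the drop-in file, change it. Otherwise, add it.
  # We search for the key string followed by a word boundary (matched by \>),
  # so if we search for 'setting', 'setting2' won't match.
  # The file test avoids a grep error when the drop-in does not exist yet.
  if [[ -f "${SYSCONFIG_FILE}" ]] \
    && LC_ALL=C grep -q -m 1 -i -e "^kernel.perf_event_max_sample_rate\\>" "${SYSCONFIG_FILE}"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    LC_ALL=C sed -i --follow-symlinks "s/^kernel.perf_event_max_sample_rate\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
  else
    # Make sure a non-empty file ends with a newline before appending to it.
    if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
      LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
    fi
    cce="CCE-91259-2"
    printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
    printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
  fi

else
  >&2 echo 'Remediation is not applicable, nothing was done'
fi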