Configure maximum number of process identifiers

An XCCDF Rule

Description

To set the runtime status of the kernel.pid_max kernel parameter, run the following command:

$ sudo sysctl -w kernel.pid_max=65536

To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:

kernel.pid_max = 65536

Rationale

The kernel.pid_max parameter configures upper limit on process identifiers (PID). If this number is not high enough, it might happen that forking of new processes is not possible, because all available PIDs are exhausted. Increasing this number enhances availability.

ID: xccdf_org.ssgproject.content_rule_sysctl_kernel_pid_max
Severity: Medium
References: BP28(R23)

CCE-91260-0
Updated: about 1 year ago

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Comment out any occurrences of kernel.pid_max from /etc/sysctl.d/*.conf files

for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf; do
  matching_list=$(grep -P '^(?!#).*[\s]*kernel.pid_max.*$' $f | uniq )
  if ! test -z "$matching_list"; then
    while IFS= read -r entry; do
      escaped_entry=$(sed -e 's|/|\\/|g' <<< "$entry")
      # comment out "kernel.pid_max" matches to preserve user data
      sed -i "s/^${escaped_entry}$/# &/g" $f
    done <<< "$matching_list"
  fi
done

#
# Set sysctl config file which to save the desired value
#

SYSCONFIG_FILE='/etc/sysctl.d/kernel_pid_max.conf'


#
# Set runtime for kernel.pid_max
#
/sbin/sysctl -q -n -w kernel.pid_max="65536"

#
# If kernel.pid_max present in /etc/sysctl.conf, change value to "65536"
#	else, add "kernel.pid_max = 65536" to /etc/sysctl.conf
#

sed -i "/^$SYSCONFIG_VAR/d" /etc/sysctl.conf

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^kernel.pid_max")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "65536"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^kernel.pid_max\\>" "${SYSCONFIG_FILE}"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    LC_ALL=C sed -i --follow-symlinks "s/^kernel.pid_max\\>.*/$escaped_formatted_output/gi" "${SYSCONFIG_FILE}"
else
    if [[ -s "${SYSCONFIG_FILE}" ]] && [[ -n "$(tail -c 1 -- "${SYSCONFIG_FILE}" || true)" ]]; then
        LC_ALL=C sed -i --follow-symlinks '$a'\\ "${SYSCONFIG_FILE}"
    fi
    cce="CCE-91260-0"
    printf '# Per %s: Set %s in %s\n' "${cce}" "${formatted_output}" "${SYSCONFIG_FILE}" >> "${SYSCONFIG_FILE}"
    printf '%s\n' "$formatted_output" >> "${SYSCONFIG_FILE}"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

- name: List /etc/sysctl.d/*.conf files
  find:
    paths:
    - /run/sysctl.d/
    - /etc/sysctl.d/
    - /usr/local/lib/sysctl.d/    - /lib/sysctl.d/
    contains: ^[\s]*kernel.pid_max.*$
    patterns: '*.conf'
    file_type: any
  register: find_sysctl_d
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-91260-0
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_kernel_pid_max

- name: Comment out any occurrences of kernel.pid_max from config files
  replace:
    path: '{{ item.path }}'
    regexp: ^[\s]*kernel.pid_max
    replace: '#kernel.pid_max'
  loop: '{{ find_sysctl_d.files }}'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-91260-0
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_kernel_pid_max

- name: Comment out any occurrences of kernel.pid_max from /etc/sysctl.conf
  replace:
    path: /etc/sysctl.conf
    regexp: ^[\s]*kernel.pid_max
    replace: '#kernel.pid_max'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-91260-0
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_kernel_pid_max

- name: Ensure sysctl kernel.pid_max is set to 65536
  sysctl:
    name: kernel.pid_max
    value: '65536'
    sysctl_file: /etc/sysctl.d/kernel_pid_max.conf
    state: present
    reload: true
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - CCE-91260-0
  - disable_strategy
  - low_complexity
  - medium_disruption
  - medium_severity
  - reboot_required
  - sysctl_kernel_pid_max

Configure maximum number of process identifiers

Description

Rationale

Remediation - Shell Script

Remediation - Ansible