Skip to content

Enable Kernel Parameter to Enforce DAC on FIFOs

An XCCDF Rule

Description

To set the runtime status of the fs.protected_fifos kernel parameter, run the following command:

$ sudo sysctl -w fs.protected_fifos=2
To make sure that the setting is persistent, add the following line to a file in the directory /etc/sysctl.d:
fs.protected_fifos = 2

Rationale

This parameter is available since Linux Kernel 4.19 and allows to prohibit opening FIFOs that are not owned by the user in world and group writeable sticky directories. It avoids unintentional writes to an attacker-controlled FIFO where a program expects to create the regular file.

ID
xccdf_org.ssgproject.content_rule_sysctl_fs_protected_fifos
Severity
Medium
References
Updated



Remediation - Shell Script

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

# Comment out any occurrences of fs.protected_fifos from /etc/sysctl.d/*.conf files

for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do

Remediation - Ansible

- name: List /etc/sysctl.d/*.conf files
  find:
    paths:
    - /etc/sysctl.d/
    - /run/sysctl.d/
    - /usr/local/lib/sysctl.d/