Enable Kernel Parameter to Enforce DAC on Regular files
An XCCDF Rule
Description
To set the runtime status of the fs.protected_regular
kernel parameter, run the following command:
$ sudo sysctl -w fs.protected_regular=2To make sure that the setting is persistent, add the following line to a file in the directory
/etc/sysctl.d
: fs.protected_regular = 2
Rationale
This parameter is available since Linux Kernel 4.19 and allows to prohibit opening "regular" files that are not owned by the user in world and group writeable sticky directories. It avoids writes to an attacker-controlled regular file, for example, when a program expects to create the regular file.
- ID
- xccdf_org.ssgproject.content_rule_sysctl_fs_protected_regular
- Severity
- Medium
- Updated
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
# Comment out any occurrences of fs.protected_regular from /etc/sysctl.d/*.conf files
for f in /etc/sysctl.d/*.conf /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf; do
Remediation - Ansible
- name: List /etc/sysctl.d/*.conf files
find:
paths:
- /etc/sysctl.d/
- /run/sysctl.d/
- /usr/local/lib/sysctl.d/