AlmaLinux OS 9 must enable hardening for the Berkeley Packet Filter (BPF) just-in-time (JIT) compiler.

STIG ID: ALMA-09-021800  |  SRG: SRG-OS-000480-GPOS-00227 |  Severity: medium |  CCI: CCI-000366 |  Vulnerability Id: V-269273

Vulnerability Discussion

When hardened, the extended BPF JIT compiler will randomize any kernel addresses in the BPF programs and maps, and will not expose the JIT addresses in "/proc/kallsyms".

Check

Verify AlmaLinux OS 9 enables hardening for the BPF JIT with the following commands:

$ sysctl net.core.bpf_jit_harden

net.core.bpf_jit_harden = 2

If the returned line does not have a value of "2", or a line is not returned, this is a finding.

Check that the configuration files are present to enable this kernel parameter.

$ /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' | grep -F net.core.bpf_jit_harden | tail -1

net.core.bpf_jit_harden = 2

If the network parameter "net.core.bpf_jit_harden" is not equal to "2" or nothing is returned, this is a finding.

Fix

Configure AlmaLinux OS 9 to enable hardening for the BPF JIT compiler.

Create a numbered *.conf file in /etc/sysctl.d/ with the following content:

net.core.bpf_jit_harden = 2

The system configuration files must be reloaded for the changes to take effect. To reload the contents of the files, run the following command:

$ sysctl –system
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.