RHEL 10 must enable hardening for the Berkeley Packet Filter (BPF) just-in-time compiler.

STIG ID: RHEL-10-800050  |  SRG: SRG-OS-000433-GPOS-00192 |  Severity: medium (CAT II)  |  CCI: CCI-002824 |  Vulnerability Id: V-281337

Vulnerability Discussion

When hardened, the extended BPF just-in-time (JIT) compiler will randomize any kernel addresses in the BPF programs and maps, and will not expose the JIT addresses in "/proc/kallsyms".

Check

Verify RHEL 10 enables hardening for the BPF JIT compiler.

Check the status of the "net.core.bpf_jit_harden" parameter with the following command:

$ sudo sysctl net.core.bpf_jit_harden
net.core.bpf_jit_harden = 2

If "net.core.bpf_jit_harden" is not equal to "2" or is missing, this is a finding.

Fix

Configure RHEL 10 to enable hardening for the BPF JIT compiler.

Create the drop-in file if it does not already exist:

$ sudo vi /etc/sysctl.d/99-net_core-bpf_jit_harden.conf

Add the following line to the file:

net.core.bpf_jit_harden = 2

Reload settings from all system configuration files with the following command:

$ sudo sysctl --system
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.