← Back to Oracle Linux 9 Security Technical Implementation Guide

V-271768

CAT II (Medium)

OL 9 must enable hardening for the Berkeley Packet Filter (BPF) just-in-time compiler.

Rule ID

SV-271768r1092016_rule

STIG

Oracle Linux 9 Security Technical Implementation Guide

Version

V1R5

CCIs

CCI-000366

Discussion

When hardened, the extended BPF just-in-time (JIT) compiler will randomize any kernel addresses in the BPF programs and maps and will not expose the JIT addresses in "/proc/kallsyms".

Check Content

Verify that OL 9 enables hardening for the BPF JIT with the following commands:

$ sudo sysctl net.core.bpf_jit_harden
net.core.bpf_jit_harden = 2

If the returned line does not have a value of "2", or a line is not returned, this is a finding.

Fix Text

Configure OL 9 to enable hardening for the BPF JIT compiler by adding the following line to a file, in the "/etc/sysctl.d" directory:

net.core.bpf_jit_harden = 2

The system configuration files need to be reloaded for the changes to take effect. To reload the contents of the files, run the following command:

$ sudo sysctl --system