{"description": "To set the runtime status of the <code>kernel.unprivileged_bpf_disabled</code> kernel parameter, run the following command: <pre>$ sudo sysctl -w kernel.unprivileged_bpf_disabled=1</pre>\nTo make sure that the setting is persistent, add the following line to a file in the directory <tt>/etc/sysctl.d</tt>: <pre>kernel.unprivileged_bpf_disabled = 1</pre>", "rationale": "Loading and accessing the packet filters programs and maps using the bpf()\nsyscall has the potential of revealing sensitive information about the kernel state.", "severity": "medium", "references": {"nist": ["AC-6", "SC-7(10)"], "srg": ["SRG-OS-000132-GPOS-00067", "SRG-OS-000480-GPOS-00227"], "anssi": ["R9"], "ism": ["1409"]}, "control_references": {"anssi": ["R9"], "ism": ["1409"]}, "components": [], "identifiers": {}, "ocil_clause": "the correct value is not returned", "ocil": "The runtime status of the <code>kernel.unprivileged_bpf_disabled</code> kernel parameter can be queried\nby running the following command:\n<pre>$ sysctl kernel.unprivileged_bpf_disabled</pre>\n<code>1</code>.\n", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to prevent privilege escalation thru the kernel by disabling access to the bpf syscall.", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must disable access to network bpf syscall from unprivileged processes.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must disable access to network bpf system call from nonprivileged processes.", "vuldiscussion": "Loading and accessing the packet filters programs and maps using the bpf() system call has the potential of revealing sensitive information about the kernel state.", "checktext": "Verify that Ubuntu 22.04 prevents privilege escalation through the kernel by disabling access to the bpf system call with the following commands:\n\n$ sysctl kernel.unprivileged_bpf_disabled\n\nkernel.unprivileged_bpf_disabled = 1\n\nIf the returned line does not have a value of \"1\", or a line is not returned, this is a finding.\n\nCheck that the configuration files are present to enable this kernel parameter.\n\n$ sudo /usr/lib/systemd/systemd-sysctl --cat-config | egrep -v '^(#|;)' | grep -F kernel.unprivileged_bpf_disabled | tail -1\n\nkernel.unprivileged_bpf_disabled = 1\n\nIf the network parameter \"kernel.unprivileged_bpf_disabled\" is not equal to \"1\", or nothing is returned, this is a finding.", "fixtext": "Configure the currently loaded kernel parameter to the secure setting:\n\n$ sudo sysctl -w kernel.unprivileged_bpf_disabled=1\n\nConfigure Ubuntu 22.04 to prevent privilege escalation through the kernel by disabling access to the bpf syscall by adding the following line to a file in the \"/etc/sysctl.d\" directory:\n\nkernel.unprivileged_bpf_disabled = 1\n\nThe system configuration files must be reloaded for the changes to take effect. To reload the contents of the files, run the following command:\n\n$ sysctl --system"}}, "platform": "system_with_kernel", "platforms": ["system_with_kernel"], "sce_metadata": {"check-import": "stdout", "platform": ["multi_platform_all"], "environment": "any", "filename": "sysctl_kernel_unprivileged_bpf_disabled.sh", "relative_path": "ubuntu2204/checks/sce/sysctl_kernel_unprivileged_bpf_disabled.sh"}, "inherited_platforms": [], "cpe_platform_names": ["system_with_kernel"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Disable Access to Network bpf() Syscall From Unprivileged Processes", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/permissions/restrictions/sysctl_kernel_unprivileged_bpf_disabled/rule.yml", "template": {"name": "sysctl", "vars": {"sysctlvar": "kernel.unprivileged_bpf_disabled", "sysctlval": "1", "datatype": "int"}, "backends": {}}}